Prompteus: Confidential Third-Party Safety Auditing with Garbled Circuits, MPC, and PIR
Aditya Bhatia
Regulators and downstream deployers in the Global South increasingly have to vouch for AI models they can't inspect, using evaluation data that can't legally leave the country. it lets a third party verify a safety property of a closed model without the owner revealing internals, without data contributors revealing raw results to each other, and without the owner knowing which probes decide the audit. We use garbled circuits for the private verdict, secret sharing for the private aggregate, and PIR to hide probe selection, which is what stops an owner from special-casing a known benchmark. Built and tested end to end: real oblivious transfer, real garbled circuits, real PIR. A sandbagging model passes a public-probe audit but fails the PIR-hidden one; an honest model passes both
Your system is genuinely clever—using garbled circuits for private verdicts, secret sharing for aggregates, and PIR to hide which probes execute. The sandbagging model passing public audits but failing the PIR-hidden one is a sharp threat model. You're solving something real: Global South regulators can't trust model internals, so you invented a way to audit without revealing them. That's strong.
What lost me: the physics-as-a-service framing feels disconnected from the actual contribution (confidential AI auditing). You reference The Well frame emulators but don't explain why—or whether other black-box simulators would work. Your eval is tight but sparse: only two models tested. I'd want to see how MPC performance degrades at scale or how robust your PIR is against side-channel leaks.
The bigger ask: next week, show us inter-operability with actual deployed services. Right now it's a proof-of-concept. Make it production-ready.
Combining cryptographic privacy (Private Information Retrieval) with ML scientific surrogates to provide honest provenance is an exceptional and novel approach to AI safety. The rigorous execution is commendable, particularly the end-to-end verification showing 0 bits of index leaked to any single server across large random trials. Foregrounding fallback mechanisms and refusing to present deterministic renders as trained scientific output is a highly deployable safety control. As suggested in your future work, replacing the demonstrator garbled-circuit bridge with production MPC primitives would make the system fully deployment-ready.
Instead of treating private retrieval, garbled circuits, and learned surrogates as separate tricks, you fold privacy of intent and honest provenance into a single service and argue convincingly that both are safety controls, and I appreciated that you backed it with randomized verification and a clean-room reimplementation rather than one-off runs. My notes are about reach, not rigor: your "deployable control" story rests on a 16-record demonstrator, the surrogate losses have no baseline to judge them against, and I couldn't find a working code link. I'd add a simple baseline so the held-out loss is interpretable, report latency as the database grows, and publish the repo; I'd also reconcile the Prompteus versus PROMETHEUS title mismatch so the work doesn't undersell itself.
Cite this work
@misc {
title={
(HckPrj) Prompteus: Confidential Third-Party Safety Auditing with Garbled Circuits, MPC, and PIR
},
author={
Aditya Bhatia
},
date={
},
organization={Apart Research},
note={Research submission to the research sprint hosted by Apart.},
howpublished={https://apartresearch.com}
}


