Tool Evaluation Framework
This page is for evaluating PET tools without turning the guide into an awesome list.
A tool belongs here only when the evaluation helps a reader decide whether the tool fits a concrete PET architecture, threat model, or benchmark.
Evaluation Summary
| Question | Why it matters |
|---|---|
| What does this help build? | Tools should map to patterns and architectures, not vague PET categories. |
| What protected asset does it cover? | Inputs, updates, prompts, embeddings, outputs, logs, or model weights need different controls. |
| What adversary is in scope? | Honest-but-curious, malicious, colluding, platform, inference, or side-channel attackers change the conclusion. |
| What evidence supports the claim? | Documentation is not the same as a benchmark, proof, deployment, or audit. |
| What breaks in production? | Setup, keys, logs, latency, upgrades, and debugging are part of fit. |
| What benchmark should be run first? | A tool review should produce a first measurement, not just a vibe. |
Fit Matrix
| Tool fit | Use this label when... | Review action |
|---|---|---|
| Strong fit | The tool supports the architecture, threat model, and workload with evidence | Link to benchmark or deployment evidence |
| Promising fit | The tool supports the pattern but evidence is thin | Mark as expert judgment and define first benchmark |
| Narrow fit | The tool works for a constrained workload | State constraints clearly |
| Poor fit | The tool solves a different problem than the page needs | Do not list it as a recommendation |
| Unknown fit | The review lacks evidence | Move to claim register or Fix My Itch |
Evidence Checklist
- Is there a security proof, specification, or design document?
- Are supported threat models explicit?
- Are limitations and non-goals documented?
- Are benchmarks reproducible?
- Are deployment examples named and maturity-labeled?
- Are operational requirements documented: keys, logs, monitoring, upgrades, incident response?
- Has the tool been evaluated by someone other than the vendor or maintainer?
First Benchmark By Tool Type
| Tool type | First benchmark |
|---|---|
| FL framework | Non-IID cross-silo training with dropouts, per-site utility, and update leakage review |
| DP library | Privacy accounting and utility curve for a specific release |
| MPC framework | Private aggregate or join with parties, rounds, bandwidth, and dropout behavior |
| HE inference tool | End-to-end latency, ciphertext size, supported operators, and accuracy loss |
| TEE platform | Attestation verification, log review, side-channel assumptions, and failure behavior |
| Synthetic data tool | Memorization tests, downstream utility, DP parameters if claimed |
| Clean-room platform | Query controls, minimum thresholds, output review, repeated-query tests |
Red Flags
- The tool says "privacy-preserving" but does not name a protected asset.
- The threat model is missing or only appears in a paper, not product documentation.
- Benchmarks omit hardware, data shape, parameter settings, or failed cases.
- The tool requires plaintext logs, support bundles, or debugging paths that violate the claim.
- The tool is recommended for a page even though it only supports a different workload.
- The review lists features but never says when not to use the tool.
Review Output
A tool review should end with:
- best-fit architecture or pattern;
- threat model support;
- evidence level;
- first benchmark to run;
- operational risks;
- when not to use it;
- whether the tool should be recommended, watched, or rejected for this guide.