DUPLO #1
Description
Background
DUPLO lifts classic Cut‑and‑Choose (C&C) from “whole‑circuit” to component granularity.
Each reusable component (SubCircuit) is garbled N times with its own random offset Δ.
The evaluator opens a random sample, ensuring that at least (1 – ε) of the remaining copies of every component are correct with overwhelming probability.
When these copies are then soldered together, the correctness of the entire directed‑acyclic graph of components follows inductively: every soldered connection preserves correctness, so global mis‑evaluation would require a faulty component that would almost certainly have been caught in the sample.
Privacy‑free simplifications (subject to final review).
| Protocol part | Rationale in privacy‑free setting |
|---|---|
| Wire‑label masking at the garbler | No confidentiality requirement |
| OT phase for garbler inputs | Inputs may be sent in the clear |
| σ‑bit consistency checks | Semantic bit now public |
Residual leakage and responsibility boundaries will be discussed on the upcoming call.
The first milestone is a minimal yet sound DUPLO over groth16‑garble‑circuit (GC) with full cost profiling (Garbler + Evaluator): wall‑time, memory, and traffic.
Glossary
- Cut‑and‑Choose (C&C) – Garble each asset many times; open a random subset for auditing; evaluate the rest.
- K₀ , K₁ – Wire labels for logical 0/1. In FreeXOR:
K₁ = K₀ ⊕ Δ. - Δ (Delta) – Per‑component global offset for FreeXOR; distinct Δ isolates components.
- σ (Sigma) – Least‑significant‑bit indicator linking a label to 0/1; unused when privacy‑free.
Implementation Components
1.0 Auxiliary Functions
This includes utilities like XOR commitments, Pedersen commitments, and other minor helpers. These are straightforward, but listed here for completeness and ordering.
1.1 SubCircuit Model
GC currently operates on a single flat Circuit. DUPLO requires a component model: logic is partitioned into reusable SubCircuits, each garbled and evaluated independently, then connected via soldering.
This step involves introducing a SubCircuit abstraction and making garbling and evaluation strictly local to it (including wire-label space, Δ, σ, etc.).
1.1.1 Circuit Decomposition
We must rewrite the current GC logic to operate in terms of multiple SubCircuit instances.
This includes explicitly decomposing the existing monolithic circuit into well-defined components:
- each
SubCircuitmust have clearly defined local inputs, outputs, and gates; - interconnections between components must be made explicit and implemented via soldering;
- the decomposition must be reproducible and aligned with the C&C model — i.e., all instances of a component type must be identical in topology and size.
1.2 Soldering
Soldering is the core mechanism that enables DUPLO’s modular architecture. It securely connects independently garbled components by reconciling differences in Δ, σ, and wire label spaces, while preserving correctness and FreeXOR semantics. This step is critical, nontrivial to debug, and central to ensuring that component-level cut-and-choose remains sound under deferred wiring. Any error in soldering silently corrupts evaluation or breaks security — making it the most sensitive part of the protocol.
1.3 DUPLO Protocol Logic
With SubCircuit and Soldering in place, the full DUPLO protocol can be implemented. It proceeds in several stages:
- Component Garbling Each component is garbled independently with local Δ and committed wire labels.
- Cut-and-Choose per Component The evaluator checks a random subset to ensure correctness under replication.
- Soldering Phase Output-input connections are formed securely via homomorphic openings.
- Evaluation Buckets are evaluated in parallel and decoded via majority.
- Output Decoding Final keys are mapped to bits using σ and sent back to the garbler.
The above reflects the minimal functional core of DUPLO, excluding optimizations or advanced reusability. It is sufficient to implement secure component-level 2PC over GC.
Current Blockers
-
Missing FreeXOR support
GC lacks FreeXOR. This means:- wire labels (K₀, K₁) must be generated and stored explicitly;
- XOR gates cannot be garbled “for free”, which increases both size and complexity;
- evaluation speed and circuit size are negatively affected.
-
Wire memory model is global
GC uses a flat global wire namespace, which breaks encapsulation.
DUPLO requires each component to maintain its own wire-local memory:- Δ must be local per component;
- wire label scope must be isolated;
- multipoint wire access (fan-out) and reuse must be handled explicitly.
- The current approach eliminates multithreading only if we don't use
Mutexon eachWire
This is a blocker for efficient C&C, especially given our goal of benchmarking computational overhead.