Memory Trace Oblivious Program Execution by Liu, Chang et al.
Memory Trace Oblivious Program Execution
Department of Computer Science Technical Report CS-TR-5020
Chang Liu, Michael Hicks, and Elaine Shi
The University of Maryland, College Park, USA
Abstract—Cloud computing allows users to delegate data
and computation to cloud service providers, at the cost of
giving up physical control of their computing infrastructure.
An attacker (e.g., insider) with physical access to the computing
platform can perform various physical attacks, including prob-
ing memory buses and cold-boot style attacks. Previous work on
secure (co-)processors provides hardware support for memory
encryption and prevents direct leakage of sensitive data over
the memory bus. However, an adversary snooping on the bus
can still infer sensitive information from the memory access
traces. Existing work on Oblivious RAM (ORAM) provides a
solution for users to put all data in an ORAM; and accesses
to an ORAM are obfuscated such that no information leaks
through memory access traces. This method, however, incurs
significant memory access overhead.
In this work, we are among the first to leverage pro-
gramming language techniques to offer efficient memory-trace
oblivious program execution, while providing formal security
guarantees. We formally define the notion of memory-trace
obliviousness, and provide a type system for verifying that a
program satisfies this property. We also describe a compiler
that transforms a program into a structurally similar one
that satisfies memory trace obliviousness. To achieve optimal
efficiency, our compiler partitions variables into several small
ORAM banks rather than one large one, without risking
security. We use several example programs to demonstrate the
efficiency gains our compiler achieves in comparison with the
naive method of placing all variables in the same ORAM.
I. INTRODUCTION
Cloud computing allows users to delegate their data
and computation to computing service providers, and thus
relieves users from the necessity to purchase and maintain
requisite computing infrastructure. The value proposition
is appealing to both cloud providers and clients: market
research predicts a 50% compound annual growth rate on
public cloud workloads [23].
Despite its increasing popularity, privacy concerns have
become a major barrier in furthering cloud adoption. Cloud
customers offloading computations transfer both their code
and their data to the provider, and thereby relinquish con-
trol over both their intellectual property and their private
information. While various existing works have considered
how to secure sensitive data in the cloud against remote
software attacks [15], [31], [48], we consider a stronger
adversarial model where the attacker (e.g., a malicious
employee of the cloud provider) has physical access to the
computing platform. Such an attacker can observe memory
contents through cold-boot style attacks [21], [41], malicious
peripherals, or by snooping on system buses.
Previous work has proposed the idea of using memory
encryption to ensure confidentiality of sensitive memory
contents [43], [44], [33], [39], [40]. However, as memory
addresses are transferred in cleartext over the memory buses,
an adversary can gain sensitive information by observing the
memory addresses accessed. For example, address disclosure
can leak implicit program execution flows, resulting in the
leakage of sensitive code or data [50].
Oblivious RAM (ORAM), first proposed by Goldreich
and Ostrovsky [17], can be used to protect memory access
patterns. In particular, we can place sensitive code and data
into ORAM, and doing so has the effect of hiding the
access pattern. Roughly speaking, this works by issuing
many physical reads/writes for each logical one in the
program, and by shuffling the mapping between the logical
data and its actual physical location. Unfortunately, placing
all code and sensitive data in ORAM leads to significant
memory access overhead in practice [42], [47], [12], and
can still leak information, e.g., according to the length of the
memory trace. On the other hand, customized data-oblivious
algorithms have been suggested for specific algorithms, to
achieve asymptotically better overhead than generic ORAM
simulation [20], [11]. This approach, however, does not scale
in terms of human effort.
Contributions. We make four main contributions. First, we
define memory trace obliviousness, a property that accounts
for leaks via the memory access trace. We present a formal
semantics for a simple programming language that allocates
its secret data and instructions in ORAM, and define the
trace of data reads/writes and instruction fetches during
execution. We define memory trace obliviousness as an
extension of termination-sensitive noninterference [2], [34]
that accounts for the memory trace as a channel of informa-
tion. Note that memory trace obliviousness is stronger than
the notion used in the traditional ORAM literature [17]—it
ensures the content and length of the memory access pattern
are independent of sensitive inputs, while traditional ORAM
security does not provide the latter guarantee.
Second, we present a novel type system for enforcing
memory trace obliviousness. This type system builds on
standard type systems for checking noninterference [34].
Notably, our type system requires (reminiscent of work by
Agat [1] and others) that both branches of a conditional
whose guard references secret information produce indis-
tinguishable traces, where trace events consider public and
secret data accesses and instruction fetches, and that loop
guards not depend on secret information. We also support
allocating memory in distinct ORAM banks, for improved
performance.
Third, we develop a compilation algorithm for transform-
ing programs that (roughly) satisfy standard noninterference
into those that satisfy memory trace obliviousness. There
are two distinct problems: allocating data to ORAM banks,
and adding padding instructions. Our algorithm employs a
solution to the shortest common supersequence problem [14]
to find common events on the true and false branches of a
conditional, and then inserts minimal padding instructions
on both sides, so that the traces will be equal.
Finally, we present a small empirical evaluation of our ap-
proach with several popular algorithms including Dijkstra’s
(single-source) shortest path, k-means, matrix multiplication,
and find-max. In comparison with generic ORAM simulation
(i.e., placing all data in a single ORAM bank), we can
always achieve at least a constant factor performance gain.
More interestingly, in many cases we can achieve asymptotic
performance gains. The intuition is that many data mining
algorithms traverse data in a predetermined order, indepen-
dent of the sensitive data contents. For example, the find-max
example sequentially scans through a sensitive array to find
the maximum. In these cases, it suffices to encrypt the data
array in memory, without placing them in ORAM (this is
equivalent to placing each element in the array in a separate
ORAM bank of size 1).
We present an overview of our approach in the next
section. Sections III and IV present our type system and
compiler, and Section V presents our empirical evaluation.
We compare to related work in Section VI and conclude
with ideas for future research in Section VII.
II. OVERVIEW
We are interested in the scenario in which an untrusted
cloud provider hosts both computation and storage for a
client. In particular, the client uploads both code and data to
the cloud, and the code is executed over the data on a cloud
server. To start, we assume the code to be run is not secret,
but that some or all of the uploaded data is. For example,
the census bureau does not care if the cloud provider knows
which suite of statistical analyses it is running, but does care
to keep the census data itself private. While code privacy is
not a focus of this paper, we point out that it can easily
be achieved by placing all instructions in an ORAM bank
dedicated for code – and since code size is typically small
in comparison with data size, the performance overhead of
doing this is mild in comparison with placing all data in a
single ORAM.
Figure 1(a) depicts a motivating example. The program
max scans through the array h[], and finds its maximum
element. The length of the array n is labeled public,
meaning that it may be learned by the adversary. The
array h[] itself is labeled secret, as is the type of the
returned value, meaning that the adversary should nothing
about either of them. We would like this program to ex-
hibit termination-sensitive noninterference when run at the
cloud provider—the provider should learn nothing about the
contents of h[] or the result. We can see that this program
would be accepted by a type system for enforcing standard
noninterference [34].1
A. Threat model
We consider an adversary who has physical access to
the cloud server (e.g., a malicious employee of the cloud
provider). In particular, we asume the adversary can observe
the contents of DRAM, e.g., via cold-boot style attacks.
We also assume that the adversary can observe the traffic
on the system buses (memory bus, peripheral buses), and
can observe when the program terminates. On the other
hand, we assume the adversary cannot observe the inner
workings of the CPU, i.e., the contents of registers, caches,
etc. that are on-chip. In other words, the CPU is trusted.
These assumptions roughly correspond to those of the XOM
execution model [44], and the software/hardware architec-
ture we present here builds on work in this area.
In addition to sniffing sensitive data, an adversary with
physical access could also attempt to tamper with the correct
execution of the program. We refer to such attacks as
integrity attacks. Defending against integrity attacks can be
incorporated into our approach using standard techniques
such as memory authentication [38], [39], [44], [43], so for
simplicity we do not consider them. We assume that there
exists a mechanism for the client to securely ship its code
and data to (and from) the cloud provider and start execution
(more on this below).
Though they are a real threat, in this paper we do not
consider timing and other covert channels. We believe we
can incorporate ideas from related research to handle timing
leaks [1], [10], [26]. Preventing/mitigating timing leaks is
neither necessary nor sufficient for preventing leaks due to
observed memory traffic, which is our focus in this paper;
see Section VI for further discussion. In reality, processor
optimizations such as caching and branch prediction can
affect what visible memory traces are generated during
program execution. In this paper, we assume no caching
or branch prediction – how to allow such chip-level features
while ensuring memory trace obliviousness is left as future
work and discussed in Section VII.
1The typing of arrays is slightly non-standard: as explained in the next
section, we permit public indexes to secret arrays by using a “failure-
oblivious” semantics that ignores out-of-bounds accesses; this semantics
resembles Deng and Smith’s “lenient” semantics [9].
1 secret int max( public int n,
2 secret int h[]) {
3 public int i = 0;
4 secret int m = 0;
5 while (i < n) {




1 secret1 int max( public int n,
2 secret2 int h[]) {
3 public int i = 0;
4 secret1 int m = 0, mdummy = 0;
5 while (i < n) {
6 if (h[i] > m) then m = h[i]; 3
7 else mdummy = h[i]; 3
8 i++; }
9 return m; }
(a) original program (b) transformed program
Figure 1. Example program and its memory-oblivious transformation.
B. Approach
We now detail our approach step by step.
Encrypting secrets. To hide data from an adversary who can
inspect the cloud server’s storage—DRAM in particular—
we can use encryption. That is, any secrets can be stored in
memory in encrypted form, then decrypted when computed
with, and encrypted again before storing the results back
to memory. Given that we only trust the CPU, we require
that the encryption/decryption be performed entirely on chip
(rather than in software) and we need a way to securely
load the encryption key onto the chip without revealing
it to the adversary. On-chip encryption is now a standard
feature (AES has been supported on Intel chips since 2010),
and we can use code attestation [30], [37], [35] to achieve
secure and verifiable bootstrapping of the program and the
encryption key. While existing trusted computing and code
attestation are not bullet proof against physical attacks,
hardware security modules on chip [24] are starting to attract
attention and can provide the needed security.
Even with these measures in place, the adversary can still
observe the stream of accesses to memory, even if he cannot
observe the content of those accesses, and such observations
are sufficient to infer secret information. For our example,
we see that the conditional on line 6 will produce a non-zero
number of events when the guard is true, but no events when
it is false. As such, by observing the trace the adversary
could learn the index of the maximum value. Prior work
has also observed that the memory trace can leak sensitive
information [50], [44], [43].
To eliminate this channel of information, we need a
way to run the program so that the event stream does not
depend on the secret data—no matter the values of the
secret, the observable events will be the same. Programs
that exhibit this behavior enjoy a property we call memory
trace obliviousness.
Padding. Toward ensuring memory trace obliviousness, the
compiler can add padding instructions to either or both
branches of if statements whose guards reference secret
information (we refer to such guards as high guards).
This idea is similar to inserting padding to ensure uniform
timing [1], [4], [22], [7]. Looking at Figure 1(b) we can see
the original program transformed to add an else branch on
line 8 that aims to produce the same events as the if branch.
Unfortunately, this approach does not quite work because
while number and kind of events in the added branch is the
same, the write address is different—for the true branch the
program writes to m while for the false branch it writes to
mdummy. We need to somehow hide the addresses being read
from/written to.
ORAM for secret data. We can solve this problem by
storing secret data in Oblivious RAM (ORAM), and ex-
tend our trusted computing base with an on-chip ORAM
controller. This controller will encrypt/decrypt the secret
data and maintain a mapping between addresses for vari-
ables used by the program and actual storage addresses for
those variables in DRAM. For each read/write issued for
a secret program address the ORAM controller will issue
a series of reads/writes to actual DRAM addresses, which
has the effect of hiding which of the accesses was the real
address. Moreover, with each access, the ORAM controller
will shuffle program/storage address mappings so that the
physical location of any program variable is constantly in
flux. Asymptotically, ORAM accesses are polylogarithmic in
the size of the ORAM [17]. Note that if we were concerned
about integrity, we could compose the ORAM controller
with machinery for, say, authenticated accesses.2
Returning to the example, we can see that by allocating
all secret data in ORAM, and mdummy and m in particular, we
ensure that both branches produce indistinguishable traces,
consisting of: read of i, ORAM event (for the read of h[i]),
ORAM event (for the read of m), read of i, ORAM event
(for the read of h[i]), and ORAM event (for the write to m
or mdummy).
Note that loops can also be source of trace information:
if the guard is secret, then the number of loop iterations
(as reflected in the trace) could reveal something about the
secret. Therefore we forbid loops with secret guards, and
forbid loops of any kind in conditionals. Fortunately, this is
not too onerous in the common case that inputs and outputs
are secret, but the length of secret data (or an upper bound
2A detailed hardware design is outside the scope of this work, but we
are indeed in the process of constructing one [29].
on that length) can be known.
Storing (some) code in ORAM. The careful reader will
have observed that while the data accesses of the two
branches now produce indistinguishable traces, the instruc-
tion fetches can be distinguished: depending on whether
h[i] > m we will either fetch instructions corresponding
to statement 7 or statement 8. Since instructions are stored
in unencrypted DRAM, the adversary can observe them
being fetched. We can solve this problem by storing some
instructions in ORAM so as to effectively hide the program
counter; in general we must store instructions on both
branches of a conditional with a high guard. In our example,
we illustrate this fact by drawing a box around the affected
statements on lines 7 and 8.
Multiple ORAM banks. ORAM can be an order of mag-
nitude slower than regular DRAM [42]. Moreover, larger
ORAM banks containing more variables incur higher over-
head than smaller ORAM banks [17], [36]; as mentioned
above, ORAM accesses are asymptotically related to the size
of the ORAM. Thus we can reduce run-time overhead by
allocating code/data in multiple, smaller ORAM banks rather
than all of it in a single, large bank.
We observe that for the purposes of memory trace obliv-
iousness, we do not need to group all secret addresses in
the same ORAM bank. For our example, we only need
to make accesses to m and mdummy indistinguishable, and
fetches from the boxed statements on lines 7 and 8; we do
not need to differentiate a fetch from line 7 from a read/write
of m. In particular, we can use three distinct ORAM banks,
which are indicated by subscripts on secret qualifiers in
the figure: m and mdummy go in one bank, h goes in another,
and code on lines 7 and 8 goes in a third.
Arrays. Implicitly we have assumed that all of an array is
allocated to the same ORAM bank, but this need not be the
case. Indeed, for our example it is safe to simply encrypt the
contents of h[i] because knowing which memory address
we are accessing does not happen to reveal anything about
the contents of h[]. This is because the access pattern on
the array does not depend on any secret—every execution of
max will access the same array elements in the same order.
If we allocate each array element in a separate ORAM
bank, the running time of the program becomes roughly 6n
accesses: each access to h[i] is in a bank of size 1, and
m or mdummy are in a bank of size 2. In both cases we can
access these variables securely using the “trivial ORAM,”
which simply scans every element in its bank; thus there is
one access for each read of h[] and two accesses for each
read/write of m and mdummy, for a total of 6n accesses.
In comparison, the naı̈ve strategy of allocating all vari-
ables in a single ORAM bank would incur 4n ·poly log(n+
2)) memory accesses (for secret variables), since each access
to an ORAM bank of size m requires O(poly log(m))
Variables x, y, z ∈ Vars
Numbers n ∈ Nat
ORAM bank o ∈ ORAMbanks
Expressions e ::= x | e op e | x[e] | n
Statements s ::= skip | x := e | x[e] := e |
if(e, S, S) | while (e, S)
Programs S ::= p:s | S;S
Locations p ::= n | o
Figure 2. Language syntax
Arrays m ∈ Arrays = Nat ⇀ Nat
Labels l ∈ SecLabels = {L} ∪ORAMbanks
Memory M ∈ Vars ⇀ (Arrays ∪ Nat)× SecLabels
Traces t ::= read(x, n) | readarr(x, n, n) |
write(x, n) | writearr(x, n, n) |
fetch(p) | o | t@t | ε
get(m,n) =
{








l if l ∈ ORAMbanks
t otherwise
Figure 3. Auxiliary syntax and functions for semantics
physical memory accesses. This shows that we can achieve
asymptotic gains in performance for some programs.
III. MEMORY TRACE OBLIVIOUSNESS BY TYPING
This section formalizes a type system for verifying that
programs like the one in Figure 1(b) enjoy memory trace
obliviousness. In the next section we describe a compiler to
transform programs like the one in Figure 1(a) so they can
be verified by our type system.
We formalize our type system using the simple language
presented in Figure 2. Programs S consist of a sequence
S;S of labeled statements p:s, where p is either a number
n unique to the program (i.e., a line number) or is an ORAM
bank identifier o; in the latter case, the statement is stored
in the corresponding ORAM bank, while in the former it is
stored in unencrypted RAM. Statements s include the no-op
skip, assignments to variables and arrays, conditionals, and
loops. Expressions e consist of constant natural numbers,
variable and array reads, and (compound) operations. For
simplicity, arrays may contain only integers (and not other
arrays), and bulk assignments between arrays (i.e., x := y
when y is an array) are not permitted.
A. Operational semantics
We define a big-step operational semantics for our lan-
guage in Figure 4, which refers to auxiliary functions and
〈M, e〉 ⇓t n
E-Var
M(x) = (n, l)





〈M, e1〉 ⇓t1 n1 〈M, e2〉 ⇓t2 n2 n = n1 op n2
〈M, e1 op e2〉 ⇓t1@t2 n
E-Arr
〈M, e〉 ⇓t n M(x) = (m, l) n′ = get(m,n)
t1 = evt(l, readarr(x, n, n′))
〈M,x[e]〉 ⇓t@t1 n′
〈M, s〉 ⇓t M ′
S-Skip
〈M, skip〉 ⇓ε M
S-Asn
〈M, e〉 ⇓t n M(x) = (n′, l) t′ = evt(l,write(x, n))
〈M,x := e〉 ⇓t@t′ M [x 7→ (n, l)]
S-AAsn
〈M, e1〉 ⇓t1 n1 〈M, e2〉 ⇓t2 n2 M(x) = (m, l)
m′ = upd(m,n1, n2) t = evt(l,writearr(x, n1, n2))
〈M,x[e1] := e2〉 ⇓t1@t2@t M [x 7→ (m′, l)]
S-Cond
〈M, e〉 ⇓t1 n 〈M,Si〉 ⇓t2 M (i = ite(n, 1, 2))
〈M, if (e, S1, S2) 〉 ⇓t1@t2 M ′
S-WhileT
〈M, e〉 ⇓t n n 6= 0
〈M, (S; p:while(e, S))〉 ⇓t′ M ′
〈M,p:while(e, S)〉 ⇓fetch(p)@t@t′ M ′
S-WhileF
〈M, e〉 ⇓t 0
〈M,p:while(e, S)〉 ⇓fetch(p)@t M
〈M,S〉 ⇓t M ′
P-Stmt
〈M, s〉 ⇓t M ′ t′ = fetch(p)
〈M,p:s〉 ⇓t′@t M ′
P-Stmts
〈M,S1〉 ⇓t1 M ′ 〈M ′, S2〉 ⇓t2 M ′′
〈M,S1;S2〉 ⇓t1@t2 M ′′
Figure 4. Operational semantics
syntax defined in Figure 3. Big-step semantics is simpler
than the small-step alternative, and though it cannot be used
to reason about non-terminating programs, our cloud com-
puting scenario generally assumes that programs terminate.
The main judgment of the former figure, 〈M,S〉 ⇓t M ′
(shown at the bottom), indicates that program S when run
under memory M will terminate with new memory M ′
and in the process produce a memory access trace t. We
also define judgments 〈M, s〉 ⇓t M ′ and 〈M, e〉 ⇓t n for
evaluating statements and expressions, respectively.
We model memories M as partial functions from variables
to labeled values, where a value is either an array m or
a number n, and a label is either L or an ORAM bank
identifier o. Thus we can think of an ORAM bank o
containing all data for variables x such that M(x) = ( , o),
whereas all data labeled L is stored in normal RAM. We
model an array m as a partial function from natural numbers
to natural numbers. We write |m| to model the length of the
array; that is, if |m| = n then m(i) is defined for 0 ≤ i < n
but nothing else. To keep the formalism simple, we assume
all of the data in an array is stored in the same place, i.e.,
all in RAM or all in the same ORAM bank. We sketch how
to relax this assumption, to further improve performance, in
Section III-E.
A memory access trace t is a finite sequence of events
arising during program execution that are observable by
tapping the memory bus. These events include read events
read(x, n) which states that number n was read from
variable x and read(x, n1, n2), which states number n2 was
read from x[n1]. The corresponding events for writes to
variables and arrays are similar, but refer to the number
written, rather than read. Event fetch(p) indicates a fetch
of the statement at location p in the program. Recall that p
could be either an ORAM bank or a unique number, where
the former reflects that the particular instruction is unknown
(since it is stored in ORAM) while the latter indicates the
precise statement number stored in RAM. Event o indicates
an access to ORAM—only the storage bank o is discernable,
not the precise variable involved or even whether the access
is a read or a write. (Each ORAM read/write in the program
translates to several actual DRAM accesses, but we model
them as a single abstract event.) Finally, t@t represents the
concatenation of two traces and ε is the empty trace.
The rules in Figure 4 are largely straightforward. Rule
(E-Var) defines variable reads by looking up the variable in
memory, and then emitting an event consonant with the label
on the variable’s memory. This is done using the evt function
defined in Figure 3: if the label is some ORAM bank o
then event o will be emitted, otherwise event read(x, n) is
emitted since the access is to normal RAM.
The semantics treats array accesses as “oblivious” to
avoid information leakage due to out-of-bounds indexes.
In particular, rule (E-Arr) indexes the array using auxiliary
function get , also defined in Figure 3, that returns 0 if the
index n is out of bounds. Rule (S-AAsn) uses the upd
function similarly: if the write is out of bounds, then the
array is not affected.3 We could have defined the semantics
to throw an exception, or result in a stuck execution, but
this would add unnecessary complication. Supposing we had
such exceptions, our semantics models wrapping array reads
3The syntax m[n1 7→ n2] defines a partial function m′ such that
m′(n1) = n2 and otherwise m′(n) = m(n) when n 6= n1. We use
the same syntax for updating memories M .
and writes with a try-catch block that ignores the exception,
which is a common pattern, e.g., in Jif [25], [5], and has
also been advocated by Deng and Smith [9].
The rule (S-Cond) for conditionals is the obvious one;
we write ite(x,y,z) to denote y when x is 0, and z otherwise.
Rule (S-WhileT) expands the loop one unrolling when the
guard is true and evaluates that to the final memory, and rule
(S-WhileF) does nothing when the guard is false. Notice that
the expanded loop in the premise has the same label p as the
original. For statements other than loops, the rule (P-Stmt)
factors out the handling of the location label: it issues a fetch
event according to the location label p, followed by the trace
resulting from evaluating the statement s itself. Finally rule
(P-Stmts) handles sequences of statements.
B. Memory trace obliviousness
The security property of interest in our setting we call
memory trace obliviousness. This property generalizes the
standard (termination-sensitive) noninterference property to
account for memory traces. Intuitively, a program satisfies
memory trace obliviousness if it will always generate the
same trace (and the same final memory) for the same
adversary-visible memories, no matter the particular values
stored in ORAM. We formalize the property in three steps.
First we define what it means for two memories to be
low-equivalent, which holds when they agree on memory
contents having label L.
Definition 1 (Low equivalence). Two memories M1 and M2
are low-equivalent, denoted as M1 ∼L M2, if and only if
∀x, v.M1(x) = (v,L)⇔M2(x) = (v,L).
Next, we define the notion of the Γ-validity of a memory
M . Here, Γ is the type environment that maps variables to
security types τ , which are either Nat l or Array l (both
are defined in Figure 5). In essence, Γ indicates a mapping
of variables to memory banks, and if memory M employs
that mapping then it is valid with respect to Γ.
Definition 2 (Γ-validity). A memory M is valid under a
environment Γ, or Γ-valid, if and only if, for all x
Γ(x) = Nat l⇔ ∃n ∈ Nat.M(x) = (n, l)
Γ(x) = Array l⇔ ∃m ∈ Arrays.M(x) = (m, l)
Finally, we define memory trace obliviousness. Intuitively,
a program enjoys this property if all runs of the program on
low-equivalent, Γ-valid memories will always produce the
same trace and low-equivalent final memory.
Definition 3 (Memory trace obliviousness). Given a secu-
rity environment Γ, a program S satisfies Γ-memory trace
obliviousness if for any two Γ-valid memories M1 ∼L M2,
if 〈M1, S〉 ⇓t1 M ′1 and 〈M2, S〉 ⇓t2 M ′2, then t1 ≡ t2, and
M ′1 ∼L M ′2.
In this definition, we write t1 ≡ t2 to denote that t1 and t2
are equivalent. Equivalence is defined formally in Appendix
Types τ ::= Int l | Array l
Environments Γ ∈ Vars ⇀ Types
Trace Pats T ::= Read x |Write x |
Readarr x |Writearr x |
Loop(p, T, T ) | Fetch(p) | o |
T@T | T + T | ε
l1 t l2 =
{
l1 if l1 6= L
l2 otherwise
l1 v l2 iff
l1 = L or
l2 6= L and l2 6= n
select(T1, T2) =
{
T1 if T1 ∼L T2
T1 + T2 otherwise
Figure 5. Auxiliary syntax and functions for typing
I, Figure 10. Intuitively, two traces are equivalent if they
are syntactically equivalent or we can apply associativity to
transform one into the other. Furthermore, ε plays the role
of the identity element.
C. Security typing
Figure 6 presents a type system that aims to ensure
memory trace obliviousness. Auxiliary definitions used in
the type rules are given in Figure 5. This type system
borrows ideas from standard security type systems that aim
to enforce (traditional) noninterference. For the purposes
of typing, we define a lattice ordering v among security
labels l as shown in Figure 5, which also shows the t (join)
operation. Essentially, these definitions treat all ORAM bank
labels o as equivalent for the purposes of typing (you can
think of them as the ”high” security label). In the definition
of v, we also consider the case when l2 could be a program
location n, which is treated as equivalent to L (this case
comes up when typing labeled statements).
The typing judgment for expressions is written Γ ` e :
τ ;T , which states that in environment Γ, expression e has
type τ , and when evaluated will produce a trace described
by the trace pattern T . The judgments for statements s and
programs S are similar. Trace patterns describe families of
run-time traces; we write t ∈ T to say that trace t matches
the trace pattern T .
Trace pattern elements are quite similar to their trace
counterparts: fetches and ORAM accesses are the same,
as are empty traces and trace concatenation. Trace pattern
events for reads and writes to variables and arrays are
more abstract, mentioning the variable being read, and not
the particular value (or index, in the case of arrays); we
have read(x, n) ∈ Read(x) for all n, for example. There
is also the or-pattern T1 + T2 which matches traces t
such that either t ∈ T1 or t ∈ T2. Finally, the trace
pattern for loops, Loop(p, T1, T2), denotes the set of patterns
Fetch(p)@T1 and Fetch(p)@T1@T2@Fetch(p)@T1 and
Γ ` e : τ ;T
T-Var
Γ(x) = Nat l
T = evt(l,Read(x))
Γ ` x : Nat l;T T-Con Γ ` n : Nat L; ε
T-Op
Γ ` e1 : Nat l1;T1 Γ ` e2 : Nat l2;T2 l = l1 t l2
Γ ` e1 op e2 : Nat l;T1@T2
T-Arr
Γ(x) = Array l Γ ` e : Nat l′;T l′ v l
T ′ = evt(l,Readarr(x))
Γ ` x[e] : Nat l t l′;T@T ′
Γ, l ` s;T
T-Skip
Γ, l0 ` skip; ε
T-Asn
Γ ` e : Nat l;T Γ(x) = Nat l′ l0 t l v l′
Γ, l0 ` x := e;T@evt(l′,Write(x))
T-AAsn
Γ ` e1 : Nat l1;T1 Γ ` e2 : Nat l2;T2
Γ(x) = Array l l1 t l2 t l0 v l
Γ, l0 ` x[e1] := e2;T1@T2@evt(l,Writearr(x))
T-Cond
Γ ` e : Nat l;T Γ, l t l0 ` Si;Ti (i = 1, 2)
l t l0 6= L⇒ T1 ∼L T2 T ′ = select(T1, T2)
Γ, l0 ` if(e, S1, S2);T@T ′
T-While
Γ ` e : Nat l;T1 Γ, l0 ` S;T2 l t l0 v L
Γ, l0 ` p:while(e, S); Loop(p, T1, T2)
Γ, l ` S;T
T-Lab
Γ, l0 ` s;T l0 v p
Γ, l0 ` p:s; (Fetch p)@T
T-Seq
Γ, l0 ` S1;T1 Γ, l0 ` S2;T2
Γ, l0 ` S1;S2;T1@T2
Figure 6. Typing
Fetch(p)@T1@T2@Fetch(p)@T1@T2@Fetch(p)@T1 and so
on, and thus matches any trace that matches one of them.
Turning to the rules, we can see that each one is struc-
turally similar to the corresponding semantics rule. Each
rule likewise uses the evt function (Figure 3) to selectively
generate an ORAM event o or a basic event, depending on
the label of the variable being read/written. Rule (T-Var) thus
generates a Read(x) pattern if x’s label is L, or generates
the ORAM event l (where l 6= L implies l is some bank
o). As expected, constants n are labeled L by (T-Con), and
compound expressions are labeled with the join of the labels
of the respective sub-expressions by (T-Op). Rule (T-Arr) is
interesting in that we require l v l′, where l is the label
of the index and l′ is the label of the array, but the label
of the resulting expression is the join of the two. As such,
we can have a public index of a secret array, but not the
other way around. This is permitted because of our oblivious
semantics: a public index reveals nothing about the length
of the array when the returned result is secret, and no out-
of-bounds exception is possible.
The judgment for statements Γ, l0 ` s;T is similar to
the judgment for expressions, but there is no final type,
and it employs the standard program counter (PC) label
l0 to prevent implicit flows. In particular, the (T-Asn) and
(T-AAsn) rules both require that the join of the label l of
the expression on the rhs, when joined with the program
counter label l0, must be lower than or equal to the label
l′ of the variable; with arrays, we must also join with the
label l1 of the indexing expression. Rule (T-Cond) checks the
statements Si under the program counter label that is at least
as high as the label of the guard. As such, coupled with the
constraints on assignments, any branch on a high-security
expression will not leak information about that expression
via an assignment to a low-security variable. In a similar
way, rule (T-Lab) requires that the statement location p is
lower or equal to the program counter label, so that a public
instruction fetch cannot be the source of an implicit flow.
Rule (T-Cond) also ensures that if the PC label or that
of the guard expression is secret, then the actual run-time
trace of the true branch (matched by the trace pattern T1)
and the false branch (pattern T2) must be equal; if they were
not, then the difference would reveal something about the
respective guard. We ensure run-time traces will be equal
by requiring the trace patterns T1 and T2 are equivalent,
as axiomatized in Figure 7. The first two rows prove that
ε is the identity, that ∼L is a transitive relation, and that
concatenation is associative. The third row unsurprisingly
proves that ORAM events to the same bank and fetches of
the same location/bank are equivalent. More interestingly,
the third row claims that public reads to the same variable
are equivalent. This makes sense given that public writes
are not equivalent. As such, reads in both branches will
always return the same run-time value they had prior to the
conditional. Notice that the public reads to the same arrays
are also not equivalent, since indices may leak information.
Finally, the (T-Cond) emits trace T ′, which according to
the select function (Figure 5) will be T1 when the two are
equivalent. As such, conditionals in a high context will never
produce or-pattern traces (which are not equivalent to any
other trace pattern).
Rule (T-While) requires, by the constraint l t l0 v L,
requires that loop guards be public (which is why we
need not join l0 with l when checking the body S). This
constraint ensures that the length of the trace as related to
the number of loop iterations cannot reveal something about
secret data. Fortunately, this restriction is not problematic for
many examples because secret arrays can be safely indexed
T ∼L T
ε@T ∼L T@ε ∼L T
ε ∼L ε
T1 ∼L T2 T2 ∼L T3
T1 ∼L T3
T1 ∼L T ′1 T2 ∼L T ′2
T1@T2 ∼L T ′1@T ′2
(T1@T2)@T3 ∼L T1@(T2@T3)
o ∼L o Fetch p ∼L Fetch p Read x ∼L Read x
Figure 7. Trace pattern equivalence
by public values, and thus looping over arrays reveals no
information about them.
Finally, we can prove that well typed programs enjoy
memory trace obliviousness.
Theorem 1. If Γ, l ` S;T , then S satisfies memory trace
obliviousness.
The full proof can be found in Appendix I.
D. Examples
Now we consider a few programs that do and do not type
check in our system. In the examples, public (low security)
variables begin with p, and secret (high security) variables
begin with s; we assume each secret variable is allocated in
its own ORAM bank (and ignore statement labels).
There are some interesting differences in our type system
and standard information flow type systems. One is that we
prohibit low reads under high guards that could differ in
both branches. For example, the program if s > 0 then
s := p1 else s := p2 is accepted in the standard type
system but rejected in ours. This is because in our system
we allow the adversary to observe public reads, and thus he
can distinguish the two branches, whereas an adversary can
only observe public writes in the standard noninterference
proof. On the other hand, the program if s > 0 then s
:= p+1 else s := p+2 would be accepted, because both
branches will exhibit the same trace
Another difference is that we do not allow high guards in
loops, so a program like the following is acceptable in the
standard type system is rejected in ours:
s := slen; sum := 0;
while s ≥ 0 do
sum := sum + sarr[p];
s := s - 1;
done
The reason we reject this program is that the number of loop
iterations, which in general cannot be determined at compile
time, could reveal information about the secret at run-time.
In this example, the adversary will observe O(s) memory
events and thus can infer s itself. Prior work on mitigating
timing channels often makes the same restriction for the
same reason [1], [4], [22], [7]. Similarly, we can mitigate
the restrictiveness of our type system by padding out the
number of iterations to a constant value. For example, we
could transform the above program to be instead
p := N; sum := 0;
while p ≥ 0 do
if p < slen then sum := sum + sarr[p];
else sdummy := sdummy + sarr[p];
p := p - 1;
done
Here, N is some constant and sdummy and sum are allocated
in the same ORAM bank. The loop will always iterate N
times but will compute the same sum assuming N ≥ slen.
We also do not allow loops with low guards to appear in
a conditional with a high guard. As above, we may be able
to transform a program to make it acceptable. For example,
for some S, the program if s > 0 then while (p > 0)
do S; done could be transformed to be while (p > 0)
do if s > 0 then S; done (assuming s is not written in
S). This ensures once again that we do not leak information
about the loop guard.
E. Allocating array elements across ORAM banks
For simplicity, our operational semantics and type system
model all elements of the same array as all being stored in
the same ORAM bank. However, as discussed at the end of
Section II and demonstrated empirically in Section V, per-
formance can be significantly improved by allocating each
array element in a separate ORAM bank. Here we sketch
extensions to the type system and operational semantics
that permit each element of an array to be allocated in an
ORAM bank of size 1; i.e., the contents are merely en-
crypted/decrypted on access with no other special handling.4
The changes to the operational semantics are straight-
forward. First, we change memories M to map variables
to either to pairs (n, l) ∈ Nat × SecLabel or arrays
m ∈ Arrays. Arrays are changed to map indexes n ∈ Nat
to pairs (n, l) ∈ Nat × SecLabel, thus allowing each array
element to be in its own ORAM bank. Rules (E-Arr) and (S-
AAsn) are updated in the obvious manner, using the cell’s
individual label l in the event.
The type system is extended as follows. First, we identify
a symbolic ORAM bank o> ∈ ORAMbanks; an array
x of type Array o> represents an array whose elements
are each stored in an ORAM bank of size 1. In addition,
we extend the notion of trace patterns to include events
SArr(x, e) which indicate a read or write of array x whose
type is o>; the indexing expression e is included in the
event. We extend trace equivalence to include the axiom
SArr(x, e) ∼L SArr(x, e); i.e., two accesses to an array
in the symbolic ORAM bank are equivalent if they have
4Note that this extension has no impact on expressiveness: we always
have the option of allocating the whole array in the same bank and
degenerating to the existing type system.
the same index expression. We modify both the (T-Arr) and
(T-AAsn) rules to generate event SArr(x, e) when l is o>.
We also extend these two rules to require that when l
is o> then the label of the index expression e must be L;
i.e., we only permit indexing arrays in the symbolic ORAM
bank with public values. If we allowed secret indexes, then
the adversary could learn something about the index by
observing which ORAM bank is read. For example, suppose
we had the program h[x] := y where h has type Array o>,
and x and y have type Nat o. Suppose the first element of
h is allocated in ORAM bank o1 and the second element is
in ORAM bank o2. Then if we run the program when x is
0 we get trace o@o@o1 (corresponding to the read of x, the
read of y, and the write of h[0]). But if we run the program
with x is 1, we get trace o@o@o2. Assuming the adversary
knows the ORAM allocation for h (i.e., assuming he knows
Γ) then he has learned something about the value of x. On
the other hand, allocating all of an array in the same bank
eliminates this channel of information, so it is safe to index
it with a secret value.
Looking at the code in Figure 1(b), we can see that h
could be allocated in o>. This is because h is accessed with
the same index expression (i) on lines 6 and 7, and trace
equivalence (which precludes writes to public variables)
ensures that i will have the same value in both cases.
On the other hand, if line 7 was instead else mdummy =
h[i+5], then the program would be rejected because the
index expressions in both branches are not the same.
Note that for soundness we need to prove that all possible
run-time values for an array index are the same on both
branches of a secret conditional; preventing writes to public
variables in such branches and requiring the index expression
to be the same is a simple way to do this. Of course, more
sophisticated decision procedures could also be used (that
would, for example, know that i+5 = 5+i).
IV. COMPILATION
Rather than requiring programmers to write memory-trace
oblivious programs directly, we would prefer that program-
mers could write arbitrary programs and rely on a compiler
to transform those programs to be memory trace oblivious.
While more fully realizing this goal remains future work, we
have developed a compiler algorithm that automates some
of the necessary tasks.
In particular, given a program P in which the inputs and
outputs are labeled as secret or public, our compiler will
(a) infer the least labels (secret or public) for the remain-
ing, unannotated variables; (b) allocate all secret variables
to distinct ORAM banks; (c) insert padding instructions in
conditionals to ensure their traces are equivalent; and finally,
(d) allocate instructions appearing in high conditionals to
ORAM banks. These steps are sufficient to transform the
max program in Figure 1(a) into the memory-trace oblivious
version in Figure 1(b). We can also transform other interest-
ing algorithms, such as k-means, Dijkstra’s shortest paths,
and matrix multiplication, as we discuss in the next section.
We now sketch the different steps of our algorithm.
A. Type checking source programs
The first step is to perform label inference on the source
program to make sure that we can compile it. This is
the standard, constraint-based approach to local type in-
ference as implemented in languages like Jif [25] and
FlowCaml [32]. We introduce fresh constraint variables
for the labels of unannotated program variables, and then
generate constraints based on the structure of the program
text. This is done by applying a variant of the type rules
in Figure 6, having three differences. First, we treat labels
l has being either L, representing public variables; H ,
representing secret variables (we can think of this as the
only available ORAM bank); or α, representing constraint
variables. Second, premises like l1 v l2 and l0t l1 v l2 that
appear in the rules are interpreted as generating constraints
that are to be solved later. Third, all parts having to do with
trace patterns T are ignored. Most importantly, we ignore
the requirement that T1 ∼L T2 for conditionals.
Given a set of constraints generated by an application
of these rules, we attempt to find the least solution to the
variables α that appear in these constraints, using standard
techniques [13]. If we can find a solution, the compilation
may continue. If we cannot find a solution, then we have no
easy way to make the program memory-trace oblivious, and
so the program is rejected.
As an example, consider the max program in Figure 1(a),
but assume that on lines 3 and 4 the variables i and m
are not annotated, i.e., they are missing the secret and
public qualifiers. When type inference begins, we assign i
the constraint variable αi and m the constraint variable αm.
In applying the variant type rules (with the PC label l0 set
to L) to this program (that is, the part from lines 5–7), we
will generate the following constraints:
(αi t L) t L v L line 5
αi v H line 6, for h[i] in guard
l0 = αi tH t αm t L PC label for checking if branch
αi v H line 6, for h[i] in assignment
l0 t (H t αi) v αm line 6, assignment
L t (αi t L) v αi line 7
(For simplicity we have elided the constraints on location
labels that arise due to (T-Lab), but normally these would be
included as well.) We can see that the only possible solution
to these constraints is for αi to be L and αm to be H , i.e.,
the former is public and the latter is secret.
Assuming that the programmer minimally labels the
source program, only indicating those data that must be se-
cret and leaving all other variables unlabeled, then the main
restriction on source programs is the restriction on the use
of loops: all loop guards must be public, and no loop may
appear in a conditional whose guard is high. As mentioned
in the previous section, the programmer may transform such
programs into equivalent ones, e.g., by using a constant loop
bound, or by hoisting loops out of conditionals. We leave
the automation of such transformations to future work.
B. Allocating variables to ORAM banks
Given all variables that were identified as secret in the
previous stage, we need to allocate them to one or more
ORAM banks. At one extreme, we could put all secret
variables in a single ORAM bank. The drawback is that each
access to a secret variable could cause significant overhead,
since ORAM accesses are polylogarithmic in the size of the
ORAM [17] (on top of the encryption/decryption cost). At
the other extreme, we could put every secret variable in a
separate ORAM bank. This lowers overhead by making each
access cheaper but will force the next stage to insert more
padding instructions, adding more accesses overall. Finally,
we could attempt to choose some middle ground between
these extreme methods: put some variables in one ORAM
bank, and some variables in others.
Ultimately, there is no analytic method for resolving this
tradeoff, as the “break even” point for choosing padding
over increased bank size, or vice versa, depends on the im-
plementation. A profile-guided approach to optimizing might
be the best approach. With our limited experience so far we
observe that storing each secret variable in a separate ORAM
bank generally achieves very good performance. This is
because when conditional branches have few instructions,
the additional padding adds only a small amount of overhead
compared to the asymptotic slowdown of increased bank
size. Therefore we adopt this method in our experiments.
Nevertheless, more work is needed to find the best tradeoff
in a practical setting.
We also need to assign secret statements (i.e., those
statements whose location label must be H) to ORAM
banks. At this stage, we assign all statements under a given
conditional to the same ORAM bank, but we make a more
fine-grained allocation after the next stage, discussed below.
C. Inserting padding instructions
The next step is to insert padding instructions into condi-
tionals, to ensure the final premise of (T-Cond) is satisfied,
so that both branches will generate the same traces.
To do this, we can apply algorithms that solve the shortest
common supersequence problem [14] when applied to two
traces (a.k.a. the 2-scs problem). That is, given the two trace
patterns Tt and Tf for the true and false branches of an if
(following ORAM bank assignment), let Ttf denote the 2-
scs of Tt and Tf . The differences between Ttf and the origi-
nal traces signal where, and what, padding instructions must
be inserted. The standard algorithm builds on the dynamic
programming solution to the greatest common subsequence












Figure 8. Finding a short padding sequence using the greatest
common subsequence algorithm. An example with two abstract traces
Tt = [T1;T2;T3;T4;T5] and Tf = [T1;T3;T2;T4]. One greatest
common subsequence as shown is [T1;T2;T4]. A shortest common super-
sequence of the two traces is Ttf = [T1;T3;T2;T3;T4;T5].
(gcs) algorithm, which runs in time O(nm) where n and m
are the respective lengths of the two traces [8]. Using this
algorithm to find the gcs reveals which characters must be
inserted into the original strings, as illustrated in Figure 8.
When running 2-scs on traces, we view Tt and Tf as
strings of characters which are themselves trace patterns
due to single statements. Each statement-level pattern will
always begin with a Fetch p, and be followed by zero or
more of the following events: Read, oi for ORAM bank i,
and in the extended type system, SArr(x, e).5 For example,
suppose we have the program o:skip; o:x[y] := z where,
after ORAM bank assignment, the type of y is Nat o1, the
type of z is Array o1, and the type of x is Nat o2. This pro-
gram generates trace pattern Fetch o@Fetch o@o1@o1@o2.
For the purposes of running 2-scs, this trace consists of two
characters: (Fetch o), which corresponds to the statement
o:skip, and (Fetch o@o1@o1@o2), which corresponds to the
statement o:x[y] := z.
Once we have computed the 2-scs and identified the
padding characters needed for each trace, we must generate
“dummy” statements to insert in the program that generate
the same events. This is straightforward. In essence, we can
allocate a “dummy” variable do for each ORAM bank o in
the program, and then read, write, and compute on that vari-
able as needed to generate the correct event. Suppose we had
the program if(e, o:skip, o:x[y] := z) and thus Tt = Fetch o
and Tf = Fetch o@o1@o1@o2. Computing the 2-scs we find
that Tt can be pre-padded with Fetch o@o1@o1@o2 while
Tf can be post-padded with Fetch o. We can readily generate
statements that correspond to both. For the second, we pro-
duce o:skip. For the first, we can produce o:do2 := do1 +do1 .
When we must produce an event corresponding to a public
read, or read from an array, we can essentially just insert
a read from that variable directly. Finally, for the extended
type system, we can simply use the actual expression x[e]
to produce an event SArr(x, e),
Note that this approach will generate more padding
instructions than is strictly needed. In the above exam-
ple, the final program will be if(e, (o:do2 := do1 +
do1 ; o:skip), (o:x[y] := z; o:skip)). Peephole optimizations
5Because of the restrictions imposed by the type system, Tt and Tf
will never contain loop patterns, (public) read-array or write patterns, or
or-patterns.
Table II
Programs and parameters used in our simulation.
No. Description
1 Dijkstra (n = 100 nodes)
2 K-means (n = 100 data points, k = 2, I = 1 iteraion)
3 Matrix multiplication (n× n matrix where n = 40)
4 Matrix multiplication (n× n matrix where n = 25)
5 Find max (n = 100 elements in the array)
6 Find max (n = 10000 elements in the array)
can be used to eliminate some superfluous instructions.
However, a better approach is to use a finer-grained alphabet
which in practice is available when using three address
code, i.e., as the intermediate representation of an actual
compiler. In this kind of language, which involves adversary-
invisible reads/writes to registers, the alphabet can be more
fine grained. We have formalized compilation in this style,
and give several examples, in our technical report [28].
Once padding has been inserted, both branches have the
same number of statements, and thus we can allocate each
pair of statements in its own ORAM bank. Assuming we
did not drop the skip statements in the program above, we
could allocate them both in ORAM bank o3 and allocate the
two assignments in ORAM bank o4, rather than allocate all
instructions in ORAM bank o as is the case now.
V. EVALUATION
To demonstrate the efficiency gains achieved by our
compiler in comparison with the straightforward approach
of placing all secret variables in the same ORAM bank,
we choose four example programs: Dijkstra single-source
shortest paths, K-means, Matrix multiplication (naı̈ve O(n3)
implementation), and Find-max (Figure 1).
We will compare three different strategies:
Strawman: Place all secret variables in the same ORAM
bank, and place all code in the same ORAM bank (different
from the one for storing data).
Opt 1: Store each variable in a separate ORAM bank, but
store whole arrays in the same bank. Allocate instructions to
ORAM banks using the algorithm described in Section IV.
Opt 2: Store each variable, and each member of an
array, in a separate ORAM bank (when allowed, as per
Section III-E). Allocate instructions to ORAM banks using
the algorithm described in Section IV.
In all three cases, we insert padding as necessary to ensure
obliviousness.
A. Asymptotic Analysis
For the four programs we choose, Table I shows the
total number of memory accesses in terms of the data size
n. In this table, we assume that such that each access to
an ORAM bank of size m requires poly logm physical
memory accesses [17], [27], [36]. The degree of the polylog
and the constant would depend on the specific ORAM
implementation and the parameter choices.
Figure 9. Simulation Results for Strawman, Opt 1, and Opt 2.
Memory accesses due to data. Table I illustrates that Opt
1 does not achieve asymptotic improvements compared to
the Strawman (though performance is improved by constant
factors, as discussed below). On the other hand, Opt 2
does achieve asymptotic performance gains. The table shows
that Opt 2 is a poly log(n) factor faster than the strawman
scheme, particularly for the K-means, Matrix multiplication,
and Find-max examples. Intuitively, this is because these
algorithms, like a large class of data mining algorithms,
traverse the data in a predictable pattern independent of the
data contents. Thus it suffices to just encrypt the data, i.e.,
put each array element in an ORAM bank of size 1.
Memory accesses due to instruction fetches. Table I shows
that both Opt 1 and Opt 2 achieve asymptotic savings in
terms of number of memory accesses due to instruction
fetches. Our compiler avoids placing all code in the same
ORAM bank; instead, it stores only instructions on both
branches of a conditional with a high guard in ORAM
banks, and partitions instructions into smaller ORAM banks
whenever possible.
B. Simulation Results
We also performed simulation to measure the performance
of the example programs when compiled by our compiler.
Code for the source and transformed programs is given
in Appendix II. Table II shows the parameters we choose
for our experiment. We built a simulator in C++ that can
measure the number of memory accesses for transformed
programs. Implementing a full-fledged compiler that inte-
grates with our ORAM-capable hardware concurrently being
built [29] is left as future work.
Simulation results are given in Figure 9 for the six setups
described in Table II. The ORAM scheme we used in the
simulation is due to Shi et al [36]. The figure shows that Opt
1 is 1.3 to 5 times faster the strawman scheme; and Opt 2
is 1 to 3 orders of magnitude faster than the strawman for
the chosen programs and parameters.
Table I
Number of memory accesses. c is a small constant (typically 2 or 3) depending on the ORAM scheme chosen. n stands for the size of the data. P is
the length of the program. For K-means, the data is 2-dimensional, n is the number of data points, k is the number of clusters, and I is the number of
iterations (fixed ahead of time independent of the data).
Memory accesses for data Memory accesses for instructions
Program Strawman Opt 1 Opt 2 Strawman Opt 1 Opt 2
Dijkstra O(n2 logc n) O(n2 logc n) O(n2 logc n) O(n2P logc P ) O(n2P ) O(n2P )
K-means O(Ink logc n) O(Ink logc n) O(Ink) O(InkP logc P ) O(InkP ) O(InkP )
Matrix multiplication O(n3 logc n) O(n3 logc n) O(n3) O(n3P logc P ) O(n3P ) O(n3P )
Find max O(n logc n) O(n logc n) O(n) O(nP logc P ) O(nP ) O(nP )
VI. RELATED WORK
We are the first to approach the problem of achieving
privacy using ORAM from a programming languages theory
perspective. Previously, the research community has largely
considered generic oblivious program simulation (i.e., plac-
ing all variables in a single ORAM) [17], [12]), which is
relatively inefficient and can leak information through the
memory trace. Work that has addressed the memory trace
channel has not done so formally, and therefore provides
no rigorous guarantees [50]. Several others have proposed
custom data-oblivious algorithms [20], [11] that achieve
asymptotically better performance than generic oblivious
simulation, but do not scale in terms of human effort due to
the need to design for each specific problem. In comparison,
our proposed approach provides a rigorous security guaran-
tee (memory trace obliviousness) and compiles programs so
that they achieve this guarantee. By partitioning variables
and array contents among multiple ORAM banks we can
sometimes asymptotic performance improvements compared
to generic simulation.
Oblivious RAM (ORAM) was first proposed by Goldreich
and Ostrovsky [17]. Since its proposal, various improve-
ments have been proposed [19], [27], [46], [18], [16], [45].
Our programming language techniques rely on ORAM as
a black box; it does not matter which underlying ORAM
scheme is employed. Active DRAM capable of handling
programmable logic (e.g., the emerging Hybrid Memory
Cube technology [6]) can also be used in place of ORAM.
In this case, encrypted memory addresses can be transmitted
over the bus, and Active DRAM would be able to decrypt
those addresses. Our techniques would also readily apply
when the underlying hardware realization is Active DRAM.
Our work draws ideas from existing type systems that
enforce information flow security [34]. The main difference
in our setting is the adversary model: we assume the
adversary can view the memory trace, which includes the
number and content of events, and program termination.
In general, we are more restrictive than type systems that
enforce standard, termination-insensitive noninterference, as
illustrated with examples in Section III-D. We are the first to
state the memory trace obliviousness property, and to present
a type system and compiler for enforcing it.
Our requirement that loops have low guards and that
conditionals produce equivalent traces is reminiscent of work
that transforms programs to eliminate timing channels [1],
[4], [22], [7] where inserted padding aims to equalize
execution times. Memory trace obliviousness is orthogonal
to timing-sensitive noninterference; while methods for en-
forcing them are similar, programs satisfying the first need
not satisfy the second, and vice versa.
VII. CONCLUSIONS AND FUTURE WORK
This paper has proposed the property of memory-trace
oblivious execution as a practical requirement of using the
XOM model [44] for cloud computing, in which the cloud
provider’s CPU is trusted, but the rest of the hardware is sub-
ject to physical attacks. We have presented a programming
language that stores secret data in oblivious RAM (ORAM)
and defined a type system for proving that programs written
in this language ensure memory trace oblivious execution.
We have also presented a simple compiler that allocates se-
cret variables to different ORAM banks and performs some
simple program transformations toward ensuring programs
are safe. Our approach can achieve asymptotic performance
gains for many real-world programs compared to storing all
variables in a single ORAM.
At present we are considering three avenues of future
work. First, we plan to explore how to compose work on
mitigating timing channels with our work. One simple com-
position would perform black-box, predictive mitigation [3]
on the output from our compiler (suitably adjusted to ensure
we retain our memory obliviousness guarantee). A more
language-level integration is also possible [49].
Second, we plan a more architecture-aware development
of our ideas. Just as inserted padding can be ineffective
for timing channels because it fails to account for chip-
level features such as branch predictors and caches [22],
these features can confound our attempts ensure oblivious
execution traces. For example, instruction and data fetches
to main memory might be suppressed because they are
present in cache, and this presence may be due to secret
information. One solution to this problem is to place such
features between the ORAM controller and main memory,
but this may be impractical. In the worst case, as Zhang
et al., some features can be temporarily disabled (in high
contexts) to avoid leaks. We are developing an architectural
prototype and simulator to assess various options.
Finally, we plan to develop a more full-featured compiler.
In addition to inserting padding, as happens now, we will
explore program transformations for hoisting loops or condi-
tionals, as sketched in Section III-D. We will also account for
more language features, such as dynamic memory allocation,
which can itself be a source of leaks. We may also incor-
porate more sophisticated decision procedures for enabling
more array elements to be safely stored across ORAM banks.
REFERENCES
[1] Johan Agat. Transforming out timing leaks. In 27th
ACM Symposium On Principles OF Programming Languages
(POPL), pages 40–53, 2000.
[2] Aslan Askarov, Sebastian Hunt, Andrei Sabelfeld, and David
Sands. Termination-insensitive noninterference leaks more
than just a bit. In Proceedings of the 13th European
Symposium on Research in Computer Security: Computer
Security, ESORICS ’08, pages 333–348, Berlin, Heidelberg,
2008. Springer-Verlag.
[3] Aslan Askarov, Danfeng Zhang, and Andrew C. Myers. Pre-
dictive black-box mitigation of timing channels. In ACM Con-
ference on Computer and Communications Security, pages
297–307, 2010.
[4] Gilles Barthe, Tamara Rezk, and Martijn Warnier. Preventing
timing leaks through transactional branching instructions.
Electron. Notes Theor. Comput. Sci., 153(2):33–55, May
2006.
[5] Michael R. Clarkson, Stephen Chong, and Andrew C. Myers.
Civitas: Toward a secure voting system. In IEEE Symposium
on Security and Privacy (Oakland), 2008.
[6] HMC Consortium. Hybrid memory cube.
http://hybridmemorycube.org/.
[7] Bart Coppens, Ingrid Verbauwhede, Koen De Bosschere, and
Bjorn De Sutter. Practical mitigations for timing-based side-
channel attacks on modern x86 processors. In Proceedings
of the 2009 30th IEEE Symposium on Security and Privacy,
SP ’09, pages 45–60, Washington, DC, USA, 2009. IEEE
Computer Society.
[8] Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest,
and Clifford Stein. Introduction To Algorithms, Third Edition.
MIT Press, 2009.
[9] Zhenyue Deng and Geoffrey Smith. Lenient array operations
for practical secure information flow. In Proceedings of the
17th Computer Security Foundations Workshop, pages 115–
124. IEEE, June 2004.
[10] Dominique Devriese and Frank Piessens. Noninterference
through secure multi-execution. In Proceedings of the 2010
IEEE Symposium on Security and Privacy, pages 109–124,
2010.
[11] David Eppstein, Michael T. Goodrich, and Roberto Tamassia.
Privacy-preserving data-oblivious geometric algorithms for
geographic data. In GIS, pages 13–22, 2010.
[12] Christopher W. Fletcher, Marten van Dijk, and Srinivas
Devadas. A secure processor architecture for encrypted
computation on untrusted programs. In Proceedings of the
seventh ACM workshop on Scalable trusted computing, STC
’12, pages 3–8. ACM, 2012.
[13] Jeffrey S. Foster, Robert Johnson, John Kodumal, and Alex
Aiken. Flow-Insensitive Type Qualifiers. ACM Transac-
tions of Programming Languages and Systems (TOPLAS),
28(6):1035–1087, November 2006.
[14] M. Garey and D. Johnson. Computers and Intractability: A
Guide to the Theory of NP-Completeness. W.H. Freeman,
1979.
[15] Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, David
Mazières, John C. Mitchell, and Alejandro Russo. Hails:
protecting data privacy in untrusted web applications. In
Proceedings of the 10th USENIX conference on Operating
Systems Design and Implementation, OSDI’12, pages 47–60,
Berkeley, CA, USA, 2012. USENIX Association.
[16] O. Goldreich. Towards a theory of software protection and
simulation by oblivious RAMs. In ACM Symposium on
Theory of Computing (STOC), 1987.
[17] Oded Goldreich and Rafail Ostrovsky. Software protection
and simulation on oblivious RAMs. J. ACM, 1996.
[18] Michael T. Goodrich and Michael Mitzenmacher. Privacy-
preserving access of outsourced data via oblivious RAM sim-
ulation. In International Colloquium on Automata, Languages
and Programming (ICALP), pages 576–587, 2011.
[19] Michael T. Goodrich, Michael Mitzenmacher, Olga Ohri-
menko, and Roberto Tamassia. Privacy-preserving group data
access via stateless oblivious RAM simulation. In ACM-SIAM
Symposium on Discrete Algorithms (SODA), 2012.
[20] Michael T. Goodrich, Olga Ohrimenko, and Roberto Tamas-
sia. Data-oblivious graph drawing model and algorithms.
CoRR, abs/1209.0756, 2012.
[21] J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William
Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feld-
man, Jacob Appelbaum, and Edward W. Felten. Lest we
remember: cold-boot attacks on encryption keys. Commun.
ACM, 52(5):91–98, 2009.
[22] Daniel Hedin and David Sands. Timing aware information
flow security for a javacard-like bytecode. Electron. Notes
Theor. Comput. Sci., 141(1):163–182, December 2005.
[23] Adam Holt, Keith Weiss, Katy Huberty, Ehud Gelblum,
Simon Flannery, Sanjay Devgan, Atif Malik, Nathan Ro-
zof, Adam Wood, Patrick Standaert, Francois Meunier, Jas-
mine Lu, Grace Chen, Bill Lu, Keon Han, Vipin Khare,
and Masaharu Miyachi. Cloud computing takes off,
market set to boom as migration accelerates. Morgan
Stanley Blue Paper, http://www.morganstanley.com/views/
perspectives/cloud computing.pdf, 2011.
[24] Safety joins performance: Infineon introduces automotive
multicore 32-bit microcontroller family aurix-tm to meet
safety and powertrain requirements of upcoming vehicle gen-
erations. http://www.infineon.com/cms/en/corporate/press/
news/releases/2012/INFATV201205-040.html.
[25] Jif: Java + information flow. http://www.cs.cornell.edu/jif/.
[26] Vineeth Kashyap, Ben Wiedermann, and Ben Hardekopf.
Timing- and termination-sensitive secure information flow:
Exploring a new approach. In Proceedings of the 2011 IEEE
Symposium on Security and Privacy, pages 413–428, 2011.
[27] Eyal Kushilevitz, Steve Lu, and Rafail Ostrovsky. On
the (in)security of hash-based oblivious RAM and a new
balancing scheme. In ACM-SIAM Symposium on Discrete
Algorithms (SODA), 2012.
[28] Chang Liu, Michael Hicks, and Elaine Shi. Memory trace
oblivious program execution. Technical Report CS-TR-5020,
University of Maryland Department of Computer Science,
2013. http://www.cs.umd.edu/∼mwh/papers/pl-oram-tr.pdf.
[29] Martin Maas, Eric Love, Emil Stefanov, Mohit Tiwari, Elaine
Shi, John Kubiatowicz, Krste Asanovic, Ch. Papamanthou,
and Dawn Song. Practical, on-demand oblivious computation.
Manuscript in submission, 2012.
[30] Jonathan M. McCune, Yanlin Li, Ning Qu, Zongwei Zhou,
Anupam Datta, Virgil D. Gligor, and Adrian Perrig. Trustvi-
sor: Efficient TCB reduction and attestation. In IEEE Sym-
posium on Security and Privacy, 2010.
[31] Bryan Parno, Jonathan M. McCune, Dan Wendlandt, David G.
Andersen, and Adrian Perrig. Clamp: Practical prevention
of large-scale data leaks. In Proceedings of the 2009 IEEE
Symposium on Security and Privacy, May 2009.
[32] François Pottier and Vincent Simonet. Information flow in-
ference for ml. ACM Trans. Program. Lang. Syst., 25(1):117–
158, January 2003.
[33] Brian Rogers, Siddhartha Chhabra, Milos Prvulovic, and
Yan Solihin. Using address independent seed encryption
and bonsai merkle trees to make secure processors os- and
performance-friendly. In Proceedings of the 40th Annual
IEEE/ACM International Symposium on Microarchitecture,
MICRO 40, pages 183–196, 2007.
[34] Andrei Sabelfeld and Andrew C. Myers. Language-based
information-flow security. IEEE Journal on Selected Areas
in Communications, 21(1):5–19, January 2003.
[35] Reiner Sailer, Xiaolan Zhang, Trent Jaeger, and Leendert
van Doorn. Design and implementation of a TCG-based
integrity measurement architecture. In Proceedings of the
13th conference on USENIX Security Symposium - Volume 13,
SSYM’04, pages 16–16, Berkeley, CA, USA, 2004. USENIX
Association.
[36] Elaine Shi, T.-H. Hubert Chan, Emil Stefanov, and Mingfei
Li. Oblivious RAM with O((logN)3) worst-case cost. In
ASIACRYPT, pages 197–214, 2011.
[37] Elaine Shi, Adrian Perrig, and Leendert Van Doorn. BIND: A
fine-grained attestation service for secure distributed systems.
In IEEE Symposium on Security and Privacy, 2005.
[38] Weidong Shi and Hsien-Hsin S. Lee. Authentication control
point and its implications for secure processor design. In
Proceedings of the 39th Annual IEEE/ACM International
Symposium on Microarchitecture, MICRO 39, pages 103–
112, Washington, DC, USA, 2006. IEEE Computer Society.
[39] Weidong Shi, Hsien-Hsin S. Lee, Mrinmoy Ghosh, and
Chenghuai Lu. Architectural support for high speed protec-
tion of memory integrity and confidentiality in multiprocessor
systems. In Proceedings of the 13th International Conference
on Parallel Architectures and Compilation Techniques, PACT
’04, pages 123–134, Washington, DC, USA, 2004. IEEE
Computer Society.
[40] Weidong Shi, Hsien-Hsin S. Lee, Mrinmoy Ghosh, Chenghuai
Lu, and Alexandra Boldyreva. High efficiency counter mode
security architecture via prediction and precomputation. In
Proceedings of the 32nd annual international symposium on
Computer Architecture, ISCA ’05, pages 14–24, Washington,
DC, USA, 2005. IEEE Computer Society.
[41] Sergei Skorobogatov. Low temperature data remanence in
static RAM. Technical Report UCAM-CL-TR-536, Univer-
sity of Cambridge, Computer Laboratory, June 2002.
[42] Emil Stefanov, Elaine Shi, and Dawn Song. Towards practical
oblivious RAM. In Network and Distributed System Security
Symposium (NDSS), 2012.
[43] G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van
Dijk, and Srinivas Devadas. Aegis: architecture for tamper-
evident and tamper-resistant processing. In Proceedings of
the 17th annual international conference on Supercomputing,
ICS ’03, pages 160–171, New York, NY, USA, 2003. ACM.
[44] David Lie Chandramohan Thekkath, Mark Mitchell, Patrick
Lincoln, Dan Boneh, John Mitchell, and Mark Horowitz.
Architectural support for copy and tamper resistant software.
SIGOPS Oper. Syst. Rev., 34(5):168–177, November 2000.
[45] Peter Williams and Radu Sion. Single round access privacy
on outsourced storage. In CCS, 2012.
[46] Peter Williams, Radu Sion, and Bogdan Carbunar. Building
castles out of mud: practical access pattern privacy and
correctness on untrusted storage. In Proceedings of the 15th
ACM conference on Computer and communications security,
CCS ’08, pages 139–148, New York, NY, USA, 2008. ACM.
[47] Peter Williams, Radu Sion, and Alin Tomescu. Privatefs: a
parallel oblivious file system. In Proceedings of the 2012
ACM conference on Computer and communications security,
CCS ’12, pages 977–988, New York, NY, USA, 2012. ACM.
[48] Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and
David Mazières. Making information flow explicit in histar.
Commun. ACM, 54(11):93–101, 2011.
[49] Danfeng Zhang, Aslan Askarov, and Andrew C. Myers.
Language-based control and mitigation of timing channels.
In PLDI, pages 99–110, 2012.
[50] Xiaotong Zhuang, Tao Zhang, and Santosh Pande. Hide: an
infrastructure for efficiently protecting information leakage on
the address bus. SIGARCH Comput. Archit. News, 32(5):72–
84, October 2004.




t1 ≡ t′1 t2 ≡ t′2
t1@t2 ≡ t′1@t′2
(t1@t2)@t3 ≡ t1@(t2@t3)
t1 ≡ t2 t2 ≡ t3
t1 ≡ t3
Figure 10. Trace equivalence
APPENDIX
I. PROOFS
A. Trace equivalence and lemmas
We shall further study some properties of trace equiva-
lence. First of all, we define the length of a trace t, denoted
as |t| to be:
|t| =

1 if t = read(x, n) | write(x, n) | fetch(p) |
readarr(x, n, n′) | writearr(x, n, n′)
0 if t = ε
|t1|+ |t2| if t = t1@t2
(1)
Lemma 1. If t1 ≡ t2, then |t1| = |t2|.
Proof: Let us prove by induction on how t1 ≡ t2 is
derived. If t1 = t2, then the conclusion is obvious. If t1 =
ε@t2, then |t1| = |ε| + |t2| = |t2|. Similarly, we can prove
the conclusion when t1 = t2@ε, t2 = ε@t1, t2 = t1@ε, or
t1 = ε@t and t2 = t@ε.
If t1 = t11@t12, t2 = t21@t22, t11 ≡ t21, and t12 ≡ t22,
then by induction, we have |t11| = |t21|, and |t12| = |t22|.
Therefore |t1| = |t11|+ |t12| = |t21|+ |t22| = |t2|.











|t1| = |t′1@t′2|+|t′3| = |t′1|+|t′2|+|t′3| = |t′1|+|t′2@t′3| = |t2|.




ε if i ≤ 0 ∨ i > |t|
t if i = 1 ∧ t = read(x, n) | write(x, n) |
fetch(p) | readarr(x, n, n′) |
writearr(x, n, n′)
t1[i] if t = t1@t2 ∨ 1 ≤ i ≤ |t1|
t2[i− |t1]] if t = t1@t2 ∨ |t1| < i ≤ |t|
It is easy to see that if ∀i.t1[i] = t2[i] implies |t1| = |t2|
by the following lemma.
Lemma 2. t[i] 6= ε for all i such that 1 ≤ i ≤ |t|, and ε
otherwise.
Proof: The second part of the conclusion is trivial since
it directly follows the definition. We prove the first part by
induction on |t|. If |t |= 0, then the conclusion is trivial.
If |t |= 1, and 1 ≤ i ≤ |t|, then i must be 1. Therefore, t[i]
is one of read(x, n, write(x, n), fetch(p), readarr(x, n, n′),
and writearr(x, n, n′), and therefore t[i] 6= ε.
If |t| > 1, then t must be a concatenation of two subse-
quences, i.e. t1@t2. If 1 ≤ i ≤ |t1|, then t[i] = t1[i], and by
induction, we know that t[i] 6= ε. Otherwise, if |t1| < i ≤ |t|,
then 0 < i − |t1| ≤ |t ` |t1| = |t2|. For natural number n,
n > 0 implies n ≥ 1. Therefore 1 ≤ i− |t1| ≤ |t2|, and by
induction, we have t[i] = t2[i− |t1]] 6= ε.
Before we go to the next lemma, we shall define the
canonical representation of a trace. First, we define the
number of blocks in a trace t, denoted by #(t), as
#(t) =
{
#(t1) + #(t2) if t = t1@t2
1 otherwise
Then we define an order t between two traces t1 and t2 as
follows: t1 t t2 if and only if either of the following two
conditions hold true: (i) #(t1) < #(t2), or (ii) #(t1) =
#(t2) ≥ 2, t1 = t′1@t′′1 , t2 = t′2@t′′2 , and either of the







1 t t′2; or (ii.c) t′1 = t′2
and t′′1  t′′2 . It is easy to see that t is complete.
Definition 4 (canonical representation). The canonical rep-
resentation of a trace t is the minimal element in the set
{t′ : t ≡ t′} under order t.
Lemma 3. The canonical representation of t is (i) ε is |t |=
0; or (ii) can(t) = (...((t1@t2)@t3)...@tn), where n = |t| >
0, and ti = t[i].
Proof: On the one hand, it is easy to see that can(t)
belongs to the set {t′ : t ≡ t′}. In fact, we can prove by
induction on #(t). If #(t) = 1, then either |t |= 1, or |t |=
0. For the former case, t is one of read(x, n, write(x, n),
fetch(p), readarr(x, n, n′), and writearr(x, n, n′), and thus
t = t[1] = can(t). For the later case, t = ε.
Now suppose #(t) > 1, and thus t = t′@t′′. Sup-
pose |t′ |= l1 and |t′′ |= l2. If l2 = 0, by induc-
tion, t′′ = ε, and thus t ≡ t′. Furthermore, we have
|t| = |t′|, and ∀i.t[i] = t′[i] by definition. Therefore
t ≡ t′ ≡ can(t′) = can(t). Similarly, we can prove the
conclusion is true when l1 = 0. Now suppose l1 > 0
and l2 > 0, then can(t′) = (...((t1@t2)@t3)...tl1), and
can(t′′) = (...((tl1+1@tl1+2)@tl1+3)...@tl1+l2). Then t ≡
can(t′)@can(t′′) ≡ can(t).
On the other hand, we shall show that can(t) is the
minimal one in {t′ : t ≡ t′}. To show this point, we only
need to show that for all t′ ≡ can(t), we have can(t) t t′.
We prove by induction on n. If n = 1, the conclusion is
obvious. Suppose n > 1 and the conclusion holds true for
all n′ < n.
It is easy to see that #(t′) > 1, therefore we suppose
t′ = tl@tr. Then we prove that there exists k such that
tl ≡ (...(t1@t2)...@tk) and tr ≡ (...(tk+1@tk+2)...@tn).
We prove by induction on n and how many steps of
equivalent-transitive rule, i.e., t1 ≡ t2 ∧ t2 ≡ t3 ⇒ t1 ∧ t3,
should be applied to derive can(t) ≡ t′. If we should
apply 0 step, then we know one of the following situations
holds: (i) t′ = t′′@tn where t′′ ≡ (...(t1@t2)...@tn−1);
(ii) t′ = (...(t1@t2)...tn−2)@(tn−1@tn); (iii) t′ = t@ε;
or (iv) t′ = ε@t. In any case, our conclusion holds true.
Now suppose we need to apply n > 0 steps to derive t′,
where in the n− 1 step, we derive that can(t) ≡ t′′ and we
can derive t′′ ≡ t′ without applying the equivalent-transitive
rule. Therefore by induction, we know that t′′ = t′′l @t
′′
r ,
and there is k such that t′′l ≡ (...(t1@t2)...@tk) and
t′′r ≡ (...(tk+1@tk+2)...@tn). Since we can derive t′′ ≡ t′
without applying equivalent-transitive rule, we know that
one of the following situations holds:
1 t′′l ≡ tl and t′′r ≡ tr;
2 t′ = ε@t′′;
3 t′ = t′′@ε;
4 t′′ = t′@ε;
5 t′′ = ε@t′;
6 ε@t′ = t′′@ε;
7 t′@ε = ε@t′′;
8 t′′l = (tl1@tl2), tl ≡ tl1, and tr ≡ tl2@t′′r (in this case,
we have (tl1@tl2)@t′′r ≡ tl1@(tl2@t′′r )); and
9 t′′r = (tr1@tr2), tl ≡ t′′l @tr1, and tr ≡ tr2 (in this case,
we have t′′l @(tr1@tr2) ≡ (t′′l @tr1)@tr2).
For the first 7 cases, the conclusion is trivial. For
Case 8, by induction, we know there are some k′
such that tl1 ≡ (...(t1@t2)...@tk′) and tl2 ≡
(...(tk′+1@tk′+2)...@tk). Therefore tl ≡ (...(t1@t2)...@tk′),
and tr ≡ (...(tk′+1@tk′+2)...@tk)@(...(tk+1@tk+2)...@tn)
while the later is equivalent to (...(tk′+1@tk′+2)...@tn).
Similarly, we can prove under case 9, the conclusion is also
true.
Next, we prove that can(t) t tl@tr. To show this
point, by induction, we know (...(t1@t2)...@tk)  tl and
(...(tk+1@tk+2)...@tn)  tr. If either #(tl) > k or #(tr) >
n − k, we have #(t′) > n and thus can(t)  t′. Suppose
#(tl) = k and #(tr) = n−k. If k < n−1, then by the def-
inition of , we have can(t) t t′. Next suppose k = n−1,
then by induction, we know (...(t1@t2)...@tn−1) t tl, and
thus can(t) t tl@tr = t′.
Next is the most important lemma about trace-
equivalence.
Lemma 4. t1 ≡ t2, if and only if ∀i.t1[i] = t2[i].
Proof: “⇒” Suppose ∀i.t1[i] = t2[i]. Then by
Lemma 4, we know can(t1) = can(t2), and thus t1 ≡
can(t1) ≡ can(t2) ≡ t2.
“⇐” Suppose t1 ≡ t2, then by Lemma 4, we have
can(t1) ≡ can(t2). Due to both can(t1) and can(t2) have
the same form, we know they are identical. Therefore, we
can conclude that ∀i.t1[i] = t2[i].
B. Lemmas on trace pattern equivalence
Trace pattern equivalence has similar properties as trace
equivalence. If fact, we define the length of a trace pattern
T , denoted as |T |, to be
|T | =
 1 if T = Read(x) | Fetch(p)0 if T = ε|T1|+ |T2| if T = T1@T2
Similar to trace, we define the i-th element in a trace
pattern T , denoted T [i], as follows:
T [i] =

ε if i ≤ 0 ∨ i > |T |
T if i = 1 ∧ T = Read(x) | Fetch(p)
T1[i] if T = T1@T2 ∨ 1 ≤ i ≤ |T1|
T2[i− |T1]] if T = T1@T2 ∨ |T1| < i ≤ |T |
Using exactly the same technique, we can prove the
following lemma:
Lemma 5. T1 ∼L T2, if and only if ∀i.T1[i] = T2[i].
To avoid verbosity, we do not provide the full proof here.
It is quite similar to the proof of Lemma 4
C. Proof of memory trace obliviousness
To prove Theorem 1, memory trace obliviousness by
typing, we shall first prove the following lemma:
Lemma 6. If Γ ` e : Nat L;T , then for any two Γ-valid low-
equivalent memories M1, M2, if 〈M1, e〉 ⇓t1 n1, 〈M2, e〉 ⇓t2
n2, then t1 = t2 and n1 = n2
Proof: We use structural induction on expression e
to prove this lemma. If e is in form of x, then Γ(x) =
Nat L, and thus M1(x) = M2(x) = n according to
the definition of low-equivalence and Γ-validity. Therefore
t1 = read(x, n) = t2, and n1 = n2 = n.
If e is in form of e1 op e2, then Γ ` e1 : Nat L and
Γ ` e2 : Nat L. Suppose 〈Mi, ej〉 ⇓tij n′ij , for i = 1, 2, j =
1, 2. Then t1j = t2j and n1j = n2j for j = 1, 2. Therefore
t1 = t11@t12 = t21@t22 = t2, and n1 = n11 op n12 =
n21 op n22 = n2.
Next, we consider the expression in form of x[e].
We know that Γ(x) = Array L, which implies
Γ ` e : Nat L. Suppose 〈Mi, e〉 ⇓t′i n
′
i, then by







M1 ∼L M2, we have ∀i ∈ Nat.M1(x)(i) = M2(x)(i).
Therefore t1 = t′1@readarr(x, n′1,M1(x)(n′1)) =






Finally, the conclusion is trivial for constant expression.
For convenience, we define lab : Type→ SecLabels as:
lab(τ) =
{
l if τ = Int l
l if τ = Array l
Similar to Lemma 6, we can prove the following lemma:
Lemma 7. If Γ ` e : Nat l;T and l ∈ ORAMBanks, then
for any two Γ-valid low-equivalent memories M1, M2, if
〈M1, e〉 ⇓t1 n1, 〈M2, e〉 ⇓t2 n2, then t1 = t2
Proof: If l = L, then the conclusion is obvious by
Lemma 6. We only consider l ∈ ORAMBanks. We use
structural induction to prove this lemma. If e is in form of
x, then according to the definition of Γ-validity and evt(·),
we have t1 = lab(Γ(x)) = t2.
If e is in form of e1 op e2, then Γ ` e1 : Nat l1 and
Γ ` e2 : Nat l2. Suppose 〈Mi, ej〉 ⇓tij n′ij , for i = 1, 2, j =
1, 2. Then t1j = t2j , for j = 1, 2 by induction. Therefore
t1 = t11@t12 = t21@t22 = t2.
Finally, we consider the expression in form of x[e]. We




then t′1 = t
′
2 by Lemma 6. Otherwise, l ∈ ORAMBanks,
and by induction assumption, we have t′1 = t
′
2. Since






Now we shall study the property of trace pattern equiva-
lence. First of all, we have the following lemma:
Lemma 8. Suppose s and S are a statement and a labeled
statement respectively. If Γ, l0 ` s;T , l0 ∈ ORAMBanks
and 〈M, s〉 ⇓t M ′, or Γ, l0 ` S;T , l0 ∈ ORAMBanks and
〈M,S〉 ⇓t M ′, then M ∼L M ′.
Proof: We prove by induction on the statement s and
labeled statement S. Notice that the statement is impossible
to be while statement. The conclusion is trivial for the
statement skip.
If s is x := e, then l0 ⊆ lab(Γ(x)), and thus lab(Γ(x)) ∈
ORAMBanks. Therefore M ′ = M [x 7→ (n, l)] for some
natural number n and some security label l, which implies
M ′ ∼L M . Similarly, if s is x[e1] := e2, then lab(Γ(x)) ∈
ORAMBanks. Furthermore, 〈M,x[e1] := e2〉 ⇓t M [x 7→
(m, l)] for some mapping m, and some security label
l ∈ ORAMBanks. Therefore M ′ = M [x 7→ (m, l)], which
implies for x such that M(x) = (n,L), we know that
M ′(x) = (n,L). Therefore M ′ ∼L M .
Next, let us consider statement if(e, S1, S2). Then we
know either of the two conditions holds true: (1) 〈M,S1〉 →
M ′, and (2) 〈M,S2〉 → M ′. Since Γ, l0 ` if(e, S1, S2);T ,
we have Γ, l′ ` S1;T1, and Γ, l′ ` S2;T2, where l0 v l′.
Therefore we know for either condition, we have M ∼L M ′.
Then, for labeled statement p : s′, we know by induction
that Γ, l0 ` s′;T , l0 ∈ ORAMBanks, and 〈M, s′〉 ⇓t′ M ′.
Therefore M ∼L M ′.
Finally, for sequence of two statements S1;S2, suppose
〈M,S1〉 ⇓t M1, and 〈M1, S2〉 ⇓t′ M ′. Then M ∼L M1 ∼L
M ′.
According to definition of the trace pattern equivalence,
it is obvious to see that, if T ∼L T ′, then T is a sequence,
whose element each is in the form of Fetch(p), Read(x), ε,
and o.
We shall define a trace t belongs to a trace pattern T ,
under a memory M , denoted by t ∈ T [M ] as follows:
ε ∈ ε[M ] o ∈ o[M ] fetch(p) ∈ Fetch(p)[M ]
t1 ∈ T1[M ] t2 ∈ T2[M ]
t1@t2 ∈ T1@T2[M ]
t ∈ T [M ] T ∼L T ′
t ∈ T ′[M ]
M(x) = (n,L), n ∈ Nat
read(x, n) ∈ Read(x)[M ]
Now, we prove the most important lemma for t ∈ T [M ]:
Lemma 9. t ∈ T [M ] if and only if |t| = |T | and ∀i.t[i] ∈
(T [i])[M ].
Proof: “⇒” Suppose |t| = |T | and ∀i.t[i] ∈ (T [i])[M ].
We prove by induction on #(t). If #(t) = 1, then the
conclusion is trivial. Assume the conclusion holds for all
#(t′) < n, now suppose #(t) = n > 1. Then we know
t = t1@t2. If t1 = ε, then we know |t2| = |t| = |T |
and ∀i.t2[i] = t[i] ∈ (T [i])[M ], by induction, we know
t2 ∈ T [M ]. Furthermore, we have t1 = ε ∈ ε[M ],
therefore t1@t2 ∈ ε@T [M ]. Since ε@T ∼L T , we have
t = t1@t2 ∈ T [M ]. A similar arguement shows that if
t2 = ε, then we also have t ∈ T [M ].
Now let us consider when |t1 |= 0. By induction, we
have t1 ∈ ε[M ] and t2 ∈ T [M ], and then again, we have
t ∈ T [M ]. Similarly, if |t2 |= 0, we also have t ∈ T [M ].
Now assume |t1| > 0 and |t2| > 0, and
suppose T1 = (...(T1@T2)...@T|t1|) and T2 =
(...(T|t1|+1@T|t1|+2)...@T|T |). Then by induction, we know
that t1 ∈ T1[M ] and t2 ∈ T2[M ], and thus t1@t2 ∈
T1@T2[M ]. According to Lemma 5, we have T1@T2 ∼L T ,
and thus t = t1@t2 ∈ T [M ].
“⇐” We prove by induction on how many steps to derive
t ∈ T [M ]. Suppose we need only 1 step, then one of the
following four conditions is true: (i) t = ε = T ; (ii) t = o =
T ; (iii) t = fetch(p), T = Fetch(p); (iv) t = read(x, n),
T = Read(x) and M(x) = n. In either case, the conclusion
is trivial.
Then suppose we need n step, and the last step is derived
from t = t1@t2, T = T1@T2, and t1 ∈ T2[M ] and t2 ∈
T2[M ]. Then by induction we have |t1| = |T1|, |t2| = |T2|,
∀i.t1[i] ∈ (T1[i])[M ], and ∀i.t2[i] ∈ (T2[i])[M ]. For i < 1
or i > |T |, then t[i] = ε = T [i], and thus t[i] ∈ (T [i])[M ].
If 1 ≤ i ≤ |T1|, then t[i] = t1[i] and T [i] = T1[i], and by
induction, we have t[i] ∈ (T [i])[M ]; if |T1| < i ≤ |T |, then
t[i] = t2[i− |t1]] and T [i] = T2[i− |T1]], and by induction,
we have t[i] ∈ (T [i])[M ].
Finally, suppose we need n step, and the last step is
derived from t ∈ T ′[M ] and T ′ ∼L T . Then according
to Lemma 5, we know that ∀i.T ′[i] = T [i], which also
implies that |T ′| = |T |. By induction, we have |t| = |T ′|
and ∀i.t[i] ∈ (T ′[i])[M ], and therefore, we have ∀i.t[i] ∈
(T [i])[M ] and |t| = |T |.
We have the following corollaries.
Corollary 1. If M1 ∼L M2, and t ∈ T [M1], then t ∈
T [M2].
Proof: By Lemma 9, we only need to show that
∀i.t[i] ∈ (T [i])[M2].
Let us prove by structural induction on how t ∈ T [M ]
is derived. If t = ε = T , or t = o = T , or t = fetch(p)
and T = Fetch(p), or t = t1@t2 and T = T1@T2, then the
conclusion is trivial. The only condition we need to prove
is when t = read(x, n), and T = Read(x). If so, since
t ∈ T [M1], therefore M1(x) = (n,L). Since M1 ∼L M2,
we know that M2(x) = (n,L). Therefore, we have t =
read(x, n) ∈ Read(x)[M2] = T [M2].
According to the definition of T [i], we know it is in one
of the following four forms: ε, Fetch(p), o, or Read. If
T [i] = ε, then we know i < 1 or i > |T | = |t1|. Therefore
t[i] = ε, and thus t[i] ∈ (T [i])[M2]. If T [i] = Fetch(p),
then we know t[i] = fetch(p), and if T [i] = o, then we
know t[i] = o. In both situations, we have t[i] ∈ (T [i])[M2].
Finally, if T [i] = Read(x), then we know t[i] = read(x, n)
where n = M1[x]. Since M1 ∼L M2, we have M2[x] = n,
and thus t[i] ∈ (T [i])[M2].
Corollary 2. If t1 ∈ T [M ] and t2 ∈ T [M ], then t1 ≡ t2.
Proof: Assume t1 ∈ T [M ], and t2 ∈ T [M ], according
to Lemma 9, we have |t1| = |T | = |t2|, ∀i.t1[i] ∈ (T [i])[M ],
and ∀i.t2[i] ∈ (T [i])[M ]. According to the definition of T [i],
we know it is in one of the following four forms: ε, Fetch(p),
o, or Read. If T [i] = ε, then we know i < 1 or i > |T | =
|t1| = |t2|. Therefore t1[i] = t2[i] = ε. If T [i] = Fetch(p),
then we know t1[i] = t2[i] = fetch(p), and if T [i] = o,
then we know t1[i] = t2[i] = o. Finally, if T [i] = Read(x),
then we know t1[i] = read(x, n1), n1 = M [x], t2[i] =
read(x, n2), and n2 = M [x]. Therefore n1 = n2, and thus
t1[i] = t2[i]. Therefore ∀i.t1[i] = t2[i], and according to
Lemma 4, we have t1 ≡ t2.
Then we have the following lemmas:
Lemma 10. Suppose Γ ` e : τ ;T , T ∼L T ′ for some T ′,
and memory M is Γ-valid. If 〈M, e〉 ⇓t n, then t ∈ T [M ].
Proof: We prove by structural induction on e. If e is n,
then T = ε = t.
If e is x, then T = evt(lab(Γ(x)),Read(x)). If
lab(Γ(x)) = l ∈ ORAMBanks, then t = l ∈ l[M ]. If
lab(Γ(x)) = L, then T = Read(x), and t = read(x, n),
where M(x) = (n,L). According to the definition, we know
t ∈ T [M ].
If e is e1 op e2, then suppose 〈M, ei〉 ⇓ti ni and Γ `
ei : li;Ti for i = 1, 2. Then according to the induction
assumption, we have ti ∈ Ti[M ] for i = 1, 2. Since t =
t1@t2, and T = T1@T2, we know t ∈ T [M ].
Next we consider x[e′]. Suppose Γ ` e′ : Nat l′;T ′, and
〈M, e′〉 ⇓t′ n′, then T = T ′@evt(lab(Γ(x)),Readarr(x)),
and t = t′@evt(lab(Γ(x)), readarr(x, n′, n′′)) for some n′′.
Moreover, we have t′ ∈ T ′[M ] by induction. Since T ∼L
T ′, we know lab(Γ(x)) ∈ ORAMBanks. Therefore t =
t′@lab(Γ(x)) ∈ T ′@lab(Γ(x))[M ] = T [M ].
Lemma 11. Suppose Γ, l0 ` S;T , where S is normal
statement or labeled statement, T ∼L T ′ for some T ′,
and l0 ∈ ORAMBanks, and M is a Γ-valid memory. If
〈M,S〉 ⇓t M ′, then t ∈ T [M ].
Proof: We prove by structural induction on the state-
ment S. Since l0 6= L, therefore we know S cannot be a
while statement. If S is skip, then T = ε = t.
Let us consider when S is x := e. Then 〈M, e〉 ⇓t′ n′,
and Γ ` e : τ ;T ′, and T = T ′@evt(lab(Γ(x)),Write(x)).
Since T ∼L T , T does not contain Write(x), and thus
lab(Γ(x)) ∈ ORAMBanks. Therefore t = t′@lab(Γ(x)) ∈
T ′@lab(Γ(x))[M ] by Lemma 10.
Next, suppose S is x[e1] = e2. Suppose 〈M, ei〉 ⇓ti ni,
and Γ ` ei : τ ;Ti for i = 1, 2 by induction. Then
ti ∈ Ti[M ] for i = 1, 2. Similar to the discussion for
x := e, we know lab(Γ(x)) ∈ ORAMBanks, and thus
t = t1@t2@lab(Γ(x)) ∈ T1@T2@lab(Γ(x))[M ].
Next, let us consider (if)(e, S1, S2). Then Γ, l0 ` Si;Ti
for i = 1, 2, and T1 ∼L T2. As well Γ ` e : τ ;Te, 〈M, e〉 ⇓te
ne, idx = ite(ne, 1, 2), and 〈M,Sidx〉 ⇓tidx M ′. Then T =
Te@T1, and te ∈ Te[M ]. If idx = 1, then 〈M,S1〉t1M ′,
and thus t1 ∈ T1[M ]. Therefore t = te@t1 ∈ Te@T1[M ] =
T [M ]. Similarly, if idx = 2, then 〈M,S2〉t2M ′, and thus
t2 ∈ T2[M ]. Therefore t2 ∈ T1[M ]. As a conclusion t =
te@t2 ∈ Te@T1[M ] = T [M ].
Now consider the labeled statements S. If S is p:s,
then Γ, l0 ` s;T ′, and 〈M, s〉 ⇓t′ M ′. Therefore T =
Fetch(p)@T ′, and t = fetch(p)@t′. By induction assump-
tion, we have t′ ∈ T ′[M ]. Therefore t ∈ T [M ].
Finally, suppose S is S1;S2. Then we know Γ, l0 ` Si;Ti
for i = 1, 2, 〈M,S1〉 ⇓t1 M ′, and 〈M ′, S2〉 ⇓t2 M ′′. Since
l0 ∈ ORAMBanks, we know M ∼L M ′ ∼L M ′′. By in-
duction assumption, we know t1 ∈ T1[M ], and t2 ∈ T2[M ′].
Since M ∼L M ′, according to Corollary 1, we know
t2 ∈ T2[M ]. Therefore t = t1@t2 ∈ T1@T2[M ] = T [M ].
Lemma 12. Suppose Γ, l0 ` Si;Ti, for i = 1, 2, where
l0 ∈ ORAMBanks, and T1 ∼L T2. Given two Γ-valid low-
equivalent memories M1, M2, if 〈M1, S1〉 ⇓t1 M ′1, and
〈M2, S2〉 ⇓t2 M ′2, then M ′1 ∼L M ′2, and t1 ≡ t2.
Proof: According to Lemma 11, we know that ti ∈
Ti[Mi] for i = 1, 2. According to Lemma 8, we know that
M ′1 ∼L M1 and M ′2 ∼L M2. Since M1 ∼L M2, we know
that M ′1 ∼L M1 ∼L M2 ∼L M ′2. Because t1 ∈ T1[M1],
and M1 ∼L M2, therefore t1 ∈ T1[M2]. Furthermore, since
T1 ∼L T2, we have t1 ∈ T2[M2]. Finally, since t2 ∈ T2[M2],
and according to Corollary 2 we have t1 ≡ t2.
Now we are ready to prove Theorem 1.
Proof of Theorem 1: We extend this conclusion by
considering both normal statement and labeled statement,
and shall prove by induction on the statement s. For
notational convention, we suppose 〈M1, s〉 ⇓t1 M ′1, and
〈M2, s〉 ⇓t2 M ′2, and thus Γ, l0 ` S;T with M1 ∼L M2 and
both are Γ-valid. Our goal is prove t1 ≡ t2, and M1 ∼L M2.
If s is skip, it is obvious.
Suppose s is x := e, then Γ ` e : Nat l;T . Suppose
〈Mi, e〉 ⇓t′i ni, for i = 1, 2. According to Lemma 6 and
Lemma 7, we know t′1 = t
′
2. If lab(Γ(x)) ∈ ORAMBanks,
then M ′1 = M1[x 7→ (n1, l1)] ∼L M1 ∼L M2 ∼L M2[x 7→
(n2, l2)] = M
′





t2, which implies t1 ≡ t2.
If Γ(x) = Nat L, then we know Γ ` e : Nat L;T , and
according to Lemma 6, we have n1 = n2. Then we also
have M ′1 = M1[x → n1] ∼L M2[x → n2] = M ′2, and
t1 = t
′
1@read(x, n1) ≡ t′2@read(x, n2) = t2.
Next, suppose s is x[e1] := e2. Suppose 〈Mi, ej〉 ⇓tij
nij for i = 1, 2, j = 1, 2. If lab(Γ(x)) = L, then
we know Γ ` ej : Nat L, for j = 1, 2. Then by
Lemma 6, we have t1j = t2j , which implies t1j ≡
t2j , n1j = n2j , and according to the definition of Γ-
validity and low-equivalence, ∀i.M1(x)(i) = M2(x)(i).
Therefore t1 = t11@t21@writearr(x, n11, n12) ≡
t21@t22@writearr(x, n21, n22) = t2, and M ′1 = M1[x →
M1(x)[n11 → n12]] ∼L M2[x → M2(x)[n21 → n22]] =
M ′2.
Otherwise, if Γ(x) ∈ ORAMBanks, suppose Γ `
ei : Nat li;Ti, for i = 1, 2. Then we know l0 t l1 t
l2 v lab(Γ(x)). Therefore, by Lemma 7, based on the
same reasoning as above for Nat l case, we have t1 =
t11@t21@Γ(x) ≡ t21@t22@Γ(x) = t2. Furthermore, M ′1 =
M1[x → m1] ∼L M1 ∼L M2 ∼L M2[x → m2] = M ′2 for
some two mappings, m1 and m2.
Then suppose the statement is if(e, S1, S2). There are
two situations. If Γ ` e : Nat le;Te, where le t l0 ∈
ORAMBanks, then according to Lemma 12, we know
M ′1 ∼L M ′2, and t1 ≡ t2. Otherwise, we have le = L
and l0 = L. Suppose 〈Mi, e〉 ⇓t′i ni, for i = 1, 2, then
according to Lemma 6, we know t′1 = t
′
2, which implies
t′1 ≡ t′2, and n1 = n2. If ite(n1, 1, 2) = 1, then we
know 〈M1, S1〉 ⇓t′′1 M
′







1 ≡ t′1@t′′2 = t2, and M ′1 ∼L M ′2 by induction.
We can show the conclusion for ite(n1, 1, 2) = 2 similarly.
Next, let us consider the statement while(e, S). We know
Γ ` e : Nat L;T , therefore there exists a constant n, and
a trace t, such that 〈Mi, e〉 ⇓t, n for both i = 1, 2, by
Lemma 6.
We prove by induction on how many steps applying the
S-WhileT rule and S-WhileF rule (WHILE rules for short)
to derive 〈while(e, S),M1〉 ⇓t1〉. If we only apply one time,
then we must apply S-WhileF rule, and thus n = 0. Then we
have t1 = t = t2, and M ′1 = M1 ∼L M2 = M ′2. Suppose
the conclusion is true when we need to apply n−1 steps of
WHILE rules, now let us consider when we need to apply
n > 0 steps. Then we know n 6= 0. Suppose 〈Mi, S〉 ⇓ti1
Mi1, and 〈Mi1,while(e, S)〉 ⇓ti2 M ′i , for i = 1, 2. Then
we know that we need to apply n − 1 steps of WHILE
rules to derive 〈M11,while(e, S)〉 ⇓t12 M ′1. By induction,
we have t11 = t21, t12 = t22, and M11 ∼L M21. Therefore
M ′1 ∼L M ′2, and t1 = t11@t12 = t21@t22 = t2.
Then let us consider label statement p:s′. Suppose
〈Mi, s′〉 ⇓t′i M
′
i . Then t
′
1 ≡ t′2, and M ′1 ∼L M ′2 by
induction. Therefore t1 = fetch(p)@t′1 = fetch(p)@t′2 = t2.
Finally, let us consider S1;S2. Suppose Γ, l0 ` S1;T1,
Γ, l0 ` S2;T2, 〈Mi, S1〉 ⇓ti1 Mi1, and 〈Mi1, S2〉 ⇓t21 M ′i .
Then by induction assumption, we have t11 = t21, t12 =
t22, M11 ∼L M12, and thus M ′1 ∼L M ′2. Therefore t1 =
t11@t12 = t21@t22 = t2.
II. BENCHMARK PROGRAMS
Source Program for Dijkstra shortest paths (in C).
secret int dijstra(public int n, public int s,






for(int i=0; i<n; ++i)
dis[i] = e[s][i];
for(int i=1; i<n; ++i) {
int bestj = -1;
for(int j=0; j<n; ++j)




for(int j=0; j<n; ++j)
if(!vis[j] && (dis[bestj] +
e[bestj][j] < dis[j]))




Target Program for Dijkstra shortest paths.
secret int dijstra(public int n, public int s,
public int t, secret int e[]) {
secret int vis[MAX];
secret int dis[MAX];
public int i = 0;
while (i<n) {
vis[i]=0; dis[i] = 0;
i = i + 1;
}
vis[s] = 1; i = 0;
while (i<n) {




secret int bestj = -1;
public int j = 0;
while (j<n) {























Source Program for k-means (in C).
void kmeans(public int n, public int k,
public int T, secret float point[][DIM],
secret float ans[][DIM])
{
// suppose the initial guess of ans
// is already assigned.
float nans[MAXK][DIM] = {};
int count[MAXK];




for(int i=0; i<n; ++i) {
int bestj=0;
float best = dis(point[i], ans[0]);
for(int j=1; j<k; ++j) {
float nb = dis(point[i], ans[j]);









for(int i=0; i<k; ++i)





Target Program for k-means.
void kmeans(public int n, public int k, public int T
secret float point[], secret float ans[])
{
// suppose the initial guess of ans
// is already assigned.
secret float nans[MAXK*DIM];
secret int count[MAXK];















secret float best = dis(point+i*DIM, ans);
j=1;
while(j<k) {
secret float nb =
dis(point+i*DIM, ans+j*DIM);





























Source Program for Matrix Multiplication.
void matmul(public int n, secret int a[][MAX],
secret int b[][MAX], secret int c[][MAX]) {
for(int i=0; i<n; ++i)
for(int j=0; j<n; ++j) {
c[i][j] = 0;
for(int k=0; k<n; ++k)
c[i][j] += a[i][k] * b[k][j];
}
}
Target Program for Matrix Multiplication.
void matmul(public int n, secret int a[][MAX],
secret int b[][MAX], secret int c[][MAX]) {
public int i=0;




c[i*n+j] = 0; k=0;
while(k<n) {
c[i][j] += a[i][k] * b[k][j];
k=k+1;
}
j=j+1;
} i=i+1;
}
}
