We construct the first fully succinct garbling scheme for RAM programs, assuming the existence of indistinguishability obfuscation for circuits and one-way functions. That is, the size, space requirements, and runtime of the garbled program are the same as those of the input program, up to poly-logarithmic factors and a polynomial in the security parameter. The scheme can be used to construct indistinguishability obfuscators for RAM programs with comparable efficiency, at the price of requiring sub-exponential security of the underlying primitives.
INTRODUCTION
A garbling scheme G converts programs and input values into "opaque" constructs that reveal nothing but the corresponding output values. That is, G turns a program M into a garbled program M̃ and, separately, turns a value x into a garbled input x̃, with the guarantee that M̃(x̃) = M(x) and in addition the pair (M̃, x̃) reveals nothing but M(x). Originally conceived by Yao [Yao86], garbling schemes are a pillar of cryptographic protocol design, with numerous applications such as secure two-party and multiparty computation protocols, verifiable delegation schemes, randomized encoding schemes, one time programs, and functional encryption.
A drawback of Yao's original construction is that the size and runtime of the garbled program are proportional to the circuit representation of the input program. This holds even if the plaintext program is represented more succinctly, say as a Turing machine or a RAM program. (Essentially, one has to first translate the plaintext program to a circuit, and then apply Yao's garbling method in a gate by gate manner.) This drawback becomes especially significant in situations where the input x is much larger than the program's size or runtime (as in, say, keyword search in a large-but-sorted database), or when the runtime of the plaintext program varies from input to input.
Noticing this drawback, Goldwasser, Kalai et al. [GKP+13] construct a garbling scheme for Turing machines, namely a scheme where the size, runtime and space requirements of the garbled program are proportional to those of the Turing machine representation of the plaintext program. To do that, they make strong extractability assumptions. Namely, they postulate the existence of an efficient algorithm for extracting secrets from a certain class of adversaries.
Noticing the same drawback, Lu and Ostrovsky, and later Gentry, Halevi et al. and Garg, Lu et al. [LO13, GHL+14, GLOS15], construct garbling schemes for RAM programs, where the runtime of the garbled program is proportional only to the runtime of the plaintext program on that input. In [GLOS15] this is done assuming only one way functions. Still, the size of the garbled program is proportional to the runtime of the plaintext program.
Bitansky, Garg et al. and Canetti, Holmgren et al. construct a semi-succinct garbling scheme for RAM programs, assuming non-succinct Indistinguishability Obfuscation (IO) and injective one way functions [BGL+15, CHJV15]. That is, they construct garbling schemes where the space and runtime of the garbled program are proportional to the space and runtime of the plaintext program, and where the size of the garbled program is proportional to the space complexity of the plaintext program. For this they assume existence of non-succinct IO schemes, i.e. schemes where the complexity of the obfuscated program is polynomial in the size of the circuit representation of the plaintext program. Any advancement on this question directly applies to the many applications of succinct garbling mentioned in these works, including delegation of computation, functional encryption and others.
From succinct garbling to succinct obfuscation.
In [BGL+15, CHJV15] it is also shown how to turn a garbling scheme into a full-fledged program obfuscation scheme with comparable efficiency and succinctness properties, at the price of making stronger assumptions on the underlying cryptographic building blocks. That is, given non-succinct IO (namely IO for circuits), one-way functions, and a garbling scheme G, they construct an IO scheme O with similar efficiency and size overhead as that for G. We note that, due to the exponential degradation in security in that transform, the security parameter needs to grow linearly with log D. The size of the obfuscated program thus grows polynomially in the length of input to the plaintext program. We only know how to get below this bound under significantly stronger assumptions on the underlying obfuscation scheme [BCP14, IPS15].
Our contribution
We answer both questions. Given an IO scheme for circuits and one way functions we construct a fully succinct garbling scheme for RAM programs. That is, the runtime, space, and size of the garbled program are the same as those of the plaintext program, up to polylogarithmic factors and a polynomial in the security parameter. The security of the scheme degrades polynomially with the runtime of the plaintext program. Assuming quasipolynomial security of the underlying primitives, the scheme guarantees full security even for programs with arbitrary polynomial runtime. Using the transformation of [BGL+15, CHJV15], and assuming subexponential security of the underlying primitives, we obtain a fully succinct IO scheme for RAM programs.
Furthermore, similarly to the schemes of [CHJV15, BGL+15, KLW15], our garbling scheme extends easily to support persistent data: Multiple machines M1, M2, ... can be garbled, along with some (potentially very large) data, such that machine Mi acts on the data configuration left by Mi−1, and such that having access to the garbled data and garbled machines gives no information other than the outputs y1, y2, ..., where yi is the output of Mi when executed in sequence on the data after M1, ..., Mi−1. Importantly, in our case of RAM machines, each machine can run in time that is sublinear in the entire data; for example, each machine may execute a database query, modifying the database and returning some small result. Our transformation preserves the sub-linear complexity of the machines.
The preservation of sublinear complexity is powerful also in the context of delegation of computation. Indeed, consider the task of delegating the computation of sublinear-time RAM programs over large delegated databases. When instantiated with our scheme, the delegation-of-computation scheme for RAM-IO (described in [CHJV15]) is the first to guarantee both correctness and privacy of the computation, while preserving full succinctness and sublinear complexity for the prover. We note that in this work we achieve security only when the RAM machine M and database x are chosen ahead of time. In a follow-up work [CCHR15], it is shown how to achieve security against adaptively chosen RAM machines.
Our Techniques.
While our result may come across as natural and expected given the results of [KLW15] and [CHJV15], obtaining it does require new ideas and significant work. Indeed, naive attempts to extend the techniques of [KLW15] to RAM programs encounter the following problem: The [KLW15] technique applies when the plaintext machine is deterministic and its memory access pattern is fixed and independent of the inputs. When the plaintext program is a Turing machine, making sure that the memory access pattern is fixed incurs only small overhead in complexity. In contrast, hiding the memory access pattern in a RAM program in an efficiency-preserving way requires the memory access pattern to be randomized. Indeed, this is the case for Oblivious RAM schemes [GO96]. Furthermore, the security guarantees provided by Oblivious RAM (ORAM) schemes hold only when the internal random choices of the scheme are hidden from the adversary. However, in our case these internal random choices are encapsulated in a succinct program that is only protected by indistinguishability obfuscation.
A second look reveals the following basic discrepancy between the [CHJV15] technique (which is ORAM-friendly) and the [KLW15] technique (which is not). In both works, security of the garbled program is demonstrated by gradually moving, in a way that's indistinguishable to the adversary, from the real garbled program to a dummy garbled program, where the dummy program has just the result hardwired and is running a fake computation in all steps but the last one. In [CHJV15], the intermediate, hybrid programs start with some number, i, of dummy steps, and then continue the computation from the i-th intermediate configuration all the way to the end. To make this technique work with ORAM, [CHJV15] use an ORAM scheme with a strong forward security property: Essentially, the addresses accessed before time i must appear independent of the underlying access pattern, even given the scheme's internal state at time i + 1.
In contrast, [KLW15] move from the real garbled program to the dummy one via intermediate programs that perform the computation from the beginning until some step, i. From then on, the intermediate program performs the dummy computation and in the end it outputs its hardwired value. This reversal of the order of steps in the intermediate programs is the key idea that allows the size of their garbled program to not depend on the space requirements of the plaintext program. However, this new structure of the hybrid programs seems incompatible with ORAM techniques: Indeed, the natural way to extend the [KLW15] argument to this case would be to argue that the program's memory access pattern at steps i and up is random even given the program's state at steps 1 through i − 1. But this does not hold, since all the steps of the computation up to the transition point i are executed, including the internal random choices of whatever ORAM scheme is in use.
Our first step towards getting around this difficulty is to identify the following property of ORAM schemes. Recall that an ORAM scheme translates the memory access requests made by the underlying program to randomized locations in the actual external memory. We say that an ORAM scheme has localized randomness if the random variable describing the physical location of the memory cell accessed by the plaintext program at a certain step of the computation depends only on a relatively small portion of the entire random input of the ORAM scheme. Furthermore, we require that the location of this portion depends only on the last step in which this memory cell was accessed, which in and of itself is a deterministic function of the underlying program. To the best of our knowledge, this property of Path ORAMs has not been utilized in previous work, but we observe that the ORAM of [CP13] has localized randomness. (In fact, it seems likely that other schemes do as well, or can be slightly modified to have it.) Now, given an ORAM scheme with localized randomness, we "puncture" the scheme at exactly the points that are necessary for making the external memory access locations at step i appear random even given the punctured program state at step i − 1. Furthermore, we can perform this puncturing with minimal overhead in terms of the size of the obfuscated program.
More concretely, we proceed in two main steps. (The actual construction goes through a number of smaller steps, for the sake of modularity and clarity.) We first build a "fixed-address" garbler which guarantees that the garbled versions of two machines M0 and M1 with inputs x0 and x1 are indistinguishable as long as they access the same sequence of addresses. We believe that this property is of independent interest. In the second step we use an ORAM scheme with localized randomness to obtain full garbling. Below we provide more detail on these two steps.
Fixed Address Garbling
As an intermediary step towards a fully succinct garbling scheme for RAM programs, we define and obtain the following weaker security property for garbling schemes. We say that a garbling scheme is a fixed-address garbler if for any two same-size deterministic programs M0 and M1, and any same-length input values x0 and x1, it holds that (M̃0, x̃0) ≈ (M̃1, x̃1) as long as (a) M0(x0) = M1(x1) and (b) the sequence of memory addresses accessed by M0 when run on x0 is identical to the sequence of memory addresses accessed by M1 when run on x1. (Here M̃ and x̃ are the garbled versions of M and x, respectively.) Furthermore, the sequence of addresses accessed by M̃ on input x̃ is identical to the sequence of addresses accessed by M on input x.
The fact that M̃ preserves the access pattern of M provides potential efficiency and practical applicability gains that are not possible in the context of fully secure and succinct garbling of RAM programs, since in the latter the access pattern is inherently randomized. For instance, the garbled machine necessarily has the same fine-grain cache performance as the original one. In contrast, ORAM-based techniques need to resort to coarse-grain cache or other workarounds which impact cache performance.
We construct a fully succinct fixed-address garbling scheme. As a preliminary step, we construct a garbling scheme that is fixed-address, except that (M̃0, x̃0) ≈ (M̃1, x̃1) only when the two computations have the exact same memory access pattern, including the contents of the memory cells accessed. (We call such schemes fixed-memory garbling schemes.) Here our technique follows the steps of the [KLW15] machine-hiding encoding scheme. In particular we use the same underlying primitives, namely positional accumulators, cryptographic iterators, and splittable signatures. (We somewhat simplify their interfaces.) We note however that the [KLW15] construction cannot be used in a "black box" way and needs to be redone in the RAM model.
We then move from fixed-memory garbling to fixed-address garbling. Similarly to the move in [KLW15] from machine-hiding encoding to garbling, this step requires encrypting the memory contents in an IO-friendly scheme. We stress however that our situation is different: In their oblivious Turing machine model the memory access pattern contains no information. In contrast, as argued in more detail below, in our case the access pattern can in and of itself contain information that is hard to compress in a security-preserving manner. The way we argue about the security of the scheme must change accordingly.
Concretely, to garble M we transform it to a program M′ which interleaves two executions of M, on two parallel tracks 'A' and 'B' of memory. Whenever M would access a memory address, M′ accesses the corresponding address in both tracks 'A' and 'B'. At each point in time, tracks 'A' and 'B' both store memory contents corresponding to an execution of M. We then apply the fixed-memory garbling scheme to M′. Let M̃ denote the resulting program.
To argue fixed-address security, consider two programs M0 and M1 and input values x0 and x1 that satisfy the fixed-address requirements. To show that (M̃′0, x̃0) ≈ (M̃′1, x̃1), we consider an intermediate hybrid in which M′0 is replaced by a new machine M′01 which now executes M0 on track 'A' but M1 on track 'B'. Indistinguishability of the intermediate hybrid from either end is shown by demonstrating how to indistinguishably switch from a machine that outputs the result of track 'A' to a machine that outputs the result of track 'B'.
Full Garbling
Our final and main step is a construction of a succinct fully secure garbler for RAM machines from a succinct fixed-address garbler. Our construction is fully general; it does not use any special properties of the fixed-address garbler, not even the address-preserving property which we explicitly highlighted above.
Recall that for a fully secure garbler we require that (M̃0, x̃0) is computationally indistinguishable from (M̃1, x̃1) whenever M0(x0) = M1(x1), and in addition the runtime and space requirement of M0 on x0 are the same as the runtime and space requirement of M1 on x1.
Furthermore, recall that hiding the memory access pattern in an efficiency-preserving way is done by Oblivious RAM (ORAM) techniques, which make crucial use of randomness that remains secret within the program. In contrast, our fixed-address garbler guarantees security only when the access pattern of the underlying machine is fixed.
Our first step towards making use of a fixed-address garbler is to "derandomize" the ORAM scheme by setting its randomness to be the result of applying a puncturable PRF to the program's input. This indeed means that, for any given input, the access pattern is fixed. Still, it is not clear how to argue security of the scheme; in particular, the access pattern of M̃0 when run on x̃0 may well be different than the access pattern of M̃1 when run on x̃1.
For this purpose, we use the localized randomness property sketched above and described in more detail here. Localized randomness requires a particularly structured relationship between the random tape R of an ORAM and the addresses a1, ..., at that it accesses. Here each ai is itself a sequence of addresses ai,1, ..., ai,η, accessed in the emulation of the underlying RAM machine's i-th step. Specifically, we require that (for given underlying memory operations op1, ..., opt), each ai is influenced only by a small subset Di of the bits of R, and each bit of R influences at most one of the ai. The ORAM must also come with a p.p.
To analyze the composition of a fixed-address garbler with a localized-randomness ORAM, we adapt the punctured programming technique of [SW14]. To simulate a garbled program whose output is y and runs in time T, apply a fixed-address garbler to the program that, for each i from 1 to T, simulates the addresses ai to access using Sim(F(i)) for some puncturable PRF F, and output the resulting garbled program. We need to prove that this simulation is indistinguishable from the real garbled machine M̃, in a sequence of hybrids which changes each ai to Sim(F(i)).
This argument is reminiscent of the proof of security for the [CLTV15] construction of a probabilistic iO (PIO) obfuscator, with the complication that a1 through at are generated adaptively. This complication is handled by switching the ai's in reverse order, starting with at and ending with a1. Here it is crucial to note that, despite the adaptivity, a1 through at are mutually independent random variables by the localized randomness property of the ORAM scheme.
To switch ai to Sim(F(i)), we first hard-code ai, and then puncture the ORAM's PRF on exactly the points which determine ai. ORAM locality implies that this set is small and that the puncturing does not affect any aj for j ≠ i, so the security of the fixed-address garbler is applicable. We then indistinguishably replace ai with Sim(F(i)). Finally we remove the hard-codings and unpuncture all the PRFs, relying again on security of the fixed-address garbler.
Related Work
In an independent and concurrent work, Chen et al. [CCC+15] also show how to garble RAM and even develop new tools to garble parallel RAM programs. In the RAM setting, our constructions are essentially the same. Our proof of security is significantly more modular however, while their analysis achieves a slightly better concrete security parameter.
Roadmap
As mentioned, we build up our main construction in four stages, at each stage strengthening the security properties. In the first two stages, we directly apply the techniques of [KLW15] to produce a very weak garbling scheme for RAM machines. For ease of exposition, we separate this into two parts: In Section 3, we give a garbler which only guarantees indistinguishability of the garbled programs as long as the entire execution transcripts of the two plaintext machines look identical; that is, if they specify the same sequence of internal local states, same addresses accessed, and same values written to memory. We call such schemes fixed transcript garblers. In Section 4, we upgrade this garbling scheme to a fixed-memory garbler, which no longer needs the machines to have the same internal local states.
Our main technical contributions are the construction of a fixed-address garbler in Section 5, and its combination with a local ORAM in Section 6 to build a full RAM garbler. Section 7 presents the application to persistent data.
PRELIMINARIES

Notation
• N denotes the set {0, 1, 2, . . .}. For any integer n ∈ N, [n] denotes the set {0, 1, . . . , n − 1}.
• For a set X and a set Y, Y^X denotes the set of all functions from X to Y. When X = N, f ∈ Y^N is also identified with the infinite sequence (f(0), f(1), . . .).
• For n ∈ N, X^n denotes the set of n-tuples of elements of X.
• X* denotes ∪_{i∈N} X^i.
• For a set S ⊂ [n] with elements i1 < i2 < ··· listed in increasing order, and a sequence a = (a0, . . . , an−1) ∈ X^n, we write aS to denote the tuple (ai1, ai2, . . .). We use analogous notation for subsequences of infinite sequences (X^N). More generally, if f is a function from X to Y, and if S is a subset of X, we write f(S) to denote {f(x) : x ∈ S}. If S is an ordered set, f(S) inherits the same ordering.
• For a finite set S, we write ‖S‖ to denote the worst-case length of binary strings encoding elements of S (typically this will be ⌈log(|S|)⌉). We identify S with a subset of {0, 1}^‖S‖.
• For a randomized algorithm A, we write A(x; r) to denote running A on input x with randomness r.
Indistinguishability Obfuscation
We assume the existence of an indistinguishability obfuscator [BGI+01, GGH+13].
Syntax.
An indistinguishability obfuscator for circuits is a p.p.t. algorithm iO which takes as input a security parameter 1^λ and a circuit C, and outputs a circuit C̃.
Correctness.
For all x, Pr[iO(1^λ, C)(x) = C(x)] = 1.
Security.
If |C0| = |C1| and C0(x) = C1(x) for every x, then iO(1^λ, C0) ≈ iO(1^λ, C1).
The RAM Model
RAM Machines
In this work, a RAM machine M is defined as a tuple (Σ, Q, Y, C), where:
• Σ is a finite set, which is the possible contents of a memory cell. For example, Σ = {0, 1}.
• Q is the set of all possible "local states" of M , containing some initial state q0. (We think of Q as a set that grows polynomially as a function of the security parameter. That is, a state q ∈ Q can encode cryptographic keys, as well as "local memory" of size that is bounded by some fixed polynomial in the security parameter.)
• Y is the output space of M .
• C is a circuit implementing a transition function which maps Q × (Σ ∪ {⊥}) → (Q × OΣ) ∪ Y. Here OΣ denotes the set of memory operations with Σ as the alphabet of possible memory symbols. Precisely, OΣ = (N × Σ). That is, C takes the current state and the value returned by the memory access function, and returns a new state, a memory address, a read/write instruction, and a value to be written in case of a write.
We write |M| to denote the tuple (‖Σ‖, ‖Q‖, ‖Y‖, |C|), where ‖Σ‖ is the length of a binary encoding of Σ, and similarly for ‖Q‖ and ‖Y‖.
Memory Configurations
A memory configuration on alphabet Σ is a function s : N → Σ ∪ {⊥}. Let ‖s‖0 denote |{a : s(a) ≠ ⊥}| and, in a horrific abuse of notation, let ‖s‖∞ denote max({a : s(a) ≠ ⊥}), which we will call the length of the memory configuration. A memory configuration s can be implemented (say with a balanced binary tree) by a data structure of size O(‖s‖0), supporting updates to any index in O(log ‖s‖∞) time.
We can naturally identify a string x = x1 . . . xn ∈ Σ * with the memory configuration sx, defined by
Looking ahead, efficient representations of sparse memory configurations (in which ‖s‖0 < ‖s‖∞) are convenient for succinctly garbling computations where the space usage is larger than the input length.
Execution
We now define what it means to execute a RAM machine M = (Σ, Q, Y, C) on an initial memory configuration s0 ∈ Σ^N to obtain M(s0). Define a0 = 0. For i > 0, iteratively define (qi, ai, vi) = C(qi−1, si−1(ai−1)) and define the i-th memory configuration si as
If C(qt−1, st−1(at−1)) = y ∈ Y for some t, then we say that M(s0) = y. If there is no such t, we say that M(s0) = ⊥. When M(s0) ≠ ⊥, it is convenient to define the following functions:
• Define the running time of M on s0 as the above t, and denote it Time(M, s0).
• Define the space usage of M on s0 as max_{i=0}^{t−1} ‖si‖∞, and denote it Space(M, s0).
• Define the execution transcript of M on s0 as ((q0, a0, v0), . . . , (qt−1, at−1, vt−1), y), and denote it T (M, s0).
• Define the resultant memory configuration of M on s0 as st, and denote it NextMem(M, s0).
Garbling
Syntax.
A garbling scheme for RAM programs is a tuple of p.p.t. algorithms (KeyGen, GbPrg, GbMem, Exec).
• Key Generation: KeyGen(1^λ, S, T) takes the security parameter λ in unary, a space bound S and a time bound T in binary, and outputs a secret key SK.
• Machine Garbling: GbPrg(SK, M) takes as input a secret key SK and a RAM machine M, and outputs a RAM machine M̃.
• Memory Garbling: GbMem(SK, s) takes as input a secret key SK and a memory configuration s, and outputs a memory configuration s̃.
We are interested in garbling schemes which are correct, efficient, and secure.
Correctness.
A garbling scheme is said to be correct if for all RAM machines M and all memory configurations s which satisfy Time(M, s) ≤ T and Space(M, s) ≤ S, we have
Efficiency.
A garbling scheme is said to be efficient if:
1. KeyGen, GbPrg, and GbMem are all p.p.t. algorithms.
In particular, we emphasize that:
• The bounds T and S are encoded in binary, so the time to garble does not significantly depend on either of these quantities.
• The running time of GbMem is polynomial in ‖s‖0, the number of non-empty addresses in s. In fact, in our scheme the running time is linear in ‖s‖0.
2. Time(M̃, s̃) = Õ(Time(M, s)) (hiding polylogarithmic factors in S), and Space(M̃, s̃) ≤ S.
Security.
A garbling scheme is said to be secure if there is an efficient algorithm Sim such that for all RAM machines M and memory configurations s with Time(M, s) ≤ T and
in the probability space defined by sampling
FIXED-TRANSCRIPT GARBLING
We first construct a garbling scheme with a very weak security definition. Both the construction and the security proof closely follow the techniques of [KLW15], adapting them to RAM machines.
Definition 1. A garbling scheme (KeyGen, GbPrg, GbMem) is said to be fixed-transcript secure if for all RAM machines M0 and M1 and all memory configurations s such that:
Theorem 1. If one-way functions and an indistinguishability obfuscator for circuits exist, then there is a fixed-transcript secure garbling scheme for RAM machines.
In the full version [CH15] we include this theorem's proof, which closely follows the machine-hiding encoding construction of [KLW15].
FIXED MEMORY GARBLING
We now use a fixed transcript garbling scheme to satisfy a slightly stronger notion which we call fixed-memory garbling. In fixed-memory garbling, the garblings of two different machines are indistinguishable as long as the memory accesses are the same. Notably, it is possible for the two machines to have differing local states.
Definition 2 (Fixed Memory Security). A garbling scheme (KeyGen, GbPrg, GbMem) is said to be fixed-memory secure if for all RAM machines M0 and M1, memory configurations s, all time bounds T and space bounds S satisfying:
• If T(M0, s) = ((q0, a0, v0), . . . , (qt−1, at−1, vt−1)) and T(M1, s) = ((q′0, a′0, v′0), . . . , (q′t′−1, a′t′−1, v′t′−1)), then t = t′ and for each i ∈ [t], ai = a′i and vi = v′i.
it holds that for all p.p.t. adversaries A
Construction
Given a garbling scheme (KeyGen′, GbPrg′, GbMem′) satisfying fixed transcript security, we build a garbling scheme (KeyGen, GbPrg, GbMem) satisfying fixed-memory security. All we need to do is mask the internal state for each timestamp with a different pseudorandom value.
Construction 1. We define (KeyGen, GbPrg, GbMem):
• KeyGen(1^λ, T, S) samples K′ ← KeyGen′(1^λ, T, S) and a puncturable PRF F, and outputs K = (K′, F, T, S).
• GbPrg(K, M = (Σ, Q, Y, C)) samples and outputs
where Q′ = [T] × {0, 1}^‖Q‖, and C′ is defined in Algorithm 1. The initial state q′0 of M′ is defined as (0, F(0) ⊕ q0).
Proof of Security
Theorem 2. If (KeyGen′, GbPrg′, GbMem′) is a fixed transcript secure garbling scheme, then Construction 1 defines a fully succinct, efficient, fixed memory secure garbling scheme for RAM machines.
A proof is given in the full version of this paper [CH15] .
Algorithm 1: Transition function C′
Input: state q, memory symbol σ
Data: puncturable PRF F, underlying transition function C
Parse q as (t, cq);
qin := F(t) ⊕ cq;
out := C(qin, σ);
if out ∈ Y then return out;
else
  Parse out as (qout, op);
  return ((t + 1, F(t + 1) ⊕ qout), op);
end
FIXED ADDRESS GARBLING
We now use a fixed memory garbling scheme to construct a slightly stronger notion of garbling. Namely, we will now hide the data in memory, but not yet the addresses which are accessed. As discussed in the introduction, in applications where the memory access pattern is known not to leak sensitive information, this notion of garbling may be significantly more efficient. In particular, it preserves the effectiveness of the cache, for which real-world RAM programs are extensively optimized.
Definition 3. A garbling scheme (KeyGen, GbPrg, GbMem) is said to be fixed-address secure if for all RAM machines M0 and M1, memory configurations s0 and s1, time bounds T, and space bounds S satisfying the following conditions:
• Space(M0, s0) ≤ S and Time(M0, s0) ≤ T.
• {a : s0(a) ≠ ⊥} = {a : s1(a) ≠ ⊥}
• If T(M0, s) = ((q0, a0, v0), . . . , (qt−1, at−1, vt−1)) and T(M1, s) = ((q′0, a′0, v′0), . . . , (q′t′−1, a′t′−1, v′t′−1)), then t = t′ and for each i ∈ [t], ai = a′i.
• M0(x0) = M1(x1)
for all p.p.t. adversaries A, it holds that
Construction
Given a garbling scheme (KeyGen′, GbPrg′, GbMem′) satisfying fixed-memory security, we build a garbling scheme (KeyGen, GbPrg, GbMem) satisfying fixed-address security.
Overview.
Our construction of Garble(M, x, T, S) applies Garble′ to a transformed version of the machine M and a correspondingly transformed version of the input x. The transformed machine, which we will denote by M′, differs from M in three ways:
• M′ executes two copies of M in parallel (thereby using twice as much memory). We think of these as an 'A' execution and a 'B' execution. We think of the external storage of M′ as correspondingly consisting of an 'A' track and a 'B' track. We implement the 'A' and 'B' tracks by modifying the memory alphabet Σ to hold two symbols.
• M′ writes metadata alongside each value to indicate the time and address at which it is written.
• M′ authenticates each value it writes: instead of writing (t, a, v, v) to an address a, it writes (t, a, F((t, a)) ⊕ v, G((t, a)) ⊕ v), where F and G are puncturable pseudorandom functions.
Construction 2. We define (KeyGen, GbPrg, GbMem):
• KeyGen(1^λ, T, S) samples K′ ← KeyGen′(1^λ, T, S), as well as puncturable PRFs F and G, and outputs
and C′ is defined in Algorithm 2. The initial state q′0 ∈ Q′ of M′ is defined as (0, q0, q0).
• GbMem((K, F, G, T, S), s) samples s̃ ← GbMem′(K, s′), where s′ is defined such that s′(a) = ⊥ if s(a) = ⊥, and otherwise
Algorithm 2: Transition function C′
Data: underlying transition function C, puncturable PRFs F and G
Input: state q, symbol σ
Parse q as (tq, qA, qB);
Parse σ as (tσ, aσ, σA, σB);
Compute out ← C(qA, F((tσ, aσ)) ⊕ σA);
if out ∈ Y then return out;
Parse out as (qout, (aout, opout, σout));
return ((tq + 1, qout, qout), (aout, opout, (tq, aout, F((tq, aout)) ⊕ σout, G((tq, aout)) ⊕ σout)));
Theorem 3. If (KeyGen′, GbPrg′, GbMem′) is a fixed memory secure garbling scheme, and if one-way functions (and hence puncturable PRFs) exist, then Construction 2 defines a fully succinct, fixed address secure garbling scheme for RAM machines.
FULL SECURITY
This section constructs a secure garbling scheme for RAM machines, as defined in Section 2.4, from any fixed-address garbling scheme. As sketched and motivated in the introduction, this is done by combining the fixed-address garbling scheme with an oblivious RAM (ORAM) scheme that has a special property, namely localized randomness. We start by formally defining oblivious RAM schemes and localized randomness, and then present the garbling scheme.
Oblivious RAM
Syntax
An oblivious RAM is a tuple of probabilistic polynomial-time algorithms (Setup, OMem, OProg):
• Setup(1^λ, S) takes a security parameter in unary and a space bound S, and outputs a secret key SK.
• OProg(SK, M ) takes a secret key SK and a RAM machine M , and outputs a probabilistic RAM machine M .
• OMem(SK, s) takes a secret key SK and a memory configuration s, and outputs a memory configuration s .
Correctness
For all RAM machines M , space bounds S, and memory configurations s such that Space(M, s) ≤ S,
Efficiency
There is a function
such that whenever Space(M, s) ≤ S for a RAM machine M , a memory configuration s, and a space bound S,
in the same probability space as above.
Localized Randomness
Let T = Time(M, s) and η = η(S) for some RAM machine M , memory configuration s, and space bound S. Consider the deterministic function
where r is used as a random tape to sequentially sample
Definition 4. An ORAM (Setup, OProg, OMem) is said to have localized randomness if there is a deterministic algorithm Sim such that for all RAM machines M, memory configurations s, and space bounds S ≥ Space(M, s) and running times t = Time(M, s), there exist sets R_1, …, R_t ⊆ ℕ such that,
• For each i, |R_i| ≤ poly(log S, λ).
• For each i ≠ j, R_i ∩ R_j = ∅.
• For each i, addr_{M,s,S,λ}(r)|_{η(i−1), …, ηi−1} = Sim(r|_{R_i}) with high probability over a uniformly random r ∈ {0, 1}^ℕ.
In the full version of this paper [CH15] , we show that the Chung-Pass ORAM [CP13] satisfies these properties.
Construction
Our garbling scheme is very simple; essentially, we just compose the fixed address garbler on top of an ORAM scheme with localized randomness. That is, to garble a machine M , we first transform it via the ORAM, and then apply the fixed address garbler to that transformed machine.
Construction 3. Let (KeyGen , GbPrg , GbMem ) be a fixed-address garbling scheme, and let (Setup, OProg, OMem) be an ORAM scheme with localized randomness. We define a garbling scheme (KeyGen, GbPrg, GbMem):
, and a puncturable PRF F, and outputs (K_FA, K_ORAM, F).
• GbPrg((K_FA, K_ORAM, F), M) samples and outputs
• GbMem((K_FA, K_ORAM), s) samples and outputs
Theorem 4. If (KeyGen , GbPrg , GbMem ) is a fixed-address secure garbling scheme for RAM machines, then Construction 3 defines a (fully secure) garbling scheme for RAM machines.
PERSISTENT DATA
The garbled RAM construction and security proof above can be generalized to a setting in which the garbled RAM programs act on a persistent database. That is, the updates that a garbled RAM program makes to a database D are accessible to the next garbled program to be executed on that database.
Definition 5. A RAM garbling scheme with persistent data is a tuple of p.p.t. algorithms (KeyGen, GbPrg, GbMem):
Key Generation. KeyGen(1^λ, T, S) takes as input a security parameter λ in unary, as well as time and space bounds T and S, and outputs a secret key SK.
Program Garbling. GbPrg(SK, M_i, i) takes as input a secret key SK, a RAM machine M_i and an index i, and outputs a RAM program M̃_i.
Memory Garbling. GbMem(SK, s) takes a secret key SK and a memory configuration s, and outputs a memory configuration (database) s̃.
Definition 6. A RAM garbling scheme with persistent data is said to be correct if for every memory configuration s_0, for every = poly(λ), and every tuple of RAM machines (M_1, …, M ), it holds that the outputs of the garbled machines, when run in sequence on the garbled data, equal the outputs of the plaintext machines when run in sequence on the plaintext data. That is:
Pr[y_1 = ỹ_1 ∧ · · · ∧ y = ỹ] ≥ 1 − negl(λ)
in the probability space defined by sampling
Theorem 5. If there is an indistinguishability obfuscator for circuits and there exist one-way functions, then there is a correct, secure RAM garbling scheme with persistent data.
Proof. (Sketch.) The scheme and the analysis are straightforward extensions of the single-machine case. That is, the memory garbling is identical to the single-machine case, except that the string "step 0" is attached to the root of the Merkle tree before signing. The i-th machine is garbled by applying the machine garbling algorithm of the single-machine case, with the exception that now the signed root of the Merkle tree is expected to contain also "step i − 1", and the root of the Merkle-tree hash of the final memory configuration is signed together with "step i". (All machines are garbled with the same accumulator, iterator, and splittable signature parameters.)
Correctness, efficiency and succinctness are straightforward. For security, recall that the single-machine simulator generates a dummy (but legal) initial memory configuration, and a dummy machine that first verifies the signature on the memory configuration and then runs a dummy computation for a fixed number of steps, at the end of which a hardcoded value is output. Here we extend this simulation strategy in the natural way. That is, the simulator first generates a dummy legal initial memory configuration. The i-th dummy machine first checks the signature on its initial memory configuration, and verifies that the signed string has "step i − 1" encoded in it. Then the machine runs a dummy computation for a fixed number of steps, outputs the hardcoded value, and signs the final memory configuration along with "step i". The analysis of the simulator is extended in the natural way. In particular, it can be done in the same modular way as in the single-machine case.
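As an added example (not the paper's construction), the following Python sketches the step-tag chaining from the proof sketch: each database root is signed together with "step i", and the i-th machine accepts its input only if the signature covers "step i − 1". SHA-256 Merkle roots and HMAC-SHA256 stand in for the Merkle-tree hash and the splittable signature; the toy machine, the leaf padding rule and the database representation are assumptions.

```python
import hashlib, hmac

SK = b"signing-key (constructed)"   # stand-in for the signature key (assumption: HMAC-SHA256)

def merkle_root(cells):
    # Merkle-tree hash of a memory configuration (assumption: SHA-256 leaves, padded to a power of two).
    layer = [hashlib.sha256(bytes([v])).digest() for v in cells] or [hashlib.sha256(b"").digest()]
    while len(layer) & (len(layer) - 1):
        layer.append(hashlib.sha256(b"").digest())
    while len(layer) > 1:
        layer = [hashlib.sha256(layer[i] + layer[i + 1]).digest() for i in range(0, len(layer), 2)]
    return layer[0]

def sign(root, step):
    # The root is signed together with the string "step i", as in the proof sketch.
    return hmac.new(SK, root + f"step {step}".encode(), hashlib.sha256).digest()

def garble_memory(cells):
    # GbMem: the initial configuration's root is signed with "step 0".
    return list(cells), sign(merkle_root(cells), 0)

def run_garbled(i, machine, db):
    # The i-th garbled machine accepts its database only if the signed root carries "step i-1",
    # then runs the plaintext machine and signs the resulting root together with "step i".
    cells, sig = db
    if not hmac.compare_digest(sig, sign(merkle_root(cells), i - 1)):
        raise ValueError(f"machine {i}: database is not signed for step {i - 1}")
    y, cells = machine(cells)
    return y, (cells, sign(merkle_root(cells), i))

def increment_all(cells):
    # Toy plaintext machine: adds 1 to every cell (mod 256) and outputs the new sum.
    cells = [(v + 1) % 256 for v in cells]
    return sum(cells), cells

def run_sequence(cells, machines):
    # Runs M_1, M_2, ... in order on one persistent garbled database; returns outputs and final db.
    db, outs = garble_memory(cells), []
    for i, m in enumerate(machines, 1):
        y, db = run_garbled(i, m, db)
        outs.append(y)
    return outs, db

def replay_rejected(cells, machines):
    # A step-0 database handed straight to machine 2 (skipping machine 1) fails the step check.
    try:
        run_garbled(2, machines[0], garble_memory(cells))
    except ValueError:
        return True
    return False
```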
We note that, by garbling one machine per bit of an output, we can garble machines with long outputs. Full compactness with simulation security is easily seen to be impossible in this setting, and recent work strengthens this impossibility result to hold even for a weaker notion of security [LPST15] . Our work does not contradict these results, because the combined size of the garbled machines grows proportionally to the total output length.
