Constant-Round Maliciously Secure Two-Party Computation in the RAM Model

Hazay, Carmit; Yanai, Avishay

doi:10.1007/s00145-019-09321-3

Constant-Round Maliciously Secure Two-Party Computation in the RAM Model

Published: 23 April 2019

Volume 32, pages 1144–1199, (2019)
Cite this article

Download PDF

Journal of Cryptology Aims and scope Submit manuscript

Constant-Round Maliciously Secure Two-Party Computation in the RAM Model

Download PDF

Carmit Hazay¹ &
Avishay Yanai¹

2218 Accesses
Explore all metrics

Abstract

The random-access memory model of computation allows program constant-time memory lookup and is more applicable in practice today, covering many important algorithms. This is in contrast to the classic setting of secure 2-party computation (2PC) that mostly follows the approach for which the desired functionality must be represented as a Boolean circuit. In this work, we design the first constant-round maliciously secure two-party protocol in the RAM model. Our starting point is the garbled RAM construction of Gentry et al. (EUROCRYPT, pp 405–422, 2014) that readily induces a constant round semi-honest two-party protocol for any RAM program assuming identity-based encryption schemes. We show how to enhance the security of their construction into the malicious setting while facing several challenges that stem due to handling the data memory. Next, we show how to apply our techniques to a more recent garbled RAM construction by Garg et al. (STOC, pp 449–458, 2015) that is based on one-way functions.

Constant-Round Maliciously Secure Two-Party Computation in the RAM Model

Better Two-Round Adaptive Multi-party Computation

Adaptively Secure Computation for RAM Programs

1 Introduction

1.1 Background: Secure Computation and the RAM Model

Secure multiparty computation enables a set of parties to mutually run a protocol that computes some function f on their private inputs, while preserving a number of security properties. Two of the most important properties are privacy and correctness. The former implies data confidentiality, namely nothing leaks by the protocol execution but the computed output. The latter requirement implies that the protocol enforces the integrity of the computations made by the parties, namely honest parties learn the correct output. More generally, a rigorous security definition requires that distrusting parties with secret inputs will be able to compute a function of their inputs as if the computation is executed in an ideal setting, where the parties send their inputs to a incorruptible trusted party that performs the computation and returns its result (also known by the ideal/real paradigm). The feasibility of secure computation has been established by a sequence of works [2, 7, 21, 39, 51], proving security under this rigorous definition with respect to two adversarial models: the semi-honest model (where the adversary follows the instructions of the protocol but tries to learn more than it should from the protocol transcript) and the malicious model (where the adversary follows an arbitrary polynomial-time strategy).

Following these works, a lot of effort has been made into improving the efficiency of computation with the aim of minimizing the workload of the parties [26,27,28,29, 32, 33, 35, 40, 42]. These general-purpose protocols are restricted to functions represented by Boolean/arithmetic circuits. Namely, the function is first translated into a (typically Boolean) circuit and then the protocol securely evaluates it gate by gate on the parties’ private inputs. This approach, however, falls short when the computation involves access to a large memory since in the circuit-based approach, dynamic memory accesses, which depend on the secret inputs, are translated into a linear scan of the memory. This translation is required for every memory access and causes a huge blowup in the description of the circuit.

The RAM Model of Computation We further note that the majority of applications encountered in practice today are more efficiently captured using random-access memory (RAM) programs that allow constant-time memory lookup. This covers graph algorithms, such as the known Dijkstra’s shortest path algorithm, binary search on sorted data, finding the kth-ranked element, the Gale–Shapely stable matching algorithm and many more. This is in contrast to the sequential memory access that is supported by the architecture of Turing machines. Generic transformations from RAM programs that run in time T generate circuits of size $O(T^3\log T)$, which are non-scalable even for cases where the memory size is relatively small [10, 43].

To address these limitations, researchers have recently started to design secure protocols directly in the RAM model [1, 11, 24]. The main underlying idea is to rely on Oblivious RAM (ORAM) [19, 22, 41], a fundamental tool that supports dynamic memory access with poly-logarithmic cost while preventing any leakage from the memory. To be concrete, ORAM is a technique for hiding all the information about the memory of a RAM program. This includes both the content of the memory and the access pattern to it.

In more detail, a RAM program P is defined by a function that is executed in the presence of memory D via a sequence of read-and-write operations, where the memory is viewed as an array of n entries (or blocks) that are initially set to zero. More formally, a RAM program is defined by a “next-instruction” function that is executed on an input x, a current state $\mathsf {state}$ and data element $b^\mathsf {read}$ (that will always be equal to the last read element from memory D) and outputs the next instruction and an updated state. We use the notation $P^D(x)$ to denote the execution of such a program. To avoid trivial solutions, such as fetching the entire memory, it is required that the space used by the evaluator grows linearly with $\log n$, |x| and the block length (where a block is the atomic accessible data item in memory). The space complexity of a RAM program on inputs x, D is the maximum number of entries used by P during the course of the execution. The time complexity of a RAM program on the same inputs is the number of read/write accesses issued in the execution as described above.

Secure Computation for RAM Programs An important application of ORAM is in gaining more efficient protocols for secure computation [1, 12, 14,15,16,17,18, 24, 25, 30, 36, 37, 47, 48]. This approach is used to securely evaluate RAM programs where the overall input sizes of the parties are large (for instance, when one of the inputs is a database). Among these works, only [1] addresses general secure computation for arbitrary RAM programs with security in the presence of malicious adversaries. The advantage of using secure protocols directly for RAM programs is that such protocols imply (amortized) complexity that can be sublinear in the total size of the input. In particular, the overhead of these protocols grows linearly with the time complexity of the underlying computation on the RAM program (which may be sublinear in the input size). This is in contrast to the overhead induced by evaluating the corresponding Boolean/arithmetic circuit of the underlying computation (for which its size is linear in the input size).

One significant challenge in handling dynamic memory accesses is to hide the actual memory locations being read/written from all parties. The general approach in most of these protocols is of designing protocols that work via a sequence of ORAM instructions using traditional circuit-based secure computation phases. More precisely, these protocols are defined using two phases: (1) initialize and set up the ORAM, a one-time computation with cost depending on the memory size, and (2) evaluate the next-instruction circuit which outputs shares of the RAM program’s internal state, the next memory operations (read/write), the location to access and the data value in case of a write. This approach leads to protocols with semi-honest security with round complexity that depends on the ORAM running time. In [24], Gordon et al. designed the first provably secure semi-honest protocol based on this approach, which achieves sublinear amortized overhead that is asymptotically close to the running time of the underlying RAM program in an insecure environment.

As observed later by Afshar et al. [1], adapting this approach in the malicious setting is quite challenging. Specifically, the protocol must ensure that the parties use state and memory shares that are consistent with prior iterations, while ensuring that the running time only depends on the ORAM running time rather than on the entire memory. They, therefore, consider a different approach of garbling the memory first and then propagate the output labels of these garbling within the CPU-step circuits.

The main question left open by prior work is the feasibility of constant-round malicious secure computation in the RAM model. In this work, we address this question in the two-party setting. Since we are interested in concrete efficiency, we rule out practically inefficient solutions that rely on general zero-knowledge proofs or alternatively require public-key operations for every gate in the circuit. To be precise, we restrict our attention to protocols that can be described in the OT hybrid and only rely on one-way functions with poly-logarithmic amortized communication overhead in the memory size of the RAM program.

1.2 Background: Garbled RAM and Circularity

The feasibility of constant-round semi-honest secure two-party computation has established by Lu and Ostrovsky in [37] by introducing a new cryptographic primitive, analogue to garbled circuits [34, 51], known as garbled RAM (or GRAM).

The Lu–Ostrovsky construction In order to understand the difficulty in destining GRAMs, we consider a simplified version in which the memory is read-only. Then, the garbled data in [37], denoted by $\widetilde{D}$, consists of n secret keys for some symmetric-key encryption scheme. Namely, for each bit $i\in [n]$, $\widetilde{D}$ contains a secret key $\mathsf{sk}_i$ such that $\mathsf{sk}_i=F_k(i,D[i])$ and F is a pseudorandom function (PRF).

Furthermore, the garbled program $\widetilde{P}$ consists of T garbled copies of a CPU-step circuit that takes as input the current CPU state and the last read bit $(\mathsf{state}, b^{\mathsf {read} })$ and outputs $(\mathsf{state'}, i^\mathsf{read})$ which contains the updated state and the next read location. The garbled circuit of the jth CPU-step copy is defined so that the output labels for the wires corresponding to $\mathsf{state'}$ match the input labels corresponding to the input $\mathsf{state}$ for the garbled circuit of the $(j+1)$th CPU-step copy. This allows the garbled state to be securely transferred from one garbled CPU-step circuit to another, whereas the read location $i^\mathsf{read}$ is output in the clear (assuming that the running program is the product of an ORAM compiler).

It remains to incorporate the data from the memory into the computation. Let $\mathsf{lbl}_0^{(\mathsf{read}, j+1)}, \mathsf{lbl}_1^{(\mathsf{read}, j+1)}$ be the two input labels of the wire corresponding to the bit $b^{\mathsf {read} }$ within the $(j+1)$th CPU-step copy. Note that these labels are created at “compile time” whenever the garbled program is created and therefore cannot depend on $i^\mathsf{read}$ which is only known at “run-time”.

In order to ensure that the evaluator can only learn one of these labels, Lu and Ostrovsky devised an “augmenting” circuit where the jth CPU-step circuit outputs a translation mappingtranslate, which allows the evaluator to translate a secret key into an input label. This translation mapping consists of two ciphertexts $\mathsf{translate}=({\mathsf {ct}}_0, {\mathsf {ct}}_1)$ where ${\mathsf {ct}}_b$ is an encryption of the label $\mathsf{lbl}_b^{(\mathsf{read}, j+1)}$ under the secret key $F_k(i,b)$. This requires that the augmented CPU-step circuits will be hard-coded with the PRF key k.

The Circularity Problem Assume that the evaluator only gets one label per wire for the first garbled circuit (namely, $j=1$) and therefore does not learn anything beyond $i^\mathsf{read}, \mathsf{translate}=(\mathsf {ct}_0,\mathsf {ct}_1))$ and the garbled value $\mathsf{state}_2$ which is used as an input to the second circuit. Now, assume that $D[i^\mathsf{read}]=0$ and so the evaluator can use $F_k(i^\mathsf{read},0)$ to recover the label $\mathsf{lbl}_0^{(\mathsf{read}, 2)}$ for the next CPU-step circuit where $j=2$. Next, we need to argue that the evaluator does not learn anything about label $\mathsf{lbl}_1^{(\mathsf{read}, 2)}$. Intuitively, the above should hold since the evaluator does not know the secret key generated by $F_k(i^\mathsf{read},1)$ that is needed to decrypt ${\mathsf {ct}}_1$. Unfortunately, attempting to make this intuition formal uncovers a complex circularity:

1.
In order to argue that the evaluator does not learn anything about the “other” label $\mathsf{lbl}_1^{(\mathsf{read}, 2)}$, we need to rely on the privacy of ciphertext ${\mathsf {ct}}_1$.
2.
In order to rely on the privacy of ciphertext ${\mathsf {ct}}_1$, we need to argue that the attacker does not learn the secret key $F_k(i^\mathsf{read},1)$, which implies that the attacker should not use the PRF key k. However, this key is hard-coded within the second garbled circuit as well as within all future circuits. Therefore, to argue that the attacker does not use k we need to rely on the privacy of the second garbled circuit.
3.
In order to rely on the privacy of the second garbled circuit, we need to argue that the evaluator only learns one label per wire, and in particular, we need to argue that the evaluator does not learn the “other” label $\mathsf{lbl}_1^{(\mathsf{read}, 2)}$, which is what we needed to prove in the first place.

Applying our Techniques to the Lu–Ostrovsky Construction Unfortunately, our techniques of factoring out the “hard-coded secrets” do not solve the above circularity problem. To illustrate that, consider the Lu–Ostrovsky construction with a small modification. Namely, the PRF k is given as an input to the first garbled circuit ($j=1$) such that k is transmitted from one CPU-step circuit to another, just like the program state. Then, it is simple to verify that the above circularity still holds. Specifically, to argue that the evaluator does not learn $\mathsf{lbl}_1^{(\mathsf{read}, 2)}$ we need to rely on the privacy of ${\mathsf {ct}}_1$, which implies that we need to rely on the pseudorandomness of $F_k(i^\mathsf{read},1)$. Nevertheless, k is also transmitted to the second garbled circuit ($j=2$), which means that security must rely on the privacy of the second garbled circuit, which again requires to rely on the fact that the evaluator does not learn $\mathsf{lbl}_1^{(\mathsf{read}, 2)}$ and so on.

1.3 Our Results

In this work, we design the first constant-round maliciously secure protocol for arbitrary RAM programs. Our starting point is the garbled RAM construction of Gentry et al. [18] that is analogous to garbled circuits [4, 51] with respect to RAM programs. Namely, a user can garble an arbitrary RAM program directly without transforming it into a circuit first. A garbled RAM scheme can be used to garble the data, the program and the input in a way that reveals only the evaluation outcome and nothing else. In their work, that is based on identity-based encryption (IBE) schemes, Gentry et al. proposed a way to remove the circularity assumption that is additionally required in the construction of Lu and Ostrovsky [37]. We first show how to transform their IBE-based protocol into a maliciously secure 2PC protocol using the cut-and-choose technique. Following that, we apply our transformation to the garbled RAM construction of Garg et al. [15] to obtain a construction under the weaker assumption of one-way functions. As a side remark, we believe that our techniques are applicable to the GRAM constructions of [37] and [14] as well. Nevertheless, we chose not to explore these directions in this work due to the non-standard circularity assumption in [37] and the complicated machinery in [14].

Let $\mathrm {C}^P_{\scriptscriptstyle \mathrm {CPU}}$ be the circuit that computes a single CPU-step (which involves reading/writing to the memory), T be the upper bound on the running time of a program P on input of length |x| and $\kappa ,s$ be the computational and statistical security parameters. Then, our first main theorem states the following,

Theorem 1.1

(Informal) Assuming oblivious transfer and IBE, there exists a constant-round two-party protocol that securely realizes any RAM program in the presence of malicious adversaries, where the size of the garbled database is $n \cdot \mathsf {poly}(\kappa , \log n)$, the size of the garbled input is $|x|\cdot O(\kappa )$ and the size of the garbled program is $T \cdot \mathsf {poly}(\kappa ,\log n) \cdot s$, and its evaluation time is $T \cdot \mathsf {poly}(\kappa ) \cdot \mathsf {polylog~}(n)\cdot s$.

We next demonstrate how to apply our approach to the GRAM from [15] that is only based on one-way functions. This implies the following theorem,

Theorem 1.2

(Informal) Assuming oblivious transfer, there exists a constant-round two-party protocol that securely realizes any RAM program in the presence of malicious adversaries where the asymptotic complexities are as implied by Theorem 1.1.

Challenges Faced in the Malicious Setting for RAM Programs

1.
Memory management Intuitively speaking, garbled RAM readily induces a two-party protocol with semi-honest security by exchanging the garbled input using oblivious transfer (OT). The natural approach for lifting the garbled RAM’s security from semi-honest to malicious is using the cut-and-choose technique [33]. This means that the basic semi-honest protocol is instantiated s times (for some statistical parameter s) and then the parties prove that they followed the prescribed protocol in a subset of the instances. (This subset is chosen uniformly.) Finally, the parties use the remaining instances to obtain the output (typically by taking the majority of results). It has been proven that the output of this process leads to the correct output with overwhelming probability. Applying the cut-and-choose technique to the RAM model naively leads to handling multiple instances of memory. That is, since each semi-honest protocol instance is executed independently, the RAM program implemented within this instance is associated with its own instance of memory. Recalling that the size of the memory might be huge compared to the other components in the RAM system, it is undesirable to store multiple copies of the data in the local memory of the parties. Therefore, the first challenge we had to handle is how to work with multiple copies of the same protocol while having access to a single memory data.
2.
Handling check/evaluation circuits The second challenge concerns the cut-and-choose proof technique as well. The original approach to garble the memory is by using encryptions computed based on PRF keys that are embedded inside the garbled circuits. These keys are used to generate a mapping which allows the receiver to translate between the secret keys and the labels of the read bit in the next circuit. When employing the cut-and-choose technique, all the secret information embedded within the circuits is exposed during the check process of that procedure which might violate the privacy of the sender. The same difficulty arises when hardwiring the randomness used for the encryption algorithm. A naive solution would be to let the sender choose s sets of keys, such that each set is used within the appropriate copy of the circuit. While this solution works, it prevents the evaluator from determining the majority of the (intermediate) results of all copies.
3.
Integrity and consistency of memory operations During the evaluation of program P, the receiver reads and writes back to the memory. In the malicious setting, these operations must be backed up with a mechanism that enforces correctness. Moreover, a corrupted evaluator should not be able to roll back the stored memory to an earlier version. This task is very challenging in a scenario where the evaluator locally stores the memory and fully controls its accesses without the sender being able to verify whether the receiver has indeed carried out the required instructions (as that would imply that the round complexity grows linearly with the running time of the RAM program).

Constant-Round 2PC in the RAM Model (Sect. 4) Towards achieving malicious security, we demonstrate how to adapt the garbled RAM construction from [18] into the two-party setting while achieving malicious security. Our protocol consists of two main components. First, an initialization circuit is evaluated in order to create all the IBE keys (or the PRF keys) that are incorporated in the latter RAM computation, based on the joint randomness of the parties. (This phase is not computed locally since we cannot rely on the sender properly creating these keys.) Next, the program P is computed via a sequence of small CPU steps that are implemented using a circuit that takes as input the current CPU state and a bit that was read from the last read memory location, and outputs an updated state, the next location to read, a location to write to and a bit to write into that location. In order to cope with the challenges regarding the cut-and-choose approach, we must ensure that none of the secret keys nor randomness are incorporated into the circuits, but instead given as inputs. Moreover, to avoid memory duplication, all the circuits are given the same sequence of random strings. This ensures that the same set of secret keys/ciphertexts are created within all CPU circuits.

We note that our protocol is applicable to any garbled scheme that supports wire labels in the sense of Definition 2.2 and can be optimized using all known optimizations (e.g. row reduction, free-XOR, etc.). Moreover, in a variant of our construction the initialization phase can be treated as a preprocessing phase that does not depend on the input. We further note that our abstraction of garbled circuits takes into account authenticity [4]. Meaning that, a malicious evaluator should not be able to conclude the encoding of a string that is different than the actual output. This requirement is crucial for the security of garbled circuits with reusable labels (namely, where the output labels are used as input labels in another circuit) and must be addressed even in the semi-honest setting (and specifically for garbled RAM protocols). This is because authenticity is not handled by the standard privacy requirement. Yet, all prior garbled RAM constructions do not consider it. We stress that we do not claim that prior proofs are incorrect, rather that the underlying garbled circuits must adhere this security requirement in addition to privacy.

Removing the IBE Assumption (Sect. 5) Our techniques are also applicable with respect to the GRAM from [15]. Loosely speaking, in order to avoid circularity, Garg et al. considered a different approach by constructing a tree for which the memory is associated with its leafs. Moreover, each internal node is associated with a PRF key that is encrypted under a PRF key associated with this node’s parent. Then, during the evaluation, each navigation circuit outputs a translation table that allows the evaluator to learn the input label for the next node based on the path to the read position in the memory. In addition, the circuit refreshes the PRF key associated with this node and computes a new set of PRF values based on this new key. This technique incurs an overhead of $\log n$ on the running time of the program since for each memory access the evaluator has to traverse a tree of depth $\log n$ and only then perform the actual access. Consequently, while our first construction based on IBE (see Sects. 3 and 4) requires s chains of CPU-step circuits of size T, removing the IBE assumption implies that each CPU-step circuit is now expanded to $\log n$ navigation circuits. Moreover, the initialization circuit now generates $\log n$ fresh keys for the $\log n$ navigation circuits of each chain and passes these keys over the input wires, which means that the initialization circuit is now of size $O(T\log n)$. On the other hand, the complexity of the initialization circuit is much simpler now as it does not need to employ the complex TIBE algorithms but rather simple XOR operations.

Table 1 A comparison between the constructions presented in [13] and in this paper. Memory refers to the memory size that is needed to be stored by the parties when the original memory size is $|D|=n$; Comm/Comp counts the communication and computation complexities of the constructions when the program’s original run-time is T; No. of GC counts the number of garbled circuits that have to be generated in the protocol; finally Mem. dup. refers to the required number of memory duplications

Full size table

Complexity The overhead of our first protocol (cf. Sect. 4) is dominated by the complexity induced by the garbled RAM construction of [18] times s, where s is the cut-and-choose statistical parameter. The [18] construction guarantees that the size/evaluation time of the garbled program is $|\mathrm {C}^P_{\scriptscriptstyle \mathrm {CPU}}| \times T \times \mathsf {poly}(\kappa ) \times \mathsf {polylog~}(n)\times s$. Therefore, the multiplicative overhead of our protocol is $\mathsf {poly}(\kappa ) \times \mathsf {polylog~}(n)\times s$. Our second protocol (cf. Sect. 5), which is based on the GRAM from [15], is $\log n$ times slower than the first protocol due to the way the memory is being accessed (i.e. by traversing a tree). This has an impact on the initialization circuit of each CPU-step circuits chain. As mentioned above, the initialization circuit in the first protocol needs to realize the IBE algorithms which contribute $T\cdot \mathsf {poly}(\log k)$ to the circuit’s size, whereas the initialization circuit in the second protocol needs to generates $T\cdot \log n$ random PRF keys, each of size k. The overall complexities are given in Table 1.

Reusable/Persistent Data Reusable/persistent data means that the garbled memory data can be reused across multiple program executions. That is, all memory updates persist for future program executions and cannot be rolled back by the malicious evaluator. This feature is very important as it allows to execute a sequence of programs without requiring to initialize the data for every execution, implying that the amortized running time is only proportional to the running time of the program in a unsecured environment. The garbled RAM in [18] allows to garble any sequence of programs and inputs. Nevertheless, the set of programs and inputs must be determined in advance and cannot be chosen adaptively based on prior iterations. This is due to an issue, which arises in the proof, related to another open problem known as “adaptive Yao” where the evaluator of the garbled circuit may choose its input based on the garbled circuit. In this work, we prove that our scheme preserves the weaker property as in [18] in the presence of malicious attacks as well.

Concurrent Work In a concurrent and independent work by Garg, Gupta, Miao and Pandey [13], the authors demonstrate constant-round multiparty constructions for both the semi-honest and the malicious settings. Their maliciously secure construction is based on the black-box garbled RAM [14], the BMR constant-round MPC protocol [3] and the IPS compiler [27]. Their semi-honest secure protocol achieves persistent data, whereas their maliciously secure protocol achieves the weaker notion of selectively choosing the programs and inputs in advance, as we do. The core technique of pulling the secrets out of the programs is common to both our and their work. In contrast to [13], in our scheme only one party locally stores the memory throughout the evaluation. These differences are summarized in Table 1.

The parameters $p,\kappa $ and s refer to the number of parties and the respective computational and statistical security parameters. We denote the ORAM’s run-time and memory overheads by $\log ^a n$ and $\log ^b n$, respectively, where a, b are constants determined by the choice of ORAM construction. The memory size in [13] has the term $O(n\log ^{b} n +T)$ since this is based on the GRAM of [14] in which a memory entry is represented by a bucket of garbled circuits and there is a $\log n$-depth tree of such buckets. The number of garbled circuits that reside within each bucket varies, buckets in lower levels have less garbled circuits, and the total number of garbled circuits used as memory entries are O(T). In addition, it has the term $\mathsf {poly}(\kappa ,p)$ since it is based on the BMR protocol in which each bit is represented by a $\kappa p$-bits string. The memory size in our first construction (based on IBE) depends only on the original memory size n, the ORAM’s overhead $\log ^b n$ and the security parameter $\kappa $; hence, it has the simplest expression among the three constructions. The memory size in our second construction (Sect. 5) has the term $O(n\log ^{b+1} n)$ since it is based on [15] which adds a tree of keys on top of the ORAM underlying memory size. Note that in both of our constructions the memory size is independent of s (the cut-and-choose parameter). Both [13] and our second construction imply communication and computation complexity proportional to $O(T\log ^{a+1} n)$, as they are, respectively, based on [14] and [15], which incur an overhead of $O(\log n)$ over the ORAM’s complexity. Finally, since [14] treats the memory as garbled circuits, it adds O(T) garbled circuits over the $O(T\log ^a n)$ ones of the ORAM. In another work [38], Miao demonstrates how to achieve persistent data for the two-party setting in the programmable random oracle model, using techniques from [40] and [4], where the underlying one-way function is used in a black-box manner.

2 Preliminaries

Basic Notations We denote the computational and statistical security parameters by $\kappa $ and s, respectively. We say that a function $\mu :\mathbb {N}\rightarrow \mathbb {N}$ is negligible if for every positive polynomial $p(\cdot )$ and all sufficiently large $\kappa $ it holds that $\mu (\kappa )<\frac{1}{p(\kappa )}$. We use the abbreviation PPT to denote probabilistic polynomial time. We further denote by $a\leftarrow A$ the random sampling of a from a distribution A, by [d] the set of elements $\{1,\ldots ,d\}$ and by [0, d] the set $[d]\cup \{0\}$.

We now specify the definition of $(\kappa , s)$-computational indistinguishability (denoted ${\mathop {\approx }\limits ^{\kappa ,s}}$), while the usual (computational indistinguishability) definition (denoted ${\mathop {\approx }\limits ^{\mathrm{c}}}$) can be inferred.

Definition 2.1

Let $X=\{X(a,\kappa ,s)\}_{a\in \{0,1\}^*,\kappa ,s\in \mathbb {N}}$ and $Y=\{Y(a,\kappa ,s)\}_{a\in \{0,1\}^*,\kappa ,s\in \mathbb {N}}$ be two distribution ensembles. We say that X and Y are $(\kappa ,s)$-computationally indistinguishable, denoted $X{\mathop {\approx }\limits ^{\kappa ,s}}Y$, if there exists a constant $0<c\le 1$ such that for every PPT machine ${\mathcal {D}}$, every $s\in \mathbb {N}$ every positive polynomial $p(\cdot )$ and all sufficiently large $\kappa $ it holds that for every $a\in \{0,1\}^*$ :

$$\begin{aligned} \big |\mathrm{Pr}\left[ {\mathcal {D}}(X(a,\kappa ),1^\kappa )=1\right] -\mathrm{Pr}\left[ {\mathcal {D}}(Y(a,\kappa ),1^\kappa )=1\right] \big | <\frac{1}{p(\kappa )} + \frac{1}{2^s}. \end{aligned}$$

2.1 Garbled Circuits

A garbled circuit $(\mathsf {Garb},\mathsf {Eval})$ [50] is a cryptographic non-interactive object that supports correctness and privacy. In more detail, a sender uses $\mathsf {Garb}$ to encode a Boolean circuit, that computes some polynomial-time function f, in a way that (computationally) hides from the receiver any information about f except for its output, where the receiver extracts the output using algorithm $\mathsf {Eval}$. In this work, we combine the notions of garbled circuits and the cut-and-choose technique in order to support a malicious sender. Specifically, the sender uses the algorithm $\mathsf {Garb}$ to generate s garbled versions $\{ \tilde{\mathrm {C}}_i \}_{i\in [s]}$ of a circuit $\mathrm {C}$ and some statistical parameter s, as well as their corresponding encoded inputs $\{ \tilde{x}_i \}_{i\in [s]}$. The evaluator then chooses a subset $Z \subset [s]$ and uses $\mathsf {Eval}$ to evaluate the garbled circuits from this set. Upon completing the evaluation, the evaluator learns |Z| sets of output-wire labels $\{ \tilde{y}_i \}_{i\in Z}$ from which it outputs the majority.^{Footnote 1} In the following exposition, we use the notation of $\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{j,i}$ to denote the jth input label of the bit value $b\in \{0,1\}$ for the ith garbled circuit. Analogously, $\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{j,i}$ represents the same notation corresponding to an output wire.

We further abstract two important properties of authenticity and input consistency. Loosely speaking, authenticity ensures that a malicious evaluator will not be able to produce a valid encoding of an incorrect output given the encoding of some input and the garbled circuit. This property is required due to the reusability nature of our construction. Namely, given the output labels of some iteration, the evaluator uses these as the input labels for the next circuit. Therefore, it is important to ensure that it cannot input an encoding of a different input (obtained as the output from the prior iteration). In the abstraction used in our work, violating authenticity boils down to the ability to generate a set of output labels that correspond to an incorrect output. Next, a natural property that a maliciously secure garbling scheme has to provide is input consistency. We formalize this property via a functionality, denoted by $\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}$ and formally described in Fig. 6. That is, given a set of garbled circuits $\{ \tilde{\mathrm {C}}_i \}_i$ and a set of garbled inputs $\{ \tilde{x}_i \}_i$ along with the randomness r that was used by $\mathsf {Garb}$, the functionality outputs 1 if the s sets of garbled inputs $\{ \tilde{x}_i \}_{i=1}^{s}$ (where $|\tilde{x}_i|=j$) represent the same input value, and 0 otherwise.

We next proceed with our formal definition of garbled circuits.

Definition 2.2

(Garbled circuits.). A circuit garbling scheme with wire labels consists of the following two polynomial-time algorithms:

The garbling algorithm $\mathsf {Garb}$:
$$\begin{aligned} \big ( \{ \tilde{\mathrm {C}}_i \}_{i} , \{u, b, \mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i}\}_{u,i,b} \big ) \leftarrow \mathsf {Garb}\bigg (1^\kappa , s, \mathrm {C}, \{v, b, \mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i}\}_{v,i,b}\bigg ) \end{aligned}$$
for every $u\in [v_{\scriptscriptstyle \mathrm {in}}], v\in [v_{\scriptscriptstyle \mathrm {out}}], i\in [s]$ and $b\in \{0,1\}$. That is, given a circuit $\mathrm {C}$ with input size $v_{\scriptscriptstyle \mathrm {in}}$, output size $v_{\scriptscriptstyle \mathrm {out}}$ and s sets of output labels $\{v,b,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i}\}_{v,i,b} $, outputs s garbled circuits $\{ \tilde{\mathrm {C}}_i \}_{i\in [s]}$ and s sets of input labels $\{u, b, \mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i}\}_{u,i,b}$.
The evaluation algorithm $\mathsf {Eval}$:
$$\begin{aligned} \big \{ \mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}}}^{1,i},\ldots ,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}}}^{v_{\scriptscriptstyle \mathrm {out}},i} \big \}_{i\in [s]} = \mathsf {Eval}\bigg ( \big \{ \tilde{\mathrm {C}}_i, ~ (\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}}}^{1,i},\ldots ,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}}}^{v_{{\scriptscriptstyle \mathrm {in}}},i}) \big \}_{i\in [s]} \bigg ). \end{aligned}$$
That is, given s garbled circuits $\{ \tilde{\mathrm {C}}_i \}_{i}$ and s sets of input labels $\big \{ \mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}}}^{1,i},\ldots ,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}}}^{ v_{{\scriptscriptstyle \mathrm {in}}},i} \big \}_{i}$, outputs s sets of output labels $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}}}^{1,i},\ldots ,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}}}^{v_{{\scriptscriptstyle \mathrm {out}}},i} \}_{i}$. Intuitively, if the input labels $(\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}}}^{1,i},\ldots ,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}}}^{ v_{{\scriptscriptstyle \mathrm {in}}},i})$ correspond to some input $x \in \{0,1\}^{ v_{{\scriptscriptstyle \mathrm {in}}} }$, then the output labels $(\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}}}^{1,i},\ldots , \mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}}}^{ v_{{\scriptscriptstyle \mathrm {out}}} ,i})$ should correspond to $y = \mathrm {C}(x)$.

Furthermore, the following properties hold.

Correctness For correctness, we require that for any circuit $\mathrm {C}$ and any input $x \in \{0,1\}^{v_{{\scriptscriptstyle \mathrm {in}}}}$, $x = (x[1],\ldots , x[v_{{\scriptscriptstyle \mathrm {in}}}])$ such that $y = (y[1],\ldots ,y[ v_{{\scriptscriptstyle \mathrm {out}}}]) = \mathrm {C}(x)$ and any s sets of output labels $\{v, b, \mathsf {lbl}_{b,{\scriptscriptstyle \mathrm {out}}}^{v,i}\}_{v,i,b}$ (for $u\in v_{\scriptscriptstyle \mathrm {in}}, v\in v_{\scriptscriptstyle \mathrm {out}}, i\in [s]$ and $b\in \{0,1\}$), we have

$$\begin{aligned} \Pr \bigg [ \mathsf {Eval}\big ( \big \{ \tilde{\mathrm {C}}_i, ~ (\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},x[1]}^{1,i},\ldots ,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},x[v_{\scriptscriptstyle \mathrm {in}}]}^{v_{{\scriptscriptstyle \mathrm {in}}},i}) \big \}_{i} \big ) = \big \{ \mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},y[1]}^{1,i},\ldots ,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},y[v_{\scriptscriptstyle \mathrm {out}}]}^{v_{\scriptscriptstyle \mathrm {out}},i} \big \}_{i} \bigg ] = 1 \end{aligned}$$

where $\big ( \{ \tilde{\mathrm {C}}_i \}_{i} , \{u, b, \mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i}\}_{u,i,b} \big ) \leftarrow \mathsf {Garb}\big (1^\kappa , s, \mathrm {C}, \{v, b, \mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i}\}_{v,i,b}\big )$ as described above.

Verifying the correctness of a circuit Note that in a cut-and-choose-based protocols, the receiver is instructed to check the correctness of a subset of the garbled circuits. This check can be accomplished by the sender sending to the receiver the randomness used in $\mathsf {Garb}$. In our protocol, this is accomplished by giving the receiver both input labels for each input wire of the check circuits, for which it can verify that the circuit computes the agreed functionality. We note that this check is compatible with all prior known garbling schemes.

Privacy For privacy, we require that there is a PPT simulator $\mathsf {SimGC}$ such that for any $\mathrm {C}, x, Z$ and $\big \{ \mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}}}^{1,z},\ldots ,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}}}^{v_{\scriptscriptstyle \mathrm {out}},z} \big \}_{z\notin [Z]},\{v, b, \mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,z}\}_{v,z\in [Z],b} $ (i.e. one output label for wires in circuits indexed by $z\notin Z$ and a pair of output labels for wires in circuits indexed by $z\in Z$), we have

$$\begin{aligned}&\bigg ( \{ \tilde{\mathrm {C}}_z, ~ (\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},x[1]}^{1,z},\ldots ,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},x[v_{\scriptscriptstyle \mathrm {in}}]}^{v_{{\scriptscriptstyle \mathrm {in}}},z}) \}_{z} \bigg ) \\&\quad {\mathop {\approx }\limits ^{\mathrm{c}}}\mathsf {SimGC}\bigg (1^\kappa , \big \{ \mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}}}^{1,z},\ldots ,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}}}^{v_{\scriptscriptstyle \mathrm {out}},z} \big \}_{z\in [Z]},\{v, b, \mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,z}\}_{v,i\notin [Z],b} \bigg ) \end{aligned}$$

where $\big ( \{ \tilde{\mathrm {C}}_z \}_{z} , \{u, b, \mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,z}\}_{u,z,b} \big ) \leftarrow \mathsf {Garb}\big (1^\kappa , s, \mathrm {C}, \{v, b, \mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,z}\}_{v,z,b}\big ) $ and $y=\mathrm {C}(x)$.

Authenticity We describe the authenticity game in Fig. 7 (“Appendix A.1”) where the adversary obtains a set of garbled circuits and garbled inputs for which the adversary needs to output a valid garbling of an invalid output. Namely, a garbled scheme is said to have authenticity if for every circuit $\mathrm {C}$, for every PPT adversary $\mathcal {A}$, every s and for all large enough $\kappa $ the probability $\Pr [\mathrm {Auth}_{\mathcal {A}}(1^\kappa ,s,\mathrm {C})=1]$ is negligible. Our definition is inspired by the definition from [4] and also adapted for the cut-and-choose approach.

Input Consistency We abstract out the functionality that checks the validity of the sender’s input across all garbled circuits. We say that a garbling scheme has input consistency (in the context of cut-and-choose-based protocols) if there exists a protocol that realizes the $\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}$ functionality described in Fig. 6 in “Appendix A.1”.

Realizations of our garbled circuits’ notion We require the existence of a protocol $\Pi _{\scriptscriptstyle \mathrm {IC}}$ that securely realizes the functionality $\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}$ described in “Fig. 6”, in the presence of malicious adversaries. In “Appendix B”, we exemplify this realization with [35].

2.2 The RAM Model of Computation

We follow the notation from [18] verbatim. We consider a program P that has a random-access to a memory D of size n, which is initially empty. In addition, the program is given a “short” input x, which we can alternatively think of as the initial state of the program. We use the notation $P^D(x)$ to denote the execution of such program. The program can read/write to various locations in the memory throughout the execution. Gentry et al. also considered the case where several different programs are executed sequentially and the memory persists between executions. Our protocol follows this extension as well. Specifically, this process is denoted as $(y_1,\ldots ,y_c) = (P_1(x_1),\ldots ,P_\ell (x_c))^D$ to indicate that first $P_1^D(x_1)$ is executed, resulting in some memory contents $D_1$ and output $y_1$, then $P_2^{D_1}(x_2)$ is executed resulting in some memory contents $D_2$ and output $y_2$, etc.

CPU-step Circuit We view a RAM program as a sequence of at most T small CPU steps, such that step $1\le t \le T$ is represented by a circuit that computes the following functionality:

$$\begin{aligned} \mathrm {C}^P_{\scriptscriptstyle \mathrm {CPU}}(\mathsf {state}_{t} ,b_{t}^{\mathsf {read} }) = (\mathsf {state} _{t+1},i_{t}^{\mathsf {read} },i_{t}^{\mathsf {write} },b_{t}^{\mathsf {write} }). \end{aligned}$$

Namely, this circuit takes as input the CPU state $\mathsf {state}_{t} $ and a bit $b_{t}^{\mathsf {read} }$ that was read from the last read memory location, and outputs an updated state $\mathsf {state}_{t+1} $, the next location to read $i_{t}^{\mathsf {read} }\in [n]$, a location to write to $i_{t}^{\mathsf {write} }\in [n] \cap \bot $ (where $\bot $ means “write nothing”) and a bit $b_{t}^{\mathsf {write} }$ to write into that location. The computation $P^D(x)$ starts with an initial state $\mathsf {state}_{1} = (x_1,x_2)$, corresponding to the parties’ “short input” where the initial read bit $b_{1}^{\mathsf {read} }$ is set to 0 by convention. In each step t, the computation proceeds by running $\mathrm {C}^P_{\scriptscriptstyle \mathrm {CPU}}(\mathsf {state}_{t} , b_{t}^{\mathsf {read} }) = (\mathsf {state}_{t+1} , i_{t}^{\mathsf {read} }, i_{t}^{\mathsf {write} }, b_{t}^{\mathsf {write} })$. Namely, we first read from the requested location $i_{t}^{\mathsf {read} }$ by setting $b_{t+1}^{\mathsf {read} } := D[i_{t}^{\mathsf {read} }]$ and if $i_{t}^{\mathsf {write} }\ne \bot $ we write to the specified location by setting $D[i_{t}^{\mathsf {write} }] := b_{t}^{\mathsf {write} }$. The value $y = \mathsf {state}_{T+1} $ output by the last CPU step serves as the output of the computation. A program P has a read-only memory access if it never overwrites any values in memory. In particular, using the above notation, the outputs of $\mathrm {C}^P_{\scriptscriptstyle \mathrm {CPU}}$ always set $i_{t}^{\mathsf {write} }= \bot $.

2.2.1 Predictably Timed Writes

The predictably timed writes property (denoted by “ptWrites” in [18]) implies that it is easy to figure out the time $t'$ in which some location was most recently written to given only the current state of the computation and without reading any other values in memory. More formally,

Definition 2.3

A program execution $P^D(x_1,x_2)$ has predictably timed writes if there exists a polynomial size circuit, denoted $\mathsf {WriteTime}$, such that for every $t\in [T]$, $t' =\mathsf {WriteTime}(t,\mathsf {state}_{t}, i_{t}^{\mathsf {read} })$ is the largest time (where $t'<t$) in which memory location $i_{t}^{\mathsf {read} }$ has been written, i.e. $\mathsf {WriteTime}(t,\mathsf {state}_{t} ,i_{t}^{\mathsf {read} }) = max\Big \{t' \mid t'<t \wedge i_{t'}^{\mathsf {write} }=i_{t}^{\mathsf {read} }\Big \}$.

In [18, Appendix A.3], the authors describe how to transform a program without ptWrites into a program with ptWrite, which incurs overhead of $O(\log n)$ in memory access time. The authors further prove the following theorem [18, Theorem D.1]:

Theorem 2.4

If G is a garbled RAM scheme that provides UMA security and supports programs with ptWrites and O is an ORAM with ptWrites, then there exists a garbled RAM scheme $G'$ with full security supporting arbitrary programs.

Theorem 2.8 extends this theorem to the malicious setting.

2.3 Oblivious RAM (ORAM)

ORAM, initially proposed by Goldreich and Ostrovsky [19, 22, 41], is an approach for making the access pattern of a RAM program input-oblivious. More precisely, it allows a client to store private data on an untrusted server and provides oblivious access to data, by locally storing only a short local state. A secure ORAM scheme not only hides the content of the memory from the server, but also the access pattern, i.e. which locations in memory the client is reading/writing. The work of the client and server in each such access should be small and bounded by a poly-logarithmic factor in the memory size, where the goal is to access the data without downloading it from the server in its entirety. In stronger attack scenarios, the ORAM is also authenticated which means that the server cannot modify the content of the memory. In particular, the server cannot even “roll back” to an older version of the data. The efficiency of ORAM constructions is evaluated by their bandwidth blowup, client storage and server storage. Bandwidth blowup is the number of data blocks that are needed to be sent between the parties per request. Client storage is the amount of trusted local memory required for the client to manage the ORAM, and server storage is the amount of storage needed at the server to store all data blocks. Since the seminal work of Goldreich and Ostrovsky [22], ORAM has been extensively studied [8, 23, 31, 44,45,46, 49, 52], optimizing different metrics and parameters.

We denote the sequence of memory indices and data written to them in the course of the execution of a program P by $\mathsf {Mem Access}(P,n,x)=\{(i_{t}^{\mathsf {read} }, i_{t}^{\mathsf {write} })\}_{t\in [T]}$ and the number of P’s memory accesses by T(P, n, x) (i.e. P’s running time over memory size n and input x). We define an Oblivious RAM as follows. (The definition is the same as in [9].)

Definition 2.5

A polynomial-time algorithm C is an Oblivious RAM (ORAM) compiler with computational overhead $c(\cdot )$ and memory overhead $m(\cdot )$, if C, when given $n\in \mathbb {N}$ and a deterministic RAM program P with memory size n, outputs a program $P^*$ with memory size $m(n)\cdot n$, such that for any input $x\in \{0,1\}^*$ it follows that $T(P^*(n,x)) \le c(n)\cdot T(P,n,x)$ and there exists a negligible function $\mu $ such that the following properties hold:

Correctness For any $n\in \mathbb {N}$, any input $x\in \{0,1\}^*$ with probability at least $1-\mu (\kappa )$, $P^*(n,x)=P(n,x)$.
Obliviousness For any two programs $P_1,P_2$, any $n\in \mathbb {N}$ and any two inputs $x_1,x_2 \in \{0,1\}^*$ if $T(P_1(n,x_1)) = T(P_2(n,x_2))$ and $P^*_1\leftarrow C(n,P_1)$, $P^*_2\leftarrow C(n,P_2)$ then $\textsf {MemAccess}(P^*_1(n,x_1))$ and $\textsf {MemAccess}(P^*_2(n,x_2))$ are computationally indistinguishable.

Note that the above definition (just as the definition from [22]) only requires an oblivious compilation of deterministic programs P. This is without loss of generality as we can always view a randomized program as a deterministic one that receives random coins as part of its input.

2.4 Secure Computation in the RAM Model

We adapt the standard definition for secure two-party computation of [20, Chapter 7] for the RAM model of computation. In this model of computation, the initial input is split between two parties and the parties run a protocol that securely realizes a program P on a pair of “short” inputs $x_1,x_2$, which are viewed as the initial state of the program. In addition, the program P has random-access to an initially empty memory of size n. The running time of the program, denoted T, is bounded by a polynomial in the input lengths. Using the notations from Sect. 2.2, we refer to this (potentially random) process by $P^D(x_1,x_2)$. In this work, we prove the security in the presence of malicious computationally bounded adversaries.

We next formalize the ideal and real executions, considering D as a common resource.^{Footnote 2} Our formalization induces two flavours of security definitions. In the first (and stronger) definition, the memory accesses to D are hidden, that is, the ideal adversary that corrupts the receiver only obtains (from the trusted party) the running time T of the program P and the output of the computation, y. Given only these inputs, the simulator must be able to produce an indistinguishable memory access pattern. In the weaker, unprotected memory access model described below, the simulator is further given the content of the memory, as well as the memory access pattern produced by the trusted party throughout the computation of $P^D(x_1,x_2)$. We present here both definitions, starting with the definition of full security.

2.4.1 Full Security

Execution in the ideal model In an ideal execution, the parties submit their inputs to a trusted party that computes the output; see Fig. 1 for the description of the functionality computed by the trusted party in the ideal execution. Let P be a two-party program, let $\mathcal {A}$ be a non-uniform PPT machine and let $i \in \{\mathrm{S},\mathrm{R}\}$ be the corrupted party. Then, denote the ideal execution of P on inputs $(x_1,x_2)$, auxiliary input z to $\mathcal {A}$ and security parameters $s,\kappa $, by the random variable $\mathbf{IDEAL}^{\mathcal {F}_{\scriptscriptstyle \mathrm {RAM}}}_{\mathcal {A}(z),i}(s,\kappa ,x_1,x_2)$, as the output pair of the honest party and the adversary $\mathcal {A}$ in the above ideal execution.

Execution in the Real Model In the real model, there is no trusted third party and the parties interact directly. The adversary $\mathcal {A}$ sends all messages in place of the corrupted party and may follow an arbitrary PPT strategy. The honest party follows the instructions of the specified protocol $\pi $. Let $P^D$ be as above and let $\pi $ be a two-party protocol for computing $P^D$. Furthermore, let $\mathcal {A}$ be a non-uniform PPT machine and let $i \in \{\mathrm{S},\mathrm{R}\}$ be the corrupted party. Then, the real execution of$\pi $ on inputs $(x_1,x_2)$, auxiliary input z to $\mathcal {A}$ and security parameters $s,\kappa $, denoted by the random variable $\mathbf{REAL}^\pi _{\mathcal {A}(z),i}(s,\kappa ,x_1,x_2)$, is defined as the output pair of the honest party and the adversary $\mathcal {A}$ from the real execution of $\pi $.

Security as Emulation of a Real Execution in the Ideal Model Having defined the ideal and real models, we can now define security of protocols. Loosely speaking, the definition asserts that a secure party protocol (in the real model) emulates the ideal model (in which a trusted party exists). This is formulated by saying that adversaries in the ideal model are able to simulate executions of the real-model protocol.

Definition 2.6

(Secure computation). Let $\mathcal {F}_{\scriptscriptstyle \mathrm {RAM}}$ and $\pi $ be as above. Protocol $\pi $ is said to securely compute$P^D$with abort in the presence of malicious adversary if, for every non-uniform PPT adversary $\mathcal {A}$ for the real model, there exists a non-uniform PPT adversary $\mathcal {S}$ for the ideal model, such that for every $i \in \{\mathrm{S},\mathrm{R}\}$,

$$\begin{aligned} \left\{ \mathbf{IDEAL}^{\mathcal {F}_{\scriptscriptstyle \mathrm {RAM}}}_{\mathcal {S}(z),i}(s,\kappa ,x_1,x_2)\right\} _{s,\kappa \in \mathbb {N},x_1,x_2,z\in \{0,1\}^*}{\mathop {\approx }\limits ^{\mathrm{c}}}\left\{ \mathbf{REAL}^\pi _{\mathcal {A}(z),i}(s,\kappa ,x_1,x_2)\right\} _ {s,\kappa \in \mathbb {N},x_1,x_2,z\in \{0,1\}^*} \end{aligned}$$

where s and $\kappa $ are the security parameters.

A note on Definition 2.6. Note that in the RAM model the input may be very small while the memory may be very large. Even though we are restrained from allowing $n=|D|$ be exponential in $|x|=|x_1|+|x_2|$ since, yet, |x| may be larger than $\kappa +s$ and thus we intentionally set $n=|D|=\mathsf {poly}(\kappa ,s)$ and explicitly exclude the case.

We next turn to a weaker definition of secure computation in the unprotected memory access model and then discuss a general transformation from a protocol that is secure in the UMA model to a protocol that is fully secure.

2.4.2 The UMA Model

In [18], Gentry et al. considered a weaker notion of security, denoted by unprotected memory access (UMA), in which the receiver may additionally learn the content of the memory D, as well as the memory access pattern throughout the computation including the locations being read/written and their contents. Gentry et al. further demonstrated that this weaker notion of security is useful by providing a transformation from this setting into the stronger setting for which the simulator does not receive this extra information. Their proof holds against semi-honest adversaries. A simple observation shows that their proof can be extended for the malicious 2PC setting by considering secure protocols that run the oblivious RAM and the garbling computations; see below our transformation. In the context of two-party computation, when considering the ideal execution, the trusted party further forwards the adversary the values $\mathsf {Mem Access}=\{(i_{t}^{\mathsf {read} }, i_{t}^{\mathsf {write} }, b_{t}^{\mathsf {write} })\}_{t\in [T]}$ where $i_{t}^{\mathsf {read} }$ is the address to read from, $i_{t}^{\mathsf {write} }$ is the address to write to and $b_{t}^{\mathsf {write} }$ is the bit value to be written to location $i_{t}^{\mathsf {write} }$ in time step t. We denote this functionality, described in Fig. 2, by $\mathcal {F}_{\scriptscriptstyle \mathrm {UMA}}$. We define security in the UMA model and then discuss our general transformation from UMA to full security.

Definition 2.7

(Secure computation in the UMA model). Let $\mathcal {F}_{\scriptscriptstyle \mathrm {UMA}}$ be as above. Protocol $\pi $ is said to securely compute$P^D$with UMA and abort in the presence of malicious adversaries if, for every non-uniform PPT adversary $\mathcal {A}$ for the real model, there exists a non-uniform PPT adversary $\mathcal {S}$ for the ideal model, such that for every $i\in \{\mathrm{S},\mathrm{R}\}$, for every $s\in \mathbb {N},x_1,x_2,z\in \{0,1\}^*$ and for large enough $\kappa $

$$\begin{aligned} \left\{ \mathbf{IDEAL}^{\mathcal {F}_{\scriptscriptstyle \mathrm {UMA}}}_{\mathcal {S}(z),i}(s,\kappa ,x_1,x_2)\right\} _{s,\kappa ,x_1,x_2,z} {\mathop {\approx }\limits ^{\kappa ,s}} \left\{ \mathbf{REAL}^\pi _{\mathcal {A}(z),i}(s,\kappa ,x_1,x_2)\right\} _ {s,\kappa ,x_1,x_2,z} \end{aligned}$$

where s and $\kappa $ are the security parameters.

2.4.3 From UMA to Full Security

Given a UMA-secure protocol for RAM programs that support ptWrites (Definition 2.3) and an ORAM scheme, in [18] the authors presented a way to achieve a fully secure protocol. Their result, adapted to the malicious setting, follows:

Theorem 2.8

[18, Theorem D.1] Let $\pi $ be a secure two-party protocol that provides UMA security against a malicious adversary for RAM programs that support ptWrites in the presence of malicious adversaries and an ORAM compiler, denoted C, then there exists a transformation $\varTheta $ that is given $\pi $ and C and outputs a fully secure protocol $\pi '$.

Informally, their transformation requires the party to first run the ORAM algorithms for the initialization of the memory D and compiling the program P in a secure computation to obtain the oblivious memory $D^*$ and oblivious program $P^*$ and then run $\pi $ over $P^*$ and $D^*$. The first step provides obliviousness, while the second step provides secure memory accesses (privacy and authenticity).

2.4.4 On the Capabilities of Semi-honest in a Garbled RAM and ORAM Schemes

When considering ORAM schemes in the context of two-party computation, it must be ensured that a read operation is carried out correctly. Namely, that the correct element from the memory is indeed fetched, and that the adversary did not “roll back” to an earlier version of that memory cell. Importantly, this is not just a concern in the presence of malicious adversaries, as a semi-honest adversary may try to execute its (partial) view on inconsistent memory values. Therefore, the scheme must withhold such attacks. Handling the first attack scenario is relatively simply using message authentications codes (MACs), so that a MAC tag is stored in addition to the encrypted data. Handling roll backs is slightly more challenging and is typically done using (variants of) Merkle trees [14]. In [18], rollbacks are prevented by creating a new secret key for each time period. This secret key is used to decrypt a corresponding ciphertext in order to extract the label for the next garbled circuit. By replacing the secret key each time period, the adversary is not able decrypt a ciphertext created in some time period with a secret key that was previously generated.

2.5 Timed IBE [18]

TIBE was introduced by Gentry et al. in [18] in order to handle memory data writings in their garbled RAM construction. This primitive allows to create “time-period keys” ${\textsf {TSK}}_t$ for arbitrary time periods $t\ge 0$ such that ${\textsf {TSK}}_t$ can be used to create identity secret keys $\mathsf {SK}_{(t,v)}$ for identities of the form (t, v) for arbitrary v but cannot break the security of any other identities with $t'\ne t$. Gentry et al. demonstrated how to realize this primitive based on IBE [5, 6]. Informally speaking, the security of TIBE is as follows: Let $t^*$ be the “current” time period. Given a single secret key $\mathsf {SK}_{(t,v)}$ for every identity (t, v) of the “past” periods $t < t^*$ and a single period key ${\textsf {TSK}}_{t}$ for every “future” periods $t^*<t \le T$, semantic security should hold for any identity of the form ${\mathsf {id}}^* = (t^*,v^*)$ (for which neither a period nor secret key was not given). The formal definition of timed IBE which is used across our protocol is as follows:^{Footnote 3}

Definition 2.9

(Timed IBE (TIBE)). A TIBE scheme consists of 5 PPT algorithms $\mathsf {MasterGen}, \mathsf {TimeGen}, \mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec}$ with the syntax:

$({{\textsf {MPK}}},{\textsf {MSK}})\leftarrow \mathsf {MasterGen}(1^\kappa )$: generates master public/secret key pair ${{{\textsf {MPK}}}}, {{\textsf {MSK}}}$.
${\textsf {TSK}}_t\leftarrow \mathsf {TimeGen}({\textsf {MSK}},t)$: generates a time-period key for time period $t\in \mathbb {N}$.
$\mathsf {sk}_{(t,v)}\leftarrow \mathsf {KeyGen}({\textsf {TSK}}_t,(t,v))$: creates a secret key for the identity (t, v).
$\mathsf {ct}\leftarrow \mathsf {Enc}_{{\textsf {MPK}}}((t,v),\mathsf {msg})$: creates an encryption of $\mathsf {msg}$ under the identity (t, v).
$\mathsf {msg}= \mathsf {Dec}_{\mathsf {sk}_{(t,v)}}(\mathsf {ct})$: decrypts a ciphertexts $\mathsf {ct}$ for the identity (t, v) using a secret key $\mathsf {sk}_{(t,v)}$.

The scheme should satisfy the following properties:

Correctness For any ${\mathsf {id}}= (t,v)$ and any $\mathsf {msg}\in \{0,1\}^*$, it holds that:

$$\begin{aligned} \Pr \biggl [\mathsf {Dec}_\mathsf {sk}(\mathsf {ct}) = \mathsf {msg}\bigg | \begin{array}{c} ({{\textsf {MPK}}},{\textsf {MSK}})\leftarrow \mathsf {MasterGen}(1^\kappa ),{\textsf {TSK}}_t\leftarrow \mathsf {TimeGen}({\textsf {MSK}},t),\\ \mathsf {sk}\leftarrow \mathsf {KeyGen}({\textsf {TSK}}_t,(t,v)),\mathsf {ct}\leftarrow \mathsf {Enc}_{{\textsf {MPK}}}((t,v),\mathsf {msg})\end{array}\biggr ] = 1. \end{aligned}$$

Security We consider the following game between an attacker $\mathcal {A}$ and a challenger.

The attacker $\mathcal {A}(1^\kappa )$ chooses some identity ${\mathsf {id}}^* = (t^*,v^*)$ with $t^*\in \mathbb {N}$ and some bound $T\ge t^*$ (given in unary). The attacker also chooses a set of identities I such that I contains exactly one identity (t, v) for each period $t\in 1,\ldots t^*-1$. Lastly, the adversary chooses messages $\mathsf {msg}_0,\mathsf {msg}_1\in \{0,1\}^*$ of equal size $|\mathsf {msg}_0| = |\mathsf {msg}_1|$.
The challenger chooses $({{\textsf {MPK}}},{\textsf {MSK}})\leftarrow \mathsf {MasterGen}(1^\kappa )$, and ${\textsf {TSK}}_t\leftarrow \mathsf {TimeGen}({\textsf {MSK}},t)$ for $t \in [T]$. For each ${\mathsf {id}}= (t,v)\in I$, it chooses $\mathsf {sk}_{\mathsf {id}}\leftarrow \mathsf {KeyGen}({\textsf {TSK}}_t,{\mathsf {id}})$. Lastly, the challenger chooses a challenge bit $b\leftarrow \{0,1\}$ and sets $\mathsf {ct}\leftarrow \mathsf {Enc}_{{\textsf {MPK}}}({\mathsf {id}}^*,\mathsf {msg}_b)$. The challenger gives the attacker:
$$\begin{aligned} {\textsf {MSK}},~~ \overline{{\textsf {TSK}}} = \{{\textsf {TSK}}_t\}_{t^*< t\le T},~~ \overline{\mathsf {sk}} = \{({\mathsf {id}},\mathsf {sk}_{\mathsf {id}})\}_{{\mathsf {id}}\in S},~~ \mathsf {ct}. \end{aligned}$$
The attacker outputs a bit $\widehat{b}\in \{0,1\}$.

The scheme is secure if, for all PPT$\mathcal {A}$, we have $|Pr[b = \widehat{b}] -\frac{1}{2}|\le \mu (\kappa )$ in the above game.

2.6 Garbled RAM Based on IBE [18]

Our starting point is the garbled RAM construction of [18]. Intuitively speaking, garbled RAM [37] is an analogue object of garbled circuits [4, 50] with respect to RAM programs. The main difference when switching to RAM programs is the requirement of maintaining a memory data D. In this scenario, the data is garbled once, while many different programs are executed sequentially on this data. As pointed out in the modelling of [18], the programs can only be executed in the specified order, where each program obtains a state that depends on prior executions. The [18] garbled RAM proposes a fix to the aforementioned circularity issue raised in [37] by using an identity-based encryption (IBE) scheme [5, 6] instead of a symmetric-key encryption scheme.

In more detail, the inputs D, P, x to the garbled RAM are garbled into $\widetilde{D},\widetilde{P},\widetilde{x}$ such that the evaluator reveals the output $\widetilde{P}(\widetilde{D},\widetilde{x})=P(D,x)$ and nothing else. A RAM program P with running time T can be evaluated using T copies of a Boolean circuit $\mathrm {C}^P_{\scriptscriptstyle \mathrm {CPU}}$ where $\mathrm {C}_{\scriptscriptstyle \mathrm {CPU}}^t$ computes the function $\mathrm {C}^P_{\scriptscriptstyle \mathrm {CPU}}(\mathsf {state}_{t} ,b_{t}^{\mathsf {read} }) = (\mathsf {state}_{t+1} ,i_{t}^{\mathsf {read} },i_{t}^{\mathsf {write} },b_{t}^{\mathsf {write} })$. Then secure evaluation of P is possible by having the sender $\mathrm{S}$ garble the circuits $\{\mathrm {C}_{\scriptscriptstyle \mathrm {CPU}}^t\}_{t\in [T]}$ (these are called the garbled program $\widetilde{P}$), whereas the receiver $\mathrm{R}$ sequentially evaluates these circuits. In order for the evaluation to be secure, the state of the program should remain secret when moving from one circuit to another. To this end, the garbling is done in a way that assigns the output wires of one circuit with the same labels as the input wires of the next circuit. The main challenge here is to preserve the ability to read and write from the memory while preventing the evaluator from learning anything beyond the program’s output, including any intermediate value.

The original idea from [37] employed a clever usage of a PRF for which the secret key is embedded inside all the CPU-step circuits, where the PRF’s role is twofold. For reading from the memory, it is used to produce ciphertexts encrypting the labels of the input wire of the input bit of the next circuit, whereas for writing it is used to generate secret keys for particular “identities”. As explained in [18], the proof of [37] does not follow without assuming an extra circularity assumption. In order to avoid circularity, Gentry et al. proposed to replace the PRF with a public-key primitive. As it is insufficient to use a standard public-key cryptosystem (since the circuit must still produce secret keys for each memory location i, storing the keys $\mathsf {sk}_{i,0}, \mathsf {sk}_{i,1}$), the alternative is to use IBE. Below, we briefly describe their scheme.

The Read-Only Solution The initialized garbled data $\widetilde{D}$ contains a secret key $\mathsf {sk}_{i,b}$ in each memory location $i\in [n]$ where $D[i]=b$, such that i, b serves as an identity secret key for the “identity” (i, b). Moreover, each garbled circuit ${\mathrm {GC}}^{t}_{{\scriptscriptstyle \mathrm {CPU}}}$ is hard-wired with the master public-key ${{{\textsf {MPK}}}}$ of an IBE scheme.^{Footnote 4} This way, the garbled circuit can encrypt the input labels for the next circuit, which are associated with the bit that has just been read from the memory. More specifically, the circuit generates two ciphertexts $\mathsf {ct}_0,\mathsf {ct}_1$ that are viewed as a translation map. Namely, $\mathsf {ct}_b=\mathsf {Enc}_{{{\textsf {MPK}}}}({\mathsf {id}}=(i,b); \mathsf {msg}=\mathsf {lbl}_{b}^{t+1})$ and the correct label is extracted by decrypting the right ciphertext using $\mathsf {sk}_{i,b}$, such that $\mathsf {lbl}_{0}^{t+1},\mathsf {lbl}_{1}^{t+1}$ are the input labels in the next garbled circuit that are associated with the last input bit read from the memory.

The Read–Write Solution A complete solution that allows both reading and writing is slightly more involved. We describe how to garble the data and the program next.

Garbling the data The garbled data consists of secret keys $\mathsf {sk}_{(t,i,b)}$ for identities of the form ${\mathsf {id}}=(t,i,b)$ where i is the location in the memory $D'$, t is the last time step for which that location was written to and $b\in \{0,1\}$ is the bit that was written to location i at time step t. The honest evaluator only needs to keep the most recent secret key for each location i.

Garbling the program Next, each CPU garbled circuit computes the last time step in which memory location i was written to by computing $t' =\mathsf {WriteTime}(t,\mathsf {state}_{t}, i_{t}^{\mathsf {read} })$. Namely, if at time step t the garbled circuit ${\mathrm {GC}}^{t}_{{\scriptscriptstyle \mathrm {CPU}}}$ instructs to read from location $i_{t}^{\mathsf {read} }$, then the circuit further computes the last time step, u, in which that $i_{t}^{\mathsf {read} }$ was written to, it then computes the translation map $\mathsf {translate} _t =(\mathsf {ct}_0,\mathsf {ct}_1)$ by $\mathsf {ct}_b=\mathsf {Enc}_{{{\textsf {MPK}}}}({\mathsf {id}}=(u,i_{t}^{\mathsf {read} },b); \mathsf {msg}=\mathsf {lbl}_{b}^{t+1}))$ and outputs it in the clear.

In order to write at time step t to memory location $i=i_{t}^{\mathsf {write} }$ the value $b=b_{t}^{\mathsf {write} }$, a naive solution would hard-wire ${\textsf {MSK}}$ within each garbled circuit and then generate the key $\mathsf {sk}_{(t,i,b)}=\mathsf {KeyGen}_{\textsf {MSK}}({\mathsf {id}}=(t,i,b) )$, but this idea re-introduces the circularity problem. Instead, Gentry et al. [18] solve this problem by introducing a new primitive called timed IBE (TIBE). Informally, this is a two-level IBE scheme in which the first level includes the master public/secret keys (${{{\textsf {MPK}}}},{\textsf {MSK}}$), whereas the second level has T timed secret keys ${\textsf {TSK}}_{1},\ldots ,{\textsf {TSK}}_{T}$. The keys ${{{\textsf {MPK}}}},{\textsf {MSK}}$ are generated by ${\mathsf {MasterGen}}(1^\kappa )$, and the timed keys are generated by ${\textsf {TSK}}_{t}=\mathsf {TimeGen}({\textsf {MSK}},t)$.

Then in the garbling phase, the key ${\textsf {TSK}}_{t}$ is hard-wired within the tth garbled circuit ${\mathrm {GC}}^{t}_{{\scriptscriptstyle \mathrm {CPU}}}$ and is used to write the bit $b^{\mathsf {write} }_{t}$ to memory location $i_{t}^{\mathsf {write} }$. To do that, ${\mathrm {GC}}^{t}_{{\scriptscriptstyle \mathrm {CPU}}}$ computes the secret key for identity (t, i, b) by $\mathsf {sk}_{(t,i,b)} \leftarrow \mathsf {KeyGen}({\textsf {TSK}}_{t}, (t,i,b))$ which is then stored in memory location i by the evaluator. Note that ${\mathrm {GC}}^{t}_{{\scriptscriptstyle \mathrm {CPU}}}$ outputs a secret key for only one identity in every time step (for (t, i, b) but not $(t,i,1-b)$). This solution bypasses the circularity problem since the timed secret keys ${\textsf {TSK}}_{t}$ are hard-wired only within the garbled circuit computing $\mathrm {C}_{\scriptscriptstyle \mathrm {CPU}}^t$ and cannot be determined from either $\mathsf {sk}_{(t,i,b)}$ or the garbled circuit, provided that the TIBE scheme and the garbling schemes are secure.

3 Building Blocks

In this section, we show how to overcome the challenges discussed in the introduction and design the first maliciously secure 2PC protocol that does not require duplication of the data and is applicable for every garbling scheme in the sense of Definition 2.2. Recall first that in [18] Gentry et al. have used a primitive called timed IBE, where the secret key for every memory location and stored bit (i, b) is enhanced with another parameter: the last time step t in which it has been written to the memory. The secret key $\mathsf {sk}_{(t,i,b)}$ for identity ${\mathsf {id}}=(t,i,b)$ is then generated using the hard-coded time secret-key ${\textsf {TSK}}_{t}$. Now, since algorithm $\mathsf {KeyGen}$ is randomized, running this algorithm s times will yield s independent secret timed keys. This results in s different values to be written to memory at the same location, which implies duplication of memory data D. In order to avoid this, our solution forces the s duplicated garbled circuits for time step t to use the same random string r, yielding that all garbled circuits output the same key for the identity (t, i, b). Importantly, this does not mean that we can hard-code r in all those s circuits, since doing this would reveal r when applying the cut-and-choose technique on these garbled circuits as half of the circuits are opened. Clearly, we cannot reveal the randomness to the evaluator since the security definition of IBE (and timed IBE) does not follow in such a scenario. Instead, we instruct the sender to input the same randomness in all s copies of the circuits and then run an input consistency check to these inputs in order to ensure that this is indeed the case. We continue with describing the components we embed in our protocol. An overview of the circuits involved in our protocol can be found in Fig. 3, and a high-level overview of our protocol can be found in Sect. 4.

3.1 Enhanced CPU-Step Function

The enhanced $\mathsf {cpustep}^+$ function is essentially the CPU-step functionality specified in Sect. 2.2 enhanced with more additional inputs and output, and defined as follows

$$\begin{aligned} \mathsf {cpustep}^+(\mathsf {state}_{t} ,b_{t}^{\mathsf {read} },{{\textsf {MPK}}}, {\textsf {TSK}}_{t},r_{t})=(\mathsf {state}_{t+1}, i_{t}^{\mathsf {read} }, i_{t}^{\mathsf {write} }, b_{t}^{\mathsf {write} }, \mathsf {translate} _{t}) \end{aligned}$$

where the additional inputs ${\textsf {MSK}},{\textsf {TSK}}_{t}$ and $r_t$ are the master public key, a timed secret key for time t and the randomness r used by the $\mathsf {KeyGen}$ algorithm. The output $\mathsf {translate} _t$ is a pair of ciphertexts $\mathsf {ct}_1,\mathsf {ct}_2$, encrypted under ${{{\textsf {MPK}}}}$, that allows the evaluator to obtain the appropriate label of the wire that corresponds to the input bit in the next circuit. We denote the circuit that computes that function by $\mathrm {C}^{t}_{{\scriptscriptstyle \mathrm {CPU}^+}}$. The functionality of $\mathrm {C}^{t}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ is described in Fig. 4. We later describe how to securely realize this function and, in particular, how these new additional inputs are generated and given to the T CPU circuits. The enhanced CPU-step circuit wraps the $\mathsf {WriteTime}$ algorithm defined in Definition 2.3.

3.2 Initialization Circuit

The initialization circuit generates all required keys and randomness to our solution and securely transfers them to the CPU-step circuits. As explained before, our solution requires the parties to input not only their input to the program but also a share to a randomness that the embedded algorithms would be given (that is, the randomness is not fixed by one of the parties). The circuit is described in Fig. 5.

3.3 Batch Single-Choice Cut-And-Choose OT

As a natural task in a cut-and-choose-based protocol, we need to carry out cut-and-choose oblivious transfers for all wires in the circuit, for which the receiver picks a subset $Z\subset [s]$ and then obtains either both input labels (for circuits indexed with $z\in Z$), or the input label that matches the receiver’s input otherwise. It is crucial that the subset of indices for which the receiver obtains both input labels is the same in all transfers. The goal of this functionality is to ensure the input consistency of the receiver, and it is named by “batch single-choice cut-and-choose OT” in [35]. See Fig. 8 (“Appendix A.3”) for its formal definition.

In addition to the above, our protocol uses the following building blocks: A garbling scheme $\pi _{\scriptscriptstyle \mathrm {GC}}=(\mathsf {Garb},\mathsf {Eval})$ that preserves the security properties from Definition 2.2; timed IBE scheme (Sect. 2.5) $\pi _{\scriptscriptstyle \mathrm {TIBE}}= ({\mathsf {MasterGen}}, \mathsf {TimeGen},\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})$ with security as specified in Definition 2.9 and a statistically binding commitment scheme $\mathsf {Com}$.

4 Constat Round Malicious 2PC for RAM Programs

Given the building blocks detailed in Sect. 3, we are now ready to introduce our complete protocol. Our description incorporates ideas from both [35] and [18]. Specifically, we borrow the cut-and-choose technique and the cut-and-choose OT abstraction from [35] (where the latter tool enables to ensure input consistency for the receiver). Moreover, we extend the garbled RAM ideas presented in [18] for a maliciously secure two-party protocol in the sense that we modify their garbled RAM to support the cut-and-choose approach. This allows us to obtain constant round overhead. Before we delve into the details of the protocol, let us present an overview of its main steps:

The parties wish to run the program P on inputs $x_1,x_2$ with the aid of an external random-access storage D. In addition to their original inputs, the protocol instructs the parties to provide random strings $R_1,R_2$ that suffice for all the randomness needed in the execution of the CPU-step circuits.

Chains Considering a sequence of circuits $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}},\mathrm {C}^{1}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,\mathrm {C}^{T}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ as a connected chain of circuits, the sender $\mathrm{S}$ first generates s versions of garbled chains $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^i,{\mathrm {GC}}^{1,i}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,{\mathrm {GC}}^{T,i}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ for every $i\in [s]$. It does so by iteratively feeding the algorithm $\mathsf {Garb}$ with s sets of pairs of output labels, where the first set of output labels $\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}}}$ are chosen uniformly and are fed, together with the circuit $\mathrm {C}^{T}_{{\scriptscriptstyle \mathrm {CPU}^+}}$, to procedure $\mathsf {Garb}$, which in turn, outputs s sets of input labels. This process is being repeated until the first circuit in the chain, i.e $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$, the last s sets of input labels are denoted $\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}}}$.
Cut-and-choose Then, the parties run the batch single-choice cut-and-choose OT protocol $\Pi _{\scriptscriptstyle \mathrm {SCCOT}}$ on the receiver’s input labels, which let the receiver obtain a pair of labels for each of its input wires for every check chain with an index in $Z\subset [s]$ and a single label for each of its input wires for the evaluation chains with an index not in Z, where Z is input by the receiver to $\Pi _{\scriptscriptstyle \mathrm {SCCOT}}$.
Sending chains and commitments Then $\mathrm{S}$ sends $\mathrm{R}$ all garbled chains together with a commitment for every label associated with its input wires in all copies $i\in [s]$.
Reveal the cut-and-choose parameter The receiver $\mathrm{R}$ then notifies $\mathrm{S}$ with its choice of Z and proves that indeed that is the subset it used in $\Pi _{\scriptscriptstyle \mathrm {SCCOT}}$ (by sending a pair of labels for some of its input wires in every chain with an index in Z).
Checking correctness of check chains When convinced, $\mathrm{S}$ sends $\mathrm{R}$ a pair of labels for each input wire associated with the sender’s input; this allows $\mathrm{R}$ check all the check chains, such that if all found to be built correctly than the majority of the other, evaluation chains are also built correctly with overwhelming probability.
Input consistency$\mathrm{S}$ then supplies $\mathrm{R}$ with a single label for each input wire associated with the sender’s input, for all evaluation chains; this step requires checking that those labels are consistent with a single input $x_2$ of the sender. To this end, $\mathrm{S}$ and $\mathrm{R}$ run the input consistency protocol that is provided by the garbling scheme defined in Sect. 2.1.
Evaluation Upon verifying their consistency, $\mathrm{R}$ uses the input labels and evaluates all evaluation chains, such that in every time step t it discards the chains that their outputs $(i_{t}^{\mathsf {read} },i_{t}^{\mathsf {write} },\mathsf {sk}_t,\mathsf {translate} _t)$ do not comply to the majority of the outputs in all evaluation chains. We put a spotlight on the importance of the random strings $R_1,R_2$ that the parties provide to the chains, these allow our protocol to use a single block of data D for all threads of evaluation, which could not be done in a trivial plugging of the cut-and-choose technique. As explained in Definition 2.2, verifying the correctness of the check chains can be done given only (both of the) input labels for $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$ circuits.

Achieving Full Security In the next step, we apply the general transformation discussed in Sect. 2.4, from UMA to full security.

4.1 2PC in the UMA Model

We proceed with the formal detailed description of our protocol.

Protocol$\Pi _{\scriptscriptstyle \mathrm {UMA}}^P$executed between sender$\mathrm{S}$and receiver$\mathrm{R}$. Unless stated differently, in the following parameters z, i, t, j, respectively, iterate over $[Z],[s],[T],[\ell ]$.

Inputs$\mathrm{S}$ has input $x_1$ and $\mathrm{R}$ has input $x_2$ where $|x_1|=|x_2|=\ell '$. $\mathrm{R}$ has a blank storage device D with a capacity of n bits.

Auxiliary inputs

Security parameters $\kappa $ and s.
The description of a program P and a set of circuits $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}},\mathrm {C}^{1}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots , \mathrm {C}^{T}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ (as described above) that computes its CPU steps, such that the output of the last circuit $\mathsf {state}_{T+1} $ equals $P^D(x_1,x_2)$, given that the read/write instructions output by the circuits are being followed.
$(\mathbb {G}, g, q)$ where $\mathbb {G}$ is cyclic group with generator g and prime order q, where q is of length $\kappa $.
$\mathrm{S}$ and $\mathrm{R}$, respectively, choose random strings $R_1$ and $R_2$, where $|R_1|=|R_2|=(4t+1)\cdot m$. We denote the overall input size of the parties by $\ell $, that is, $|x_1|+|R_1|=|x_2|+|R_2|=\ell '+(4t+1)\cdot m=\ell $. Also, denote the output size by $v_{\scriptscriptstyle \mathrm {out}}$.

The Protocol

1.
Garbled CPU step and initialization circuits.
1. (a)
  Garble the last CPU-step circuit ($t=T$):
  - Choose random labels for the labels corresponding to $\mathsf {state}_{T+1} $.
  - Garble $\mathrm {C}^{t}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ by calling
    $$\begin{aligned} \big ( \{ {\mathrm {GC}}^{t,i}_{{\scriptscriptstyle \mathrm {CPU}}} \}_{i} , \{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i,t}\}_{u,i,b} \big ) \leftarrow \mathsf {Garb}\bigg (1^\kappa , s, \mathrm {C}^{t}_{{\scriptscriptstyle \mathrm {CPU}^+}}, \{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i,t}\}_{v,i,b} ; r_g^t\bigg ) \end{aligned}$$
    for $v\in [v_{\scriptscriptstyle \mathrm {out}}],i\in [s],b\in \{0,1\}$ and $r_g^t$ the randomness used within $\mathsf {Garb}$.
  - Interpret the result labels $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i,t}\}_{u,i,b}$ as the following groups of values: $\mathsf {state}_{t} $, $b_{t}^{\mathsf {read} }$, ${{{\textsf {MPK}}}}_t$, ${\textsf {TSK}}_{t}$ and $r_t$, that cover the labels: $\{ \mathsf {lbl}_{\mathsf {state} ,b}^{u,i,t}\}_{u,i,b}$, $\{\mathsf {lbl}_{b_{t}^{\mathsf {read} },b}^{u,i,t}\}_{u,i,b}$, $\{\mathsf {lbl}_{{{{\textsf {MPK}}}}_t,b}^{u,i,t}\}_{u,i,b}$, $\{ \mathsf {lbl}_{{\textsf {TSK}}_{t},b}^{u,i,t}\}_{u,i,b}$, $\{\mathsf {lbl}_{r_t,b}^{u,i,t}\}_{u,i,b}$ resp.
2. (b)
  Garble the remaining CPU-step circuits. For $t=T-1,\ldots ,1$:
  - Hard-code the labels $\{\mathsf {lbl}_{b_{t+1}^{\mathsf {read} },b}^{u,i}\}_{u,i,b}$ inside $\mathrm {C}^{t}_{{\scriptscriptstyle \mathrm {CPU}^+}}$.
  - Choose random labels for the output wires that correspond to $i_{t}^{\mathsf {read} },i_{t}^{\mathsf {write} },\mathsf {sk}_{t,i,b}$ and $\mathsf {translate} _t$ and unite them with the labels $\{ \mathsf {lbl}_{\mathsf {state} ,b}^{u,i,t+1}\}_{u,i,b}$ correspond to $\mathsf {state}_{t+1} $ obtained from the previous invocation of $\mathsf {Garb}$; denote the resulting set $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i,t}\}_{v,i,b}$.
  - Garble $\mathrm {C}^{t}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ by calling
    $$\begin{aligned} \big ( \{ {\mathrm {GC}}^{t,i}_{{\scriptscriptstyle \mathrm {CPU}}} \}_{i} , \{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i,t}\}_{u,i,b} \big ) \leftarrow \mathsf {Garb}\bigg (1^\kappa , s, \mathrm {C}^{t}_{{\scriptscriptstyle \mathrm {CPU}^+}}, \{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i,t}\}_{v,i,b} ; r_g^t\bigg ) \end{aligned}$$
    with $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i,t}\}_{v,i,b}$ the set of labels from above and $r_g^t$ the randomness used within $\mathsf {Garb}$.
  - Interpret the result labels $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i,t}\}_{u,i,b}$ as the following groups of values: $\mathsf {state}_{t} $, $b_{t}^{\mathsf {read} }$, ${{{\textsf {MPK}}}}_t$, ${\textsf {TSK}}_{t}$ and $r_t$, that cover the labels: $\{ \mathsf {lbl}_{\mathsf {state} ,b}^{u,i,t}\}_{u,i,b}$, $\{\mathsf {lbl}_{b_{t}^{\mathsf {read} },b}^{u,i,t}\}_{u,i,b}$, $\{\mathsf {lbl}_{{{{\textsf {MPK}}}}_t,b}^{u,i,t}\}_{u,i,b}$, $\{ \mathsf {lbl}_{{\textsf {TSK}}_{t},b}^{u,i,t}\}_{u,i,b}$, $\{\mathsf {lbl}_{r_t,b}^{u,i,t}\}_{u,i,b}$ resp.
3. (c)
  Garble the initialization circuit $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$:
  - Combine the group of labels $\{\mathsf {lbl}_{\mathsf {state} ,b}^{u,i,1}\}_{i,b}$, that is covered by the value $\mathsf {state} _1$ which resulted from the last invocation of $\mathsf {Garb}$, with the groups of labels $\{ \mathsf {lbl}_{{{{\textsf {MPK}}}}_t,b}^{u,i,t}, \mathsf {lbl}_{{\textsf {TSK}}{t},b}^{u,i,t}, \mathsf {lbl}_{r_t,b}^{u,i,t} \}_{u,i,b}$ that are covered by the values $\{ {{{\textsf {MPK}}}}_t, {\textsf {TSK}}_t, r_t \}$ for all $t\in [T]$. That is, set $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i}\}_{v,i,b} = \big \{ \mathsf {lbl}_{\mathsf {state} ,b}^{u,i,1} \cup \mathsf {lbl}_{{{{\textsf {MPK}}}}_t,b}^{u,i,t} \cup \mathsf {lbl}_{{\textsf {TSK}}{t},b}^{u,i,t} \cup \mathsf {lbl}_{r_t,b}^{u,i,t} \big \}_{u,i,b} $ for all u, i, t, b.
  - Garble the initialization circuit:
    $$\begin{aligned} \big ( \{ \mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^i \}_{i} , \{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i}\}_{u,i,b} \big ) \leftarrow \mathsf {Garb}\bigg (1^\kappa , s, \mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}, \{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i}\}_{v,i,b} ; r_g^0 \bigg ). \end{aligned}$$
  - Interpret the input labels result from that invocation of $\mathsf {Garb}$ by $\{\mathsf {lbl}_{\mathrm{S},b}^{u,i}\}_{u,i,b} $ and $\{\mathsf {lbl}_{\mathrm{R},b}^{u,i}\}_{u,i,b} $ which are the input wire labels that are, respectively, associated with the sender’s and receiver’s input wires.
2.
Oblivious transfers.$\mathrm{S}$ and $\mathrm{R}$ run the batch single-choice cut-and-choose oblivious transfer protocol $\Pi _{\scriptscriptstyle \mathrm {SCCOT}}$.
1. (a)
  $\mathrm{S}$ defines vectors $\mathbf {v_1},\ldots ,\mathbf {v_\ell }$ so that $\mathbf {v_j}$ contains the s pairs of random labels associated with $\mathrm{R}$’s jth input bit $x_2[j]$ in all garbled circuits $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^1,\ldots ,\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^s$.
2. (b)
  $\mathrm{R}$ inputs a random subset $Z\subset [s]$ of size exactly s / 2 and bits $x_2[1],\ldots ,x_2[\ell ]$.
3. (c)
  The result of $\Pi _{\scriptscriptstyle \mathrm {SCCOT}}$ is that $\mathrm{R}$ receives all the labels associated with its input wires in all circuits $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^z$ for $z\in Z$ and receives a single label for every wire associated with its input $x_2$ in all other circuits $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^z$ for $z\notin Z$.
3.
Send garbled circuits and commitments.$\mathrm{S}$ sends $\mathrm{R}$ the garbled circuits chains $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^i,{\mathrm {GC}}^{1,i}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,{\mathrm {GC}}^{T,i}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ for every $i\in [s]$, and the commitment ${\mathsf {com}}_{b}^{u,i} = \textsf {Com}(\mathsf {lbl}_{\mathrm{S},b}^{u,i}, {\mathsf {dec}}_{b}^{u,i})$ for every label in $\{\mathsf {lbl}_{\mathrm{S},b}^{u,i}\}_{u,i,b} $ where $\mathsf {lbl}_{\mathrm{S},b}^{u,i}$ is the bth label ($b\in \{0,1\}$) for the sender’s uth bit ($u\in [\ell ]$) for the ith garbled circuit $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}$.
4.
Send cut-and-choose challenge.$\mathrm{R}$ sends $\mathrm{S}$ the set Z along with the pair of labels associated with its first input bit in every circuit $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^z$ for every $z\in Z$. If the values received by $\mathrm{S}$ are incorrect, it outputs $\perp $ and aborts. Chains $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^z, {\mathrm {GC}}^{1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,{\mathrm {GC}}^{t,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ for $z\in Z$ are called $check circuits $, and for $z\notin Z$ are called $evaluation circuits $.
5.
Send all input garbled values in check circuits.$\mathrm{S}$ sends the pair of labels and decommitments that correspond to its input wires for every $z\in Z$, whereas $\mathrm{R}$ checks that these are consistent with the commitments received in step 3. If not $\mathrm{R}$ aborts, outputting $\perp $.
6.
Correctness of check circuits. For every $z\in Z$, $\mathrm{R}$ has a pair of labels for every input wire for the circuits $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^z$ (from steps 2 and 5). This means that it can check the correctness of the chains $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^z,{\mathrm {GC}}^{1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,{\mathrm {GC}}^{T,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ for every $z\in Z$. If the chain was not built correctly for some z, then output $\perp $.
7.
Check garbled inputs consistency for the evaluation circuits.
- $\mathrm{S}$ sends the labels $\big \{ (\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},x_1[1]}^{1,z},\ldots ,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},x_1[\ell ]}^{\ell ,z}) \big \}_{z\notin [Z]}$ for its input $x_1$.
- $\mathrm{S}$ and $\mathrm{R}$ participate in the input consistency check protocol $\Pi _{\scriptscriptstyle \mathrm {IC}}$.
  - – The common inputs for this protocol are the circuit $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$, its garbled versions $\{ \mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^i\}_{z\notin Z}$ and the labels $\big \{ (\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},x_1[1]}^{1,z},\ldots ,\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},x_1[\ell ]}^{\ell ,z}) \big \}_{z\notin [Z]}$ that were sent before.
  - – $\mathrm{S}$ inputs its randomness $r_g^0$ and the set of output labels $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i}\}_{v,i,b}$ that were used within $\mathsf {Garb}$ on input $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}$, along with the decommitments $\{{\mathsf {dec}}_{b}^{u,z}\}_{u\in [\ell ],z\notin Z, b\in \{0,1\}}$.
8.
Evaluation. Let $\tilde{Z}=\{z \mid z\notin Z\}$ be the indices of the evaluation circuits.
1. (a)
  For every $z\in \tilde{Z}$, $\mathrm{R}$ evaluate $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^{z}$ using $\mathsf {Eval}$ and the input wires it obtained in step 7 and reveal one label for each of its output wires $\mathsf {lbl}_{{\scriptscriptstyle \mathrm {INIT}}}^{{\scriptscriptstyle \mathrm {out}},z}$.
2. (b)
  For $t=1$ to T:
  1. i.
    For every $z\in \tilde{Z}$, evaluate ${\mathrm {GC}}^{t,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ using $\mathsf {Eval}$ and obtain one output label for each of its output wires, namely $\mathsf {lbl}_{{\scriptscriptstyle \mathrm {CPU}^+}}^{{\scriptscriptstyle \mathrm {out}},t,z}$. Part of these labels refer to $\mathsf {state}_{t+1,z} $. In addition, $\mathsf {Eval}$ outputs $\mathsf {out}_{t,z} = (i_{t,z}^{\mathsf {read} }, i_{t,z}^{\mathsf {write} }, b_{t,z}^{\mathsf {write} }, \mathsf {translate} _{t,z})$ in the clear^{Footnote 5}. For $t=T$, $\mathsf {Eval}$ outputs $\mathsf {state}_{T+1} $ in the clear and we assign $\mathsf {out}_{t,z} = \mathsf {state}_{T+1,z} $.
  2. ii.
    Take the majority $\mathsf {out}_{t} = \mathsf {Maj}(\{\mathsf {out}_{t,z} \}_{z\in \tilde{Z}})$ and remove from $\tilde{Z}$ the indices $\tilde{z}$ for which $\mathsf {out}_{t,\tilde{z}} \ne \mathsf {out}_{t}$. Formally set $\tilde{Z}=\tilde{Z}$$\smallsetminus $$\{ z' \mid \mathsf {out}_{t,z'}\ne \mathsf {out}_{t} \}$. This means that $\mathrm{R}$ halts the execution thread of the circuit copies that were found flawed during the evaluation.
  3. iii.
    Output $\mathsf {out}_{T+1}$.

We prove the following theorem (for further details about the hybrid model see A.2).

Theorem 4.1

Assume $\pi _{\scriptscriptstyle \mathrm {GC}}$ is a garbling scheme (cf. Definition 2.2), $\pi _{\scriptscriptstyle \mathrm {TIBE}}$ is TIBE scheme (cf. Definition 2.9) and $\mathsf {Com}$ is a statistical binding commitment scheme (cf. Definition A.1). Then, protocol $\Pi _{\scriptscriptstyle \mathrm {UMA}}^P$ securely realizes $\mathcal {F}_{\scriptscriptstyle \mathrm {UMA}}$ in the presence of malicious adversaries in the $\{\mathcal {F}_{\scriptscriptstyle \mathrm {{SCCOT}}},\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}\}$-hybrid for all program executions with ptWrites (cf. Definition 2.3).

Let $n=|D|$ be the size of the storage, T be the program’s run-time and $|x|=|x_1|+|x_2|$ be the overall input length to $\mathcal {F}_{\scriptscriptstyle \mathrm {UMA}}$. Then, in protocol $\Pi _{\scriptscriptstyle \mathrm {UMA}}^P$ the size of the garbled storage is $O(n\cdot \kappa )$, the size of the garbled input is $|x| \cdot O(\kappa )$ and the size of the garbled program and its evaluation time are $O(T\cdot s\cdot \kappa )$.
In addition, there exists a secure protocol that realizes $\mathcal {F}_{\scriptscriptstyle \mathrm {RAM}}$ with garbled storage of size $n\cdot \mathsf {poly}(\kappa ,\log n)$, garbled input of size $|x| \cdot O(\kappa )$ and garbled program and evaluation time of $T \cdot \mathsf {poly}(\kappa ,\log n, s)$.

Proof

We begin our proof by analysing the garbled storage, program and input complexities; the security proof is in Sect. 4.2.

Note that the size of the initialization circuit $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$ is $O(T\cdot \kappa )$ where the bound on the randomness used by the IBE algorithms is $O(\kappa )$. This is because the circuit evaluates the IBE algorithms O(T) times, each such sub-circuit is of size $O(\kappa )$. In addition, all components inside the enhanced CPU-step circuit $\mathrm {C}^{t}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ are of size $O(\kappa )$. Since the sender garbles s chains (where s is a statistical security parameter), the overall number of garbled circuits is $O(T\cdot s)$ and their total size is $O(T\cdot s\cdot \kappa )$. It is clear that the communication and computation complexities depend on the number of garbled circuits and their total size. In particular, our protocol requires $O(T\cdot s)$ oblivious transfers followed by sending and evaluating $O(T\cdot s)$ garbled circuits of total size $O(T\cdot s\cdot \kappa )$, which leads to communication and computation complexities of $O(T\cdot s\cdot \kappa )$. Finally, for each bit in the memory the evaluator stores $O(\kappa )$ bits. Recalling that using the cut-and-choose with our technique of factoring out the randomness to the initialization circuit implies that the receiver stores a single copy of the memory. Thus, the memory size is $O(n\cdot \kappa )$.

In transformation $\Theta $ (implied by Theorem 2.8), the parties apply an ORAM compiler to the original program; this means that the run-time of the result program increases by a factor of $\mathsf {polylog~}n$ (where n is the memory size). It holds that the overall number of garbled circuits is $T\cdot \mathsf {poly}(s, \log n)$ and their total size is $T\cdot \mathsf {poly}(s, \kappa , \log n)$. Similarly, since there are $\mathsf {polylog~}n$ more garbled circuits, the communication and computation complexities are now $T\cdot \mathsf {poly}(s, \kappa , \log n)$ and the memory size is $n\cdot \mathsf {poly}(\kappa , \log n)$. $\square $

4.2 Security Proof of Theorem 4.1

We first show the intuition of how our protocol achieves security in the ${\scriptscriptstyle \mathrm {UMA}}$ model, whereas a full proof of Lemma 4.1 is presented at Sect. 4.2.1. With respect to garbled circuits security, we stress that neither the selective-bit-attack nor the incorrect-circuit-construction attack can harm the computation here due to the cut-and-choose technique, which prevents the sender from cheating in more than $\frac{s-|Z|}{2}$ of the circuits without being detected. As explained in [35], the selective-bit attack cannot be carried out successfully since $\mathrm{R}$ obtains all the input keys associated with its input in the cut-and-choose oblivious transfer, where the labels associated with both the check and evaluation circuits are obtained together. Thus, if $\mathrm{S}$ attempts to run a similar attack for a small number of circuits, then it will not effect the majority, whereas if it does so for a large number of circuits, then it will be caught with overwhelming probability. In the protocol, $\mathrm{R}$ checks that half of the chains and their corresponding input garbled values were correctly generated. It is therefore assured that with high probability the majority of the remaining circuits and their input garbled values are correct as well. Consequently, the result output by the majority of the remaining circuits must be correct.

The proof for the case the receiver is corrupted is based on two secure components: the garbling scheme and the timed IBE scheme, in the proof we reduce the security of our protocol to the security of each one of them. The intuition here is that $\mathrm{R}$ receives |Z| opened check circuits and $|\tilde{Z}|=s-|Z|$ evaluation circuits. Such that for each evaluation circuit it only receives a single set of keys for decrypting the circuit. Furthermore, the keys that it receives for each of the $|\tilde{Z}|$ evaluation circuits are associated with the same pair of inputs $x_1,x_2$. This intuitively implies that $\mathrm{R}$ can do nothing but correctly decrypt $|\tilde{Z}|$ circuits, obtaining the same value $P^d(x_1,x_2)$. One concern regarding the security proof stems from the use of a TIBE encryption scheme within each of the CPU-step circuits. Consequently, we have to argue the secrecy of the input label that is not decrypted by $\mathrm{R}$. Specifically, we show that this is indeed the case by constructing a simulator that, for each CPU step, outputs a fake translate table $\mathsf {translate} $ that correctly encrypts the active label (namely, the label observed by the adversary), yet encrypts a fake inactive label. We then show that the real view in which all labels are correctly encrypted is indistinguishable from the simulated view in which only the active label is encrypted correctly.

The Selective-Bit Attack in the Memory In the context of secure computation via garbled circuit, the “selective-bit attack” means that the garbler may construct an input gate^{Footnote 6} such that if the evaluator’s input on some input wire is b, the evaluation proceeds successfully and otherwise, if the input is $1-b$, then the outcome of that gate is some “gibberish” key that leads to an evaluation failure. This way, the garbler can learn a single input bit of the evaluator, just by inspecting whether it aborts or not.

In our construction, the selective-bit attack is completely thwarted, both in garbled circuits and in memory. That is, the cut-and-choose technique assures that the garbler constructed the garbled circuits correctly (with overwhelming probability). Now, conditioning on the event that all garbled circuits are correct, the only way the garbler affects memory contents is by providing its part of the data for the one-time initialization phase, which takes place before the program is being executed, or by providing its input to the program being executed. Both kinds of behaviour are allowed even in the ideal model; thus, it holds that the cut-and-choose technique protects the evaluator from selective-bit attack in memory as well.

4.2.1 A Formal Proof

We prove Theorem 4.1 in a hybrid model where a trusted party is used to compute the batch single-choice cut-and-choose oblivious transfer functionality $\mathcal {F}_{\scriptscriptstyle \mathrm {{CT}}}$ and the input consistency check functionality $\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}$. We separately prove the case that $\mathrm{S}$ is corrupted and the case that $\mathrm{R}$ is corrupted.

The case$\mathrm{S}$is corrupted This case is very similar to the case in which $\mathrm{S}$ is corrupted in a standard cut-and-choose-based protocol (e.g. [35]). Intuitively, $\mathrm{S}$ can only cheat by constructing some of the circuits in an incorrect way. However, in order for this to influence the outcome of the computation, it has to be that a majority of the evaluation circuits, or equivalently over one-quarter of them, are incorrect. Furthermore, it must hold that none of these incorrect circuits are part of the check circuits. The reason this bad event only occurs with negligible probability is that $\mathrm{S}$ is committed to the circuits before it learns which circuits are the check circuits and which are the evaluation circuits. Specifically, observe first that in protocol $\Pi _{\scriptscriptstyle \mathrm {SCCOT}}$, $\mathrm{R}$ receives all the keys associated with its own input wires for the check circuits in Z (while $\mathrm{S}$ knows nothing about Z). Furthermore, $\mathrm{S}$ sends commitments for all input wire labels for input wires associated with its input before learning Z. Thus, it can only succeed in cheating if it successfully guesses over s / 4 circuits which all happen to not be in Z. As shown in [35], this event occurs with probability of approximately $\frac{1}{2^{s/4}}$. The sender $\mathrm{S}$ further participates in an input consistency protocol $\Pi _{\scriptscriptstyle \mathrm {IC}}$ which proves to $\mathrm{R}$ that all its inputs to the evaluation circuits are consistent.

We now proceed to the formal proof. Let $\mathcal {A}$ be an adversary controlling $\mathrm{S}$ in an execution of $\Pi _{\scriptscriptstyle \mathrm {UMA}}^P$ where a trusted party is used to compute the cut-and-choose OT functionality $\mathcal {F}_{\scriptscriptstyle \mathrm {{SCCOT}}}$ and the input consistency check functionality $\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}$. We construct a simulator $\mathcal {S}$ that runs in the ideal model with a trusted party computing $\mathcal {F}^{P^D}_{\scriptscriptstyle \mathrm {UMA}}$. The simulator $\mathcal {S}$ internally invokes $\mathcal {A}$ and simulates the honest $\mathrm{R}$ for $\mathcal {A}$ as well as the trusted party computing $\mathcal {F}_{\scriptscriptstyle \mathrm {{SCCOT}}}$ and $\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}$ functionalities. In addition, $\mathcal {S}$ interacts externally with the trusted party computing $\mathcal {F}^{P^D}_{\scriptscriptstyle \mathrm {UMA}}$. $\mathcal {S}$ works as follows:

1.
$\mathcal {S}$ invokes $\mathcal {A}$ upon its input and receives the inputs that $\mathcal {A}$ sends to the trusted party computing $\mathcal {F}_{\scriptscriptstyle \mathrm {{SCCOT}}}$ functionality. These inputs constitute an $\ell \times s$ matrix of label pairs $\{(\mathsf {lbl}_{\mathrm{R},0}^{1,1}, \mathsf {lbl}_{\mathrm{R},1}^{1,1}), \ldots , (\mathsf {lbl}_{\mathrm{R},0}^{\ell ,s}, \mathsf {lbl}_{\mathrm{R},1}^{\ell ,s})\}$, where $\mathsf {lbl}_{\mathrm{R},b}^{j,i}$ is the label associated with the jth input wire of the receiver $\mathrm{R}$ in the ith garbled version of the circuit $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$. Recall that these labels constitute the garbled $x_1$ and $R_1$ for all chains $i\in [s]$.
2.
$\mathcal {S}$ receives from $\mathcal {A}$s garbled chains $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^i,{\mathrm {GC}}^{1,i}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,{\mathrm {GC}}^{T,i}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ for every $i\in [s]$ and $2\ell s$ commitments $\{{\mathsf {com}}_{b}^{u,i}\}$ for every label $\mathsf {lbl}_{\mathrm{S},b}^{u,i}$ as described in the protocol (the garbled values associated with the sender’s input wires to $\{\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}\}_i$ for all $i\in [s]$).
3.
$\mathcal {S}$ chooses a subset $Z\subset [s]$ of size s / 2 uniformly at random. For every $z\in Z$ , $\mathcal {S}$ hands $\mathcal {A}$ the values $\mathsf {lbl}_{\mathrm{R},0}^{1,z}, \mathsf {lbl}_{\mathrm{R},1}^{1,z}$ (i.e. the two labels for the first input wire of $\mathrm{R}$ in every check chain, this proves to $\mathcal {A}$ that this chain is indeed a check chain, otherwise, $\mathrm{R}$ could not know both of the labels for that wire).
4.
$\mathcal {A}$ sends the decommitments to all labels of its input wires for the check chains (i.e. all chains indexed by $z\in Z$). Namely, upon receiving the set $\big \{ \mathsf {lbl}_{\mathrm{S},b}^{u,i}, {\mathsf {dec}}_{b}^{u,i} \}$ where $\mathsf {lbl}_{\mathrm{S},b}^{u,i}$ is the bth label ($b\in \{0,1\}$) for the sender’s uth bit ($u\in [\ell ]$) for the ith garbled circuit $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}$ and ${\mathsf {dec}}_{b}^{u,i}$ is its decommitment information. $\mathcal {S}$ verifies that the decommitment information is correct. If not, $\mathcal {S}$ sends $\perp $ to the trusted party, simulates $\mathrm{R}$ aborting and outputs whatever $\mathcal {A}$ outputs.
5.
$\mathcal {S}$ verifies that all the check chains $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^z,{\mathrm {GC}}^{1,z}_{{\scriptscriptstyle \mathrm {CPU}}},\ldots ,{\mathrm {GC}}^{T,z}_{{\scriptscriptstyle \mathrm {CPU}}}$ for $z\in Z$ are correctly constructed (the same way that an honest $\mathrm{R}$ would). If not, it sends $\perp $ to the trusted party, simulates $\mathrm{R}$ aborting and outputs whatever $\mathcal {A}$ outputs.
6.
$\mathcal {S}$ receives labels $\big \{ ( \hat{\mathsf{lbl}}_{{\scriptscriptstyle \mathrm {in}},x_1[1]} ^{1,z} , \ldots , \hat{\mathsf{lbl}}_{{\scriptscriptstyle \mathrm {in}},x_1[\ell ]} ^{\ell ,z}) \big \}_{z\notin [Z]}$. In addition $\mathcal {S}$, as a trusted party in the input consistency protocol $\Pi _{\scriptscriptstyle \mathrm {IC}}$, receives the randomness $r_g^0$, the output labels $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i}\}_{v,i,b}$ that were used by $\mathcal {A}$ to generate the s garbled chains in step 1 of the protocol, together with the decommitments ${\mathsf {dec}}_{b}^{u,i}$ for every label associated with the sender’s input wires.
7.
Given the values in the previous step, $\mathcal {S}$ checks the consistency of the labels it received from $\mathrm{S}$ (as if the trusted party in $\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}$ would). Note that if the check follows, the simulator $\mathcal {S}$ is able to extract the sender’s input $x_1$.
- If $\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}$ returns 0, then $\mathcal {S}$ outputs $\perp $, simulates $\mathrm{R}$ aborting and outputs whatever $\mathcal {A}$ outputs.
- Otherwise, for every $u\in [\ell ']$ ($|x_1|=\ell '$ as specified above), if $ \hat{\mathsf{lbl}}_{{\scriptscriptstyle \mathrm {in}},x_1[u]} ^{u,z} = \mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},0}^{u,z}$ set $x_1[u]=0$ and if $ \hat{\mathsf{lbl}}_{{\scriptscriptstyle \mathrm {in}},x_1[u]} ^{u,z} = \mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},1}^{u,z}$ set $x_1[u]=1$. Note that $\mathcal {S}$ only extracts the values associated with $x_1$ and not $R_1$.
8.
$\mathcal {S}$ sends $(\textsc {Input}_\mathrm{S},x_1)$ to the trusted party computing $\mathcal {F}^{P^D}_{\scriptscriptstyle \mathrm {UMA}}$ and outputs whatever $\mathcal {A}$ outputs and halts.

We next prove that for every $\mathcal {A}$ corrupting $\mathrm{S}$ and every s it holds that

$$\begin{aligned} \left\{ \mathbf{IDEAL}^{\mathcal {F}_{\scriptscriptstyle \mathrm {UMA}}^{P^D}}_{\mathcal {S}(z),\mathrm{S}}(\kappa ,x_1,x_2)\right\} _{\kappa \in \mathbb {N},x_1,x_2,z\in \{0,1\}^*}{\mathop {\approx }\limits ^{\kappa ,s}} \left\{ \mathbf{REAL}^{\Pi _{\scriptscriptstyle \mathrm {UMA}}^P}_{\mathcal {A}(z),\mathrm{S}}(\kappa ,x_1,x_2)\right\} _ {\kappa \in \mathbb {N},x_1,x_2,z\in \{0,1\}^*} \end{aligned}$$

The sender’s view in our protocol is very limited; the values that it sees during the execution are (1) the set of indices Z (in step 4 of the protocol), (2) |Z| pairs of labels that proves that that Z is indeed the one used in $\Pi _{\scriptscriptstyle \mathrm {SCCOT}}$, and (3) the output of the execution. The simulator $\mathcal {S}$ chooses Z exactly as the honest receiver would do and sends $\mathrm{S}$ the rest of the values correctly (also, if it caught a cheat, it aborts as a honest receiver would do). Importantly, as we argue immediately, the adversary could not deviate from the protocol (and produce sufficient amount of incorrect garbled chains) without being caught with overwhelming probability.

Note that after step 3 all labels for input wires of $\mathrm{S}$, and all garbled chains are fully determined, also, one label for every input wire associated with $\mathrm{R}$ is fully determined as well. Therefore, after this step each of the chain of circuits $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^i,{\mathrm {GC}}^{1,i}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,{\mathrm {GC}}^{T,i}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ is either “bad” or “not bad”.

It was previously shown, with regard to cut-and-choose analysis, that the probability that $\mathrm{R}$ does not abort and yet the majority of the evaluation circuits is bad, is at most $\frac{1}{2^{s/4}}$. We denote this above event by $\mathsf {badMaj}\wedge \mathsf {noAbort}$ and claim that as long that this event does not occur, the result of the ideal and hybrid executions (where the oblivious transfers and input consistency are ideal) is identically distributed. This is due to the fact that if less than s / 4 circuits are bad, then the majority of circuits evaluated by $\mathrm{R}$ compute the correct chain of circuits $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^i,{\mathrm {GC}}^{1,i}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,{\mathrm {GC}}^{T,i}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ which in turn correctly evaluates the program $P^D$ due to the correctness of the garbled scheme. In addition, by the ideal input consistency, the input $x_1$ extracted by the simulator $\mathcal {S}$ and sent to the trusted party computing $P^D$ corresponds exactly to the input $x_1$ in the computation of every not-bad chain of circuits. Thus, in every not-bad chain $\mathrm{R}$ outputs $P^D(x_1,x_2)$, and this is the majority of the evaluation circuits. We conclude that as long as $\mathsf {badMaj}\wedge \mathsf {noAbort}$ does not occur, $\mathrm{R}$ outputs $P^D(x_1,x_2)$ in both the real and ideal executions. Finally, we observe that $\mathcal {S}$ sends $\perp $ to the trusted party whenever $\mathrm{R}$ would abort and output $\perp $. This completes the proof of this corruption case.

The case$\mathrm{R}$is corrupted The intuition of this proof is as follows. For each of the evaluation chains, the receiver only receives a single set of input labels. Furthermore, these labels are associated with the same pair of inputs $x_1,x_2$ due to the single-choice cut-and-choose OT $\mathcal {F}_{\scriptscriptstyle \mathrm {{SCCOT}}}$ functionality. This implies that $\mathrm{R}$ can do nothing but honestly evaluate the evaluation circuits, where each final circuit outputs the same value $P^D(x_1,x_2)$. That is, assume that $\mathrm{R}$ evaluates the s / 2 garbled circuits ${\mathrm {GC}}^{t,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ for CPU step t and all $z\notin Z$; these garbled circuits output a translate $\mathsf {translate} _t$ tuple which corresponds to the values $\mathsf {ct}_0=\mathsf {Enc}_{{{{\textsf {MPK}}}}}({\mathsf {id}}_0,\mathsf {lbl}_{0}^{t+1})$ and $\mathsf {ct}_1=\mathsf {Enc}_{{{{\textsf {MPK}}}}}({\mathsf {id}}_1,\mathsf {lbl}_{1}^{t+1})$.^{Footnote 7} Now, since $\mathrm{R}$ only knows a secret key for the identity ${\mathsf {id}}_b$ from a previous write operation, yet it does not know the secret key that is associated with ${\mathsf {id}}_{1-b}$ it can only decrypt $\mathsf {ct}_b$. Below we formalize this intuition, namely, we show that $\mathrm{R}$ cannot learn any significant information about the plaintext within $\mathsf {ct}_{1-b}$ and thus cannot extract the other label $\mathsf {lbl}_{1-b}$ for the next CPU-step circuit.

Let $\mathcal {A}$ be an adversary controlling $\mathrm{R}$ in an execution of protocol $\Pi _{\scriptscriptstyle \mathrm {UMA}}^P$ where a trusted party is used to compute the cut-and-choose OT functionality $\mathcal {F}_{\scriptscriptstyle \mathrm {{SCCOT}}}$ and the input consistency functionality $\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}$. We construct a simulator $\mathcal {S}$ for the ideal model with a trusted party computing $\mathcal {F}^{P^D}_{\scriptscriptstyle \mathrm {UMA}}$.

1.
$\mathcal {S}$ invokes $\mathcal {A}$ upon its input and receives its inputs to the trusted party computing $\mathcal {F}_{\scriptscriptstyle \mathrm {{SCCOT}}}$. These inputs consist of a subset $Z\subset [s]$ of size exactly s / 2 and bits $x_2[1],\ldots ,x_2[\ell ]$. (If Z is not of size exactly s / 2, then $\mathcal {S}$ simulates $\mathrm{S}$ aborting, sends $\perp $ to the trusted party computing $\mathcal {F}_{\scriptscriptstyle \mathrm {UMA}}^{P^D}$, and halts outputting whatever A outputs.)
2.
$\mathcal {S}$ sends $(\textsc {Input}_\mathrm{R},x_2)$ to the trusted party computing $\mathcal {F}_{\scriptscriptstyle \mathrm {UMA}}^{P^D}$ and receives the output $(\textsc {Output}_\mathrm{R},T,y)$ and the memory accesses $\mathsf {Mem Access}=\{(i_{t}^{\mathsf {read} }, i_{t}^{\mathsf {write} }, b_{t}^{\mathsf {write} })\}_{t\in [T]}$ where $i_{t}^{\mathsf {read} }$ is the address to read from, $i_{t}^{\mathsf {write} }$ is the address to write to and $b_{t}^{\mathsf {write} }$ is the bit value to be written to $i_{t}^{\mathsf {write} }$ in time step t.
3.
$\mathcal {S}$ builds s chains of garbled circuits, starting from the last CPU step T towards the first one, in the following manner. (Note that a single call to $\mathsf {SimGC}$ produces both the evaluation and the check circuits).
1. (a)
  Initialize the TIBE scheme: generate the keys $({{{\textsf {MPK}}}}, {\textsf {MSK}})\leftarrow {\mathsf {MasterGen}}(1^\kappa )$ and ${\textsf {TSK}}_{t}\leftarrow \mathsf {TimeGen}({\textsf {MSK}},t)$ for $t=1,\ldots ,T$.
2. (b)
  For the last time step $t=T$, create $\{{\mathrm {GC}}^{t,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}\}_z$ by calling $\mathsf {SimGC}$ on the circuit $\mathrm {C}^{t}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ such that for the evaluation circuits ($z\notin Z$) the output labels $\mathsf {state}_{t+1} $ are set to the value y in the clear, whereas for the check circuits ($z\in Z$) the simulator chooses random pairs of output labels. This produces the input labels for the input $\mathsf {state}_{t} $ and the bit $b_{t}^{\mathsf {read} }$.
3. (c)
  For any other $t=T-1\ldots 1$, recall first that the values $i_{t}^{\mathsf {read} },i_{t}^{\mathsf {write} }, b_{t}^{\mathsf {write} }$ are given in the clear (from $\mathsf {Mem Access}$). Also, note that the labels $\mathsf {lbl}_{\mathsf {read},b}^{t+1,z}$ for the input bit b of circuit ${\mathrm {GC}}^{t+1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ had been produced by the simulator in step $t+1$. The simulator $\mathcal {S}$ computes the secret key $\mathsf {sk}_{(t,i,b)}$ and the translation table $\mathsf {translate} _t$ as follows:
  - Let $i=i_{t}^{\mathsf {write} }$ and $b=b_{t}^{\mathsf {write} }$. If $i=\perp $, then set $\mathsf {sk}_{(t,i,b)}:=\perp $. Else, set $\mathsf {sk}_{(t,i,b)}\leftarrow \mathsf {KeyGen}({\textsf {TSK}}_{t}, {\mathsf {id}}=(t,i,b))$.
  - Let $i=i_{t}^{\mathsf {read} }$, $t'<t$ be the last write time to location i (i.e. the largest value such that $i_{t'}^{\mathsf {write} }=i_{t}^{\mathsf {read} }$) and let $b=b_{t'}^{\mathsf {write} }$ be the bit written to the location at time $t'$. (This can be easily computed by the given $\mathsf {Mem Access}$.) Then, set:
    $$\begin{aligned} \mathsf {ct}_b\leftarrow \mathsf {Enc}_{{{\textsf {MPK}}}}( (t',i, b), \mathsf {lbl}_{\mathsf {read},b}^{t+1,z} ) ,~~~~\mathsf {ct}_{1-b}\leftarrow \mathsf {Enc}_{{{\textsf {MPK}}}}( (t',i, b), 0 ) \end{aligned}$$
    for all $z\notin Z$, and set $\mathsf {translate} _t=(\mathsf {ct}_0,\mathsf {ct}_1)$.
4. (d)
  Generate $\{{\mathrm {GC}}^{t,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}\}_z$ by calling $\mathsf {SimGC}$ on the circuit $\mathrm {C}^{t}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ such that for the evaluation circuits ($z\notin Z$) it inputs the values $i_{t}^{\mathsf {write} }, i_{t}^{\mathsf {read} },\mathsf {sk}_{(t,i,b)}, \mathsf {translate} _t$ as output labels and for the check circuits ($z\in Z$) it inputs random pairs of labels. Note that when $t=1$, the input labels produced by $\mathsf {SimGC}$ for $\mathsf {state}_{1} $ actually refer to the parties inputs $x_1,x_2$.
5. (e)
  At this point, the input labels for all CPU-step circuits $\{{\mathrm {GC}}^{1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,{\mathrm {GC}}^{T,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}\}_z$ are known to $\mathcal {S}$. (Specifically, these correspond to either a single label per wire for $z\notin Z$, or a pair of labels per wire for $z\in Z$.) These constitute the output labels that are required for $\mathsf {SimGC}$ to simulate the initialization circuits $\{\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^z\}_z$. Namely, we have the output labels for $x_1,x_2$ and $ \{ {{{\textsf {MPK}}}}_t, {\textsf {TSK}}_{t}, r^{\mathsf {KeyGen}}_t, r^{\mathsf {Enc}}_{t,0}, r^{\mathsf {Enc}}_{t,1} \}_{t\in [T]} $ (again, a single label if $z\notin Z$ and pair of labels if $z\in Z$). The simulator $\mathcal {S}$ inputs these labels as the output labels to $\mathsf {SimGC}$ which produces the labels for the input wires of the circuits $\{\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}^z\}_z$.
4.
Let $\tilde{Z}=s {\setminus } Z$ be the indices of the evaluation chains. Then in the previous step the simulator produced s sets of labels. For chains indexed with $z\in Z$ (check chain) the set consists of $\ell $pairs of labels corresponding to $\mathrm{R}$’s inputs wires in $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^z$, whereas for chains indexed with $z\in \tilde{Z}$ (evaluation chains) the set consists of $\ell $single labels corresponding to $\mathrm{R}$ actual input $x_2$. These $(2\ell |Z|+\ell |\tilde{Z}|)$ labels are denoted by $ \overline{\mathsf {lbl}_{Z}} = (\mathsf {lbl}_{\mathrm{R},0}^{1,z}, \mathsf {lbl}_{\mathrm{R},1}^{1,z}, \ldots , \mathsf {lbl}_{\mathrm{R},0}^{\ell ,z}, \mathsf {lbl}_{\mathrm{R},1}^{\ell ,z})$ for all $z\in Z$, and by $\overline{\mathsf {lbl}_{\tilde{Z}}} = (\mathsf {lbl}_{\mathrm{R},x_2[1]}^{1,z}, \ldots , \mathsf {lbl}_{\mathrm{R},x_2[\ell ]}^{\ell ,z})$ for $z\in \tilde{Z}$. Then, $\mathcal {S}$ hands $\mathcal {A}$ all the above labels, i.e. the union $\overline{\mathsf {lbl}_{Z}} \cup \overline{\mathsf {lbl}_{\tilde{Z}}}$ as its output from the oblivious transfers. (Note that $\mathcal {S}$ knows $x_2$ because it extracted it in the beginning of the simulation.)
5.
The simulator $\mathcal {S}$ sends $\mathcal {A}$ the garbled chains and commitments on the labels of all input wires of circuits $\{\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^i\}_{i\in [s]}$.
6.
$\mathcal {S}$ receives the set $Z'$ along with a pair of labels for every $z\in Z$ (proving that $\mathcal {A}$ indeed entered Z).
1. (a)
  If $Z\ne Z'$ and yet the values received are all correct, then $\mathcal {S}$ outputs $\perp $ and halts.
2. (b)
  If $Z=Z'$ and any of the values received are incorrect, then $\mathcal {S}$ sends $\perp $ to the trusted party, simulates $\mathrm{S}$ aborting and halts outputting whatever $\mathcal {A}$ outputs.
3. (c)
  Otherwise, $\mathcal {S}$ proceeds as below.
7.
$\mathcal {S}$ hands $\mathcal {A}$ the input labels that correspond to the sender’s input for all $z\notin Z$ and $u\in [\ell ]$ and sends the value 1 as the output of the trusted party when using the input consistency check functionality $\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}$.
8.
$\mathcal {S}$ outputs whatever $\mathcal {A}$ outputs and halts.

We now show that for every $\mathcal {A}$ corrupting $\mathrm{R}$ and every s it holds that:

$$\begin{aligned} \left\{ \mathbf{IDEAL}^{\mathcal {F}_{\scriptscriptstyle \mathrm {UMA}}^{P^D}}_{\mathcal {S}(z),\mathrm{R}}(\kappa ,x_1,x_2)\right\} _{\kappa \in \mathbb {N},x_1,x_2,z\in \{0,1\}^*}{\mathop {\approx }\limits ^{\kappa ,s}} \left\{ \mathbf{REAL}^\pi _{\mathcal {A}(z),\mathrm{R}}(\kappa ,x_1,x_2)\right\} _ {\kappa \in \mathbb {N},x_1,x_2,z\in \{0,1\}^*} \end{aligned}$$

In order to do so, we define a series of hybrid distributions $\mathbf {Hyb}_t$ for $t=1,\ldots ,T$. In the hybrid t, the garbled CPU-step circuits ${\mathrm {GC}}^{t+1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,{\mathrm {GC}}^{T,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ for $z\in Z$ are created as in the real distribution (that is, both labels $\mathsf {lbl}_{\mathsf {read},0}^{t+1,z},\mathsf {lbl}_{\mathsf {read},1}^{t+1,z}$ for the input bit of the next circuit are encrypted) and the garbled CPU-step circuits ${\mathrm {GC}}^{1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,{\mathrm {GC}}^{t,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ for $z\in Z$ are created as in the simulation. In $\mathbf {Hyb}_t$, when we simulate the tth circuits ${\mathrm {GC}}^{t,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$, we use the output labels for $\mathsf {state}_{t+1} , b_{t+1}^{\mathsf {read} }$ that these wire takes on during the real computation (i.e. the garbled circuits for time $t+1$ were generated as in the real execution).

We also define a hybrid distribution $\mathbf {Hyb}'_t$ which is like $\mathbf {Hyb}_t$ except for the simulation of the tth CPU-step circuits ${\mathrm {GC}}^{t,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ for $z\in Z$. Instead of choosing $\mathsf {translate} _t$ as in the simulation described above, we choose $\mathsf {translate} _t=(\mathsf {ct}_0,\mathsf {ct}_1)$ to both be encryptions of the correct label of the next circuit:

$$\begin{aligned} \mathsf {ct}_0\leftarrow \mathsf {Enc}_{{{\textsf {MPK}}}}( (t',i_{t}^{\mathsf {read} }, 0), \mathsf {lbl}_{\mathsf {read},0}^{t+1,z} ) ~~~~,~~~~\mathsf {ct}_1\leftarrow \mathsf {Enc}_{{{\textsf {MPK}}}}( (t',i_{t}^{\mathsf {read} }, 1), \mathsf {lbl}_{\mathsf {read},1}^{t+1,z} ) \end{aligned}$$

where $\mathsf {lbl}_{\mathsf {read},0}^{t+1,z}$ and $\mathsf {lbl}_{\mathsf {read},1}^{t+1,z}$ are the labels corresponding to the bits 0 and 1 for the wire $b_{t+1}^{\mathsf {write} }$ in garbled circuit ${\mathrm {GC}}^{t+1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$, which is still created using the real garbling procedure. (If $t=T$, we define $\mathbf {Hyb}'_t$ to be the same as $\mathbf {Hyb}_t$).

Note that in $\mathbf {Hyb}_0$ none of the CPU-step circuits are simulated, yet, the initialization circuits $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^z$ are still simulated. Therefore, we define the hybrid $\mathbf {Hyb}_{(-1)}$ to be the distribution where all circuits are created as in the real distribution.

Note that $\mathbf {Hyb}_{-1}$ is equal to the real distribution and $\mathbf {Hyb}_T$ is equal to the simulated distribution. Therefore, we prove indistinguishability by showing that for each t, we have:

$$\begin{aligned} \mathbf {Hyb}_t ~~ {\mathop {\approx }\limits ^{\mathrm{c}}}~~ \mathbf {Hyb}'_{t+1} ~~ {\mathop {\approx }\limits ^{\mathrm{c}}}~~ \mathbf {Hyb}_{t+1} \end{aligned}$$

and

$$\begin{aligned} \mathbf {Hyb}_{(-1)} ~~ {\mathop {\approx }\limits ^{\mathrm{c}}}~~ \mathbf {Hyb}_0 \end{aligned}$$

We prove this by the following claims:

Claim 4.1

For each $t\in \{0,\ldots ,T\}$, it holds that $\mathbf {Hyb}_t ~ {\mathop {\approx }\limits ^{\mathrm{c}}}~ \mathbf {Hyb}'_{t+1}$.

Proof

This follows directly from the security of the circuit garbling scheme applied only to the garbled CPU set of circuits for step $t+1$. This is because, in $\mathbf {Hyb}_t$, all ${\mathrm {GC}}^{1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,{\mathrm {GC}}^{t,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ are already simulated, and hence, they only rely on a subset of the input wire labels for the input $\mathsf {state} _{t+1}, b_{t+1}^{\mathsf {write} }$, in the $t+1$th set of circuits, corresponding to the actual values that these wires should take on during the real computation. (This is true for the wire corresponding to $b_{t+1}^{\mathsf {write} }$ since the simulated $\mathsf {translate} _t$ used to create the tth circuit only encrypts one label and the other ciphertext is “dummy”.)

Formally, the difference between the distributions is that the garbled circuits for the $(t+1)$th step in $\mathbf {Hyb}_t$ are generated by $\mathsf {Garb}$, whereas in $\mathbf {Hyb}'_{t+1}$ they were are generated by $\mathsf {SimGC}$. In both cases, the circuit generates $\mathsf {translate} $ according to the real execution. Therefore, given inputs $x_1,x_2$ and a distinguisher $\mathcal {D}'$ between these two distributions, we can construct a distinguisher $\mathcal {D}''$ that breaks the privacy of $\pi _{\scriptscriptstyle \mathrm {GC}}$. In particular, the distinguisher $\mathcal {D}''$ is given a set of garbled circuits $\{{\mathrm {GC}}^{t+1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}\}_{z\notin Z}$ generated either by the garbling scheme $\mathsf {Garb}$ or by its simulator $\mathsf {SimGC}$, where the output wires’ labels equal the input wires’ labels obtained from garbling $\{{\mathrm {GC}}^{t+2,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}\}_{z\notin Z}$ (note that by Definition 2.2 the privacy must hold for every choice of such labels). The distinguisher $\mathcal {D}''$ produces garbled circuits $\{{\mathrm {GC}}^{j,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}\}_{z\notin Z}$ for $j=T,\ldots ,t+2$ exactly as in the real execution; then, it plugs in the garbled circuits $\{{\mathrm {GC}}^{t+1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}\}_{z\notin Z}$ (received as input) and completes the chain of garbled circuits as in the simulation and outputs the entire chain. Observe that if the garbled circuits $\{{\mathrm {GC}}^{t+1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}\}_{z\notin Z}$ (given to $\mathcal {D}''$ as input) are output of $\mathsf {Garb}$, then the chain output by $\mathcal {D}''$ is distributed identically to $\mathbf {Hyb}_t$. Otherwise, it is distributed identically to $\mathbf {Hyb}'_{t+1}$. We conclude that the advantage of $\mathcal {D}''$ equals the advantage of $\mathcal {D}'$, which has to be negligible. $\square $

Claim 4.2

For each $t\in \{0,\ldots ,T\}$ it holds that $\mathbf {Hyb}'_t ~ {\mathop {\approx }\limits ^{\mathrm{c}}}~ \mathbf {Hyb}_t$.

Proof

This follows directly from the security of the TIBE scheme. The only difference between $\mathbf {Hyb}'_t$ and $\mathbf {Hyb}_t$ is the value of $\mathsf {translate} _t=(\mathsf {ct}_0,\mathsf {ct}_1)$ used to simulate the tth set of circuits. Let $b=b_{t+1}^{\mathsf {write} }$ be the value of the read bit in location $i_{t}^{\mathsf {read} }$ in the computation. Then, in $\mathbf {Hyb}'_t$ we set

$$\begin{aligned} \mathsf {ct}_b\leftarrow \mathsf {Enc}_{{{\textsf {MPK}}}}( (t',i_{t}^{\mathsf {read} }, b), \mathsf {lbl}_{\mathsf {read},b}^{t+1,z} ) ~~~~,~~~~\mathsf {ct}_b\leftarrow \mathsf {Enc}_{{{\textsf {MPK}}}}( (t',i_{t}^{\mathsf {read} }, b), \mathsf {lbl}_{\mathsf {read},1-b}^{t+1,z} ) \end{aligned}$$

whereas in $\mathbf {Hyb}_j$ we set

$$\begin{aligned} \mathsf {ct}_b\leftarrow \mathsf {Enc}_{{{\textsf {MPK}}}}( (t',i_{t}^{\mathsf {read} }, b), \mathsf {lbl}_{\mathsf {read},b}^{t+1,z} ) ~~~~,~~~~\mathsf {ct}_b\leftarrow \mathsf {Enc}_{{{\textsf {MPK}}}}( (t',i_{t}^{\mathsf {read} }, b), 0 ) \end{aligned}$$

where $u<t$.

Therefore, we reduce this to the TIBE game where the adversary is given the master public key ${{{\textsf {MPK}}}}$, the timed keys ${\textsf {TSK}}_{t+1},\ldots ,{\textsf {TSK}}_{T}$, a single identity secret key for the identity $(t',i_{t'}^{\mathsf {write} },b_{t'}^{\mathsf {write} })$ for each time step $0<t'<t$. (This key is used to simulate the set of circuits for time step $t'$.)

Assume the existence of parties inputs $x_1,x_2$ for which there exists a distinguisher $\mathcal {D}$ for the hybrids $\mathbf {Hyb}'_t$ and $\mathbf {Hyb}_t$. We construct a distinguisher $\mathcal {D}'$ for the TIBE scheme. $\mathcal {D}'$ is given ${{{\textsf {MPK}}}},{\textsf {TSK}}_{t+1},\ldots ,{\textsf {TSK}}_{T}$ from the game along with one secret key for every time step $t'<t$. $\mathcal {D}'$ works as follows:

1.
Build the circuits ${\mathrm {GC}}^{T,z}_{{\scriptscriptstyle \mathrm {CPU}^+}},\ldots ,{\mathrm {GC}}^{t+1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$ for all $z\notin Z$ as in the real distribution.
2.
For the tth circuits ${\mathrm {GC}}^{t,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$, let $b=b_{t}^{\mathsf {read} }$ be the bit that is being read from memory at time t in the real execution of the program ($\mathcal {D}'$ knows it since it knows $x_1,x_2$ and can infer b from it) and let $\mathsf {lbl}_{\mathsf {read},b}^{t+1,z}, \mathsf {lbl}_{\mathsf {read},1-b}^{t+1,z}$ be the labels of the input bits for the next CPU-step circuits ($\mathcal {D}'$ knows them as well because it generated these labels using $\mathsf {Garb}$).
3.
$\mathcal {D}'$ hands the TIBE game the identity $\mathsf {id}^*=(t,i_{t}^{\mathsf {write} },b)$ and the two messages: $\mathsf {msg}_{0}=\mathsf {lbl}_{\mathsf {read},1-b}^{t+1,z}$ and $\mathsf {msg}_{0}=0$ and receives the ciphertext $\mathsf {ct}$.
4.
Set $\mathsf {translate} _t=(\mathsf {ct}_0,\mathsf {ct}_1)$ where $\mathsf {ct}_b=\mathsf {Enc}_{{{\textsf {MPK}}}}((t',i_{t}^{\mathsf {read} }, b), \mathsf {lbl}_{\mathsf {read},b}^{t+1,z})$ where $t'$ the last time that location $i_{t}^{\mathsf {read} }$ was written to, and $\mathsf {ct}_{1-b}=\mathsf {ct}$.
5.
For CPU-step circuits ${\mathrm {GC}}^{t,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$, use the suitable input labels $\mathsf {state}_{t+1} $ that was output from the previous invocation of $\mathsf {Garb}$, and the values $i_{t}^{\mathsf {write} },i_{t}^{\mathsf {read} },b_{t}^{\mathsf {write} },\mathsf {translate} _t$ that are output “in the clear” and input them to $\mathsf {SimGC}$ to get the appropriate input labels for CPU-step circuits ${\mathrm {GC}}^{t-1,z}_{{\scriptscriptstyle \mathrm {CPU}^+}}$.
6.
Keep the simulation till the $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$ and hand the result garbled chains together with the memory accesses to $\mathcal {D}$.
7.
If $\mathcal {D}$ outputs $\mathbf {Hyb}'_t$, then output 0, otherwise, if $\mathcal {D}$ outputs $\mathbf {Hyb}_t$ output 1.

Note that if $\mathsf {ct}=\mathsf {Enc}_{{{\textsf {MPK}}}}((t',i_{t}^{\mathsf {read} }, b), \mathsf {lbl}_{\mathsf {read},b}^{t+1,z})$, then the result hybrid is identically distributed to $\mathbf {Hyb}'_t$ and if $\mathsf {ct}=\mathsf {Enc}_{{{\textsf {MPK}}}}((t',i_{t}^{\mathsf {read} }, b), 0)$, then the result hybrid is identically distributed to $\mathbf {Hyb}_t$. Thus, if $\mathcal {D}$ distinguishes between the two hybrids $\mathbf {Hyb}'_t$ and $\mathbf {Hyb}_t$, then the distinguisher $\mathcal {D}'$ distinguishes between the above messages in the TIBE game. $\square $

Claim 4.3

It holds that $\mathbf {Hyb}_{(-1)} ~ {\mathop {\approx }\limits ^{\mathrm{c}}}~ \mathbf {Hyb}_0$.

Proof

Note that the difference between the hybrids is merely whether the first circuits $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}^z$ are simulated or not. Hence, we rely on the security of the garbling scheme as done in the proof of Claim 4.2.

5 Removing the IBE Assumption

In this section, we discuss how to apply our ideas to the GRAM by Garg et al. [15] with the aim of removing the IBE assumption. We begin with briefly describing their scheme and then present our construction.

5.1 Background: GRAM Based on OWF [15]

In this construction, as in the previous GRAM scheme, the garbler first garbles the data D, the program P and the input x, and forwards these to the evaluator that runs the evaluation algorithm to obtain the program output y. More precisely, each internal node $\mathsf node$ is associated with a PRF key r that is encrypted under a PRF key associated with $\mathsf node$’s parent, and each memory access is translated into a sequence of $d-1$ navigation circuits (where $d=\log n$ is the depth of the tree) and a step circuit. During the evaluation, each navigation circuit outputs a translation map that allows the evaluator to learn the input labels that encode the input keys associated with the next node on the path to the required memory location. These keys are then used in the next navigation circuit. In addition, the circuit refreshes the PRF key associated with $\mathsf node$ and computes a new set of PRF values based on this new key to be stored on $\mathsf node$. The step circuit finally performs the read or write operation. In more detail,

5.1.1 Garbling Data

Split first the data D into n blocks $D_0,D_1,\ldots ,D_{n-1}$, each of size $\kappa $ bits. These blocks will be the leafs of a binary tree of depth $d=\log n$ such that its $n-1$ internal nodes are determined next.
Choose a set of $n-1$ random keys from $\{0,1\}^\kappa $ indexed by the tuple i, j where $i\in \{0,\ldots ,d-1\}$ is the depth in the tree and j is the index of that node within the ith tree level, where that the ith level includes $2^i$ keys. For example, when $|D|=8\kappa $ then $n=8$ and the nodes on the tree store the values: $r_{0,0}, r_{1,0}, r_{1,1}, r_{2,0}, r_{2,1}, r_{2,2}, r_{2,3}, D_0,D_1,D_2,D_3, D_4, D_5, D_6, D_7$ where $r_{0,0}$ is the root. This tree is the plain data, whereas the encrypted data is described next.
Denote the qth bit of a key r and the qth bit of a data block D by $r^q$ and $D^q$, respectively, where $q\in \{1,\ldots ,\kappa \}$. Encrypt each bit of a key within a node (expect for the root) using the key that is associated with its parent node, where the encryption is carried out using a PRF F and the tags $\textsf {left}$ and $\textsf {right}$. Then, the (i, j) node contains $F_{r_{i-1,j/2}}(\mathsf{side},r_{i,j}^1,1), \ldots , F_{r_{i-1,j/2}}(\mathsf{side},r_{i,j}^\kappa ,\kappa )$ with $\mathsf{side}=\mathsf{left}$ if (i, j) is the left child of $(i-1,j/2)$ and $\mathsf{side}=\mathsf{right}$ otherwise. For example, the garbled memory in node (2, 1) has the bits of key $r_{2,1}$ encrypted using the key $r_{1,0}$ (its parent in the tree) with the tag $\textsf {right}$ (since $r_{2,1}$ is the right child of $r_{1,0}$). Formally, we write
$$\begin{aligned} \widehat{r_{2,1}}= & {} F_{r_{1,0}}(\mathsf{right},r_{2,1}^1,1),\ldots , F_{r_{1,0}}(\mathsf{right},r_{2,1}^\kappa ,\kappa ) ~~{\texttt {a}nd}~~\\ \tilde{D_2}= & {} F_{r_{2,1}}(\textsf {left},D_2^1,1),\ldots ,F_{r_{2,1}}(\textsf {left},D_2^\kappa ,\kappa ) \end{aligned}$$
For each plain key $r_{i,j}$ output its encrypted version $\widehat{r_{i,j}}$ and for each plain data block $D_j$ output its encrypted version $\tilde{D_j}$. This tree is the garbled data $\tilde{D}$. Overall we have that $|\tilde{D}|=O(\kappa \cdot |D|)$.

On a high level, the goal of this data structure is to prevent a “memory rollback” attack by the evaluator. That is, an attempt to input the CPU-step circuit an outdated value (i.e. value that was in memory once, but got updated already). Using the above machinery, the evaluator does not see the actual keys, and so it cannot modify the ciphertexts in a way that yield a valid evaluation of the next garbled circuit.

5.1.2 Garbling Program

Each step in the original program P is performed using d steps in the new scheme, such that the first $d-1$ steps are used to navigate to the required data block in $D_j$ and the last, dth, step is used to perform the CPU step of the program on this block and to kick start the next CPU step. Concretely, the first $d-1$ navigation steps are carried out by evaluating $d-1$$\textsf {nav}$ garbled circuits and the last dth step is performed by evaluating a single garbled circuit $\textsf {step}$. In the following, we overview the internal design of circuits nav and step and further stress that all fresh PRF keys that are hard-wired into the circuits in the [15] construction are given as inputs to the circuits in our construction. Below we present the modified version of [15] that is consistent with our modifications.

5.1.3 The nav Circuit

We index each nav circuit by the tuple i, j ($i\in [T]$ and $j\in [d]$) such that circuit $\textsf {nav}_{i,j}$ is the jth circuit in the ith group of circuits. $\textsf {nav}_{i,j}$ helps to navigate in the jth level of the tree towards the data item $D_L$ that is read in the ith CPU step. Consider circuit $\textsf {nav}_{i,j}$:

Inputs
- – Two (plain) keys$r_{j+1,\ell },r_{j+1,\ell +1}$ (where $\ell \in [2^{j+1}]$) from level $j+1$ of the tree (this amounts to $2\kappa $ input wires). We stress that the circuit can see these keys but the evaluator sees only wire labels that hide them.
- – The key$s=r_{j,\ell /2}$. That is, the parent key of $r_{j+1,\ell },r_{j+1,\ell +1}$. This amounts to $\kappa $ input wires.
- – A fresh key$\tilde{r}$ that is going to replace either $r_{j+1,\ell }$ or $r_{j+1,\ell +1}$ in memory. That is, the evaluator is going to store in memory $\{F_s(\mathsf{left}, \tilde{r}^q,q)\}_{q\in [\kappa ]}, \{F_s(\mathsf{right}, r_{j+1,\ell +1}^q,q)\}_{q\in [\kappa ]}$ or $\{F_s(\mathsf{left}, r_{j+1,\ell }^q,q)\}_{q\in [\kappa ]}, \{F_s(\mathsf{right}, \tilde{r}^q,q)\}_{q\in [\kappa ]}$). This amounts to $\kappa $ input wires.
- – The currentstate of the program (which travels until the next CPU-step circuit).
- – The index$L=L_0,\ldots ,L_{\log |D|}$ of the destination memory entry to access.
Hard-wired values
- – The valuej, that is, which bit in L the circuit should check in order to decide what to do (see next).
- – A set of$4\kappa $input wire labels of the next circuit (the next circuit is $\textsf {nav}_{i,j+1}$ if $j+1<d$ or $\textsf {step}_i$ if $j+1=d$). Those wire labels correspond to two keys $r_{j+2,m},r_{j+2,m+1}$ in the $j+2$th level of the memory (or $D_m, D_{m+1}$ if the next circuit is $\textsf {step}_i$). There are $4\kappa $ labels because there are 2 labels (for zero and one) for each bit of those keys. Denote those labels by $\mathsf{label}^{\mathsf{left},q}_0, \mathsf{label}^{\mathsf{left},q}_1, \mathsf{label}^{\mathsf{right},q}_0, \mathsf{label}^{\mathsf{right},q}_1$ for all $q\in [\kappa ]$.
Procedure
- – Let $L_j=b$. (This indicates whether we should keep the navigation to the left, if $b=0$, or to the right, if $b=1$.) Assign $r_{j+1,\ell +b}\leftarrow \tilde{r}$ (i.e. replace the value of $r_{j+1,\ell +b}$), the value of $r_{j+1,\ell +1-b}$ remains the same.
- – Perform
  $$\begin{aligned} \widehat{r_{j+1,\ell }}&= F_{s}(\mathsf{left},r_{j+1,\ell }^1,1),\ldots , F_{s}(\mathsf{left},r_{j+1,\ell }^\kappa ,\kappa )\\ \widehat{r_{j+1,\ell +1}}&= F_{s}(\mathsf{right},r_{j+1,\ell +1}^1,1),\ldots , F_{s}(\mathsf{right},r_{j+1,\ell +1}^\kappa ,\kappa ) \end{aligned}$$
- – Let $r_{j+2, m}$ and $r_{j+2, m+1}$ be the keys associated with the children of $r_{j+1,\ell +b}$ (i.e. one of these keys is on the path towards data block with index L). Recall that (1) the evaluator knows the PRF values $F_{r_{j+1,\ell +b}}(\mathsf{left},r_{j+2, m}^q,q)$ and $F_{r_{j+1,\ell +b}}(\mathsf{right},r_{j+2, m+1}^q,q)$ for all $q\in [\kappa ]$ in its garbled memory and (2) the next navigation circuit should receive $r_{j+2, m}^q$ and $r_{j+2, m+1}^q$ as inputs. Also, recall that the input wire labels by which these $2\kappa $ bits are transferred to $\textsf {nav}_{i,j+1}$ are hard-wired and known to the current circuit $\textsf {nav}_{i,j}$. The current circuit $\textsf {nav}_{i,j}$ does not know the values of the keys $r_{j+2, m}^q$ and $r_{j+2, m+1}^q$ but since they are encrypted bit by bit using the key $r_{j+1,\ell +1}$, it is possible to output a translation table to be used by the evaluator, see immediately. Thus, let $\mathsf{label}^{\mathsf{left},q}_0, \mathsf{label}^{\mathsf{left},q}_1$ be the two labels that correspond to the qth input bit $r_{j+2, m}^q$ (similarly $\mathsf{label}^{\mathsf{right},q}_0, \mathsf{label}^{\mathsf{right},q}_1$) are the labels that correspond to $r_{j+2, m+1}^q$). Let $k=r_{j+1,\ell +1-b}$; then, if $r_{j+2, m}^q=\beta $, then the evaluator should learn $\mathsf{label}^{\mathsf{left},q}_\beta $ and input it to the next circuit; therefore, we give the evaluator the mapping $\mathsf{translate}_\mathsf{left}^q = (\mathsf{ct}_\mathsf{left,0}^q, \mathsf{ct}_\mathsf{left,1}^q)$ where
  $$\begin{aligned} \mathsf{ct}_\mathsf{left,0}^q= F_{k}(\mathsf{left}, 0,q)\oplus \mathsf{label}^{\mathsf{left},q}_0 ~~\text{ and }~~ \mathsf{ct}_\mathsf{left,1}^q= F_{k}(\mathsf{left}, 1,q)\oplus \mathsf{label}^{\mathsf{left},q}_1 \end{aligned}$$
Note that the evaluator cannot learn $\mathsf{label}^{\mathsf{left},q}_{1-\beta }$ without knowing $F_{k}(\mathsf{left}, 1-\beta ,q)$ and it does not know $F_{k}(\mathsf{left}, 1-\beta ,q)$ because it does not have k.

Outputs
- – $\widehat{r_{j+1,\ell }}$ and $\widehat{r_{j+1,\ell +1}}$. The evaluator writes these ciphertexts to the $\ell $ and $\ell +1$ locations, respectively, in the $(j+1)$th layer of the garbled memory.
- – The values L and $\mathsf {state} $ are passed (in wire labels) directly to the next circuit.
- The key $\tilde{r}$ is passed (via wire labels) to the next circuit and corresponds as the input s (see the above description).
- – The $2\kappa $ translation tables: $\mathsf{translate}_{\mathsf{left}}^q$ and $\mathsf{translate}_{\mathsf{right}}^q$ for all $q\in [\kappa ]$.

5.1.4 The step Circuit

Recall that a tree with n leafs has $d+1$ layers: $0,\ldots ,d$ ($d=\log n$) such that the data items reside on layer d and the keys reside on the rest of the layers. In order to navigate to the Lth data item on layer d, we skip the 0 layer of the tree (the root) and navigate through the rest of the $d-1$ layers $1,\ldots ,d-1$. Next, circuit step is evaluated by choosing one out of the two data items (from level d) that are given as input.

Inputs
- – Two (plain) data items$D_L,D_{L+1}$ (where $L\in [n]$) from level d of the tree (this amounts to $2\kappa $ input wires). We stress that the circuit can see these keys, but the evaluator sees only wire labels that hide them.
- – The key$s=r_{d-1,L/2}$. That is, the parent key of $D_L,D_{L+1}$. This amounts to $\kappa $ input wires.
- – The root’s key$\rho $ used in order to compute a translation table so the evaluator may input $r_{1,0}$ and $r_{1,1}$ to the next navigation circuit. This input amounts to $\kappa $ input wires.
- – The currentstate of the program (which travels until the next CPU-step circuit).
- – The indexL of the destination memory entry to access.
Hard-wired values
- – A set of$4\kappa $input wire labels of the next circuit (the next circuit is $\textsf {nav}_{i+1,0}$). Those wire labels correspond to two keys $r_{1,0},r_{1,1}$ in the first level of the memory. Again, there are $4\kappa $ labels because there are 2 labels (for zero and one) for each bit of those values. As before, denote those labels by $\mathsf{label}^{\mathsf{left},q}_0, \mathsf{label}^{\mathsf{left},q}_1, \mathsf{label}^{\mathsf{right},q}_0, \mathsf{label}^{\mathsf{right},q}_1$ for all $q\in [\kappa ]$.
Procedure
- – Let $L_{d}=b$ ($b=0$ indicates that we should use $D_L$ and $b=1$ indicates that we should use $D_{L+1}$).
- – Compute $(\textsf {state}',L',D')=C_{\textsf {CPU}}^P(\textsf {state},D_{L+b})$ and re-assign $D_{L+b}\leftarrow D'$.
- – Compute $\tilde{D}_0,\tilde{D}_1$ where
  $$\begin{aligned} \tilde{D}_b = F_{s}(\mathsf{side},D_{L+b}^1,\kappa ),\ldots , F_{s}(\mathsf{side},D_{L+b}^\kappa ,\kappa ) \end{aligned}$$
  where $\mathsf{side}=\mathsf{left}$ if $b=0$ and $\mathsf{side}=\mathsf{right}$ if $b=1$.
- – Let $r_{1, 0}$ and $r_{1, 1}$ be the child keys of the root key $\rho $. Recall that the evaluator has the encryptions $F_{\rho }(\mathsf{left},r_{1, 0}^q,q)$ and $F_{\rho }(\mathsf{right},r_{1, 1}^q,q)$ for all $q\in [\kappa ]$ in its garbled memory, and in the next navigation circuit should receive $r_{1, 0}^q$ and $r_{1, 1}^q$ as inputs. Also recall that the input wire labels by which these $2\kappa $ bits are transferred to $\textsf {nav}_{i+1,0}$ are hard-wired and known to the current circuit. Thus, let $\mathsf{label}^{\mathsf{left},q}_0, \mathsf{label}^{\mathsf{left},q}_1$ be the two labels that correspond to the qth input bit $r_{1, 0}^q$ (similarly $\mathsf{label}^{\mathsf{right},q}_0, \mathsf{label}^{\mathsf{right},q}_1$) are the labels that correspond to $r_{1, 1}^q$). If $r_{1, 0}^q=b$, then the evaluator should learn $\mathsf{label}^{\mathsf{left},q}_0$ and input it to the next circuit; therefore, we give the evaluator $\mathsf{translate}_\mathsf{left}^q = (\mathsf{ct}_\mathsf{left,0}^q, \mathsf{ct}_\mathsf{left,1}^q)$ where
  $$\begin{aligned} \mathsf{ct}_\mathsf{left,0}^q= F_{\rho }(\mathsf{left}, 0,q)\oplus \mathsf{label}^{\mathsf{left},q}_0 ~~and~~ \mathsf{ct}_\mathsf{left,1}^q= F_{\rho }(\mathsf{left}, 1,q)\oplus \mathsf{label}^{\mathsf{left},q}_1 \end{aligned}$$
Outputs
- – $\tilde{D}_0$ and $\tilde{D}_1$. The evaluator writes those encryptions to the L and $L+1$ locations, respectively, in the dth layer of the garbled memory.
- – The values $L'$ and $\mathsf {state} '$ are passed (in wire labels) directly to the next circuit.
- – the $2\kappa $ translation tables: $\mathsf{translate}_\mathsf{left}^q$ and $\mathsf{translate}_\mathsf{right}^q$ for all $q\in [\kappa ]$.

5.1.5 A Chain of Circuits

The overall construction can be seen as a chain of T groups of circuits such that each group consists of $d-1$nav circuits and one step circuit. Each of the nav circuits is hard-wired with a new fresh key and the key that was refreshed in the prior circuit. An evaluation example of a program with two CPU steps and 8 data items is presented in “Appendix C”.

5.2 2PC in the Presence of Malicious Adversaries Relying on OWF

On a high level, we compile the GRAM from [15] into a malicious two-party protocol using the cut-and-choose approach. Similarly to our protocol from Sect. 4.1, we extract the randomness that is used for the read-and-write operations. We note that following this path requires carefully understanding the details of the underlying GRAM scheme which is not a straightforward extension of our protocol from Sect. 4. Specifically, the security proof for the case of corrupted receiver does not use the GRAM in a black-box way as it depends on the mechanism that prevents rollback (e.g. TIBE or a PRF tree). More specifically, in order to apply the cut-and-choose technique we need to figure out what randomness affects the data to be written to the memory (because all copies of the evaluation circuits must output the same values). We note that the above fresh keys that are hard-wired into the circuits, together with the initial data D and the program input x, fully determine the values to be written to the memory during the execution of the program. Specifically, the new PRF keys allow generating the new translation tables to be written in the garbled memory. We continue with the following high-level description of the malicious secure protocol.

5.2.1 Protocol $\tilde{\Pi }_{\scriptscriptstyle \mathrm {UMA}}^P$

Intuitively, the protocol that relies on the existence of one-way functions is the same as the protocol described in Sect. 4.1 with the modifications that now the random inputs $R_1,R_2$ that the parties enter the computation, as well as the values that the $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$ generates, are interpreted differently. We overview these changes in the following description.

Interpretation of$R_1$and$R_2$ The circuit $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$ takes $R_1,R_2$ as inputs, calculates $R=R_1\oplus R_2$ and interprets R as values $\{u_0^t,\ldots ,u_{d-1}^t\}_{t\in [T]}$ which correspond to the fresh PRF keys that are used in the execution of the program, grouped into T parts.
Construction of the Chains of Circuits We now describe how the chains of circuits are being built in the new construction. To simplify notation, we describe how a single chain is being built, out of the s chains that are used in the cut-and-choose process. A chain consists of $T\cdot d$ garbled circuits where the first garbled circuit is $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$ followed by groups of d garbled circuits, such that the last circuit in each group evaluating CPU-step t is a step circuit $\textsf {step}_t$, whereas the rest $d-1$ garbled circuits are navigation circuits $\textsf {nav}_{t,0}, \ldots , \textsf {nav}_{t,d-2}$. The functionalities of these circuits were described above. For each time step $t=T,\ldots ,1$, the garbling procedure starts by garbling $\textsf {step}_t$, then garbling $\textsf {nav}_{t,d-2}$ and so on till the garbling of $\textsf {nav}_{t,0}$. Such that the labels associated with the input wires of $\textsf {nav}_{t,j}$, that represent the current $\mathsf {state}$, are hard-wired into circuit $\textsf {nav}_{t,j-1}$, and similarly, the labels of the input wires of $\textsf {step}_t$, that represent the current $\mathsf {state}$, are hard-wired into circuit $\textsf {nav}_{t,d-2}$. This is done in the same manner as in the protocol described in Sect. 4.1.
The bootstrapping circuit The bootstrapping circuit ($\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$) inputs the values $s=u_0^1$ and $\tilde{r} = u_1^1$ to the first navigation circuit $\textsf {nav}_{1,0}$, the values $s=u_1^1$ and $\tilde{r}=u_2^1$ to the second navigation circuit $\textsf {nav}_{1,1}$ and so on, until reaching the first step circuit $\textsf {step}_1$ which is given the keys $u_{d-2}^1,u_0^0$. Generally speaking, the bootstrapping circuit transfers the navigation circuit $\textsf {nav}_{i,j}$ the inputs $s=u_j^i$ and $\tilde{r}= u_{j+1}^i$, and the circuit $\textsf {step}_i$ the inputs $s=u_{d-2}^i$ and $\tilde{r}=u_0^{i}$. Note that each key is input to exactly two circuits and after being used to “decrypt” some labels we update it and it is never used again.

We proceed with a formal description of the protocol:

5.2.2 Formal Description of Protocol $\tilde{\Pi }_{\scriptscriptstyle \mathrm {UMA}}^P$

1.
Garbled navigation, step and initialization circuits.

For $t=T-1,\ldots ,1$
1. (a)
  Garble the CPU-step $\textsf {step}_t$ circuit:
  - If $t=T$, then choose random labels for the labels corresponding to $\mathsf {state}_{T+1} $, otherwise, choose random labels for wires associated with outputs $\tilde{D}_0$, $\tilde{D}_1$, $\mathsf{translate}_\mathsf{left}^q$ and $\mathsf{translate}_{\mathsf{right}}^q$ for all $q\in [\kappa ]$, in addition, use label for output wires of $L'$ and $\mathsf {state} '$ as the labels of the input wires of navigation circuit $\mathsf{nav}_{t+1,0}$.
  - Denote all chosen labels by $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i,t}\}_{v,i,b}$ and continue as follows:
  - Garble $\textsf {step}_t$ by calling
    $$\begin{aligned} \big ( \{ GC_{\mathsf{step},t}^i \}_{i} , \{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i,t}\}_{u,i,b} \big ) \leftarrow \mathsf {Garb}\bigg (1^\kappa , s, \textsf {step}_t, \{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i,t}\}_{v,i,b} ; r \bigg ) \end{aligned}$$
    for $v\in [v_{\scriptscriptstyle \mathrm {out}}],i\in [s],b\in \{0,1\}$ and r the randomness used within $\mathsf {Garb}$.
  - Interpret the result labels $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i,t}\}_{u,i,b}$ as the following groups of values: $D_{L,t}$, $D_{L+1,t}$, $s_t$, $\rho $, $\mathsf {state}_{t} $ and L, that cover the labels:
    
    $\{ \mathsf {lbl}_{D_{L,t}}\}$, $\{ \mathsf {lbl}_{D_{L+1,t}}\}$, $\{ \mathsf {lbl}_{s_t}\}$, $\{ \mathsf {lbl}_{\rho }\}$, $\{ \mathsf {lbl}_{\mathsf {state}_{t} }\}$ and $\{ \mathsf {lbl}_{L}\}$, respectively.
2. (b)
  Garble the navigation circuits:
  
  For $j=d-2,\ldots ,0$:
  - If $j=d-2$, then hard-wire the labels $\{ \mathsf {lbl}_{D_{L,t}}\}$ and $\{ \mathsf {lbl}_{D_{L+1,t}}\}$ within $\mathsf{nav}_{t,j}$, otherwise, hard-wire the labels $\{ \mathsf {lbl}_{\mathsf{key}_{\mathsf{left},t,j+1}} \}$ and $\{ \mathsf {lbl}_{\mathsf{key}_{\mathsf{right},t,j+1}} \}$ within $\mathsf{nav}_{t,j}$
  - Choose random labels for the output wires that correspond to $\widehat{r_{j+1,\ell }}$ and $\widehat{r_{j+1,\ell +1}}$ and $\mathsf{translate}_\mathsf{left}^q$ and $\mathsf{translate}_\mathsf{right}^q$ for all $q\in [\kappa ]$, in addition, use labels for output wires of L and $\mathsf {state} $ as the labels of the input wires of navigation circuit $\mathsf{nav}_{t,j+1}$.
  - Denote all chosen labels by $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i,t}\}_{v,i,b}$ and continue as follows:
  - Garble $\textsf {nav}_{t,j}$ by calling
    $$\begin{aligned} \big ( \{ GC_{\mathsf{nav},t,j}^i \}_{i} , \{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i,t}\}_{u,i,b} \big ) \leftarrow \mathsf {Garb}\bigg (1^\kappa , s, \textsf {nav}_{t,j}, \{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i,t}\}_{v,i,b} ; r\bigg ) \end{aligned}$$
    with $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i,t}\}_{v,i,b}$ the set of labels from above and r the randomness used within $\mathsf {Garb}$.
  - Interpret the result labels $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i,t}\}_{u,i,b}$ as the following groups of values: $\{ \mathsf {lbl}_{\mathsf{key}_{\mathsf{left},t,j}} \}$, $\{ \mathsf {lbl}_{\mathsf{key}_{\mathsf{right},t,j}} \}$, $\{ \mathsf {lbl}_{s_{t,j}} \}$, $\{ \mathsf {lbl}_{\tilde{r}_{t,j}} \}$, $\{ \mathsf {lbl}_{\mathsf {state}_{t} }\}$ and $\{ \mathsf {lbl}_{L}\}$, respectively.
3. (c)
  Garble the initialization circuit $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$:
  - Combine the group of labels $\{ \mathsf {lbl}_{s_{t,j}} \}$ and $\{ \mathsf {lbl}_{\tilde{r}_{t,j}} \}$ in addition to the input wire labels from the first navigation circuit $\mathsf{nav}_{0,0}$ that correspond to the state and denote them by $\{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i}\}_{v,i,b}$.
  - Garble the initialization circuit:
    $$\begin{aligned} \big ( \{ \mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^i \}_{i} , \{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {in}},b}^{u,i}\}_{u,i,b} \big ) \leftarrow \mathsf {Garb}\bigg (1^\kappa , s, \mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}, \{\mathsf {lbl}_{{\scriptscriptstyle \mathrm {out}},b}^{v,i}\}_{v,i,b} ; r_g^0 \bigg ). \end{aligned}$$
  - Interpret the input labels result from that invocation of $\mathsf {Garb}$ by $\{\mathsf {lbl}_{\mathrm{S}}\}$ and $\{\mathsf {lbl}_{\mathrm{R}}\}$ which are the input wire labels that are, respectively, associated with the sender’s and receiver’s input wires.
2.
Oblivious transfers.

This step goes exactly as in protocol $\Pi _{\scriptscriptstyle \mathrm {UMA}}^P$.
3.
Send garbled circuits.

$\mathrm{S}$ sends $\mathrm{R}$ the garbled circuits chains $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^i,\textsf {step}_t^i,\textsf {nav}_{t,j}^i$ for every $t\in [T], j\in [d-1]$ and $i\in [s]$.
4.
Commitments and cut-and-choose challenge.

This step goes exactly as in protocol $\Pi _{\scriptscriptstyle \mathrm {UMA}}^P$.
5.
Send all input garbled values in check circuits.

This step goes exactly as in protocol $\Pi _{\scriptscriptstyle \mathrm {UMA}}^P$.
6.
Correctness of check circuits.

This step goes exactly as in protocol $\Pi _{\scriptscriptstyle \mathrm {UMA}}^P$.
7.
Check garbled inputs consistency for the evaluation circuits.

This step goes exactly as in protocol $\Pi _{\scriptscriptstyle \mathrm {UMA}}^P$.
8.
Evaluation.

Let $\tilde{Z}=\{z \mid z\notin Z\}$ be the indices of the evaluation circuits.
1. (a)
  For every $z\in \tilde{Z}$, $\mathrm{R}$ evaluate $\mathrm {GC}_{\scriptscriptstyle \mathrm {INIT}}^{z}$ using $\mathsf {Eval}$ and the input wires it obtained in step 7 and reveal one label for each of its output wires $\mathsf {lbl}_{{\scriptscriptstyle \mathrm {INIT}}}^{{\scriptscriptstyle \mathrm {out}},z}$.
  
  These output wires correspond to two keys for every of the next circuits as described above.
2. (b)
  For $t=1$ to T:
  1. i.
    For $j=0,\ldots ,d-2$ evaluate the circuit $GC_{\mathsf{nav},t,j}^z$ for all $z\in \tilde{Z}$. As in $\Pi _{\scriptscriptstyle \mathrm {UMA}}^P$, take the majority across the results of all circuits and write it to the appropriate location in the garbled memory tree (i.e. the values written to the gabled memory).
  2. ii.
    Evaluate $GC_{\mathsf{step},t}^z$ for all $z\in \tilde{Z}$ and again take the majority and use it to write to the appropriate location in the garbled memory tree. If $t=T$, output $\mathsf {state} _T$ in the clear.

We prove the following theorem:

Theorem 5.1

Assume the existence of one-way functions, $\pi _{\scriptscriptstyle \mathrm {GC}}$ is a garbling scheme (cf. Definition 2.2), and $\mathsf {Com}$ is a statistical binding commitment scheme (cf. Definition A.1). Then, protocol $\tilde{\Pi }_{\scriptscriptstyle \mathrm {UMA}}^P$ (cf. Sect. 5.2.1) securely realizes $\mathcal {F}_{\scriptscriptstyle \mathrm {UMA}}$ in the presence of malicious adversaries in the $\{\mathcal {F}_{\scriptscriptstyle \mathrm {{SCCOT}}},\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}\}$-hybrid models. In addition, all asymptotic complexities are as implied by Theorem 4.1.

Proof Sketch Note first that the above $\textsf {nav}$ and $\textsf {step}$ circuits are given two random PRF keys as inputs from the bootstrapping circuit $\mathrm {C}_{\scriptscriptstyle \mathrm {INIT}}$ where these two PRF keys are used in the same way as in the original protocol description. Intuitively, the following two arguments hold: (a) correctness. Namely, applying the cut-and-choose technique does not require a usage of multiple instances of memory D, i.e. that the same write-data is being output from all chain copies, and (b) privacy. The evaluator does not learn anything beyond the program output and the memory access pattern, where the security analysis and the constructions of the simulators follow similarly to the proof of Theorem 4.1.

The case$\mathrm{S}$is corrupted Namely, in case the sender is corrupted, then the cut-and-choose analysis ensures that the majority of the garbled circuits have been correctly constructed, where the view of the sender can be simulated similarly to the previous section as it is, where before the functionality within $\Pi _{\scriptscriptstyle \mathrm {UMA}}^P$ is embedded with the descriptions of the TIBE algorithms, whereas $\tilde{\Pi }_{\scriptscriptstyle \mathrm {UMA}}^P$ implements PRF evaluations.

The case$\mathrm{R}$is corrupted On the other hand, in case the receiver is corrupted, the sender’s privacy is ensured by the underlying GRAM construction which prevents from the receiver to roll back or run multiple executions on several memory instances. In more detail, the simulator produces simulated garbled circuits starting from the last circuit. It proceeds by generating a random-looking output for each of the circuits by setting the translate tables to be random keys XORed with the corresponding input labels of the next $\mathsf{step}$ or $\mathsf{nav}$ circuit (since we are working backwards, these labels have already been generated), and similarly using random values for emulating the write operations.

The main idea is that we keep track of these random values so that when we simulate the garbled database, we set $\tilde{D}$ to be uniformly random subject to the stored elements. Now, since the simulator gets the full access pattern, it knows exactly which locations in memory it should set entries for, so that they match values that were used to mask the translation table. This scheme was proven secure in [15] for the case of a semi-honest adversary, whereas we claim security against a malicious adversary. However, we stress that since we are working in the $\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}$-hybrid model, which ensures input consistency, the adversary’s inputs are extracted and the rest of the simulation goes exactly as theirs which concludes the proof.

Notes

The cut-and-choose analysis ensures that, with overwhelming probability, the majority of these evaluations will correspond to the correct output of $\mathrm {C}$, condition on the remaining garbled circuits from [s] / Z being correctly formed.
Nevertheless, we note that the memory data D will be kept in the receiver’s local memory.
We omit from the following definition the multiple secret keys that the adversary receives for identities of the form (0, v) since in our scheme, data initialization is done as part of the computation if required.
For ease of presentation, Gentry et al. abstract the security properties of the IBE scheme using a new primitive denoted by timed IBE (TIBE); see Sect. 2.5 for more details.
Note that if $\mathrm{S}$ is honest, then $\mathsf {out}_{t,z_1} = \mathsf {out}_{t,z_2}$ for every $z_1,z_2\in \tilde{Z}$.
The attack is not limited to the input gates but it is easier to describe this way.
Recall that all the circuits evaluated in time t output the same value for $\mathsf {translate} _t$ since they all use the same randomness to compute it.

References

A. Afshar, Z. Hu, P. Mohassel, M. Rosulek, How to efficiently evaluate RAM programs with malicious security, in EUROCRYPT (2015), pp. 702–729
D. Beaver, Foundations of secure interactive computing, in CRYPTO (1991), pp. 377–391
D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols, in STOC (1990), pp. 503–513
M. Bellare, V.T. Hoang, P. Rogaway, Foundations of garbled circuits, in CCS (2012), pp. 784–796
D. Boneh, X. Boyen, Efficient selective identity-based encryption without random oracles. J. Cryptol. 24(4), 659–693 (2011)
Article MathSciNet Google Scholar
D. Boneh, M.K. Franklin, Identity-based encryption from the weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)
Article MathSciNet Google Scholar
R. Canetti, Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)
Article MathSciNet Google Scholar
T.H. Chan E. Shi, Circuit OPRAM: unifying statistically and computationally secure orams and oprams, in TCC (2017), pp. 72–107
K. Chung, R. Pass, A simple ORAM. IACR Cryptology ePrint Archive (2013), p. 243
S.A. Cook, R.A. Reckhow, Time-bounded random access machines, in Proceedings of the 4th Annual ACM Symposium on Theory of Computing, May 1–3, 1972, Denver, Colorado, USA (1972), pp. 73–80
I. Damgård, S. Meldgaard, J.B. Nielsen, Perfectly secure oblivious RAM without random oracles, in TCC (2011), pp. 144–163
J. Doerner, A. Shelat, Scaling ORAM for secure computation, in CCS (2017), pp. 523–535
S. Garg, D. Gupta, P. Miao, O. Pandey, Secure multiparty RAM computation in constant rounds, in TCC (2016), pp. 491–520
S. Garg, S. Lu, R. Ostrovsky, Black-box garbled RAM, in FOCS (2015), pp. 210–229
S. Garg, S. Lu, R. Ostrovsky, A. Scafuro, Garbled RAM from one-way functions, in STOC (2015), pp. 449–458
C. Gentry, K.A. Goldman, S. Halevi, C.S. Jutla, M. Raykova, D. Wichs, Optimizing ORAM and using it efficiently for secure computation, in PETS (2013), pp. 1–18
C. Gentry, S. Halevi, C.S. Jutla, M. Raykova, Private database access with he-over-oram architecture, in ACNS (2015), pp. 172–191
C. Gentry, S. Halevi, S. Lu, R. Ostrovsky, M. Raykova, D. Wichs, Garbled RAM revisited, in EUROCRYPT (2014), pp. 405–422
O. Goldreich, Towards a theory of software protection and simulation by oblivious rams, in STOC (1987), pp. 182–194
O. Goldreich. Foundations of Cryptography: Volume 2, Basic Applications (Cambridge University Press, New York, NY, USA, 2004)
O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or A completeness theorem for protocols with honest majority, in STOC (1987), pp. 218–229
O. Goldreich, R. Ostrovsky, Software protection and simulation on oblivious rams. J. ACM 43(3), 431–473 (1996)
Article MathSciNet Google Scholar
M.T. Goodrich, M. Mitzenmacher, O. Ohrimenko, R. Tamassia, Privacy-preserving group data access via stateless oblivious RAM simulation, in SODA (2012), pp. 157–167
S.D. Gordon, J. Katz, V. Kolesnikov, F. Krell, T. Malkin, M. Raykova, Y. Vahlis, Secure two-party computation in sublinear (amortized) time, in CCS (2012) pp. 513–524
Z. Hu, P. Mohassel, M. Rosulek, Efficient zero-knowledge proofs of non-algebraic statements with sublinear amortized cost, in CRYPTO (2015), pp. 150–169
Y. Ishai, E. Kushilevitz, R. Ostrovsky, M. Prabhakaran, A. Sahai, Efficient non-interactive secure computation, in EUROCRYPT (2011), pp. 406–425
Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer - efficiently, in CRYPTO (2008), pp. 572–591,
Y. Ishai, M. Prabhakaran, A. Sahai. Secure arithmetic computation with no honest majority, in TCC (2009), pp. 294–314
S. Jarecki, V. Shmatikov, Efficient two-party secure computation on committed inputs, in EUROCRYPT (2007), pp. 97–114
M. Keller, P. Scholl, Efficient, oblivious data structures for MPC, in ASIACRYPT (2014), pp. 506–525
E. Kushilevitz, S. Lu, R. Ostrovsky, On the (in)security of hash-based oblivious RAM and a new balancing scheme, in SODA (2012), pp. 143–156
Y. Lindell, Fast cut-and-choose based protocols for malicious and covert adversaries, in CRYPTO (2) (2013), pp. 1–17
Y. Lindell, B. Pinkas, An efficient protocol for secure two-party computation in the presence of malicious adversaries, in EUROCRYPT (2007), pp. 52–78
Y. Lindell, B. Pinkas, A proof of security of yao’s protocol for two-party computation. J. Cryptol. 22(2), 161–188 (2009)
Article MathSciNet Google Scholar
Y. Lindell, B. Pinkas, Secure two-party computation via cut-and-choose oblivious transfer, in TCC (2011), pp. 329–346
C. Liu, Y. Huang, E. Shi, J. Katz, M.W. Hicks, Automating efficient ram-model secure computation, in IEEE Symposium on Security and Privacy (2014), pp. 623–638
S. Lu, R. Ostrovsky, How to garble RAM programs, in EUROCRYPT (2013), pp. 719–734
P. Miao, Cut-and-choose for garbled RAM. IACR Cryptol. ePrint Arch. 2016, 907 (2016)
Google Scholar
S. Micali, P. Rogaway, Secure computation (abstract), in CRYPTO (1991), pp. 392–404
J.B. Nielsen, C. Orlandi, Lego for two-party secure computation, in TCC (2009), pp. 368–386
R. Ostrovsky, Efficient computation on oblivious rams, in STOC (1990), pp. 514–523
B. Pinkas, T. Schneider, N.P. Smart, S.C. Williams, Secure two-party computation is practical, in ASIACRYPT (2009), pp. 250–267
N. Pippenger, M.J. Fischer, Relations among complexity measures. J. ACM 26(2), 361–381 (1979)
Article MathSciNet Google Scholar
L. Ren, C.W. Fletcher, A. Kwon, E. Stefanov, E. Shi, M. van Dijk, S. Devadas, Constants count: Practical improvements to oblivious RAM, in USENIX (2015), pp. 415–430
E. Shi, T.H. Chan, E. Stefanov, M. Li, Oblivious RAM with o((logn)3) worst-case cost, in ASIACRYPT (2011), pp. 197–214
E. Stefanov, M. van Dijk, E. Shi, C.W. Fletcher, L. Ren, X. Yu, S. Devadas, Path ORAM: an extremely simple oblivious RAM protocol, in CCS (2013), pp. 299–310
X. Wang, T.H. Chan, E. Shi, Circuit ORAM: on tightness of the Goldreich-Ostrovsky lower bound, in CCS (2015), pp. 850–861
X.S. Wang, Y. Huang, T.H. Chan, A. Shelat, E. Shi, SCORAM: oblivious RAM for secure computation, in CCS (2014), pp. 191–202
P. Williams, R. Sion, Single round access privacy on outsourced storage, in CCS (2012), pp. 293–304
A.C. Yao, Protocols for secure computations (extended abstract), in FOCS (1982), pp. 160–164
A.C. Yao, How to generate and exchange secrets (extended abstract), in FOCS (1986), pp. 162–167
S. Zahur, X.S. Wang, M. Raykova, A. Gascón, J. Doerner, D. Evans, J. Katz, Revisiting square-root ORAM: efficient random access in multi-party computation, in SP (2016), pp. 218–234

Download references

Author information

Authors and Affiliations

Bar-Ilan University, Ramat Gan, Israel
Carmit Hazay & Avishay Yanai

Authors

Carmit Hazay
View author publications
You can also search for this author in PubMed Google Scholar
Avishay Yanai
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Carmit Hazay.

Additional information

Communicated by Hugo Krawczyk.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Supported by the European Research Council under the ERC consolidators Grant Agreement No. 615172 (HIPS) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. First author’s research partially supported by a grant from the Israel Ministry of Science and Technology (Grant No. 3-10883). The paper appeared in TCC 2016, https://doi.org/10.1007/978-3-662-53641-4_20.

Appendices

Building Blocks

In this section, we discuss the notations and definitions of some of the standard building blocks employed in our constructions, as well as a formal description of the circuits and functionalities used in our protocols.

1.1 Garbled Circuits

The definition of garbled circuits with respect to the cut-and-choose technique is presented in Sect. 2.1. In this section, we present the Input Consistency Functionality (Fig. 6), which is realized via a secure 2PC protocol when the underlying garbling scheme is applied using a cut-and-choose-based protocol. We next present the authenticity game (Fig. 7) used in the definition of garbled circuits.

1.2 The Hybrid Model

The$\mathcal {F}$-hybrid model In order to simplify the exposition of our main protocol, we will use secure two-party protocols as subprotocols. The standard way of doing this is to work in a “hybrid model” where parties both interact with each other (as in the real model) and use trusted help (as in the ideal model). Specifically, when constructing a protocol $\pi $ that uses a subprotocol for securely computing some functionality $\mathcal {F}$, we consider the case that the parties run $\pi $ and use “ideal calls” to a trusted party for computing $\mathcal {F}$. Upon receiving the inputs from the parties, the trusted party computes $\mathcal {F}$ and sends all parties their output. Then, after receiving these outputs back from the trusted party the protocol $\pi $ continues. Let $\mathcal {F}$ be a functionality and let $\pi $ be a two-party protocol that uses ideal calls to a trusted party computing $\mathcal {F}$. Furthermore, let $\mathcal {A}$ be a non-uniform probabilistic polynomial-time machine. Then, the $\mathcal {F}$-hybrid execution of$\pi $ on inputs $(x_1,x_2)$, auxiliary input z to $\mathcal {A}$ and security parameter $\kappa $, denoted $\mathbf {Hyb}_{\pi ^{\mathcal {F}},\mathcal {A}(z)}(\kappa ,x_1,x_2)$, is defined as the output of the honest party and the adversary $\mathcal {A}$ from the hybrid execution of $\pi $ with a trusted party computing $\mathcal {F}$. By the composition theorem [7], any protocol that securely implements $\mathcal {F}$ can replace the ideal calls to $\mathcal {F}$.

1.3 Batch Single-Choice Cut-and-Choose OT

The batch single-choice cut-and-choose oblivious transfer is presented in Fig. 8.

1.4 Commitment Schemes

Commitment schemes are used to enable a party, known as the sender, to commit itself to a value while keeping it secret from the receiver. (This property is called hiding.) Furthermore, in a later stage when the commitment is opened, it is guaranteed that the “opening” can yield only a single value determined in the committing phase. (This property is called binding.) In this work, we consider commitment schemes that are statistically binding, namely while the hiding property only holds against computationally bounded (non-uniform) adversaries, the binding property is required to hold against unbounded adversaries.

Definition A.1

(Commitment schemes). A pair of PPT machines ${\mathsf {Com}}=(\mathrm{R},\mathrm{S})$ is said to be a commitment scheme if the following two properties hold.

Computational hiding: For every (expected) PPT machine $\mathrm{R}^*$, it holds that the following ensembles are computationally indistinguishable.
- $\bullet $ $\{\mathbf{View}_{{\mathsf {Com}}}^{\mathrm{R}^*}(m_1,z)\}_{n \in \mathbb {N},m_1, m_2 \in \{0,1\}^n,z\in \{0,1\}^*}$
- $\bullet $ $\{\mathbf{View}_{{\mathsf {Com}}}^{\mathrm{R}^*}(m_2,z)\}_{n\in \mathbb {N},m_1, m_2 \in \{0,1\}^n,z\in \{0,1\}^*}$
where $\mathbf{View}_{{\mathsf {Com}}}^{\mathrm{R}^*}(m,z)$ denotes the random variable describing the output of $\mathrm{R}^*$ upon interacting with the sender $\mathrm{S}$ which commits to m.
Statistical binding: Informally, the statistical binding property asserts that, with overwhelming probability over the coin tosses of the receiver $\mathrm{R}$, the transcript of the interaction fully determines the value committed to by the sender.

Formally, a receiver’s view of an interaction with the sender, denoted $(r,\bar{m})$, consists of the random coins used by the receiver (namely, r) and the sequence of messages received from the receiver (namely, $\bar{m}$). Let $m_1,m_2\in \mathcal {M}_n$. We say that the receiver’s view (of such interaction), $(r,\bar{m})$, is a possible m-commitment if there exists a string s such that $\bar{m}$ describes the messages received by $\mathrm{R}$ when $\mathrm{R}$ uses local coins r and interacts with $\mathrm{S}$ which uses local coins s and has input $(1^n,m)$.

We say that the receiver’s view $(r,\bar{m})$ is ambiguous if it is both a possible $m_1$-commitment and a possible $m_2$-commitment. The binding property asserts that, for all but a negligible fraction of the coins toss of the receiver, there exists no sequence of messages (from the sender) which together with these coin toss forms an ambiguous receiver view. Namely, that for all but a negligible function of the $r\in \{0,1\}^{\mathsf {poly}(n)}$ there is no $\bar{m}$ such that $(r,\bar{m})$ is ambiguous.

Realizing Definition 2.2

In this section, we argue that our definition of garbled circuit with respect to cut-and-choose-based protocols (cf. Definition 2.2) can be realized by the garbling scheme described in [35]. We first describe the algorithms $\mathsf {Garb},\mathsf {Eval}$ and then argue that they possess the correctness, privacy, authenticity and input consistency properties.

Garbling Recall that in the notion of cut-and-choose-based protocols the garbling scheme is given s sets of output labels, from which it has to produce s garbled circuits along with their corresponding garbled inputs. To simplify notation, we first describe in Fig. 9 the garbling procedure for a single circuit; then, in Fig. 10 we describe the full garbling procedure $\mathsf {Garb}$ that uses $\mathsf {GarbYao}$ as a sub-procedure.

Evaluation As modulated in the garbling procedure, we first show how a single garbled circuit can be evaluated in Fig. 11 and then in Fig. 12 we show how, using $\mathsf {EvalYao}$ as a sub-procedure, we evaluate a set of s garbled circuits.

Correctness and privacy The correctness and privacy properties had been proven in [33] for a single circuit. It is trivial to show that these properties hold in the cut-and-choose notion we defined.

Authenticity The authenticity property is missing from [18], while it is indeed required even in the semi-honest model. We now show that the above scheme has authenticity. Informally, breaking authenticity means that the evaluator guesses a secret label that is not in the encoded output. Switching to a simulated garbling the way defined in [33] produces an indistinguishable view, in that case the probability of guessing an additional label is negligible since the inactive labels are not used at all, then it should be that case for garbled circuits as well.

More formally, given a circuit $\mathrm {C}_{{\scriptscriptstyle \mathrm {CPU}}}$ and an adversary $\mathcal {A}$, for which $\Pr [\mathrm {Auth}_{\mathcal {A}}(1^\kappa ,s,\mathrm {C})=1]=p$, we construct a distinguisher $\mathcal {D}$ for the simulator $\mathsf {SimGC}$ that succeed in distinguishing with the same probability. $\mathcal {D}$ is given a view which contains the garbled circuit $\widetilde{\mathrm {C}_{{\scriptscriptstyle \mathrm {CPU}}}}$ and a garbled input $\tilde{x}$ for a given input x such that $\widetilde{\mathrm {C}_{{\scriptscriptstyle \mathrm {CPU}}}}(\tilde{x})=\tilde{y}$. $\mathcal {D}$ hands $\widetilde{\mathrm {C}_{{\scriptscriptstyle \mathrm {CPU}}}},x,\tilde{x}$ to $\mathcal {A}$, if $\mathcal {A}$ outputs a valid $\hat{a}$ then output 1, otherwise output 0. Note that the probability that $\mathcal {A}$ outputs a valid $\hat{y}$ when given a simulated view is negligible $\epsilon $ (since the inactive labels are merely random string); thus, if $\mathcal {A}$ outputs a valid $\hat{y}$, it means that it got a real view with probability $p-\epsilon $. If p is non-negligible, then $\mathcal {D}$ succeeds in distinguishing with non-negligible probability.

Input consistency We now show the protocol that realizes the input consistency functionality $\mathcal {F}_{\scriptscriptstyle \mathrm {{IC}}}$ from Fig. 6 with respect to the garbling scheme $(\mathsf {Garb},\mathsf {Eval})$ from above. The common inputs are

Security parameters $s,\kappa $.
The circuit $\mathrm {C}_{{\scriptscriptstyle \mathrm {CPU}}}$ and s garbled versions $\{\widetilde{\mathrm {C}_{{\scriptscriptstyle \mathrm {CPU}}}}_i\}_{i\in [s]}$. Note that s here is a subset of the s which the sender used in the garbling phase.
Labels $( \mathsf {lbl}_{1}^{i},\ldots ,\mathsf {lbl}_{\ell }^{i} ) = ( g^{a_1^{x[1]}\cdot r_i}, \ldots , g^{a_\ell ^{x[\ell ]}\cdot r_i} )$ for all i.
Commitments to all the sender’s input labels: $a_1^0, a_1^1 , \ldots , a_{\ell }^0, a_{\ell }^1\in \mathbb {Z}_q$ and $r_1, \ldots , r_{\ell }\in \mathbb {Z}_q$.

Protocol The sender proves that for every$j\in [\ell ]$ the set $\{g^{a_j^{x[j]}\cdot r_i} \}_{i\in [s]}$ is consistent: For every $j\in [\ell ]$ the sender uses the protocol in Fig. 13 to prove that there exists a value $\sigma _j\in \{0,1\}$ such that for every $i\in [s]$, $\mathsf {lbl}_{j}^{i}=g^{a_1^{\sigma _j}\cdot r_i}$. Namely, it proves that all garbled values of a wire are of the same bit. If any of the proofs fail, then P2 aborts and outputs $\perp $.

For completeness, we provide the protocol, used in [35], verbatim.

ZK proof for extended Diffie–Hellman tuples A zero-knowledge proof of an extended Diffie–Hellman tuple is given in Fig. 13. The input is a tuple $(g, h_0, h_1, u_1, v_1,\ldots , u_\eta , v_\eta )$ such that either all $\{ ( g, h_0, u_i, v_i) \}_{i=1}^\eta $ are Diffie–Hellman tuples, or all $\{ (g, h_1, u_i, v_i) \}_{i=1}^\eta $ are Diffie–Hellman tuples. It is shown in [35] that the protocol in Fig. 13 is a ZK-PoK.

Program Execution Example

We start with a memory with 8 items: $D_0,D_1,D_2,D_3,D_4,D_5,D_6,D_7$. Thus, the new plain data would be $D = \Big \{r_{0,0}, r_{1,0}, r_{1,1}, r_{2,0}, r_{2,1}, r_{2,2}, r_{2,3}, D_0,D_1,D_2,D_3, D_4, D_5, D_6, D_7 \Big \}$ and the garbled data would be

$$\begin{aligned}&\tilde{D}= \bigg \{ F_{r_{0,0}}( r_{1,0}, \textsf {left} ), F_{r_{0,0}}( r_{1,1}, \textsf {right} ), F_{r_{1,0}}( r_{2,0}, \textsf {left} ), F_{r_{1,0}}( r_{2,1}, \textsf {right} ), F_{r_{1,1}}( r_{2,2}, \textsf {left} ), \\&\quad F_{r_{1,1}} ( r_{2,3}, \textsf {right} ), F_{r_{2,0}}( D_0, \textsf {left} ), F_{r_{2,0}}( D_1, \textsf {right} ), F_{r_{2,1}}( D_2, \textsf {left} ), F_{r_{2,1}}( D_3, \textsf {right} ),\\&\quad F_{r_{2,2}}( D_4, \textsf {left} ), F_{r_{2,2}}( D_5, \textsf {right} ), F_{r_{2,3}}( D_6, \textsf {left} ), F_{r_{2,3}}( D_7, \textsf {right} ) \bigg \}. \end{aligned}$$

Let the program P consists of the instructions: $\{ \textsf {i}=x\cdot D[3]; \textsf {output}~~\textsf {i}\cdot D[7]; \}$. That is, we have 2 memory accesses to locations 3 and 7 and finally the program outputs $x\cdot D[3]\cdot D[7]$. Furthermore, L is of length 3 bits starting 000 and till 111 ($L=3$ means $L=011$ and $L=7$ means $L=111$). Note that the program uses an internal variable i in its state. The circuits of $\tilde{P}$ works as follows (we ignore the hard-wired labels and the translation table for simplicity):

${\mathbf {\mathsf{{nav}}}}_{1,0}$. Inputs:$\textsf {keys}=\{r_{1,0},r_{1,1}\}$, $L=3$, $\textsf {state}=x$.

Hard-wired:$v_0,v_1, i=0$.

Data$\tilde{D}$upon navigation:

${{\mathbf {\mathsf{{nav}}}}}_{1,1}$. Inputs:$\textsf {keys}=\{r_{2,0},r_{2,1}\}$, $L=3$, $\textsf {state}=x$.

Hard-wired:$v_1,v_2, i=1$.

Data$\tilde{D}$upon navigation:

${{\mathbf {\mathsf{{step}}}}}_{1}$. Inputs:$\textsf {Items}=\{D_2,D_3\}$, $L=3$, $\textsf {state}=x$.

Hard-wired:$v_2,v_0$.

State upon running this step:$\textsf {state}=x\cdot D[3]$.

Data$\tilde{D}$upon running this step:

Note: The above circuit is hard-wired with $v_0$ and thus can decrypt the two values in level 1 of the tree; currently, these values are $v_1$ and $r_{1,1}$. This kick starts the evaluation of the next CPU step, which begins by the circuit $\textsf {nav}_{2,0}$.

${{\mathbf {\mathsf{{nav}}}}}_{2,0}$. Inputs:$\textsf {keys}=\{v_1,r_{1,1}\}$, $L=7$, $\textsf {state}=x\cdot D[3]$.

Hard-wired:$u_0,u_1, i=0$.

Data$\tilde{D}$upon navigation:

${{\mathbf {\mathsf{{nav}}}}}_{2,1}$. Inputs:$\textsf {keys}=\{r_{2,2},r_{2,3}\}$, $L=7$, $\textsf {state}=x\cdot D[3]$.

Hard-wired$u_1,u_2, i=1$.

Data$\tilde{D}$upon navigation:

${{\mathbf {\mathsf{{step}}}}}_{2}$. Inputs:$\textsf {Items}=\{D_6,D_7\}$, $L=7$, $\textsf {state}=x\cdot D[3]$.

Hard-wired$u_2,u_0$.

State upon running this step:$\textsf {state}=x\cdot D[3]\cdot D[7]$.

Data$\tilde{D}$upon running this step:

where the $\textsf {state}$ in the last CPU step is outputted in the clear.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Hazay, C., Yanai, A. Constant-Round Maliciously Secure Two-Party Computation in the RAM Model. J Cryptol 32, 1144–1199 (2019). https://doi.org/10.1007/s00145-019-09321-3

Download citation

Received: 16 October 2016
Revised: 02 April 2019
Published: 23 April 2019
Issue Date: October 2019
DOI: https://doi.org/10.1007/s00145-019-09321-3

Keywords

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Constant-Round Maliciously Secure Two-Party Computation in the RAM Model

Abstract

Similar content being viewed by others

Constant-Round Maliciously Secure Two-Party Computation in the RAM Model

Better Two-Round Adaptive Multi-party Computation

Adaptively Secure Computation for RAM Programs

1 Introduction

1.1 Background: Secure Computation and the RAM Model

1.2 Background: Garbled RAM and Circularity

1.3 Our Results

Theorem 1.1

Theorem 1.2

2 Preliminaries

Definition 2.1

2.1 Garbled Circuits

Definition 2.2

2.2 The RAM Model of Computation

2.2.1 Predictably Timed Writes

Definition 2.3

Theorem 2.4

2.3 Oblivious RAM (ORAM)

Definition 2.5

2.4 Secure Computation in the RAM Model

2.4.1 Full Security

Definition 2.6

2.4.2 The UMA Model

Definition 2.7

2.4.3 From UMA to Full Security

Theorem 2.8

2.4.4 On the Capabilities of Semi-honest in a Garbled RAM and ORAM Schemes

2.5 Timed IBE [18]

Definition 2.9

2.6 Garbled RAM Based on IBE [18]

3 Building Blocks

3.1 Enhanced CPU-Step Function

3.2 Initialization Circuit

3.3 Batch Single-Choice Cut-And-Choose OT

4 Constat Round Malicious 2PC for RAM Programs

4.1 2PC in the UMA Model

Theorem 4.1

Proof

4.2 Security Proof of Theorem 4.1

4.2.1 A Formal Proof

Claim 4.1

Proof

Claim 4.2

Proof

Claim 4.3

Proof

5 Removing the IBE Assumption

5.1 Background: GRAM Based on OWF [15]

5.1.1 Garbling Data

5.1.2 Garbling Program

5.1.3 The nav Circuit

5.1.4 The step Circuit

5.1.5 A Chain of Circuits

5.2 2PC in the Presence of Malicious Adversaries Relying on OWF

5.2.1 Protocol \(\tilde{\Pi }_{\scriptscriptstyle \mathrm {UMA}}^P\)

5.2.2 Formal Description of Protocol \(\tilde{\Pi }_{\scriptscriptstyle \mathrm {UMA}}^P\)

Theorem 5.1

Notes

References

Author information

Authors and Affiliations

Corresponding author

Additional information

Publisher's Note

Appendices

Building Blocks

1.1 Garbled Circuits

1.2 The Hybrid Model

1.3 Batch Single-Choice Cut-and-Choose OT

1.4 Commitment Schemes

Definition A.1

Realizing Definition 2.2

Program Execution Example

Rights and permissions

About this article

Cite this article

Share this article