
A randomized encoding of a computation instance $(P, x)$ hides both the memory content and the access pattern of the computation except for its output $y = P(x)$ and runtime $t^*$. Conceptually, we follow the same natural idea to use public-key encryption to hide the memory content (including the input) and oblivious PRAM to hide the access pattern, and then use CiO-PRAM to obfuscate the compiled computation instance. Namely, our RE encoding algorithm outputs $\mathsf{CiO}(\Pi_{hide})$ as the encoding, where $\Pi_{hide}$ is defined by $(P_{hide}, x_{hide})$, $P_{hide}$ is a PKE- and OPRAM-compiled version of $P$, and $x_{hide}$ is an encrypted version of $x$. $P_{hide}$ outputs encrypted CPU states and memory contents at each time step, and uses OPRAM to compile its memory access.

Our construction of RE in the PRAM model is split into four major steps: (i) given a PRAM program $P$ and its input $x$, we interpret it as a PRAM computation $\Pi$; (ii) we compile $\Pi$ into $\Pi_o$ using the BCP-OPRAM compiler to hide the access pattern; (iii) we transform $\Pi_o$ into $\Pi_e$, which further hides the memory content in the computation system; and finally (iv) we obfuscate $\Pi_e$ into $\mathsf{ENC}$ using CiO-PRAM. Formally, we construct our $\mathsf{RE} = \mathsf{RE}.\{\mathsf{Encode}, \mathsf{Decode}\}$ for the PRAM program $P$ and input $x$ as follows:

Encoding algorithm $\mathsf{ENC} \leftarrow \mathsf{RE.Encode}(P, x, 1^\lambda)$: The encoding algorithm takes the following steps to generate the encoding $\mathsf{ENC}$.

Upon receiving the description of PRAM program $P$ and an input value $x$, first, the encoding algorithm transforms them into a computation system $\Pi$. It represents $P$ as a next-step program $F$, and stores $x$ into the memory, i.e., sets $\mathsf{mem}^0 := x$. Then it sets $\mathsf{st}^0_k := \bot$ for all $k$, $1 \le k \le m$, and defines the following computation system in the PRAM model

$$\Pi = ((\mathsf{mem}^0, \{\mathsf{st}^0_k\}_{k=1}^{m}), F).$$

Second, the encoding algorithm hides the access pattern in the computation system. It chooses a puncturable PRF key $K_N \leftarrow \mathsf{PPRF.Setup}(1^\lambda)$. Then it runs the BCP-OPRAM compilation described in Section 8.1, i.e., $\Pi_o = \mathsf{BCP\text{-}OPRAM.Compile}(\Pi, \mathsf{OPACCESS}\{K_N\})$, and obtains $\Pi_o = ((\mathsf{mem}^0_o, \{\mathsf{st}^0_{o,k}\}_{k=1}^{m}), F_o)$, where $\mathsf{st}^0_{o,k} = \mathsf{st}^0_o$ such that all CPUs have the same OPRAM state.

Third, the encoding algorithm further hides the CPU state and the memory content. That is, it transforms $\Pi_o$ into

$$\Pi_e = ((\mathsf{mem}^0_e, \{\mathsf{st}^0_{e,k}\}_{k=1}^{m}), F_e).$$

Here the encoding algorithm chooses a puncturable PRF key $K_E \leftarrow \mathsf{PPRF.Setup}(1^\lambda)$, and generates an initial configuration of the encrypted version of memory and CPU state as follows. To initialize memory $\mathsf{mem}^0_e$, the encoding algorithm parses $\mathsf{mem}^0_o$ as trees $\Gamma$, and then for each $\Gamma$ it further parses all paths $I$ from root to leaf. For each vector $I$, the encoding algorithm computes

$$(r^0_1, r^0_2) = \mathsf{PRF}(K_E, (\mathsf{lw}^0, h(I))) \text{ where } \mathsf{lw}^0 = 0, \qquad (\mathsf{pk}_0, \mathsf{sk}_0) = \mathsf{PKE.Gen}(1^\lambda; r^0_1),$$

$$B[i] = \begin{cases} \mathsf{PKE.Encrypt}(\mathsf{pk}_0[i], B[i]) & \text{if } B[i] \text{ stores any valid block} \\ B[i] & \text{otherwise,} \end{cases}$$

where $B[i]$ denotes the $i$-th element (which is also a bucket here) in vector $B$, and $h$ is a function to compute the "height" of elements in vector $I$. That is, for any vector $I$ of length $|I|$, define $h(I) = (1, 2, \ldots, |I|)$. For each non-empty $B$, store $(B, \mathsf{lw}^0)$ to its corresponding path $I$ in $\mathsf{mem}^0_e$.

In addition, the encoding algorithm sets $\mathsf{st}^0_{e,k} = \mathsf{st}^0_{o,k}$ for all $k \in [m]$. Note that each CPU holds the same non-encrypted $\mathsf{st}^0_{e,k}$ because $\mathsf{st}^0_k$ is only $\bot$ for all $k$. To work with such initialization, the procedure $\mathsf{PKE.Decrypt}(\mathsf{sk}_{st}, \cdot)$ for decryption of states (in $F_e$) is augmented to ignore the non-encrypted special value $\bot$ as follows:

$$\mathsf{st}^{in}_A = \begin{cases} \mathsf{PKE.Decrypt}(\mathsf{sk}_{st}, \mathsf{st}^{in}_A) & \text{if } \mathsf{st}^{in}_A \ne \bot \\ \bot & \text{otherwise.} \end{cases}$$

These techniques are applied to eliminate the dependency of the encoding size and encoding time on the memory size $S$ and the number of CPUs $m$; we summarize them in Table 5.

The encoding algorithm then upgrades $F_o$ into a more sophisticated next-step program $F_e$ which decrypts its inputs, performs the computation of $\Pi_o$, and encrypts its outputs. Please refer to Algorithm 18 for more details of $F_e$.

Finally, the encoding algorithm computes $\mathsf{ENC} \leftarrow \mathsf{CiO.Obf}(1^\lambda, \Pi_e)$ and outputs $\mathsf{ENC}$.
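As an added illustration (this is not code from the paper), the following Python models the initial-memory encoding described in the steps above and the matching input side of $F_e$: keys for a bucket are derived from $\mathsf{PRF}(K_E, (\mathsf{lw}, h(I)))$, only buckets that hold a block are encrypted, all-empty paths are not stored, the $m$ initial CPU states stay as the plaintext $\bot$, and the state decryption passes $\bot$ through. Everything cryptographic is a constructed stand-in: HMAC-SHA256 plays the PRF, a toy keystream cipher whose $\mathsf{pk}$ and $\mathsf{sk}$ are the same key plays the PKE, and $\mathsf{pk}_0[i]$ is modelled as one key pair per $(\mathsf{lw}, \text{height})$ pair. Trees are lists of root-to-leaf paths, buckets are strings or $\bot$, and the sample tree is constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed toy stand-ins for the paper's PRF and PKE. The structure (which buckets are
# encrypted, where randomness comes from, how ⊥ is treated) is the point, not the primitives.
BOT = None   # the special value ⊥ for empty buckets and empty CPU states
LW0 = 0      # lw^0 = 0: the "last written" timestamp of the initial memory


def prf(key: bytes, label) -> bytes:
    """Stand-in for PRF(K, label): HMAC-SHA256 over a JSON-encoded label (assumption)."""
    return hmac.new(key, json.dumps(label).encode(), hashlib.sha256).digest()


def pke_gen(r1: bytes):
    """Stand-in for PKE.Gen(1^λ; r_1). Toy: pk and sk are the same 32-byte key (assumption)."""
    k = hashlib.sha256(b"pke-gen" + r1).digest()
    return k, k


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def pke_encrypt(pk: bytes, msg: str, r2: bytes) -> bytes:
    """Stand-in for PKE.Encrypt(pk, msg; r_2): r_2 is the nonce of a keystream XOR (toy)."""
    data = msg.encode()
    return r2 + bytes(a ^ b for a, b in zip(data, _keystream(pk, r2, len(data))))


def pke_decrypt(sk: bytes, ct: bytes) -> str:
    nonce, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(sk, nonce, len(body)))).decode()


def bucket_keys(k_e: bytes, lw: int, i: int):
    """(r_1, r_2) = PRF(K_E, (lw, h(I)[i])) and (pk, sk) = PKE.Gen(1^λ; r_1) for height i.
    One key pair per (lw, height) is how this example models pk_0[i] (assumption)."""
    r = prf(k_e, [lw, i])
    pk, sk = pke_gen(r[:16])
    return pk, sk, r[16:]


def encode_path(k_e: bytes, path: list):
    """Encrypt one root-to-leaf path B: only buckets holding a block are encrypted (Table 5)."""
    enc = []
    for i, bucket in enumerate(path, start=1):        # h(I) = (1, 2, ..., |I|)
        if bucket is BOT:
            enc.append(BOT)                             # empty bucket stays in the clear
        else:
            pk, _, r2 = bucket_keys(k_e, LW0, i)
            enc.append(pke_encrypt(pk, bucket, r2))
    return enc, LW0


def decode_path(k_e: bytes, enc: list, lw: int) -> list:
    """Input side of F_e (Algorithm 18, lines 2-4): decrypt every bucket except empty ones."""
    out = []
    for i, ct in enumerate(enc, start=1):
        if ct is BOT:
            out.append(BOT)
        else:
            _, sk, _ = bucket_keys(k_e, lw, i)
            out.append(pke_decrypt(sk, ct))
    return out


def encode_memory(k_e: bytes, trees: list):
    """Build mem^0_e: store (B, lw^0) for each non-empty path of each tree Γ. Also returns the
    number of ciphertexts produced, which tracks the data present rather than the bound S."""
    mem_e, n_ct = [], 0
    for tree in trees:
        stored = []
        for path in tree:
            if all(b is BOT for b in path):
                continue                                # all-empty path is not stored
            enc, lw = encode_path(k_e, path)
            n_ct += sum(c is not BOT for c in enc)
            stored.append((enc, lw))
        mem_e.append(stored)
    return mem_e, n_ct


def state_keys(k_e: bytes, t: int):
    """(r_3^t, r_4^t) = PRF(K_E, t), (pk_st, sk_st) = PKE.Setup(1^λ; r_3^t) (Algorithm 18, lines 5-6)."""
    r = prf(k_e, t)
    pk, sk = pke_gen(r[:16])
    return pk, sk, r[16:]


def decrypt_state(sk: bytes, st):
    """Augmented PKE.Decrypt(sk_st, ·): the plaintext special value ⊥ is passed through."""
    return BOT if st is BOT else pke_decrypt(sk, st)


def init_states(m: int) -> list:
    """st^0_{e,k} = st^0_{o,k} = ⊥ for all k ∈ [m]: no per-CPU encryption work at all."""
    return [BOT] * m


# Constructed sample input: one tree Γ with three root-to-leaf paths of three buckets each.
K_E = b"\x11" * 32
SAMPLE_TREES = [[["blk-a", BOT, BOT], [BOT, "blk-b", BOT], [BOT, BOT, BOT]]]

if __name__ == "__main__":
    mem_e, n_ct = encode_memory(K_E, SAMPLE_TREES)
    print("stored paths:", len(mem_e[0]), "ciphertexts:", n_ct, "states:", init_states(4))
```

With the constructed tree the encoder produces two ciphertexts and stores two of the three paths, and the four CPU states cost nothing to initialize; that is exactly the accounting behind the $\tilde{O}(\mathrm{poly}(|F|) + n)$ encoding cost, where $n$ counts the data present rather than the memory bound $S$ or the CPU count $m$.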

Decoding algorithm $y \leftarrow \mathsf{RE.Decode}(\mathsf{ENC}, 1^\lambda, T, S)$: Upon receiving the encoding $\mathsf{ENC}$, the decoding algorithm executes $\mathsf{CiO.Eval}(\mathsf{ENC})$. If the decoding algorithm does not terminate in $T$ steps, then it outputs $y := \bot$. Otherwise, if it terminates at step $t^*$, and obtains $\widetilde{\mathsf{mem}}^{t^*}, \widetilde{\mathsf{st}}^{t^*}_1$ where $\widetilde{\mathsf{st}}^{t^*}_1 = (\mathsf{halt}, y)$, then it

| Observation | Technique to encode input efficiently | Corresponding shorthand in program $F_e$ |
|---|---|---|
| Input data in ORAM tree structure is sparse | Encrypt only those buckets with data | For each encrypted bucket $B^{in}_A$, decrypt ciphertext except empty bucket |
| All $m$ initial CPU states are the same empty value | Leave the state in plaintext | Decrypt ciphertext $\mathsf{st}^{in}_A$ except empty state |

Table 5: Techniques to improve encoding efficiency

Efficiency. Let $|F|$ be the description size of program $F$, $n$ be the description size of initial memory $\mathsf{mem}^0$, $m$ be the total number of CPUs, and $T$ and $S$ be the time and space bounds. According to CiO-PRAM, assume that CiO has compilation time $\tilde{O}(\mathrm{poly}(|F|) + n)$ and compilation size $\tilde{O}(\mathrm{poly}(|F|) + n)$, and parallel evaluation time $\tilde{O}(T \cdot \mathrm{poly}(|F|))$ and evaluation space $\tilde{O}(m + S)$. However, there remains the polylogarithmic overhead of OPRAM, including computation overhead $\mathrm{polylog}\, m \cdot \mathrm{polylog}\, S$ and space overhead $\omega(\log S)$. Finally, our RE construction has the following complexity:

Encoding time is $\tilde{O}(\mathrm{poly}(|F|) + n)$. Encoding size is $\tilde{O}(\mathrm{poly}(|F|) + n)$. Parallel decoding time is $\tilde{O}(T \cdot \mathrm{poly}(|F|))$. Decoding space is $\tilde{O}(m + S)$.

Security. We state the following theorem that the randomized encoding scheme RE described above is secure. Please refer to Appendix A.2 for the security definition of randomized encoding schemes.

Theorem 8.1. Let PKE be a semantically-secure public key encryption scheme, CiO be a computation-trace indistinguishability obfuscation scheme in the PRAM model, and PRF be a secure puncturable PRF scheme; then RE is a secure randomized encoding scheme in the PRAM model.

The proof sketch can be found in Appendix B.6.

Algorithm 18: $F_e$ in RE-PRAM
Input: $\widetilde{\mathsf{st}}^{in}_{e,A} = (A, \mathsf{st}^{in}_{e,A}, t)$, $\widetilde{a}^{in}_{A \leftarrow M} = (I^{in}_A, (B^{in}_A, \mathsf{lw}^{in}_A))$
Data: $T, K_E, K_N$
1  Compute $t = \lceil t / q_o \rceil$;
2  Compute $(r^{in}_1, r^{in}_2) = \mathsf{PRF}(K_E, (\mathsf{lw}^{in}_A, h(I^{in}_A)))$;
3  Compute $(\mathsf{pk}^{in}, \mathsf{sk}^{in}) = \mathsf{PKE.Setup}(1^\lambda; r^{in}_1)$;
4  Compute $B_A = \mathsf{PKE.Decrypt}(\mathsf{sk}^{in}, B^{in}_A)$;
5  Compute $(r^{t-1}_3, r^{t-1}_4) = \mathsf{PRF}(K_E, t-1)$;
6  Compute $(\mathsf{pk}_{st}, \mathsf{sk}_{st}) = \mathsf{PKE.Setup}(1^\lambda; r^{t-1}_3)$;
7  Parse $\mathsf{st}^{in}_{e,A}$ as $(\mathsf{st}^{in}_A \,\|\, \mathsf{st}^{in}_{o,A})$;
8  Compute $\mathsf{st}^{in}_A = \mathsf{PKE.Decrypt}(\mathsf{sk}_{st}, \mathsf{st}^{in}_A)$;
9  Set $\widehat{\mathsf{st}}^{in}_A = (\mathsf{st}^{in}_A \,\|\, \mathsf{st}^{in}_{o,A})$;
10 Compute $r_N = \mathsf{PRF}(K_N, t)$;
11 Compute $(\widehat{\mathsf{st}}^{out}_A, I^{out}_A, B^{out}_A) = F_o(t, A, \widehat{\mathsf{st}}^{in}_A, I^{in}_A, B^{in}_A, r_N)$;
12 Parse $\widehat{\mathsf{st}}^{out}_A$ as $(\mathsf{st}^{out}_A \,\|\, \mathsf{st}^{out}_{o,A})$;
13 Set $\mathsf{lw}^{out}_A = (t, \ldots, t)$;
14 Compute $(r^{out}_1, r^{out}_2) = \mathsf{PRF}(K_E, (\mathsf{lw}^{out}_A, h(I^{out}_A)))$;
15 Compute $(\mathsf{pk}', \mathsf{sk}') = \mathsf{PKE.Setup}(1^\lambda; r^{out}_1)$;
16 Compute $B^{out}_A = \mathsf{PKE.Encrypt}(\mathsf{pk}', B^{out}_A; r^{out}_2)$;
17 if $\mathsf{st}^{out}_A \ne (\mathsf{halt}, \cdot)$ then
18     Compute $(r^t_3, r^t_4) = \mathsf{PRF}(K_E, t)$;
19     Compute $(\mathsf{pk}', \mathsf{sk}') = \mathsf{PKE.Setup}(1^\lambda; r^t_3)$;
20     Compute $\mathsf{st}^{out}_A = \mathsf{PKE.Encrypt}(\mathsf{pk}', \mathsf{st}^{out}_A; r^t_4)$;
21     Set $\mathsf{st}^{out}_{e,A} = (\mathsf{st}^{out}_A \,\|\, \mathsf{st}^{out}_{o,A})$;
22 else
23     if all agents output $\mathsf{st}^{out}_A = (\mathsf{halt}, \bot)$ then a special CPU agent returns the output $y$;
24     else $A$ returns $\mathsf{st}^{out}_A$ as $(\mathsf{halt}, \cdot)$;
25 Output $\widetilde{\mathsf{st}}^{out}_{e,A} = (A, \mathsf{st}^{out}_{e,A}, t+1)$, $\widetilde{a}^{out}_{M \leftarrow A} = (I^{out}_A, D^{out}_A)$, where $D^{out}_A = (B^{out}_A, \mathsf{lw}^{out}_A)$.

9 Extensions

In this section, we extend our results from the previous sections to suit several important scenarios of delegation of computation. One of our major extensions is to let RE support a persistent database (PDB). This can be achieved by first defining and constructing the corresponding variants of CiO with PDB. Next, recall that ordinary RE only provides input and program privacy, and produces a short output in the clear. For practical scenarios of delegation of computation, other properties such as long output, output hiding, and output verifiability may be desirable. Thus, we will demonstrate how we can obtain these extensions by possibly using other primitives such as encryption and signatures.

9.1 CiO with Persistent Database

In the persistent database setting, we consider an initial memory and a sequence of programs which work on the memory content processed and left over by the previous program. Recall that CiO in some sense forces the evaluator to evaluate an obfuscated program as intended to produce the intended computation trace. In the persistent database setting, we further require that the sequence of programs is executed in the intended order.

9.1.1 Definition

Let a computation system $\Pi \in \mathcal{P}$ be composed of an initial database and many programs written as $\Pi = (\mathsf{mem}^{0,0}, \{F$

stateful function $F_{sid}$ has its program and state hardwired. For simplicity, we adopt the convention that the labels of the database and the state are set to 1) $(sid-1, 0)$ at the beginning of session $sid$, 2) $(sid-1, i)$ where $i \ne 0$ during session $sid$, and finally 3) $(sid, 0)$ in the termination stage.

Definition 9.1 (CiO with Persistent Database). A computation-trace indistinguishability obfuscation scheme with persistent database w.r.t. $\mathcal{P}$, denoted by $\mathsf{CiO} = \mathsf{CiO}.\{\mathsf{DBCompile}, \mathsf{Obf}, \mathsf{Eval}\}$, is defined as follows:

Database compilation algorithm $(\widetilde{\mathsf{mem}}^{0,0}, \widetilde{\mathsf{st}}^{0,0}) := \mathsf{DBCompile}(1^\lambda, \mathsf{mem}^{0,0}; \rho)$: $\mathsf{DBCompile}()$ is a probabilistic algorithm which takes as input the security parameter $\lambda$, the database $\mathsf{mem}^{0,0}$, and some randomness $\rho$; and returns the compiled database and state $(\widetilde{\mathsf{mem}}^{0,0}, \widetilde{\mathsf{st}}^{0,0})$ as output.

Program compilation algorithm $\widetilde{F}_{sid} := \mathsf{Obf}(1^\lambda, F_{sid}; \rho')$: $\mathsf{Obf}()$ is a probabilistic algorithm which takes as input the security parameter $\lambda$, the stateful function $F_{sid}$, and some randomness $\rho'$; and returns a compiled / obfuscated function $\widetilde{F}_{sid}$ as output.

Evaluation algorithm $\mathsf{conf} := \mathsf{Eval}(\widetilde{\mathsf{mem}}^{sid-1,0}, \widetilde{\mathsf{st}}^{sid-1,0}, \widetilde{F}_{sid})$: $\mathsf{Eval}()$ is a deterministic algorithm which takes as input $(\widetilde{\mathsf{mem}}^{sid-1,0}, \widetilde{\mathsf{st}}^{sid-1,0}, \widetilde{F}_{sid})$; and returns a configuration $\mathsf{conf} = (\widetilde{\mathsf{mem}}^{sid,0}, \widetilde{\mathsf{st}}^{sid,0})$ as output.

Correctness. For all $F_{sid}$ with termination time $t^*_{sid}$ and all randomness $\rho'$, let $\widetilde{F}_{sid} := \mathsf{Obf}(1^\lambda, F_{sid}; \rho')$; it holds that

$$\mathsf{Eval}(\widetilde{\mathsf{mem}}^{sid-1,0}, \widetilde{\mathsf{st}}^{sid-1,0}, \widetilde{F}_{sid}) = \mathsf{Conf}\langle \mathsf{mem}^{sid-1,0}, \mathsf{st}^{sid-1,0}, F_{sid}, t^*_{sid} \rangle.$$

Security. For any (not necessarily uniform) PPT distinguisher $D$, there exists a negligible function $\mathsf{negl}(\cdot)$ such that, for all security parameters $\lambda \in \mathbb{N}$ and $\Pi_0, \Pi_1 \in \mathcal{P}$ where $\Pi_b = (\mathsf{mem}^{0,0}, F^b_1, \ldots, F^b_l)$ for $b \in \{0, 1\}$ and $\mathsf{Trace}\langle \Pi_0 \rangle = \mathsf{Trace}\langle \Pi_1 \rangle$, it holds that

$$\big|\Pr[D(\mathsf{Obf}(1^\lambda, \Pi_0)) = 1] - \Pr[D(\mathsf{Obf}(1^\lambda, \Pi_1)) = 1]\big| \le \mathsf{negl}(\lambda).$$

Efficiency. We require that $\mathsf{DBCompile}$ and $\mathsf{Obf}$ run in time $\tilde{O}(|\mathsf{mem}^{0,0}|)$ and $\tilde{O}(\mathrm{poly}(|F_{sid}|))$ respectively, and that efficient $\mathsf{Eval}$ runs in time $\tilde{O}(t^*_{sid})$.

9.1.2 Constructing CiO-RAM with persistent database

Construction. We construct CiO-RAM with persistent database from the ordinary CiO-RAM (without persistent database). In general, we still follow the original setting of CiO-RAM, but use $(sid, t)$ as the timestamp instead. Moreover, a new key $K_T$, called the termination key, is involved in the obfuscated stateful function and is only used at the beginning and end of a program. The three algorithms work as follows.

Database compilation algorithm $\mathsf{DBCompile}$ is identical to Steps 1 and 3 of CiO-RAM (without persistent database). It generates the initial configuration $(\widetilde{\mathsf{mem}}^{0,0}, \widetilde{\mathsf{st}}^{0,0})$ except that $\sigma^{0,0}$ is generated from the (pseudo-)randomness $r_0 \leftarrow \mathsf{PRF}(K_T, 0)$.

Program compilation algorithm $\mathsf{Obf}$ is similar to Step 2 of CiO-RAM except for additional authentications under $K_T$ for each $sid$, $1 \le sid \le l$. It generates the obfuscated stateful function (see Algorithm 19). Note that the authentications under $K_T$ are only performed at the beginning and end of a program. This algorithm outputs $\widetilde{F}_{sid} \leftarrow \mathsf{iO.Gen}(\widehat{F}'_{sid})$.

Evaluation algorithm $\mathsf{Eval}(\widetilde{\mathsf{mem}}^{sid-1,0}, \widetilde{\mathsf{st}}^{sid-1,0}, \widetilde{F}_{sid})$ is identical to the evaluation algorithm of CiO-RAM. It outputs $(\widetilde{\mathsf{mem}}^{sid,0}, \widetilde{\mathsf{st}}^{sid,0})$.

Algorithm 19: $\widehat{F}'_{sid}$ in CiO-RAM with persistent database
Input: $\widetilde{\mathsf{st}}^{in} = ((sid, t), \mathsf{st}^{in}, v^{in}, w^{in}, \sigma^{in}), \ldots$
Data: $\ldots, K_T$
1 if $sid$ is correct and $(sid, t)$ is the beginning of the session $sid$ then
2     Compute $r_{sid-1} = \mathsf{PRF}(K_T, sid-1)$ and $(\mathsf{sk}_{sid-1}, \mathsf{vk}_{sid-1}, \mathsf{vk}_{sid-1,rej}) = \mathsf{Spl.Setup}(1^\lambda; r_{sid-1})$;
3     if $\mathsf{Spl.Verify}(\mathsf{vk}_{sid-1}, (sid-1, \mathsf{st}^{in}, v^{in}, w^{in}), \sigma^{in}) = 0$ then output $\mathsf{Reject}$;
4     Set $\mathsf{st}^{in} = \mathsf{Init}$;
5 $\ldots$ // Lines 1 to 16, Algorithm 1
6 if $\mathsf{st}^{out}$ returns $\mathsf{halt}$ for termination then
7     Compute $r_{sid} = \mathsf{PRF}(K_T, sid)$ and $(\mathsf{sk}_{sid}, \mathsf{vk}_{sid}, \mathsf{vk}_{sid,rej}) = \mathsf{Spl.Setup}(1^\lambda; r_{sid})$;
8     Compute $\sigma^{out} = \mathsf{Spl.Sign}(\mathsf{sk}_{sid}, (sid, \mathsf{st}^{out}, v^{out}, w^{out}))$;
9     Output $\widetilde{\mathsf{st}}^{out} = ((sid, 0), \mathsf{st}^{out}, v^{out}, w^{out}, \sigma^{out})$ // no database access
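To make the session-chaining role of the termination key concrete, here is an added Python model of Algorithm 19 (this is not the paper's code or instantiation): the terminating state of session $sid$ is signed under a key derived from $\mathsf{PRF}(K_T, sid)$, and session $sid+1$ accepts only a state carrying a valid signature under the key derived from $\mathsf{PRF}(K_T, sid)$, so running sessions out of order, skipping one, or replaying one is rejected. The assumptions are all constructed stand-ins: HMAC-SHA256 plays the PRF; a MAC plays the splittable signature (so $\mathsf{sk}$ and $\mathsf{vk}$ coincide and the rejection key $\mathsf{vk}_{sid,rej}$ is omitted); a hash of the memory plays the accumulator value $v$ (the iterator $w$ is omitted); and each $F_{sid}$ is collapsed into a single function from memory to memory, i.e. lines 5 and the database accesses of Algorithm 1 are not modelled.

```python
import hashlib
import hmac
import json

# Constructed toy stand-ins: HMAC for the PRF and for the splittable signature (so sk == vk),
# and a hash of the memory for the accumulator value v. None of this is the paper's instantiation.


def prf(key: bytes, label) -> bytes:
    """Stand-in for PRF(K_T, label)."""
    return hmac.new(key, json.dumps(label).encode(), hashlib.sha256).digest()


def spl_setup(r: bytes):
    """Stand-in for Spl.Setup(1^λ; r): derives (sk, vk) from r; one MAC key plays both roles."""
    k = hashlib.sha256(b"spl-setup" + r).digest()
    return k, k


def spl_sign(sk: bytes, msg) -> bytes:
    return hmac.new(sk, json.dumps(msg).encode(), hashlib.sha256).digest()


def spl_verify(vk: bytes, msg, sig: bytes) -> bool:
    return hmac.compare_digest(spl_sign(vk, msg), sig)


def accumulate(mem: list) -> str:
    """Stand-in for the accumulator value v that binds the database content."""
    return hashlib.sha256(json.dumps(mem).encode()).hexdigest()


def db_compile(k_t: bytes, mem0: list):
    """DBCompile: initial state labelled (sid, t) = (0, 0), signed under the key from PRF(K_T, 0)."""
    sk0, _ = spl_setup(prf(k_t, 0))
    v0 = accumulate(mem0)
    st = {"sid": 0, "t": 0, "st": "Init", "v": v0}
    st["sigma"] = spl_sign(sk0, [0, st["st"], v0])
    return list(mem0), st


def obf(k_t: bytes, sid: int, program):
    """Obf: wrap F_sid with the termination-key checks of Algorithm 19 (lines 1-4 and 6-9)."""
    _, vk_prev = spl_setup(prf(k_t, sid - 1))   # vk_{sid-1}, verifies the previous session's end
    sk_cur, _ = spl_setup(prf(k_t, sid))        # sk_{sid}, signs this session's end

    def f_tilde(mem: list, st_in: dict):
        # Lines 1-3: only the terminating state (sid-1, 0) of session sid-1 may start session sid.
        if st_in["sid"] != sid - 1 or st_in["t"] != 0:
            return mem, "Reject"
        if not spl_verify(vk_prev, [sid - 1, st_in["st"], st_in["v"]], st_in["sigma"]):
            return mem, "Reject"
        if accumulate(mem) != st_in["v"]:        # database must match the signed accumulator
            return mem, "Reject"
        # Line 4 (st^in = Init) and line 5: run the session's program to termination.
        mem_out = program(list(mem))
        v_out = accumulate(mem_out)
        # Lines 6-9: sign the halting state under sk_{sid}; label becomes (sid, 0).
        st_out = {"sid": sid, "t": 0, "st": "halt", "v": v_out}
        st_out["sigma"] = spl_sign(sk_cur, [sid, "halt", v_out])
        return mem_out, st_out

    return f_tilde


def run_sessions(k_t: bytes, mem0: list, programs: dict, order: list):
    """Eval the obfuscated programs in the given order; returns the final memory or 'Reject'."""
    mem, st = db_compile(k_t, mem0)
    compiled = {sid: obf(k_t, sid, prog) for sid, prog in programs.items()}
    for sid in order:
        mem, st = compiled[sid](mem, st)
        if st == "Reject":
            return "Reject"
    return mem


# Constructed sample: three sessions whose intended order is 1, 2, 3.
PROGRAMS = {
    1: lambda m: [x + 1 for x in m],
    2: lambda m: m + [sum(m)],
    3: lambda m: sorted(m, reverse=True),
}
K_T = b"\x42" * 32

if __name__ == "__main__":
    print("in order:", run_sessions(K_T, [3, 1, 2], PROGRAMS, [1, 2, 3]))
    print("out of order:", run_sessions(K_T, [3, 1, 2], PROGRAMS, [2, 1, 3]))
```

Because $\mathsf{sk}_{sid}$ is derived from $K_T$ and $sid$ alone, the key that closes a session does not depend on when the session terminates, which is the property the security sketch below relies on; the accumulator check additionally ties the signed state to the database that session $sid-1$ actually left behind.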

Security Sketch. Recall that the computation system $\Pi$ consists of an initial memory and a sequence of programs. Although we cannot directly use the security of CiO-RAM, using the pebble game analogy we can go through a hybrid argument that is quite similar to that for CiO-RAM without persistent database.

Conceptually, we can view the computation paths of the sequence of programs as a single large computation path. The proof strategy is modified as follows. Recall that in the security proof of CiO-RAM without persistent database, we move the check-point from $t = 1$ to $t = t^*$ through a hybrid argument. In the persistent database setting, the technique of moving from the timestamp $(sid, t)$ to $(sid, t+1)$ is identical to that in the setting without PDB.

The only difference here is that we need to move from the termination time $(sid, t^*_{sid})$ of session $sid$ to the beginning $(sid+1, 0)$ of the next session. For this, we can use the same technique as before to switch between the type A and type B termination key $K_T$. We note that the purpose of $K_T$ is to introduce keys which are independent of the termination time of the programs. It is otherwise conceptually the same as the type A key $K_A$ used to sign the internal states.

A special conceptual point to note is that, in some intermediate hybrids, the enforcement of the accumulator or iterator is required to enforce the whole history from the initiation to the current timestamp.

9.1.3 Constructing CiO-PRAM with persistent database

Construction. Following the same technique and conventions above, we construct CiO-PRAM with persistent database from full-fledged CiO-PRAM. In our construction of CiO-PRAM with persistent database, the database compilation $\mathsf{DBCompile}$, program compilation $\mathsf{Obf}$, and evaluation algorithm $\mathsf{Eval}$ work as their counterparts in CiO-RAM with persistent database, except for the obfuscated stateful function (see Algorithm 20). Note that once all CPUs terminate in session $sid$, the stateful function $\widehat{F}'_{sid}$ only takes $\mathsf{cpu}_1$'s state to generate the signature for connecting the next session.

Security Sketch. As for CiO-RAM with persistent database, the enforcement of the accumulator or iterator is required to enforce the whole history from the initiation to the current timestamp. We can use the same proof technique illustrated by the pebble game to go through the hybrid argument.