Cryptology ePrint Archive: Report 2015/1074

Succinct Adaptive Garbled RAM

Ran Canetti and Yilei Chen and Justin Holmgren and Mariana Raykova

Abstract: We show how to garble a large persistent database and then garble, one by one, a sequence of adaptively and adversarially chosen RAM programs that query and modify the database in arbitrary ways. Still, it is guaranteed that the garbled database and programs reveal only the outputs of the programs when run in sequence on the database. The runtime, space requirements and description size of the garbled programs are proportional only to those of the plaintext programs and the security parameter. We assume indistinguishability obfuscation for circuits and poly-to-one collision-resistant hash functions. The latter can be constructed based on standard algebraic assumptions such as the hardness of discrete log or factoring. In contrast, all previous garbling schemes with persistent data were shown secure only in the static setting where all the programs are known in advance.

As an immediate application, our scheme is the first to provide a way to outsource large databases to untrusted servers, and later query and update the database over time in a private and verifiable way, with complexity and description size proportional to those of the unprotected queries.

Our scheme extends the non-adaptive RAM garbling scheme of Canetti and Holmgren [ITCS 2016]. We also define and use a new primitive, called adaptive accumulators, which is an adaptive alternative to the positional accumulators of Koppula et al [STOC 2015] and somewhere statistical binding hashing of Hubacek and Wichs [ITCS 2015]. This primitive might well be useful elsewhere.

Category / Keywords: public-key cryptography / Obfuscation, Garbling, RAM Programs, Adaptive Security

Date: received 4 Nov 2015

Contact author: holmgren at mit edu

Available format(s): PDF | BibTeX Citation

Version: 20151105:125513 (All versions of this report)

Short URL: ia.cr/2015/1074

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]