Garbled RAM Revisited.

The notion of garbled random-access machines (garbled RAMs) was introduced by Lu and Ostrovsky (Eurocrypt 2013). It can be seen as an analogue of Yao's garbled circuits, that allows a user to garble a RAM program directly, without performing the expensive step of converting it into a circuit. In particular, the size of the garbled program and the time it takes to create and evaluate it are only proportional to its running time on a RAM rather than its circuit size. Lu and Ostrovsky gave a candidate construction of this primitive based on pseudo-random functions (PRFs). The starting point of this work is pointing out a subtle circularity hardness assumption in the Lu-Ostrovsky construction. Specifically, the construction requires a complex "circular" security assumption on the underlying Yao garbled circuits and PRFs. We then proceed to abstract, simplify and generalize the main ideas behind the Lu-Ostrovsky construction, and show two alternatives constructions that overcome the circularity of assumptions. Our first construction breaks the circularity by replacing the PRF-based encryption in the Lu-Ostrovsky construction by identity-based encryption (IBE). The result retains the same asymptotic performance characteristics of the original Lu-Ostrovsky construction, namely overhead of O(poly(kappa)polylog(n)) (with n the security parameter and n the data size). Our second construction breaks the circularity assuming only the existence of one way functions, but with overhead O(poly(kappa)n(epsilon)) for any constant epsilon > 0. This construction works by adaptively "revoking" the PRFs at selected points, and using a delicate recursion argument to get successively better performance characteristics. It remains as an interesting open problem to achieve an overhead of poly(kappa)polylog(n) assuming only the existence of one-way functions.