Paper 2024/123
Memory Checking Requires Logarithmic Overhead
Abstract
We study the complexity of memory checkers with computational security and prove the first general tight lower bound. Memory checkers, first introduced over 30 years ago by Blum, Evans, Gemmel, Kannan, and Naor (FOCS '91, Algorithmica '94), allow a user to store and maintain a large memory on a remote and unreliable server by using small trusted local storage. The user can issue instructions to the server and after every instruction, obtain either the correct value or a failure (but not an incorrect answer) with high probability. The main complexity measure of interest is the size of the local storage and the number of queries the memory checker makes upon every logical instruction. The most efficient known construction has query complexity $O(\log n/\log\log n)$ and local space proportional to a computational security parameter, assuming oneway functions, where $n$ is the logical memory size. Dwork, Naor, Rothblum, and Vaikuntanathan (TCC '09) showed that for a restricted class of ``deterministic and nonadaptive'' memory checkers, this construction is optimal, up to constant factors. However, going beyond the small class of deterministic and nonadaptive constructions has remained a major open problem. In this work, we fully resolve the complexity of memory checkers by showing that any construction with local space $p$ and query complexity $q$ must satisfy $$ p \ge \frac{n}{(\log n)^{O(q)}} \;. $$ This implies, as a special case, that $q\ge \Omega(\log n/\log\log n)$ in any scheme, assuming that $p\le n^{1\varepsilon}$ for $\varepsilon>0$. The bound applies to any scheme with computational security, completeness $2/3$, and inverse polynomial in $n$ soundness (all of which make our lower bound only stronger). We further extend the lower bound to schemes where the read complexity $q_r$ and write complexity $q_w$ differ. For instance, we show the tight bound that if $q_r=O(1)$ and $p\le n^{1\varepsilon}$ for $\varepsilon>0$, then $q_w\ge n^{\Omega(1)}$. This is the first lower bound, for any nontrivial class of constructions, showing a readwrite query complexity tradeoff. Our proof is via a delicate compression argument showing that a ``too good to be true'' memory checker can be used to compress random bits of information. We draw inspiration from tools recently developed for lower bounds for relaxed locally decodable codes. However, our proof itself significantly departs from these works, necessitated by the differences between settings.
Metadata
 Available format(s)
 Category
 Foundations
 Publication info
 Preprint.
 Keywords
 lower boundmemory checkingcomputational security
 Contact author(s)

eboyle @ alum mit edu
ilank @ cs huji ac il
nvafa @ mit edu  History
 20240129: approved
 20240127: received
 See all versions
 Short URL
 https://ia.cr/2024/123
 License

CC BY
BibTeX
@misc{cryptoeprint:2024/123, author = {Elette Boyle and Ilan Komargodski and Neekon Vafa}, title = {Memory Checking Requires Logarithmic Overhead}, howpublished = {Cryptology ePrint Archive, Paper 2024/123}, year = {2024}, note = {\url{https://eprint.iacr.org/2024/123}}, url = {https://eprint.iacr.org/2024/123} }