Crypto Seminar
— 5:30pm
Location:
In Person and Virtual - ET
-
Gates Hillman 8102 and Zoom
Speaker:
NEEKON VAFA
,
Ph.D. Student, Theoretical Computer Science, Department of Mathematics, Massachusetts Institute of Technology
https://neekonvafa.com/
Memory Checking Requires Logarithmic Overhead
In this talk, we present the first general tight lower bound on the complexity of memory checkers with computational security.
Memory checkers, first introduced over 30 years ago by Blum, Evans, Gemmel, Kannan, and Naor (FOCS '91, Algorithmica '94), allow a user to store and maintain a large memory on a remote and unreliable server by using small trusted local storage. The user can issue instructions to the server and after every instruction, obtain either the correct value or a failure (but not an incorrect answer) with high probability. The main complexity measure of interest is the size of the local storage and the number of queries the memory checker makes upon every logical instruction. The most efficient known construction has query complexity $O(\log n/\log \log n)$ and local space proportional to a computational security parameter, assuming one-way functions, where $n$ is the logical memory size. Dwork, Naor, Rothblum, and Vaikuntanathan (TCC '09) showed that for a restricted class of "deterministic and non-adaptive" memory checkers, this construction is optimal, up to constant factors. However, going beyond the small class of deterministic and non-adaptive constructions has remained a major open problem.
In this talk, we fully resolve the complexity of memory checkers by showing that $any$ construction with local space $p$ and query complexity $q$ must satisfy $p \geq \frac{n}{(\log n)^{O(q)}}$. This implies, as a special case, that $q \geq \Omega(\log n/\log\log n)$ in any scheme, assuming that $p \leq n^{1-\epsilon}$ for $\epsilon \gt0$. The bound applies to any scheme with computational security, completeness 2/3, and inverse polynomial in n soundness (all of which make our lower bound only stronger). We further extend the lower bound to schemes where the read complexity $q_r $and write complexity $q_w$ differ. For instance, we show the tight bound that if $q_r = O(1)$ and $p \leq n^{1-\epsilon}$ for $\epsilon \gt0$, then $q_w \geq n^{\Omega(1)}$. This is the first lower bound, for any non-trivial class of constructions, showing a read-write query complexity trade-off.
Our proof is via a delicate compression argument showing that a "too good to be true" memory checker can be used to compress random bits of information. We draw inspiration from tools recently developed for lower bounds for relaxed locally decodable codes. However, our proof itself significantly departs from these works, necessitated by the differences between settings.
Based on joint work with Elette Boyle and Ilan Komargodski.
In Person and Zoom Participation. See announcement.
Event Website:
https://sites.google.com/view/crypto-seminar/home