Memory Checking Requires Logarithmic Overhead

We study the complexity of memory checkers with computational security and prove the first general tight lower bound. Memory checkers, first introduced over 30 years ago by Blum, Evans, Gemmell, Kannan, and Naor (FOCS '91, Algorithmica '94), allow a user to store and maintain a large memory on a remote and unreliable server by using small trusted local storage. The user can issue instructions to the server and, after every instruction, obtain either the correct value or a failure (but not an incorrect answer) with high probability. The main complexity measures of interest are the size of the local storage and the number of queries the memory checker makes upon every logical instruction. The most efficient known construction has query complexity O(log n/log log n) and local space proportional to a computational security parameter, assuming one-way functions, where n is the logical memory size. Dwork, Naor, Rothblum, and Vaikuntanathan (TCC '09) showed that for a restricted class of "deterministic and non-adaptive" memory checkers, this construction is optimal, up to constant factors. However, going beyond the small class of deterministic and non-adaptive constructions has remained a major open problem. In this work, we fully resolve the complexity of memory checkers by showing that any construction with local space p and query complexity q must satisfy p ≥ n/(log n)^{O(q)}. This implies, as a special case, that q ≥ Ω(log n/log log n) in any scheme, assuming that p ≤ n^{1−ε} for ε > 0. The bound applies to any scheme with computational security, completeness 2/3, and inverse-polynomial (in n) soundness (all of which make our lower bound only stronger). We further extend the lower bound to schemes where the read complexity q_r and write complexity q_w differ. For instance, we show the tight bound that if q_r = O(1) and p ≤ n^{1−ε} for ε > 0, then q_w ≥ n^{Ω(1)}. This is the first lower bound, for any non-trivial class of constructions, showing a read-write query complexity trade-off.
Our proof is via a delicate compression argument showing that a “too good to be true” memory checker can be used to compress random bits of information. We draw inspiration from tools recently developed for lower bounds for relaxed locally decodable codes. However, our proof itself significantly departs from these works, necessitated by the differences between settings.


Introduction
Consider a user who wishes to maintain and operate on a large database but does not have sufficient local memory. A natural idea is for the user to offload the database to a remote storage service and perform accesses remotely. This solution, however, introduces a trust concern: the user must trust the storage service to perform its accesses reliably. Blum, Evans, Gemmell, Kannan, and Naor [BEG+94] addressed this issue more than 30 years ago by introducing the concept of a memory checker: a method for a user to use its small (but trusted) local storage to detect faults in the large untrusted storage service. As cloud storage and cloud computing have become widespread and growing practices, the need to guarantee the integrity of remotely stored data is paramount. Beyond merely checking the integrity of remotely stored data [BEG+94, HJ05, CSG+05, OR07, CD16], memory checkers have found applications in various other real-world settings, for example, provable data possession and retrievability systems [ABC+07, JJ07, OR07, SW13, CKW17], various verifiable computation systems [WTS+18, XZZ+19, Set20, ZXZS20, OWWB20, BMM+21, BDFG21, BCHO22], and many more.
A memory checker can be thought of as a proxy between the user and the untrusted remote storage. The checker receives from the user an adaptively generated sequence of read and write operations to a large unreliable memory. For each such logical request, it makes its own physical queries to the remote storage. The checker then uses the responses, together with a small reliable local memory, to either ascertain the correct answer to the logical request or report that the remote storage was faulty. The checker's assertions should be correct with high probability; typically, a small two-sided error is permitted. The main complexity measures of a memory checker are its space complexity (denoted p), the size of the reliable local memory in bits, and its query complexity (denoted q), the number of physical queries made to the unreliable memory per logical user request.
Blum et al.'s main results are efficient memory checkers in two different settings, as stated next. Throughout, we use n to denote the (logical) memory size.
• Construction 1: Space complexity p = O(λ), where λ is the size of a cryptographic key, and query complexity q = O(log n). These constructions assume that one-way functions exist and that the adversary who controls the unreliable memory is computationally efficient.
• Construction 2: Space complexity p and query complexity q = O(n/p). This construction is statistically secure.
Naor and Rothblum [NR09] showed that any memory checker with a non-trivial query-space tradeoff (i.e., q = o(n/p)) must be computationally secure and must be based on the existence of one-way functions. Thus, Construction 2 from above is optimal among all statistically secure constructions. Yet, whether more efficient computationally secure constructions than Construction 1 exist is a long-standing open problem. In particular, is the logarithmic query complexity necessary? In many applications, logarithmic overhead per query is a significant price to pay for data verification, so if more efficient constructions exist, they may be preferable.
While this problem has been open for more than three decades, only one work managed to make progress. This work, due to Dwork, Naor, Rothblum, and Vaikuntanathan [DNRV09], showed that logarithmic query complexity is inherent for a restricted class of memory checkers. They consider memory checkers where, for each read/write operation made by the user, the locations that the checker accesses in the unreliable memory are fixed and known. They refer to such checkers as deterministic and non-adaptive. While this class captures many known memory checker constructions, it is obviously quite restrictive. For instance, a memory checker could be non-deterministic, i.e., decide on its queries to the unreliable memory in a probabilistic manner via randomness derived from freshly sampled coins. Alternatively, a memory checker could be adaptive, i.e., choose sequentially which locations in the remote storage it reads and writes, basing these choices on the contents of earlier read locations or on its reliable local memory. Of course, a memory checker could be both non-deterministic and adaptive, potentially resulting in a more efficient construction.
Indeed, there are many computational models where randomness and/or adaptivity are either necessary or make certain problems easier. For instance, in the context of two-party communication complexity, it is well known (see [NW93]) that for every k ∈ N, randomization is more powerful than determinism in k-round protocols, and further that having k rounds of adaptive communication is (exponentially) better than having only k − 1 rounds. This shows that randomness and adaptivity are computational resources that have the potential to significantly improve the complexity of certain tasks. Additionally, in the context of oblivious RAM computation (which we shall discuss at length below), randomness is known to be necessary [GO96] and there is evidence that adaptivity is required in certain non-trivial regimes of parameters [CDH20].
Thus, the main question we address in this work is as follows: What is the achievable complexity of memory checkers? Do memory checkers with sub-logarithmic query complexity exist (under any cryptographic assumption)?

Our Results
We fully resolve the complexity of memory checkers by showing that logarithmic query complexity is inherent, no matter how the scheme operates and no matter which computational assumptions are used.Specifically, we prove the following theorem.
Theorem 1 (Informal; see Theorem 5). Every memory checker (with computational security) for a logical memory of size n that has query complexity q and local state p must satisfy p ≥ n/(log n)^{O(q)}. In particular, q ≥ Ω(log n/log log n), assuming that p ≤ n^{1−ε} for ε > 0.

As mentioned, the above theorem applies to all possible schemes, including ones that use randomness and adaptivity to decide which locations to access in the remote storage, and also in the computational setting. Furthermore, the lower bound applies even to schemes where the local state is private (i.e., hidden from the adversary). Lastly, the completeness of the memory checker in the theorem is 2/3 and the soundness is inverse polynomial in n. Note that these make our result only stronger, because in constructions we usually aim for perfect (or near-perfect) completeness and negligible soundness.
The lower bound is tight up to the constant hidden in the O(·) notation. A memory checker construction with matching complexity, i.e., with q = O(log n/log log n), was given by Papamanthou and Tamassia [PT11]. However, their construction requires private local state (used to store a secret PRF key). We improve upon their result and show (for completeness) a construction with quantitatively matching complexity and with only (public) reliable local state. Our construction requires the existence of sub-exponentially secure one-way functions, as is needed in all other computationally secure memory checker constructions with similar properties.

Theorem 2 (Informal; see Corollary 5). Assume the existence of sub-exponentially secure one-way functions. For all sufficiently large q ≤ log n/log log n, there is a deterministic and non-adaptive memory checker for a logical memory of size n with reliable local state, perfect completeness, and negligible (in n) computational soundness, that has local space p ≤ n/(log n)^{Ω(q)}. In particular, for some q = Θ(log n/log log n), this construction has local space p = polylog(n).
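To verify the "in particular" arithmetic in Theorem 2, write a for the constant hidden in the Ω(·) of the space bound and c for a free bookkeeping constant (both are our own notation for this sanity check):

```latex
(\log n)^{aq} = 2^{aq\log\log n},
\qquad\text{so choosing}\qquad
q = \frac{\log n - c\log\log n}{a\log\log n} = \Theta\!\left(\frac{\log n}{\log\log n}\right)
\]
gives $(\log n)^{aq} = 2^{\log n - c\log\log n} = n/(\log n)^{c}$, and hence
\[
p \;\le\; \frac{n}{(\log n)^{aq}} \;=\; (\log n)^{c} \;=\; \mathrm{polylog}(n).
```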
We refer to Figure 1 for a summary of known memory checker constructions.

Figure 1: Complexity of memory checker constructions for a logical memory of size n.

Reads vs. writes. Our lower bound rules out memory checkers where the worst-case query complexity of all accesses is below (quasi-)logarithmic. However, not all types of accesses necessarily occur as often in applications. Depending on the application, it could be that read operations are far more frequent than writes, or vice versa. Our stated lower bound from above does not rule out a memory checker where the read complexity is, say, constant but writes have logarithmic complexity. In fact, no known lower bound, not even for restricted classes of constructions (e.g., deterministic and non-adaptive), rules out such a construction. We extend our lower bound from Theorem 1 to this setting and prove a general trade-off between the local reliable space, the read query complexity, and the write query complexity.
Theorem 3 (Informal; see Theorem 5). Every memory checker (with computational security) for a logical memory of size n that has read-query complexity q_r, write-query complexity q_w, and local state p must satisfy p ≥ n/(q_r q_w log n)^{O(q_r)}.
In particular, the above theorem rules out a memory checker with constant read-query complexity and sub-polynomial write-query complexity; i.e., every memory checker with q_r = O(1) and local space p ≤ n^{1−Ω(1)} must have q_w = n^{Ω(1)}. This bound is optimal due to a construction of Dwork et al. [DNRV09], who showed a construction with write-query (resp. read-query) complexity O(d log_d n) and read-query (resp. write-query) complexity O(log_d n) for every parameter d. Indeed, setting d = n^{O(1)}, we get a memory checker with q_r = O(1) and q_w = n^{O(1)}, which is optimal according to our lower bound. Finally, we note that Theorem 1 is obtained as a special case of Theorem 3 with q_r = q_w. Interestingly, we do not know if the "reverse" bound also holds in general, i.e., whether q_w = O(1) forces q_r to be large. We leave this as an intriguing open problem. We make initial steps towards this question by proving it for the restricted class of deterministic and non-adaptive memory checkers.
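As a quick check of this parameter setting, instantiate the stated complexities of the [DNRV09] construction with d = n^ε for a constant ε > 0 (the choice of ε is ours, for illustration):

```latex
q_r = O(\log_d n) = O\!\left(\frac{\log n}{\log d}\right) = O(1/\varepsilon) = O(1),
\qquad
q_w = O(d\log_d n) = O\!\left(n^{\varepsilon}/\varepsilon\right) = n^{O(1)}.
```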
Theorem 4 (Informal; see Theorem 6). Every deterministic and non-adaptive memory checker (with computational security) for a logical memory of size n that has read-query complexity q_r, write-query complexity q_w, and local state p must satisfy p ≥ n/(q_r q_w log n)^{O(min{q_r, q_w})}.

This theorem means that if either one of q_r or q_w is sub-(quasi-)logarithmic, then the other one must be much larger. In other words, the "reverse" bound of Theorem 3 holds for deterministic and non-adaptive constructions: if q_w = O(1), then necessarily q_r = n^{Ω(1)} (as long as the local space is not too large, i.e., p ≤ n^{1−Ω(1)}). By the above-mentioned constructions of Dwork et al. [DNRV09] (which happen to be deterministic and non-adaptive), we conclude that our lower bound is tight, fully resolving the complexity of deterministic and non-adaptive memory checkers. Lastly, we mention that we provide some (weak) evidence that a "reverse" bound of Theorem 3 for general (not necessarily deterministic and non-adaptive) schemes would require relatively new ideas; see Appendix C for details.
We refer to Figure 2 for a summary of known memory checker lower bounds.
Figure 2: Lower bounds on the local space p of memory checkers for a logical memory of size n with read-query complexity q_r and write-query complexity q_w.

Implications of our Lower Bounds
Lower bounds for memory checkers optimizing other metrics. As an immediate application of our lower bound, we get general lower bounds for memory checking in other models where different notions of efficiency are considered. We mention two recent works next. Mathialagan [Mat23] extended the memory checking notion to deal with Parallel RAM (PRAM) machines, and suggested a construction for PRAMs with m CPUs with O(log N) query blowup and O(log N) depth blowup, relying on the existence of one-way functions. Since their construction matches (in query complexity) the best known construction in the RAM setting, combined with our lower bound, we conclude that their scheme is optimal in this sense. Wang, Lu, Papamanthou, and Zhang [WLPZ23] studied the locality of memory checkers (i.e., the number of non-contiguous memory regions a checker must query to verifiably answer a read or a write query). They adapted the lower bound of Dwork et al. [DNRV09] to conclude that Ω(log n/log log n) locality is necessary for any deterministic and non-adaptive memory checker. Our lower bound implies (analogously) that the same bound applies to all possible schemes.

Impossibility of efficient black-box malicious Oblivious RAM compilers. As mentioned, memory checkers are used to solve the trust issue that arises when one offloads a memory to a remote and untrusted server. However, there is also a privacy concern in doing so, which is not addressed by memory checkers. Since the remote server fully controls the memory and executes instructions on the user's behalf, it can see the user's data and the program being executed. To obtain privacy, we need to hide the data (using, say, an encryption scheme) and also "scramble" the observed access patterns so that instructions look unrelated to the data or the program being executed. The tool that achieves the latter goal is called Oblivious RAM (ORAM), introduced in the seminal works of Goldreich and Ostrovsky [Gol87, Ost90, GO96].
The efficiency of ORAM schemes is measured (similarly to memory checkers) by the number of physical queries in the oblivious simulation per logical database query. We know that logarithmic overhead is unavoidable, for any construction, even ones that rely on cryptographic assumptions [GO96, BN16, LN18, KL21]. We also have matching constructions with (worst-case) logarithmic overhead, where security is computational and relies on one-way functions [PPRY18, AKL+23, AKLS21]. We note, however, that in the ORAM setting, one typically assumes that the remote untrusted server is passive, in the sense that it behaves honestly except that it tries to learn information about the underlying data or program from the observed access pattern. A natural question is whether it is possible to tolerate a malicious attacker that may not behave honestly and may actually tamper with the memory while trying to learn something about the underlying data. It is well known (e.g., [LPM+13]) that by naively compiling every instruction of the ORAM using a memory checker, one obtains a "maliciously secure" ORAM that achieves both privacy and integrity simultaneously. This, however, comes at a cost: every logical instruction will now require ORAMOverhead × MemoryCheckerOverhead physical accesses, which is roughly Θ(log² n) (using [BEG+94, AKL+23]).
Mathialagan and Vafa [MV23] recently improved upon the above generic compiler and gave a construction (called MacORAMa) of a "maliciously secure" ORAM with overhead O(log n) (which is obviously optimal). They achieve their result by a tedious process of opening up every building block in the construction of [AKL+23, AKLS21] and turning it into a maliciously secure building block using various constructions of memory checkers. As such, the construction is overall very long and complex. [MV23] ask whether such a white-box construction and analysis is necessary, or whether there is a generic way to compile ORAMs into maliciously secure counterparts with only constant overhead. Towards this, a barrier was presented by [MV23]: such a "black-box" compiler would imply a memory checker with O(1) query complexity. By our result (Theorem 1), such memory checkers do not exist, no matter what, and so there is no way to generically upgrade ORAMs into maliciously secure ones with less than an additional logarithmic blowup. See details and the formal statement in Appendix A.
It is crucial for this corollary that our lower bound in Theorem 1 applies to all constructions of memory checkers, including ones that use randomness and adaptivity. Indeed, the way Mathialagan and Vafa obtain the above-mentioned "barrier" is by using an ORAM and the malicious compiler to build a memory checker. Since ORAMs are inherently randomized and (as far as we know [CDH20]) require adaptivity, their resulting memory checker uses randomness and adaptivity.

Offline vs. Online Memory Checkers
We have considered memory checkers that need to report either a correct value or an error (but never be wrong) after every logical instruction. This notion of memory checkers is known as "online" memory checkers. Prior works in this area additionally considered a weaker notion called "offline" memory checkers. The latter are required to report that some error has occurred only after a batch of requests. None of our lower bounds apply to this weaker notion, and this is not surprising: there exist offline memory checkers that achieve amortized O(1) bandwidth (see [BEG+94] and [DNRV09, Section 5]); these are even statistically secure and do not require any cryptographic assumptions.

Technical Overview
We begin by describing the previous approach of Dwork et al. [DNRV09], which, as we mentioned, only gives a lower bound for deterministic and non-adaptive memory checkers. We mention already that our approach significantly differs from theirs, and the main purpose of this part of the overview is to explain why their approach seems applicable only to the restricted class of deterministic and non-adaptive constructions.
At a high level, they proceed as follows. First, they prove a lower bound for a base-case setting where the query complexity of the memory checker is 1; this is done by a compression argument. Then, they consider the general case and show a reduction from high query complexity to lower query complexity, at the expense of decreasing the logical memory size, increasing the local space, and increasing the physical word size. The reduction is performed iteratively until they end up with a memory checker with query complexity 1, where they can invoke the base-case lower bound. More details follow.
Base case. Suppose there is a deterministic and non-adaptive memory checker with query complexity 1: namely, a single fixed physical query takes place for each logical query. To obtain a lower bound for this base case, they invoke a compression argument, where Alice is to transmit a random string x ∼ {0,1}^n to Bob. Consider a sequence of logical operations that first writes 0 to each logical index, resulting in public database DB_0 and local state st_0. (Alice and Bob can share DB_0 and st_0 for free since there is no dependence on x.) Then, Alice uses the memory checker to write 1 to all i ∈ [n] such that x_i = 1, resulting in public database DB_1 and local state st_1. Alice will send just st_1 to Bob.
Bob's decoding strategy is as follows: for all i ∈ [n], use the memory checker to read logical index i using DB_0 and st_1. If the answer is a bit value b ∈ {0,1}, set x̂_i = b. Otherwise, if the answer is ⊥, set x̂_i = 1. By soundness, for all i such that the answer is a bit value, we know x̂_i = x_i. By completeness, since queries to distinct logical indices must induce disjoint physical queries (here relying on query complexity 1 and basic information encoding), if x_i = 0, then we must recover the bit value 0, since DB_0 and DB_1 are consistent at the corresponding i-th physical query location. Therefore, for all i ∈ [n], x̂_i = x_i. Since Alice and Bob communicated n bits of information, it follows by a counting argument that |st_1| ≥ n.
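The final counting step can be spelled out as follows (treating decoding as error-free for simplicity; the small failure probability is handled by a standard averaging step):

```latex
\text{Since } DB_0 \text{ and } st_0 \text{ are independent of } x,\ \text{Bob's output is a fixed function } \mathrm{Dec}(st_1).
\]
Correct decoding for every $x \in \{0,1\}^n$ therefore makes the map $x \mapsto st_1$ injective, so
\[
2^{|st_1|} \;\ge\; 2^{n} \quad\Longrightarrow\quad |st_1| \;\ge\; n.
```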
Reducing to the base case. Next, they show how to reduce the query complexity of a general memory checker to 1, at the cost of degrading the other parameters (the logical memory size, the local space, and the physical word size). Roughly speaking, they condition on the following: either there is a set of sufficiently many physical locations that are sufficiently "heavy," in the sense that many logical queries touch each such location, or there does not exist such a set. In either case, the assumption that the construction is deterministic and non-adaptive is crucial.
• If there does exist such a heavy set, then they restrict the memory checker to logical indices that frequently touch that heavy set. In this case, they move the heavy part of the public database into the local state and reduce the query complexity, at the cost of decreasing the logical memory size and increasing the local space.
• If there does not exist such a heavy set, they argue that one can prune off (not too many) logical indices so that the remaining logical indices have disjoint physical locations. By restricting the memory checker to these logical indices and increasing the physical word size, this becomes a memory checker with query complexity 1. (Then, the base case applies.)

Without significant new ideas, it seems hard to use the above template to go beyond deterministic and non-adaptive constructions, as we argue next. Both of the above main steps, i.e., the base case and the reduction to the base case, rely on this assumption. We would thus need to prove an analogue of the base case for general constructions and then devise a reduction that works even if the construction uses randomness and adaptivity. We believe that the harder task is the latter one. It is not at all clear how one could restrict logical indices in either of the two cases. In the first case, one would need to at least define the heavy set differently, and in the second case, because of randomness and adaptivity, it is possible that a memory checker adaptively chooses to have many logical queries overlapping in random locations, making no single location "heavy," and yet there will be no non-trivial subset of logical indices with disjoint physical locations.

Our Lower Bound
Like Dwork et al. [DNRV09], we will also use a compression argument based on the local state of the memory checker, but this is where the resemblance between our proofs ends. Their proof restricts memory checkers into smaller and smaller ones, finally arriving at a base-case compression argument. Ours, on the other hand, will directly run a compression argument in "one shot," without reducing the memory checker into smaller ones.
Below, let the memory checker use physical words (i.e., blocks) of size w ≤ polylog(n) bits. Furthermore, we let m denote the size (i.e., number of words) of the remote server.
Suppose Alice wishes to communicate a random string x ∈ {0,1}^n of Hamming weight k to Bob (where k is some parameter set later). Alice and Bob can first initialize a memory checker with "0"s logically written everywhere, producing some public database DB_0 ∈ ({0,1}^w)^m, independent of x. Then, Alice can use this memory checker to write the value "1" to each of the indices i ∈ [n] where x_i = 1, which will result in some new, updated public database DB_1 ∈ ({0,1}^w)^m. After doing this, Alice can send to Bob the resulting local state st_1 of the memory checker. Note, however, that Bob does not see the updated database entries DB_1.
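For reference, the information content of such an x, which is what Alice's message will eventually have to pay for, is:

```latex
\log_2 \binom{n}{k} \;\ge\; \log_2\!\left(\frac{n}{k}\right)^{\!k} \;=\; k\log_2\frac{n}{k} \;\ge\; k
\qquad (\text{for } k \le n/2),
```

so any encoding from which Bob can recover x must have length Ω(k) bits.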
Bob can then use the following decoding strategy to extract x: using st_1 from Alice and the (outdated) public database DB_0 from initialization, sequentially emulate a logical read operation on the memory checker for each i ∈ [n], rewinding the local state back to st_1 between logical reads. Each such query is equivalent to a true operation of the memory checker, with an adversarial remote memory that replaces the true DB_1 values with outdated ones from DB_0. From the syntax of the memory checker, for each i, Bob will receive either 0, 1, or ⊥. By the soundness guarantee of the memory checker, if Bob receives 0 or 1 for some i, Bob knows it is the correct value of x_i (with high probability). However, Bob cannot conclude anything upon receiving ⊥ from the memory checker. Our hope will be to leverage the completeness guarantee of the memory checker, which says that if the memory checker always sees correct (i.e., fresh) values of the public database (namely, DB_0 is equal to DB_1 in all queried locations), then Bob will derive the correct binary, non-⊥ value. The challenge remains of how to do so, given that DB_1 could in fact differ substantially from DB_0.
More precisely, let W ⊆ [m] denote the set of physical locations that were written to in Alice's k writes (so DB_0 and DB_1 differ only on W). In particular, |W| ≤ kq, where q is the query complexity to remote memory for each logical request. If, for a given read query, the physical locations accessed in [m] indeed avoid W, then we would be done, since Bob's decoding strategy can recover x by invoking completeness (and soundness) of the memory checker. However, there is no reason that this guarantee should hold. For example, in Merkle-tree-style constructions, the root of the Merkle tree is accessed for all logical queries.
One possible way to get around this is to partition the public database into "heavy" and "light" locations. For heavy locations (e.g., the root of a Merkle tree), one can add their contents to the local space (or, equivalently, in the communication game, have Alice send the contents to Bob), and for the light locations (e.g., lower levels of a Merkle tree), we hope that W does not hit too many of them. It turns out, however, that such a naive approach will not give us a useful lower bound, as we explain a bit later (see Remark 1), after we develop some of our ideas further. Thus, we will need a more intricate query-partitioning mechanism, which we explain next.
Tri-partitioning the public database. We use a more fine-grained partition into heavy, medium, and light locations z ∈ [m], denoted by the sets H, M, L ⊆ [m], respectively, in the following sense: when taking a uniformly random logical index i ∼ [n], reading it with local state st_1 and public database DB_1, and sampling a uniformly random one of the corresponding q physical queries, what is the probability that it equals z? For thresholds implicitly set later, H will contain the physical locations z with the highest probability, L those with the lowest, and M everything in between. Importantly, the fact that we push the heavy and light sets further apart by introducing the middle set M is crucial for us; see Remark 1.
With this partition in hand, we adjust our communication protocol between Alice and Bob as follows. As mentioned above, we send the heavy locations in the clear; i.e., after Alice performs the k writes, Alice will additionally send over DB_1|_H (instead of just st_1), i.e., the updated contents of the physical locations in the heavy set H. Now, Bob has access to some "hybrid" public database DB, defined as DB_1 on H and DB_0 on L ∪ M, and Bob will try reading from DB instead of DB_0 (still using the updated local state st_1). The set of "bad" physical locations that we are worried about is BAD := W ∩ (M ∪ L), i.e., the written locations that Bob still sees in their outdated form. As long as any given read from Bob avoids BAD in all of its q physical queries, we can invoke completeness to say that Bob will receive the correct answer for that logical index.
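To make the hybrid database concrete, here is a small self-contained simulation with a toy Merkle-tree checker (our own illustrative construction, not the paper's; all names are ours). The local state is the root hash, the heavy set corresponds to the top levels of the tree, and reads verify a leaf's authentication path against the root:

```python
import hashlib

def H(a, b=""):
    return hashlib.sha256((str(a) + "|" + str(b)).encode()).hexdigest()

def build(values):
    # levels[0] holds the leaf values; levels[j+1][i] = H(levels[j][2i], levels[j][2i+1]).
    levels = [list(values)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels  # levels[-1][0] is the root

def checked_read(levels, root, i):
    # Recompute leaf i's authentication path; return its value, or None (i.e., ⊥).
    node, idx = levels[0][i], i
    for j in range(len(levels) - 1):
        sib = levels[j][idx ^ 1]
        node = H(node, sib) if idx % 2 == 0 else H(sib, node)
        idx //= 2
    return levels[0][i] if node == root else None

n = 8
db0 = build([0] * n)                                      # DB_0: all zeros
x_ones = [5]                                              # Alice writes 1 here
db1 = build([1 if i in x_ones else 0 for i in range(n)])  # DB_1 after the writes
st1 = db1[-1][0]                                          # updated local state (root)

# Hybrid database: top levels (the "heavy" part) come from DB_1, the rest from DB_0.
cut = 2
hybrid = [db0[j] if j < cut else db1[j] for j in range(len(db1))]

decoded = {}
for i in range(n):
    ans = checked_read(hybrid, st1, i)
    decoded[i] = ans if ans is not None else 1            # Bob decodes ⊥ as 1
```

Reads whose path below the cut avoids the written locations verify correctly and return the true 0 (indices 0 through 3 here), while the written index 5 yields ⊥ and is decoded as 1. Indices 4, 6, and 7 also yield ⊥ because they share a low subtree with the write: these are exactly the reads that hit the BAD set, whose fraction the tri-partition analysis bounds.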
We can decompose BAD into (W ∩ M) ∪ (W ∩ L) and analyze both cases separately. First, the medium thresholds for M will have the property that for random i ∼ [n], the probability that all q physical queries for logical read i avoid M is at least (say) 99/100. Second, the light threshold for L will have the property that for all ℓ ∈ L, the probability (over random i ∼ [n] and a random one of the q physical queries) that the queried location is ℓ is at most δ. By a union bound, this means that a random read to i ∼ [n] will hit ℓ in at least one of its q physical queries with probability at most qδ. Since W ∩ L ⊆ L and |W ∩ L| ≤ kq, the probability that a random logical read to i ∼ [n] hits W ∩ L is at most kδq². We now set k = Θ(1/(δq²)) so that this probability is at most (say) 1/100. Therefore, in total, the probability that a random read to i ∼ [n] avoids BAD is at least 98/100. This implies that Bob will be able to recover at least Ω(k) bits of information about the random string x. Thus, by sending st_1 and DB_1|_H, Alice has communicated Ω(k) bits about x.
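Spelling out the union-bound arithmetic with an explicit constant for k (the constant 100 is our choice, for illustration):

```latex
\Pr_{i\sim[n]}\big[\text{read } i \text{ hits } W\cap L\big]
\;\le\; \sum_{\ell\in W\cap L}\Pr\big[\text{some query of read } i \text{ hits } \ell\big]
\;\le\; |W\cap L|\cdot q\delta
\;\le\; kq\cdot q\delta \;=\; k\delta q^{2},
```

and with k = 1/(100δq²) this is at most 1/100; together with the 1/100 loss from hitting M, a random read avoids BAD with probability at least 98/100.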
Let p = |st_1| denote the local space of the memory checker. By a standard encoding lemma, saying that the most communication-efficient way to transmit ℓ uniformly random bits of information is by sending them in the clear, we get the inequality p + |H|·w ≥ Ω(k). Rearranging and using our setting of k = Θ(1/(δq²)), this means

p ≥ Ω(1/(δq²)) − |H|·w.     (1)

Remark 1 (On the necessity of the medium set). We now explain why we need a "medium" set, M. If we had just a heavy and a light set, the same analysis as above applies. However, it is possible that |H|·w and Θ(1/(δq²)) do not have enough of a gap, in which case the right-hand side of (1) becomes very small. The medium set allows this gap to be large.
To see explicitly why this approach fails if there is no medium set, consider the following setup. Suppose w = 4 ln(m) and we have an appropriately chosen distribution over the [m] elements. For all choices of L and δ, as long as L ≠ ∅, we have 1/δ − |H|w ≤ 2, which is tight when L = [m] and δ = 1/2. (Note that if L = ∅, then Alice is sending the whole updated database to Bob, which gives no compression.) This renders (1) useless.
All that is left is the following: how exactly do we set our thresholds for H, M, L (and thus δ and |H|) to maximize the right-hand side, subject to the probability that all q physical queries avoid M being at least 99/100? To do this, we prove a generic partition lemma (whose proof can be found in Section 3):

Lemma 1 (Partition Lemma (informal); see Lemma 3). Let X be a random variable supported on a finite set S. Let γ > 1, and let c, n ∈ N. Then, there is a partition S = L ⊔ M ⊔ H such that the following hold for some δ ≥ 1/n: (i) Pr[X ∈ M] ≤ 1/c; (ii) Pr[X = ℓ] ≤ δ for every ℓ ∈ L; and (iii) Pr[X = h] ≥ γδ for every h ∈ H (so, in particular, |H| ≤ 1/(γδ)).

Now, we can directly use Lemma 3 with S = [m], γ = Θ(q²w), and c = 100q on the distribution over [m] described earlier. Plugging this back into (1), we immediately have p ≥ n/(q²w)^{O(q)}. In particular, if w ≤ polylog(n) and p ≤ n^{1−ϵ} for some ϵ > 0, then q = Ω(log n/log log n).
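The partition lemma is proved via pigeonhole over geometrically spaced probability bands; the following sketch (our own rendering, with banding and tie-breaking choices that are ours, not the paper's) computes such a tri-partition:

```python
def partition(dist, gamma, c):
    """Tri-partition the support of `dist` (a dict z -> Pr[X = z]) into
    heavy / medium / light sets.  Band B_j holds elements with probability
    in (gamma^-(j+1), gamma^-j]; by pigeonhole, one of the first c (disjoint)
    bands has mass <= 1/c, and we take it as the medium set M."""
    mass = [0.0] * c
    for z, p in dist.items():
        for j in range(c):
            if p > gamma ** -(j + 1):
                mass[j] += p
                break
    j = min(range(c), key=lambda i: mass[i])   # lightest of the c bands
    delta = gamma ** -(j + 1)
    hi = gamma ** -j
    H = {z for z, p in dist.items() if p > hi}
    M = {z for z, p in dist.items() if delta < p <= hi}
    L = {z for z, p in dist.items() if p <= delta}
    return H, M, L, delta

# Toy example: two heavy locations plus a near-uniform light tail.
dist = {0: 0.5, 1: 0.3}
dist.update({z: 0.2 / 98 for z in range(2, 100)})

H, M, L, delta = partition(dist, gamma=4, c=5)
```

Here Pr[X ∈ M] ≤ 1/c since M is the lightest of c disjoint bands, every light element has probability at most δ, and every heavy element has probability above γδ, so |H| < 1/(γδ).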
Read and write query complexities. We can modify the above analysis to the setting where the read query complexity (q_r) and the write query complexity (q_w) differ. Then, we set c = 100q_r and k = Θ(1/(δq_r q_w)), which arrives at p ≥ n/(q_r q_w w)^{O(q_r)}.
Loose ends. There are a couple of issues swept under the rug in the above exposition.
• First, the distribution over physical indices produced by the logical read can adaptively change after each write, so Bob does not know what H, M, or L are.
• Second, our setting of parameters is circular. That is, we set k = Θ(1/(δq²)), and k is part of the description of the communication game that Alice and Bob are playing. However, δ is only given after applying the partition lemma (Lemma 3), which itself depends adaptively on the behavior of the memory checker.
For the first issue, we observe that Bob only needs to know what H is, so that Bob can produce DB. Specifying H ⊆ [m] can be done with |H|·⌈log₂ m⌉ bits, so Alice can send this as well in her message to Bob for free, as long as w ≥ Ω(log n) and m ≤ poly(n).⁵ For the second (and more challenging) issue, we modify the communication game as follows. Alice and Bob together effectively "guess" a good value of δ before beginning the protocol. In doing so, Alice can also always feed the memory checker the same number of writes (regardless of δ), and will instead set the "initialized" database DB_0 to be the one obtained after some number of writes depending on δ. Thankfully, our proof of the partition lemma additionally guarantees that there are at most c = Θ(q) possible choices for δ, so guessing δ correctly occurs with noticeable Θ(1/q) probability.
Connection to Relaxed Locally Decodable Codes. Our technique for partitioning [m] into heavy, medium, and light queries is inspired by a work of Goldreich [Gol23] revisiting lower bounds on the length of relaxed locally decodable codes (rLDCs).⁶ In that setting, partitioning indices of the codeword into heavy, medium, and light is done in a different manner and for different reasons. For example, instead of having Alice send Bob the heavy set (as is done above), in the rLDC setting, each logical index i ∈ [n] has a different corresponding heavy set H_i, so Alice cannot afford to send the database for all H_i. Instead, in the rLDC setting, Bob enumerates over all possible choices of DB_1|_{H_i} and checks a certain consensus condition. Furthermore, in the rLDC setting, there is no notion of "writes," as encodings of different messages should have large Hamming distance. As a result, there is no equivalent of a DB_0 that makes sense for the rLDC setting, as there are no local ways to update the codeword. On the other hand, rLDCs are secure against all computationally unbounded adversaries that change a certain fraction of the codeword, whereas memory checkers need to be secure only against computationally bounded adversaries that can tamper with the whole memory.

Lower Bound for Low Write Complexity
The above lower bound shows that if the read query complexity q_r is small (e.g., O(1)), then the write query complexity must be large (e.g., n^{Ω(1)}). We show that for deterministic and non-adaptive memory checkers, the reverse statement is true with analogous quantitative behavior.
In the previous argument, the reason for the (q_r q_w w)^{O(q_r)} term having O(q_r) in the exponent is due to the need to avoid the set M ∩ W for all q_r physical queries that Bob makes (per logical read i ∈ [n]). This is what prevents the lower bound from being meaningful when q_r = ω(log n/log log n).
However, let us shift our perspective: what if, instead of requiring the reads to avoid the (fixed) writes, we ensure that the writes avoid the reads? Since the memory checker is deterministic and non-adaptive, for all i ∈ [n], let W_i, R_i ⊆ [m] denote the set of physical locations queried for logical write i and logical read i, respectively. We can define a distribution over [m] as follows, now with respect to the writes instead of the reads: sample i ∈ [n] uniformly at random, and output a uniform element of W_i. Just as above, we can use the partition lemma to decompose [m] into H, M, L with respect to this distribution, with c = 10q_w (instead of c = Θ(q_r)). Roughly speaking, this will turn the (q_r q_w w)^{O(q_r)} term from before into a (q_r q_w w)^{O(q_w)} term, which will give us the desired trade-off for low writes.

Now, we can ensure that the writes avoid M: by determinism and non-adaptivity, we know that at least a 9/10 fraction of writes avoid M. Therefore, we can restrict Alice and Bob to consider only these indices when doing the communication argument. Just as before, Alice can send DB_1|_H, and all that is left is to argue how to deal with the light writes, i.e., W ∩ L. By a counting argument, since the queries are light, one can show that the average number of reads that each W_i touches is at most δq_w q_r n. Therefore, by Markov's inequality, at most a 1/10 fraction of write indices will touch more than 10δq_w q_r n reads (in L). Once again, we can restrict our memory checker to ignore these bad logical indices, leaving 8n/10 logical indices remaining. Furthermore, among these remaining indices, writing to k = Θ(1/(δq_w q_r)) logical indices will leave most reads avoiding W ∩ L. The communication analysis then proceeds as in the previous proof, arriving at p ≥ n/(q_r q_w w)^{O(q_w)}.
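The Markov step above can be checked mechanically: for any nonnegative loads (here, the number of light reads each W_i touches, with made-up values), the fraction of indices exceeding 10 times the average is at most 1/10. A minimal sketch:

```python
def markov_heavy_fraction(loads, factor=10):
    """Fraction of entries strictly exceeding `factor` times the average load."""
    avg = sum(loads) / len(loads)
    heavy = sum(1 for x in loads if x > factor * avg)
    return heavy / len(loads)

# Hypothetical loads: most writes touch no light reads, a handful touch many.
loads = [0] * 95 + [100] * 5
assert markov_heavy_fraction(loads) <= 1 / 10  # Markov's inequality guarantee
```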
Surpassing determinism and non-adaptivity. Our argument above relies on restricting the logical indices of the memory checker to avoid "bad" indices according to our partition lemma. However, if the memory checker were adaptive, it is not clear how to prevent the "bad" indices from changing adaptively (during or after the writes) in exactly such a way as to break our argument. Also, if the memory checker were randomized, it could be possible that writing to any i ∈ [n] hits M with probability 1/10. In such a case, it is not clear how to avoid requiring soundness (9/10)^{Ω(n^{1−ε})} in case k = Ω(n^{1−ε}). This is because any single "bad" write could possibly corrupt all reads, destroying the communication argument. Note that this is not true for the previous proof: "bad" reads are not a devastating issue and simply result in slightly less information being communicated.
In Appendix C, we give (weak) evidence that proving this same lower bound for randomized or adaptive memory checkers might require new ideas. Essentially, we give a generic way to convert memory checkers into new ones that are adaptive and have very cheap writes, at the cost of worse reads.

Preliminaries
For a natural number n ∈ N, we let [n] := {1, . . ., n}. For a distribution D, we write X ∼ D to denote that the random variable X is distributed according to D. For a finite set S, we abuse notation and write X ∼ S to denote that the random variable X is distributed uniformly over S. For an often implicitly defined universe set U and S ⊆ U, we let S̄ := U \ S denote the complement of S. For a string x ∈ {0, 1}^ℓ, we let ∥x∥_0 denote the Hamming weight of x, i.e., ∥x∥_0 = |{i ∈ [ℓ] : x_i = 1}|. For strings x_1 ∈ {0, 1}^{ℓ_1} and x_2 ∈ {0, 1}^{ℓ_2}, we let x_1||x_2 ∈ {0, 1}^{ℓ_1+ℓ_2} denote the concatenation of the two strings. We also use the notation (x_1, x_2) to denote x_1||x_2.
Compression lemma. We state the well-known lemma typically used in compression arguments. The lemma says that any method for encoding a uniformly random ℓ-bit string with fewer than ℓ bits must lose information about the string.
Lemma 2 (E.g., [DTT10]). Let S be a finite set. Consider the one-way communication problem of sending uniformly random x ∼ S from Alice to Bob in the public-coin setting, where the length of Alice's message to Bob is fixed. If Bob succeeds in outputting x with probability δ (over x and the public coins), then Alice's (binary) message to Bob must be at least log₂(|S|) − log₂(1/δ) bits long.
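As a toy illustration (not a proof) of Lemma 2, consider a hypothetical encoder that sends the first b bits of x ∈ {0,1}^ℓ and lets Bob guess the remaining ℓ − b bits uniformly. Its success probability is δ = 2^{−(ℓ−b)}, so the bound log₂|S| − log₂(1/δ) = b holds with equality:

```python
import math

def truncation_success_prob(ell, b):
    """Bob receives the first b bits and guesses the remaining ell - b bits uniformly."""
    return 2.0 ** -(ell - b)

for ell in range(1, 12):
    for b in range(0, ell + 1):
        delta = truncation_success_prob(ell, b)
        # Lemma 2: the message must be at least log2|S| - log2(1/delta) bits; here it is tight.
        lower_bound = ell - math.log2(1 / delta)
        assert abs(lower_bound - b) < 1e-9
```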

Memory Checking
Here, we define memory checkers for RAMs.Our definitions largely follow classical definitions in the literature (e.g., [BEG + 94, NR09, DNRV09]) and below we shall also discuss several distinguishing points.
Random-access machines. A RAM is an interactive Turing machine that consists of a remote memory and a user. The memory is indexed by the logical address space [n]. We refer to each memory word also as a block, and we use w_ℓ to denote the bit-length of each block. The user can issue read/write instructions to the memory of the form (op, addr, data), where op ∈ {read, write}, addr ∈ [n], and data ∈ {0, 1}^{w_ℓ} ∪ {⊥}. If op = read, then data = ⊥ and the returned value is the content of the block located at logical address addr in the memory. If op = write, then the memory content at logical address addr is updated to data. The user can perform arbitrary computation.
Memory checkers. A memory checker [BEG+94, NR09, DNRV09], at a high level, is a simulation of a standard RAM with the additional guarantee that the RAM's answers to read instructions are reliable even if the remote memory is being tampered with. We formalize a memory checker as an additional interactive Turing machine, placed "between" the user and the remote memory (so they no longer interact directly). The memory checker gets logical queries to a size-n memory from the user and processes them into a (possibly adaptively and randomly generated) sequence of read/write instructions to a physical memory. Responses are sent back to the memory checker, which processes them until it finally sends a response to the user (if needed). We emphasize that the user issues instructions for the logical memory, but the simulation is done using a physical memory that could possibly be bigger. We let [m] be the address space of the physical memory and assume each word is of size w bits. What makes the task of designing a memory checker non-trivial is the fact that we wish to limit the local space of the memory checker, where by "local space" we mean the number of bits preserved in between user instructions (so it is not a true space complexity parameter, as the memory checker could use an unbounded number of bits in the middle of carrying out a user's query).
Formally, the interface of a memory checker is as follows. We assume that at the start of the system, the local state of the memory checker is empty, st = ⊥, and the physical memory DB is initialized with all ⊥s. Furthermore, the memory checker is parametrized by the logical and physical memory and block sizes, (n, w_ℓ) and (m, w), respectively, as well as possibly a computational security parameter given in unary. We suppress these for convenience when clear from context.
The main complexity measure of a memory checker is the communication complexity of the protocols, measured by the total number of queries issued by the memory checker per logical instruction. This is made precise in the following definition.
Definition 1 (Query complexity). We define the read query complexity, denoted q_r (and write query complexity, denoted q_w), to be the worst-case number of physical queries made by the memory checker for any given logical read (and logical write, respectively). The query complexity, denoted q, is defined as q = max{q_r, q_w}.
Remark 2 (Parameters convention). We shall assume that all of the above procedures/protocols can be implemented by machines that run in polynomial time in n, the logical memory size. This implicitly bounds m ≤ 2^{poly(n)}, as physical indices need log m bits to represent. If unspecified, we assume that m is bounded by a polynomial in n. We remark that this is (essentially) without loss of generality because memory checkers with a fixed number of supported logical queries can be generically transformed (via hashing) into ones where m ≤ poly(n); see Appendix B for details. Also, unless otherwise specified, we assume w_ℓ, w ≤ polylog(n).
Completeness and soundness. Loosely speaking, completeness of a memory checker says that in an honest execution, i.e., without an adversary tampering with the memory, the user should get the "correct" answer. Soundness says that if the adversary is actively trying to tamper with the memory, then the user will either get the "correct" answer or an abort symbol ⊥ indicating that something went wrong. Importantly, the memory checker should not respond with a wrong value. Below, we formalize these properties.
We first define the ideal memory functionality, i.e., a memory that is executed by a trusted party and can provide the "correct" value of every memory cell at any point in time. We refer to this functionality as the logical memory snapshot functionality.
Definition 2 (Logical memory snapshot functionality). A logical memory snapshot functionality is an ideal primitive that gets as input logical instructions and outputs the full state (a so-called "snapshot") of the logical memory after each instruction. Initially, the memory is assumed to be empty, indicated by ⊥ in each cell. More precisely, the functionality receives (adaptively) a stream of logical instructions of the form (op, addr, data), where op ∈ {read, write}, addr ∈ [n], and data ∈ {0, 1}^{w_ℓ}. Each read instruction is ignored. Each write instruction is executed, namely, for (write, addr, data) the value at index addr is updated to data. After processing each instruction, a snapshot of the memory is generated, denoted SnapshotMem.
For a sequence of l logical instructions {(op_i, addr_i, data_i)}_{i∈[l]} fed into the ideal functionality, we have l snapshots SnapshotMem_1, . . ., SnapshotMem_l. The ith snapshot satisfies, for every addr ∈ [n], that SnapshotMem_i[addr] = data ∈ {0, 1}^{w_ℓ} if there exists a j < i such that (op_j, addr_j, data_j) = (write, addr, data) and there is no j < j′ < i with (op_{j′}, addr_{j′}, data_{j′}) = (write, addr, data′) where data′ ≠ data; if no such j exists, then SnapshotMem_i[addr] = ⊥.

Now, we can define completeness. We require that for a fixed instruction index i, with probability c(n) over the internal randomness of the memory checker, the memory checker's output on the ith query is correct (i.e., equal to the corresponding value in the ith logical memory snapshot). Furthermore, we do not allow the logical queries to be adaptively chosen based on previous physical queries made by the memory checker. We emphasize that this definition of completeness is rather weak, and specifically, it is weaker than definitions that were formalized in prior works. However, since we prove a lower bound (meaning we rule out constructions satisfying a weak notion of completeness), these weakenings only make our result stronger. In our upper bound (Section 7), we shall obtain perfect completeness (c(n) = 1), achieving the strongest definition of completeness.
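As an illustration, the snapshot functionality of Definition 2 can be modeled in a few lines of Python (a sketch for intuition only; the empty cell symbol ⊥ is represented by None):

```python
def snapshots(n, instructions):
    """Yield the logical memory snapshot after each instruction.

    `instructions` is a sequence of (op, addr, data) with op in {"read", "write"}
    and 1-indexed addr in [n]; the symbol ⊥ is modeled as None.
    """
    mem = [None] * n  # initially every cell holds ⊥
    for op, addr, data in instructions:
        if op == "write":
            mem[addr - 1] = data  # reads are ignored; writes update the cell
        yield list(mem)           # snapshot: a copy of the full logical memory

snaps = list(snapshots(3, [("write", 1, 0), ("read", 1, None), ("write", 1, 1)]))
assert snaps[1][0] == 0 and snaps[2][0] == 1 and snaps[2][2] is None
```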
Definition 3 (c-completeness). Let l ∈ N and consider a sequence of l logical instructions I = {(op_i, addr_i, data_i)}_{i∈[l]}, where op ∈ {read, write}, addr ∈ [n], and data ∈ {0, 1}^{w_ℓ}. We say that a memory checker has completeness c if the following holds for every polynomial l = l(n), every I as above, and every instruction index i ∈ [l]:

Pr[CompletenessExpt(I, i) = 1] ≥ c(n),

where the probability is over the randomness used in the experiment CompletenessExpt(I, i) that is defined next.

CompletenessExpt(I, i):
1. Initialize a memory checker by setting the local state to st = ⊥^p, and initialize the physical memory DB to ⊥^m.
2. For j = 1, . . ., l:
(a) Run the protocol between the memory checker and the (honest) physical memory: MemCheckerOp(st, op_j, addr_j, data_j) ⇐⇒ DB.
This protocol outputs a value data′_j ∈ {0, 1}^{w_ℓ} ∪ {⊥}. It also outputs an updated state st′ and an updated physical memory DB′, both of which are used in the next iteration.
(b) Feed (op_j, addr_j, data_j) into the logical memory snapshot functionality, getting back a snapshot SnapshotMem_j.
(c) If j = i, op_j = read, and data′_j ≠ SnapshotMem_j[addr_j], output 0 and abort.
3. Output 1.
Remark 3 (Completeness amplification). Our definition of completeness allows for amplification by repetition. That is, by running k independent instances of a memory checker at once (sequentially within each logical query) and outputting the majority response, we can improve completeness exponentially in k. This comes at the cost of an O(k) multiplicative blowup in query complexity, local space, and public database size.
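For intuition, the exact majority-vote success probability can be computed from the binomial distribution. The snippet below (a sanity check, not part of the construction) verifies that amplifying a 2/3-complete checker with k = 15 instances already pushes completeness above 9/10:

```python
from fractions import Fraction
from math import comb

def majority_success(k, p):
    """Pr[more than half of k independent p-correct instances answer correctly]."""
    return sum(comb(k, i) * p**i * (1 - p)**(k - i) for i in range(k // 2 + 1, k + 1))

base = Fraction(2, 3)
assert majority_success(1, base) == base
assert majority_success(15, base) > Fraction(9, 10)  # completeness improves with k
```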
For soundness, we consider a malicious PPT adversary playing the role of the physical memory in the interaction with the memory checker. We require that for any such adversary, and for any given logical read, the probability that the memory checker outputs an incorrect value σ ∈ {0, 1}^{w_ℓ} for that read is at most s(n). We emphasize that this is a rather weak notion of soundness, and specifically, it is weaker than definitions that were formalized in prior works. However, since we prove a lower bound (meaning we rule out constructions satisfying a weak notion of soundness), this only makes our result stronger. In our upper bound (Section 7), we shall prove that our construction satisfies a much stronger soundness guarantee we refer to as strong soundness.

Definition 4 (s-soundness). Let l ∈ N and consider a sequence of l logical instructions I = {(op_i, addr_i, data_i)}_{i∈[l]}, where op ∈ {read, write}, addr ∈ [n], and data ∈ {0, 1}^{w_ℓ}.
We say that a memory checker has soundness s(n) if for every stateful PPT adversary A, every polynomial l = l(n), every I as above, and every i ∈ [l], it holds that

Pr[SoundnessExpt_A(I, i) = 1] ≤ s(n),

where the probability is over the randomness used in the experiment SoundnessExpt_A(I, i) that is defined next.

SoundnessExpt_A(I, i):
1. Initialize a memory checker by setting the local state to st = ⊥^p.
2. For j = 1, . . ., l:
(a) Run the protocol between the memory checker and A, acting as the physical memory: MemCheckerOp(st, op_j, addr_j, data_j) ⇐⇒ A.
The adversary A has read access to everything except for the local state and the random tape of the memory checker. This protocol outputs a value data′_j ∈ {0, 1}^{w_ℓ} ∪ {⊥}. It also outputs an updated state st′ and an updated physical memory DB′, both of which are used in the next iteration.
(b) Feed (op_j, addr_j, data_j) into the logical memory snapshot functionality, getting back a snapshot SnapshotMem_j.
(c) If j = i, op_j = read, and data′_j ∉ {SnapshotMem_j[addr_j], ⊥}, output 1 and abort.
3. Output 0.
Remark 4 (Completeness and soundness parameters). In constructions of memory checkers, it is desired to have c as close to 1 as possible and s as small as possible. Usually, we have perfect completeness (i.e., c = 1) and negligible soundness (in a security parameter). These are also the guarantees of our construction in Section 7. In our lower bounds, however, we rule out a much weaker memory checker (which makes our lower bound stronger), where completeness is c = 2/3 and soundness is inverse polynomial in n.
We now define a stronger version of soundness, which we call strong soundness.There are three differences between this notion and soundness as defined above.First, strong soundness allows the adversary to view (but not modify) the local state and random tape of the memory checker.Second, strong soundness allows the logical queries to be adaptively chosen by the adversary instead of fixed in advance.Third, an adversary wins the strong soundness game if it causes the memory checker to err on any logical query, as opposed to a specific logical instruction fixed in advance.
We now give a formal definition.
Definition 5 (s-strong-soundness). We say that a memory checker has strong soundness s(n) if for every stateful PPT adversary A, it holds that

Pr[StrongSoundnessExpt_A() = 1] ≤ s(n),

where the probability is over the randomness used in the experiment StrongSoundnessExpt_A() that is defined next.

StrongSoundnessExpt_A():
1. Initialize a memory checker by setting the local state to st = ⊥^p.
2. While (op, addr, data) ← A(st):
(a) Run the protocol between the memory checker and A, acting as the physical memory: MemCheckerOp(st, op, addr, data; r) ⇐⇒ A(st, r), where r denotes the random tape of the memory checker. We emphasize that A has read access to everything, including the local state and the random tape of the memory checker. This protocol outputs a value data′ ∈ {0, 1}^{w_ℓ} ∪ {⊥}. It also outputs an updated state st′ and an updated physical memory DB′, both of which are used in the next iteration.
(b) Feed (op, addr, data) into the logical memory snapshot functionality, getting back an updated snapshot SnapshotMem.
(c) If op = read and data′ ∉ {SnapshotMem[addr], ⊥}, output 1 and abort.
We now define what it means for a memory checker to be deterministic and non-adaptive, in the sense of Dwork et al. [DNRV09]. Recall that Dwork et al. [DNRV09] give a lower bound only for deterministic and non-adaptive memory checkers, while our main lower bound makes no such restriction.
Definition 6 (Deterministic and non-adaptive memory checker). A memory checker is deterministic and non-adaptive if there exist fixed sequences {W_i}_{i∈[n]} and {R_i}_{i∈[n]} of physical locations such that each logical write (or read) to index i ∈ [n] performs physical queries exactly according to the sequence W_i (or R_i, respectively), regardless of the local state, the contents of the database, or the random coins. Note that the contents of the queries can still be randomized and adaptive; it is just the physical locations queried that are completely fixed.
Comparison with prior definitions. Compared to other definitions of memory checking, our lower bound applies to the widest class of constructions while not restricting the adversary (apart from being computationally efficient). Besides the differences mentioned above, we mention a few other ways in which our lower bound applies more broadly.
Since we define the completeness (and soundness, in Definition 4) game to succeed for some particular instruction index i ∈ [l], it is possible that a memory checker with completeness 2/3 makes some mistake with high probability over l(n) = n queries. For example, suppose that the memory checker is independently wrong for each read with probability 1/3. Then, this would still satisfy 2/3 completeness, but the probability that all outputs are correct is 1/2^{Ω(n)}. Prior definitions of memory checking would consider this memory checker to have "completeness" 1/2^{Ω(n)}. Another way in which our lower bound is broader is that it applies to memory checkers that could have secret local state. Furthermore, our lower bound applies to memory checkers that support 2n logical queries (and in fact, just one logical read), as opposed to an arbitrary polynomial number of logical queries. Moreover, our lower bound applies even when w_ℓ = 1. Lastly, our main lower bound does not require the memory checker's internal operations to be efficiently computable. In fact, the local space is just the number of bits preserved in between user queries, so it is not a true space complexity parameter, as the memory checker could use an unbounded number of bits in the middle of carrying out a user query.
We note that PRFs exist if one-way functions exist [HILL99, GGM86]. Furthermore, we note that we can easily extend the domain and codomain of the PRF to {0, 1}^{poly(λ)} by standard transformations (e.g., see [Gol01]).
Definition 8 (UOWHF). Let λ denote the security parameter. We say that a family of functions indexed by λ is a family of (T(λ), ε(λ))-secure universal one-way hash functions (UOWHFs) if the following hold:

Main Lower Bound
We begin by describing our main technical theorem:

Theorem 5 (Main Theorem). Consider a memory checker for a logical memory of size n and with logical word size w_ℓ = 1, supporting 2n logical queries. Assume that the physical database is of size m and with physical word size w, the read query complexity is q_r, the write query complexity is q_w, and the local space is p. If completeness is 99/100 and soundness is 1/(10⁴ · n · q_r · 2^{q_r}), then there is a universal constant C ≤ 10³ such that for n ≥ C,

p ≥ n/(C·q_r·q_w·(w + log m))^{C·q_r} − log q_r − C.
Next, we state a couple of corollaries of this theorem. These corollaries, together with Theorem 5, are the precise and elaborate versions of Theorems 1 and 3 from the introduction. The first corollary gives a (quasi-)logarithmic lower bound on the worst-case query complexity of every memory checker where the reads and writes cost the same. The second corollary allows us to conclude that if the read query complexity is small, then the write query complexity must be large. We show how these corollaries follow from Theorem 5 below, followed by a proof of Theorem 5.
Corollary 1. In the setting of Theorem 5, further assuming that q = max{q_w, q_r}, m ≤ poly(n), and w ≤ polylog(n), if completeness is 2/3 and soundness is 1/n^{1+o(1)}, it holds that

p ≥ n/(log n)^{O(q)}.

In particular, if p < n^{1−ε} for some ε > 0, then q ≥ Ω(log n/log log n).
We first prove that Corollary 1 follows from Theorem 5.
Proof of Corollary 1 assuming Theorem 5. First, we apply completeness amplification by running Θ(1) independent instances at once, to get a memory checker with completeness 99/100, read- and write-query complexities q′_r = Θ(q_r) and q′_w = Θ(q_w) (so q′ = max{q′_r, q′_w} = Θ(q)), local space p′ = Θ(p), and m′ = Θ(m) ≤ poly(n). Suppose that q′ ≥ log(n)/log log(n). Then, there exists a constant C such that (log n)^{C·q} ≥ n, in which case the result is trivial as the right-hand side is negative. Therefore, we can assume throughout that we are in the case where q′_r, q′_w ≤ log(n)/log log(n). This implies that log q′_r ≤ O(log log n) and that the required soundness 1/(10⁴ · n · q′_r · 2^{q′_r}) is at least 1/n^{1+o(1)}. We then apply Theorem 5 with m′ ≤ poly(n), and thus log(m′) ≤ O(log n). This makes the denominator (log n)^{O(q)}, and the result follows.
Second, we prove that Corollary 2 follows from Theorem 5.
Proof of Corollary 2 assuming Theorem 5. We similarly apply completeness amplification by running Θ(1) independent instances at once, to get a memory checker with completeness 99/100, read- and write-query complexities q′_r = Θ(q_r) and q′_w = Θ(q_w), local space p′ = Θ(p), and m′ = Θ(m) ≤ poly(n). This implies log(m′) = O(log n). In both cases we need to prove, we have q′_r = Θ(q_r) = o(log n/log log n). Applying Theorem 5, we get

p ≥ n/(C·q′_r·q′_w·(w + log m′))^{C·q′_r} − log q′_r − C

for some universal constant C. Since p ≤ n^{1−ε} for some ε > 0 and since log q′_r is a lower-order term, we have n/(q_r q_w log n)^{Θ(q_r)} ≤ n^{1−ε}.
Rearranging, this gives q_w ≥ n^{ε/Θ(q_r)}/(q_r log n).
The proof of Theorem 5 appears in Section 4.1.
Remark 5 (On super-polynomial public database size).It makes sense to assume that m is bounded by some a priori unspecified polynomial in n (i.e., m ≤ poly(n), as we assume in Corollaries 1 and 2), and in this case the lower bounds from Theorem 5 and Corollaries 1 and 2 are unconditional.
But what if m is super-polynomial in n? Interestingly, we can still get a meaningful result. First, one can generically reduce the public database size from m ≤ 2^{poly(n)} to m ≤ poly(n) in any memory checker construction by hashing the address space using a PRF (see Lemma 4 for details). This transformation, on its own, relies on the existence of one-way functions, but we recall that a memory checker satisfying a non-trivial relationship between p and q (i.e., p · q = o(n)) already implies the existence of (infinitely-often) one-way functions [NR09], which in turn can be used to get an (infinitely-often) PRF [HILL99, GGM86].

Proof of Theorem 5
As explained in the technical overview, the proof proceeds by a compression argument where we utilize a memory checker to convey information from Alice to Bob. Furthermore, the main technical tool that we use is a partition lemma that allows us to classify and split physical locations into heavy, medium, and light. We first state and prove the partition lemma, inspired by [Gol23, Claim 2.6], and then proceed with the main proof.
Lemma 3. Let X be a random variable supported on a finite set S. Let γ > 1, and let c, n ∈ N.
Then, there is a partition S = L ⊔ M ⊔ H such that the following hold for some δ ≥ 1/n:
• Pr[X = ℓ] ≤ δ for all ℓ ∈ L,
• Pr[X ∈ M] ≤ 1/c, and
• |H| ≤ 1/(2γδ).
Moreover, there exists i ∈ [c] such that the conditions above hold for δ = (2γ)^{i−1}/n.
Looking ahead, we use this last property of δ to argue that for fixed γ, c and n, one can guess a valid value of δ with probability 1/c without knowing the distribution of X.
Proof of Lemma 3. For i ∈ [c], we define the sets

B_i := {s ∈ S : (2γ)^{i−1}/n ≤ Pr[X = s] < (2γ)^i/n},

except that B_1 has no lower threshold and B_c has no upper threshold, so that S = ⊔_{i∈[c]} B_i by construction. By an averaging argument, we know there must exist some particular index j ∈ [c] such that Pr[X ∈ B_j] ≤ 1/c. We then set L = ⊔_{i≤j−1} B_i, M = B_j, and H = ⊔_{i≥j+1} B_i. Since for all h ∈ H we have Pr[X = h] ≥ (2γ)^j/n, by summing over h ∈ H, we know |H| ≤ n/(2γ)^j. On the other hand, by definition of L, we know that for all ℓ ∈ L, Pr[X = ℓ] < (2γ)^{j−1}/n. (Note that this is vacuously true for j = 1.) We have (2γ)^{j−1}/n ≥ 1/n since γ > 1 and j ≥ 1, so we can set δ = (2γ)^{j−1}/n. Combining the inequalities above, we have |H| ≤ n/(2γ)^j = 1/(2γδ).

We now proceed with the proof of the main theorem, Theorem 5. We start by setting a few parameters in anticipation of applying the partition lemma (Lemma 3) to a distribution over physical memory locations. Let c = 100q_r and γ = 200q_r q_w(w + log m + 2), as needed for Lemma 3. For j ∈ [c], let δ_j := (2γ)^{j−1}/n as given by Lemma 3, and let k_j := ⌊1/(100δ_j q_r q_w)⌋, where one should think of k_j (for j ∈ [c]) as the number of 1s written to the memory checker. Later on in the proof, the choice of these parameter settings will become more clear. (Specifically, c and k_j are set by Claim 2, and γ is set at the end of the proof.) Observe that since δ_j ≥ 1/n, we have k_j ≤ 1/(100δ_j) ≤ n/100. Throughout, we assume n is a multiple of 10 for simplicity, but our proof can be easily modified to handle arbitrary, sufficiently large n.
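The bucketing in the proof of Lemma 3 is constructive, and the following sketch (with a hypothetical Zipf-like input distribution and floating-point arithmetic) implements it and checks the three guarantees:

```python
def partition(probs, gamma, c, n):
    """Partition support elements into (L, M, H) per the proof of Lemma 3.

    probs: dict mapping elements of S to Pr[X = s] (summing to 1).
    Bucket B_i collects elements with (2*gamma)^(i-1)/n <= p < (2*gamma)^i/n,
    with no lower threshold for B_1 and no upper threshold for B_c.
    """
    def bucket(p):
        for i in range(1, c):
            if p < (2 * gamma) ** i / n:
                return i
        return c

    buckets = {i: [] for i in range(1, c + 1)}
    for s, p in probs.items():
        buckets[bucket(p)].append(s)
    # Averaging argument: some bucket has probability mass at most 1/c.
    j = min(buckets, key=lambda i: sum(probs[s] for s in buckets[i]))
    delta = (2 * gamma) ** (j - 1) / n
    L = [s for i in range(1, j) for s in buckets[i]]
    M = buckets[j]
    H = [s for i in range(j + 1, c + 1) for s in buckets[i]]
    return L, M, H, delta

# Hypothetical test distribution: probabilities proportional to 1/rank.
m = 500
z = sum(1 / r for r in range(1, m + 1))
probs = {s: 1 / (s * z) for s in range(1, m + 1)}
L, M, H, delta = partition(probs, gamma=1.5, c=3, n=m)
assert all(probs[s] <= delta for s in L)            # light elements are light
assert sum(probs[s] for s in M) <= 1 / 3 + 1e-12    # medium mass is at most 1/c
assert len(H) <= 1 / (2 * 1.5 * delta)              # heavy set is small
```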
Using the memory checker, we directly construct a public-coin protocol for Alice and Bob to send c strings x^{(1)}, . . ., x^{(c)}, distributed as follows: for each j ∈ [c], x^{(j)} ∈ {0, 1}^{9n/10+k_j} is independently chosen uniformly at random subject to the constraint that ∥x^{(j)}∥_0 = k_j (i.e., the Hamming weight of each x^{(j)} is k_j). At a high level, the size of Alice's message will be closely related to the local space p of the memory checker, so success of this protocol will yield a lower bound on p.
Protocol description. Before Alice sees x^{(1)}, . . ., x^{(c)}, Alice and Bob together (using shared randomness) run a memory checker and logically write 0 to all indices i ∈ [n]. Then, Alice and Bob together sample j* ∼ [c] independently and uniformly at random. We urge the reader to think of j* as a guess for the index j ∈ [c] for which δ = (2γ)^{j−1}/n will appear when applying Lemma 3 later on in the protocol. Since the memory checker could be adaptive, we may not know the right value of j beforehand, so we guess it. For simplicity, on a first pass, one may think of j as being "fixed" to the right value, although Alice has no way of knowing this beforehand.
Alice and Bob then sample a uniformly random y ∈ {0, 1}^n with ∥y∥_0 = n/10 − k_{j*} and logically write 1 to all indices i ∈ [n] such that y_i = 1, in a uniformly random order. This gives Alice and Bob the public database DB_0 ∈ ({0, 1}^w ∪ {⊥})^m after these writes, as well as the local state st_0 ∈ {0, 1}^p. (This can all be formalized by Alice and Bob sharing a sufficiently long uniformly random string and running the memory checker on that string.) For the remainder of the protocol, Alice and Bob agree on some mapping π : [9n/10 + k_{j*}] → [n] that maps [9n/10 + k_{j*}] bijectively to the indices i ∈ [n] where y_i = 0. For notational simplicity, we set x = x^{(j*)} and k = k_{j*} for the rest of the proof.
Alice's encoding. In short, for all j ≠ j*, Alice will directly encode x^{(j)}, but for j = j*, Alice will write 1 to the logical indices π(x) := {π(i) : i ∈ [9n/10 + k], x_i = 1} of the memory checker in a random order and send some information related to the memory checker at the end of the writes.
More precisely, Alice tosses coins and uses the memory checker (with DB_0 and st_0) to write 1 to every logical index in the set π(x) in a uniformly random order. This produces a new public database DB_1 and local state st_1. Now, Alice defines a distribution D over [m] as follows:
1. Sample i ∼ [n] uniformly at random.
2. Use the memory checker to read index i from local space st_1 and public database DB_1.
This defines a distribution over sequences of length q_r of physical database locations, corresponding to the locations accessed for logical read i. Sample such a sequence R from this distribution (i.e., |R| = q_r).
3. Finally, sample v ∼ R uniformly at random and output v.
Alice now applies Lemma 3 to this distribution D with parameters c and γ to partition the physical locations into [m] = L ⊔ M ⊔ H, obtaining a parameter δ of the form δ = (2γ)^{j−1}/n for some j ∈ [c] (e.g., choosing the smallest possible j for which the above holds). If j ≠ j*, Alice aborts and the whole protocol fails. (This can be formalized by Alice sending the all-0s string.) See Figure 3 for explicit details. We make the following claim:

Claim 1. The random variables j* and j are independent. In particular, Pr[j = j*] = 1/c, where the probability is over all randomness sampled by Alice and Bob in the protocol.
Proof of Claim 1. Recall that the marginal distribution of j* is uniformly random over [c]. We now argue that the random variable j ∈ [c] is independent of j*. The distribution of j can be described by the following random process, incorporating randomness used internally by the memory checker and by the logical queries passed into the memory checker:
1. Logically write 0 to all indices i ∈ [n].
2. Sample j* ∼ [c] uniformly at random.
3. Logically write 1 to n/10 − k_{j*} uniformly random distinct indices (denoted by y above) in a uniformly random order.
4. Logically write 1 to k_{j*} uniformly random distinct indices in a uniformly random order, not overlapping with the indices from the previous step (denoted by π(x^{(j*)}) above).
5. Use the resulting DB_1, st_1 from the previous step to define a distribution D. Apply Lemma 3 to D to generate j. (This step is deterministic given the previous steps.)
This can be equivalently defined by the following random process:
1. Logically write 0 to all indices i ∈ [n].
2. Logically write 1 to n/10 uniformly random distinct indices in a uniformly random order.
3. Use the resulting DB_1, st_1 from the previous step to define a distribution D. Apply Lemma 3 to D to generate j. (This step is deterministic given the previous steps.)
(The two processes are equivalent because, regardless of j*, the union of the indices written in steps 3 and 4 of the first process is a uniformly random set of n/10 distinct indices, written in a uniformly random order.) The latter random process has no dependence on j*. Therefore, j* and j are independent.
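For intuition, a partition with the properties used above can be obtained by a standard banding argument; the following sketch assumes one natural form of Lemma 3 (the paper's exact statement is not reproduced here):

```python
def partition_LMH(probs, c, gamma, n):
    """Sketch of a Lemma-3-style partition (an assumed form, for intuition
    only). Given the probability mass probs[loc] of each physical location
    under D, find the smallest j in [c] such that the "band"
    (delta_j, 2*gamma*delta_j] carries mass at most 1/c, where
    delta_j = (2*gamma)**(j-1)/n.

    Returns (L, M, H, delta, j): light locations (mass <= delta each),
    a medium band of total mass <= 1/c, and the remaining heavy locations.
    """
    for j in range(1, c + 1):
        delta = (2 * gamma) ** (j - 1) / n
        M = {l for l, p in probs.items() if delta < p <= 2 * gamma * delta}
        if sum(probs[l] for l in M) <= 1 / c:
            L = {l for l, p in probs.items() if p <= delta}
            H = {l for l, p in probs.items() if p > 2 * gamma * delta}
            return L, M, H, delta, j
```

Since the c candidate bands are disjoint and carry total mass at most 1, pigeonhole guarantees some band with mass at most 1/c, so the loop always returns.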
For the rest of the protocol description, we condition on the event that j = j*. Thus, Alice sends the following information to Bob:
• The updated local state st_1,
• DB_1|_H, i.e., the contents of DB_1 at the locations in H, and
• Some auxiliary string aux (specified later in the proof) which will help Bob complete Alice's information into a full description of x.
Because the physical database has size m, the description of H can be represented using log (m choose |H|) + 1 ≤ |H|⌈log(m)⌉ bits. As such, the total size of this message (in bits) can be upper bounded by p + |H|(w + ⌈log m⌉) + |aux|.

Bob's decoding. Given H and DB_1|_H from Alice, Bob can recreate some partially updated public database DB ∈ ({0,1}^w ∪ {⊥})^m, which is defined as DB_1 on locations in H and DB_0 on the complement [m] \ H = L ⊔ M. In short, Bob's strategy will simulate the memory checker on the next logical read to all possible i ∈ [n], rewinding back each time, using DB and st_1 from Alice. More formally, let r ∈ {0,1}^t denote the random bits used by the memory checker (for this final read). Let MC(i, DB, st; r) ∈ {0, 1, ⊥} denote the output of the memory checker upon performing a logical read to index i ∈ [n] from local state st and public database DB using randomness r. Let BitMajority : {0, 1, ⊥}^{2^t} → {0, 1, ⊥} be the function that takes the bit-wise majority of its inputs, outputting the majority bit if a strict majority exists, and ⊥ otherwise. For each i ∈ [n], Bob will set ẑ_i := BitMajority((MC(i, DB, st_1; r))_{r ∈ {0,1}^t}). That is, Bob will brute-force over all i ∈ [n] and all random bits used by the memory checker for this read, and Bob will deduce a bit value ẑ_i for z_i, the ith logical bit of the memory checker, if a strict majority of choices of randomness agree on a bit (not ⊥) to output. Otherwise,

[Figure 3: Alice's strategy. Shared by Alice and Bob: j*, DB_0, st_0, y, π. Alice sets x := x^{(j*)} and directly encodes x^{(j)} for all j ≠ j*; using DB_0 and st_0, she uses the memory checker to write 1 to all indices in π(x) ⊆ [n] in a uniformly random order, yielding updated DB_1 and st_1; she aborts the whole protocol if j* ≠ j; and she lets aux be an encoding of the subset U ∩ π(x) ⊆ U.]
Bob will put some placeholder value for the ith bit and use aux from Alice to fill it in. Reading off the values at the indices in π([9n/10 + k]) ⊂ [n] will then yield Bob's output x ∈ {0,1}^{9n/10+k}. See Figure 4 for explicit details. Note that Bob's decoding strategy may not be computationally efficient; however, this is not an issue for the information-theoretic compression argument.
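Bob's brute-force majority decoding can be sketched as follows; `mc(i, r)` is a hypothetical stand-in for running the memory checker's read on index i with random tape r against (DB, st_1), and `None` stands in for ⊥:

```python
from collections import Counter

BOT = None  # stands in for the ⊥ symbol

def bit_majority(outputs):
    """Return the strict-majority bit among `outputs`, or ⊥ if none exists."""
    counts = Counter(outputs)
    for bit in (0, 1):
        if counts[bit] > len(outputs) / 2:
            return bit
    return BOT

def decode(n, t, mc):
    """Bob's brute-force decoding: for each logical index i, run the
    hypothetical read procedure mc(i, r) over every random tape
    r in {0,1}^t and take the bit-wise majority of the outputs."""
    z_hat = []
    for i in range(n):
        outputs = [mc(i, r) for r in range(2 ** t)]  # enumerate all tapes
        z_hat.append(bit_majority(outputs))
    return z_hat
```

Indices where `decode` returns ⊥ are exactly the placeholders that aux later fills in.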
We now analyze how successful Bob will be. At a high level:
• We use completeness of the memory checker to argue that whenever DB and DB_1 are consistent for a read (which will happen fairly often, per Claim 2 below), Bob learns z_i.
• We use soundness to argue that Bob never learns the wrong value of any z_i (but could get ⊥ from the memory checker).
This communicates some information from Alice to Bob, which we show is enough to get the desired lower bound. The string aux is used so that Alice can complete Bob's partial information into full information about x.
Recall that DB_0 and DB_1 can differ only at locations that Alice accessed in writing to indices π(i) where x_i = 1. Since ∥x∥_0 ≤ k, this is at most k·q_w locations, which we will call W ⊆ [m]. Define BAD := W ∩ (L ∪ M) = W \ H to be the set of locations that Alice wrote to that are not included in H. That is, DB_1 and DB differ only at physical locations in BAD. (We emphasize that Bob does not know the set BAD.) We now argue that Bob's physical queries avoid BAD with constant probability. Let R(i, DB, st; r) ⊆ [m] denote the set of (at most q_r) physical locations queried by the memory checker upon performing a logical read to index i ∈ [n] using public database DB, local state st, and internal randomness r.
Claim 2. Assuming j = j*, Pr_{i, r_2}[R(i, DB_1, st_1; r_2) ∩ BAD = ∅] ≥ 49/50.

Proof. Since BAD = (W ∩ M) ∪ (W ∩ L), we can argue the two cases separately. For X ∼ D, we know that Pr[X ∈ M] ≤ 1/c = 1/(100 q_r). By construction of D and the union bound, this implies Pr[R ∩ (W ∩ M) ≠ ∅] ≤ q_r · Pr_{X∼D}[X ∈ M] ≤ 1/100. For the other case, by definition of L and δ_{j*}, and for X ∼ D, we know that Pr[X = ℓ] ≤ δ_{j*} for every ℓ ∈ L. Thus, by construction of D, Pr[R ∩ (W ∩ L) ≠ ∅] ≤ q_r · δ_{j*} · |W ∩ L| ≤ q_r · δ_{j*} · k q_w ≤ 1/100, where the last inequality holds since k = k_{j*} = ⌊1/(100 δ_{j*} q_r q_w)⌋. By a union bound over both cases, Pr[R ∩ BAD ≠ ∅] ≤ 1/50, proving the claim.

Given the above claim, we can invoke completeness of the memory checker, since avoiding BAD means that the physical locations accessed are correct. Explicitly, we invoke completeness on the sequence of logical queries that writes 0 everywhere, writes 1 to n/10 random locations denoted by z, and lastly reads a random location, denoted by i. We will use completeness for the last logical read, i.e., query number n + n/10 + 1.
Let r_1 and r_2 denote the randomness of the memory checker used for all of the logical writes and for the final logical read, respectively. Let z_i denote the ith logical bit of the memory checker, i.e., z_i = y_i ∨ 1[i ∈ π(x)]. By completeness, we know that
Pr_{r_1, r_2, z, i}[MC(i, DB_1, st_1; r_2) = z_i] ≥ 99/100,
where we emphasize that DB_1 and st_1 are random variables that depend on r_1 and z. Since the event that j = j* is independent of the memory checker by Claim 1, we know
Pr[MC(i, DB_1, st_1; r_2) = z_i | j = j*] ≥ 99/100.
Given j = j*, we can invoke Claim 2 and the inclusion-exclusion principle to get
Pr[MC(i, DB_1, st_1; r_2) = z_i ∧ R(i, DB_1, st_1; r_2) ∩ BAD = ∅ | j = j*] ≥ 99/100 − 1/50 = 97/100.
If R(i, DB_1, st_1; r_2) ∩ BAD = ∅, we know that the memory checker behaves identically using DB and DB_1 (since they differ only in BAD), so we have
Pr[MC(i, DB, st_1; r_2) = z_i ∧ R(i, DB_1, st_1; r_2) ∩ BAD = ∅ | j = j*] ≥ 97/100,
which, by dropping the conjunction with the second event, implies
Pr[MC(i, DB, st_1; r_2) = z_i | j = j*] ≥ 97/100.
Then, by an averaging argument,
Pr_{r_1, z}[Pr_{i, r_2}[MC(i, DB, st_1; r_2) = z_i] ≥ 91/100 | j = j*] ≥ 2/3.
Let G denote these "good" values of (r_1, z) (with density at least 2/3). By another averaging argument, restricting to a good value of (r_1, z) ∈ G, for at least 8n/10 values of i ∈ [n] we have
Pr_{r_2}[MC(i, DB, st_1; r_2) = z_i] > 1/2.
Since ẑ_i = BitMajority((MC(i, DB, st_1; r))_{r ∈ {0,1}^t}), this inner event corresponds to success for Bob on read i. Let I ⊆ [n] denote these "good" values of i, where |I| ≥ 8n/10. Assuming j = j* and (r_1, z) ∈ G, we therefore know that ẑ_i = z_i is the correct value for all i ∈ I, so Bob can recover a constant fraction of the memory checker's logical bits.
Now, we argue that with good probability, for all i ∈ [n], ẑ_i ∈ {z_i, ⊥}. More precisely:

Claim 3. There exists a "good" set G′ satisfying Pr_{r_1, z}[(r_1, z) ∈ G′] ≥ 2/3 such that, assuming j = j* and (r_1, z) ∈ G′, we have ẑ_i ∈ {z_i, ⊥} for all i ∈ [n].

Proof. We invoke soundness of the memory checker on the sequence of logical queries that writes 0 everywhere, writes 1 to n/10 random locations denoted by z, and lastly reads a random location, denoted by i. We will use soundness for the (last) logical read, i.e., query number n + n/10 + 1.
We lastly describe the efficient, dishonest adversary A used in the soundness game. A performs a selective replay attack, described as follows. For the first n + n/10 logical queries, A behaves exactly honestly, recording all physical operations made by the memory checker so far. Then, for query n + n/10 + 1, the adversary guesses some value j* ∼ [c], which then defines δ_{j*} and k_{j*}. Then, for each of the q_r physical accesses corresponding to the read, the adversary uniformly randomly and independently chooses whether to be honest at that location (i.e., whether to use DB_1) or whether to replay that location to DB_0. Note that DB_0 and DB_1 are efficiently computable for the adversary as long as the adversary knows the value k_{j*}. The guesses of whether to use DB_0 or DB_1 correspond to a guess for the heavy indices H restricted to the final read. Note that all of the q_r guesses will be correct (i.e., correspond to H) with probability at least 1/2^{q_r}. (We note that this adversary runs in time poly(n) even if m = n^{ω(1)}, since the adversary can store all physical queries made by the memory checker.) See Figure 5 for explicit details.
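The per-location coin flips of the selective replay attack can be sketched as follows (a simplified illustration; `db0` and `db1` stand in for the rewound and current databases):

```python
import random

def replay_attack_read(trace, db0, db1):
    """Selective replay attack on the final logical read (a sketch).

    For each physical location in `trace` (the q_r locations the memory
    checker accesses for the read), independently flip a fair coin to
    decide whether to answer honestly from `db1` or replay the stale
    value from `db0`. Returns the answers and the coin flips.
    """
    answers, coins = [], []
    for loc in trace:
        honest = random.random() < 0.5      # guess: is loc a heavy index?
        coins.append(honest)
        answers.append(db1[loc] if honest else db0[loc])
    return answers, coins
```

All q_r coins match any fixed target subset of the trace with probability exactly 1/2^{q_r}.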

[Figure 5: Description of A (for soundness). For the first n + n/10 queries (i.e., for the logical writes), A behaves honestly and records all physical queries made by the memory checker. Let DB_0 ∈ ({0,1}^w ∪ {⊥})^m be the database rewound to the end of the first n + n/10 − k logical queries. For the final read, A performs all physical queries from the memory checker with respect to a hybrid of DB_0 and DB_1, chosen by independent fair coins per location.]
(Even if m = n^{ω(1)}, the adversary can lazily generate DB_0, DB_1, and the hybrid database on the fly by storing all physical queries from the memory checker.) Let DB′ ∈ ({0,1}^w ∪ {⊥})^m be the random variable corresponding to the uniformly random hybrid database between DB_0 and DB_1 used by the adversary in the replay attack. Soundness for this adversary means that
Pr[MC(i, DB′, st_1; r_2) ∉ {z_i, ⊥}] ≤ s,
where s denotes the soundness error of the memory checker.

Using the probability bound above, letting DB′ denote the adversary's hybrid database, and letting B denote the event that DB′ agrees with Bob's database DB on the locations in R(i, DB′, st_1; r_2), which occurs with probability at least 1/2^{q_r}, we have
Pr[MC(i, DB′, st_1; r_2) ∉ {z_i, ⊥} | B] ≤ 2^{q_r} · s.
Since j* is sampled by A after j is defined, we know that j = j* with probability 1/c. Therefore, we similarly have
Pr[MC(i, DB′, st_1; r_2) ∉ {z_i, ⊥} | B ∧ j = j*] ≤ c · 2^{q_r} · s.
Note that the memory checker using DB′ and conditioning on B is identical to the memory checker using DB, so we have
Pr[MC(i, DB, st_1; r_2) ∉ {z_i, ⊥} | j = j*] ≤ c · 2^{q_r} · s.
By negating and similar averaging as before, there exists a set G′ of "good" values of (r_1, z), with density at least 2/3, such that conditioned on j = j* and (r_1, z) ∈ G′,
Pr_{i, r_2}[MC(i, DB, st_1; r_2) ∈ {z_i, ⊥}] ≥ 1 − 3c · 2^{q_r} · s.
By averaging again, the fraction of i ∈ [n] for which Pr_{r_2}[MC(i, DB, st_1; r_2) ∈ {z_i, ⊥}] > 1/2 is at least 1 − 1/(10n), using that the soundness error s is an appropriately small inverse polynomial in n. Since 1 − 1/(10n) > 1 − 1/n, the inner event holds with probability 1, i.e., for all i ∈ [n]. Moreover, since ẑ_i = BitMajority((MC(i, DB, st_1; r))_{r ∈ {0,1}^t}), we have ẑ_i ∈ {z_i, ⊥} for all i ∈ [n]. That is, assuming j = j* and (r_1, z) ∈ G′, Bob does not decode "incorrectly" for any i ∈ [n].
In summary, assuming throughout that j = j* and (r_1, z) ∈ G ∩ G′, none of the ẑ_i will be the incorrect bit, and moreover, for 8n/10 values of i ∈ [n], ẑ_i will be the correct bit. In particular, Bob can use the map π to map these values back to x, where Bob now only needs to learn which of the remaining at most n − 8n/10 = n/5 placeholder values of x are 1.
We now specify Alice's auxiliary string. Alice can run Bob's whole strategy and deduce where Bob will put placeholder values. Alice will simply send a compressed representation of these placeholder values. Explicitly, Alice must describe at most n/5 bits of z in the worst case. This takes at most log (n/5 choose k′) bits for some k′ ≤ k, where k′ is the number of 1s among the n/5 placeholder bits. Since k ≤ n/100, this quantity is maximized when k′ = k. As a result, we have the bound |aux| ≤ log (n/5 choose k) + ⌈log n⌉. Moreover, notice that by the definition of G and G′ and the union bound, the probability that j = j* and (r_1, z) ∈ G ∩ G′ is at least 1/c · 1/3 = 1/(300 q_r). Therefore, the success probability of this protocol is at least 1/(300 q_r).
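The standard bound on binomial coefficients used in this step can be written out as:

```latex
\binom{n/5}{k} \le \left(\frac{e n}{5k}\right)^{k},
\qquad\text{so}\qquad
\log \binom{n/5}{k} \le k \log\!\left(\frac{e n}{5 k}\right).
```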
We are finally ready to invoke the compression lemma (Lemma 2). Since Alice communicates at most p + |H|(w + log m) + |aux| bits to Bob and the protocol succeeds with probability at least 1/(300 q_r), Lemma 2 gives
p + |H|(w + log m) + |aux| ≥ log( Σ_{k′ ≤ k} (9n/10 + k choose k′) ) − log(300 q_r).
Substituting the bound on |aux| and using the standard bounds on binomial coefficients, this simplifies to a lower bound on p of the form Ω(k) − |H|(w + log m) − O(log n). Finally, using the guarantee from Lemma 3 on |H| and δ (recalling that k = ⌊1/(100 δ_{j*} q_r q_w)⌋), we get that
p ≥ n/(600 q_r q_w (w + log m))^{202 q_r} − log(q_r) − 11,
as desired.

Lower Bound for Low Write Complexity
In this section we prove a "write-optimized" lower bound that complements the bound in Theorem 5. However, as opposed to Theorem 5, our lower bound here only applies to deterministic and non-adaptive memory checkers (whereas the lower bound in Theorem 5 had no restriction on the scheme).

Theorem 6. Consider a deterministic and non-adaptive memory checker for a logical memory of size n and with logical word size w_ℓ = 1, supporting 2n logical queries. Assume that the physical database is of size m and with physical word size w, the read query complexity is q_r, the write query complexity is q_w, and the local space is p. If completeness is 99/100 and soundness is 1/(100n), then there exists a universal constant C ≤ 100 such that for n ≥ C,
p ≥ n/(C q_r q_w w)^{C·q_w} − C.
We obtain (analogously to Corollary 2) the following corollary stating a lower bound on the read query complexity in the case of low write complexity.
Corollary 3. In the setting of Theorem 6 and further assuming that w ≤ polylog(n) and p ≤ n^{1−ϵ} for some ϵ > 0, the following holds:
• If q_w = o(log n/ log log n), then q_r = (log n)^{ω(1)}.
The rest of this section is devoted to the proof of Theorem 6.
Proof of Theorem 6. Throughout, we assume n ≥ 100 and n is a multiple of 10 for simplicity, but our proof can be easily modified to handle arbitrary n ≥ 100.
Let m ≤ 2^{poly(n)} be the physical database size. Since the scheme is deterministic and non-adaptive, there exist fixed sequences W_1, …, W_n ∈ [m]^{q_w} and R_1, …, R_n ∈ [m]^{q_r} such that each logical write (respectively, read) instruction to index i ∈ [n] performs physical queries exactly according to the sequence W_i (respectively, R_i), regardless of the local state, contents of the database, or random coins. Without loss of generality, treating W_i and R_i as sets, we assume that each W_i and R_i has exactly q_w and q_r distinct elements, respectively. (If not, we can pad with distinct dummy queries, and our argument still goes through.) Let D be the distribution defined as follows:
1. Sample i ∼ [n] uniformly at random;
2. Select and output a uniformly random element of W_i.
We apply Lemma 3 to D with c = 10 q_w and γ = 200 q_r q_w (w + 1) to get a partition [m] = L ⊔ M ⊔ H along with a parameter δ ≥ 1/n. At a high level, our goal will be to restrict the logical indices [n] to those that avoid M and whose writes collide with few logical reads (outside of H). Then, we write to a random subset of these indices to communicate information from Alice to Bob.
Since Pr_{X∼D}[X ∈ M] ≤ 1/(10 q_w), we know that Pr_{i∼[n]}[W_i ∩ M ≠ ∅] ≤ 1/10. As a result, there exists I_0 ⊆ [n] of size |I_0| ≥ 9n/10 such that for all i ∈ I_0, W_i ∩ M = ∅. Furthermore, Pr_{X∼D}[X = ℓ] ≤ δ for all ℓ ∈ L. Consequently, Pr_{i∼[n]}[ℓ ∈ W_i] ≤ δ q_w for all ℓ ∈ L. This means that for all ℓ ∈ L, there are at most δ q_w n values of i ∈ [n] such that ℓ ∈ W_i. For each i ∈ [n], let α_i := |{j ∈ [n] : R_j ∩ W_i ∩ L ≠ ∅}| denote the number of logical reads whose physical locations intersect W_i within L. Since each ℓ ∈ L appears in at most δ q_w n of the sets W_i and Σ_{j∈[n]} |R_j| ≤ q_r n, we have Σ_{i∈[n]} α_i ≤ δ q_w q_r n². Therefore, by Markov's inequality, letting I_1 = {i ∈ [n] : α_i < 10 δ q_w q_r n}, we have |I_1| ≥ 9n/10. By the inclusion-exclusion principle, it follows that |I_0 ∩ I_1| ≥ 8n/10. For the remainder of the protocol, we fix some arbitrary I ⊆ I_0 ∩ I_1 such that |I| = 8n/10. Note that for all i ∈ I, we have W_i ∩ M = ∅ and α_i < 10 δ q_w q_r n.

Protocol description. Now, we construct a public-coin protocol for Alice and Bob to send a uniformly random string x ∈ {0,1}^{8n/10} subject to ∥x∥_0 ≤ k for k = ⌊1/(100 q_r q_w δ)⌋. Note that k ≤ n/100 since δ ≥ 1/n. Before Alice sees x, Alice and Bob together (using the same randomness) run the memory checker, write 0 to all indices i ∈ [n] to obtain a public database DB_0 and local state st_0, and agree on a bijection π from [8n/10] to I.

Alice's encoding. In short, Alice will write x to the memory checker and send some information related to the memory checker at the end of the writes. More precisely, Alice tosses coins and uses the memory checker (with DB_0 and st_0) to write 1 to every logical index in π(x) := {π(i) : i ∈ [8n/10], x_i = 1}. This produces a new updated public database DB_1 and local state st_1. Alice then sends the following to Bob:
• The updated local state st_1,
• DB_1|_H, i.e., the contents of DB_1 at the locations in H, and
• Some auxiliary string aux (specified later) which will help Bob complete Alice's information into a full description of x.
See Figure 6 for explicit details. The total size of this message (in bits) can be upper bounded by p + |H|(w + 1) + |aux|.

[Figure 6: Alice's strategy. Using DB_0 and st_0, Alice uses the memory checker to write 1 to all indices in π(x), resulting in updated DB_1 and st_1, and lets aux be an encoding of the subset U ∩ π(x) ⊆ U.]
Bob's decoding. Given DB_1|_H from Alice, Bob can recreate some partially updated public database DB, which is defined as DB_1 on locations in H and DB_0 on the complement [m] \ H = L ⊔ M. In short, Bob's strategy will simulate the memory checker on the next logical read to all possible i ∈ [n], rewinding back each time, using DB and st_1 from Alice. More formally, Bob will brute-force over all i ∈ [n] and all random bits used by the memory checker for this read, and Bob will deduce a bit value ẑ_i for z_i, the ith logical bit of the memory checker, if a strict majority of choices of randomness agree on a bit (not ⊥) to output. Otherwise, Bob will put some placeholder value for the ith bit and use aux from Alice to fill it in. Explicitly, let r ∈ {0,1}^t denote the random bits used by the memory checker (for this final read). Let MC(i, DB, st; r) ∈ {0, 1, ⊥} denote the output of the memory checker upon performing a logical read to index i ∈ [n] from local state st and public database DB using randomness r. For each i ∈ [n], Bob will set ẑ_i := BitMajority((MC(i, DB, st_1; r))_{r ∈ {0,1}^t}).
Reading off the values in I will then yield Bob's output x ∈ {0,1}^{8n/10} via the mapping π. See Figure 7 for explicit details.
We now analyze how successful Bob will be. Recall that DB_0 and DB_1 can differ only at locations that Alice accessed in writing 1 to π(x). Let BAD := ∪_{i ∈ π(x)} (W_i ∩ L) be the set of such locations outside of H (recall that W_i ∩ M = ∅ for all i ∈ I). We now determine how many read indices j ∈ [n] are unaffected by these writes, in the sense of R_j ∩ BAD = ∅. Note that if R_j ∩ BAD = ∅, then Bob using DB to perform logical read j is identical to instead using DB_1 to perform logical read j honestly, and hence, we can invoke completeness.

[Figure 7: Bob's strategy. Shared by Alice and Bob: DB_0, st_0. Alice's message: (DB_1|_H, st_1, aux). Using DB_0 from the shared input and DB_1|_H from Alice, Bob defines the database DB ∈ ({0,1}^w ∪ {⊥})^m, and for all j ∈ [n] sets ẑ_j := BitMajority((MC(j, DB, st_1; r))_{r ∈ {0,1}^t}) ∈ {0, 1, ⊥}.]

Let J = {j ∈ [n] : R_j ∩ BAD = ∅}. By construction of I, each i ∈ π(x) satisfies α_i < 10 δ q_w q_r n, which implies
|[n] \ J| ≤ Σ_{i ∈ π(x)} α_i ≤ k · 10 δ q_w q_r n ≤ n/10,
where the last inequality follows from the definition of k. Therefore, |J| ≥ 9n/10. We have shown the following claim:

Claim 4. There exists J ⊆ [n] such that |J| ≥ 9n/10 and for all j ∈ J, R_j ∩ BAD = ∅.

For soundness, the adversary replays the locations outside of H to DB_0 and answers honestly (with DB_1) at the locations in H; since the scheme is deterministic and non-adaptive, the adversary knows H exactly and no guessing is needed. (Lemma 3 bounds |H| ≤ n since δ ≥ 1/n, so a non-uniform PPT adversary in n can perform this attack even if m = n^{ω(1)}.) This corresponds to Bob's decoding strategy. Soundness for this adversary means that the final read outputs a value outside {z_j, ⊥} with probability at most 1/(100n).
By similar averaging as before, there exists a set G′ of "good" values of r_1, with density at least 2/3, such that conditioned on r_1 ∈ G′, the memory checker outputs a value in {z_j, ⊥} with probability more than 1/2 over r_2 for at least a 1 − 1/(10n) fraction of j ∈ [n]. Since 1 − 1/(10n) > 1 − 1/n, the inner event in fact holds for all j ∈ [n]. As such, ẑ_j ∈ {z_j, ⊥} for all j ∈ [n]. In summary, assuming that r_1 ∈ G ∩ G′, none of the ẑ_i will be incorrect, and moreover, for 8n/10 values of i ∈ [n], ẑ_i will be correct. In particular, Bob can use the map π to map these values back to x, where Bob now only needs to learn which of the remaining at most n/5 placeholder values of x are 1. We can use aux to specify these placeholder values, giving |aux| ≤ log (n/5 choose k).
By standard binomial coefficient bounds, this simplifies as in the proof of Theorem 5. Finally, using the guarantee from Lemma 3, we get that
p ≥ n/(C q_r q_w w)^{C·q_w} − C,
as desired.

The construction of Theorem 7 is built on a d-ary tree of depth ℓ = Θ(log_d n) with vertex set V = [d]^0 ∪ [d]^1 ∪ ⋯ ∪ [d]^{ℓ−1} for d = Θ(√log n), where we use the notation ε to denote the empty string, i.e., the unique element of [d]^0. We associate each vertex in this tree with a physical location, making the public database have O(n) many physical words. We associate each leaf of this tree (of which there are at least n) with a logical index. The logical word size will be w_ℓ = 2dλ = Θ(λ√log n), and the physical word size will be w = (2d + 2)λ = Θ(λ√log n). For a leaf vertex v ∈ [d]^{ℓ−1}, let data_v ∈ {0,1}^{w_ℓ} denote the logical data for the memory checker at the corresponding logical index.
For a vertex v ∈ V, the corresponding entry in the public database will consist of a pair (x_v, h_v), where |x_v| = 2dλ and |h_v| = 2λ, defined recursively as follows: for a leaf v, x_v = data_v, while for an internal vertex v, x_v = (h_{v||1}, …, h_{v||d}) is the concatenation of its children's hash values; in both cases, h_v = (k_v, H_{k_v}(x_v)) for a key k_v ∈ {0,1}^λ. Here and throughout, H_k denotes an element of the UOWHF function family with key k. Note that the size of the input that we are feeding into the hash function is 2dλ ≤ 2λ√log n, so using this hash function (which has domain {0,1}^{λ²} by Definition 8) is well-defined as long as λ ≥ 2√log n. The local state of the memory checker will simply consist of h_ε = (k_ε, H_{k_ε}(x_ε)), which has size 2λ.
Handling reads. We now describe how logical reads are performed. To read index i ∈ [n], the memory checker will first read the leaf v corresponding to logical index i to yield a candidate response data_v. Next, the memory checker performs reads up the path from v to the root ε to verify the validity of data_v, starting at node u = v and going up to u = ε. Specifically, at each u, the memory checker computes H_{k_u}(x_u) and checks that it is consistent with h_u; additionally, for internal nodes, it checks that x_u contains the correct value h_{u||j} for the unique child j it has read. Finally, the memory checker also checks whether the value of h_ε it has read from the public database is consistent with its local state, which holds an uncorrupted copy of h_ε. If all checks go through, the memory checker returns data_v to the user; otherwise, the memory checker returns ⊥.
Overall, the query complexity of a read is ℓ = Θ(log_d n) = Θ(log n/ log log n).
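The read-time verification walk can be sketched as follows, with `hashlib`'s SHA-256 (keyed by prefixing) standing in for the UOWHF H_k; the node encoding, where an internal x_u is a list of its children's (k, h) pairs, is a simplifying assumption:

```python
import hashlib

def H(key: bytes, x: bytes) -> bytes:
    """Keyed hash standing in for the UOWHF H_k (illustration only)."""
    return hashlib.sha256(key + x).digest()

def ser(x):
    """Serialize node contents: leaf data is bytes, internal x is a list."""
    return x if isinstance(x, bytes) else repr(x).encode()

def verified_read(leaf, parents, root_state):
    """Sketch of a logical read. `leaf` is (x_v, (k_v, h_v)); `parents`
    lists ((x_u, (k_u, h_u)), child_index) pairs from v's parent up to
    the root; `root_state` is the trusted local copy of (k_eps, h_eps).
    Returns the leaf data, or None (standing in for ⊥) on any failure."""
    x_v, (k_v, h_v) = leaf
    if H(k_v, ser(x_v)) != h_v:          # leaf hash must check out
        return None
    child = (k_v, h_v)
    for (x_u, (k_u, h_u)), idx in parents:
        if H(k_u, ser(x_u)) != h_u:      # this node's hash must check out
            return None
        if x_u[idx] != child:            # x_u must contain the child's (k, h)
            return None
        child = (k_u, h_u)
    if child != root_state:              # root must match the local state
        return None
    return x_v
```

Any single corrupted node on the path breaks one of the three checks, which is exactly the structure the soundness analysis below exploits.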
Handling writes. We now describe how logical writes are performed. To write data to logical index i ∈ [n], let v be the leaf corresponding to index i. For each node on the path from v up to the root ε, the memory checker will perform one physical read and then one physical write before proceeding to the next level.
For the physical write to leaf v, the memory checker will sample a fresh k_v ∼ {0,1}^λ and then write x_v = data and h_v = (k_v, H_{k_v}(x_v)). For the physical writes to internal nodes u on the path from v to ε, the memory checker samples a fresh k_u ∼ {0,1}^λ, updates x_u with its new entry (based on its immediately preceding physical read at the same level and the physical write one level below), and writes h_u = (k_u, H_{k_u}(x_u)). Concurrently, based on the values read during the physical reads, the memory checker performs all the same checks as in a logical read to ensure that all (old) hashes along the way are consistent with its (old) root and (old) local state. Assuming all checks go through, the memory checker updates its local state to the new value of h_ε; otherwise, the memory checker can simply store ⊥ locally and return ⊥ for any later reads.
Overall, the query complexity of a write is 2ℓ = Θ(log n/ log log n).
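A write can similarly be sketched: verify the old hashes exactly as in a read, then refresh keys and hashes bottom-up along the path (same toy node encoding and SHA-256 stand-in as assumptions; `os.urandom` models sampling fresh UOWHF keys):

```python
import hashlib, os

def H(key: bytes, x: bytes) -> bytes:
    """Keyed hash standing in for the UOWHF H_k (illustration only)."""
    return hashlib.sha256(key + x).digest()

def ser(x):
    return x if isinstance(x, bytes) else repr(x).encode()

def path_write(new_data, path, child_indices, old_root_state):
    """Sketch of a logical write. `path[0]` is the leaf's old (x, k, h)
    triple and `path[1:]` the internal nodes up to the root; x at an
    internal node is a list of its children's (k, h) pairs, and
    child_indices[i] says which child of path[i+1] lies on the path.
    Returns (new_path, new_root_state), or None if an old-hash check fails."""
    idxs = [None] + child_indices
    # First pass: verify all old hashes, exactly as in a logical read.
    child = None
    for (x, k, h), idx in zip(path, idxs):
        if H(k, ser(x)) != h or (child is not None and x[idx] != child):
            return None
        child = (k, h)
    if child != old_root_state:
        return None
    # Second pass: refresh keys and hashes bottom-up with fresh keys.
    new_path, x = [], new_data
    for (old_x, _, _), idx in zip(path, idxs):
        if idx is not None:              # internal node: splice in child's new (k, h)
            x = list(old_x)
            x[idx] = (new_k, new_h)
        new_k = os.urandom(16)           # fresh UOWHF key for this node
        new_h = H(new_k, ser(x))
        new_path.append((x, new_k, new_h))
    return new_path, (new_k, new_h)
```

The returned root pair is what the memory checker stores as its new local state.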
Completeness and soundness. It is clear that this protocol has completeness 1, but it remains to show strong soundness. The analysis proceeds exactly as in Theorem 2 of Blum et al. [BEG+94].
To see strong soundness, suppose not. Then, there is an adversary that breaks strong soundness on one of the reads with probability at least p. Going from the root ε to the leaf for this logical read, there must exist a first node u such that h_u is incorrect. Moreover, u cannot be the root, because h_ε is stored reliably in the local state. Therefore, there must exist a parent v of u, i.e., u = v||j for some j ∈ [d]. Furthermore, by our definition of u, we know that h_v is correct. Thus, k_v and H_{k_v}(x_v) are correct, but x_v, which contains h_{v||j} = h_u, must be incorrect because h_u is incorrect. Therefore, this adversary has produced some dishonest x′_v ≠ x_v with H_{k_v}(x′_v) = H_{k_v}(x_v).
We can now use this adversary to create a targeted collision. Specifically, the adversary will guess which read and which node u will be the first incorrect node, and output the x_v corresponding to the honest value as the target, before the memory checker has broken soundness. Then, upon receiving k_v ∼ {0,1}^λ, the adversary will produce the x′_v that causes a collision. If the adversary breaks memory checking soundness with probability p, then this attack breaks targeted collision resistance with probability p/poly(n) (due to the guess of the read and node). Therefore, if we have ϵ(λ) security for the UOWHF, then we have soundness at most ϵ(λ) · poly(n).
We now apply Theorem 7 with sub-exponentially secure UOWHFs, which we know exist if sub-exponentially secure one-way functions exist [Rom90, KK05].

Corollary 4. Suppose there exist sub-exponentially secure one-way functions. Then, there is a deterministic and non-adaptive memory checker with public local state for a logical memory of size n that has query complexity O(log n/ log log n), local space polylog(n), equal logical and physical word sizes of polylog(n), completeness 1, soundness negl(n), and public database size O(n√log n), that is secure against all poly(n)-time adversaries.

Remark 6. We can similarly use the construction in Theorem 7 with larger arity d ∈ [√log n, n] to get a memory checker with query complexity Θ(log_d n) at the cost of physical and logical words of size d · polylog(n) (and by using UOWHF domain extension). This shows that the dependence on w in Theorem 5 is necessary.
In particular, for matching physical and logical word size n^ε, there is a memory checker with query complexity Θ(1/ε). Interestingly, note that this is not true for ORAM: known lower bounds show that for matching physical and logical word size n^{Ω(1)}, there is still an Ω(log n) query complexity lower bound [LN18, KL21].
Proof of Corollary 4. By assumption, we know there is some δ ∈ (0, 1) for which we have (2^{λ^δ}, 1/2^{λ^δ})-secure UOWHFs. Setting λ = log(n)^{2/δ} in Theorem 7 gives the desired result. In fact, soundness is at most (some) quasi-polynomial in n, and the scheme is secure against adversaries with run-time (some) quasi-polynomial in n. (We note that this construction can be optimized to get word sizes log(n)^{1/δ+ϵ} for any ϵ > 0, so as δ approaches 1, the word size approaches log n.)

We now give another corollary of this construction, where there is a trade-off between local space and query complexity.
Corollary 5. Suppose there exist sub-exponentially secure one-way functions. Then, for any q ≤ log n/ log log n, there is a deterministic and non-adaptive memory checker with public local state for a logical memory of size n that has query complexity q, local space p, physical word size polylog(n), completeness 1, soundness negl(n), and public database size O(n√log n), secure against all poly(n)-time adversaries, that satisfies the bound
p ≤ n · polylog(n)/(log n)^{Ω(q)}.

Proof. We start with the construction of Theorem 7. Recall that the reads and writes have query complexity at most q′ = 2 log_d n + Θ(1). Then, we modify the construction so that the memory checker stores all of the h_v values for layer α of the d-ary tree instead of the root layer, where α = (q′ − q)/2 + Θ(1) is chosen so that the memory checker now needs to make only q queries instead of q′. The local space is now
p := 2λ d^α ≤ 2λ d^{log_d(n) − q/2 + O(1)} ≤ n · polylog(n)/(log n)^{Ω(q)}.

Mathialagan and Vafa [MV23] show that the existence of a black-box RAM program that transforms an honest-but-curious ORAM into a maliciously secure one is equivalent to a restricted form of memory checkers, which they call separated memory checkers [MV23, Section 5]. In short, a separated memory checker differs from a standard memory checker in two key ways:
1. The main difference is that, unlike standard memory checking, where a joint PPT adversary A controls both the logical queries and the physical database simultaneously, in a separated memory checker the adversaries controlling the logical queries and the physical database do not collude during the protocol. That is, soundness (and completeness) holds only for "separated" adversaries that control the logical queries and the physical database independently. (The adversaries are allowed to "collude" before starting the protocol.) Our definitions of completeness and soundness (Definitions 3 and 4) satisfy this notion as well, because the sequence of logical queries is fixed in advance of running the experiment.
2. To make their result meaningful for ORAMs, which inherently have small local space, Mathialagan and Vafa [MV23] consider compilers that are only required to work for low-space honest-but-curious ORAM protocols. They show that such compilers imply separated memory checkers that are only required to be sound (and complete) if the adversary controlling the logical queries has a similar space bound. If this space bound for the adversary is p, they call such a separated memory checker a separated memory checker for users with space p.
Formally, they show the following:

Theorem 8 ([MV23], Theorem 3). Suppose there is a RAM program Π such that for all honest-but-curious ORAMs C with local space at most p, the composition of Π and C is a maliciously secure ORAM. If Π has blowup in query complexity ℓ, then there is a separated memory checker for users with space O(p) that has query complexity O(ℓ).
Our lower bound in Theorem 5 also rules out separated memory checkers. As a result, we have the following theorem (for the standard setting of memory checking parameters):

Theorem 9. There does not exist a separated memory checker for a memory of size n with query complexity o(log n/ log log n). Moreover, for all ε > 0, the same holds even for separated memory checkers for users with space O(n^ε).
An immediate corollary of this theorem is the following:

Corollary 6. There does not exist a RAM program Π with blowup in query complexity o(log n/ log log n) such that for all honest-but-curious ORAMs C on a memory of size n, the composition of Π and C is a maliciously secure ORAM on a memory of size n. The same holds for all ε > 0 even when restricted to honest-but-curious ORAMs with space O(n^ε).
We now prove the main theorem in this section, Theorem 9.
Proof of Theorem 9. The proof proceeds directly from Theorem 5, considering the memory checker restricted to the first n′ := n^{ε/2} logical indices. The crucial observation is that, for this proof, the logical queries can be implemented by an adversary running in space O(n′ log(n′)) = O(n^{ε/2} log n) = O(n^ε) bits. Then, since n′ = n^{ε/2}, Theorem 5 implies a query complexity lower bound of Ω(log(n′)/ log log(n′)) = Ω(log n/ log log n), as desired.
Therefore, by a hybrid argument using PRF security, since the adversary is efficient and only gets oracle access to the PRF, completeness deteriorates by at most an additive 1/n² + negl(λ) = 1/n² + negl(n) term. Furthermore, the physical database size is now at most 4(Tqn)² = poly(n).

C Write-Optimized Memory Checker Construction
In Corollary 2, we showed that for reasonable parameter settings of memory checkers, if the read query complexity is small, then the write query complexity must be large. In Corollary 3, we showed that for deterministic and non-adaptive memory checkers the reverse is true, namely that when the write query complexity is small, the read query complexity must be large.
In this section, we give (weak) evidence that for adaptive memory checkers, the story may be more complicated.Explicitly, we give a generic transformation that turns any memory checker into one that has very efficient writes, at the expense of deferring the queries of those logical writes to subsequent logical reads.
Theorem 10. Assume there exist one-way functions. Suppose there is a binary memory checker for a logical memory of size n that has write query complexity q_w, read query complexity q_r, local space p, physical word size w, completeness c, soundness s, and public database size m. Then, there is a binary memory checker with secret state for a logical memory of size n supporting a fixed poly(n) number of queries with local space p + O(n^{1/10}), physical word size w + ω(log n), completeness c, soundness s + negl(n), and public database size m + poly(n), with the following query complexities:
• The write query complexity is 1, and
• The read query complexity is O(ℓ q_w + q_r), where ℓ denotes the number of consecutive logical writes immediately preceding the given logical read.
Proof. The idea for the construction is direct. The new memory checker M′ will run the old memory checker M, except that for each logical write, M′ will simply store the logical write instruction, authenticated, on a public stash (using one query). When the next logical read occurs, M′ will perform all of the writes recorded on the stash, reset the stash, and then perform the logical read. More specifically, for each logical write (i, data) ∈ [n] × {0, 1}, if this is the jth logical write since the last logical read, then M′ will write (i, data, PRF_k(j, i, data)) to a new public stash at index j ∈ [poly(n)], where PRF is a pseudorandom function with key size n^{1/10} and output length any ω(log n) (which we know exists assuming the existence of one-way functions). For each logical read i′ ∈ [n], M′ will first iterate over all non-empty locations j ∈ [poly(n)] of the stash with contents (i, data, σ), verify that σ = PRF_k(j, i, data), and perform logical write (i, data) according to M. After clearing the stash and sampling a fresh PRF key, M′ then performs logical read i′ according to M. The secret state of the memory checker consists of the PRF key k and the current counter j of consecutive logical writes since the last logical read.
The efficiency of M′ follows immediately from our construction, and completeness similarly follows. It remains to show soundness of M′. By PRF security, we may first replace the PRF with a truly random function, at the cost of an additive negl(n) loss. Next, since we sample a new key for each new logical read and since we always increment j when using the PRF, the probability that the adversary can pass the σ = PRF_k(j, i, data) check with an incorrect i or data is 1/2^{ω(log n)} = negl(n). Therefore, with 1 − negl(n) probability, M′ exactly runs M on the non-stash portion of public memory. Any soundness attack on M′ is therefore an attack on M as well with probability 1 − negl(n), so M′ is (s + negl(n))-sound.
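The write-deferring transformation above can be sketched in code. This is a minimal illustration, not the paper's construction verbatim: the inner checker M is modeled as a plain dictionary, and HMAC-SHA256 stands in for the PRF (the class name and interface are hypothetical).

```python
import hashlib
import hmac
import os

class DeferredWriteChecker:
    """Sketch of M': writes go to an authenticated public stash (one query
    each); the next read replays and verifies the stash, then reads via M."""

    def __init__(self, n):
        self.inner = {i: 0 for i in range(n)}  # stand-in for M's logical memory
        self.key = os.urandom(16)              # PRF key k (secret state)
        self.counter = 0                       # j: writes since last read
        self.stash = {}                        # public, untrusted stash

    def _tag(self, j, i, data):
        # PRF_k(j, i, data), instantiated with HMAC-SHA256 for illustration.
        msg = f"{j},{i},{data}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, i, data):
        # One physical write: (i, data, PRF_k(j, i, data)) at stash index j.
        j = self.counter
        self.stash[j] = (i, data, self._tag(j, i, data))
        self.counter += 1

    def read(self, i):
        # Replay every stashed write in order, verifying its tag first.
        for j in sorted(self.stash):
            idx, data, tag = self.stash[j]
            if not hmac.compare_digest(tag, self._tag(j, idx, data)):
                raise ValueError("reject: forged stash entry")
            self.inner[idx] = data             # deferred write, performed via M
        self.stash.clear()
        self.key = os.urandom(16)              # fresh PRF key after each read
        self.counter = 0
        return self.inner[i]
```

A read after ℓ consecutive writes replays ℓ stash entries and then reads, matching the O(ℓq_w + q_r) read complexity, while each write costs exactly one query.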
We now apply Theorem 10 to show that there is a regime in which writes can have query complexity O(1) while reads have query complexity O(log n/ log log n).
Corollary 7. Assume there exist one-way functions. Consider sequences of logical queries that have no more than O(1) consecutive writes. For such sequences, there is a binary memory checker with secret state for a logical memory of size n that has write query complexity q_w = 1, read query complexity q_r = O(log n/ log log n), local space O(n^{1/10}), physical word size polylog(n), completeness 1, and soundness negl(n).
Proof. We can directly apply the transformation of Theorem 10 to an O(log n/ log log n)-query-complexity memory checker with secret state, e.g., Theorem 2 of [PT11], with PRF key size O(n^{1/10}) and output length ω(log n).

4. Using DB_1 and st_1, apply Lemma 3 to the resulting distribution D to get [m] = H ⊔ M ⊔ L and j ∈ [c].

For i ∈ [n], let α_i denote the number of read indices j ∈ [n] such that W_i ∩ R_j ∩ L ≠ ∅. By the above argument and counting, we can bound Σ_{i∈[n]} α_i.

This gives Alice and Bob the public database DB_0 after these writes, as well as the local state st_0. (This can all be formalized by Alice and Bob sharing a sufficiently long uniformly random string and running the memory checker on that string.) Let π : [8n/10] → [n] correspond to some fixed ordering of I, i.e., π bijectively maps [8n/10] to I ⊆ [n].

Alice's Strategy
Shared by Alice and Bob: DB_0, st_0
Alice's Private Input: x
1. Using DB_0 and st_0, use the memory checker to write "1" to all indices in π(x) ⊆ [n].
this set. Since ∥x∥_0 = k, we have |W| ≤ kq_w. Define BAD := W ∩ (L ∪ M) = W \ H to be the set of locations that Alice wrote to that are not included in H. Equivalently, DB_1 and DB differ only at physical locations in BAD. (We emphasize that Bob does not know the set BAD.) Moreover, since π(x) ⊆ I, by construction of I, we know that W ∩ M = ∅. Therefore, BAD = W ∩ L.

Figure 8: This tree represents the construction of the memory checker in Theorem 7 with arity d = 2, n = 4 logical elements, and ℓ = ⌈log_d(n)⌉ + 1 = 3 levels. The four logical elements are data_00, data_01 ∈ {0,1}^{2dλ} (shown in the figure) and data_10, data_11 ∈ {0,1}^{2dλ} (not shown). Note that to recompute and check hashes in the tree, there is no need to read any siblings, so the query complexity for updating and checking the hashes is O(log_d n).
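The sibling-free update can be sketched as follows. This is an illustrative layout, not the paper's exact construction: each internal node stores the hashes of all d of its children, so updating a leaf rewrites one slot per node along the root-to-leaf path and never reads sibling data (the class name and interface are hypothetical, and SHA-256 stands in for the hash).

```python
import hashlib
import math

def _h(b):
    # Stand-in collision-resistant hash.
    return hashlib.sha256(b).digest()

class HashTree:
    """d-ary hash tree over n data blocks. Each internal node stores its
    children's hashes, so an update touches only the O(log_d n) path nodes."""

    def __init__(self, n, d):
        self.n, self.d = n, d
        self.levels = math.ceil(math.log(n, d)) + 1   # ℓ = ⌈log_d(n)⌉ + 1
        self.data = [b""] * n
        self.nodes = {}   # (level, index) -> list of d child hashes; level 0 = root
        self.root = _h(b"")

    def update(self, i, block):
        self.data[i] = block
        h = _h(block)
        # Walk up from leaf to root; at each node, overwrite the one child
        # slot that changed and rehash -- sibling data is never read.
        idx = i
        for level in range(self.levels - 2, -1, -1):
            parent, slot = divmod(idx, self.d)
            node = self.nodes.setdefault((level, parent), [_h(b"")] * self.d)
            node[slot] = h
            h = _h(b"".join(node))
            idx = parent
        self.root = h
```

Since each update overwrites exactly the changed slots along one path, the final root depends only on the current data, not on the order of updates.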