# Memory Checking for Parallel RAMs 

Surya Mathialagan<br>MIT

## Quick Overview

## Quick Overview

- We define a new notion of memory checking in the parallel RAM model.


## Quick Overview

- We define a new notion of memory checking in the parallel RAM model.
- We construct memory checkers for PRAMs matching the asymptotic efficiency of memory checkers for the RAM setting, while achieving optimal parallel depth.


## Quick Overview

- We define a new notion of memory checking in the parallel RAM model.
- We construct memory checkers for PRAMs matching the asymptotic efficiency of memory checkers for the RAM setting, while achieving optimal parallel depth.
- As an application, we construct maliciously secure Oblivious Parallel RAM with polylog overhead.


## Integrity of Cloud Servers



## Integrity of Cloud Servers



## Integrity of Cloud Servers



## Integrity of Cloud Servers



## Integrity of Cloud Servers



## Integrity of Cloud Servers



- How can a client use her small but trusted local memory to ensure that server is sending back correct responses?


## Integrity of Cloud Servers



- How can a client use her small but trusted local memory to ensure that server is sending back correct responses?
- Answer: Authentication


## Integrity of Cloud Servers



- How can a client use her small but trusted local memory to ensure that server is sending back correct responses?
- Answer: Authentication... if the database is static


## Integrity of Cloud Servers



## Integrity of Cloud Servers



- What if the database contents are dynamically updated?


## Integrity of Cloud Servers



- What if the database contents are dynamically updated?


## Integrity of Cloud Servers



- What if the database contents are dynamically updated?


## Integrity of Cloud Servers



- What if the database contents are dynamically updated?
- We want reads to correspond to most recent version! (i.e. data ${ }_{\text {new }}$ not data)


## Memory Checking

[Blum, Evans, Gemmel, Kannan, Naor '94]


## Memory Checking

[Blum, Evans, Gemmel, Kannan, Naor '94]


## Memory Checking

[Blum, Evans, Gemmel, Kannan, Naor '94]


## Memory Checking

[Blum, Evans, Gemmel, Kannan, Naor '94]


# Memory Checking 

[Blum, Evans, Gemmel, Kannan, Naor '94]


- Correctness: For any PPT malicious server, MC either aborts or gives correct (i.e. most recent version of address) responses.


## Memory Checking

[Blum, Evans, Gemmel, Kannan, Naor '94]


- Correctness: For any PPT malicious server, MC either aborts or gives correct (i.e. most recent version of address) responses.


## Memory Checking

[Blum, Evans, Gemmel, Kannan, Naor '94]


- Correctness: For any PPT malicious server, MC either aborts or gives correct (i.e. most recent version of address) responses.


## Memory Checking

[Blum, Evans, Gemmel, Kannan, Naor '94]


- Correctness: For any PPT malicious server, MC either aborts or gives correct (i.e. most recent version of address) responses.
- Completeness: If the server behaves honestly, MC doesn't abort.


## Multiple Users Sharing Memory



## Multiple Users Sharing Memory



- Examples


## Multiple Users Sharing Memory



- Examples
- Shared database across many clients


## Multiple Users Sharing Memory



- Examples
- Shared database across many clients
- CPUs with shared memory


## Multiple Users Sharing Memory



- Examples
- Shared database across many clients
- CPUs with shared memory
- Distributed computing


## Multiple Users Sharing Memory



- Examples
- Shared database across many clients
- CPUs with shared memory
- Distributed computing
- Integrity verification is very useful here too!


## More Modes of Failure!

Consider two concurrent writes:


## More Modes of Failure!

Consider two concurrent writes:


## More Modes of Failure!

Consider two concurrent writes:


## More Modes of Failure!

Consider two concurrent writes:


## More Modes of Failure!

Consider two concurrent writes:


## More Modes of Failure!

Consider two concurrent writes:


## More Modes of Failure!

Consider two concurrent writes:


This "branching" might happen even when the server makes an "honest mistake"!!


## More Modes of Failure!

Consider two concurrent writes:


This "branching" might happen even when the server makes an "honest mistake"!!


## Branching Timelines



From Marvel TV Series: Loki

## Branching Timelines



From Marvel TV Series: Loki

## Branching Timelines



## Our Definition

## Memory Checking for Parallel RAMs



## Memory Checking for Parallel RAMs



We now define a notion of memory checking for parallel RAMs.

## Memory Checking for Parallel RAMs



We now define a notion of memory checking for parallel RAMs.

Set-up phase:

## Memory Checking for Parallel RAMs



We now define a notion of memory checking for parallel RAMs.

Set-up phase:

- $\left\{M_{i}\right\}$ initialize their states together.


## Memory Checking for Parallel RAMs



We now define a notion of memory checking for parallel RAMs.

Set-up phase:
$\cdot\left\{M_{i}\right\}$ initialize their states together.
-No direct communication after (except through the server).

## Memory Checking for Parallel RAMs



We now define a notion of memory checking for parallel RAMs.

Set-up phase:
$\cdot\left\{M_{i}\right\}$ initialize their states together.
-No direct communication after (except through the server).

Note: It is possible that the clients have secure channels, but we want to make no assumptions.

## Memory Checking for Parallel RAMs



## Memory Checking for Parallel RAMs



- Correctness: All $\left\{M_{i}\right\}_{i}$ send back correct responses, or some $M_{j}$ aborts.


## Memory Checking for Parallel RAMs



- Correctness: All $\left\{M_{i}\right\}_{i}$ send back correct responses, or some $M_{j}$ aborts.
- All reads are correct


## Memory Checking for Parallel RAMs



- Correctness: All $\left\{M_{i}\right\}_{i}$ send back correct responses, or some $M_{j}$ aborts.
- All reads are correct
- Concurrent writes are tie-broken (arbitrarily chosen by server)


## Memory Checking for Parallel RAMs



## Memory Checking for Parallel RAMs



- Correctness: All $\left\{M_{i}\right\}_{i}$ send back correct responses, or some $M_{j}$ aborts.
- All reads are correct
- Concurrent writes are tie-broken (arbitrarily chosen by server)
- Completeness: No $M_{j}$ aborts if server is not malicious.


## Memory Checking for Parallel RAMs



## Memory Checking for Parallel RAMs



Efficiency metrics

## Memory Checking for Parallel RAMs



Efficiency metrics

- Local Space: Space per checker. This talk: $O(1)$ words $/ O(\lambda)$ bits.


## Memory Checking for Parallel RAMs



Efficiency metrics

- Local Space: Space per checker. This talk: $O(1)$ words $/ O(\lambda)$ bits.


## Memory Checking for Parallel RAMs



Efficiency metrics

- Local Space: Space per checker. This talk: $O(1)$ words $/ O(\lambda)$ bits.
- Server Space: Server storage size. This talk: $O(N)$ words.


## Memory Checking for Parallel RAMs



## Efficiency metrics

- Local Space: Space per checker. This talk: $O(1)$ words $/ O(\lambda)$ bits.
- Server Space: Server storage size. This talk: $O(N)$ words.


## Memory Checking for Parallel RAMs



Efficiency metrics

- Local Space: Space per checker. This talk: $O(1)$ words $/ O(\lambda)$ bits.
- Server Space: Server storage size. This talk: $O(N)$ words.
- Work blowup: Ratio of server accesses per underlying PRAM access.


## Memory Checking for Parallel RAMs



Efficiency metrics

- Local Space: Space per checker. This talk: $O(1)$ words $/ O(\lambda)$ bits.
- Server Space: Server storage size. This talk: $O(N)$ words.
- Work blowup: Ratio of server accesses per underlying PRAM access.


## Memory Checking for Parallel RAMs



## Efficiency metrics

- Local Space: Space per checker. This talk: $O(1)$ words $/ O(\lambda)$ bits.
- Server Space: Server storage size. This talk: $O(N)$ words.
- Work blowup: Ratio of server accesses per underlying PRAM access.
- Depth blowup: Number of parallel steps to support a single batch of requests.


## Memory Checking for Parallel RAMs



## Efficiency metrics

- Local Space: Space per checker. This talk: $O(1)$ words $/ O(\lambda)$ bits.
- Server Space: Server storage size. This talk: $O(N)$ words.
- Work blowup: Ratio of server accesses per underlying PRAM access.
- Depth blowup: Number of parallel steps to support a single batch of requests.


## Memory Checking for Parallel RAMs



## Efficiency metrics

- Local Space: Space per checker. This talk: $O(1)$ words $/ O(\lambda)$ bits.
- Server Space: Server storage size. This talk: $O(N)$ words.
- Work blowup: Ratio of server accesses per underlying PRAM access.
- Depth blowup: Number of parallel steps to support a single batch of requests.


## Our Results

## Our Results

## Our Results

[Blum-Evans-Gemmel-
Kannan-Naor '91]

- For RAM setting, the best constructions have $O(\log N)$ work blow-up. Lower bound of $\Omega(\log N / \log \log N)$ known for special cases.


## Our Results

[Blum-Evans-Gemmel-
Kannan-Naor '91]

- For RAM setting, the best constructions have $O(\log N)$ work blow-up. Lower bound of $\Omega(\log N / \log \log N)$ known for special cases.
[Dwork-Naor-RothblumVaikuntanathan '09]


## Our Results

- For RAM setting, the best constructions have $O(\log N)$ work blow-up. Lower bound of $\Omega(\log N / \log \log N)$ known for special cases.


## Our Results

- For RAM setting, the best constructions have $O(\log N)$ work blow-up. Lower bound of $\Omega(\log N / \log \log N)$ known for special cases.
- Immediately gives: $m$-CPU PRAM memory checker with $O(\log N)$ work blowup by serialising the algorithm. But $O(m \log N)$ depth blowup.


## Our Results

- For RAM setting, the best constructions have $O(\log N)$ work blow-up. Lower bound of $\Omega(\log N / \log \log N)$ known for special cases.
- Immediately gives: $m$-CPU PRAM memory checker with $O(\log N)$ work blowup by serialising the algorithm. But $O(m \log N)$ depth blowup.
- We show how to also obtain $O(\log N)$ depth.


## Our Results

- For RAM setting, the best constructions have $O(\log N)$ work blow-up. Lower bound of $\Omega(\log N / \log \log N)$ known for special cases.
- Immediately gives: $m$-CPU PRAM memory checker with $O(\log N)$ work blowup by serialising the algorithm. But $O(m \log N)$ depth blowup.
- We show how to also obtain $O(\log N)$ depth.

Theorem 1. Assuming OWFs, there exists a memory checking protocol for PRAM programs with $O(\log N)$ worst-case work and depth blowup.

## Our Results

- For RAM setting, the best constructions have $O(\log N)$ work blow-up. Lower bound of $\Omega(\log N / \log \log N)$ known for special cases.
- Immediately gives: $m$-CPU PRAM memory checker with $O(\log N)$ work blowup by serialising the algorithm. But $O(m \log N)$ depth blowup.
- We show how to also obtain $O(\log N)$ depth. $\begin{gathered}\text { Assumption is minimal } \\ \text { [Naor-Rothblum '05] }\end{gathered}$

Theorem 1. Assuming OWFs, there exists a memory checking protocol for PRAM programs with $O(\log N)$ worst-case work and depth blowup.

## Application to Oblivious Parallel RAM

- Oblivious Parallel RAMs (OPRAMs) are access-pattern hiding PRAM compilers.
[Boyle-Chung-Pass '16]


## Application to Oblivious Parallel RAM

- Oblivious Parallel RAMs (OPRAMs) are access-pattern hiding PRAM compilers.
[Boyle-Chung-Pass '16]
- A recent work constructed an honest-but-curious OPRAM constructions with $O(\log N)$ blowup in both work and depth. Optimal!


## Application to Oblivious Parallel RAM

- Oblivious Parallel RAMs (OPRAMs) are access-pattern hiding PRAM compilers. [Boyle-Chung-Pass '16]
- A recent work constructed an honest-but-curious OPRAM constructions with $O(\log N)$ blowup in both work and depth. Optimal!
- We obtain the first construction of maliciously secure OPRAM with polylogarithmic overhead.


## Application to Oblivious Parallel RAM

- Oblivious Parallel RAMs (OPRAMs) are access-pattern hiding PRAM compilers. [Boyle-Chung-Pass '16]
- A recent work constructed an honest-but-curious OPRAM constructions with $O(\log N)$ blowup in both work and depth. Optimal!
- We obtain the first construction of maliciously secure OPRAM with polylogarithmic overhead.

Theorem 2. Assuming OWFs, there exists an maliciously secure OPRAM compiler with $O\left(\log ^{2} N\right)$ work and depth blowup*.

## Our Results

Theorem 3. Assuming OWFs, there exists an offline memory checking protocol for PRAM programs with $O(1)$ amortised work and depth blowup.

## Our Results

Theorem 3. Assuming OWFs, there exists an offline memory checking protocol for PRAM programs with $O(1)$ amortised work and depth blowup.


Query phase: Answers can be wrong!
Repeat until clients say done.

## Our Results

Theorem 3. Assuming OWFs, there exists an offline memory checking protocol for PRAM programs with $O(1)$ amortised work and depth blowup.


Query phase: Answers can be wrong!
Repeat until clients say done.

## Our Results

Theorem 3. Assuming OWFs, there exists an offline memory checking protocol for PRAM programs with $O(1)$ amortised work and depth blowup.


Query phase: Answers can be wrong!
Repeat until clients say done.


Verification phase: Reports if all correct or some mistake.

## Our Results

Theorem 3. Assuming OWFs, there exists an offline memory checking protocol for PRAM programs with $O(1)$ amortised work and depth blowup.

## Our Results

Theorem 3. Assuming OWFs, there exists an offline memory checking protocol for PRAM programs with $O /$ ) amortised work and depth b

Checks if any mistake happened after

a large batch of concurrent requests

## Our Results

Theorem 3. Assuming OWFs, there exists an offline memory checking protocol for PRAM programs with $O(1)$ amortised work and depth blowup.

## Our Results

Theorem 3. Assuming OWFs, there exists an offline memory checking protocol for PRAM programs with $O(1)$ amortised work and depth blowup.

- Idea: Adapt the counting technique from a previous work [M.-Vafa '23]


## Our Results

Theorem 3. Assuming OWFs, there exists an offline memory checking protocol for PRAM programs with $O(1)$ amortised work and depth blowup.

- Idea: Adapt the counting technique from a previous work [M.-Vafa '23]
- Memory checkers maintain local counters $T_{i}$ of the number of updates.


## Our Results

Theorem 3. Assuming OWFs, there exists an offline memory checking protocol for PRAM programs with $O(1)$ amortised work and depth blowup.

- Idea: Adapt the counting technique from a previous work [M.-Vafa '23]
- Memory checkers maintain local counters $T_{i}$ of the number of updates.
- Every database entry is tagged with counters $\mathrm{ctr}_{i}$


## Our Results

Theorem 3. Assuming OWFs, there exists an offline memory checking protocol for PRAM programs with $O(1)$ amortised work and depth blowup.

- Idea: Adapt the counting technique from a previous work [M.-Vafa '23]
- Memory checkers maintain local counters $T_{i}$ of the number of updates.
- Every database entry is tagged with counters $\mathrm{ctr}_{i}$
- Verification phase: Check if $\sum_{i} \operatorname{ctr}_{i}=\sum_{j} T_{j}$.


## New: Offline-Checking for PRAMs



$\operatorname{ctr}_{i}:$ \#times $D[i]$ updated<br>$T_{i}$ : \#times $M_{i}$ wrote


write(4, data $_{1}$ )

write(4, data $_{2}$ )

write(4, data $_{3}$ )

## New: Offline-Checking for PRAMs



## New: Offline-Checking for PRAMs



## New: Offline-Checking for PRAMs



## New: Offline-Checking for PRAMs



## New: Offline-Checking for PRAMs



## Issue 1: Spoofing Attack



## Issue 1: Spoofing Attack



## Issue 1: Spoofing Attack



## Issue 2: Branching attack



## Issue 2: Branching attack



## Issue 2: Branching attack



## Issue 2: Branching attack



## Issue 2: Branching attack



## Open Problems

## Open Problems

- Can we obtain a statistically secure offline memory checker for CRCW programs with $O(1)$ amortised overhead?


## Open Problems

- Can we obtain a statistically secure offline memory checker for CRCW programs with $O(1)$ amortised overhead?
- Known for single RAM setting, and we show for PRAM setting without concurrent read/writes.


## Open Problems

- Can we obtain a statistically secure offline memory checker for CRCW programs with $O(1)$ amortised overhead?
- Known for single RAM setting, and we show for PRAM setting without concurrent read/writes.
- Can we use these memory checkers to obtain an optimal maliciously secure OPRAM with $O(\log N)$ work and depth blow-up?


## Open Problems

- Can we obtain a statistically secure offline memory checker for CRCW programs with $O(1)$ amortised overhead?
- Known for single RAM setting, and we show for PRAM setting without concurrent read/writes.
- Can we use these memory checkers to obtain an optimal maliciously secure OPRAM with $O(\log N)$ work and depth blow-up?
- [M-Vafa '23] shows an $O(\log N)$ maliciously secure ORAM construction by interleaving offline and online memory checking.


## Open Problems

- Can we obtain a statistically secure offline memory checker for CRCW programs with $O(1)$ amortised overhead?
- Known for single RAM setting, and we show for PRAM setting without concurrent read/writes.
- Can we use these memory checkers to obtain an optimal maliciously secure OPRAM with $O(\log N)$ work and depth blow-up?
- [M-Vafa '23] shows an $O(\log N)$ maliciously secure ORAM construction by interleaving offline and online memory checking.
- Can we do the same?

Bonus Slides

## CRCW Parallel RAM Model



## CRCW Parallel RAM Model

- PRAM: Multiple CPUs accessing shared memory

$m$ Clients
Database of size $N$


## CRCW Parallel RAM Model



## CRCW Parallel RAM Model



## CRCW Parallel RAM Model



## CRCW Parallel RAM Model



- PRAM: Multiple CPUs accessing shared memory
- CRCW Model: $\underline{\text { Concurrent }}$ Read Concurrent Write
- Concurrent reads to any location are allowed.


## CRCW Parallel RAM Model



- PRAM: Multiple CPUs accessing shared memory
- CRCW Model: $\underline{\text { Concurrent }}$ Read Concurrent Write
- Concurrent reads to any location are allowed.


## CRCW Parallel RAM Model



- PRAM: Multiple CPUs accessing shared memory
- CRCW Model: Concurrent Read Concurrent Write
- Concurrent reads to any location are allowed.


## CRCW Parallel RAM Model



- PRAM: Multiple CPUs accessing shared memory
- CRCW Model: Concurrent Read Concurrent Write
- Concurrent reads to any location are allowed.
- Concurrent writes to any location are arbitrarily tiebroken.


## CRCW Parallel RAM Model



- PRAM: Multiple CPUs accessing shared memory
- CRCW Model: Concurrent Read Concurrent Write
- Concurrent reads to any location are allowed.
- Concurrent writes to any location are arbitrarily tiebroken.


## CRCW Parallel RAM Model



- PRAM: Multiple CPUs accessing shared memory
- CRCW Model: Concurrent Read Concurrent Write
- Concurrent reads to any location are allowed.
- Concurrent writes to any location are arbitrarily tiebroken.


## CRCW Parallel RAM Model



- PRAM: Multiple CPUs accessing shared memory
- CRCW Model: $\underline{\text { Concurrent }}$ Read Concurrent Write
- Concurrent reads to any location are allowed.
- Concurrent writes to any location are arbitrarily tiebroken.


## CRCW Parallel RAM Model



- PRAM: Multiple CPUs accessing shared memory
- CRCW Model: $\underline{\text { Concurrent }}$ Read Concurrent Write
- Concurrent reads to any location are allowed.
- Concurrent writes to any location are arbitrarily tiebroken.
- Note: Not every client has to perform an operation.


## CRCW Parallel RAM Model



## CRCW Parallel RAM Model



## CRCW Parallel RAM Model



- PRAM: Multiple CPUs accessing shared memory
- CRCW Model: $\underline{C} o n c u r r e n t ~ \underline{R e a d ~} \underline{\text { Concurrent }}$ Write
- Concurrent reads to any location are allowed.
- Concurrent writes to any location are arbitrarily tiebroken.
- Note: Not every client has to perform an operation.
- Two efficiency metrics for PRAM algorithms:
- Work: Number of read/write operations
- Depth: Number of parallel steps


## Idea: Compose ORAM and MC

$m$ Clients


OPRAM

Database of
size $N$


## Idea: Compose ORAM and MC



## Idea: Compose ORAM and MC



## Idea: Compose ORAM and MC



## Idea: Compose ORAM and MC



## Idea: Compose ORAM and MC



## Idea: Compose ORAM and MC



## Idea: Compose ORAM and MC



## Idea: Compose ORAM and MC



## Idea: Compose ORAM and MC



- MC ensures all responses to OPRAM are correct.


## Idea: Compose ORAM and MC



## Idea: Compose ORAM and MC



## Idea: Compose ORAM and MC



## Offline-Checking for RAMs

[Blum, Evans, Gemmel, Kannan, Naor '94], this construction is based on [M, Vafa `23]
$D[1] \quad D[2] \quad D[3] \quad D[4] \quad D[5] \quad D[6] \quad D[8]$

## Offline-Checking for RAMs

[Blum, Evans, Gemmel, Kannan, Naor '94], this construction is based on [M, Vafa `23]


## Offline-Checking for RAMs

[Blum, Evans, Gemmel, Kannan, Naor '94], this construction is based on [M, Vafa `23]


- For entry $D[i]$, let $\operatorname{ctr}_{i}=$ number of times location $i$ was read or written to. Initialise to 0 .


## Offline-Checking for RAMs

[Blum, Evans, Gemmel, Kannan, Naor '94], this construction is based on [M, Vafa `23]


- For entry $D[i]$, let $\operatorname{ctr}_{i}=$ number of times location $i$ was read or written to. Initialise to 0 .
- Memory checker local stores a counter $T$ initialised to 0 .


## Offline-Checking for RAMs

[Blum, Evans, Gemmel, Kannan, Naor '94], this construction is based on [M, Vafa `23]


- For entry $D[i]$, let $\operatorname{ctr}_{i}=$ number of times location $i$ was read or written to. Initialise to 0 .
- Memory checker local stores a counter $T$ initialised to 0 .
- For every access to $D[i]$, increment $T$ locally, and increment $\operatorname{ctr}_{i}$.


## Dffinem@

[Blum, Evans, Gemmel, Kannan, Naor '94], this construction is based on [M, Vafa `23]


- For entry $D[i]$, let $\operatorname{ctr}_{i}=$ number of times location $i$ was read or written to. Initialise to 0 .
- Memory checker local stores a counter $T$ initialised to 0 .
- For every access to $D[i]$, increment $T$ locally, and increment $\operatorname{ctr}_{i}$.
- At the end, the memory checker iterates over the array and verifies $\sum_{i} \operatorname{ctr}_{i}=T$.


## Offline-Checking for RAMs

[Blum, Evans, Gemmel, Kannan, Naor '94], this construction is based on [M, Vafa `23]


- For entry $D[i]$, let $\operatorname{ctr}_{i}=$ number of times location $i$ was
- Memory checker local stores a counter $T$ initialised to 0 .
- For every access to $D[i]$, increment $T$ locally, and incren

Idea: Let $t_{i}$ be the number of times $D[i]$ was actually accessed.

$$
\sum_{i} \operatorname{ctr}_{i} \leq \sum_{i} t_{i}=T
$$

where equality holds iff there was no replay attack.
. At the end, the memory checker iterates over the array and verifies $\sum \operatorname{ctr}_{i}=T$.

## New: Offline-Checking for PRAMs



## New: Offline-Checking for PRAMs



## New: Offline-Checking for PRAMs



- As before: Initialise all entries with $\operatorname{ctr}_{i}=0$ and authenticate all entries.
- Each $M_{i}$ keeps a local count $T_{i}$.


## New: Offline-Checking for PRAMs



## New: Offline-Checking for PRAMs



## New: Offline-Checking for PRAMs



Idea: Want to maintain

$$
\sum_{i} \operatorname{ctr}_{i} \leq \sum_{j} T_{j}
$$

where equality holds iff server acts honestly


## New: Offline-Checking for PRAMs


write(4, data $_{2}$ )


## New: Offline-Checking for PRAMs



## New: Offline-Checking for PRAMs



## New: Offline-Checking for PRAMs



## New: Offline-Checking for PRAMs



## New: Offline-Checking for PRAMs



