Tradeoff Cryptanalysis of Memory-Hard Functions
Abstract
We explore time-memory and other tradeoffs for memory-hard functions, which are supposed to impose significant computational and time penalties if less memory is used than intended. We analyze three finalists of the Password Hashing Competition: Catena, which was presented at Asiacrypt 2014, yescrypt and Lyra2.
We demonstrate that Catena’s proof of tradeoff resilience is flawed, and attack it with a novel precomputation tradeoff. We show that using \(M^{4/5}\) memory instead of M we have no time penalties and reduce the AT cost by the factor of 25. We further generalize our method for a wide class of schemes with predictable memory access. For a wide class of data-dependent schemes, which addresses memory unpredictably, we develop a novel ranking tradeoff and show how to decrease the time-memory and the time-area product by significant factors. We then apply our method to yescrypt and Lyra2 also exploiting the iterative structure of their internal compression functions.
The designers confirmed our attacks and responded by adding a new mode for Catena and tweaking Lyra2.
Keywords
Password hashing, Memory-hard, Catena, Tradeoff, Cryptocurrency, Proof-of-work
1 Introduction
Memory-hard functions are a fast emerging trend which has become a popular remedy to the hardware-equipped adversaries in various applications: cryptocurrencies, password hashing, key derivation, and more generic Proof-of-Work constructions. It was motivated by the rise of various attack techniques, which can be commonly described as optimized exhaustive search. In cryptocurrencies, the hardware arms race made the Bitcoin mining [29] on regular desktops tremendously inefficient, as the best mining rigs spend 30,000 times less energy per hash than x86-desktops/laptops^{1}. This causes major centralization of the mining efforts which goes against the democratic philosophy behind the Bitcoin design. This in turn prevents wide adoption and use of such cryptocurrency in economy, limiting the current activities in this area to mining and hoarding, with negative effects on the price. Restoring the ability of CPU or GPU mining by the use of memory-hard proof-of-work functions may have dramatic effect on cryptocurrency adoption and use in economy, for example as a form of decentralized micropayments [15]. In password hashing, numerous leaks of hash databases triggered the wide use of GPUs [3, 34], FPGAs [27] for password cracking with a dictionary. In this context, constructions that intensively use a lot of memory seem to be a countermeasure. The reasons are that memory operations have very high latency on GPU and that the memory chips are quite large and thus expensive on FPGA and ASIC environments compared to a logic core, which computes, e.g. a regular hash function.
Memory-intensive schemes, which bound the memory bandwidth only, were suggested earlier by Burrows et al. [8] and Dwork et al. [17] in the context of spam countermeasures. It was quickly realized that to be a real countermeasure, the amount of memory shall also be bounded [18], so that memory must not be easily traded for computations, time, or other resources that are cheaper on certain architecture. Schemes that are resilient to such tradeoffs are called memory-hard [21, 30]. In fact, the constructions in [18] are so strong that even tiny memory reduction results in a huge computational penalty.
Disadvantage of Classical Constructions and New Schemes. The provably tradeoff-resilient superconcentrators [32] and their applications in [18, 19] have serious performance problems. They are terribly slow for modern memory sizes. A superconcentrator requiring N blocks of memory makes \(O(N\log N)\) calls to F. As a result, filling, e.g., 1 GB of RAM with 256-bit blocks would require dozens of calls to F per block (\(C\log N\) calls for some constant C). This would take several minutes even with lightweight F and is thus intolerable for most applications like web authentication or cryptocurrencies. Using less memory, e.g., several megabytes, does not effectively prohibit hardware adversaries.
This has been an open challenge to construct a reasonably fast and tradeoff-resilient scheme. Since the seminal paper by Dwork et al. [18] the first important step was made by Percival, who suggested scrypt [30]. The idea of scrypt was quite simple: fill the memory by an iterative hash function and then make a pseudo-random walk on the blocks using the block value as an address for the next step. However, the entire design is somewhat sophisticated, as it employs a stack of subfunctions and a number of different crypto primitives. Under certain assumptions, Percival proved that the time-memory product is lower bounded by some constant. The scrypt function is used inside cryptocurrency Litecoin [4] with 128 KB memory parameter and is now adapted as an IETF standard for key-derivation [5]. scrypt is a notable example of data-dependent schemes where the memory access pattern depends on the input, and this property enabled Percival to prove some lower bound on adversary’s costs. However, the performance and/or the tradeoff resilience of scrypt are apparently not sufficient to discourage hardware mining: the Litecoin ASIC miners are more efficient than CPU miners by the factor of 100 [1].
The need for even faster, simpler, and possibly more tradeoff-resilient constructions was further emphasized by the ongoing Password Hashing Competition [2], which has recently selected 9 finalists out of the 24 original submissions. Notable entries are Catena [20], just presented at Asiacrypt 2014 with a security proof based on [26], and yescrypt and Lyra2 [25], which both claim performance up to 1 GB/sec and which were quickly adapted within a cryptocurrency proof-of-work [7]. The tradeoff resilience of these constructions has not been challenged so far. It is also unclear how possible tradeoffs would translate to the cost
Our Contributions. We present a rigorous approach and a reference model to estimate the amortized costs of password brute-force on special hardware using full-memory algorithms or time-space tradeoffs. We show how to evaluate the adversary’s gains in terms of area-time and time-memory products via computational complexity and latency of the algorithm.
Then we present our tradeoff attacks on the last versions of Catena and yescrypt, and the original version of Lyra2. Then we generalize them to wide classes of data-dependent and data-independent schemes. For Catena we analyze the faster Dragonfly mode and show that the original security proof for it is flawed and the computation-memory product can be kept constant while reducing the memory. For ASIC-equipped adversaries we show how to reduce the area-time product (abbreviated further by AT) by the factor of 25 under reasonable assumptions on the architecture. The attack algorithm is then generalized for a wide class of data-independent schemes as a precomputation method.
Then we consider data-dependent schemes and present the first generic tradeoff strategy for them, which we call the ranking method. Our method easily applies to yescrypt and then to the second phase of Lyra2, both taken with minimally secure time parameters. We further exploit the incomplete diffusion in the core primitives of these designs, which reduces the time-memory and time-area products for both designs.
Our tradeoff gains on Catena, yescrypt and Lyra2 with minimal secure parameters, \(2^{30}\) memory bytes and reference hardware implementations (Sect. 2). TM loss is the maximal factor by which we can reduce the time-memory product compared to the full-memory implementation. AT loss is the maximal factor for time-area product reduction. Compactness of TM and AT is the maximal memory reduction factor which does not increase the TM or AT, resp., compared to the default implementation.
Related Work. So far there have been only a few attempts to develop tradeoff attacks on memory-hard functions. A simple tradeoff for scrypt has been known in folklore and was recently formalized in [20]. Alwen and Serbinenko analyzed a simplified version of Catena in [9]. Designers of Lyra2 and Catena attempted to attack their own designs in the original submissions [20, 25]. Simple analysis of Catena has been made in [16].
Paper Outline. We introduce necessary definitions and metrics in Sect. 2. We attack Catena-Dragonfly in Sect. 3 and generalize this method in Sect. 4. Then we present a generic ranking algorithm for data-dependent schemes in Sect. 5 and attack yescrypt with this method in Sect. 6. The attack on Lyra2 is quite sophisticated and we leave it for Appendix A.
2 Preliminaries
2.1 Syntax
We say that the function makes p passes over the memory, if \(T = pM\). Usually p and M are tunable parameters which are responsible for the total running time and the memory requirements, respectively.
2.2 Time-Space Tradeoff
Let \(\mathcal {A}\) be an algorithm that computes \(\mathcal {G}\). The computational complexity \(C(\mathcal {A})\) is the total number of calls to F and \(f_i\) by \(\mathcal {A}\), averaged over all inputs to \(\mathcal {G}\). We do not consider possible complexity amortization over successive calls to \(\mathcal {A}\). The space complexity \(S(\mathcal {A})\) is the peak number of blocks (or their equivalents) stored by \(\mathcal {A}\), again averaged over all inputs to \(\mathcal {G}\). Suppose that \(\mathcal {A}\) can be represented as a directed acyclic graph with vertices being calls to F. Then the latency \(L(\mathcal {A})\) is the length of the longest chain in the graph from the input to the output. Therefore, \(L(\mathcal {A})\) is the minimum time needed to run \(\mathcal {A}\) assuming unlimited parallelism and instant memory access.
A straightforward implementation of the scheme (1) results in an algorithm with computational complexity T and latency \(L=T\) and space complexity M. However, it might be possible to compute \(\mathcal {G}\) using less memory. According to [24], any function that is described by Eq. (1) and whose reference block indices \(\phi _j(i)\) are known in advance can be computed using \(c_k\frac{T}{\log T}\) memory blocks for some constant \(c_k\) depending on the number k of input blocks for F. Therefore, any p-pass function can be computed using less than \(M=T/p\) memory for sufficiently large M.
2.3 Attackers and Cost Estimates
We consider the following attack. Suppose that \(\mathcal {G}\) with time and memory parameters (T, M) is used as a password hashing function with \(I=(P,S)\), where P is a secret password and S is a public salt. An attacker gets H and S (e.g., from a database leak) and tries to recover P. He attempts a dictionary attack: given a list L of most probable passwords, he runs \(\mathcal {G}\) on every \(P\in L\) and checks the output.
Definition 1
In other words, \(\mathcal {G}_{T,M}\) can not be computed cheaper than by the factor of \(\frac{1}{\alpha }\).
The cost function is more difficult to determine. We suggest evaluating amortized computing costs for a single password trial. Depending on the architecture, the costs vary significantly for the same algorithm \(\mathcal {A}\). For the ASIC-equipped attackers, who can use parallel computing cores, it is widely suggested that the costs can be approximated by the time-area product \(\mathrm {AT}\) [9, 11, 28, 35]. Here T is the time complexity of the used algorithm and A is the sum of areas needed to implement the memory cells and the area needed to implement the cores. Let the area needed to implement one block of memory be the unit of area measurement. Then in order to know the total area, we need the core-memory ratio \(R_c\), which is how many memory blocks we can place on the area taken by one core.
Then the core-memory ratio is \(\frac{2^{24} \cdot 0.1}{550} \approx 3000\). For more lightweight hash functions this ratio will be smaller.
In our tradeoff attacks, we are mainly interested in comparing the AT and TM costs of \(B_q\) with those of the default algorithm \(\mathcal {A}\). Thus we define the AT ratio of \(B_q\) as \(\frac{\mathrm {AT}_{B_q}}{\mathrm {AT}_{\mathcal {A}}}\), and the TM ratio of \(B_q\) as \(\frac{\mathrm {TM}_{B_q}}{\mathrm {TM}_{\mathcal {A}}}\).
We note that for the same \(\mathrm {TM}\) value the implementation with less memory is preferable, as its design and production will be cheaper. Thus we explore how much the memory can be reduced keeping the AT or TM costs below those of the default algorithm.
Definition 2
For the concrete schemes we take “minimally secure” values of T, i.e. those that are supposed to have \((\alpha ,\varPhi )\)-security for reasonably high \(\alpha \). Unfortunately, no explicit security claim of this kind is present in the design documents of the functions we consider.
Data-Dependent and Data-Independent Schemes. The existing schemes can be categorized according to the way they access memory. The data-independent schemes Catena [20], Pomelo [36], Argon2i [13] compute \(\phi (j)\) independently of the actual password in order to avoid timing attacks like in [33]. Then the algorithm \(\mathcal {B}\) that uses less memory can recompute the missing blocks just by the time they are requested. Therefore, it has the same latency as the full-memory algorithm, i.e. \(L(\mathcal {B}) = L_0\). For these algorithms the time-memory product can be arbitrarily small, and the minimum \(\mathrm {AT}\) value is determined by the core-memory ratio.
The data-dependent schemes scrypt [30], yescrypt [31], Argon2d [13] compute \(\phi (j)\) using the just computed block: \( \phi (j) = \phi (j,X_{i_{j-1}})\). Then precomputation is impossible, and for each recomputing block the latency is increased by the latency of the recomputation algorithm, so \(L_q>L_0\). There exist hybrid schemes [25], which first run a data-independent phase and then a data-dependent one.
3 Cryptanalysis of Catena-Dragonfly
3.1 Description
Short History. Catena was first published on ePrint [20] and then submitted to the Password Hashing Competition. Eventually the paper was accepted to Asiacrypt 2014 [21]. In the middle of the reviewing process, we discovered and communicated the first attack on Catena to the authors. The authors have introduced a new mode for Catena in the camera-ready version of the Asiacrypt paper, which is resistant to the first attack. The final version of Catena, which is the finalist of the Password Hashing Competition, contains two modes: Catena-Dragonfly (which we abbreviate to Catena-D), which is an extension to the original Catena, and Catena-Butterfly, which is a new mode advertised as tradeoff-resistant. In this paper we present the attack on Catena-Dragonfly, which is very similar to the first attack on Catena.
Specification. Catena-D is essentially a mode of operation over the hash function F, which is instantiated by Blake2b [10] in the full or reduced-round version. The functional graph of Catena-D is determined by the time parameter \(\lambda \) (values \(\lambda =1,2\) are recommended) and the memory parameter n, and can be viewed as \((\lambda +1)\)-layer graph with \(2^n\) vertices in each layer (denoted by Catena-D-\(\lambda \)). We denote the X-th vertex in layer l (both count from 0) by \([X]^l\). With each vertex we associate the corresponding output of the hash function F and denote it by \([X^l]\) as well. The outputs are stored in the memory, and due to the memory access pattern it is sufficient to store only \(2^n\) blocks at each moment. The hash function H has 512-bit output, so the total memory requirements are \(2^{n+6}\) bytes.

\([0]^0 = G_1(P,S)\), where \(G_1\) invokes 3 calls to F;

\([1]^0 = G_2(P,S)\), where \(G_2\) invokes 3 calls to F;

\([i]^0 \leftarrow F([{i-1}]^0,[{i-2}]^0),\; 2\le i \le 2^n-1\).
Then \(2^{3n/4}\) nodes of the first layer are modified by function \(\varGamma \). The details of \(\varGamma \) are irrelevant to our attack.

\([0]^j = F([0]^{j-1}\,||\,[{2^n-1}]^{j-1})\);

\([i]^j = F([{i-1}]^j\,||\,[{\nu ({i})}]^{j-1})\).
Thus to compute \([X]^l\) we need \([\nu ({X})^{l-1}]\). The latter can be then overwritten^{5}. An example of Catena-D with \(\lambda =2\) and \(n=3\) is shown at Fig. 1.
In the further text we demonstrate a tradeoff attack yielding much smaller penalties than Eq. (5) and thus asymptotically violating Eq. (6).
3.2 Our Tradeoff Attack on Catena-D
On other architectures the \(\mathrm {AT}\) may drop even further, and we expect that an adversary would choose the one that maximizes the tradeoff effect, so the actual impact of our attack can be even higher.
3.3 Other Results for Catena
Our attack on Catena can be further scrutinized and generalized to non-even segments. More details are provided in [14] with the summary given in Table 2.
Computation-memory tradeoff for Catena-D-3 and Catena-D-4.
4 Generic Precomputation Tradeoff Attack
The crucial property of the data-independent attacks is that they can be tested and tuned offline, without hashing any real password. An attacker may spend significant time to search for an optimal tradeoff strategy, since it would then apply to the whole set of passwords hashed with this scheme.

Store the first \(T_1\) computed blocks and the last \(T_2\) computed blocks for some \(T_1,T_2\) (usually about N / q).

Keep the list \(\mathcal {L}\) of the most expensive blocks to recompute and store M[i] if \(\phi (i)\in \mathcal {L}\) (Fig. 2).
5 Generic Ranking Tradeoff Attack
Our tradeoff strategy is the following: we compute the blocks sequentially and for each block X[i] decide if we store it or not. If we do not store it, we calculate its access complexity A(i) – the number of calls needed to recompute it as a sum of access complexities of \(X[i-1]\) and \(X[r_i]\) plus one. If we store X[i], its access complexity is 0.
The storing heuristic rule is the crucial element of our strategy. The idea is to store the block if \(A(r_i)\) is too high.
Computational, latency, AT (for \(R_c=3000\) and \(M=2^{24}\)), and TM penalties for the ranking tradeoff attack on generic data-dependent schemes.

| Memory fraction (1/q) | \(\frac{1}{2}\) | \(\frac{1}{3}\) | \(\frac{1}{4}\) | \(\frac{1}{5}\) | \(\frac{1}{6}\) | \(\frac{1}{7}\) | \(\frac{1}{8}\) | \(\frac{1}{9}\) | \(\frac{1}{10}\) |
|---|---|---|---|---|---|---|---|---|---|
| Computation penalty CP(q) | 1.59 | 2.98 | 7.3 | 16.6 | 57.5 | 180 | 635 | 3340 | \(2^{13.2}\) |
| Latency penalty LP(q) | 1.56 | 2.55 | 4 | 5.8 | 8.7 | 11.6 | 15.4 | 21.1 | 24.8 |
| AT ratio | 0.78 | 0.85 | 1.02 | 1.16 | 1.45 | 1.69 | 2.04 | 2.97 | 4.24 |
| TM ratio | 0.78 | 0.85 | 1.02 | 1.16 | 1.45 | 1.65 | 1.9 | 2.34 | 2.48 |
| Segment length s | 3 | 5 | 8 | 10 | 13 | 16 | 18 | 21 | 23 |
| Window size \(\frac{w}{M}\) | 0.06 | 0.01 | 0.01 | 0 | 0 | 0 | 0 | 0 | 0 |

We conclude that generic 1-pass data-dependent schemes with random addressing are (0.75, AT)- and (0.75, TM)-secure using our ranking method. Both AT and TM ratios exceed 1 when \(q\ge 4\), so both the AT- and the TM-compactness is about 4.
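The ranking strategy of this section can be simulated using only the access-complexity recursion, which is useful when estimating how much recomputation a given memory reduction costs an adversary. The sketch below is an added example, not the authors' code: the function name, the fixed `threshold` storing rule, the uniformly random references \(r_i\) and the depth bookkeeping used for latency are assumptions, and it does not reproduce the tuned figures of the table above.

```python
import random


def ranking_tradeoff(n, threshold, seed=2015):
    """Simulate one pass X[i] = F(X[i-1], X[r_i]) under a ranking-style rule.

    Assumptions of this sketch (not taken from the paper's implementation):
      * r_i is drawn uniformly from [0, i); a real data-dependent scheme
        derives it from X[i-1], which behaves the same way for cost purposes;
      * X[i] is stored when A(r_i) > threshold, otherwise it is dropped;
      * latency is counted as the depth of the recomputation tree.
    Returns the stored memory fraction and the computation/latency penalties
    relative to the full-memory algorithm (n calls, latency n).
    """
    rng = random.Random(seed)
    access = [0] * n   # A(i): calls to F needed to recompute X[i]; 0 if stored
    depth = [0] * n    # depth of the recomputation tree of X[i]; 0 if stored
    stored = 1         # X[0] is always kept
    calls = 1          # the call that produces X[0]
    latency = 1
    for i in range(1, n):
        r = rng.randrange(i)
        # X[i-1] has just been computed and is at hand; X[r] must be
        # recomputed if it was dropped, costing A(r) calls and depth(r) time.
        calls += 1 + access[r]
        latency += 1 + depth[r]
        if access[r] > threshold:
            stored += 1    # keep X[i]; its access complexity stays 0
        else:
            # A(i) = A(i-1) + A(r_i) + 1, as defined in the text
            access[i] = access[i - 1] + access[r] + 1
            depth[i] = max(depth[i - 1], depth[r]) + 1
    return {
        "memory_fraction": stored / n,
        "computation_penalty": calls / n,
        "latency_penalty": latency / n,
    }


if __name__ == "__main__":
    # Constructed parameters: 2^14 blocks, a range of thresholds.
    for t in (-1, 0, 4, 16, 64, 256):
        res = ranking_tradeoff(1 << 14, t)
        print(f"threshold={t:4d}  memory={res['memory_fraction']:.3f}  "
              f"CP={res['computation_penalty']:.2f}  "
              f"LP={res['latency_penalty']:.2f}")
```

A threshold of -1 stores every block and gives the full-memory baseline; raising the threshold lowers the stored fraction while the computation penalty grows faster than the latency penalty, the same qualitative gap the table shows between CP(q) and LP(q).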
6 Cryptanalysis of yescrypt
6.1 Description
yescrypt [31] is another PHC finalist, which is built upon scrypt and is notable for its high memory filling rate (up to 2 GB/sec) and a number of features, which includes custom S-boxes to thwart exhaustive search on GPU, multiplicative chains to increase the ASIC latency, and some others. yescrypt is essentially a family of functions, each member activated by a combination of flags. Due to the page limits, we consider only one function of the family.

Blocks are partitioned into 16 64-byte subblocks \(B_0, B_1,\ldots ,B_{15}\).
New blocks are produced sequentially:
$$\begin{aligned} B_{0}^{new}&\leftarrow f(B_{0}^{old}\oplus B_{15}^{old});\\ B_{i}^{new}&\leftarrow f(B_{i-1}^{new}\oplus B_{i}^{old}),\; 0 <i<16. \end{aligned}$$
The details of f are irrelevant to our attack.
6.2 Tradeoff Attack on yescrypt
Our crucial observation is that there is no diffusion from the last subblocks to the first ones. Thus if we store all \(B_0\), we break the dependencies between consecutive blocks and the subblocks can be recomputed from \(B_1\) to \(B_{15}\) with pipelining (Fig. 5). Suppose that the block X[i] is computed with latency L(i), i.e. its computation tree has L(i) levels if measured in F. However, if we consider the tree of f, then the actual latency of X[i] is \(L(i)+15\) instead of the expected 16L(i) if measured in calls to f.
If the missing block is recomputed by a tree of depth D, then the latency of the new block is \(D+16\) measured in calls to f, or \(\frac{D}{16}+1\) if measured in calls to F. This number should be compared to the latency \(D+1\) if we had not exploited the iterative structure of F. Thus if the ranking method gives the total latency L (measured in F), the actual latency should be \(\frac{L+15}{16}\).
Computational, latency, AT (for \(R_c=3000\) and \(M=2^{24}\)), and TM penalties for the ranking tradeoff attack on yescrypt mode of operation with 4/3 passes, using the iterative structure of F.

| Memory | 1 | \(\frac{1}{2}\) | \(\frac{1}{3}\) | \(\frac{1}{4}\) | \(\frac{1}{5}\) | \(\frac{1}{6}\) | \(\frac{1}{7}\) | \(\frac{1}{8}\) |
|---|---|---|---|---|---|---|---|---|
| Computation penalty CP(q) | 1 | 2.9 | 26 | 1135 | \(2^{19}\) | | | |
| Latency penalty LP(q) | 1 | 1.1 | 1.4 | 2 | 3.5 | 6.3 | 11.1 | 17.5 |
| TM ratio | 1 | 0.55 | 0.47 | 0.5 | 0.75 | 1.05 | 1.59 | 2.19 |
| AT ratio | 1 | 0.55 | 0.46 | 0.7 | 95 | | | |

7 Future Work

Application of our methods to other PHC candidates and finalists: Pomelo [36] and the modified Lyra2.

Set of design criteria for the indexing functions that would withstand our attacks.

New methods that directly target schemes that make multiple passes over memory or use parallel cores.

Design a set of tools that helps to choose a proof-of-work instance in various applications: cryptocurrencies, proofs of space, etc.
8 Conclusion
Tradeoff cryptanalysis of memory-hard functions is a young, relatively unexplored and complex area of research combining cryptanalytic techniques with understanding of implementation aspects and hardware constraints. It has direct real-world impact since its results can be immediately used in the ongoing arms race of mining hardware for the cryptocurrencies.
In this paper we have analyzed memory-hard functions Catena-Dragonfly and yescrypt. We show that Catena-Dragonfly is not memory-hard despite original claims and the security proof by the designers, since a hardware-equipped adversary can reduce the attack costs significantly using our tradeoffs. We also show that yescrypt is more tradeoff-resilient than Catena, though we can still exploit several design decisions to reduce the time-memory and the time-area product by the factor of 2.
We generalize our ideas to the generic precomputation method for data-independent schemes and the generic ranking method for the data-dependent schemes. Our techniques may be used to estimate the attack cost in various applications from the fast emerging area of memory-hard cryptocurrencies to the password-based key derivation.
Footnotes
 1.
The estimate comes from the numbers given in [6]: the best ASICs make \(2^{32}\) hashes per joule, whereas the most efficient laptops can do \(2^{17}\) hashes per joule.
 2.
The full version of this paper is available at [14].
 3.
As well as \(\mathcal {A}\), the family \(\mathcal {B}\) admits parallel implementations.
 4.
We take low-area implementations, as possible parallelism is already taken into account.
 5.
In terms of Eq. (1) we could enumerate all blocks as \([i]^j = j\,||\,\underbrace{i}_{n\text { bits }}\) so that \(\phi (j\,||\,i) = (j-1)\,||\,\nu (i) \).
 6.
This result is a part of Theorem 6.3 in [20].
Notes
Acknowledgement
We would like to thank the authors of Catena for verifying and confirming our attack.
References
 1. Litecoin: Mining hardware comparison. https://litecoin.info/Mining_hardware_comparison
 2. Password Hashing Competition. https://passwordhashing.net/
 3. Software tool: John the Ripper password cracker. http://www.openwall.com/john/
 4. Litecoin - Open source P2P digital currency (2011). https://litecoin.org/
 5. IETF Draft: The scrypt Password-Based Key Derivation Function (2012). https://tools.ietf.org/html/draftjosefssonscryptkdf02
 6. Bitcoin: Mining hardware comparison (2014). https://en.bitcoin.it/wiki/Mining_hardware_comparison
 7. Vertcoin: Lyra2RE reference guide (2014). https://vertcoin.org/downloads/Vertcoin_Lyra2RE_Paper_11292014.pdf
 8. Abadi, M., Burrows, M., Manasse, M.S., Wobber, T.: Moderately hard, memory-bound functions. ACM Trans. Internet Techn. 5(2), 299–327 (2005)
 9. Alwen, J., Serbinenko, V.: High parallel complexity graphs and memory-hard functions. IACR Cryptology ePrint Archive 2014/238 (2014)
 10. Aumasson, J.-P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 119–135. Springer, Heidelberg (2013)
 11. Bernstein, D.J., Lange, T.: Non-uniform cracks in the concrete: the power of free precomputation. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 321–340. Springer, Heidelberg (2013)
 12. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012)
 13. Biryukov, A., Dinu, D., Khovratovich, D.: Argon and argon2: password hashing scheme. Technical report (2015). https://passwordhashing.net/submissions/specs/Argonv2.pdf
 14. Biryukov, A., Khovratovich, D.: Tradeoff cryptanalysis of memory-hard functions. Cryptology ePrint Archive, Report 2015/227 (2015). http://eprint.iacr.org/
 15. Biryukov, A., Pustogarov, I.: Proof-of-work as anonymous micropayment: rewarding a Tor relay. IACR Cryptology ePrint Archive 2014/1011 (2014). To appear at Financial Cryptography 2015
 16. Chang, D., Jati, A., Mishra, S., Sanadhya, S.K.: Time memory tradeoff analysis of graphs in password hashing constructions. In: Preproceedings of PASSWORDS 2014, pp. 256–266 (2014). http://passwords14.item.ntnu.no/Preproceedings_Passwords14.pdf
 17. Dwork, C., Goldberg, A.V., Naor, M.: On memory-bound functions for fighting spam. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 426–444. Springer, Heidelberg (2003)
 18. Dwork, C., Naor, M., Wee, H.M.: Pebbling and proofs of work. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 37–54. Springer, Heidelberg (2005)
 19. Dziembowski, S., Faust, S., Kolmogorov, V., Pietrzak, K.: Proofs of space. IACR Cryptology ePrint Archive 2013/796 (2013). To appear at Crypto 2015
 20. Forler, C., Lucks, S., Wenzel, J.: Catena: a memory-consuming password scrambler. IACR Cryptology ePrint Archive, Report 2013/525 (2013). Version of 5 January 2014. http://eprint.iacr.org/eprintbin/getfile.pl?entry=2013/525&version=20140105:194859&file=525.pdf
 21. Forler, C., Lucks, S., Wenzel, J.: Memory-demanding password scrambling. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 289–305. Springer, Heidelberg (2014)
 22. Giridhar, B., Cieslak, M., Duggal, D., Dreslinski, R.G., Chen, H.-M., Patti, R., Hold, B., Chakrabarti, C., Mudge, T.N., Blaauw, D.: Exploring DRAM organizations for energy-efficient and resilient exascale memories. In: International Conference for High Performance Computing, Networking, Storage and Analysis (SC 2013), pp. 23–35. ACM (2013)
 23. Gürkaynak, F., Gaj, K., Muheim, B., Homsirikamol, E., Keller, C., Rogawski, M., Kaeslin, H., Kaps, J.-P.: Lessons learned from designing a 65nm ASIC for evaluating third round SHA-3 candidates. In: Third SHA-3 Candidate Conference, March 2012
 24. Hopcroft, J.E., Paul, W.J., Valiant, L.G.: On time versus space. J. ACM 24(2), 332–337 (1977)
 25. Simplicio Jr., M.A., Almeida, L.C., Andrade, E.R., dos Santos, P.C.F., Barreto, P.S.L.M.: The Lyra2 reference guide, version 2.3.2. Technical report, April 2014
 26. Lengauer, T., Tarjan, R.E.: Asymptotically tight bounds on time-space tradeoffs in a pebble game. J. ACM 29(4), 1087–1130 (1982)
 27. Malvoni, K.: Energy-efficient bcrypt cracking. In: Passwords 2014 Conference (2014). http://www.openwall.com/presentations/Passwords14_Energ_Efficient_Cracking/
 28. Mukhopadhyay, S., Sarkar, P.: On the effectiveness of TMTO and exhaustive search attacks. In: Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S. (eds.) IWSEC 2006. LNCS, vol. 4266, pp. 337–352. Springer, Heidelberg (2006)
 29. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2009). http://www.bitcoin.org/bitcoin.pdf
 30. Percival, C.: Stronger key derivation via sequential memory-hard functions (2009). http://www.tarsnap.com/scrypt/scrypt.pdf
 31. Peslyak, A.: Yescrypt - a password hashing competition submission. Technical report (2014). http://passwordhashing.net/submissions/specs/yescryptv0.pdf
 32. Pippenger, N.: Superconcentrators. SIAM J. Comput. 6(2), 298–304 (1977)
 33. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 2009 ACM Conference on Computer and Communications Security, CCS 2009, Chicago, Illinois, USA, 9–13 November 2009, pp. 199–212 (2009)
 34. Sprengers, M., Batina, L.: Speeding up GPU-based password cracking. In: SHARCS 2012 (2012). http://2012.sharcs.org/record.pdf
 35. Thompson, C.D.: Area-time complexity for VLSI. In: STOC 1979, pp. 81–88. ACM (1979)
 36. Wu, H.: POMELO: a password hashing algorithm. Technical report (2014). https://passwordhashing.net/submissions/specs/POMELOv1.pdf