Abstract
Memory-hard functions (MHFs) are a key cryptographic primitive underlying the design of moderately expensive password hashing algorithms and egalitarian proofs of work. Over the past few years several increasingly stringent goals for an MHF have been proposed including the requirement that the MHF have high sequential space-time (ST) complexity, parallel space-time complexity, amortized area-time (aAT) complexity and sustained space complexity. Data-Independent Memory Hard Functions (iMHFs) are of special interest in the context of password hashing as they naturally resist side-channel attacks. iMHFs can be specified using a directed acyclic graph (DAG) G with \(N=2^n\) nodes and low indegree and the complexity of the iMHF can be analyzed using a pebbling game. Recently, Alwen et al. [ABH17] constructed a DAG called DRSample that has aAT complexity at least \(\varOmega \!\left( N^2/{\text {log}} N\right) \). Asymptotically DRSample outperformed all prior iMHF constructions including Argon2i, winner of the password hashing competition (aAT cost \({\mathcal {O}} \!\left( N^{1.767}\right) \)), though the constants in these bounds are poorly understood. We show that the greedy pebbling strategy of Boneh et al. [BCS16] is particularly effective against DRSample e.g., the aAT cost is \({\mathcal {O}} (N^2/{\text {log}} N)\). In fact, our empirical analysis reverses the prior conclusion of Alwen et al. that DRSample provides stronger resistance to known pebbling attacks for practical values of \(N \le 2^{24}\). We construct a new iMHF candidate (DRSample+BRG) by using the bit-reversal graph to extend DRSample. We then prove that the construction is asymptotically optimal under every MHF criteria, and we empirically demonstrate that our iMHF provides the best resistance to known pebbling attacks. 
For example, we show that any parallel pebbling attack either has aAT cost \(\omega (N^2)\) or requires at least \(\varOmega (N)\) steps with \(\varOmega (N/{\text {log}} N)\) pebbles on the DAG. This makes our construction the first practical iMHF with a strong sustained space-complexity guarantee and immediately implies that any parallel pebbling has aAT complexity \(\varOmega (N^2/{\text {log}} N)\). We also prove that any sequential pebbling (including the greedy pebbling attack) has aAT cost \(\varOmega \!\left( N^2\right) \) and, if a plausible conjecture holds, any parallel pebbling has aAT cost \(\varOmega (N^2 \log \log N/{\text {log}} N)\)—the best possible bound for an iMHF. We implement our new iMHF and demonstrate that it is just as fast as Argon2. Along the way we propose a simple modification to the Argon2 round function that increases an attacker’s aAT cost by nearly an order of magnitude without increasing running time on a CPU. Finally, we give a pebbling reduction that proves that in the parallel random oracle model (PROM) the cost of evaluating an iMHF like Argon2i or DRSample+BRG is given by the pebbling cost of the underlying DAG. Prior pebbling reductions assumed that the iMHF round function concatenates input labels before hashing and did not apply to practical iMHFs such as Argon2i, DRSample or DRSample+BRG where input labels are instead XORed together.
Notes
1. This latest attack almost matches the lower bound of \(\tilde{\varOmega }\left( N^{1.75}\right) \) on the aAT complexity of Argon2i.
2. Blocki and Zhou did not explicitly work out the constants in their lower bound, but it appears that \(c_2 \approx 5 \times 10^{-7}\) [ABH17].
3. One such graph G can be obtained by starting with the pyramid graph \(\bigtriangleup _k\), which has \({\mathcal {O}} (k^2)\) nodes and a single sink node t, and appending a path W of length \(k^3\) starting at this sink node t. The pyramid graph requires \(\varPi ^{\parallel }_s\left( \bigtriangleup _k\right) = \varTheta (k)\) space to pebble and has \(\varPi _{{cc}}\left( \bigtriangleup _k\right) \le \varPi _{{st}}\left( \bigtriangleup _k\right) \le k^3\). Similarly, the path W requires at least \(\varPi ^{\parallel }_t(W) =\varPi _t(W)= k^3\) steps to pebble (even in parallel). Thus, \(\varPi ^{\parallel }_{{st}}(G) \ge k^4\). By contrast, we have \(\varPi _{{cc}}(G) \le \varPi _{{cc}}\left( \bigtriangleup _k\right) + k^3 \le k^3+k^3 \ll k^4\), since we can place a pebble on node t with cost \(\varPi _{{cc}}(\bigtriangleup _k)\), discard all other pebbles from the graph, and then walk this single pebble across the path.
4. In Argon2, the block size is 1KB, so when we use \(N=2^{24}\) nodes the honest party would require 16 GB (\(=N \times \) KB) of RAM to evaluate the MHF. Thus, we view \(2^{24}\) as a reasonable upper bound on the number of blocks that would be used in practical applications.
5. In the full version [BHK+18] we also analyze the performance of Valiant's Lemma attack against Argon2i. Previously, the best known upper bound was that Valiant's Lemma yields a depth-reducing set of size \(e={\mathcal {O}} \left( \frac{N \log (N/d)}{\log N}\right) \) for any DAG G with constant indegree. For the specific case of Argon2i this upper bound on e was significantly larger than the upper bound—\(e=\tilde{{\mathcal {O}}}\left( \frac{N}{d^{1/3}}\right) \)—obtained by running the layered attack [AB17, BZ17]. Nevertheless, empirical analysis of both attacks surprisingly indicated that Valiant's Lemma yields smaller depth-reducing sets than the layered attack for Argon2i. We show how to customize the analysis of Valiant's Lemma attack to a specific DAG such as DRSample or Argon2i. Our theoretical analysis of Valiant's Lemma explains these surprising empirical results. By focusing on Argon2i specifically we can show that, for a target depth d, the attack yields a depth-reducing set of size \(e=\tilde{{\mathcal {O}}}\left( \frac{N}{d^{1/3}}\right) \ll {\mathcal {O}} \left( \frac{N \log (N/d)}{\log N}\right) \), which is optimal and matches the performance of the layered attack [BZ17].
6. Given a constant R that represents the core/memory area ratio we can define \({\mathsf {aAT}^\parallel } _R({\mathsf {Trace}_{\mathcal {A},R,H}} (x))={\mathsf {cmc}} ({\mathsf {Trace}_{\mathcal {A},R,H}} (x)) + R\sum _i |Q_i|\). We will focus on lower bounds on \({\mathsf {cmc}} \), since the two notions are asymptotically equivalent and lower bounds on \({\mathsf {cmc}} \) imply lower bounds on aAT complexity.
7. In particular, if we let \(L_v = {\mathsf {lab}} _{K_N,H,x}(v) = H(L_{v-1} \oplus \ldots \oplus L_{1})\) denote the label of node v given input x, then the prelabel of node v is \(Y_v = {\mathsf {prelab}} _{K_N,H,x}(v) = L_{v-1} \oplus \ldots \oplus L_{1}\). Given only \(Y_v\) we can obtain \(L_v = H(Y_v)\) and \(Y_{v+1} = Y_v \oplus L_v\). Thus, \({\mathsf {cmc}} _{q,\epsilon }(f_{K_N,H}) = {\mathcal {O}} (N w)\), since we can compute \(f_{K_N,H}(x) = L_N\) in linear time with space \({\mathcal {O}} (w)\).
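The separation in note 3 worked through in code, as an added example that is not from the paper: a small pebbling-cost simulator over the pyramid-plus-path graph, driven by the row-by-row strategy the note sketches, reporting cc (sum of pebbles over rounds) next to the space-time product. The node naming, the row-by-row order and counting a removal in the same round as a placement are my assumptions.

```python
def pyramid_plus_path(k):
    """Construct G from the note: a pyramid with k base nodes (row r has k-r
    nodes, node (r,j) depends on (r-1,j) and (r-1,j+1)) whose apex t feeds a
    path W of k**3 nodes. Returns (parents, apex, path)."""
    parents = {}
    for r in range(k):
        for j in range(k - r):
            parents[(r, j)] = [] if r == 0 else [(r - 1, j), (r - 1, j + 1)]
    apex, prev = (k - 1, 0), (k - 1, 0)
    path = [("w", i) for i in range(k ** 3)]
    for w in path:
        parents[w] = [prev]
        prev = w
    return parents, apex, path

def pebbling_costs(parents, configs):
    """configs = P_1, P_2, ... (P_0 empty). A node newly pebbled in P_i must have
    all parents in P_{i-1}. Returns cc = sum |P_i|, space = max |P_i|,
    time = number of rounds, st = space * time."""
    prev, cc, space = set(), 0, 0
    for i, cfg in enumerate(configs, 1):
        for v in cfg - prev:
            if any(p not in prev for p in parents[v]):
                raise ValueError(f"illegal move at round {i}: {v}")
        cc, space, prev = cc + len(cfg), max(space, len(cfg)), cfg
    return cc, space, len(configs), space * len(configs)

def greedy_strategy(k):
    """Sequential strategy from the note: pebble the pyramid row by row, freeing a
    row-(r-1) node as soon as its children are pebbled (never more than k
    pebbles), then let a single pebble walk down the path."""
    parents, apex, path = pyramid_plus_path(k)
    configs, cur = [], set()
    for j in range(k):                       # row 0: one new pebble per round
        cur = cur | {(0, j)}
        configs.append(cur)
    for r in range(1, k):                    # row r: place (r,j), free (r-1,j)
        for j in range(k - r):
            cur = (cur | {(r, j)}) - {(r - 1, j)}
            if j == k - r - 1:               # last node of row r-1 is free too
                cur = cur - {(r - 1, j + 1)}
            configs.append(cur)
    assert cur == {apex}                     # only t remains pebbled
    for w in path:                           # one pebble walks W: cost 1 per round
        cur = {w}
        configs.append(cur)
    return parents, configs

if __name__ == "__main__":
    for k in (4, 8):
        cc, space, time, st = pebbling_costs(*greedy_strategy(k))
        print(f"k={k}: cc={cc} space={space} time={time} st={st} k^4={k**4}")
```

For k=4 the strategy reaches st = 296 >= k^4 = 256 while cc is only 91, which is the gap the note uses to separate the two measures.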
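Note 7's linear-time, \({\mathcal {O}} (w)\)-space evaluation of the XOR-based labeling on the complete DAG \(K_N\), as an added example that is neither the paper's nor Argon2's code: the version that keeps every label beside the prelabel-streaming version, with a check that both produce the same \(L_N\). Using SHA-256 as H and setting \(L_1 = H(x)\) are assumptions.

```python
import hashlib

W_BYTES = 32  # label width w = 256 bits (assumption: H is SHA-256)

def H(data: bytes) -> bytes:
    """Stand-in for the random oracle (assumption: SHA-256)."""
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def label_all_stored(x: bytes, N: int):
    """Compute L_N on K_N keeping every label, as the pebbling view of K_N
    (node v reads all v-1 earlier nodes) would suggest.
    L_1 = H(x) (assumption), L_v = H(L_{v-1} ^ ... ^ L_1).
    Returns (L_N, number of labels held at once)."""
    labels = [H(x)]
    for v in range(2, N + 1):
        pre = bytes(W_BYTES)
        for L in labels:               # XOR all v-1 earlier labels
            pre = xor(pre, L)
        labels.append(H(pre))
    return labels[-1], len(labels)     # O(N*w) space

def label_streaming(x: bytes, N: int):
    """Note 7's shortcut: carry only the prelabel Y_v = L_{v-1} ^ ... ^ L_1.
    Then L_v = H(Y_v) and Y_{v+1} = Y_v ^ L_v, so space is O(w), time O(N).
    Returns (L_N, number of labels held at once)."""
    L = H(x)                           # L_1
    Y = L                              # Y_2 = L_1
    for v in range(2, N + 1):
        L = H(Y)                       # L_v
        Y = xor(Y, L)                  # Y_{v+1}
    return L, 2                        # only L_v and Y_v in memory

if __name__ == "__main__":
    x = b"constructed sample input"
    print(label_all_stored(x, 16)[0] == label_streaming(x, 16)[0])  # True
```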
References
Alwen, J., Blocki, J.: Efficiently computing data-independent memory-hard functions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 241–271. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_9
Alwen, J., Blocki, J.: Towards practical attacks on Argon2i and balloon hashing. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 142–157. IEEE (2017)
Alwen, J., Blocki, J., Harsha, B.: Practical graphs for optimal side-channel resistant memory-hard functions. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1001–1017. ACM Press, October/November 2017
Abadi, M., Burrows, M., Manasse, M., Wobber, T.: Moderately hard, memory-bound functions. ACM Trans. Internet Technol. 5(2), 299–327 (2005)
Alwen, J., Blocki, J., Pietrzak, K.: Depth-robust graphs and their cumulative memory complexity. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 3–32. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_1
Alwen, J., Blocki, J., Pietrzak, K.: Sustained space complexity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 99–130. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_4
Alwen, J., Chen, B., Pietrzak, K., Reyzin, L., Tessaro, S.: Scrypt is maximally memory-hard. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 33–62. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_2
Alwen, J., Serbinenko, V.: High parallel complexity graphs and memory-hard functions. In: Servedio, R.A., Rubinfeld, R. (eds.) 47th ACM STOC, pp. 595–603. ACM Press, June 2015
Alwen, J., Tackmann, B.: Moderately hard functions: definition, instantiations, and applications. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 493–526. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_17
Boneh, D., Corrigan-Gibbs, H., Schechter, S.: Balloon hashing: a memory-hard function providing provable protection against sequential attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 220–248. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_8
Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: new generation of memory-hard functions for password hashing and other applications. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 292–302. IEEE (2016)
Bernstein, D.J.: Cache-timing attacks on AES (2005)
Blocki, J., Harsha, B., Kang, S., Lee, S., Xing, L., Zhou, S.: Data-independent memory hard functions: new attacks and stronger constructions (full version). Cryptology ePrint Archive, Report 2018/944 (2018). https://eprint.iacr.org/2018/944
Blocki, J., Harsha, B., Zhou, S.: On the economics of offline password cracking. In: 2018 IEEE Symposium on Security and Privacy, pp. 853–871. IEEE Computer Society Press, May 2018
Biryukov, A., Khovratovich, D.: Tradeoff cryptanalysis of memory-hard functions. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 633–657. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_26
Boyen, X.: Halting password puzzles - hard-to-break encryption from human-memorable keys. In: 16th USENIX Security Symposium–SECURITY 2007, pp. 119–134. The USENIX Association, Berkeley (2007). http://www.cs.stanford.edu/~xb/security07/
Blocki, J., Ren, L., Zhou, S.: Bandwidth-hard functions: reductions and lower bounds. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1820–1836. ACM Press, October 2018
Blocki, J., Zhou, S.: On the depth-robustness and cumulative pebbling cost of Argon2i. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 445–465. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_15
Dwork, C., Goldberg, A., Naor, M.: On memory-bound functions for fighting spam. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 426–444. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_25
Forler, C., Lucks, S., Wenzel, J.: Memory-demanding password scrambling. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 289–305. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_16
Hong, J.-W., Kung, H.T.: I/O complexity: the red-blue pebble game. In: Proceedings of the Thirteenth Annual ACM Symposium on Theory of Computing, STOC 1981, pp. 326–333. ACM, New York, NY, USA (1981)
Khovratovich, D., Dinu, D., Biryukov, A., Josefsson, S.: The memory-hard Argon2 password hash and proof-of-work function. Memory (2017)
Lee, C.: Litecoin (2011)
Lengauer, T.: Black-white pebbles and graph separation. Acta Informatica 16(4), 465–475 (1981)
Lengauer, T., Tarjan, R.E.: Asymptotically tight bounds on time-space trade-offs in a pebble game. J. ACM 29(4), 1087–1130 (1982)
Percival, C.: Stronger key derivation via sequential memory-hard functions (2009)
Peslyak, A.: yescrypt: password hashing scalable beyond bcrypt and scrypt (2014)
Password hashing competition. (2016). https://password-hashing.net/
Pippenger, N.: Superconcentrators. SIAM J. Comput. 6(2), 298–304 (1977)
Ren, L., Devadas, S.: Bandwidth hard functions for ASIC resistance. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 466–492. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_16
Simplício Jr., M.A., Almeida, L.C., Andrade, E.R., dos Santos, P.C.F., Barreto, P.S.L.M.: Lyra2: password hashing scheme with improved security against time-memory trade-offs. Cryptology ePrint Archive, Report 2015/136 (2015). http://eprint.iacr.org/2015/136
Valiant, L.G.: Graph-theoretic arguments in low-level complexity. In: Gruska, J. (ed.) MFCS 1977. LNCS, vol. 53, pp. 162–176. Springer, Heidelberg (1977). https://doi.org/10.1007/3-540-08353-7_135
Wiener, M.J.: The full cost of cryptanalytic attacks. J. Cryptol. 17(2), 105–124 (2004)
Acknowledgments
Seunghoon Lee was supported in part by NSF award CNS #1755708. Ben Harsha was supported by a Rolls-Royce Doctoral Fellowship. The views expressed in this paper are those of the authors and do not necessarily reflect the views of the National Science Foundation or Rolls-Royce.
© 2019 International Association for Cryptologic Research
Cite this paper
Blocki, J., Harsha, B., Kang, S., Lee, S., Xing, L., Zhou, S. (2019). Data-Independent Memory Hard Functions: New Attacks and Stronger Constructions. In: Boldyreva, A., Micciancio, D. (eds) Advances in Cryptology – CRYPTO 2019. CRYPTO 2019. Lecture Notes in Computer Science(), vol 11693. Springer, Cham. https://doi.org/10.1007/978-3-030-26951-7_20
DOI: https://doi.org/10.1007/978-3-030-26951-7_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-26950-0
Online ISBN: 978-3-030-26951-7