Abstract
Memory-hard functions (MHFs) are a useful cryptographic primitive which can be used to design egalitarian proof of work puzzles and to protect low entropy secrets like passwords against brute-force attackers. Intuitively, a memory-hard function is a function whose evaluation costs are dominated by memory costs even if the attacker uses specialized hardware (FPGAs/ASICs), and several cost metrics have been proposed to quantify this intuition. For example, space-time cost looks at the product of running time and the maximum space usage over the entire execution of an algorithm. Alwen and Serbinenko (STOC 2015) observed that the space-time cost of evaluating a function multiple times may not scale linearly in the number of instances being evaluated and introduced the stricter requirement that a memory-hard function has high cumulative memory complexity (CMC) to ensure that an attacker’s amortized space-time costs remain large even if the attacker evaluates the function on multiple different inputs in parallel. Alwen et al. (EUROCRYPT 2018) observed that the notion of CMC still gives the attacker undesirable flexibility in selecting space-time tradeoffs e.g., while the MHF \(\texttt{Scrypt}\) has maximal CMC \(\varOmega (N^2)\), an attacker could evaluate the function with constant O(1) memory in time \(O(N^2)\). Alwen et al. introduced an even stricter notion of Sustained Space complexity and designed an MHF which has \(s=\varOmega (N/\log N)\) sustained complexity \(t=\varOmega (N)\) i.e., any algorithm evaluating the function in the parallel random oracle model must have at least \(t=\varOmega (N)\) steps where the memory usage is at least \(\varOmega (N/\log N)\). In this work, we use dynamic pebbling games and dynamic graphs to explore tradeoffs between sustained space complexity and cumulative memory complexity for data-dependent memory-hard functions such as Argon2id and \(\texttt{Scrypt}\). We design our own dynamic graph (dMHF) with the property that any dynamic pebbling strategy either (1) has \(\varOmega (N)\) rounds with \(\varOmega (N)\) space, or (2) has CMC \(\varOmega (N^{3-\epsilon })\)—substantially larger than \(N^2\). For Argon2id we show that any dynamic pebbling strategy either(1) has \(\varOmega (N)\) rounds with \(\varOmega (N^{1-\epsilon })\) space, or (2) has CMC \(\omega (N^2)\). We also present a dynamic version of DRSample (Alwen et al. 2017) for which any dynamic pebbling strategy either (1) has \(\varOmega (N)\) rounds with \(\varOmega (N/\log N)\) space, or (2) has CMC \(\varOmega (N^3/\log N)\).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Ameri et al. [9] also introduced the notion of a computationally data-independent memory-hard function where the memory access pattern is allowed to depend on the input, but should be computationally bounded adversary should not be able to detect or exploit this dependence.
References
Password hashing competition (2015). https://www.password-hashing.net/
Alwen, J., Blocki, J.: Efficiently computing data-independent memory-hard functions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 241–271. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_9
Alwen, J., Blocki, J., Harsha, B.: Practical graphs for optimal side-channel resistant memory-hard functions. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017: 24th Conference on Computer and Communications Security, 31 October–2 November 2017, pp. 1001–1017. ACM Press (2017)
Alwen, J., Blocki, J., Pietrzak, K.: Depth-robust graphs and their cumulative memory complexity. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 3–32. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_1
Alwen, J., Blocki, J., Pietrzak, K.: Sustained space complexity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 99–130. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_4
Alwen, J., Chen, B., Pietrzak, K., Reyzin, L., Tessaro, S.: Scrypt is maximally memory-hard. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 33–62. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_2
Alwen, J., Serbinenko, V.: High parallel complexity graphs and memory-hard functions. In: Servedio, R.A., Rubinfeld, R. (eds.) 47th Annual ACM Symposium on Theory of Computing, 14–17 June 2015, pp. 595–603. ACM Press (2015)
Alwen, J., Blocki, J.: Towards practical attacks on argon2i and balloon hashing. In: 2017 IEEE European Symposium on Security and Privacy (EuroS P), pp. 142–157 (2017). https://doi.org/10.1109/EuroSP.2017.47
Ameri, M.H., Blocki, J., Zhou, S.: Computationally data-independent memory hard functions. In: Vidick, T. (ed.) ITCS 2020: 11th Innovations in Theoretical Computer Science Conference, 12–14 January 2020, vol. 151, pp. 36:1–36:28. LIPIcs (2020)
Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: new generation of memory-hard functions for password hashing and other applications. In: 2016 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 292–302. IEEE (2016)
Blocki, J., Cinkoske, M.: A new connection between node and edge depth robust graphs. In: Lee, J.R. (ed.) ITCS 2021: 12th Innovations in Theoretical Computer Science Conference, 6–8 January 2021, vol. 185, pp. 64:1–64:18. LIPIcs (2021)
Blocki, J., Harsha, B., Kang, S., Lee, S., Xing, L., Zhou, S.: Data-independent memory hard functions: new attacks and stronger constructions. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 573–607. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_20
Blocki, J., Zhou, S.: On the depth-robustness and cumulative pebbling cost of Argon2i. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 445–465. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_15
Erdös, P., Graham, R.L., Szemerédi, E.: On sparse graphs with dense long paths. Comput. Math. Appl. 1(3–4), 365–369 (1975)
Hopcroft, J., Paul, W., Valiant, L.: On time versus space. J. ACM (JACM) 24(2), 332–337 (1977)
Lee, C.: Litecoin (2011)
Lengauer, T., Tarjan, R.E.: Upper and lower bounds on time-space tradeoffs. In: Proceedings of the Eleventh Annual ACM Symposium on Theory of Computing, STOC 1979, New York, NY, USA, pp. 262–277. Association for Computing Machinery (1979). https://doi.org/10.1145/800135.804420
Percival, C.: Stronger key derivation via sequential memory-hard functions, January 2009
Schnitger, G.: On depth-reduction and grates. In: 24th Annual Symposium on Foundations of Computer Science, 7–9 November 1983, pp. 323–328. IEEE Computer Society Press (1983)
Acknowledgements
We would like to thank anonymous reviewers for providing constructive feedback. Jeremiah Blocki was supported in part by the National Science Foundation under NSF CAREER Award CNS-2047272. Blake Holman was supported by a Ross Fellowship at Purdue University.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 International Association for Cryptologic Research
About this paper
Cite this paper
Blocki, J., Holman, B. (2022). Sustained Space and Cumulative Complexity Trade-Offs for Data-Dependent Memory-Hard Functions. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13509. Springer, Cham. https://doi.org/10.1007/978-3-031-15982-4_8
Download citation
DOI: https://doi.org/10.1007/978-3-031-15982-4_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15981-7
Online ISBN: 978-3-031-15982-4
eBook Packages: Computer ScienceComputer Science (R0)
