Beyond Hellman’s Time-Memory Trade-Offs with Applications to Proofs of Space

  • Hamza AbusalahEmail author
  • Joël Alwen
  • Bram Cohen
  • Danylo Khilko
  • Krzysztof Pietrzak
  • Leonid Reyzin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10625)


Proofs of space (PoS) were suggested as more ecological and economical alternative to proofs of work, which are currently used in blockchain designs like Bitcoin. The existing PoS are based on rather sophisticated graph pebbling lower bounds. Much simpler and in several aspects more efficient schemes based on inverting random functions have been suggested, but they don’t give meaningful security guarantees due to existing time-memory trade-offs.

In particular, Hellman showed that any permutation over a domain of size N can be inverted in time T by an algorithm that is given S bits of auxiliary information whenever \(S\cdot T \approx N\) (e.g. \(S=T\approx N^{1/2}\)). For functions Hellman gives a weaker attack with \(S^2\cdot T\approx N^2\) (e.g., \(S=T \approx N^{2/3}\)). To prove lower bounds, one considers an adversary who has access to an oracle \(f:[N]\rightarrow [N]\) and can make T oracle queries. The best known lower bound is \(S\cdot T\in \varOmega (N)\) and holds for random functions and permutations.

We construct functions that provably require more time and/or space to invert. Specifically, for any constant k we construct a function \([N]\rightarrow [N]\) that cannot be inverted unless \(S^k\cdot T \in \varOmega (N^k)\) (in particular, \(S=T\approx N^{k/(k+1)}\)). Our construction does not contradict Hellman’s time-memory trade-off, because it cannot be efficiently evaluated in forward direction. However, its entire function table can be computed in time quasilinear in N, which is sufficient for the PoS application.

Our simplest construction is built from a random function oracle \(g:[N]\times [N]\rightarrow [N]\) and a random permutation oracle \(f:[N]\rightarrow [N]\) and is defined as \(h(x)=g(x,x')\) where \(f(x)=\pi (f(x'))\) with \(\pi \) being any involution without a fixed point, e.g. flipping all the bits. For this function we prove that any adversary who gets S bits of auxiliary information, makes at most T oracle queries, and inverts h on an \(\epsilon \) fraction of outputs must satisfy \(S^2\cdot T\in \varOmega (\epsilon ^2N^2)\).



Hamza Abusalah, Joël Alwen, and Krzysztof Pietrzak were supported by the European Research Council, ERC consolidator grant (682815 - TOCNeT).

Leonid Reyzin gratefully acknowledges the hospitality and support of IST Austria, where much of this work was performed. He was also supported, in part, by US NSF grants 1012910, 1012798, and 1422965.

Supplementary material


  1. Barkan, E., Biham, E., Shamir, A.: Rigorous bounds on cryptanalytic time/memory tradeoffs. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 1–21. Springer, Heidelberg (2006). CrossRefGoogle Scholar
  2. Dziembowski, S., Faust, S., Kolmogorov, V., Pietrzak, K.: Proofs of space. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 585–605. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  3. Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993). CrossRefGoogle Scholar
  4. De, A., Trevisan, L., Tulsiani, M.: Time space tradeoffs for attacks against one-way functions and prgs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 649–665. Springer, Heidelberg (2010). CrossRefGoogle Scholar
  5. Fiat, A., Naor, M.: Rigorous time/space tradeoffs for inverting functions, pp. 534–541 (1991)Google Scholar
  6. Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions, pp. 305–313 (2000)Google Scholar
  7. Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)MathSciNetCrossRefzbMATHGoogle Scholar
  8. Park, S., Pietrzak, K., Kwon, A., Alwen, J., Fuchsbauer, G., Gaži, P.: Spacemint: A cryptocurrency based on proofs of space. Cryptology ePrint Archive, Report 2015/528 (2015).
  9. Ren, L., Devadas, S.: Proof of space from stacked expanders. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 262–285. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  10. Wee, H.: On obfuscating point functions, pp. 523–532 (2005)Google Scholar
  11. Yao, A.C.-C.: Coherent functions and program checkers (extended abstract), pp. 84–94 (1990)Google Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Hamza Abusalah
    • 1
    Email author
  • Joël Alwen
    • 1
  • Bram Cohen
    • 2
  • Danylo Khilko
    • 3
  • Krzysztof Pietrzak
    • 1
  • Leonid Reyzin
    • 4
  1. 1.Institute of Science and Technology AustriaKlosterneuburgAustria
  2. 2.Chia NetworkSan FranciscoUSA
  3. 3.ENS ParisParisFrance
  4. 4.Boston UniversityBostonUSA

Personalised recommendations