On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model

  • Joël Alwen
  • Binyi Chen
  • Chethan Kamath
  • Vladimir Kolmogorov
  • Krzysztof Pietrzak
  • Stefano Tessaro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9666)


We study the time- and memory-complexities of the problem of computing labels of (multiple) randomly selected challenge-nodes in a directed acyclic graph. The w-bit label of a node is the hash of the labels of its parents, and the hash function is modeled as a random oracle. Specific instances of this problem underlie both proofs of space [Dziembowski et al. CRYPTO’15] as well as popular memory-hard functions like scrypt. As our main tool, we introduce the new notion of a probabilistic parallel entangled pebbling game, a new type of combinatorial pebbling game on a graph, which is closely related to the labeling game on the same graph.

As a first application of our framework, we prove that for \(\texttt{scrypt}\), when the underlying hash function is invoked n times, the cumulative memory complexity (CMC), a notion recently introduced by Alwen and Serbinenko (STOC’15) to capture amortized memory-hardness for parallel adversaries, is at least \(\Omega(w \cdot (n/\log(n))^2)\). This bound holds for adversaries that can store many natural functions of the labels (e.g., linear combinations), but still not arbitrary functions thereof.

We then introduce and study a combinatorial quantity, and show how a sufficiently small upper bound on it (which we conjecture) extends our CMC bound for \(\texttt{scrypt}\) to hold against arbitrary adversaries.

We also show that such an upper bound solves the main open problem for proofs-of-space protocols: namely, establishing that the time complexity of computing the label of a random node in a graph on n nodes (given an initial kw-bit state) reduces tightly to the time complexity for black pebbling on the same graph (given an initial k-node pebbling).
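The labeling problem and the CMC measure described above can be made concrete with a small simulation. This is an added example, not code from the paper: SHA-256 stands in for the random oracle, the graph is a simplified scrypt-style chain with data-dependent challenges (real scrypt XORs the two parent values before hashing), and the names `evaluate`, `stride` and the memory accounting are assumptions made for illustration.

```python
import hashlib

W_BITS = 256  # label width w; SHA-256 stands in for the random oracle (assumption)

def H(*parts: bytes) -> bytes:
    """Hash a tuple of parent labels; length prefixes keep the encoding unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def evaluate(seed: bytes, n: int, stride: int = 1):
    """Label a scrypt-style graph, keeping only every `stride`-th chain label.

    Returns (output, oracle_calls, peak_bits, cmc_bits), where cmc_bits sums,
    over all oracle calls, the bits of labels held in memory during that call.
    """
    store, calls, peak, cmc = {}, 0, 0, 0

    def oracle(live: int, *parts: bytes) -> bytes:
        nonlocal calls, peak, cmc
        calls += 1
        peak = max(peak, live * W_BITS)
        cmc += live * W_BITS
        return H(*parts)

    x = oracle(1, seed)                      # V_0
    for i in range(n):                       # chain V_{i+1} = H(V_i)
        if i % stride == 0:
            store[i] = x                     # checkpoint V_i
        x = oracle(len(store) + 1, x)
    s = x                                    # V_n starts the challenge phase
    for _ in range(n):
        j = int.from_bytes(s, "big") % n     # data-dependent challenge node
        base = j - j % stride
        v = store[base]
        for _ in range(j - base):            # recompute V_j from its checkpoint
            v = oracle(len(store) + 2, v)
        s = oracle(len(store) + 2, s, v)     # parents: previous S and V_j
    return s, calls, peak, cmc

if __name__ == "__main__":
    for k in (1, 8, 32):                     # constructed sample input
        _, calls, peak, cmc = evaluate(b"constructed sample input", 256, k)
        print(f"stride={k:2d} calls={calls:5d} peak={peak:6d} bits cmc={cmc} bits")
```

With n = 256, a stride of 8 cuts peak memory from n + 2 to n/8 + 2 labels, yet the cumulative cost falls by less than a factor of 4 because recomputing discarded labels adds oracle calls.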



Joël Alwen, Chethan Kamath, and Krzysztof Pietrzak’s research is partially supported by an ERC starting grant (259668-PSPC). Vladimir Kolmogorov is partially supported by an ERC consolidator grant (616160-DOICV). Binyi Chen was partially supported by NSF grants CNS-1423566 and CNS-1514526, and a gift from the Gareatis Foundation. Stefano Tessaro was partially supported by NSF grants CNS-1423566, CNS-1528178, a Hellman Fellowship, and the Glen and Susanne Culler Chair.

This work was done in part while the authors were visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467.


  1. Crypto-Currency Market Capitalizations. Accessed 10 July 2015
  2. Almeida, L.C., Andrade, E.R., Barreto, P.S.L.M., Simplicio Jr., M.A.: Lyra: Password-based key derivation with tunable memory and processing costs. Cryptology ePrint Archive, report 2014/030 (2014)
  3. Alwen, J., Serbinenko, V.: High parallel complexity graphs and memory-hard functions. In: Servedio, R.A., Rubinfeld, R. (eds.) 47th ACM STOC, pp. 595–603. ACM Press, June 2015
  4. Biryukov, A., Dinu, D., Khovratovich, D.: Fast and tradeoff-resilient memory-hard functions for cryptocurrencies and password hashing. Cryptology ePrint Archive, report 2015/430 (2015)
  5. Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T., Regazzoni, F.: Midori: a block cipher for low energy. In: Iwata, T., et al. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 411–436. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48800-3_17
  6. Chang, J., Mishra, S., Kumar Sanadhya, S.: Time memory tradeoff analysis of graphs in password hashing constructions. Preproc. PASSWORDS 14, 256–266 (2014)
  7. Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993)
  8. Dwork, C., Naor, M., Wee, H.M.: Pebbling and proofs of work. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 37–54. Springer, Heidelberg (2005)
  9. Dziembowski, S., Faust, S., Kolmogorov, V., Pietrzak, K.: Proofs of space. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 585–605. Springer, Heidelberg (2015)
  10. Dziembowski, S., Kazana, T., Wichs, D.: One-time computable self-erasing functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 125–143. Springer, Heidelberg (2011)
  11. Forler, C., Lucks, S., Wenzel, J.: Catena: a memory-consuming password scrambler. Cryptology ePrint Archive, report 2013/525 (2013)
  12. Jakobsson, M., Juels, A.: Proofs of work, bread pudding protocols. In: Preneel, B. (ed.) Secure Information Networks: Communications and Multimedia Security, IFIP TC6/TC11 Joint Working Conference on Communications and Multimedia Security (CMS 1999), 20–21 September 1999, Leuven, Belgium, vol. 152 of IFIP Conference Proceedings, pp. 258–272. Kluwer (1999)
  13. Kaliski, B.: PKCS #5: Password-based cryptography specification version 2.0 (2000)
  14. Lee, C.: Litecoin (2011)
  15. Park, S., Pietrzak, K., Kwon, A., Alwen, J., Fuchsbauer, G., Gaži, P.: Spacemint: A cryptocurrency based on proofs of space. Cryptology ePrint Archive, report 2015/528 (2015)
  16. Percival, C.: Stronger key derivation via sequential memory-hard functions (2009)
  17. Corrigan-Gibbs, H., Boneh, D., Schechter, S.: Balloon Hashing: Provably Space-Hard Hash Functions with Data-Independent Access Patterns. Cryptology ePrint Archive, Report 2016/027 (2016)

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Joël Alwen (1)
  • Binyi Chen (2)
  • Chethan Kamath (1)
  • Vladimir Kolmogorov (1)
  • Krzysztof Pietrzak (1)
  • Stefano Tessaro (2)

  1. IST Austria, Klosterneuburg, Austria
  2. University of California, Santa Barbara, USA
