91 research outputs found
Computationally Data-Independent Memory Hard Functions
Memory hard functions (MHFs) are an important cryptographic primitive that are used to design egalitarian proofs of work and in the construction of moderately expensive key-derivation functions resistant to brute-force attacks. Broadly speaking, MHFs can be divided into two categories: data-dependent memory hard functions (dMHFs) and data-independent memory hard functions (iMHFs). iMHFs are resistant to certain side-channel attacks as the memory access pattern induced by the honest evaluation algorithm is independent of the potentially sensitive input e.g., password. While dMHFs are potentially vulnerable to side-channel attacks (the induced memory access pattern might leak useful information to a brute-force attacker), they can achieve higher cumulative memory complexity (CMC) in comparison than an iMHF. In particular, any iMHF that can be evaluated in N steps on a sequential machine has CMC at most ?((N^2 log log N)/log N). By contrast, the dMHF scrypt achieves maximal CMC ?(N^2) - though the CMC of scrypt would be reduced to just ?(N) after a side-channel attack.
In this paper, we introduce the notion of computationally data-independent memory hard functions (ciMHFs). Intuitively, we require that memory access pattern induced by the (randomized) ciMHF evaluation algorithm appears to be independent from the standpoint of a computationally bounded eavesdropping attacker - even if the attacker selects the initial input. We then ask whether it is possible to circumvent known upper bound for iMHFs and build a ciMHF with CMC ?(N^2). Surprisingly, we answer the question in the affirmative when the ciMHF evaluation algorithm is executed on a two-tiered memory architecture (RAM/Cache).
We introduce the notion of a k-restricted dynamic graph to quantify the continuum between unrestricted dMHFs (k=n) and iMHFs (k=1). For any ? > 0 we show how to construct a k-restricted dynamic graph with k=?(N^(1-?)) that provably achieves maximum cumulative pebbling cost ?(N^2). We can use k-restricted dynamic graphs to build a ciMHF provided that cache is large enough to hold k hash outputs and the dynamic graph satisfies a certain property that we call "amenable to shuffling". In particular, we prove that the induced memory access pattern is indistinguishable to a polynomial time attacker who can monitor the locations of read/write requests to RAM, but not cache. We also show that when k=o(N^(1/log log N))then any k-restricted graph with constant indegree has cumulative pebbling cost o(N^2). Our results almost completely characterize the spectrum of k-restricted dynamic graphs
Hardness measures and resolution lower bounds
Various "hardness" measures have been studied for resolution, providing
theoretical insight into the proof complexity of resolution and its fragments,
as well as explanations for the hardness of instances in SAT solving. In this
report we aim at a unified view of a number of hardness measures, including
different measures of width, space and size of resolution proofs. We also
extend these measures to all clause-sets (possibly satisfiable).Comment: 43 pages, preliminary version (yet the application part is only
sketched, with proofs missing
Efficient pebbling for list traversal synopses
We show how to support efficient back traversal in a unidirectional list,
using small memory and with essentially no slowdown in forward steps. Using
memory for a list of size , the 'th back-step from the
farthest point reached so far takes time in the worst case, while
the overhead per forward step is at most for arbitrary small
constant . An arbitrary sequence of forward and back steps is
allowed. A full trade-off between memory usage and time per back-step is
presented: vs. and vice versa. Our algorithms are based on a
novel pebbling technique which moves pebbles on a virtual binary, or -ary,
tree that can only be traversed in a pre-order fashion. The compact data
structures used by the pebbling algorithms, called list traversal synopses,
extend to general directed graphs, and have other interesting applications,
including memory efficient hash-chain implementation. Perhaps the most
surprising application is in showing that for any program, arbitrary rollback
steps can be efficiently supported with small overhead in memory, and marginal
overhead in its ordinary execution. More concretely: Let be a program that
runs for at most steps, using memory of size . Then, at the cost of
recording the input used by the program, and increasing the memory by a factor
of to , the program can be extended to support an
arbitrary sequence of forward execution and rollback steps: the 'th rollback
step takes time in the worst case, while forward steps take O(1)
time in the worst case, and amortized time per step.Comment: 27 page
Cumulative Memory Lower Bounds for Randomized and Quantum Computation
Cumulative memory -- the sum of space used per step over the duration of a
computation -- is a fine-grained measure of time-space complexity that was
introduced to analyze cryptographic applications like password hashing. It is a
more accurate cost measure for algorithms that have infrequent spikes in memory
usage and are run in environments such as cloud computing that allow dynamic
allocation and de-allocation of resources during execution, or when many
multiple instances of an algorithm are interleaved in parallel.
We prove the first lower bounds on cumulative memory complexity for both
sequential classical computation and quantum circuits. Moreover, we develop
general paradigms for bounding cumulative memory complexity inspired by the
standard paradigms for proving time-space tradeoff lower bounds that can only
lower bound the maximum space used during an execution. The resulting lower
bounds on cumulative memory that we obtain are just as strong as the best
time-space tradeoff lower bounds, which are very often known to be tight.
Although previous results for pebbling and random oracle models have yielded
time-space tradeoff lower bounds larger than the cumulative memory complexity,
our results show that in general computational models such separations cannot
follow from known lower bound techniques and are not true for many functions.
Among many possible applications of our general methods, we show that any
classical sorting algorithm with success probability at least
requires cumulative memory , any
classical matrix multiplication algorithm requires cumulative memory
, any quantum sorting circuit requires cumulative memory
, and any quantum circuit that finds disjoint collisions in
a random function requires cumulative memory .Comment: 42 pages, 4 figures, accepted to track A of ICALP 202
On Locally Decodable Codes in Resource Bounded Channels
Constructions of locally decodable codes (LDCs) have one of two undesirable properties: low rate or high locality (polynomial in the length of the message). In settings where the encoder/decoder have already exchanged cryptographic keys and the channel is a probabilistic polynomial time (PPT) algorithm, it is possible to circumvent these barriers and design LDCs with constant rate and small locality. However, the assumption that the encoder/decoder have exchanged cryptographic keys is often prohibitive. We thus consider the problem of designing explicit and efficient LDCs in settings where the channel is slightly more constrained than the encoder/decoder with respect to some resource e.g., space or (sequential) time. Given an explicit function f that the channel cannot compute, we show how the encoder can transmit a random secret key to the local decoder using f(?) and a random oracle ?(?). We then bootstrap the private key LDC construction of Ostrovsky, Pandey and Sahai (ICALP, 2007), thereby answering an open question posed by Guruswami and Smith (FOCS 2010) of whether such bootstrapping techniques are applicable to LDCs in channel models weaker than just PPT algorithms. Specifically, in the random oracle model we show how to construct explicit constant rate LDCs with locality of polylog in the security parameter against various resource constrained channels
Lifting with Simple Gadgets and Applications to Circuit and Proof Complexity
We significantly strengthen and generalize the theorem lifting
Nullstellensatz degree to monotone span program size by Pitassi and Robere
(2018) so that it works for any gadget with high enough rank, in particular,
for useful gadgets such as equality and greater-than. We apply our generalized
theorem to solve two open problems:
* We present the first result that demonstrates a separation in proof power
for cutting planes with unbounded versus polynomially bounded coefficients.
Specifically, we exhibit CNF formulas that can be refuted in quadratic length
and constant line space in cutting planes with unbounded coefficients, but for
which there are no refutations in subexponential length and subpolynomial line
space if coefficients are restricted to be of polynomial magnitude.
* We give the first explicit separation between monotone Boolean formulas and
monotone real formulas. Specifically, we give an explicit family of functions
that can be computed with monotone real formulas of nearly linear size but
require monotone Boolean formulas of exponential size. Previously only a
non-explicit separation was known.
An important technical ingredient, which may be of independent interest, is
that we show that the Nullstellensatz degree of refuting the pebbling formula
over a DAG G over any field coincides exactly with the reversible pebbling
price of G. In particular, this implies that the standard decision tree
complexity and the parity decision tree complexity of the corresponding
falsified clause search problem are equal
Proofs of Space: When Space Is of the Essence
Proofs of computational effort were devised to control denial of service attacks. Dwork and Naor (CRYPTO ’92), for example, proposed to use such proofs to discourage spam. The idea is to couple each email message with a proof of work that demonstrates the sender performed some computational task. A proof of work can be either CPU-bound or memory-bound. In a CPU-bound proof, the prover must compute a CPU-intensive function that is easy to check by the verifier. A memory-bound proof, instead, forces the prover to access the main memory several times, effectively replacing CPU cycles with memory accesses.
In this paper we put forward a new concept dubbed proof of space. To compute such a proof, the prover must use a specified amount of space, i.e., we are not interested in the number of accesses to the main memory (as in memory-bound proof of work) but rather on the amount of actual memory the prover must employ to compute the proof. We give a complete and detailed algorithmic description of our model. We develop a comprehensive theoretical analysis which uses combinatorial tools from Complexity Theory (such as pebbling games) which are essential in studying space lower bounds
- …