RiffleScrambler - a memory-hard password storing function
We introduce RiffleScrambler: a new family of directed acyclic graphs and a
corresponding data-independent memory hard function with password independent
memory access. We prove its memory hardness in the random oracle model.
RiffleScrambler is similar to Catena -- updates of hashes are determined by a
graph (bit-reversal or double-butterfly graph in Catena). The advantage of the
RiffleScrambler over Catena is that the underlying graphs are not predefined
but are generated per salt, as in Balloon Hashing. Such an approach leads to
higher immunity against practical parallel attacks. RiffleScrambler offers
better efficiency than Balloon Hashing since the in-degree of the underlying
graph is equal to 3 (and is much smaller than in Balloon Hashing). At the same
time, because the underlying graph is an instance of a Superconcentrator, our
construction achieves the same time-memory trade-offs. Comment: Accepted to ESORICS 201
Fast and Tradeoff-Resilient Memory-Hard Functions for Cryptocurrencies and Password Hashing
Memory-hard functions are becoming an important tool in the design of password hashing schemes, cryptocurrencies, and more generic proof-of-work primitives that are x86-oriented and can not be computed on dedicated hardware more efficiently.
We develop a simple and cryptographically secure approach to the design of such functions and show how to exploit the architecture of modern CPUs and memory chips to make faster and more secure schemes compared to existing alternatives such as scrypt. We also propose cryptographic criteria for the components, that prevent cost reductions using time-memory tradeoffs and side-channel leaks. The concrete proof-of-work instantiation, which we call Argon2, can fill GBytes of RAM within a second, is resilient to various tradeoffs, and is suitable for a wide range of applications, which aim to bind a computation to a certain architecture.
Concerning potential DoS attacks, our scheme is lightweight enough to offset the bottleneck from the CPU to the memory bus, thus leaving sufficient computing power for other tasks. We also propose parameters for which our scheme is botnet resistant. As an application, we suggest a cryptocurrency design with fast and memory-hard proof-of-work, which allows memoryless verification.
LIPIcs
We study space complexity and time-space trade-offs with a focus not on peak memory usage but on overall memory consumption throughout the computation. Such a cumulative space measure was introduced for the computational model of parallel black pebbling by [Alwen and Serbinenko '15] as a tool for obtaining results in cryptography. We consider instead the non-deterministic black-white pebble game and prove optimal cumulative space lower bounds and trade-offs, where in order to minimize pebbling time the space has to remain large during a significant fraction of the pebbling. We also initiate the study of cumulative space in proof complexity, an area where other space complexity measures have been extensively studied during the last 10-15 years. Using and extending the connection between proof complexity and pebble games in [Ben-Sasson and Nordström '08, '11] we obtain several strong cumulative space results for (even parallel versions of) the resolution proof system, and outline some possible future directions of study of this, in our opinion, natural and interesting space measure.
Nullstellensatz Size-Degree Trade-offs from Reversible Pebbling
We establish an exactly tight relation between reversible pebblings of graphs
and Nullstellensatz refutations of pebbling formulas, showing that a graph
can be reversibly pebbled in time and space if and only if there is a
Nullstellensatz refutation of the pebbling formula over in size and
degree (independently of the field in which the Nullstellensatz refutation
is made). We use this correspondence to prove a number of strong size-degree
trade-offs for Nullstellensatz, which to the best of our knowledge are the
first such results for this proof system.
Near-linear time, Leakage-resilient Key Evolution Schemes from Expander Graphs
We develop new schemes for deterministically updating a stored
cryptographic key that provide security against an internal
adversary who can control the update computation and leak bounded
amounts of information to the outside world. Our schemes are much
more efficient than the previous schemes for this model, due to Dziembowski,
Kazana and Wichs (CRYPTO 2011). Specifically, our update operation
runs in time quasilinear in the key length, rather than quadratic,
while offering a similar level of leakage resilience.
In order to design our scheme, we strengthen the connections between
the model of Dziembowski et al. and "pebbling games", showing that
random-oracle-based key evolution schemes are secure as long as the
graph of the update function's calls to the oracle has
appropriate combinatorial properties. This builds on a connection
between pebbling and the random oracle model first established by
Dwork, Naor and Wee (CRYPTO 2005). Our scheme's efficiency relies on the
existence (which we show) of families of "local"
bipartite expander graphs of constant degree.
On the Hardness of Red-Blue Pebble Games
Red-blue pebble games model the computation cost of a two-level memory
hierarchy. We present various hardness results in different red-blue pebbling
variants, with a focus on the oneshot model. We first study the relationship
between previously introduced red-blue pebble models (base, oneshot, nodel). We
also analyze a new variant (compcost) to obtain a more realistic model of
computation. We then prove that red-blue pebbling is NP-hard in all of these
model variants. Furthermore, we show that in the oneshot model, a
-approximation algorithm for is only possible if the unique
games conjecture is false. Finally, we show that greedy algorithms are not good
candidates for approximation, since they can return significantly worse
solutions than the optimum.
On the Relative Strength of Pebbling and Resolution
The last decade has seen a revival of interest in pebble games in the context
of proof complexity. Pebbling has proven a useful tool for studying
resolution-based proof systems when comparing the strength of different
subsystems, showing bounds on proof space, and establishing size-space
trade-offs. The typical approach has been to encode the pebble game played on a
graph as a CNF formula and then argue that proofs of this formula must inherit
(various aspects of) the pebbling properties of the underlying graph.
Unfortunately, the reductions used here are not tight. To simulate resolution
proofs by pebblings, the full strength of nondeterministic black-white pebbling
is needed, whereas resolution is only known to be able to simulate
deterministic black pebbling. To obtain strong results, one therefore needs to
find specific graph families which either have essentially the same properties
for black and black-white pebbling (not at all true in general) or which admit
simulations of black-white pebblings in resolution. This paper contributes to
both these approaches. First, we design a restricted form of black-white
pebbling that can be simulated in resolution and show that there are graph
families for which such restricted pebblings can be asymptotically better than
black pebblings. This proves that, perhaps somewhat unexpectedly, resolution
can strictly beat black-only pebbling, and in particular that the space lower
bounds on pebbling formulas in [Ben-Sasson and Nordstrom 2008] are tight.
Second, we present a versatile parametrized graph family with essentially the
same properties for black and black-white pebbling, which gives sharp
simultaneous trade-offs for black and black-white pebbling for various
parameter settings. Both of our contributions have been instrumental in
obtaining the time-space trade-off results for resolution-based proof systems
in [Ben-Sasson and Nordstrom 2009]. Comment: Full-length version of paper to appear in Proceedings of the 25th
Annual IEEE Conference on Computational Complexity (CCC '10), June 201
Proofs of Space: When Space Is of the Essence
Proofs of computational effort were devised to control denial of service attacks. Dwork and Naor (CRYPTO ’92), for example, proposed to use such proofs to discourage spam. The idea is to couple each email message with a proof of work that demonstrates the sender performed some computational task. A proof of work can be either CPU-bound or memory-bound. In a CPU-bound proof, the prover must compute a CPU-intensive function that is easy to check by the verifier. A memory-bound proof, instead, forces the prover to access the main memory several times, effectively replacing CPU cycles with memory accesses.
In this paper we put forward a new concept dubbed proof of space. To compute such a proof, the prover must use a specified amount of space, i.e., we are not interested in the number of accesses to the main memory (as in memory-bound proof of work) but rather in the amount of actual memory the prover must employ to compute the proof. We give a complete and detailed algorithmic description of our model. We develop a comprehensive theoretical analysis which uses combinatorial tools from Complexity Theory (such as pebbling games) which are essential in studying space lower bounds.