77,380 research outputs found
Computationally Data-Independent Memory Hard Functions
Memory hard functions (MHFs) are an important cryptographic primitive that are used to design egalitarian proofs of work and in the construction of moderately expensive key-derivation functions resistant to brute-force attacks. Broadly speaking, MHFs can be divided into two categories: data-dependent memory hard functions (dMHFs) and data-independent memory hard functions (iMHFs). iMHFs are resistant to certain side-channel attacks as the memory access pattern induced by the honest evaluation algorithm is independent of the potentially sensitive input e.g., password. While dMHFs are potentially vulnerable to side-channel attacks (the induced memory access pattern might leak useful information to a brute-force attacker), they can achieve higher cumulative memory complexity (CMC) in comparison than an iMHF. In particular, any iMHF that can be evaluated in N steps on a sequential machine has CMC at most ?((N^2 log log N)/log N). By contrast, the dMHF scrypt achieves maximal CMC ?(N^2) - though the CMC of scrypt would be reduced to just ?(N) after a side-channel attack.
In this paper, we introduce the notion of computationally data-independent memory hard functions (ciMHFs). Intuitively, we require that memory access pattern induced by the (randomized) ciMHF evaluation algorithm appears to be independent from the standpoint of a computationally bounded eavesdropping attacker - even if the attacker selects the initial input. We then ask whether it is possible to circumvent known upper bound for iMHFs and build a ciMHF with CMC ?(N^2). Surprisingly, we answer the question in the affirmative when the ciMHF evaluation algorithm is executed on a two-tiered memory architecture (RAM/Cache).
We introduce the notion of a k-restricted dynamic graph to quantify the continuum between unrestricted dMHFs (k=n) and iMHFs (k=1). For any ? > 0 we show how to construct a k-restricted dynamic graph with k=?(N^(1-?)) that provably achieves maximum cumulative pebbling cost ?(N^2). We can use k-restricted dynamic graphs to build a ciMHF provided that cache is large enough to hold k hash outputs and the dynamic graph satisfies a certain property that we call "amenable to shuffling". In particular, we prove that the induced memory access pattern is indistinguishable to a polynomial time attacker who can monitor the locations of read/write requests to RAM, but not cache. We also show that when k=o(N^(1/log log N))then any k-restricted graph with constant indegree has cumulative pebbling cost o(N^2). Our results almost completely characterize the spectrum of k-restricted dynamic graphs
RiffleScrambler - a memory-hard password storing function
We introduce RiffleScrambler: a new family of directed acyclic graphs and a
corresponding data-independent memory hard function with password independent
memory access. We prove its memory hardness in the random oracle model.
RiffleScrambler is similar to Catena -- updates of hashes are determined by a
graph (bit-reversal or double-butterfly graph in Catena). The advantage of the
RiffleScrambler over Catena is that the underlying graphs are not predefined
but are generated per salt, as in Balloon Hashing. Such an approach leads to
higher immunity against practical parallel attacks. RiffleScrambler offers
better efficiency than Balloon Hashing since the in-degree of the underlying
graph is equal to 3 (and is much smaller than in Ballon Hashing). At the same
time, because the underlying graph is an instance of a Superconcentrator, our
construction achieves the same time-memory trade-offs.Comment: Accepted to ESORICS 201
Sustained Space and Cumulative Complexity Trade-offs for Data-Dependent Memory-Hard Functions
Memory-hard functions (MHFs) are a useful cryptographic primitive which can be used to design egalitarian proof of work puzzles and to protect low entropy secrets like passwords against brute-force attackers. Intuitively, a memory-hard function is a function whose evaluation costs are dominated by memory costs even if the attacker uses specialized hardware (FPGAs/ASICs), and several cost metrics have been proposed to quantify this intuition. For example, space-time cost looks at the product of running time and the maximum space usage over the entire execution of an algorithm. Alwen and Serbinenko (STOC 2015) observed that the space-time cost of evaluating a function multiple times may not scale linearly in the number of instances being evaluated and introduced the stricter requirement that a memory-hard function has high cumulative memory complexity (CMC) to ensure that an attacker\u27s amortized space-time costs remain large even if the attacker evaluates the function on multiple different inputs in parallel. Alwen et al. (EUROCRYPT 2018) observed that the notion of CMC still gives the attacker undesirable flexibility in selecting space-time tradeoffs e.g., while the MHF scrypt has maximal CMC , an attacker could evaluate the function with constant memory in time . Alwen et al. introduced an even stricter notion of Sustained Space complexity and designed an MHF which has sustained complexity i.e., any algorithm evaluating the function in the parallel random oracle model must have at least steps where the memory usage is at least . In this work, we use dynamic pebbling games and dynamic graphs to explore tradeoffs between sustained space complexity and cumulative memory complexity for data-dependent memory-hard functions such as Argon2id and scrypt. We design our own dynamic graph (dMHF) with the property that {\em any} dynamic pebbling strategy either (1) has rounds with space, or (2) has CMC --- substantially larger than . For Argon2id we show that {\em any} dynamic pebbling strategy either(1) has rounds with space, or (2) has CMC . We also present a dynamic version of DRSample (Alwen et al. 2017) for which {\em any} dynamic pebbling strategy either (1) has rounds with space, or (2) has CMC
Approximating Cumulative Pebbling Cost Is Unique Games Hard
The cumulative pebbling complexity of a directed acyclic graph is defined
as , where the minimum is taken over all
legal (parallel) black pebblings of and denotes the number of
pebbles on the graph during round . Intuitively, captures
the amortized Space-Time complexity of pebbling copies of in parallel.
The cumulative pebbling complexity of a graph is of particular interest in
the field of cryptography as is tightly related to the
amortized Area-Time complexity of the Data-Independent Memory-Hard Function
(iMHF) [AS15] defined using a constant indegree directed acyclic
graph (DAG) and a random oracle . A secure iMHF should have
amortized Space-Time complexity as high as possible, e.g., to deter brute-force
password attacker who wants to find such that . Thus, to
analyze the (in)security of a candidate iMHF , it is crucial to
estimate the value but currently, upper and lower bounds for
leading iMHF candidates differ by several orders of magnitude. Blocki and Zhou
recently showed that it is -Hard to compute , but
their techniques do not even rule out an efficient
-approximation algorithm for any constant . We
show that for any constant , it is Unique Games hard to approximate
to within a factor of .
(See the paper for the full abstract.)Comment: 28 pages, updated figures and corrected typo
Multi-core computation of transfer matrices for strip lattices in the Potts model
The transfer-matrix technique is a convenient way for studying strip lattices
in the Potts model since the compu- tational costs depend just on the periodic
part of the lattice and not on the whole. However, even when the cost is
reduced, the transfer-matrix technique is still an NP-hard problem since the
time T(|V|, |E|) needed to compute the matrix grows ex- ponentially as a
function of the graph width. In this work, we present a parallel
transfer-matrix implementation that scales performance under multi-core
architectures. The construction of the matrix is based on several repetitions
of the deletion- contraction technique, allowing parallelism suitable to
multi-core machines. Our experimental results show that the multi-core
implementation achieves speedups of 3.7X with p = 4 processors and 5.7X with p
= 8. The efficiency of the implementation lies between 60% and 95%, achieving
the best balance of speedup and efficiency at p = 4 processors for actual
multi-core architectures. The algorithm also takes advantage of the lattice
symmetry, making the transfer matrix computation to run up to 2X faster than
its non-symmetric counterpart and use up to a quarter of the original space
Shared-Memory Parallel Maximal Clique Enumeration
We present shared-memory parallel methods for Maximal Clique Enumeration
(MCE) from a graph. MCE is a fundamental and well-studied graph analytics task,
and is a widely used primitive for identifying dense structures in a graph. Due
to its computationally intensive nature, parallel methods are imperative for
dealing with large graphs. However, surprisingly, there do not yet exist
scalable and parallel methods for MCE on a shared-memory parallel machine. In
this work, we present efficient shared-memory parallel algorithms for MCE, with
the following properties: (1) the parallel algorithms are provably
work-efficient relative to a state-of-the-art sequential algorithm (2) the
algorithms have a provably small parallel depth, showing that they can scale to
a large number of processors, and (3) our implementations on a multicore
machine shows a good speedup and scaling behavior with increasing number of
cores, and are substantially faster than prior shared-memory parallel
algorithms for MCE.Comment: 10 pages, 3 figures, proceedings of the 25th IEEE International
Conference on. High Performance Computing, Data, and Analytics (HiPC), 201
- …