Approximating Cumulative Pebbling Cost Is Unique Games Hard
The cumulative pebbling complexity of a directed acyclic graph is defined
as , where the minimum is taken over all
legal (parallel) black pebblings of and denotes the number of
pebbles on the graph during round . Intuitively, captures
the amortized Space-Time complexity of pebbling copies of in parallel.
The cumulative pebbling complexity of a graph is of particular interest in
the field of cryptography as is tightly related to the
amortized Area-Time complexity of the Data-Independent Memory-Hard Function
(iMHF) [AS15] defined using a constant indegree directed acyclic
graph (DAG) and a random oracle . A secure iMHF should have
amortized Space-Time complexity as high as possible, e.g., to deter brute-force
a brute-force password attacker who wants to find such that . Thus, to
analyze the (in)security of a candidate iMHF , it is crucial to
estimate the value but currently, upper and lower bounds for
leading iMHF candidates differ by several orders of magnitude. Blocki and Zhou
recently showed that it is -Hard to compute , but
their techniques do not even rule out an efficient
-approximation algorithm for any constant . We
show that for any constant , it is Unique Games hard to approximate
to within a factor of .
(See the paper for the full abstract.)
Comment: 28 pages, updated figures and corrected typo.
Nullstellensatz Size-Degree Trade-offs from Reversible Pebbling
We establish an exactly tight relation between reversible pebblings of graphs and Nullstellensatz refutations of pebbling formulas, showing that a graph G can be reversibly pebbled in time t and space s if and only if there is a Nullstellensatz refutation of the pebbling formula over G in size t+1 and degree s (independently of the field in which the Nullstellensatz refutation is made). We use this correspondence to prove a number of strong size-degree trade-offs for Nullstellensatz, which to the best of our knowledge are the first such results for this proof system.
LIPIcs
We study space complexity and time-space trade-offs with a focus not on peak memory usage but on overall memory consumption throughout the computation. Such a cumulative space measure was introduced for the computational model of parallel black pebbling by [Alwen and Serbinenko '15] as a tool for obtaining results in cryptography. We consider instead the non-deterministic black-white pebble game and prove optimal cumulative space lower bounds and trade-offs, where in order to minimize pebbling time the space has to remain large during a significant fraction of the pebbling. We also initiate the study of cumulative space in proof complexity, an area where other space complexity measures have been extensively studied during the last 10–15 years. Using and extending the connection between proof complexity and pebble games in [Ben-Sasson and Nordström '08, '11] we obtain several strong cumulative space results for (even parallel versions of) the resolution proof system, and outline some possible future directions of study of this, in our opinion, natural and interesting space measure.
On the Relative Strength of Pebbling and Resolution
The last decade has seen a revival of interest in pebble games in the context
of proof complexity. Pebbling has proven a useful tool for studying
resolution-based proof systems when comparing the strength of different
subsystems, showing bounds on proof space, and establishing size-space
trade-offs. The typical approach has been to encode the pebble game played on a
graph as a CNF formula and then argue that proofs of this formula must inherit
(various aspects of) the pebbling properties of the underlying graph.
Unfortunately, the reductions used here are not tight. To simulate resolution
proofs by pebblings, the full strength of nondeterministic black-white pebbling
is needed, whereas resolution is only known to be able to simulate
deterministic black pebbling. To obtain strong results, one therefore needs to
find specific graph families which either have essentially the same properties
for black and black-white pebbling (not at all true in general) or which admit
simulations of black-white pebblings in resolution. This paper contributes to
both these approaches. First, we design a restricted form of black-white
pebbling that can be simulated in resolution and show that there are graph
families for which such restricted pebblings can be asymptotically better than
black pebblings. This proves that, perhaps somewhat unexpectedly, resolution
can strictly beat black-only pebbling, and in particular that the space lower
bounds on pebbling formulas in [Ben-Sasson and Nordstrom 2008] are tight.
Second, we present a versatile parametrized graph family with essentially the
same properties for black and black-white pebbling, which gives sharp
simultaneous trade-offs for black and black-white pebbling for various
parameter settings. Both of our contributions have been instrumental in
obtaining the time-space trade-off results for resolution-based proof systems
in [Ben-Sasson and Nordstrom 2009].
Comment: Full-length version of paper to appear in Proceedings of the 25th
Annual IEEE Conference on Computational Complexity (CCC '10), June 201
Catena: A Memory-Consuming Password-Scrambling Framework
It is a common wisdom that servers should store the one-way hash of their clients' passwords, rather than storing the password in the clear. In this paper we introduce a set of functional properties a key-derivation function (password scrambler) should have. Unfortunately, none of the existing algorithms satisfies our requirements and therefore, we introduce a novel and provably secure password scrambling framework (PSF) called Catena. Furthermore, we introduce two instantiations of Catena based on memory-consuming one-way functions. Thus, Catena excellently thwarts massively parallel attacks on cheap memory-constrained hardware, such as recent graphical processing units (GPUs). Additionally, we show that Catena is also a good key-derivation function, since – in the random oracle model – it is indistinguishable from a random function. Furthermore, the memory-access pattern of both instantiations is password-independent and therefore, Catena provides resistance against cache-timing attacks. Moreover, Catena is the first PSF which naturally supports (1) client-independent updates (the server can increase the security parameters and update the password hash without user interaction or knowing the password), (2) an optional server relief protocol (saving the server's resources at the cost of the client), and (3) a variant Catena-KG for secure key derivation (to securely generate many cryptographic keys of arbitrary lengths such that compromising some keys does not help to break others). We denote a password scrambler as a PSF with a certain instantiation.
Hardness of Approximation in PSPACE and Separation Results for Pebble Games
We consider the pebble game on DAGs with bounded fan-in introduced in
[Paterson and Hewitt '70] and the reversible version of this game in [Bennett
'89], and study the question of how hard it is to decide exactly or
approximately the number of pebbles needed for a given DAG in these games. We
prove that the problem of deciding whether pebbles suffice to reversibly
pebble a DAG is PSPACE-complete, as was previously shown for the standard
pebble game in [Gilbert, Lengauer and Tarjan '80]. Via two different graph
product constructions we then strengthen these results to establish that both
standard and reversible pebbling space are PSPACE-hard to approximate to within
any additive constant. To the best of our knowledge, these are the first
hardness of approximation results for pebble games in an unrestricted setting
(even for polynomial time). Also, since [Chan '13] proved that reversible
pebbling is equivalent to the games in [Dymond and Tompa '85] and [Raz and
McKenzie '99], our results apply to the Dymond--Tompa and Raz--McKenzie games
as well, and from the same paper it follows that resolution depth is
PSPACE-hard to determine up to any additive constant. We also obtain a
multiplicative logarithmic separation between reversible and standard pebbling
space. This improves on the additive logarithmic separation previously known
and could plausibly be tight, although we are not able to prove this. We leave
as an interesting open problem whether our additive hardness of approximation
result could be strengthened to a multiplicative bound if the computational
resources are decreased from polynomial space to the more common setting of
polynomial time.
On Black-Box Constructions of Time and Space Efficient Sublinear Arguments from Symmetric-Key Primitives
Zero-knowledge proofs allow a prover to convince a verifier of a statement without revealing anything besides its validity. A major bottleneck in scaling sub-linear zero-knowledge proofs is the high space requirement of the prover, even for NP relations that can be verified in a small space.
In this work, we ask whether there exist complexity-preserving (i.e. overhead w.r.t time and space are minimal) succinct zero-knowledge arguments of knowledge with minimal assumptions while making only black-box access to the underlying primitives.
We design the first such zero-knowledge system with sublinear communication complexity (when the underlying relation uses non-trivial space) and provide evidence why existing techniques are unlikely to improve the communication complexity in this setting.
Namely, for every NP relation that can be verified in time T and space S by a RAM program, we construct a public-coin zero-knowledge argument system that is black-box based on collision-resistant hash-functions (CRH) where the prover runs in time and space , the verifier runs in time and space and the communication is , where ignores polynomial factors in and is the security parameter. As our construction is public-coin, we can apply the Fiat-Shamir heuristic to make it non-interactive with sample communication/computation complexities.
Furthermore, we give evidence that reducing the proof length below will be hard using existing symmetric-key based techniques by arguing the space-complexity of constant-distance error correcting codes.
Analysis Design & Applications of Cryptographic Building Blocks
This thesis deals with the basic design and rigorous analysis of cryptographic schemes and primitives, especially of authenticated encryption schemes, hash functions, and password-hashing schemes.
In the last decade, security issues such as the PS3 jailbreak demonstrate that common security notions are rather restrictive, and it seems that they do not model the real world adequately. As a result, in the first part of this work, we introduce a less restrictive security model that is closer to reality. In this model it turned out that existing (on-line) authenticated encryption schemes can no longer be considered secure, i.e. they can guarantee neither data privacy nor data integrity. Therefore, we present two novel authenticated encryption schemes, namely COFFE and McOE, which are not only secure in the standard model but also reasonably secure in our generalized security model, i.e. both preserve full data integrity. In addition, McOE preserves a reasonable level of data privacy.
The second part of this thesis starts with proposing the hash function Twister-Pi, a revised version of the accepted SHA-3 candidate Twister. We not only fixed all known security issues of Twister, but also increased the overall soundness of our hash-function design.
Furthermore, we present some fundamental groundwork in the area of password-hashing schemes. This research was mainly inspired by the media omnipresence of password-leakage incidents. We show that the password-hashing scheme scrypt is vulnerable against cache-timing attacks due to the existence of a password-dependent memory-access pattern. Finally, we introduce Catena, the first password-hashing scheme that is both memory-consuming and resistant against cache-timing attacks.