
    Static-Memory-Hard Functions, and Modeling the Cost of Space vs. Time

    A series of recent research starting with (Alwen and Serbinenko, STOC 2015) has deepened our understanding of the notion of memory-hardness in cryptography — a useful property of hash functions for deterring large-scale password-cracking attacks — and has shown memory-hardness to have intricate connections with the theory of graph pebbling. Definitions of memory-hardness are not yet unified in the somewhat nascent field of memory-hardness, however, and the guarantees proven to date are with respect to a range of proposed definitions. In this paper, we observe two significant and practical considerations that are not analyzed by existing models of memory-hardness, and propose new models to capture them, accompanied by constructions based on new hard-to-pebble graphs. Our contribution is two-fold, as follows. First, existing measures of memory-hardness only account for dynamic memory usage (i.e., memory read/written at runtime), and do not consider static memory usage (e.g., memory on disk). Among other things, this means that memory requirements considered by prior models are inherently upper-bounded by a hash function's runtime; in contrast, counting static memory would potentially allow quantification of much larger memory requirements, decoupled from runtime. We propose a new definition of static-memory-hard function (SHF) which takes static memory into account: we model static memory usage by oracle access to a large preprocessed string, which may be considered part of the hash function description. Static memory requirements are complementary to dynamic memory requirements: neither can replace the other, and to deter large-scale password-cracking attacks, a hash function will benefit from being both dynamic memory-hard and static-memory-hard. We give two SHF constructions based on pebbling. To prove static-memory-hardness, we define a new pebble game ("black-magic pebble game"), and new graph constructions with optimal complexity under our proposed measure. Moreover, we provide a prototype implementation of our first SHF construction (which is based on pebbling of a simple "cylinder" graph), providing an initial demonstration of practical feasibility for a limited range of parameter settings. Second, existing memory-hardness models implicitly assume that the cost of space and time are more or less on par: they consider only linear ratios between the costs of time and space. We propose a new model to capture nonlinear time-space trade-offs: e.g., how is the adversary impacted when space is quadratically more expensive than time? We prove that nonlinear tradeoffs can in fact cause adversaries to employ different strategies from linear tradeoffs. Finally, as an additional contribution of independent interest, we present an asymptotically tight graph construction that achieves the best possible space complexity up to log log n-factors for an existing memory-hardness measure called cumulative complexity in the sequential pebbling model.
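    The abstract above refers to "cumulative complexity in the sequential pebbling model" without defining it. The following added example (not code from the paper, and not the paper's cylinder or black-magic constructions) plays the standard sequential black pebbling game on a small constructed DAG and measures cumulative complexity, i.e., the number of pebbles held, summed over all steps. The toy "window graph" (node i depends on i-1 and i-m), the strategy names and the parameter choices are assumptions made for illustration only.

```python
"""Sequential black pebbling and cumulative complexity on a small DAG.

Model (Alwen-Serbinenko style sequential game): a pebbling is a sequence of
configurations P_1, ..., P_t (sets of pebbled nodes), starting from the empty
set. Moving from P_{i-1} to P_i may place at most one new pebble, and only on a
node whose predecessors are all in P_{i-1}; any number of pebbles may be removed.
Cumulative complexity (CC) is sum_i |P_i|: memory held, summed over time.
"""
from typing import Dict, List, Sequence, Set, Tuple

Graph = Dict[int, Tuple[int, ...]]  # node -> tuple of predecessor nodes


def window_graph(n: int, m: int) -> Graph:
    """Constructed toy DAG on nodes 0..n-1 (assumption, not from the paper):
    node i depends on i-1 and on i-m, whichever exist. The long edges force a
    pebbler to keep roughly the last m nodes resident or to re-pebble them."""
    return {i: tuple(sorted({p for p in (i - 1, i - m) if p >= 0})) for i in range(n)}


def cumulative_complexity(graph: Graph, configs: Sequence[Set[int]], target: int) -> Tuple[int, int]:
    """Validate a pebbling of `graph` and return (CC, peak space).
    Raises ValueError on an illegal move or if `target` is never pebbled."""
    prev: Set[int] = set()
    cc = peak = 0
    reached = False
    for step, cur in enumerate(configs, start=1):
        new = cur - prev
        if len(new) > 1:
            raise ValueError(f"step {step}: at most one new pebble per step, got {sorted(new)}")
        for v in new:
            missing = [p for p in graph[v] if p not in prev]
            if missing:
                raise ValueError(f"step {step}: cannot pebble {v}, predecessors {missing} not pebbled")
        cc += len(cur)
        peak = max(peak, len(cur))
        reached = reached or target in cur
        prev = cur
    if not reached:
        raise ValueError(f"target {target} was never pebbled")
    return cc, peak


def keep_everything(n: int) -> List[Set[int]]:
    """Pebble 0..n-1 in order and never free a pebble: time n, space n, CC n(n+1)/2."""
    return [set(range(i + 1)) for i in range(n)]


def sliding_window(n: int, w: int) -> List[Set[int]]:
    """Pebble 0..n-1 in order, keeping only the w most recent pebbles."""
    return [set(range(max(0, i - w + 1), i + 1)) for i in range(n)]


if __name__ == "__main__":
    n, m = 8, 3
    g = window_graph(n, m)
    print("keep everything:", cumulative_complexity(g, keep_everything(n), n - 1))
    print("window of m:    ", cumulative_complexity(g, sliding_window(n, m), n - 1))
    try:
        # Too little memory: node m needs node 0, which this strategy already dropped.
        cumulative_complexity(g, sliding_window(n, m - 1), n - 1)
    except ValueError as exc:
        print("window of m-1 is illegal:", exc)
```

    On the window graph the honest strategy that keeps the last m pebbles is legal and pays CC about m*n, while a strategy with one pebble fewer is rejected as soon as a long edge is reached. Memory-hard constructions aim for graphs where every legal pebbling pays a large CC; the paper's constructions are far more involved than this toy.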

    Fork-Resilient Continuous Group Key Agreement

    Continuous Group Key Agreement (CGKA) lets an evolving group of clients agree on a sequence of group keys. An important application of CGKA is scalable asynchronous end-to-end (E2E) encrypted group messaging. A major problem preventing the use of CGKA over unreliable infrastructure is so-called forks. A fork occurs when group members have diverging views of the group's history (and thus its current state); e.g. due to network or server failures. Once communication channels are restored, members resolve a fork by agreeing on the state of the group again. Today's CGKA protocols make fork resolution challenging, as natural resolution strategies seem to conflict with the way the protocols enforce group state agreement and forward secrecy. Meanwhile, secure group messaging protocols which do support fork resolution do not scale nearly as well as CGKA does. In this work, we pave the way to practical scalable E2E messaging over unreliable infrastructure. To that end, we generalize CGKA to Fork-Resilient CGKA (FR-CGKA), which allows clients to process significantly more types of out-of-order network traffic. This is important for many natural fork resolution procedures as they are based, in part, on replaying missed traffic. Next, we give two FR-CGKA constructions: a practical one based on the CGKA underlying the MLS messaging standard and an optimally secure one (albeit with only theoretical efficiency). To further assist with fork resolution, we introduce a simple new abstraction to describe a client's local protocol state. The abstraction describes all and only the information relevant to natural fork resolution, making it easier for higher-level fork resolution procedures to work with and reason about. We define a black-box extension of an FR-CGKA which maintains such a description of a client's internal state. Finally, as a proof of concept, we give a basic fork resolution protocol.

    Minimizing movement: Fixed-parameter tractability


    Multicast Key Agreement, Revisited

    Multicast Key Agreement (MKA) is a long-overlooked natural primitive of large practical interest. In traditional MKA, an omniscient group manager privately distributes secrets over an untrusted network to a dynamically-changing set of group members. The group members are thus able to derive shared group secrets across time, with the main security requirement being that only current group members can derive the current group secret. There indeed exist very efficient MKA schemes in the literature that utilize symmetric-key cryptography. However, they lack formal security analyses, efficiency analyses regarding dynamically changing groups, and more modern, robust security guarantees regarding user state leakages: forward secrecy (FS) and post-compromise security (PCS). The former ensures that group secrets prior to state leakage remain secure, while the latter ensures that after such leakages, users can quickly recover security of group secrets via normal protocol operations. More modern Secure Group Messaging (SGM) protocols allow a group of users to asynchronously and securely communicate with each other, as well as add and remove each other from the group. SGM has received significant attention recently, including in an effort by the IETF Messaging Layer Security (MLS) working group to standardize an eponymous protocol. However, the group key agreement primitive at the core of SGM protocols, Continuous Group Key Agreement (CGKA), achieved by the TreeKEM protocol in MLS, suffers from bad worst-case efficiency and heavily relies on less efficient (than symmetric-key cryptography) public-key cryptography. We thus propose that in the special case of a group membership change policy which allows a single member to perform all group additions and removals, an upgraded version of classical Multicast Key Agreement (MKA) may serve as a more efficient substitute for CGKA in SGM. We therefore present rigorous, stronger MKA security definitions that provide increasing levels of security in the case of both user and group manager state leakage, and that are suitable for modern applications, such as SGM. We then construct a formally secure MKA protocol with strong efficiency guarantees for dynamic groups. Finally, we run experiments which show that the left-balanced binary tree structure used in TreeKEM can be replaced with red-black trees in MKA for better efficiency.

    The Height and Size of Random Hash Trees and Random Pebbled Hash Trees

    The random hash tree and the N-tree were introduced by Ehrlich in 1981. In the random hash tree, n data points are hashed to values $X_1, \ldots, X_n$, independently and identically distributed random variables taking values that are uniformly distributed on $[0, 1]$. Place the $X_i$'s in n equal-sized buckets as in hashing with chaining. For each bucket with at least two points, repeat the same process, keeping the branch factor always equal to the number of bucketed points. If $H_n$ is the height of the tree obtained in this manner, we show that $H_n / \log_2 n \to 1$ in probability. In the random pebbled hash tree, we remove one point randomly and place it in the present node (as with the digital search tree modification of a trie) and perform the bucketing step as above on the remaining points (if any). With this simple modification, $H_n$ in probability. We also show that the expected number of nodes in the random hash tree and random pebbled hash tree is asymptotic to $2.3020238\ldots n$ and $1.4183342\ldots n$, respectively.
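    The two constructions described above can be simulated directly. The following is an added example written for this page, not code from the paper: it builds Ehrlich's random hash tree and the pebbled variant exactly as the abstract describes them (bucket count equal to the number of points at a node; in the pebbled tree one random point stays in the node and the rest are bucketed), then measures height and node count so the asymptotic constants quoted above can be checked empirically. Rescaling each value within its bucket back to $[0,1)$, the node representation, the duplicate-value guard and the sample sizes are my assumptions.

```python
"""Simulation of the random hash tree and the random pebbled hash tree."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    points: int  # data points stored at this node itself (0 or 1)
    children: List["Node"] = field(default_factory=list)


def _bucket(values: List[float], k: int) -> List[List[float]]:
    """Distribute values in [0, 1) over k equal-width buckets ("hashing with
    chaining"). Each value is rescaled to [0, 1) within its bucket, so the next
    level again sees i.i.d. uniform variates (assumption: uniform hash values)."""
    buckets: List[List[float]] = [[] for _ in range(k)]
    for x in values:
        i = min(int(x * k), k - 1)
        buckets[i].append(x * k - i)
    return buckets


def hash_tree(values: List[float]) -> Node:
    """Random hash tree: a node holding k >= 2 points hashes them into k buckets
    and recurses; a node holding 0 or 1 points is a leaf."""
    k = len(values)
    if k <= 1:
        return Node(points=k)
    if len(set(values)) != k:
        # Two identical hash values would never separate: guard against infinite recursion.
        raise ValueError("duplicate hash values cannot be bucketed apart")
    return Node(points=0, children=[hash_tree(b) for b in _bucket(values, k)])


def pebbled_hash_tree(values: List[float], rng: Optional[random.Random] = None) -> Node:
    """Pebbled variant: one randomly chosen point stays in this node (as in a digital
    search tree); the remaining k-1 points are bucketed into k-1 buckets."""
    if rng is None:
        rng = random.Random(0)  # deterministic default for reproducible runs
    k = len(values)
    if k == 0:
        return Node(points=0)
    rest = list(values)
    rest.pop(rng.randrange(k))
    if not rest:
        return Node(points=1)
    return Node(points=1, children=[pebbled_hash_tree(b, rng) for b in _bucket(rest, len(rest))])


def height(t: Node) -> int:
    return 0 if not t.children else 1 + max(height(c) for c in t.children)


def size(t: Node) -> int:
    """Total number of nodes, empty buckets included."""
    return 1 + sum(size(c) for c in t.children)


def stored_points(t: Node) -> int:
    """Sanity check: every input point must end up stored exactly once."""
    return t.points + sum(stored_points(c) for c in t.children)


def simulate(n: int, trials: int, seed: int = 0) -> Dict[str, float]:
    """Average height and nodes-per-point of both trees over independent samples
    of n uniform hash values (constructed input, seeded for reproducibility)."""
    rng = random.Random(seed)
    acc = {"plain_height": 0.0, "plain_size": 0.0, "pebbled_height": 0.0, "pebbled_size": 0.0}
    for _ in range(trials):
        xs = [rng.random() for _ in range(n)]
        plain, pebbled = hash_tree(xs), pebbled_hash_tree(xs, rng)
        assert stored_points(plain) == n and stored_points(pebbled) == n
        acc["plain_height"] += height(plain)
        acc["plain_size"] += size(plain) / n
        acc["pebbled_height"] += height(pebbled)
        acc["pebbled_size"] += size(pebbled) / n
    return {k: v / trials for k, v in acc.items()}


if __name__ == "__main__":
    for n in (100, 1000, 10000):
        print(n, simulate(n, trials=20))
```

    Running the script prints the average height and the nodes-per-point ratio for growing n; the size ratios should approach the constants quoted in the abstract (about 2.30 for the plain tree and 1.42 for the pebbled tree), while the heights show the effect of keeping one point per node.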

    Security Analysis and Improvements for the IETF MLS Standard for Group Messaging

    Secure messaging (SM) protocols allow users to communicate securely over untrusted infrastructure. In contrast to most other secure communication protocols (such as TLS, SSH, or WireGuard), SM sessions may be long-lived (e.g., years) and highly asynchronous. In order to deal with likely state compromises of users during the lifetime of a session, SM protocols not only protect authenticity and privacy, but also guarantee forward secrecy (FS) and post-compromise security (PCS). The former ensures that messages sent and received before a state compromise remain secure, while the latter ensures that users can recover from state compromise as a consequence of normal protocol usage. SM has received considerable attention in the two-party case, where prior work has studied the well-known double-ratchet paradigm in particular and SM as a cryptographic primitive in general. Unfortunately, this paradigm does not scale well to the problem of secure group messaging (SGM). In order to address the lack of satisfactory SGM protocols, the IETF has launched the Messaging Layer Security (MLS) working group, which aims to standardize an eponymous SGM protocol. In this work we analyze the TreeKEM protocol, which is at the core of the SGM protocol proposed by the MLS working group. On a positive note, we show that TreeKEM achieves PCS in isolation (and slightly more). However, we observe that the current version of TreeKEM does not provide an adequate form of FS. More precisely, our work proceeds by formally capturing the exact security of TreeKEM as a so-called continuous group key agreement (CGKA) protocol, which we believe to be a primitive of independent interest. To address the insecurity of TreeKEM, we propose a simple modification to TreeKEM inspired by recent work of Jost et al. (EUROCRYPT '19) and an idea due to Kohbrok (MLS Mailing List). We then show that the modified version of TreeKEM comes with almost no efficiency degradation but achieves optimal (according to MLS specification) CGKA security, including FS and PCS. Our work also lays out how a CGKA protocol can be used to design a full SGM protocol. Finally, we propose and motivate an extensive list of potential future research directions for the area.

    Cliff ecology: Extent, biota, and recreation of cliff environments in the New River Gorge, WV

    The New River Gorge National River (NERI) contains an extensive network of exposed cliff-forming sandstone units, the most extensive in West Virginia and possibly within the entire Appalachian range. These cliff resources are critical to NERI's national significance, and contain specialized and potentially rare plant communities (Vanderhorst 2001; Mahan 2004; Vanderhorst, Jeuck, and Gawler 2007). This project investigates the spatial distribution of cliffs, associated plant (vascular and non-vascular) and lichen communities, and the impacts to cliff environments caused by recreational rock climbing.
    Using LiDAR in a GIS, we mapped all cliffs in the northern extent of NERI, from Keeney's Creek to the Hawks Nest Dam. We randomly selected 36 potential cliff outcrops along gorge slopes to measure structure and inventory cliff face species along all outcrop-forming sandstones. We also sampled 111 Nuttall Sandstone cliffs desirable for rock climbing to assess impacts to cliff environments at three positions: cliff base, face, and top. We randomly selected 79 established rock climbs (experimental) stratified by climb difficulty, potential use intensity, and aspect. In addition, we selected 32 unclimbed sites (control) deemed climbable and stratified by estimated difficulty and aspect. We measured species richness, soil depths, hardened zone (compacted area) lengths, and evidence of anthropogenic disturbance to analyze recreational impacts by climb difficulty, use intensity, and climb style (traditional or sport).
    Based on LiDAR, we estimate that there are 97 linear kilometers of exposed sandstone cliffs in the northern extent of NERI. Nuttall Sandstone differs in extent, structure and competence from the Raleigh, Guyandot, and Pineville Sandstones. Incompetent cliffs are more heterogeneous and sustain greater vascular species richness and frequency compared to sites desirable for rock climbing. Stepwise regression indicates 40% of overall cliff face species richness is determined by cliff angle and topography. We recorded 249 total species on cliff faces plus an additional 109 on cliff tops and base. Total species richness on cliff face ranges from 0 to 49. Common cliff face plants include: Asplenium montanum Wild., Betula lenta L., Lasallia pennsylvanica (Hoffm.) Llano, Physcia subtilis Degel., Leucobryum glaucum (Hedw.) Angstr., and Dicranella heteromalla (Hedwig) Schimper. Species of special interest include: Danthonia sericea Nutt., Dichanthelium acuminatum (Sw.) Gould & C.A. Clark ssp. columbianum, Chrysothrix susquehannensis Lendemer & Elix, Umbilicaria americana Poelt & T.H. Nash, Dicranum condensatum Hedw., and Brothera leana (Sull.) Müll. Hal.
    Impacts to cliff environments from rock climbing are conditioned by climb difficulty, use intensity, and to some extent, climb style. Climb difficulty is highly correlated with cliff structure, with significant declines in topographic frequency and steeper cliff angles associated with more difficult climbs (r² = 0.63; P < 0.01). Cliff face species richness declines with increases in climb difficulty (climbed or unclimbed) as well as with increased use intensity. A general linear model based on difficulty and use intensity explains 50% of the variability in total cliff face species richness. Of all cliff positions we investigated, cliff bases are most impacted by climbing, regardless of use intensity, difficulty, or style. Impacts to cliff tops are uncommon and are confined to low difficulty, popular, traditional climbs.
    Sites desirable for rock climbing represent a subset of cliffs in NERI, differing from randomly selected and incompetent cliffs in structure and vascular richness and abundance. Rock climb difficulty (e.g., cliff structure) and use intensity are clear predictors of diversity and can be used to guide management. Future development of climbs on competent, low angle cliffs should be limited to preserve the most diverse environments. Cliff bases are the most consistently impacted, where beginner level climbs sustain the greatest impacts to soils, bryophyte species richness, and hardened zone lengths. Impacts to cliff tops are infrequent, occurring on less than 20% of sites, and are confined to a subset of climbing (classified as: high use, traditional, <5.9). To prevent further impacts to sensitive cliff tops, management should target current and future beginner level, highly popular, traditional style climbs and establish a perimeter to impede enhanced impacts. We suggest that trails at base and top be rerouted away from cliffs into the contiguous forest to limit unnecessary traffic along sensitive and unique cliff edges. We recommend the judicious placement of climbing anchors at moderate to high use sites, specifically placed >2 m below the cliff top, above which height diversity is greatest. In addition, we recommend outreach to educate climbers about the negative effects of topping out (climbing on the top of the cliff rather than using anchors). Similarly, other recreational uses at cliff tops should be limited, especially trails and lookouts.

    LIPIcs, Volume 261, ICALP 2023, Complete Volume
