39 research outputs found

    Data-Independent Memory Hard Functions: New Attacks and Stronger Constructions

    Memory-hard functions (MHFs) are a key cryptographic primitive underlying the design of moderately expensive password hashing algorithms and egalitarian proofs of work. Over the past few years several increasingly stringent goals for an MHF have been proposed, including the requirement that the MHF have high sequential space-time (ST) complexity, parallel space-time complexity, amortized area-time (aAT) complexity and sustained space complexity. Data-Independent Memory Hard Functions (iMHFs) are of special interest in the context of password hashing as they naturally resist side-channel attacks. iMHFs can be specified using a directed acyclic graph (DAG) $G$ with $N=2^n$ nodes and low indegree, and the complexity of the iMHF can be analyzed using a pebbling game. Recently, Alwen et al. [CCS 17] constructed a DAG called DRSample that has aAT complexity at least $\Omega(N^2/\log N)$. Asymptotically DRSample outperformed all prior iMHF constructions including Argon2i, winner of the password hashing competition (aAT cost $\mathcal{O}(N^{1.767})$), though the constants in these bounds are poorly understood. We show that the greedy pebbling strategy of Boneh et al. [ASIACRYPT 16] is particularly effective against DRSample, e.g., the aAT cost is $\mathcal{O}(N^2/\log N)$. In fact, our empirical analysis reverses the prior conclusion of Alwen et al. that DRSample provides stronger resistance to known pebbling attacks for practical values of $N \leq 2^{24}$. We construct a new iMHF candidate (DRSample+BRG) by using the bit-reversal graph to extend DRSample. We then prove that the construction is asymptotically optimal under every MHF criterion, and we empirically demonstrate that our iMHF provides the best resistance to known pebbling attacks. For example, we show that any parallel pebbling attack either has aAT cost $\omega(N^2)$ or requires at least $\Omega(N)$ steps with $\Omega(N/\log N)$ pebbles on the DAG. This makes our construction the first practical iMHF with a strong sustained space-complexity guarantee and immediately implies that any parallel pebbling has aAT complexity $\Omega(N^2/\log N)$. We also prove that any sequential pebbling (including the greedy pebbling attack) has aAT cost $\Omega(N^2)$ and, if a plausible conjecture holds, any parallel pebbling has aAT cost $\Omega(N^2 \log\log N/\log N)$, the best possible bound for an iMHF.

    Identification of Genes Required for Neural-Specific Glycosylation Using Functional Genomics

    Glycosylation plays crucial regulatory roles in various biological processes such as development, immunity, and neural functions. For example, α1,3-fucosylation, the addition of a fucose moiety abundant in Drosophila neural cells, is essential for neural development, function, and behavior. However, it remains largely unknown how neural-specific α1,3-fucosylation is regulated. In the present study, we searched for genes involved in the glycosylation of a neural-specific protein using a Drosophila RNAi library. We obtained 109 genes affecting glycosylation that clustered into nine functional groups. Among them, members of the RNA regulation group were enriched by a secondary screen that identified genes specifically regulating α1,3-fucosylation. Further analyses revealed that an RNA-binding protein, second mitotic wave missing (Swm), upregulates expression of the neural-specific glycosyltransferase FucTA and facilitates its mRNA export from the nucleus. This first large-scale genetic screen for glycosylation-related genes has revealed novel regulation of fucTA mRNA in neural cells.

    Ubiquitous Weak-key Classes of BRW-polynomial Function

    The BRW-polynomial function is suggested as a preferred alternative to the polynomial function, owing to its high efficiency and seemingly non-existent weak keys. In this paper we investigate the weak-key issue of the BRW-polynomial function as well as BRW-instantiated cryptographic schemes. Although, in BRW-polynomial evaluation, the relationship between coefficients and input blocks is indistinct, we give a recursive algorithm that, for any given $(2^{v+1}-1)$-block message, computes another $(2^{v+1}-1)$-block message such that their output differential through BRW-polynomial evaluation equals any given $s$-degree polynomial, where $v \ge \lfloor \log_2(s+1) \rfloor$. With this algorithm, we illustrate that any non-empty key subset is a weak-key class in the BRW-polynomial function. Moreover, any key subset of the BRW-polynomial function consisting of at least $2$ keys is a weak-key class in BRW-instantiated cryptographic schemes such as the Wegman-Carter scheme, the UHF-then-PRF scheme, DCT, etc. Especially in the AE scheme DCT, both its confidentiality and its integrity collapse totally when weak keys of the BRW-polynomial function, which are ubiquitous, are used.

    Proof of Space from Stacked Expanders

    Recently, proof of space (PoS) has been suggested as a more egalitarian alternative to the traditional hash-based proof of work. In PoS, a prover proves to a verifier that it has dedicated some specified amount of space. A closely related notion is memory-hard functions (MHF), functions that require a lot of memory/space to compute. While making promising progress, existing PoS and MHF have several problems. First, there are large gaps between the desired space-hardness and what can be proven. Second, it has been pointed out that PoS and MHF should require a lot of space not just at some point, but throughout the entire computation/protocol; few proposals considered this issue. Third, the two existing PoS constructions are both based on a class of graphs called superconcentrators, which are either hard to construct or add a logarithmic factor overhead to efficiency. In this paper, we construct PoS from stacked expander graphs. Our constructions are simpler, more efficient and have tighter provable space-hardness than prior works. Our results also apply to a recent MHF called Balloon hash. We show Balloon hash has tighter space-hardness than previously believed and consistent space-hardness throughout its computation.

    Protein-Protein Interactions of Tandem Affinity Purified Protein Kinases from Rice

    Eighty-eight rice (Oryza sativa) cDNAs encoding rice leaf expressed protein kinases (PKs) were fused to a Tandem Affinity Purification tag (TAP-tag) and expressed in transgenic rice plants. The TAP-tagged PKs and interacting proteins were purified from the T1 progeny of the transgenic rice plants and identified by tandem mass spectrometry. Forty-five TAP-tagged PKs were recovered in this study and thirteen of these were found to interact with other rice proteins with a high probability score. In vivo phosphorylated sites were found for three of the PKs. A comparison of the TAP-tagged data from a combined analysis of 129 TAP-tagged rice protein kinases with a concurrent screen using yeast two-hybrid methods identified an evolutionarily new rice protein that interacts with the well conserved cell division cycle 2 (CDC2) protein complex.

    Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks

    We present the Balloon password-hashing algorithm. This is the first practical cryptographic hash function that: (i) has proven memory-hardness properties in the random-oracle model, (ii) uses a password-independent access pattern, and (iii) meets or exceeds the performance of the best heuristically secure password-hashing algorithms. Memory-hard functions require a large amount of working space to evaluate efficiently and, when used for password hashing, they dramatically increase the cost of offline dictionary attacks. In this work, we leverage a previously unstudied property of a certain class of graphs ("random sandwich graphs") to analyze the memory-hardness of the Balloon algorithm. The techniques we develop are general: we also use them to give a proof of security of the scrypt and Argon2i password-hashing functions in the random-oracle model. Our security analysis uses a sequential model of computation, which essentially captures attacks that run on single-core machines. Recent work shows how to use massively parallel special-purpose machines (e.g., with hundreds of cores) to attack Balloon and other memory-hard functions. We discuss these important attacks, which are outside of our adversary model, and propose practical defenses against them. To motivate the need for security proofs in the area of password hashing, we demonstrate and implement a practical attack against Argon2i that successfully evaluates the function with less space than was previously claimed possible. Finally, we use experimental results to compare the performance of the Balloon hashing algorithm to other memory-hard functions.

    Indifferentiable Authenticated Encryption

    We study Authenticated Encryption with Associated Data (AEAD) from the viewpoint of composition in arbitrary (single-stage) environments. We use the indifferentiability framework to formalize the intuition that a "good" AEAD scheme should have random ciphertexts subject to decryptability. Within this framework, we can then apply the indifferentiability composition theorem to show that such schemes offer extra safeguards wherever the relevant security properties are not known, or cannot be predicted in advance, as in general-purpose crypto libraries and standards. We show, on the negative side, that generic composition (in many of its configurations) and well-known classical and recent schemes fail to achieve indifferentiability. On the positive side, we give a provably indifferentiable Feistel-based construction, which reduces the round complexity from at least 6, needed for block ciphers, to only 3 for encryption. This result is not too far off the theoretical optimum, as we give a lower bound that rules out the indifferentiability of any construction with fewer than 2 rounds.

    Presymptomatic alterations in energy metabolism and oxidative stress in the APP23 mouse model of Alzheimer disease

    Glucose hypometabolism is the earliest symptom observed in the brains of Alzheimer disease (AD) patients. In a former study, we analyzed the cortical proteome of the APP23 mouse model of AD at presymptomatic age (1 month) using a 2-D electrophoresis-based approach. Interestingly, long before amyloidosis can be observed in APP23 mice, proteins associated with energy metabolism were predominantly altered in transgenic as compared to wild-type mice, indicating presymptomatic changes in energy metabolism. In the study presented here, we analyzed whether the observed changes were associated with oxidative stress and confirmed our previous findings in primary cortical neurons, which exhibited altered ADP/ATP levels if transgenic APP was expressed. Reactive oxygen species produced during energy metabolism have important roles in cell signaling and homeostasis as they modify proteins. We observed an overall up-regulation of protein oxidation status, as shown by increased protein carbonylation in the cortex of presymptomatic APP23 mice. Interestingly, many carbonylated proteins, such as Vilip1 and Syntaxin, were associated with synaptic plasticity. This demonstrates an important link between energy metabolism and synaptic function, which is altered in AD. In summary, we demonstrate that changes in cortical energy metabolism and increased protein oxidation precede the amyloidogenic phenotype in a mouse model for AD. These changes might contribute to the synaptic failure observed in later disease stages, as synaptic transmission is particularly dependent on energy metabolism.