The cumulative pebbling complexity of a directed acyclic graph G is defined
as cc(G)=minP∑i∣Pi∣, where the minimum is taken over all
legal (parallel) black pebblings of G and ∣Pi∣ denotes the number of
pebbles on the graph during round i. Intuitively, cc(G) captures
the amortized Space-Time complexity of pebbling m copies of G in parallel.
The cumulative pebbling complexity of a graph G is of particular interest in
the field of cryptography as cc(G) is tightly related to the
amortized Area-Time complexity of the Data-Independent Memory-Hard Function
(iMHF) fG,H [AS15] defined using a constant indegree directed acyclic
graph (DAG) G and a random oracle H(⋅). A secure iMHF should have
amortized Space-Time complexity as high as possible, e.g., to deter brute-force
password attacker who wants to find x such that fG,H(x)=h. Thus, to
analyze the (in)security of a candidate iMHF fG,H, it is crucial to
estimate the value cc(G) but currently, upper and lower bounds for
leading iMHF candidates differ by several orders of magnitude. Blocki and Zhou
recently showed that it is NP-Hard to compute cc(G), but
their techniques do not even rule out an efficient
(1+ε)-approximation algorithm for any constant ε>0. We
show that for any constant c>0, it is Unique Games hard to approximate
cc(G) to within a factor of c.
(See the paper for the full abstract.)Comment: 28 pages, updated figures and corrected typo