Welcome to the resource topic for 2018/944
Title:
Data-Independent Memory Hard Functions: New Attacks and Stronger Constructions
Authors: Jeremiah Blocki, Ben Harsha, Siteng Kang, Seunghoon Lee, Lu Xing, Samson Zhou
Abstract:Memory-hard functions (MHFs) are a key cryptographic primitive underlying the design of moderately expensive password hashing algorithms and egalitarian proofs of work. Over the past few years several increasingly stringent goals for an MHF have been proposed including the requirement that the MHF have high sequential space-time (ST) complexity, parallel space-time complexity, amortized area-time (aAT) complexity and sustained space complexity. Data-Independent Memory Hard Functions (iMHFs) are of special interest in the context of password hashing as they naturally resist side-channel attacks. iMHFs can be specified using a directed acyclic graph (DAG) G with N=2^n nodes and low indegree and the complexity of the iMHF can be analyzed using a pebbling game. Recently, Alwen et al. [CCS 17] constructed a DAG called DRSample that has aAT complexity at least \Omega\left( N^2/\log N\right). Asymptotically DRSample outperformed all prior iMHF constructions including Argon2i, winner of the password hashing competition (aAT cost \mathcal{O}\left(N^{1.767}\right)), though the constants in these bounds are poorly understood. We show that the greedy pebbling strategy of Boneh et al. [ASIACRYPT 16] is particularly effective against DRSample e.g., the aAT cost is \mathcal{O}\left( N^2/\log N\right). In fact, our empirical analysis {\em reverses} the prior conclusion of Alwen et al. that DRSample provides stronger resistance to known pebbling attacks for practical values of N \leq 2^{24}. We construct a new iMHF candidate (DRSample+BRG) by using the bit-reversal graph to extend DRSample. We then prove that the construction is asymptotically optimal under every MHF criteria, and we empirically demonstrate that our iMHF provides the best resistance to {\em known} pebbling attacks. For example, we show that any parallel pebbling attack either has aAT cost \omega(N^2) or requires at least \Omega(N) steps with \Omega(N/\log N) pebbles on the DAG. This makes our construction the first practical iMHF with a strong sustained space-complexity guarantee and immediately implies that any parallel pebbling has aAT complexity \Omega(N^2/\log N). We also prove that any sequential pebbling (including the greedy pebbling attack) has aAT cost \Omega\left( N^2\right) and, if a plausible conjecture holds, any parallel pebbling has aAT cost \Omega(N^2 \log \log N/\log N) — the best possible bound for an iMHF.
ePrint: https://eprint.iacr.org/2018/944
Talk: https://www.youtube.com/watch?v=5VXdlhRmxUk
See all topics related to this paper.
Feel free to post resources that are related to this paper below.
Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.
For more information, see the rules for Resource Topics .