On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model.

of a node is the hash h (modelled as a random oracle with w-bit output) of the labels of its parents. ... We investigate lower bounds in terms of time and memory on the parallel complexity of an adversary A computing labels of randomly selected challenge nodes in direct acyclic graphs, where the w-bit label ... This work was done in part while the authors were visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through ...

doi:10.1007/978-3-662-49896-5_13 fatcat:vi4jj37t4negbmthhobqm3m4jm

We prove that scrypt is optimally memory hard, i.e., its cumulative memory complexity (cmc) in the parallel random oracle model is Ω(n 2 w), where w and n are the output length and number of invocations ... This paper focuses on scrypt, a simple candidate MHF designed by Percival, and described in RFC 7914. ... We are also grateful to anonymous referees and Jeremiah Blocki for their careful reading of our proof and detailed suggestions. ...

doi:10.1007/978-3-319-56617-7_2 fatcat:hgoqht4am5hv7gzssya5icaxta

The techniques we develop are general: we also use them to give a proof of security of the scrypt and Argon2i password-hashing functions in the random-oracle model. ... This is the first practical cryptographic hash function that: (i) has proven memory-hardness properties in the random-oracle model, (ii) uses a password-independent access pattern, and (iii) meets or exceeds ... Opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of DARPA. ...

doi:10.1007/978-3-662-53887-6_8 fatcat:suv2aimhkvcelggdqh45jmgfie

Cryptographic hash functions have wide applications including password hashing, pricing functions for spam and denial-of-service countermeasures and proof of work in cryptocurrencies. ... We propose a model for hardware energy cost that has sound foundations in practice. We then analyze the bandwidth hardness property of ASIC resistant candidates. ... Acknowledgements: The authors are grateful to Krzysztof Pietrzak, Joël Alwen and Jeremiah Blocki for valuable discussions. ...

doi:10.1007/978-3-319-70500-2_16 fatcat:unrob26zazdarb4pbnz6efgo6y

Specifically, in the random oracle model we show how to construct explicit constant rate LDCs with locality of polylog in the security parameter against various resource constrained channels. ... Constructions of locally decodable codes (LDCs) have one of two undesirable properties: low rate or high locality (polynomial in the length of the message). ... Parallel Random Oracle Model Computation in the pROM proceeds in rounds. ...

doi:10.4230/lipics.itc.2020.16 dblp:conf/icits/BlockiKZ20 fatcat:yo542jd4uzakbmrcwwbpffzeq4

Open Access

Specifically, in the random oracle model we show how to construct explicit constant rate LDCs with locality of polylog in the security parameter against various resource constrained channels. ... Constructions of locally decodable codes (LDCs) have one of two undesirable properties: low rate or high locality (polynomial in the length of the message). ... This research was supported in part by the National Science Foundation (CCF Award #1910659). ...

arXiv:1909.11245v4 fatcat:mmvd3aartzh4xow6lbdcc5s6j4

Multiple Versions

Our first contribution is a security proof for the original PoS from CRYPTO'15 in the random oracle model (the original proof only applied to a restricted class of adversaries which can store a subset ... We discuss how some of these variants can be used as proofs of catalytic space (PoCS), a notion we put forward in this work, and which basically is a PoS where most of the space required by the prover ... An exception is the recent security proof for the datadependent MHF called SCRYPT [7] , which proves that SCRYPT has high cumulative memory complexity in the parallel random-oracle model. ...

doi:10.4230/lipics.itcs.2019.59 dblp:conf/innovations/Pietrzak19 fatcat:voopwoywivda7fdq77ock2vjwm

We investigate whether there are inherent limits of parallelization in the (randomized) massively parallel computation (MPC) model by comparing it with the (sequential) RAM model. ... Based on the widely-used random oracle methodology in cryptography with a cryptographic hash function h:{0,1}^n →{0,1}^n computable in time t_h, we show that there exists a function that can be computed ... The security (i.e., lower bounds on the so-called "cumulative memory complexity") of MHFs is analyzed in the RO model based on the random oracle methodology. ...

arXiv:2008.06554v1 fatcat:vacszplacjhtlaaiyu2nc4vl2y

This design is based on (1) employing a symmetric cipher, the Advanced Encryption Standard (AES), as a pseudo-random generator and (2) taking advantage of the support for the hardware acceleration for ... as Scrypt and Argon2, with favorable results. ... Diffie-Hellman assumption in the random oracle model. ...

doi:10.3390/sym10120705 fatcat:2zmwx5k2vjf4dly2umqsrq2dum

DOAJ Szczepanski

The main efficiency metrics for a cryptographic primitive are its speed, its code size and its memory complexity. ... For a variety of reasons, many algorithms have been proposed that, instead of optimizing, try to increase one of these hardness forms. ... The work of Léo Perrin was supported by the CORE project ACRYPT (ID C12-15-4009992) funded by the Fonds National de la Recherche, Luxembourg. ...

doi:10.1007/978-3-319-70700-6_15 fatcat:ppxfwa4pgfhpxlnycdbyx7mpna

To compute such a proof, the prover must use a specified amount of space, i.e., we are not interested in the number of accesses to the main memory (as in memory-bound proof of work) but rather on the amount ... We give a complete and detailed algorithmic description of our model. ... We are grateful to Krzysztof Pietrzak for his insightful comments and suggestions. References ...

doi:10.1007/978-3-319-10879-7_31 fatcat:tm6osznpdzcd7d5howg2njos2i

Recently, proof of space (PoS) has been suggested as a more egalitarian alternative to the traditional hash-based proof of work. ... In PoS, a prover proves to a verifier that it has dedicated some specified amount of space. ... At the moment, PoTS and PoPS are still far less efficient than PoW in terms of proof size and verifier complexity. A PoW is a single hash, while a PoS consists of hundreds (or more) of Merkle paths. ...

doi:10.1007/978-3-662-53641-4_11 fatcat:fz5nszj5jngtpmaqtpnvw427j4

We give the first lower bounds on the memory hardness of the Catena and Balloon Hashing functions in a parallel model of computation and we give the first lower bounds of any kind for (a version) of Argon2i ... -The sequential space-time pebbling complexity Πst(Gn) should be as close as possible to Π cc(Gn) (to ensure that using many cores in parallel and amortizing over many instances does not give much of an ... The first and third authors were supported by the ERC starting grant (259668-PSPC). ...

doi:10.1007/978-3-319-56617-7_1 fatcat:22amxglqore6demzrsy2dwl3wm

We develop new theoretical tools for proving lower-bounds on the (amortized) complexity of functions in a parallel setting. ... We demonstrate their use by constructing the first provably secure Memory-hard functions (MHF); a class of functions recently gaining acceptance in practice as an effective means to counter brute-force ... In particular G ω,φ,i has (φ + 1)I nodes which we identify with the set V = N <(φ+1)I such that the nodes of D 4 φ−j ω,I are numbered in topological order. ...

doi:10.1145/2746539.2746622 dblp:conf/stoc/AlwenS15 fatcat:mlcyoknonveyvcq46q2icczwjq

A memory-hard function (MHF) f n with parameter n can be computed in sequential time and space n. Simultaneously, a high amortized parallel area-time complexity (aAT) is incurred per evaluation. ... Finally, for the best performing of the new DAGs we implement an iMHF using the Argon2i round function and code base and show that on a standard off-the-shelf CPU the new iMHF can actually be evaluated ... Thus the memory-hardness of the graph functions is usually analyzed in the random oracle (RO) model where h is modeled as an ideal compression function (i.e. fixed input length RO). ...

doi:10.1145/3133956.3134031 dblp:conf/ccs/AlwenBH17 fatcat:st4qlbjw7jaapdz3j4iscvv7ni

On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model [chapter]

Preserved Fulltext

Scrypt Is Maximally Memory-Hard [chapter]

Preserved Fulltext

Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks [chapter]

Preserved Fulltext

Bandwidth Hard Functions for ASIC Resistance [chapter]

Preserved Fulltext

On Locally Decodable Codes in Resource Bounded Channels

Preserved Fulltext

On Locally Decodable Codes in Resource Bounded Channels [article]

Preserved Fulltext

Other Versions

Proofs of Catalytic Space

Preserved Fulltext

On the Hardness of Massively Parallel Computation [article]

Preserved Fulltext

Optimizing a Password Hashing Function with Hardware-Accelerated Symmetric Encryption

Preserved Fulltext

Symmetrically and Asymmetrically Hard Cryptography [chapter]

Preserved Fulltext

Proofs of Space: When Space Is of the Essence [chapter]

Preserved Fulltext

Proof of Space from Stacked Expanders [chapter]

Preserved Fulltext

Depth-Robust Graphs and Their Cumulative Memory Complexity [chapter]

Preserved Fulltext

High Parallel Complexity Graphs and Memory-Hard Functions

Preserved Fulltext

Practical Graphs for Optimal Side-Channel Resistant Memory-Hard Functions

Preserved Fulltext