Memory-Tight Reductions [chapter]

Benedikt Auerbach, David Cash, Manuel Fersch, Eike Kiltz
2017 Lecture Notes in Computer Science  
Cryptographic reductions typically aim to be tight by transforming an adversary A into an algorithm that uses essentially the same resources as A. In this work we initiate the study of memory efficiency in reductions. We argue that the amount of working memory used (relative to the initial adversary) is a relevant parameter in reductions, and that reductions that are inefficient with memory will sometimes yield less meaningful security guarantees. We then point to several common techniques in
more » ... ductions that are memory-inefficient and give a toolbox for reducing memory usage. We review common cryptographic assumptions and their sensitivity to memory usage. Finally, we prove an impossibility result showing that reductions between some assumptions must unavoidably be either memory-or time-inefficient. This last result follows from a connection to data streaming algorithms for which unconditional memory lower bounds are known.
doi:10.1007/978-3-319-63688-7_4 fatcat:mhn6mmbgtbgtvb3xxn223s3iva