Cryptology ePrint Archive: Report 2015/430

Fast and Tradeoff-Resilient Memory-Hard Functions for Cryptocurrencies and Password Hashing

Alex Biryukov and Daniel Dinu and Dmitry Khovratovich

Abstract: Memory-hard functions are becoming an important tool in the design of password hashing schemes, cryptocurrencies, and more generic proof-of-work primitives that are x86-oriented and can not be computed on dedicated hardware more efficiently.

We develop a simple and cryptographically secure approach to the design of such functions and show how to exploit the architecture of modern CPUs and memory chips to make faster and more secure schemes compared to existing alternatives such as scrypt. We also propose cryptographic criteria for the components, that prevent cost reductions using time-memory tradeoffs and side-channel leaks. The concrete proof-of-work instantiation, which we call Argon2, can fill GBytes of RAM within a second, is resilient to various tradeoffs, and is suitable for a wide range of applications, which aim to bind a computation to a certain architecture.

Concerning potential DoS attacks, our scheme is lightweight enough to offset the bottleneck from the CPU to the memory bus thus leaving sufficient computing power for other tasks. We also propose parameters for which our scheme is botnet resistant. As an application, we suggest a cryptocurrency design with fast and memory-hard proof-of-work, which allows memoryless verification.

Category / Keywords: cryptographic protocols / memory-hard, cryptocurrency, bitcoin, tradeoff

Date: received 6 May 2015

Contact author: khovratovich at gmail com; alex biryukov@uni lu; dumitru-daniel dinu@uni lu

Available format(s): PDF | BibTeX Citation

Version: 20150506:142233 (All versions of this report)

Short URL: ia.cr/2015/430

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]