We develop a simple and cryptographically secure approach to the design of such functions and show how to exploit the architecture of modern CPUs and memory chips to make faster and more secure schemes compared to existing alternatives such as scrypt. We also propose cryptographic criteria for the components, that prevent cost reductions using time-memory tradeoffs and side-channel leaks. The concrete proof-of-work instantiation, which we call Argon2, can fill GBytes of RAM within a second, is resilient to various tradeoffs, and is suitable for a wide range of applications, which aim to bind a computation to a certain architecture.
Concerning potential DoS attacks, our scheme is lightweight enough to offset the bottleneck from the CPU to the memory bus thus leaving sufficient computing power for other tasks. We also propose parameters for which our scheme is botnet resistant. As an application, we suggest a cryptocurrency design with fast and memory-hard proof-of-work, which allows memoryless verification.
Category / Keywords: cryptographic protocols / memory-hard, cryptocurrency, bitcoin, tradeoff Date: received 6 May 2015 Contact author: khovratovich at gmail com; alex biryukov@uni lu; dumitru-daniel dinu@uni lu Available format(s): PDF | BibTeX Citation Version: 20150506:142233 (All versions of this report) Short URL: ia.cr/2015/430 Discussion forum: Show discussion | Start new discussion