Bandwidth-Hard Functions: Reductions and Lower Bounds

Jeremiah Blocki; Peiyuan Liu; Ling Ren; Samson Zhou

Paper 2018/221

Bandwidth-Hard Functions: Reductions and Lower Bounds

Jeremiah Blocki

Peiyuan Liu

Ling Ren

Samson Zhou

Abstract

Memory Hard Functions (MHFs) have been proposed as an answer to the growing inequality between the computational speed of general purpose CPUs and Application Specific Integrated Circuits (ASICs). MHFs have seen widespread applications including password hashing, key stretching and proofs of work. Several metrics have been proposed to quantify the ``memory hardness'' of a function. Cumulative memory complexity (CMC) (Alwen and Serbinenko, STOC 2015) (or amortized Area Time complexity (Alwen et. al., CCS 2017)) attempts to quantify the cost to acquire/build the hardware to evaluate the function --- after normalizing the time it takes to evaluate the function repeatedly at a given rate. By contrast, bandwidth hardness (Ren and Devadas, TCC 2017) attempts to quantify the energy costs of evaluating this function --- which in turn is largely dominated by the number of cache misses. Ideally, a good MHF would be both bandwidth hard and have high cumulative memory complexity. While the cumulative memory complexity of leading MHF candidates is well understood, little is known about the \emph{bandwidth hardness} of many prominent MHF candidates. Our contributions are as follows: First, we provide the first reduction proving that, in the parallel random oracle model, the bandwidth hardness of a Data-Independent Memory Hard Function (iMHF) is described by the red-blue pebbling cost of the directed acyclic graph (DAG) associated with that iMHF. Second, we show that the goals of designing an MHF with high CMC/bandwidth hardness are well aligned. In particular, we prove that any function (data-independent or not) with high CMC also has relatively high bandwidth costs. Third, we analyze the bandwidth hardness of several prominent iMHF candidates such as Argon2i (Biryukov et. al., 2015), winner of the password hashing competition, aATSample and DRSample (Alwen et. al., CCS 2017) --- the first practical iMHF with essentially asymptotically optimal CMC. We prove that in the parallel random oracle model each iMHFs are maximally bandwidth hard. Fourth, we analyze the bandwidth hardness of a prominent dMHF called Scrypt. We prove the first unconditional tight lower bound on the energy cost of Scrypt in the parallel random oracle model. Finally, we show that the problem of finding the minimum cost red-blue pebbling of a directed acyclic graph is NP-hard.

Note: Appeared in Journal of Cryptology 2024, extended full version of CCS 2018 paper. The original version of this paper appeared at CCS 2018 with Jeremiah Blocki, Ling Ren and Samson Zhou as authors. The updated paper includes full/unconditional lower bound on the bandwidth hardness of Scrypt resolving an open question from the original version of the paper. Peiyuan Liu has been added as an author for her contributions to the new Scrypt lower bound. The updated paper also corrects several bugs in the paper.

Metadata

Available format(s): PDF
Category: Foundations
Publication info: Published elsewhere. Major revision. (Extended full version) Journal of Cryptology 2024; Proceedings of the 25th ACM Conference on Computer Security (CCS 2018)
DOI: 10.1007/s00145-024-09497-3
Keywords: Cryptanalysis Hash Functions Bandwidth-Hard Functions MHFs Argon2i scrypt Red-blue pebbling
Contact author(s): jblocki @ purdue edu
liu2039 @ purdue edu
renling @ illinois edu
samsonzhou @ gmail com
History: 2024-08-05: last of 9 revisions; 2018-02-27: received; See all versions
Short URL: https://ia.cr/2018/221
License: CC BY

BibTeX

@misc{cryptoeprint:2018/221,
      author = {Jeremiah Blocki and Peiyuan Liu and Ling Ren and Samson Zhou},
      title = {Bandwidth-Hard Functions: Reductions and Lower Bounds},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/221},
      year = {2018},
      doi = {10.1007/s00145-024-09497-3},
      url = {https://eprint.iacr.org/2018/221}
}