Paper 2018/221

Bandwidth-Hard Functions: Reductions and Lower Bounds

Jeremiah Blocki, Peiyuan Liu, Ling Ren, and Samson Zhou


Memory Hard Functions (MHFs) have been proposed as an answer to the growing inequality between the computational speed of general purpose CPUs and Application Specific Integrated Circuits (ASICs). MHFs have seen widespread applications including password hashing, key stretching and proofs of work. Several metrics have been proposed to quantify the ``memory hardness'' of a function. Cumulative memory complexity (CMC) (Alwen and Serbinenko, STOC 2015) (or amortized Area $\times$ Time complexity (Alwen et. al., CCS 2017)) attempts to quantify the cost to acquire/build the hardware to evaluate the function --- after normalizing the time it takes to evaluate the function repeatedly at a given rate. By contrast, bandwidth hardness (Ren and Devadas, TCC 2017) attempts to quantify the energy costs of evaluating this function --- which in turn is largely dominated by the number of cache misses. Ideally, a good MHF would be both bandwidth hard and have high cumulative memory complexity. While the cumulative memory complexity of leading MHF candidates is well understood, little is known about the \emph{bandwidth hardness} of many prominent MHF candidates. Our contributions are as follows: First, we provide the first reduction proving that, in the parallel random oracle model, the bandwidth hardness of a Data-Independent Memory Hard Function (iMHF) is described by the red-blue pebbling cost of the directed acyclic graph (DAG) associated with that iMHF. Second, we show that the goals of designing an MHF with high CMC/bandwidth hardness are well aligned. In particular, we prove that any function (data-independent or not) with high CMC also has relatively high bandwidth costs. Third, we analyze the bandwidth hardness of several prominent iMHF candidates such as Argon2i (Biryukov et. al., 2015), winner of the password hashing competition, aATSample and DRSample (Alwen et. al., CCS 2017) --- the first practical iMHF with essentially asymptotically optimal CMC. We prove that in the parallel random oracle model each iMHFs are maximally bandwidth hard. Fourth, we analyze the bandwidth hardness of a prominent dMHF called Scrypt. We prove the first unconditional tight lower bound on the energy cost of Scrypt in the parallel random oracle model. Finally, we show that the problem of finding the minimum cost red-blue pebbling of a directed acyclic graph is NP-hard.

Note: Full version of CCS 2018 paper. The original version of this paper appeared at CCS 2018 with Jeremiah Blocki, Ling Ren and Samson Zhou as authors. The updated paper includes full/unconditional lower bound on the bandwidth hardness of Scrypt resolving an open question from the original version of the paper. Peiyuan Liu has been added as an author for her contributions to the new Scrypt lower bound. The updated paper also corrects several bugs in the paper.

Available format(s)
Publication info
Published elsewhere. Major revision.Proceedings of the 25th ACM Conference on Computer Security (CCS 2018)
CryptanalysisHash FunctionsBandwidth-Hard FunctionsMHFsArgon2iscryptRed-blue pebbling
Contact author(s)
liu2039 @ purdue edu
2022-05-05: last of 7 revisions
2018-02-27: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jeremiah Blocki and Peiyuan Liu and Ling Ren and Samson Zhou},
      title = {Bandwidth-Hard Functions: Reductions and Lower Bounds},
      howpublished = {Cryptology ePrint Archive, Paper 2018/221},
      year = {2018},
      doi = {10.1145/3243734.3243773},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.