Efficiently Computing Data-Independent Memory-Hard Functions

A memory-hard function (MHF) $f$ is equipped with a space cost $\sigma$ and a time cost $\tau$ parameter such that repeatedly computing $f_{\sigma,\tau}$ on an application-specific integrated circuit (ASIC) is not economically advantageous relative to a general-purpose computer. Technically, we would like that any (generalized) circuit for evaluating an iMHF $f_{\sigma,\tau}$ has area $\times$ time (AT) complexity at $\Theta(\sigma^2 \cdot \tau)$. A data-independent MHF (iMHF) has the added property that it can be computed with almost optimal memory and time complexity by an algorithm which accesses memory in a pattern independent of the input value. Such functions can be specified by fixing a directed acyclic graph (DAG) $G$ on $n = \Theta(\sigma \cdot \tau)$ nodes representing its computation graph. In this work we develop new tools for analyzing iMHFs. First, we define and motivate a new complexity measure capturing the amount of energy (i.e., electricity) required to compute a function. We argue that, in practice, this measure is at least as important as the more traditional AT-complexity. Next, we describe an algorithm $\mathcal{A}$ for repeatedly evaluating an iMHF based on an arbitrary DAG $G$. We upper-bound both its energy and AT complexities per instance evaluated in terms of a certain combinatorial property of $G$. Next, we instantiate our attack for several general classes of DAGs which include those underlying many of the most important iMHF candidates in the literature. In particular, we obtain the following results, which hold for all choices of parameters $\sigma$ and $\tau$ (and thread-count) such that $n = \sigma \cdot \tau$:

- The Catena-Dragonfly function of [FLW13] has AT and energy complexities $O(n^{1.67})$.
- The Catena-Butterfly function of [FLW13] has complexities $O(n^{1.67})$.
- The Double-Buffer and the Linear functions of [CGBS16] both have complexities in $O(n^{1.67})$.
- The Argon2i function of [BDK15] (winner of the Password Hashing Competition [PHC]) has complexities $O(n^{7/4} \log n)$.
- The Single-Buffer function of [CGBS16] has complexities $O(n^{7/4} \log n)$.
- Any iMHF can be computed by an algorithm with complexities $O(n^2 / \log^{1-\epsilon} n)$ for all $\epsilon > 0$. In particular, when $\tau = 1$ this shows that the goal of constructing an iMHF with AT-complexity $\Theta(\sigma^2 \cdot \tau)$ is unachievable.

Along the way we prove a lemma upper-bounding the depth-robustness of any DAG, which may prove to be of independent interest.
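The two cost measures the abstract contrasts (area $\times$ time, and energy as the total memory held over the whole computation) are easiest to see on a concrete DAG evaluation. The following is an added example, not code from the paper or from any iMHF candidate: it builds a constructed toy DAG whose edges depend only on a seed (so the access pattern is data-independent), labels nodes by hashing their parents' labels with SHA-256 standing in for the compression function, and charges any legal pebbling schedule both a peak-space-times-time cost and a cumulative (energy-style) cost. The graph rule, the salt and the schedule names are assumptions of this example.

```python
"""Toy iMHF evaluation as DAG pebbling, with AT-style and energy-style cost accounting.

Added example, not code from the paper or from any iMHF candidate. It models an
iMHF as a DAG on n nodes, labels each node by hashing its parents' labels, and
charges an evaluation schedule two costs: peak space times time (the AT-style
measure) and the sum of memory held over all steps (the energy-style measure).
"""
import hashlib
import random


def build_dag(n, seed=0):
    """Constructed toy graph: node i depends on node i-1 and on one earlier node
    picked by a seeded PRNG. The pick depends only on (i, seed), never on the
    input being hashed, so the memory access pattern is data-independent.
    This is an illustration, not the edge rule of Argon2i, Catena or Balloon."""
    rng = random.Random(seed)
    parents = {0: []}
    for i in range(1, n):
        ps = {i - 1}
        if i > 1:
            ps.add(rng.randrange(0, i - 1))
        parents[i] = sorted(ps)
    return parents


def label(i, parent_labels, salt):
    """Label of node i = H(salt, i, labels of its parents); SHA-256 stands in
    for the underlying compression function (an assumption of this example)."""
    h = hashlib.sha256()
    h.update(salt)
    h.update(i.to_bytes(4, "big"))
    for pl in parent_labels:
        h.update(pl)
    return h.digest()


def evaluate(parents, salt, schedule):
    """Run a pebbling schedule: schedule[t] is the set of nodes whose labels are
    kept in memory after step t. Step t computes node t, so all parents of t
    must have been kept after step t-1, and t itself must be kept after step t.
    Returns (final label, cost dict) or raises ValueError for an illegal schedule."""
    n = len(parents)
    memory = {}
    cumulative = 0   # sum over steps of labels held: energy-style cost
    peak = 0         # largest memory footprint: feeds the AT-style cost
    for t in range(n):
        missing = [p for p in parents[t] if p not in memory]
        if missing:
            raise ValueError(f"illegal step {t}: parents {missing} not in memory")
        if t not in schedule[t]:
            raise ValueError(f"illegal step {t}: node {t} dropped as it is computed")
        memory[t] = label(t, [memory[p] for p in parents[t]], salt)
        for v in list(memory):
            if v not in schedule[t]:
                del memory[v]
        cumulative += len(memory)
        peak = max(peak, len(memory))
    return memory[n - 1], {"cumulative": cumulative, "space_time": peak * n}


def keep_all(parents):
    """Naive schedule: never free a label. Cumulative cost is n(n+1)/2."""
    return [set(range(t + 1)) for t in range(len(parents))]


def keep_needed(parents):
    """Garbage-collecting schedule: free a label once no later node reads it.
    Still a legal evaluation of the same function, but cheaper on both measures."""
    n = len(parents)
    last_use = {v: -1 for v in range(n)}
    for u in range(n):
        for p in parents[u]:
            last_use[p] = max(last_use[p], u)
    schedule = [{v for v in range(t + 1) if last_use[v] > t} for t in range(n)]
    schedule[n - 1].add(n - 1)  # the output label must survive the last step
    return schedule


if __name__ == "__main__":
    g = build_dag(64, seed=0)
    salt = b"constructed-salt"   # constructed sample input
    out_all, cost_all = evaluate(g, salt, keep_all(g))
    out_gc, cost_gc = evaluate(g, salt, keep_needed(g))
    assert out_all == out_gc
    print("keep_all   :", cost_all)
    print("keep_needed:", cost_gc)
```

Both schedules compute the same output, yet the garbage-collecting one already holds fewer labels per step than the naive one, which is exactly the gap the cumulative (energy) measure exposes and the peak-space AT measure can hide. The paper's evaluation algorithm goes further by trading recomputation for memory on graphs that are not sufficiently depth-robust; this example only implements the accounting, so a reader can plug in a different graph rule or schedule and measure it.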

[1] Ran Canetti et al. POSH: a generalized captcha with security applications, 2008, AISec '08.

[2] Ken Thompson et al. Password security: a case history, 1979, CACM.

[3] Karen A. Scarfone et al. Guide to Enterprise Password Management, 2009.

[4] Oded Goldreich et al. Towards a theory of software protection and simulation by oblivious RAMs, 1987, STOC.

[5] Steven Alexander et al. Password Protection for Modern Operating Systems, 2004, login Usenix Mag.

[6] Hovav Shacham et al. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds, 2009, CCS.

[7] Lujo Bauer et al. Of passwords and people: measuring the effect of password-composition policies, 2011, CHI.

[8] Dan Boneh et al. Balloon Hashing: Provably Space-Hard Hash Functions with Data-Independent Access Patterns, 2016, IACR Cryptol. ePrint Arch.

[9] Manuel Blum et al. GOTCHA password hackers!, 2013, AISec.

[10] Tanja Lange et al. Non-uniform cracks in the concrete: the power of free precomputation, 2012, IACR Cryptol. ePrint Arch.

[11] Joseph Bonneau et al. Cache-Collision Timing Attacks Against AES, 2006, CHES.

[12] Sushil Jajodia et al. Moving Target Defense - Creating Asymmetric Uncertainty for Cyber Threats, 2011, Moving Target Defense.

[13] Salil P. Vadhan et al. Publicly verifiable proofs of sequential work, 2013, ITCS '13.

[14] Ari Juels et al. A New Two-Server Approach for Authentication with Short Secrets, 2003, USENIX Security Symposium.

[15] Moni Naor et al. On Memory-Bound Functions for Fighting Spam, 2003, CRYPTO.

[16] Arvind Narayanan et al. Bitcoin and Cryptocurrency Technologies - A Comprehensive Introduction, 2016.

[17] Daniel J. Bernstein et al. Cache-timing attacks on AES, 2005.

[18] Elaine Shi et al. Oblivious RAM with O((log N)^3) Worst-Case Cost, 2011, ASIACRYPT.

[19] Moni Naor et al. Pebbling and Proofs of Work, 2005, CRYPTO.

[20] Ronald L. Rivest et al. Honeywords: making password-cracking detectable, 2013, CCS.

[21] Ran Canetti et al. Mitigating Dictionary Attacks on Password-Protected Local Storage, 2006, CRYPTO.

[22] Jan Camenisch et al. Practical yet universally composable two-server password-authenticated secret sharing, 2012, CCS.

[23] Alex Biryukov et al. Fast and Tradeoff-Resilient Memory-Hard Functions for Cryptocurrencies and Password Hashing, 2015, IACR Cryptol. ePrint Arch.

[24] Cormac Herley et al. Where do security policies come from?, 2010, SOUPS.

[25] Joël Alwen et al. High Parallel Complexity Graphs and Memory-Hard Functions, 2015, IACR Cryptol. ePrint Arch.

[26] P. Erdős et al. On sparse graphs with dense long paths, 1975.

[27] E. Felten et al. Bitcoin and Cryptocurrency Technologies: a, 2022.

[28] Vladimir Kolmogorov et al. On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model, 2016, EUROCRYPT.

[29] Udi Manber et al. A simple scheme to make passwords based on one-way functions much harder to crack, 1996, Comput. Secur.

[30] Dan Boneh et al. Kamouflage: Loss-Resistant Password Management, 2010, ESORICS.

[31] Onur Aciiçmez et al. Cache Based Remote Timing Attack on the AES, 2007, CT-RSA.

[32] Ted Wobber et al. Moderately hard, memory-bound functions, 2005, TOIT.

[33] Alex Biryukov et al. Tradeoff Cryptanalysis of Memory-Hard Functions, 2015, ASIACRYPT.

[34] Anupam Datta et al. CASH: A Cost Asymmetric Secure Hash Algorithm for Optimal Password Protection, 2015, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[35] Burton S. Kaliski et al. PKCS #5: Password-Based Cryptography Specification Version 2.0, 2000, RFC.

[36] Colin Percival. Stronger Key Derivation via Sequential Memory-Hard Functions, 2009.

[37] Joseph Bonneau et al. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords, 2012, 2012 IEEE Symposium on Security and Privacy.

[38] Stefan Lucks et al. Catena: A Memory-Consuming Password Scrambler, 2013, IACR Cryptol. ePrint Arch.

[39] Ariel D. Procaccia et al. Optimizing password composition policies, 2013, EC.

[40] Robert E. Tarjan et al. Asymptotically tight bounds on time-space trade-offs in a pebble game, 1982, JACM.

[41] Leslie G. Valiant et al. Graph-Theoretic Arguments in Low-Level Complexity, 1977, MFCS.