Moderately Hard Functions: Definition, Instantiations, and Applications

Several cryptographic schemes and applications are based on functions that are both reasonably efficient to compute and moderately hard to invert, including client puzzles for Denial-of-Service protection, password protection via salted hashes, and recent proof-of-work blockchain systems. Despite their wide use, a definition of this concept has not yet been distilled and formalized explicitly. Instead, either the applications are proven directly based on the assumptions underlying the function, or some property of the function is proven while the security of the application is argued only informally. The goal of this work is to provide a (universal) definition that decouples the effort of designing new moderately hard functions from the effort of building protocols based on them, serving as an interface between the two.
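As an added illustration of the asymmetry the abstract refers to (not code from the paper), the following hash-based client puzzle lets a server spend one hash evaluation to generate and one to verify, while a client must spend roughly 2^difficulty evaluations to solve; the function names, the SHA-256 instantiation and the leading-zero-bits criterion are our own choices, not the paper's definition.

```python
import hashlib
import os


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def make_puzzle(difficulty: int, nonce: bytes = None) -> tuple:
    """Server side: a fresh random nonce plus the required number of leading
    zero bits. Cost is independent of difficulty, so a server under load can
    raise the difficulty without raising its own work."""
    return (nonce if nonce is not None else os.urandom(16)), difficulty


def solve_puzzle(nonce: bytes, difficulty: int) -> tuple:
    """Client side: search a counter x such that SHA-256(nonce || x) starts
    with `difficulty` zero bits. Expected work is 2^difficulty evaluations.
    Returns (solution, number_of_hash_evaluations_performed)."""
    x = 0
    while True:
        digest = hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty:
            return x, x + 1
        x += 1


def verify_puzzle(nonce: bytes, difficulty: int, solution: int) -> bool:
    """Server side: exactly one hash evaluation regardless of difficulty."""
    if not 0 <= solution < 2 ** 64:
        return False
    digest = hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty


if __name__ == "__main__":
    # Constructed nonce so the run is reproducible; a server would use os.urandom.
    nonce, difficulty = make_puzzle(12, nonce=b"constructed-demo-nonce")
    solution, work = solve_puzzle(nonce, difficulty)
    print(f"client work: {work} hashes, server verification: 1 hash")
    print("valid:", verify_puzzle(nonce, difficulty, solution))
```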
