High Parallel Complexity Graphs and Memory-Hard Functions

Alwen, Joël; Serbinenko, Vladimir

doi:10.1145/2746539.2746622

Cited by 66 publications

(74 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Without this constraint it would be much easier, but also much less interesting, to prove our results. 1 Another aspect worth pointing out is that although the reversible pebble game is weaker than the standard pebble game, it is technically much more challenging to analyze. The reason for this is that a standard pebbling will always progress in a "forward sweep" through the graph in topological order, and so one can often assume without loss of generality that once one has pebbled through some subgraph the pebbling will never touch this subgraph again.…”

Section: A Our Resultsmentioning

confidence: 99%

Hardness of Approximation in PSPACE and Separation Results for Pebble Games

Chan

Lauria

Nordström

et al. 2015

2015 IEEE 56th Annual Symposium on Foundations of Computer Science

View full text Add to dashboard Cite

We consider the pebble game on DAGs with bounded fan-in introduced in [Paterson and Hewitt '70] and the reversible version of this game in [Bennett '89], and study the question of how hard it is to decide exactly or approximately the number of pebbles needed for a given DAG in these games.We prove that the problem of deciding whether s pebbles suffice to reversibly pebble a DAG G is PSPACEcomplete, as was previously shown for the standard pebble game in [Gilbert, Lengauer and Tarjan '80]. Via two different graph product constructions we then strengthen these results to establish that both standard and reversible pebbling space are PSPACE-hard to approximate to within any additive constant. To the best of our knowledge, these are the first hardness of approximation results for pebble games in an unrestricted setting (even for polynomial time). Also, since [Chan '13] proved that reversible pebbling is equivalent to the games in [Dymond and Tompa '85] and [Raz and McKenzie '99], our results apply to the Dymond-Tompa and Raz-McKenzie games as well, and from the same paper it follows that resolution depth is PSPACE-hard to determine up to any additive constant.We also obtain a multiplicative logarithmic separation between reversible and standard pebbling space. This improves on the additive logarithmic separation previously known and could plausibly be tight, although we are not able to prove this.We leave as an interesting open problem whether our additive hardness of approximation result could be strengthened to a multiplicative bound if the computational resources are decreased from polynomial space to the more common setting of polynomial time. In the pebble game first studied by Paterson and Hewitt [26], one starts with an empty directed acyclic graph (DAG) G with bounded fan-in (and which in this paper in addition will always have a single sink) and places pebbles on the vertices according to the following rules:• If all (immediate) predecessors of an empty vertex v contain pebbles, a pebble may be placed on v.• A pebble may be removed from any vertex at any time. The goal is to get a pebble on the sink vertex of G with all other vertices being empty, and to do so while minimizing the total number of pebbles on G at any given time (the pebbling price of G). This game models computations with execution independent of the actual input. A pebble on a vertex indicates that the corresponding value is currently kept in memory and the objective is to perform the computation with the minimum amount of memory.The pebble game has been used to study flowcharts and recursive schemata [26] Bennett [3] introduced the reversible pebble game as part of a broader program [2] to investigate possibilities to eliminate (or significantly reduce) energy dissipation in logical computation. Another reason reversible computation is of interest is that observation-free quantum computation is inherently reversible. In the reversible pebble game, the moves performed in reverse order should also constitute a legal pebbling, whi...

show abstract

Section: A Our Resultsmentioning

confidence: 99%

Hardness of Approximation in PSPACE and Separation Results for Pebble Games

Chan

Lauria

Nordström

et al. 2015

2015 IEEE 56th Annual Symposium on Foundations of Computer Science

View full text Add to dashboard Cite

show abstract

“…Depending on the architecture, the costs vary significantly for the same algorithm A. For the ASIC-equipped attackers, who can use parallel computing cores, it is widely suggested that the costs can be approximated by the time-area product AT [9,11,28,35]. Here T is the time complexity of the used algorithm and A is the sum of areas needed to implement the memory cells and the area needed to implement the cores.…”

Section: Attackers and Cost Estimatesmentioning

confidence: 99%

“…A simple tradeoff for scrypt has been known in folklore and was recently formalized in [20]. Alwen and Serbinenko analyzed a simplified version of Catena in [9]. Designers of Lyra2 and Catena attempted to attack their own designs in the original submissions [20,25].…”

Section: Introductionmentioning

confidence: 99%

Tradeoff Cryptanalysis of Memory-Hard Functions

Biryukov

Khovratovich

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We explore time-memory and other tradeoffs for memory-hard functions, which are supposed to impose significant computational and time penalties if less memory is used than intended. We analyze three finalists of the Password Hashing Competition: Catena, which was presented at Asiacrypt 2014, yescrypt and Lyra2. We demonstrate that Catena's proof of tradeoff resilience is flawed, and attack it with a novel precomputation tradeoff. We show that using M 4/5 memory instead of M we have no time penalties and reduce the AT cost by the factor of 25. We further generalize our method for a wide class of schemes with predictable memory access. For a wide class of data-dependent schemes, which addresses memory unpredictably, we develop a novel ranking tradeoff and show how to decrease the time-memory and the time-area product by significant factors. We then apply our method to yescrypt and Lyra2 also exploiting the iterative structure of their internal compression functions. The designers confirmed our attacks and responded by adding a new mode for Catena and tweaking Lyra2.

show abstract

“…If we model the hash function H as a random oracle [12], then the sender must compute an expected 2 t hashes until she finds such a σ. 4 A useful property of this PoW is that there is no speedup when one has to find many proofs, i.e., finding s proofs requires s2 t evaluations. The value t should be chosen such that it is not much of a burden for a party sending out a few emails per day (say, it takes 10 seconds to compute), but is expensive for a Spammer trying to send millions of messages.…”

Section: Introductionmentioning

confidence: 99%

“…In [1] Abadi, Burrows, Manasse and Wobber observed that CPU speeds may differ significantly between different devices and proposed as an alternative measure the number of times the memory is accessed (i.e., the number of cache misses) in order to compute the proof. This approach was formalized and further improved in [19,55,21,4], which use pebbling based techniques. Such memory-hard functions cannot be used as PoS as the memory required to compute and verify the function is the same for provers and verifiers.…”

Section: Introductionmentioning

confidence: 99%

Proofs of Space

Dziembowski

Faust

Kolmogorov

et al. 2015

Lecture Notes in Computer Science

247

159

View full text Add to dashboard Cite

Abstract. Proofs of work (PoW) have been suggested by Dwork and Naor (Crypto'92) as protection to a shared resource. The basic idea is to ask the service requestor to dedicate some non-trivial amount of computational work to every request. The original applications included prevention of spam and protection against denial of service attacks. More recently, PoWs have been used to prevent double spending in the Bitcoin digital currency system. In this work, we put forward an alternative concept for PoWs -so-called proofs of space (PoS), where a service requestor must dedicate a significant amount of disk space as opposed to computation. We construct secure PoS schemes in the random oracle model (with one additional mild assumption required for the proof to go through), using graphs with high "pebbling complexity" and Merkle hash-trees. We discuss some applications, including follow-up work where a decentralized digital currency scheme called Spacecoin is constructed that uses PoS (instead of wasteful PoW like in Bitcoin) to prevent double spending. The main technical contribution of this work is the construction of (directed, loop-free) graphs on N vertices with in-degree O(log log N ) such that even if one places Θ(N ) pebbles on the nodes of the graph, there's a constant fraction of nodes that needs Θ(N ) steps to be pebbled (where in every step one can put a pebble on a node if all its parents have a pebble).

show abstract

High Parallel Complexity Graphs and Memory-Hard Functions

Cited by 66 publications

References 38 publications

Hardness of Approximation in PSPACE and Separation Results for Pebble Games

Hardness of Approximation in PSPACE and Separation Results for Pebble Games

Tradeoff Cryptanalysis of Memory-Hard Functions

Proofs of Space

Contact Info

Product

Resources

About