Memory-Hard Functions from Cryptographic Primitives

Chen, Binyi; Tessaro, Stefano

doi:10.1007/978-3-030-26951-7_19

Cited by 6 publications

(26 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The main contribution is a reduction to the energy complexity of the constructed function from the red-blue pebbling complexity of the underlying depth-robust graph. The results extend the theory developed by Chen and Tessaro [13] who established an analogous relation for the cumulative memory complexity [7] of a random permutation based memory-hard function and the black pebbling complexity of the underlying graph.…”

Section: Our Contributionssupporting

confidence: 83%

“…We note that the construction of a random permutation based bandwidth-hard function could be dug out from two previous works. One can use the technique of [13] to first prove memory-hardness and then apply a result from [11]. The later work showed a lower bound of energy cost by the square root of the memory-cost.…”

Section: Impact Of Our Resultsmentioning

confidence: 99%

“…If a node has a single predecessor, then the labelling function outputs π(x) ⊕ x where x is the label of the predecessor. The main technical contribution of our work is to devise a compression argument which works for any constant in-degree ( [13] crucially requires indegree to be 2), even when the labelling function does not take the identity of the node. The adversary can make inverse queries to the underlying primitive (in our case, random permutation).…”

Section: Our Contributionsmentioning

confidence: 99%

“…Finally, we extend the output length of the bandwidth-hard function by extending the technique of [13] and show a direct way to convert any depth-robust graph G into a bandwidth-hard function.…”

Section: Our Contributionsmentioning

confidence: 99%

See 3 more Smart Citations

Bandwidth-Hard Functions from Random Permutations

Bhattacharyya¹,

Mandal²

2022

Preprint

View full text Add to dashboard Cite

ASIC hash engines are specifically optimized for parallel computations of cryptographic hashes and thus a natural environment for mounting brute-force attacks on hash functions. Two fundamental advantages of ASICs over general purpose computers are the area advantage and the energy efficiency. The memory-hard functions approach the problem by reducing the area advantage of ASICs compared to general-purpose computers. Traditionally, memory-hard functions have been analyzed in the (parallel) random oracle model. However, as the memory-hard security game is multi-stage, indifferentiability does not apply and instantiating the random oracle becomes a non-trivial problem. Chen and Tessaro (CRYPTO 2019) considered this issue and showed how random oracles should be instantiated in the context of memory-hard functions. The Bandwidth-Hard functions, introduced by Ren and Devadas (TCC 2017), aim to provide ASIC resistance by reducing the energy advantage of ASICs. In particular, bandwidth-hard functions provide ASIC resistance by guaranteeing high run time energy cost if the available cache is not large enough. Previously, bandwidth-hard functions have been analyzed in the parallel random oracle model. In this work, we show how those random oracles can be instantiated using random permutations in the context of bandwidth-hard functions. Our results are generic and valid for any hard-to-pebble graphs.

show abstract

Section: Our Contributionssupporting

confidence: 83%

Section: Impact Of Our Resultsmentioning

confidence: 99%

Section: Our Contributionsmentioning

confidence: 99%

Section: Our Contributionsmentioning

confidence: 99%

See 2 more Smart Citations

Bandwidth-Hard Functions from Random Permutations

Bhattacharyya¹,

Mandal²

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…To prevent 51% attacks, PoW should minimize the difference of computational advantage between dedicated hardware (ASIC) and ordinary CPUs as possible. A solution for this purpose is a memory-hard function that consumes a large number of memory accesses [2]- [4].…”

Section: Introductionmentioning

confidence: 99%

A Proof of Work Based on Key Recovery Problem of Cascade Block Ciphers with ASIC Resistance

ASANUMA

Isobe

2022

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Hashcash, which is a Proof of Work (PoW) of bitcoin, is based on a preimage problem of hash functions of SHA-2 and RIPEMD. As these hash functions employ the Merkle-Damgard (MD) construction, a preimage can be found with negligible memory. Since such calculations can be accelerated by dedicated ASICs, it has a potential risk of a so-called 51% attack. To address this issue, we propose a new PoW scheme based on the key recovery problem of cascade block ciphers. By choosing the appropriate parameters, e.g., block sizes and key sizes of underlying block ciphers, we can make this problem a memory-hard problem such that it requires a lot of memory to efficiently solve it. Besides, we can independently adjust the required time complexity and memory complexity, according to requirements by target applications and progress of computational power.

show abstract