One-Time Computable Self-erasing Functions

Dziembowski, Stefan; Kazana, Tomasz; Wichs, Daniel

doi:10.1007/978-3-642-19571-6_9

Cited by 42 publications

(35 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Using the notion of hash graphs [DNW05,DKW11] we show how to obtain a family of functions f G from (single source and sink) DAGs G in the pROM. The main technical contribution of this section is a theorem lower-bounding the amortized hardness f G in the pROM using the CC of G in the parallel pebbling game.…”

Section: Our Contributionmentioning

confidence: 99%

“…More recently in the field of cryptography (a two colour variant of) the game has been used to prove lower-bounds on the number of cache misses [DNW05] or space required [DFKP13,ABFG13,FLW13] to compute certain functions by a sequential random access machine in the ROM. Finally an application of similar flavour demonstrated in [DKW11] shows how to ensure a function can be computed no more than once on memoryrestricted secure hardware.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

High Parallel Complexity Graphs and Memory-Hard Functions

Alwen

Serbinenko

2015

Proceedings of the Forty-Seventh Annual ACM Symposium on Theory of Computing

View full text Add to dashboard Cite

Abstract. We develop new theoretical tools for proving lower-bounds on the (amortized) complexity of functions in a parallel setting. We demonstrate their use by constructing the first provably secure Memory-hard functions (MHF); a class of functions recently gaining acceptance in practice as an effective means to counter brute-force attacks on security relevant functions.Pebbling games over graphs have proven to be a powerful abstraction for a wide variety of computational models. A dominant application of such games is proving complexity lower-bounds using "pebbling reductions". These bound the complexity of a given function fG in some computational model M of interest in terms of the pebbling complexity of a related graph G, where the pebbling complexity is defined via a pebbling game G. In particular, finding a function with high complexity in M is reduced to (the hopefully simpler task of) finding graphs with high pebbling complexity in G. We introduce a very simple and natural pebbling game Gp for abstracting parallel computation models. As an important conceptual contribution we also define a natural measure of pebbling complexity called cumulative complexity (CC) and show how it overcomes a crucial shortcoming in the parallel setting exhibited by more traditional complexity measures used in past reductions. Next (analogous to the results of Tarjan et. al. [PTC76,LT82] for sequential pebbling games) we demonstrates, via a novel and non-tibial proof, an explicit construction of a constant in-degree family of graphs whose CC in Gp approaches maximality to within a polylogarithmic factor for any graph of equal size.To demonstrate the use of these theoretical tools we give an example in the field of cryptography, by constructing the first provably secure Memory-hard function (MHF). Introduced by Percival [Per09], an MHF can be computed efficiently on a sequential machine but further requires the same amount of memory (or much greater time) amortized per evaluation on a parallel machine. Thus, while a say an ASIC or FPGA may be faster than a CPU, the increased cost of working memory negates this advantage. In particular MHFs crucially underly the ASIC/FPGAresistant proofs-of-work of the crypto-currency Litecoin[Cha11], the brute-force resistant key-derivation function scrypt [Per09] and can be used to increase the cost to an adversary of recovering passwords from a compromised login server. To place these applications on more sound theoretic footing we first provide a new formal definition (in the Random Oracle Model) and an accompanying notion of amortized memory hardness to capture the intuitive property of an MHF (thereby remedying an important issue with the original definition of [Per09]). Next we define a mapping from a graph G to a related function fG. Finally we prove a pebbling reduction bounding the amortized memory hardness per evaluation of fG in terms of the CC of G in the game Gp. Together with the construction above, this gives rise to the first provably secure example of an MHF.

show abstract

Section: Our Contributionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

High Parallel Complexity Graphs and Memory-Hard Functions

Alwen

Serbinenko

2015

Proceedings of the Forty-Seventh Annual ACM Symposium on Theory of Computing

View full text Add to dashboard Cite

show abstract

“…(See, e.g., [10,11] for similar proofs.) In obtaining a configuration of its storage H , an adversary A is allowed to play a pebble game.…”

Section: A Butterfly Hourglass Functionmentioning

confidence: 97%

“…In a similar vein, Dziembowski, Kazana, and Wichs [11] introduce the notion of one-time computable pseudorandom functions (PRF). They consider a model in which computation of a PRF FK (·) requires so much memory that it forces overwriting of the key K itself.…”

Section: Related Workmentioning

confidence: 99%

Hourglass schemes

Dijk¹,

Juels²,

Oprea³

et al. 2012

Proceedings of the 2012 ACM Conference on Computer and Communications Security

View full text Add to dashboard Cite

We consider the following challenge: How can a cloud storage provider prove to a tenant that it's encrypting files at rest, when the provider itself holds the corresponding encryption keys? Such proofs demonstrate sound encryption policies and file confidentiality. (Cheating, cost-cutting, or misconfigured providers may bypass the computation/management burdens of encryption and store plaintext only.)To address this problem, we propose hourglass schemes, protocols that prove correct encryption of files at rest by imposing a resource requirement (e.g., time, storage or computation) on the process of translating files from one encoding domain (i.e., plaintext) to a different, target domain (i.e., ciphertext). Our more practical hourglass schemes exploit common cloud infrastructure characteristics, such as limited file-system parallelism and the use of rotational hard drives for at-rest files. For files of modest size, we describe an hourglass scheme that exploits trapdoor one-way permutations to prove correct file encryption whatever the underlying storage medium.We also experimentally validate the practicality of our proposed schemes, the fastest of which incurs minimal overhead beyond the cost of encryption. As we show, hourglass schemes can be used to verify properties other than correct encryption, e.g., embedding of "provenance tags" in files for tracing the source of leaked files. Of course, even if a provider is correctly storing a file as ciphertext, it could also store a plaintext copy to service tenant requests more efficiently. Hourglass schemes cannot guarantee ciphertext-only storage, a problem inherent when the cloud manages keys. By means of experiments in Amazon EC2, however, we demonstrate that hourglass schemes provide strong incentives for economically rational cloud providers against storage of extra plaintext file copies.

show abstract

“…The goal of the player is to pebble a certain vertex of the graph. This technique was used in cryptography already before [21][22][23]. For an introduction to the graph pebbling see, e.g., [48].…”

Section: Introductionmentioning

confidence: 99%

Proofs of Space

Dziembowski

Faust

Kolmogorov

et al. 2015

Lecture Notes in Computer Science

Self Cite

247

159

View full text Add to dashboard Cite

Abstract. Proofs of work (PoW) have been suggested by Dwork and Naor (Crypto'92) as protection to a shared resource. The basic idea is to ask the service requestor to dedicate some non-trivial amount of computational work to every request. The original applications included prevention of spam and protection against denial of service attacks. More recently, PoWs have been used to prevent double spending in the Bitcoin digital currency system. In this work, we put forward an alternative concept for PoWs -so-called proofs of space (PoS), where a service requestor must dedicate a significant amount of disk space as opposed to computation. We construct secure PoS schemes in the random oracle model (with one additional mild assumption required for the proof to go through), using graphs with high "pebbling complexity" and Merkle hash-trees. We discuss some applications, including follow-up work where a decentralized digital currency scheme called Spacecoin is constructed that uses PoS (instead of wasteful PoW like in Bitcoin) to prevent double spending. The main technical contribution of this work is the construction of (directed, loop-free) graphs on N vertices with in-degree O(log log N ) such that even if one places Θ(N ) pebbles on the nodes of the graph, there's a constant fraction of nodes that needs Θ(N ) steps to be pebbled (where in every step one can put a pebble on a node if all its parents have a pebble).

show abstract

One-Time Computable Self-erasing Functions

Cited by 42 publications

References 36 publications

High Parallel Complexity Graphs and Memory-Hard Functions

High Parallel Complexity Graphs and Memory-Hard Functions

Hourglass schemes

Proofs of Space

Contact Info

Product

Resources

About