Attacking Data Independent Memory Hard Functions


1 Attacking Data Independent Memory Hard Functions
Jeremiah Blocki (Microsoft Research/Purdue) Joel Alwen (IST Austria)

2 Motivation: Password Storage
Suppose that I register for an account at playstation.com. Stored record: Username: jblocki; Salt: 89d978034a3f6; Hash: 85e23cfe0021f584e3db87aa72630a9a2345c062.
SHA1( d978034a3f6) = 85e23cfe0021f584e3db87aa72630a9a2345c062

3 Offline Attacks: A Common Problem
Password breaches at major companies have affected millions of users. Unfortunately, offline dictionary attacks are quite common.

4 Offline dictionary attacks are also very powerful
Some password hash functions can be evaluated at 348 billion hashes per second! How can we defend against these attacks?

5 Goal: Moderately Expensive Hash Function
Equitable cost? One proposed defense is to intentionally make the cryptographic hash function more expensive to evaluate by using a function like bcrypt or scrypt. The tradeoff is that making the hash function more expensive to evaluate increases costs for both the adversary and a legitimate server. Note: This slide could be skipped if the presentation is too long.

6 Bitcoin Mining (SHA256) is not Equitable!
Cost(SHA256) varies by a factor of $10^6$

7 Memory Costs: Equitable Across Architectures

8 Outline
Motivation; Data Independent Memory Hard Functions (iMHFs): Graph Pebbling, Measuring Pebbling Costs, Desiderata; Attacks iMHFs; Constructing iMHFs (New!); Open Questions

9 Memory Hard Function (MHF)
Intuition: computation costs dominated by memory costs.
Data Independent Memory Hard Function (iMHF): memory access pattern should not depend on input.

10 iMHF ($f_{G,H}$)
Defined by:
$H: \{0,1\}^{2k} \to \{0,1\}^{k}$ (random oracle)
DAG $G$ (encodes data dependencies), maximum indegree $\delta = O(1)$
Input: pwd, salt. Output: $f_{G,H}(pwd, salt) = L_4$.
[Figure: DAG on nodes 1, 2, 3, 4 with labels $L_1 = H(pwd, salt)$ and $L_3 = H(L_2, L_1)$]

11 Evaluating an iMHF (pebbling)
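[Figure: DAG on nodes 1, 2, 3, 4; input: pwd, salt; output: $L_4$; $L_1 = H(pwd, salt)$, $L_3 = H(L_2, L_1)$]
Pebbling rules: $P = (P_1, \dots, P_t)$ with each $P_i \subseteq V$ s.t.
$P_{i+1} \subseteq P_i \cup \{x \in V : \mathrm{parents}(x) \subseteq P_i\}$ (need dependent values)
$n \in P_t$ (must finish and output $L_n$)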

12 Pebbling Example
[Figure: DAG on nodes 1, 2, 3, 4, 5]

13 Pebbling Example
P1 = {1}

14 Pebbling Example
P1 = {1}, P2 = {1,2}

15 Pebbling Example
P1 = {1}, P2 = {1,2}, P3 = {3}

16 Pebbling Example
P1 = {1}, P2 = {1,2}, P3 = {3}, P4 = {3,4}

17 Pebbling Example
P1 = {1}, P2 = {1,2}, P3 = {3}, P4 = {3,4}, P5 = {5}

18 Measuring Cost: Attempt 1
Space × Time (ST)-Complexity: $ST(G) = \min_P \left( t_P \times \max_{i \le t_P} |P_i| \right)$
Rich theory; space-time tradeoffs.
But not appropriate for password hashing. Problem: does not amortize! $ST(G,G) < 2 \times ST(G)$

19 Measuring Cost: Attempt 2
Cumulative Complexity (CC): $CC(G) = \min_P \sum_{i=1}^{t_P} |P_i|$
Amortization: $CC(G,G) = 2 \times CC(G)$

20 Pebbling Example (CC)
P1 = {1}, P2 = {1,2}, P3 = {3}, P4 = {3,4}, P5 = {5}
$CC(G) \le \sum_{i=1}^{5} |P_i| = 1+2+1+2+1 = 7$

21 Energy Complexity
$E_R(G) = \min_P \sum_{i=1}^{t_P} \left( |P_i| + R\,|P_i \setminus P_{i-1}| \right)$
Energy ratio $R$: cost to compute $H$ in memory-watt-tocks, $R \approx 3{,}000$. Memory costs in memory-watt-tocks.

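22 Energy Complexity: $E_R(G) = \Theta(CC(G))$
$E_R(G) = \min_P \sum_{i=1}^{t_P} \left( |P_i| + R\,|P_i \setminus P_{i-1}| \right)$
Memory costs (equitable): the $|P_i|$ term. Cost of querying $H$ (inequitable): the $R\,|P_i \setminus P_{i-1}|$ term.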

23 Naïve Pebbling Algorithm
Sequential Algorithm (Naïve). Constraint: one new pebble per round.
Example: Naïve (pebble in topological order), never discard pebbles. Time: n. Average #pebbles: n/2.
$E_R(\text{Naïve}) = \Theta(Rn + n^2)$
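
The pebbling rules and the CC and $E_R$ cost measures above can be checked mechanically. The following Python is an added example, not code from the presentation: it validates a pebbling against the rules from slide 11 and computes both costs for the slide-20 pebbling and for the Naïve algorithm. The edge set `PARENTS` is an assumption (the slide's figure did not survive), chosen so that the slide's pebbling is legal; all function names are illustrative.

```python
R = 3000  # energy ratio quoted on the slides

# ASSUMED edges (node -> parents); the original figure is not recoverable.
PARENTS = {1: [], 2: [1], 3: [1, 2], 4: [3], 5: [3, 4]}

def is_legal(parents, pebbling, sequential=False):
    """True iff each new pebble had all its parents pebbled in the previous
    round and the final round holds a pebble on the sink (last node)."""
    prev = set()
    for cur in pebbling:
        new = set(cur) - prev
        if sequential and len(new) > 1:      # sequential: one new pebble per round
            return False
        if any(not set(parents[x]) <= prev for x in new):
            return False
        prev = set(cur)
    return max(parents) in prev

def cc(pebbling):
    """Cumulative cost of this pebbling: sum of |P_i| (upper-bounds CC(G))."""
    return sum(len(p) for p in pebbling)

def energy(pebbling, r=R):
    """Energy cost: |P_i| memory plus R for every pebble newly placed in round i."""
    total, prev = 0, set()
    for cur in pebbling:
        total += len(cur) + r * len(set(cur) - prev)
        prev = set(cur)
    return total

def naive(parents):
    """Pebble in topological order (node numbers) and never discard pebbles."""
    order = sorted(parents)
    return [set(order[:i + 1]) for i in range(len(order))]

SLIDE = [{1}, {1, 2}, {3}, {3, 4}, {5}]   # pebbling from slides 13-17
BAD = [{1}, {2}, {3}, {3, 4}, {5}]        # constructed: drops pebble 1 too early
```

On this graph the slide's pebbling costs CC = 7 against 15 for Naïve, while the $R$ term is identical (five oracle calls each), so only the memory term separates the two.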

24 Amortized Attack Quality
$\mathrm{Quality}_R(A) = \frac{E_R(\text{Naïve})}{E_R(A)} \times \#\mathrm{inst}(A)$

25 Desiderata
Find a DAG G and a sequential pebbling algorithm N with:
(1) Constant indegree ($\delta = 2$)
(2) $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
(3) $E_R(\text{Naive}) \ge \frac{n^2}{\tau} + Rn$ for some small value $\tau$

26 Desiderata
Find a DAG G and a sequential pebbling algorithm N with:
(1) Constant indegree ($\delta = 2$)
(2) $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
(3) $E_R(\text{Naive}) \ge \frac{n^2}{\tau} + Rn$ for some small value $\tau$
The following DAG satisfies Goals 1 and 2, but not 3. [Figure: DAG on nodes 1, 2, 3, …, n]

30 Desiderata
[Figure: DAG on nodes 1, 2, 3, …, n]
$E_R(\text{Naive}) = E_R(G) = n + Rn$. Cost dominated by queries to $H$ (inequitable).

31 Desiderata
Memory costs should dominate.

32 c-Ideal iMHF
Find a DAG G and a sequential pebbling algorithm N with:
(1) Constant indegree ($\delta = 2$)
(2) $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
(3) $E_R(\text{Naive}) \ge \frac{n^2}{\tau} + Rn$ for $\tau = O(1)$

33 Outline
Motivation; Data Independent Memory Hard Functions (iMHFs); Attacks: General Attack on Non Depth Robust DAGs, Existing iMHFs are not Depth Robust, No c-Ideal iMHF exists; Constructing iMHFs (New!); Open Questions

34 Depth Robustness
Definition: A DAG $G=(V,E)$ is $(e,d)$-reducible if there exists $S \subseteq V$ s.t. $|S| \le e$ and $\mathrm{depth}(G-S) \le d$. Otherwise, we say that G is $(e,d)$-depth robust.
Example: (1,2)-reducible [Figure: DAG on nodes 1, 2, 3, 4, 5]


36 Attacking (e,d)-reducible DAGs
Input: $S$ with $|S| \le e$ such that $\mathrm{depth}(G-S) = d$, and $g > d$.
Light Phase (g rounds): Discard most pebbles! Only keep pebbles on S and on parents of the g new nodes to be pebbled in this phase. Round cost: $\le e + \delta g + R$. One light phase: cost = $O(g|S|)$. All light phases: total cost = $O(g|S|(n/g)) = O(n|S|)$.
Balloon Phase (d rounds): Greedily recover missing pebbles. Takes at most d steps: in ≤ d rounds we can recover all of the pebbles. Cost: $\le dn + Rn$. One balloon phase: cost = $O(dn)$. All balloon phases: total cost = $O(dn^2/g)$. Each round of a balloon phase is potentially very expensive. Key: balloon phase ends quickly!

37 Attacking (e,d)-reducible DAGs
In ≤ d rounds we can recover all of the pebbles. One balloon phase: cost = $O(dn)$. All balloon phases: total cost = $O(dn^2/g)$. Each round of a balloon phase is potentially very expensive. Key: balloon phase ends quickly!

38 Main Theorem
Theorem (Depth-Robustness is a necessary condition): If G is $(e,d)$-reducible then there is an (efficient) attack A such that $E_R(A) \le en + \delta g n + \frac{n}{g} nd + nR + \frac{n}{g} nR$.

39 Main Theorem
Term $en$: never delete pebbles from nodes $x \in S$, where $|S| = e$ and $\mathrm{depth}(G-S) \le d$; $n$ is the #pebbling rounds.

40 Main Theorem
Term $\delta g n$: maintain pebbles on parents of next g nodes to be pebbled; $n$ is the #pebbling rounds.

41 Main Theorem
Theorem (Depth-Robustness is a necessary condition): If G is not $(e,d)$-node robust then there is an (efficient) attack A such that $E_R(A) \le en + \delta g n + \frac{n}{g} nd + nR + \frac{n}{g} nR$.
Term $\frac{n}{g} nd$: $d$ is the length of a balloon phase, $\frac{n}{g}$ is the #balloon phases, $n$ is the max #pebbles on G in each round of balloon phase.

42 Main Theorem
Set $g = \sqrt{nd}$: $E_R(A) = O\left(en + \sqrt{n^3 d}\right)$.

43 Question
Are existing iMHF candidates based on depth-robust DAGs?

44 Catena
Catena Bit Reversal DAG ($BRG_\lambda^n$): $\lambda$ layers of nodes ($\lambda \le 5$). Edges between layers correspond to the bit-reversal operation. Theorem [LT82]: $ST(BRG_1^n) = \Omega(n^2)$.
Catena Butterfly ($DBG_\lambda^n$): $\lambda = O(\log n)$ layers of nodes. Edges between layers correspond to FFT. $DBG_\lambda^n$ is a “super-concentrator.” Theorem [LT82] => $ST(BRG_1^n) = \Omega\left(\frac{n^2}{\log(n)}\right)$.
[LT82] Thomas Lengauer and Robert Endre Tarjan. Asymptotically Tight Bounds on Time-Space Trade-offs in a Pebble Game. J. ACM, 29(4):1087–1130, 1982.

45 $\lambda$-Layered DAG (Catena)
[Figure: $\lambda$-layered DAG. Layer 0: nodes $1, 2, 3, \dots, \frac{n}{\lambda+1}$; Layer 1: nodes $\frac{n}{\lambda+1}+1, \frac{n}{\lambda+1}+2, \dots, \frac{2n}{\lambda+1}$; …; Layer $\lambda$]

47 $\lambda$-Layered DAG (Catena)
Disallowed! All edges must go to a higher layer (except for (i,i+1)).

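48 Layered Graphs are Reducible
Theorem (Layered Graphs Not Depth Robust): Let G be a $\lambda$-layered DAG then G is $\left(n^{2/3}, n^{1/3}(\lambda+1)\right)$-reducible.
Corollary: $E_R(G) \le O\left(\lambda n^{5/3}\right)$.
Attack quality: $\mathrm{Quality}_R(A) = \Omega\left(\frac{n^{1/3}}{\lambda}\right)$.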

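49 Layered Graphs are Reducible
Theorem (Layered Graphs Not Depth Robust): Let G be a $\lambda$-layered DAG then G is $\left(n^{2/3}, n^{1/3}(\lambda+1)\right)$-reducible.
Proof: Let $S = \{ i \times n^{1/3} : i \le n^{2/3} \}$. Any path p can spend at most $n^{1/3}$ steps on layer i.
[Figure: Layer 0, nodes $1, 2, \dots, \frac{n}{\lambda+1}$, with the nodes $n^{1/3}, 2n^{1/3}, \dots$ marked at spacing $n^{1/3}$]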
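
The reducibility claim for layered graphs, and the Main Theorem bound it feeds into, can be checked numerically when evaluating a candidate iMHF graph. The following Python is an added example, not code from the presentation: it builds a constructed $\lambda$-layered DAG, removes the set S from the proof, and measures depth(G−S). The random choice of cross-layer parents, counting depth in nodes, and all function names are assumptions.

```python
import math
import random

R = 3000  # energy ratio quoted on the slides

def layered_dag(n, lam, seed=1):
    """Constructed lambda-layered DAG on nodes 1..n: chain edge (v-1, v) plus one
    extra parent from a strictly lower layer (random choice is an assumption)."""
    rng = random.Random(seed)
    size = n // (lam + 1)                      # nodes per layer
    parents = {1: []}
    for v in range(2, n + 1):
        layer_start = ((v - 1) // size) * size + 1
        parents[v] = [v - 1]
        if layer_start > 1:                    # layer 0 has no lower layer
            parents[v].append(rng.randrange(1, layer_start))
    return parents

def depth_after_removal(parents, removed):
    """Nodes on the longest path of G - S; node numbers are a topological order."""
    longest = {}
    for v in sorted(parents):
        if v not in removed:
            longest[v] = 1 + max((longest.get(p, 0) for p in parents[v]), default=0)
    return max(longest.values(), default=0)

def reduce_layered(n=27000, lam=2):
    """Return (|S|, depth(G-S), n^(1/3)*(lam+1)) for S = {i*n^(1/3) : i <= n^(2/3)}."""
    k = round(n ** (1 / 3))
    s = {i * k for i in range(1, k * k + 1)}
    return len(s), depth_after_removal(layered_dag(n, lam), s), k * (lam + 1)

def theorem_bound(n, e, d, delta=2, r=R):
    """Right-hand side of the Main Theorem with g = sqrt(n*d)."""
    g = math.sqrt(n * d)
    return e * n + delta * g * n + (n / g) * n * d + n * r + (n / g) * n * r

def naive_cost(n, r=R):
    """E_R of the never-discard pebbling: 1 + 2 + ... + n memory, R per new pebble."""
    return n * (n + 1) // 2 + r * n
```

With R = 3,000 and $g = \sqrt{nd}$, the bound is still above the Naïve cost at n = 27000 (e = 900, d = 90) and falls below it at n = 10^9 (e = 10^6, d = 3000).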


51 ST complexity vs CC complexity
$CC(BRG_1^n) \ll ST(BRG_1^n) = \Omega(n^2)$
Previous attacks on Catena ($BRG_\lambda^n$):
[AS15] (Alwen/Serbinenko): $CC(BRG_1^n) \le O(n^{1.5})$
[BK15] (Alex Biryukov and Dmitry Khovratovich): ST(BRG 𝜆 𝑛 )≤𝑂 𝑛 for 𝜆 > 1.
Our result: $CC(BRG_\lambda^n) \le O(n^{1.67})$. Applies to all Catena variants.

52 Argon2i [BDK]
Argon2: winner of the Password Hashing Competition [2015]. Authors recommend Argon2i variant (data-independent) for password hashing.
[BDK] Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from University of Luxembourg.

53 Argon2i
[Figure: DAG on nodes 1, 2, 3, 4, …, i, …, n]

54 Argon2i
Random predecessor r(i) < i. Indegree: $\delta = 2$.
[Figure: DAG on nodes 1, 2, 3, 4, …, i, …, n]

55 Argon2i is a layered DAG (almost)
[Figure: nodes 1, …, n in layers of $n^{3/4}$ nodes. Layer 0: nodes $1, 2, 3, \dots, n^{3/4}$; Layer 1: nodes $n^{3/4}+1, n^{3/4}+2, n^{3/4}+3, \dots, 2n^{3/4}$; …; Layer $\sqrt[4]{n}$, ending at node n]

56 Argon2i is a layered DAG (almost)
Definition: $S_2 = \{ v_i : v_{r(i)} \text{ and } v_i \text{ in same layer} \}$
Claim: $E[|S_2|] = O\left(n^{3/4} \log n\right)$

57 Argon2i is a layered DAG (almost)
Definition: $S_2 = \{ v_i : v_{r(i)} \text{ and } v_i \text{ in same layer} \}$
$E[|\text{Layer } i \cap S_2|] \le \frac{n^{3/4}}{i}$
$\Pr[v \in S_2 \mid v \text{ in Layer } i] \le \frac{1}{i}$

59 Argon2i is a layered DAG (almost)
Let $S = S_1 + S_2$.
Fact: $E[|S|] = O\left(n^{3/4} \log n\right)$ and $\mathrm{depth}(G-S) \le \sqrt{n}$.

60 Argon2i is a layered DAG (almost)
Let $S = S_1 + S_2$.
Theorem: G is $\left(2n^{3/4} \log n, \sqrt{n}\right)$-reducible with high probability.

61 Argon2i is a layered DAG (almost)
Let $S = S_1 + S_2$.
Corollary: $E_R(G) \le O\left(n^{7/4} \log n\right)$. $\mathrm{Quality}_R(A) \le \Omega\left(\frac{n^{1/4}}{\log n}\right)$.

62 Do c-Ideal iMHFs exist?
Reminder: DAG G and a sequential pebbling algorithm N with:
(1) Constant indegree ($\delta = 2$)
(2) $\mathrm{Quality}_R(A) \le c$ for every adversary A (c small)
(3) $E_R(\text{Naive}) \ge \frac{n^2}{\tau} + Rn$ for $\tau = O(1)$
Thm [AS15]: There is a DAG G with $CC(G) = \Omega\left(\frac{n^2}{\log^{10+\varepsilon} n}\right)$ and $\delta = 2$.
Corollary: G is c = polylog(n)-Ideal.

63 Do c-Ideal iMHFs exist?
Lemma [Valiant77]: Let $G=(V,E)$ be a DAG with depth $d \le n$ then there is a set $S \subset V$ of at most $\frac{n\delta}{\log d}$ nodes such that $\mathrm{depth}(G-S) \le \frac{d}{2}$.
Theorem: Let $G=(V,E)$ be a DAG with n nodes then there is a set $S \subset V$ of $\frac{n\delta \log\log n}{\log n}$ edges such that $\mathrm{depth}(G-S) \le \frac{n}{\log n}$.
Corollary: Let $G=(V,E)$ be a DAG with n nodes then for any constant $\varepsilon > 0$, $E_R(G) = o\left(\frac{n^2}{\log^{1-\varepsilon} n}\right)$.

64 Do c-Ideal iMHFs exist?
Corollary: Let $G=(V,E)$ be a DAG with n nodes then for any constant $\varepsilon > 0$, $E_R(G) = o\left(\frac{n^2}{\log^{1-\varepsilon} n}\right)$.
NO! If c = O(1).

65 Practical Consequences (R = 3,000)

66 Outline
Motivation; Data Independent Memory Hard Functions (iMHFs); Attacks; Constructing iMHFs (New!), joint work with Joel Alwen and Krzysztof Pietrzak; Open Questions

67 New (Positive) Results
Key Theorem: Let $G=(V,E)$ be $(e,d)$-depth robust then $CC(G) \ge ed$.
Theorem [EGS75]: There is an $(\Omega(n), \Omega(n))$-depth robust DAG G with indegree $\delta = O(\log n)$.
Corollary: There is a DAG G with indegree $\delta = O(\log n)$ and $CC(G) \ge \Omega(n^2)$.
Theorem (Indegree Reduction): Let G' be a DAG with $n' = n/(2\delta')$ nodes and indegree $\delta'$. If G' is $(e',d')$-depth robust then we can construct a DAG G on n nodes such that G is $(e', d = \delta' d')$-depth robust and has maximum indegree $\delta = 2$.

68 New (Positive) Results
Theorem (Indegree Reduction): Let G' be a DAG with $n' = n/(2\delta')$ nodes and indegree $\delta'$. If G' is $(e',d')$-depth robust then we can construct a DAG G on n nodes such that G is $(e', d = \delta' d')$-depth robust and has maximum indegree $\delta = 2$.
Corollary: There is a DAG G with maximum indegree $\delta = 2$ and $CC(G) = \Omega\left(\frac{n^2}{\log n}\right)$.
Theorem: There is a DAG G with maximum indegree $\delta = 2$ and $CC(G) = \Omega\left(\frac{n^2}{\log n}\right)$. Furthermore, there is a sequential pebbling algorithm N with cost $CC(N) = O\left(\frac{n^2}{\log n}\right)$.

69 $(c,\tau)$-Ideal iMHFs Exist
Find a DAG G and a sequential pebbling algorithm N with:
(1) Constant indegree ($\delta = 2$)
(2) $\mathrm{Quality}_R(A) \le c$ for every adversary A ($c = O(1)$)
(3) $E_R(\text{Naive}) \ge \frac{n^2}{\tau} + Rn$ ($\tau = O(\log n)$)

70 Proof of Key Theorem
Key Theorem: Let $G=(V,E)$ be $(e,d)$-depth robust then $CC(G) \ge ed$.
Proof: Let $P_1, \dots, P_t$ denote an (optimal) pebbling of G. For $0 < i < d$ define $S_i = P_i \cup P_{d+i} \cup P_{2d+i} \cup \dots$. One of the sets $S_i$ has size at most $CC(G)/d$. Now we claim that $d \le \mathrm{depth}(G-S_i)$ because any path in $G-S_i$ must have been completely pebbled at some point. Thus, it must have been pebbled entirely during some interval of length d. Thus, G is $(CC(G)/d, d)$-reducible. It follows that $CC(G) \ge ed$.

71 Pebbling Equivalence
Theorem [AS15] (Informal): Let H be a random oracle and let G be a DAG with constant indegree. For any pROM adversary A which evaluates (multiple instances of) $f_{H,G}$ we have
$\mathrm{Cost}(A) = \sum_{i=1}^{T_A} |\sigma_i| = \Theta\left(CC(G) \times \#\mathrm{inst}(A)\right)$

72 Miscellaneous Results
New lower bounds: $CC(\text{Argon2i}) \ge \Omega(n^{1.5})$; $CC(\text{Catena}) \ge \Omega(n^{1.5})$
New upper bounds: $CC(\text{Argon2i}) = O(n^{1.71})$; $CC(\text{Catena}) = O(n^{1.618})$

73 Open Questions
Computational complexity of CC(G): Efficient algorithm to approximate CC(G)? Hardness of approximation?
Improved constructions of depth-robust graphs: constants matter!
What is CC(Argon2i)? Upper bound: $n^{1.71}$. Lower bound: $n^{1.5}$.

