[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ Skip to main content
Log in

Bandwidth-Hard Functions: Reductions and Lower Bounds

  • Research Article
  • Published:
Journal of Cryptology Aims and scope Submit manuscript

Abstract

Memory Hard Functions (MHFs) have been proposed as an answer to the growing inequality between the computational speed of general purpose CPUs and ASICs. MHFs have seen widespread applications including password hashing, key stretching and proofs of work. Several metrics have been proposed to quantify the memory hardness of a function. Cumulative memory complexity (CMC) quantifies the cost to acquire/build the hardware to evaluate the function repeatedly at a given rate. By contrast, bandwidth hardness quantifies the energy costs of evaluating this function. Ideally, a good MHF would be both bandwidth hard and have high CMC. While the CMC of leading MHF candidates is well understood, little is known about the bandwidth hardness of many prominent MHF candidates. Our contributions are as follows: First, we provide the first reduction proving that, in the parallel random oracle model (pROM), the bandwidth hardness of a data-independent MHF (iMHF) is described by the red-blue pebbling cost of the directed acyclic graph associated with that iMHF. Second, we show that the goals of designing an MHF with high CMC/bandwidth hardness are well aligned. Any function (data-independent or not) with high CMC also has relatively high bandwidth costs. Third, we prove that in the pROM the prominent iMHF candidates such as Argon2i, aATSample and DRSample are maximally bandwidth hard. Fourth, we prove the first unconditional tight lower bound on the bandwidth hardness of a prominent data-dependent MHF called Scrypt in the pROM. Finally, we show the problem of finding the minimum cost red–blue pebbling of a directed acyclic graph is NP-hard.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price includes VAT (United Kingdom)

Instant access to the full article PDF.

Fig. 1

Similar content being viewed by others

Notes

  1. This is the best possible lower bound for CMC. In particular, any MHF that can be evaluated in time \({\mathcal {O}}\left( n\right) \) on a sequential computer has cumulative memory cost at most \({\mathcal {O}}\left( n^2\right) \). This follows because we can only fill \({\mathcal {O}}\left( n\right) \) blocks of memory in \({\mathcal {O}}\left( n\right) \) sequential steps. At best we can hope that the attacker will also need to lock up \(\Omega (n)\) blocks of memory for \(\Omega (n)\) steps.

  2. In contrast to [3], we use energy cost to refer to bandwidth cost.

  3. The specification of Argon2i has changed several times, but the only changes that affect our analysis are changes that affect the underlying DAG G. A change to the edge distribution was introduced in v1.2 where a non-uniform indexing was introduced. We use Argon2iB to refer to the version that is currently being considered for standardization by the Cryptography Form Research Group (CFRG) of the IRTF [13].

  4. Prior work [5] gave a theoretical construction of an iMHF with \(\Omega \left( \frac{n^2 \cdot w}{\log n} \right) \) (matching \(\textsf{DRSample}\) and \(\textsf{aATSample}\)), but to the best of our knowledge no implementation exists. By contrast, \({\textsf{DRSample}} \) can be easily implemented by modifying the source code for Argon2iB and these modifications do not adversely impact performance [4]. Any iMHF \(f_{G,H}\) has \({\textsf{cmc}} \) at most \({\textsf{cmc}} \left( f_{G,H}\right) \in {\mathcal {O}}\left( \frac{n^2 \cdot w \cdot \log \log n}{\log n}\right) \) [2, 3] so \({\textsf{cmc}} \left( {\textsf{DRSample}} \right) \in \Omega \left( \frac{n^2 \cdot w}{\log n} \right) \) and \({\textsf{cmc}} \left( {\textsf{aATSample}} \right) \in \Omega \left( \frac{n^2 \cdot w}{\log n} \right) \) [4] are essentially tight.

  5. For \(\textsf{DRSample}\) it suffices to show that this property holds for sufficiently many blocks B.

  6. In particular, \({\textsf{rbpeb}} ^{\parallel }(G,m) = 0\) if and only if there is a legal black pebbling of G using at most m black pebbles where the latter decision problem is PSPACE complete [23].

  7. In particular, if \(c_r > 0\) and \(c_b/c_r = {{\textsf{poly}}} (n)\) we are guaranteed that the optimal red–blue pebbling runs in time at most \({{\textsf{poly}}} (n)\). Thus, yes instances of our decision problem admit a polynomial size witness.

  8. In some cases we may have \(v \in B_{i-1}\) and \({\textsf{parents}} (v) \subset R_{i-1}\) so that we could place a red pebble on node v using either a red move or a blue move. In such cases we will assume that this is accomplished by a red move, since blue moves will be more expensive.

  9. In this subsection we use \(R_i\) to denote messages from cache to memory instead of a pebbling configuration.

  10. To see that \({\textsf{rbpeb}} ^{\parallel }(G,m)\) and \({\textsf{rbpeb}} (G,m)\) are not identically equivalent quantities, consider the complete directed bipartite graph \(K_{m,m}\) with m sources A and m sink nodes B(m is also the cache size). In the parallel model we can finish in two steps with zero blue moves: \(R_0 = \emptyset \), \(R_1 = A\), \(R_2 = B\). In the sequential pebble game we would have to keep pebbles on A while we begin placing pebbles on B one by one. Each time we place a red-pebble on a node \(y \in B\) we need to evict some node \(x \in A\) by converting x into a blue node (and then bring it back into the cache-later).

  11. While there is no notion of a cache in the \(\textsf{pROM}\) model of [8] we could trivially set \(\alpha _i = \left( \sigma _i, \xi _{i}\right) \) so that the state \(\alpha _i\) explicitly includes the contents in cache \(\sigma _{i}\) as well as the content in main memory \(\xi _i\).

  12. To see this consider any directed path in \(G-R-B'\) ending at some node \(v \in T_i\) in our target set. By definition none of the nodes in this directed path contain a red-pebble at the start. While it is possible that some of the intermediate nodes on the path initially contain blue pebbles these pebbles on \(B \setminus B'\) will not be converted to red-pebbles in a blue move (otherwise they would be in the set \(B'\) and would have already been deleted). Thus, to place a red-pebble on any node u in our path (including nodes in \(B \setminus B'\)) the parents of node u must first have a red-pebble. By backward induction each of the nodes on our path will need to be pebbled with a red-pebble (in topological order) before we can place a red-pebble on node v.

  13. The Argon2iB edge distribution depends on a parameter \(N>n\). We make the mild assumption that \(N \ge 6n\) where n is the number of nodes in the graph. This assumption would hold in practical instantations of Argon2iB i.e., the Argon2i implementation sets \(N=2^{32}\) while we would expect the running time parameter to be at most \(n \le 2^{24}\).

References

  1. M. Abadi, M. Burrows, M.S. Manasse, T. Wobber, Moderately hard, memory-bound functions. ACM Trans. Internet Techn. 5(2):299–327 (2005)

  2. J. Alwen, J. Blocki, Efficiently computing data-independent memory-hard functions, in Matthew Robshaw and Jonathan Katz, editors, CRYPTO 2016, Part II, volume 9815 of LNCS (Springer, Heidelberg, 2016), pp. 241–271.

  3. J. Alwen, J. Blocki. Towards practical attacks on argon2i and balloon hashing, in Security and Privacy (EuroS &P), 2017 IEEE European Symposium on (IEEE, 2017), pp. 142–157

  4. J. Alwen, J. Blocki, B. Harsha, Practical graphs for optimal side-channel resistant memory-hard functions, in Bhavani M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu, editors, ACM CCS 2017 (ACM Press, 2017) pp. 1001–1017

  5. J. Alwen, J. Blocki, K. Pietrzak, Depth-robust graphs and their cumulative memory complexity, in Jean-Sébastien Coron and Jesper Buus Nielsen, editors, EUROCRYPT 2017, Part III, volume 10212 of LNCS (Springer, Heidelberg, 2017) pp. 3–32

  6. J. Alwen, B. Chen, K. Pietrzak, L. Reyzin, S. Tessaro. Scrypt is maximally memory-hard. In Jean-Sébastien Coron and Jesper Buus Nielsen, editors, EUROCRYPT 2017, Part III, volume 10212 of LNCS (Springer, Heidelberg, 2017) pp. 33–62

  7. J. Alwen, S.F. de Rezende, J. Nordström, M. Vinyals. Cumulative space in black-white pebbling and resolution, in Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, 9–11 January 2017, Berkeley, California USA (2016)

  8. J. Alwen, V. Serbinenko, High parallel complexity graphs and memory-hard functions, in Rocco A. Servedio and Ronitt Rubinfeld, editors, 47th ACM STOC (ACM Press, 2015), pp. 595–603

  9. A. Back. Hashcash-a denial of service counter-measure (2002)

  10. D.J. Bernstein. Cache-timing attacks on AES (2005).

  11. A. Biryukov, D. Dinu, D. Khovratovich, Fast and tradeoff-resilient memory-hard functions for cryptocurrencies and password hashing. IACR Cryptology ePrint Arch. 2015, 430 (2015)

  12. A. Biryukov, D. Dinu, D. Khovratovich, Argon2: new generation of memory-hard functions for password hashing and other applications, in IEEE European Symposium on Security and Privacy, EuroS &P 2016, Saarbrücken, Germany, March 21–24, 2016 (2016) pp. 292–302

  13. A. Biryukov, D. Dinu, D. Khovratovich, S. Josefsson, The memory-hard argon2 password hash and proof-of-work function (2016)

  14. J. Blocki, B. Harsha, S. Kang, S. Lee, L. Xing, S. Zhou, Data-independent memory hard functions: New attacks and stronger constructions, in Alexandra Boldyreva and Daniele Micciancio, editors, CRYPTO 2019, Part II, volume 11693 of LNCS (Springer, Heidelberg, 2019), pp. 573–607

  15. J. Blocki, B. Harsha, S. Zhou, On the economics of offline password cracking, In 2018 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2018) pp. 853–871

  16. J. Blocki, S. Zhou, On the depth-robustness and cumulative pebbling cost of Argon2i, in Yael Kalai and Leonid Reyzin, editors, TCC 2017, Part I, volume 10677 of LNCS (Springer, Heidelberg, 2017) pp. 445–465

  17. D. Boneh, H. Corrigan-Gibbs, S. E. Schechter. Balloon hashing: A memory-hard function providing provable protection against sequential attacks, in Jung Hee Cheon and Tsuyoshi Takagi, editors, ASIACRYPT 2016, Part I, volume 10031 of LNCS (Springer, Heidelberg, 2016) pp. 220–248

  18. E.D. Demaine, Q.C. Liu, Inapproximability of the standard pebble game and hard to pebble graphs, in Algorithms and Data Structures - 15th International Symposium, WADS 2017, St. John’s, NL, Canada, July 31 - August 2, 2017, Proceedings (2017), pp. 313–324

  19. C. Dwork, M. Naor, Pricing via processing or combatting junk mail, in Advances in Cryptology - CRYPTO, 12th Annual International Cryptology Conference, Proceedings (1992), pp 139–147

  20. S. Dziembowski, T. Kazana, D. Wichs, Key-evolution schemes resilient to space-bounded leakage, in Advances in Cryptology - CRYPTO - 31st Annual Cryptology Conference, Proceedings (2011), pp. 335–353

  21. S. Dziembowski, T. Kazana, D. Wichs, One-time computable self-erasing functions, in Theory of Cryptography - 8th Theory of Cryptography Conference, TCC Proceedings (2011), pp 125–143

  22. C. Forler, S. Lucks, J. Wenzel, Catena: a memory-consuming password scrambler. Cryptology ePrint Archive, Report 2013/525 (2013). https://eprint.iacr.org/2013/525

  23. J.R. Gilbert, T. Lengauer, R.E. Tarjan, The pebbling problem is complete in polynomial space, in Proceedings of the 11h Annual ACM Symposium on Theory of Computing (STOC) (1979), pp. 237–248.

  24. J.-W. Hong, H.T. Kung, I/O complexity: the red–blue pebble game, in Proceedings of the 13th Annual ACM Symposium on Theory of Computing, May 11–13, 1981, Milwaukee, Wisconsin, USA (1981), pp. 326–333

  25. T. Lengauer, R.E. Tarjan, Asymptotically tight bounds on time-space trade-offs in a pebble game. J. ACM 29(4), 1087–1130 (1982)

  26. Q. Liu, Red-blue and standard pebble games: complexity and applications in the sequential and parallel models. Master’s thesis, Massachusetts Institute of Technology (2017)

  27. S. Nakamoto, Bitcoin: a peer-to-peer electronic cash system (2008)

  28. C. Percival, Stronger key derivation via sequential memory-hard functions. BSDCan (2009)

  29. Password hashing competition, 2013–2015

  30. L. Ren, S. Devadas, Bandwidth hard functions for ASIC resistance, in Yael Kalai and Leonid Reyzin, editors, TCC 2017, Part I, volume 10677 of LNCS (Springer, Heidelberg, 2017), pp. 466–492

  31. G. Schnitger. On depth-reduction and grates, in 24th Annual Symposium on Foundations of Computer Science (1983), pp. 323–328

  32. C.A. Tovey. A simplified np-complete satisfiability problem. Discrete Appl. Math. 8(1), 85–89 (1984)

Download references

Acknowledgements

The authors would like to thank Daniel Wichs for helpful discussion and anonymous reviewers for important comments that improved the presentation of the paper. The research was supported in part by the National Science Foundation under NSF Awards #1704587 and #1649515 and #1755708 and #2047272 and by a gift from Protocol Labs. The views expressed in this paper are those of the authors and do not necessarily reflect those of the National Science Foundation or Protocol Labs. This work was done in part while Samson Zhou was affiliated with Purdue University and Carnegie Mellon University.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Jeremiah Blocki.

Additional information

Communicated by Stefano Tessaro.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Specification of Candidate iMHFs

In this section we give provide detailed descriptions of the iMHFs analyzed in the main body of the paper. \(\textsf{DRSample}\) is described in Algorithm 1, aATSample is described in Algorithm 2, Argon2iB is described in Algorithm 3 and Argon2iA is described in Algorithm 4. The aATSample construction in Algorithm 2 uses \(\textsf{DRSample}\) (Algorithm 1) as a building block. Intuitively, the subgraph induced by the first n/2 nodes form a \(\textsf{DRSample}\) graph with n/2 nodes and the following n/2 nodes form a path with additional parents selected from \(\textsf{DRSample}\).

Algorithm 1
figure a

An algorithm for sampling depth-robust graphs. [4]

Algorithm 2
figure b

An algorithm for sampling a high aAT graph. [4]

Algorithm 3
figure c

An algorithm for sampling depth-robust graphs. [11]

Algorithm 4
figure d

An algorithm for sampling depth-robust graphs. [11]

Missing Proofs

Reminder of Theorem 5.2. Let \(G=([n],E)\) be any DAG such that \((j,j+1) \in E\) for each \(j<n\), let c be a positive integer and let \(T_i=((i-1)c\ell +1,ic\ell ]\),

$$\begin{aligned} {\textsf{rbpeb}} ^{\parallel }(G,m) \ge \sum _{i=1}^{\left\lfloor \frac{n}{c\ell } \right\rfloor } \min _{R, B' \subseteq [(i-1)c\ell ] : \left| R \right| \le m} \left( \left| B' \right| c_b + \left| {\textsf{ancestors}} _{G-R-B'}(T_i)\right| c_r\right) . \end{aligned}$$

Proof of Theorem 5.2

(Sketch) Repeatedly invoke Lemma 5.1. Consider an optimal red–blue pebbling and let \(t_i\) denote the first time we place a pebble on node \(ic\ell \). For each i the red–blue cost incurred between steps \(t_{i-1}+1\) and \(t_i\) starting from some red–blue configuration \(B_{t_{i-1}},R_{t_{i-1}}\) is at least

$$\begin{aligned}&{\textsf{rbpeb}} ^{\parallel }(G,m, T_i , B_{t_{i-1}}, R_{t_{i-1}}) \\&\quad \ge \min _{B' \subseteq [(i-1)c\ell ] } \left( \left| B' \right| c_b + \left| {\textsf{ancestors}} _{G-{R_{t_{i-1}}}-B'}(T_i)\right| c_r\right) \\&\quad \ge \min _{R, B' \subseteq [(i-1)c\ell ] : \left| R \right| \le m} \left( \left| B' \right| c_b + \left| {\textsf{ancestors}} _{G-R-B'}(T_i)\right| c_r\right) . \end{aligned}$$

To complete the proof we observe that

$$\begin{aligned} {\textsf{rbpeb}} ^{\parallel }(G,m)&\ge \sum _{i=1}^{\left\lfloor \frac{n}{c\ell } \right\rfloor } {\textsf{rbpeb}} ^{\parallel }(G,m, T_i , B_{t_{i-1}}, R_{t_{i-1}}) \end{aligned}$$

\(\square \)

1.1 \(\textsf{aATSample}\)

Reminder of Lemma 5.6. Let \(i>\frac{n}{2}\) and \(T=[i,i+\ell -1]\) be an interval of length \(\ell =\frac{n}{\log n}\). Then for any parameters \(c \ge 1\) and \(m \le \frac{n}{16 c \log n}\) a graph generated by \({\textsf{aATSample}} (n,c)\) satisfies the following property:

$$\begin{aligned} \min _{R, B' \subseteq [i-1] : \left| R \right| \le m} \left( \left| B' \right| c_b + \left| {\textsf{ancestors}} _{G-R-B'}(T)\right| c_r\right) \ge \min \left( \frac{n}{16 c\log n} c_b ,\frac{n}{8} c_r\right) \end{aligned}$$

Proof of Lemma 5.6

We first consider casework on the size of \(B'\). If \(|B'|\ge \frac{n}{16c \log n}\), then we trivially have \(|B'|c_b\ge \frac{n}{16c\log n} c_b \). Otherwise, we have \(|B'|\le \frac{n}{16c\log n}\), in which case \(|R\cup B'| \le \frac{n}{8 c\log n}\) since \(|R|\le m\). We now lower bound \(\left| {\textsf{ancestors}} _{G-R-B'}(T)\right| c_r\) under the assumption that \(|R\cup B'|<\frac{n}{8c\log n}\).

Partition the nodes [n/2] into \(\frac{n}{2k} \) intervals \([1,k], [k+1,2k],\ldots \) where \(k= 2 c \log n\) and \(c \ge 1\) is the parameter used in Algorithm 2 (\(\textsf{aATSample}\)). Observe that for each interval \([(v-1)k+1, vk]\) the graph G contains an edge from some node \(x \in [vk-k/2+1, vk]\) (the second half of the interval) to some node \(y \in T\). Let \(B_k = \{v \le \frac{n}{2k}~: [(v-1)k+1,vk] \cap (R\cup B') \ne \emptyset \}\) denote the set of intervals which intersect with \(R \cup B'\). Clearly, \(|B_k| \le |R \cup B'| \le \frac{n}{8 c\log n}\). We claim that if \(v \not \in B_k\) then every node in \([(v-1)k, vk-k/2]\) (first half of the interval) is also in \( {\textsf{ancestors}} _{G-R-B'}(T)\). To see this observe that for each interval \([(v-1)k+1, vk]\) the graph G contains an edge from some node \(x \in [vk-k/2+1, vk]\) to some node \(y \in T\) and the entire interval \([(v-1)k+1, vk]\) is disjoint from \(B' \cup R\). Thus, we have at least \(\frac{k}{2}\left( \frac{n}{2k} - |B_k|\right) = \frac{n}{8}\) nodes in \( {\textsf{ancestors}} _{G-R-B'}(T)\). \(\square \)

1.2 \(\textsf{DRSample}\)

Reminder of Lemma 5.5. Suppose \(m={\mathcal {O}}\left( n^\rho \right) \) for some constant \(0<\rho <1\) and \(i>\frac{n}{2}\). Let \(T=[i,i+\ell -1]\) be an interval of length \(\ell \ge 16\,m/(1-\rho )\). Then a graph generated by \({\textsf{DRSample}} \) satisfies the following with high probability:

$$\begin{aligned}&\min _{R \subseteq [i-1] : \left| R \right| \le m} \min _{B' \subseteq [i-1] } \left( \left| B' \right| c_b + \left| {\textsf{ancestors}} _{G-R-B'}(T)\right| c_r\right) \\&\quad \ge \min \left( \frac{(1-\rho )\ell }{8} c_b,\left( \frac{(1-\rho )\ell }{16}\right) \sqrt{\frac{n}{64\ell }} c_r\right) \end{aligned}$$

Proof of Lemma 5.5

Let \(T=[i,i+\ell ]\) where \(\ell \ge 16\,m/(1-\rho )\) for some constant \(\frac{1}{2}<\rho <1\) and let r(j) denote the predecessor of a node j in the graph (besides \(j-1\)) i.e., \(r(j) = \texttt{GetParent}(j,2)\). We first note that if \(|B'| \ge \frac{c \ell }{2}\) for the constant \(c=\frac{1-\rho }{4}\) then \(|B'| c_b \ge \frac{c \ell }{2} c_b\) and we are immediately done. Otherwise, we let \(b=\sqrt{\frac{n}{64\ell }}\) and for \(i < j \le i+ \ell \), let \(X_j\) be an indicator random variable for the event \({\textsf{far}} (j)\), which we define to be the event that \(|r(j)-r(k)|>b\) for all \(k\in [i,j-1]\) and \(r(j) < i\). Observe that if \({\textsf{far}} (j)=1\) then either \(B' \cup R\) contains some node in the interval \([r(j)-b,r(j)]\) or these nodes will be contained in \({\textsf{ancestors}} _{G-R-B'}(T)\). In particular, if \(X=\sum _{i \in T} X_i\) we have \({\textsf{ancestors}} _{G-R-B'}(T) \ge \left( X-m -|B'|\right) \). It remains to lower bound X. Observe that for any setting of \(r(i),\ldots , r(j-1)\) the set \(S = \bigcup _{y=i}^{j-1} [r(y)-b,r(y)+b]\) has size at most \((2b+1)(j-i)\) and thus \(\Pr [r(j) \in S]\) is maximized when \(S=[i-(2b+1)(j-i),i-1]\). Hence,

$$\begin{aligned} \textbf{Pr}\left[ {\textsf{far}} (j)\right]&\ge \textbf{Pr}\left[ r(j)<i-(j-i)(2b+1)\right] \\&\ge \textbf{Pr}\left[ j-r(j)> \ell + (j-i)(2b+1)\right] \\&\ge \textbf{Pr}\left[ j-r(j)> \ell + (\ell )(2b+1)\right] \\&\ge \textbf{Pr}\left[ j-r(j) > \frac{\sqrt{n\ell }}{2}\right] \end{aligned}$$

since \(j\le i+\ell \) and \(b=\sqrt{\frac{n}{64\ell }}\). In the last inequality we assume that \(n \ge 64 \ell \) so that \(b \ge 1\) and \(\ell + \ell (2b+1) \le 4 \ell b = \frac{\sqrt{n\ell }}{2}\). Hence,

$$\begin{aligned} \textbf{Pr}\left[ {\textsf{far}} (j)\right]&\ge \frac{\log (j)-\log \sqrt{n\ell }}{\log (j)}\ge 1-\left( \frac{1}{2}-\frac{\rho }{2}\right) \left( \frac{\log (n)}{\log (n)-1}\right) \\&\ge \frac{1}{2}-\frac{\rho }{2}-o(1) = \Omega (1). \end{aligned}$$

Let \(c=\frac{1-\rho }{4}\) With high probability, \(X = \sum _{k=i}^{i+\ell } X_k > c\ell \). Setting \(\ell \ge 4\,m/c\), then with high probability, the number of ancestors of T in \(G-R-B'\) is at least

$$\begin{aligned} (X-|R|-|B'|)b&\ge (X-m-|B'|)b\\&\ge \left( \frac{c\ell }{4}\right) \sqrt{\frac{n}{64\ell }}, \end{aligned}$$

for \(|B'|\le \frac{c\ell }{2}\). Thus, either \(|B'|\ge \frac{c\ell }{2}\) or \(\left| {\textsf{ancestors}} _{G-R-B'}(T)\right| \ge \left( \frac{c\ell }{4}\right) \sqrt{\frac{n}{64\ell }}\). It follows that

$$\begin{aligned}{} & {} \min _{R \subseteq [i-1]: \left| R \right| \le m} \min _{B' \subseteq [i-1] } \left( \left| B' \right| c_b + \left| {\textsf{ancestors}} _{G-R-B'}(T)\right| c_r\right) \\{} & {} \quad \ge \min \left( \frac{c\ell }{2} c_b,\left( \frac{c\ell }{4}\right) \sqrt{\frac{n}{64\ell }} c_r\right) . \end{aligned}$$

\(\square \)

We now give an alternate bound for \(\textsf{DRSample}\) when the cache has size \({\mathcal {O}}\left( n^{\rho }/\log n\right) \) for any \(0<\rho <1\). It shows that either the pebbling has \({\tilde{\Omega }}(n)\) blue moves or there are at least \({\tilde{\Omega }}(n^{2-\rho })\) red moves. The alternate bound is incomparable to our prior bound showing that any pebbling either has \(\Omega (n)\) blue moves or at least \(\Omega (n^{3/2-3\rho /2})\) red moves. In particular, we cannot minimize the number of blue moves without paying a steep cost in the number of red moves.

Lemma B.1

Suppose \(m=C n^\rho /\log n\) for some constants \(C>0\) and \(0 < \rho \le 1\) and \(i>\frac{n}{2}\). Let \(T=[i,i+\ell -1]\) be an interval of length \(\ell =100m \log n\). Then a graph generated by \({\textsf{DRSample}} \) satisfies the following with high probability:

$$\begin{aligned} \min _{R \subseteq [i-1] : \left| R \right| \le m} \min _{B' \subseteq [i-1] } \left( \left| B' \right| c_b + \left| {\textsf{ancestors}} _{G-R-B'}(T)\right| c_r\right) \ge \min \left( m c_b, \frac{ n}{24} \cdot c_r \right) . \end{aligned}$$

Proof

Let T be an interval of length \(\ell \). If \(|B'| > m\) then we immediately have \(\left| B' \right| c_b > m c_b\). Thus, in the remainder of the proof we assume that \(|B'| \le m\) so that \(\left| R \cup B' \right| \le 2\,m\). Partition nodes in G into intervals \(I_1,I_2,\ldots \) of length \(k=\frac{n}{12m} = {\mathcal {O}}\left( n^{1-\rho } \log n\right) \) where \(I_j = [(j-1)k+1,jk]\). Let \(L_j = [(j-1)k+\lceil k/2\rceil + 1,jk]\) (resp. \(F_j = [(j-1)k+ 1,(j-1)k+\lceil k/2\rceil ]\)) denote the last (resp. first) half of the nodes in \(I_j\). Now for each \(j \in T\) define the random variable \(X_j=1\) if for some \(i' \le \frac{n}{2k}\) we have \(r(j) \in L_{i'}\) and for all prior nodes \(i \le j' < j\) in the interval T we have \(r(j') \not \in E_{i'}\); otherwise \(X_j=0\). Intuitively, \(X_j =1\) if the edge r(j) is connected to (the second half of) a new interval. Let \(B_k = \{ i' ~:~ \left| I_{i'} \cap (B' \cup R) \right| \ge 1\}\) be the set of intervals that contain some node in \(B' \cup R\) and let \(X = \sum _{j \in T} X_j \). Observe that there are at least \(X - |B_k| -m \ge X-2Cn^{1-\epsilon }\) intervals \(I_{i'}\) such that (1) the interval \(I_{i'}\) contains no node in \(B' \cup R\) i.e., \(I_{i'} \cap (B' \cup R) = \{\}\), and (2) there is an edge (r(j), j) with \(j \in T\) and \(r(j) \in L_{i'}\). For each such interval \(I_{i'}\) the entire interval \(F_{i'}\) is contained in \({\textsf{ancestors}} _{G-R-B'}(T)\) because the graph G contains all directed edges of the form \((i,i+1)\) for \(i < n\).

Thus,

$$\begin{aligned} \left| {\textsf{ancestors}} _{G-R-B'}(T) \right| \ge \left( X-2m \right) \frac{k}{2}. \end{aligned}$$

We now argue that \(X \ge \min \{ \frac{n}{4k}, \frac{\ell }{25 \log n}\}\) with high probability. To see this observe that if \(X_1+\cdots + X_{j-1} \le \frac{n}{4k}\) then there at least \(\frac{n}{4k}\) of the intervals \(I_1,\ldots I_{\frac{n}{2k}}\) are still “uncovered” and for each uncovered interval \(I_{i'}\) we have

$$\begin{aligned} \Pr [r(j) \in F_{i'}] \ge \frac{k}{2 n \log n}. \end{aligned}$$

Thus, we have

Thus, in expectation we have \({\mathbb {E}}[X] \ge \min \{ \frac{n}{4k}, \frac{\ell }{8 \log n}\}\). We picked our parameters such that \(\frac{n}{4k} = 3\,m\) and \( \frac{\ell }{25 \log n} = 4\,m\). We can apply concentration bounds to argue that (whp) we have \(X \ge \frac{\ell }{4k} \ge 3m\). To see this we can introduce new random variables \(Y_j\) such that \(Y_j=1\) if either \(X_j=1\) or \(X_1+\cdots + X_{j-1} \ge \frac{n}{4k}\). By definition, we have \(\sum _{j \in T} Y_j \ge \frac{n}{4k}\) if and only if \(\sum _{j \in T} X_j \ge \frac{n}{4k}\). We also have \(\Pr [Y_j = 1 ~| Y_i=y_i,\ldots Y_{j-1}=y_{j-1}] \ge \frac{1}{8 \log n}\) for all prior outcomes \(y_i,\ldots , y_{j-1} \in \{0,1\}\). We can apply concentration bounds to upper bound \(\Pr [Y \le \frac{n}{4k}]\) (e.g., see Generalized Hoeffding Inequality [6, Claim 7]) because \(\Pr [Y_j = 1 ~| ~ (Y_i,\ldots , Y_{j-1})= (y_i,\ldots , y_{j-1})] \ge \frac{1}{8 \log n}\) for all prior outcomes \(y_i, \ldots , y _{j-1} \in \{0,1\}\). It follows that (whp) \(X-2m \ge m\) and

$$\begin{aligned} \left| {\textsf{ancestors}} _{G-R-B'}(T) \right| \ge m \frac{k}{2} = \frac{n}{24}. \end{aligned}$$

\(\square \)

Theorem B.2

Let G be a graph generated by \({\textsf{DRSample}} \) and \(0<\rho \le 1\). Then there exists a constant \(C>0\) so that for all \(m\le Cn^{\rho }/\log n\), it follows that

$$\begin{aligned} {\textsf{rbpeb}} ^{\parallel }(G,m)\ge C \cdot \min \left( \frac{n}{\log n} c_b, \frac{n^{2}}{m \log n} c_r\right) \end{aligned}$$

with high probability.

Proof

Applying Lemma B.1 to each of the disjoint \(\frac{n}{\ell } = \frac{n}{100 m \log n}\) intervals in the second half of graph G and observing that \(\ell ={\mathcal {O}}\left( n^\rho \right) \), it follows from Theorem 5.2 that

$$\begin{aligned}{\textsf{rbpeb}} ^{\parallel }(G,m) \ge \min \left( {\Omega }(n/\log n)c_b,{\Omega }(n^{2}/(m \log n))c_r\right) .\end{aligned}$$

\(\square \)

We remark that if \(m = o(n/\log n)\) in Theorem B.2, e.g., \(m=n/(\log n \log \log n)\), then we have \(\frac{n^2}{m} = \omega (n c_r)\) and \({\textsf{rbpeb}} ^{\parallel }(G,m)\ge C \cdot \min (\frac{n}{\log n} c_b, \omega (n c_r))\).

1.3 Argon2i Edge Distribution

Reminder of Lemma 5.3. Let G be a random Argon2iB (resp. Argon2iA) graph with n nodes then for any \(1 \le j < i-1 \le n\) we have \(\Pr [r(i) = j] \ge \frac{1}{3n}\) (resp. \(\Pr [r(i) = j] \ge \frac{1}{n}\)).

Proof of Lemma 5.3

Let \(1 \le j< i-1 < n\) be given. For Argon2iA the edge distribution for r(i) is uniform over the set \(\{1,\ldots , i-2\}\) so for any \(j \le i-2\) we have \(\Pr [r(i) = j] = \frac{1}{i-2} \ge \frac{1}{n}\). In the Argon2iB edge distribution to determine the value \(r(i) < i-1\) for the directed edge (r(i), i) we have

$$\begin{aligned} \Pr [r(i) = j] = \Pr _{x \in [N]}\left[ i \left( 1-\frac{x^2}{N^2}\right) \in (j-1,j] \right] \end{aligned}$$

where \(N \ge {6}n\) and the randomness is taken over the selection of \(x \in [N]\). Equivalently, \(r(i)=j\) whenever

$$\begin{aligned}(i-j+1) \frac{N^2}{i} \ge x^2 \ge (i-j) \frac{N^2}{i}. \end{aligned}$$

The above probability is minimized when \(j=1\) and \(i=n\). Thus, it suffices to lower bound \(\Pr [r(n) = 1] \ge \frac{1}{3n}\). Observe that

$$\begin{aligned} \Pr [r(n) = 1 ]= & {} \Pr \left[ (i-j+1) \frac{N^2}{i} \ge x^2 \ge (i-j) \frac{N^2}{i} \right] \\= & {} \Pr \left[ N \ge x \ge N \sqrt{(n-1)/n} \right] \\= & {} \frac{N - \lceil N \sqrt{(n-1)/n} \rceil }{N} \\\ge & {} \frac{N-N\sqrt{(n-1)/n} {- 1} }{N} \\\ge & {} \left( 1-\sqrt{\frac{n-1}{n} } {- \frac{1}{6n}} \right) \\\ge & {} \frac{1}{3n}. \end{aligned}$$

The last line follows because \(1-\frac{1}{2n} \ge \sqrt{\frac{n-1}{n}}\) i.e.,

$$\begin{aligned} \left( 1-\frac{1}{2n}\right) ^2 = 1-\frac{1}{n} + \frac{1}{4n^2} \ge \frac{n-1}{n}. \end{aligned}$$

\(\square \)

Background on the Gilbert et al. Black Pebbling Reduction

Gilbert et al. [23] showed that the minimum space black pebbling problem was \(\mathsf {PSPACE-Hard}\) by reduction from the Truly Quantified Boolean Formula (TQBF) problem. They provide a construction from any instance of TQBF to a DAG \(G_{TQBF}\) with pebbling number \(3n+3\) if and only if the instance is satisfiable, where the pebbling number of a DAG G is \(\min _{P = (P_1,\ldots ,P_t) \in {{\mathcal {P}}}^{\parallel }} \max _{i \le t} \left| P_i \right| \), the number of pebbles necessary to pebble G. For our purposes it will be sufficient to describe how their reduction map 3-SAT instance \(\phi \) to a DAG \(G_{\phi }\) (observe that a 3-SAT instance can be viewed as a TQBF instance in which all of the quantifiers are existential).

An important gadget in their construction is the so-called pyramid DAG, whose key property is that any legal pebbling of a k-pyramid requires at least k pebbles on the DAG at some point in time. A k-pyramid consists of \(\sum _{i=1}^k i\) nodes, including k sources and a unique sink node. Formally, a pyramid graph \(\Delta _k\) has nodes \(V=\{v_{i,j}~:~ 1 \le j \le k, 1 \le i\le k-j+1\}\) with k sources \(v_{i,1}\) for \(i \le k\) and one sink node \(v_{k,k}\). The edge set is defined as \(E = \{ (v_{i,j}, v_{i,j+1})~:~k > j \ge 1 \} \cup \{(v_{i,j}, v_{i,j+1})~:~1\le j<k, i < k-j+1 \}\). We use both \(\Delta _k\) and a triangle with the number k inside to denote a k-pyramid (see Fig. 2 for an example of a 3-pyramid). The space complexity of \(\Delta _k\) is exactly k.

Fig. 2
figure 2

A 3-Pyramid

Fig. 3
figure 3

A variable gadget \(G_{x_i}\) with \(x_i\) set to “true” (left figure) and \(x_i\) set to “false” (right figure). The node \(q_{i-1}\) actually belongs to \(G_{x_{i-1}}\). It is drawn here to illustrate how variable gadgets are connected

Construction of \(G_{\phi }\). Consider a 3-SAT formula \(\phi \) with variables \(x_1,\ldots , x_n\) and 3CNF clauses \(C_1, \ldots , C_c\). For each variable \(x_i\), there is a variable gadget \(G_{x_i}\) and for each clause \(C_j\), there is a clause gadget \(G_{C_j}\). Each clause gadget has a sink node \(p_j\) that is connected to one of the source nodes in \(G_{C_{j+1}}\), and there is a special source node \(p_0\) that is connected to one of the source nodes in \(G_{C_1}\). The variable gadget \(G_{x_i}\) is shown in Fig. 3. This gadget in turn is constructed from three pyramid graphs \(\Delta _{3i+1}, \Delta _{3i+2}\) and \(\Delta _{3i+3}\). The remaining nodes in \(G_{x_i}\) are \(x_i, x_i', {\overline{x}}_i', {\overline{x}}_i, a_i,b_i\) and \(q_i\). While the node \(c_i\) is a source node in \(G_{x_i}\), it will not be a source node in the final graph \(G_{\phi }\) since we will add the edges \((q_{i-1}, c_i)\) for each \(i > 1\) and \((p_m,c_1)\) for \(i=1\). By contrast, the source nodes in the pyramids \(\Delta _{3i+1}, \Delta _{3i+2}\) and \(\Delta _{3i+3}\) will remain source nodes in the final graph \(G_{\phi }\). The graph \(G_{\phi }\) contains a unique sink node \(q_n\) from the gadget \(G_{x_n}\).

For each clause \(C_j\), there exists a corresponding clause gadget that is a 3-pyramid with sink node \(p_j\), as previously discussed. Suppose the three variables appearing in the clause are \(y_{j,1},y_{j,2},y_{j,3}\in \{x_1,\ldots ,x_n,\overline{x_1},\ldots ,\overline{x_n}\}\) and the three source nodes of the 3-pyramid are nodes \(v_{j,1},v_{j,2},v_{j,3}\). Then we create incoming edges \((p_{j-1},v_{j,1})\) and \((y_{j,1},v_{j,1})\) to \(v_{j,1}\), incoming edges \((y_{j,1},v_{j,2})\) and \((y_{j,2},v_{j,2})\) to \(v_{j,2}\), and incoming edges \((y_{j,2},v_{j,3})\) and \((y_{j,3},v_{j,3})\) to \(v_{j,3}\). Note that we can only pebble the clause gadget \(C_j\) if there exist pebbles on nodes \(y_{j,1},y_{j,2},y_{j,3}\), corresponding to assignments for these variables. Finally for the final clause \(C_c\), we create an edge between \(p_c\) and node \(q_0\) of the variable gadget corresponding to \(x_1\).

Any instance of TQBF in which each quantifier is an existential quantifier requires at most a quadratic number of pebbling moves. Specifically, we look at instances of 3-SAT, such as in Fig. 4. In such a graph representing an instance of 3-SAT, the sink node to be pebbled is \(q_n\). By design of the construction, any true statement requires exactly three pebbles for each pyramid representing a clause. On the other hand, a false clause requires four pebbles, so that false statements require more pebbles. Thus, by providing extraneous additions to the construction which force the number of pebbling moves to be a known constant, we can extract the pebbling number, given the space-time complexity. For more details, see the full description in [23].

Fig. 4
figure 4

Graph \(G_{TQBF}\) for \(\exists x_1, x_2,x_3,x_4\) s.t. \((x_1\vee x_2\vee x_4)\wedge (x_2\vee x_3\vee {\overline{x}}_1)\)

1.1 Pebbling Strategy

Gilbert et al. [23] show that the DAG \(G_{\phi }\) has pebbling number \(3n+3\) if and only if \(\phi \) is satisfiable. We outline the pebbling strategy below as this will be important to build intuition for our modified construct. We start off by placing a pebble on the sink nodes of every pyramid graph. The graph has 3n pyramid graphs \(\Delta _{3n+3},\Delta _{3n+2},\ldots , \Delta _4\) where \(\Delta _{3i+1}, \Delta _{3i+2}\) and \(\Delta _{3i+3}\) are associated with the variable gadget \(G_{x_i}\). We pebble the pyramid graphs in descending order of size i.e., we first place a pebble on the sink of \(\Delta _{3n+3}\) using space \(3n+3\) and \(\sum _{i =1}^{3n+3} i\) sequential pebbling moves. We then discard all pebbles on \(\Delta _{3n+3}\) except for the sink node and move on to pebble \(\Delta _{3n+2}\) etc... After the sink of each pyramid has been pebbled we move each variable gadget to a true/false configuration as shown in Fig. 3. We first slide a pebble from the sink of \(\Delta _{3i+2}\) to node \({\overline{x}}_i'\). Next if the variable \(x_i\) is assigned to be true in the satisfying assignment we slide a pebble from node \(x_i'\) to \(x_i\). On the other hand if \(x_i\) is assigned to be false we instead slide a pebble from node \({\overline{x}}_i'\) to node \({\overline{x}}_i\). Assuming the boolean formula is satisfiable we can now walk all the way across the clause gadgets to the node \(q_0 = p_c\) without ever placing more than \(3n+3\) pebbles on the graph.

Advancing a Pebble from \(q_{i-1}\) to \(q_i\). We will maintain the invariant that when we reach node \(q_{i-1}\) with a pebble we will have \(3n-3i+3+1\) pebbles on the graph. The steps to move a pebble from \(q_{i-1}\) (the source in \(G_{x_i}\)) to \(q_i\) (the sink) depend on whether or not \(G_{x_i}\) is in the true or false configuration. If we are in the true configuration then we can place a pebble on \({\overline{x}}_i\) (keeping the pebble on node \({\overline{x}}_i'\) for the time being!) and then we slide the pebble on node \(q_{i-1}\) to node \(c_i\) followed by nodes \(b_i\), \(a_i\) and \(q_{i+1}\). If instead we are in the false configuration then we can start by sliding the pebble on node \(q_{i-1}\) to node \(c_i\) and then to node \(b_i\). At this point we will need to pause to re-pebble node \({\overline{x}}_i'\) before we can place our pebble on node \(a_i\). To place a pebble on node \({\overline{x}}_i'\) we will need to re-pebble the pyramid \(\Delta _{3i+1}\). To ensure we have enough space we can first discard all pebbles on \(G_{x_i}\) except for nodes \(b_i\) and \(x_i'\) leaving us with a total of \(3(n-i)+2\) pebbles on \(G_{\phi }\) (including the 3 pebbles on \(G_{x_{j}}\) for each \(j \ge i\)). Since \(3n+3-3(n-i)-2=3i+1\) we have just enough available space to accomplish this task. Once we place a pebble on the sink of \(\Delta _{3i+1}\) we can slide this pebble to node \({\overline{x}}_i'\) and then slide this pebble to \(a_i\). Now we can slide the pebble on \(x_i'\) to \(x_i\) and finally shift our pebble from \(a_i\) to \(q_i\). Once we place a pebble on node \(q_i\) we can discard pebbles from every other node in \(G_{x_i}\) so that the total number of pebbles on the graph is \(1+3(n-i-1)\) (3 pebbles on \(G_{x_j}\) for each \(n \ge j > i\)) and our invariant is maintained.

1.2 Red–Blue Pebbling Strategy

Setting our cache size \(m=3n+3\) we would like to claim that \(G_{\phi }\) also has higher red–blue pebbling cost whenever \(\phi \) is not satisfiable. Intuitively, a black pebbling which only uses \(3n+3\) pebbles corresponds to a red–blue pebbling strategy with no expensive blue moves i.e., \(3n+3\) red pebbles are sufficient. Unfortunately, the claim is not true about the graph \(G_{\phi }\). In particular, the optimal red–blue pebbling may not place each variable gadget \(G_{x_i}\) in a true or false configuration. In particular, instead of placing a variable gadget \(x_i\) in the false configuration \(x_i\) it would be better to maintain red-pebbles on nodes \(x_i\) and \({\overline{x}}_i\). Instead of discarding a pebble on node \({\overline{x}}_i'\) we simply place a blue pebble on this node. This allows us to avoid re-pebbling the pyramid \(\Delta _{3i+1}\) later on when moving our pebble from node \(q_{i-1}\) to \(q_i\). This strategy incurs two extra blue moves (cost: \(2c_b\)) but saves at least \(\sum _{i=1}^{3i+1} i\) red moves (cost: \(\Theta (i^2 c_r)\)). We address the issue by adding an additional path gadget to form a new graph \(H_{\phi }\). Intuitively, the path gadget forces us to pebble every node in \(\Delta _{3i+1}\) twice. We can then prove that \(H_{\phi }\) has higher red–blue pebbling cost (with \(m=3n+4\)) whenever \(\phi \) is not satisfiable. Intuitively, when \(\phi \) is not satisfiable the pebbling will need to make at least 1 blue move without reducing the number of red-moves (each node in \(\Delta _{3i+1}\) still needs to be pebbled twice). If \(\phi \) is satisfiable a red–blue pebbling will essentially follow the same strategy for \(G_{\phi }\) to avoid any blue moves with a few additional steps to pebble the path gadget.

Lemma C.1

[23] The quantified Boolean formula

$$\begin{aligned} Q_1x_1Q_2x_2\cdots Q_nx_nF_n \end{aligned}$$

is true if and only if the corresponding DAG \(G_{TQBF}\) has pebbling number \(3n+3\).

NP-Hardness of the Red–Blue Pebbling Cost

In this section, we consider the computational complexity of computing \({\textsf{rbpeb}} ^{\parallel }\left( G,m\right) \), defining a decision version below and showing it is \({\texttt{NP}-\texttt{Hard}} \).

The decision problem \({\textsf{rbpeb}} ^{\parallel }\) is defined as follows:

Input: a DAG G on n nodes, parameter \(c_b, c_r\), and integers \(m,d>0\).

Output: Yes, if \({\textsf{rbpeb}} ^{\parallel }(G,m) \le d\); otherwise No.

We now show that it is \({\texttt{NP}-\texttt{Hard}} \) to compute \({\textsf{rbpeb}} ^{\parallel }(G,m)\). Quanquan Liu [26] observed that when \(c_r=0\) the problem is \(\mathsf {PSPACE-Hard}\) via a straightforward reduction from minimum space black pebbling. As we observed previously, when \(c_b/c_r \in {\mathcal {O}}\left( {{\textsf{poly}}} (n)\right) \) the decision problem is in \({\texttt {NP} } \) and has a fundamentally different structure. We show that even when the cost of red moves is significant, the problem remains \({\texttt{NP}-\texttt{Hard}} \). We first reduce from a version of \({\mathsf {3-SAT}} \) in which each variable appears in exactly 4 clauses and the negation of each variable also appears in exactly 4 clauses. Moreover, no consecutive \(\frac{n}{105}\) clauses share the same variable (or negation). We show this version of \({\mathsf {3-SAT}} \) is \({\texttt{NP}-\texttt{Hard}} \) in Theorem D.2, but first we show that even if each variable and negation appear in exactly 4 clauses, determining whether a 3CNF is satisfiable is \({\texttt{NP}-\texttt{Hard}} \).

Lemma D.1

Let \(\phi \) be a 3CNF formula with n variables and \(m=\frac{8}{3}n\) clauses such that each variable appears in exactly 4 clauses and the negation of each variable also appears in exactly 4 clauses. Then determining whether \(\phi \) is satisfiable is \({\texttt{NP}-\texttt{Hard}} \).

Proof

[32] shows that if \(\phi '\) is a 3CNF formula with n variables such that each variable or its negation appears in at most 4 clauses each and no clause contains the same literal multiple times, then determining whether \(\phi '\) is satisfiable is \({\texttt{NP}-\texttt{Hard}} \). We show that \(\phi '\) can be transformed into a 3CNF formula \(\phi \) so that each variable and its negation appear in exactly 4 clauses each.

We first transform \(\phi '\) so that each variable and its negation appear exactly 4 times. For each variable \(x_i\) that does not appear 4 times, we can force \(x_i\) to appear 4 times by appending \(\phi '\) with the clause \((x_i\vee x_{n+j}\vee \lnot x_{n+j})\) for a new variable \(x_{n+j}\) that has not previously appeared in \(\phi '\). We can do this until all n original variables and their negations appear exactly 4 times each. Now we may have some variables \(x_j\), \(\lnot x_j\) for \(j>n\) that only appear once. We thus append further \(\phi '\) by additional clauses with variables \(x_k,x_{k+1},x_{k+2}\) that have not appeared in \(\phi '\), but are set to true. Namely, we append \(\phi '\) with \((x_j\vee x_k\vee \lnot x_k), (x_j\vee x_k\vee \lnot x_k), (x_j\vee x_k\vee \lnot x_k), (\lnot x_j\vee x_k\vee \lnot x_k), (\lnot x_j\vee x_{k+1}\vee \lnot x_{k+1}), (\lnot x_j\vee x_{k+1}\vee \lnot x_{k+1}), (x_{k+1}\vee x_{k+2}\vee \lnot x_{k+2}), (x_{k+1}\vee x_{k+2}\vee \lnot x_{k+2}), (\lnot x_{k+1}\vee x_{k+2}\vee \lnot x_{k+2}), (\lnot x_{k+1}\vee x_{k+2}\vee \lnot x_{k+2})\). Since we add at most 21n variables \(x_j\) with \(j>n\), then the total number of variables in the resulting \(\phi '\) is at most 22n and the total number of clauses is at most 64n. Note that these extra clauses are inherently satisfiable, but do not affect the original clauses, so that resulting 3CNF formula is satisfiable if and only if the original 3CNF formula is satisfiable. Since it is \({\texttt{NP}-\texttt{Hard}} \) to determine whether \(\phi '\) is satisfiable, then it is also \({\texttt{NP}-\texttt{Hard}} \) to determine whether \(\phi \) is satisfiable. \(\square \)

We now show that such a 3CNF formula can be written so that no consecutive \(\frac{n}{105}\) clauses share the same variable (or negation).

Theorem D.2

Let \(\phi \) be a 3CNF formula with n variables and \(c=\frac{8}{3}n\) clauses such that each variable appears in exactly 4 clauses and the negation of each variable also appears in exactly 4 clauses. Furthermore, suppose that no consecutive \(\frac{n}{105}\) clauses share the same variable (or negation). Then determining whether \(\phi \) is satisfiable is \({\texttt{NP}-\texttt{Hard}} \).

Proof

Let \(\phi '\) be a 3CNF formula with n variables such that each variable or its negation appears in at most 4 clauses each and no clause contains the same literal multiple times. We now reorder \(\phi '\) to obtain a 3CNF formula \(\phi \) so that no consecutive \(\frac{n}{105}\) clauses share the same variable. We use a greedy strategy to construct the first part of \(\phi \). We arbitrarily pick a clause in \(\phi '\) to be the first clause of \(\phi \) and then repeatedly append clauses in \(\phi '\) that that do not share variables with any of the last \(\frac{n}{105}\) clauses, until this is no longer possible. Then there are at most \(\frac{n}{35}\) variables in the last \(\frac{n}{105}\) clauses, so there are at most \(r\le \frac{(8-1)n}{35}=\frac{n}{5}\) remaining clauses in \(\phi '\) that use one of these variables.

For each remaining clause \(c_i\), we search for an interval of \(\frac{n}{50}\) clauses that do not intersect with \(c_i\) and insert \(c_i\) in the middle of this interval. Such an interval must exist since there are at least 50 such disjoint intervals and each of the 3 variables appearing in \(c_i\) can intersect with at most 8 of these intervals. Thus \(\phi \) has the desired form that each variable and its negation appear in exactly 4 clauses each and no consecutive \(\frac{n}{105}\) clauses share the same variable (or negation). Moreover, \(\phi \) is satisfiable if and only if \(\phi '\) is satisfiable by construction. Since it is \({\texttt{NP}-\texttt{Hard}} \) to determine whether \(\phi '\) is satisfiable, then it is also \({\texttt{NP}-\texttt{Hard}} \) to determine whether \(\phi \) is satisfiable. \(\square \)

We now use a 3CNF formula satisfying the form of Theorem D.2 to show that the problem \({\textsf{rbpeb}} ^{\parallel }\) is \({\texttt{NP}-\texttt{Hard}} \).

Theorem D.3

For \(c_b>{10,000}c_r\), the problem \({\textsf{rbpeb}} ^{\parallel }\) is \({\texttt{NP}-\texttt{Hard}} \).

Gilbert et al. showed that the minimum space black pebbling problem was \(\mathsf {PSPACE-Hard}\) by reduction from the Truly Quantified Boolean Formula (TQBF) problem. For more details about the Gilbert et al. [23] reduction, we refer an interested reader to Appendix C. We note that an instance \(\phi \) of \({\mathsf {3-SAT}} \) with n variables and c clauses is still a TQBF instance (albeit with no \(\forall \) quantifiers). Thus, given an instance \(\phi \) of \({\mathsf {3-SAT}} \) satisfying the conditions in Theorem D.2 with n variables and c clauses, we can create the corresponding DAG \(G_\phi \), as described in the reduction of Gilbert et al. [23]. The graph \(G_{\phi }\) has the property that it can be pebbled with at most \(3n+3\) black pebbles if and only if \(\phi \) is satisfiable.

In particular, the optimal pebbling for \(G_{\phi }\) first uses \(3n+3\) pebbles for \(\Delta _{3n+3}\) and then leaves three pebbles on the corresponding existential quantifier for \(x_n\), including a pebble at the node corresponding to the value of \(x_n\), so that the sink node \(q_n\) can eventually be pebbled. The optimal pebbling then uses 3n additional pebbles for \(\Delta _{3n}\) and determines the value of \(x_{n-1}\), so that the total number of pebbles at any point is still at most \(3n+3\). This process continues so that pebbling \(G_{\phi }\) requires at least \(3n+3\) pebbles until there is a value for each variable and the sink node can be pebbled. On the other hand, if \(\phi \) is not satisfiable, then some variable must be “set” to both true and false, requiring an additional pebble. Hence the pebbling requires at least \(3n+4\) black pebbles.

In fact, if variable \(x_i\) is “set” to both true and false, then the nodes in \(\Delta _{3i+3}\) and the node \({\overline{x}}'_i\) need to be pebbled twice in a legal black pebbling. For red-blue pebblings, we could potentially use an extra blue move to store the sink of \(\Delta _{3i+3}\) rather than completely repebbling \(\Delta _{3i+3}\). Thus we create an extra gadget that requires \(\Delta _{3i+3}\) and \({\overline{x}}'_i\) to be completely repebbled, so that the strategy of storing \({\overline{x}}'_i\) and the sink of \(\Delta _{3i+3}\) is useless.

We detail a gadget to append to \(G_\phi \) to create a graph \(H_\phi \) so that \({\textsf{rbpeb}} ^{\parallel }(H_\phi ,m)=d:=\frac{6n^3+27n^2+61n+20+12c}{2}\) if \(\phi \) is a satisfiable assignment, but \({\textsf{rbpeb}} ^{\parallel }(H_\phi ,m)>d\) if \(\phi \) is not satisfiable. The key goal of the additional gadget is to ensure that we cannot significantly reduce the number of red moves (computation costs) by including a few blue moves. Moreover, by setting \(m\ge 3n+4\) to be large, then there is no restriction on the number of red moves.

For DAG \(G_\phi \) corresponding to n variables, there exist unique k-pyramids for \(k=4,\ldots ,3n+2,3n+3\). Let \(\Delta _i\) be the i-pyramid and let \(\alpha _i\) be the vertex above the apex of pyramid \(\Delta _i\). Let \(P_1\) be a directed path with 3n vertices so that there exists an edge from the apex of \(\Delta _{3n+4-i}\) to vertex i of \(P_1\), for each \(1\le i\le 3n\). Thus \(P_1\) requires all sinks of the pyramids to be pebbled. See Fig. 5 for an example of \(P_1\).

We then connect the final vertex of \(P_1\) to a directed path \(P_2\) with

$$\begin{aligned}&\left( \frac{(3n+2)(3n+1)}{2}+1\right) +\left( \frac{(3n-1)(3n-2)}{2}+1\right) +\cdots \\&\quad + \left( 28+1\right) +\left( 10+1\right) =\frac{3n^3+9n^2+10n}{2} \end{aligned}$$

vertices. Moreover, the first \(\frac{(3n+2)(3n+1)}{2}\) vertices of \(P_2\) each have an edge from separate vertices of \(\Delta _{3n+1}\), starting with the vertices in the bottom layer and moving upwards. More specifically, let \(u_1,\ldots ,u_{3n+1}\) be the \(3n+1\) vertices at the bottom layer of \(\Delta _{3n+1}\) and \(v_1,\ldots ,v_{3n+1}\) be the first \(3n+1\) vertices of \(P_2\). Then there exist edges \((u_i,v_i)\) for each \(i\in [3n+1]\). Similarly, let \(y_1,\ldots ,y_{3n}\) be the 3n vertices at the next layer of \(\Delta _{3n+1}\) and \(z_1,\ldots ,z_{3n}\) be the next 3n vertices of \(P_2\), following \(v_{3n+1}\). Then there exist edges \((y_i,z_i)\) for each \(i\in [3n]\), and so forth until all vertices of \(\Delta _{3n+1}\) have an outgoing edge to a separate vertex of \(P_2\). We also create an edge to the following vertex from the vertex \(\alpha _{3n+1}\). This ensures that \(\Delta _{3n+1}\) must be completely repebbled, so that any strategy of saving a pebble on a particular node of \(\Delta _{3n+1}\), such as its sink \(\alpha _{3n+1}\), is useless.

The next \(\frac{(3n-1)(3n-2)}{2}\) vertices of \(P_2\) each have an edge from separate vertices of \(\Delta _{3n-2}\), starting with the vertices in the bottom layer and moving upwards. We also create an edge to the following vertex from the vertex \(\alpha _{3n-2}\). We continue this process until all vertices from all pyramids of the form \(\Delta _{3i+1}\) are connected to \(P_2\), as well as the vertices \(\alpha _{3i+1}\). Finally, we connect \(P_2\) to the same sink node as \(G_{\phi }\). Thus \(P_2\) ensures that all pyramids of the form \(\Delta _{3i+1}\) must be completely repebbled. See Fig. 5 for an example of \(P_2\).

Then by setting P to be the path \(P_1\) concatenated with \(P_2\), we have the following result:

Lemma D.4

P contains exactly \(3n+3+\sum _{i=1}^n\left( \frac{(3i+2)(3i+1)}{2}+1\right) =\frac{3n^3+9n^2+16n+6}{2}\) vertices.

Let \(H_\phi =G_\phi \cup P\) and recall that P and \(G_{\phi }\) have the same sink node. We claim that \(H_\phi \) with capacity \(3n+4\) will have a certain pebbling cost if and only if \(\phi \) is satisfiable. Thus, if \(\phi \) is satisfiable, the optimal pebbling will correspond to the minimum space black pebbling and will require 0 blue moves. We first claim that if \(\phi \) is unsatisfiable, then \(H_\phi \) has pebbling number at least \(3n+5\).

Lemma D.5

\(H_\phi \) has pebbling number \(3n+4\) if and only if \(\phi \) is satisfiable.

Fig. 5
figure 5

Path P that is used in \(H_\phi \)

Proof

We first note that if \(\phi \) is satisfiable, then \(H_\phi \) has pebbling number \(3n+3\). Recall that there exists a valid pebbling Q of \(G_\phi \) with pebbling number \(3n+3\) that begins with all \(3n+3\) pebbles on the pyramid graph \(\Delta _{3n+3}\) at some point. When the apex of \(\Delta _{3n+3}\) is pebbled by Q, we can begin pebbling P in the next step. We keep a single pebble on path P and move the pebble forward along \(P_1\) whenever the apex of the next pyramid is pebbled. The pebbling strategy Q must then pebble each of the pyramids \(\Delta _{3n+2},\ldots ,\Delta _4\) in that order, which allows us to completely pebble the path \(P_1\) using at most \(3n+3\) pebbles in total. We then proceed with the pebbling strategy Q, observing that the sink of \(G_\phi \) has two parents: a node representing the variable \(x_n\) set to true and some other node, say \(\beta \). At some point Q will pebble \(\beta \), at which point we maintain pebbles on \(\beta \) and P. We then hold the pebble on \(\beta \) while we pebble \(P_2\), which can be done using \(3n+3\) additional pebbles. When the final node of \(P_2\) is pebbled, we can use \(\beta \) to pebble the sink node of \(G_\phi \), using \(3n+4\) pebbles in total.

Suppose by way of contradiction, there exists an unsatisfiable \(\phi \) such that each pebbling \(Q=\{Q_1,Q_2,\ldots \}\) of \(H_\phi \) has pebbling number at most \(3n+4\). By Lemma C.1, \(G_\phi \) has pebbling number at least \(3n+4\) if \(\phi \) is unsatisfiable. Thus there exists a time in which there are at least \(3n+4\) pebbles on \(G_\phi \), i.e., \(|Q_t\cap G_\phi |\ge 3n+4\). Let t be the final time in the pebbling Q, in which there are at least \(3n+4\) pebbles on \(G_{\phi }\). Moreover, we can assume without loss of generality that the sink node of \(G_\phi \) is not pebbled at time t, since the pebbling will not need any other pebbles in future steps, as the pebbling can terminate after pebbling the sink node. Since \(G_\phi \) and P only intersect at the sink node and \(Q_t\) already has at least \(3n+4\) nodes at \(G_\phi \) and no pebble on the sink node, then either \(Q_t\) contains at least \(3n+5\) pebbles or \(P_t\) has no pebbles on P, i.e., either \(|Q_t|\ge 3n+5\) or \(G_\phi \cap P=\emptyset \). We have by assumption that \(|Q_t|\le 3n+4\), so it follows that there must be no pebbles on P.

To pebble the sink node of \(H_{\phi }\), we must completely pebble P after time t. Thus we must pebble a pyramid graph \(\Delta _{3n+3}\) while holding a pebble on P, while requiring \(3n+4\) pebbles with no other pebbles on \(G_\phi \). However, because t is the final time in which Q has \(3n+4\) pebbles on \(G_\phi \), then Q can no longer pebble the sink node of \(G_\phi \), which is a contradiction. Hence, \(H_\phi \) has pebbling number \(3n+4\) if and only if \(\phi \) is satisfiable. \(\square \)

Lemma D.6

If \(\phi \) is satisfiable, then there exists a pebbling strategy of \(H_\phi \) with capacity \(3n+4\) and cost at most

$$\begin{aligned} \left( \frac{6n^3+27n^2+101n+20}{2}\right) c_r. \end{aligned}$$

Proof

The total number of nodes in \(G_\phi \) corresponding to variable assignments from the GLT construction is

$$\begin{aligned} 6n+\sum _{i=4}^{3n+3}i=\frac{9n^2+33n+12}{2}, \end{aligned}$$

since each existential quantifier gadget has six internal nodes in addition to the pyramids of size \(4,\ldots ,3n+3\). This can be visualized in Fig. 4 by the nodes on the left hand side, excluding the nodes \(q_i\). Additionally, there are n nodes \(q_i\), six nodes for each of the c clauses \(p_i\) for \(1\le i\le c\), and an additional node for \(p_0\). Moreover, it should be noted that since both \(x_i\) and \(\overline{x_i}\) appear in 4 clauses, then regardless of the configuration in Fig. 3, 4n additional pebbles are required for \(G_\phi \), either 4n pebbles on \(x_i\) or 4n pebbles on \(\overline{x_i}\). Thus the total number of nodes that must be pebbled in \(G_\phi \) is

$$\begin{aligned} 4n+6c+1+7n+\sum _{i=4}^{3n+3}i=\frac{9n^2+35n+14}{2}+6c+4n=\frac{9n^2+75n+14}{2}, \end{aligned}$$

where the last equality results from the fact that \(c=\frac{8}{3}n\).

By Lemma D.4, the number of nodes in the additional path P is \(\frac{3n^3+9n^2+16n+6}{2}\). Moreover, we can completely re-pebble each of the pyramids \(\Delta _{3i+1}\) a second time, as well as each \(\alpha _{3i+1}\), to pebble P, requiring an additional

$$\begin{aligned} \sum _{i=1}^n\left( \frac{(3i+2)(3i+1)}{2}+1\right) =\frac{3n^3+9n^2+10n}{2} \end{aligned}$$

steps. Namely, we walk a pebble down P so that the pebble is placed on each node of P for a single step. Accordingly, we begin pebbling each pyramid so that its apex contains a pebble in the round before the descendent of the apex in P contains a pebble.

Thus, the total number of steps required to pebble \(H_\phi \) is

$$\begin{aligned}{} & {} \frac{9n^2+75n+14}{2}+\frac{3n^3+9n^2+16n+6}{2}\\{} & {} \quad +\frac{3n^3+9n^2+10n}{2}=\frac{6n^3+27n^2+101n+20}{2}. \end{aligned}$$

Finally, recall from Lemma C.1 that the GLT construction has pebbling number \(3n+3\) for a satisfiable instance of \(\phi \). Since the nodes in P are ordered corresponding to the natural pebbling order in \(G_\phi \), a single additional pebble suffices for P. Thus, if the capacity of \(G_\phi \) is \(3n+4\), then all pebbling moves can be achieved with red moves, so there exists a pebbling strategy with total cost is \(\left( \frac{6n^3+27n^2+101n+20}{2}\right) c_r\). \(\square \)

Lemma D.7

If \(\phi \) is unsatisfiable, then the pebbling cost of \(H_\phi \) with capacity \(3n+4\) is greater than

$$\begin{aligned}\left( \frac{6n^3+27n^2+101n+20}{2}\right) c_r.\end{aligned}$$

Proof

If \(\phi \) is unsatisfiable, then \(H_\phi \) has pebbling number at least \(3n+5\) by Lemma D.5. Thus if \(H_\phi \) has capacity \(3n+4\), then \(H_\phi \) any red–blue pebbling strategy must have a blue pebble at some point. Suppose that our pebbling strategy makes k blue moves e.g., by placing blue pebbles on the top of \(3i+2\) pyramids. The only way such a strategy could be beneficial is if there is a large reduction in the number of red moves. We observe that in the pebbling strategy from Lemma D.6 almost all nodes are pebbled only once with the exception of (1) pyramids \(\Delta _{3i+1}\), which are each pebbled twice, and (2) the vertices corresponding \(x_i\) and/or \(\overline{x_i}\).

This pebbling strategy incurs 4n extra red moves on vertices \(\bigcup _{i \le n} \{x_i,{\overline{x}}_i\}\). We also remark that any pebbling strategy will need to place a red pebble on every node at least once. Since blue moves are more expensive the only reason to place a blue pebble on a node is if this allows us to reduce the number of red moves. Suppose that our pebbling strategy places \(k'\) blue pebbles on pyramids \(\Delta _{3i+1}\) and k blue pebbles on other nodes. We claim that the total cost of the red pebbling moves can be reduced by at most \(105(8/3)(k+2k'+3)(4c_r)+k'c_r\).

Suppose we place \(k'\) blue pebbles on pyramids \(\Delta _{3i+1}\). We can either keep blue pebbles on internal nodes of the pyramids or on top of the pyramid \(\Delta _{3i+1}\). Each blue pebble kept on some node of a pyramid \(\Delta _{3i+1}\) can save an additional red move in the pebbling strategy, but it does not free up any room for additional red pebbles in cache because the honest pebbling strategy does not store red pebbles on this pyramid. Thus the total cost of the red moves saved by the \(k'\) blue pebbles is at most \(k'c_b\).

Suppose we place k blue pebbles on nodes that are not in pyramids \(\Delta _{3i+1}\). Then each blue pebble will not save any red moves on the pyramids \(\Delta _{3i+1}\), but can save some of the 4n red moves on the nodes \(\{x_i,{\overline{x}}_i\}\). For each \(i\in [n]\), we define the indicator variable \(Y_i=1\) if and only if we reduce the red cost on variable gadget i to anything below \(4c_r\). Observe that if \(\sum Y_i > 105(8/3)(T)\), then there would be some point in time t where more than T variable gadgets have pebbles on both nodes \(x_i\) and \({\overline{x}}_i\). Suppose by way of contradiction that \(T>k+2k'+3\). Then we would have at least 4 pebbles on \(T-k'\) variable gadgets and at most \(k'\) variable gadgets with only two pebbles, for a total of \(3n+(T-k')-k' + 2 \ge 3n + k +5\) pebbles (extra two pebbles on path P and at least one on clause gadget). However, this contradicts the fact that we have at most \(3n+4+k\) total pebbles (red and blue) at all times in the pebbling. Thus, we have \(T\le k+2k'+3\), so that \(\sum Y_i\le 105(8/3)(k+2k'+3)\) and the total cost of the red moves saved by the k blue pebbles is at most \(105(8/3)(k+2k'+3)(4c_r)\).

In summary, for \(k+k'\ge 1\), the total cost of blue moves is \((k+k')c_b\) and the total number of saved red moves is at most \(105(8/3)(k+2k'+3)(4c_r)+k'c_r\). Thus for \(c_b>{10,000}c_r\), we have \((k+k')c_b>105(8/3)(k+2k'+3)(4c_r)+k'c_r\). Therefore, any pebbling strategy has a cost greater than \(\left( \frac{6n^3+27n^2+101n+20}{2}\right) c_r\). \(\square \)

Together, Lemmas D.6 and D.7 imply Theorem D.3.

Reminder of Theorem D.3. For \(c_b>{10,000}c_r\), the problem \({\textsf{rbpeb}} ^{\parallel }\) is \({\texttt{NP}-\texttt{Hard}} \).

Proof of Theorem D.3

First, we remark that given a DAG \(H_\phi \) with some capacity m, as well as a complete pebbling strategy as the certificate, the certificate can be verified in polynomial time by checking the validity of each step in the pebbling strategy. Thus, the computation of \({\textsf{rbpeb}} ^{\parallel }(H_\phi )\) is in \({\texttt {NP} } \).

We now reduce \({\mathsf {3-SAT}} \) to the computation of \({\textsf{rbpeb}} ^{\parallel }(H_\phi )\). Now, given an instance \(\phi \) of \({\mathsf {3-SAT}} \) with n variables, we construct the above DAG \(H_\phi \). This procedure clearly takes polynomial time. Moreover, by Lemma D.6, if \(\phi \) is satisfiable, then the optimal pebbling cost of \(H_\phi \) with capacity \(3n+4\) is exactly

$$\begin{aligned} \left( \frac{6n^3+27n^2+101n+20}{2}\right) c_r. \end{aligned}$$

On the other hand, by Lemma D.7, if \(\phi \) is unsatisfiable, then the pebbling cost of \(H_\phi \) with capacity \(3n+4\) is greater than

$$\begin{aligned} \left( \frac{6n^3+27n^2+101n+20}{2}\right) c_r. \end{aligned}$$

Thus, the computation of \({\textsf{rbpeb}} ^{\parallel }(H_\phi ,m)\) distinguishes whether \(\phi \) is satisfiable or not, for \(m\ge 3n+4\) and \(d=\frac{6n^3+27n^2+101n+20}{2}\). Since \({\mathsf {3-SAT}} \) is \({\texttt{NP}-\texttt{Hard}} \), it follows that the \({\textsf{rbpeb}} ^{\parallel }(H_\phi ,m)\) is \({\texttt{NP}-\texttt{Hard}} \). \(\square \)

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Blocki, J., Liu, P., Ren, L. et al. Bandwidth-Hard Functions: Reductions and Lower Bounds. J Cryptol 37, 16 (2024). https://doi.org/10.1007/s00145-024-09497-3

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s00145-024-09497-3

Keywords

Navigation