research-article

Practical Graphs for Optimal Side-Channel Resistant Memory-Hard Functions

Authors:

Joel Alwen,

Jeremiah Blocki,

Ben HarshaAuthors Info & Claims

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Pages 1001 - 1017

https://doi.org/10.1145/3133956.3134031

Published: 30 October 2017 Publication History

Get Access

Abstract

A memory-hard function (MHF) ƒn with parameter n can be computed in sequential time and space n. Simultaneously, a high amortized parallel area-time complexity (aAT) is incurred per evaluation. In practice, MHFs are used to limit the rate at which an adversary (using a custom computational device) can evaluate a security sensitive function that still occasionally needs to be evaluated by honest users (using an off-the-shelf general purpose device). The most prevalent examples of such sensitive functions are Key Derivation Functions (KDFs) and password hashing algorithms where rate limits help mitigate off-line dictionary attacks. As the honest users' inputs to these functions are often (low-entropy) passwords special attention is given to a class of side-channel resistant MHFs called iMHFs.

Essentially all iMHFs can be viewed as some mode of operation (making n calls to some round function) given by a directed acyclic graph (DAG) with very low indegree. Recently, a combinatorial property of a DAG has been identified (called "depth-robustness") which results in good provable security for an iMHF based on that DAG. Depth-robust DAGs have also proven useful in other cryptographic applications. Unfortunately, up till now, all known very depth-robust DAGs are impractically complicated and little is known about their exact (i.e. non-asymptotic) depth-robustness both in theory and in practice.

In this work we build and analyze (both formally and empirically) several exceedingly simple and efficient to navigate practical DAGs for use in iMHFs and other applications. For each DAG we:

Prove that their depth-robustness is asymptotically maximal.

Prove bounds of at least 3 orders of magnitude better on their exact depth-robustness compared to known bounds for other practical iMHF.

Implement and empirically evaluate their depth-robustness and aAT against a variety of state-of-the art (and several new) depth-reduction and low aAT attacks. We find that, against all attacks, the new DAGs perform significantly better in practice than Argon2i, the most widely deployed iMHF in practice.

Along the way we also improve the best known empirical attacks on the aAT of Argon2i by implementing and testing several heuristic versions of a (hitherto purely theoretical) depth-reduction attack. Finally, we demonstrate practicality of our constructions by modifying the Argon2i code base to use one of the new high aAT DAGs. Experimental benchmarks on a standard off-the-shelf CPU show that the new modifications do not adversely affect the impressive throughput of Argon2i (despite seemingly enjoying significantly higher aAT).

Supplemental Material

MP4 File

Download
2923.28 MB

References

[1]

Martin Abadi, Mike Burrows, Mark Manasse, and Ted Wobber 2005. Moderately Hard, Memory-bound Functions. ACM Trans. Internet Technol. Vol. 5, 2 (May 2005), 299--327. /10.1109/SFCS.1983.38

Digital Library

Google Scholar

[2]

Leslie G. Valiant. 1977. Graph-Theoretic Arguments in Low-Level Complexity. Mathematical Foundations of Computer Science 1977, 6th Symposium, Tatranska Lomnica, Czechoslovakia, September 5-9, 1977, Proceedings (Lecture Notes in Computer Science), Jozef Gruska (Ed.), Vol. Vol. 53. Springer, 162--176. https://doi.org/10.1007/3-540-08353-7_135

Crossref

Google Scholar

[3]

Vitalik Buterin. 2013. Ethereum. (2013). https://www.ethereum.org/

Google Scholar

[4]

Hongjun Wu. 2015. POMELO -- A Password Hashing Algorithm. (2015).

Google Scholar

[5]

Zerocoin Electric Coin Company. 2016. ZCash. (2016). https://z.cash/

Google Scholar

Cited By

View all

Bursuc SGil-Pons RMauw STrujillo-Rasua R(2024)Software-Based Memory Erasure with Relaxed Isolation Requirements2024 IEEE 37th Computer Security Foundations Symposium (CSF)10.1109/CSF61375.2024.00022(01-16)Online publication date: 8-Jul-2024
https://doi.org/10.1109/CSF61375.2024.00022
Bai WBlocki JAmeri M(2024)Cost-asymmetric memory hard password hashingInformation and Computation10.1016/j.ic.2023.105134297:COnline publication date: 2-Jul-2024
https://dl.acm.org/doi/10.1016/j.ic.2023.105134
Blocki JLiu PRen LZhou S(2024)Bandwidth-Hard Functions: Reductions and Lower BoundsJournal of Cryptology10.1007/s00145-024-09497-337:2Online publication date: 12-Mar-2024
https://dl.acm.org/doi/10.1007/s00145-024-09497-3
Show More Cited By

Index Terms

Practical Graphs for Optimal Side-Channel Resistant Memory-Hard Functions
1. Security and privacy
  1. Cryptography
    1. Symmetric cryptography and hash functions
      1. Hash functions and message authentication codes

Recommendations

Hash functions and the (amplified) boomerang attack
CRYPTO'07: Proceedings of the 27th annual international cryptology conference on Advances in cryptology

Since Crypto 2004, hash functions have been the target of many attacks which showed that several well-known functions such as SHA-0 or MD5 can no longer be considered secure collision free hash functions. These attacks use classical cryptographic ...
Side Channel Analysis of Some Hash Based MACs: A Response to SHA-3 Requirements
Information and Communications Security
Abstract
The forthcoming NIST’s Advanced Hash Standard (AHS) competition to select SHA-3 hash function requires that each candidate hash function submission must have at least one construction to support FIPS 198 HMAC application. As part of its evaluation,...
Collision Attack on 4-Branch, Type-2 GFN Based Hash Functions Using Sliced Biclique Cryptanalysis Technique
Information Security and Cryptology
Abstract
In this work, we apply the sliced biclique cryptanalysis technique to show 8-round collision attack on a hash function based on 4-branch, Type-2 Generalized Feistel Network (Type-2 GFN). This attack is generic and works on 4-branch, Type-2 GFN ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

October 2017

2682 pages

ISBN:9781450349468

DOI:10.1145/3133956

General Chair:
Bhavani Thuraisingham
The University of Texas at Dallas, USA
,
Program Chairs:
David Evans
University of Virginia
,
Tal Malkin
Columbia University
,
Dongyan Xu
Purdue University

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 October 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

European Research Council, ERC consolidator grant

Conference

CCS '17

Sponsor:

SIGSAC

CCS '17: 2017 ACM SIGSAC Conference on Computer and Communications Security

October 30 - November 3, 2017

Texas, Dallas, USA

Acceptance Rates

CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

29
Total Citations
View Citations
307
Total Downloads

Downloads (Last 12 months)13
Downloads (Last 6 weeks)4

Reflects downloads up to 03 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Bursuc SGil-Pons RMauw STrujillo-Rasua R(2024)Software-Based Memory Erasure with Relaxed Isolation Requirements2024 IEEE 37th Computer Security Foundations Symposium (CSF)10.1109/CSF61375.2024.00022(01-16)Online publication date: 8-Jul-2024
https://doi.org/10.1109/CSF61375.2024.00022
Bai WBlocki JAmeri M(2024)Cost-asymmetric memory hard password hashingInformation and Computation10.1016/j.ic.2023.105134297:COnline publication date: 2-Jul-2024
https://dl.acm.org/doi/10.1016/j.ic.2023.105134
Blocki JLiu PRen LZhou S(2024)Bandwidth-Hard Functions: Reductions and Lower BoundsJournal of Cryptology10.1007/s00145-024-09497-337:2Online publication date: 12-Mar-2024
https://dl.acm.org/doi/10.1007/s00145-024-09497-3
Charbit PCouteau GMeyer PNaserasr R(2024)A Note on Low-Communication Secure Multiparty Computation via Circuit Depth-ReductionTheory of Cryptography10.1007/978-3-031-78023-3_6(167-199)Online publication date: 3-Dec-2024
https://doi.org/10.1007/978-3-031-78023-3_6
Auerbach BGünther CPietrzak K(2024)Trapdoor Memory-Hard FunctionsAdvances in Cryptology – EUROCRYPT 202410.1007/978-3-031-58734-4_11(315-344)Online publication date: 26-May-2024
https://dl.acm.org/doi/10.1007/978-3-031-58734-4_11
Blocki JLiu P(2023)Towards a Rigorous Statistical Analysis of Empirical Password Datasets2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179431(606-625)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179431
Block ABlocki J(2023)Computationally Relaxed Locally Decodable Codes, Revisited2023 IEEE International Symposium on Information Theory (ISIT)10.1109/ISIT54713.2023.10206655(2714-2719)Online publication date: 25-Jun-2023
https://doi.org/10.1109/ISIT54713.2023.10206655
Ateniese GChen LFrancati DPapadopoulos DTang Q(2023)Verifiable Capacity-Bound Functions: A New Primitive from Kolmogorov ComplexityPublic-Key Cryptography – PKC 202310.1007/978-3-031-31371-4_3(63-93)Online publication date: 7-May-2023
https://dl.acm.org/doi/10.1007/978-3-031-31371-4_3
Saeed HMalik HBashir UAhmad ARiaz SIlyas MBukhari WKhan M(2022)Blockchain technology in healthcare: A systematic reviewPLOS ONE10.1371/journal.pone.026646217:4(e0266462)Online publication date: 11-Apr-2022
https://doi.org/10.1371/journal.pone.0266462
Blocki JHolman BLee S(2022)The Parallel Reversible Pebbling Game: Analyzing the Post-quantum Security of iMHFsTheory of Cryptography10.1007/978-3-031-22318-1_3(52-79)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1007/978-3-031-22318-1_3
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Hash functions and the (amplified) boomerang attack

Side Channel Analysis of Some Hash Based MACs: A Response to SHA-3 Requirements

Collision Attack on 4-Branch, Type-2 GFN Based Hash Functions Using Sliced Biclique Cryptanalysis Technique