Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks
1 Introduction
more powerful attacks against Argon2i are impossible under our adversary
model.
– Password-independent memory-access pattern. The memory-access pattern
of the Balloon algorithm is independent of the password being hashed. Pass-
word-hashing functions that lack this property are vulnerable to a crippling
attack in the face of an adversary who learns the memory-access patterns
of the hashing computation, e.g., via cache side-channels [25, 62, 87]. The
attack, which we describe in Appendix G.2, makes it possible to run a dic-
tionary attack with very little memory. A hashing function with a password-
independent memory-access pattern eliminates this threat.
– Performant. The Balloon algorithm is easy to implement and it matches
or exceeds the performance of the fastest comparable password-hashing al-
gorithms, Argon2i [19] and Catena [42], when instantiated with standard
cryptographic primitives (Section 6).
We analyze the memory-hardness properties of the Balloon function using
pebble games, which are arguments about the structure of the data-dependency
graph of the underlying computation [54, 65, 67, 81, 85]. Our analysis uses
the framework of Dwork, Naor, and Wee [37]—later applied in a number of
cryptographic works [6, 8, 38, 39, 42]—to relate the hardness of pebble games
to the hardness of certain computations in the random-oracle model [14].
The crux of our analysis is a new observation about the properties of “random
sandwich graphs,” a class of graphs studied in prior work on pebbling [6, 8]. To
show that our techniques are broadly applicable, we apply them in Appendices F
and G to give simple proofs of memory-hardness, in the random-oracle model, for
the Argon2i and scrypt functions. We prove stronger memory-hardness results
about the Balloon algorithm, but these auxiliary results about Argon2i and
scrypt may be of independent interest to the community.
The performance of the Balloon hashing algorithm is surprisingly good, given
that our algorithm offers stronger proven security properties than other practical
memory-hard functions with a password-independent memory-access pattern.
For example, if we configure Balloon to use Blake2b as the underlying hash
function [10], run the construction for five “rounds” of hashing, and set the space
parameter to require the attacker to use 1 MiB of working space to compute
the function, then we can compute Balloon Hashes at the rate of 13 hashes per
second on a modern server, compared with 12.8 for Argon2i, and 2.1 for Catena
DBG (when Argon2i and Catena DBG are instantiated with Blake2b as the
underlying cryptographic hash function).³
Caveat: Parallel Attacks. The definition of memory-hardness we use puts a lower-
bound on the time-space product of computing a single instance of the Balloon
function on a sequential (single-core) computer. In reality, an adversary mount-
ing a dictionary attack would want to compute billions of instances of the Bal-
loon function, perhaps using many processors running in parallel. Alwen and
³ The relatively poor performance of Argon2i here is due to the attack we present in Section 4. It allows an attacker to save space in computing Argon2i with no increase in computation time.
Serbinenko [8], formalizing earlier work by Percival [68], introduce a new com-
putational model—the parallel random-oracle model (pROM)—and a memory-
hardness criterion that addresses the shortcomings of the traditional model. In
recent work, Alwen and Blocki prove the surprising result that no function that
uses a password-independent memory access pattern can be optimally memory-
hard in the pROM [3]. In addition, they give a special-purpose pROM algorithm
for computing Argon2i, Balloon, and other practical (sequential) memory-hard
functions with some space savings. We discuss this important class of attacks
and the relevant related work in Section 5.1.
Contributions. In this paper, we
– introduce and analyze the Balloon hashing function, which has stronger prov-
able security guarantees than prior practical memory-hard functions (Sec-
tion 3),
– present a practical memory-saving attack against the Argon2i password-hashing algorithm (Section 4),
– explain how to ameliorate the danger of massively parallel attacks against memory-hard functions with a password-independent access pattern (Section 5.1), and
– prove the first known time-space lower bounds for Argon2i and an idealized
variant of scrypt, in the random-oracle model. (See Appendices F and G.)
2 Security Definitions
This section summarizes the high-level security and functionality goals of a pass-
word hashing function in general and the Balloon hashing algorithm in particu-
lar. We draw these aims from prior work on password hashing [68, 75] and also
from the requirements of the recent Password Hashing Competition [64].
2.1 Syntax
The Balloon password hashing algorithm takes four inputs: a password, salt,
time parameter, and space parameter. The output is a bitstring of fixed length
(e.g., 256 or 512 bits). The password and salt are standard [59], but we elaborate
on the role of the latter parameters below.
Space Parameter (Buffer Size). The space parameter, which we denote as “n”
throughout, indicates how many fixed-size blocks of working space the hash
function will require during the course of its computation, as in scrypt [68]. At
a high level, a memory-hard function should be “easy” to compute with n blocks
of working space and should be “hard” to compute with much less space than
that. We make this notion precise later on.
Time Parameter (Number of Rounds). The Balloon function takes as input a
parameter r that determines the number of “rounds” of computation it performs.
As in bcrypt [75], the larger the time parameter, the longer the hash computation
will take. On memory-limited platforms, a system administrator can increase
the number of rounds of hashing to increase the cost of computing the function
without increasing the algorithm’s memory requirement. The choice of r has
an effect on the memory-hardness properties of the scheme: the larger r is, the
longer it takes to compute the function in small space.
2.2 Memory-Hardness
information about the password will leak to other users on the same machine
via cache or other side-channels [25, 62, 87]. This may be especially important in
cloud-computing environments, in which many mutually distrustful users share
a single physical host [78].
Creating a memory-hard function with a password-independent access pat-
tern presents a technical challenge: since the data-access pattern depends only
upon the salt—which an adversary who steals the password file knows—the ad-
versary can compute the entire access pattern in advance of a password-guessing
attack. With the access pattern in hand, the adversary can expend a huge amount
of effort to find an efficient strategy for computing the hash function in small
space. Although this pre-computation might be expensive, the adversary can
amortize its cost over billions of subsequent hash evaluations. A function that is
memory-hard and that uses a password-independent data access pattern must
be impervious to all small-space strategies for computing the function so that it
maintains its strength in the face of these pre-computation attacks. (Indeed, as
we discuss in Section 5.1, Alwen and Blocki show that in some models of com-
putation, memory-hard functions with password-independent access patterns do
not exist [3].)
If necessary, we can modify the Balloon function so that it provides the standard
properties of second-preimage resistance and collision resistance [57].⁴ It is
possible to achieve these properties in a straightforward way by composing the
Balloon function B with a standard cryptographic hash function H, e.g., as
B′(passwd, salt) = H(passwd, salt, B(passwd, salt)).
3.1 Algorithm
⁴ We are eliding important definitional questions about what it even means, in a formal sense, for a function to be collision resistant [17, 79].
func Balloon(block_t passwd, block_t salt,
             int s_cost,   // Space cost (main buffer size)
             int t_cost):  // Time cost (number of rounds)
    int delta = 3          // Number of dependencies per block
    int cnt = 0            // A counter (used in security proof)
    block_t buf[s_cost]    // The main buffer
place. At each mixing step, for each block i in the buffer, the routine up-
dates the contents of block i to be equal to the hash of block (i − 1) mod n,
block i, and δ other blocks chosen “at random” from the buffer. (See The-
orem 1 for an illustration of how the choice of δ affects the security of the
scheme.)
Since the Balloon functions are deterministic functions of their arguments,
the dependencies are not chosen truly at random but are sampled using a
pseudorandom stream of bits generated from the user-specific salt.
3. Extract. In the last step, the Balloon algorithm outputs the last block of
the buffer.
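The expand/mix/extract structure above can be sketched in Python. This is an illustrative toy, not the Balloon specification: SHA-256 stands in for the underlying block hash, and the counter handling, index encoding, and pseudorandom sampling are simplified assumptions.

```python
import hashlib

def balloon_sketch(passwd: bytes, salt: bytes, s_cost: int, t_cost: int,
                   delta: int = 3) -> bytes:
    """Toy expand/mix/extract structure of the Balloon algorithm."""
    cnt = 0
    def H(*parts: bytes) -> bytes:
        # Prepend a counter so that no two hash queries collide.
        nonlocal cnt
        h = hashlib.sha256(cnt.to_bytes(8, "little"))
        for p in parts:
            h.update(p)
        cnt += 1
        return h.digest()

    # 1. Expand: fill the s_cost-block buffer with pseudorandom blocks.
    buf = [H(passwd, salt)]
    for m in range(1, s_cost):
        buf.append(H(buf[m - 1]))

    # 2. Mix: t_cost rounds; block m absorbs its predecessor, itself,
    # and delta blocks chosen by a salt-derived (password-independent)
    # pseudorandom stream.
    for t in range(t_cost):
        for m in range(s_cost):
            buf[m] = H(buf[(m - 1) % s_cost], buf[m])
            for i in range(delta):
                idx = H(salt, t.to_bytes(4, "little"),
                        m.to_bytes(4, "little"), i.to_bytes(4, "little"))
                other = int.from_bytes(idx[:8], "little") % s_cost
                buf[m] = H(buf[m], buf[other])

    # 3. Extract: the output is the last block of the buffer.
    return buf[-1]
```

Note that the block indices sampled in the mix step depend only on the salt and the loop counters, so the memory-access pattern is independent of the password.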
The following theorem demonstrates that attackers who attempt to compute the
Balloon function in small space must pay a large penalty in computation time.
The complete theorem statement is given in Theorem 33 (Appendix E).
    S · T ≥ (r · n²) / 32.
When δ = 7 and S < n/64, one obtains the stronger bound:
    S · T ≥ ((2^r − 1) · n²) / 32.
Thus, attackers who attempt to compute the Balloon function in very small
space must pay a large penalty in computation time. The proof of the theorem
is given in the appendices: Appendix B introduces graph pebbling arguments,
which are the basis for our memory-hardness proofs. Appendix C proves a key
combinatorial lemma required for analysis of the Balloon functions. Appendix D
recalls sandwich graphs and proves that stacks of random sandwich graphs are
hard to pebble. Appendix E puts all of the pieces together to complete the proof
of Theorem 1.
Here we sketch the main ideas in the proof of Theorem 1.
Proof idea. The proof makes use of pebbling arguments, a classic technique
for analyzing computational time-space trade-offs [48, 54, 67, 71, 81, 88] and
memory-hard functions [8, 37, 38, 42]. We apply pebbling arguments to the data-
dependency graph corresponding to the computation of the Balloon function (See
Figure 2 for an example graph). The graph contains a vertex for every random
oracle query made during the computation of Balloon: vertex vi in the graph
represents the response to the ith random-oracle query. An edge (vi , vj ) indicates
that the input to the jth random-oracle query depends on the response of the
ith random-oracle query.
The data-dependency graph for a Balloon computation naturally separates
into r + 1 layers—one for each round of mixing (Figure 3). That is, a vertex on
level ℓ ∈ {1, . . . , r} of the graph represents the output of a random-oracle query
made during the ℓth mixing round.
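To make the layered picture concrete, here is a toy builder for such a graph. It is a sketch under assumed indexing conventions, not the exact graph of the specification: vertex (t, m) stands for the value of block m after mixing round t, and level 0 holds the expand-step blocks.

```python
import random

def balloon_dependency_graph(n: int, r: int, delta: int, seed: int = 0):
    """Edges of a toy layered data-dependency graph for an n-block,
    r-round Balloon-like computation."""
    rng = random.Random(seed)  # stands in for the salt-derived stream
    edges = []
    for t in range(1, r + 1):
        for m in range(n):
            # Previous value of the block itself.
            edges.append(((t - 1, m), (t, m)))
            # Preceding block: already updated this round, except for m = 0.
            pred = (t, m - 1) if m > 0 else (t - 1, n - 1)
            edges.append((pred, (t, m)))
            # delta pseudorandomly chosen blocks from the prior level.
            for _ in range(delta):
                edges.append(((t - 1, rng.randrange(n)), (t, m)))
    return edges
```

Every edge points from an earlier query to a later one, so the graph is acyclic and splits into the r + 1 levels described above.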
The first step in the proof shows that the data-dependency graph of a Balloon
computation satisfies certain connectivity properties, defined below, with high
probability. The probability is taken over the choice of random oracle H, which
determines the data-dependency graph. Consider placing a pebble on each of a
subset of the vertices of the data-dependency graph of a Balloon computation.
Then, as long as there are “not too many” pebbles on the graph, we show that
the following two properties hold with high probability:
[Figure: layered data-dependency graph, from the input block through mixing layers L0, L1, L2 to the output block.]
arbitrary adversary can compute the Balloon function in small time and space
(Theorem 33).
n/3 space incurs a 16,384× computational penalty [19, Section 5.4]. We
compute the function in n/2.7 ≈ n/3 space with no computational penalty.
We analyze an idealized version of the Argon2i algorithm, which is slightly
simpler than that proposed in the Argon2i v1.2.1 specification [19]. Our idealized
analysis underestimates the efficacy of our small-space computation strategy, so
the strategy we propose is actually more effective at computing Argon2i than the
analysis suggests. The idealized analysis yields an expected n/4 storage cost, but
as Figure 4 demonstrates, empirically our strategy allows computing single-pass
Argon2i with only n/5 blocks of storage. This analysis focuses on the single-
threaded instantiation of Argon2i—we have not tried to extend it to the many-
threaded variant.
x_1 = H(passwd, salt ‖ 1)
x_2 = H(passwd, salt ‖ 2)
x_i = H(x_{i−1}, x_{r_i}),  where r_i ∈ {1, . . . , i − 1}
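A minimal sketch of this idealized recurrence, with SHA-256 standing in for the compression function and Python's random module standing in for the salt-derived index stream (both are assumptions for illustration):

```python
import hashlib
import random

def idealized_argon2i(passwd: bytes, salt: bytes, n: int) -> bytes:
    """Idealized single-pass Argon2i: each block depends on its
    predecessor and one earlier, pseudorandomly chosen block."""
    def H(*parts: bytes) -> bytes:
        h = hashlib.sha256()
        for p in parts:
            h.update(p)
        return h.digest()

    rng = random.Random(salt)  # password-independent edge choices
    x = [H(passwd, salt + b"\x01"), H(passwd, salt + b"\x02")]
    for i in range(2, n):
        r_i = rng.randrange(0, i)  # index into the earlier blocks (0-based)
        x.append(H(x[i - 1], x[r_i]))
    return x[-1]
```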
Fig. 4: Space used by our algorithm for computing single-pass Argon2i during a
single hash computation.
Our analysis splits the Argon2i computation into discrete time steps, where
time step t begins at the moment at which the algorithm invokes the compression
function H for the tth time.
5 Discussion
An impressive recent line of work has uncovered many new results in this
model:
– Alwen and Blocki [3, 4] show that, in the pROM, there does not exist a per-
fectly memory-hard function (in the amortized sense) that uses a password-
independent memory-access pattern. In the sequential setting, Balloon and
other memory-hard functions require space S and time T to compute such
that S · T ∈ Ω(n²). In the parallel setting, Alwen and Blocki show that the
best one can hope for, in terms of amortized space usage, is Ω(n²/ log n).
Additionally, they give special-case attack algorithms for computing many
candidate password-hashing algorithms in the pROM. Their algorithm computes
Balloon, for example, using an amortized time-space product of roughly O(n^{7/4}).¹⁰
– Alwen et al. [6] show that the amortized space-time complexity of the single-round
Balloon function is at least Ω̃(n^{5/3}), where the Ω̃(·) ignores logarithmic
factors of n. This result puts a limit on the effectiveness of parallel
attacks against Balloon.
– Alwen et al. [5] construct a memory-hard function with a password-independent
access pattern that has an asymptotically optimal amortized time-space
product of S · T ∈ Ω(n²/ log n). Whether this construction is useful
for practical purposes will depend heavily on the value of the constant hidden
in the Ω(·). In practice, a large constant may overwhelm the asymptotic
improvement.
– Alwen et al. [6] prove, under combinatorial conjectures,¹¹ that scrypt is near-optimally
memory-hard in the pROM. Unlike Balloon, scrypt uses a data-
dependent access pattern—which we would like to avoid—and the data-
dependence of scrypt’s access pattern seems fundamental to their security
analysis.
As far as practical constructions go, these results leave the practitioner with
two options, each of which has a downside:
Option 1. Use scrypt, which seems to protect against parallel attacks, but which
uses a password-dependent access pattern and is weak in the face of an
adversary that can learn memory access information. (We describe the attack
in Appendix G.2.)
Option 2. Use Balloon Hashing, which uses a password-independent access pat-
tern and is secure against sequential attacks, but which is asymptotically
weak in the face of a massively parallel attack.
and the other defends against massively parallel attacks. For the moment, let
us stipulate that the pROM attacks on vanilla Balloon (and all other practi-
cal password hashing algorithms using data-independent access patterns) make
these algorithms less-than-ideal to use on their own. Can we somehow combine
the two constructions to get a “best-of-both-worlds” practical password-hashing
algorithm? The answer is yes: compose a data-independent password-hashing
algorithm, such as Balloon, with a data-dependent scheme, such as scrypt.
To use the composed scheme, one would first run the password through the
data-independent algorithm and next run the resulting hash through the data-
dependent algorithm.12
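A minimal sketch of this composition, assuming Python's hashlib.scrypt as the data-dependent stage and a plain hash as a stand-in for the data-independent stage (the real construction would use a memory-hard function such as Balloon there):

```python
import hashlib

def data_independent_stage(passwd: bytes, salt: bytes) -> bytes:
    # Stand-in for a memory-hard, data-independent function (e.g., Balloon);
    # a plain hash here, purely to illustrate the composition.
    return hashlib.sha256(passwd + salt).digest()

def composed_hash(passwd: bytes, salt: bytes) -> bytes:
    # 1. Run the password through the data-independent algorithm.
    intermediate = data_independent_stage(passwd, salt)
    # 2. Run the resulting hash through the data-dependent algorithm (scrypt).
    return hashlib.scrypt(intermediate, salt=salt, n=2**14, r=8, p=1)
```

With these parameters, the scrypt stage alone touches about 16 MiB of memory; only the intermediate hash, never the password itself, feeds the data-dependent access pattern.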
It is not difficult to show that the composed scheme is memory-hard against
either: (a) an attacker who is able to learn the function’s data-access pattern on
the target password, or (b) an attacker who mounts an attack in the pROM using
the parallel algorithm of Alwen and Blocki [3]. The composed scheme defends
against the two attacks separately but does not defend against both of them
simultaneously: the composed function does not maintain memory-hardness in
the face of an attacker who is powerful enough to get access-pattern information
and mount a massively parallel attack. It would be even better to have a practical
construction that could protect against both attacks simultaneously, but the best
known algorithms that do this [5, 8] are likely too inefficient to use in practice.
The composed function is almost as fast as Balloon on its own—adding the
data-dependent hashing function call is effectively as costly as increasing the
round count of the Balloon algorithm by one.
function against a sequential attacker A_S using space S to be the ratio:

    Q[A_S, f] = (S · T_f(A_S)) / T_f(Honest).
    Q[A_S, Balloon(r=1)] ≥ n/64 ;    Q[A_S, Balloon(r>1)] ≥ ((2^r − 1) · n) / (32(r + 1))
    Q[A_S, Catena-BRG] ≥ n/32 ;    Q[A_S, Catena-DBG] ≥ r^r / (2^r · log₂ n)

    Q[A_S, Argon2i] ≥ n/1536
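For concreteness, one can plug a representative buffer size into these quality ratios. This is a back-of-the-envelope sketch; the 2^r reading of the exponent in the multi-round Balloon bound is an assumption based on the reconstruction of the displayed formulas.

```python
# Quality lower bounds for n = 2**20 blocks and r = 3 rounds,
# against an attacker with space S ≈ n/64.
n, r = 2**20, 3

q_balloon_r1 = n / 64                           # single-round Balloon
q_balloon_r3 = (2**r - 1) * n / (32 * (r + 1))  # multi-round Balloon (assumed 2^r)
q_catena_brg = n / 32                           # Catena-BRG
q_argon2i = n / 1536                            # Argon2i
```

Even at this modest buffer size, the attacker's time-space product exceeds the honest evaluation cost by several orders of magnitude for the Balloon bounds.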
From these quality ratios, we can draw a few conclusions about the protection
these functions provide against one class of small-space attackers (using S ≈
n/64):
6 Experimental Evaluation
6.1 Experimental Set-up
Our experiments use the OpenSSL implementation (version 1.0.1f) of SHA-512
and the reference implementations of three other cryptographic hash functions
(Blake2b, ECHO, and SHA-3/Keccak). We use optimized versions of the un-
derlying cryptographic primitives where available, but the core Balloon code is
written entirely in C. Our source code is available at https://crypto.stanford.
edu/balloon/ under the ISC open-source license. We used a workstation run-
ning an Intel Core i7-6700 CPU (Skylake) at 3.40 GHz with 8 GiB of RAM
for our performance benchmarks. We compiled the code for our timing results
with gcc version 4.8.5 using the -O3 option. We average all of our measurements
over 32 trials. We compare the Balloon functions against Argon2i (v.1.2.1) [19]
and Catena [42]. For comparison purposes, we implemented the Argon2i, Catena
BRG, and Catena DBG memory-hard algorithms in C.
On the Choice of Cryptographic Primitives. The four memory-hard functions
we evaluate (Argon2i, Balloon, Catena-BRG, Catena-DBG) are all essentially
modes of operation for an underlying cryptographic hash function. The choice
of the underlying hash function has implications for the performance and the
security of the overall construction. To be conservative, we instantiate all of the
algorithms we evaluate with Blake2b as the underlying hash function [10].
Memory-hard functions going back at least as far as scrypt [68] have used
reduced-round hash functions as their underlying cryptographic building block.
Following this tradition, the Argon2i specification proposes using a new and very
fast reduced-round hash function as its core cryptographic primitive. Since the
Argon2i hash function does not satisfy basic properties of a traditional crypto-
graphic hash function (e.g., it is not collision resistant), modeling it as a random
oracle feels particularly problematic. Since our goal in this work is to analyze
memory-hard functions with provable security guarantees, we instantiate the
memory-hard functions we evaluate with traditional cryptographic hashes for
the purposes of this evaluation.
That said, we stress that the Balloon construction is agnostic to the choice
of underlying hash function—it is a mode of operation for a cryptographic hash
function—and users of the Balloon construction may instantiate it with a faster
reduced-round hash function (e.g., scrypt’s BlockMix or Argon2i’s compression
function) if they so desire.
to be equal to the block size of the underlying compression function, to avoid
the issues discussed in Appendix B.3. The charted results for Argon2i incor-
porate the fact that an adversary can compute many-pass Argon2i (v.1.2.1) in
a factor of e ≈ 2.72 less working space than the defender must allocate for
the computation and can compute single-pass Argon2i with a factor of four
less space (see Section 4). For comparison, we also plot the space usage of two
non-memory-hard password hashing functions, bcrypt [75] (with cost = 12) and
PBKDF2-SHA512 [49] (with 10⁵ iterations).
[Two side-by-side plots: hashes/sec (one core, log scale) vs. minimum buffer size required (16 KiB to 64 MiB).]
Fig. 5: The Balloon algorithm outperforms Argon2i and Catena DBG for many
settings of the security parameters, and Balloon is competitive with Catena
BRG. We instantiate Argon2i, Balloon, and Catena with Blake2b as the under-
lying cryptographic hash function.
[Plot: bytes written/sec (log scale, around 2²⁵–2²⁶) vs. buffer size (16 KiB to 4 MiB), one curve each for Blake2b, ECHO, SHA-3, and SHA-512.]
Fig. 6: Throughput for the Balloon algorithm when instantiated with different
compression functions. The dotted lines indicate the sizes of the L1, L2, and L3
caches on our test machine.
Finally, Figure 6 shows the result of instantiating the Balloon algorithm con-
struction with four different standard cryptographic hash functions: SHA-3 [18],
Blake2b [10], SHA-512, and ECHO (a SHA-3 candidate that exploits the AES-NI
instructions) [15]. The SHA-3 function (with rate = 1344) operates on 1344-bit
blocks, and we configure the other hash functions to use 512-bit blocks.
On the x-axis, we plot the buffer size used in the Balloon function and on the
y-axis, we plot the rate at which the Balloon function fills memory, in bytes
written per second. As Figure 6 demonstrates, Blake2b and ECHO outperform
the SHA functions by a bit less than a factor of two.
7 Related Work
costlier md5crypt to replace crypt, but hardware improvements also rendered
that design outmoded [31].
Provos and Mazières saw that, in the face of ever-increasing processor speeds,
any fixed password hashing algorithm would eventually become easy to compute
and thus ineffective protection against dictionary attacks. Their solution, bcrypt,
is a password hashing scheme with a variable “hardness” parameter [75]. By pe-
riodically ratcheting up the hardness, a system administrator can keep the time
needed to compute a single hash roughly constant, even as hardware improves.
A remaining weakness of bcrypt is that it exercises only a small fraction of
the CPU’s resources—it barely touches the L2 and L3 caches during its execu-
tion [56]. To increase the cost of custom password-cracking hardware, Reinhold’s
HEKS hash [76] and Percival’s popular scrypt routine consume an adjustable
amount of storage space [68], in addition to time, as they compute a hash. Bal-
loon, like scrypt, aims to be hard to compute in little space. Unlike scrypt,
however, we require that our functions’ data access pattern be independent of
the password to avoid leaking information via cache-timing attacks [25, 62, 87]
(see also the attack in Appendix G.2). The Dogecoin and Litecoin [24] crypto-
currencies have incorporated scrypt as an ASIC-resistant proof-of-work function.
The recent Password Hashing Competition motivated the search for memory-
hard password-hashing functions that use data-independent memory access pat-
terns [64]. The Argon2 family of functions, which have excellent performance and
an appealingly simple design, won the competition [19]. The Argon2 functions
lack a theoretical analysis of the feasible time-space trade-offs against them; us-
ing the same ideas we have used to analyze the Balloon function, we provide the
first such result in Appendix F.
The Catena hash functions [42], which became finalists in the Password
Hashing Competition, are memory-hard functions whose analysis applies peb-
bling arguments to classic graph-theoretic results of Lengauer and Tarjan [54].
The Balloon analysis we provide gives tighter time-space lower bounds than
Catena's analysis can provide in many cases, and the Balloon algorithm outperforms
the more robust of the two Catena algorithms (see Section 6). Biryukov
and Khovratovich demonstrated a serious flaw in the security analysis of one
of the Catena variants, and they provide a corresponding attack against that
Catena variant [22].
The other competition finalists included a number of interesting designs that
differ from ours in important ways. Makwa [73] supports offloading the work of
password hashing to an untrusted server but is not memory-hard. Lyra [2] is a
memory-hard function but lacks proven space-time lower bounds. Yescrypt [69]
is an extension of scrypt and uses a password-dependent data access pattern.
Ren and Devadas [77] give an analysis of the Balloon algorithm using bi-
partite expanders, following the pebbling techniques of Paul and Tarjan [66].
Their results imply that an adversary that computes the n-block r-round Balloon
function in n/8 space must use at least 2^r · n/c time to compute the function
(for some constant c), with high probability in the random-oracle model.
We prove the stronger statement that an adversary’s space-time product must
satisfy: S · T ∈ Ω(n²) for almost all values of S. Ren and Devadas also prove
statements showing that algorithms computing the Balloon functions efficiently
must use a certain amount of space at many points during their computation.
Our time-space lower bounds only show that the adversary must use a certain
amount of space at some point during the Balloon computation.
Proofs of Space. Dziembowski et al. [38] and Ateniese et al. [9] study proofs-of-
space. In these protocols, the prover and verifier agree on a large bitstring that
the prover is supposed to store. Later on, the prover can convince the verifier that
the prover has stored some large string on disk, even if the verifier does not store
the string herself. Spacemint proposes building a cryptocurrency based upon a
proof-of-space rather than a proof-of-work [63]. Ren and Devadas propose using
the problem of pebbling a Balloon graph as the basis for a proof of space [77].
8 Conclusion
We have introduced the Balloon password hashing algorithm. The Balloon algo-
rithm is provably memory-hard (in the random-oracle model against sequential
adversaries), exhibits a password-independent memory access pattern, and meets
or exceeds the performance of the fastest heuristically secure schemes. Using a
novel combinatorial pebbling argument, we have demonstrated that password-
hashing algorithms can have memory-hardness proofs without sacrificing prac-
ticality.
This work raises a number of open questions:
– Are there efficient methods to defend against cache attacks on scrypt (Ap-
pendix G.2)? Could a special-purpose ORAM scheme help [44]?
– Are there practical memory-hard functions with password-independent ac-
cess patterns that retain their memory-hardness properties under parallel
attacks [8]? The recent work of Alwen and Blocki [4] is promising, though it is still
unclear whether the pROM-secure constructions will be competitive with
Balloon for concrete settings of the parameters.
– Is it possible to build hardware that effectively implements the pROM at-
tacks [3, 4, 5] against Argon2i and Balloon at realistic parameter sizes? What
efficiency gain would this pROM hardware have over a sequential ASIC at
attacking these constructions? Are these parallel attacks still practical in
hardware when the function’s memory-access pattern depends on the salt
(as Balloon’s access pattern does)?
Bibliography
[1] Abadi, M., Burrows, M., Manasse, M., Wobber, T.: Moderately hard,
memory-bound functions. ACM Transactions on Internet Technology 5(2),
299–327 (2005)
[2] Almeida, L.C., Andrade, E.R., Barreto, P.S.L.M., Simplicio Jr., M.A.: Lyra:
Password-based key derivation with tunable memory and processing costs.
Journal of Cryptographic Engineering 4(2), 75–89 (2014)
[3] Alwen, J., Blocki, J.: Efficiently computing data-independent memory-hard
functions. In: CRYPTO (2016)
[4] Alwen, J., Blocki, J.: Towards practical attacks on Argon2i and Balloon
Hashing. Cryptology ePrint Archive, Report 2016/759 (2016), http://eprint.iacr.org/2016/759
[5] Alwen, J., Blocki, J., Pietrzak, K.: The pebbling complexity of depth-robust
graphs. Manuscript (Personal Communication) (2016)
[6] Alwen, J., Chen, B., Kamath, C., Kolmogorov, V., Pietrzak, K., Tessaro,
S.: On the complexity of scrypt and proofs of space in the parallel random
oracle model. In: EUROCRYPT 2016, pp. 358–387. Springer (2016)
[7] Alwen, J., Chen, B., Kamath, C., Kolmogorov, V., Pietrzak, K., Tessaro,
S.: On the complexity of scrypt and proofs of space in the parallel random
oracle model. Cryptology ePrint Archive, Report 2016/100 (2016), http:
//eprint.iacr.org/
[8] Alwen, J., Serbinenko, V.: High parallel complexity graphs and memory-
hard functions. In: STOC. pp. 595–603 (2015)
[9] Ateniese, G., Bonacina, I., Faonio, A., Galesi, N.: Proofs of space: When
space is of the essence. In: Security and Cryptography for Networks, pp.
538–557. Springer (2014)
[10] Aumasson, J.P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2:
simpler, smaller, fast as MD5. In: Applied Cryptography and Network Se-
curity. pp. 119–135. Springer (2013)
[11] Back, A.: Hashcash–a denial of service counter-measure. http://www.cypherspace.org/hashcash/ (May 1997), accessed 9 November 2015
[12] Bellare, M., Boldyreva, A., Palacio, A.: An uninstantiable random-oracle-
model scheme for a hybrid-encryption problem. In: EUROCRYPT 2004. pp.
171–188. Springer (2004)
[13] Bellare, M., Ristenpart, T., Tessaro, S.: Multi-instance security and its
application to password-based cryptography. In: CRYPTO, pp. 312–329.
Springer (2012)
[14] Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for
designing efficient protocols. In: CCS. pp. 62–73. ACM (1993)
[15] Benadjila, R., Billet, O., Gilbert, H., Macario-Rat, G., Peyrin, T., Robshaw,
M., Seurin, Y.: SHA-3 proposal: ECHO. Submission to NIST (updated)
(2009)
[16] Bennett, C.H.: Time/space trade-offs for reversible computation. SIAM
Journal on Computing 18(4), 766–776 (1989)
[17] Bernstein, D.J., Lange, T.: Non-uniform cracks in the concrete: the power
of free precomputation. In: ASIACRYPT, pp. 321–340. Springer (2013)
[18] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak sponge func-
tion family. Submission to NIST (Round 2) (2009)
[19] Biryukov, A., Dinu, D., Khovratovich, D.: Argon2 design document (version
1.2.1) (Oct 2015)
[20] Biryukov, A., Dinu, D., Khovratovich, D.: Fast and tradeoff-resilient
memory-hard functions for cryptocurrencies and password hashing. Cryp-
tology ePrint Archive, Report 2015/430 (2015), http://eprint.iacr.org/
[21] Biryukov, A., Dinu, D., Khovratovich, D.: Argon2 design document (version
1.3) (Feb 2016)
[22] Biryukov, A., Khovratovich, D.: Tradeoff cryptanalysis of memory-hard
functions. In: ASIACRYPT. pp. 633–657. Springer (2015)
[23] Bitcoin wiki - mining comparison. https://en.bitcoin.it/wiki/Mining_hardware_comparison
[24] Bonneau, J., Miller, A., Clark, J., Narayanan, A., Kroll, J.A., Felten, E.W.:
SoK: Research perspectives and challenges for Bitcoin and cryptocurrencies.
In: Symposium on Security and Privacy. IEEE (May 2015)
[25] Bonneau, J., Mironov, I.: Cache-collision timing attacks against AES. In:
CHES 2006, pp. 201–215. Springer (2006)
[26] Boyen, X.: Halting password puzzles. In: USENIX Security (2007)
[27] Canetti, R., Goldreich, O., Halevi, S.: The Random Oracle Methodology,
revisited. Journal of the ACM 51(4), 557–594 (2004)
[28] Canetti, R., Halevi, S., Steiner, M.: Mitigating dictionary attacks on
password-protected local storage. In: CRYPTO 2006, pp. 160–179. Springer
(2006)
[29] Chan, S.M.: Just a pebble game. In: IEEE Conference on Computational
Complexity. pp. 133–143. IEEE (2013)
[30] Coron, J., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited:
How to construct a hash function. In: CRYPTO. pp. 430–448 (2005)
[31] CVE-2012-3287: md5crypt has insufficient algorithmic complexity.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3287 (2012),
accessed 9 November 2015
[32] Damgård, I.B.: A design principle for hash functions. In: CRYPTO. pp.
416–427 (1989)
[33] Di Crescenzo, G., Lipton, R., Walfish, S.: Perfectly secure password protocols in the bounded retrieval model. In: Theory of Cryptography, pp. 225–244. Springer (2006)
[34] Dürmuth, M.: Useful password hashing: how to waste computing cycles with
style. In: New Security Paradigms Workshop. pp. 31–40. ACM (2013)
[35] Dwork, C., Goldberg, A., Naor, M.: On memory-bound functions for fighting
spam. In: CRYPTO, pp. 426–444. Springer (2003)
[36] Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In:
CRYPTO 1992. pp. 139–147. Springer (1993)
[37] Dwork, C., Naor, M., Wee, H.: Pebbling and proofs of work. In: CRYPTO.
pp. 37–54 (2005)
[38] Dziembowski, S., Faust, S., Kolmogorov, V., Pietrzak, K.: Proofs of space.
In: CRYPTO (2015)
[39] Dziembowski, S., Kazana, T., Wichs, D.: One-time computable self-erasing
functions. In: Theory of Cryptography, pp. 125–143. Springer (2011)
[40] Evans Jr, A., Kantrowitz, W., Weiss, E.: A user authentication scheme not requiring secrecy in the computer. Communications of the ACM 17(8), 437–442 (1974)
[41] Feldmeier, D.C., Karn, P.R.: UNIX password security–ten years later. In:
CRYPTO 1989. pp. 44–63. Springer (1990)
[42] Forler, C., Lucks, S., Wenzel, J.: Memory-demanding password scrambling.
In: ASIACRYPT, pp. 289–305. Springer (2014)
[43] Garay, J., Johnson, D., Kiayias, A., Yung, M.: Resource-based corruptions
and the combinatorics of hidden diversity. In: ITCS. pp. 415–428. ACM
(2013)
[44] Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. Journal of the ACM 43(3), 431–473 (1996)
[45] Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir
paradigm. In: FOCS. pp. 102–113. IEEE (2003)
[46] Groza, B., Warinschi, B.: Revisiting difficulty notions for client puzzles and
DoS resilience. In: Information Security, pp. 39–54. Springer (2012)
[47] Ho, S.: Costco, Sam’s Club, others halt photo sites over possible breach. http://www.reuters.com/article/2015/07/21/us-cyberattack-retail-idUSKCN0PV00520150721 (Jul 2015), accessed 9 November 2015
[48] Hopcroft, J., Paul, W., Valiant, L.: On time versus space. Journal of the
ACM (JACM) 24(2), 332–337 (1977)
[49] Kaliski, B.: PKCS #5: Password-based cryptography specification, version
2.0. IETF Network Working Group, RFC 2898 (Sep 2000)
[50] Kelsey, J., Schneier, B., Hall, C., Wagner, D.: Secure applications of low-
entropy keys. In: Information Security, pp. 121–134. Springer (1998)
[51] Kirk, J.: Internet address overseer ICANN resets passwords after website breach. http://www.pcworld.com/article/2960592/security/icann-resets-passwords-after-website-breach.html (Aug 2015), accessed 9 November 2015
[52] Klein, D.V.: Foiling the cracker: A survey of, and improvements to, password
security. In: Proceedings of the 2nd USENIX Security Workshop. pp. 5–14
(1990)
[53] Krantz, L.: Harvard says data breach occurred in June. http://www.bostonglobe.com/metro/2015/07/01/harvard-announces-data-breach/pqzk9IPWLMiCKBl3IijMUJ/story.html (Jul 2015), accessed 9 November 2015
[54] Lengauer, T., Tarjan, R.E.: Asymptotically tight bounds on time-space
trade-offs in a pebble game. Journal of the ACM 29(4), 1087–1130 (1982)
[55] Leong, P., Tham, C.: UNIX password encryption considered insecure. In:
USENIX Winter. pp. 269–280 (1991)
[56] Malvoni, K., Designer, S., Knezovic, J.: Are your passwords safe: Energy-efficient bcrypt cracking with low-cost parallel hardware. In: USENIX Workshop on Offensive Technologies (2014)
[57] Menezes, A.J., Van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied
Cryptography. CRC press (1996)
[58] Merkle, R.C.: One way hash functions and DES. In: CRYPTO. pp. 428–446
(1989)
[59] Morris, R., Thompson, K.: Password security: A case history. Communications of the ACM 22(11), 594–597 (1979)
[60] Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: The non-committing encryption case. In: CRYPTO 2002, pp. 111–126. Springer (2002)
[61] Nordström, J.: New wine into old wineskins: A survey of some pebbling classics with supplemental results. http://www.csc.kth.se/~jakobn/research/PebblingSurveyTMP.pdf (Mar 2015), accessed 9 November 2015
[62] Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures:
the case of AES. In: CT-RSA 2006, pp. 1–20. Springer (2006)
[63] Park, S., Pietrzak, K., Alwen, J., Fuchsbauer, G., Gazi, P.: Spacemint:
a cryptocurrency based on proofs of space. Tech. rep., Cryptology ePrint
Archive, Report 2015/528 (2015)
[64] Password hashing competition. https://password-hashing.net/
[65] Paterson, M.S., Hewitt, C.E.: Comparative schematology. In: Record of the
Project MAC conference on concurrent systems and parallel computation.
pp. 119–127. ACM (1970)
[66] Paul, W.J., Tarjan, R.E.: Time-space trade-offs in a pebble game. Acta
Informatica 10(2), 111–115 (1978)
[67] Paul, W.J., Tarjan, R.E., Celoni, J.R.: Space bounds for a game on graphs.
Mathematical Systems Theory 10(1), 239–251 (1976)
[68] Percival, C.: Stronger key derivation via sequential memory-hard functions.
In: BSDCan (May 2009)
[69] Peslyak, A.: yescrypt. https://password-hashing.net/submissions/specs/yescrypt-v2.pdf (Oct 2015), accessed 13 November 2015
[70] Peterson, A.: E-Trade notifies 31,000 customers that their contact info may have been breached in 2013 hack. https://www.washingtonpost.com/news/the-switch/wp/2015/10/09/e-trade-notifies-31000-customers-that-their-contact-info-may-have-been-breached-in-2013-hack/ (Oct 2015), accessed 9 November 2015
[71] Pippenger, N.: A time-space trade-off. Journal of the ACM (JACM) 25(3),
509–515 (1978)
[72] Pippenger, N., Fischer, M.J.: Relations among complexity measures. Journal of the ACM 26(2), 361–381 (1979)
[73] Pornin, T.: The Makwa password hashing function. http://www.bolet.org/makwa/ (Apr 2015), accessed 13 November 2015
[74] Privacy Rights Clearinghouse: Chronology of data breaches. http://www.privacyrights.org/data-breach, accessed 9 November 2015
[75] Provos, N., Mazières, D.: A future-adaptable password scheme. In: USENIX
Annual Technical Conference. pp. 81–91 (1999)
[76] Reinhold, A.: HEKS: A family of key stretching algorithms (Draft G).
http://world.std.com/~reinhold/HEKSproposal.html (Jul 2001), accessed
13 November 2015
[77] Ren, L., Devadas, S.: Proof of space from stacked expanders. Cryptology
ePrint Archive, Report 2016/333 (2016), http://eprint.iacr.org/
[78] Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of
my cloud: exploring information leakage in third-party compute clouds. In:
CCS. pp. 199–212. ACM (2009)
[79] Rogaway, P.: Formalizing human ignorance. In: VIETCRYPT, pp. 211–228.
Springer (2006)
[80] Savage, J.E.: Models of computation: Exploring the Power of Computing.
Addison-Wesley (1998)
[81] Sethi, R.: Complete register allocation problems. SIAM Journal on Computing 4(3), 226–248 (1975)
[82] Smith, A., Zhang, Y.: Near-linear time, leakage-resilient key evolution
schemes from expander graphs. IACR Cryptology ePrint Archive, Report
2013/864 (2013)
[83] Stebila, D., Kuppusamy, L., Rangasamy, J., Boyd, C., Nieto, J.G.: Stronger
difficulty notions for client puzzles and denial-of-service-resistant protocols.
In: CT-RSA, pp. 284–301. Springer (2011)
[84] Takala, R.: UVA site back online after Chinese hack. http://www.washingtonexaminer.com/uva-site-back-online-after-chinese-hack/article/2570383 (Aug 2015), accessed 9 November 2015
[85] Tompa, M.: Time-space tradeoffs for computing functions, using connectiv-
ity properties of their circuits. In: STOC. pp. 196–204. ACM (1978)
[86] Tracy, A.: In wake of T-Mobile and Experian data breach, John Legere did what all CEOs should do after a hack. http://www.forbes.com/sites/abigailtracy/2015/10/02/in-wake-of-t-mobile-and-experian-data-breach-john-legere-did-what-all-ceos-should-do-after-a-hack/ (Oct 2015), accessed 9 November 2015
[87] Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and
countermeasures. Journal of Cryptology 23(1), 37–71 (2010)
[88] Valiant, L.G.: Graph-theoretic arguments in low-level complexity. In:
Gruska, J. (ed.) Mathematical Foundations of Computer Science, Lecture
Notes in Computer Science, vol. 53, pp. 162–176. Springer Berlin Heidelberg
(1977)
[89] Vaughan-Nichols, S.J.: Password site LastPass warns of data breach.
http://www.zdnet.com/article/lastpass-password-security-site-hacked/
(Jun 2015), accessed 9 November 2015
[90] Wagner, D., Goldberg, I.: Proofs of security for the Unix password hashing
algorithm. In: ASIACRYPT 2000, pp. 560–572. Springer (2000)
A Details of the Attack on Argon2
The equality on the right-hand side comes from the fact that U_{i,t′} and U_{i,t″} are independent events for t′ ≠ t″.

To compute the probability that block i is not used at time t′, consider that there are t′ − 1 blocks to choose from and t′ − 2 of them are not block i: Pr[U_{i,t′}] = (t′ − 2)/(t′ − 1). Plugging this back into Equation 1, we get:

\[ \Pr[A_{i,t}] = \prod_{t'=t+1}^{n} \frac{t'-2}{t'-1} = \frac{t-1}{n-1}. \]
[Footnote 14] As described in Section 4.2, the contents of block i in Argon2i are derived from the contents of block i − 1 and a block r_i chosen uniformly at random from the set {1, . . . , i − 1}. Throughout our analysis, all probabilities are taken over the random choices of the r_i values.
Now we substitute this back into our original expression for S(t):

\[ S(t) = t - \sum_{i=1}^{t} \frac{t-1}{n-1} = t - \frac{t(t-1)}{n-1}. \]

Taking the derivative S′(t) and setting it to zero allows us to compute the value of t for which the expected storage is maximized. The maximum is at t = n/2 and the expected number of blocks required is S(n/2) ≈ n/4.
Larger in-degree. A straightforward extension of this analysis handles the case in which δ random blocks—instead of one—are hashed together with the prior block at each step of the algorithm. Our analysis demonstrates that, even with this strategy, single-pass Argon2i is vulnerable to pre-computation attacks. The maximum space usage comes at t* = n/(δ + 1)^{1/δ}, and the expected space usage over time S(t) is:

\[ S(t) \approx t - \frac{t^{\delta+1}}{n^{\delta}} \qquad\text{so}\qquad S(t^*) \approx \frac{\delta}{(\delta+1)^{1+1/\delta}}\, n. \]
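A quick numeric check of this closed form (an illustrative sketch; the variable names are ours): the maximizer and the maximum value follow by elementary calculus, and δ = 1 recovers the S(n/2) ≈ n/4 bound from the single-block analysis above.

```python
# S(t) ≈ t - t^{δ+1}/n^δ is maximized at t* = n/(δ+1)^{1/δ}, where
# S(t*) = δ/(δ+1)^{1+1/δ} · n; larger δ forces the attacker to keep more state.
n = 10_000
for delta in (1, 2, 3, 7):
    S = lambda t: t - t ** (delta + 1) / n ** delta
    t_star = n / (delta + 1) ** (1 / delta)
    frac = S(t_star) / n
    assert abs(frac - delta / (delta + 1) ** (1 + 1 / delta)) < 1e-9
    assert S(t_star) >= max(S(0.99 * t_star), S(1.01 * t_star))  # t* is the max
assert frac > 0.25  # δ = 7 needs a larger space fraction than δ = 1
```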
The total storage required is then:

\[ S(t) = n - \sum_{i=1}^{n} \mathbb{E}[B_{i,t}] = n - \sum_{i=1}^{n} \left(\frac{n-1}{n}\right)^{i} \approx n - n\left(1 - \frac{1}{e}\right). \]
Thus, even after many passes over the memory, Argon2i can still be computed
in roughly n/e space with no time penalty.
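The approximation in the display above can be verified numerically (an illustrative check, not part of the paper's analysis):

```python
import math

# sum_{i=1}^{n} ((n-1)/n)^i ≈ n(1 - 1/e), so S = n - sum ≈ n/e.
n = 100_000
s = sum(((n - 1) / n) ** i for i in range(1, n + 1))
S = n - s
assert abs(s - n * (1 - 1 / math.e)) / n < 1e-4
assert abs(S - n / math.e) / n < 1e-4
```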
B Pebble Games
In this section, we introduce pebble games and explain how to use them to
analyze the Balloon algorithm.
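As a concrete point of reference, the sketch below checks the legality of a move sequence in the standard black pebble game, assuming the usual rules (a hypothetical helper; the formal definitions appear elsewhere in this appendix): a pebble may be placed on a vertex only if all of its immediate predecessors hold pebbles (so sources may always be pebbled), and a pebble may be removed at any time.

```python
# Minimal legality checker for the standard "black" pebble game (a sketch
# under the usual rules, stated in the lead-in above).
def is_legal_pebbling(preds, moves, target):
    """preds: dict vertex -> list of predecessors; moves: list of
    ('place', v) / ('remove', v). Returns True iff every move is legal
    and `target` is pebbled at some point."""
    pebbled, hit = set(), False
    for op, v in moves:
        if op == 'place':
            if not all(p in pebbled for p in preds[v]):
                return False          # illegal placement
            pebbled.add(v)
            hit |= (v == target)
        else:
            pebbled.discard(v)        # removals are always legal
    return hit

# A path graph 1 -> 2 -> 3 can be pebbled using only two pebbles at a time:
preds = {1: [], 2: [1], 3: [2]}
moves = [('place', 1), ('place', 2), ('remove', 1), ('place', 3)]
assert is_legal_pebbling(preds, moves, 3)
```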
B.2 Pebbling in the Random-Oracle Model
Dwork, Naor, and Wee [37] demonstrated that there is a close relationship between the pebbling problem on a graph G and the problem of computing a certain function f_G in the random-oracle model [14]. This observation became the basis for the design of the Catena memory-hard hash function family [42] and is useful for our analysis as well.
Since the relationship between G and f_G will be important for our construction and security proofs, we will summarize here the transformation of Dwork et al. [37], as modified by Alwen and Serbinenko [8]. The transformation from directed acyclic graph G = (V, E) to function f_G works by assigning a label to each vertex v ∈ V, with the aid of a cryptographic hash function H. We write the vertex set of G in topological order as {v_1, . . . , v_{|V|}}, such that v_1 is a source and v_{|V|} is a sink and, to simplify the discussion, we assume that G has a unique sink node.
Definition 3 (Labeling). Let G = (V, E) be a directed graph with maximum in-degree δ and a unique sink vertex, let x ∈ {0, 1}^k be a string, and let H : Z_{|V|} × ({0, 1}^k ∪ {⊥})^δ → {0, 1}^k be a function, modeled as a random oracle. We define the labeling of G relative to H and x as:

\[ \mathsf{label}_x(v_i) = \begin{cases} H(i, x, \bot, \dots, \bot) & \text{if } v_i \text{ is a source} \\ H(i, \mathsf{label}_x(z_1), \dots, \mathsf{label}_x(z_\delta)) & \text{otherwise,} \end{cases} \]

where z_1, . . . , z_δ are the predecessors of v_i in G.
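The labeling of Definition 3 can be sketched as follows, with SHA-256 standing in for the random oracle H and the ⊥ padding elided (both simplifying assumptions for illustration):

```python
import hashlib

def labeling(preds, x, k=32):
    """preds maps each vertex i (numbered 1..|V| in topological order) to
    its ordered list of predecessors; x is the input string."""
    label = {}
    for i in sorted(preds):
        if not preds[i]:          # source: H(i, x, ⊥, ..., ⊥)
            msg = i.to_bytes(8, 'big') + x
        else:                     # H(i, label(z_1), ..., label(z_δ))
            msg = i.to_bytes(8, 'big') + b''.join(label[z] for z in preds[i])
        label[i] = hashlib.sha256(msg).digest()[:k]
    return label

# a three-vertex path v1 -> v2 -> v3; the label of the sink plays the role of f_G(x)
labels = labeling({1: [], 2: [1], 3: [2]}, b'password')
```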
We use a version of their result due to Dziembowski et al. [39]. The probabilities in the following theorems are over the choice of the random oracle and the randomness of the adversary.
Proof. The first two parts are a special case of Theorem 4.2 of Dziembowski et
al. [39]. To apply their theorem, consider the running time and space usage of
the algorithm Asmall they define, setting c = 0. The third part of the theorem
follows immediately from the pebbling they construct in the proof: there is at
most one pebble placement per oracle call. There are at most T oracle calls, so
the total number of placements is bounded by T .
Informally, the lemma states that an algorithm using S·k bits of space will rarely be able to generate a sequence of random-oracle queries whose corresponding pebbling places more than S pebbles on the graph or makes an invalid pebbling move.
The essential point, as captured in the following theorem, is that if we can
construct a graph G that takes a lot of time to pebble when using few pebbles,
then we can construct a function fG that requires a lot of time to compute with
high probability when using small space, in the random oracle model.
By construction of G, there does not exist a pebbling of G using S* pebbles and T* pebble placements. Thus, whenever A succeeds at computing f_G(·), it must be that either (1) the pebbling we extract from A is invalid, (2) the pebbling we extract from A uses more than S* pebbles, or (3) the pebbling we extract from A uses more than T* moves. From Theorem 4, the probability of the first event is at most T/2^k, the probability of the second event is at most 1/2^k, and the probability of the third event is zero.

By the Union Bound, we find that:

\[ \Pr[\mathcal{A} \text{ succeeds}] \le \frac{T}{2^k} + \frac{1}{2^k} = \frac{T+1}{2^k}. \]
The beauty of the pebbling paradigm is that it allows us to reason about the
memory-hardness of certain functions by simply reasoning about the properties
of graphs. That said, applying the pebbling model requires some care. For
...
...
...
requires that the entire string (x1 , . . . , xn ) be written onto the oracle tape (i.e.,
be in memory) at the moment when the machine queries the oracle.
In practice, the hash function H used to construct the labeling of the pebble graph is not a random oracle, but is often a Merkle-Damgård-style hash function [32, 58] built from a two-to-one compression function C : {0, 1}^{2k} → {0, 1}^k as

\[ H(x_1, \dots, x_n) = C(x_n, C(x_{n-1}, \dots, C(x_1, \bot) \dots )). \]
If H is one such hash function, then the computation of H(x1 , . . . , xn ) requires
at most a constant number of blocks of storage on the work and oracle tapes at
any moment, since the Merkle-Damgård hash can be computed incrementally.
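A minimal sketch of this point, using a SHA-256-based stand-in for the two-to-one compression function C (an assumption for illustration): the nested expression above is just a left-to-right fold, so only one k-bit chaining value needs to be in memory at any moment.

```python
import hashlib

def C(a: bytes, b: bytes) -> bytes:        # C : {0,1}^{2k} -> {0,1}^k, k = 256 bits
    return hashlib.sha256(a + b).digest()

def H(blocks):
    """Merkle-Damgård-style H(x_1, ..., x_n) = C(x_n, C(x_{n-1}, ..., C(x_1, ⊥)...)),
    computed incrementally in constant space."""
    state = C(blocks[0], b'\x00' * 32)     # C(x_1, ⊥), with ⊥ encoded as zeros
    for x in blocks[1:]:                   # one chaining value of state, ever
        state = C(x, state)
    return state
```

The fold produces exactly the nested expression, which is what lets a cheating evaluator avoid keeping all n labels in memory.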
The bottom line is that pebbling lower bounds suggest that the labeling of certain graphs, like the one depicted in Figure 7, requires Θ(n) blocks of storage to compute with high probability in the random-oracle model. However, when
H is a real Merkle-Damgård hash function, these functions actually take Õ(1)
space to compute. The use of incrementally computable compression functions
has led to actual security weaknesses in candidate memory-hard functions in the
past [20, Section 4.2], so these theoretical weaknesses have bearing on practice.
This failure of the random oracle model is one of the very few instances
in which a practical scheme that is proven secure in the random-oracle model
becomes insecure after replacing the random oracle with a concrete hash function
(other examples include [12, 27, 45, 60]). While prior works study variants of the
Merkle-Damgård construction that are indifferentiable from a random oracle [30],
they do not factor these space usage issues into their designs.
To sidestep this issue entirely, we use the random oracle only to model com-
pression functions with a fixed finite domain (i.e., two-to-one compression func-
tions) whose internal state size is as large as their output size. For example,
we model the compression function of SHA-512 as a random oracle, but do not
model the entire [infinite-domain] SHA-512 function as a random oracle. When
we use a sponge function, like SHA-3 [18], we use it as a two-to-one compression
function, in which we extract only as many bits of output as the capacity of the
sponge.
define the spread of the list X after removing S as the sum of the lengths of the segments defined by X whose rightmost endpoints are not in S. Symbolically, we can let X_0 = 0 and define the spread as:

\[ \mathsf{spread}_S(X) = \sum_{X_i \in X \setminus S} (X_i - X_{i-1}). \]

For example, taking X = (2, 2, 4, 7):

spread_{}(X) = (2 − 0) + (2 − 2) + (4 − 2) + (7 − 4) = 7
spread_{7}(X) = (2 − 0) + (2 − 2) + (4 − 2) = 4
spread_{2,7}(X) = (4 − 2) = 2
spread_{2,4,7}(X) = 0

In computing spread_S(·), we remove all segments whose right endpoint falls into the set S. If there are many such segments (i.e., as when we compute spread_{2}((2, 2, 4, 7)) = 5), we remove all of them.
We say that a list of integers is well-spread if the spread of the list is larger than a certain threshold, even after removing any subset of segments of a particular size.
Definition 6 (Well-Spread List). Let X be a list of integers X ⊆ {1, . . . , n} and let σ be an integer such that σ ≤ |X|. Then X is (σ, ρ)-well-spread if, for all subsets S ⊆ X of size σ, spread_S(X) ≥ ρ.
So, for example, a list X of integers is (n/8, n/4)-well-spread if, for all sets S ⊆ X of size n/8, we have that spread_S(X) ≥ n/4.
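The spread function and both definitions are small enough to check directly. The sketch below (illustrative) reproduces the worked examples for X = (2, 2, 4, 7) and brute-forces the well-spread condition over all size-σ subsets.

```python
from itertools import combinations

def spread(X, S):
    """Sum of the segment lengths X_i - X_{i-1} (with X_0 = 0) whose right
    endpoint does not lie in S."""
    prev, total = 0, 0
    for x in X:
        if x not in S:
            total += x - prev
        prev = x
    return total

def well_spread(X, sigma, rho):
    """(σ, ρ)-well-spread: spread_S(X) >= ρ for every size-σ subset S."""
    return all(spread(X, set(S)) >= rho
               for S in combinations(set(X), sigma))

X = (2, 2, 4, 7)
assert spread(X, set()) == 7
assert spread(X, {7}) == 4
assert spread(X, {2, 7}) == 2
assert spread(X, {2, 4, 7}) == 0
assert spread(X, {2}) == 5          # removing 2 drops *both* segments ending at 2
assert well_spread(X, 1, 4) and not well_spread(X, 1, 5)
```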
The following lemma demonstrates that a list of random integers is well-
spread with all but negligible probability.
Lemma 7 (Big Spread Lemma) For all positive integers δ ≥ 3, ω ≥ 2, and n, and for all positive integers m such that 2^ω < m < 2^{(2−ω+2ω/δ)} · n/(δe), a list of δm elements sampled independently and uniformly at random from {1, . . . , n} is an (m, n/2^ω)-well-spread set with probability at least 1 − 2^{ω+2} · 2^{[(1−ω)δ/2+ω]m}.

Lemma 7 states (very roughly) that if you divide the integers (1, . . . , n) into δm segments at random, and then remove the m longest segments, the remaining segments have total length at least n/2^ω, with very high probability.
To prove Lemma 7, we need one related lemma. In the hypothesis of the
following lemma, we choose d distinct integers from {1, . . . , n} at random without
replacement, and we use these integers to break the range (1, . . . , n) into d + 1
segments. The lemma states that if f is an arbitrary function of the lengths of
the segments, then the probability that f takes on value 1 is invariant under a
reordering of the segments.
(L_1, . . . , L_{d+1}), where L_i = Y_i − Y_{i−1}. Then, for all functions f : Z^{d+1} → {0, 1}, and for all permutations π on d + 1 elements,

\[ \Pr[f(L_1, \dots, L_{d+1}) = 1] = \Pr[f(L_{\pi(1)}, \dots, L_{\pi(d+1)}) = 1]. \]
In the second step, we just renamed the variables on the right-hand side.
Now, we claim that Pr[L = ℓ] = Pr[π(L) = ℓ]. To see this, we first compute the probability Pr[L = ℓ]. This is just the probability of choosing a particular set of Rs that corresponds to the lengths in ℓ (up to reordering), so

\[ \Pr[L = \ell] = d! \cdot \Pr_{(R_1, \dots, R_d)}\big[(R_1 = \ell_1) \wedge (R_2 = \ell_1 + \ell_2) \wedge (R_3 = \ell_1 + \ell_2 + \ell_3) \wedge \cdots \big]. \]

Since ℓ_i > 0 for all i ∈ {1, . . . , d}, we are asking for the probability that (R_1, . . . , R_d) take on a particular set of d distinct values. This probability is

\[ \frac{1}{n} \cdot \frac{1}{n-1} \cdots \frac{1}{n-d+1} = \frac{(n-d)!}{n!}, \]

so

\[ \Pr[L = \ell] = \frac{d!\,(n-d)!}{n!} = \binom{n}{d}^{-1}. \]
Proof of Lemma 7. Let R = (R_1, . . . , R_{δm}) be integers sampled independently and uniformly at random from {1, . . . , n}. We want to show that for all subsets S ⊆ R of size at most m, spread_S(R) ≥ n/2^ω. To do so, we first define a bad event B, then show that bounding Pr[B] is enough to prove the lemma, and finally we bound Pr[B].
The last equality holds because \(\sum_{X_i \in R} (X_i - X_{i-1}) = \sum_{i=1}^{\delta m} (X_i - X_{i-1}) = X_{\delta m}\). But, by definition of S, \(\mathsf{spread}_S(R) = \sum_{X_i \in R \setminus S} (X_i - X_{i-1})\), and we know that spread_S(R) < n/2^ω, so we have that

\[ \sum_{X_i \in S'} (X_i - X_{i-1}) \ge (1 - 2^{-\omega})\, n. \]
This establishes that bounding the probability of the bad event B is enough to
prove the lemma.
Strategy to Bound Pr[B]. We now bound the probability of the bad event B. To execute this analysis, let D be a random variable denoting the number of distinct integers in the list of random integers R. For any fixed integer d* ∈ {1, . . . , δm}, we can write:

\[ \Pr[B] \le \Pr[D < d^*] + \max_{d \ge d^*} \Pr[B \mid D = d]. \]

To bound Pr[B], we take d* = δm/2 and then bound the two probabilities on the right-hand side.
Bounding Pr[D < d*]. We now compute Pr[D < d*]. The probability of this event is at most the probability that we throw δm balls into n bins, and all δm balls fall into a set of d* = δm/2 bins:

\[ \Pr[D < d^*] \le \binom{n}{d^*} \left(\frac{d^*}{n}\right)^{\delta m} \le \left(\frac{n \cdot e}{d^*}\right)^{d^*} \left(\frac{d^*}{n}\right)^{\delta m} = e^{d^*} \left(\frac{d^*}{n}\right)^{\delta m - d^*}. \tag{4} \]
Recall that d* = δm/2. By the hypothesis of the lemma, m < 2^{(1−ω+2ω/δ)} · 2n/(δe). Therefore, δme/(2n) < 2^{(1−ω+2ω/δ)}. Then from (4), we have:

\[ \Pr[D < d^*] \le \left(\frac{\delta m e}{2n}\right)^{\delta m/2} \le \left(2^{(1-\omega+\frac{2\omega}{\delta})}\right)^{\delta m/2} \le 2^{[(1-\omega)\frac{\delta}{2}+\omega]m}. \tag{5} \]
Bounding Pr[B|D = d]. We now bound the probability of the bad event B,
conditioned on there being exactly d distinct integers in the list R, for some
d ≥ d∗ .
Step 1: Consider sets of distinct elements. Recall that the bad event B occurs if there is a subset S′ ⊆ X = (X_1, . . . , X_{δm+1}) of size at most (m + 1), such that \(\sum_{X_i \in S'} (X_i - X_{i-1}) \ge (1 - 2^{-\omega})n\).

Whenever bad event B occurs, there is also a subset S′_dist of distinct integers in X such that S′_dist (a) also has this “bad” property and (b) has size at most (m + 1). Furthermore, if there exists one such set S′_dist with size less than (m + 1), there also exists a “bad” set of distinct elements with size exactly (m + 1), as long as m + 1 ≤ d. (Since d ≥ d* = δm/2, it always holds that m + 1 ≤ d.) So, we need only to bound the probability that there exists a bad subset S′_dist of distinct integers of size exactly (m + 1).
Step 2: Apply Lemma 8 to simplify the calculation. Write the d distinct integers in R in ascending order as Y = (Y_1, . . . , Y_d). We must bound the probability that a size-(m + 1) subset S′_dist ⊆ Y is bad. Fix a set of indices I ⊆ {1, . . . , d + 1} of size (m + 1). We bound the probability that the subset S′_dist = {Y_i | i ∈ I} is bad.

Let f : Z^{d+1} → {0, 1} be a function that returns 1 if its first (m + 1) arguments sum to at least (1 − 2^{−ω})n, and that outputs 0 otherwise. Use the Y s to define lengths (L_1, . . . , L_{d+1}) as in Lemma 8. Let π be a permutation on d + 1 elements such that if i ∈ I, then L_i appears as one of the first m + 1 elements of (L_{π(1)}, . . . , L_{π(d+1)}).

Then, for all d ∈ {d*, . . . , δm + 1}, we can calculate the probability that there exists a bad subset S′ ⊆ Y of size (m + 1) as:

\[
\begin{aligned}
\Pr\Big[\sum_{i \in I} L_i \ge (1 - 2^{-\omega})n \;\Big|\; D = d\Big]
&= \Pr[f(L_{\pi(1)}, \dots, L_{\pi(d+1)}) = 1 \mid D = d] \\
&= \Pr[f(L_1, \dots, L_{d+1}) = 1 \mid D = d] \\
&= \Pr[(L_1 + \cdots + L_{m+1}) \ge (1 - 2^{-\omega})n \mid D = d].
\end{aligned}
\]
which is the probability that a single set is bad. We then apply the Union Bound
over all possible sets to bound Pr[B|D = d].
The event L_1 + L_2 + · · · + L_{m+1} ≥ (1 − 2^{−ω})n can only happen when d − (m + 1) of the integers are greater than (1 − 2^{−ω})n. (Otherwise the first m + 1 segments would have total length less than (1 − 2^{−ω})n.)

The probability of this event is no greater than the probability that d − (m + 1) balls thrown independently at random into n bins all end up in the rightmost 2^{−ω}n bins. This probability is at most (2^{−ω})^{(d−m−1)}, so

\[ \Pr[(L_1 + L_2 + \cdots + L_{m+1}) \ge (1 - 2^{-\omega})n \mid D = d] \le \left(\frac{1}{2}\right)^{\omega(d-m-1)}. \]

Then we apply the Union Bound over all \(\binom{d+1}{m+1}\) possible size-(m + 1) subsets S′ of segments that could be large to get:

\[
\begin{aligned}
\Pr[B \mid D = d] &\le \binom{d+1}{m+1} \left(\frac{1}{2}\right)^{\omega(d-m-1)} \\
&\le 2^{d+1}\, 2^{-\omega(d-m-1)} = 2^{(1-\omega)d+\omega m+\omega+1} \tag{6} \\
&\le 2^{(1-\omega)(\delta m/2)+\omega m+\omega+1} \\
&\le 2^{\omega+1}\, 2^{[(1-\omega)\frac{\delta}{2}+\omega]m}. \tag{8}
\end{aligned}
\]
D Sandwich Graphs
In this section we recall the definition of sandwich graphs [8], and introduce a
few transformations on sandwich graphs that are useful for our analysis of the
Balloon functions.
D.1 Definitions
Definition 9 (Sandwich Graph [8]). A sandwich graph is a directed acyclic
graph G = (U ∪ V, E) on 2n vertices, which we label as U = {u1 , . . . , un } and
V = {v1 , . . . , vn }. The edges of G are such that
– there is a (ui , ui+1 ) edge for i = 1, . . . , n − 1,
– there is a (un , v1 ) edge,
– there is a (vi , vi+1 ) edge for i = 1, . . . , n − 1, and
– all other edges cross from U to V .
Figure 9 (left) depicts a sandwich graph. If G = (U ∪ V, E) is a sandwich
graph, we refer to the vertices in U as the “top” vertices and vertices in V as the
“bottom” vertices.
Definition 10 (Well-Spread Predecessors). Let G = (U ∪ V, E) be a sandwich graph and fix a subset of vertices V′ ⊂ V. Write the immediate predecessors of V′ in U as P = {u_{i_1}, u_{i_2}, . . . , u_{i_{|P|}}}. Then we say that the predecessors of V′ are (σ, ρ)-well spread if the corresponding set of integers {i_1, i_2, . . . , i_{|P|}} is (σ, ρ)-well spread, in the sense of Definition 6.

Definition 11 (Avoiding Set). Let G = (U ∪ V, E) be a directed acyclic graph. We say that the subset V′ ⊂ V is a (σ, ρ)-avoiding set if, after placing σ pebbles anywhere on the graph, except on V′, there are at least ρ distinct vertices in U on unpebbled paths to V′.

Figure 8 gives an example of an avoiding set.
Fig. 8: The set V′ is a (1, 4)-avoiding set: after placing any single pebble on the graph (except on vertices in V′), there will still be at least four vertices in U on unpebbled paths to V′.
Sandwich graphs are useful in part because they maintain certain connectivity properties under a “localizing” transformation. Let G be a sandwich graph. Let (a_1, . . . , a_n) be the top vertices of the graph G and let (a_{n+1}, . . . , a_{2n}) be the bottom vertices. The localized graph L(G) on vertices (a_1, . . . , a_{2n}) has the property that every predecessor of a vertex a_i falls into the set {a_{max{1,i−n}}, . . . , a_{i−1}}. (In the unlocalized graph, a_i’s predecessors fell into the larger set {a_{max{1,i−2n}}, . . . , a_{i−1}}.) If we think of the set {a_{max{1,i−n}}, . . . , a_{i−1}} as the vertices “nearby” to vertex a_i, then the localizing transformation ensures that the predecessors of every vertex a_i all fall into this set of nearby vertices. Figure 9 demonstrates this transformation.
We use this localizing transformation to make more efficient use of buffer
space in the Balloon algorithm. It is possible to pebble a localized sandwich
graph in linear time with n + O(1) pebbles, whereas a non-localized sandwich
graph can require as many as 2n pebbles in the worst case. This transformation
makes computing the Balloon function easier for anyone using n space, while
maintaining the property that the function is hard to compute in much less
space. (Smith and Zhang find a similar locality property useful in the context
of leakage-resilient cryptography [82].)
The edge set of the localized graph is:

\[
L(E) = \{(\tilde u_i, \tilde v_i) \mid i \in \{1, \dots, n\}\} \cup
\{(\tilde u_i, \tilde u_{i+1}) \mid i \in \{1, \dots, n-1\}\} \cup
\{(\tilde v_i, \tilde v_{i+1}) \mid i \in \{1, \dots, n-1\}\} \cup
\{(\tilde u_n, \tilde v_1)\} \cup
\{(\tilde v_i, \tilde v_j) \mid (u_i, v_j) \in E \text{ and } i \le j\} \cup
\{(\tilde u_i, \tilde v_j) \mid (u_i, v_j) \in E \text{ and } i > j\}.
\]

Fig. 9: A sandwich graph G (left) and the corresponding localized graph L(G) (right).
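The edge-set definition translates directly into code. In this sketch the vertex names ('u', i) and ('v', i), and the handling of i = j cross edges (already covered by the (ũ_i, ṽ_i) edges), are our own illustrative choices; the final assertion checks the locality property, i.e., that every edge of L(G) spans at most n positions.

```python
def localize(n, cross_edges):
    """cross_edges: pairs (i, j) encoding the (u_i, v_j) edges of G."""
    E = {(('u', i), ('v', i)) for i in range(1, n + 1)}
    E |= {(('u', i), ('u', i + 1)) for i in range(1, n)}
    E |= {(('v', i), ('v', i + 1)) for i in range(1, n)}
    E.add((('u', n), ('v', 1)))
    for i, j in cross_edges:
        if i == j:
            continue                       # covered by the (ũ_i, ṽ_i) edge
        E.add((('v', i), ('v', j)) if i < j else (('u', i), ('v', j)))
    return E

def pos(v, n):                             # ũ_1..ũ_n, ṽ_1..ṽ_n as a_1..a_2n
    return v[1] if v[0] == 'u' else n + v[1]

n = 8
E = localize(n, [(1, 5), (6, 2), (4, 4)])
# every predecessor of a_i lies among the n vertices just before it
assert all(0 < pos(b, n) - pos(a, n) <= n for a, b in E)
```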
Proof. Fix a pebbling of L(G) using σ pebbles with no pebbles on V′. For every edge (u_i, v_j) ∈ U × V in G, there is either (a) a corresponding edge in L(G), or (b) a pair of edges (u_i, v_i) and (v_i, v_j) in L(G). If the vertex v_i does not contain a pebble, then for analyzing the avoiding-set property, we can consider there to exist a (u_i, v_j) edge. There are now at most σ pebbled U-to-V′ edges. By Lemma 12, the (σ, ρ)-avoiding set property follows.
The next set of graph transformations we use allows us to reduce the in-degree
of the graph from δ down to 2 without affecting the key structural properties
of the graph. Reducing the degree of the graph allows us to instantiate our
construction with a standard two-to-one compression function and avoids the
issues raised in Appendix B.3. The strategy we use follows the technique of Paul
and Tarjan [66].
Definition 19. Let G = (U ∪ V, E) be a (possibly localized) sandwich graph.
We say that the degree-reduced graph D(G) is the graph in which each vertex
vi ∈ V in G of in-degree δ+1 is replaced with a path “gadget” whose vertices have
in-degree at most 2. The original predecessor vertex vi−1 is at the beginning of
the path, there are δ − 1 internal vertices on the path, and the original vertex
vi is at the end of the path. The δ other predecessors of vi are connected to the
vertices of the path (see Figure 10).
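One plausible wiring of this gadget, as a sketch (the exact assignment of the δ extra predecessors to path vertices is our illustrative choice, not fixed by Definition 19):

```python
def degree_reduce(preds):
    """preds: vertex -> ordered predecessor list, first entry the chain
    predecessor v_{i-1}. Returns a new predecessor map with in-degree <= 2."""
    out = {}
    for v, ps in preds.items():
        if len(ps) <= 2:
            out[v] = list(ps)
            continue
        prev, others = ps[0], ps[1:]       # in-degree δ+1, so δ = len(others)
        chain = prev                       # path: prev -> w_1 -> ... -> w_{δ-1} -> v
        for idx, p in enumerate(others[:-1]):
            w = (v, idx)                   # fresh internal gadget vertex
            out[w] = [chain, p]
            chain = w
        out[v] = [chain, others[-1]]       # the original vertex v ends the path
    return out

g = degree_reduce({1: [], 2: [1], 3: [2, 1, 2, 1]})   # v_3 has in-degree 4
assert all(len(ps) <= 2 for ps in g.values())
assert len(g) == 5                                     # two internal gadget vertices
```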
By construction, vertices in D(G) have in-degree at most two. If G is a sand-
wich graph on 2n vertices, then D(G) still has n “top” vertices and n “bottom”
vertices. If the graph G had out-degree at most δ, then the vertex and edge sets
of D(G) are at most a factor of (δ − 1) larger than in G, since each gadget has
at most (δ − 1) vertices. The degree-reduced graph D(G) has extra “middle”
vertices (non-top non-bottom vertices) consisting of the internal vertices of the
degree-reduction gadgets (Figure 10).
Fig. 10: A portion of a sandwich graph G (left) and the same portion of the
corresponding degree-reduced graph D(G) (right). The shaded vertices are part
of the degree-reduction gadget.
D.3 Pebbling Sandwich Graphs
Lemma 23 Let G = (U ∪ V, E) be a (κ, σ, ρ)-consecutively-avoiding sandwich
graph on 2n vertices. Let M be a legal sequence of pebbling moves that begins with
no pebbles on the bottom half of the graph and that pebbles the topologically last
vertex in G at some point. Then we can divide M into L = n/(2κ) subsequences
of legal pebbling moves M1 , . . . , ML such that each subsequence Mi pebbles at
least ρ unpebbled vertices in U .
The proof follows the idea of Lengauer and Tarjan’s analysis of pebbling
strategies for the “bit-reversal” graph [54].
Proof. Label the vertices in V in topological order as (v_1, . . . , v_n). Divide these vertices into ⌊n/κ⌋ intervals of size κ. The last vertex in each of the intervals is then: v_κ, v_{2κ}, v_{3κ}, . . . , v_{⌊n/κ⌋κ}.
Consider any legal sequence of pebbling moves M that pebbles the last vertex in G. Let t_0 = 0 and let t_i be the time step at which vertex v_{iκ} (the last vertex in the ith interval) first receives a pebble. We know that at t_{i−1}, there are no pebbles on the ith interval; this is because, by the structure of a sandwich graph, all of the vertices in V must be pebbled in order. Thus, between t_{i−1} and t_i, every dependency of the vertices in interval i must receive a pebble.
These are κ consecutive vertices. Since G is (κ, σ, ρ)-consecutively avoiding,
the vertices in interval i are a (σ, ρ)-avoiding set. By the definition of an avoiding
set, at time ti−1 there must be at least ρ unpebbled dependencies in U of the
vertices in the ith interval. All of these vertices must receive pebbles by time ti .
Thus, in each time interval, M must pebble a set of ρ unpebbled vertices in U.

We have that κ ≤ n, so ⌊n/κ⌋ ≥ n/(2κ), so there are at least n/(2κ) sets of ρ unpebbled vertices in U that receive pebbles during the pebbling.
We now let the subsequence Mi defined in the lemma be the sequence of
pebbling moves between ti−1 and ti , and the lemma follows.
Proof. By Lemma 23, the pebbling pebbles at least ρ unpebbled vertices at least n/(2κ) times, so the total time required must be at least ρn/(2κ).
Fig. 11: A stack of d = 3 sandwich graphs. The top vertices of the stack are at level L_0 and the bottom vertices are at level L_3.
– M begins in configuration C,
– M at some point places a pebble on every vertex in V 0 , and
– M never uses more than σ pebbles,
Base case (d = 1). By the fact that the graph G is (σ, 2σ)-everywhere avoiding, the σ vertices in the set V′ must have at least 2σ unpebbled dependencies on the top level of the graph. These unpebbled predecessors of vertices in V′ all must receive pebbles during M, so M must contain at least 2σ moves.
Induction Step. As in the base case, we know that there are at least 2σ unpebbled level-(d − 1) dependencies of V′ that must receive pebbles during M.
Now we can divide M into two sub-sequences of consecutive pebbling moves: M = M_1 ∥ M_2. We divide the pebbling moves such that M_1 consists of the moves during which the first σ of the 2σ unpebbled dependencies receive pebbles, and M_2 consists of the rest of the moves.
Note now that the induction hypothesis applies to both M1 and M2: each
must contain at least 2^{d−1}σ pebbling moves.
Thus the total number of pebbling moves required in M is at least 2 · (2^{d−1}σ) = 2^d σ,
which proves the lemma.
D.4 Random Sandwich Graphs
Now we introduce two special types of sandwich graphs that we use in the
analysis of the Balloon function. Alwen and Blocki [3] use the same type of
sandwich graphs in their analysis (indeed, their work has inspired our use of
sandwich graphs), though the results we prove here are new.
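To make the object concrete, the following sketch samples the dependency structure of a δ-random sandwich graph. The exact edge set here (a chain edge along the bottom level plus δ independently and uniformly chosen top-level predecessors per bottom vertex) is our reading of the construction, used only for illustration.

```python
import random

def random_sandwich_graph(n, delta, seed=None):
    """Sample the dependency structure of a delta-random sandwich
    graph with top vertices ('u', 0..n-1) and bottom vertices
    ('v', 0..n-1).  Each bottom vertex depends on its predecessor in
    the bottom chain (if any) and on delta top vertices chosen
    independently and uniformly at random."""
    rng = random.Random(seed)
    preds = {}
    for i in range(n):
        chain = [('v', i - 1)] if i > 0 else []
        preds[('v', i)] = chain + [('u', rng.randrange(n))
                                   for _ in range(delta)]
    return preds
```

Each bottom vertex other than the first then has exactly δ + 1 dependencies, matching the in-degree bound used throughout the analysis.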
We then apply the Union Bound over all sets of m consecutive vertices to find
the probability that there exists a bad set. For each choice of m, there are at
most n sets V′ of consecutive vertices, so
$$\Pr[\exists \text{ bad set}] \le \sum_{i=1}^{n} \sum_{m=n_0}^{\infty} 2^6 \cdot 2^{-m/2} \le n \cdot \sum_{m=n_0}^{\infty} 2^6 \cdot 2^{-m/2}.$$
Summing the geometric series with ratio $r = 2^{-1/2}$ gives
$$\Pr[\exists \text{ bad set}] \le n \cdot 2^6 \cdot \frac{r^{n_0}}{1-r} \le n \cdot 2^6 \cdot \frac{2^{-n_0/2}}{1 - 2^{-1/2}}.$$
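The geometric-series step above is easy to sanity-check numerically; the following is only an illustrative script, not part of the proof.

```python
def tail_sum(n0, terms=4000):
    # Truncated numerical sum of 2^6 * 2^(-m/2) for m = n0, n0+1, ...
    return sum(2 ** 6 * 2.0 ** (-m / 2) for m in range(n0, n0 + terms))

def closed_form(n0):
    # Geometric series with ratio r = 2^(-1/2):
    # sum_{m >= n0} 2^6 * r^m = 2^6 * r^n0 / (1 - r)
    r = 2.0 ** -0.5
    return 2 ** 6 * r ** n0 / (1 - r)
```

For any starting index n0, the truncated sum and the closed form agree to floating-point precision.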
Proof. Let δ = 7 and ω = 5. First, consider the probability that a single set
V′ ⊂ V in G induces a set that is not (n/64, n/32)-well spread.
Let m = n/2^{ω+1}. Since 2^{2ω+1} < n by the hypothesis of the lemma, we have
2^ω < n/2^{ω+1} = m. Also by the hypothesis of the lemma, δe < 2^{3+2ω/δ}, so
$$\delta e < 2^{3 + 2\omega/\delta}$$
$$n\delta e < 2^{3 + 2\omega/\delta}\, n$$
$$n < 2^{3 + 2\omega/\delta}\, \frac{n}{\delta e}$$
$$m = \frac{n}{2^{\omega+1}} < 2^{\,2 - \omega + 2\omega/\delta}\, \frac{n}{\delta e}.$$
Since $2^\omega < m < 2^{\,2 - \omega + 2\omega/\delta}\, n/(\delta e)$, m satisfies the conditions of Lemma 7.
The probability that a single set V′ ⊂ V in G induces a set that is not
(n/2^{ω+1}, n/2^ω)-well spread is then at most $2^{\omega+2} \cdot 2^{[(1-\omega)\delta/2 + \omega]m}$, by Lemma 7.
Let k = (1 − ω)δ/2 + ω. We then apply the Union Bound over sets V′ of size
n/2^{ω+1} to find the probability that there exists a bad set V′:
$$\Pr[\exists \text{ bad set}] \le \binom{n}{n/2^{\omega+1}} \cdot 2^{\omega+2} \cdot (2^k)^{\frac{n}{2^{\omega+1}}}$$
$$\le \left(\frac{n e}{n/2^{\omega+1}}\right)^{\frac{n}{2^{\omega+1}}} \cdot 2^{\omega+2} \cdot (2^k)^{\frac{n}{2^{\omega+1}}}$$
$$\le \left(e \cdot 2^{\omega+1}\right)^{\frac{n}{2^{\omega+1}}} \cdot 2^{\omega+2} \cdot (2^k)^{\frac{n}{2^{\omega+1}}}$$
$$\le 2^{\omega+2} \left(e \cdot 2^{\omega+1} \cdot 2^k\right)^{\frac{n}{2^{\omega+1}}}$$
$$\le 2^{\omega+2} \cdot 2^{(\log_2 e + \omega + 1 + k)\frac{n}{2^{\omega+1}}}.$$
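The second step of the chain above uses the standard binomial-coefficient estimate $\binom{n}{s} \le (ne/s)^s$. A quick numerical check of that estimate (illustrative only, with our own function name):

```python
from math import comb, e

def entropy_style_bound(n, s):
    # The standard estimate (n choose s) <= (n*e/s)^s used in the
    # union-bound chain above.
    return (n * e / s) ** s
```

The bound holds for every pair tried; for example, comb(16, 8) = 12870 while (2e)^8 is roughly 7.6e5.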
Lemma 30 Let G_{n,d} be a depth-d stack of 3-random sandwich graphs with n vertices
on each level. Then, every sandwich graph in the stack is an (m, m, n/16)-consecutively
avoiding graph, for 16 < n_0 and all n_0 ≤ m < n/6, except with probability
$$p_{\mathrm{consec}}(n, d, n_0) \le 2^8 \cdot d \cdot n \cdot 2^{-n_0/2}.$$
Moreover, if G_{n,d} is a depth-d stack of 7-random sandwich graphs, then every
sandwich graph in the stack is (n/64, n/32)-everywhere avoiding when 2^{11} < n,
except with probability:
$$p_{\mathrm{every}}(n, d) \le 128 \cdot d \cdot 2^{-n/50}.$$
Proof. The probability that G_{n,d} does not satisfy the first property is at most
p_consec ≤ 2^8 · d · n · 2^{−n_0/2} by Lemma 28 and a Union Bound over the d levels
of the graph. The probability that G_{n,d} does not satisfy the second property is
at most p_every ≤ 128 · d · 2^{−n/50} by Lemma 29 and an application of the Union
Bound over the d levels of the graph.
(a) when δ ≥ 3: S · T ≥ dn²/32 for space usage n_0 ≤ S, except with probability
p_consec(n, d, n_0) defined in Lemma 30, and
(b) when δ ≥ 7: S · T ≥ (2^d − 1)n²/32 for space usage n_0 ≤ S < n/64, when
2^{11} < n, except with probability p_every(n, d), defined in Lemma 30.
$$T \ge \frac{n^2}{32S} + \frac{(d-1)n^2}{32S} = \frac{dn^2}{32S},$$
and Part (a) is proved.
To prove Part (b): To place the first pebble on the last level of the
graph, we must first place a pebble on the last vertex of level d − 1 of the graph.
By the induction hypothesis, this requires at least T_{d−1} ≥ (2^{d−1} − 1)n²/(32S)
pebbling moves, if S satisfies the bound of part (b) of the lemma and δ ≥ 7.
Fig. 12: Components of the data-dependency graph for one Balloon mixing
round. Here, v_i^{(t)} represents the value stored in the ith block in the main memory
buffer at the tth mixing round.
$$T_d \ge \frac{n}{2S} \cdot \frac{2^d n}{32} = \frac{2^{d-1} n^2}{32S}.$$
So the total time to place a pebble on the last vertex of the d-th level of the
graph is:
Claim 32 The output of the n-block r-round Balloon construction is the label-
ing, in the sense of Definition 3, of a depth-r stack of localized and degree-reduced
δ-random sandwich graphs.
$$T < \frac{rn^2}{32S^*} \quad\text{and}\quad \sigma < S^* k - \log_2 \frac{rn^2}{32S^*} - k,$$
for some n_0 and S* satisfying 16 < n_0 ≤ S* < n/6, then the probability that A
succeeds is at most
$$\frac{T+1}{2^k} + p_{\mathrm{consec}}(n, r, n_0),$$
where p_consec(·, ·, ·) is defined in Lemma 30.
Proof of Theorem 33. Fix an algorithm A. By Claim 32, A outputs the labeling
of a depth-r stack of 3-random sandwich graphs. Lemma 31 shows that
pebbling these graphs with n_0 ≤ S < n/6 pebbles takes time at least n²/(32S),
except with some small probability. Let B denote the event that the pebbling
bound does not hold.
Then we have:
F Argon2i Proof of Security
In this section, we show that the proof techniques we introduce for the analysis of
the Balloon algorithm can also be applied to prove the first known memory-hardness
results for the Argon2i algorithm.
We focus here on the single-pass variant of Argon2i, described in Section 4,
and do not attempt to generalize our results to the multi-pass variant. As in
Section 4, we analyze an idealized version of Argon2i, in which the randomly
chosen predecessor of a vertex is chosen using the uniform distribution over the
topologically prior vertices.
Note that the memory-hardness theorem that we are able to prove here about
single-pass Argon2i is much weaker than the corresponding theorem we can prove
about the Balloon algorithm (Informal Theorem 1). Essentially, this theorem
says that an attacker computing single-pass Argon2i cannot save more than a
factor of 1536× in space without paying for it with some increase in computation
cost.
For the purposes of the security analysis, it will be more convenient to look at
the graph A_{2n}. Take the graph A_{2n} and write its vertex set in topological
order as: (u1 , . . . , un , v1 , . . . , vn ). We can now think of the u vertices as the “top”
vertices of the graph, and the v vertices as the “bottom” vertices in the graph.
Then we have the following claim:
Claim 35 Consider any set of 12m bottom vertices of the graph A_{2n}, for m >
16. These vertices are an (m, n/16)-avoiding set, in the sense of Definition 11,
except with probability 2^{7−m/2}.
Proof. Let v_i be some bottom vertex in A_{2n}. The vertex v_i has one predecessor
(call it pred(v_i)) chosen i.u.r. from the set {u_1, . . . , u_n, v_1, . . . , v_{i−1}}. Conditioned
on the event that pred(v_i) ∈ {u_1, . . . , u_n}, this predecessor is chosen i.u.r.
from the set of top vertices {u_1, . . . , u_n}. Let T_i be an indicator random variable
taking on value “1” when vertex v_i’s randomly chosen predecessor is a top vertex.
Then Pr[T_i = 1] ≥ 1/2.
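To see why Pr[T_i = 1] ≥ 1/2, note that exactly n of the n + i − 1 candidate predecessors of v_i are top vertices, and i ≤ n, so n/(n + i − 1) ≥ n/(2n − 1) > 1/2. An exact check (illustrative only; the function name is ours):

```python
from fractions import Fraction

def prob_top_predecessor(n, i):
    """Pr[T_i = 1] when pred(v_i) is uniform over the n + i - 1
    topologically prior vertices {u_1..u_n, v_1..v_{i-1}}, exactly
    n of which are top vertices."""
    return Fraction(n, n + i - 1)
```

Using exact rationals avoids any floating-point doubt about the inequality at the boundary i = n.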
Fix a set V′ of κm vertices on the bottom half of the graph. We want to show
that, with high probability, V′ has at least 3m predecessors in the top half of
the graph. The expected number of top-half predecessors of the set V′ is at least
κm/2, and we want to bound the probability that there are at most 3m top-half
predecessors. A standard Chernoff bound gives that, for κm independent
Poisson trials with success probability at least 1/2, the probability that fewer
than 3m of them succeed is bounded by
$$\Pr\left[\sum_{v_i \in V'} T_i < 3m\right] < \exp\left(-\frac{\frac{\kappa m}{2}\left(1 - \frac{6}{\kappa}\right)^2}{2}\right).$$
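The Chernoff bound used here can be checked numerically for concrete parameters; the sketch below (with κ = 12, as in Claim 35, and names of our own choosing) compares the analytic bound against a Monte Carlo estimate.

```python
import math
import random

def chernoff_bound(kappa, m):
    # exp(-((kappa*m/2) * (1 - 6/kappa)^2) / 2): the bound on the
    # probability that fewer than 3m of kappa*m fair trials succeed.
    mu = kappa * m / 2
    delta = 1 - 6 / kappa
    return math.exp(-mu * delta ** 2 / 2)

def empirical_failure_rate(kappa, m, trials=2000, seed=7):
    # Fraction of trials in which fewer than 3m of kappa*m fair
    # coin flips come up heads.
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        heads = sum(rng.random() < 0.5 for _ in range(kappa * m))
        bad += heads < 3 * m
    return bad / trials
```

With κ = 12 and m = 8, the bound is exp(−6) ≈ 0.0025, and the empirical failure rate is far smaller (the event sits several standard deviations below the mean).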
Now, by Lemma 7 (with δ = 3 and ω = 4), the probability that the predecessors
of set V′ are not (m, n/16)-well-spread over the top vertices is at most
2^6 · 2^{−m/2}. By the Union Bound, the probability that either V′ has fewer than 3m
i.u.r. top-half predecessors or that these predecessors are poorly spread is at most
2^{6−m/2} + 2^{−m} ≤ 2^{7−m/2}. By Lemma 12, the set V′ is then an (m, n/16)-avoiding
set, except with probability 2^{7−m/2}.
Proof of Theorem 34. Fix an integer n_0. We show that A_{2n} is a (12m, m, n/16)-
consecutively avoiding graph when n_0 ≤ m ≤ n/12, except with probability
n² · 2^{7−n_0/2}. The probability that any consecutive set of 12m vertices on the
bottom level of the graph is not an (m, n/16)-avoiding set is at most
$$\sum_{i=1}^{n} \sum_{m=n_0}^{n} 2^{7-m/2} \le n^2 \cdot 2^{7-n_0/2},$$
using Claim 35 and the Union Bound.
Now, we apply Corollary 24 (with κ = 12m, σ = m, ρ = n/16) to conclude
that pebbling A_{2n} with at most S pebbles requires at least T ≥ n²/(384S) pebbling
moves, when n_0 < S < n/12, except with probability n² · 2^{7−n_0/2}. Alternatively,
we can write: S · T ≥ n²/384. Since pebbling A_{2n} takes at least 2n pebbling
moves, this bound holds for n/12 ≤ S ≤ 2n as well.
Now, since we are interested in the complexity of pebbling A_n (not A_{2n}),
we can divide the ns by two to find that pebbling A_n with at most S pebbles
requires S · T ≥ n²/1536 pebbling moves, when n_0 < S, except with probability
at most n² · 2^{5−n_0/2}.
We can convert the pebbling lower bound into a time-space lower bound in
the random-oracle model using the techniques of Appendix E.
G Analysis of Scrypt
In this section, we show that the proof techniques we have used to analyze the
memory-hardness of the Balloon algorithm are useful for analyzing scrypt
in the random-oracle model [68]. Although scrypt uses a password-dependent
access pattern, we show that even if scrypt used a password-independent access
pattern, it would still be a memory-hard function in the sense of Section 2.2.
Alwen et al. [6] give a proof of memory-hardness of scrypt in the stronger parallel
random-oracle model (Section 5.1) under combinatorial conjectures (see
Footnote 11). Here we prove memory-hardness in the traditional sequential
random-oracle model. Our goal is not to prove a more powerful statement about
scrypt—just to show that our techniques are easy to apply and are broadly rel-
evant to the analysis of memory-hard functions.
Simplified scrypt. The simplified variant of scrypt we consider here—which
operates on a buffer (x_1, . . . , x_n) of n memory blocks using random oracles H1, H2,
and H3—operates as follows:
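The step-by-step listing itself is not reproduced in this excerpt. As a rough, non-authoritative sketch of a ROMix-style core under our own assumptions (modeling H1, H2, and H3 as domain-separated SHA-256, and assuming the usual fill-then-mix structure; the paper's exact listing may differ), it might look like:

```python
import hashlib

def H(tag, data):
    # Model the random oracles H1, H2, H3 as domain-separated SHA-256.
    return hashlib.sha256(tag + data).digest()

def simplified_scrypt(passwd, salt, n):
    """Illustrative ROMix-style core (our assumptions, not the paper's
    exact listing): fill n blocks with an H1 hash chain, then perform
    n mixing steps, each reading a block at a data-dependent index,
    and finish with H3."""
    x = [H(b'H1', passwd + salt)]
    for _ in range(1, n):
        x.append(H(b'H1', x[-1]))              # fill phase: hash chain
    y = x[-1]
    for _ in range(n):
        j = int.from_bytes(y, 'big') % n       # data-dependent read
        y = H(b'H2', bytes(a ^ b for a, b in zip(y, x[j])))
    return H(b'H3', y)
```

The data-dependent index j is exactly what makes the memory-access pattern password-dependent, the property discussed at the end of this appendix.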
Theorem 36 Fix a positive integer n_0 > 16. Let G_n denote the data-dependency
graph for the core scrypt function (ROMix) on n memory blocks. Then any strategy
for pebbling G_n using at most S pebbles requires at least T pebbling moves,
such that:
$$S \cdot T \ge \frac{n^2}{96},$$
for S > n_0, except with probability n² · 2^{6−n_0/2}.
n² · 2^{6−n_0/2}, the graph G_n is (3m, m, n/16)-consecutively avoiding for m ≥ n_0.
Now we can apply Corollary 24 (with κ = 3S, σ = S, and ρ = n/16) to conclude
that pebbling G_n with at most S pebbles, for n_0 ≤ S ≤ n/6, requires at least
T ≥ n²/(96S) pebbling moves with high probability. Thus, we have S · T ≥ n²/96
when n_0 ≤ S.
As in Appendix E, we can now turn the pebbling lower-bound into a time-
space lower bound in the random-oracle model. We omit the details, since the
conversion is mechanical.
Since the space usage of this attack algorithm is constant, the time-space product
is only O(n) instead of Ω(n²), so scrypt essentially loses its memory-hardness
completely in the face of an attacker who learns the first few bits of the memory-access
pattern.20

19 See Appendix G for a sketch of the core scrypt algorithm.
Of course, a valid question is whether a real-world attacker could ever learn
any bits of the access pattern of scrypt on a user’s password. It is certainly plau-
sible that an attacker could use cache-timing channels—such as exist for certain
block ciphers [25]—to extract memory-access pattern information, especially if
a malicious user and an honest user are colocated on the same physical machine
(e.g., as in a shared compute cluster). Whether or not these attacks are practical
today, it seems prudent to design our password-hashing algorithms to withstand
attacks by the strongest possible adversaries.
20 Here we have assumed that the attacker knows the entire access pattern, but a
similarly devastating attack applies even if the attacker only knows the first few
memory address locations.