Efficiently Computing Data-Independent Memory-Hard Functions

A memory-hard function (MHF) f is equipped with a space cost sigma and time cost tau parameter such that repeatedly computing f(sigma, tau) on an application specific integrated circuit (ASIC) is not economically advantageous relative to a general purpose computer. Technically we would like that any (generalized) circuit for evaluating an iMHF f(sigma, tau) has area x time (AT) complexity at Theta(sigma(2) * tau). A data- independent MHF (iMHF) has the added property that it can be computed with almost optimal memory and time complexity by an algorithm which accesses memory in a pattern independent of the input value. Such functions can be specified by fixing a directed acyclic graph (DAG) G on n = Theta(sigma* tau) nodes representing its computation graph. In this work we develop new tools for analyzing iMHFs. First we define and motivate a new complexity measure capturing the amount of energy (i.e. electricity) required to compute a function. We argue that, in practice, this measure is at least as important as the more traditional AT-complexity. Next we describe an algorithm A for repeatedly evaluating an iMHF based on an arbitrary DAG G. We upperbound both its energy and AT complexities per instance evaluated in terms of a certain combinatorial property of G. Next we instantiate our attack for several general classes of DAGs which include those underlying many of the most important iMHF candidates in the literature. In particular, we obtain the following results which hold for all choices of parameters sigma and tau ( and thread-count) such that n = sigma * tau - The Catena-Dragonfly function of [FLW13] has AT and energy complexities O(n(1.67)). - The Catena-Butterfly function of [FLW13] has complexities is O(n(1.67)) - The Double-Buffer and the Linear functions of [CGBS16] both have complexities in O(n(1.67)) - The Argon2i function of [BDK15] (winner of the Password Hashing Competition [PHC]) has complexities O(n(7/4) log(n)). The Single- Buffer function of [CGBS16] has complexities O(n(7/4) log(n)). - Any iMHF can be computed by an algorithm with complexities O(n2 /log(1-epsilon) (n)) for all epsilon > 0. In particular when tau= 1 this shows that the goal of constructing an iMHF with AT-complexity Theta(sigma(2) * tau) is unachievable. Along the way we prove a lemma upper-bounding the depth-robustness of any DAG which may prove to be of independent interest.