Efficiently Computing Data-Independent Memory-Hard Functions

A memory-hard function (MHF) f is equipped with a space cost σ and time cost τ parameter such that repeatedly computing fσ,τ on an application specific integrated circuit (ASIC) is not economically advantageous relative to a general purpose computer. Technically we would like that any (generalized) circuit for evaluating an iMHF fσ,τ has area × time (AT) complexity at Θ(σ ∗ τ). A data-independent MHF (iMHF) has the added property that it can be computed with almost optimal memory and time complexity by an algorithm which accesses memory in a pattern independent of the input value. Such functions can be specified by fixing a directed acyclic graph (DAG) G on n = Θ(σ ∗τ) nodes representing its computation graph. In this work we develop new tools for analyzing iMHFs. First we define and motivate a new complexity measure capturing the amount of energy (i.e. electricity) required to compute a function. We argue that, in practice, this measure is at least as important as the more traditional AT-complexity. Next we describe an algorithm A for repeatedly evaluating an iMHF based on an arbitrary DAG G. We upperbound both its energy and AT complexities per instance evaluated in terms of a certain combinatorial property of G. Next we instantiate our attack for several general classes of DAGs which include those underlying many of the most important iMHF candidates in the literature. In particular, we obtain the following results which hold for all choices of parameters σ and τ (and thread-count) such that n = σ ∗ τ . • The Catena-Dragonfly function of [FLW13] has AT and energy complexities O(n). • The Catena-Butterfly function of [FLW13] has complexities is O(n). • The Double-Buffer and the Linear functions of [CGBS16] both have complexities in O(n). • The Argon2i function of [BDK15] (winner of the Password Hashing Competition [PHC]) has complexities O(n log(n)). • The Single-Buffer function of [CGBS16] has complexities O(n log(n)). • Any iMHF can be computed by an algorithm with complexities O(n/ log1− (n)) for all > 0. In particular when τ = 1 this shows that the goal of constructing an iMHF with AT-complexity Θ(σ ∗ τ) is unachievable. Along the way we prove a lemma upper-bounding the depth-robustness of any DAG which may prove to be of independent interest.