Towards Practical Data-Dependent Memory-Hard Functions with Optimal Sustained Space Trade-offs in the Parallel Random Oracle Model

TL;DR

This paper introduces a practical data-dependent memory-hard function called EGSample, which achieves strong trade-offs between sustained space and cumulative memory costs, with formal proofs in the dynamic pebbling and parallel random oracle models.

Contribution

EGSample is a new MHF that avoids expensive combinatorial constructions and has provable optimal trade-offs in both theoretical models.

Findings

EGSample matches the best known trade-offs in the dynamic pebbling model.

In the parallel random oracle model, any evaluation incurs high memory lockup or costs.

The paper provides new techniques for analyzing memory-hard functions in these models.

Abstract

Memory-Hard Functions (MHF) are a useful cryptographic primitive to build egalitarian proofs-of-work and to help protect low entropy secrets (e.g., user passwords) against brute-forces attacks. Ideally, we would like for a MHF to have the property that (1) an honest party can evaluate the function in sequential time $\Omega(N)$, and (2) any parallel party that evaluates the function is forced to lockup $\Omega(N)$ memory for $\Omega(N)$ sequential steps. Unfortunately, this goal is not quite achievable, so prior work of Blocki and Holman [BH22] focused on designing MHFs with strong tradeoff guarantees between sustained-space complexity (SSC) and cumulative memory costs (CMC). However, their theoretical construction is not suitable for practical deployment due to the reliance on expensive constructions of combinatorial graphs. Furthermore, there is no formal justification for the heuristic use of the dynamic pebbling game in MHF analysis so we cannot rule out the possibility that there are more efficient attacks in the Parallel Random Oracle Model (PROM). Towards the goal of developing a practical MHF with provably strong SSC/CMC tradeoffs we develop a new MHF called EGSample which does not rely on expensive combinatorial constructions like [BH22]. In the dynamic pebbling model, we prove equivalent SSC/CMC tradeoffs for EGSample i.e., any the dynamic pebbling strategy either (1) locks up $\Omega(N)$ memory for $\Omega(N)$ steps, or (2) incurs cumulative memory cost at least $\Omega(N^{3-\epsilon})$. We also develop new techniques to directly establish SSC/CMC tradeoffs in the parallel random oracle model. In particular, we prove that {\em any} PROM algorithm evaluating our MHF either (1) locks up $\Omega(N)$ blocks of memory for $\Omega(N)$ steps or (2) incurs cumulative memory cost at least $\Omega(N^{2.5-\epsilon})$.