Depth-Robust Graphs and Their Cumulative Memory Complexity Jol Alwen - - PowerPoint PPT Presentation
Depth-Robust Graphs and Their Cumulative Memory Complexity Jol Alwen IST Austria Jeremiah Blocki Purdue University Krzysztof Pietrzak IST Austria Moderately Hard Function Intuitive Properties: 1. Computable by honest party. 2.
Joël Alwen – IST Austria Jeremiah Blocki – Purdue University Krzysztof Pietrzak – IST Austria
Intuitive Properties: 1. Computable by honest party. 2. Brute-force evaluation is very expensive for adversary.
Intuitive Properties: 1. Computable by honest party. 2. Brute-force evaluation is very expensive for adversary. Applications: Limit the rate of invocations of a critical function.
Intuitive Properties: 1. Computable by honest party. 2. Brute-force evaluation is very expensive for adversary. Applications: Limit the rate of invocations of a critical function.
Intuitive Properties: 1. Computable by honest party. 2. Brute-force evaluation is very expensive for adversary. Applications: Limit the rate of invocations of a critical function.
In practice cost-effective brute-forcing often uses GPUs, FGPAs & ASICs.
1. Can be computed in sequential time n. 2. Requires as much parallel space-time as possible for any function satisfying 1.
In practice cost-effective brute-forcing often uses GPUs, FGPAs & ASICs.
computation.
1. Can be computed in sequential time n. 2. Requires as much parallel space-time as possible for any function satisfying 1.
In practice cost-effective brute-forcing often uses GPUs, FGPAs & ASICs.
computation.
1. Can be computed in sequential time n. 2. Requires as much parallel space-time as possible for any function satisfying 1.
VLSI: “Area x Time” (AT) complexity used to measure efficiency of a circuit
In practice cost-effective brute-forcing often uses GPUs, FGPAs & ASICs.
computation. [Per09] : “expensive” ≈ large “space × parallel-time” (ST) complexity
1. Can be computed in sequential time n. 2. Requires as much parallel space-time as possible for any function satisfying 1.
VLSI: “Area x Time” (AT) complexity used to measure efficiency of a circuit
ℕ In practice cost-effective brute-forcing often uses GPUs, FGPAs & ASICs.
computation. [Per09] : “expensive” ≈ large “space × parallel-time” (ST) complexity
1. Can be computed in sequential time n. 2. Requires as much parallel space-time as possible for any function satisfying 1. Requires as much parallel space-time as possible for any function satisfying 1.
algorithms input-dependent or not?
algorithms input-dependent or not?
iMHF advantage: Implementations easier to secure against certain cache-timing attacks.
Problem:
Problem:
space time S1 T1 ST1 = S1 × T1 cost of computing f once
Problem:
space time S1 T1 S3 T3 ST1 = S1 × T1 cost of computing f once
Problem:
space time S1 T1 S3 T3 ST1 = S1 × T1 cost of computing f once cost of computing f three times
≈ S3 × T3 = ST3
Problem: function fn (consisting of n RO calls) such that: 𝑇𝑈 𝑔 × 𝑜 =𝑃(𝑇𝑈 𝑔 ) 𝑜 𝑜 × 𝑜 𝑜 𝑜 × 𝑜 × 𝑜 𝑔 × 𝑜 [AS15] ∃ function fn (consisting of n RO calls) such that: 𝑇𝑈 𝑔× 𝑜 = 𝑃(𝑇𝑈 𝑔 )
space time S1 T1 S3 T3 ST1 = S1 × T1 cost of computing f once cost of computing f three times
≈ S3 × T3 = ST3
iterations space m t
iterations space m t
ST Cost
iterations space m t
ST Cost Cumulative Memory Cost
iterations space
⇒ can always place a pebble on source nodes
Parallel Pebbling Game: Same as Black Pebbling, except can touch many pebbles per iteration. Complexity: Cumulative Pebbling Complexity (CPC).
CPC-cost =
Parallel Pebbling Game: Same as Black Pebbling, except can touch many pebbles per iteration. Complexity: Cumulative Pebbling Complexity (CPC).
CPC-cost = 1+
Parallel Pebbling Game: Same as Black Pebbling, except can touch many pebbles per iteration. Complexity: Cumulative Pebbling Complexity (CPC).
CPC-cost = 2+ 1+
Parallel Pebbling Game: Same as Black Pebbling, except can touch many pebbles per iteration. Complexity: Cumulative Pebbling Complexity (CPC).
CPC-cost = 2+ 1 = 4 1+
Parallel Pebbling Game: Same as Black Pebbling, except can touch many pebbles per iteration. Complexity: Cumulative Pebbling Complexity (CPC).
CPC-cost = 2+ 1 = 4 CPC(Graph G) := min CPC(Pebbling of G) 1+
⟹ 𝐷𝑁𝐷 𝑔 ≥ 𝐷𝑄𝐷(𝐻)/4
⟹ 𝐷𝑁𝐷 𝑔 ≥ 𝐷𝑄𝐷(𝐻)/4
MHF Upper Bound Lower Bound
Argon2i-A Balloon Hashing
𝑃 𝑜1.75 [AB16] −
Argon2i-B
𝑃 𝑜1.8 [AB17] −
Catena
𝑃 𝑜1.67 [AB16] −
AS15
− Ω 𝑜2/log10 (𝑜) [AS15]
Any iMHF
𝑃
𝑜2loglog(𝑜) log(𝑜)
[AB16] −
SCRYPT (dMHF)
𝑃 𝑜2 −
MHF Upper Bound Lower Bound
Argon2i-A Balloon Hashing
𝑃 𝑜1.71 [This Work] 𝑃 𝑜1.75 [AB16] Ω 𝑜1.6
[This Work]
Argon2i-B
𝑃 𝑜1.8 [AB17] Ω 𝑜1.6
[This Work]
Catena
𝑃 𝑜1.618 [This Work] 𝑃 𝑜1.67 [AB16] Ω 𝑜1.5 [This Work]
AS15
− Ω 𝑜2/log10 (𝑜) [AS15]
This Work
− Ω 𝑜2/log (𝑜)
Any iMHF
𝑃
𝑜2loglog(𝑜) log(𝑜)
[AB16] −
SCRYPT (dMHF)
𝑃 𝑜2 Ω 𝑜2 [Next Talk]
A directed ac
A directed ac
A directed ac(n), Ω(n))-depth-robust with indegree O(log(n)).
History:
Lemma “Indegree Reduction”: If G has indegree 𝜀 and is (e,d)-depth- robust then there exists H with indegree 2 and: size(H) ≤ 2𝜀*size(G) H is (e,d𝜀)-depth-robust 𝐢𝐟𝐩𝐬𝐟𝐧: Let G=(V,E) be (e,d)-depth-robust then CPC 𝐻 > 𝑓𝑒. Corollary: There is a DAG G with maximum indegree 𝜀 = 2 and ER 𝐻 = Ω
𝑜2 log 𝑜 . Furthermore, there is a sequential pebbling
algorithm N with cost ER 𝑂 = 𝑃
𝑜2 log 𝑜 .
Let G=(V,E) be (e,d)-depth-robust then CPC 𝐻 𝐻𝐻 𝐻 >𝑓𝑓𝑒𝑒. Lemma “Indegree Reduction”: If G has indegree 𝜀 and is (e,d)-depth- robust then there exists H with indegree 2 and: size(H) ≤ 2𝜀*size(G) H is (e,d𝜀)-depth-robust 𝐔𝐢𝐟𝐩𝐬𝐟𝐧: Let G=(V,E) be (e,d)-depth-robust then CPC 𝐻 > 𝑓𝑒. Corollary: There is a DAG G with maximum indegree 𝜀 = 2 and ER 𝐻 = Ω
𝑜2 log 𝑜 . Furthermore, there is a sequential pebbling
algorithm N with cost ER 𝑂 = 𝑃
𝑜2 log 𝑜 .
2 and ER 𝐻 𝐻𝐻 𝐻 =Ω 𝑜 2 log 𝑜 𝑜 2 log 𝑜 𝑜 2 𝑜𝑜 𝑜 2 2 𝑜 2 𝑜 2 log 𝑜 log 𝑜 log log 𝑜 𝑜𝑜 log 𝑜 𝑜 2 log 𝑜 𝑜 2 log 𝑜 . Furthermore, there is a sequential pebbling algorithm N with cost ER 𝑂 𝑂𝑂 𝑂 =𝑃𝑃 𝑜 2 log 𝑜 𝑜 2 log 𝑜 𝑜 2 𝑜𝑜 𝑜 2 2 𝑜 2 𝑜 2 log 𝑜 log 𝑜 log log 𝑜 𝑜𝑜 log 𝑜 𝑜 2 log 𝑜 𝑜 2 log 𝑜 . Let G=(V,E) be (e,d)-depth-robust then CPC 𝐻 𝐻𝐻 𝐻 >𝑓𝑓𝑒𝑒. Lemma “Indegree Reduction”: If G has indegree 𝜀 and is (e,d)-depth- robust then there exists H with indegree 2 and: size(H) ≤ 2𝜀*size(G) H is (e,d𝜀)-depth-robust 𝐔𝐢𝐟𝐩𝐬𝐟𝐧: Let G=(V,E) be (e,d)-depth-robust then CPC 𝐻 > 𝑓𝑒. Corollary: There is a DAG G with maximum indegree 𝜀 = 2 and ER 𝐻 = Ω
𝑜2 log 𝑜 . Furthermore, there is a sequential pebbling
ER 𝑂 = 𝑃
𝑜2 log 𝑜
𝜀 = 2 ER 𝐻 = Ω
𝑜2 log 𝑜
ER 𝑂 = 𝑃
𝑜2 log 𝑜
1. Lower Bound CPC(G) in terms of Dispersal properties of G 2. Analyze Dispersal properties of Catena (Dragonfly and Butterfly versions)
“The proof of this result is really an incredibly simple and beautiful two-line argument….I generally view simplicity as a positive, and this is the right proof. But there is such as thing as too simple...”
Given: DAG G = (V,E) is (e,d)-Depth-Robust
Fix an optimal pebbling of G: 𝑄 = (𝑄
1, 𝑄2, 𝑄3, … )
Given: DAG G = (V,E) is (e,d)-Depth-Robust 𝑄𝑗 ⊆ 𝑊
Number of Pebbles on G
Time
Fix an optimal pebbling of G: 𝑄 = (𝑄
1, 𝑄2, 𝑄3, … )
Given: DAG G = (V,E) is (e,d)-Depth-Robust 𝑄𝑗 ⊆ 𝑊
Number of Pebbles on G
Time
Fix an optimal pebbling of G: 𝑄 = (𝑄
1, 𝑄2, 𝑄3, … )
Given: DAG G = (V,E) is (e,d)-Depth-Robust 𝑄𝑗 ⊆ 𝑊
Fact 1: Area under curve = CPC (G)
Number of Pebbles on G
Time
Fix an optimal pebbling of G: 𝑄 = (𝑄
1, 𝑄2, 𝑄3, … )
Given: DAG G = (V,E) is (e,d)-Depth-Robust 𝑄𝑗 ⊆ 𝑊
Fact 1: Area under curve = CPC (G) Fact 2: 𝑄 pebbles every node in G at least once.
d d d d d d
Number of Pebbles on G
Time
𝑇1: = 𝑄
1 ∪ 𝑄𝑒+1 ∪ 𝑄2𝑒+1 ∪ … ⊆ 𝑊
Number of Pebbles on G
Time
𝑇1: = 𝑄
1 ∪ 𝑄𝑒+1 ∪ 𝑄2𝑒+1 ∪ … ⊆ 𝑊
𝑇2: = 𝑄2 ∪ 𝑄𝑒+2 ∪ 𝑄2𝑒+2 ∪ … ⊆ 𝑊
Number of Pebbles on G
Time
𝑇1: = 𝑄
1 ∪ 𝑄𝑒+1 ∪ 𝑄2𝑒+1 ∪ … ⊆ 𝑊
𝑇2: = 𝑄2 ∪ 𝑄𝑒+2 ∪ 𝑄2𝑒+2 ∪ … ⊆ 𝑊 … 𝑇𝑒: = 𝑄𝑒 ∪ 𝑄2𝑒 ∪ 𝑄3𝑒 ∪ … ⊆ 𝑊 𝑇𝑗 ≤ 𝐷𝑄𝐷(𝐻)
𝑗=𝑒 𝑗=1
Number of Pebbles on G
Time
⇒ ∃𝑗 such that 𝑇𝑗 ≤ 𝐷𝑄𝐷(𝐻) 𝑒 𝑇1: = 𝑄
1 ∪ 𝑄𝑒+1 ∪ 𝑄2𝑒+1 ∪ … ⊆ 𝑊
𝑇2: = 𝑄2 ∪ 𝑄𝑒+2 ∪ 𝑄2𝑒+2 ∪ … ⊆ 𝑊 … 𝑇𝑒: = 𝑄𝑒 ∪ 𝑄2𝑒 ∪ 𝑄3𝑒 ∪ … ⊆ 𝑊
Let graph G’ = G with nodes in 𝑇𝑗 removed.
𝑗+𝑘𝑒 = ∅ ∀𝑘.
P’ legally pebbles every node in G’ at least once. Notice: Every d steps P’ has no pebbles on G’. ⇒ No path in G’ is longer than d-1. ⇒ 𝑓 < 𝑇𝑗 ≤
𝐷𝑄𝐷(𝐻) 𝑒
⇒ 𝑓𝑒 < 𝐷𝑄𝐷 𝐻 .
Let graph G’ = G with nodes in 𝑇𝑗 removed.
𝑗+𝑘𝑒 = ∅ ∀𝑘.
P’ legally pebbles every node in G’ at least once. Notice: Every d steps P’ has no pebbles on G’. ⇒ No path in G’ is longer than d-1. ⇒ 𝑓 < 𝑇𝑗 ≤
𝐷𝑄𝐷(𝐻) 𝑒
⇒ 𝑓𝑒 < 𝐷𝑄𝐷 𝐻 .
Fact 2: 𝑄 pebbles every node in G at least once.
P’ legally pebbles every node in G’ at least once. Let graph G’ = G with nodes in 𝑇𝑗 removed.
⇒ P’ legally pebbles every node in G’ at least once. Notice: Every d steps P’ has no pebbles on G’. ⇒ No path in G’ is longer than d-1. ⇒ 𝑓 < 𝑇𝑗 ≤
𝐷𝑄𝐷(𝐻) 𝑒
⇒ 𝑓𝑒 < 𝐷𝑄𝐷 𝐻 .
P’ legally pebbles every node in G’ at least once. Let graph G’ = G with nodes in 𝑇𝑗 removed.
⇒ P’ legally pebbles every node in G’ at least once. Notice: Every d steps P’ has no pebbles on G’. ⇒ No path in G’ is longer than d-1. ⇒ 𝑓 < 𝑇𝑗 ≤
𝐷𝑄𝐷(𝐻) 𝑒
⇒ 𝑓𝑒 < 𝐷𝑄𝐷 𝐻 .
Fact 3: Pebbling a path of length d takes at least d time.
P’ legally pebbles every node in G’ at least once. Let graph G’ = G with nodes in 𝑇𝑗 removed.
Notice: Every d steps P’ has no pebbles on G’. Notice: Every d steps P’ has no pebbles on G’. ⇒ No path in G’ is longer than d-1. ⇒ 𝑓 < 𝑇𝑗 ≤
𝐷𝑄𝐷(𝐻) 𝑒
⇒ 𝑓𝑒 < 𝐷𝑄𝐷 𝐻 .
Fact 3: Pebbling a path of length d takes at least d time.
No path in G’ is longer than d-1. P’ legally pebbles every node in G’ at least once. Let graph G’ = G with nodes in 𝑇𝑗 removed.
Notice: Every d steps P’ has no pebbles on G’. ⇒ No path in G’ is longer than d-1. ⇒ No path in G’ is longer than d-1. ⇒ 𝑓 < 𝑇𝑗 ≤
𝐷𝑄𝐷(𝐻) 𝑒
⇒ 𝑓𝑒 < 𝐷𝑄𝐷 𝐻 .
No path in G’ is longer than d-1. P’ legally pebbles every node in G’ at least once. Let graph G’ = G with nodes in 𝑇𝑗 removed.
Notice: Every d steps P’ has no pebbles on G’. ⇒ No path in G’ is longer than d-1. ⇒ No path in G’ is longer than d-1. ⇒ 𝑓 < 𝑇𝑗 ≤
𝐷𝑄𝐷(𝐻) 𝑒
⇒ 𝑓𝑒 < 𝐷𝑄𝐷 𝐻 .
But G is (e,d)-depth robust
𝑓𝑓< 𝑇 𝑗 𝑇 𝑗 𝑇𝑇 𝑇 𝑗 𝑗𝑗 𝑇 𝑗 𝑇 𝑗 ≤ 𝐷𝑄𝐷(𝐻) 𝑒 𝐷𝐷𝑄𝑄𝐷𝐷(𝐻𝐻) 𝐷𝑄𝐷(𝐻) 𝑒 𝑒 𝑒 𝐷𝑄𝐷(𝐻) 𝑒 No path in G’ is longer than d-1. P’ legally pebbles every node in G’ at least once. Let graph G’ = G with nodes in 𝑇𝑗 removed.
Notice: Every d steps P’ has no pebbles on G’. ⇒ 𝑓 < 𝑇𝑗 ≤
𝐷𝑄𝐷(𝐻) 𝑒
⇒ No path in G’ is longer than d-1. ⇒ 𝑓 < 𝑇𝑗 ≤
𝐷𝑄𝐷(𝐻) 𝑒
⇒ 𝑓𝑒 < 𝐷𝑄𝐷 𝐻 .
𝑓𝑓𝑒𝑒<𝐷𝐷𝑄𝑄𝐷𝐷 𝐻 𝐻𝐻 𝐻 . 𝑓𝑓< 𝑇 𝑗 𝑇 𝑗 𝑇𝑇 𝑇 𝑗 𝑗𝑗 𝑇 𝑗 𝑇 𝑗 ≤ 𝐷𝑄𝐷(𝐻) 𝑒 𝐷𝐷𝑄𝑄𝐷𝐷(𝐻𝐻) 𝐷𝑄𝐷(𝐻) 𝑒 𝑒 𝑒 𝐷𝑄𝐷(𝐻) 𝑒 No path in G’ is longer than d-1. P’ legally pebbles every node in G’ at least once. Let graph G’ = G with nodes in 𝑇𝑗 removed.
Notice: Every d steps P’ has no pebbles on G’. ⇒ 𝑓𝑒 < 𝐷𝑄𝐷 𝐻 . ⇒ No path in G’ is longer than d-1. ⇒ 𝑓 < 𝑇𝑗 ≤
𝐷𝑄𝐷(𝐻) 𝑒
⇒ 𝑓𝑒 < 𝐷𝑄𝐷 𝐻 .