Bandwidth-Hard Functions: Reductions and Lower Bounds
نویسندگان
چکیده
Memory Hard Functions (MHFs) have been proposed as an answer to the growing inequality between the computational speed of general purpose CPUs and Application Specific Integrated Circuits (ASICs). MHFs have seen widespread applications including password hashing, key stretching and proofs of work. Several metrics have been proposed to quantify the ‘memory hardness’ of a function. Cumulative memory complexity (CMC) [AS15] (or amortized Area × Time complexity [ABH17]) attempts to quantify the amortized cost to acquire/build the hardware to evaluate the function — amortized by the number of instances of the function that can be evaluated of this hardware. By contrast, bandwidth hardness [RD17] attempts to quantify the amortized energy costs of evaluating this function on hardware — which in turn is largely dominated by the number of cache misses. Ideally, a good MHF would be both bandwidth hard and have high cumulative memory complexity. While the cumulative memory complexity of leading MHF candidates is well understood, little is known about the bandwidth hardness of many of the most prominent MHF candidates. Our contributions are as follows: First, we provide the first reduction proving that, in the parallel random oracle model, the bandwidth hardness of a Data-Independent Memory Hard Function (iMHF) is described by the red-blue pebbling cost of the directed acyclic graph (DAG) associated with that iMHF. Second, we show that the goals of designing an MHF with high CMC/bandwidth hardness are well aligned. In particular, we prove that any function with high CMC also has relatively high bandwidth costs. This result leads to the first unconditional lower bound on the bandwidth cost of scrypt. Third, we analyze the bandwidth hardness of several prominent iMHF candidates such as Argon2i [BDK15], winner of the password hashing competition, aATSample and DRSample [ABH17] — the first practical iMHF with asymptotically optimal CMC. More specifically, we show that Argon2i is maximally bandwidth hard as long as the cache-size m is at most m ∈ O ( n2/3− ) where n is the total number of data-labels produced during computation. We also show that aATSample and DRSample are maximally bandwidth hard as long as the cache-size is m ∈ O ( n1− ) . Finally, we show that the problem of finding a red-blue pebbling with minimum bandwidth cost is NP-hard.
منابع مشابه
W-Hardness Under Linear FPT-Reductions: Structural Properties and Further Applications
The notion of linear fpt-reductions has been recently used to derive strong computational lower bounds for well-known NP-hard problems. In this paper, we formally investigate the notions of W [t]-hardness and W [t]-completeness under the linear fpt-reduction, and study structural properties of the corresponding complexity classes. Additional complexity lower bounds on important computational pr...
متن کاملLower bounds on the signed (total) $k$-domination number
Let $G$ be a graph with vertex set $V(G)$. For any integer $kge 1$, a signed (total) $k$-dominating functionis a function $f: V(G) rightarrow { -1, 1}$ satisfying $sum_{xin N[v]}f(x)ge k$ ($sum_{xin N(v)}f(x)ge k$)for every $vin V(G)$, where $N(v)$ is the neighborhood of $v$ and $N[v]=N(v)cup{v}$. The minimum of the values$sum_{vin V(G)}f(v)$, taken over all signed (total) $k$-dominating functi...
متن کاملComplexity of Boolean Functions
s of Presentation: Paul Beame: Time-Space Tradeoffs and Multiparty Communication Complexity 9 Beate Bollig: Exponential Lower Bounds for Integer Multiplication Using Universal Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Philipp Wölfel: On k-wise l-mixed Boolean Functions . . . . . . . . . . . . . . 10 Elizabeta Okol’nishnikova: On One Lower Bound for Branching Progra...
متن کاملA little advice can be very helpful
Proving superpolylogarithmic lower bounds for dynamic data structures has remained an open problem despite years of research. Recently, Pǎtraşcu proposed an exciting new approach for breaking this barrier via a two player communication model in which one player gets private advice at the beginning of the protocol. He gave reductions from the problem of solving an asymmetric version of set-disjo...
متن کاملInequalities of Ando's Type for $n$-convex Functions
By utilizing different scalar equalities obtained via Hermite's interpolating polynomial, we will obtain lower and upper bounds for the difference in Ando's inequality and in the Edmundson-Lah-Ribariv c inequality for solidarities that hold for a class of $n$-convex functions. As an application, main results are applied to some operator means and relative operator entropy.
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2018 شماره
صفحات -
تاریخ انتشار 2018