Static-Memory-Hard Functions, and Modeling the Cost of Space vs. Time

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11239)


A series of recent research starting with (Alwen and Serbinenko, STOC 2015) has deepened our understanding of the notion of memory-hardness in cryptography—a useful property of hash functions for deterring large-scale password-cracking attacks—and has shown memory-hardness to have intricate connections with the theory of graph pebbling. Definitions of memory-hardness are not yet unified in the somewhat nascent field of memory-hardness, however, and the guarantees proven to date are with respect to a range of proposed definitions. In this paper, we observe two significant and practical considerations that are not analyzed by existing models of memory-hardness, and propose new models to capture them, accompanied by constructions based on new hard-to-pebble graphs. Our contribution is two-fold, as follows. First, existing measures of memory-hardness only account for dynamic memory usage (i.e., memory read/written at runtime), and do not consider static memory usage (e.g., memory on disk). Among other things, this means that memory requirements considered by prior models are inherently upper-bounded by a hash function’s runtime; in contrast, counting static memory would potentially allow quantification of much larger memory requirements, decoupled from runtime. We propose a new definition of static-memory-hard function (SHF) which takes static memory into account: we model static memory usage by oracle access to a large preprocessed string, which may be considered part of the hash function description. Static memory requirements are complementary to dynamic memory requirements: neither can replace the other, and to deter large-scale password-cracking attacks, a hash function will benefit from being both dynamic-memory-hard and static-memory-hard. We give two SHF constructions based on pebbling. To prove static-memory-hardness, we define a new pebble game (“black-magic pebble game”), and new graph constructions with optimal complexity under our proposed measure. Moreover, we provide a prototype implementation of our first SHF construction (which is based on pebbling of a simple “cylinder” graph), providing an initial demonstration of practical feasibility for a limited range of parameter settings. Secondly, existing memory-hardness models implicitly assume that the cost of space and time are more or less on par: they consider only linear ratios between the costs of time and space. We propose a new model to capture nonlinear time-space trade-offs: e.g., how is the adversary impacted when space is quadratically more expensive than time? We prove that nonlinear tradeoffs can in fact cause adversaries to employ different strategies from linear tradeoffs.

Please refer to the full version of our paper for all results, proofs, appendices, and implementation details [DLP18].



We are grateful to Jeremiah Blocki, Krzysztof Pietrzak, and Joël Alwen for valuable feedback on earlier versions of this paper. We thank Ling Ren for helpful technical discussions. We also thank Erik D. Demaine and Shafi Goldwasser for their advice on this paper. Finally, we thank our anonymous reviewers for insightful comments.

Sunoo’s research is supported by NSF MACS (CNS-1413920), DARPA IBM (W911NF-15-C-0236), SIMONS Investigator Award Agreement Dated June 5th, 2012, and the Center for Science of Information (CSoI), an NSF Science and Technology Center, under grant agreement CCF-0939370.


  1. [AAC+17]
    Abusalah, H., Alwen, J., Cohen, B., Khilko, D., Pietrzak, K., Reyzin, L.: Beyond Hellman’s time-memory trade-offs with applications to proofs of space. 10625, 357–379 (2017)Google Scholar
  2. [AB16]
    Alwen, J., Blocki, J.: Efficiently computing data-independent memory-hard functions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 241–271. Springer, Heidelberg (2016). Scholar
  3. [ABH17]
    Alwen, J., Blocki, J., Harsha, B.: Practical graphs for optimal side-channel resistant memory-hard functions. In: CCS, pp. 1001–1017. ACM (2017)Google Scholar
  4. [ABP17a]
    Alwen, J., Blocki, J., Pietrzak, K.: Depth-robust graphs and their cumulative memory complexity. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 3–32. Springer, Cham (2017). Scholar
  5. [ABP17b]
    Alwen, J., Blocki, J., Pietrzak, K.: Sustained space complexity. CoRR, abs/1705.05313 (2017)Google Scholar
  6. [ACK+16]
    Alwen, J., Chen, B., Kamath, C., Kolmogorov, V., Pietrzak, K., Tessaro, S.: On the complexity of scrypt and proofs of space in the parallel random oracle model. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 358–387. Springer, Heidelberg (2016). Scholar
  7. [ACP+16]
    Alwen, J., Chen, B., Pietrzak, K., Reyzin, L., Tessaro, S.: Scrypt is maximally memory-hard. IACR Cryptology ePrint Archive 2016:989 (2016)Google Scholar
  8. [ADN+10]
    Alwen, J., Dodis, Y., Naor, M., Segev, G., Walfish, S., Wichs, D.: Public-key encryption in the bounded-retrieval model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 113–134. Springer, Heidelberg (2010). Scholar
  9. [AdRNV17]
    Alwen, J., de Rezende, S.F., Nordström, J., Vinyals, M.: Cumulative space in black-white pebbling and resolution. In: ITCS, LIPIcs, vol. 67, pp. 38:1–38:21. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2017)Google Scholar
  10. [ADW09]
    Alwen, J., Dodis, Y., Wichs, D.: Survey: leakage resilience and the bounded retrieval model. In: Kurosawa, K. (ed.) ICITS 2009. LNCS, vol. 5973, pp. 1–18. Springer, Heidelberg (2010). Scholar
  11. [AS15]
    Alwen, J., Serbinenko, V.: High parallel complexity graphs and memory-hard functions. In: Servedio, R.A., Rubinfeld, R. (eds.) Proceedings of the Forty-Seventh Annual ACM on Symposium on Theory of Computing, STOC 2015, Portland, OR, USA, 14–17 June 2015, pp. 595–603. ACM (2015)Google Scholar
  12. [AT17]
    Alwen, J., Tackmann, B.: Moderately hard functions: definition, instantiations, and applications. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 493–526. Springer, Cham (2017). Scholar
  13. [BDPA08]
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). Scholar
  14. [Ben89]
    Bennett, C.H.: Time/space trade-offs for reversible computation. SIAM J. Comput. 18(4), 766–776 (1989)MathSciNetCrossRefGoogle Scholar
  15. [BK15]
    Biryukov, A., Khovratovich, D.: Tradeoff cryptanalysis of memory-hard functions. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 633–657. Springer, Heidelberg (2015). Scholar
  16. [BKR16]
    Bellare, M., Kane, D., Rogaway, P.: Big-key symmetric encryption: resisting key exfiltration. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 373–402. Springer, Heidelberg (2016). Scholar
  17. [BR93]
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) CCS 1993, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, 3–5 November 1993, pp. 62–73. ACM (1993)Google Scholar
  18. [BZ16]
    Blocki, J., Zhou, S.: On the computational complexity of minimal cumulative cost graph pebbling. CoRR, abs/1609.04449 (2016)Google Scholar
  19. [BZ17]
    Blocki, J., Zhou, S.: On the depth-robustness and cumulative pebbling cost of Argon2i. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 445–465. Springer, Cham (2017). Scholar
  20. [CDD+07]
    Cash, D., Ding, Y.Z., Dodis, Y., Lee, W., Lipton, R., Walfish, S.: Intrusion-resilient key exchange in the bounded retrieval model. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 479–498. Springer, Heidelberg (2007). Scholar
  21. [Cha73]
    Chandra, A.K.: Efficient compilation of linear recursive programs. In: SWAT (FOCS), pp. 16–25. IEEE Computer Society (1973)Google Scholar
  22. [CLW06]
    Di Crescenzo, G., Lipton, R.J., Walfish, S.: Perfectly secure password protocols in the bounded retrieval model. In: Halevi and Rabin [HR06], pp. 225–244Google Scholar
  23. [Coo73]
    Cook, S.A.: An observation on time-storage trade off. In: Proceedings of the Fifth Annual ACM Symposium on Theory of Computing, STOC 1973, pp. 29–33. ACM, New York (1973)Google Scholar
  24. [CS74]
    Cook, S., Sethi, R.: Storage requirements for deterministic/polynomial time recognizable languages. In: Proceedings of the Sixth Annual ACM Symposium on Theory of Computing, STOC 1974, pp. 33–39. ACM, New York (1974)Google Scholar
  25. [DFKP15]
    Dziembowski, S., Faust, S., Kolmogorov, V., Pietrzak, K.: Proofs of space. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 585–605. Springer, Heidelberg (2015). Scholar
  26. [DKW10]
    Dziembowski, S., Kazana, T., Wichs, D.: One-time computable and uncomputable functions. IACR Cryptology ePrint Archive 2010:541 (2010)Google Scholar
  27. [DKW11]
    Dziembowski, S., Kazana, T., Wichs, D.: One-time computable self-erasing functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 125–143. Springer, Heidelberg (2011). Scholar
  28. [DL17]
    Demaine, E.D., Liu, Q.C.: Inapproximability of the standard pebble game and hard to pebble graphs. Algorithms and Data Structures. LNCS, vol. 10389, pp. 313–324. Springer, Cham (2017). Scholar
  29. [DLP18]
    Dryja, T., Liu, Q.C., Park, S.: Static-memory-hard functions and nonlinear space-time tradeoffs via pebbling. IACR Cryptology ePrint Archive 2018:205 (2018)Google Scholar
  30. [Dzi06]
    Dziembowski, S.: Intrusion-resilience via the bounded-storage model. In: Halevi and Rabin [HR06], pp. 207–224CrossRefGoogle Scholar
  31. [ER61]
    Erdős, P., Rényi, A.: On a classical problem of probability theory. Magyar Tudományos Akadémia Matematikai Kutató Intézetének Közleményei 6, 215–220 (1961)MathSciNetzbMATHGoogle Scholar
  32. [FLW13]
    Forler, C., Lucks, S., Wenzel, J.: Catena: a memory-consuming password scrambler. IACR Cryptology ePrint Archive 2013:525 (2013)Google Scholar
  33. [GLT80]
    Gilbert, J.R., Lengauer, T., Tarjan, R.E.: The pebbling problem is complete in polynomial space. 9, 513–524 (1980)Google Scholar
  34. [HPV77]
    Hopcroft, J., Paul, W., Valiant, L.: On time versus space. J. ACM 24(2), 332–337 (1977)MathSciNetCrossRefGoogle Scholar
  35. [HR06]
    Halevi, S., Rabin, T. (eds.): TCC 2006. LNCS, vol. 3876. Springer, Heidelberg (2006)zbMATHGoogle Scholar
  36. [JWK81]
    Jia-Wei, H., Kung, H.T.: I/o complexity: the red-blue pebble game. In: Proceedings of the 13th Annual ACM Symposium on Theory of Computing, STOC 1981, pp. 326–333 (1981)Google Scholar
  37. [LT82]
    Lengauer, T., Tarjan, R.E.: Asymptotically tight bounds on time-space trade-offs in a pebble game. J. ACM 29(4), 1087–1130 (1982)MathSciNetCrossRefGoogle Scholar
  38. [Mer79]
    Merkle, R.C.: Secrecy, authentication, and public key systems. Ph.D. thesis, Stanford, CA, USA (1979). AAI8001972Google Scholar
  39. [Nor12]
    Nordström, J.: On the relative strength of pebbling and resolution. ACM Trans. Comput. Log. 13(2), 16:1–16:43 (2012)MathSciNetCrossRefGoogle Scholar
  40. [Nor15]
    Nordstrom, J.: New wine into old wineskins: a survey of some pebbling classics with supplemental results (2015)Google Scholar
  41. [Per09]
    Percival, C.: Stronger key derivation via sequential memory-hard functions. Presented at BSDCan 2009 (2009).
  42. [PH70]
    Paterson, M.S., Hewitt, C.E.: Comparative Schematology. In: Record of the Project MAC Conference on Concurrent Systems and Parallel Computation, pp. 119–127. ACM, New York (1970)Google Scholar
  43. [Pip82]
    Pippenger, N.: Advances in pebbling. In: Nielsen, M., Schmidt, E.M. (eds.) ICALP 1982. LNCS, vol. 140, pp. 407–417. Springer, Heidelberg (1982). Scholar
  44. [Pot17]
    Potechin, A.: Bounds on monotone switching networks for directed connectivity. J. ACM 64(4), 29:1–29:48 (2017)MathSciNetCrossRefGoogle Scholar
  45. [RD17]
    Ren, L., Devadas, S.: Bandwidth hard functions for ASIC resistance. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 466–492. Springer, Cham (2017). Scholar
  46. [Set75]
    Sethi, R.: Complete register allocation problems. SIAM J. Comput. 4(3), 226–248 (1975)MathSciNetCrossRefGoogle Scholar
  47. [SS79a]
    Savage, J.E., Swamy, S.: Space-time tradeoffs for oblivious integer multiplication. In: Maurer, H.A. (ed.) ICALP 1979. LNCS, vol. 71, pp. 498–504. Springer, Heidelberg (1979). Scholar
  48. [SS79b]
    Swamy, S., Savage, J.E.: Space-time tradeoffs for linear recursion. In: Proceedings of the 6th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, POPL 1979, pp. 135–142. ACM, New York (1979)Google Scholar
  49. [Tom81]
    Tompa, M.: Corrigendum: time-space tradeoffs for computing functions, using connectivity properties of their circuits. J. Comput. Syst. Sci. 23(1), 106 (1981)CrossRefGoogle Scholar
  50. [Val77]
    Valiant, L.G.: Graph-theoretic arguments in low-level complexity. In: Proceedings of 6th Symposium on Mathematical Foundations of Computer Science 1977, Tatranska Lomnica, Czechoslovakia, 5–9 September 1977, pp. 162–176 (1977)Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.MIT Media LabCambridgeUSA
  2. 2.MIT CSAILCambridgeUSA

Personalised recommendations