Disproving the Conjectures from “On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model”

Abstract

In the paper “On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model” (Eurocrypt 2016) Joël Alwen et al. focused on proving a lower bound of the complexity of a general problem that underlies both proofs of space protocols [Dziembowski et al. CRYPTO 2015] as well as data-dependent memory-hard functions like \(\mathsf {scrypt}\) — a key-derivation function that is used e.g. as proofs of work in cryptocurrencies like Litecoin.

In that paper the authors introduced a sequence \(\gamma _n\) and conjectured that this sequence is upper bounded by a constant. Alwen et al. proved (among other results) that the Cumulative Memory Complexity of the hash function \(\mathsf {scrypt}\) is lower bounded by \(\varOmega (n^2/(\gamma _n \cdot \log ^2(n)))\). If the sequence \(\gamma _n\) is indeed bounded by a constant then this lower bound can be simplified to \(\varOmega (n^2/\log ^2(n))\).

In this paper we first show that \(\gamma _n > c \sqrt{\log (n)}\) and then we strengthen our result and prove that \(\gamma _{n} \ge \frac{\sqrt{n}}{poly(\log (n))}\).

Alwen et al. introduced also a weaker conjecture, that is also sufficient for their results — they introduced another sequence \(\varGamma _n\) and conjectured that it is upper bounded by a constant. We show that this conjecture is also false, namely: \(\varGamma _n \ge c\sqrt{\log (n)}\).

This work was supported by the Polish National Science Centre grant 2014/13/B/ST6/03540.