Sustained Space Complexity

  • Joël Alwen
  • Jeremiah Blocki
  • Krzysztof Pietrzak
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10821)


Memory-hard functions (MHFs) are functions whose evaluation cost is dominated by memory cost. MHFs are egalitarian, in the sense that evaluating them on dedicated hardware (like FPGAs or ASICs) is not much cheaper than on off-the-shelf hardware (like x86 CPUs). MHFs have interesting cryptographic applications, most notably to password hashing and securing blockchains.

Alwen and Serbinenko [STOC’15] define the cumulative memory complexity (cmc) of a function as the sum (over all time-steps) of the amount of memory required to compute the function. They advocate that a good MHF must have high cmc. Unlike previous notions, cmc takes into account that dedicated hardware might exploit amortization and parallelism. Still, cmc has been criticized as insufficient, as it fails to capture possible time-memory trade-offs; as memory cost doesn’t scale linearly, functions with the same cmc could still have very different actual hardware cost.

In this work we address this problem, and introduce the notion of sustained-memory complexity, which requires that any algorithm evaluating the function must use a large amount of memory for many steps. We construct functions (in the parallel random oracle model) whose sustained-memory complexity is almost optimal: our function can be evaluated using n steps and \(O(n/\log (n))\) memory, in each step making one query to the (fixed-input length) random oracle, while any algorithm that can make arbitrarily many parallel queries to the random oracle still needs \(\varOmega (n/\log (n))\) memory for \(\varOmega (n)\) steps.

As has been done for various notions (including cmc) before, we reduce the task of constructing an MHF with high sustained-memory complexity to proving pebbling lower bounds on DAGs. Our main technical contribution is the construction of a family of DAGs on n nodes with constant indegree with high “sustained-space complexity”, meaning that any parallel black-pebbling strategy requires \(\varOmega (n/\log (n))\) pebbles for at least \(\varOmega (n)\) steps.
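The two cost measures contrasted above, as an added example (not code from the paper): it checks a parallel black pebbling for legality and reports its cumulative cost and the number of steps that use at least s pebbles. The two toy DAGs, the function names and the threshold s = 4 are assumptions made for illustration, and the costs are those of the specific pebblings shown, not proven minima.

```python
# Toy illustration of the two pebbling cost measures (constructed example).
# A pebbling is a list of sets P_1..P_t (P_0 is empty); several pebbles may be
# placed per step, which models parallel queries.

def is_legal(parents, steps):
    """A new pebble on v at step i needs all parents of v pebbled at step i-1.
    Assumption: the pebbling is complete once every sink was pebbled at some step."""
    prev = set()
    for cur in steps:
        if any(not set(parents[v]) <= prev for v in cur - prev):
            return False
        prev = cur
    sinks = set(parents) - {p for ps in parents.values() for p in ps}
    return sinks <= set().union(*steps)

def cumulative_cost(steps):
    """Sum over all steps of the number of pebbles on the graph."""
    return sum(len(p) for p in steps)

def sustained_steps(steps, s):
    """Number of steps during which at least s pebbles are on the graph."""
    return sum(1 for p in steps if len(p) >= s)

# Constructed DAG 1: a path on 15 nodes, pebbled with one pebble at a time.
PATH = {i: ([i - 1] if i else []) for i in range(15)}
PATH_STEPS = [{i} for i in range(15)]

# Constructed DAG 2: 4 sources feeding a chain of 3 nodes; each chain node
# depends on all sources and on the previous chain node.
SRC = {("s", j) for j in range(4)}
WIDE = {v: [] for v in SRC}
for i in range(3):
    WIDE[("c", i)] = sorted(SRC) + ([("c", i - 1)] if i else [])
WIDE_STEPS = [SRC, SRC | {("c", 0)}, SRC | {("c", 1)}, {("c", 2)}]

def report(name, dag, steps, s=4):
    return (name, is_legal(dag, steps), cumulative_cost(steps), sustained_steps(steps, s))

if __name__ == "__main__":
    print(report("path", PATH, PATH_STEPS))
    print(report("wide", WIDE, WIDE_STEPS))
```

Both pebblings have the same cumulative cost, yet only the second keeps at least 4 pebbles on the graph for several steps, which is the distinction the sustained measure is meant to capture.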

Along the way we construct a family of maximally “depth-robust” DAGs with maximum indegree \(O(\log n)\), improving upon the construction of Mahmoody et al. [ITCS’13] which had maximum indegree \(O\left( \log ^2 n \cdot {{\mathsf {polylog}}} (\log n)\right) \).



This work was supported by the European Research Council under ERC consolidator grant (682815 - TOCNeT) and by the National Science Foundation under NSF Award #1704587. The opinions expressed in this paper are those of the authors and do not necessarily reflect those of the European Research Council or the National Science Foundation.


  1. [AB16]
    Alwen, J., Blocki, J.: Efficiently computing data-independent memory-hard functions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 241–271. Springer, Heidelberg (2016).
  2. [AB17]
    Alwen, J., Blocki, J.: Towards practical attacks on Argon2i and balloon hashing. In: Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P 2017), pp. 142–157. IEEE (2017).
  3. [ABH17]
    Alwen, J., Blocki, J., Harsha, B.: Practical graphs for optimal side-channel resistant memory-hard functions. In: ACM CCS 2017, pp. 1001–1017. ACM Press (2017).
  4. [ABP17]
    Alwen, J., Blocki, J., Pietrzak, K.: Depth-robust graphs and their cumulative memory complexity. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 3–32. Springer, Cham (2017).
  5. [ABP18]
    Alwen, J., Blocki, J., Pietrzak, K.: Sustained space complexity. Cryptology ePrint Archive, Report 2018/147 (2018).
  6. [ABW03]
    Abadi, M., Burrows, M., Wobber, T.: Moderately hard, memory-bound functions. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2003, San Diego, California, USA (2003).
  7. [ACP+17]
    Alwen, J., Chen, B., Pietrzak, K., Reyzin, L., Tessaro, S.: Scrypt is maximally memory-hard. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 33–62. Springer, Cham (2017).
  8. [AdRNV17]
    Alwen, J., de Rezende, S.F., Nordström, J., Vinyals, M.: Cumulative space in black-white pebbling and resolution. In: 8th Innovations in Theoretical Computer Science (ITCS) Conference, Berkeley, 9–11 January 2017.
  9. [AS15]
    Alwen, J., Serbinenko, V.: High parallel complexity graphs and memory-hard functions. In: Proceedings of the Eleventh Annual ACM Symposium on Theory of Computing, STOC 2015 (2015).
  10. [AT17]
    Alwen, J., Tackmann, B.: Moderately hard functions: definition, instantiations, and applications. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 493–526. Springer, Cham (2017).
  11. [BDK16]
    Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: new generation of memory-hard functions for password hashing and other applications. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 292–302. IEEE (2016).
  12. [BHZ18]
    Blocki, J., Harsha, B., Zhou, S.: On the economics of offline password cracking. IEEE Secur. Priv. (2018, to appear).
  13. [Can01]
    Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, Las Vegas, Nevada, pp. 136–145. IEEE, October 2001.
  14. [Coo73]
    Cook, S.A.: An observation on time-storage trade off. In: Proceedings of the Fifth Annual ACM Symposium on Theory of Computing, STOC 1973, pp. 29–33. ACM, New York (1973).
  15. [Cox16]
    Cox, B.: Re: [Cfrg] Balloon-Hashing or Argon2i. CFRG Mailinglist, August 2016.
  16. [CP18]
    Cohen, B., Pietrzak, K.: Simple proofs of sequential work. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 451–467. Springer, Cham (2018).
  17. [CS76]
    Cook, S., Sethi, R.: Storage requirements for deterministic polynomial time recognizable languages. J. Comput. Syst. Sci. 13(1), 25–37 (1976).
  18. [DGN03]
    Dwork, C., Goldberg, A., Naor, M.: On memory-bound functions for fighting spam. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 426–444. Springer, Heidelberg (2003).
  19. [EGS75]
    Erdös, P., Graham, R.L., Szemerédi, E.: On sparse graphs with dense long paths. Technical report, Stanford, CA, USA (1975).
  20. [GG81]
    Gabber, O., Galil, Z.: Explicit constructions of linear-sized superconcentrators. J. Comput. Syst. Sci. 22(3), 407–420 (1981).
  21. [HP70]
    Hewitt, C.E., Paterson, M.S.: Record of the project MAC conference on concurrent systems and parallel computation. In: Comparative Schematology, pp. 119–127. ACM, New York (1970).
  22. [HPV77]
    Hopcroft, J., Paul, W., Valiant, L.: On time versus space. J. ACM 24(2), 332–337 (1977).
  23. [Kal00]
    Kaliski, B.: PKCS# 5: password-based cryptography specification version 2.0 (2000).
  24. [MMV13]
    Mahmoody, M., Moran, T., Vadhan, S.P.: Publicly verifiable proofs of sequential work. In: Kleinberg, R.D. (ed.) Innovations in Theoretical Computer Science, ITCS 2013, Berkeley, CA, USA, 9–12 January 2013, pp. 373–388. ACM (2013).
  25. [MRH04]
    Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004).
  26. [Per09]
    Percival, C.: Stronger key derivation via sequential memory-hard functions. In: BSDCan 2009 (2009).
  27. [PHC]
    Password hashing competition.
  28. [PJ12]
    Percival, C., Josefsson, S.: The scrypt password-based key derivation function (2012).
  29. [PTC76]
    Paul, W.J., Tarjan, R.E., Celoni, J.R.: Space bounds for a game on graphs. In: Proceedings of the Eighth Annual ACM Symposium on Theory of Computing, STOC 1976, pp. 149–160. ACM, New York (1976).
  30. [RD16]
    Ren, L., Devadas, S.: Proof of space from stacked expanders. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 262–285. Springer, Heidelberg (2016).
  31. [RD17]
    Ren, L., Devadas, S.: Bandwidth hard functions for ASIC resistance. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 466–492. Springer, Cham (2017).

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Joël Alwen (1, 3)
  • Jeremiah Blocki (2)
  • Krzysztof Pietrzak (1)

  1. IST Austria, Klosterneuburg, Austria
  2. Purdue University, West Lafayette, USA
  3. Wickr Inc., San Francisco, USA
