
RiffleScrambler: a memory-hard password storing function

Karol Gotfryd (1), Paweł Lorek (2), Filip Zagórski (1,3)

(1) Wrocław University of Science and Technology
(2) Wrocław University, Faculty of Mathematics and Computer Science
(3) Oktawave

ESORICS 2018, Barcelona, 3-7 IX 2018

How to securely store a password?

• (user, password)
  • Problem: admin learns users' passwords
• (user, f_k(password)) for a secret key k, where f_k(·) is a block cipher, e.g., the DES-based construction in crypt
  • Problem: the function is invertible and an admin may learn users' passwords
• (user, f(password)) for a one-way function f
  • Problem: admin sees if two users use the same password
• (user, f(password, salt), salt) for a one-way function f and a randomly selected salt

esorics:$6$7ZjSGA7u8hatiSnI$M4ITBK94tHHiKsIgCU4kBULaGF8zzpU7PmfZab6aoesjNKaWt7oO6RtUYwbkD8FE7mDwiWvJzEmDbRy7L0HLJ/:17777:0:99999:7:::

  • Problem: adversaries who use specialized hardware
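As an added example (not part of the slides), the record above can be taken apart field by field, and the "salt" step can be modelled with a standard-library KDF. PBKDF2-HMAC-SHA256 stands in for sha512crypt ($6$) here; the block is not an implementation of sha512crypt, and the iteration count, the 16-byte salt and the fixed "unsalted" salt are assumptions of the example.

```python
"""Added example, not part of the ESORICS slides: parse the sample
/etc/shadow record shown above and model the "salt" step with a
standard-library KDF.  PBKDF2-HMAC-SHA256 stands in for sha512crypt ($6$);
this is not an implementation of sha512crypt itself."""
import hashlib
import hmac
import os
from datetime import date, timedelta

# The shadow record from the slide, joined back onto one line.
SHADOW_LINE = (
    "esorics:$6$7ZjSGA7u8hatiSnI$M4ITBK94tHHiKsIgCU4kBULaGF8z"
    "zpU7PmfZab6aoesjNKaWt7oO6RtUYwbkD8FE7mDwiWvJzEmDbRy7L0HLJ/"
    ":17777:0:99999:7:::"
)

# Scheme identifiers of the $id$salt$hash form documented in crypt(5).
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "y": "yescrypt"}

EPOCH = date(1970, 1, 1)


def parse_shadow_entry(line):
    """Split one shadow(5) record into its nine colon-separated fields and
    take the $id$salt$hash password field apart.  Day counts are days since
    the Unix epoch, so 17777 is the date the password was last changed.
    (The optional "rounds=..." prefix of sha*crypt is not handled.)"""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    name, pw, lastchg, min_d, max_d, warn_d, _inactive, _expire, _flag = fields
    # pw looks like "$6$<salt>$<digest>"; the split yields a leading empty string.
    _, scheme_id, salt, digest = pw.split("$", 3)
    return {
        "name": name,
        "scheme": CRYPT_IDS.get(scheme_id, "unknown"),
        "salt": salt,
        "digest": digest,
        "last_change": EPOCH + timedelta(days=int(lastchg)),
        "min_days": int(min_d),
        "max_days": int(max_d),
        "warn_days": int(warn_d),
    }


ITERATIONS = 100_000  # assumed work factor; a deployment tunes this to its hardware


def hash_password(password, salt=None):
    """(user, f(password, salt), salt) with f = PBKDF2-HMAC-SHA256 and a
    fresh random salt from os.urandom, as the last bullet above requires."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(password, record):
    """Recompute f(password, salt) and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


FIXED_SALT = b"\x00" * 16  # models the unsalted scheme (user, f(password))


def same_password_visible(password, salted):
    """The 'admin sees if two users use the same password' problem: with a
    fixed (or no) salt two users sharing a password get identical digests;
    with per-user random salts the digests differ and reveal nothing."""
    if salted:
        a, b = hash_password(password), hash_password(password)
    else:
        a, b = hash_password(password, FIXED_SALT), hash_password(password, FIXED_SALT)
    return a["digest"] == b["digest"]
```

Day 17777 after the epoch is 2018-09-03, the first day of the conference, so the sample line was evidently generated for the talk.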


CPU vs GPU vs ASIC

Number of hashes (SHA-1/SHA-2) computed per second:

• a good CPU: 1 GH/s (e.g., a server processor)
• a good GPU: 30 GH/s (Radeon RX Vega 56, NVIDIA 1080 Ti)
• a good ASIC: 14 000 GH/s (Antminer S9)

In fact it is even worse, because one should take into account the energy consumption per hash, and then an ASIC may be 1 000 000 times more efficient. Efficiency ≈ chip area.


Relation to blockchain

• To mine Bitcoin use an ASIC (mining ≈ computing SHA-256)
• To mine Ethereum use a GPU (mining ≈ evaluating a memory-hard function, Ethash)

The main difference between Bitcoin and Ethereum (in the context of this talk) is: mining Ethereum involves evaluation of a memory-hard function while Bitcoin does not.


Goal

We want to have a function for password storing that:

• is memory-hard, thus limiting the advantage of specialized password-breaking hardware
• is side-channel resistant: the memory-access pattern should not leak information about the processed password
  • (in the context of blockchain this does not matter)
• is efficient


Memory hardness

Informally, a memory-hard function with hardness parameter N requires space S and time T to compute, where

$S \cdot T \in \Omega(N^2)$

If an adversary tries to save space he pays a price in computation time.


Sequential complexity

The sequential complexity $\Pi_{st}(G)$ of a directed acyclic graph G: the time it takes to label (pebble/evaluate) the graph, times the maximal number of memory cells the best sequential algorithm needs to evaluate (pebble) the graph.

Related work

• PBKDF/PBKDF2 (2000)
• bcrypt (1999)
• scrypt (Percival 2009; used in e.g., Litecoin)
• Password Hashing Competition (2015):
  • winner: Argon2 (Biryukov, Dinu, Khovratovich)
  • special recognition: Catena, Lyra2, yescrypt, Makwa
• Balloon Hashing (Asiacrypt 2016, Boneh, Corrigan-Gibbs, Schechter)


PBKDF

[figure: a path v_0 → v_1 → … → v_N; the input enters at v_0, the output is read at v_N]

• G = (V, E),
• V = {v_0, v_1, …, v_{N−1}, v_N},
• E = {(v_i, v_{i+1}) : i = 0, …, N−1} (i.e., a path)
• The value at vertex v_0 := x,
• v_{i+1} := F(v_i)
• T = N, but it is enough that S = O(1), so
• S · T = Π_st(PBKDF) = O(N). It is not memory-hard.


scrypt

• v^0_0 = input, v^0_i = F(v^0_{i−1}), i = 1, …, N−1
• v^1_0 = F(v^0_{N−1}), v^1_i = F(v^1_{i−1} ⊕ v^0_j) with j = v^1_{i−1} mod N, i = 1, …, N−1

[figure: two rows of N vertices, v^0_0 … v^0_{N−1} and v^1_0 … v^1_{N−1}; each row is a path, and every vertex of row 1 additionally reads a row-0 vertex chosen by the data]

• is memory-hard: Π_st(scrypt) = Ω(N²)
• but has a password-dependent memory access pattern (an attacker who can observe memory accesses on the server, e.g., through a cache side channel, may be able to break passwords by discarding candidate computations that do not follow the observed access pattern)
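The following toy ROMix, added here and not the scrypt reference code, makes the two claims above concrete for the PBKDF path and the scrypt graph: an evaluator that keeps only every k-th row-0 value still obtains the same output but pays extra calls to F (so S·T stays quadratic rather than dropping to O(N)), and the sequence of row-0 positions read by row 1 changes with the password. F = SHA-256, the derivation of v^0_0 from (salt, password) and the stride parameter are assumptions of the example; real scrypt uses BlockMix/Salsa20/8, N of 2^14 and more, and a PBKDF2 wrapper.

```python
"""Added example, not the scrypt reference code: a toy ROMix built on the
two-row graph above with F = SHA-256.  It shows the two properties stated
on the slide: (1) an evaluator that keeps only every k-th v^0 value still
obtains the same result but pays extra calls to F, so S*T stays large;
(2) the sequence of row-0 positions read by row 1 depends on the password.
Real scrypt uses BlockMix/Salsa20/8, N ~ 2^14..2^20 and a PBKDF2 wrapper."""
import hashlib


def F(x):
    return hashlib.sha256(x).digest()


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def integerify(block, n):
    """v^1_{i-1} mod N in the slide's notation (scrypt reads the block as an integer)."""
    return int.from_bytes(block[:8], "little") % n


class ScryptGraph:
    """stride=1 stores all N values of row 0 (the honest evaluator);
    stride=k stores every k-th value and recomputes the others on demand,
    trading memory S (stored cells) for time T (calls to F)."""

    def __init__(self, n, stride=1):
        self.n, self.stride = n, stride
        self.f_calls = 0
        self.stored = {}

    def _F(self, x):
        self.f_calls += 1
        return F(x)

    def _v0(self, j):
        """Fetch v^0_j: walk forward from the nearest stored checkpoint."""
        base = j - j % self.stride
        val = self.stored[base]
        for _ in range(j - base):
            val = self._F(val)
        return val

    def run(self, password, salt):
        n = self.n
        self.f_calls, self.stored = 0, {}
        x = self._F(salt + password)             # v^0_0 (input derivation is ours)
        for i in range(n):                       # row 0: v^0_i = F(v^0_{i-1})
            if i % self.stride == 0:
                self.stored[i] = x
            if i < n - 1:
                x = self._F(x)
        y = self._F(x)                           # v^1_0 = F(v^0_{N-1})
        accesses = []
        for i in range(1, n):                    # row 1: v^1_i = F(v^1_{i-1} xor v^0_j)
            j = integerify(y, n)
            accesses.append(j)
            y = self._F(xor(y, self._v0(j)))
        return y, accesses


def tradeoff(n, strides, password=b"password", salt=b"salt"):
    """Return (stride, S, T, S*T) rows: S = stored cells, T = calls to F."""
    rows = []
    for k in strides:
        g = ScryptGraph(n, k)
        g.run(password, salt)
        s, t = len(g.stored), g.f_calls
        rows.append((k, s, t, s * t))
    return rows
```

With stride k the evaluator stores N/k cells and, on every row-1 access, recomputes on average about k/2 row-0 steps, so T grows as S shrinks and the product never falls much below N²/2; this is exactly the Ω(N²) behaviour the slide attributes to scrypt, in contrast to the path graph where S = O(1) costs nothing.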


Balloon Hashing

• v^0_0 = input, v^0_i = F(v^0_{i−1}), i = 1, …, N−1
• v^1_0 = F(v^0_{N−1}), v^1_i = F(v^0_i ⊕ v^1_{i−1} ⊕ v^0_r) (if r > i) or v^1_i = F(v^0_i ⊕ v^1_{i−1} ⊕ v^1_r) (if r < i), where r = Random(0, …, N−1), i = 1, …, N−1

[figure: two rows of N vertices, v^0_0 … v^0_{N−1} and v^1_0 … v^1_{N−1}; row 1 reads row 0 at positions chosen by the salt]

• the computation graph depends on the salt (and is password-independent)
• but the proof works only for in-degree δ ≥ 7
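The block below is an added example, not the Balloon authors' code: it builds the salt-indexed mixing row from the slide so that the random neighbour r of v^1_i is drawn from H(salt, i, t) for each of δ draws, and nothing about the password enters the choice. The graph is therefore a function of the salt alone, which is the property the slide contrasts with scrypt. F = SHA-256, the derivation of v^0_0 and the index derivation are assumptions of the example; real Balloon hashing also has an expand phase, several mixing rounds and an extract step.

```python
"""Added example, not the Balloon authors' code: the salt-indexed mixing
row from the slide above.  The random neighbour r of v^1_i is drawn from
H(salt, i, t) for draw t = 0..delta-1, so the whole computation graph is a
function of the salt alone.  Real Balloon hashing has an expand phase,
several mixing rounds and an extract step; this is only the graph from
the slide, with F = SHA-256."""
import hashlib


def H(*parts):
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def neighbours(salt, n, i, delta):
    """The delta values r in {0..N-1} feeding v^1_i; the password never enters."""
    out = []
    for t in range(delta):
        h = H(salt, i.to_bytes(4, "little"), t.to_bytes(4, "little"))
        out.append(int.from_bytes(h[:8], "little") % n)
    return out


def balloon_graph(salt, n, delta):
    """Edge list of the DAG the slide draws, over ('v0', i) / ('v1', i)
    vertices.  It takes no password argument, which is the whole point."""
    edges = [(("v0", i - 1), ("v0", i)) for i in range(1, n)]
    edges.append((("v0", n - 1), ("v1", 0)))
    for i in range(1, n):
        edges.append((("v0", i), ("v1", i)))
        edges.append((("v1", i - 1), ("v1", i)))
        for r in neighbours(salt, n, i, delta):
            src = ("v1", r) if r < i else ("v0", r)   # v^1_r exists only for r < i
            edges.append((src, ("v1", i)))
    return edges


def balloon_mix(password, salt, n, delta=1):
    """Evaluate the graph; returns the final value and the order in which
    memory was read (the pattern a side-channel observer would see)."""
    v0 = [H(salt, password)]                 # v^0_0 (input derivation is ours)
    for i in range(1, n):
        v0.append(H(v0[-1]))
    v1 = [H(v0[-1])]                         # v^1_0
    accesses = []
    for i in range(1, n):
        acc = xor(v0[i], v1[i - 1])
        for r in neighbours(salt, n, i, delta):
            accesses.append(r)
            acc = xor(acc, v1[r] if r < i else v0[r])
        v1.append(H(acc))
    return v1[-1], accesses
```

Two different passwords hashed under the same salt walk memory in exactly the same order, so observing the accesses tells an attacker nothing about which password is being processed; a different salt yields a different graph, so precomputation per graph does not carry over between users.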


Catena

[figure: Catena computation graph with rows v^0_0, …, v^0_7 at the top and v^3_3, …, v^3_7 at the bottom; the input enters the top row]

• Catena-BRG (Bit-Reversal Graph): each row is the same; stacking graphs does not increase the adversary's penalty
• Catena-BFG (Butterfly Graph): consists of λ stacked Cooley–Tukey FFT graphs; exponential penalty for the adversary, but the computation graph is the same for each salt


Argon

• lack of a formal proof
• fast (but works over a round-reduced BLAKE2)


Comparison

Lemma (Catena DFG). Any adversary using S ≤ N/20 memory cells requires T placements such that

$T \ge N \left(\frac{\lambda N}{64 S}\right)^{\lambda}$

for $\mathrm{DFG}^{N}_{\lambda}$.

Lemma (Balloon). Any adversary using S ≤ N/64 memory cells, for in-degree δ = 7 and λ rounds, requires

$T \ge \frac{(2^{\lambda} - 1) N^2}{32 S}$

placements for $\mathrm{BHG}^{\lambda}_{\sigma}$.

RiffleScrambler

• Goal: to design a family of graphs that would enforce memory-hardness

Superconcentrator

Definition (N-Superconcentrator). A directed acyclic graph G = ⟨V, E⟩ with a set of vertices V and a set of edges E, a bounded in-degree, N inputs, and N outputs is called an N-Superconcentrator if for every k such that 1 ≤ k ≤ N and for every pair of subsets V_1 ⊂ V of k inputs and V_2 ⊂ V of k outputs, there are k vertex-disjoint paths connecting the vertices in V_1 to the vertices in V_2.
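To see what the definition demands, here is an added brute-force checker (not from the slides or the paper): for every k and every pair of k-subsets V_1, V_2 it counts vertex-disjoint V_1 → V_2 paths with a max-flow on the vertex-split graph, where every vertex gets capacity 1, and requires the count to equal k. The three small graphs in the test (complete bipartite, identity, and a single hub vertex) are constructed for the example; the hub graph shows why vertex-disjointness, not edge-disjointness, is the right notion.

```python
"""Added example, not from the slides: a brute-force checker for the
N-Superconcentrator definition above.  For every k and every pair of
k-subsets V1 (inputs), V2 (outputs) it counts vertex-disjoint V1->V2 paths
with a max-flow on the vertex-split graph (each vertex gets capacity 1)
and requires the count to be k.  Exponential in N: meant for small
hand-made graphs, not for the sizes used in a hash function."""
from collections import defaultdict, deque
from itertools import combinations


def max_flow(cap, s, t):
    """Edmonds-Karp on a residual-capacity map {u: {v: capacity}}."""
    flow = 0
    while True:
        parent = {s: None}
        queue = deque([s])
        while queue and t not in parent:          # BFS for a shortest augmenting path
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(cap[u][v] for u, v in path)
        for u, v in path:                         # push flow, add reverse capacity
            cap[u][v] -= bottleneck
            cap[v][u] = cap[v].get(u, 0) + bottleneck
        flow += bottleneck


def vertex_disjoint_paths(edges, sources, sinks):
    """Maximum number of vertex-disjoint paths from `sources` to `sinks` in
    the DAG given as an edge list.  Vertex v is split into (v,'in') ->
    (v,'out') with capacity 1, which is what makes the paths vertex-disjoint
    rather than merely edge-disjoint."""
    cap = defaultdict(dict)
    for u, v in edges:
        cap[(u, "in")][(u, "out")] = 1
        cap[(v, "in")][(v, "out")] = 1
        cap[(u, "out")][(v, "in")] = 1
    for v in sources:
        cap["SRC"][(v, "in")] = 1
    for v in sinks:
        cap[(v, "out")]["SNK"] = 1
    return max_flow(cap, "SRC", "SNK")


def is_superconcentrator(edges, inputs, outputs):
    """Check the definition for all 1 <= k <= N and all k-subsets."""
    n = len(inputs)
    if len(outputs) != n:
        raise ValueError("need N inputs and N outputs")
    for k in range(1, n + 1):
        for v1 in combinations(inputs, k):
            for v2 in combinations(outputs, k):
                if vertex_disjoint_paths(edges, v1, v2) < k:
                    return False
    return True
```

The complete bipartite graph K_{N,N} passes trivially (every input reaches every output directly), the identity graph fails already at k = 1, and the hub graph, where all inputs route through one middle vertex, has two edge-disjoint paths for any pair of inputs and outputs but only one vertex-disjoint path, so it is not a superconcentrator.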


Stacked superconcentrators

Definition ((N, λ)-Superconcentrator). Let G_i, i = 0, …, λ−1, be N-Superconcentrators. Let G be the graph created by joining the outputs of G_i to the corresponding inputs of G_{i+1}, i = 0, …, λ−2. The graph G is called an (N, λ)-Superconcentrator.

Time-memory tradeoff

Theorem (Lower bound for an (N, λ)-Superconcentrator; Lengauer and Tarjan 1982). Pebbling an (N, λ)-Superconcentrator using S ≤ N/20 pebbles requires T placements such that

$T \ge N \left(\frac{\lambda N}{64 S}\right)^{\lambda}.$

Riffle Shuffle

• How to obtain a random permutation?
• Shuffle cards!
• Riffle shuffle:


Time-reversed riffle shuffle

1 step of (the time reversal of) the riffle shuffle:

• Given a permutation π of N cards, assign a random bit to each card.
• Put all the cards with assigned bit 0 on the top, keeping their relative ordering (the cards with bit 1 follow, also in their relative ordering).

When is a permutation random? How many steps are needed? = study the rate of convergence of a Markov chain.
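The step just described, iterated until a strong stationary time fires, as an added example that is not part of the slides. The stopping rule used, "stop as soon as the bit strings accumulated by the N cards are all distinct", is the classical SST for the inverse riffle shuffle (Aldous and Diaconis, 1986); it is quoted from the literature and not stated on these slides. Stopping at T returns an exactly uniform permutation, and Pr(T > k) bounds the total variation distance after k steps, which is the lemma on the following slide; the seed and the trial count are choices of the example.

```python
"""Added example, not from the slides: the time-reversed riffle shuffle step
defined above, iterated until a strong stationary time fires.  The stopping
rule 'stop as soon as the bit strings accumulated by the N cards are all
distinct' is the classical SST for this chain (Aldous and Diaconis, 1986);
it is quoted from the literature, the slides do not state it."""
import random
from collections import Counter
from itertools import permutations


def inverse_riffle_step(deck, bits):
    """One step: cards with bit 0 go to the top in their relative order,
    cards with bit 1 follow in their relative order."""
    if len(bits) != len(deck):
        raise ValueError("one bit per card")
    return ([c for c, b in zip(deck, bits) if b == 0]
            + [c for c, b in zip(deck, bits) if b == 1])


def shuffle_until_sst(n, rng):
    """Run the chain from the identity and stop at T; returns (X_T, T).
    After k steps the deck is stably sorted by the cards' k-bit labels, so
    once the labels are distinct the order is a uniformly random permutation."""
    deck = list(range(n))
    labels = {c: "" for c in deck}       # bit string seen so far by each card
    steps = 0
    while True:
        bits = [rng.getrandbits(1) for _ in deck]
        for c, b in zip(deck, bits):
            labels[c] += str(b)
        deck = inverse_riffle_step(deck, bits)
        steps += 1
        if len(set(labels.values())) == n:   # all labels distinct: T has fired
            return tuple(deck), steps


def sst_tail(n, k):
    """Pr(T > k): some pair of the N cards shares its k-bit label (a birthday
    computation).  By the Aldous-Diaconis lemma this upper-bounds d_TV after k steps."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= max(0.0, 1.0 - i / 2 ** k)
    return 1.0 - p_distinct


def empirical_distribution(n, trials, seed=2018):
    """Histogram of X_T over repeated runs; flat up to sampling noise,
    which is the 'perfect simulation' property of stopping at an SST."""
    rng = random.Random(seed)
    counts = Counter(shuffle_until_sst(n, rng)[0] for _ in range(trials))
    return {perm: counts.get(perm, 0) for perm in permutations(range(n))}
```

For a 52-card deck sst_tail(52, k) is 1 for k < 6 and drops quickly afterwards, which is the origin of the familiar "about seven riffle shuffles" figure; for the purposes of the talk the same chain, run with salt-derived bits, is what drives a permutation to near-uniform in a provable number of steps.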

Markov chains and Strong Stationary Times (SST)

• X_k: an ergodic Markov chain on E = {0, 1, …, M−1} (in our case M = N!) with stationary distribution π (in our case π(x) = 1/N!).
• Denote by $\mathcal{L}(X_k)$ the distribution of the chain at step k.
• $d_{TV}(\mathcal{L}(X_k), \pi) = \frac{1}{2} \sum_{x \in E} |\Pr(X_k = x) - \pi(x)|$
• Definition: a random variable T is a Strong Stationary Time for X if it is a stopping time such that $\forall x \in E:\ \Pr(X_k = x \mid T = k) = \pi(x)$.
• Lemma (Aldous & Diaconis): $d_{TV}(\mathcal{L}(X_k), \pi) \le \Pr(T > k)$.
• Moreover, stopping the chain at T, i.e., returning X_T, gives an unbiased sample from the stationary distribution π (perfect simulation).


RiffleShuffle

Recall one step of the (time reversal of the) riffle shuffle:

• Given a permutation π of N cards, assign a random bit to each card.

• Put all the cards with assigned bit 0 on top, keeping their relative ordering.

Strong Stationary Time for the (time reversal of the) riffle shuffle:

• Initially all $\binom{N}{2}$ pairs of cards are unmarked.

• At each step, if cards $i$ and $j$ were assigned different bits, mark the pair $(i, j)$.

• If all pairs are marked then STOP.

Let $T$ be the described SST. We have

$\mathbb{E}\,T \approx 2 \log_2 N$ (asymptotically in $N$).


RiffleShuffle

Figure: Sample execution of the (time-reversed) riffle shuffle for 6 cards.

step   deck before (top to bottom)   bits assigned   deck after the step
1      1 2 3 4 5 6                   0 0 1 0 1 1     1 2 4 3 5 6
2      1 2 4 3 5 6                   0 1 0 1 1 0     1 4 6 2 3 5
3      1 4 6 2 3 5                   1 0 1 1 1 0     4 5 1 6 2 3

Figure: Pairs mixed at each step, i.e., pairs whose two cards received different bits (the slide bolds the newly marked ones). Stop when $\binom{6}{2} = 15$ pairs are marked.

step 1: (1,3), (1,5), (1,6), (2,3), (2,5), (2,6), (3,4), (4,5), (4,6); all 9 are new; sum(pairs) = 9
step 2: (1,2), (1,3), (1,5), (2,4), (2,6), (3,4), (3,6), (4,5), (5,6); new: (1,2), (2,4), (3,6), (5,6); sum(pairs) = 13
step 3: (1,4), (1,5), (2,4), (2,5), (3,4), (3,5), (4,6), (5,6); new: (1,4), (2,5); sum(pairs) = 15, STOP


Graph generation example

Let π = [6, 5, 4, 7, 0, 1, 2, 3], i.e., π[p] is the element sitting at position p.

element   final position   trajectory (bits assigned in rounds 1, 2, 3)
0         4 = (100)_2      0 0 1
1         5 = (101)_2      1 0 1
2         6 = (110)_2      0 1 1
3         7 = (111)_2      1 1 1
4         2 = (010)_2      0 1 0
5         1 = (001)_2      1 0 0
6         0 = (000)_2      0 0 0
7         3 = (011)_2      1 1 0

The trajectory of an element is the bit-reversal of its final position: the bit of the last round decides whether the card ends in the top or the bottom half, so it is the most significant bit of the position. Replaying the rounds (deck order, then the bits given to the cards in that order):

• 0 1 2 3 4 5 6 7   bits 0 1 0 1 0 1 0 1

• 0 2 4 6 1 3 5 7   bits 0 1 1 0 0 1 0 1

• 0 6 1 5 2 4 3 7   bits 1 0 1 0 1 0 1 0

• 6 5 4 7 0 1 2 3 = π
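The following is an added example and not code from the slides or from the RiffleScrambler implementation. It implements the reverse riffle step and the pair-marking strong stationary time from the earlier slides, replays the 6-card execution of the figure (9, 13, 15 marked pairs), and implements trajectory tracing for a target permutation of N = 2^g elements, replaying the N = 8 example above. The function names and the Monte Carlo estimate of E[T] are this example's own; the bit-reversal rule in the comments follows from the definition of the step and agrees with the table on the slide.

```python
"""Added example (not from the RiffleScrambler slides or paper): the
time-reversed riffle shuffle, its pair-marking SST, and trajectory tracing
for a target permutation, exercised on the small decks used on the slides."""
import random
from itertools import combinations
from math import comb, log2


def reverse_riffle_step(order, bits):
    """One step of the time-reversed riffle shuffle.

    order[i] is the card at deck position i (top first) and bits[i] the bit it
    was assigned: cards with bit 0 go to the top, cards with bit 1 to the
    bottom, each group keeping its relative order.
    """
    if len(order) != len(bits):
        raise ValueError("one bit per card is required")
    zeros = [c for c, b in zip(order, bits) if b == 0]
    ones = [c for c, b in zip(order, bits) if b == 1]
    return zeros + ones


def separated_pairs(order, bits):
    """Pairs (i, j) of card labels, i < j, that received different bits."""
    bit_of = dict(zip(order, bits))
    return {(i, j) for i, j in combinations(sorted(order), 2)
            if bit_of[i] != bit_of[j]}


def run_sst(n, bit_rounds=None, seed=0):
    """Shuffle cards 1..n until every one of the C(n,2) pairs has been
    separated (assigned different bits) at least once: the SST of the slides.

    bit_rounds: explicit bit vectors per round (for worked examples);
    otherwise bits are drawn uniformly from a PRNG with the given seed.
    Returns (steps, final deck, number of marked pairs after each step).
    """
    rng = random.Random(seed)
    order = list(range(1, n + 1))
    marked, history, step = set(), [], 0
    while len(marked) < comb(n, 2):
        if bit_rounds is None:
            bits = [rng.randrange(2) for _ in range(n)]
        elif step < len(bit_rounds):
            bits = bit_rounds[step]
        else:
            raise ValueError("explicit bit rounds ran out before the SST fired")
        marked |= separated_pairs(order, bits)
        order = reverse_riffle_step(order, bits)
        history.append(len(marked))
        step += 1
    return step, order, history


def mean_sst_steps(n, trials=2000, seed=1):
    """Monte Carlo estimate of E[T] for n cards, to compare with 2 log2 n."""
    total = sum(run_sst(n, seed=seed + t)[0] for t in range(trials))
    return total / trials


def trace_trajectories(pi):
    """For a permutation pi of N = 2^g elements (pi[p] = element at position
    p) return, per element, the bits it must receive in rounds 1..g so that
    g reverse riffle steps from the identity deck produce pi.

    After round r the deck is sorted by the key (b_r, ..., b_1), so the last
    round's bit is the most significant bit of the final position: the
    trajectory is the bit-reversal of the position, as in the slide's table.
    """
    n = len(pi)
    g = n.bit_length() - 1
    if n == 0 or n != 1 << g or sorted(pi) != list(range(n)):
        raise ValueError("pi must be a permutation of 0..2^g-1")
    position = {e: p for p, e in enumerate(pi)}
    return {e: [(position[e] >> r) & 1 for r in range(g)] for e in pi}


def bits_per_round(pi):
    """Replay the trajectories round by round.  Returns the list of
    (deck order before the round, bits in that order) and the final deck."""
    traj = trace_trajectories(pi)
    g = len(pi).bit_length() - 1
    order, rounds = sorted(pi), []
    for r in range(g):
        bits = [traj[e][r] for e in order]
        rounds.append((list(order), bits))
        order = reverse_riffle_step(order, bits)
    return rounds, order


if __name__ == "__main__":
    # The 6-card execution from the slides (bits copied from the figure).
    slide_bits = [[0, 0, 1, 0, 1, 1], [0, 1, 0, 1, 1, 0], [1, 0, 1, 1, 1, 0]]
    print(run_sst(6, bit_rounds=slide_bits))        # (3, [4, 5, 1, 6, 2, 3], [9, 13, 15])
    print(bits_per_round([6, 5, 4, 7, 0, 1, 2, 3]))  # reproduces pi after 3 rounds
    print(mean_sst_steps(6), 2 * log2(6))            # empirical E[T] next to 2 log2 N
```

Two observations fall out of the code. A pair is marked exactly when the two cards' bit strings differ, so "all pairs marked" is the same as "all N bit strings distinct"; that needs at least log2 N rounds, and it is also why the deck at time T is uniform: the final order is the deck sorted by N distinct uniformly random strings. The same fact is what trace_trajectories exploits in reverse: prescribing distinct strings (the bit-reversed target positions) forces the shuffle to land on the chosen permutation.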


Graph creation example

Cards 0 1 2 3 4 5 6 7; the rows of B are the bits assigned in rounds 1, 2 and 3 (further rounds elided on the slide):

0 1 0 1 0 1 0 1
0 1 1 0 0 1 0 1
1 0 1 0 1 0 1 0
...

Figure: the layered graph with vertices $v^0_0, \dots, v^0_i, v^0_{i+1}, \dots, v^0_7$ in layer 0 down to $v^3_0, \dots, v^3_7$ in layer 3; the slide animation walks through the bits of B one at a time while building it.


Graph properties

Theorem
Let $\rho = (\rho_0, \dots, \rho_{2^g-1})$ be a permutation of $N = 2^g$ elements and let $B = (B_0, \dots, B_{g-1}) = \mathrm{TraceTrajectories}(\rho)$ be its binary (trajectory) representation. Let $G = RSG$ be an N-Double-Riffle-Graph built from $B$. Then $G = RSG$ is an N-Superconcentrator.

Comparison

             BHG7                      BHG3                  Argon2i              Catena BFG                 RiffleScrambler
Server       8λN                       4λN                   2λN                  4λN                        3λN
Attacker1    Ω(2^{λ-1} N² / (32S))     Ω(λN² / (32S))        Ω(N² / (1536S))      Ω((λN / (64S))^λ · N)      Ω((λN / (64S))^λ · N)
Attacker2    unknown
Salt-dep.    yes                       yes                   yes                  no                         yes

• Server: time T (for S = N)

• Attacker1: time T (S ≤ N/64)

• Attacker2: time T (N/64 ≤ S ≤ N/20)

• BHG3 is the Balloon Hashing BHG graph for δ = 3

• BHG7 is the Balloon Hashing BHG graph for δ = 7

• Catena (with the Butterfly graph)

Summary and future work

• We designed a new family of N! superconcentrators (one graph for each permutation of N elements)

• Resistance to parallel attacks (?)

• Simplifications/speed-up: can we have in-degree = 2?

• Implementation

Thank you
