On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model

Joël Alwen, Binyi Chen, Chetan Kamath, Vladimir Kolmogorov, Krzysztof Pietrzak and Stefano Tessaro.

In EUROCRYPT, May 2016.


We investigate lower bounds in terms of time and memory on the parallel complexity of an adversary A computing labels of randomly selected challenge nodes in direct acyclic graphs, where the w-bit label of a node is the hash h(.) (modelled as a random oracle with w-bit output) of the labels of its parents. Specific instances of this general problem underlie both proofs-of-space protocols [Dziembowski et al. CRYPTO'15] as well as memory-hardness proofs including scrypt, a widely deployed password hashing and key-derivation function which is e.g. used within Proofs-of-Work for digital currencies like Litecoin.

Current lower bound proofs for these problems only consider restricted algorithms A which perform only a single H(.) query at a time and which only store individual labels (but not arbitrary functions thereof). This paper substantially improves this state of affairs;
Our first set of results shows that even when allowing multiple parallel h queries, the ``cumulative memory complexity'' (CMC), as recently considered by Alwen and Serbinenko [STOC '15], of scrypt is at least $w (n/log(n))^2$, when scrypt invokes h n times. Our lower bound holds for adversaries which can store (1) Arbitrary labels (i.e., random oracle outputs) and (2) Certain natural functions of these labels, e.g., linear combinations. The exact power of such adversaries is captured via the combinatorial abstraction of parallel ``entangled'' pebbling games on graphs, which we introduce and study.

We introduce a combinatorial quantity γn and under the conjecture that it is upper bounded by some constant, we show that the above lower bound on the CMC also holds for arbitrary algorithms A, storing in particular arbitrary functions of their labels. We also show that under the same conjecture, the time complexity of computing the label of a random node in a graph on n nodes (given an initial kw-bit state) reduces tightly to the time complexity for entangled pebbling on the same graph (given an initial k-node pebbling). Under the conjecture, this solves the main open problem from the work of Dziembowski et al.

In fact, we note that every non-trivial upper bound on γn will lead to the first non-trivial bounds for general adversaries for this problem.


ePrint version