• PDF / 614,966 Bytes
• 27 Pages / 439.37 x 666.142 pts Page_size
• 41 Downloads / 188 Views

DOWNLOAD

REPORT

Abstract. Cryptographic hash functions have wide applications including password hashing, pricing functions for spam and denial-of-service countermeasures and proof of work in cryptocurrencies. Recent progress on ASIC (Application Specific Integrated Circuit) hash engines raise concerns about the security of the above applications. This leads to a growing interest in ASIC resistant hash function and ASIC resistant proof of work schemes, i.e., those that do not give ASICs a huge advantage. The standard approach towards ASIC resistance today is through memory hard functions or memory hard proof of work schemes. However, we observe that the memory hardness approach is an incomplete solution. It only attempts to provide resistance to an ASIC’s area advantage but overlooks the more important energy advantage. In this paper, we propose the notion of bandwidth hard functions to reduce an ASIC’s energy advantage. CPUs cannot compete with ASICs for energy efficiency in computation, but we can rely on memory accesses to reduce an ASIC’s energy advantage because energy costs of memory accesses are comparable for ASICs and CPUs. We propose a model for hardware energy cost that has sound foundations in practice. We then analyze the bandwidth hardness property of ASIC resistant candidates. We find scrypt, CatenaBRG and Balloon are bandwidth hard with suitable parameters. Lastly, we observe that a capacity hard function is not necessarily bandwidth hard, with a stacked double butterfly graph being a counterexample.

1

Introduction

Cryptographic hash functions have a wide range of applications in both theory and practice. Two of the major applications are password protection and more recently proof of work. It is well known that service providers should store hashes of user passwords. This way, when a password hash database is breached, an adversary still has to invert the hash function to obtain user passwords. Proof of work, popularized by its usage in the Bitcoin cryptocurrency for reaching consensus [43], has earlier been used as “pricing functions” to defend against email spam and denial-of-service attacks [19,30]. In the last few years, driven by the immense economic incentives in the Bitcoin mining industry, there has been amazing progress in the development of ASIC (Application Specific Integrated Circuit) hash units. These ASIC hash engines are specifically optimized for computing SHA-256 hashes and offer c International Association for Cryptologic Research 2017  Y. Kalai and L. Reyzin (Eds.): TCC 2017, Part I, LNCS 10677, pp. 466–492, 2017. https://doi.org/10.1007/978-3-319-70500-2_16

Bandwidth Hard Functions for ASIC Resistance

467

incredible speed and energy efficiency that CPUs cannot hope to match. A stateof-the-art ASIC Bitcoin miner [1] computes 13 trillion hashes at about 0.1 nJ energy cost per hash. This is roughly 200,000× faster and 40,000× more energy efficient than a state-of-the-art multi-core CPU. These ASIC hash engines call the security of password hashing and pricing functions into question. For ASICequipped

Recommend Documents

VLSI Design A Practical Guide for FPGA and ASIC Implementations

206 80 8MB

Graph Bandwidth

151 56 20MB

Optimal Nash Equilibria for Bandwidth Allocation

180 16 11MB

Higher structural connectivity and resistance against invasions of soil bioengineering over hard-engineering for riverba

125 19 960KB

High-Bandwidth Memory Interface

199 72 7MB

Hard Science from Hard Materials

217 28 83KB

Hard Negative Examples are Hard, but Useful

208 42 149MB

A Parallel Elastic Haptic Thimble for Wide Bandwidth Cutaneous Feedback

191 68 77MB

Narrow bandwidth fiber-optic spectral combs for renewable hydrogen detection

189 115 2MB

Integrated Wide-Bandwidth Current Sensing

204 113 11MB

Sampling, Memory Depth, and Bandwidth

139 30 16MB

Hard Sonnet in a Hard Time

179 26 95KB