All right, thanks for the introduction. I'm excited to tell you more about data-independent memory hard functions.

Let me start off with the motivation, which is really why I started working on memory hard functions: password storage. We have an attacker who breaks into an authentication server and steals the hash of a user's password. Now the attacker can try as many guesses as they want offline to crack the user's password; they're really only limited by the resources they invest in the attack. Unfortunately, these attacks are an increasingly common problem. At this point, breaches happen so fast that I'm not even able to keep this slide up to date, and billions of user accounts have been affected.

So the goal of a memory hard function, intuitively, is a moderately expensive hash function: fast to evaluate on a personal computer, and expensive to evaluate even if the attacker is using an application-specific integrated circuit, maybe some supercomputer as shown on the left here. Intuitively, a memory hard function is a function whose computation cost is dominated by memory cost. Our goal is to force the attacker to lock up large amounts of memory for the entire duration of the computation, which intuitively implies that the computation will be expensive even if the adversary is using customized hardware.

We have a couple of examples of memory hard functions. Scrypt is a prime example, and it is a data-dependent memory hard function: the memory access pattern depends on the user's input, so we have to worry about side-channel leakage. A side channel might leak information about the user's input, which in this case might be a sensitive password. In this talk, we're going to focus entirely on data-independent memory hard functions. These are just memory hard functions whose memory access pattern does not leak any information about the user's input.

To specify a data-independent memory hard function, we need to do two things: specify a directed acyclic graph G and a labeling function H. Typically we think of H as a random oracle. As we saw in the last talk, it's also OK for H to be an ideal permutation or an ideal cipher, so there are other ways to build H, but in this talk we'll focus on random oracles. Intuitively, the DAG encodes data dependencies: the label of an internal node is the hash of the labels of its parents, and the output of the function is just the label of the last node in the graph. We'll use big N to denote the total number of nodes in the graph, and, at least in this talk, we'll assume that N is a power of 2 and use little n for that power, so N = 2^n.

OK, so when we talk about evaluating a memory hard function, a common way to describe evaluation strategies is in terms of graph pebbling. Here we've got a graph. We start off with no pebbles on the graph. Then we can place a pebble on the source. Now that we have a pebble on node 1, we can place a pebble on node 2; now we can place a pebble on node 3; now we have the data to pebble node 4, pebble node 5, et cetera. The rule of pebbling is basically that you have to wait to pebble a node until all of its parents already have pebbles, that is, until all the labels it depends on are already in memory. So when we talk about evaluation, we're typically going to use the language of graph pebbling.
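To make the labeling process just described concrete, here is a minimal sketch of the naive (full-memory) evaluation of an iMHF defined by a DAG. SHA-256 stands in for the random oracle H; mixing in the node index and absorbing the password and salt at the source node are illustrative assumptions, not the Argon2i specification, and this uses the simple concatenation labeling rule (the XOR rule used in practice comes up later in the talk).

```python
import hashlib

def evaluate_imhf(parents, password, salt):
    """Naive sequential evaluation of an iMHF defined by a DAG.

    parents[v] lists the parents of node v (nodes 0..N-1 are assumed to be
    in topological order).  Every label is kept in memory, mirroring the
    naive pebbling strategy described above.
    """
    labels = []
    for v in range(len(parents)):
        h = hashlib.sha256()
        h.update(v.to_bytes(8, "big"))
        if not parents[v]:                 # source node: absorb the input
            h.update(password + salt)
        for u in parents[v]:               # internal node: hash parent labels
            h.update(labels[u])
        labels.append(h.digest())
    return labels[-1]                      # output = label of the last node

# Toy example: a path graph on 8 nodes (node i depends only on node i-1).
parents = [[]] + [[i - 1] for i in range(1, 8)]
print(evaluate_imhf(parents, b"password", b"salt").hex())
```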
All right, so now the important question is, how do we measure the cost of a pebbling? There are a couple of different approaches. One nice initial attempt is space-time complexity: you look at the maximum number of pebbles on the graph at any point in time during the pebbling, multiplied by the total time. So this is the maximum space used, multiplied by time. What's the problem with this? Well, the problem is that space-time complexity doesn't amortize nicely. As we can see on this slide, suppose we have a computation that requires a lot of space initially and then runs for a long time without much space at all. If the attacker wants to compute multiple instances of this function, they can compute all of those instances at once, interleaved, and the space-time complexity of computing multiple instances is roughly the same as the space-time complexity of computing just one instance of the function. If this is a password attacker, we don't want to give the attacker this advantage.

So Alwen and Serbinenko proposed a different metric, called cumulative memory complexity for functions, or cumulative pebbling complexity for graphs. Here we just sum, over all pebbling rounds, the total number of pebbles on the graph at that point in time. So instead of the area of the bounding rectangle around this curve, we look at the area under the curve. The nice thing is that this actually approximates amortized area-time complexity quite nicely: the cumulative memory complexity of computing two instances of this function is two times the complexity of computing one instance of the function.

So we're going to use the notion of attack quality when we evaluate memory hard functions. The naive sequential pebbling is just going to cost roughly N squared over 2: pebble node 1, pebble node 2, and so on, keeping all the pebbles on the graph, and at the end of the day your cost is roughly N squared over 2. Intuitively, we want to ensure that the optimal pebbling the attacker might try is nearly as expensive as this naive pebbling strategy. The attack quality really measures the attacker's success in reducing their cost: we define the quality of a pebbling attack as the ratio of N squared over 2 to the cumulative cost of the pebbling. So, for example, if we have a pebbling with attack quality 10, this means the attacker reduced their cost by one order of magnitude.

All right, one more metric for the quality of a memory hard function: sustained space complexity. This is actually a more stringent requirement than cumulative memory complexity. We define the s-sustained space complexity as the number of pebbling rounds in which the attacker has at least s pebbles on the graph. Intuitively, if we have s-sustained space complexity t, then the cumulative memory complexity has to be at least s times t, so this is a stronger requirement. And intuitively, if we have high sustained space complexity, then we can rule out attacks in which the attacker's memory usage is low for most of the computation. What I'll say about this is that building a graph with high sustained space complexity is a very challenging goal. We gave a theoretical construction at EuroCrypt last year, but there are no known practical constructions with strong sustained space complexity guarantees.
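To make these cost measures concrete, here is a minimal sketch in plain Python, with a pebbling represented as a list of pebble sets, one per round. The toy path graph and the numbers in the comments are purely illustrative.

```python
def pebbling_costs(pebbling, s=None):
    """Cost metrics for a pebbling: pebbling[t] is the set of nodes
    carrying a pebble in round t."""
    space_time = max(len(p) for p in pebbling) * len(pebbling)   # max space x time
    cumulative = sum(len(p) for p in pebbling)                   # area under the curve
    sustained = None if s is None else sum(1 for p in pebbling if len(p) >= s)
    return space_time, cumulative, sustained

def attack_quality(big_n, cumulative_cost):
    """Attacker's savings relative to the naive pebbling, which costs ~N^2 / 2."""
    return (big_n ** 2 / 2) / cumulative_cost

# The naive sequential pebbling of a path on N nodes never discards a pebble,
# so round t holds t+1 pebbles and the cumulative cost is roughly N^2 / 2.
N = 16
naive = [set(range(t + 1)) for t in range(N)]
print(pebbling_costs(naive, s=8))   # (256, 136, 9)
print(attack_quality(N, 136))       # ~0.94: no savings over the naive strategy
```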
OK, good. So let me give you a brief overview of what we know about constructing and attacking depth-robust graphs. In particular, there's a property called depth-robustness, which is really the key to analyzing data-independent memory hard functions. Given a DAG G, we say that G is (e, d)-depth-robust if, for every set of e nodes, deleting those nodes from the graph still leaves a directed path of length at least d. If a graph doesn't satisfy this property, we say it is (e, d)-reducible. Here's an example of a reducible graph: if we delete these two nodes, then the longest remaining path in the graph has length two.

At Crypto 2016, we gave an attack showing that if your graph is not depth-robust, then there is a parallel pebbling attack with cumulative memory complexity little-o of N squared; in other words, the attack quality is omega of 1. A corollary is that any directed acyclic graph with indegree 2 has cumulative memory complexity at most N squared log log N over log N. So there's this general upper bound, and it actually separates data-independent memory hard functions from data-dependent ones: for data-dependent memory hard functions we can get all the way up to N squared, but that's not possible for data-independent memory hard functions. And in fact, for practical instantiations of memory hard functions like Argon2i, we can get even higher quality attacks.

So what about building a secure memory hard function? Well, there's a generic lower bound that says that if your graph is (e, d)-depth-robust, then your cumulative pebbling cost is at least e times d. At CCS 2017, we gave a practical construction of a graph that is (e, d)-depth-robust with e on the order of N over log N and d on the order of N, which means the cumulative complexity is at least N squared over log N. So this is nice; theoretically, it's nearly optimal, and if we compare to Argon2i, asymptotically DRSample is superior. So then, of course, we can ask the important question: sometimes theory is different from practice, so what about the constant factors here? In the CCS paper, our empirical analysis suggested that theory matched practice. Here we can see the best pebbling attack we found against DRSample, which has low quality, and the best attack we found against Argon2i, which has higher quality. So empirically, the theory seemed to match practice.

So now I can tell you about our contributions. We present a new analysis of the greedy pebbling attack, and we show that it's surprisingly effective against DRSample. In fact, it reverses the prior conclusions: Argon2i actually provides stronger resistance to known pebbling attacks than DRSample, at least in practical parameter regimes. We also give a new heuristic algorithm for constructing small depth-reducing sets. Unfortunately, for lack of time, I'm not going to be able to describe it, but you can see the paper for details. I'll just remark that it significantly improves on prior algorithms in all of our empirical analysis, and it potentially has implications for many other cryptographic objects where depth-robust graphs are used, such as proofs of replication, proofs of space, and of course memory hard functions. Another contribution here, and this is a trivial observation, but nevertheless one I include because I think it's important: there's an easy way to parallelize computation of the Argon2i round function, and if you implement this, it reduces the attacker's cost by nearly an order of magnitude.
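Before turning to the constructions, here is a small concrete companion to the depth-robustness definition from earlier: a sketch that checks whether a given removal set witnesses (e, d)-reducibility. The toy path graph at the end is purely illustrative and is not meant to model DRSample or Argon2i.

```python
def remaining_depth(parents, removed):
    """Length (in edges) of the longest directed path after deleting `removed`.
    Nodes 0..N-1 are assumed to be in topological order, with parents[v]
    listing the parents of node v."""
    depth, best = {}, 0
    for v in range(len(parents)):
        if v in removed:
            continue
        depth[v] = max((depth[u] + 1 for u in parents[v] if u in depth), default=0)
        best = max(best, depth[v])
    return best

def witnesses_reducibility(parents, removed, d):
    """A set `removed` of e nodes witnesses (e, d)-reducibility if, after
    deleting it, no path of length >= d survives."""
    return remaining_depth(parents, removed) < d

# Toy example: a path on 7 nodes.  Deleting the middle node leaves depth 2,
# so this single node witnesses that the path graph is (1, 3)-reducible.
path = [[]] + [[i - 1] for i in range(1, 7)]
print(remaining_depth(path, {3}))            # 2
print(witnesses_reducibility(path, {3}, 3))  # True
```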
So what about the positive side? Well, we give a new construction of a data-independent memory hard function by combining DRSample with a graph called the bit reversal graph, and we show that this graph has optimal resistance to all known pebbling attacks. It's also the first practical construction with strong sustained space complexity guarantees; I'll say more about that in a bit. We also give a new pebbling reduction for the XOR labeling rule. I'll say more about that in a bit as well, but this is the labeling rule that is used in practice. I should contrast this pebbling reduction with Binyi and Stefano's reduction: we're still assuming that H is a random oracle, but the way the random oracle is used in practice follows this XOR labeling rule, whereas prior pebbling reductions assumed that the random oracle was used in a rather different way, and that can introduce some challenges. We also give a construction of an inherently sequential round function, so we can reclaim that order-of-magnitude cost reduction.

So let me start off by telling you about the greedy pebbling attack, which is actually quite a simple attack. We pebble nodes in topological order, and we discard the pebble on a node v as soon as that pebble is no longer needed: as soon as we've pebbled the greatest child of node v, we can remove the pebble on node v. So it's a simple sequential pebbling strategy, and Boneh et al. showed that this strategy yields attack quality roughly 5 against Argon2i. Now, the parallel pebbling attacks against Argon2i actually yield a higher quality attack, on the order of N to the 0.22, so that's an asymptotic improvement, not just a constant factor improvement. For this reason, in our CCS paper we didn't look at the performance of the greedy pebbling algorithm, and in hindsight that was a mistake. What we show in this paper is that the greedy pebbling algorithm is effective against DRSample: namely, it achieves attack quality on the order of log N. This actually matches the asymptotic lower bound, since we proved that the cumulative complexity is at least N squared over log N, so the bound is tight. What's important here is that the attack has good constant factors. So now, if we redo the plot including the greedy pebbling strategy, here's Argon2i, and here's the attack quality against DRSample. We have high quality attacks against both, but we have even higher quality attacks against DRSample, and this holds even if we go all the way up to N equal to 2 to the 24, which I think is on the higher end of what one might consider for parameter settings. I'll just advertise here that our new construction is down at the bottom of this plot, so we do find a way to fix the problem.

OK. So now we have an attack which is surprisingly effective against DRSample, and we'd like to construct a new DAG which provides strong resistance to both attacks. The parallel depth-reducing attacks from Crypto 2016 were especially effective against Argon2i and many other iMHF candidates; DRSample was specifically designed to resist those attacks, but as we just showed, the greedy pebbling attack is effective against DRSample. To construct a DAG that resists both attacks, we start off with the bit reversal graph. Here we represent each node by a bit sequence, and we have two layers of nodes. We add an edge from each node in the first layer to the node in the second layer whose label is the bit-reversal: for example, take the node 0, 1, 1; if we reverse those bits we get 1, 1, 0, so we add an edge from node 011 to node 110.
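Here is a minimal sketch of both pieces just described: one common presentation of the bit reversal graph (a single path through both layers plus the bit-reversal edges; the exact edge layout in the paper may differ), and the greedy sequential pebbling strategy with its cumulative cost. Counting pebbles once per step, after placing and before discarding, is a simplifying assumption in the cost accounting.

```python
def bit_reversal_graph(n):
    """Bit reversal graph (sketch): two layers of N = 2^n nodes joined in a
    single path 0 -> 1 -> ... -> 2N-1, plus an edge from node i in the first
    layer to the second-layer node indexed by i with its n bits reversed."""
    N = 1 << n
    parents = [[] for _ in range(2 * N)]
    for v in range(1, 2 * N):
        parents[v].append(v - 1)                    # path edges
    for i in range(N):
        rev = int(format(i, f"0{n}b")[::-1], 2)     # reverse the n-bit index
        parents[N + rev].append(i)                  # bit-reversal edge
    return parents

def greedy_pebbling_cost(parents):
    """Cumulative cost of the greedy sequential pebbling: pebble nodes in
    topological order, drop a pebble once its greatest child is pebbled."""
    last_child = {v: v for v in range(len(parents))}  # sinks dropped after their own step
    for v, ps in enumerate(parents):
        for u in ps:
            last_child[u] = v
    pebbles, cost = set(), 0
    for v in range(len(parents)):
        pebbles.add(v)
        cost += len(pebbles)                          # pebbles held this round
        pebbles = {u for u in pebbles if last_child[u] > v}
    return cost

graph = bit_reversal_graph(4)       # 32 nodes in total
print(greedy_pebbling_cost(graph))
```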
This is actually an old graph: it was analyzed by Lengauer and Tarjan back in 1982, and they showed that any sequential pebbling has space-time complexity on the order of N squared. In fact, for this reason, it was the basis of the Catena iMHF proposal. A natural question to ask is, what about the cumulative memory complexity of sequential pebblings? This is a harder result, but if you use the right potential function, you can actually prove that the cumulative memory complexity is still on the order of N squared. So not just the space-time complexity, but the cumulative memory complexity is also N squared. But this is only for sequential pebblings. Unfortunately, the bit reversal graph is not a good candidate when we use it alone: Alwen and Serbinenko, back in 2015, gave a parallel pebbling with space-time complexity N to the 1.5. So if you allow parallel pebblings, the space-time complexity is not very high.

To patch this problem, we overlay the bit reversal graph with a depth-robust graph, in particular DRSample. So if we start with DRSample, our depth-robust graph, on the bottom, and our bit reversal graph on the top, all we're going to do is move DRSample on top of the bit reversal graph, and this gives us our overlaid graph. The first layer now represents the depth-robust graph, and we keep all the same edges connecting the first and second layers. Empirical analysis demonstrates that this graph is resistant to all known pebbling attacks: it inherits resistance to depth-reducing attacks from DRSample, and it inherits resistance to sequential pebblings from the bit reversal graph. That includes the greedy pebbling attack and any variant of it, because we can show that the graph resists any sequential pebbling strategy.

More interestingly, this combined graph actually yields stronger new properties. It's the first graph with strong sustained space complexity guarantees. In particular, we can prove that any parallel pebbling of this graph either has maximal sustained space complexity, N over log N pebbles for on the order of N rounds, or the cumulative cost of the pebbling is even larger than N squared. So this graph actually achieves high sustained space complexity, and in fact, if you play with the parameters, you can guarantee that you need s pebbles for t rounds, and you get a steeper penalty if you decrease s. We can also prove that, under plausible conjectures (see the paper for the precise statements), any parallel pebbling has cumulative cost at least N squared log log N over log N. So we pick up this extra log log N factor, and this would be an asymptotically tight result.

We can also now turn our attention back to pebbling reductions. Alwen and Serbinenko previously showed that any algorithm evaluating a memory hard function in the parallel random oracle model can be described in terms of an equivalent-cost pebbling strategy. The implication is that, to analyze the function, it's sufficient to understand the pebbling cost of G. But now we're going to open the hood a little bit and ask what labeling function is used. Alwen and Serbinenko assumed that the labeling function used concatenation of labels: before we apply the hash function, we concatenate all the parent labels and then hash them together. In practice, something different is done: we take all the parent labels, XOR them together, and then hash. We'll call this the XOR labeling rule.
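To spell out the difference between the two labeling rules just described, here is a minimal sketch with SHA-256 standing in for the random oracle and 32-byte labels; details such as how a node index or the input is mixed in are omitted here and vary between designs.

```python
import hashlib

def label_concat(parent_labels):
    """Concatenation rule: feed the parent labels to the hash one after another."""
    h = hashlib.sha256()
    for lab in parent_labels:
        h.update(lab)
    return h.digest()

def label_xor(parent_labels):
    """XOR rule: XOR all parent labels together, then make a single hash call."""
    acc = bytes(32)
    for lab in parent_labels:
        acc = bytes(a ^ b for a, b in zip(acc, lab))
    return hashlib.sha256(acc).digest()

a, b = hashlib.sha256(b"a").digest(), hashlib.sha256(b"b").digest()
print(label_concat([a, b]).hex())
print(label_xor([a, b]).hex())
# Note: if two nodes have identical parent sets, their labels coincide, and
# under the XOR rule those labels cancel in any common child -- the
# degenerate case discussed next.
```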
The XOR rule tends to be what's used in practice, namely because it's much more efficient. So one might wonder whether the prior intuition, that we can focus on pebbling cost, is actually still true for iMHFs that use the XOR labeling rule. And the answer is: not always. Here's a graph where, if you use the XOR labeling rule, the function you define is actually a constant function. The problem is that w and x have the same set of parents, which means they're going to have the same labels. And now the label of y is the hash of label(w) XOR label(x), which is just the hash of the all-zero string. So it's pretty easy to compute this function, and the cost is not at all related to the pebbling cost of the graph.

What we can show is that if your graph satisfies a property we call the unique parent property, then the same pebbling reduction goes through: namely, the cumulative memory complexity of the function equals the cost of pebbling the graph, up to a factor of delta, where delta is the maximum indegree of the graph. And we might ask, is this loss of the delta factor necessary? It turns out it is: if you take the complete DAG, delta is N, the cumulative memory complexity is only on the order of N, but the cumulative pebbling complexity is on the order of N squared. So in this case the loss of delta is actually necessary in the theorem. But I'll remark that in practice, delta is a small constant and the unique parent property does hold, so this pebbling reduction covers all of the interesting examples we would see in practice.

We also find a way to improve the round function. I will remark that we implemented our construction, and you can see here that whether we use the old edge structure or our new edge structure, and whether we use the old round function or our new inherently sequential round function, the performance is essentially the same. So the optimal thing to do would be to use the DRSample plus bit reversal graph edge structure together with the inherently sequential round function; this is going to maximize the attacker's cost.

I'm running out of time, so I'll just throw up a few open questions. I think one of the biggest open questions is really tightening some of these concrete bounds on the cumulative cost of G. Asymptotically we're almost there, but there are large gaps between the lower bounds and upper bounds in terms of constant factors. All right, so I will close there.

Thank you, Jeremiah. We have time for one quick question if someone has something.

You had inputs to some of your functions where the inputs were XORed. So the question arises, does it make sense to compute partial XORs ahead of time?

So the question is, when you're doing XORs, can you compute partial XORs ahead of time? And the answer is yes, you can compute partial XORs ahead of time. This is actually the reason why we lose the factor of delta in our reduction; that's exactly the challenge.

OK, thank you, Jeremiah.