I will give the talk. Okay, thanks. Good morning, everyone. Today's talk is about the complexity analysis of the scrypt function in the parallel random oracle model and its application to proofs of space. For time reasons, I'm going to focus on the scrypt function analysis and omit the part on proofs of space. The paper is joint work with Joël Alwen, Chethan Kamath, Vladimir Kolmogorov and Krzysztof Pietrzak from IST Austria, and Stefano Tessaro from UCSB.

Let's consider the following scenario. A user wants to register a new account on a website. He inputs his login ID and password, the website stores this information on the server, and later, when the user logs in, the website checks whether the password is consistent with the stored information. But this kind of scheme is very insecure: a hacker who steals the information on the server can log in as any other user, and, more seriously, the passwords themselves are leaked. So usually a cryptographic hash function f is used: instead of storing the ID and the password, we store the ID, a random salt, and the hash of the salted password, and the website checks whether the hash of the submitted password is consistent with the information on the server. Now, even if the adversary knows the information on the server, the only thing he can do to log in as another user is to enumerate all possible passwords until the hash of a password is consistent. So the question is: what function f should we use? The answer is that we should use a moderately hard function f. Let C be the cost of computing f. On the one hand, we want C to be not too large, so that honest users can afford it; on the other hand, we want C to be not too small, so that it is expensive for an adversary to execute the brute-force attack I just mentioned. So what is the right cost metric for C? Should it be time, memory, or energy?
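As a minimal sketch of the salted-hashing scheme just described (SHA-256 stands in for f; the function names `register` and `verify` are my own illustration, not part of the paper):

```python
import hashlib
import os

def register(password: str) -> tuple[bytes, bytes]:
    """Store a random salt and H(salt || password) instead of the password."""
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the salted hash and compare with the stored value."""
    return hashlib.sha256(salt + password.encode()).digest() == digest

salt, digest = register("hunter2")
assert verify("hunter2", salt, digest)
assert not verify("hunter3", salt, digest)
```

An attacker who steals `(salt, digest)` can still only guess passwords one at a time and run `verify` on each guess, which is exactly why the cost of f matters.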
So traditionally, time complexity is considered, where we measure the cost by the running time of the computation. In practice the common solution is an iteration scheme, where we apply the hash function iteratively and output the last label. But this kind of scheme has a problem: through hardware optimization, one can use application-specific integrated circuits, ASICs, to speed up hashing power considerably at equal cost. An adversary using ASICs can therefore compute the function on multiple inputs at the same time cost, and the scheme is no longer safe against brute-force attacks. Motivated by this, Percival in 2009 proposed the notion of sequential memory hardness. A function f is called sequential memory hard if, on the one hand, it can be computed sequentially with some cost, say O(n²), and on the other hand it cannot be computed with cost much lower, say O(n^{2−ε}) for any constant ε > 0, and this requirement should still hold even if the adversary can use parallel computation. In particular, here the cost means the space-time complexity, which is the product of the memory size used in the computation and the running time. Designing a sequential memory hard function has been a very important goal; it is now the primary target of the Password Hashing Competition. There are many proposed designs for sequential memory hard functions, for example scrypt, Catena, Argon2i, Argon2d, balloon hashing, and probably even more. But very few of these schemes have a good provable security analysis.
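A sketch of the iteration scheme (the choice of SHA-256 and the function name are illustrative):

```python
import hashlib

def iterated_hash(x: bytes, n: int) -> bytes:
    """f(x) = H^n(x): apply H iteratively n times and output the last label.
    Sequential time is n hash calls, but only constant memory is needed,
    which is exactly why ASICs can evaluate many instances cheaply in parallel."""
    label = x
    for _ in range(n):
        label = hashlib.sha256(label).digest()
    return label
```

Because each instance needs only a tiny circuit, an ASIC can run thousands of copies side by side, so the time cost alone does not protect against brute force.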
So in this work we are analyzing the core component of scrypt, called the ROMix function, and we give a better security analysis of this function. Note that ROMix is very similar to the core component of Argon2d, so our results also have implications there. In the rest of the talk I'll use "scrypt" and "ROMix" interchangeably: by scrypt I'll also mean the ROMix function. ROMix consists of two phases and is based on a standard hash function, which can be instantiated, for example, with SHA-256. The first phase is similar to the iteration scheme: we compute n labels iteratively, and the output is taken as the input of the second phase. The second phase also computes n labels, but here, to compute the next label from the previous label, say s, we first derive an index id from s, pick the corresponding label x_id computed in the first phase, take the XOR of x_id and the previous label s, and invoke the hash function h once to compute the next label. So on and so forth, until finally we compute the last label s_n, which is also the output of the ROMix function. First, let's see why this should be a memory hard function. On the one hand, there is a strategy that computes this function rather fast but incurs a large memory cost. The idea is that after the first phase the adversary remembers all the labels x_i computed in the first phase, and in the second phase, to compute each label, after deriving the corresponding index he invokes h once and computes the next label quickly. Since there are n labels in the second phase, the total running time is O(n), and the memory size is also O(n).
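A simplified, hedged sketch of the two phases; this is not the exact scrypt specification (the index derivation from the first four bytes of s and the 32-byte labels are illustrative choices of mine), but it shows the structure and the data dependence:

```python
import hashlib

def H(data: bytes) -> bytes:
    """Stand-in for the underlying hash function h (SHA-256 here)."""
    return hashlib.sha256(data).digest()

def romix(password: bytes, n: int) -> bytes:
    # Phase 1: compute n labels iteratively, x_1 = H(password), x_{i+1} = H(x_i).
    x = [H(password)]
    for _ in range(n - 1):
        x.append(H(x[-1]))
    # Phase 2: n more labels; the index accessed depends on the current label s,
    # which is what makes the function data dependent.
    s = H(x[-1])
    for _ in range(n):
        idx = int.from_bytes(s[:4], "big") % n          # id derived from s
        s = H(bytes(a ^ b for a, b in zip(x[idx], s)))  # H(x_id XOR s)
    return s
```

The fast strategy described above is exactly what this code does: the list `x` keeps all n phase-one labels in memory, so each phase-two step is a single hash call.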
On the other hand, if we only have a small amount of memory, we have to run this function for a rather long time. To see this: to compute a label in the second phase, after deriving the index id, we have to recompute x_id from the very beginning, from x_1 to x_2 to x_3, and only after id steps can we recover x_id and compute the next label. Since there are n labels in the second phase, and for each label in expectation we need O(n) steps, in expectation we need about n² steps in total, though we only use a constant number of memory blocks. More generally, as this example suggests, we can prove the following in the random oracle model, where we treat the function h as a random oracle: given a single input, for any adversary who uses space S(n) and time T(n), and for any constant ε > 0, the space-time complexity is Ω(n^{2−ε}); and note that in each step the adversary can query the random oracle on multiple inputs in parallel. Now consider computing the function f on multiple inputs in parallel: can we guarantee that, no matter what strategy the adversary uses, the cost of computing them in parallel is approximately equal to the cost of computing them sequentially? Unfortunately, if we take the cost to be space-time complexity, the answer is no. Why? Imagine a function f whose computing process on input 1 looks like this: in the first step the adversary has to incur a large memory cost, say n, but in each later step he only needs one memory block, for m steps in total, to finish the computation and produce the output; computing f on input 2 is similar.
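A quick simulation of the low-memory strategy's cost, under the heuristic (as in the random oracle model) that each challenge index is uniform; the accounting here is my own sketch, counting one hash call per recomputation step:

```python
import random

def recompute_steps(n: int, seed: int = 0) -> int:
    """Total hash evaluations in phase 2 when only O(1) labels are kept:
    each of the n random challenges idx must be re-derived from x_1, costing
    about idx + 1 sequential hash calls, plus one call for the next label."""
    rng = random.Random(seed)
    return sum(rng.randrange(n) + 2 for _ in range(n))

n = 1000
total = recompute_steps(n)
# Expected total is about n * (n/2 + 2), i.e. Theta(n^2) steps,
# versus Theta(n) for the strategy that stores all n labels.
assert total > n * n // 4
```

This is the time-memory tradeoff in miniature: O(n) memory gives O(n) time, while O(1) memory forces about n²/2 expected steps.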
So computing both inputs sequentially has cost n · 2m, because n is the memory size used and 2m is the running time of computing them one after the other. But on the other hand, if we compute them in parallel, we can achieve a much lower cost. In the first step we compute input 1, which has memory cost n; in the second step we continue computing input 1 but also initiate the computation of input 2, so in this step the memory cost is n + 1; we keep computing both inputs, and so on, and after m + 1 steps we can generate the outputs of both input 1 and input 2. This time the corresponding complexity becomes (n + 1) · (m + 1), because the running time is m + 1 and the memory size is n + 1, and this is much lower than computing them sequentially. Therefore space-time complexity is not robust against computing multiple inputs. To handle this problem, Alwen and Serbinenko in 2015 proposed a new notion, cumulative memory complexity (CMC), in the parallel random oracle model (pROM). In the pROM, the adversary can make a batch of parallel queries to the random oracle; after receiving the outputs he generates a new memory state σ_1, then he can make further queries to the random oracle and generate the second state, and so on, until finally he generates the output of the function. We define the CMC of the adversary to be the sum of the sizes of the memory states through the whole computation; basically it is the cumulative sum of the memory used over the computation. And this is a good approximation of an important hardware metric called area-time complexity, which is the product of the running time and the area of the circuit performing the computation.
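The two cost measures can be compared directly on the example above; this toy model of mine records only the memory used in each step of a schedule:

```python
def st(mem):   # space-time complexity: peak memory times number of steps
    return max(mem) * len(mem)

def cmc(mem):  # cumulative memory complexity: sum of per-step memory
    return sum(mem)

n = m = 100
one = [n] + [1] * (m - 1)               # one input: big first step, cheap tail
seq = one + one                         # two inputs computed one after the other
par = [n, n + 1] + [2] * (m - 2) + [1]  # second input started one step late

assert st(seq) == n * 2 * m             # 20000: sequential space-time cost
assert st(par) == (n + 1) * (m + 1)     # 10201: ST cost drops under parallelism
assert cmc(par) == cmc(seq) == 2 * (n + m - 1)  # but CMC is unchanged
```

The last assertion is exactly the robustness property discussed next: overlapping the cheap tails fools the space-time measure but not the cumulative one.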
A good property of CMC is that it is robust against computing multiple inputs in parallel. Looking at the previous example, the CMC of one input is n + (m − 1), because in the last m − 1 steps we only use one memory block per step; and computing the two inputs in parallel doesn't help anymore, because, as you can see in the previous example, the CMC of the parallel computation is 2(n + m − 1), which is exactly the cost of computing them sequentially. So it is better to use CMC instead of space-time complexity. Now let's revisit our memory hardness definition: we would like to say that a function f is memory hard if, on the one hand, it can be computed sequentially with CMC, for example, O(n²), and on the other hand it cannot be computed with CMC much lower, even with parallel computation power. Our first result says that in the pROM, given a single input x, for any adversary who computes f(x), and for any constant ε > 0, the CMC is Ω(n^{2−ε}); and, as in the pROM definition, in each step the adversary can query an unbounded number of inputs in parallel, yet this result still holds. But there is a caveat: this result holds for arbitrary adversaries only if we rely on a conjecture; if the conjecture is not true, we may not be able to say this. If we don't want to rely on any conjecture, we need to restrict the class of adversaries. For example, we may consider simple adversaries, which only store random-oracle outputs, that is, labels, in their memory state. But this is restrictive: there are definitely more powerful adversaries. For example, an adversary who, after learning several labels, chooses to memorize only the XOR of these labels, and later, as long as, as in this figure, he knows any three values out of the four labels, he can recover the remaining label for free; this kind of functionality is not achievable by simple adversaries. So we define entangled adversaries: an entangled adversary, after learning any set of labels, can choose to generate an encoding
of these labels, where the size of the encoding corresponds to a chosen integer t, such that later, given any ℓ − t labels of the set (ℓ being the number of labels in the set), he can generate the remaining labels for free. Our second result says that in the pROM, given a single input, the result holds for any entangled adversary, with no conjecture needed. For simplicity, in this talk I'll focus on the result with respect to simple adversaries, but I emphasize that all the results also hold in the entangled case. Okay, so now let's analyze the scrypt function with respect to CMC. How do we analyze it? The idea of AS15 was to model the computation of a memory hard function by a pebbling game, which was proposed by Dwork, Naor and Wee in 2005. But note that their approach requires the memory hard function to be data independent, while scrypt is not data independent, so their approach doesn't directly solve our problem. Still, let's first introduce the pebbling game, which will be helpful. In a pebbling game there is a graph: each node maps to a particular label in the memory-hard-function computation, and the edges represent dependencies between the labels. For example, here the value of L5 depends on the values of L3 and L4, so there are edges from 3 to 5 and from 4 to 5. Moreover, the graph can be pebbled: storing a label in the MHF is equivalent to storing a pebble on the corresponding node of the graph, and more generally a memory state of size S in the MHF can be mapped to a pebbling configuration with S pebbles. AS15 model the MHF computation by the pebbling game; in particular, a computation with memory space S can be modeled by a pebbling game with S pebbles. In each step the adversary can do the following. First, he can put a pebble on a node if all of its parents are pebbled; for example, here, since we have already pebbled 1, 2 and 3, we can simultaneously pebble 4 and 5, and this corresponds to querying inputs in parallel in the pROM. Second, he can also remove any set of pebbles from the configuration; this corresponds to releasing memory in the
MHF computation. The goal of the adversary is to pebble the output node, which corresponds to generating the output of the function. Okay, so analogously to cumulative memory complexity, AS15 define a corresponding parallel cumulative pebbling complexity (PCPC), which is, similarly, the minimum over all possible adversaries of the sum of the configuration sizes, where the configuration size means the number of pebbles in a pebbling configuration; for example, in this figure the best strategy is as follows, and the corresponding PCPC is 8. Now the natural question is: can we model the computation of the scrypt function with the pebbling game? As I mentioned before, no, because the pebbling graph is not fixed: the scrypt function is data dependent, since the index id we compute in the second phase depends on the value of the label s. Fortunately, we propose a new game, called the randomized pebbling game, which helps solve the problem, and we have a reduction showing that a lower bound on the PCPC of the randomized pebbling game gives us a lower bound on the CMC of the scrypt function with respect to simple adversaries. Note that we have a similar result, a lower bound on the PCPC of a related pebbling game together with a similar reduction, for entangled adversaries, but for simplicity it now suffices to consider the randomized pebbling game and analyze its PCPC to get the lower bound for scrypt. Essentially, the randomized pebbling game models the second phase of the scrypt computation. There is a line graph with n nodes, where each node corresponds to a label x_i computed in the first phase. Initially the adversary chooses an initial configuration P_0, and in each round the challenger sends a random challenge node, which corresponds to the index id. The adversary's task in this round is to pebble this node; in each step he can do whatever he can do in the normal pebbling game, and after he pebbles it, the challenger sends a new, independent random challenge, and so on. So in the
second round he also needs to pebble the new challenge, and so on; the adversary succeeds if he pebbles all n random challenge nodes. We define the PCPC exactly as for the normal pebbling game: the minimum, over all possible adversaries, of the expectation of the sum of the configuration sizes, where the randomness is taken over the adversary's strategy and, more crucially, also over the choice of the random challenges in each round. Our key lemma says that the PCPC of the randomized pebbling game is lower bounded by Ω(n²/log²n). Given this lemma, we can prove the claimed bound for the scrypt function. Next I'll roughly introduce the proof intuition of the lemma. Let's first consider the following problem: after fixing a configuration P, a new random challenge comes in, and the question is how long it takes to pebble this particular challenge, where we only care about time. Obviously the best strategy is to find the nearest pebbled node to the left and pebble forward from there; in this figure it takes three steps. We define t_i(P) to be the minimum number of steps to pebble a particular node i, and we define the potential Φ(P) of a configuration P to be the minimum expected number of steps to pebble a random challenge, conditioned on the configuration P. Then we have Φ(P) = Σ_i t_i(P) / n, since a random challenge has n possible choices and each choice has the same probability. Our idea for proving the lemma is to move the adversary into a much simpler game. How? For any adversary in the randomized pebbling game, consider the moment before the j-th challenge arrives: suppose the current configuration is P_0, then the j-th challenge comes, and suppose it takes the adversary about K steps to pebble this challenge node before going on to the next round. Our observation is that K will be at least approximately the potential of P_0; we need a little more work to argue this, but let's just assume it. So now
we can put the adversary into a new game which is much simpler but still captures the analysis; the only constraint is that in each round we ask the adversary to take at least this number K of steps. More specifically, we consider the expectation game: initially the adversary picks an initial configuration P_0, and in each round, conditioned on the current configuration P, the challenger computes the potential of P and asks the adversary to take at least that number of steps in this round; the adversary obeys the rule, runs that number of steps, and goes on to the next round, where the challenger computes the corresponding potential again and asks him to take that many steps; the game ends when the adversary finishes all n rounds. We define the PCPC exactly as in the randomized pebbling game, and we have a reduction showing that a lower bound on the PCPC of the expectation game is a lower bound on the PCPC of the randomized pebbling game. So to prove the lemma, it now suffices to analyze the expectation game. Analyzing the PCPC of the expectation game relies on two crucial observations about any pebbling configuration P: first, the size of the configuration multiplied by its potential is large, namely |P| · Φ(P) = Ω(n); second, after one step of configuration change, the corresponding potential can decrease by at most one. Based on these two properties we can prove that the PCPC of the expectation game is lower bounded by Ω(n²/log²n). This is one of the core theorems of the work, but for time reasons, more details can be found in the paper. So finally, to summarize: we give the first lower bound on the cumulative memory complexity, which we think is a better measure than space-time complexity, of the scrypt function with respect to entangled adversaries, and under a conjecture our result holds for arbitrary adversaries. It is an open question whether our result holds for arbitrary adversaries
without relying on any conjecture. Moreover, more details about our proof techniques can be found in the full version of the paper. Okay, that's all, thanks for your attention.

[Q&A]

Q: This last thing, it's still open as of today, this arbitrary-adversary question, the conjecture? Is it still open?

A: I think it may still be open, but close to an answer; for arbitrary attackers it's almost solved. The thing is that there are some conjectures that make the reduction not tight, but maybe there are also other analyses or approaches by which we can prove the result without any conjecture.

Q: This bound looks like n squared over log squared, I guess. Just to make sure: what do you expect to be tight? There is a way to pebble it in about n² steps, so is the bound close to tight?

A: I see, yes; there may also be a better proof.

All right, so let's thank the speaker. Thank you.