Score:1

Memory-hard key derivation algorithm where all requested memory is needed at every time moment

in flag

Background. All MKDF (memory-hard KDF) algorithms that I know (Scrypt, Argon2, Balloon) don't really require all the memory at every moment during the run time of algorithm's implementation, but instead require a hefty computational penalty when less memory is used.

Roughly, the memory usage against time graph looks like this (of course, better MKDFs will have more adjacent spikes): enter image description here (Image from there)

I think this limitation (not needing memory at every moment) is due to how general purpose computers work (e.g. CPU, RAM).

Question. If we lax the assumption about hardware (e.g. allow for specialised hardware) can we define an MKDF algorithm that requires all its memory at every time moment? E.g. can we make it such that the graph shows a straight line?

My thoughts so far. Imagine if we have a mechanical memory plane, where the state of every memory bit is connected to the state of every other bit, such that if we flip one bit's value, it will cause to flip every other bit in the entire memory.

With this mechanical memory plane, we perform a single instruction that flips 1 bit, and that single operation will mechanically flip the state of all other bits.

If the relationship between the bits is not predictable (e.g. similar to how a small change in a block worth of clear text results in complete change in the cipher text), then I guess this mechanical memory has became an MKDF that can work like this:

  1. User initialises the memory by filling it with random bits that are generated off some seed. This is done only once.
  2. User encodes his password in the most significant bits the mechanical memory plane. This is obviously done every time the user wants to derive a more secure key off his password.
  3. As the user is encoding his password in the early bits of that mechanical memory sheet, the states of all bits in the mechanical memory sheet will be flipping in an unpredictable way.
  4. Finally, when the user is done encoding his password, he simply picks the least significant bits of that mechanical memory plane as the derived key.

If an adversary tries to do this with a smaller mechanical memory plane (with less memory bits), then his derived key will be totally random.

If my guesses are right, and that implementing such hardware is doable, then:

  • This is a platform for MKDF hardware-based algorithms that always require the same amount of memory, at every single time moment during the run-time of the key derivation function.
  • The user buys a single mechanical memory plane for his own logins, so the user can afford it as it's a single purchase. But the adversary will have to buy many of these sheets in order to do them in parallel. So I guess it's scalable for the user, but not scalable for the adversary.

I guess we can implement this mechanical memory plane using:

  • Entangled quanta is probably a more natural way of thinking about it.
  • A large mechanical board with lots of grease so that the cogs don't get stuck.
  • Electronics for a smaller and less greasy alternative.
caveman avatar
in flag
@kelalaka - True, but the amount is irrelevant to the question. For any amount of memory you set in them, the implementation does not need all of the memory at every single time moment.
caveman avatar
in flag
@kelalaka - I know that already. Added a graph to show better what I mean.
caveman avatar
in flag
Yes. Same graph; it's showing the concept, which applies to all MKDFs that I know so far (which is about 5?).
kelalaka avatar
in flag
Nope, just tested, definitely, Argon2 memory usage is not two spikes, there is very little memory drop time that cannot be used to amortize...
caveman avatar
in flag
@kelalaka - You're not understanding how that graph works. I'll stop here.
kelalaka avatar
in flag
I've looked at my memory increase per sec. And, there is much for the amortization at all. Install Argon2 and try.. ( see the image on the [chat](https://chat.stackexchange.com/transcript/message/59379296#59379296) )
ckamath avatar
ag flag
Good question. I think the notion that you are interested in is called *sustained space complexity* and was explored [here](https://eprint.iacr.org/2018/147). They also give construction of MHFs with high sustained space complexity in the random oracle model.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.