The Parallel Reversible Pebbling Game: Analyzing the Post-Quantum Security of iMHFs

CryptoDB

The Parallel Reversible Pebbling Game: Analyzing the Post-Quantum Security of iMHFs

Authors:	Jeremiah Blocki , Purdue University Blake Holman , Purdue University Seunghoon Lee , Purdue University
Download:	Search ePrint Search Google
Presentation:	Slides
Conference:	TCC 2022
Abstract:	The classical (parallel) black pebbling game is a useful abstraction which allows us to analyze the resources (space, space-time, cumulative space) necessary to evaluate a function $f$ with a static data-dependency graph $G$ . Of particular interest in the field of cryptography are data-independent memory-hard functions $f_{G, H}$ which are defined by a directed acyclic graph (DAG) $G$ and a cryptographic hash function $H$ . The pebbling complexity of the graph $G$ characterizes the amortized cost of evaluating $f_{G, H}$ multiple times as well as the total cost to run a brute-force preimage attack over a fixed domain $X$ , i.e., given $y \in {0, 1}^{*}$ find $x \in X$ such that $f_{G, H} (x) = y$ . While a classical attacker will need to evaluate the function $f_{G, H}$ at least $m = \| X \|$ times a quantum attacker running Grover's algorithm only requires $O (\sqrt{m})$ blackbox calls to a quantum circuit $C_{G, H}$ evaluating the function $f_{G, H}$ . Thus, to analyze the cost of a quantum attack it is crucial to understand the space-time cost (equivalently width times depth) of the quantum circuit $C_{G, H}$ . We first observe that a legal black pebbling strategy for the graph $G$ does not necessarily imply the existence of a quantum circuit with comparable complexity --- in contrast to the classical setting where any efficient pebbling strategy for $G$ corresponds to an algorithm with comparable complexity evaluating $f_{G, H}$ . Motivated by this observation we introduce a new parallel reversible pebbling game which captures additional restrictions imposed by the No-Deletion Theorem in Quantum Computing. We apply our new reversible pebbling game to analyze the reversible space-time complexity of several important graphs: Line Graphs, Argon2i-A, Argon2i-B, and DRSample. Specifically, (1) we show that a line graph of size $N$ has reversible space-time complexity at most $O (N^{1 + \frac{2}{\sqrt{\log N}}})$ . (2) We show that any $(e, d)$ -reducible DAG has reversible space-time complexity at most $O (N e + d N 2^{d})$ . In particular, this implies that the reversible space-time complexity of Argon2i-A and Argon2i-B are at most $O (N^{2} \log \log N / \sqrt{\log N})$ and $O (N^{2} / \sqrt[3]{\log N})$ , respectively. (3) We show that the reversible space-time complexity of DRSample is at most $O (N^{2} \log \log N / \log N)$ . We also study the cumulative pebbling cost of reversible pebblings extending a (non-reversible) pebbling attack of Alwen and Blocki on depth-reducible graphs.

BibTeX

@inproceedings{tcc-2022-32581,
  title={The Parallel Reversible Pebbling Game: Analyzing the Post-Quantum Security of iMHFs},
  publisher={Springer-Verlag},
  author={Jeremiah Blocki and Blake Holman and Seunghoon Lee},
  year=2022
}

International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

The Parallel Reversible Pebbling Game: Analyzing the Post-Quantum Security of iMHFs

BibTeX

International Association for Cryptologic Research

International Associationfor Cryptologic Research

CryptoDB

The Parallel Reversible Pebbling Game: Analyzing the Post-Quantum Security of iMHFs

BibTeX

International Association
for Cryptologic Research