Attacking Data Independent Memory Hard Functions Jeremiah Blocki (Microsoft Research/Purdue) Joel Alwen (IST Austria)

Motivation: Password Storage jblocki, 123456 Username jblocki Salt 89d978034a3f6 Hash 85e23cfe0021f584e3db87aa72630a9a2345c062 Suppose that I register for an account at playstation.com SHA1(12345689d978034a3f6)=85e23cfe0021f584e3db87aa72630a9a2345c062 +

Offline Attacks: A Common Problem Password breaches at major companies have affected millions of users. Unfortunately, offline dictionary attacks are quite common. Password breaches at major companies have affected millions of users.

Offline dictionary attacks are also very powerful Offline dictionary attacks are also very powerful. Some password hash functions can be evaluated at 348 billion hashes per second! How can we defend against these attacks?

Goal: Moderately Expensive Hash Function Equitable Cost? One proposed defense is to intentionally make the cryptographic hash function more expensive to evaluate by using a cryptographic hash function like BRCRYPT or sCrypt. The tradeoff is that making the hash function more expensive to evaluate increases costs for the adversary and a legitimate server. Note: This slide could be skipped if the presentation is too long.

Bitcoin Mining (SHA256) is not Equitable! Cost(SHA256) varies by a factor of 106

Memory Costs: Equitable Across Architectures

Outline Motivation Data Independent Memory Hard Functions (iMHFs) Graph Pebbling Measuring Pebbling Costs Desiderata Attacks iMHFs Constructing iMHFs (New!) Open Questions

Memory Hard Function (MHF) Intuition: computation costs dominated by memory costs Data Independent Memory Hard Function (iMHF) Memory access pattern should not depend on input

iMHF (fG,H) Defined by H: 0,1 2𝑘→ 0,1 𝑘 (Random Oracle) DAG G (encodes data-dependencies) Maximum indegree: 𝛿=O 1 2 4 Input: 1 1 Output: fG,H (pwd,salt)= L4 3 pwd, salt 𝐿3=𝐻(𝐿2,𝐿1) 𝐿1=𝐻(𝑝𝑤𝑑,𝑠𝑎𝑙𝑡)

Evaluating an iMHF (pebbling) 2 4 Output: L4 Input: 1 1 3 pwd, salt 𝐿3=𝐻(𝐿2,𝐿1) 𝐿1=𝐻(𝑝𝑤𝑑,𝑠𝑎𝑙𝑡) Pebbling Rules : 𝑃 =P1,…,Pt⊂𝑉 s.t. Pi+1⊂Pi∪ 𝑥∈𝑉 parents 𝑥 ⊂Pi+1 (need dependent values) n∈ Pt (must finish and output Ln)

Pebbling Example 1 1 2 3 3 4 4 5 5

Pebbling Example 1 2 3 4 5 P1 = {1}

Pebbling Example 1 2 3 4 5 P1 = {1} P2 = {1,2}

Pebbling Example 1 2 3 4 5 P1 = {1} P2 = {1,2} P3 = {3}

Pebbling Example 1 2 3 4 5 P1 = {1} P2 = {1,2} P3 = {3} P4 = {3,4}

Pebbling Example P1 = {1} P2 = {1,2} P3 = {3} P4 = {3,4} P5 = {5} 1 2

Measuring Cost: Attempt 1 Space × Time (ST)-Complexity ST 𝐺 = min 𝑃 𝑡 𝑃 × max 𝑖≤ 𝑡 𝑃 𝑃 𝑖 Rich Theory Space-time tradeoffs But not appropriate for password hashing Problem: Does not amortize! 𝑆𝑇 𝐺,𝐺 <2×𝑆𝑇(𝐺)

Measuring Cost: Attempt 2 Cumulative Complexity (CC) CC 𝐺 = min 𝑃 𝑖=1 𝑡 𝑃 𝑃 𝑖 Amortization CC 𝐺,𝐺 =2×CC(𝐺)

Pebbling Example (CC) CC 𝐺 ≤ 𝑖=1 5 𝑃 𝑖 =1+2+1+2+1 =7 P1 = {1} 3 4 5 P1 = {1} CC 𝐺 ≤ 𝑖=1 5 𝑃 𝑖 =1+2+1+2+1 =7 P2 = {1,2} P3 = {3} P4 = {3,4} P5 = {5}

Energy Complexity ER 𝐺 = min 𝑃 𝑖=1 𝑡 𝑃 𝑃 𝑖 +R 𝑃 𝑖 \ 𝑃 𝑖−1 Energy Ratio: Cost to compute H in memory-watt-tocks R≈3,000 Memory costs in memory-watt-tocks

Energy Complexity ER 𝐺 =θ CC(𝐺) ER 𝐺 = min 𝑃 𝑖=1 𝑡 𝑃 𝑃 𝑖 +R 𝑃 𝑖 \ 𝑃 𝑖−1 ER 𝐺 =θ CC(𝐺) Memory costs (equitable) Cost of querying H (inequitable)

Naïve Pebbling Algorithm Sequential Algorithm (Naïve) Constraint: One new pebble per round Example Naïve (Pebble in Topological Order) Never discard pebbles Time: n Average #pebbles: n/2. ER(Naïve) = θ Rn+n2

Amortized Attack Quality Quality𝑅 𝐴 = ER(Naïve) ER 𝐴 ×#𝑖𝑛𝑠𝑡(𝐴)

Desiderata Find a DAG G and a sequential pebbling algorithm N with Constant Indegree (𝛿=2) QualityR(A) ≤𝑐 for every adversary A (c small). ER(Naive) ≥ 𝑛2 𝜏 +R𝑛 for some small value 𝜏.

Desiderata … Find a DAG G and a sequential pebbling algorithm N with Constant Indegree (𝛿=2) QualityR(A) ≤𝑐 for every adversary A (c small). ER(Naive) ≥ 𝑛2 𝜏 +R𝑛 for some small value 𝜏. The following DAG satisfies Goals 1 and 2, but not 3. … 1 2 3 n

Desiderata … Find a DAG G and a sequential pebbling algorithm N with Constant Indegree (𝛿=2) QualityR(A) ≤𝑐 for every adversary A (c small). ER(Naive) ≥ 𝑛2 𝜏 +R𝑛 for some small value 𝜏. … 1 2 3 n

Desiderata … Find a DAG G and a sequential pebbling algorithm N with Constant Indegree (𝛿=2) QualityR(A) ≤𝑐 for every adversary A (c small). ER(Naive) ≥ 𝑛2 𝜏 +R𝑛 for some small value 𝜏. … 1 2 3 n

Desiderata Find a DAG G and a sequential pebbling algorithm Naïve with Constant Indegree (𝛿=2) QualityR(A) ≤𝑐 for every adversary A (c small). ER(Naïve) ≥ 𝑛2 𝜏 +R𝑛 (𝜏 small). … 1 2 3 n

ER(Naive)=ER(G)=n+Rn Cost dominated by queries to H (inequitable) Desiderata ER(Naive)=ER(G)=n+Rn Cost dominated by queries to H (inequitable) Find a DAG G and a sequential pebbling algorithm N with Constant Indegree (𝛿=2) QualityR(A) ≤𝑐 for every adversary A (c small). ER(Naive) ≥ 𝑛2 𝜏 +R𝑛 for some small value 𝜏. … 1 2 3 n

Memory costs should dominate Desiderata Find a DAG G and a sequential pebbling algorithm N with Constant Indegree (𝛿=2) QualityR(A) ≤𝑐 for every adversary A (c small). ER(Naive) ≥ 𝑛2 𝜏 +R𝑛 for some small value 𝜏. Memory costs should dominate

c-Ideal iMHF Find a DAG G and a sequential pebbling algorithm N with Constant Indegree (𝛿=2) QualityR(A) ≤𝑐 for every adversary A (c small). ER(Naive) ≥ 𝑛2 𝜏 +R𝑛 for 𝜏=𝑂(1).

Outline Motivation Data Independent Memory Hard Functions (iMHFs) Attacks General Attack on Non Depth Robust DAGs Existing iMHFs are not Depth Robust No c-Ideal iMHF exists Constructing iMHFs (New!) Open Questions

Depth Robustness Definition: A DAG G=(V,E) is (e,d)-reducible if there exists 𝑆⊆𝑉 s.t. 𝑆 ≤𝑒 and depth(G-S) ≤d. Otherwise, we say that G is (e,d)-depth robust. Example: (1,2)-reducible 1 2 3 4 5

Depth Robustness Definition: A DAG G=(V,E) is (e,d)-reducible if there exists 𝑆⊆𝑉 s.t. 𝑆 ≤𝑒 and depth(G-S) ≤d. Otherwise, we say that G is (e,d)-depth robust. Example: (1,2)-reducible 1 2 3 4 5

Attacking (e,d)-reducible DAGs Input: |S| ≤e such that depth(G-S) = d, g > d Light Phase (g rounds): Discard most pebbles! Only keep pebbles on S and on parents of the g new nodes to be pebbled in this phase. Round Cost: ≤ e + 𝛿g + R Balloon Phase (d rounds): Greedily Recover Missing Pebbles Takes at most d steps. Cost: ≤ dn+Rn In ≤ d rounds we can recover all of the pebbles. One Balloon Phase: Cost = O(dn) All Balloon Phases: Total Cost= O(dn2/g). Each round of a balloon phase is potentially very expensive. Key: balloon phase ends quickly! Light Phase: Discard most pebbles! Only keep pebbles on parents of next g nodes. One Light Phase: Cost = O(g|S|) All Light Phases: Total Cost = O(g|S|(n/g))= O(n|S|)

Attacking (e,d)-reducible DAGs In ≤ d rounds we can recover all of the pebbles. One Balloon Phase: Cost = O(dn) All Balloon Phases: Total Cost= O(dn2/g). Each round of a balloon phase is potentially very expensive. Key: balloon phase ends quickly!

Main Theorem Theorem (Depth-Robustness is a necessary condition): If G is (e,d)- reducible then is an (efficient) attack A such that ER 𝐴 ≤𝑒𝑛+𝛿𝑔𝑛+ 𝑛 𝑔 𝑛𝑑 +𝑛R+ 𝑛 𝑔 𝑛R.

Main Theorem Theorem (Depth-Robustness is a necessary condition): If G is (e,d)- reducible then is an (efficient) attack A such that ER 𝐴 ≤𝑒𝑛+𝛿𝑔𝑛+ 𝑛 𝑔 𝑛𝑑 +𝑛R+ 𝑛 𝑔 𝑛R. Never delete pebbles from nodes x∈𝑆, where 𝑆 =𝑒 depth(G-S) ≤𝑑 #pebbling rounds

Main Theorem Theorem (Depth-Robustness is a necessary condition): If G is (e,d)- reducible then is an (efficient) attack A such that ER 𝐴 ≤𝑒𝑛+𝛿𝑔𝑛+ 𝑛 𝑔 𝑛𝑑 +𝑛R+ 𝑛 𝑔 𝑛R. Maintain pebbles on parents of next g nodes to be pebbled. #pebbling rounds

Main Theorem Theorem (Depth-Robustness is a necessary condition): If G is not (e,d)- node robust then is an (efficient) attack A such that ER 𝐴 ≤𝑒𝑛+𝛿𝑔𝑛+ 𝑛 𝑔 𝑛𝑑 +𝑛R+ 𝑛 𝑔 𝑛R. Length of a balloon phase #balloon phases Max #pebbles on G In each round of balloon phase

Main Theorem Theorem (Depth-Robustness is a necessary condition): If G is not (e,d)- node robust then is an (efficient) attack A such that ER 𝐴 ≤𝑒𝑛+𝛿𝑔𝑛+ 𝑛 𝑔 𝑛𝑑 +𝑛R+ 𝑛 𝑔 𝑛R. Set 𝑔= 𝑛𝑑 ER 𝐴 =O 𝑒𝑛+ 𝑛3𝑑 .

Question Are existing iMHF candidates based on depth- robust DAGs?

Catena Catena Bit Reversal DAG ( BRG 𝜆 𝑛 ) 𝜆-layers of nodes (𝜆≤5) Edges between layers correspond to the bit-reversal operation Theorem[LT82]: ST( BRG 1 𝑛 )=Ω 𝑛 2 Catena Butterfly ( DBG 𝜆 𝑛 ) 𝜆=𝑂( log 𝑛) -layers of nodes Edges between layers correspond to FFT DBG 𝜆 𝑛 is a “super-concentrator.” Theorem[LT82] => ST( BRG 1 𝑛 )=Ω 𝑛 2 log⁡(𝑛) Thomas Lengauer and Robert Endre Tarjan. Asymptotically Tight Bounds on Time-Space Trade-offs in a Pebble Game. J. ACM, 29(4):1087–1130, 1982

𝜆-Layered DAG (Catena) … 2𝑛 𝜆+1 +1 2 3 4 5 𝑛 𝜆+1 Layer 𝜆 … … … 𝑛 𝜆+1 +1 +2 +3 4 5 2𝑛 𝜆+1 Layer 1 … 1 2 3 4 5 𝑛 𝜆+1 Layer 0

𝜆-Layered DAG (Catena) … 2𝑛 𝜆+1 +1 2 3 4 5 𝑛 𝜆+1 Layer 𝜆 … … … 𝑛 𝜆+1 +1 +2 +3 4 5 2𝑛 𝜆+1 Layer 1 … 1 2 3 4 5 𝑛 𝜆+1 Layer 0

𝜆-Layered DAG (Catena) … 2𝑛 𝜆+1 +1 2 3 4 5 𝑛 𝜆+1 Layer 𝜆 … … … 𝑛 𝜆+1 +1 +2 +3 4 5 2𝑛 𝜆+1 Layer 1 … 1 2 3 4 5 𝑛 𝜆+1 Layer 0 Disallowed! All edges must go to a higher layer (except for (i,i+1))

Layered Graphs are Reducible Theorem (Layered Graphs Not Depth Robust): Let G be a 𝜆-Layered DAG then G is 𝑛 2/3 , 𝑛 1/3 𝜆+1 -reducible. Corollary: ER 𝐺 ≤𝑂 𝜆𝑛 5/3 . Attack Quality: QualityR 𝐴 =Ω 𝑛 1/3 𝜆 .

Layered Graphs are Reducible Theorem (Layered Graphs Not Depth Robust): Let G be a 𝜆-Layered DAG then G is 𝑛 2/3 , 𝑛 1/3 𝜆+1 -reducible. Proof: Let 𝐒= 𝒊×𝒏 𝟏/𝟑 𝒊≤𝒏 𝟐/𝟑 any path p can spend at most 𝑛 1/3 steps on layer i. … … … … … … 𝑛 𝜆+1 1 2 𝑛 1/3 2𝑛 1/3 Layer 0 𝑛 1/3 𝑛 1/3

Layered Graphs are Reducible Theorem (Layered Graphs Not Depth Robust): Let G be a 𝜆-Layered DAG then G is 𝑛 2/3 , 𝑛 1/3 𝜆+1 -reducible. Proof: Let 𝐒= 𝒊×𝒏 𝟏/𝟑 𝒊≤𝒏 𝟐/𝟑 any path p can spend at most 𝑛 1/3 steps on layer i. … … … … … … 𝑛 𝜆+1 1 2 𝑛 1/3 2𝑛 1/3 Layer 0 𝑛 1/3 𝑛 1/3

ST complexity vs CC complexity CC(BRG 1 𝑛 )≪ ST(BRG 1 𝑛 )=Ω 𝑛 2 Previous attacks on Catena ( BRG 𝜆 𝑛 ) [AS15] CC(BRG 1 𝑛 )≤𝑂 𝑛 1.5 [BK15] ST(BRG 𝜆 𝑛 )≤𝑂 𝑛 1.8 for 𝜆 > 1. Our result CC(BRG 𝜆 𝑛 ) ≤𝑂 𝑛 1.67 Applies to all Catena variants. Alwen/Serbinenko Alex Biryukov and Dmitry Khovratovich

Argon2i [BDK] Argon2: Winner of the password hashing competition[2015] Authors recommend Argon2i variant (data-independent) for password hashing. Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from University of Luxembourg.

Argon2i … 1 2 3 4 i n

Argon2i random predecessor r(i) < i … 1 2 3 4 i n Indegree: 𝛿=2

Argon2i is a layered DAG (almost) … … n Layer 4 𝑛 … … 𝑛 3/4 +1 +2 +3 + 4 𝑛 2𝑛 3/4 Layer 1 … … 3 𝑛 3/4 1 2 4 𝑛 Layer 0

Argon2i is a layered DAG (almost) Definition: 𝑆2= 𝑣𝑖 𝑣 𝑟(𝑖) and v𝑖 in same layer … … n Layer 4 𝑛 … … 𝑛 3/4 +1 +2 +3 + 4 𝑛 2𝑛 3/4 Layer 1 … … 3 𝑛 3/4 1 2 4 𝑛 Layer 0 𝐂𝐥𝐚𝐢𝐦: E 𝑆2 =𝑂 𝑛 3/4 log 𝑛

Argon2i is a layered DAG (almost) Definition: 𝑆2= 𝑣𝑖 𝑣 𝑟(𝑖) and v𝑖 in same layer … … Layer 4 𝑛 … … 𝑛 3/4 +1 +2 +3 + 4 𝑛 2𝑛 3/4 Layer 1 … … 3 𝑛 3/4 1 2 4 𝑛 Layer 0 𝐸 𝐿𝑎𝑦𝑒𝑟 𝑖∩𝑆2 ≤ 𝑛 3/4 𝑖 Pr 𝑣∈𝑆2 𝑣 𝑖𝑛 𝐿𝑎𝑦𝑒𝑟 𝑖 ≤ 1 𝑖

Argon2i is a layered DAG (almost) Definition: 𝑆2= 𝑣𝑖 𝑣 𝑟(𝑖) and v𝑖 in same layer … … n Layer 4 𝑛 … … 𝑛 3/4 +1 +2 +3 + 4 𝑛 2𝑛 3/4 Layer 1 … … 3 𝑛 3/4 1 2 4 𝑛 Layer 0 𝐂𝐥𝐚𝐢𝐦: E 𝑆2 =𝑂 𝑛 3/4 log 𝑛

Argon2i is a layered DAG (almost) Let S = S1+S2 … … n Layer 4 𝑛 … … 𝑛 3/4 +1 +2 +3 + 4 𝑛 2𝑛 3/4 Layer 1 … … 3 𝑛 3/4 1 2 4 𝑛 Layer 0 𝐅𝐚𝐜𝐭: E 𝑆 =𝑂 𝑛 3/4 log 𝑛 and depth(G-S)≤ 𝑛 .

Argon2i is a layered DAG (almost) Let S = S1+S2 … … n Layer 4 𝑛 … … 𝑛 3/4 +1 +2 +3 + 4 𝑛 2𝑛 3/4 Layer 1 … … 3 𝑛 3/4 1 2 4 𝑛 Layer 0 𝐓𝐡𝐞𝐨𝐫𝐞𝐦: G is (2 𝑛 3/4 log 𝑛 , 𝑛 )-reducible with high probability.

… … … … … … Argon2i is a layered DAG (almost) Layer 4 𝑛 Layer 1 Let S = S1+S2 … … n Layer 4 𝑛 … … 𝑛 3/4 +1 +2 +3 + 4 𝑛 2𝑛 3/4 Layer 1 … … 3 𝑛 3/4 1 2 4 𝑛 Layer 0 Corollary: ER 𝐺 ≤𝑂 𝑛 7/4 log 𝑛 . QualityR 𝐴 ≤Ω 𝑛 1/4 log 𝑛 .

Do c-Ideal iMHFs exist? Reminder: DAG G and a sequential pebbling algorithm N with Constant Indegree (𝛿=2) QualityR(A) ≤𝑐 for every adversary A (c small). ER(Naive) ≥ 𝑛2 𝜏 +R𝑛 for 𝜏=𝑂(1). 𝐓𝐡𝐦[𝐀𝐒𝟏𝟓]: There is a DAG G with CC 𝐺 =Ω 𝑛 2 log 10+𝜀 𝑛 and 𝛿=2. 𝐂𝐨𝐫𝐨𝐥𝐥𝐚𝐫𝐲: G is c=polylog(n)-Ideal.

Do c-Ideal iMHFs exist? 𝐋𝐞𝐦𝐦𝐚[𝐕𝐚𝐥𝐢𝐚𝐧𝐭𝟕𝟕]: Let G=(V,E) be a DAG with depth d≤𝑛 then there is a set S⊂𝑉 of at most 𝑛𝛿 log 𝑑 nodes such that depth(G-S)≤ 𝑑 2 . 𝐓𝐡𝐞𝐨𝐫𝐞𝐦: Let G=(V,E) be a DAG with n nodes then there is a set S⊂𝑉 of 𝑛𝛿 log log 𝑛 log 𝑛 edges such that depth(G-S)≤ 𝑛 log 𝑛 . 𝐂𝐨𝐫𝐨𝐥𝐥𝐚𝐫𝐲: Let G=(V,E) be a DAG with n nodes then for any constant 𝜀>0 ER 𝐺 =𝑜 𝑛 2 log 1−𝜀 𝑛

NO! If c=O(1). Do c-Ideal iMHFs exist? 𝐂𝐨𝐫𝐨𝐥𝐥𝐚𝐫𝐲: Let G=(V,E) be a DAG with n nodes then for any constant 𝜀>0 ER 𝐺 =𝑜 𝑛 2 log 1−𝜀 𝑛 NO! If c=O(1).

Practical Consequences (R = 3,000)

Outline Motivation Data Independent Memory Hard Functions (iMHFs) Attacks Constructing iMHFs (New!) Joint work with Joel Alwen and Krzystof Pietrzak Open Questions Joint work with Joel Alwen and Krzysztof Pietrzak

New (Positive) Results 𝐊𝐞𝐲 𝐓𝐡𝐞𝐨𝐫𝐞𝐦: Let G=(V,E) be (e,d)-depth robust then CC(G)≥𝑒𝑑. 𝐓𝐡𝐞𝐨𝐫𝐞𝐦[𝐄𝐆𝐒𝟕𝟓]: There is an Ω 𝑛 ,Ω 𝑛 -depth robust DAG G with indegree 𝛿=𝑂 log 𝑛 . 𝐂𝐨𝐫𝐨𝐥𝐥𝐚𝐫𝐲: There is a DAG G with indegree 𝛿=𝑂 log 𝑛 and CC(G)≥Ω 𝑛 2 . 𝐓𝐡𝐞𝐨𝐫𝐞𝐦 (𝐈𝐧𝐝𝐞𝐠𝐫𝐞𝐞 𝐑𝐞𝐝𝐮𝐜𝐭𝐢𝐨𝐧): Let G’ be a DAG with n’ = n/(2𝛿′) nodes and indegree 𝛿’. If G’ is (e’,d’)-depth robust then we can construct a DAG G on n nodes such that G is (e’,d = 𝛿’d’)-depth robust and has maximum indegree 𝛿=2.

New (Positive) Results 𝐓𝐡𝐞𝐨𝐫𝐞𝐦 (𝐈𝐧𝐝𝐞𝐠𝐫𝐞𝐞 𝐑𝐞𝐝𝐮𝐜𝐭𝐢𝐨𝐧): Let G’ be a DAG with n’ = n/(2𝛿′) nodes and indegree 𝛿’. If G’ is (e’,d’)-depth robust then we can construct a DAG G on n nodes such that G is (e’,d = 𝛿’d’)-depth robust and has maximum indegree 𝛿=2. 𝐂𝐨𝐫𝐨𝐥𝐥𝐚𝐫𝐲: There is a DAG G with maximum indegree 𝛿=2 and CC(G)=Ω 𝑛 2 log 𝑛 . 𝐓𝐡𝐞𝐨𝐫𝐞𝐦: There is a DAG G with maximum indegree 𝛿=2 and CC(G)=Ω 𝑛 2 log 𝑛 . Furthermore, there is a sequential pebbling algorithm N with cost CC(N) =𝑂 𝑛 2 log 𝑛 .

(c,𝜏) -Ideal iMHFs Exist Find a DAG G and a sequential pebbling algorithm N with Constant Indegree (𝛿=2) QualityR(A) ≤𝑐 for every adversary A (c=O(1)). ER(Naive) ≥ 𝑛2 𝜏 +R𝑛 (𝜏=𝑂( log 𝑛 ) ).

Proof of Key Theorem 𝐊𝐞𝐲 𝐓𝐡𝐞𝐨𝐫𝐞𝐦: Let G=(V,E) be (e,d)-depth robust then CC(G)≥𝑒𝑑. Proof: Let P1,…Pt denote an (optimal) pebbling of G. For 0< i < d define Si= 𝑃 𝑖 ∪ 𝑃 𝑑+𝑖 ∪ 𝑃 2𝑑+𝑖 ∪… one of the sets Si has size at most CC(G)/d. Now we claim that d ≤ depth(G-Si) because any path in G-Si must have been completely pebbled at some point. Thus, it must have been pebbled entirely during the some interval of length d. Thus, G is (CC(G)/d,d)-reducible. It follows that CC(G)≥𝑒𝑑.

Pebbling Equivalence 𝐓𝐡𝐞𝐨𝐫𝐞𝐦 𝐀𝐒𝟏𝟓 (𝐈𝐧𝐟𝐨𝐫𝐦𝐚𝐥): Let H be a random oracle and let G be a DAG with constant indegree. For any pROM adversary A which evaluates (multiple instances of) fH,G we have Cost A = 𝑖=1 𝑇 𝐴 𝜎 𝑖 = θ 𝐶𝐶 𝐺 × #𝑖𝑛𝑠𝑡(𝐴)

Miscellaneous Results New Lower Bounds: CC(Argon2i) ≥ Ω 𝑛 1.5 CC(Catena) ≥ Ω 𝑛 1.5 New Upper Bounds: CC(Argon2i) = 𝑂 𝑛 1.71 CC(Catena) = 𝑂 𝑛 1.618

Open Questions Computational Complexity of CC(G) Efficient Algorithm to Approximate CC(G)? Hardness of Approximation? Improved Constructions of Depth-Robust Graphs Constants matter! What is CC(Argon2i)? Upper Bound: n1.71 Lower Bound: n1.5