Introduction

Memory hard function is abbreviated as MHF. In cryptography, the memory hard function (MHF) is a function that requires a lot of memory to complete. MHF is mainly used in proof of work. Because it takes a lot of memory, MHF will also be used in the password hash to prevent malicious cracking.

Also familiar with MHF is an MBF (memory-bound function), which is called a memory-bound function, which slows down the calculation speed through memory delay, thereby incurring calculation costs.

Why do we need MHF

We know that the execution of an application requires two parts, one part is the CPU, which is used to provide computing power, and the other part is memory, which is used to provide storage capacity.

In terms of Bitcoin, Bitcoin mining is actually a function of repeatedly calculating SHA-2. When the result is small enough, mining is successful. But for traditional CPUs, when the task is to calculate the same fixed function repeatedly, the efficiency will be very low. So miners invented specific application integrated circuits (ASICs), or mining machines, to greatly improve the efficiency of this calculation. Since then, mining has only been in the hands of miners or mining pools, because ordinary people simply cannot compete with them.

Because SHA-2 only relies on the CPU, if the CPU is good enough, or ASIC is used to optimize the algorithm, it can surpass others and gain an advantage.

And what comes with it is the meaningless waste of computing power and the surge in electricity consumption. This is actually not what we want. So a new algorithm is needed to change this situation.

We noticed that in addition to the CPU, the program also needs to use memory, which is a scarce resource compared to the CPU. For example, if calculating a function requires 1G of space, for ordinary people, an 8-core 16G computer can calculate 16 functions at the same time. If you want to speed up the calculation, you need to increase the memory space, and the speed increase will not be too obvious, so if you use the memory as the calculation limit, you can greatly reduce the malicious calculation, so that encryption and decryption become relatively fair.

Therefore, we need MHF.

Memory hard evaluation method

So what is called memory hard? We can measure it from three aspects. The first aspect is the cumulative memory complexity, referred to as CMC for short. In the parallel model, CMC measures the difficulty of memory by adding up all the inputs of each step.

Another method is to use the product of time and memory to measure. Another method is to calculate the consumption of memory bandwidth on the memory bus. This type of function is also called bandwidth-hard functions (BHF).

Types of MHF

According to the evaluation method of MHF, MHF can be divided into two types, namely data-dependent (dMHF) and data-independent (iMHF).

Data-dependent (dMHF) means that the data calculated later needs to depend on the previous data, but it is uncertain which messages are needed.

Data-independent (iMHF) means that the data on which subsequent calculations depend is determined.

Examples of dMHFs are scrypt and Argon2d. Examples of iMHFs are Argon2i and catena.

Due to the memory characteristics of MHF, it is very suitable for use as a password hash function.

Because dMHF is data-dependent, it has stronger memory-hard characteristics in cryptography than iMHF. But dMHF has a problem, that is, it is vulnerable to side-channel attacks such as cache timing. For this reason, people tend to use iMHFs as a cryptographic encryption algorithm.

The cryptographic significance of MHF

We know that MHF is mainly used for password encryption, mainly to resist ASIC (application integrated circuit) cracking. Above we mentioned 3 kinds of measurement methods, here we use the product of time and memory to express.

Normally, given the password P and the salt S, we use the Hash function H to generate the result Tag.

But for the cracker, what they get is Tag and S, and hope to obtain P through various reverse methods, as shown below:

In the case of password hashing, we assume that the password creator allocates a certain execution time (such as 1 second) and a certain number of CPU cores (such as 4 cores) to each password. Then he uses the maximum amount of memory M to hash the password.

So for password crackers, they use ASIC to crack. Assuming that the memory area that needs to be used is A, the time T to run the ASIC is determined by the length of the longest calculation chain and the ASIC memory latency. I want to maximize the product of AT. So as to achieve the meaning of preventing cracking.

Generally speaking, the memory of an ASIC machine must be smaller than the ordinary memory M, assuming A=aM, where a <1. According to the principle of time trade-off, when the memory is used less, the corresponding calculation time will naturally become longer. Assuming that C(a) times need to be calculated, then the corresponding calculation time will be extended to D(a) times.

We can get the following maximization formula:
image.png

If in the above formula, when a approaches 0, D(a)> 1/a. In other words, as long as the used memory becomes smaller, the product of memory and time will be larger than before. For such a function, we call it a memory-hard function.

Application of memory-hard in MHF

Considering the application of memory-hard in MHF, it is necessary to prepare some initial data through memory before calculating the password hash. These initialization tasks are the essence of memory-hard.

The initialization of the memory array B[i] can be briefly summarized as the following steps:

Initial value: image.png

For index j from 1 to t in the memory array, we initialize it in the following way:

image.png

Where G is the compression function and image.png is the index function.

According to image.png , we can divide MHF into two types, one is data independent type, that is to say image.png does not depend on the input password P and salt S, then the entire memory array B value can be obtained in the password and Salt was built before, and can be calculated at the same time with the help of parallel computing functions.

Assuming that the memory occupied by a computing core G is beta times the total memory, then the product of time and memory in this case is:

image.png

If image.png depends on the entered password P and salt S, then I call this situation data independent. In this case, parallel calculations cannot be performed. If the final number of calculations is a tree with an average depth of D, then the product of time and memory in this case can be expressed as:

image.png

The above is the cryptographic meaning of MHF.

This article has been included in http://www.flydean.com/memory-hard/

The most popular interpretation, the most profound dry goods, the most concise tutorial, and many tips you don't know are waiting for you to discover!

Welcome to pay attention to my official account: "Program those things", know technology, know you better!


flydean
890 声望433 粉丝

欢迎访问我的个人网站:www.flydean.com


引用和评论

0 条评论