This document discusses memory hard functions (mhfs) in cryptography, which require significant memory for evaluation and serve as proof-of-work. It contrasts mhfs with memory bound functions and explains their measurement through cumulative memory complexity, physical time integration, and memory bandwidth consumption. The document further categorizes mhfs into data-dependent and data-independent types, highlighting their applications in password hashing and potential vulnerabilities, especially in data-dependent functions.

1. BLOCKCHAIN TECHNOLOGY
Dr.P.Vishvapathi
Professor, CSE Department

2. I UNIT
MEMORY HARD ALGORITHM

3. • In cryptography, a memory hard
function (MHF) is a function that costs
significant amount of memory to evaluate.
• It is different from memory bound functions,
the latter incurs cost by slowing down
computation through memory latency.
• MHFs find their use as a form of proof-of-work
.

4. • There are different ways to measure the memory
hardness of a function. A commonly seen measure
is Cumulative Memory Complexity (CMC). In a
parallel model, CMC measures memory hardness
by summing up all the inputs on each step.
• Another viable measure is integrating memory
against physical time.
• Yet another measure is the memory bandwidth
consumption on a memory bus. This category of
functions are also dubbed "Bandwidth-hard
functions".

5. • There is a reason why MHFs cost a lot of memory instead of,
say, CPU cycles.
• Bitcoin used repeated evaluation of SHA function as proof of
work, but it turned out that modern general purpose
processors, i.e. off-the-shelf CPUs are very inefficient when
tasked to compute a fixed function over and over.
• Miners adopted application-specific integrated circuits, ASICs,
and achieved 10^16 speedup. While this is fine for what
bitcoin is good for, we want a more "egalitarian" hardness
measure.
• In other words, we want everyone to be equally inefficient in
computing the function even if they have an ASIC.

6. Because if some people can evaluate the function
efficiently and some can't, then in order to make the
function relatively hard for the short-cut takers, we will
make the function too hard for a regular user.
If everyone is inefficient, then everyone can evaluate a
moderately-hard function.
Over time, it has been recognized that memory cost
remains fairly equal across the board. Hence MHF.

7. Based on their evaluation patterns, MHFs can be put into two camps:
data-dependent (dMHF) and data-independent (iMHF). dMHFs are that
which sometimes you don't know which pieces of information you
would still need for later calculations, and iMHFs are ones that there's
no such ambiguity. Examples of dMHFs are scrypt, argon2d.
Examples of iMHFs are argon2i, catena. Many of these MHFs are
developed to be used as password hashing functions exactly because
of their memory hardness.
dMHFs have the glaring problem that they are prone to side channel
attacks like cache timing. People tend towards iMHFs for this reason,
especially when you are doing password hashing. However iMHFs are
mathematically proven to have weaker memory hardness properties
than dMHFs.