Disproving the Conjectures from “On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model”

Abstract

In the paper “On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model” (Eurocrypt 2016) Joël Alwen et al. focused on proving a lower bound of the complexity of a general problem that underlies both proofs of space protocols [Dziembowski et al. CRYPTO 2015] as well as data-dependent memory-hard functions like scrypt — a key-derivation function that is used e.g. as proofs of work in cryptocurrencies like Litecoin. In that paper the authors introduced a sequence γn and conjectured that this sequence is upper bounded by a constant. Alwen et al. proved (among other results) that the Cumulative Memory Complexity of the hash function scrypt is lower bounded by Ω(n2/ (γn· log 2(n))). If the sequence γn is indeed bounded by a constant then this lower bound can be simplified to Ω(n2/log 2(n)). In this paper we first show that γn>clog(n) and then we strengthen our result and prove that γn≥npoly(log(n)). Alwen et al. introduced also a weaker conjecture, that is also sufficient for their results — they introduced another sequence Γn and conjectured that it is upper bounded by a constant. We show that this conjecture is also false, namely: Γn≥clog(n).