Paper 2026/1024

Separating the Pebbling Model from the Random Oracle Model

David Engström, Lund University

Leonid Reyzin, Boston University

Abstract

The security of cryptographic constructions that enforce resource usage, such as Proofs of Work or Proofs of Space, is often shown in the random oracle model. This model restricts the class of possible adversaries, because it assumes that the adversary can access some function RO only as a black box, via queries. When the resource in question is space, the random oracle model is often further idealized by assuming that the outputs of RO are usable only in a black box manner: they are either stored whole or discarded whole by the adversary, and are never computed upon, except when provided as inputs to RO. In this idealization, they are often called "pebbles," and space usage is counted in terms of pebbles stored. In some cases, it is known that the pebbling model does not add further restrictions on the adversary, because the bit strings that correspond to the pebbles can actually be extracted from the adversary's memory. In other cases, this question has been open for over a decade. We resolve the open question by showing that the pebbling model does not realistically model adversarial capabilities in two important cases. Specifically, we construct a family of Proofs of Space and a family of Memory-Hard Functions in the pebbling model for which an algorithm that is allowed to treat outputs of RO as bit strings and compute upon them (simply by XORing subsets of them) can be significantly more efficient that an algorithm limited to pebbling.

@misc{cryptoeprint:2026/1024,
      author = {Susanna F. de Rezende and David Engström and Leonid Reyzin},
      title = {Separating the Pebbling Model from the Random Oracle Model},
      howpublished = {Cryptology {ePrint} Archive, Paper 2026/1024},
      year = {2026},
      url = {https://eprint.iacr.org/2026/1024}
}