How about obese scrypt? Computing our ROM content from a site-specific(?) seed value at service startup may take ~1 minute (e.g., 60 GB at 1 GB/s) Loading it from an SSD may take ~5 minutes (e.g., 60 GB at 200 MB/s) Alternatively, we can mmap() it and start serving requests right away, getting to full speed in a few minutes as the content gets cached in RAM Then we don't have to store the seed value on the server - in fact, we don't have to store it at all (nor to ever have had it) The entire site-specific ROM would have to be stolen and distributed to all attack nodes (in addition to them needing this much RAM for sane speed)