# Cryptographic puzzles and DoS resilience, revisited

## Abstract

Cryptographic puzzles (or client puzzles) are moderately difficult problems that can be solved by investing non-trivial amounts of computation and/or storage. Devising models for cryptographic puzzles has only recently started to receive attention from the cryptographic community as a first step toward rigorous models and proofs of security of applications that employ them (e.g. Denial-of-Service (DoS) resistance). Unfortunately, the subtle interaction between the complex scenarios for which cryptographic puzzles are intended and typical difficulties associated with defining concrete security easily leads to flaws in definitions and proofs. Indeed, as a first contribution we exhibit shortcomings of the state-of-the-art definition of security of cryptographic puzzles and point out some flaws in existing security proofs. The main contribution of this paper are new security definitions for puzzle difficulty. We distinguish and formalize two distinct flavors of puzzle security which we call optimality and fairness and in addition, properly define the relation between solving one puzzle versus solving multiple ones. We demonstrate the applicability of our notions by analyzing the security of two popular puzzle constructions. We briefly investigate existing definitions for the related notion of security against DoS attacks. We demonstrate that the only rigorous security notion proposed to date is not sufficiently demanding (as it allows to prove secure protocols that are clearly not DoS resistant) and suggest an alternative definition. Our results are not only of theoretical interest: the better characterization of hardness for puzzles and DoS resilience allows establishing formal bounds on the effectiveness of client puzzles which confirm previous empirical observations. We also underline clear practical limitations for the effectiveness of puzzles against DoS attacks by providing simple rules of thumb that can be easily used to discard puzzles as a valid countermeasure for certain scenarios.

## Keywords

Client puzzle DoS resilience PoW protocols## Mathematics Subject Classification (2010)

94A60## Notes

### Acknowledgments

We thank Douglas Stebila and to the anonymous referees for their comments and feedback on our work. First author was partially supported by National Research Grants CNCSIS UEFISCDI, Project Number PNII IDEI 940/2008–2011 and POSDRU/21/1.5/G/13798, inside POSDRU Romania 2007–2013.

## References

- 1.Abadi M., Burrows M., Manasse M., Wobber T.: Moderately hard, memory-bound functions. ACM Trans. Internet Technol.
**5**, 299–327 (2005).Google Scholar - 2.Abliz M., Znati T.: A guided tour puzzle for denial of service prevention. In: Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC ’09, pp. 279–288. IEEE Computer Society, Washington, DC (2009).Google Scholar
- 3.Aura T., Nikander P., Leiwo J.: DoS-resistant authentication with client puzzles. In: Revised Papers from the 8th International Workshop on Security Protocols, pp. 170–177. Springer, London (2001).Google Scholar
- 4.Back A.: Hashcash–a denial of service counter-measure. Technical Report (2002).Google Scholar
- 5.Bellare M., Impagliazzo R., Naor M.: Does parallel repetition lower the error in computationally sound protocols. In: Proceedings of 38th Annual Symposium on Foundations of Computer Science, pp. 374–383. IEEE, Los Alamitos (1997).Google Scholar
- 6.Bellare M., Ristenpart T., Tessaro S.: Multi-instance security and its application to password-based cryptography. In: Advances in Cryptology, CRYPTO 2012, pp. 312–329. Springer, Heidelberg (2012).Google Scholar
- 7.Bencsáth B., Vajda I., Buttyán L.: A game based analysis of the client puzzle approach to defend against dos attacks. Proc. SoftCOM.
**11**, 763–767 (2003).Google Scholar - 8.Boyd C., Gonzalez-Nieto J., Kuppusamy L., Narasimhan H., Rangan C., Rangasamy J., Smith J., Stebila D., Varadarajan V.: An investigation into the detection and mitigation of denial of service (Dos) attacks: critical information infrastructure protection. In: Cryptographic Approaches to Denial-of-Service Resistance, p. 183. Springer, Heidelberg (2011).Google Scholar
- 9.Chen L., Morrissey P., Smart N.P., Warinschi B.: Security notions and generic constructions for client puzzles. In: Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, ASIACRYPT ’09, pp. 505–523. Springer, Heidelberg (2009).Google Scholar
- 10.Dean D., Stubblefield A.: Using client puzzles to protect TLS. In: Proceedings of the 10th conference on USENIX Security Symposium, SSYM’01, vol. 10, p. 1. USENIX Association, Berkeley (2001).Google Scholar
- 11.Dwork C., Goldberg A., Naor M.: On memory-bound functions for fighting spam. In: Proceedings of the 23rd Annual International Cryptology Conference, pp. 426–444. Springer, New York (2003).Google Scholar
- 12.Dwork C., Naor M.: Pricing via processing or combating junk mail. In: Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, pp. 139–147. Springer, London (1993).Google Scholar
- 13.Fallah M.: A puzzle-based defense strategy against flooding attacks using game theory. IEEE Trans. Dependable Secur. Comput.
**7**(1), 5–19 (2010).Google Scholar - 14.Gao Y., Susilo W., Mu Y., Seberry J.: Efficient trapdoor-based client puzzle against DoS attacks. In: Network Security, pp. 229–249 (2010).Google Scholar
- 15.Gao Y.: Efficient trapdoor-based client puzzle system against DoS attacks. Technical, Report (2005).Google Scholar
- 16.Grimaldi R.P.: Generating functions, Chap. 3.2. In: Rosen, K.H. (ed.) Handbook of Discrete and Combinatorial Mathematics. CRC, Boca Raton (1999).Google Scholar
- 17.Groza B., Warinschi B.: Revisiting difficulty notions for client puzzles and DoS resilience. In: Gollmann, D., Freiling, F. (eds.) Information Security Conference (ISC), LNCS, vol. 7483, pp. 39–54. Springer, Heidelberg (2012).Google Scholar
- 18.Jeckmans A.: Computational puzzles for spam reduction in SIP. Draft (2007).Google Scholar
- 19.Jeckmans A.: Practical client puzzle from repeated squaring. Technical Report (2009).Google Scholar
- 20.Jerschow Y.I., Mauve M.: Non-parallelizable and non-interactive client puzzles from modular square roots. In: Sixth International Conference on Availability, Reliability and Security, ARES 2011, pp. 135–142 (2011).Google Scholar
- 21.Juels A., Brainard J.: Client puzzles: A cryptographic countermeasure against connection depletion attacks. In Proceedings of NDSS ’99 (Networks and Distributed, Security Systems), pp. 151–165 (1999).Google Scholar
- 22.Karame G., Čapkun S.: Low-cost client puzzles based on modular exponentiation. In: Proceedings of the 15th European Conference on Research in Computer Security. ESORICS’10, pp. 679–697. Springer, New York (2010).Google Scholar
- 23.Laurie B., Clayton R., Proof-of-work proves not to work; version 0.2. In: Workshop on Economics and Information, Security (2004).Google Scholar
- 24.Liu D., Camp L.: Proof of work can work. In: Fifth Workshop on the Economics of Information, Security (2006).Google Scholar
- 25.Narasimhan H., Varadarajan V., Rangan C.: Game theoretic resistance to denial of service attacks using hidden difficulty puzzles. In: Information Security, Practice and Experience, pp. 359–376 (2010).Google Scholar
- 26.Rangasamy J., Stebila D., Boyd C., Nieto J.: An integrated approach to cryptographic mitigation of denial-of-service attacks. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pp. 114–123. ACM, New York (2011).Google Scholar
- 27.Rivest R., Shamir A., Wagner D.: Time-lock puzzles and timed-release crypto. Technical Report. MIT Press, Cambridge (1996).Google Scholar
- 28.Stebila D., Kuppusamy L., Rangasamy J., Boyd C., Nieto J.G.: Stronger difficulty notions for client puzzles and denial-of-service-resistant protocols. In: Proceedings of the 11th International Conference on Topics in cryptology: CT-RSA 2011, CT-RSA’11, pp. 284–301. Springer, Heidelberg (2011).Google Scholar
- 29.Suriadi S., Stebila D., Clark A., Liu H.: Defending web services against denial of service attacks using client puzzles. In: 2011 IEEE International Conference on Web Services (ICWS), pp. 25–32. IEEE, New York (2011).Google Scholar
- 30.Tang Q., Jeckmans A.: On Non-parallelizable Deterministic Client Puzzle Scheme with Batch Verification Modes. Springer, Heidelberg (2010).Google Scholar
- 31.Tritilanunt S., Boyd C., Foo E., Nieto J.M.G.: Toward non-parallelizable client puzzles. In: Proceedings of the 6th International Conference on Cryptology and Network Security, CANS’07, pp. 247–264. Springer, Heidelberg (2007).Google Scholar