mirror of
https://github.com/0xb100d/manifestos.git
synced 2025-12-16 23:54:22 +01:00
Create hashcash-adamback2002
This commit is contained in:
0xb100d
541
hashcash-adamback2002
Normal file
541
hashcash-adamback2002
Normal file
@@ -0,0 +1,541 @@
|
||||
http://hashcash.org/papers/hashcash.pdf
|
||||
|
||||
Hashcash - A Denial of Service Counter-Measure
|
||||
Adam Back
|
||||
e-mail: adam@cypherspace.org
|
||||
1st August 2002
|
||||
Abstract
|
||||
Hashcash was originally proposed as a mechanism to throttle systematic abuse of un-metered internet resources
|
||||
such as email, and anonymous remailers in May 1997. Five years on, this paper captures in one place the various
|
||||
applications, improvements suggested and related subsequent publications, and describes initial experience from
|
||||
experiments using hashcash.
|
||||
The hashcash CPU cost-function computes a token which can be used as a proof-of-work. Interactive and noninteractive
|
||||
variants of cost-functions can be constructed which can be used in situations where the server can issue
|
||||
a challenge (connection oriented interactive protocol), and where it can not (where the communication is store–and–
|
||||
forward, or packet oriented) respectively.
|
||||
Key Words: hashcash, cost-functions
|
||||
1 Introduction
|
||||
Hashcash [1] was originally proposed as a mechanism to throttle systematic abuse of un-metered internet resources
|
||||
such as email, and anonymous remailers in May 1997. Five years on, this paper captures in one place the various
|
||||
applications, improvements suggested and related subsequent publications, and describes initial experience from experiments
|
||||
using hashcash.
|
||||
The hashcash CPU cost-function computes a token which can be used as a proof-of-work. Interactive and noninteractive
|
||||
variants of cost-functions can be constructed which can be used in situations where the server can issue
|
||||
a challenge (connection oriented interactive protocol), and where it can not (where the communication is store–and–
|
||||
forward, or packet oriented) respectively.
|
||||
At the time of publication of [1] the author was not aware of the prior work by Dwork and Naor in [2] who
|
||||
proposed a CPU pricing function for the application of combatting junk email. Subsequently applications for costfunctions
|
||||
have been further discussed by Juels and Brainard in [3]. Jakobsson and Juels propose a dual purpose for
|
||||
the work spent in a cost-function: to in addition perform an otherwise useful computation in [4].
|
||||
2 Cost-Functions
|
||||
A cost-function should be efficiently verifiable, but parameterisably expensive to compute. We use the following
|
||||
notation to define a cost-function.
|
||||
In the context of cost-functions we use client to refer to the user who must compute a token (denoted
|
||||
) using a
|
||||
cost-function MINT() which is used to create tokens to participate in a protocol with a server. We use the term mint
|
||||
for the cost-function because of the analogy between creating cost tokens and minting physical money.
|
||||
The server will check the value of the token using an evaluation function VALUE(), and only proceed with the
|
||||
protocol if the token has the required value.
|
||||
The functions are parameterised by the amount of work ✁ that the user will have to expend on average to mint a
|
||||
token.
|
||||
With interactive cost-functions, the server issues a challenge ✂ to the client – the server uses the CHAL ✄✆☎ function
|
||||
to compute the challenge. (The challenge function is also parameterised by the work factor.)
|
||||
1
|
||||
✝✞✟
|
||||
✂✡✠ CHAL ✄☞☛✍✌✎✁✏☎ server challenge function
|
||||
|
||||
✠ MINT ✄✑✂✒☎ mint token based on challenge
|
||||
✓ ✠ VALUE ✄
|
||||
☎ token evaluation function
|
||||
With non-interactive cost-functions the client choses it’s own challenge or random start value in the MINT() function,
|
||||
and there is no CHAL() function. ✔
|
||||
✠ MINT ✄✆☛✍✌✕✁✏☎ mint token
|
||||
✓ ✠ VALUE ✄
|
||||
☎ token evaluation function
|
||||
Clearly a non-interactive cost-function can be used in an interactive setting, whereas the converse is not possible.
|
||||
2.1 Publicly Auditable, Probabilistic Cost ✖
|
||||
A publicly auditable cost-function can be efficiently verified by any third party without access to any trapdoor
|
||||
or secret information. (When we say publicly auditable we mean implicitly that the cost-function is efficiently
|
||||
publicly auditable compared to the cost of minting the token, rather than auditable in the weaker sense that the
|
||||
auditor could repeat the work done by the client.) ✖
|
||||
A fixed cost cost-function takes a fixed amount of resources to compute. The fastest algorithm to mint a fixed
|
||||
cost token is a deterministic algorithm. ✖
|
||||
A probabilistic cost cost-function is one where the cost to the client of minting a token has a predictable expected
|
||||
time, but a random actual time asthe client can most efficiently compute the cost-function by starting at a random
|
||||
start value. Sometimes the client will get lucky and start close to the solution.
|
||||
There are two types of probabilistic cost bounded probabilistic cost and unbounded probabilistic cost.
|
||||
– An unbounded probabilistic cost cost-function, can in theory take forever to compute, though the probablity
|
||||
of taking significantly longer than expected decreases rapidly towards zero. (An example would be
|
||||
the cost-function of being required to throw a head with a fair coin; in theory the user could be unlucky
|
||||
and end up throwing many tails, but in practice the probability of not throwing a head for ✗ throws tends
|
||||
towards ✘ rapidly as ✙✛✚✛✜✣✢✥✤✧✦★✄✪✩✫ ☎ ✢✭✬ ✘.)
|
||||
– With a bounded probabilistic cost cost-function there is a limit to how unlucky the client can be in it’s
|
||||
search for the solution; for example where the client is expected to search some key space for a known
|
||||
solution; the size of the key space imposes an upper bound on the cost of finding the solution.
|
||||
2.2 Trapdoor-free
|
||||
A disadvantage of known solution cost-functions is that the challenger can cheaply create tokens of arbitrary value.
|
||||
This precludes public audit where the server may have a conflict of interests, for example in web hit metering, where
|
||||
the server may have an interest to inflate the number of hits on it’s page where it is being paid per hit by an advertiser. ✖
|
||||
A trapdoor-free cost-function is one where the server has no advantage in minting tokens.
|
||||
An example of a trapdoor-free cost-function is the Hashcash [1] cost-function. Juels and Brainard’s client-puzzle
|
||||
cost-function is an example of a known-solution cost-function where the server has an advantage in minting tokens.
|
||||
Client-puzzles as specified in the paper are in addition not publicly auditable, though this is due to a storage optimization
|
||||
and not inherent to their design.
|
||||
2
|
||||
3 The Hashcash cost-function
|
||||
Hashcash is a non-interactive, publicly auditable, trapdoor-free cost function with unbounded probabilistic cost.
|
||||
First we introduce some notation: consider bitstring ☛ ✬✯✮ ✘✰✌✲✱✴✳✶✵, we define ✷☛✥✸✺✹ to means the bit at offset i, where
|
||||
✷☛✥✸ ✩
|
||||
is the left-most bit, and ✷☛✥✸✼✻ ✽✾✻ is the right-most bit. ✷☛✲✸✆✹❀✿❁✿❁✿ ❂ means the bit-wise substring between and including bits
|
||||
❃
|
||||
and ❄ , ✷☛✲✸ ✹✺✿❁✿❁✿ ❂ ✬
|
||||
✷☛✲✸ ✹❆❅✏❇❈❇✛❇❉❅ ✷☛✲✸ ❂ . So ☛ ✬
|
||||
✷☛✲✸ ✩
|
||||
✿❁✿❁✿ ✻ ✽✾✻ .
|
||||
We define a binary infix comparison operator ❊ ❋❍●❏■ ✬▲❑ where b is the length of the common left-substring from the two
|
||||
bit-strings.
|
||||
▼
|
||||
❊ ❋❍●◆■ ✬P❖❘◗ ✷▼
|
||||
✸ ✩❚❙✬
|
||||
✷◗
|
||||
✸ ✩ ▼
|
||||
❊ ❋❍●◆■ ✬ ❑ ◗ ❯
|
||||
✹❈❱ ✩
|
||||
✿❁✿❁✿ ❑
|
||||
✷▼
|
||||
✸✑✹ ✬
|
||||
✷◗
|
||||
✸✑✹
|
||||
Hashcash is computed relative to a service-name ☛, to prevent tokens minted for one server being used on another
|
||||
(servers only accept tokens minted using their own service-name). The service-name can be any bit-string which
|
||||
uniquely identifies the service (eg. host name, email address, etc).
|
||||
The hashcash function is defined as (note this is an improved simplifed variant since initial publication see note in
|
||||
section 5:
|
||||
✝❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲ ✞
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲✟
|
||||
PUBLIC: hash function ❳P✄✎❨ ☎ with output size ✗ bits
|
||||
|
||||
✠ MINT ✄✆☛✍✌✎✁❩☎ find ▼✡❬❪❭ ✮ ✘✰✌✲✱✴✳❫✵ st ❳❴✄✆☛ ❅ ▼
|
||||
☎ ❊ ❋❍●◆■ ✬❴❵ ✘
|
||||
✢
|
||||
return ✄✆☛✍✌ ▼
|
||||
☎
|
||||
✓ ✠ VALUE ✄
|
||||
☎ ❳❴✄✆☛ ❅ ▼
|
||||
☎❛❊ ❋❍●◆■ ✬❴❜ ✘
|
||||
✢
|
||||
return ❝
|
||||
The hashcash cost-function is based on finding partial hash collisions on the all 0 bits ✗-bit string ✘
|
||||
✢
|
||||
. The fastest
|
||||
algorithm for computing partial collisions is brute force. There is no challenge as the client can safely choose his
|
||||
own random challenge, and so the hashcash cost-function is a trapdoor-free and non-interactive cost-function. In
|
||||
addition the Hashcash cost-function is publicly auditable, because anyone can efficiently verify any published tokens.
|
||||
(In practice ❞ ▼
|
||||
❞ should be chosen to be large enough to make the probability that clients reuse a previously used start
|
||||
value negligible; ❞ ▼
|
||||
❞ ✬
|
||||
✱✪❡✴❢ bits should be enough even for a busy server.)
|
||||
The server needs to keep a double spending database of spent tokens, to detect and reject attempts to spend the
|
||||
same token again. To prevent the database growing indefinitely, the service string can include the time at which it was
|
||||
minted. This allows the server to discard entries from the spent database after they have expired. Some reasonable
|
||||
expiry period should be chosen to take account of clock inaccuracy, computation time, and transmission delays.
|
||||
Hashcash was originally proposed as a counter-measure against email spam, and against systematic abuse of
|
||||
anonymous remailers. It is necessary to use non-interactive cost-functions for these scenarios as there is no channel
|
||||
for the server to send a challenge over. However one advantage of interactive cost-functions is that it is possible
|
||||
to prevent pre-computation attacks. For example, if there is a cost associated with sending each email this may be
|
||||
sufficient to limit the scale of email abuse perpetrated by spammers; however for a pure DoS-motivated attack a
|
||||
determined adversary may spend a year pre-computing tokens to all be valid on the same day, and on that day be able
|
||||
to temporarily overload the system.
|
||||
It would be possible to reduce the scope for such pre-computation attacks by using a slowly changing beacon
|
||||
(unpredictable broadcast authenticated value changing over time) such as say this weeks winning lottery numbers. In
|
||||
this event the current beacon value is included in the start string, limiting pre-computation attacks to being conducted
|
||||
within the time period between beacon value changes.
|
||||
4 Interactive Hashcash
|
||||
With the interactive form of hashcash, for use in interactive settings such as TCP, TLS, SSH, IPSEC etc connection
|
||||
establishment a challenge is chosen by the server. The aim of interactive hashcash is to defend server resources from
|
||||
premature depletion, and provide graceful degradation of service with fair allocation across users in the face of a DoS
|
||||
attack where one user attempts to deny service to the other users by consuming as many server resources as he can. In
|
||||
3
|
||||
the case of security protocols such as TLS, SSH and IPSEC with computationally expensive connection establishment
|
||||
phases involving public key crypto the server resource being defended is the servers available CPU time.
|
||||
The interactive hashcash cost-function is defined as follows:
|
||||
✝❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲ ✞
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲✟
|
||||
✂❣✠ CHAL ✄☞☛✍✌✎✁✏☎ choose ❤ ❬✐❭ ✮ ✘✰✌✲✱❥✳ ✢
|
||||
return ✄☞☛✍✌✎✁✧✌✼❤✲☎
|
||||
|
||||
✠ MINT ✄☞❦✭☎ find ▼✡❬❪❭ ✮ ✘✰✌✲✱❥✳✪✵ st ❳P✄☞☛ ❅ ❤ ❅ ▼
|
||||
☎❧❊ ❋❍●◆■ ✬❴❵ ✘
|
||||
✢
|
||||
return ✄☞☛✍✌ ▼
|
||||
☎
|
||||
✓ ✠ VALUE ✄❀♠✏☎ ❳P✄☞☛ ❅ ❤ ❅ ▼
|
||||
☎❛❊ ❋❍●❏■ ✬ ❜ ✘
|
||||
✢
|
||||
return ❝
|
||||
4.1 Dynamic throttling
|
||||
With interactive hashcash it becomes possible to dynamically adjust the work factor required for the client based on
|
||||
server CPU load. The approach also admits the possibility that interactive hashcash challenge-response would only
|
||||
be used during periods of high load. This makes it possible to phase-in DoS resistent protocols without breaking
|
||||
backwards compatibility with old client software. Under periods of high load non-hashcash aware clients would be
|
||||
unable to connect, or would be placed in a limited connection poolsubject to older less effective DoS counter-measures
|
||||
such as random connection dropping.
|
||||
4.2 hashcash-cookies
|
||||
With connection-slot depletion attacks such as the syn-flood attack, and straight-forward TCP connection-slot depletion
|
||||
the server resource that is being consumed is space available to the TCP stack to store per-connection state.
|
||||
In this scenario it may be desirable to avoid keeping per connection state, until the client has computed a token
|
||||
with the interactive hashcash cost-function. This defense is similar to the syn-cookie defense to the syn-flood attack,
|
||||
but here we propose to additionally impose a CPU cost on the connecting machine to reserve a TCP connection-slot.
|
||||
To avoid storing the challenge in the connection state (which itself consumes space) the server may choose to
|
||||
compute a keyed MAC of the information it would otherwise store and sent it to the client as part of the challenge so
|
||||
it can verify the authenticity of the challenge and token when the client returns them. (This general technique – of
|
||||
sending a record you would otherwise store together with a MAC to the entity the information is about – is referred
|
||||
to as a symmetric key certificate.) This approach is analogous to the technique used in syn-cookies, and Juels and
|
||||
Brainard proposed a related approach but at the application protocol level in their client-puzzles paper.
|
||||
For example with MAC function ♥ keyed by server key ♦ the challenge MAC could be computed as:
|
||||
✝❲
|
||||
❲
|
||||
❲
|
||||
❲ ✞
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲✟
|
||||
PUBLIC: MAC function ♥♣✄✎❨❈✌❫❨ ☎
|
||||
✂❣✠ CHAL ✄❀✁❩☎ choose ❤ ❬ ❭
|
||||
✮ ✘q✌✲✱✴✳ ✢
|
||||
compute rs✠ ♥♣✄✺♦★✌✎t ❅ ☛ ❅✈✉❧❅ ✁ ❅ ❤✲☎
|
||||
return ✄❀t✾✌✇☛✴✌ ✉✌✕✁✧✌✕❤①✌✕r❣☎
|
||||
The client must send the MAC r, and the challenge ❤ and challenge parameters ✉ with the response token so
|
||||
that the server can verify the challenge and the response. The server should also include in the MAC the connection
|
||||
parameters, at minimum enough to identify the connection-slot and some time measurement or increasing counter t
|
||||
so that old challenge responses can not be collected and re-used after the connection-slots are free. The challenge and
|
||||
MAC would be sent in the TCP SYN-ACK response message, and the client would include the interactive hashcash
|
||||
token (challenge-response) in the TCP ACK message. As with syn-cookies, the server would not need to keep any
|
||||
state per connection prior to receiving the TCP ACK.
|
||||
For backwards compatibility with syn-cookie aware TCP stacks, a hashcash-cookie aware TCP stack would only
|
||||
turn on hashcash-cookies when it detected that it was subject to a TCP connection-depletion attack. Similar arguments
|
||||
as given by Dan Bernstein in [5] can be used to show that backwards compatibility is retained, namely under syn-flood
|
||||
attacks Bernstein’s arguments show how to provide backwards compatibility with non syn-cookie aware implementations;
|
||||
similarly under connection-depletion attack hashcash-cookies are only turned on at a point where service would
|
||||
anyway otherwise be unavailable to a non-hashcash-cookie aware TCP stack.
|
||||
4
|
||||
As the flood increases in severity the hashcash-cookie algorithm would increase the collision size required to be in
|
||||
the TCP ACK message. The hashcash-cookie aware client can still connect (albeit increasinly slowly) with a more fair
|
||||
chance against the DoS attacker presuming the DoSer has limited CPU resources. The DoS attacker will effectively
|
||||
be pitting his CPU against all the other (hashcash-cookie aware) clients also trying to connect. Without the hashcashcookie
|
||||
defense the DoSer can flood the server with connection establishments and can more easily tie up all it’s slots
|
||||
by completing n connections per idle connection time-out where n is the size of the connection table, or pinging the
|
||||
connections once per idle connection time-out to convince the server they are alive.
|
||||
Connections will be handed out to users collectively in rough proportion to their CPU resources, and so fairness is
|
||||
CPU resource based (presuming each user is trying to open as many connections as he can) so the result will be biased
|
||||
in favor of clients with fast processors as they can compute more interactive-hashcash challenge-response tokens per
|
||||
second.
|
||||
5 Hashcash improvements
|
||||
In the initially published hashcash scheme, the target string to find a hash collision on was chosen fairly by using the
|
||||
hash of the service-name (and respectively the service-name and challenge in the interactive setting). A subsequent
|
||||
improvement suggested independently by Hal Finney [6] and Thomas Boschloo [7] for hashcash is to find a collision
|
||||
against a fixed output string. Their observation is that a fixed collision target is also fair, simpler and reduces verification
|
||||
cost by a factor of 2. A fixed target string which is convenient to compare trial collisions against is the k-bit string
|
||||
✘
|
||||
✢
|
||||
where ✗ is the hash output size.
|
||||
6 Low Variance
|
||||
Ideally cost-function tokensshould take a predictable amount of computing resourcesto compute. Juels and Brainard’s
|
||||
client-puzzle construction provides a probabilistic bounded-cost by issuing challenges with known-solutions, however
|
||||
while thislimits the theoretical worst case running time, it makeslimited practical difference to the variance and typical
|
||||
experienced running time. The technique of using known solutions is also not applicable to the non-interactive setting.
|
||||
It is an open question as to whether there exist probabilistic bounded-cost, or fixed-cost non-interactive cost-functions
|
||||
with the same order of magnitude of verification cost as hashcash.
|
||||
The other more significant incremental improvement due to Juels and Brainard is the suggestion to use multiple
|
||||
sub-puzzles with the same expected cost, but lower variance in cost. This technique should be applicable to both the
|
||||
non-interactive and interactive variants of hashcash.
|
||||
6.1 Non-Parallelizability and Distributed DoS
|
||||
Roger Dingledine, Michael Freedman and David Molnar put forward the argument that non-parallelizable costfunctions
|
||||
are less vulnerable to Distributed DoS (DDoS) in chapter 16 of [8]. Their argument is that non-parallelizable
|
||||
cost-functions frustrate DDoS because the attacker is then unable sub-divide and farm out the work of computing an
|
||||
individual token.
|
||||
The author described a fixed-cost cost-function in [9] using Rivest, Shamir and Wagner’s time-lock puzzle [10]
|
||||
which also happens to be non-parallelizable. The time-lock puzzle cost-function can be used in either an interactive
|
||||
or non-interactive setting as it is safe for the user to chose their own challenge. The applicability of Rivest et al’s
|
||||
time-lock puzzle as a cost-function was also subsequently observed by Dingledine et al in [8].
|
||||
For completeness we present the time-lock puzzle based fixed-cost and non-parallelizable cost-function from [9]
|
||||
here:
|
||||
5
|
||||
✝❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲ ✞
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲
|
||||
❲✟
|
||||
PUBLIC: ② ✬
|
||||
✉④③
|
||||
PRIVATE: primes ✉ and ③ ✌❆⑤❧✄✺②✒☎ ✬
|
||||
✄✉⑦⑥ ✱⑧☎✥✄ ③⑨⑥ ✱✪☎
|
||||
✂❣✠ CHAL ✄✆☛✍✌✎✁✏☎ choose ❤ ❬ ❭
|
||||
✷✘q✌✎②✒☎
|
||||
return ✄✆☛✍✌✕❤①✌✕✁✏☎
|
||||
|
||||
✠ MINT ✄✑✂✒☎ compute ▼ ✠⑩❳P✄☞☛ ❅ ❤✲☎
|
||||
compute ◗ ✠
|
||||
▼④❶✪❷ ✄❀✜❹❸✶❺✣②✒☎
|
||||
return ✄✆☛✍✌✕❤①✌✕✁✧✌ ◗
|
||||
☎
|
||||
✓ ✠ VALUE ✄
|
||||
☎ compute ▼ ✠❻❳P✄✆☛ ❅ ❤✲☎
|
||||
compute ❼❚✠ ▼❵ ✜❽❸✶❺❾⑤❧✄❀②✒☎
|
||||
if ▼④❿ ✬➀◗ ✄✺✜❹❸➁❺✣②✒☎ return ✁
|
||||
else return ✘
|
||||
The client does not know ⑤❛✄✺②✒☎ , and so the most efficient method for the client to calculate MINT() is repeated
|
||||
exponentiation, which requires ✁ exponentiations. The challenger knows ⑤❧✄✺②✒☎ which allows a more efficient computation
|
||||
by reducing the exponent ✜❹❸✶❺④⑤❧✄✺②✒☎ , so the challenger can execute VALUE() with 2 modular exponentiations.
|
||||
The challenger as a side-effect has a trapdoor in computing the cost-function as he can compute MINT() efficiently
|
||||
using the same algorithm.
|
||||
We argue however that the added DDoS protection provided by non-parallelizable cost-functions is marginal:
|
||||
unless the server restricts the number of challenges it hands out to a recognizably unique client the DDoS attacker can
|
||||
farm out multiple challenges as easily as farm out a sub-divided single challenge, and consume resources on the server
|
||||
at the same rate as before. Further it is not that hard for a single client to masquerade as multiple clients to a server.
|
||||
Consider also: the DDoS attacker has generally due to the nature of his method of commandeering nodes an equal
|
||||
number of network connected nodes at his disposal as processors. He can therefore in any case have each attack
|
||||
node directly participate in the normal protocol indistinguisably from any legitimate user. This attack strategy is also
|
||||
otherwise optimal anyway as the attack nodes will present a varied set of source addresses which will foil attempts
|
||||
at per-connection fairness throttling strategies and router based DDoS counter-measures based on volume of traffic
|
||||
across IP address ranges. Therefore for the natural attack node marshalling patterns non-parallelizable cost-functions
|
||||
offer limited added resistance.
|
||||
As well as the arguments against the practical efficacy and value of non-parallelizable cost-functions, to date
|
||||
non-parallelizable cost functions have had orders of magnitude slower verification functions than non-parallelizable
|
||||
cost-functions. Thisis because the non-parallelizable cost-functionsso far discussed in the literature are related to trapdoor
|
||||
public key cryptography constructs which are inherently less efficient. It is an open question as to whether there
|
||||
exist non-parallelizable cost-functions based on symmetric-key (or public-key) constructs with verification functions
|
||||
of the same order of magnitude as those of symmetric-crypto based cost-functions.
|
||||
While for the application of time-lock puzzles to cost-functions, a reduced public key size could be used to speed
|
||||
up the verification function, this approach introduces risk that the modulus will be factored with the result that the
|
||||
attacker gains a big advantage in minting tokens. (Note: factoring is itself a largely parallelizable computation.)
|
||||
To combat this the server should change the public parameters periodically. However in the particular case of the
|
||||
public parameters used by time-lock puzzles (which are the same as the RSA modulus used in RSA encryption), this
|
||||
operation is itself moderately expensive, so this operation would not be performed too frequently. It would probably
|
||||
not be wise to deploy software based on key sizes below 768 bits for this aplication, in addition it would help to change
|
||||
keys periodically, say every hour or so. (RSA modulii of 512 bits have recently been factored by a closed group as
|
||||
discussed in [11] and more recently have been demonstrated by Nicko van Someren et al to be factorizable using
|
||||
standard equipment in an office as reported in [12]; DDoS attackers are known be able to muster significant resources,
|
||||
probably easily exceeding those used in this demonstration.)
|
||||
The time-lock puzzle cost-function also is necessarily trap-door as the server needs a private verification-key to
|
||||
allow it to efficiently verify tokens. The existance of a verification-key presents the added risk of key compromise
|
||||
allowing the attacker to by-pass the cost-function protection. (The interactive hashcash cost-function by comparison
|
||||
is trap-door-free, so there is no key which would allow an attacker a short-cut in computing tokens). In fact if the
|
||||
verification-key were compromised, it could be replaced, but this need adds complexity and administrative overhead
|
||||
as this event needs to be detected and manual intervention or some automated detection triggering key-replacement
|
||||
implemented.
|
||||
6
|
||||
The time-lock puzzle cost-function also will tend to have larger messages as there is a need to communicate
|
||||
planned and emergency re-keyed public parameters. For some applications, for example the syn-cookie and hashcashcookie
|
||||
protocols, space is at a premium due to backwards compatibility and packet size constraints imposed by the
|
||||
network infrastructure.
|
||||
So in summary we argue that non-parallelizable cost-functions are of questionable practical value in protecting
|
||||
against DDoS attacks, have more expensive verification functions, incur the risk of verification key compromise and
|
||||
attendant key management complexities, have larger messages, and are significantly more complex to implement. We
|
||||
therefore recommend instead the simpler hashcash protocol (or if the public-auditability and non-interactive options
|
||||
are not required Juels and Brainard’s client-puzzles are roughly equivalent).
|
||||
7 Applications
|
||||
Apart from the initially proposed applications for hashcash of throttling DoS against remailer networks and detering
|
||||
emailspam,since publication the following applications have been discussed, explored and in some casesimplemented
|
||||
and deployed: ✖
|
||||
hashcash-cookies, a potential extension of the syn-cookie as discussed in section 4.2 for allowing more graceful
|
||||
service degradation in the face of connection-depletion attacks. ✖
|
||||
interactive-hashcash as discussed in section 4 for DoS throttling and graceful service degradation under CPU
|
||||
overload attacks on security protocols with computationally expensive connection establishment phases. No
|
||||
deployment but the analogous client-puzzle system was implemented with TLS in [13] ✖
|
||||
hashcash throttling of DoS publication floods in anonymous publication systems such as Freenet [14], Publius
|
||||
[15], Tangler [16], ✖
|
||||
hashcash throttling of service requests in the cryptographic Self-certifying File System [17] ✖
|
||||
hashcash throttling of USENET flooding via mail2news networks [18] ✖
|
||||
hashcash as a minting mechanism for Wei Dai’s b-money electronic cash proposal, an electronic cash scheme
|
||||
without a banking interface [19]
|
||||
8 Cost-function classification scheme
|
||||
We list here a classification of characteristics of cost-functions. We use the following notation to denote the properties
|
||||
of a cost-function:
|
||||
✄✕✷➂ ✬➃✮ ✱✴✌ ✫✩ ✌✕✘✶✳❫✸☞✌✪✷➄ ✬➅✮ ✘q✌ ✫✩ ✌✲✱✴✳✲✸❍✌❫✷ ✮ ❃
|
||||
✌✈➆➇❍✳❫✸☞✌✪✷ ✮⑧➈ ✌✥➆➈
|
||||
✳✲✸❍✌❫✷ ✮
|
||||
t✾✌ ➆
|
||||
t✼✳❫✸☞✌✪✷ ✮✉✌✍➆✉✳❫✸✑☎
|
||||
Where ➂ isthe efficiency: value ➂ ✬
|
||||
✱ means efficiently-verifiable – verifiable with cost comparable to or lower than
|
||||
the cost of verifying symmetric key constructs such as hashcash which consume just a single compression round of an
|
||||
iterative compression function based hash function such as SHA1 or MD5. Value ➂ ✬
|
||||
✫✩ means practically-verifiable
|
||||
we mean less efficiently than efficienty-verifiable, but still efficient enough to be practical for some applications, for
|
||||
example the author considers the time-lock puzzle based cost-function with it’s two modular exponentiations to fall
|
||||
into this category. Value ➂ ✬
|
||||
✘ means verifiable but impractical, that the cost-function is verifiable but the verification
|
||||
function is impractically slow such that the existance of the cost-function serves only as a proof of concept to be
|
||||
improved upon for practical use.
|
||||
And ➄ is a characterization of the standard-deviation, value ➄ ✬
|
||||
✘ means fixed-cost, ➄ ✬
|
||||
✫✩ means bounded
|
||||
probabilistic cost and ➄ ✬
|
||||
✱ means unbounded probabilistic cost. Note by bounded probabilistic-cost we mean
|
||||
usefully bounded – a bound in the work factor in excess of a work-factor that an otherwise functionally similar
|
||||
unbounded cost-function would only reach with negligible probability would not be useful.
|
||||
And ❃
|
||||
denotes that the cost-function is interactive, and ➆➇ that the cost-function is non-interactive.
|
||||
And ➈
|
||||
denotesthat the cost-function is publicly auditable, ➆➈
|
||||
denotesthat the cost-function is not publicly auditable,
|
||||
which means in practice that it is only verifiable by the service using a private key material. Note by public-auditability
|
||||
7
|
||||
we mean efficiently publicly-auditable, and would not consider repeating the work of the token minter as adequate
|
||||
efficiency to classify.
|
||||
And t denotes that the server has a trapdoor in computing the cost-function, conversely ➆
|
||||
t denotes that server has
|
||||
no trapdoor in computing the cost-function.
|
||||
And ✉ denotes that the cost-function is parallelizable, ✉➆ deontes that the cost-function is non-parallelizable.
|
||||
trapdoor-free trapdoor
|
||||
interactive hashcash client-puzzles
|
||||
✄✺➂ ✬
|
||||
✱✴✌✼➄ ✬
|
||||
✱✴✌ ❃
|
||||
✌ ➈
|
||||
✌ ➆
|
||||
t✇✌ ✉☎ ✄✺➂ ✬
|
||||
✱✍✌✕➄ ✬
|
||||
✫✩ ✌ ❃
|
||||
✌ ➈
|
||||
✌✕t✾✌ ✉☎
|
||||
time-lock
|
||||
✄✺➂ ✬
|
||||
✫✩ ✌✕➄ ✬
|
||||
✘q✌ ❃
|
||||
✌✲➆➈
|
||||
✌✕t✾✌✴➆✉☎
|
||||
non-interactive hashcash
|
||||
✄✺➂ ✬
|
||||
✱✍✌✕➄ ✬
|
||||
✱✍✌✈➆➇✈✌ ➈
|
||||
✌ ➆
|
||||
t✾✌ ✉☎
|
||||
time-lock
|
||||
✄✆➂ ✬
|
||||
✫✩ ✌✼➄ ✬
|
||||
✘q✌✎➆➇✈✌✲➆➈
|
||||
✌✎t✾✌➉➆✉☎
|
||||
8.1 Open Problems ✖
|
||||
existance of efficiently-verifiable non-interactive fixed-cost cost-functions ✄✺➂ ✬
|
||||
✱✍✌✕➄ ✬
|
||||
✘✰✌✈➆➇❍☎ (and the related
|
||||
weaker problem: existance of same with probabilistic bounded-cost ✄✺➂ ✬
|
||||
✱✴✌✼➄ ✬
|
||||
✫✩ ✌✎➆➇☞☎ ) ✖
|
||||
existance of efficiently-verifiable non-interactive non-parallelizable cost-functions ✄✺➂ ✬
|
||||
✱✴✌✈➆➇✎✌✍➆✉☎ (and the related
|
||||
weaker problem: existance of same in interactive setting ✄✺➂ ✬
|
||||
✱✴✌ ❃
|
||||
✌✍➆✉☎ ) ✖
|
||||
existance of publicly-auditable non-interactive fixed-cost cost-functions ✄✺➄ ✬
|
||||
✘✰✌✈➆➇✈✌ ➈
|
||||
☎ (and the related weaker
|
||||
problem: existance of same with bounded probabilistic-cost ✄✆➄ ✬
|
||||
✫✩ ✌✈➆➇✈✌ ➈
|
||||
☎ )
|
||||
8
|
||||
References
|
||||
[1] Adam Back. Hashcash, May 1997. Published at http://www.cypherspace.org/hashcash/.
|
||||
[2] Cynthia Dwork and Moni Naor. Pricing via processing or combatting junk mail. In Proceedings of Crypto,
|
||||
1992. Also available as http://www.wisdom.weizmann.ac.il:81/Dienst/UI/2.0/Describe/
|
||||
ncstrl.weizmann_il/CS95-20.
|
||||
[3] Ari Juels and John Brainard. Client puzzles: A cryptographic countermeasure against connection depletion
|
||||
attacks. In Network and Distributed System Security Symposium, 1999. Also available as http://www.
|
||||
rsasecurity.com/rsalabs/staff/bios/ajuels/publications/client-puzzles/.
|
||||
[4] Markus Jakobsson and Ari Juels. Proofs of work and bread pudding protocols. In Proceedings of the IFIP TC6
|
||||
and TC11 Joint Working Conference on Communications and Multimedia Security (CMS ’99), Leuven, Belgium,
|
||||
September 1999. Also available as http://citeseer.nj.nec.com/238810.html.
|
||||
[5] Dan Bernstein. Syn cookies. Published at http://cr.yp.to/syncookies.html.
|
||||
[6] Hal Finney. Personal communication, Mar 2002.
|
||||
[7] Thomas Boschloo. Personal communication, Mar 2002.
|
||||
[8] Andy Oram, editor. Peer-to-Peer: Harnessing the Power of Disruptive Technologies. O’Reilly
|
||||
and Associates, 2001. Chapter 16 also available as http://freehaven.net/doc/oreilly/
|
||||
accountability-ch16.html.
|
||||
[9] Adam Back. Hashcash - amortizable publicly auditable cost functions. Early draft of paper, 2000.
|
||||
[10] Ronald L Rivest, Adi Shamir, and David A Wagner. Time-lock puzzles and timed-release crypto. Technical
|
||||
Report MIT/LCS/TR-684, 1996. Also available as http://theory.lcs.mit.edu/˜rivest/
|
||||
publications.html.
|
||||
[11] Herman te Riele. Security of e-commerce threatened by 512-bit number factorization. Published at http:
|
||||
//www.cwi.nl/˜kik/persb-UK.html, Aug 1999.
|
||||
[12] Dennis Fisher. Experts debate risks to crypto, Mar 2002. Also available as http://www.eweek.com/
|
||||
article/0,3658,s=720&a=24663,00.asp.
|
||||
[13] Drew Dean and Adam Stubblefield. Using cleint puzzles to protect tls. In Proceedings of the 10th USENIX
|
||||
Security Symposium, Aug 2001. Also available as http://www.cs.rice.edu/˜astubble/papers.
|
||||
html.
|
||||
[14] Ian Clarke, Oskar Sandberg, Brandon Wiley, and Theodore Hong. Freenet: A distributed anonymous information
|
||||
storage and retrieval system. In Hannes Federrath, editor, Proceedings of the International Workshop on Design
|
||||
Issues in Anonymity and Unobservability. Springer, 2001. Also available as http://freenetproject.
|
||||
org/cgi-bin/twiki/view/Main/Papers.
|
||||
[15] Marc Waldman, Aviel D Rubin, and Lorrie Faith Cranor. Publius: A robust, tamper-evident, censorshipresistant
|
||||
web publishing system. In Proceedings of the 9th USENIX Security Symposium, Aug 2000.
|
||||
Also available as http://www.usenix.org/publications/library/proceedings/sec2000/
|
||||
waldman/waldman_html/v2.html.
|
||||
[16] Marc Waldman and David Mazieres. Tangler: A censorship resistant publishing system based on document
|
||||
entanglement. In Proceedings of the 8th ACM Conference on Computer and Communication Security, Nov
|
||||
2001. Also available as http://www.cs.nyu.edu/˜waldman/.
|
||||
[17] David Mazieres. Self-certifying File System. PhD thesis, Massachusetts Institute of Technology, May 2000. Also
|
||||
available as http://scs.cs.nyu.edu/˜dm/.
|
||||
9
|
||||
[18] Alex de Joode. Hashcash support at dizum mail2news gateway. Published at https://ssl.dizum.com/
|
||||
hashcash/, 2002.
|
||||
[19] Wei Dai. b-money. Published at http://www.eskimo.com/˜weidai/bmoney.txt, Nov 1998.
|
||||
10
|
||||
Reference in New Issue
Block a user