Low-Cost Client Puzzles Based on Modular Exponentiation

Karame, Ghassan; Čapkun, Srđjan

doi:10.1007/978-3-642-15497-3_41

Cited by 18 publications

(32 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recently, Karame andČapkun [12] improved the verification efficiency of Rivest et al's puzzle by a factor of |n| 2k for a given RSA modulus n, where k is the security parameter. More details on these two puzzles will be provided in Section 2.…”

Section: Puzzle Propertiesmentioning

confidence: 99%

“…3. In order to validate the performance of our puzzle, we give experimental results and compare them with the performances of Rivest et al's time-lock puzzle [18] and Karame andČapkun's puzzle [12], which is the most efficient non-parallelisable puzzle in the literature. Our results suggest that our puzzle reduces the solution verification time by approximately 99 times when compared to Rivest et al's time-lock puzzle and 30 times when compared to Karame andČapkun, for 1024-bit moduli.…”

Section: Contributionsmentioning

confidence: 99%

See 1 more Smart Citation

Efficient Modular Exponentiation-Based Puzzles for Denial-of-Service Protection

Rangasamy

Stebila

Kuppusamy

et al. 2012

Information Security and Cryptology - ICISC 2011

View full text Add to dashboard Cite

Abstract. Client puzzles are moderately-hard cryptographic problems -neither easy nor impossible to solve -that can be used as a countermeasure against denial of service attacks on network protocols. Puzzles based on modular exponentiation are attractive as they provide important properties such as non-parallelisability, deterministic solving time, and linear granularity. We propose an efficient client puzzle based on modular exponentiation. Our puzzle requires only a few modular multiplications for puzzle generation and verification. For a server under denial of service attack, this is a significant improvement as the best known non-parallelisable puzzle proposed by Karame andČapkun (ESORICS 2010) requires at least 2k-bit modular exponentiation, where k is a security parameter. We show that our puzzle satisfies the unforgeability and difficulty properties defined by Chen et al. (Asiacrypt 2009). We present experimental results which show that, for 1024-bit moduli, our proposed puzzle can be up to 30× faster to verify than the Karame-Čapkun puzzle and 99× faster than the Rivest et al.'s time-lock puzzle.

show abstract

Section: Puzzle Propertiesmentioning

confidence: 99%

Section: Contributionsmentioning

confidence: 99%

Efficient Modular Exponentiation-Based Puzzles for Denial-of-Service Protection

Rangasamy

Stebila

Kuppusamy

et al. 2012

Information Security and Cryptology - ICISC 2011

View full text Add to dashboard Cite

show abstract

“…Consider two representative proof of work puzzles from the literature (and recall c is the commitment value and d is a difficulty parameter). The first puzzle (P rs ), based on repeated squaring, is to compute Solve(d, c, N ) = c [29,6,21]. The second puzzle (P h ), based on hash preimages, is to find an x such that y = H(c, x) has d leading zeros (where H is a cryptographic hash function)…”

Section: Puzzle Propertiesmentioning

confidence: 99%

CommitCoin: Carbon Dating Commitments with Bitcoin

Clark

Essex

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In the standard definition of a commitment scheme, the sender commits to a message and immediately sends the commitment to the recipient interested in it. However the sender may not always know at the time of commitment who will become interested in verifying it. Further, when the interested party does emerge, it could be critical to establish when the commitment was made. Employing a proof of work protocol at commitment time will later allow anyone to "carbon date" when the commitment was made, approximately, without trusting any external parties. We present CommitCoin, an instantiation of this approach that harnesses the existing processing power of the Bitcoin peer-to-peer network; a network used to mint and trade digital cash. Introductory RemarksConsider the scenario where Alice makes an important discovery. It is important to her that she receives recognition for her breakthrough, however she would also like to keep it a secret until she can establish a suitable infrastructure for monetizing it. By forgoing publication of her discovery, she risks Bob independently making the same discovery and publicizing it as his own.Folklore suggests that Alice might mail herself a copy of her discovery and leave the letter sealed, with the postal service's timestamp intact, for a later resolution time. If Bob later claims the same discovery, the envelope can be produced and opened. In reality, this approach does not work as (among other shortcomings) most postal services are pleased to timestamp and deliver unsealed empty envelopes that can be retroactively stuffed with "discoveries."In our approach, Alice will use a commitment scheme to put the discovery in a "digital envelope" which can be opened at some later time, but only by Alice. Alice can safely disclose the commitment value to anyone, but she does not know ahead of time that Bob will rediscover her breakthrough. Alice might attempt to reach Bob by broadcasting the commitment value to as many people as possible or she might have a trusted/distributed third party timestamp it, however she is neither guaranteed to reach Bob, nor choose a party that Bob will trust.Instead we show that Alice can produce a commitment and later convince Bob that the commitment was made at roughly the correct time, premised on the assumption that she does not have unusual computational power. We call this "carbon dating." We show a general approach to carbon dating using moderately hard puzzles and then propose a specific instantiation: CommitCoin. CommitCoin harnesses the existing processing power of the Bitcoin network without trusting it, and is designed to leave the commitment value evident in the public Bitcoin transcript in a way that does not destroy currency. We use CommitCoin to augment the verifiability of a real-world election. Preliminaries and Related WorkCommitment Schemes. Briefly, Comm(m, r) takes message m and randomness r and produces commitment c. Open(c, m, r) takes the commitment and purported message and returns accept iff c is a valid commitment A shor...

show abstract

“…In mutual proofs of work, two parties prove to each other that they have computed some asserted amount of computational effort. This task is inspired by, and similar to, client puzzles [18,19,24,25,33] and puzzle auctions [35]. We give a protocol for mutual proofs of work whose computational task is computing hash chains.…”

Section: The Second Iterate Paradoxmentioning

confidence: 99%

“…We suggest that just such a setting could arise in protocols in which parties want to assert to each other, in a verifiable way, that they performed some amount of computation. Such a setting could arise when parties must (provably) compare assertions of computational power, as when using cryptographic puzzles [18,19,24,25,33,35]. Or this might work when trying to verifiably calibrate differing computational speeds of the two parties' computers.…”

Section: A Vulnerable Application: Mutual Proofs Of Workmentioning

confidence: 99%

To Hash or Not to Hash Again? (In)Differentiability Results for $$H^2$$ and HMAC

Dodis

Ristenpart

Steinberger

et al. 2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We show that the second iterate H 2 (M ) = H(H(M )) of a random oracle H cannot achieve strong security in the sense of indifferentiability from a random oracle. We do so by proving that indifferentiability for H 2 holds only with poor concrete security by providing a lower bound (via an attack) and a matching upper bound (via a proof requiring new techniques) on the complexity of any successful simulator. We then investigate HMAC when it is used as a general-purpose hash function with arbitrary keys (and not as a MAC or PRF with uniform, secret keys). We uncover that HMAC's handling of keys gives rise to two types of weak key pairs. The first allows trivial attacks against its indifferentiability; the second gives rise to structural issues similar to that which ruled out strong indifferentiability bounds in the case of H 2 . However, such weak key pairs do not arise, as far as we know, in any deployed applications of HMAC. For example, using keys of any fixed length shorter than d − 1, where d is the block length in bits of the underlying hash function, completely avoids weak key pairs. We therefore conclude with a positive result: a proof that HMAC is indifferentiable from a RO (with standard, good bounds) when applications use keys of a fixed length less than d − 1.

show abstract

Low-Cost Client Puzzles Based on Modular Exponentiation

Cited by 18 publications

References 34 publications

Efficient Modular Exponentiation-Based Puzzles for Denial-of-Service Protection

Efficient Modular Exponentiation-Based Puzzles for Denial-of-Service Protection

CommitCoin: Carbon Dating Commitments with Bitcoin

To Hash or Not to Hash Again? (In)Differentiability Results for $$H^2$$ and HMAC

Contact Info

Product

Resources

About