Equihash: Asymmetric Proof-of-Work Based on the Generalized Birthday Problem

Proof-of-work is a central concept in modern cryptocurrencies, but the requirement for fast verification has so far made it easy prey for GPU-, ASIC-, and botnet-equipped users. Attempts to rely on memory-intensive computations in order to remedy the disparity between architectures have resulted in slow or broken schemes. In this paper we solve this open problem and show how to construct an asymmetric proof-of-work (PoW) based on a computationally hard problem which requires a lot of memory to generate a proof (the "memory-hardness" feature) but is instant to verify. Our primary proposal is a PoW based on the generalized birthday problem and an enhanced version of Wagner's algorithm for it. We introduce the new technique of algorithm binding to prevent cost amortization and demonstrate that possible parallel implementations are constrained by memory bandwidth. Our scheme has tunable and steep time-space tradeoffs, which impose large computational penalties if less memory is used. Our solution is practical and ready to deploy: a reference implementation of a proof-of-work requiring 700 MB of RAM runs in 30 seconds on a 1.8 GHz CPU, increases the computations by a factor of 1000 if memory is halved, and produces a proof just 148 bytes long.
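The following is an added toy example, not the paper's reference implementation, showing the asymmetry the abstract describes: a prover runs Wagner's k-tree algorithm over a list of 2^(n/(k+1)+1) hashes to find 2^k indices whose hashes XOR to zero, while the verifier only recomputes 2^k hashes and walks the collision tree. The parameters (n = 32, k = 3, 512-entry list) are constructed for speed and are far smaller than any real deployment; hashing is plain blake2b over seed, nonce and index (an assumption, the real scheme's hashing differs); and the "algorithm binding" check (canonical index order plus zero leading bits at every intermediate level of the tree) is this example's interpretation of the abstract's binding technique. All names are this example's own.

```python
import hashlib
from collections import defaultdict
from itertools import combinations

# Toy parameters, constructed so the example runs in well under a second.
# Real Equihash deployments use far larger n; the abstract's 700 MB
# configuration is nowhere near this small.
N_BITS = 32               # width n of the truncated hash
K = 3                     # a solution is 2**K = 8 indices
M = N_BITS // (K + 1)     # bits collided per round: 8
LIST_SIZE = 2 ** (M + 1)  # 512 initial hashes, Wagner's list size 2**(n/(k+1)+1)


def h(seed: bytes, nonce: int, i: int) -> int:
    """n-bit hash of (seed, nonce, index) as an integer. Assumption: plain
    blake2b over the concatenation; the real scheme's hashing differs."""
    data = seed + nonce.to_bytes(4, "big") + i.to_bytes(4, "big")
    digest = hashlib.blake2b(data, digest_size=N_BITS // 8).digest()
    return int.from_bytes(digest, "big")


def solve(seed: bytes, nonce: int) -> list:
    """Wagner's k-tree algorithm: K rounds of pairwise collisions on M bits.
    Memory is dominated by the list of LIST_SIZE (hash, index-tuple) items."""
    items = [(h(seed, nonce, i), (i,)) for i in range(LIST_SIZE)]
    for r in range(1, K + 1):
        buckets = defaultdict(list)
        for x, idx in items:
            # rounds 1..K-1 collide on the next M bits; the last round must
            # zero everything that is left (2*M bits)
            key = x if r == K else x >> (N_BITS - r * M)
            buckets[key].append((x, idx))
        merged = []
        for group in buckets.values():
            for (xa, a), (xb, b) in combinations(group, 2):
                if set(a) & set(b):
                    continue            # indices must stay distinct
                # algorithm binding: store the pair in canonical order
                # (smaller first index on the left) so a solution encodes
                # the exact collision tree that produced it
                idx = a + b if a[0] < b[0] else b + a
                merged.append((xa ^ xb, idx))
        items = merged
    return [idx for x, idx in items if x == 0]


def verify(seed: bytes, nonce: int, indices: tuple) -> bool:
    """Instant verification: 2**K hashes plus the binding checks at each
    level of the tree (canonical order and zero leading bits)."""
    if len(indices) != 2 ** K or len(set(indices)) != len(indices):
        return False
    if any(not 0 <= i < LIST_SIZE for i in indices):
        return False

    def node(sub, depth):
        if depth == 0:
            return h(seed, nonce, sub[0])
        half = len(sub) // 2
        left, right = sub[:half], sub[half:]
        if left[0] >= right[0]:
            return None                 # wrong order: not the bound tree
        xl, xr = node(left, depth - 1), node(right, depth - 1)
        if xl is None or xr is None:
            return None
        x = xl ^ xr
        if depth < K and x >> (N_BITS - depth * M) != 0:
            return None                 # intermediate collision missing
        return x

    return node(tuple(indices), K) == 0


def xor_of_hashes(seed: bytes, nonce: int, indices) -> int:
    """Plain XOR of the leaf hashes, ignoring the binding structure."""
    x = 0
    for i in indices:
        x ^= h(seed, nonce, i)
    return x


def find_solution(seed: bytes, max_nonces: int = 200):
    """Mine: try nonces until Wagner's algorithm yields a solution
    (about two solutions per nonce are expected at these parameters)."""
    for nonce in range(max_nonces):
        sols = solve(seed, nonce)
        if sols:
            return nonce, sols[0]
    return None


if __name__ == "__main__":
    seed = b"constructed-example-header"      # constructed sample input
    nonce, sol = find_solution(seed)
    print("nonce", nonce, "solution", sol, "valid:", verify(seed, nonce, sol))
```

The point of the binding check is visible when the two halves of a valid solution are swapped: the eight hashes still XOR to zero, so a verifier that only checked the final XOR would accept the rearranged tuple as a second proof, but `verify` rejects it because it is not the canonical tree Wagner's algorithm produced. This is what stops a prover from amortizing one run of the memory-hungry algorithm into many proofs.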
