Cryptographic puzzles and DoS resilience, revisited

Cryptographic puzzles (or client puzzles) are moderately difficult problems that can be solved by investing non-trivial amounts of computation and/or storage. Devising models for cryptographic puzzles has only recently started to receive attention from the cryptographic community as a first step toward rigorous models and proofs of security of applications that employ them (e.g. Denial-of-Service (DoS) resistance). Unfortunately, the subtle interaction between the complex scenarios for which cryptographic puzzles are intended and typical difficulties associated with defining concrete security easily leads to flaws in definitions and proofs. Indeed, as a first contribution we exhibit shortcomings of the state-of-the-art definition of security of cryptographic puzzles and point out some flaws in existing security proofs. The main contribution of this paper are new security definitions for puzzle difficulty. We distinguish and formalize two distinct flavors of puzzle security which we call optimality and fairness and in addition, properly define the relation between solving one puzzle versus solving multiple ones. We demonstrate the applicability of our notions by analyzing the security of two popular puzzle constructions. We briefly investigate existing definitions for the related notion of security against DoS attacks. We demonstrate that the only rigorous security notion proposed to date is not sufficiently demanding (as it allows to prove secure protocols that are clearly not DoS resistant) and suggest an alternative definition. Our results are not only of theoretical interest: the better characterization of hardness for puzzles and DoS resilience allows establishing formal bounds on the effectiveness of client puzzles which confirm previous empirical observations. We also underline clear practical limitations for the effectiveness of puzzles against DoS attacks by providing simple rules of thumb that can be easily used to discard puzzles as a valid countermeasure for certain scenarios.

[1]  Arjan Jeckmans,et al.  Practical Client Puzzle from Repeated Squaring , 2009 .

[2]  L. Jean Camp,et al.  Proof of Work can Work , 2006, WEIS.

[3]  Yi Mu,et al.  Efficient Trapdoor-Based Client Puzzle Against DoS Attacks , 2010 .

[4]  Moni Naor,et al.  On Memory-Bound Functions for Fighting Spam , 2003, CRYPTO.

[5]  Qiang Tang,et al.  On Non-Parallelizable Deterministic Client Puzzle Scheme with Batch Verification Modes , 2010 .

[6]  Ronald L. Rivest,et al.  Time-lock Puzzles and Timed-release Crypto , 1996 .

[7]  Moni Naor,et al.  Pricing via Processing or Combatting Junk Mail , 1992, CRYPTO.

[8]  Bogdan Warinschi,et al.  Revisiting Difficulty Notions for Client Puzzles and DoS Resilience , 2012, ISC.

[9]  Taieb Znati,et al.  A Guided Tour Puzzle for Denial of Service Prevention , 2009, 2009 Annual Computer Security Applications Conference.

[10]  L. Buttyán,et al.  A Game Based Analysis of the Client Puzzle Approach to Defend Against DoS Attacks , 2003 .

[11]  Ben Laurie,et al.  “ Proof-of-Work ” Proves Not to Work version 0 . 2 , 2004 .

[12]  Colin Boyd,et al.  Toward Non-parallelizable Client Puzzles , 2007, CANS.

[13]  Ghassan O. Karame,et al.  Low-Cost Client Puzzles Based on Modular Exponentiation , 2010, ESORICS.

[14]  Mehran S. Fallah A Puzzle-Based Defense Strategy Against Flooding Attacks Using Game Theory , 2010, IEEE Transactions on Dependable and Secure Computing.

[15]  C. Pandu Rangan,et al.  Game Theoretic Resistance to Denial of Service Attacks Using Hidden Difficulty Puzzles , 2010, ISPEC.

[16]  Moni Naor,et al.  Does parallel repetition lower the error in computationally sound protocols? , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[17]  Colin Boyd,et al.  An integrated approach to cryptographic mitigation of denial-of-service attacks , 2011, ASIACCS '11.

[18]  Ed Dawson,et al.  An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks , 2011 .

[19]  Bogdan Warinschi,et al.  Security Notions and Generic Constructions for Client Puzzles , 2009, ASIACRYPT.

[20]  Colin Boyd,et al.  Stronger Difficulty Notions for Client Puzzles and Denial-of-Service-Resistant Protocols , 2011, CT-RSA.

[21]  Ted Wobber,et al.  Moderately hard, memory-bound functions , 2005, TOIT.

[22]  Adam Stubblefield,et al.  Using Client Puzzles to Protect TLS , 2001, USENIX Security Symposium.

[23]  Mihir Bellare,et al.  Multi-instance Security and Its Application to Password-Based Cryptography , 2012, CRYPTO.

[24]  Martin Mauve,et al.  Non-Parallelizable and Non-Interactive Client Puzzles from Modular Square Roots , 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[25]  Yi Gao,et al.  Efficient trapdoor-based client puzzle system against DoS attacks , 2005 .

[26]  Cullen Jennings Computational Puzzles for SPAM Reduction in SIP , 2007 .

[27]  Adam Back,et al.  Hashcash - A Denial of Service Counter-Measure , 2002 .

[28]  Douglas Stebila,et al.  Defending Web Services against Denial of Service Attacks Using Client Puzzles , 2011, 2011 IEEE International Conference on Web Services.

[29]  Pekka Nikander,et al.  DOS-Resistant Authentication with Client Puzzles , 2000, Security Protocols Workshop.

[30]  Ari Juels,et al.  $evwu Dfw , 1998 .