Foundations, Properties, and Security Applications of Puzzles: A Survey
ISRA MOHAMED ALI, MAURANTONIO CAPROLU, ROBERTO DI PIETRO,
Division of Information and Computing Technology (ICT)
College of Science and Engineering (CSE), Hamad Bin Khalifa University (HBKU)
Doha, Qatar
isali@mail.hbku.edu.qa, mcaprolu@mail.hbku.edu.qa, rdipietro@hbku.edu.qa
Cryptographic algorithms have been used not only to create robust ciphertexts but also to generate cryptograms that, contrary to the classic goal of cryptography, are meant to be broken. These cryptograms, generally called puzzles, require the use of a certain amount of resources to be solved, hence introducing a cost that is often regarded as a time delay—though it could involve other metrics as well, such as bandwidth. These powerful features have made puzzles the core of many security protocols, acquiring increasing importance in the IT security landscape. The concept of a puzzle has subsequently been extended to other types of schemes that do not use cryptographic functions, such as CAPTCHAs, which are used to discriminate humans from machines. Overall, puzzles have experienced a renewed interest with the advent of Bitcoin, which uses a CPU-intensive puzzle as proof of work.
In this paper, we provide a comprehensive study of the most important puzzle construction schemes available in the literature, categorizing them according to several attributes, such as resource type, verification type, and applications. We have redefined the term puzzle by collecting and integrating the scattered notions used in different works, to cover all the existing applications. Moreover, we provide an overview of the possible applications, identifying key requirements and different design approaches. Finally, we highlight the features and limitations of each approach, providing a useful guide for the future development of new puzzle schemes.
ACM Reference format:
Isra Mohamed Ali, Maurantonio Caprolu, Roberto Di Pietro. 2019. Foundations, Properties, and Security
Applications of Puzzles: A Survey. 1, 1, Article 1 (Unpublished), 40 pages.
DOI: 10.1145/nnnnnnn.nnnnnnn
1 INTRODUCTION
The concept of ‘puzzle’ was introduced in the field of security by Merkle in 1978, when he proposed a puzzle to reach key agreement over insecure channels [90]. Since the mid-nineties, puzzles have witnessed a growing interest by the research community in a variety of security fields, ranging from cryptography and network security to computer performance and biometric technologies. Puzzles constitute the core of many security protocols. They have been proposed as a security tool to achieve various goals, including defending against large-scale attacks, delaying the disclosure of information, creating uncheatable benchmarks, achieving consensus, and differentiating between humans and internet bots.
©2019 ACM. XXXX-XXXX/2019/1-ART1 $15.00
DOI: 10.1145/nnnnnnn.nnnnnnn
, Vol. 1, No. 1, Article 1. Publication date: Unpublished.
arXiv:1904.10164v2 [cs.CR] 23 Feb 2020
1:2 Isra Mohamed Ali, Maurantonio Caprolu, Roberto Di Pietro
A puzzle is a moderately hard problem that is much easier to verify than to solve. Two key features of puzzles are the asymmetry and adjustability of workload. The solver is forced to dedicate a non-trivial amount of resources to find a solution, while the verifier can check its validity and correctness with a much-reduced effort. The adjustability of its hardness enables the verifier to tune the minimal amount of time and resources to be spent by the solver.
The process of spending resources to solve a puzzle generally introduces a time delay and an economic cost. The combination of these two effects makes puzzles a powerful tool that can be utilized to limit the capability of an adversary and prevent him from gaining significant influence. The first to observe this phenomenon were Dwork and Naor [44] in 1992, who proposed a type of puzzles, called pricing functions, as a solution to combat spam. In a similar context, client-puzzles were later proposed by Juels and Brainard [65] to mitigate denial of service attacks. The general idea of such puzzles is to associate a cost with each resource allocation request by requiring the client to complete a task before the server performs any expensive operation, hence making large-scale attacks infeasible.
One of the areas where puzzles have the most impact is in cryptocurrencies and other emerging technologies, such as blockchain. The idiosyncratic features of the puzzles, known as proofs-of-work, have paved the way to the implementation of a fully decentralized peer-to-peer cryptocurrency system. The idea of using puzzles in the creation of a digital-cash payment system has long been investigated [36, 116, 122], but was only successfully implemented with the start of the Bitcoin project [98] in 2008. The puzzle is used to secure the public ledger of transactions by requiring miners to find a solution before being able to add a block to the ledger. The computational cost imposed by the puzzle prevents a computationally bounded adversary from double-spending transactions or effectively rewriting the ledger. The uniqueness and scarcity provided by the puzzle give the currency an economic value and enable the process of minting currency [100].
Another common adaptation of puzzles is in Bot detection by web-based services. Companies such as Google, Yahoo, and PayPal use a special type of puzzles, widely known as CAPTCHAs, to verify that the user is not a computer program. This type of puzzles enables human identification by using AI-hard problems that, ideally, cannot be solved by machines but can be easily solved by a simple human interaction [128]. The human feature provided by this type of puzzles is leveraged to slow down attackers and to prevent abuse caused by malicious bot programs masquerading as humans.
The early puzzle design approaches concentrated on computational problems that are evaluated by the number of CPU cycles required to find a solution. An example of such puzzles is the one used in many proposals, including Bitcoin, which was initially introduced by Back [10] in the Hashcash system in 1997. The puzzle requires finding an input to a hash function that produces an output with a specific number of leading zeros. A major drawback of such puzzles is the possible mismatch in the level of processing speeds over time and between different types of processors [43]. This problem was addressed by Abadi et al. [1] in 2003, who introduced an alternative computational approach that relies on memory latency, known as memory-bound functions. Since memory-latency values are normally more stable than CPU speeds, most recent systems will solve the puzzle at a similar speed. Another approach, by Abliz and Znati [2], was to rely on network latency. Subsequently, several works that rely on memory and bandwidth were presented in different research areas.
Although there have been several proposed construction schemes and a wide range of applications for puzzles, to the best of our knowledge there has not been any attempt to characteristically distinguish puzzles from other related notions. In this paper, we define the term ‘puzzle’ as an umbrella name subsuming all moderately hard functions that are relatively easier to verify than to solve.
Fig. 1. Phases of a puzzle scheme.
Contributions. This work can be seen as an extensive introduction to puzzles, providing the reader with a theoretical background and an overview of the different types of puzzles. Our work aims to fill the gap between the growing body of work on puzzles and the lack of a comprehensive survey that covers the different types of puzzles. Another aim is to clarify the connections and differences between the terms and notions used to describe a puzzle. We summarize our contributions as follows:
• We collect and integrate the scattered notions of puzzles into a uniform introductory work.
• We determine the criteria for puzzle categorization.
• We provide an overview of the applications of puzzles and identify the key requirements and challenges faced in each application field.
• We examine the different approaches used in the design of puzzles and identify the features and limitations of each one, ideally inspiring the development of novel, effective puzzle schemes.
Roadmap. The rest of this paper is organized as follows. Section 2 provides an introductory overview of puzzles and describes their different types. Section 3 lists the properties and idiosyncratic features of puzzles. Section 4 provides a survey of the applications of puzzles, states the key requirements for each field, and discusses the viability of puzzles in each application field. Section 5 provides an in-depth survey of the state-of-the-art construction schemes and further developments. Finally, Section 7 concludes the survey by summarizing our contributions.
2 FOUNDATIONS AND BACKGROUND
Unlike traditional security problems and algorithms, such as cryptograms, which ideally cannot be cryptanalyzed, a puzzle is defined as a problem that is meant to be solved [90]. It is easy to verify, in that it is easy to determine whether the given inputs produce the given outputs, but moderately hard to solve, in that it is solvable in a reasonable time [44]. Solving it involves performing a number of operations that require a specific amount of resources, such as CPU cycles, memory, bandwidth, and human attention. The terms ’easy’, ’moderate’, and ’hard’ are used in a relative sense, since their exact definitions depend on the application and implementation of the puzzle.
The solution of a puzzle in some cases serves as a proof of work (PoW), in which it demonstrates to one party (the verifier) that the other party (the prover) has performed a specific amount of computational work in a pre-defined time interval [63]. In this sense, the purpose of puzzles differs from the standard cryptographic objective: instead of showing the possession of a secret, the prover shows the ability to expend a certain amount of resources within a certain time interval [63]. Anyone without the secret can solve the puzzle, but only in one way, which involves dedicating a minimal amount of resources. In the following, we describe the abstract structure of puzzles and present their different categories.
2.1 Abstract Structure of Puzzles
The abstract structure of a puzzle scheme involves two parties, a verifier and a prover. The verifier determines the parameters of a puzzle and checks the correctness and validity of the solution submitted by the prover. The prover solves the puzzle to prove that it is a legitimate party or to obtain a specific reward.
A puzzle consists of three main components: input parameters, a difficulty-level parameter, and a tunable function. Input parameters are application-related data, such as the message in spam defense or the block of transactions in cryptocurrencies. The difficulty-level parameter plays a role similar to that of a security parameter in a cryptosystem [44]. It determines the hardness of a puzzle and its effectiveness. The issuer should be able to tune the difficulty level flexibly according to the threat level and to accommodate Moore’s Law, such that the tunable function adapts to the increasing amount of computational power and resources over time. In general, tuning the difficulty involves adjusting the size of the solution search space or revealing different degrees of the puzzle’s solution.
Any puzzle scheme can be abstracted into three main phases, as illustrated in Figure 1: Construction, Solving, and Verification. In the Construction phase, a puzzle may be constructed by the verifier or the prover, depending on the scheme type (whether it is interactive or non-interactive). It may also include some offline pre-computations to reduce the online construction cost. This phase provides the two parties with the information needed to execute the subsequent phases. Once the puzzle is constructed, the prover starts performing the required operations to find a solution and then submits it to the verifier within the specified time interval. Finally, the Verification phase involves verifying the validity and correctness of the submitted solution.
The execution of these phases is done through a protocol that can be either interactive or non-interactive. The former involves multiple rounds of communication executed by both parties, the prover and the verifier. It terminates by either accepting or rejecting the submitted solution, which is decided by the verifier in the Verification phase. Non-interactive puzzles involve only one round of communication that is either initiated by the prover, which constructs and solves the puzzle and then sends the solution to the verifier, or by the verifier, which constructs a puzzle that does not require an explicit verification and then sends it to the prover. The latter is a special type of non-interactive puzzle, known as an implicit puzzle, where the verification is determined by the ability of the prover to perform a certain task that can be done in the absence of the verifier, such as in time-lock puzzles [117]. We discuss the verification type and the interactivity of puzzles in Section 2.2.3.
2.2 Types of Puzzles
Puzzles can be categorized based on their application, the resources required to solve them, or the verification type of the scheme. The application determines the way in which a puzzle can be utilized. It also defines the requirements and desirable properties of the puzzle scheme. The resources required to solve the puzzle define the metric by which its hardness is measured, whether it is computational steps, memory accesses, memory space, bandwidth, etc. Finally, the verification type refers to the means by which the solution of a puzzle is used and whether it requires implicit or explicit verification. The rationale behind having more than one categorization is that none of these aspects is directly related to the others. The resource type is not directly determined by the application type, and vice versa. Furthermore, the verification type is determined by the application field and not by the application type itself. Therefore, providing a single categorization that combines any of these aspects may not be possible. In the following, we present the different types of puzzles with respect to the aforementioned aspects and discuss their characteristics as well as the relationships between the three aspects: application, resource type, and verification.
2.2.1 Application. Puzzles have been relied on by several security protocols in the literature. Historically, puzzles have been utilized as a pricing tool to assign a certain cost to accessing a resource or service, as a delaying tool to delay access to a specific resource, as a metering tool to meter the access to a specific resource, as an identity assignment tool to achieve consensus in decentralized systems, and as a human identification tool to discriminate humans from bots. In the following, we list the different types of puzzles based on the way they are applied and present a brief description of each.
Pricing puzzle: As defined by Dwork and Naor [44], it is a function that is moderately hard to compute and requires a known lower-bound expenditure of resources. It is not amenable to amortization and cannot be computed more efficiently after some pre-processing. The difficulty of computing a pricing puzzle is leveraged to increase the cost of launching automated large-scale attacks. It is usually applied in contexts where the low cost of using a service leads to abuse.
Delaying puzzle: Also known as a time-lock puzzle [117], it is a moderately hard function that requires a precise amount of time (real time, not CPU time) to compute. It can only be computed sequentially by performing a deterministic number of computations, and cannot be solved significantly faster with large investments in hardware. The number of computational steps required to find the solution is predetermined by the puzzle issuer, allowing him to control precisely when the prover can access the ’locked’ resource.
Timing puzzle: As first introduced by Franklin and Malkhi [51], it is a moderately hard function that requires performing computations incrementally with increasingly large efforts invested. At every stage of the computation, a solver can generate a solution which verifies that a given state is certainly the current state of the computation [22]. The number of computation steps is determined in the solving phase instead of being fixed during the construction phase (as in delaying puzzles). The difficulty of solving a timing puzzle is used to ensure the security of a metering/measuring method.
AI-hard puzzle: As described by Ahn et al. [128], it is a function that can generate and verify problems that a defined portion of the human population can solve but current computer programs cannot. Ideally, it is hard for a machine to compute, which allows ensuring that a human is in the communication channel and not a bot.
Puzzles provide several features that may be exploited to achieve a specific effect. For example, solving a puzzle requires spending resources, hence introducing a time delay that allows the verifier to define when the prover may access the protected service. This feature is exploited by several schemes to achieve the timing effect. Generally, the application of a puzzle is motivated by one or more of the following features:
Computation: This feature requires dedicating a defined amount of resources to solve the puzzle. It is utilized in order to associate a cost to a specific service or activity, such as sending an email or mining cryptocurrencies.
Timing: This feature requires the prover to invest a specific amount of time in solving the puzzle. It is utilized to introduce a delay or to measure the time spent on a specific activity, such as visiting a website.
Human: As the name implies, this feature requires human interaction to find a solution, since the puzzle cannot be solved automatically by machines. It is utilized to differentiate between humans and machines.
The timing feature is tightly related to the other features; however, schemes which are mainly motivated by time are not affected by the amount of resources used to solve the puzzle. In particular, puzzles that are used as a timing or a delaying function cannot be solved faster using more resources, such as multi-processors in parallel computing. On the other hand, pricing puzzles, which are used as a pricing function, are designed to ensure that the prover performs a certain amount of computational work that introduces a cost and limits the rate of a specific attack to the amount of resources available to adversaries. Unlike timing puzzles, the time required to solve a pricing puzzle is probabilistic, with a predictable expected time but a random actual time [10]. Finally, human puzzles, such as CAPTCHAs [128], are the only type of puzzles that has the human feature, in that they are mainly designed to ensure that the prover is a human. We would like to note that human puzzles may be considered as computational puzzles, where the computational work is performed by the human and the dedicated resource is his attention.
2.2.2 Resource Type. Puzzles are either CPU-, memory-, bandwidth-, network- or human-bound (AI-hard).
CPU-bound puzzles: the computational work is quantified by the number of CPU cycles required to find the solution, which varies vastly in time according to Moore’s law, as well as across different machines.
Memory-bound puzzles: the computation is evaluated either by the number of memory accesses or the amount of memory space required to solve a puzzle. Therefore, the computation speed of these schemes is bound by memory latency and bandwidth.
Bandwidth-bound puzzles: are evaluated by the amount of bandwidth dedicated to solving the puzzle.
Network-bound puzzles: the time required to solve the puzzle is bounded by network latency, as the solving process involves sending and receiving packets in a certain order.
Human-bound puzzles: are puzzles that cannot be computed by artificial intelligence but can be easily solved by a simple human interaction. They are evaluated not by the amount of computational resources but by the amount of attention a human dedicates to solving the puzzle.
In the general case, the resource type is neither directly related to, nor determined by, the selected application type, since different types of resources can be used in the same application field. For example, there exist several implementations and proposals of puzzles in decentralized cryptocurrencies that are bounded by different resources, including CPU [10], memory [16], and human interaction [19]. However, for specific applications, such as Bot detection, the only type of resource that can be utilized to discriminate between humans and machines is human interaction. Furthermore, the same type of resource can be used in different applications, such as CPU, which bounds pricing puzzles applied in DoS defense, delaying puzzles applied in time-release cryptography, and timing puzzles applied in uncheatable benchmarks.
2.2.3 Verification Type. The verification of a puzzle scheme can either be explicit, where it is performed by the verifier, or implicit, where it is determined by the ability of the prover to successfully complete a specific task without the involvement of the puzzle issuer [63].
In Figure 2, we illustrate the different types of puzzle schemes based on the verification type and interactivity. An explicit puzzle scheme can be executed through both interactive and non-interactive protocols, while an implicit puzzle scheme is only executed through a non-interactive protocol, since it requires one round of communication only. Consider (P, V) as a two-party protocol through which a puzzle scheme is executed, where P is the prover and V is the verifier. An interactive puzzle scheme is considered as a two-message (P, V) protocol¹, while a non-interactive puzzle scheme is considered as a one-message (P, V) protocol.
In an explicit two-message (P, V) protocol, V executes Construct and then sends the generated puzzle Puzz(In, t, k) to P, where In is a set of n application-related input parameters, t is the maximum time required to solve the puzzle, and k is the difficulty-level parameter. Upon receiving the puzzle, P executes Solve and then sends the produced solution S to V. The protocol terminates by V executing Verify(S, In, t, k), which outputs either accept or reject.
¹ We highlight that such a protocol involves at least two messages, which may increase based on the designed scheme and application field.
Fig. 2. Types of puzzle schemes based on the verification and interactivity: (a) is an explicit interactive scheme (Verifier: Construct, Verify; Prover: Solve), (b) is an explicit non-interactive puzzle scheme (Prover: Construct, Solve; Verifier: Verify), and (c) is an implicit non-interactive puzzle scheme (Verifier: Construct; Prover: Solve, Verify).
In an explicit one-message (P, V) protocol, P executes both Construct and Solve, then sends a message containing both the generated Puzz(In, t, k) and the produced solution S. Upon receiving the message, V executes Verify(S, In, t, k), which outputs either accept or reject.
Finally, in an implicit one-message (P, V) protocol, V executes Construct and then sends the generated puzzle Puzz(In, t, k) to P. P then executes both Solve and Verify(S, In, t, k), where the latter outputs either success or failure.
In the following, we discuss each verification type and provide some examples.
Explicit: In an explicit puzzle scheme, the solution serves as a way of convincing the verifier that a specific amount of effort has been spent. The scheme can either be interactive, with multiple communication rounds, or non-interactive, with one communication round, where the prover generates and solves the puzzle in the absence of the verifier. A non-interactive puzzle can be applied in an interactive scheme as a challenge-response protocol, while the converse is not possible. In non-interactive schemes, it is necessary to ensure that the prover can neither effectively control the puzzle generation nor precompute the solution. This can be achieved by referencing the puzzle generation to a public source of randomness. An example of an explicit puzzle scheme that can be used in both interactive and non-interactive settings is the Hashcash proof-of-work scheme [10], which is also used in Bitcoin [98].
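As an added example (not code from the survey or from Back's Hashcash implementation), the following Python program instantiates the explicit two-message and one-message (P, V) protocols described above with a Hashcash-style puzzle in the paper's notation: Construct draws a nonce, Solve searches for an S whose SHA-256 digest over (In, nonce, k, S) has k leading zero bits, and Verify(S, In, t, k) recomputes one hash and checks the deadline t. The beacon-derived nonce is an assumed construction standing in for the public source of randomness that the non-interactive case requires; the names Puzzle, construct, solve, verify, beacon_nonce and verify_non_interactive are the example's own.

```python
"""Hashcash-style explicit puzzle in Construct / Solve / Verify phases.
Added example for this survey, not code from the paper or from Hashcash; the
beacon-derived nonce is an assumed stand-in for a public randomness source."""
import hashlib
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple

HASH_BITS = 256  # SHA-256 output size


@dataclass(frozen=True)
class Puzzle:
    """Puzz(In, t, k) as sent from the issuer to the prover."""
    inputs: bytes    # In: application-related data, e.g. a message or request id
    nonce: bytes     # issuer randomness: makes the puzzle fresh and unforgeable
    deadline: float  # t: Unix time after which a solution is no longer accepted
    difficulty: int  # k: required number of leading zero bits in the digest


def construct(inputs: bytes, difficulty: int, lifetime_s: float = 60.0,
              nonce: Optional[bytes] = None) -> Puzzle:
    """Construct phase: one random draw and no hashing, so it is cheap for V."""
    if nonce is None:
        nonce = os.urandom(16)
    return Puzzle(inputs, nonce, time.time() + lifetime_s, difficulty)


def _digest(puzzle: Puzzle, candidate: int) -> bytes:
    h = hashlib.sha256()
    h.update(puzzle.inputs)
    h.update(puzzle.nonce)
    h.update(puzzle.difficulty.to_bytes(2, "big"))
    h.update(candidate.to_bytes(8, "big"))
    return h.digest()


def _leading_zero_bits(digest: bytes) -> int:
    return HASH_BITS - int.from_bytes(digest, "big").bit_length()


def solve(puzzle: Puzzle) -> Tuple[int, int]:
    """Solve phase: brute-force search for S. Returns (S, hash evaluations).
    Expected cost is 2**k evaluations; the actual count is random, which is
    the probabilistic solving time of pricing puzzles."""
    candidate = 0
    while _leading_zero_bits(_digest(puzzle, candidate)) < puzzle.difficulty:
        candidate += 1
    return candidate, candidate + 1


def verify(puzzle: Puzzle, solution: int, now: Optional[float] = None) -> bool:
    """Verify(S, In, t, k): a single hash evaluation plus the deadline check.
    This is the asymmetry: V does O(1) work against P's expected 2**k."""
    now = time.time() if now is None else now
    if now > puzzle.deadline or not 0 <= solution < 2 ** 64:
        return False
    return _leading_zero_bits(_digest(puzzle, solution)) >= puzzle.difficulty


def interactive_round(inputs: bytes, k: int) -> bool:
    """Explicit two-message (P, V): V constructs, P solves, V verifies."""
    puzzle = construct(inputs, k)      # V -> P : Puzz(In, t, k)
    solution, _ = solve(puzzle)        # P -> V : S
    return verify(puzzle, solution)    # V outputs accept / reject


def beacon_nonce(beacon: bytes, inputs: bytes) -> bytes:
    """Nonce tied to a public randomness value (assumed 'beacon'), so a prover
    constructing its own puzzle cannot pick a nonce it has already solved."""
    return hashlib.sha256(b"beacon" + beacon + inputs).digest()[:16]


def verify_non_interactive(puzzle: Puzzle, solution: int, beacon: bytes) -> bool:
    """V's side of the explicit one-message protocol: check that the puzzle
    was derived from the beacon before checking the solution."""
    if puzzle.nonce != beacon_nonce(beacon, puzzle.inputs):
        return False
    return verify(puzzle, solution)


def non_interactive_round(inputs: bytes, k: int, beacon: bytes) -> bool:
    """Explicit one-message (P, V): P constructs from the beacon, solves, and
    sends (Puzz, S) together; V verifies both."""
    puzzle = construct(inputs, k, nonce=beacon_nonce(beacon, inputs))
    solution, _ = solve(puzzle)
    return verify_non_interactive(puzzle, solution, beacon)


def self_chosen_nonce_rejected(inputs: bytes, k: int, beacon: bytes) -> bool:
    """A puzzle whose nonce P chose itself (and so could have precomputed) is
    rejected by V even though its solution is formally valid."""
    puzzle = construct(inputs, k, nonce=b"self-chosen-nonce")
    solution, _ = solve(puzzle)
    return verify(puzzle, solution) and not verify_non_interactive(puzzle, solution, beacon)


if __name__ == "__main__":
    for k in (8, 12, 16):
        _, attempts = solve(construct(b"demo", k))
        print(f"k={k}: {attempts} hash evaluations (expected about {2 ** k})")
```

Each unit of k doubles the expected number of hash evaluations, so this scheme's difficulty is exponential-grained, while verification stays at a single hash whatever k is. In the one-message flow the verifier's first check is on the nonce, not the solution: a solution is only meaningful once the puzzle it answers is known to have been fixed by randomness the prover did not control.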
Implicit: In an implicit puzzle scheme, anyone, including the prover, can verify a correct solution without the participation of the puzzle issuer [63]. The verification is determined by the prover’s ability to carry out a particular task, such as decrypting a message using the key obtained from solving a time-lock puzzle [117]. An implicit puzzle scheme is considered as a special type of non-interactive puzzle scheme since it requires only one communication round.
The type of verification is determined by the specified application field. In particular, explicit verification is required when the solution is used as a proof to convince the verifier that the prover did solve the puzzle. This includes pricing puzzles used for DoS defense and cryptocurrencies, AI-hard puzzles used for Bot detection, timing puzzles used to produce uncheatable benchmarks, and delaying puzzles used to produce timestamps. Contrarily, the delaying puzzle used in time-release cryptography does not require explicit verification, since the solution reveals a key that is used to decrypt a ciphertext. The solution does not serve as a proof of work, but rather as a way to guarantee that the key is only obtained after a certain amount of computational time has passed.
Table 1. Categorization of puzzles.
Categorized by    Types
Application       Pricing function, Delaying function, Timing function, AI-hard function
Resource Type     CPU-bound, Memory-bound, Bandwidth-bound, Network-bound, Human-bound
Verification      Explicit, Implicit
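The time-release case just described, as an added example that is not code from the survey: a time-lock puzzle in the style of Rivest, Shamir and Wagner [117], written in Python. V constructs the puzzle cheaply using the trapdoor phi(n), P performs t sequential squarings to recover the key, and P alone runs Verify by decrypting and checking a tag, so no message returns to V. The Mersenne-prime modulus, the SHA-256 keystream and tag, and the names TimeLockPuzzle, construct, solve and open_puzzle are the example's own constructed choices, chosen so the demo runs quickly, not a recommended deployment.

```python
"""Time-lock puzzle (implicit one-message protocol): V constructs and sends,
P solves sequentially and verifies by decrypting. Added example, not code from
the paper; toy parameters are constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed toy modulus: both factors are Mersenne primes so the demo is
# fast and obviously correct. Real parameters need large random primes.
P = 2 ** 31 - 1
Q = 2 ** 61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)   # issuer's trapdoor: never leaves the issuer


@dataclass(frozen=True)
class TimeLockPuzzle:
    """Puzz(In, t, k): In is the sealed ciphertext, k the number of squarings."""
    n: int
    a: int            # base of the repeated squaring
    t: int            # number of sequential squarings the prover must do
    ciphertext: bytes
    tag: bytes        # lets the prover decide success/failure without the issuer


def _keystream(key: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(16, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def _tag(key: int, message: bytes) -> bytes:
    return hashlib.sha256(b"tag" + key.to_bytes(16, "big") + message).digest()


def construct(message: bytes, t: int, a: int = 2) -> TimeLockPuzzle:
    """Construct: knowing phi(n), the issuer gets K = a^(2^t) mod n with two
    modular exponentiations, whatever t is. The trapdoor is what keeps
    construction cheap while solving stays proportional to t."""
    key = pow(a, pow(2, t, PHI), N)
    ct = _xor(message, _keystream(key, len(message)))
    return TimeLockPuzzle(N, a, t, ct, _tag(key, message))


def solve(puzzle: TimeLockPuzzle, steps: Optional[int] = None) -> int:
    """Solve: t squarings, each depending on the previous result, so the work
    cannot be split across machines. steps != t models a prover that stops
    early or overshoots."""
    steps = puzzle.t if steps is None else steps
    key = puzzle.a % puzzle.n
    for _ in range(steps):
        key = key * key % puzzle.n
    return key


def open_puzzle(puzzle: TimeLockPuzzle, key: int) -> Optional[bytes]:
    """Prover-side Verify: decrypt and check the tag. Returns the message on
    success and None on failure; no message to the issuer is needed."""
    message = _xor(puzzle.ciphertext, _keystream(key, len(puzzle.ciphertext)))
    if not hmac.compare_digest(_tag(key, message), puzzle.tag):
        return None
    return message


if __name__ == "__main__":
    puzzle = construct(b"sealed bid: 42", t=20000)
    print(open_puzzle(puzzle, solve(puzzle)))
    print(open_puzzle(puzzle, solve(puzzle, puzzle.t - 1)))
```

The issuer's cost is independent of t because pow(2, t, PHI) reduces the exponent first; the prover has no such shortcut without the factorisation of n and must perform all t squarings in order. Stopping one squaring short yields a key whose tag does not match, which is the failure outcome of the implicit Verify.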
3 IDIOSYNCRATIC FEATURES
The fundamental requirement of a puzzle, as first introduced, is that it should be easy to verify but moderately hard to solve. With the evolution of puzzles in various security fields, many properties and desirable requirements were defined to form an effective puzzle. In the following, we list these properties and provide a brief description of each one. The first seven properties are the fundamental properties that define a puzzle, which are common among all types of puzzles, while the rest are essential for specific application fields, but not for all applications.
(1) Asymmetry:
is property describes the nature of a puzzle, as introduced by Dwork and
Naor [
44
]. e amount of work required by each party is asymmetric; it should be much
easier for the verier to produce a puzzle and verify a solution than for the prover to nd a
solution.
(2) Granularity and parameterization [44]:
ere should be proper parameters that could
be adjusted to allow the puzzle to scale with Moore’s law. e verier should be able to
exibly adjust the puzzle diculty according to the threat level against the underlying
, Vol. 1, No. 1, Article 1. Publication date: Unpublished.
Foundations, Properties, and Security Applications of Puzzles: A Survey 1:9
protected service. For instance, if the difference between two adjacent difficulty levels is large, then increasing the difficulty would add a huge workload on legitimate parties. Linear-grained puzzles have the highest density of difficulty levels, while exponential-grained puzzles have the lowest density.
(3) Amortization-Freeness [44]: The prover should not be able to produce multiple solutions with a cost equivalent to that of producing one solution.
(4) Independence [44] / Correlation-free [51]: Solving a puzzle or knowing the solution of previous puzzles does not help in solving others.
(5) Efficiency: This describes the efficiency of a puzzle measured in terms of cost and overhead introduced to both parties of the puzzle scheme, as follows:
(a) Low construction and verification cost: It is not enough to maintain a work gap between the verifier and the prover; the scheme must also avoid placing a burden on the verifier that subjects it to resource-exhaustion attacks.
(b) Stateless [65]: A stateless puzzle scheme does not require the verifier to store any information to be able to verify a solution, which is desirable in constrained environments.
(c) Memory-less [18]: A memory-less puzzle scheme does not require the verifier to access the main memory for verification. This property is desirable for memory-bound/hard schemes to enable fast verification and allow low-memory verifiers to participate in the scheme.
(d) Minimum interference [51]: The operations performed to solve a puzzle should not interfere with concurrently running applications.
(e) Minimum communication complexity [123]: Refers to the bandwidth and number of rounds required to exchange puzzles and solutions between the two parties. A puzzle scheme should have very low communication complexity and should not add significant traffic to the network.
(6) Unforgeability [34]: Initially introduced by Chen [34], the prover should be unable to forge a puzzle in a way that allows him to precompute the solution. The lack of this property makes the puzzle ineffective in many applications, such as mitigating DoS attacks.
(7) Freshness [50]: This property is also referred to as tamper-resistance by Feng et al. [50], which indicates that the puzzle's solution is not valid indefinitely and cannot be reused by other provers. In other words, the puzzle scheme should be resilient to replay and precomputation attacks.
(8) Uniqueness [50]: Having a unique solution for each puzzle is essential in contexts such as time-release crypto, since the solution is used as a key to decrypt the ciphertext.
(9) Puzzle fairness [2]: As defined by Abliz and Znati [2], the time required to solve a puzzle should be similar for all solvers regardless of their available resources (CPU, memory and bandwidth). This property eliminates the disparity problem between a powerful attacker and a legitimate prover.
(10) Non-parallelizability [117]: The puzzle can only be solved in sequential steps and cannot be solved in parallel using multiple machines. This property is necessary for achieving the timing effect and ensuring puzzle fairness. It ensures the effectiveness of a puzzle against high-end adversaries, who utilize parallel computing to solve the puzzle faster.
(11) Deterministic [30] (low cost variance): For delaying and timing puzzle schemes, such as time-lock puzzles [117], the number of operations performed to solve a puzzle should be deterministic in order to control the amount of computing time required. Other types of puzzles may have a probabilistic cost, where solving the puzzle has a predictable expected time but a random actual time. In general, lower variance in cost provides better control over the puzzle difficulty and assures puzzle fairness.
(12) Progress-free [18]: In applications such as cryptocurrencies, the scheme is required to have a random probability distribution, such that the probability of finding a solution is independent of the amount of effort already spent in solving the puzzle.
(13) Interactiveness [63]: A puzzle can be either interactive or non-interactive. The former requires the verifier to send the challenge (such as client puzzles against DoS), while the latter can be constructed without the need for the verifier's participation (such as PoWs used in blockchain systems).
(14) Publicly Verifiable [63]: In some non-interactive puzzle schemes, such as Hashcash, the verification can be performed by any other party without the participation of the puzzle issuer. This property is essential in decentralized systems, where any participant in the network can verify the solution without requiring a central authority or server.
(15) Trapdoor-based [44]: A trapdoor mechanism is used in some puzzles to lower the complexity of puzzle verification by storing secret information that significantly reduces the amount of time needed to solve the puzzle. This property may preclude public auditing, where the verifier has a conflict of interests, such as in web visit metering [51]. A trapdoor-free puzzle provides trust in decentralized systems, such as cryptocurrencies, by ensuring that the issuer has no advantage in solving the puzzle and cannot forge the proof.
4 APPLICATIONS
The idea of using moderately hard problems that are much easier to verify than to solve has long been investigated in various application fields. Puzzles are referred to, in the literature, as proofs-of-work (PoWs), timing functions, delaying functions, cost/pricing functions, AI-hard functions and CAPTCHAs. Each term is used to describe the application of a puzzle. Nevertheless, they all share the same property of being moderately hard to solve, so that a polynomial-time party is capable of finding a solution by dedicating a specific amount of resources. Most puzzles were first designed for a specific application; however, researchers are currently investigating the possibility of designing a multipurpose moderately hard function that can be applied in several security fields [4].
In this section, we review the significant applications of puzzles and categorize them based on the way a puzzle is used (as a pricing, delaying, timing or AI function). We also discuss the key requirements and the viability of each type in each application field. Given the findings of the study we have conducted on puzzles and their utilization in a wide range of application fields, we conclude that all types of puzzles should be asymmetric, parameterizable, amortization- and correlation-free, unforgeable, fresh, and efficient². For each application, there are specific requirements and properties that are not as important as in other fields. In addition, the level of efficiency in terms of construction cost and the granularity of the puzzle are relative to the application field, where the puzzle's effectiveness in some applications is restricted by the easiness of its construction, by the ability to finely tune its difficulty, or both. In Table 2, we present the key requirements for each application field.³
² Please refer to Section 3 for the description of each of the listed properties/requirements.
³ We highlight that Table 2 is derived based on the study we have conducted on the application aspect of puzzles, which includes a review and an analysis of the different construction schemes targeting the specified application fields, in addition to works that study the challenges faced by the employment of puzzles as a security mechanism in some application fields.
4.1 Pricing puzzles
The idea of pricing puzzles is to impose a cost for accessing services that can be easily abused by attackers. The requester of a service is charged with the amount of resources required to find the solution of a problem that is much harder to solve than to verify. In what follows, we present the different security fields in which pricing puzzles are applied and discuss the key requirements and viability of each.
4.1.1 Key agreement. The notion of 'puzzle' was first introduced by Merkle [90], in 1978, as a method for key agreement over insecure channels. The objective is to allow any two parties to agree on a secret key that will not be known to eavesdroppers. In this scenario, the protocol initiator plays the role of the verifier: he constructs a puzzle consisting of N encrypted keys and verifies the solution submitted by the other party (prover). The other party solves the puzzle by selecting one of the encrypted keys and decrypting it using brute force, then sending its ID to the verifier. Without knowing which key is mapped to that ID, an eavesdropper must decrypt the N keys at random until he encounters the correct one, which requires an effort of O(N²).
Unlike other puzzle schemes, Merkle's puzzle is required to be infeasible for any polynomial-time party. This requirement makes the method insecure; however, it offers the feature of workload adjustability. The puzzle issuer can control the solution cost by adjusting the difficulty parameter. This feature is exploited by several works to provide a lightweight pairwise key agreement protocol for resource-constrained environments, such as wireless sensor networks [111, 136] and low-energy Bluetooth devices [107].
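The exchange described above, carried through in working code as an added example (illustrative code written for this page, not Merkle's construction or any library's code): the verifier publishes N puzzles, each hiding an identifier and a session key under a key small enough to brute-force; the prover solves one puzzle and announces only the identifier; an eavesdropper, who does not know which ciphertext produced that identifier, must keep solving puzzles until one matches. The toy keystream (SHA-256 in counter mode), the TAG marker and the parameters N_PUZZLES and KEY_BITS are assumptions of the example. The returned work counts make the asymmetry concrete: the prover pays roughly one puzzle's brute force and the verifier a table lookup, while the eavesdropper pays on average N/2 brute-force searches.

```python
import hashlib
import os
import secrets
import struct

# Added example, not Merkle's original construction or any library's code.
# Keystream, message layout and the parameters below are assumptions.
N_PUZZLES = 64          # N encrypted keys published by the initiator (verifier)
KEY_BITS = 12           # each puzzle key lies in a 2**KEY_BITS space: cheap to brute-force once
TAG = b"MERKLE-PUZZLE"  # fixed marker so a solver can recognise a correct key guess


def keystream(puzzle_key: int, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode keyed by the small puzzle key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(struct.pack(">IQ", puzzle_key, counter)).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_puzzles(n: int = N_PUZZLES, key_bits: int = KEY_BITS):
    """Verifier: N ciphertexts, each hiding (id, session_key). Returns them plus
    the verifier's private id -> session_key table used for O(1) verification."""
    table, puzzles = {}, []
    for _ in range(n):
        puzzle_id = secrets.randbits(32)
        while puzzle_id in table:               # ids must be distinct
            puzzle_id = secrets.randbits(32)
        session_key = os.urandom(16)
        table[puzzle_id] = session_key
        plaintext = TAG + struct.pack(">I", puzzle_id) + session_key
        puzzle_key = secrets.randbelow(1 << key_bits)
        puzzles.append(xor(plaintext, keystream(puzzle_key, len(plaintext))))
    return puzzles, table


def brute_force(ciphertext: bytes, key_bits: int = KEY_BITS):
    """Try every candidate key in order; return (id, session_key, tries)."""
    for tries, k in enumerate(range(1 << key_bits), start=1):
        pt = xor(ciphertext, keystream(k, len(ciphertext)))
        if pt.startswith(TAG):
            puzzle_id = struct.unpack(">I", pt[len(TAG):len(TAG) + 4])[0]
            return puzzle_id, pt[len(TAG) + 4:], tries
    raise ValueError("no key in the given key space")


def prover_solve(puzzles, key_bits: int = KEY_BITS):
    """Prover: pick ONE puzzle at random, solve it, announce only its id."""
    chosen = puzzles[secrets.randbelow(len(puzzles))]
    return brute_force(chosen, key_bits)        # (announced_id, session_key, work)


def eavesdropper(puzzles, announced_id: int, key_bits: int = KEY_BITS):
    """Eavesdropper: sees the id but not which ciphertext it came from, so it must
    keep brute-forcing puzzles until one yields that id. Returns (key, total work)."""
    total = 0
    for ct in puzzles:
        puzzle_id, session_key, tries = brute_force(ct, key_bits)
        total += tries
        if puzzle_id == announced_id:
            return session_key, total
    raise ValueError("announced id matches no puzzle")


def run_protocol(n: int = N_PUZZLES, key_bits: int = KEY_BITS) -> dict:
    """One full run: agreement succeeds, and the work gap is N-fold on average."""
    puzzles, table = build_puzzles(n, key_bits)
    announced_id, prover_key, prover_work = prover_solve(puzzles, key_bits)
    verifier_key = table[announced_id]          # table lookup, no brute force at all
    eve_key, eve_work = eavesdropper(puzzles, announced_id, key_bits)
    return {"agreed": prover_key == verifier_key,
            "eve_recovers": eve_key == verifier_key,
            "prover_work": prover_work, "eve_work": eve_work}


if __name__ == "__main__":
    print(run_protocol())
```

Because the eavesdropper can always recover the key given enough work, the scheme is only as strong as the N-fold gap; that is the sense in which the text calls the method insecure yet workload-adjustable, with KEY_BITS and N_PUZZLES as the tuning knobs.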
4.1.2 Spam Defense. In 1992, Dwork and Naor [44] suggested using puzzles as an access control mechanism. They introduced the concept of pricing functions that increase the cost of sending emails in order to mitigate spam. Their approach is fundamentally an economic one, in which the processing time dedicated to solving the puzzle is a finite resource. Therefore, spammers are limited to the amount of computing resources they can afford, which prevents them from sending emails in bulk.
It is a non-interactive explicit puzzle scheme, where the prover is the sender of an email and the verifier is the recipient. The sender is required to construct the puzzle using time, destination, and message as input parameters, then find a solution and send it along with the email. The recipient verifies the attached solution and accepts the email only if the solution is valid.
In 1997, Back [10] rediscovered the idea and implemented the Hashcash system, which was originally intended for spam and DoS defense and is currently used in Bitcoin [98]. Hashcash is a non-interactive trapdoor-free proof-of-work scheme that has an unbounded probabilistic solution cost.
Requiring a puzzle for each email would not only disincentivize spammers but also prevent legitimate mass mailing, since it requires a significant expenditure of resources. To solve this problem, Dwork and Naor [44] introduced the idea of a trapdoor-based puzzle, which is much easier to compute given some secret information. Legitimate bulk mail can only be sent cheaply by a centralized trusted authority that holds the secret information. While Hashcash is a decentralized solution that provides better efficiency and resiliency against precomputation attacks, it does not solve the legitimate mass mailing problem. Nevertheless, it has been deployed in several projects including SpamAssassin⁴ and Penny Post⁵.
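To make the non-interactive flow concrete, the following added example (written for this page, not Hashcash's own code) mints and checks a stamp in the Hashcash v1 string layout `ver:bits:date:resource:ext:rand:counter`, hashed with SHA-1. The freshness window, the in-memory double-spend set and the policy checks are assumptions of the example; a real recipient persists its double-spend database. The sender's cost is about 2^bits hashes, the recipient's a single hash, and the time and destination fields are what give the stamp freshness and bind it to one recipient.

```python
import base64
import hashlib
import os
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Added example, not Hashcash's own code. The stamp layout follows the Hashcash v1
# string format; the freshness window and in-memory double-spend set are assumptions.
FRESHNESS = timedelta(days=2)   # assumption: maximum accepted stamp age


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits of a digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint(resource: str, bits: int, when: Optional[datetime] = None) -> str:
    """Sender side: increment a counter until SHA-1(stamp) has `bits` leading zero bits.
    Expected cost is 2**bits hashes; the recipient will spend one."""
    when = when or datetime.now(timezone.utc)
    date = when.strftime("%y%m%d")
    rand = base64.b64encode(os.urandom(9)).decode()      # per-stamp randomness
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


class StampVerifier:
    """Recipient side: checks resource, claimed cost, freshness, actual work and reuse."""

    def __init__(self, my_address: str, min_bits: int, now: Optional[datetime] = None):
        self.my_address = my_address
        self.min_bits = min_bits
        self.seen = set()        # double-spend database (persisted in practice)
        self.now = now           # injectable clock, None means wall clock

    def verify(self, stamp: str) -> Tuple[bool, str]:
        parts = stamp.split(":")
        if len(parts) != 7 or parts[0] != "1":
            return False, "malformed"
        try:
            bits = int(parts[1])
            minted = datetime.strptime(parts[2], "%y%m%d").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed"
        if parts[3] != self.my_address:
            return False, "wrong resource"          # stamp minted for someone else
        if bits < self.min_bits:
            return False, "claimed bits below policy"
        now = self.now or datetime.now(timezone.utc)
        if not (now - FRESHNESS <= minted <= now + timedelta(days=1)):
            return False, "stale"                   # freshness bounds precomputation
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
            return False, "insufficient work"
        if stamp in self.seen:
            return False, "double spend"            # same stamp presented twice
        self.seen.add(stamp)
        return True, "ok"


def demo() -> dict:
    """Constructed walk-through with a fixed clock; returns each check's outcome."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    me = "alice@example.com"                         # constructed sample address
    recipient = StampVerifier(me, min_bits=12, now=now)
    fresh = mint(me, 12, when=now)
    return {
        "fresh": recipient.verify(fresh),
        "replayed": recipient.verify(fresh),
        "wrong_resource": recipient.verify(mint("bob@example.com", 12, when=now)),
        "stale": recipient.verify(mint(me, 12, when=now - timedelta(days=30))),
        "too_cheap": recipient.verify(mint(me, 8, when=now)),
    }


if __name__ == "__main__":
    print(demo())
```

The cheap checks (format, resource, claimed bits, date) run before the hash, so a flood of malformed stamps costs the recipient almost nothing, and the stamp is recorded in the double-spend set only after every other check has passed.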
Key Requirements
To be applied as an anti-spam mechanism, a puzzle scheme should not incur a significant burden on legitimate parties. It should be efficient and non-interactive to avoid requiring the recipient to interact with the sender before receiving an email. It should also consider the sharp disparities across computer systems, as observed by Abadi et al. [1], that could make the scheme ineffective against powerful spammers with powerful hardware yet restrictively slow for legitimate clients with regular personal computers. They suggest using memory-bound puzzles because memory access speeds differ significantly less than processor speeds. Further developments on memory-bound puzzles in spam defense are proposed in [43, 45] and discussed in Section 5.2.
⁴ https://spamassassin.apache.org
⁵ http://pennypost.sourceforge.net/PennyPost
Viability
Laurie and Clayton [73] analyzed the viability of pricing puzzles as an anti-spam mechanism and concluded that a universal scheme where every email carries a fixed-cost puzzle is impractical for two reasons. First, a significant proportion of legitimate users are also affected by the added cost, preventing them from accessing the service. Second, malicious users can steal CPU cycles by accessing insecure machines, using someone else's resources to solve puzzles. Instead, they suggest combining puzzles with other techniques, such as whitelists, to vary the hardness of the puzzle and reduce the burden on legitimate senders. They also suggest using human-bound puzzles, such as CAPTCHAs [128], which are presumably more difficult to steal. On the other hand, several research papers have demonstrated the feasibility of pricing puzzles against spam when used in parallel with other techniques, such as reputation systems [81].
4.1.3 DoS Defense. Client puzzles are a type of pricing puzzle used to defend against denial of service (DoS) attacks, namely resource depletion attacks that prevent the victim from processing legitimate requests for a service in a server-client setting. Before allocating any resources for a given request, the server requires the client to commit a portion of its resources by solving a puzzle. Requests that do not include a correct solution are dropped. Legitimate clients may experience a degradation in service; however, attackers are unable to send a large number of requests simultaneously due to the time delay introduced by the puzzle.
The two key features of a puzzle that qualify it as an anti-DoS mechanism are workload adjustability and asymmetry. The former allows the server to tune the difficulty level of the puzzle according to the current threat level, by initially setting it to zero when there are no attacks and increasing it as the intensity of the attacks increases. The latter shifts the workload from the server to the client, as it is much easier for the server (verifier) to construct and verify a puzzle than for the client (prover) to solve the puzzle.
The first construction scheme of client puzzles was proposed by Juels and Brainard [65] as a countermeasure to connection depletion attacks. Aura et al. [9] later improved and generalized the design of the puzzle to employ it in any authentication protocol. Many construction schemes have been subsequently proposed to protect various types of services, including network IP and TCP channels [50, 89, 101, 133, 134], TLS [39, 102], capability-granting channels [104], and key agreement protocols [120]. Despite the various techniques used by these construction schemes, they all must satisfy the fundamental properties described by Feng et al. [50].
Key Requirements
For a puzzle to be applied in DoS defense, it should be efficient enough to guarantee the availability of the puzzle distribution service and avoid subjecting the scheme itself to a DoS attack. It should be resilient to precomputation attacks, where the puzzle solution indicates that the computational effort was recently spent. Furthermore, robust authentication mechanisms must be employed to prevent attackers from spoofing puzzles and disabling the server by falsely triggering the puzzle mechanism against it [49].
The granularity of the puzzle, which represents the density of difficulty levels, should be high in order to allow the server to finely control the amount of computational effort spent by the client. Finally, forcing all clients to solve puzzles before allowing access is crucial to mitigate the attack; however, not all clients have the same capabilities. Therefore, the scheme must also consider low-power clients and adjust the level of puzzle complexity to match the client's capabilities in order to achieve puzzle fairness [49].
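One way to meet the stateless-verifier, unforgeability and freshness requirements together is to derive the puzzle nonce from a server secret, so that nothing is stored per client between issuing and checking a puzzle. The code below is an added example for this page, not the code of [65], [9] or any other cited scheme; it loosely follows the hash-reversal client puzzles of Juels and Brainard and of Aura et al. The field layout, the load-to-difficulty policy, the validity window and the bounded replay cache are assumptions of the example. `difficulty_for_load` returns 0 bits when the server is idle, so clients pay nothing when there is no attack; each additional bit doubles the client's expected work while the server's check stays at one HMAC and one hash.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Added example, not the code of any cited scheme. Layout, policy, window and
# replay cache are assumptions; the structure loosely follows Juels-Brainard / Aura et al.
WINDOW = 60        # seconds an issued puzzle stays valid (assumption)
HASH_BITS = 256


def meets_difficulty(digest: bytes, k: int) -> bool:
    """True if the first k bits of the SHA-256 digest are zero (k = 0 always passes)."""
    return k == 0 or int.from_bytes(digest, "big") >> (HASH_BITS - k) == 0


def difficulty_for_load(load_pct: int) -> int:
    """Policy (assumption): no puzzle below 50% load, then one more bit per 10% above it."""
    if load_pct < 50:
        return 0
    return min(20, (load_pct - 50) // 10 + 1)


def puzzle_digest(nonce: bytes, client_nonce: bytes, x: int) -> bytes:
    return hashlib.sha256(nonce + client_nonce + x.to_bytes(8, "big")).digest()


class PuzzleServer:
    def __init__(self, secret: Optional[bytes] = None, clock=time.time):
        self.secret = secret or os.urandom(32)
        self.clock = clock
        self.load_pct = 0
        self.accepted = {}       # replay cache: accepted solution -> expiry time

    def _nonce(self, client_id: str, ts: int, k: int) -> bytes:
        # Stateless: the nonce is recomputed from the secret, never stored.
        msg = f"{client_id}|{ts}|{k}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def issue(self, client_id: str) -> Tuple[int, int, bytes]:
        """Hand out (ts, k, nonce); k == 0 means 'no puzzle required right now'."""
        ts = int(self.clock())
        k = difficulty_for_load(self.load_pct)
        return ts, k, self._nonce(client_id, ts, k)

    def verify(self, client_id: str, ts: int, k: int, nonce: bytes,
               client_nonce: bytes, x: int) -> Tuple[bool, str]:
        now = int(self.clock())
        if not (now - WINDOW <= ts <= now + 5):
            return False, "expired"                 # freshness window
        if not hmac.compare_digest(self._nonce(client_id, ts, k), nonce):
            return False, "forged puzzle"           # client cannot mint its own nonce
        if k < difficulty_for_load(self.load_pct):
            return False, "difficulty raised"       # load went up: solve a harder one
        if not meets_difficulty(puzzle_digest(nonce, client_nonce, x), k):
            return False, "wrong solution"
        self.accepted = {s: exp for s, exp in self.accepted.items() if exp > now}
        key = (nonce, client_nonce, x)
        if key in self.accepted:
            return False, "replayed"
        self.accepted[key] = ts + WINDOW            # cache size is bounded by the window
        return True, "ok"


def solve(nonce: bytes, k: int) -> Tuple[bytes, int]:
    """Client side: brute-force x; expected 2**k hashes against one on the server."""
    client_nonce = os.urandom(8)
    x = 0
    while not meets_difficulty(puzzle_digest(nonce, client_nonce, x), k):
        x += 1
    return client_nonce, x
```

The replay cache is the one piece of state the server keeps, and only for solutions accepted inside the window; issuing puzzles itself stores nothing, which is what keeps the puzzle distribution service from becoming a new exhaustion target.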
Viability
The main challenge faced in deploying puzzles as a DoS countermeasure is determining and setting the appropriate difficulty level that limits the abilities of attackers but not legitimate parties. From an economic perspective, the effectiveness of a pricing puzzle can only be achieved when the amounts of work required from legitimate clients and attackers differ significantly [73]. The construction scheme must identify and discriminate against known malicious behavior [49]. Most client puzzle schemes set the difficulty based on a single metric, such as the load on the system [39, 65, 104], the rate at which the client sends requests [50, 66], or the level of demand for the service [133, 134]. However, using a single metric has been proven to be insufficient [56], as it provides clients weak access guarantees at high per-request overhead.
The viability of client puzzles remains an open question. Issues such as constructing puzzles efficiently while ensuring non-parallelizability, adjusting the puzzle difficulty to prevent subversion while maximizing server utilization, and attaining equitable fairness must all be addressed to incentivize its deployment.
4.1.4 P2P Systems and Cryptocurrencies. In the context of decentralized systems, pricing puzzles are used to address various security issues including Sybil [42] and collusion [112] attacks, achieving consensus in a Byzantine setting, and incentivizing correct behaviour by requiring participants to submit a puzzle solution that serves as a proof-of-work and then rewarding them for participation. This type of puzzle is utilized by important applications in creating decentralized cryptocurrencies, such as the recent systems Bitcoin [98], Ethereum [137], and Litecoin [76], or prior schemes such as the Micromint system of Rivest and Shamir [116].
Decentralized dynamic systems are highly vulnerable to the Sybil attack [42], whereby the attacker exploits the low cost of forging multiple identities, which allows him to control a substantial fraction of the system and execute further attacks to subvert it. Pricing puzzles have long been investigated as a decentralized Sybil defense mechanism in a variety of p2p network settings and overlays, including structured [7, 24, 78, 118] and unstructured [98, 137] overlays. The idea is to impose a computational cost on maintaining an identity within the system, hence limiting the proportion of Sybil nodes to the proportion of resources that an adversary can control per time unit.
In p2p identity systems, such as SybilControl [78], the puzzle is used as a distributed admission control mechanism that grants nodes the permission to join and stay functional in the system. In this protocol, all nodes are required to periodically solve a unique puzzle and collectively verify the solutions of other nodes. If a node fails to compute the puzzle within the specified time interval, its identity gets revoked.
Decentralized cryptocurrencies, such as Bitcoin [98] and Ethereum [137], utilize pricing puzzles to achieve several goals at once. They exploit the scarcity and uniqueness provided by pricing puzzles to create economic value and mint cryptocurrency. More importantly, they use the pricing puzzle as a key component in the blockchain protocol to achieve consensus and prevent double spending [100].
Blockchain is described as a cryptographic data structure in which a transaction ledger, shared and agreed on by all nodes of the network, is recorded. Compared with the original design of identity pricing puzzle schemes [7, 24], the puzzle in a blockchain network is not used in the identity verification of participating peers. Instead, the peers are expected to collectively verify puzzle solutions broadcast by other peers in order to determine whose block will be considered as the next block in the chain. The Sybil and double-spending attacks are mitigated by associating a computational cost to the process of adding a block to the chain. A comprehensive survey of the consensus protocol design and the effects of blockchain networks is presented by Wang et al. [132].
The cryptocurrency is created by nodes, known as 'miners', through a process that involves processing a block of transactions and finding a solution to a pricing puzzle that makes the block valid. Once a miner solves the puzzle, it broadcasts the proposed block to all other nodes, and receives a reward only if the block is accepted by the majority of nodes. The validation of that block is done independently by each node in the network, which includes verifying the puzzle solution and the correctness of each transaction within the block. Miners are incentivized to act honestly, since incorrect puzzle solutions would result in the rejection of the block by the majority of nodes, hence losing the reward and wasting the effort spent in solving the puzzle. Further technical details on Bitcoin and digital currencies are presented in [126].
The rate at which blocks are appended to the ledger is determined by the difficulty of the puzzle. It is adjusted such that it is hard enough for an adversary to interfere and alter the system, but easy enough for miners to construct new blocks and unify their views of the public ledger. The robustness of the consensus protocol relies on the assumption that more than 51% of the computational resources are possessed by honest participants who follow the longest chain rule. Formal analyses of blockchain's security under different network assumptions appear in [54, 55, 94, 105].
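The block-appending loop and the difficulty adjustment just described, reduced to a runnable toy as an added example (not Bitcoin's or any project's code). The header layout, SHA-256 over a canonical JSON encoding, the target arithmetic and the retarget rule (every RETARGET_EVERY blocks, scaled by observed over expected time and clamped to a factor of four) are simplified assumptions. Two points from the text carry over: any node verifies a block with one hash for the work and one for the link to the previous block, and expressing difficulty as a numeric target rather than a count of leading zero bits gives the fine-grained adjustment the consensus rule needs.

```python
import hashlib
import json
import time
from typing import Dict, List, Tuple

# Added example, not Bitcoin's or any project's code. Header layout, hashing,
# target arithmetic and the retarget rule are simplified assumptions.
MAX_TARGET = 1 << 248        # easiest permitted target (assumption; 1 in 256 hashes succeed)
RETARGET_EVERY = 4           # blocks per difficulty adjustment (Bitcoin uses 2016)
TARGET_SPACING = 0.05        # desired seconds per block (assumption, tiny for a demo)


def block_hash(header: Dict) -> int:
    """SHA-256 of the canonical header, read as an integer for target comparison."""
    data = json.dumps(header, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def mine(header: Dict, target: int) -> Dict:
    """Miner: try nonces until H(header) < target. Each trial is independent
    (progress-free), so past effort buys nothing for the next trial."""
    header = dict(header, nonce=0)
    while block_hash(header) >= target:
        header["nonce"] += 1
    return header


def verify_block(header: Dict, prev: Dict, target: int) -> bool:
    """Any node: one hash for the work plus one for the link to the previous block."""
    return header["prev_hash"] == block_hash(prev) and block_hash(header) < target


def retarget(target: int, actual_span: float, expected_span: float) -> int:
    """Scale the target by observed/expected time, clamped to a 4x move per period.
    Blocks came too fast -> smaller target (harder); too slow -> larger (easier)."""
    ratio = max(0.25, min(4.0, actual_span / expected_span))
    return min(MAX_TARGET, int(target * ratio))


def build_chain(n_blocks: int, clock=time.time) -> Tuple[List[Dict], List[int]]:
    """Mine n_blocks after a genesis block; targets[i] is the target block i+1 must meet."""
    genesis = {"height": 0, "prev_hash": 0, "txs": [], "time": clock(), "nonce": 0}
    chain, target, targets = [genesis], MAX_TARGET, [MAX_TARGET]
    for h in range(1, n_blocks + 1):
        header = {"height": h, "prev_hash": block_hash(chain[-1]),
                  "txs": [f"tx-{h}"], "time": clock()}      # constructed sample txs
        chain.append(mine(header, target))
        if h % RETARGET_EVERY == 0:
            span = chain[-1]["time"] - chain[-RETARGET_EVERY - 1]["time"]
            target = retarget(target, span, RETARGET_EVERY * TARGET_SPACING)
        targets.append(target)
    return chain, targets


if __name__ == "__main__":
    chain, targets = build_chain(8)
    ok = all(verify_block(chain[i], chain[i - 1], targets[i - 1]) for i in range(1, len(chain)))
    print("chain valid:", ok, "final target bits:", targets[-1].bit_length())
```

Changing any transaction in an old block changes that block's hash, which breaks the `prev_hash` link of every later block; re-establishing the chain means redoing all of that work, which is the computational cost the text associates with altering the ledger.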
Key Requirements
Efficiency is one of the key requirements for a puzzle scheme to be applied in dynamic decentralized P2P systems. The puzzle should be easy to construct and verify, stateless, and compact in order to provide scalability for the underlying protocol. Given the lack of a trusted third party in such environments, the puzzle should be non-interactive, trapdoor-free, and publicly verifiable. Any node in the network should be able to efficiently verify the puzzle solution of any other node without access to a trapdoor or any secret information. The trapdoor-free property is essential to provide trust in the system.
The freshness property of the puzzle should be ensured at the execution phase [132]. In particular, the puzzle solution should be non-reusable and unpredictable, such that the computational work is guaranteed and the proof is unforgeable. Furthermore, fairness should be ensured, such that the probability of finding a solution is directly proportional to the computational power of the node at any given time. This is crucial for cryptocurrencies, since solving the puzzle has an economic value. Finally, the hardness of the puzzle should be adjustable in order to adapt to the changing scale and settings of the p2p network.
Viability
Notably, the most impactful application of pricing puzzles to date is in the implementation of permissionless p2p systems, namely, emerging blockchain technologies. Although examples such as Bitcoin and Ethereum demonstrate the success of pricing puzzles in practice, several concerns are raised by the research community regarding the stability of these systems [23], the high power consumption [85] and the wastage of resources, which increases proportionally to the system's popularity [48]. Furthermore, the parallelizable nature of the utilized puzzle schemes allows nodes to increase their voting power by using customized hardware (such as ASICs) that solves the puzzle substantially faster. This development in hardware subverts the pricing puzzle approach and implies several threats. In particular, it diminishes the democratic value of decentralized cryptocurrencies by suppressing low-end nodes [126], and enables powerful nodes to collude and alter the system [47]. Several puzzle schemes have been proposed to address these issues, including ASIC-resistant puzzles [18, 115], non-outsourceable puzzles [93], useful puzzles [12, 92], and eco-friendly puzzles [19, 46].
4.2 Delaying and Timing puzzles
The timing feature of a puzzle is exploited by several schemes either to slow down attackers, to lock resources for a precise amount of time, or to measure the time spent accessing a resource. Unlike pricing schemes, delaying and timing schemes are concerned with making CPU time and real time agree with an approximate precision. They achieve this by using inherently sequential problems that have a deterministic solution cost. It is important to note that the solution time of these puzzles is only approximately controllable, since different computer systems operate at different speeds. In what follows, we discuss the different application fields of these types of puzzles.
4.2.1 Uncheatable Benchmarks and Auditable Metering. The first proposal in designing a puzzle that requires solving an inherently sequential problem seems to appear in the application of hardware benchmarking in 1993 by Cai et al. [30, 31]. The idea is to validate the performance of specific hardware by having it compute a puzzle that reflects its computation power. The asymmetry feature provided by puzzles allows customers with low-end machines to verify the benchmark of high-end computer vendors. A customer provides the hardware vendor with a puzzle; the vendor finds a solution and submits it as a verification of the claimed hardware performance. The customer then verifies the puzzle and checks that the solution time is indeed within the claimed bound. The soundness of the puzzle scheme would guarantee that the vendor could not cheat by optimizing or modifying his code.
Franklin and Malkhi [51] proposed the idea of metering client accesses via a timing puzzle. They presented a lightweight solution to the problem of forged client website visits. The timing puzzle requires an incremental amount of computation, which makes forging a large number of client visits expensive and time-consuming. The solution of the puzzle serves as evidence that a specific amount of time has passed. At each webpage visit, the client is asked to compute a timing function that requires performing repeated hashing incrementally until the end of the visit. The result is then sent to an auditing proxy which verifies its correctness. The main drawback of their construction scheme is the requirement of reconstructing the puzzle for accurate verification, which was later addressed by Chen and Mao [33].
Key Requirements
In addition to being non-parallelizable and deterministic, a timing puzzle must provide the ability to apply it incrementally to reflect the actual continuous time being spent. The solver should be able to produce extendable solutions, where the puzzle difficulty is not set in advance but grows with the time spent computing it. Forging access duration or performance records should require a known amount of resources that increases proportionally to the amount of forgery. For public auditing, the puzzle should be trapdoor-free, so that there is no shortcut available for the prover to find a solution with fewer resources.
Viability
Timing puzzles may be considered an unreliable metering method due to the existence of several uncontrollable factors that may affect the accuracy of real-time measurement, including network delay, bandwidth, and computational power [21]. Moreover, the existing timing puzzle schemes only offer lightweight security, requiring precise limits on the adversary's processing speed.
4.2.2 Time-Release Cryptography and Time-stamps. The idea of time-release cryptography is to "send data into the future" by encrypting a message that can only be decrypted after a pre-defined amount of time has passed. In 1996, Rivest et al. [117] implemented this idea using time-lock puzzles, which can be applied to delay sealed-bid auctions, digital cash payments, and key escrow. They have also been proposed for other applications such as enabling offline submission [64], providing pseudonymous secure computation [69], constructing a two-round concurrent non-malleable commitment [80], and supporting digital forgetting [5].
A time-lock puzzle is a cryptographic primitive that allows locking data, making it accessible only after a certain delay. It is an implicit trapdoor-based puzzle scheme, where the solution reveals the key that decrypts the encrypted data. In [117], the puzzle issuer selects the desired time delay and constructs a modular exponentiation puzzle that can only be solved by performing t modular squaring operations sequentially. The number of squaring operations can be exactly controlled, hence providing the ability to finely tune the difficulty of the puzzle. The verification is not explicitly required; however, it can be done more efficiently by anyone who can access the trapdoor which is created in the construction phase.
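The construction of [117] carried through as an added example (illustrative code for this page, not the authors' implementation): the issuer, who knows the factorisation of n and hence φ(n), reduces the exponent 2^t modulo φ(n) and obtains the key with a single modular exponentiation, whereas the solver, who knows only (n, a, t), must perform the t squarings one after another. The toy primes, the SHA-256 key derivation and the XOR encryption are assumptions of the example; a real deployment uses RSA-size primes and an authenticated cipher.

```python
import hashlib
from math import gcd
from typing import Dict, Tuple

# Added example of a Rivest-Shamir-Wagner style time-lock puzzle, not the authors'
# code. Toy primes, SHA-256 key derivation and XOR encryption are assumptions.


def _key_from(b: int, n: int) -> bytes:
    return hashlib.sha256(b.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


def generate_puzzle(message: bytes, t: int, p: int, q: int) -> Dict:
    """Issuer: with the trapdoor phi(n), the key costs one pow(), not t squarings."""
    assert len(message) <= 32, "toy cipher keys only 32 bytes"
    n, phi = p * q, (p - 1) * (q - 1)
    a = 2
    while gcd(a, n) != 1:
        a += 1
    e = pow(2, t, phi)            # trapdoor shortcut: 2^t reduced mod phi(n)
    b = pow(a, e, n)              # equals a^(2^t) mod n by Euler's theorem
    key = _key_from(b, n)
    ciphertext = bytes(m ^ k for m, k in zip(message, key))
    return {"n": n, "a": a, "t": t, "ciphertext": ciphertext}   # phi(n) stays secret


def solve_puzzle(puzzle: Dict) -> Tuple[bytes, int]:
    """Solver: without phi(n), the only known route is t sequential modular squarings."""
    n, a, t = puzzle["n"], puzzle["a"], puzzle["t"]
    b, squarings = a % n, 0
    for _ in range(t):
        b = (b * b) % n           # each step needs the previous result: no parallel speed-up
        squarings += 1
    key = _key_from(b, n)
    message = bytes(c ^ k for c, k in zip(puzzle["ciphertext"], key))
    return message, squarings


if __name__ == "__main__":
    # Constructed demo values: two 20-bit primes and t = 10000 squarings.
    puzzle = generate_puzzle(b"sealed bid: 42", t=10_000, p=1_000_003, q=1_000_033)
    print(solve_puzzle(puzzle))
```

The squaring count returned by `solve_puzzle` is exactly t, which is the deterministic cost the text refers to; what t corresponds to in wall-clock time still depends on the solver's per-squaring speed, which is the precision limit discussed under Viability below.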
Inspired by time-lock puzzles, Mahmoody et al. [87] introduced the concept of proof of sequential work (PoSW), an explicit time-lock puzzle scheme which enables the solver to prove that a specific number of computation steps was performed sequentially on a given challenge. The solution of the puzzle is publicly verifiable and indicates that an approximate number of time units have passed since receiving the puzzle. They propose using PoSW to produce relative timestamps for documents, whereby a timestamp d of a document at time T proves the existence of that document at time T − d. A stamper specifies the desired duration d, then constructs and solves the puzzle using the document as an input parameter. The verifier then checks the validity of the timestamp by verifying the solution of the puzzle.
Further developments on such construction schemes have been proposed to provide better efficiency [35] and uniqueness [108]. Uniqueness is important to guarantee that the solver cannot produce multiple solutions at the same cost as one. Boneh et al. [22] study the problem of constructing delaying puzzles, which they refer to as 'verifiable delay functions', and present further applications of such puzzles, including randomness beacons, proofs of replication and resource-efficient blockchains.
Key Requirements
The key requirements for such applications are non-parallelizability and hardware-independence. The solution time should not depend on the amount of hardware being used. A solver who invests heavily in hardware, namely parallel computing, should not be able to find a solution substantially faster than the pre-determined time. Finally, the time required to construct and verify the puzzle should be much less than the solution time.
Viability
The main challenge that may hinder the deployment of a delaying puzzle in a specific application is the requirement of exact guarantees on timing precision, which cannot be achieved due to variations in the speed of individual computers. For other settings where no trusted third party is available, the puzzle construction schemes proposed in [117] are unsuitable, since generating the puzzle requires knowing the (secret) puzzle solution in advance and verification requires accessing a trapdoor. Although the schemes proposed in [35, 87] provide public verifiability, their security is only proved in the random oracle model and the uniqueness of the produced solution is not guaranteed.
4.3 AI-hard puzzles
AI-hard puzzles, widely known as CAPTCHAs, are intended to ensure the presence of a human
in a communication channel by using hard AI problems that dierentiate between humans and
bots. ey are puzzles that are easy-to-solve for humans but hard-to-solve for automated computer
programs. In the following, we present the main security elds in which human-bound puzzles are
used and discuss their key requirements.
4.3.1 Bot Detection in Web-based Services. The first to suggest using a reverse Turing test for verifying that a human is the one requesting a service over the web was Naor [99] in 1996. Several practical examples were then proposed and developed [11, 79, 109]. In 2000, Von Ahn et al. [20] introduced the notion of a CAPTCHA and provided a formal framework that models it as a hard AI problem in [128]. A CAPTCHA can be considered as a trapdoor-based explicit puzzle scheme whose difficulty is based on an AI problem that can only be solved by a human. A typical CAPTCHA puzzle is constructed by first generating a random target solution, such as a text or an image, and then applying distortion techniques to that solution in order to make it hard for computers to solve the puzzle. The target solution, which is generated in the construction phase, is later used by the verifier to check the correctness of the solution submitted by the prover.
CAPTCHAs are used by Google and many other popular web-based services to mitigate abuse caused by malicious bot programs masquerading as humans. Such abuse includes automated account registration, password guessing attacks, systematic database mining, and massive voting in polls. Before being able to access the service, a client is required to prove that he is a human by solving a given instance of the puzzle. The human feature provided by this type of puzzle slows attackers down and prevents them from sending a large number of fake requests generated by automated programs.
Many variations of construction schemes exist in the literature which are based on different AI problems, including reading distorted text [129], audio recognition [74, 91], human face recognition [57], and emergent-image recognition [52]. A comprehensive review of the different categories and sub-applications of CAPTCHA is presented by Hidalgo and Alvarez [60]. Despite the many variations of AI-hard puzzles, such schemes are based on the hypothesis that the underlying AI problem cannot be solved by the adversary's machine more accurately than what is currently known in the AI field [128].
Key Requirements.
To provide both practicality and usability, the puzzle should be easy to construct for the puzzle generator machine and easy to solve for the human solver. Humans should be able to solve the puzzle effortlessly with a negligible error rate. The hardness of the puzzle should be adjustable such that both robustness and usability are guaranteed even with the advance of technology. The best known programs for solving the underlying AI-hard problem should fail on a non-negligible portion of the puzzles, despite the method of constructing the puzzle instances being known [99]. Finally, the puzzle scheme should be fair, in that it does not discriminate against disabled people, and should involve different sensory abilities, including hearing and vision.
Viability.
The main issue that faces the deployment of AI-hard puzzles in web-based services is setting the appropriate difficulty that ensures both resistance against machine-learning attacks and human usability. The same distortion methods used to make the puzzle unsolvable by machines can also significantly degrade human usability [140]. CAPTCHAs are often hard for humans to solve due to a number of demographic factors such as age, language, and education [29]. Furthermore, this type of puzzle fails to recognize people with visual and hearing impairments as humans, which prevents them from accessing the underlying protected web service [60]. These usability issues may drive customers to abandon services that deploy CAPTCHAs, resulting in financial losses for those companies.
Although many construction schemes have been successfully attacked using machine-learning techniques [28, 95, 138, 139], a significant gap between human intelligence and the current artificial intelligence still exists. However, this does not ensure the security and effectiveness of the puzzle scheme, as it is still vulnerable to human relay attacks, whereby the puzzle is outsourced to paid human solvers [37]. Motoyama et al. [97] analyzed the behavior and dynamics of CAPTCHAs from an economic perspective. They conclude that CAPTCHA is a low-impact mechanism that reduces the attacker's profitability, hence minimizing the cost and legitimate-user impact of more expensive secondary defenses. However, CAPTCHAs may be ineffective in scenarios where the profit gained from launching the attack is much greater than the cost associated with paying humans to solve the puzzle.
4.3.2 Decentralized Cryptocurrencies. Recently, Blocki and Zhou [19] introduced the concept of proof-of-human-work (PoH), a human-in-the-loop puzzle that is publicly verifiable and can be used to build a decentralized cryptocurrency system. It is a non-interactive explicit puzzle scheme that can only be solved with sufficient human assistance. Unlike the traditional standalone CAPTCHA, the solution of the puzzle is unknown to the puzzle-generator machine and the difficulty is adjustable.
The scheme involves two types of puzzles, a CAPTCHA and a pricing puzzle similar to that used in Bitcoin. To produce a valid block, the miner is required to first prove that he is a human by solving a CAPTCHA instance, then use the obtained solution as an input parameter to the pricing puzzle. The CAPTCHA instance is constructed obliviously using the universal samplers developed by Hofheinz et al. [61]. The instance is generated along with a verification tag, and the corresponding solution remains concealed in the obfuscated program. This feature provides public verifiability, where anyone in the network can verify the submitted solution. The difficulty of the puzzle is adjusted by having the verifier reject a valid solution with a certain probability, so that the human miner has to generate and solve a specific number of puzzles to produce a valid proof-of-human-work.
The human feature provided by the AI-hard puzzle is exploited to satisfy properties that traditional cryptocurrencies such as Bitcoin lack, namely eco-friendliness, usefulness, and centralization-resistance. Eco-friendliness and usefulness are achieved by relying on human effort instead of computational power. The human effort may involve performing educational [70] or productive [62] tasks in order to avoid wasting human cycles. Centralization-resistance is achieved by ensuring fairness, where any two humans are capable of performing a similar amount of work to solve the puzzle.
Key Requirements.
In the context of cryptocurrencies, the AI-hard puzzle should be efficient and trapdoor-free, such that it is easy for a machine to construct, but difficult for any machine (including the puzzle-generator machine) to solve without sufficient human assistance. It must be non-interactive and publicly verifiable, such that a machine can easily verify the puzzle solution and ensure that the issuer does not already have the solution without any human assistance. Finally, the puzzle scheme should provide a sufficient density of difficulty levels to allow adjusting its hardness according to the changing scale and settings of the system.
Viability.
The viability of AI-hard puzzles in decentralized cryptocurrencies is affected by two main challenges. First, a trapdoor-free construction scheme, whereby the solution is unknown to any party throughout the generation of the puzzle, is required to provide trust in the system. This challenge is addressed by the authors of the HumanCoin system [19] using indistinguishability obfuscation (IO); however, the current development achievements in IO do not provide a practical solution, hence their approach is currently impractical. Furthermore, their proposed system requires an initial trusted setup phase, since the party generating the system may embed a trapdoor allowing it to produce coins without involving any human work. Second, the security and stability of the system rely on the hardness of the underlying AI problem. The life of such a cryptocurrency is anticipated to be shorter than that of other cryptocurrencies that depend on cryptographic primitives, since AI breakthroughs are achieved more frequently. Therefore, achieving and maintaining trust using AI-hard puzzles in such cryptocurrency systems remains an open question.
5 CONSTRUCTION SCHEMES
As discussed previously, puzzles may be categorized based on several aspects, including the ways they are applied, the type of verification, and the type of resource that bounds the scheme. In this section, we categorize them based on the resource that bounds the puzzle scheme, which includes: CPU, memory, and bandwidth. We survey state-of-the-art puzzles by focusing on the type of construction scheme and present further developments and improvements on these schemes.

Table 2. Key requirements of puzzles for each application field.
Key requirements (columns): Easy to construct, Fine-grained, Deterministic computation, Non-parallelizable, Non-interactive, Publicly verifiable, State-less, Trapdoor-less, Fair.
Application fields (rows) with their marked requirements:
Spam defense: X X
DoS defense: X X X X
Cryptocurrencies: X X X X X
Delayed Disclosure: X X X
Auditable metering: X X X
Uncheatable Benchmarks: X X X
Bot Detection: X X
5.1 CPU-Bound Schemes
5.1.1 Merkle Puzzles. Computational puzzles were first introduced by Merkle [90] as a method to establish a secure key agreement over insecure channels. The main design goal was to create a work gap between legitimate parties and passive adversaries in order to guarantee secure key distribution. The puzzle is based on symmetric cryptography and is constructed by generating N encrypted keys, each having a unique ID. The other legitimate party solves the puzzle by selecting one of the keys, decrypting it by brute force, and then submitting its ID. To know the key, an eavesdropper must decrypt all N keys, since he cannot determine which of the IDs is mapped to the key. The puzzle's difficulty is adjusted by adjusting the size of the key used to perform the encryption. As a key agreement protocol, this scheme is impractical and insecure, since the optimum work gap that can be achieved using this method, as proven by Barak and Mahmoody [13], is quadratic. However, it was the building block towards public key cryptography. Merkle puzzles differ from the following puzzles in that both parties are required to perform a similar amount of work O(N); hence the scheme is not asymmetric.
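The work gap described above, as an added illustration that is not code from the survey or from [90]: Alice publishes N puzzles, Bob cracks one, and an eavesdropper who only sees the announced ID must crack puzzles until she hits that ID. The toy "cipher" (a SHA-256 keystream), the 10-bit puzzle keys, the MERKLE header used to recognise a correct decryption, and the seeded random source are all assumptions made for this example.

```python
"""Added example (not from the survey or [90]): a toy Merkle puzzle key agreement.

Assumptions: a tiny symmetric 'cipher' built from a SHA-256 keystream, puzzle
keys of PUZZLE_KEY_BITS bits, and a recognisable header so that a brute-force
decryption can tell a correct key from a wrong one.
"""
import hashlib
import random

HEADER = b"MERKLE"          # marker that lets a solver recognise a valid decryption
PUZZLE_KEY_BITS = 10        # per-puzzle brute force: at most 2^10 trials
SECRET_LEN = 16


def _keystream(key: int, n: int) -> bytes:
    """Deterministic keystream: SHA-256(key || counter) blocks, truncated to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _xor(key: int, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def create_puzzles(n: int, rng: random.Random):
    """Alice: N puzzles, each encrypting (HEADER, id, secret) under a fresh weak key.
    Returns the shuffled puzzle list (sent to Bob) and the id -> secret table Alice keeps."""
    table, puzzles = {}, []
    for pid in range(n):
        secret = rng.getrandbits(8 * SECRET_LEN).to_bytes(SECRET_LEN, "big")
        key = rng.getrandbits(PUZZLE_KEY_BITS)
        puzzles.append(_xor(key, HEADER + pid.to_bytes(4, "big") + secret))
        table[pid] = secret
    rng.shuffle(puzzles)
    return puzzles, table


def crack_puzzle(puzzle: bytes):
    """Brute-force one puzzle over all 2^PUZZLE_KEY_BITS keys. Returns (id, secret, trials)."""
    for trial, key in enumerate(range(1 << PUZZLE_KEY_BITS), start=1):
        pt = _xor(key, puzzle)
        if pt.startswith(HEADER):
            pid = int.from_bytes(pt[len(HEADER):len(HEADER) + 4], "big")
            return pid, pt[len(HEADER) + 4:], trial
    raise ValueError("no key found")


def bob_solve_one(puzzles, rng: random.Random):
    """Bob: pick one puzzle at random, crack only that one, announce its id in clear."""
    return crack_puzzle(rng.choice(puzzles))


def eve_attack(puzzles, announced_id: int):
    """Eve sees only the announced id, so she cracks puzzles until one carries that id.
    Expected work is about N/2 puzzles, i.e. N/2 times Bob's work: the quadratic gap."""
    total = 0
    for puzzle in puzzles:
        pid, secret, trials = crack_puzzle(puzzle)
        total += trials
        if pid == announced_id:
            return secret, total
    raise ValueError("id not found")


def demo(seed: int = 7, n: int = 64):
    """Run one agreement with a seeded RNG and report the work of both parties."""
    rng = random.Random(seed)
    puzzles, table = create_puzzles(n, rng)
    pid, secret, bob_work = bob_solve_one(puzzles, rng)
    eve_secret, eve_work = eve_attack(puzzles, pid)
    return {"agreed": table[pid] == secret == eve_secret,
            "bob_work": bob_work, "eve_work": eve_work}
```

Eve's loop always includes the very puzzle Bob solved, so her trial count is never below his; with larger N the ratio approaches the N/2 factor, which is the best Merkle puzzles can offer.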
5.1.2 Pricing functions. Dwork and Naor [44] were the first to suggest using puzzles as an access control mechanism to combat email spam. They used the puzzle as a 'pricing function' to assign a computational cost to resource allocation requests. Their goal is to increase the cost of sending an email for spammers by forcing them to compute a unique puzzle for each recipient. They proposed three puzzle schemes. The first scheme is based on computing a square root and the other two are based on digital signature schemes with smaller security parameters. The first is verified by squaring the submitted solution, while the digital-signature-based schemes are verified using trapdoors to reduce the verification cost. The availability of trapdoors in their scheme is essential, not only to reduce the verification cost but also to allow legitimate mass mailing by specific authorities. Solving the puzzle requires forging a signature, without actually breaking a private key, using a moderately hard algorithm such as Pollard's algorithm. The proposed schemes satisfy the amortization-freeness property, but are prone to pre-computation attacks, which weakens the effectiveness of the puzzle. Furthermore, similar to the previous scheme, they suffer from inefficiency, requiring a relatively high construction cost.
5.1.3 Time-lock and Delaying functions. Rivest et al. [117] rediscovered the idea of puzzles to implement time-release cryptography and introduced the notion of time-lock puzzles, which are computational puzzles that can only be solved in a precise amount of time. Their design goal was to create a puzzle that can only be solved sequentially by performing a deterministic number of operations. The puzzle is used to allow encrypting a message that can only be decrypted (unlocked) after a predetermined period of time, specified by the puzzle issuer, elapses. This type of puzzle differs from traditional PoW schemes in that the solution of the puzzle serves as a decryption key rather than as a means of convincing the verifier. In particular, the verification is not performed by the verifier but is determined by the ability of the prover to decrypt the encrypted message using the solution of the puzzle.
The hardness of time-lock puzzles relies upon the infeasibility of factoring large integers. To construct the puzzle, the issuer first sets its parameters by generating a composite modulus $N$ as the product of two large private prime numbers $p$ and $q$. It determines the time required to solve the puzzle as $t = T \cdot S$, where $S$ is the number of squaring operations current machines can run per second, and $T$ is the desired time specified by the puzzle creator. The issuer then generates the puzzle by encrypting a message $m$ with key $K$ and encrypting the key as
$$C_k = K + a^{2^t} \bmod N.$$
The puzzle is given as $(N, a, t, C_k, C_m)$ and the solution of the puzzle reveals the key that decrypts the message. Solving it requires performing $t$ modular squarings sequentially, starting with $a$. The difficulty of the puzzle is adjusted by increasing or decreasing $t$, which provides fine granularity. Knowing $\Phi(N)$, the verifier can use the trapdoor given by Euler's function to compute the solution in $O(\log N)$ modular multiplications.
Time-lock puzzles guarantee non-parallelizability and deterministic computation, which provides fine-grained difficulty adjustment. However, the requirement of generating large prime numbers and performing modular exponentiations for every puzzle is resource-exhausting, which makes it impractical and unsuitable for resource-constrained environments.
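The construction and the two ways of opening it (t sequential squarings for the solver, one exponentiation reduced modulo phi(N) for the issuer), as an added example that is not code from the survey or from [117]. The two small primes, the SHA-256 keystream used as the symmetric cipher for the message, and the function names are assumptions of this example; real deployments use primes far too large for sequential squaring to be measurable at this scale.

```python
"""Added example (not from the survey or [117]): RSW-style time-lock puzzle.

Assumptions: toy primes, a = 2, and a SHA-256 keystream standing in for the
symmetric cipher that encrypts the message under key K.
"""
import hashlib
import secrets


def rsw_setup(p: int, q: int):
    """Issuer: composite modulus N = p*q and the trapdoor phi(N) = (p-1)(q-1)."""
    return p * q, (p - 1) * (q - 1)


def squarings_for_delay(seconds: float, squarings_per_second: int) -> int:
    """t = T * S: the desired delay T times the squaring rate S of current machines."""
    return int(seconds * squarings_per_second)


def rsw_lock(N: int, phi: int, t: int, key: int, a: int = 2):
    """Issuer: C_k = key + a^(2^t) mod N. Knowing phi(N), the exponent 2^t is reduced
    modulo phi(N) first, so the issuer pays O(log N) multiplications rather than
    t dependent squarings (Euler's theorem; requires gcd(a, N) = 1)."""
    e = pow(2, t, phi)
    b = pow(a, e, N)
    return (N, a, t, (key + b) % N)


def rsw_unlock(N: int, a: int, t: int, c_k: int) -> int:
    """Solver: t modular squarings, each depending on the previous result,
    so the work cannot be spread over parallel cores."""
    b = a % N
    for _ in range(t):
        b = b * b % N
    return (c_k - b) % N


def _keystream(key: int, n: int) -> bytes:
    """Toy symmetric cipher keystream derived from the integer key (assumption)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key.to_bytes(32, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def lock_message(N: int, phi: int, t: int, message: bytes, key=None):
    """Issuer: pick K, encrypt the message to C_m, and time-lock K. Returns
    the puzzle (N, a, t, C_k) together with C_m."""
    if key is None:
        key = secrets.randbelow(N - 1) + 1
    c_m = bytes(x ^ y for x, y in zip(message, _keystream(key, len(message))))
    return rsw_lock(N, phi, t, key), c_m


def unlock_message(puzzle, c_m: bytes) -> bytes:
    """Solver: recover K by sequential squaring, then decrypt C_m; no verifier is
    involved, a correct K simply yields a readable message."""
    key = rsw_unlock(*puzzle)
    return bytes(x ^ y for x, y in zip(c_m, _keystream(key, len(c_m))))
```

The issuer's shortcut is exactly the trapdoor the text mentions: without phi(N) the only known route to a^(2^t) mod N is the t squarings the solver performs, and the delay is tuned linearly by changing t.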
Eciency.
To reduce the construction and verication cost, Karame and Capkun [
68
] proposed
using an RSA key pair with a smaller exponent and a semi-prime modulus. ey based their
puzzle construction on the intractability assumption in RSA, which states that computing a private
exponent when the semi-prime modulus is less by multiple orders of magnitude than the public
key is computationally infeasible. Given kas a security parameter, the verication cost in the
proposed scheme is reduced by a factor of
|N|
k
. Despite the signicant cost reduction, it is still
suciently expensive that it cannot be deployed in large-scale environments. Furthermore, their
scheme does not provide ne-grained control over the diculty level as, the gap between two subse-
quent diculty levels is signicantly increased compared to the previous time-lock puzzle scheme
[
117
]. Further eciency improvements on modular-exponentiation based puzzles are proposed in
[
110
]. Tang and Jackmans [
123
] introduced dierent verication modes for the construction phase
proposed in [
117
] to increase the verication eciency and make it suitable for a server-client
communication model.
5.1.4 Hashcash and Client puzzles. Inspired by the idea of pricing functions [44], Juels and Brainard [65] proposed client puzzles to mitigate connection depletion attacks. The objective is to have the clients commit their resources before establishing a connection, by requiring them to solve computational puzzles for each request. Since the adversary would send a great number of connection requests, it must solve the puzzle associated with each request. This precludes attackers from overwhelming the server and allows legitimate clients to establish a connection. Unlike previous puzzles, client puzzles do not incur a high cost on the verifier, since they are easy to construct and can be constructed in a stateless way.
The server constructs the puzzle using a hash function that processes a bitstring $X$ of length $l$ as input and produces a hash image $Y$. The puzzle is given as $(X_{\langle k+1, l \rangle}, Y)$, where the first $k$ bits of $X$ are hidden. Clients must perform a brute-force search for the $k$ missing bits that produce $Y$ and submit the solution with the request. The problem of solution pre-computation is addressed by embedding a time-stamp in the puzzle and requiring the client to submit the solution within a specified time interval. The difficulty is tuned by increasing or decreasing the number of bits to be searched for. To decrease the probability of guessing the solution and to have a finer difficulty adjustment, they suggest composing the puzzle of $m$ independent sub-puzzles, each requiring a unique $k$-bit solution. This composition may increase the difficulty for an attacker in guessing the solution, but the granularity is still coarse, with the difficulty level growing exponentially. Furthermore, the efficiency of the puzzle decreases as the number of sub-puzzles increases.
Eciency.
Aura et al. [
63
] improved the client puzzle’s eciency by reducing its length and
minimizing the number of hash calls needed for both construction and verication. ey generalized
the design of the puzzle to employ it in any authentication protocol. e puzzle is generated by the
client, unlike the previous scheme [
65
], where the server generates both hash input and output.
In this scheme, the client is given a nonce
Ns
and is required to nd a bit-string Xthat if hashed
together with the nonce (and other client data) produces a hash image with kleading zero bits.
For verication, the server performs a single hash call to check if the submied solution produces
kleading zero bits. ese improvements motivated further practical implementations of client
puzzles. Dean and Stubbleeld [
39
] provided a compatible implementation of this scheme to protect
TLS servers, Moskowitz et al. [
96
] adapted it in the Host Identity Protocol (HIP), and Wang and
Reiter [
134
] integrated it in the network layer to mitigate bandwidth-exhaustion aacks. One
additional feature that this construction oers, as proposed by Back [
10
], is that it can also be
used in a non-interactive seing, where the prover chooses the challenge and the solution can be
publicly veried.
Fig. 4. Hashcash puzzle construction [63]
Despite the efficiency improvements, this puzzle construction, which was initially implemented by Back in the Hashcash system [10] and is currently used in Bitcoin [98], provides coarser difficulty levels, preventing the verifier from flexibly adjusting the difficulty according to the threat level. Furthermore, it is highly parallelizable and has a probabilistic solving cost with high variance. These drawbacks may prevent puzzle fairness and reduce the effectiveness of the puzzle. Parallelizability gives adversaries with higher CPU speed a great advantage over legitimate parties, while the probabilistic cost does not guarantee that the time required to solve the puzzle is similar for all clients. The search process for $n$ bits might abort after the first try or after performing all of the $2^n$ tries.
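Both hash-inversion puzzles of this subsection side by side, as an added example that is not code from the survey, [65], [63] or [10]: the Juels-Brainard puzzle with k hidden bits of a known preimage (and its m-sub-puzzle composition), and the Hashcash/Aura-style puzzle where the client finds an X such that H(nonce || X) has k leading zero bits. The final function samples the trial counts over several nonces to make the cost variance of the probabilistic search visible. SHA-256, 64-bit preimages, the 8-byte encoding of X, and all function names are assumptions of this example.

```python
"""Added example (not from the survey, [65], [63] or [10]): two hash-inversion
client puzzles and the solving-cost variance of the probabilistic search."""
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Juels-Brainard style: server publishes Y = H(X) and X with its first k bits hidden.
def jb_create(k: int, l: int = 64) -> dict:
    """Server side: random l-bit X, image Y, and the revealed low l-k bits X_<k+1,l>."""
    X = secrets.randbits(l)
    Y = H(X.to_bytes(l // 8, "big"))
    revealed = X & ((1 << (l - k)) - 1)
    return {"k": k, "l": l, "revealed": revealed, "Y": Y}


def jb_solve(puz: dict):
    """Client side: brute-force the k hidden bits. Returns (X, number_of_hash_calls)."""
    k, l, revealed, Y = puz["k"], puz["l"], puz["revealed"], puz["Y"]
    for guess in range(1 << k):
        X = (guess << (l - k)) | revealed
        if H(X.to_bytes(l // 8, "big")) == Y:
            return X, guess + 1
    raise ValueError("unsolvable puzzle")


def jb_verify(puz: dict, X: int) -> bool:
    """Server side: one hash call plus a check that the revealed bits were kept."""
    l, k = puz["l"], puz["k"]
    keeps_revealed = (X & ((1 << (l - k)) - 1)) == puz["revealed"]
    return keeps_revealed and H(X.to_bytes(l // 8, "big")) == puz["Y"]


def jb_solve_composite(puzzles):
    """m independent sub-puzzles, each needing its own k-bit answer; cost adds up."""
    sols, cost = [], 0
    for p in puzzles:
        X, c = jb_solve(p)
        sols.append(X)
        cost += c
    return sols, cost


# --- Hashcash / Aura style: find X with k leading zero bits in H(nonce || X).
def hc_leading_zero_ok(digest: bytes, k: int) -> bool:
    return (int.from_bytes(digest, "big") >> (256 - k)) == 0


def hc_solve(nonce: bytes, k: int):
    """Client side: increment X until the digest has k leading zero bits.
    Returns (X, trials); expected trials are 2^k but the spread is large."""
    X = 0
    while True:
        X += 1
        if hc_leading_zero_ok(H(nonce + X.to_bytes(8, "big")), k):
            return X, X


def hc_verify(nonce: bytes, X: int, k: int) -> bool:
    """Server side (or anyone, in the non-interactive setting): a single hash call."""
    return hc_leading_zero_ok(H(nonce + X.to_bytes(8, "big")), k)


def hc_cost_spread(k: int, samples: int = 50) -> dict:
    """Trials needed over several constructed nonces: the min/max gap shows why a
    probabilistic cost gives no guarantee that all clients pay a similar price."""
    costs = [hc_solve(i.to_bytes(4, "big"), k)[1] for i in range(samples)]
    return {"min": min(costs), "max": max(costs),
            "mean": sum(costs) / len(costs), "expected": 2 ** k}
```

Both searches are embarrassingly parallel (any subset of the candidate space can be scanned independently), and each step of k doubles the expected cost, which is the coarse granularity the text refers to.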
5.1.5 Client Puzzle Variants. Further efficiency improvements were proposed and the aforementioned problems of client puzzles were addressed by several research works. In this subsection, we categorize them based on the problems and puzzle features being discussed in each.
Determining the difficulty level.
The difficulty of a puzzle determines its security and effectiveness. Setting the difficulty to a low level may reduce the workload on the adversaries, which allows them to successfully launch an attack, while setting it to a high level may deter honest parties from participating in the underlying application. Given the existence of an adversary with unknown computing power, it may be difficult to properly adjust the difficulty level without increasing the cost for legitimate clients. Wang and Reiter [133] addressed this problem by using an auction mechanism. They introduced the concept of 'puzzle auctions', where each client is allowed to set the hardness of the puzzle it solves. The server then assigns its resources to the client that solved the hardest puzzle (the one with the highest difficulty level). They assume that a legitimate client would expend more resources than a compromised zombie client, since attackers will not increase the workload of these zombies above a certain threshold, to avoid detection. They argue that this mechanism is effective, since clients can win an auction by raising their bids just above the attacker's bid. However, it gives an unfair advantage to clients with higher computation power and, potentially, to powerful attackers. In addition, it adds more rounds to the scheme by requiring the client to submit more than one puzzle solution of increasing difficulty levels until a connection is established.
Granularity.
Feng et al. [50] addressed the coarseness problem of hash-based puzzles by providing the client with a hint along with the puzzle. The hint is a value near the solution, which reduces the brute-force search space. To solve a puzzle, the client starts at the hint and searches the range linearly for the solution. Puzzle difficulty can be adjusted finely by adjusting the accuracy of the hint. This scheme provides better control over the difficulty level, but it can only be applied interactively, requiring the verifier to generate a puzzle for each client instead of just sending a challenge as in [63].
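The hint mechanism in code, as an added example that is not the scheme's own implementation nor code from the survey: the server draws a secret solution s, publishes H(s) together with a hint that is at most `difficulty` below s, and the client scans upward from the hint. Because the search range is chosen directly, adjacent difficulty levels differ by a constant number of hashes instead of a factor of two. SHA-256, 48-bit solutions and the function names are assumptions of this example.

```python
"""Added example (not from the survey or [50]): hint-based hash puzzle with
linearly tunable difficulty. Assumes SHA-256 over an 8-byte encoding of the
candidate value."""
import hashlib
import secrets


def H(x: int) -> bytes:
    return hashlib.sha256(x.to_bytes(8, "big")).digest()


def hint_create(difficulty: int) -> dict:
    """Server side: secret solution s, target Y = H(s), and a hint lying in
    [s - difficulty, s]. The expected linear search costs about difficulty/2
    hashes, so difficulty is a linear knob, not an exponent."""
    s = secrets.randbits(48)
    hint = max(0, s - secrets.randbelow(difficulty + 1))
    return {"hint": hint, "Y": H(s), "difficulty": difficulty}


def hint_solve(puz: dict):
    """Client side: scan upward from the hint. Returns (solution, trials)."""
    x = puz["hint"]
    for trials in range(1, puz["difficulty"] + 2):
        if H(x) == puz["Y"]:
            return x, trials
        x += 1
    raise ValueError("solution not within the hinted range")


def hint_verify(puz: dict, x: int) -> bool:
    """Server side: one hash call, plus a range check so a client cannot submit a
    preimage found outside the window it was asked to search."""
    in_range = puz["hint"] <= x <= puz["hint"] + puz["difficulty"]
    return in_range and H(x) == puz["Y"]


def measured_cost(difficulty: int, samples: int = 20) -> float:
    """Average trials over fresh puzzles at one difficulty; doubling `difficulty`
    roughly doubles this number, which is the linear granularity of the scheme."""
    total = sum(hint_solve(hint_create(difficulty))[1] for _ in range(samples))
    return total / samples
```

The price of this granularity is the interactivity noted in the text: the server must know s to place the hint, so it generates and remembers a puzzle per client instead of handing out a challenge that any prover could self-serve.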
Reducing construction cost.
To eliminate the computational load of generating puzzles from the verifier, Waters et al. [135] proposed puzzle outsourcing mechanisms. Their goal is to protect the puzzle scheme itself from being subject to a DoS attack and to reduce the client delay added by the previous puzzle schemes. The puzzle, which is based on the Diffie-Hellman problem, is constructed by a third party called the bastion. The construction requires modular exponentiations, while the verification, which is performed by the server, requires a memory lookup and one modular exponentiation. The client is required to invert a discrete logarithm using some partial information. This information is represented as a specific range of seed values. The client performs a brute-force search for the solution seed within the specified range. Since the verifier can control the size of the range, it can linearly adjust the difficulty of the puzzle. The client delay is reduced by allowing it to compute solutions offline and requiring it to solve a puzzle per time interval instead of per request. The per-time-interval requirement prevents adversaries from precomputing solutions. Although the construction is outsourced and the same bastion can generate puzzles that can be utilized by multiple servers, it is still expensive due to the modular exponentiation, making it inefficient and unscalable. In addition, the solution-finding process in this scheme is similar to that in hash-based schemes: it requires performing an exhaustive search within a specific range, which is a highly parallelizable task.
Gao [53] suggested adding a pre-construction stage to allow the server to compute expensive operations in idle time and reuse the calculated parameters during online puzzle construction by combining them with time parameters. The author developed two trapdoor-based puzzle schemes, one RSA-based and the other based on the discrete logarithm problem. Both schemes require modular arithmetic calculations not only in the pre-construction stage but also in the online construction phase. Like the previous scheme [135], they provide fast verification via a memory look-up and linear granularity; however, the solving process is also highly parallelizable.
Non-parallelizability.
Generally, non-parallelizability is important to control the timing feature of a puzzle, where the solution time should be approximately controllable by the verifier. This property is crucial to allow the verifier to appropriately set the difficulty, which is otherwise not possible due to the huge disparity in computing power between machines. Non-parallelizability is important in applications that require puzzle fairness, and it prevents an adversary that uses parallel computing from solving puzzles significantly faster than the expected time. Non-parallelizable CPU-bound puzzle schemes are either based on an inherently sequential problem [117, 124] or utilize a chaining technique [86, 58].
Time-lock puzzles [117] are based on repeated squaring, which ensures non-parallelizability; however, they cannot be employed in large-scale and resource-constrained environments due to their high construction cost. Two hash-based schemes that offer non-parallelizability were proposed by Ma [86] and Groza and Petrica [58]. These schemes utilize a puzzle chaining technique, which requires sequential solving steps to complete the whole puzzle chain. Although they were designed to reward the client for partially solving a chain, we also discuss the possibility of using this type of construction as one puzzle that has one solution. A puzzle chain consists of a set of puzzles that can only be solved in a specific order, in which solving a puzzle requires computing the solution of the predecessor puzzle. In each puzzle chain, there is at least one puzzle that does not depend on any other puzzle.
Ma [86] utilizes a hash chain, which was initially introduced by Lamport [72], to construct the puzzle. The goal is to give a receiver control over which packets to receive. This is achieved by forcing the sender to invert a hash chain, where each inverted hash value permits sending $m$ packets only. A 'request-to-send' packet must be sent first by the sender before sending any further packets. The receiver then computes a hash chain $(h_0, h_1, \ldots, h_k)$ of length $k$ and responds with a puzzle given as $(h_k, K)$. A sender wishing to send $m$ packets is required to find the first predecessor hash value $h_{k-1}$ only, and is allowed to send a maximum of $m \times K$ packets by inverting the whole chain $(h_{k-1}, h_{k-2}, \ldots, h_0)$. To verify a single solution, the receiver is required to store the current values of $h_k$ and $K$, then perform a single hash operation to check if the submitted hash value is equivalent to the current $h_k$. The stored hash value is replaced by its predecessor after every $m$ packets received. Puzzle difficulty can be adjusted by varying the number of packets $m$ and the length of the chain $K$. As a stand-alone puzzle, the construction cost is relatively high and the verification may require reconstructing the puzzle chain in some settings to avoid memory exhaustion attacks. In addition, adjusting the difficulty is not as flexible as the author claims, since inverting a chain of hash values may not always be achieved in reasonable time, and setting the digest's size to a lower number of bits (16 bits, as suggested) lowers the difficulty level, which makes the process of finding a solution as easy as constructing the puzzle [124].
In Groza and Petrica's scheme [58], the puzzle chain is given as $([P_0, r_0], [P_1, r_1], \ldots, [P_n, r_n])$, where $P$ is the puzzle and $r$ is a string of random bits. The chain is constructed by first concatenating two state-dependent random values, $\rho$ and $r$, then double hashing them to form the first puzzle in the chain, $P_0 = H^2(\rho_0 \| r_0)$. The remainder of the chain is created by XORing the result of hashing the previous state-dependent values $\rho_{i-1}$ and $r_{i-1}$ with two new state-dependent values $\rho_i$ and $r_i$, then double hashing the result:
$$P_i = H^2\big((\rho_i \| r_i) \oplus H(\rho_{i-1} \| r_{i-1})\big).$$
Solving the puzzle requires solving the chain in the order it was constructed, starting with $P_0$ and then finding the $\rho_i$ of each $P_i$. Similar to the previous scheme, it is an inefficient stand-alone puzzle, requiring the verifier to perform three hash operations for each puzzle in the chain for both construction and verification. Both schemes only guarantee partial non-parallelizability, since each individual puzzle in the chain can be solved in parallel; hence they do not actually solve the CPU-speed disparity problem.
To achieve non-parallelizability with cheaper construction and verification cost, Tritilanunt et al. [124] proposed a new puzzle scheme that relies on the subset sum problem, which is a variant of the knapsack problem. Given a set of objects, each with a specific weight, the prover must determine the number of objects that can be included in a fixed-size knapsack. In other words, given a set of positive integers $(a_0, a_1, \ldots, a_n)$ and a positive integer $S$, find a subset of $a$ that sums up to $S$. Solving the puzzle can be done by brute force, which is highly parallelizable; however, the puzzle difficulty is set such that it is more efficient to apply Lenstra's lattice reduction algorithm LLL [77] instead. The algorithm requires recursive computations, hence it cannot be parallelized. Both construction and verification are cheap, requiring one hash operation and some additions. This scheme provides non-parallelizability, deterministic computation and polynomial granularity. However, the LLL algorithm suffers from huge memory requirements that limit its deployment in general applications. In addition, it does not solve the resource disparity problem since, according to the authors, the solving algorithm may not be executed using platforms of lower power than PCs.

Table 3. Summary of CPU-bound schemes.
Category        Puzzle Scheme           Easy to    Easy to  Granularity  Low Cost  Non-            Non-         Publicly    State-less  Based on
                                        construct  verify                Variance  parallelizable  interactive  verifiable
Non-Hash Based  Merkle [90]             ✗          ✓        Exponential  ✗         ✗               ✗            ✗           ✗           Symmetric Crypto.
                Pricing functions [44]  ✗          ✓        Exponential  ✗         ✗               ✓            ✗           ✗           Digital Signatures
                Time-lock [117]         ✗          ✓        Linear       ✓         ✓               ✗            ✓           ✗           Repeated Squaring
                Subset-Sum [124]        ✓          ✓        Polynomial   ✓         ✗               ✗            ✓           ✓           Subset-Sum problem
Hash-Based      Client Puzzles [65]     ✓          ✓        Exponential  ✗         ✗               ✗            ✗           ✓           Multiple Hash Inversion
                Hashcash [10]           ✓          ✓        Exponential  ✗         ✗               ✓            ✓           ✓           Single Hash Inversion
                Hint-based [50]         ✓          ✓        Linear       ✗         ✗               ✗            ✗           ✗           Single Hash Inversion
                Hash-chain [86][58]     ✗          ✓        Linear       ✗         partial         ✗            ✗           ✗           Hash chain reversal
5.1.6 Summary of CPU-bound Puzzles. Most CPU-bound puzzle schemes are based on cryptographic hash inversions [9, 10, 50, 65, 133] or digital signature algorithms [44, 53, 135]. In general, hash-based puzzle schemes are more efficient, as generation and verification require an insignificant number of cryptographic hash operations. However, they suffer from three fundamental drawbacks. The first is coarse-grained difficulty adjustment, where adjacent difficulties vary by a factor of two. This may not allow the verifier to flexibly adjust the difficulty according to the threat level, hence reducing the effectiveness of the puzzle. Although some variants, such as the hint-based puzzle [50], provide linear granularity, they can only be applied interactively. The second is parallelizability, which introduces the CPU-speed disparity problem and gives powerful adversaries an advantage over honest parties. Finally, the solution-finding process of these puzzles is probabilistic and its cost variance is so high that it does not guarantee fairness, as some provers may get lucky and find the solution much faster than others. On the other hand, number-theoretic puzzles, such as time-lock puzzles [117], provide finer granularity and low solution cost variance, but are less efficient, requiring the verifier to compute large-integer modular exponentiations, which is unsuitable for resource-constrained environments. Considering parallelizability, both time-lock puzzles and knapsack-based puzzles ensure non-parallelizability; however, as discussed previously, the former requires the verifier to perform expensive operations, while the latter suffers from huge memory requirements for solving the puzzle.
The lack of an efficient and non-parallelizable CPU-bound function led researchers to investigate the utilization of other resources, such as memory [1, 43], bandwidth [2, 131], and human attention [99, 128], which are discussed in the following sections.
5.2 Memory-Bound and Memory-Hard Schemes
Using memory-intensive computations in a puzzle scheme has been proposed by several works
[
1
,
8
,
46
,
106
], with dierent notions, to provide both equitable computation and resistance against
specialized hardware, such as GPUs and ASICs. e solution cost of the puzzle is measured either
by the number of accesses to the main memory or by the amount of memory space, rather than by the number of computation operations.
Memory-bound puzzle schemes require a significant number of memory accesses to be solved. The solution time is bound by the memory latency, and the complexity is measured by the number of cache misses and not by the actual amount of memory employed. The adversary's goal in such a scheme is to decrease the number of memory accesses, either by benefiting from the cache or by performing intensive computations instead. On the other hand, memory-hard puzzle schemes require a significant amount of memory space to be solved. The complexity is measured by the number of memory locations used for a given number of operations. The adversary's goal in such a scheme is to use less memory space by trading it for time or extra computations. A memory-bound function may be considered memory-hard in the sense that the amount of memory required is greater than the cache size, while a memory-hard function is memory-bound only if the locality of its memory access pattern is such that it results in a certain number of cache misses [115].
5.2.1 Easy-to-compute functions. A well-known problem with CPU-bound puzzle schemes is the significant variation in the amount of computing power available to provers. Abadi et al. [1] addressed this problem and were the first to introduce the notion of memory-bound puzzles. The goal is to construct a puzzle that the latest systems can compute at a similar speed, by relying on memory latency instead of CPU speed. They proposed a memory-bound puzzle that consists of an easy-to-compute pseudo-random function $F()$ whose inverse $F^{-1}()$ requires computations more time-consuming than accessing memory (i.e. inverting it can be done more efficiently via the space-time tradeoff). The verifier selects an integer $x_0$ from the domain $[0 \ldots (2^n - 1)]$ and computes $x_{i+1} = F(x_i) \oplus i$, where $0 < i < k$. The puzzle is given as $x_k$ and a checksum of the sequence $(x_0, x_1, \ldots, x_k)$. Solving the puzzle requires constructing a table for $F^{-1}()$ and working backwards from $x_k$ to find a pre-image $x'_0$ such that the checksum of the path from $x'_0$ to $x_k$ matches that of the challenge. Since there exist several pre-images that lead to multiple paths, the solver is forced to explore a tree of pre-images that has depth $k$, root $x_k$ and a total size of $O(k^2)$. The parameters $n$ and $k$ are chosen carefully to ensure that the table cannot be stored in cache; thus, in the best-case scenario, the number of cache misses required is also $O(k^2)$. Verification requires $k$ forward computations of $F()$, which increases exponentially as the CPU cost of $F()$ decreases (i.e. as the processing speed of current machines increases according to Moore's Law).
They also discuss a variant of this scheme that can be applied in a non-interactive setting. The challenge is not presented by the verifier, but rather produced by a pseudo-random generator using some application-related data, such as a message in combating spam, as the seed.
The main drawback of the scheme proposed in [1] is the existence of a time-space tradeoff for inverting the function $F()$, which may allow adversaries to circumvent the scheme using higher computation power and only rarely accessing the memory. The puzzle complexity is highly affected by current processing speeds, since it requires more memory and a higher verification cost to keep pace with Moore's law. Consequently, its efficiency decreases, which hinders its large-scale deployment and practical implementation. In addition, the work ratio between the two parties is quadratic and cannot be increased, since deeper trees allow the solver to benefit from the cache and invert several values at the cost of just one memory access.
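The construction above, as an added toy-size example (not the authors' code): $F$ is derived from SHA-256 over a 16-bit domain, the checksum is a truncated SHA-256 of the sequence, and the loop index is assumed to start at $i = 0$. The solver tabulates $F^{-1}$ once and runs a depth-first search of the pre-image tree; the verifier only recomputes the forward chain.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Added toy instance of the easy-to-compute memory-bound puzzle (Section 5.2.1);
# not the authors' code. Assumptions: n = 16, F is derived from SHA-256,
# the checksum is a truncated SHA-256 over the sequence (x_0, ..., x_k).
N_BITS = 16
MASK = (1 << N_BITS) - 1


def make_F(seed: bytes):
    """Easy-to-compute pseudo-random function F: [0, 2^n) -> [0, 2^n).
    Derived from a hash, so it is not a permutation and has several pre-images."""
    def F(x: int) -> int:
        digest = hashlib.sha256(seed + x.to_bytes(4, "big")).digest()
        return int.from_bytes(digest[:4], "big") & MASK
    return F


def checksum(path: List[int]) -> bytes:
    """Checksum over the whole sequence (x_0, x_1, ..., x_k)."""
    h = hashlib.sha256()
    for x in path:
        h.update(x.to_bytes(4, "big"))
    return h.digest()[:8]


def forward_chain(F, x0: int, k: int) -> List[int]:
    """x_{i+1} = F(x_i) XOR i; the loop index is assumed to run over 0 <= i < k."""
    path = [x0]
    for i in range(k):
        path.append(F(path[-1]) ^ i)
    return path


def make_puzzle(F, x0: int, k: int) -> Tuple[int, bytes]:
    """Verifier side: k forward evaluations of F; the puzzle is (x_k, checksum)."""
    path = forward_chain(F, x0, k)
    return path[-1], checksum(path)


def build_inverse_table(F) -> Dict[int, List[int]]:
    """Solver side: tabulate F^{-1} once. Parameters n, k are chosen so this
    table does not fit in cache, which is what makes the scheme memory-bound."""
    inv: Dict[int, List[int]] = {}
    for x in range(1 << N_BITS):
        inv.setdefault(F(x), []).append(x)
    return inv


def solve(inv: Dict[int, List[int]], xk: int, k: int, target: bytes) -> Optional[int]:
    """Depth-first search of the pre-image tree rooted at x_k with depth k.
    Returns a pre-image x'_0 whose path checksum matches the challenge, else None."""
    stack = [[xk]]                 # each entry is a reversed partial path [x_k, ..., x_i]
    while stack:
        rev = stack.pop()
        depth = len(rev) - 1
        if depth == k:
            path = rev[::-1]       # (x'_0, ..., x_k)
            if checksum(path) == target:
                return path[0]
            continue
        i = k - depth - 1          # x_{i+1} = F(x_i) XOR i  =>  F(x_i) = x_{i+1} XOR i
        for cand in inv.get(rev[-1] ^ i, []):
            stack.append(rev + [cand])
    return None


def verify(F, x0_candidate: int, xk: int, k: int, target: bytes) -> bool:
    """Verification: k forward computations of F plus one checksum."""
    path = forward_chain(F, x0_candidate, k)
    return path[-1] == xk and checksum(path) == target
```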
5.2.2 MBound. Dwork et al. [43] argued that easy-to-compute functions [1] may be solved with very few memory accesses, which diminishes the memory latency effect and hence does not solve the problem. They further explored memory-bound functions and defined a class of functions based on "pointer-chasing" in a large random table $T$. The table $T$ is of a fixed size that is approximately
double the size of the largest currently existing cache and is shared between the two parties. The solver is forced to perform random walks through $T$ to find a path with specific characteristics. A walk is a path that requires making a series of sequential random accesses to $T$, where the contents of the currently accessed location determine the next location to be accessed. Solving the puzzle is done by executing an algorithm (called MBound) that terminates successfully if, after $l$ walking steps, the last $n$ bits of the hash output are zeros. The algorithm is executed $k$ times until a successful path is found. The prover then submits the solution, given as the hash output along with the trial number $k$, which identifies the correct path. The verifier then explores the identified path $k$ by performing $l$ memory accesses to $T$ and checks that the submitted hash value is correct and ends with $n$ zeros.
Using the random oracle model, the authors prove a lower bound of $\Omega(2^n \cdot l)$ on the number of amortized memory accesses that an adversary must expend per puzzle. The expected number of walks to be performed by the solver is $2^n$; thus the total expected cost for computing the puzzle is $2^n \cdot l$ cache misses, while the verification cost is $l$ cache misses.
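A simplified pointer-chasing instantiation of the MBound idea as an added example (it is not the algorithm of [43], whose mixing step is more involved): the table is derived from a shared seed, each walk of $l$ steps reads the location named by the previous hash, and the prover reports the first trial number $k$ whose final hash has $n$ trailing zero bits.

```python
import hashlib
from typing import List, Optional, Tuple

# Added, simplified pointer-chasing instantiation of the MBound idea
# (Section 5.2.2); not the algorithm of [43], whose mixing step is more involved.
# Assumptions: T is derived from a shared seed; toy sizes so the example runs fast.
TABLE_WORDS = 1 << 12       # |T|; the real table is about twice the largest cache
WALK_LEN = 64               # l: sequential memory accesses per walk
ZERO_BITS = 6               # n: required trailing zero bits, so ~2^n walks expected


def make_table(seed: bytes, words: int = TABLE_WORDS) -> List[int]:
    """Shared random table T; both parties derive the same T from the seed."""
    return [int.from_bytes(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:8], "big")
            for i in range(words)]


def walk(table: List[int], challenge: bytes, trial: int, l: int = WALK_LEN) -> int:
    """One walk of l steps. The location read at each step is chosen by the
    previous step's hash, so the accesses cannot be issued in parallel."""
    state = hashlib.sha256(challenge + trial.to_bytes(4, "big")).digest()
    for _ in range(l):
        idx = int.from_bytes(state[:4], "big") % len(table)    # next location in T
        entry = table[idx].to_bytes(8, "big")
        state = hashlib.sha256(state + entry).digest()
    return int.from_bytes(state, "big")


def has_trailing_zeros(h: int, n: int = ZERO_BITS) -> bool:
    return (h & ((1 << n) - 1)) == 0


def solve(table: List[int], challenge: bytes, max_trials: int = 1 << 16) -> Optional[Tuple[int, int]]:
    """Prover: run walks k = 1, 2, ... until one ends with n zero bits;
    expected cost is 2^n * l cache misses. Returns (k, hash output)."""
    for k in range(1, max_trials + 1):
        h = walk(table, challenge, k)
        if has_trailing_zeros(h):
            return k, h
    return None


def verify(table: List[int], challenge: bytes, k: int, h: int) -> bool:
    """Verifier: re-walk path k (l memory accesses) and check the submitted hash."""
    return has_trailing_zeros(h) and walk(table, challenge, k) == h
```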
In a follow-up work, Dwork et al. [45] addressed the high communication complexity required for distributing and updating the incompressible large table by allowing the table to be constructed using graph pebbling. They observed that the table construction must also be memory-bound, in order to prevent adversaries from exploiting a compact description of $T$ to produce elements in cache whenever they are needed, only rarely accessing the memory.
Graph Pebbling. Pebbling is described as a game played on a directed acyclic graph (DAG). Finishing the game requires pebbling all output vertices (nodes with no children) of the graph. A non-input vertex (a node with parents) can only be pebbled when all of its predecessor vertices (parents) are pebbled. A pebble can be removed from the graph at any time. The player has a number of pebbles and its goal is to place the pebbles on the output vertices efficiently, by using few moves and having few pebbles on the graph at any time. Graph pebbling is used by several papers to model memory-bounded computations, where the time-space tradeoff is obtained by showing that there is no optimal pebbling strategy that uses few simultaneous pebbles. Generally, each pebble represents the output of a computation, and performing a specific computation using previously computed outputs is represented as the placing of a pebble. A more detailed description of pebble games is presented in [83].
In this scheme, a pebble corresponds to a label of $n$ bits and placing a pebble corresponds to labeling a vertex by calling a hash function and storing the newly computed value in cache. Constructing the table requires pebbling the DAG $D$, where the labels of the output vertices are the elements of table $T$. The DAG has $N$ input vertices (numbered $1, 2, \ldots, N$), $N$ output vertices (numbered $N+1, N+2, \ldots, 2N$) and a constant indegree. The size of the graph is $O(n|T|\log|T|)$ and it consists of a stack of $N$-superconcentrators, which provide sharp tradeoffs: the time required to pebble the output vertices with fewer than $N$ pebbles is at least exponential in the depth of the graph. Therefore, the time required to pebble the outputs is superpolynomial in $|T|$ (the number of elements in $T$). Table construction is done by both parties only once; the table is then stored in main memory to execute the MBound algorithm [43]. This reduces the communication cost; however, the requirement of constructing a table incurs a relatively high cost on the verifier and eliminates the easy-to-construct property.
There are two main drawbacks of the aforementioned memory-bound puzzles that hinder their deployment. First, both verification and solving costs increase to accommodate the current cache size, which reduces the puzzle's efficiency and prevents legitimate parties with low memory resources from participating in the scheme. Second, the difficulty level cannot be adjusted flexibly,
since it is constrained by the requirement of fine-tuning several parameters depending on the system's cache and memory configurations.
5.2.3 Paern Database. Doshi et al. [
41
] noticed that the memory accesses described in prior
memory-bound puzzle schemes are not associated with a known problem, hence lack the algorithmic
foundation that allows exible tuning of diculty parameters. ey where the rst to propose
deriving memory-bound puzzles from heuristic search methods.
e proposed construction scheme is based on a heuristic search technique using paern
databases for the Sliding Tile problem [
84
]. e Sliding Tile problem requires nding a path
(using only the following moves: le, right, up, down) to slide the tiles on a grid from the initial
state to the target state.
Solving the problem can be done eciently using existing computational algorithms, such as the
A* algorithm together with the Manhaan Distance heuristic. However, using a memory-based
heuristic is more ecient, where the precise distance from the initial state to the abstract target
state is computed and stored in a look-up table called paern database.
Given a pool of target states ($G_0 \ldots G_n$), the prover precomputes the pattern database that corresponds to these states offline. The verifier constructs the puzzle by randomly choosing $f$ target states from the pool and performing $d$ random moves on each target $G_i$ in order to create $f$ initial states. The verifier then computes a message authentication code (MAC) over the performed moves and stores it in memory. The difficulty of the puzzle can be tuned by increasing or decreasing the number of target states $f$ and the number of moves $d$. The puzzle is given as the $f$ target states, the corresponding initial states, and checksums $C_j$, $1 \le j \le d$, where each checksum is computed over the $j$-th move of each state.
The prover then uses the computed pattern database to complete a guided search for every target state. All initial states are solved simultaneously, as the prover must first deduce the right set of moves for a given difficulty level $i$, $1 \le i \le d$, such that the checksum of the corresponding moves matches $C_i$. Since different states are stored in different parts of the memory, forcing the prover to search for multiple states simultaneously results in cache misses, hence ensuring main-memory access. Once all the target states are reached, the prover submits the $d$ moves performed on the $f$ initial states. The verifier then checks that the moves are correct by computing the MAC of these moves and comparing it to the stored one.
Although the scheme provides better flexibility in tuning the puzzle difficulty, it is inefficient in terms of both construction and communication costs. For each puzzle, the verifier is required to perform $d \cdot f$ moves and compute $d$ checksums, while communication involves transmitting two sets of states (both initial and target) along with $d$ checksums and a MAC.
5.2.4 Scrypt. In 2009, Percival [106] proposed Scrypt and introduced the concept of memory-hard functions, which require a significant amount of memory to evaluate and a large number of computations if less memory is used. Scrypt is a memory-hard key derivation function used for password hashing to increase the cost of brute-force dictionary attacks, whereby the attacker iterates through a number of likely passwords and applies the function to each password guess. The design goal of the scheme is to reduce the advantage gained by adversaries who use custom-designed parallel circuits, while maintaining a low per-evaluation cost for the honest user. This is achieved by requiring an amount of memory that is approximately proportional to the number of operational steps performed to evaluate the function.
The scheme consists of several memory-hard functions; we briefly describe the construction of ROMix, which constitutes the core of Scrypt. The basic idea of the algorithm, as described by Percival, is to sequentially compute a large number of random values and then access each value randomly, to ensure that they are all stored in RAM. Given a $k$-bit input value $B$, a chain of $N$ input values $(X_0, \ldots, X_{N-1})$ is computed as follows: $X_0 = B$ and $X_i = H(X_{i-1})$ for $i = 1, \ldots, N-1$, where $H$ is a hash function. A chain of $N$ output values $(V_0, \ldots, V_N)$ is then computed as follows: $V_0 = H(X_{N-1})$, $V_i = H(V_{i-1} \oplus X_{V_{i-1} \bmod N})$ for $i = 1, \ldots, N$, where $V_N$ is the final output of the function.
The default strategy for computing Scrypt is to sequentially compute each $X_i$ in the input chain and store it in memory, and then compute each $V_i$ of the output chain, fetching each $X_i$ from memory as needed in order to produce the final output $V_N$. Two recent works show that Scrypt provides almost optimal resistance against ASICs from both the area [3] and energy [115] aspects. However, this is only achieved if the memory requirement of the scheme is large enough, which consequently incurs high construction and verification costs.

Table 4. Summary of memory-bound schemes (✓ = property holds, ✗ = property does not hold).

| Category | Puzzle Scheme | Easy to construct | Memory-less verification | Granularity | Low cost variance | Non-parallelizable | Non-interactive | Publicly verifiable | State-less | Based on |
|---|---|---|---|---|---|---|---|---|---|---|
| Heuristic Search | Easy-to-compute functions [1] | ✓ | ✓ | polynomial | ✗ | partial | ✗ | ✗ | ✗ | Depth-first search |
| Heuristic Search | Pattern Database [41] | ✗ | ✓ | polynomial | ✗ | partial | ✗ | ✗ | ✓ | Sliding Tile Problem |
| Heuristic Search | Cuckoo Cycle [125] | ✓ | ✓ | exponential | ✗ | ✗ | ✓ | ✓ | ✓ | Graph Cycle Finding |
| Heuristic Search | Equihash [18] | ✓ | ✓ | exponential | ✗ | partial | ✓ | ✓ | ✓ | k-XOR Birthday Problem |
| Graph Pebbling | Compact-MBound [45] | ✗ | ✗ | exponential | ✗ | partial | ✓ | ✗ | ✗ | Graph Pebbling |
| Graph Pebbling | Litecoin (Scrypt) [76] | ✓ | ✓ | exponential | ✗ | ✓ | ✓ | ✓ | ✓ | Graph Pebbling Reduction |
| Graph Pebbling | MTP-Argon2d [17] | ✓ | ✓ | exponential | ✗ | partial | ✓ | ✓ | ✓ | Graph Pebbling Reduction |
| Graph Pebbling | Proof of space [46] | ✗ | ✓ | linear | ✗ | partial | ✗ | ✗ | ✗ | Graph Pebbling |
Scrypt is used as a pricing puzzle by several cryptocurrencies, including Litecoin and Dogecoin, where the amount of memory is reduced in order to provide faster verification. To append a block to the chain, the miner is required to find a nonce $n$ that, if hashed along with the block's header $B$ using Scrypt, produces a final output $V_N$ that is less than a specific target value $T$. The solution is given as $(B, n, V_N)$. Verification requires a single call to Scrypt and a single comparison operation to check the output value $V_N$ against the target value $T$. The memory hardness of Scrypt can be set by increasing or decreasing the CPU/memory cost parameter $N$, while the puzzle difficulty is adjusted by tuning the target value $T$.
Although a work gap between the two parties is maintained by having the prover perform multiple Scrypt calls to find the solution while only a single call is required for verification, the scheme is symmetric in terms of memory requirements. Furthermore, its adoption in the Litecoin cryptocurrency is not ASIC-resistant, since ASIC mining rigs are hundreds of times more efficient.
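ROMix as described above, written out as an added example (not Percival's code): $H$ is plain SHA-256 standing in for BlockMix, and the input $B$ is assumed to be a 32-byte hash of the block header and nonce. It also shows the memory-free recomputation strategy, which costs $O(N^2)$ hashes instead of $O(N)$, and a Litecoin-style nonce search against a target $T$.

```python
import hashlib
from typing import List, Optional, Tuple

# Added example of the ROMix construction in Section 5.2.4 (not Percival's code).
# Assumption: H is plain SHA-256 standing in for scrypt's BlockMix, so every
# X_i and V_i is a 32-byte value and B must be 32 bytes as well.


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def romix(B: bytes, N: int) -> bytes:
    """Default strategy: fill X_0..X_{N-1} sequentially and keep them in RAM,
    then perform N data-dependent reads V_i = H(V_{i-1} XOR X_{V_{i-1} mod N})."""
    X: List[bytes] = [B]                      # X_0 = B
    for _ in range(1, N):
        X.append(H(X[-1]))                    # X_i = H(X_{i-1})
    V = H(X[N - 1])                           # V_0
    for _ in range(N):
        j = int.from_bytes(V, "little") % N   # index depends on V_{i-1}: unpredictable
        V = H(xor(V, X[j]))
    return V                                  # V_N


def romix_low_memory(B: bytes, N: int) -> bytes:
    """Same output with O(1) memory: every X_j is recomputed from B on demand.
    Each read costs O(N) hashes, so the whole evaluation costs O(N^2) instead of
    O(N); this is the time/memory trade-off a memory-hard function imposes."""
    def X_at(j: int) -> bytes:
        x = B
        for _ in range(j):
            x = H(x)
        return x
    V = H(X_at(N - 1))
    for _ in range(N):
        j = int.from_bytes(V, "little") % N
        V = H(xor(V, X_at(j)))
    return V


def block_input(header: bytes, nonce: int) -> bytes:
    """B = H(header || nonce): a 32-byte input for ROMix (assumption, see above)."""
    return H(header + nonce.to_bytes(4, "little"))


def mine(header: bytes, target: int, N: int, max_nonce: int = 1 << 20) -> Optional[Tuple[int, bytes]]:
    """Litecoin-style pricing puzzle: find a nonce n with ROMix(B) < T (many calls)."""
    for n in range(max_nonce):
        out = romix(block_input(header, n), N)
        if int.from_bytes(out, "big") < target:
            return n, out
    return None


def verify(header: bytes, nonce: int, out: bytes, target: int, N: int) -> bool:
    """Verification: a single ROMix call plus one comparison against T."""
    return (romix(block_input(header, nonce), N) == out
            and int.from_bytes(out, "big") < target)
```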
5.2.5 Cuckoo Cycle. Tromp [125] proposed a memory-bound puzzle scheme based on finding constant-sized cyclic subgraphs in a pseudo-random graph. The design goal is to make mining cryptocurrencies on commodity hardware cost-effective by relying on memory latency instead of computation speed in the evaluation of the puzzle. The puzzle is constructed by generating a directed bipartite graph with $N$ vertices and $M$ edges from a given set of input nonces using
Cuckoo hashing [103]. The prover is required to find a set of $L$ nonces whose corresponding edges form an $L$-cycle in the graph and whose hash digest is less than a given target hash value $T$, where $0 \le T \le 2^{256}$. The memory hardness of the scheme is determined by the ratio $M/N$ and the cycle length $L$, while the difficulty of the puzzle is adjusted by tuning the target hash value $T$. The verification cost is linear in $L$ and independent of both $M$ and $N$.
5.2.6 Proof of Space. Dziembowski et al. [46] and Ateniese et al. [8] introduced the notion of proof of space (PoS) independently, each with a different definition and security guarantees. Generally, PoS is an interactive memory-hard puzzle scheme where the solution serves as a compact proof that the prover did possess and dedicate a significant amount of space. Unlike memory-bound schemes [1, 43, 125], PoS schemes rely on memory space instead of memory latency in the evaluation of the puzzle. Both PoS construction schemes are based on directed acyclic graphs (DAGs) that have high pebbling complexity and use a Merkle hash tree to enable efficient verification.
Given a challenge nonce $id$, the prover is required to build a graph $G = (V, E)$ of $N$ vertices and store the label of each vertex $v$, computed as $l_v = H_{id}(v, H_{id}(l_{p_1}, \ldots, l_{p_d}))$, where $H_{id}$ is a hash function that depends on the identifier $id$ and $l_{p_1}, \ldots, l_{p_d}$ are the labels of $v$'s predecessors (parents). The identifier is used to ensure that the same dedicated space cannot be leveraged for more than one proof. Once the labels are computed, the prover commits to these labels by constructing a Merkle hash tree $\tau = \tau_H(l_1, \ldots, l_N)$ and submitting the computed root of the tree, $\Phi$, to the verifier. At this point, the verifier checks the consistency (correctness) of the root $\Phi$ by asking the prover to open the labels of $c$ vertices and their predecessors. The opening of a label $l_{v_{c_i}}$ is the path from the root $\Phi$ to the leaf associated with vertex $v$ in the Merkle tree $\tau$. Given the labels of all the predecessors of vertex $v$, the verifier can check whether the label $l_{v_{c_i}}$ is correctly computed as described above. The solution is accepted only if all $c$ openings and labels are computed correctly. To label a vertex $v$ in graph $G$, the prover must compute and store in memory the label values of all the predecessors $l_{p_1}, \ldots, l_{p_d}$ of the vertex. The labeling of the graph presents a proof that the prover has handled at least $N$ space.
The definition of PoS introduced in [46] extends that of Ateniese et al. [8] by including an additional phase, called the execution phase, that allows the verifier to repeatedly challenge the prover and check whether it is still dedicating the specified amount of space. The purpose of the additional phase is to allow honest provers to respond to the repeated challenges by accessing the $N$ space produced in the initialization phase while using little computation, hence addressing the high energy consumption drawback of CPU-bound puzzles. This formulation of PoS is also referred to as proof of persistent space by Ren and Devadas [114].
Although these construction schemes provide strong security guarantees, by forcing a cheating prover to expend either $O(N)$ space or time in order to produce an acceptable proof, they are both based on superconcentrators, which are relatively slow [17].
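The commit-and-open flow described above, as an added example (not the code of [46] or [8]): labels are computed as $l_v = H_{id}(v, H_{id}(l_{p_1}, \ldots, l_{p_d}))$ over a small hypothetical DAG (vertex $v$ depends on $v-1$ and $\lfloor v/2 \rfloor$, an assumption chosen for brevity rather than for pebbling hardness), committed with a Merkle tree, and checked by the verifier by opening $c$ challenged vertices together with their parents.

```python
import hashlib
from typing import Dict, List, Tuple

# Added illustration of the PoS protocol flow in Section 5.2.6; not the code of
# [46] or [8]. The DAG below is a hypothetical one chosen for brevity; a real
# scheme uses a graph with high pebbling complexity (e.g. superconcentrators).


def parents(v: int) -> List[int]:
    """Hypothetical DAG: vertex v (0-based) depends on v-1 and v//2."""
    if v == 0:
        return []
    return sorted({v - 1, v // 2})


def H_id(identifier: bytes, *parts: bytes) -> bytes:
    """Identifier-bound hash, so dedicated space cannot be reused across proofs."""
    h = hashlib.sha256(identifier)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def label_graph(identifier: bytes, N: int) -> List[bytes]:
    """Prover: l_v = H_id(v, H_id(l_p1, ..., l_pd)); all N labels stay in memory."""
    labels: List[bytes] = []
    for v in range(N):
        inner = H_id(identifier, *[labels[p] for p in parents(v)])
        labels.append(H_id(identifier, v.to_bytes(4, "big"), inner))
    return labels


def merkle_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Merkle tree tau_H(l_1, ..., l_N), padded to a power of two; levels[0] = leaves."""
    level = list(leaves)
    while len(level) & (len(level) - 1):
        level.append(b"\x00" * 32)
    levels = [level]
    while len(level) > 1:
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_open(levels: List[List[bytes]], idx: int) -> List[Tuple[bytes, bool]]:
    """Authentication path from leaf idx to the root: (sibling, sibling_is_right)."""
    path = []
    for level in levels[:-1]:
        sib = idx ^ 1
        path.append((level[sib], sib > idx))
        idx //= 2
    return path


def merkle_check(root: bytes, leaf: bytes, path: List[Tuple[bytes, bool]]) -> bool:
    h = leaf
    for sib, sib_right in path:
        h = hashlib.sha256(h + sib if sib_right else sib + h).digest()
    return h == root


def prove(identifier: bytes, N: int, challenged: List[int]):
    """Prover: commit to the labels with root Phi, then open every challenged
    vertex and its parents. Returns (Phi, {vertex: (label, Merkle path)})."""
    labels = label_graph(identifier, N)
    levels = merkle_levels(labels)
    phi = levels[-1][0]
    openings: Dict[int, Tuple[bytes, list]] = {}
    for v in challenged:
        for u in [v] + parents(v):
            openings[u] = (labels[u], merkle_open(levels, u))
    return phi, openings


def verify(identifier: bytes, N: int, phi: bytes, challenged: List[int], openings) -> bool:
    """Verifier: every opening must authenticate against Phi, and every
    challenged label must recompute from its opened parent labels."""
    for u, (lab, path) in openings.items():
        if not (0 <= u < N) or not merkle_check(phi, lab, path):
            return False
    for v in challenged:
        if v not in openings or any(p not in openings for p in parents(v)):
            return False
        inner = H_id(identifier, *[openings[p][0] for p in parents(v)])
        if openings[v][0] != H_id(identifier, v.to_bytes(4, "big"), inner):
            return False
    return True
```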
5.2.7 Equihash. Biryukov and Khovratovich [18] observed that any determined NP-complete problem can be used to design a memory-bound puzzle with tunable parameters, where its memory hardness is determined by the time-memory tradeoffs of the best known algorithms. They proposed Equihash, a proof-of-work scheme based on the $k$-dimensional generalized birthday problem [130]. In the generalized birthday problem, there are $k$ sets of $n$-bit strings and the goal is to find $k$ strings that XOR to zero. In Equihash, the $k$ strings are generated randomly using the hash function $H$. The optimal solution algorithm for this problem has a time and space complexity of $O(2^{\frac{n}{k+1}})$ [130]; hence it is a memory-intensive algorithm. In addition, using $1/q$ less memory results in $O(q^{k/2})$ times more calls to the hash function, which limits the computation advantage of parallelization to
the amount of memory bandwidth available. The verification requires performing $2^k$ hashes and XORs.
5.2.8 MTP-Argon2d. Biryukov et al. [17] proposed a non-interactive memory-hard puzzle scheme, called Merkle Tree Proof (MTP), based on the memory-hard function Argon2d [16]. They describe different instantiation settings of the scheme to be applied in cryptocurrency, time-release cryptography and disk encryption. Similar to PoS schemes [8, 46], this scheme leverages a Merkle hash tree construction over an array of memory segments to allow fast and memory-less verification.
Given the challenge $I$, the prover constructs the puzzle by generating $M$ segments of memory $B[1], B[2], \ldots, B[M]$ using Argon2d from the given challenge. It then constructs a Merkle hash tree over the $M$ segments, committing to the segments' values. The root of the Merkle tree is denoted as $\Phi$. Each memory segment $B[j]$ is an output of Argon2d's compression function $F$, which processes the preceding segment $B[j-1]$ and $B[\phi(j)]$, where $\phi(j)$ is a data-dependent indexing function that produces a memory segment index in the range $[1 \ldots j)$.
The prover solves the puzzle by accessing $L$ memory segments of $B[1], B[2], \ldots, B[M]$ pseudorandomly, in the sequence $B[j_1], B[j_2], \ldots, B[j_{L-1}], B[j_L]$, to find a nonce $N$ that, if hashed with the root $\Phi$ and the segments $B[j_i]$, produces a hash output $Y_L$ with $d$ trailing zeros (where $j_i$ is determined from the nonce $N$, the root $\Phi$, and the values of the preceding segments in the sequence). The solution is given as $(\Phi, N, \mathcal{L})$, where $\mathcal{L}$ is the opening of the $2L$ memory segments $B[j_i - 1], B[\phi(j_i)]$. The verifier then validates the openings $\mathcal{L}$ and regenerates all $B[j_i] = F(B[j_i - 1], B[\phi(j_i)])$ to verify that $Y_L$ has $d$ trailing zeros. The memory hardness of the scheme is highly dependent on the hardness of Argon2d and can be adjusted by tuning its parameters. The difficulty of the puzzle is tuned by increasing or decreasing the number of trailing zeros $d$.
5.3 Bandwidth and Network Bound Schemes
Walsh et al. [
131
] were the rst to suggest using bandwidth as a currency to pay for a service in
order to mitigate DoS aacks. ey did not propose a puzzle scheme, but introduced the idea of
using bandwidth resources to weaken powerful aackers with higher CPU and memory resources
than legitimate clients. e proposed system, called Speak-up, crowds out aackers by encouraging
clients to send higher volumes of trac for their legitimate requests to be served rst. e authors
assume that aackers are already dedicating the highest amount of upload bandwidth resources to
perform the DoS aack which prevents them from reacting to the encouragement.
In what follows, we describe the dierent puzzle construction schemes found in the literature
that rely either on bandwidth resources or network latency in the evaluation of the puzzle.
5.3.1 Guided Tour Puzzles. Abliz and Znati [2] introduced the idea of network-bound puzzles to overcome the shortcomings of previous client puzzle schemes, which include parallelizability and computational disparities among clients. Their scheme requires the client to collect tokens from tour guides (a pre-specified set of nodes) in order to be able to solve the puzzle and have its request processed by the service provider. The tour guides are used to introduce a delay between client requests. The authors suggest network latency as a solution to eliminate the disparity in the amount of resources between a powerful adversary and a legitimate client. Non-parallelizability is achieved by the random selection of the next tour guide to be visited at each tour guide stop (hence the name guided tour) and by requiring the client to submit the hash values from the previous tour guides at each stop. The difficulty is tuned by increasing or decreasing the tour length (number of tour guides) by one, which provides linear puzzle granularity.
5.3.2 Bandwidth Puzzles. Reiter et al. [112] proposed a bandwidth-bound puzzle scheme to validate that a peer did actually expend a certain amount of communication resources and relayed
data to peers in a P2P content-distribution system. The main goal is to prevent colluding attackers from earning rewards by claiming that they have exchanged data with each other without actually transferring any data. If a file-sharing P2P network does not implement a robust incentive mechanism, some peers could trick the system by claiming to have transferred a certain amount of files to other peers without having done so, causing the entire system to fail [141]. For example, if Alice and Bob are friends, Alice may claim to have transferred a certain amount of data to Bob. When the P2P system asks Bob about this transaction, Bob will confirm that he has received the data, because he is Alice's friend. In this way, Alice will get improper credits.
In the proposed scheme, the P2P network includes a central credit management entity, the verifier. When the verifier suspects collusion between two or more clients, he simultaneously sends a puzzle to the suspected peers, who then become the provers of the bandwidth puzzle scheme. The puzzle must have at least two main properties: (i) the solution stage must take time; and (ii) the puzzle can only be solved if the prover owns the file in question. When the verifier suspects collusion between Alice and Bob, he simultaneously sends two different puzzles, one to Alice and one to Bob, asking for the solution within a certain time threshold. If Alice has not shared the file with Bob, Alice can solve her puzzle and send the solution to the verifier within the threshold, while Bob cannot do the same, since he does not have the file. At this point, Bob could send his puzzle to Alice, asking her to solve it. Although Alice is able to solve Bob's puzzle, she is unable to solve two puzzles within the threshold. For this reason, at least one of Alice and Bob will fail to reply to the verifier with the correct solution, revealing the collusion.
Their puzzle scheme can be considered related to proof of data possession mechanisms, as the solution depends on the possession of the content. Finding the solution is relatively easy for provers who possess the content, and more difficult for those who do not. Each puzzle is composed of a hash function and a collection of index-sets, where each set contains $k$ random content indices. The verifier constructs a puzzle by hashing the content bits indexed by a pseudorandomly selected index-set, concatenated in a certain order. Finding the solution of the puzzle requires determining which of the index-sets is the pre-image of the hash. The puzzles are issued simultaneously to a group of provers and must be solved within a specific time. This prevents a content-holder from colluding with others by solving their puzzles, since he can only solve one puzzle at a time. In a follow-up work, Zhang [141] studied the effectiveness of the proposed scheme [112] and provided a lower bound on the number of content bits attackers should possess to be able to defeat the scheme with a definite probability. This lower bound could be used to properly set the puzzle's parameters in real-world systems to improve the overall security.
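The index-set construction described above, as an added example (not the code of [112]): index-sets are derived pseudorandomly from a public seed, the verifier publishes the hash of the content bytes selected by one secret index-set, and a prover must hold the content to identify that set; indices select bytes rather than bits here, an assumption made for brevity.

```python
import hashlib
import secrets
from typing import List, Tuple

# Added illustration of the bandwidth-puzzle construction in Section 5.3.2;
# not the code of [112]. Assumptions: index-sets address content bytes rather
# than bits, and the collection of index-sets is derived from a public seed so
# that verifier and prover can both enumerate it.


def derive_index_sets(seed: bytes, content_len: int, num_sets: int, k: int) -> List[List[int]]:
    """Pseudorandomly derive num_sets index-sets of k content positions each."""
    sets = []
    for s in range(num_sets):
        idxs = []
        ctr = 0
        while len(idxs) < k:
            d = hashlib.sha256(seed + s.to_bytes(2, "big") + ctr.to_bytes(2, "big")).digest()
            idxs.append(int.from_bytes(d[:4], "big") % content_len)
            ctr += 1
        sets.append(idxs)
    return sets


def hash_indexed(content: bytes, idxs: List[int]) -> bytes:
    """Hash the content bytes selected by an index-set, concatenated in the set's order."""
    return hashlib.sha256(bytes(content[i] for i in idxs)).digest()


def make_puzzle(content: bytes, num_sets: int = 64, k: int = 16) -> Tuple[bytes, int, bytes]:
    """Verifier: choose a fresh seed and a secret index-set; the puzzle sent to the
    prover is (seed, num_sets, k, target hash). Returns (seed, secret, target)."""
    seed = secrets.token_bytes(16)
    sets = derive_index_sets(seed, len(content), num_sets, k)
    secret = secrets.randbelow(num_sets)
    return seed, secret, hash_indexed(content, sets[secret])


def solve(content: bytes, seed: bytes, num_sets: int, k: int, target: bytes) -> int:
    """Prover: try every index-set against the content it holds until the hash
    matches; without the real content no candidate matches and -1 is returned."""
    sets = derive_index_sets(seed, len(content), num_sets, k)
    for s, idxs in enumerate(sets):
        if hash_indexed(content, idxs) == target:
            return s
    return -1
```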
6 FURTHER DEVELOPMENTS
Aer discussing the main approaches used in designing the dierent types of puzzles, it is possible
to draw a high-level view of the state-of-the-art in this eld. e limitations highlighted in
Section 5 could be used to identify future developments, driven by the need to improve the
performance/eectiveness of the puzzles. Moreover, brand-new properties required by the adoption
of new technologies could also lead to further advancement in puzzle construction schemes.
6.1 Edge/Fog Architecture
The microservice architecture, enabled by several virtualization techniques such as containers and unikernels, is increasingly used in the cloud environment, as well as in the edge/fog architecture [32]. In this context, bandwidth/network-bound puzzle schemes could be very important to mitigate one of the major security concerns, the DDoS attack problem, which aims to destroy the availability of services. Unfortunately, the existing schemes described in Section 5.3 are not feasible for this specific
scenario, due to the high workload required at the server side to generate the puzzle. For this reason, further research efforts are required to design more efficient schemes with low construction and verification costs, suitable for this kind of scenario. Moreover, bandwidth/network-bound puzzle schemes are normally applied too high in the TCP/IP protocol stack (i.e. at the application layer), leaving the underlying layers exposed to DDoS attacks. By moving the application of the puzzles to the lower layers, it may be possible to block DDoS attacks earlier, also protecting the upper layers.
6.2 Resource-Constrained Devices
The massive adoption of IoT networks has significantly changed the architecture of end-user applications, which are designed to minimize latency in client-server communications and to work on devices with limited resources. Many research efforts have been made to ensure the portability of existing puzzle technologies to this new architecture, but some use cases, such as blockchain-based applications, still require several advancements. The high amount of electricity required to solve some CPU-bound puzzles used in different cryptocurrency schemes has triggered a heavy debate [38] that highlighted the weaknesses of this type of puzzle. Consequently, several new memory-bound schemes have been proposed and used as proof-of-work in some cryptocurrencies [59], to overcome these issues. One of the most successful proposals in this context is CryptoNote [127], a memory-bound scheme designed to ensure the fairness property of the puzzle. This scheme has been used as a proof of work in several cryptocurrencies, in an attempt to make CPU-based mining equally efficient compared to GPU-based mining, limiting the advantages of using ASIC^6 hardware for crypto-mining activities. However, the CryptoNote scheme has not been sufficiently discussed in the literature. For this reason, given the increasing attention it is receiving, important research efforts are needed to verify the soundness of the mathematical properties underlying this scheme, as well as its resistance against memory-circumvention attacks. Moreover, some of its properties make the cryptocurrencies based on this scheme appealing to malicious actors, because resource-constrained devices can also be used for mining activities [75]. Consequently, the need arises to modify the characteristics of the puzzles in order to prevent illegal behavior, as well as to develop valid countermeasures, opening new interesting research perspectives.
6.3 Anonymous Networks
Anonymous communications have been introduced to increase users' privacy within the shared public network environment. Their aim is to provide anonymity between users, apart from content privacy and integrity, which are ensured by other technologies [113]. Examples of anonymous networks are Virtual Private Networks (VPNs), onion routing, web MIXes, peer-to-peer anonymous communication systems, and possibly others. These systems, apart from other attacks that compromise anonymity, are vulnerable to DDoS attacks that aim to disrupt the service.
Acronym of The Onion Router, the Tor network [40] not only allows users to be anonymous to the website, but also the website to be anonymous to the users. This requires the establishment of a circuit that makes use of different layers of encryption. Beyond the privacy problems to which users can still be exposed [71, 121], the Tor network can be subjected to different denial of service attacks. An example of this type of attack was discussed in [14], which proposes CellFlood, a denial of service attack targeting Tor routers that impairs the router's ability to create new circuits. The same authors, in the same paper, have shown how a puzzle can be used even in this context, since puzzles allow Tor routers under attack to slow down the attacking hosts, thereby preserving their ability to serve legitimate client requests. However, the authors used a CPU-bound puzzle that does not meet the key requirements of peer-to-peer network puzzles discussed in Section 4.1.4, most of which are also valid for the Tor network. In this context, further research efforts are needed to design new puzzle schemes feasible for the anonymous network environment. Bandwidth/network-bound puzzle schemes could be considered in this scenario, with the aim of improving the efficiency and fairness of the overall architecture.

Footnote 6: Application Specific Integrated Circuits: hardware systems specifically designed for crypto-mining activities.

, Vol. 1, No. 1, Article 1. Publication date: Unpublished.
Foundations, Properties, and Security Applications of Puzzles: A Survey 1:33
6.4 New Generation of Mobile Networks
The advent of new generation wireless systems (such as 5G and, in perspective, 6G) is radically reshaping the business opportunities of mobile network operators. With the enhancement of several network capabilities, including bandwidth, latency, and data rate, 5G technology allows the implementation of several use cases not viable with previous mobile communication technologies. Indeed, in addition to providing voice and data connectivity services, 5G supports new applications such as vehicle-to-vehicle communication, industrial automation, smart cities, and health applications, to cite a few. The introduction of these new applications has led to a new call for evaluating the security of the technologies, architectures, and scenarios involved in this new mobile communication landscape [15]. Although the major threats are mostly the same as in current and previous communication technologies (jamming, DDoS, MITM, eavesdropping, etc.), the 5G environment demands the study of new requirements for the development of effective countermeasures. In such a scenario, puzzles could play a key role in bringing features already consolidated in previous technologies to the new security mechanisms developed for the 5G architecture.
The performance that 5G can guarantee enables the ultra-reliable, ultra-low latency services required by Vehicular Ad-hoc Networks (VANETs) to implement road safety, intelligent traffic management, information dissemination among vehicles, automatic driving, etc. For the security of these services, however, the reliability and authenticity of the information exchanged between vehicles, as well as between vehicles and the road infrastructure, become crucial. For this reason, several authentication schemes have been proposed to protect communications within VANETs. Regardless of their implementation details, the proposed protocols suffer from DoS attacks that, in the low-latency, high-bandwidth 5G architecture, can be easily performed: an attacker can flood a verifier with authentication requests faster than the verifier can check them. To mitigate this problem, a puzzle-based co-authentication scheme has been presented in [82]. The main goal of this proposal is to keep the number of authentication requests that a vehicle can generate in a given time interval less than or equal to the number of requests that a legitimate vehicle can verify in the same amount of time. The authors modeled their puzzle as a variant of the Hashcash [10] scheme, carefully adjusting the difficulty level to achieve the aforementioned condition. Although promising, this solution has several limitations. First, the proposed countermeasure is effective only under the assumption that the attacker has the same computational power as the legitimate vehicles: since the expected solving time of a Hashcash-style puzzle scales inversely with the solver's hash rate, an attacker equipped with more powerful hardware can solve the puzzles proportionally faster, exceed the verifier's capacity, and bypass the countermeasure.
The use of a CPU-bound scheme in 5G networks could also lead to other problems. The energy consumption needed to compute the solution, for example, could be a serious disadvantage, especially for the resource-constrained devices typically used in mobile networks. Besides, bandwidth-bound puzzles may also be ineffective in this new network architecture, because of the increase in bandwidth available to individual devices in the 5G environment. Further research efforts are needed to identify all these limitations and collect new specifications to design a new generation of puzzle schemes tailored to the peculiarities of the 5G network architecture. Furthermore, while the deployment of 5G is at its beginning, the scientific community has already begun the design of the next generation of mobile networks: 6G. This technology, although still in its design stage, is expected to merge the physical and the digital world by providing full support to a large variety of sensors, thus enabling many new use cases [67]. In this context, the security risks will grow as threats cross from the digital to the physical world, magnifying the consequences of successful attacks. This scenario increases the need to develop effective defenses and, as already mentioned, puzzles could be very useful to this end.
6.5 Quantum and Post-quantum Era
Classical computers perform logical operations and store data relying on the definite state of individual bits, represented as the binary values 0 and 1. Quantum computing, instead, makes use of quantum mechanical phenomena to manipulate and store data, acquiring the potential to solve certain problems exponentially faster than classical computers. The potential danger posed to IT security by quantum computing was first established in 1994 by the US mathematician and computer scientist Peter Shor, who published a quantum algorithm [119] able, in theory, to break in polynomial time some of the most widely used public-key encryption techniques previously assumed secure.
The vast majority of puzzles are resistant to the threat introduced by this technology. In fact, quantum computing only increases the computational power of an attacker, with no effect on puzzles bound to resources other than the CPU, such as memory or network bandwidth. The only category of puzzle that could be exposed to this threat is, therefore, that of CPU-bound schemes. However, not all CPU-bound puzzles will be compromised by quantum computing. Indeed, several works showed that quantum computers can solve problems unfeasible for classical computers only when an algorithm exists that exploits quantum parallelism for that specific problem; for example, [88] notes that a quantum computer is not faster than a classical one at multiplication. Quantum computers could efficiently solve some problems underlying asymmetric cryptography, such as the factorization of large integers and the discrete logarithm problem, while they are far less effective at computing the pre-image of a hash function or at generating a collision: Grover's algorithm yields at most a quadratic speedup for unstructured search, so a pre-image search that costs about 2^n hash evaluations classically costs on the order of 2^(n/2) quantum evaluations, and a puzzle calibrated for 2^d classical evaluations should be expected to require about 2^(d/2) of them. Consequently, hash-based puzzles can be safely used in the post-quantum era as long as they use a hash function with an adequate output length, such as SHA-2 and SHA-3 [88], and their difficulty accounts for this speedup. Further research efforts are needed to evaluate the security of non-hash-based puzzles in the quantum world and, if necessary, to make them resistant to quantum computation. The first effort in this direction has been made by Brassard et al. in [26, 27], where the authors provide a quantum-resistant key establishment scheme based on Merkle puzzles. From the research perspective, the field is still an open and exciting one.
6.6 Location-Based Services
The new generation of mobile networks, together with the mobile device market, is also pushing the spread of a new category of services, called Location-Based Services (LBSs). LBSs provide users with accurate and targeted information based on their geographic location, enabling a wide range of use cases, especially in VANETs. In this context, validating the real position of a client requesting access to an LBS becomes of primary importance to ensure the security and stability of the entire system. Several mechanisms, called proofs-of-location, have been proposed to solve this problem. A proof-of-location aims to certify the presence of a device at specific geographic coordinates at a particular instant in time. Puzzles could be used in this context to allow a prover to demonstrate its geographic location to a verifier. Researchers have started studying this scenario in [6, 25], proposing a blockchain-based proof-of-location mechanism to ensure location trustworthiness without compromising user privacy.
7 CONCLUSION
In this paper, we have provided an extensive introduction to the concept of 'puzzle' and presented the evolution of this notion. We have studied the various types of puzzles from different perspectives and classified them based on the way they are applied, how the solution is used, and the resources that bound their solving time. Based on our extensive review of the applications of puzzles, we have identified the key requirements that must be satisfied for a puzzle to be applied in a particular field. We have also investigated the influence and impact of puzzles, and carved out the elements that hinder their effectiveness in each of the addressed fields. Moreover, we have provided a thorough review of the different types of construction schemes, including CPU-bound, memory-bound, memory-hard, and bandwidth-bound schemes. For each type, we examined the different approaches and techniques used in designing the puzzle and highlighted their distinctive characteristics. We have also identified the limitations and benefits of each technique. Further, we have provided a few research directions that may lead to new insights in the field of puzzles. Finally, this survey, besides being of interest in its own right, can also be used as a guideline for designing effective puzzles for a wide range of applications.
ACKNOWLEDGMENTS
The authors would like to thank the anonymous reviewers for their comments and suggestions, which helped improve the quality of the manuscript.
This publication was partially supported by awards NPRP 11S-0109-180242, UREP 23-065-1-014, and NPRP X-063-1-014 from the QNRF-Qatar National Research Fund, a member of The Qatar Foundation. The information and views set out in this publication are those of the authors and do not necessarily reflect the official opinion of the QNRF.
REFERENCES
[1] Martin Abadi, Mike Burrows, Mark Manasse, and Ted Wobber. 2005. Moderately hard, memory-bound functions. ACM Transactions on Internet Technology (TOIT) 5, 2 (2005), 299–327.
[2] Mehmud Abliz and Taieb Znati. 2009. A guided tour puzzle for denial of service prevention. In Computer Security Applications Conference, 2009. ACSAC'09. Annual. IEEE, 279–288.
[3] Joël Alwen, Binyi Chen, Krzysztof Pietrzak, Leonid Reyzin, and Stefano Tessaro. 2017. Scrypt is maximally memory-hard. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 33–62.
[4] Joël Alwen and Björn Tackmann. 2017. Moderately hard functions: Definition, instantiations, and applications. In Theory of Cryptography Conference. Springer, 493–526.
[5] Ghous Amjad, Muhammad Shujaat Mirza, and Christina Pöpper. 2018. Forgetting with Puzzles: Using Cryptographic Puzzles to support Digital Forgetting. In Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. ACM, 342–353.
[6] M. Amoretti, G. Brambilla, F. Medioli, and F. Zanichelli. 2018. Blockchain-Based Proof of Location. In 2018 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C). 146–153. https://doi.org/10.1109/QRS-C.2018.00038
[7] James Aspnes, Collin Jackson, and Arvind Krishnamurthy. 2005. Exposing computationally-challenged Byzantine impostors. Technical Report YALEU/DCS/TR-1332, Yale University Department of Computer Science.
[8] Giuseppe Ateniese, Ilario Bonacina, Antonio Faonio, and Nicola Galesi. 2014. Proofs of space: When space is of the essence. In International Conference on Security and Cryptography for Networks. Springer, 538–557.
[9] Tuomas Aura, Pekka Nikander, and Jussipekka Leiwo. 2000. DOS-resistant authentication with client puzzles. In International Workshop on Security Protocols. Springer, 170–177.
[10] Adam Back et al. 2002. Hashcash - a denial of service counter-measure.
[11] Henry S Baird, Allison L Coates, and Richard J Fateman. 2003. Pessimalprint: a reverse Turing test. International Journal on Document Analysis and Recognition 5, 2-3 (2003), 158–163.
[12] Marshall Ball, Alon Rosen, Manuel Sabin, and Prashant Nalini Vasudevan. 2018. Proofs of Work From Worst-Case Assumptions. In Annual International Cryptology Conference. Springer, 789–819.
[13] Boaz Barak and Mohammad Mahmoody-Ghidary. 2009. Merkle puzzles are optimal—an O(n^2)-query attack on any key exchange from a random oracle. In Advances in Cryptology – CRYPTO 2009. Springer, 374–390.
[14] Marco Valerio Barbera, Vasileios P Kemerlis, Vasilis Pappas, and Angelos D Keromytis. 2013. CellFlood: Attacking Tor onion routers on the cheap. In European Symposium on Research in Computer Security. Springer, 664–681.
[15] S. P. Bendale and J. Rajesh Prasad. 2018. Security Threats and Challenges in Future Mobile Wireless Networks. In 2018 IEEE Global Conference on Wireless Computing and Networking (GCWCN). 146–150. https://doi.org/10.1109/GCWCN.2018.8668635
[16] Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich. 2016. Argon2: new generation of memory-hard functions for password hashing and other applications. In Security and Privacy (EuroS&P), 2016 IEEE European Symposium on. IEEE, 292–302.
[17] Alex Biryukov and Dmitry Khovratovich. 2016. Egalitarian Computing. In USENIX Security Symposium. 315–326.
[18] Alex Biryukov and Dmitry Khovratovich. 2017. Equihash: Asymmetric proof-of-work based on the generalized birthday problem. Ledger 2 (2017), 1–30.
[19] Jeremiah Blocki and Hong-Sheng Zhou. 2016. Designing proof of human-work puzzles for cryptocurrency and beyond. In Theory of Cryptography Conference. Springer, 517–546.
[20] M Blum, LA Von Ahn, J Langford, and N Hopper. 2000. The CAPTCHA project (completely automatic public Turing test to tell computers and humans apart). School of Computer Science, Carnegie-Mellon University, http://www.captcha.net (2000).
[21] Carlo Blundo and Stelvio Cimato. 2004. A software infrastructure for authenticated web metering. Computer 37, 4 (2004), 28–33.
[22] Dan Boneh, Joseph Bonneau, Benedikt Bünz, and Ben Fisch. 2018. Verifiable delay functions. In Annual International Cryptology Conference. Springer, 757–788.
[23] Joseph Bonneau, Andrew Miller, Jeremy Clark, Arvind Narayanan, Joshua A Kroll, and Edward W Felten. 2015. SoK: Research perspectives and challenges for Bitcoin and cryptocurrencies. In Security and Privacy (SP), 2015 IEEE Symposium on. IEEE, 104–121.
[24] Nikita Borisov. 2006. Computational Puzzles as Sybil Defenses. In Proceedings of the Sixth IEEE International Conference on Peer-to-Peer Computing. IEEE Computer Society, 171–176.
[25] Giacomo Brambilla, Michele Amoretti, and Francesco Zanichelli. 2016. Using blockchain for peer-to-peer proof-of-location. arXiv preprint arXiv:1607.00174 (2016).
[26] Gilles Brassard, Peter Høyer, Kassem Kalach, Marc Kaplan, Sophie Laplante, and Louis Salvail. 2011. Merkle Puzzles in a Quantum World. In Advances in Cryptology – CRYPTO 2011, Phillip Rogaway (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 391–410.
[27] G. Brassard and L. Salvail. 2008. Quantum Merkle Puzzles. In Second International Conference on Quantum, Nano and Micro Technologies (ICQNM 2008). 76–79. https://doi.org/10.1109/ICQNM.2008.16
[28] Elie Bursztein, Jonathan Aigrain, Angelika Moscicki, and John C Mitchell. 2014. The End is Nigh: Generic Solving of Text-based CAPTCHAs. In 8th USENIX Workshop on Offensive Technologies (WOOT 14). USENIX.
[29] Elie Bursztein, Steven Bethard, Celine Fabry, John C Mitchell, and Dan Jurafsky. 2010. How good are humans at solving CAPTCHAs? A large scale evaluation. In Security and Privacy (SP), 2010 IEEE Symposium on. IEEE, 399–413.
[30] J-Y Cai, Richard J Lipton, Robert Sedgewick, and AC-C Yao. 1993. Towards uncheatable benchmarks. In Structure in Complexity Theory Conference, 1993., Proceedings of the Eighth Annual. IEEE, 2–11.
[31] Jin-Yi Cai, Ajay Nerurkar, and Min-You Wu. 1998. Making benchmarks uncheatable. In Computer Performance and Dependability Symposium, 1998. IPDS'98. Proceedings. IEEE International. IEEE, 216–226.
[32] M. Caprolu, R. Di Pietro, F. Lombardi, and S. Raponi. 2019. Edge Computing Perspectives: Architectures, Technologies, and Open Security Issues. In 2019 IEEE International Conference on Edge Computing (EDGE). 116–123. https://doi.org/10.1109/EDGE.2019.00035
[33] Liqun Chen and Wenbo Mao. 2001. An auditable metering scheme for web advertisement applications. In International Conference on Information Security. Springer, 475–485.
[34] Liqun Chen, Paul Morrissey, Nigel P Smart, and Bogdan Warinschi. 2009. Security notions and generic constructions for client puzzles. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 505–523.
[35] Bram Cohen and Krzysztof Pietrzak. 2018. Simple proofs of sequential work. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 451–467.
[36] W Dai. 1998. B-money proposal.
[37] Dancho Danchev. 2008. Inside India's CAPTCHA solving economy. (2008). https://www.zdnet.com/article/inside-indias-captcha-solving-economy/
[38] Alex de Vries. 2018. Bitcoin's Growing Energy Problem. Joule 2, 5 (2018), 801–805. https://doi.org/10.1016/j.joule.2018.04.016
[39] Drew Dean and Adam Stubblefield. 2001. Using Client Puzzles to Protect TLS. In USENIX Security Symposium, Vol. 42.
[40] Roger Dingledine, Nick Mathewson, and Paul Syverson. 2004. Tor: The second-generation onion router. Technical Report. Naval Research Lab Washington DC.
[41] Sujata Doshi, Fabian Monrose, and Aviel D Rubin. 2006. Efficient memory bound puzzles using pattern databases. In International Conference on Applied Cryptography and Network Security. Springer, 98–113.
[42] John R Douceur. 2002. The Sybil attack. In International Workshop on Peer-to-Peer Systems. Springer, 251–260.
[43] Cynthia Dwork, Andrew Goldberg, and Moni Naor. 2003. On memory-bound functions for fighting spam. In Annual International Cryptology Conference. Springer, 426–444.
[44] Cynthia Dwork and Moni Naor. 1992. Pricing via processing or combatting junk mail. In Annual International Cryptology Conference. Springer, 139–147.
[45] Cynthia Dwork, Moni Naor, and Hoeteck Wee. 2005. Pebbling and proofs of work. In Annual International Cryptology Conference. Springer, 37–54.
[46] Stefan Dziembowski, Sebastian Faust, Vladimir Kolmogorov, and Krzysztof Pietrzak. 2015. Proofs of space. In Annual Cryptology Conference. Springer, 585–605.
[47] Ittay Eyal and Emin Gün Sirer. 2018. Majority is not enough: Bitcoin mining is vulnerable. Commun. ACM 61, 7 (2018), 95–102.
[48] P. Fairley. 2017. Blockchain world - Feeding the blockchain beast: if Bitcoin ever does go mainstream, the electricity needed to sustain it will be enormous. IEEE Spectrum 54, 10 (October 2017), 36–59. https://doi.org/10.1109/MSPEC.2017.8048837
[49] Wu-chang Feng. 2003. The case for TCP/IP puzzles. In ACM SIGCOMM Computer Communication Review, Vol. 33. ACM, 322–327.
[50] Wu-chi Feng, E Kaiser, and Antoine Luu. 2005. Design and implementation of network puzzles. In INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE, Vol. 4. IEEE, 2372–2382.
[51] Matthew K Franklin and Dahlia Malkhi. 1997. Auditable metering with lightweight security. In International Conference on Financial Cryptography. Springer, 151–160.
[52] Song Gao, Manar Mohamed, Nitesh Saxena, and Chengcui Zhang. 2015. Emerging image game CAPTCHAs for resisting automated and human-solver relay attacks. In Proceedings of the 31st Annual Computer Security Applications Conference. ACM, 11–20.
[53] Yi Gao. 2005. Efficient trapdoor-based client puzzle system against DoS attacks. (2005).
[54] Juan Garay, Aggelos Kiayias, and Nikos Leonardos. 2015. The Bitcoin backbone protocol: Analysis and applications. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 281–310.
[55] Juan A Garay, Aggelos Kiayias, and Giorgos Panagiotakos. 2017. Proofs of work for blockchain protocols. Technical Report. Cryptology ePrint Archive, Report 2017/775.
[56] Virgil D Gligor. 2003. Guaranteeing access in spite of distributed service-flooding attacks. In International Workshop on Security Protocols. Springer, 80–96.
[57] Gaurav Goswami, Brian M Powell, Mayank Vatsa, Richa Singh, and Afzel Noore. 2014. FaceDCAPTCHA: Face detection based color image CAPTCHA. Future Generation Computer Systems 31 (2014), 59–68.
[58] Bogdan Groza and Dorina Petrica. 2006. On chained cryptographic puzzles. In 3rd Romanian-Hungarian Joint Symposium on Applied Computational Intelligence (SACI), Timisoara, Romania. Citeseer, 25–26.
[59] R. Han, N. Foutris, and C. Kotselidis. 2019. Demystifying Crypto-Mining: Analysis and Optimizations of Memory-Hard PoW Algorithms. In 2019 IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS). 22–33. https://doi.org/10.1109/ISPASS.2019.00011
[60] José María Gómez Hidalgo and Gonzalo Alvarez. 2011. CAPTCHAs: An artificial intelligence application to web security. In Advances in Computers. Vol. 83. Elsevier, 109–181.
[61] Dennis Hofheinz, Tibor Jager, Dakshita Khurana, Amit Sahai, Brent Waters, and Mark Zhandry. 2016. How to generate and use universal samplers. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 715–744.
[62] Kuo-Feng Hwang, Cian-Cih Huang, and Geeng-Neng You. 2012. A Spelling Based CAPTCHA System by Using Click. In Proceedings of the 2012 International Symposium on Biometrics and Security Technologies. IEEE Computer Society, 1–8.
[63] Markus Jakobsson and Ari Juels. 1999. Proofs of work and bread pudding protocols. In Secure Information Networks. Springer, 258–272.
[64] Yves Igor Jerschow and Martin Mauve. 2010. Offline submission with RSA time-lock puzzles. In 2010 10th IEEE International Conference on Computer and Information Technology (CIT 2010). IEEE, 1058–1064.
[65] Ari Juels and John G Brainard. 1999. Client puzzles: A cryptographic countermeasure against connection depletion attacks. In NDSS, Vol. 99. 151–165.
[66] Ed Kaiser and Wu-chang Feng. 2008. mod_kapow: Protecting the web with transparent proof-of-work. In INFOCOM Workshops 2008, IEEE. IEEE, 1–6.
[67] Raimo Kantola. 2019. 6G Network Needs to Support Embedded Trust. In Proceedings of the 14th International Conference on Availability, Reliability and Security (ARES '19). Association for Computing Machinery, New York, NY, USA, Article 104, 5 pages. https://doi.org/10.1145/3339252.3341498
[68] Ghassan O Karame and Srdjan Čapkun. 2010. Low-cost client puzzles based on modular exponentiation. In European Symposium on Research in Computer Security. Springer, 679–697.
[69] Jonathan Katz, Andrew Miller, and Elaine Shi. 2014. Pseudonymous secure computation from time-lock puzzles. (2014).
[70] Rohit Ashok Khot and Kannan Srinathan. 2009. iCAPTCHA: Image tagging for free. In Proc. Conference on Usable Software and Interface Design, Vol. 2. 26.
[71] Massimo La Morgia, Alessandro Mei, Simone Raponi, and Julinda Stefa. 2018. Time-Zone Geolocation of Crowds in the Dark Web. In 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS). IEEE, 445–455.
[72] Leslie Lamport. 1981. Password authentication with insecure communication. Commun. ACM 24, 11 (1981), 770–772.
[73] Ben Laurie and Richard Clayton. 2004. Proof-of-work proves not to work; version 0.2. In Workshop on Economics and Information Security.
[74] Jonathan Lazar, Jinjuan Feng, Tim Brooks, Genna Melamed, Brian Wentz, Jon Holman, Abiodun Olalere, and Nnanna Ekedebe. 2012. The SoundsRight CAPTCHA: an improved approach to audio human interaction proofs for blind users. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2267–2276.
[75] E. Le Jamtel. 2018. Swimming in the Monero pools. In 2018 11th International Conference on IT Security Incident Management & IT Forensics (IMF). 110–114. https://doi.org/10.1109/IMF.2018.00016
[76] Charles Lee. 2011. Litecoin - open source p2p digital currency. https://litecoin.org/.
[77] Arjen Klaas Lenstra, Hendrik Willem Lenstra, and László Lovász. 1982. Factoring polynomials with rational coefficients. Math. Ann. 261, 4 (1982), 515–534.
[78] Frank Li, Prateek Mittal, Matthew Caesar, and Nikita Borisov. 2012. SybilControl: Practical Sybil defense with computational puzzles. In Proceedings of the Seventh ACM Workshop on Scalable Trusted Computing. ACM, 67–78.
[79] Mark D Lillibridge, Martin Abadi, Krishna Bharat, and Andrei Z Broder. 2001. Method for selectively restricting access to computer systems. US Patent 6,195,698.
[80] Huijia Lin, Rafael Pass, and Pratik Soni. 2017. Two-round and non-interactive concurrent non-malleable commitments from time-lock puzzles. In Foundations of Computer Science (FOCS), 2017 IEEE 58th Annual Symposium on. IEEE, 576–587.
[81] Debin Liu and L Jean Camp. 2006. Proof of Work can Work.
[82] P. Liu, B. Liu, Y. Sun, B. Zhao, and I. You. 2018. Mitigating DoS Attacks Against Pseudonymous Authentication Through Puzzle-Based Co-Authentication in 5G-VANET. IEEE Access 6 (2018), 20795–20806. https://doi.org/10.1109/ACCESS.2018.2826518
[83] Quanquan Liu. 2017. Red-blue and standard pebble games: complexity and applications in the sequential and parallel models. Ph.D. Dissertation. Massachusetts Institute of Technology.
[84] Sam Loyd. 1959. Mathematical puzzles. Vol. 1. Courier Corporation.
[85] Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena, and Aquinas Hobor. 2015. On power splitting games in distributed computation: The case of Bitcoin pooled mining. In Computer Security Foundations Symposium (CSF), 2015 IEEE 28th. IEEE, 397–411.
[86] Miao Ma. 2005. Mitigating denial of service attacks with password puzzles. In Information Technology: Coding and Computing, 2005. ITCC 2005. International Conference on, Vol. 2. IEEE, 621–626.
[87] Mohammad Mahmoody, Tal Moran, and Salil Vadhan. 2013. Publicly verifiable proofs of sequential work. In Proceedings of the 4th Conference on Innovations in Theoretical Computer Science. ACM, 373–388.
[88] Vasileios Mavroeidis, Kamer Vishi, Mateusz D. Zych, and Audun Jøsang. 2018. The Impact of Quantum Computing on Present Cryptography. International Journal of Advanced Computer Science and Applications 9, 3 (2018). https://doi.org/10.14569/IJACSA.2018.090354
[89] Timothy J McNevin, Jung-Min Park, and Randolph Marchany. 2004. pTCP: A client puzzle protocol for defending against resource exhaustion denial of service attacks. Virginia Tech Univ., Dept. Elect. Comput. Eng., Blacksburg, VA, USA, Tech. Rep. TR-ECE-04-10 (2004).
[90] Ralph C Merkle. 1978. Secure communications over insecure channels. Commun. ACM 21, 4 (1978), 294–299.
[91] Hendrik Meutzner, Santosh Gupta, and Dorothea Kolossa. 2015. Constructing secure audio CAPTCHAs by exploiting differences between humans and machines. In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems. ACM, 2335–2338.
[92] Andrew Miller, Ari Juels, Elaine Shi, Bryan Parno, and Jonathan Katz. 2014. Permacoin: Repurposing Bitcoin work for data preservation. In 2014 IEEE Symposium on Security and Privacy (SP). IEEE, 475–490.
[93] Andrew Miller, Ahmed Kosba, Jonathan Katz, and Elaine Shi. 2015. Nonoutsourceable scratch-off puzzles to discourage Bitcoin mining coalitions. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 680–691.
[94] Andrew Miller and Joseph J LaViola Jr. 2014. Anonymous Byzantine consensus from moderately-hard puzzles: A model for Bitcoin. Available online: http://nakamotoinstitute.org/research/anonymous-byzantine-consensus (2014).
[95] Greg Mori and Jitendra Malik. 2003. Recognizing objects in adversarial clutter: Breaking a visual CAPTCHA. In Computer Vision and Pattern Recognition, 2003. Proceedings. 2003 IEEE Computer Society Conference on, Vol. 1. IEEE, I–I.
[96] Robert Moskowitz, Pekka Nikander, Petri Jokela, and Thomas Henderson. 2008. Host Identity Protocol. Technical Report.
[97] Marti Motoyama, Kirill Levchenko, Chris Kanich, Damon McCoy, Geoffrey M Voelker, and Stefan Savage. 2010. Re: CAPTCHAs - Understanding CAPTCHA-Solving Services in an Economic Context. In USENIX Security Symposium, Vol. 10. 3.
[98] Satoshi Nakamoto. 2008. Bitcoin: A peer-to-peer electronic cash system. (2008).
[99] Moni Naor. 1996. Verification of a human in the loop or Identification via the Turing Test. Unpublished draft from http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human_abs.html (1996).
[100] Arvind Narayanan and Jeremy Clark. 2017. Bitcoin's academic pedigree. Commun. ACM 60, 12 (2017), 36–45.
[101] Mohammad A Noureddine, Ahmed Fawaz, Tamer Basar, and William H Sanders. 2018. Revisiting Client Puzzles for State Exhaustion Attacks Resilience. arXiv preprint arXiv:1807.11892 (2018).
[102] Erik Nygren, Samuel Erb, Alex Biryukov, Dmitry Khovratovich, and Ari Juels. 2016. TLS client puzzles extension. Internet Engineering Task Force, Tech. Rep., Dec (2016).
[103] Rasmus Pagh and Flemming Friche Rodler. 2004. Cuckoo hashing. Journal of Algorithms 51, 2 (2004), 122–144.
[104] Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, and Yih-Chun Hu. 2007. Portcullis: protecting connection setup from denial-of-capability attacks. ACM SIGCOMM Computer Communication Review 37, 4 (2007), 289–300.
[105] Rafael Pass, Lior Seeman, and Abhi Shelat. 2017. Analysis of the blockchain protocol in asynchronous networks. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 643–673.
[106] Colin Percival. 2009. Stronger key derivation via sequential memory-hard functions. (2009).
[107] Heiner Perrey, Osman Ugus, and Dirk Westhoff. 2011. WiSec'2011 poster: security enhancement for Bluetooth Low Energy with Merkle's puzzle. ACM SIGMOBILE Mobile Computing and Communications Review 15, 3 (2011), 45–46.
[108] Krzysztof Pietrzak. 2018. Simple Verifiable Delay Functions. IACR Cryptology ePrint Archive 2018 (2018), 627.
[109] Rajesh Ramanathan, Amritansh Raghav, and Craig M Combel. 2013. Spam reduction in real time communications by human interaction proof. US Patent 8,495,727.
[110] Jothi Rangasamy, Douglas Stebila, Lakshmi Kuppusamy, Colin Boyd, and Juan Gonzalez Nieto. 2011. Efficient modular exponentiation-based puzzles for denial-of-service protection. In International Conference on Information Security and Cryptology. Springer, 319–331.
[111] Amar Rasheed and Rabi Mahapatra. 2011. Key predistribution schemes for establishing pairwise keys with a mobile sink in sensor networks. IEEE Transactions on Parallel and Distributed Systems 22, 1 (2011), 176–184.
[112] Michael K Reiter, Vyas Sekar, Chad Spensky, and Zhenghao Zhang. 2009. Making peer-assisted content distribution robust to collusion using bandwidth puzzles. In International Conference on Information Systems Security. Springer, 132–147.
[113] Jian Ren and Jie Wu. 2010. Survey on anonymous communications in computer networks. Computer Communications 33, 4 (2010), 420–431. https://doi.org/10.1016/j.comcom.2009.11.009
[114] Ling Ren and Srinivas Devadas. 2016. Proof of space from stacked expanders. In Theory of Cryptography Conference. Springer, 262–285.
[115] Ling Ren and Srinivas Devadas. 2017. Bandwidth hard functions for ASIC resistance. In Theory of Cryptography Conference. Springer, 466–492.
[116] Ronald L Rivest and Adi Shamir. 1996. PayWord and MicroMint: Two simple micropayment schemes. In International Workshop on Security Protocols. Springer, 69–87.
[117] Ronald L Rivest, Adi Shamir, and David A Wagner. 1996. Time-lock puzzles and timed-release crypto. (1996).
[118] Hosam Rowaihy, William Enck, Patrick McDaniel, and Tom La Porta. 2007. Limiting Sybil attacks in structured P2P networks. In INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE, 2596–2600.
[119] Peter W Shor. 1994. Algorithms for quantum computation: Discrete logarithms and factoring. In Foundations of Computer Science, 1994 Proceedings., 35th Annual Symposium on. IEEE, 124–134.
, Vol. 1, No. 1, Article 1. Publication date: Unpublished.
1:40 Isra Mohamed Ali, Maurantonio Caprolu, Roberto Di Pietro
[120]
Douglas Stebila and Berkant Ustaoglu. 2009. Towards denial-of-service-resilient key agreement protocols. In
Australasian Conference on Information Security and Privacy. Springer, 389–406.
[121]
Yixin Sun, Anne Edmundson, Laurent Vanbever, Oscar Li, Jennifer Rexford, Mung Chiang, and Prateek Mial. 2015.
{
RAPTOR
}
: Routing Aacks on Privacy in Tor. In 24th
{
USENIX
}
Security Symposium (
{
USENIX
}
Security 15).
271–286.
[122] N Szabo. 2008. Bit gold.
[123]
Qiang Tang and Arjan Jeckmans. 2010. On non-parallelizable deterministic client puzzle scheme with batch verication
modes. Centre for Telematics and Information Technology University of Twente (2010).
[124]
Suratose Tritilanunt, Colin Boyd, Ernest Foo, and Juan Manuel Gonz
´
alez Nieto. 2007. Toward non-parallelizable
client puzzles. In International Conference on Cryptology and Network Security. Springer, 247–264.
[125]
John Tromp. 2015. Cuckoo cycle: a memory bound graph-theoretic proof-of-work. In International Conference on
Financial Cryptography and Data Security. Springer, 49–62.
[126]
Florian Tschorsch and Bj
¨
orn Scheuermann. 2016. Bitcoin and beyond: A technical survey on decentralized digital
currencies. IEEE Communications Surveys & Tutorials 18, 3 (2016), 2084–2123.
[127] Nicolas Van Saberhagen. 2013. CryptoNote v 2.0.
[128]
Luis Von Ahn, Manuel Blum, Nicholas J Hopper, and John Langford. 2003. CAPTCHA: Using hard AI problems for
security. In International Conference on the eory and Applications of Cryptographic Techniques. Springer, 294–311.
[129]
Luis Von Ahn, Benjamin Maurer, Colin McMillen, David Abraham, and Manuel Blum. 2008. recaptcha: Human-based
character recognition via web security measures. Science 321, 5895 (2008), 1465–1468.
[130]
David Wagner. 2002. A generalized birthday problem. In Annual International Cryptology Conference. Springer,
288–304.
[131]
Michael Walsh, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Sco Shenker. 2010. DDoS defense by
oense. ACM Transactions on Computer Systems (TOCS) 28, 1 (2010), 3.
[132]
Wenbo Wang, Dinh ai Hoang, Zehui Xiong, Dusit Niyato, Ping Wang, Peizhao Hu, and Yonggang Wen. 2018. A
Survey on Consensus Mechanisms and Mining Management in Blockchain Networks. CoRR abs/1805.02707 (2018).
arXiv:1805.02707 hp://arxiv.org/abs/1805.02707
[133]
XiaoFeng Wang and Michael K Reiter. 2003. Defending against denial-of-service aacks with puzzle auctions. In
Security and Privacy, 2003. Proceedings. 2003 Symposium on. IEEE, 78–92.
[134]
XiaoFeng Wang and Michael K. Reiter. 2004. Mitigating Bandwidth-exhaustion Aacks Using Congestion Puzzles. In
Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS ’04). ACM, New York, NY,
USA, 257–267. hps://doi.org/10.1145/1030083.1030118
[135]
Brent Waters, Ari Juels, J Alex Halderman, and Edward W Felten. 2004. New client puzzle outsourcing techniques for
DoS resistance. In Proceedings of the 11th ACM conference on Computer and communications security. ACM, 246–256.
[136]
Dirk Westho and Frederik Armknecht. 2011. Method for electing aggregator nodes in a network. US Patent
7,907,548.
[137]
Gavin Wood. 2014. Ethereum: A secure decentralised generalised transaction ledger. Ethereum project yellow paper
151 (2014), 1–32.
[138]
Yi Xu, Gerardo Reynaga, Sonia Chiasson, Jan-Michael Frahm, Fabian Monrose, and Paul C van Oorschot. 2012.
Security and Usability Challenges of Moving-Object CAPTCHAs: Decoding Codewords in Motion.. In USENIX
security symposium. 49–64.
[139]
Je Yan and Ahmad Salah El Ahmad. 2008. A Low-cost Aack on a Microso CAPTCHA. In Proceedings of the 15th
ACM conference on Computer and communications security. ACM, 543–554.
[140]
Je Yan and Ahmad Salah El Ahmad. 2008. Usability of CAPTCHAs or usability issues in CAPTCHA design. In
Proceedings of the 4th symposium on Usable privacy and security. ACM, 44–52.
[141]
Zhenghao Zhang. 2012. A new bound on the performance of the bandwidth puzzle. IEEE Transactions on Information
Forensics and Security 7, 2 (2012), 731–742.
, Vol. 1, No. 1, Article 1. Publication date: Unpublished.