ArticlePDF Available

Hashcash - A Denial of Service Counter-Measure

  • Cypherspace


Hashcash was originally proposed as a mechanism to throttle systematic abuse of un-metered internet resources such as email, and anonymous remailers in May 1997. Five years on, this paper captures in one place the various applications, improvements suggested and related subsequent publications, and describes initial experience from experiments using hashcash.
Hashcash - A Denial of Service Counter-Measure
Adam Back
1st August 2002
Hashcash was originally proposed as a mechanism to throttle systematic abuse of un-metered internet resources
such as email, and anonymous remailers in May 1997. Five years on, this paper captures in one place the various
applications, improvements suggested and related subsequent publications, and describes initial experience from
experiments using hashcash.
The hashcash CPU cost-function computes a token which can be used as a proof-of-work. Interactive and non-
interactive variants of cost-functions can be constructed which can be used in situations where the server can issue
a challenge (connection oriented interactive protocol), and where it can not (where the communication is store–and–
forward, or packet oriented) respectively.
Key Words: hashcash, cost-functions
1 Introduction
Hashcash [1] was originally proposed as a mechanism to throttle systematic abuse of un-metered internet resources
such as email, and anonymous remailers in May 1997. Five years on, this paper captures in one place the various
applications, improvements suggested and related subsequent publications, and describes initial experience from ex-
periments using hashcash.
The hashcash CPU cost-function computes a token which can be used as a proof-of-work. Interactive and non-
interactive variants of cost-functions can be constructed which can be used in situations where the server can issue
a challenge (connection oriented interactive protocol), and where it can not (where the communication is store–and–
forward, or packet oriented) respectively.
At the time of publication of [1] the author was not aware of the prior work by Dwork and Naor in [2] who
proposed a CPU pricing function for the application of combatting junk email. Subsequently applications for cost-
functions have been further discussed by Juels and Brainard in [3]. Jakobsson and Juels propose a dual purpose for
the work spent in a cost-function: to in addition perform an otherwise useful computation in [4].
2 Cost-Functions
A cost-function should be efficiently verifiable, but parameterisably expensive to compute. We use the following
notation to define a cost-function.
In the context of cost-functions we use client to refer to the user who must compute a token (denoted ) using a
cost-function MINT() which is used to create tokens to participate in a protocol with a server. We use the term mint
for the cost-function because of the analogy between creating cost tokens and minting physical money.
The server will check the value of the token using an evaluation function VALUE(), and only proceed with the
protocol if the token has the required value.
The functions are parameterised by the amount of work that the user will have to expend on average to mint a
With interactive cost-functions, the server issues a challenge to the client – the server uses the CHAL function
to compute the challenge. (The challenge function is also parameterised by the work factor.)
CHAL server challenge function
MINT mint token based on challenge
VALUE token evaluation function
With non-interactive cost-functions the client choses it’s own challenge or random start value in the MINT() func-
tion, and there is no CHAL() function.
MINT mint token
VALUE token evaluation function
Clearly a non-interactive cost-function can be used in an interactive setting, whereas the converse is not possible.
2.1 Publicly Auditable, Probabilistic Cost
A publicly auditable cost-function can be efficiently verified by any third party without access to any trapdoor
or secret information. (When we say publicly auditable we mean implicitly that the cost-function is efficiently
publicly auditable compared to the cost of minting the token, rather than auditable in the weaker sense that the
auditor could repeat the work done by the client.)
A fixed cost cost-function takes a fixed amount of resources to compute. The fastest algorithm to mint a fixed
cost token is a deterministic algorithm.
A probabilistic costcost-functionis onewhere the cost to theclient ofminting a tokenhasa predictable expected
time, but a random actualtime as the client canmost efficientlycomputethe cost-function by starting ata random
start value. Sometimes the client will get lucky and start close to the solution.
There are two types of probabilistic cost bounded probabilistic cost and unbounded probabilistic cost.
An unbounded probabilistic cost cost-function, can in theory take forever to compute, though the proba-
blity of taking significantly longer than expected decreases rapidly towards zero. (An example would be
the cost-function of being required to throw a head with a fair coin; in theory the user could be unlucky
and end up throwing many tails, but in practice the probability of not throwing a head for throws tends
towards rapidly as .)
With a bounded probabilistic cost cost-function there is a limit to how unlucky the client can be in it’s
search for the solution; for example where the client is expected to search some key space for a known
solution; the size of the key space imposes an upper bound on the cost of finding the solution.
2.2 Trapdoor-free
A disadvantage of known solution cost-functions is that the challenger can cheaply create tokens of arbitrary value.
This precludes public audit where the server may have a conflict of interests, for example in web hit metering, where
the server may have an interest to inflate the number of hits on it’s page where it is being paid per hit by an advertiser.
A trapdoor-free cost-function is one where the server has no advantage in minting tokens.
An example of a trapdoor-free cost-function is the Hashcash [1] cost-function. Juels and Brainard’s client-puzzle
cost-function is an example of a known-solution cost-function where the server has an advantage in minting tokens.
Client-puzzles as specified in the paper are in addition not publicly auditable, though this is due to a storage optimiza-
tion and not inherent to their design.
3 The Hashcash cost-function
Hashcash is a non-interactive, publicly auditable, trapdoor-free cost function with unbounded probabilistic cost.
First we introduce some notation: consider bitstring , we define to means the bit at offset i, where
is the left-most bit, and is the right-most bit. means the bit-wise substring between and including bits
and , . So .
We define a binary infix comparison operator where b is the length of the common left-substring from the two
Hashcash is computed relative to a service-name , to prevent tokens minted for one server being used on another
(servers only accept tokens minted using their own service-name). The service-name can be any bit-string which
uniquely identifies the service (eg. host name, email address, etc).
The hashcash function is defined as (note this is an improved simplifed variant since initial publication see note in
section 5:
PUBLIC: hash function with output size bits
MINT find st
The hashcash cost-function is based on finding partial hash collisions on the all 0 bits -bit string . The fastest
algorithm for computing partial collisions is brute force. There is no challenge as the client can safely choose his
own random challenge, and so the hashcash cost-function is a trapdoor-free and non-interactive cost-function. In
addition the Hashcash cost-function is publicly auditable, because anyone can efficiently verify any published tokens.
(In practice should be chosen to be large enough to make the probability that clients reuse a previously used start
value negligible; bits should be enough even for a busy server.)
The server needs to keep a double spending database of spent tokens, to detect and reject attempts to spend the
same token again. To prevent the database growing indefinitely, the service string can include the time at which it was
minted. This allows the server to discard entries from the spent database after they have expired. Some reasonable
expiry period should be chosen to take account of clock inaccuracy, computation time, and transmission delays.
Hashcash was originally proposed as a counter-measure against email spam, and against systematic abuse of
anonymous remailers. It is necessary to use non-interactive cost-functions for these scenarios as there is no channel
for the server to send a challenge over. However one advantage of interactive cost-functions is that it is possible
to prevent pre-computation attacks. For example, if there is a cost associated with sending each email this may be
sufficient to limit the scale of email abuse perpetrated by spammers; however for a pure DoS-motivated attack a
determined adversary may spend a year pre-computing tokens to all be valid on the same day, and on that day be able
to temporarily overload the system.
It would be possible to reduce the scope for such pre-computation attacks by using a slowly changing beacon
(unpredictable broadcast authenticated value changing over time) such as say this weeks winning lottery numbers. In
this event the current beacon value is included in the start string, limiting pre-computation attacks to being conducted
within the time period between beacon value changes.
4 Interactive Hashcash
With the interactive form of hashcash, for use in interactive settings such as TCP, TLS, SSH, IPSEC etc connection
establishment a challenge is chosen by the server. The aim of interactive hashcash is to defend server resources from
premature depletion, and provide graceful degradation of service with fair allocation across users in the face of a DoS
attack where one user attempts to deny service to the other users by consuming as many server resources as he can. In
the case of security protocols such as TLS, SSH and IPSEC with computationally expensive connection establishment
phases involving public key crypto the server resource being defended is the servers available CPU time.
The interactive hashcash cost-function is defined as follows:
CHAL choose
MINT find st
4.1 Dynamic throttling
With interactive hashcash it becomes possible to dynamically adjust the work factor required for the client based on
server CPU load. The approach also admits the possibility that interactive hashcash challenge-response would only
be used during periods of high load. This makes it possible to phase-in DoS resistent protocols without breaking
backwards compatibility with old client software. Under periods of high load non-hashcash aware clients would be
unableto connect, or would beplaced ina limited connection pool subject toolderless effective DoS counter-measures
such as random connection dropping.
4.2 hashcash-cookies
With connection-slot depletion attacks such as the syn-flood attack, and straight-forward TCP connection-slot deple-
tion the server resource that is being consumed is space available to the TCP stack to store per-connection state.
In this scenario it may be desirable to avoid keeping per connection state, until the client has computed a token
with the interactive hashcash cost-function. This defense is similar to the syn-cookie defense to the syn-flood attack,
but here we propose to additionally impose a CPU cost on the connecting machine to reserve a TCP connection-slot.
To avoid storing the challenge in the connection state (which itself consumes space) the server may choose to
compute a keyed MAC of the information it would otherwise store and sent it to the client as part of the challenge so
it can verify the authenticity of the challenge and token when the client returns them. (This general technique of
sending a record you would otherwise store together with a MAC to the entity the information is about is referred
to as a symmetric key certificate.) This approach is analogous to the technique used in syn-cookies, and Juels and
Brainard proposed a related approach but at the application protocol level in their client-puzzles paper.
For example with MAC function keyed by server key the challenge MAC could be computed as:
PUBLIC: MAC function
CHAL choose
The client must send the MAC , and the challenge and challenge parameters with the response token so
that the server can verify the challenge and the response. The server should also include in the MAC the connection
parameters, at minimum enough to identify the connection-slot and some time measurement or increasing counter
so that old challenge responses can not be collected and re-used after the connection-slots are free. The challenge and
MAC would be sent in the TCP SYN-ACK response message, and the client would include the interactive hashcash
token (challenge-response) in the TCP ACK message. As with syn-cookies, the server would not need to keep any
state per connection prior to receiving the TCP ACK.
For backwards compatibility with syn-cookie aware TCP stacks, a hashcash-cookie aware TCP stack would only
turn on hashcash-cookies when it detected that it was subject to a TCP connection-depletion attack. Similar arguments
as given by Dan Bernstein in [5] can be used to show that backwards compatibility is retained, namely under syn-flood
attacks Bernstein’s arguments show how to provide backwards compatibility with non syn-cookie aware implementa-
tions; similarly under connection-depletion attack hashcash-cookies are only turned on at a point where service would
anyway otherwise be unavailable to a non-hashcash-cookie aware TCP stack.
As the flood increases in severity the hashcash-cookie algorithm would increase the collision size required to be in
the TCP ACK message. The hashcash-cookie aware client can still connect (albeit increasinly slowly) with a more fair
chance against the DoS attacker presuming the DoSer has limited CPU resources. The DoS attacker will effectively
be pitting his CPU against all the other (hashcash-cookie aware) clients also trying to connect. Without the hashcash-
cookie defense the DoSer can flood the server with connection establishments and can more easily tie up all it’s slots
by completing n connections per idle connection time-out where n is the size of the connection table, or pinging the
connections once per idle connection time-out to convince the server they are alive.
Connections will be handed out to users collectively in rough proportion to their CPU resources, and so fairness is
CPU resource based (presuming each user is trying to open as many connections as he can) so the result will be biased
in favor of clients with fast processors as they can compute more interactive-hashcash challenge-response tokens per
5 Hashcash improvements
In the initially published hashcash scheme, the target string to find a hash collision on was chosen fairly by using the
hash of the service-name (and respectively the service-name and challenge in the interactive setting). A subsequent
improvement suggested independently by Hal Finney [6] and Thomas Boschloo [7] for hashcash is to find a collision
against a fixed output string. Their observation is that a fixed collision target is also fair, simpler and reduces verifica-
tion cost by a factor of 2. A fixed target string which is convenient to compare trial collisions against is the k-bit string
where is the hash output size.
6 Low Variance
Ideallycost-functiontokens should takea predictable amount of computingresources tocompute. Juels andBrainard’s
client-puzzle construction provides a probabilistic bounded-cost by issuing challenges with known-solutions, however
while this limits thetheoretical worst case runningtime, itmakes limited practicaldifference to the variance andtypical
experienced running time. The technique of using known solutions is also not applicable to the non-interactive setting.
It is an open question as to whether there exist probabilistic bounded-cost, or fixed-cost non-interactive cost-functions
with the same order of magnitude of verification cost as hashcash.
The other more significant incremental improvement due to Juels and Brainard is the suggestion to use multiple
sub-puzzles with the same expected cost, but lower variance in cost. This technique should be applicable to both the
non-interactive and interactive variants of hashcash.
6.1 Non-Parallelizability and Distributed DoS
Roger Dingledine, Michael Freedman and David Molnar put forward the argument that non-parallelizable cost-
functions are less vulnerable to Distributed DoS (DDoS) in chapter 16 of [8]. Their argument is that non-parallelizable
cost-functions frustrate DDoS because the attacker is then unable sub-divide and farm out the work of computing an
individual token.
The author described a fixed-cost cost-function in [9] using Rivest, Shamir and Wagner’s time-lock puzzle [10]
which also happens to be non-parallelizable. The time-lock puzzle cost-function can be used in either an interactive
or non-interactive setting as it is safe for the user to chose their own challenge. The applicability of Rivest et al’s
time-lock puzzle as a cost-function was also subsequently observed by Dingledine et al in [8].
For completeness we present the time-lock puzzle based fixed-cost and non-parallelizable cost-function from [9]
PRIVATE: primes and
CHAL choose
MINT compute
VALUE compute
if return
else return
The client does not know , and so the most efficient method for the client to calculate MINT() is repeated
exponentiation, which requires exponentiations. The challenger knows which allows a more efficient compu-
tation by reducing the exponent , so the challenger can execute VALUE() with 2 modular exponentiations.
The challenger as a side-effect has a trapdoor in computing the cost-function as he can compute MINT() efficiently
using the same algorithm.
We argue however that the added DDoS protection provided by non-parallelizable cost-functions is marginal:
unless the server restricts the number of challenges it hands out to a recognizably unique client the DDoS attacker can
farm out multiple challenges as easily as farmout a sub-divided single challenge, and consume resources on the server
at the same rate as before. Further it is not that hard for a single client to masquerade as multiple clients to a server.
Consider also: the DDoS attacker has generally due to the nature of his method of commandeering nodes an equal
number of network connected nodes at his disposal as processors. He can therefore in any case have each attack
node directly participate in the normal protocol indistinguisably from any legitimate user. This attack strategy is also
otherwise optimal anyway as the attack nodes will present a varied set of source addresses which will foil attempts
at per-connection fairness throttling strategies and router based DDoS counter-measures based on volume of traffic
across IP address ranges. Therefore for the natural attack node marshalling patterns non-parallelizable cost-functions
offer limited added resistance.
As well as the arguments against the practical efficacy and value of non-parallelizable cost-functions, to date
non-parallelizable cost functions have had orders of magnitude slower verification functions than non-parallelizable
cost-functions. This is because thenon-parallelizablecost-functions so far discussedin theliterature are related to trap-
door public key cryptography constructs which are inherently less efficient. It is an open question as to whether there
exist non-parallelizable cost-functions based on symmetric-key (or public-key) constructs with verification functions
of the same order of magnitude as those of symmetric-crypto based cost-functions.
While for the application of time-lock puzzles to cost-functions, a reduced public key size could be used to speed
up the verification function, this approach introduces risk that the modulus will be factored with the result that the
attacker gains a big advantage in minting tokens. (Note: factoring is itself a largely parallelizable computation.)
To combat this the server should change the public parameters periodically. However in the particular case of the
public parameters used by time-lock puzzles (which are the same as the RSA modulus used in RSA encryption), this
operation is itself moderately expensive, so this operation would not be performed too frequently. It would probably
not be wise to deploy software based on key sizes below 768 bits for this aplication, in addition it wouldhelp to change
keys periodically, say every hour or so. (RSA modulii of 512 bits have recently been factored by a closed group as
discussed in [11] and more recently have been demonstrated by Nicko van Someren et al to be factorizable using
standard equipment in an office as reported in [12]; DDoS attackers are known be able to muster significant resources,
probably easily exceeding those used in this demonstration.)
The time-lock puzzle cost-function also is necessarily trap-door as the server needs a private verification-key to
allow it to efficiently verify tokens. The existance of a verification-key presents the added risk of key compromise
allowing the attacker to by-pass the cost-function protection. (The interactive hashcash cost-function by comparison
is trap-door-free, so there is no key which would allow an attacker a short-cut in computing tokens). In fact if the
verification-key were compromised, it could be replaced, but this need adds complexity and administrative overhead
as this event needs to be detected and manual intervention or some automated detection triggering key-replacement
The time-lock puzzle cost-function also will tend to have larger messages as there is a need to communicate
planned and emergency re-keyed public parameters. For some applications, for example the syn-cookie and hashcash-
cookie protocols, space is at a premium due to backwards compatibility and packet size constraints imposed by the
network infrastructure.
So in summary we argue that non-parallelizable cost-functions are of questionable practical value in protecting
against DDoS attacks, have more expensive verification functions, incur the risk of verification key compromise and
attendant key management complexities, have larger messages, and are significantly more complex to implement. We
therefore recommend instead the simpler hashcash protocol (or if the public-auditability and non-interactive options
are not required Juels and Brainards client-puzzles are roughly equivalent).
7 Applications
Apart from the initially proposed applications for hashcash of throttling DoS against remailer networks and detering
email spam, since publicationthe followingapplications havebeen discussed, explored and insome cases implemented
and deployed:
hashcash-cookies, a potential extension of the syn-cookie as discussed in section 4.2 for allowing more graceful
service degradation in the face of connection-depletion attacks.
interactive-hashcash as discussed in section 4 for DoS throttling and graceful service degradation under CPU
overload attacks on security protocols with computationally expensive connection establishment phases. No
deployment but the analogous client-puzzle system was implemented with TLS in [13]
hashcash throttling of DoS publication floods in anonymous publication systems such as Freenet [14], Publius
[15], Tangler [16],
hashcash throttling of service requests in the cryptographic Self-certifying File System [17]
hashcash throttling of USENET flooding via mail2news networks [18]
hashcash as a minting mechanism for Wei Dai’s b-money electronic cash proposal, an electronic cash scheme
without a banking interface [19]
8 Cost-function classification scheme
We list here a classification of characteristics of cost-functions. We use the following notation to denote the properties
of a cost-function:
Where is theefficiency: value means efficiently-verifiable verifiablewithcost comparable to orlowerthan
the cost of verifying symmetric key constructs such as hashcash which consume just a single compression round of an
iterative compression function based hash function such as SHA1 or MD5. Value
means practically-verifiable
we mean less efficiently than efficienty-verifiable, but still efficient enough to be practical for some applications, for
example the author considers the time-lock puzzle based cost-function with it’s two modular exponentiations to fall
into this category. Value means verifiable but impractical, that the cost-function is verifiable but the verification
function is impractically slow such that the existance of the cost-function serves only as a proof of concept to be
improved upon for practical use.
And is a characterization of the standard-deviation, value means fixed-cost, means bounded
probabilistic cost and means unbounded probabilistic cost. Note by bounded probabilistic-cost we mean
usefully bounded a bound in the work factor in excess of a work-factor that an otherwise functionally similar
unbounded cost-function would only reach with negligible probability would not be useful.
And denotes that the cost-function is interactive, and that the cost-function is non-interactive.
And denotes that the cost-function is publicly auditable, denotes that the cost-functionis not publicly auditable,
which means inpractice thatit is only verifiable by the serviceusing a private key material. Note bypublic-auditability
we mean efficiently publicly-auditable, and would not consider repeating the work of the token minter as adequate
efficiency to classify.
And denotes that the server has a trapdoor in computing the cost-function, conversely denotes that server has
no trapdoor in computing the cost-function.
And denotes that the cost-function is parallelizable, deontes that the cost-function is non-parallelizable.
trapdoor-free trapdoor
interactive hashcash client-puzzles
non-interactive hashcash
8.1 Open Problems
existance of efficiently-verifiable non-interactive fixed-cost cost-functions (and the related
weaker problem: existance of same with probabilistic bounded-cost )
existance of efficiently-verifiable non-interactive non-parallelizable cost-functions (and the related
weaker problem: existance of same in interactive setting )
existance of publicly-auditable non-interactive fixed-cost cost-functions (and the related weaker
problem: existance of same with bounded probabilistic-cost )
[1] Adam Back. Hashcash, May 1997. Published at
[2] Cynthia Dwork and Moni Naor. Pricing via processing or combatting junk mail. In Proceedings of Crypto,
1992. Also available as
[3] Ari Juels and John Brainard. Client puzzles: A cryptographic countermeasure against connection depletion
attacks. In Network and Distributed System Security Symposium, 1999. Also available as http://www.
[4] Markus Jakobsson and Ari Juels. Proofs of work and bread pudding protocols. In Proceedings of the IFIP TC6
and TC11 Joint Working Conference on Communications and Multimedia Security (CMS ’99), Leuven, Belgium,
September 1999. Also available as
[5] Dan Bernstein. Syn cookies. Published at
[6] Hal Finney. Personal communication, Mar 2002.
[7] Thomas Boschloo. Personal communication, Mar 2002.
[8] Andy Oram, editor. Peer-to-Peer: Harnessing the Power of Disruptive Technologies. O’Reilly
and Associates, 2001. Chapter 16 also available as
[9] Adam Back. Hashcash - amortizable publicly auditable cost functions. Early draft of paper, 2000.
[10] Ronald L Rivest, Adi Shamir, and David A Wagner. Time-lock puzzles and timed-release crypto. Tech-
nical Report MIT/LCS/TR-684, 1996. Also available as˜rivest/
[11] Herman te Riele. Security of e-commerce threatened by 512-bit number factorization. Published at http:
//˜kik/persb-UK.html, Aug 1999.
[12] Dennis Fisher. Experts debate risks to crypto, Mar 2002. Also available as
[13] Drew Dean and Adam Stubblefield. Using cleint puzzles to protect tls. In Proceedings of the 10th USENIX
Security Symposium, Aug 2001. Also available as˜astubble/papers.
[14] Ian Clarke, OskarSandberg, Brandon Wiley, andTheodore Hong. Freenet: A distributedanonymous information
storage and retrieval system. In Hannes Federrath, editor, Proceedings of the International Workshop on Design
Issues in Anonymity and Unobservability. Springer, 2001. Also available as http://freenetproject.
[15] Marc Waldman, Aviel D Rubin, and Lorrie Faith Cranor. Publius: A robust, tamper-evident, censorship-
resistant web publishing system. In Proceedings of the 9th USENIX Security Symposium, Aug 2000.
Also available as
[16] Marc Waldman and David Mazieres. Tangler: A censorship resistant publishing system based on document
entanglement. In Proceedings of the 8th ACM Conference on Computer and Communication Security, Nov
2001. Also available as˜waldman/.
[17] David Mazieres. Self-certifying File System. PhD thesis, Massachusetts Institute of Technology, May 2000. Also
available as˜dm/.
[18] Alex de Joode. Hashcash support at dizum mail2news gateway. Published at
hashcash/, 2002.
[19] Wei Dai. b-money. Published at˜weidai/bmoney.txt, Nov 1998.
... Bitcoin, proposed by Satoshi Nakamoto 1 in 2008 [202] on the Cryptography mailing list [203] is the first fully decentralized digital cash system, also called a "cryptocurrency". In that, Bitcoin ends the 25year long search for a fully decentralized digital cash system without trusted third parties, by cleverly combining existing ideas and techniques such as linked hash/signature chains [129,169], Hashcash Proof-of-Work [20], b-money [65], Merkle Trees [177] and Byzantine Quorum systems [155,166]. This combination yields a linked hash chain of so-called blocks, where each block's hash depends on the preceding block while additionally being a Proof-of-Work (PoW). ...
... The process of finding a block can be seen as a sequence of Bernoulli trials with success probability 2 −d until the first success, therefore, X is geometrically distributed. In expectation, the number of operations to find a block is then 20 20 The expected value of a geometrically distributed r.v. is 1 p , where p denotes the success probability of the Bernoulli trial. ...
... Intuitively, the more adversarial nodes there are in bucket b, the more unlikely it becomes not to get queried during the lookup-process. Figure 15 shows the result of Equation (20). It depicts the probability for the adversary to receive a FindNode-Request over the number of adversarial nodes in bucket b, which is assumed to be at full capacity, i.e., k = N + a 46 46 In Figure 15, the numerator of Equation (20) is to this end adapted to N + 1 − a. ...
Die Erfindung von Bitcoin hat ein großes Interesse an dezentralen Systemen geweckt. Eine häufige Zuschreibung an dezentrale Systeme ist dabei, dass eine Dezentralisierung automatisch zu einer höheren Sicherheit und Widerstandsfähigkeit gegenüber Angriffen führt. Diese Dissertation widmet sich dieser Zuschreibung, indem untersucht wird, ob dezentralisierte Anwendungen tatsächlich so robust sind. Dafür werden exemplarisch drei Systeme untersucht, die häufig als Komponenten in komplexen Blockchain-Anwendungen benutzt werden: Ethereum als Infrastruktur, IPFS zur verteilten Datenspeicherung und schließlich "Stablecoins" als Tokens mit Wertstabilität. Die Sicherheit und Robustheit dieser einzelnen Komponenten bestimmt maßgeblich die Sicherheit des Gesamtsystems in dem sie verwendet werden; darüber hinaus erlaubt der Fokus auf Komponenten Schlussfolgerungen über individuelle Anwendungen hinaus. Für die entsprechende Analyse bedient sich diese Arbeit einer empirisch motivierten, meist Netzwerklayer-basierten Perspektive -- angereichert mit einer ökonomischen im Kontext von Wertstabilen Tokens. Dieses empirische Verständnis ermöglicht es Aussagen über die inhärenten Eigenschaften der studierten Systeme zu treffen. Ein zentrales Ergebnis dieser Arbeit ist die Entdeckung und Demonstration einer "Eclipse-Attack" auf das Ethereum Overlay. Mittels eines solchen Angriffs kann ein Angreifer die Verbreitung von Transaktionen und Blöcken behindern und Netzwerkteilnehmer aus dem Overlay ausschließen. Des weiteren wird das IPFS-Netzwerk umfassend analysiert und kartografiert mithilfe (1) systematischer Crawls der DHT sowie (2) des Mitschneidens von Anfragenachrichten für Daten. Erkenntlich wird hierbei, dass die hybride Overlay-Struktur von IPFS Segen und Fluch zugleich ist, da das Gesamtsystem zwar robust gegen Angriffe ist, gleichzeitig aber eine umfassende Überwachung der Netzwerkteilnehmer ermöglicht wird. Im Rahmen der wertstabilen Kryptowährungen wird ein Klassifikations-Framework vorgestellt und auf aktuelle Entwicklungen im Gebiet der "Stablecoins" angewandt. Mit diesem Framework wird somit (1) der aktuelle Zustand der Stablecoin-Landschaft sortiert und (2) ein Mittel zur Verfügung gestellt, um auch zukünftige Designs einzuordnen und zu verstehen.
... We denote the set of miner nodes by M where M ⊆ N . To mine, m ∈ M has to solve a computation-intensive puzzle (i.e., Proof of Work [17]) using its computational hashing power q m where q m > 0. Given a block header h i and a threshold µ 5 (i.e., the difficulty level), each miner repeatedly selects a nonce value η i until it get a hash-code lower than µ with brute force. The miner then creates an ith block b i and broadcasts it to its neighbours N m . ...
... The secondary effect of this improvement is that knowing the exact block b i may reduce this excessive processing cost for validation since UXTOs can be found much more quickly 17 . Currently, there are around 100 million of UTXOs in Bitcoin 18 . ...
... DPoS,, last access on 24/03/2022.17 The expensive element of transaction validation is the verification of the script[48].18 ...
The proof-of-work (PoW) algorithm has been initially used in Bitcoin and is now one of the mainstream consensus algorithms to create immutable ledgers of transactions. However, it is still not very well understood, and as such, its entire strength remains undervalued. While some researchers classify it as a Nakamoto consensus algorithm, some other researchers do not even consider it as a consensus algorithm. In this article, the objective is to shed light on classifying PoW. To this end, we make a theoretical analysis from a coordination perspective, and then we conclude that PoW is a stigmergic consensus algorithm where the trace left by an action in the blockchain through indirect coordination of agents stimulates a subsequent action and eventually creates a single chain of blocks. In other words, PoW is a form of stigmergic coordination toward emergent behavior of a blockchain system. Based on this identification, we further analyze the fundamental properties of PoW. Finally, we reengineer PoW by improving its missing stigmergic mechanisms, and we provide a discussion.
... The idea behind a PoW protocol is to make validation tasks difficult to perform, but trivial to verify. This idea was first presented as a solution to the email-spamming issue [134] and applied in a system called Hashcash [135]. The email sender should solve a cryptopuzzle finding the hash of a string, containing all the necessary information of the receiver, which has to meet a certain target. ...
... As presented in Chapter 1 (Section 1.3), blockchain transactions are collected in blocks, validated and published on the distributed ledger. Nakamoto [20] proposed a Proof-of-Work system based on Back's Hashcash algorithm [135] that validates blocks and chains them one to another. Let us recollect that the Proof-of-Work system requires finding an input of a predefined one-way function (e.g., hash function) generating an output that meets the difficulty target. ...
The disruptive technology born in 2008 with Bitcoin and known as blockchain represents a significant quality leap from the distributed database technology. Distributed systems theory provides then models and techniques to analyze some protocols characterizing the technology, however in order to analyze a blockchain system additional considerations on its users need to be done. This thesis aims at analyzing the different behaviors of the users operating in blockchains or more in general in DLTs (i.e., Distributed Ledger Technologies).The latter are considered as rational agents, fully aware of all actions available to them and capable of choosing the one they feel is the best for themselves. Game theory is then used to model situations where users are called to choose and perform certain actions within the DLT environment. This thesis analyzes different users as well as different blockchains with the scope of providing a general overview on the topic and formal results on their behaviors ; users may indeed be honest vis-à-vis of other users or they may behave maliciously (as Byzantine nodes) attacking the blockchain system.
... The initial introduction of the client puzzle was given by Dwork and Naor [13] to combat the spam attacks. Client puzzles can be categorized into different types based on the resource used by the client for solving the puzzle such as number of CPU cycles or a number of memory access, quantifying CPUbound puzzles [5] and memory-bound puzzles [1] respectively. Several client puzzles such as Time-lock puzzles [29], Hash-chain [24] and Equihash [7] are employed in the blockchain ecosystem. ...
Denial of Service (DoS) attacks are a growing threat in network services. The frequency and intensity of DoS attacks are rapidly increasing day by day. The immense financial potential of the Cryptocurrency market is a prevalent target of the DoS attack. The DoS attack events are kept on happening in cryptocurrencies and the blockchain ecosystem. To the best of our knowledge, there has not been any study on the DoS attack on the blockchain ecosystem. In this paper, we identify ten entities in the blockchain ecosystem and we scrutinize the DoS attacks on them. We also present the DoS mitigation techniques applicable to the blockchain services. Additionally, we propose a DoS mitigation technique by the use of verifiable delay function (VDF).
... Blockchains started with the Bitcoin-paper [29], published under the pseudonym of Satoshi Nakamoto. Bitcoin incorporated then existing technologies like cryptographic hashes, cryptographic signatures and was built on prior ideas like DigiCash (using Blind Signatures) [30] and Proof of Work (POW) Hashcash [31]. The purpose of Bitcoin was to create a peer-to-peer version of electronic cash. ...
... The initial introduction of the client puzzle was given by Dwork and Naor [13] to combat the spam attacks. Client puzzles can be categorized into different types based on the resource used by the client for solving the puzzle such as number of CPU cycles or a number of memory access, quantifying CPUbound puzzles [5] and memory-bound puzzles [1] respectively. Several client puzzles such as Time-lock puzzles [29], Hash-chain [24] and Equihash [7] are employed in the blockchain ecosystem. ...
Full-text available
Denial of Service (DoS) attacks are a growing threat in network services. The frequency and intensity of DoS attacks are rapidly increasing day by day. The immense financial potential of the Cryptocurrency market is a prevalent target of the DoS attack. The DoS attack events are kept on happening in cryptocurrencies and the blockchain ecosystem. To the best of our knowledge, there has not been any study on the DoS attack on the blockchain ecosystem. In this paper, we identify ten entities in the blockchain ecosystem and we scrutinize the DoS attacks on them. We also present the DoS mitigation techniques applicable to the blockchain services. Additionally, we propose a DoS mitigation technique by the use of verifiable delay function (VDF).
... To implement the distributed timestamp server on the peerto-peer network, bitcoin uses the hashcash [10] proof of work algorithm with SHA-256 being used as the cryptographic hash function. The algorithm is a complex cryptographic puzzle with the goal of getting the hash value less than the given target value. ...
Full-text available
Recently, there has been a remarkable amount of research being done in both, the fields of Blockchain and Internet of Things (IoT). Blockchain technology synergises well with IoT, solving key problems such as privacy, concerns with interoperability and security. However, the consensus mechanisms that allows trustless parties to maintain an agreement, the same algorithms that underpins cryptocurrency mining, are usually extremely computationally expensive, making implementation on low-power IoT devices difficult. More importantly, mining requires downloading and synchronizing hundred of gigabytes worth of blocks which is far beyond the capabilities of most IoT devices. In this paper, we present an efficient, portable and platform-agnostic cryptocurrency mining algorithm using the Stratum protocol to avoid downloading the entire blockchain. We implement the algorithm in four different platforms- PC, ESP32, an emulator and an old PlayStation Portable (PSP) to demonstrate that it is indeed possible for any device to mine cryptocurrencies with no assumptions except the ability to connect to the internet. To make sure of ease of portability on any platform and for reproducibility of the reported results we make the implementation publicly available with detailed instructions at:
... Bitcoin tak samo jak jego poprzednicy użył algorytmu proof-of-work [9], jednak nie tylko do wytwarzania nowych jednostek, ale przede wszystkim do osiągnię-cia globalnego konsensusu -rozwiązując w ten sposób problem podwójnego wydawania (ang. double spending problem). ...
Full-text available
Bitcoin wprowadził innowację na wielu płaszczyznach. Jako pierwszy rozwiązał problem osiągania konsensusu w sieciach otwartych, stworzył zagadkę ekonomiczną w postaci globalnej waluty deflacyjnej, pozwolił na transfer pieniędzy tym, którzy wcześniej byli wykluczeni bankowo, ale przede wszystkim stworzył fundamenty pod platformę zdecentralizowanego zaufania. Zapoczątkował technologie zdecentralizowanych aplikacji, które dotychczas nie mogły istnieć bez zaufanej trzeciej strony. W pracy opisana została ta ostatnia płaszczyzna.
Full-text available
Blockchain enables a digital society where people can contribute, collaborate, and transact without having to second-guess trust and transparency. It is the technology behind the success of Bitcoin, Ethereum, and many disruptive applications and platforms that have positive impact in numerous sectors, including finance, education, health care, environment, transportation, and philanthropy, to name a few. This chapter provides a friendly description of essential concepts, mathematics, and algorithms that lay the foundation for blockchain technology.
Full-text available
We present a distributed efficiently amortizable CPU cost-function with no trap--door. The absence of a trap--door allows us to avoid needing to trust any party.
Conference Paper
ABSTRACT We describe the design of a censorship-resistant system that em- ploys a unique document,storage mechanism.,Newly published documents,are dependent,on the blocks of previously published documents. We call this dependency,an entanglement. Entangle- ment makes replication of previously published content an intrinsic part of the publication process. Groups of files, called collections, can be published together and named,in a host-independent manner. Individual documents,within a collection can be securely updated in such a way that future readers of the collection see and tamper- check the updates. The system employs,a self-policing network of servers designed to eject non-compliant servers and prevent them from doing more harm than good.
Conference Paper
We formalize the notion of a proof of work (POW). In many cryptographic protocols, a prover seeks to convince a verifier that she possesses knowledge of a secret or that a certain mathematical relation holds true. By contrast, in a POW, a prover demonstrates to a verifier that she has performed a certain amount of computational work in a specified interval of time. POWs have served as the basis of a number of security protocols in the literature, but have hitherto lacked careful characterization. In this paper, we offer definitions treating the notion of a POW and related concepts. We also introduce the dependent idea of a bread pudding protocol. Bread pudding is a dish that originated with the purpose of reusing bread that has gone stale. In the same spirit, we define a bread pudding protocol to be a POW such that the computational effort invested in the proof may be reused by the verifier to achieve a separate, useful, and verifiably correct computation. As an example of a bread pudding protocol, we show how the MicroMint scheme of Rivest and Shamir can be broken up into a collection of POWs. These POWs can not only serve in their own right as mechanisms for security protocols, but can also be harvested in order to outsource the MicroMint minting operation to a large group of untrusted computational devices.
Conference Paper
We present a computational technique for combatting junk mail, in particular, and controlling access to a shared resource, in general. The main idea is to require a user to compute a moderately hard, but not intractable, function in order to gain access to the resource, thus preventing frivolous use. To this end we suggest several pricing functions, based on, respectively, extracting square roots modulo a prime, the Fiat-Shamir signature scheme, and the Ong-Schnorr-Shamir (cracked) signature scheme.
Conference Paper
Client puzzles are commonly proposed as a solution to denial-of-service attacks. However, very few implemen- tations of the idea actually exist, and there are a num- ber of subtle details in the implementation. In this pa- per, we describe our implementation of a simple and backwards compatible client puzzle extension to TLS. We also present measurements of CPU load and latency when our modified library is used to protect a secure webserver. These measurements show that client puz- zles are a viable method for protecting SSL servers from SSL based denial-of-service attacks.
Our motivation is the notion of "timed-release crypto", where the goal is to encrypt a message so that it can not be decrypted by anyone, not even the sender, until a pre-determined amount of time has passed. The goal is to "send information into the future." This problem was first discussed by Timothy May [6]. What are the applications of "timed-release crypto"? Here are a few possibilities (some due to May): -- A bidder in an auction wants to seal his bid so that it can only be opened after the bidding period is closed. -- A home owner wants to give his mortgage holder a series of encrypted mortgage payments. These might be encrypted digital cash with different decryption dates, so that one payment becomes decryptable (and thus usable by the bank) at the beginning of each successive month. -- An individual wants to encrypt his diaries so that they are only decryptable after fifty years. -- A key-escrow scheme can be based on timed-release crypto, so that the government can get...
We describe a system that we have designed and implemented for publishing content on the web. Our publishing scheme has the property that it is very di#cult for any adversary to censor or modify the content. In addition, the identity of the publisher is protected once the content is posted. Our system di#ers from others in that we provide tools for updating or deleting the published content, and users can browse the content in the normal point and click manner using a standard web browser and a client-side proxy that we provide. All of our code is freely available. 1