Foundations, Properties, and Security Applications of Puzzles: A Survey

04/23/2019 ∙ by Isra Mohamed Ali, et al. ∙ Hamad Bin Khalifa University 0

Cryptographic algorithms have been used not only to create robust ciphertexts, but also to generate cryptograms that, contrary to the classic goal of cryptography, are meant to be broken. These cryptograms, generally called puzzles, required the use of a certain amount of resources to find the solution, introducing a time delay and, in some cases, an economic cost. These powerful features have made puzzles the core of many security protocols, giving them increasingly importance in the IT security landscape. The concept of puzzle has subsequently been extended to other types of schemes that do not use cryptographic functions, like CAPTCHAs, used to discriminate humans from machines, and has experienced a renewed interest with the advent of Bitcoin. In this paper, we provide a comprehensive study of the most important puzzle construction schemes present in the literature, categorizing them according to several attributes, such as resource type, verification type, and applications. We have redefined the term puzzle by collecting and integrating the scattered notions used in different works, to cover all the existing applications. Finally, we provide an overview of the possible applications, identifying key requirements and different design approaches. Then, we highlight features and limitations of each approach, providing a useful guide for the future development of new puzzle schemes.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

The concept of a ’puzzle’ in the field of security dates back to 1978, when was first introduced by Merkle [1] as a method for key agreement over insecure channels. Since the mid nineties, puzzles have witnessed a growing interest by the research community in a variety of security fields ranging from cryptography and network security to computer performance and bio-metric technologies.

Puzzles constitute the core of many security protocols. They have been proposed as a mechanism for a number of security goals, including defending against large-scale attacks, delaying the disclosure of information, creating uncheatable benchmarks, achieving consensus, and differentiating between humans and internet bots.

A puzzle is a moderately hard problem that is much easier to verify than to solve. Two key features of puzzles are the asymmetry and adjustability of workload. The solver is forced to dedicate a non-trivial amount of resources to find a solution, while the verifier can instantly check its validity and correctness. The adjustability of its hardness enables the verifier to control the minimal amount of time and resources to be spent by the solver.

The process of spending resources to solve a puzzle not only introduces a time delay, but also adds an economic cost. The combination of these two effects makes puzzles a powerful tool that can be utilized to limit the abilities of adversaries and prevent them from gaining significant influence. The first to observe this were Dwork and Naor [2] in 1992, who proposed a type of puzzles, called pricing functions, as a solution to combat spam. In a similar context, client-puzzles were later introduced by Juels and Brainard [3] to defend against denial of service attacks. The general idea of such puzzles is to associate a cost for each resource allocation request by requiring the client to solve a puzzle before the server engages in any costly operation, hence making large-scale attacks infeasible.

One of the most impactful adaptations of puzzles is in cryptocurrencies and other emerging technologies of blockchain. The idiosyncratic features of the puzzles known as proofs-of-work, had paved the way to the implementation of a fully decentralized peer-to-peer cryptocurrency system. The idea of using puzzles in the creation of a digital-cash payment system has been long investigated [4, 5, 6], but only successfully implemented when Nakamoto first launched the Bitcoin project [7] in 2008. The puzzle is used to secure the public ledger of transactions by requiring miners to find a solution before being able to add a block to the ledger. The computational cost imposed by the puzzle prevents a computationally bounded adversary from double-spending transactions or effectively rewriting the ledger. The uniqueness and scarcity provided by the puzzle gives the currency an economic value and enables the process of minting currency [8]. Furthermore, the probabilistic nature of such puzzles along with the monetary rewards incentivize miners to participate in the system.

Another common adaptation of puzzles is in Bot detection by web-based services. Companies such as Google, Yahoo, and Paypal, use a special type of puzzles, widely known as CAPTCHAs, to ensure that the client is a human being and not an automated program. This type of puzzles enables human identification by using AI-hard problems that, ideally, can not be solved by machines but can be easily solved by a simple human interaction [9]. The human feature provided by this type of puzzles is leveraged to slow attackers down and prevent abuse caused by malicious bot programs masquerading as humans.

The early puzzle designing approaches concentrated on computational problems that are evaluated by the number of CPU-cycles required to find a solution. An example of such puzzles is the one used in many proposals, including Bitcoin, and was initially introduced by Back [10] in the HasCash system in 1997. The puzzle requires finding an input to a hash function such that the result has a fixed number of trailing zeros. A major drawback of such puzzles is the possible mismatch of processing speeds among different types of machines and over time [11]. This problem was addressed by Abadi et al. [12] in 2003, who introduced an alternative computational approach that relies on memory-latency, known as memory-bound functions. Since memory-latency varies much less than CPU-speeds, most recent systems will solve the puzzle at about the same speed. Another approach was to rely on network latency by Abliz and Tznati [13]. Subsequently, several works that rely on memory and bandwidth were presented in different research areas.

Although there have been a wide-range of applications for puzzles and a number of proposed construction schemes, as far as we know, there has not been any attempt to characteristically distinguish puzzles from other related notions. In this paper, we define the term ’puzzle’ as an umbrella name that covers all moderately hard functions which are relatively easier to verify than to solve.

Contributions This work can be seen as an extensive introduction to puzzles which provides the reader with a theoretical background and an overview on the different types of puzzles. Our work aims to fill the gap between the rapid-growing works on puzzles and the lack of a comprehensive survey that covers the different types of puzzles. Another aim is to clarify the connections and differences between the terms and notions used to describe a puzzle. We summarize our contributions of this work as follows:

  • Collect and integrate the scattered notions of puzzles into a uniform introductory work.

  • Determine the criteria for puzzle categorization.

  • Provide an overview of the applications of puzzles, and identify the key requirements and the challenges faced in each application field.

  • Examine the different approaches used in the design of puzzles, and identify the features and limitations of each one, ideally inspiring the development of effective puzzle schemes.

Roadmap. The rest of this paper is organized as follows. Section 2 provides an introductory overview on puzzles and describes their different types. Section 3 lists the properties and idiosyncratic features of puzzles. Section 4 provides a survey on the applications of puzzles, states the key requirements for each field, and discusses the viability of puzzles in each application field. Section 5 provides an in-depth survey of the state-of-the-art construction schemes and further developments. Finally, Section 6 concludes the survey by summarizing the contributions.

Fig. 1: Phases of a puzzle scheme.

2 Foundations and Background

Unlike traditional security problems and algorithms, such as cryptograms which ideally cannot be cryptanalyzed, a puzzle is described as a problem that is meant to be solved [1]. It is easy to verify, such that it is easy to determine if the given inputs produce the given outputs, but moderately hard to solve, such that it is solvable in reasonable time [2]. Solving it involves performing a number of operations that require a specific amount of resources, such as CPU cycles, memory, bandwidth, and human’s attention. The terms ’easy’, ’moderate’, and ’hard’ are relatively used, since their exact definitions depend on the application and implementation of the puzzle.

The solution of a puzzle in some cases serves as a proof of work (PoW), in which it demonstrates to one party (the verifier) that the other party (the prover) has expended a certain level of computational effort in a specified time interval [14]. In this sense, the purpose of puzzles differs from the standard cryptographic objective of showing the possession of a secret to proving the ability to expend a certain amount of resources within a certain time interval instead. Anyone without the secret can solve the puzzle but only in one way, which includes dedicating a minimal amount of resources. In the following, we describe the abstract structure of puzzles and present their different categories.

2.1 Abstract Structure of Puzzles

The abstract structure of a puzzle scheme involves two parties, a verifier and a prover. The verifier determines the parameters of a puzzle and checks the correctness and validity of the solution submitted by the prover. The prover solves the puzzle to prove that it is a legitimate party or to obtain a specific reward.

A puzzle consists of three main components: input parameters, a difficulty-level parameter and a tunable function. Input parameters are application related data, such as the message in spam defense or block of transactions in cryptocurrencies. The difficulty-level parameter plays a role similar to that of a security parameter in a cryptosystem [2]. It determines the hardness of a puzzle and its effectiveness. The issuer should be able to tune the difficulty level flexibly according to the threat level and to accommodate Moore’s Law. Otherwise, the tunable function could not adapt to the changing amount of computational power and resources over time. In general, tuning the difficulty involves adjusting the size of the solution search space or revealing different degrees of the puzzle’s solution.

Any puzzle scheme can be abstracted into three main phases, as illustrated in Figure 1: Construction, Solving, and Verification. In the Construction phase, a puzzle may be constructed by the verifier or the prover, depending on the scheme type (whether it is interactive or non-interactive). It may also include some offline precomputations to reduce the online construction cost. This phase provides the two parties the information needed to execute subsequent phases. Once the puzzle is constructed, the prover starts performing the required operations to find a solution, and then submits it to the verifier within the specified time interval. In the Verification phase, the verifier checks the validity and correctness of the submitted solution. In some applications, such as time-release cryptography [15], an implicit puzzle scheme is used, where the verification phase is not explicitly required.

2.2 Types of Puzzles

Puzzles can be categorized based on their application, the resources required to solve them, or the verification type of the scheme. The application determines the way in which a puzzle can be utilized. It also defines the requirements and desirable properties of the puzzle scheme. The resources required to solve the puzzle defines the metric by which its hardness is measured, whether it is computational steps, memory accesses, memory space or bandwidth etc. Finally, the verification type refers to the means by which the solution of a puzzle is used and whether it requires implicit or explicit verification.

2.2.1 Application

A number of security protocols in the literature have relied on the use of puzzles. Historically, puzzles have been utilized as a pricing tool in order to assign a certain cost for accessing a resource or service, as a delaying tool to delay accessing a specific resource, as a metering tool to meter the access of a specific resource, as an identity assignment tool to achieve consensus in decentralized systems, and as a human identification tool to differentiate between humans and bots.

Following we list the different types of puzzles based on the way they are applied and present a brief description of each.

  • Pricing puzzle: As defined by Dwork and Naor [2], is a function that is moderately-hard to compute and requires a known lower-bound investment of resources. It is not amenable to amortization and cannot be computed more efficiently after some pre-processing. The difficulty of computing a pricing puzzle is leveraged to increase the cost of launching automated large-scale attacks. It is usually applied in contexts where the low cost of using a service leads to abuse.

  • Delaying puzzle: Also known as time-lock puzzle [15], it is a moderately-hard function that requires a precise amount of time (real time, not CPU-time) to compute. It can only be computed sequentially by performing a deterministic number of computations, and cannot be solved significantly faster with large investments in hardware. The number of computation steps required to find the solution is predetermined by the puzzle issuer allowing him to control precisely when the prover can access the ’locked’ resource.

  • Timing puzzle: As first introduced by Franklin and Malkhi [16], is a moderately-hard function that requires performing computations incrementally with increasingly large efforts invested. At every incremental step of the computation, a solver can produce a solution which verifies that a given state is indeed the current state of the computation [17]. The number of computation steps is determined in the solving phase instead of being fixed during the construction phase (as in delaying puzzles). The difficulty of solving a timing puzzle is used to ensure the security of a metering/measuring method.

  • AI-hard puzzle: As described by Ahn et al. [9], it is a function which can generate and grade tests that a certain fraction of the human population can pass but current computer programs cannot pass. Ideally, it is hard for a machine to compute, which allows ensuring that a human is in the communication channel and not a bot.

Puzzles provide several features that may be exploited to achieve a specific effect. For example, the process of spending resources to solve a puzzle results in a time delay, which enables the verifier to control when the prover may access the protected service. This feature is exploited by several schemes to achieve the timing effect. Generally, the application of a puzzle is motivated by one or more of the following features:

  • Computation: This feature requires dedicating a certain amount of resources to solve the puzzle. It is utilized in order to associate a cost to a specific service or activity, such as sending an email or mining cryptocurrencies.

  • Timing: This feature requires the prover to spend a specific amount of time in solving the puzzle. It is utilized to introduce a delay or to measure the time spent on a specific activity, such as visiting a website.

  • Human: As the name implies, this feature requires human interaction to find a solution, since it cannot be solved automatically by machines. It is utilized to differentiate between humans and machines.

The timing feature is tightly related to the other features, however, schemes which are mainly motivated by time are not affected by the amount of resources used to solve the puzzle. In particular, puzzles which are used as a timing or a delaying function cannot be solved faster using more resources, such as multi-processors in parallel computing. On the other hand, puzzles which are used as a pricing function are designed to ensure that the prover performs a certain amount of computational work that introduces a cost and limits the rate of a specific attack to the amount of resources available to adversaries. Unlike timing puzzles, the time required to solve a pricing puzzle is probabilistic, where it has a predictable expected time but a random actual time [10]. Finally, human puzzles, such as CAPTCHAs [9], are the only type of puzzles that has the human feature, in which they are mainly designed to ensure that the prover is a human. We would like to note that human puzzles may be considered as computational puzzles, where the computational work is performed by the human and the dedicated resource is his attention.

2.2.2 Resource Type

Puzzles are either CPU, memory, bandwidth, network or human bound (AI hard).

  • CPU-bound puzzles: the computation is measured by the number of CPU cycles required to find the solution, which varies vastly in time according to Moore’s law, as well as across different machines.

  • Memory-bound puzzles: the computation is evaluated either by the number of memory accesses or the amount of memory space required to solve a puzzle. Therefore, the computation speed of these schemes is bound by memory latency and bandwidth.

  • Bandwidth-bound puzzles: are evaluated by the amount of bandwidth dedicated to solve the puzzle.

  • Network-bound puzzles: the time required to solve the puzzle is bounded by network latency as, the solving process involves sending and receiving packets in a certain order.

  • Human-bound puzzles:

    are puzzles that cannot be computed by artificial intelligence but can be easily solved by a simple human interaction. They are evaluated not by the amount of computational resources but by the amount of attention a human dedicate to solve the puzzle.

2.2.3 Verification Type

The verification of a puzzle scheme can either be explicit, where it is performed by the verifier or implicit, where it is determined by the prover or any other party [14]. In Figure 2, we illustrate the different types of puzzle schemes based on the verification type and interactivity.

  • Explicit: In an explicit puzzle scheme, the solution serves as a way of convincing the verifier that a specific amount of effort is spent. The scheme can either be interactive of multiple communication rounds or non-interactive of one communication round, where the prover generates and solves the puzzle in the absence of the verifier. A non-interactive puzzle can be applied in an interactive scheme as a challenge-response protocol, while the converse is not possible. In non-interactive schemes, it is necessary to ensure that the prover cannot effectively control the puzzle generation nor he can precompute the solution. This can be achieved by referencing the puzzle generation to a public source of randomness.

  • Implicit: In an implicit puzzle scheme, the prover or any other party is capable of verifying a correct solution without the participation of the puzzle issuer (verifier). The verification is determined by the ability of the prover to perform a given task, such as decrypting a message using the key obtained from solving time-lock puzzles [15]. An implicit puzzle scheme is considered as a special type of non-interactive puzzle schemes since it requires only one communication round .

Fig. 2: Types of puzzle schemes: (a) is an explicit interactive scheme, (b) is an explicit non-interactive puzzle scheme, and (c) is an implicit puzzle scheme.
Categorized by Application Resource Type Verification
    Pricing function
    Delaying function
    Timing function
    AI-hard function
TABLE I: Categorization of puzzles.

3 Idiosyncratic Features

The fundamental requirement of a puzzle, as first introduced, is that it should be easy to verify but moderately hard to solve. With the evolution of puzzles in variant security fields many properties and desirable requirements were defined to form an effective puzzle. In this section we list and discuss the main properties of puzzles.

List of properties and characteristics

  1. Asymmetry: This property describes the nature of a puzzle, as introduced by Dwork and Naor [2]. The amount of work required by each party is asymmetric; it should be much easier for the verifier to generate a puzzle and verify a solution than for the prover to find a solution.

  2. Granularity and parameterization [2]: There should be proper parameters that could be adjusted to allow the puzzle to scale with Moore’s law. The verifier should be able to generate puzzles of fine-grained difficulty. This enables the verifier to adjust the puzzle difficulty flexibly according to the threat level against the underlying application. If the gap between two adjacent difficulty levels is large, then increasing the difficulty would add huge workload on legitimate parties. Linear-grained puzzles have the highest density of difficulty levels, while exponential-grained puzzles have the lowest density.

  3. Amortization-Freeness [2]: The prover should not be able to produce multiple solutions with a cost equivalent to that of producing one solution.

  4. Independence[2] /Correlation-free [51]: Solving a puzzle or knowing the solution of previous puzzles does not help in solving others.

  5. Efficiency: This describes the efficiency of a puzzle measured in terms of cost and overhead introduced to both parties of the puzzle scheme, as follows:

    1. Low construction and verification cost: It is not enough to maintain a work gap between the verifier and prover, but also to not incur a burden on the verifier that subjects it to resource-exhaustion attacks.

    2. Stateless [3]: A stateless puzzle scheme does not require the verifier to store any information to be able to verify a solution, which is desirable in constrained environments.

    3. Memory-less [18]: A memory-less puzzle scheme does not require the verifier to access the main memory for verification. This property is desirable for memory-bound/hard schemes to enable fast verification and allow low-memory verifiers to participate in the scheme.

    4. Minimum interference [51]: The operations performed to solve a puzzle should not interfere with concurrently running applications.

    5. Minimum communication complexity [19]: Refers to the bandwidth and number of rounds required to exchange puzzles and solutions between the two parties. A puzzle scheme should have very low communication complexity and should not add significant traffic to the network.

  6. Unforgeability [20]: Initially introduced by Chen [20], the prover should be unable to forge a puzzle in a way that allows him to precompute the solution. The lack of this property makes the puzzle ineffective in many applications, such as mitigating DoS attacks.

  7. Freshness [21]: This property is also referred to as tamper-resistance by Feng et al. [21], which indicates that the puzzle’s solution is not valid indefinitely and cannot be reused by other provers. In other words, the puzzle scheme should be resilient to replay and precomputation attacks.

  8. Uniqueness [21]:This could be a trivial property, however, in contexts such as time-release crypto, it is essential to have a unique solution for each puzzle since the solution is used as a key to decrypt the ciphertext.

  9. Puzzle fairness [51]: As defined by Abliz and Znati [51], the time required to solve a puzzle should be similar for all solvers despite their available resources (CPU, memory and bandwidth). This property eliminates the disparity problem between a powerful attacker and a legitimate prover.

  10. Non-parallelizability [15]: The puzzle can only be solved in sequential steps and cannot be solved in parallel using multiple machines. This property is necessary for achieving the timing effect and ensuring puzzle fairness. It ensures the effectiveness of a puzzle against high-end adversaries, who utilize parallel computing to solve the puzzle faster.

  11. Deterministic [22](Low cost variance): For delaying and timing puzzle schemes, such as time-lock puzzles [15]

    , the number of operations performed to solve a puzzle should be deterministic in order to control the amount of computing time required. Other type of puzzles may have a probabilistic cost, where solving the puzzle has a predictable expected time but a random actual time. In general, lower variance in cost provides better control over the puzzle difficulty and assures puzzle fairness.

  12. Progress-free [18]:

    In applications, such as cryptocurrencies, the scheme is required to be stochastic such that the probability of finding a solution grows steadily with time and is independent of the amount of effort already spent in solving the puzzle.

  13. Interactiveness [14]: A puzzle can be either interactive or non-interactive. The former requires the verifier to send the challenge (such as client puzzles against DoS), while the latter can be constructed in the absence of the verifier (such as PoWs used in blockchain systems).

  14. Publicly Verifiable [14]: In some non-interactive puzzle schemes, such as Hashcash, the verification can be performed by any other party without the participation of the puzzle issuer. This property is essential in decentralized systems, where any participant in the network can verify the solution without requiring a central authority or server.

  15. Trapdoor-based [2]: A trapdoor mechanism is used in some puzzles to lower the complexity of puzzle verification by storing private information that makes solving the puzzle easier. This property may preclude public auditing, where the verifier have conflict of interests, such as in web visit metering [16]. A trapdoor-free puzzle provides trust in decentralized systems, such as cryptocurrencies, by ensuring that the issuer has no advantage in solving the puzzle and cannot forge the proof.

4 Applications

The idea of using moderately hard problems that are much easier to verify than to solve have been long investigated in various application fields. Puzzles are referred to, in the literature, as proofs-of-work (PoWs), timing functions, delaying functions, cost/pricing functions, AI hard functions and CAPTCHAs. Each term is used to describe the application of a puzzle. Nevertheless, they all share the same property of being moderately hard to solve that a polynomial-time party can successfully find a solution by dedicating a specific amount of resources. Most puzzles were first designed for a specific application, however, researchers are currently investigating the possibility of designing a multipurpose moderately hard function that can be applied in several security fields [23].

In this section, we review the significant applications of puzzles and categorize them based on the way a puzzle is used (as a pricing, delaying, timing or AI function). We also discuss the key requirements and the viability of each type in each application field. Generally, all type of puzzles should be easy-to-verify, amortization-free, unforgeable, fresh, and efficient. For each application there are specific requirements and properties that are not as important as in other fields. In Table II we summarize the puzzles based on their application and present the key requirements for each application.

4.1 Pricing puzzles

The idea of pricing puzzles is to impose a cost for accessing services that can be easily abused by attackers. The requester of a service is charged with the amount of resources required to find the solution of a problem that is much harder to solve than to verify. Following we present the different security fields that pricing puzzles are applied in and discuss the key requirements and viability of each.

4.1.1 Key agreement

The notion of ‘puzzle’ was first introduced by Merkle [1], in 1978, as a method for key agreement over insecure channels. The objective is to allow any two parties to agree on a secret key that will not be known to eavesdroppers. In this scenario, the protocol initiator plays the role of the verifier, in which he constructs a puzzle consisting of N encrypted keys and verifies the solution submitted by the other party (prover). The other party solves the puzzle by selecting one of the encrypted keys and decrypting it using brute-force, then sending its ID to the verifier. Without knowing which key is mapped to that ID, an eavesdropper must decrypt the N keys at random until he encounters the correct one, which requires an effort of . Unlike other puzzle schemes, Merkle’s puzzle is required to be infeasible for any polynomial-time party. This requirement makes the method insecure, however, it offers the feature of workload adjustability. The puzzle issuer can control the solution cost by adjusting the difficulty parameter. This feature is exploited by several works to provide a light-weight pairwise key agreement protocol for resource-constrained environments, such as wireless sensor networks [24, 25] and low-energy Bluetooth devices [26].

4.1.2 Spam Defense

In 1992, Dwork and Naor [2] suggested using puzzles as an access control mechanism. They introduced the concept of pricing functions that increase the cost of sending emails in order to mitigate spam. Their approach is fundamentally an economic one, in which the processing time dedicated to solve the puzzle is a finite resource. Therefore, spammers are limited to the amount of computing resources they can afford, which prevents them from sending emails in bulk.

It is an non-interactive explicit puzzle scheme, where the prover is the sender of an email and the verifier is the recipient. The sender is required to construct the puzzle using time, destination, and message as input parameters, then find a solution and send it along with the email. The recipient verifies the attached solution and accepts the email only if the solution is valid.

In 1997, Back [10] rediscovered the idea and implemented the Hashcash system, which was originally intended for spam and DoS defense, and currently used in Bitcoin [7]. Hashcash is a non-interactive trapdoor-free proof-of-work system that has an unbounded probabilistic solution cost.

Requiring a puzzle for each email would not only disincentivize spammers but also prevent legitimate mass mailing since it requires a significant expenditure of resources. To solve this problem, Dwork and Naor [2] introduced the idea of a trapdoor-based puzzle, which is much easier to compute given some secret information. Legitimate bulk mail can only be sent cheaply by a centralized trusted authority that holds the secret information. While Hashcash is a decentralized solution that provides better efficiency and resiliency against pre-computation attacks, it does not solve the legitimate mass mailing problem. Nevertheless, it has been deployed in several projects including SpamAssasin [27] and Penny Post [28].

Key Requirements To be applied as an anti-spam mechanism, a puzzle scheme should not incur a significant burden on legitimate parties. It should be efficient and non-interactive to avoid requiring the recipient to interact with the sender before receiving an email. It should also consider the sharp disparities across computer systems, as observed by Abadi et al. [12], in which it may be ineffective against powerful spammers with high-end systems, restrictively slow for legitimate users with low-end systems, or both. They suggest using memory-bound puzzles since memory access speeds vary much less than processor speeds. Further developments on memory-bound puzzles in spam defense are proposed in [11, 29] and discussed in section 5.2.

Viability Laurie and Clayton [30] analyzed the viability of pricing puzzles as an anti-spam mechanism and concluded that a universal scheme where every email carries a fixed-cost puzzle is impractical for two reasons. First, a significant proportion of legitimate users are also affected by the added cost preventing them from accessing the service. Second, spammers can access insecure end-user machines to steal CPU-cycles and solve puzzles. Instead, they suggest incorporating puzzles with other techniques, such as whitelists, to vary the hardness of the puzzle and reduce the burden on legitimate senders. They also suggest using human-bound puzzles, such as CAPTCHAs [9], which are presumably more difficult to steal. On the other hand, several research papers showed that when used with other mechanisms, such as reputation systems [31], pricing puzzles can actually work in spam defense.

4.1.3 DoS Defense

Client puzzles are a type of pricing puzzles used to defend against denial of service (DoS) attacks. Namely, resource depletion attacks that prevent the victim from processing legitimate requests for a service in a server-client setting. Before allocating any resources for a given request, the server requires the client to commit some of its resources by solving a puzzle. Requests that do not include a correct solution are dropped. Legitimate clients may experience a degradation in service, however, attackers are unable to send large number of requests simultaneously due to the time delay introduced by the puzzle.

The two key features of a puzzle that qualify it as an anti-DoS mechanism is workload adjustability and asymmetry. The former allows the server to adjust the difficulty level of the puzzle according to the current threat level, by initially setting it to zero when there are no attacks and increasing it as the intensity of the attacks increases. While the latter shifts the workload from the server to the client as, it is much easier for the server (verifier) to generate and verify a puzzle than for the client (prover) to solve the puzzle.

The first construction scheme of client puzzles was proposed by Jules and Brainard [3] as a countermeasure to connection depletion attacks. Aura et al. [32] later improved and generalized the design of the puzzle to employ it in any authentication protocol. Many construction schemes have been subsequently proposed to protect various types of services including network IP and TCP channels [21, 33, 34, 35, 36], TLS [37, 38], capability-granting channels [39], and key agreement protocols [40]. Despite the various techniques used by these construction schemes, they all must satisfy the fundamental properties described by Feng et al. [21].

Key Requirements For a puzzle to be applied in DoS defense, it should be efficient enough to ensure the availability of the puzzle distribution service and avoid subjecting the scheme itself to a DoS attack. It should be resilient to precomputation attacks where the puzzle solution indicates that the computational effort was recently spent. Furthermore, robust authentication mechanisms must be employed to prevent attackers from spoofing puzzles and disabling the server by falsely triggering the puzzle mechanism against it.

The granularity of the puzzle, which represents the density of difficulty-levels, should be high in order to allow the server to finely control the amount of computational effort spent by the client. Finally, forcing all clients to solve puzzles before allowing access is crucial to mitigate the attack, however, not all clients have the same capabilities. Therefore, the scheme must also consider low-power clients and adjust the level of puzzle complexity to match the client’s capabilities in order to achieve puzzle fairness [41].

Viability The main challenge faced in deploying puzzles as a DoS countermeasure is determining and setting the appropriate difficulty level that limits the abilities of attackers but not legitimate parties. From an economic perspective, the effectiveness of a pricing puzzle can only be achieved when the amount of work required from legitimate clients and attackers differ significantly [30]. The construction scheme must identify and discriminate against known malicious behaviour [41]. Most client puzzle schemes set the difficulty based on a single metric, such as the load on the system [3, 37, 39], the rate at which the client sends requests [21, 42], or the level of demand for the service [34, 35]. However, using a single metric has been proven to be insufficient [43], as it provides clients weak access guarantees at high per-request overhead.

The viability of client puzzles remains an open question. Issues such as constructing puzzles efficiently while ensuring non-parallelizability, adjusting the puzzle difficulty to prevent subversion while maximizing server utilization, and attaining equitable fairness must all be addressed to incentivize its deployment.

4.1.4 P2P Systems and Cryptocurrencies

In the context of decentralized systems, pricing puzzles are used to address various security issues including Sybil [44] and collusion [45] attacks, achieving consensus in a Byzantine setting, and incentivizing correct behaviour by requiring participants to present a proof-of-work and rewarding them for participation. They have found important applications in creating decentralized cryptocurrencies, such as the recent systems Bitcoin [7], Ethereum [46], and Litecoin [47], or earlier schemes such as the Micromint system of Rivest and Shamir [4].

Decentralized dynamic systems are highly vulnerable to the Sybil attack [44], whereby the attacker exploits the low cost of forging multiple identities that allows him to control a substantial fraction of the system and execute further attacks to subvert the system. Pricing puzzles have been long investigated as a decentralized Sybil defence mechanism in a variety of p2p network settings and overlays, including structured [48, 49, 50, 51], and unstructured [7, 46] overlays. The idea is to impose a computational cost on maintaining an identity within the system, hence limiting the proportion of Sybil nodes to the proportion of resources that an adversary can control per time unit.

In p2p identity systems, such as SybilControl [51], the puzzle is used as a distributed admission control mechanism that grants nodes the permission to join and stay functional in the system. In this protocol, all nodes are required to periodically solve a unique puzzle and collectively verify solutions of other nodes. If a node fails to compute the puzzle within the specified time interval, its identity gets revoked.

Decentralized cryptocurrencies, such as Bitcoin [7] and Ethereum [46], utilize pricing puzzles to achieve several goals at once. They exploit the scarcity and uniqueness provided by pricing puzzles to create economic value and mint crypto-currency. More importantly, they use the pricing puzzle as a key component in the blockchain protocol to achieve consensus and prevent double spending [8].

Blockchain is described as a cryptographic data-structure in which a public ledger, that is shared and agreed on by all nodes of the network, is recorded. Compared with the original design of identity pricing puzzle schemes [48, 49], the puzzle in a blockchain network is not used for direct identity verification between peers. Instead, peers are expected to collectively verify puzzle solutions broadcasted by other peers in order to determine who’s block will be considered as the next block in the chain. The Sybil and double-spending attacks are mitigated by associating a computational cost to the process of adding a block to the chain. A comprehensive survey of the consensus protocol design and the consequent influence of blockchain networks is presented by Wang et al. [52].

The cryptocurrency is created by nodes, known as ’miners’, through a process that involves processing a block of transactions and finding a solution to a pricing puzzle that makes the block valid. Once a miner solves the puzzle, it broadcasts the proposed block to all other nodes, and receives a reward only if the block is accepted by the majority of nodes. The validation of that block is done independently by each node in the network, which includes verifying the puzzle solution and correctness of each transaction within the block. Miners are incentivized to act honestly since incorrect puzzle solutions would result in the rejection of the block by the majority of nodes, hence losing the reward and wasting the effort spent in solving the puzzle. Further technical details on Bitcoin and digital currencies is presented in [53].

The difficulty of the pricing puzzle determines the rate at which blocks are added to the blockchain. It is adjusted such that, it is hard enough for an adversary to interfere and alter the system, but easy enough for miners to construct new blocks and unify their views of the public ledger. The robustness of the consensus protocol is achieved under the assumption that a majority of the computing power is held by honest participants who follow the longest chain rule. Formal analysis of blockchain’s security under different network assumptions appear in

[54, 55, 56, 57].

Key Requirements Efficiency is one of the key requirements of a puzzle scheme to be applied in dynamic decentralized P2P systems. The puzzle should be easy to construct and verify, stateless, and compact in order to provide scalability for the underlying protocol. Since a trusted third party does not exist in such environments, the puzzle should be non-interactive, trapdoor-free, and publicly verifiable. Any node in the network should be able to efficiently verify the puzzle solution of any other node without the access to a trapdoor or any secret information. The trapdoor-free property is essential to provide trust in the system.

The freshness of the puzzle should be guaranteed at the execution stage. In particular, the puzzle solution should be unpredictable and non-reusable such that, the computational work is guaranteed and the proof is unforgeable. The puzzle scheme should ensure fairness, in which the probability of solving the puzzle at any given time is proportional to the computational power of the node. This is crucial for cryptocurrencies since solving the puzzle has economical value. Finally, the hardness of the puzzle should be adjustable in order to adapt with the changing scale and settings of the p2p network.

Viability Notably, the most impactful application of pricing puzzles to this date is in the implementation of permissionless p2p systems, namely, blockchain emerging technologies. Although, examples such as Bitcoin and Ethereum demonstrate the success of pricing puzzles in practice, several concerns are raised by the research community regarding the stability of these systems [58], the high power consumption [59] and wastage of resources which increases proportionally to the system’s popularity [60]. Furthermore, the parallelizability nature of the utilized puzzle schemes allow nodes to increase their voting power by using customized hardware (such as ASICs) that solves the puzzle substantially faster. This development in hardware subverts the pricing puzzle approach and implies several threats. In particular, it diminishes the democratic value of decentralized cryptocurrencies by suppressing low-end nodes [53], and enable powerful nodes to collude and alter the system [61]. Several puzzle schemes have been proposed to address these issues including, ASIC-resistant puzzles [18, 62], non-outsourceable puzzles [63], useful puzzles [64, 64, 65], and eco-friendly puzzles [66, 67].

4.2 Delaying and Timing puzzles

The timing feature of a puzzle is exploited by several schemes either to slow down attackers, to lock resources for a precise amount of time, or to measure the time spent accessing a resource. Unlike pricing schemes, delaying and timing schemes are concerned with making CPU time and real time agree with an approximate precision. They achieve this by using inherently sequential problems that have a deterministic solution cost. It is important to note that the solution time of these puzzles is approximately controllable, since different computer systems operate at different speeds. Following we discuss the different application fields of these types of puzzles.

4.2.1 Uncheatable Benchmarks and Auditable Metering

The first proposal in designing a puzzle that requires solving an inherently sequential problem seems to appear in the application of hardware benchmarking in 1993 by Cai et al. [22, 68]. The idea is to validate the performance of a specific hardware by having it compute a puzzle that reflects its computation power. The asymmetry feature provided by puzzles allows customers with low-end machines to verify the benchmark of high-end computer vendors. A customer constructs the puzzle and sends it to a hardware vendor, who finds a solution and submits it as a verification of the claimed hardware performance. The customer then verifies the puzzle and checks that the solution time is indeed within the claimed bound. The soundness of the puzzle scheme would guarantee that the vendor could not cheat by optimizing his code or modifying it.

Franklin and Malkhi [16] initiated the idea of metering client accesses via a timing puzzle. They provided a lightweight security solution for the problem of forged client website visits. The timing puzzle requires an incremental amount of computations which makes forging a large number of client visits expensive and time-consuming. The solution of the puzzle serves as an evidence that a certain amount of time has elapsed. At each webpage visit, the client is required to compute a timing function that requires performing repeated hashing incrementally until the end of the visit. The result is then sent to an auditing proxy which verifies its correctness. The main drawback of their construction scheme is the requirement of reconstructing the puzzle for accurate verification, which was later addressed by Chen and Mao [69].

Key Requirements In addition to being non-parallelizable and deterministic, a timing puzzle must provide the ability of applying it incrementally in order to reflect the actual continuous time being spent. The solver should be able to produce solutions that are extendable, where the puzzle difficulty is not set in advance, but is incremental with the time spent in computing it. Forging access duration or performance records should require a known investment of resources that grows proportionally to the amount of forgery. For public auditing, the puzzle should be trapdoor free, in which there is no shortcut available for the prover to find a solution with fewer resources.

Viability Timing puzzles may be considered as an unreliable metering method due to the fact that the accuracy of real-time measurement depends on several factors including network delay, bandwidth and computational power [70]. Moreover, they only offer lightweight security requiring precise bounds on the attacker’s computation speed. An attacker can fool the verifier with an amount of computational resources proportional to the amount of fraud.

4.2.2 Time-Release Cryptography and Time-stamps

The idea of time-release cryptography is to ”send data into the future” by encrypting a message that can only be decrypted after a pre-determined amount of time has passed. In 1996, Rivest et al. [15] implemented this idea using time-lock puzzles, which can be applied in delayed digital cash payments, sealed-bid auctions and key escrow. They have also been proposed for other applications such as, enabling offline submission [71], providing pseudonymous secure computation [72], constructing a two-round concurrent non-malleable commitment [73], and supporting digital forgetting [74].

Time-lock puzzle is a cryptographic primitive which allows locking data in a way that it can only be released after a certain time delay. It is an implicit trapdoor-based puzzle scheme, where the solution reveals the key that decrypts the encrypted data. In [15], the puzzle issuer selects the desired time delay and constructs a modular exponentiation puzzle that can only be solved by performing t modular squaring operations sequentially. The number of squaring operations can be exactly controlled hence providing the ability to finely tune the difficulty of the puzzle. The verification is not explicitly required, however, can be done more efficiently by anyone who can access the trapdoor which is created in the construction phase.

Inspired by time-lock puzzles, Mahmoudy et al.[75] introduced the concept of proof of sequential work (PoSW), an explicit time-lock puzzle scheme which enables the solver to prove that a specific number of computation steps was performed sequentially on a given challenge. The solution of the puzzle is publicly verifiable and indicates that an approximate number of time units have elapsed since receiving the puzzle. They propose using PoSW to produce relative timestamps for documents, whereby a d-timestamp of a document at time T proves the existence of that document at time . A stamper specifies the desirable duration d, constructs and solves the puzzle by using the document as an input parameter. The verifier then checks the validity of the timestamp by verifying the solution of the puzzle.

Further developments on such construction schemes have been proposed to provide better efficiency [76] and uniqueness [77]. Uniqueness is important to guarantee that the solver cannot produce multiple solutions at the same cost of one. Boneh et al. [17] study the problem of constructing delaying puzzles, which they refer to as ’verifiable delaying functions’, and present further applications of such puzzles, including randomness beacons, proof of replication and resource-efficient blockchains.

Key Requirements The key requirements for such applications are non -parallelizability and hardware-independence. The solution time should not depend on the amount of hardware being used. A solver who uses large amount of investments in hardware, namely parallel computing, should not be able to solve the puzzle substantially faster than the pre-determined time. Finally, the time required to construct and verify the puzzle should be much less than the solution time.

Viability The main challenge that may hinder the deployment of a delaying puzzle in a specific application is the requirement of exact guarantees on the precision timing, which cannot be achieved due to the existence of variations in speed of single computers. For other settings where there are no trusted third parties available, the puzzle construction schemes proposed in [15] are unsuitable since generating the puzzle requires knowing the (secret) puzzle solution in advance and verification requires accessing a trapdoor. Although the schemes proposed in [75, 76] provide public verifiability, their security are only proved in the random oracle model and the uniqueness of the produced solution is not guaranteed.

4.3 AI-hard puzzles

AI-hard puzzles, widely known as captchas, are intended to ensure the presence of a human in a communication channel by using hard AI problems that differentiate between humans and bots. They are puzzles that are easy-to-solve for humans but hard-to-solve for automated computer programs. Following we present the main security fields in which human-bound puzzles are used and discuss their key requirements.

4.3.1 Bot Detection in Web-based Services

The first to suggest using a reverse Turing test for verifying that a human is the one requesting a service over the web was Naor [78] in 1996. Several practical examples were then proposed and developed [79, 80, 81]. In 2000, Von Ahn et al. [82] introduced the notion of a CAPTCHA and provided a formal framework that models it as a hard AI problem in [9]. CAPTCHA can be considered as a trapdoor-based explict puzzle scheme whose underlying hardness assumption is based on an AI problem that can only be solved by a human. A typical CAPTCHA puzzle is constructed by first generating a random target solution, such as a text or an image, and then performing distortion techniques to that solution in order to make it hard for computers to solve the puzzle. The target solution, which is generated in the construction phase, is later used by the verifier to check the correctness of the solution submitted by the prover.

CAPTCHAs are used by Google, Yahoo, PayPal and many other popular web-based services to prevent abuse caused by malicious bot programs masquerading as humans. Such abuse include automated account registration, password guessing attacks, systematical database mining, and massive voting in polls. Before being able to access the service, a client is required to prove that he is a human by solving a given instance of the puzzle. The human feature provided by this type of puzzles slows attackers down and prevents them from sending large amount of fake requests generated by automated programs.

Many variations of construction schemes exist in the literature which are based on different AI problems, including reading distorted text [83], audio recognition [84, 85]

, human face recognition

[86], and emergent-image recognition [87]. A comprehensive review on the different categories and sub-applications of CAPTCHA is presented by Hidalgo and Alvarez [88]. Despite the many variations of AI-hard puzzles, they are all based on the assumption that an adversary’s machine cannot solve the underlying AI problem with higher accuracy than what is currently known to the AI community [9].

Key Requirements To provide both practicality and usability, the puzzle should be easy-to-construct for the puzzle generator machine and easy-to-solve for the human solver. Humans should be able to solve a given instance of the puzzle effortlessly with very few errors. The hardness of the puzzle should be adjustable such that both robustness and usability are guaranteed even with the advance of technology. The best known programs for solving the underlying AI hard problem should fail on a non-negligible fraction of the puzzles, even if the method of constructing the puzzle instances is known. Finally, the puzzle scheme should be fair and avoid discrimination of people with disabilities by providing different sensory abilities, such as vision and hearing.


The main issue that faces the deployment of AI-hard puzzles in web-based services is setting the appropriate difficulty that ensures both resistance against machine-learning attacks and human usability. The same distortion methods used to make the puzzle unsolvable by machines can also significantly degrade human usability

[89]. CAPTCHAs are often hard for humans to solve due to a number of demographic factors such as age, language, and education [90]. Furthermore, these type of puzzles fail to recognize people with visual and hearing impairments as humans, which prevents them from accessing the underlying protected web service [88]. These usability issues may drive customers to abandon services that deploy CAPTCHAs resulting in financial losses for those companies.

Although many construction schemes have been successfully attacked using machine-learning techniques [91, 92, 93, 94], a significant gap between human intelligence and the current artificial intelligence still exists. However, this does not ensure the security and effectiveness of the puzzle scheme as it is still vulnerable to human relay attacks, whereby the puzzle is outsourced to paid human-solvers [95]. Motoyama et al.[96] analyzed the behavior and dynamics of CAPTCHAs from an economic prospective. They conclude that CAPTCHA is a low-impact mechanism which reduces the attacker’s profitability hence minimizing the cost and legitimate user impact of heavier-weight secondary defenses. However, they may be ineffective in scenarios where the profit gained from launching the attack is several orders of magnitude larger than the cost associated with paying humans to solve the puzzle.

4.3.2 Decentralized Cryptocurrencies

Recently, Blocki and Zhou [67] introduced the notion of proof-of-human-work (PoH), a human-in-the-loop puzzle that is publicly verifiable and can be used to build a decentralized cryptocurrency system. It is a non-interactive explicit puzzle scheme that can only be solved with sufficient human assistance. Unlike the traditional standalone CAPTCHA, the solution of the puzzle is unknown to the puzzle-generator machine and the difficulty is adjustable.

The scheme involves two types of puzzles, a CAPTCHA and a pricing puzzle similar to that used in Bitcoin. In order to produce a valid block, the miner is required to first prove that he is a human by solving a CAPTCHA instance, then use the obtained solution as an input parameter to the pricing puzzle. The CAPTCHA instance is constructed obliviously using the universal samplers developed by Hofheinz et al.[97], whereby it is generated along with a verification tag inside an obfuscator and the corresponding solution remains concealed in the obfuscated program. Since the puzzle can only be solved by humans and the solution is unknown to the verifier, the verification tag is used to allow verifying the submitted solution without requiring human assistance. This feature provides public verifiability, in which anyone in the network can verify the submitted solution. The difficulty of the puzzle is adjusted by having the verifier reject a valid solution with a certain probability so that the human miner would need to generate and solve a specific number of puzzles to produce a valid proof-of-human-work.

The human feature provided by the AI-hard puzzle is exploited to satisfy properties that traditional cryptocurrencies such as Bitcoin lack, which are eco-friendliness, usefulness and centralization-resistance. Eco-friendliness and usefulness are achieved by relying on human effort instead of computational power. The human effort may involve performing educational [98] or productive [99] tasks in order to avoid wasting human cycles. While centralization-resistance is achieved by ensuring fairness, in which any two humans will generally perform a comparable amount of work to solve the puzzle.

Key Requirements In the context of cryptocurrencies, the AI-hard puzzle should be efficient and trapdoor-free, in which it is easy for a machine to construct, but difficult for any machine (including the puzzle-generator machine) to solve without sufficient human assistance. It must be non-interactive and publicly verifiable such that it is easy for a machine to verify the puzzle solution without any human assistance. Moreover, the puzzle verifier must be able to ensure, without interacting with any other human or machine, that the puzzle issuer did not already have a solution to the puzzle. Finally, the puzzle scheme should provide sufficient density of difficulty-levels to allow adjusting its hardness according to the changing scale and settings of the system.

Viability The viability of AI-hard puzzles in decentralized cryptocurrencies is affected by two main challenges. First, a trapdoor-free construction scheme whereby the solution is unknown to any party throughout the generation of the puzzle is required in order to provide trust in the system. This challenge is addressed by the authors of HumanCoin system [67] using indistinguishability obfuscation (IO), however, the current development achievements in IO do not provide a practical solution hence their approach is currently impractical. Furthermore, their proposed system requires an initial trusted setup phase since the party generating the system might be able to insert a trapdoor allowing him to mine coins without any human effort. Second, the security and stability of the system relies on the hardness of the underlying AI problem. The life of such cryptocurrency is anticipated to be shorter than other cryptocurrencies such as Bitcoin, which rely on cryptographic primitives, since AI breakthroughs are achieved more frequently. Therefore, achieving and maintaining trust using AI-hard puzzles in such cryptocurrency systems remains an open question.

Key Requirements
Application Field
Easy to
Spam defense
DoS defense
Delayed Disclosure
Auditable metering
Uncheatable Benchmarks
Bot Detection

TABLE II: Key requirements of puzzles for each application field.

5 Construction Schemes

As discussed previously, puzzles may be categorized based on several aspects including the ways they are applied, the type of verification, and the type of resource that bounds the scheme. In this section we categorize them based on the resource that bounds the puzzle scheme which includes: CPU, memory, and bandwidth. We survey state-of-the-art puzzles by focusing on the type of construction scheme and present further developments and improvements on these schemes.

5.1 CPU-Bound Schemes

5.1.1 Merkle Puzzles

Computational puzzles were first introduced by Merkle [1] as a method to establish secure key agreement over insecure channels. The main designing goal was to create a work gap between legitimate parties and passive adversaries in order to guarantee secure key distribution. The puzzle is based on symmetric cryptography and is constructed by generating N encrypted keys, each having a unique ID. The other legitimate party solves the puzzle by selecting one of the keys and decrypting it by brute-force then submitting its ID. To know the key, an eavesdropper must decrypt all N keys since he cannot determined which of the IDs is mapped to the key. The puzzle’s difficulty is adjusted by adjusting the size of the key used to perform the encryption. As a key agreement protocol, this scheme is impractical and insecure, in which the optimum work gap that can be achieved using this method, as proven by Barak and Mahmoudy [100], is quadratic. However, it was the building block towards public key cryptography. Merkle puzzles are different than the following puzzles as, both parties are required to perform the same amount of work O(N), hence it is not asymmetric.

5.1.2 Pricing functions

Dwork and Naor [2] were the first to suggest using puzzles as an access control mechanism in order to combat email spam. They used the puzzle as a ‘pricing function’ to assign a computational cost to resource allocation requests. Their goal is to increase the cost of sending an email for spammers by forcing them to compute a unique puzzle for each recipient. They proposed three puzzle schemes. The first scheme is based on factoring a square root and the other two are based on digital signature schemes with smaller security parameters. The first is verified by squaring the submitted solution, while the digital signature based schemes are verified using trapdoors to reduce the verification cost. The availability of trapdoors in their scheme is essential, not only to reduce the verification cost but to allow legitimate mass mailing by specific authorities. Solving the puzzle requires forging a signature without actually breaking a private key using a moderately hard algorithm such as, the Pollard algorithm. The proposed schemes satisfy the amortization-freeness property, but are prone to pre-computation attacks which weakens the effectiveness of the puzzle. Furthermore, similar to previous schemes, it suffers from inefficiency requiring relatively high construction cost.

5.1.3 Time-lock and Delaying functions

Rivest et al.[15] rediscovered the idea of puzzles to implement time-release cryptography and introduced the notion of time-lock puzzles, which are computational puzzles that require a precise amount of time to solve. Their designing goal was to create a puzzle that can only be solved sequentially by performing a deterministic number of operations. The puzzle is used to allow encrypting a message that can only be decrypted (unlocked) after a predetermined period of time specified by the puzzle issuer elapses. This type of puzzles is different than traditional PoW schemes, in which the solution of the puzzle serves as a decryption key rather than a method of convincing the verifier. In particular, the verification is not performed by the verifier but determined by the ability of the prover to decrypt the encrypted message using the solution of the puzzle.

Time-lock puzzles rely on the intractability of factoring large integers. To construct the puzzle, the issuer first sets its parameters by generating a composite modulus N as the product of two large secret primes p and q, and determines the time required to solve the puzzle , where S is the number of squaring operations current machines can run per second, and T is the desired time specified by the puzzle creator. The issuer then generates the puzzle by encrypting a message m with key K and encrypting the key as . The puzzle is given as (N, a, t, , ) and the solution of the puzzle reveals the key that decrypts the message. Solving it requires performing t modular squaring sequentially starting with a. The difficulty of the puzzle is adjusted by increasing or decreasing t, which provides fine granularity. Knowing , the verifier can use the trapdoor given by Euler’s function to compute the solution in modular multiplications.

Time-lock puzzles guarantee non-parallelizability and deterministic computation, which provides fine-grained difficulty adjustment. However, the requirement of generating large prime numbers and performing modular exponentiations for every puzzle is resource-exhausting, which makes it impractical and unsuitable for resource-constrained environments.

Efficiency. To reduce the construction and verification cost, Karame and Capkun [101] proposed using an RSA key pair with smaller exponent and a semi-prime modulus. They based their puzzle construction on the intractability assumption in RSA, which states that it is computationally intractable to compute a small private exponent when the public key is larger by several orders of magnitude than the semi-prime modulus. The cost incurred on the verifier in their puzzle scheme is decreased by a factor of , where k is a security parameter. Despite the significant cost reduction, it is still sufficiently expensive that it cannot be deployed in large-scale environments. Furthermore, their scheme does not provide fine grained control over the difficulty level as, the gap between two subsequent difficulty levels is significantly increased compared to the previous time-lock puzzle scheme [15]. Further efficiency improvements on modular-exponentiation based puzzles are proposed in [102]. Tang and Jackmans [19] introduced two batch verification modes for the construction scheme proposed in [15] to improve the verification efficiency and make it suitable for a server-client communication model.

5.1.4 HashCash and Client puzzles

Inspired by the idea of pricing functions [2], Juels and Brainard [3] introduced client puzzles to mitigate connection depletion attacks. The objective is to have the clients commit their resources before establishing a connection, by requiring them to solve computational puzzles for each request. Since an attacker generates a large number of connection requests, it must solve a correspondingly large number of puzzles. Therefore, precluding attackers from overwhelming the server and allowing legitimate clients to establish a connection. Unlike previous puzzles, client puzzles do not incur high cost on the verifier, in which they are easy to construct and can be constructed in a stateless way.

The server constructs the puzzle using a hash function that takes as an input a bitstring X of length l and produces a hash image Y. The puzzle is given as (), where the first k bits of X are hidden. Clients must perform a brute-force search for the k missing bits that produces Y and submit the solution with the request. The problem of solution pre-computation is addressed by embedding a time-stamp in the puzzle and requiring the client to submit the solution within a specified time interval. The difficulty is adjusted by increasing/decreasing the number of bits to be searched for. To decrease the probability of guessing the solution and to have a finer difficulty adjustment, they suggest composing the puzzle of m independent sub-puzzles, each requiring a unique k-bit solution. This composition may increase the difficulty for an attacker in guessing the solution, but the granularity is still coarse having the difficulty level grow exponentially. Furthermore, the efficiency of the puzzle decreases as the number of sub-puzzles increases.

Aura et al. [14] improved client puzzle’s efficiency by reducing its length and minimizing the number of hash calls needed for both construction and verification. They generalized the design of the puzzle to employ it in any authentication protocol. The puzzle is generated by the client, unlike the previous scheme [3], where the server generates both hash input and output. In this scheme, the client is given a nonce and is required to find a bit-string X that if hashed together with the nonce (and other client data) produces a hash image with k leading zero bits. For verification, the server performs a single hash call to check if the submitted solution produces k leading zero bits. These improvements motivated further practical implementations of client puzzles. Dean and Stubblefield [37] provided a compatible implementation of this scheme to protect TLS servers, Moskowitz et al. [103] adapted it in the Host Identity Protocol (HIP), and Wang and Reiter [35] integrated it in the network layer to mitigate bandwidth-exhaustion attacks. One additional feature that this construction offers, as proposed by Back [10], is that it can also be used in a non-interactive way, where the prover chooses the challenge and the solution can be publicly verified.

Fig. 3: Hashcash puzzle construction [14]

Despite the efficiency improvements, this puzzle construction, which was initially implemented by Back in the HashCash system [10] and currently used in Bitcoin [7], provides coarser difficulty levels disabling the verifier from flexibly adjusting the difficulty according to the threat level. Furthermore, it is highly parallelizable and has a probabilistic solving cost with high variance. These drawbacks may prevent puzzle fairness and reduce the effectiveness of the puzzle. Parallelizability gives adversaries, with higher CPU-speed, great advantage over legitimate parties, while probabilistic cost does not guarantee that the time required to solve the puzzle is similar to all clients. The search process for n-bits might terminate after the first try or after performing all of the tries.

Further efficiency improvements were proposed and the aforementioned problems of client puzzles were addressed by several researches. We categorize them based on the problems and puzzle features being discussed in each, as follows:

Determining the difficulty level. The difficulty of a puzzle determines its security and effectiveness. Setting the difficulty to a low level may reduce the workload on the adversaries which allows them to successfully launch an attack, while setting it to a high level may deter honest parties from participating in the underlying application. In the presence of an adversary with unknown computing power, it may be difficult to properly adjust the difficulty level without increasing the cost for legitimate clients. Wang and Reiter [34] addressed this problem by using an auction mechanism. They introduced the concept of ‘puzzle auctions’, where each client is allowed to set the hardness of the puzzle it solves. The server then allocates its resources to the client that solved the hardest puzzle (the one with the highest difficulty level). They assume that a legitimate client will work harder than a compromised zombie client, since attackers will not increase the workload of these zombies above a certain threshold to avoid detection. They argue that this mechanism is efficient in a way that the client can raise its bid just above the attacker’s bid to win an auction. However, it gives unfair advantage to clients with higher computation power and potentially to powerful attackers. In addition, it adds more rounds to the scheme by requiring the client to submit more than one puzzle solution of increasing difficulty levels until a connection is established.

Granularity. Feng et al. [21] addressed the coarseness problem of hash-based puzzles by providing the client a hint along with the puzzle. The hint is a value near to the solution which reduces the brute-force search space. To solve a puzzle, the client starts at the hint and searches the range linearly for the solution. Puzzle difficulty can be adjusted finely by adjusting the accuracy of the hint. This scheme provides a better control over the difficulty level, but it can only be applied interactively requiring the verifier to generate a puzzle for each client instead of just sending a challenge as in [14].

Reducing construction cost. To eliminate the computational load of generating puzzles from the verifier, Waters et al. [104] proposed puzzle outsourcing mechanisms. Their goal is to protect the puzzle scheme itself from being subject to a DoS attack and reduce client delay added by the previous puzzle schemes. The puzzle, which is based on the Diffie-Hellman problem, is constructed by a third party called bastion. The construction requires modular exponentiations while the verification, which is performed by the server, requires a memory lookup and one modular exponentiation. The client is required to invert a discrete logarithm using some partial information. This information is represented as specific range of seed values. The client performs a brute-force search for the solution seed within the specified range. Since the verifier can control the size of the range, it can linearly adjust the difficulty of the puzzle. The client delay is reduced by allowing it to compute solutions offline and requiring it solve a puzzle per time interval instead of per request. The per time interval requirement prevents adversaries from precomputing solutions. Although the construction is outsourced and many servers can rely on puzzles distributed by the same bastion, it is still expensive due to the modular exponentiation, making it inefficient and unscalable. In addition, the solution finding process in this scheme is similar to that in hash-based schemes, it requires performing exhaustive search within a specific range which is a highly parallelizable task.

Gao [105] suggested adding a pre-construction stage to allow the server to compute expensive operations in idle time and reuse the calculated parameters during online puzzle construction by combining them with time parameters. The author developed two trapdoor-based puzzle schemes, one is RSA-based and the other is based on the discrete-logarithm problem. Both schemes require modular arithmetic calculations not only in the pre-construction stage but also in the online construction phase. As the previous scheme [104], they provide fast verification via a memory look-up and linear granularity, however, the solving process is also highly parallelizable.

Non-parallelizability. Generally, non-parallelizability is important to control the timing feature of a puzzle, where the solution time should be approximately controllable by the verifier. This property is crucial to allow the verifier to appropriately set the difficulty, which is not possible due to the huge disparity in computing power between machines. Non-parallelizability is important in applications that require puzzle fairness and prevent an adversary that uses parallel computing from solving puzzles significantly faster than the expected time. Non-parallelizable CPU-bound puzzle schemes are either based on an inherently sequential problem [15][106] or utilize a chaining technique [51][107][108].

Time-lock puzzles [15] are based on repeated squaring which ensures non-parallelizability, however, they cannot be employed in large-scale and resource-constrained environments due to their high construction cost. Two hash-based schemes that offer non-parallelizability were proposed by Ma [107] and Gorza and Petrica [108]. These schemes utilize puzzle chaining technique, which requires sequential solving steps to complete the whole puzzle chain. Although they were designed to reward the client for partially solving a chain, we also discuss the possibility of using this type of construction as one puzzle that has one solution. A puzzle chain consists of a set of puzzles that can only be solved in a specific order, in which solving a puzzle requires computing the solution of the predecessor puzzle. In each puzzle chain there is at least one puzzle that does not depend on any other puzzle.

Ma [107] utilizes hash chain, which was initially introduced by Lamport [109], to construct the puzzle. The goal is to provide a receiver the control over which packets to receive. This is achieved by forcing the sender to invert a hash chain, where each inverted hash value permits sending m packets only. The sender must first send a ‘request-to-send’ packet to the receiver. The receiver then computes a hash chain (, ,…,) of length k and responds with a puzzle given as (, K). A sender wishing to send m packets is required to find the first predecessor hash value only, and is allowed to send a maximum of packets by inverting the whole chain (, ,…,). To verify a single solution, the receiver is required to store the current values of and K, then perform a single hash operation to check if the submitted hash value is equivalent to the current . The stored hash value is replaced by its predecessor after every m packets received. Puzzle difficulty can be adjusted by adjusting the number of packets m and the length of the chain K. As a stand-alone puzzle, the construction cost is relatively high and the verification may require reconstructing the puzzle chain in some settings to avoid memory exhaustion attacks. In addition, adjusting the difficulty is not as flexible as the author claims, where inverting a chain of hash values may not always be achieved in reasonable time and setting the digest’s size to lower number of bits (16-bits as suggested) makes solving the puzzle as easy as constructing it.

In Groza and Petrica [108]’s scheme, the puzzle chain is given as ( ), where P is the puzzle and r is a string of random bits. The chain is constructed by first concatenating two state-dependent random values, and r, then double hashing them to form the first puzzle in the chain . The rest of the chain is generated by XORing two new state-dependent values and with the hashed output of the previous state-dependent values and , then double hashing the result, . Solving the puzzle requires solving the chain in the order it was constructed, starting with then finding the of each . Similar to the previous scheme, it is an inefficient stand-alone puzzle requiring the verifier to perform three hash operations for each puzzle in the chain for both construction and verification. Both schemes only guarantee partial non-parallelizability as, each puzzle in the chain can be solved in parallel, hence they do not actually solve the CPU-speed disparity problem.

To achieve non-parallelizability with cheaper construction and verification cost, Tritilanunt et al. [106] proposed a new puzzle scheme that is based on the subset sum problem, which is a variant of the knapsack problem. Given a set of items, each with a specific weight, the solver must determine the number of items that can be included in a fixed-size knapsack. In other words, given a set of positive integers ) and a positive integers, find a subset of a that sums up to s. Solving the puzzle can be done by bruteforce which is highly parallelizable, however, the puzzle difficulty is set such that it is more efficient to apply Lenstra’s lattice reduction algorithm LLL [110] instead. The algorithm requires recursive computations, hence it cannot be parallelized. Both construction and verification are cheap requiring one hash operation and some additions. This scheme provides non-parallelizability, deterministic computation and polynomial granularity. However, the LLL algorithm suffers from huge memory requirements which limits its deployment in general applications. In addition, it does not solve the resource disparity problem as, according to the authors, the solving algorithm may not be executed using platforms of a lower power than PCs.

5.1.5 Summary of CPU-bound Puzzles

Most CPU-bound puzzle schemes are based on cryptographic hash inversions [10, 3, 32, 34, 21] or digital signature algorithms [2, 104, 105]. In general, hash-based puzzle schemes are more efficient where the generation and verification requires only one or two cryptographic hash operations. However, they suffer from three fundamental drawbacks. The first is coarse-grained difficulty adjustment, where adjacent difficulties vary by a factor of two. This may not allow the verifier to flexibly adjust the difficulty according to the threat level, hence reducing the effectiveness of the puzzle. Although some variants, such as Hint-based [21], provide linear granularity, they can only be applied interactively. The second is parallelizability which introduces the CPU-speed disparity problem and gives powerful adversaries advantage over honest parties. Finally, the solution finding process of these puzzles is probabilistic and its cost variance is very high that it does not guarantee fairness as, some provers may get lucky and find the solution much faster than others. On the other hand, number theoretic puzzles, such as time-lock puzzles [15], provide finer granularity and low solution cost variance, but are less efficient requiring the verifier to perform large integer modular exponentiations which is unsuitable for resource-constrained environments. Considering parallelizability, both time-lock puzzles and knapsack-based puzzles ensure non-parallelizability, however as discussed previously, the former requires the verifier to perform expensive operations, while that latter suffers from huge memory requirements for solving the puzzle.

The lack of an efficient and non-parallelizable CPU-bound function led researchers to investigate the utilization of other resources, such as memory [12, 11], bandwidth [111, 13], and human’s attention [78, 9], which are discussed in the following sections.

Category Puzzle Scheme
Easy to
Easy to
Low Cost
Based on
Non-Hash Based Merkle [1] Exponential

Pricing functions [2] Exponential

Time-lock [15] Linear

Subset-Sum [106] Polynomial

Client Puzzles [3] Exponential
Hash Inversion

HashCash [10] Exponential
Hash Inversion

Hint-based [21] Linear
Hash Inversion

Hash-chain [107][108] Linear partial
Hash chain

TABLE III: Summary of CPU-bound schemes.

5.2 Memory-Bound and Memory-Hard Schemes

Using memory-intensive computations in a puzzle scheme have been proposed by several works [12, 112, 66, 113], with different notions, to provide both equitable computation and resistance against specialized hardware, such as GPUs and ASICs. The solution cost of the puzzle is measured either by the number of accesses to the main memory or the amount of memory space rather than the number of computation operations.

Memory-bound schemes require a lot of memory accesses to evaluate. The solution time is bound by the memory latency, in which the complexity is measured by the number of cache misses and not the actual amount of memory being employed. The adversary’s goal in such a scheme is to reduce the number of memory accesses by either benefiting from cache or performing intensive computations instead. On the other hand, memory-hard schemes require a lot of memory space to evaluate. The complexity is measured by the number of memory locations being used for a given number of operations. The adversary’s goal in such a scheme is to use less memory space by trading it for time or extra computations.

A memory-bound function may be considered as memory-hard in the sense that the amount of memory required is greater than the cache’s size. While a memory-hard function is memory-bound only if the locality is good in its memory access pattern such that it results in a certain number of cache misses [62].

5.2.1 Easy-to-compute functions

It has always been an acknowledged problem with CPU-bound puzzle schemes that the amount of computing power available to provers varies significantly. Abadi et al. [12] addressed this problem and were the first to introduced the notion of memory-bound puzzles. The goal is to construct a puzzle that most recent systems will evaluate at approximately the same speed by relying on memory latency instead of CPU-speed. They proposed a memory-bound puzzle that consists of an easy-to-compute pseudo-random function F(), which its inverse requires more time-consuming computations than accessing the memory (i.e. inverting it can be done more efficiently via the space-time tradeoff). The verifier selects an integer from the domain and computes , where . The puzzle is given as and a checksum of the sequence . Solving the puzzle requires building a table for and working backwards from to find a pre-image , such that the checksum of the path from to matches that of the challenge. Since there exist several pre-images that lead to multiple paths, the solver is forced to explore a tree of pre-images that has a depth k, root and a total size of . The parameters n and k, are chosen carefully to ensure that the table cannot be stored in cache, thus in the best case scenario, the number of cache misses required is also . Verification requires k forward computations of F(), which increases exponentially as the CPU-cost of F() decreases (i.e. the processing speed of the current machines increases according to Moore’s Law).

They also discuss a variant of this scheme that can be applied in a non-interactive setting. The challenge is not presented by the verifier, rather produced by a pseudo-random generator using some application related data, such as a message in combating spam, as the seed.

The main drawback of the scheme proposed in [12] is the existence of a time-space tradeoff for inverting the function F(), which may allow adversaries to circumvent the scheme using higher computation power and only rarely accessing the memory. The puzzle complexity is highly affected by current processing speeds, in which it requires more memory and higher verification cost to keep pace with Moore’s law. Consequently, its efficiency decreases which hinders its large-scale deployment and practical implementation. In addition, the work ratio between the two parties is quadratic and cannot be increased due to the fact that deeper trees allow the solver to benefit from cache and invert several values in the cost of just one memory access.

5.2.2 MBound

Dwork et al.[11] argued that easy-to-compute functions [12] may be solved with very few memory accesses which diminishes the memory latency effect and hence do not solve the problem. They further explored memory-bound functions and defined a class of functions based on “pointer-chasing” in a large random table T. The table T is of a fixed size that is approximately twice as large as the largest existing current cache and is shared between the two parties. The solver is forced to perform random walks through T to find a path with specific characteristics. A walk is a path that requires making a series of sequential random accesses to T, where contents of the current accessed location determine the subsequent location to be accessed. Solving the puzzle is done by executing an algorithm (called MBound) that terminates successfully if after l walking steps the last n-bits of the hash output are zeros. The algorithm is executed times until a successful path is found. The prover then submits the solution given as the hash-output along with the trial number , which identifies the correct path. The verifier then explores the identified path k by performing l memory accesses to T and checks that the submitted hash value is correct and ends with zeros.

Using the random oracle model the authors prove a lower bound of on the number of amortized memory accesses that an adversary must expend per puzzle. The expected number of walks to be performed by the solver is , thus the total expected cost for computing the puzzle is cache misses, while the verification cost is l cache misses.

On a follow up work, Dwork et al.[29] addressed the high communication complexity required for distributing and updating the incompressible large table by allowing the table to be constructed using graph pebbling. They observed that the table construction must also be memory-bound in order to prevent adversaries from exploiting the compact description of T and produce elements in cache whenever they are needed, only rarely accessing the memory.

Graph Pebbling. Pebbling is described as a game played on a directed acyclic graph (DAG). Finishing the game requires pebbling all output vertices (nodes with no children) of the graph. A non-input vertex (a node with parents) can only be pebbled when all of its predecessors (parents) are pebbled. A pebble can be removed from the graph at any time. The player has a number of pebbles and its goal is to place the pebbles on the output vertices efficiently, by using few moves and having few pebbles on the graph at any time. The pebble game is used to model memory-bounded computations, where the time-space tradeoff is obtained by showing that there is no optimal pebbling strategy that uses few simultaneous pebbles. Generally, each pebble represents the result of a computation and placing a pebble represents performing a specific computation of a result using previously computed results. A more detailed description of pebble games is presented in [114].

In this scheme, a pebble corresponds to a label of n-bits and placing a pebble corresponds to labeling a vertex by calling a hash function and storing the newly computed value in cache. Constructing the table requires pebbling the DAG D, where the labels of the output vertices are the elements of table T. The DAG has N input vertices (numbered 1,2,…N), N output vertices (numbered N+1, N+2,..,2N) and a constant indegree. The size of the graph is and consists of a stack of N-superconcentrators, which provide sharp tradeoffs having the time required to pebble the output vertices with less than pebbles at least exponential in the depth of the graph. Therefore, the time required to pebble the outputs is superpolynomial in (the number of elements in T). Table construction is done by both parties only once, the table is then stored in main memory to execute the MBound algorithm [11]. This reduces communication cost, however, the requirement of constructing a table incurs a relatively high cost on the verifier and eliminates the easy-to-construct property.

There are two main drawbacks of the aforementioned memory-bound puzzles that hinder their deployment. First, both verification and solving costs increase to accommodate with the current cache size, which reduces the puzzle’s efficiency and disables legitimate parties with low memory resources from participating in the scheme. Second, the difficulty level cannot be adjusted flexibly, in which it is constrained by the requirement of fine-tuning several parameters based on the system’s cache and memory configurations.

5.2.3 Pattern Database

Doshi et al. [115]

noticed that the memory accesses described in prior memory-bound puzzle schemes are not associated to a known problem, hence lack the algorithmic foundation that allows flexible tuning of difficulty parameters. They where the first to propose deriving memory-bound puzzles from heuristic search methods.

The proposed construction scheme is based on heuristic search using pattern databases for the Sliding Tile problem [116]. The Sliding Tile problem requires finding a path (from the set of moves: left, right, up, down) to slide the tiles on a grid from the initial state to the goal state.

Solving the problem can be done efficiently using existing computational algorithms, such as the A* algorithm along with the Manhattan Distance heuristic. However, using a memory based heuristic is more efficient, where the exact distance from the initial state to the abstract goal state is computed and stored in a lookup table called pattern database.

Given a pool of goal states (), the prover precomputes the pattern database that corresponds to these states offline. The verifier constructs the puzzle by randomly choosing f goal states from the pool and performing d moves at random to each goal in order to create f initial states. The verifier then computes a message authentication code (MAC) over the performed moves and stores it in memory. The difficulty of the puzzle can be adjusted by increasing or decreasing the number of goal states f and the number of moves d. The puzzle is given as the f goal states, the corresponding initial states and checksums , , where each checksum is computed over the jth move of each state.

The prover then uses the pattern database and performs a guided search for each goal state. All initial states are solved simultaneously as, the prover must first deduce the right set of moves for a given difficulty level j, , such that the checksum of those moves matches . Since different states are stored in different parts of the memory, forcing the prover to search for multiple states simultaneously results in cache misses hence ensures main-memory access. Once all goal states are reached, the prover submits the d moves performed on the f initial states. The verifier then checks that the moves are correct by computing the MAC of these moves and comparing it to the one stored.

Although the scheme provides better flexibility in tuning the puzzle difficulty, it is inefficient in terms of both construction and communication cost. For each puzzle, the verifier is required to perform moves and compute checksums, while communication involves transmitting two sets of states (both initial and goal) along with checksums and a MAC.

5.2.4 Scrypt

In 2009, Percival [112] proposed Scrypt and introduced the concept of memory-hard functions that require large amount of memory to evaluate and impose computation penalties if less memory is used. Scrypt is a memory-hard key derivation function used for password hashing to increase the cost of brute-force dictionary attacks, whereby the attacker iterates through a number of likely passwords and apply the function to each password guess. The designing goal of the scheme is to reduce the advantage gained by adversaries who use custom-designed parallel circuits, while maintaining low per-evaluation cost of the honest user. This is achieved by requiring an amount of memory that is approximately proportional to the number of operations performed to evaluate the function.

The scheme consists of several memory-hard functions, we briefly describe the construction of ROMix which constitutes the core of Scrypt. The basic idea of the algorithm, as described by Percival, is to sequentially compute a large number of random values and then access each value randomly to ensure that they are all stored in RAM. Given a -bit input value , a chain of N input values () is computed as follows:

  • and for , where H is a hash function.

A chain of N output values () is then computed as follows:

  • , for , where is the final output of the function.

The default strategy of computing Scrypt is to sequentially compute each in the input chain and store it in the memory, and then compute each of the output chain and fetch each from memory as needed in order to produce the final output . Two recent works show that scrypt offers nearly optimal ASIC resistance from both the energy [62] and area [117] aspects. However, this is only achieved when its memory requirement is sufficiently large which consequently incurs high construction and verification costs.

Scrypt is used as a pricing puzzle by several cryptocurrencies including Litecoin and Dogecoin, where the amount of memory is reduced in order to provide faster verification. To add a block to the chain, the miner is required to find a nonce n that if hashed together with the block’s header B using Scrypt, produces a final output that is less than a specific target value T. The solution is given as (B, n, ). Verification requires a single call to Scrypt and a single comparison operation to check the output value () against the target value T. The memory hardness of Scrypt can be set by increasing or decreasing the CPU/memory cost parameter N, while puzzle difficulty is adjusted by tuning the target value T.

Although a work gap between the two parties is maintained by having the prover perform multiple Scrypt calls to find the solution while only a single call is required for verification, the scheme is symmetric in terms of memory requirements. Furthermore, its adaptation in Litecoin cryptocurrency is not ASIC-resistant having ASIC mining rigs hundreds of time more efficient.

Category Puzzle Scheme
Easy to
Low Cost
Based on
Heuristic Search
functions [12]
polynomial partial
Database [115]
polynomial partial
Sliding Tile
Cuckoo Cycle [118] exponential
Cycle Finding
Equihash [18] exponential partial
Birthday Problem
Graph Pebbling
MBound [29]
exponential partial
Pebbling Reduction
Argon2d [119]
exponential partial
Pebbling Reduction
Proof of space [66] linear partial
TABLE IV: Summary of Memory-bound schemes.

5.2.5 Cuckoo Cycle

Tromp [118] proposed a memory-bound puzzle scheme based on finding constant sized cyclic subgraphs in a pseudo-random graph. The designing goal is to make mining cryptocurrencies on commodity hardware cost-effective by relying on memory-latency instead of computation speed in the evaluation of the puzzle. The puzzle is constructed by generating a directed bipartite graph with N vertices and M edges from a given set of input nonces using Cuckoo hashing [120]. The prover is required to find a set of L nonces whose corresponding edges form an L-cycle in the graph and whose hash digest is less than a given target hash value T, where . The memory-hardness of the scheme is determined by the ratio and the cycle length L, while the difficulty of the puzzle is adjusted by tuning the target hash value T. The verification cost is linear in L and independent of both M and N.

5.2.6 Proof of Space

Dziembowski et al. [66] and Ateniese et al. [113] introduced the notion of proof of space (PoS) independently, each with a different definition and security guarantees. Generally, PoS is an interactive memory-hard puzzle scheme where the solution serves as a compact proof that the prover did possess and dedicate a significant amount of space. Unlike memory-bound schemes [12, 11, 118], PoS schemes rely on memory space instead of memory latency in the evaluation of the puzzle. Both PoS construction schemes are based on directed acyclic graphs (DAGs) that have high pebbling complexity and use the Merkle hash tree to enable efficient verification.

Given a challenge nonce id, the prover is required to construct a graph G = (V, E) of N vertices and store the label of each vertex computed as , where is a hash function that depends on the identifier id and are the labels of ’s predecessors (parents). The identifier is used to ensure that the same space cannot be used for two different proofs. Once the labels are computed, the prover commits to these labels by computing a Merkle hash tree and sending its root to the verifier. At this point, the verifier checks the consistency (correctness) of the root by asking the prover to open the labels of c vertices and their predecessors. The opening of a label is the path from the root to the leaf corresponding to vertex v in the Merkle tree . Given the labels of all the predecessors of vertex v, the verifier can check if the label is correctly computed as described above. The solution is accepted only if all c openings and labels are computed correctly. To label a vertex v in graph G, the prover must calculate and store the label values of all the predecessors of the vertex. The labeling of the graph provides evidence that the prover has handled at least N space.

The definition of PoS introduced in [66] extends that of Ateniese et al. [113] by including an additional phase, called execution phase, that allows the verifier to repeatedly challenge the prover and check if it is still dedicating the specified amount of space. The purpose of the additional phase is to allow honest provers to respond to the repeated challenges by accessing the N space, produced in the initialization phase, while using little computation hence addressing the high energy consumption drawback of CPU-bound puzzles. This formation of PoS is also referred to as proof of persistent space by Ren and Devadas [121].

Although these construction schemes provide strong security guarantees by forcing a cheating prover to either expend space or time in order to produce an acceptable proof, they are both based on superconcentrators which are relatively slow [119].

5.2.7 Equihash

Biryukov and Khovratovich [18] observed that any identified NP-complete problem can be used to design a memory-bound puzzle with tunable parameters, where its memory hardness is determined by the time-space tradeoffs of the best known algorithms. They proposed Equihash, a proof-of-work scheme based on the k-dimensional generalized birthday problem [122]. In the generalized birthday problem, there are k sets of n-bit strings and the goal is to find k strings such that they XOR to zero. In Equihash, the k strings are generated randomly using the hash function H. It is shown in [122] that the best solution algorithm to this problem has a time and space complexity of and hence it is a memory-intensive algorithm. In addition, using less memory leads to times more queries to the hash function, which limits the computation advantage of parallelization to the amount of memory bandwidth available. The verification requires performing hashs and XORs.

5.2.8 MTP-Argon2d

Biryukov et al. [119] proposed a non-interactive memory-hard puzzle scheme, called Merkle Tree Proof (MTP), based on the memory-hard function Argon2d [123]. They describe different instantiation settings of the scheme to be applied in crypto-currency, time-release cryptography and disk encryption. Similar to PoS schemes [66, 113], this scheme uses a Merkle hash tree construction over a large array of blocks to allow fast and memory-less verification. Given the challenge I, the prover constructs the puzzle by generating M blocks of memory using Argon2d from the given challenge, and then computes a Merkle hash tree with root over the M blocks committing to the blocks’ values. Each block is generated using the internal compression function F of Argon2d, which takes the previous block and as inputs, where is a data-dependent indexing function that produces a block index in the range . The prover then solves the puzzle by accessing L blocks of at pseudo-random locations in a sequence and finding a nonce N that if hashed together with the root and the block produces a hash output with d trailing zeros (where depends on , N and on the values of the previous blocks in the sequence). The solution is given as (), where is the opening of blocks . The verifier then checks that the openings are valid and reproduces all to verify that has d trailing zeros. The memory hardness of the scheme depends on the hardness of Argon2d and can be adjusted by tuning the parameters. The difficulty of the puzzle is adjusted by increasing or decreasing the number of trailing zeros d.

5.3 Bandwidth and Network Bound Schemes

Walfish et al. [111] were the first to suggest using bandwidth as a currency to pay for a service in order to mitigate DoS attacks. They did not propose a puzzle scheme, but introduced the idea of using bandwidth resources to weaken powerful attackers with higher CPU and memory resources than legitimate clients. A system, called Speak-up, that crowds out attacker by encouraging clients to send higher volumes of traffic in order for their requests to be processed first. They assume that attackers are already using the highest amount of upload bandwidth resources to perform the DoS attack which prevents them from reacting to the encouragement. The encouragement is achieved by implementing a virtual auction, where clients who have sent the highest number of dummy bytes on a separate payment channel are served first.

5.3.1 Guided Tour Puzzles

Abliz and Tznati [13] introduced the concept of network-bound puzzles to overcome the shortcomings of previous client puzzle schemes, which include parallelizability and computational disparities among clients. Their scheme requires the client to collect tokens from tour guides (a pre-specified set of nodes in the network) in order to be able to solve the puzzle and have their query processed by the service provider. The tour guides are used to introduce a delay between client requests. The authors suggest that network latency provides a good solution to the resource disparity problem between a powerful adversary and a legitimate client. Non-parallelizability is achieved by the random selection of the next tour guide to be visited at each tour guide stop (hence the name guided tour) and by requiring the client to submit the hash values from the previous tour guides at each stop. The difficulty is adjusted by increasing or decreasing the tour length (number of tour guides) by one which provides linear puzzle granularity.

5.3.2 Bandwidth Puzzles

Reiter et al. [45] proposed a bandwidth-bound puzzle scheme to validate that a peer did actually expend a certain amount of communication resources and relayed data to peers in a P2P content-distribution system. The main goal is to prevent colluding attackers from earning rewards by claiming that they have served data to each other without actually transferring any data. Their puzzle scheme is related to proofs of data possession mechanisms, as the solution depends on the possession of the content. Finding the solution is relatively simple for provers who have the content, while more difficult for those who don’t. Each puzzle consists of a hash function and a collection of index-sets, where each set is a set of k random content indices. The verifier constructs a puzzle by hashing the content bits which are indexed by a pseudorandomly chosen index-set and appended together in a certain order. Solving the puzzle requires finding which of the index-sets is the preimage of the hash. The puzzles are issued simultaneously to a group of provers and must be solved within a specific time. This prevents a content-holder from colluding with others by solving their puzzles, since he can only solve one puzzle at a time. Furthermore, Zhang [124] studied the performance of the bandwidth puzzle and provided a lower bound on the average number of content bits attackers should receive to be able to defeat the puzzle scheme with a definite probability.

6 Conclusion

In this paper, we have provided an extensive introduction to the concept of ’puzzle’ and presented the evolution of this notion. We studied the various types of puzzles from different perspectives and provided different classifications of puzzles based on the way they are applied, the means the puzzle solution is used, and the resource that bounds the solving time. Based on our extensive review on the applications of puzzles, we have identified the key requirements that must be satisfied for a puzzle to be applied in a particular field. We have also investigated the influence and impact of puzzles, and underlined some of the practical limitations for their effectiveness in each field.

We have provided a thorough review of the different types of construction schemes including CPU-bound, memory-bound, memory-hard, and bandwidth-bound schemes. For each type, we examined the different approaches and techniques used in designing the puzzle and highlighted their distinctive characteristics. We have also identified the limitations and benefits provided by each technique. This summary of the different types of construction schemes may be used as a guideline for further developments in designing effective puzzles.

Finally, in this work we have provided the reader with an overview on puzzles by integrating the scattered notions related to puzzles into a uniform introductory work. We aim to provide a solid scientific contribution that will serve as a useful outline for further understanding about puzzles, and for potential research directions that may lead to new insights in the field of puzzles.


  • [1] R. C. Merkle, “Secure communications over insecure channels,” Communications of the ACM, vol. 21, no. 4, pp. 294–299, 1978.
  • [2] C. Dwork and M. Naor, “Pricing via processing or combatting junk mail,” in Annual International Cryptology Conference.   Springer, 1992, pp. 139–147.
  • [3] A. Juels and J. G. Brainard, “Client puzzles: A cryptographic countermeasure against connection depletion attacks.” in NDSS, vol. 99, 1999, pp. 151–165.
  • [4] R. L. Rivest and A. Shamir, “Payword and micromint: Two simple micropayment schemes,” in International Workshop on Security Protocols.   Springer, 1996, pp. 69–87.
  • [5] W. Dai, “B-money proposal,” 1998.
  • [6] N. Szabo, “Bit gold. unenumerated,” 2008.
  • [7] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2008.
  • [8] A. Narayanan and J. Clark, “Bitcoin’s academic pedigree,” Communications of the ACM, vol. 60, no. 12, pp. 36–45, 2017.
  • [9] L. Von Ahn, M. Blum, N. J. Hopper, and J. Langford, “Captcha: Using hard ai problems for security,” in International Conference on the Theory and Applications of Cryptographic Techniques.   Springer, 2003, pp. 294–311.
  • [10] A. Back et al., “Hashcash-a denial of service counter-measure,” 2002.
  • [11] C. Dwork, A. Goldberg, and M. Naor, “On memory-bound functions for fighting spam,” in Annual International Cryptology Conference.   Springer, 2003, pp. 426–444.
  • [12] M. Abadi, M. Burrows, M. Manasse, and T. Wobber, “Moderately hard, memory-bound functions,” ACM Transactions on Internet Technology (TOIT), vol. 5, no. 2, pp. 299–327, 2005.
  • [13] M. Abliz and T. Znati, “A guided tour puzzle for denial of service prevention,” in Computer Security Applications Conference, 2009. ACSAC’09. Annual.   IEEE, 2009, pp. 279–288.
  • [14] M. Jakobsson and A. Juels, “Proofs of work and bread pudding protocols,” in Secure Information Networks.   Springer, 1999, pp. 258–272.
  • [15] R. L. Rivest, A. Shamir, and D. A. Wagner, “Time-lock puzzles and timed-release crypto,” 1996.
  • [16] M. K. Franklin and D. Malkhi, “Auditable metering with lightweight security,” in International Conference on Financial Cryptography.   Springer, 1997, pp. 151–160.
  • [17] D. Boneh, J. Bonneau, B. Bünz, and B. Fisch, “Verifiable delay functions,” in Annual International Cryptology Conference.   Springer, 2018, pp. 757–788.
  • [18] A. Biryukov and D. Khovratovich, “Equihash: Asymmetric proof-of-work based on the generalized birthday problem,” Ledger, vol. 2, pp. 1–30, 2017.
  • [19] Q. Tang and A. Jeckmans, “On non-parallelizable deterministic client puzzle scheme with batch verification modes,” Centre for Telematics and Information Technology University of Twente, 2010.
  • [20] L. Chen, P. Morrissey, N. P. Smart, and B. Warinschi, “Security notions and generic constructions for client puzzles,” in International Conference on the Theory and Application of Cryptology and Information Security.   Springer, 2009, pp. 505–523.
  • [21] W.-c. Feng, E. Kaiser, and A. Luu, “Design and implementation of network puzzles,” in INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE, vol. 4.   IEEE, 2005, pp. 2372–2382.
  • [22] J.-Y. Cai, R. J. Lipton, R. Sedgewick, and A.-C. Yao, “Towards uncheatable benchmarks,” in Structure in Complexity Theory Conference, 1993., Proceedings of the Eighth Annual.   IEEE, 1993, pp. 2–11.
  • [23] J. Alwen and B. Tackmann, “Moderately hard functions: Definition, instantiations, and applications,” in Theory of Cryptography Conference.   Springer, 2017, pp. 493–526.
  • [24] A. Rasheed and R. Mahapatra, “Key predistribution schemes for establishing pairwise keys with a mobile sink in sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 1, pp. 176–184, 2011.
  • [25] D. Westhoff and F. Armknecht, “Method for electing aggregator nodes in a network,” Mar. 15 2011, uS Patent 7,907,548.
  • [26] H. Perrey, O. Ugus, and D. Westhoff, “Wisec’2011 poster: security enhancement for bluetooth low energy with merkle’s puzzle,” ACM SIGMOBILE Mobile Computing and Communications Review, vol. 15, no. 3, pp. 45–46, 2011.
  • [27] “Apache spamassassin open source anti-spam platform,”, accessed: September 2018.
  • [28] “The penny post software project on sourceforge,”, accessed: September 2018.
  • [29] C. Dwork, M. Naor, and H. Wee, “Pebbling and proofs of work,” in Annual International Cryptology Conference.   Springer, 2005, pp. 37–54.
  • [30] B. Laurie and R. Clayton, “Proof-of-work proves not to work; version 0.2,” in Workshop on Economics and Information, Security, 2004.
  • [31] D. Liu and L. J. Camp, “Proof of work can work.” 2006.
  • [32] T. Aura, P. Nikander, and J. Leiwo, “Dos-resistant authentication with client puzzles,” in International workshop on security protocols.   Springer, 2000, pp. 170–177.
  • [33] T. J. McNevin, J.-M. Park, and R. Marchany, “ptcp: A client puzzle protocol for defending against resource exhaustion denial of service attacks,” Virginia Tech Univ., Dept. Elect. Comput. Eng., Blacksburg, VA, USA, Tech. Rep. TR-ECE-04-10, 2004.
  • [34] X. Wang and M. K. Reiter, “Defending against denial-of-service attacks with puzzle auctions,” in Security and Privacy, 2003. Proceedings. 2003 Symposium on.   IEEE, 2003, pp. 78–92.
  • [35] ——, “Mitigating bandwidth-exhaustion attacks using congestion puzzles,” in Proceedings of the 11th ACM Conference on Computer and Communications Security, ser. CCS ’04.   New York, NY, USA: ACM, 2004, pp. 257–267. [Online]. Available:
  • [36] M. A. Noureddine, A. Fawaz, T. Basar, and W. H. Sanders, “Revisiting client puzzles for state exhaustion attacks resilience,” arXiv preprint arXiv:1807.11892, 2018.
  • [37] D. Dean and A. Stubblefield, “Using client puzzles to protect tls.” in USENIX Security Symposium, vol. 42, 2001.
  • [38] E. Nygren, S. Erb, A. Biryukov, D. Khovratovich, and A. Juels, “Tls client puzzles extension,” Internet Engineering Task Force, Tech. Rep., Dec, 2016.
  • [39] B. Parno, D. Wendlandt, E. Shi, A. Perrig, B. Maggs, and Y.-C. Hu, “Portcullis: protecting connection setup from denial-of-capability attacks,” ACM SIGCOMM Computer Communication Review, vol. 37, no. 4, pp. 289–300, 2007.
  • [40] D. Stebila and B. Ustaoglu, “Towards denial-of-service-resilient key agreement protocols,” in Australasian Conference on Information Security and Privacy.   Springer, 2009, pp. 389–406.
  • [41] W.-c. Feng, “The case for tcp/ip puzzles,” in ACM SIGCOMM Computer Communication Review, vol. 33, no. 4.   ACM, 2003, pp. 322–327.
  • [42] E. Kaiser and W.-c. Feng, “mod kapow: Protecting the web with transparent proof-of-work,” in INFOCOM Workshops 2008, IEEE.   IEEE, 2008, pp. 1–6.
  • [43] V. D. Gligor, “Guaranteeing access in spite of distributed service-flooding attacks,” in International Workshop on Security Protocols.   Springer, 2003, pp. 80–96.
  • [44] J. R. Douceur, “The sybil attack,” in International workshop on peer-to-peer systems.   Springer, 2002, pp. 251–260.
  • [45] M. K. Reiter, V. Sekar, C. Spensky, and Z. Zhang, “Making peer-assisted content distribution robust to collusion using bandwidth puzzles,” in International Conference on Information Systems Security.   Springer, 2009, pp. 132–147.
  • [46] G. Wood, “Ethereum: A secure decentralised generalised transaction ledger,” Ethereum project yellow paper, vol. 151, pp. 1–32, 2014.
  • [47] C. Lee, “Litecoin-open source p2p digital currency,” 2011,
  • [48] J. Aspnes, C. Jackson, and A. Krishnamurthy, “Exposing computationally-challenged byzantine impostors,” Technical Report YALEU/DCS/TR-1332, Yale University Department of Computer Science, Tech. Rep., 2005.
  • [49] N. Borisov, “Computational puzzles as sybil defenses,” in Proceedings of the Sixth IEEE International Conference on Peer-to-Peer Computing.   IEEE Computer Society, 2006, pp. 171–176.
  • [50] H. Rowaihy, W. Enck, P. McDaniel, and T. La Porta, “Limiting sybil attacks in structured p2p networks,” in INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE.   IEEE, 2007, pp. 2596–2600.
  • [51] F. Li, P. Mittal, M. Caesar, and N. Borisov, “Sybilcontrol: Practical sybil defense with computational puzzles,” in Proceedings of the seventh ACM workshop on Scalable trusted computing.   ACM, 2012, pp. 67–78.
  • [52] W. Wang, D. T. Hoang, Z. Xiong, D. Niyato, P. Wang, P. Hu, and Y. Wen, “A survey on consensus mechanisms and mining management in blockchain networks,” CoRR, vol. abs/1805.02707, 2018. [Online]. Available:
  • [53] F. Tschorsch and B. Scheuermann, “Bitcoin and beyond: A technical survey on decentralized digital currencies,” IEEE Communications Surveys & Tutorials, vol. 18, no. 3, pp. 2084–2123, 2016.
  • [54] A. Miller and J. J. LaViola Jr, “Anonymous byzantine consensus from moderately-hard puzzles: A model for bitcoin,” Available on line: http://nakamotoinstitute. org/research/anonymous-byzantine-consensus, 2014.
  • [55] J. Garay, A. Kiayias, and N. Leonardos, “The bitcoin backbone protocol: Analysis and applications,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques.   Springer, 2015, pp. 281–310.
  • [56] R. Pass, L. Seeman, and A. Shelat, “Analysis of the blockchain protocol in asynchronous networks,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques.   Springer, 2017, pp. 643–673.
  • [57] J. A. Garay, A. Kiayias, and G. Panagiotakos, “Proofs of work for blockchain protocols,” Cryptology ePrint Archive, Report 2017/775, Tech. Rep., 2017.
  • [58] J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. A. Kroll, and E. W. Felten, “Sok: Research perspectives and challenges for bitcoin and cryptocurrencies,” in Security and Privacy (SP), 2015 IEEE Symposium on.   IEEE, 2015, pp. 104–121.
  • [59] L. Luu, R. Saha, I. Parameshwaran, P. Saxena, and A. Hobor, “On power splitting games in distributed computation: The case of bitcoin pooled mining,” in Computer Security Foundations Symposium (CSF), 2015 IEEE 28th.   IEEE, 2015, pp. 397–411.
  • [60] P. Fairley, “Blockchain world - feeding the blockchain beast if bitcoin ever does go mainstream, the electricity needed to sustain it will be enormous,” IEEE Spectrum, vol. 54, no. 10, pp. 36–59, October 2017.
  • [61] I. Eyal and E. G. Sirer, “Majority is not enough: Bitcoin mining is vulnerable,” Communications of the ACM, vol. 61, no. 7, pp. 95–102, 2018.
  • [62] L. Ren and S. Devadas, “Bandwidth hard functions for asic resistance,” in Theory of Cryptography Conference.   Springer, 2017, pp. 466–492.
  • [63] A. Miller, A. Kosba, J. Katz, and E. Shi, “Nonoutsourceable scratch-off puzzles to discourage bitcoin mining coalitions,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security.   ACM, 2015, pp. 680–691.
  • [64] M. Ball, A. Rosen, M. Sabin, and P. N. Vasudevan, “Proofs of work from worst-case assumptions,” in Annual International Cryptology Conference.   Springer, 2018, pp. 789–819.
  • [65] A. Miller, A. Juels, E. Shi, B. Parno, and J. Katz, “Permacoin: Repurposing bitcoin work for data preservation,” in 2014 IEEE Symposium on Security and Privacy (SP).   IEEE, 2014, pp. 475–490.
  • [66] S. Dziembowski, S. Faust, V. Kolmogorov, and K. Pietrzak, “Proofs of space,” in Annual Cryptology Conference.   Springer, 2015, pp. 585–605.
  • [67] J. Blocki and H.-S. Zhou, “Designing proof of human-work puzzles for cryptocurrency and beyond,” in Theory of Cryptography Conference.   Springer, 2016, pp. 517–546.
  • [68] J.-Y. Cai, A. Nerurkar, and M.-Y. Wu, “Making benchmarks uncheatable,” in Computer Performance and Dependability Symposium, 1998. IPDS’98. Proceedings. IEEE International.   IEEE, 1998, pp. 216–226.
  • [69] L. Chen and W. Mao, “An auditable metering scheme for web advertisement applications,” in International Conference on Information Security.   Springer, 2001, pp. 475–485.
  • [70] C. Blundo and S. Cimato, “A software infrastructure for authenticated web metering,” Computer, vol. 37, no. 4, pp. 28–33, 2004.
  • [71] Y. I. Jerschow and M. Mauve, “Offline submission with rsa time-lock puzzles,” in 2010 10th IEEE International Conference on Computer and Information Technology (CIT 2010).   IEEE, 2010, pp. 1058–1064.
  • [72] J. Katz, A. Miller, and E. Shi, “Pseudonymous secure computation from time-lock puzzles,” 2014.
  • [73] H. Lin, R. Pass, and P. Soni, “Two-round and non-interactive concurrent non-malleable commitments from time-lock puzzles,” in Foundations of Computer Science (FOCS), 2017 IEEE 58th Annual Symposium on.   IEEE, 2017, pp. 576–587.
  • [74] G. Amjad, M. S. Mirza, and C. Pöpper, “Forgetting with puzzles: Using cryptographic puzzles to support digital forgetting,” in Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy.   ACM, 2018, pp. 342–353.
  • [75] M. Mahmoody, T. Moran, and S. Vadhan, “Publicly verifiable proofs of sequential work,” in Proceedings of the 4th conference on Innovations in Theoretical Computer Science.   ACM, 2013, pp. 373–388.
  • [76] B. Cohen and K. Pietrzak, “Simple proofs of sequential work,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques.   Springer, 2018, pp. 451–467.
  • [77] K. Pietrzak, “Simple verifiable delay functions.” IACR Cryptology ePrint Archive, vol. 2018, p. 627, 2018.
  • [78] M. Naor, “Verification of a human in the loop or identification via the turing test,” Unpublished draft from http://www. wisdom. weizmann. ac. il/~ naor/PAPERS/human abs. html, 1996.
  • [79] M. D. Lillibridge, M. Abadi, K. Bharat, and A. Z. Broder, “Method for selectively restricting access to computer systems,” Feb. 27 2001, uS Patent 6,195,698.
  • [80] H. S. Baird, A. L. Coates, and R. J. Fateman, “Pessimalprint: a reverse turing test,” International Journal on Document Analysis and Recognition, vol. 5, no. 2-3, pp. 158–163, 2003.
  • [81] R. Ramanathan, A. Raghav, and C. M. Combel, “Spam reduction in real time communications by human interaction proof,” Jul. 23 2013, uS Patent 8,495,727.
  • [82] M. Blum, L. Von Ahn, J. Langford, and N. Hopper, “The captcha project (completely automatic public turing test to tell computers and humans apart),” School of Computer Science, Carnegie-Mellon University, http://www. captcha. net, 2000.
  • [83] L. Von Ahn, B. Maurer, C. McMillen, D. Abraham, and M. Blum, “recaptcha: Human-based character recognition via web security measures,” Science, vol. 321, no. 5895, pp. 1465–1468, 2008.
  • [84] J. Lazar, J. Feng, T. Brooks, G. Melamed, B. Wentz, J. Holman, A. Olalere, and N. Ekedebe, “The soundsright captcha: an improved approach to audio human interaction proofs for blind users,” in Proceedings of the SIGCHI conference on human factors in computing systems.   ACM, 2012, pp. 2267–2276.
  • [85] H. Meutzner, S. Gupta, and D. Kolossa, “Constructing secure audio captchas by exploiting differences between humans and machines,” in Proceedings of the 33rd annual ACM conference on human factors in computing systems.   ACM, 2015, pp. 2335–2338.
  • [86] G. Goswami, B. M. Powell, M. Vatsa, R. Singh, and A. Noore, “Facedcaptcha: Face detection based color image captcha,” Future Generation Computer Systems, vol. 31, pp. 59–68, 2014.
  • [87] S. Gao, M. Mohamed, N. Saxena, and C. Zhang, “Emerging image game captchas for resisting automated and human-solver relay attacks,” in Proceedings of the 31st Annual Computer Security Applications Conference.   ACM, 2015, pp. 11–20.
  • [88] J. M. G. Hidalgo and G. Alvarez, “Captchas: An artificial intelligence application to web security,” in Advances in Computers.   Elsevier, 2011, vol. 83, pp. 109–181.
  • [89] J. Yan and A. S. El Ahmad, “Usability of captchas or usability issues in captcha design,” in Proceedings of the 4th symposium on Usable privacy and security.   ACM, 2008, pp. 44–52.
  • [90] E. Bursztein, S. Bethard, C. Fabry, J. C. Mitchell, and D. Jurafsky, “How good are humans at solving captchas? a large scale evaluation,” in Security and Privacy (SP), 2010 IEEE Symposium on.   IEEE, 2010, pp. 399–413.
  • [91] J. Yan and A. S. El Ahmad, “A low-cost attack on a microsoft captcha,” in Proceedings of the 15th ACM conference on Computer and communications security.   ACM, 2008, pp. 543–554.
  • [92] E. Bursztein, J. Aigrain, A. Moscicki, and J. C. Mitchell, “The end is nigh: Generic solving of text-based captchas,” in 8th USENIX Workshop on Offensive Technologies (WOOT 14).   USENIX, 2014.
  • [93] G. Mori and J. Malik, “Recognizing objects in adversarial clutter: Breaking a visual captcha,” in Computer Vision and Pattern Recognition, 2003. Proceedings. 2003 IEEE Computer Society Conference on, vol. 1.   IEEE, 2003, pp. I–I.
  • [94] Y. Xu, G. Reynaga, S. Chiasson, J.-M. Frahm, F. Monrose, and P. C. van Oorschot, “Security and usability challenges of moving-object captchas: Decoding codewords in motion.” in USENIX security symposium, 2012, pp. 49–64.
  • [95] D. Danchev, “Inside india’s captcha solving economy,” 2008. [Online]. Available:
  • [96] M. Motoyama, K. Levchenko, C. Kanich, D. McCoy, G. M. Voelker, and S. Savage, “Re: Captchas-understanding captcha-solving services in an economic context.” in USENIX Security Symposium, vol. 10, 2010, p. 3.
  • [97] D. Hofheinz, T. Jager, D. Khurana, A. Sahai, B. Waters, and M. Zhandry, “How to generate and use universal samplers,” in International Conference on the Theory and Application of Cryptology and Information Security.   Springer, 2016, pp. 715–744.
  • [98] R. A. Khot and K. Srinathan, “icaptcha: Image tagging for free,” in the Proc. Conference on Usable Software and Interface Design, vol. 2, 2009, p. 26.
  • [99] K.-F. Hwang, C.-C. Huang, and G.-N. You, “A spelling based captcha system by using click,” in Proceedings of the 2012 International Symposium on Biometrics and Security Technologies.   IEEE Computer Society, 2012, pp. 1–8.
  • [100] B. Barak and M. Mahmoody-Ghidary, “Merkle puzzles are optimal—an o (n2)-query attack on any key exchange from a random oracle,” in Advances in Cryptology-CRYPTO 2009.   Springer, 2009, pp. 374–390.
  • [101] G. O. Karame and S. Čapkun, “Low-cost client puzzles based on modular exponentiation,” in European Symposium on Research in Computer Security.   Springer, 2010, pp. 679–697.
  • [102] J. Rangasamy, D. Stebila, L. Kuppusamy, C. Boyd, and J. G. Nieto, “Efficient modular exponentiation-based puzzles for denial-of-service protection,” in International Conference on Information Security and Cryptology.   Springer, 2011, pp. 319–331.
  • [103] R. Moskowitz, P. Nikander, P. Jokela, and T. Henderson, “Host identity protocol,” Tech. Rep., 2008.
  • [104] B. Waters, A. Juels, J. A. Halderman, and E. W. Felten, “New client puzzle outsourcing techniques for dos resistance,” in Proceedings of the 11th ACM conference on Computer and communications security.   ACM, 2004, pp. 246–256.
  • [105] Y. Gao, “Efficient trapdoor-based client puzzle system against dos attacks,” 2005.
  • [106] S. Tritilanunt, C. Boyd, E. Foo, and J. M. G. Nieto, “Toward non-parallelizable client puzzles,” in International Conference on Cryptology and Network Security.   Springer, 2007, pp. 247–264.
  • [107] M. Ma, “Mitigating denial of service attacks with password puzzles,” in Information Technology: Coding and Computing, 2005. ITCC 2005. International Conference on, vol. 2.   IEEE, 2005, pp. 621–626.
  • [108] B. Groza and D. Petrica, “On chained cryptographic puzzles,” in 3rd Romanian-Hungarian Joint Symposium on Applied Computational Intelligence (SACI), Timisoara, Romania.   Citeseer, 2006, pp. 25–26.
  • [109] L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, vol. 24, no. 11, pp. 770–772, 1981.
  • [110] A. K. Lenstra, H. W. Lenstra, and L. Lovász, “Factoring polynomials with rational coefficients,” Mathematische Annalen, vol. 261, no. 4, pp. 515–534, 1982.
  • [111] M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenker, “Ddos defense by offense,” ACM Transactions on Computer Systems (TOCS), vol. 28, no. 1, p. 3, 2010.
  • [112] C. Percival, “Stronger key derivation via sequential memory-hard functions,” 2009.
  • [113] G. Ateniese, I. Bonacina, A. Faonio, and N. Galesi, “Proofs of space: When space is of the essence,” in International Conference on Security and Cryptography for Networks.   Springer, 2014, pp. 538–557.
  • [114] Q. Liu, “Red-blue and standard pebble games: complexity and applications in the sequential and parallel models,” Ph.D. dissertation, Massachusetts Institute of Technology, 2017.
  • [115] S. Doshi, F. Monrose, and A. D. Rubin, “Efficient memory bound puzzles using pattern databases,” in International Conference on Applied Cryptography and Network Security.   Springer, 2006, pp. 98–113.
  • [116] S. Loyd, Mathematical puzzles.   Courier Corporation, 1959, vol. 1.
  • [117] J. Alwen, B. Chen, K. Pietrzak, L. Reyzin, and S. Tessaro, “Scrypt is maximally memory-hard,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques.   Springer, 2017, pp. 33–62.
  • [118] J. Tromp, “Cuckoo cycle: a memory bound graph-theoretic proof-of-work,” in International Conference on Financial Cryptography and Data Security.   Springer, 2015, pp. 49–62.
  • [119] A. Biryukov and D. Khovratovich, “Egalitarian computing.” in USENIX Security Symposium, 2016, pp. 315–326.
  • [120] R. Pagh and F. F. Rodler, “Cuckoo hashing,” Journal of Algorithms, vol. 51, no. 2, pp. 122–144, 2004.
  • [121] L. Ren and S. Devadas, “Proof of space from stacked expanders,” in Theory of Cryptography Conference.   Springer, 2016, pp. 262–285.
  • [122] D. Wagner, “A generalized birthday problem,” in Annual International Cryptology Conference.   Springer, 2002, pp. 288–304.
  • [123] A. Biryukov, D. Dinu, and D. Khovratovich, “Argon2: new generation of memory-hard functions for password hashing and other applications,” in Security and Privacy (EuroS&P), 2016 IEEE European Symposium on.   IEEE, 2016, pp. 292–302.
  • [124] Z. Zhang, “A new bound on the performance of the bandwidth puzzle,” IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, pp. 731–742, 2012.