## Non-Parallelizable and Non-Interactive Client Puzzles from Modular Square Roots

Citations: 1 (1 self)

### BibTeX

```bibtex
@MISC{Jerschow_non-parallelizableand,
  author = {Yves Igor Jerschow and Martin Mauve},
  title  = {Non-Parallelizable and Non-Interactive Client Puzzles from Modular Square Roots},
  year   = {}
}
```

### Abstract

Denial of Service (DoS) attacks that aim to exhaust the resources of a server by overwhelming it with bogus requests have become a serious threat. Protocols that rely on public key cryptography and perform expensive authentication handshakes are an especially easy target. A well-known countermeasure against DoS attacks is client puzzles: the victimized server demands that clients commit computing resources before it processes their requests. To get service, a client must solve a cryptographic puzzle and submit the right solution. Existing client puzzle schemes have drawbacks: they are either parallelizable, coarse-grained, or usable only interactively. With interactive client puzzles, where the server poses the challenge, an attacker might mount a counterattack on the clients by injecting fake packets containing bogus puzzle parameters. In this paper we introduce a novel client puzzle scheme that relies on the computation of square roots modulo a prime. Modular square root puzzles are non-parallelizable, i.e., the solution cannot be obtained faster than scheduled by distributing the puzzle to multiple machines or CPU cores, and they can be employed both interactively and non-interactively. Our puzzles provide polynomial granularity and compact solution and verification functions. Benchmark results demonstrate the feasibility of our approach to mitigate DoS attacks on hosts in 1 or even 10 GBit networks. In addition, we show how to raise the efficiency of our puzzle scheme by introducing a bandwidth-based cost factor for the client.

Keywords: client puzzles, Denial of Service (DoS), network protocols, authentication, computational puzzles
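To make the abstract's "compact solution and verification functions" concrete, the following is an added example (not code from the paper or its authors) of the interactive puzzle flow built on the two closed-form square-root formulas quoted in the citation contexts on this page: formula (3) for p ≡ 3 (mod 4) and formula (4) for p ≡ 5 (mod 8). The server draws a random quadratic residue a, the client computes a square root x of a modulo p with a single modular exponentiation, and the server verifies with one modular multiplication. The primes and the helper names (`make_puzzle`, `mod_sqrt`, `verify`) are constructed for illustration; the paper's non-interactive variant and its Tonelli-Shanks/Cipolla-Lehmer fallback for p ≡ 1 (mod 8) are not shown.

```python
"""Added example (not from the paper): a minimal interactive modular-square-root
client puzzle using the closed forms (3) and (4) quoted on this page.

Server: choose a prime p with p % 8 in {3, 5, 7} and a random quadratic
residue a.  Client: compute x with x*x == a (mod p).  Server: verify with one
modular multiplication.  All concrete values below are constructed."""

import secrets


def is_quadratic_residue(a: int, p: int) -> bool:
    # Euler's criterion: a is a residue mod an odd prime p iff a^((p-1)/2) == 1 (mod p).
    return pow(a % p, (p - 1) // 2, p) == 1


def has_closed_form(p: int) -> bool:
    # Formulas (3) and (4) cover p = 3 (mod 4) and p = 5 (mod 8); p = 1 (mod 8)
    # needs Tonelli-Shanks or Cipolla-Lehmer, which this example omits.
    return p % 8 in (3, 5, 7)


def mod_sqrt(a: int, p: int) -> int:
    """Client-side solution function: one square root of a modulo prime p."""
    a %= p
    if not is_quadratic_residue(a, p):
        raise ValueError("a is not a quadratic residue modulo p")
    if not has_closed_form(p):
        raise ValueError("p = 1 (mod 8): no closed form in this example")
    if p % 4 == 3:
        # Formula (3): x = a^((p+1)/4) mod p
        return pow(a, (p + 1) // 4, p)
    # p = 5 (mod 8), formula (4): branch on a^((p-1)/4) mod p
    if pow(a, (p - 1) // 4, p) == 1:
        return pow(a, (p + 3) // 8, p)
    return (2 * a * pow(4 * a, (p - 5) // 8, p)) % p


def make_puzzle(p: int) -> int:
    """Server: a random quadratic residue a in Z_p^* as the challenge.
    Squaring a random r guarantees a residue; r itself is never sent."""
    while True:
        r = secrets.randbelow(p - 1) + 1   # 1 <= r <= p-1
        a = (r * r) % p
        if a != 0:
            return a


def verify(a: int, p: int, x: int) -> bool:
    """Server: the compact verification function, one modular multiplication."""
    return 0 < x < p and (x * x) % p == a % p


def solve_and_verify(p: int, a: int) -> bool:
    """Full round trip: client solves, server checks."""
    return verify(a, p, mod_sqrt(a, p))


if __name__ == "__main__":
    # Constructed demo: 2^61 - 1 is a Mersenne prime and is 3 (mod 4).
    p = 2**61 - 1
    a = make_puzzle(p)
    x = mod_sqrt(a, p)
    print(f"p={p} a={a} x={x} valid={verify(a, p, x)}")
```

The client's cost is a modular exponentiation with an exponent of roughly log2(p) bits, while the server pays only a multiplication, which is the asymmetry the abstract relies on; the `has_closed_form` guard keeps the server from issuing a puzzle whose solution path this example does not implement.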

### Citations

2477 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1996
Citation Context: ...ed as being 1 if a is a quadratic residue, -1 if a is a quadratic non-residue and 0 if operating in Z_p and a = 0. The Legendre symbol can be efficiently computed in O((log p)^2) bit operations [26], [27]. Finding a square root modulo p is quite easy for half of the primes p, namely if p ≡ 3 (mod 4). In this case the solution is given by x = a^((p+1)/4) mod p. (3) For half of the remaining primes where ...

915 | A course in computational algebraic number theory
- Cohen
- 1993
Citation Context: ...defined as being 1 if a is a quadratic residue, -1 if a is a quadratic non-residue and 0 if operating in Z_p and a = 0. The Legendre symbol can be efficiently computed in O((log p)^2) bit operations [26], [27]. Finding a square root modulo p is quite easy for half of the primes p, namely if p ≡ 3 (mod 4). In this case the solution is given by x = a^((p+1)/4) mod p. (3) For half of the remaining primes ...

179 | Pricing via processing or combatting junk mail
- Dwork, Naor
- 1993
Citation Context: ...ample on memory [15]–[17], bandwidth [18], [19], or human interaction [20]. Besides DoS protection various other applications for computational puzzles have been proposed, e.g., mitigating spam [2], [21], uncheatable benchmarks [22], a zero-knowledge protocol for timed-release encryption and signatures [23], a timed commitment scheme for contract signing [24], or offline submission of documents [25]....

155 | Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks
- Juels, Brainard
- 1999
Citation Context: ...APOL). By flooding valid-looking requests, for example authentication handshakes, an attacker may try to overload his victim. A well-known countermeasure against resource exhaustion are client puzzles [1]–[3]. A server being under attack processes requests only from those clients that themselves spend resources in solving a cryptographic puzzle and submit the right solution. Puzzle verification must b...

134 | DoS-resistant authentication with client puzzles
- Aura, Nikander, et al.
- 2000
Citation Context: ...). By flooding valid-looking requests, for example authentication handshakes, an attacker may try to overload his victim. A well-known countermeasure against resource exhaustion are client puzzles [1]–[3]. A server being under attack processes requests only from those clients that themselves spend resources in solving a cryptographic puzzle and submit the right solution. Puzzle verification must be ch...

119 | Using client puzzles to protect TLS
- Dean, Stubblefield
- 2001
Citation Context: ...of CPU-bound client puzzles has been applied to authentication protocols in general by Aura et al. in [3]. An implementation of client puzzles to protect the TLS handshake against DoS is described in [8]. Hash-reversal puzzles can be used both interactively and non-interactively. They are simple to construct and verify but have the disadvantage of being highly parallelizable and provide only exponent...

103 | Time-lock puzzles and timed-release crypto
- Rivest, Shamir, et al.
- 1996
Citation Context: ...can be also employed non-interactively, has a small memory footprint, and is easy to implement. Non-parallelizable puzzles based on repeated squaring are well-known in timed-release cryptography. In [11] Rivest et al. introduced interactive time-lock puzzles to encrypt messages that can be decrypted by others only after a pre-determined amount of time has passed. Like the RSA cryptosystem time-lock p...

89 | Hashcash: a denial of service counter-measure
- Back
- 2002
Citation Context: ...or example on memory [15]–[17], bandwidth [18], [19], or human interaction [20]. Besides DoS protection various other applications for computational puzzles have been proposed, e.g., mitigating spam [2], [21], uncheatable benchmarks [22], a zero-knowledge protocol for timed-release encryption and signatures [23], a timed commitment scheme for contract signing [24], or offline submission of documents...

85 | Moderately hard, memory-bound functions
- Abadi, Burrows, et al.
- 2005
Citation Context: ...any trapdoor information. Further client puzzle architectures are, e.g., [12]–[14]. Puzzle-based DoS defense mechanisms can also rely on other payment schemes than CPU cycles, for example on memory [15]–[17], bandwidth [18], [19], or human interaction [20]. Besides DoS protection various other applications for computational puzzles have been proposed, e.g., mitigating spam [2], [21], uncheatable be...

81 | On memory-bound functions for fighting spam
- Dwork, Goldberg, et al.
- 2003

73 | Defending against denial-of-service attacks with puzzle auctions
- Wang, Reiter
- 2003
Citation Context: ...elizable solution function that relies on modular exponentiation. Apart from that, our approach is different and does not use any trapdoor information. Further client puzzle architectures are, e.g., [12]–[14]. Puzzle-based DoS defense mechanisms can also rely on other payment schemes than CPU cycles, for example on memory [15]–[17], bandwidth [18], [19], or human interaction [20]. Besides DoS protect...

61 | DDoS Defense by Offense
- Walfish, Vutukuru, et al.
- 2006
Citation Context: ...tion. Further client puzzle architectures are, e.g., [12]–[14]. Puzzle-based DoS defense mechanisms can also rely on other payment schemes than CPU cycles, for example on memory [15]–[17], bandwidth [18], [19], or human interaction [20]. Besides DoS protection various other applications for computational puzzles have been proposed, e.g., mitigating spam [2], [21], uncheatable benchmarks [22], a zero...

54 | Timed commitments
- Boneh, Naor
- 2000
Citation Context: ...een proposed, e.g., mitigating spam [2], [21], uncheatable benchmarks [22], a zero-knowledge protocol for timed-release encryption and signatures [23], a timed commitment scheme for contract signing [24], or offline submission of documents [25]. III. MODULAR SQUARE ROOTS A. Extracting Square Roots Modulo a Prime Let p be an odd prime and a ∈ Z*_p an integer, i.e., 1 ≤ a ≤ p−1. The solution of the co...

48 | New client puzzle outsourcing techniques for DoS resistance
- Waters, Juels, et al.
- 2004
Citation Context: ...only interactively. Waters et al. suggested a client puzzle scheme based on the Diffie-Hellman key exchange where puzzle construction and distribution are outsourced to a secure entity called bastion [10]. The bastion periodically issues puzzles for a specific number of virtual channels that are valid during the next time slot. Puzzle construction is quite expensive since it requires a modular exponen...

37 | Five number-theoretic algorithms
- Shanks
- 1972
Citation Context: ...ining case p ≡ 1 (mod 8) is the most difficult one. However, there exist two well-known algorithms [28], [29] to compute square roots modulo p for all primes p, namely the Tonelli-Shanks method [30], [31] (see Algorithm 1 [27]) and the Cipolla-Lehmer method [32], [33] (see Algorithm 2 [27]). The group-theoretic Tonelli-Shanks method has a running time of O((log p)^4) bit operations if p − 1 contains ...

35 | Survey of network-based defense mechanisms countering the DoS and DDoS problems
- Peng, Leckie, et al.
- 2007
Citation Context: ...t by a bandwidth-based cost factor. Finally, we conclude the paper with a summary in Section VI. II. RELATED WORK A comprehensive survey on DoS attacks and proposed defense mechanisms can be found in [7]. The authors classify four categories of defense: (1) attack prevention, (2) attack detection, (3) attack source identification, and (4) attack reaction. In [1] Juels and Brainard introduced client p...

29 | Mitigating Bandwidth-Exhaustion Attacks using Congestion Puzzles
- Wang, Reiter
- 2004

26 | Exploiting the Power of GPUs for Asymmetric Cryptography
- Szerwinski, Güneysu
- 2008
Citation Context: ...t for benign clients such long delays seem to be hardly reasonable. Fast modular exponentiation has been also successfully implemented in hardware, especially on FPGAs [37], [38], and for modern GPUs [39], [40], which are very competitive. A few years ago FPGAs outperformed ordinary software implementations, but a current comparison [39] shows that nowadays FPGAs are about as fast as software implemen...

25 | Algorithmic Number Theory, Volume I: Efficient Algorithms
- Bach, Shallit
- 1996
Citation Context: ...ion exists: x = a^((p+3)/8) mod p if a^((p−1)/4) mod p = 1, and x = 2a(4a)^((p−5)/8) mod p otherwise. (4) The remaining case p ≡ 1 (mod 8) is the most difficult one. However, there exist two well-known algorithms [28], [29] to compute square roots modulo p for all primes p, namely the Tonelli-Shanks method [30], [31] (see Algorithm 1 [27]) and the Cipolla-Lehmer method [32], [33] (see Algorithm 2 [27]). The group-...

22 | The Design and Implementation of Network Puzzles
- Feng, Kaiser, et al.
- 2005
Citation Context: ...construct and verify but have the disadvantage of being highly parallelizable and provide only exponential granularity. To make them fine-grained Feng et al. proposed hint-based hash reversal puzzles [9] where the server gives the client a hint about the range within which the solution lies. Thus, the granularity becomes linear. The drawback is that hint-based puzzles can be employed only interactive...

21 | Computer technology applied to the theory of numbers
- Lehmer
- 1969
Citation Context: ...re exist two well-known algorithms [28], [29] to compute square roots modulo p for all primes p, namely the Tonelli-Shanks method [30], [31] (see Algorithm 1 [27]) and the Cipolla-Lehmer method [32], [33] (see Algorithm 2 [27]). The group-theoretic Tonelli-Shanks method has a running time of O((log p)^4) bit operations if p − 1 contains a large power of two in its prime factorization. But for small s...

19 | Bemerkung über die Auflösung quadratischer Congrenzen, Göttinger Nachrichten
- Tonelli
- 1891
Citation Context: ...e remaining case p ≡ 1 (mod 8) is the most difficult one. However, there exist two well-known algorithms [28], [29] to compute square roots modulo p for all primes p, namely the Tonelli-Shanks method [30], [31] (see Algorithm 1 [27]) and the Cipolla-Lehmer method [32], [33] (see Algorithm 2 [27]). The group-theoretic Tonelli-Shanks method has a running time of O((log p)^4) bit operations if p − 1 con...

17 | Using smoothness to achieve parallelism
- Adleman, Kompella
- 1988
Citation Context: ...me. NC ⊆ P represents the class of problems that can be efficiently solved by a parallel computer. However, it is still an open question whether modular exponentiation is P-complete, i.e., not in NC [34], [35]. Likewise, it is unknown if factoring is really not in P. We now want to point out those parts of modular square root computation that are parallelizable. If applying the basic binary exponenti...

16 | Timed-Release Cryptography
- Mao
- 2004
Citation Context: ...s other applications for computational puzzles have been proposed, e.g., mitigating spam [2], [21], uncheatable benchmarks [22], a zero-knowledge protocol for timed-release encryption and signatures [23], a timed commitment scheme for contract signing [24], or offline submission of documents [25]. III. MODULAR SQUARE ROOTS A. Extracting Square Roots Modulo a Prime Let p be an odd prime and a ∈ Z*_p a...

14 | Fast Montgomery modular multiplication and RSA cryptographic processor architectures
- McIvor, McLoone, et al.
Citation Context: ...e with hash-reversal puzzles, but for benign clients such long delays seem to be hardly reasonable. Fast modular exponentiation has been also successfully implemented in hardware, especially on FPGAs [37], [38], and for modern GPUs [39], [40], which are very competitive. A few years ago FPGAs outperformed ordinary software implementations, but a current comparison [39] shows that nowadays FPGAs are ab...

11 | How to Maximize the Potential of FPGA Resources for Modular Exponentiation
- Suzuki
- 2007
Citation Context: ...hash-reversal puzzles, but for benign clients such long delays seem to be hardly reasonable. Fast modular exponentiation has been also successfully implemented in hardware, especially on FPGAs [37], [38], and for modern GPUs [39], [40], which are very competitive. A few years ago FPGAs outperformed ordinary software implementations, but a current comparison [39] shows that nowadays FPGAs are about as...

11 | Efficient Acceleration of Asymmetric Cryptography on Graphics Hardware
- Harrison, Waldron
Citation Context: ...benign clients such long delays seem to be hardly reasonable. Fast modular exponentiation has been also successfully implemented in hardware, especially on FPGAs [37], [38], and for modern GPUs [39], [40], which are very competitive. A few years ago FPGAs outperformed ordinary software implementations, but a current comparison [39] shows that nowadays FPGAs are about as fast as software implementation...

10 | Un metodo per la risolutione della congruenza di secondo grado, Rendiconto dell’Accademia Scienze Fisiche e Matematiche 9 (3
- Cipolla
- 1903
Citation Context: ...r, there exist two well-known algorithms [28], [29] to compute square roots modulo p for all primes p, namely the Tonelli-Shanks method [30], [31] (see Algorithm 1 [27]) and the Cipolla-Lehmer method [32], [33] (see Algorithm 2 [27]). The group-theoretic Tonelli-Shanks method has a running time of O((log p)^4) bit operations if p − 1 contains a large power of two in its prime factorization. But for s...

8 | Efficient memory bound puzzles using pattern databases
- Doshi, Monrose, et al.
Citation Context: ...trapdoor information. Further client puzzle architectures are, e.g., [12]–[14]. Puzzle-based DoS defense mechanisms can also rely on other payment schemes than CPU cycles, for example on memory [15]–[17], bandwidth [18], [19], or human interaction [20]. Besides DoS protection various other applications for computational puzzles have been proposed, e.g., mitigating spam [2], [21], uncheatable benchma...

8 | A Sublinear-Time Parallel Algorithm for Integer Modular Exponentiation. Available from http://citeseer.nj.nec.com/sorenson99 sublineartime.html
- Sorenson
Citation Context: ...⊆ P represents the class of problems that can be efficiently solved by a parallel computer. However, it is still an open question whether modular exponentiation is P-complete, i.e., not in NC [34], [35]. Likewise, it is unknown if factoring is really not in P. We now want to point out those parts of modular square root computation that are parallelizable. If applying the basic binary exponentiation ...

7 | Toward non-parallelizable client puzzles
- Tritilanunt, Boyd, et al.
Citation Context: ...irable property is non-parallelizability, which prevents an attacker from obtaining the solution faster than scheduled by distributing the puzzle to multiple CPU cores or to other compromised machines [4]–[6]. Existing client puzzle schemes are either parallelizable, coarse-grained or can be used only interactively. Interactive puzzles have the drawback that the packet with the puzzle parameters sent...

6 | A remark on the computation of cube roots in finite fields, Cryptology ePrint Archive, Report 2009/457
- Nishihara, Harasawa, et al.
- 2009
Citation Context: ...ists: x = a^((p+3)/8) mod p if a^((p−1)/4) mod p = 1, and x = 2a(4a)^((p−5)/8) mod p otherwise. (4) The remaining case p ≡ 1 (mod 8) is the most difficult one. However, there exist two well-known algorithms [28], [29] to compute square roots modulo p for all primes p, namely the Tonelli-Shanks method [30], [31] (see Algorithm 1 [27]) and the Cipolla-Lehmer method [32], [33] (see Algorithm 2 [27]). The group-theore...

5 | BAP: Broadcast Authentication Using Cryptographic Puzzles
- Schaller, Čapkun, et al.

5 | CAPTCHA: Using Hard AI
- Ahn, Blum, et al.
- 2003
Citation Context: ...tectures are, e.g., [12]–[14]. Puzzle-based DoS defense mechanisms can also rely on other payment schemes than CPU cycles, for example on memory [15]–[17], bandwidth [18], [19], or human interaction [20]. Besides DoS protection various other applications for computational puzzles have been proposed, e.g., mitigating spam [2], [21], uncheatable benchmarks [22], a zero-knowledge protocol for timed-rel...

4 | Low-cost client puzzles based on modular exponentiation
- Karame, Capkun
- 2010
Citation Context: ...e property is non-parallelizability, which prevents an attacker from obtaining the solution faster than scheduled by distributing the puzzle to multiple CPU cores or to other compromised machines [4]–[6]. Existing client puzzle schemes are either parallelizable, coarse-grained or can be used only interactively. Interactive puzzles have the drawback that the packet with the puzzle parameters sent from...

4 | Enhancing ZRTP by using Computational Puzzles
- Hlavacs, Gansterer, et al.
- 2008
Citation Context: ...ble solution function that relies on modular exponentiation. Apart from that, our approach is different and does not use any trapdoor information. Further client puzzle architectures are, e.g., [12]–[14]. Puzzle-based DoS defense mechanisms can also rely on other payment schemes than CPU cycles, for example on memory [15]–[17], bandwidth [18], [19], or human interaction [20]. Besides DoS protection v...

3 | Offline Submission with RSA Time-Lock Puzzles
- Jerschow, Mauve
Citation Context: ...[21], uncheatable benchmarks [22], a zero-knowledge protocol for timed-release encryption and signatures [23], a timed commitment scheme for contract signing [24], or offline submission of documents [25]. III. MODULAR SQUARE ROOTS A. Extracting Square Roots Modulo a Prime Let p be an odd prime and a ∈ Z*_p an integer, i.e., 1 ≤ a ≤ p−1. The solution of the congruence x^2 ≡ a (mod p) is called a squar...

2 | Counter-Flooding: DoS Protection for Public Key Handshakes in LANs
- Jerschow, Scheuermann, et al.
- 2009
Citation Context: ...Further client puzzle architectures are, e.g., [12]–[14]. Puzzle-based DoS defense mechanisms can also rely on other payment schemes than CPU cycles, for example on memory [15]–[17], bandwidth [18], [19], or human interaction [20]. Besides DoS protection various other applications for computational puzzles have been proposed, e.g., mitigating spam [2], [21], uncheatable benchmarks [22], a zero-knowl...

1 | Towards benchmarks
- Cai, Lipton, et al.
- 1993
Citation Context: ...ndwidth [18], [19], or human interaction [20]. Besides DoS protection various other applications for computational puzzles have been proposed, e.g., mitigating spam [2], [21], uncheatable benchmarks [22], a zero-knowledge protocol for timed-release encryption and signatures [23], a timed commitment scheme for contract signing [24], or offline submission of documents [25]. III. MODULAR SQUARE ROOTS A....