article

Modular square root puzzles: Design of non-parallelizable and non-interactive client puzzles

Authors:

Yves Igor Jerschow,

Martin MauveAuthors Info & Claims

Computers and Security, Volume 35

Pages 25 - 36

https://doi.org/10.1016/j.cose.2012.11.008

Published: 01 June 2013 Publication History

Abstract

Denial of Service (DoS) attacks aiming to exhaust the resources of a server by overwhelming it with bogus requests have become a serious threat. Especially protocols that rely on public key cryptography and perform expensive authentication handshakes may be an easy target. A well-known countermeasure against resource depletion attacks are client puzzles. The victimized server demands from the clients to commit computing resources before it processes their requests. To get service, a client must solve a cryptographic puzzle and submit the right solution. Existing client puzzle schemes have some drawbacks. They are either parallelizable, coarse-grained or can be used only interactively. In case of interactive client puzzles where the server poses the challenge an attacker might mount a counterattack on the clients by injecting faked packets with bogus puzzle parameters bearing the server's sender address. In this paper we introduce a novel scheme for client puzzles which relies on the computation of square roots modulo a prime. Modular square root puzzles are non-parallelizable, i.e., the solution cannot be obtained faster than scheduled by distributing the puzzle to multiple machines or CPU cores, and they can be employed both interactively and non-interactively. Our puzzles provide polynomial granularity and compact solution and verification functions. Benchmark results demonstrate the feasibility of our approach to mitigate DoS attacks on hosts in 1 or even 10 Gbit networks. In addition, we show how to raise the efficiency of our puzzle scheme by introducing a bandwidth-based cost factor for the client. Furthermore, we also investigate the construction of client puzzles from modular cube roots.

References

[1]

Moderately hard, memory-bound functions. ACM Transactions on Internet Technology. v5. 299-327.

[2]

Using smoothness to achieve parallelism. In: STOC '88: proceedings of the 20th annual ACM Symposium on Theory of Computing, pp. 528-538.

[3]

On taking roots in finite fields. In: SFCS '77: proceedings of the 18th annual Symposium on Foundations of Computer Science, pp. 175-178.

Digital Library

[4]

CAPTCHA: using hard AI problems for security. In: EUROCRYPT '03: proceedings of the 22nd international conference on theory and applications of cryptographic techniques, pp. 294-311.

[5]

DOS-resistant authentication with client puzzles. In: Revised papers from the 8th international workshop on security protocols, pp. 170-177.

[6]

Algorithmic number theory. Efficient algorithms, 1996.MIT Press.

[7]

Hashcash - a denial of service counter-measure.

[8]

Timed commitments. In: CRYPTO '00: proceedings of the 20th annual international cryptology conference on advances in cryptology, pp. 236-254.

[9]

Towards uncheatable benchmarks. In: Proceedings of the 8th annual structure in complexity theory conference, pp. 2-11.

[10]

Fast Montgomery modular multiplication and RSA cryptographic processor architectures. In: Proceedings of the 37th asilomar conference on signals, systems, and computers, pp. 379-384.

[11]

Un metodo per la risolutione della congruenza di secondo grado. Rendiconto dell'Accademia Scienze Fisiche e Matematiche. v9 i3. 154-163.

[12]

A course in computational algebraic number theory. Springer.

[13]

Denial of service via algorithmic complexity attacks. In: SSYM'03: proceedings of the 12th conference on USENIX security symposium,

[14]

Using client puzzles to protect TLS. In: SSYM'01: proceedings of the 10th USENIX security symposium,

[15]

Efficient memory bound puzzles using pattern databases. In: ACNS 2006: proceedings of the 4th international conference on applied cryptography and network security, pp. 98-113.

[16]

DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks. v44 i5. 643-666.

[17]

Pricing via processing or combatting junk mail. In: CRYPTO '92: proceedings of the 12th annual international cryptology conference on advances in cryptology, pp. 139-147.

[18]

On memory-bound functions for fighting spam. In: CRYPTO '03: proceedings of the 23rd annual international cryptology conference on advances in cryptology, pp. 426-444.

[19]

GMP: GNU multiple precision arithmetic library. http://gmplib.org.

[20]

Efficient acceleration of asymmetric cryptography on graphics hardware. In: AFRICACRYPT '09: proceedings of the 2nd international conference on cryptology in Africa, pp. 350-367.

[21]

Enhancing ZRTP by using computational puzzles. Journal of Universal Computer Science. v14 i5. 693-716.

[22]

Offline submission with RSA time-lock puzzles. In: CIT 2010: proceedings of the 10th IEEE international conference on Computer and Information Technology, pp. 1058-1064.

[23]

Secure client puzzles based on random beacons. In: IFIP networking 2012: proceedings of the 11th international conference on networking, pp. 184-197.

[24]

Counter-flooding: DoS protection for public key handshakes in LANs. In: ICNS 2009: proceedings of the 5th International Conference on Networking and Services, pp. 376-382.

[25]

Client puzzles: a cryptographic countermeasure against connection depletion attacks. In: NDSS '99: proceedings of the Network and Distributed System Security Symposium,

[26]

Low-cost client puzzles based on modular exponentiation. In: ESORICS 2010: proceedings of the 15th European Symposium on Research in Computer Security, pp. 679-697.

[27]

Computer technology applied to the theory of numbers. In: Studies in number theory, Prentice Hall, Englewood Cliffs, NJ. pp. 117-151.

[28]

Timed-release cryptography. In: SAC 2001: proceedings of the 8th annual international workshop on Selected Areas in Cryptography, pp. 342-357.

[29]

Wireless client puzzles in IEEE 802.11 networks: security by wireless. In: WiSec '08: proceedings of the ACM conference on Wireless Network Security, pp. 36-45.

[30]

Handbook of applied cryptography. CRC Press.

[31]

A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review. v34 i2. 39-53.

[32]

A remark on the computation of cube roots in finite fields.

[33]

Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Computing Surveys. v39 i1. 3

[34]

Time-lock puzzles and timed-release Crypto. Massachusetts Institute of Technology, Cambridge, MA, USA.

[35]

BAP: broadcast authentication using cryptographic puzzles. In: ACNS '07: proceedings of the 5th international conference on Applied Cryptography and Network Security, pp. 401-419.

[36]

Five number-theoretic algorithms. In: Proceedings of the 2nd Manitoba conference on numerical mathematics, pp. 51-70.

[37]

A sublinear-time parallel algorithm for integer modular exponentiation. In: Proceedings of the conference on the mathematics of public-key cryptography, pp. 528-538.

[38]

How to maximize the potential of FPGA resources for modular exponentiation. In: CHES '07: proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems, pp. 272-288.

[39]

Exploiting the power of GPUs for asymmetric cryptography. In: CHES '08: proceedings of the 10th international workshop on Cryptographic Hardware and Embedded Systems, pp. 79-99.

[40]

On non-parallelizable deterministic client puzzle scheme with batch verification modes. Centre for Telematics and Information Technology, University of Twente.

[41]

Bemerkung über die Auflösung quadratischer Congruenzen. Göttinger Nachrichten. 344-346.

[42]

Toward non-parallelizable client puzzles. In: CANS 2007: proceedings of the 6th international conference on Cryptology & Network Security, pp. 247-264.

[43]

The design and implementation of network puzzles. In: INFOCOM 2005: proceedings of the 24th IEEE conference on computer communications, pp. 2372-2382.

[44]

DDoS defense by offense. In: SIGCOMM '06: proceedings of the 2006 conference on applications, technologies, architectures, and protocols for computer communications, pp. 303-314.

[45]

A multi-layer framework for puzzle-based denial-of-service defense. International Journal of Information Security. v7. 243-263.

[46]

New client puzzle outsourcing techniques for DoS resistance. In: CCS '04: proceedings of the 11th ACM conference on Computer and Communications Security, pp. 246-256.

Cited By

Raikwar MGligoroski D(2021)Non-Interactive VDF Client Puzzle for DoS MitigationProceedings of the 2021 European Interdisciplinary Cybersecurity Conference10.1145/3487405.3487406(32-38)Online publication date: 10-Nov-2021
https://dl.acm.org/doi/10.1145/3487405.3487406
Gupta DSaia JYoung M(2018)Proof of Work Without All the WorkProceedings of the 19th International Conference on Distributed Computing and Networking10.1145/3154273.3154333(1-10)Online publication date: 4-Jan-2018
https://dl.acm.org/doi/10.1145/3154273.3154333

Modular square root puzzles: Design of non-parallelizable and non-interactive client puzzles
1. Security and privacy

Recommendations

Non-Parallelizable and Non-Interactive Client Puzzles from Modular Square Roots
ARES '11: Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security

Denial of Service (DoS) attacks aiming to exhaust the resources of a server by overwhelming it with bogus requests have become a serious threat. Especially protocols that rely on public key cryptography and perform expensive authentication handshakes ...
Secure client puzzles based on random beacons
IFIP'12: Proceedings of the 11th international IFIP TC 6 conference on Networking - Volume Part II

Denial of Service (DoS) attacks pose a fast-growing threat to network services in the Internet, but also corporate Intranets and public local area networks like Wi-Fi hotspots may be affected. Especially protocols that perform authentication and key ...
The Moderately Hard DoS-Resistant Authentication Protocol on Client Puzzles

Denial-of-service (DoS) attacks against server resources exhaustion are a major security threat to the Internet. A number of defense mechanisms have been proposed against such attacks. Recently, Aura et al. proposed a solution to resist DoS attacks ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Computers and Security

Computers and Security Volume 35, Issue

June, 2013

52 pages

ISSN:0167-4048

Issue’s Table of Contents

Copyright © Elsevier Ltd © 2012.

Publisher

Elsevier Advanced Technology Publications

United Kingdom

Publication History

Published: 01 June 2013

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 12 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Raikwar MGligoroski D(2021)Non-Interactive VDF Client Puzzle for DoS MitigationProceedings of the 2021 European Interdisciplinary Cybersecurity Conference10.1145/3487405.3487406(32-38)Online publication date: 10-Nov-2021
https://dl.acm.org/doi/10.1145/3487405.3487406
Gupta DSaia JYoung M(2018)Proof of Work Without All the WorkProceedings of the 19th International Conference on Distributed Computing and Networking10.1145/3154273.3154333(1-10)Online publication date: 4-Jan-2018
https://dl.acm.org/doi/10.1145/3154273.3154333

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Issue’s Table of Contents