Abstract

Proof-of-work is a central concept in modern cryptocurrencies and denial-of-service protection tools, but the requirement for fast verification so far has made it an easy prey for GPU-, ASIC-, and botnet-equipped users. The attempts to rely on memory-intensive computations in order to remedy the disparity between architectures have resulted in slow or broken schemes. In this paper we solve this open problem and show how to construct an asymmetric proof-of-work (PoW) based on a computationally-hard problem, which requires a great deal of memory to generate a proof (called a "memory-hardness" feature) but is instant to verify. Our primary proposal, Equihash, is a PoW based on the generalized birthday problem and enhanced Wagner's algorithm for it. We introduce the new technique of algorithm binding to prevent cost amortization and demonstrate that possible parallel implementations are constrained by memory bandwidth. Our scheme has tunable and steep time-space tradeoffs, which impose large computational penalties if less memory is used. Our solution is practical and ready to deploy: a reference implementation of a proof-of-work requiring 700 MB of RAM runs in 15 seconds on a 2.1 GHz CPU, increases the computations by a factor of 1000 if memory is halved, and presents a proof of just 120 bytes long.
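A toy version of the asymmetry described in the abstract, added here as an illustration and not the paper's reference implementation: the solver keeps a whole list of hashes in memory and merges it with Wagner's algorithm, while the verifier recomputes only 2^k hashes. The parameters (n = 24, k = 2), the BLAKE2b input layout, and the exact form of the binding check on intermediate XORs are assumptions made for this example.

```python
import hashlib
from collections import defaultdict

N_BITS, K = 24, 2             # toy parameters (constructed), far below real settings
STEP = N_BITS // (K + 1)      # bits cancelled per Wagner step
LIST_SIZE = 1 << (STEP + 1)   # 2^(n/(k+1)+1) candidate hashes held in memory

def H(seed, nonce, i):
    """n-bit hash of (seed, nonce, index); BLAKE2b is an assumed choice."""
    msg = seed + nonce.to_bytes(4, "little") + i.to_bytes(4, "little")
    return int.from_bytes(hashlib.blake2b(msg, digest_size=N_BITS // 8).digest(), "big")

def prefix_bits(level):
    """Leading zero bits required after `level` merges (all n bits at the last)."""
    return N_BITS if level == K else level * STEP

def solve(seed, nonce):
    """Wagner's algorithm: the whole list stays in memory while it is merged K times."""
    rows = [(H(seed, nonce, i), (i,)) for i in range(LIST_SIZE)]
    for level in range(1, K + 1):
        shift = N_BITS - prefix_bits(level)
        buckets = defaultdict(list)
        for x, idx in rows:
            buckets[x >> shift].append((x, idx))
        rows = [(xa ^ xb, ia + ib)
                for group in buckets.values()
                for a, (xa, ia) in enumerate(group)
                for xb, ib in group[a + 1:]
                if set(ia).isdisjoint(ib)]
    return [idx for x, idx in rows if x == 0]

def find_proof(seed):
    """Try nonces until one list yields a solution; returns (nonce, indices)."""
    nonce = 0
    while not (sols := solve(seed, nonce)):
        nonce += 1
    return nonce, sols[0]

def verify(seed, nonce, idx):
    """Verification: 2^K hashes and XORs, no large memory."""
    if len(idx) != 1 << K or len(set(idx)) != len(idx):
        return False
    if not all(0 <= i < LIST_SIZE for i in idx):
        return False
    vals = [H(seed, nonce, i) for i in idx]
    for level in range(1, K + 1):
        vals = [vals[j] ^ vals[j + 1] for j in range(0, len(vals), 2)]
        # binding check (assumed form): each subtree XOR shows the solver's zero prefix
        if any(v >> (N_BITS - prefix_bits(level)) for v in vals):
            return False
    return True
```

Calling `find_proof(b"some seed")` returns a nonce and four indices that `verify` accepts; a proof with any index altered is rejected.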

Highlights

  • Request of intensive computations as a countermeasure against spam was first proposed by Dwork and Naor in 1992 [33], and as denial of service (DoS) protection in the form of TLS client puzzle by Dean and Stubblefield in 2001 [29]. The amount of work is certified by a proof, called proof-of-work, which is feasible to get by an ordinary user, but at the same time slows down multiple requests from the single machine or a botnet.

  • Outline—This paper is structured as follows: first, we review the properties required from an asymmetric proof-of-work and show how to adapt a computationally-hard problem for a PoW (Section 2); we review the generalized birthday problem and Wagner’s algorithm in Section 3 and outline our primary proposal in Section 4; and the new results on the time-space tradeoffs and parallelism are proven in Sections 5 and 6

  • Given a list of requirements for an asymmetric and ASIC-resistant PoW, we identified the generalized birthday problem as the one with scrutinized algorithms that have been decently studied for tradeoffs.


Summary

Introduction

Request of intensive computations as a countermeasure against spam was first proposed by Dwork and Naor in 1992 [33], and as denial of service (DoS) protection in the form of TLS client puzzle by Dean and Stubblefield in 2001 [29]. The amount of work is certified by a proof, called proof-of-work, which is feasible to get by an ordinary user, but at the same time slows down multiple requests from the single machine or a botnet. An adversary trying to use 250 MB of memory would pay 1000-fold in computations using the best tradeoff strategy, whereas a memoryless algorithm would require prohibitive 2^75 hash function calls. These properties and performance are unachievable by existing proposals. Outline—This paper is structured as follows: first, we review the properties required from an asymmetric proof-of-work and show how to adapt a computationally-hard problem for a PoW (Section 2); we review the generalized birthday problem and Wagner's algorithm in Section 3 and outline our primary proposal in Section 4; and the new results on the time-space tradeoffs and parallelism are proven in Sections 5 and 6.

Proofs-of-Work and Hard Computational Problems
Properties—We define a problem
Equihash
Primary Proposal
Parallelism
Parallel sorting on ASICs—We have subdivided this section into three parts
Further discussion
Findings
Conclusion