| SPDX-FileCopyrightText | SPDX-License-Identifier | title | author | footer | description | keywords | color | class | style | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
© 2024 Menacit AB <[email protected]> |
CC-BY-SA-4.0 |
Practical cryptography course: Proof of Work |
Joel Rangsmo <[email protected]> |
© Course authors (CC BY-SA 4.0) |
Usage of cryptographic hashing for PoW |
|
#ffffff |
|
section.center {
text-align: center;
}
table strong {
color: #d63030;
}
table em {
color: #2ce172;
}
|
What enables email spam, and how could we solve it?
Anyone can send anyone a message at (almost) zero cost.
Couldn't we just charge a tiny fee per message?
How would you even implement that?
Any other ways we could introduce cost?
Computations require processing.
Processing requires hardware and electricity.
Hardware and electricity ain't free!
Calculating a hash requires quite many CPU cycles.
How can we prove that the user has wasted processing power on hashing?
Let's steal a few tricks from hash-based authentication!
Sender: I got some email for you!
Receiver: Stop right there! Before I accept your email, I want you to provide a hash of some data prefixed with "fiskburk" that ends with "ff".
Sender: Okay - hold on a second... *crunching*... If I hash "fiskburk24077-29047-32326" I get a hash ending with "ff"!
Receiver: I get the same result - handover that email, will you?
Costly to find proof, but cheap to very!*
#!/usr/bin/env bash
# Validate that at least two command line arguments are provided
if [[ -z "${2}" ]]; then
echo "Usage: ${0} <PREFIX_SEED> <EXPECTED_SUFFIX>"
exit 1
fi
PREFIX_SEED="${1}"
EXPECTED_SUFFIX="${2}"
# Loop until solution for PoW is found
time while true; do
# Grab some random data to include in hash calculation
INPUT_DATA="${RANDOM}-${RANDOM}-${RANDOM}"
# Hash specified seed together with random input data, only include hash from output
HASH="$(echo -n ${PREFIX_SEED} ${INPUT_DATA} | sha256sum | cut -d ' ' -f 1)"
# If the suffix of the generated hash matches the specified suffix, challenge is solved
if [[ "${HASH}" == *${EXPECTED_SUFFIX} ]]; then
echo "${EXPECTED_SUFFIX}: sha256(${PREFIX_SEED} + ${INPUT_DATA}) == ${HASH}"
# Stop loop once finished
break
fi
done
$ resources/misc/pow.sh
Usage: resources/misc/pow.sh <PREFIX_SEED> <EXPECTED_SUFFIX>
$ resources/misc/pow.sh "asdasdasdasd" "ff"
ff: sha256(asdasdasdasd + 16083-12281-837) == d60ee[...]3b13e1ff
real 0m0.138s
$ resources/misc/pow.sh "asdasdasdasd" "fff"
fff: sha256(asdasdasdasd + 22132-31048-7135) == 3be[...]37371fff
real 0m22.333s
$ resources/misc/pow.sh "asdasdasdasd" "ffff"
ffff: sha256(asdasdasdasd + 19378-5998-4075) == fb8[...]370ffff
real 1m23.770s
- Online rate-limiting
- Alternative to captcha
- Anti-scraping
- "Mining" in cryptocurrencies
Whatever you can imagine!
Done with your other tasks and wanna try implementing PoW?
Modify the client and server from "pwd_hash" lab to utilize PoW instead of/in addition to password-based authentication.
courses+crypto_011601@%EMAIL_DOMAIN%
