Re: [TLS] TLS client puzzles

Bill Cox <> Thu, 30 June 2016 15:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2045A12D185 for <>; Thu, 30 Jun 2016 08:17:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.126
X-Spam-Status: No, score=-4.126 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VRakYJV-5vIW for <>; Thu, 30 Jun 2016 08:17:45 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4DC5A12D0B6 for <>; Thu, 30 Jun 2016 08:07:58 -0700 (PDT)
Received: by with SMTP id m127so54060352vkb.3 for <>; Thu, 30 Jun 2016 08:07:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=IL17pg9AE4zWBVt+US5ot0m+K9Ju35jKZUFCWfRQVLA=; b=XOCw0wkiBCN4pp1mxR4Ra7GwkHuHw9hbRgWJxCYuo0JjBtHL0mXee40kKPonNTyz7f YbXtuT7gvngvGXIz0YuoMH2QmREAb8AwgNYUW6q+C0xkKZjF6gHPYBeJPt8E3GVbA18t Rwo2CVBTAtpd/Xpc6lYXkCZBz484s3pll3+q867w2MjBsxb5xfIPzNFTBOOieX6OkkTI ODgKdKAzUMAWOB5AOJ15ajs+BPMwUfSJdrE+yda0ttrMv5EJgaawQ8MRiv4bqyIZscJy avFJlV9mILbxj7mfQHvHecTEPoNmfQLis6JAcrFp1q09/VJj7L7cQ+0a5i+lAzs19b82 dLFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=IL17pg9AE4zWBVt+US5ot0m+K9Ju35jKZUFCWfRQVLA=; b=YKux3FmgGLybZtb0/B+5MLaj6HcFiMvJwr2QX1thWjo+Q+mXK3B4oM6Ufmjfx7bPn5 GBbDL1wTtLWG83tB5rHObaEbzgWDC7V3qXMmLLTHd8vCc4lmf3bFRNMtL56L0ZvrzxkE rVJhGZDrYcXPTJbqcRI9wEkfFQkxmGFwgYziERHJYi4SmjStyDj5D18+9a+6klNefXlN 7MLO69D82cnjBN7KDc/81NZYARUF4rV5Ni8Hjzdoe+koZzS82Ve94C/ZvGwEUmZTGucT VtSZDTC5KHRE9Z7s1/5hSnJV+rL6NMuuwkSpDqCS37a5G/dZcJKKTuYXQ3UwDpPj2ZPS 38vA==
X-Gm-Message-State: ALyK8tI03v2v/dL54m/bNGNaiuAr1/9SFqmvswkK/lJ2MJMzlXXr2eHfm/IHEq4H7BHA1kpJVKlcQsi2iYl1IRPh
X-Received: by with SMTP id c34mr5727900uac.79.1467299277188; Thu, 30 Jun 2016 08:07:57 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Thu, 30 Jun 2016 08:07:56 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Bill Cox <>
Date: Thu, 30 Jun 2016 08:07:56 -0700
Message-ID: <>
To: Yoav Nir <>
Content-Type: multipart/alternative; boundary="94eb2c04812832dbc80536803cb9"
Archived-At: <>
Cc: "<>" <>, Dmitry Khovratovich <>
Subject: Re: [TLS] TLS client puzzles
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Jun 2016 15:17:47 -0000

Equihash looks like a nice advance, so kudos to Dmitry's team.  So long as
we're on this topic, I'll mention an alternative that addresses some of
your concerns.  I do not recommend making it an official part of TLS, as I
feel that TLS is already vastly too complex.  However, this algorithm is
very cool:

Makwa <> is a "recommended"
algorithm from the password-hashing contest.  It is a proof-of-work
algorithm with fast verification, but is not memory-hard.  However, that
seems OK, since Makwa supports "delegation".  An IoT device can ask any
Makwa hashing provider on the Internet to do the proof of work for it, and
the result is as secure as if the IoT device had done it.  This solves the
concern about leaving under-powered devices behind, while aiding in DDoS

If widely adopted, with ASIC implementations, it would also defeat
botnets.  ASICs would many times more efficient than CPUs at Makwa, IIRC,
about 4000X in my last analysis.  Even botnets would have difficulty
competing with a legit ASIC Makwa provider.

My own dumb-idea related to Makwa is to use it as a PoW in a block-chain
based crypto-coin.  If miners are going to waste crazy amounts of
electricity mining anyway, at least they could help defeat DDoS attacks
while they are at it.  This might also create a method for IoT devices to
pay for the PoW service in nano transactions.

No way would I ever want such a beast bolted into TLS :>  Maybe as a DDoS
extension API in OpenSSL?