Guided tour puzzle protocol

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Guided tour puzzle (GTP) protocol is a cryptographic protocol for mitigating application layer denial of service attacks. It aims to overcome the shortcoming of computation-based puzzle protocols, in which clients are required to compute hard CPU or memory-bound puzzles that favor clients with abundant computational resources. Guided tour puzzle protocol can be seen as a form of proof-of-work (POW) protocol.


The protocol steps of the guided tour puzzle protocol is similar to that of client puzzle protocol. All clients are required to complete a guided tour puzzle prior to receiving service from the server, if the server suspects it is currently under denial of service attack or its load exceeds a pre-defined threshold. Simply put, a guided tour puzzle is a tour that needs to be completed by taking multiple round-trips to a set of special nodes, called tour guides, in a sequential order. It is called a guided tour, because the order in which the tour guides are visited is unknown to the client, and each tour guide has to direct the client towards the next tour guide for the client to complete the tour in correct order. A single tour guide may appear multiple times in a tour, so the term stop is used to denote a single appearance of a tour guide in a tour. A client knows which tour guide is at the next stop, only after completing its visit to the current stop.

Solving a guided tour puzzle is essentially equal to completing a guided tour in the correct order. Starting from the first stop, the client contacts each stop and receives a reply. Each reply contains a unique token. The token in the reply message from the current stop is used for computing the address of the next stop tour guide. The address of the first stop tour guide is computed using the token contained in the server's first reply message that informs the client of the start of a puzzle process.

The client must send the token received from the current stop tour guide to the next stop tour guide, which will use it as an input to its token calculation function. The token received from the last stop tour guide plus the token from the server's puzzle message are sent to the server as the proof of completion of a tour. The server can efficiently validate these two tokens, and grants service to the client only after proving their validity.

Protocol Steps[edit]

Example of a guided tour puzzle when the number of tour guides is 2, and the tour length is 5. The order of the tour is: G1 -> G0 -> G1 -> G1 -> G0.

Before the guided tour puzzle can start, N tour guides has to be set up in the system, where N \ge 2. Meanwhile, the server establishes a shared secret k_{js} with each tour guide G_{j} using a secure channel, where 0\leq j<N. The server keeps a short-lived secret K_{s} for computing the first hash value that is returned to the client as part of a puzzle message. A puzzle message also contains the length of the tour L, which is used to control the difficulty of a guided tour puzzle. The figure shows an example of a guided tour when N=2 and L=5.

The details of the each protocol step of the guided tour puzzle protocol is explained in the following.[1]

  • Service request: A client x sends a service request to the server. If the server load is normal, the client's request is serviced as usual; if the server is overloaded, then it proceeds to the initial puzzle generation step.
  • Initial puzzle generation: the server replies to the client x with a puzzle message that informs the client to complete a guided tour. The puzzle message contains the length of the tour L and a hash value h_0. The server computes h_0 using the following formula:
h_{0} = hash(A_{x}\; ||\; L\; ||\; ts\; ||\; K_{s})
where, || means concatenation, A_{x} is the address (or any unique value) of the client x, ts is a coarse timestamp, and hash is a cryptographic hash function such as SHA-1.
  • Puzzle solving: A client computes the index of the tour guide at the l-th stop of its tour using the following formula:
S_{l}=(h_{l-1}\; mod\; N)
where, 0 < l \leq L. When contacted by a client x, a tour guide G_j computes a hash value h_{l} (0 < l \leq L) using the formula:
h_{l} = hash(h_{l-1}\; ||\; l\; ||\; L\; ||\; A_{x}\; ||\; ts\; ||\; k_{js})
where, l means the l-th stop of the client's tour, k_{js} is the shared key between the tour guide G_{j} and the server. After client x receives the server's reply message, it starts a guided tour by computing the index S_{1} of the first tour guide using formula for $S_l$. The client then sends a set of values (h_0, 1, L) to the tour guide G_{S_1}, where the second value denotes which stop of a tour the client is currently at. As a response, the client receives a hash value h_1 from the tour guide G_{S_1}, where h_1 is computed using the formula for h_l. The client x repeats this process L-1 more times and contacts the tour guides G_{S_2}, G_{S_3}, ..., G_{S_L}. The reply message from the last-stop tour guide G_{S_L} contains the last hash value h_L, and the client x sends (h_0,\; h_L) to the server as the puzzle answer.
  • Puzzle verification: when the server receives a request from client x with a puzzle answer (h'_{0}, h'_{L}) attached, it first checks to see if h'_{0} is equal to the h_{0} it computed using the formula for h_0. If so, the server computes h_L by repeatedly using the formula for h_l, and verifies that h'_{L} is equal to h_{L}. If both hash values are valid, the server allocates resources to process the client's request. Since the server knows the shared keys k_{1s}, k_{2s}, \dots, k_{Ns}, it can compute the chain of hashes h_1, h_2, ..., h_L without contacting any tour guide. A loose time synchronization between the server and tour guides is required in order to compute the same hash value at the server and tour guides.

Comparison to other puzzle protocols[edit]

CPU-bound computational puzzle protocols, such as the Client Puzzle Protocol, can mitigate the effect of denial of service attack, because the more an attacker wants to overwhelm the server, the more puzzles it has to compute, and the more computational resources of its own it needs to expend. However, due to the variation in the computational powers of clients, clients with strong computational power can solve puzzles at much higher rate than the destitute clients, and can unfairly take up most of the server resources.[1][2][3]

Another crucial shortcoming of computational puzzle protocols is that all clients, including all legitimate clients, are required to perform such CPU-intensive computations that do not contribute to any meaningful service or application.

Guided tour puzzle protocol enforces delay on the clients through round trip delays, so that clients' requests arrive at a rate that is sustainable by the server. The advantage of using round-trip delays, as opposed to hard computational problems, is that the round trip delay of a small packet is determined mostly by the processing delays, queuing delays, and propagation delays at the intermediate routers, therefore is beyond the control of end hosts (clients). As such, even an attacker with abundant computational resources cannot unfairly take advantage over poorly provisioned legitimate clients.

Furthermore, in guided tour puzzle protocol, the computation required for the client is trivial. Since the length of a guided tour is usually a small number in the order of tens or lower, the bandwidth overhead for completing a guided tour is also trivial. As a result, clients are not burdened with heavy computations that is usually required by CPU-bound or memory bound puzzle protocols.

See also[edit]


  1. ^ a b Mehmud Abliz and Taieb Znati. A Guided Tour Puzzle for Denial of Service Prevention. In Proceedings of the Annual Computer Security Applications Conference (ACSAC) 2009, pages 279-288, Honolulu, HI, Dec 2009.
  2. ^ Martin Abadi, Mike Burrows, Mark Manasse and Ted Wobber. Moderately Hard, Memory-bound Functions. In Proceedings of NDSS 2003, pages 25-39, 2003.
  3. ^ Cynthia Dwork, Andrew Goldberg, and Moni Naor. On Memory-Bound Functions for Fighting Spam. In Proceedings of CRYPTO 2003, pages 426-444, 2003.

External links[edit]