Designing Proof of Human-Work Puzzles for Cryptocurrency and Beyond

  • Jeremiah BlockiEmail author
  • Hong-Sheng Zhou
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9986)


We introduce the novel notion of a Proof of Human-work (PoH) and present the first distributed consensus protocol from hard Artificial Intelligence problems. As the name suggests, a PoH is a proof that a human invested a moderate amount of effort to solve some challenge. A PoH puzzle should be moderately hard for a human to solve. However, a PoH puzzle must be hard for a computer to solve, including the computer that generated the puzzle, without sufficient assistance from a human. By contrast, CAPTCHAs are only difficult for other computers to solve — not for the computer that generated the puzzle. We also require that a PoH be publicly verifiable by a computer without any human assistance and without ever interacting with the agent who generated the proof of human-work. We show how to construct PoH puzzles from indistinguishability obfuscation and from CAPTCHAs. We motivate our ideas with two applications: HumanCoin and passwords. We use PoH puzzles to construct HumanCoin, the first cryptocurrency system with human miners. Second, we use proofs of human work to develop a password authentication scheme which provably protects users against offline attacks.


Hash Function Random Oracle Random Oracle Model Human Work Sybil Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The authors thank paper shepherd Peter Gaži for his very constructive feedback which helped us to improve the quality of the paper. In particular, we are thankful for his suggestions about formalizing security statements involving hard AI problems.

The authors also thank Andrew Miller, and the PC of ITCS 2016 and TCC 2016B for their helpful comments.


  1. 1.
    Andrychowicz, M., Dziembowski, S., Malinowski, D., Mazurek, L.: Secure multiparty computations on Bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 443–458. IEEE Computer Society Press, May 2014Google Scholar
  2. 2.
    Aspnes, J., Jackson, C., Krishnamurthy, A.: Exposing computationally-challenged Byzantine impostors. Technical report YALEU/DCS/TR-1332, Yale University Department of Computer Science, July 2005Google Scholar
  3. 3.
    Back, A.: Hashcash – a denial of service counter-measure (2002).
  4. 4.
    Barak, B., Bitansky, N., Canetti, R., Kalai, Y.T., Paneth, O., Sahai, A.: Obfuscation for evasive functions. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 26–51. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  5. 5.
    Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., Virza, M., Zerocash: decentralized anonymous payments from Bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press, May 2014Google Scholar
  6. 6.
    Ben-Sasson, E., Chiesa, A., Green, M., Tromer, E., Virza, M.: Secure sampling of public parameters for succinct zero knowledge proofs. In: 2015 IEEE Symposium on Security and Privacy, pp. 287–304. IEEE Computer Society Press, May 2015Google Scholar
  7. 7.
    Bentov, I., Kumaresan, R.: How to use Bitcoin to design fair protocols. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 421–439. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  8. 8.
    Bentov, I., Lee, C., Mizrahi, A., Rosenfeld, M.: Proof of activity: extending Bitcoins proof of work via proof of stake. In: Proceedings of the ACM SIGMETRICS 2014 Workshop on Economics of Networked Systems, NetEcon (2014)Google Scholar
  9. 9.
    Blocki, J., Blum, M., Datta, A.: GOTCHA password hackers! In: AISec 2013, Proceedings of the 2013 ACM Workshop on Artificial Intelligence and Security, pp. 25–34 (2013).
  10. 10.
    Blocki, J., Komanduri, S., Cranor, L.F., Datta, A.: Spaced repetition and mnemonics enable recall of multiple strong passwords. In: NDSS 2015. The Internet Society, February 2015Google Scholar
  11. 11.
    Blocki, J., Komanduri, S., Procaccia, A., Sheffet, O.: Optimizing password composition policies. In: Proceedings of the Fourteenth ACM Conference on Electronic Commerce, pp. 105–122. ACM (2013)Google Scholar
  12. 12.
    Blocki, J., Zhou, H.-S.: Designing proof of human-work puzzles for cryptocurrency and beyond. In: IACR Cryptology ePrint Archive 2016/145 (2016).
  13. 13.
    Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy, pp. 538–552. IEEE Computer Society Press, May 2012Google Scholar
  14. 14.
    Bonneau, J., Miller, A., Clark, J., Narayanan, A., Kroll, J.A., Felten, E.W.: SoK: research perspectives and challenges for Bitcoin and cryptocurrencies. In: 2015 IEEE Symposium on Security and Privacy, pp. 104–121. IEEE Computer Society Press, May 2015Google Scholar
  15. 15.
    Bonneau, J., Schechter, S.: Toward reliable storage of 56-bit keys in human memory. In: Proceedings of the 23rd USENIX Security Symposium, August 2014Google Scholar
  16. 16.
    Bursztein, E., Aigrain, J., Moscicki, A., Mitchell, J.C.: The end is nigh: generic solving of text-based captchas. In: 8th USENIX Workshop on Offensive Technologies (WOOT 2014), San Diego, CA, August 2014. USENIX Association (2014)Google Scholar
  17. 17.
    Bursztein, E., Bethard, S., Fabry, C., Mitchell, J.C., Jurafsky, D.: How good are humans at solving CAPTCHAs? A large scale evaluation. In: 2010 IEEE Symposium on Security and Privacy, pp. 399–413. IEEE Computer Society Press, May 2010Google Scholar
  18. 18.
    Canetti, R., Halevi, S., Steiner, M.: Mitigating dictionary attacks on password-protected local storage. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 160–179. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  19. 19.
    Chellapilla, K., Simard, P.Y.: Using machine learning to break visual human interaction proofs (HIPs). In: Neural Information Processing Systems (NIPS), pp. 265–272 (2004).
  20. 20.
    Douceur, J.R.: The Sybil attack. In: Druschel, P., Kaashoek, F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, pp. 251–260. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  21. 21.
    Dwork, C., Goldberg, A.V., Naor, M.: On memory-bound functions for fighting spam. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 426–444. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  22. 22.
    Dwork, C., Halpern, J.Y., Waarts, O.: Performing work efficiently in the presence of faults. SIAM J. Comput. 27(5), 1457–1491 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  24. 24.
    Dziembowski, S.: How to pair with a human. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 200–218. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  25. 25.
    Dziembowski, S., Faust, S., Kolmogorov, V., Pietrzak, K.: Proofs of space. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 585–605. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  26. 26.
    Elson, J., Douceur, J.R., Howell, J., Saul, J.: Asirra: a CAPTCHA that exploits interest-aligned manual image categorization. In: Ning, P., di Vimercati, S.D.C. Syverson, P.F. (eds.) ACM CCS 2007, pp. 366–374. ACM Press, October 2007Google Scholar
  27. 27.
    Eyal, I., Sirer, E.G.: Majority is not enough: Bitcoin mining is vulnerable. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 431–449. Springer, Heidelberg (2014)Google Scholar
  28. 28.
    Florêncio, D., Herley, C.: Where do security policies come from. In: Proceedings of SOUPS, p. 10 (2010)Google Scholar
  29. 29.
    Garay, J., Kiayias, A., Leonardos, N.: The Bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015)Google Scholar
  30. 30.
    Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press, October 2013Google Scholar
  31. 31.
    Goldwasser, S., Rothblum, G.N.: On best-possible obfuscation. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 194–213. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  32. 32.
    Hofheinz, D., Jager, T., Khurana, D., Sahai, A., Waters, B., Zhandry, M.: How to generate and use universal samplers. Cryptology ePrint Archive, Report 2014/507 (2014).
  33. 33.
    Hwang, K.-F., Huang, C.-C., You, G.-N.: A spelling based CAPTCHA system by using click. In: 2012 International Symposium on Biometrics and Security Technologies (ISBAST), pp. 1–8, March 2012Google Scholar
  34. 34.
    Kani, J., Nishigaki, M.: Gamified CAPTCHA. In: Marinos, L., Askoxylakis, I. (eds.) HAS 2013. LNCS, vol. 8030, pp. 39–48. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  35. 35.
    Khot, R.A., Srinathan, K.: iCAPTCHA: image tagging for free. In: Proceedings of Conference on Usable Software and Interface Design (2009)Google Scholar
  36. 36.
    Kiayias, A., Zhou, H.-S., Zikas, V.: Fair and robust multi-party computation using a global transaction ledger. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 705–734. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49896-5_25 CrossRefGoogle Scholar
  37. 37.
    Komanduri, S., Shay, R., Kelley, P., Mazurek, M., Bauer, L., Christin, N., Cranor, L., Egelman, S.: Of passwords, people: measuring the effect of password-composition policies. In: Proceedings of the Annual Conference on Human Factors in Computing Systems, pp. 2595–2604. ACM (2011)Google Scholar
  38. 38.
    Kosba, A., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: IEEE Symposium on Security and Privacy (2016)Google Scholar
  39. 39.
    Kumarasubramanian, A., Ostrovsky, R., Pandey, O., Wadia, A.: Cryptography using captcha puzzles. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 89–106. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  40. 40.
    Lamport, L., Shostak, R., Pease, M.: The byzantine generals problem. ACM Trans. Program. Lang. Syst. (TOPLAS) 4(3), 382–401 (1982)CrossRefzbMATHGoogle Scholar
  41. 41.
    Merkle, R.C.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988)Google Scholar
  42. 42.
    Miller, A., Kosba, A.E., Katz, J., Shi, E.: Nonoutsourceable scratch-off puzzles to discourage bitcoin mining coalitions. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 15, pp. 680–691. ACM Press, October 2015Google Scholar
  43. 43.
    Mori, G., Malik, J.: Recognizing objects in adversarial clutter: breaking a visual CAPTCHA. In: IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR), pp. 134–144 (2003)Google Scholar
  44. 44.
    Motoyama, M., Levchenko, K., Kanich, C., McCoy, D., Voelker, G.M., Savage, S.: Re: CAPTCHAs-understanding CAPTCHA-solving services in an economic context. In: 19th USENIX Security Symposium, Washington, DC, USA, 11–13 August 2010, Proceedings, pp. 435–462 (2010)Google Scholar
  45. 45.
    Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008).
  46. 46.
    Narayanan, A., Bonneau, J., Felten, E., Miller, A.: Bitcoin and Cryptocurrency Technology (online course) (2015).
  47. 47.
    Park, S., Pietrzak, K., Kwon, A., Alwen, J., Fuchsbauer, G., Gaži, P.: Spacemint: a cryptocurrency based on proofs of space. Cryptology ePrint Archive, Report 2015/528 (2015).
  48. 48.
    Pass, R., Seeman, L.: abhi shelat. Analysis of the blockchain protocol in asynchronous networks. In: Cryptology ePrint Archive, Report 2016/454 (2016).
  49. 49.
    Rogaway, P.: Formalizing human ignorance. In: Nguyên, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 211–228. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  50. 50.
    Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 475–484. ACM Press, May/June 2014Google Scholar
  51. 51.
    Sapirshtein, A., Sompolinsky, Y., Zohar, A.: Optimal selfish mining strategies in bitcoin. In: FC (2016).
  52. 52.
    Sauer, G., Hochheiser, H., Feng, J., Lazar, J.: Towards a universally usable CAPTCHA. In: Proceedings of the 4th Symposium on Usable Privacy and Security (2008)Google Scholar
  53. 53.
    Szabo, N.: Formalizing and securing relationships on public networks. In: First Monday (1997).
  54. 54.
    Tam, J., Simsa, J., Hyde, S., Von Ahn, L.: Breaking audio captchas. Advan. Neural Inf. Process. Syst. 1(4), 1625–1632 (2008)Google Scholar
  55. 55.
    Ahn, L., Blum, M., Hopper, N.J., Langford, J.: CAPTCHA: using hard AI problems for security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 294–311. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  56. 56.
    Von Ahn, L., Maurer, B., McMillen, C., Abraham, D., Blum, M.: reCAPTCHA: human-based character recognition via web security measures. Science 321(5895), 1465–1468 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  57. 57.
    Waters, B., Juels, A., Halderman, J.A., Felten, E.W.: New client puzzle outsourcing techniques for DoS resistance. In: Atluri, V., Pfitzmann, B., Mc-Daniel, P. (eds.) ACM CCS 2004, pp. 246–256. ACM Press, October (2004)Google Scholar
  58. 58.
    Wilkins, J.: Strong CAPTCHA guidelines v1.2. (2009).

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.Purdue UniversityWest LafayetteUSA
  2. 2.Virginia Commonwealth UniversityRichmondUSA

Personalised recommendations