There are PoW algorithms specifically developed to resist GPU and ASIC. Typically they do this by being memory intensive instead of (or in addition to) being compute intensive.
Regardless, you need a device that’s more powerful than whatever the attacker is using.
The article says they target 1 minute solve times under load. If that’s 1 minute on a 5GHz, 64 core machine with 512GB ram, an A100 and an FPGA, then it’s going to be at least 5-15 minutes on your phone.
Also, the server farm can parallelize work across an arbitrary number of challenges, but legitimate users cannot.
Requiring regular users to compute PoW is a terrible idea. Actually it has the exact opposite effect. It will keep the attackers in, and the regular users out.
The problem is that we don't know how much is a cheap computation without first relying on a marketplace of computation and discovering the price. That marketplace of computation does exist, and it's called blockchain.
I think this just crowdsources the server’s load. Servers will certainly have to handle fewer requests thanks to PoW, at the expense of clients’s CPU time.
The upside is that the server does not go down, so at least some users will be able to access the website, compared to zero users
>The upside is that the server does not go down, so at least some users will be able to access the website, compared to zero users
Yes but the price is very important. Imagine you visit a country, and paid car rides, (i.e. taxis) cost one thousand dollars per hour. It might be the best ride you have ever taken, but it excludes 99.999% of the users due to price.
The problem is, it is impossible to figure out, how much computation is a cheap computation without first relying on a marketplace of computation and discover the price that way. The blockchain technology serves exactly that purpose. The producers of PoW, the miners, sell their PoW to consumers. Consumers bargain the price, by using it less when it's expensive, and more when it's cheap.
The blockchain logic states that:
"Requiring users to give proof of burnt energy -> good idea"
"Requiring users to burn energy themselves and then give proof of burnt energy -> terrible idea"
The article itself lacks details on what proof of work actually is - based on your answer I’m assuming compute rather than captcha. Is there any example algorithms that are easy to understand? I’m curious to see an algo that’s expensive for the client but cheap for the server to verify, I assume it involves reversing an equation or similar?
One of the most known compute based PoW algorithms is the one used by Bitcoin.
Basically it goes like this:
You are challenged to use some piece of data given to you, and to add some data to it, which will produce a hash with a given number of leading zeroes.
For example let’s say I challenge you to find a sha3 hash of (“response to codetrotter for comment 37255449 on HN” + any data of your choosing), with difficulty set to 3. Meaning that in order for me to accept the hash, it has to have at least three leading zeroes.
The higher the difficulty, the higher number of leading zeroes I ask for from you. Which in turn means it will take you more time to find. Because the only way to find a fitting hash is to try a bunch of different data until you find a fitting hash.
The neat thing is that while it takes a lot of time for you to find a matching hash, it is trivially simple for me to validate your claim when you’ve found a matching hash.
For this kind of PoW, people have developed software that runs on GPU faster than most CPU can do. And then they developed specialised hardware to be even faster - ASICs.
That in turn is where memory-based algorithms come into play. To make the people with GPUs and ASICs not have an advantage over others.
Edit: these are examples of CPU-bound PoW. But the general idea with PoW is that you have some hash-like function H() with no known inverse function such that the only feasible way to determine the output is just running the function. The client runs H(x) with a different input x every time. If the output is a high enough number, the server lets the client though.
The server runs H() to verify, and this is easy to parallelize. But in order to get through the server, the client must run H() many times on average.
Also server provides a salt to prevent the client from reusing their old hashes. And the server usually indicates how high the output of H() must be (this is called the difficulty).
> But the general idea with PoW is that you have some hash-like function H()
No; that's a particular PoW algorithm called Hashcash [1]. There are other, asymmetric ones, where PoW verification is different from a solution attempt, including the Equi-X PoW that ToR is implementing.
