A note on the security of equihash

Leo Alcock, Ling Ren

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Proof-of-work (PoW) has recently become the backbone of cryptocurrencies. However, users with Application Specific Integrated Circuits (ASICs) can produce PoW solutions at orders of magnitude lower cost than typical CPU/GPU users. Memory-hard PoWs, i.e., PoW schemes that require a lot of memory to generate proofs, have been proposed as a way to reduce the advantage of ASIC-equipped users. Equihash is a recent memory-hard PoW proposal adopted by the cryptocurrency Zcash. Its simplicity, compact proof size, and tunable parameters make it a good candidate for practical protocols. However, we find its security analysis and claims are flawed. Most importantly, we refute Equihash's claim that its security is based on Wagner's algorithm for the generalized birthday problem. Furthermore, no tradeoff-resistance bound is known for Equihash, and its analysis of the expected number of solutions is incorrect. Our findings do not expose any immediate threat to Equihash. The main purpose of this short note is to raise awareness that Equihash should be considered a heuristic scheme with no formally proven security guarantees.

Original language: English (US)
Title of host publication: CCSW 2017 - Proceedings of the 2017 Cloud Computing Security Workshop, co-located with CCS 2017
Publisher: Association for Computing Machinery, Inc
Pages: 51-55
Number of pages: 5
ISBN (Electronic): 9781450353939
DOIs
State: Published - Nov 3 2017
Externally published: Yes
Event: 8th ACM Cloud Computing Security Workshop, CCSW 2017 - Dallas, United States
Duration: Nov 3 2017 → …

Publication series

Name: CCSW 2017 - Proceedings of the 2017 Cloud Computing Security Workshop, co-located with CCS 2017

Conference

Conference: 8th ACM Cloud Computing Security Workshop, CCSW 2017
Country: United States
City: Dallas
Period: 11/3/17 → …

ASJC Scopus subject areas

  • Computer Networks and Communications
