On Thu, 21 May 2020 10:47:07 +0200 Michał Górny <mgo...@gentoo.org> wrote:
> An alternative of using a proof-of-work algorithm was suggested to me > yesterday. The idea is that every submission has to be accompanied with > the result of some cumbersome calculation that can't be trivially run > in parallel or optimized out to dedicated hardware. If the proof of work mechanism was restricted to ID generation, then the amoritized cost would be acceptable. So instead of the ID being generated locally, you'd send a request asking for an ID, it would send you the challenge math, you'd send the answer, and then you'd get your ID. And their ID would be an encoded copy of their input vectors and responses, a random chunk, and chunk representing the signature of IV/RESPONSE/RAND. Or something like that. But the gist is it would be impossible to use ID's not generated by the server. Then the spam factor to monitor wouldn't be submission rates, it would be "New ID request" rates, as these should never be needed to be generated in large volumes. _And_ taking 5 minutes for ID generation wouldn't be a terrible thing. ( We could possibly collect anonymous stats on ID generation rates, and average times to generate a response to a challenge, and use that to determine what our challenge complexity should be )
pgpRtdZuRbfZX.pgp
Description: OpenPGP digital signature
