To: email@example.com Subject: RPOW - Reusable Proofs of Work Date: Sun, 15 Aug 2004 10:43:09 -0700 (PDT) From: hal at finney dot org ("Hal Finney")
I'd like to invite members of this list to try out my new hashcash-based server, rpow.net.
This system receives hashcash as a Proof of Work (POW) token, and in exchange creates RSA-signed tokens which I call Reusable Proof of Work (RPOW) tokens.
RPOWs can then be transferred from person to person and exchanged for new RPOWs at each step. Each RPOW or POW token can only be used once but since it gives birth to a new one, it is as though the same token can be handed from person to person.
Because RPOWs are only created from equal-value POWs or RPOWs, they are as rare and "valuable" as the hashcash that was used to create them. But they are reusable, unlike hashcash.
The new concept in the server is the security model. The RPOW server is running on a high-security processor card, the IBM 4758 Secure Cryptographic Coprocessor, validated to FIPS-140 level 4.
This card has the capability to deliver a signed attestation of the software configuration on the board, which any (sufficiently motivated) user can verify against the published source code of the system.
This lets everyone see that the system has no back doors and will only create RPOW tokens when supplied with POW/RPOW tokens of equal value.
This is what creates trust in RPOWs as actually embodying their claimed values, the knowledge that they were in fact created based on an equal value POW (hashcash) token.
I have a lot more information about the system at rpow.net, along with downloadable source code.
There is also a crude web interface which lets you exchange POWs for RPOWs without downloading the client.
This system is in early beta right now so I'd appreciate any feedback if anyone has a chance to try it out. Please keep in mind that if there are problems I may need to reload the server code, which will invalidate any RPOW tokens which people have previously created. So don't go too crazy hoarding up RPOWs quite yet.
Thanks very much -
(The RPOW project is now terminated. These pages are maintained for historical purposes.)
The RPOW system provides for proof of work (POW) tokens to be reused.
A POW token is something that takes a relatively long time to compute but which can be checked quickly.
RPOW uses hashcash, which are values whose SHA-1 hashes have many high bits of zeros.
Normally POW tokens can't be reused because that would allow them to be double-spent.
But RPOW allows for a limited form of reuse: sequential reuse. This lets a POW token be used once, then exchanged for a new one, which can again be used once, then once more exchanged, etc.
This approach makes POW tokens more practical for many purposes and allows the effective cost of a POW token to be raised while still allowing systems to use them effectively.
This is useful functionality, but the unique feature of the RPOW system is its approach to security.
RPOW is the first public implementation of a server designed to allow users throughout the world to verify its correctness and integrity in real time.
Based on principles similar to those proposed for so-called "Trusted Computing", RPOW allows third parties to dynamically and remotely verify what program is running on the RPOW server.
The RPOW server is implemented on a high-quality secure processor, the IBM 4758 PCI Cryptographic Coprocessor, which has been validated to the highest level of security publicly available, FIPS-140 level 4.
The 4758 is a self-contained single-board computer which has its own device key, generated on-board, which never leaves the card. That key can issue cryptographically signed attestations which describe the software configuration running on the card, including the SHA-1 hash of the application program.
The source code to the RPOW server is available from the download page.
Using publicly available tools, anyone can build from this source code a memory image identical to that running on the RPOW server.
If the SHA-1 hash of this file matches that being reported by the 4758 device key, the user can conclude that the supplied source code is what is actually running on the 4758.
By inspecting the source code he can then make sure there are no "back doors" or loopholes that would allow the owner/operator or designer of the system to defeat its security, for example by creating RPOW tokens without doing the required work.
Allowing clients to dynamically validate the security of a server turns the concept of Trusted Computing on its head.
Rather than a threat to individual privacy, the technology becomes a boon to privacy and an empowering force for end users on the net.
Security researcher Nick Szabo has coined the term bit gold for information objects which are provably costly to create.
He suggests that these could even serve as the foundation for a sort of payment system, playing the role in the informational world of gold in the physical world.
RPOW would facilitate the use of POW tokens as a form of bit gold by allowing the tokens to be passed and exchanged from person to person.
POW tokens have been proposed as a form of pseudo-payment in several applications.
One example is email. An email message containing a POW token would be relatively costly to send in terms of computing power. A POW token could then be a sign that the message was not spam.
Using RPOW tokens for email would have advantages, as people could then reuse tokens from incoming email in outgoing email.
Spammers will have no such advantages since almost all of their email is outgoing.
Reuse allows the cost of the POW token to be much higher since most people won't have to generate them, making the system more effective as an anti spam measure.
The RPOW system is just the first of what are planned as a series of systems which use this approach, which I call Transparent Servers.
Such systems publish their source code for review and inspection, and use Trusted Computing-like features to prove that they are running the program generated by that code.
This will provide an unprecedented level of transparency and visibility into the workings of network servers.
Perhaps most importantly, the use of transparency can actually increase end-user privacy.
For the first time, users will be able to verify how network servers will handle sensitive information they provide.
In the case of the RPOW server, users can see that the program makes no record of transactions and creates no linkage between the RPOW issued in one exchange with the same RPOW when it is later deposited, thereby protecting privacy.
In addition, the basic security goal of the system, that it will never issue RPOWs without receiving a POW or RPOW of equal value, can be independently verified.
Not even the owner of the RPOW server can break these rules.
For more information on the techniques used to provide these new and previously unavailable assurances, see the security page.