Proof of Work

KayakNet uses Proof-of-Work (PoW) as an anti-Sybil mechanism to prevent attackers from creating many fake nodes.

What is Proof of Work?

PoW requires nodes to solve a computational puzzle before joining the network. This makes creating many identities expensive.

How It Works

Challenge-Response

New Node                    Existing Node
    │                             │
    │──────── Connect ───────────▶│
    │                             │
    │◀─────── Challenge ──────────│
    │   (random bytes, difficulty) │
    │                             │
    │   [Compute solution]        │
    │                             │
    │──────── Solution ──────────▶│
    │                             │
    │◀─────── Accepted ───────────│
    │   (join network)            │
    │                             │

The Puzzle

Find a nonce such that:

HASH(challenge || nonce) has D leading zero bits

Where:

challenge = Random 32 bytes from server
nonce = 64-bit number found by node
D = Difficulty (number of zero bits required)
HASH = BLAKE2b-256

Example

Challenge: 0x1234...abcd
Difficulty: 20 (20 leading zero bits)

Node tries:
  nonce=0: HASH = 0xf1a2... (0 zeros) ✗
  nonce=1: HASH = 0x8b3c... (0 zeros) ✗
  ...
  nonce=1485721: HASH = 0x00000f... (20 zeros) ✓

Solution found!

Configuration

Default Settings

Parameter

Value

Description

Difficulty

Leading zero bits

Timeout

60s

Max time to solve

Expiry

5min

Challenge validity

Adjusting Difficulty

# Lower difficulty (faster join, less protection)
./kayakd --pow-difficulty 16

# Higher difficulty (slower join, more protection)
./kayakd --pow-difficulty 24

Time to Solve

Difficulty

Average Time

Hardware

~100ms

Modern CPU

~500ms

Modern CPU

~10s

Modern CPU

~2min

Modern CPU

Security Properties

What PoW Prevents

Sybil Attacks - Creating many fake nodes is expensive
Spam - Sending many messages requires many nodes
Eclipse Attacks - Surrounding target needs many nodes

Cost Analysis

To create 1000 fake nodes:

Difficulty 20: ~500 seconds of CPU time
Difficulty 24: ~3 hours of CPU time
Plus electricity cost

What PoW Doesn't Prevent

Well-funded attackers - Can afford computation
Botnet operators - Free computing power
ASIC attacks - Specialized hardware

Implementation Details

Hash Function

Using BLAKE2b for:

Speed (faster than SHA-256)
Security (256-bit output)
ASIC resistance (memory-hard)

Nonce Search

func SolvePow(challenge []byte, difficulty int) uint64 {
    target := big.NewInt(1)
    target.Lsh(target, uint(256-difficulty))
    
    var nonce uint64
    for {
        data := append(challenge, uint64ToBytes(nonce)...)
        hash := blake2b.Sum256(data)
        
        if new(big.Int).SetBytes(hash[:]).Cmp(target) < 0 {
            return nonce
        }
        nonce++
    }
}

Verification

func VerifyPow(challenge []byte, nonce uint64, difficulty int) bool {
    data := append(challenge, uint64ToBytes(nonce)...)
    hash := blake2b.Sum256(data)
    
    // Check leading zeros
    leadingZeros := countLeadingZeros(hash[:])
    return leadingZeros >= difficulty
}

Challenge Management

Challenge Generation

func GenerateChallenge() []byte {
    challenge := make([]byte, 32)
    rand.Read(challenge)
    return challenge
}

Challenge Storage

Challenges are stored with:

Timestamp (for expiry)
Node public key (to prevent reuse)
One-time use flag

Rate Limiting

Additional protection:

Max 5 challenges per IP per minute
Failed attempts increase cooldown
IP banning for excessive failures

Alternatives Considered

Why Not Proof of Stake?

Requires cryptocurrency
Complexity for users
Chicken-egg problem

Why Not CAPTCHA?

Requires human interaction
Not automatable
Centralized verification

Why Not Trust on First Use?

Initial join could be Sybil
No cost to create nodes
Easy to abuse

Future Improvements

Planned

Adaptive Difficulty - Adjust based on network size
Memory-Hard PoW - Better ASIC resistance
Stake + PoW - Hybrid approach

Research

Proof of Space-Time
VDF (Verifiable Delay Functions)
Social trust graphs

PreviousTraffic Analysis Resistance NextThreat Model

Last updated 2 hours ago

Good afternoon

hashtagWhat is Proof of Work?

hashtagHow It Works

hashtagChallenge-Response

hashtagThe Puzzle

hashtagExample

hashtagConfiguration

hashtagDefault Settings

hashtagAdjusting Difficulty

hashtagTime to Solve

hashtagSecurity Properties

hashtagWhat PoW Prevents

hashtagCost Analysis

hashtagWhat PoW Doesn't Prevent

hashtagImplementation Details

hashtagHash Function

hashtagNonce Search

hashtagVerification

hashtagChallenge Management

hashtagChallenge Generation

hashtagChallenge Storage

hashtagRate Limiting

hashtagAlternatives Considered

hashtagWhy Not Proof of Stake?

hashtagWhy Not CAPTCHA?

hashtagWhy Not Trust on First Use?

hashtagFuture Improvements

hashtagPlanned

hashtagResearch

What is Proof of Work?

How It Works

Challenge-Response

The Puzzle

Example

Configuration

Default Settings

Adjusting Difficulty

Time to Solve

Security Properties

What PoW Prevents

Cost Analysis

What PoW Doesn't Prevent

Implementation Details

Hash Function

Nonce Search

Verification

Challenge Management

Challenge Generation

Challenge Storage

Rate Limiting

Alternatives Considered

Why Not Proof of Stake?

Why Not CAPTCHA?

Why Not Trust on First Use?

Future Improvements

Planned

Research