# ASIC-Resistant Proof of Work based on Power Analysis of Low-end Microcontrollers

No Author Given

No Institute Given

Abstract. Application-Specific Integrated Circuit (ASIC)-resistant Proof-of-Work (PoW) is widely adopted in modern cryptocurrency. ASIC-resistant PoW is designed, through its special features, to run inefficiently on ASICs. In this paper, we introduce, for the first time, a novel ASIC-resistant PoW for low-end microcontrollers. We utilize the power trace measured while the cryptographic function runs on certain input values. Afterward, a post-processing routine is performed on the power trace to remove the noise. The refined power trace is constant for given input values. By performing the hash function with the power trace, the final output is obtained. This framework works efficiently on microcontrollers, and the power trace depends on the input values, so it cannot be predicted or computed by an ASIC.

**Keywords:** ASIC-Resistant  $\cdot$  Proof of Work  $\cdot$  Power Analysis  $\cdot$  Microcontroller  $\cdot$  Blockchain.

## 1 Introduction

Modern cryptocurrencies, such as Bitcoin, Ethereum, and Monero, use the Proof of Work (PoW) consensus algorithm to ensure the integrity of blocks [1–3]. The work must be hard on the requester side, while it should be easy for the service provider. Bitcoin utilized the hash function to satisfy the special condition. The hash function can be efficiently computed on an Application-Specific Integrated Circuit (ASIC). Since the ASIC is designed for PoW, the consensus is dominated by ASIC machines, which threatens the decentralization of the blockchain network (i.e. Bitcoin). In order to overcome the domination of ASIC machines on the consensus, modern cryptocurrencies use multi-hash PoW, memory-hard PoW, and programmatic PoW. Since the ASIC is a targeted chip, an irregular pattern can lead to inefficient computation on ASIC.

In this paper, we present a new technique to prevent mining monopoly caused by special mining devices, such as ASIC and FPGA. The proposed method allows anyone to work by running a cryptographic module on a microcontroller. In the microcontroller, the power trace generated during the execution of the crypto-module shows different values depending on the input parameters. With this unique power trace, the PoW consensus is performed with the ASIC-resistance feature.

#### 1.1 Research Contributions

- **Novel ASIC-resistant proof of work based on power analysis** Previous ASIC-resistant PoW methods are based on multi-hash, memory-hard, and programmatic approaches. The proposed method presents the first ASIC-resistant PoW based on power analysis. The power trace during cryptographic encryption (e.g. AES) on the microcontroller is utilized as the source of PoW. Since the power trace depends on the target microcontroller, the cryptographic encryption, and the input values, the proposed PoW cannot be emulated by ASIC and FPGA. For this reason, we achieved the ASIC-resistant feature.
- **Post-processing for noise elimination** The raw power trace contains noise. Small noise can significantly alter the result of cryptographic operations. In order to filter out the noise from the raw power trace, a Fast Fourier Transform (FFT) is performed. This method efficiently removes the high-frequency components. After the post-processing, the refined information is used as a source for PoW.
- **In-depth analysis of novel PoW based on various block ciphers** The performance is evaluated on a microcontroller. We perform the experiment with various block ciphers. The result shows that the novel PoW works on all block ciphers without difficulty.
- **Low cost and low power consumption** Existing ASIC-resistance algorithms target commercial computers. The proposed method is efficient on low-cost microcontrollers used in IoT. The low cost and low power consumption of embedded processors can contribute to the decentralization of virtual currency by reducing the accessibility of miners.

The paper is organized as follows. In Section 2, the background of ASIC-resistance PoW algorithm and power analysis is described. In Section 3, the proposed technique is described. In Section 4 the evaluation of PoW method is given. Section 5 concludes the paper.

## 2 Related Works

#### 2.1 Proof-of-Work

Since 1992, many PoW-based applications have been developed to resolve many real-world problems. In [4], the PoW technique was utilized to block junk emails by requiring the sender to compute some function of the message. Similarly, the PoW technique was applied to uncheatable benchmarks, metering of web-site accesses, lottery schemes, and PoW puzzles [5–9].

In 1993, the first PoW algorithm was suggested by Cynthia and Moni [10]. Afterward, PoW method was applied to Bitcoin in 2009 [1]. In order to add a new block in Bitcoin, the value using SHA-256 must be smaller than the target difficulty. The Bitcoin is one of the most popular and successful hashcash, which was ideated in 1997 and detailed in 2002 [11].

The primitive function of hashcash is a hash function. A number of hash functions are employed by modern cryptocurrencies to improve both performance and security. SHA-256 was designed in 2001 by the NSA and chosen by NIST as a U.S. FIPS. SHA-256 generates a 256-bit output and is used in Bitcoin and Bitcoin Cash. Ethash is the hash function for the Ethereum consensus protocol. The hash function is a combination of the Keccak, Hashimoto, and Dagger algorithms to ensure ASIC resistance [12–14]. Scrypt is a password-based key-derivation function, which uses a larger amount of memory than others [15]. The memory-hardness ensures the ASIC-resistant feature. The hash function is used in Litecoin. A random memory access based protocol, namely Cryptonote, is used in the CryptoNight PoW algorithm for Monero [16]. The details of ASIC-resistant PoW are covered in Section 2.2.

The hashcash-based PoW is efficient and easy to implement on any platform. However, the scheme requires huge computational power to generate a valid block. According to [17], Bitcoin miners consume 0.33% of the world's electricity. In order to save the wasted electricity, PoW variants that yield useful results as part of consensus were presented (i.e. Bread Pudding Protocols). One example is solving scientific problems. In 2013, a PoW protocol for Cunningham chains of primes was proposed [18]. Furthermore, a PoW protocol was also designed for other problems such as DNA and RNA sequencing. Alternatively, MicroMint and data handling have also been actively investigated [19, 20].

In the PoW protocol, the miner first solves the problem and then broadcasts the new block. When the block is valid, the miner receives a certain reward. With the above principle, the protocol constructs huge distributed networks under trust. However, unexpected conditions can lead to trouble. In order to resolve this issue, there are certain criteria to select the fork block. First, the oldest fork block is selected. Second, the longest fork block is selected. Third, the chain with the greatest amount of computational power spent is selected [21].

As PoW is widely used in practice, a number of attacks have been performed on it. The most well-known attack on blockchains with the PoW protocol is the 51% attack. This attack can be triggered when a malicious user controls more than half of the network's computing power. This attack occurred in 2018 for BTC Gold and ZenCash [22]. Moreover, a number of attacks on the PoW protocol, such as selfish mining attacks, network-level attacks, pool-related attacks, and goldfinger attacks, have been investigated [23–26].

As explored above, blockchain technology with the PoW protocol has many new features together with many open problems. In this paper, we focus on ASIC-resistant PoW for the low-end Internet of Things.

#### 2.2 ASIC-Resistant PoW

Recently, Application-Specific Integrated Circuits (ASICs) designed for PoW calculation dominate consensus, threatening the decentralization of blockchain. In order to prevent the ASIC approach, the ASIC-resistant PoW algorithm was introduced.

**Multi-hash PoW** Multi-hash PoW achieves ASIC immunity by using multiple hashing functions linked together in successive steps to resolve the dependency on a single hashing function, one of the weaknesses of the PoW algorithm. These include Quarkcoin<sup>1</sup> and LYRA2RE<sup>2</sup>. However, the multiple hash PoW mechanism is not sufficient to prevent ASIC-based mining. The ASIC resistance is analyzed by implementing a multi-hash PoW in a field-programmable gate array (FPGA). As a result, the multi-hash PoW showed ASIC resistance at a level similar to the PoW mechanism that could not block the ASIC.

**Memory-hard PoW** A memory-hard PoW is a PoW in which the prover uses a large amount of memory for the proof, while the verifier uses a small amount of memory and time to verify the work. With this bound, it makes no sense to use ASICs to speed up computation. Ethereum's Ethash<sup>3</sup> and CryptoNight [16] are memory-hard PoWs. However, an ASIC system targeting such a memory-hard PoW algorithm was also introduced.

**Memory-bound PoW** Memory-bound PoW [27–29] traverses a random path on a large table of random numbers, making multiple memory accesses. Memory-bound PoWs have the risk of having a memory access pattern in cryptographic hashing, and have the disadvantage of having to send a large random table between the attestor and the verifier over the network [30].

**Programmatic PoW** Programmatic PoW is a new way to increase the versatility of calculation by executing arbitrary code. A randomly generated program [31, 32] can be part of the operation. It is impractical to build special hardware modules that target each computational task. Therefore, ASICs perform worse than general-purpose computers on random programs. RandomX utilizes this approach<sup>4</sup>.

#### 2.3 Power Analysis and Its New Applications

Side-channel analysis is an attack technique that identifies confidential information from side information [33]. The known power consumption and the dependencies of the executed code can be used as techniques for determining the similarity of code [34]. In [35], IP protection through similar power traces is suggested. According to previous works, the power trace can be utilized for identification of the target program. Motivated by these previous works, we present a novel PoW method based on the power trace.

<sup>1</sup> http://www.quarkcoins.com

<sup>2</sup> https://en.bitcoinwiki.org/wiki/Lyra2RE

<sup>3</sup> https://github.com/ethereum/wiki/wiki/Ethash

<sup>4</sup> https://github.com/tevador/RandomX



Fig. 1. Working flow of proposed Proof of Work

## 3 Proposed Method

Special mining devices, such as ASIC and FPGA, hinder the safety of the blockchain network, which decreases the participation rates and increases entry barriers. The proposed technique attempts to solve the problem by utilizing the power trace of microcontrollers during the cryptography function to ensure the ASIC-resistant PoW. The main idea is based on the PoW of Bitcoin and the source code classification by analyzing power traces [34, 35].

#### Algorithm 1 Proposed PoW algorithm

```
1: procedure Proposed_PoW(Block)
2:     do
3:         Block.header.nonce ← Block.header.nonce + 1
4:         AES256.key ← SHA256(Block.header)
5:         AES256.text ← Block.header.nonce
6:         Block.header.trace ← PowerCapture(AES256)
7:         Block.header.trace ← PostProcessor(Block.header.trace)
8:         Block.header ← Block.header + Block.header.trace
9:         H ← SHA256(Block.header)
10:    while H ≥ Target
11:    return Block
12: end procedure
```

The working flow of the proposed method is described in Figure 1. First, the block header information is filled with the version, previous blockhash, merklehash, time, bits, and nonce. Afterward, the hash function (e.g. SHA-256) is performed on the block header. The output is used as the key value of the encryption module (e.g. AES). For the text part, the nonce is utilized. With these input values, the encryption module is executed on the target microcontroller. By performing the encryption, the microcontroller generates certain power traces. These power traces may contain noise. In order to remove the noise, post-processing is performed on them. Then the refined power trace and the block header are added together. The output of the addition is used as the input value of the hash function (e.g. SHA-256). Finally, the evaluator checks whether the output of the hash function meets the target value. If it satisfies the target value, a valid block is generated. Otherwise, the nonce increases and the routine is performed again. Detailed descriptions of the proposed PoW method are given in Algorithm 1. In Step 3, the nonce value is updated. In Steps 4 and 5, the output of SHA-256 on the block header and the nonce are used as the key and text of the AES-256 encryption, respectively. In Steps 6 and 7, the power consumption is measured and post-processed. In Step 8, the block header and the power trace are added together. Finally, the information is used for the generation of the target value. If the value is lower than the target, the block is generated successfully. Otherwise, the computation is performed again after increasing the nonce value.

#### 3.1 Power trace based Proof of Work

This section describes the power trace based Proof of Work. The benefit of each step is discussed in detail.

**Collection of power trace from microcontrollers** In this step, AES-256 encryption is performed with the key and nonce. The output power trace is stored in the block header. We ensure that the output power trace contains the key and nonce information, since the power trace varies depending on the input and the algorithm. The power trace is post-processed and then used as the input value of the hash function (i.e. SHA-256). Since the power trace information is unique, the hash function cannot be performed without the previous steps. This is the main purpose of forcing the use of the microcontroller to generate the power trace through the above steps.

**Features of power consumption trace** The power trace produced by operating the microcontroller exhibits different characteristics depending on the program being operated with certain input values. This feature indicates that the output trace is different for each active program and, even if the same program is operated, different output power traces are generated according to the input values of the active program. This unique characteristic of power consumption is utilized to prove the work. It prevents an attacker from entering an arbitrary trace, without changing or executing the code, to perform high-speed mining.

**Post-Processing for noise filtering** The trace of power consumption from the microcontroller may contain noise. To prevent false positives due to noise, a Fast Fourier Transform (FFT) is applied to filter noise from the power trace.



Fig. 2. Power consumption traces (top) with noise and (bottom) without noise.

FFT is applied to the acquired power trace to remove the high-frequency components, and the result is then converted back from the frequency domain to a signal. Power traces with noise and without noise are displayed at the top and bottom of Figure 2, respectively. The power trace with noise shows more clear information than the one without.

**High entropy for input value** The proposed PoW generates the block depending on a valid input value. With the input value, the AES-256 encryption is performed on the microcontroller. The AES-256 cipher uses 32-byte keys and 16-byte plaintext, respectively. The key uses the hash (i.e. SHA-256) value of the block header. The plaintext is a 16-byte nonce value. The complexity of key and plaintext is 2<sup>384</sup> since key and plaintext are 256-bit and 128-bit, respectively. For this reason, it is impossible to perform a brute-force attack or build a table through pre-computation in advance. Since the block header contains a nonce, the key changes whenever the nonce value changes. The key has randomness due to the hash function. This randomness does not allow the attacker to operate the microcontroller in advance to generate a power consumption trace. Since the power consumption trace is output differently depending on the function and input value operated by the microcontroller, it is difficult to predict the power trace value.

**Finding the target with hash function** In the PoW of Bitcoin, the hash value of a block is generated by combining the creation time, version, bit, root hash, hash of the previous block, and a temporary value called the nonce. If the newly created hash value is smaller than a certain target value, a new block is created and connected to the existing blockchain network. In the proposed method, the block generation time, version, bit, root hash, previous block hash, nonce, and power consumption trace are combined together to generate the block hash value. This step is used to ensure that the unique power trace is unpredictable.

**Verification with power trace** Blocks created in the blockchain are propagated to other nodes, which verify whether the hash values match to a certain level. In the proposed method, the power consumption trace is checked in addition to the existing method to verify that the creator of the block worked on the microcontroller with the correct code and input values.



Fig. 3. Comparison of correlation coefficient for power traces (left) without post-processing and (right) with post-processing.

**Trace verification** Even if the same program code and input value are used in the microcontroller, the power trace does not appear the same, due to the noise generated during collection. Therefore, simply comparing the values of the power consumption trace cannot confirm whether the power consumption trace uses the same code and input value. For this reason, filtering with FFT is performed on the power trace to remove the noise. Afterward, traces of the same input values are characterized by a high correlation coefficient compared to other input values. In Figure 3, the distribution of the correlation coefficient is narrow for the same input value when FFT is applied to the power trace. This experiment confirmed that filtering with the FFT function works properly. Differences in correlation coefficients are confirmed during experiments. Detailed descriptions of the proposed trace verification method are given in Algorithm 2. In Step 2, the power trace is captured during the AES256 encryption. In Step 3, the power trace is post-processed. In Step 4, the correlation coefficient between the refined power trace and the valid power trace is calculated. In Steps 5–8, the correlation is compared with a certain threshold. If the value is over the threshold, the verification is confirmed.

#### Algorithm 2 Power Consumption Trace Verification algorithm

```
1: procedure Trace_Verification(key, nonce, valid_trace)
2:     trace ← Power_capture(AES256(key, nonce))
3:     refined_trace ← Post_processing(trace)
4:     col ← Correlation_coefficient(refined_trace, valid_trace)
5:     if col > Threshold then
6:         return True
7:     end if
8:     return False
9: end procedure
```

**Power trace based verification process** First, the cryptographic program works on the microcontroller using the key and nonce values stored in block values. During the execution, the power consumption trace is generated and captured. The power consumption trace is then filtered using the FFT function. Afterward, the correlation coefficient between the filtered trace and the valid trace is calculated. If the value exceeds the threshold, the verification is confirmed. This is a novel approach to utilize the power trace for verification.
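The following Python sketch is an added example, not the authors' code: it runs Algorithm 1 and Algorithm 2 end to end with a simulated capture. Assumptions: `power_capture` replaces the measurement hardware with a toy Hamming-weight leakage model of `key XOR text` plus Gaussian noise (no AES is executed), the header is only previous hash plus nonce, and the cutoff, noise level and 0.9 threshold are illustrative values chosen for this model.

```python
import cmath
import hashlib
import math
import random
import struct

N_SAMPLES = 256     # samples per trace; power of two for the radix-2 FFT
CUTOFF = 32         # assumed low-pass cutoff: keep FFT bins 0..CUTOFF
THRESHOLD = 0.9     # assumed acceptance threshold for this toy leakage model
NOISE_SIGMA = 0.3   # assumed measurement noise (standard deviation)

def fft(x):
    """Recursive radix-2 FFT of a list whose length is a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    tw = [cmath.exp(-2j * math.pi * k / n) * odd[k] for k in range(n // 2)]
    return ([even[k] + tw[k] for k in range(n // 2)]
            + [even[k] - tw[k] for k in range(n // 2)])

def post_process(trace, cutoff=CUTOFF):
    """PostProcessor: zero every bin above the cutoff, then inverse FFT."""
    n = len(trace)
    spec = fft([complex(v) for v in trace])
    kept = [c if min(k, n - k) <= cutoff else 0j for k, c in enumerate(spec)]
    # Inverse FFT via ifft(X) = conj(fft(conj(X))) / n; the result is real.
    return [v.real / n for v in fft([c.conjugate() for c in kept])]

def pearson(a, b):
    """Correlation coefficient used to compare two refined traces."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    var_a = sum((x - ma) ** 2 for x in a)
    var_b = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(var_a * var_b)

def power_capture(key, text, rng):
    """Simulated PowerCapture (assumption): each of the 32 key bytes leaks the
    Hamming weight of key[j] ^ text[j % 16] for 8 samples, plus noise."""
    hold = N_SAMPLES // len(key)
    trace = []
    for j, kb in enumerate(key):
        hw = bin(kb ^ text[j % len(text)]).count("1")
        trace += [hw + rng.gauss(0, NOISE_SIGMA) for _ in range(hold)]
    return trace

def aes_inputs(prev_hash, nonce):
    """Steps 4-5 of Algorithm 1: key = SHA256(header), text = nonce."""
    text = nonce.to_bytes(16, "big")
    header = prev_hash + text            # toy header: previous hash + nonce
    return header, hashlib.sha256(header).digest(), text

def encode(trace):
    """Quantise a refined trace to int16 so it can be stored and hashed."""
    return struct.pack(f"<{len(trace)}h", *(round(v * 1000) for v in trace))

def decode(blob):
    return [v / 1000 for v in struct.unpack(f"<{len(blob) // 2}h", blob)]

def block_hash(header, trace_blob):
    """Steps 8-9: hash the header together with the refined trace."""
    return int.from_bytes(hashlib.sha256(header + trace_blob).digest(), "big")

def mine(prev_hash, target, rng, max_tries=10_000):
    """Algorithm 1: repeat until the hash falls below the target."""
    for nonce in range(1, max_tries + 1):
        header, key, text = aes_inputs(prev_hash, nonce)
        blob = encode(post_process(power_capture(key, text, rng)))
        if block_hash(header, blob) < target:
            return {"prev": prev_hash, "nonce": nonce, "trace": blob}
    raise RuntimeError("no block found within max_tries")

def trace_correlation(block, rng):
    """Algorithm 2, steps 2-4: re-measure on the verifier's own device."""
    _, key, text = aes_inputs(block["prev"], block["nonce"])
    own = post_process(power_capture(key, text, rng))
    return pearson(own, decode(block["trace"]))

def verify(block, target, rng):
    """Accept only if the hash meets the target and the trace correlates."""
    header, _, _ = aes_inputs(block["prev"], block["nonce"])
    if len(block["trace"]) != 2 * N_SAMPLES:
        return False
    if block_hash(header, block["trace"]) >= target:
        return False
    return trace_correlation(block, rng) > THRESHOLD

if __name__ == "__main__":
    target = 1 << 252                    # easy demo target: about 1 in 16
    block = mine(b"\x00" * 32, target, random.Random(1))
    print("nonce", block["nonce"], verify(block, target, random.Random(2)))
    reused = dict(block, nonce=block["nonce"] + 1)   # same trace, other nonce
    print(round(trace_correlation(reused, random.Random(3)), 3))
```

The verifier's capture uses its own noise source, so acceptance rests on correlation rather than byte equality of traces. A stored trace copied to another nonce fails the correlation step whether or not its hash happens to meet the target.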

#### 3.2 Advantages of the proposed method

This section shows that the proposed technique described above faithfully satisfies the requirements of the PoW technique. In particular, it describes how it solves the problem, unlike the previously known methods.

**PoW requirements** PoW is designed to prevent blockchain network attacks such as the Sybil attack. There are several requirements to achieve a safe PoW. The PoW should be difficult to prove. However, the verification should be an easy problem for provers. Bitcoin uses a hash to satisfy these requirements. However, Bitcoin is vulnerable to ASIC attack. The proposed method satisfies asymmetry by using the same hash function. PoW should be impossible to optimize depending on certain conditions. If someone finds an optimization method, they will take advantage of it. This creates the centralization problem of the blockchain network. Bitcoin is a cryptocurrency that is difficult for ordinary miners to participate in, since miners such as ASICs can perform fast SHA256 calculations.

**ASIC resistance** Previous methods can be optimized with ASICs. In the proposed method, the step of using the designated code in the microcontroller must be performed, because a verification step is added that checks that the microcontroller ran the same code and input value. Therefore, ASIC is meaningless in our scenario because optimization with ASIC is impossible. Since the output power consumption trace information is used as the input value of the hash calculation (SHA-256), hash calculation using parallel processing is impossible. Due to these non-optimization and parallelism constraints, the proposed method achieves ASIC resistance.

**Operation time** The execution time of the proposed proof of work on the microcontroller is the number of iterations multiplied by the sum of the cryptographic module execution time and the hash operation time. Since the number of repetitions cannot be adjusted, the execution time of the cryptographic module in the microcontroller is fixed. Since parallel operation is impossible, the only way to reduce execution time is to compute the hash algorithm quickly on the microcontroller. However, the computation speed cannot be enhanced, because the target microcontroller has certain resource-constrained features. Therefore, it is expected that miners will use a general-purpose microcontroller capable of hashing at an appropriate speed because there is no reason to purchase special mining equipment at a high cost.

**Flexibility of encryption module on microcontrollers** The encryption module operated by the microcontroller is changeable. The reason for using the AES-256 encryption module is that it is an international standard. Furthermore, if the input value is the same, the intermediate value and the output value are the same. With this feature, the power consumption trace can be verified. The proposed method uses AES-256 in the microcontroller, but other block ciphers can be used for this function if they have good cryptographic features and efficiency.

**Using low-end processors** The existing ASIC-resistance algorithms work efficiently on commercial computers. Because the operation of commercial computers can be implemented in ASIC, existing methods rely on predictions that the cost of development will be higher than the performance improvements when the algorithms are run on ASIC. However, due to the unique nature of the power waveform, the proposed method requires computation at the corresponding microcontroller. Therefore, it is impossible to implement in ASIC. In the proposed technique, several devices can be used to compute the hash. This hashing operation takes place after the operation in the microcontroller in the previous phase, so even if the hashing operation runs quickly, it does not achieve much efficiency. Therefore, this hash operation is efficient when using embedded controllers. Table 1 shows the difference. Assuming that the microcontroller measuring the power consumption and the device performing the hash operation perform the same task, operation on another device is not more efficient than operation on the controller used by the low-end processor device. The larger the work in the microcontroller, the less efficient it is. These advantages can contribute to promoting decentralization of cryptocurrency by increasing the accessibility of miners.

## 4 Evaluation

In this section, we evaluate the proposed method on the microcontroller. We first introduce the experiment environment and then the results in detail.

**Table 1.** Comparison of the speed difference and efficiency between processors when the processor collecting power waveforms is an Atmega128 and the hash operations are performed either on the Atmega128 or on other processors.

| Processor     | DMIPS | Speed ratio | Efficiency |
|---------------|-------|-------------|------------|
| Atmega128     | 32    | 1:1         | 0%         |
| Raspberry Pi  |       |             |            |
| ARM 1176      | 850   | 1:26.6      | 93%        |
| Cortex-A7     | 1500  | 1:46.9      | 97%        |
| Cortex-A53    | 3500  | 1:109       | 98%        |
| Commercial PC |       |             |            |
| Phenom II     | 12000 | 1:375       | 99.5%      |
| Core i7 930   | 16500 | 1:516       | 99.6%      |
| Core i7 4820K | 23600 | 1:738       | 99.7%      |

#### 4.1 Experiment environment

The proposed method relies on the power trace information. For this reason, high-quality power trace information is important. We collected the power consumption of the microcontroller through ChipWhispererLite XMEGA (8-bit processor). The sampling rate is 7.38 million samples per second (MS/s), which is the working frequency of the target processor. The source code of the microcontroller is written in the C language and compiled with AVR-GCC. For the power trace collection, we used the ChipWhispererLite API version 5.1. The experiment code is written in Python.

#### 4.2 Uniqueness of power consumption

We run the AES-256 encryption module on the microcontroller and collect the power consumption traces generated from the same input value, as two groups of 1,000 traces (2,000 in total), in order to confirm that the power consumption is unique to the input variables when the encryption module is executed on the microcontroller. The correlation coefficient between the two groups was obtained. Cases include different plaintext, different key, and both values different. 2,000 traces of power consumption are collected. All the collected traces were filtered using the FFT function. Afterward, two groups of 1,000 were created and correlation coefficients between the two groups were obtained. Table 2 shows the statistical values of the results. The case in which both the key and the input are the same showed a relatively higher correlation coefficient than the other cases. In particular, the minimum value when the key and the input are the same is larger than the maximum value when only the key is different. This is clearly seen in Figure 4. There is no common value for the same input value and different input values. Between the minimum value in the same case and the maximum value in the other cases, there is a large gap. For this reason, we can classify them correctly.

The same experiment was performed for LEA, ARIA, and SEED [36–38] to confirm that other ciphers having the same intermediate value and output value also have these characteristics.



**Fig. 4.** Correlation coefficient between power consumption traces, S/D, D/S, S/S, and D/D represent same key/different plaintext, different key/same plaintext, same key/same plaintext, and different key/different plaintext, respectively.

LEA showed a wider range of correlation coefficients than the results of AES. In addition, AES is less than the minimum value of 0.0005 for the same input value. There is no common value for the same input value and different input values. Therefore, it was confirmed that LEA can also be used as a working cryptographic module.

ARIA showed higher correlation coefficient than AES for other input values. In addition, there was a difference between the minimum value for the same input value and the maximum value for other inputs, such as 0.0017. The ARIA does not have a common value for the same input value and different input values. Therefore, we confirmed that the ARIA can also be used as a working cryptographic module.

SEED is similar to the result of AES. This confirmed that the block cipher can be used as a cryptographic module that works. There is no common value for the same input value and different input values.

#### 4.3 Lightweight PoW for low-end microcontrollers

In Table 3, the comparison result is given. Previous methods suggested the hard problem not to be solved by ASIC. However, the problem is even hard for the users. On the other hand, the proposed method is efficient even for the low-end IoT devices, because the hard problem comes from varied power trace features related with microcontrollers, cryptographic modules, and input values. This is easy for microcontrollers but it is hard to emulate. We ensure that this is the first practical PoW method for low-end IoT devices.

**Table 2.** Correlation coefficient between power consumption traces with different block ciphers.

| Measurement (key/plaintext)       | Maximum | Minimum | Mean    | First Quartile | Third Quartile |
|-----------------------------------|---------|---------|---------|----------------|----------------|
| AES                               |         |         |         |                |                |
| Same key/Different plaintext      | 0.99656 | 0.99433 | 0.99549 | 0.99519        | 0.99578        |
| Different key/Same plaintext      | 0.99619 | 0.99406 | 0.99516 | 0.99488        | 0.99542        |
| Same key/Same plaintext           | 0.99965 | 0.99820 | 0.99884 | 0.99859        | 0.99903        |
| Different key/Different plaintext | 0.99605 | 0.99361 | 0.99493 | 0.99461        | 0.99524        |
| LEA                               |         |         |         |                |                |
| Same key/Different plaintext      | 0.99495 | 0.99093 | 0.99288 | 0.99236        | 0.99337        |
| Different key/Same plaintext      | 0.99502 | 0.99114 | 0.99283 | 0.99231        | 0.99331        |
| Same key/Same plaintext           | 0.99980 | 0.99670 | 0.99809 | 0.99756        | 0.99854        |
| Different key/Different plaintext | 0.99471 | 0.99093 | 0.99271 | 0.99221        | 0.99317        |
| ARIA                              |         |         |         |                |                |
| Same key/Different plaintext      | 0.99612 | 0.99417 | 0.99505 | 0.99483        | 0.99526        |
| Different key/Same plaintext      | 0.99611 | 0.99409 | 0.99498 | 0.99476        | 0.99518        |
| Same key/Same plaintext           | 0.99987 | 0.99872 | 0.99919 | 0.99900        | 0.99937        |
| Different key/Different plaintext | 0.99594 | 0.99401 | 0.99492 | 0.99469        | 0.99514        |
| SEED                              |         |         |         |                |                |
| Same key/Different plaintext      | 0.99222 | 0.98817 | 0.99034 | 0.98990        | 0.99080        |
| Different key/Same plaintext      | 0.99263 | 0.98849 | 0.99050 | 0.99005        | 0.99097        |
| Same key/Same plaintext           | 0.99993 | 0.99834 | 0.99901 | 0.99875        | 0.99927        |
| Different key/Different plaintext | 0.99218 | 0.98801 | 0.99023 | 0.98976        | 0.99068        |

**Table 3.** Comparison of PoW methods.

| Method                      | ASIC Development   | Low-end IoT |
|-----------------------------|--------------------|-------------|
| Multi-hash PoW              | Possible           | -           |
| Memory-hard PoW [16]        | Possible           | -           |
| Memory-bound PoW [27–29]    | Possible           | -           |
| Programmatic PoW [31, 32]   | Possible           | -           |
| This work (Power-trace PoW) | Partially possible |             |

## 5 Conclusion

In this paper, we presented a novel ASIC-resistant PoW based on power analysis of low-end microcontrollers. This approach is based on the unique power consumption pattern produced when performing the cryptographic function on the microcontroller. The power trace is post-processed with FFT to meet a certain quality as a PoW source. Finally, the refined information is used for the block generation. In order to confirm the practicality of the proposed method, we implemented the method on a low-end microcontroller and evaluated 4 different block ciphers. The result shows that the proposed method works efficiently on the target microcontrollers.

As future work, in terms of attack scenarios, we will investigate ASIC-based emulation of the power trace. Furthermore, we will also explore deep-learning-based emulation to break the proposed method.

## References

- 1. S. Nakamoto, "Bitcoin: A peer-to-peer electronic cash system," 2008.
- 2. G. Wood et al., "Ethereum: A secure decentralised generalised transaction ledger," *Ethereum project yellow paper*, vol. 151, no. 2014, pp. 1–32, 2014.
- 3. S. Noether and A. Mackenzie, "Ring confidential transactions," vol. 1, pp. 1–18, 2016.
- 4. C. Dwork and M. Naor, "Pricing via processing or combatting junk mail," in *Annual International Cryptology Conference*, pp. 139–147, Springer, 1992.
- 5. J.-Y. Cai, R. J. Lipton, R. Sedgewick, and A.-C. Yao, "Towards uncheatable benchmarks," in *[1993] Proceedings of the Eight Annual Structure in Complexity Theory Conference*, pp. 2–11, IEEE, 1993.
- 6. S. Ar and J.-Y. Cai, "Reliable benchmarks using numerical instability," in *SODA*, pp. 34–43, 1994.
- 7. M. K. Franklin and D. Malkhi, "Auditable metering with lightweight security," in *International Conference on Financial Cryptography*, pp. 151–160, Springer, 1997.
- 8. D. M. Goldschlag and S. G. Stubblebine, "Publicly verifiable lotteries: Applications of delaying functions," in *International Conference on Financial Cryptography*, pp. 214–226, Springer, 1998.
- 9. R. L. Rivest, A. Shamir, and D. A. Wagner, "Time-lock puzzles and timed-release crypto," 1996.
- 10. C. Dwork and M. Naor, "Pricing via processing or combatting junk mail," in *Annual International Cryptology Conference*, pp. 139–147, Springer, 1992.
- 11. A. Back et al., "Hashcash-a denial of service counter-measure," 2002.
- 12. G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche, "Keccak," in *Annual international conference on the theory and applications of cryptographic techniques*, pp. 313–314, Springer, 2013.
- 13. T. Dryja, "Hashimoto: I/o bound proof of work," 2009.
- 14. V. Buterin, "Dagger: A memory-hard to compute, memory-easy to verify scrypt alternative," tech. rep., Technical Report, 2013. URL http://www.hashcash.org/papers/dagger.html, 2013.
- 15. C. Percival, "Stronger key derivation via sequential memory-hard functions," 2009.
- 16. N. Van Saberhagen, "Cryptonote v 2.0," 2013.
- 17. A. De Vries, "Bitcoin's growing energy problem," *Joule*, vol. 2, no. 5, pp. 801–805, 2018.
- 18. K. S. Primecoin, "Cryptocurrency with prime number proof-of-work," *July 7th*, 2013.
- 19. R. L. Rivest and A. Shamir, "Payword and micromint: Two simple micropayment schemes," in *International workshop on security protocols*, pp. 69–87, Springer, 1996.
- 20. A. Miller, A. Juels, E. Shi, B. Parno, and J. Katz, "Permacoin: Repurposing bitcoin work for data preservation," in *2014 IEEE Symposium on Security and Privacy*, pp. 475–490, IEEE, 2014.
- 21. Y. Sompolinsky and A. Zohar, "Secure high-rate transaction processing in bitcoin," in *International Conference on Financial Cryptography and Data Security*, pp. 507–527, Springer, 2015.
- 22. J. Jang and H.-N. Lee, "Profitable double-spending attacks," arXiv preprint arXiv:1903.01711, 2019.
- 23. I. Eyal and E. G. Sirer, "Majority is not enough: Bitcoin mining is vulnerable," in *International conference on financial cryptography and data security*, pp. 436–454, Springer, 2014.
- 24. E. Heilman, A. Kendler, A. Zohar, and S. Goldberg, "Eclipse attacks on bitcoin's peer-to-peer network," in *24th USENIX Security Symposium (USENIX Security 15)*, pp. 129–144, 2015.
- 25. P. Daian, I. Eyal, A. Juels, and E. G. Sirer, "(short paper) piecework: Generalized outsourcing control for proofs of work," in *International Conference on Financial Cryptography and Data Security*, pp. 182–190, Springer, 2017.
- 26. J. A. Kroll, I. C. Davey, and E. W. Felten, "The economics of bitcoin mining, or bitcoin in the presence of adversaries," in *Proceedings of WEIS*, vol. 2013, p. 11, 2013.
- 27. M. Abadi, M. Burrows, M. Manasse, and T. Wobber, "Moderately hard, memory-bound functions," *ACM Transactions on Internet Technology (TOIT)*, vol. 5, no. 2, pp. 299–327, 2005.
- 28. C. Dwork, A. Goldberg, and M. Naor, "On memory-bound functions for fighting spam," in *Annual International Cryptology Conference*, pp. 426–444, Springer, 2003.
- 29. C. Dwork, M. Naor, and H. Wee, "Pebbling and proofs of work," in *Annual International Cryptology Conference*, pp. 37–54, Springer, 2005.
- 30. L. Ren and S. Devadas, "Bandwidth hard functions for ASIC resistance," in *Theory of Cryptography Conference*, pp. 466–492, Springer, 2017.
- 31. W. F. Bradley, "Superconcentration on a pair of butterflies," arXiv preprint arXiv:1401.7263, 2014.
- 32. S. A. Cook, "An observation on time-storage trade off," in *Proceedings of the fifth annual ACM symposium on Theory of computing*, pp. 29–33, 1973.
- 33. P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in *Annual International Cryptology Conference*, pp. 388–397, Springer, 1999.
- 34. F. Durvaux, B. Gerard, and S. Kerckhof, "Intellectual property protection for integrated systems using soft physical hash functions," in *International Workshop on Information Security Applications*, pp. 208–225, Springer, 2012.
- 35. P. Samarin and K. Lemke-Rust, "Detecting similar code segments through side channel leakage in microcontrollers," in *International Conference on Information Security and Cryptology*, pp. 155–174, Springer, 2017.
- 36. D. Kwon, J. Kim, S. Park, S. H. Sung, Y. Sohn, J. H. Song, Y. Yeom, E.-J. Yoon, S. Lee, J. Lee, et al., "New block cipher: ARIA," in *International Conference on Information Security and Cryptology*, pp. 432–445, Springer, 2003.
- 37. D. Hong, J.-K. Lee, D.-C. Kim, D. Kwon, K. H. Ryu, and D.-G. Lee, "LEA: A 128-bit block cipher for fast encryption on common processors," in *International Workshop on Information Security Applications*, pp. 3–27, Springer, 2013.
- 38. J. Park, S. Lee, J. Kim, and J. Lee, "The SEED encryption algorithm," 2005.