Client puzzles are cryptographic problems that are neither easy nor hard to solve. Most puzzles are based on either number theoretic or hash inversions problems. Hash-based puzzles are very efficient but so far have been shown secure only in the random oracle model; number theoretic puzzles, while secure in the standard model, tend to be inefficient. In this paper, we solve the problem of constructing cryptographic puzzles that are secure in the standard model and are very efficient. We present

more »

... an efficient number theoretic puzzle that satisfies the puzzle security definition of Chen et al. (ASIACRYPT 2009). To prove the security of our puzzle, we introduce a new variant of the interval discrete logarithm assumption which may be of independent interest, and show this new problem to be hard under reasonable assumptions. Our experimental results show that, for 512-bit modulus, the solution verification time of our proposed puzzle can be up to 50× and 89× faster than the Karame-Čapkun puzzle and the Rivest et al.'s time-lock puzzle respectively. In particular, the solution verification time of our puzzle is only 1.4× slower than that of Chen et al.'s efficient hash based puzzle.