TLS Client Puzzles Extension

Document Type Expired Internet-Draft (individual)
Authors Erik Nygren  , Samuel Erb  , Alex Biryukov  , Dmitry Khovratovich  , Ari Juels 
Last updated 2017-06-28 (latest revision 2016-12-25)
Stream (None)
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


Client puzzles allow a TLS server to defend itself against asymmetric DDoS attacks. In particular, it allows a server to request clients perform a selected amount of computation prior to the server performing expensive cryptographic operations. This allows servers to employ a layered defense that represents an improvement over pure rate-limiting strategies. Client puzzles are implemented as an extension to TLS 1.3 [I-D.ietf-tls-tls13] wherein a server can issue a HelloRetryRequest containing the puzzle as an extension. The client must then resend its ClientHello with the puzzle results in the extension.


Erik Nygren (
Samuel Erb (
Alex Biryukov (
Dmitry Khovratovich (
Ari Juels (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)