Challenge-response security testing with sequential puzzles. Users must solve each challenge before subsequent challenges are revealed. The patent continues Broder's long-running CAPTCHA-design lineage that began at AltaVista.
Patent Overview
- Inventor: Andrei Broder
- Assignee: Yahoo! Inc.
- Filed: 2011-08-10
- Granted: 2013-08-27
The Challenge
Bots are increasingly sophisticated at solving single-puzzle CAPTCHAs. Multi-step CAPTCHAs that require sequential puzzle solving force bots to invest computation serially, making mass-scale automation more expensive than single-puzzle approaches.
- Single-Puzzle CAPTCHAs Are Solvable — ML-driven bots solve single CAPTCHAs reliably. Stronger defense required.
- Serial Solving Multiplies Cost — Sequential puzzles force serial computation. Mass scaling becomes expensive.
- Time-Consuming Decryption Per Puzzle — Decrypting each puzzle is itself time-consuming, so the cumulative cost rises.
- Solution Reveals Next Puzzle — The next puzzle is decrypted only once the current one is solved, so work cannot be parallelized across puzzles.
- UX Trade-Off Must Be Tolerable — Multi-step adds user friction. Difficulty must balance security against UX.
Innovation
How The System Works
The system presents an encrypted puzzle chain, requires the user to solve each puzzle in sequence, decrypts the next puzzle only after the current solution is verified, and accepts the challenge as passed only when the full chain is solved.
- Generate Puzzle Chain — Per challenge, generate a chain of puzzles, each encrypted.
- Present First Puzzle — Initial puzzle presented to user.
- User Solves — User solves the current puzzle.
- Verify And Decrypt Next — Solution verified; next puzzle decrypted and presented.
- Continue Chain — Process repeats through chain.
- Accept On Full Completion — Challenge passes only on full-chain completion.
- Adapt Difficulty — Per user behavior, difficulty adapts to balance security and UX.
Serial Solving Beats Parallel Attack
The patent's load-bearing idea is that serial puzzle chains force serial computation. Bots can parallelize single-puzzle attacks but cannot bypass the serial constraint of decrypt-after-solve chains.
Time-Consuming Sequential Decryption
Decrypting each puzzle is itself time-consuming, and the chain advances only through sequential solving. The two constraints together multiply the cost to a bot.
- Encrypted Puzzle Chains — Chain of puzzles, each encrypted; reveal-after-solve.
- Time-Consuming Decryption — Per puzzle, decryption itself costs time.
- Full-Chain Acceptance — Challenge passes only on completion of entire chain.
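A minimal sketch of the decrypt-after-solve chain and the slow per-puzzle decryption described above, added here as an illustration and not taken from the patent. It assumes PBKDF2 as the time-consuming step, keys derived from every answer so far, and a SHA-256 keystream with HMAC as a standard-library stand-in for a real authenticated cipher; all function names and the sample puzzles are hypothetical.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed work factor: answers are low-entropy, so the cost lives in the KDF
# Constructed sample chain (not from the patent): (prompt, answer) pairs.
PUZZLES = [("3 + 4 = ?", "7"), ("Type the word 'river'", "river"), ("Last letter of 'cat'?", "t")]

def _path(answers):
    # Key material is every answer so far, so box i cannot be opened before boxes 0..i-1.
    return "\x00".join(a.strip().lower() for a in answers)

def _keys(path: str, salt: bytes):
    k = hashlib.pbkdf2_hmac("sha256", path.encode(), salt, ITERATIONS, dklen=64)
    return k[:32], k[32:]  # (encryption key, MAC key)

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # SHA-256 counter keystream: stdlib stand-in for a real AEAD cipher.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(path: str, plaintext: bytes) -> dict:
    salt = os.urandom(16)
    enc_key, mac_key = _keys(path, salt)
    ct = _xor_stream(enc_key, plaintext)
    return {"salt": salt, "ct": ct, "tag": hmac.new(mac_key, ct, "sha256").digest()}

def unseal(path: str, box: dict):
    enc_key, mac_key = _keys(path, box["salt"])
    tag = hmac.new(mac_key, box["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, box["tag"]):
        return None  # wrong solution: the next puzzle stays sealed
    return _xor_stream(enc_key, box["ct"])

def generate_chain(puzzles, token: bytes):
    """Box i holds puzzle i+1's prompt, or the pass token after the last puzzle."""
    answers, boxes = [a for _, a in puzzles], []
    for i in range(len(puzzles)):
        nxt = puzzles[i + 1][0].encode() if i + 1 < len(puzzles) else token
        boxes.append(seal(_path(answers[:i + 1]), nxt))
    return puzzles[0][0], boxes

def solve_chain(boxes, answers):
    """Completion gate: the token comes back only if every link opens in order."""
    revealed = None
    for i, box in enumerate(boxes[:len(answers)]):
        revealed = unseal(_path(answers[:i + 1]), box)
        if revealed is None:
            return None
    return revealed if len(answers) == len(boxes) else None
```

Raising `ITERATIONS` or the chain length increases the cost of each guess and each pass, which is the same security-versus-friction trade-off the page describes for chain-length tuning.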
Technical Foundation
The patent specifies the chain generator, puzzle presenter, solution verifier, decryptor, completion gate, and difficulty adapter.
- Chain Generator — Per challenge, generates encrypted puzzle chain.
- Puzzle Presenter — Per puzzle, presents to user.
- Solution Verifier — Verifies submitted solutions.
- Decryptor — Decrypts next puzzle on verified solution.
- Completion Gate — Accepts challenge only on full-chain completion.
- Difficulty Adapter — Adapts puzzle difficulty based on context and behavior.
The Process
Per challenge, the chain is presented and solved serially.
- Generate Chain — Encrypted chain generated.
- Present First — First puzzle shown.
- User Solves — Solution submitted.
- Verify — Solution verified.
- Decrypt Next — Next puzzle decrypted.
- Repeat — Loop until chain end.
- Accept — Full-chain completion accepted.
Quality Control
CAPTCHA effectiveness depends on balanced design. The patent specifies safeguards.
- Difficulty Calibration — Per puzzle, difficulty calibrated to balance security and human-solvability.
- Chain-Length Tuning — Chain length tuned. Too short loses security; too long damages UX.
- Adaptive Adjustment — Per session, difficulty adapts based on user behavior signals.
- Accessibility Support — Alternative puzzle types for accessibility users.
- Continuous Refresh — Puzzle types and difficulty refresh against attacker capabilities.
Real-World Application
Multi-step CAPTCHA is one approach in the broader CAPTCHA evolution. Broder's long lineage in CAPTCHA design from AltaVista onward influences how challenge-response systems balance security and user experience.
- Serial chain (Defense Pattern) — Sequential puzzles force serial bot computation.
- Time-consuming decryption (Cost Multiplier) — Per puzzle, decryption itself costs time.
- Adaptive difficulty (UX Balance) — Difficulty adapts to balance security and UX.
Why Bot Defenses Affect SEO Indirectly
Sites with strong bot defenses reduce manipulated-signal noise (fake reviews, fake clicks, click fraud). The cleaner signal compounds across organic search quality.
Why CAPTCHA Design Influences Form-Submission Patterns
User-facing CAPTCHAs gate form submissions, which gate lead capture and account creation. Form-conversion economics depend on CAPTCHA UX design quality.
What This Means for SEO
This patent strengthens CAPTCHA by chaining encrypted puzzles that must be solved serially, each decrypting the next, to make mass automation expensive. SEO implication: bot defense reduces manipulated-signal noise, and CAPTCHA UX directly shapes form-conversion economics.
- Serial Puzzles Raise The Cost Of Spam — Chained, decrypt-after-solve puzzles force bots into serial computation that does not parallelize. The point is to make mass fake-account and spam-submission attacks expensive, which keeps fake signals out of your data.
- Cleaner Signal Follows Stronger Defense — Reducing automated fake reviews, fake clicks, and click fraud leaves you with cleaner behavioral signal. That cleaner signal compounds across organic search quality and reputation systems.
- CAPTCHA Gates Your Conversion Funnel — User-facing CAPTCHAs sit on form submissions that gate lead capture and account creation. The friction you choose directly shapes form-conversion economics, so defense strength and conversion are a tradeoff to manage deliberately.
- Chain Length Is A UX Lever — The patent tunes chain length because too short loses security and too long damages UX. On your own forms, the same principle applies: match challenge difficulty to the value and abuse-risk of the action.
- Adaptive Difficulty Targets Suspicious Sessions — Difficulty adapts to behavior signals within a session. Well-implemented adaptive defense lets genuine users pass easily while escalating only for suspicious traffic, protecting both conversion and signal.
- Accessibility Alternatives Keep Humans In — Alternative puzzle types serve accessibility users. Defenses that lack them turn away real customers, costing conversions and the genuine signal those visits would have produced.
- Defense Is An Arms Race, Not A Setting — Puzzle types refresh against evolving attacker capability. Treating bot defense as continuously maintained, not set-and-forget, keeps your signal clean as automated solvers improve.