Permissionless Blockchains and Secure Logging
Chunpeng Ge, Siwei Sun∗, and Pawel Szalachowski
ST Electronics - SUTD Cyber Security Laboratory, Singapore University of Technology and Design, Singapore
Data Assurance and Communication Security Research Center, CAS, China
Abstract—The blockchain technology enables mutually untrusting participants to reach consensus on the state of a distributed and decentralized ledger (called a blockchain) in a permissionless setting. The consensus protocol of the blockchain imposes a unified view of the system state over the global network, and once a block is stable in the blockchain, its data is visible to all users and cannot be retrospectively modified or removed. Due to these properties, the blockchain technology is regarded as a general consensus infrastructure on which a variety of systems have been built. This article presents a study and survey of permissionless blockchain systems in the context of secure logging. We postulate the most essential properties required by a secure logging system and, by considering a wide range of applications, we give insights into how the blockchain technology matches these requirements. Based on the survey, we motivate related research perspectives and challenges for blockchain-based secure logging systems, and we highlight potential solutions to some specific problems.
I. Introduction and Background
Secure Logging.
Logging is indispensable for many secure IT systems. While there is no unanimous agreement on the definition of a secure logging system, it can be regarded as a database system which securely keeps track of records for security-critical data. A secure logging scheme has a wide range of applications. It can be a stand-alone system or an integral part of a larger system.
An event logging system is one traditional application of secure logging. It records system events of forensic value in a protected database. Such logging systems are security-critical and are regular targets of sophisticated attackers trying to eliminate their footprints. Therefore, it is important to prevent unauthorized modifications and deletions of the log entries.
A timestamping service is an infrastructure used to prove the existence of certain digital data prior to a specific point in time. It is important to guarantee the accuracy and validity of the timing information of data and events, since defects in it may have significant security and financial implications. Therefore, the accuracy and immutability of the timestamps are essential.
The security of many systems today is bootstrapped from securely obtaining some specific authoritative information. For example, a PKI is meaningless if the users relying on it cannot obtain the correct certificates in the first place [4], [28]. Another example is trusted directory servers [32], which, when attacked, can compromise properties of a relying infrastructure [24]. To address these issues, transparency logs [8], [12], [18], [35] have been proposed, which are services securely maintaining a list or dictionary of objects. To prevent malicious entries from being inserted into the log without being noticed, the dictionary should be append-only. Moreover, participants should have a singleton view of the dictionary, i.e., the log should not be able to equivocate; this usually requires a gossip protocol to be deployed [9], [25].
This research was supported by ST Electronics and National Research Foundation (NRF), Prime Minister’s Office Singapore, under Corporate Laboratory @ University Scheme (Programme Title: STEE Infosec - SUTD Corporate Laboratory).
∗ This work was done while the author was at SUTD.
Desired Properties.
From the example applications presented, we can extract a list of desired properties:
Availability: The logger can log artifacts without significant delays. For clients relying on the log server, all logged artifacts and events can be accessed.
Authenticity: It should be verifiable who has created or submitted the logged artifacts.
Immutability: Once an artifact has been logged, it cannot be altered or removed without being noticed.
Non-equivocation: All system participants should have a unified view of the logs. The log server cannot present different views of the log to different users.
Freshness: Some applications may demand the freshness property, which allows ordering the logged artifacts (weak freshness) or even determining their exact time up to a certain precision (strong freshness).
Blockchain and Secure Logging.
Blockchain technologies, like Bitcoin [23] and Ethereum [37], are successful beyond all expectations. This success is mainly driven by their properties: consensus: all parties can (eventually) agree on the current state of the system; transparency: all transactions (of all participants) are visible to anyone; irreversibility: blockchains have the append-only property, which implies that whenever a transaction is appended to a blockchain it cannot be retrospectively modified or removed; decentralization and openness: everyone can participate in the system, and no centralized entity authorizes participants or their transactions; availability: the infrastructure is robust as it can tolerate a large fraction of faulty participants. Due to these properties, the blockchain technology enables novel applications like cryptocurrencies and smart contracts. Even now, shortly after their advent, these systems are successful, and as a consequence of this success developers and researchers try to reuse blockchain infrastructures to build new systems or enhance existing ones.
A secure logging service based on decentralized blockchain technology could have great potential and could be deployed by multiple existing applications and used for empowering novel ones. In fact, there are proposals that try to use blockchain as a logging-related service, for instance blockchain-based timestamping [1], trusted record-keeping service [13], decentralized audit systems [20], document signing infrastructures [16], timestamped commitments [10], or secure off-line payment systems [11]. Another line of research in this area is to design transparency schemes based on blockchain technologies, such as key transparency [5], certificate transparency [21], [33], binary transparency [3], or log transparency [36]. Other related work includes providing legacy content (e.g., web content) to smart contracts [15], [27], [38].
However, there are many challenges associated with designing and deploying such systems. In this work, we study these systems and their logging-relevant properties, and show their limitations and research opportunities.
II. Selected Blockchain Platforms
Bitcoin.
Bitcoin [23] is the first and largest cryptocurrency, and due to its open, distributed, decentralized nature and its use of public-key cryptography, it offers (transaction) authenticity and a certain degree of availability. The Bitcoin network maintains a distributed and replicated ledger (i.e., blockchain), an append-only linked list of blocks (containing transactions). Since the system is permissionless, any participant can vote for her own view of the current state by trying to append new blocks to the blockchain. To combat Sybil attacks and reach an agreement on the system state across the network, Bitcoin employs the Nakamoto consensus, where a solution of a computational puzzle, serving as a Proof-of-Work (PoW), must be presented to append a new block to the blockchain. An incentive structure is embedded in the protocol to encourage participants to constantly compete to put their own blocks onto the blockchain.
The global ledger is append-only, and once a block is stable in the blockchain, its data cannot be retrospectively modified or removed without significant computational resources. Moreover, the whole network has a unified view of the blockchain. These properties lead to a natural way to build a secure logging system providing the non-equivocation property, where we can record the log statements on the blockchain. This can be done by sending special transactions in the Bitcoin network. For example, the OP_RETURN code allows adding 220 Bytes of arbitrary data to a transaction output.
Since every block of the Bitcoin blockchain has a timestamp, when recording data on the blockchain, it may be tempting to use the same timestamp for the data. In practice, timestamps can differ radically from the actual time, and they are susceptible to manipulation [6], [14], [34]. Hence, the accurate time cannot be determined and extra caution must be taken when using the Bitcoin timestamps.
Bitcoin introduces the unspent transaction output (UTXO) model, where new transactions can spend only UTXOs (i.e., actual coins) included in existing transactions. Bitcoin introduces light SPV clients which can interact with the blockchain without possessing and validating all blocks (they store and validate only short block headers).
Ethereum.
Ethereum [7] is a decentralized and open replicated state machine whose state is maintained as a PoW blockchain. Ethereum keeps track of a general-purpose state which can be represented as a global dictionary composed of key-value pairs. The state transition of Ethereum is processed by the so-called Ethereum virtual machine executing code (called smart contract) written in a Turing complete language. Ethereum introduces a native cryptocurrency called ether and the notion of gas. Ether is not only an integral part of the underlying PoW based blockchain, but also intended as a utility currency to purchase the gas that will be consumed when using the system resources. This provides economic incentives and security to the system.
Since Ethereum uses a similar consensus mechanism as Bitcoin, any secure logging system implemented on Bitcoin can also be realized over Ethereum, and it can achieve similar properties with respect to availability, authenticity, immutability and non-equivocation. Moreover, with Ethereum one can implement smart contracts with almost arbitrary logic. Thus, compared to Bitcoin, Ethereum is a more suitable choice if a logging service requires actions or computations to be executed automatically according to the current state and user inputs. Finally, Ethereum provides a better freshness property than Bitcoin; however, nodes of the Ethereum network rely on the NTP [22] servers, and therefore their timestamps are generated in a centralized way to some extent.
IOTA.
There are multiple proposals aiming to improve the efficiency of blockchain-based systems by deploying a directed acyclic graph (DAG) instead [19], [26], [29]–[31]. IOTA [26] is a permissionless distributed ledger where transactions are stored in a data structure whose logical topology forms a DAG. This design aspires to resolve some inherent scalability issues of chain style blockchains and positions itself as suitable for IoT applications.
In the IOTA terminology, the tangle is the data structure storing the distributed ledger, whose vertices are called sites. Each site contains one transaction issued by the IOTA user network. To be permanently attached to the tangle and become one site, a transaction must directly approve two existing transactions (sites) in the tangle. If there is a path from site B to site A, we say that site A is indirectly approved by site B. The genesis site is directly or indirectly approved by all sites (excluding itself) in the tangle. The tips are those sites that have not been approved by any site. Consequently, the chronological order of two sites cannot be determined unless there is a path connecting them. Thus even the weak freshness on different paths cannot be determined. In IOTA, anyone can issue a data transaction with arbitrary content of about 1.27 KBytes. Though each transaction has a timestamp field, it is not verified when the transaction is added to the IOTA network, which means this timestamp can be any time in the correct format. Therefore, it is challenging to build time-sensitive logging systems relying only upon IOTA. Currently, the security of the IOTA network is ensured by an entity called coordinator who verifies all transactions, that is, a transaction cannot be a part of the tangle without the coordinator’s approval. Consequently, the community calls into question the (de)centralization nature of IOTA, and we do not find any convincing response from the IOTA Foundation.

TABLE I: Logging-Related Features of Selected Platforms.
Platforms | tx arrival time | public-key identities | publicly accessible | data structure | timestamp range | data size per tx | data recording
Bitcoin | 10 min | yes | yes | chain | 2 h | 220 Bytes | OP_RETURN
Ethereum | 15 sec | yes | yes | chain | 15 s | 780 KBytes | smart contract
IOTA | net. latency | yes | yes | DAG | ⊥ | ⊥
to represent it.

III. Selected Blockchain-based Logging Systems
Namecoin.
Namecoin is a decentralized key-value pairing log system based on a Bitcoin hard fork [17], preserving its main properties. Namecoin achieves human-readability, strong ownership and decentralization for a naming log system, while no previous system provides all three of these properties. In Namecoin, a user registers a key-value record on the blockchain by issuing a special transaction containing the record. Once this transaction is included in the blockchain, the record creation operation is done. This record and the owner address will be seen by every node in the blockchain network. For updating the record, the owner issues a transaction containing the updated information. The initial motivation for Namecoin was to create an alternative to DNS. The latency of creating and updating records is capped by Bitcoin’s consensus protocol, and its average time is 60 minutes. The authentication property is achieved by using a pseudo-anonymous address as the identity. For freshness, Namecoin can prove the order of the name-value records. However, the exact time of a record cannot be guaranteed.
Commitcoin.
Commitcoin [10] is a timestamped commitment scheme based on Bitcoin. When the commitment is opened, anyone can be convinced that the commitment was made before a certain time. Assume that Alice is a Bitcoin user with a key pair (sk, pk) who wants to make a commitment of message m. Alice first computes the commitment c of the message m with random number r, and then derives a new key pair (sk′, pk′) with the private key sk′ = c. Then Alice signs a Bitcoin transaction τ which sends 2 bitcoins from pk to pk′ with secret key sk and randomness ρ, producing signature σ. Alice signs another transaction τ which sends 1 bitcoin from pk′ to pk with secret key sk′ and randomness ρ′, producing signature σ. The signed transactions are broadcast to the Bitcoin network to be included in the public blockchain, which proves that Alice knows the corresponding private keys of pk and pk′. Alice can make the commitment publicly available by signing a transaction τ which returns the remaining 1 bitcoin from pk′ back to pk with secret key sk′ and previously used randomness ρ′, and broadcasting the resulting signature σ to the Bitcoin network. Note that this operation effectively leaks sk′ = c to the public, since the same key and randomness are used to generate the signatures σ and σ [10]. Finally, Alice can open the commitment by announcing (m, r), and the timestamp of the block containing τ indicates a rough time at which the commitment was created. The accuracy of commitment timestamps depends on Bitcoin timestamps.
Catena.
Catena [36] is an efficient non-equivocation scheme built on top of Bitcoin. A Catena log is bootstrapped by issuing an initial transaction to the Bitcoin blockchain called the genesis transaction. To issue the first statement in the log associated with a genesis transaction, Catena commits the statement s via an OP_RETURN transaction whose input is the UTXO of the genesis block. Similarly, any subsequent log statement s_{i+1} is embedded in an OP_RETURN transaction that spends the UTXO of s_i, creating a chain of transactions with log statements rooted at the genesis transaction. The statements are verified against the genesis block. The resistance against equivocation is as strong as that of Bitcoin, since inconsistent statement chains imply a double spending at some point of the chain. Catena is an example of an application inheriting the security of the underlying blockchain.
Contour.
Contour [3] presents a proactive mechanism for binary transparency. Contour is built on top of the Bitcoin blockchain. Whenever the authority wants to issue a package, it incorporates the hash value of each binary as a leaf of a Merkle tree with root h_b. Once the Merkle tree reaches a threshold size, the authority issues a blockchain transaction tx in which h_b is embedded as one of the outputs by using OP_RETURN. Like in Catena [36], every such transaction tx must spend a previous transaction output that is spent by the authority. When a client requests a software update, the requested binary is accompanied by two inclusion proofs, sent to the auditor, which assert that the binary has been added to the log and is thus accessible to the monitor. The proofs convince the auditor that a) the relevant binary is included in the Merkle tree represented by h_b and b) the transaction tx is included in the block. The authority can neither mutate nor equivocate a published binary as long as the Bitcoin platform is secure.
Data Feed for Smart Contracts.
Data feeds for smart contracts make off-chain data available for on-chain smart-contract-based applications. Town Crier [38] relies on a trusted execution environment (TEE) to implement a service which contacts a content provider, verifies and parses its data, and provides it to a smart contract on demand. It does not involve the content provider in the protocol; however, it requires trust in the TEE platform used. TLS-N [27] provides a transport-layer approach, where content providers can provide non-repudiation for their application-layer data (e.g., HTTP). It is a more general solution; however, it requires low-level protocol changes and content providers must deploy the protocol. PDFS [15] is an application-layer solution giving content providers smart contracts used to verify the authenticity of their published content. In PDFS, off-chain data is obtained from a content provider’s website and its identity is authenticated by a TLS certificate. The scheme provides a payment framework, non-equivocation, and censorship evidence for content providers, but it requires them to deploy (only application-level changes are required).

Fig. 1: Categorization of blockchain-based secure logging systems.
Key transparency [ ]: Authenticity; Immutability; Non-equivocation even for SPV nodes; Active defence for split view attack; Key privacy; Weak freshness, not accurate timestamp; 3 minutes write latency, no read latency.
Certificate transparency [ ]: Authenticity; Immutability; Non-equivocation even for SPV nodes; Active defence for split view attack; Weak freshness, not accurate timestamp; 3 minutes write latency, no read latency.
Log transparency [ ]: Authenticity; Immutability; Non-equivocation even for SPV nodes; Active defence for split view attack; Weak freshness, not accurate timestamp; 1 hour write latency, no read latency.
Timestamp service [ ]: Authenticity; Immutability; Non-equivocation; Weak freshness, not accurate timestamp; 1 hour write latency, no read latency.
Naming and storage service [ , ]: Authenticity; Immutability; Non-equivocation; Weak freshness, not accurate timestamp; 1 hour write latency, no read latency.
Binary transparency [ ]: Authenticity; Immutability; Non-equivocation even for SPV nodes; Active defence for split view attack; Weak freshness, not accurate timestamp; 1 hour write latency, no read latency.
Transparency data feed [ ]: Authenticity; Immutability; Non-equivocation; Weak freshness, not accurate timestamp; 3 minutes write latency, no read latency.
Legend labels in the figure: Limitations, Performance.
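The Catena argument in this section, that two inconsistent statement chains require a double spend, can be traced in code. The following is an added example, not code from the paper or from Catena: the `Tx` model, the function names and the sample transactions are constructed, and `confirm` is a simplified stand-in for the UTXO rule that the Bitcoin network enforces.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tx:
    txid: str               # constructed label standing in for a Bitcoin transaction id
    spends: Optional[str]   # txid whose continuation output this tx consumes; None for genesis
    statement: bytes        # payload of the OP_RETURN output (empty for genesis)


def confirm(candidates):
    """Simplified UTXO rule: every continuation output can be spent only once.

    Transactions are processed in arrival order. Returns (confirmed, rejected);
    a second spend of the same output is a double spend and is rejected.
    """
    unspent, confirmed, rejected = set(), [], []
    for tx in candidates:
        if tx.spends is None:              # genesis transaction creates the first output
            unspent.add(tx.txid)
            confirmed.append(tx)
        elif tx.spends in unspent:         # valid spend: the chain head moves forward
            unspent.remove(tx.spends)
            unspent.add(tx.txid)
            confirmed.append(tx)
        else:                              # output already spent, or unknown
            rejected.append(tx)
    return confirmed, rejected


def read_log(genesis_txid, txs):
    """Client-side audit: walk the spend chain from the pinned genesis transaction.

    Returns the statements in log order. Raises ValueError if any output in the
    supplied set is spent twice, which is what an equivocating log would need.
    """
    if not any(t.txid == genesis_txid and t.spends is None for t in txs):
        raise ValueError("genesis transaction not present")
    child = {}
    for tx in txs:
        if tx.spends is None:
            continue
        if tx.spends in child:
            raise ValueError(f"equivocation: output of {tx.spends} spent by "
                             f"{child[tx.spends].txid} and {tx.txid}")
        child[tx.spends] = tx
    statements, cur, seen = [], genesis_txid, {genesis_txid}
    while cur in child:
        tx = child[cur]
        if tx.txid in seen:
            raise ValueError("cycle in spend chain")
        seen.add(tx.txid)
        statements.append(tx.statement)
        cur = tx.txid
    return statements


# Constructed sample: the log server tries to publish two different second statements.
GENESIS = Tx("g", None, b"")
S1 = Tx("t1", "g", b"digest-1")
S2 = Tx("t2", "t1", b"digest-2")
S2_FORK = Tx("t2x", "t1", b"digest-2-alt")   # spends the same output as S2

if __name__ == "__main__":
    confirmed, rejected = confirm([GENESIS, S1, S2, S2_FORK])
    print("confirmed:", [t.txid for t in confirmed])
    print("rejected: ", [t.txid for t in rejected])
    print("log:      ", read_log("g", confirmed))
```

A client that is handed both forks off-chain sees the conflict immediately in `read_log`; a client that only reads confirmed transactions never sees the second fork at all.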
IV. Research Perspectives and Challenges
Reliable Timestamps.
Bitcoin timestamps may be inaccurate. Thus, it is a valuable research topic to investigate how to enhance the Bitcoin protocol with existing trusted timestamping services, which can provide evidence that a block is created within a sharper time interval. One possible solution is to combine the timestamp protocol [2] with the blockchain platforms as previously presented [34]. The main idea is that one can issue transactions with a timestamp authority’s timestamped and signed messages containing references to known blocks of the blockchain. Then the time interval in which a given block, lying between two blocks containing timestamped messages, was created can be derived according to the order of the blocks. That is, we insert anchor points with more accurate timing information into the blockchain. A similar idea can be applied to DAG-based systems like IOTA. One can insert anchor points with reliable timing information and pointers to existing sites. However, this approach requires not only anchor points but also weak freshness, which is not provided by IOTA. Consequently, the extent to which we can improve the freshness property of IOTA is probabilistic in nature, which deserves further investigation.
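The interval derivation for chain-style blockchains can be written down directly. This added example is not code from the paper or from [34]; it assumes each anchor has already had its timestamp authority signature verified, models an anchor by the height of the block it references and the height of the block that contains it, and uses constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Anchor:
    tsa_time: int      # time asserted by the timestamp authority (Unix seconds)
    references: int    # height of the existing block whose hash the authority signed
    included_in: int   # height of the block containing the anchoring transaction


def block_interval(height, anchors):
    """Return (lower, upper) bounds on when the block at `height` was created.

    lower: the block contains, or follows a block containing, a signed message
           that did not exist before tsa_time.
    upper: the block is, or precedes, a block the authority had already seen
           at tsa_time.
    None means the anchors give no bound on that side.
    """
    lower = upper = None
    for a in anchors:
        if a.references >= a.included_in:
            raise ValueError(f"malformed anchor {a}: referenced block is not "
                             "older than the block containing the anchor")
        if a.included_in <= height:
            lower = a.tsa_time if lower is None else max(lower, a.tsa_time)
        if a.references >= height:
            upper = a.tsa_time if upper is None else min(upper, a.tsa_time)
    if lower is not None and upper is not None and lower > upper:
        raise ValueError(f"anchors contradict each other at height {height}")
    return lower, upper


def out_of_interval(header_times, anchors):
    """Heights whose header timestamp lies outside the anchor-derived interval."""
    flagged = []
    for height in sorted(header_times):
        lower, upper = block_interval(height, anchors)
        t = header_times[height]
        if (lower is not None and t < lower) or (upper is not None and t > upper):
            flagged.append(height)
    return flagged


# Constructed sample: two anchors, one hour apart, around blocks 102..105.
ANCHORS = [
    Anchor(tsa_time=1_000, references=100, included_in=102),
    Anchor(tsa_time=4_600, references=105, included_in=107),
]
# Constructed header timestamps; block 104 claims a time after the second anchor.
HEADER_TIMES = {103: 2_500, 104: 9_000, 105: 4_000}

if __name__ == "__main__":
    for h in (100, 103, 108):
        print(h, block_interval(h, ANCHORS))
    print("header time outside interval:", out_of_interval(HEADER_TIMES, ANCHORS))
```

The check relies on the total order of blocks, which is why the same derivation does not carry over to sites on different paths of a DAG.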
Cryptographic Data Structures.
Currently, most blockchain technologies such as Bitcoin and Ethereum attain their security properties in a decentralized way at the cost of highly redundant and replicated data and computation. However, storing all logged data on-chain may be impractical, expensive, or undesired (for privacy issues), and this issue calls for efficient cryptographic data structures securely binding on-chain and off-chain data that ideally fulfill the following properties: a) The data structure can produce a “digest” with a fairly small size from the ever-increasing log entries. b) From the cryptographic data structure, the log server can efficiently generate compact proofs with rich semantics (e.g., append-only proof, (non)membership of objects). c) The proofs can be verified by clients efficiently. d) The blockchain transaction model implies that any data on-chain is publicly accessible. Therefore, it is desirable if the cryptographic data structure facilitates the implementation of privacy and access control policies in the system.
V. Conclusions
We conduct a study and survey of secure logging systems based on blockchain technologies. The essential properties for secure logging systems are identified and, by concrete examples, we show how the blockchain technology is leveraged to fulfill these requirements. We also identify several deficiencies of current systems, and make an initial attempt to solve them. We signal further research that is needed to better understand and resolve these deficiencies.
References
Data Privacy Management, Cryptocurrencies and Blockchain Technology. Springer, 2018, pp. 94–110.
[4] C. Arthur, “Rogue web certificate could have been used to attack iran dissidents (august 2011),” .
[5] J. Bonneau, “Ethiks: Using ethereum to audit a coniks key transparency log,” in International Conference on Financial Cryptography and Data Security. Springer, 2016, pp. 95–105.
[6] A. Boverman, “Timejacking & bitcoin,” https://culubas.blogspot.sg/2011/05/timejacking-bitcoin_802.html, 2011.
[7] V. Buterin, “Ethereum: A next-generation smart contract and decentralized application platform, 2013,” URL http://ethereum.org/ethereum.html, 2017.
[8] M. Chase and S. Meiklejohn, “Transparency overlays and applications,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016, pp. 168–179.
[9] L. Chuat, P. Szalachowski, A. Perrig, B. Laurie, and E. Messeri, “Efficient gossip protocols for verifying the consistency of certificate logs,” arXiv preprint arXiv:1511.01514, 2015.
[10] J. Clark and A. Essex, “Commitcoin: Carbon dating commitments with bitcoin - (short paper),” in Financial Cryptography and Data Security - 16th International Conference, FC 2012, Kralendijk, Bonaire, February 27-March 2, 2012, Revised Selected Papers, 2012, pp. 390–398.
[11] A. Dmitrienko, D. Noack, and M. Yung, “Secure wallet-assisted offline bitcoin payments with double-spender revocation,” in Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. ACM, 2017.
[12] B. Dowling, F. Günther, U. Herath, and D. Stebila, “Secure logging schemes and certificate transparency,” in European Symposium on Research in Computer Security. Springer, 2016.
[13] Y. Gao and H. Nobuhara, “A decentralized trusted timestamping based on blockchains,” IEEJ Journal of Industry Applications, 2017.
[14] A. Gervais, H. Ritzdorf, G. O. Karame, and S. Capkun, “Tampering with the delivery of blocks and transactions in bitcoin,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015, pp. 692–705.
[15] J. Guarnizo and P. Szalachowski, “PDFS: practical data feed service for smart contracts,” CoRR, vol. abs/1808.06641, 2018. [Online]. Available: http://arxiv.org/abs/1808.06641
[16] C. Jämthagen and M. Hell, “Blockchain-based publishing layer for the keyless signing infrastructure,” in Ubiquitous Intelligence & Computing, Advanced and Trusted Computing, Scalable Computing and Communications, Cloud and Big Data Computing, Internet of People, and Smart World Congress (UIC/ATC/ScalCom/CBDCom/IoP/SmartWorld), 2016 Intl IEEE Conferences
arXiv preprint arXiv:1805.03870, 2018.
[20] Z. Li, “Will blockchain change the audit?” 2017.
[21] S. Matsumoto and R. M. Reischuk, “Ikp: Turning a pki around with blockchains.” IACR Cryptology ePrint Archive, vol. 2016, p. 1018, 2016.
[22] D. Mills et al., “Network time protocol,” RFC 958, M/A-COM Linkabit, Tech. Rep., 1985.
[23] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2008.
[24] L. Nordberg, “Tor consensus transparency, take two,” http://archives.seul.org/tor/dev/Feb-2016/msg00099.html, 2016.
[25] L. Nordberg, D. Gillmor, and T. Ritter, “Gossiping in ct,” Internet-Draft draft-linus-trans-gossip-ct-02, 2015.
[26] S. Popov, “The tangle,” cit. on, p. 131, 2016.
[27] H. Ritzdorf, K. Wüst, A. Gervais, G. Felley et al., “Tls-n: Non-repudiation over tls enabling ubiquitous content signing,” in Network and Distributed System Security Symposium (NDSS), 2018.
[28] P. Roberts, “Phony ssl certificates issued for google, yahoo, skype, others,” Threat Post, March, 2011.
[29] Y. Sompolinsky and A. Zohar, “Phantom: A scalable blockdag protocol,” 2018.
[30] Y. Sompolinsky, Y. Lewenberg, and A. Zohar, “Spectre: Serialization of proof-of-work events: confirming transactions via recursive elections,” 2016.
[31] Y. Sompolinsky and A. Zohar, “Secure high-rate transaction processing in bitcoin,” in International Conference on Financial Cryptography and Data Security. Springer, 2015, pp. 507–527.
[32] P. Syverson, R. Dingledine, and N. Mathewson, “Tor: The second-generation onion router,” in Usenix Security, 2004.
[33] P. Szalachowski, “Blockchain-based tls notary service,” arXiv preprint arXiv:1804.00875, 2018.
[34] P. Szalachowski, “(short paper) towards more reliable bitcoin timestamps,” in . IEEE, 2018, pp. 101–104.
[35] A. Tomescu, V. Bhupatiraju, D. Papadopoulos, C. Papamanthou, N. Triandopoulos, and S. Devadas, “Transparency logs via append-only authenticated dictionaries,” IACR Cryptology ePrint Archive, vol. 2018, p. 721, 2018. [Online]. Available: https://eprint.iacr.org/2018/721
[36] A. Tomescu and S. Devadas, “Catena: Efficient non-equivocation via bitcoin,” in . IEEE, 2017, pp. 393–409.
[37] G. Wood, “Ethereum: A secure decentralised generalised transaction ledger,” Ethereum project yellow paper, 2014.
[38] F. Zhang, E. Cecchetti, K. Croman, A. Juels, and E. Shi, “Town crier: An authenticated data feed for smart contracts,” in