DEFenD: A Secure and Privacy-Preserving Decentralized System for Freight Declaration

03/25/2018 ∙ by Daniël Vos, et al. ∙ Delft University of Technology 0

Millions of shipping containers filled with goods move around the world every day. Before such a container may enter a trade bloc, the customs agency of the goods' destination country must ensure that it does not contain illegal or mislabeled goods. Due to the high volume of containers, customs agencies make a selection of containers to audit through a risk analysis procedure. Customs agencies perform risk analysis using data sourced from a centralized system that is potentially vulnerable to manipulation and malpractice. Therefore we propose an alternative: DEFenD, a decentralized system that stores data about goods and containers in a secure and privacy-preserving manner. In our system, economic operators make claims to the network about goods they insert into or remove from containers, and encrypt these claims so that they can only be read by the destination country's customs agency. Economic operators also make unencrypted claims about containers with which they interact. Unencrypted claims can be validated by the entire network of customs agencies. Our key contribution is a data partitioning scheme and several protocols that enable such a system to utilize blockchain and its powerful validation principle, while also preserving the privacy of the involved economic operators. Using our protocol, customs agencies can improve their risk analysis and economic operators can get through customs with less delay. We also present a reference implementation built with Hyperledger Fabric and analyze to what extent our implementation meets the requirements in terms of privacy-preservation, security, scalability, and decentralization.



There are no comments yet.


page 1

page 2

page 3

page 4

Code Repositories

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

In today’s economy, many countries have specialized in producing certain goods: the Netherlands grows the most tulips, China assembles iPhones, and Honduras is the biggest producer of coffee [1]. These exports are consumed by people all over the world, so millions of containers full of goods move in and out of the world’s ports every day [2].

Before any goods may enter a trade bloc, they must be cleared by the relevant customs agency. The customs agency at the destination country of the goods taxes the goods, and attempts to prevent forbidden goods from entering their trade bloc. However, customs agencies are only able to audit on the order of 1% of incoming containers due to the high volume of containers they are processing [3]. Therefore, customs agencies must determine which small portion of the containers to examine.

To decide which containers to examine, the customs agencies estimate for each container the risk that it is carrying illegal or mislabeled goods. Customs agencies audit those containers with the highest estimated risk. This risk analysis depends heavily on the available data and its quality and reliability.

In a typical scenario, there are two types of parties involved. The economic operators move goods in and out of containers and move containers around the world. The customs agencies need reliable data on these goods and container movements for their risk analysis calculations. The economic operators create data about their goods and containers, and customs agencies consume that data. The transfer of data from economic operator to customs agency in the current system is based around a bill of lading.

A bill of lading is an aggregate of information about all the goods on a single shipment of containers coming into a port. It is created by the economic operator in charge of that shipment, and sent to the relevant customs agency at least 24 hours before the ship arrives in the port. This system has three major shortcomings:

  • The bill of lading does not tell a customs agency through which other ports a container of goods may have traveled.

  • The bill of lading is an aggregation, so it is not the original source of data.

  • The bill of lading is only required to be received 24 hours before a ship’s arrival.

These shortcomings make it more difficult for customs agencies to predict which containers must be audited.

A naive solution to this problem would be to create a central trusted authority that collects data from all economic operators from the various online locations where it is available [4]. Such a centralized system exist: ConTraffic, a “web-based geographical information system enabling interactive visualization of container movements” collects data by mining public data repositories of economic operators [5]. This centralized approach has several drawbacks. A central authority could alter the data, and could decide to exclude or mistreat specific economic operators. Therefore, such a centralized system requires trust, which cannot be expected of all economic operators and customs agencies in the world.

These security concerns raise the need for a decentralized system, in which involved parties put their trust into a system rather than an organization. This system should enable different, mutually untrusted entities to collaborate and be privacy-preserving, secure, scalable, and decentralized.

Name Maintainer Permission Consensus GitHub
Chain Chain Inc Permissioned Federated Consensus [6] chain/chain
Corda R3 Permissioned (Custom) corda/corda
Ethereum Ethereum Foundation Both Proof-of-Work [7] ethereum/go-ethereum
Hyperledger Fabric The Linux Foundation, IBM Permissioned (Custom) hyperledger/fabric
Hyperledger Iroha The Linux Foundation Permissioned Byzantine Fault Tolerance [8] hyperledger/iroha
Hyperledger Sawtooth lake The Linux Foundation, Intel Corporation Both Proof of Elapsed Time [9] hyperledger/sawtooth-core
Kadena Kadena LLC Permissioned ScalableBFT [10] (closed source)
MultiChain Coin Sciences Ltd Permissioned Practical BFT [11] multichain/multichain
OpenChain Coinprism Permissioned Partionned Consensus [12] openchain/openchain
Quorum JPMorgan Chase & Co. Permissioned Raft [13] jpmorganchase/quorum
Ripple Ripple Permissioned Ripple [14] ripple/rippled
Tendermint All In Bits, Inc. Permissioned Byzantine Fault Tolerance [8] tendermint/tendermint
TABLE I: Comparison of blockchain implementations.

We propose a decentralized system named DEFenD: a secure and privacy-preserving DEcentralized system for Freight Declaration, which enables economic operators and customs agencies to collaborate in an environment that does not require centralized trust, also when they do not have a direct business connection.

In our proposal, economic operators share data about containers and the goods within them through the network. When an economic operator inserts or removes goods from a container, they send this information to the network as an encrypted claim. This claim can only be decrypted by the customs agency at the goods’ country of destination. Whenever a container changes hands, the involved economic operators create a signed unencrypted claim specifying the involved parties, as well as when and where this happened. Any customs agency can then observe the whole history of the container in question.

While the entire network can observe the container movements, the package information is only available to the destination agency. This preserves the privacy of the economic operators. Any alterations or mismatching data about the container movements can then easily be detected, resulting in a significant increase in the detection of high-risk containers.

In this paper, to the best of our knowledge, we propose the first decentralized system for freight declaration. The mechanism currently in use is not reliable, causing significant loss in container fraud detection accuracy. Our proposal presents a secure, privacy-aware, scalable system that solves the fundamental trust problem in the container shipment industry. We present the design details of the system using available blockchain technology, and introduce the key data partitioning schema that allows for validation while preserving key privacy requirements. We believe our proposal will enable a number of customs agencies and economic operators to start collaborating in freight declaration without having to trust any one authority to keep their data secure.

The rest of the paper is organized as follows. In Section II, we present the building blocks of our system; in Section IV, we describe our proposal; in Section V we detail and analyze our system design; and finally, we conclude in Section VI.

Ii Background

A blockchain is often referred to as a “shared ledger”, which is a type of distributed database technology. Many nodes form a peer-to-peer network that maintains this shared ledger consisting of transactions. These nodes use a consensus algorithm to determine which data may be added to their copy of the shared ledger.

Nodes in a blockchain network are responsible for maintaining the data in the shared ledger. In a permissionless blockchain, such as Bitcoin [7], any internet-connected computer, capable of understanding the blockchain network’s protocol can participate in the network. In a permissioned blockchain, only select nodes may participate.

A shared ledger is a distributed append-only database present on each node. Data is added to the ledger in the form of blocks. As a new block is added to the ledger, the nodes synchronize their copies of the shared ledger by applying the consensus algorithm. In a public blockchain, anyone can read the data in the shared ledger, while in a private blockchain, all or some of the data in the shared ledger is encrypted.

Data is transmitted as transactions from one party to another. In Bitcoin, for example, a transaction consists of some amount of bitcoin being sent from one address to another [7].

The consensus algorithm determines how each node adds blocks of new transactions to its copy of the shared ledger. Examples of consensus algorithms include Byzantine Fault Tolerance replication [8] and Proof-of-Work [7] (see Table I for more consensus algorithms).

The key feature of blockchain is that it enables trust without requiring a central authority, since the truth is determined by an agreed-upon consensus algorithm. As long as the majority of a network is not collaborating to pollute the blockchain with incorrect data, its integrity is guaranteed [7].

After Bitcoin’s rapid rise in popularity in the past few years, many different blockchain implementations have emerged; Table I contains a comparison of key aspects of a selection of such blockchain implementations.

Iii Related Work

In recent years, many companies have explored blockchain projects and prototypes for their respective industries. The container shipping industry is no exception: A.P. Moller–Maersk Group (“Maersk” hereinafter) has launched a project in collaboration with EY (Ernst & Young) and Microsoft Corporation to launch a marine insurance blockchain that would help reduce the market’s inefficiencies. A prototype of the platform has been built on Microsoft Azure to “make auditing aspects of a shipping supply chain easier, to improve the tamper-resistance and sharing of data in realtime, and to enable many different parties to settle upon the terms of premiums in a more timely fashion” [15]. The platform was to be deployed in January 2018, but no further news has emerged about it.

Iv DEFenD- A Decentralized System for Freight Declaration

Field Container claims Package claims
Container ID The ISO 6346 container identification number [16]
Shipment ID Concatination of the ship’s IMO number [17] and date of departure in ISO 8601 format [18] (N/A)
Package ID (N/A) This package’s identification number, defined by the shipper
From Economic operator who has this container (N/A)
To Economic operator who receives this container (N/A)
Sender (N/A) Person / company who sends this package
Receiver (N/A) Person / company who receives this package
Time Time of claim submission in ISO [18] format
Location Longitude and latitude of the location at which the claim was made
Weight Weight of this container, in kilograms Weight of this package, in kilograms
Action (N/A) INSERT if package was inserted into container; REMOVE if it was removed”
Contents (N/A) Description of this package’s contents
TABLE II: Fields stored in container and package claims

DEFenD is a secure and privacy-preserving decentralized system for freight declaration. It is built on a blockchain consisting of a network of certified nodes managed by customs agencies and economic operators. For DEFenD, we assume that:

  1. Economic operators trust the customs agency of their own country. DEFenD must be implemented on a permissioned blockchain to ensure that only verified economic operators can submit data; the party that issues the certificates to enable this participation is the customs agency of the economic operator’s country of origin; so they must be trusted to not abuse those certificates.

  2. Customs agencies do not trust customs agencies outside their trade bloc. If there was complete trust between all customs agencies, a centralized system could be maintained by one of them; this is not the case.

  3. Packages in the system only move by shipping container. We do not consider the movement of packages by other modes of transportation.

Based upon these assumptions, we aim to achieve the following goals with DEFenD:

Iv-1 Privacy-preserving

In order to preserve the privacy of economic operators DEFenD must support visibility restrictions on the claims that economic operators post about the goods they are transporting. Most importantly, economic operators must not have the ability to read the data in each others’ claims. Furthermore, only the customs agencies that are in the trade bloc that the package is destined for should be able to read the data in the claims, since economic operators do not necessarily trust every customs agency.

Iv-2 Secure

Non-repudiation is key to the security of the system because we want to make sure an economic operator can never deny a claim they made. To achieve this DEFenD must enforce that no economic operator in the system can alter previously submitted data. Economic operators can only submit new data when they have been granted access to the system by customs agencies. Claims about containers should only be accepted as long as the economic operators that submitted them are likely interacting with the containers.

Iv-3 Scalable

DEFenD must be able to handle enough transactions to support economic operators submitting transactions at any time. To support a gradual rollout, DEFenD must be able to track containers and packages even when not all economic operators in the supply chain participate in the system.

Iv-4 Decentralized

DEFenD must be decentralized to avoid the shortcomings of a centralized system, such as the potential for a central database to be manipulated.

Iv-a Protocol Overview

procedure Validate()
      Query blockchain for latest accepted claim about
     if isCustoms(then
         accept() Start a new trusted chain
     else if  and  then
         if  and and  then If matching claim by exists in
              accept() Accept both claims
               Clear of wrong claims to save memory
         else If matching claim by does not (yet) exist in
               Add to          
         reject() Only customs agencies may create new trusted chains      
Algorithm 1 Validate container claim by operator about container , with validation pool .

To meet these goals given our assumptions, we define DEFenD with the following entities:

  • Economic operators are companies that either insert or remove packages from containers or transport containers. Economic operators submit data about the goods that they are handling to the blockchain network in the form of claims.

  • Customs agencies process these claims and attempt to reach consensus over whether or not to append submitted claims to their shared ledger.

  • Containers carry one or multiple packages of goods in them, and are identified by a container number that is specified according to the ISO 6346 standard [16].

  • Packages are identified by the combination of container number, time and a number identifying them inside the container.

  • Data that is submitted to the blockchain network about containers or packages are referred to as container claims and package claims. Claims are data objects that are signed by an economic operator.

The DEFenD protocol consists of the following three sub-protocols:

  1. The claim submission protocol (Section IV-B) specifies how economic operators submit data to the blockchain. It is run on nodes belonging to economic operators.

  2. The container claim validation protocol (Section IV-C) determines whether data submitted by economic operators is valid and should be added to the shared ledger. It is run on nodes belonging to customs agencies.

  3. The economic operator certification protocol (Section IV-D) lets customs agencies allow or revoke access to economic operator in the blockchain network. The certification protocol is run on nodes belonging to customs agencies.

We describe each sub-protocol in detail in the following sections.

(a) Trusted chain of transactions accepted by the validation algorithm.

(b) Chain of transactions with a new claim waiting for a match in the validation pool.

(c) Trusted chain of transactions accepted by the validation algorithm with a new transaction of two claims appended.
Fig. 1: Chains of transactions submitted by economic operators, same colors refer to the same transaction but made by different parties. a b c shows the process of adding a new transaction to the chain.

Iv-B Claim Submission Protocol

Economic operators submit container claims and package claims to the network. Container claims tell customs agencies how containers are moving around the world, and package claims tell customs agencies what packages of goods are inside these containers. The data fields in each of these types of claims are described in Table II. We depict a container claim as , where is the economic operator that hands container to economic operator . is the signer of this claim and must be the same as either or . In the case that the next operator does not participate in the system, an economic operator should claim . Then, When an operator that participates in the system receives again, should claim . Before claims are appended to the shared ledger, customs agencies will run the validation protocol on claims. Package claims must be encrypted using the public key of the destination’s customs agency before they are submitted. Economic operators also add a plain-text field to package-claims to indicate which customs agency has the private key that can be used to decrypt the claim.

Iv-C Validation Protocol

Algorithm 1 validates a submitted container claim and determines whether it should be added to the shared ledger. It first checks that the economic operator in the from part of the new claim is actually in possession of the claim. It then makes sure that both economic operators involved in the claim agree on what happened. If both of these conditions are true, the claims are added to the shared ledger.

Given a container claim , a previously accepted transaction of to , and container ’s validation pool , Algorithm 1 first queries the blockchain for the latest claim about , as shown in Figure (a)a. If exists and has been given to (which is the case in the example), then the new claim will be added to the pool of to-be-validated claims . This scenario is shown in Figure (b)b. The claim will only be accepted when is submitted as shown in Figure (c)c. Claims are not required to be submitted in the order of from-operator then to-operator, they are always added to when no matching claim is found.

If has not been given to in the previous transaction, the new claim can only be accepted if a customs agency has submitted the claim to reset the chain. This is required when operators can not confirm transactions and therefore the trusted chain is broken.

To save memory in the validation, all claims in the to-be-validated pool about container can be cleared when a claim is accepted for . Also claims that contain impossible data can be left out of the validation pool.

Iv-D Certification Protocol

When an economic operator is to be added to the network, the customs agency in its country can certify that operator. This is done by generating a digital certificate that is signed by the newly added economic operator to prove that it has the correct key. When an economic operator misbehaves, the customs agency in their country can revoke the operator’s certificate to restrict access to the blockchain. A revocation list is kept by the certificate authority, and blockchain nodes verify that claims have signatures that are generated using certificates that do not occur in the revocation list.

To add or remove customs agencies from the system, the customs agency nodes participate in a vote to reach consensus.

V System Design and Analysis

Fig. 2: System architecture for PassPort.

We present a reference implementation for DEFenD, which implements all the protocols in Sections IV-B, IV-C and IV-D. As shown in Figure 2, several nodes exist on the blockchain network. Such nodes may be customs agency nodes (e.g. nodes run by customs agencies that follow the customs agencies protocol) or economic operator nodes (e.g. nodes run by economic operators that follow the economic operator protocol). These nodes communicate with each other over gRPC111gRPC stands for “gRPC Remote Process Call.” See Each node has its own web server, which wraps its functionality in an API, with which it communicates over gRPC as well. The clients each communicate with the web server via REST over HTTP.

In the next sections, we describe each component in detail.

V-a System Design

V-A1 Blockchain

We implement the blockchain component using Hyperledger Fabric [19]. We compare several blockchain implementations in Table I. Hyperledger Fabric is ideal for our protocol since it offers a private permissioned blockchain that supports at least 1,000 transactions per second (see Section V-B) and allows for a pluggable custom consensus algorithm.

V-A2 Client-Server Interaction

For customs agencies and economic operators to interact with their peers in the blockchain network we implement a web server that wraps networking complexity in a RESTful API. The server receives API calls from two GUIs: One for economic operators and one for customs agencies. The customs agencies get an overview of shipments and containers, along with their estimated risk level. The GUI for economic operators mainly comprises of forms that are used to submit claims.

V-B Analysis

In Section IV we have put forward some goals for DEFenD that we have addressed in our implementation. We now evaluate DEFenD in regards to these requirements.

V-B1 Privacy-preserving

Since package data is encrypted using asymmetric encryption, only entities that have access to the private key can read the data. In the case of our protocol only the customs agency that will receive a package in their port has access to that private key. This means that economic operators can never read package data from others, only customs agencies that they will definitely interact with can.

V-B2 Secure

To ensure that economic operators can only submit claims if they have been granted access to the blockchain network, customs agencies run a certificate authority node, which grants the economic operators a key, which is part of their certificate, that they can use to sign their claims. Nodes in the system will immediately reject claims that are signed by revoked certificates.

We also introduce a protocol that ensures that economic operators can only make claims about containers they likely interacted with; economic operators’ claims are in fact transactions. Economic operator can therefore only make a claim about container if there is another economic operator that made a claim saying, provided with , and thus confirms ’s claim.

V-B3 Scalable

Because economic operators must have the ability to make claims to other economic operators that are not part of the system we introduce an operator that represents a hole in the system. This means that containers can leave and reenter the system.

For a scalable system we must support sufficient throughput. We determine the amount of transactions that DEFenD must support as follows. As of 2012, there are approximately 32.9 million TEU222Twenty-foot Equivalent Unit, a standard shipping container size shipping containers globally [20] (order of magnitude: ). Because a single voyage takes days or weeks to complete, we generously estimate that a single container may ‘switch hands’ up to times per year. Each time a container ‘switches hands’, this requires a transaction. We estimate the amount of containers switching hands per second in Equation 1:


The only nodes that participate in the consensus algorithm are customs agencies, in the World Customs Organization 182 countries are included[21]. In practice, however, countries have formed customs unions reducing the need for every country to run their own node. Currently shipping is dominated by trade between 24 customs unions[22]. Therefore the system must be able to support a maximum of approximately 24 nodes.

Our system must also consider what goods go into containers. If containers have a Full Container Load (FCL), this is one ‘package’ per container per trip, but they have a Less than Container Load (LCL), this means multiple ‘packages’ per container per trip.

So DEFenD must have a throughput of at least transactions per second and be able to support around 24 nodes. Hyperledger Fabric has been shown to support this throughput in recent benchmarks and currently supports up to 16 nodes[23]. With the release of Hyperledger Fabric version 1.1 a promise for higher scalability and performance have been made[24].

V-B4 Decentralized

Our implementation is decentralized as it uses a blockchain framework that runs on multiple nodes, it ensures that no single party controls the data in the system. By doing so, we remove trust that is required between parties.

Vi Conclusion

The shipping industry is responsible for the movement of millions of containers every day. Before these containers may enter a trade bloc, they must be cleared by the relevant customs agency. Because of the high volume of containers that must be processed each day, customs agencies perform risk analysis to decide which containers to audit. Risk analysis requires lots of data, which in the current system is potentially vulnerable to manipulation and malpractice because it is centralized and collected by a single authority.

In this work we have presented DEFenD, a secure and privacy-preserving decentralized system for freight declaration that does not require the trust between entities that is required in centralized systems. In DEFenD, economic operators make claims about the packages of goods and containers with which they interact, customs agencies validate those claims. Customs agencies and economic operators participate in a blockchain that validates this data and stores it in a secure and privacy-preserving manner. Our two key contributions are a data partitioning scheme and several protocols to enable this, and a reference implementation built on Hyperledger Fabric.

Firstly, our data partitioning scheme and protocols allow DEFenD to take advantage of the powerful validation principles enabled by blockchain, while hiding certain parts of the data to preserve the privacy of the involved economic operators. In our system, claims about the movement of containers are unencrypted, and can be validated to ensure that 1) the claim fits in the preceding chain of claims about that container and that 2) both parties involved in the claim agree on its contents. Claims about packages are encrypted so that only the customs agency at the goods’ country of destination can see them. Hiding this critical link in the data means that only the appropriate customs agency can recreate the exact path that goods took to get to their country. This knowledge can improve the customs agency’s risk analysis.

Secondly, our reference implementation built on Hyperledger Fabric shows that it is possible to implement DEFenD on a blockchain that meets our privacy-preservation, security, scalability, and decentralization requirements.

In future work, the combined container claim and package claim data provided by DEFenD could be used to further automate customs agencies’ taxation procedures.