I Introduction and Background
Secure Logging. Logging is indispensable for many secure IT systems. While there is no unanimous agreement on the definition of a secure logging system, it can be regarded as a database system which securely keeps track of records for security-critical data. A secure logging scheme has a wide range of applications. It can be a stand-alone system or an integral part of a larger system.
An event logging system is one traditional application of secure logging. It records system events of forensic value in a protected database. Such logging systems are security-critical regular targets of sophisticated attackers trying to eliminate their footprints. Therefore, it is important to prevent unauthorized modifications and deletions of the log entries. Timestamping service is an infrastructure used to prove the existence of certain digital data prior to a specific point in time. It is important to guarantee the accuracy and validity of the timing information of data and events, since its defect may have significant security and financial implications. Therefore, the accuracy and immutability of the timestamps are essential.
The security of many systems today is bootstrapped from securely obtaining some specific authoritative information. For example, a PKI is meaningless if the users relying on it cannot obtain the correct certificates in the first place [4, 28]. Another example are trusted directory servers , which when attacked can compromise properties of a relying infrastructure . To address these issues, transparency logs [18, 12, 8, 35] have been proposed, which are services securely maintaining a list or dictionary of objects. To prevent malicious entries from being inserted into the log without being noticed, the dictionary should be append-only. Moreover, participants should have a singleton view of the dictionary, i.e., the log should not be able to equivocate – this usually requires a gossip protocol to be deployed [9, 25].
Desired Properties. From the example applications presented, we can extract a list of desired properties:
Availability: The logger can log artifacts without significant delays. For clients relying on the log server, all logged artifacts and events can be accessed. Authenticity: It should be verifiable who has created or submitted the logged artifacts. Immutability: Once an artifact has been logged, it cannot be altered or removed without being noticed. Non-equivocation: All system participants should have a unified view of the logs. The log server cannot present different views of the log for different users. Freshness: Some applications may demand the freshness property, which allows to order the logged artifacts (weak freshness) or even to determine the exact time of them up to certain precision (strong freshness).
Blockchain and Secure Logging. Blockchain technologies, like Bitcoin  and Ethereum , are successful beyond all expectations. This success is mainly driven by their properties: consensus: all parties can (eventually) agree on the current state of the system, transparency: all transactions (of all participants) are visible to anyone, irreversibility: blockchains have the append-only property which implies that whenever a transaction is appended to a blockchain it cannot be retrospectively modified or removed, decentralization and openness: everyone can participate in the system, and no centralized entity authorizes participants or their transactions, availability: the infrastructure is robust as it can tolerate a large fraction of faulty participants. Due to these properties, the blockchain technology enables novel applications like cryptocurrencies and smart contracts. Even now, shortly after their advents, these systems are successful and as a consequence of this success developers and researchers try to reuse blockchain infrastructures to build new or enhance existing systems.
A secure logging service based on decentralized blockchain technology could have great potential and could be deployed by multiple existing applications and used for empowering novel ones. In fact, there are proposals that try to use blockchain as a logging-related service. For instance, blockchain-based timestamping , trusted record-keeping service , decentralized audit systems , document signing infrastructures , timestamped commitments , or secure off-line payment systems . Another line of research in this area is to design transparency schemes based on blockchain technologies, such as key transparency , certificate transparency [21, 33], binary transparency , or log transparency . Other related work includes providing legacy content (e.g., web content) to smart contracts [38, 27, 15].
However, there are many challenges associated with designing and deploying such systems. In this work, we study these systems, their logging-relevant properties, show their limitations, and research opportunities.
Ii Selected Blockchain Platforms
|tx arrival||public-key||publicly||data||timestamp||data size||data|
|Bitcoin||10 min||yes||yes||chain||2 h||220 Bytes||OP_RETURN|
|Ethereum||15 sec||yes||yes||chain||15 s||780 KBytes||smart contract|
|IOTA||net. latency||yes||yes||DAG||1.27 KBytes||message|
Note that, in IOTA, there is no validity check of the timestamp; thus it can be arbitrary and we use to represent it.
Bitcoin. Bitcoin  is the first and largest cryptocurrency and due to its open, distributed, decentralized nature, and use of public-key cryptography, it offers (transaction) authenticity and a certain degree of availability. The Bitcoin network maintains a distributed and replicated ledger (i.e., blockchain) – an append-only linked list of blocks (containing transactions). Since the system is permissionless, any participant can vote her own view of the current state by trying to append new blocks to the blockchain. To combat Sybil attacks and reach an agreement on the system state across the network, Bitcoin employs the Nakamoto consensus where a solution of a computational puzzle, serving as a Proof-of-Work (PoW) must be presented to append a new block to the blockchain. An incentive structure is embedded in the protocol to encourage participants constantly competing to put their own blocks onto the blockchain.
The global ledger is append-only, and once a block is stable in the blockchain, its data cannot be retrospectively modified or removed without significant computational resources. Moreover, the whole network has a unified view of the blockchain. These properties lead to a natural way to build a secure logging system providing the non-equivocation property, where we can record the log statements on the blockchain. This can be done by sending special transactions in the Bitcoin network. For example, the OP_RETURN code allows adding 220 Bytes of arbitrary data to a transaction output.
Since every block of the Bitcoin blockchain has a timestamp, when recording data on the blockchain, it may be tempted to use the same timestamp for the data. In practice, timestamps can differ radically from the actual time, and they are susceptible to manipulation [14, 6, 34]. Hence, the accurate time cannot be determined and extra caution must be taken when using the Bitcoin timestamps. Bitcoin introduces the unspent transaction output (UTXO) model where new transactions can spend only UTXOs (i.e., actual coins) included in existing transactions. Bitcoin introduces light SPV clients which can interact with the blockchain without possessing and validating all blocks (they store and validate only short block headers).
Ethereum. Ethereum  is a decentralized and open replicated state machine whose state is maintained as a PoW blockchain. Ethereum keeps track of a general-purpose state which can be represented as a global dictionary comprised by key-value pairs. The state transition of Ethereum is processed by the so-called Ethereum virtual machine executing code (called smart contract) written in a Turing complete language. Ethereum introduces a native cryptocurrency called ether and the notion of gas. Ether is not only an integral part of the underlying PoW based blockchain, but also intended as a utility currency to purchase the gas that will be consumed when using the system resources. This provides economic incentives and security to the system.
Since Ethereum uses a similar consensus mechanism as Bitcoin, any secure logging systems implemented based on Bitcoin can also be realized over Ethereum, and they can achieve similar properties with respect to availability, authenticity, immutability and non-equivocation. Moreover, with Ethereum one can implement smart contracts with almost arbitrary logic. Thus, compared to Bitcoin, Ethereum is a more suitable choice if a logging service requires actions or computations to be executed automatically according to the current state and user inputs. Finally, Ethereum provides a better freshness property than Bitcoin, however, nodes of the Ethereum network rely on the NTP  servers, and therefore their timestamps are generated in a centralized way to some extent.
IOTA. There are multiple proposals aiming to improve the efficiency of blockchain-based systems by deploying directed acyclic graph (DAG) instead [26, 30, 29, 31, 19]. IOTA  is a permissionless distributed ledger where transactions are stored in a data structure whose logical topology forms a DAG. This design aspires to resolve some inherent scalability issues of chain style blockchain and positions itself as suitable for IoT applications.
In the IOTA terminology, the tangle is the data structure storing the distributed ledger, whose vertices are called sites. Each site contains one transaction issued by the IOTA user network. To be permanently attached to the tangle and become one site, a transaction must directly approve two existing transactions (sites) in the tangle. If there is a path from site to site , we say that site is indirectly approved by site . The genesis site is directly or indirectly approved by all sites (excluding itself) in the tangle. The tips are those sites that have not been approved by any site. Consequently, the chronological order of two sites cannot be determined unless there is a path connecting them. Thus even the weak freshness on different paths cannot be determined. In IOTA, anyone can issue a data transaction with arbitrary content of about 1.27 KBytes. Though each transaction has a timestamp field, it is not verified when the transaction is added to the IOTA network which means this timestamp can be any time with the correct format. Therefore, it is challenging to build time-sensitive logging systems relying only upon IOTA. Currently, the security of the IOTA network is ensured by an entity called coordinator who verifies all transactions, that is, a transaction cannot be a part of the tangle without the coordinator’s approval. Consequently, the community calls into question the (de)centralization nature of IOTA, and we do not find any convincing response from the IOTA Foundation.
Iii Selected Blockchain-based Logging Systems
Namecoin. Namecoin is a decentralized key-value pairing log system based on a Bitcoin hard fork  preserving its main properties. Namecoin achieves human-readability, strong ownership and decentralization for a naming log system while no previous systems can provide both these three properties. In Namecoin, a user registers a key-value record on the blockchain by issuing a special transaction containing the record. Once this transaction is included in the blockchain, the record creation operation is done. This record and owner address will be seen by every node in the blockchain network. For updating the record, the owner issues a transaction containing the updated information. The initial motivation for Namecoin was to create an alternative to DNS. The latency of creating and updating records is capped by the Bitcoin’s consensus protocol, and its average time is 60 minutes. The authentication property is achieved by a pseud-anonymous address as its identity. For freshness, Namecoin can prove the order of the name-value records. However, the exact time of a record cannot be guaranteed.
Commitcoin. Commitcoin  is a timestamped commitment scheme based on Bitcoin. When the commitment is opened, anyone can be convinced that the commitment was made before a certain time. Assume that Alice is a Bitcoin user with a key pair who wants to make a commitment of message . Alice first computes the commitment of the message with random number , and then derives a new key pair with the private key . Then Alice signs a Bitcoin transaction which sends 2 bitcoins from to with secret key and randomness , producing signature . Alice signs another transaction which send bitcoin from to with secret key and randomness , producing signature . The signed transactions are broadcast to the Bitcoin network to be included in the public blockchain, which proves that Alice knows the corresponding private keys of and . Alice can make the commitment publicly available by signing a transaction which returns the remaining 1 bitcoin from back to with secret key and previously used randomness and broadcasting the resulting signature to the Bitcoin network. Note that this operation effectively leaks to the public since the same key and randomness are used to generate the signatures and . Finally, Alice can open the commitment by announcing , and the timestamp of the block containing indicates a rough time at which the commitment was created. The accuracy of commitment timestamps depends on Bitcoin timestamps.
Catena. Catena  is an efficient non-equivocation scheme built on top of Bitcoin. A Catena log is bootstrapped by issuing an initial transaction to the Bitcoin blockchain called the genesis transaction. To issue the first statement in the log associated with a genesis transaction, Catena commits the statement via an OP_RETURN transaction whose input is the UTXO of the genesis block. Similarly, any subsequent log statement is embedded in an OP_RETURN transaction that spends the UTXO of , creating a chain of transactions with log statements rooted at the genesis transaction. The statements are verified against the genesis block. The resistance against equivocation is as strong as that of Bitcoin, since inconsistent statement chains imply a double spending at some point of the chain. Catena is an example of an application inheriting the security of the underlying blockchain.
Contour. Contour  presents a proactive mechanism for binary transparency. Contour is built on top of the Bitcoin blockchain. Whenever the authority wants to issue a package, it incorporates the hash value of each binary as a leaf of a Merkle tree with root . Once the Merkle tree reaches a threshold size, the authority issues a blockchain transaction in which is embedded as one of the output by using OP_RETURN. Like in Catena , every such transaction must spend a previous transaction output that is spent by the authority. When a client requests a software updating, accompanying with the requested binary, two inclusion proofs which assert the binary has been added in the log and is thus accessible to the monitor are sent to the auditor. The proofs convince the auditor that a) the relevant binary is included in the Merkle tree represented by and b) the transaction is included in the block. The authority cannot mutate nor equivocate a published binary as long as the Bitcoin platform is secure.
Data Feed for Smart Contracts. Data feeds for smart contract make off-chain data available for on-chain smart-contract-based applications. Town Crier  relies on a trusted execution environment (TEE) to implement a service which contacts a content provider, verifies and parses its data, and provides it to a smart contract on demand. It does not involve the content provider in the protocol, however, it requires trust in the TEE platform used. TLS-N  provides a transport-layer approach, where content providers can provide non-repudiation for their application-layer data (e.g., HTTP). It is a more general solution, however, it requires low-level protocol changes and content providers must deploy the protocol. PDFS  is an application-layer solution giving content providers smart contracts used to verify the authenticity of their published content. In PDFS, off-chain data is obtained from a content provider’s website and its identity is authenticated by a TLS certificate. The scheme provides a payment framework, non-equivocation, and censorship evidence for content providers but it requires them to deploy (only application-level changes are required).
Iv Research Perspectives and Challenges
Reliable Timestamps. Bitcoin timestamps may be inaccurate. Thus, it is a valuable research topic to investigate how to enhance the Bitcoin protocol with existing trusted timestamping services, which can provide evidence that a block is created within a sharper time interval. One possible solution is that we can combine the timestamp protocol  with the blockchain platforms as previously presented . The main idea is that one can issue transactions with timestamp authority’s timestamped and signed messages containing references to known blocks of the blockchain. Then the time interval in which a given block between two blocks containing timestamped messages can be derived according to the order of the blocks. That is, we insert anchor points with more accurate timing information into the blockchain. A similar idea can be applied to DAG-based systems like IOTA. One can insert anchor points with reliable timing information and pointers to existing sites. However, this approach requires not only anchor points but also weak freshness, which is not provided by IOTA. Consequently, to what extent we can improve the freshness property of IOTA is probabilistic in nature which deserves further investigation.
Cryptographic Data Structures. Currently, most blockchain technologies such as Bitcoin and Ethereum attain their security properties in a decentralized way at the cost of highly redundant and replicated data and computation. However, storing all logged data on-chain may be impractical, expensive, or undesired (for privacy issues), and this issue calls for efficient cryptographic data structures securely binding on-chain and off-chain data that ideally fulfill the following properties: a) the data structure can produce a “digest” with a fairly small size from the ever-increasing log entries. b) From the cryptographic data structure, the log server can efficiently generate compact proofs with rich semantics (e.g., append-only proof, (non)membership of objects). c) The proofs can be verified by clients efficiently. d) The blockchain transaction model implies that any data on-chain is publicly accessible. Therefore, it is desirable if the cryptographic data structure facilitates the implementation of privacy and access control policies in the system.
We conduct a study and survey of secure logging systems based on blockchain technologies. The essential properties for secure logging systems are identified and by concrete examples, we show how the blockchain technology is leveraged to fulfill these requirements. We also identify several deficiencies of current systems, and make an initial attempt to solve them. We signal further research that is needed to better understand and resolve these deficiencies.
-  “Open timestamps,” https://opentimestamps.org/, 2018.
-  C. Adams, P. Cain, D. Pinkas, and R. Zuccherato, “Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP),” RFC 3161 (Proposed Standard), Internet Engineering Task Force, 2001, updated by RFC 5816. [Online]. Available: http://www.ietf.org/rfc/rfc3161.txt
-  M. Al-Bassam and S. Meiklejohn, “Contour: A practical system for binary transparency,” in Data Privacy Management, Cryptocurrencies and Blockchain Technology. Springer, 2018, pp. 94–110.
-  C. Arthur, “Rogue web certificate could have been used to attack iran dissidents (august 2011),” URL: http://www. guardian. co. uk/technology/2011/aug/30/faked-web-certificate-iran-dissidents.
-  J. Bonneau, “Ethiks: Using ethereum to audit a coniks key transparency log,” in International Conference on Financial Cryptography and Data Security. Springer, 2016, pp. 95–105.
-  A. Boverman, “Timejacking & bitcoin,” https://culubas.blogspot.sg/2011/05/timejacking-bitcoin_802.html, 2011.
-  V. Buterin, “Ethereum: A next-generation smart contract and decentralized application platform, 2013,” URL http://ethereum. org/ethereum. html, 2017.
-  M. Chase and S. Meiklejohn, “Transparency overlays and applications,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016, pp. 168–179.
-  L. Chuat, P. Szalachowski, A. Perrig, B. Laurie, and E. Messeri, “Efficient gossip protocols for verifying the consistency of certificate logs,” arXiv preprint arXiv:1511.01514, 2015.
-  J. Clark and A. Essex, “Commitcoin: Carbon dating commitments with bitcoin - (short paper),” in Financial Cryptography and Data Security - 16th International Conference, FC 2012, Kralendijk, Bonaire, Februray 27-March 2, 2012, Revised Selected Papers, 2012, pp. 390–398.
-  A. Dmitrienko, D. Noack, and M. Yung, “Secure wallet-assisted offline bitcoin payments with double-spender revocation,” in Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. ACM, 2017.
-  B. Dowling, F. Günther, U. Herath, and D. Stebila, “Secure logging schemes and certificate transparency,” in European Symposium on Research in Computer Security. Springer, 2016.
-  Y. Gao and H. Nobuhara, “A decentralized trusted timestamping based on blockchains,” IEEJ Journal of Industry Applications, 2017.
-  A. Gervais, H. Ritzdorf, G. O. Karame, and S. Capkun, “Tampering with the delivery of blocks and transactions in bitcoin,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015, pp. 692–705.
-  J. Guarnizo and P. Szalachowski, “PDFS: practical data feed service for smart contracts,” CoRR, vol. abs/1808.06641, 2018. [Online]. Available: http://arxiv.org/abs/1808.06641
-  C. Jämthagen and M. Hell, “Blockchain-based publishing layer for the keyless signing infrastructure,” in Ubiquitous Intelligence & Computing, Advanced and Trusted Computing, Scalable Computing and Communications, Cloud and Big Data Computing, Internet of People, and Smart World Congress (UIC/ATC/ScalCom/CBDCom/IoP/SmartWorld), 2016 Intl IEEE Conferences. IEEE, 2016.
-  Keybase.io, “Namecoin,” https://www.namecoin.org/., Accessed: 2016-05-15.
-  B. Laurie, A. Langley, and E. Kasper, “Certificate transparency,” Tech. Rep., 2013.
-  C. Li, P. Li, W. Xu, F. Long, and A. C.-c. Yao, “Scaling nakamoto consensus to thousands of transactions per second,” arXiv preprint arXiv:1805.03870, 2018.
-  Z. Li, “Will blockchain change the audit?” 2017.
-  S. Matsumoto and R. M. Reischuk, “Ikp: Turning a pki around with blockchains.” IACR Cryptology ePrint Archive, vol. 2016, p. 1018, 2016.
-  D. Mills et al., “Network time protocol,” RFC 958, M/A-COM Linkabit, Tech. Rep., 1985.
-  S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2008.
-  L. Nordberg, “Tor consensus transparency, take two,” http://archives:seul:org/tor/dev/Feb-2016/msg00099:html, 2016.
-  L. Nordberg, D. Gillmor, and T. Ritter, “Gossiping in ct,” Internet-Draft draft-linus-trans-gossip-ct-02, 2015.
-  S. Popov, “The tangle,” cit. on, p. 131, 2016.
-  H. Ritzdorf, K. Wüst, A. Gervais, G. Felley et al., “Tls-n: Non-repudiation over tls enabling ubiquitous content signing,” in Network and Distributed System Security Symposium (NDSS), 2018.
-  P. Roberts, “Phony ssl certificates issued for google, yahoo, skype, others,” Threat Post, March, 2011.
-  Y. Sompolinsky and A. Zohar, “Phantom: A scalable blockdag protocol,” 2018.
-  Y. Sompolinsky, Y. Lewenberg, and A. Zohar, “Spectre: Serialization of proof-of-work events: confirming transactions via recursive elections,” 2016.
-  Y. Sompolinsky and A. Zohar, “Secure high-rate transaction processing in bitcoin,” in International Conference on Financial Cryptography and Data Security. Springer, 2015, pp. 507–527.
-  P. Syverson, R. Dingledine, and N. Mathewson, “Tor: The secondgeneration onion router,” in Usenix Security, 2004.
-  P. Szalachowski, “Blockchain-based tls notary service,” arXiv preprint arXiv:1804.00875, 2018.
-  ——, “(short paper) towards more reliable bitcoin timestamps,” in 2018 Crypto Valley Conference on Blockchain Technology (CVCBT). IEEE, 2018, pp. 101–104.
-  A. Tomescu, V. Bhupatiraju, D. Papadopoulos, C. Papamanthou, N. Triandopoulos, and S. Devadas, “Transparency logs via append-only authenticated dictionaries,” IACR Cryptology ePrint Archive, vol. 2018, p. 721, 2018. [Online]. Available: https://eprint.iacr.org/2018/721
-  A. Tomescu and S. Devadas, “Catena: Efficient non-equivocation via bitcoin,” in 2017 38th IEEE Symposium on Security and Privacy (SP). IEEE, 2017, pp. 393–409.
-  G. Wood, “Ethereum: A secure decentralised generalised transaction ledger,” Ethereum project yellow paper, 2014.
-  F. Zhang, E. Cecchetti, K. Croman, A. Juels, and E. Shi, “Town crier: An authenticated data feed for smart contracts,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016, 2016, pp. 270–282.