Chalima Dimitra Nassar Kyriakidou,,George C. Polyzos,

DOI: https://doi.org/10.18178/ijbta.2024.2.1.16-24

2024-01-01

Abstract:The shift from centralized identity systems to decentralized alternatives is becoming more imminent. Users are increasingly encouraged to embrace the principles of Self-Sovereign Identity (SSI), relying on two key components, Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), to regain total ownership and control over their identity and data, as well as how and to whom they are shared. This emphasizes a pressing need for VC wallet solutions that are not only user-friendly, but also uncompromisingly secure. In this paper, we introduce VC-Vault, an innovative wallet application that incorporates the principles of SSI and conforms to the European Blockchain Services Infrastructure (EBSI) standards. VC-Vault operates across both desktop and mobile platforms, delivering a coherent and effortless user experience. By establishing seamless integration with EBSI services, SSI principles, and VCs, VC-Vault places the control of digital identity and credentials firmly in the discretion of users.

Daniele Friolo,Geoffrey Goodell,Dann Toliver,Hazem Danny Nakib

2024-10-14

Abstract:This article builds upon the protocol for digital transfers described by Goodell, Toliver, and Nakib, which combines privacy by design for consumers with strong compliance enforcement for recipients of payments and self-validating assets that carry their own verifiable provenance information. We extend the protocol to allow for the verification that reissued assets were created in accordance with rules prohibiting the creation of new assets by anyone but the issuer, without exposing information about the circumstances in which the assets were created that could be used to identify the payer. The modified protocol combines an audit log with zero-knowledge proofs, so that a consumer spending an asset can demonstrate that there exists a valid entry on the audit log that is associated with the asset, without specifying which entry it is. This property is important as a means to allow money to be reissued within the system without the involvement of system operators within the zone of control of the original issuer. Additionally, we identify a key property of privacy-respecting electronic payments, wherein the payer is not required to retain secrets arising from one transaction until the following transaction, and argue that this property is essential to framing security requirements for storage of digital assets and the risk of blackmail or coercion as a way to exfiltrate information about payment history. We claim that the design of our protocol strongly protects the anonymity of payers with respect to their payment transactions, while preventing the creation of assets by any party other than the original issuer without destroying assets of equal value.

Cryptography and Security,Computers and Society

Jagger Bellagarda,Adnan M. Abu-Mahfouz

DOI: https://doi.org/10.3390/math10213934

IF: 2.4

2022-10-24

Mathematics

Abstract:As of 2022, non-fungible tokens, or NFTs, the smart contract powered tokens that represent ownership in a specific digital asset, have become a popular investment vehicle. In 2021, NFT trading reached USD 17.6 billion and entered mainstream media with several celebrities and major companies launching tokens within the space. The rapid rise in popularity of NFTs has brought with it a number of risks and concerns, two of which will be discussed and addressed in this technical paper. Data storage of the underlying digital asset connected to an NFT is held off-chain in most cases and is therefore out of the NFT holders' control. This issue will be discussed and addressed using a theoretical workflow developed and presented for a system that converges NFTs and verifiable credentials with the aim of storing underlying NFT digital assets in a decentralized manner. The second issue focuses on the rise of NFT infringements and fraud within the overall NFT space. This will be discussed and addressed through the development of a practical application, named "Connect2NFT". The main functionality of this practical application will enable users to connect their Twitter social media accounts to the NFTs they own, thus ensuring that potential buyers or viewers of the NFT can comprehensively conclude who is the authentic owner of a specific NFT. An individual performance analysis of the proposed solution will be conducted in addition to being compared and evaluated against similar applications. Thorough development, implementation, and testing has been performed in order to establish a practical solution that can be tested and applied to current NFT use cases. The theoretical NFT storage solution is a minor but equally important contribution in comparison.

mathematics

Zeshun Shi,Jeroen Bergers,Ken Korsmit,Zhiming Zhao

DOI: https://doi.org/10.48550/arXiv.2207.00370

2022-07-01

Cryptography and Security

Abstract:Data tampering is often considered a severe problem in industrial applications as it can lead to inaccurate financial reports or even a corporate security crisis. A correct representation of data is essential for companies' core business processes and is demanded by investors and customers. Traditional data audits are performed through third-party auditing services; however, these services are expensive and can be untrustworthy in some cases. Blockchain and smart contracts provide a decentralized mechanism to achieve secure and trustworthy data integrity verification; however, existing solutions present challenges in terms of scalability, privacy protection, and compliance with data regulations. In this paper, we propose the AUtomated and Decentralized InTegrity vErification Model (AUDITEM) to assist business stakeholders in verifying data integrity in a trustworthy and automated manner. To address the challenges in existing integrity verification processes, our model uses carefully designed smart contracts and a distributed file system to store integrity verification attributes and uses blockchain to enhance the authenticity of data certificates. A sub-module called Data Integrity Verification Tool (DIVT) is also developed to support easy-to-use interfaces and customizable verification operations. This paper presents a detailed implementation and designs experiments to verify the proposed model. The experimental and analytical results demonstrate that our model is feasible and efficient to meet various business requirements for data integrity verification.

Qianwen Wei,Shujun Li,Wei Li,Hong Li,Mingsheng Wang

DOI: https://doi.org/10.1007/978-3-030-23597-0_29

2019-01-01

Abstract:In Bitcoin, the knowledge of private key equals to the ownership of bitcoin, which occurs two problems: the first problem is that the private key must be kept properly, and the second one is that once the private key is given, it can't be taken back, hence the bitcoin system can only implement the transfer function. In this paper, we first propose a new digital signature algorithm and use it to design an online wallet, which can help the user derive the signature without obtaining the user's private key. Secondly, using our proposed online wallet, we extend the application of private key so that the cryptocurrency system can implement the authorization function. In more detail, we define a new primitive that we call decentralized hierarchical authorized payment scheme (DHAP scheme). We next propose a concrete instantiation and prove its correctness. Finally, we analyze the security and usability of our scheme. For security, we prove our scheme to be secure under the random oracle model. For usability, we examine its performance and compare it with bitcoin's performance.

Tianle Sun,Ningyu He,Jiang Xiao,Yinliang Yue,Xiapu Luo,Haoyu Wang

2024-05-31

Abstract:In Ethereum, the practice of verifying the validity of the passed addresses is a common practice, which is a crucial step to ensure the secure execution of smart contracts. Vulnerabilities in the process of address verification can lead to great security issues, and anecdotal evidence has been reported by our community. However, this type of vulnerability has not been well studied. To fill the void, in this paper, we aim to characterize and detect this kind of emerging vulnerability. We design and implement AVVERIFIER, a lightweight taint analyzer based on static EVM opcode simulation. Its three-phase detector can progressively rule out false positives and false negatives based on the intrinsic characteristics. Upon a well-established and unbiased benchmark, AVVERIFIER can improve efficiency 2 to 5 times than the SOTA while maintaining a 94.3% precision and 100% recall. After a large-scale evaluation of over 5 million Ethereum smart contracts, we have identified 812 vulnerable smart contracts that were undisclosed by our community before this work, and 348 open source smart contracts were further verified, whose largest total value locked is over $11.2 billion. We further deploy AVVERIFIER as a real-time detector on Ethereum and Binance Smart Chain, and the results suggest that AVVERIFIER can raise timely warnings once contracts are deployed.

Cryptography and Security,Software Engineering

Thomas Hardjono,Alexander Lipton,Alex Pentland

DOI: https://doi.org/10.48550/arXiv.2005.14689

2020-05-29

Cryptography and Security

Abstract:The emerging virtual asset service providers (VASP) industry currently faces a number of challenges related to the Travel Rule, notably pertaining to customer personal information, account number and cryptographic key information. VASPs will be handling virtual assets of different forms, where each may be bound to different private-public key pairs on the blockchain. As such, VASPs also face the additional problem of the management of its own keys and the management of customer keys that may reside in a customer wallet. The use of attestation technologies as applied to wallet systems may provide VASPs with suitable evidence relevant to the Travel Rule regarding cryptographic key information and their operational state. Additionally, wallet attestations may provide crypto-asset insurers with strong evidence regarding the key management aspects of a wallet device, thereby providing the insurance industry with measurable levels of assurance that can become the basis for insurers to perform risk assessment on crypto-assets bound to keys in wallets, both enterprise-grade wallets and consumer-grade wallets.

Thomas Hardjono

DOI: https://doi.org/10.48550/arXiv.2102.12473

2021-02-24

Cryptography and Security

Abstract:In this paper we focus on one part of the trust infrastructures needed for the future virtual assets industry, namely the attestation infrastructure related to key management in private wallet systems. Our focus is on regulated private wallets utilizing trusted hardware, and the capability of the wallet to yield attestation evidence suitable to address requirements in several use-cases, such as asset insurance and regulatory compliance. We argue that attestation services will be needed as a core part of the key management lifecycle for private wallets in true decentralized systems.

Chien-Ming Chen,Qingkai Miao,Saru Kumari,Muhammad Khurram Khan,Joel J. P. C. Rodrigues

DOI: https://doi.org/10.1109/jiot.2024.3360280

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The Internet of Vehicles (IoV) integrates wireless, mobile networking, cloud infrastructure, IoT, and wireless sensor networks, establishing an intelligent transportation system. While electric vehicles (EVs) contribute to environmental sustainability, they encounter challenges; battery-swapping technology emerges as a viable solution. Nevertheless, concerns arise regarding data security, privacy, and potential single points of failure. To address these issues, we propose a privacy-preserving authentication protocol based on intelligent blockchain. This protocol ensures the security and reliability of data storage and transaction verification processes, simultaneously upholding privacy, including user anonymity and untraceability. Additionally, leveraging the decentralized nature of intelligent blockchain, each participating node retains a copy of the data and verifies it through consensus algorithms to ensure its integrity and credibility. Verification using the Real-Oracle Random (ROR) model demonstrates both effectiveness and security, with informal analysis confirming resilience against known attacks. Comparative analysis underscores the proposed protocol’s security and performance advantages, placing emphasis on its reliability.

computer science, information systems,telecommunications,engineering, electrical & electronic

Haya R. Hasan,Khaled Salah,Ammar Battah,Mohammad Madine,Ibrar Yaqoob,Raja Jayaraman,Mohammed Omar

DOI: https://doi.org/10.1109/access.2022.3192388

IF: 3.9

2022-07-30

IEEE Access

Abstract:Non-Fungible Tokens (NFTs) have recently received immense popularity in the digital art industry. An NFT represents ownership of a unique item that is stored on the blockchain and cannot be changed, replaced, and copied. The current NFT ecosystem falls short in trust features and is prone to illegitimate users, threats, and vulnerabilities. In this paper, we propose a blockchain-based solution for the NFT ecosystem that incorporates registration of the participating actors, involves a decentralized reputation system, provides incentives to its users through rewards, and penalizes misconduct. Our system design is built to ensure trust and credibility in the NFT ecosystem. The proposed solution leverages blockchain's intrinsic security features such as transparency, tamper-proof logs, data integrity, accountability, and non-repudiation. We use the decentralized storage of the InterPlanetary File System (IPFS) to store the NFTs' metadata, whereas their hash is stored on the chain. We present algorithms along with their implementation, testing, and validation details. We demonstrate how our solution, as well as smart contract code, is secure enough against common security threats and attacks. We make our smart contract code publicly available on the GitHub repository.

computer science, information systems,telecommunications,engineering, electrical & electronic

Swapna Krishnakumar Radha,Andrey Kuehlkamp,Jarek Nabrzyski

DOI: https://doi.org/10.5121/csit.2024.141910

2024-12-02

Abstract:Attestation of documents like legal papers, professional qualifications, medical records, and commercial documents is crucial in global transactions, ensuring their authenticity, integrity, and trustworthiness. Companies expanding operations internationally need to submit attested financial statements and incorporation documents to foreign governments or business partners to prove their businesses and operations' authenticity, legal validity, and regulatory compliance. Attestation also plays a critical role in education, overseas employment, and authentication of legal documents such as testaments and medical records. The traditional attestation process is plagued by several challenges, including time-consuming procedures, the circulation of counterfeit documents, and concerns over data privacy in the attested records. The COVID-19 pandemic brought into light another challenge: ensuring physical presence for attestation, which caused a significant delay in the attestation process. Traditional methods also lack real-time tracking capabilities for attesting entities and requesters. This paper aims to propose a new strategy using decentralized technologies such as blockchain and self-sovereign identity to overcome the identified hurdles and provide an efficient, secure, and user-friendly attestation ecosystem.

Cryptography and Security

Fuchen Ma,Meng Ren,Ying Fu,Mingzhe Wang,Huizhong Li,Houbing Song,Yu Jiang

DOI: https://doi.org/10.1016/j.ipm.2021.102565

IF: 7.466

2021-01-01

Information Processing & Management

Abstract:Smart contracts are more sensitive from a security perspective than other software due to several reasons. First, smart contracts are immutable thus cannot be easily patched once deployed. Second, smart contracts are directly tied to payments and can hold millions of dollars' worth of digital currencies. Third, smart contracts are still a new practice thus do not have best coding practices and development lifecycles tailored for decentralized apps yet. Even though several testing and verification tools have been developed, smart contract vulnerabilities remain a clear and present danger. In this paper, we present an approach that is different from existing ones that attempt to eliminate vulnerabilities from smart contracts. Instead, we fortify Ethereum virtual machines (EVM) to stop dangerous transactions once vulnerabilities are detected in real-time. Since proving programs written in Turing-complete languages is undecidable, our approach complements current approaches by catching vulnerabilities and interrupts their executions during runtime. We have implemented our reinforcement on two widely used EVMs (js-evm and FISCO-BCOS-evm). The reinforced EVMs detects and interrupts all the vulnerabilities, 20% of them missed by testing tools, in 100 real smart contracts. Our approach is practical with less than 34% overhead. In fact, the reinforced FISCO-BCOS-evm has been integrated into the official release of FISCO-BCOS adopted by a large Chinese bank WeBank.

Jiayue Zhou,Jianan Hong,Chengchen Zhu,Futai Zou,Cunqing Hua

DOI: https://doi.org/10.1109/icnc59896.2024.10556332

2024-01-01

Abstract:Blockchain technology has emerged as a popular research topic, particularly in the area of identity management, which provides with a decentralized ID system due to its inherent distributed architecture. This paper focuses on the security issues for vehicular ad-hoc networks (VANETs), where there exists significant obstacles to deploy blockchain-based identity manage-ment system. The idea of lightweight node seems to address such issues, as it provides a local transaction query method. However, it cannot directly suit the complex identity management scenario, as malicious revoked users can successfully exploit spoofing attacks to mislead the lightweight nodes. This paper therefore proposes a new blockchain-enabled identity management scheme for VANET system, which realizes extremely short-latency identity verification with the idea lightweight node. Especially, to achieve trustful revocation for lightweight node, we leverage the mechanism of redactable blockchain with chameleon hash, as well our tailored security protocols. The proposed scheme offers a highly secure, distributed and low-cost identity management system. The experimental result shows our advantage in terms of functionality and efficiency.

Xinying Yang,Ruide Zhang,Cong Yue,Yang Liu,Beng Chin Ooi,Qun Gao,Yuan Zhang,Hao Yang

DOI: https://doi.org/10.1145/3589774

2023-01-01

Abstract:Blockchain-like ledger databases emerge in recent years as a more efficient alternative to permissioned blockchains. Conventional ledger databases mostly rely on authenticated structures such as the Merkle tree and transparency logs for supporting auditability, and hence they suffer from the performance problem. As opposed to conventional ledger DBMSes, we design VeDB - a high-performance verifiable software (Ve-S) and hardware (Ve-H) enabled DBMS with rigorous auditability for better user options and broad applications. In Ve-S, we devise a novel verifiable Shrubs array (VSA) with two-layer ordinals (serial numbers) which outperforms conventional Merkle tree-based models due to lower CPU and I/O cost. It enables rigorous auditability through its efficient credible timestamp range authentication method, and fine-grained data verification at the client side, which are lacking in state-of-the-art relational ledger databases. In Ve-H, we devise a non-intrusive trusted affiliation by TEE leveraging digest signing, monotonic counters, and trusted timestamps in VeDB, which supports both data notarization and lineage applications. The experimental results show that VeDB-VSA outperforms Merkle tree-based authenticated data structures (ADS) up to 70× and 3.7× for insertion and verification; and VeDB Ve-H data lineage verification is 8.5× faster than Ve-S.

Kota Chin,Keita Emura,Kazumasa Omote

DOI: https://doi.org/10.48550/arXiv.2309.03480

2023-09-07

Cryptography and Security

Abstract:Account abstraction allows a contract wallet to initiate transaction execution. Thus, account abstraction is useful for preserving the privacy of externally owned accounts (EOAs) because it can remove a transaction issued from an EOA to the contract wallet and hides who issued the transaction by additionally employing anonymous authentication procedures such as ring signatures. However, unconditional anonymity is undesirable in practice because it prevents to reveal who is accountable for a problem when it arises. Thus, maintaining a balancing between anonymity and accountability is important. In this paper, we propose an anonymous yet accountable contract wallet system. In addition to account abstraction, the proposed system also utilizes accountable ring signatures (Bootle et al., ESORICS 2015). The proposed system provides (1) anonymity of a transaction issuer that hides who agreed with running the contract wallet, and (2) accountability of the issuer, which allows the issuer to prove they agreed with running the contract wallet. Moreover, due to a security requirement of accountable ring signatures, the transaction issuer cannot claim that someone else issued the transaction. This functionality allows us to clarify the accountability involved in issuing a transaction. In addition, the proposed system allows an issuer to employ a typical signature scheme, e.g., ECDSA, together with the ring signature scheme. This functionality can be considered an extension of the common multi-signatures that require a certain number of ECDSA signatures to run a contract wallet. The proposed system was implemented using zkSync (Solidity). We discuss several potential applications of the proposed system, i.e., medical information sharing and asset management.

James Austgen,Andrés Fábrega,Mahimna Kelkar,Dani Vilardell,Sarah Allen,Kushal Babel,Jay Yu,Ari Juels

2024-12-04

Abstract:Inherent in the world of cryptocurrency systems and their security models is the notion that private keys, and thus assets, are controlled by individuals or individual entities. We present Liquefaction, a wallet platform that demonstrates the dangerous fragility of this foundational assumption by systemically breaking it. Liquefaction uses trusted execution environments (TEEs) to encumber private keys, i.e., attach rich, multi-user policies to their use. In this way, it enables the cryptocurrency credentials and assets of a single end-user address to be freely rented, shared, or pooled. It accomplishes these things privately, with no direct on-chain traces. Liquefaction demonstrates the sweeping consequences of TEE-based key encumbrance for the cryptocurrency landscape. Liquefaction can undermine the security and economic models of many applications and resources, such as locked tokens, DAO voting, airdrops, loyalty points, soulbound tokens, and quadratic voting. It can do so with no on-chain and minimal off-chain visibility. Conversely, we also discuss beneficial applications of Liquefaction, such as privacy-preserving, cost-efficient DAOs and a countermeasure to dusting attacks. Importantly, we describe an existing TEE-based tool that applications can use as a countermeasure to Liquefaction. Our work prompts a wholesale rethinking of existing models and enforcement of key and asset ownership in the cryptocurrency ecosystem.

Cryptography and Security

Guohua Tian,Jianghong Wei,Mirosław Kutyłowski,Willy Susilo,Xinyi Huang,Xiaofeng Chen,Miroslaw Kutylowski

DOI: https://doi.org/10.1109/tc.2022.3230900

IF: 3.183

2022-01-01

IEEE Transactions on Computers

Abstract:Driven by various legal obligations and service requirements, the redactable blockchain was introduced to balance the modifiability and immutability of blockchain technology. However, such a blockchain inevitably generates one or even more acceptable versions for the same block data, enabling malicious full nodes to deceive light/new nodes with old data and even disrupt the consistency of the blockchain ledger. In this paper, we introduce the concept of verifiable redactable blockchain (VRBC) to provide efficient validity verification for on-chain data. To this end, we design a novel authentication data structure, called blockchain authentication tree (BAT), which utilizes a chameleon hash function and aggregatable vector commitment to bind continuously-appended blocks. Based on this, we propose an efficient VRBC scheme supporting integrity auditing, which not only allows light nodes to query and validate on-chain data, but also enables new nodes to check the integrity of the blockchain ledger before synchronizing it, effectively avoiding resource waste and security risks caused by invalid queries and ledger synchronization. Furthermore, we introduce some optimized strategies to improve the performance of the proposed scheme and extend it to transaction-level and permissionless VRBC, respectively. Finally, we demonstrate the practicability of the proposed scheme through detailed security analysis and visual performance evaluation.

engineering, electrical & electronic,computer science, hardware & architecture

Jeba N,Anas S,Anuragav S,Abhishek R,Sachin K

2024-03-08

Abstract:Innovative solution for addressing the challenges in the legal records management system through a blockchain-based eVault platform. Our objective is to create a secure, transparent, and accessible ecosystem that caters to the needs of all stakeholders, including lawyers, judges, clients, and registrars. First and foremost, our solution is built on a robust blockchain platform like Ethereum harnessing the power of smart contracts to manage access, permissions, and transactions effectively. This ensures the utmost security and transparency in every interaction within the system. To make our eVault system user-friendly, we've developed intuitive interfaces for all stakeholders. Lawyers, judges, clients, and even registrars can effortlessly upload and retrieve legal documents, track changes, and share information within the platform. But that's not all; we've gone a step further by incorporating a document creation and saving feature within our app and website. This feature allows users to generate and securely store legal documents, streamlining the entire documentation process.

Cryptography and Security,Computers and Society

Yangfei Lin,Jie Li,Shigetomo Kimura,Yuanyuan Yang,Yusheng Ji,Yangjie Cao

DOI: https://doi.org/10.1109/jiot.2021.3102236

IF: 10.6

2022-03-01

IEEE Internet of Things Journal

Abstract:The applications of Internet of Things have emerged in every aspect of people's life. The volume of data gathered can be enormous. Enterprises and personal consumers are increasingly reliant on cloud storage services instead of local storage. While they enjoy the convenience of cloud storage services, they also worry about the integrity of the cloud-stored data since they do not physically own the data. To enable public integrity auditing, third-party auditors as trusted ones verify data integrity on behalf of the data owner. However, the vulnerability of auditors should also be considered. We propose a consortium blockchain-based public integrity verification system (CBPIV). In CBPIV, the auditor behaviors are recorded in the consortium blockchain so that authorized parties can audit the auditor to see if the verification results are correct. A smart contract is deployed to check the behavior of the auditor automatically, which can trigger alerts for unusual behaviors. The evaluation on both security and performance shows that our proposed scheme is secure and alleviates the burden on data owners of limited computation capability.

computer science, information systems,telecommunications,engineering, electrical & electronic

Emanuel Vieira,João Almeida,Joaquim Ferreira,Paulo C. Bartolomeu

2024-01-25

Abstract:Cooperative driving is an emerging paradigm to enhance the safety and efficiency of autonomous vehicles. To ensure successful cooperation, road users must reach a consensus for making collective decisions, while recording vehicular data to analyze and address failures related to such agreements. This data has the potential to provide valuable insights into various vehicular events, while also potentially improving accountability measures. Furthermore, vehicles may benefit from the ability to negotiate and trade services among themselves, adding value to the cooperative driving framework. However, the majority of proposed systems aiming to ensure data security, consensus, or service trading, lack efficient and thoroughly validated mechanisms that consider the distinctive characteristics of vehicular networks. These limitations are amplified by a dependency on the centralized support provided by the infrastructure. Furthermore, corresponding mechanisms must diligently address security concerns, especially regarding potential malicious or misbehaving nodes, while also considering inherent constraints of the wireless medium. We introduce the Verifiable Event Extension (VEE), an applicational extension designed for Intelligent Transportation System (ITS) messages. The VEE operates seamlessly with any existing standardized vehicular communications protocol, addressing crucial aspects of data security, consensus, and trading with minimal overhead. To achieve this, we employ blockchain techniques, Byzantine fault tolerance (BFT) consensus protocols, and cryptocurrency-based mechanics. To assess our proposal's feasibility and lightweight nature, we employed a hardware-in-the-loop setup for analysis. Experimental results demonstrate the viability and efficiency of the VEE extension in overcoming the challenges posed by the distributed and opportunistic nature of wireless vehicular communications.

Distributed, Parallel, and Cluster Computing