[eudoxus]

> To be fair I haven't kept up-to-date with blockchains, but I find it hard to believe that any existing blockchain could solve this. Transparency logs can.

Any insight as to why you think blockchains can't handle this?

The only fundemental difference between blockchains and transparency logs is the trust assumptions and censorship resistence. Its fairly easy to reason about a transparency log as a permissioned blockchain. Conversely, a blockchain could be seen as a permissionless transparency log.

[JanisErdmanis]

> blockchain could be seen as a permissionless transparency log

This is not the case. The essence of the transparency logs are thin clients which can do monitoring of the append only nature of the ledger. This allows accountability to be distributed more widelly wheras in blockchain one would need to retrieve the full ledger to do such testing.

On the other hand the responsability of adding records to the ledger in transparency log lies to a single authorithy whereas in permissionless blockchain it lies to individuals who solve the puzzle. However in practice there is centralisation of the computation power making the record inclusion also centralised.

The censorship resistance is somewhat a wicked problem. With transparency logs solve the by counter logging. In cases authorithy does not accepts a record it can be delivered to a counter authorithy. The counter authorithy also keeps records of main authorithy and thus users can eventually switch to it. This is though a manual process, but perhaps one can figure out a protocol to do such thing automatically.

[kfreds]

Sort-of. Here's how I think about it.

The fundamental value of a transparency log is to provide trivial discoverability. Say an attacker has compromised a code signing key and is using it to sign a malicious software update. Let's also assume that the attacker can distribute this update to a client that will trust it. Such a targeted attack is not trivially discoverable by the software vendor if the client's trust policy only requires a code signing signature by the compromised key. If the client's trust policy were to also require a proof that the signature is included in a trusted transparency log, the software vendor can discover the attack if it monitors the log. Note that transparency logs doesn't directly prevent attacks - it makes them discoverable.

Transparency systems based on transparency logs have five components: Log, Submitter, Client, Monitor and Auditor or Witness(es). The Log is a Merkle tree with its current root tree hash signed. In the example above the Client would be the software updating mechanism, which has a given Log in its trust policy. The Client will only trust a software update from the Submitter if the Submitter's signature and the update's hash are included in the Log. The Monitor regularly polls the Log for new entries it cares about, in this case software updates signed by the Submitter's public key. The Auditor is another party that regularly polls the Log, but the Auditor's job is not to discover log entries that constitute an attack. Instead, the Auditor's job is to monitor the Log's consistency - i.e. whether the log has removed any previously added entries. This is called a split-view attack, and it is a concern in all widely deployed transparency logs today. An alternative to Auditors is cosigning Witnesses, which proactively witness a Log's consistency, and whose witness signatures are required by the Client in order for it to trust the Log. This results in a much stronger threat model. See sigsum.org for more details on such a design.

Getting back to your comment:

- Yes, Clients are "thin", to use blockchain terminology, but they don't monitor the Log in order to detect attacks. The Log is part of their trust policy for making some trust decision, such as trusting a software update. Monitoring the Log for new entries that indicate e.g. key compromise is the Monitor's job.

- Regarding accountability: The Client's trust policy in conjunction with the Log and the Monitor increases the Submitter's accountability to the Client. Similarly the Auditors or Witnesses increases the Log's accountability to Clients, Submitter and Monitors.

- Regarding inclusion in the Log (or blockchain) I'd use the word "authority" as in who has the power to prevent something from being included. As you point out a transparency log is a central entity which has the sole power to decide what gets included or not. If the log is shut down, or its public key destroyed, nor more inclusions are possible. In this sense a blockchain is far more censorship-resistant than a transparency log. In other words, it is important that Clients trust multiple logs for redundancy. The consensus mechanism of a transparencty log is simply a public-key signature, as opposed to an emergent authority in the form of e.g. a distributed timestamp server based on SHA256. This vast difference in how the database's integrity is defined - the consensus mechanism - is why blockchains work better than transparency logs for censorship-resistant digital currency, whereas transparency logs work better than blockchains for efficient inclusion- and consistency proofs.

[JanisErdmanis]

I generally agree with what you have said. However regarding this part

> Yes, Clients are "thin", to use blockchain terminology, but they don't monitor the Log in order to detect attacks

The clients can monitor the ledger via consistency proots and it is highly beneficial as that prevents any chances of split being undetected view without requiring to trust other parties in the process. Clients submiting the record to the chain they can get inclusion proofs, but they can also at random times can query that the previous chain root commitment is consistent with existing one in the process keeping consistency proof chain. If it isn't judiciary actions in the presence of evidence can be taken against the authorithy. This is particulary interesting when ledger hosts votes which allows for a fully centralized deployment which is the basis of an voting system I am developing [1].

> it is important that Clients trust multiple logs for redundancy

Replication solves the issue that the records would would always be available which can be done by anyone who has stakes in the integrity of the ledger. Wheras the censorship reistance is an emergent phenomena where multiple people organize and collect unincluded records and overthrows the authorithy. Thus there is no actually need for Clients to trust multiple logs. Clients only need to trust that they would be able to do incident response in the case of misbehaving authorithy.

[1]: https://janiserdmanis.org/artefacts/EVOTEID-2023-poster.pdf

[kfreds]

> The clients can monitor the ledger via consistency proots and it is highly beneficial as that prevents any chances of split being undetected view without requiring to trust other parties in the process. Clients submiting the record to the chain they can get inclusion proofs, but they can also at random times can query that the previous chain root commitment is consistent with existing one in the process keeping consistency proof chain.

The design you're describing doesn't have those security properties.

A malicious or compromised Log conducts a split-view attack by showing different views of the Log to different parties. This is done by providing different parties with different inclusion proofs and consistency proofs. Thus the Log remains consistent from the respective network vantage points of the target(s). They all see an append-only log.

A Client or Monitor shouldn't merely be concerned with whether the Log is consistent from their vantage point. It should be concerned with whether the Log is globally consistent, i.e. whether all views of the Log are consistent with each other. Historically this has led to designs where the Clients gossip consistency information to each other, the introduction of Log Auditors and witness cosigning. I prefer witness cosigning, although to be fair Clients gossiping can work in some designs. Apple's transparency log design is one example, if I remember correctly. It's been a while since I thought about transparency logs.

[JanisErdmanis]

> A malicious or compromised Log conducts a split-view attack by showing different views of the Log to different parties. This is done by providing different parties with different inclusion proofs and consistency proofs. Thus the Log remains consistent from the respective network vantage points of the target(s). They all see an append-only log.

You are spot on the vantage points. It is therefore at utmost necessity that the server does not know who has made a request, is not able to track clients. This is why requests need to be routed through anonymization service like TOR to preserve a single consitent view. The client only gives away the current root commit index they have stored locally which gives a little wiggle room there to be malicious. The latter can also be improved by first asking for the current tree root commitment and then aksing consitency proof with respect to locally stored commitment.

The global consistency in this design is achieved by the server not knowing who makes requests and thus gosiping is not needed.

[FiloSottile]

We considered this design and rejected it because it requires an ultimately unwinnable cat-and-mouse game of fingerprint resistance.

Things the log can use to partition the users include their Tor version, HTTP library behavior, contact periodicity... the list goes on and on, and keeps restricting the use cases where it can be deployed securely even just in theory.

Witness cosigning is secure even if the way you fetch the proofs is completely attacker-controlled, which is closer to user expectations of regular digital signatures.

[kfreds]

> Any insight as to why you think blockchains can't handle this?

As you point out yourself the trust assumptions are fundamentally different. As a result a transparency log can produce an inclusion proof and a consistency proof that is on the order of a few kilobytes large. A trust policy for such a verifier would be of similar size.

How large would the equivalent inclusion- and consistency proofs for a proof-of-work-based blockchain be? What would the trust policy look like? Presumably the verifier would use some historical block as a starting point, which would constitute the trust policy. It would then need to process the entire blockchain from that point and onwards up until the point of inclusion. That's way more than a few kilobytes.

Again, I haven't paid attention to blockchains for a long time so there might be some consensus mechanism out there that has solved this somehow. I'd love to be proven wrong.