ownershiprecordingsystem
byAlexMizrahialex.mizrahi@chromaway.com
Overview
Foranykindofahighvalueproperty(realestate,cars,art)itisimportanttohaveaccuraterecords
whichidentifythecurrentownerandprovideaproofthatheisindeedtheowner.Theserecords
canbeusedto
protectowners'rights(e.g.incaseoftheft)
resolvedisputes
makesureownershipiscorrectlytransferredtoanewowneraftersale
preventsalefraud
Thusitiscrucialtomaintaincorrectnessandcompletenessofthisinformation,andprevent
unauthorized,fraudulentchanges.
Fromthepointofviewofacomputersecurityexpert,currentlypeoplehavetorelyonatrustedthird
party.E.g.agovernmentagencymightberesponsibleforkeepingtrackofownershipinformation.
Sometimes,theserecordsarenotpreservedinasystematicway.
Isitpossibletokeeptrackofpropertyownershipthroughsomekindofadistributedsystemwhich
won'trelyontrust?Whatwoulditrequire?
Atminimum,weneedaconsensusaboutthecurrentownerandabilityforthatownertoidentify
himself.
ThesameproblemwassolvedbySatoshiNakamotowhenhecreated:
consensusisestablishedusingtheblockchain(whichkeepsrecordsofprevioustransactions)
andproofofworkwhichmakeschanginghistoricrecordsprohibitivelycostly
correctnessisguaranteedbyprotocolrules
onwercanbeidentifiedusingpublickeycryptography
Naturally,wewouldwanttoreusethissolution.Inprinciple,anyprotocolwithsimilarpropertiescan
beusefulforkeepingpropertyownershiprecords.
ButitisalsopossibletoreuseBitcoinitself.Conventionally,bitcoinsarefungible.However,itis
possibletocreatenonfungibletokensbytrackingaspecific"coin"throughthetransactionhistory,
whichispreservedintheblockchain.Thisconceptisknownascoloredcoins,althoughitwasfirst
describedbyMikeHearninhisSmartPropertyarticle:
SmartpropertyispropertywhoseownershipiscontrolledviatheBitcoinblockchain,using
contracts.Examplescouldincludephysicalpropertysuchascars,phonesorhouses.Smart
propertyalsoincludesnonphysicalpropertylikesharesinacompanyoraccessrightstoa
remotecomputer.Makingpropertysmartallowsittobetradedwithradicallylesstrust.This
reducesfraud,mediationfeesandallowstradestotakeplacethatotherwisewouldnever
havehappened.Forexample,itallowsstrangerstoloanyoumoneyovertheinternettaking
yoursmartpropertyascollateral,whichshouldmakelendingmorecompetitiveandthuscredit
cheaper.
Let'sgothroughtheprocessindetail:
1. Atsomepoint,apropertyisassociatedwithacertaintransactionoutput,whichiscalleda
'genesistransactionoutput'.Thattransactionoutput(coin)belongstotheinitialowner
recordedbythesystem.(InMikeHearn'sexamplewithacar,agenesistransactionoutputis
establishedonafactorywhichhaveproducedacar,andthatfactoryistheinitialowner.)
2. Whenthepropertyissoldortransferred,atransactionoutputwhichbelongstotheprevious
ownerisspent,andatransactionoutputwhichbelongstoanewowneriscreatedinthesame
transaction,whichneedstobecreatedaccordingtocertainrules.
3. Whensomebodyneedstoidentifyanowner,hewillgothroughthetransactionhistorystarting
fromthegenesistransactionuptoanunspenttransactionoutput.Theowneroftheunspent
transactionoutputisthecurrentowneroftheproperty.BitcoinblockchainhashisBitcoin
address(inageneralcase,scriptPubKey),andheisabletoprovethatheistheownerby
signingamessagewiththeprivatekeyassociatedwiththataddress(ingeneralcase,by
producingscriptSigwhichsatisfiesscriptPubKey).
Itisimportanttonotethatinthiscasepropertyownershipisassociatedwithacertainprivatekey
ratherthanwithacertainperson.Ifweassumethatonlyonepersonisinpossessionofthatprivate
key,theeffectisthesame.However,aprivatekeycanbelostorstolen.Also,insomecasesa
legalsystem(courts)mightoverrideownershipwhichwasrecordedintheblockchain.Wemust
takethisintoaccountifwewanttobuildarobustsystem.
Inthefollowingsectionswewilloutlinepossiblewaystoexgtendthisbasicsystemandanalyzeits
properties.
UseoftheBitcoinblockchain
Asitwasmentionedintheoverviewsection,inprinciple,anypublicledgesystemsimilartoBitcoin
canbeusedforkeepingownershiprecords.However,theuseofspecificatllytheBitcoin
blockchainhascertainadvantages:
Reducedimplementationcost:weonlyneedathinlayerontopofBitcoin,thereisnoneedto
implementacryptocurrencyfromscratch.
Security:BypiggybackingontopofBitcoin,weinherititssecurityproperties.Itiscrucialfor
suchasystemtobetamperproof,andBitcoiniscurrentlythecryptocurrencywhichissecured
bythelargesthashrate.
Persistence:Signiificanttotalvalueofallbitcoinsinexistencecreateahugefinancial
incentivetokeepthesystemaliveandhealthy.
IntegrationwithBitcoinasapaymentsystem:Anabilitytoswapbitcoinsandcoloredcoinsin
oneatomictransactionmakesitpossibletodotrustlesstrades.E.g.ifacarandapayment
foracararesentthroughonetransaction,anyproblemwithatransaction(e.g.adounle
spend)willinvalidatethetrade.Thusitisimpossiblethatabuyerwillendupwithacarwhen
hehaven'tpaid,justasitisimpossiblethatsellerwillreceiveamoneywithouttransferring
ownershipofthecar.Bitcoiniscurrentlythelargestcryptocurrency,whichmakeintegration
withitinterestinganduseful.
However,thefollowingsectionsofthisdocumentarenotspecifictotheBitcoinblockchain(andin
somecases,notspecifictocoloredcoins)andcanberelevantifadifferentcryptocurrency
substrateisbeingused.
Propertyregistryandcatalog
Whenpropertytransfersaresecuredbytheblockchain,wenolongerneedtorelyonatrusted
partytoverifythem.However,anassociatedbetweenaparticularpropertyandagenesis
transactionoutputbecomestheweakestlink.
E.g.supposesomebodyclaimsthatacertaincoinrepresentsownershipofthehouse.Hecan
demonstatethatheistheownerofanunspentcoinbysigningamessageusinghisprivatekey,
andhecandemonstratethetransactionhistoryinvolvingthatcoin.Buthowcanwecheckthata
particularcoinrepresentsaparticularhouse?Howdowecheckthattherearenoothercoinswhich
representit?
Intheexamplewiththecar,thefactorywhichmanufacturedthecarwasresponsibleforassotiating
acoloredcoinwithacar.Atagorachipattachedtoaphysicalobjectmightbeusedtorefertoa
genesisoutput,andthusestablishanassociation.Butthisisreliableonlyaslongasinformation
containedinthattagorchipcannotbealtered,andthecannotbedetaching.(Or,rather,detaching
themisimpracticalorprohibitivelyexpensive.)
Butwecan'trelyontagsinthecasewitharealestate,forexample,thusweneedsomekindofa
registrywhichwillberesponsibleforassociationbetweenobjectsandcorrespondingcolored
coins.Let'sassumethatforakindofobjectsweareinterestedin,wecangenerateproperty
identifierswhichunambiguouslypointtoanobject(e.g.coordinates,streetaddress,device
identifieretc.).Thenaregistrywillmapgenesistransactionoutputstopropertyidentifiers,and
propertyidentifierstogenesistransactionoutputs.
Isitpossibletomakethisregistrydistributedandtrustless?Itmightworkforsomeproblem
domains,e.g.inNamecoin,thefirstpersonwhotriestoregisteranamegetsit.Butthisdoesn't
workinageneralcase.
Thusaregistryneedstobeatrustedthirdparty.Wecan'tcompletelyescapefromthatmodel,
however,wecantrytominimizerelianceontrustandimposeruleswhichwouldmakecheating
hard,evidentandprovable.
Particulalry,trustismuchlessofaconcernwhentheregistryisforcedtooperateinatransparent
wayandcryptographicprotocolsareusedtoauthenticateinformationsuppliedbytheregistry.
Thiscanbeaccomplishedbymakingregistry'scompletecatalogopenlyaccessibletoeveryone.
I.e.anyonecanrequestacompletecatalogfromregistry,whichwillreplywithalistof(property
identifier,genesistransactionoutput)pairs,withwholemessagebeingsignedwithregistry'spublic
key.Thisaloneisenoughtodetectbasicproblems(e.g.duplicateorambiguousidentifiers)and
attacks(ifyouhavetwomessageswithdifferentassociation,youcandetectthatthisregistryis
faultyandprovethistoothers).
Butitdoesn'tpreventmoresophisticatedattacks,e.g.aregistrymightsentmodifiedcatalogonly
toaspecificuser,whichwon'tbeabletodetectwrongdoingwithoutanexternalpointofrefernce.
Thisisanotherproblemwhichcanbesolvedusingtheblockchain:whenacompletecatalogis
publishedintheblockchain(andcanbeobtained,e.g.byscanningthewholeblockchainfor
messageswhicharesignedbyacertainpublickeywhichisassociatedwithaparticularregistry),
everybodyhasthesameview,andthustargettedattacksbecomeimpossible.Itisalsoimpossible
tomodifyhistoricregistationrecords,sothereisonlyabrieftimeintervalwherewrongdoingis
evenpossible.
(Note:Catalogcanbeseenasanappendonlylogofregistrationentries.)
Notethatitisusuallyundersirabletoputsignificantamountofinformationintotheblockchain,in
thatcaseit'spossbletopublishareferencetocataloginsteadofacompletecatalog,forthesame
effect.Wewillcoverthisinappendix.
Nowlet'sgothroughacompleteexample.Supposeacertainregistryisresponsibleforrealestate
registrationinacertaingeographicarea.Apersonwhowishestoregisterhispropertywillcometo
thisregistrywithallrequireddocumentswhichprovethatheisthecurrentowner.Iftheregistry
determinesthatprovidedinformationiscorrect,itwillcreateagenesistransactionwhichwill:
containunambiguouspropertyidentifier
willbesignedwiththeregistry'spublickey
genesistransactionoutputwillpointtocurrentowner'sBitcoinaddress
Oncethisinformationisintheblockchain,theownercantransferpropertywithoutanyfurther
interactionwithregistry.
Theonlypossibleproblemhereisthataregistrycansendacoloredcointoanaddresswhich
doesn'tbelongtotheowner.Theownercandetectthisbywatchingtheblockchainforhisproperty
identifier.Disputeneedstobesolvedoutsideofthesystem(e.g.throughlitigation).
Transfersecurity
Asitwasnotedabove,cryptographicapproachrequiresustousepublic/privatekeystoidentify
andauthenticatethecurrentowner.However,inpracticeitisdesirabletoassociateownershipwith
aspecificperson,asaprivatekeycanbestolenorlost.
Thisisatradeoff:weeitherneedtorelyonatrustedthirdpartytoauthenticateownersandrecord
transactions,orweneedtorelyoncryptography.Bothapproacheshaveadvantagesand
disadvantages.
Notethatit'spossibletousetheblockchainforrecordkeepingevenifownerisauthenticated
usinghisnameanddocuments:inthatcaseregistry'sprivate&publickeyswillbeused,and
owner'sname(aswellasotherrelevantinformation)canbeaddedtoatransactionasmetadata.
Useoftheblockchainhasthesamebenefitsasdescribedintheprevioussection:transferhistory
willbesecurelypreservedintheblockchain.However,ownerswillhavetorelyonregistrytodo
authenticationproperly.
Ahybridapproachisalsopossible:acoloredcoinwhichrepresentspropertyownershipwillsend
to2of2multisigaddress,whichrequiressignaturesbothfromtheregistryandfromtheownerto
unlock.Inthiscaseownercannottransferhispropertywithoutinteractionwithregistry,however,
neithercanregistrydotransactionswithoutowner'sconsent.Thisscehemecanprovideextra
security:aregistrycanperformadditionalauthenticationstepstomakesurethattransferis
correctlyauthorized.
Forextratransparency,detailsaboutthetransfercanbeembeddedintothetransaction,andthus
preservedintheblockchain.
Ownershipoverrides
Inanidealworld,wewouldallrelyoncryptographyanddistributedconsensus.Butourworldisn't
ideal,thuswehavetodealwiththefactthatownershipcanbechanged,forexample,through
litigation.Asystemwhichcannotaddressthisissuecanbeimpractical.
Webelievethatthebestwaytoaddressthisistooverrideassociationontheregistrylevel,aswe
arerelyingonatrustedthirdpartyanyway.Aregistryshouldcomplywithcourt'sorderstoreassign
ownership.
Ifweassumethatappendonlylogisusedasacatalog(i.e.eachentryispublishedinthe
blockchain),thenaregistrywillneedtopublishanotherentrywithsameidentifierandaflagthatan
oldoneisreplaced.Abuyerwhoisinterestedinthepropertywillbeabletodetectthesituation
andpaycloserattention.
Conclusion
Ablockchainbasedpropertyownershiprecordingsystemdescribedinthisarticleeliminatesmost
potentialfailuresandattacksthroughtransparencyanduseofcryptographicprimitivesfor
authentication.Thusitcanbeusedtoreducerelianceontrustedthirdparties,reducecosts
(throughautomatization)andreducenumberfraudanderrors.
AppendixA:Technicalimplementation
Overview
Inthisappendixwewillcoveranimplementatonofblockchainbnasedpropertyownership
recordingsystemusingtheBitcoinblockchainandcoloredcoins.
WeneedtotakeintoaccountthattheBitcoinblockchainspaceisascarceandvaluableresource,
thusitcannotbeusedforpublishingarbitraryinformation.Insteadofthat,wewillhashinformation
wewishtopublish,andembedthosehashesintotransactions.Informationitselfcanbeobtained
fromapartywhichgeneratedit,i.e.theregistry.Thiswaywestillgetaconsensusoverwhat
informationwaspublished,butonlyaslongasregistryisaccessibleandcanprovideinformation.
Headersonlyclients
Ideally,wewantclientstobeabletoverifyinformationwithouttheneedtoscanthewhole
blockchain,i.e.havingonlyheadersandrelevantdata.Butwewon'taddressthisissueindetail,
andinsteadwillassumethatclientisabletoscanthewholeblockchain.
Registry
WeassumethataregistryisassociatedwithacertainBitcoinaddressorasetofaddresses
whichitwillusetopublishpropertyassociationtransactions.
Eachsuchtransaction:
containsaninputspendingcoinsfromregistry'sBitcoinaddress
hasdatacontainedinOP_RETURNoutput(seebelow)
hasagenesisoutputwhichassignscoloredcointopropertyowner
Ifepobccolorkernelisbeingused,transactionmustalsobeavalidepobcgenesistransaction.
Dataconsistsofa'propertyassociationentry'tagandahashoftheregistrationentry.
Inthemostbasicformregistrationentryisjustapropertyidentifier,however,itcanalsocontain
metadata,suchasadateofregistation,ahashofadocumentwhichwasprovidedduring
registation,ahashorregistrationrequestandsoon.
AregistrymustprovideanAPIwhichallowsclientstofetchregistationentriesbytheirhashes.
Chainofentries
Inordertomakeitpossibleforthinclientstoverifythatthecompletecatalogisdownloaded,all
propertyassociationtransactionsmustbeorganizedintoachain:eachsuchtransactionmusthave
anininputlinkedtoanoutputofprevioussuchtransaction.Conceptually,wecanseeitasa
coloredcoinwhichisassociatedwiththeregistryitself:itmustbeusedineveryassocation
transaction.Havingregistry'schaingenesistransactionandcurrentUTXO,athinclientcanobtain
thewholechain.
Transfertransactions
Inthemostsimplecases,somethingassimpleasepobccolorkernelcanbeusedfortransfer
transactions.Theadvantageofusingepobcisthatitiswelltestedandwillbeinteroperablewith
othercoloredcoinswhicharebasedonepobc.(E.g.itispossibletobuyacoloredcoin
representedhouseusingcoloredcoinrepresentedgoldusinganatomictransaction.)
Ifitisdesirable,itispossibletoembdedahashofmetadataaboutthetransferinOP_RETURN
output.Thismetadatacanincludethenameofnewowner,dateoftransactionandsoon.
epobciscompatiblewithmultisigscripts,thusitisn'tnecessarytomodifycolorkerneltoenable
multisiguse.
Clientsoftware
Clientsoftwarecanbeconsideredanormalcoloredcoinwalletwithextrafunctionality:
Itshouldbeabletoobtainanentirecatalogofaspecifiedregistry,eitherbyscanningthe
wholeblockchain,orthroughtheprocesswhichscansthechain.
Itshouldbeabletorepresentpropertyidentifiersinahumanreadableform,toprovideaway
tosearchforaspecificentry,checkforduplicatesetc.
Provideawayforanownertoauthenticatehimself,i.e.signamessagewithaprivatekey
correspondingtopropertyheowns.
Provideawaytoverifyauthentication:findapublickeycorrespondingtoaspecificproperty
andcheckmessagesignature.
Ifaspecialmultisignatureisbeingused,clientsoftwaremustbeabletocreatetransactions
withit.