Ablockchainbasedproperty

ownershiprecordingsystem
byAlexMizrahialex.mizrahi@chromaway.com

Overview
Foranykindofahighvalueproperty(realestate,cars,art)itisimportanttohaveaccuraterecords
whichidentifythecurrentownerandprovideaproofthatheisindeedtheowner.Theserecords
canbeusedto

protectowners'rights(e.g.incaseoftheft)
resolvedisputes
makesureownershipiscorrectlytransferredtoanewowneraftersale
preventsalefraud

Thusitiscrucialtomaintaincorrectnessandcompletenessofthisinformation,andprevent
unauthorized,fraudulentchanges.

Fromthepointofviewofacomputersecurityexpert,currentlypeoplehavetorelyonatrustedthird
party.E.g.agovernmentagencymightberesponsibleforkeepingtrackofownershipinformation.
Sometimes,theserecordsarenotpreservedinasystematicway.

Isitpossibletokeeptrackofpropertyownershipthroughsomekindofadistributedsystemwhich
won'trelyontrust?Whatwoulditrequire?

Atminimum,weneedaconsensusaboutthecurrentownerandabilityforthatownertoidentify
himself.

ThesameproblemwassolvedbySatoshiNakamotowhenhecreated:

consensusisestablishedusingtheblockchain(whichkeepsrecordsofprevioustransactions)
andproofofworkwhichmakeschanginghistoricrecordsprohibitivelycostly
correctnessisguaranteedbyprotocolrules
onwercanbeidentifiedusingpublickeycryptography
Naturally,wewouldwanttoreusethissolution.Inprinciple,anyprotocolwithsimilarpropertiescan
beusefulforkeepingpropertyownershiprecords.

ButitisalsopossibletoreuseBitcoinitself.Conventionally,bitcoinsarefungible.However,itis
possibletocreatenonfungibletokensbytrackingaspecific"coin"throughthetransactionhistory,
whichispreservedintheblockchain.Thisconceptisknownascoloredcoins,althoughitwasfirst
describedbyMikeHearninhisSmartPropertyarticle:

SmartpropertyispropertywhoseownershipiscontrolledviatheBitcoinblockchain,using
contracts.Examplescouldincludephysicalpropertysuchascars,phonesorhouses.Smart
propertyalsoincludesnonphysicalpropertylikesharesinacompanyoraccessrightstoa
remotecomputer.Makingpropertysmartallowsittobetradedwithradicallylesstrust.This
reducesfraud,mediationfeesandallowstradestotakeplacethatotherwisewouldnever
havehappened.Forexample,itallowsstrangerstoloanyoumoneyovertheinternettaking
yoursmartpropertyascollateral,whichshouldmakelendingmorecompetitiveandthuscredit
cheaper.

Let'sgothroughtheprocessindetail:

1. Atsomepoint,apropertyisassociatedwithacertaintransactionoutput,whichiscalleda
'genesistransactionoutput'.Thattransactionoutput(coin)belongstotheinitialowner
recordedbythesystem.(InMikeHearn'sexamplewithacar,agenesistransactionoutputis
establishedonafactorywhichhaveproducedacar,andthatfactoryistheinitialowner.)
2. Whenthepropertyissoldortransferred,atransactionoutputwhichbelongstotheprevious
ownerisspent,andatransactionoutputwhichbelongstoanewowneriscreatedinthesame
transaction,whichneedstobecreatedaccordingtocertainrules.
3. Whensomebodyneedstoidentifyanowner,hewillgothroughthetransactionhistorystarting
fromthegenesistransactionuptoanunspenttransactionoutput.Theowneroftheunspent
transactionoutputisthecurrentowneroftheproperty.BitcoinblockchainhashisBitcoin
address(inageneralcase,scriptPubKey),andheisabletoprovethatheistheownerby
signingamessagewiththeprivatekeyassociatedwiththataddress(ingeneralcase,by
producingscriptSigwhichsatisfiesscriptPubKey).

Itisimportanttonotethatinthiscasepropertyownershipisassociatedwithacertainprivatekey
ratherthanwithacertainperson.Ifweassumethatonlyonepersonisinpossessionofthatprivate
key,theeffectisthesame.However,aprivatekeycanbelostorstolen.Also,insomecasesa
legalsystem(courts)mightoverrideownershipwhichwasrecordedintheblockchain.Wemust
takethisintoaccountifwewanttobuildarobustsystem.

Inthefollowingsectionswewilloutlinepossiblewaystoexgtendthisbasicsystemandanalyzeits
properties.

UseoftheBitcoinblockchain
Asitwasmentionedintheoverviewsection,inprinciple,anypublicledgesystemsimilartoBitcoin
canbeusedforkeepingownershiprecords.However,theuseofspecificatllytheBitcoin
blockchainhascertainadvantages:

Reducedimplementationcost:weonlyneedathinlayerontopofBitcoin,thereisnoneedto
implementacryptocurrencyfromscratch.
Security:BypiggybackingontopofBitcoin,weinherititssecurityproperties.Itiscrucialfor
suchasystemtobetamperproof,andBitcoiniscurrentlythecryptocurrencywhichissecured
bythelargesthashrate.
Persistence:Signiificanttotalvalueofallbitcoinsinexistencecreateahugefinancial
incentivetokeepthesystemaliveandhealthy.
IntegrationwithBitcoinasapaymentsystem:Anabilitytoswapbitcoinsandcoloredcoinsin
oneatomictransactionmakesitpossibletodotrustlesstrades.E.g.ifacarandapayment
foracararesentthroughonetransaction,anyproblemwithatransaction(e.g.adounle
spend)willinvalidatethetrade.Thusitisimpossiblethatabuyerwillendupwithacarwhen
hehaven'tpaid,justasitisimpossiblethatsellerwillreceiveamoneywithouttransferring
ownershipofthecar.Bitcoiniscurrentlythelargestcryptocurrency,whichmakeintegration
withitinterestinganduseful.

However,thefollowingsectionsofthisdocumentarenotspecifictotheBitcoinblockchain(andin
somecases,notspecifictocoloredcoins)andcanberelevantifadifferentcryptocurrency
substrateisbeingused.

Propertyregistryandcatalog
Whenpropertytransfersaresecuredbytheblockchain,wenolongerneedtorelyonatrusted
partytoverifythem.However,anassociatedbetweenaparticularpropertyandagenesis
transactionoutputbecomestheweakestlink.
E.g.supposesomebodyclaimsthatacertaincoinrepresentsownershipofthehouse.Hecan
demonstatethatheistheownerofanunspentcoinbysigningamessageusinghisprivatekey,
andhecandemonstratethetransactionhistoryinvolvingthatcoin.Buthowcanwecheckthata
particularcoinrepresentsaparticularhouse?Howdowecheckthattherearenoothercoinswhich
representit?

Intheexamplewiththecar,thefactorywhichmanufacturedthecarwasresponsibleforassotiating
acoloredcoinwithacar.Atagorachipattachedtoaphysicalobjectmightbeusedtorefertoa
genesisoutput,andthusestablishanassociation.Butthisisreliableonlyaslongasinformation
containedinthattagorchipcannotbealtered,andthecannotbedetaching.(Or,rather,detaching
themisimpracticalorprohibitivelyexpensive.)

Butwecan'trelyontagsinthecasewitharealestate,forexample,thusweneedsomekindofa
registrywhichwillberesponsibleforassociationbetweenobjectsandcorrespondingcolored
coins.Let'sassumethatforakindofobjectsweareinterestedin,wecangenerateproperty
identifierswhichunambiguouslypointtoanobject(e.g.coordinates,streetaddress,device
identifieretc.).Thenaregistrywillmapgenesistransactionoutputstopropertyidentifiers,and
propertyidentifierstogenesistransactionoutputs.

Isitpossibletomakethisregistrydistributedandtrustless?Itmightworkforsomeproblem
domains,e.g.inNamecoin,thefirstpersonwhotriestoregisteranamegetsit.Butthisdoesn't
workinageneralcase.

Thusaregistryneedstobeatrustedthirdparty.Wecan'tcompletelyescapefromthatmodel,
however,wecantrytominimizerelianceontrustandimposeruleswhichwouldmakecheating
hard,evidentandprovable.

Particulalry,trustismuchlessofaconcernwhentheregistryisforcedtooperateinatransparent
wayandcryptographicprotocolsareusedtoauthenticateinformationsuppliedbytheregistry.

Thiscanbeaccomplishedbymakingregistry'scompletecatalogopenlyaccessibletoeveryone.

I.e.anyonecanrequestacompletecatalogfromregistry,whichwillreplywithalistof(property
identifier,genesistransactionoutput)pairs,withwholemessagebeingsignedwithregistry'spublic
key.Thisaloneisenoughtodetectbasicproblems(e.g.duplicateorambiguousidentifiers)and
attacks(ifyouhavetwomessageswithdifferentassociation,youcandetectthatthisregistryis
faultyandprovethistoothers).
Butitdoesn'tpreventmoresophisticatedattacks,e.g.aregistrymightsentmodifiedcatalogonly
toaspecificuser,whichwon'tbeabletodetectwrongdoingwithoutanexternalpointofrefernce.

Thisisanotherproblemwhichcanbesolvedusingtheblockchain:whenacompletecatalogis
publishedintheblockchain(andcanbeobtained,e.g.byscanningthewholeblockchainfor
messageswhicharesignedbyacertainpublickeywhichisassociatedwithaparticularregistry),
everybodyhasthesameview,andthustargettedattacksbecomeimpossible.Itisalsoimpossible
tomodifyhistoricregistationrecords,sothereisonlyabrieftimeintervalwherewrongdoingis
evenpossible.

(Note:Catalogcanbeseenasanappendonlylogofregistrationentries.)

Notethatitisusuallyundersirabletoputsignificantamountofinformationintotheblockchain,in
thatcaseit'spossbletopublishareferencetocataloginsteadofacompletecatalog,forthesame
effect.Wewillcoverthisinappendix.

Nowlet'sgothroughacompleteexample.Supposeacertainregistryisresponsibleforrealestate
registrationinacertaingeographicarea.Apersonwhowishestoregisterhispropertywillcometo
thisregistrywithallrequireddocumentswhichprovethatheisthecurrentowner.Iftheregistry
determinesthatprovidedinformationiscorrect,itwillcreateagenesistransactionwhichwill:

containunambiguouspropertyidentifier
willbesignedwiththeregistry'spublickey
genesistransactionoutputwillpointtocurrentowner'sBitcoinaddress

Oncethisinformationisintheblockchain,theownercantransferpropertywithoutanyfurther
interactionwithregistry.

Theonlypossibleproblemhereisthataregistrycansendacoloredcointoanaddresswhich
doesn'tbelongtotheowner.Theownercandetectthisbywatchingtheblockchainforhisproperty
identifier.Disputeneedstobesolvedoutsideofthesystem(e.g.throughlitigation).

Transfersecurity
Asitwasnotedabove,cryptographicapproachrequiresustousepublic/privatekeystoidentify
andauthenticatethecurrentowner.However,inpracticeitisdesirabletoassociateownershipwith
aspecificperson,asaprivatekeycanbestolenorlost.
Thisisatradeoff:weeitherneedtorelyonatrustedthirdpartytoauthenticateownersandrecord
transactions,orweneedtorelyoncryptography.Bothapproacheshaveadvantagesand
disadvantages.

Notethatit'spossibletousetheblockchainforrecordkeepingevenifownerisauthenticated
usinghisnameanddocuments:inthatcaseregistry'sprivate&publickeyswillbeused,and
owner'sname(aswellasotherrelevantinformation)canbeaddedtoatransactionasmetadata.
Useoftheblockchainhasthesamebenefitsasdescribedintheprevioussection:transferhistory
willbesecurelypreservedintheblockchain.However,ownerswillhavetorelyonregistrytodo
authenticationproperly.

Ahybridapproachisalsopossible:acoloredcoinwhichrepresentspropertyownershipwillsend
to2of2multisigaddress,whichrequiressignaturesbothfromtheregistryandfromtheownerto
unlock.Inthiscaseownercannottransferhispropertywithoutinteractionwithregistry,however,
neithercanregistrydotransactionswithoutowner'sconsent.Thisscehemecanprovideextra
security:aregistrycanperformadditionalauthenticationstepstomakesurethattransferis
correctlyauthorized.

Forextratransparency,detailsaboutthetransfercanbeembeddedintothetransaction,andthus
preservedintheblockchain.

Ownershipoverrides
Inanidealworld,wewouldallrelyoncryptographyanddistributedconsensus.Butourworldisn't
ideal,thuswehavetodealwiththefactthatownershipcanbechanged,forexample,through
litigation.Asystemwhichcannotaddressthisissuecanbeimpractical.

Webelievethatthebestwaytoaddressthisistooverrideassociationontheregistrylevel,aswe
arerelyingonatrustedthirdpartyanyway.Aregistryshouldcomplywithcourt'sorderstoreassign
ownership.

Ifweassumethatappendonlylogisusedasacatalog(i.e.eachentryispublishedinthe
blockchain),thenaregistrywillneedtopublishanotherentrywithsameidentifierandaflagthatan
oldoneisreplaced.Abuyerwhoisinterestedinthepropertywillbeabletodetectthesituation
andpaycloserattention.
Conclusion
Ablockchainbasedpropertyownershiprecordingsystemdescribedinthisarticleeliminatesmost
potentialfailuresandattacksthroughtransparencyanduseofcryptographicprimitivesfor
authentication.Thusitcanbeusedtoreducerelianceontrustedthirdparties,reducecosts
(throughautomatization)andreducenumberfraudanderrors.

AppendixA:Technicalimplementation

Overview
Inthisappendixwewillcoveranimplementatonofblockchainbnasedpropertyownership
recordingsystemusingtheBitcoinblockchainandcoloredcoins.

WeneedtotakeintoaccountthattheBitcoinblockchainspaceisascarceandvaluableresource,
thusitcannotbeusedforpublishingarbitraryinformation.Insteadofthat,wewillhashinformation
wewishtopublish,andembedthosehashesintotransactions.Informationitselfcanbeobtained
fromapartywhichgeneratedit,i.e.theregistry.Thiswaywestillgetaconsensusoverwhat
informationwaspublished,butonlyaslongasregistryisaccessibleandcanprovideinformation.

Headersonlyclients
Ideally,wewantclientstobeabletoverifyinformationwithouttheneedtoscanthewhole
blockchain,i.e.havingonlyheadersandrelevantdata.Butwewon'taddressthisissueindetail,
andinsteadwillassumethatclientisabletoscanthewholeblockchain.

Registry
WeassumethataregistryisassociatedwithacertainBitcoinaddressorasetofaddresses
whichitwillusetopublishpropertyassociationtransactions.

Eachsuchtransaction:

containsaninputspendingcoinsfromregistry'sBitcoinaddress
hasdatacontainedinOP_RETURNoutput(seebelow)
hasagenesisoutputwhichassignscoloredcointopropertyowner
Ifepobccolorkernelisbeingused,transactionmustalsobeavalidepobcgenesistransaction.

Dataconsistsofa'propertyassociationentry'tagandahashoftheregistrationentry.

Inthemostbasicformregistrationentryisjustapropertyidentifier,however,itcanalsocontain
metadata,suchasadateofregistation,ahashofadocumentwhichwasprovidedduring
registation,ahashorregistrationrequestandsoon.

AregistrymustprovideanAPIwhichallowsclientstofetchregistationentriesbytheirhashes.

Chainofentries

Inordertomakeitpossibleforthinclientstoverifythatthecompletecatalogisdownloaded,all
propertyassociationtransactionsmustbeorganizedintoachain:eachsuchtransactionmusthave
anininputlinkedtoanoutputofprevioussuchtransaction.Conceptually,wecanseeitasa
coloredcoinwhichisassociatedwiththeregistryitself:itmustbeusedineveryassocation
transaction.Havingregistry'schaingenesistransactionandcurrentUTXO,athinclientcanobtain
thewholechain.

Transfertransactions
Inthemostsimplecases,somethingassimpleasepobccolorkernelcanbeusedfortransfer
transactions.Theadvantageofusingepobcisthatitiswelltestedandwillbeinteroperablewith
othercoloredcoinswhicharebasedonepobc.(E.g.itispossibletobuyacoloredcoin
representedhouseusingcoloredcoinrepresentedgoldusinganatomictransaction.)

Ifitisdesirable,itispossibletoembdedahashofmetadataaboutthetransferinOP_RETURN
output.Thismetadatacanincludethenameofnewowner,dateoftransactionandsoon.

epobciscompatiblewithmultisigscripts,thusitisn'tnecessarytomodifycolorkerneltoenable
multisiguse.

Clientsoftware
Clientsoftwarecanbeconsideredanormalcoloredcoinwalletwithextrafunctionality:

Itshouldbeabletoobtainanentirecatalogofaspecifiedregistry,eitherbyscanningthe
wholeblockchain,orthroughtheprocesswhichscansthechain.
Itshouldbeabletorepresentpropertyidentifiersinahumanreadableform,toprovideaway
tosearchforaspecificentry,checkforduplicatesetc.
Provideawayforanownertoauthenticatehimself,i.e.signamessagewithaprivatekey
correspondingtopropertyheowns.
Provideawaytoverifyauthentication:findapublickeycorrespondingtoaspecificproperty
andcheckmessagesignature.
Ifaspecialmultisignatureisbeingused,clientsoftwaremustbeabletocreatetransactions
withit.