Our modern world relies on a growing number of interconnected and interacting devices, leading to a plethora of logs establishing audit trails for all kinds of events. Simultaneously, logs become increasingly important for forensic investigations, and thus, an adversary will aim to alter logs to avoid culpability, e.g., by compromising devices that generate and store logs. Thus, it is essential to ensure that no one can tamper with any logs without being detected. However, existing approaches to establish tamper evidence of logs do not scale and cannot protect the increasingly large number of devices found today, as they impose large storage or network overheads. Additionally, most schemes do not provide an efficient mechanism to prove that individual events have been logged to establish accountability when different devices interact. This paper introduces a novel scheme for practical large-scale tamper-evident logging with the help of a trusted third party. To achieve this, we present a new binary hash tree construction designed around timestamps to achieve constant storage overhead with a configured temporal resolution. Additionally, our design enables the efficient construction of shareable proofs, proving that an event was indeed logged. Our evaluation shows that, using practical parameters, our scheme can localize any tampering of logs with a sub-second resolution, with a constant overhead of ~8 KB per hour per device.
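To make the idea of a hash tree indexed by timestamps concrete, the following added example (not the paper's construction or code) builds a generic fixed-depth SHA-256 Merkle tree whose leaves are time slots, then produces and checks a shareable proof that one event was logged. The depth, window length, domain-separation bytes, all function names and the sample events are assumptions made for illustration.

```python
import hashlib

DEPTH = 4              # assumed: 2**4 = 16 time slots per window
WINDOW_SECONDS = 16    # assumed window length, so one slot covers 1 second
EMPTY = b"\x00" * 32   # fixed value for a slot with no events

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def slot_of(ts, window_start):
    """Map a timestamp to its leaf index; the slot width is the temporal resolution."""
    return int((ts - window_start) * (1 << DEPTH) / WINDOW_SECONDS)

def build_levels(events, window_start):
    """events: list of (timestamp, message bytes). Returns (tree levels, per-slot event hashes)."""
    slots = [[] for _ in range(1 << DEPTH)]
    for ts, msg in events:
        slots[slot_of(ts, window_start)].append(h(b"\x00", msg))
    # Tree size depends only on DEPTH, never on how many events were logged.
    levels = [[h(b"\x01", *s) if s else EMPTY for s in slots]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(b"\x02", prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels, slots

def prove(levels, slots, index):
    """Shareable proof: the slot's event hashes plus one sibling hash per tree level."""
    path, i = [], index
    for level in levels[:-1]:
        path.append(level[i ^ 1])
        i >>= 1
    return {"slot": index, "event_hashes": slots[index], "path": path}

def verify(root, msg, proof):
    """Check that msg was logged in proof['slot'] under the given root."""
    if h(b"\x00", msg) not in proof["event_hashes"]:
        return False
    node, i = h(b"\x01", *proof["event_hashes"]), proof["slot"]
    for sibling in proof["path"]:
        node = h(b"\x02", sibling, node) if i & 1 else h(b"\x02", node, sibling)
        i >>= 1
    return node == root

# Constructed sample events: (timestamp, message); the window starts at t = 100.
WINDOW_START = 100
EVENTS = [(100.2, b"login alice"), (100.7, b"sudo alice"), (109.5, b"logout alice")]

if __name__ == "__main__":
    levels, slots = build_levels(EVENTS, WINDOW_START)
    proof = prove(levels, slots, slot_of(100.7, WINDOW_START))
    print(verify(levels[-1][0], b"sudo alice", proof), len(proof["path"]))
```

In this sketch the root is the only value a verifier needs to hold, and a rewritten event changes the root, so a proof issued before the change no longer verifies against it.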