AuthSC: Mind the Gap between Web and Smart Contracts (2004.14033v1)

Abstract: Although almost all information about Smart Contract addresses is shared via websites, emails, or other forms of digital communication, Blockchains and distributed ledger technology are unable to establish secure bindings between websites and corresponding Smart Contracts. For a user, it is impossible to differentiate whether a website links to a legitimate Smart Contract set up by owners of a business or to an illicit contract aiming to steal users' funds. Surprisingly, current attempts to solve this issue mostly comprise of information redundancy, e.g., displaying contract addresses multiple times in varying forms of images and texts. These processes are burdensome, as the user is responsible for verifying the correctness of an address. More importantly, they do not address the core issue, as the contract itself does not contain information about its authenticity. To solve current issues for these applications and increase security, we propose a solution that facilitates publicly issued SSL/TLS-certificates of Fully-Qualified Domain Names (FQDN) to ensure the authenticity of Smart Contracts and their owners. Our approach combines on-chain identity assertion utilizing signatures from the respective certificate and off-chain authentication of the Smart Contract stored on the Blockchain. This approach allows to tackle the aforementioned issue and further enables applications such as the identification of consortia members in permissioned networks. The system is open and transparent, as the only requirement for usage is ownership of an SSL/TLS-certificate. To enable privacy-preserving authenticated Smart Contracts, we allow one-way and two-way binding between website and contract. Further, low creation and maintenance costs, a widely accepted public key infrastructure and user empowerment will drive potential adaption of Ethereum Authenticated Smart Contracts (AuthSC).