Blockchain Meet Oracle

Introducing ProvenDB for Oracle

Guy Harrison
ProvenDB
10 min readMar 3, 2021

--

The invention of digital storage has revolutionized our world even more than digital computing. While the first generation of digital computers were used almost exclusively for number-crunching, today computers are far more likely to be used for information management. Without the digital storage capabilities provided by today's database management systems, our “Big Data” world could not exist.

Information technology has changed our lives — but not always for the better. Advances in database technology allow us to process a far greater Velocity, Volume, and Variety of data than ever before. These are the famous “three Vs” of Big Data. However, there’s a missing V in this formulation — Veracity. Because digital information is so easy to copy and manipulate it’s also easy to fabricate or falsify. Once written, digital information can be overwritten without a trace. The result is the proliferation of fake news, forged and tampered documents, and a general reduction in trust within society.

There’s a missing “V” in the Big Data equation — Veracity

The problem of trust exists within database services as well. Typically, the contents of a database like Oracle are ultimately determined by application code or a DBA. If a row in the database has a creation date of two years ago, you generally have no practical way of proving that the row wasn’t really created or modified yesterday.

Blockchain offers a solution to the digital trust dilemma. Once written, public blockchain records cannot be overwritten. For the first time, we have a digital medium that is truly immutable and whose timestamp is absolutely trustworthy.

Blockchain offers a solution to the digital trust dilemma.

Unfortunately, a blockchain is not a database. It doesn’t provide the storage capabilities, functionality or throughput that we need to build modern applications. Therefore, if we want to use blockchain to add trust to modern applications we have to find a way to link blockchain to existing database systems.

ProvenDB for Oracle

We built ProvenDB to bridge the gap between blockchain and database systems. ProvenDB integrates a MongoDB-compatible database service with public blockchain capabilities; providing the best of both worlds — at least if you are happy with the MongoDB document database model.

However, if you want to integrate an Oracle database with a public blockchain you’ve been out of luck — until now! We are very happy to announce ProvenDB for Oracle, which allows you to anchor your Oracle data to the public blockchain of your choice. The resulting blockchain proofs allow you to prove the origin date of your Oracle data and to prove that the data has not been tampered with.

How it works

When data is added to or modified in a database being monitored by ProvenDB for Oracle, cryptographic signatures of the data are created. These signatures can be “signed” by your company’s cryptographic key (possibly the same key that guarantees the identity of your website). These signatures are aggregated and anchored to a public Blockchain such as Bitcoin, Hedera, or Ethereum.

ProvenDB for Oracle architecture

Once anchored to the public Blockchain, the signatures form an impeccable and irrefutable proof of the integrity and origin time of the Oracle rows. The Blockchain record — which cannot be altered by any known technology — proves the overall integrity and timestamp of items in the database, eliminating any possibility of undetected tampering or backdating.

ProvenDB for Oracle integrates with the Oracle Flashback query and Oracle Flashback Data Archive technologies. If these are enabled, ProvenDB for Oracle allows you to generate and validate proofs for historical data as well as the current contents of the database. Using ProvenDB for Oracle in conjunction with Oracle Flashback technologies, you can maintain a fully auditable, tamper-proof history of data changes with the integrity and provenance of every data item backed by immutable blockchain proofs.

What about 21c Oracle Blockchain tables?

Oracle 21c supports a new “Blockchain” table type. A blockchain table is an append-only table in which each new row is cryptographically dependent on a previous row. Oracle Blockchain tables serve a useful purpose but are not truly immutable or tamper-proof. A Database Administrator could potentially “fake” a blockchain table with an apparent timestamp simply by manipulating the system clock. To prevent tampering, Oracle recommends that you periodically export hashes and sequence numbers from the database so that any attempt to change these within the database can be detected[1].

ProvenDB for Oracle is compatible with Oracle Blockchain tables and can be used to create “real” blockchain anchors that will detect any attempt to create a falsified blockchain ledger. Furthermore, ProvenDB for Oracle offers capabilities in advance of the Oracle Blockchain table capability — it can be used with any table type, and can be used with Oracle versions prior to 21c.

[1] https://blogs.oracle.com/imc/managing-blockchain-tables-in-oracle-database-20c

Getting started

Download provendb-oracle from the ProvenDB for Databases home page at https://www.provendb.com/solutions/fordatabases. Run the installation script to install the provendb-oracle binaries on your desktop.

Next thing is to install our metadata tables into your target Oracle instance:

% provendb-oracle install --oracleConnect=mubuntu.local:1521/orcl \         --provendbUser=myProvenDB   --createDemoAccount \
--config=myConfigFile.yaml --sysPassword=oracle \
--provendbPassword=a_12Burewoww6
13:29:25.922 INFO Connecting to Oracle as SYS...
13:29:26.476 INFO Connected to SYS
13:29:26.477 INFO Installing ProvenDB for Oracle users and tables
13:29:26.477 INFO Creating myProvenDB user
13:29:26.782 INFO Creating myProvenDBdemo account
13:29:26.928 INFO Installing ProvenDB user tables
13:29:27.343 INFO Connected to myProvenDB
13:29:27.583 INFO Creating demo tables
13:29:27.757 INFO Connected to myProvenDBdemo
13:29:28.232 INFO Install complete
13:29:28.239 INFO Wrote new config to myConfigFile.yaml

We created a new user myProvenDB and created some demo tables into the myProvenDBDemo account. We created a configuration file myConfigFile.yaml that contains these connection credentials.

Next, we need to get an API key for the ProvenDB service. Sign up for a free ProvenDB account at provendb.com. Then from the ProvenDB dashboard, select “Manage API Keys” from the left menu bar (1), Click the “+” symbol to generate a new API key (2), Select “Proofable” as the application type (3) and then click “Generate New Token” (4)

Copy the resulting API key and keep it safe.

The API key needs to be added to the configuration file that you created when you installed the Oracle tables. Using an editor of your choice, add that token to the file:

You can also change your default blockchain here. By default, we use Hedera HashGraph, but you can also choose ETH_MAINNET for Ethereum or BTC_TESTNET for the Bitcoin blockchain (test net only in the current release). You can also use the test nets for any of these blockchains if you want very fast response times for testing purposes. Of course, proofs written to test nets are not immutable and should not be used for production.

Anchoring data to the Blockchain.

Now that we have configured provendb-oracle, we are ready to anchor data to the blockchain. Here’s a simple example where we anchor some data from one of the demo tables:

% provendb-oracle anchor --config=myConfigFile.yaml \
--tables=MYPROVENDBDEMO.CONTRACTSTABLE — where=”CONTRACTID<=10"

14:05:23.623 INFO Anchoring Tables: MYPROVENDBDEMO.CONTRACTSTABLE
14:05:25.354 INFO Connecting to Proofable
14:05:25.569 INFO MYPROVENDBDEMO.CONTRACTSTABLE is not flashback managed
14:05:25.591 INFO Processing MYPROVENDBDEMO.CONTRACTSTABLE
14:05:25.591 INFO Where: CONTRACTID<=10
14:05:25.636 INFO → Anchoring data to HEDERA
14:05:25.636 INFO 10 keys
Anchoring proof: BATCHING
Anchoring proof: QUEUING
Anchoring proof: PROCESSING
Anchoring proof: PENDING
Anchoring proof: CONFIRMED
14:05:51.173 INFO Proof tDDdgnRO2tFHP6ziPO00T9 created and stored to DB

We’ve taken 10 rows from the CONTRACTSTABLE, created digital signatures for them, and posted that signature to the blockchain. We can now check to make sure that nothing has changed since the proof was created:

% provendb-oracle validate --proofId=tDDdgnRO2tFHP6ziPO00T9 
--config=myConfigFile.yaml

14:09:41.110 INFO Connecting to Proofable
14:09:41.131 INFO Validating proofId: tDDdgnRO2tFHP6ziPO00T9
14:09:41.131 INFO Retrieving proof details for tDDdgnRO2tFHP6ziPO00T9
14:09:41.230 INFO MYPROVENDBDEMO.CONTRACTSTABLE is not flashback managed
14:09:41.240 INFO Getting Proof
14:09:41.925 INFO Loading table data
14:09:41.926 INFO Processing MYPROVENDBDEMO.CONTRACTSTABLE
14:09:41.926 INFO Where: CONTRACTID<=10
14:09:41.955 INFO Validating table data against proof
{
trie: {
id: ‘tArSqAWPsoG8RS_ya7hfzZ’,
root: ‘4310a5a0748c87e11ca0064e58669de5f01173c95cac10954c3aafbd0abd3385’
},
proof: {
id: ‘pdWvjIUOaOHbWPyKm-0bOk’,
verified: true,
/* I removeded some info here */
txnUri: ‘https://explorer.kabuto.sh/testnet/transaction/5555ff6680d596e4486d822f11c851c1f5bcb58c5d0e1eb082c1374ac7d660abec49ba112212274fd93ef4f1111ff0fd'
},
keyValues: { total: 10, passed: 10, changed: [], untracked: [], missing: [] }
}
14:09:42.597 INFO All keys validated
14:09:42.598 INFO Proof written to tDDdgnRO2tFHP6ziPO00T9.provendb

So for instance, if I issue an update against the CONTRACTSTABLE:

% sqlplus  myprovendbdemo/a_12Burewoww6@mubuntu.local:1521/orclConnected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> update contractstable set mytimestamp=sysdate;100 rows updated.SQL> commit;Commit complete.

Then, as expected, validation fails:

% provendb-oracle validate --proofId=tDDdgnRO2tFHP6ziPO00T9 --config=myConfigFile.yaml
16:26:35.816 INFO Connecting to Proofable
16:26:35.827 INFO Validating proofId: tDDdgnRO2tFHP6ziPO00T9
16:26:35.924 INFO MYPROVENDBDEMO.CONTRACTSTABLE is not flashback managed
16:26:35.931 INFO Getting Proof
16:26:36.487 INFO Loading table data
16:26:36.487 INFO Processing MYPROVENDBDEMO.CONTRACTSTABLE
16:26:36.487 INFO Where: CONTRACTID<=10
16:26:36.510 INFO Validating table data against proof
{
trie: {
id: 't-09HHXlqJ8AVeuuzCjblC',
/* some information removed */
txnUri: 'https://explorer.kabuto.sh/testnet/transaction/5555ff6680d596e4486d822f11c851c1f5bcb58c5d0e1eb082c1374ac7d660abec49ba112212274fd93ef4f1111ff0fd'
},
keyValues: {
total: 10,
passed: 0,
changed: [
'AAATlwAAMAAAL20AAA',
'AAATlwAAMAAAL20AAB',
'AAATlwAAMAAAL20AAC',
'AAATlwAAMAAAL20AAD',
'AAATlwAAMAAAL20AAE',
'AAATlwAAMAAAL20AAF',
'AAATlwAAMAAAL20AAG',
'AAATlwAAMAAAL20AAH',
'AAATlwAAMAAAL20AAI',
'AAATlwAAMAAAL20AAJ'
],
untracked: [],
missing: []
}
}
16:26:36.845 ERROR Proof not validated!
16:26:36.851 INFO Proof written to tDDdgnRO2tFHP6ziPO00T9.provendb```

Tracking historical versions

For insert only data — such as in Oracle blockchain tables — these static proofs are very useful. They can be used to prove — without a doubt — that no-one has modified table data since it was inserted. However, what about the more common case where updates are allowed?

We can create a proof for a historical version of a row using the Oracle System Change Number (SCN) to create a proof against a snapshot of the table data. This is done by using the — includeScn flag of the anchor command.

provendb-oracle anchor --config=myConfigFile.yaml --tables=MYPROVENDBDEMO.CONTRACTSTABLEFBDA --includeScn
16:31:30.160 INFO Anchoring Tables: MYPROVENDBDEMO.CONTRACTSTABLEFBDA
16:31:30.463 INFO Connecting to Proofable
16:31:30.515 INFO Flashback Archive last Purge Time 2021-02-01T10:29:25.000Z
16:31:30.523 INFO Processing MYPROVENDBDEMO.CONTRACTSTABLEFBDA
16:31:30.523 INFO Where:
16:31:30.628 INFO --> Anchoring data to HEDERA
16:31:30.628 INFO 100 keys
Anchoring proof: PROCESSING
Anchoring proof: PENDING
Anchoring proof: CONFIRMED
16:31:54.306 INFO Proof tMAT6g1vzkNeJt5NYaftjX created and stored to DB

These proofs can be used to validate a specific version of a row. We can see what versions exist for a specific row using the history command. For instance, here we see we have proofs for three different versions of a specific row:

% provendb-oracle history --config=myConfigFile.yaml 
--tables=MYPROVENDBDEMO.CONTRACTSTABLEFBDA --where=contractid=1
Table: MYPROVENDBDEMO.CONTRACTSTABLEFBDA
-----------------------------------------
Rowid Proof key
startDate endDate
AAATlyAAMAAAL3EAAA tMAT6g1vzkNeJt5NYaftjX AAATlyAAMAAAL3EAAA.3801760
2021-02-01T13:31:30.000Z 2021-02-01T13:31:30.000Z
AAATlyAAMAAAL3EAAA tMT57jXfxcH67ZehDb2oHM AAATlyAAMAAAL3EAAA.3802072
2021-02-01T13:32:45.000Z 2021-02-01T13:32:45.000Z
AAATlyAAMAAAL3EAAA t-DHayZWlMceGFAUm3zKKC AAATlyAAMAAAL3EAAA.3802246
2021-02-01T13:33:12.000Z 2021-02-01T13:33:12.000Z

If the table is managed by a Flashback Data archive, then we can confirm the validity of the row at any time. Even if there is no Flashback archive, we can still export a copy of the data and the proof when the proof is created — I’ll explain how to do that in a future post.

Here we validate a row for a specific Rowid and SCN combination (the RowId identifies the unique row, and the SCN identifies the specific snapshot):

% provendb-oracle validate --config=myConfigFile.yaml --rowId=AAATlyAAMAAAL3EAAA.380207216:45:44.177 INFO  Validating row: AAATlyAAMAAAL3EAAA.3802072
16:45:45.302 INFO Rowid validation passed {"total":1,"passed":1,"changed":[],"untracked":[],"missing":[]}
16:45:45.306 INFO Wrote proof for AAATlyAAMAAAL3EAAA.3802072 to AAATlyAAMAAAL3EAAA.3802072.provendb
16:45:45.306 INFO Row proof written to AAATlyAAMAAAL3EAAA.3802072.provendb

Monitoring for changes

It would be very tedious to have to issue provendb-oracle commands whenever a transaction occurred. Therefore we offer the monitor command which will watch for changes in table data. In it’s simplest form, the monitor command looks for any changes in the table, though you can specify a WHERE clause as well if you want.

% provendb-oracle monitor  --config=myConfigFile.yaml --tables=MYPROVENDBDEMO.CONTRACTSTABLEFBDA16:56:20.984 INFO  Checking all tables...
16:56:21.037 INFO Flashback Archive last Purge Time 2021-02-01T10:29:25.000Z
16:56:21.052 INFO Monitoring with 120ms interval.
16:56:21.053 INFO Processing all table changes
16:56:21.053 INFO Processing MYPROVENDBDEMO.CONTRACTSTABLEFBDA
16:56:21.053 INFO Where:
16:56:21.081 INFO Start SCN=3803479 current SCN=3803479
16:56:21.166 INFO --> Anchoring data to HEDERA
16:56:21.166 INFO 100 keys
Anchoring proof: BATCHING
Anchoring proof: QUEUING
Anchoring proof: PROCESSING
Anchoring proof: PENDING
Anchoring proof: CONFIRMED
16:56:45.367 INFO Sleeping for 120 seconds
16:56:45.367 INFO Will awake on dbms_alert
16:58:47.516 INFO Processing all table changes
16:58:47.517 INFO Processing MYPROVENDBDEMO.CONTRACTSTABLEFBDA
16:58:47.517 INFO Where:
16:58:47.530 INFO Start SCN=3803479 current SCN=3803570
16:58:47.562 INFO No new data to anchor
16:58:47.562 INFO Sleeping for 120 seconds

In this example, monitor looked for changes in the CONTRACTSFBDA table, awaking every 120 seconds to do so. Provendb-oracle uses flashback queries to check for all changes during this period — so even if a row had been updated multiple times, we’d still capture all of the changes.

You can configure a DBMS_ALERT to wake up the monitor whenever a transaction completes against the table. See the documentation for an example of this.

Give it a try

ProvenDB for Oracle is now available for early adopters. You can download the binaries for Linux, windows or mac here, and follow the instructions in the documentation to install the utility. We’d love to hear what you think.

ProvenDB uses Blockchain technology to provide the world’s first entirely trustworthy database. Immutable versions of database state are anchored to the Blockchain, delivering an unparalleled level of data integrity. ProvenDB allows developers to build high-performance applications that include cryptographic proof of data integrity and provenance without having to understand Blockchain programming complexities. Setup a free account today at ProvenDB.com.

--

--

Guy Harrison
ProvenDB

CTO at ProvenDB.com. Author of many books on database technology. Hopeless old geek. http://guyharrison.net