Tamper-evident audit logs: how hash chaining and signatures work
Every compliance regime asks for audit logs, but a log file the operator can edit is not evidence — after an incident, "here is our log" carries no weight if you could have changed it. Tamper-evidence closes that gap: it makes any alteration to the record detectable, so a log becomes something an auditor, regulator or court can actually rely on.
Hash chaining links every entry
Each log entry includes the cryptographic hash of the previous entry, forming a chain. Change one byte of any past record — or delete an entry — and every hash downstream no longer matches, so the tampering is immediately visible. This is the same construction that underpins blockchains, applied to a private log. It does not require distributed consensus; it just makes the record self-checking, so edits cannot pass silently.
Signatures make it non-repudiable
Hash chaining detects alteration, but you also need to prove who produced the record and prevent someone from rebuilding the whole chain to hide a change. Signing entries — or periodic checkpoints of the chain — with a private key ties the record to a specific signer and stops silent reconstruction. Anyone with the public key can verify the signature and the chain together, establishing authenticity and integrity without trusting the log’s owner.
Why post-quantum, and the honest limit
Audit records often need to hold up for years — well into the window where classical signatures become forgeable — so sign with post-quantum ML-DSA (Dilithium, FIPS 204). Honest scope: tamper-evidence proves the record was not altered after signing and identifies who signed it; it does not prove the events were recorded honestly in the first place, which depends on capturing entries at the source. The crypto is resistant to known attacks per NIST, not unbreakable.
Try it yourself — live, free, verifiable in 30 seconds:
Make records tamper-evident with ProofMind →