Received 02.09.2025, Revised 10.11.2025, Accepted 23.12.2025

Tamper-resistant architecture of Server-Driven UI with real-time Merkle proof verification

Vladyslav Ananchenko, Yurii Lotiuk

Server-driven user interface systems require protection from unauthorised modifications to ensure the integrity and security of displayed data. The purpose of this study was to develop a cryptographically verifiable change log of the user interface for systems with a Server-Driven User Interface. Within the study, methods of theoretical modelling, experimental testing, software implementation, and analysis of the regulatory framework were applied to design, verify, and evaluate a cryptographic change log in a client-interface environment. The main results showed that the use of signed structured interface blocks with hashing and digital signatures ensured the impossibility of undetected interface modification on the client side. Construction of the change log based on a hash tree guaranteed authenticity, immutability, and cryptographic verification of each interface element even under complex distributed conditions. Integration with advanced React rendering mechanisms enabled real-time verification of interface authenticity, ensuring compliance with international standards for personal data protection and transaction security. Furthermore, the results showed that client verification of Merkle proofs for blocks in React detected modifications before rendering, with an average verification time of 0.328 milliseconds per block. Auditing of blueprint file changes and the publish-subscribe system ensured data traceability and relevance, while component rendering after updates lasted only 2.7 milliseconds for the main component and 0.4 milliseconds for the button. Experiments confirmed a 94% attack-blocking rate, a reduction in rendering latency (from 850 to 300 milliseconds under slow network conditions), and a cache hit rate maintained at 94-95% under low load. Combined with improved key interface-interaction metrics, these results demonstrate the effectiveness of the proposed architecture. 
The obtained findings may be used by developers of critical web applications to implement secure interfaces that verify integrity in real time and comply with international security requirements.
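
The client-side check the abstract describes, verifying a Merkle proof for each interface block before it is rendered, looks like this in JavaScript. It is an added example, not the authors' implementation: the block shape, the canonical-JSON serialisation, the 0x00/0x01 hash prefixes and every function name are assumptions, and the trusted root is assumed to have been authenticated already (for instance by the digital signature the abstract mentions).

```javascript
// Added example: block shape, names and hashing layout are assumptions, not the paper's code.
const { createHash, timingSafeEqual } = require("node:crypto");
const sha256 = (...parts) => {
  const h = createHash("sha256");
  for (const p of parts) h.update(p);
  return h.digest();
};
// Deterministic JSON: object keys are sorted, so equal blocks always hash equally.
const canonical = (v) =>
  Array.isArray(v) ? `[${v.map(canonical).join(",")}]`
  : v && typeof v === "object"
    ? `{${Object.keys(v).sort().map((k) => `${JSON.stringify(k)}:${canonical(v[k])}`).join(",")}}`
  : JSON.stringify(v);
// Domain separation (0x00 leaf, 0x01 inner node): a leaf can never be passed off as a node.
const leafHash = (block) => sha256(Buffer.from([0]), canonical(block));
const nodeHash = (l, r) => sha256(Buffer.from([1]), l, r);
// Server side: build every tree level; an unpaired node is promoted unchanged.
function buildLevels(blocks) {
  const levels = [blocks.map(leafHash)];
  while (levels.at(-1).length > 1) {
    const prev = levels.at(-1), next = [];
    for (let i = 0; i < prev.length; i += 2)
      next.push(i + 1 < prev.length ? nodeHash(prev[i], prev[i + 1]) : prev[i]);
    levels.push(next);
  }
  return levels;
}
// Server side: sibling path (hash plus which side it sits on) for the block at `index`.
function buildProof(levels, index) {
  const proof = [];
  for (const level of levels.slice(0, -1)) {
    const sib = index ^ 1;
    if (sib < level.length) proof.push({ hash: level[sib], left: sib < index });
    index >>= 1;
  }
  return proof;
}
// Client side: recompute the root from block + proof; the caller renders only on `true`.
function verifyBlock(block, proof, trustedRoot) {
  let h = leafHash(block);
  for (const step of proof) h = step.left ? nodeHash(step.hash, h) : nodeHash(h, step.hash);
  return h.length === trustedRoot.length && timingSafeEqual(h, trustedRoot);
}
// Constructed sample blueprint (not taken from the paper).
const BLOCKS = [
  { id: "title", type: "Text", props: { value: "Transfer funds" } },
  { id: "amount", type: "Input", props: { label: "Amount" } },
  { id: "pay", type: "Button", props: { label: "Pay", action: "/api/pay" } },
];
```

A block whose `action` or label was altered after the root was issued recomputes to a different root, so `verifyBlock` returns `false` and the component is never mounted.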

cryptographically verifiable change log; principle of non-repudiation; evolution of React; overhead evaluation; cache hit rate
9-22
Ananchenko, V., & Lotiuk, Yu. (2025). Tamper-resistant architecture of Server-Driven UI with real-time Merkle proof verification. Information Technologies and Computer Engineering, 22(3), 9-22. https://doi.org/10.31649/vitce/3.2025.09
