Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
1228 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
TABLE I. Comparison of Redactable Blockchain
attributes to a trapdoor holder and the registered transaction is specified by an access structure. The trapdoor holder can rewrite the transaction if his/her attributes satisfy the associated access structure. They left the decentralized construction of PCH as future work (in [16], Page 7, Remark 2). Based on PCH, many subsequent works have been introduced that mainly focus on usability, such as accountability [17], [22], self-management [19], revocability [18], [20], and k-time modification operation [23]. A decentralized PCH is missing from the literature. In the permissionless setting [24], blockchain rewriting is based on a consensus-based e-voting mechanism [25] to eliminate the risk posed by a central structure. Each chain participant can propose a rewriting request, and the request is executed if it gathers enough votes. In TABLE I, we list several differences among the current redactable blockchain technologies.

B. Motivation

Several security concerns exist in current redactable blockchain solutions. The PCH-based blockchain rewriting mechanism requires a fully trusted central authority, which is a very strong assumption since the privilege of the central authority is beyond any control. The central authority, holding the rewriting privileges of every access policy, can manipulate any registered object to control the blockchain. Moreover, a malicious central authority may frame an innocent chain participant for misbehaviors, e.g., performing malicious rewriting or selling rewriting privileges. Such a centralized construction is a very obvious attack target and a shortcoming of the current PCH-based redactable blockchain.

The consensus-based blockchain rewriting mechanism is based on consensus-based e-voting technology, which is vulnerable to bribing and selfish mining attacks [26]. In reality, a malicious miner may collude with others to control the rewriting privilege. Moreover, rational miners may spend more on mining than on verifying whether a rewriting request is reasonable. Furthermore, it faces several security issues since rational miners could be bribed and the rewriting privilege could be compromised by a selfish mining attack. Although proactive secret sharing [27] can be used to offer a decentralized construction in blockchain, it requires that the majority of group members be trusted, and there are multiple interactions for selecting group members and holding the secret key. Hence, the following problem arises naturally:

"Can we design a practical and secure redactable blockchain without the fully trusted central authority?"

C. Contribution

In this paper, we give an affirmative answer to the above problem by introducing a novel cryptographic notion, called decentralized policy-based chameleon hash (DPCH). DPCH resists collusion attacks among authorities and trapdoor holders. To improve performance, our solution does not require any interaction between authorities. The major contributions of this work are threefold.

• Decentralized transaction-level blockchain rewriting. We introduce the first transaction-level blockchain rewriting controlled in a fine-grained way without any fully trusted central authority. Compared to the previous solutions, our solution offers a stronger security model that allows the adversary to compromise the authority.

• Generic construction of DPCH with rigorous security proofs. To formalize our solution, we introduce the novel cryptographic notion DPCH with a formal definition and present three security models for DPCH by considering different types of adversaries. A unique feature of DPCH is that it supports decentralized authorization in the permissioned setting. We give the first generic framework of DPCH with rigorous security proofs.

• Practical instantiation with performance analysis. We give an instantiation of DPCH based on prime-order pairing and RSA groups, as in the previous solution [16]. We validate its practicality via implementation and evaluation, which demonstrates that our DPCH can be effectively integrated into a blockchain and enjoys better performance than the state-of-the-art solution.

II. OVERVIEW

In this section, we provide a high-level overview of our solution and the intuition behind it. Our decentralized blockchain rewriting mechanism is based on DPCH. DPCH is built from a chameleon hash, a digital signature, and multi-authority attribute-based encryption (MA-ABE). To highlight the intuition of our solution, we consider the simple system model in Fig. 1. There are three types of entities: a transaction owner, a transaction modifier, and a set of authorities.
MA et al.: REDACTABLE BLOCKCHAIN IN DECENTRALIZED SETTING 1229
supports the possible policies 2^U \ {∅} and the message space M. It involves three types of entities: authorities, data owners, and data users, and contains the following four algorithms:

ABE_MC.GlobalSetup(1^λ) → gp: The probabilistic global setup algorithm¹ takes as input a security parameter λ ∈ N, and outputs a public global parameter gp.

¹ The setup algorithm needs a trusted environment, but it does not output any secret information. For simplicity, in our proposed redactable blockchain, we assume the global parameter gp is a part of the blockchain system parameters.

ABE_MC.AuthSetup(θ) → (pk_θ, sk_θ): The probabilistic authority setup is run by the authority θ ∈ U. On input an authority identifier θ ∈ U, it outputs a public-secret key pair (pk_θ, sk_θ).

ABE_MC.KeyGen(gid, sk_θ, A) → sk_{gid,A}: The probabilistic key generation algorithm is run by the authority θ ∈ U. On input a global identifier gid ∈ GID, a secret key sk_θ and an attribute A ∈ U, it outputs a secret key sk_{gid,A}, where A ∈ U is the attribute controlled by the authority θ ∈ U.

ABE_MC.Enc({pk_θ}, A, m) → c: The probabilistic encryption algorithm is run by each data owner. On input a set of public keys {pk_θ}, an access structure A ⊆ 2^U \ {∅} and a message m ∈ M, it outputs a ciphertext c, where {pk_θ} is the public key set of the relevant authorities whose attributes are used to derive the access structure A ⊆ 2^U \ {∅}.

ABE_MC.Dec({sk_{gid,A}}, c) → m: The deterministic decryption algorithm is run by the data user gid ∈ GID. On input a set of secret keys {sk_{gid,A}} and a ciphertext c, it outputs a message m ∈ M.

We recall the static security model [29] between a challenger and an attacker. In contrast to the standard model, the static model requires the adversary to send all of its queries at once, as soon as it receives the public parameters.

Definition 3 (Static Security): Let ABE_MC = (GlobalSetup, AuthSetup, KeyGen, Enc, Dec) be an MA-ABE scheme. The static security definition of MA-ABE in the chosen-ciphertext attack (CCA) setting is based on the following experiment:

Exp^static_{ABE_MC,A}(1^λ)
  L_S, L_Q ← ∅;
  gp ← ABE_MC.GlobalSetup(1^λ);
  (C, N, Q, Q', m_0, m_1, A*) ← A(gp);
    // C ⊆ U, N ⊆ U, C ∩ N = ∅
    // Q ⊆ {GID, U} for querying secret keys
    // Q' ⊆ {GID, U} for initializing users
  ∀θ ∈ N: (pk_θ, sk_θ) ← ABE_MC.AuthSetup(θ);
  ∀(gid, S) ∈ Q:   // S = (A_1, A_2, ..., A_k) and S ⊭ A*
    L_S ← L_S ∪ S;
    ∀A ∈ S:
      θ ← F(A);   // F: U → U maps attributes to their authority
      sk_{gid,A} ← ABE_MC.KeyGen(gid, sk_θ, A);
  ∀(gid', S') ∈ Q':   // S' = (A_1, A_2, ..., A_k)
    ∀A' ∈ S':
      θ ← F(A');
      sk_{gid',A'} ← ABE_MC.KeyGen(gid', sk_θ, A');
      L_Q ← L_Q ∪ {(gid', {sk_{gid',A'}})};
  b ← {0, 1};
  c* ← ⊥ if m_0, m_1 ∉ M ∨ |m_0| ≠ |m_1| ∨ A* ∩ L_S ≠ ∅,
    else c* ← ABE_MC.Enc({pk_θ*}, A*, m_b);   // {pk_θ*} = C ∪ N
  b' ← A^{O_Dec(·,·)}({pk_θ}, {gid', {sk_{gid',A'}}}, c*);
    // A gets the public keys of all non-corrupted authorities
    // and the secret keys of all users requested in Q'
  return 1 if b = b'.

Oracle O_Dec(gid, c)
  return ⊥ if c = c* ∨ (gid, {sk_{gid,A}}) ∈ L_Q for some {sk_{gid,A}};
  return ABE_MC.Dec({sk_{gid,A}}, c);

An MA-ABE scheme ABE_MC is said to be static secure if for any probabilistic polynomial-time (PPT) adversary A, the following advantage is negligible:

  Adv^static_{ABE_MC,A}(1^λ) = |Pr[Exp^static_{ABE_MC,A}(1^λ) = 1] − 1/2|.

Remark: Static security has been accepted in the decentralized MA-ABE schemes [29], [32], where decentralization means no interaction between the authorities. Selective security has been considered in the early works [28], [33]. However, these works need either a centralized authority to issue the secret key of each authority or multiple interactions among authorities to simulate a centralized authority. Hence, MA-ABE with selective security is not compatible with the setting of a decentralized blockchain. Therefore, we apply MA-ABE with static security as an important building block in our proposed decentralized redactable blockchain.

C. Chameleon Hash

Definition 4 (Chameleon Hashes): A chameleon hash CH contains the following 5 algorithms:

CH.Setup(1^λ) → pp: On input a security parameter λ ∈ N, the probabilistic setup algorithm outputs a public parameter pp.

CH.KeyGen(pp) → (pk, sk): On input a public parameter pp, the probabilistic key generation algorithm outputs a public-secret key pair (pk, sk).

CH.Hash(pk, m) → (h, r): On input pk and a message m ∈ M, the probabilistic hash algorithm outputs a hash h and a randomness r.

CH.Verify(pk, m, h, r) → {0, 1}: On input pk, m, h, and r, the deterministic verification algorithm outputs 1 if (h, r) is valid; otherwise, it outputs 0.

CH.Adapt(sk, m, m', h, r) → r': On input a secret key sk, m ∈ M, a message m' ∈ M, h and r, the deterministic adaption algorithm outputs a randomness r'.

We recall the security notions of chameleon hashes [30]: strong indistinguishability and collision resistance. Strong indistinguishability requires that the adversary cannot judge
whether the randomness r is derived from the hash algorithm or from the adaption algorithm. Collision resistance allows the adversary to access the adaption oracle, and the adversary cannot find any collision for messages which have not been queried to the adaption oracle.

Definition 5 (Strong Indistinguishability): The strong indistinguishability of a chameleon hash scheme CH = (Setup, KeyGen, Hash, Verify, Adapt) is based on the following experiment:

Exp^SIND_{CH,A}(1^λ)
  pp ← CH.Setup(1^λ);
  (pk, sk) ← CH.KeyGen(pp);
  b ← {0, 1};
  b' ← A^{O_HashOrAdapt(·,·)}(pp, pk, sk);
  return 1 if b = b'.

Oracle O_HashOrAdapt(m, m')
  (h, r) ← CH.Hash(pk, m');
  return (h, r) if b = 0;
  (h', r') ← CH.Hash(pk, m);
  r'' ← CH.Adapt(sk, m, m', h', r');
  return (h', r'').

DS.Setup(1^λ) → pp: On input a security parameter λ ∈ N, the probabilistic setup algorithm outputs a public parameter pp.

DS.KeyGen(pp) → (pk, sk): On input pp, the probabilistic key generation algorithm outputs a public-secret key pair (pk, sk).

DS.Sign(sk, m) → σ: On input sk and a message m ∈ M, the probabilistic signing algorithm outputs a signature σ.

DS.Verify(pk, m, σ) → {0, 1}: On input pk, m and σ, the deterministic verification algorithm outputs 1 if σ is a valid signature; otherwise, it outputs 0.

Definition 8 (EUF-CMA): The EUF-CMA security of a DS scheme is based on the following experiment:

Exp^{EUF-CMA}_{DS,A}(1^λ)
  pp ← DS.Setup(1^λ);
  Q ← ∅;
  (m*, σ*) ← A^{O_Sign(·)}(pp, pk);
  return 1 if m* ∉ Q ∧ DS.Verify(pk, m*, σ*) = 1.

Oracle O_Sign(m)
  σ ← DS.Sign(sk, m);
  Q ← Q ∪ {m};
  return σ.

A DS scheme is said to be EUF-CMA if for any PPT adversary A, the following advantage is negligible:

  Adv^{EUF-CMA}_{DS,A}(1^λ) = Pr[Exp^{EUF-CMA}_{DS,A}(1^λ) = 1].
attribute A ∈ U, and outputs a secret key sk_{gid,A} or a failure symbol ⊥ representing an invalid gid.

DPCH.Hash(pk, {pk_θ}, A, m) → (pk_etd, h, r, c): The probabilistic hash algorithm is run by the transaction owner. On input pk, a set of public keys {pk_θ}, an access structure A ⊆ 2^U \ {∅} and a message m ∈ M, it outputs a public key pk_etd, a hash h, a randomness r and a ciphertext c, where pk_etd is the public component of the ephemeral trapdoor and c seals the secret component sk_etd.

DPCH.Verify(pk, pk_etd, m, h, r) → {0, 1}: The deterministic verification algorithm is run by any entity. On input pk, pk_etd, m ∈ M, h and r, it outputs 1 if (h, r) is valid; otherwise, it outputs 0.

DPCH.Adapt(sk_gid, {sk_{gid,A}}, c, m, m', h, r) → r': The deterministic adaption algorithm is run by the transaction modifier. On input sk_gid, a set of secret keys {sk_{gid,A}}, c, messages m and m', h and r, it outputs a randomness r'.

B. Security Model of DPCH

This section presents three security models of DPCH, namely indistinguishability, outsider collision resistance, and insider collision resistance, based on the previous blockchain rewriting solution [16].

Definition 10 (Indistinguishability): The indistinguishability of DPCH is based on the following experiment:

Exp^IND_{DPCH,A}(1^λ)
  (pp, pk, sk) ← DPCH.Setup(1^λ);
  ({pk_θ}, {sk_θ}) ← A(pp, pk, sk);   // Corrupt all authorities
  b ← {0, 1};   // b impacts the returns of O_HashOrAdapt(·,·,·)
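As an added illustration (not the paper's code, and not its pairing/RSA instantiation), the following Python implements the five CH algorithms of Definition 4 with a toy discrete-log chameleon hash and wraps them in the two-component layout h = (h_0, h_1), r = (r_0, r_1) that DPCH.Hash, DPCH.Verify and DPCH.Adapt work with: component 0 is bound to the long-term trapdoor sk and component 1 to the ephemeral trapdoor sk_etd. The MA-ABE ciphertext c that seals sk_etd is omitted, so sk_etd is returned in the clear here; the group, base and sample transactions are constructed for the example.

```python
# Added example (not the paper's code or its pairing/RSA instantiation): a toy
# discrete-log chameleon hash exposing the five CH algorithms of Definition 4, plus a
# two-component wrapper mirroring the h = (h0, h1), r = (r0, r1) layout that the
# Theorem 2 and 3 reductions parse out of DPCH. Component 0 is bound to the long-term
# trapdoor sk, component 1 to the ephemeral trapdoor sk_etd. The MA-ABE ciphertext c
# that seals sk_etd is left out: sk_etd is returned in the clear here, which the real
# DPCH.Hash never does. Group: the Mersenne prime 2^127 - 1 (illustration only).
import hashlib
import math
import secrets

P = (1 << 127) - 1   # prime modulus M127; exponents are reduced mod P - 1
G = 3                # fixed base (constructed choice, not from the paper)


def encode(msg: bytes) -> int:
    """Map a message into the exponent space Z_{P-1} via SHA-256."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 1)


def ch_setup():
    """CH.Setup(1^lambda) -> pp: the public group description."""
    return (P, G)


def ch_keygen(pp):
    """CH.KeyGen(pp) -> (pk, sk): trapdoor x invertible mod P-1, pk = g^x."""
    p, g = pp
    while True:
        x = secrets.randbelow(p - 2) + 1
        if math.gcd(x, p - 1) == 1:
            return pow(g, x, p), x


def ch_hash(pp, pk, msg, r=None):
    """CH.Hash(pk, m) -> (h, r): h = g^encode(m) * pk^r with fresh uniform r."""
    p, g = pp
    if r is None:
        r = secrets.randbelow(p - 1)
    return (pow(g, encode(msg), p) * pow(pk, r, p)) % p, r


def ch_verify(pp, pk, msg, h, r) -> bool:
    """CH.Verify(pk, m, h, r) -> {0, 1}: deterministic recomputation."""
    return ch_hash(pp, pk, msg, r)[0] == h


def ch_adapt(pp, sk, msg, new_msg, h, r):
    """CH.Adapt(sk, m, m', h, r) -> r': solve encode(m) + x*r = encode(m') + x*r'
    (mod P-1); h itself is not needed since the hash is fixed by (m, r)."""
    p, _ = pp
    return ((encode(msg) - encode(new_msg) + sk * r) * pow(sk, -1, p - 1)) % (p - 1)


def dpch_hash(pp, pk, msg):
    """Toy DPCH.Hash: component 0 under the long-term pk, component 1 under a fresh
    ephemeral pk_etd. Returns (pk_etd, h, r, sk_etd) instead of (pk_etd, h, r, c)."""
    pk_etd, sk_etd = ch_keygen(pp)
    h0, r0 = ch_hash(pp, pk, msg)
    h1, r1 = ch_hash(pp, pk_etd, msg)
    return pk_etd, (h0, h1), (r0, r1), sk_etd


def dpch_verify(pp, pk, pk_etd, msg, h, r) -> bool:
    """Toy DPCH.Verify: both components must verify under their own keys."""
    return (ch_verify(pp, pk, msg, h[0], r[0])
            and ch_verify(pp, pk_etd, msg, h[1], r[1]))


def dpch_adapt(pp, sk, sk_etd, msg, new_msg, h, r):
    """Toy DPCH.Adapt: a modifier needs both the long-term trapdoor it registered with
    and the ephemeral trapdoor it would recover by decrypting c."""
    return (ch_adapt(pp, sk, msg, new_msg, h[0], r[0]),
            ch_adapt(pp, sk_etd, msg, new_msg, h[1], r[1]))


def demo(old=b"tx: pay 10 to alice, memo=invoice-42",
         new=b"tx: pay 10 to alice, memo=[redacted]"):
    """Rewrite a constructed transaction (sample messages, not from the paper) and
    return (original still verifies, two-trapdoor rewrite verifies,
    long-term-trapdoor-only rewrite verifies)."""
    pp = ch_setup()
    pk, sk = ch_keygen(pp)
    pk_etd, h, r, sk_etd = dpch_hash(pp, pk, old)
    r_new = dpch_adapt(pp, sk, sk_etd, old, new, h, r)
    old_ok = dpch_verify(pp, pk, pk_etd, old, h, r)          # (m, r) still valid
    full_ok = dpch_verify(pp, pk, pk_etd, new, h, r_new)     # (m', r') collides on h
    # Holding only sk: component 0 can be adapted, component 1 keeps its old r1.
    partial_ok = dpch_verify(pp, pk, pk_etd, new, h, (r_new[0], r[1]))
    return old_ok, full_ok, partial_ok


if __name__ == "__main__":
    print(demo())   # expected: (True, True, False)
```

The unchanged h is what stays on chain: the rewrite only replaces the randomness, and a party lacking the ephemeral trapdoor (which the real scheme gates behind the MA-ABE policy on c) cannot complete component 1.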
Now we observe that the hash or adapt oracle is simulated perfectly, and B wins with the same probability as A wins.

Theorem 2: The proposed DPCH is outsider collision resistant if the underlying chameleon hash is collision resistant.

Proof: We assume there exists a PPT adversary A that can break the outsider collision resistance of our proposed DPCH with non-negligible advantage. We can build a PPT simulator B that breaks the collision resistance of the underlying chameleon hash against the challenger C_CH with advantage Adv^CR_{CH,B}(1^λ) = Adv^OCR_{DPCH,A}(1^λ).

Setup: B generates the parameters (pp, pk, sk) by running DPCH.Setup(1^λ), except for the chameleon hash related component, which is taken from C_CH, and then initializes the authorities by running DPCH.Auth(θ) for all θ ∈ U to obtain a set of public keys {pk_θ} and a set of secret keys {sk_θ}.

Query: A can query the modifier register oracle O_ModReg(·,·) and the adaption oracle O_Adapt(·,·,·,·,·,·).

O_ModReg(gid, S): A queries the modifier register oracle on a global identifier gid and an attribute set S. It runs DPCH.ModSetup(sk, gid) to derive (sk_gid, σ_gid), and for each A ∈ S it finds the authority identifier θ ← F(A) and runs DPCH.ModKeyGen(pk, gid, σ_gid, sk_θ, A) to generate sk_{gid,A}. Note that the secret key (sk_gid, {sk_{gid,A}}) is kept by B since A is an outsider.

O_Adapt(gid, c, m, m', h, r): A queries on a global identifier gid, a ciphertext c, two messages (m, m'), a hash h and a randomness r. Parse r = (r_0, r_1) and h = (h_0, h_1). It forwards (m, m', r_0, h_0) to C_CH and obtains the randomness r_0'. It then runs DPCH.Adapt(gid, c, m, m', h, r) to derive the remaining randomness r_1'. It returns (r_0', r_1') to A.

Output: A outputs (pk*_etd, m*, r*, m'*, r'*, h*) to B. Parse r* = (r_0*, r_1*), r'* = (r_0'*, r_1'*) and h* = (h_0*, h_1*). B then forwards (m*, r_0*, m'*, r_0'*, h_0*) to C_CH.

Now we observe that the hash or adapt oracle is simulated perfectly, and B wins with the same probability as A wins.

Theorem 3: The proposed DPCH is insider collision resistant if the underlying MA-ABE provides static security in the CCA setting, the chameleon hash is collision resistant, and the digital signature scheme is EUF-CMA.

Recall the definition of the set of corrupt authorities as C ⊆ U ∪ {0} and the set of non-corrupt authorities as N ⊆ U ∪ {0}, where C ∩ N = ∅, C ≠ ∅ and N ≠ ∅. To prove this theorem, we consider the following four cases:

Case 1: C = {0}. In this case, the authority who initializes the global identifier gid and the long-term trapdoor sk_gid is the only corrupted authority, and the other authorities are honest. In this case, A can generate the long-term trapdoor sk and issue the signature σ_gid for newly joined modifiers. Hence, if A can win the game, we can build a simulator that breaks the static security of MA-ABE and the collision resistance of chameleon hash schemes with the advantage Adv^ICR_{DPCH,A}(1^λ) = q · (Adv^static_{ABE_MC,B}(1^λ) + Adv^CR_{CH,C_CH}(1^λ)), where q denotes the number of queries to the oracle O_Hash(·,·). If we guess the i*-th hash query carrying the challenge ciphertext c* incorrectly, we abort. Therefore, this game can be perfectly simulated if the i*-th guess is correct.

Case 2: N = {0}. In this case, the authority who initializes the global identifier gid and the long-term trapdoor sk_gid is honest, and the other authorities are corrupted. In this case, A can generate the secret keys on behalf of all authorities for newly joined modifiers, but without the long-term trapdoor sk. Hence, if A can win the game, we can build a simulator that breaks the collision resistance of chameleon hash schemes with the advantage Adv^ICR_{DPCH,A}(1^λ) = Adv^CR_{CH,C_CH}(1^λ).

Case 3: C ≠ {0} and 0 ∈ C. In this case, some authorities, including the authority who initializes the global identifier gid and the long-term trapdoor sk_gid, are corrupted. In this case, A can generate the long-term trapdoor sk and issue the signature σ_gid and secret keys on behalf of the corrupted authorities for newly joined modifiers. Hence, if A can win the game, we can build a simulator that breaks the static security of MA-ABE and the collision resistance of chameleon hash schemes with the advantage Adv^ICR_{DPCH,A}(1^λ) = q · (Adv^static_{ABE_MC,B}(1^λ) + Adv^CR_{CH,C_CH}(1^λ)), where q denotes the number of queries to the oracle O_Hash(·,·).

Case 4: N ≠ {0} and 0 ∈ N. In this case, some authorities, including the authority who initializes the global identifier gid and the long-term trapdoor sk_gid, are honest. In this case, A can generate the secret keys on behalf of the corrupted authorities for newly joined modifiers. Hence, if A can win the game, we can build a simulator that breaks the static security of MA-ABE, the collision resistance of chameleon hash schemes and the EUF-CMA security of digital signatures with the advantage Adv^ICR_{DPCH,A}(1^λ) = q · (Adv^static_{ABE_MC,B}(1^λ) + Adv^CR_{CH,C_CH}(1^λ) + Adv^{EUF-CMA}_{DS,C_DS}(1^λ)), where q denotes the number of queries to the oracle O_Hash(·,·).

Proof (Theorem 3, Case 1): This case can be proved by the following three games. The adversary's success probability in Game i is denoted by Pr[S_i]. The adversary can make q queries to the O_Hash(·,·) oracle.

Game 0: This is the original ICR security experiment as shown in Definition 12.

Game 1: As Game 0, but we guess the i*-th hash query which returns the h* that will be attacked by the adversary. We store the returned value (pk_etd, h, r, c) as well as the corresponding ephemeral trapdoor sk*_etd. If we detect that our guess is wrong at some point during the simulation, we abort. The winning probability in Game 1 is the same as in Game 0, except when an abort happens. Hence, we have that Pr[S_1] = Pr[S_0] · 1/q.

Game 2: As Game 1, but whenever we receive an adapt query on (gid, c, m, m', h, r) with c = c*, we do not decrypt, but directly adapt using sk*_etd. The winning probability in Game 2 is the same as in Game 1 under the perfect correctness of the encryption scheme. Hence, we have that Pr[S_2] = Pr[S_1].

Game 3: As Game 2, but we change the simulation of the hash algorithm DPCH.Hash(pk, {pk_θ}, A, m). For the i*-th query to the hash algorithm, we use 0^{|sk_etd|} as the trapdoor instead of the real trapdoor sk_etd. Specifically, we generate the ciphertext c ← ABE_MC.Enc({pk_θ}, A, 0^{|sk_etd|}) and store sk_etd locally rather than running c ← ABE_MC.Enc({pk_θ}, A, sk_etd).
The claim is that Game 2 and Game 3 are indistinguishable under the static security of ABE_MC in the CCA setting, i.e., |Pr[S_3] − Pr[S_2]| = Adv^static_{ABE_MC,B}(1^λ). To prove the claim, we show that we can use a challenger C^static_{ABE_MC} in the static security model with the CCA setting to effectively interpolate between Game 2 and Game 3. In particular, consider the following hybrid game: Upon initialization we obtain gp_{ABE_MC} from C^static_{ABE_MC}, set sk ← ⊥ and complete the remainder of the setup honestly based on the security parameter and the bilinear group description in gp_{ABE_MC} to derive (pp, sk). After receiving (C, N, Q, Q', A*), we forward (C, N, Q, Q', sk*_etd, 0^{|sk_etd|}, A*) to C^static_{ABE_MC} and obtain ({pk_θ}, {gid, {sk_{gid,A}}}, c*). To simulate queries to the adaption oracle O_Adapt, we use the decryption oracle O_Dec provided by C^static_{ABE_MC} to reveal the trapdoor and complete the remainder following the adaption algorithm DPCH.Adapt. The hash oracle O_Hash is simulated based on its index i. For the i-th query with i ≠ i*, we run DPCH.Hash to respond to the hash query. For the i*-th query, we directly use sk*_etd as the ephemeral trapdoor to hash the message and c* as the sealed ephemeral trapdoor. Now, we observe that aborting as soon as we detect that our guess of the index i* is wrong ensures that we never have to answer queries which involve queries to the challenger's oracle that would not be answered. If the bit b of the challenger is 0, we perfectly simulate Game 2, whereas we perfectly simulate Game 3 if b = 1. This proves the claim.

To prove Game 3, we use the challenger of the collision resistant chameleon hash C_CH and honestly complete the initialization to simulate the long-term trapdoor. Then we simulate the hash oracle O_Hash and the adaption oracle O_Adapt as in Game 3. To simulate the i-th hash oracle query with i ≠ i*, we use a challenger of the collision resistant chameleon hash C^i_CH to set up the ephemeral trapdoor and seal the ephemeral trapdoor via ABE_MC.Enc. For the i*-th hash oracle query, as the ciphertext c already encrypts 0^{|sk_etd|} instead of sk*_etd, we do not need to know sk*_etd. For the adaption oracle, we only modify the simulation for queries with respect to the sk*_etd returned upon the i*-th query to O_Hash, in that we use C_CH to compute the adapted hashes. Finally, A returns (pk*_etd, m*, r*, m'*, r'*, h*, c*) to B, where r* = (r_0*, r_1*), r'* = (r_0'*, r_1'*) and h* = (h_0*, h_1*). B forwards (m*, r_1*, m'*, r_1'*, h_1*) as the collision. Hence, we have that Pr[S_3] = Adv^CR_{CH,C_CH}(1^λ).

As we have shown above, the advantage of any adversary in the final game is bounded by the advantage of any adversary in the private collision freeness game, i.e., Pr[S_3] = Adv^CR_{CH,C_CH}(1^λ). This yields the following bound for the original game: Adv^ICR_{DPCH,A}(1^λ) = q · (Adv^static_{ABE_MC,B}(1^λ) + Adv^CR_{CH,C_CH}(1^λ)), which concludes the proof.

Proof (Theorem 3, Case 2): We prove the second case by a security reduction. We assume there exists a PPT adversary A that can break the insider collision resistance of our proposed DPCH with non-negligible advantage by corrupting the authorities who do not contribute the public parameters. We can build a PPT simulator B that breaks the collision resistance of the underlying chameleon hash CH with advantage Adv^ICR_{DPCH,A}(1^λ) = Adv^CR_{CH,C_CH}(1^λ).

Setup: B generates the parameters (pp, pk, sk) by running DPCH.Setup(1^λ), except for the chameleon hash related component, which is taken from the challenger C_CH, where the corresponding chameleon hash secret key, serving as the long-term trapdoor in our scheme, is unknown to B. Note that, because the other authorities are corrupted, B does not need to simulate the rest of the authorities.

Query: A is allowed to query the following oracles adaptively.

• A can query the hash oracle O_Hash on an access structure A and a message m. It runs the hash algorithm DPCH.Hash(pk, {pk_θ}, A, m) to derive (pk_etd, h, r, c). It returns (pk_etd, h, r, c) to A.

• A can query the adaption oracle O_Adapt on a global identifier gid, a ciphertext c, two messages m, m', a hash h and a randomness r. Because all authorities who can issue attribute keys are corrupted, A can reveal any ciphertext and B has no knowledge of any attribute key. Hence, it aborts if A = ∅. Parse h = (h_0, h_1) and r = (r_0, r_1). It forwards (m, m', r_0, h_0) to the adaption oracle O_Adapt provided by C_CH and obtains r_0'. It completes the remaining components of DPCH.Adapt to obtain r_1' and returns (r_0',  r_1') to A.

Output: A outputs (pk*_etd, m*, r*, m'*, r'*, h*, c*) to B, where r* = (r_0*, r_1*), r'* = (r_0'*, r_1'*) and h* = (h_0*, h_1*). B forwards (m*, r_0*, m'*, r_0'*, h_0*) as the collision for the chameleon hash to C_CH.

Now we observe that the hash or adapt oracle is simulated perfectly, and B wins with the same probability as A wins. This yields the following bound for the original game: Adv^ICR_{DPCH,A}(1^λ) = Adv^CR_{CH,C_CH}(1^λ), which concludes the proof.

Proof (Theorem 3, Case 3): We prove the third case by the following three games.

Game 0: This is the original ICR security experiment as shown in Definition 12.

Game 1: As Game 0, but we guess the i*-th hash query which returns the h* that will be attacked by the adversary. We store the returned value (pk_etd, h, r, c) as well as the corresponding ephemeral trapdoor sk*_etd. If we detect that our guess is wrong at some point during the simulation, we abort. The winning probability in Game 1 is the same as in Game 0, except when an abort happens. Hence, we have that Pr[S_1] = Pr[S_0] · 1/q.

Game 2: As Game 1, but whenever we receive an adapt query on (gid, c, m, m', h, r) with c = c*, we do not decrypt, but directly adapt using sk*_etd. The winning probability in Game 2 is the same as in Game 1 under the perfect correctness of the encryption scheme. Hence, we have that Pr[S_2] = Pr[S_1].

Game 3: As Game 2, but we change the simulation of the hash algorithm DPCH.Hash(pk, {pk_θ}, A, m). For the i*-th query to the hash algorithm, we use 0^{|sk_etd|} as the trapdoor instead of the real trapdoor sk_etd. Specifically, we generate the ciphertext c ← ABE_MC.Enc({pk_θ}, A, 0^{|sk_etd|}) and store sk_etd locally rather than running c ← ABE_MC.Enc({pk_θ}, A, sk_etd).
The claim is that Game 2 and Game 3 are indistinguishable under the static security of ABE_MC in the CCA setting, i.e., |Pr[S_3] − Pr[S_2]| = Adv^static_{ABE_MC,B}(1^λ). To prove the claim, we show that we can use a challenger C^static_{ABE_MC} in the static security model with the CCA setting to effectively interpolate between Game 2 and Game 3. In particular, consider the following hybrid game: Upon initialization we obtain gp_{ABE_MC} from C^static_{ABE_MC}, set sk ← ⊥ and complete the remainder of the setup honestly based on the security parameter and the bilinear group description in gp_{ABE_MC} to derive (pp, sk). After receiving (C, N, Q, Q', A*), we forward (C, N, Q, Q', sk*_etd, 0^{|sk_etd|}, A*) to C^static_{ABE_MC} and obtain ({pk_θ}, {gid, {sk_{gid,A}}}, c*). To simulate queries to the adaption oracle O_Adapt, we use the decryption oracle O_Dec provided by C^static_{ABE_MC} to reveal the trapdoor and complete the remainder following the adaption algorithm DPCH.Adapt. The hash oracle O_Hash is simulated based on its index i. For the i-th query with i ≠ i*, we run DPCH.Hash to respond to the hash query. For the i*-th query, we directly use sk*_etd as the ephemeral trapdoor to hash the message and c* as the sealed ephemeral trapdoor. Now, we observe that aborting as soon as we detect that our guess of the index i* is wrong ensures that we never have to answer queries which involve queries to the challenger's oracle that would not be answered. If the bit b of the challenger is 0, we perfectly simulate Game 2, whereas we perfectly simulate Game 3 if b = 1. This proves the claim.

To prove Game 3, we use the challenger of the collision resistant chameleon hash C_CH and honestly complete the initialization to simulate the long-term trapdoor. Then we simulate the hash oracle O_Hash and the adaption oracle O_Adapt as in Game 3. To simulate the i-th hash oracle query with i ≠ i*, we use a challenger of the collision resistant chameleon hash C^i_CH to set up the ephemeral trapdoor and seal the ephemeral trapdoor via ABE_MC.Enc. For the i*-th hash oracle query, as the ciphertext c already encrypts 0^{|sk_etd|} instead of sk*_etd, we do not need to know sk*_etd. For the adaption oracle, we only modify the simulation for queries with respect to the sk*_etd returned upon the i*-th query to O_Hash, in that we use C_CH to compute the adapted hashes. Finally, A returns (pk*_etd, m*, r*, m'*, r'*, h*, c*) to B, where r* = (r_0*, r_1*), r'* = (r_0'*, r_1'*) and h* = (h_0*, h_1*). B forwards (m*, r_1*, m'*, r_1'*, h_1*) as the collision. Hence, we have that Pr[S_3] = Adv^CR_{CH,C_CH}(1^λ).

As we have shown above, the advantage of any adversary in the final game is bounded by the advantage of any adversary in the private collision freeness game, i.e., Pr[S_3] = Adv^CR_{CH,C_CH}(1^λ). This yields the following bound for the original game: Adv^ICR_{DPCH,A}(1^λ) = q · (Adv^static_{ABE_MC,B}(1^λ) + Adv^CR_{CH,C_CH}(1^λ)), which concludes the proof.

Proof (Theorem 3, Case 4): We prove the fourth case by the following three games.

Game 0: This is the original ICR security experiment as shown in Definition 12.

Game 1: As Game 0, but we guess the i*-th hash query which returns the h* that will be attacked by the adversary. We store the returned value (pk_etd, h, r, c) as well as the corresponding ephemeral trapdoor sk*_etd. If we detect that our guess is wrong at some point during the simulation, we abort. The winning probability in Game 1 is the same as in Game 0, except when an abort happens. Hence, we have that Pr[S_1] = Pr[S_0] · 1/q.

Game 2: As Game 1, but whenever we receive an adapt query on (gid, c, m, m', h, r) with c = c*, we do not decrypt, but directly adapt using sk*_etd. The winning probability in Game 2 is the same as in Game 1 under the perfect correctness of the encryption scheme. Hence, we have that Pr[S_2] = Pr[S_1].

Game 3: As Game 2, but we change the simulation of the hash algorithm DPCH.Hash(pk, {pk_θ}, A, m). For the i*-th query to the hash algorithm, we use 0^{|sk_etd|} as the trapdoor instead of the real trapdoor sk_etd. Specifically, we generate the ciphertext c ← ABE_MC.Enc({pk_θ}, A, 0^{|sk_etd|}) and store sk_etd locally rather than running c ← ABE_MC.Enc({pk_θ}, A, sk_etd).

The claim is that Game 2 and Game 3 are indistinguishable under the static security of ABE_MC in the CCA setting, i.e., |Pr[S_3] − Pr[S_2]| = Adv^static_{ABE_MC,B}(1^λ). To prove the claim, we show that we can use a challenger C^static_{ABE_MC} in the static security model with the CCA setting to effectively interpolate between Game 2 and Game 3. In particular, consider the following hybrid game: Upon initialization we obtain gp_{ABE_MC} from C^static_{ABE_MC}, set sk ← ⊥ and complete the remainder of the setup honestly based on the security parameter and the bilinear group description in gp_{ABE_MC} to derive (pp, sk). After receiving (C, N, Q, Q', A*), we forward (C, N, Q, Q', sk*_etd, 0^{|sk_etd|}, A*) to C^static_{ABE_MC} and obtain ({pk_θ}, {gid, {sk_{gid,A}}}, c*). To simulate queries to the adaption oracle O_Adapt, we use the decryption oracle O_Dec provided by C^static_{ABE_MC} to reveal the trapdoor and complete the remainder following the adaption algorithm DPCH.Adapt. The hash oracle O_Hash is simulated based on its index i. For the i-th query with i ≠ i*, we run DPCH.Hash to respond to the hash query. For the i*-th query, we directly use sk*_etd as the ephemeral trapdoor to hash the message and c* as the sealed ephemeral trapdoor. Now, we observe that aborting as soon as we detect that our guess of the index i* is wrong ensures that we never have to answer queries which involve queries to the challenger's oracle that would not be answered. If the bit b of the challenger is 0, we perfectly simulate Game 2, whereas we perfectly simulate Game 3 if b = 1. This proves the claim.

To prove Game 3, we use the challenger of the EUF-CMA digital signature C_DS to handle the signature and the challenger of the collision resistant chameleon hash C_CH to manage the chameleon hash. More precisely, A can win the game by one of the following two methods.

A may attempt to forge the signature to win the game, denoted as E_1. In particular, we have that N ≠ {0} and 0 ∈ N, which means A cannot obtain the signing key sk and may win the game by forging σ_gid. σ_gid can be used to impersonate gid to obtain the secret key that can be used to adapt the challenge message. To simulate this game, B needs to interact with C_DS to complete the initialization by
We store the returning value ( pk et d , h, r, c) as well as simulating the digital signature. In particular, B receives the
the corresponding ephemeral trapdoor sk ∗et d . If we detect public parameter and the public key of the digital signature
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
scheme (pp_DS, pk_DS) to complete the component of the digital signature in the setup algorithm. After seeing the public parameter and the public key, A returns a set of corrupted authorities C, a set of non-corrupted authorities N, a list of queries Q and a challenge policy A*, where Q ⊆ {GID, GID_σ, U} and GID_σ is a set of signatures on the global identifiers gid ∈ GID under the public key pk. B runs the authority setup algorithm DPCH.AuthSetup(θ) for all θ ∈ N to derive a set of key pairs ({pk_θ}, {sk_θ}). For each (gid, σ_gid, S) ∈ Q, B runs the modify key generation algorithm DPCH.ModKeyGen(pk, gid, σ_gid, sk_θ, S_θ) to derive the secret key sk_{gid,S_θ}. B forwards (gid, σ_gid) to C_DS as the forged message and signature pair. B returns ({pk_θ}, {sk_{gid,S_θ}}) to A.

A may attempt to adapt the hash result to win the game, denoted as E2. For the components related to the chameleon hash, C_CH is used to complete the initialization by simulating the long-term trapdoor. In particular, B receives the public parameter and the public key of the long-term trapdoor (pp_CH, pk_CH) to complete the component of the chameleon hash in the setup algorithm. Then, we simulate the hash oracle O_Hash and the adaption oracle O_Adapt as in Game 3. To simulate the i-th hash oracle with i ≠ i*, we use the challenger of collision resistant chameleon hash C_CH_i to set up the ephemeral trapdoor and seal the ephemeral trapdoor via ABE_MC.Enc. For the i*-th hash oracle, as the ciphertext c already encrypts 0^{|sk_etd|} instead of sk*_etd, we do not require to know sk*_etd. For the adaption oracle, we only modify the simulation for queries with respect to sk*_etd returned upon the i*-th query to O_Hash in that we use C_CH to compute the adapted hashes. Finally, A returns (pk*_etd, m*, r*, m'*, r'*, h*, c*) to B, where r* = (r0*, r1*), r'* = (r0'*, r1'*) and h* = (h0*, h1*). B forwards (m*, r1*, m'*, r1'*, h1*) as the collision. Hence, we have that Pr[S3 | E2] = Adv^CR_{CH,C_CH}(1^λ).

As we have shown above, the advantage of any adversary in the final game is bounded by the advantage of any adversary in the private collision freeness game, i.e., Pr[S3] = Adv^CR_{CH,C_CH}(1^λ) + Adv^EUF-CMA_{DS,C_DS}(1^λ). This yields the following bound for the original game as Adv^ICR_{DPCH,A}(1^λ) = q · (Adv^static_{ABE_MC,B}(1^λ) + Adv^CR_{CH,C_CH}(1^λ) + Adv^EUF-CMA_{DS,C_DS}(1^λ)), which concludes the proof.

D. An Instantiation of DPCH
We give an instantiation of the DPCH scheme in Fig. 3, where the chameleon hash is instantiated by the RSA-based solution [30] and the digital signature is instantiated by the BLS short signature [31]. To improve the efficiency and security, we apply a key encapsulation mechanism (KEM) and the Fujisaki-Okamoto transformation [34].

1) Efficiency: We use KEM to improve the performance, where KEM is hybrid encryption combining symmetric key encryption (e.g., AES) and asymmetric key encryption. KEM reduces the cost since the asymmetric key encryption mechanism is expensive and the symmetric encryption is fast. In our instantiation, the asymmetric key encryption mechanism encrypts a symmetric key k and sk_etd is sealed by the symmetric key encryption mechanism SE = (KeyGen, Enc, Dec).

2) Security: The PCH-based redactable blockchain [16] provides CCA security, where it applies ABE [35] with security against the chosen-plaintext attack (CPA security) and the Fujisaki-Okamoto (FO) transformation [34] to realize CCA security. To offer comparable security and a decryption oracle to support the adaption oracle in our DPCH scheme, we transform the underlying MA-ABE [29] with CPA security to CCA security via the FO transformation. Specifically, we use the FO transformation in the hash algorithm and the adaption algorithm to realize the transformation from CPA security to CCA security. In the hash algorithm, we choose a randomness rt and use a hash function Ht with input rt to derive all the randomness used in MA-ABE to generate a ciphertext c, where MA-ABE seals rt and a symmetric key k. In the adaption algorithm, the randomness rt is revealed first and used to regenerate a ciphertext c'. It aborts if c ≠ c', which is the core technique to realize CCA security from a CPA secure scheme.

Remark: Our instantiation applies the RSA-based chameleon hash with collision resistance. A formal classification of chameleon hashes is introduced by Derler et al. [36], where a stronger notion of collision-resistance than the one we use is presented. The strong notion requires costly cryptographic tools, e.g., non-interactive zero-knowledge proofs, that sacrifice the performance of transaction hashing and collision finding. Hence, based on the generic construction in Fig. 2 and the strong notion of collision-resistant chameleon hash [36], an instantiation of decentralized redactable blockchain can be built with strong collision-resistance by sacrificing performance.

V. DPCH-BASED REDACTABLE BLOCKCHAIN
In this section, we introduce the DPCH-based redactable blockchain, including the system model and threat model. Besides, we show that DPCH can be effectively integrated into the chain to realize blockchain rewriting.

A. System Model
The system model of decentralized redactable blockchain involves three types of entities: a transaction owner, a transaction modifier, and a set of authorities. The number of transaction modifiers is assumed to be small because rewriting in blockchains cannot be performed by the majority of system users, and each modifier has a unique global identifier. A chain participant could be any party, i.e., authorities, transaction owners and transaction modifiers. As shown in Fig. 1 and the system overview in Section II, there are four processes in decentralized blockchain rewriting:
1) System initialization includes two phases as in Fig. 4:
• Public parameter initialization: One of the multiple authorities initializes the public parameter by running DPCH.Setup(1^λ) to obtain the public parameter pp, the public key pk and the secret key sk. It publishes (pp, pk) to chain participants, and keeps sk secret.
• Authority parameter initialization: The other authorities initialize their key pairs individually. For the
authority θ, it runs DPCH.AuthSetup(θ) to obtain the public key pk_θ and the secret key sk_θ. It publishes pk_θ to chain participants and keeps sk_θ secret.
2) Modifier registration includes two phases as in Fig. 5:
• Global identifier initialization: Each modifier is issued a unique global identifier gid. Specifically, after receiving the request for gid, the authority who initializes the public parameter runs DPCH.ModSetup(sk, gid) to derive a secret key sk_gid and a signature σ_gid.
• Attribute initialization: After validating gid and σ_gid, the modifier can request the attribute-based secret key from the other authorities. For the authority θ, it aborts the request by returning ⊥ if gid and σ_gid are invalid; otherwise, it runs DPCH.ModKeyGen(pk, gid, σ_gid, sk_θ, A) to issue the secret key sk_{gid,A} to the user with gid.
3) Mutable transaction publication consists of two phases as in Fig. 6:
• Transaction generation: To generate a mutable transaction with the object m, the transaction owner runs DPCH.Hash(pk, {pk_θ}, A, m) to derive a public key pk_etd, a hash h, a randomness r and a ciphertext c. Then, the transaction owner broadcasts {pk_θ}, A, m, pk_etd, h, r and c to chain participants.
• Transaction verification: Each chain participant runs the verification algorithm DPCH.Verify(pk, pk_etd, m, h, r) to validate the transaction. If the verification algorithm returns 1, the chain participant propagates this transaction to other chain participants.
4) Mutable transaction rewriting consists of two phases as in Fig. 7:
• Transaction rewriting: To alter a mutable transaction with the registered object m to m', the transaction modifier runs DPCH.Adapt(sk_gid, {sk_{gid,A}}, c, m, m', h, r) to find the arbitrary collision r'. Then, the transaction modifier propagates m', h and r' to chain participants.
• Transaction verification: Each chain participant runs the verification algorithm DPCH.Verify(pk, pk_etd, m', h, r') to validate the transaction. If the verification algorithm returns 1, the chain participant rewrites the mutable transaction with the registered object m' and propagates this transaction to other chain participants.

B. Threat Model
In our threat model, we assume that the transaction owner and at least one of the multiple authorities are honest. The transaction owner honestly generates the mutable transactions and at least one of the multiple authorities preserves its secret key honestly. Multiple authorities and transaction modifiers may collude to launch various types of attacks. In the following, we list several security properties our proposed blockchain has and possible attacks launched by malicious authorities and transaction modifiers.
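The following is an added, self-contained Python illustration of the DPCH.Hash / DPCH.Verify / DPCH.Adapt steps used in the four processes above, together with the FO-style re-encryption check of Section D.2; it is not code from the paper or its Fig. 3. It assumes a textbook RSA chameleon hash h = H(m)·r^e mod N (a simplified stand-in for the ephemeral-trapdoor scheme of [30]) for both the long-term and the ephemeral trapdoor, textbook ElGamal over Z_P^* as a stand-in for MA-ABE, a SHA-256 keystream as the symmetric scheme SE, and collapses the modifier's keys sk_gid and {sk_gid,A} into the long-term RSA trapdoor plus one ElGamal decryption key. All function names, the toy 128-bit primes and the sample transaction strings are constructed for this example.

```python
"""Added example (not the paper's Fig. 3 code): DPCH-style Hash/Verify/Adapt with an
ephemeral and a long-term RSA chameleon hash, sk_etd sealed by a toy hybrid scheme
(textbook ElGamal stands in for MA-ABE, a SHA-256 keystream for SE) with the FO check."""
import hashlib
import os
import random

def is_probable_prime(n, rounds=16):                # Miller-Rabin, toy 128-bit primes only
    if n % 2 == 0:
        return n == 2
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n

def ch_keygen(bits=256):
    """RSA chameleon-hash key: pk = (N, e), sk = d (stand-in for the scheme of [30])."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                      # e is prime, so gcd(e, phi) == 1
            return (p * q, e), pow(e, -1, phi)

def h2z(m, N):                                      # hash a message into Z_N^*
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (N - 1) + 1
def ch_hash(pk, m, r):                              # h = H(m) * r^e mod N
    return h2z(m, pk[0]) * pow(r, pk[1], pk[0]) % pk[0]
def ch_adapt(pk, d, m, r, m2):                      # r' = r * (H(m)/H(m'))^d mod N
    N = pk[0]
    return r * pow(h2z(m, N) * pow(h2z(m2, N), -1, N), d, N) % N

# Sealing of sk_etd: ElGamal over Z_P^* seals (rt, k) using randomness Ht(rt); SE under k
# hides sk_etd; unseal re-encrypts and aborts on mismatch, as in Section D.2.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # secp256k1 field prime
G = 2

def ht(rt):                                         # H_t: seed -> encryption randomness
    return int.from_bytes(hashlib.sha256(b"Ht" + rt).digest(), "big") % (P - 2) + 1
def abe_enc(pk, payload, rho):                      # textbook ElGamal, stand-in for MA-ABE.Enc
    return pow(G, rho, P), payload * pow(pk, rho, P) % P
def keystream(k):                                   # toy SE keystream; 32 bytes cover d
    return hashlib.sha256(b"SE" + k).digest()

def seal(pk_abe, sk_etd):
    rt, k = os.urandom(15), os.urandom(16)          # 31-byte payload, always < P
    c_abe = abe_enc(pk_abe, int.from_bytes(rt + k, "big"), ht(rt))
    c_se = bytes(a ^ b for a, b in zip(sk_etd.to_bytes(32, "big"), keystream(k)))
    return c_abe, c_se

def unseal(pk_abe, sk_abe, c):
    """Returns sk_etd, or None when the FO re-encryption check fails."""
    (c1, c2), c_se = c
    payload = c2 * pow(c1, P - 1 - sk_abe, P) % P   # c2 * c1^(-sk)
    if payload.bit_length() > 248:
        return None
    rt, k = payload.to_bytes(31, "big")[:15], payload.to_bytes(31, "big")[15:]
    if abe_enc(pk_abe, payload, ht(rt)) != (c1, c2):
        return None
    return int.from_bytes(bytes(a ^ b for a, b in zip(c_se, keystream(k))), "big")

def dpch_hash(pk_lt, pk_abe, m):                    # DPCH.Hash: h = (h0, h1), r = (r0, r1)
    pk_etd, sk_etd = ch_keygen()
    r = (random.randrange(2, pk_etd[0]), random.randrange(2, pk_lt[0]))
    return pk_etd, (ch_hash(pk_etd, m, r[0]), ch_hash(pk_lt, m, r[1])), r, seal(pk_abe, sk_etd)
def dpch_verify(pk_lt, pk_etd, m, h, r):            # DPCH.Verify
    return h == (ch_hash(pk_etd, m, r[0]), ch_hash(pk_lt, m, r[1]))
def dpch_adapt(pk_lt, sk_lt, pk_abe, sk_abe, pk_etd, c, m, m2, r):   # DPCH.Adapt
    sk_etd = unseal(pk_abe, sk_abe, c)              # needs the sealed and the long-term trapdoor
    if sk_etd is None:
        return None                                 # abort: c was tampered with
    return ch_adapt(pk_etd, sk_etd, m, r[0], m2), ch_adapt(pk_lt, sk_lt, m, r[1], m2)

def demo(m=b"tx: pay 5 coins to Bob", m2=b"tx: [redacted]"):
    """Publish, rewrite and verify; then show that a malleated c is rejected."""
    pk_lt, sk_lt = ch_keygen()
    sk_abe = random.randrange(2, P - 1)
    pk_abe = pow(G, sk_abe, P)
    pk_etd, h, r, c = dpch_hash(pk_lt, pk_abe, m)
    r2 = dpch_adapt(pk_lt, sk_lt, pk_abe, sk_abe, pk_etd, c, m, m2, r)
    bad_c = ((c[0][0], c[0][1] * G % P), c[1])      # multiply the ElGamal body by G
    return (dpch_verify(pk_lt, pk_etd, m, h, r), dpch_verify(pk_lt, pk_etd, m2, h, r2),
            dpch_adapt(pk_lt, sk_lt, pk_abe, sk_abe, pk_etd, bad_c, m, m2, r) is None)
```

Calling demo() publishes a mutable transaction, rewrites it to m', checks that DPCH.Verify still accepts the unchanged hash h with the new randomness r', and shows that a malleated ciphertext c makes Adapt abort: re-encrypting the recovered (rt, k) under the randomness Ht(rt) no longer reproduces c, which is the CPA-to-CCA step described in Section D.2.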
to rewrite the blockchain locally and Thyagarajan et al. [41] resorted to side-chain technology to manage the content of each block. However, in the above two strategies [40], [41], the rewriting approach only affects the local copy and the original transaction remains unchanged.

B. Cryptography-Based Solutions
To redact block data globally, Ateniese et al. [15] presented the concept of redactable blockchain. In this solution, the traditional hash function is replaced by the chameleon hash [21]. The hashing of the block header is associated with a public key, and the chameleon hash behaves like a collision-resistant hash function if the chameleon trapdoor is unknown. To rewrite the blockchain, the trapdoor holder can easily find valid collisions without changing the hash output. However, this approach only offers block-level data redaction at a coarse-grained level since it applies a public key infrastructure to manage the chameleon trapdoor and the chameleon trapdoor only binds the block header.

To enrich the approach of access control, Derler et al. [16] introduced a novel concept, called policy-based chameleon hash (PCH), to realize redactable blockchain with transaction-level redaction controlled at a fine-grained level. PCH is based on the chameleon hashes with ephemeral trapdoors [30] and attribute-based encryption [35]. Each transaction is associated with an access policy and the trapdoor holder can rewrite the transaction if his/her attributes satisfy the access policy. Based on PCH, many subsequent works are introduced and mainly focus on usability, such as accountability [17], [22], self-management [19], revocability [18], [20], and k-time modification operation [23]. To eliminate the trusted central authority, Deuber et al. [24] introduced an efficient redactable blockchain in the permissionless setting. The proposed scheme relies on consensus-based voting. The block can be rewritten if a modification request from a chain participant gathers enough votes from miners. However, it has several security threats since it suffers from bribing and selfish mining attacks.

VIII. CONCLUSION
In this paper, we proposed a generic construction of a decentralized policy-based chameleon hash for blockchain rewriting. The proposed framework eliminates the centralized setting in previous redactable blockchains [15]–[20], [23] and the modification privilege is controlled at a fine-grained level. We presented a practical instantiation, and demonstrated that the proposed instantiation is more efficient than the previous solution [16]. We believe our proposed scheme is a promising solution for blockchain rewriting in decentralized settings.

Future work could be designing adaptively CCA-secure MA-ABE (in prime-order pairing groups) suited to decentralized blockchain rewriting, e.g., where the adversary does not need to claim the challenge message in advance.

REFERENCES
[1] S. Nakamoto, "Bitcoin: A peer-to-peer electronic cash system," Decentralized Bus. Rev., p. 21260, 2008. [Online]. Available: http://bitcoin.org/bitcoin.pdf
[2] G. Wood, "Ethereum: A secure decentralised generalised transaction ledger," Ethereum Project Yellow Paper, vol. 151, pp. 1–32, Apr. 2014.
[3] F. Armknecht, G. O. Karame, A. Mandal, F. Youssef, and E. Zenner, "Ripple: Overview and outlook," in Proc. TRUST, vol. 9229, 2015, pp. 163–180.
[4] M. Kouhizadeh and J. Sarkis, "Blockchain practices, potentials, and perspectives in greening supply chains," Sustainability, vol. 10, no. 10, p. 3652, Oct. 2018.
[5] M. Raikwar, S. Mazumdar, S. Ruj, S. Sen Gupta, A. Chattopadhyay, and K.-Y. Lam, "A blockchain framework for insurance processes," in Proc. 9th IFIP Int. Conf. New Technol., Mobility Secur. (NTMS), Feb. 2018, pp. 1–4.
[6] M. Mettler, "Blockchain technology in healthcare: The revolution starts here," in Proc. IEEE 18th Int. Conf. e-Health Netw., Appl. Services (Healthcom), Sep. 2016, pp. 1–3.
[7] J. Wu and N. Tran, "Application of blockchain technology in sustainable energy systems: An overview," Sustainability, vol. 10, no. 9, p. 3067, Aug. 2018.
[8] Cryptocurrency Deposit Processing Times. Accessed: Sep. 1, 2021. [Online]. Available: https://support.kraken.com/hc/en-us/articles/203325283-Cryptocurrency-deposit-processing-times
[9] S. Hargreaves and S. Cowley. (2013). How Porn Links and Ben Bernanke Snuck into Bitcoin's Code. [Online]. Available: https://money.cnn.com/2013/05/02/technology/security/bitcoin-porn/index.html
[10] H. Moonie. (2016). Man's 'Right to be Forgotten' Case Stalls After he is Found on the Bitcoin Blockchain. [Online]. Available: https://medium.com/@hankmoonie/mans-right-to-be-forgotten-case-stalls-after-he-is-found-on-the-bitcoin-blockchain-1a32c4fc0963
[11] C. Hopkins. (2015). If you Own Bitcoin, You Also Own Links to Child Porn. [Online]. Available: https://www.dailydot.com/business/bitcoin-child-porn-transaction-code/
[12] J. Pearson. (2015). The Bitcoin Blockchain Could be Used to Spread Malware, Interpol Says. [Online]. Available: https://www.vice.com/en_us/article/ezv8jn/the-bitcoin-blockchain-could-be-used-to-spread-malware-interpol-says
[13] P. Voigt and A. V. dem Bussche, "The EU general data protection regulation (GDPR)," A Practical Guide, 1st ed. Cham, Switzerland: Springer, 2017.
[14] J. M. L. Alfonsín, "Argentina: The right to be forgotten," in The Right To Be Forgotten. Cham, Switzerland: Springer, 2020, pp. 239–248. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-030-33512-0_12
[15] G. Ateniese, B. Magri, D. Venturi, and E. Andrade, "Redactable blockchain or rewriting history in bitcoin and friends," in Proc. IEEE Eur. Symp. Secur. Privacy (EuroS&P), Apr. 2017, pp. 111–126.
[16] D. Derler, K. Samelin, D. Slamanig, and C. Striecks, "Fine-grained and controlled rewriting in blockchains: Chameleon-hashing gone attribute-based," IACR Cryptol. ePrint Arch., Tech. Rep. 2019/406, 2019. [Online]. Available: https://eprint.iacr.org/2019/406
[17] Y. Tian, N. Li, Y. Li, P. Szalachowski, and J. Zhou, "Policy-based chameleon hash for blockchain rewriting with black-box accountability," in Proc. ACSAC, 2020, pp. 813–828.
[18] G. Panwar, R. Vishwanathan, and S. Misra, "ReTRACe: Revocable and traceable blockchain rewrites using attribute-based cryptosystems," in Proc. 26th ACM Symp. Access Control Models Technol., Jun. 2021, pp. 103–114.
[19] Y. Jia, S.-F. Sun, Y. Zhang, Z. Liu, and D. Gu, "Redactable blockchain supporting supervision and self-management," in Proc. ACM Asia Conf. Comput. Commun. Secur., May 2021, pp. 844–858.
[20] S. Xu, J. Ning, J. Ma, G. Xu, J. Yuan, and R. H. Deng, "Revocable policy-based chameleon hash," in Proc. ESORICS, 2021, pp. 327–347.
[21] H. Krawczyk and T. Rabin, "Chameleon hashing and signatures," in Proc. IACR, 1998, p. 10.
[22] K. Samelin and D. Slamanig, "Policy-based sanitizable signatures," in Proc. CT-RSA, 2020, pp. 538–563.
[23] S. Xu, J. Ning, J. Ma, X. Huang, and R. H. Deng, "K-time modifiable and epoch-based redactable blockchain," IEEE Trans. Inf. Forensics Security, vol. 16, pp. 4507–4520, 2021.
[24] D. Deuber, B. Magri, and S. A. K. Thyagarajan, "Redactable blockchain in the permissionless setting," in Proc. IEEE Symp. Secur. Privacy (SP), May 2019, pp. 124–138.
[25] T. Kohno, A. Stubblefield, A. D. Rubin, and D. S. Wallach, "Analysis of an electronic voting system," in Proc. IEEE Symp. Secur. Privacy, May 2004, p. 27.
[26] A. Sapirshtein, Y. Sompolinsky, and A. Zohar, "Optimal selfish mining strategies in bitcoin," in Proc. FC, vol. 9603, 2016, pp. 515–532.
[27] F. Benhamouda et al., "Can a public blockchain keep a secret?" in Proc. TCC, 2020, pp. 260–290.
[28] M. Chase, "Multi-authority attribute based encryption," in Proc. TCC, S. P. Vadhan, Ed., vol. 4392, 2007, pp. 515–534.
[29] Y. Rouselakis and B. Waters, "Efficient statically-secure large-universe multi-authority attribute-based encryption," in Proc. FC, R. Böhme and T. Okamoto, Eds., vol. 8975, 2015, pp. 315–332.
[30] J. Camenisch, D. Derler, S. Krenn, H. C. Pöhls, K. Samelin, and D. Slamanig, "Chameleon hashes with ephemeral trapdoors and applications to invisible sanitizable signatures," in Proc. PKC, 2017, pp. 152–182.
[31] D. Boneh, B. Lynn, and H. Shacham, "Short signatures from the Weil pairing," in Proc. ASIACRYPT, 2001, pp. 514–532.
[32] A. B. Lewko and B. Waters, "Decentralizing attribute-based encryption," in Proc. EUROCRYPT, 2011, pp. 568–588.
[33] M. Chase and S. S. M. Chow, "Improving privacy and security in multi-authority attribute-based encryption," in Proc. 16th ACM Conf. Comput. Commun. Secur. (CCS), 2009, pp. 121–130.
[34] E. Fujisaki and T. Okamoto, "Secure integration of asymmetric and symmetric encryption schemes," in Proc. CRYPTO, 1999, pp. 537–554.
[35] S. Agrawal and M. Chase, "FAME: Fast attribute-based message encryption," in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., D. Evans, T. Malkin, and D. Xu, Eds., Oct. 2017, pp. 665–682.
[36] D. Derler, K. Samelin, and D. Slamanig, "Bringing order to chaos: The case of collision-resistant chameleon-hashes," in Proc. PKC, 2020, pp. 462–492.
[37] A. De Caro and V. Iovino, "JPBC: Java pairing based cryptography," in Proc. IEEE Symp. Comput. Commun. (ISCC), Jun. 2011, pp. 850–855.
[38] E. Barker et al., Recommendation for Key Management: Part 1: General. Gaithersburg, MD, USA: National Institute of Standards and Technology, Technology Administration, 2006. [Online]. Available: https://blkcipher.pl/assets/pdfs/NIST.SP.800-57pt1r5.pdf
[39] I. Puddu, A. Dmitrienko, and S. Capkun, "μchain: How to forget without hard forks," IACR Cryptol. ePrint Arch., Tech. Rep. 2017/106, 2017. [Online]. Available: https://eprint.iacr.org/2017/106
[40] M. Florian, S. Henningsen, S. Beaucamp, and B. Scheuermann, "Erasing data from blockchain nodes," in Proc. IEEE Eur. Symp. Secur. Privacy Workshops (EuroS&PW), Jun. 2019, pp. 367–376.
[41] S. A. K. Thyagarajan, A. Bhat, B. Magri, D. Tschudi, and A. Kate, "Reparo: Publicly verifiable layer to repair blockchains," 2020, arXiv:2001.00486.

Jinhua Ma received the M.S. and Ph.D. degrees from the School of Mathematics and Informatics, Fujian Normal University, China, in 2016 and 2020, respectively. She was a Research Scientist with the School of Information Systems, Singapore Management University, Singapore. She is currently a Lecturer with Fujian Normal University, China. Her research interests include cryptography and information security.

Shengmin Xu received the Ph.D. degree from the School of Computing and Information Technology, University of Wollongong, Australia, in 2018. He is currently a Research Scientist at Singapore Management University, Singapore. Previously, he was a Research Fellow at the Singapore University of Technology and Design, Singapore. He has published over 30 research papers in top international conferences and journals, including ESORICS, ACSAC, ACM ASIACCS, IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, and IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING. His research interests include information security, cloud computing, and blockchain.

Jianting Ning (Member, IEEE) received the Ph.D. degree from the Department of Computer Science and Engineering, Shanghai Jiao Tong University, in 2016. He is currently a Professor with the Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Computer and Cyber Security, Fujian Normal University, China. Previously, he was a Research Scientist at the School of Information Systems, Singapore Management University, and a Research Fellow at the Department of Computer Science, National University of Singapore. His research interests include applied cryptography and information security. He has published papers in major conferences/journals, such as ACM CCS, NDSS, ASIACRYPT, ESORICS, ACSAC, IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, and IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING.

Xinyi Huang received the Ph.D. degree from the School of Computer Science and Software Engineering, University of Wollongong, Australia, in 2009. He is currently a Professor at the Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Computer and Cyber Security, Fujian Normal University, China. His work has been cited more than 6000 times at Google Scholar. His research interests include cryptography and information security. He has published over 130 research papers in refereed international conferences and journals. He has served as the program/general chair or a program committee member in over 120 international conferences. He is on the Editorial Board of International Journal of Information Security.

Robert H. Deng (Fellow, IEEE) is currently an AXA Chair Professor of cybersecurity, the Director of the Secure Mobile Centre, and the Deputy Dean for Faculty and Research of the School of Computing and Information Systems, Singapore Management University. His research interests are in the areas of data security and privacy, network security, and applied cryptography. He is a fellow of the Academy of Engineering Singapore. He received the Outstanding University Researcher Award from the National University of Singapore, a Lee Kuan Yew Fellowship for Research Excellence from SMU, and an Asia-Pacific Information Security Leadership Achievements Community Service Star from International Information Systems Security Certification Consortium. He is a Steering Committee Chair of the ACM Asia Conference on Computer and Communications Security. He serves/served on the editorial boards of ACM Transactions on Privacy and Security, IEEE SECURITY & PRIVACY, IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, and Journal of Computer Science and Technology.