IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL.
17, 2022
Redactable Blockchain in Decentralized Setting
Jinhua Ma , Shengmin Xu , Jianting Ning , Member, IEEE, Xinyi Huang ,
and Robert H. Deng , Fellow, IEEE
Abstract— Immutability has been widely accepted as a funda-
mental property protecting the security of blockchain technology.
However, this property impedes the development of blockchain
because of the abuse of blockchain storage and legal obligations.
To mitigate this issue, a novel construction of blockchain,
called redactable blockchain, was introduced. It enables a central
authority to issue the rewriting privilege to a particular party
who can rewrite a registered object, e.g., a block or a transaction,
in a controlled way. Unfortunately, the central authority must be
fully trusted and is an obvious target suffering from various
attacks. In this paper, we introduce a redactable blockchain
controlled at a fine-grained level in a decentralized setting. In our
solution, the rewriting privilege is issued by multiple author-
ities for reducing the vulnerability of the centralized setting.
To formalize our solution, we introduce a novel cryptographic
notion, called decentralized policy-based chameleon hash (DPCH),
with the formal definition and security model. By applying
several simple cryptographic tools, such as chameleon hash,
digital signature, and multi-authority attribute-based encryption,
we present the generic construction of DPCH along with rigorous
security proofs. By applying RSA-based chameleon hash and BLS
short signature, we give a practical instantiation of DPCH with
performance evaluation. The comprehensive evaluation shows
that our solution has superior performance than the state-of-
the-art solution.
Index Terms— Chameleon hash, redactable blockchain, decen-
tralized blockchain rewriting.
Manuscript received September 13, 2021; revised November 26, 2021,
January 12, 2022, and February 13, 2022; accepted February 14, 2022. Date
of publication March 4, 2022; date of current version March 25, 2022. This
work was supported in part by the National Natural Science Foundation of
China under Grant 62102090, Grant 62032005, Grant 61972094, and Grant
61872089; in part by the Science Foundation of Fujian Provincial Science and
Technology Agency under Grant 2020J02016; in part by the Young Talent
Promotion Project of the Fujian Science and Technology Association; and in
part by the AXA Research Fund. The associate editor coordinating the review
of this manuscript and approving it for publication was Dr. Ghassan Karame.
(Corresponding author: Shengmin Xu.)
Jinhua Ma and Xinyi Huang are with the Fujian Provincial Key Lab-
oratory of Network Security and Cryptology, College of Computer and
Cyber Security, Fujian Normal University, Fuzhou 350117, China (e-mail:
jinhuama55@hotmail.com; xyhuang81@gmail.com).
Shengmin Xu is with the Fujian Provincial Key Laboratory of Net-
work Security and Cryptology, College of Computer and Cyber Security,
Fujian Normal University, Fuzhou 350117, China, and also with the Secure
Mobile Center, Singapore Management University, Singapore 178902 (e-mail:
smxu1989@gmail.com).
Jianting Ning is with the Fujian Provincial Key Laboratory of Network
Security and Cryptology, College of Computer and Cyber Security, Fujian
Normal University, Fuzhou 350117, China, and also with the State Key Lab-
oratory of Information Security, Institute of Information Engineering, Chinese
Academy of Sciences, Beijing 100093, China (e-mail: jtning88@gmail.com).
Robert H. Deng is with the School of Computing and Information
Systems, Singapore Management University, Singapore 178902 (e-mail:
robertdeng@smu.edu.sg).
Digital Object Identifier 10.1109/TIFS.2022.3156808
1556-6021 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
1227
I. I NTRODUCTION
B LOCKCHAIN has attracted extensive attention in the
most recent decade. With the continuous development,
tremendous blockchain-based applications have appeared, i.e.,
digital currency [1]–[3], supply chain [4], insurance [5],
healthcare [6], and energy [7]. As an append-only hash-
chain, each block includes a reference linking to the previous
block and a set of valid transactions. Immutability, as one
of the crucial properties, ensures that the registered object,
i.e., a block or a transaction, cannot be modified once it has
been confirmed by the chain. Due to unpredictable blockchain
forking, most blockchain systems reserve immutability relying
on heuristics. A stable object must be confirmed by several
subsequent blocks, where Bitcoin [1] requires 6 confirmations
(approximate 1 hour) and Ethereum [2] needs 30 confirmations
(about 6 minutes) [8].
Although immutability offers the security of blockchain,
it hinders the development of blockchain. The object rewriting
evolves into a basic requirement since the abuse of blockchain
storage and legal obligations. Nowadays, blockchain storage
has already been abused to spread improper content [9]–[12].
The chain participants may be afraid of being accused of
possessing illegal information, and not willing to participate
and download the chain. Moreover, several data regulations,
such as the General Data Protection Regulation (GDPR) [13]
and “the right to be forgotten” [14], enable people to manage
their personal data. It is obvious that the blockchain storage
cannot be altered due to blockchain’s immutability. To break
the blockchain immutability in a controlled way, the concept
of redactable blockchain was introduced.
A. Existing Solutions
Based on the authority of rewriting privileges, the exist-
ing redactable blockchain technologies can be classified into
two approaches: permissioned and permissionless. In the per-
missioned setting [15]–[20], the traditional hash function is
replaced by the trapdoor-based chameleon hash [21]. The trap-
door holder can rewrite the registered object without altering
its hash and breaking the link of each two adjacent blocks.
Ateniese et al. [15] introduced the seminal work by applying
the chameleon hash function and public-key infrastructure to
realize block-level rewriting. To improve the expressiveness,
Derler et al. [16] proposed a transaction-level rewriting con-
trolled in a fine-grained way by introducing a cryptographic
primitive, called policy-based chameleon hash (PCH). In PCH,
a central authority issues a secret key associated with a set of
 1228
C OMPARISON OF R EDACTABLE B LOCKCHAIN
attributes to a trapdoor holder and the registered transaction
is specified by an access structure. The trapdoor holder can
rewrite the transaction if his/her attributes satisfy the associ-
ated access structure. They left the decentralized construction
of PCH as a future work (in [16] Page 7, Remark 2). Based
on PCH, many sequential works are introduced and mainly
focus on usability, such as accountability [17], [22], self-
management [19], revocability [18], [20], and k-time modifi-
cation operation [23]. The decentralized PCH is missed in the
literature. In the permissionless setting [24], blockchain rewrit-
ing is based on the consensus-based e-voting mechanism [25]
to eliminate the risk from the central structure. Each chain
participant can propose a rewriting request and the rewriting
request can be executed if it gathers enough votes. In TABLE I,
we list several differences of the current redactable blockchain
technologies.
B. Motivation
In current redactable blockchain solutions exist several
security concerns. The PCH-based blockchain rewriting mech-
anism requires a fully trusted central authority, which is a very
strong assumption since the privilege of the central authority
is out of control. The central authority holding the rewriting
privileges of any access policy can manipulate any registered
object to control the blockchain. Moreover, a malicious central
authority may frame misbehaviors, e.g., operating malicious
rewriting and selling rewriting privileges, to an innocent chain
participant. Such centralized construction is a very obvious
attacking target and shortcoming in the current PCH-based
redactable blockchain.
The consensus-based blockchain rewriting mechanism is
based on the consensus-based e-voting technology, which is
vulnerable to bribing and selfish mining attacks [26]. In reality,
the malicious miner may collude with others to control the
rewriting privilege. Moreover, the rational miners may spend
more cost on mining rather than verifying the rewriting request
is reasonable or not. Furthermore, it faces several security
issues since rational miners could be bribed and the rewrit-
ing privilege could be compromised by the selfish mining
attack. Although proactive secret sharing [27] can be used to
offer decentralized construction in blockchain, it requests that
majority group members are trusted and there are multiple
interactions for selecting group members and holding the
secret key. Hence, the following problem arises naturally:
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
TABLE I
“Can we design a practical and secure redactable
blockchain without the fully trusted central authority?”
C. Contribution
In this paper, we give an affirmative answer to the above
problem by introducing a novel cryptographic notion, called
decentralized policy-based chameleon hash (DPCH). DPCH
resists the collusion attacks among authorities and trapdoor
holders. To improve performance, our solution does not require
any interaction between authorities. The major contributions
of this work are threefold.
• Decentralized transaction-level blockchain rewriting.
We introduce the first transaction-level blockchain rewrit-
ing controlled in a fine-grained way without any
fully trusted central authority. Compared to the previ-
ous solutions, our solution offers a stronger security
model that allows the adversary to compromise the
authority.
• Generic construction of DPCH with rigorous security
proofs. To formalize our solution, we introduce a novel
cryptographic notion DPCH with formal definition and
present three security models for DPCH by considering
different types of adversaries. A unique feature of DPCH
is that it supports decentralized authorization in the per-
missioned setting. We give the first generic framework of
DPCH with rigorous security proofs.
• Practical instantiation with performance analysis.
We give an instantiation of DPCH based on
the prime-order pairing and RSA groups as the
previous solution [16]. We validate its practicality via
implementation and evaluation, which demonstrates that
our DPCH can be effectively integrated into blockchain
and enjoys superior performances than the state-of-the-art
solution.
II. OVERVIEW
In this section, we provide a high-level overview of our solu-
tion and the intuition behind it. Our decentralized blockchain
rewriting mechanism is based on DPCH. DPCH is built
from a chameleon hash, digital signature, and multi-authority
attribute-based encryption (MA-ABE). To highlight the intu-
ition of our solution, we consider a simple system model in
Fig. 1. There are three types of entities: a transaction owner,
a transaction modifier, and a set of authorities.
 MA et al.: REDACTABLE BLOCKCHAIN IN DECENTRALIZED SETTING
Fig. 1. System model of decentralized redactable blockchain.
A. System Overview
The scenario of DPCH-based blockchain rewriting includes
the following four steps.
1) System initialization. One of the multiple authorities
initializes the system by publishing a public parameter.
The public parameter does not have any secret informa-
tion and anyone is allowed to check its validity. The
other authorities initialize their public-secret keypairs
individually.
2) Modifier Registration. The modifier requires a unique
global identifier, the corresponding certification
(e.g., a digital signature), and a chameleon-hash secret
key from the authority who initializes the public
parameter. After validating the global identifier and
certification, the modifier requests the attribute-based
secret key from the other authorities.
3) Mutable Transaction Publication. A transaction owner
appends a mutable transaction to the blockchain using
the intuition behind PCH [16]. PCH outputs two
chameleon hashes and a ciphertext to derive mutable
transactions. In particular, the transaction owner picks a
fresh chameleon-hash key pair, and seals the secret key
as the ephemeral trapdoor to derive a ciphertext with an
access policy. Two chameleon hashes are the hash val-
ues from the transaction with different chameleon-hash
public keys. One is from the public parameter, and the
other one is the public component corresponding to
the ephemeral trapdoor. The transaction owner cannot
modify the transaction individually since he/she knows
the ephemeral trapdoor but the chameleon-hash secret
key.
4) Mutable Transaction Rewriting. A transaction modi-
fier is allowed to rewrite the mutable transaction if
he/she possesses both the chameleon-hash secret key and
valid attribute-based secret key. The valid attribute-based
secret key is used to fetch the ephemeral trapdoor by
decrypting the ciphertext within the mutable transaction.
B. Technical Overview
The technical overview of DPCH-based blockchain rewrit-
ing includes the following three building blocks.
• MA-ABE. MA-ABE [28] offers fine-grained access
control and decentralized privilege issuing to control
blockchain rewriting. We recall the security model, static
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
1229
security [29], for MA-ABE. The static security requires
that all adversarial queries are immediately sent to the
challenger, once the public parameters are released.
• Chameleon Hash. Chameleon hash provides mutable
transaction rewriting. This building block is used twice
to generate two hash values to forbid the transaction
owner to modify the mutable transaction individually and
fine-grained rewriting privilege control by sealing the
ephemeral trapdoor via MA-ABE. We recall the security
models [30], strong indistinguishability, and collision
resistance, for chameleon hashes in the next section.
• Digital Signature. Digital signature offers authentication
and integrity. Each transaction modifier is assigned a
unique global identifier and is issued a unique certifi-
cation via the digital signature. Each authority verifies
the certification and conducts attribute-based secret key
issuing. We recall the security model, existential unforge-
ability under chosen message attacks (EUF-CMA), for
digital signatures in the next section. Note that authenti-
cated channels are optional to replace digital signatures.
However, in the untrusted and decentralized blockchain
environment, it is hard to build an authenticated chan-
nel and the number of authenticated channels could be
numerous.
C. Instantiation
For constructing a practical DPCH, we rely on the MA-ABE
in prime-order pairing groups [29], the RSA-based chameleon
hash [30], and the BLS short signature [31]. To improve
the performance, we also apply hybrid encryption rather
than asymmetric-key encryption only, where AES is used to
instantiate the symmetric-key encryption. In particular, the
symmetric-key encryption mechanism seals the ephemeral
trapdoor under a symmetric key k. Then, the symmetric key k
is encoded to k̃, where k̃ is in the message domain of MA-ABE
rather than the key domain of the symmetric-key encryption.
The message k̃ is encrypted via MA-ABE to offer an access
control at a fine-grained level.
III. P RELIMINARIES
In this section, we recall access structure and several
building blocks, including MA-ABE, chameleon hash, and
digital signature, which are used in our proposed decentralized
redactable blockchain.
A. Access Structure
Definition 1 (Access Structure): Let U denote the universe
of attributes. A collection A ⊆ 2U \{∅} of non-empty sets is an
access structure on U. The sets in A are called the authorized
sets, and the sets not in A are called the unauthorized sets.
A collection A ⊆ 2U \ {∅} is called monotone if ∀B, C ∈ A:
if B ∈ A and B ⊆ C, then C ∈ A.
B. Multi-Authority Attribute-Based Encryption
Definition 2 (MA-ABE): A multi-authority attribute-based
encryption ABEMC (with the attribute universe U, the author-
ity universe U and the global identifier universe GID)
 1230 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
supports the possible policies 2U \ {∅} and the message space
M. It involves three types of entities: authorities, data owners,
and data users, and contains the following four algorithms:
ABEMC .GlobalSetup(1λ ) → gp: The probabilistic global
setup algorithm1 takes as input a security parameter λ ∈ N,
and outputs a public global parameter gp.
ABEMC .AuthSetup(θ ) → ( pkθ , skθ ): The probabilistic
authority setup is run by the authority θ ∈ U . On input
an authority identifier θ ∈ U , and output a public-secret key
pair ( pkθ , skθ ).
ABEMC .KeyGen(gi d, skθ , A) → sk gid,A : The probabilis-
tic key generation algorithm is run by the authority θ ∈ U .
On input a global identifier gi d ∈ GID, a secret key skθ and
an attribute A ∈ U, and output a secret key sk gid,A , where
A ∈ U is the attribute controlled by the authority θ ∈ U .
ABEMC .Enc({ pkθ }, A, m) → c: The probabilistic encryp-
tion algorithm is run by each data owner. On input a set of
public keys { pkθ }, an access structure A ⊆ 2U \ {∅} and a
message m ∈ M, and output a ciphertext c, where { pkθ } is
the public key set of the relevant authorities whose attributes
are used to derive the access structure A ⊆ 2U \ {∅}.
ABEMC .Dec({sk gid,A }, c) → m: The deterministic
decryption algorithm is run by the data user gi d ∈ GID.
On input a set of secret keys {sk gid,A } and a ciphertext c, and
output a message m ∈ M.
We recall the static security model [29] between a chal-
lenger and an attacker. In contrast to the standard model,
the static model requires the adversary to sent the querying
messages once it receives the public parameters.
Definition 3 (Static Security): Let ABEMC = issue the secret key of each authority or multiple interactions
(GlobalSetup, AuthSetup, KeyGen, Enc, Dec) be an
MA-ABE scheme. The static security definition of MA-ABE
in the chosen-ciphertext attack (CCA) setting is based on the
following experiment:
λ in our proposed decentralized redactable blockchain.
Expstatic
ABEMC ,A (1 )
LS , LQ ← ∅;
gp ← ABEMC .GlobalSetup(1λ );
(C , N , Q, Q , m 0 , m 1 , A∗ ) ← A(gp);
//C ⊆ U , N ⊆ U , C ∩ N = ∅
//Q ⊆ {GID, U} for querying secret keys
//Q ⊆ {GID, U} for initializing users
∀θ ∈ N : ( pkθ , skθ ) ← ABEMC .AuthSetup(θ );
∀(gi d, S) ∈ Q : //S = (A1 , A2 , . . . , Ak ) and S | A∗
LS ← LS ∪ S;
∀A ∈ S :
θ ← F(A);
//F : U → U maps attributes to their authority
sk gid,A ← ABEMC .KeyGen(gi d, skθ , A);
∀(gi d  , S  ) ∈ Q : //S  = (A1 , A2 , . . . , Ak )
∀A ∈ S  :
1 The setup algorithm needs a trusted environment but it does not output
any secret information. For simplicity, in our proposed redactable blockchain,
we assume the global parameter gp is a part of blockchain system parameters.
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
θ  ← F(A );

sk gid  
 ,A ← ABEMC .KeyGen(gi d , sk θ  , A );
LQ ← LQ ∪ {(gi d  , {sk gid

 ,A })};
b ∈ {0, 1};
c∗ ← ⊥ if m 0 , m 1 ∈ M ∨ |m 0 | = |m 1 | ∨ A∗ ∩ LS = ∅
else c∗ ← ABEMC .Enc({ pkθ∗ }, A∗ , m b ); //
{ pkθ∗ } = C ∪ N
b ← AODec (·,·)({ pkθ }, {gi d, {sk gid,A }}, c∗ );
//A gets public keys of all non-corrupted authorities
//and secrets keys of all users required in Q
return 1 if b = b .
Oracle ODec (gi d, c)
return ⊥ if c = c∗ ∨ (gi d, {sk gid,A }) ∈ LQ
for some {sk gid,A };
return ABEMC .Dec({sk gid,A }, c);
An MA-ABE scheme ABEMC is said to be static secure if
for any probabilistic polynomial-time (PPT) adversary A, the
following advantage is negligible:
 
Advstatic λ  static λ 
ABEMC ,A (1 ) = Pr[ExpABEMC ,A (1 ) = 1] − 1/2 .
Remark: Static security has been accepted in the decen-
tralized MA-ABE schemes [29], [32], where the decentraliza-
tion means no interaction between each authority. Selective
security has been considered in the early works [28], [33].
However, these works need either a centralized authority to
among authorities to simulate a centralized authority. Hence,
MA-ABE with selective security is not compatible with
the setting of decentralized blockchain. Therefore, we apply
MA-ABE with static security as an important building block
C. Chameleon Hash
Definition 4 (Chameleon Hashes): A chameleon hash CH
contains the following 5 algorithms:
CH.Setup(1λ ) → pp: On input a security parameter
λ ∈ N, the probabilistic setup algorithm outputs a public
parameter pp.
CH.KeyGen( pp) → ( pk, sk): On input a public parameter
pp, the probabilistic key generation algorithm outputs a
public-secret key pair ( pk, sk).
CH.Hash( pk, m) → (h, r ): On input pk and a message
m ∈ M, the probabilistic hash algorithm outputs a hash h
and a randomness r .
CH.Verify( pk, m, h, r ) → {0, 1}: On input pk, m, h, and r ,
the deterministic verification algorithm outputs 1 if (h, r ) is
valid; otherwise, outputs 0.
CH.Adapt(sk, m, m  , h, r ) → r  : On input a secret key sk,
m ∈ M, a message m  ∈ M, h and r , the deterministic
adaption algorithm outputs a randomness r  .
We recall the security notations of chameleon hashes [30]:
strong indistinguishability and collision resistance. Strong
indistinguishability requires that the adversary cannot judge
 MA et al.: REDACTABLE BLOCKCHAIN IN DECENTRALIZED SETTING 1231

whether the randomness r is derived from the hash algorithm DS.Setup(1λ ) → pp: On input a security parameter
or the adaption algorithm. Collision resistance allows the λ ∈ N, the probabilistic setup algorithm outputs a public
adversary to access the adaptive oracle, and the adversary parameter pp.
cannot find any collisions for the messages which have not DS.KeyGen( pp) → ( pk, sk): On input pp, the probabilis-
been queried to the adaptive oracle. tic key generation algorithm outputs a public-secret key pair
Definition 5 (Strong Indistinguishability): The strong indis- ( pk, sk).
tinguishability of a chameleon hash scheme CH = (Setup, DS.Sign(sk, m) → σ : On input sk and a message m ∈ M,
KeyGen, Hash, Verify, Adapt) is based on the following the probabilistic signing algorithm outputs a signature σ .
experiment: ExpSIND (1λ ) DS.Verify( pk, m, σ ) → {0, 1}: On input pk, m and σ , the
CH,A
deterministic verification algorithm outputs 1 if σ is a valid
pp ← CH.Setup(1λ ); signature; otherwise, outputs 0.
( pk, sk) ← CH.KeyGen( pp); Definition 8 (EUF-CMA): The EUF-CMA of a DS scheme
b ← {0, 1}; is based on the following experiment:
ExpEUF -CMA (1λ ) Oracle OSign (m)
b  ← AOHashOrAdapt(·,·) ( pp, pk, sk); DS ,A
pp ← DS.Setup(1λ ); σ ← DS.Sign(sk, m);
return 1 if b = b . Q ← ∅; Q ← Q ∪ {m};
Oracle OHashOrAdapt (m, m  ) (m ∗ , σ ∗ ) ← AOSign (·) ( pp, pk); return σ .
(h, r ) ← CH.Hash( pk, m  ); return 1 if m ∈ Q ∧
DS.Verify( pk, σ ) = 1.
r etur n (h, r ) if b = 0;
A DS scheme is said to be EUF-CMA if for any PPT adversary
(h  , r  ) ← CH.Hash( pk, m); A, the following advantage is negligible:
r  ← CH.Adapt(sk, m, m  , h  , r  ); -CMA (1λ ) = Pr[ExpEUF-CMA (1λ )].
AdvEUF
return (h  , r  ). DS ,A DS ,A

A chameleon hash scheme CH is said to be strong indistin-

guishable if for any PPT adversary A, the following advantage IV. D ECENTRALIZED P OLICY-BASED C HAMELEON H ASH
is negligible: In this section, we introduce the formal definition of DPCH
  and its security model. We present the generic construction
AdvSIND λ  SIND λ 
CH,A (1 ) = Pr[ExpCH,A (1 ) = 1] − 1/2 . of DPCH based on a chameleon hash with ephemeral trap-
doors [30], MA-ABE [29] and digital signature [31] in Fig. 2.
Definition 6 (Collision Resistance): The collision We also present rigorous security proof for our proposed
resistance of a CH scheme is based on the following generic construction. Finally, based on the proposed generic
experiment: construction, we give a practical instantiation of DPCH.
λ
ExpCR
CH,A (1 )
pp ← CH.Setup(1λ ); A. Formal Definition of DPCH
( pk, sk) ← CH.KeyGen( pp); Definition 9 (Decentralized Policy-Based Chameleon
Q ← ∅; Hashes): A decentralized policy-based chameleon hash
DPCH with the attribute universe U, the authority universe
(m ∗ , r ∗ , m ∗ , r ∗ , h ∗ ) ← AOAdapt (·,·,·,·)( pp, pk); U and the global identifier universe GID that supports the
r etur n 1 if m ∗ ∈ Q ∧ m ∗ = m ∗ ∧ possible policies 2U \ {∅} and the message space M consists
CH.Verify( pk, m ∗ , h ∗ , r ∗ ) = CH. of the following seven algorithms:
Verify( pk, m ∗ , h ∗ , r ∗ ) = 1. DPCH.Setup(1λ ) → ( pp, pk, sk): The probabilistic setup
algorithm is run by the authorities. On input a security
Oracle OAdapt (m, m  , r, h) parameter λ ∈ N, and output a public parameter pp (which is
r  ← CH.Adapt(sk, m, m  , h, r ); an implicit input of all other algorithms), and a public-secret
Q ← Q ∪ {m, m  }; key pair ( pk, sk).
return r  . DPCH.ModSetup(sk, gi d) → (sk gid , σgid ): The proba-
bilistic modifier setup algorithm is run by each authority.
A CH scheme is said to be collision resistant if for any PPT On input a secret key sk and a global identifier gi d ∈ GID,
adversary A, the following advantage is negligible: and output a secret key sk gid and a signature σgid .
DPCH.AuthSetup(θ ) → ( pkθ , skθ ): The probabilistic
λ λ
AdvCR CR
CH,A (1 ) = Pr[ExpCH,A (1 ) = 1]. authority setup algorithm is run by each authority. On input
an authority identifier θ ∈ U , and output a public-secret key
pair ( pkθ , skθ ).
D. Digital Signature DPCH.ModKeyGen( pk, gi d, σgid , skθ , A) → sk gid,A /⊥:
Definition 7 (Digital Signatures): A digital signature DS The probabilistic modifier key generation algorithm is run by
scheme includes the following four algorithms: each authority. On input pk, gi d ∈ GID, σgid , skθ and an

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
 1232
Fig. 2.
attribute A ∈ U, and output a secret key sk gid,A or a failure
symbol ⊥ representing invalid gi d.
DPCH.Hash( pk, { pkθ }, A, m) → ( pk et d , h, r, c): The
probabilistic hash algorithm is run by the transaction owner.
On input pk, a set of public keys { pkθ }, an access structure
A ⊆ 2U \ {∅} and a message m ∈ M, and output a public key
pk et d , a hash h, a randomness r and a ciphertext c, where
pk et d is the public component of the ephemeral trapdoor and
c seals the secret component sk et d .
DPCH.Verify( pk, pk et d , m, h, r ) → {0, 1}: The determin-
istic verification algorithm is run by any entity. On input pk,
pk et d , m ∈ M, h and r , and output 1 if (h, r ) is valid;
otherwise, output 0.
DPCH.Adapt(sk gid , {sk gid,A }, c, m, m  , h, r ) → r  : The
deterministic adaption algorithm is run by the transaction
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
Generic construction of DPCH.
modifier. On input sk gid , a set of secret keys {sk gid,A }, c,
messages m and m  , h and r , and output a randomness r  .
B. Security Model of DPCH
This section presents three security models of DPCH,
including indistinguishability, outsider collision resistance, and
insider collision resistance, based on the previous blockchain
rewriting solution [16].
Definition 10 (Indistinguishability): The indistinguishabil-
ity of DPCH is based on the following experiment:
λ
ExpIND
DPCH,A (1 )
( pp, pk, sk) ← DPCH.Setup(1λ );
({ pkθ }, {skθ }) ← A( pp, pk, sk); //Corrupt all authorities
b ← {0, 1}; //b impacts the returns of OHashOrAdapt (·, ·, ·)
 MA et al.: REDACTABLE BLOCKCHAIN IN DECENTRALIZED SETTING
b ← AOHashOrAdapt(·,·,·) (sk, {skθ });
return 1 if b = b .
Oracle OHashOrAdapt (m, m  , A)
( pk et d , h  , r  , c) ← DPCH.Hash( pk, { pkθ }, A, m  );
r etur n ( pk et d , h  , r  , c) if b = 0;
( pk et d , h, r, c) ← DPCH.Hash( pk, { pkθ }, A, m);
(gid, sk gid , σgid ) ← DPCH.ModSetup(sk);
sk gid,A ← DPCH.ModKeyGen( pk, gid, σgid , skθ , A);
r  ← DPCH.Adaptive(sk gid , {sk gid,A }, c, m, m  , h, r );
//{sk gid,A } associated with {A} s.t. {A} | A
return ( pk et d , h  , r  , c).
A DPCH is said to be indistinguishable if for any PPT
adversary A, the following advantage is negligible:
 
AdvIND λ  IND λ 
DPCH,A (1 ) = Pr[ExpDPCH,A (1 ) = 1] − 1/2 .
Definition 11 (Outsider Collision Resistance): The
outsider collision resistance of DPCH is based on the
following experiment:
Oracle OAdapt (gid, c, m, m  , h, r )
return ⊥ if DPCH.Verify( pk, pk et d , m, h, r ) = 0 ∨
(gid, {sk gid,A }) ∈ LQ for some {sk gid,A };
r  ← DPCH.Adapt(sk gid , {sk gid,A }, c, m, m  , h, r );
LM ← LM ∪ {m, m  };
return r  .
Oracle OModReg (gid, S)
(sk gid , σgid ) ← DPCH.ModSetup(sk, gid);
∀A ∈ S : sk gid,A ← DPCH.ModKeyGen( pk, gid, σgid , skθ , A);
LQ ← {(gid, {sk gid,A })}.
ExpOCR λ
DPCH,A (1 )
LQ , LM ← ∅;
( pp, pk, sk) ← DPCH.Setup(1λ );
( pkθ , skθ ) ← DPCH.AuthSetup(θ);
( pk ∗et d , m ∗ , r ∗ , m ∗ , r ∗ , h ∗ ) ← AO ( pp, pk, { pkθ }),
where O ← OModReg (·, ·), OAdapt (·, ·, ·, ·, ·, ·);
return 1 if m ∗ ∈ LM ∧ m ∗ ∈ m ∗ ∧
DPCH.Verify( pk, pk ∗et d , m ∗ , h ∗ , r ∗ ) = 1 ∧
DPCH.Verify( pk, pk ∗et d , m ∗ , h ∗ , r ∗ ) = 1.
A DPCH is said to be outsider collision resistant if for any
PPT adversary A, the following advantage is negligible:
λ λ
AdvOCR OCR
DPCH,A (1 ) = Pr[ExpDPCH,A (1 ) = 1].
Definition 12 (Insider Collision Resistance): The insider
collision resistance of DPCH is based on the following
experiment:
ExpICR λ Query: A queries (m, m  , A) to OHashOrAdapt (·, ·, ·). B
DPCH,A (1 )
LS , LQ , LH ← ∅;
( pp, pk, sk) ← DPCH.Setup(1λ );
(C , N , Q, Q , A∗ ) ← A( pp, pk);
//C ⊆ U ∪ {0}, N ⊆ U ∪ {0}, C ∩ N = ∅,
//Q ⊆ {GID, GIDσ , U} for querying secret keys
//Q ⊆ {GID, GIDσ , U } for initializing users
//0 denotes the authority with the key pair ( pk, sk)
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
1233
∀θ ∈ N : ( pkθ , skθ ) ← DPCH.AuthSetup(θ);
∀(gid, σgid , S) ∈ Q : //S = (A 1 , A 2 , . . . , A k ), S | A
LS ← LS ∪ S;
∀A ∈ S : θ ← F(A); //F : U → U
sk gid,A ← DPCH.ModKeyGen( pk, gid, σgid , skθ , A);
∀(gid  , σgid
 , S  ) ∈ Q : //S  = (A  , A  , . . . , A  )
1 2 k
∀A  ∈ S  : θ  ← F(A  );
   
sk gid  ,A ← DPCH.ModKeyGen( pk, gid , σgid , sk θ  , A );
LQ ← LQ ∪ {(gid, {sk gid 
 ,A })};
 
sk = ⊥ if 0 ∈ C , else sk = sk;
//sk is kept secret if the authority with pk is non-corrupted
( pk ∗et d , m ∗ , r ∗ , m ∗ , r ∗ , h ∗ , c∗ ) ← AO ({ pkθ }, {gid, {sk gid,A },
sk  }), where O ← OHash (·, ·), OAdapt (·, ·, ·, ·, ·, ·).
return 1 if (h ∗ , r ∗ , A∗ , ·) ∈ LH ∧ (h ∗ , r ∗ , ·, m ∗ ) ∈ LH ∧
m = m ∗ ∧ DPCH.Verify( pk, pk ∗et d , m ∗ , h ∗ , r ∗ ) = 1 ∧
DPCH.Verify( pk, pk ∗et d , m ∗ , h ∗ , r ∗ ) = 1, for some A ∧
m ∗ = m ∗ ∧ A ∩ LS = ∅ ∧ (h ∗ , ·, A, m ∗ ) ∈ LH .
Oracle OHash (A, m)
( pk et d , h, r, c) ← DPCH.Hash( pk, { pkθ }, A, m);
LH ← LH ∪ {(h, r, A, m)};
return ( pk et d , h, r, c).
Oracle OAdapt (gid, c, m, m  , h, r )
r  ← DPCH.Adapt(sk gid , {sk gid,A }, c, m, m  , h, r );
LH ← LH ∪ {(h, r, A, m  )}
return r  .
A DPCH is said to be insider collision resistant if for any
PPT adversary A, the following advantage is negligible:
AdvICR λ ICR λ
DPCH,A (1 ) = Pr[ExpDPCH,A (1 ) = 1].
C. Security Proof
Theorem 1: The proposed DPCH is indistinguishable if the
underlying chameleon hash is strongly indistinguishable.
Proof: We assume there exists a PPT adversary A that
can break the indistinguishability security of our proposed
DPCH with non-negligible advantage. We can build a PPT
simulator B that can break the strongly indistinguishability
security of the underlying chameleon hash CCH with advantage
λ λ
as AdvSINDCH,B (1 ) = AdvDPCH,A (1 ).
IND
Setup: B generates the parameters ( pp, pk, sk) by running
DPCH.Setup(1λ ) except the chameleon hash related com-
ponent from CCH and starts A by sending ( pp, pk, sk). A
returns a public parameter pp, a set of public keys { pkθ } and
a set of secret keys {skθ } to B.
forwards (m, m  ) to CCH , and CCH returns (h, r ). B generates
a fresh chameleon hash key pair ( pk et d , sk et d ) and encrypts
the secret key sk et d under the access policy A to derive
the ciphertext c. B tosses a random coin coi n ∈ {0, 1}.
If coi n = 0, B generates (h  , r  ) via hashing the message
m  . If coi n = 1, B generates (h  , r  ) via hashing the message
m and adapting m to m  . B returns ( pk et d , (h, h  ), (r, r  ), c).
Guess: A outputs a bit b and B forwards b to CCH .
 1234 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022

Now we observe that the hash or adapt oracle is simulated
perfectly, and B wins with the same probability as A wins. 
Theorem 2: The proposed DPCH is outsider collision
resistant if the underlying chameleon hash is collision
resistant.
Proof: We assume there exists a PPT adversary A that can
break the outsider collision resistance of our proposed DPCH
with non-negligible advantage. We can build a PPT simulator
B that can break the collision resistance of the underlying
chameleon hash CCH with advantage as AdvCR
CH,B (1 ) =
AdvDPCH,A (1 ).
OCR λ
Setup: B generates the parameters ( pp, pk, sk) by running
DPCH.Setup(1λ ) except the chameleon hash related com-
ponent from CCH , and then initializes authorities by running
DPCH.Auth(θ ) for all θ ∈ U to obtain a set of public keys
{ pkθ } and a set of secret keys {skθ }.
Query: A can query the modifier register oracle
OModReg (·, ·) and the adaptive oracle OAdapt (·, ·, ·, ·, ·, ·).
Case 2: If N = {0}. In this case, the authority who
initializes the global identifier gi d and the long-term trapdoor
sk gid is honest, and other authorities are corrupted. In this
case, A can generate the secret keys on behalf of all authorities
without the long-term trapdoor sk for the newly joined modi-
fiers. Hence, if A can win the game, we can build a simulator
that breaks the collision resistance of chameleon hash schemes
λ λ
with the advantage AdvICR DPCH,A (1 ) = AdvCH,CCH (1 ).
CR
Case 3: If C = {0} and 0 ∈ C . In this case, some authori-
λ
ties including the authority who initializes the global identifier
gi d and the long-term trapdoor sk gid are corrupted. In this
case, A can generate the long-term trapdoor sk and issue
the signature σgid and secret keys on behalf of the corrupted
authorities for the newly joined modifiers. Hence, if A can
win the game, we can build a simulator that breaks the static
security of MA-ABE and the collision resistance of chameleon
λ
hash schemes with the advantage AdvICR DPCH,A (1 ) = q ·
λ λ
(AdvABEMC ,B (1 ) + AdvCH,CCH (1 )), where q denotes the
static CR

OModReg (gi d, S): A queries on the global identifier gi d
and an attribute set S to the modifier register oracle. It runs
DPCH.ModSetup(sk, gi d) to derive (sk gid , σgid ), and for
each A ∈ S, it finds the authority identifier θ ← F(A) and
runs DPCH.ModKeyGen( pk, gi d, σgid , skθ , A) to generate
sk gid,A . Note that the secret key (sk gid , {sk gid,A }) is kept by
B since A is the outsider.
OAdapt (gi d, c, m, m  , h, r ): A queries on the global identi-
fier gi d, a ciphertext c, two messages (m, m  ), a hash h and a
randomness r . Parse r = (r0 , r1 ) and h = (h 0 , h 1 ). It forwards
(m, m  , r0 , h 0 ) to CCH and obtains the randomness r0 . It then
runs DPCH.Adapt(gi d, c, m, m  , h, r ) to derive the rest of
randomnesses r1 . It returns (r0 , r1 ) to A.
Output: A outputs ( pk ∗et d , m ∗ , r ∗ , m ∗ , r ∗ , h ∗ ) to B. Parse
r = (r0∗ , r1∗ ), r ∗ = (r0∗ , r1∗ ) and h ∗ = (h ∗0 , h ∗1 ). B then
∗ the following three games. The adversary’s success probability
forwards (m ∗ , r0∗ , m ∗ , r0∗ , h ∗0 ) to CCH .
Now we observe that the hash or adapt oracle is simulated
perfectly, and B wins with the same probability as A wins. 
Theorem 3: The proposed DPCH is insider collision resis-
tant if the underlying MA-ABE provides static security in the
CCA setting, the chameleon hash is collision resistant, and the
digital signature scheme is EUF-CMA.
Recall the definition of the set corrupt authorities as C ⊆
U ∪ {0} and non-corrupt set of authorities as N ⊆ U ∪ {0},
where C ∩ N = ∅, C = ∅ and N = ∅. To prove this
theorem, we consider the following four cases:
Case 1: C = {0}. In this case, the authority who ini-
tializes the global identifier gi d and the long-term trapdoor
sk gid is the only corrupted authority, and other authorities
are honest. In this case, A can generate the long-term trap-
door sk and issue the signature σgid for the newly joined
modifiers. Hence, if A can win the game, we can build a
simulator that breaks the static security of MA-ABE and
the collision resistance of chameleon hash schemes with
λ λ
the advantage AdvICR DPCH,A (1 ) = q · (AdvABEMC ,B (1 ) +
static
λ
AdvCH,CCH (1 )), where q denotes the number of queries to
CR
number of queries to the oracle OHash (·, ·).
Case 4: If N = {0} and 0 ∈ N . In this case, some author-
ities including the authority who initializes the global identifier
gi d and the long-term trapdoor sk gid are honest. In this case,
A can generate the secret keys on behalf of the corrupted
authorities for the newly joined modifiers. Hence, if A can
wins the game, we can build a simulator that breaks the static
security of MA-ABE, the collision resistance of chameleon
hash schemes and the EUF-CMA of digital signatures with
λ λ
the advantage AdvICR DPCH,A (1 ) = q · (AdvABEMC ,B (1 ) +
static
AdvCR
CH,CCH (1λ ) + AdvEUF-CMA (1λ )), where q denotes the
DS ,CDS
number of queries to the oracle OHash (·, ·).
Proof (Theorem 3. Case 1): This case can be proved by
in Game i is denoted by Pr[Si ]. The adversary can query q
times OHash (·, ·) oracle queries.
Game 0: This is the original ICR security experiment as
shown in Definition 12.
Game 1: As Game 0, but we guess the i ∗ -th hash query
which returns h ∗ that will be attacked by the adversary.
We store the returning value ( pk et d , h, r, c) as well as the
corresponding ephemeral trapdoor sk ∗et d . If we detect our
guess is wrong at some point during the simulation, we abort.
The winning probability in Game 1 is the same as in
Game 0, except an abort happens. Hence, we have that
Pr[S1 ] = Pr[S0 ] · 1/q.
Game 2: As Game 1, but whenever we receive an adapt
query on (gi d, c, m, m  , h, r ) with c = c∗ , we do not decrypt,
but directly adapt using sk ∗et d .
The winning probability in Game 2 is the same as in Game 1
under the perfect correctness of the encryption scheme. Hence,
we have that Pr[S2 ] = Pr[S1 ].
Game 3: As Game 2, but we change the simulation of the
hash algorithm DPCH.Hash( pk, { pkθ }, A, m). For the i ∗ -th
query to hash algorithm, we use 0|sk | as the trapdoor instead
etd

the oracle OHash (·, ·). If guessing the i ∗ -th hash query with
the challenge ciphertext c∗ incorrectly, we abort. Therefore,
this game can be prefect simulated if i ∗ -th guessing correctly.
of the real trapdoor sk et d . Specifically, we generate ciphertext
c ← ABEMC .Enc({ pkθ }, A, 0|sk | ) and store sk et d locally
etd
rather than running c ← ABEMC .Enc({ pkθ }, A, sk et d ).

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
 MA et al.: REDACTABLE BLOCKCHAIN IN DECENTRALIZED SETTING
The claim that Game 2 and Game 3 are indistinguishable
under the static security of ABEMC in the CCA setting,
i.e., | Pr[S3 ] − Pr[S2 ]| = Advstatic λ
ABEMC ,B (1 ). To prove the
claim, we show that we can use a challenger CABE static
MC
the static security model with the CCA setting to effectively
interpolate between Game 2 and Game 3. In particular, con-
sider the following hybrid game: Upon initialization we obtain
gpABEMC from CABE static , set sk ← ⊥ and complete the
MC
remainder of the setup honestly based on the security para-
meter and bilinear group description in gpABEMC to derive
( pp, sk). After receiving (C , N , Q, Q , A∗ ), we forward
(C , N , Q, Q , sk ∗et d , 0|sk | , A∗ ) to CABE
etd static
MC
and obtain
∗
({ pkθ }, {gi d, {sk gid,A }}, c ). To simulate queries to the adap-
tion oracle OAdapt , we use decryption oracle ODec provided by
CABE
static to reveal the trapdoor and complete reminder follow
MC
the adaption algorithm DPCH.Adapt. The hash oracle OHash
is simulated based on its index i . For the i -th query with
i = i ∗ , we run DPCH.Hash to respond to the hash query.
For the i ∗ -th query, we directly use sk ∗et d as the ephemeral
trapdoor to hash message and c∗ as the sealed ephemeral
trapdoor. Now, we observe that aborting as soon as we detect
that our guess of index i ∗ is wrong ensures that we will
never have to answer queries which involve queries to the
challenger’s oracle which would not be answered. If the bit b
of the challenger is 0 we perfectly, simulate Game 2, whereas
we perfectly simulate Game 3 if b = 1. This proves the claim.
To prove Game 3, we use the challenger of collision resis-
tant chameleon hash CCH and honestly complete the initial-
ization to simulate the long-term trapdoor. Then we simulate
the hash oracle OHash and the adaption oracle OAdapt as in
Game 3. To simulate the i -th with i = i ∗ hash oracle, we use
the challenger of collision resistant chameleon hash CCH i to
setup the ephemeral trapdoor and seal the ephemeral trapdoor
via ABEMC .Enc. For the i ∗ -th hash oracle, as the ciphertext c
already encrypts 0|sk | instead of sk ∗et d , we do not require to
etd
know sk ∗et d . For the adaption oracle, we only modify the sim-
ulation for queries with respect to sk ∗et d returned upon the i ∗ -
th query to OHash in that we use CCH to compute the adapted
hashes. Finally, A returns ( pk ∗et d , m ∗ , r ∗ , m ∗ , r ∗ , h ∗ , c∗ ) to
B, where r ∗ = (r0∗ , r1∗ ), r ∗ = (r0∗ , r1∗ ) and h ∗ = (h ∗0 , h ∗1 ).
B forwards (m ∗ , r1∗ , m ∗ , r1∗ , h ∗1 ) as the collision. Hence,
λ guess is wrong at some point during the simulation, we abort.
we have that Pr[S3 ] = AdvCR CH,CCH (1 ).
As we have shown above, the advantage of any adversary
in the final game is bounded by the advantage of any adver-
sary in the private collision freeness game, i.e., Pr[S3 ] =
λ Game 2: As Game 1, but whenever we receive an adapt
AdvCR CH,CCH (1 ). This yields the following bound for the
λ λ
original game as AdvICR DPCH,A (1 ) = q · (AdvABEMC ,B (1 ) +
static
λ
AdvCR CH,CCH (1 )), which concludes the proof.
Proof (Theorem 3. Case 2): We prove the second case by
security reduction. We assume there exists a PPT adversary
A that can break the insider collision resistance by corrupting
the authorities who do not contribute the public parameters in
our proposed DPCH with non-negligible advantage. We can
build a PPT simulator B that breaks the collision resistance
of the underlying chameleon hash CH with advantage as
λ λ
AdvICRDPCH,A (1 ) = AdvCH,CCH (1 ).
CR
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
1235
Setup: B generates the parameters ( pp, pk, sk) by running
DPCH.Setup(1λ ) except the chameleon hash related com-
ponent from the challenger CCH , where the corresponding
in chameleon hash secret key, as the long-term trapdoor in
our scheme, is unknown to B. Note that, due to the other
authorities are corrupted, B does not need to simulate the rest
of the authorities.
Query: A is allowed to query the following oracle
adaptively.
• A can query on the access structure A and the message
m to the hash oracle OHash . It runs the hash algorithm
DPCH.Hash( pk, { pkθ }, A, m) to derive ( pk et d , h, r, c).
It returns ( pk et d , h, r, c) to A.
• A can query on the global identifier gi d, the ciphertext
c, two messages m, m  , the hash r and the randomness r
to the adaption oracle OAdapt . Due to all authorities who
can issue the attribute keys are corrupted, A can reveal
any ciphertext and B does not have the knowledge of
any attribute key. Hence, it aborts if A = ∅. Parse h =
(h 0 , h 1 ) and r = (r0 , r1 ). It forwards (m, m  , r0 , h 0 ) to
the adaption oracle OAdapt provided by CCH and obtains
r0 . It completes the rest components of DPCH.Adapt to
obtain r1 and returns (r0 , r1 ) to A.
Output: A outputs ( pk ∗et d , m ∗ , r ∗ , m ∗ , r ∗ , h ∗ , c∗ ) to B,
where r ∗ = (r0∗ , r1∗ ), r ∗ = (r0∗ , r1∗ ) and h ∗ = (h ∗0 , h ∗1 ). B
forwards (m ∗ , r0∗ , m ∗ , r0∗ , h ∗0 ) as the collision for chameleon
hashes to CCH .
Now we observe that the hash or adapt oracle is simulated
perfectly, and B wins with the same probability as A wins.
This yields the following bound for the original game as
λ λ
DPCH,A (1 ) = AdvCH,CCH (1 ), which concludes the
AdvICR CR
proof. 
Proof (Theorem 3. Case 3): We prove the third case by
the following three games.
Game 0: This is the original ICR security experiment as
shown in Definition 12.
Game 1: As Game 0, but we guess the i ∗ -th hash query
which returns h ∗ that will be attacked by the adversary.
We store the returning value ( pk et d , h, r, c) as well as the
corresponding ephemeral trapdoor sk ∗et d . If we detect our
The winning probability in Game 1 is the same as in
Game 0, except an abort happens. Hence, we have that
Pr[S1 ] = Pr[S0 ] · 1/q.
query on (gi d, c, m, m  , h, r ) with c = c∗ , we do not decrypt,
but directly adapt using sk ∗et d .
 The winning probability in Game 2 is the same as in Game
1 under the perfect correctness of the encryption scheme.
Hence, we have that Pr[S2 ] = Pr[S1 ].
Game 3: As Game 2, but we change the simulation of the
hash algorithm DPCH.Hash( pk, { pkθ }, A, m). For the i ∗ -th
query to hash algorithm, we use 0|sk | as the trapdoor instead
etd
et d
of the real trapdoor sk . Specifically, we generate ciphertext
c ← ABEMC .Enc({ pkθ }, A, 0|sk | ) and store sk et d locally
etd
rather than running c ← ABEMC .Enc({ pkθ }, A, sk et d ).
 1236 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
The claim that Game 2 and Game 3 are indistinguishable
under the static security of ABEMC in the CCA setting,
i.e., | Pr[S3 ] − Pr[S2 ]| = Advstatic λ
ABEMC ,B (1 ). To prove the
claim, we show that we can use a challenger CABE static in
MC
the static security model with the CCA setting to effectively
interpolate between Game 2 and Game 3. In particular, con-
sider the following hybrid game: Upon initialization we obtain
gpABEMC from CABE static , set sk ← ⊥ and complete the
MC
remainder of the setup honestly based on the security para-
meter and bilinear group description in gpABEMC to derive
( pp, sk). After receiving (C , N , Q, Q , A∗ ), we forward
(C , N , Q, Q , sk ∗et d , 0|sk | , A∗ ) to CABE
etd static
MC
and obtain
∗
({ pkθ }, {gi d, {sk gid,A }}, c ). To simulate queries to the adap-
tion oracle OAdapt , we use decryption oracle ODec provided by
CABE
static
MC
to reveal the trapdoor and complete reminder follow
the adaption algorithm DPCH.Adapt. The hash oracle OHash
is simulated based on its index i . For the i -th query with
i = i ∗ , we run DPCH.Hash to respond to the hash query.
For the i ∗ -th query, we directly use sk ∗et d as the ephemeral
trapdoor to hash message and c∗ as the sealed ephemeral
trapdoor. Now, we observe that aborting as soon as we detect
that our guess of index i ∗ is wrong ensures that we will
never have to answer queries which involve queries to the
challenger’s oracle which would not be answered. If the bit b
of the challenger is 0 we perfectly, simulate Game 2, whereas
we perfectly simulate Game 3 if b = 1. This proves the claim.
To prove Game 3, we use the challenger of collision resis-
tant chameleon hash CCH and honestly complete the initial-
ization to simulate the long-term trapdoor. Then we simulate
the hash oracle OHash and the adaption oracle OAdapt as in
Game 3. To simulate the i -th with i = i ∗ hash oracle, we use
the challenger of collision resistant chameleon hash CCH i to
setup the ephemeral trapdoor and seal the ephemeral trapdoor
via ABEMC .Enc. For the i ∗ -th hash oracle, as the ciphertext c
already encrypts 0|sk | instead of sk ∗et d , we do not require to
etd
know sk ∗et d . For the adaption oracle, we only modify the sim-
ulation for queries with respect to sk ∗et d returned upon the i ∗ -
th query to OHash in that we use CCH to compute the adapted
hashes. Finally, A returns ( pk ∗et d , m ∗ , r ∗ , m ∗ , r ∗ , h ∗ , c∗ ) to
B, where r ∗ = (r0∗ , r1∗ ), r ∗ = (r0∗ , r1∗ ) and h ∗ = (h ∗0 , h ∗1 ).
B forwards (m ∗ , r1∗ , m ∗ , r1∗ , h ∗1 ) as the collision. Hence,
λ of the challenger is 0 we perfectly, simulate Game 2, whereas
we have that Pr[S3 ] = AdvCRCH,CCH (1 ).
As we have shown above, the advantage of any adversary
in the final game is bounded by the advantage of any adver-
sary in the private collision freeness game, i.e., Pr[S3 ] =
λ lenger of collision resistant chameleon hash CCH to manage
AdvCRCH,CCH (1 ). This yields the following bound for the
λ λ
DPCH,A (1 ) = q · (AdvABEMC ,B (1 ) +
original game as AdvICR static
λ
AdvCRCH,CCH (1 )), which concludes the proof.  A may attempt to forge the signature to win the game,
Proof (Theorem 3. Case 4): We prove the forth case by
the following three games.
Game 0: This is the original ICR security experiment as
shown in Definition 12.
Game 1: As Game 0, but we guess the i ∗ -th hash query
which returns h ∗ that will be attacked by the adversary.
We store the returning value ( pk et d , h, r, c) as well as
the corresponding ephemeral trapdoor sk ∗et d . If we detect
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
our guess is wrong at some point during the simulation,
we abort.
The winning probability in Game 1 is the same as in
Game 0, except an abort happens. Hence, we have that
Pr[S1 ] = Pr[S0 ] · 1/q.
Game 2: As Game 1, but whenever we receive an adapt
query on (gi d, c, m, m  , h, r ) with c = c∗ , we do not decrypt,
but directly adapt using sk ∗et d .
The winning probability in Game 2 is the same as in Game 1
under the perfect correctness of the encryption scheme. Hence,
we have that Pr[S2 ] = Pr[S1 ].
Game 3: As Game 2, but we change the simulation of the
hash algorithm DPCH.Hash( pk, { pkθ }, A, m). For the i ∗ -th
query to hash algorithm, we use 0|sk | as the trapdoor instead
etd
of the real trapdoor sk et d . Specifically, we generate ciphertext
c ← ABEMC .Enc({ pkθ }, A, 0|sk | ) and store sk et d locally
etd
rather than running c ← ABEMC .Enc({ pkθ }, A, sk et d ).
The claim that Game 2 and Game 3 are indistinguishable
under the static security of ABEMC in the CCA setting,
i.e., | Pr[S3 ] − Pr[S2 ]| = Advstatic λ
ABEMC ,B (1 ). To prove the
claim, we show that we can use a challenger CABE static in
MC
the static security model with the CCA setting to effectively
interpolate between Game 2 and Game 3. In particular, con-
sider the following hybrid game: Upon initialization we obtain
gpABEMC from CABE static , set sk ← ⊥ and complete the
MC
remainder of the setup honestly based on the security para-
meter and bilinear group description in gpABEMC to derive
( pp, sk). After receiving (C , N , Q, Q , A∗ ), we forward
(C , N , Q, Q , sk ∗et d , 0|sk | , A∗ ) to CABE
etd static and obtain
∗ MC
({ pkθ }, {gi d, {sk gid,A }}, c ). To simulate queries to the adap-
tion oracle OAdapt , we use decryption oracle ODec provided by
CABE
static
MC
to reveal the trapdoor and complete reminder follow
the adaption algorithm DPCH.Adapt. The hash oracle OHash
is simulated based on its index i . For the i -th query with
i = i ∗ , we run DPCH.Hash to response the hash query.
For the i ∗ -th query, we directly use sk ∗et d as the ephemeral
trapdoor to hash message and c∗ as the sealed ephemeral
trapdoor. Now, we observe that aborting as soon as we detect
that our guess of index i ∗ is wrong ensures that we will
never have to answer queries which involve queries to the
challenger’s oracle which would not be answered. If the bit b
we perfectly simulate Game 3 if b = 1. This proves the claim.
To prove Game 3, we use the challenger of EUF-CMA
digital signature CDS to handle the signature and the chal-
the chameleon hash. More precisely, A can win the game from
the following two methods.
denoted as E 1 . In particular, we have that N = {0} and
0 ∈ N , which means A cannot obtain the signing key sk
and may win the game by forging σgid . σgid can be used to
impersonate gi d to obtain the secret key that can be used
to adapt the challenge message. To simulate this game, B
needs to interact with CDS to complete the initialization by
simulating the digital signature. In particular, B receives the
public parameter and the public key of the digital signature
 MA et al.: REDACTABLE BLOCKCHAIN IN DECENTRALIZED SETTING
scheme ( ppDS , pkDS ) to complete the component of the
digital signature in the setup algorithm. After seeing the
public parameter and the public key, A returns a set of
corrupted authorities C , a set of non-corrupted authorities
N , a list of queries Q and a challenge policy A∗ , where
Q ⊆ {GID, GID σ , U} and GID σ is a set of signatures about
the global identifier gi d ∈ GID under the public key pk.
B runs the authority setup algorithm DPCH.AuthSetup(θ )
for all θ ∈ N to derive a set of key pair ({ pkθ }, {skθ }).
For each (gi d, σgid , S) ∈ Q, B runs the modify key gener-
ation algorithm DPCH.ModKeyGen( pk, gi d, σgid , skθ , Sθ )
to derive the secret key sk gid,Sθ . B forwards (gi d, σgid ) to
CDS as the forged message and signature pair. B returns
({ pkθ }, {sk gid,Sθ }) to A.
A may attempt to adapt the hash result to win the game,
denoted as E 2 . For the components related to chameleon hash,
CCH is used to complete the initialization by simulating the
long-term trapdoor. In particular, B receives the public parame-
ter and the public key of the long-term trapdoor ( ppCH , pkCH )
to complete the component of the chameleon hash in the
setup algorithm. Then, we simulate the hash oracle OHash
and the adaption oracle OAdapt as in Game 3. To simulate
the i -th with i = i ∗ hash oracle, we use the challenger of
collision resistant chameleon hash CCH i to setup the ephemeral
trapdoor and seal the ephemeral trapdoor via ABEMC .Enc.
For the i ∗ -th hash oracle, as the ciphertext c already encrypts
0|sk | instead of sk ∗et d , we do not require to know sk ∗et d .
etd
For the adaption oracle, we only modify the simulation for
queries with respect to sk ∗et d returned upon the i ∗ -th query
to OHash in that we use CCH to compute the adapted hashes.
Finally, A returns ( pk ∗et d , m ∗ , r ∗ , m ∗ , r ∗ , h ∗ , c∗ ) to B, where
r ∗ = (r0∗ , r1∗ ), r ∗ = (r0∗ , r1∗ ) and h ∗ = (h ∗0 , h ∗1 ). B forwards
(m ∗ , r1∗ , m ∗ , r1∗ , h ∗1 ) as the collision. Hence, we have that
Pr[S3 |E 2 ] = AdvCR λ Blockchain, including the system model and threat model.
CH,CCH (1 ).
As we have shown above, the advantage of any adver-
sary in the final game is bounded by the advantage of
any adversary in the private collision freeness game, i.e.,
λ EUF-CMA λ
Pr[S3 ] = AdvCR CH,CCH (1 ) + AdvDS ,CDS (1 ). This yields the
λ
following bound for the original game as AdvICR DPCH,A (1 ) =
λ λ EUF-CMA λ
ABEMC ,B (1 ) + AdvCH,CCH (1 ) + AdvDS ,CDS (1 )),
q · (Advstatic CR
which concludes the proof.
D. An Instantiation of DPCH
We give an instantiation of the DPCH scheme in Fig. 3,
where the chameleon hash is instanced by the RSA-based
solution [30] and the digital signature is instanced by the
BLS short signature [31]. To improve the efficiency and
security, we apply key encapsulation mechanism (KEM) and
Fujisaki-Okamoto transformation [34].
1) Efficiency: We use KEM to improve the performance,
where KEM is hybrid encryption combining the symmetric
key encryption (e.g., AES) and the asymmetric key encryption.
KEM reduces the cost since the asymmetric key encryption
mechanism is expensive and the symmetric encryption is fast.
In our instantiation, the asymmetric key encryption mechanism
encrypts a symmetric key k and sk et d is sealed by the symmet-
ric key encryption mechanism SE = (KeyGen, Enc, Dec).
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
1237
2) Security: The PCH-based redactable blockchain [16]
provides CCA secure, where it applies ABE [35] with the
security against the chosen-plaintext attack (CPA security) and
Fujisaki-Okamoto (FO) transformation [34] to realize CCA
security. To offer comparable security and decryption oracle to
support adaption oracle in our DPCH scheme, we transfer the
underlying MA-ABE [29] with CPA security to CCA security
via FO transformation. Specifically, we use FO transformation
in the hash algorithm and adaption algorithm to realize the
transformation from CPA security to CCA security. In the
hash algorithm, we choose a randomness rt and use a hash
function Ht with input rt to derive all the randomnesses being
used in MA-ABE to generate a ciphertext c, where MA-ABE
seals rt and a symmetric key k. In the adaption algorithm,
the randomness rt is revealed first and used to generate a
ciphertext c . It aborts if c = c , which is the core technology
to realize CCA security from a CPA secure scheme.
Remark: Our instantiation applies RSA-based chameleon
hash with collision resistance. A formal classification of
chameleon hash is introduced by Derler et al. [36], where
a stronger notion of collision-resistance than the one we used
is presented. The strong notion requires the cost cryptographic
tool, e.g., non-interactive zero-knowledge proof, that sacrifices
the performance of transaction hashing and finding collision.
Hence, based on the generic constriction in Fig. 2 and the
strong notion of collision-resistance chameleon hash [36],
an instantiation of decentralized redactable blockchain can
be built with strong collision-resistance by sacrificing perfor-
mance.
V. DPCH-BASED R EDACTABLE B LOCKCHAIN
In this section, we introduce the DPCH-Based Redactable
Besides, we show that DPCH can be effectively integrated
into the chain to realize blockchain rewriting.
A. System Model
The system model of decentralized redactable blockchain
involves three types of entities: a transaction owner, a trans-
 action modifier, and a set of authorities. The number of
transaction modifiers is assumed to be a small amount because
rewriting in blockchains cannot be performed by the majority
of system users, and each modifier has a unique global identi-
fier. The chain participant could be any party, i.e., authorities,
transaction owners and transaction modifiers. As shown in
Fig. 1 and the system overview in Section II, there are four
processes in decentralized blockchain rewriting:
1) System initialization includes two phases as in Fig. 4:
• Public parameter initialization: One of the multiple
authorities initializes the public parameter by run-
ning DPCH.Setup(1λ ) to obtain the public para-
meter pp, the public key pk and the secret key
sk. It publishes ( pp, pk) to chain participants, and
keeps sk secret.
• Authority parameter initialization: The other author-
ities initialize their key pairs individually. For the
 1238 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022

Fig. 3. An instantiation of DPCH.

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
 MA et al.: REDACTABLE BLOCKCHAIN IN DECENTRALIZED SETTING
Fig. 4. System initialization.
Fig. 5. Modifier registration.
authority θ , it runs DPCH.AuthSetup(θ ) to obtain
the public key pkθ and the secret key skθ . It pub-
lishes pkθ to chain participants and keeps skθ secret.
2) Modifier registration includes two phases as in Fig. 5:
• Global identifier initialization: Each modifier is
issued a unique global identifier gi d. Specifi-
cally, after receiving the request for gi d, the
authority who initializes the public parameter runs
DPCH.ModSetup(sk, gi d) to derive a secret key
sk gid and a signature σgid .
• Attribute initialization: After validating gi d and
σgid , the modifier can require the attribute-based
secret key from the other authorities. For the
authority θ , it aborts the request by return-
ing ⊥ if gi d and σgid is invalid; otherwise,
it runs DPCH.ModKeyGen( pk, gi d, σgid , skθ , A)
to issue the secret key sk gid,A to the user with gi d.
3) Mutable transaction publication consists of two phases
as in Fig. 6:
• Transaction generation: To generate a mutable
transaction with the object m, the transaction owner
runs DPCH.Hash( pk, { pkθ }, A, m) to derive a
public key pk et d , a hash h, a randomness r and a
ciphertext c. Then, the transaction owner broadcasts
{ pkθ }, A, m, pk et d , h, r and c to chain participants.
• Transaction verification: Each chain
participant runs the verification algorithm
DPCH.Verify( pk, pk et d , m, h, r ) to validate
the transaction. If the verification algorithm
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
1239
Fig. 6. Mutable transaction publication.
Fig. 7. Mutable transaction rewriting.
returns 1, the chain participant propagates this
transaction to other chain participants.
4) Mutable transaction rewriting consists of two phases as
in Fig. 7:
• Transaction rewriting: To alert a mutable
transaction with the registered object
m to m  , the transaction modifier runs
DPCH.Adapt(sk gid , {sk gid,A }, c, m, m  , h, r )
to find the arbitrary collision r  . Then, the
transaction modifier propagates m  , h and r  to
chain participants.
• Transaction verification: Each chain
participant runs the verification algorithm
DPCH.Verify( pk, pk et d , m  , h, r  ) to validate
the transaction. If the verification algorithm
returns 1, the chain participant rewrites the
mutable transaction with the registered object m 
and propagates this transaction to other chain
participants.
B. Threat Model
In our threat model, we assume that the transaction owner
and at least one of the multiple authorities are honest. The
transaction owner honestly generates the mutable transactions
and at least one of the multiple authorities preserves the secret
key honestly. Multiple authorities and transaction modifiers
may collude to launch various types of attacks. In the follow-
ing, we list several security properties our proposed blockchain
has and possible attacks launched by malicious authorities and
transaction modifiers.
 1240
1) Indistinguishability: This security property ensures pri-
vacy of mutable transactions. It is infeasible to identify a muta-
ble transaction derived by the hash algorithms or the adaption
algorithm. In reality, the malicious authorities and transaction
modifiers can collude to identify a mutable transaction has
been modified or not to learn the additional information.
We formalize this property by introducing the security model,
called indistinguishability, as shown in Definition 10. In this
security model, we assume that all the chain participants could
be malicious by allowing the attacker to know the system
secret key sk, where this security model is stronger than our
threat model. Based on sk, the attacker can corrupt all the
authorities and transaction modifiers. In Theorem 1, we give
the formal proof that shows our proposed DPCH is secure in
this security model.
2) Collision Resistance: This property guarantees the secu-
rity of mutable transactions. A mutable transaction cannot be
altered by the malicious chain participants whose attributes do
not satisfy the access policy of the transaction. The malicious
transaction modifiers can collude and attempt to rewrite the
mutable transactions without valid authorization. We formal-
ize this property by introducing two security models, called
outsider collision resistance and insider collision resistance,
as shown in Definition 11 and Definition 12, respectively.
• In the security model of outsider collision resistance,
we allow the attacker to corrupt a part of the transaction
modifier, called outsiders, whose attributes do not satisfy
the access policy of the targeting mutable transaction.
In Theorem 2, we give the formal proof that shows our
proposed DPCH is secure in this security model.
• In the security model of insider collision resistance,
we allow the attacker to corrupt a part of transaction mod-
ifier and authorities, called insiders, where the attributes
of insiders do not satisfy the access policy of the targeting
mutable transaction. In Theorem 3, we give the formal
proof that shows our proposed DPCH is secure in this
security model.
To sum up, we consider indistinguishability and collision
resistance in our threat model, which follows the definition of
previous solutions [15], [16] and is suitable to the blockchain
environment. To formalize our threat model, we give the
formal security model, as shown in Section IV-B, to capture
each security property. Each property has been preserved via
formal security proofs as shown in Section IV-C.
C. An Application of DPCH
Fig. 8 presents the application of DPCH for decentral-
ized redactable blockchain. Four transactions are included
in the block Bi , where m i,1 and m i,4 are mutable trans-
actions associated with an access structure A and m i,2
and m i,3 are immutable transactions hashed by the tradi-
tional collision-resistant hash function h. When the mutable
transaction needs to be altered, a transaction modifier with
DPCH-based decryption key associated with the attributes S
satisfying S | A can compute valid chameleon randomness
r without modifying its hash value, hence, Merkle root is
never modified. The transaction modifier then broadcasts the
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
Fig. 8. DPCH for decentralized blockchain rewriting.
modified transaction and the randomness r to the network. All
participants verify the correctness of the mutable transaction
and then update the local copy with the new message and
randomness pair if the transaction is valid.
VI. P ERFORMANCE A NALYSIS
Our implementation was carried out on a personal com-
puter equipped with Windows 10 (x64), Intel i7 7820HQ @
2.90GHz, 16GB Memory, and performed in Jave 8 using JPBC
library [37]. We used MNT224 curve for pairing and 2048-bit
RSA group for the chameleon hash. MNT224 curve is the best
Type-III curve in PBC and offers a 96-bit security level [35].
2048-bit RSA group offers a 112-bit security level [38].
We present the experimental performances of key generation,
hash and adaption between the redactable blockchain with
fine-grained access control [16] and ours.
As shown in Fig. 9, our solution has better performance
in terms of key generation, hash and adaption. The main
reason is that the efficiency of underlying asymmetric encryp-
tion scheme. DSSS19 [16] applies ABE [35] and we use
MA-ABE [29], where ABE [35] with adaptive secure is less
efficient than MA-ABE [29] with static secure.
VII. R ELATED W ORK
Based on the technologies behind blockchain rewriting,
it can be categorized into two types: non-cryptography-based
solutions and cryptography-based solutions. The former is usu-
ally based on the protocol/mechanism or system-level access
control to realize blockchain rewriting. The latter applies the
cryptographic tool to achieve secure blockchain rewriting.
The former usually considers security analysis rather than the
rigorous security proof as shown in the latter.
A. Non-Cryptography-Based Solutions
Puddu et al. [39] designed a new blockchain construction,
called μchain, and the blockchain rewriting is subject to a
voting-like approach. Specifically, in μchain, all transactions
are encrypted and a dynamic proactive secret sharing scheme
as an extension of Shamir’s secret sharing scheme is used
to elect decryption key. This approach is impractical since
the group for electing is assumed to be majority trusted and
multiple interactions among the group participants.
To mitigate the cost of chain participants, Florian et al. [40]
presented a data erasing strategy that enables every participant
 MA et al.: REDACTABLE BLOCKCHAIN IN DECENTRALIZED SETTING
Fig. 9.
to rewrite the blockchain locally and Thyagarajan et al. [41]
resorted to side-chain technology to manage the content of
each block. However, in the above two strategies [40], [41],
the rewriting approach only affects the local copy and the
original transaction remains unchanged.
B. Cryptography-Based Solutions
To redact block data globally, Ateniese et al. [15] pre-
sented the concept of redactable blockchain. In this solution,
the traditional hash function is replaced by the chameleon
hash [21]. The hashing of the block header is associated
with a public key, and the chameleon hash behaves like a
collision-resistant hash function if the chameleon trapdoor is
unknown. To rewrite blockchain, the trapdoor holder can easily
find valid collisions without changing the hash output. How-
ever, this approach only offers a block-level data redaction at
a coarse-grained level since it applies public key infrastructure
to manage the chameleon trapdoor and the chameleon trapdoor
only binds the block header.
To enrich the approach of access control, Derler et al. [16]
introduced a novel concept, called policy-based chameleon
hash (PCH), to realize redactable blockchain with
transaction-level redaction controlled at a fine-grained
level. PCH is based on the chameleon hashes with ephemeral
trapdoors [30] and attribute-based encryption [35]. Each
transaction is associated with an access policy and the
trapdoor holder can rewrite the transaction if his/her attributes
satisfy the access policy. Based on PCH, many sequential
works are introduced and mainly focus on usability,
such as accountability [17], [22], self-management [19],
revocability [18], [20], and k-time modification operation [23].
To eliminate the trusted central authority, Deuber et al. [24]
introduced an efficient redactable blockchain in the permis-
sionless setting. The proposed scheme relies on consensus-
based voting. The block can be rewritten if a modification
request from a chain participant gathers enough votes from
miners. However, it has several security threats since it suffers
from bribing and selfish mining attacks.
VIII. C ONCLUSION
In this paper, we proposed a generic construction of a
decentralized policy-based chameleon hash for blockchain
rewriting. The proposed framework eliminates the centralized
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
1241
Experimental performance.
setting in previous redactable blockchains [15]–[20], [23] and
the modification privilege is controlled at a fine-grained level.
We presented a practical instantiation, and demonstrated that
the proposed instantiation is more efficient than the previous
solution [16]. We believe our proposed scheme is a promising
solution for blockchain rewriting for decentralized settings.
The future work could be designing adaptively CCA-secure
MA-ABE (in prime-order pairing groups) adapting to decen-
tralized blockchain rewriting, e.g., the adversary does not need
to claim the challenge message in advance.
R EFERENCES
[1] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,”
Decentralized Bus. Rev., p. 21260, 2008. [Online]. Available:
http://bitcoin.org/bitcoin.pdf
[2] G. Wood, “Ethereum: A secure decentralised generalised transaction
ledger,” Ethereum Project Yellow Paper, vol. 151, pp. 1–32, Apr. 2014.
[3] F. Armknecht, G. O. Karame, A. Mandal, F. Youssef, and E. Zenner,
“Ripple: Overview and outlook,” in Proc. TRUST, vol. 9229, 2015,
pp. 163–180.
[4] M. Kouhizadeh and J. Sarkis, “Blockchain practices, potentials, and
perspectives in greening supply chains,” Sustainability, vol. 10, no. 10,
p. 3652, Oct. 2018.
[5] M. Raikwar, S. Mazumdar, S. Ruj, S. Sen Gupta, A. Chattopadhyay, and
K.-Y. Lam, “A blockchain framework for insurance processes,” in Proc.
9th IFIP Int. Conf. New Technol., Mobility Secur. (NTMS), Feb. 2018,
pp. 1–4.
[6] M. Mettler, “Blockchain technology in healthcare: The revolution starts
here,” in Proc. IEEE 18th Int. Conf. e-Health Netw., Appl. Services
(Healthcom), Sep. 2016, pp. 1–3.
[7] J. Wu and N. Tran, “Application of blockchain technology in sustainable
energy systems: An overview,” Sustainability, vol. 10, no. 9, p. 3067,
Aug. 2018.
[8] Cryptocurrency Deposit Processing Times. Accessed: Sep. 1,
2021. [Online]. Available: https://support.kraken.com/hc/en-us/articles/
203325283-Cryptocurrency-deposi% t-processing-times
[9] S. Hargreaves and S. Cowley. (2013). How Porn Links and
Ben Bernanke Snuck into Bitcoin’s Code. [Online]. Available:
https://money.cnn.com/2013/05/02/technology/security/bitcoin-
porn/index.html
[10] H. Moonie. (2016). Man’s ‘Right to be Forgotten’ Case Stalls
After he is Found on the Bitcoin Blockchain. [Online]. Available:
https://medium.com/@hankmoonie/mans-right-to-be-forgotten-case-
stalls-after he-is-found-on-the-bitcoin-blockchain-1a32c4fc0963
[11] C. Hopkins. (2015). If you Own Bitcoin, You Also Own Links to Child
Porn. [Online]. Available: https://www.dailydot.com/business/bitcoin-
child-porn-transaction-code/
[12] J. Pearson. (2015). The Bitcoin Blockchain Could be Used
to Spread Malware, Interpol Says. [Online]. Available:
https://www.vice.com/en_us/article/ezv8jn/the-bitcoin-blockchain-
could-be-u% sed-to-spread-malware-interpol-says
[13] P. Voigt and A. V. dem Bussche, “The EU general data protection
regulation (GDPR),” A Practical Guide, 1st, ed. Cham, Switzerland:
Springer, 2017.
 1242 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
[14] J. M. L. Alfonsín, “Argentina: The right to be forgotten,” in
The Right To Be Forgotten. Cham, Switzerland: Springer, 2020,
pp. 239–248. [Online]. Available: https://link.springer.com/chapter/
10.1007/978-3-030-33512-0_12
[15] G. Ateniese, B. Magri, D. Venturi, and E. Andrade, “Redactable
blockchain or rewriting history in bitcoin and friends,” in Proc. IEEE
Eur. Symp. Secur. Privacy (EuroS&P), Apr. 2017, pp. 111–126.
[16] D. Derler, K. Samelin, D. Slamanig, and C. Striecks, “Fine-grained and
controlled rewriting in blockchains: Chameleon-hashing gone attribute-
based,” IACR Cryptol. ePrint Arch., Tech. Rep. 2019/406, 2019.
[Online]. Available: https://eprint.iacr.org/2019/406
[17] Y. Tian, N. Li, Y. Li, P. Szalachowski, and J. Zhou, “Policy-based
chameleon hash for blockchain rewriting with black-box accountability,”
in Proc. ACSAC, 2020, pp. 813–828.
[18] G. Panwar, R. Vishwanathan, and S. Misra, “ReTRACe: Revocable and
traceable blockchain rewrites using attribute-based cryptosystems,” in
Proc. 26th ACM Symp. Access Control Models Technol., Jun. 2021,
pp. 103–114.
[19] Y. Jia, S.-F. Sun, Y. Zhang, Z. Liu, and D. Gu, “Redactable blockchain
supporting supervision and self-management,” in Proc. ACM Asia Conf.
Comput. Commun. Secur., May 2021, pp. 844–858.
[20] S. Xu, J. Ning, J. Ma, G. Xu, J. Yuan, and R. H. Deng, “Revocable
policy-based chameleon hash,” in Proc. ESORICS, 2021, pp. 327–347.
[21] H. Krawczyk and T. Rabin, “Chameleon hashing and signatures,” in
Proc. IACR, 1998, p. 10.
[22] K. Samelin and D. Slamanig, “Policy-based sanitizable signatures,” in
Proc. CT-RSA, 2020, pp. 538–563.
[23] S. Xu, J. Ning, J. Ma, X. Huang, and R. H. Deng, “K-time modifiable
and epoch-based redactable blockchain,” IEEE Trans. Inf. Forensics
Security, vol. 16, pp. 4507–4520, 2021.
[24] D. Deuber, B. Magri, and S. A. K. Thyagarajan, “Redactable blockchain
in the permissionless setting,” in Proc. IEEE Symp. Secur. Privacy (SP),
May 2019, pp. 124–138.
[25] T. Kohno, A. Stubblefield, A. D. Rubin, and D. S. Wallach, “Analysis
of an electronic voting system,” in Proc. IEEE Symp. Secur. Privacy,
May 2004, p. 27.
[26] A. Sapirshtein, Y. Sompolinsky, and A. Zohar, “Optimal selfish mining
strategies in bitcoin,” in Proc. FC, vol. 9603, 2016, pp. 515–532.
[27] F. Benhamouda et al., “Can a public blockchain keep a secret?” in Proc.
TCC, 2020, pp. 260–290.
[28] M. Chase, “Multi-authority attribute based encryption,” in Proc. TCC,
S. P. Vadhan, Ed., vol. 4392, 2007, pp. 515–534.
[29] Y. Rouselakis and B. Waters, “Efficient statically-secure large-universe
multi-authority attribute-based encryption,” in Proc. FC, R. Böhme and
T. Okamoto, Eds., vol. 8975, 2015, pp. 315–332.
[30] J. Camenisch, D. Derler, S. Krenn, H. C. Pöhls, K. Samelin, and
D. Slamanig, “Chameleon hashes with ephemeral trapdoors- and
applications to invisible sanitizable signatures,” in Proc. PKC, 2017,
pp. 152–182.
[31] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the Weil
pairing,” in Proc. ASIACRYPT, 2001, pp. 514–532.
[32] A. B. Lewko and B. Waters, “Decentralizing attribute-based encryption,”
in Proc. EUROCRYPT, 2011, pp. 568–588.
[33] M. Chase and S. S. M. Chow, “Improving privacy and security in multi-
authority attribute-based encryption,” in Proc. 16th ACM Conf. Comput.
Commun. Secur. (CCS), 2009, pp. 121–130.
[34] E. Fujisaki and T. Okamoto, “Secure integration of asymmetric and
symmetric encryption schemes,” in Proc. CRYPTO, 1999, pp. 537–554.
[35] S. Agrawal and M. Chase, “FAME: Fast attribute-based message encryp-
tion,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., D. Evans,
T. Malkin, and D. Xu, Eds., Oct. 2017, pp. 665–682.
[36] D. Derler, K. Samelin, and D. Slamanig, “Bringing order to chaos:
The case of collision-resistant chameleon-hashes,” in Proc. PKC, 2020,
pp. 462–492.
[37] A. De Caro and V. Iovino, “JPBC: Java pairing based cryptography,” in
Proc. IEEE Symp. Comput. Commun. (ISCC), Jun. 2011, pp. 850–855.
[38] E. Barker et al., Recommendation for Key Management: Part 1:
General. Gaithersburg, MD, USA: National Institute of Standards
and Technology, Technology Administration, 2006. [Online]. Available:
https://blkcipher.pl/assets/pdfs/NIST.SP.800-57pt1r5.pdf
[39] I. Puddu, A. Dmitrienko, and S. Capkun, “μchain: How to forget without
hard forks,” IACR Cryptol. ePrint Arch., Tech. Rep. 2017/106, 2017.
[Online]. Available: https://eprint.iacr.org/2017/106
[40] M. Florian, S. Henningsen, S. Beaucamp, and B. Scheuermann, “Erasing
data from blockchain nodes,” in Proc. IEEE Eur. Symp. Secur. Privacy
Workshops (EuroS&PW), Jun. 2019, pp. 367–376.
[41] S. A. K. Thyagarajan, A. Bhat, B. Magri, D. Tschudi, and
A. Kate, “Reparo: Publicly verifiable layer to repair blockchains,” 2020,
arXiv:2001.00486.
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:53:55 UTC from IEEE Xplore. Restrictions apply.
Jinhua Ma received the M.S. and Ph.D. degrees
from the School of Mathematics and Informat-
ics, Fujian Normal University, China, in 2016 and
2020, respectively. She was a Research Scientist
with the School of Information Systems, Singapore
Management University, Singapore. She is currently
a Lecturer with Fujian Normal University, China.
Her research interests include cryptography and
information security.
Shengmin Xu received the Ph.D. degree from the
School of Computing and Information Technology,
University of Wollongong, Australia, in 2018. He is
currently a Research Scientist at Singapore Man-
agement University, Singapore. Previously, he was
a Research Fellow at the Singapore University of
Technology and Design, Singapore. He has pub-
lished over 30 research papers in top international
conferences and journals, including ESORICS,
ACSAC, ACM ASIACCS, IEEE T RANSACTIONS
ON I NFORMATION F ORENSICS AND S ECURITY ,
and IEEE T RANSACTIONS ON D EPENDABLE AND S ECURE C OMPUTING.
His research interests include information security, cloud computing, and
blockchain.
Jianting Ning (Member, IEEE) received the Ph.D.
degree from the Department of Computer Science
and Engineering, Shanghai Jiao Tong University,
in 2016. He is currently a Professor with the Fujian
Provincial Key Laboratory of Network Security and
Cryptology, College of Computer and Cyber Secu-
rity, Fujian Normal University, China. Previously,
he was a Research Scientist at the School of Infor-
mation Systems, Singapore Management University,
and a Research Fellow at the Department of Com-
puter Science, National University of Singapore.
His research interests include applied cryptography and information secu-
rity. He has published papers in major conferences/journals, such as ACM
CCS, NDSS, ASIACRYPT, ESORICS, ACSAC, IEEE T RANSACTIONS ON
I NFORMATION F ORENSICS AND S ECURITY, and IEEE T RANSACTIONS ON
D EPENDABLE AND S ECURE C OMPUTING.
Xinyi Huang received the Ph.D. degree from the
School of Computer Science and Software Engineer-
ing, University of Wollongong, Australia, in 2009.
He is currently a Professor at the Fujian Provincial
Key Laboratory of Network Security and Cryp-
tology, College of Computer and Cyber Security,
Fujian Normal University, China. His work has been
cited more than 6000 times at Google Scholar. His
research interests include cryptography and informa-
tion security. He has published over 130 research
papers in refereed international conferences and
journals. He has served as the program/general chair or a program committee
member in over 120 international conferences. He is in the Editorial Board
of International Journal of Information Security.
Robert H. Deng (Fellow, IEEE) is currently an
AXA Chair Professor of cybersecurity, the Director
of the Secure Mobile Centre, and the Deputy Dean
for Faculty and Research of the School of Comput-
ing and Information Systems, Singapore Manage-
ment University. His research interests are in the
areas of data security and privacy, network security,
and applied cryptography. He is a fellow of the
Academy of Engineering Singapore. He received
the Outstanding University Researcher Award from
the National University of Singapore, a Lee Kuan
Yew Fellowship for Research Excellence from SMU, and an Asia-Pacific
Information Security Leadership Achievements Community Service Star from
International Information Systems Security Certification Consortium. He is
a Steering Committee Chair of the ACM Asia Conference on Computer
and Communications Security. He serves/served on the editorial boards of
ACM Transactions on Privacy and Security, IEEE S ECURITY & P RIVACY,
IEEE T RANSACTIONS ON D EPENDABLE AND S ECURE C OMPUTING, IEEE
T RANSACTIONS ON I NFORMATION F ORENSICS AND S ECURITY, and Jour-
nal of Computer Science and Technology.