Article
A Redactable Blockchain Scheme Supporting
Quantum-Resistance and Trapdoor Updates
Xiayu Wang 1 , Yineng Chen 2, * , Xinghui Zhu 1 , Cheng Li 1 and Kui Fang 1, *
1 College of Information and Intelligence, Hunan Agricultural University, Changsha 410128, China;
summerrain@stu.hunau.edu.cn (X.W.); zhuxh@hunau.edu.cn (X.Z.); lc1462418876@stu.hunau.edu.cn (C.L.)
2 School of Information Science and Engineering, Hunan Women’s University, Changsha 410004, China
* Correspondence: yinengchen@hunau.edu.cn (Y.C.); fk@hunau.edu.cn (K.F.)
Abstract: Applying chameleon hash functions to redactable blockchains remains challenging. Most redactable blockchain solutions built on this technique have potential problems, such as weak decentralization and trapdoors that are at risk of exposure. In addition, quantum computing threatens the security of blockchain systems. These two issues imply that the development of redactable blockchains is still constrained and that quantum resistance will become a requirement for blockchain applications. Therefore, we construct a chameleon hash function over lattices and use a hierarchical identity mechanism to manage trapdoors and assign edit permissions. This variant of the chameleon hash function supports trapdoor updates and quantum resistance; we call it a hierarchical identity-based chameleon hash with revocable subkey (HIBCH-RS). We establish the security of HIBCH-RS by defining its collision-resistance notions and showing that the construction satisfies them. Our HIBCH-RS scheme provides a way to implement a redactable blockchain with identity-based cryptography and post-quantum cryptography. Finally, this quantum-resistant redactable blockchain was implemented on the Hyperledger Fabric blockchain platform.
…while maintaining overall data consistency and security. Although the redactable approach is controversial because it weakens the tamper-resistance property, its practical utility for blockchains is clear: (1) redaction lets a blockchain swiftly restore its original state after an attack, (2) it helps avert the exposure of blockchain users' private information, (3) it allows unlawful data stored in the blockchain to be deleted, and (4) it enables the blockchain to be downsized efficiently.
Redactability therefore holds promise as a valuable feature for the evolving landscape of blockchain applications.
…with an enhanced chameleon hash, which leveraged an MPC protocol to distribute trapdoors to a trusted subset of parties capable of managing them effectively [16]. Collaborating with Accenture, the authors further demonstrated the practical application of their concept on the Hyperledger Fabric platform. This pioneering work aroused the interest of many researchers, and, based on the problems it exposed, recent years have seen a variety of research on the design of chameleon hash functions covering secure construction, trapdoor restriction, restriction of editing permissions, data management, and consistency.
In the realm of chameleon hash algorithms, several issues have received attention. To address efficiency and instantiation challenges, Khalili et al. introduced a chameleon hash built from chosen-ciphertext attack (CCA) secure encryption of the randomness R [19]. Responding to similar concerns, Derler et al. introduced the stronger notion of full collision-resistance (F-CollRes) and developed a black-box construction that employs simulation-sound extractable non-interactive zero-knowledge proofs (SSE-NIZK) on top of a chameleon hash [20]. Building on these developments, ref. [21] focused on constructing an identity-based chameleon hash (IBCH). Subsequently, a hierarchical identity-based chameleon hash (HIBCH) was proposed in [22], but these two schemes are more specifically applicable to hash signatures.
Regarding trapdoor and edit permission management, Derler et al. proposed policy-based chameleon hashing (PCH) by integrating ciphertext-policy attribute-based encryption (CP-ABE) with temporary trapdoors [23]. This redactable scheme combines keys with attributes and restricts edit permissions by formulating attribute policies. Nonetheless, its reliance on a fully trusted central authority creates a centralization problem. Therefore, Ma et al. proposed a decentralized policy-based chameleon hash built on multiple authorities (DPCH) [24], which, in contrast to [23], effectively prevents collusion attacks.
Wei et al.'s chameleon hash with a changeable trapdoor (CHCT) enables trapdoors to be updated after hash collisions have been computed [25]. Recently, Jia et al. introduced the concept of stateful chameleon hashing with revocable subkeys, constructed a redactable blockchain with a black-box structure, supported full supervision, and allowed users to manage their own data [26]. Drawing inspiration from this work, our study also incorporates data self-management. Furthermore, addressing concerns about inconsistency, Jia et al. went a step further by designing an RSA-based accumulator aimed at consistency verification [27]. In addition, they devised edit chains that link edit histories in order to address traceability within the system.
In recent years, post-quantum cryptography has been gradually maturing and being standardized. Wu et al. applied a lattice-based chameleon hash function to editable blockchains, introducing quantum resistance [15]. Meanwhile, Peng et al. devised a more comprehensive lattice-based blockchain editing scheme [28]. However, the former focuses primarily on the construction of the chameleon hash and introduces key sharing, while the latter's scheme design requires further refinement.
Non-Chameleon Hashing. Puddu et al. proposed an extended redactable model for single-chain transactions based on consensus control, in which edits are made by sending mutating transactions or extensions and specifying which transaction is the active one [29]. Nevertheless, these mutable transactions merely identify the valid transaction logically, while the encrypted erroneous data remain physically preserved. Marsalek et al. introduced a correction chain for storing rectified data [30]. Similarly, Deuber et al. proposed a double-hash-chain model and used it to maintain a copy of the Merkle tree root [31]. Both double-hash-chain designs use a voting mechanism to approve edits and thus require many voting cycles.
We list several typical redactable schemes in Table 1 to highlight their modeling
features. Compared to existing work, this paper not only focuses on granularity and
security, but also adds work on data management and the question of how to assign
editing permissions.
Appl. Sci. 2024, 14, 832 4 of 23
Table 1. Typical redactable schemes and their modeling features.

| Mode | References | Grain 1 | Self-Management 2 | Security Model 4 | Features 3 | Edit Permissions |
|---|---|---|---|---|---|---|
| Non-CH | [29] | Ts | Y | - | C&T | Sender/Recipient/User/Smart Contract |
| CH | [16] | Bs | N | ROM/SM | C | Central/Users Set |
| CH | [26] | Ts | Y | ROM | C&R&A | Personal and Regulator |
| CH | [24] | Ts | N | IND-CCA | C&A | Controlled Multiple |
| Lattice-CH | [15] | Ts | N | GGM/ROM | - | Central/Multiple/(Any/Subset) |
| Lattice-CH | [28] | Bs | N | - | C | Any |
| Lattice-CH | Ours | Ts | Y | ROM | T&A&C&R | Multiple |

1 "Ts": transactions; "Bs": blocks. 2 "Y": self-management was considered; "N": self-management was not considered. 3 "C": the redactable scheme design pays attention to consistency; "R": the key is revocable; "A": the editing scheme achieves accountability; "T": the editing scheme achieves traceability. 4 "ROM": the random oracle model; "SM": the standard model; "IND-CCA": indistinguishability under chosen-ciphertext attack; "GGM": the generic group model.
1.3. Contributions
In this paper, we worked separately on security, decentralization, and compatibility to achieve a redactable blockchain with quantum resistance and revocable subkeys. The specific contributions of the scheme are as follows:
1. Hierarchical identity-based chameleon hash: To regulate edit permissions and facilitate trapdoor management, we use hierarchical identities for the decentralized delegation of trapdoors. At the same time, we introduce a slave-key algorithm within the hierarchical identity structure so that parent nodes cannot deduce child nodes' keys and so that key dimensions do not grow during delegation. This integration gives the revocable subkey mechanism its delegation properties.
2. Redactable scheme with quantum resistance and revocability: We use a lattice-based cryptographic scheme to support more secure editing operations. Within the redactable scheme, we also implement a way to withdraw an edit by saving the edit history.
3. Private data edited and managed by the individual user: We cryptographically verify private data to protect the security and privacy of the redactable blockchain.
4. Addressing consistency, traceability, and accountability: In Section 4, we present three algorithms that show how consistency, traceability, and accountability are achieved. For this, we advocate caching modify transactions at consensus authority nodes before their final commitment. The number of the block that records the edit history is stored in the redactable transaction to prove whether the transaction was modified. To demonstrate the viability of the scheme, we implemented it on Hyperledger Fabric, a widely adopted consortium blockchain platform.
Using a hierarchical identity structure to manage the trapdoor of a chameleon hash is novel. Through analysis and careful design, we circumvent the drawbacks of such a structure and show that hierarchical identities can be combined with chameleon hashing.
Secondly, chameleon hash functions based on post-quantum cryptography for resisting quantum attacks have only appeared in recent years, and few schemes demonstrate their performance experimentally. This paper not only reports a real-world deployment on Hyperledger Fabric but also provides concrete performance data.
2. Preliminaries
Lattices are geometric objects that can be described as an infinite, regular array of points in n-dimensional space [32]. Ajtai investigated certain hard problems on lattices and showed how to construct cryptographic functions that are hard to break from them [33].
The symbols and abbreviations appearing in this paper are described in Table 2.
Table 2. Description of symbols.

| Symbol | Description |
|---|---|
| $\leftarrow_R$ | Sampled at random from a given distribution |
| $\lambda$ | Security parameter |
| $\mathbf{A}$ | Matrices are denoted in bold capitals |
| $\mathbf{a}$ | Vectors are denoted in bold lowercase |
| $\mathbf{A}^T, \mathbf{a}^T$ | Transpose of a matrix or vector |
| $n, q$ | Positive integers |
| $\mathbb{Z}_q$ | The set of integers $\{0, \cdots, q-1\}$ modulo $q$ |
| $\beta$ | Upper bound (on a norm) |
| LWE | Learning with errors |
| ISIS | Inhomogeneous small integer solution |
| $id_\ell$ | The identity at level $\ell$ |
| $id_{\ell-1}, id^*_\ell$ | The parent of the identity at level $\ell$ |
Definition 1 (Learning with errors (LWE) [34]). LWE is the problem of recovering a secret from noisy linear equations (learning parity with error). For a positive integer $n$ and a sufficiently large integer $q$, an instance of the $(\mathbb{Z}_q, n, \chi)$-LWE problem is: given $\mathbf{A} \in \mathbb{Z}_q^{m \times n}$ and $\mathbf{A}\mathbf{s} + \mathbf{e}$, where $\mathbf{s} \in \mathbb{Z}_q^n$ is the unknown secret and $\mathbf{e}$ is drawn from the noise distribution $\chi$, find $\mathbf{s}' \in \mathbb{Z}_q^n$ such that $\|\mathbf{A}\mathbf{s}' - (\mathbf{A}\mathbf{s} + \mathbf{e})\| \le \beta$, with $\beta > 0$ the upper bound on the error.
Definition 2 (Inhomogeneous small integer solution (ISIS)). ISIS is the problem of finding a short vector on a lattice. Let $n, m, q$ be positive integers. Given a uniformly random matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a random vector $\mathbf{u} \in \mathbb{Z}_q^n$, finding a vector $\mathbf{v} \in \mathbb{Z}_q^m$ satisfying $\mathbf{A}\mathbf{v} = \mathbf{u} \bmod q$ and $\|\mathbf{v}\| \le \beta$ solves the $\mathrm{ISIS}_{q,m,\beta}$ instance.
Gaussian sampling over lattices has proved to be a simple and effective tool for analyzing lattice problems [35].
Lemma 1. Let $\mathbf{y} \leftarrow_R \chi^m$, $x \leftarrow_R \chi$, and $\mathbf{d} \in \mathbb{Z}^m$. Then the inner product of the error $\mathbf{y}$ with the vector $\mathbf{d}$ satisfies $|\mathbf{d}^T\mathbf{y}| \le \|\mathbf{d}\|\, q\alpha\, \omega(\sqrt{\log m}) + \|\mathbf{d}\|\sqrt{m}/2$ except with negligible probability, and likewise $|x| \le q\alpha\, \omega(\sqrt{\log m}) + 1/2$ except with negligible probability.
This paper combines the trapdoor generation algorithm TrapGen, the Gaussian sampling algorithm SampleD, and the trapdoor delegation algorithm DelTrap of [36] with the FRD encoding of [37].
Definition 5 (SampleD). There is a probabilistic polynomial-time (PPT) algorithm $\mathrm{SampleD}(\mathbf{R}, \mathbf{A}, \mathbf{H}, \mathbf{U}, \sigma)$ that outputs $\mathbf{E} \in \mathbb{Z}^{m \times n}$ satisfying $\mathbf{A}\mathbf{E} = \mathbf{U} \bmod q$ with Gaussian parameter $\sigma$, and $\|\mathbf{E}\| \le \sigma\sqrt{m}$ with overwhelming probability.
Definition 6 (DelTrap). A PPT algorithm $\mathrm{DelTrap}(\mathbf{A}, \mathbf{H}, \mathbf{R}, \sigma_d)$ delegates its trapdoor to sub-members and generates a new trapdoor $\mathbf{R}'$ satisfying $\mathbf{A}\begin{bmatrix}\mathbf{R}'\\ \mathbf{I}_w\end{bmatrix} = \mathbf{H}\mathbf{G}$.
Definition 7 (FRD encoding). Let the identity of a node at hierarchy level $\ell$ ($\ell \ge 0$) be an $\ell$-dimensional vector $id_\ell = (d_1, d_2, \ldots, d_\ell)$. When $\ell = 0$, the identity is the root node. An efficient full-rank difference (FRD) encoding maps an identity to a matrix, $H_{frd} : \mathbb{Z}^{\ell} \to \mathbb{Z}_q^{n \times n}$.
Definition 8 (HIBCH). An HIBCH scheme is generally defined by the following algorithms:
Setup generates the public parameters pp and the master key mk from the security parameter λ. Typically, it is run by a private key generator (PKG).
Extract outputs the trapdoor (secret key) for a user with identity ID, using the secret key of ID's parent.
Hash hashes the message m using the public parameters pp and an identity ID. It chooses a random parameter r and outputs a hash value of m.
Forge looks for a collision of the hash value for a new message m′. It usually takes the hash value, an identity ID with its key, and the original message m as inputs, and outputs a new parameter r′.
Trapdoors for chameleon hash functions are usually managed through key sharing, but that mechanism requires a lot of interaction and is inefficient. Therefore, we introduce hierarchical identity management of trapdoors. Trapdoors of different users are independent but at the same time controllable. Figure 1 shows how the chameleon hash achieves this property using hierarchical identities.

Figure 1. Delegating trapdoor model of HIBCH-RS.
In Figure 1, the trusted party can be a regulator and performs the initialization operations of HIBCH-RS. Subsequently, the trusted party delegates the trapdoor to the node members by generating the slave key, while the node members can repeat the operation of the trusted party to delegate the trapdoor to other nodes. The trusted party's public key is used for chameleon hashing and the trapdoor information is used to find collisions. In this hierarchical structure, the parent node removes and updates the child node's trapdoor information by withdrawing or updating the slave key. This paper introduces a subordinate key between parent and child nodes, unlike the hierarchical identity encryption schemes of [22,37–39]. The HIBCH-RS model encompasses six probabilistic polynomial-time (PPT) algorithms: Setup, SlaveKey, DelKey, Update, CH, and Forge.
$\mathrm{Setup}(1^n, q) \to (PP, MK)$: Run by any trusted node; the initialization takes the security parameter $n$ and the positive integer $q$ as inputs and outputs the public parameters $PP$ and the master key $MK$.
$\mathrm{SlaveKey}(1^n, q, ID) \to (\mathbf{A}_{S_{id_\ell}}, \mathbf{S}_{id_\ell})$: Run by $id_\ell$ to obtain the slave key before delegating the trapdoor. It takes $n, q, ID$ as inputs and outputs the slave public key $\mathbf{A}_{S_{id_\ell}}$ and the slave secret key $\mathbf{S}_{id_\ell}$ for $ID$.
$\mathrm{DelKey}(\mathbf{A}_{S_{id^*_\ell}}, \mathbf{S}_{id^*_\ell}, id_\ell) \to (\mathbf{F}_{id_\ell}, \mathbf{R}_{id_\ell}, \mathbf{E}_{id_\ell})$: Run by node $id_\ell$, using the parent node's slave key to generate the delegated trapdoor. It takes the slave public key $\mathbf{A}_{S_{id^*_\ell}}$, the slave private key $\mathbf{S}_{id^*_\ell}$ and $id_\ell$ as inputs and outputs the public key $\mathbf{F}_{id_\ell}$, the trapdoor $\mathbf{R}_{id_\ell}$, and the personal key $\mathbf{E}_{id_\ell}$.
$\mathrm{Update}(1^n, q, id_\ell, RL) \to (\mathbf{A}'_{S_{id_\ell}}, \mathbf{S}'_{id_\ell}, RL')$: Run by $id_\ell$ when a delegated user is untrustworthy and its key needs to be recalled and updated. It takes $n$, $q$, the revocation list $RL$ and a new random tag $\mathbf{H}'_\ell$ as inputs and outputs a new slave key pair $(\mathbf{A}'_{S_{id_\ell}}, \mathbf{S}'_{id_\ell})$ and the updated list $RL'$.
$\mathrm{CH}(PP, M) \to (h, \mathbf{r}, (str, ver))$: Takes the public parameters $PP$ and a message $M$, computes the hash value of $M$, and outputs the hash value $h$, the randomness $\mathbf{r}$, and the verification pair $(str, ver)$.
$\mathrm{Forge}(\mathbf{F}_{id_\ell}, \mathbf{R}_{id_\ell}, \mathbf{E}_{id_\ell}, M', h) \to \mathbf{r}'$: Run by $id_\ell$ when message data must be modified and a collision is needed. It takes the public key $\mathbf{F}_{id_\ell}$, the trapdoor $\mathbf{R}_{id_\ell}$, the personal key $\mathbf{E}_{id_\ell}$, and the message $M'$ as inputs and outputs a collision $\mathbf{r}'$ satisfying $\mathrm{CH}(\mathbf{A}, M, \mathbf{E})|_{\mathbf{r}} = \mathrm{CH}(\mathbf{F}_{id_\ell}, M', \mathbf{E}_{id_\ell})|_{\mathbf{r}'}$ with $M \ne M'$.
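The following Python script is an added illustration, not code from the paper or from its Hyperledger Fabric implementation. It plays through, at toy size and without Gaussian sampling, the tag-based trapdoor algebra that the six algorithms above rely on and that Section 3.2 instantiates: the public key $\mathbf{F}_H = [\mathbf{A}_0 \mid \mathbf{H}\mathbf{G} - \mathbf{A}_0\mathbf{S}]$ with trapdoor $\mathbf{R} = [\mathbf{S}; \mathbf{I}_w]$ so that $\mathbf{F}_H\mathbf{R} = \mathbf{H}\mathbf{G}$ (Definition 6), finding a short preimage through the gadget $\mathbf{G}$, the chameleon hash $h = \mathbf{F}\mathbf{r} + \mathbf{E}^T\mathbf{c} \bmod q$ with the collision relation $\mathbf{F}\mathbf{r}' = h - \mathbf{E}^T\mathbf{c}'$ that Forge must satisfy, and the revocability property that an old trapdoor no longer matches once the tag changes. Assumptions made here and not fixed by the paper: the tag $\mathbf{H}$ is a scalar multiple of the identity, $H_M$ is SHA-256 truncated to $m$ bits, the preimage is found deterministically by bit decomposition (which leaks $\mathbf{S}$ and is exactly what SampleD's Gaussian randomisation prevents in the real scheme), and $q = 2^k$ with $n = 2$, $k = 8$.

```python
"""Added example: the trapdoor algebra behind HIBCH-RS keys at toy scale.
Shows F_H = [A0 | H G - A0 S] with trapdoor R = [S; I_w] (so F_H R = H G),
preimage finding through the gadget G, a chameleon hash h = F r + E^T c with
its collision r', and why an old trapdoor stops working after a tag update.
Toy parameters, no Gaussian sampling: insecure, for illustration only."""
import hashlib
import random

N, K = 2, 8             # n rows, k bits per row, q = 2^k
Q = 1 << K
W = N * K               # gadget width w = nk
MBAR = N * K            # \bar m = nk as in the paper's Setup
M = MBAR + W            # m = \bar m + w

def mat_vec(A, v):
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]

def mat_mul(A, B):
    cols = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in cols] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def gadget():
    """G = I_n (x) (1, 2, 4, ..., 2^{k-1}), an n x w matrix."""
    G = [[0] * W for _ in range(N)]
    for i in range(N):
        for j in range(K):
            G[i][i * K + j] = 1 << j
    return G

def gadget_inverse(v):
    """x in {0,1}^w with G x = v (mod q): bit decomposition of each entry."""
    return [(v[i] >> j) & 1 for i in range(N) for j in range(K)]

def public_matrix(A0, S, tag):
    """F_tag = [A0 | tag*G - A0*S]; the scalar tag stands in for H = tag*I_n (assumption)."""
    G = gadget()
    A0S = mat_mul(A0, S)
    right = [[(tag * G[i][j] - A0S[i][j]) % Q for j in range(W)] for i in range(N)]
    return [A0[i] + right[i] for i in range(N)]

def keygen(rng, tag):
    """TrapGen-like: random A0, short S, and F_tag built around them."""
    A0 = [[rng.randrange(Q) for _ in range(MBAR)] for _ in range(N)]
    S = [[rng.choice((-1, 0, 1)) for _ in range(W)] for _ in range(MBAR)]
    return public_matrix(A0, S, tag), A0, S

def invert(S, tag, u):
    """Short z with F_tag z = u: z = [S x; x] where G x = tag^{-1} u (mod q).
    Deterministic, so it leaks S; the real scheme randomises this with SampleD."""
    inv_tag = pow(tag, -1, Q)                     #  tag is odd, hence invertible mod 2^k
    x = gadget_inverse([(inv_tag * ui) % Q for ui in u])
    return [sum(s * xi for s, xi in zip(row, x)) for row in S] + x

def message_digest(msg):
    """c = H_M(msg) in {0,1}^m (SHA-256 bits; the paper does not fix H_M)."""
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(M)]

def personal_key(S, tag, U):
    """E with F_tag E = U, column by column (the paper's SampleD(R, F, H, U, sigma))."""
    return transpose([invert(S, tag, [U[i][j] for i in range(N)]) for j in range(N)])

def chameleon_hash(F, E, msg, r):
    """h = F r + E^T c mod q."""
    Fr = mat_vec(F, r)
    Etc = mat_vec(transpose(E), message_digest(msg))
    return [(a + b) % Q for a, b in zip(Fr, Etc)]

def forge(S, tag, E, h, new_msg):
    """Collision r' with F r' = h - E^T c' mod q, as in the paper's Forge."""
    Etc = mat_vec(transpose(E), message_digest(new_msg))
    return invert(S, tag, [(a - b) % Q for a, b in zip(h, Etc)])

def demo(seed=7):
    rng = random.Random(seed)
    tag, new_tag = 5, 11                                   # odd tags, H = tag*I
    F, A0, S = keygen(rng, tag)
    R = [row[:] for row in S] + [[int(i == j) for j in range(W)] for i in range(W)]
    HG = [[(tag * g) % Q for g in row] for row in gadget()]
    U = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    E = personal_key(S, tag, U)
    r = [rng.choice((-1, 0, 1)) for _ in range(M)]
    old, new = b"tx: pay 10 to alice", b"tx: pay 10 to alice [redacted]"  # constructed sample
    h = chameleon_hash(F, E, old, r)
    r2 = forge(S, tag, E, h, new)
    F2 = public_matrix(A0, S, new_tag)                     # tag update, same slave secret
    return {
        "trapdoor_relation": mat_mul(F, R) == HG,          # F_H R = H G
        "personal_key": mat_mul(F, E) == U,                # F E = U
        "collision": chameleon_hash(F, E, new, r2) == h,   # same h, different message
        "collision_is_short": max(abs(z) for z in r2) <= W,
        "old_trapdoor_revoked": mat_mul(F2, R) != HG,      # F' R != H G after the update
        "old_inversion_fails": mat_vec(F2, invert(S, tag, [1, 0])) != [1, 0],
    }

if __name__ == "__main__":
    print(demo())
```

Run it directly to print the six checks; every value is True. The `old_inversion_fails` check is the concrete form of the revocability requirement below: a holder of the old trapdoor who does not know the new tag produces a preimage for the wrong target, so the old key cannot forge collisions under the updated public key.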
Formally, when $\ell = 0$, $\mathbf{A} = \mathbf{F}_{id_0}$; we use $\mathbf{F}_{id_0}$ instead of $\mathbf{A}$ in the security proof. Next, we discuss the security requirements of HIBCH-RS.
• Correctness. Formally, for messages $M, M'$ and identity $id_i$, $\Pr\big[\mathrm{Expt}^{COR}_{\mathcal{A},\mathrm{HIBCH\text{-}RS}}(n, q) = 1\big] \ge 1 - \mathrm{negl}(n)$, where the experiment $\mathrm{Expt}^{COR}_{\mathcal{A},\mathrm{HIBCH\text{-}RS}}$ is described as follows:
Run $((\mathbf{A}, \mathbf{E}), MK) \leftarrow \mathrm{Setup}(1^n, q)$;
Run $(h, \mathbf{r}, (str, ver)) \leftarrow \mathrm{CH}(\mathbf{A}, \mathbf{E}, M)$;
Run $(\mathbf{F}_{id_i}, \mathbf{R}_{id_i}, \mathbf{E}_{id_i}) \leftarrow \mathrm{DelKey}(\mathbf{A}_{S_{id^*_i}}, \mathbf{S}_{id^*_i}, id_i)$;
Run $\mathbf{r}' \leftarrow \mathrm{Forge}(\mathbf{F}_{id_i}, \mathbf{R}_{id_i}, \mathbf{E}_{id_i}, M', h)$;
If $\mathrm{CheckCH}_{PP,key_{id_i}}((h, M, \mathbf{r}), (h, M', \mathbf{r}')) = 1$: return 1.
$\mathrm{CheckCH}_{PP,key_{id_i}}$ is defined as follows: if $\mathrm{CH}(PP, M)|_{\mathbf{r}} = h \;\wedge\; \mathrm{CH}(key_{id_i}, M')|_{\mathbf{r}'} = h' \;\wedge\; h = h' \;\wedge\; M \ne M'$: return 1; otherwise return 0.
• Revocability. For any $id_i$, if $\{(\mathbf{F}_{id_i}, \mathbf{R}_{id_i}, \mathbf{E}_{id_i}) \leftarrow \mathrm{DelKey}(\mathbf{A}_{S_{id^*_i}}, \mathbf{S}_{id^*_i}, id_i) \mid \mathbf{H}_i, \mathbf{G}\}$ and $\{(\mathbf{F}'_{id_i}, \mathbf{R}'_{id_i}, \mathbf{E}'_{id_i}) \leftarrow \mathrm{DelKey}(\mathbf{A}'_{S_{id^*_i}}, \mathbf{S}'_{id^*_i}, id_i) \mid \mathbf{H}'_i, \mathbf{G}\}$, then $\mathbf{F}'_{id_i}\cdot\mathbf{R}_{id_i} \ne \mathbf{H}'_i\cdot\mathbf{G}$, and when $(\mathbf{H}_i - \mathbf{H}'_i)$ is invertible, $\mathbf{F}'_{id_i} = \mathbf{F}_{id_i} - [\mathbf{0} \mid \mathbf{H}'_i\mathbf{G} \mid \mathbf{0}]$ and $\mathbf{F}'_{id_i}\cdot\mathbf{R}'_{id_i} \ne (\mathbf{H}_i - \mathbf{H}'_i)\cdot\mathbf{G}$. At the same time, the system can still effectively recover, update, or disable disclosed trapdoor keys when malicious users are present. This security requirement guarantees that the old trapdoor key no longer works.
• Resistance to collision forgery under active attacks (RCF). For any PPT adversary $\mathcal{A}$, if
$\mathrm{Adv}^{RCF}_{\mathcal{A},\mathrm{HIBCH\text{-}RS}} := \Pr\big[\mathrm{Expt}^{RCF}_{\mathcal{A},\mathrm{HIBCH\text{-}RS}}(n, q) = 1\big] \le \mathrm{negl}(n)$,
then the chameleon hash construction of the HIBCH-RS model is collision-resistant under active attacks. The experiment $\mathrm{Expt}^{RCF}_{\mathcal{A},\mathrm{HIBCH\text{-}RS}}$ is described as follows:
$(PP, MK) \leftarrow \mathrm{Setup}(1^n, q)$, $Q_{Forge} := \emptyset$;
Run $(\mathbf{A}_{S_{id^*_i}}, \mathbf{S}_{id^*_i}) \leftarrow \mathrm{SlaveKey}(1^n, q, id^*_i)$;
Run $(\mathbf{F}_{id_i}, \mathbf{R}_{id_i}, \mathbf{E}_{id_i}) \leftarrow \mathrm{DelKey}(\mathbf{A}_{S_{id^*_i}}, \mathbf{S}_{id^*_i}, id_i)$;
Define $key_{id_i} := (\mathbf{F}_{id_i}, \mathbf{R}_{id_i}, \mathbf{E}_{id_i})$;
Run $(h^*, \mathbf{r}^*, M^*, M'^*, \mathbf{r}'^*, (str, ver)) \leftarrow \mathcal{A}^{Q_{Forge}(\cdot)}(key_{id_i})$;
Define $Hash_M := (h, \mathbf{r}, M)$ and $Hash_{M^*} := (h^*, \mathbf{r}^*, M^*)$;
If $\mathbf{r}^* \ne \bot$, $\mathrm{CheckCH}_{PP,key_{id_i}}(Hash_M, Hash_{M^*}) = 1$ and $(h^*, M^*, (str, ver)) \notin Q_{Forge}$: return 1; otherwise return 0.
The oracle $Q_{Forge}$ is defined as follows:
If $\mathrm{Check}^{Verify}_{key}(str, ver) = 1$, $\exists (h'', M)$ and $M' \notin Q_{Forge}$ with $h'' = h$: run $\mathbf{r}' \leftarrow \mathrm{Forge}(key_{id_i}, M', h)$;
if $\mathbf{r}' \ne \bot$: define $Q_{Forge} := Q_{Forge} \cup \{((str, ver), h, M), ((str, ver), h, M')\}$;
return $\mathbf{r}'$.
$\mathrm{Check}^{Verify}_{key_{id_i}}$ is defined as follows:
If $str = \bot$ and $ver = \bot$: return 1.
If $str, ver \ne \bot$: run $\mathbf{e}_{id_i} \leftarrow \mathrm{SampleD}(key_{id_i})$, define $z = str - \mathbf{e}_{id_i}\cdot ver$, and return 1.
Otherwise: return 0.
• Forgery indistinguishability. For users and messages $M, M'$ with identity $ID$, if
$\{(h, \mathbf{r}) \mid (h, \mathbf{r}) \leftarrow \mathrm{CH}(\mathbf{A}, M, \mathbf{E})\} \approx \{(h, \mathbf{r}') \mid (h, \mathbf{r}) \leftarrow \mathrm{CH}(\mathbf{A}, M, \mathbf{E}),\ \mathbf{r}' \leftarrow \mathrm{Forge}(\mathbf{A}_{id_k}, \mathbf{R}_{id_k}, \mathbf{E}_{id_k}, M', h)\}_{ID, \mathbf{r}'}$,
then the construction of HIBCH-RS satisfies forgery indistinguishability.

…Since $\mathbf{R}_{ID}$ is the random vector that came from SampleD, we can also represent $\mathbf{R}_{ID}$ as $\mathbf{R}_{ID} = [\mathbf{x}_1 \cdots \mathbf{x}_w]$ by the trapdoor form in the definition of [36], where $\mathbf{x}_i$ is a vector whose $i$-th row is 1 and the other rows are 0 with probability $\mathrm{negl}(n)$. In this ideal case, $\mathbf{K}_{ID}$ is constant. However, in practice, when the key pair is updated, $\mathbf{K}_{ID}$ is a matrix of changes. Therefore, it is possible to forge an $\mathbf{R}_{ID}$ that satisfies this situation only with probability $\mathrm{negl}(n)$.
3. First, when a malicious user exists in a child node, its parent node can disable the user's edit permissions by updating the slave key information as well as the tag information, and at the same time add the child node's identity to the revocation list and remove its edit permissions. Secondly, if a malicious user delegates illegitimate trapdoor information to other users, we can update its trapdoor information by assigning its child nodes to other legitimate nodes and then updating their trapdoor information. If a malicious user requests to modify other users' private data or non-editable transactions, the regulator may automatically lock the malicious user's edit permissions. Furthermore, if a malicious user refuses to cooperate in revoking an insecure trapdoor key, we can add the user to the revocation list, restrict its edit permissions, and then update the trapdoor information. In all of the above cases, the illegal behavior of malicious users is accounted for and measures can be taken to ensure the overall security of the system. □

Theorem 3 (Resistance to collision forgery under active attacks). Assume that the adversary $\mathcal{A}$ can make at most $\mathcal{Q}$ adaptive queries. If $\mathcal{A}$ can break the security of HIBCH-RS with non-negligible advantage, then it wins the experiment $\mathrm{Expt}_{\mathcal{A},\mathcal{C}}(n, q)$ defined in the following.

Proof. First, the challenger $\mathcal{C}$ initializes the set $\mathcal{Q} := \emptyset$. During this phase, the challenger $\mathcal{C}$ executes the following:
Generate $(PP, MK) \leftarrow \mathrm{HIBCH\text{-}RS.Setup}(1^n, q)_{\mathcal{C}}$.
Sample $\mathbf{H}_\ell \leftarrow \mathbb{Z}_q^{n \times n}$.
Generate $(\mathbf{A}_{S_{id_i}}, \mathbf{S}_{id_i}) \leftarrow \mathrm{SlaveKey}(1^n, q, id_i)_{\mathcal{C}}$ and $(\mathbf{F}_{id_i}, \mathbf{R}_{id_i}, \mathbf{E}_{id_i}) \leftarrow \mathrm{DelKey}(\mathbf{A}_{S_{id^*_i}}, \mathbf{S}_{id^*_i}, id_i)$.
Set $pp := (PP, \mathbf{H}_\ell, \mathbf{F}_{id_i})$ and $TI := (pp, \mathbf{R}_{id_i}, \mathbf{E}_{id_i})$, and send $pp$ to $\mathcal{A}$.
Second, $\mathcal{A}$ queries: $M, M' \in \mathcal{M}$, $\mathbf{u}_{id_i} \leftarrow \mathbb{Z}_q^{n \times 1}$, and $(h_i, (str, ver)) \leftarrow \mathrm{CH}(\mathbf{A}, M, \mathbf{E})|_{\mathbf{r}_i}$. Generate $(M, M', h_i, \mathbf{r}_i, (str, ver))$.
Then, the challenger $\mathcal{C}$ executes the following: …
3.2. Construction of HIBCH-RS
This section gives the detailed construction of the HIBCH-RS model with updatable subkeys. The concrete implementation of the model consists of the following algorithms.
• $\mathrm{Setup}(1^n, q)$: Given a security parameter $n$ and any integer $q \ge 2$, let $\bar m = nk$, $w = nk$, and $m = \bar m + w$. Run $\mathrm{TrapGen}(1^n, q) \to (\mathbf{A}, \mathbf{R})$ such that $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and $\mathbf{R} \in \mathbb{Z}^{\bar m \times w}$. Generate $\mathbf{U} \leftarrow_R \mathbb{Z}_q^{n \times n}$ at random and compute $\mathbf{E} \leftarrow \mathrm{SampleD}(\mathbf{R}, \mathbf{A}, \mathbf{H}, \mathbf{U}, \sigma)$ such that $\mathbf{A}\mathbf{E} = \mathbf{U} \bmod q$. Finally, output the public parameters $PP = (\mathbf{A}, \mathbf{U}, \mathbf{E})$ and the master key $MK = \mathbf{R}$.
• $\mathrm{SlaveKey}(1^n, q, ID)$: Randomly sample $\mathbf{V} \in \mathbb{Z}_q^{\bar m \times w}$ from $D_{\mathbb{Z}^{\bar m}, \sigma_s}$ and an error $\mathbf{T} \in \mathbb{Z}^{\bar m \times w}$ from $\chi$. Compute $\mathbf{S}_{id_\ell} = H_{frd}(id_\ell)\cdot\mathbf{V} + \mathbf{T}$. Randomly choose $\mathbf{A}_{S_{id_\ell}} \in \mathbb{Z}_q^{n \times \bar m}$ and an H-tag $\mathbf{H}_\ell$, then set $\mathbf{A}_{S_{id_\ell}} = [\mathbf{A}_{S_{id_\ell}} \mid \mathbf{H}_\ell\mathbf{G} - \mathbf{A}_{S_{id_\ell}}\cdot\mathbf{S}_{id_\ell}] \bmod q$. Finally, output $\mathbf{A}_{S_{id_\ell}}$ and $\mathbf{S}_{id_\ell}$.
• $\mathrm{DelKey}$: …evaluate $\mathbf{R}_{id_\ell} \leftarrow \mathrm{DelTrap}(\mathbf{F}_{id_\ell}, \mathbf{H}^*_\ell, \mathbf{S}_{id^*_\ell}, \sigma_d)$ to obtain a trapdoor for $id_\ell$. Generate the personal key $\mathbf{E}_{id_\ell} \leftarrow \mathrm{SampleD}(\mathbf{R}_{id_\ell}, \mathbf{F}_{id_\ell}, \mathbf{H}_\ell, \mathbf{U}, \sigma)$ for $id_\ell$. Finally, output $\mathbf{F}_{id_\ell}$, $\mathbf{R}_{id_\ell}$, and $\mathbf{E}_{id_\ell}$.
• $\mathrm{Forge}(\mathbf{F}_{id_\ell}, \mathbf{R}_{id_\ell}, \mathbf{E}_{id_\ell}, M', h)$: Input the public key and the trapdoor of $id_\ell$ and find a collision of the chameleon hash. For personal data, the ability of the $id_\ell$ user to decrypt $str$ is verified first to determine whether the user has permission to edit the private data; the hash collision is computed only if this verification passes, and the edit request is rejected otherwise. $id_\ell$ provides the decryption key $\mathbf{d}_{id_\ell} \leftarrow \mathrm{SampleD}(\mathbf{R}_{id_\ell}, \mathbf{F}_{id_\ell}, \mathbf{H}^*_\ell, \mathbf{u}_{id_\ell}, \sigma)$ and computes $z = str - \mathbf{d}^T_{id_\ell}\cdot ver \bmod q$. If $|z - \lceil q/2\rceil| < \lceil q/4\rceil$ and $mid = 1$, output True; otherwise output False. If $|z - \lceil q/2\rceil| > \lceil q/4\rceil$ and $mid = 0$, output True; otherwise output False. For public transaction data, or for personal data that passed verification, the $id_\ell$ user can compute a hash collision directly. Let $\mathbf{c}' = H_M(M')$. Then sample $\mathbf{r}'$ with SampleD such that $\mathbf{F}_{id_\ell}\cdot\mathbf{r}' = h - \mathbf{E}^T_{id_\ell}\cdot\mathbf{c}' \bmod q$, and output the collision $\mathbf{r}'$ (or $\bot$ if the verification failed). Algorithm 2 illustrates the operation of the algorithm in simple pseudocode.
3.3.2. Security
Proof. For the hash value $h$ and identity $ID$, it is easy to confirm that $ID$ uses the trapdoor information to compute a new $\mathbf{r}'$ from $\mathrm{SampleD}(\mathbf{R}_{ID}, \mathbf{F}_{ID}, \mathbf{H}_i, h - \mathbf{E}^T_{ID}\cdot\mathbf{c} \bmod q, \sigma)$. Define
$D_{CH} := \big\{(M', \mathbf{r}', h') \mid \mathbf{r}' \leftarrow_R D_{\mathbb{Z}^m,\sigma},\ \mathbf{c}' = H_M(M'),\ h' = \mathbf{A}\mathbf{r}' + \mathbf{E}^T\mathbf{c}' \bmod q\big\}_{n,q,PP}$.
Next, we define $D_{Forge}$ as
$D_{Forge} := \big\{(M', \mathbf{r}', h) \mid \mathbf{r} \xleftarrow{\$} R,\ h \leftarrow \mathrm{CH}(\mathbf{A}, M, \mathbf{E}),\ \mathbf{R}_{id_k} \leftarrow \mathrm{DelKey}(\mathbf{A}_{S_{id_k}}, \mathbf{S}_{id_k}, id_k),\ \mathbf{r}' \leftarrow \mathrm{Forge}(\mathbf{A}_{id_k}, \mathbf{R}_{id_k}, \mathbf{E}_{id_k}, M', h)\big\}_{n,q,ID}$.
It is known that $\mathbf{r}'$ is indistinguishable from $\mathbf{r}$, since both $\mathbf{r}$ and $\mathbf{r}'$ are drawn from discrete Gaussian distributions. Therefore, $D_{CH} \approx D_{Forge}$, which means that they are indistinguishable. □
Based on the analysis, devising an editable scheme grounded in the HIBCH-RS model
imparts quantum-resistant characteristics. Concurrently, the security of the editable method
is contingent upon the safety of the foundational algorithm.
4. Redactable Programs
This paper is dedicated to the formulation of a redactable blockchain that empha-
sizes compatibility. In this context, compatibility pertains to the ability of the redactable
blockchain structure to integrate with data structure, the consensus protocols, block, and
chain structures, and more. Secondly, aiming at the consistency of the block, this paper
deals with the edit request through the majority node agreement mechanism. To improve
efficiency, multiple edit requests are packaged into a group of requests and sent to verifica-
tion nodes for approval. Finally, to achieve the traceability and accountability of editing
operations, this paper divides blocks into ordinary blocks and redactable blocks. We then
trace the history of edits by packaging edit requests into the form of ordinary blocks.
Revocable lists are also used to hold users accountable for unreliable or malicious changes.
In this section, we detail how this mechanism is implemented in conjunction with
Hyperledger Fabric.
As shown in Figure 2, we replace the hash algorithm in the Merkle tree with HIBCH-RS and add key fields for the redacted transaction. $B\_Number$ denotes the editing history block number. Formally, a redactable block is represented as $RB = \langle Head, Tx\ list \rangle$, where the block header is abstracted as the block number, the hash value of the preceding block and the data hash, denoted as $Head = \langle Number, PreHash, DataHash \rangle$. Meanwhile, the chain structure is delineated as $C = \langle B_0, RB_1, \ldots, B_i, B^{er}_j, \ldots \rangle$. In other words, there are three types of blocks in the redactable blockchain proposed in this paper: ordinary non-redactable blocks $B_i$, redactable blocks $RB_j$, and blocks that record editing operations $B^{er}$.
Figure 3 depicts the transaction flow for redactable Hyperledger Fabric to perform an edit request. In Fabric, the editing request initiated by the client is first sent to the endorsing nodes for processing. Subsequently, the approved requests are temporarily stored at the consensus nodes, awaiting validation and submission. A distinction arises between the editing procedures for public and personal transaction data. Specifically, in the case of personal transaction data, the modify content (MC) must be maintained as confidential information, thus ensuring data privacy. The validation node is solely responsible for confirming the endorsement strategy and the legitimacy of the modification. Ultimately, the agreed-upon modified transaction is submitted for accurate modification within the blockchain. Therefore, the edit request transaction is compatible with the transaction flow of a normal transaction.
Figure 3. Modify the transaction flow.
Specifically, we divide the editing process into the following stages:
Creation of an edit request: The process commences with the creation of an edit request by a member who possesses the trapdoor key. This event triggers the generation of a modification transaction (MT). MT comprises two principal components: the modified content (MC) and the key parameter (KP).
• Modified content (MC): MC encompasses several elements, including the transaction ID (TxID) of the transaction being revised, the hash value of the transaction, the identification of the member initiating the edit request, and the new content. If we would like to delete illegal information, the new content will be defined as empty.
• Key parameter (KP): The KP encompasses the hash collision $r'$. Importantly, this component determines the ability to accurately modify the transaction within the
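The block layout of Section 4 and the edit request MT = (MC, KP) of the stages above, as an added Go example (the language of Fabric chaincode); this is not the paper's code. It swaps in a discrete-log chameleon hash of the Krawczyk-Rabin form for HIBCH-RS, so it has neither the identity hierarchy nor the lattice-based quantum resistance of the paper's construction; it hashes the chameleon-hash leaves flat instead of building the Merkle tree; and the type names, the Kind field, the 128-bit toy safe prime and the sample transactions are my constructions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Discrete-log chameleon hash (Krawczyk-Rabin style): a stand-in for HIBCH-RS with the same
// hash/forge interface, but classical and not quantum-resistant. Parameters are toy-sized.
type CHParams struct{ P, Q, G, Y *big.Int } // safe prime p = 2q+1, g of order q, y = g^x mod p
type CHTrapdoor struct{ X *big.Int }        // the editor's trapdoor key x
func GenCH() (CHParams, CHTrapdoor) {
	one, two := big.NewInt(1), big.NewInt(2)
	var p, q *big.Int
	for p == nil || !p.ProbablyPrime(32) { // 128-bit safe prime, constructed for this example only
		q, _ = rand.Prime(rand.Reader, 128)
		p = new(big.Int).Add(new(big.Int).Mul(q, two), one)
	}
	g := big.NewInt(4) // a quadratic residue mod p, hence of order q
	x, _ := rand.Int(rand.Reader, new(big.Int).Sub(q, one))
	x.Add(x, one) // x in [1, q-1]
	return CHParams{p, q, g, new(big.Int).Exp(g, x, p)}, CHTrapdoor{x}
}
func (c CHParams) digest(msg []byte) *big.Int { // H_M: message -> Z_q
	d := sha256.Sum256(msg)
	return new(big.Int).Mod(new(big.Int).SetBytes(d[:]), c.Q)
}
// Hash computes CH(msg, r) = g^{H(msg)} * y^r mod p.
func (c CHParams) Hash(msg []byte, r *big.Int) *big.Int {
	a := new(big.Int).Exp(c.G, c.digest(msg), c.P)
	return a.Mul(a, new(big.Int).Exp(c.Y, r, c.P)).Mod(a, c.P)
}
// Forge returns r' with CH(msgNew, r') = CH(msg, r): r' = r + (H(msg) - H(msgNew)) * x^-1 mod q.
func (c CHParams) Forge(t CHTrapdoor, msg []byte, r *big.Int, msgNew []byte) *big.Int {
	d := new(big.Int).Sub(c.digest(msg), c.digest(msgNew))
	d.Mul(d, new(big.Int).ModInverse(t.X, c.Q))
	return d.Add(d, r).Mod(d, c.Q)
}

// Section 4 structures: RB = <Head, Tx list>, Head = <Number, PreHash, DataHash>. R is the key field
// of a redactable transaction, BNumber its B_Number (0 = never edited), Kind my label for B/RB/Ber.
type Tx struct{ TxID, Content string; R *big.Int; BNumber int }
type Head struct{ Number int; PreHash, DataHash []byte }
type Block struct{ Head Head; Txs []Tx; Kind string }
func NewTx(c CHParams, id, content string) Tx { r, _ := rand.Int(rand.Reader, c.Q); return Tx{id, content, r, 0} }
func (c CHParams) leaf(tx Tx) []byte { return c.Hash([]byte(tx.TxID+"|"+tx.Content), tx.R).Bytes() }

// DataHash stands in for the Merkle root: SHA-256 over the chameleon-hash leaves (tree layers omitted).
func (c CHParams) DataHash(txs []Tx) []byte {
	h := sha256.New()
	for _, tx := range txs {
		h.Write(c.leaf(tx))
	}
	return h.Sum(nil)
}
func NewBlock(c CHParams, kind string, prev *Block, txs []Tx) Block {
	b := Block{Head{0, nil, c.DataHash(txs)}, txs, kind}
	if prev != nil {
		ph := sha256.Sum256(append([]byte(fmt.Sprintf("%d|", prev.Head.Number)), prev.Head.DataHash...))
		b.Head.Number, b.Head.PreHash = prev.Head.Number+1, ph[:]
	}
	return b
}

// Modification transaction MT = (MC, KP): MC names the revised transaction, its current hash, the
// editor and the new content (empty = deletion); KP carries the collision r'.
type MC struct{ TxID string; OldHash []byte; EditorID, NewContent string }
type MT struct{ MC MC; KP *big.Int }

// NewEditRequest is the trapdoor holder's step: forge r' for the new content.
func NewEditRequest(c CHParams, t CHTrapdoor, editor string, tx Tx, newContent string) MT {
	rp := c.Forge(t, []byte(tx.TxID+"|"+tx.Content), tx.R, []byte(tx.TxID+"|"+newContent))
	return MT{MC{tx.TxID, c.leaf(tx), editor, newContent}, rp}
}

// ApplyEdit is the validator's step: accept only if r' keeps the leaf hash (so DataHash is
// unchanged), rewrite transaction i of block rb in place and append an editing-history block Ber.
func ApplyEdit(c CHParams, chain []Block, rb, i int, mt MT) ([]Block, error) {
	tx := &chain[rb].Txs[i]
	newTx := Tx{tx.TxID, mt.MC.NewContent, mt.KP, 0}
	if tx.TxID != mt.MC.TxID || !bytes.Equal(c.leaf(*tx), mt.MC.OldHash) || !bytes.Equal(c.leaf(newTx), mt.MC.OldHash) {
		return chain, errors.New("collision check failed: edit rejected")
	}
	record := NewTx(c, "edit:"+tx.TxID, mt.MC.EditorID+" -> "+mt.MC.NewContent)
	ber := NewBlock(c, "Ber", &chain[len(chain)-1], []Tx{record})
	tx.Content, tx.R, tx.BNumber = mt.MC.NewContent, mt.KP, ber.Head.Number
	return append(chain, ber), nil
}

func main() {
	c, t := GenCH()
	chain := []Block{NewBlock(c, "B", nil, []Tx{NewTx(c, "tx0", "genesis")})}
	chain = append(chain, NewBlock(c, "RB", &chain[0], []Tx{NewTx(c, "tx1", "illegal"), NewTx(c, "tx2", "ok")}))
	before := chain[1].Head.DataHash
	chain, err := ApplyEdit(c, chain, 1, 0, NewEditRequest(c, t, "editor-1", chain[1].Txs[0], ""))
	fmt.Println(err, bytes.Equal(before, c.DataHash(chain[1].Txs)), chain[1].Txs[0].BNumber, len(chain))
}
```

ApplyEdit is the validator-side check: the edit is accepted only when the forged $r'$ reproduces the stored leaf hash, which is exactly why DataHash, and with it the block header and every later PreHash, stay unchanged after the redaction; the appended Ber block and the updated BNumber on the transaction provide the edit trace the section asks for. With a wrong or stale $r'$ the collision check fails before anything is written, so the block is left untouched.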
Parameter Group n m w
Group 1 20 920 460
Group 2 40 2080 1040
Group 3 60 3480 1740
Group 4 80 5120 2560
Generally, in the public key model of lattice cryptosystems, n should be greater than 256. In this experiment, to compare the effect of parameter changes on the model as well as to reduce the computing time to improve the efficiency, we select the case where n is 20~80.
In the first experiment, we tested the time and secret key size of the runs of the hierarchical algorithm in the HIBCH-RS model, respectively. From Figure 4, we can see that the trapdoor delegation algorithm consumes more time and produces larger trapdoor matrix elements as the parameters change. This is because in the algorithm we have used $nk$ times the SampleD Gaussian sampling algorithm, and the SampleD algorithm performs a complex Gaussian sampling that causes the size of the delegated trapdoor to be linear with the dimensions of the delegated public key [36]. In future experiments, we will look to establish more efficient and stable Gaussian sampling algorithms for improvement. On the other hand, as can be seen in Figure 4, we added the Slavekey algorithm, which runs in much less time than the Setup algorithm. Therefore, the addition of this algorithm does not put too much burden on the system. For the storage expense shown in Figure 4b,c, among the public key of the public parameter PP, master key, delegated public key, and delegated trapdoor, the trapdoor storage expense is higher because the trapdoor is generated by the DelTrap algorithm, which runs $nk$ times the SampleD algorithm.
Next, we observe that some schemes for hierarchical identity encryption are related to the number of layers of delegation, such as schemes with a hierarchical identity-based puncturable encryption model (HIBPE) in [38], and the efficient quantum-safe hierarchical identity-based cryptosystem with traceable identities (AHIBET) in [39]. In Table 4, we list the delegated key sizes for both schemes and HIBCH-RS.
Table 4. Comparison of delegation key sizes.
From the experimental results shown in Table 4, the key size of the HIBPE and AHIBET models increases linearly with increasing levels. In our model, due to the introduction of the slave key algorithm, the size of the delegated key can be fixed in a certain dimension.
Figure 5. Comparison of hash running times. (a) The run time of the chameleon hash algorithm in the HIBCH-RS scheme; (b) the run time of the forge algorithm in the HIBCH-RS scheme [15].
5.1.3. Scalability
In this paper, the scalability of HIBCH-RS refers to the fact that the system can still maintain its existing efficiency and correctness in the face of large-scale modification requests, large-scale node users, and complex problems. First, the hierarchical identity structure of HIBCH-RS has controllable time complexity and space complexity in delegating keys, and the system performance will not be dramatically degraded with the growth of data or users. Secondly, in terms of privilege control and access efficiency, the design of the HIBCH-RS model can effectively realize the control of privileges, in that only users with trapdoors can perform editing operations. Meanwhile, the algorithms can be efficiently converted between different layers when performing encryption and collision-finding operations. This scalable performance can be demonstrated in the experiments.
5.2. Performance of HIBCH-RS-Based Redactable Blockchain
The redactable blockchain scheme based on HIBCH-RS, as elaborated in Section 4, boasts compatibility across various chain types, including public, alliance, and private chains. In the context of public chains, the scheme necessitates nearly complete decentralization of delegated keys. At this point, editable nodes are added to the hierarchical identity by application in a decentralized way. To establish this dynamic, a reward and punishment mechanism can be instituted, where nodes that adhere to agreed-upon rules can receive rewards, while those that deviate may face penalties. Within an alliance chain, the scheme can be overseen by a certificate authority and monitored by the regulator. In a private chain, this delegated management structure can be entrusted to a centralized organization, while concurrently imposing constraints on users possessing edit permissions.
To concretize these concepts, this paper proceeded to implement the redacting scheme using the Fabric platform, which is an alliance chain framework featuring a pluggable mechanism. In this subsection, we elucidate the integration of the editing scheme, ensuring compatibility within the Fabric ecosystem.
Redactable Hyperledger Fabric
Schemes for implementing redactable blockchains based on post-quantum ciphers are in the minority, followed by equally fewer schemes for building editability in practical platforms. Thus, there are almost no practical schemes that we can compare. For the above reasons, in this experiment we demonstrate the performance of this paper's scheme mainly in terms of the processing efficiency of editable requests, the size of editable blocks, and the throughput of editable requests. The parameter $pg = 60$ was chosen for this part of the experiment, and the test was in terms of blocks. The experimental results are shown in Figure 6.
Redactable blocks cost some extra storage due to storing the editing information associated with them, but as can be seen in Figure 6a, this extra cost is small, and in practice, every transaction in the block may not always be allowed to be editable. As a result, block sizes tend to be smaller than shown in the pictures above. Second, in Figure 6b, we show the throughput of edit request processing. The experiment was tested using the Caliper tool, and the choice of the number of transactions stored in the block and the number of transactions sent is shown in Table 5.
Figure 6. Redactable blockchain performance. (a) Comparison of block size, with the difference between the redactable block and the original block structure shown in detail. (b) Showing the performance of transactions per second.
Table 5. The number of transactions stored in the block and the number of transactions sent.
As can be seen from Figure 6b, the redactable transaction throughput is low compared to the normal transaction throughput, but this is sufficient in a redactable blockchain.
In this paper, in the parameter configuration, the caching time of the edit request was
specified as 5 s. Finally, the selected personal and public transaction data were edited
and verified. We tested the time of Algorithm 3 and results are displayed in Table 6.
When compared to modifying public transaction data, the alteration of private transactions
introduced an extra authentication time for the user. Specifically, the time required for
editing a block in the quantum-resistant redactable blockchain exceeded 4.66 s, but the
maximum time did not exceed 8.29 s.
6. Conclusions
Designing a secure and compatible redactable blockchain protocol is a challenging
task. In this paper, we introduce the HIBCH-RS model with subkey updates and trapdoor
updates. Using this model, we constructed redactable schemes that excelled in both security
and compatibility. The scheme represents a significant innovation and breakthrough
compared to many editing techniques that still focus on key sharing. In future work,
we will try to incorporate user attributes to enhance the division of edit permissions. In
addition, we will improve the efficiency of the algorithm by improving the discrete Gaussian
function. In the design of a redactable scheme, we propose to incorporate traceability and
accountability. It is worth noting that to enhance the practical applicability of the editing
scheme, the design of the scheme should continue to focus on how to apply it in both public
and private chain schemes.
Author Contributions: Conceptualization, X.W.; methodology, X.W. and Y.C.; software, X.W. and
C.L.; validation, Y.C.; formal analysis, Y.C.; investigation, X.W. and C.L.; resources, X.Z. and K.F.;
data curation, X.W.; writing—original draft preparation, X.W.; writing—review and editing, Y.C.;
visualization, C.L.; supervision, K.F.; project administration, Y.C.; funding acquisition, X.Z. and K.F.
All authors have read and agreed to the published version of the manuscript.
Funding: This research was funded by “Science Research Excellent Youth Project of Hunan Provincial Department of Education under grant number 23B0906”, “Science Research Excellent Youth Project of Hunan Provincial Department of Education under grant number 23B0920”, “The Key Research and Development Project of Hunan Province, China, grant number 2023NK2011”, “Scientific Research Fund of Hunan Provincial Education Department, grant number 21A0599” and “Key project of the 14th Five-Year Plan of Education Science of Hunan Province, grant number XJK23AJD016”.
Institutional Review Board Statement: Not applicable.
Informed Consent Statement: Not applicable.
Data Availability Statement: Data are contained within the article.
Acknowledgments: This work was supported by the project of “The discipline of business management of provincial-level application characteristics of Hunan Women’s University”.
References
1. Al-Jaroodi, J.; Mohamed, N. Blockchain in industries: A survey. IEEE Access 2019, 7, 36500–36515. [CrossRef]
2. Saad, M.; Spaulding, J.; Njilla, L.; Kamhoua, C.; Shetty, S.; Nyang, D.; Mohaisen, D. Exploring the attack surface of blockchain: A
comprehensive survey. IEEE Commun. Surv. Tutor. 2020, 22, 1977–2008. [CrossRef]
3. Wang, Y.; He, J.; Zhu, N.; Yi, Y.; Zhang, Q.; Song, H.; Xue, R. Security enhancement technologies for smart contracts in the
blockchain: A survey. Trans. Emerg. Telecommun. Technol. 2021, 32, e4341. [CrossRef]
4. Velliangiri, S.; Karthikeyan, P. Blockchain technology: Challenges and security issues in consensus algorithm. In Proceedings of
the 2020 International Conference on Computer Communication and Informatics (ICCCI), Coimbatore, India, 22–24 January 2020;
pp. 1–8.
5. Chou, I.T.; Su, H.H.; Hsueh, Y.L.; Hsueh, C.W. Bc-store: A scalable design for blockchain storage. In Proceedings of the 2nd
International Electronics Communication Conference, Singapore, 8–10 July 2020; pp. 33–38.
6. Chan, W.K.; Chin, J.J.; Goh, V.T. Simple and scalable blockchain with privacy. J. Inf. Secur. Appl. 2021, 58, 102700. [CrossRef]
7. Matzutt, R.; Kalde, B.; Pennekamp, J.; Drichel, A.; Henze, M.; Wehrle, K. How to securely prune bitcoin’s blockchain. In
Proceedings of the 2020 IFIP Networking Conference (Networking), Paris, France, 22–26 June 2020; pp. 298–306.
8. Azbeg, K.; Ouchetto, O.; Andaloussi, S.J. BlockMedCare: A healthcare system based on IoT, Blockchain and IPFS for data
management security. Egypt. Inform. J. 2022, 23, 329–343.
9. Athanere, S.; Thakur, R. Blockchain based hierarchical semi-decentralized approach using IPFS for secure and efficient data
sharing. J. King Saud Univ.-Comput. Inf. Sci. 2022, 34, 1523–1534.
10. Liu, Y.; Liu, J.; Salles, M.A.V.; Zhang, Z.; Li, T.; Hu, B.; Henglein, F.; Lu, R. Building blocks of sharding blockchain systems:
Concepts, approaches, and open problems. Comput. Sci. Rev. 2022, 46, 100513. [CrossRef]
11. Kong, X.; Zhang, J.; Wang, H.; Shu, J. Framework of decentralized multi-chain data management for power systems. CSEE J.
Power Energy Syst. 2019, 6, 458–468.
12. Xu, J.; Xue, K.; Tian, H.; Hong, J.; Wei, D.S.; Hong, P. An identity management and authentication scheme based on redactable
blockchain for mobile networks. IEEE Trans. Veh. Technol. 2020, 69, 6688–6698.
13. Yeh, L.Y.; Hsu, W.H.; Shen, C.Y. GDPR-Compliant Personal Health Record Sharing Mechanism with Redactable Blockchain and
Revocable IPFS. IEEE Trans. Dependable Secur. Comput. 2023. [CrossRef]
14. Fernandez-Carames, T.M.; Fraga-Lamas, P. Towards post-quantum blockchain: A review on blockchain cryptography resistant to
quantum computing attacks. IEEE Access 2020, 8, 21091–21116. [CrossRef]
15. Wu, C.; Ke, L.; Du, Y. Quantum resistant key-exposure free chameleon hash and applications in redactable blockchain. Inf. Sci.
2021, 548, 438–449.
16. Ateniese, G.; Magri, B.; Venturi, D.; Andrade, E. Redactable blockchain-or-rewriting history in bitcoin and friends. In Proceedings
of the 2017 IEEE European Symposium on Security and Privacy (EuroS&P), Paris, France, 26–28 April 2017; pp. 111–126.
17. Wan, Z.; Liu, W.; Cui, H. HIBEChain: A hierarchical identity-based blockchain system for large-scale IoT. IEEE Trans. Dependable
Secur. Comput. 2022, 20, 1286–1301.
18. Pavithran, D.; Al-Karaki, J.N.; Shaalan, K. Edge-based blockchain architecture for event-driven IoT using hierarchical identity
based encryption. Inf. Process. Manag. 2021, 58, 102528.
19. Khalili, M.; Dakhilalian, M.; Susilo, W. Efficient chameleon hash functions in the enhanced collision resistant model. Inf. Sci. 2020,
510, 155–164. [CrossRef]
20. Derler, D.; Samelin, K.; Slamanig, D. Bringing order to chaos: The case of collision-resistant chameleon-hashes. In Proceedings of
the Public-Key Cryptography–PKC 2020: 23rd IACR International Conference on Practice and Theory of Public-Key Cryptography,
Edinburgh, UK, 4–7 May 2020; pp. 462–492.
21. Ateniese, G.; de Medeiros, B. Identity-Based Chameleon Hash and Applications. In Financial Cryptography, Proceedings of the
8th International Conference, FC 2004, Key West, FL, USA, 9–12 February 2004; Lecture Notes in Computer Science; Juels, A., Ed.;
Springer: Berlin/Heidelberg, Germany, 2004; pp. 164–180.
22. Bao, F.; Deng, R.H.; Ding, X.; Lai, J.; Zhao, Y. Hierarchical identity-based chameleon hash and its applications. In Proceedings of
the Applied Cryptography and Network Security: 9th International Conference, Nerja, Spain, 7–10 June 2011; pp. 201–219.
23. Derler, D.; Samelin, K.; Slamanig, D.; Striecks, C. Fine-grained and controlled rewriting in blockchains: Chameleon-hashing gone
attribute-based. IACR Cryptol. ePrint Arch. 2019, 2019, 406.
24. Ma, J.; Xu, S.; Ning, J.; Huang, X.; Deng, R.H. Redactable blockchain in decentralized setting. IEEE Trans. Inf. Forensics Secur. 2022,
17, 1227–1242. [CrossRef]
25. Wei, J.; Zhu, Q.; Li, Q.; Nie, L.; Shen, Z.; Choo, K.K.R.; Yu, K. A redactable blockchain framework for secure federated learning in
industrial Internet of Things. IEEE Internet Things J. 2022, 9, 17901–17911.
26. Jia, Y.; Sun, S.F.; Zhang, Y.; Liu, Z.; Gu, D. Redactable blockchain supporting supervision and self-management. In Proceedings of
the 2021 ACM Asia Conference on Computer and Communications Security, Hong Kong, China, 7–11 June 2021; pp. 844–858.
27. Jia, M.; Chen, J.; He, K.; Du, R.; Zheng, L.; Lai, M.; Wang, D.; Liu, F. Redactable Blockchain from Decentralized Chameleon Hash
Functions. IEEE Trans. Inf. Forensics Secur. 2022, 17, 2771–2783. [CrossRef]
28. Peng, C.; Xu, H.; Li, P. Redactable Blockchain Using Lattice-based Chameleon Hash Function. In Proceedings of the 2022
International Conference on Blockchain Technology and Information Security, Huaihua, China, 15–17 July 2022; pp. 94–98.
29. Puddu, I.; Dmitrienko, A.; Capkun, S. µchain: How to Forget without Hard Forks. IACR Cryptol. ePrint Arch. 2017, 2017, 106.
30. Marsalek, A.; Zefferer, T. A correctable public blockchain. In Proceedings of the 2019 18th IEEE International Conference on
Trust, Security And Privacy in Computing and Communications/13th IEEE International Conference on Big Data Science and
Engineering, Rotorua, New Zealand, 5–8 August 2019; pp. 554–561.
31. Deuber, D.; Magri, B.; Thyagarajan, S.A.K. Redactable blockchain in the permissionless setting. In Proceedings of the 2019 IEEE
Symposium on Security and Privacy, San Francisco, CA, USA, 19–23 May 2019; pp. 124–138.
32. Nejatollahi, H.; Dutt, N.; Ray, S.; Regazzoni, F.; Banerjee, I.; Cammarota, R. Post-quantum lattice-based cryptography implementa-
tions: A survey. ACM Comput. Surv. 2019, 51, 1–41. [CrossRef]
33. Ajtai, M.; Dwork, C. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the Twenty-Ninth
Annual ACM Symposium on Theory of Computing, El Paso, TX, USA, 4–6 May 1997; pp. 284–293.
34. Regev, O. On lattices, learning with errors, random linear codes, and cryptography. J. ACM 2009, 56, 1–40.
35. Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the
Fortieth Annual ACM Symposium on Theory of Computing, Victoria, BC, Canada, 17–20 May 2008; pp. 197–206.
36. Vershynin, R. Introduction to the non-asymptotic analysis of random matrices. arXiv 2010, arXiv:1011.3027.
37. Micciancio, D.; Peikert, C. Trapdoors for lattices: Simpler, tighter, faster, smaller. In Proceedings of the Annual Interna-
tional Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; Springer:
Berlin/Heidelberg, Germany, 2012; pp. 700–718.
38. Agrawal, S.; Boneh, D.; Boyen, X. Efficient lattice (H) IBE in the standard model. In Proceedings of the Advances in Cryptology–
EUROCRYPT 2010: 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Riviera,
French, 30 May–3 June 2010.
39. Dutta, P.; Jiang, M.; Duong, D.H.; Susilo, W.; Fukushima, K.; Kiyomoto, S. Hierarchical identity-based puncturable encryption
from lattices with application to forward security. In Proceedings of the 2022 ACM on Asia Conference on Computer and
Communications Security, Nagasaki, Japan, 30 May–3 June 2022; pp. 408–422.
40. Van Nguyen, N.A.; Pham, M.T.T. Quantum-safe Anonymous Hierarchical Identity-Based Encryption with Traceable Identities.
Comput. Stand. Interfaces 2023, 84, 103695. [CrossRef]
41. Micciancio, D.; Regev, O. Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 2007, 37, 267–302.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.