
Applied Sciences, Article
A Redactable Blockchain Scheme Supporting
Quantum-Resistance and Trapdoor Updates
Xiayu Wang 1, Yineng Chen 2,*, Xinghui Zhu 1, Cheng Li 1 and Kui Fang 1,*

1 College of Information and Intelligence, Hunan Agricultural University, Changsha 410128, China;
summerrain@stu.hunau.edu.cn (X.W.); zhuxh@hunau.edu.cn (X.Z.); lc1462418876@stu.hunau.edu.cn (C.L.)
2 School of Information Science and Engineering, Hunan Women’s University, Changsha 410004, China
* Correspondence: yinengchen@hunau.edu.cn (Y.C.); fk@hunau.edu.cn (K.F.)

Abstract: Applying chameleon hash functions to redactable blockchains is still challenging work.
Most redactable blockchain solutions using this technique have potential problems, such as too weak
decentralization performance and trapdoors with exposure risks. In addition, quantum computing
also threatens the security of blockchain systems. The above two issues imply that the development
of redactable blockchains is still constrained, and that quantum-resistance will be a requirement
for blockchain applications. Therefore, we constructed a chameleon hash function over lattices
while utilizing a hierarchical identity mechanism to manage trapdoors and assign edit permissions.
This variant of the chameleon hash function can support trapdoor updates and quantum-resistant
performance, namely a hierarchical identity-based chameleon hash with revocable subkey (HIBCH-
RS). We demonstrated the safety performance of HIBCH-RS by defining its safety concepts of collision
resistance. Our HIBCH-RS scheme provides a solution for implementing a redactable blockchain
with identity encryption and post-quantum cryptography. Finally, this quantum-resistant redactable
blockchain was implemented on the Hyperledger Fabric blockchain platform.

Keywords: redactable blockchain; updatable trapdoor; quantum-resistant; hierarchical identity-based chameleon hash; Hyperledger Fabric; self-management

Citation: Wang, X.; Chen, Y.; Zhu, X.; Li, C.; Fang, K. A Redactable Blockchain Scheme Supporting Quantum-Resistance and Trapdoor Updates. Appl. Sci. 2024, 14, 832. https://doi.org/10.3390/app14020832

Academic Editor: Gianluca Lax
Received: 21 December 2023
Revised: 14 January 2024
Accepted: 16 January 2024
Published: 18 January 2024

Copyright: © 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

1. Introduction

Blockchain technology has significantly and extensively revolutionized diverse sectors such as healthcare, insurance, supply chain management, and food safety, among others in recent years [1]. However, it is imperative to acknowledge that despite its vast potential, this emerging technology is still in its early stages of development, particularly concerning the prominent challenges currently being unveiled. For instance, because of persistent attacks and disruptions, an extensive volume of illicit information and redundant data have accumulated within the blockchain system. The bitcoin network has experienced multiple hard forks due to the implementation of new rules, incompatible upgrades, and rollback to fraudulent behaviors [2]. Similarly, numerous other blockchain systems may conceal vulnerabilities within smart contract modules [3], consensus protocols [4], and others. These vulnerabilities pose significant threats to the security and privacy of the blockchain system. Recent years have revealed that the inherent immutability of blockchain has led to escalating system storage costs and diminishing performance [5]. Hence, there is an urgent need for a technology that can solve the above problems.
Diverse initiatives have emerged to enhance blockchain systems, including blockchain pruning [6,7], integration with IPFS technology [8,9], blockchain sharding techniques, and multi-chain architectures [10,11]. Among these approaches, redactable blockchain stands out, seeking to bolster blockchain’s storage efficiency and security at both the underlying structure and legal levels. Redactable blockchain refers to a system that, by introducing specific mechanisms, allows data already recorded on the chain to be modified or deleted

Appl. Sci. 2024, 14, 832. https://doi.org/10.3390/app14020832 https://www.mdpi.com/journal/applsci



while maintaining overall data consistency and security. Although this redactable approach
sparks controversy as it compromises the tamper-resistant feature, its practical utility for
blockchains is undeniable because (1) redactable technology empowers blockchains to
swiftly restore their original states after an attack, (2) helps avert the exposure of blockchain
users’ private information, (3) deletes unlawful data stored within the blockchain, and
(4) enables blockchain to be downsized efficiently.
The redactable concept holds promise as a valuable feature catering to the evolving
landscape of blockchain applications.

1.1. Problem and Motivation


The implementation of redactable blockchain allows for the modification or removal
of specific data entries within the ledger when encountering illegal data, privacy breaches,
and other situations. On the other hand, some application scenarios require frequent data
modification, such as mobile networks [12], medical applications [13], and so on.
Second, we review the key issues that need to be taken care of in the design of
redactable schemes, mainly including:
• How to balance variability and security;
• How to balance decentralization and assigning edit permissions;
• How to consider the compatibility between variability and existing blockchain systems.
Nonetheless, designing a redactable scheme that meets all these requirements simulta-
neously is a huge challenge, and few existing schemes can accommodate all requirements.
Therefore, we focus on some work to balance the above issues.
Furthermore, the emergence of quantum computing poses a distinct threat to conventional
public key cryptosystems and hash algorithms, consequently impacting blockchain
security. In the realm of post-quantum encryption techniques for blockchain applications,
lattice ciphers have emerged as a mature and efficient cryptographic solution, as demonstrated
in [14]. The work of [15] designed quantum-resistant redactable blockchain schemes
using lattice cryptography, which provide insights into the realization of more secure
redactable technologies. Nevertheless, existing lattice-based redactable blockchain schemes are rare,
and there is no solution realistically deployed in a blockchain for experimentation. For example,
Wu’s work proposes schemes only to implement chameleon hash functions combined
with blockchain, and has no practical application [15].
Chameleon hashing enables physical modifications to the blockchain, but the key
problem is that it can lead to trapdoor exposure. Therefore, to protect against trapdoor
exposure, Ateniese et al. proposed to manage trapdoor exposure by using the secret
sharing and the multiparty computation (MPC) protocol [16]. However, trapdoor sharing
potentially results in reduced efficiency.
The hierarchical identity structure combined with blockchain can provide strong
support in data management and user verification [17,18]. Therefore, this structure is
consistent with the goals of our work. In the existing hierarchical identity cryptographic
structure, we have the problem of parent nodes forging the identity of child nodes as well
as a linear or even exponential growth of the delegated key dimension.
Based on the abovementioned issues, to harmonize key management and chameleon
hash function functionality while mitigating concerns such as key exposure, we propose the
development of a chameleon hash function grounded in hierarchical identity. Our objective
is to construct a redactable scheme characterized by compatibility, quantum resistance, and
updatable trapdoor functionality, all the while adhering to the decentralized attributes
intrinsic to blockchain technology.

1.2. Related Work


This section outlines recent research in the field, focusing on two distinct editing
techniques: those utilizing chameleon hashing and those abstaining from its use.
Chameleon Hashing. Ateniese et al. are the trailblazers in the exploration of redactable
blockchains. Their approach involved substituting the hash algorithm G used in bitcoin

with an enhanced chameleon hash, which leveraged the MPC protocol to distribute trap-
doors to a trusted subset capable of managing these trapdoors effectively [16]. Collaborating
with Accenture, the authors further demonstrated the practical application of their concept
on the Hyperledger Fabric platform. This pioneering research has aroused the research
interest of many scholars, and based on the problems it exposed, there have been various
kinds of research in recent years on the design of chameleon hash functions for security
construction, trapdoor restriction, editing permissions restriction, data management, and
consistency, respectively.
In the realm of chameleon hash algorithms, several issues have garnered attention. To
address efficiency and instantiation challenges, Khalili et al. introduced a chameleon hash
for chosen-ciphertext attack (CCA) secure encryption of a random field R [19]. Responding
to similar concerns, Derler et al. introduced the concept of stronger full collision-resistance
(F-CollRes) and developed a black box structure employing simulation-sound extractable
non-interactive zero-knowledge proof (SSE-NIZK) through the utilization of a chameleon
hash [20]. Building upon these developments, ref. [21] focused on constructing an identity-
based chameleon hash (IBCH). Subsequently, a hierarchical identity-based chameleon hash
(HIBCH) was proposed in [22], but these two schemes are more specifically applicable to
hash signatures.
Regarding trapdoor and edit permission management, Derler et al. proposed policy-
based chameleon hashing (PCH) by integrating attribute-based encryption (CP-ABE) and
temporary trapdoors [23]. This redactable scheme combines keys and attributes and
restricts edit permissions by formulating attribute policies. Nonetheless, its reliance on a
fully trusted central authority creates a centrality problem. Therefore, Ma et al. proposed a
chameleon hash structure based on multi-authority decentralization (DPCH) [24], which
effectively prevents conspiracy attacks, in contrast to [23].
Wei et al.’s chameleon hash scheme with a changeable trapdoor (CHCT) enables the
updating of trapdoors after computing hash collisions [25]. Recently, Jia et al. introduced
the concept of stateful chameleon hashing with revocable subkeys, constructed a redactable
blockchain with a black box structure, supported full supervision, and allowed user data
self-management [26]. Drawing inspiration from this work, our study also incorporates
data self-management. Furthermore, addressing concerns about inconsistency, Jia et al.
took a step forward by designing an RSA-based accumulator structure aimed at consistency
verification [27]. In addition, they devised edit chains, linking edit histories to counter
traceability issues within the system.
In recent years, post-quantum encryption technology has been gradually maturing
and standardizing. Wu et al. applied a lattice-based chameleon hash function in the context
of editable blockchains, introducing the concept of quantum resistance [15]. Meanwhile,
Peng et al. devised a more comprehensive lattice-based blockchain editing scheme [28].
However, the former primarily focuses on the construction of the chameleon hash and
introduces key sharing, while the latter requires further refinement in its scheme design.
Non-Chameleon Hashing. Puddu et al. proposed an extended redactable model for
single-chain transactions based on consensus control, in which editing operations are reached
by sending mutating transactions or extending things and specifying the active transaction in
this structure [29]. Nevertheless, these mutable transactions merely serve to logically identify
valid transactions, while the encrypted error messages remain physically preserved. Marsalek
et al. introduced the concept of a correction chain for the storage of rectified data [30]. Similarly,
Deuber et al. proposed the double hash chain model and employed it to maintain a copy of
the Merkle tree root [31]. The above two double-hash chain patterns use a voting mechanism
to realize the coding and thus require many voting cycles.
We list several typical redactable schemes in Table 1 to highlight their modeling
features. Compared to existing work, this paper not only focuses on granularity and
security, but also adds work on data management and the question of how to assign
editing permissions.

Table 1. Comparison of typical redactable blockchain models.

| Mode | References | Grain 1 | Self Management 2 | Security Model 4 | Features 3 | Edit Permissions |
| --- | --- | --- | --- | --- | --- | --- |
| Non-CH | [29] | Ts | Y | - | C&T | Sender/Recipient/User/Smart Contract |
| CH | [16] | Bs | N | ROM/SM | C | Central/Users Set |
| CH | [26] | Ts | Y | ROM | C&R&A | Personal and Regulator |
| CH | [24] | Ts | N | IND-CCA | C&A | Controlled Multiple |
| Lattice-CH | [15] | Ts | N | GGM/ROM | - | Central/Multiple/(Any/Subset) |
| Lattice-CH | [28] | Bs | N | - | C | Any |
| Lattice-CH | Ours | Ts | Y | ROM | T&A&C&R | Multiple |

1 “Ts”: transactions; “Bs”: blocks. 2 “Y”: the realization of self-management was a consideration; “N”: the realization of self-management was not a consideration. 3 “C”: the redactable scheme design paid attention to consistency; “R”: the key has revocability; “A”: the editing scheme can achieve accountability; “T”: the editing scheme achieves traceability. 4 “ROM”: the Random Oracle Model; “SM”: the Standard Model; “IND-CCA”: indistinguishability under the chosen-ciphertext attack; “GGM”: the Generic Group Model.

1.3. Contributions
For this paper, we separately worked on security, decentralized features, and compat-
ibility to achieve a redactable blockchain with quantum-resistant and revocable subkey
capabilities. The specific contributions of the scheme are delineated as follows:
1. Hierarchical identity-based chameleon hash: To regulate edit permissions and facili-
tate trapdoor management, this paper employed hierarchical identity for the decen-
tralized delegation of trapdoors. Simultaneously, we introduced the concept of a slave
key algorithm within hierarchical identity to avoid parent nodes that can deduce child
nodes’ keys and the key dimensions increasing during the key delegation process.
This integration imparted the revocable subkey mechanism’s delegation attributes.
2. Redactable scheme with quantum resistance and revocability: We used a lattice-based
cryptographic scheme to support more secure editing operations. In the redactable
scheme, we also implemented the method of withdrawing the edit operation by
saving the edit history.
3. Private data were edited and managed by the individual user: We cryptographically
verified private data to protect the security and privacy of the redactable blockchain.
4. Addressing consistency, traceability, and accountability problems: In Section 4, we
present three algorithms to illustrate how to achieve consistency, traceability, and
accountability. For this, we advocate caching modify transactions with consensus
authority nodes before their final commitment. The block number recording the edit
history is stored in the redactable transaction to prove whether the transaction was
modified. Demonstrating the viability of our redactable scheme, we opted for the
Hyperledger Fabric platform, a widely embraced federated blockchain solution, to
implement the scheme.
It is therefore novel work to use a hierarchical identity structure to manage the
trapdoor of chameleon hashing. However, in this paper, through analysis and design, we
have circumvented its drawbacks and realized the possibility of combining the hierarchical
identity structure with chameleon hashing.
Secondly, chameleon hash functions based on post-quantum cryptography for resisting
quantum attacks are a novel work in recent years, and few schemes can demonstrate their
performance through experiments. However, this paper not only reports a real-world
deployment with Hyperledger Fabric but also provides concrete performance data.

2. Preliminaries
Lattices are geometric objects that can be graphically described as an infinite, regular
set of intersections of an n-dimensional lattice [32]. Ajtai investigated certain difficult problems
with lattices and proposed how to construct hard-to-break cryptographic functions in
cryptography [33].
The description of the symbols and abbreviations appearing in this paper are shown
in Table 2.
Table 2. Description of symbols.

| Symbol | Description |
| --- | --- |
| $\leftarrow_R$ | A random variable from a certain distribution |
| $\lambda$ | Security parameter |
| $\mathbf{A}$ | Matrices are denoted in bold capitals |
| $\mathbf{a}$ | Vectors are denoted in bold lowercase |
| $\mathbf{A}^T$, $\mathbf{a}^T$ | The transpose of the matrix or vector |
| $n, q$ | Positive integers |
| $\mathbb{Z}_q$ | The set of integers $\{0, \cdots, q-1\}$ modulo $q$ |
| $\beta$ | The upper limit |
| LWE | Learning with errors |
| ISIS | Inhomogeneous small integer solution |
| $id_\ell$ | The identity at level $\ell$ |
| $id_{\ell-1}$, $id^*_\ell$ | The parent of the identity at level $\ell$ |

2.1. Concepts of Lattices


A lattice is defined as a discrete additive subgroup of $\mathbb{R}^m$ and is usually represented by a linear combination of a set of linearly independent vectors. The $q$-ary integer lattice defined on $\mathbb{Z}_q$ is given as $\Lambda^{\perp}(\mathbf{B}) = \{\mathbf{x} \in \mathbb{Z}^n : \mathbf{B}\mathbf{x} = \mathbf{0} \bmod q\}$, $\Lambda^{\perp}_{\mathbf{u}}(\mathbf{B}) = \{\mathbf{x} \in \mathbb{Z}^n : \mathbf{B}\mathbf{x} = \mathbf{u} \bmod q,\ \mathbf{u} \in \mathbb{Z}_q^m\}$, where the matrix $\mathbf{B} = [\mathbf{b}_1, \ldots, \mathbf{b}_n] \in \mathbb{R}^{m \times n}$ is called the basis of the lattice.
The norm of matrix $\mathbf{B}$ is denoted as the maximum norm of its column vectors, i.e., $\|\mathbf{B}\| = \max_i \|\mathbf{b}_i\|$ (in addition, $\|\cdot\|_\infty$ stands for the infinity norm). The singular value of matrix $\mathbf{B}$ is denoted as the maximum norm on the unit vector $\mathbf{u}$, i.e., $s_1(\mathbf{B}) = \max_{\mathbf{u}} \|\mathbf{B}\mathbf{u}\|$.

Definition 1 (Learning with errors (LWE) [34]). LWE is a class of problems solving learning with error parity. For a positive integer $n$ and a sufficiently large integer $q$, an instance of the LWE problem $(\mathbb{Z}_q, n, \chi)\text{-LWE}$ is to find the vector $\mathbf{s}' \in \mathbb{Z}_q^n$ s.t., for $\mathbf{A} \in \mathbb{Z}^{m \times n}$, $\|\mathbf{A}\mathbf{s}' - (\mathbf{A}\mathbf{s} + \mathbf{e})\| \le \beta$, where $\beta > 0$ is the upper limit of the error and $\mathbf{s} \in \mathbb{Z}_q^n$ is the unknown vector in the LWE. Vector $\mathbf{e}$ comes from the noise distribution $\chi$.

Definition 2 (Inhomogeneous small integer solution (ISIS)). ISIS is the problem of finding a short vector on a lattice. Let $n, m, q$ be positive integers. Given a uniformly random matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a random vector $\mathbf{u} \in \mathbb{Z}_q^n$, if we find a vector $\mathbf{v} \in \mathbb{Z}_q^m$ satisfying $\mathbf{A}\mathbf{v} = \mathbf{u} \bmod q$ and $\|\mathbf{v}\| \le \beta$, we have solved an $\mathrm{ISIS}_{q,m,\beta}$ instance.

Gaussian sampling over lattices is proved to be a simple and effective tool for analyzing
lattice complexity problems [35].

Definition 3 (Discrete Gaussian distribution). $\rho_{s,\mathbf{c}}(\mathbf{x})$ denotes a Gaussian function centered at $\mathbf{c}$ with $s$ as the Gaussian parameter. Then, for all $\mathbf{x} \in \Lambda$, $\rho_{s,\mathbf{c}}(\mathbf{x}) = \exp\left(-\pi \|\mathbf{x} - \mathbf{c}\|^2 / s^2\right)$ denotes the Gaussian function on the lattice, and the Gaussian distribution on the lattice is denoted as $D_{\Lambda,s,\mathbf{c}}(\mathbf{x}) = \rho_{s,\mathbf{c}}(\mathbf{x}) / \rho_{s,\mathbf{c}}(\Lambda)$ for all $\mathbf{x} \in \Lambda$, where $\rho_{s,\mathbf{c}}(\Lambda) = \sum_{\mathbf{x} \in \Lambda} \rho_{s,\mathbf{c}}(\mathbf{x})$.

In this paper, we use the Gaussian sampling lemma shown in Lemma 1.

Lemma 1. Let $\mathbf{y} \leftarrow_R \chi^m$, $x \leftarrow_R \chi$, $\mathbf{d} \in \mathbb{Z}^m$. Then, the length of the product of the error $\mathbf{y}$ and the vector satisfies $|\mathbf{d}^T \mathbf{y}| \le \|\mathbf{d}\|\, q\alpha\, \omega(\sqrt{\log m}) + \|\mathbf{d}\|\sqrt{m}/2$ with negligible probability. Then, $|x| \le q\alpha\, \omega(\sqrt{\log m}) + 1/2$ with negligible probability.

This paper combines the trapdoor generation algorithm TrapGen, the Gaussian sampling
algorithm SampleD, and the trapdoor delegation algorithm DelTrap from [36], and the FRD
encoding from [37].

Definition 4. TrapGen: For $n \ge 1$, $q > 2$, there is an efficient randomized algorithm that generates a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a G-trapdoor $\mathbf{R} \in \mathbb{Z}^{nk \times w}$ from the distribution $D_{\mathbb{Z},\omega(\sqrt{\log n})}$ with an invertible tag $\mathbf{H} \in \mathbb{Z}_q^{n \times n}$ satisfying $\mathbf{A}\begin{bmatrix}\mathbf{R}\\ \mathbf{I}_w\end{bmatrix} = \mathbf{H}\mathbf{G} \bmod q$.

Definition 5. SampleD: There is an $\mathbf{E} \in \mathbb{Z}^{m \times n}$ sampled by a probabilistic polynomial time (PPT) algorithm $\mathrm{SampleD}(\mathbf{R}, \mathbf{A}, \mathbf{H}, \mathbf{U}, \sigma)$ satisfying $\mathbf{A}\mathbf{E} = \mathbf{U} \bmod q$ with Gaussian parameter $\sigma$, and $\|\mathbf{E}\| \le \sigma\sqrt{m}$ with overwhelming probability.

Definition 6. DelTrap: A PPT algorithm $\mathrm{DelTrap}(\mathbf{A}, \mathbf{H}, \mathbf{R}, \sigma_d)$ delegates its trapdoor key to sub-members and generates a new trapdoor key $\mathbf{R}'$ satisfying $\mathbf{A}\begin{bmatrix}\mathbf{R}'\\ \mathbf{I}_w\end{bmatrix} = \mathbf{H}\mathbf{G}$.

Definition 7. FRD encoding: Let the node ID of hierarchy $k$ ($k \ge 0$) be a $k$-dimensional vector, which we denote by $id_\ell = (d_1, d_2, \ldots, d_\ell)$. When $\ell = 0$, ID is the primary node. An efficient FRD encoding algorithm exists to map the identity ID to a matrix, i.e., $H_{frd} : ID \in \mathbb{Z}^k \to \mathbb{Z}_q^{n \times n}$.

2.2. Hierarchical Identity-Based Chameleon Hashing


Ateniese et al. designed a chameleon hash function based on identity encryption [21].
In IBCH, the trusted authority can extract a new secret key or trapdoor secret for an identity
ID using a deterministic algorithm. As an extension of IBCH, HIBCH organizes identities
into hierarchies, and keys are delegated between them.

Definition 8. The HIBCH scheme is generally defined as the following set of algorithms:

Algorithm Setup generates the public parameter pp and the master key mk for the
input security parameter λ. Typically, the algorithm is run by private key generator (PKG).
Algorithm Extract outputs the trapdoor or secret key for the user of an identity ID
with the secret key of the ID’s parent.
Algorithm Hash encrypts the message m using the public parameter pp and an identity
ID. It randomly chooses parameter r and outputs a hash value of m.
Algorithm Forge looks for collisions of hash values for a new message m′ . Usually, the
algorithm takes the hash value, an identity ID, and its key of the original message m as
inputs, and outputs a new parameter r.

Definition 9. Enhanced collision resistance. A secure chameleon hash algorithm is enhanced collision resistant (CR) when, for challenger $\mathcal{A}$, $\Pr\left[\mathrm{Expt}^{CR}_{\mathcal{A},CH}(n, q, ID) = 1\right] \le \mathrm{negl}(n)$. The $\mathrm{Expt}^{CR}_{\mathcal{A},CH}(n)$ is the experiment depicted below:
Run $(PP, MK) \leftarrow \mathrm{Setup}(1^n, q)$, $Q \leftarrow \emptyset$;
Run $(\mathbf{AS}_{ID}, \mathbf{S}_{ID}) \leftarrow \mathrm{SlaveKey}(1^n, q, ID)$;
Run $(\mathbf{F}_{ID}, \mathbf{R}_{ID}, \mathbf{E}_{ID}) \leftarrow \mathrm{DelKey}(\mathbf{AS}_{ID}, \mathbf{S}_{ID}, ID)$;
Run $(M, r, h, M', r') \leftarrow \mathcal{A}^{Q^{Forge}_{PP,ID}(\cdot)}(PP)$;
If $\mathrm{CH}(PP, M)|_r = \mathrm{CH}(PP, M')|_{r'} \wedge (M \ne M') \wedge (h \notin Q)$: return 1; otherwise: return 0.
The $Q^{Forge}_{PP,ID}((h, M, r), M')$ is defined as follows:
If $\mathrm{CH}(PP, M)|_r \ne h$: return $\bot$;
If $\mathrm{CH}(PP, M)|_r = h$:
Run $r' \leftarrow \mathrm{Forge}(\mathbf{F}_{ID}, \mathbf{R}_{ID}, \mathbf{E}_{ID}, M', h)$;
If $r' = \bot$: return $\bot$;
$Q \leftarrow Q \cup \{M, M'\}$;
return $r'$.

3. Hierarchical Identity-Based Chameleon Hash with Revocable Subkey


The hierarchical identity-based chameleon hash with revocable subkey (HIBCH-RS)
model extends the IBCH model, introducing a hierarchical structure of user identities. In
this section, we give a formal definition of the lattice-based HIBCH-RS scheme. Then, we
analyze its correctness and security.
At level ℓ, let idℓ = (d1 , d2 , . . . , dℓ ) represent the identity of a specific user while its
parent node’s identity is represented by idℓ−1 = (d1 , d2 , . . . , dℓ−1 ) or id*ℓ . This ensures that
the composition of the vector serves as a prefix to the IDs of its child nodes. To satisfy the
massive user base in the blockchain, we can even assume that there is no upper bound on ℓ.
In the traditional hierarchical identity encryption scheme, the parent node generates
the trapdoor information of the child node and hence the problem of the parent node
forging the identity of the child node occurs. This scheme is only applicable for mutual
communication between nodes. In contrast, in a redactable blockchain, the trapdoor
between nodes should be confidential and independent and at the same time constrained.
Based on the above description, this paper realized this secure key delegation method by
adding a slave key algorithm. When a user with delegation rights assigns a key, executing
the SlaveKey algorithm generates a slave key pair for the subordinate user. This slave key
pair is then employed to generate the key pair for the subordinate user. This procedure
ensures that the keys between the user and the sub-user remain confidential. Additionally,
the user can utilize the slave key pair to recover, update, and disable the trapdoors of sub-
user. In the event of key abuse, the system can execute the Update algorithm to regenerate a
new key.
Eventually, the HIBCH-RS model consists of the following six algorithms: initial
algorithm Setup, slave key algorithm SlaveKey, delegated algorithm DelKey, i.e., extracting
the algorithm in HIBCH, key updating algorithm Update, chameleon hash algorithm CH,
and collision-finding algorithm Forge.
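A toy instantiation of the six-algorithm structure just listed, added here as an illustration and not code from the paper: it uses a discrete-logarithm chameleon hash in the Krawczyk-Rabin style as a stand-in for the lattice construction, and the slave-key derivation rule (a child's trapdoor is a hash of the parent's slave secret and the child's identity), the identity tuples, the message strings and all function names are assumptions of this example. It walks through SlaveKey and DelKey delegation, a user finding a collision with Forge that the correctness-style check accepts, the parent recovering a child's trapdoor from its slave secret, and Update re-keying the subtree so that the old trapdoor no longer collides under the new public key.

```python
"""Toy HIBCH-RS-style interface (Setup, SlaveKey, DelKey, Update, CH, Forge).
Discrete-log (Krawczyk-Rabin style) stand-in for the paper's lattice scheme;
function names, identity tuples and the key-derivation rule are assumptions."""
import hashlib
import random
from collections import namedtuple

PublicParams = namedtuple("PublicParams", "p q g")  # p = 2q+1 safe prime, g of order q

def _is_probable_prime(n, rng, rounds=20):  # Miller-Rabin, toy sizes only (n > 37)
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _hash_to_zq(pp, *parts):
    """Length-prefixed SHA-256 of the parts, mapped into [1, q-1] (never 0)."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else repr(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % (pp.q - 1) + 1

def setup(bits=48, seed=2024):
    """Setup(1^n, q) -> (PP, MK): safe-prime group and the root (level-0) trapdoor."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q, rng) and _is_probable_prime(2 * q + 1, rng):
            break
    p = 2 * q + 1
    g = pow(rng.randrange(2, p - 1), 2, p)  # a non-trivial square has order q
    return PublicParams(p, q, g), rng.randrange(1, q)

def slave_key(pp, ident, rng):
    """SlaveKey(1^n, q, ID) -> (AS_id, S_id): slave pair kept by the delegating node."""
    s = rng.randrange(1, pp.q)
    return pow(pp.g, s, pp.p), s

def del_key(pp, parent_slave_secret, child_ident):
    """DelKey(AS*, S*, id) -> (F_id, R_id). Assumed rule R_id = H(S*, id): the parent
    can recompute (recover or disable) it; the paper's personal key E_id is omitted."""
    r_id = _hash_to_zq(pp, parent_slave_secret, child_ident)
    return pow(pp.g, r_id, pp.p), r_id

def update(pp, parent_ident, revoked_ident, revocation_list, rng):
    """Update(1^n, q, id, RL) -> ((AS', S'), RL'): fresh slave pair, RL extended."""
    return slave_key(pp, parent_ident, rng), list(revocation_list) + [revoked_ident]

def ch(pp, f_id, msg, r=None, rng=None):
    """CH(F_id, M) -> (h, r) with h = g^{H(M)} * F_id^r mod p."""
    if r is None:
        r = (rng or random).randrange(1, pp.q)
    return pow(pp.g, _hash_to_zq(pp, msg), pp.p) * pow(f_id, r, pp.p) % pp.p, r

def forge(pp, r_id, msg, r, new_msg):
    """Forge(R_id, M, r, M') -> r' with H(M) + R_id*r = H(M') + R_id*r' (mod q)."""
    delta = (_hash_to_zq(pp, msg) - _hash_to_zq(pp, new_msg)) % pp.q
    return (r + delta * pow(r_id, -1, pp.q)) % pp.q

def check_ch(pp, f_id, old, new):
    """Check^CH of the correctness experiment: both openings give the same h, M != M'."""
    (h, m, r), (h2, m2, r2) = old, new
    return ch(pp, f_id, m, r)[0] == h and ch(pp, f_id, m2, r2)[0] == h2 and h == h2 and m != m2

def demo(seed=2024):
    """Delegation, user redaction, parent recovery and revocation, end to end."""
    pp, _mk = setup(seed=seed)
    rng = random.Random(seed + 1)
    regulator, alice = ("regulator",), ("regulator", "alice")  # constructed identities
    _as_reg, s_reg = slave_key(pp, regulator, rng)
    f_alice, r_alice = del_key(pp, s_reg, alice)
    # Alice redacts her own record: h is unchanged, only the random field r moves.
    h, r = ch(pp, f_alice, b"original record", rng=rng)
    r2 = forge(pp, r_alice, b"original record", r, b"redacted record")
    h2, _ = ch(pp, f_alice, b"redacted record", r2)
    correct = check_ch(pp, f_alice, (h, b"original record", r), (h2, b"redacted record", r2))
    recovered = del_key(pp, s_reg, alice)[1] == r_alice  # parent re-derives the trapdoor
    # Update re-keys the subtree: the old trapdoor no longer collides under the new key.
    (_as_new, s_new), rl = update(pp, regulator, alice, [], rng)
    f_alice_new, _ = del_key(pp, s_new, alice)
    h3, r3 = ch(pp, f_alice_new, b"original record", rng=rng)
    r4 = forge(pp, r_alice, b"original record", r3, b"redacted record")
    return {"collision_found": correct, "parent_recovers_trapdoor": recovered,
            "old_trapdoor_still_works": ch(pp, f_alice_new, b"redacted record", r4)[0] == h3,
            "alice_revoked": alice in rl}
```

Calling `demo()` returns the four checks as booleans: the collision is accepted, the parent recovers the child trapdoor, the stale trapdoor fails under the re-keyed public key, and the revoked identity sits in the returned revocation list. The 48-bit safe prime keeps the example fast; it is far too small for real use and exists only so that the algebra of Forge and Update can be followed.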
3.1. Syntax of HIBCH-RS

Trapdoors for chameleon hash functions are usually managed through the key sharing method, but this mechanism requires a lot of interaction time and is less efficient. Therefore, we introduced the mechanism for hierarchical identity management of trapdoors. Trapdoors between users are independent but at the same time controllable. In Figure 1, we show how the chameleon algorithm achieves this property using hierarchical identity.

Figure 1. Delegating trapdoor model of HIBCH-RS.

In Figure 1, the trusted party can be a regulator and performs initialization operations in HIBCH-RS. Subsequently, the trusted party delegates the trapdoor to the node members by generating the slave key, while the node members can repeat the operation of the trusted party to delegate the trapdoor to other nodes. The trusted party public key is used for chameleon hash encryption and the trapdoor information is used to find collisions. In this hierarchical structure, the parent node removes and updates the child node trapdoor information by withdrawing or updating the slave key. This paper introduces a subordinate key between parent and child nodes, unlike the hierarchical identity encryption schemes of [22,37–39]. The HIBCH-RS model encompasses six probabilistic polynomial-time (PPT) algorithms: Setup, SlaveKey, DelKey, Update, CH, and Forge.
$\mathrm{Setup}(1^n, q) \to (PP, MK)$: Run by any trusted node, the initialization operation of the model takes as inputs the security parameter $n$ and the positive integer $q$, and outputs the public parameter $PP$ and the master key $MK$.
$\mathrm{SlaveKey}(1^n, q, ID) \to (\mathbf{AS}_{id_\ell}, \mathbf{S}_{id_\ell})$: Run by $id_\ell$ to obtain the slave key before delegating the trapdoor. The algorithm takes $n, q, ID$ as inputs and outputs the slave public key $\mathbf{AS}_{id_\ell}$ and the slave secret key $\mathbf{S}_{id_\ell}$ for $ID$.
$\mathrm{DelKey}(\mathbf{AS}_{id_\ell^*}, \mathbf{S}_{id_\ell^*}, id_\ell) \to (\mathbf{F}_{id_\ell}, \mathbf{R}_{id_\ell}, \mathbf{E}_{id_\ell})$: Run by the $id_\ell$ node, which uses the parent node's slave key to generate the delegated trapdoor. It takes the slave public key $\mathbf{AS}_{id_\ell^*}$, the slave private key $\mathbf{S}_{id_\ell^*}$ and $id_\ell$ as inputs, and outputs the public key $\mathbf{F}_{id_\ell}$, the trapdoor $\mathbf{R}_{id_\ell}$, and the personal key $\mathbf{E}_{id_\ell}$.
$\mathrm{Update}(1^n, q, id_\ell, RL) \to (\mathbf{AS}'_{id_\ell}, \mathbf{S}'_{id_\ell}, RL')$: Run by $id_\ell$ when a user in the delegation is untrustworthy and its key needs to be recycled and updated. The algorithm takes $n, q$, the revocation list $RL$ and a new random tag $\mathbf{H}'_\ell$ as inputs. Outputs are a new slave key pair $(\mathbf{AS}'_{id_\ell}, \mathbf{S}'_{id_\ell})$ and the updated list $RL'$.
$\mathrm{CH}(PP, M) \to (h, r, (str, ver))$: Input the public parameters $PP$ and message $M$, and compute the hash value of $M$. Outputs the hash value $h$, the random field $r$, and the verification pair $(str, ver)$.
$\mathrm{Forge}(\mathbf{F}_{id_\ell}, \mathbf{R}_{id_\ell}, \mathbf{E}_{id_\ell}, M', h) \to r'$: Run by $id_\ell$ when message data need to be modified, to find a collision. This algorithm takes as inputs the public key $\mathbf{F}_{id_\ell}$, the trapdoor key $\mathbf{R}_{id_\ell}$, the personal key $\mathbf{E}_{id_\ell}$ and the message $M'$, and outputs the collision $r'$ satisfying $\mathrm{CH}(\mathbf{A}, M, \mathbf{E})|_r = \mathrm{CH}(\mathbf{F}_{id_\ell}, M, \mathbf{E}_{id_\ell})|_{r'}$ and $M \ne M'$.
Formally, when $\ell = 0$, $\mathbf{A} = \mathbf{F}_{id_0}$; we use $\mathbf{F}_{id_0}$ instead of $\mathbf{A}$ in the security proof. Next, we discuss the security requirements of HIBCH-RS.
• Correctness. Formally, for messages $M, M'$ and identity $id_i$, it holds that $\Pr\left[\mathrm{Expt}^{COR}_{\mathcal{A},HIBCH\text{-}RS}(n, q) = 1\right] \ge 1 - \mathrm{negl}(n)$, where the experiment $\mathrm{Expt}^{COR}_{\mathcal{A},HIBCH\text{-}RS}$ is described as below:
Run $((\mathbf{A}, \mathbf{E}), MK) \leftarrow \mathrm{Setup}(1^n, q)$;
Run $(h, r, (str, ver)) \leftarrow \mathrm{CH}(\mathbf{A}, \mathbf{E}, M)$;
Run $(\mathbf{F}_{id_i}, \mathbf{R}_{id_i}, \mathbf{E}_{id_i}) \leftarrow \mathrm{DelKey}(\mathbf{AS}_{id_i^*}, \mathbf{S}_{id_i^*}, id_i)$;
Run $r' \leftarrow \mathrm{Forge}(\mathbf{F}_{id_i}, \mathbf{R}_{id_i}, \mathbf{E}_{id_i}, M', h)$;
If $\mathrm{Check}^{CH}_{PP, key_{id_i}}((h, M, r), (h, M', r')) = 1$: return 1.
The $\mathrm{Check}^{CH}_{PP, key_{id_i}}$ is defined as follows:
If $\mathrm{CH}(PP, M)|_r = h \wedge \mathrm{CH}(key_{id_i}, M')|_{r'} = h' \wedge h = h' \wedge M \ne M'$: return 1; otherwise: return 0.
• Revocability. For any $id_i$, if it satisfies $\{(\mathbf{F}_{id_i}, \mathbf{R}_{id_i}, \mathbf{E}_{id_i}) \leftarrow \mathrm{DelKey}(\mathbf{AS}_{id_i^*}, \mathbf{S}_{id_i^*}, id_i)\,|\,\mathbf{H}_i, \mathbf{G};\ (\mathbf{F}'_{id_i}, \mathbf{R}'_{id_i}, \mathbf{E}'_{id_i}) \leftarrow \mathrm{DelKey}(\mathbf{AS}'_{id_i^*}, \mathbf{S}'_{id_i^*}, id_i)\,|\,\mathbf{H}'_i, \mathbf{G}\}$, then $\mathbf{F}'_{id_i} \cdot \mathbf{R}_{id_i} \ne \mathbf{H}'_i \cdot \mathbf{G}$, and when $(\mathbf{H}_i - \mathbf{H}'_i)$ is invertible, $\mathbf{F}'_{id_i} = \mathbf{F}_{id_i} - [\mathbf{0}\,|\,\mathbf{H}'_i\mathbf{G}\,|\,\mathbf{0}]$ and $\mathbf{F}'_{id_i} \cdot \mathbf{R}_{id_i} \ne (\mathbf{H}_i - \mathbf{H}'_i) \cdot \mathbf{G}$. At the same time, the system can still effectively recover, update, or disable disclosed trapdoor keys when malicious users are present. This security requirement proves that the old trapdoor key does not work properly.
• Resistance to collision forgery under active attacks (RCF). For any PPT adversary $\mathcal{A}$, if $\mathrm{Adv}^{RCF}_{\mathcal{A},HIBCH\text{-}RS} := \Pr\left[\mathrm{Expt}^{RCF}_{\mathcal{A},HIBCH\text{-}RS}(n, q) = 1\right] \le \mathrm{negl}(n)$, the chameleon hash construct of the HIBCH-RS model is collision-resistant under active attacks.

Since $\mathbf{R}_{ID}$ is the random vector that came from SampleD, we can also represent $\mathbf{R}_{ID}$ as $\mathbf{R}_{ID} = [\mathbf{x}_1 \ldots \mathbf{x}_w]$, a form that comes from the definition in [36]. We also have $\mathbf{x}_i \in \mathbb{Z}^{(\cdot \times \cdot)}$, where $\mathbf{x}_i$ is a vector whose $i$th row is 1 and the other rows are 0. In this ideal case, $\mathbf{K}_{ID}$ is constant. However, in practice, when the key pair is updated, $\mathbf{K}_{ID}$ is a matrix of changes. Therefore, it is possible to forge an $\mathbf{R}_{ID}$ that satisfies this situation with the probability of $\mathrm{neg}(n)$.

If a malicious user makes a request to modify other private data or non-editable transactions, the regulator may be able to automatically lock the malicious user’s edit permissions. Furthermore, if a malicious user refuses to cooperate in revoking an insecure trapdoor key, its edit permissions can be restricted and removed.
3. First, when a malicious user exists in a child node, its parent node can disable the user’s edit permissions by updating the slave key information as well as the tag information, and at the same time add the child node’s identity to the revocation list and then update the trapdoor information. Secondly, if a malicious user delegates illegitimate trapdoor information to other users, we can update its trapdoor information by assigning its child node to other legitimate nodes and then updating its trapdoor information. For the above cases, the illegal behavior of malicious users can be fully considered and measures can be taken to ensure the overall security of the system. □

Theorem 3 (Resistance to collision forgery under active attacks). Assume that adversary $\mathcal{A}$ can make at most $\mathcal{Q}$ adaptation queries. If $\mathcal{A}$ can break the security of HIBCH-RS by a non-negligible advantage, the detailed proof is as defined by $\mathrm{Expt}_{\mathcal{A},\ldots}(n, q)$ in the following.

Proof. First, the challenger $\mathcal{C}$ initializes the set $\mathcal{Q} := \emptyset$. During the … phase, the challenger $\mathcal{C}$ executes the following:
mation, and at the sameThe time add the child node’s identity to𝒜,the revocation and
Generate
voking an insecurevoking𝑃𝑃, 𝑀𝐾 ←
trapdoor 𝐻𝐼𝐵𝐶𝐻 an key, −
insecure 𝑅𝑆. 𝑆𝑒𝑡𝑢𝑝(1
weexperiment
cantrapdoor add the , 𝑞)Expt
key, .
𝒞user
RCF
Awe toIBCH
,H can
the− add RS is
revocationthe described
userlist, to the as follows:
restrict
revocation list, restrict
Sample remove 𝑯𝓵 ←its ℤits edit
𝒏×𝒏
. then permissions. Secondly, if a malicious user delegates illegitimate
its edit permissions, 𝒒 and edit permissions,
update the and trapdoor
MK𝒞← then update
information. the trapdoor
, q) ,𝒬its For the
≔ ∅ information
information.
above cases,
theFor the above cases,
 ∅. During
PP,users, Setup n Q Forge
Generate trapdoor 𝑨
Proof.
information
, 𝑺 ←
First, the
𝑆𝑙𝑎𝑣𝑒𝐾𝑒𝑦(1 toRunchallenger
other , 𝑞, 𝒊𝒅 ) we,
initializes
can update (1 set trapdoor phase,
by as-the challenger
the illegal behavior 𝑺 𝒞𝒊 the of 𝒊malicious
𝒊𝒅 illegalthe behavior users can of maliciousbe fully considered
𝒊 𝒞 users cannbe and fully measures
considered can be and measures can be

signing its
𝒊𝒅 executes
child node toRunfollowing:
other ASlegitimate , S ← nodes SlaveKey and 1then id*i ;
, q, updating its trapdoor infor-
taken to ensure the taken
overall to security
ensure the
of the id* system.
overall * security □ of the system. □
𝑭𝒊𝒅𝒊 , 𝑹𝒊𝒅𝒊If
and mation. , 𝑬a𝒊𝒅malicious
← 𝐷𝑒𝑙𝐾𝑒𝑦user
Generate 𝑃𝑃, 𝑀𝐾
𝑨𝑺makes ←
, 𝑺𝒊𝒅∗𝒊 ,a𝒊𝒅
i 𝐻𝐼𝐵𝐶𝐻
id
request
i𝒊 . − 𝑅𝑆. 𝑆𝑒𝑡𝑢𝑝(1
to modify , 𝑞)
 other𝒞 private .  data or non-ed-
𝒊 𝒊𝒅𝒊∗
𝒏×𝒏
Sample 𝑯 𝓵 ← ℤ 𝒒 . 𝒞

Theorem𝑝𝑝 ∶=itable
3 (𝑅𝑒𝑠𝑖𝑠𝑡𝑎𝑛𝑐𝑒 𝑯transactions,
𝑃𝑃,Theorem
𝓵 , 𝑭𝑡𝑜 , 𝑇𝐼 ∶=the
3 (𝑅𝑒𝑠𝑖𝑠𝑡𝑎𝑛𝑐𝑒
𝒊𝒅𝒊 𝑐𝑜𝑙𝑙𝑖𝑠𝑖𝑜𝑛 (𝑝𝑝, regulator
Run 𝑹𝒊𝒅F𝒊 ,id𝑡𝑜
𝑓𝑜𝑟𝑔𝑒𝑟𝑦
,𝒊𝒅R)may
𝑬i 𝑢𝑛𝑑𝑒𝑟 id and
𝑐𝑜𝑙𝑙𝑖𝑠𝑖𝑜𝑛
𝒊 i 𝑎𝑐𝑡𝑖𝑣𝑒
, Eidbe isend
able
𝑓𝑜𝑟𝑔𝑒𝑟𝑦 𝑝𝑝totoautomatically
DelKey
𝑎𝑡𝑡𝑎𝑐𝑘𝑠). 𝒜. AS * , Sid* , idlock ; the malicious
, 𝑞,𝑢𝑛𝑑𝑒𝑟 id𝑎𝑐𝑡𝑖𝑣𝑒 𝑎𝑡𝑡𝑎𝑐𝑘𝑠).
Assume i adversary
ithat Assume that adversary
user’s edit Generate
permissions. 𝑨Furthermore,
𝑺𝒊𝒅𝒊 , 𝑺𝒊𝒅𝒊 ← 𝑆𝑙𝑎𝑣𝑒𝐾𝑒𝑦(1 if a malicious 𝒊𝒅user 𝒊 )𝒞 , irefuses to cooperate in re-
𝒜 can make most 𝒬
Second, 𝒜𝒜 query:
adaptation
can makequeries. most 𝒬Define 𝒜 can
Ifadaptation keybreak queries.
: = theF security
,IfR 𝒜 , can
E of HIBCH-RS
break
; the security
by a non-neg-
of HIBCH-RS by a non-neg-
idwe idi idi idi
𝑀 , 𝑀voking
ligible advantage, ∈the
ℳ, an insecure
and
ligible
detailed 𝒖and
advantage,
proof
𝒊𝒅 ← 𝑭 ℤtrapdoor
is
𝒊𝒅
𝒏×𝟏
𝒒
𝒊
,
as 𝑹
the , 𝒉
defined
𝒊𝒅 ,,𝑬
detailed
𝒊𝒊
key,
(𝑠𝑡𝑟,
𝒊𝒅 by
𝒊* *
← 𝒗𝒆𝒓) 𝐷𝑒𝑙𝐾𝑒𝑦
proof
i
𝐸𝑥𝑝𝑡
can
←is as
add
𝑪𝑯(𝑨, 𝑨
defined
𝑺
the
∗ 𝑀, 𝑺 ,
(𝑛,
user
by
𝒊𝒅 ∗ , 𝒊𝒅to
𝑬)|𝒓
𝑞) 𝐸𝑥𝑝𝑡 in
𝒊𝒊.
 the
the. revocation
following.
Q Forge (·)(𝑛,  list,restrict
𝑞) in the following.
its edit
𝐢
Run then hupdate , r , M*the ,𝒜,Mtrapdoor
′* , r′*𝒊𝒅, 𝒊( str, 𝒊ver) 𝒜,
𝒞← A For thekey above ;cases,
Generate ( 𝑀permissions,
,𝑀 ,𝒉 𝑝𝑝 𝒊 , 𝒓∶=
and
𝒊 , (𝑠𝑡𝑟,
𝑃𝑃, 𝒗𝒆𝒓)).
𝑯 , 𝑭 , 𝑇𝐼 ∶= (𝑝𝑝, 𝑹 , 𝑬
information.
) and send 𝑝𝑝 to  𝒜. idi
the illegal behavior of 𝓵 𝒊𝒅𝒊 users can be𝒊𝒅fully
malicious 𝒊𝒅𝒊considered and measures can be

𝒊
Then,
Proof. First, thethe challenger
challenger
Proof. First, 𝒞 the
𝒞 initializes
executes Define
challenger set the𝒬 Hash 𝒞 initializes
following: M ≔(∅. h, r, Mset
During ), Hash 𝒬the M * ≔ ∅.
phase, h*the
, r* ,challenger
During M* the ; phase, the challenger
Second, 𝒜
taken to ensure the overall security of the system. □ query:
𝒞 executes the following: 𝒞 executes the following: 𝒏×𝟏
 
𝑀 , 𝑀 ∈ ℳ, If rand * ̸= ⊥ 𝒖𝒊𝒅 , Check
𝐢
← ℤ𝒒PP,key CH , 𝒉𝒊 , (𝑠𝑡𝑟,( Hash 𝒗𝒆𝒓)M ← 𝑪𝑯(𝑨,
, Hash M * ) =𝑀 1 ,and
𝑬)|𝒓𝒊 .h , M , (str, ver) ∈
* * / Q Forge :
Generate 𝑃𝑃, 𝑀𝐾 ←Generate 𝐻𝐼𝐵𝐶𝐻 −𝑃𝑃, 𝑅𝑆. 𝑀𝐾
𝑀 𝑆𝑒𝑡𝑢𝑝(1
, 𝑀 ←, 𝒉 𝐻𝐼𝐵𝐶𝐻 , 𝒓, 𝑞), 𝒞 .− 𝑅𝑆.
(𝑠𝑡𝑟, 𝒗𝒆𝒓)). 𝑆𝑒𝑡𝑢𝑝(1
id i , 𝑞)𝒞 .
Theorem 3 (𝑅𝑒𝑠𝑖𝑠𝑡𝑎𝑛𝑐𝑒 𝑡𝑜 𝑐𝑜𝑙𝑙𝑖𝑠𝑖𝑜𝑛 Generate (
1;𝑓𝑜𝑟𝑔𝑒𝑟𝑦
𝒊otherwise:
𝒊 𝑢𝑛𝑑𝑒𝑟 𝑎𝑐𝑡𝑖𝑣𝑒 0. 𝑎𝑡𝑡𝑎𝑐𝑘𝑠). Assume that adversary
Sample 𝑯𝓵 ← ℤ𝒏×𝒏 .Sample 𝑯 𝓵 ← ℤ𝒏×𝒏
return
𝒒 . 𝒞
return
𝒜 can make 𝒒most 𝒬Then, adaptationthe challenger
queries.Q𝒊𝒅 If 𝒜 executes
can break thethe following:
security of HIBCH-RS by a non-neg-
Generate 𝑨𝑺𝒊𝒅 , 𝑺𝒊𝒅𝒊 Generate ← 𝑆𝑙𝑎𝑣𝑒𝐾𝑒𝑦(1 𝑨 𝒊𝒅The , 𝑺, 𝒊𝒅
𝑞, ←𝒊 )𝑆𝑙𝑎𝑣𝑒𝐾𝑒𝑦(1
Forge
𝒞,
is defined as , 𝑞,follows:
𝒊𝒅 ) ,
ligible advantage,𝒊 the detailed𝑺proof 𝒊 is𝒊 asVeridefined
fy by 𝐸𝑥𝑝𝑡𝒜, 𝒊′′ 𝒞 (𝑛, 𝑞) in the following.  
If Checkkey (str, ver) = 1, ∃(h , M) and M′ ∈ / QForge h′′ = h : run r′ ← Forge keyidi , M′, h
V
and 𝑭𝒊𝒅𝒊 , 𝑹𝒊𝒅𝒊 , 𝑬𝒊𝒅𝒊 ← and 𝐷𝑒𝑙𝐾𝑒𝑦 𝑭𝒊𝒅𝒊 , 𝑹𝑨 , 𝑬∗ ,𝒊𝒅𝑺𝒊𝒊𝒅←
𝒊𝒅𝑺𝒊 𝒊𝒅 ∗ , 𝒊𝒅
𝒊
𝐷𝑒𝑙𝐾𝑒𝑦
idi𝒊 . 𝑨𝑺𝒊𝒅∗ , 𝑺𝒊𝒅∗𝒊 , 𝒊𝒅𝒊 .
Proof. First, the challenger 𝒞if 𝒊initializes r′ ̸= ⊥: define 𝒞set 𝒬Q Forge 𝒊
≔Q ∅.Forge
During 𝒞∪ {(( ver), h,the
str,phase,
the , ((str, ver), h, M′ )}
M )challenger
𝑝𝑝 ∶= 𝑃𝑃, 𝑯𝓵 , 𝑭𝒊𝒅𝒊 𝑝𝑝 , 𝑇𝐼∶= ∶= (𝑝𝑝, 𝑃𝑃, 𝑯 𝑹𝓵𝒊𝒅, 𝒊𝑭, 𝑬 𝒊𝒅𝒊𝒅 , )𝑇𝐼 and ∶= (𝑝𝑝,
send 𝑹 𝑝𝑝
𝒊𝒅𝒊 , 𝑬to 𝒊𝒅𝒊 𝒜.
) and send 𝑝𝑝 to 𝒜.
𝒞 executes the following: return 𝒊 𝒊 ′
r.
Second, 𝒜 query: Second, 𝒜 query:
Generate 𝑃𝑃, 𝑀𝐾𝒏×𝟏 ← 𝐻𝐼𝐵𝐶𝐻 − 𝑅𝑆. 𝑆𝑒𝑡𝑢𝑝(1 Veri f y , 𝑞)𝒞 . as follows:
𝑀 , 𝑀 ∈ ℳ, and 𝒖𝒊𝒅 𝑀← , 𝑀ℤ𝒒∈ ℳ, , 𝒉𝒊and (𝑠𝑡𝑟,Check
,The 𝒖𝒗𝒆𝒓)
𝒊𝒅𝐢 ←key ←ℤid𝒏×𝟏
𝒒𝑪𝑯(𝑨,
is
, 𝒉defined
𝒊 , (𝑠𝑡𝑟,
𝑀 , 𝑬)|𝒓 𝒗𝒆𝒓) 𝒊 . ← 𝑪𝑯(𝑨, 𝑀 , 𝑬)|𝒓𝒊 .
Sample 𝑯𝓵 𝐢← ℤ𝒏×𝒏 𝒒 . i
Generate ( 𝑀 , 𝑀 , 𝒉Generate ,
𝒊 𝒊𝒓 , (𝑠𝑡𝑟, ( 𝑀
𝒗𝒆𝒓)). ,
If 𝑀 str , 𝒉 = ,
𝒊 𝒊 𝒓⊥ ,
, (𝑠𝑡𝑟,
ver = 𝒗𝒆𝒓)).
⊥ : return 1.
Generate 𝑨 𝑺𝒊𝒅𝒊 , 𝑺𝒊𝒅𝒊 ← 𝑆𝑙𝑎𝑣𝑒𝐾𝑒𝑦(1 , 𝑞, 𝒊𝒅𝒊 )𝒞 ,
Then, the challenger Then,𝒞 executes the challenger Ifthestrfollowing: 𝒞, ver executes ̸= ⊥: the runfollowing:
 
̸= ⊥ eidi ← SampleD keyidi , define z = str − eidi · ver, return 1.
and 𝑭𝒊𝒅𝒊 , 𝑹𝒊𝒅𝒊 , 𝑬𝒊𝒅𝒊 ← 𝐷𝑒𝑙𝐾𝑒𝑦 𝑨𝑺𝒊𝒅∗ , 𝑺𝒊𝒅∗𝒊 , 𝒊𝒅𝒊 .
otherwise:𝒊 return 0. 𝒞
𝑝𝑝 ∶= 𝑃𝑃, 𝑯𝓵 , 𝑭𝒊𝒅𝒊 •, 𝑇𝐼 ∶= (𝑝𝑝, 𝑹𝒊𝒅𝒊 , 𝑬𝒊𝒅𝒊 ) and sendFor
Forgeryindistinguishability. 𝑝𝑝users to 𝒜. and messages M, M’ with identity ID, if it holds that
Second, 𝒜 query: n 
′) ← CH(A,M′,E),r ← Forge (A ,R ,E ,M′,h ID,r′ ,
 o
{(h,r )|( h,r ) ← CH ( A,M,E )} ≈ ( h,r ) ( h,r
𝑀 , 𝑀 ∈ ℳ, and 𝒖𝒊𝒅𝐢 ← ℤ𝒏×𝟏 𝒒 , 𝒉𝒊 , (𝑠𝑡𝑟, 𝒗𝒆𝒓) ← 𝑪𝑯(𝑨, 𝑀 , 𝑬)|𝒓𝒊 .
idk idk idk
then the construction of HIBCH-RS satisfies forgery indistinguishability.
Generate ( 𝑀 , 𝑀 , 𝒉𝒊 , 𝒓𝒊 , (𝑠𝑡𝑟, 𝒗𝒆𝒓)).
Then, the challenger 3.2.𝒞Construction
executes theoffollowing: HIBCH-RS
This section presents the detailed construction of the HIBCH-RS model with updatable subkeys. The concrete implementation of the model contains the following algorithms.
• $\mathrm{Setup}(1^n, q)$: Given a security parameter $n$ and any integer $q \ge 2$, let $\bar{m} = nk$, $w = nk$, $m = \bar{m} + w$. Run algorithm $\mathrm{TrapGen}(1^n, q) \to (A, R)$ such that $A \in \mathbb{Z}_q^{n \times m}$, $R \in \mathbb{Z}^{\bar{m} \times w}$. Generate randomly $U \leftarrow_R \mathbb{Z}_q^{n \times n}$ and compute $E \leftarrow \mathrm{SampleD}(R, A, H, U, \sigma)$ such that $AE = U \bmod q$. Finally, the algorithm outputs the public parameter $PP = (A, U, E)$ and the master key $MK = R$.
• $\mathrm{SlaveKey}(1^n, q, ID)$: Randomly sample $V \in \mathbb{Z}_q^{\bar{m} \times w}$ from $D_{\mathbb{Z}^{\bar{m}}, \sigma_s}$, and an error $T \in \mathbb{Z}^{\bar{m} \times w}$ from $\chi$. Compute $S_{id_\ell} = H_{frd}(id_\ell) \cdot V + T$. Randomly choose $A_{S_{id_\ell}} \in \mathbb{Z}_q^{n \times \bar{m}}$ and the H-tag $H_\ell$, then $A_{S_{id_\ell}} = [A_{S_{id_\ell}} \mid H_\ell G - A_{S_{id_\ell}} \cdot S_{id_\ell}] \bmod q$. Finally, the algorithm outputs $A_{S_{id_\ell}}$ and $S_{id_\ell}$.
• $\mathrm{DelKey}(A_{S_{id^*}}, S_{id^*}, id_\ell)$: At level $\ell$, $id_\ell = (d_1, d_2, \ldots, d_\ell)$ is an $\ell$-dimensional vector. Let $K_{id} = H_{frd}(id_\ell) \cdot C \bmod q$, where $C$ is chosen randomly from $\mathbb{Z}_q^{n \times w}$. The tag $H^*_\ell$ at level $\ell - 1$ is generated and sent by $id_\ell$, and $F_{id_\ell} = [A_{S_{id^*}} \mid K_{id}] \in \mathbb{Z}_q^{n \times (m + w)}$. Evaluate $R_{id_\ell} \leftarrow \mathrm{DelTrap}(F_{id_\ell}, H^*_\ell, S_{id^*}, \sigma_d)$ to obtain a trapdoor for $id_\ell$. Generate the personal key $E_{id_\ell} \leftarrow \mathrm{SampleD}(R_{id_\ell}, F_{id_\ell}, H_\ell, U, \sigma)$ for $id_\ell$. Finally, the algorithm outputs $F_{id_\ell}$, $R_{id_\ell}$, and $E_{id_\ell}$.
• $\mathrm{Update}(1^n, q, RL)$: If the key is found to be exposed or an illegitimate edit request is made, then the algorithm is executed to update the key of the edit member. The parent node updates a reversible tag $H'_\ell$ by the algorithm of [32], Section 6.1. Then, the slave key pair is updated to $S'_{id_\ell}$ and $A'_{S_{id_\ell}} = [A_{S_{id_\ell}} \mid H'_\ell G - A_{S_{id_\ell}} \cdot S'_{id_\ell}] \bmod q$, and the ID of the revoked key is appended to $RL = \{id_i, \ldots, id_j\}$, so $RL' = \{id_i, \ldots, id_j, id_r\}$. The algorithm outputs the new tag $H'_\ell$ and $RL'$ to generate a new key for the user.
• $CH(A, M, E)$: Input the public parameter $PP = (A, E)$ and message $M$, and compute the chameleon hash and verification pair. If a transaction is identified as public-modifiable, then we use $PP$ to calculate the hash value. Let $c = H_M(M)$, where $H_M : \{0,1\}^* \to \{0,1\}^m$, sample $r \leftarrow_R D_{\mathbb{Z}^m, \sigma}$, and compute the chameleon hash of message $M$ as $h = Ar + E^T c \bmod q$; $str = \bot$, $ver = \bot$. If a transaction is identified as belonging to an individual, then we give editing rights to that individual. Suppose this transaction belongs to $id_\ell$; then $id_\ell$ calculates an extra verification pair and fills it into the block. In other words, select randomly $u_{id_\ell} \in \mathbb{Z}_q^n$, $s_{id_\ell} \in \mathbb{Z}_q^n$ and $x \leftarrow_R \chi$, let $mid = H(s_{id_\ell}, ID) \bmod 2$, then $str = u_{id_\ell}^T \cdot s_{id_\ell} + x + mid\lceil q/2 \rceil \bmod q$ and $ver = F_{id_\ell}^T \cdot s_{id_\ell} + y \bmod q$, where $y \leftarrow_R \chi$. The algorithm outputs the hash value $h$, the collision string $r$, and the verification pair $(str, ver)$. We illustrate the operation of the algorithm in Algorithm 1 in a simple code language.
Algorithm 1 Chameleon hash function.
    c := H_M(M) and r ←_R D_{Z^m, σ}
    h = A r + E^T c mod q
    if M is public:
        str = ⊥, ver = ⊥
    else if M is private:
        // Hash map of identity ID
        mid := H(s_idℓ, ID) mod 2
        u ←_R Z_q^n, s ←_R D_{Z, σ}, x ←_R χ, y ←_R χ
        str = u^T s + x + mid ⌈q/2⌉ mod q
        ver = F_idℓ^T s + y mod q
    return h, r, (str, ver)

• $\mathrm{Forge}(F_{id_\ell}, R_{id_\ell}, E_{id_\ell}, M', h)$: Input the public key and the trapdoor key of $id_\ell$, and find a collision of the chameleon hash. For personal data, the ability of the $id_\ell$ user to decrypt $str$ is verified to determine whether they have permission to edit the private data; the hash collision is calculated if the verification passes, and the editing request is rejected if it does not. $id_\ell$ provides the decryption key $d_{id_\ell} \leftarrow \mathrm{SampleD}(R_{id_\ell}, F_{id_\ell}, H^*_\ell, u_{id_\ell}, \sigma)$. Then, compute $z = str - d_{id_\ell}^T \cdot ver \bmod q$. If $|z - \lceil q/2 \rceil| < \lceil q/4 \rceil$ and $mid = 1$, output True; otherwise output False. If $|z - \lceil q/2 \rceil| > \lceil q/4 \rceil$ and $mid = 0$, output True; otherwise output False. For public transaction data or personal data with successful verification, $id_\ell$ users can easily calculate hash collisions. Let $c' = H_M(M')$. Then, sample $r'$ from $\mathrm{SampleD}$ such that $F_{id_\ell} \cdot r' = h - E_{id_\ell}^T \cdot c' \bmod q$. Output the collision $r'$. We illustrate the operation of the algorithm in Algorithm 2 in a simple code language.

Algorithm 2 Chameleon hash forge function.
    if new message M′ is private:
        // Decryption key of user ID: d
        z = str − d · ver mod q
        if [(|z − ⌈q/2⌉| > ⌈q/4⌉ and mid = 0)
            or (|z − ⌈q/2⌉| < ⌈q/4⌉ and mid = 1)]:
            // Hash map of message M′
            c′ := H_M(M′)
            u = h − E_idℓ^T · c′ mod q
            r′ ← SampleD(R_idℓ, F_idℓ, H_ℓ, u, σ)
            return r′
    return ⊥
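The following added example (not code from the paper) models the permission check that Algorithm 1 encodes and Algorithm 2 decodes: the bit mid is hidden in the pair (str, ver) as an LWE-style encryption, and the holder of a short vector d with F·d = u (mod q) recovers it from z = str − d^T·ver and tests |z − ⌈q/2⌉| < ⌈q/4⌉. It is plain Python with toy sizes (n = 4, m = 16, q = 4096) and no lattice trapdoor: it assumes that d is drawn first and u := F·d mod q is derived from it, which replaces SampleD while keeping the same algebraic relation, and it models H(s_id, ID) mod 2 with SHA-256. Decoding is exact here because the error |x − d^T y| is at most 3 + 16·3 = 51 < ⌈q/4⌉.

```python
import hashlib
import random

# Toy parameters (assumption of this example, far below the paper's sizes)
Q = 4096                # modulus q
N = 4                   # dimension n of s and u
M = 16                  # length of d and ver (m + w in the paper)
HALF_Q = -(-Q // 2)     # ceil(q/2)
QUARTER_Q = -(-Q // 4)  # ceil(q/4)


def keygen(rng):
    """Return (F, u, d) with F*d = u (mod q).  In HIBCH-RS u is public and the
    short d is produced by SampleD with the trapdoor; here d is drawn first and
    u is derived from it, so the same relation holds without a lattice trapdoor."""
    F = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    d = [rng.choice((-1, 0, 1)) for _ in range(M)]
    u = [sum(F[i][j] * d[j] for j in range(M)) % Q for i in range(N)]
    return F, u, d


def mid_bit(s_id, identity):
    """mid = H(s_id, ID) mod 2, with SHA-256 standing in for H."""
    return hashlib.sha256(s_id + identity).digest()[-1] & 1


def encode_pair(F, u, mid, rng):
    """Algorithm 1, private branch: str = u^T s + x + mid*ceil(q/2) mod q and
    ver = F^T s + y mod q, with small errors x, y (chi modelled as [-3, 3])."""
    s = [rng.randrange(Q) for _ in range(N)]
    x = rng.randint(-3, 3)
    y = [rng.randint(-3, 3) for _ in range(M)]
    str_val = (sum(u[i] * s[i] for i in range(N)) + x + mid * HALF_Q) % Q
    ver = [(sum(F[i][j] * s[i] for i in range(N)) + y[j]) % Q for j in range(M)]
    return str_val, ver


def decode_bit(str_val, ver, d):
    """Algorithm 2: z = str - d^T ver mod q; the bit is 1 iff |z - ceil(q/2)| < ceil(q/4).
    With the right d, z = x - d^T y + mid*ceil(q/2), and |x - d^T y| <= 3 + 16*3 = 51."""
    z = (str_val - sum(d[j] * ver[j] for j in range(M))) % Q
    return 1 if abs(z - HALF_Q) < QUARTER_Q else 0


def has_edit_permission(str_val, ver, d, mid):
    """Grant the edit only when the decoded bit equals the expected mid."""
    return decode_bit(str_val, ver, d) == mid


def roundtrip(mid, seed=7):
    """Encode one constructed pair for the given mid and decode it with the right key."""
    rng = random.Random(seed)
    F, u, d = keygen(rng)
    str_val, ver = encode_pair(F, u, mid, rng)
    return decode_bit(str_val, ver, d)


def run_trials(trials=200, seed=1):
    """Number of constructed private transactions whose permission check passes."""
    rng = random.Random(seed)
    F, u, d = keygen(rng)
    passed = 0
    for t in range(trials):
        mid = mid_bit(b"s_id-%d" % t, b"id-1.2.3")   # constructed identity inputs
        str_val, ver = encode_pair(F, u, mid, rng)
        passed += has_edit_permission(str_val, ver, d, mid)
    return passed
```

`run_trials()` returns how many of the constructed transactions pass the check; with the right d it is all 200. For any d' with F·d' ≠ u the term (u − F·d')^T s makes z essentially uniform over Z_q, so the decoded bit matches mid only about half the time, which is what denies editing rights to a user without the trapdoor-derived key.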
3.3. Security Analysis

3.3.1. Parameters
We identify whether a user has the right to edit a particular private transaction by verifying the user's ability to decrypt it. During the decryption operation by the user at level $\ell$, we have $z = str - d_{id_\ell}^T \cdot ver = mid\lceil q/2 \rceil + x - d_{id_\ell}^T y$. By the correctness of $\mathrm{SampleD}$ we know that $\|d_{id_\ell}^T\| < \sigma\sqrt{m}$ holds with overwhelming probability. By Lemma 1, we have the error term
$$\left|x - d_{id_\ell}^T y\right| \le \sigma\sqrt{m}\,\alpha q\,\omega\!\left(\sqrt{\log m}\right) + \alpha q\,\omega\!\left(\sqrt{\log m}\right).$$
Therefore, when we set the upper limit of the error term to be less than $\lceil q/4 \rceil$, the decryption algorithm is correct. At this point, we can correctly solve an LWE instance.
Micciancio et al. define the concept of a smoothing parameter as a measure of the Gaussian on the lattice [40]. When the standard deviation of the Gaussian on the lattice distribution is larger than this parameter, the modal lattice points in this distribution are almost close to being uniformly distributed. This paper defines $\sigma_s = r = \omega(\sqrt{\log n}) \approx \sqrt{\ln(2/\epsilon)/\pi}$. By defining random matrices sampled from the 0-sub-Gaussian in [41], we know that $s_1(R) \le \sigma O(\sqrt{\bar{m}} + \sqrt{w})$ for $MK$ and $s_1(R_{id_\ell}) \le \sigma O(\sqrt{\bar{m} + w} + \sqrt{w})$ for the delegation trapdoor. For instance, we set the Gaussian parameters as $\sigma \ge \sqrt{7(s_1(R))^2 + 1}\,\omega(\sqrt{\log n})$ and $\sigma_d \ge \sqrt{5}\,s_1(R)\,\omega(\sqrt{\log n})$. Meanwhile, in this paper, we set the parameters $m = 2n^{\psi + 1}$ and $q = m^3\,\omega(\sqrt{\log n})$, where the real number $\psi$ satisfies $\log q < n^\psi$.

3.3.2. Security

Theorem 1 (Correctness). The construction of HIBCH-RS meets the requirement of correctness.

Proof. For the hash value $h$ and identity $ID$, it is easy to confirm that $ID$ uses the trapdoor information to compute a new $r'$ from $\mathrm{SampleD}(R_{ID}, F_{ID}, H_i, h - E_{ID}^T \cdot c \bmod q, \sigma)$ so that $F_{ID} \cdot r' + E_{ID}^T \cdot c \bmod q = h$. So HIBCH-RS satisfies correctness. □

Theorem 2 (Revocability). The construction of HIBCH-RS meets the requirement of revocability.

Proof. We discuss the revocability of HIBCH-RS in the following two scenarios.

1. In [36], $R$ is also a trapdoor for $A' = A - [0 \mid H'G]$ with tag $(H - H')$ for any $H'$, as long as $(H - H')$ is invertible modulo $q$. At this point, the old trapdoor is still available even after updating the public key. However, this useful feature does not apply to HIBCH-RS. To prove the above, we have $F_{ID} = [A_{S_{ID^*}} \mid HG - A_{S_{ID^*}} \cdot S_{ID^*} \mid K_{ID}]$ with a tag $H$ and $ID$. From the $\mathrm{DelKey}$ algorithm, we know that $F_{ID} \cdot \begin{bmatrix} R_{ID} \\ I \end{bmatrix} = HG$. We now assume that there is an invertible tag $(H - H')$ such that $F'_{ID} = F_{ID} - [0 \mid H'G \mid 0]$. So, if $R_{ID}$ is also a trapdoor for $F'_{ID}$, then $F'_{ID} \cdot \begin{bmatrix} R_{ID} \\ I \end{bmatrix}$ should be equal to $(H - H')G$. While currently $HG - [0 \mid H'G \mid 0] \cdot \begin{bmatrix} R_{ID} \\ I \end{bmatrix} = HG - [0 \mid H'G] \cdot R_{ID}$. However, it is obvious that $[0 \mid H'G] \cdot R_{ID} \ne H'G$.
2. For any $H'$, $F_{ID} \cdot \begin{bmatrix} R_{ID} \\ I \end{bmatrix} \ne H'G$. First of all, we assume $\exists H'$ such that $F_{ID} \cdot \begin{bmatrix} R_{ID} \\ I \end{bmatrix} = H'G$. We also know $F_{ID} = [A_{S_{ID^*}} \mid K_{ID}]$ and $A_{S_{ID^*}} \cdot R_{ID} = H'G - K_{ID}$. Then, $A_{S_{ID^*}} - A_{S_{ID^*}} \cdot R_{ID} = (H - H')G$, so we can derive that $[0 \mid (H - H')G] \cdot R_{ID} = (H - H')G$. In other words, we want to confirm a trapdoor $R_{ID}$ of the form $\begin{bmatrix} R^*_{ID} \in \mathbb{Z}_q^{m \times w} \\ I \in \mathbb{Z}_q^{w \times w} \end{bmatrix}$. Since $R_{ID}$ is the random vector that came from $\mathrm{SampleD}$, we can also represent $R_{ID}$ as $R_{ID} = [x_1 \cdots x_w]$, a form that comes from the definition [36]. We also have $x_i = \begin{bmatrix} x^*_i \\ \tilde{x}_i \end{bmatrix} \in \mathbb{Z}_q^{(m \times w) \times 1}$, where $\tilde{x}_i$ is a vector whose $i$th row is 1 and whose other rows are 0 with the probability of $\mathrm{neg}(n)$. In this ideal case, $K_{ID}$ is constant. However, in practice, when the key pair is updated, $K_{ID}$ is a matrix of changes. Therefore, it is possible to forge an $R_{ID}$ that satisfies this situation with the probability of $\mathrm{neg}(n)$.
3. First, when a malicious user exists in a child node, its parent node can disable the child node's trapdoor by updating the slave key information as well as the tag information, and at the same time add the child node's identity to the revocation list and remove its edit permissions. Secondly, if a malicious user delegates illegitimate trapdoor information to other users, we can update its trapdoor information by assigning its child node to other legitimate nodes and then updating its trapdoor information. If a malicious user makes a request to modify other private data or non-editable transactions, the regulator may be able to automatically lock the malicious user's edit permissions. Furthermore, if a malicious user refuses to cooperate in revoking an insecure trapdoor key, we can add the user to the revocation list, restrict its edit permissions, and then update the trapdoor information. For the above cases, the illegal behavior of malicious users can be fully considered and measures can be taken to ensure the overall security of the system. □

Theorem 3 (Resistance to collision forgery under active attacks). Assume that adversary $\mathcal{A}$ can make at most $\mathcal{Q}$ adaptation queries. If $\mathcal{A}$ can break the security of HIBCH-RS by a non-negligible advantage, the detailed proof is as defined by $\mathrm{Expt}^{RCF}_{\mathcal{A},\,HIBCH\text{-}RS}(n, q)$ in the following.

Proof. First, the challenger $\mathcal{C}$ initializes the set $\mathcal{Q}_{Forge} := \emptyset$. During the phase, the challenger $\mathcal{C}$ executes the following:
Generate $PP, MK \leftarrow HIBCH\text{-}RS.\mathrm{Setup}(1^n, q)_{\mathcal{C}}$.
Sample $H_\ell \leftarrow \mathbb{Z}_q^{n \times n}$.
Generate $A_{S_{id_i}}, S_{id_i} \leftarrow \mathrm{SlaveKey}(1^n, q, id_i)_{\mathcal{C}}$, and $F_{id_i}, R_{id_i}, E_{id_i} \leftarrow \mathrm{DelKey}(A_{S_{id^*}}, S_{id^*_i}, id_i)$.
$pp := (PP, H_\ell, F_{id_i})$, $TI := (pp, R_{id_i}, E_{id_i})$, and send $pp$ to $\mathcal{A}$.
Second, $\mathcal{A}$ queries:
$M_i, M'_i \in \mathcal{M}$, and $u_{id_i} \leftarrow \mathbb{Z}_q^{n \times 1}$, $h_i, (str, ver) \leftarrow CH(A, M_i, E) \mid r_i$.
Generate $(M_i, M'_i, h_i, r_i, (str, ver))$.
Then, the challenger $\mathcal{C}$ executes the following:
Sample $d_{id_i} \leftarrow \mathrm{SampleD}(R_{id_i}, F_{id_i}, H_\ell, u_{id_i}, \sigma)$.
If $\exists (h'', M)$ and $M' \in \mathcal{Q}_{Forge} \vee h'' \ne h$, and $z = str - d_{id_i} \cdot ver$ with $z > \frac{q}{4}$: return $\bot$; otherwise, continue.
Generate $r'_i \leftarrow \mathrm{Forge}(F_{id_i}, R_{id_i}, E_{id_i}, M', h)$;
Send $r'_i$ to $\mathcal{A}$ and set $\mathcal{Q}_{Forge} := \mathcal{Q}_{Forge} \cup \{((str, ver), h, M), ((str, ver), h, M')\}$.
For the forgery group $(h^*, r^*, M^*, M'^*, r'^*, (str, ver))$, the challenger $\mathcal{C}$ calculates:
$$\underbrace{F_{id_i}}_{A} \cdot \underbrace{r'^*}_{v} = \underbrace{h_i - E_{id_i}^T \cdot H_M(M'^*)}_{u} \quad \text{with } \|r'^*\| \le \sigma\sqrt{m},\ \text{and } M'^* \ne M^*.$$
Finally, if the above condition is satisfied, then return 1.
Thus, through the above process, we can calculate $\Pr\left[\mathrm{Expt}^{RCF}_{\mathcal{A},\,HIBCH\text{-}RS}(n, q) = 1\right]$. □

Theorem 4 (Forgery indistinguishability). By this theorem, we show that the hash distribution $D_{CH}$ of a message $M$ is statistically close to the distribution $D_{Forge}$ of a message $M'$.

Proof. First, $D_{CH}$ is defined as below:
$$D_{CH} := \left\{ (M', r', h') \;\middle|\; r' \leftarrow_R D_{\mathbb{Z}^m, \sigma},\ c' := H_M(M'),\ h' = Ar' + E^T c' \bmod q \right\}_{n, q, PP}.$$
Next, we define $D_{Forge}$ as:
$$D_{Forge} := \left\{ (M', r, h) \;\middle|\; r \leftarrow_{\$} \mathcal{R},\ h \leftarrow CH(A, M, E),\ R_{id_k} \leftarrow \mathrm{DelKey}(A_{S_{id_k}}, S_{id_k}, id_k),\ r \leftarrow \mathrm{Forge}(A_{id_k}, R_{id_k}, E_{id_k}, M', h) \right\}_{n, q, ID}.$$
It is known that $r$ is indistinguishable from $r'$ since $r, r'$ are Gaussian sampling distributions. Therefore, the distribution $D_{CH} \approx D_{Forge}$, which means that they are indistinguishable. □

Based on the analysis, devising an editable scheme grounded in the HIBCH-RS model
imparts quantum-resistant characteristics. Concurrently, the security of the editable method
is contingent upon the safety of the foundational algorithm.

4. Redactable Programs
This paper is dedicated to the formulation of a redactable blockchain that empha-
sizes compatibility. In this context, compatibility pertains to the ability of the redactable
blockchain structure to integrate with data structure, the consensus protocols, block, and
chain structures, and more. Secondly, aiming at the consistency of the block, this paper
deals with the edit request through the majority node agreement mechanism. To improve
efficiency, multiple edit requests are packaged into a group of requests and sent to verifica-
tion nodes for approval. Finally, to achieve the traceability and accountability of editing
operations, this paper divides blocks into ordinary blocks and redactable blocks. We then
trace the history of edits by packaging edit requests into the form of ordinary blocks.
Revocable lists are also used to hold users accountable for unreliable or malicious changes.
In this section, we detail how this mechanism is implemented in conjunction with
Hyperledger Fabric.

4.1. Editorial Role

Editor: Typically, the editorial member is made up of a group of trusted nodes. Initially,
a set of trusted nodes is randomly selected by the regulator among all nodes. Then, the
regulator judges the validity and legality of the editing operation to eliminate the malicious
modifiers among the editorial members. We can also add new editorial members to the
group. Finally, these trusted nodes can obtain the trapdoor in the HIBCH-RS scheme and
then make edit requests. The node that is deleted from the editing group uses the Update
algorithm to retrieve its trapdoor information and add it to the revocation list.
Edit request handler: This role is typically held by the consensus node. In this
article, an edit request can be viewed as a transaction. The difference is that for ordinary
transactions the consensus node is only responsible for packaging blocks, whereas for an
edit request transaction it must additionally review whether the transaction may be packaged into a block.
Regulator: The regulator can be chosen from the full range of nodes. Primarily, the regulator
oversees the trapdoor delegation process. Additionally, the regulator exercises control over
the consensus authority to prevent inadvertent exposure of conflicting key information.

4.2. Editorial Process

In redactable Hyperledger Fabric, we present the block structure with the major changes
in the block header and transaction data. The detailed structure is shown in Figure 2.

Figure 2. The redactable block structure of Hyperledger Fabric.

As shown in Figure 2, we replace the hash algorithm in the Merkle tree with HIBCH-RS
and add key fields for the redacted transaction. $B_{Number}$ denotes the editing history
block number.
Formally, a redactable block is represented as $RB = \langle Head, Tx\ list \rangle$, where the
block header is abstracted as the block number, the hash value of the preceding block and
the data hash, denoted as $Head = \langle Number, PreHash, DataHash \rangle$. Meanwhile, the chain
structure is delineated as $C = \langle B_0, RB_1, \ldots, B_i, B_{er}, \ldots \rangle$. In other words, there are three
types of blocks in the redactable blockchain proposed in this paper: ordinary non-redactable
blocks $B_i$, redactable blocks $RB_j$, and blocks that record editing operations $B_{er}$.
Figure 3 depicts the transaction flow for redactable Hyperledger Fabric to perform an
edit request. In Fabric, the editing request initiated by the client is first sent to the endorsing
nodes for processing. Subsequently, the approved requests are temporarily stored at the
consensus nodes, awaiting validation and submission. Distinction arises between the
editing procedures for public and personal transaction data. Specifically, in the case of
personal transaction data, the modify content (MC) must be maintained as confidential
information, thus ensuring data privacy. The validation node is solely responsible for
confirming the endorsement strategy and the legitimacy of the modification. Ultimately,
the agreed-upon modified transaction is submitted for accurate modification within the
blockchain. Therefore, the edit request transaction is compatible with the transaction flow
of a normal transaction.

Figure 3. Modify the transaction flow.

Specifically, we divide the editing process into the following stages:
Creation of an edit request: The process commences with the creation of an edit request by a member who possesses the trapdoor key. This event triggers the generation of a modification transaction (MT). MT comprises two principal components: the modified content (MC) and the key parameter (KP).
• Modified content (MC): MC encompasses several elements, including the transaction ID (TxID) of the transaction being revised, the hash value of the transaction, the identification of the member initiating the edit request, and the new content. If we would like to delete illegal information, the new content will be defined as empty.
• Key parameter (KP): The KP encompasses the hash collision r′. Importantly, this component determines the ability to accurately modify the transaction within the block in a physical sense. Notably, the field related to KP remains concealed from all parties until the completion of the request submission process.
By adhering to this structured sequence, the editing process is systematically orches-
trated, fostering transparency and control over modifications to blockchain data.
Validation of editing requests:
• Public transaction data: In scenarios involving public transaction data, the consensus body disseminates MC to a randomly selected subset of n members. These members assess the content and respond with an agree message if they approve. Conversely, a reject message is transmitted if they disagree. The validation process hinges on accumulating a specific number of agree responses, indicating the legitimacy and consistency of the edit request.
• Personal transaction data: For personal data, which is confidential, nodes have restricted access to MC. Rather, nodes provide feedback solely on whether they consent to the block modification.
Submission of editing requests: The edit request is temporarily stored within the consensus organization. During this period, the user is precluded from submitting multiple edit requests for the same transaction data simultaneously.
Upon approval of the edits, the consensus nodes package the modified transaction (MT) into a block that records editing operations. Finally, the edit block is appended to the blockchain through broadcast, culminating in the formation of the updated chain: $C' = \langle B_0, B_1, \ldots, B_{n'}, B_e \rangle$.
Withdrawal or deletion of an edit request manifests in the following three scenarios,
which transpire prior to the submission of the edit request:
• The originator of the request initiates a withdrawal. Upon this decision, the consensus
body eliminates the edit request from local records.
• Illegal requests. Before submission, the edit request undergoes verification by the
nodes through broadcast. If the edit is determined to be unlawful or if the regulatory
entity identifies the modifier’s identity as illicit, or if verification of the personal
data modifier’s identity fails, the consensus body eliminates the request from local
records. The regulator exercises the authority to decide whether to incorporate the
edit requestor’s identity into the revocation list, contingent upon the severity of the
violation.
• If no response is received within a designated timeframe, the edit request is discarded.
By implementing these withdrawal mechanisms, our model ensures effective manage-
ment of edit requests, safeguarding the integrity and legality of the blockchain’s contents.
We describe this new editing scheme in Algorithm 3, and we also describe the specific
mechanism of content consistency in the algorithm.
Algorithm 3 Block redact.
Input: The new content M′, transaction ID of Tx_i, redactor identity ID, and revocation list RL.
Output: The redacted block RB′_i and edit request transaction B_er_i.
  Extract block by Tx_i, output RB_i = {header, {. . . Tx_i . . .}}.
  if HIBCH-RS.CH(F_ID, E_ID, Tx_i)|r_i = RB_i.HIBCH-RS_i then:
    r′_i ← HIBCH-RS.Forge(F_ID, R_ID, E_ID, M_i, M′_i, r_i, RB_i.HIBCH-RS_i)
    send MT_i = {r′_i, MC_i = {Tx_i, RB_i.HIBCH-RS_i, ID, M′}} to nodes
    for reply := (reply_1, . . ., reply_n) do:   // consistency
      if reply = ‘agree’ then: n = n + 1
    if n ≥ sum(sendnodes)/2 and ID ∉ RL then:
      B_er_i = {header, {. . . MT_i . . .}}
      Be Number′ = {BN_1, . . ., B_ei.header.Number}
      Tx′_i = {r′_i, str, m_id_i, M′, Be Number′}
      RB′_i = {header, . . . Tx′_i . . .}
      return RB′_i, B_er_i

4.3. Accountability and Traceability
Redactable blockchains necessitate ongoing maintenance and security assessments. Hence, this subsection delineates the mechanisms employed to establish accountability and traceability within the blockchain, thereby fortifying the overall security of the system.
In the design detailed in [27], edit operations are parallelized alongside modified blocks, giving rise to an edit chain. However, our approach can align with the pre-established structure and seamlessly integrate with the blockchain system. In Algorithm 4, we design a traceability scheme for the history of editing operations. In the redactable block structure, a redactable transaction contains a list of edited historical block numbers (Be Number) associated with it. From the list, we can trace all the actions applied to the redacted transaction.

Algorithm 4 Trace edit history.
Input: The redacted transaction Tx_i.
Output: The edit history list EHL_i.
  Extract Be Number_i = {BN_1, . . ., BN_n} by Tx_i.
  for i := (1, . . ., n) do:
    Extract edit block B_er_i by BN_i.
  EHL_i = {B_er1.MT_1.M′, . . ., B_eri.MT_i.M′}
  return EHL_i

For accountability, we give details in Algorithms 5 and 6. In Algorithm 5, we mainly implement how to restrict or reclaim the editor’s permission when there is an illegal edit request, by adding malicious users to the revocation list.

Algorithm 5 Accountability for edit request.
Input: Illegal edit request ER_i and revocation list RL.
Output: The revocation list RL′.
  Send ER_i to verifier nodes
  Receive reply := (reply_1, . . ., reply_n)
  if sum(reply_i = ‘reject’) > n do:
    rID := ER_i.MC.ID
    RL′ = {RL, rID}
    Delete ER_i
  return RL′.
Algorithm 6 implements how to roll back the edit operation. It is important to note that this rollback requires a member with higher privileges to perform and is strictly monitored, because it removes edits that have already been performed.

Algorithm 6 Rollback the edit operation.
Input: The redacted transaction Tx_i, the number of rollback times m (m ≤ n), and identity ID.
Output: The rollback block RB′.
  Extract RB by Tx_i; Extract B_e by RB.Be Number_i.BN_{n−m}
  RB′ = RB; RB′.r_i = B_ei.MT_i.r_i
  RB′.Tx_i = B_ei.MT_i.M′; Be Number′_i = {BN_1, . . ., BN_{n−m}}
  MT_i = {r′, MC_i = {Tx_i, ID, h, }}
  for j := (n − m + 1, . . ., n) do:
    Extract B_ej by BN_j
    Delete B_ej.MT_i
  return RB′

Furthermore, our edit cache structure significantly curbs the likelihood of unauthorized edit operations. Recognizing that editing operations may be essential but sporadic within the blockchain ecosystem, preserving the history of such operations does not unduly strain the system. Quite the opposite: it bolsters the legitimacy and security of editing endeavors.
By implementing these measures, our model ensures a robust framework for accountability, traceability, and secure edit operations, thereby enhancing the overall stability and credibility of the blockchain system.
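The editing stages of Section 4.2 and Algorithms 3 to 6 (redact, trace, accountability, rollback), put together as one runnable walk-through. This is an added example, not the authors' implementation or their Fabric chaincode: the lattice-based HIBCH-RS is replaced by a textbook discrete-log chameleon hash (assumed here only so that CH, Forge and the verification step are concrete; it is not quantum-resistant and has no identity hierarchy), consensus is modelled as a constructed list of agree/reject replies with a simple majority threshold, the "majority of rejects" rule in `account` is this example's reading of Algorithm 5, and the `Ledger`, `redact`, `trace`, `account` and `rollback` names are the example's own.

```python
"""Added example, not the paper's code: Algorithms 3-6 on a toy redactable ledger.
HIBCH-RS is replaced by a textbook discrete-log chameleon hash so that CH / Forge /
verify are concrete; that stand-in is NOT quantum-resistant.  Group size, member
replies and transactions are constructed for this example."""
import hashlib
import secrets
from dataclasses import dataclass, field

def _is_prime(n):
    # Deterministic Miller-Rabin; these bases are exact for n < 3.3e24.
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 41:
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(lo):
    q = lo | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = _safe_prime(1 << 61)              # p = 2q + 1, example size only
G = 4                                    # a square mod p, hence of order q
_h = lambda m: int.from_bytes(hashlib.sha256(m).digest(), "big") % Q

def ch_keygen():
    x = secrets.randbelow(Q - 1) + 1                 # trapdoor held by the editor
    return x, pow(G, x, P)                           # (trapdoor, public hash key)

def ch_hash(y, msg, r):
    return pow(G, _h(msg), P) * pow(y, r, P) % P

def ch_forge(x, msg, r, new_msg):
    # Collision r' with ch_hash(y, msg, r) == ch_hash(y, new_msg, r'); needs x.
    return (r + (_h(msg) - _h(new_msg)) * pow(x, -1, Q)) % Q

@dataclass
class Ledger:
    pk: int
    chain: list = field(default_factory=list)        # C = <B0, RB1, ..., Ber_j, ...>
    revoked: set = field(default_factory=set)        # revocation list RL

    def add_tx(self, txid, content):
        r = secrets.randbelow(Q)
        tx = {"txid": txid, "m": content, "r": r, "ch": ch_hash(self.pk, content, r),
              "orig": {"r": r, "mc": {"m": content}}, "be_numbers": []}  # Be Number list
        self.chain.append({"kind": "RB", "number": len(self.chain), "txs": {txid: tx}})
        return tx

    def find(self, txid):
        return next(b["txs"][txid] for b in self.chain if b["kind"] == "RB" and txid in b["txs"])

    def redact(self, x, editor, txid, new_content, replies):
        """Algorithm 3: verify, forge r', require a majority of 'agree', append Ber."""
        tx = self.find(txid)
        if ch_hash(self.pk, tx["m"], tx["r"]) != tx["ch"]:
            raise ValueError("stored transaction does not verify")
        if editor in self.revoked or sum(replies) < len(replies) / 2:
            return None                                  # request discarded
        r_new = ch_forge(x, tx["m"], tx["r"], new_content)
        mt = {"r": r_new, "mc": {"txid": txid, "ch": tx["ch"], "id": editor, "m": new_content}}
        self.chain.append({"kind": "Ber", "number": len(self.chain), "mt": mt})
        tx["m"], tx["r"] = new_content, r_new            # digest tx["ch"] is unchanged
        tx["be_numbers"].append(len(self.chain) - 1)
        return tx["be_numbers"][-1]

    def account(self, editor, replies):
        """Algorithm 5 (assumption: a majority of 'reject' replies revokes the editor)."""
        if len(replies) - sum(replies) > len(replies) / 2:
            self.revoked.add(editor)
        return editor in self.revoked

    def trace(self, txid):
        """Algorithm 4: edit history list EHL read from the Be Number list."""
        return [self.chain[n]["mt"]["mc"]["m"] for n in self.find(txid)["be_numbers"]]

    def rollback(self, txid, m):
        """Algorithm 6: undo the last m edits (assumption: m == n restores the original)."""
        tx = self.find(txid)
        n = len(tx["be_numbers"])
        assert 0 < m <= n, "m must satisfy 1 <= m <= n"
        keep, drop = tx["be_numbers"][:n - m], tx["be_numbers"][n - m:]
        src = self.chain[keep[-1]]["mt"] if keep else tx["orig"]   # state after edit n-m
        tx["m"], tx["r"] = src["mc"]["m"], src["r"]
        for num in drop:
            self.chain[num]["mt"] = None                 # Delete Be_j.MT_i
        tx["be_numbers"] = keep
        return tx
```

The property worth checking after every `redact` and `rollback` is that `ch_hash(pk, content, r)` still equals the digest `ch` fixed when the transaction was created, which is what keeps the block header and the chain's hash links valid while the content changes; only the holder of the trapdoor `x` can produce the new `r`, and the revocation list, the Be Number list and the edit blocks are the bookkeeping that lets validators refuse a request or unwind an edit afterwards.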

5. Experiments and Results Analysis


In this section, we verify the model and scheme proposed in this paper through two
main experiments. First, we demonstrate the performance of the HIBCH-RS model through
experiments, and showcase the tangible outcomes of the optimized and innovative method-
ology proposed in this paper. Then, in a second experiment, we deploy the redactable
scheme in Hyperledger Fabric to test performance. In recent years, very few redactable
schemes with quantum-resistant properties have been deployed in blockchain systems.
Therefore, this article reports the performance of the lattice-based cryptographic redactable
scheme.
The experimental procedures were carried out on a 64-bit Ubuntu 20.04.4 LTS operating system. The hardware configuration encompassed an 8-core Intel Core i7-9700 CPU running at 3.00 GHz. The implementation of the HIBCH-RS model was accomplished utilizing Python 3.9.2. Subsequently, the deployable editable solution was executed on the permissioned (alliance-chain) Hyperledger Fabric 2.4.1 blockchain framework. The evaluation of blockchain performance was conducted through the utilization of the Hyperledger Caliper benchmarks.

5.1. Performance of HIBCH-RS


We provide a proof-of-concept of the HIBCH-RS scheme in this subsection and give
analytical results experimentally to verify its efficiency and practicality.

5.1.1. Evaluation Time and Size of the Hierarchical Model


From the parameter analysis in Section 3.3.1, we selected four sets of parameters for
the experiment in Table 3.

Table 3. The selected parameter groups.

Parameter Group n m w
Group 1 20 920 460
Group 2 40 2080 1040
Group 3 60 3480 1740
Group 4 80 5120 2560

Generally, in the public key model of lattice cryptosystems, n should be greater than 256. In this experiment, to compare the effect of parameter changes on the model as well as to reduce the computing time to improve the efficiency, we select the case where n is 20~80.

In Figure 4, we use pg to denote a set of parameters.

[Figure 4: panels (a), (b), (c)]

Figure 4. Comparison of running times and size. (a) The run time of HIBCH-RS with update algorithm; (b) the public key size; (c) the private or trapdoor size.

In the first experiment, we tested the time and secret key size of the runs of the hierarchical algorithm in the HIBCH-RS model, respectively. From Figure 4, we can see that the trapdoor delegation algorithm consumes more time and produces larger trapdoor matrix elements as the parameters change. This is because in the algorithm we have used nk times the SampleD Gaussian sampling algorithm, and the SampleD algorithm performs a complex Gaussian sampling that causes the size of the delegated trapdoor to be linear with the dimensions of the delegated public key [36]. In future experiments, we will look to establish more efficient and stable Gaussian sampling algorithms for improvement. On the other hand, as can be seen in Figure 4, we added the SlaveKey algorithm, which runs in much less time than the Setup algorithm. Therefore, the addition of this algorithm does not put too much burden on the system. For the storage expense shown in Figure 4b,c, among the public key of the public parameter PP, master key, delegated public key, and delegated trapdoor, the trapdoor storage expense is higher because the trapdoor is generated by the DelTrap algorithm, which runs nk times the SampleD algorithm.
Next, we observe that some schemes for hierarchical identity encryption are related to the number of layers of delegation, such as schemes with a hierarchical identity-based puncturable encryption model (HIBPE) in [38], and the efficient quantum-safe hierarchical identity-based cryptosystem with traceable identities (AHIBET) in [39]. In Table 4, we list the delegated key sizes for both schemes and HIBCH-RS.
Table 4. Comparison of delegation key sizes.

Model      Size (Public Key)    Size (Trapdoor)                     Parameter
HIBCH-RS   n × (m + 2w)         (m + w) × w                         m = n log q
HIBPE      n × ℓ* m             (ℓ + η* + 1)m × (ℓ + η + 1)m        m = n log q
AHIBET     n × (m + ℓw)         (m + ℓw) × (m + ℓw)                 w = n log q, m ≥ w + ω(log n)
* ℓ is the level of identity, ℓ < d, where d is the maximum hierarchical depth. η is the number of punctured times.

From the comparison in Table 4, the key size of the HIBPE and AHIBET models increases linearly with increasing levels. In our model, due to the introduction of the slave key algorithm, the size of the delegated key can be fixed in a certain dimension.

5.1.2. Comparison of Time to Compute Chameleon Hash and Find Collisions


In a second experiment, we tested the chameleon hashing algorithm of HIBCH-RS. In this experiment, we compare chameleon hash and find hash collision runtimes. However, we omitted the comparison with the chameleon hash construction scheme from Section 4.1 of [15], which exhibits a notably extended duration for finding collisions within a discrete Gaussian distribution.
In Figure 5a, we can see that for chameleon hash encryption of public data, the HIBCH-RS model can have better performance. However, to realize the management of private data, we sacrifice time for the generation of check fields, so the performance of the chameleon hash function is slightly worse than that of [15]. This approach takes extra time but helps improve the overall security and management of the model.

[Figure 5: panels (a), (b)]

Figure 5. Comparison of hash running times. (a) The run time of the chameleon hash algorithm in the HIBCH-RS scheme; (b) the run time of the forge algorithm in the HIBCH-RS scheme [15].

From Figure 5a,b, we can see that the time differences in computing the chameleon hash among the three algorithms are relatively minor. This is attributed to the closely matched complexities of the chameleon hash proposed by [15] and the HIBCH-RS model. However, the HIBCH-RS model demonstrates notably enhanced efficiency when it comes to the computation of hash collisions.

5.1.3. Scalability
In this paper, the scalability of HIBCH-RS refers to the fact that the system can still maintain its existing efficiency and correctness in the face of large-scale modification requests, large-scale node users, and complex problems. First, the hierarchical identity structure of HIBCH-RS has controllable time complexity and space complexity in delegating keys, and the system performance will not be dramatically degraded with the growth of data or users. Secondly, in terms of privilege control and access efficiency, the design of the HIBCH-RS model can effectively realize the control of privileges, in that only users with trapdoors can perform editing operations. Meanwhile, the algorithms can be efficiently converted between different layers when performing encryption and collision-finding operations. This scalable performance can be demonstrated in the experiments.
5.2. Performance of HIBCH-RS-Based Redactable Blockchain
The redactable blockchain scheme based on HIBCH-RS, as elaborated in Section 4, boasts compatibility across various chain types, including public, alliance, and private chains. In the context of public chains, the scheme necessitates nearly complete decentralization of delegated keys. At this point, editable nodes are added to the hierarchical identity by application in a decentralized way. To establish this dynamic, a reward and punishment mechanism can be instituted, where nodes that adhere to agreed-upon rules can receive rewards, while those that deviate may face penalties.
Within an alliance chain, the scheme can be overseen by a certificate authority and monitored by the regulator. In a private chain, this delegated management structure can be entrusted to a centralized organization, while concurrently imposing constraints on users possessing edit permissions.
To concretize these concepts, this paper proceeded to implement the redacting scheme using the Fabric platform, which is an alliance chain framework featuring a pluggable mechanism. In this subsection, we elucidate the integration of the editing scheme, ensuring compatibility within the Fabric ecosystem.

Redactable Hyperledger Fabric
Schemes for implementing redactable blockchains based on post-quantum ciphers are in the minority, followed by equally fewer schemes for building editability in practical platforms. Thus, there are almost no practical schemes that we can compare. For the above reasons, in this experiment we demonstrate the performance of this paper's scheme mainly in terms of the processing efficiency of editable requests, the size of editable blocks, and the throughput of editable requests. The parameter pg = 60 was chosen for this part of the experiment, and the test was in terms of blocks. The experimental results are shown in Figure 6.
Redactable blocks cost some extra storage due to storing the editing information associated with them, but as can be seen in Figure 6a, this extra cost is small, and in practice, every transaction in the block may not always be allowed to be editable. As a result, block sizes tend to be smaller than shown in the pictures above. Second, in Figure 6b, we show the throughput of edit request processing. The experiment was tested using the Caliper tool, and the choice of the number of transactions stored in the block and the number of transactions sent is shown in Table 5.

[Figure 6: panels (a), (b)]

Figure 6. Redactable blockchain performance. (a) Comparison of block size, with the difference between the redactable block and the original block structure shown in detail. (b) Showing the performance of transactions per second.

Table 5. The number of transactions stored in the block and the number of transactions sent.

                          Exp1    Exp2    Exp3    Exp4     Exp5
Transaction per block     10      100     200     500      1000
Send transaction number   400     4000    8000    20,000   40,000

As can be seen from Figure 6b, the redactable transaction throughput is low compared to the normal transaction throughput, but this is sufficient in a redactable blockchain.
In this paper, in the parameter configuration, the caching time of the edit request was
specified as 5 s. Finally, the selected personal and public transaction data were edited
and verified. We tested the time of Algorithm 3 and results are displayed in Table 6.
When compared to modifying public transaction data, the alteration of private transactions
introduced an extra authentication time for the user. Specifically, the time required for
editing a block in the quantum-resistant redactable blockchain exceeded 4.66 s, but the
maximum time did not exceed 8.29 s.

Table 6. Runtimes for different types of data modification.

            Public Transactions Data    Private Transactions Data
Time (s)    4.66                        8.29

6. Conclusions
Designing a secure and compatible redactable blockchain protocol is a challenging
task. In this paper, we introduce the HIBCH-RS model with subkey updates and trapdoor
updates. Using this model, we constructed redactable schemes that excelled in both security
and compatibility. The scheme represents a significant innovation and breakthrough
compared to many editing techniques that still focus on key sharing. In future work,
we will try to incorporate user attributes to enhance the division of edit permissions. In
addition, we will improve the efficiency of the algorithm by improving the discrete Gaussian
function. In the design of a redactable scheme, we propose to incorporate traceability and
accountability. It is worth noting that to enhance the practical applicability of the editing
scheme, the design of the scheme should continue to focus on how to apply it in both public
and private chain schemes.

Author Contributions: Conceptualization, X.W.; methodology, X.W. and Y.C.; software, X.W. and
C.L.; validation, Y.C.; formal analysis, Y.C.; investigation, X.W. and C.L.; resources, X.Z. and K.F.;
data curation, X.W.; writing—original draft preparation, X.W.; writing—review and editing, Y.C.;
visualization, C.L.; supervision, K.F.; project administration, Y.C.; funding acquisition, X.Z. and K.F.
All authors have read and agreed to the published version of the manuscript.
Funding: This research was funded by “Science Research Excellent Youth Project of Hunan Provincial
Department of Education under grant number 23B0906”, “Science Research Excellent Youth Project of
Hunan Provincial Department of Education under grant number 23B0920”, “The Key Research and
Development Project of Hunan Province, China, grant number 2023NK2011”, “Scientific Research
Fund of Hunan Provincial Education Department, grant number 21A0599” and “Key project of the
14th Five-Year Plan of Education Science of Hunan Province, grant number XJK23AJD016”.
Institutional Review Board Statement: Not applicable.
Informed Consent Statement: Not applicable.
Data Availability Statement: Data are contained within the article.
Acknowledgments: This work was supported by the project of “The discipline of business management
of provincial-level application characteristics of Hunan Women’s University”.

Conflicts of Interest: The authors declare no conflicts of interest.

