Bringing Order to Chaos: The Case of Collision-Resistant Chameleon-Hashes

Derler, David; Samelin, Kai; Slamanig, Daniel

doi:10.1007/s00145-024-09510-9

Bringing Order to Chaos: The Case of Collision-Resistant Chameleon-Hashes

Research Article
Open access
Published: 02 July 2024

Volume 37, article number 29, (2024)
Cite this article

Download PDF

You have full access to this open access article

Journal of Cryptology Aims and scope Submit manuscript

Bringing Order to Chaos: The Case of Collision-Resistant Chameleon-Hashes

Download PDF

David Derler¹,
Kai Samelin² &
Daniel Slamanig³

587 Accesses
1 Citation
Explore all metrics

Abstract

Chameleon-hash functions, introduced by Krawczyk and Rabin (NDSS’00), are trapdoor collision-resistant hash functions parametrized by a public key. If the corresponding secret key is known, arbitrary collisions for the hash function can be found efficiently. Chameleon-hash functions have prominent applications in the design of cryptographic primitives, such as lifting non-adaptively secure signatures to adaptively secure ones. Recently, this primitive also received a lot of attention as a building block in more complex cryptographic applications, ranging from editable blockchains to advanced signature and encryption schemes. We observe that, in latter applications, various different notions of collision-resistance are used, and it is not always clear if the respective notion really covers what seems intuitively required by the application. Therefore, we revisit existing collision-resistance notions in the literature, study their relations, and by means of selected applications discuss which practical impact different notions of collision-resistance might have. Moreover, we provide a stronger, and arguably more desirable, notion of collision-resistance than what is known from the literature (which we call full collision-resistance). Finally, we present a surprisingly simple, and efficient, black-box construction of chameleon-hash functions achieving this strong notion of full collision-resistance.

Bringing Order to Chaos: The Case of Collision-Resistant Chameleon-Hashes

Chameleon-Hashes with Ephemeral Trapdoors

Chameleon-Hashes with Dual Long-Term Trapdoors and Their Applications

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

1 Introduction

A chameleon-hash function ($\textsf{CH}$) is a trapdoor collision-resistant hash function parametrized by a public key. If the corresponding secret key is known, arbitrary collisions for the hash function, i.e., distinct messages $m\ne m'$ yielding the same hash value h, can be efficiently found. Over the years, they have proven to be a very useful tool in theory, as well as in practice. Exemplary, $\textsf{CH}$s have been suggested by Shamir and Tauman [52] to construct online/offline signatures [21, 33, 34] (cf. also Sect. 6). Moreover, Shamir and Tauman in [52] showed that $\textsf{CH}$s can be used to generically lift non-adaptively secure signature schemes to adaptively secure ones, which has subsequently been used for instance by Hohenberger and Waters [43] to obtain short signatures under the RSA assumption in the standard model. If $\textsf{CH}$s are tightly secure, they can be used to generically construct tightly secure signatures [14]. Likewise, $\textsf{CH}$s are used to generically construct strong one-time signatures as shown by Mohassel [49], inspired by a concrete construction by Groth [38]. Zhang [57] shows how to construct IND-CCA secure public-key encryption from tag-based encryption (TBE) or identity-based encryption (IBE) and $\textsf{CH}$s. Bellare and Ristov [11, 12] made the interesting discovery that chameleon-hashes in the sense of Krawczyk and Rabin [46] are equivalent to $\Sigma $-protocols, i.e., three round public-coin honest-verifier zero-knowledge proofs of knowledge. $\textsf{CH}$s are also used to construct sanitizable signatures [4, 17, 18], i.e., signatures where a designated entity can modify certain parts of a signed message without invalidating the respective signature under controlled conditions. Furthermore, $\textsf{CH}$s have been used by Steinfeld et al. [54] to extend Schnorr and RSA signatures to the universal designated-verifier setting [53]. Also, different flavors of chameleon-hashing such as (hierarchical) identity-based [6, 8] or policy-based chameleon-hash functions [26, 51] have been studied.

In a more applied setting, $\textsf{CH}$s have shown to be valuable to construct integrity measurement and remote attestation mechanisms (denoted chameleon attestation) [2], and are used in vehicular ad-hoc networks (VANETs) [41] or handover authentication in mobile networks [22]. More recently, $\textsf{CH}$s have been used as a means to rewrite blocks in blockchains by replacing the hash function to chain blocks and/or to hash transactions by chameleon-hashes [5, 26], to which we come back in Sect. 6. This brief discussion already shows that chameleon-hashes are used in a wide spectrum of different applications requiring different strength of the respective chameleon-hash. Consequently, authors often introduce some ad-hoc notion of collision-resistance for their applications, or even ignore that applications might require a stronger notion. Subsequently, we briefly discuss the different notions which are most commonly found in the literature.

1.1 Formalizing Chameleon-Hashes

The concept of chameleon-hashing dates back to the notion of trapdoor commitments introduced by Brassard et al. [16] and was firstly coined chameleon-hashing by Krawczyk and Rabin [46] with an instantiation based on the well-known trapdoor-commitment scheme by Pedersen [50]. Later, Ateniese and de Medeiros [7] observed that the initial collision-resistance notion (which we denote $\textsf{W}\text {-}\textsf{CollRes}$) is rather weak (it does not give the adversary access to any collisions), and, more importantly, it is also satisfied by chameleon-hashes suffering from the key-exposure problem. Namely, when seeing a single collision for some hash h, it allows to publicly extract the secret trapdoor. Thus, any further guarantees are lost. While this is a desirable property for the initial use in chameleon signatures [46], and is also sufficient for the lifting compiler to adaptively secure signatures [52] (as no collision is ever revealed), it is too weak for many other applications. The key-exposure freeness definition by Ateniese and de Medeiros [7] is for the specific case of public-coin chameleon-hashing (where verifying the chameleon-hash is essentially re-computing it). To address this, Ateniese et al. [5] introduced a related notion called enhanced collision-resistance (which we denote $\textsf{E}\text {-}\textsf{CollRes}$) for the generalized case of secret-coin chameleon-hashing (which is the setting that we also consider). The latter notion allows the adversary to see collisions, but it is not allowed to see any collision for the target hash, i.e., the hash corresponding to the collision it computes. Hence, once a single collision for a hash h is seen, an adversary can potentially find arbitrary collisions for that particular hash h. Recently, Khalili et al. [45] have pointed out issues regarding the practicality of the concrete random-oracle model instantiation,^{Footnote 1} proposed by Ateniese et al. in [5], and propose alternative constructions in the standard model. In another work, Camenisch et al. [18] proposed an alternative collision-resistance notion which allows the adversary to see arbitrary collisions also for the target hash, but not for the target message, i.e., the message used in the collision output by the adversary has never been queried. In other words, once a collision for a message m is seen, an adversary is allowed to find arbitrary other hashes $h'$ with the queried messages. Arguably, this notion seems more realistic as it is better compatible with practical applications (e.g., one can often make the messages unique by appending a tag/nonce), and thus we denote it as standard collision-resistance (or $\textsf{S}\text {-}\textsf{CollRes}$).

1.2 Motivation and Contribution

The previous discussion already illustrates that there are many different collision-resistance notions. While this does not necessarily point to an issue, we observe that it is not always clear whether the respective notion does really cover what is required by the respective application. Moreover, it is not clear if the last notion discussed above ($\textsf{S}\text {-}\textsf{CollRes}$) is already the most desirable notion, or, if even stronger notions are achievable, and do have practical relevance. Motivated by these observations, we provide the following contributions:

1.2.1 Relations among Properties

We discuss the different security notions of chameleon-hashes, and rigorously study relations among them. Most importantly, we, for the first time, clarify the picture of existing collision-resistance notions by showing implications, and separations, (cf. Figure 1 for an overview). In the course of showing separations, we also provide a construction of a chameleon-hash satisfying the $\textsf{E}\text {-}\textsf{CollRes}$ notion, but which clearly demonstrates weaknesses of this notion.

1.2.2 Stronger Notion

We find that the strongest existing collision-resistance notions, i.e., $\textsf{E}\text {-}\textsf{CollRes}$ and $\textsf{S}\text {-}\textsf{CollRes}$ (which are incomparable), might still be too weak for practical applications, see, e.g., Sect. 6. In particular, even if $\textsf{S}\text {-}\textsf{CollRes}$ is satisfied, the hash values might still be malleable leaving space for potential real-world attacks. Consequently, we propose a stronger notion coined full collision-resistance (or $\textsf{F}\text {-}\textsf{CollRes}$ for short), which enforces that the adversary cannot (except with negligible probability) output any new collisions and covers what one intuitively expects from collision-resistance.

1.2.3 Black-Box Construction

We present a simple, yet elegant, black-box construction of a chameleon-hash function satisfying this strong $\textsf{F}\text {-}\textsf{CollRes}$ notion. Considering the complexity of existing constructions in [5, 45], this is somewhat surprising. To recall, the construction from Ateniese et al. [5] starts from a public-coin chameleon-hash function that satisfies $\textsf{W}\text {-}\textsf{CollRes}$, uses an IND-CPA-secure encryption-scheme to encrypt the randomness of the chameleon-hash and then uses a true-simulation extractable (tSE) NIZK [32],^{Footnote 2} which is, in turn, based on a NIZK and an IND-CCA secure public-key encryption scheme, to prove that the ciphertext is an encryption of the randomness. The constructions by Khalili et al. [45], which avoid the aforementioned issues with [5], are based on another new public-coin chameleon-hash function that satisfies $\textsf{W}\text {-}\textsf{CollRes}$ and then either uses Groth–Sahai NIZK proofs [40] and the IND-CCA secure Cramer–Shoup encryption scheme [25] or a succinct non-interactive argument of knowledge (SNARK). Both constructions by Khalili et al. [45] basically follow the generic template in [5]. In contrast, our black-box construction of a $\textsf{F}\text {-}\textsf{CollRes}$ chameleon-hash is constructed from perfectly correct (multi-challenge) IND-CPA secure encryption, e.g., ElGamal encryption, and a simulation-sound extractable non-interactive zero-knowledge proof (SSE-NIZK), e.g., applying the compiler of Faust et al. [35] to a Fiat-Shamir transformed $\Sigma $-protocol. The basic idea is that the chameleon-hash is the encryption c of the message m and the randomness of the chameleon-hash is a NIZK proof s.t. either c correctly encrypts m under the $\textsf{pk}$ of $\textsf{CH}$ or one knows the secret key $\textsf{sk}$ corresponding to $\textsf{pk}$. Interestingly, already a perfectly binding commitment (without any hiding) is sufficient to achieve the $\textsf{F}\text {-}\textsf{CollRes}$ notion, but instead a multi-challenge IND-CPA secure encryption scheme as a perfectly binding commitment is used to additionally achieve the indistinguishability property of the $\textsf{CH}$, i.e., that fresh and adapted hashes are indistinguishable, a notion that is considered standard for chameleon-hashes.

1.2.4 Applications

We discuss how our stronger notion allows to strengthen the security of existing applications. In particular, in Sect. 6 we discuss what problems may be caused by different notions of collision-resistance within recent applications to redactable blockchains [5, 26]. Here, either the hash function to chain blocks in a blockchain or the hash functions to aggregate transactions within single blocks (usually by means of a Merkle-tree) are replaced by a chameleon-hash function. Moreover, we take a second look at online/offline signatures and discuss how chameleon-hashes providing a stronger collision-resistance notion than the $\textsf{W}\text {-}\textsf{CollRes}$ notion used by Shamir and Tauman in [52] allows to re-use offline signatures and add more robustness at the cost of a more expensive offline phase and a slightly more costly online phase.

1.3 Differences to the Conference Version

Compared to the conference version published at IACR PKC 2020 [29], this version in Sect. 3.3 includes a more complete treatment of indistinguishability and in particular stronger indistinguishability notions and their relations. Moreover, in Sect. 4.1 it includes examples of existing chameleon-hashes providing the $\textsf{W}\text {-}\textsf{CollRes}$ and $\textsf{S}\text {-}\textsf{CollRes}$ notions, and, in Sect. 4.2 the full proofs of our construction providing $\textsf{E}\text {-}\textsf{CollRes}$. Finally, in Sect. 6.2 as an additional application we discuss the use of chameleon-hashes with stronger collision-resistance notions in online/offline signatures.

1.4 Follow-up Work

Derler et al. in SCN’20 [28] show how to remove the requirement to rely on public-key encryption from the approach presented in this paper. In particular, they show how to construct fully collision-resistant chameleon-hashes based on SSE NIZKs and non-interactive commitment schemes. They then present an instantiation from the discrete logarithm (DL) problem and a concrete construction from the learning parity with noise (LPN) problem. Latter yields the first chameleon-hash from post-quantum assumptions that provides a collision-resistance notion stronger than $\textsf{W}\text {-}\textsf{CollRes}$ (as, e.g., the lattice-based chameleon-hash by Cash et al. from EC’10 [19]). In PKC’24, Li and Liu [47] introduce a lattice-based $\textsf{F}\text {-}\textsf{CollRes}$ chameleon-hash without resorting to random oracles or NIZK proofs by relying on the new notion of tagged chameleon hashes. Very recently, Bellare, Riepel and Shea [13] initiated the formal study of backdoored hash functions, which are closely related to chameleon-hashes, and introduce a notion of $\textsf{F}\text {-}\textsf{CollRes}$ for such hash functions.

2 Preliminaries

2.1 Notation

With $\lambda \in \mathbb {N}$ we denote our security parameter. All algorithms implicitly take $1^\lambda $ as an additional input. We write $a \leftarrow _\$A(x)$ if the output of a probabilistic algorithm A with input x is assigned to a and use $a \leftarrow A(x)$ if A is deterministic. An algorithm is efficient, if it runs in probabilistic polynomial time (PPT) in the length of its input. All algorithms are PPT, if not explicitly mentioned otherwise. If we want to make the random coins used by an algorithm A explicit, we use the notation $a \leftarrow _\$A(x;\xi )$. We write $(a;\xi ) \leftarrow _\$A(x)$, if we need to access the random coins $\xi $ internally drawn by A. Most algorithms may return a special error symbol $\perp \ \notin \{0,1\}^*$, denoting an exception. Returning output ends execution of an algorithm or an oracle. To make the presentation in the security proofs more compact, we occasionally use $(a,\bot )\leftarrow _\$A(x)$ to indicate that the second output is either ignored or not returned by A. If S is a finite set, we write $a \leftarrow _\$S$ to denote that a is chosen uniformly at random from S. $\mathcal {M}$ denotes a message space of a scheme, and we generally assume that $\mathcal {M}$ is derivable from the scheme’s public parameters or its public key. For a list we require that there is an injective, and efficiently reversible, encoding, that maps the list to $\{0,1\}^*$. A function $\nu :\mathbb {N}\rightarrow \mathbb {R}_{\ge 0}$ is negligible, if it vanishes faster than every inverse polynomial, i.e., $\forall k\in \mathbb {N}$, $\exists n_0\in \mathbb {N}$ such that $\nu (n)\le n^{-k}$, $\forall n>n_0$.

2.2 Building Blocks

We now present the building blocks we require. These include key-verifiable multi-challenge IND-CPA (mcIND-CPA) secure public-key encryption schemes $\mathsf {\Omega }$, digital signature schemes $\mathsf {\Sigma }$, and non-interactive zero-knowledge proofs $\mathsf {\Pi }$.

2.2.1 Public-Key Encryption Schemes

Subsequently, we define public-key encryption schemes.

Definition 1

(Public-Key Encryption Scheme) A public-key encryption scheme $\mathsf {\Omega }$ consists of five algorithms $\{\textsf{PG}_\mathsf {\Omega },\textsf{KG}_\mathsf {\Omega },\textsf{Enc},\textsf{Dec}, \textsf{KVf}_\mathsf {\Omega }\}$, such that:

$\textsf{PG}_\mathsf {\Omega }$.:

The algorithm $\textsf{PG}_\mathsf {\Omega }$ outputs the public parameters of the scheme:

$$\begin{aligned} {\textsf{pp}_\mathsf {\Omega }}\leftarrow _\$\textsf{PG}_\mathsf {\Omega }(1^\lambda ). \end{aligned}$$

It is assumed that ${\textsf{pp}_\mathsf {\Omega }}$ is an implicit input to all other algorithms.

$\textsf{KG}_\mathsf {\Omega }$.:

The algorithm $\textsf{KG}_\mathsf {\Omega }$ outputs the key pair, on input ${\textsf{pp}_\mathsf {\Omega }}$:

$$\begin{aligned} ({\textsf{sk}_\mathsf {\Omega }}, {\textsf{pk}_\mathsf {\Omega }}) \leftarrow _\$\textsf{KG}_\mathsf {\Omega }({\textsf{pp}_\mathsf {\Omega }}). \end{aligned}$$

$\textsf{Enc}$.:

The algorithm $\textsf{Enc}$ gets as input the public key ${\textsf{pk}_\mathsf {\Omega }}$, and a message $m \in \mathcal {M}$ to encrypt. It outputs a ciphertext c:

$$\begin{aligned} c \leftarrow _\$\textsf{Enc}({\textsf{pk}_\mathsf {\Omega }}, m). \end{aligned}$$

$\textsf{Dec}$.:

The deterministic algorithm $\textsf{Dec}$ outputs a message $m \in \mathcal {M} \cup \{ \bot \}$ on input ${\textsf{sk}_\mathsf {\Omega }}$, and a ciphertext c:

$$\begin{aligned} m \leftarrow \textsf{Dec}({\textsf{sk}_\mathsf {\Omega }}, c). \end{aligned}$$

$\textsf{KVf}_\mathsf {\Omega }$.:

The deterministic algorithm $\textsf{KVf}_\mathsf {\Omega }$ decides whether a given public key ${\textsf{pk}_\mathsf {\Omega }}$ corresponds to a given secret key ${\textsf{sk}_\mathsf {\Omega }}$:

$$\begin{aligned} d \leftarrow \textsf{KVf}_\mathsf {\Omega }({\textsf{pk}_\mathsf {\Omega }}, {\textsf{sk}_\mathsf {\Omega }}). \end{aligned}$$

Definition 2

(Correctness) A public key encryption scheme $\mathsf {\Omega }$ is called correct, if for all security parameters $\lambda \in \mathbb {N}$, for all ${\textsf{pp}_\mathsf {\Omega }}\leftarrow _\$\textsf{PG}_\mathsf {\Omega }(1^\lambda )$, for all $({\textsf{sk}_\mathsf {\Omega }}, {\textsf{pk}_\mathsf {\Omega }}) \leftarrow _\$\textsf{KG}_\mathsf {\Omega }({\textsf{pp}_\mathsf {\Omega }})$, for all $m \in \mathcal {M}$, for all $c \leftarrow _\$\textsf{Enc}({\textsf{pk}_\mathsf {\Omega }}, m)$, we have that $m = \textsf{Dec}({\textsf{sk}_\mathsf {\Omega }}, c)$ and that for all ${\textsf{sk}_\mathsf {\Omega }}'$ we have that $\textsf{KVf}_\mathsf {\Omega }({\textsf{pk}_\mathsf {\Omega }}, {\textsf{sk}_\mathsf {\Omega }}') = 1 \implies m = \textsf{Dec}({\textsf{sk}_\mathsf {\Omega }}', c)$.

Definition 3

(Multi-Challenge IND-CPA Security) A public-key encryption scheme $\mathsf {\Omega }$ is multi-challenge IND-CPA secure (mcIND-CPA), if for any PPT adversary $\mathcal {A}$ there exists a negligible function $\nu $ such that:

$$\begin{aligned} \left| \Pr \left[ {\textbf{Exp}^{\mathsf {mcIND\text{- }CPA}}_{\mathcal {A},\mathsf {\Omega }}(\lambda )} = 1\right] - \nicefrac {1}{2}\right| \le \nu (\lambda ). \end{aligned}$$

The corresponding experiment is depicted in Fig. 2.

Bellare et al. have shown, via a hybrid argument, that mcIND-CPA is equivalent to standard, i.e., “single-message”, IND-CPA [9]. We opted for using mcIND-CPA, because it allows writing our proofs down more compactly, improving readability.

2.2.2 Digital Signature Schemes

Subsequently, we define signature schemes.

Definition 4

(Digital Signatures) A digital signature scheme $\mathsf {\Sigma }$ consists of four algorithms $\{\textsf{PG}_\mathsf {\Sigma }, \textsf{KG}_\mathsf {\Sigma },\textsf{Sgn}_\mathsf {\Sigma },\textsf{Vrf}_\mathsf {\Sigma }\}$ such that:

$\textsf{PG}_\mathsf {\Sigma }$.:

The algorithm $\textsf{PG}_\mathsf {\Sigma }$ outputs the public parameters

$$\begin{aligned} \textsf{pp}_{\mathsf {\Sigma }}\leftarrow _\$\textsf{PG}_\mathsf {\Sigma }(1^\lambda ). \end{aligned}$$

We assume that $\textsf{pp}_{\mathsf {\Sigma }}$ is implicit input to all other algorithms.

$\textsf{KG}_\mathsf {\Sigma }$.:

The algorithm $\textsf{KG}_\mathsf {\Sigma }$ outputs the public and private key of the signer, where $\lambda $ is the security parameter:

$$\begin{aligned} (\textsf{sk}_\mathsf {\Sigma }, \textsf{pk}_\mathsf {\Sigma }) \leftarrow _\$\textsf{KG}_\mathsf {\Sigma }(\textsf{pp}_{\mathsf {\Sigma }}). \end{aligned}$$

$\textsf{Sgn}_\mathsf {\Sigma }$.:

The algorithm $\textsf{Sgn}_\mathsf {\Sigma }$ gets as input the secret key $\textsf{sk}_\mathsf {\Sigma }$ and the message $m \in \mathcal {M}$ to sign. It outputs a signature:

$$\begin{aligned} \sigma \leftarrow _\$\textsf{Sgn}_\mathsf {\Sigma }(\textsf{sk}_\mathsf {\Sigma }, m). \end{aligned}$$

$\textsf{Vrf}_\mathsf {\Sigma }$.:

The deterministic algorithm $\textsf{Vrf}_\mathsf {\Sigma }$ outputs a decision bit $d \in \{0,1\}$, indicating if the signature $\sigma $ is valid, w.r.t. $\textsf{pk}_\mathsf {\Sigma }$ and m:

$$\begin{aligned} d \leftarrow \textsf{Vrf}_\mathsf {\Sigma }(\textsf{pk}_\mathsf {\Sigma }, m, \sigma ). \end{aligned}$$

Definition 5

(Correctness) A digital signature scheme $\mathsf {\Sigma }$ is called correct, if for all security parameters $\lambda \in \mathbb {N}$, for all $\textsf{pp}_{\mathsf {\Sigma }}\leftarrow _\$\textsf{PG}_\mathsf {\Sigma }(1^\lambda )$, for all $(\textsf{sk}_\mathsf {\Sigma },\textsf{pk}_\mathsf {\Sigma }) \leftarrow _\$\textsf{KG}_\mathsf {\Sigma }(\textsf{pp}_{\mathsf {\Sigma }})$, for all $m \in \mathcal {M}$, $\textsf{Vrf}_\mathsf {\Sigma }(\textsf{pk}_\mathsf {\Sigma },m,\textsf{Sgn}_\mathsf {\Sigma }(\textsf{sk}_\mathsf {\Sigma },m)) =1$ is true.

We require existential unforgeability under adaptively chosen message attacks (eUNF-CMA security). In a nutshell, unforgeability requires that an adversary $\mathcal {A}$ cannot (except with negligible probability) come up with a signature for a message $m^*$ for which the adversary did not see any signature before, even if the adversary $\mathcal {A}$ is allowed to adaptively query for signatures on messages of its own choice.

Definition 6

(Unforgeability) We say a digital signature scheme $\mathsf {\Sigma }$ scheme is unforgeable, if for every PPT adversary $\mathcal {A}$, there exists a negligible function $\nu $ such that:

$$\begin{aligned} \Pr \left[ {\textbf{Exp}^{\mathsf {eUNF\text{- }CMA}}_{\mathcal {A},\mathsf {\Sigma }}(\lambda )} = 1\right] \le \nu (\lambda ). \end{aligned}$$

The corresponding experiment is depicted in Fig. 3.

For Construction 3, we require that the size of signatures is independent of the size of the signed messages.

2.2.3 Non-Interactive Proof Systems.

Let L be an NP-language with associated witness relation R, i.e., such that $L = \{ x \mid \exists w: R(x,w) = 1\}$. A non-interactive proof system allows to prove membership of some statement x in the language L. More formally, such a system is defined as follows.

Definition 7

(Non-Interactive Proof System) A non-interactive proof system $\mathsf {\Pi }$ for language L consists of three algorithms $\{\textsf{PG}_\mathsf {\Pi },\textsf{Prf}_\mathsf {\Pi },\textsf{Vfy}_\mathsf {\Pi }\}$, such that:

$\textsf{PG}_\mathsf {\Pi }$.:: The algorithm $\textsf{PG}_\mathsf {\Pi }$ outputs public parameters of the scheme, where $\lambda $ is the security parameter:
$$\begin{aligned} \textsf{crs}_\mathsf {\Pi }\leftarrow _\$\textsf{PG}_\mathsf {\Pi }(1^\lambda ). \end{aligned}$$
$\textsf{Prf}_\mathsf {\Pi }$.:: The algorithm $\textsf{Prf}_\mathsf {\Pi }$ outputs the proof $\pi $, on input of the CRS $\textsf{crs}_\mathsf {\Pi }$, statement x to be proven, and the corresponding witness w:
$$\begin{aligned} \pi \leftarrow _\$\textsf{Prf}_\mathsf {\Pi }(\textsf{crs}_\mathsf {\Pi }, x, w). \end{aligned}$$
$\textsf{Vfy}_\mathsf {\Pi }$.:: The deterministic algorithm $\textsf{Vfy}_\mathsf {\Pi }$ verifies the proof $\pi $ by outputting a bit $d \in \{0, 1\}$, w.r.t. to some CRS $\textsf{crs}_\mathsf {\Pi }$ and some statement x:
$$\begin{aligned} d \leftarrow \textsf{Vfy}_\mathsf {\Pi }(\textsf{crs}_\mathsf {\Pi }, x, \pi ). \end{aligned}$$

Definition 8

(Correctness) A non-interactive proof system is called correct, if for all $\lambda \in \mathbb {N}$, for all $\textsf{crs}_\mathsf {\Pi }\leftarrow _\$\textsf{PG}_\mathsf {\Pi }(1^\lambda )$, for all $x \in L$, for all w such that $R(x,w) = 1$, for all $\pi \leftarrow _\$\textsf{Prf}_\mathsf {\Pi }(\textsf{crs}_\mathsf {\Pi }, x, w)$, it holds that $\textsf{Vfy}_\mathsf {\Pi }(\textsf{crs}_\mathsf {\Pi }, x, \pi ) = 1$.

In the context of (zero-knowledge) proof-systems, correctness is sometimes also referred to as completeness. In addition, we require two standard security notions for zero-knowledge proofs of knowledge: zero-knowledge and simulation-sound extractability. We define them analogously to the definitions given in [27].

Informally speaking, zero-knowledge says that the receiver of the proof $\pi $ does not learn anything except the validity of the statement.

Definition 9

(Zero-Knowledge) A non-interactive proof system $\mathsf {\Pi }$ for language L is zero-knowledge, if for any PPT adversary $\mathcal {A}$, there exists an PPT simulator $\textsf{SIM}= (\textsf{SIM}_1, \textsf{SIM}_2)$ such that there exist negligible functions $\nu _1$ and $\nu _2$ such that

$$\begin{aligned} \biggl | \Pr \left[ \textsf{crs}_\mathsf {\Pi }\leftarrow _\$\textsf{PG}_\mathsf {\Pi }(1^\lambda )\right. ~:~&\left. \mathcal {A}(\textsf{crs}_\mathsf {\Pi }) = 1 \right] - \\&\Pr \left[ (\textsf{crs}_\mathsf {\Pi }, \tau ) \leftarrow _\$\textsf{SIM}_1(1^\lambda ) ~:~ \mathcal {A}(\textsf{crs}_\mathsf {\Pi }) = 1 \right] \biggr | \le \nu _1(\lambda ), \end{aligned}$$

and that

$$\begin{aligned} \left| \Pr \left[ {\textbf{Exp}^{\mathsf {Zero\text{- }Knowledge}}_{\mathcal {A},\mathsf {\Pi },\textsf{SIM}}(\lambda )}=1\right] - \nicefrac {1}{2}\right| \le \nu _2(\lambda ), \end{aligned}$$

where the corresponding experiment is depicted in Fig. 4.

Simulation-sound extractability says that every adversary who is able to come up with a proof $\pi ^*$ for a statement must know the witness, even when seeing simulated proofs for adaptively chosen statements potentially not in L. Clearly, this implies that the proofs output by a simulation-sound extractable proof-systems are non-malleable.

Note that the definition of simulation-sound extractability of [38] is stronger than ours in the sense that the adversary also gets the trapdoor $\zeta $ as input. However, in our context this weaker notion (previously also used, e.g., in [1, 32]) suffices.

Definition 10

(Simulation-Sound Extractability) A zero-knowledge non-interactive proof system $\mathsf {\Pi }$ for language L is said to be simulation-sound extractable, if for any PPT adversary $\mathcal {A}$, there exists a PPT extractor $\mathcal {E} = (\mathcal {E}_1, \mathcal {E}_2)$, such that

$$\begin{aligned} \biggl | \Pr \left[ (\textsf{crs}_\mathsf {\Pi }, \tau ) \leftarrow _\$\textsf{SIM}_1(1^\lambda ) \right. ~:~&\left. \mathcal {A}(\textsf{crs}_\mathsf {\Pi }, \tau ) = 1 \right] - \\&\Pr \left[ (\textsf{crs}_\mathsf {\Pi }, \tau , \zeta ) \leftarrow _\$\mathcal {E}_1(1^\lambda ) ~:~ \mathcal {A}(\textsf{crs}_\mathsf {\Pi }, \tau ) = 1 \right] \biggr | = 0, \end{aligned}$$

and that there exist a negligible function $\nu $ so that

$$\begin{aligned} \Pr \left[ {\textbf{Exp}^{\textsf{SimSoundExt}}_{\mathcal {A},\mathsf {\Pi },\mathcal {E}}(\lambda )}\right] =1 \le \nu (\lambda ), \end{aligned}$$

where $\textsf{SIM}= (\textsf{SIM}_1, \textsf{SIM}_2)$ is as in Definition 9 and the corresponding experiment is depicted in Fig. 5.

3 Chameleon-Hashes, Revisited

In this section, we present the formal framework for chameleon-hashes, their security properties with a special focus on the collision-resistance notion, and then show relations and separations between the security properties.

3.1 Framework

We now present the framework for chameleon-hashes. We rely on the most recent comprehensive framework by Camenisch et al. [18], which is, in turn, based upon work done by Ateniese et al. and Brzuska et al. [5, 17].

Definition 11

A chameleon-hash $\textsf{CH}$ is a tuple of five PPT algorithms $(\textsf{CHPG},\textsf{CHKG},\textsf{CHash},\textsf{CHCheck},\textsf{CHAdapt})$, such that:

$\textsf{CHPG}$.:

The algorithm $\textsf{CHPG}$, on input a security parameter $\lambda $ outputs public parameters of the scheme:

$$\begin{aligned}\textsf{pp}_{\textsf{ch}}\leftarrow _\$\textsf{CHPG}(1^\lambda ).\end{aligned}$$

We assume that $\textsf{pp}_{\textsf{ch}}$ is implicit input to all other algorithms.

$\textsf{CHKG}$.:

The algorithm $\textsf{CHKG}$, on input the public parameters $\textsf{pp}_{\textsf{ch}}$ outputs the private and public keys of the scheme:

$$\begin{aligned} (\textsf{sk}_{\textsf{ch}}, \textsf{pk}_{\textsf{ch}}) \leftarrow _\$\textsf{CHKG}(\textsf{pp}_{\textsf{ch}}). \end{aligned}$$

$\textsf{CHash}$.:

The algorithm $\textsf{CHash}$ gets as input the public key $\textsf{pk}_{\textsf{ch}}$, and a message m to hash. It outputs a hash h, and some randomness r^{Footnote 3}:

$$\begin{aligned} (h, r) \leftarrow _\$\textsf{CHash}(\textsf{pk}_{\textsf{ch}}, m). \end{aligned}$$

$\textsf{CHCheck}$.:: The deterministic algorithm $\textsf{CHCheck}$ gets as input the public key $\textsf{pk}_{\textsf{ch}}$, a message m, randomness r, and a hash h. It outputs a bit $d \in \{0, 1\}$, indicating whether the hash h is valid:
$$\begin{aligned} d \leftarrow \textsf{CHCheck}(\textsf{pk}_{\textsf{ch}}, m, r, h). \end{aligned}$$
$\textsf{CHAdapt}$.:: The algorithm $\textsf{CHAdapt}$ on input of a secret key $\textsf{sk}_{\textsf{ch}}$, the message m, new message $m'$, randomness r, and hash h outputs new randomness $r'$:
$$\begin{aligned} r' \leftarrow _\$\textsf{CHAdapt}(\textsf{sk}_{\textsf{ch}}, m,m', r, h). \end{aligned}$$

Definition 12

(Correctness) A chameleon-hash is called correct, if for all security parameters $\lambda \in \mathbb {N}$, for all $\textsf{pp}_{\textsf{ch}}\leftarrow _\$\textsf{CHPG}(1^\lambda )$, for all $(\textsf{sk}_{\textsf{ch}}, \textsf{pk}_{\textsf{ch}}) \leftarrow _\$\textsf{CHKG}(\textsf{pp}_{\textsf{ch}})$, for all $m \in \mathcal {M}$, for all $(h, r) \leftarrow _\$\textsf{CHash}(\textsf{pk}_{\textsf{ch}}, m)$, for all $m' \in \mathcal {M}$, we have for all $r' \leftarrow _\$\textsf{CHAdapt}(\textsf{sk}_{\textsf{ch}}, m, m', r, h)$, that $1=\textsf{CHCheck}(\textsf{pk}_{\textsf{ch}}, m,r, h) =\textsf{CHCheck}(\textsf{pk}_{\textsf{ch}}, m', r', h)$.

3.2 Collision-Resistance, Revisited

In this section we revisit existing collision-resistance notions, introduce a stronger and more desirable notion of collision-resistance dubbed full collision-resistance (or $\textsf{F}\text {-}\textsf{CollRes}$ for short) and discuss how these notions differ. The main idea behind collision-resistance in general is to argue that an adversary that has no access to the secret key $\textsf{sk}_{\textsf{ch}}$ cannot find any collisions, i.e., pairs (m, r) and $(m',r')$ and hash value h s.t. $\textsf{CHCheck}(\textsf{pk}_{\textsf{ch}}, m, r, h) = \textsf{CHCheck}(\textsf{pk}_{\textsf{ch}}, m', r', h) = 1$. In the weakest case, the adversary has no access to any other collisions, whereas in stronger notions the adversary is explicitly allowed to obtain collisions for arbitrary hashes via a $\textsf{CHAdapt}'$ oracle (we indicate these by using boxes). We present all the different notions in Fig. 6, where we indicate the differences in the winning conditions by using boxes.

In all the experiments the challenger generates a key pair $(\textsf{sk}_{\textsf{ch}}, \textsf{pk}_{\textsf{ch}})$ honestly (along with some public parameters) and the adversary is then initialized with $\textsf{pk}_{\textsf{ch}}$. We now discuss the differences of the single collision-resistance notions, where in the weakest case the adversary has no access to an $\textsf{CHAdapt}'$ oracle (which allows the adversary to adaptively ask for collisions with messages and hashes of its own choice), but in all other cases the adversary does. To vertically align the experiments, we insert boxes for lines which are missing in one experiment but are present in the other.

Weak Collision-Resistance ($\textsf{W}\text {-}\textsf{CollRes}$) [46] The adversary $\mathcal {A}$ wins, if it can come up with a collision for the given public key.
Enhanced Collision-Resistance ($\textsf{E}\text {-}\textsf{CollRes}$) [5] The adversary gets access to a collision-finding oracle $\textsf{CHAdapt}'$, which outputs a collision for adversarially chosen hashes, but also keeps track of each queried hash h using the list $\mathcal {Q}$. The adversary wins, if it comes up with a collision for the given public key for an adversarially chosen hash $h^*$ never input to $\textsf{CHAdapt}'$.
Standard Collision-Resistance ($\textsf{S}\text {-}\textsf{CollRes}$) [18] The adversary gets access to a collision-finding oracle $\textsf{CHAdapt}'$, which outputs a collision for the adversarially chosen hash, but also keeps track of each of the queried messages m and $m'$, using the list $\mathcal {Q}$. The adversary wins, if it comes up with a collision for the given public key for an adversarially chosen $h^*$ for which the message $m^*$ output by the adversary was never queried to the collision-finding oracle.
Full Collision-Resistance ($\textsf{F}\text {-}\textsf{CollRes}$). The adversary gets access to a collision-finding oracle $\textsf{CHAdapt}'$, which outputs a collision for the adversarially chosen hash, but also keeps track of each of the queried hash/message pair (h, m) and $(h, m')$, using the list $\mathcal {Q}$. The adversary wins, if it comes up with a hash/message pair $(h^*, m^*)$, for the given public key, never queried to or output from the collision-finding oracle.^{Footnote 4}

Now, we formally define security with respect to all the collision-resistance notions.

Definition 13

($\textsf{X}$ Collision-Resistance) A chameleon-hash $\textsf{CH}$ offers X collision-resistance with $\textsf{X}\in \{\textsf{W}, \textsf{E},\textsf{S}, \textsf{F}\}$, if for any PPT adversary $\mathcal {A}$ there exists a negligible function $\nu $ such that

$$\begin{aligned} \Pr [{\textbf{Exp}^{\mathsf {X-CollRes}}_{\mathcal {A},\textsf{CH}}(\lambda )}=1] \le \nu (\lambda ), \end{aligned}$$

where the corresponding experiment is depicted in Fig. 6.

3.2.1 Discussion of the Notions

$\textsf{W}\text {-}\textsf{CollRes}$ is the notion introduced in the first work on chameleon-hashes by Krawczyk and Rabin [46] and essentially represents the binding notion of a trapdoor-commitment scheme. Note that due to not giving access to a collision-finding oracle it gives no guarantees whatsoever if the adversary sees a single collision for any hash computed for the given public key.^{Footnote 5} The $\textsf{E}\text {-}\textsf{CollRes}$ notion has been introduced by Ateniese et al. [5] and we note that there exists a definition in the setting of public-coin chameleon-hashes, i.e., where the $\textsf{CHCheck}$ algorithm simply re-runs the $\textsf{CHash}$, which is called key-exposure freeness [7, 20]. It captures requirements similar to the ones captured by $\mathsf{E-CollRes}$, but it is not directly comparable as we are considering the more general secret-coin setting. We note that the $\textsf{E}\text {-}\textsf{CollRes}$ notion allows the adversary to come up with arbitrary collisions for hashes it has seen a collision for. The $\mathsf{S-CollRes}$ notion has been introduced by Camenisch et al. [18], and it captures all of the intuitive requirements of real-world applications of chameleon-hashes. Yet, it still allows the hash itself to be malleable which might still be problematic in certain applications. Finally, our new $\textsf{F}\text {-}\textsf{CollRes}$ notion enforces that the adversary cannot (except with negligible probability) output any new collisions and seems to be the most desirable notion for collision-resistance.

3.3 Indistinguishability, Revisited

In a nutshell, indistinguishability requires that an adversary cannot decide whether randomness was obtained through $\textsf{CHash}$ or $\textsf{CHAdapt}$.

We present the respective formal security games in Fig. 7. We highlight differences by using boxes, and missing parts using boxes.

3.3.1 (Normal) Indistinguishability ($\textsf{N}\text {-}\textsf{Ind}$)

Normal Indistinguishability (we sometimes refer to this notion simply as “Indistinguishability”, as this is the standard name in the literature) requires that the randomness r does not reveal if it was obtained through $\textsf{CHash}$ or $\textsf{CHAdapt}$.

Upon setup, the challenger generates a key pair $(\textsf{sk}_{\textsf{ch}}, \textsf{pk}_{\textsf{ch}})$ for $\textsf{CH}$ (along with some public parameters $\textsf{pp}_{\textsf{ch}}$), and draws a bit $b \leftarrow _\$\{0,1\}$. The challenger initializes the adversary with the $\textsf{pk}_{\textsf{ch}}$ and gives the adversary access to a $\textsf{HashOrAdapt}$ oracle, which allows the adversary to submit two messages m, $m'$. Depending on the bit b, the challenger then either hashes $m'$ directly ($b=0$), or first hashes m, and then adapts m to $m'$ ($b=1$). The resulting hash/randomness pair (h, r) (or $(h', r'')$ resp.) is the oracle’s output to the adversary. The adversary’s objective is to guess the bit b. Note that all keys are generated honestly. The adversary gets access to a collision-finding oracle $\textsf{CHAdapt}$ for arbitrary hashes, meaning that the adversary may also input hashes generated by the $\textsf{HashOrAdapt}$-oracle.

Samelin and Slamanig recently introduced full indistinguishability [51], which, in turn, generalizes the notion of strong indistinguishability by Derler et al. [26]. In their notion, the adversary is even allowed to generate the keys which are used for hashing and adapting (in the strong version, the adversary only knows all keys, but cannot generate them). See below for more information. Finally, we introduce an additional notion, dubbed enhanced indistinguishability, where the adversary not only receives the secret key generated, but the randomness r used for generation. This notion may be useful in context where randomness leaks to the adversary.

3.3.2 Strong Indistinguishability ($\textsf{S}\text {-}\textsf{Ind}$)

Strong indistinguishability requires that a randomness r does not reveal whether it was generated using $\textsf{CHash}$ or $\textsf{CHAdapt}$, even if the adversary $\mathcal {A}$ additionally receives the generated secret key. This also means that the collision-finding oracle can be dropped, as the adversary can find collisions on its own.

3.3.3 Enhanced Indistinguishability ($\textsf{E}\text {-}\textsf{Ind}$)

Enhanced indistinguishability requires that a randomness r does not reveal whether it was generated using $\textsf{CHash}$ or $\textsf{CHAdapt}$, even if the adversary $\mathcal {A}$ knows the randomness $\xi $ used to generate the secret key. Again, this also means that the collision-finding oracle can be dropped, as the adversary can find collisions on its own.

3.3.4 Full Indistinguishability ($\textsf{F}\text {-}\textsf{Ind}$)

Full indistinguishability requires that a randomness r does not reveal whether it was generated using $\textsf{CHash}$ or $\textsf{CHAdapt}$, even if the adversary $\mathcal {A}$ controls all values, but the public parameters.^{Footnote 6} Once more, this also means that the collision-finding oracle can be dropped, as the adversary can find collisions on its own.

Definition 14

($\mathsf X$ Indistinguishability) A chameleon-hash $\textsf{CH}$ offers $\mathsf X$ indistinguishability with $\textsf{X} \in \{\textsf{N}, \textsf{S}, \textsf{E}, \textsf{F}\}$, if for any PPT adversary $\mathcal {A}$ there exists a negligible function $\nu $ such that

$$\begin{aligned} \left| \Pr [{\textbf{Exp}^{\mathsf {X-Ind}}_{\mathcal {A},\textsf{CH}}(\lambda )} = 1] - \nicefrac {1}{2} \right| \le \nu (\lambda ). \end{aligned}$$

The corresponding experiments are depicted in Fig. 7.

We only consider normal indistinguishability as fundamental for chameleon-hashes, but examine stronger notions to achieve a more complete picture of the relations. We also stress that there may be scenarios where some sort of indistinguishability is not required or even hindering.

3.4 Uniqueness

Camenisch et al. [18] defined a property called uniqueness. Uniqueness requires that for each hash/message pair, exactly one randomness can be found, even if the adversary $\mathcal {A}$ controls all values, but the public parameters.^{Footnote 7}

Definition 15

(Uniqueness) A chameleon-hash $\textsf{CH}$ is unique, if for any PPT adversary $\mathcal {A}$ there exists a negligible function $\nu $ such that

$$\begin{aligned} \Pr [{\textbf{Exp}^{\textsf{Uniqueness}}_{\mathcal {A},\textsf{CH}}(\lambda )} = 1] \le \nu (\lambda ). \end{aligned}$$

The corresponding experiment is depicted in Fig. 8.

We do not consider uniqueness as a fundamental property, as there are only very few applications requiring this notion [18, 51]. However, to obtain a more complete picture with respect to the relations of the security properties, we also investigate uniqueness.

4 Relationships between Properties of Chameleon-Hashes

Below we show relations and separations between the security properties of chameleon-hashes. Before doing so, we recall in Sect. 4.1 examples of chameleon-hashes providing the $\textsf{W}\text {-}\textsf{CollRes}$ and $\textsf{S}\text {-}\textsf{CollRes}$ notions, respectively.

4.1 Existing Constructions of Chameleon-Hashes

4.1.1 Instantiation of a Weakly Collision-Resistant $\textsf{CH}$

We recall the initial $\textsf{CH}$ construction by Krawczyk and Rabin [46] in Construction 1.

Note that a collision-resistant hash function is applied to the message prior to chameleon-hashing to extend the domain, which is a standard technique. Seeing a collision (if not resulting from the collision-resistant hash function) allows to extract the $\textsf{sk}_{\textsf{ch}}$ by computing $x \leftarrow \nicefrac {(H(m)-H(m'))}{(r'-r)} \bmod q$.

4.1.2 Instantiation of a Standard Collision-Resistant $\textsf{CH}$

We recall a construction by Camenisch et al. from [18] in Construction 2. Before we do so, we recall some background on the setup the scheme requires: Let $(N,p,q,e,d) \leftarrow _\$\textsf{RSAKG}(1^\lambda )$ be an instance generator which returns an RSA modulus $N = pq$, where p and q are distinct primes, $e > 1$ is an integer co-prime to $\varphi (n)$, and $de \equiv 1 \bmod \varphi (n)$. The scheme requires that $\textsf{RSAKG}$ always outputs moduli of the same bit-length, based on $\lambda $, and that the one-more RSA assumption holds [10].

4.2 Collision-Resistance Properties

We start by analyzing how the various collision-resistance notions are related.

Theorem 1

Standard collision-resistance is strictly stronger than weak collision-resistance.

Proof

We first prove that standard collision-resistance implies weak collision-resistance. Then we give a counterexample showing that the other direction of the implication does not hold.

$\mathsf{S-CollRes} \implies \mathsf{W-CollRes}$: Assume $\mathcal {A}$ to be an adversary who breaks weak collision-resistance. We now construct an adversary $\mathcal {B}$ which breaks standard collision-resistance. In particular, $\mathcal {B}$ proceeds as follows. It receives $\textsf{pp}_{\textsf{ch}}$ and $\textsf{pk}_{\textsf{ch}}$ from its own challenger, and uses both to initialize $\mathcal {A}$. Whenever $\mathcal {A}$ outputs a winning tuple $(m^*, r^*, m'^*, r'^*, h^*)$, $\mathcal {B}$ returns that tuple to its own challenger. As the collision-finding oracle was never queried, that tuple also makes $\mathcal {B}$ win the standard collision-resistance game with the same probability $\mathcal {A}$ wins the weak collision-resistance game.

: The $\textsf{CH}$ by Krawczyk and Rabin [46] provides a counterexample: it is weakly collision-resistant, but does not offer standard collision-resistance. Observe that it is possible to trivially extract the secret key from a collision. That collision is obtained from the collision-finding oracle in the standard collision-resistance game (cf. Section 4.1 for more details). $\square $

Theorem 2

Enhanced collision-resistance is strictly stronger than weak collision-resistance.

Proof

The proof is identical to the one of Theorem 1. $\square $

Theorem 3

Full collision-resistance is strictly stronger than standard collision-resistance.

Proof

We first prove that full collision-resistance implies standard collision-resistance and then give a counterexample showing that the other direction of the implication does not hold.

$\mathsf{F-CollRes} \implies \mathsf{S-CollRes}$: Assume $\mathcal {A}$ to be an adversary who breaks standard collision-resistance. Now we construct an adversary $\mathcal {B}$ which breaks full collision-resistance. In particular, $\mathcal {B}$ proceeds as follows. It receives $\textsf{pp}_{\textsf{ch}}$ and $\textsf{pk}_{\textsf{ch}}$ from its own challenger, and uses both to initialize $\mathcal {A}$. All queries to the collision-finding oracle are relayed to $\mathcal {B}$’s own oracle. Whenever $\mathcal {A}$ outputs a winning tuple $(m^*, r^*, m'^*, r'^*, h^*)$, $\mathcal {B}$ returns that tuple to its own challenger. As $m^* \ne m'^*$ must be true, and $m^*$ was never queried to $\mathcal {A}$’s collision-finding oracle, this also means that $(h^*, m^*)$ was never queried to $\mathcal {B}$’s oracle, thus meeting the winning condition.

The scheme by Camenisch et al. [18] (See Construction 2) provides a counterexample: it offers standard collision-resistance, but does not offer full collision-resistance. In particular, their construction is re-randomizable (cf. Section 4.1 for more details).

In more detail, to show that this construction is not fully collision-resistant, consider the following strategy: Receive $\textsf{pk}_{\textsf{ch}}= (N,H)$ and $\textsf{pp}_{\textsf{ch}}= e$. Compute $(h, r) \leftarrow _\$\textsf{CHash}(\textsf{pk}_{\textsf{ch}}, m)$, with m random. Then, ask for an adaption (h, r, m) to $(h, r', m')$, for some random $m' \ne m$. Then, compute $h^* \leftarrow h2^e \mod N$, $r_1^* \leftarrow 2r \mod N$, and $r_2^* \leftarrow 2r' \mod N$. Because no collision for $h^*$ was computed, this construction cannot be fully collision-resistant. Note, this works, as $H(m)(2r)^e \equiv h2^e \pmod N$ for any input. Also note that the attack above also breaks enhanced collision-resistance (we will later use this to derive a corollary). $\square $

Theorem 4

Full collision-resistance is strictly stronger than enhanced collision-resistance.

Before we provide the proof of Theorem 4, we provide a novel construction of a chameleon-hash satisfying the $\textsf{E}\text {-}\textsf{CollRes}$ notion that is used to separate the notions $\textsf{F}\text {-}\textsf{CollRes}$ and $\textsf{E}\text {-}\textsf{CollRes}$.

4.2.1 Construction

Our $\textsf{CH}$ presented below provides $\textsf{E}\text {-}\textsf{CollRes}$, but allows to efficiently find arbitrary collisions for a given hash, once a single collision was seen. However, it is not possible to find collisions for any other hash. The main idea is to encrypt a message m using a mcIND-CPA secure encryption scheme $\mathsf {\Omega }$ and use the ciphertext as the hash. The randomness r of the chameleon-hash is the public key ${\textsf{pk}_\mathsf {\Omega }}'$ of a freshly sampled key-pair $({\textsf{sk}_\mathsf {\Omega }}', {\textsf{pk}_\mathsf {\Omega }}')$ of $\mathsf {\Omega }$, the encryption $c'$ of a signature $\sigma $ under ${\textsf{pk}_\mathsf {\Omega }}'$ and a SSE NIZK $\pi $ for the following language:

$$\begin{aligned} \begin{aligned} L {:}{=} \{ ({\textsf{pk}_\mathsf {\Omega }},\textsf{pk}_\mathsf {\Sigma }, h, m)~&|~ \exists ~(\sigma ,\xi )~:\\ {}&~ h = \textsf{Enc}({\textsf{pk}_\mathsf {\Omega }}, m;~\xi ) ~\vee ~ \textsf{Vrf}_\mathsf {\Sigma }(\textsf{pk}_\mathsf {\Sigma }, h, \sigma )=1\}. \end{aligned} \end{aligned}$$

(1)

Informally, this language requires the prover to show that it either knows the randomness $\xi $ attesting that h is a well-formed encryption of m, or a valid signature $\sigma $ for h. The basic idea of the construction is that when computing a hash, the witness $\xi $ is used. The randomness includes an encryption of the signature (initially one on 0) under the public key ${\textsf{pk}_\mathsf {\Omega }}'$. Note that the trick is that for adaption one computes a signature $\sigma $ for h, uses $\sigma $ as a witness, and includes an encryption of $\sigma $ under ${\textsf{pk}_\mathsf {\Omega }}'$ in the randomness. Clearly, now seeing a single collision allows to compute arbitrary collisions for the hash h.

This $\textsf{CH}$ can be instantiated by instantiating $\mathsf {\Sigma }$ as structure-preserving signatures (SPS) in type-III bilinear groups (assuming SXDH), e.g., Groth’s SPS [39]. Thus, $\mathsf {\Omega }$ can be ElGamal [37] in one of the base-groups. The algorithm $\textsf{KVf}_\mathsf {\Omega }$ is simply checking whether $g^{{\textsf{sk}_\mathsf {\Omega }}} = g^x = {\textsf{pk}_\mathsf {\Omega }}$, while for $\mathsf {\Pi }$, a suitable instantiation is a Fiat-Shamir transformed $\Sigma $-protocol in the random-oracle model [36], which also works very well with ElGamal encryption and Groth’s signature scheme.

Subsequently, we use and $ \rightsquigarrow $ to highlight the changes we make in the algorithms throughout a sequence of games (and we only show the changes).

Theorem 5

If $\mathsf {\Omega }$, $\mathsf {\Sigma }$, and $\mathsf {\Pi }$ are correct, then Construction 3 is correct.

Correctness follows from inspection and the (perfect) correctness of the used primitives.

While indistinguishability is technically not needed for proving the separation we are after in this section, we nevertheless prove it here for completeness.

Theorem 6

If $\mathsf {\Omega }$ is mcIND-CPA secure and $\mathsf {\Pi }$ is zero-knowledge, then Construction 3 is indistinguishable ($\textsf{N}\text {-}\textsf{Ind}$).

Proof

To prove indistinguishability, we use a sequence of games:

Game 0:
The original indistinguishability game.
Game 1:
As Game 0, but we modify the algorithms $\textsf{CHPG}$, $\textsf{CHash}$, and $\textsf{CHAdapt}$ used within the game as follows:

$Transition - Game \,0 \rightarrow Game \,1:$ We bound the probability for an adversary to detect this game change by presenting a hybrid game, which, depending on a zero-knowledge challenger $\mathcal {C}^\textsf{zk}$, either produces the distribution in Game 0 or Game 1, respectively. In particular, assume the following changes:

Clearly, if the challenger’s internal bit is 0 we simulate the distribution in Game 0, whereas we simulate the distribution in Game 1 otherwise. We have that $|\Pr [S_0] - \Pr [S_1]| \le \nu _\textsf{zk}(\lambda )$.

${\hbox {Game \,2:}}$ As Game 1, but we further modify the $\textsf{CHash}$ algorithm as follows:

$Transition - Game \,1 \rightarrow Game \,2:$ We bound the probability for an adversary to distinguish between two consecutive games by introducing a hybrid game which uses a mcIND-CPA challenger to interpolate between two consecutive games:

Now, depending on the challenger’s bit, we either simulate Game 1 or Game 2. Thus we have that $|\Pr [S_1] - \Pr [S_{2}]| \le \nu _\mathsf{mc-cpa}(\lambda )$

${\hbox {Game}} 3_i (1 \le i \le q):$ As Game $3_{i-1}$ (resp. Game 2 if $i=0$) but we modify the $\mathsf HashOrAdapt$ as follows. We let q be an upper bound on the queries to the $\mathsf HashOrAdapt$ oracle. Up to query number i, we do the following:

For every query after query i we simulate $\mathsf HashOrAdapt$ as in Game 2.

${\hbox {Transition - Game}} 3_{i} \rightarrow {\hbox {Game}} 3_{i+1} ({\hbox {resp. Game \,2}} \rightarrow 3_1):$ We bound the probability for an adversary to distinguish between two consecutive games by introducing a hybrid game which interpolates between to subsequent games. Then, up to query number $i -1$, we do the following:

In query number i we do the following:

For every query after query i we simulate $\mathsf HashOrAdapt$ as in Game 2. Now, depending on the challenger’s bit, we either simulate Game i or Game $i+1$. Thus, we have that $|\Pr [S_2] - \Pr [S_{3_q}]| \le q\cdot \nu _\mathsf{mc-cpa}(\lambda )$, where q is the overall number of queries to $\mathsf HashOrAdapt$.^{Footnote 8}

Now, the indistinguishability game is independent of the bit b, proving indistinguishability. $\square $

Theorem 7

If $\mathsf {\Omega }$ is perfectly correct, $\mathsf {\Sigma }$ is unforgeable, and $\mathsf {\Pi }$ is zero-knowledge as well as simulation-sound extractable, then Construction 3 provides enhanced collision-resistance.

Proof

To prove enhanced collision-resistance, we use a sequence of games.

Game 0:
The original enhanced collision-resistance game.
Game 1:
As Game 0, but we modify the $\textsf{CHPG}$ and the $\textsf{CHAdapt}$ as follows:

${\hbox {Transition - Game}} 0 \rightarrow {\hbox {Game \,1}}:$ We bound the probability for an adversary to detect this game change by presenting a hybrid game, which, depending on a zero-knowledge challenger $\mathcal {C}^\textsf{zk}$, either produces the distribution in Game 0 or Game 1, respectively.

Clearly, if the challenger’s internal bit is 0, we simulate the distribution in Game 0, whereas we simulate the distribution in Game 1 otherwise. We have that $|\Pr [S_0] - \Pr [S_1]| \le \nu _\textsf{zk}(\lambda )$.

Game 2:
As Game 1, but we further modify the $\textsf{CHPG}$ algorithm as follows:

$Transition - Game \,1 \rightarrow Game \,2:$ Under simulation-sound extractability, Game 1 and Game 2 are indistinguishable. That is, $|\Pr [S_1] - \Pr [S_2]| = 0$.

${\hbox {Game \,3:}}$ As Game 2, but we keep a list $\mathcal {Q}$ of all hashes h previously submitted to the collision-finding oracle which are accepted by the $\textsf{CHCheck}$ algorithm.

$Transition - Game \,2 \rightarrow Game \,3:$ This change is conceptual, and thus, we have $|\Pr [S_2] - \Pr [S_3]| = 0$.

${\hbox {Game \,4:}}$ As Game 3, but for every valid collision $(m^*, r^*, m'^*, r'^*, h^*)$ output by the adversary we observe that either $(h^*, m^*, r^*)$ or $(h^*, m'^*, r'^*)$ must be a “fresh” collision, i.e., $h^* \notin \mathcal {Q}$. We assume, without loss of generality, that $(m'^*, r'^*)$ is the “fresh” collision. We run $(\textsf{sk}', \sigma ') \leftarrow _\$\mathcal {E}_2(\textsf{crs}_\mathsf {\Pi }, \zeta , ({\textsf{pk}_\mathsf {\Omega }}, h^*, m'^*),r'^*)$ and abort if the extraction fails. We call this event $E_1$.

$Transition - Game \,3 \rightarrow Game \,4:$ Game 3 and Game 4 proceed identically, unless $E_1$ occurs. Assume, toward contradiction, that event $E_1$ occurs with non-negligible probability. We now construct an adversary $\mathcal {B}$ which breaks the simulation-sound extractability property of the NIZK proof system with non-negligible probability. We engage with a simulation-sound extractability challenger $\mathcal {C}^\textsf{sse}$ and modify the algorithms as follows:

In the end, we output $((\textsf{pk}_\mathsf {\Sigma }, h^*, m'^*), r'^*)$ to the challenger. This shows that we have $|\Pr [S_3] - \Pr [S_4]| \le \nu _\textsf{sse}(\lambda )$.

Reduction to eUNF-CMA: We are now ready to construct an adversary $\mathcal {B}$ which breaks the unforgeability of the underlying $\mathsf {\Sigma }$. Our adversary $\mathcal {B}$ proceeds as follows. It receives $\textsf{pp}_{\mathsf {\Sigma }}$ and $\textsf{pk}_\mathsf {\Sigma }$ from its own challenger. To generate $\sigma _0$, $\mathcal {B}$ simply queries its signature oracle to obtain it on the message 0. It embeds them straightforwardly inside $\textsf{pp}_{\textsf{ch}}$ and $\textsf{pk}_{\textsf{ch}}$ to initialize $\mathcal {A}$. For adaption, a new signature $\sigma '$ must be generated and encrypted. Those signatures are also obtained by querying the signature oracle. Now we know that we have extracted two witnesses $(\textsf{sk}, \sigma )$ as well as $(\textsf{sk}'', \sigma '')$ where one attests membership of $(\textsf{pk}_\mathsf {\Sigma }, h^*, m'^*)$ in L, and one attests membership of $(\textsf{pk}_\mathsf {\Sigma }, h^*, m'')$ for some fresh $h^*$ in L. By the perfect correctness of the signature scheme, we know that at most one of them must be signature for $h^*$. However, as the signature was never queried, $(h^*, \sigma )$ (or $(h^*, \sigma '')$ resp.) must be a validating signature, breaking the unforgeability of the used $\mathsf {\Sigma }$. Now, we have that $\Pr [S_4] \le \nu _\mathsf{eunf-cma}(\lambda )$. This concludes the proof. $\square $

We are now ready to present the proof of Theorem 4.

Proof

We first prove that full collision-resistance implies enhanced collision-resistance and then give a counterexample showing that the other direction of the implication does not hold.

$\mathsf{F-CollRes} \implies \mathsf{E-CollRes}$: Assume $\mathcal {A}$ to be an adversary who breaks the enhanced collision-resistance. We can then construct an adversary $\mathcal {B}$ which breaks the full collision-resistance. In particular, $\mathcal {B}$ proceeds as follows. It receives $\textsf{pp}_{\textsf{ch}}$ and $\textsf{pk}_{\textsf{ch}}$ from its own challenger, and uses both to initialize $\mathcal {A}$. All queries to the collision-finding oracle are relayed to $\mathcal {B}$’s own oracle. Whenever $\mathcal {A}$ outputs a winning tuple $(m^*, r^*, m'^*, r'^*, h^*)$, $\mathcal {B}$ returns that tuple to its own challenger. As $m^* \ne m'^*$ must be true, and $h^*$ was never queried to $\mathcal {A}$’s collision-finding oracle, this also means that $(h^*, m^*)$ was never queried to $\mathcal {B}$’s oracle, thus meeting the winning condition.

The scheme presented in Construction 3 gives a counterexample: it allows finding arbitrarily many collisions for a given hash h, if it sees a single one, but for no other $h' \ne h$. In more detail, to show that this construction is not fully collision-resistant, consider the following strategy. Receive $\textsf{pk}_{\textsf{ch}}= ({\textsf{pk}_\mathsf {\Omega }}, \textsf{pk}_\mathsf {\Sigma })$ and $\textsf{pp}_{\textsf{ch}}= ({\textsf{pp}_\mathsf {\Omega }}, \textsf{crs}_\mathsf {\Pi }, \textsf{pp}_{\mathsf {\Sigma }})$. Compute $(h, r) \leftarrow _\$\textsf{CHash}(\textsf{pk}_{\textsf{ch}}, m)$, with m random. Also store the secret key ${\textsf{sk}_\mathsf {\Omega }}'$. Then, ask for an adaption (h, r, m) to $(h, r', m')$, where $r' = (\pi , c'', {\textsf{pk}_\mathsf {\Omega }}')$, for some random $m'$. Then, compute $\sigma \leftarrow \textsf{Dec}({\textsf{sk}_\mathsf {\Omega }}', c'')$. Then arbitrary collisions for h are generated by executing $\textsf{CHAdapt}$ in a similar way the owner of $\textsf{pk}_{\textsf{ch}}$ does for finding collisions, due to the knowledge of $\sigma $ for h. Because such collisions can only be generated for already seen collisions w.r.t. h, enhanced collision-resistance holds, but full collision-resistance does not. Also note that standard collision-resistance does not hold for Construction 3 for the same reason (we will later use this to derive a corollary). $\square $

Theorem 8

Enhanced collision-resistance and standard collision-resistance together imply full collision-resistance.

Proof

The theorem above is proven using a sequence of games.

Game 0:
The original full collision-resistance game.
Game 1:
As Game 0, we abort, if the adversary $\mathcal {A}$ outputs $(m^*, r^*, m'^*, r'^*, h^*)$ such that the winning conditions are met, but $h^*$ was never queried to the collision-finding oracle.

$Transition - Game \,0 \rightarrow Game \,1:$ If this is the case, we build an adversary $\mathcal {B}$ which breaks the enhanced collision-resistance of the underlying scheme. Namely, $\mathcal {B}$ receives $\textsf{pk}_{\textsf{ch}}$ and uses it to initialize $\mathcal {A}$. Every adaption query by $\mathcal {A}$ is answered by $\mathcal {B}$ using its own oracle. Once $\mathcal {A}$ outputs $(m^*, r^*, m'^*, r'^*, h^*)$, $\mathcal {B}$ returns $(m^*, r^*, m'^*, r'^*, h^*)$ to its own challenger. As $h^*$ was never seen, $\mathcal {B}$ wins its own game. $|\Pr [S_0] - \Pr [S_1]| \le \nu _\mathsf{enh-collres}(\lambda )$ follows.

${\hbox {Game \,2:}}$ As Game 1, we abort, if the adversary $\mathcal {A}$ outputs $(m^*, r^*, m'^*, r'^*, h^*)$ such that the winning conditions are met, but $m^*$ was never queried to the collision-finding oracle.

$Transition - Game \,1 \rightarrow Game \,2:$ If this is the case, we build an adversary $\mathcal {B}$ which breaks the standard collision-resistance of the underlying scheme. Namely, $\mathcal {B}$ receives $\textsf{pk}_{\textsf{ch}}$ and uses it to initialize $\mathcal {A}$. Every adaption query by $\mathcal {A}$ is answered by $\mathcal {B}$ using its own oracle. Once $\mathcal {A}$ outputs $(m^*, r^*, m'^*, r'^*, h^*)$, $\mathcal {B}$ returns $(m^*, r^*, m'^*, r'^*, h^*)$ to its own challenger. As $m^*$ was never seen, $\mathcal {B}$ wins its own game. $|\Pr [S_1] - \Pr [S_2]| \le \nu _\mathsf{st-collres}(\lambda )$ follows.

In Game 2, the adversary can no longer win the full collision-resistance game. This proves the theorem. $\square $

The corollary below follows from the constructions used in the proofs of Theorem 3 and Theorem 4, which provide standard collision-resistance but not enhanced collision-resistance, and vice versa.

Corollary 1

Standard collision-resistance and enhanced collision-resistance are independent.

4.3 Relations Between Indistinguishability Notions.

We formally prove that full indistinguishability is strictly stronger than enhanced indistinguishability. Enhanced indistinguishability is strictly stronger than strong indistinguishability, which, in turn, is strictly stronger than indistinguishability (cf. Figure 9 for an overview).

Theorem 9

Full Indistinguishability is strictly stronger than Enhanced Indistinguishability.

Proof

We first prove that full indistinguishability implies enhanced indistinguishability and then give a counterexample showing that the other direction of the implication does not hold.

$\mathsf{F-Ind} \implies \mathsf{E-Ind}$: Assume $\mathcal {A}$ to be an adversary who wins the full indistinguishability game with some probability (non-negligibly) larger than $\nicefrac {1}{2}$. Now, we construct an adversary $\mathcal {B}$ which wins the enhanced indistinguishability game with the same probability. In particular, $\mathcal {B}$ proceeds as follows. It receives $\textsf{pp}_{\textsf{ch}}$ from its own challenger, generates $(\textsf{sk}_{\textsf{ch}}, \textsf{pk}_{\textsf{ch}}; \xi )$ honestly, and uses $\textsf{pp}_{\textsf{ch}}$ and $\xi $ to initialize $\mathcal {A}$. All queries to the collision-finding oracle are answered by querying $\mathcal {B}$’s own oracle (with the honestly generated keys). Whenever $\mathcal {A}$ outputs a bit a, $\mathcal {B}$ returns that bit to its own challenger. As the simulation is perfect, $\mathcal {B}$’s winning probability equals the one of $\mathcal {A}$.

Let $\textsf{CH}{:}{=} (\textsf{CHPG},\textsf{CHKG},\textsf{CHash},\textsf{CHCheck}, \textsf{CHAdapt})$ be a fully indistinguishable chameleon-hash. We define a chameleon-hash $\textsf{CH}' {:}{=} (\textsf{CHPG}', \textsf{CHKG}',\textsf{CHash}',\textsf{CHCheck}', \textsf{CHAdapt}')$, which internally uses $\textsf{CH}$ as presented in Construction 4.

The basic idea is that in case particular random coins $\xi $ are drawn, at each adaption, the message in question is augmented with a bit indicating that an adaption happened. As this particular randomness ($\xi = 0$) is never drawn with overwhelming probability, knowing the randomness does not help – being able to choose it, however, makes creating a distinguisher trivial.

Clearly, if all parties generate their keys honestly (and thus a 0 is appended to the public key with overwhelming probability), the last bit appended to the randomness is always 0 after adaption, is never appended at hashing, and is independent of the message hashed. If, however, the adversary can choose randomness $\xi $, it can generate a $\textsf{pk}_{\textsf{ch}}$ with an appended 1, thus making adaption append a 1, while hashing still appends a 0. This trivially breaks full indistinguishability. $\square $

Theorem 10

Enhanced Indistinguishability is strictly stronger than Strong Indistinguishability.

Proof

We first prove that enhanced indistinguishability implies strong indistinguishability and then give a counterexample showing that the other direction of the implication does not hold.

$\mathsf{E-Ind} \implies \mathsf{S-Ind}$: Assume $\mathcal {A}$ to be an adversary who wins the strong indistinguishability game with non-negligible probability. Using $\mathcal {A}$ we construct an adversary $\mathcal {B}$ which wins the enhanced indistinguishability game with the same probability: $\mathcal {B}$ receives $\textsf{pp}_{\textsf{ch}}$ and r from its own challenger, generating $(\textsf{sk}_{\textsf{ch}}, \textsf{pk}_{\textsf{ch}}) \leftarrow _\$\textsf{CHKG}(\textsf{pp}_{\textsf{ch}}; \xi )$. It uses $(\textsf{sk}_{\textsf{ch}}, \textsf{pk}_{\textsf{ch}})$ to initialize $\mathcal {A}$. All queries to the collision-finding oracle are answered by querying $\mathcal {B}$’s own oracle. Whenever $\mathcal {A}$ outputs a bit a, $\mathcal {B}$ returns that bit to its own challenger. As the simulation is perfect, $\mathcal {B}$’s winning probability equals the one of $\mathcal {A}$.

Let $\textsf{CH}{:}{=} (\textsf{CHPG},\textsf{CHKG},\textsf{CHash},\textsf{CHCheck}, \textsf{CHAdapt})$ be chameleon-hash with enhanced indistinguishability. We define a chameleon-hash $\textsf{CH}' {:}{=} (\textsf{CHPG}', \textsf{CHKG}',\textsf{CHash}',\textsf{CHCheck}', \textsf{CHAdapt}')$, which internally uses $\textsf{CH}$ as presented in Construction 5.

The basic idea is that at key generation a key pair $({\textsf{sk}_\mathsf {\Omega }}, {\textsf{pk}_\mathsf {\Omega }}$) for an encryption scheme is generated. The secret key ${\textsf{sk}_\mathsf {\Omega }}$ is discarded and thus not part of $\textsf{sk}_{\textsf{ch}}$. At each hashing, the message is also encrypted using the public key ${\textsf{pk}_\mathsf {\Omega }}$ and the ciphertext is attached to the randomness. Assuming the security of the encryption scheme, this does not leak any information about the message (and notice that no decryption oracle is provided, thus IND-CPA suffices), even if the secret key $\textsf{sk}_{\textsf{ch}}$ is known. If, however, the random coins used to generate the key material become known, an adversary can simply generate ${\textsf{sk}_\mathsf {\Omega }}$ and decrypt the ciphertexts and compare the content with the message in question.

Clearly, in the $\mathsf{S-Ind}$ experiment, ${\textsf{sk}_\mathsf {\Omega }}$ is discarded at key generation and is thus not given to the adversary. If, however, the adversary knows the randomness used to generate the keys, it can re-create ${\textsf{sk}_\mathsf {\Omega }}$. Consequently, $\mathsf{E-Ind}$ is trivially broken by decrypting c contained in r. $\square $

Theorem 11

Strong Indistinguishability is strictly stronger than (Normal) Indistinguishability.

Proof

We first prove that full indistinguishability implies indistinguishability and then give a counterexample showing that the other direction of the implication does not hold.

$\mathsf{S-Ind} \implies \textsf{Ind}$: Assume $\mathcal {A}$ to be an adversary who wins the indistinguishability game with non-negligible probability. Using $\mathcal {A}$ we construct an adversary $\mathcal {B}$ which wins the strong indistinguishability game with the same probability: $\mathcal {B}$ receives $\textsf{pp}_{\textsf{ch}}$ from its own challenger, receiving $(\textsf{sk}_{\textsf{ch}}, \textsf{pk}_{\textsf{ch}})$, and uses $\textsf{pp}_{\textsf{ch}}$ and $\textsf{pk}_{\textsf{ch}}$ to initialize $\mathcal {A}$. All queries to the collision-finding oracle are answered by querying $\mathcal {B}$’s own oracle. Whenever $\mathcal {A}$ outputs a bit a, $\mathcal {B}$ returns that bit to its own challenger. As the simulation is perfect, $\mathcal {B}$’s winning probability equals the one of $\mathcal {A}$.

Our scheme given in Construction 9 provides a suitable counterexample. In particular, due to the used encryption, knowledge of the secret key allows extracting the original message m. In more detail, to show that this construction is not strongly indistinguishable, consider the following strategy. The key pair $(\textsf{sk}_{\textsf{ch}}, \textsf{pk}_{\textsf{ch}})$ is generated by the challenger, but (according to the game) known to the adversary. Obtain a challenge tuple $(h,r) \leftarrow _\$\textsf{HashOrAdapt}(\textsf{pk}_{\textsf{ch}},\textsf{sk}_{\textsf{ch}},m,m')$, where $m \ne m'$ are random messages. Then, let $m'' \leftarrow \textsf{Dec}(\textsf{sk}_{\textsf{ch}},h)$. If $m =m''$, return 0. Otherwise, return 1. Clearly, this strategy always allows learning the challenger’s bit. $\square $

4.4 Additional Separations

We now prove some additional separations. We note that indistinguishability is strictly weaker than full indistinguishability (as formally shown in Sect. 3.3).

Theorem 12

Even full indistinguishability and uniqueness together do not imply weak collision-resistance.

Proof

Consider the contrived construction given in Construction 6. The basic idea is to only make one randomness valid for all messages.

Clearly, this construction is fully indistinguishable and unique. Finding collisions, however, is a trivial task. $\square $

Theorem 13

Even full collision-resistance and uniqueness together do not imply indistinguishability.

Proof

Assume $\textsf{CH}{:}{=} (\textsf{CHPG}, \textsf{CHKG}, \textsf{CHash}, \textsf{CHCheck}, \textsf{CHAdapt})$ to be a fully collision-resistant, unique, and fully indistinguishable chameleon-hash. In Construction 7, we construct a $\textsf{CH}'$ which offers full collision-resistance and uniqueness, but is not indistinguishable. The basic idea is to manipulate the hash to contain additional information about whether an adaption took place by appending the message itself.

Clearly, $\textsf{CH}'$ is still fully collision-resistant and unique, but looking at the appended messages allows deciding whether an adaption has occurred. $\square $

Theorem 14

Even full collision-resistance and full indistinguishability together do not imply uniqueness.

Proof

Assume $\textsf{CH}{:}{=} (\textsf{CHPG}, \textsf{CHKG}, \textsf{CHash}, \textsf{CHCheck}, \textsf{CHAdapt})$ to be a fully collision-resistant, unique, and fully indistinguishable chameleon-hash. We construct $\textsf{CH}'$ as given in Construction 8. The basic idea is to append a random bit to the randomness r which is ignored during verification.

Clearly, $\textsf{CH}'$ is still fully collision-resistant and fully indistinguishable, but changing the bit in the randomness r is trivial, breaking uniqueness. $\square $

5 Fully Collision-Resistant Chameleon-Hashes

We are now ready to present our black-box construction of fully collision-resistant chameleon-hashes.

5.1 Construction

The main idea of our construction is to encrypt a message m using an mcIND-CPA secure encryption scheme and use the ciphertext as the hash, i.e., it is very close to our “contrived” construction providing enhanced collision-resistance given in Construction 3. However, it has some important, and subtle, differences.

Namely, the randomness r is a SSE NIZK attesting membership of a tuple containing the public key used for encryption, the hash, as well as the hashed message in the following NP-language:

$$\begin{aligned} L {:}{=} \{ ({\textsf{pk}_\mathsf {\Omega }}, h, m) ~|~ \exists ~({\textsf{sk}_\mathsf {\Omega }}, \xi )~:~h = \textsf{Enc}({\textsf{pk}_\mathsf {\Omega }}, m;~\xi ) ~\vee ~ \textsf{KVf}_\mathsf {\Omega }({\textsf{pk}_\mathsf {\Omega }}, {\textsf{sk}_\mathsf {\Omega }}) = 1\}.\nonumber \\ \end{aligned}$$

(2)

Informally, this language requires the prover to demonstrate that it either knows the randomness $\xi $ attesting that h is a well-formed encryption of m under the $\textsf{CH}$ key ${\textsf{pk}_\mathsf {\Omega }}$, or it knows a secret key ${\textsf{sk}_\mathsf {\Omega }}$ corresponding to ${\textsf{pk}_\mathsf {\Omega }}$, instead of encrypting a signature and proving the verification relation. Our construction of a fully collision-resistant $\textsf{CH}$ is presented as Construction 9. We note that compared to Ateniese et al. [5] we cannot use true-simulation extractable NIZKs (tSE-NIZKs) [32] and need SSE NIZKs.

5.2 Security

Subsequently, we prove the security of our $\textsf{CH}$ in Construction 9.

Theorem 15

If $\mathsf {\Omega }$ is correct and $\mathsf {\Pi }$ is complete, then $\textsf{CH}$ in Construction 9 is correct.

Correctness follows from inspection and the (perfect) correctness of the used primitives.

Theorem 16

If $\mathsf {\Omega }$ is mcIND-CPA secure, and $\mathsf {\Pi }$ is zero-knowledge, then $\textsf{CH}$ in Construction 9 is indistinguishable ($\textsf{N}\text {-}\textsf{Ind}$).

In the proof, we use and $ \rightsquigarrow $ to highlight the changes we make in the algorithms throughout a sequence of games (and we only show the changes).

Proof

To prove indistinguishability, we use a sequence of games:

Game 0:
The original indistinguishability game.
Game 1:
As Game 0, but we modify the algorithms $\textsf{CHPG}$, $\textsf{CHash}$, and $\textsf{CHAdapt}$ used inside the game:

$Transition - Game \,0 \rightarrow Game \,1:$ We bound the probability for an adversary to detect this game change by presenting a hybrid game, which, depending on a zero-knowledge challenger $\mathcal {C}^\textsf{zk}$, either produces the distribution in Game 0 or Game 1, respectively. In particular, assume that we use the following changes:

Clearly, if the challenger’s internal bit is 0, we simulate the distribution in Game 0, whereas we simulate the distribution in Game 1 otherwise. We have that $|\Pr [S_0] - \Pr [S_1]| \le \nu _\textsf{zk}(\lambda )$.

Game 2:
As Game 1, but we further modify the $\textsf{CHash}$ algorithm as follows:

$Transition - Game \,1 \rightarrow Game \,2:$ We bound the probability for an adversary to distinguish between two consecutive games by introducing a hybrid game which uses a multi-challenge IND-CPA challenger to interpolate between two consecutive games.

Now, depending on the challenger’s bit, we either simulate Game 1 or Game 2. Thus we have that $|\Pr [S_1] - \Pr [S_{2_i}]| \le \nu _\mathsf{mc-cpa}(\lambda )$

Now, the indistinguishability game is independent of the bit b, proving indistinguishability. $\square $

Theorem 17

If $\mathsf {\Omega }$ is perfectly correct and mcIND-CPA secure and $\mathsf {\Pi }$ is zero-knowledge as well as simulation-sound extractable, then $\textsf{CH}$ in Construction 9 is fully collision-resistant.

Proof

To prove full collision-resistance, we use a sequence of games.

Game 0:
The original full collision-resistance game.
Game 1:
As Game 0, but we modify the $\textsf{CHPG}$ and the $\textsf{CHAdapt}$ algorithm as follows:

$Transition - Game \,0 \rightarrow Game \,1:$ We bound the probability for an adversary to detect this game change by presenting a hybrid game, which, depending on a zero-knowledge challenger $\mathcal {C}^\textsf{zk}$, either produces the distribution in Game 0 or Game 1, respectively.

Clearly, if the challenger’s internal bit is 0 we simulate the distribution in Game 0, whereas we simulate the distribution in Game 1 otherwise. We have that $|\Pr [S_0] - \Pr [S_1]| \le \nu _\textsf{zk}(\lambda )$.

Game 2:
As Game 1, but we further modify the $\textsf{CHPG}$ algorithm as follows:

$Transition - Game \,1 \rightarrow Game \,2:$ Under simulation-sound extractability, Game 1 and Game 2 are indistinguishable. That is, $|\Pr [S_1] - \Pr [S_2]| = 0$.

${\hbox {Game \,3:}}$ As Game 2, but we keep a list $\mathcal {Q}$ of all tuples (h, r, m) previously submitted to the collision-finding oracle which are accepted by the $\textsf{CHCheck}$ algorithm, where h was never submitted to the collision-finding oracle before.

$Transition - Game \,2 \rightarrow Game \,3:$ This change is conceptual, i.e., $|\Pr [S_2] - \Pr [S_3]|= 0$.

${\hbox {Game \,4:}}$ As Game 3, but for every valid collision $(m^*, r^*, m'^*, r'^*, h^*)$ output by the adversary we observe that either $(m^*, r^*)$ or $(m'^*, r'^*)$ must be a “fresh” collision, i.e., one that was never output by the collision-finding oracle. We assume, without loss of generality, that $(m'^*, r'^*)$ is the “fresh” collision. We run $(\textsf{sk}', \xi ') \leftarrow _\$\mathcal {E}_2(\textsf{crs}_\mathsf {\Pi }, \zeta , ({\textsf{pk}_\mathsf {\Omega }}, h^*, m'^*), r'^*)$ and abort if the extraction fails. We call this event $E_1$.

$Transition - Game \,3 \rightarrow Game \,4:$ Game 3 and Game 4 proceed identically, unless $E_1$ occurs. Assume, toward contradiction, that event $E_1$ occurs with non-negligible probability. We now construct an adversary $\mathcal {B}$ which breaks the simulation-sound extractability property of the NIZK proof system with non-negligible probability. We engage with a simulation-sound extractability challenger $\mathcal {C}^\textsf{sse}$ and modify the algorithms as follows:

In the end we output $(({\textsf{pk}_\mathsf {\Omega }}, h^*, m'^*), r'^*)$ to the challenger. This shows that we have $|\Pr [S_3] - \Pr [S_4]| \le \nu _\textsf{sse}(\lambda )$.

${\hbox {Game \,5:}}$ As Game 4, but we observe that if $(m^*, r^*)$ does not correspond to a fresh collision for $h^*$ in the above sense, then we will have an entry $(h^*,r,m) \in \mathcal {Q}$ where (m, r) is a “fresh” collision, i.e., one computed by the adversary. We run the extractor for the fresh collision, i.e., either obtain $(\textsf{sk}'', \xi '') \leftarrow _\$\mathcal {E}_2(\textsf{crs}_\mathsf {\Pi }, \zeta , ({\textsf{pk}_\mathsf {\Omega }}, h^*, m^*), r^*)$ or $(\textsf{sk}'', \xi '') \leftarrow _\$\mathcal {E}_2(\textsf{crs}_\mathsf {\Pi }, \zeta , ({\textsf{pk}_\mathsf {\Omega }}, h^*,m), r)$, respectively. In case the extraction fails, we abort. We call the abort event $E_2$.

$Transition - Game \,4 \rightarrow Game \,5:$ Analogously to the transition between Game 3 and Game 4, we argue that Game 4 and Game 5 proceed identically unless $E_2$ occurs which is why we do not restate the reduction to simulation-sound extractability here. We have that $|\Pr [S_4] - \Pr [S_5]| \le \nu _\textsf{sse}(\lambda )$.

${\hbox {Reduction to mcIND-CPA:}}$ We are now ready to construct an adversary $\mathcal {B}$ which breaks the mcIND-CPA security of the underlying $\mathsf {\Omega }$. Our adversary $\mathcal {B}$ proceeds as follows. It receives ${\textsf{pp}_\mathsf {\Omega }}$ and ${\textsf{pk}_\mathsf {\Omega }}$ from its own challenger. It embeds them straightforwardly as $\textsf{pp}_{\textsf{ch}}$ and $\textsf{pk}_{\textsf{ch}}$ to initialize $\mathcal {A}$. Now we know that we have extracted two witnesses $(\textsf{sk}, \xi )$ as well as $(\textsf{sk}'', \xi '')$ where one attests membership of $({\textsf{pk}_\mathsf {\Omega }}, h^*, m'^*)$ in L and one attests membership of $({\textsf{pk}_\mathsf {\Omega }}, h^*, m'')$ for some $m'' \ne m'^*$ in L. By the perfect correctness of the encryption scheme, we know that at most one of them can be consistent with the ciphertext contained in $h^*$, which implies that either $\textsf{sk}$ or $\textsf{sk}''$ will be the key for the underlying encryption scheme (which of them we figure out by using $\textsf{KVf}_\mathsf {\Omega }$). With knowledge of the key, $\mathcal {B}$ trivially breaks the mcIND-CPA security of the underlying $\mathsf {\Omega }$ by randomly sending two distinct messages to its own challenger (for encryption), simply decrypting the returned ciphertext, and answering with the correct bit. We have that $\Pr [S_5] \le \nu _\mathsf{mc-cpa}(\lambda )$. This concludes the proof. $\square $

5.3 Concrete Instantiation

A suitable instantiation for $\mathsf {\Omega }$ is ElGamal [37]. The algorithm $\textsf{KVf}_\mathsf {\Omega }$ is simply checking whether $g^{{\textsf{sk}_\mathsf {\Omega }}} = g^x = {\textsf{pk}_\mathsf {\Omega }}$. Note that for $\mathsf {\Pi }$ we only need to extract a bounded number of times (i.e., twice). To this end one may use Fiat-Shamir transformed $\Sigma $-protocols for DLOG relations in the random-oracle model [36] when additionally applying the compiler by Faust et al. [35]. In particular, Faust et al. show that such proofs are simulation-sound extractable when additionally including the statement x upon hashing in the challenge computation and if the $\Sigma $-protocol provides a property called quasi-unique responses. The latter is straightforward for the statements which need to be proven in our context. See, e.g., [30], for a detailed discussion of this transformation.

For the sake of completeness and to demonstrate how efficiently our approach can be instantiated, we provide this concrete instantiation as Construction 10. Therefore, let $(\mathbb {G}, g, q) \leftarrow _\$\textsf{GGen}(1^\lambda )$ be an instance generator which returns a prime-order, and multiplicatively written, group $\mathbb {G}$ where the DDH problem is hard, along with a generator g such that $\langle g \rangle = \mathbb {G}$. Note that an SSE NIZK for the required L in (3) can easily be obtained as an equality proof of two discrete logarithms together with an or composition of a proof of a discrete logarithm [24] of Fiat-Shamir transformed $\Sigma $-protocols discussed above.

$$\begin{aligned} L {:}{=} \{ (y, h, m) ~|~ \exists ~(x, \xi )~:~h = (g^\xi ,m\cdot y^\xi ) ~\vee ~ y=g^x\}. \end{aligned}$$

(3)

5.4 Comparison

Subsequently, in Table 1 we compare existing constructions of chameleon-hashes providing the $\textsf{W}\text {-}\textsf{CollRes}$, $\textsf{E}\text {-}\textsf{CollRes}$ and $\textsf{S}\text {-}\textsf{CollRes}$ notions with instantiations of our approach (in the random oracle and standard model) providing the stronger $\textsf{F}\text {-}\textsf{CollRes}$ notion. Here E denotes an exponentiation in the respective algebraic structure, “?” denotes that it is unclear how efficient this can be realized due to requirement of an invertible onto mapping into the used group (cf. the discussion in [45]). $\mathsf SM$ and $\mathsf RO$ denote the standard and the random oracle model, respectively.

Table 1 Comparison of different chameleon-hash functions

Full size table

Furthermore, DDH, SXDH, PKoE, and OM-RSA denote the decisional Diffie–Hellman, the symmetric DDH, the power knowledge of exponent [42], and the one-more RSA inversion [10] assumptions. We also stress that for constructions relying on SXDH, for typical instantiations of type-III bilinear groups, we have that $|\mathbb {G}_2|=2(|\mathbb {G}_1| - 1) + 1$ (where $|\cdot |$ denotes the size of the representation of a group element). Regarding our construction in the standard model, e.g., using SSE NIZKs based on Groth–Sahai NIZKs, one can use the compiler in [27] to efficiently achieve simulation-sound extractability. We, however, note that a naive instantiation of our template in the standard model would still require to include bit-wise proofs of the parts of the witness which are in $\mathbb {Z}_q$, which would, all in all, require a number of group elements in the order of $1k - 2k$ (a very rough estimate; thus we also omit the remaining costs which is indicated by “−” in Table 1). It seems that switching to a variant of ElGamal in the target group (and maybe some other tweaks) would help to work around the requirement of having bit-wise proofs. While we are not able to provide a more efficient instantiation, we hope that future work will be able to do so. Finally, we note that we omit comparing our scheme given in Construction 3 as it is contrived and its sole purpose is to prove a separation result.

6 Applications

In this section we discuss (stronger) collision-resistance notions of chameleon-hashes in context of two applications, namely redactable blockchains as well as online/offline signatures.

6.1 Redactable Blockchains

While one of the major goals of blockchains is their immutability and in particular their use as an immutable append-only log, recently, starting with the work of Ateniese et al. [5], there has been an increasing interest in blockchains that allow some controlled after-the-fact modification of their content. This is motivated by illegal content that was shown to be included into the Bitcoin blockchain [48], which represents a significant challenge for law enforcement agencies [55], as well as legislations like the European General Data Protection Regulation (GDPR) and the associated “right to be forgotten”. Solutions to this problem may either be for the permissioned- or permissionless-blockchain setting and cryptographic in nature [5, 26, 51] or non-cryptographic, where in the latter case it is based on the consensus layer of the blockchain [31].

We are considering the former and focus on block-level rewriting (change entire blocks) of blockchains instead of transaction-level rewriting (change single transactions within a block) in a permissionless setting (such as Bitcoin), as this illustrates the problem with much wider implications. In the following we are using the notation used in [5], and describe a block as triple of the form $B=\langle s,x,\texttt {ctr}\rangle $, where $s\in \{0,1\}^\lambda $, $x\in \{0,1\}^*$ and $\texttt {ctr}\in \mathbb {N}$ and a block is valid if

$$\begin{aligned} {\textbf {validblock}}_q^D(B):=(H(\texttt {ctr},G(s,x))<D)~\wedge ~(\texttt {ctr}<q)=1. \end{aligned}$$

Here, $H:\{0, 1\}^* \rightarrow \{0, 1\}^{2\lambda }$ and $G:\{0, 1\}^* \rightarrow \{0,1\}^{2\lambda }$ are collision-resistant hash functions, and the parameters $D\in \mathbb {N}$ and $q\in \mathbb {N}$ are the difficulty level of the block and the maximum number of hash queries that a user is allowed to make in any given round of the protocol, respectively. The chaining of blocks is now done by requiring that when attaching a (valid) block $B'=\langle s',x',\texttt {ctr'}\rangle $ we have that $s'=H(\texttt {ctr}, G(s, x))$. Now to make blocks redactable, one changes the description of blocks to $B=\langle s,x,\texttt {ctr},(h,r)\rangle $ where the new component is a chameleon-hash (h, r) and the validation predicate changes to

$$\begin{aligned} {\textbf {validblock}}_q^D(B):=&(H(\texttt {ctr},h)<D)~\wedge ~\textsf{CHCheck}(\textsf{pk}_{\textsf{ch}}, (s,x), r, h)=1~\wedge ~\\&(\texttt {ctr}<q)=1. \end{aligned}$$

Chaining is now done by requiring that when attaching a (valid) block $B'=\langle s',x',\texttt {ctr'}\rangle $ we have that $s'=H(\texttt {ctr},h)$. Observe that now computing a collision in the chameleon-hash gives very much power as it basically allows to rewrite the entire history of the blockchain.

Ateniese et al. in [5] discuss different ways to control this power to actually compute collisions (i.e., run $\textsf{CHAdapt}$) where (1) either $\textsf{sk}_{\textsf{ch}}$ may be available to some fully trusted single party only, or (2) $\textsf{sk}_{\textsf{ch}}$ is generated using a multi-party computation (MPC) protocol and $\textsf{CHAdapt}$ is also performed in a distributed way by some set of parties. We will discuss the implications of different collision-resistance notions to this setting, which is independent of which of these two approaches is going to be used.

We recall that Ateniese et al. [5], who introduced this application, rely on $\textsf{E}\text {-}\textsf{CollRes}$ and Derler et al. in more recent work in [26] rely on $\textsf{S}\text {-}\textsf{CollRes}$. Now, note that in such a permissionless setting as discussed above, where everybody is allowed to participate, it is reasonable to assume that an adversary sees the collisions computed for any blocks over some time in the system (as they will be broadcasted). Now let us discuss the single notions:

Weak Collision-Resistance ($\textsf{W}\text {-}\textsf{CollRes}$) A chameleon-hash providing this notion of collision-resistance provides absolutely no guarantees, as after seeing a single collision all guarantees are lost. A prime example is the Pedersen $\textsf{CH}$ due to Krawczyk and Rabin [46] (cf. Sect. 4.1), where a single seen collision exposes the secret key $\textsf{sk}_{\textsf{ch}}$ to everybody. Clearly, this has significant consequences in the above scenario as then everybody can arbitrarily alter the blockchain.
Enhanced Collision-Resistance ($\textsf{E}\text {-}\textsf{CollRes}$) Recall that an adversary, when attacking some hash $h^*$, must have never input $h^*$ to $\textsf{CHAdapt}'$. Now, this means that if an adversary targets a specific hash and then happens to see a collision for this hash (for some reason), suddenly all guarantees are lost and arbitrary collisions could be computed. Note that our construction in Sect. 4 clearly demonstrates potential problems with $\textsf{CH}$s only satisfying this notion. This still represents a significant problem with this application.
Standard Collision-Resistance ($\textsf{S}\text {-}\textsf{CollRes}$) Recall, that an adversary is only restricted to not query message $m^*$ (which is associated with the computed collision $h^*$) was never queried to the collision-finding oracle. While this still might be problematic in the redactable blockchain setting, messages can very likely be made unique by perpending a large enough random tag/nonce (note that in this could easily be done in the block format of, e.g., the Bitcoin block structure). So, this notion seems suitable if the aforementioned constrained may, under certain circumstances, be guaranteed to be met, but is far away from being ideal.
Full Collision-Resistance ($\textsf{F}\text {-}\textsf{CollRes}$) We recall that, here, only the collision $(h^*, m^*)$ was not generated by the collision-finding oracle, but there is no other restriction whatsoever. Consequently, this collision-resistance notion seems the “right” notion as no issues on higher levels need to be considered and very strong guarantees are already provided by the notion itself.

6.2 Online/Offline Signatures

Online/offline signatures (OOS) [33, 34] are signatures which run in two phases, a potentially computationally expensive offline phase and a more efficient online phase. Latter clearly should be more efficient than the full signing algorithm. Thus, if the online phase is then run by a resource constrained signer, this allows such signers to compute signatures even if it might be too expensive to run the full signing algorithm of the respective signature scheme.

6.2.1 Hash-sign-switch OOS

In [52], Shamir and Tauman introduced the so called hash-sign-switch paradigm for OOS. Here, the key pair of any signature scheme is extended by the key pair of a chameleon-hash. The offline phase represents computing a signature on a chameleon-hash value h of a random message $m'$ (the hash part). The online phase then represents computing a collision for h with the message m to be signed (the switch part). Shamir and Tauman in [52] propose (among an instantiation based on factoring) the use of the $\textsf{W}\text {-}\textsf{CollRes}$ by Krawczyk and Rabin [46]. Note that this requires that for every offline signature, a new signature for a fresh chameleon-hash needs to be computed. Otherwise, due to the key-exposure of the chameleon-hash the so obtained OOS gets insecure, i.e., one can forge signatures for arbitrary messages after seeing two signatures.

6.2.2 Key-exposure in OOS

Chen et al. in [21] observe that this key-exposure problem in OOS following this “hash-sign-switch” paradigm might impose a huge storage overhead due to the number of precomputed signatures in the offline phase. They then suggest to fix this problem by introducing a special double-trapdoor hash family based on the discrete logarithm assumption combined with a one-time trapdoor/hash key pair for each message signing. Although this removes a part of the problem, this is still not entirely generic and imposes an additional overhead.

We want to stress, that besides the storage overhead pointed out by Chen et al. [21], constructing such OOS using a chameleon-hash providing only $\textsf{W}\text {-}\textsf{CollRes}$ might be even more problematic when it comes to what we informally call robustness. Imagine that due to a fault or some behavior triggered by an adversary, one of the signatures precomputed in the offline phase gets reused in the online phase. Then, the OOS is immediately completely broken. Note that this is somewhat reminiscent of the problem of secret key leakage when reusing the randomness in Schnorr-type signatures as repeatedly seen in case of ECDSA in practice (cf. [44]).

6.2.3 $\textsf{F}\text {-}\textsf{CollRes}$ CH in OOS

Now, when instantiating OOS on the “hash-sign-switch” paradigm based on a $\textsf{F}\text {-}\textsf{CollRes}$ chameleon-hash instead, this immediately resolves the above robustness issue and yields a completely generic solution. More so, in the offline phase only a single signature needs to be precomputed, which can be reused for all online signing operations while allowing the adversary to query signatures for arbitrary messages. Clearly, when it comes to concrete efficiency, it needs to be guaranteed that the online part remains more efficient than the signing operation of the underlying signature scheme. Taking for instance the concrete instantiation in Sect. 5.3, precomputing all the message-independent values of the $\mathsf Adapt$ algorithm except for $u_2$ (which is critical to robustness) in the offline phase, then the online phase requires two exponentiations. So while this does not yield a benefit when building OOS on Schnorr-type signatures, it will so for instance when using the BLS signature scheme [15] (where an estimate of signing including the hashing to the curve [56] requires a cost of strictly more than two exponentiations).^{Footnote 9}

Relying on a $\textsf{F}\text {-}\textsf{CollRes}$ chameleon-hash thus provides a fully generic construction of OOS with this robustness feature (in contrast to [21] which is based on the discrete logarithm assumption), and using the recent results in [28] even immediately yields a construction from post-quantum assumptions.

Notes

The requirement for an invertible encoding into the group introduces an enormous efficiency penalty, and thus their instantiation is incomplete. Moreover, it was only recently shown that the proposed chameleon-hash fulfills our stronger definition [23].
In true-simulation extractability the simulator can only be used for statements inside the language.
We note that the randomness r is also sometimes called “check value” [5].
In the case $(h'^*, m'^*)$ is the new hash/message pair, simply switch names.
A slightly stronger notion has been proposed by Zhang in [57] where the adversary sees a hash on a random message and is then given a single collision on a message of its choice. We do not cover this notion here as it seems to be tailored to the specific applications in [57] and all notions stronger than $\textsf{W}\text {-}\textsf{CollRes}$ considered here cover more general cases.
Lifting this definition to also cover those parameters is straightforward.
Lifting this definition to also cover those parameters is straightforward.
Note, if unrolled, using the bounds of Bellare et al. [9], $|\Pr [S_2] - \Pr [S_{3_q}]| \le 2q\cdot \nu _\textsf{cpa}(\lambda )$ follows.
We note that even without any precomputation for the chameleon-hash and only using pre-computation tables for the static generator $g_1$ and public key y of 16 $\mathbb {G}_1$ elements each (as used in libraries such as RELIC [3]) and multi-base scalar multiplications this amounts to the cost of three exponentiations. Finally, one could even reduce the cost to a single exponentiation, but then one needs to ensure that the precomputed $u_2$ value never gets reused.

References

M. Abe, B. David, M. Kohlweiss, R. Nishimaki, M. Ohkubo, Tagged one-time signatures: Tight security and optimal tag size, in PKC. (2013), pp. 312–331
S. Alsouri, Ö. Dagdelen, S. Katzenbeisser, Group-based attestation: Enhancing privacy and management in remote attestation, in Trust. (2010), pp. 63–77
D.F. Aranha, C.P.L. Gouvêa, T. Markmann, R.S. Wahby, K. Liao, RELIC is an Efficient LIbrary for Cryptography. https://github.com/relic-toolkit/relic
G. Ateniese, D.H. Chou, B. de Medeiros, G. Tsudik, Sanitizable signatures, in ESORICS. (2005), pp. 159–177
G. Ateniese, B. Magri, D. Venturi, E.R. Andrade, Redactable blockchain - or - rewriting history in bitcoin and friends, in EuroS &P. (2017), pp. 111–126
G. Ateniese, B. de Medeiros, Identity-based chameleon hash and applications, In FC. (2004), pp. 164–180
G. Ateniese, B. de Medeiros, On the key exposure problem in chameleon hashes, in SCN. (2004), pp. 165–179
F. Bao, R.H. Deng, X. Ding, J. Lai, Y. Zhao, Hierarchical identity-based chameleon hash and its applications, in ACNS. (2011), pp. 201–219
M. Bellare, A. Boldyreva, S. Micali, Public-key encryption in a multi-user setting: Security proofs and improvements, in Eurocrypt. (2000), pp. 259–274
M. Bellare, C. Namprempre, D. Pointcheval, M. Semanko, The one-more-rsa-inversion problems and the security of chaum’s blind signature scheme. J. Cryptol. 16(3), 185–215 (2003)
M. Bellare, T. Ristov, Hash functions from sigma protocols and improvements to VSH, in Asiacrypt. (2008), pp. 125–142
M. Bellare, T. Ristov, A characterization of chameleon hash functions and new, efficient designs. J. Cryptol. 27(4), 799–823 (2014)
M. Bellare, D. Riepel, L. Shea, Highly-effective backdoors for hash functions and beyond. Cryptology ePrint Archive, Paper 2024/536 (2024). https://eprint.iacr.org/2024/536
O. Blazy, S.A. Kakvi, E. Kiltz, J. Pan, Tightly-secure signatures from chameleon hash functions, in PKC. (2015), pp. 256–279
D. Boneh, B. Lynn, H. Shacham, Short signatures from the weil pairing, in C. Boyd, editors, Advances in Cryptology - ASIACRYPT 2001, 7th International Conference on the Theory and Application of Cryptology and Information Security, Gold Coast, Australia, December 9-13, 2001, Proceedings. Lecture Notes in Computer Science, vol. 2248 (Springer, 2001), pp. 514–532
G. Brassard, D. Chaum, C. Crépeau, Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
C. Brzuska, M. Fischlin, T. Freudenreich, A. Lehmann, M. Page, J. Schelbert, D. Schröder, F. Volk, Security of sanitizable signatures revisited, in PKC. (2009), pp. 317–336
J. Camenisch, D. Derler, S. Krenn, H.C. Pöhls, K. Samelin, D. Slamanig, Chameleon-hashes with ephemeral trapdoors - and applications to invisible sanitizable signatures, in PKC. (2017), pp. 152–182
D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis, in Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings. (2010), pp. 523–552
X. Chen, F. Zhang, K. Kim, Chameleon hashing without key exposure, in ISC. (2004), pp. 87–98
X. Chen, F. Zhang, W. Susilo, Y. Mu, Efficient generic on-line/off-line signatures without key exposure, in ACNS. (2007), pp. 18–30
J. Choi, S. Jung, A handover authentication using credentials based on chameleon hashing. IEEE Commun. Lett. 14(1), 54–56 (2010)
A. Cingolani, Bitcoin as an Ideal Redactable Transaction Ledger. Master’s thesis, Sapienza University of Rome (2020)
R. Cramer, I. Damgård, B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, in Crypto. (1994), pp. 174–187
R. Cramer, V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, in Crypto. (1998), pp. 13–25
D. Derler, K. Samelin, D. Slamanig, C. Striecks, Fine-grained and controlled rewriting in blockchains: Chameleon-hashing gone attribute-based, in NDSS (2019)
D. Derler, D. Slamanig, Key-homomorphic signatures: definitions and applications to multiparty signatures and non-interactive zero-knowledge. Des. Codes Cryptogr. 87(6), 1373–1413 (2019)
D. Derler, S. Krenn, K. Samelin, D. Slamanig, Fully collision-resistant chameleon-hashes from simpler and post-quantum assumptions, in C. Galdi, V. Kolesnikov, editors, Security and Cryptography for Networks - 12th International Conference, SCN 2020, Amalfi, Italy, September 14-16, 2020, Proceedings. Lecture Notes in Computer Science, vol. 12238 (Springer, 2020), pp. 427–447
D. Derler, K. Samelin, D. Slamanig, Bringing order to chaos: The case of collision-resistant chameleon-hashes, in A. Kiayias, M. Kohlweiss, P. Wallden, V. Zikas, editors, Public-Key Cryptography - PKC 2020. (2020), pp. 462–492
D. Derler, D. Slamanig, Highly-efficient fully-anonymous dynamic group signatures, in AsiaCCS. (2018), pp. 551–565
D. Deuber, B. Magri, S.A.K. Thyagarajan Redactable blockchain in the permissionless setting, in IEEE S &P. (2019), pp. 124–138
Y. Dodis, K. Haralambiev, A. López-Alt, D. Wichs Efficient public-key cryptography in the presence of key leakage, in Asiacrypt. (2010), pp. 613–631
S. Even, O. Goldreich, S. Micali, On-line/off-line digital signatures. J. Cryptol. 9(1), 35–67 (1996)
S. Even, O. Goldreich, S. Micali, On-line/off-line digital schemes, in G. Brassard, editors , Advances in Cryptology - CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 1989, Proceedings. Lecture Notes in Computer Science, vol. 435 (Springer, 1989), pp. 263–275
S. Faust, M. Kohlweiss, G.A. Marson, D. Venturi, On the non-malleability of the fiat-shamir transform, in Indocrypt. (2012), pp. 60–79
A. Fiat, A. Shamir, How to prove yourself: Practical solutions to identification and signature problems, in Crypto. (1986), pp. 186–194
T.E. Gamal, A public key cryptosystem and a signature scheme based on discrete logarithms, in Crypto. (1984), pp. 10–18
J. Groth, Simulation-sound NIZK proofs for a practical language and constant size group signatures, in Asiacrypt. (2006), pp. 444–459
J. Groth, Efficient fully structure-preserving signatures for large messages, in Asiacrypt. (2015), pp. 239–259
J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, in Eurocrypt. (2008), pp. 415–432
S. Guo, D. Zeng, Y. Xiang, Chameleon hashing for secure and privacy-preserving vehicular communications. IEEE Trans. Parallel Distrib. Syst. 25(11) (2014)
S. Hada, T. Tanaka, On the existence of 3-round zero-knowledge protocols, in Crypto. (1998), pp. 408–423
S. Hohenberger, B. Waters, Short and stateless signatures from the RSA assumption, in Crypto. (2009), pp. 654–670
J. Jancar, V. Sedlacek, P. Svenda, M. Sýs, Minerva: The curse of ECDSA nonces systematic analysis of lattice attacks on noisy leakage of bit-length of ECDSA nonces. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(4), 281–308 (2020). https://doi.org/10.13154/tches.v2020.i4.281-308
M. Khalili, M. Dakhilalian, W. Susilo, Efficient chameleon hash functions in the enhanced collision resistant model. Inf. Sci. 510, 155–164 (2020)
H. Krawczyk, T. Rabin, Chameleon signatures, in NDSS. (2000), pp. 143–154
Y. Li, S. Liu, Tagged chameleon hash from lattices and application to redactable blockchain. Cryptology ePrint Archive, Paper 2023/774 (to appear at PKC 2024) (2023). https://eprint.iacr.org/2023/774
R. Matzutt, J. Hiller, M. Henze, J.H. Ziegeldorf, D. Müllmann, O. Hohlfeld, K. Wehrle, A quantitative analysis of the impact of arbitrary blockchain content on bitcoin, in FC. (2018), pp. 420–438
P. Mohassel, One-time signatures and chameleon hash functions, in SAC. (2010), pp. 302–319
T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in Crypto. (1991), pp. 129–140
K. Samelin, D. Slamanig, Policy-based sanitizable signatures, in CT-RSA. (2020), pp. 538–563
A. Shamir, Y. Tauman, Improved online/offline signature schemes, in Crypto. (2001), pp. 355–367
R. Steinfeld, L. Bull, H. Wang, J. Pieprzyk, Universal designated-verifier signatures, in Asiacrypt. (2003), pp. 523–542
R. Steinfeld, H. Wang, J. Pieprzyk, Efficient extension of standard schnorr/rsa signatures into universal designated-verifier signatures, in PKC. (2004), pp. 86–100
G. Tziakouris, Cryptocurrencies - A forensic challenge or opportunity for law enforcement? an INTERPOL perspective. IEEE S &P 16(4) (2018)
R.S. Wahby, D. Boneh, Fast and simple constant-time hashing to the BLS12-381 elliptic curve. IACR Trans. Cryptogr. Hardw. Embed. Syst. 20(4), 154–179 (2019). https://doi.org/10.13154/tches.v2019.i4.154-179
R. Zhang, Tweaking TBE/IBE to PKE transforms with chameleon hash functions, in ACNS. (2007), pp. 323–339

Download references

Acknowledgements

We want to thank the anonymous reviewers for their helpful feedback. The work of D.S. was done while with AIT Austrian Institute of Technology. This work was supported by the EU’s Horizon 2020 ECSEL Joint Undertaking under grant agreement n$\circ $783119 (Secredas), from the European Union’s Horizon 2020 research and innovation programme under grant agreement n$\circ $871473 (Kraken) and by the Austrian Science Fund (FWF) and netidee SCIENCE under grant agreement P31621-N38 (Profet).

Funding

Open Access funding enabled and organized by Projekt DEAL.

Author information

Authors and Affiliations

DFINITY, Zurich, Switzerland
David Derler
Hamburg, Germany
Kai Samelin
Research Institute CODE, Universität der Bundeswehr München, Munich, Germany
Daniel Slamanig

Authors

David Derler
View author publications
You can also search for this author in PubMed Google Scholar
Kai Samelin
View author publications
You can also search for this author in PubMed Google Scholar
Daniel Slamanig
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Daniel Slamanig.

Additional information

Communicated by Stefano Tessaro.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Cite this article

Derler, D., Samelin, K. & Slamanig, D. Bringing Order to Chaos: The Case of Collision-Resistant Chameleon-Hashes. J Cryptol 37, 29 (2024). https://doi.org/10.1007/s00145-024-09510-9

Download citation

Received: 18 July 2022
Revised: 06 May 2024
Accepted: 03 June 2024
Published: 02 July 2024
DOI: https://doi.org/10.1007/s00145-024-09510-9

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Bringing Order to Chaos: The Case of Collision-Resistant Chameleon-Hashes

Abstract

Similar content being viewed by others

Bringing Order to Chaos: The Case of Collision-Resistant Chameleon-Hashes

Chameleon-Hashes with Ephemeral Trapdoors

Chameleon-Hashes with Dual Long-Term Trapdoors and Their Applications

1 Introduction

1.1 Formalizing Chameleon-Hashes

1.2 Motivation and Contribution

1.2.1 Relations among Properties

1.2.2 Stronger Notion

1.2.3 Black-Box Construction

1.2.4 Applications

1.3 Differences to the Conference Version

1.4 Follow-up Work

2 Preliminaries

2.1 Notation

2.2 Building Blocks

2.2.1 Public-Key Encryption Schemes

Definition 1

Definition 2

Definition 3

2.2.2 Digital Signature Schemes

Definition 4

Definition 5

Definition 6

2.2.3 Non-Interactive Proof Systems.

Definition 7

Definition 8

Definition 9

Definition 10

3 Chameleon-Hashes, Revisited

3.1 Framework

Definition 11

Definition 12

3.2 Collision-Resistance, Revisited

Definition 13

3.2.1 Discussion of the Notions

3.3 Indistinguishability, Revisited

3.3.1 (Normal) Indistinguishability (\(\textsf{N}\text {-}\textsf{Ind}\))

3.3.2 Strong Indistinguishability (\(\textsf{S}\text {-}\textsf{Ind}\))

3.3.3 Enhanced Indistinguishability (\(\textsf{E}\text {-}\textsf{Ind}\))

3.3.4 Full Indistinguishability (\(\textsf{F}\text {-}\textsf{Ind}\))

Definition 14

3.4 Uniqueness

Definition 15

4 Relationships between Properties of Chameleon-Hashes

4.1 Existing Constructions of Chameleon-Hashes

4.1.1 Instantiation of a Weakly Collision-Resistant \(\textsf{CH}\)

4.1.2 Instantiation of a Standard Collision-Resistant \(\textsf{CH}\)

4.2 Collision-Resistance Properties

Theorem 1

Proof

Theorem 2

Proof

Theorem 3

Proof

Theorem 4

4.2.1 Construction

Theorem 5

Theorem 6

Proof

Theorem 7

Proof

Proof

Theorem 8

Proof

Corollary 1

4.3 Relations Between Indistinguishability Notions.

Theorem 9

Proof

Theorem 10

Proof

Theorem 11

Proof

4.4 Additional Separations

Theorem 12

Proof

Theorem 13

Proof