Session 8B: Blockchain and Distributed Systems ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong
ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong
Redactable Blockchain Supporting Supervision and
Self-Management
Yanxue Jia† , Shi-Feng Sun‡†∗ , Yi Zhang† , Zhiqiang Liu† , Dawu Gu†∗
†
Shanghai Jiao Tong University, Shanghai, China
‡ Monash University, Melbourne, Australia
{jiayanxue,zy0105,ilu_zq,dwgu}@sjtu.edu.cn,[email protected]
ABSTRACT
The immutability of blockchain is crucial to the security of many
blockchain applications, while it is still desired or even legally
obliged to allow for redacting the contents of blockchain for some
scenarios. In this work, we revisit the conflict between the im-
mutability and redaction of blockchain, and put forward a new
fine-grained redactable blockchain with a semi-trusted regulator,
who follows our protocol but has a tendency to abuse his power.
To the best of our knowledge, it is the first blockchain that not only
supports the supervision of blockchain content, but also allows
users themselves to manage their own data. To this end, we intro-
duce a new variant of chameleon-hash function, named stateful
Chameleon Hash with Revocable Subkey, which is important for
building our redactable blockchain and may be of independent in-
terest. We also propose a black-box construction from standard
chameleon-hash functions, and prove its security properties un-
der our proposed security notions. At last, we provide a proof-of-
concept implementation. The evaluation results demonstrate that
our redactable blockchain is practical and can be adopted with small
additional overhead compared to the immutable blockchain.
CCS CONCEPTS
• Security and privacy → Information accountability and us-
age control; Usability in security and privacy.
KEYWORDS
Blockchain; Supervision; Self-management; Chameleon hash
ACM Reference Format:
Yanxue Jia, Shi-Feng Sun, Yi Zhang, Zhiqiang Liu, Dawu Gu. 2021. Redactable
Blockchain Supporting Supervision and Self-Management. In Proceedings
of the 2021 ACM Asia Conference on Computer and Communications Security
(ASIA CCS ’21), June 7–11, 2021, Virtual Event, Hong Kong. ACM, New York,
NY, USA, 15 pages. https://doi.org/10.1145/3433210.3453091
∗ Corresponding authors.
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than ACM
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,
to post on servers or to redistribute to lists, requires prior specific permission and/or a
fee. Request permissions from [email protected].
ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong.
© 2021 Association for Computing Machinery.
ACM ISBN 978-1-4503-8287-8/21/06. . . $15.00
https://doi.org/10.1145/3433210.3453091
844
1 INTRODUCTION
Blockchain technology originating from Bitcoin [17] has received
extensive attention in recent years. With the development of smart
contracts, its application scope has gradually expanded to many
other fields, such as supply chain, insurance and medical system.
In brief, blockchain is a decentralized, distributed ledger, in which
the transactions stored cannot be mutated ever again.
It is agreed well that the immutability is essential to the security
of blockchain applications. For example, the immutability of finan-
cial information in cryptocurrencies prevents anyone from deleting
existing transactions to gain more profits, and the immutability
of supply information in supply chains guarantees the reliability
of the source of the goods. However, it also brings about certain
unfavorable aspects which may impede the adoption of blockchain
or not desired for some new applications.
There are some fields in a transaction to support users to insert ar-
bitrary data into their transactions, like the operations “OP_RETURN"
and “Coinbase" in Bitcoin. This leaves the users the ability of posting
messages that may even contain illegal and/or improper contents,
e.g., copyright violations, child pornography and private informa-
tion. As investigated by Matzutt et al. [16], 118.53 MB arbitrary
Bitcoin data (before August 31, 2017) includes 7 files that infringe
copyright, 7 images and information that violate privacy, 274 links
to illegal websites and so on. Unfortunately, these content would be
recorded permanently in blockchain, and might affect severely the
whole blockchain ecosystem as the honest users may choose to stop
using the system for fear of being prosecuted due to broadcasting
or possessing illicit data. Therefore, it is necessary to regulate the
content to be posted in a blockchain.
The regulation can de facto be established by simply setting a
filter rule and letting miners just pack the transactions that con-
form to the rule. However, according to the quantitative analysis
in [16], an improper file could be inserted separately into multi-
ple transactions, and thus it is not easy for miners to detect it. As
mentioned in [11], it is not feasible to check for malicious content
from incoming transactions before they are inserted into the chain.
Therefore, setting a rule is necessary, but only relying solely on the
rule is not enough for tackling above concerns and it is desirable to
adjust the way of building blockchain so that the harmful data that
was eventually stored on the blockchain can be redacted by a regu-
lator in time. In real situations, the regulator could be an authority
who is responsible for making the rule to protect users’ privacy,
such as European Union introduced a new General Data Protec-
tion Regulation (GDPR) [2]. An authority may have a reputation to
maintain and more procedures to protect against misbehavior, so it
is reasonable to assume that the regulator is semi-trusted. In other
Session 8B: Blockchain and Distributed Systems
words, we can only assume that the regulator does not deviate from
the protocol specification, but cannot guarantee that the regulator
will manage the data on the chain in full compliance with the rule.
For example, he may optionally delete users’ personal data. There-
fore, it is necessary to allow users to monitor the behavior of the
regulator (i.e., authority), in order to prevent the regulator from
abusing his power, and ensure a free, fair and legal environment
for blockchain.
On the other hand, the “Right to be Forgotten" has recently been
imposed as a key Data Subject Right by GDPR of the European
Union, which means that people have the right to ask for deleting
their personal data. Thus, using immutable blockchain to record
personal information will be no longer legal again. As the increas-
ing applications of blockchain, some personal information might
be stored on the chain or revealed from the metadata of the chain,
as reported by the Open Data Institute (ODI) [19]. For example, in
a blockchain-based medical system, disease information may be
recorded on the chain. Once it is no longer necessary, the owner
should have the right to delete it from the system in light of the
regulation. Therefore, in order to comply with various data protec-
tion legislations, it is important to make blockchain allow users to
manage their own data.
In addition, it is desired to prevent some special data fields (e.g.,
senders, receivers, amounts in Bitcoin) that involve the security of
blockchain from being modified by malicious players. To summarize,
the question is how to design a blockchain that satisfies all the
following properties:
• Supervision of improper content. There is a regulator
to deal with improper content that are not filtered out by
regulation rules. Moreover, the regulator is able to revoke
the right of a user to redact his own data (see below).
• Self-management of personal data. Each user can man-
age his own data in a blockchain, as long as the data is not
related to the blockchain security, and the data cannot be
redacted by others excluding the regulator.
• Protection of data involving security. The data involving
the security of blockchain, e.g., input/output addresses and
amount in Bitcoin, cannot be changed by malicious parties.
In this work, we aim to build a new blockchain with all desired
features outlined before, and make affirmative progress towards
this direction. Section 1.2 summarizes the main contributions.
1.1 Technical overview
As mentioned above, although the immutability is essential to the
security of blockchain, it also impedes the wide deployment of
blockchain. Therefore, it is an important mission to find a way to
redact both the improper content and personal information on the
blockchain while protecting the data involving security; the former
allows us to remove the malicious data escaping the regulation rules,
while the latter gives users the ability to modify their own data.
Based on the realistic considerations, we assume that the regulator
responsible for removing the improper content is semi-trusted, but
even then, it is not easy to achieve both at the same time. There are
three challenges as follows:
• The first is that the ability to redact personal data might be
abused intentionally by a malicious data owner, because he
845
ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong
can insert arbitrary improper content into his transactions
again after the regulator deletes the previous malicious data.
• The second is that how the regulator’s behavior can be moni-
tored by the honest users, to guarantee that the modifications
performed by the regulator are in line with the rule.
• The third is that how to ensure that a new node can get a
chain containing the latest content of modified transactions.
In other words, we need to ensure that a new node can detect
an obsolete chain from a malicious full node who refuses to
modify transactions.
To overcome the first obstacle, we introduce a new variant of
chameleon-hash function, called stateful Chameleon Hash with Re-
vocable Subkey (sCHRS). Unlike the standard chameleon-hash func-
tion, our sCHRS has two kinds of trapdoors that can be used to
find collisions, namely master private key 𝑚𝑠𝑘 and subordinate
private key 𝑠𝑠𝑘. More importantly, 𝑚𝑠𝑘 can revoke the right of
𝑠𝑠𝑘 to find collisions. In our application, the regulator holds 𝑚𝑠𝑘
and users generate their own 𝑠𝑠𝑘. Therefore, once observing data
owner’s malicious behavior, the regulator is able to revoke his right
of redacting personal data. Specifically, we replace the standard
hash function used to compute leaf nodes of Merkle tree with our
sCHRS. By finding a collision, a user can request full nodes to re-
place the content of his own transaction with a new one, likewise,
the regulator can deal with the improper content as well as revoke
the corresponding 𝑠𝑠𝑘. Subsequently, a modification request con-
taining the new content and validation information for the collision
is broadcast to the full nodes.
To overcome the latter two difficulties, each time a modifica-
tion needs to be proposed, besides the modification request, we
require the modifier (user/regulator) to broadcast a corresponding
witness transaction that records which transaction is modified and
the updated status of this transaction. After verification, miners
will package the valid witness transactions (please see Section 4 for
more validation details). Once a witness transaction is confirmed,
which means that the majority of honest nodes accept the change,
full nodes will modify the previous transaction according to the
corresponding modification request received before.
More specifically, to monitor the behavior of the regulator, min-
ers should check if the new content included in a modification
request from the regulator conforms to the rule. If so, miners will
package the corresponding valid witness transaction. We did men-
tion earlier that it would be unrealistic for miners to review the
content of all the transactions. However, compared to transactions
(ordinary transactions/witness transactions) proposed by users, the
witness transactions issued by the regulator are relatively few, and
thus it is reasonable for miners to check it.
For the third challenge, a new node can detect an obsolete chain
by a confirmed witness transaction where the latest status of a
modified transaction is recorded. As mentioned before, since there
are so many transactions proposed by users that the content cannot
be checked by miners, it is possible for users to insert improper
content. Therefore, the regulator should be able to modify any
transaction issued by users, including witness transactions and
ordinary transactions.
Having solved the three main problems, there is another impor-
tant problem to be solved, that is How to protect the data (e.g., senders,
Session 8B: Blockchain and Distributed Systems
receivers, amounts in Bitcoin) involving security of blockchain. We
will give a detailed explanation of the data related to security in Sec-
tion 4.1. We solve this problem by splitting a transaction into two
parts, the standard part and the arbitrary part. Roughly speaking,
a standard part consists of the fields that involve the security, and
thus only the semi-trusted regulator can modify it, and his modifi-
cation will be monitored by the full nodes. And an arbitrary part
refers to the personal data inserted arbitrarily by users, and thus it
can be modified by its owner and supervised by the regulator.
In a nutshell, we leverage our sCHRS and the witness transaction
to overcome the three challenges, and split a transaction into two
parts to protect the data involving security. Eventually, we build
a new redactable blockchain enjoying three features, i.e., supervi-
sion of improper content, self-management of personal data and
protection of data involving security.
1.2 Our Contributions
We revisit the conflict between the immutability of blockchain and
the necessity of redacting the content of blockchain. As mentioned
above, we propose a novel redactable blockchain by introducing a
new cryptographic primitive named stateful Chameleon Hash with
Revocable Subkey (sCHRS) and a witness transaction that is a new
type of transaction. More specifically, our main contributions are
as follows.
• In Section 3, we propose the syntax and formal security prop-
erties of sCHRS. Then we present a black-box construction
of sCHRS by employing only standard chameleon hash func-
tions 1 , and prove that the construction meets the proposed
security properties as long as the underlying chameleon hash
functions are secure.
• We put forward a generic redactable blockchain by leverag-
ing sCHRS in Section 4. Our design supports people’s right
to be forgotten and the redaction of improper content, as
well as the protection of blockchain with respect to certain
specific data fields. In our setting, besides users who may
be honest or malicious, there exists a semi-trusted regula-
tor (e.g., a data protection officer) who is responsible for
force modifications of the harmful content on blockchain.
To prevent the regulator from abusing his power, we allow
miners to monitor his behaviors through witness transac-
tions. At the same time, the witness transactions recorded
on chain can help a new node detect whether a transaction
is outdated.
• We instantiate the black-box construction of sCHRS with
two RSA-based standard chameleon hash functions and de-
velop a proof-of-concept implementation in Section 5. The
experimental results demonstrate that a practical redactable
blockchain with the three features can be obtained following
the proposed mechanism.
1.3 Related Work
Redactable blockchain. Existing research on redactable blockchain
can be divided into two categories, depending on the need for a
1 Forthe sake of distinction, we refer to the chameleon hash in Definition 2.1 as the
standard chameleon hash, and denote our new variant as sCHRS.
846
ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong
trusted regulator or committee. Deuber et al. [11] proposed to mod-
ify a confirmed block by publishing a new block, which gets enough
votes, to substitute it, so it does not need a trusted party or commit-
tee. In contrast, the works [4], [10] and [18] need a trusted party or
committee to manage the private keys related to the rewriting.
Deuber et al. [11] put forward a redactable blockchain focusing
on permissionless setting in which no trusted parties are involved.
Their protocol allows anyone to propose a new block (not means
the block that is to extend the chain) to replace the old confirmed
block, then all nodes in the network would vote for the new block.
Finally, the new block will be accepted when it gets enough votes. In
order to protect the data involving security, the scheme only allows
redactions that do not affect a transaction’s consistency. However,
if there is improper content in the data involving security, it cannot
deal with them, so it does not achieve a thorough supervision of
improper content. As for the self-management of personal data,
due to the fact that anyone has a chance to propose a new block
to replace the old confirmed one, personal data is possible to be
modified by an unrelated person.
Ateniese et al. [4] is the first to introduce the concept of redactable
blockchain, and they replaced the standard hash function used to
compute the hash value of an entire block with chameleon-hash
functions. By this way, the content of any block can be modified or
deleted with the knowledge of chameleon-hash trapdoor without
affecting the hash value of original block. Thus, a trusted regula-
tor holding the trapdoor can supervise the content of blockchain.
Recently, it has been commercially adopted by a large consultancy
company Accenture [1]. Analogously, Derler et al. [10] replaced the
standard hash function used to compute Merkle tree leaf nodes with
a new variant of chameleon hash called Policy-based Chameleon-
Hash function (PCH), and presented a modular construction by
combining ciphertext-policy attribute-based encryption (CP-ABE)
[12] and chameleon-hashes with ephemeral trapdoors (CHET) [9].
This scheme allows users to manage their own data and it is more
fine-grained. [4] and [10] support supervision and self-management,
respectively, but neither does both at the same time. Our work is
inspired by them, and supports supervision and self-management
at the same time.
Another relevant work is 𝜇Chain proposed by Puddu et al. [18],
which needs a trusted party or committee as well. Unlike the previ-
ous two schemes, [18] does not use the (variants of) chameleon-hash
functions, but stores multiple versions of the encrypted transactions
in the blockchain, with the trusted party releasing the decryption
keys for active versions. Because all transactions are permanently
stored on the blockchain, the scheme does not fully support super-
vision and self-management.
In the four schemes mentioned above, [11], [4] and [18] can
completely protect the data involving security. [11] does not allow
anyone to modify the data involving security, [4] only allows the
trusted parties to rewrite the blockchain, and [18] proposed to
mutate all affected transactions through a cascading effect in order
to maintain transaction consistency. However, [10] gives every user
with required attributes the power to modify his transactions, but
these users may redact the fields involving security.
We summarize and compare existing redactable blockchain with
our work in Table 1. From the summary, we can see that only our
work can achieve all desirable features with a semi-trusted regulator
Session 8B: Blockchain and Distributed Systems
Table 1: Comparison of existing redactable blockchains.
Granularity Supervision of Self-management
References
level improper content of personal data
[11] block ⊖ ×
[4] block ✓ ×
[10] transaction × ✓
[18] transaction ⊖ ⊖
Ours transaction fields ✓ ✓
“ ✓ ": Well-done; “⊖": Considered but needs further improvements; “×": Not achieved.
Granularity refers to the control granularity of modification rights. The smaller granularity is, the more flexible the management of modification right is.
- “block level": the right to modify is limited to a block;
- “transaction level": the right to modify is limited to a particular transaction;
- “transaction fields level": the right to modify is limited to some fields in a transaction.
at the same time, and our work allows for more granular control
over transaction modifications.
Chameleon-hash function. Chameleon-hash functions were ini-
tially introduced by Krawczyk and Rabin [14] based on the work
of Brassard et al. [8]. Then the primitive was generalized to the
identity-based setting [3, 21]. Subsequently, Bao et al. [5] proposed
a hierarchical identity-based chameleon-hash function, where an
identity at depth 𝑘 of the hierarchy is represented as a vector of
dimension 𝑘, and the trapdoor for an identity can be generated by
its parents. Although the regulator and users in our setting form
a two-level hierarchy, we cannot use the scheme in [5]. This is
because the users in our redactable blockchain need to generate
their own key pairs by themselves rather than to get them from the
regulator. Recently, Camenisch et al. [9] presented a new form of
chameleon-hash function called chameleon-hash with ephemeral
trapdoors denoted as CHET, where the one holding the long-term
key cannot find the collisions unless he also has the ephemeral trap-
door, which is chosen freshly for each new hash. Later, Krenn et al.
[15] proposed the notion of chameleon-hashes with dual long-term
trapdoors (CHLT for short). It modified the scheme in [9] so that
both keys are long-term keys, which makes key management more
flexible.
2 PRELIMINARIES
In this section, we recall the formal definition of chameleon-hashes
and its security properties.
Definition 2.1 (Chameleon Hashes). A chameleon hash with mes-
sage space M consists of a tuple of polynomial-time algorithms
CH = (ParGenCH, KGenCH, HashCH, AdaptCH, CheckCH ):
$ tion of collision-resistance property in [9], and we call it enhanced
• pp ←− ParGenCH (1𝜆 ): The public parameter generation
algorithm ParGenCH takes as input a security parameter 𝜆
and outputs public parameters pp.
$
• (𝑠𝑘, 𝑝𝑘) ←− KGenCH (pp): The key generation algorithm
KGenCH takes as input the public parameters pp and outputs
a private and public key pair (𝑠𝑘, 𝑝𝑘).
$
• (ℎ, 𝑟 ) ←− HashCH (𝑝𝑘, 𝑚): The hashing algorithm HashCH
takes as input a public key 𝑝𝑘 and a message 𝑚 ∈ M, and
outputs a hash ℎ and its check string 𝑟 .
$
• 𝑟 ′ ←− AdaptCH (𝑠𝑘, (ℎ, 𝑟, 𝑚), 𝑚 ′ ): The adaptation algorithm
AdaptCH takes as input a private key 𝑠𝑘, a triple of old hash ℎ,
847
ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong
Protection of data Regulator
data involving security (Committee)
✓ No need
✓ Trusted
× Trusted
✓ Trusted
✓ Semi-trusted
check string 𝑟 and message 𝑚, and a new message 𝑚 ′ ∈ M,
then outputs a new check string 𝑟 ′ .
• {0, 1} ← CheckCH (𝑝𝑘, (ℎ, 𝑟, 𝑚)): The deterministic verifica-
tion algorithm CheckCH takes as input the public key 𝑝𝑘, a
triple of hash value ℎ, check string 𝑟 and message 𝑚 ∈ M. It
then outputs 1 if (ℎ, 𝑟 ) is a valid hash/check string pair for
the message 𝑚, otherwise outputs 0.
The authors in [9] proposed a stronger collision-resistance based
on the original collision-resistance property by allowing an adver-
sary to query a collision-finding oracle, but they did not give a
new name to the stronger security property. Almost at the same
time, Camenisch et al. in [4] gave a similar definition to the stronger
collision-resistance and renamed it to enhanced collision-resistance,
where they also considered that an adversary has access to a collision-
finding oracle. However, there is a subtle difference between the
two definitions. Roughly speaking, in [4], the enhanced collision-
resistance requires that an adversary cannot find any collisions
of hash values that have not been queried to the collision-finding
oracle. Whereas the collision-resistance in [9] requires that an ad-
versary cannot find a collision for two messages, at least one of
which has not been queried. In other words, the definition in [9]
requires that the adversary not only cannot find a collision of a new
hash value, but also cannot find a new collision of a hash value that
has been queried.
In our redactable blockchain, modifying a transaction means
finding a collision, and we expect that an adversary cannot mod-
ify a transaction not belonging to him even after seeing arbitrary
modifications to the transaction. Therefore, the definition in [9] is
more suitable for our application. In this paper, we use the defini-
collision-resistance too.
As in [4], we only consider correctness and enhanced collision-
resistance as fundamental security properties. In our redactable
blockchain, we do not attempt to hide whether a transaction has
been modified, and thus indistinguishability regarded as a funda-
mental security property in [9] is not needed in our paper.
Definition 2.2 (Secure Chameleon Hash). A chameleon hash CH
is secure, if it satisfies the correctness and enhanced collision-
resistance properties.
Correctness guarantees that the hash/check string pairs and
collisions computed correctly can pass the verification with an
Session 8B: Blockchain and Distributed Systems
overwhelming probability. Enhanced collision-resistance requires
that, even given access to a collision-finding oracle, an efficient
adversary without the trapdoor cannot find any collision for the
messages that have not been queried to the oracle.
$
Correctness. For all 𝜆 ∈ N, 𝑚 ∈ M, any pp ←− ParGenCH (1𝜆 ),
$ $
(𝑠𝑘, 𝑝𝑘) ←− KGenCH (pp), (ℎ, 𝑟 ) ←− HashCH (𝑝𝑘, 𝑚) and 𝑟 ′ ←−
AdaptCH (𝑠𝑘, (ℎ, 𝑟, 𝑚), 𝑚 ′ ), where AdaptCH can be queried poly(𝜆)
times, it holds that CheckCH (𝑝𝑘, (ℎ, 𝑟, 𝑚)) = 1 and CheckCH (𝑝𝑘, (ℎ,
𝑟 ′, 𝑚 ′ )) = 1.
Enhanced Collision-Resistance. Formally, a chameleon hash
CH is enhanced collision-resistant, if for any efficient adversary
A it holds that Pr[ExptCR
A,CH
(𝜆) = 1] ≤ negl(𝜆), where the corre-
sponding experiment ExptCR
A,CH
(𝜆) is depicted in Fig. 1.
ExptCR
A,CH
(𝜆) :
pp ← ParGenCH (1𝜆 );
(𝑠𝑘, 𝑝𝑘) ← KGenCH (pp), 𝑄 ← ∅;
Adapt
O ( ·,·)
(𝑚 ∗, 𝑟 ∗, 𝑚 ′∗, 𝑟 ′∗, ℎ ∗ ) ← A (𝑠𝑘,𝑝𝑘 ) (𝑝𝑘);
if (CheckCH (𝑝𝑘, (ℎ ∗, 𝑟 ∗, 𝑚 ∗ )) = 1 ∧ CheckCH (𝑝𝑘, (ℎ ∗, 𝑟 ′∗, 𝑚 ′∗ )) =
1 ∧ 𝑚 ′∗ ∉ 𝑄 ∧ 𝑚 ∗ ≠ 𝑚 ′∗ ), return 1.
Adapt
O (𝑠𝑘,𝑝𝑘) ((ℎ, 𝑟, 𝑚), 𝑚 ′ )
if CheckCH (𝑝𝑘, (ℎ, 𝑟, 𝑚)) = 0, return ⊥;
else 𝑟 ′ ← AdaptCH (𝑠𝑘, (ℎ, 𝑟, 𝑚), 𝑚 ′ );
if 𝑟 ′ =⊥: return ⊥;
else 𝑄 ← 𝑄 ∪ {𝑚, 𝑚 ′ };
return 𝑟 ′ .
Figure 1: The experiment for Enhanced Collision-
Resistance.
3 CHAMELEON HASH WITH REVOCABLE
SUBKEY
Our purpose is to design a framework of blockchain, where users
can manage their own data included in their transactions, and
the regulator can deal with improper data while depriving the
corresponding user of the right to modify the transaction. To this
end, we essentially need a variant of chameleon-hash function that
has a master key pair (for the regulator) and multiple subordinate
key pairs (for the users). Moreover, all of the key pairs can find
collisions and the master key pair can revoke the right of any
subordinate key pair to find collisions of certain hash values, not
all the hash values related to the subordinate key pair.
Recalling the definitions of AdaptCH (𝑠𝑘, (ℎ, 𝑟, 𝑚), 𝑚 ′ ) and
CheckCH (𝑝𝑘, (ℎ, 𝑟, 𝑚)), we find that as long as the user still holds
the 𝑠𝑘 and ℎ is unchanged, the user must be able to find collisions.
To overcome this obstacle, we introduce a “state" for each hash value
ℎ in our new variant, and each state implies which subordinate key
pair has the right to find collisions. Once a valid revocation occurs,
the corresponding state will change. And the state will be also taken
into account to check whether a hash value/check string pair is
valid beyond public keys. Thus the holder of master key pair needs
to maintain the state, which will be shared with the parties who will
check the hash value. We must admit that maintaining a state for
ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong
each hash value is not desirable in practice, but fortunately in our
application the blockchain itself could be naturally used to record
and share these states. We call the new variant stateful Chameleon
Hash with Revocable Subkey (sCHRS), and we will give the specific
definitions and security properties next.
$
3.1 Syntax of sCHRS
A sCHRS consists of seven polynomial-time algorithms sCHRS =
(ParGensCHRS, MKGensCHRS, SKGensCHRS, HashsCHRS, AdaptsCHRS,
RevokesCHRS, ChecksCHRS ):
$
• ppsCHRS ←− ParGensCHRS (1𝜆 ): The algorithm takes as in-
put a security parameter 𝜆 and outputs public parameter
ppsCHRS which would be taken as an implicit input of all
other algorithms.
$
• (𝑚𝑠𝑘, 𝑚𝑝𝑘) ←− MKGensCHRS (ppsCHRS ): The algorithm takes
as input the public parameter ppsCHRS and outputs a master
key pair (𝑚𝑠𝑘, 𝑚𝑝𝑘).
$
• (𝑠𝑠𝑘𝑖 , 𝑠𝑝𝑘𝑖 ) ←− SKGensCHRS (ppsCHRS ): The algorithm takes
as input the public parameter ppsCHRS and outputs a subor-
dinate key pair (𝑠𝑠𝑘𝑖 , 𝑠𝑝𝑘𝑖 ).
$
• (ℎ, 𝑟, 𝑠𝑡 0 ) ←− HashsCHRS (𝑚𝑝𝑘, 𝑠𝑝𝑘𝑖 , 𝑚): The algorithm takes
as input a master public key 𝑚𝑝𝑘, a subordinate public key
𝑠𝑝𝑘𝑖 and a message 𝑚 ∈ M. It outputs a hash ℎ , its check
string 𝑟 and the initial state 𝑠𝑡 0 .
$
• 𝑟 ′ ←− AdaptsCHRS (𝑠𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘𝑖 ), 𝑚 ′ ): The algorithm
takes as input a private key 𝑠𝑘 that could be 𝑠𝑠𝑘𝑖 or 𝑚𝑠𝑘,
a tuple (ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘𝑖 ), and a new message 𝑚 ′ ∈ M, then
outputs a new check string 𝑟 ′ .
$
• (𝑟 ′, (𝑠𝑠𝑘𝑖′, 𝑠𝑝𝑘𝑖′ ), 𝑠𝑡 𝑗+1 ) ←− RevokesCHRS (𝑚𝑠𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘𝑖 ),
𝑠𝑡 𝑗 , 𝑚 ′ ): The algorithm takes as input a master secret key
𝑚𝑠𝑘, a tuple (ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘𝑖 ), a message 𝑚 ′ ∈ M (𝑚 ′ could be
equal to 𝑚), and a current state 𝑠𝑡 𝑗 . It then outputs a new
check string 𝑟 ′ , a new subordinate key pair (𝑠𝑠𝑘𝑖′, 𝑠𝑝𝑘𝑖′ ) and a
new state 𝑠𝑡 𝑗+1 to revoke the right of old key pair (𝑠𝑠𝑘𝑖 , 𝑠𝑝𝑘𝑖 )
to find collisions of ℎ.
• 𝑏 ← ChecksCHRS (𝑚𝑝𝑘, ℎ, 𝑠𝑡, (𝑠𝑝𝑘𝑖′, 𝑟 ′, 𝑚 ′ )): The determinis-
tic algorithm uses the hash value ℎ’s current state 𝑠𝑡 to check
if (ℎ, 𝑟 ′, 𝑚 ′ ) is valid under (𝑚𝑝𝑘, 𝑠𝑝𝑘𝑖′ ). If it is valid, 𝑏 = 1,
otherwise, 𝑏 = 0.
Compared to the standard chameleon-hash function defined
in Definition 2.1, AdaptsCHRS in sCHRS allows the subordinate
secret key or the master secret key to find collisions. ChecksCHRS
is similar to CheckCH . The main difference is that ChecksCHRS
also takes into account the current state 𝑠𝑡 when judging validity
besides public keys (i.e., master public key and subordinate public
key). In addition, sCHRS adds MKGensCHRS and RevokesCHRS for
the master key pair.
Specifically, MKGensCHRS is used to generate a master key pair
(𝑚𝑠𝑘, 𝑚𝑝𝑘), which can correspond to multiple subordinate key
pairs (𝑠𝑠𝑘𝑖 , 𝑠𝑝𝑘𝑖 ). When a hash value is first generated, there is a
corresponding initial state 𝑠𝑡 0 . RevokesCHRS uses 𝑚𝑠𝑘 to update the
state and generate a new subordinate key pair to revoke the old
one while choosing whether to find a collision of the hash value.
848
Session 8B: Blockchain and Distributed Systems ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong

Moreover, the master secret key and the subordinate secret key ExptCORR
A,sCHRS
(𝜆):
both can find collisions by AdaptsCHRS without changing the state. $
ppsCHRS ←− ParGensCHRS (1𝜆 );
$
3.2 Security Properties of sCHRS (𝑚𝑠𝑘, 𝑚𝑝𝑘) ←− MKGensCHRS (ppsCHRS );
$
In this section, we formally define the security properties of sCHRS, (𝑠𝑠𝑘, 𝑠𝑝𝑘) ←− SKGensCHRS (ppsCHRS );
including correctness, revocability, secret-key collision-resistance and SPriKey := 𝑠𝑠𝑘, SPubKey := 𝑠𝑝𝑘;
master-key revocation-resistance. Informally, the revocability re- $
𝑚 ←− M;
quires that, once a subordinate key pair (𝑠𝑠𝑘, 𝑠𝑝𝑘) is revoked and $
the corresponding state changes, the revoked secret key 𝑠𝑠𝑘 loses (ℎ, 𝑟, 𝑠𝑡 0 ) ←− HashsCHRS (𝑚𝑝𝑘, 𝑠𝑝𝑘, 𝑚);
the right to find collisions of a certain hash value again. The secret- Mhash := (ℎ, 𝑟, 𝑚), State := 𝑠𝑡 0 ;
key collision-resistance requires that a collision under public keys Signal := Continue;
SKAdapt ,O MKAdapt ,O Revoke
(𝑚𝑝𝑘, 𝑠𝑝𝑘) cannot be found without the corresponding private Signal ← A O (𝑚𝑝𝑘, SPubKey, State);
key 𝑚𝑠𝑘 or 𝑠𝑠𝑘, no matter the 𝑠𝑠𝑘 comes from SKGensCHRS or if Signal = Stop,
RevokesCHRS . Master-key revocation-resistance requires that any- parse Mhash := (ℎ ∗, 𝑟 ∗, 𝑚 ∗ );
one not holding the master secret key cannot revoke the right of a 𝑏 = ChecksCHRS (𝑚𝑝𝑘, ℎ ∗, State, (SPubKey, 𝑟 ∗, 𝑚 ∗ ));
subordinate key pair to find collisions of a certain hash value. return b.
SKAdapt
Definition 3.1 (Secure sCHRS). A sCHRS is secure, if it satisfies O (SPriKey,𝑚𝑝𝑘,SPubKey) (𝑚 ′ )
correctness, revocability, secret-key collision-resistance and master- parse Mhash := (ℎ, 𝑟, 𝑚);
key revocation-resistance properties. 𝑟 ′ ← AdaptsCHRS (SPriKey, (ℎ, 𝑟, 𝑚, SPubKey), 𝑚 ′ );
We note that the secret-key collision-resistance includes three Mhash := (ℎ, 𝑟 ′, 𝑚 ′ );
cases: collision-resistance against original subordinate secret key
generated by SKGensCHRS , against master secret key generated MKAdapt
O (𝑚𝑠𝑘,𝑚𝑝𝑘,SPubKey) (𝑚 ′ )
by MKGensCHRS and against new subordinate secret key coming
from RevokesCHRS . For simplicity, we refer to the first two as orig- parse Mhash := (ℎ, 𝑟, 𝑚);
inal secret-key collision-resistance and the third as new sub-key 𝑟 ′ ← AdaptsCHRS (𝑚𝑠𝑘, (ℎ, 𝑟, 𝑚, SPubKey), 𝑚 ′ );
collision-resistance. Mhash := (ℎ, 𝑟 ′, 𝑚 ′ );
Correctness. It requires that all hash/check string pairs correctly
O Revoke
(𝑚𝑠𝑘,𝑚𝑝𝑘,SPubKey,State)
(𝑚 ′ )
generated from HashsCHRS , AdaptsCHRS or RevokesCHRS can pass
the verification of ChecksCHRS . We use the following experiment parse Mhash := (ℎ, 𝑟, 𝑚);
in Fig. 2 to define correctness. Formally, a sCHRS is correct, if for (𝑟 ′, (𝑠𝑠𝑘 ′, 𝑠𝑝𝑘 ′ ), 𝑠𝑡 ′ ) ←
all efficient adversary A it holds that Pr[ExptCORR (𝜆) = 1] = 1. RevokesCHRS (𝑚𝑠𝑘, (ℎ, 𝑟, 𝑚, SPubKey), State, 𝑚 ′ );
A,sCHRS
In ExptCORR (𝜆), the variables (SPriKey, SPubKey, Mhash, State) Mhash := (ℎ, 𝑟 ′, 𝑚 ′ ), State := 𝑠𝑡 ′ ;
A,sCHRS SPriKey := 𝑠𝑠𝑘 ′, SPubKey := 𝑠𝑝𝑘 ′ ;
can be changed by oracles, and State is updated by O Revoke and
$
could be obtained by the adversary. A can query different 𝑚 ′ ←− Figure 2: The experiment for Correctness.
M randomly chosen by himself to the three oracles poly(𝜆) times.
Once the adversary completes the query, he will set Signal to Stop. to compute (ℎ, 𝑟, 𝑚, 𝑠𝑡). A will query O Revoke a time to revoke
Then ExptCORR (𝜆) will check the validity of Mhash with respect (𝑠𝑠𝑘, 𝑠𝑝𝑘) while getting a new subordinate public key 𝑠𝑝𝑘 ′ , and the
A,sCHRS
revoked subordinate public key is denoted as RevKey. After that,
to SPubKey under the current state. If it is valid, ExptCORR (𝜆)
A,sCHRS ExptRev
A,sCHRS
(𝜆) will maintain the State for ℎ. Then A queries
outputs 1, otherwise, outputs 0.
O SKAdapt to get collisions under the new subordinate key pair. If A
Revocability. In sCHRS, the party possessing the master private can find a valid collision of ℎ with respect to the revoked subordinate
key 𝑚𝑠𝑘 can revoke the right of original subordinate key pair to key pair (𝑠𝑠𝑘, 𝑠𝑝𝑘) after a while, he wins the experiment. Moreover,
find collisions of a certain hash value. The revocability requires the message 𝑚 ′∗ computed by A could be queried before.
that, once the original subordinate key pair (𝑠𝑠𝑘, 𝑠𝑝𝑘) used to com-
pute ℎ is revoked, 𝑠𝑠𝑘 cannot find valid collisions of ℎ. It is worth Original Secret-Key Collision-Resistance. It requires that
noting that the revoked subordinate key (𝑠𝑠𝑘, 𝑠𝑝𝑘) cannot be used an efficient adversary A without the subordinate secret key 𝑠𝑠𝑘
to find valid collisions of ℎ, but can still be used to compute other and the master secret key 𝑚𝑠𝑘 cannot find any collision under
chameleon hash values and the corresponding collisions. In other the corresponding public keys (𝑠𝑝𝑘, 𝑚𝑝𝑘). It is formally defined
words, if a subordinate key pair used to compute ℎ is revoked, other via an experiment ExptOSKCR
A,sCHRS
(𝜆) in Fig. 4. Formally, a sCHRS
chameleon hash values computed by this key pair are not affected. is Collision-Resistant against Original Secret Key, if for all efficient
It is formally defined in an experiment ExptRev A,sCHRS
(𝜆) shown in adversary A it holds that Pr[ExptOSKCR A,sCHRS
(𝜆) = 1] ≤ negl(𝜆).
Fig. 3. Formally, a sCHRS is Revocable, if for all efficient adversary In the experiment, A with public keys (𝑠𝑝𝑘, 𝑚𝑝𝑘) is given access
A it holds that Pr[ExptRevA
(𝜆) = 1] ≤ negl(𝜆). to two adaption oracles O SKAdapt and O MKAdapt . These two oracles
In the experiment, A holding the master public key 𝑚𝑝𝑘 will use 𝑠𝑠𝑘 and 𝑚𝑠𝑘 to find collisions, respectively. A can repeatedly
choose a subordinate key pair (𝑠𝑠𝑘, 𝑠𝑝𝑘), then use 𝑠𝑝𝑘 and 𝑚𝑝𝑘 query different tuples ((ℎ, 𝑟, 𝑚, 𝑠𝑡), 𝑚 ′ ) to the two oracles. If (ℎ, 𝑟, 𝑚)

849
Session 8B: Blockchain and Distributed Systems ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong

ExptRev
A
(𝜆): ExptOSKCR
A,sCHRS
(𝜆):
ppsCHRS ← ParGensCHRS (1𝜆 ); $
ppsCHRS ←− ParGensCHRS (1𝜆 );
(𝑚𝑠𝑘, 𝑚𝑝𝑘) ← MKGensCHRS (ppsCHRS ); $
RevKey :=⊥, SPubKey :=⊥, SPriKey :=⊥; (𝑚𝑠𝑘, 𝑚𝑝𝑘) ←− MKGensCHRS (ppsCHRS );
$
State :=⊥, Mhash := (⊥, ⊥, ⊥); (𝑠𝑠𝑘, 𝑠𝑝𝑘) ←− SKGensCHRS (ppsCHRS );
Revoke ,O SKAdapt
(𝑚 ′∗, 𝑟 ′∗ ) ← A O (𝑚𝑝𝑘, SPubKey, State); 𝑄 ← ∅;
parse Mhash = (ℎ ∗, 𝑟 ∗, 𝑚 ∗ ), (ℎ ∗, (𝑚 ∗, 𝑟 ∗, 𝑠𝑡 ∗ ), (𝑚 ′∗, 𝑟 ′∗ )) ← A O
SKAdapt ,O MKAdapt
(𝑠𝑝𝑘, 𝑚𝑝𝑘);
if (ChecksCHRS (𝑚𝑝𝑘, ℎ ∗, State, (RevKey, 𝑟 ′∗, 𝑚 ′∗ )) = 1), 𝑏 1 = ChecksCHRS (𝑚𝑝𝑘, ℎ ∗, 𝑠𝑡 ∗, (𝑠𝑝𝑘, 𝑟 ∗, 𝑚 ∗ ));
return 1. 𝑏 2 = ChecksCHRS (𝑚𝑝𝑘, ℎ ∗, 𝑠𝑡 ∗, (𝑠𝑝𝑘, 𝑟 ′∗, 𝑚 ′∗ ));
O Revoke
(𝑚𝑠𝑘,𝑚𝑝𝑘,SPubKey,State)
(𝑠𝑝𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑡), 𝑚 ′ ) // one time. if (𝑏 1 = 1 ∧ 𝑏 2 = 1 ∧ {𝑚 ∗, 𝑚 ′∗ } ⊈ 𝑄 ∧ 𝑚 ∗ ≠ 𝑚 ′∗ ),
if ChecksCHRS (𝑚𝑝𝑘, ℎ, 𝑠𝑡, (𝑠𝑝𝑘, 𝑟, 𝑚)) = 0, return ⊥; return 1.
SKAdapt
else, (𝑟 ′, (𝑠𝑠𝑘 ′, 𝑠𝑝𝑘 ′ ), 𝑠𝑡 ′ ) ← RevokesCHRS (𝑚𝑠𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘), 𝑠𝑡, 𝑚 ′ ); O (𝑠𝑠𝑘,𝑠𝑝𝑘,𝑚𝑝𝑘) ((ℎ, 𝑟, 𝑚, 𝑠𝑡), 𝑚 ′ )
𝑏 = ChecksCHRS (𝑚𝑝𝑘, ℎ, 𝑠𝑡 ′, (𝑠𝑝𝑘 ′, 𝑟 ′, 𝑚 ′ )); if ChecksCHRS (𝑚𝑝𝑘, ℎ, 𝑠𝑡, (𝑠𝑝𝑘, 𝑟, 𝑚)) = 0, return ⊥;
if 𝑏 = 0, return ⊥; else, 𝑟 ′ ← AdaptsCHRS (𝑠𝑠𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘), 𝑚 ′ );
else, RevKey := 𝑠𝑝𝑘; 𝑏 = ChecksCHRS (𝑚𝑝𝑘, ℎ, 𝑠𝑡, (𝑠𝑝𝑘, 𝑟 ′, 𝑚 ′ ));
SPubKey := 𝑠𝑝𝑘 ′ , SPriKey := 𝑠𝑠𝑘 ′ ; if 𝑏 = 0, return ⊥;
Mhash := (ℎ, 𝑟 ′, 𝑚 ′ ), State := 𝑠𝑡 ′ ; else, 𝑄 ← 𝑄 ∪ {𝑚, 𝑚 ′ };
return (𝑟 ′, 𝑠𝑝𝑘 ′, 𝑠𝑡 ′ ). return 𝑟 ′ .
SKAdapt
O (SPriKey,𝑚𝑝𝑘,SPubKey,State) (𝑚 ′′ ) MKAdapt
O (𝑚𝑠𝑘,𝑚𝑝𝑘,𝑠𝑝𝑘) ((ℎ, 𝑟, 𝑚, 𝑠𝑡), 𝑚 ′ )
parse Mhash = (ℎ, 𝑟 ′, 𝑚 ′ ); if ChecksCHRS (𝑚𝑝𝑘, ℎ, 𝑠𝑡, (𝑠𝑝𝑘, 𝑟, 𝑚)) = 0, return ⊥;
𝑟 ′′ ← AdaptsCHRS (SPriKey, (ℎ, 𝑟 ′, 𝑚 ′, SPubKey), 𝑚 ′′ ); else, 𝑟 ′ ← AdaptsCHRS (𝑚𝑠𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘), 𝑚 ′ );
𝑏 = ChecksCHRS (𝑚𝑝𝑘, ℎ, State, (SPubKey, 𝑟 ′′, 𝑚 ′′ )); 𝑏 = ChecksCHRS (𝑚𝑝𝑘, ℎ, 𝑠𝑡, (𝑠𝑝𝑘, 𝑟 ′, 𝑚 ′ ));
if 𝑏 = 0, return ⊥; if 𝑏 = 0, return ⊥;
else, Mhash := (ℎ, 𝑟 ′′, 𝑚 ′′ ); else, 𝑄 ← 𝑄 ∪ {𝑚, 𝑚 ′ };
return 𝑟 ′′ . return 𝑟 ′ .

Figure 3: The experiment for Revocability.
is valid under (𝑚𝑝𝑘, 𝑠𝑝𝑘) and the state 𝑠𝑡, A will obtain a collision
of ℎ with respect to 𝑠𝑝𝑘. ExptOSKCR
A,sCHRS
(𝜆) does not need to maintain
the state, because A is allowed to generate a arbitrary hash value ℎ ∗
and its state 𝑠𝑡 ∗ . After the query, if A can generate a valid collision
under public keys (𝑚𝑝𝑘, 𝑠𝑝𝑘) that has not been queried before,
ExptOSKCR
A,sCHRS
(𝜆) outputs 1.
New Sub-Key Collision-Resistance. In a sCHRS, the origi-
nal subordinate key pair (𝑠𝑠𝑘, 𝑠𝑝𝑘) involved in computing (ℎ, 𝑟 )
can be revoked by RevokesCHRS , which will output a new subordi-
nate key pair (𝑠𝑠𝑘 ′, 𝑠𝑝𝑘 ′ ). This property requires that an efficient
adversary A without the new subordinate private key 𝑠𝑠𝑘 ′ cannot
find any collision under the new subordinate public key 𝑠𝑝𝑘 ′ , even
if he possesses the original subordinate secret key 𝑠𝑠𝑘. It is formally
defined by an experiment ExptNSKCR (𝜆) in Fig. 5. Formally, a
A,sCHRS
sCHRS is Collision-Resistant against New Sub-Key, if for all efficient
adversary A it holds that Pr[ExptNSKCRA,sCHRS
(𝜆) = 1] ≤ negl(𝜆).
In the experiment, A holding the master public key 𝑚𝑝𝑘 will
choose a subordinate key pair (𝑠𝑠𝑘, 𝑠𝑝𝑘), then use 𝑠𝑝𝑘 and 𝑚𝑝𝑘
to compute (ℎ, 𝑟, 𝑚, 𝑠𝑡). A will query O Revoke a time to revoke
(𝑠𝑠𝑘, 𝑠𝑝𝑘) while getting a new subordinate public key 𝑠𝑝𝑘 ′ . After
that, A is still permitted to query O SKAdapt to get collisions under
the new subordinate key pair. And ExptNSKCR A,sCHRS
(𝜆) maintains a
State for ℎ. The experiment is similar to ExptRev
A,sCHRS
(𝜆), except
that A needs to use the new subordinate public key to win the
Figure 4: The experiment for Original Secret-Key Collision-
Resistance.
experiment rather than the revoked public key, and the message
𝑚 ′∗ generated by A cannot be queried before.
Master-Key Revocation-Resistance. Briefly, this property
requires that an efficient adversary A without the master private
key cannot revoke a subordinate key pair (𝑠𝑝𝑘, 𝑠𝑠𝑘). It is formally
defined by an experiment ExptMKRR (𝜆) in Fig. 6. Formally, a
A,sCHRS
sCHRS is Revocation-Resistant against Master Key, if for all efficient
adversary A it holds that Pr[ExptMKRR (𝜆) = 1] ≤ negl(𝜆).
A,sCHRS
In this experiment, A with the master public key 𝑚𝑝𝑘 is given
access to a revocation oracle O Revoke . A can choose a subordinate
key pair (𝑠𝑝𝑘, 𝑠𝑠𝑘), and compute a valid tuple (ℎ, 𝑟, 𝑚, 𝑠𝑡) with re-
spect to the key pair. Then A selects a new message 𝑚 ′ and queries
(𝑠𝑝𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑡), 𝑚 ′ ) to the oracle, which will return a new check
string 𝑟 ′ , a new subordinate public key 𝑠𝑝𝑘 ′ and a new state 𝑠𝑡 ′
to him. The adversary can repeat the process poly(𝜆) times with
different inputs. ExptMKRR (𝜆) does not need to maintain the
A,sCHRS
state, because A is allowed to generate a arbitrary hash value ℎ ∗
and its two states 𝑠𝑡 ∗ and 𝑠𝑡 ′∗ . After the query, if A can perform
a new valid revocation related to (ℎ ∗, 𝑚 ∗, 𝑟 ∗, 𝑠𝑝𝑘 ∗, 𝑠𝑡 ∗ ) chosen by
himself, ExptMKRR
A,sCHRS
(𝜆) outputs 1.

850
Session 8B: Blockchain and Distributed Systems ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong

ExptNSKCR
A
(𝜆): 3.3 Black-box construction of sCHRS
ppsCHRS ← ParGensCHRS (1𝜆 ); In this section, we will give a black-box construction in Fig. 7 to
(𝑚𝑠𝑘, 𝑚𝑝𝑘) ← MKGensCHRS (ppsCHRS ); realise the above primitive sCHRS, and rigorously prove that the
SPubKey :=⊥, SPriKey :=⊥, Mhash := (⊥, ⊥, ⊥); construction can meet the security properties of sCHRS.
State :=⊥;
𝑄 ← ∅; 3.3.1 Basic idea. Our intuition is to design a hierarchical chameleon
Revoke ,O SKAdapt hash by embedding one to the other: Given a message 𝑚, we com-
(𝑚 ′∗, 𝑟 ′∗ ) ← A O (𝑚𝑝𝑘);
pute the hash value ℎ 2 of the message using CH2 , then use this
parse Mhash = (ℎ ∗, 𝑟 ∗, 𝑚 ∗ );
hash value as the input of CH1 to compute the external hash value
𝑏 = ChecksCHRS (𝑚𝑝𝑘, ℎ ∗, State, (SPubKey, 𝑟 ′∗, 𝑚 ′∗ ));
ℎ 1 , which is the hash value of sCHRS. In this way, the one holding
if (𝑏 = 1 ∧ 𝑚 ′∗ ∉ 𝑄),
the private key of CH2 can change the message without changing
return 1.
ℎ 2 and ℎ 1 by finding collisions of ℎ 2 . Moreover, the one possessing
O Revoke
(𝑚𝑠𝑘,𝑚𝑝𝑘,SPubKey,State)
(𝑠𝑝𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑡), 𝑚 ′ ) // one time. the private key of CH1 can also modify the message by finding
if ChecksCHRS (𝑚𝑝𝑘, ℎ, 𝑠𝑡, (𝑠𝑝𝑘, 𝑟, 𝑚)) = 0, return ⊥; collisions of ℎ 1 while generating a new inner key pair and changing
else, (𝑟 ′, (𝑠𝑠𝑘 ′, 𝑠𝑝𝑘 ′ ), 𝑠𝑡 ′ ) ← RevokesCHRS (𝑚𝑠𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘), 𝑠𝑡, 𝑚 ′ ); ℎ 2 to ℎ 2′ . Henceforth, anyone who holds the original private key of
𝑏 = ChecksCHRS (𝑚𝑝𝑘, ℎ, 𝑠𝑡 ′, (𝑠𝑝𝑘 ′, 𝑟 ′, 𝑚 ′ )); CH2 cannot find collisions of ℎ 2′ to change the message.
if 𝑏 = 0, return ⊥; Intuitively, we can use the key pairs of CH1 and CH2 as the
else, SPubKey := 𝑠𝑝𝑘 ′ , SPriKey := 𝑠𝑠𝑘 ′ ; master key pair and the subordinate key pair of sCHRS, respectively.
Mhash := (ℎ, 𝑟 ′, 𝑚 ′ ), State := 𝑠𝑡 ′ ; However, the challenging problem is that even though the original
𝑄 ← 𝑄 ∪ {𝑚 ′ }; private key cannot find collisions of ℎ 2′ , it can still find collisions
return (𝑟 ′, 𝑠𝑝𝑘 ′, 𝑠𝑡 ′ ). of ℎ 2 and keep ℎ 1 constant. And if we only use ℎ 1 and public keys
involved to check if a collision is valid, the collision found by the
SKAdapt
O (SPriKey,𝑚𝑝𝑘,SPubKey,State) (𝑚 ′′ ) original private key of ℎ 2 is still valid. Obviously, this problem is
consistent with our previous observation. As mentioned earlier, to
parse Mhash = (ℎ, 𝑟 ′, 𝑚 ′ ); resolve this problem, we introduce a state for each hash value to
𝑟 ′′ ← AdaptsCHRS (SPriKey, (ℎ, 𝑟 ′, 𝑚 ′, SPubKey), 𝑚 ′′ ); check whether a collision is valid beyond the hash value itself and
𝑏 = ChecksCHRS (𝑚𝑝𝑘, ℎ, State, (SPubKey, 𝑟 ′′, 𝑚 ′′ )); corresponding public keys.
if 𝑏 = 0, return ⊥; In essence, the state needs to have the following two features:
else, 𝑄 ← 𝑄 ∪ {𝑚 ′′ };
• It can be updated as the subordinate key pair changes;
Mhash := (ℎ, 𝑟 ′′, 𝑚 ′′ );
• Only the holder of the master secret key can update it with-
return 𝑟 ′′ .
out changing the hash value.
Figure 5: The experiment for new sub-key collision resis- To achieve the first feature, we require that the state is derived
tance. from the subordinate public key whose secret key has the right to
find collisions of the hash value. More specifically, if 𝑠𝑝𝑘𝑖 is the
qualified subordinate public key for ℎ at some point, the state 𝑠𝑡 of
ℎ can be computed from an injective function 𝑓 , i.e., 𝑠𝑡 = 𝑓 (𝑠𝑝𝑘𝑖 ).
ExptMKRR
A,sCHRS
(𝜆):
In our construction, we directly set 𝑠𝑝𝑘𝑖 as 𝑠𝑡.
ppsCHRS ← ParGensCHRS (1𝜆 ); To achieve the second feature, we take the state and the inner
(𝑚𝑠𝑘, 𝑚𝑝𝑘) ← MKGensCHRS (ppsCHRS ), 𝑄 ← ∅; hash value ℎ 2 together as the input of CH1 to compute the external
Revoke
(ℎ ∗, (𝑠𝑝𝑘 ∗, 𝑚 ∗, 𝑟 ∗, 𝑠𝑡 ∗ ), (𝑠𝑝𝑘 ′∗, 𝑚 ′∗, 𝑟 ′∗, 𝑠𝑡 ′∗ )) ← A O (𝑚𝑝𝑘); hash value ℎ 1 . In this way, only the one holding the secret key of
∗ ∗
𝑏 1 = ChecksCHRS (𝑚𝑝𝑘, ℎ , 𝑠𝑡 , (𝑠𝑝𝑘 , 𝑟 , 𝑚 )); ∗ ∗ ∗ CH1 can change the state. And once the state changes, the one
𝑏 2 = ChecksCHRS (𝑚𝑝𝑘, ℎ ∗, 𝑠𝑡 ′∗, (𝑠𝑝𝑘 ′∗, 𝑟 ′∗, 𝑚 ′∗ )); holding the original private key can still find collisions of ℎ 2 , but
if (𝑏 1 = 1 ∧ 𝑏 2 = 1 ∧ {(𝑠𝑝𝑘 ∗, 𝑚 ∗, 𝑠𝑡 ∗ ), (𝑠𝑝𝑘 ′∗, 𝑚 ′∗, 𝑠𝑡 ′∗ )} ⊈ 𝑄∧ cannot maintain the external hash value ℎ 1 unchanged.
𝑠𝑡 ∗ ≠ 𝑠𝑡 ′∗ ), return 1. In a nutshell, we leverage two secure chameleon-hashes and
O Revoke (𝑠𝑝𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑡), 𝑚 ′ ) introduce a state for each hash value to construct our sCHRS.
(𝑚𝑠𝑘,𝑚𝑝𝑘)
if ChecksCHRS (𝑚𝑝𝑘, ℎ, 𝑠𝑡, (𝑠𝑝𝑘, 𝑟, 𝑚)) = 0, return ⊥; 3.3.2 Concrete Construction. Fig. 7 shows the details about the
else, (𝑟 ′, (𝑠𝑠𝑘 ′, 𝑠𝑝𝑘 ′ ), 𝑠𝑡 ′ ) ← RevokesCHRS (𝑚𝑠𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘), 𝑠𝑡, 𝑚 ′ ); black-box construction of sCHRS. ParGensCHRS uses the public
𝑏 = ChecksCHRS (𝑚𝑝𝑘, ℎ, 𝑠𝑡 ′, (𝑠𝑝𝑘 ′, 𝑟 ′, 𝑚 ′ )); parameters of CH1 and CH2 as the public parameter ppsCHRS .
if 𝑏 = 0, return ⊥; MKGensCHRS and SKGensCHRS use the key generation algorithms
else, 𝑄 ← 𝑄 ∪ {(𝑠𝑝𝑘, 𝑚, 𝑠𝑡), (𝑠𝑝𝑘 ′, 𝑚 ′, 𝑠𝑡 ′ )}; of CH1 and CH2 respectively to generate multiple subordinate key
return (𝑟 ′, 𝑠𝑝𝑘 ′, 𝑠𝑡 ′ ). pairs and a master key pair (𝑚𝑠𝑘, 𝑚𝑝𝑘). For the simplicity, we only
take (𝑠𝑠𝑘𝑖 , 𝑠𝑝𝑘𝑖 ) as an example. As mentioned above, algorithm
Figure 6: The experiment for Master-Key Revocation- HashsCHRS computes the hash/check string pair (ℎ 2, 𝑟 2 ) of mes-
Resistance. sage 𝑚 using 𝑠𝑝𝑘𝑖 first and set 𝑠𝑝𝑘𝑖 as the initial state 𝑠𝑡 0 . Then it
uses 𝑚𝑝𝑘 to compute the hash/check string pair (ℎ 1, 𝑟 1 ) of message
(ℎ 2 ||𝑠𝑡 0 ). And we take ℎ 1 as our sCHRS hash value ℎ.

851
Session 8B: Blockchain and Distributed Systems ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong

Then there is an adaption algorithm AdaptsCHRS , which actually of message 𝑚 ′ . Since the holder of 𝑠𝑠𝑘𝑖 does not have 𝑠𝑠𝑘𝑖′ , he can-
implies two adaptions using subordinate private key 𝑠𝑠𝑘𝑖 and master not find collisions of ℎ 2′ . Then it updates state to 𝑠𝑡 𝑗+1 = 𝑝𝑘 2′ , which
private key 𝑚𝑠𝑘 respectively to find collisions. More specifically, means the original (𝑠𝑠𝑘𝑖 , 𝑠𝑝𝑘𝑖 ) is revoked. After that, RevokesCHRS
when the key is 𝑠𝑠𝑘𝑖 , i.e., the private key of CH2 , AdaptsCHRS can adapts the input of ℎ 1 to (ℎ 2′ ||𝑠𝑡 𝑗+1 ) where 𝑠𝑡 𝑗+1 is known by all the
find a collision of ℎ 2 by adapting 𝑟 2 to 𝑟 2′ to keep ℎ 1 unchanged. parties who will check the hash value. Henceforth, it is 𝑠𝑡 𝑗+1 to be
When the key is 𝑚𝑠𝑘, i.e., the private key of CH1 , AdaptsCHRS can used to check if a collision is valid, instead of 𝑠𝑡 𝑗 .
use 𝑠𝑝𝑘𝑖 to generate ℎ 2′ of a new message 𝑚 ′ then finds the collision The check algorithm ChecksCHRS uses the current state 𝑠𝑡 to
of ℎ 1 by 𝑚𝑠𝑘. check if (ℎ, 𝑟 ′ ) is valid. More specifically, after confirming that 𝑠𝑝𝑘𝑖
is consistent with 𝑠𝑡, the algorithm basically checks if the external
$
(ppsCHRS ) ←− ParGensCHRS (1𝜆 ): hash value ℎ 1 and the inner hash value ℎ 2′ both are valid. And the
messages of ℎ 2′ and ℎ 1 are 𝑚 ′ and ℎ 2′ ||𝑠𝑡, respectively.
pp1 ← ParGenCH1 (1𝜆 );
pp2 ← ParGenCH2 (1𝜆 ); 3.3.3 Security. We will explain the security of the above black-box
ppsCHRS = (pp1, pp2 ). construction by proving the following Theorem 3.2.
$
(𝑚𝑠𝑘, 𝑚𝑝𝑘) ←− MKGensCHRS (ppsCHRS ): Theorem 3.2. If CH1 and CH2 are secure, the black-box construc-
(𝑠𝑘 1, 𝑝𝑘 1 ) ← KGenCH1 (pp1 ); tion in Fig. 7 is secure.
return (𝑚𝑠𝑘, 𝑚𝑝𝑘) = (𝑠𝑘 1, 𝑝𝑘 1 ). Proof. We reduce the security of sCHRS to the enhanced collision-
$
(𝑠𝑠𝑘𝑖 , 𝑠𝑝𝑘𝑖 ) ←− SKGensCHRS (ppsCHRS ): resistance and correctness of the two underlying chameleon-hashes
(𝑠𝑘 2, 𝑝𝑘 2 ) ← KGenCH2 (pp2 ); CH1 and CH2 . We will prove correctness, revocability, original secret-
return (𝑠𝑠𝑘𝑖 , 𝑠𝑝𝑘𝑖 ) = (𝑠𝑘 2, 𝑝𝑘 2 ). key collision-resistance, new sub-key collision-resistance and master-
$ key revocation-resistance respectively.
(ℎ, 𝑟, 𝑠𝑡 0 ) ←− HashsCHRS (𝑚𝑝𝑘, 𝑠𝑝𝑘𝑖 , 𝑚):
(ℎ 2, 𝑟 2 ) ← HashCH2 (𝑠𝑝𝑘𝑖 , 𝑚); Correctness. It is obvious that the correctness of the two under-
𝑠𝑡 0 = 𝑠𝑝𝑘𝑖 ; lying secure chameleon-hashes CH1 and CH2 can guarantee the
(ℎ 1, 𝑟 1 ) ← HashCH1 (𝑚𝑝𝑘, ℎ 2 ||𝑠𝑡 0 ); correctness of sCHRS.
return (ℎ, 𝑟, 𝑠𝑡 0 ) = (ℎ 1, (𝑟 1, 𝑟 2, ℎ 2 ), 𝑠𝑝𝑘𝑖 ). Revocability. In our construction, we set the injective function
$ 𝑓 : publickey → state as a identity mapping, i.e., 𝑓 (𝑠𝑝𝑘) = 𝑠𝑝𝑘,
𝑟′ ←− AdaptsCHRS (𝑠𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘𝑖 ), 𝑚 ′ ):
parse ℎ = ℎ 1 , 𝑟 = (𝑟 1, 𝑟 2, ℎ 2 ); thus the possibility that the revobility of our black-box construc-
if 𝑠𝑘 = 𝑠𝑠𝑘𝑖 , tion is broken is equal to the possibility that the two key pairs
𝑟 2′ ← AdaptCH2 (𝑠𝑠𝑘𝑖 , (ℎ 2, 𝑟 2, 𝑚), 𝑚 ′ ); randomly generated from SKGensCHRS are same. So the possibility
return 𝑟 ′ = (𝑟 1, 𝑟 2′ , ℎ 2 ). is negligible.
if 𝑠𝑘 = 𝑚𝑠𝑘, Original Secret-Key Collision-Resistance. Let A be an
(ℎ 2′ , 𝑟 2′ ) ← HashCH2 (𝑠𝑝𝑘𝑖 , 𝑚 ′ ); adversary who can break the original secret-key collision-resistance
𝑟 1′ ← AdaptCH1 (𝑚𝑠𝑘, (ℎ 1, 𝑟 1, ℎ 2 ||𝑠𝑝𝑘𝑖 ), ℎ 2′ ||𝑠𝑝𝑘𝑖 ); of our construction in Fig. 7, then we can construct another adver-
return 𝑟 ′ = (𝑟 1′ , 𝑟 2′ , ℎ 2′ ). sary B who uses A to break the enhanced collision-resistance of the
$
(𝑟 ′, (𝑠𝑠𝑘𝑖′, 𝑠𝑝𝑘𝑖′ ), 𝑠𝑡 𝑗+1 ) ←− RevokesCHRS (𝑚𝑠𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘𝑖 ), 𝑠𝑡 𝑗 , 𝑚 ′ ): underlying chameleon hash CH1 and CH2 . Adversary B receives
𝑚𝑝𝑘 and 𝑠𝑝𝑘 as his challenge keys from challenger C1 and chal-
parse ℎ = ℎ 1 , 𝑟 = (𝑟 1, 𝑟 2, ℎ 2 );
lenger C2 respectively, then he sends the (𝑚𝑝𝑘, 𝑠𝑝𝑘) to A. A can
(𝑠𝑘 2′ , 𝑝𝑘 2′ ) ← KGenCH2 (pp2 );
choose (𝑚, 𝑚 ′ ) according to (𝑚𝑝𝑘, 𝑠𝑝𝑘) and computes (ℎ, 𝑟, 𝑠𝑡) ←
(ℎ 2′ , 𝑟 2′ ) ← HashCH2 (𝑝𝑘 2′ , 𝑚 ′ );
HashsCHRS (𝑚𝑝𝑘, 𝑠𝑝𝑘, 𝑚), then sends (𝑠𝑝𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑡), 𝑚 ′ ) to B to
𝑠𝑡 𝑗+1 = 𝑝𝑘 2′ ;
query O SKAdapt or O MKAdapt . B simulates the O MKAdapt as fol-
𝑟 1′ ← AdaptCH1 (𝑚𝑠𝑘, (ℎ 1, 𝑟 1, ℎ 2 ||𝑠𝑡 𝑗 ), ℎ 2′ ||𝑠𝑡 𝑗+1 );
lows. Once B receives (𝑠𝑝𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑡), 𝑚 ′ ), he check the correct-
return (𝑟 ′, (𝑠𝑠𝑘 ′, 𝑠𝑝𝑘 ′ ), 𝑠𝑡 𝑗+1 ) = ((𝑟 1′ , 𝑟 2′ , ℎ 2′ ), (𝑠𝑘 2′ , 𝑝𝑘 2′ ), 𝑝𝑘 2′ ).
ness of (ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘, 𝑠𝑡). If it is correct, B parses ℎ = ℎ 1 and 𝑟 =
𝑏 ← ChecksCHRS (𝑚𝑝𝑘, ℎ, 𝑠𝑡, (𝑠𝑝𝑘𝑖′, 𝑟 ′, 𝑚 ′ )):
(𝑟 1, 𝑟 2, ℎ 2 ), then computes (ℎ 2′ , 𝑟 2′ ) ← HashCH2 (𝑠𝑝𝑘, 𝑚 ′ ). B sends
if 𝑠𝑡 ≠ 𝑠𝑝𝑘𝑖′ , return 0; ((ℎ 1, 𝑟 1, ℎ 2 ||𝑠𝑝𝑘), ℎ 2′ ||𝑠𝑝𝑘) to challenger C1 for finding collisions.
else, parse ℎ = ℎ 1, 𝑟 ′ = (𝑟 1′ , 𝑟 2′ , ℎ 2′ ); After verifying that this is a valid query, challenger C1 will use
𝑏 2 = CheckCH2 (𝑠𝑝𝑘𝑖′, (ℎ 2′ , 𝑟 2′ , 𝑚 ′ )); 𝑚𝑠𝑘 to find the collision and respond 𝑟 1′ to B. Finally, B sends
𝑏 1 = CheckCH1 (𝑚𝑝𝑘, (ℎ 1, 𝑟 1′ , ℎ 2′ ||𝑠𝑡)); (𝑟 1′ , 𝑟 2′ , ℎ 2′ ) to A. To simulate O SKAdapt , B queries C2 for 𝑟 2′′ ←
return 𝑏 1 ∧ 𝑏 2 . AdaptCH2 (𝑠𝑠𝑘, (ℎ 2, 𝑟 2, 𝑚), 𝑚 ′ ), then B sends (𝑟 1, 𝑟 2′ , ℎ 2 ) to A. A re-
turns (ℎ ∗, (𝑚 ∗, 𝑟 ∗, 𝑠𝑡 ∗ ), (𝑚 ′∗, 𝑟 ′∗ )) to B, B parse 𝑟 ∗ = (𝑟 1∗, 𝑟 2∗, ℎ ∗2 )
Figure 7: The black-box construction of sCHRS. and 𝑟 ′∗ = (𝑟 1′∗, 𝑟 2′∗, ℎ 2′∗ ). If the response can pass the verification in
Fig. 4 and ℎ ∗2 = ℎ 2′∗ , B can use (ℎ ∗, (𝑚 ∗, 𝑟 2∗ ), (𝑚 ′∗, 𝑟 2′∗ )) to break C2 .
The revocation algorithm RevokesCHRS uses 𝑚𝑠𝑘 to revoke a sub- And if the response can pass the verification in Fig. 4 and ℎ ∗2 ≠ ℎ 2′∗ ,
ordinate key pair and update the state. RevokesCHRS first generates B can use (ℎ ∗, (ℎ ∗2 ||𝑠𝑡 ∗, 𝑟 1∗ ), (ℎ 2′∗ ||𝑠𝑡 ∗, 𝑟 1′∗ )) to break C1 . Therefore,
a new key pair of CH2 denoted as (𝑠𝑘 2′ , 𝑝𝑘 2′ ) and uses the new subor- the possibility that A can break the original secret-key collision-
dinate public key 𝑝𝑘 2′ to compute the hash/check string pair (ℎ 2′ , 𝑟 2′ ) resistance of our black-box construction is 𝑝 = 𝑝 1 + 𝑝 2 , where 𝑝 1 is

852
Session 8B: Blockchain and Distributed Systems
the negligible possibility that B can break the enhanced collision-
resistance of CH1 and 𝑝 2 is the negligible possibility that B can
break the enhanced collision-resistance of CH2 .
New Sub-Key Collision-Resistance. Let A be an adversary
who can break the new sub-key collision-resistance of our con-
struction in Fig. 7, then we can construct another adversary B
who uses A to break the enhanced collision-resistance of the un-
derlying chameleon hash CH1 and CH2 . Adversary B receives
𝑚𝑝𝑘 and 𝑠𝑝𝑘 ′ as his challenge keys from challenger C1 and chal-
lenger C2 respectively, then he sends the 𝑚𝑝𝑘 to A. A can choose
(𝑠𝑠𝑘, 𝑠𝑝𝑘) and (𝑚, 𝑚 ′ ) according to 𝑚𝑝𝑘 and computes (ℎ, 𝑟, 𝑠𝑡) ←
HashsCHRS (𝑚𝑝𝑘, 𝑠𝑝𝑘, 𝑚), then sends (𝑠𝑝𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑡), 𝑚 ′ ) to B to
query O Revoke one time. B simulates the O Revoke as follows. Once B
receives (𝑠𝑝𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑡), 𝑚 ′ ), he check the correctness of (ℎ, 𝑟, 𝑚,
𝑠𝑝𝑘, 𝑠𝑡). If it is correct, B selects 𝑠𝑝𝑘 ′ as the new subordinate pub-
lic key and parses ℎ = ℎ 1 and 𝑟 = (𝑟 1, 𝑟 2, ℎ 2 ), then computes
(ℎ 2′ , 𝑟 2′ ) ← HashCH2 (𝑠𝑝𝑘 ′, 𝑚 ′ ). B sends ((ℎ 1, 𝑟 1, ℎ 2 ||𝑠𝑝𝑘), ℎ 2′ ||𝑠𝑝𝑘 ′ )
to challenger C1 for finding collisions. Then B set the current
state for ℎ as 𝑠𝑝𝑘 ′ . After verifying that this is a valid query, chal-
lenger C1 will use 𝑚𝑠𝑘 to find the collision and respond 𝑟 1′ to B.
Finally, B sends ((𝑟 1′ , 𝑟 2′ , ℎ 2′ ), 𝑠𝑝𝑘 ′ ) to A. Then A can choose ar-
bitrary 𝑚 ′′ ∈ M , and query O SKAdapt . B can query C2 to get
𝑟 2′′ ← AdaptCH2 (𝑠𝑠𝑘 ′, (ℎ 2′ , 𝑟 2′ , 𝑚 ′ ), 𝑚 ′′ ) to simulate O SKAdapt . A
can query O SKAdapt poly(𝜆) times. A returns (𝑚 ′∗, 𝑟 ′∗ ) to B, B
parse 𝑟 ′∗ = (𝑟 1′∗, 𝑟 2′∗, ℎ 2′∗ ). If the response can pass the verification
in Fig. 5, it means that ℎ 2′∗ ||𝑠𝑝𝑘 ′ is a message of ℎ 1 . If ℎ 2′∗ = ℎ 2′ , B
can use (𝑚 ′∗, 𝑟 2′∗ ) to break C2 . And if ℎ 2′∗ ≠ ℎ 2′ , B can use ℎ 2′∗ ||𝑠𝑝𝑘 ′
to break the enhanced collision-resistance of CH1 . Therefore, the
possibility that A can break the new sub-key collision-resistance of
our black-box construction is 𝑝 = 𝑝 1 + 𝑝 2 , where 𝑝 1 is the negligi-
ble possibility that B can break the enhanced collision-resistance
of CH1 and 𝑝 2 is the negligible possibility that B can break the
enhanced collision-resistance of CH2 .
Master-Key Revocation-Resistance. Let A be an adver-
sary which can break the master-key revocation-resistance of our
construction in Fig. 7, then we can construct another adversary
B to break the enhanced collision-resistance of the underlying
chameleon hash CH1 . Adversary Adversary B receives 𝑚𝑝𝑘 as his
challenge key from challenger C1 , then he sends the 𝑚𝑝𝑘 to A. A
can choose (𝑠𝑠𝑘, 𝑠𝑝𝑘) and (𝑚, 𝑚 ′ ) according to 𝑚𝑝𝑘 and computes
(ℎ, 𝑟, 𝑠𝑡) ← HashsCHRS (𝑚𝑝𝑘, 𝑠𝑝𝑘, 𝑚), then sends (𝑠𝑝𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑡),
𝑚 ′ ) to B to query O Revoke . B simulates the O Revoke as follows.
Once B receives (𝑠𝑝𝑘, (ℎ, 𝑟, 𝑚, 𝑠𝑡), 𝑚 ′ ), he check the correctness of
(ℎ, 𝑟, 𝑚, 𝑠𝑝𝑘, 𝑠𝑡). If it is correct, B parses ℎ = ℎ 1 and 𝑟 = (𝑟 1, 𝑟 2, ℎ 2 ),
then randomly chooses a new key pair (𝑠𝑠𝑘 ′, 𝑠𝑝𝑘 ′ ) and computes
(ℎ 2′ , 𝑟 2′ ) ← HashCH2 (𝑠𝑝𝑘 ′, 𝑚 ′ ). B sends ((ℎ 1, 𝑟 1, ℎ 2 ||𝑠𝑝𝑘), ℎ 2′ ||𝑠𝑝𝑘 ′ )
to challenger C1 for finding collisions. After verifying that this
is a valid query, challenger C1 will use 𝑚𝑠𝑘 to find the collision
and respond 𝑟 1′ to B. Finally, B sends ((𝑟 1′ , 𝑟 2′ , ℎ 2′ ), 𝑠𝑝𝑘 ′ ) to A. A
returns (ℎ ∗, (𝑠𝑝𝑘 ∗, 𝑚 ∗, 𝑟 ∗, 𝑠𝑡 ∗ ), (𝑠𝑝𝑘 ′∗, 𝑚 ′∗, 𝑟 ′∗, 𝑠𝑡 ′∗ )) to B, B parse
𝑟 ∗ = (𝑟 1∗, 𝑟 2∗, ℎ ∗2 ) and 𝑟 ′∗ = (𝑟 1′∗, 𝑟 2′∗, ℎ 2′∗ ). If the response can pass the
verification in Fig. 6, B can use (ℎ ∗, (ℎ ∗2 ||𝑠𝑡 ∗, 𝑟 1∗ ), (ℎ 2′∗ ||𝑠𝑡 ′∗, 𝑟 1′∗ )) to
break C1 . Therefore, the possibility that A can break the master-
key revocation-resistance of our black-box construction is equal to
853
ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong
the negligible possibility that B can break the enhanced collision-
resistance of CH1 .
□
4 REDACTABLE BLOCKCHAIN
In this section, we will describe how to construct a redactable
blockchain by using the sCHRS and witness transaction. In con-
sideration of the actual situation, we assume that users could be
malicious but the regulator is semi-trusted. More specifically, we
assume that the regulator will follow our protocol, but he has a
tendency to abuse his power to freely modify the content on chain.
For example, he might delete personal data in which there is no ma-
licious content. Therefore, we allow the full nodes to monitor each
modification proposed by the regulator. Our redactable blockchain
enjoys the three features mentioned in Section 1: supervision of
improper content, self-management of personal data and protection
of data involving security. As far as we know, our design is the first
to meet all three requirements at the same time.
In order to protect the fields involving blockchain security, we
split a transaction into two parts, the standard part to store the data
involving security and the arbitrary part to store personal data. Next,
we will first take Bitcoin as an example to explain the standard part
and arbitrary part. Although Bitcoin is permissionless while our
design is more suitable for the permissioned blockchain, we take it
as an example given that Bitcoin is a typical blockchain application
and its block structure is widely learned by other applications.
4.1 Standard Part and Arbitrary Part
Immutability is a key to guarantee the security of the blockchain,
but the fact is that not everything in a transaction should be im-
mutable. We regard the content that cannot be inserted arbitrarily
as the standard part and regard the rest that does not affect the se-
curity of blockchain and can be inserted arbitrarily as the arbitrary
part. Next, we take Bitcoin as an example to explain the two parts.
In Bitcoin, what should not be changed is the trading informa-
tion includes amount, input addresses, output addresses and so
on. Because if an output address in a transaction is deleted, the
subsequent transactions involving the address would be invalid.
However, there are some fields have no concern with trading, e.g.,
“coinbase" and OP_RETURN. These fields are used to insert arbi-
trary data. The field “coinbase" only exists in coinbase transactions.
A miner who successfully generates a block can write any data in
this field. There are many opcodes that can be used to write the
script of output. OP_RETURN is one of these opcodes, and users
can use it to insert arbitrary data to scriptPubKey. In Bitcoin, we
define the content introduced by “coinbase" and OP_RETURN as
an arbitrary part, and the other content as a standard part.
Matzutt et al. surveyed methods to insert arbitrary data into Bit-
coin’s blockchain and the utilization of these methods in [16]. The
survey found that 80.91% non-financial content is inserted by the
intended data insertion methods, i.e., OP_RETURN and “coinbase",
and 19.09% is implicitly written to the input/output script or non-
standard transactions. For example, a malicious user can insert the
fixed-length hexadecimal encoding of any improper content into
an output address of a Pay-to-PubkeyHash (P2PKH) transaction
(please see more details in [16]).
Session 8B: Blockchain and Distributed Systems
In our redactable blockchain, 80.91% non-financial content should
be in the arbitrary part, and 19.09% should belong to the standard
part. And if there is improper content in an arbitrary part, the regu-
lator can modify it and deprive the corresponding user of the right
to modify it again, but for the improper content in a standard part,
it can only be modified by the regulator.
In summary, in our redactable blockchain, malicious users can
only change the arbitrary part where their personal data could be
recorded, and we rely on a semi-trusted regulator to supervise the
standard part and arbitrary part.
4.2 Basic idea
The basic idea of our redactable blockchain is to use sCHRS and CH
to compute the chameleon hash values of the arbitrary part and the
standard part of a transaction respectively. Then these hash values
will be as leaf nodes of the Merkle tree, whose root will not change as
long as its leaf nodes do not change. A user holding his subordinate
secret key 𝑠𝑠𝑘𝑖 can find collisions of the leaf nodes containing
the arbitrary part issued by himself to realize self-management of
personal data. The master secret key 𝑚𝑠𝑘 of sCHRS and the trapdoor
𝑠𝑘 CH of CH are only held by the regulator. Thus the regulator can
modify both parts and revoke the users’ secret keys of sCHRS to
realize supervision of improper content. Note that a user can use a
subordinate key pair for multiple transactions. However, we only
want to revoke his right to modify the transactions containing
improper content, not all the transactions related to the subordinate
key pair. To achieve protection of data involving security, we classify
fields involving blockchain security as the standard part, so they can
only be modified by the semi-trusted regulator, whose behaviors
will be monitored by miners.
We will describe our redactable blockchain from two aspects,
i.e., blockchain structure and modification process.
4.3 Structure
Fig. 8 shows the structure of our redactable blockchain. Besides the
master key pair (𝑚𝑝𝑘, 𝑚𝑠𝑘) of sCHRS and the key pair (𝑝𝑘 CH, 𝑠𝑘 CH )
of CH mentioned before, the regulator also has a signature key pair
(𝑝𝑘𝑟 , 𝑠𝑘𝑟 ). We leverage the signature 2 of regulator and witness
transaction to ensure that an updated state of a sCHRS hash value
is consistent across all the full nodes. More specifically, a new state
will be accepted by the full nodes only if it has a signature of the
regulator. And the digest of the signature will be included into a
witness transaction that could be confirmed by all the full nodes.
More details will be described in Section 4.4. Anyone in the net-
work can get 𝑚𝑝𝑘, 𝑝𝑘 CH and 𝑝𝑘𝑟 , but cannot get the corresponding
secret keys. A user has two key pairs, one is (𝑠𝑝𝑘𝑖 , 𝑠𝑠𝑘𝑖 ) for sCHRS,
and the other is (𝑝𝑘𝑢 , 𝑠𝑘𝑢 ) for signature. Users generate the sub-
ordinate key pair (𝑠𝑝𝑘𝑖 , 𝑠𝑠𝑘𝑖 ) by themselves, and they can reuse a
subordinate key pair as many times as they want.
When a user wants to issue a transaction TX𝑘 , he should compute
the sCHRS hash value of the arbitrary part using 𝑠𝑝𝑘𝑖 . It is possible
for others to compute a different sCHRS hash value using other
subordinate public key whose secret key is not known by the user
2 For
a regulator committee, we can use a threshold signature to prevent a regulator
from performing a modification without others’ agreement. In this work, we do not
discuss the situation.
854
ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong
after the transaction is broadcast. To prevent the behavior, the user
needs to sign the sCHRS hash value and the initial state, and put
the signature public key 𝑝𝑘𝑢 into the standard part of transaction
to prevent others from using other signing key to generate the
signature. If 𝑠𝑝𝑘𝑖 is revoked, there will be a signature of the regulator
to replace the original signature. Finally, the user broadcasts the
transaction and the related information as shown in Fig. 8.
Once receiving a transaction, a miner needs to verify the correct-
ness of its sCHRS hash value besides the transaction and signature.
If these are valid, the miner will take the sCHRS hash value as a
leaf node of Merkle tree, and add the rest (including check string,
the initial state, the subordinate public key and the signature) to a
set, named Auxiliary set, which is stored in the block body. And the
standard part is added into Merkle tree after being computed by
CH, and the corresponding check string is added to the Auxiliary
set too. The Auxiliary set will be updated with each modification.
In a nutshell, the header of our block is the same as the one of
immutable block. The major changes of our redactable blockchain
from the immutable blockchain are mainly reflected in the con-
struction of Merkle tree and the existence of Auxiliary set.
4.4 Modification process
We take 𝑚 3 in Fig. 9 as an example to explain the modification
process, and all the rectangles in Fig. 9 represent confirmed blocks.
Since 𝑚 3 is added into the Merkle tree by sCHRS, it can be modified
by the user who issued the transaction or the regulator. If it is 𝑚 1 or
𝑚 2 computed by CH to be modified, only the regulator can perform
the modification, and the process is similar with modifying 𝑚 3 .
Therefore, we will only explain in detail how to modify 𝑚 3 , and
the process is the same no matter the modifier is the user or the
regulator without revoking. If the regulator wants to revoke the
current subordinate key pair for sCHRS(𝑚 3 ), the regulator also
needs to broadcast the content included in red square brackets.
When a modifier (user/regulator) wants to change the content
of a transaction, he needs to broadcast a modification request and
a witness transaction. The witness transaction is a special trans-
action that only has standard part including a field to record the
latest status of a past transaction. Taking Fig. 9 as an example, the
modification request includes a 𝑖𝑑 to identify which content will be
modified, a new content 𝑚 3′ , a corresponding new check string 𝑟 3′
and a subordinate public key 𝑠𝑝𝑘 ′ whose secret key is used to find
the collision. According to 𝑖𝑑, the modifier can get the signature 𝜎3
from the corresponding Auxiliary set. Then, the witness transaction
contains the hash value 𝜔 = H(𝑚 3′ ||𝜎3 ) and the 𝑖𝑑 in the standard
part. If the modification is accompanied by a revocation, in addition
to the above, the modification request also includes a new state 𝑠𝑡 3′
and a signature 𝜎3′ signed by the regulator on (sCHRS(𝑚 3 ), 𝑠𝑡 3′ ).
And the 𝜔 in the witness transaction is the digest of 𝑚 3′ ||𝜎3′ .
After receiving a modification request and its witness transaction,
miners will execute different verification processes depending on
whether there is a revocation.
Verify a modification without revoking. Miners need to ex-
tract the original content according to 𝑖𝑑, including 𝑚 3 , sCHRS
hash value ℎ 3 , the current state 𝑠𝑡 3 and the signature 𝜎3 . Then, they
will check the following:
Session 8B: Blockchain and Distributed Systems ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong

Broadcast , and

A user A semi-trusted regulator A miner

preHash
Arbitrary part ( ) Standard part ( ) Broadcast
Auxiliary
Nonce
set list

Merkle_root

: stateful Chameleon Hash with Revocable Subkey;

Leaf nodes
: standard Chameleon Hash;
: standard Hash function;

Figure 8: The structure of our Redactable blockchain.

To be modified.
Has been modified.
About witness transaction
Auxiliary Auxiliary Auxiliary
Root Root Root
set set set [......] Be added for the regulator
to revoke.

Before Modification
Modifier Broadcasts
is a signature on the message
modification request
signed by the
id, [ ]
regulator.

witness transaction is the signature in the

id, || Auxiliary set or the signature
signed by the regulator.

Auxiliary Auxiliary Auxiliary Auxiliary

Root Root Root Root
set set set set

After Modification

id ||

id ||

Figure 9: The process of modification.

• When the modification is issued by the regulator, to check
whether 𝑚 3 really needs to be changed to 𝑚 3′ according to
the rule, like GDPR; (Note that if the modification is for a
standard part, miners also need to check whether the modi-
fication undermines the blockchain security.)
• If (ℎ 3, 𝑟 3′ , 𝑚 3′ ) is a valid collision under the current state 𝑠𝑡 3 ;
• If 𝜔 is the hash value of 𝑚 3′ ||𝜎3 .
Verify a modification with revoking. After getting the orig-
inal content 𝑚 3 and its sCHRS hash value ℎ 3 , the miners need to
check the following:
• If 𝑚 3 really needs to be changed to 𝑚 3′ and the original
subordinate key pair should be revoked according to the
rule, like GDPR;
• If (ℎ 3, 𝑟 3′ , 𝑚 3′ ) is a valid collision under the new state 𝑠𝑡 3′ ;
• If 𝜎3′ is a valid signature on (ℎ 3, 𝑠𝑡 3′ ) under the regulator’s
verification key 𝑝𝑘𝑟 ;
• If 𝜔 is the hash value of 𝑚 3′ ||𝜎3′ .
If all the above requirements are met, the witness transaction is
valid and will be packaged into a new block. More specifically, 𝑖𝑑 ||𝜔
will be added into the Merkle tree by CH. Once the block containing
the witness transaction is confirmed, the full nodes will replace
𝑚 3 with 𝑚 3′ , and update the corresponding content (including the
check string, the state, the subordinate public key and the signature)
in Auxiliary set.
From the above process, we can see that a modification takes
effect only if the corresponding witness transaction is confirmed. As
for the modification proposed by the regulator, besides correctness,
miners also need to check if the new content complies with the
rule. In this way, miners can monitor the behaviors of the regulator
to prevent him from maliciously tampering with the data on the
chain. In practice, the modifications proposed by users are relatively
numerous, so it is unrealistic to expect miners to check if the new
content of users’ modifications conforms to the rule. Thus the
content of transactions submitted by users is ultimately checked
by the regulator. In addition, for all the valid modifications, there
is a witness transaction to record the latest status of the modified
transaction. Therefore, no full node can reject a valid modification to
fool a new player with an obsolete chain. Moreover, the consistency
of blockchain guarantees the new state will be consistent across
the full nodes as long as the regulator is semi-trusted.

855
Session 8B: Blockchain and Distributed Systems
5 PROOF-OF-CONCEPT IMPLEMENTATION
To evaluate the performance of our redactable blockchain, we in-
stantiate our black-box construction of sCHRS with the RSA-based
chameleon hash function in [9], the details of which are recalled
in Fig. 11. As mentioned before, [9] proposed a stronger collision-
resistance (namely, enhanced collision-resistance in Definition 2.2).
In addition, they also gave a RSA-based chameleon-hash meeting
the stronger collision-resistance and correctness under the one-
more RSA-inversion assumption [6] in the random oracle model
[7]. Therefore, according to Theorem 3.2, our sCHRS derived from
two secure RSA-based chameleon-hashes is secure as well. As for
the parameters in RSA-based chameleon hash function, we set the
length of RSA-moduli to 2048 bits, and use SHA-512 to implement
random oracles.
Bitcoin is a typical blockchain application, and its design ideas
are widely learned by other applications, no matter in permissioned
or permissionless settings. Thus we implement the main functionali-
ties of our redactable blockchain based on Bitcoin. More specifically,
we use Python 3.7 to implement the creation, verification and mod-
ification of transactions, as well as the generation of blocks with an
Intel Core Pentium G3260 [email protected] and a 8GB RAM running
Windows 10. Then we test the runtimes of these main functionali-
ties themselves without considering the impact of communication,
and simulate corresponding functionalities of Bitcoin under the
same conditions for a fair comparison.
We demonstrate that our redactable blockchain is practical from
two aspects. The first is how much the additional overhead is,
relative to Bitcoin, when no modification happens. And the second
is how long it takes to generate and verify a modification request.
5.1 Additional overhead
Without considering the modifications, the additional overhead of
our redactable blockchain relative to the original Bitcoin is mainly
reflected in the following four aspects:
• Users need to compute a hash value of the arbitrary part of
a transaction using HashsCHRS before broadcasting it.
• When getting a new transaction, besides verifying the val-
idation of the transaction itself, miners also need to check
the hash value of its arbitrary part by ChecksCHRS .
• There are more leaf nodes of a Merkle tree while the number
of transactions included is the same, since we separate a
transaction into two parts, each occupying a leaf node.
• In addition to the content included in a Bitcoin block, there
also is an Auxiliary set in our block. Thus, we need to test
whether the extra cost will affect the availability of our
redactable blockchain.
Create a transaction. We test the runtime of creating a trans-
action by a user, and the result is shown in Fig. 10. It is noted that
we do not change the structure of a transaction, a transaction is the
same size as a bitcoin transaction. Considering that a user needs to
generate an unlocking script for each input, we test the changes
in the runtime of generating a transaction as the number of inputs
increases from 1 to 20, while the number of outputs is fixed to
2. We can see that the runtime of generating a new transaction
in our redactable blockchain is about 0.1 seconds longer than the
runtime in Bitcoin on average. Therefore, computing a hash value
856
ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong
of the arbitrary part using HashsCHRS would not add a significant
computational burden to users.
Verify a transaction. In Bitcoin, miners are just required to
verify the validity of every transaction before packing them, but in
redactable blockchain, in addition to the basic verification, miners
also need to verify the chameleon hash value of the arbitrary part us-
ing ChecksCHRS . Fig. 10 shows that miners in redactable blockchain
take 0.1 seconds longer to validate a transaction than the miners in
Bitcoin on average. Although miners in the blockchain would re-
ceive many transactions at the same time, they can verify received
transactions in parallel. Therefore, the additional validation process
does not affect the availability of our redactable blockchain.
Generate a block. In practice, miners can pack transactions
while validating them, but for the sake of an accurate test, we
separate the two steps completely. Specifically, we do not package
transactions until the number of valid transactions reaches a certain
number, and we set the difficulty target as 0 to precisely measure
the time of the operation regardless of the overhead of the proof-
of-work. In the experiment, we set the number of transactions in a
block from 1500 to 2500. We can see from Fig. 10 that due to the
increase in leaf nodes, it takes the miner nearly a second longer
to generate a block. Fortunately, miners can construct the Merkle
tree while verifying transactions as mentioned before, and some
optimizations for Merkle tree generation can reduce this time, but
we do not optimize the process in the experiment. Therefore, the
runtime is acceptable in practice.
Block size. Besides the same content stored in Bitcoin blocks,
our redactable blocks also need to contain a check string set shown
in Fig. 8. Thus, we compare the size of a redactable block with the
size of a Bitcoin block in Fig. 10 without considering the limit on
the size of Bitcoin blocks. We can see that the redactable block
size is about 1.5MB larger than the bitcoin block size, which seems
not to be a marginal quantity. Nevertheless, in an actual deploy-
ment scenario, the block size can be adjusted according to the ac-
tual situation of the network, and some scalability techniques (e.g.,
Sharding[13, 20]) can be used to improve throughput. Therefore, a
limited increase in block size does not undermine the availability
of the redactable blockchain.
To sum up, the additional overhead resulting from adding modi-
fication functionality to the blockchain seems not to be negligible,
but there are exiting techniques related to scalability (e.g., Sharding,
parallelization) to reduce the additional overhead, and thus it would
not affect the availability. Nevertheless, finding a more efficient
construction of sCHRS that can shorten the runtime of verifying a
transaction and reduce the block size is a important future work.
5.2 Modification
In this section, we test the runtimes of generating a modification
request and verifying it as well as its witness transaction.
The modification of an arbitrary part can be divided into two
categories: one is initiated by the user, and the other is caused by the
regulator when revoking the subordinate key pair. And the standard
part can only be modified by the regulator. From the results shown
in Table 2, we can see that the runtime of generating a modification
request is about 5 seconds. Since that the process is executed by a
Session 8B: Blockchain and Distributed Systems
Figure 10: The additive overhead relative to Bitcoin.
pp ← ParGenCH (1𝜆 ): On input a security parameter 𝜆, it outputs
the public parameter pp ← (1𝜆 , 𝑒), where 𝑒 is larger than any
𝑁 generated by RSAKGen(1𝜆 ), which returns (𝑁 , 𝑝, 𝑞, 𝑒, 𝑑) where
𝑁 = 𝑝 · 𝑞, 𝑝 and 𝑞 are distinct primes, 𝑒 > 1 is an integer co-prime
to 𝜑 (𝑁 ) and 𝑒 > 𝑁 , and 𝑑𝑒 ≡ 1 mod 𝜑 (𝑁 )..
(𝑠𝑘, 𝑝𝑘) ← KGenCH (pp): On input pp run (𝑁 , 𝑝, 𝑞, 𝑒, 𝑑) ←
RSAKGen(1𝜆 ), choose a hash function 𝐻 : {0, 1}∗ → Z∗𝑁 , com-
pute 𝑑, s.t., 𝑑𝑒 ≡ 1 mod 𝜑 (𝑁 ), set 𝑠𝑘 = 𝑑, 𝑝𝑘 = (𝑁 , 𝐻 ), and return
(𝑠𝑘, 𝑝𝑘).
(ℎ, 𝑟 ) ← HashCH (𝑝𝑘, 𝑚): On input a public key 𝑝𝑘 = (𝑁 , 𝐻 ) and a
message 𝑚 ∈ M, choose 𝑟 ← Z∗𝑁 compute ℎ = 𝐻 (𝑚)𝑟 𝑒 mod 𝑁
and output (ℎ, 𝑟 ).
𝑟 ′ ← AdaptCH (𝑝𝑘, (ℎ, 𝑟, 𝑚), 𝑚 ′ ): On input a private key 𝑠𝑘 = 𝑑,
messages 𝑚, 𝑚 ′ ∈ M, a hash ℎ, and check string 𝑟 and 𝑟 ′ , the
adaptation algorithm outputs ⊥ if CheckCH (𝑝𝑘, ℎ, 𝑟, 𝑚) ≠ 1, oth-
erwise, let 𝑥 = 𝐻 (𝑚), 𝑥 ′ = 𝐻 (𝑚 ′ ), 𝑦 = 𝑥𝑟 𝑒 mod 𝑁 and return
𝑟 ′ = (𝑦 · 𝑥 ′−1 )𝑑 mod 𝑁 .
{0, 1} ← HashCheckCH (𝑝𝑘, (ℎ, 𝑟, 𝑚)): On input a public key 𝑝𝑘 =
(𝑁 , 𝐻 ), a message 𝑚 ∈ M, a hash ℎ, and a check string 𝑟 , it com-
putes ℎ ′ = 𝐻 (𝑚)𝑟 𝑒 mod 𝑁 and outputs 1 if ℎ ′ = ℎ, otherwise,
outputs 0.
Figure 11: RSA-based Chameleon-Hash.
user or the regulator alone and does not require collaboration with
others, it is acceptable.
When receiving a modification, miners just need to verify the
modification and change the original transaction if the correspond-
ing modification is valid, and the verification time is less than 0.1
seconds in our experiments.
Table 2: Runtimes of the different modifications.
Arbitrary Part Standard
User Regulator (to revoke) Part
Runtime (s) 5.07 5.79 4.82
6 DISCUSSION
The consistency. Actually, only the data involving the blockchain
security (i.e., standard part) should be consistent across all parties,
and these data can only be modified by the semi-trusted regulator.
Recall our redactable blockchain, the consistency is guaranteed
by witness transactions recording digests of the corresponding
modifications. The semi-trusted regulator will follow our protocol
857
ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong
to send a witness transaction for each modification, and thus the
consistency of standard part can be guaranteed, while this is the
reason why our work cannot support a malicious regulator.
The state of sCHRS. Our sCHRS needs a state that is maintained
by the holder of the master key pair and should be shared with the
parties who will check the hash value. In our application, we can
leverage the blockchain to store the states, however, it is desirable
to realize a stateless Chameleon Hash with Revocable Subkey for
more application scenarios, which are left as the future work.
ACKNOWLEDGMENTS
We would like to thank anonymous reviewers for their comments
and suggestions. This work is supported in part by the Key (Key-
grant) Project of Chinese Ministry of Education (No. 2020KJ010201),
the Shanghai Science and Technology Innovation Fund (Grant
No. 19511101403), and the National Natural Science Foundation of
China (NSFC) (No. 61802255).
REFERENCES
[1] 2016. Accenture files patent for editable blockchain. Business Insider Deutschland.
https://tinyurl.com/yblq9zdp.
[2] 2016. General Data Protection Regulation. https://gdpr-info.eu/.
[3] Giuseppe Ateniese and Breno de Medeiros. 2004. Identity-Based Chameleon
Hash and Applications. In Financial Cryptography, 8th International Conference,
FC 2004, Key West, FL, USA, February 9-12, 2004. Revised Papers. 164–180.
[4] Giuseppe Ateniese, Bernardo Magri, Daniele Venturi, and Ewerton R. Andrade.
2017. Redactable Blockchain - or - Rewriting History in Bitcoin and Friends.
In 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris,
France, April 26-28, 2017. 111–126.
[5] Feng Bao, Robert H. Deng, Xuhua Ding, Junzuo Lai, and Yunlei Zhao. 2011.
Hierarchical Identity-Based Chameleon Hash and Its Applications. In Applied
Cryptography and Network Security - 9th International Conference, ACNS 2011,
Nerja, Spain, June 7-10, 2011. Proceedings. 201–219.
[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko.
2003. The One-More-RSA-Inversion Problems and the Security of Chaum’s Blind
Signature Scheme. Journal of Cryptology 16, 3 (2003).
[7] Mihir Bellare and Phillip Rogaway. 1993. Random Oracles are Practical: A Para-
digm for Designing Efficient Protocols. In CCS ’93, Proceedings of the 1st ACM
Conference on Computer and Communications Security, Fairfax, Virginia, USA,
November 3-5, 1993. 62–73.
[8] Gilles Brassard, David Chaum, and Claude Crépeau. 1988. Minimum disclosure
proofs of knowledge. Journal of computer and system sciences 37, 2 (1988), 156–
189.
[9] Jan Camenisch, David Derler, Stephan Krenn, Henrich C. Pöhls, Kai Samelin, and
Daniel Slamanig. 2017. Chameleon-Hashes with Ephemeral Trapdoors - And
Applications to Invisible Sanitizable Signatures. In Public-Key Cryptography - PKC
2017 - 20th IACR International Conference on Practice and Theory in Public-Key
Cryptography, Amsterdam, The Netherlands, March 28-31, 2017, Proceedings, Part
II. 152–182.
[10] David Derler, Kai Samelin, Daniel Slamanig, and Christoph Striecks. 2019. Fine-
Grained and Controlled Rewriting in Blockchains: Chameleon-Hashing Gone
Attribute-Based. In 26th Annual Network and Distributed System Security Sympo-
sium, NDSS 2019, San Diego, California, USA, February 24-27, 2019.
[11] Dominic Deuber, Bernardo Magri, and Sri Aravinda Krishnan Thyagarajan. 2019.
Redactable Blockchain in the Permissionless Setting. CoRR abs/1901.03206 (2019).
Session 8B: Blockchain and Distributed Systems
[12] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. 2006. Attribute-
based encryption for fine-grained access control of encrypted data. In Proceedings
of the 13th ACM Conference on Computer and Communications Security, CCS 2006,
Alexandria, VA, USA, Ioctober 30 - November 3, 2006. 89–98.
[13] Eleftherios Kokoris-Kogias, Philipp Jovanovic, Linus Gasser, Nicolas Gailly, Ewa
Syta, and Bryan Ford. 2018. OmniLedger: A Secure, Scale-Out, Decentralized
Ledger via Sharding. In 2018 IEEE Symposium on Security and Privacy, SP 2018,
Proceedings, 21-23 May 2018, San Francisco, California, USA. 583–598. https:
//doi.org/10.1109/SP.2018.000-5
[14] Hugo Mario Krawczyk and Tal D Rabin. 2000. Chameleon hashing and signatures.
US Patent 6,108,783.
[15] Stephan Krenn, Henrich C. Pöhls, Kai Samelin, and Daniel Slamanig. 2018.
Chameleon-Hashes with Dual Long-Term Trapdoors and Their Applications.
In Progress in Cryptology - AFRICACRYPT 2018 - 10th International Conference on
Cryptology in Africa, Marrakesh, Morocco, May 7-9, 2018, Proceedings. 11–32.
[16] Roman Matzutt, Jens Hiller, Martin Henze, Jan Henrik Ziegeldorf, Dirk Müllmann,
Oliver Hohlfeld, and Klaus Wehrle. 2018. A Quantitative Analysis of the Impact
of Arbitrary Blockchain Content on Bitcoin. In Financial Cryptography and Data
858
ASIA CCS ’21, June 7–11, 2021, Virtual Event, Hong Kong
Security - 22nd International Conference, FC 2018, Nieuwpoort, Curaçao, February
26 - March 2, 2018, Revised Selected Papers. 420–438.
[17] Satoshi Nakamoto. [n.d.]. Bitcoin: A peer-to-peer electronic cash system. http:
//bitcoin.org/bitcoin.pdf,2008.
[18] Ivan Puddu, Alexandra Dmitrienko, and Srdjan Capkun. 2017. 𝜇 chain: How to
Forget without Hard Forks. IACR Cryptology ePrint Archive 2017 (2017), 106.
http://eprint.iacr.org/2017/106
[19] James Smith, Jeni Tennison, Peter Wells, Jamie Fawcett, and Stuart Harrison. 2016.
Applying blockchain technology in global data infrastructure. https://theodi.org/
article/applying-blockchain-technology-in-global-data-infrastructure.
[20] Mahdi Zamani, Mahnush Movahedi, and Mariana Raykova. 2018. RapidChain:
Scaling Blockchain via Full Sharding. In Proceedings of the 2018 ACM SIGSAC
Conference on Computer and Communications Security, CCS 2018, Toronto, ON,
Canada, October 15-19, 2018. 931–948. https://doi.org/10.1145/3243734.3243853
[21] Fangguo Zhang, Reihaneh Safavi-Naini, and Willy Susilo. 2003. ID-Based
Chameleon Hashes from Bilinear Pairings. IACR Cryptology ePrint Archive 2003
(2003), 208.