Redactable Blockchain From Decentralized Chameleon Hash Functions

Download as pdf or txt
Download as pdf or txt
You are on page 1of 13

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL.

17, 2022 2771

Redactable Blockchain From Decentralized


Chameleon Hash Functions
Meng Jia , Jing Chen , Kun He , Ruiying Du, Li Zheng, Mingxi Lai, Donghui Wang , and Fei Liu

Abstract— Blockchain is a technology with decentralization “The DAO” attack in Ethereum caused by vulnerable smart
and immutability features and has been employed for auditing contracts [7], which even lead to a hard fork to eliminate
by many applications. However, immutability sometimes limits negative effects. On the other hand, many applications need
the application of blockchain technology. For example, vulner-
able smart contracts on blockchain cannot be redacted due a mechanism to redact transactions. For example, identity
to immutability. The existing redactable blockchain solutions certificates stored on the blockchain may be revoked due
either have a low efficiency or violate the decentralization to the compromise of certificate authorities [8]. Therefore,
feature. Moreover, those solutions lack mechanisms for tracing it is necessary to design a redactable blockchain, in which
redaction history and checking block consistency. In this paper, transactions or blocks storing transactions can be redacted
we present an efficient redactable blockchain with traceability
in the decentralized setting. Specifically, we propose a decen- without affecting other transactions and blocks.
tralized chameleon hash function for redactable blockchain The existing redactable blockchain solutions can be divided
that every redaction must be approved by multiple blockchain into two categories according to redacting permissions: cen-
nodes. We also design a redactable blockchain structure that tralized and decentralized. In the centralized setting, a trans-
maintains all redactions of a block and encodes the redacted action or a block is redacted by one blockchain node [9].
blocks into an RSA accumulator. Then, we propose an efficient
block consistency check protocol based on the RSA accumulator. However, these solutions have the single point of failure
Finally, we conduct experiments and compare our scheme with problem, e.g., the blockchain node is compromised or offline.
another decentralized redactable blockchain to demonstrate that In the decentralized setting, a transaction or a block is redacted
our solution is efficient in practice. by many blockchain nodes collaboratively. The existing decen-
Index Terms— Redactable blockchain, decentralization, tralized solutions adopted either voting mechanisms [10] or
chameleon hash. threshold chameleon hash functions [11]. Based on the voting
I. I NTRODUCTION mechanism, any blockchain node can propose to redact a block
or a transaction and the proposal reaches a consensus after
T HE blockchain technology introduced by Nakamoto [1]
has been instantiated as decentralized systems like Bit-
coin and Ethereum. Recently, researchers have designed var-
generating threshold blocks for voting [10]. However, it takes
a long time to vote for the proposal and to check whether a
ious applications [2] based on those blockchain systems, redaction reaches a consensus by traversing the blocks. Based
such as identity management [3], [4], smart city [5], and on the threshold chameleon hash function, every blockchain
e-health [6]. All these applications rely on the immutability node holds a part of the chameleon hash key and the threshold
of blockchain systems, which means that the transactions blockchain nodes can redact a block collaboratively [11]. It is
(e.g., identities, sensor data, and health information) stored efficient to check whether a redaction reaches a consensus by
in the blocks cannot be tampered with once they reach a comparing the chameleon hashes of the redacted block and
consensus. the original block.
However, immutability also raises some problems in prac- Unfortunately, existing solutions based on the threshold
tice. On the one hand, some blockchain systems have encoun- chameleon hash functions have three problems. First, those
tered illegal transactions in practice, such as the famous solutions either leak the private key after a redaction [9]
or rely on a trusted party for chameleon hash key genera-
Manuscript received 18 January 2022; revised 6 May 2022; accepted 10 July tion and distribution [11], which violates the decentralization
2022. Date of publication 20 July 2022; date of current version 8 August
2022. This work was supported in part by the National Key Research and of blockchain systems. Moreover, they do not consider the
Development Program of China under Grant 2021YFB2700200; in part by dynamics of blockchain nodes in the blockchain systems.
the Fundamental Research Funds for the Central Universities under Grant Second, those solutions cannot provide redaction history for
2042022kf1195 and Grant 2042022kf0046; in part by the National Natural
Science Foundation of China under Grant U1836202, Grant 62076187, and traceability, which is important for the management of the
Grant 62172303; and in part by Huawei Technologies Company Ltd. The data (e.g., certificates) life cycle and the audit of redactions.
associate editor coordinating the review of this manuscript and approving it Third, they do not consider block consistency, which means
for publication was Prof. Debdeep Mukhopadhyay. (Corresponding authors:
Jing Chen; Kun He.) that blockchain nodes may still maintain the original blocks.
Meng Jia, Jing Chen, Kun He, Ruiying Du, Li Zheng, and Mingxi A straightforward approach for block consistency is traversing
Lai are with the Key Laboratory of Aerospace Information Secu- the blocks and checking the redaction log (e.g., the redaction
rity and Trusted Computing, Ministry of Education, School of Cyber
Science and Engineering, Wuhan University, Wuhan 430072, China request) on-chain. However, it is inefficient especially as the
(e-mail: [email protected]; [email protected]; [email protected]; blockchain is grown.
[email protected]; [email protected]; [email protected]). In this paper, we present an efficient redactable blockchain
Donghui Wang and Fei Liu are with Huawei, Beijing 100031, China (e-mail:
[email protected]; [email protected]). in the decentralized setting. Specifically, the blockchain nodes
Digital Object Identifier 10.1109/TIFS.2022.3192716 generate the chameleon hash key collaboratively and update
1556-6021 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.
2772 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022

the shares regularly to accommodate the new blockchain nodes permissionless blockchain systems), but to have enough full
and to withdraw the shares from offline nodes. To redact a nodes in our system so that the compromised full nodes will
block, the threshold blockchain nodes work collaboratively not exceed a threshold.
with the chameleon hash key, record the redaction request
and history, and insert the redacted blocks into an RSA B. Threat Model
accumulator. Finally, the blockchain nodes can check whether
a block is redacted with the proofs of the RSA accumulator. From the practical perspective, we assume that the capabil-
The main contributions are as follows. ities of an adversary are as follows.
• To tackle the trust party problem, we propose a decentral- • The adversary can eavesdrop and tamper with messages

ized chameleon hash function where the key is generated between the blockchain nodes in an untrusted network.
by multiple blockchain nodes collaboratively without any • The adversary can control a number of blockchain nodes,

trusted party. Considering the dynamics of nodes, we fur- but cannot control more than 51% computing power in
ther extend the decentralized chameleon hash function to the blockchain system.
support threshold redacting and proactive updating. • The adversary may compromise full nodes at any time,

• To solve the traceability problem, we design a new struc- but the number of compromised full nodes cannot exceed
ture that links the redaction history of one block to form a the threshold. Moreover, it cannot calculate the random-
redaction chain. Moreover, this design is compatible with ness without the private key of the chameleon hash.
most existing blockchain systems.
• To solve the block consistency problem, we develop C. Design Goals
a block consistency check protocol based on the RSA We aim to design a redactable blockchain in the decentral-
accumulator, in which whether a block is redacted can ized setting that satisfies the following goals.
be determined in a constant time by a membership/
• Decentralization. Redacting a block must be approved
non-membership proof.
by the full nodes that exceed a threshold and reach a
• We conduct experiments on our redactable blockchain
consensus in the blockchain system.
and compare it with another decentralized solution.
• Traceability. The life cycle of all transactions is honestly
The experimental results demonstrate that our redactable
recorded in the blockchain and can be efficiently audited.
blockchain is efficient in practice.
• Efficiency. The processes of redacting blocks and check-
This paper is organized as follows. We introduce the sys- ing block consistency can be efficiently executed.
tem model, threat model, and design goals in Section II.
In Section III, we describe some backgrounds and building
blocks. Then, we present our redactable blockchain solution III. P RELIMINARIES
in Section IV. In Section V and Section VI, we analyze A. Blockchain Structure
the security and evaluate the performance of our proposal, We describe an abstraction of the structure employed in
respectively. Finally, we review related work in Section VII the existing blockchain systems, such as Bitcoin, Ethereum,
and conclude our work in Section VIII. and Fabric. A blockchain is composed of a number of blocks,
each of which consists of two parts: header and body. The
II. P ROBLEM S TATEMENT header consists of two fields (note that we ignore other fields
A. System Model in this abstraction), prev_hash and m_root, where the
former is the header’s hash value of the preceding block and
There are two kinds of entities in our system: blockchain the latter is the summary of the corresponding body. The body
node and client. Their functions are as follows. consists of a number of transactions. All blocks form a chain
• A blockchain node generates transactions, maintains the by prev_hash and the index of a block in the chain is called
redactable blockchain, and provides services to clients. its height (the height is increased one by one from the genesis
Particularly, the full node is a special kind of blockchain block whose height is 1).
node that generates blocks. In the existing blockchain systems, prev_hash is com-
• A client refers to an entity that may not belong to the puted via a collision-resistant hash function, such as SHA-256,
blockchain system. The client checks whether a block has to ensure that no one can redact the blocks. Moreover, all
been redacted through blockchain nodes before it uses the transactions in a body constitute a Merkle hash tree and
data stored on the blockchain. m_root is the root of that tree to ensure that no one can
We suppose that all blockchain nodes hold public keys of redact the transactions.
the full nodes and know their online statuses, and the full
nodes will not be offline during the execution of a protocol.
Moreover, all protocols are executed in a synchronous setting, B. Digital Signature
where the full nodes can get the data from each other in a short Let DS = (KeyGen, Sign, Verify) be a digital signature
time. In permissionless blockchain systems, such as Bitcoin, scheme [12].
the full nodes can be determined by enumerating the entities • ( pk, sk) ← KeyGen(1λ ). With the input of a security
that have generated blocks. In other words, it is not necessary parameter λ, this algorithm outputs a pair of public and
to discover all full nodes (which is impossible in realistic private keys ( pk, sk).

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.
JIA et al.: REDACTABLE BLOCKCHAIN FROM DECENTRALIZED CHAMELEON HASH FUNCTIONS 2773

• σ ← Sign(sk, m). With the input of a private key sk and r0 such that â0 SH(x̂) + r0 SH(x) = 1, and outputs a
a message m, this algorithm outputs a signature σ . new non-membership proof π  ← (â, b̂) if accSH(x̂)â =
• δ ← Verify( pk, m, σ ). With the input of a public key pk b̂SH(x) g1, where â = â0 a mod SH(x), b̂ = accr b mod N
and a message-signature pair (m, σ ), this algorithm out- and âSH(x̂) = r SH(x) + a.
puts a bit δ where 0/1 indicates that the message-signature To reduce the computational complexity of getting each mem-
pair is invalid/valid. bership and non-membership proof from O(γ ) to O(1), the
blockchain nodes can maintain them locally and update them
C. RSA Accumulator by UpdateMem and UpdateNonMem after every element
RSA accumulator is a data structure that encodes a set insertion. The correctness and security are proved in [13], [14].
into a short digest and provides efficient membership and D. Gap Diffie-Hellman
non-membership proofs [13]. We employ parts of the pro-
posed RSA accumulator schemes [13], [14] which supports Let G be a cyclic multiplicative group of prime order p
efficient membership and non-membership proof update and and g is a generator of G. A Diffie-Hellman tuple on G is the
consists of eight algorithms ACC = (PPGen, Insert, four tuple (g, g x , g y , g x y ), where x, y ∈ Z∗p . We review the
GenMem, GenNonMem, CheckMem, CheckNonMem, following two problems about the Diffie-Hellman tuple.
• Computational Diffie-Hellman (CDH) problem [15]:
UpdateMem, UpdateNonMem) as follows.
Given (g, g x , g y ), where x, y ∈ Z∗p , to calculate g x y .
• (N, g1 , acc) ← PPGen(1λ ). With the input of a security
• Decisional Diffie-Hellman (DDH) problem [16]: Given
parameter λ, this algorithm generates a random modulus
(g, g x , g y , g z ), where x, y, z ∈ Z∗p , to decide whether
N = p1 q1 of length λ where p1 , q1 , p12−1 , q12−1 are all
gx y = gz .
primes, a group G1 of quadratic residues modulo N, a set
We say G is a Gap Diffie-Hellman (GDH) group if the
X λ that denotes the set of all primes in Z2λ−2/2 , and
DDH problem can be solved in polynomial time but there is
outputs the random modulus N, a random initial digest
no polynomial time algorithm to solve the CDH problem with
g1 ∈ G1 and a digest acc ← g1 .
non-negligible probability [17], [18].
• acc  ← Insert(acc, x). With the input of a digest acc and
an element x, this algorithm outputs an updated digest IV. R EDACTABLE B LOCKCHAIN
acc ← accSH(x) mod N, where SH is a special hash A. Overview
function that maps x into a prime in X λ .
We aim to design a redactable blockchain in the decentral-
• π ← GenMem(g1 , acc, S, x). With  the input of an
γ ized setting. To solve the trusted party problem, we propose a
initial digest g1 and a digest acc = g1 i=1 SH(x i ) of a set decentralized chameleon hash function in Section IV-B, where
S = {x 1 , . . . , x γ }, and an element x ∈ S, this algorithm no entity can restore the chameleon hash key. To solve the
outputs a membership proof π ← acc1/SH(x). traceability and block consistency problems, we present a
• π ← GenNonMem(g1 , S, x). With the input of the redactable blockchain structure in Section IV-C, which links
initial digest g1 , a set S = {x 1 , . . . , x γ }, and an element the redaction history of a block and records the redacted blocks
x ∈ / S, this algorithm outputs a non-membership proof in an RSA accumulator. Based on the decentralized chameleon
π ← (a = a0 , b = g1−a1 ) ∈ Z2λ−2/2 × G1 , where a0 and hash function and the redactable blockchain structure, we pro-
γ
a1 are random integers that satisfy a0 · i=1 SH(x i ) + pose our redactable blockchain solution in Section IV-D.
a1 · SH(x) = 1. Specifically, we design an efficient block consistency check
• δ ← CheckMem(acc, x, π). With the input of a digest protocol based on the RSA accumulator.
acc of a set S, an element x, and a membership proof π,
this algorithm outputs δ ← 1 to indicate x ∈ S if acc = B. Decentralized Chameleon Hash Function
π SH(x) and δ ← 0 otherwise. The existing chameleon hash functions and their variants
• δ ← CheckNonMem(g1 , acc, x, π). With the input of are designed for the centralized setting, in which there is
an initial digest g1 and a digest acc of a set S, an element an entity that possesses the private key for redaction [19].
x, and a non-membership proof π = (a, b), this algorithm However, in an (especially permissionless) blockchain system,
outputs δ ← 1 to indicate x ∈ / S if acca = bSH(x) g1 mod it is difficult to specify such an entity due to the requirement
N and δ ← 0 otherwise. of decentralization. To tackle this problem, we develop a
• π  ← UpdateMem(acc, x, π, x̂). With the input of the cryptographic primitive, called decentralized chameleon hash
digest acc, an element x, the membership proof π of the function, that no entity can restore the private key even
element x, and an element x̂ to be inserted, this algorithm with numerous adaptions. We first present the syntax of
outputs a new membership proof π  ← π SH(x̂) mod N if decentralized chameleon hash function and then describe an
acc ← Insert(acc, x̂) and acc = π SH(x), and π  ← ⊥ instantiation.
otherwise. 1) Syntax: We use {outi }ti=1 ← Protocol({i n i }ti=1 ) to
• π  ← UpdateNonMem(g1 , acc, x, π, x̂). With the input represent a protocol executed by t participants {P1 , . . . , Pt },
of the initial digest g1 , the digest acc, an element x where the input and output of Pi are i n i and outi ,
not in the accumulator, a non-membership proof π = respectively. A decentralized chameleon hash function
(a, b) of the element x and an element x̂ = x to be DCH = (KeyGen, Hash, ReHash, Adapt, Verify) consists
inserted, this algorithm generates two integers â0 and of the following five protocols and algorithms.

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.
2774 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022

• { pk, ski }ti=1 ← KeyGen({1λ , 1t }ti=1 ). In this key genera- (m, r = (g e , g se )), and an adapted message m  ∈ {0, 1}∗ , the
tion protocol, each participant Pi takes as input a security participant Pi (i ∈ {1, . . . , t}) executes as follows.
 
parameter λ and the number of participants t, and outputs • Calculate g e ← g e u m−m , where u ← H(g s , m).

a public key pk and a share of the corresponding private • Calculate ηi ← (g e )λi ·si , where λi =
t ID( P j )
key ski . j =1, j  =i ID( P j )−ID( Pi ) , and send ηi to participant
• (r, h) ← Hash( pk, m). This hashing algorithm takes as P j , where j ∈ {1, . . . , t} \ {i }.
input a public key pk and a message m, and outputs a • When receiving (η1 , . . . , ηi−1 , ηi+1 , . . . , ηt ), calculate
 t
randomness r and a hash h. g se ← j =1 η j and output the adapted randomness
• h ← ReHash( pk, (m, r )). This rehashing algorithm 
r = (g , g ).e  se 

takes as input a public key pk and an original e) Verification: With the input of a public key g s ,
message-randomness pair (m, r ), and outputs a hash h. an original message-randomness pair (m, r = (g e , g se )), and
• {r  }ti=1 ← Adapt({sk i , pk, (m, r ), m  }ti=1 ). In this adap-
 
an adaption (m  , r  = (g e , g se )), this algorithm computes
 
tation protocol, each participant Pi takes as input its share u ← H(g s , m). Then it outputs 1 if g e u m = g e u m and
ski , a public key pk, a message-randomness pair (m, r ),  
(g, g s , g e , g se ) is a Diffie-Hellman tuple and 0 otherwise.
and an adapted message m  , and outputs an adapted
randomness r  . C. Redactable Blockchain Structure
• δ ← Verify( pk, (m, r ), (m  , r  )). This verification algo- To support the traceability of redacted transactions and the
rithm takes as input a public key pk, an original message- verification of block consistency, we design a new structure for
randomness pair (m, r ), and an adaption (m  , r  ), and organizing blocks that contain redactable transactions, which
outputs a bit δ where 0/1 indicates that the adaption also changes the fields in the block header, as shown in
(m  , r  ) is invalid/valid. Fig. 1. Note that our design is compatible with the blockchain
The correctness of decentralized chameleon hash function structure described in Section III-A, which means that most
requires that for all { pk, ski }ti=1 ← KeyGen({1λ, 1t }ti=1 ), existing blockchain systems (e.g., Bitcoin and Ethereum) can
all m, m  ∈ {0, 1}∗ , all (r, h) ← Hash( pk, m), and be upgraded to be redactable.
all {r  }ti=1 ← Adapt({ski , pk, (m, r ), m  }ti=1 ), we have 1) Block Organization: Instead of replacing the original
ReHash( pk, (m, r )) = h and Verify( pk, (m, r ), transactions or the corresponding blocks when redacting,
(m  , r  )) = 1. we retain all original data for traceability. More specifically,
2) Instantiation: Let G be a GDH group of prime order a replica of a block is generated for redaction, in which
p (depended on the security parameter λ), g is a generator original transactions are replaced with redacted ones. Then,
of G, and ID : {0, 1}∗ → Z∗p , we give an instantiation of the original block and the redacted block form a redaction
decentralized chameleon hash function based on a traditional chain and are placed at the height of the original block in
chameleon hash function proposed by Chen et al. [20]. the blockchain. Each redaction chain can be extended with
a) Key generation: With the input of a security parameter a replica of the latest redacted block, which enables the
λ and the number of participants t, the participant Pi (i ∈ traceability property.
{1, . . . , t}) executes as follows. t −1 To limit the influence of redaction, the redacted block
• Select a (t − 1)-degree polynomial f i (x) = j
j =0 ai, j x , headers should have the same hash value as the original one,

where ai,0 , . . . , ai,t −1 ∈ Z p are random coefficients. which means that the field prev_hash in the subsequent
• Send ( f i (ID(P j )), (g f i (ID( P1 )) , . . . , g f i (ID( Pt )) ), g ai,0 ) to blocks do not need to be redacted. To this end, we change the
participant P j , where i ∈ {1, . . . , t} \ {i }. function that generates prev_hash from the traditional hash,
• When receiving ( f j (ID(Pi )), (g f j (ID( P1 )) , . . . , g f j (ID( Pt )) ), such as SHA-256 in Bitcoin, to the decentralized chameleon
g a j,0 ) from participant P j , check
t whether (g, f j (ID(Pi )), hash (see Section IV-B). Therefore, a block in the redactable
g f j (ID( Pi )) ) is correct and k=1 g λk · f j (ID( Pk )) = g a j,0 blockchain points to the preceding block and all redactions of
 ID( P j ) the preceding block at the same time.
holds, where λk = tj =1, j =k ID( P j )−ID( Pk ) .
 t 2) Block Header: According to our block organization,
• Output the public key g ← s
j =1 g a j,0 , where s =
t t we modify the field prev_hash and extend three new fields
j =1 a j,0 , and the private key si ← j =1 f j (ID(Pi )) = in the block header as follows.
f (ID(Pi )), where f (x) = tj =1 f j (x). • prev_hash: This field stores the header’s hash value
b) Hashing: With the input of a public key g s and a of the preceding block. The hash value is computed via
message m ∈ {0, 1}∗ , this algorithm first computes u ← the decentralized chameleon hash function. All block
H(g s , m), where H : G × {0, 1}∗ → G is a cryptographic hash headers at different heights form a chain by this field
function, and selects a random integer e ∈ Z∗p . Then, it outputs as in traditional blockchain systems.
the randomness r = (g e , g se ) and the hash h ← g e u m . • last_hash: This field stores the header’s hash value
c) Rehashing: With the input of a public key g s and of the block that is redacted to the current block. The
an original message-randomness pair (m, r = (g e , g se )), this hash value is computed via the hash function for the RSA
algorithm computes u ← H(g s , m) and outputs the hash accumulator. All block headers at the same height form
h ← ge um . a redaction chain by this field.
d) Adaptation: With the input of a share si , • acc: This field stores the digest of the RSA accumulator,
a public key g s , an original message-randomness pair which encodes the value on last_hash in all blocks.

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.
JIA et al.: REDACTABLE BLOCKCHAIN FROM DECENTRALIZED CHAMELEON HASH FUNCTIONS 2775

Fig. 1. Redactable blockchain structure, where m_root represents the Merkle hash root as in traditional blockchain systems. The blocks ➀, ➂, and ➄ are
at the same height and form a redaction chain. The transaction t x1 in the block ➀ is redacted to t x1 in the block ➂ through the redaction request t xreq1
contained in the block ➁ and the redacted block ➀ is also recorded in the block ➁ by computing acc2 = acc1 last_hash 3 . Similarly, the transactions t x2 and
t x3 in the block ➂ are redacted to t x2 and t x3 in the block ➄ through the redaction request t xreq2 contained in the block ➃ and the redacted block ➂ is
recorded in the block ➃ by computing acc4 = acc2 last_hash 5 .

full nodes generate the public-private pair of chameleon hash


function collaboratively for redacting the blocks.
a) RSA accumulator initialization: The blockchain nodes
generate the parameters of the RSA accumulator collabo-
ratively by (N, g1 , acc) ← ACC.P PGen(1λ ) and record
(acc, g1, N) in the genesis block. The blockchain nodes use
the methods in [21] and [22] to generate N and g1 in
a decentralized manner respectively, and they maintain the
blockchain only if some full node stores these parameters in
the genesis block.
b) Digital signature key generation: A blockchain
node P generates a pair of public-private keys ( pk DS DS
P , sk P )
λ
by DS.KeyGen(1 ). Then, the blockchain node publishes the
public key pk DS P and keeps the private key sk DS P secret. For
Fig. 2. Deployment of redactable blockchain. simplicity, we use ID(P) to denote of the identity of the
blockchain node ID( pk DS ∗ ∗
P ), where ID : {0, 1} → Z p is the
That means we can check whether a block has been function described in Section IV-B.
redacted through this field. It is necessary since a block c) Chameleon hash key generation: Suppose there are n
cannot point to subsequent redactions in our design (we ordered full nodes, denoted as {P1 , . . . , Pn }. For our purpose,
do not really redact a block for traceability). we can sort n full nodes by the hash values of their identities
• rand: This field stores the randomness used in a and the timestamp of the current block. The chameleon hash
chameleon hash value to ensure that the original block key generation in our redactable blockchain consists of three
and all its subsequent redactions can be at the same steps. First, the first t full nodes execute the key generation
height, i.e., they have the same chameleon hash value. protocol of the decentralized chameleon hash function to
share a secret key. Then, considering that an adversary may
D. Phases in Redactable Blockchain compromise t − 1 full nodes before and in the share update
Now we are ready to present our redactable blockchain phase separately, the full nodes adapt the threshold to 2t − 1
solution, which consists of five phases: initialization, share (2t −1 > (t −1)+(t −1)) for share update. Third, the secret key
update, block generation, block redaction, and consistency is re-shared among n full nodes to support threshold redacting,
check, as shown in Fig. 2. Considering the dynamics of full which means that any t  out of n full nodes can redact a block
nodes in practice (e.g., the joining and leaving of the full collaboratively, where t  ≥ t.
nodes), we extend the decentralized chameleon hash function Step 1. The full nodes {P1 , . . . , Pt } generate the chameleon
proposed in Section IV-B to support threshold redacting and hash keys {g s , si }ti=1 ← DCH.KeyGen({1λ , 1t }ti=1 ), where
proactive updating. t ≤ n2 .
1) Initialization: In this phase, the blockchain nodes ini- Step 2. Full nodes {P1 , . . . , P2t } execute {F(x,
tialize the RSA accumulator and prepare the cryptographic ID(Pi ))}2ti=1 ← Transform({2t − 1, si }i=1 ) as follows.
t

keys used in the system. Specifically, all nodes generate • Full node Pi selects a (2t − 1)-degree polynomial
 −1
public-private key pairs for signing and verifying the trans- Fi (ID(Pi ), y) = si + 2tj =1 bi, j y j , where i ∈ {1, . . . , t}

and bi,1 , . . . , bi,2t −1 ∈ Z p .
actions as in traditional blockchain systems. Moreover, the

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.
2776 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022

• Full node Pi sends (Fi (ID(Pi ), ID(P j )), (g Fi (ID( Pi ), Algorithm 1 Block Generation
ID( P1 )) , . . . , g Fi (ID( Pi ),ID( P2t )) ), g si )) to full node P ,
j 1: procedure G EN R EQ (B, t x, g s , g)
where i ∈ {1, . . . , t} and j ∈ {1, . . . , 2t} \ {i }. 2: header , r  , acc ← GetHR(B)
• When receiving (F j (ID(P j ), ID(Pi )), (g F j (ID( P j ), 3: pr ev_hash ← DCH.ReHash(g s , (header  − r  , r  ))
ID( P1 )) , . . . , g F j (ID( P j ),ID( P2t )) ), g s j )) from full node P ,
j 4: if DH(g, g s , r  ) then
full node Pi checks the correctness by a similar way 5: for i tem in t x do
in the key generation protocol of the decentralized 6: if RedactTx(i tem) then
chameleon hash function in Section IV-B. 7: last_hash  ← GetSH(i tem)
• Full node Pi outputs a (t − 1)-degree polynomial 8: acc ← ACC.Insert(acc , last_hash  )
F(x, ID(Pi )) with t shares (F1 (ID(P1 ), ID(Pi )),. . . , 9: end if
Ft (ID(Pt ), ID(Pi ))), where i ∈ {1, . . . , 2t}. 10: end for
Step 3. Full nodes {P1 , . . . , Pn } execute {F(ID(Pi ), 11: acc ← acc
y)}ni=1 ← HandOut(F(x, ID(Pi ))}2t i=1 ) as follows. m_r oot ← MHT(t x)
 F ID( P1 ),
12:
 $
• Full node Pi sends
 F(ID(P j ), ID(P i )), g 13: e ← Z∗p
ID( Pi )   r ← (g e , g se )
,. . . , g F (ID( Pn ),ID( Pi )) , g F (0,ID( Pi )) ) to full node 14:

P j , where i ∈ {1, . . . , 2t} and j ∈ {1, . . . , n} \ {i }. 15: header ← Con( pr ev_hash, ⊥, m_r oot, acc, r )
• When receiving (F(ID(P j ), ID(Pi )), (g F (ID( P1 ), 16: return (header, t x)
ID( Pi )) ,. . . , g F (ID( Pn ),ID( Pi )) ), g F (0,ID( Pi )) )) 17: end if
from full
18: return ⊥
node P j , full node Pi checks the correctness by a similar
19: end procedure
way in the key generation protocol of the decentralized
chameleon hash function in Section IV-B.
• Full node Pi outputs a (2t − 1)-degree polynomial
F(ID(Pi ), y) with 2t shares (F(ID(Pi ), ID(P1 )), . . . , block on-chain is the block B of height height − 1. Then,
F(ID(Pi ), ID(P2t ))), where i ∈ {1, . . . , n}. a full node P packages valid transactions t x and performs the
2) Share Update: The full nodes may join or leave the Algorithm 1 to generate the original block of height height
blockchain network and an adversary may steal more than with the structure described in Section IV-C.
t shares over time to restore the private key s. Therefore, First, the full node P gets the block header header , and the
 
the full nodes need to proactive the shares regularly [23]. fields rand r  = (g e , g se ) and acc acc from the block B
We describe the process of adapting (t, n) to (t  , n  ) (t  ≥ t (Line 2). Next, the full node P calculates the chameleon

and t  ≤ n2 ), where t  and n  are the new threshold and hash pr ev_hash of the block (Line 3) and checks whether
 
number of total full nodes, respectively. This process requires (g, g s , g e , g se ) is a Diffie-Hellman tuple (Line 4). Then, the
the participation of all full nodes, denoted as {P1 , . . . , Pn }. full node checks whether the transactions t x contain valid
Suppose t full nodes (P1 , . . . , Pt ) that hold the shares redaction requests, and inserts the last_hash  in the valid
F(ID(P1 ), y), . . . , F(ID(Pt ), y) from the previous period and redaction requests into acc (Line 5-9). Then, it generates
2t  −t active full nodes (Pt +1 , . . . , P2t  ) that generate the latest the Merkle hash root m_r oot of transactions (Line 10) and
blocks are selected to update shares. calculates the randomness r = (g e , g se ) with a random number
Step 1. Full nodes {P1 , . . . , P2t  } execute {F  (x, e (Line 11-12). Finally, the full node P follows the consensus
 
ID(Pi )}2t i=1 } ← Zero(F(ID(Pi ), y), t − 1}i=1 ) as follows.
t
to complete the block header (Line 13) and returns the block
• Full nodes {P1 , . . . , P2t  } execute the similar steps (header, t x) of height height (Line 14).

{F(x, ID(Pi ))}2t i=1 ← HandOut(F(ID(Pi ), y)}ti=1 ), After generating the block, every blockchain node
 
{R(ID(Pi ), y)}i=1 ← Transform({t  − 1, 0}2t
2t
i=1 ) and updates the RSA accumulator acc locally with

{R(x, ID(Pi )}2t i=1 ← HandOut({R(ID(Pi ), y)}i=1 ) to
2t ACC.UpdateMem() and ACC.UpdateNonMem() for
chameleon hash key generation in Section IV-D.1, where membership/non-membership proofs.
R(x, y) is a random (t  − 1, 2t  − 1)-degrees polynomial 4) Block Redaction: The full nodes can redact transactions
of R(0, 0) = 0. in the blocks that are not redacted, but they can only redact
• Full node Pi outputs a (2t  − 1)-degree polynomial a block at one time. When a full node P needs to redact
F  (x, ID(Pi )) = F(x, ID(Pi )) + R(x, ID(Pi )) where i ∈ transactions t x in a block B of height height, it first checks
{1, . . . , 2t  }. whether B is redacted with the RSA accumulator acc locally.
Step 2. Full nodes {P1 , . . . , Pn } execute the similar If the block B is not redacted, the full node P performs the
 
step {F  (ID(Pi ), y)}ni=1 ← HandOut({F(x, ID(Pi )}2t i=1 to protocol shown in Fig. 3 to redact it.
step 3 in chameleon hash key generation in Section IV-D.1. First, the full node P and the blockchain nodes generate new
The private key shares are updated from F(x, y) to transactions t x  = (t x 1 , . . . , t x γ ) to replace transactions t x =
F  (x, y) = F(x, y) + R(x, y) of degree (t  − 1, 2t  − 1) and (t x 1 , . . . , t x γ ) addressed by addrt x = (addrt x1 , . . . , addrt xγ )
F  (0, 0) = F(0, 0) = s. in the block B. Then, the full node P checks the signatures
3) Block Generation: Any blockchain node can generate of (t x i , t x i ) (i ∈ {1, . . . , γ }) by DS.Verify to ensure that
a transaction and sign it with DS.Sign. Then, it broadcasts the transactions are generated by the same blockchain node
the transaction to all full nodes. We suppose that the latest or t x i is signed by the full node P (Step ➀). Then, the full

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.
JIA et al.: REDACTABLE BLOCKCHAIN FROM DECENTRALIZED CHAMELEON HASH FUNCTIONS 2777

Fig. 4. Consistency check protocol.

broadcasts it in the blockchain network (Step ➈). The request


data is valid as long as 1 ← DCH.Verify(g s , (header −
r, r ), (( pr ev_hash, last_hash  , m_r oot  , acc), r  )). Then, the
full node packages the transaction t xreq in a block as shown
Fig. 3. Block redaction protocol. in Section IV-D.3. After t xreq is on-chain, all blockchain
nodes redact the block header header to header  ←
( pr ev_hash, last_hash  , m_r oot  , acc, r  ) (Step ➉).
Algorithm 2 Redaction Request Generation
5) Consistency Check: Redactions result in different blocks
1: procedure G EN R EQ (height, addrt x , t x  , B)
at the same block height, the clients need to check whether
2: m_r oot, header ← Upd(B, addrt x , t x  )
a block B has been redacted when they check the validity of
3: last_hash  ← SH(header )
the block from the blockchain nodes.
4: r eq ← (height, last_hash  , addrt x , t x  , m_r oot)
As shown in Fig. 4, the client sends the query
5: return r eq
(height, hash B ) to a blockchain node, where hash B =
6: end procedure
H(header ) is the hash of the block header header (Step ➀).
Then, the blockchain node locates the block B and the
proof locally with the query. If the block has been
node P performs Algorithm 2 to generate the redaction request redacted, the blockchain node gets the membership proof
(Step ➁). Specifically, the full node P replaces the transactions (hash B , π) locally or calculates it by π ← ACC.GenMem
addressed by addrt x with new transactions t x  in the block B, (g1 , acc, S, hash B ), and acc is the digest of all redacted
and generates the new Merkle hash root m_r oot  (Line 2). blocks S. Otherwise, the blockchain node gets the
Then, it calculates the hash last_hash  of the redacted block non-membership proof (hash B , π = (a, b)) with the similar
header header = ( pr ev_hash, last_hash, m_r oot, acc, r ) way. Then, it returns the block B and the proof to the client
(Line 3). Finally, the full node P generates and returns the (Step ➁). After receiving the block and the membership/non-
redaction request r eq = (last_hash  , addrt x , t x  , m_r oot  ) membership proof, the client first checks the transactions and
(Line 4-5). the integrity of the block (Step ➂). If it is valid, the client
Then, the full node P sends the redaction request r eq to can check the consistency of the block by ACC.CheckMem
other full nodes {P1 , . . . , Pn }\{P}. After receiving the request (acc, hash B , π) or ACC.CheckNonMem(g1 , acc, hash B ,
r eq, the full nodes {P1 , . . . , Pn } locate block B by last_hash  (a, b)) locally or check it with the help of a blockchain node
and perform the same way as P to check whether B has been (Step ➃-➆).
redacted. Then, they verify the γ pairs of transactions (t x i , t x i ) To reduce the computational complexity on the client side,
(i ∈ {1, . . . , γ }). If the full nodes {P1 , . . . , Pt  } agree with the the client first generates a random prime number l ← {0, 1}len
redaction r eq, they return (ID(P1 ), . . . , ID(Pt  )) to P, where (len ∈ Z∗p ) and sends (l, hash B ) to the blockchain node P
t  ≥ t and t is the threshold of the private key (Step ➂). Then, (Step ➃). The blockchain node P calculates (e1 , Q 1 ) and
the t  +1 full nodes {P, P1 , . . . , Pt  } calculate the new random- returns them to the client if the block has been redacted, where
 
ness r  = (g e , g se ) with DCH.Adapt({si , g s , ((header0 − SH(hash B ) = l · q1 + e1 and Q 1 = π q1 . If the block has
t +1
r0 ), r0 ), ( pr ev_hash, last_hash  , m_r oot  , acc)}i=1 ), where not been redacted, the blockchain node calculates (e1 , e2 ) and
header0 and r0 are the block header and randomness of the (Q 1 , Q 2 ) and returns them to the client, where SH(hash B ) =
original block of height height, and {s1 , . . . , st  +1 } are shares l·q1 +e1 , a = l·q2 +e2 and Q 1 = b q1 , Q 2 = accq2 (Step ➄-➅).
of {P, P1 , . . . , Pt  } (Step ➃-➆). Finally, the client checks whether Q l2 · acce2 = Q l1 · be1 g1
Finally, the full node P generates the hashes hash t x  = (Step ➆). If the membership proof is correct, the block has
(H(t x 1 ), . . . , H(t x γ )) and packages data = (addrt x , hash t x  , been redacted. If the non-membership proof is correct, the
m_r oot  , last_hash  , r  ) into a transaction t xreq (Step ➇), and block has not been redacted.

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.
2778 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022

V. S ECURITY A NALYSIS
We examine our redactable blockchain with respect to the
design goals in Section II through the following theorems.
Theorem 1 (Decentralization): Under the threat model in
Section II-B, redacting a block must be approved by the full
nodes that exceed a threshold and reach a consensus in the
blockchain system, if the underlying chameleon hash function
is collision-resistant.
Proof: (sketch) Redacting a block needs to calculate the Fig. 5. Time of Proof-of-Work consensus (calculating the nonce) with
different targets and numbers of blocks in Bitcoin and our solution.
new message-randomness pair with the private key s. There-
fore, the decentralization of our redactable blockchain relies
on the proposed decentralized chameleon hash function. and clients are deployed on a server with Intel Xeon
To calculate the randomness of the chameleon hash, Gold 5218 CPU @2.30GHz and 32GB DDR4, and Ubuntu
an entity uses either the existing adaptions or the private 18.04 64bit operating system. To evaluate the efficiency of
key. For the former case, the security of our decentral- our solution, we conduct experiments and compare it with
ized chameleon hash function is reduced to the underlying RB-ABE [24] and RBPS [10] in terms of block generation
chameleon hash function. Specifically, the existing adaptions (Section VI-A), redaction (Section VI-B) and consistency
 
are a number of g e ·s , where g e consists of a hash of a check (Section VI-C). Furthermore, to evaluate whether the
message. As no entity can find the hash collisions of the RSA accumulator will affect the efficiency as the redactable
message m, the existing adaptions are useless to forgery the blockchain is extended, we conduct experiments to evaluate
randomness. the performance of the RSA accumulator. We repeat the
For the latter case, in the steady state, the private  −1 keyi experiments 1000 times and record the average value to reduce
s is encoded into a polynomial F(x, 0) = s + ti=1 ai x the experimental errors.
of degree t − 1, and n blockchain nodes hold shares
((ID(P1 ), F(ID(P1 ), 0)), . . . , (ID(Pn ), F(ID(Pn ), 0))) of the
polynomial F(x, 0). According to Lagrange’s interpolation A. Efficiency of Block Generation
theorem, it needs more than t − 1 shares to restore the private Our solution has replaced the inner hash function in the
key s. Therefore, the adversary cannot restore the private Proof-of-Work blockchain with a chameleon hash function
key as it only gets at most t − 1 shares. In the process of that is mostly exponentiation operations. To provide a relevant
updating the private key, a blockchain node can get at most difficulty value in the redactable blockchain based on the
two polynomials F(i, y) of degree 2t −1 and F(x, i ) of degree Proof-of-Work, we conduct experiments to study the time of
t −1 at the same time. The blockchain node cannot restore the block generation in Bitcoin (the same for RBPS [10]) and our
private key as it only holds one share of (t, n) and one share solution.
of (2t, n) threshold secret shares, respectively. Moreover, the In Bitcoin, block generation consists of calculating the
adversary can get t − 1 shares of the old polynomial F(x, 0) Merkle root and the previous hash, and Proof-of-Work based
and t −1 shares of the updated polynomial F  (x, 0). However, on the hash function. In our solution, it consists of calcu-
it still cannot restore the private key which is the same as in lating the Merkle root and the previous chameleon hash,
the steady state. updating the RSA accumulator, and Proof-of-Work based
In conclusion, redacting a block must be approved by the on the chameleon hash function. The time of updating the
full nodes that exceed a threshold and reach a consensus in RSA accumulator (insertion) is shown in Section VI-D.1,
the blockchain system. and the time is negligible because of the limited number
Theorem 2 (Traceability): Under the threat model in of insertions in a block and the batching techniques [13].
Section II-B, the life cycle of all transactions is honestly We further adjust the targets (difficulty equals target in the
recorded in the blockchain and can be efficiently audited, if the genesis block divided by the current target) and numbers of
hash functions are collision-resistant. blocks and compare the time of Proof-of-Work in Bitcoin and
Proof: (sketch) Note that all block headers at the same our solution. As shown in Fig. 5, the time of calculating the
height form a redaction chain by the field last_hash, which nonce increases with the number of blocks and decreases of
is calculated by the hash function SH in the RSA accumulator, targets. Our solution consumes more time than Bitcoin with
and all transactions are summarized in the header by the the same targets because Proof-of-Work in our solution is
field m_root, which is calculated by the hash function in mostly exponentiation operations that are less efficient than
the Merkle hash tree. Since the hash functions are collision- hash operations in Bitcoin.
resistant, these fields ensure that the life cycle of all trans- Therefore, our solution can set a larger target to improve
actions is honestly recorded. Moreover, all transactions can the efficiency of block generation in the redactable blockchain
be efficiently audited with proofs of RSA accumulator and based on Proof-of-Work.
Merkle hash tree.
VI. E VALUATION B. Efficiency of Block Redaction
We develop a proof of concept implementation in Python To evaluate the efficiency of block redaction, we con-
(version 3.6.9) to evaluate our solution. Blockchain nodes duct experiments to study the time of block redaction in
Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.
JIA et al.: REDACTABLE BLOCKCHAIN FROM DECENTRALIZED CHAMELEON HASH FUNCTIONS 2779

Fig. 6. Time of adaption and verification for redacting a transaction with Fig. 9. Time of checking whether a block is redacted with different number
different numbers of attributes in RB-ABE [24]. of blocks behind the original block in RBPS [10].

Fig. 7. Time for proposing and voting when redacting a block with different
Fig. 10. Time of checking the membership/non-membership proofs with
thresholds in RBPS [10].
different numbers of redacted blocks in our solution.

for adaption and combination increases with the threshold,


and adaption consumes the most time because of the massive
calculation for Lagrangian coefficients. Moreover, the time of
verifying a block remains stable when the threshold increases,
which means the thresholds do not affect the consensus
efficiency of the redaction on-chain. The time of proposing
a redaction request equals the latency of a block, and it is less
Fig. 8. Time of an adaption and verifying the adaption with different than 0.01s in our proof of concept implementation.
thresholds in our solution. Compared with our solution, the centralized RB-ABE con-
sumes less time, but ours is in the decentralized setting, and
RB-ABE [24], RBPS [10] and our solution. Particularly, the decentralized RBPS consumes much more time than our
we ignore the network latency. solution.
In RB-ABE, the time consists of adapting the randomness
and verifying the adaption, we adjust the number of attributes
to evaluate the respective time. As shown in Fig. 6, the time C. Efficiency of Consistency Check
of adaption increases with the number of attributes, and the RB-ABE needs not consistency check as they redact trans-
time of verification remains stable. According to our analysis, actions locally and do not reach a consensus on the redactions
the verification only checks the chameleon hash, which means in the network. We conduct experiments to study the time of
anyone who holds the attributes can redact the corresponding consistency check in RBPS and our solution.
transactions and cannot achieve accountability. In RBPS, it consists of checking the redaction request
In RBPS, a blockchain node proposes a redaction request, and votes for the request. The blockchain node traverses the
and the other blockchain nodes vote for it in the next several blocks after the original block for the request and the votes.
blocks. We adjust the number of blocks for voting and record We adjust the number of blocks where the request and votes
the time for appending the proposal and votes on-chain. lie after the original block and record the time for the check.
As shown in Fig. 7, the time of proposing and voting increases As shown in Fig. 9, the time of checking the consistency of a
with the number of blocks. The time for voting may be even block increases with the number of blocks, which means the
more in practice as the interval for blocks can be several efficiency of the consistency check decreases as the blockchain
seconds (e.g., 14s in Ethereum) or minutes (e.g., 10min in is grown. Moreover, if a block has not been redacted, the
Bitcoin), while it is less than 0.01s in our proof of concept blockchain nodes need to traverse all blocks after the original
implementation. block to confirm it.
In our solution, the time consists of an adaption for a In our solution, there are two kinds of proofs and the
part of the new randomness, a combination for the threshold blockchain nodes maintain them locally. The membership
parts, proposing a redaction request, and verification for the proofs are for redacted blocks, and the non-membership proofs
chameleon hash of the adaptions. For the adaption, combina- are for blocks that have not been redacted. We fix the length
tion and verification, we adjust the thresholds of full nodes of a block header’s hash in the RSA accumulator to 256 bits.
and test the respective time. As shown in Fig. 8, the time For the redacted blocks, we adjust the number of elements

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.
2780 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022

TABLE I
T IME C OMPLEXITY AND T IME (S ECONDS ) OF A LGORITHMS W ITH D IFFERENT N UMBER OF E LEMENTS

Fig. 11. Space cost of membership proof for all elements and each element Fig. 12. Space cost of different numbers of non-membership proofs with
with different numbers of elements in the RSA accumulator. different numbers of elements in the RSA accumulator.

in the RSA accumulator. As shown in Fig. 10, the time of the number of elements in the RSA accumulator increases,
checking a membership/non-membership proof on the client which means the efficiency of the RSA accumulator will not
side is constant with the number of redacted blocks in the RSA decrease when the redacted blocks increase or when the chain
accumulator, which means that consistency check is efficient is extended.
on the client side even with lots of redactions. Moreover, the 2) Space Cost: Considering the space cost, RSA accumula-
time is even smaller with the length of l in Section IV-D.5. tor supports membership proofs and non-membership proofs.
Therefore, the client can set a shorter l to reduce the time of For the membership proofs, we adjust the number of ele-
checking the consistency of a block. ments in the RSA accumulator and test the space cost for all
Compared with our solution which is about 10ms for elements and each element. As shown in Fig. 11, the space
membership proof and 20ms for non-membership proof, RBPS for all elements increases with the number of elements in the
consumes much more time for checking the consistency of a RSA accumulator, and the space for each element remains
block and it is about 200s for 30k blocks, and RBPS is less stable (about 0.97KB) when the number of elements in the
efficient when the blockchain is grown. RSA accumulator increases.
For the non-membership proofs, we adjust the number
D. Performance of RSA Accumulator of elements (the blocks that have been redacted) in the
We conduct experiments to evaluate the algorithm efficiency RSA accumulator and test the space for different num-
and the space cost of the RSA accumulator. bers of non-membership proofs (the blocks that have not
1) Efficiency: We analyze the time complexity of algorithms been redacted). As shown in Fig. 12, the space for all
in the RSA accumulator (Section III-C) and conduct experi- non-membership proofs increases with the number of non-
ments to evaluate the efficiency of these algorithms. membership proofs, and the space for each non-membership
As shown in Table. I, the time complexity for gen- proof remains stable (about 0.98KB per proof) when the
erating membership proof and non-membership proof is number of elements in the RSA accumulator increases.
O(n). However, the efficiency keeps stable (O(1)) if the In conclusion, our solution is much more efficient than
blockchain nodes maintain the proofs locally and update RBPS for block redaction and consistency check in the
them with UpdateMem and UpdateNonMem after each decentralized setting, and the redactable blockchain is stable
insertion. Then, we conduct experiments to evaluate the and the chain extension do not affect the efficiency. More-
efficiency of these algorithms. Specifically, we adjust the over, the blockchain nodes can set a larger target to improve
number of elements, and test the time for inserting an ele- the efficiency of block generation in our solution based on
ment (Insert), generating (GenMem and GenNonMem), Proof-of-Work.
checking (CheckMem and CheckNonMem), and updating
(UpdateMem and UpdateNonMem) an element’s member- VII. R ELATED W ORK
ship proof and an element’s non-membership proof. As shown In 2017, Ateniese et al. [9] proposed the first redactable
in Table. I, the time for insertion, checking and updating mem- blockchain, and subsequent research on the work emerged
bership proof and non-membership proof remain stable when endlessly [10], [11], [24]–[31]. According to the redacting

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.
JIA et al.: REDACTABLE BLOCKCHAIN FROM DECENTRALIZED CHAMELEON HASH FUNCTIONS 2781

TABLE II
T HE C OMPARISON OF R EDACTABLE B LOCKCHAIN

permissions, we divide the related works into two categories: problem, and Zhang et al. [26] introduced multiple attribute
centralized and decentralized. We have listed 12 solutions, six authorities to issue the attribute private keys to the blockchain
of them adopted centralized settings, and the rest including nodes. However, the CP-ABE scheme cannot achieve account-
our solution adopted decentralized settings. For these solu- ability, Tian et al. [29] and Chen et al. [20] adopted and fur-
tions, we show (i) whether there is a centralized authority, ther extended the ciphertext-policy attribute-based chameleon
(ii) who can redact the blockchain, (iii) the key technology, hash function with accountability or modification times.
(iv) whether the committee is dynamic after the initialization The centralized setting is efficient in practice, and it is
setup, (v) whether it achieves accountability, (vi) whether the suitable for some situations where an authority needs to
key is used without exposure, (vii) whether the redaction manage or control the blockchain. However, the centralized
reaches on-chain consensus, (viii) the time complexity of solution has a single point of failure problem, if the authority
consistency check in Table. II. is compromised, the blockchain may be controlled by the
adversary. Moreover, existing systems based on permissionless
A. Centralized Setting blockchain such as the digital currency are decentralized and
In a centralized setting, only one organization or several cannot be controlled by an authority. Moreover, the client can-
blockchain nodes are allowed to redact the blocks or transac- not know whether the transaction is redacted unless it traverses
tions in the blockchain. the entire blockchain, which is costly for the blockchain nodes.
To redact a blockchain, Ateniese et al. [9] introduced the
chameleon hash into the blockchain and only one central- B. Decentralized Setting
ized organization that holds the private key can redact the In a decentralized setting, any blockchain node can request
blocks. To alleviate the single point of failure for redaction, to redact the blocks and the malicious redaction can be filtered
Dousti and Küpçü [25] proposed that several authorities can by multiparty consensus. According to the key technology,
redact the blockchain. To achieve flexible permissions con- the decentralized solutions can be divided into two categories:
trol, Derler et al. [24] proposed the ciphertext-policy attribute- consensus on voting ( [10]) and chameleon hash-based ([9],
based chameleon hash function, the attribute authority issues [11], [30], [31] and ours).
the attribute private keys to the blockchain nodes. When 1) Consensus Voting Mechanism: Deuber et al. [10] intro-
the blockchain node uploads the redactable transactions, duced the voting mechanism. A blockchain node gener-
it encrypts the ephemeral trapdoor with access structure, and ates a redaction request for a block or a transaction, and
the private keys with corresponding attributes can redact the other blockchain nodes vote for the redaction by storing
transactions. Moreover, the consensus is performed locally, the hash of the redaction request in the generated blocks
which means that every blockchain node holds different data. (e.g, 1024 blocks). Therefore, it takes a long time to vote
One attribute authority may cause the single point of failure and check the validation of a redaction, as they need to be

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.
2782 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022

confirmed by traversing the transactions for the redaction log, [7] N. Atzei, M. Bartoletti, and T. Cimoli, “A survey of attacks on ethereum
and the efficiency will decrease as the number of transactions smart contracts (SoK),” in Proc. Eur. Joint Conf. Theory Pract. Softw.
(POST), 2017, pp. 164–186.
increases. [8] M. Jia et al., “PROCESS: Privacy-preserving on-chain certificate sta-
2) Chameleon Hash Function: Huang et al. [30] and tus service,” in Proc. IEEE Conf. Comput. Commun. (INFOCOM),
Wu et al. [31] adopted (n, n) adopted threshold scheme May 2021, pp. 1–10.
[9] G. Ateniese, B. Magri, D. Venturi, and E. R. Andrade, “Redactable
based on ring signature and lattice in the chameleon hash blockchain–or–rewriting history in bitcoin and friends,” in Proc. IEEE
respectively. Each redaction must be approved by the pre- Eur. Symp. Secur. Privacy (EuroS&P), Apr. 2017, pp. 111–126.
defined n blockchain nodes, and any blockchain node that [10] D. Deuber, B. Magri, and S. A. K. Thyagarajan, “Redactable blockchain
in the permissionless setting,” in Proc. IEEE Symp. Secur. Privacy (SP),
is offline makes the redaction fail. Zhang et al. [11] adopted May 2019, pp. 124–138.
(t, n) threshold chameleon hash algorithm to modify the [11] J. Zhang et al., “Serving at the edge: A redactable blockchain with fixed
transactions. However, the key generation algorithm requires storage,” in Proc. Web Inf. Syst. Appl. (WISA), 2020, pp. 654–667.
[12] K. Gjøsteen and T. Jager, “Practical and tightly-secure digital signatures
a trusted dealer, which means that the dealer holds the whole and authenticated key exchange,” in Proc. Annu. Int. Cryptol. Conf.
private key. Ateniese et al. [9] proposed that the pre-defined (CRYPTO), 2018, pp. 95–125.
blockchain nodes generate the chameleon hash private key [13] D. Boneh, B. Bünz, and B. Fisch, “Batching techniques for accumulators
with applications to IOPs and stateless blockchains,” in Proc. Annu. Int.
collaboratively. When a blockchain node needs to redact a Cryptol. Conf. (CRYPTO), 2019, pp. 561–586.
block, it collects the threshold shares and restore the private [14] J. Li, N. Li, and R. Xue, “Universal accumulators with efficient non-
key to redact the block. However, the key may be exposed, membership proofs,” in Proc. Appl. Cryptography Netw. Secur. (ACNS),
2007, pp. 253–269.
which means that anyone can redact the blocks once the private [15] A. Joux and K. Nguyen, “Separating decision Diffie–Hellman from
key is restored. computational Diffie–Hellman in cryptographic groups,” J. Cryptol.,
The comparison is shown in Table. II. Each chameleon vol. 16, no. 4, pp. 239–247, Sep. 2003.
[16] D. Boneh, “The decision Diffie–Hellman problem,” in Proc. Algorithmic
hash-based solution except ours has some of the following Number Theory, 3rd Int. Symp. (ANTS), 1998, pp. 48–63.
drawbacks: (i) the key generation relies on a centralized party, [17] T. Okamoto and D. Pointcheval, “The gap-problems: A new class of
(ii) the committee holding the chameleon hash key is settled problems for the security of cryptographic schemes,” in Proc. Int.
Workshop Public Key Cryptography (PKC), 2001, pp. 104–118.
in the setup phase and does not consider the dynamic nature [18] W. Castryck, J. Sotáková, and F. Vercauteren, “Breaking the decisional
of nodes joining/leaving the network, (iii) the key is exposed Diffie–Hellman problem for class group actions using genus theory,” in
with several redactions, (iv) the scheme does not consider Proc. Annu. Int. Cryptol. Conf. (CRYPTO), 2020, pp. 92–120.
[19] J. Camenisch, D. Derler, S. Krenn, H. C. Pöhls, K. Samelin, and
the consistency check problem. Our solution has settled all D. and Slamanig, “Chameleon-hashes with ephemeral trapdoors and
the problems of the chameleon hash based solutions, and our applications to invisible sanitizable signatures,” in Proc. Public-Key
solution is more efficient than RBPS [10] as we have shown Cryptography (PKC), 2017, pp. 152–182.
[20] X. Chen, F. Zhang, H. Tian, B. Wei, and K. Kim, “Discrete logarithm
in the Section VI-B and VI-C. based chameleon hashing and signatures without key exposure,” Comput.
Elect. Eng., vol. 37, no. 4, pp. 614–623, 2011.
[21] D. Boneh and M. Franklin, “Efficient generation of shared RSA keys,”
VIII. C ONCLUSION J. ACM, vol. 48, no. 4, pp. 702–722, Jul. 2001.
[22] E. K. Kogias, D. Malkhi, and A. Spiegelman, “Asynchronous distributed
To solve the problems of traceability and block consis- key generation for computationally-secure randomness, consensus, and
tency in the redactable blockchain, we propose a redactable threshold signatures,” in Proc. ACM SIGSAC Conf. Comput. Commun.
blockchain in the decentralized setting. Our solution is based Secur., Oct. 2020, pp. 1751–1767.
[23] S. K. D. Maram et al., “CHURP: Dynamic-committee proactive secret
on a decentralized chameleon hash function and an efficient sharing,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur.,
consistency check protocol based on the RSA accumulators. Nov. 2019, pp. 2369–2386.
The security analysis and experimental results show that our [24] D. Derler, K. Samelin, D. Slamanig, and C. Striecks, “Fine-grained and
controlled rewriting in blockchains: Chameleon-hashing gone attribute-
proposal provides efficient redaction and block consistency based,” in Proc. Netw. Distrib. Syst. Secur. Symp., 2019, pp. 1–51.
check in practice. [25] M. S. Dousti and A. Küpçü, “Moderated redactable blockchains: A
definitional framework with an efficient construct,” in Proc. Data
Privacy Manage., Cryptocurrencies Blockchain Technol. (DPM/CBT),
R EFERENCES 2020, pp. 355–373.
[26] Z. Zhang, T. Li, Z. Wang, and J. Liu, “Redactable transactions in
[1] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” Decen- consortium blockchain: Controlled by multi-authority CP-ABE,” in
tralized Bus. Rev., p. 21260, 2008. Proc. Inf. Secur. Privacy (ACISP), 2021, pp. 408–429.
[2] A. Imteaj, M. H. Amini, and P. M. Pardalos, Foundations of Blockchain: [27] Y. Jia, S.-F. Sun, Y. Zhang, Z. Liu, and D. Gu, “Redactable blockchain
Theory and Applications. Springer, 2021. supporting supervision and self-management,” in Proc. ACM Asia Conf.
[3] J. Chen, S. Yao, Q. Yuan, K. He, S. Ji, and R. Du, “CertChain: Comput. Commun. Secur., May 2021, pp. 844–858.
Public and efficient certificate audit based on blockchain for TLS [28] S. Xu, J. Ning, J. Ma, X. Huang, and R. H. Deng, “K-time modifiable
connections,” in Proc. IEEE Conf. Comput. Commun. (INFOCOM), and epoch-based redactable blockchain,” IEEE Trans. Inf. Forensics
Apr. 2018, pp. 2060–2068. Security, vol. 16, pp. 4507–4520, 2021.
[4] M. Y. Kubilay, M. S. Kiraz, and H. A. Mantar, “CertLedger: A new [29] Y. Tian, N. Li, Y. Li, P. Szalachowski, and J. Zhou, “Policy-based
PKI model with certificate transparency based on blockchain,” Comput. chameleon hash for blockchain rewriting with black-box account-
Secur., vol. 85, pp. 333–352, Aug. 2019. ability,” in Proc. Annu. Comput. Secur. Appl. Conf. (ACSAC), 2020,
[5] C. Cai, Y. Zheng, Y. Du, Z. Qin, and C. Wang, “Towards private, pp. 813–828.
robust, and verifiable crowdsensing systems via public blockchains,” [30] K. Huang et al., “Building redactable consortium blockchain for indus-
IEEE Trans. Dependable Secure Comput., vol. 18, no. 4, pp. 1893–1907, trial Internet-of-Things,” IEEE Trans. Ind. Informat., vol. 15, no. 6,
Aug. 2021. pp. 3670–3679, Jun. 2019.
[6] G. S. Aujla and A. Jindal, “A decoupled blockchain approach for [31] C. Wu, L. Ke, and Y. Du, “Quantum resistant key-exposure free
edge-envisioned IoT-based healthcare monitoring,” IEEE J. Sel. Areas chameleon hash and applications in redactable blockchain,” Inf. Sci.,
Commun., vol. 39, no. 2, pp. 491–499, Feb. 2021. vol. 548, pp. 438–449, Feb. 2021.

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.
JIA et al.: REDACTABLE BLOCKCHAIN FROM DECENTRALIZED CHAMELEON HASH FUNCTIONS 2783

Meng Jia received the B.S. degree in computer Li Zheng received the B.S. degree in computer
science and technology from Wuhan University, science and technology from Wuhan University,
Wuhan, China, in 2018, where she is currently pur- Wuhan, China, in 2020, where he is currently pursu-
suing the Ph.D. degree with the School of Cyber Sci- ing the Ph.D. degree with the School of Cyber Sci-
ence and Engineering. Her research interests include ence and Engineering. His research interests include
blockchain and applied cryptography. blockchain and applied cryptography.

Jing Chen received the Ph.D. degree in computer


science from the Huazhong University of Science
and Technology, Wuhan. He has been working as a
Full Professor with Wuhan University since 2015.
He has published more than 100 research papers in Mingxi Lai received the B.S. degree in computer
many international journals and conferences, such science and technology from Hunan University,
as IEEE T RANSACTIONS ON D EPENDABLE AND Hunan, China, in 2020. He is currently pursuing the
S ECURE C OMPUTING, IEEE T RANSACTIONS ON M.S. degree with the School of Cyber Science and
I NFORMATION F ORENSICS AND S ECURITY, IEEE Engineering, Wuhan University, Wuhan, China. His
T RANSACTIONS ON M OBILE C OMPUTING, IEEE research interest includes blockchain.
T RANSACTIONS ON C OMPUTERS , IEEE T RANS -
ACTIONS ON PARALLEL AND D ISTRIBUTED S YSTEMS , USENIX Security,
CCS, and INFOCOM. His research interests in computer science are in the
areas of network security and cloud security. He acts as a Reviewer for many
journals and conferences, such as IEEE T RANSACTIONS ON I NFORMATION
F ORENSICS AND S ECURITY, IEEE T RANSACTIONS ON C OMPUTERS , and
IEEE/ACM T RANSACTIONS ON N ETWORKING.

Kun He received the Ph.D. degree in computer sci-


ence from the Computer School, Wuhan University. Donghui Wang received the master’s degree in com-
He is currently an Associate Professor with Wuhan puter science from Jilin University. She is currently
University. He has published more than 20 research a Senior Engineer with Huawei Technologies Com-
papers in many international journals and confer- pany Ltd. She has more than ten years’ experience in
ences, such as IEEE T RANSACTIONS ON C OMPUT- research, security, analysis, and system design under
ERS , IEEE T RANSACTIONS ON D EPENDABLE AND various security projects. Her current research inter-
S ECURE C OMPUTING, IEEE T RANSACTIONS ON ests include blockchain, telecom network security,
M OBILE C OMPUTING, IEEE T RANSACTIONS ON and privacy protection.
PARALLEL AND D ISTRIBUTED S YSTEMS , USENIX
Security, CCS, and INFOCOM. His research inter-
ests include cryptography, network security, mobile computing, and cloud
computing.

Ruiying Du received the B.S., M.S., and


Ph.D. degrees in computer science from Wuhan
University, Wuhan, China, in 1987, 1994, and Fei Liu received the master’s degree in computer
2008, respectively. She is currently a Professor science from Shandong Industry University. She
at the School of Cyber Science and Engineering, is currently a Distinguished Engineer at Huawei
Wuhan University. She has published more than International Private Ltd. She has over 17 years’
80 research papers in many international journals experience of research and design in telecommuni-
and conferences, such as IEEE T RANSACTIONS cation, mobile services, terminals, and cyber security
ON PARALLEL AND D ISTRIBUTED S YSTEMS , through 2G to 5G. She is working on 6G end-
International Journal of Distributed and Parallel to-end security policy and technologies, including
Systems, INFOCOM, SECON, TrustCom, and NSS. trust model, security framework and architecture,
Her research interests include network security, wireless networks, cloud AAA, and AI for security.
computing, and mobile computing.

Authorized licensed use limited to: UNIVERSIDADE FEDERAL DE SANTA CATARINA. Downloaded on January 18,2024 at 19:45:25 UTC from IEEE Xplore. Restrictions apply.

You might also like