Building Redactable Consortium Blockchain For Industrial Internet-of-Things


3670 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 15, NO. 6, JUNE 2019

Ke Huang, Xiaosong Zhang, Yi Mu, Senior Member, IEEE, Xiaofen Wang, Guomin Yang, Senior Member, IEEE, Xiaojiang Du, Senior Member, IEEE, Fatemeh Rezaeibagha, Qi Xia, and Mohsen Guizani, Fellow, IEEE

Manuscript received January 27, 2019; accepted February 17, 2019. Date of publication February 22, 2019; date of current version June 12, 2019. This work was supported in part by the National Key R&D Program of China under Grant 2017YFB0802300, in part by the National Natural Science Foundation of China under Grants U1833122, 61572115, and 61872087, in part by the Sichuan Provincial Major Frontier Issues under Grant 2016JY0007, and in part by the foundation from the State Key Laboratory of Integrated Services Networks, Xidian University (ISN18-09). Paper no. TII-19-0278. (Corresponding author: Ke Huang.)

K. Huang, X. Zhang, X. Wang, and Q. Xia are with the Center for Cyber Security, the College of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China.
Y. Mu is with the Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Mathematics and Informatics, Fujian Normal University, Fuzhou 350007, China.
G. Yang is with the Institute of Cybersecurity and Cryptology, School of Computing and Information Technology, University of Wollongong, Wollongong 2519, Australia.
X. Du is with the Department of Computer and Information Sciences, Temple University Philadelphia, PA 19122 USA.
F. Rezaeibagha is with the SMART Infrastructure, University of Wollongong, Wollongong 2519, Australia.
M. Guizani is with the Department of Electrical and Computer Engineering, University of Idaho, Moscow, ID 83843 USA.

Digital Object Identifier 10.1109/TII.2019.2901011

Abstract—Applying consortium blockchain as a trust layer for heterogeneous industrial Internet-of-Things devices is cost-effective. However, with an increase in computing power, some powerful attacks (e.g., the 51% attack) are inevitable and will cause severe consequences. Recent studies also confirm that anonymity and immutability of blockchain have been abused to facilitate black market trades, etc. To operate controllable blockchain for IIoT devices, it is necessary to rewrite blockchain history back to a normal state once the chain is breached. Ateniese et al. proposed redactable blockchain by using chameleon hash (CH) to replace traditional hash function, it allows blockchain history to be written when needed (EuroS&P 2017). However, we cannot apply this idea directly to IIoT without solving the following problems: (1) achieve a decentralized design of CH; (2) update the signatures accordingly to authenticate the redacted contents; (3) satisfy the low-computing need of the individual IIoT device. In this paper, we overcome the above issues by proposing the first threshold chameleon hash (TCH) and accountable-and-sanitizable chameleon signature (ASCS) schemes. Based on them, we build a redactable consortium blockchain which is efficient for IIoT devices to operate. It allows a group of authorized sensors to write and rewrite blockchain without causing any hard forks. Basically, TCH is the first TCH and ASCS is a public-key signature supporting file-level and block-level modifications of signatures without impairing authentications. Additionally, ASCS achieves accountability to avoid abuse of redaction. While security analysis validates our proposals, the simulation results show that redaction is acceptably efficient if it is executed at a small scale or if we adopt a coarse-grained redaction while sacrificing some securities.

Index Terms—Chameleon hash (CH), chameleon signature (CS), consortium blockchain, industrial Internet-of-Things (IIoT), sanitization.

I. INTRODUCTION

The industrial Internet-of-Things (IIoT) envisions connections and interactions of massive heterogeneous devices for a smarter and more autonomous industry [1], [2]. Generally, IIoT devices are geographically distributed, computationally limited and adopt different techniques. This requires a decentralized, efficient, and cross-platform trust layer to connect all IIoT devices [3], [4]. However, there is no conventional network structure which can achieve these features efficiently. The blockchain proposed by Nakamoto [5] is considered as a preferable answer as it provides a public, decentralized, and immutable trust layer [6], [7]. While integrating blockchain with IIoT network, efficiency and security are two crucial aspects to consider [7], [8]. For efficiency, it is suggested to adopt lightweight cryptographic schemes as most IIoT devices have limited computing resources. For security, the underlying cryptographic schemes such as SHA-256 and elliptic curve discrete signature algorithm (ECDSA) [9] were well studied. Noticeably, public blockchain has recently been accused of abusing anonymity and immutability to facilitate black market trades, finance terrorists and distribute illegal contents, etc [10]. Meanwhile, attacks against blockchain are evolving to become stronger and more powerful (the well known 51% attack has already been witnessed [11]), they pose significant threats to those relying on blockchain to build trust, especially for industries where valuable, sensitive, and real-time activities are taking place.

To repair blockchain from corruptions, Ateniese et al. [10] proposed the notion of "redactable blockchain" by enabling chameleon hash (CH) [12] to rewrite blockchain history. However, this idea cannot be applied to a typical IIoT scenario due to
1) lack of a threshold version of CH;
2) no authentication to validate redaction; and


3) not satisfy the need for low cost for IIoT device.

To fill these gaps, we propose a novel threshold chameleon hash (TCH) and accountable-and-sanitizable chameleon signature (ASCS) as building blocks for a new chain, called: redactable consortium blockchain (RCB). A framework of RCB is shown in Fig. 1.

Fig. 1. Framework of RCB for IIoT.

As it is shown in Fig. 1, we adopt consortium blockchain [13] to build trust for IIoT devices (denoted as user sensors) at layer 1. First, a chain manager selects k authorized sensors and t judge sensors and initiates the chain by publishing the first block. Then it goes off-line and lets authorized sensors write and maintain RCB. The user sensors generate and sign transactions by our ASCS (as shown at layer 2), and send them to authorized sensors at layer 3 for verification. If a block on chain is corrupted (say block 3), k authorized sensors can update signatures to commit to a new block 3' with our ASCS and compute the hash collision for block 3 and 3' with our TCH, the derived collision can enable redaction (as marked by blue arrows, from block 3 to block 3') without causing any hard forks [10] or invalidating authentications. Whenever a dispute occurs on a certain transaction, t judge sensors settle the dispute by running a denial protocol to reveal either it is generated from a user sensor or authorized sensors (marked by red arrows). This accountability can prevent abuse of redaction power as it allows redaction to be accounted and audited at any time. Our RCB can be seen as a general trust layer for all cases of IIoT. We will show how to construct and deploy RCB for IIoT in Section VI.

A. Contributions

In this paper, we propose notions of TCH and ASCS for building RCB under IIoT. RCB serves as a redactable trust layer while satisfying the need for decentralization, authentication, and computing-limit for IIoT devices.

Our contributions can be highlighted as below.
1) We propose the first TCH in this paper. It allows k authorized sensors to compute a hash collision collaboratively in order to rewrite block contents. Our TCH is decentralized and efficient.
2) We propose ASCS. It is a public-key signing scheme supporting block-level and file-level modifications of a signature without impairing authentication. The redaction level of signature (coarse-grained or fine-grained) is based on the choice of parameter. Our ASCS allows authorized sensors to modify signatures efficiently without users' consents, so the signatures committed to new contents can still pass verifications.
3) We show how to construct a RCB with TCH and ASCS and apply it to IIoT environments in Section VI. That helps remove disruptions from blockchain once the chain is breached.
4) We give security analysis and simulations to validate our proposals. The simulation results show that the redaction of RCB is acceptably efficient for IIoT devices if it is executed at a small scale or run as file-level (coarse-grained) by sacrificing security for the purpose of efficiency.

B. Organization

The rest of this paper is organized as follows: in Section II, we give a basic mathematical knowledge for this work; in Section III, we provide definitions and security models of TCH and ASCS; in Sections IV and V, we give concrete constructions and security analysis of TCH and ASCS, respectively; in Section VI, we show how to construct RCB and apply it to IIoT; in Section VII, we show performance analysis of our TCH and ASCS based on simulations; in Section VIII, we give background of related work; Section IX concludes the paper.

II. PRELIMINARIES

A. Complexity Assumption

Let $G$ be a cyclic multiplicative group of prime order $q$ and generator $g$. We have the following complexity assumptions in $G$.

Discrete logarithm problem (DLP): Given $g^a \in G$ where $a \in \mathbb{Z}_q$, there is no probabilistic polynomial time (PPT) adversary $\mathcal{A}$ who can compute $a$ with non-negligible probability.

Computational Diffie-Hellman Problem (CDHP) [14]: Given $g, g^a, g^b \in G$ where $a, b \in \mathbb{Z}_q$, there is no PPT adversary $\mathcal{A}$ who can compute $g^{ab}$ with non-negligible probability.

Decisional Diffie-Hellman problem (DDHP): Given $g, g^a, g^b, g^c \in G$ where $a, b, c \in \mathbb{Z}_q$, decide whether $c = ab$.

A gap Diffie-Hellman (GDH) is a group where CDHP is hard and DDHP is easy on it. It can be constructed from supersingular elliptic curves or hyperelliptic curves over finite fields [15]. We say $\langle g, g^a, g^b, g^c \rangle$ is a Diffie-Hellman tuple if $c = ab \bmod q$.

B. Proofs of Knowledge

A proof of knowledge (PoK) allows one with secret $x \in \mathbb{Z}_q$ to prove $x = \log_g y$ without leaking secret information $x$ [16].

III. DEFINITIONS

In this section, we show definitions and security requirements for TCH and ASCS, respectively.


A. System Model of RCB

The framework of our RCB is shown in Fig. 1, it mainly consists of four parties as identified below.

Chain manager: The entity who selects a group of authorized sensors and judge sensors for writing the chain and settling disputes on the chain. After publishing the first block, it lets authorized sensors take over RCB and goes off-line.

User sensor (a.k.a. signer): Individual IIoT device with limited computing power. It uses our ASCS as signing scheme to authenticate transaction and delegate authorized sensors to update signatures as agreed (by file-level or block-level).

Authorized sensors (a.k.a. sanitizers or receivers): k sensors which are authorized to write and redact blockchain by collaboration. During redaction, they will update signatures without signers' help and enable block redaction without causing any hard forks or impairing authentications on RCB.

Judge sensors (a.k.a. trusted third parties): t trusted sensors who are summoned during the dispute, they can reveal whether the signature is generated from user sensor or authorized sensors.

B. Threshold Chameleon Hash

Definition 1: The TCH consists of four algorithms as follows:
1) TCH.Setup$(\lambda) \to (\text{ParamTCH})$: On input a security parameter $\lambda$, output system parameter ParamTCH.
2) TCH.KeyGen$(\text{ParamTCH}) \to ((tk_1, \ldots, tk_k), hk)$: On input ParamTCH, output a set of threshold trapdoor keys $(tk_1, \ldots, tk_k)$ and a hash key $hk$.
3) TCH.Hash$(hk, CID, m, r) \to (h)$: On input a hash key $hk$, a customized identity $CID$, a message $m$ and a chameleon randomness $r$, output a chameleon hash $h$.
4) TCH.Forge$((tk_1, \ldots, tk_k), (m, h, r), m') \to (r')$: On input a set of threshold trapdoor keys $(tk_1, \ldots, tk_k)$, a tuple $(m, h, r)$ and a new message $m'$, output a new random number $r'$.

C. Accountable-and-Sanitizable Chameleon Signature

Definition 2: The ASCS consists of six algorithms as follows:
1) ASCS.Setup$(\lambda) \to (\text{ParamASCS})$: On input a security parameter $\lambda$, output system parameters ParamASCS.
2) ASCS.KeyGen$(\text{ParamASCS}) \to ((tk_1, \ldots, tk_k), hk, spk, ssk)$: On input ParamASCS, output a set of threshold trapdoor keys $(tk_1, \ldots, tk_k)$, a chameleon hash $hk$, user's signing key $ssk$ and verification key $spk$.
3) ASCS.Sign$(hk, CID, (m, n, I), ssk) \to (\sigma)$: On input a hash key $hk$, a customized identity $CID$, a tuple $(m, n, I)$ including message $m$ to be signed, number of blocks $n$, a set of sanitizable indexes $I$, and user's signing key $ssk$, output signature $\sigma$.
4) ASCS.Verify$((tk_1, \ldots, tk_k), (m, n, I, \sigma), spk) \to (0, 1)$: On input a set of threshold trapdoor keys $(tk_1, \ldots, tk_k)$, a tuple $(m, n, I, \sigma)$, signer's verification key $spk$, output 0 or 1.
5) ASCS.Sanitize$((tk_1, \ldots, tk_k), (m, n, I, \sigma), m', CID, spk) \to (\sigma' \text{ or } \perp)$: On input a set of trapdoor keys $(tk_1, \ldots, tk_k)$, a tuple $(m, n, I, \sigma)$, a new message $m'$, customized identity $CID$ and user's verification key $spk$, output sanitized signature $\sigma'$ or $\perp$.
6) ASCS.Deny$((m^*, n^*, I^*), \sigma^*) \to (\text{error}, 0, 1)$: On input a dispute tuple $((m^*, n^*, I^*), \sigma^*)$ including dispute message $m^*$, and its corresponding number of blocks $n^*$, sanitizable set $I^*$ and signature $\sigma^*$, output error, 0 or 1.

D. Security Requirements of TCH

Definition 3: A secure TCH function should satisfy the following properties [17]:
1) Semantic security: The output of the proposed TCH does not reveal any information of message $m$ to be signed [18].
2) Collision-resistance: Without knowing the trapdoor key $x$, no adversary can efficiently find collision for any pairs of $(m, r)$ and $(m', r')$ under customized identity $CID$ such that TCH.Hash$(hk, CID, m, r)$ = TCH.Hash$(hk, CID, m', r')$ holds.
3) Key-exposure freeness: If no collision of TCH is given under a customized identity $CID$, no adversary can efficiently find a collision for a given TCH.Hash$(CID, m, r)$ even if the adversary can query random oracle TCH.Hash() for any inputs except the customized identity $CID$.

E. Security Requirements of ASCS

Definition 4: A secure ASCS should satisfy the following properties [17], [19]:
1) Unforgeability: No one except the signer can generate a valid signature which has not been previously generated. The receiver can only forge a signature which is previously signed.
2) Indistinguishability: The distributions of output ASCS.Sign and ASCS.Sanitize should be computationally indistinguishable.
3) Nontransferability: The receivers of signature (authorized sensors) cannot convince any third parties of the validity of a signature.
4) Nonrepudiation: The signer cannot deny a legitimate signature generated by himself.
5) Deniability: The signer can deny a forgery of signature by revealing a collision as a proof.
6) Sanitizer-accountability: No malicious sanitizer can convince the judge to accuse the signer of signing the message which has not been signed by the signer.
7) Signer-accountability: No malicious signer can convince the judge to accuse a sanitizer of sanitizing the signature which has not been sanitized by the sanitizer.

IV. PROPOSED TCH AND SECURITY ANALYSIS

In this section, we propose a concrete construction of TCH and security analysis. Simply, our TCH is the foundation of this work, it serves a theoretical basis for both redactable blockchain


and our next proposal: ASCS. It allows collisions of CH to be found by distributed manner.

A. Construction of TCH Scheme

TCH.Setup$(\lambda) \to (\text{ParamTCH})$: On input a security parameter $\lambda$, choose a GDH group $G$ [15] generated by $g$ of order $q$. Set $H_0: \{0,1\}^* \to G^*$, $H_1: \{0,1\}^* \to \mathbb{Z}_q$. Output system parameter ParamTCH $= \{G, q, g, H_0, H_1\}$.

TCH.KeyGen$(\text{ParamTCH}) \to ((tk_1, \ldots, tk_k), hk)$: On input system parameter ParamTCH, k authorized sensors compute by a sequence of ring as follows: each $i$th member ($1 \le i \le k$) chooses a random integer $x_i \xleftarrow{R} \mathbb{Z}_q^*$ as its threshold trapdoor key $tk_i = x_i$ and relays $g^{x_i}$ to the $(i+1)$th member. Meanwhile, the $i$th member received $g^{x_{i-1}}$ from the $(i-1)$th member, it computes $g^{(x_{i-1}) x_i}$ and sends to the next member. After $k$ steps, each member derived a hash key $hk = g^{(x_1 \cdots x_k)}$ (an example is shown in Section VII, Fig. 3). Denote $tk = (x_1 \cdots x_k)$ as trapdoor key and $hk$ as hash key.

TCH.Hash$(hk, CID, m, r) \to (h)$: On input a hash key $hk$, a customized identity $CID$ (it can limit the key exposure to leakage of trapdoor key associated with chosen identity [17]), compute $h = H_0(CID, hk)$. Select a random number $\alpha \xleftarrow{R} \mathbb{Z}_q^*$, compute $r = (g^{\alpha}, hk^{\alpha})$. Output $h = g^{\alpha} h^{H_1(m)}$.

TCH.Forge$((tk_1, \ldots, tk_k), (m, h, r), m') \to (r')$: On input a set of threshold trapdoor keys $(tk_1, \ldots, tk_k)$, a tuple $(m, h, r)$ where $r = (g^{\alpha}, hk^{\alpha})$ and a new message $m'$. A ring of authorized sensors compute collision as follows: the $i$th member computes $h^{x_i (H_1(m) - H_1(m'))}$ and relays to the $(i+1)$th member. Meanwhile, the $i$th member receives $h^{x_{i-1} (H_1(m) - H_1(m'))}$ from the $(i-1)$th member, it can then compute $h^{x_i \cdot (x_{i-1}) (H_1(m) - H_1(m'))}$ and sends to the $(i+1)$th sensor. After $k$ steps, each member $i$ derives $h^{(x_1 \cdots x_k)(H_1(m) - H_1(m'))}$ and computes

$$r' = (g^{a'}, hk^{a'}) = \left(g^{a} \cdot h^{H_1(m) - H_1(m')},\ hk^{a} \cdot h^{(x_1 \cdots x_k)(H_1(m) - H_1(m'))}\right)$$

as a new randomness. The forgery succeeds if $g^{a'} h^{H_1(m')} = g^{a} h^{H_1(m)}$ and $\langle g, hk, g^{a'}, hk^{a'} \rangle$ is a valid Diffie-Hellman tuple; otherwise, $(m', r')$ and $(m, r)$ are not a collision.

B. Security Analysis of TCH Scheme

Our proposed TCH satisfies the following properties.

Semantic Security: For each CH value $h$, a customized identity $CID$ and message $m$, there is always one specific chameleon randomness $r$ such that $r = (g^{a}, hk^{a}) = \left((h \cdot h^{-H_1(m)}),\ (h \cdot h^{-H_1(m)})^{(x_1 \cdots x_k)}\right)$ and $h = g^{\alpha} h^{H_1(m)}$ holds. Therefore, the probability distributions of output TCH.Hash$(m)$ and TCH.Hash$(m')$ is computationally indistinguishable.

Collision-resistance: Conversely, suppose our TCH is not collision-resistant and there exists adversary who can efficiently find the collision of TCH. Given $(g, g^x, \bar{h})$, the adversary can find $(m, r)$ and $(m', r')$ as a collision where $g^{\alpha} h^{H_1(m)} = g^{a'} h^{H_1(m')}$ holds. Therefore, we can compute $\bar{h}^x = (hk^{\alpha} / hk^{a'})^{(H_1(m') - H_1(m))^{-1}}$ as a solution to a CDHP in group $G$. Since CDHP in $G$ is hard, our proposed TCH is collision-resistant. Note, we use $\bar{h}$ (an input element of CDHP instance) to distinguish from parameter $h$ in TCH.Hash.

Key-exposure Freeness: Suppose to find a hash collision for a given TCH.Hash$(hk, CID, m, r)$ under a customized identity $CID$, an adversary is allowed to query the random oracle of TCH.Hash() for polynomially many times on inputs $(hk, CID_j, m_j, r_j)$ but except on $CID$. This equals breaking the unforgeability of GDH signature [15].

V. PROPOSED ASCS AND SECURITY ANALYSIS

We propose a concrete construction of ASCS scheme and security analysis in this section. Simply, our ASCS combines the notion of chameleon signature (CS) and sanitizable signature (SS), it allows redaction to take place differently according to the set of the sanitizable set while a new denial protocol is designed to hold redaction accountable at any time.

A. Construction of ASCS Scheme

ASCS.Setup$(\lambda) \to (\text{ParamASCS})$: On input a security parameter $\lambda$, choose a GDH group $G$ [15] generated by $g$ of order $q$. Set $H_0: \{0,1\}^* \to G^*$, $H_1: \{0,1\}^* \to \mathbb{Z}_q$. Output system parameters ParamASCS $= \{G, q, g, H_0, H_1\}$.

ASCS.KeyGen$(\text{ParamASCS}) \to ((tk_1, \ldots, tk_k), hk, spk, ssk)$: On input ParamASCS, choose a set of threshold keys $(tk_1, \ldots, tk_k)$ for each $i$th member of k authorized sensors where $tk_i = x_i$ and $x_i \xleftarrow{R} \mathbb{Z}_q^*$ for $1 \le i \le k$. Publish hash key $hk = g^{(x_1 \cdots x_k)}$. Then, the user sensor chooses random $x_s \xleftarrow{R} \mathbb{Z}_q^*$ as signing key $ssk = x_s$ and publishes the verification key $spk = g^{x_s}$.

ASCS.Sign$(hk, CID, (m, n, I), ssk) \to (\sigma)$: On input hash key $hk$, a customized identity $CID$, a tuple $(m, n, I)$ including message $m$, corresponding number of blocks $n$, a set of sanitizable indices $I \subseteq [1, n]$, and user's signing key $ssk$. Output signature $\sigma$ for $m$ where $\sigma$ is as follows:
1) If $I = [1, n]$, denote this case as ASCS.CS:
   a) Pick a random number $a_c \xleftarrow{R} \mathbb{Z}_q^*$, compute $r_c = (g^{a_c}, hk^{a_c})$ and set $\bar{r} = r_c$.
   b) Run TCH.Hash$(hk, CID, m, r_c)$ to generate $h_c$. Compute $\mathrm{SIGN}_{ssk}(h_c)$ with $ssk$.
   c) Output signature $\sigma = \mathrm{SIGN}_{ssk}(h_c) \| \bar{r}$.
2) If $I \neq [1, n]$, denote this case as ASCS.SS:
   a) Divide message $m$ into $n$ blocks as: $m = m_1 \| \ldots \| m_n$.
   b) For each sanitizable index $i \in I$, choose random $r_i \xleftarrow{R} \mathbb{Z}_q^*$ and run TCH.Hash$(hk, CID, m_i, r_i)$ to compute $h_i$. Set $\bar{r} = \{r_i\}_{i \in I}$.
   c) Let $\tilde{m}_i = h_i$ for each $i \in I$ where $\tilde{m}_i = m_i$ for $i \in [1, n] \setminus I$. Derive $\tilde{m} = \tilde{m}_1 \| \ldots \| \tilde{m}_n$.
   d) Select a random number $a_c \xleftarrow{R} \mathbb{Z}_q^*$ and compute $r_c = (g^{a_c}, hk^{a_c})$. Set $\bar{r} = \bar{r} \| r_c$.
   e) Run TCH.Hash$(hk, CID, \tilde{m}, r_c)$ to generate $h_c$. Compute $\mathrm{SIGN}_{ssk}(h_c)$ with $ssk$.
   f) Output signature $\sigma = \mathrm{SIGN}_{ssk}(h_c) \| \bar{r}$.
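Added example (not code from the paper): TCH.KeyGen, TCH.Hash and TCH.Forge from Section IV-A, together with the ring check $(g^{a})^{(x_1 \cdots x_k)} = hk^{a}$ that ASCS.Verify runs, written over a constructed Schnorr group instead of a GDH group; all function names are illustrative. It shows that the hash equation holds for any shifted first component, so the Diffie-Hellman tuple check is what forces all k trapdoor shares to take part.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption): the order-Q subgroup of Z_P^*,
# with Q = 2^127 - 1 (a Mersenne prime) and P = c*Q + 1. The paper's scheme
# lives in a gap Diffie-Hellman (pairing) group instead.
Q = 2**127 - 1
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases, enough for this parameter search."""
    if n < 2:
        return False
    if any(n % s == 0 for s in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_group(q):
    """Smallest prime P = c*q + 1 and a generator G of the order-q subgroup."""
    c = 2
    while not is_probable_prime(c * q + 1):
        c += 2
    p = c * q + 1
    base = 2
    while pow(base, c, p) == 1:
        base += 1
    return p, pow(base, c, p)

P, G = find_group(Q)

def digest_int(*parts):
    """SHA-256 over length-prefixed parts, as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")

def H0(cid, hk):
    """Hash (CID, hk) into the subgroup: map into Z_P, raise to the cofactor."""
    hk_bytes = hk.to_bytes((P.bit_length() + 7) // 8, "big")
    ctr = 0
    while True:
        v = pow(digest_int(b"H0", cid, hk_bytes, bytes([ctr])) % P, (P - 1) // Q, P)
        if v > 1:
            return v
        ctr += 1

def H1(m):
    return digest_int(b"H1", m) % Q

def ring_exp(shares, value):
    """One pass around the ring: each member raises the value to its own x_i."""
    for x in shares:
        value = pow(value, x, P)
    return value

def keygen(k):
    """TCH.KeyGen: k trapdoor shares x_i and the hash key hk = g^(x_1...x_k)."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(k)]
    return shares, ring_exp(shares, G)

def tch_digest(hk, cid, m, r):
    """Recompute the hash value g^alpha * h^H1(m) from r = (g^alpha, hk^alpha)."""
    return r[0] * pow(H0(cid, hk), H1(m), P) % P

def tch_hash(hk, cid, m):
    """TCH.Hash: pick alpha, return (hash value, r)."""
    alpha = secrets.randbelow(Q - 1) + 1
    r = (pow(G, alpha, P), pow(hk, alpha, P))
    return tch_digest(hk, cid, m, r), r

def tch_forge(shares, hk, cid, m, r, m_new):
    """TCH.Forge: shift r so that m_new hashes to the same value as m."""
    t = pow(H0(cid, hk), (H1(m) - H1(m_new)) % Q, P)
    return (r[0] * t % P, r[1] * ring_exp(shares, t) % P)

def ring_dh_check(shares, r):
    """The check from ASCS.Verify: (g^a)^(x_1...x_k) must equal hk^a."""
    return ring_exp(shares, r[0]) == r[1]

if __name__ == "__main__":
    shares, hk = keygen(3)
    digest, r = tch_hash(hk, b"block-3", b"original transactions")
    r_new = tch_forge(shares, hk, b"block-3", b"original transactions", r, b"redacted")
    print(tch_digest(hk, b"block-3", b"redacted", r_new) == digest,
          ring_dh_check(shares, r_new))
```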


Here, we adopt the [15] as underlying signing scheme SIGN().

ASCS.Verify$((tk_1, \ldots, tk_k), (m, n, I, \sigma), spk) \to (0, 1)$: On input a set of threshold trapdoor keys $(tk_1, \ldots, tk_k)$, a tuple $(m, n, I, \sigma)$ and a verification key $spk$, k authorized sensors verify as follows.

First, parse $\sigma = \mathrm{SIGN}_{ssk}(h_c) \| \bar{r}$ and derive $r_c = (g^{a_c}, hk^{a_c})$ from $\bar{r}$. Then, k authorized sensors compute $(g^{a_c})^{(x_1 \cdots x_k)}$ by a sequence of ring as previously mentioned. Output 0 if $(g^{a_c})^{(x_1 \cdots x_k)} = hk^{a_c}$ does not hold and terminates; otherwise, proceeds as follows.
1) If $I = [1, n]$, run TCH.Hash$(hk, CID, m, r_c)$ to compute $h_c$. Given $spk$, verify $\mathrm{SIGN}_{ssk}(h_c)$. If valid, output 1; otherwise, output 0 and terminates.
2) If $I \neq [1, n]$:
   a) Parse $\sigma = \mathrm{SIGN}_{ssk}(h_c) \| \bar{r}$ where $\bar{r} = \{r_i\}_{i \in I}$.
   b) Divide message $m$ into $n$ blocks as: $m = m_1 \| \ldots \| m_n$.
   c) For each $i \in I$, run TCH.Hash$(hk, CID, m_i, r_i)$ to compute $h_i$ and set $\tilde{m}_i = h_i$. For $i \in [1, n] \setminus I$, set $\tilde{m}_i = m_i$. Derive $\tilde{m} = \tilde{m}_1 \| \ldots \| \tilde{m}_n$.
   d) Run TCH.Hash$(hk, CID, \tilde{m}, r_c)$ to compute $h_c$, and verify $\mathrm{SIGN}_{ssk}(h_c)$ by $spk$, if valid, output 1; otherwise, output 0.

ASCS.Sanitize$((tk_1, \ldots, tk_k), (m, n, I, \sigma), m', CID, spk) \to (\sigma' \text{ or } \perp)$: On input a set of threshold trapdoor keys $(tk_1, \ldots, tk_k)$, a tuple $(m, n, I, \sigma)$, a new message $m'$ ($m' \neq m$), a customized identity $CID$ and a verification key $spk$. Authorized sensors first run ASCS.Verify to verify $\sigma$. If output 0, abort; otherwise, proceed with sanitization as follows.
1) If $I = [1, n]$:
   a) Parse $\sigma = \mathrm{SIGN}_{ssk}(h_c) \| \bar{r}$ where $\bar{r} = (r_c = (g^{a_c}, hk^{a_c}))$.
   b) Compute $h_c$ and run TCH.Forge$((tk_1, \ldots, tk_k), (m, h_c, r_c), m')$ to generate $r_c'$. Set $\bar{r}' = r_c'$.
   c) Output $\sigma' = \mathrm{SIGN}_{ssk}(h_c) \| \bar{r}'$.
2) If $I \neq [1, n]$:
   a) Parse $\sigma = \mathrm{SIGN}_{ssk}(h_c) \| \bar{r}$ where $\bar{r} = \{r_i\}_{i \in I}$.
   b) Divide message as: $m = m_1 \| \ldots \| m_n$ and $m' = m_1' \| \ldots \| m_n'$. Set $I' = \{i \in I \mid m_i \neq m_i'\}$, if $I' = \emptyset$, terminates; otherwise, go to the next step.
   c) For each $i \in I'$, run TCH.Forge$((tk_1, \ldots, tk_k), (m, h, r), m')$ to derive $r_i'$ and set $r_i = r_i'$. Derive $\bar{r}' = \{r_i\}_{i \in I}$.
   d) Output $\sigma' = \mathrm{SIGN}_{ssk}(h_c) \| \bar{r}'$.

ASCS.Deny$((m^*, n^*, I^*), \sigma^*) \to (\text{error}, 0, 1)$: On input a dispute tuple $((m^*, n^*, I^*), \sigma^*)$ where $\sigma^* = \mathrm{SIGN}_{ssk}(h_c) \| \bar{r}$ and $r_c^* = (g^{a_c^*}, hk^{a_c^*})$ is the chameleon randomness encapsulated in $\sigma^*$. The t judge sensors proceed denial protocol as follows.
1) First, each judge sensor checks whether $\langle g, hk, g^{a_c^*}, hk^{a_c^*} \rangle$ is a valid Diffie-Hellman tuple, if not, output error and terminates; otherwise, go to the next step.
2) Next, each judge sensor contacts the signer for denial, if the signer accepts directly, output 0; otherwise, the signer denies by revealing a proof ((m, n, I), σ, ) where is a noninteractive PoK [16] of $\alpha_c = \log_g g^{\alpha_c}$ and $\alpha_c$ is the random number for generating chameleon randomness $r_c = (g^{\alpha_c}, hk^{\alpha_c})$.
3) On receiving the proof, each judge sensor first extracts $r_c = (g^{\alpha_c}, hk^{\alpha_c})$ from $\sigma$, and checks whether $\langle g, hk, g^{\alpha_c}, hk^{\alpha_c} \rangle$ is a Diffie-Hellman tuple, $h_c = g^{\alpha_c} hk^{H_1(m)}$, $m^* \neq m$ and is valid. If all hold, output 1; otherwise output 0.

Consequently, if most of the judge sensors output error, it indicates $\sigma^*$ is invalid; if most of them output 0, it indicates $\sigma^*$ is originally generated from user sensor; if most of them output 1, it indicates $\sigma^*$ is generated from authorized sensors.

B. Security Analysis of ASCS Scheme

Our proposed ASCS satisfies the following properties.

Unforgeability: Suppose an adversary who can generate valid signatures to pass our verification algorithm ASCS.Verify where he may either forge a signature of SIGN() or find a collision of a previously generated signature. This implies breaking unforgeability of SIGN() or collision-resistance of TCH. Meanwhile, the forgery is meaningless since the signer can deny the forgery at any time by ASCS.Deny. We can, therefore, reduce our unforgeability to the underlying signature we use and collision-resistance of TCH.

Indistinguishable: Based on [18], it is obvious that the output distributions of our ASCS.Sign and ASCS.Sanitize are indistinguishable.

Nontransferable: No authorized sensors can convince any third parties of the validity of the signature. The reason is that algorithm ASCS.Verify requires taking each threshold trapdoor key as input, so the verification is privately verifiable. Meanwhile, according to [20], nontransferability can also be derived from semantic-security of our underlying TCH.

Nonrepudiation: Conversely, we suppose signer can deny a signature generated by himself. Suppose $((m^*, n^*, I^*), \sigma^*)$ is a dispute pair, the signer can deny this pair by revealing a collision $((m', n', I'), \sigma')$ to satisfy $g^{a_c^*} h^{H_1(m^*)} = g^{a_c'} h^{H_1(m')}$. Meaning that he can find $(m', r_c')$ as a TCH collision against $(m^*, r_c^*)$. As the trapdoor key is controlled by authorized sensors by the threshold, this implies breaking collision-resistance of TCH.

Deniability: Suppose $((m^*, n^*, I^*), \sigma^*)$ is a dispute pair forged from a previous pair $((m, n, I), \sigma)$ generated by the signer. Then, the signer can deny the dispute pair by revealing ((m, n, I), σ, ). As the signer cannot forge a collision, we can reduce deniability to collision-resistance of TCH.

Sanitizer-accountability: Conversely, suppose there exists a malicious sanitizer who can forge $(m^*, \sigma^*)$ and convince the judge sensors to accuse the signer of generating it. So, $(m^*, \sigma^*)$ can pass verification of ASCS.Verify and be used as a proof against dispute during ASCS.Deny. As discussed, this implies breaking both unforgeability and deniability of our ASCS.

Signer-accountability: Conversely, suppose there exists a malicious signer who can convince the judge sensors to accuse the sanitizer of generating $(m^*, \sigma^*)$. So, he can forward $(m^*, \sigma^*)$ to the judge sensors by ASCS.Deny, and the protocol outputs 1


as result. Since the signer cannot forge a collision of TCH, this implies breaking collision-resistance and deniability.

VI. CONSTRUCTING AND APPLYING RCB FOR IIOT

A. Constructing RCB

To setup RCB, a chain manager first runs TCH.Setup and ASCS.Setup to generate system parameters. Then, it selects k authorized sensors and runs TCH.KeyGen to generate a set of threshold trapdoor key $(tk_1, \ldots, tk_k)$ and hash key $hk$. To note, this procedure is dominated by a chain manager. It arranges each membership and corresponding position during ring formation. Next, the manager uses TCH and ASCS as system hash function (instead of SHA-256) and digital signature (instead of ECDSA [9]) to power blockchain. See concrete details below.

First, we review how bitcoin generates each transaction: suppose owner 1 wishes to transfer the coin to another user (say owner 2), he first computes a hash by taking the previous transaction and public key of owner 2 as inputs. Then, he signs the derived hash with his private key and adds this signature to the block. Analogically, RCB asks owner 1 to sign by taking the same information as mentioned earlier (as $m$) and the public key of authorized sensors (as $hk$) as inputs to ASCS.Sign. Thus, the derived signature allows redaction to be made by running ASCS.Sanitize among a group of authorized sensors. The core concept is to sign on an output of TCH.Hash, so the derived signature is redactable.

Second, as defined by bitcoin [5], it requires hashing all transactions into a merkle tree in order to generate a block. Thus, the old block only needs to keep a root instead of all interior information. Analogically, our RCB replaces this root with a TCH.Hash output of it (say $h$). Thus, it allows authorized sensors to find a collision by running TCH.Forge without altering the hash. Consequently, the redaction can take place while block hash is unchanged and signatures are valid.

Last and not least, it is necessary to reach 100% agreement among all authorized sensors as a consensus to redact a block in our RCB, as redaction requires the cooperation of each party in the ring (as defined by TCH.Forge and ASCS.Sanitize). This is easy to implement by use of smart contract which executes codes automatically if certain conditions are triggered (e.g., violations of certain regulations, etc). As authorized sensors are assumed to be trusted, block redaction can always be executed by a deterministic and secure way (guaranteed by the security analysis of our TCH and ASCS). Due to space limit, details are omitted here.

B. Applying RCB for IIoT

Trivially, RCB can be introduced to replace any traditional consortium blockchain used for specific industrial scenarios. Take a recent proposal [13] as an example, the proposed consortium blockchain for energy trading can be revised to be redactable. We assume transaction servers in [13] misbehave during collection and counting of energy trades (or being corrupted to do so), which will cause disorders to the distribution of

TABLE I. DEFINITIONS AND CONVERSIONS OF PRIMITIVE OPERATIONS

TABLE II. COMPUTATION COST OF SIMILAR CH SCHEMES
Denote: k as a number of authorized sensors; CDHP: Computational Diffie-Hellman Problem; q-SDHP: q-Strong Diffie-Hellman Problem.

to [13], the disorders on the chain can be efficiently resolved through rewriting block contents. To convert [13] to a RCB, the core idea is to use our proposed TCH and ASCS to replace the underlying hash function and digital signature, and revise their blockchain consensus mechanism to be a TCH-based proof-of-work.

VII. PERFORMANCE ANALYSIS

In this section, we provide complexity analysis and simulation results of our TCH and ASCS for evaluations.

A. Complexity Analysis

First, we adopt BLS signature [15] as the underlying signing scheme SIGN() in our ASCS. For ease of numerical analysis, we show definitions and conversions of primitive operations in Table I based on [21], [22]. We use $T_m$ (group multiplication) as a unit of measurement for following complexity analysis.

Based on [17], [18], [23] and [17], [23]–[26], we list the complexity of similar schemes in Tables II and III, respectively. We set k = 1, l = 1 and l = 1 to derive a lower bound for comparison. As shown in Table II, our TCH is as efficient as others while the cost of forging is linear with k. As shown in Table III, our ASCS works in two cases: ASCS.CS (when $I = [1, n]$) for file-level modification and ASCS.SS (when $I \neq [1, n]$) for block-level modification. Simply speaking, we apply ASCS.CS for signing if all blocks are set to be sanitizable; otherwise, we use ASCS.SS. As observed, it is obvious that ASCS.CS is more efficient than ASCS.SS since it requires running TCH.Hash only once. We conducted simulations to show a quantitative
energy coins and interrupt energy trades. By applying redaction analysis next.
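The redaction path described above (the block header keeps a chameleon hash of the Merkle root, and every authorized sensor in the ring must take part in forging new randomness), as an added example that is not the paper's TCH or ASCS. It assumes the textbook discrete-log chameleon hash with the trapdoor split multiplicatively across the ring, over a toy-sized group; all function names, the share layout and the sample transactions are illustrative assumptions.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; deterministic with these bases for n < 3.3e24."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Toy-sized group (assumption): safe prime P = 2Q + 1, G = 4 has order Q.
Q = 2**61 + 1
while not (is_prime(Q) and is_prime(2 * Q + 1)):
    Q += 2
P, G = 2 * Q + 1, 4

def H(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def ring_keygen(shares):
    """The value travels round the ring; each sensor raises it to its share."""
    hk = G
    for x in shares:
        hk = pow(hk, x, P)
    return hk  # G^(x1 * x2 * ... * xk) mod P

def ch_hash(hk, msg, r):
    return pow(G, H(msg), P) * pow(hk, r, P) % P

def ring_forge(shares, msg, r, new_msg):
    """Each cooperating sensor divides the hash difference by its own share."""
    d = (H(msg) - H(new_msg)) % Q
    for x in shares:
        d = d * pow(x, -1, Q) % Q
    return (r + d) % Q

def merkle_root(txs):
    level = [hashlib.sha256(t).digest() for t in txs]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last node on odd levels
        level = [hashlib.sha256(a + b).digest()
                 for a, b in zip(level[::2], level[1::2])]
    return level[0]

def demo(k=5):
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(k)]  # one per sensor
    hk = ring_keygen(shares)
    txs = [b"tx1 A->B 5", b"tx2 B->C 2", b"tx3 C->D 9"]  # constructed sample
    old_root, r = merkle_root(txs), secrets.randbelow(Q)
    h = ch_hash(hk, old_root, r)  # header keeps h in place of the bare root
    new_root = merkle_root([txs[0], b"tx2 [redacted]", txs[2]])
    r_all = ring_forge(shares, old_root, r, new_root)
    r_missing = ring_forge(shares[:-1], old_root, r, new_root)  # one refuses
    return {
        "all_sensors": ch_hash(hk, new_root, r_all) == h,
        "one_missing": ch_hash(hk, new_root, r_missing) == h,
        "no_forge": ch_hash(hk, new_root, r) == h,
    }

if __name__ == "__main__":
    print(demo())
```

In this textbook construction, anyone who sees both the old and the new (root, r) pair can solve for the product of the shares, which is the key-exposure problem that the key-exposure-free schemes cited in this paper address. The block illustrates only that the header hash stays fixed and that every ring member must take part.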


TABLE III
COMPUTATION COST OF SIMILAR SIGNATURE SCHEMES

Denote: n as the number of blocks in each file; k as the number of authorized sensors; l as the number of indexes in sanitizable set I, i.e., l = |I|; l  as number of sanitization operations, i.e., l  = |I  | where I  includes indexes of blocks being sanitized; CS: Chameleon Signature; SS: Sanitizable Signature; N/A, not applicable to this function; for the lower bound of Brzuska [25], we assume the length of message |m| is two bits (one for fixed block, one for admissible block), so we derive a lower bound of 6T_e ≈ 126T_m.

TABLE IV
PERFORMANCE OF HASH COMPUTING

Fig. 2. Computational cost on single IIoT device. (a) Time cost of ASCS.Sign. (b) Time cost of TCH.Forge. (c) Time cost of ASCS.Sanitize. (d) Time cost of ASCS.Verify.

B. Experimental Results

In this section, we conduct experiments on sensor devices and laptops, respectively, for the quantitative analysis of our scheme’s performance. We first give parameters for the implementation and then show simulation results.

1) Implementation and Setup: For simulations, we use PBC-0.5.13 [27] for all algebraic operations and OpenSSL for communications. We choose the curve to be Type-A, which is the supersingular curve $y^2 = x^3 + x$ with an embedding degree of 2. Our experiments are tested on two different platforms: algorithms TCH.Hash() and ASCS.Sign() are run on Raspberry Pi 3 model B (sensor device); TCH.Forge(), ASCS.Sanitize(), ASCS.Sign() and ASCS.Deney() are run on a laptop with Intel i5-3210M CPU and 2 core processors running at 2.3 GHz and 4-GB RAM with 32-bits Windows 7 SP1 operating system. The reason for testing on different platforms is that we assume the user sensor is computationally limited and authorized sensors are computationally unlimited. We fix block size to 1 KB. Each of our test results is taken as the mean of 10 consecutive executions.

2) Performance on an Actual Sensor: We compare the results of hashing a 1-KB block in Table IV. As shown in Table IV, our TCH is efficient in computing hash. For testing the performance of ASCS.Sign, we first implement on a 1-KB block directly. Next, we incrementally set n to be 2, 4, 16, 64, respectively. For the case of ASCS.CS, we assume all blocks are sanitizable. For the case of ASCS.SS, we assume 50% of blocks are sanitizable and we sanitize all of them (100%). For example, when n = 2, we apply ASCS.SS to two 1-KB blocks where the first block is sanitizable and the second one is fixed. We also show results of [23] and [26] for comparison. As shown in Fig. 2(a), the cost of ASCS.SS rises fast with l while others remain constant. The main reason is that our ASCS.SS requires running TCH.Hash for each sanitizable block while others do not.

Assume the power and current draw for our sensor device are 3.0 V and 8.0 mA. The energy consumption of the tested sensor for running TCH.Hash is 3.0 × 8.0 × 0.028 = 0.672 mJ. The energy consumption for running ASCS.CS when l = 64 is 3.0 × 8.0 × 1.687 = 40.488 mJ. Based on the results shown in Fig. 2(a), if we limit the number of sanitizable blocks l to 64, the cost for running ASCS.SS will always be lower than 40.488 mJ, which is acceptably low for the IIoT device. However, if we set all blocks to be sanitizable (fix to the case of ASCS.CS), the cost will be decreased to a constant and low level. However, this sacrifices security as it allows arbitrary modifications of a committed message (a coarse-grained redaction) while ASCS.SS limits modifications to admissible blocks only.

To note, the choice between ASCS.CS and ASCS.SS depends on the setting of I and n. Although we can fix them as global parameters in ASCS.Setup for a certain case, we allow the signer to select them for ease of discussion in this paper.

3) Performance of Other Algorithms: In this part, we show an example of computing “by a sequence of ring” in TCH.KeyGen in Fig. 3. To note, this procedure is manipulated by a chain manager which dominates the entire formation of ring-based membership. For ease of understanding, we extract this procedure by k rounds. To follow, round 1 begins with sensor 2 and ends with sensor 1 by deriving hk. Analogically, after k rounds, each member of the ring can get hk.


Fig. 3. Example of computing by the sequence of the ring.

Based on the above-mentioned idea, we programmed a sequential computation for ease of simulations and divided the total cost by k as an average cost for each node. We randomly select two 1-KB blocks as m and m , respectively. We range k from 10 to 50 and show the linear relationship between threshold and computing cost in Fig. 2(b). As shown, the cost for each node to run TCH.Forge() increases linearly with k. This is due to the fact that the bigger k is, the more rounds are executed for forging a collision.

To test ASCS.Sanitize, we incrementally set n to 1, 2, 4, 8, 64 for the case of ASCS.CS and assume all blocks are sanitizable; for the case of ASCS.CS, we set the first half of blocks as sanitizable. For both cases, we sanitize 50% of the sanitizable blocks, i.e., we set l to 0, 1, 2, 4, 32, respectively. For example, for ASCS.SS with n = 4, we apply TCH.Forge for the first two blocks to derive new randomness. Meanwhile, we apply different k for both cases to analyze how the cost is influenced by the threshold number k. The results are shown in Fig. 3(c). As given, the time cost of sanitization for ASCS.CS remains constant regardless of k and l. However, the cost of sanitization for ASCS.SS is factored by both k and l. Finally, the cost of verification for the case of ASCS.CS is linear with l as shown in Fig. 3(d). The reason is the same as discussed in ASCS.Sign.

To conclude, the cost of signing and redaction generally depends on the scale of redaction and the processing-particle (file-level or block-level) we choose. It coincides with the conclusion we draw from Fig. 3(a). Although our ASCS is less efficient than peer works in case of ASCS.SS (when |I| is large), it is still acceptable if we consider the following conditions.
1) Rare occurrence of block redaction.
2) Prevention of misuse or collusion (as redaction requires full participation of all authorized nodes and costs highly).
3) The redaction cost is negligible for authorized sensors which are assumed to be computationally powerful (e.g., fog servers).

VIII. RELATED WORK

In this paper, we study CH, chameleon signature (CS) [12], and SS [19] for building RCB. We review these works as follows.

Krawczyk and Rabin [12] first proposed CS to achieve the notion of “undeniable signature” [28]. Later, Ateniese and Medeiros [18] extended [12] by proposing the first identity-based CH against the key-exposure problem. In [18], customized identity is used to limit leakage of the trapdoor to every single transaction. Chen et al. [23] proposed the first key-exposure free CH in the GDH groups. Ateniese [20] presented three key-exposure CH schemes. Then, Chen et al. [17] proposed a key-exposure free CH and CS based on the DLP. Recently, Camenisch et al. [29] proposed CH with ephemeral trapdoors to prevent trapdoor holder from finding collisions if no other ephemeral trapdoor is leaked. Krenn et al. [30] proposed chameleon-hashes with dual long-term trapdoors where the hashing party can choose between using a fresh second trapdoor and reusing an existing one. So far, no TCH is proposed.

Ateniese et al. [19] proposed the first SS based on CS [12] which allows a semi-trusted third party to modify signatures moderately. Later on, SS schemes follow inner-and-outer signature structures to avoid the linear cost of sanitization and adopt different underlying signatures to offer distinct properties [24]. Brzuska et al. [24] formally investigated several security properties and their relationships. Then, Brzuska et al. [31] defined unlinkability specifically to prevent linking sanitized signatures to the same message. Canard et al. [32] considered a multi-players (n signers and m sanitizers) scenario based on the work by Brzuska et al. [31]. Simply, our ASCS can be considered a subset case (1 signer and k sanitizers) of [32], in which the underlying CH of our scheme is a threshold version. Later, Fleischhacker et al. [25] proposed the first efficient unlinkable SS where the signer can sign the message with the rerandomized key. To note, we choose to focus on accountability (instead of unlinkability) in order to bring verifiability and auditability in blockchain with redaction. Recently, Lai et al. [26] proposed two generic constructions for efficient instantiations of SSs in the standard model. The reader is referred to references [33]–[34] for more details.

IX. CONCLUSION

In this paper, we proposed two theoretical primitives needed to build a RCB for IIoT devices, namely TCH and ASCS. The design of TCH and ASCS caters for decentralization, modifiable-authentication and low computing requirements of IIoT-based trust layer. To avoid abuse of redaction, accountability is achieved so that the origin of any dispute signatures can be revealed. The use of RCB empowers IIoT devices to operate blockchain in a controllable way so as to prevent severe consequences. The experimental results showed that redaction is efficient if it is maintained at a small scale or if the redaction is executed at file-level with a sacrifice of security. This is reasonable since redaction is only needed for a few parts on the chain (important statistics), and there is always a tradeoff between security and efficiency.

REFERENCES

[1] S. Jeschke, C. Brecher, T. Meisen, D. Ozdemir, and T. Eschert, “Industrial internet of things and cyber manufacturing systems,” Ind. Internet Things., pp. 3–19, 2017.
[2] E. Sisinni, A. Saifullah, S. Han, U. Jennehag, and M. Gidlund, “Industrial internet of things: Challenges, opportunities, and directions,” IEEE Trans. Ind. Informat., vol. 14, no. 11, pp. 4724–4734, Nov. 2018.
[3] R. Lacuesta, G. Palacios-Navarro, C. Cetina, L. Penalver, and J. Lloret, “Internet of things: Where to be is to trust,” EURASIP J. Wireless Commun. Netw., vol. 2012, no. 1, pp. 1–16, 2012.


[4] S. Sicari, A. Rizzardi, L. A. Grieco, and A. Coen-Porisini, “Security, privacy and trust in internet of things: The road ahead,” Comput. Netw., vol. 76, pp. 146–164, Jan. 2015.
[5] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2008. [Online]. Available at: https://bitcoin.org/bitcoin.pdf
[6] G. Zyskind, O. Nathan, and A. S. Pentland, “Decentralizing privacy: Using blockchain to protect personal data,” in Proc. IEEE Secur. Privacy Workshops, 2015, pp. 180–184.
[7] X. Du, Y. Xiao, M. Guizani, and H. H. Chen, “An effective key management scheme for heterogeneous sensor networks,” Ad Hoc Netw., vol. 5, no. 1, pp. 24–34, Jan. 2007.
[8] X. Du and H. H. Chen, “Security in wireless sensor networks,” IEEE Wireless Commun. Mag., vol. 15, no. 4, pp. 60–66, Aug. 2008.
[9] X. Du, M. Guizani, Y. Xiao, and H. H. Chen, “A routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks,” IEEE Trans. Wireless Commun., vol. 8, no. 3, pp. 1223–1229, Mar. 2009.
[10] G. Ateniese, B. Magri, D. Venturi, and E. Andrade, “Redactable blockchain – or – rewriting history in bitcoin and friends,” in Proc. IEEE Eur. Symp. Secur. Privacy 2017, pp. 111–126.
[11] M. Ali, J. Nelson, R. Shea, and M. J. Freedman, “Blockstack: A global naming and storage system secured by blockchains,” in Proc. USENIX Annu. Techn. Conf., 2016, pp. 181–194.
[12] H. Krawczyk and T. Rabin, “Chameleon signatures,” in Proc. Netw. Distrib. Syst. Security, 2000, pp. 143–154.
[13] Z. Li, J. Kang, R. Yu, D. Ye, Q. Deng, and Y. Zhang, “Consortium blockchain for secure energy trading in industrial internet of things,” IEEE Trans Ind. Informat., vol. 14, no. 8, pp. 3690–3700, Aug. 2017.
[14] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Trans. Inf. Theory, vol. 22, no. 6, pp. 644–654, Nov. 1976.
[15] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the weil pairing,” in Proc. Adv. Cryptol. – ASIACRYPT, 2001, vol. 2248, pp. 514–532.
[16] J. Camenisch and M. Stadler, “Efficient group signature schemes for large groups,” in Proc. Int. Cryptol. Conf., 1997, pp. 410–424.
[17] X. Chen, F. Zhang, H. Tian, B. Wei, and K. Kim, “Key-exposure free chameleon hashing and signatures based on discrete logarithm systems,” Compt. Elect. Eng., vol. 37, no. 4, pp. 614–623, 2009.
[18] G. Ateniese and B. D. Medeiros, “Identity-based chameleon hash and applications,” Financial Cryptogr., vol. 3110, pp. 164–180, 2004.
[19] G. Ateniese, D. H. Chou, B. D. Medeiros, and G. Tsudik, “Sanitizable signatures,” Comput. Secur., vol. 3679, pp. 159–177, 2005.
[20] G. Ateniese and B. D. Medeiros, “On the key exposure problem in chameleon hashes,” Secur. Commun. Netw., vol. 3352, pp. 165–179, 2004.
[21] A. Karati, S. H. Islam, and M. Karuppiah, “Provably secure and lightweight certificateless signature scheme for IIoT environments,” IEEE Trans. Ind. Informat., vol. 14, no. 8, pp. 3701–3711, Aug. 2018.
[22] F. Zhang, R. Safavi-Naini, and W. Susilo, “An efficient signature scheme from bilinear pairings and its applications,” Public Key Cryptogr., vol. 2947, pp. 277–290, 2004.
[23] X. Chen, F. Zhang, and K. Kim, “Chameleon hashing without key exposure,” in Proc. Inf. Secur., 2004, pp. 87–98.
[24] C. Brzuska et al., “Security of sanitizable signatures revisited,” Public Key Cryptogr., vol. 5443, pp. 317–336, 2009.
[25] N. Fleischhacker, J. Krupp, G. Malavolta, J. Schneider, D. Schroder, and M. Simkin, “Efficient unlinkable sanitizable signatures from signatures with re-randomizable keys,” Public Key Cryptogr., vol. 9614, pp. 301–330, 2016.
[26] R. W. F. Lai, T. Zhang, S. S. M. Chow, and D. Schroder, “Efficient sanitizable signatures without random oracles,” in Proc. Compt. Secur., ESORICS, 2016, vol. 9878, pp. 363–380.
[27] B. Lynn, “The pairing-based cryptography library (0.5.13),” [Online]. Available at: http://crysp.uwaterloo.ca/software/PBCWrapper/
[28] D. Chaum and H. V. Antwerpen, “Undeniable signatures,” Adv. Cryptol., vol. 435, pp. 212–221, 1989.
[29] J. Camenisch, D. Derler, S. Krenn, H. C. Pohls, K. Samelin, and D. Slamanig, “Chameleon-hashes with ephemeral trapdoors,” Public Key Cryptogr., vol. 10175, pp. 152–182, 2017.
[30] S. Krenn, H. C. Pöhls, K. Samelin, and D. Slamanig, “Chameleon-hashes with dual long-term trapdoors and their applications,” in Proc. Int. Conf. Cryptol. Africa, 2018, vol. 10831, pp. 11–32.
[31] C. Brzuska, M. Fischlin, A. Lehmann, and D. Schroder, “Unlinkability of sanitizable signatures,” Public Key Cryptogr., vol. 6056, pp. 444–461, 2010.
[32] S. Canard, A. Jambert, and R. Lescuyer, “Sanitizable signatures with several signers and sanitizers,” in Proc. Int. Conf. Cryptol. Africa, 2012, vol. 7374, pp. 35–52.
[33] M. Fischlin and P. Harasser, “Invisible sanitizable signatures and public-key encryption are equivalent,” in Proc. Int. Conf. Appl. Cryptogr. Netw. Secur., 2018, vol. 10892, pp. 202–220.
[34] A. Bilzhause, H. C. Pohls, and K. Samelin, “Position paper: The past, present, and future of sanitizable and redactable signatures,” in Proc. Int. Conf. Availability, Rel., Security, Sep. 2017, Paper 87.

Ke Huang received the M.S. degree in 2015 from the University of Electronic Science and Technology of China, Chengdu, China, where he is currently working toward the Ph.D. degree in the College of Computer Science and Engineering. He is a Visiting Student with the University of Wollongong, Wollongong, NSW, Australia, from 2017 to 2019. His research interests include blockchain and Internet of Things.

Xiaosong Zhang received the Ph.D. degree in computer science from University of Electronic Science and Technology of China (UESTC), Chengdu, China, in 2011. He is currently a Professor with the UESTC. He is the Cheung Kong Scholar Distinguished Professor. His research interests include blockchain, big data security, AI security, etc.

Yi Mu (SM’03) received the Ph.D. degree from the Australian National University, Canberra, ACT, Australia, in 1994. He currently is a Professor with Fujian Normal University, Fuzhou, China. Prior to that, he was a Professor with the University of Wollongong, Wollongong, NSW, Australia. His current research interests include network cybersecurity and cryptography. Dr. Mu was the Editor-in-Chief of International Journal of Applied Cryptography and served as Associate Editor for several other international journals.

Xiaofen Wang received the Ph.D. and M.S. degrees in cryptography from Xidian University, Xi’an, China, in 2009 and 2006, respectively. She is currently an Associate Professor with the College of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China. Her research interests include cryptography and cloud computing.


Guomin Yang (SM’17) received the Bachelor’s, Master’s, and Ph.D. degrees in computer science from City University of Hong Kong, Hong Kong, in 2004, 2006, and 2009, respectively. Before joining UOW in 2012, he was a Research Scientist with the Temasek Laboratories, National University of Singapore, Singapore. He is currently an Associate Professor with the Institute of Cybersecurity and Cryptology (iC2), School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, Australia. His research interests include applied cryptography and network security. Dr. Yang was the recipient of the Australian Research Council Discovery Early Career Researcher Award, in 2015.

Xiaojiang Du (M’03–SM’09) received the B.S. and M.S. degrees in electrical engineering (Automation Department) from Tsinghua University, Beijing, China, in 1996 and 1998, respectively. He received the M.S. and Ph.D. degrees in electrical engineering from the University of Maryland College Park, MD, USA, in 2002 and 2003, respectively. He is currently a Full Professor with the Department of Computer and Information Sciences, Temple University, Philadelphia, PA, USA. He has authored or coauthored more than 200 journals and conference papers, and has been awarded more than five million dollars research grants from the US National Science Foundation and Army Research Office. His research interests include security, wireless networks, and computer networks.

Fatemeh Rezaeibagha received the Bachelor of Information Technology Engineering from Azad University, Tehran, Iran, in 2009, the M.S. degree in information security from Luleå University of Technology, Luleå, Sweden, in 2013, and the Ph.D. degree in computer science from UOW, Australia in 2017. She is currently an associate research fellow at the SMART Infrastructure, University of Wollongong, Wollongong, NSW, Australia. Her major research interest include cryptography, blockchain, and cyber security.

Qi Xia received the B.S, M.S, and Ph.D. degrees in computer science from the University of Electronic Science and Technology of China (UESTC), Chengdu, China, in 2002, 2006, and 2010, respectively. She was a Visiting Scholar with the University of Pennsylvania, Philadelphia, PA, USA, from 2013 to 2014, and has authored or coauthored more than twenty papers. She is the PI of the National Key Research and Development Program of China in cyber security. She is the Vice Dean of the Center for Cyber Security and currently an Associate Professor with UESTC.

Mohsen Guizani (S’85–M’89–SM’99–F’09) received the B.S. (with distinction) and M.S. degrees in electrical engineering, the M.S. and Ph.D. degrees in computer engineering from Syracuse University, Syracuse, NY, USA, in 1984, 1986, 1987, and 1990, respectively. He is currently a Professor and Chair of the electrical and computer engineering with the University of Idaho, Moscow, ID, USA. Previously, he served as the Associate Vice President of Graduate Studies, Qatar University, Chair of the Computer Science Department, Western Michigan University, Chair of the Computer Science Department, University of West Florida. He also served in academic positions at the University of Missouri-Kansas City, University of Colorado-Boulder, Syracuse University and Kuwait University. He has authored nine books and more than 450 publications in refereed journals and conferences. His research interests include wireless communications and mobile computing, computer networks, mobile cloud computing, and security and smart grid. Dr. Guizani has guest edited a number of special issues in IEEE journals and magazines. He also served as a member, Chair, and the General Chair of a number of international conferences. He served as the IEEE Computer Society Distinguished Speaker from 2003 to 2005. He was selected as the Best Teaching Assistant for two consecutive years at Syracuse University. He was the recipient of the Best Research Award from three institutions. He was the Chair of the IEEE Communications Society Wireless Technical Committee and the Chair of the TAOS Technical Committee.
