A Redactable Blockchain Scheme Supporting Quantum-Resistance and Trapdoor Updates

Abstract

Applying chameleon hash functions to redactable blockchains is still challenging work. Most redactable blockchain solutions using this technique have potential problems, such as too weak decentralization performance and trapdoors with exposure risks. In addition, quantum computing also threatens the security of blockchain systems. The above two issues imply that the development of redactable blockchains is still constrained, and that quantum-resistance will be requirements for blockchain applications. Therefore, we constructed a chameleon hash function over lattices while utilizing a hierarchical identity mechanism to manage trapdoors and assign edit permissions. This variant of the chameleon hash function can support trapdoor updates and quantum-resistant performance, namely a hierarchical identity-based chameleon hash with revocable subkey (HIBCH-RS). We demonstrated the safety performance of HIBCH-RS by defining its safety concepts of collision resistance. Our HIBCH-RS scheme provides a solution for implementing a redactable blockchain with identity encryption and post-quantum cryptography. Finally, this quantum-resistant redactable blockchain was implemented on the Hyperledger Fabric blockchain platform.

1. Introduction

Blockchain technology has significantly and extensively revolutionized diverse sectors such as healthcare, insurance, supply chain management, and food safety, among others in recent years [1]. However, it is imperative to acknowledge that despite its vast potential, this emerging technology is still in its early stages of development, particularly concerning the prominent challenges currently being unveiled. For instance, because of persistent attacks and disruptions, an extensive volume of illicit information and redundant data have accumulated within the blockchain system. The bitcoin network has experienced multiple hard forks due to the implementation of new rules, incompatible upgrades, and rollback to fraudulent behaviors [2]. Similarly, numerous other blockchain systems may conceal vulnerabilities within smart contract modules [3], consensus protocols [4], and others. These vulnerabilities pose significant threats to the security and privacy of the blockchain system. Recent years have revealed that the inherent immutability of blockchain has led to escalating system storage costs and diminishing performance [5]. Hence, there is an urgent need for a technology that can solve the above problems.

Diverse initiatives have emerged to enhance blockchain systems, including blockchain pruning [6,7], integration with IPFS technology [8,9], blockchain sharding techniques, and multi-chain architectures [10,11]. Among these approaches, redactable blockchain stands out, seeking to bolster blockchain’s storage efficiency and security at both the underlying structure and legal levels. Redactable blockchain refers to a system that, by introducing specific mechanisms, allows data already recorded on the chain to be modified or deleted while maintaining overall data consistency and security. Although this redactable approach sparks controversy as it compromises the tamper-resistant feature, its practical utility for blockchains is undeniable because (1) redactable technology empowers blockchains to swiftly restore their original states after an attack, (2) helps avert the exposure of blockchain users’ private information, (3) deletes unlawful data stored within the blockchain, and (4) enables blockchain to be downsized efficiently.

The redactable concept holds promise as a valuable feature catering to the evolving landscape of blockchain applications.

1.1. Problem and Motivation

The implementation of redactable blockchain allows for the modification or removal of specific data entries within the ledger when encountering illegal data, privacy breaches, and other situations. On the other hand, some application scenarios require frequent data modification, such as mobile networks [12], medical applications [13], and so on.

Second, we review the key issues that need to be taken care of in the design of redactable schemes, mainly including:

• How to balance variability and security;
• How to balance decentralization and assigning edit permissions;
• How to consider the compatibility between variability and existing blockchain systems.

Nonetheless, designing a redactable scheme that meets all these requirements simultaneously is a huge challenge, and few existing schemes can accommodate all requirements. Therefore, we focus on some work to balance the above issues.

Furthermore, the emergence of quantum computing poses a distinct threat to conventional public key cryptosystems and hash algorithms, consequently impacting blockchain security. In the realm of post-quantum encryption techniques for blockchain applications, lattice ciphers have emerged as a mature and efficient cryptographic solution, as demonstrate in [14]. The work of [15] designed quantum-resistant redactable blockchain schemes using latticed cryptography which provide insights into the realization of more secure redactable technologies. Nevertheless, existing lattice-based redactable blockchain is rare and there is no solution realistically deployed in blockchain for experimentation. For example, Wu’s work proposes schemes only to implement chameleon hash functions combined with blockchain, and has no practical application [15].

Chameleon hashing enables physical modifications to the blockchain, but the key problem is that it can lead to trapdoor exposure. Therefore, to protect against trapdoor exposure, Ateniese et al. proposed to manage trapdoor exposure by using the secret sharing and the multiparty computation (MPC) protocol [16]. However, trapdoor sharing potentially results in reduced efficiency.

The hierarchical identity structure combined with blockchain can provide strong support in data management and user verification [17,18]. Therefore, this structure is consistent with the goals of our work. In the existing hierarchical identity cryptographic structure, we have the problem of parent nodes forging the identity of child nodes as well as a linear or even exponential growth of the delegated key dimension.

Based on the abovementioned issues, to harmonize key management and chameleon hash function functionality while mitigating concerns such as key exposure, we propose the development of a chameleon hash function grounded in hierarchical identity. Our objective is to construct a redactable scheme characterized by compatibility, quantum resistance, and updatable trapdoor functionality, all the while adhering to the decentralized attributes intrinsic to blockchain technology.

1.2. Related Work

This section outlines recent research in the field, focusing on two distinct editing techniques: those utilizing chameleon hashing and those abstaining from its use.

Chameleon Hashing. Ateniese et al. are the trailblazers in the exploration of redactable blockchains. Their approach involved substituting the hash algorithm G used in bitcoin with an enhanced chameleon hash, which leveraged the MPC protocol to distribute trapdoors to a trusted subset capable of managing these trapdoors effectively [16]. Collaborating with Accenture, the authors further demonstrated the practical application of their concept on the Hyperledger Fabric platform. This pioneering research has aroused the research interest of many scholars, and based on the problems it exposed, there have been various kinds of research in recent years on the design of chameleon hash functions for security construction, trapdoor restriction, editing permissions restriction, data management, and consistency, respectively.

In the realm of chameleon hash algorithms, several issues have garnered attention. To address efficiency and instantiation challenges, Khalili et al. introduced a chameleon hash for chosen-ciphertext attack (CCA) secure encryption of a random field R [19]. Responding to similar concerns, Derler et al. introduced the concept of stronger full collision-resistance (F-CollRes) and developed a black box structure employing simulation-sound extractable non-interactive zero-knowledge proof (SSE-NIZK) through the utilization of a chameleon hash [20]. Building upon these developments, ref. [21] focused on constructing an identity-based chameleon hash (IBCH). Subsequently, a hierarchical identity-based chameleon hash (HIBCH) was proposed in [22], but these two schemes are more specifically applicable to hash signatures.

Regarding trapdoor and edit permission management, Derler et al. proposed policy-based chameleon hashing (PCH) by integrating attribute-based encryption (CP-ABE) and temporary trapdoors [23]. This redactable scheme combines keys and attributes and restricts edit permissions by formulating attribute policies. Nonetheless, its reliance on a fully trusted central authority creates a centrality problem. Therefore, Ma et al. proposed a chameleon hash structure based on multi-authority decentralization (DPCH) [24], which effectively prevents conspiracy attacks, in contrast to [23].

Wei et al.’s chameleon hash scheme with a changeable trapdoor (CHCT) enables the updating of trapdoors after computing hash collisions [25]. Recently, Jia et al. introduced the concept of stateful chameleon hashing with revocable subkeys, constructed a redactable blockchain with a black box structure, supported full supervision, and allowed user data self-management [26]. Drawing inspiration from this work, our study also incorporates data self-management. Furthermore, addressing concerns about inconsistency, Jia et al. took a step forward by designing an RSA-based accumulator structure aimed at consistency verification [27]. In addition, they devised edit chains, linking edit histories to counter traceability issues within the system.

In recent years, post-quantum encryption technology has been gradually maturing and standardizing. Wu et al. applied a lattice-based chameleon hash function in the context of editable blockchains, introducing the concept of quantum resistance [15]. Meanwhile, Peng et al. devised a more comprehensive lattice-based blockchain editing scheme [28]. However, the former primarily focuses on the construction of the chameleon hash and introduces key sharing, while the latter requires further refinement in its scheme design.

Non-Chameleon Hashing. Puddu et al. proposed an extended redactable model for single-chain transactions based on consensus control, in which editing operations are reached by sending mutating transactions or extending things and specifying the active transaction in this structure [29]. Nevertheless, these mutable transactions merely serve to logically identify valid transactions, while the encrypted error messages remain physically preserved. Marsalek et al. introduced the concept of a correction chain for the storage of rectified data [30]. Similarly, Deuber et al. proposed the double hash chain model and employed it to maintain a copy of the Merkle tree root [31]. The above two double-hash chain patterns use a voting mechanism to realize the coding and thus require many voting cycles.

We list several typical redactable schemes in

Table 1. Comparison of typical redactable blockchain models.

Mode	References	Grain	Self Management	Security Model 4	Features	Edit Permissions
Non-CH	[29]	Ts 1	Y 2	-	C 3&T 3	Sender/Recipient/User/Smart Contract
CH	[16]	Bs 1	N 2	ROM/SM	C	Central/Users Set
	[26]	Ts	Y	ROM	C&R 3&A 3	Personal and Regulator
	[24]	Ts	N	IND-CCA	C&A 3	Controlled Multiple
Lattice-CH	[15]	Ts	N	GGM/ROM	-	Central/Multiple/(Any/Subset)
	[28]	Bs	N	-	C	Any
	Ours	Ts	Y	ROM	T&A&C&R	Multiple

¹ “Ts”: transactions;” Bs”: blocks. ² “Y”: The realization of self-management was a consideration; “N”: the realization of self-management was not a consideration. ³ “C”: The redactable scheme design paid attention to consistency; “R”: the key has revocability; “A”: the editing scheme can achieve accountability; “T”: the editing scheme achieves traceability. ⁴ “ROM”: the Random Oracle Model; “SM”: the Standard Model; “IND-CCA”: the indistinguishability under the chosen-ciphertext attack; “GGM”: the Generic Group Model.

to highlight their modeling features. Compared to existing work, this paper not only focuses on granularity and security, but also adds work on data management and the question of how to assign editing permissions.

1.3. Contributions

For this paper, we separately worked on security, decentralized features, and compatibility to achieve a redactable blockchain with quantum-resistant and revocable subkey capabilities. The specific contributions of the scheme are delineated as follows:

• Hierarchical identity-based chameleon hash: To regulate edit permissions and facilitate trapdoor management, this paper employed hierarchical identity for the decentralized delegation of trapdoors. Simultaneously, we introduced the concept of a slave key algorithm within hierarchical identity to avoid parent nodes that can deduce child nodes’ keys and the key dimensions increasing during the key delegation process. This integration imparted the revocable subkey mechanism’s delegation attributes.
• Redactable scheme with quantum resistance and revocability: We used a lattice-based cryptographic scheme to support more secure editing operations. In the redactable scheme, we also implemented the method of withdrawing the edit operation by saving the edit history.
• Private data were edited and managed by the individual user: We cryptographically verified private data to protect the security and privacy of the redactable blockchain.
• Addressing consistency, traceability, and accountability problems: In Section 4, we present three algorithms to illustrate how to achieve consistency, traceability, and accountability. For this, we advocate caching modify transactions with consensus authority nodes before their final commitment. The block number recording the edit history is stored in the redactable transaction to prove whether the transaction was modified. Demonstrating the viability of our redactable scheme, we opted for the Hyperledger Fabric platform, a widely embraced federated blockchain solution, to implement the scheme.

Therefore, It is a novel work to use a hierarchical identity structure to manage the trapdoor of chameleon hashing. However, in this paper, through analysis and design, we have circumvented its drawbacks and realized the possibility of combining hierarchical identity structure with chameleon hashing.

Secondly, chameleon hash functions based on post-quantum cryptography for resisting quantum attacks are a novel work in recent years, and few schemes can demonstrate their performance through experiments. However, this paper not only reports a real-world deployment with Hyperledger Fabric but also provides concrete performance data.

2. Preliminaries

Lattices are geometric objects that can be graphically described as an infinite, regular set of intersections of an n-dimensional lattice [32]. Ajtai investigated certain difficult problems with lattices and proposed how to construct hard-to-break cryptographic functions in cryptography [33].

The description of the symbols and abbreviations appearing in this paper are shown in

Table 2. Description of symbols.

Symbols	Description
${\leftarrow }_R$	A random variable from a certain distribution
$\lambda$	Security parameter
$\mathit{A}$	The matrix is denoted in bold and capitals
$\mathit{a}$	The vector is denoted in bold and lowercase
${\mathit{A}}^{\mathit{T}}$,${\mathit{a}}^{\mathit{T}}$	The transpose of the matrix or vector
$n,q$	Positive integer
${\mathbb{Z}}_q$	The set of integers $\left\{0,\cdots ,q-1\right\}$ of modulus $q$
$\beta$	The upper limit
LWE	Learning with errors
ISIS	Inhomogeneous small integer solution
${\mathit{i}\mathit{d}}_{\mathcal{l}}$	The identity of level $\mathcal{l}$
${\mathit{i}\mathit{d}}_{\mathcal{l}-1},{\mathit{i}\mathit{d}}_{\mathcal{l}}^{\mathit{*}}$	The parent of identity at level $\mathcal{l}$

.

2.1. Concepts of Lattices

A lattice is defined as a discrete additive subgroup on ${\mathbb{R}}^{\mathrm{m}}$ and is usually represented by a line combination of a set of linearly independent vectors. The $q$-ary integer lattice defined on ${\mathbb{Z}}_q$. is given as: ${\Lambda }^{\perp }\left(\mathit{B}\right)=\left\{\mathit{x}\in {\mathbb{Z}}^n:\mathit{B}\mathit{x}=0 \mathit{mod}q\right\},{\Lambda }_u^{\perp }\left(\mathit{B}\right)=\left\{\mathit{x}\in {\mathbb{Z}}^n:\mathit{B}\mathit{x}=\mathit{u} \mathit{mod}q,\mathit{u}\in {\mathbb{Z}}_q^m\right\},$ where the matrix $\mathit{B}=\left[{\mathit{b}}_{\mathbf{1}},\dots ,{\mathit{b}}_{\mathit{n}}\right]\in {\mathbb{R}}^{m\times n}$ is called basis of the lattice.

The norm of matrix $\mathit{B}$ is denoted as the maximum norm of the column vector, i.e., $‖\mathit{B}‖={max}_i‖{\mathit{b}}_{\mathit{i}}‖$ (in addition, ${‖\cdot ‖}_{\mathrm{\infty }}$ stands for infinite norm). The singular value of matrix $\mathit{B}$ is denoted as the maximum norm on the unit vector u, i.e., $s_1\left(\mathit{B}\right)={max}_u‖\mathit{B}\mathit{u}‖$.

Definition 1

(Learning with errors (LWE) [34]). LWE is a class of problems solving learning with error parity. For a positive integer n and a sufficiently large integer q, then an instance of the LWE problem $\left({\mathbb{Z}}_q,n,\chi \right)-LWE$ is to find the vector $s^{\prime }\in {\mathbb{Z}}_q^n s.t. \mathit{A}\in {\mathbb{Z}}^{m\times n}, ‖\mathit{A}{\mathit{s}}^{\prime }-\left(\mathit{A}\mathit{s}+\mathit{e}\right)‖\le \beta ,\beta >0$ being the upper limit of the error, and $\mathit{s}\in {\mathbb{Z}}_q^n$ is the unknown vector in the LWE. Vector $e$ comes from the noise distribution $\chi$.

Definition 2

(Inhomogeneous small integer solution (ISIS)). ISIS is the problem of solving the short vector on a lattice. Let $n, m,q$ be positive integers. Given a uniform random matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$ and a random vector $\mathit{u}\in {\mathbb{Z}}_q^n$. If we find a vector $\mathit{v}\in {\mathbb{Z}}_q^m$ satisfying $\mathit{A}\mathit{v}=\mathit{u} \mathit{mod} q$ and $‖\mathit{v}‖\le \beta$, we have solved an ${ISIS}_{q,m,\beta }$-instance problem.

Gaussian sampling over lattices is proved to be a simple and effective tool for analyzing lattice complexity problems [35].

Definition 3

(Discrete Gaussian distribution). ${\rho }_{s,\mathit{c}}\left(\mathit{x}\right)$ denotes a Gaussian function centered at $\mathit{c}$ with $s$ as the Gaussian parameter. Then, $\forall \mathit{x}\in \Lambda ,{\rho }_{s,\mathit{c}}\left(\mathit{x}\right)=exp(-\pi {‖\mathit{x}-\mathit{c}‖}^2/s^2)$ denote the Gaussian function on the lattice, and the Gaussian distribution on the lattice is denoted as $\forall \mathit{x}\in \mathit{\Lambda }, D_{\Lambda ,s,\mathit{c} }\left(\mathit{x}\right)=\frac{{\rho }_{s,\mathit{c}}\left(\mathit{x}\right)}{{\rho }_{s,\mathit{c}}\left(\mathit{\Lambda }\right)}, {\rho }_{s,\mathit{c}}\left(\mathit{\Lambda }\right)={\sum }_{x\in \Lambda }{\rho }_{s,\mathit{c}}(\mathit{x})$.

In this paper, we use the Gaussian sampling lemma shown in Lemma 1.

Lemma 1.

Let $\mathit{y}{\leftarrow }_R{\chi }^m,x{\leftarrow }_R\chi$, $\mathit{d}{\in \mathbb{Z}}^m$. Then, the length of the product of the error $y$ and the vector satisfies $\left|{\mathit{d}}^{\mathit{T}}\mathit{y}\right| \le ‖d‖q\alpha \omega \left(\sqrt{logm}\right)+‖\mathit{d}‖\sqrt{m}/2$ with negligible probability. Then, $\left|x\right|\le q\alpha \omega \left(\sqrt{logm}\right)+1/2$ with negligible probability.

This paper combines the trapdoor generation algorithm $TrapGen$, Gaussian sampling algorithm $SampleD,$ and trapdoor delegation algorithm $Deltrap$ in [36], and the $FRD$ encoding in [37].

Definition 4.

$TrapGen$: For $n\ge 1,q>2$, there is an efficient randomized algorithm that generates matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times \overline{m}}$ and G-trapdoor $\mathit{R}\in {\mathbb{Z}}^{nk\times w}$ from distribution ${\mathcal{D}}_{\mathbb{Z},\omega \left(\sqrt{\mathit{log}n}\right)}$ with invertible tag $\mathit{H}\in {\mathbb{Z}}_q^{n\times n}$ satisfying $\mathit{A}\left[\begin{array}{c}\mathit{R}\\ {\mathit{I}}_{\mathit{w}}\end{array}\right]=\mathit{H}\mathit{G} mod q$.

Definition 5.

$SampleD$: There is a $\mathit{E}\in {\mathbb{Z}}^{\overline{m}\times \overline{n}}$ that samples from a probabilistic polynomial time (PPT) algorithm $SampleD(\mathit{R},\mathit{A},\mathit{H},\mathit{U},\sigma )$ satisfying $\mathit{A}\mathit{E}=\mathit{U} \mathit{mod} q$ with Gaussian parameter $\sigma$, and $‖\mathit{E}‖\le \sigma \sqrt{m}$ with an overwhelming probability.

Definition 6.

$DelTrap$: A PPT algorithm $DelTrap(\mathit{A},\mathit{H},\mathit{R},{\sigma }_d)$ delegates its trapdoor key for sub-members and generates a new trapdoor key ${\mathit{R}}^{\prime }$ satisfying $\mathit{A}\left[\begin{array}{c}{\mathit{R}}^{\prime }\\ {\mathit{I}}_{\mathit{w}}\end{array}\right]=\mathit{H}\mathit{G}$.

Definition 7.

FRD encoding: Let the node ID of hierarchy $k(k\ge 0)$ be a k-dimensional vector, which we denote by ${\mathit{i}\mathit{d}}_{\mathcal{l}}=(d_1,d_2,\dots ,d_{\mathcal{l}})$. When $\mathcal{l}=0$, ID is the primary node. An efficient FRD coding algorithm exists to map the identity ID to a matrix, i.e., $H_{frd}:ID\in {\mathbb{Z}}^k\to {\mathbb{Z}}_q^{n\times n}$.

2.2. Hierarchical Identity-Based Chameleon Hashing

Ateniese et al. designed a chameleon hash function based on identity encryption [21]. In IBCH, the trusted authority can extract a new secret key or trapdoor secret for an identity ID using a deterministic algorithm. As an extension of IBCH, HIBCH organizes identities into hierarchies, and keys are delegated between them.

Definition 8.

The HIBCH scheme is generally defined as the following set of algorithms:

Algorithm $Setup$ generates the public parameter $pp$ and the master key $mk$ for the input security parameter $\lambda$. Typically, the algorithm is run by private key generator (PKG).

Algorithm $Extract$ outputs the trapdoor or secret key for the user of an identity ID with the secret key of the ID’s parent.

Algorithm $Hash$ encrypts the message $m$ using the public parameter $pp$ and an identity ID. It randomly chooses parameter $r$ and outputs a hash value of $m$.

Algorithm $Forge$ looks for collisions of hash values for a new message $m^{\prime }$. Usually, the algorithm takes the hash value, an identity ID, and its key of the original message $m$ as inputs, and outputs a new parameter $r$.

Definition 9.

Enhanced collision resistance. A secure chameleon hash algorithm is enhanced collision resistance (CR) when challenger $\mathcal{A}$ holds that $Pr[{Expt}_{\mathcal{A},CH}^{CR}\left(n,q,ID\right)=1]\le negl\left(n\right)$. The ${Expt}_{\mathcal{A},CH}^{CR}\left(n\right)$ is the experiment depicted below:

Run $PP,MK\leftarrow Setup\left(1^n,q\right),\mathcal{Q}\leftarrow \mathcal{\varnothing };$

Run ${\mathit{A}}_{{\mathit{S}}_{\mathit{I}\mathit{D}}}, {\mathit{S}}_{\mathit{I}\mathit{D}}\leftarrow SlaveKey\left(1^n,q,ID\right);$

Run ${\mathit{F}}_{\mathit{I}\mathit{D}},{\mathit{R}}_{\mathit{I}\mathit{D}},{\mathit{E}}_{\mathit{I}\mathit{D}}\leftarrow DelKey\left({\mathit{A}}_{{\mathit{S}}_{\mathit{I}\mathit{D}}}, {\mathit{S}}_{\mathit{I}\mathit{D}},ID\right);$

Run $\left(M,\mathit{r},\mathit{h},M^{\prime },{\mathit{r}}^{\prime }\right)\leftarrow {\mathcal{A}}^{{\mathcal{Q}}_{PP,ID}^{Forge}\left(\cdot \right)}\left(PP\right);$

If $CH\left(PP,M\right)\left|\mathit{r}=CH\left(PP,M^{\prime }\right)\right|{\mathit{r}}^{\prime }\wedge \left(M\ne M^{\prime }\right)\wedge \left(\mathit{h}\notin \mathcal{Q}\right)$: return 1; otherwise: return 0.

The ${\mathcal{Q}}_{PP.ID}^{Forge}\left(\left(\mathit{h},M,\mathit{r}\right),M^{\prime }\right)$ is defined as follows:

If $CH\left(PP,M\right)|\mathit{r}\ne \mathit{h}$: return $\perp$;

If $CH\left(PP,M\right)|\mathit{r}=\mathit{h}$:

Run ${\mathit{r}}^{\prime }\leftarrow Forge({\mathit{F}}_{\mathit{I}\mathit{D}},{\mathit{R}}_{\mathit{I}\mathit{D}},{\mathit{E}}_{\mathit{I}\mathit{D}},M^{\prime },\mathit{h})$

If ${\mathit{r}}^{\prime }=\perp$: return $\perp$;

$\mathcal{Q}\leftarrow \mathcal{Q}\bigcup \{M,M^{\prime }\}$;

return ${\mathit{r}}^{\prime }$.

3. Hierarchical Identity-Based Chameleon Hash with Revocable Subkey

The hierarchical identity-based chameleon hash with revocable subkey (HIBCH-RS) model extends the IBCH model, introducing a hierarchical structure of user identities. In this section, we give a formal definition of the lattice-based HIBCH-RS scheme. Then, we analyze its correctness and security.

At level $\mathcal{l}$, let ${\mathit{i}\mathit{d}}_{\mathcal{l}}=(d_1,d_2,\dots ,d_{\mathcal{l}})$ represent the identity of a specific user while its parent node’s identity is represented by ${\mathit{i}\mathit{d}}_{\mathcal{l}-1}=\left(d_1,d_2,\dots ,d_{\mathcal{l}-1}\right)$ or ${\mathit{i}\mathit{d}}_{\mathcal{l}}^{\mathit{*}}$. This ensures that the composition of the vector serves as a prefix to the IDs of its child nodes. To satisfy the massive user base in the blockchain, we can even assume that there is no upper bound on $\mathcal{l}$.

In the traditional hierarchical identity encryption scheme, the parent node generates the trapdoor information of the child node and hence the problem of the parent node forging the identity of the child node occurs. This scheme is only applicable for mutual communication between nodes. In contrast, in a redactable blockchain, the trapdoor between nodes should be confidential and independent and at the same time constrained. Based on the above description, this paper realized this secure key delegation method by adding a slave key algorithm. When a user with delegation rights assigns a key, executing the SlaveKey algorithm generates a slave key pair for the subordinate user. This slave key pair is then employed to generate the key pair for the subordinate user. This procedure ensures that the keys between the user and the sub-user remain confidential. Additionally, the user can utilize the slave key pair to recover, update, and disable the trapdoors of sub-user. In the event of key abuse, the system can execute the Update algorithm to regenerate a new key.

Eventually, the HIBCH-RS model consists of the following six algorithms: initial algorithm Setup, slave key algorithm SlaveKey, delegated algorithm DelKey, i.e., extracting the algorithm in HIBCH, key updating algorithm Update, chameleon hash algorithm CH, and collision-finding algorithm Forge.

3.1. Syntax of HIBCH-RS

Trapdoors for chameleon hash functions are usually managed through the key sharing method, but this mechanism requires a lot of interaction time and is less efficient. Therefore, we introduced the mechanism for hierarchical identity management of trapdoors. Trapdoors between users are independent but at the same time controllable. In Figure 1, we show how the chameleon algorithm achieves this property using hierarchical identity.

In Figure 1, the trusted party can be a regulator and performs initialization operations in HIBCH-RS. Subsequently, the trusted party delegates the trapdoor to the node members by generating the slave key, while the node members can repeat the operation of the trusted party to delegate the trapdoor to other nodes. The trusted party public key is used for chameleon hash encryption and the trapdoor information is used to find collisions. In this hierarchical structure, the parent node removes and updates the child node trapdoor information by withdrawing or updating the slave key. This paper introduces a subordinate key between parent and child nodes, unlike the hierarchical identity encryption schemes of [22,37,38,39]. The HIBCH-RS model encompasses six probabilistic polynomial-time (PPT) algorithms: Setup, SlaveKey, DelKey, Update, CH, and Forge.

$Setup\left(1^n,q\right)\to \left(PP,MK\right)$: Run by any trusted node, the initialization operation of the model takes as inputs the security parameter $n$, the positive integer $q$, and outputs the public parameter $PP$ and the master key $MK$.

$SlaveKey(1^n,q,ID)\to ({\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}},{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}})$: Run by ${\mathit{i}\mathit{d}}_{\mathcal{l}}$, to obtain the slave key before delegating the trapdoor. The algorithm takes $n,q,ID$ as inputs and outputs the salve public key ${\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}$, and slave secret key ${\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}$ for $ID$.

$DelKey({\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}^{\mathrm{*}}}},{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}^{\mathrm{*}}},{\mathit{i}\mathit{d}}_{\mathcal{l}})\to ({\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}})$: Run by ${\mathit{i}\mathit{d}}_{\mathcal{l}}$ node, use parent node slave key to generate delegated trapdoor, take slave public key ${\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}^{\mathrm{*}}}}$, slave private key ${\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}^{\mathrm{*}}}$ and ${\mathit{i}\mathit{d}}_{\mathcal{l}}$ as inputs, output the public key ${\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}$, trapdoor ${\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}$, and personal key ${\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}$.

$Update\left(1^n,q,{\mathit{i}\mathit{d}}_{\mathcal{l}},\mathit{R}\mathit{L}\right)\to ({\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}^{\prime },{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}^{\prime },\mathit{R}{\mathit{L}}^{\prime })$: Run by the ${\mathit{i}\mathit{d}}_{\mathcal{l}}$, this algorithm is run when the user is untrustworthy in the delegate and needs to recycle and update its key. The algorithm takes $n$,$q$, revocation list $\mathit{R}\mathit{L}$ and a new random $tag{\mathit{H}}_{\mathcal{l}}^{\prime }$ as inputs. Outputs are a new salve key pair ${\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}^{\prime },{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}^{\prime }$ and updated list $\mathit{R}{\mathit{L}}^{\prime }$.

$CH(PP,M)\to (\mathit{h},\mathit{r},(str,\mathit{v}\mathit{e}\mathit{r}\left)\right)$: Input the public parameters $PP$ and message $M$. Compute the hash value of $M$. Outputs the hash value $\mathit{h}$, the random field $\mathit{r},$ and the verification pair $(str,\mathit{v}\mathit{e}\mathit{r})$.

$Forge({\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},M^{\prime },\mathit{h})\to {\mathit{r}}^{\prime }$: Run by ${\mathit{i}\mathit{d}}_{\mathcal{l}}$ when there is a need to modify message data to find a collision, this algorithm has as inputs public key ${\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}$, trapdoor key ${\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}$, personal key ${\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}$, message $M^{\prime },$ and outputs collision ${\mathit{r}}^{\prime }$, and satisfies ${CH(\mathit{A},M,\mathit{E})}_{|\mathit{r}}$ = ${CH({\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},M,{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}})}_{|r^{\prime }}$, and $M\ne M^{\prime }$.

Formally, when $\mathcal{l}=0$, $\mathit{A}={\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathbf{0}}}$, we use ${\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathbf{0}}}$ instead of $\mathit{A}$ in the security proof. Next, we discuss the security requirements of HIBCH-RS.

• $\mathit{C}\mathit{o}\mathit{r}\mathit{r}\mathit{e}\mathit{c}\mathit{t}\mathit{n}\mathit{e}\mathit{s}\mathit{s}.$ Formally, if message $M,M^{\prime }$ and identity ${\mathit{i}\mathit{d}}_{\mathit{i}}$, it has $\mathrm{Pr}\left[{Expt}_{\mathcal{A},HIBCH-RS}^{COR}\left(n,q\right)=1\right]\ge 1-negl\left(n\right)$, where the experiment ${Expt}_{\mathcal{A},HIBCH-RS}^{COR}$ is described as below:
  • Run $(\mathit{A},\mathit{E}),MK\leftarrow Setup\left(1^n,q\right),$
  • Run $(\mathit{h},\mathit{r},(str,\mathit{v}\mathit{e}\mathit{r}\left)\right)\leftarrow CH(\mathit{A},\mathit{E},M)$
  • Run ${\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}\leftarrow DelKey\left({\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}}},{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}},{\mathit{i}\mathit{d}}_{\mathit{i}}\right)$
  • Run ${\mathit{r}}^{\prime }\leftarrow Forge({\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},M^{\prime },\mathit{h})$
  • If ${Check}_{PP,{key}_{{id}_i}}^{CH}\left(\left(\mathit{h},M,\mathit{r}\right),\left(\mathit{h},M^{\prime },{\mathit{r}}^{\prime }\right)\right)=1$: return 1.
  • The ${Check}_{PP,{key}_{{id}_i}}^{CH}$ is defined as following:
  • If $CH\left(PP,M\right)|\mathit{r}=\mathit{h}\wedge CH\left({key}_{{id}_i},M^{\prime }\right)|{\mathit{r}}^{\prime }={\mathit{h}}^{\prime }\wedge \mathit{h}={\mathit{h}}^{\prime }\wedge M\ne M^{\prime }$:
  • return 1; otherwise: return 0.
• $\mathit{R}\mathit{e}\mathit{v}\mathit{o}\mathit{c}\mathit{a}\mathit{b}\mathit{i}\mathit{l}\mathit{i}\mathit{t}\mathit{y}.$ For any ${id}_i$, if it satisfies $\{{\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}\leftarrow DelKey\left({\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}}},{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}},{\mathit{i}\mathit{d}}_{\mathit{i}}\right)|{\mathit{H}}_{\mathit{i}},\mathit{G},{\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}^{\prime },{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}^{\prime },{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}^{\prime }\leftarrow DelKey\left({\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}}}^{\prime },{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}}^{\prime },{\mathit{i}\mathit{d}}_{\mathit{i}}\right)|{\mathit{H}}_{\mathit{i}}^{\prime },\mathit{G}\}$, ${\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}^{\prime }\cdot {\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}\ne {\mathit{H}}_{\mathit{i}}^{\prime }\cdot \mathit{G}$, and when $({\mathit{H}}_{\mathit{i}}-{\mathit{H}}_{\mathit{i}}^{\prime })$ is invertible, ${\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}^{\prime }={\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}-\left[\mathbf{0}\right|{\mathit{H}}^{\prime }\mathit{G}\left|\mathbf{0}\right]$, ${\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}^{\prime }\cdot {\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}\ne ({\mathit{H}}_{\mathit{i}}-{\mathit{H}}_{\mathit{i}}^{\prime })\cdot \mathit{G}$. At the same time, the system can still effectively recover, update, or disable disclosed trapdoor keys when malicious users are present. This security requirement proves that the old trapdoor key does not work properly.
• $\mathit{Resistance}\mathit{to}\mathit{collision}\mathit{forgery}\mathit{under}\mathit{active}\mathit{attacks}\left(\mathit{RCF}\right)$. For any PPT adversary $\mathcal{A}$, if ${Adv}_{\mathcal{A},HIBCH-RS}^{RCF}≔\mathrm{Pr}\left[{Expt}_{\mathcal{A},HIBCH-RS}^{RCF}\left(n,q\right)=1\right]\le negl\left(n\right)$, the chameleon hash algorithm construct of the HIBCH-RS model is collision-resistant under active attacks. The experiment ${Expt}_{\mathcal{A},HIBCH-RS}^{RCF}$ is described as follows:
  • Run $PP,MK\leftarrow Setup(1^n,q)$, ${\mathcal{Q}}_{Forge}≔\mathrm{\varnothing }$
  • Run ${{\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}}},\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}}\leftarrow SlaveKey\left(1^n,q,{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}\right)$;
  • Run ${\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}\leftarrow DelKey\left({\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}}},{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}},{\mathit{i}\mathit{d}}_{\mathit{i}}\right)$;
  • Define ${key}_{{id}_i}:={\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}$;
  • Run $({\mathit{h}}^{\mathrm{*}},{\mathit{r}}^{\mathrm{*}},M^{\mathrm{*}},M^{\prime \mathrm{*}},{\mathit{r}}^{\prime \mathrm{*}},(str,\mathit{v}\mathit{e}\mathit{r}\left)\right)\leftarrow {\mathcal{A}}^{{\mathcal{Q}}_{Forge}(\cdot )}\left({key}_{{id}_i}\right)$;
  • Define ${Hash}_M≔(\mathit{h},\mathit{r},M)$, ${Hash}_{M^{\mathrm{*}}}≔({\mathit{h}}^{\mathrm{*}},{\mathit{r}}^{\mathrm{*}},M^{\mathrm{*}})$;
  • If ${\mathit{r}}^{\mathrm{*}}\ne \perp ,{Check}_{PP,{key}_{{id}_i}}^{CH}\left({Hash}_M,{Hash}_{M^{\mathrm{*}}}\right)=1$ and $({\mathit{h}}^{\mathrm{*}},M^{\mathrm{*}},(str,\mathit{v}\mathit{e}\mathit{r}\left)\right)\notin {\mathcal{Q}}_{Forge}$:
  • return 1; otherwise: return 0.
  • The ${\mathcal{Q}}_{Forge}$ is defined as follows:
  • If ${Check}_{{key}_{{id}_i}}^{Verify}\left(str,\mathit{v}\mathit{e}\mathit{r}\right)=1,\exists \left({\mathit{h}}^{″},M\right)and M^{\prime }\notin {\mathcal{Q}}_{Forge}\bigwedge {\mathit{h}}^{″}=\mathit{h}:$ run ${\mathit{r}}^{\prime }\leftarrow Forge({key}_{{id}_i},M^{\prime },\mathit{h})$
  • if ${\mathit{r}}^{\prime }\ne \perp$: define ${\mathcal{Q}}_{Forge}≔{\mathcal{Q}}_{Forge}\cup \left\{\right(\left(str,\mathit{v}\mathit{e}\mathit{r}\right),\mathit{h},M),(\left(str,\mathit{v}\mathit{e}\mathit{r}\right),\mathit{h},M^{\prime }\left)\right\}$
  • return ${\mathit{r}}^{\prime }$.
  • The ${Check}_{{key}_{{id}_i}}^{Verify}$ is defined as follows:
  • If $str=\perp ,\mathit{v}\mathit{e}\mathit{r}=\perp$: return 1.
  • If $str\ne \perp ,\mathit{v}\mathit{e}\mathit{r}\ne \perp$: run ${\mathit{e}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}\leftarrow SampleD\left({key}_{{id}_i}\right)$, define $z=str-{\mathit{e}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}\cdot \mathit{v}\mathit{e}\mathit{r}$, return 1. otherwise: return 0.
• $\mathit{Forgery}\mathit{indistinguishability}.$ For users and messages $M,M\mathrm{’}$ with identity ID, if it holds that $\left\{\left(\mathit{h},\mathit{r}\right)|\left(\mathit{h},\mathit{r}\right)\leftarrow CH\left(\mathit{A},M,\mathit{E}\right)\right\}\approx \{\left(\mathit{h},\mathit{r}\right)\left|\left(\mathit{h},{\mathit{r}}^{\prime }\right)\leftarrow CH\left(\mathit{A},M^{\prime },\mathit{E}\right),\mathit{r}\leftarrow Forge\left({(\mathit{A}}_{{\mathit{i}\mathit{d}}_{\mathit{k}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{k}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathit{k}}},M^{\prime },\mathit{h}\right)\right|ID,{\mathit{r}}^{\prime }\}$, then the construction of HIBCH-RS satisfies forgery indistinguishability.

3.2. Construction of HIBCH-RS

This section shows the detailed construction details of the HIBCH-RS model with updatable subkeys. The concrete implementation of the model contains the following algorithm.

• $Setup\left(1^n,q\right):$ Given a security parameter $n$ and any integer $q\ge 2$, let $\overline{m}=nk,w=nk,m=\overline{m}+w$. Run algorithm $\mathit{T}\mathit{r}\mathit{a}\mathit{p}\mathit{G}\mathit{e}\mathit{n}(1^n,q)\to (\mathit{A},\mathit{R})$ such that $\mathit{A}\in {\mathbb{Z}}_q^{n\times m},\mathit{R}\in {\mathbb{Z}}_q^{\overline{m}\times w}$. Generate randomly $\mathit{U}{\leftarrow }_R{\mathbb{Z}}_q^{n\times n},$ compute $\mathit{E}\leftarrow SampleD(\mathit{R},\mathit{A},\mathit{H},\mathit{U},\sigma )$ such as $\mathit{A}\mathit{E}=\mathit{U}mod q$. Finally, algorithm output public parameter $PP=\left(\mathit{A},\mathit{U},\mathit{E}\right),$ master key $MK=\mathit{R}.$
• $SlaveKey\left(1^n,q,ID\right):$ Randomly sample $\mathit{V}\in {\mathbb{Z}}_q^{\overline{m}\times w}$ from ${\mathcal{D}}_{Z^{\overline{m}},{\sigma }_s}$, and an error $\mathit{T}\in {\mathbb{Z}}^{\overline{m}\times w}$ from $\chi$. Compute ${\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}=H_{frd}\left({\mathit{i}\mathit{d}}_{\mathcal{l}}\right)\cdot \mathit{V}+\mathit{T}.$ Randomly choose ${\overline{\mathit{A}}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}\in {\mathbb{Z}}_q^{n\times \overline{m}}$ and H-tag ${\mathit{H}}_{\mathcal{l}}$, then ${\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}=\left[{\overline{\mathit{A}}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}\right|{\mathit{H}}_{\mathcal{l}}\mathit{G}-{\overline{\mathit{A}}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}·{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}]\mathit{mod}q$. Finally, algorithm output ${\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}$ and ${\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}$.
• $DelKey\left({\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}^{\mathrm{*}}}},{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}^{\mathrm{*}}},{\mathit{i}\mathit{d}}_{\mathcal{l}}\right):$ At level $\mathcal{l}$, ${\mathit{i}\mathit{d}}_{\mathcal{l}}=\left(d_1,d_2,\dots ,d_{\mathcal{l}}\right)$ is a $\mathcal{l}$-dimensional vector. Let ${\mathit{K}}_{\mathit{i}\mathit{d}}={\mathit{H}}_{\mathit{f}\mathit{r}\mathit{d}}\left({\mathit{i}\mathit{d}}_{\mathcal{l}}\right)\cdot \mathit{C}mod q$ where $\mathit{C}$ is chosen randomly from ${\mathbb{Z}}_q^{n\times w}$. For tag ${\mathit{H}}_{\mathcal{l}}^{\mathrm{*}}$ at level $\mathcal{l}-1$ is generated and sent by ${\mathit{i}\mathit{d}}_{\mathcal{l}}^{\mathrm{*}}$, and ${\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}=\left[{\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}^{\mathrm{*}}}}\right|{\mathit{K}}_{\mathit{i}\mathit{d}}]\in {\mathbb{Z}}_q^{n\times (m+w)}$. Evaluate ${\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}\leftarrow DelTrap({\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{H}}_{\mathcal{l}}^{\mathrm{*}},{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}^{\mathrm{*}}},\sigma }_d)$ to obtain a trapdoor for ${\mathit{i}\mathit{d}}_{\mathcal{l}}$. Generate personal key ${\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}\leftarrow Sample({\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{H}}_{\mathcal{l}},\mathit{U},\sigma )$ for ${\mathit{i}\mathit{d}}_{\mathcal{l}}$. Finally, algorithm output ${\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{and \mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}$.
• $Update(1^n,q,\mathit{R}\mathit{L})$: If the key is found to be exposed or an illegitimate edit request, then the algorithm is executed to update the key for the edit member. The parent node updates a reversible tag ${\mathit{H}}_{\mathcal{l}}^{\prime }$ by the algorithm of [32] 6.1. Then, the slave key pair is updated to ${\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}^{\prime }$ and ${\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}^{\prime }=\left[{\overline{\mathit{A}}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}\right|{\mathit{H}}_{\mathcal{l}}^{\prime }\mathit{G}-{\overline{\mathit{A}}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}·{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}^{\prime }]\mathit{mod}q$ and the ID of the revoked key is appended to $\mathit{R}\mathit{L}=\{{\mathit{i}\mathit{d}}_{\mathit{i}},\dots ,{\mathit{i}\mathit{d}}_{\mathit{j}},\}$, so $\mathit{R}{\mathit{L}}^{\prime }=\{{\mathit{i}\mathit{d}}_{\mathit{i}},\dots ,{\mathit{i}\mathit{d}}_{\mathit{j}},{\mathit{i}\mathit{d}}_{\mathit{r}}\}$. The algorithm outputs new tag ${\mathit{H}}_{\mathcal{l}}^{\prime }$ and $\mathit{R}{\mathit{L}}^{\prime }$ to generate a new key for the user.
• $CH(\mathit{A},M,\mathit{E})$: Input public parameter $PP=(\mathit{A},\mathit{E})$ and message $M$, compute chameleon hash and verification pair. If a transaction is identified as public-modifiable, then we use PP to calculate the hash value. Let $\mathit{c}=H_M\left(M\right)$ where $H_M:{\left\{\mathrm{0,1}\right\}}^{*}\to {\left\{\mathrm{0,1}\right\}}^{\overline{m}}$, sample $\mathit{r}{\leftarrow }_R{D}_{{\mathbb{Z}}^{\overline{m}},\sigma }$, compute the chameleon hash of message $M$ as: $\mathit{h}=\mathit{A}\mathit{r}+{\mathit{E}}^{\mathit{T}}\mathit{c} mod q$; $str=\perp , \mathit{v}\mathit{e}\mathit{r}=\perp$. If a transaction is identified as belonging to an individual, then we give editing rights to the individual. Suppose this transaction belongs to ${\mathit{i}\mathit{d}}_{\mathcal{l}}$, then ${\mathit{i}\mathit{d}}_{\mathcal{l}}$ calculates an extra verification pair and fills them into the block. In other words, select randomly ${\mathit{u}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}\in {\mathbb{Z}}_{\mathit{q}}^{\mathit{n}}$,${\mathit{s}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}\in {\mathbb{Z}}_q^n and x{\leftarrow }_R\chi$, and $m_{id}=H({\mathit{s}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},ID) mod 2$, then $str={{\mathit{u}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}^{\mathit{T}}\cdot {\mathit{s}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}+x+m_{id}⌈q/2⌉mod q$, $\mathit{v}\mathit{e}\mathit{r}={{\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}^{\mathit{T}}\cdot {\mathit{s}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}+\mathit{y} mod q \mathrm{w}\mathrm{h}\mathrm{e}\mathrm{r}\mathrm{e} \mathit{y}{\leftarrow }_R\chi .$ Algorithm output hash value $\mathit{h}$, collision string $\mathit{r},$ and verification pair $(str,\mathit{v}\mathit{e}\mathit{r})$. We illustrate the operation of the algorithm in Algorithm 1 in a simple code language.

Algorithm 1 Chameleon hash function.

$c:H_M\left(M\right)$ and $\mathit{r}{\leftarrow }_R{D}_{{\mathbb{Z}}^{\overline{m}},{\sigma }_3}$ $\mathit{h}=\mathit{A}\mathit{r}+{\mathit{E}}^{\mathit{T}}\mathit{c}\mathit{mod} q$ if $M$ is public:   $str=\perp ,\mathit{v}\mathit{e}\mathit{r}=\perp$ else if $M$ is private:   // Hash map of identity ID   $m_{id}:H\left({\mathit{s}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}\right)$,    $\mathit{u}{\leftarrow }_R{\mathbb{Z}}_q^n$, $\mathit{s}{\leftarrow }_R{\mathcal{D}}_{\mathbb{Z},\sigma }$, $x{\leftarrow }_R\chi$, $\mathit{y}{\leftarrow }_R\chi$   $str={\mathit{u}}^{\mathit{T}}\mathit{s}+x+m_{id}⌈q/2⌉mod q$   $\mathit{v}\mathit{e}\mathit{r}={\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}^{\mathit{T}}\mathit{s}+\mathit{y}\mathit{mod} q$ return $\mathit{h},\mathit{r},(str,\mathit{v}\mathit{e}\mathit{r})$

• $Forge\left({\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},M^{\prime },\mathit{h}\right):$ Input the public key and the trapdoor key of ${\mathit{i}\mathit{d}}_{\mathcal{l}}$, finding the collisions of chameleon hash. For personal data, the ability of ${\mathit{i}\mathit{d}}_{\mathcal{l}}$ users to decrypt $str$ is verified to determine whether they have the permission to edit the private data, and the hash collision is calculated if the verification is passed, and the editing request is rejected if it is not passed. ${\mathit{i}\mathit{d}}_{\mathcal{l}}$ provides the decryption key ${\mathit{d}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}\leftarrow SampleD\left({\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{H}}_{\mathcal{l}}^{\mathrm{*}},{\mathit{u}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},\sigma \right).$ Then, compute $z=\left(str-{{\mathit{d}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}^{\mathit{T}}\cdot \mathit{v}\mathit{e}\mathit{r}\right)mod q$. If $\left|z-⌈q/2⌉\right|<⌈q/4⌉and m_{id}=1$, output True; otherwise output False. If $\left|z-⌈q/2⌉\right|>⌈q/4⌉and m_{id}=0$, output True; otherwise output False. For public transaction data or personal data with successful verification, ${\mathit{i}\mathit{d}}_{\mathcal{l}}$ users can easily calculate hash collisions. Let ${\mathit{c}}^{\prime }=H_M\left(M^{\prime }\right)$. Then, sample ${\mathit{r}}^{\prime }$ from $SampleD$ such that ${\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}\cdot {\mathit{r}}^{\prime }=\mathit{h}-{{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}^{\mathit{T}}\cdot {\mathit{c}}^{\prime }mod q$. Output the collision ${\mathit{r}}^{\prime }$. We illustrate the operation of the algorithm in Algorithm 2 in a simple code language.

Algorithm 2 Chameleon hash forge function.

If new message $M^{\prime }$ is private: // Decryption key of user ID: $\mathit{d}$   $z=str-\mathit{d}\cdot \mathit{v}\mathit{e}\mathit{r}\mathit{mod}q$  if [($\left|z-⌈q/2⌉\right|>⌈q/4⌉$ and $m_{id}=0$)   or ($\left|z-⌈q/2⌉\right|<⌈q/4⌉$) and $m_{id}=1$]:   // Hash map of message $M^{\prime }$    ${\mathit{c}}^{\prime }:H_M\left(M^{\prime }\right)$   $\mathit{u}=\mathit{h}-{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}^{\mathit{T}}\cdot {\mathit{c}}^{\prime }modq$   ${\mathit{r}}^{\prime }\leftarrow SampleD({\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},{\mathit{H}}_{\mathcal{l}},\mathit{u},\sigma )$    return ${\mathit{r}}^{\prime }$. return $\perp$.

3.3. Security Analysis

3.3.1. Parameters

We identify whether a user has the right to edit a particular private transaction by verifying the user’s ability to decrypt it. During the decryption operation by the user at level $\mathcal{l}$, we have $z=str-{{\mathit{d}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}^{\mathit{T}}\cdot \mathit{v}\mathit{e}\mathit{r}={\mathit{m}}_{\mathit{i}\mathit{d}}⌈q/2⌉+x-{{\mathit{d}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}^{\mathit{T}}\mathit{y}$. By the correctness of $SampleD$ we know that $‖{{\mathit{d}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}^{\mathit{T}}‖<\sigma \sqrt{m}$ holds with overwhelming probability. By Lemma 1, we have the error term $\left|x-{{\mathit{d}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}}}^{\mathit{T}}\mathit{y}\right| \le \sigma \sqrt{m}\alpha q \omega \left(\sqrt{logm}\right)+\alpha q \omega \left(\sqrt{logm}\right)$. Therefore, when we set the upper limit of the error term to be less than $⌈q/4⌉$, it means that the decryption algorithm is correct. At this point, we can correctly solve a LWE instance problem.

Micciancio et al. defines the concept of a smoothing parameter as a measure of the Gaussian on the lattice [40]. When the standard deviation of the Gaussian on the lattice distribution is larger than this parameter, the modal lattice points in this distribution are almost close to being uniformly distributed. This paper defines ${\sigma }_s=r=\omega \left(\sqrt{\log n}\right) \approx \sqrt{\mathrm{l}\mathrm{n}(2/ϵ)/\pi }$. By defining random matrices sampled from the 0-sub-Gaussian in [41], we know that $s1\left(R\right)\le \sigma \mathsf{O}\left(\sqrt{m}+\sqrt{w}\right)$ for $MK$ and $s1\left(R_{{id}_{\mathcal{l}}}\right)\le \sigma O(\sqrt{m+w}+\sqrt{w})$ for the delegation trapdoor. For instance, we set the Gaussian parameter as $\sigma \ge \sqrt{7{\left(s1\left(R\right)\right)}^2+1}\omega \left(\sqrt{logn}\right)$ and ${\sigma }_d\ge \sqrt{5}s1\left(R\right)\omega \left(\sqrt{logn}\right)$. Meanwhile, in this paper, we set the parameters $m=2n^{\psi +1}, q=m^3\omega \left(\sqrt{logn}\right)$, where the real number $\psi$ satisfies $logq<n^{\psi }$.

3.3.2. Security

Theorem 1

($Correctness$). The construction of HIBCH-RS meets the requirement of correctness.

Proof. 

For the hash value $\mathit{h}$ and identity ID, it is easy to confirm that ID uses the trapdoor information to compute a new ${\mathit{r}}^{\prime }$ from $sampleD({\mathit{R}}_{\mathit{I}\mathit{D}},{\mathit{F}}_{\mathit{I}\mathit{D}},{\mathit{H}}_{\mathit{i}},\mathit{h}-{\mathit{E}}_{\mathit{I}\mathit{D}}^{\mathit{T}}\cdot \mathit{c}\mathit{m}\mathit{o}\mathit{d}\mathit{q},\sigma )$ so that ${\mathit{F}}_{\mathit{I}\mathit{D}}\cdot {\mathit{r}}^{\prime }+{\mathit{E}}_{\mathit{I}\mathit{D}}^{\mathit{T}}\cdot \mathit{c}\mathit{m}\mathit{o}\mathit{d}\mathit{q}=\mathit{h}$. So HIBCHRS satisfies correctness. □

Theorem 2

($Revocability$). The construction of HIBCH-RS meets the requirement of revocability.

Proof. 

We discuss the revocability of HIBCH-RS in the following two scenarios.

• In [36], $\mathit{R}$ is also a trapdoor for ${\mathit{A}}^{\prime }=\mathit{A}-\left[0\right|{\mathit{H}}^{\prime }\mathit{G}]$ with tag $(\mathit{H}-{\mathit{H}}^{\prime })$ for any ${\mathit{H}}^{\prime }$, as long as $(\mathit{H}-{\mathit{H}}^{\prime })$ is invertible modulo q. At this point, the old trapdoor is still available even after updating the public key. However, this useful feature does not apply to HIBCH-RS. To prove the above, we have ${\mathit{F}}_{\mathit{I}\mathit{D}}=\left[{\overline{\mathit{A}}}_{{\mathit{S}}_{{\mathit{I}\mathit{D}}^{\mathrm{*}}}}\right|\mathit{H}\mathit{G}-{\overline{\mathit{A}}}_{{\mathit{S}}_{{\mathit{I}\mathit{D}}^{\mathrm{*}}}}·{\mathit{S}}_{{\mathit{I}\mathit{D}}^{\mathrm{*}}}\left|\mathit{K}\right]$ with a tag $\mathit{H}$ and ID. From the $DelKey$ algorithm, we know that ${\mathit{F}}_{\mathit{I}\mathit{D}}\cdot \left[\begin{array}{c}{\mathit{R}}_{\mathit{I}\mathit{D}}\\ \mathit{I}\end{array}\right]=\mathit{H}\mathit{G}$. We now assume that there is an invertible tag $(\mathit{H}-{\mathit{H}}^{\prime })$ such that ${\mathit{F}}_{\mathit{I}\mathit{D}}^{\prime }={\mathit{F}}_{\mathit{I}\mathit{D}}-\left[\mathbf{0}\left|{\mathit{H}}^{\prime }\mathit{G}\right|\mathbf{0}\right]$. So, if $\mathit{R}$ is also a trapdoor ${\mathit{F}}_{\mathit{I}\mathit{D}}^{\prime }$, then ${\mathit{F}}_{\mathit{I}\mathit{D}}^{\prime }\cdot \left[\begin{array}{c}{\mathit{R}}_{\mathit{I}\mathit{D}}\\ \mathit{I}\end{array}\right]$ should be equal to $(\mathit{H}-{\mathit{H}}^{\prime })\mathit{G}$. While currently $\mathit{H}\mathit{G}-\left[\mathbf{0}\left|{\mathit{H}}^{\prime }\mathit{G}\right|\mathbf{0}\right]\cdot \left[\begin{array}{c}{\mathit{R}}_{\mathit{I}\mathit{D}}\\ \mathit{I}\end{array}\right]=\mathit{H}\mathit{G}-\left[\mathbf{0}|{\mathit{H}}^{\prime }\mathit{G}\right]\cdot {\mathit{R}}_{\mathit{I}\mathit{D}}$. However, it is obvious that $\left[\mathbf{0}|{\mathit{H}}^{\prime }\mathit{G}\right]\cdot {\mathit{R}}_{\mathit{I}\mathit{D}}\ne {\mathit{H}}^{\prime }\mathit{G}$.
• Any ${\mathit{H}}^{\prime }$, ${\mathit{F}}_{\mathit{I}\mathit{D}}^{\prime }\cdot \left[\begin{array}{c}{\mathit{R}}_{\mathit{I}\mathit{D}}\\ \mathit{I}\end{array}\right]\ne {\mathit{H}}^{\prime }\mathit{G}.$ First of all, we assume $\exists {\mathit{H}}^{\prime }$, ${\mathit{F}}_{\mathit{I}\mathit{D}}^{\prime }\cdot \left[\begin{array}{c}{\mathit{R}}_{\mathit{I}\mathit{D}}\\ \mathit{I}\end{array}\right]={\mathit{H}}^{\prime }\mathit{G}$. We also know ${\mathit{F}}_{\mathit{I}\mathit{D}}^{\prime }=\left[{\mathit{A}}_{{\mathit{S}}_{{\mathit{I}\mathit{D}}^{\mathrm{*}}}}^{\prime }\right|{\mathit{K}}_{\mathit{I}\mathit{D}}]$, ${\mathit{A}}_{{\mathit{S}}_{{\mathit{I}\mathit{D}}^{\mathrm{*}}}}^{\prime }\cdot {\mathit{R}}_{\mathit{I}\mathit{D}}={\mathit{H}}^{\prime }\mathit{G}-{\mathit{K}}_{\mathit{I}\mathit{D}}$. Then, $\left({\mathit{A}}_{{\mathit{S}}_{{\mathit{I}\mathit{D}}^{\mathrm{*}}}}-{\mathit{A}}_{{\mathit{S}}_{{\mathit{I}\mathit{D}}^{\mathrm{*}}}}^{\prime }\right)\cdot {\mathit{R}}_{\mathit{I}\mathit{D}}=(\mathit{H}-{\mathit{H}}^{\prime })\mathit{G}$, so we can derive that $\left[\mathbf{0}|\left(\mathit{H}-{\mathit{H}}^{\prime }\right)\mathit{G}\right]\cdot {\mathit{R}}_{\mathit{I}\mathit{D}}=\left(\mathit{H}-{\mathit{H}}^{\prime }\right)\mathit{G}$. In other words, we want to confirm a trapdoor ${\mathit{R}}_{\mathit{I}\mathit{D}}$ of the form $\left[\begin{array}{c}{\mathit{R}}_{\mathit{I}\mathit{D}}^{\mathbf{*}}\in {\mathbb{Z}}_q^{\overline{m}\times w}\\ \mathit{I}\in {\mathbb{Z}}_q^{w\times w}\end{array}\right]$. Since ${\mathit{R}}_{\mathit{I}\mathit{D}}$ is the random vector that came from $sampleD$, we can also represent ${\mathit{R}}_{\mathit{I}\mathit{D}}$ as ${\mathit{R}}_{\mathit{I}\mathit{D}}=\left[\begin{array}{cc}{\mathit{x}}_{\mathbf{1}}& \begin{array}{cc}\cdots & {\mathit{x}}_{\mathit{w}}\end{array}\end{array}\right]$, a form that comes from the definition [36]. We also have ${\mathit{x}}_{\mathit{i}}=\left[\begin{array}{c}{\mathit{x}}_{\mathit{i}}^{\mathrm{*}}\\ \tilde{\mathit{x}}\end{array}\right]\in {\mathbb{Z}}_q^{(\overline{m}\times w)\times 1},\tilde{\mathit{x}}$ is a vector whose $ith$ row is 1, and the other rows are 0 with the probability of $neg\left(n\right)$. In this ideal case, ${\mathit{K}}_{\mathit{I}\mathit{D}}$ is constant. However, in practice, when the key pair is updated, ${\mathit{K}}_{\mathit{I}\mathit{D}}$ is a matrix of changes. Therefore, it is possible to forge a ${\mathit{R}}_{\mathit{I}\mathit{D}}$ that satisfies this situation with the probability of $neg\left(n\right)$.
• First, when a malicious user exists in a child node, its parent node can disable the child node trapdoor by updating the slave key information as well as the tag information, and at the same time add the child node’s identity to the revocation list and remove its edit permissions. Secondly, if a malicious user delegates illegitimate trapdoor information to other users, we can update its trapdoor information by assigning its child node to other legitimate nodes and then updating its trapdoor information. If a malicious user makes a request to modify other private data or non-editable transactions, the regulator may be able to automatically lock the malicious user’s edit permissions. Furthermore, if a malicious user refuses to cooperate in revoking an insecure trapdoor key, we can add the user to the revocation list, restrict its edit permissions, and then update the trapdoor information. For the above cases, the illegal behavior of malicious users can be fully considered and measures can be taken to ensure the overall security of the system. □

Theorem 3

$\left(Resistance to collision forgery under active attacks\right)$. Assume that adversary $\mathcal{A}$ can make most $\mathcal{Q}$ adaptation queries. If $\mathcal{A}$ can break the security of HIBCH-RS by a non-negligible advantage, the detailed proof is as defined by ${Expt}_{\mathcal{A},HIBCH-RS}^{RCF}\left(n,q\right)$ in the following.

Proof. 

First, the challenger $\mathcal{C}$ initializes set ${\mathcal{Q}}_{Forge}≔\mathrm{\varnothing }$. During the phase, the challenger $\mathcal{C}$ executes the following:

• Generate $PP,MK\leftarrow {HIBCH-RS.Setup(1^n,q)}_{\mathcal{C}}$.
• Sample ${\mathit{H}}_{\mathcal{l}}\leftarrow {\mathbb{Z}}_{\mathit{q}}^{\mathit{n}\times \mathit{n}}$.
• Generate ${{\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}},\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}\leftarrow {SlaveKey\left(1^n,q,{\mathit{i}\mathit{d}}_{\mathit{i}}\right)}_{\mathcal{C}}$,
• and ${\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}\leftarrow {DelKey\left({\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}}},{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}^{\mathrm{*}}},{\mathit{i}\mathit{d}}_{\mathit{i}}\right)}_{\mathcal{C}}$.
• $pp:=\left(PP,{\mathit{H}}_{\mathcal{l}},{\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}\right),TI:=(pp,{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}})$ and send $pp$ to $\mathcal{A}$.
• Second, $\mathcal{A}$ query:
• $M_i,M_i^{\prime }\in \mathcal{M}$, and ${\mathit{u}}_{{\mathit{i}\mathit{d}}_{\mathbf{i}}}\leftarrow {\mathbb{Z}}_{\mathit{q}}^{\mathit{n}\times 1},{\mathit{h}}_{\mathit{i}},(str,\mathit{v}\mathit{e}\mathit{r})\leftarrow \mathit{C}\mathit{H}\left(\mathit{A},M_i,\mathit{E}\right)|{\mathit{r}}_{\mathit{i}}$.
• Generate ($M_i,M_i^{\prime },{\mathit{h}}_{\mathit{i}},{\mathit{r}}_{\mathit{i}},(str,\mathit{v}\mathit{e}\mathit{r})$).
• Then, the challenger $\mathcal{C}$ executes the following:
• Sample ${\mathit{d}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}\leftarrow SampleD({\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{H}}_{\mathcal{l}},{\mathit{u}}_{{\mathit{i}\mathit{d}}_{\mathcal{l}}},\sigma )$
• if $\exists \left({\mathit{h}}^{″},M\right)and M^{\prime }\in {\mathcal{Q}}_{Forge}\bigwedge {\mathit{h}}^{″}\ne \mathit{h}$, and $z=str-{\mathit{d}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}\cdot \mathit{v}\mathit{e}\mathit{r},z>\frac{q}{4}$, return $\perp$;
• otherwise, continue.
• Generate ${\mathit{r}}_{\mathit{i}}^{\prime }\leftarrow Forge({\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}},M^{\prime },\mathit{h})$;
• Send ${\mathit{r}}_{\mathit{i}}^{\prime }$ to $\mathcal{A}$ and ${\mathcal{Q}}_{Forge}≔{\mathcal{Q}}_{Forge}\cup \left\{\right(\left(str,\mathit{v}\mathit{e}\mathit{r}\right),\mathit{h},M),(\left(str,\mathit{v}\mathit{e}\mathit{r}\right),\mathit{h},M^{\prime }\left)\right\}$.
• For the Forgery group $({\mathit{h}}^{\mathrm{*}},{\mathit{r}}^{\mathrm{*}},M^{\mathrm{*}},M^{\prime \mathrm{*}},{\mathit{r}}^{\prime \mathrm{*}},(str,\mathit{v}\mathit{e}\mathit{r}\left)\right)$, the challenger $\mathcal{C}$ calculates:
• $\underset{\mathit{A}}{\underbrace{{\mathit{F}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}}}\cdot \underset{\mathit{v}}{\underbrace{{\mathit{r}}^{\prime \mathrm{*}}}}=\underset{\mathit{u}}{\underbrace{{\mathit{h}}_{\mathit{i}}-{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathit{i}}}^{\mathit{T}}\cdot H\left(M^{\prime \mathrm{*}}\right)}}$ with $‖{\mathit{r}}_{\mathit{i}}^{\prime }‖\le \sigma \sqrt{m}$, and $M^{\mathrm{*}}\ne M^{\prime \mathrm{*}}$.
• Finally, if the above condition is satisfied, then return 1.
• Thus, through the above process, we can calculate $\mathrm{P}\mathrm{r}[{Expt}_{\mathcal{A},HIBCH-RS}^{RCF}\left(n,q\right)=1]$. □

Theorem 4

$(Forgery indistinguishability)$. By this theorem, we show that the hash distribution ${\mathcal{D}}_{CH}$ of a message $M$ is statistically close to the distribution ${\mathcal{D}}_{Forge}$ of a message $M^{\prime }$.

Proof. 

First, the ${\mathcal{D}}_{CH}$ was defined as below:

$${\mathcal{D}}_{CH}:={\left\{\left(M^{\prime },{\mathit{r}}^{\prime },{\mathit{h}}^{\prime }\right)|\begin{array}{c}r{\leftarrow }_R{D}_{{\mathbb{Z}}^{\overline{m}},\sigma },c≔H_M\left(M^{\prime }\right),\\ {\mathit{h}}^{\prime }=Ar+{\mathit{E}}^{T}cmodq\end{array}\right\}}_{n,q,PP},$$

Next, we defined the ${\mathcal{D}}_{Forge}$ as:

$${\mathcal{D}}_{Forge}={\left\{\left(M^{\prime },\overline{\mathit{r}},\mathit{h}\right)|\begin{array}{c}r\stackrel{\mathrm{\$}}{\leftarrow }R,h\leftarrow CH\left(\mathit{A},M,\mathit{E}\right),{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{k}}}\leftarrow DelKey\left({\mathit{A}}_{{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{k}}}},{\mathit{S}}_{{\mathit{i}\mathit{d}}_{\mathit{k}}},{\mathit{i}\mathit{d}}_{\mathit{k}}\right),\\ \overline{\mathit{r}}\leftarrow Forge{(\mathit{A}}_{{\mathit{i}\mathit{d}}_{\mathit{k}}},{\mathit{R}}_{{\mathit{i}\mathit{d}}_{\mathit{k}}},{\mathit{E}}_{{\mathit{i}\mathit{d}}_{\mathit{k}}},M^{\prime },h)\end{array}\right\}}_{n,q,ID}.$$

It is known that $\mathit{r}$ is indistinguishable from $\overline{\mathit{r}}$ since $\mathit{r},\overline{\mathit{r}}$ are Gaussian sampling distributions. Therefore, the distribution ${\mathcal{D}}_{CH}\approx {\mathcal{D}}_{Forge},$ which means that they are indistinguishable. □

Based on the analysis, devising an editable scheme grounded in the HIBCH-RS model imparts quantum-resistant characteristics. Concurrently, the security of the editable method is contingent upon the safety of the foundational algorithm.

4. Redactable Programs

This paper is dedicated to the formulation of a redactable blockchain that emphasizes compatibility. In this context, compatibility pertains to the ability of the redactable blockchain structure to integrate with data structure, the consensus protocols, block, and chain structures, and more. Secondly, aiming at the consistency of the block, this paper deals with the edit request through the majority node agreement mechanism. To improve efficiency, multiple edit requests are packaged into a group of requests and sent to verification nodes for approval. Finally, to achieve the traceability and accountability of editing operations, this paper divides blocks into ordinary blocks and redactable blocks. We then trace the history of edits by packaging edit requests into the form of ordinary blocks. Revocable lists are also used to hold users accountable for unreliable or malicious changes.

In this section, we detail how this mechanism is implemented in conjunction with Hyperledger Fabric.

4.1. Editorial Role

Editor: Typically, the editorial member is made up of a group of trusted nodes. Initially, a set of trusted nodes is randomly selected by the regulator among all nodes. Then, the regulator judges the validity and legality of the editing operation to eliminate the malicious modifiers among the editorial members. We can also add new editorial members to the group. Finally, these trusted nodes can obtain the trapdoor in the HIBCH-RS scheme and then make edit requests. The node that is deleted from the editing group uses the Update algorithm to retrieve its trapdoor information and add it to the revocation list.

Edit request handler: This role is typically held by the consensus node. In this article, an edit request can be viewed as a transaction. The difference is that for ordinary transactions, the consensus node is only responsible for packaging blocks, but it needs to be reviewed whether the edit request transaction can be packaged into blocks.

Regulator: Regulator can choose from the full range of nodes. Primarily, the regulator oversees the trapdoor delegation process. Additionally, the regulator exercises control over the consensus authority to prevent inadvertent exposure of conflicting key information.

4.2. Editorial Process

In redactable Hyperledger Fabric, we show the block structure of the major changes as block headers and transactions data. The detailed structure is shown in Figure 2.

As shown in Figure 2, we replace the hash algorithm in the Merkel tree with HIBCH-RS and add key fields for the redacted transaction. $B_{er}Number$ denotes the editing history block number.

Formally, a redactable block is represented as $RB=<Head,Tx list,>$, where the block header is abstracted as block number, the hash value of the preceding block and the data hash, denoted as $Head=<Number, PreHash,DataHash>$. Meanwhile, the chain structure is delineated as $C=<B_0,{RB}_1,\dots ,B_i,B_{{er}_j},\dots >$. In other words, there are three types of blocks in the redactable blockchain proposed in this paper: ordinary non-redactable blocks $B_i$, redactable blocks ${RB}_j$, and blocks that record editing operations $B_{er}$.

Figure 3 depicts the transaction flow for redactable Hyperledger Fabric to perform an edit request. In Fabric, the editing request initiated by the client is first sent to the endorsing nodes for processing. Subsequently, the approved requests are temporarily stored at the consensus nodes, awaiting validation and submission. Distinction arises between the editing procedures for public and personal transaction data. Specifically, in the case of personal transaction data, the modify content (MC) must be maintained as confidential information, thus ensuring data privacy. The validation node is solely responsible for confirming the endorsement strategy and the legitimacy of the modification. Ultimately, the agreed-upon modified transaction is submitted for accurate modification within the blockchain. Therefore, the edit request transaction is compatible with the transaction flow of a normal transaction.

Specifically, we divide the editing process into the following stages:

Creation of an edit request: The process commences with the creation of an edit request by a member who possesses the trapdoor key. This event triggers the generation of a modification transaction (MT). MT comprises two principal components: the modified content (MC) and the key parameter (KP).

• Modified content (MC): MC encompasses several elements, including the transaction ID (TxID) of the transaction being revised, the hash value of the transaction, the identification of the member initiating the edit request, and the new content. If we would like to delete illegal information, the new content will be defined as empty.
• Key parameter (KP): The KP encompasses the hash collision ${\mathit{r}}^{\prime }$. Importantly, this component determines the ability to accurately modify the transaction within the block in a physical sense. Notably, the field related to KP remains concealed from all parties until the completion of the request submission process.

By adhering to this structured sequence, the editing process is systematically orchestrated, fostering transparency and control over modifications to blockchain data.

Validation of editing requests:

• Public transaction data: In scenarios involving public transaction data, the consensus body disseminates MC to a randomly selected subset of n members. These members assess the content and respond with a agree message if they approve. Conversely, a reject message is transmitted if they disagree. The validation process hinges on accumulating a specific number of agree responses, indicating the legitimacy and consistency of the edit request.
• Personal transaction data: For personal data, which is confidential, nodes have restricted access to MC. Rather, nodes provide feedback solely on whether they consent to the block modification.

Submission of editing requests: The edit request is temporarily stored within the consensus organization. During this period, the user is precluded from submitting multiple edit requests for the same transaction data simultaneously.

Upon approval of the edits, the consensus nodes package the modified transaction (MT) into a block that records editing operations. Finally, the edit block is appended to the blockchain through broadcast, culminating in the formation of the updated chain: $C^{\prime }=<B_0,B_1,\dots ,B_n^{\prime },B_e>$.

Withdrawal or deletion of an edit request manifests in the following three scenarios, which transpire prior to the submission of the edit request:

• The originator of the request initiates a withdrawal. Upon this decision, the consensus body eliminates the edit request from local records.
• Illegal requests. Before submission, the edit request undergoes verification by the nodes through broadcast. If the edit is determined to be unlawful or if the regulatory entity identifies the modifier’s identity as illicit, or if verification of the personal data modifier’s identity fails, the consensus body eliminates the request from local records. The regulator exercises the authority to decide whether to incorporate the edit requestor’s identity into the revocation list, contingent upon the severity of the violation.
• If no response is received within a designated timeframe, the edit request is discarded.

By implementing these withdrawal mechanisms, our model ensures effective management of edit requests, safeguarding the integrity and legality of the blockchain’s contents.

We describe this new editing scheme in Algorithm 3, and we also describe the specific mechanism of content consistency in the algorithm.

Algorithm 3 Block redact.

Input: The new content $M^{\prime }$, transaction ID of ${Tx}_i$, redactor identity $ID$, and revocation list $RL$.  Output: The redacted block ${RB}_i^{\prime }$ and block and edit request transaction $B_{er}$.  Extract block by ${Tx}_i$, output ${RB}_i=\{header,\left\{\dots {Tx}_i\dots \right\}\}$.  if $HIBCH-RS.CH({\mathit{F}}_{\mathit{I}\mathit{D}}^{\prime },{\mathit{E}}_{\mathit{I}\mathit{D}}^{\prime },{Tx}_i)|r_i={RB}_i.{HIBCH-RS}_i$ then:  ${\mathit{r}}_i^{\prime }⟵HIBCH-RS.Forge({\mathit{F}}_{\mathit{I}\mathit{D}},{\mathit{R}}_{\mathit{I}\mathit{D}},{\mathit{E}}_{\mathit{I}\mathit{D}},M^{\prime },{RB}_i.{HIBCH-RS}_i)$   send ${MT}_i=\{{\mathit{r}}_i^{\prime },{MC}_i=\{{Tx}_i,{RB}_i.{HIBCH-RS}_i,ID,M^{\prime }\left\}\right\}$ to nodes   $n:=0$   for $reply:=({reply}_1,\dots {reply}_n)$ do:   //consistency   if $reply=\mathrm{‘}agree\mathrm{’}$ then:     $n=n+1$   if $n\ge sum\left(sendnodes\right)/2$ and $ID\notin RL$ then:   $B_{{er}_i}=\{header,\left\{\dots {MT}_i\dots \right\}\}$   $B_{er}Numbe{r}^{\prime }=\{{BN}_1,\dots ,B_{e_i}.header.Number\}$   ${Tx}_i^{\prime }=({\mathit{r}}_i^{\prime },\left(str,m_{{id}_i}\right),M^{\prime },B_{e}Numbe{r}^{\prime })$   ${RB}_i=\{header,\left\{\dots {Tx}_i^{\prime }\dots \right\}\}$   return ${RB}_i^{\prime }$, $B_{{er}_i}$

4.3. Accountability and Traceability

Redactable blockchain necessitate ongoing maintenance and security assessments. Hence, this subsection delineates the mechanisms employed to establish accountability and traceability within the blockchain, thereby fortifying the overall security of the system.

In the design detailed in [27], edit operations are parallelized alongside modified blocks, giving rise to an edit chain. However, our approach can align with the pre-established structure and seamlessly integrate with the blockchain system.

In Algorithm 4, we design a traceability scheme for the history of editing operations. In the redactable block structure, a redactable transaction contains a list of edited historical block number transactions ($B_{e}Number$) associated with it. From the list, we can trace all the actions to the redacted transaction.

Algorithm 4 Trace edit history.

Input: The redacted transaction ${Tx}_i$. Output: The edit history list ${EHL}_i$. Extract ${B_{e}Number}_i=\{{BN}_1,\dots ,{BN}_n\}$ by ${Tx}_i$. for $i≔(1,\dots ,n)$ do:   Extract edit block $B_{{er}_i}$ by ${BN}_i$.   ${EHL}_i=\{B_{{er}_1}.{MT}_1.M^{\prime },\dots ,B_{{er}_i}.{MT}_i.M^{\prime }\}$  return ${EHL}_i$

For accountability, we give details in Algorithms 5 and 6. In Algorithm 5, we mainly implement how to restrict or reclaim the editor’s permission when there is an illegal edit request by adding malicious users to the revocation list.

Algorithm 5 Accountability for edit request.

Input: Illegal edit request ${ER}_i$ and revocation list $RL$. Output: The revocation list $R{L}^{\prime }$. Send ${ER}_i$ to verifiers nodes Receive $reply:=({reply}_1,\dots {reply}_n)$  if $sum\left({reply}_i=‘reject’\right)>n$ do:   $rID:={ER}_i.MC.ID$   $R{L}^{\prime }=\{RL,rID\}$    Delete ${ER}_i$  return $R{L}^{\prime }$.

Algorithm 6 implements how to roll back the edit operation. It is important to note that this rollback requires a member with higher privileges to perform and is strictly monitored because it removes the edits that have already been performed.

Algorithm 6 Rollback the edit operation.

Input: The redacted transaction ${\mathrm{T}\mathrm{x}}_{\mathrm{i}}$, the number of rollback times $\mathrm{m}(\mathrm{m}\le \mathrm{n})$, and identity ID. Output: The rollback block $\mathrm{R}{\mathrm{B}}^{\prime }$. Extract $\mathrm{R}\mathrm{B}$ by ${\mathrm{T}\mathrm{x}}_{\mathrm{i}}$; Extract ${\mathrm{B}}_{\mathrm{e}}$ by $\mathrm{R}\mathrm{B}.{{\mathrm{B}}_{\mathrm{e}}\mathrm{N}\mathrm{u}\mathrm{m}\mathrm{b}\mathrm{e}\mathrm{r}}_{\mathrm{i}}.{\mathrm{B}\mathrm{N}}_{\mathrm{n}-\mathrm{m}}$ $\mathrm{R}{\mathrm{B}}^{\prime }=\mathrm{R}\mathrm{B}$; $\mathrm{R}{\mathrm{B}}^{\prime }.{\mathrm{r}}_{\mathrm{i}}^{\prime }={\mathrm{B}}_{{\mathrm{e}}_{\mathrm{i}}}.{\mathrm{M}\mathrm{T}}_{\mathrm{i}}.{\mathrm{r}}_{\mathrm{i}}^{\prime }$ $\mathrm{R}{\mathrm{B}}^{\prime }.{\mathrm{T}\mathrm{x}}_{\mathrm{i}}={\mathrm{B}}_{{\mathrm{e}}_{\mathrm{i}}}.{\mathrm{M}\mathrm{T}}_{\mathrm{i}}.{\mathrm{M}}^{\prime }$; ${{\mathrm{B}}_{\mathrm{e}}\mathrm{N}\mathrm{u}\mathrm{m}\mathrm{b}\mathrm{e}\mathrm{r}}_{\mathrm{i}}^{\prime }=\{{\mathrm{B}\mathrm{N}}_1,\dots ,{\mathrm{B}\mathrm{N}}_{\mathrm{n}-\mathrm{m}}\}$ ${\mathrm{M}\mathrm{T}}_{\mathrm{i}}=\{{\mathrm{r}}^{\prime },{\mathrm{M}\mathrm{C}}_{\mathrm{i}}=\{{\mathrm{T}\mathrm{x}}_{\mathrm{i}},\mathrm{I}\mathrm{D},\mathrm{h},\left\}\right\}$  for $\mathrm{j}≔(\mathrm{n}-\mathrm{m}+1,\dots ,\mathrm{n})$ do:   Extract ${\mathrm{B}}_{{\mathrm{e}}_{\mathrm{j}}}$ by ${\mathrm{B}\mathrm{N}}_{\mathrm{j}}$    Delete ${\mathrm{B}}_{{\mathrm{e}}_{\mathrm{j}}}.{\mathrm{M}\mathrm{T}}_{\mathrm{i}}$  return $\mathrm{R}{\mathrm{B}}^{\prime }$

Furthermore, our edit cache structure significantly curbs the likelihood of unauthorized edit operations. Recognizing that editing operations may be essential but sporadic within the blockchain ecosystem, preserving the history of such operations does not unduly strain the system. Quite the opposite: it bolsters the legitimacy and security of editing endeavors.

By implementing these measures, our model ensures a robust framework for accountability, traceability, and secure edit operations, thereby enhancing the overall stability and credibility of the blockchain system.

5. Experiments and Results Analysis

In this section, we verify the model and scheme proposed in this paper through two main experiments. First, we demonstrate the performance of the HIBCH-RS model through experiments, and showcase the tangible outcomes of the optimized and innovative methodology proposed in this paper. Then, in a second experiment, we deploy the redactable scheme in Hyperledger Fabric to test performance. In recent years, very few redactable schemes with quantum-resistant properties have been deployed in blockchain systems. Therefore, this article reports the performance of the lattice-based cryptographic redactable scheme.

The experimental procedures were carried out on an Ubuntu 20.04.4 LTS operating system, which is a 64-bit environment. The hardware configuration encompassed an 8-core Intel Core i7-9700 CPU running at 3.00 GHz. The implementation of the HIBCH-RS model was accomplished utilizing Python 3.9.2. Subsequently, the deployable editable solution was executed on the federated Hyperledger Fabric 2.4.1 blockchain framework. The evaluation of blockchain performance was conducted through the utilization of the Hyperledger Caliper Benchmarks.

5.1. Performance of HIBCH-RS

We provide a proof-of-concept of the HIBCH-RS scheme in this subsection and give analytical results experimentally to verify its efficiency and practicality.

5.1.1. Evaluation Time and Size of the Hierarchical Model

From the parameter analysis in Section 3.3.1, we selected four sets of parameters for the experiment in

Table 3. The selected parameter groups.

Parameter Group	n	m	w
Group 1	20	920	460
Group 2	40	2080	1040
Group 3	60	3480	1740
Group 4	80	5120	2560

.

Generally, in the public key model of lattice cryptosystems, n should be greater than 256. In this experiment, to compare the effect of parameter changes on the model as well as to reduce the computing time to improve the efficiency, we select the case where n is 20~80. In Figure 4, we use pg to denote a set of parameters.

In the first experiment, we tested the time and secret key size of the runs of the hierarchical algorithm in the HIBCH-RS model, respectively.

From Figure 4, we can see that the trapdoor delegation algorithm consumes more time and produces larger trapdoor matrix elements as the parameters change. This is because in the algorithm we have used $nk$ times the SampleD Gaussian sampling algorithm and the SampleD algorithm performs a complex Gaussian sampling that causes the size of the delegated trapdoor to be linear with the dimensions of the delegated public key [36]. In future experiments, we will look to establish more efficient and stable Gaussian sampling algorithms for improvement. On the other hand, as can be seen in Figure 4, we added the Slavekey algorithm, which runs in much less time than the Setup algorithm. Therefore, the addition of this algorithm does not put too much burden on the system. For the storage expense shown in Figure 4b,c, among the public key of the public parameter PP, master key, and delegated public key, and delegated trapdoor, the trapdoor storage expense is higher because the trapdoor is generated by the DelTrap algorithm, which runs $nk$ times the SampleD algorithm.

Next, we observe that some schemes for hierarchical identity encryption are related to the number of layers of delegation, such as schemes with a hierarchical identity-based puncturable encryption model (HIBPE) in [38], and the efficient quantum-safe hierarchical identity-based cryptosystem with traceable identities (AHIBET) in [39].

In

Table 4. Comparison of delegation key sizes.

Model	Size (Public Key)	Size (Trapdoor)	Parameter
HIBCH-RS	$n\times (\overline{m}+2w)$	$(\overline{m}+w)\times w$	$\overline{m}=nlogq$
HIBPE	$n\times {\mathcal{l}}^{*}m$	$\left(\mathcal{l}+{\eta }^{*}+1\right)m\times \left(\mathcal{l}+\eta +1\right)m$	$m=nlogq$
AHIBET	$n\times \left(m+\mathcal{l}w\right)$	$\left(m+\mathcal{l}w\right)\times \left(m+\mathcal{l}w\right)$	$w=nlogq,m\ge w+\omega \left(logn\right)$

* $\mathcal{l}$ is level of identity, $\mathcal{l}<d$, where d is the maximum hierarchical depth. $\eta$ is the number of punctured times.

, we list the delegated key sizes for both schemes and HIBCH-RS.

From the experimental results shown in Table 4, the key size of the HIBPE and AHIBET models increases linearly with increasing levels. In our model, due to the introduction of the slave key algorithm, the size of the delegated key can be fixed in a certain dimension.

5.1.2. Comparison of Time to Compute Chameleon Hash and Find Collisions

In a second experiment, we tested the chameleon hashing algorithm of HIBCH-RS. In this experiment, we compare chameleon hash and find hash collision runtimes.

However, we omitted the comparison with the chameleon hash construction scheme from section 4.1 of [15], which exhibits a notably extended duration for finding collisions within a discrete Gaussian distribution.

In Figure 5a, we can see that for chameleon hash encryption of public data, the HIBCH-RS model can have better performance. However, to realize the management of private data, we sacrifice time for the generation of check fields, so the performance of the chameleon hash function is slightly worse than that of [15]. This approach takes extra time but helps improve the overall security and management of the model.

From Figure 5a,b, we can see the time differences in computing the chameleon hash among the three algorithms are relatively minor. This is attributed to the closely matched complexities of the chameleon hash proposed by [15] and the HIBCH-RS model. However, the HIBCH-RS model demonstrates notably enhanced efficiency when it comes to the computation of hash collisions.

5.1.3. Scalability

In this paper, the scalability of HIBCH-RS refers to the fact that the system can still maintain its existing efficiency and correctness in the face of large-scale modification requests, large-scale node users, and complex problems. First, the hierarchical identity structure of HIBCH-RS has controllable time complexity and space complexity in delegating keys, and the system performance will not be dramatically degraded with the growth of data or users. Secondly, in terms of privilege control and access efficiency, the design of the HIBCH-RS model can effectively realize the control of privileges, in that only users with trapdoors can perform editing operations. Meanwhile, the algorithms can be efficiently converted between different layers when performing encryption and collision-finding operations. This scalable performance can be demonstrated in the experiments.

5.2. Performance of HIBCH-RS-Based Redactable Blockchain

The redactable blockchain scheme based HIBCH-RS, as elaborated in Section 4, boasts compatibility across various chain types, including public, alliance, and private chains.

In the context of public chains, the scheme necessitates nearly complete decentralization of delegated keys. At this point, editable nodes are added to the hierarchical identity by application in a decentralized way. To establish this dynamic, a reward and punishment mechanism can be instituted, where nodes that adhere to agreed-upon rules can receive rewards, while those that deviate may face penalties.

Within an alliance chain, the scheme can be overseen by a certificate authority and monitored by the regulator. In a private chain, this delegated management structure can be entrusted to a centralized organization, while concurrently imposing constraints on users possessing edit permissions.

To concretize these concepts, this paper proceeded to implement the redacting scheme using the Fabric platform, which is an alliance chain framework featuring a pluggable mechanism. In this subsection, we elucidated the integration of the editing scheme, ensuring compatibility within the Fabric ecosystem.

Redactable Hyperledger Fabric

Schemes for implementing redactable blockchains based on post-quantum ciphers are in the minority, followed by equally fewer schemes for building editability in practical platforms. Thus, there are almost no practical schemes that we can compare. For the above reasons, in this experiment we demonstrate the performance of this paper’s scheme mainly in terms of the processing efficiency of editable requests, the size of editable blocks, and the throughput of editable requests. The parameter $pg=60$ was chosen for this part of the experiment, and the test was in terms of blocks. The experimental results are shown by Figure 6.

Redactable blocks cost some extra storage due to storing the editing information associated with them, but as can be seen in Figure 6a, this extra cost is small, and in practice, every transaction in the block may not always be allowed to be editable. As a result, block sizes tend to be smaller than shown in the pictures above. Second, in Figure 6b, we show the throughput of edit request processing. The experiment was tested using the caliper tool, and the choice of the number of transactions stored in the block and the number of transactions sent is shown in

Table 5. The number of transactions stored in the block and the number of transactions sent.

	Exp1	Exp2	Exp3	Exp4	Exp5
Transaction per block	10	100	200	500	1000
Send transaction number	400	4000	8000	20,000	40,000

.

As can be seen from Figure 6b, the redactable transaction throughput is low compared to the normal transaction throughput, but this is sufficient in a redactable blockchain.

In this paper, in the parameter configuration, the caching time of the edit request was specified as 5 s. Finally, the selected personal and public transaction data were edited and verified. We tested the time of Algorithm 3 and results are displayed in

Table 6. Runtimes for different types of data modification.

	Public Transactions Data	Private Transactions Data
Time(s)	4.66	8.29

. When compared to modifying public transaction data, the alteration of private transactions introduced an extra authentication time for the user. Specifically, the time required for editing a block in the quantum-resistant redactable blockchain exceeded 4.66 s, but the maximum time did not exceed 8.29 s.

6. Conclusions

Designing a secure and compatible redactable blockchain protocol is a challenging task. In this paper, we introduce the HIBCH-RS model with subkey updates and trapdoor updates. Using this model, we constructed redactable schemes that excelled in both security and compatibility. The scheme represents a significant innovation and breakthrough compared to many editing techniques that still focus on key sharing. In future work, we will try to incorporate user attributes to enhance the division of edit permissions. In addition, we will improve the efficiency of the algorithm by improving the discrete Gaussian function. In the design of a redactable scheme, we propose to incorporate traceability and accountability. It is worth noting that to enhance the practical applicability of the editing scheme, the design of the scheme should continue to focus on how to apply it in both public and private chain schemes.