Privacy-Preserving Fine-Grained Redaction with Policy Fuzzy Matching in Blockchain-Based Mobile Crowdsensing

Abstract

The redactable blockchain has emerged as a promising technique in mobile crowdsensing, allowing users to break immutability in a controlled manner selectively. Unfortunately, current fine-grained redactable blockchains suffer two significant limitations in terms of security and functionality, which severely impede their application in mobile crowdsensing. For security, the transparency of the blockchain allows anyone to access both the data and policy, which consequently results in a breach of user privacy. Regarding functionality, current solutions cannot support error tolerance during policy matching, thereby limiting their applicability in various situations, such as fingerprint-based and face-based identification scenarios. This paper presents a privacy-preserving fine-grained redactable blockchain with policy fuzzy matching, named PRBFM. PRBFM supports fuzzy policy matching and partitions users’ privileges without compromising user privacy. The idea of PRBFM is to leverage threshold linear secret sharing based on the Lagrange interpolation theorem to distribute the decryption keys and chameleon hash trapdoors. Additionally, we have incorporated a privacy-preserving policy matching delegation mechanism into PRBFM to minimize user overhead. Our security analysis demonstrates that PRBFM can defend against the chosen-ciphertext attack. Moreover, experiments conducted on the FISCO blockchain platform show that PRBFM is at least 7.8 times faster than existing state-of-the-art solutions.

1. Introduction

With the increasing prevalence of intelligent terminals, particularly in light of contemporary trends such as “Industrie 4.0” [1] and the IoT, mobile crowdsensing has emerged as a promising application that leverages smart devices in mobile networks to utilize idle resources for sensing tasks effectively [2]. However, the current mobile crowdsensing paradigms primarily rely on centralized platforms that are not entirely trustworthy in practice and give rise to issues such as fraud, security vulnerabilities, and the single point of failure [3]. Consequently, the adoption of blockchain techniques has become widespread as a means to address these challenges. In essence, the immutability of blockchain serves as a critical measure against any manipulation of registered objects for illicit gains [4,5].

However, the immutability of blockchain may impede the application of the blockchain. Nowadays, the blockchain ecosystem is plagued by the presence of inappropriate materials, such as fake news, copyrighted content, and sensitive data [6,7,8,9]. Researchers have discovered that individuals with malicious intent can upload objectionable material (such as malware or pornographic links) onto the Bitcoin blockchain [7]. Regrettably, no effective methods currently exist to prevent the dissemination of this harmful content throughout the Bitcoin network. Participants on the chain may be concerned about being associated with illegal issues, discouraging their involvement in and use of the chain. Furthermore, certain blockchain systems have faced the issue of illicit transactions in practical scenarios. For instance, a well-known incident called the “The DAO” attack took place in Ethereum due to the presence of susceptible smart contracts [9]. This attack even necessitated a hard fork to mitigate the resulting adverse consequences. Additionally, various data regulations and requirements, such as the General Data Protection Regulation (GDPR) [10] and the concept of “the right to be forgotten” [11], empower individuals to manage their personal data [12,13,14]. However, because of the immutability of blockchain, it is evident that the information stored on the chain cannot be altered [15].

In order to break the immutability of the blockchain in a controlled manner selectively, the idea of the redactable blockchain was introduced by Ateniese et al. [16]. However, their method is on the basis of the policy-based chameleon hash (PCH) [6] that inherits the limitations of traditional attribute-based encryption (ABE) [17]. To address this problem, Tian et al. [18] proposed a novel implementation of attribute-based traitor tracing (ABTT) [19,20] that utilizes Hierarchical Identity-Based Encryption (HIBE) and one-time signature schemes. However, this proposed scheme only provides limited accountability. Therefore, Xu et al. [21] proposed a novel scheme of PCH with black-box accountability (PCHA) to overcome this challenge. Moreover, to satisfy the growing need in real-world scenarios, various redactable blockchain schemes have been proposed with necessity characters: dynamism [22], verifiability [23], and flexibility [24].

Unfortunately, these aforementioned redactable blockchain schemes all fall short in the aspects of security and functionality. For security, the data and policy can be accessed by any entity because of the transparency of the blockchain, which may result in potential privacy leakage. When it comes to functionality, existing works lack support for error tolerance during policy matching [25]. For instance, in some real-world scenarios such as fingerprint identification [26] or face recognition [27], it is almost impossible to achieve a 100% perfect match. To sum up, there is an urgent need for a fine-grained redactable blockchain with policy fuzzy matching in a privacy-preserving manner. Hence, four challenges arise:

• How to enable fine-grained redactable blockchain with fuzzy policy matching;
• How to conceal the policy based on fuzzy policy matching;
• How to ensure data privacy while maintaining privilege downward compatibility (i.e., allowing redactable users to access the data) through policy concealment;
• How to minimize user overhead in a privacy-preserving paradigm.

1.1. Contribution

In this paper, we provide a positive answer to the aforementioned problems by proposing a privacy-preserving fine-grained redactable blockchain with fuzzy policy matching (PRBFM). Specifically, PRBFM supports fuzzy policy matching and partitions users’ privileges without compromising user privacy. The main contributions are illustrated below.

• We introduce a novel privacy-preserving fine-grained redactable blockchain with fuzzy policy matching for mobile crowdsensing scenarios. Concretely, to achieve data privacy preservation and fuzzy matching for the redactable blockchain, we leverage the Lagrange interpolation theorem-based secret sharing to distribute the data decryption keys and chameleon hash trapdoors.
• To further satisfy the requirement of privacy-preserving policy matching and reduce the user overhead, we design a privacy-preserving policy matching delegation mechanism for PRBFM.
• A formal security analysis is provided to demonstrate the security of PRBFM against chosen-ciphertext attacks in a random oracle model. Subsequently, we employ a real-world dataset to perform experiments on the FISCO blockchain platform. The experimental results demonstrate that our schemes outperform related existing solutions, with a speed improvement of a minimum of $7.8\times$.

1.2. Roadmap

The structure of this paper is shown in Figure 1. Section 2 details the system model, threat model, and problem formulation. Proceeding further, Section 3 presents the preliminaries utilized in PRBFM. Subsequently, in Section 4, we formalize our scheme by presenting the definition and detailed construction of PRBFM, while the analysis and applications are discussed in Section 5. Several experiments based on the FISCO blockchain and the real-world dataset are conducted in Section 6. Finally, we discuss several related works about the redactable blockchain in Section 7 before reaching the conclusion in Section 8.

2. Problem Formulation

2.1. System Model

In this section, we formulate the problem addressed by the proposed PRBFM scheme. This scheme involves three different types of entities: nodes, users, and data owners. The nodes are responsible for storing the data of corresponding owners and executing data queries from users with permission. Notably, the nodes can be divided into three main types: privilege nodes (i.e., consortium nodes), storage nodes (i.e., cloud nodes), and computation nodes (i.e., edge nodes). The users usually represent requesters in realistic mobile crowdsensing scenarios. According to their attributes and the policy of the data owner, they can be split into three roles: unauthorized users, authorized users, and authorized modifiers. Unauthorized users are unable to perform any actions on the uploaded data. Authorized users have read-only access to the uploaded data. On the other hand, authorized modifiers can both access and modify the contents of the uploaded data. Similar to the users, the data owners mainly represent individuals or organizations in real-world mobile crowdsensing scenarios. Their prior task is to crowdsense raw data, then encrypt and upload them to the blockchain. The system model is presented in Figure 2.

2.2. Threat Model

In blockchain-based mobile crowdsensing scenarios, it is assumed that the privileged nodes, such as the government, organization administrators, and manufacturers, are trustworthy entities as they regulate the blockchain and authorize user privileges [28,29,30]. Conversely, other entities such as users, data owners, storage nodes, and computation nodes are semi-honest. Though they are expected to follow protocols faithfully, they have the curiosity to probe others’ private data, which may lead to unwanted inferences [7,31]. Additionally, users may maliciously collude with other entities except for the privileged nodes, resulting in attacks such as privilege escalation and privacy eavesdropping. We summarize the potential attacks below.

• Unauthorized access attack: Since encrypted data submitted by corresponding owners may contain commercially sensitive or private details, they become a prime target of potential adversaries. One such threat is the unauthorized access attack, whereby individuals without authorization may attempt to read or modify the data.
• Eavesdropping attack: An unauthorized party may eavesdrop on data transmitted through public channels in an attempt to deduce sensitive details from the intercepted ciphertext.
• User inferring attack: Attributes and policies may contain specific characteristics of individuals, such as their occupation, rank, or identity. An attack that expert adversaries may use to elicit sensitive information without knowing personal identifiers, such as the user identity or type of encrypted data, is known as the user inferring attack.
• Identity disguising attack: Access to encrypted data is determined based on specific attributes of individual users, including their identity. As a result, identity disguising attacks occur when unauthorized entities attempt to appear as authorized readers or modifiers. These attacks may involve disguising the encryption key with unauthorized attributes or attaching unauthorized attributes to obtained ciphertexts to mislead other entities. In some instances, unauthorized actors may alter or tamper with the message to deceive other parties.
• Collusion attack: Unauthorized entities may collaborate to perform various attacks, including those outlined above. For example, unauthorized users may pool their secret keys to recover encrypted data without proper authorization. They may also exchange keys to obtain encrypted data without proper authorization from the specified sender’s attributes.

2.3. Problem Statement and Design Goals

The problem addressed in this paper is as follows: a data owner encrypts plaintext message m based on a readability policy $\mathcal{P}r$ and an editability policy $\mathcal{P}e(\mathcal{P}r\subset \mathcal{P}e)$. The resulting encryption $(C,H)$ is then submitted to blockchain nodes. Simultaneously, a user with attributes $\sigma$ exists. The design goal of PRBFM is to achieve a secure redactable blockchain in which the user can read m only when $\mathcal{P}r\subset \sigma$ and can edit only if $\mathcal{P}e\subset \sigma$ while maintaining the confidentiality of sensitive data, including data from owners, user attributes, and owner policies, to avoid exposure to other parties.

3. Preliminaries

3.1. Chameleon Hash

Ateniese et al. [16] proposed the chameleon hash. A chameleon hash system typically comprises five algorithms that can be executed in polynomial time. These definitions are illustrated below:

• PPGen(${\mathbf{1}}^{\mathit{\lambda }}$). This algorithm’s input is the security parameter $\lambda$. The output of this algorithm is the public parameters $PP$. Notably, we implicitly assume that $mpk$ is the input for the subsequent algorithms.
• KeyGen($\mathit{P}$). This algorithm uses the public parameters $PP$ as input and generates the public key $pk$ and secret key $sk$ as output.
• HashGen($\mathit{p}\mathit{k},\mathit{m}$). This algorithm takes the public key $pk$ and plaintext message m as input, and outputs the hash h and random value r.
• Verify($\mathit{p}\mathit{k},\mathit{m},\mathit{r},\mathit{h}$). This algorithm takes the public key $pk$, plaintext message m, random value r, and hash h as input, and generates the decision result d as output. Specifically, d is equal to 1 if the hash is valid, and 0 otherwise.
• Adapt($\mathit{s}\mathit{k},\mathit{m},{\mathit{m}}^{{}^{\prime }},\mathit{r},\mathit{h}$). This algorithm takes the secret key $sk$, plaintext message m, alternate message $m^{\prime }$, random value r, and hash h as input, and generates the alternate random value $r^{\prime }$ as output.

We make the assumption, without loss of generality, that the $Adapt$ algorithm always requires the hash h for verification. If h is invalid, the algorithm outputs ⊥ instead of the alternate random value $r^{\prime }$.

3.2. Threshold Linear Shamir Secret Sharing

In [32], Shamir proposed a Lagrange interpolation theorem-based secret sharing scheme. Given k points $(x_1,y_1),\cdots ,(x_k,y_k)$ on the 2-D plane where the values of $x_i$ are distinct, there is one and only one interpolation polynomial $q\left(x\right)$ of degree $k-1$ that satisfies:

$$y_i=q\left(x_i\right),\forall i=1,2,\cdots ,k.$$

(1)

Without loss of generality, we can assume that the confidential data D are a number. To divide D into n shares, denoted as $D_i,i=1,2,\cdots ,n$, a random polynomial $q\left(x\right)$ of degree $k-1$ is selected as:

$$q\left(x\right)=a_0+a_{1}x+\cdots +a_{k-1}{x}_{k-1},$$

(2)

where $a_0=D$. For $i=1,2,\cdots ,n$, the corresponding piece $D_i$ is computed as $D_i=q\left(i\right)$.

Using the Lagrange interpolation technique, the coefficient of f can be computed when given any subset of k shares from $D_i$. The secret data D can be obtained by calculating $D=q\left(0\right)$. Note that if we have fewer than k shares, D cannot be reconstructed. Specifically, having only $k-1$ or fewer shares does not reveal any information about D.

3.3. Bilinear Group

Definition 1. 

(Bilinear Group). Suppose ${\mathbb{G}}_1,{\mathbb{G}}_2$, and ${\mathbb{G}}_T$ are three bilinear groups. There exists a binlinear map $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$, where $|{\mathbb{G}}_1|=|{\mathbb{G}}_2|=|{\mathbb{G}}_T|=p$.

Let these three groups have the same prime order p. The generators of ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ are g and h, respectively. The map e has the following two properties: Binlinearity and Non-degeneration.

If ${\mathbb{G}}_1={\mathbb{G}}_2$, it is called symmetric pairing. Otherwise, two different types of asymmetric pairing exist based on the existence of the isomorphism function that from ${\mathbb{G}}_2$ to ${\mathbb{G}}_1$.

Then, we present the computationally intractable problem that is utilized in this paper.

Definition 2. 

(Decisional Modified Bilinear Diffie-Hellman Problem (MBDFH). Let $g_i^a,g_j^b,g_k^c$ and $e{(g_1,g_2)}^z$ evaluate whether $e{(g_1,g_2)}^{\frac{ab}{c}}=e{(g_1,g_2)}^z$, where $i,j,k\in \{1,2\}$. Suppose there exists an algorithm that generates the group as $\mathcal{G}$, the distribution D is defined as follows:

$$\begin{array}{cc}\hfill \mathbb{G}& \stackrel{def}{=}(q,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,g_1,g_2,e)\leftarrow \mathcal{G},a,b,c,z\in {\mathbb{Z}}_q,\hfill \\ \hfill D& \stackrel{def}{=}(G;g_1,g_2,g_i^a,g_j^b,g_k^c,i,j,k\in \{1,2\}).\hfill \end{array}$$

(3)

Suppose $\mathcal{A}$ represents a probabilistic polynomial-time (PPT) adversary breaking the MBDH problem.

$$\begin{array}{c}\hfill Ad{v}_{\mathcal{A}}^{MBDH}\left(\lambda \right)\stackrel{def}{=}|Pr[\mathcal{A}(D,e{(g_1,g_2)}^{\frac{ab}{c}})]-Pr[\mathcal{A}(D,e{(g_1,g_2)}^z)]|\end{array}$$

(4)

is negligible for the security parameter λ.

4. Proposed PRBFM

The primary objective of PRBFM is to utilize two techniques. The first technique involves employing Lagrange secret sharing and a chameleon hash, which allow us to create a redactable blockchain having privilege downward compatibility and fuzzy matching while still maintaining privacy. Meanwhile, the second technique involves designing a privacy-preserving matching delegation mechanism, which minimizes user overhead.

4.1. Brief Definition

Before illustrating the details of PRBFM, we will first provide a brief definition:

Definition 3. 

PRBFM comprises eight polynomial-time algorithms: Setup, KeyGen, Encrypt, Verify, TrGen, Match, Read, and Edit.

• Setup ($\lambda \to (mpk,msk)$). The algorithm yields the master secret key $msk$ and master public key $mpk$ when given a security parameter λ. For simplicity, $mpk$ is implicitly assumed to be taken as input by all other algorithms.
• KeyGen ($(msk,\sigma )\to sk$). The algorithm takes σ and $msk$ as inputs and produces the user’s secret key $sk$.
• Encrypt ($(m,x,{\mathcal{P}}_r,{\mathcal{P}}_e)\to (C,H)$). The algorithm takes message $m\in \mathcal{M}$, Chameleon hash trapdoor x, readability policy ${\mathcal{P}}_r$, and editability policy ${\mathcal{P}}_e({\mathcal{P}}_r\subset {\mathcal{P}}_e)$ as inputs and outputs ciphertext C along with the corresponding hash value $H=(h,r_h)$.
• Verify ($(C,H)\to d_v$). The algorithm produces a verification result $d_v$ by validating the pair $(C,H)$, with $d_v\in 0,1$.
• TrGen ($sk\to T$). The algorithm takes the secret key $sk$ as input to generate the trapdoor T, which is composed of $T_1$ and ${T_{2,i}}_i^{\sigma }$.
• Match ($(T,C)\to d_m$). Given the trapdoor T and the ciphertext C, the algorithm outputs a match result $d_m\in 0,1,2$ to indicate different levels of access. Specifically, $(C^1,H)$ is returned when $d_m=1$, and $(C^2,H)$ is returned when $d_m=2$.
• Read ($(C^1,sk)\to m|\perp$). Given the ciphertext $C^1$ and the secret key $sk$ as inputs, the algorithm retrieves the message m only if $\sigma \subset {\mathcal{P}}_r$. Otherwise, the algorithm returns an error symbol ⊥.
• Edit ($(C^2,sk,m^{{}^{\prime }},{\mathcal{P}}_r^{{}^{\prime }},{\mathcal{P}}_e^{{}^{\prime }})\to (C^{{}^{\prime }},H^{{}^{\prime }})$). Given the ciphertext $C^2$, secret key $sk$, and new message $m^{{}^{\prime }}$ along with their respective policies $({\mathcal{P}}_r^{{}^{\prime }},{\mathcal{P}}_e^{{}^{\prime }})$, the algorithm generates a new ciphertext $C^{{}^{\prime }}$ and hash value $H^{{}^{\prime }}=(h,r_h^{{}^{\prime }})$. Importantly, the editability feature preserves the correspondence of on-chain hashes and off-chain data.

4.2. Detailed Construction

We now describe the detail of PRBFM.

Setup $\lambda \to (mpk,msk)$: Based on the decentralized key generation protocol, multiple privilege nodes cooperate to generate the system parameters.

• Generate the description of bilinear map $\mathsf{\Gamma }=(p,g,\mathbb{G},{\mathbb{G}}_T,e)$, where $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$. Subsequently, assume the attribute universe as $\mathcal{U}$ and the size of $\mathcal{U}$ as n. Set the threshold of policy matching as d. Next, generate n random values ${\left\{r_i\right\}}^n$. Then, compute ${\{R_i=g^{r_i}\}}^n$. Next, select a random value $\alpha \in {\mathbb{Z}}_p$ and a hash function $H[·]:{\mathbb{G}}_T\to {\{0,1\}}^{*}$.
• Generate the master secret key $msk=({\left\{r_i\right\}}^n,\alpha )$ and the master public key $mpk=({\left\{R_i\right\}}^n,g^{\alpha },H,\mathsf{\Gamma })$.

KeyGen $(msk,\sigma )\to sk$: A user selects a privilege node for registration, and the privilege node combines the user’s attribute set to generate the secret key.

• Randomly generate a $(d-1)$-degree polynomial $q\left(x\right)=\alpha +a_{1}x+a_2{x}^2+\cdots +a_{d-1}{x}^{d-1}$, where $q\left(0\right)=\alpha$. Then, for each attribute $i\in \sigma$, compute $q\left(i\right)$. Subsequently, utilize the Lagrange interpolation theorem to compute the Lagrange parameters ${\left\{{\mathsf{\Delta }}_{i,\sigma }\left(0\right)\right\}}_i^{\sigma }$.
• Generate the secret key $sk={\{s{k}_i=g^{\frac{q\left(i\right){\mathsf{\Delta }}_{i,\sigma }\left(0\right)}{r_i}}\}}_i^{\sigma }$. Then, return $sk$ to the user.

Encrypt $(m,x,{\mathcal{P}}_r,{\mathcal{P}}_e)\to (C,H)$: based on readability and editability policies, a user generates the ciphertext and hash value.

• Select two random values $d_1\in {\mathbb{Z}}_p$ and $d_2\in {\mathbb{Z}}_p$. Generate the readability policy ${\mathcal{P}}_r$. Compute ${\{C_{1,i}=R_i^{d_1}\}}_i^{{\mathcal{P}}_r}$ and ${\{C_{2,i}=R_i^{d_2}\}}_i^{{\mathcal{P}}_r}$. Subsequently, compute $C_3=g^{\alpha d_2}$ and $C_m=m\oplus H\left[e{(g,g)}^{\alpha d_1}\right]$.
• Select two random values $d_3\in {\mathbb{Z}}_p$ and $d_4\in {\mathbb{Z}}_p$, and the chameleon secret key x. Generate the editability policy ${\mathcal{P}}_e$. Subsequently, compute ${\{C_{4,i}=R_i^{d_3}\}}_i^{{\mathcal{P}}_e}$, ${\{C_{5,i}=R_i^{d_4}\}}_i^{{\mathcal{P}}_e}$, $C_6=g^{\alpha d_4}$, and $C_7=g^x$. To guarantee the right downward compatibility, compute $C_x=x\oplus H\left[e{(g,g)}^{\alpha d_1}\right]\oplus H\left[e{(g,g)}^{\alpha d_3}\right]$.
• Select a random value $r_h\in {\mathbb{Z}}_p$ to compute the chameleon hash $h=g^{C_m}{g}^{x{r}_h}$.
• Generate the ciphertext $C=({\left\{C_{1,i}\right\}}_i^{{\mathcal{P}}_r},{\left\{C_{2,i}\right\}}_i^{{\mathcal{P}}_r},C_3$, ${\left\{C_{4,i}\right\}}_i^{{\mathcal{P}}_e}$, ${\left\{C_{5,i}\right\}}_i^{{\mathcal{P}}_e},C_6,C_7,C_m,C_x)$ and hash value $H=(h,r_h)$.
• Send the pair $(C,H)$ to computation nodes and the chameleon hash h to the blockchain. Next, computation nodes upload the pairs to storage nodes.

Verify $(C,H)\to d_v$: computation nodes verify the validity of the pair $(C,H)$ and output a verification result.

• Check the equation $h\stackrel{?}{=}{g}^{C_m}{C}_7^{r_h}$. If the equation holds, output $d_v$ as 1. Otherwise, output $d_v$ as 0 prompts the storage nodes that the pair $(C,H)$ is invalid.

TrGen $sk\to T$: a user leverages the secret key to generate a trapdoor and sends it to computation nodes.

• Select a random value $t\in {\mathbb{Z}}_p$ and compute $T_1=g^t$. Then, utilize $sk$ to compute ${\{T_{2,i}=s{k}_i^t\}}_i^{\sigma }$.
• Generate the trapdoor $T=(T_1,{\left\{T_{2,i}\right\}}_i^{\sigma })$ and send T to computation nodes.

Match $(C,T)\to d_m$: computation nodes utilize the ciphertext and trapdoor to perform policy verification without compromising user privacy.

• Obtain ciphertexts from the storage nodes. Based on the threshold d, respectively select d values from ${\left\{C_{2,i}\right\}}_i^{{\mathcal{P}}_r}$ and ${\left\{T_{2,i}\right\}}_i^{\sigma }$ to conduct a set ${\mathcal{P}}_{r,j}$. Then, for each ${\mathcal{P}}_{r,j}$, check the equation ${\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{r,j}}e(C_{2,i},T_{2,i})\stackrel{?}{=}e(C_3,T_1)$.
• If the equation does not hold for all ${\mathcal{P}}_{r,j}$, computation nodes output $d_m=0$. Otherwise, record the set ${\mathcal{P}}_{r,j}$ and computation nodes output $d_m=1$. In addition, it means that the user is an authorized reader of this message.
• If $d_m$ equals to 1, computation nodes further select d values from ${\left\{C_{5,i}\right\}}_i^{{\mathcal{P}}_e}$ and ${\left\{T_{2,i}\right\}}_i^{\sigma }$ to conduct a set ${\mathcal{P}}_{e,j}$. Then, for each ${\mathcal{P}}_{e,j}$, check the equation ${\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{e,j}}e(C_{5,i},T_{2,i})\stackrel{?}{=}e(C_6,T_1)$. If this equation holds, computation nodes output $d_m=2$, and it means that the user is an authorized modifier for this message. Then, record the set ${\mathcal{P}}_{e,j}$.
• If $d_m$ equals to 1, return $C^1=({\mathcal{P}}_{r,j},{\left\{C_{1,i}\right\}}_i^{{\mathcal{P}}_r},C_m)$ to the user. If $d_m$ equals to 2, return $C^2=({\mathcal{P}}_{r,j}$, ${\mathcal{P}}_{e,j}$, ${\left\{C_{1,i}\right\}}_i^{{\mathcal{P}}_r}$, ${\left\{C_{4,i}\right\}}_i^{{\mathcal{P}}_e}$, $C_m,C_x)$ to the user.

Read $(C^1,sk)\to m$: receiving the data from the computation nodes, the user utilizes his/her secret key to recover the message.

• Compute $R={\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{r,j}}e(C_{1,i},s{k}_i)=e{(g,g)}^{\alpha d_1}$. Recover the message $m=C_m\oplus H\left[R\right]$.

Edit $(C^2,sk,m^{{}^{\prime }},{\mathcal{P}}_r^{{}^{\prime }},{\mathcal{P}}_e^{{}^{\prime }})\to (C^{{}^{\prime }},H^{{}^{\prime }})$: based on the secret key, the user read and edit the message.

• Perform the Read algorithm to recover the message m.
• Compute $E={\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{e,j}}e(C_{4,i},s{k}_i)=e{(g,g)}^{\alpha d_3}$. Recover the message $x=C_x\oplus H\left[E\right]\oplus H\left[R\right]$. If the user attempts to edit the message, generate a new message $m^{{}^{\prime }}$. Subsequently, generate new readability policy ${\mathcal{P}}_r^{{}^{\prime }}$ and editability policy ${\mathcal{P}}_e^{{}^{\prime }}$ and compute the ciphertext $C^{{}^{\prime }}=({\{C_{1,i}^{{}^{\prime }}\}}_i^{{\mathcal{P}}_r^{{}^{\prime }}},{\{C_{2,i}^{{}^{\prime }}\}}_i^{{\mathcal{P}}_r^{{}^{\prime }}},C_3^{{}^{\prime }}$, ${\{C_{4,i}^{{}^{\prime }}\}}_i^{{\mathcal{P}}_e^{{}^{\prime }}},{\{C_{5,i}^{{}^{\prime }}\}}_i^{{\mathcal{P}}_e^{{}^{\prime }}},C_6^{{}^{\prime }},C_7,C_m^{{}^{\prime }},C_x^{{}^{\prime }})$. Next, compute $r_h^{{}^{\prime }}$=$\frac{C_m-C_m^{{}^{\prime }}}{x}$$+r_h$ and generate $H^{{}^{\prime }}=(h,r_h^{{}^{\prime }})$.
• Send the new pair $(C^{{}^{\prime }},H^{{}^{\prime }})$ to computation nodes.

The workflow of PRBFM is shown in Figure 3.

5. Analysis and Discussion

5.1. Correctness Analysis

Theorem 1. 

In PRBFM, if and only if an attribute set σ of the user satisfies the policy of the data owner for readers, i.e., ${\mathcal{P}}_r\subset \sigma$, the $d_m=1$ and the user is an authorized reader.

Proof. 

From the Encrypt step, the data owner generates the ciphertext $C=({\{C_{1,i}\}}_i^{{\mathcal{P}}_r},{\{C_{2,i}\}}_i^{{\mathcal{P}}_r}$,$C_3$, ${\{C_{4,i}\}}_i^{{\mathcal{P}}_e}$, ${\{C_{5,i}\}}_i^{{\mathcal{P}}_e},C_6,C_7$$,C_m,C_x)$ and hash value $H=(h,r_h)$. Then, we concentrate on the correctness in the Match and the Read step. In the Match step, after receiving the trapdoor $T=(T_1,{\left\{T_{2,i}\right\}}_i^{\sigma })$, the computation nodes first respectively select d values from ${\left\{C_{2,i}\right\}}_i^{{\mathcal{P}}_r}$ and ${\left\{T_{2,i}\right\}}_i^{\sigma }$ to conduct a set ${\mathcal{P}}_{r,j}$ according to the threshold d. Then, for each ${\mathcal{P}}_{r,j}$, the computation nodes compute

$$\begin{array}{cc}\hfill {\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{r,j}}e(C_{2,i},T_{2,i})& ={\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{r,j}}e(R_i^{d_2},s{k}_i^t)\hfill \\ \hfill & ={\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{r,j}}e(g^{d_2·r_i},g^{\frac{q\left(i\right)·{\mathsf{\Delta }}_{i,\sigma }\left(0\right)·t}{r_i}})\hfill \\ \hfill & =e{(g,g)}^{d_2·t·{\sum }_{i=1}^{{\mathcal{P}}_{r,j}}(q\left(i\right)·{\mathsf{\Delta }}_{i,\sigma }\left(0\right))}\hfill \\ \hfill & =e(g^{\alpha d_2},g^t)\hfill \\ \hfill & =e(C_3,T_1).\hfill \end{array}$$

(5)

Therefore, in the Match step, the correctness of PRBFM holds. In the Read step, a user gets $C^1=({\mathcal{P}}_{r,j},{\left\{C_{1,i}\right\}}_i^{{\mathcal{P}}_r},C_m)$, and H from the computation nodes. Next, based on his/her secret key $sk$, the user computes

$$\begin{array}{cc}\hfill & C_m\oplus H[{\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{r,j}}e(C_{1,i},s{k}_i)]\hfill \\ & =C_m\oplus H[{\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{r,j}}e(g^{d_1·r_i},g^{\frac{q\left(i\right){\mathsf{\Delta }}_{i,\sigma }\left(0\right)}{r_i}})]\hfill \\ \hfill & =C_m\oplus H[e{(g,g)}^{d_1·{\sum }_{i=1}^{{\mathcal{P}}_{r,j}}(q\left(i\right)·{\mathsf{\Delta }}_{i,\sigma }\left(0\right))}]\hfill \\ \hfill & =m\oplus H[e{(g,g)}^{\alpha d_1}]\oplus H[e{(g,g)}^{\alpha d_1}]\hfill \\ \hfill & =m.\hfill \end{array}$$

(6)

On the basis of the Lagrange interpolation theorem, if and only if the policy ${\mathcal{P}}_r$ satisfies ${\mathcal{P}}_r\subset \sigma$, the message m can be recovered and Equations (5) and (6) hold. Therefore, Theorem 1 is proven. □

Theorem 2. 

In PRBFM, if and only if an attribute set σ of the user satisfies the policy of the data owner for modifiers, i.e., ${\mathcal{P}}_e\subset \sigma$, the $d_m=2$ and the user is an authorized modifier.

Proof. 

Similar to Theorem 1, we first prove the correctness of evaluating whether a given user is an authorized modifier in the Match step. Concretely, the computation nodes first select d values from ${\left\{C_{5,i}\right\}}_i^{{\mathcal{P}}_e}$ and ${\left\{T_{2,i}\right\}}_i^{\sigma }$ to conduct a set ${\mathcal{P}}_{e,j}$. Then, for each ${\mathcal{P}}_{e,j}$, the computation nodes compute

$$\begin{array}{cc}\hfill {\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{e,j}}e(C_{5,i},T_{2,i})& ={\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{e,j}}e(g^{d_4·r_i},g^{\frac{q\left(i\right)·{\mathsf{\Delta }}_{i,\sigma }\left(0\right)·t}{r_i}})\hfill \\ \hfill & =e{(g,g)}^{d_4·t·{\sum }_{i=1}^{{\mathcal{P}}_{e,j}}(q\left(i\right)·{\mathsf{\Delta }}_{i,\sigma }\left(0\right))}\hfill \\ \hfill & =e(C_6,T_1).\hfill \end{array}$$

(7)

Then, in the Edit step, if and only if ${\mathcal{P}}_e\subset \sigma$, the user can recover the chameleon secret key x as follows:

$$\begin{array}{cc}\hfill C_x\oplus H\left[E\right]\oplus H\left[R\right]& =C_x\oplus H[e{(g,g)}^{d_3·{\sum }_{i=1}^{{\mathcal{P}}_{e,j}}(q\left(i\right)·{\mathsf{\Delta }}_{i,\sigma }\left(0\right))}]\oplus H\left[R\right]\hfill \\ \hfill & =C_x\oplus H[e{(g,g)}^{\alpha d_3}]\oplus H[e{(g,g)}^{\alpha d_1}]\hfill \\ \hfill & =x.\hfill \end{array}$$

(8)

where $E={\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{e,j}}e(C_{4,i},s{k}_i)$ and $R={\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{r,j}}e(C_{1,i},s{k}_i)$. Next, based on the x recovered according to Equation (8), the user computes $r_h^{{}^{\prime }}$=$\frac{C_m-C_m^{{}^{\prime }}}{x}$$+r_h$. Notably, if and only if $r_h^{{}^{\prime }}$ is calculated as mentioned above, the following equation holds:

$$g^{C_m}·C_7^{r_h}\stackrel{?}{=}{g}^{C_m^{{}^{\prime }}}·C_7^{r_{h^{{}^{\prime }}}}.$$

(9)

Otherwise, the x is not valid, and the modification is recognized as illegal. Therefore, Theorem 2 is proven. □

5.2. Security Analysis

The security properties of PRBFM are formally defined based on its construction. These include privacy security, which encompasses data privacy, policy privacy, and attribute privacy, as well as user collusion resistance and collision resistance. The security model follows the oracle model and is indistinguishable under a chosen-ciphertext attack (IND-CCA). The experiment involves a PPT adversary $\mathcal{A}$ and a challenger $\mathcal{C}$ and is depicted in detail in Figure 4.

Theorem 3. 

For two multiplicative groups $(\mathbb{G},{\mathbb{G}}_T,e)$, and a bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$, if the Decisionla MBDH problem is hard in $(\mathbb{G},{\mathbb{G}}_T,e)$, any PPT adversaries are not able to violate the read-only ciphertext indistinguishability by adopting the chosen-ciphertext attack in the random oracle model.

Proof. 

We here assume that if simulator $\mathcal{B}$ has the tuple $(A,B,C,$$Z)$=$(g^a,g^b,$$g^c,$$e{(g,g)}^z)$, he will manage to distinguish whether $e{(g,g)}^z$ is equal to $e{(g,g)}^{\frac{ab}{c}}$ in the simulation. The detailed process of the simulation is illustrated as follows:

Game 0. Game 0 is the original game, where nothing is different from the original scheme.

Game 1. Game 1 differs from Game 0 in the Setup step. For any $i\in \sigma$: $R_i=g^{\frac{1}{{\zeta }_i}}$; for $i\notin \sigma$: $R_i=g^{\frac{1}{{\omega }_i}}$. Next, simulator $\mathcal{B}$ gives the public parameters to adversary $\mathcal{A}$. From adversary $\mathcal{A}$’s view, the received public parameters are indistinguishable from the ones in Game 0. The adversary $\mathcal{A}$ will terminate the game and return fail if it can tell the difference with the advantage ${\epsilon }_{DL}$.

Game 2. Game 2 differs from Game 0 in the KeyGen step. Adversary $\mathcal{A}$ requests for the secret key of the user. For any $i\in \sigma$: $s{k}_i=C^{{\zeta }_{i}q\left(i\right){\mathsf{\Delta }}_{i,\sigma }\left(0\right)}$; for $i\notin \sigma$: $s{k}_i=C^{{\omega }_{i}q\left(i\right){\mathsf{\Delta }}_{i,\sigma }\left(0\right)}$. Next, simulator $\mathcal{B}$ gives the secret key $sk$ to adversary $\mathcal{A}$. The adversary $\mathcal{A}$ will terminate the game and return fail if it can tell the difference with the advantage ${\epsilon }_{DL}$.

Game 3. Game 3 differs from Game 2 in terms of the hash oracle ${\mathcal{O}}_H$. Simulator $\mathcal{B}$ submits the message m to ${\mathcal{O}}_H$ and receives the requested hash value. During the i-th request, simulator $\mathcal{B}$ generates the hash value $H\left(i\right)=ms{g}_i$ and stores $H\left(i\right)$ as $|ms{g}_i|=|m|$. The adversary $\mathcal{A}$ will terminate the game and return fail if it can tell the difference with the advantage ${\epsilon }_H$.

Game 4. Game 4 differs from Game 3 in terms of Challenge. The adversary $\mathcal{A}$ submits two challenge messages $m_0$ and $m_1$ to simulator $\mathcal{B}$, where $|m_0|=|m_1|$. The simulator $\mathcal{B}$ flips a coin b and returns a challenge encryption $C_b$. Then, for $i\in \sigma$, simulator $\mathcal{B}$ computes

$$\begin{array}{cc}\hfill C_{m^{*}}& =m\oplus H\left[Z\right]\hfill \\ \hfill C_{1,i}^{*}& =B^{d_1}\hfill \\ \hfill C_{2,i}^{*}& =C^{d_2}\hfill \\ \hfill C_3^{*}& =A^{{\eta }_i}.\hfill \end{array}$$

(10)

For $i\notin \epsilon$, $\mathcal{B}$ computes

$$\begin{array}{cc}\hfill C_{m^{*}}& =m\oplus H\left[Z\right]\hfill \\ \hfill C_{1,i}^{*}& =B^{\frac{{\mu }_{i,1}}{{\omega }_i}}\hfill \\ \hfill C_{2,i}^{*}& =C^{\frac{{\mu }_{i,2}}{{\omega }_i}}\hfill \\ \hfill C_3^{*}& =A^{{\eta }_i}.\hfill \end{array}$$

(11)

If $Z=e{(g,g)}^{\frac{ab}{c}}$ and ${\alpha }^{{}^{\prime }}=\frac{b}{c}$, we then obtain $C_{m^{*}}=$$m\oplus H[Z]=$$m\oplus H[e{(g,g)}^{\frac{ab}{c}}]=$$m\oplus H[e{(g,g)}^{a{\alpha }^{{}^{\prime }}}]$, $C_3^{*}=$$A^{{\eta }_i}=$$g^{a{\eta }_i}$. For $i\in \sigma$, $C_{1,i}^{*}=$$B^{d_1}=$$g^{b{d}_1}$ and $C_{2,i}^{*}=$$C^{d_2}=$$g^{c{d}_2}$; for $i\notin \sigma$, $C_{1,i}^{*}=$$B^{\frac{{\mu }_{i,1}}{{\omega }_i}}=$$g^{b\frac{{\mu }_{i,1}}{{\omega }_i}}$ and $C_{2,i}^{*}=C^{\frac{{\mu }_{i,2}}{{\omega }_i}}=g^{c\frac{{\mu }_{i,2}}{{\omega }_i}}$.

If $Z=e{(g,g)}^Z$, because z is randomly selected, Z will be random from the view of the adversary $\mathcal{A}$. The game will be terminated if $\mathcal{A}$ can tell the difference between Game 4 and Game 3. Otherwise, $\mathcal{B}$ is able to solve the MBDH problem. Concretely, if $Z=e{(g,g)}^z$, $Pr[b^{{}^{\prime }}=b|Z=e{(g,g)}^z]$$=Pr[b^{{}^{\prime }}\ne b|Z=e{(g,g)}^z]$$=\frac{1}{2}$. If $Z=e{(g,g)}^{\frac{ab}{c}}$, the adversary $\mathcal{A}$ has an advantage ${\epsilon }^{{}^{\prime }}$ to break the game. Next, the possibility of $\mathcal{A}$’s guess $b=b^{{}^{\prime }}$ is $Pr[b^{{}^{\prime }}=b|Z=e{(g,g)}^{\frac{ab}{c}}]$$=\frac{1}{2}+{\epsilon }^{{}^{\prime }}$. Therefore, the overall advantage of the simulator $\mathcal{B}$ for breaking the MBDH game is $Ad{v}_{\mathcal{B}}^{MBDH}[b^{{}^{\prime }}=b]$$=|\frac{1}{2}Pr[b^{{}^{\prime }}=b|Z=e{(g,g)}^z]$$+\frac{1}{2}Pr[b^{{}^{\prime }}=b|Z=e{(g,g)}^{\frac{ab}{c}}]$$-\frac{1}{2}|$$=\frac{1}{2}{\epsilon }^{{}^{\prime }}$.

Game 5. The adversary $\mathcal{A}$ and the simulator $\mathcal{B}$ play the game as mentioned before, except $\sigma \ne {\sigma }^{*}$. If adversary $\mathcal{A}$ can tell the difference between Game 4 and Game 5, simulator $\mathcal{B}$ has the advantage ${\epsilon }_{DL}$ to break the discrete logarithm (DL) problem. Therefore, we obtain $Ad{v}_{\mathcal{A}}[b^{{}^{\prime }}=b]=2{\epsilon }_{DL}+{ϵ}_H+\frac{1}{2}{\epsilon }^{{}^{\prime }}$ as the advantage for the adversary $\mathcal{A}$ to win the game. Because the MBDH problem is hard, the components in $Ad{v}_{\mathcal{A}}[b^{{}^{\prime }}=b]$ are all negligible. Hence, the $Ad{v}_{\mathcal{A}}[b^{{}^{\prime }}=b]$ is also negligible. Next, $(C_0^{*},H_0^{*})$ and $(C_1^{*},H_1^{*})$ are indistinguishable from the view of the adversary $\mathcal{A}$. Hence, the PRBFM scheme is able to defend against the chosen-ciphertext attack, and Theorem 3 is proven. □

Theorem 4. 

The security of PRBFM includes data privacy, attribute privacy, and policy privacy.

Proof. 

Obviously, the security of PRBFM includes data privacy. When it comes to attribute privacy, because the communication channel is secure, the user’s attribute set $\sigma$ can be prevented from being exposed to other entities except for selected privilege nodes during the KeyGen step. Next, in the Match step, the attribute privacy means the indistinguishability of $T_0=(T_{0,1},{\left\{T_{0,2,i}\right\}}_i^{{\sigma }_0})$ and $T_1=(T_{1,1},{\left\{T_{1,2,i}\right\}}_i^{{\sigma }_1})$. In particular, the simulator $\mathcal{B}$ first selects a random value $\alpha \in {\mathbf{Z}}_p$. Then, it computes $T_b=(T_{b,0}=g^{\alpha },{\{T_{b,1,i}=g^{s{k}_i^{\alpha }}\}}^{{\sigma }_b})$ and sends $T_b$ to adversary $\mathcal{A}$. Next, the adversary $\mathcal{A}$ has a negligible advantage $\epsilon$ to guess whether $b=b^{{}^{\prime }}$ as follows:

$$Ad{v}_{\mathcal{A}}^{Attr-Pri}[b^{{}^{\prime }}=b|\mathcal{A}({\sigma }_0,{\sigma }_1,T_b)]\le \epsilon .$$

(12)

Hence, adversary $\mathcal{A}$ is not able to violate the attribute privacy during the Match step. For other steps such as Setup, Encrypt, Verify, Read, and Edit, the adversary $\mathcal{A}$ is not able to get information related to the secret key $sk$. Therefore, attribute privacy in PRBFM is guaranteed.

For policy privacy, adversary $\mathcal{A}$ can violate it in two ways. The first is obtaining policies $({\mathcal{P}}_r,{\mathcal{P}}_e)$ from the ciphertext $\mathcal{C}$ generated by the data owner. If the adversary $\mathcal{A}$ is able to obtain $({\mathcal{P}}_r,{\mathcal{P}}_e)$ from $\mathcal{C}$, similar to Theorem 3, simulator $\mathcal{B}$ has the ability to perform a PPT algorithm to break the MBDH problem. However, it is evident that the MBDH problem is hard. Thus, adversary $\mathcal{A}$ is not able to violate the policy privacy from the ciphertext $\mathcal{C}$. □

Theorem 5. 

If the correctness of the Lagrange interpolation theorem-based secret sharing scheme [32] holds and Theorem 3 is proven, PRBFM can defend against the user collusion attack.

Proof. 

Here, we assume that the user may colludes with other users, but there is no collusion with the blockchain nodes. In the KeyGen step, the privilege node randomly generates a Lagrange polynomial $q\left(x\right)$. Then, it calculates $q\left(i\right)$ and the Lagrange parameters ${\left\{{\mathsf{\Delta }}_{i,\sigma }\left(0\right)\right\}}_i^{\sigma }$ for each attribute $i\in \sigma$. In PRBFM, only the privilege nodes can obtain ${\left\{q\left(i\right)\right\}}_i^{\sigma }$ and ${\left\{{\mathsf{\Delta }}_{i,\sigma }\right\}}_i^{\sigma }$. Suppose an unauthorized user with $q^{{}^{\prime }}\left(1\right){\mathsf{\Delta }}_{1,\sigma }^{{}^{\prime }}\left(0\right)$ collude with $d-1$ unauthorized users who have $\{q^{{}^{\prime }}\left(i\right)$${\mathsf{\Delta }}_{i,\sigma }^{{}^{\prime }}{\left(0\right)\}}_{i=1}^d$, and their aim is to violate the readability governance in PRBFM. According to Equation (6), $m=C_m$$\oplus H[{\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{r,j}}$$e(C_{1,i},$$s{k}_i)]$. Next, the unauthorized user computes

$$\begin{array}{cc}\hfill & C_m\oplus H[{\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{r,j}}e(C_{1,i},s{k}_i)]\hfill \\ & =C_m\oplus H[{\mathsf{\Pi }}_{i=1}^{{\mathcal{P}}_{r,j}}e(g^{d_1·r_i},g^{\frac{q^{{}^{\prime }}\left(i\right){\mathsf{\Delta }}_{i,\sigma }^{{}^{\prime }}\left(0\right)}{r_i}})]\hfill \\ \hfill & =C_m\oplus H[e{(g,g)}^{d_1·{\sum }_{i=1}^{{\mathcal{P}}_{r,j}}(q^{{}^{\prime }}\left(i\right)·{\mathsf{\Delta }}_{i,\sigma }^{{}^{\prime }}\left(0\right))}].\hfill \end{array}$$

(13)

On the basis of the correctness of the Lagrange interpolation theorem-based secret sharing scheme, we can indicate that ${\sum }_{i=1}^{{\mathcal{P}}_{r,j}}(q^{{}^{\prime }}\left(i\right)·{\mathsf{\Delta }}_{i,\sigma }^{{}^{\prime }}\left(0\right))$ is not equivalent to the secret value $\alpha$. Hence, the user cannot violate the readability governance. The user collusion resistance of the editability governance can also be proved in a similar way as the proof of the readability analyzed above. □

Theorem 6. 

If the chameleon hash [16] satisfies the collision resistance, PRBFM can defend against hash collision in the random oracle model.

Proof. 

In PRBFM, the Lagrange interpolation theorem is utilized to enhance the chameleon hash-based redactable blockchain with PRBFM and bilateral access control. Thus, the collision resistance problem of PRBFM is equivalent to the collision resistance of the chameleon hash. Hence, Theorem 6 is proven. □

5.3. Complexity Analysis

In

Table 1. Comparison table of some recently proposed schemes.

Scheme	Computational Complexity				Space Complexity
	KeyGen	Encrypt	Verify	Edit	System Parameter	Encryption Key	Decryption Key	Ciphertext
Derler et al.’s [6] scheme	$\mathcal{O}\left(2\sigma \right)$	$\mathcal{O}\left({\sigma }^2\right)$	$\mathcal{O}\left(1\right)$	$\mathcal{O}({\sigma }^2+2\sigma )$	$\mathcal{O}\left(1\right)$	$\mathcal{O}\left(\sigma \right)$	$\mathcal{O}\left(2\sigma \right)$	$\mathcal{O}\left(3\sigma \right)$
Ma et al.’s [7] scheme	$\mathcal{O}\left(\sigma \right)$	$\mathcal{O}\left(2\sigma \right)$	$\mathcal{O}\left(1\right)$	$\mathcal{O}\left(6\sigma \right)$	$\mathcal{O}\left(1\right)$	$\mathcal{O}\left(\sigma \right)$	$\mathcal{O}\left(2\sigma \right)$	$\mathcal{O}\left(4\sigma \right)$
Xu et al.’s [21] scheme	$\mathcal{O}(\sigma +l)$	$\mathcal{O}\left({\sigma }^2\right)$	$\mathcal{O}\left(1\right)$	$\mathcal{O}(l^2+3l)$	$\mathcal{O}\left(1\right)$	$\mathcal{O}\left(\sigma \right)$	$\mathcal{O}\left(\sigma \right)$	$\mathcal{O}\left(2\sigma \right)$
PRBFM	$\mathcal{O}\left(\sigma \right)$	$\mathcal{O}({\mathcal{P}}_r+{\mathcal{P}}_e)$	$\mathcal{O}\left(1\right)$	$\mathcal{O}\left(3\sigma \right)$	$\mathcal{O}\left(1\right)$	$\mathcal{O}({\mathcal{P}}_r+{\mathcal{P}}_e)$	$\mathcal{O}\left(\sigma \right)$	$\mathcal{O}({\mathcal{P}}_r+{\mathcal{P}}_e)$

, we present the comparison among some recently proposed schemes and PRBFM from the aspects of computational complexity and space complexity, where l is the size of the identity space in Xu et al.’s [21] scheme.

For computational complexity, PRBFM is comparable to that of Xu et al.’s and Ma et al.’s schemes and significantly outperforms that of Derler et al.’s scheme. PRBFM’s key generation step has a computational complexity of $\mathcal{O}\left(\sigma \right)$ because its privilege nodes randomly select one Lagrange polynomial and perform operations. The computational complexity of the encryption algorithm is about the number of attributes and the size of the policy rather than their multiplication. For the verification steps, it only calculates one equation instead of processing more verification steps in Ma et al.’s scheme and Derler et al.’s scheme, which makes its complexity $\mathcal{O}\left(1\right)$. When it comes to the Read and Edit step, the computational complexity of PRBFM is also comparable to other schemes as it is only related to the size of the policy and the number of attributes.

The space complexity of PRBFM’s system parameter is fixed because of the utilization of collision-resistant hash functions, making it comparable with other schemes. The space complexity of the Encrypt, Read, and Edit processes are also influenced by the policy size and number of attributes, respectively. Additionally, since they are determined by the size of the policy and the number of attributes, the space complexity of the ciphertext and the trapdoor is comparable to others.

5.4. Application Discussion

This part explores the potential applications of PRBFM in real-world scenarios. As previously demonstrated, PRBFM successfully addresses limitations in terms of security and functionality. Consequently, PRBFM can be applied in diverse and intricate real-world scenarios while ensuring data privacy preservation.

• Smart Medical: Drug testing in the smart medical scenario, based on mobile crowdsourcing, can utilize various sensors. Typically, access to these medical data is limited to patients with specific symptoms. However, attaining a 100% match using patients’ physiological data is not feasible, considering the variability of these numerical values. Furthermore, since these physiological data belong to the patients themselves, it is crucial to protect their privacy. Consequently, based on its characters, PRBFM can be applied in this scenario to overcome these challenges.
• Smart Transportation: Some companies may employ vehicles equipped with sensors to collect and update transportation data for the purpose of offering predictive services. However, to alleviate the server load, only vehicles in specific conditions (e.g., traffic jams) would be granted access to these prediction data, as using the strict match rule to judge the satisfaction of the conditions is unrealistic. Thus, in this scenario, there is a significant need for fuzzy matching with data privacy preservation, making it conducive to adopting PRBFM.

6. Experimental Evaluation

6.1. Experimental Settings

6.1.1. Setup

We have implemented a prototype system to evaluate the experimental performance of PRBFM. The system programming was carried out in Java, utilizing the Java Pairing-Based Cryptography (JPBC) library. Then, the Type A curve with 80-bit security was selected as the symmetric pairing (Type-I). For the blockchain system, we opted for the FISCO blockchain because of its reliability. To test our schemes, we employed five cloud servers with eight CPUs and 32 GB RAM as blockchain nodes. Of these nodes, two were chosen to be the privilege nodes. To simulate users and data owners, volunteers utilized PCs with 16 GB RAM to communicate with the blockchain nodes. We assumed each user would select a maximum of 100 attributes (i.e., affiliation, occupation, and gender) without loss of generality. Each experiment was conducted ten times, and the average cost was recorded as the final result.

6.1.2. Dataset

To show the efficacy of our proposed schemes, we deployed the MHN dataset, which holds millions of published news headlines sourced from the Australian Broadcasting Corporation. In the course of the experiments, the data owner chooses a headline randomly and uploads it to the blockchain nodes.

6.1.3. Baselines for Comparison

We conducted an assessment of the effectiveness of our proposed PRBFM model by comparing it with other recent fine-grained redactable blockchain schemes, including Derler et al.’s scheme [6], Ma et al.’s scheme [7], and Xu et al.’s scheme [21].

6.1.4. Metrics

To more fully evaluate the performance of PRBFM, we will measure it by four types of metrics:

• The running time for key generation;
• Time consumption on the data owner side;
• Time consumption on the user side;
• Consumption on the blockchain node side.

6.2. Experimental Results

First, we measure the performance of the KeyGen step on the privilege node regarding computational costs. We varied the number of attributes from 10 to 100, and the results are displayed in Figure 5. The experimental results indicate that the PRBFM schemes are more efficient in comparison to other schemes. For instance, when the size of attributes is set to 100, PRBFM takes only 1 s to complete key generation, while Derler et al.’s scheme, Ma et al.’s scheme, and Xu et al.’s scheme require 17s, 6s, and 10s, respectively. The reason for this disparity is that the privilege nodes in PRBFM only select one Lagrange polynomial randomly and perform operations with $\mathcal{O}\left(\sigma \right)$ complexity. In contrast, the three other proposed schemes require pairing operations or hash calculations to obtain the secret key.

To measure the time consumption on the data owner side, we set the policy range from 10 to 100, as shown in Figure 6. Derler et al.’s scheme and Xu et al.’s scheme incur larger time consumption due to extra exponent operations. In contrast, Ma et al.’s scheme and PRBFM exhibit better performance. Additionally, the Adapt step in Ma et al.’s scheme requires extra pairing operations for policy matching, resulting in larger time consumption for Ma et al.’s scheme than PRBFM.

Regarding Figure 7a, the time consumption is evaluated with the policy size ranging from 10 to 100. The practicality of the Verify step in all schemes for real-world scenarios is evident. Notably, PRBFM only needs to verify the generic trapdoor, while Derler et al.’s scheme and Ma et al.’s scheme are required to verify both the generic and ephemeral trapdoor. Therefore, the time consumption for Derler et al.’s and Ma et al.’s schemes is comparatively higher than PRBFM’s. Additionally, Xu et al.’s scheme requires more time-consuming operations during the verification step, resulting in it having a higher time consumption than any other scheme.

We then evaluate the time consumption of the trapdoor generation in terms of the user and blockchain nodes. More specifically, we randomly select multiple policy sets with varying data sizes. We denote the total number of policy sets as $A_p$. Initially, the user is required to obtain the trapdoor related to their attributes, with the number of requests ranging from 10 to 50. Figure 7b indicates that when a user sends 50 data requests to PCBR with $A_p=5$, the time consumption is 26 s, which is considered practical for real-world scenarios.

During the Match stage, we experimented with varying the size of the policy between 10 and 100. To illustrate the results of the experiment for the readability and editability policy match, Figure 8a,b, respectively, display the outcomes. We observed that as the size of the policy increased, the time taken to complete the process increased as well for both readability and editability policy match. Moreover, both matching processes took less than 2 s, indicating the viability of PRBFM. Notably, implementing some cryptographic techniques, such as those presented in [33,34], may improve the efficiency of our proposed strategies. Due to space constraints, we reserve the investigation of streamlining our techniques for future research.

Next, we evaluate the time consumption for the Read step in terms of authorized readers. In Figure 7c, the number of requesters ranges from 10 to 50, while the value of $A_p$ is set at 1 and 5. Since in the PRBFM scheme, the set $\mathcal{P}r,j$ is utilized by authorized readers to recover the message with linear complexity while delegating the policy-matching process to the blockchain nodes, the time consumption for message reading is relatively low. As illustrated in Figure 7c, even with five separate policy sets ($Ap=5$) and 50 requests, an authorized reader can read messages within 0.8 s.

In this part, we assessed the time consumption among Derler et al.’s scheme, Ma et al.’s scheme, Xu et al.’s scheme, and PRBFM for authorized modifiers. As demonstrated in Figure 7d, PRBFM is more effective than the other schemes when it comes to message editing. This outcome is due to the better performance of PRBFM in the two significant operations (i.e., chameleon secret key recovery and the Encrypt step) of the Edit step.

Finally, we evaluated the proposed schemes’ performance in terms of costs (i.e., gas) on the FISCO blockchain. We varied the policy size from 10 to 100, and the experimental results are exhibited in Figure 8c,d. As illustrated, the gas cost for PRBFM is lower than that of the other schemes. This result is due to PRBFM exclusively updating or requesting one hash value, whereas Ma et al.’s scheme, Derler et al.’s scheme, and Xu et al.’s scheme involve 2, 4, and 6 values, respectively.

7. Related Works

In this section, we introduce the existing studies of the redactable blockchain.

Ateniese et al. [16] proposed the idea of a redactable blockchain. Their scheme uses a permissioned blockchain that needs a central authority to grant rewriting privileges to a designated party, referred to as the “modifier.” The designated modifier could coordinate and delete specific content from the blockchain by utilizing a large-scale MPC protocol. This protocol enables block-level rewriting with coarse-grained control, achieved through the use of public key infrastructure (PKI), and an enhanced collision-resistant chameleon hash [31]. The enhanced collision-resistant chameleon hash facilitates modification of the hash link between block headers, while the PKI ensures the sealing of the chameleon hash trapdoor.

Derler et al. [6] introduced a permissioned redactable blockchain that allows for flexible rewriting of privileges through transaction-level rewriting controlled at a fine-grained level. Unlike the research conducted in [16], the authors of [6] employed chameleon hash to hash the transactions during the computation of the Merkle root. To formalize their solution, they presented a new concept called policy-based chameleon hash (PCH), which is derived from chameleon hashes with ephemeral trapdoors (CHET) [35] and attribute-based encryption (ABE) [36].

Deuber et al. [37] presented a permissionless block-level redactable blockchain that eliminates the requirement for a trusted central authority through the use of consensus-based voting. In their approach, the block header is modified to include two hash links. If a proposal for modification garners enough votes, it is approved by breaking one of the links while leaving the other intact. However, this scheme has the drawback of providing weak accountability, as the identity of the modifier can be traced from the proposed pool. Furthermore, this redactable blockchain inherits the vulnerability of consensus-based voting algorithms, rendering it susceptible to bribing and selfish mining attacks.

Regarding the revocability of the redactable blockchain, Panwar et al. [38] introduced a permissioned redactable blockchain that incorporates dynamic group signature schemes (DGSS) and revocable FAME (RFAME) to achieve traceability and revocability. Traceability ensures the life cycle of all transactions is honestly recorded in the blockchain for assisting in tracking history transactions, while revocability can be used to revoke the editing authority of malicious modifiers. However, traceability offers limited accountability, as accountability is to identify who made a particular transaction or redaction, which is more complicated than traceability. Moreover, the secure assignment of the updated secret key is crucial. To address this challenge, Xu et al. [8] introduced the concept of revocable policy-based chameleon hash (RPCH) and implemented it to facilitate efficient privilege revocation. The cost of implementing revocability in RPCH is almost insignificant compared to FAME [36].

To address the requirement for accountability in a redactable blockchain, Tian et al. [18] were the first to explore accountability using a policy-based chameleon hash (PCH). However, their solution only supports weak accountability. Specifically, it could only link the modified transaction while lacking the ability to identify potential key leakage. To address these issues, Xu et al. [21] presented a novel design of PCH called black-box accountability (PCHA) and introduced a practical attribute-based traitor tracing (ABTT) scheme with adaptive security.

For rewriting authorization in a decentralized environment, Zhang et al. [17] presented a multi-authority policy-based chameleon hash (MPCH), and Ma et al. [7] introduced a decentralized policy-based chameleon hash (DPCH). Both MPCH and DPCH employ CHET for data rewriting management and utilize multi-authority attribute-based encryption (MA-ABE) to handle rewriting privileges. However, their schemes do not support dynamic nodes, as the departure of participants would result in a single point of failure. Therefore, Zhang et al. [22] propose a novel dynamic and decentralized attribute-based chameleon hash (DACH) to enable the blockchain history’s mutability. By leveraging DACH, their scheme achieves a decentralized, secure, and dynamically redactable blockchain (SDRchain).

Xu et al. [39] introduced a novel redactable blockchain named k-time modifiable and epoch-based redactable blockchain (KERB), which draws inspiration from the double-authentication preventing signature (DAPS) to regulate rewriting privileges. However, due to the restrictions on the number of k-times and epochs, it is necessary to combine customized k-times and epochs, which has yet to be accomplished. To tackle this challenge, Liu et al. [24] selected times and epochs as the controlling factors, restricting users from invoking the credential show method based on customized times within each epoch established by the certificate authority. In their approach, users can redact their credentials to achieve selective disclosure.

Shen et al. [23] propose a verifiable and redactable blockchain that allows for full editing operations, thus supporting verifiability. Their scheme successfully combines the complete editability of block objects and the verifiability of the blockchain state with reasonable additional costs. Specifically, the authors have built a redactable blockchain using a double trapdoor chameleon hash family, which allows for computationally efficient block editing while maintaining resistance against key exposure. However, these presented schemes ignore the privacy of sensitive data and do not support error tolerance during policy matching. Thus, the PRBFM scheme proposed in this paper is designed for fine-grained redactable blockchain with policy fuzzy matching in a privacy-preserving manner.

8. Conclusions

In this paper, we proposed a novel privacy-preserving fine-grained redactable blockchain with fuzzy policy matching for mobile crowdsensing scenarios. Firstly, we presented the PRBFM scheme utilizing Lagrange secret sharing and chameleon hash. Then, we combined the policy paradigm in PRBFM to further design a privacy-preserving policy matching delegation mechanism to protect policy privacy and reduce user overhead. Additionally, we formally analyzed the security of our scheme under IND-CCA, and also provided a detailed complexity analysis in terms of computational and special. Finally, we implemented and measured our scheme on the FISCO blockchain and demonstrated that our scheme outperforms existing works. For future work, we intend to further reduce user overhead with the use of bilateral access control and provide more fine-grained permission management (e.g., usability, readability, and editability).