Tagged Chameleon Hash from Lattices and Application to Redactable Blockchain

Li, Yiming; Liu, Shengli

doi:10.1007/978-3-031-57725-3_10

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14603))

Included in the following conference series:

IACR International Conference on Public-Key Cryptography

148 Accesses

Abstract

Chameleon hash (CH) is a trapdoor hash function. Generally it is hard to find collisions, but with the help of a trapdoor, finding collisions becomes easy. CH plays an important role in converting a conventional blockchain to a redactable one. However, most of existing CH schemes are too weak to support redactable blockchains. The currently known CH schemes serving for redactable blockchains have the best security of so-called “full collision resistance ($\text {f-CR}$)”, but they are built either in the random oracle model or rely on heavy tools like the simulation-sound extractable non-interactive zero-knowledge (SSE-NIZK) proof system. Moreover, up to now there is no CH scheme with post-quantum $\text {f-CR}$ security in the standard model. Therefore, no CH can support redactable blockchains in a post-quantum way without relying on random oracles.

In this paper, we introduce a variant of CH, namely tagged chameleon hash (tCH). Tagged chameleon hash takes a tag into hash evaluations and collision finding algorithms. We define two security notions for tCH, restricted collision resistance ($\text {r-CR}$) and full collision resistance ($\text {f-CR}$), and prove the equivalence between $\text {r-CR}$ and $\text {f-CR}$ when tCH works in the one-time tag mode. We propose a tCH scheme from lattices without using any NIZK proof, and prove that its restricted collision resistance is reduced to the Short Integer Solution (SIS) assumption in the standard model. We also show how to apply tCH to a blockchain in one-time tag mode so that the blockchain can be compiled to a redactable one. Our tCH scheme provides the first post-quantum solution for redactable blockchains, without resorting to random oracles or NIZK proofs. Besides, we also construct a more efficient tCH scheme with $\text {r-CR}$ tightly reduced to SIS in the random oracle model, which may be of independent interest.

You have full access to this open access chapter, Download conference paper PDF

Keywords

1 Introduction

The chameleon hash (CH) was first introduced by Krawczyk and Rabin [25] and it can be seen as a trapdoor collision resistant hash function. Informally, a CH is associated with a public parameter pp and a trapdoor td. With pp, one can efficiently evaluate the hash value for any given message, and with td, one can efficiently find collisions for any target hash value. The fundamental security requirement of a chameleon hash, namely the collision resistance, assures that any adversary cannot find collisions without the knowledge of td. Since its introduction, chameleon hash has developed different security notions, serving for a wide range of applications. There are mainly four kinds of security notions for CH, as we summarized below.

Weak Collision Resistance. The weak collision resistance ($\text {w-CR}$) for CH is the basic security requirement formalized in [25] and it assures the infeasibility of finding a collision $(h^*,m^*,r^*,m^{\prime *},r^{\prime *})$ s.t. $m^{*}\ne m^{\prime *}$ but $h^*=\textsf{Hash}(m^*;r^*)=\textsf{Hash}(m^{\prime *};r^{\prime *})$ without the trapdoor. The $\text {w-CR}$ CH is often used to construct chameleon signatures [25] and lift non-adaptively secure signatures to adaptively secure ones [23, 28, 31]. However, most of CH schemes with $\text {w-CR}$ suffer from a so-called key-exposure problem, that is, anyone can recover the trapdoor after seeing only one collision with two different messages. A sequence of works [4, 10, 11] have identified this problem and proposed different CHs with key-exposure freeness. However, such CHs are still insufficient for the security requirements asked from more complicated applications.

Enhanced Collision Resistance. The enhanced collision resistance ($\text {e-CR}$) was first proposed by Ateniese et al. [3] as a strengthening of the weak collision resistance. It assures the infeasibility of finding a collision $(h^*,m^*,r^*,m^{\prime *},r^{\prime *})$ if no collision for this specific $h^*$ has ever been revealed to the adversary before. A chameleon hash with $\text {e-CR}$ was suggested to construct a redactable blockchain [3, 24, 38], but in fact, $\text {e-CR}$ is still not strong enough to deal with attacks on a redactable blockchain system as we will discuss later.

Standard Collision Resistance. The standard collision resistance ($\text {s-CR}$) was introduced by Camenisch et al. [9] and it assures the infeasibility of finding a collision $(h^*,m^*,r^*,m^{\prime *},r^{\prime *})$ if no collision involving the target message $m^*$ has ever been revealed to the adversary before. A CH with $\text {s-CR}$ can be used to construct sanitizable signatures [9] and redactable blockchains. However, $\text {s-CR}$ is still insufficient for the security requirements asked by a redactable blockchain.

Full Collision Resistance. The full collision resistance ($\text {f-CR}$) was introduced by Derler, Samelin and Slamanig [13] as a combination of $\text {e-CR}$ and $\text {s-CR}$^{Footnote 1}. It assures the infeasibility of finding a collision $(h^*,m^*,r^*,m^{\prime *},r^{\prime *})$ if no collision for the target hash-message pair $(h^*,m^*)$ has ever been revealed to the adversary before. To the best of our knowledge, $\text {f-CR}$ is the strongest one among all security notions of a chameleon hash, and it is adequate for most of the applications of chameleon hash, especially for redactable blockchain.

Redactable blockchain is an important application of a chameleon hash and it has high requirements for CH. Recall that blockchain was originally designed to satisfy immutability, i.e., the infeasibility of tampering the messages stored in the blocks. However, rigid immutability might not be friendly for healthy developments of blockchains. For example, once some illegal or malicious information is stored in blocks, it is hardly to be erased any more. In fact, the European General Data Protection Regulation (GDPR) has suggested the “right to be forgotten”. Therefore, researches on technical tools for changing or deleting sensitive information stored in blocks draw more attentions in the academic society. This yields the so-called redactable blockchain. In a redactable blockchain, immutability becomes flexible in the sense that a trusted regulation party (or multi-parties) can use a trapdoor to redact the chain by rewriting blocks in the chain according to the well-accepted regulation rules. We refer readers to [3] for more discussions about the necessity of a redactable blockchain.

Given the concept of redactable blockchain, how to do the redactions in a secure and controlled way has become a critical problem to be solved. As summarized by [39], there are four mechanisms to achieve redactable blockchains, that is, the consensus-based, chameleon hash-based, mate-transaction-based, and pruning-based. For the consensus-based mechanisms, redactions are performed by on-chain voting, like the hard fork and [14, 36]; for the mate-transaction-based mechanisms, redactions are triggered by a special transaction called the mate-transaction, like [16, 17, 34]; for the pruning-based mechanisms, redactions are made by pruning transactions or blocks when some conditions are satisfied, like [27, 35]. Ateniese et al. [3] suggested to construct redactable blockchains with the help of CH, that is, the chameleon hash-based redactable blockchains. In this paper, we focus on this type of redaction mechanism.

Below we briefly describe the suggestion of constructing a redactable blockchain from a chameleon hash in [3] and show the security requirements of CH.

Redactable Blockchain from CH. A conventional blockchain can be converted to a redactable one by replacing one of the hash functions used to construct blocks with a chameleon one [3]. Let $\mathcal {H}=(\textsf{Setup},\textsf{Hash},\textsf{Adapt})$ be a chameleon hash, where the setup algorithm is used to generate the public parameter and trapdoor, i.e., $(pp,td)\leftarrow \textsf{Setup}(1^\kappa )$, the hash algorithm is used to evaluate the hash value for a given message with some randomness, i.e., $h\leftarrow \textsf{Hash}(m;r)$, and the adaptation algorithm is used to find a collision with td, i.e., $r'\leftarrow \textsf{Adapt}(td,h,m,r,m')$ s.t. $h=\textsf{Hash}(m;r)=\textsf{Hash}(m';r')$.

For a CH-based redactable blockchain, a trusted regulation party is granted to generate $(pp,td)\leftarrow \textsf{Setup}(1^\kappa )$ and then publish pp. A miner collects the message m, evaluates $h\leftarrow \textsf{Hash}(m;r)$, constructs a valid block B containing the triple (h, m, r) as well as other information required, and finally appends it to the blockchain. When an adaptation is required from m to $m'$ in some block B^{Footnote 2}, the trusted authority computes $r'\leftarrow \textsf{Adapt}(td,h,m,r,m')$, replaces (m, r) stored in B with $(m',r')$ while keeping other information unchanged, and finally publishes the redacted block. In this way, we obtain a redactable blockchain.

Security Requirements of CH in Redactable Blockchain. In a redactable blockchain, each block $B_j$ records information of $(h_j,m_j,r_j)$ and we denote it by $B_j=\langle h_j,m_j,r_j \rangle $. Adaptations for block $B_j$ result in multiple new adapted blocks $\{B_j^i=\langle h_j,m_j^{i},r_j^{i} \rangle \}_{i\in [n_j]}$ s.t. $h_j=\textsf{Hash}(m_j;r_j)=\textsf{Hash}(m_j^{i};r_j^{i})$ for $i\in [n_j]$. Now we consider the adversary’s attack on redactions in a redactable blockchain. The adversary sees all original blocks $B_1,B_2,B_3,\cdots $ and all corresponding adapted blocks $\{B_1^i\}_{i\in [n_1]},\{B_2^i\}_{i\in [n_2]},\{B_3^i\}_{i\in [n_3]},\cdots $, where each $n_j=\textsf{poly}(\kappa )$ denotes the number of adaptations for block $B_j$. The aim of an adversary is to redact the chain by adapting some block $B_j=\langle h_j,m_j,r_j \rangle $ to a new one $B^*=\langle h^*,m^*,r^* \rangle $ s.t. $h^*=h_j=\textsf{Hash}(m_j;r_j)=\textsf{Hash}(m^*;r^*)$, where $m^*$ is the adapted message satisfying $m^*\notin \{m_j\}\cup \{m_j^{i}\}_{i\in [n_j]}$, in other words, $(h^*,m^*)$ is fresh w.r.t. $B_j$ and $\{B_j^i\}_{i\in [n_j]}$. Note that we do not exclude the possibility that $m^*$ belongs to $\{m_{j'}\}\cup \{m_{j'}^{i}\}_{i\in [n_{j'}]}$ with $j\ne j'$. See Fig. 1.

Obviously, to make sure that the adversary succeeds in redacting blocks with negligible probability, it suffices for a chameleon hash to be full collision resistant. In contrast, $\text {e-CR}$ and $\text {s-CR}$ are not sufficient. Firstly, the adversary can obtain multiple adapted blocks $\{B_j^i=\langle h_j,m_j^i,r_j^i \rangle \}_{i\in [n_j]}$ for the target hash value $h_j=h^*$, so, $\text {e-CR}$ is not enough for CH. Secondly, the adversary may obtain some adapted block $B_{j'}^i=\langle h_{j'},m^*,r_{j'}^i\rangle $ with $j\ne j'$, and hence $\text {s-CR}$ is not enough either.

To the best of our knowledge, only a CH with $\text {f-CR}$ security is sufficient to the security requirements of a redactable blockchain. However, existing CH schemes with $\text {f-CR}$ [12, 13] are all generic constructions relying on some heavy building blocks like the simulation-sound extractable non-interactive zero knowledge (SSE-NIZK) proof system [13]. Besides, almost all instantiations of CH with $\text {f-CR}$ security are based on pairings or the discrete logarithm (DL) assumption, and hence are not secure against quantum adversaries. The only known post-quantum instantiation is based on the learning parity with noise (LPN) assumption in the random oracle (RO) model [12]. Then a natural question arises:

“Can we construct a post-quantum chameleon hash function serving for a redactable blockchain in the standard model (especially without relying on a NIZK proof system)?”

In this paper, we provide a new approach to this problem. We take into considerations some nice properties of a redactable blockchain so that the security requirements for CH can be weakened. That makes possible simpler constructions of CH serving for a secure redactable blockchain. In more details, we have the following three observations for a CH-based redactable blockchain.

Observation 1. Each settled block can be uniquely indexed by a unique identifier $\tau $ (like the timestamp, the hash value of its previous block or its position in the chain). Taking $\tau $ into account results in blocks of the form $B=\langle \tau ,h,m,r\rangle $.
Observation 2. Each block has a chameleon hash value h and identifier $\tau $, and adaptations towards that block keep h and $\tau $ unchanged. Together with observation 1, we know that each tag $\tau $ is uniquely bound with one block (and hence the chameleon hash value h).
Observation 3. All adaptations towards a specific block are made with fresh messages. In a redactable blockchain, this can be easily accomplished by appending a unique (e.g. increasing) counter value to the adapted message.

Now we additionally take $\tau $ as input for chameleon hash evaluations and adaptations, and this results in a new variant of CH, namely the tagged CH (tCH). Next we consider the full collision resistance for a tagged CH. The adversary can see many tuples $(\tau ,h,m,r)$ as well as their adaptations $(\tau ,h,m',r')$, where m is the original message and $m'$ is the adapted message s.t. $h=\textsf{Hash}(\tau ,m;r)=\textsf{Hash}(\tau ,m';r')$. Let $\mathcal {Q}$ record tuples $(\tau ,h,m)$ and the adapted tuples $(\tau ,h,m')$. The adversary wins if it finally comes up with a forgery $(\tau ^*,h^*,m^*,r^*,m^{\prime *},r^{\prime *})$ such that

$$\begin{aligned} h^*=\textsf{Hash}(\tau ^*,m^*;r^*)=\textsf{Hash}(\tau ^*,m^{\prime *};r^{\prime *}),~ m^*\ne m^{\prime *},~ (\tau ^*,h^*,m^*)\notin \mathcal {Q}. \end{aligned}$$

(1)

Obviously, the full collision resistance of tCH is sufficient for a redactable blockchain. But actually, the three observations can help to change the security requirements of tCH to a weaker variant. Note that in (1.1), we have

$$\begin{aligned} &(\tau ^*,h^*,m^*)\notin \mathcal {Q}\\ \Leftrightarrow &\big ( (\tau ^*,h^*,m^*)\notin \mathcal {Q}\wedge (\tau ^*,\cdot ,m^{\prime *})\notin \mathcal {Q}\big ) \vee \big ( (\tau ^*,h^*,m^*)\notin \mathcal {Q}\wedge (\tau ^*,\cdot ,m^{\prime *})\in \mathcal {Q}\big )\\ \Leftrightarrow &\big ( (\tau ^*,\cdot ,m^*)\notin \mathcal {Q}\wedge (\tau ^*,\cdot ,m^{\prime *})\notin \mathcal {Q}\big ) \vee \big ( (\tau ^*,\cdot ,m^*)\notin \mathcal {Q}\wedge (\tau ^*,h^*,m^{\prime *})\in \mathcal {Q}\big ), \end{aligned}$$

where $(\tau ^*,\cdot ,m^{\prime *})\notin \mathcal {Q}$ means that there exists no h such that $(\tau ^*,h,m^{\prime *})\in \mathcal {Q}$, while $(\tau ^*,\cdot ,m^{\prime *})\in \mathcal {Q}$ means that there exists an h such that $(\tau ^*,h,m^{\prime *})\in \mathcal {Q}$. Here “$\Leftarrow $” holds obviously, and “$\Rightarrow $” holds due to the observation 2. By observation 2, for any adapted blocks with $(\tau ^*,h^*,\cdot ,\cdot )$ we know that $\tau ^*$ is uniquely bound with $h^*$, so $(\tau ^*,h^*,m^*)\notin \mathcal {Q}\Rightarrow (\tau ^*,\cdot ,m^*)\notin \mathcal {Q}$ and $(\tau ^*,\cdot ,m^{\prime *})\in \mathcal {Q}\Rightarrow (\tau ^*,h^*,m^{\prime *})\in \mathcal {Q}$ (otherwise, $\tau ^*$ corresponds to both $h^*$ and some $h\ne h^*$ in the blockchain system, which is impossible).

Define a predicate $\textsf{Valid}$ as $\textsf{Valid}(\tau ^*,h^*,m^*,m^{\prime *})=1$ if $\big ( (\tau ^*,\cdot ,m^*)\notin \mathcal {Q}\wedge (\tau ^*,\cdot ,m^{\prime *})\notin \mathcal {Q}\big ) \vee \big ( (\tau ^*,\cdot ,m^*)\notin \mathcal {Q}\wedge (\tau ^*,h^*,m^{\prime *})\in \mathcal {Q}\big )$. Now (1.1) becomes:

$$\begin{aligned} h^*=\textsf{Hash}(\tau ^*,m^*;r^*)=&\textsf{Hash}(\tau ^*,m^{\prime *};r^{\prime *}),~m^*\ne m^{\prime *},~ \textsf{Valid}(\tau ^*,h^*,m^*,m^{\prime *})=1. \end{aligned}$$

According to observation 2 again, it is reasonable to assume that there do not exist $(\tau ,h,\cdot )$ and $(\tau ,h'',\cdot )$ with $h\ne h''$ among those tuples and adapted tuples contained in $\mathcal {Q}$. Furthermore, according to observation 3, we can require that all adapted messages w.r.t. a block (and hence a unique $\tau $) are distinct.

Hence for redactable blockchain, we arrive at a security requirement for tCH which is weaker than the full collision resistance. We call such a security requirement restricted collision resistance since it has more restrictions on adversaries compared with the full one (see Fig. 3 for their formal definitions). Now the problem can be simplified as follows.

“Can we construct a post-quantum tagged chameleon hash function with restricted collision resistance in the standard model (especially without relying on a NIZK proof system)?”

1.1 Our Contributions

In this paper, we answer the above question in the affirmative and have made the following three contributions.

New Concept of Tagged Chameleon Hash (tCH). We introduce a new primitive, named tagged chameleon hash (tCH), which additionally takes as input a tag $\tau $ for hash evaluations and adaptations. We provide two CR security notions for our tCH. One is the full collision resistance ($\text {f-CR}$) and the other is the restricted collision resistance ($\text {r-CR}$). The full collision resistance is defined similar to that of a tag-free CH [13]. That is, it is infeasible to find $(\tau ^*,h^*,m^*,r^*,m^{\prime *},r^{\prime *})$ s.t. $m^*\ne m^{\prime *}$ and $h^*=\textsf{Hash}(\tau ^*,m^*;r^*)=\textsf{Hash}(\tau ^*,m^{\prime *};$ $r^{\prime *})$ even if the adversary sees many adaptation outputs $r'$ by issuing queries $(\tau ,h,m,r,m')$ of its choice. The only limitation is that $(\tau ^*,h^*,m^*)$ does not appear in its queries. Restricted collision resistance is weaker than the full one in the sense that the adversary’s behaviors and winning conditions are further restricted. Meanwhile, we also require statistical indistinguishability from tCH which asks that the hash value and randomness are statistically close to the adapted ones.

We show that if tCH works in the one-time tag mode, the two CR security notions are equivalent to each other. Here the one-time tag mode requires that each invocation of hash evaluation takes a fresh and distinct tag as input.

Constructions of tCH from Lattices. We provide two constructions of tCH from lattices and prove their $\text {r-CR}$ security.

Our first tCH construction achieves the restricted collision resistance in the standard model. The restricted collision resistance of our tCH is tightly reduced to the SIS assumption and the pseudorandomness of a pseudorandom function (PRF). Given the LWE-based PRFs like [5], our construction yields the first $\text {r-CR}$ secure tCH from LWE and SIS in the standard model.
Our second tCH construction achieves the restricted collision resistance in the random oracle model. It is more efficient than the first one and is tightly reduced to the SIS assumption.

According to the relation between $\text {f-CR}$ and $\text {r-CR}$, both of our two tCHs can provide security guarantee as good as $\text {f-CR}$ when working in the one-time tag mode. We stress that our tCH schemes are free of NIZK proof systems.

Application of tCH in Redactable Blockchain. Each settled block can be uniquely indexed by a unique identifier $\tau $ in the redactable blockchain. So different blocks have distinct identifiers $\tau $. When a tCH is applied to the blockchain, we can take $\tau $ as the tag of tCH to compute hash values for messages stored in blocks, and hence each hash value (for a settled block) is computed from a distinct tag. Note that, adaptations are made only for those settled blocks. In this way, the tCH already works in the one-time tag mode for the redactable blockchain. Therefore, our tCH schemes with restricted collision resistance serve for redactable blockchains perfectly.

1.2 Related Works

Chameleon Hash. Krawczyk and Rabin [25] proposed two CH constructions with $\text {w-CR}$ based on the claw-free trapdoor permutations [22] and the Pedersen’s commitment scheme [32] respectively. Chen, Zhang and Kim [11] proposed the first key-exposure free CH from the computational Diffie-Hellman (CDH) assumption based on the gap Diffie-Hellman (GDH) group. Ateniese and de Medeiros [4] also proposed several key-exposure free CHs from various assumptions like the RSA and the discrete logarithm (DL) assumptions. Later in 2017, Ateniese et al. [3] proposed a generic way to lift a CH from $\text {w-CR}$ to $\text {e-CR}$ with helps of a CPA secure public key encryption (PKE) and a true-simulation extractable non-interactive zero knowledge (tSE-NIZK) proof system. Ateniese et al. [3] instantiated the generic construction from the decisional Diffie-Hellman assumption in the random oracle model, and from k-linear assumption in the standard model, respectively. Since then, several efficient CH schemes with $\text {e-CR}$ have been proposed from various assumptions. Khalili, Dakhilalian and Susilo [24] proposed two CHs with $\text {e-CR}$: one is constructed by combining a weak CH with Groth-Sahai NIZK proof and Cramer-Shoup PKE, and the other is constructed with the ZK-SNARKs. Wu, Ke and Du [38] gave two CH schemes from the lattice-based assumptions in the generic group model (GGM) and in the random oracle model (ROM), respectively. As for $\text {s-CR}$, Camenisch et al. [9] proposed an $\text {s-CR}$ secure CH based on the one-more RSA assumption in the random oracle model. Recently, Derler, Samelin and Slamanig [13] suggested $\text {f-CR}$ as a more desirable security notion for a CH, and proposed a generic construction of a $\text {f-CR}$ secure CH with building blocks a CPA secure PKE and a simulation-sound extractable non-interactive zero knowledge (SSE-NIZK) proof. Derler, Samelin and Slamanig [13] provided instantiations of the generic construction based on the DDH assumption in ROM, and based on the symmetric external Diffie-Hellman (SXDH) assumption in the standard model, respectively. Later, Deler et al. [12] proposed a relatively simpler generic $\text {f-CR}$ secure CH construction with building blocks a non-interactive commitment scheme and also an SSE-NIZK. Deler et al. [12] instantiated the generic construction from the DL assumption in ROM, and from the LPN assumption in ROM, respectively.

1.3 Technique Overview

In this subsection, we provide high-level ideas of our tCH constructions from lattices. We propose two tCH schemes: one is in the standard model and the other is in the random oracle model. Both of our tCHs are constructed and proved following a partitioning proof strategy, which has been used in designing advanced signatures and public-key encryptions [6, 7, 37]. To do the “partitioning”, our tCH in the standard model uses a pseudorandom function (PRF) and homomorphic evaluation techniques [6,7,8, 20], while our tCH in the ROM relies on the re-programmable property of random oracles.

Here we provide a brief description of our tCH in the standard model. The public parameter pp consists of a random matrix $\textbf{A}\in \mathbb {Z}_q^{n\times m}$, a PRF’s secret key $\textbf{k}$ (only used for the security proof), and random matrices $\textbf{A}_1,\dots ,\textbf{A}_k,\hat{\textbf{A}}_1,\dots ,\hat{\textbf{A}}_h\in \mathbb {Z}_q^{n\times w}$ (which will be used for embedding $\textbf{k}$ and messages to be hashed in the security proof). The master trapdoor mtd is set as a trapdoor $\textbf{T}_{\textbf{A}}$ of $\textbf{A}$ s.t. $\textbf{T}_{\textbf{A}}$ is small and $\textbf{A}\cdot \textbf{T}_{\textbf{A}}=0^{n\times m}$.

To hash a message $\textbf{m}=(m_1,\dots ,m_h)\in \{0,1\}^h$ w.r.t. a tag $\tau $, we first sample $\textbf{y}$ uniformly at random, and then construct a circuit $C[\tau \Vert \textbf{m},\textbf{y}](\cdot )$ s.t. $C[\tau \Vert \textbf{m},\textbf{y}](\textbf{k})$ returns 1 if $\textsf{PRF}(\textbf{k},\tau \Vert \textbf{m})= \textbf{y}$, and returns 0 otherwise. We further construct a matrix $\textbf{F}:=[\textbf{A}|\textbf{A}_{\textsf{prf}}]\in \mathbb {Z}_q^{n\times (m+w)}$ from pp, $\textbf{m}$ and $\tau $, where $\textbf{A}_{\textsf{prf}}$ is generated through homomorphic evaluations on $C[\tau \Vert \textbf{m},\textbf{y}](\cdot )$ with $\textbf{A}_1,\dots ,\textbf{A}_k$. The hash value is computed as $\textbf{h}:=\textbf{F}\cdot \textbf{e}$ with $\textbf{e}\in \mathbb {Z}^{m+w}$ a short integer vector sampled from the discrete Gaussian distribution; the randomness r includes $\textbf{e}$, $\textbf{y}$ and other randomnesses used to generate $\textbf{F}$.

To find a collision $r'$ towards $(\tau ,\textbf{h},\textbf{m},r,\textbf{m}')$ so that $(\tau ,\textbf{m},r)$ and $(\tau ,\textbf{m}',r')$ both hash to $\textbf{h}$, we first construct $\textbf{F}':=[\textbf{A}|\textbf{A}_{\textsf{prf}}']$ from pp, $\tau $ and $\textbf{m}'$. Then we can find a short integer vector $\textbf{e}'$ s.t. $\textbf{h}=\textbf{F}'\cdot \textbf{e}'$ with the help of $\textbf{T}_{\textbf{A}}$ through trapdoor delegation [33] and preimage sampling [19].

Now we are ready to sketch the security proof. In the security experiment of $\text {r-CR}$, adversary $\mathcal {A}$ can make multiple adaptation queries and for each query $(\tau _i,\textbf{h}_i,\textbf{m}_i,r_i,\textbf{m}_i')$, the challenger responds $\mathcal {A}$ with a randomness $r_i'$ s.t. $\textbf{h}_i=\textsf{Hash}(\tau _i,\textbf{m}_i;r_i)=\textsf{Hash}(\tau _i,\textbf{m}'_i;r_i')$. Then in the challenge phase, $\mathcal {A}$ submits its forgery $(\tau ^*,\textbf{h}^*,\textbf{m}^*,r^*,\textbf{m}^{\prime *},r^{\prime *})$ and it wins if $\textbf{h}^*=\textsf{Hash}(\tau ^*,\textbf{m}^*;r^*)=\textsf{Hash}(\tau ^*,$ $\textbf{m}^{\prime *};r^{\prime *})$, $\textbf{m}^{\prime *}\ne \textbf{m}^*$ and $\textsf{Valid}(\tau ^*,\textbf{h}^*,\textbf{m}^*,\textbf{m}^{\prime *})=1$. The reduction algorithm can embed a SIS problem instance into the random matrix $\textbf{A}$, but then there are two problems to be solved.

Problem I: Since $\textbf{A}$ is a SIS instance now, the trapdoor $\textbf{T}_{\textbf{A}}$ of $\textbf{A}$ is unknown to the reduction algorithm. In this case, how to find a collision for $(\tau _i,\textbf{h}_i,\textbf{m}_i,r_i,\textbf{m}_i')$ without $\textbf{T}_{\textbf{A}}$ upon the adversary’s adaptation queries?
Problem II: How does the reduction algorithm derive a valid solution to the SIS problem when $\mathcal {A}$ successfully finds a valid collision?

For expression simplicity, let’s introduce some facts for tCH first. Consider all valid adaptation queries $\{(\tau _i,\textbf{h}_i,\textbf{m}_i,r_i,\textbf{m}'_i)\}$ submitted by $\mathcal {A}$ in the $\text {r-CR}$ security experiment, where $\tau _i$ is bound to a unique $\textbf{h}_i$ and $\textsf{Hash}(\tau _i,\textbf{m}_i;r_i)=\textbf{h}_i$. Then all valid adaptation queries constitute a sequence of trees. Let $\tau _i$ index the trees. Tree $\tau _i$ has a root $(\tau _i,\tilde{\textbf{m}}_i)$ which is NOT an adapted tuple, and all non-root nodes $\{(\tau _i,\textbf{m}_i')\}$ in the tree are adapted from their parent nodes. For $\mathcal {A}$’s forgery $(\tau ^*,\textbf{h}^*,\textbf{m}^*,$ $r^*,\textbf{m}^{\prime *},r^{\prime *})$, it requires that $(\tau ^*,\textbf{m}^*)$ never appears in adaptation queries, so $(\tau ^*,\textbf{m}^*)$ does not belong to any adaptation tree. The other tuple $(\tau ^*,\textbf{m}^{\prime *})$ either lies in some adaptation tree $\tau _i$ (Case I), or does not belong to any adaptation tree (Case II). See Fig. 2 for a demonstration.

Now let us see how to solve the above two problems. We give an adaptive partition of all tag-and-message tuples $\{(\tau _i,\textbf{m}_i),(\tau _i,\textbf{m}_i')\}$ in adaptation queries and tuples $(\tau ^*,\textbf{m}^*),(\tau ^*,\textbf{m}^{\prime *})$ in the forgery according to whether $\textsf{PRF}(\textbf{k},\tau \Vert \textbf{m})=\textbf{y}$, where $\textbf{y}$ is a randomness included in r.

For the root node $(\tau _i,\tilde{\textbf{m}}_i)$ in each tree (say tree $\tau _i$), its corresponding $\tilde{\textbf{y}}_i$ is chosen by the adversary who knows nothing about $\textsf{PRF}(\textbf{k},\tau _i\Vert \tilde{\textbf{m}}_i)$. Then $\textsf{PRF}(\textbf{k},\tau _i\Vert \tilde{\textbf{m}}_i)\ne \tilde{\textbf{y}}_i$ due to the pseudorandomness of PRF, and hence $C[\tau _i\Vert \tilde{\textbf{m}}_i,$ $\tilde{\textbf{y}}_i](\textbf{k})=0$.
For those non-root nodes in tree $\tau _i$, they must be adapted tuples $(\tau _i,\textbf{m}_i')$. We choose $\textbf{y}_i'$ s.t. $\textbf{y}_i'=\textsf{PRF}(\textbf{k},\tau _i\Vert \textbf{m}_i')$ and hence $C[\tau _i\Vert \textbf{m}_i',\textbf{y}_i'](\textbf{k})=1$.
For the node $(\tau ^*,\textbf{m}^*)$ in the forgery, it is submitted by the adversary and does not belong to any adaptation tree, so $\textsf{PRF}(\textbf{k},\tau ^*\Vert \textbf{m}^*)\ne \textbf{y}^*$ and hence $C[\tau ^*\Vert \textbf{m}^*,\textbf{y}^*](\textbf{k})=0$ due to the pseudorandomness of PRF.
For the node $(\tau ^*,\textbf{m}^{\prime *})$ in the forgery, we consider two cases.
- Case I: $(\tau ^*,\textbf{m}^{\prime *})$ lies in some tree $\tau _i$. Then it can be a root with $\textsf{PRF}(\textbf{k},\tau ^*\Vert \textbf{m}^{\prime *})\ne \textbf{y}^{\prime *}$ and $C[\tau ^*\Vert \textbf{m}^{\prime *},\textbf{y}^{\prime *}](\textbf{k})=0$, or an adapted tuple with $\textsf{PRF}(\textbf{k},\tau ^*\Vert \textbf{m}^{\prime *})= \textbf{y}^{\prime *}$ and $C[\tau ^*\Vert \textbf{m}^{\prime *},\textbf{y}^{\prime *}](\textbf{k})=1$.
- Case II: $(\tau ^*,\textbf{m}^{\prime *})$ does not belong to any adaptation tree. Then $\textsf{PRF}(\textbf{k},$ $\tau ^*\Vert \textbf{m}^{\prime *})\ne \textbf{y}^{\prime *}$ and $C[\tau ^*\Vert \textbf{m}^{\prime *},\textbf{y}^{\prime *}](\textbf{k})=0$ due to the pseudorandomness of PRF.

In conclusion, for those adapted tuples $\{(\tau _i,\textbf{m}_i')\}$, they all satisfy $C[\tau _i\Vert \textbf{m}_i',$$\textbf{y}_i'](\textbf{k})=1$, see nodes in blue dashed boxes in Fig. 2. In Case I, we have $(\tau ^*,\textbf{m}^*)$ and $(\tau ^*=\tau _i,\tilde{\textbf{m}}_i)$ s.t. $C[\tau ^*\Vert \textbf{m}^{*},\textbf{y}^*](\textbf{k})=C[\tau ^*\Vert \tilde{\textbf{m}}_i,\tilde{\textbf{y}}_i](\textbf{k})=0$. In Case II, we have $(\tau ^*,\textbf{m}^*)$ and $(\tau ^*,\textbf{m}^{\prime *})$ s.t. $C[\tau ^*\Vert \textbf{m}^*,\textbf{y}^*](\textbf{k})=C[\tau ^*\Vert \textbf{m}^{\prime *},\textbf{y}^{\prime *}](\textbf{k})=0$. See nodes in red dashed boxes in Fig. 2.

To implement the partitioning strategy, we embed the PRF’s key $\textbf{k}$ in $\textbf{A}_i$, that is, we generate $\textbf{A}_i:=\textbf{A}\textbf{R}_i+k_i\textbf{G}$ instead of $\textbf{A}_i\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times w}$, where $\textbf{R}_i\in \mathbb {Z}_q^{m\times w}$ is a randomly chosen short matrix and $\textbf{G}\in \mathbb {Z}_q^{n\times w}$ is the gadget matrix [28]. This change is statistically indistinguishable to $\mathcal {A}$ due to the leftover hash lemma. For each adaptation query $(\tau _i,\textbf{h}_i,\textbf{m}_i,r_i,\textbf{m}_i')$, we compute $\textbf{y}'_i:=\textsf{PRF}(\textbf{k},\tau _i\Vert \textbf{m}'_i)$ instead of $\textbf{y}'_i\xleftarrow {\mathsf {\$}}\{0,1\}^y$, and these two ways of generating $\textbf{y}'_i$ are computationally indistinguishable due to the pseudorandomness of PRF. Then $C[\tau _i\Vert \textbf{m}_i',\textbf{y}_i'](\textbf{k})=1$ and we have $\textbf{F}'_{i}:=[\textbf{A}|\textbf{A}_{\textsf{prf},i}']=[\textbf{A}|\textbf{A}\textbf{R}_{\textsf{prf},i}'+C[\tau _i\Vert \textbf{m}_i',\textbf{y}_i'](\textbf{k})\cdot \textbf{G}]=[\textbf{A}|\textbf{A}\textbf{R}_{\textsf{prf},i}'+\textbf{G}]$ through homomorphic evaluations. Note that $\textbf{F}_{i}'\cdot [-\textbf{R}_{\textsf{prf},i}^{'\top }|\textbf{I}^\top ]^\top =\textbf{G}$, and hence $\textbf{R}_{\textsf{prf},i}'$ is a gadget trapdoor [28] for $\textbf{F}_{i}'$. Given the gadget trapdoor $\textbf{R}_{\textsf{prf},i}'$, the reduction can also generate a delegated trapdoor for $\textbf{F}_{i}'$ efficiently [28], and then find a collision for $(\tau _i,\textbf{h}_i,\textbf{m}_i,r_i,\textbf{m}'_i)$ with the help of the delegated trapdoor. This solves the problem I. Then for the problem II, as we analyzed before, there exist $(\tau ^*,\textbf{m}^*)$ (the forgery tuple) and some $(\tau ^*,\bar{\textbf{m}})$ s.t. $C[\tau ^*\Vert \textbf{m}^*,\textbf{y}^*](\textbf{k})=0$ and $C[\tau ^*\Vert \bar{\textbf{m}},\bar{\textbf{y}}](\textbf{k})=0$. Hence we have $\textbf{F}^*=[\textbf{A}|\textbf{A}_{\textsf{prf}}^*]=[\textbf{A}|\textbf{A}\textbf{R}_{\textsf{prf}}^*+C[\tau ^*\Vert \textbf{m}^*,\textbf{y}^*](\textbf{k})\cdot \textbf{G}]=[\textbf{A}|\textbf{A}\textbf{R}_{\textsf{prf}}^*+0\cdot \textbf{G}]$ and $\bar{\textbf{F}}=[\textbf{A}|\bar{\textbf{A}}_{\textsf{prf}}]=[\textbf{A}|\textbf{A}\bar{\textbf{R}}_{\textsf{prf}}+C[\tau ^*\Vert \bar{\textbf{m}},\bar{\textbf{y}}](\textbf{k})\cdot \textbf{G}]=[\textbf{A}|\textbf{A}\bar{\textbf{R}}_{\textsf{prf}}+0\cdot \textbf{G}]$ due to homomorphic evaluations. If $\mathcal {A}$ wins, it holds that $\textbf{h}^*=[\textbf{A}|\textbf{A}\textbf{R}_{\textsf{prf}}^*]\cdot \textbf{e}^{*}=[\textbf{A}|\textbf{A}\bar{\textbf{R}}_{\textsf{prf}}]\cdot \bar{\textbf{e}}$, and then $\textbf{A}\cdot ([\textbf{I}|\textbf{R}_{\textsf{prf}}^*]\textbf{e}^*-[\textbf{I}|\bar{\textbf{R}}_{\textsf{prf}}]\bar{\textbf{e}})=0^{n\times m}$. The short vector $\textbf{v}:=([\textbf{I}|\textbf{R}_{\textsf{prf}}^*]\textbf{e}^*-[\textbf{I}|\bar{\textbf{R}}_{\textsf{prf}}]\bar{\textbf{e}})$ serves as a solution to the SIS problem.

There is a subtlety in above SIS solution $\textbf{v}$ in the reduction. For valid solution, we have to make sure that $\textbf{v}\ne 0^m$. To this end, we construct those $\textbf{F}$ as $[\textbf{A}|\textbf{A}_\textsf{prf}+\sum _i m_i\hat{\textbf{A}}_i]$ with public parameters $\hat{\textbf{A}}_i=\textbf{A}\hat{\textbf{R}}_i$. This change does not influence the correctness and the partitioning strategy. We refer readers to Subsect. 4.1 for a more detailed description.

We note that, by replacing the homomorphic evaluations related algorithms with random oracles, namely $\textbf{F}:=[\textbf{A}|\textsf{H}(\textbf{A},\tau \Vert \textbf{m})]$ and $\textsf{H}$ is a hash function modeled as a random oracle, we obtain a tCH in the ROM. To see this, the re-programmable properties of random oracles can also play the role of implementing the partition strategy, and hence the above reduction still holds.

2 Preliminaries

Notations. In this paper, column vectors are denoted by bold lower-case letters like $\textbf{x}$ and the i-th component of $\textbf{x}$ is denoted by $x_i$. Specifically, let $0^k$ denote the k-dimensional zero vector $(0,0,\dots ,0)^\top \in \mathbb {Z}_q^k$. For two bit strings $\textbf{x}_1\in \{0,1\}^n$ and $\textbf{x}_2\in \{0,1\}^m$, let $\textbf{x}_1\Vert \textbf{x}_2\in \{0,1\}^{n+m}$ denote the concatenation of $\textbf{x}_1$ and $\textbf{x}_2$. Matrices are denoted by bold upper-case letters like $\textbf{A}$ and the i-th column of $\textbf{A}$ is denoted by $\textbf{a}_i$. The transpose of $\textbf{A}$ is denoted by $\textbf{A}^\top $. Let $\textbf{I}_{k}\in \{0,1\}^{k\times k}$ denote the k-dimensional identity matrix. For matrices $\textbf{A}\in \mathbb {Z}_q^{n\times m}$ and $\textbf{B}\in \mathbb {Z}_q^{k\times s}$, denote by $\textbf{A}\otimes \textbf{B}$ the Kronecker product of $\textbf{A}$ and $\textbf{B}$. For a vector $\textbf{x}=(x_1,x_2,\dots ,x_{n})^\top \in \mathbb {Z}^n$, let $\Vert \textbf{x}\Vert :=(\sum _{i\in [n]}x_i^2)^{\frac{1}{2}}$ denote the $\ell _2$ norm of $\textbf{x}$. For a matrix $\textbf{A}=(\textbf{a}_1,\textbf{a}_2,\dots ,\textbf{a}_{m})\in \mathbb {Z}^{n\times m}$ with $\textbf{a}_i\in \mathbb {Z}^n$, let $\Vert \textbf{A}\Vert :=\max _{i\in [m]}\Vert \textbf{a}_i\Vert $ denote the $\ell _2$ norm of $\textbf{A}$, $\tilde{\textbf{A}}$ denote the Gram-Schmidt orthogonalization of $\textbf{A}$, and $s_1(\textbf{A}):=\max _{\Vert \textbf{x}\Vert =1}\Vert \textbf{A}\textbf{x}\Vert $ the largest singular value of $\textbf{A}$.

For an integer $n\in \mathbb {N}$, let [n] denote the finite set $\{1,2,\dots ,n\}$. For a distribution (or a random variable) X, let $x \leftarrow X$ denote the process of sampling x according to X. For a finite set $\mathcal {X}$, let $x\xleftarrow {\mathsf {\$}}\mathcal {X}$ denote the process of sampling x from $\mathcal {X}$ uniformly at random.

Let $\kappa $ denote the security parameter and $\textsf{poly}(\kappa )$ denote the polynomial function. An algorithm is efficient if it runs in $\textsf{poly}(\kappa )$-time. Let $\textsf{negl}:\mathbb {N}\rightarrow \mathbb {R}$ denote the negligible function, i.e., for any polynomial $\textsf{poly}(n)$, there exists an $n'\in \mathbb {N}$ s.t. for all $n>n'$, $\textsf{negl}(n) < 1/\textsf{poly}(n)$. For a primitive $\textsf{XX}$ and a security notion $\textsf{YY}$, we denote by $\textsf{Exp}_{\textsf{XX},\mathcal {A}}^{\textsf{YY}}(\kappa )\Rightarrow b$ a security experiment interacting with adversary $\mathcal {A}$ and returning a bit b. Furthermore, we denote by $\textsf{Adv}_{\textsf{XX},\mathcal {A}}^{\textsf{YY}}(\kappa )$ the advantage of $\mathcal {A}$ in $\textsf{Exp}_{\textsf{XX},\mathcal {A}}^{\textsf{YY}}(\kappa )$, and define $\textsf{Adv}_{\textsf{XX}}^{\textsf{YY}}(\kappa ):=\max _{\text {PPT} \mathcal {A}}\textsf{Adv}_{\textsf{XX},\mathcal {A}}^{\textsf{YY}}(\kappa )$.

Let X and Y be two random variables over support $\mathcal {S}$, then the statistical distance between X and Y is defined by $\textsf{SD}(X,Y ) = 1/2 \cdot \sum _{s\in \mathcal {S}}|\Pr [X= s] -\Pr [Y = s]|$. We say that X and Y are statistically indistinguishable and denote it by $X\approx _s Y$ if $\textsf{SD}(X,Y)\le \textsf{negl}(\kappa )$. If $\textsf{SD}(X,Y)=0$, then X and Y has the same distribution and we denote it by $X\equiv Y$.

Definition 1

(Average min-entropy [15]). Let X and Y be two random variables. The min-entropy of X is defined as $\textsf{H}_{\infty }(X):=-\log \left( \max _x\Pr [X=x]\right) $. The average min-entropy of X given Y is defined as $\tilde{\textsf{H}}_{\infty }(X\mid Y):=-\log \left[ \mathbb {E}_{y\leftarrow Y}\right. $ $\left. (\max _x\Pr [X=x\mid Y=y])\right] $.

Lemma 1

([15]). Let X, Y be two random variables and Y has at most $2^\ell $ possible values, then $\tilde{\textsf{H}}_{\infty }(X|Y)\ge \textsf{H}_{\infty }(X)-\ell $.

2.1 Lattice Background

Let k, n, m, q be positive integers. Given n ($n\le m$) linearly independent basis vectors $\textbf{a}_1,\dots ,\textbf{a}_n \in \mathbb {R}^m$, construct a matrix $\textbf{A}\in \mathbb {R}^{n\times m}$ as $\textbf{A}^\top :=(\textbf{a}_1,\dots ,\textbf{a}_n)$. Define the m-dimensional lattice generated by $\textbf{A}$ as $\Lambda (\textbf{A}):=\{\textbf{y}\in \mathbb {R}^m~|~\textbf{y}=\textbf{A}^\top \textbf{x},\textbf{x}\in \mathbb {Z}^n\}$. We also define the following m-dimensional q-ary integer lattices: $\Lambda _q(\textbf{A}):=\{\textbf{y}\in \mathbb {Z}^{m}~|~\textbf{y}=\textbf{A}^\top \textbf{x}\mod q,\textbf{x}\in \mathbb {Z}_q^n\}$; $\Lambda _q^{\bot }(\textbf{A}):=\{\textbf{x}\in \mathbb {Z}^m~|~\textbf{A}\textbf{x}=0^n \mod q\}$. For any vector $\textbf{u}\in \mathbb {Z}_q^n$, define the coset (or shifted lattice) $\Lambda _q^{\textbf{u}}(\textbf{A}):=\{\textbf{x}\in \mathbb {Z}^m~|~\textbf{A}\textbf{x}=\textbf{u}\mod q\}$.

Definition 2

(Discrete Gaussian distribution). The Gaussian function with parameter s and center $\textbf{c}\in \mathbb {R}^n$ is defined as $\rho _{s,\textbf{c}}:\mathbb {R}^n\rightarrow \mathbb {R}$, $\rho _{s,\textbf{c}}(\textbf{x}):=\exp (-\pi \Vert \textbf{x}-\textbf{c}\Vert ^2/s^2)$. For a countable set $\mathcal {S}\subset \mathbb {R}^n$, the discrete Gaussian distribution $D_{\mathcal {S},s,\textbf{c}}$ parameterized with s and $\textbf{c}$ is defined as $D_{\mathcal {S},s,\textbf{c}}(\textbf{x}):=\rho _{s,\textbf{c}}(\textbf{x})/\sum _{\textbf{x}\in \mathcal {S}}\rho _{s,\textbf{c}}(\textbf{x})$ for $\textbf{x}\in \mathcal {S}$ and $D_{\mathcal {S},s,\textbf{c}}(\textbf{x}):=0$ for $\textbf{x}\notin \mathcal {S}$. Usually, s is omitted when $s=1$ and $\textbf{c}$ is omitted if $\textbf{c}=\textbf{0}$.

Lemma 2

(Randomness extraction [1, 19]). Let q, n, m be positive integers s.t. q is a prime and $m\ge 3n\log q$. Then:

If $\textbf{A}\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times m}$, $\textbf{s}\xleftarrow {\mathsf {\$}}\{1,-1\}^{m}$ and $\textbf{u}\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n}$, then $\textsf{SD}((\textbf{A},\textbf{A}\textbf{s}),(\textbf{A},\textbf{u}))\le 2^{-n}$.
If $\textbf{A}\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times m}$, $\textbf{s}\leftarrow D_{\mathbb {Z}^m,\gamma }$ with Gaussian parameter $\gamma \ge \omega (\sqrt{\log m})$ and $\textbf{u}\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n}$, then $\textsf{SD}((\textbf{A},\textbf{A}\textbf{s}),(\textbf{A},\textbf{u}))\le 2^{-n}$.

In this paper, we consider two types of lattice trapdoors. Let q, n, m be integers and define $w:=n\lceil \log q\rceil $. Firstly, for a matrix $\textbf{A}\in \mathbb {Z}_q^{n\times m}$, we consider a non-singular square matrix $\textbf{T}_{\textbf{A}}\in \mathbb {Z}_q^{m\times m}$ of short integer vectors such that $\textbf{A}\textbf{T}_{\textbf{A}}=0^{n\times m} \mod q$, and call it a trapdoor of $\textbf{A}$. We also consider the G-trapdoor (gadget trapdoor) proposed by Micciancio and Peikert [28]. A G-trapdoor for a matrix $\textbf{A}\in \mathbb {Z}_q^{n\times m}$ is a matrix $\textbf{R}\in \mathbb {Z}^{(m-w) \times w}$ s.t. $\textbf{A}\cdot [-\textbf{R}^{\top }|\textbf{I}_w^\top ]^\top =\textbf{G}$, where $\textbf{G}\in \mathbb {Z}_q^{n\times w}$ is the gadget matrix (see Definition 3). Clearly, if $\textbf{A}=[\bar{\textbf{A}}|\bar{\textbf{A}}\textbf{R}+\textbf{G}]$, then $\textbf{R}$ is the G-trapdoor for $\textbf{A}$. Below we recall some definitions and lemmas related to afore-mentioned two trapdoors.

Lemma 3

(Trapdoor generation [2]). Let q, n, m be positive parameters s.t. q is odd, $q\ge 3$ and $m=O(n\log q)$. There exists a PPT algorithm $\textsf{TrapGen}(1^n,1^m,q)$ that outputs matrices $\textbf{A}\in \mathbb {Z}_q^{n\times m}$ and $\textbf{T}_{\textbf{A}}\in \mathbb {Z}^{m\times m}$ s.t. the distribution of $\textbf{A}$ is statistically close to a uniform rank n matrix in $\mathbb {Z}_q^{n\times m}$ and matrix $\textbf{T}_{\textbf{A}}$ is a trapdoor for $\textbf{A}$ satisfying $\textbf{A}\textbf{T}_{\textbf{A}}=0^{n\times m}$, $\Vert \tilde{\textbf{T}}_{\textbf{A}}\Vert \le O(\sqrt{n\log q})$ and $\Vert \textbf{T}_{\textbf{A}}\Vert \le O(n\log q)$ with all but $2^{-n}$ probability.

Lemma 4

(Preimage sampling [19]). Let $q,n,m,\gamma $ be positive parameters s.t. $q\ge 2$. Let $\textbf{A}\in \mathbb {Z}_q^{n\times m}$ be a matrix with a trapdoor $\textbf{T}_{\textbf{A}}\in \mathbb {Z}^{m\times m}$. Let $\gamma \ge \Vert \tilde{\textbf{T}}_{\textbf{A}}\Vert \cdot \omega (\sqrt{\log m})$. For any $\textbf{u}\in \mathbb {Z}_q^n$, there exists a PPT algorithm $\textsf{SamplePre}(\textbf{A},\textbf{T}_{\textbf{A}},$ $\textbf{u},\gamma )$ that outputs $\textbf{s}\in \mathbb {Z}_q^m$ with distribution statistically close to $D_{\Lambda _q^{\textbf{u}}(\textbf{A}),\gamma }$.

Lemma 5

(Trapdoor delegation [33]). Let $q,n,m,m',\bar{m}$ be positive parameters and $\bar{m}=m+m'$. Let $\textbf{A}\in \mathbb {Z}_q^{n\times m}$ and $\textbf{A}'\in \mathbb {Z}_q^{n\times m'}$ be matrices and $\textbf{T}_{\textbf{A}}\in \mathbb {Z}^{m\times m}$ be a trapdoor for $\textbf{A}$. There exists a deterministic polynomial-time algorithm $\textsf{TrapDel}([\textbf{A}|\textbf{A}'],\textbf{T}_{\textbf{A}})$ that outputs a trapdoor $\textbf{T}_{\textbf{A}|\textbf{A}'}\in \mathbb {Z}_q^{\bar{m}\times \bar{m}}$ for the matrix $[\textbf{A}|\textbf{A}']$. Besides, it holds that $\Vert \tilde{\textbf{T}}_{\textbf{A}|\textbf{A}'}\Vert =\Vert \tilde{\textbf{T}}_{\textbf{A}}\Vert $.

Definition 3

(Gadget matrix [28]). For any integer modulus q, the gadget vector over $\mathbb {Z}_q$ is defined as $\textbf{g}^\top :=(1,2,4,\dots ,2^{\lceil \log q \rceil -1})\in \mathbb {Z}_q^{1\times \lceil \log q \rceil }$. Let $w:=n \lceil \log q \rceil $, the gadget matrix $\textbf{G}$ with full row rank is defined as:

$$\begin{aligned} \textbf{G}=\textbf{I}_n\otimes \textbf{g}^\top =\left( \begin{matrix} ~\textbf{g}^\top ~&{}\textbf{0}&{}\textbf{0}&{}\textbf{0}\\ \textbf{0}&{}~\textbf{g}^\top ~&{}\textbf{0}&{}\textbf{0}\\ \vdots &{}\vdots &{}\ddots &{}\vdots \\ \textbf{0}&{}\textbf{0}&{}\textbf{0}&{}~\textbf{g}^\top ~\\ \end{matrix}\right) \in \mathbb {Z}_q^{n \times w}. \end{aligned}$$

Lemma 6

(G-to-Basis [28]). Let n, m, q be positive integers and define $w:=n\lceil \log q \rceil $. Let $\textbf{A}\in \mathbb {Z}_q^{n\times m}$ be a matrix with a G-trapdoor $\textbf{R}\in \mathbb {Z}^{(m-w)\times w}$. There exists a PPT algorithm $\textsf{GtoBasis}(\textbf{R})$ that returns a trapdoor $\textbf{T}_{\textbf{A}}\in \mathbb {Z}^{m\times m}$ of $\textbf{A}$. Moreover, the trapdoor $\textbf{T}_{\textbf{A}}$ satisfies $\Vert \widetilde{\textbf{T}}_{\textbf{A}}\Vert \le \sqrt{5}(s_1(\textbf{R})+1)$.

We recall in Lemma 7 the results of homomorphic evaluations established by a sequence of works [6,7,8, 20] . Lemma 8 provides two statistically indistinguishable methods to generate $(\textbf{A},\textbf{h},\textbf{e})$ s.t. $\textbf{h}=\textbf{A}\textbf{e}$, where $\textbf{h}$ follows the uniform distribution and $\textbf{e}$ is short.

Lemma 7

(Homomorphic evaluation [6,7,8, 20]). Let $q,n,m,\ell $ and k be positive integers and define $w:=n\lceil \log q \rceil $. Let $\textbf{G}\in \mathbb {Z}_q^{n\times w}$ be the gadget matrix. Given a NAND boolean circuit $C:\{0,1\}^\ell \rightarrow \{0,1\}^k$ with circuit depth d, vector $\textbf{x}=(x_1,\dots ,x_\ell )^\top \in \{0,1\}^\ell $, and matrices $\textbf{A}\in \mathbb {Z}_q^{n\times m}$, $(\textbf{A}_i\in \mathbb {Z}_q^{n\times w})_{i\in [\ell ]}$ and $(\textbf{R}_i\in \{\pm 1\}^{m\times w})_{i\in [\ell ]}$, there exist two efficient deterministic algorithms.

Algorithm $\textsf{Eval}_{pub}(C,\textbf{A},(\textbf{A}_i)_{i\in [\ell ]})$ takes as inputs the circuit C and matrices $\textbf{A}$, $(\textbf{A}_i)_{i\in [\ell ]}$, and outputs a matrix $\textbf{A}_C\in \mathbb {Z}_q^{n\times kw}$.
Algorithm $\textsf{Eval}_{prv}(C,\textbf{A},\textbf{x},(\textbf{R}_i)_{i\in [\ell ]})$ takes as inputs the circuit C, matrix $\textbf{A}$, vector $\textbf{x}$ and matrices $(\textbf{R}_i)_{i\in [\ell ]}$, and outputs a matrix $\textbf{R}_C\in \mathbb {Z}^{m\times kw}$.

Homomorphism. If $\textbf{A}_i=\textbf{A}\textbf{R}_i+x_i\cdot \textbf{G}\in \mathbb {Z}_q^{n\times w}$ for all $i\in [\ell ]$, $\textbf{A}_C\leftarrow \textsf{Eval}_{pub}(C,\textbf{A},(\textbf{A}_i)_{i\in [\ell ]})$ and $\textbf{R}_C\leftarrow \textsf{Eval}_{prv}(C,\textbf{A},\textbf{x},(\textbf{R}_{i})_{i\in [\ell ]})$, then we have $\textbf{A}_C=\textbf{A}\textbf{R}_C+C(\textbf{x})\otimes \textbf{G}$, where $s_1(\textbf{R}_C)\le O(4^d\cdot m^{\frac{3}{2}})$. Particularly, when C is in the circuit class $NC^1$, i.e., C is of depth $d=c\log \ell $ for some constant c, we have $s_1(\textbf{R}_C)\le O(\ell ^{2c}\cdot m^{\frac{3}{2}})$.

Lemma 8

([19]). Let n, m, q be integers and $\gamma >2\sqrt{n\log q}$, then for all but negligible probability over $(\textbf{A},\textbf{T}_\textbf{A})\leftarrow \textsf{TrapGen}(1^n,1^m,q)$, it holds that

$$\begin{aligned} \{(\textbf{A},\textbf{h},\textbf{e})~|~\textbf{h}\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^n,\textbf{e}\leftarrow \textsf{SamplePre}(\textbf{A},&\textbf{T}_{\textbf{A}},\textbf{h},\gamma )\}\approx _s\\ &\{(\textbf{A},\textbf{h},\textbf{e})~|~\textbf{e}\leftarrow D_{\mathbb {Z}^m,\gamma },\textbf{h}:=\textbf{A}\textbf{e}\}. \end{aligned}$$

2.2 Computational Assumption

Definition 4

(The SIS assumption). Let q, n, m be positive integers and $\beta $ be a positive real. The (homogeneous) short integer solution (SIS) assumption $\textsf{SIS}_{n,q,\beta ,m}$ states that for any PPT adversary $\mathcal {A}$, its advantage satisfies:

$$\begin{aligned} \textsf{Adv}_{[n,q,\beta ,m],\mathcal {A}}^{\textsf{SIS}}(\kappa ):=\Pr \big [\mathcal {A}(\textbf{A})\rightarrow \textbf{e}: \textbf{A}\textbf{e}=0^n\wedge \textbf{e}\ne 0^m\wedge \Vert \textbf{e}\Vert \le \beta \big ]\le \textsf{negl}(\kappa ), \end{aligned}$$

where $\textbf{A}\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times m}$ and $0^n=(0,\dots ,0)^{\top }\in \mathbb {Z}_q^{n}$.

Lemma 9

(The hardness of SIS [19, 29, 30]). For any $m =\textsf{poly}(n)$ and any sufficiently large $q\ge \beta \cdot \textsf{poly}(n)$, solving $\textsf{SIS}_{n,q,\beta ,m}$ with non-negligible probability is at least as hard as solving the decisional approximate shortest vector problem $\textsf{GapSVP}_{\gamma }$ and the approximate shortest independent vector problem $\textsf{SIVP}_{\gamma }$ in the worst case with overwhelming probability, for some $\gamma =\beta \cdot \textsf{poly}(n)$.

Since GapSVP and SIVP are well-studied worst-case hard problems on lattices, the reduction from GapSVP and SIVP to SIS in Lemma 9 makes the SIS assumption a widely-accepted post-quantum assumption.

2.3 Pseudorandom Function

Definition 5

(Pseudorandom function family [21]). A pseudorandom function family $\textsf{PRF}:=\{F:\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\}$ is equipped with two polynomial time algorithms $(\textsf{Setup},\textsf{PRF})$ defined below.

$\textsf{Setup}(1^\kappa )$ takes as input the security parameter $\kappa \in \mathbb {N}$ and outputs a public parameter pp.
$\textsf{PRF}(pp,k,x)$ takes as inputs the public parameter pp, key $k\in \mathcal {K}$ and message $x\in \mathcal {X}$, and outputs $y\in \mathcal {Y}$. For simplicity, we will omit pp and just write it as $\textsf{PRF}(k,x)$ when the context is clear.

Pseudorandomness. Let $\textsf{RF}:\mathcal {X}\rightarrow \mathcal {Y}$ be a truly random function. For any PPT adversary $\mathcal {A}$, its advantage satisfies $\textsf{Adv}_{\textsf{PRF},\mathcal {A}}^{pse}(\kappa ):=\big |\Pr [\mathcal {A}^{\mathcal {O}_{\textsf{PRF}}(\cdot )}(pp)\Rightarrow 1]-\Pr [\mathcal {A}^{\mathcal {O}_{\textsf{RF}}(\cdot )}(pp)\Rightarrow 1]\big | \le \textsf{negl}(\kappa )$, where $pp\leftarrow \textsf{Setup}(1^\kappa )$, $k\xleftarrow {\mathsf {\$}}\mathcal {K}$, oracle $\mathcal {O}_{\textsf{PRF}}(x)$ returns $\textsf{PRF}(pp,k,x)$ and oracle $\mathcal {O}_{\textsf{RF}}(x)$ returns $\textsf{RF}(x)$.

3 Tagged Chameleon Hash

In this section, we propose a new primitive named tagged chameleon hash (tCH), which is characterized by four algorithms, the setup algorithm, hash algorithm, adapt algorithm and check algorithm. The setup algorithm generates public parameters pp along with a trapdoor td. The hash algorithm is a randomized one used for evaluating the hash value of a message m w.r.t. a tag $\tau $ and it outputs a randomness r serving as the witness of hashing relation among h, m and $\tau $. For simplicity, we just call h the hash value of $(\tau ,m,r)$. Given $(\tau ,h, m, r,m')$, where h is the hash value of $(\tau ,m,r)$ and $m'$ is a new message, the adapt algorithm uses the trapdoor td to find a randomness $r'$ so that $(\tau , m, r)$ and $(\tau , m', r')$ collide at the same hash value h. The check algorithm is used to decide whether h is the hash value of a tag-message-randomness triple $(\tau , m, r)$. For a tCH, we define the statistical indistinguishability, and provide two security notions: one is the full collision resistance ($\text {f-CR}$) defined following [13], and the other is a weaker one named the restricted collision resistance ($\text {r-CR}$). We show that when tCH works in the one-time tag mode, $\text {f-CR}$ and $\text {r-CR}$ are equivalent.

Definition 6

(Tagged chameleon hash). Let $\mathcal {M}$ be the message space and $\mathcal {T}$ be the tag space. A tagged chameleon hash (tCH) $\textsf{tCH}$ consists of four polynomial time algorithms $\textsf{tCH}=(\textsf{Setup},\textsf{Hash},\textsf{Adapt},\textsf{Check})$ defined as follows.

$\textsf{Setup}(1^\kappa )$ takes as input the security parameter $\kappa \in \mathbb {N}$ and returns a public parameter pp and a trapdoor td.
$\textsf{Hash}(pp,\tau ,m)$ takes as inputs the public parameter pp, a tag $\tau \in \mathcal {T}$ and a message $m\in \mathcal {M}$, and returns a hash value h and a randomness r.
$\textsf{Adapt}(td,\tau ,h,m,r,m')$ takes as inputs the trapdoor td, a tag $\tau \in \mathcal {T}$, a hash value h, a message $m\in \mathcal {M}$, a randomness r and a fresh target message $m'\in \mathcal {M}$, and returns a new randomness $r'$.
$\textsf{Check}(pp,\tau ,h,m,r)$ takes as inputs the public parameter pp, a tag $\tau \in \mathcal {T}$, a hash value h, a message $m\in \mathcal {M}$ and a randomness r, and returns a decision bit $b\in \{0,1\}$.

For expression simplicity, we will sometimes omit the “pp” part in the inputs of $\textsf{Hash}$ and $\textsf{Check}$, and just write them as $\textsf{Hash}(\tau ,m)$ and $\textsf{Check}(\tau ,h,m,r)$ respectively when the context is clear.

-Correctness. For all tag $\tau \in \mathcal {T}$ and messages $m,m'\in \mathcal {M}$, for all $(pp,td)\leftarrow \textsf{Setup}(1^\kappa )$, $(h,r)\leftarrow \textsf{Hash}(pp,\tau ,m)$ and $r'\leftarrow \textsf{Adapt}(td,\tau ,h,m,r,m')$, we have
$$\begin{aligned} \Pr \big [\textsf{Check}(pp,\tau ,h,m,r)=\textsf{Check}(pp,\tau ,h,m',r')=1\big ]\ge 1-\textsf{negl}(\kappa ). \end{aligned}$$
-Statistical Indistinguishability. For all tag $\tau \in \mathcal {T}$ and messages $m,m'\in \mathcal {M}$, and for $(pp,td)\leftarrow \textsf{Setup}(1^\kappa )$, it holds that
$$\begin{aligned} \big \{(h,r)~&|~(h,r)\leftarrow \textsf{Hash}(pp,\tau ,m)\big \}\\ \approx _{s}&~\big \{(h,r)~|~(h,r')\leftarrow \textsf{Hash}(pp,\tau ,m'),r\leftarrow \textsf{Adapt}(td,\tau ,h,m',r',m)\big \}. \end{aligned}$$
-Full collision resistance (f-CR). For any PPT adversary $\mathcal {A}$, its advantage satisfies $\textsf{Adv}_{\textsf{tCH},\mathcal {A}}^{fcr}(\kappa ):=\Pr [\textsf{Exp}_{\textsf{tCH},\mathcal {A}}^{fcr}(\kappa )\Rightarrow 1]\le \textsf{negl}(\kappa )$, where the experiment $\textsf{Exp}_{\textsf{tCH},\mathcal {A}}^{fcr}$ is described in Fig. 3 (left).
-Restricted collision resistance (r-CR). For any PPT adversary $\mathcal {A}$, its advantage satisfies $\textsf{Adv}_{\textsf{tCH},\mathcal {A}}^{rcr}(\kappa ):=\Pr [\textsf{Exp}_{\textsf{tCH},\mathcal {A}}^{rcr}(\kappa )\Rightarrow 1]\le \textsf{negl}(\kappa )$, where the experiment $\textsf{Exp}_{\textsf{tCH},\mathcal {A}}^{rcr}$ is described in Fig. 3 (right).

One-time tag mode for tCH. In this paper, we consider a special working mode for tagged chameleon hash, where every invocation of hash evaluation takes as input a distinct tag. The special working mode is named one-time tag mode. Note that in a tCH-based redactable blockchain, tCH just works in this mode when setting the unique identifier of the block (like the timestamp, hash value of its previous block, or its position in the chain) as its tag.

Definition 7

(One-time tag mode). A tCH scheme $\textsf{tCH}=(\textsf{Setup},$$\textsf{Hash},\textsf{Adapt},$ $\textsf{Check})$ works in the one-time tag mode if any $Q=\textsf{poly}(\kappa )$ invocations of $\textsf{Hash}(pp,\tau _i,m_i)$ with $i\in [Q]$, we have $\tau _k\ne \tau _j$ for any $k,j\in [Q]$ and $k\ne j$.

Next we show that $\text {f-CR}$ is equivalent to $\text {r-CR}$ in the one-time tag mode. It is easy to see that $\text {f-CR}$ implies $\text {r-CR}$. As for the other direction, we show in Theorem 1 that $\text {r-CR}$ implies $\text {f-CR}$ when a tCH works in the one-time tag mode.

Theorem 1

If a tagged chameleon hash $\textsf{tCH}$ satisfies the restricted collision resistance, then it also satisfies the full collision resistance when it is used in the one-time tag mode. More precisely, for any PPT adversary $\mathcal {A}$, it holds that

$$\begin{aligned} \textsf{Adv}_{\textsf{tCH},\mathcal {A}}^{fcr}(\kappa )\le \textsf{Adv}_{\textsf{tCH}}^{rcr}(\kappa ). \end{aligned}$$

A high-level idea of proof for Theorem 1 has been described in the introduction, and see our full version [26] for the detailed proof.

Remark. Ateniese and de Medeiros considered a chameleon hash with labels (abbrv., labeled CH) in [4]. Our tCH and labeled CH both take an extra tag/label as input, but they have different syntax, security notions and applications.

Syntax difference. Labeled CH involves an additional algorithm $\textsf{IForge}$, which generates $(m'',r'')$ given a collision pair $(\tau ,h,m,r,m',r')$ s.t. $h=\textsf{Hash}(\tau ,m'';$ $r'')=\textsf{Hash}(\tau ,m';r')=\textsf{Hash}(\tau ,m;r)$. In other words, anyone who obtains a collision for $(\tau ,h)$ can freely generate a new collision for the same $(\tau ,h)$. In contrast, our tCH can find a collision only with a secret trapdoor.
Security difference. Labeled CH requires a weaker security named the key-exposure freeness, which assures the infeasibility of finding a collision $(\tau ^*,h^*,$ $m^*,r^*,m^{\prime *},r^{\prime *})$ when no collision for the specific $\tau ^*$ has been revealed. In contrast, our CR/fCR allows the adversary to see polynomial collisions for the same target tag.
Application difference. Labeled CH is usually used to construct chameleon signature and it is not secure enough to be used in a redactable blockchain. Note that adversaries in a redactable blockchain may obtain multiple collisions towards one $(\tau ,h)$. With labeled CH, any one is able to create collisions for $(\tau ,h)$ using algorithm $\textsf{IForge}$, and then redactable blockchain becomes insecure. In contrast, our tCH with $\text {f-CR}$ security (or $\text {r-CR}$ security in one-time tag mode) serves for the security requirement from a redactable blockchain.

4 Lattice-Based Tagged Chameleon Hash

In this section, we propose two tCH constructions satisfying the restricted collision resistance based on the SIS assumption. In Subsect. 4.1, we propose a tCH construction in the standard model. In Subsect. 4.2, we provide another tCH scheme with tight security in the random oracle model.

4.1 tCH in the Standard Model

In this subsection, we propose a tCH construction from lattices, namely $\textsf{tCH}$, in the standard model.

First we introduce the building blocks and some notations used in our tCH construction. Let n, q, m be positive integers, and define $w:=n\lceil \log q\rceil $.

A pseudorandom function $\textsf{PRF}=(\textsf{PRF}.\textsf{Setup},\textsf{PRF})$ with key space $\{0,1\}^k$, input space $\{0,1\}^x$ and output space $\{0,1\}^y$.
Define a circuit $C[\textbf{x},\textbf{y}]:\{0,1\}^k\rightarrow \{0,1\}$ w.r.t. $\textsf{PRF}$ as below, where $\textbf{x}\in \{0,1\}^x$ and $\textbf{y}\in \{0,1\}^y$ are hard-wired to the circuit.
$$\begin{aligned} C[\textbf{x},\textbf{y}](\textbf{k})=\left\{ \begin{aligned} &~~1~~~\text {if } \textsf{PRF}(\textbf{k},\textbf{x})=\textbf{y},\\ &~~0~~~\text {otherwise.} \end{aligned}\right. \end{aligned}$$
(2)

Our tCH construction $\textsf{tCH}$ is given in Fig. 4.

Parameter setting. Parameters of our tCH construction include the security parameter $\kappa $, the dimension parameters k, x, y, t, h, the SIS parameters $n,m,q,\beta $ and the Gaussian parameter $\gamma $. Define $w:=n\lceil \log q\rceil $. The afore-mentioned parameters are required to satisfy the following conditions simultaneously.

Let $k,x,y,t,h=\textsf{poly}(\kappa )$ be positive integers and $x=t+h+k$.
Let $n,q,m, \beta $ be positive parameters, $n,m,\beta ,q=\textsf{poly}(\kappa )$ and $\beta \cdot \textsf{poly}(n)\le q$ so that the SIS problem is hard according to Lemma 9.
Let $\gamma \ge O(\kappa ^c)\cdot \omega (\sqrt{m+w})$ with some constant c and $\gamma \ge O(n\log q)\cdot \omega (\sqrt{m+w})$ so that Lemma 4 can be applied.
Let $m=O(n\log q)$ and $\gamma \cdot O(\kappa ^c)\cdot \sqrt{m+w}\le \beta $ with some constant c to serve for our security proof.

Theorem 2

Let $\textsf{PRF}$ be a pseudorandom function. Given parameters described above, construction $\textsf{tCH}$ in Fig. 4 is a tagged chameleon hash if the $\textsf{SIS}_{n,q,\beta ,m}$ assumption holds. Furthermore, restricted collision resistance of $\textsf{tCH}$ is tightly reduced to the SIS assumption and the pseudorandomness of $\textsf{PRF}$:

$$\begin{aligned} \Pr [\textsf{Exp}_{\textsf{tCH},\mathcal {A}}^{rcr}(\kappa )\Rightarrow 1]\le \textsf{Adv}_{[n,q,\beta ,m]}^{\textsf{SIS}}(\kappa )+2\textsf{Adv}_{\textsf{PRF}}^{pse}(\kappa )+2^{-O(\kappa )}. \end{aligned}$$

$\underline{\textit{Correctness}~\textit{of}~\textsf {tCH}\textit{.}}$ It follows directly from Lemma 5 (trapdoor delegation), Lemma 4 (preimage sampling) and Lemma 7 (homomorphic evaluation), and we omit the proof of it here.

$\underline{\textit{Proof}~\textit{of}~\textit{statistical}~\textit{indistinguishability}~\textit{for}~\textsf {tCH}\textit{.}}$ We prove that, given tag $\tau $ and messages $\textbf{m},\textbf{m}'$, the distribution of $(\textbf{h},r)$ generated by Hash is statistically close to that generated by Hash-then-Adapt.

First consider the distribution of $(\textbf{h},r)$ generated by Hash, i.e., $(\textbf{h},r)\leftarrow \textsf{Hash}(\tau ,\textbf{m})$. It follows the distribution $D_{\textsf{H}}$ defined below:

$$\begin{aligned} D_{\textsf{H}}:=\left\{ (\textbf{h},r=(\textbf{z},\textbf{y},\textbf{e}))~\left| ~\begin{aligned} &\textbf{z}\xleftarrow {\mathsf {\$}}\{0,1\}^\kappa ,\textbf{y}\xleftarrow {\mathsf {\$}}\{0,1\}^y,\\ &\textbf{e}\leftarrow D_{\mathbb {Z}^{m+w},\gamma }, \textbf{h}=[\textbf{A}|\textbf{A}_{\textsf{prf}}]\cdot \textbf{e}\end{aligned}\right\} \right. , \end{aligned}$$

where $\textbf{A}_\textsf{prf}$ is deterministically computed from $\tau ,\textbf{m}$, the public parameters $(\textbf{A},$ $\{\textbf{A}_i\}_{i\in [k]},$ $\{\hat{\textbf{A}}_i\}_{i\in [h]})$ and uniformly chosen $\textbf{z},\textbf{y}$ (see algorithm $\textsf{Hash}$ in Fig. 4).

Next consider the distribution of $(\textbf{h},r)$ generated by Hash-then-Adapt, i.e., first $(\textbf{h},r'=(\textbf{z}',\textbf{y}',\textbf{e}'))\leftarrow \textsf{Hash}(\tau ,\textbf{m}')$ and then $r\leftarrow \textsf{Adapt}(td,\tau ,\textbf{h},\textbf{m}',r',\textbf{m})$. It follows the distribution $ D_{\textsf{H} \& \textsf{A}}$ defined below:

where $\textbf{A}_\textsf{prf}$ is computed in the same way as above, and $\textbf{A}'_{\textsf{prf}}$ is generated similar to $\textbf{A}_{\textsf{prf}}$ but with $\textbf{m}',\textbf{z}'$ and $\textbf{y}'$.

First we show that $\textbf{h}:=[\textbf{A}|\textbf{A}'_{\textsf{prf}}] \cdot \textbf{e}'$ in $ D_{\textsf{H} \& \textsf{A}}$ is statistically close to the uniform distribution over $\mathbb {Z}_q^n$. Note that

$$\begin{aligned} \textbf{h}:=[\textbf{A}|\textbf{A}'_{\textsf{prf}}] \cdot \textbf{e}'=\textbf{A}\textbf{e}'_1+\textbf{A}'_{\textsf{prf}}\textbf{e}'_2\approx _s \textbf{u}'+\textbf{A}'_{\textsf{prf}}\textbf{e}'_2\equiv \textbf{u}, \end{aligned}$$

where $\textbf{u}',\textbf{u}\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n}$, $\textbf{e}'=(\textbf{e}_1'\Vert \textbf{e}_2')\leftarrow D_{\mathbb {Z}^{m+w},\sigma }$, $\textbf{e}_1'\in \mathbb {Z}_q^m$ and $\textbf{e}_2'\in \mathbb {Z}_q^w$. The “$\approx _s$” follows from Lemma 2 and “$\equiv $” follows from the uniformity of $\textbf{u}'$. Therefore, it holds that $ D_{\textsf{H} \& \textsf{A}}\approx _s D'_{\textsf{H} \& \textsf{A}}$, where

Then according to Lemma 8, $ D_{\textsf{H}}\approx _s D'_{\textsf{H} \& \textsf{A}}$. Therefore, $ D_{\textsf{H}}\approx _s D_{\textsf{H} \& \textsf{A}}$ by triangle inequality and this proves the statistical indistinguishability of $\textsf{tCH}$. $\square $

$\underline{\textit{Proof}~\textit{of}~\textit{restricted}~\textit{collision}~\textit{resistance}~\textit{for}~\textsf {tCH}\textit{.}}$ We define a sequence of hybrid games $\textsf{G}_0\sim \textsf{G}_4$, where $\textsf{G}_0$ is identical to $\textsf{Exp}_{\textsf{tCH},\mathcal {A}}^{rcr}(\kappa )$ defined in Fig. 3. We show that $\textsf{G}_{i}$ and $\textsf{G}_{i-1}$ are indistinguishable for all $i\in [4]$, and in $\textsf{G}_4$, the adversary wins with negligible probability. The differences between adjacent games are highlighted in . Assume that $\mathcal {A}$ makes at most Q adaptation queries.

Game $\textsf{G}_0$. Game $\textsf{G}_0$ is identical to $\textsf{Exp}_{\textsf{tCH},\mathcal {A}}^{rcr}(\kappa )$ defined by Fig. 3.

0.
The challenger $\mathcal {C}$ initializes set $\mathcal {Q}_{\textsf{Adapt}}:=\emptyset $.
1.
During the setup phase, the challenger $\mathcal {C}$ proceeds as follows.
- Generate $pp_{\textsf{prf}}\leftarrow \textsf{PRF}.\textsf{Setup}(1^\kappa )$.
- Generate $(\textbf{A},\textbf{T}_{\textbf{A}})\leftarrow \textsf{TrapGen}(1^n,1^{m},q)$.
- Sample $\textbf{A}_i\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times w}$ for $i\in [k]$. Sample $\hat{\textbf{A}}_i\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times w}$ for $i\in [h]$.
- $pp:=(pp_{\textsf{prf}},\textbf{A},\{\textbf{A}_i\}_{i\in [k]},\{\hat{\textbf{A}}_i\}_{i\in [h]})$, $td:=(pp,\textbf{T}_{\textbf{A}})$ and send pp to $\mathcal {A}$.
2.
Upon an adaptation query $(\tau ,\textbf{h},\textbf{m},r,\textbf{m}')$ from $\mathcal {A}$, $\mathcal {C}$ proceeds as follows.
- If $\exists ~(\tau ,\textbf{h}'',\textbf{m})\in \mathcal {Q}_{\textsf{Adapt}}\wedge \textbf{h}''\ne \textbf{h}$, or $\exists ~ (\tau ,\cdot ,\textbf{m}')\in \mathcal {Q}_{\textsf{Adapt}}$, or $\textsf{Check}(\tau ,$ $\textbf{h},\textbf{m},r)=0$ holds, return $\bot $; otherwise, continue.
- Sample $\textbf{z}'\xleftarrow {\mathsf {\$}}\{0,1\}^\kappa $ and set $\textbf{x}':=\tau \Vert \textbf{m}'\Vert \textbf{z}'$.
- Sample $\textbf{y}'\xleftarrow {\mathsf {\$}}\{0,1\}^y$ and construct $C[\textbf{x}',\textbf{y}']$ as defined by (2).
- $\textbf{C}'_{\textsf{prf}}\leftarrow \textsf{Eval}_{pub}(C[\textbf{x}',\textbf{y}'](\cdot ),\textbf{A},\{\textbf{A}_i\}_{i\in [k]})$ and $\textbf{B}'_{\textsf{prf}}:=\sum _{i\in [h]}m'_i\hat{\textbf{A}}_i$.
- Set $\textbf{A}'_{\textsf{prf}}:=\textbf{C}'_{\textsf{prf}}+\textbf{B}'_{\textsf{prf}}$. Delegate $\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}}\leftarrow \textsf{TrapDel}([\textbf{A}|\textbf{A}'_{\textsf{prf}}],\textbf{T}_{\textbf{A}})$.
- $\textbf{e}'=(\textbf{e}'_1,\textbf{e}'_2)\leftarrow \textsf{SamplePre}([\textbf{A}|\textbf{A}'_{\textsf{prf}}],\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}},\textbf{h},\gamma )$ s.t. $\textbf{e}'_2\ne 0^{w}$.
- Send $r':=(\textbf{z}',\textbf{y}',\textbf{e}')$ to $\mathcal {A}$ and $\mathcal {Q}_{\textsf{Adapt}}:=\mathcal {Q}_{\textsf{Adapt}}\cup \{(\tau ,\textbf{h},\textbf{m}),(\tau ,\textbf{h},\textbf{m}')\}$.
3.
On receiving the forgery $(\tau ^*,\textbf{h}^*,\textbf{m}^*,r^*,\textbf{m}^{\prime *},r^{\prime *})$, $\mathcal {C}$ makes the following checks, and returns 0 if any of them fails. Otherwise, $\mathcal {C}$ returns 1.
- Check if $\textsf{Check}(\tau ^*,\textbf{h}^*,\textbf{m}^*,r^*)=\textsf{Check}(\tau ^*,\textbf{h}^*,\textbf{m}^{\prime *},r^{\prime *})=1$.
- Check if $\textbf{m}^*\ne \textbf{m}^{\prime *}$ and $\textsf{Valid}(\tau ^*,\textbf{h}^*,\textbf{m}^*,\textbf{m}^{\prime *})=1$.

By definition, we have $\Pr [\textsf{G}_0\Rightarrow 1]=\Pr [\textsf{Exp}_{\textsf{tCH},\mathcal {A}}^{rcr}(\kappa )\Rightarrow 1]$.

Game $\textsf{G}_1$. Game $\textsf{G}_1$ is similar to $\textsf{G}_0$ except for the generation of $\textbf{y}'$ in the adaptation query phase. In $\textsf{G}_0$, $\textbf{y}'$ is sampled uniformly at random for each adaptation query. In $\textsf{G}_1$, $\textbf{y}'$ is computed by $\textsf{PRF}$, i.e., $\textbf{y}'\leftarrow \textsf{PRF}(\textbf{k},\textbf{x}')$, where key $\textbf{k}\xleftarrow {\mathsf {\$}}\{0,1\}^k$ is sampled in the setup phase.

$1'.$:: During the setup phase, the challenger $\mathcal {C}$ proceeds as follows.

Generate $pp_{\textsf{prf}}\leftarrow \textsf{PRF}.\textsf{Setup}(1^\kappa )$ and .
Generate $(\textbf{A},\textbf{T}_{\textbf{A}})\leftarrow \textsf{TrapGen}(1^n,1^{m},q)$.
Sample $\textbf{A}_i\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times w}$ for $i\in [k]$. Sample $\hat{\textbf{A}}_i\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times w}$ for $i\in [h]$.
$pp:=(pp_{\textsf{prf}},\textbf{A},\{\textbf{A}_i\}_{i\in [k]},\{\hat{\textbf{A}}_i\}_{i\in [h]})$, $td:=(pp,\textbf{T}_{\textbf{A}})$ and send pp to $\mathcal {A}$.

$2'.$:: Upon an adaptation query $(\tau ,\textbf{h},\textbf{m},r,\textbf{m}')$ from $\mathcal {A}$, $\mathcal {C}$ proceeds as follows.

If $\exists ~(\tau ,\textbf{h}'',\textbf{m})\in \mathcal {Q}_{\textsf{Adapt}}\wedge \textbf{h}''\ne \textbf{h}$, or $\exists ~ (\tau ,\cdot ,\textbf{m}')\in \mathcal {Q}_{\textsf{Adapt}}$, or $\textsf{Check}(\tau ,$ $\textbf{h},\textbf{m},r)=0$ holds, return $\bot $; otherwise, continue.
Sample $\textbf{z}'\xleftarrow {\mathsf {\$}}\{0,1\}^\kappa $ and set $\textbf{x}':=\tau \Vert \textbf{m}'\Vert \textbf{z}'$.
and construct $C[\textbf{x}',\textbf{y}']$ as defined by (2).
$\textbf{C}'_{\textsf{prf}}\leftarrow \textsf{Eval}_{pub}(C[\textbf{x}',\textbf{y}'](\cdot ),\textbf{A},\{\textbf{A}_i\}_{i\in [k]})$ and $\textbf{B}'_{\textsf{prf}}:=\sum _{i\in [h]}m'_i\hat{\textbf{A}}_i$.
Set $\textbf{A}'_{\textsf{prf}}:=\textbf{C}'_{\textsf{prf}}+\textbf{B}'_{\textsf{prf}}$. Delegate $\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}}\leftarrow \textsf{TrapDel}([\textbf{A}|\textbf{A}'_{\textsf{prf}}],\textbf{T}_{\textbf{A}})$.
$\textbf{e}'=(\textbf{e}'_1,\textbf{e}'_2)\leftarrow \textsf{SamplePre}([\textbf{A}|\textbf{A}'_{\textsf{prf}}],\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}},\textbf{h},\gamma )$ s.t. $\textbf{e}'_2\ne 0^{w}$.
Send $r':=(\textbf{z}',\textbf{y}',\textbf{e}')$ to $\mathcal {A}$ and $\mathcal {Q}_{\textsf{Adapt}}:=\mathcal {Q}_{\textsf{Adapt}}\cup \{(\tau ,\textbf{h},\textbf{m}),(\tau ,\textbf{h},\textbf{m}')\}$.

Lemma 10

Games $\textsf{G}_1$ and $\textsf{G}_2$ are computationally indistinguishable due to the pseudorandomness of $\textsf{PRF}$, i.e., $|\Pr [\textsf{G}_1\Rightarrow 1]-\Pr [\textsf{G}_2\Rightarrow 1]|\le \textsf{Adv}_{\textsf{PRF}}^{pse}(\kappa )+2^{-O(\kappa )}$.

Proof of Lemma 10 (sketch). Note that $\textbf{z}'\xleftarrow {\mathsf {\$}}\{0,1\}^\kappa $ is sampled uniformly at random for each adaptation query, then all $\textbf{x}'=\tau \Vert \textbf{m}'\Vert \textbf{z}'$ constructed for the adaptation queries are different from each other with probability $1-2^{-O(\kappa )}$. Now according to the pseudorandomness of $\textsf{PRF}$, we know that the distribution of $\textbf{y}'\xleftarrow {\mathsf {\$}}\{0,1\}^y$ is computationally indistinguishable from that of $\textbf{y}'\leftarrow \textsf{PRF}(\textbf{k},\textbf{x}')$ and this proves Lemma 10. $\square $

Game $\textsf{G}_2$. Game $\textsf{G}_2$ is similar to $\textsf{G}_1$ except for the generations of $\{\textbf{A}_i\}_{i\in [k]}$ and $\{\hat{\textbf{A}}_i\}_{i\in [h]}$ in the setup phase, and the computations of $\textbf{A}'_{\textsf{prf}}$ in the adaptation query phase. In $\textsf{G}_1$, $\textbf{A}_i\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times w}$ and $\hat{\textbf{A}}_i\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times w}$ are sampled uniformly at random in the setup phase, and $\textbf{A}'_{\textsf{prf}}$ is computed by $\textsf{Eval}_{pub}$ from $\textbf{A}_i$’s and $\hat{\textbf{A}}_i$’s when answering each adaptation query. In $\textsf{G}_2$, $\textbf{A}_i$ and $\hat{\textbf{A}}_i$ are computed by $\textbf{A}_i:=\textbf{A}\textbf{R}_i+k_i\textbf{G}$ and $\hat{\textbf{A}}_i:=\textbf{A}\hat{\textbf{R}}_i$ with $\textbf{R}_{i}\xleftarrow {\mathsf {\$}}\{\pm 1\}^{m\times w}$ and $\hat{\textbf{R}}_i\xleftarrow {\mathsf {\$}}\{\pm 1\}^{m\times w}$ in the setup phase, and $\textbf{A}'_{\textsf{prf}}:=\textbf{A}\textbf{R}'_{\textsf{prf}}+\textbf{G}$ when answering each adaptation query with $\textbf{R}'_{\textsf{prf}}$ computed by $\textsf{Eval}_{prv}$ from $\textbf{R}_i$’s and $\hat{\textbf{R}}_i$’s.

$1''.$:: During the setup phase, the challenger $\mathcal {C}$ proceeds as follows.

Generate $pp_{\textsf{prf}}\leftarrow \textsf{PRF}.\textsf{Setup}(1^\kappa )$ and sample $\textbf{k}\xleftarrow {\mathsf {\$}}\{0,1\}^k$.
Generate $(\textbf{A},\textbf{T}_{\textbf{A}})\leftarrow \textsf{TrapGen}(1^n,1^{m},q)$.
$pp:=(pp_{\textsf{prf}},\textbf{A},\{\textbf{A}_i\}_{i\in [k]},\{\hat{\textbf{A}}_i\}_{i\in [h]})$, $td:=(pp,\textbf{T}_{\textbf{A}})$ and send pp to $\mathcal {A}$.

$2''.$:: Upon an adaptation query $(\tau ,\textbf{h},\textbf{m},r,\textbf{m}')$ from $\mathcal {A}$, $\mathcal {C}$ proceeds as follows.

If $\exists ~(\tau ,\textbf{h}'',\textbf{m})\in \mathcal {Q}_{\textsf{Adapt}}\wedge \textbf{h}''\ne \textbf{h}$, or $\exists ~ (\tau ,\cdot ,\textbf{m}')\in \mathcal {Q}_{\textsf{Adapt}}$, or $\textsf{Check}(\tau ,$ $\textbf{h},\textbf{m},r)=0$ holds, return $\bot $; otherwise, continue.
Sample $\textbf{z}'\xleftarrow {\mathsf {\$}}\{0,1\}^\kappa $ and set $\textbf{x}':=\tau \Vert \textbf{m}'\Vert \textbf{z}'$.
Compute $\textbf{y}'\leftarrow \textsf{PRF}(\textbf{k},\textbf{x}')$ and construct $C[\textbf{x}',\textbf{y}']$ as defined by (2).
.
Delegate $\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}}\leftarrow \textsf{TrapDel}([\textbf{A}|\textbf{A}'_{\textsf{prf}}],\textbf{T}_{\textbf{A}})$.
$\textbf{e}'=(\textbf{e}'_1,\textbf{e}'_2)\leftarrow \textsf{SamplePre}([\textbf{A}|\textbf{A}'_{\textsf{prf}}],\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}},\textbf{h},\gamma )$ s.t. $\textbf{e}'_2\ne 0^{w}$.
Send $r':=(\textbf{z}',\textbf{y}',\textbf{e}')$ to $\mathcal {A}$ and $\mathcal {Q}_{\textsf{Adapt}}:=\mathcal {Q}_{\textsf{Adapt}}\cup \{(\tau ,\textbf{h},\textbf{m}),(\tau ,\textbf{h},\textbf{m}')\}$.

Lemma 11

Games $\textsf{G}_1$ and $\textsf{G}_2$ are statistically indistinguishable and $|\Pr [\textsf{G}_1\Rightarrow 1]-\Pr [\textsf{G}_2\Rightarrow 1]|\le 2^{-O(\kappa )}$.

Proof of Lemma 11. For each $i\in [k]$, we have

$$\begin{aligned} \textbf{A}_i:=\textbf{A}\textbf{R}_i+k_i\textbf{G}\text { (in }\textsf{G}_2\text {) }\approx _{s} \textbf{U}_i+k_i\textbf{G}~\equiv ~\textbf{U}'_i=:\textbf{A}_i\text { (in }\textsf{G}_1\text {) }, \end{aligned}$$

where $\textbf{R}_i\xleftarrow {\mathsf {\$}}\{\pm 1\}^{m\times w}$ and $\textbf{U}_i,\textbf{U}'_i\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times w}$. The “$\approx _{s}$” follows from Lemma 2 (randomness extraction) and the triangle inequality. The “$\equiv $” holds due to the uniformity of $\textbf{U}_i$. Similarly, we can prove that the distribution of $\{\hat{\textbf{A}}_i\}_{i\in [h]}$ in $\textsf{G}_1$ is statistically indistinguishable from that of $\{\hat{\textbf{A}}_i\}_{i\in [h]}$ in $\textsf{G}_2$ by

$$\begin{aligned} \hat{\textbf{A}}_i:=\textbf{A}\hat{\textbf{R}}_i\text { (in }\textsf{G}_2\text {) }~\approx _{s} ~\textbf{U}_i=:\hat{\textbf{A}}\text { (in }\textsf{G}_1\text {) }, \end{aligned}$$

where $\textbf{R}_i\xleftarrow {\mathsf {\$}}\{\pm 1\}^{m\times w}$ and $\textbf{U}_i\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times w}$.

Next we show that $\textbf{A}_{\textsf{prf}}'$ computed by $\textsf{Eval}_{pub}$ from $\textbf{A}_i$’s and $\hat{\textbf{A}}_i$’s in $\textsf{G}_1$ is identical to that computed by $\textsf{Eval}_{prv}$ from $\textbf{R}_i$’s and $\hat{\textbf{R}}_i$’s in $\textsf{G}_2$. Given $\textbf{A}_i=\textbf{A}\textbf{R}_i+k_i\textbf{G}$ for $i\in [k]$, we have $\textbf{C}_{\textsf{prf}}':=\textbf{A}\textbf{S}'_{\textsf{prf}}+C[\textbf{x}',\textbf{y}'](\textbf{k})\cdot \textbf{G}=\textbf{A}\textbf{S}'_{\textsf{prf}}+\textbf{G}$ with $\textbf{C}'_{\textsf{prf}}\leftarrow \textsf{Eval}_{pub}(C[\textbf{x}',\textbf{y}'](\cdot ),\textbf{A},$ $\{\textbf{A}_i\}_{i\in [k]})$ and $\textbf{S}'_{\textsf{prf}}\leftarrow \textsf{Eval}_{prv}(C[\textbf{x}',\textbf{y}'](\cdot ),\textbf{A},\textbf{k},\{\textbf{R}_i\}_{i\in [k]})$ due to Lemma 7 (homomorphic evaluation) and the fact that $\textbf{y}'=\textsf{PRF}(\textbf{k},\textbf{x}')$. Besides, given $\hat{\textbf{A}}_i=\textbf{A}\hat{\textbf{R}}_i$, we have $\textbf{B}'_{\textsf{prf}}:=\sum _{i\in [h]}m'_i\hat{\textbf{A}}_i=\textbf{A}\sum _{i\in [h]}m'_i\hat{\textbf{R}}_i=\textbf{A}\textbf{P}'_{\textsf{prf}}$. Then it holds that $\textbf{A}'_{\textsf{prf}}:=\textbf{C}'_{\textsf{prf}}+\textbf{B}'_{\textsf{prf}}=\textbf{A}\textbf{S}'_{\textsf{prf}}+\textbf{G}+\textbf{A}\textbf{P}'_{\textsf{prf}}=\textbf{A}\textbf{R}'_{\textsf{prf}}+\textbf{G}$ with $\textbf{R}'_{\textsf{prf}}=\textbf{S}'_{\textsf{prf}}+\textbf{P}'_{\textsf{prf}}$. This completes the proof. $\square $

Game $\textsf{G}_3$. Game $\textsf{G}_3$ is similar to $\textsf{G}_2$ except for the generation of the trapdoor $\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}}$ in the adaptation query phase. In $\textsf{G}_2$, $\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}}$ is delegated from $\textbf{T}_{\textbf{A}}$. In $\textsf{G}_3$, $\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}}$ is generated from a G-trapdoor of $[\textbf{A}|\textbf{A}'_{\textsf{prf}}]$.

$2'''.$:: Upon an adaptation query $(\tau ,\textbf{h},\textbf{m},r,\textbf{m}')$ from $\mathcal {A}$, $\mathcal {C}$ proceeds as follows.

If $\exists ~(\tau ,\textbf{h}'',\textbf{m})\in \mathcal {Q}_{\textsf{Adapt}}\wedge \textbf{h}''\ne \textbf{h}$, or $\exists ~ (\tau ,\cdot ,\textbf{m}')\in \mathcal {Q}_{\textsf{Adapt}}$, or $\textsf{Check}(\tau ,$ $\textbf{h},\textbf{m},r)=0$ holds, return $\bot $; otherwise, continue.
Sample $\textbf{z}'\xleftarrow {\mathsf {\$}}\{0,1\}^\kappa $ and set $\textbf{x}':=\tau \Vert \textbf{m}'\Vert \textbf{z}'$.
Compute $\textbf{y}'\leftarrow \textsf{PRF}(\textbf{k},\textbf{x}')$ and construct $C[\textbf{x}',\textbf{y}']$ as defined by (2).
$\textbf{S}'_{\textsf{prf}}\leftarrow \textsf{Eval}_{prv}(C[\textbf{x}',\textbf{y}'](\cdot ),\textbf{A},\textbf{k},\{\textbf{R}_i\}_{i\in [k]})$ and $\textbf{P}'_{\textsf{prf}}:=\sum _{i\in [h]}m'_i\hat{\textbf{R}}_i$.
Set $\textbf{R}'_{\textsf{prf}}:=\textbf{S}'_{\textsf{prf}}+\textbf{P}'_{\textsf{prf}}$ and $\textbf{A}'_{\textsf{prf}}:=\textbf{A}\textbf{R}'_{\textsf{prf}}+\textbf{G}$. .
$\textbf{e}'=(\textbf{e}'_1,\textbf{e}'_2)\leftarrow \textsf{SamplePre}([\textbf{A}|\textbf{A}'_{\textsf{prf}}],\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}},\textbf{h},\gamma )$ s.t. $\textbf{e}'_2\ne 0^{w}$.
Send $r':=(\textbf{z}',\textbf{y}',\textbf{e}')$ to $\mathcal {A}$ and $\mathcal {Q}_{\textsf{Adapt}}:=\mathcal {Q}_{\textsf{Adapt}}\cup \{(\tau ,\textbf{h},\textbf{m}),(\tau ,\textbf{h},\textbf{m}')\}$.

Lemma 12

Games $\textsf{G}_2$ and $\textsf{G}_3$ are statistically indistinguishable and $|\Pr [\textsf{G}_2\Rightarrow 1]-\Pr [\textsf{G}_3\Rightarrow 1]|\le 2^{-\kappa }$.

Proof of Lemma 12. Note that the changes in $\textsf{G}_3$ only influence the sampling of $\textbf{e}'$ during the adaptation query phase, then it suffices to show that the distribution of $\textbf{e}'$ in $\textsf{G}_3$ is identical to that in $\textsf{G}_2$. In $\textsf{G}_2$, $\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}}$ is delegated from $\textbf{T}_{\textbf{A}}$ and of norm $\Vert \tilde{\textbf{T}}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}}\Vert =\Vert \tilde{\textbf{T}}_{\textbf{A}}\Vert \le O(\sqrt{n\log q})$ according to Lemma 5 (trapdoor delegation). Together with Lemma 4 (preimage sampling) and the parameter setting that $\gamma > O(\sqrt{n\log q})\cdot \omega (\sqrt{m+w})$, the vector $\textbf{e}'$ sampled in $\textsf{G}_2$ follows the distribution $D_{\Lambda _q^{\textbf{h}}(\textbf{A}),\gamma }$. In $\textsf{G}_3$, we have $\textbf{A}'_{\textsf{prf}}=\textbf{A}\textbf{R}'_{\textsf{prf}}+\textbf{G}$, and hence $\textbf{R}'_{\textsf{prf}}$ is a G-trapdoor for $[\textbf{A}|\textbf{A}'_{\textsf{prf}}]$ according to [28]. Then according to Lemma 6 (G-to-basis), $\textbf{T}_{\textbf{A}|\textbf{A}_{\textsf{prf}}'}$ generated from the G-trapdoor $\textbf{R}'_{\textsf{prf}}$ is also a trapdoor for $[\textbf{A}|\textbf{A}'_{\textsf{prf}}]$ with norm $\Vert \tilde{\textbf{T}}_{\textbf{A}|\textbf{A}'_\textsf{prf}}\Vert =\sqrt{5}(s_1(\textbf{R}'_{\textsf{prf}})+1)\le O(\kappa ^c)$ for some constant c. Together with Lemma 4 (preimage sampling) and the parameter setting that $\gamma \ge O(\kappa ^c)\cdot \omega (\sqrt{m+w})$, the vector $\textbf{e}'$ sampled in $\textsf{G}_3$ also follows the distribution $D_{\Lambda _q^{\textbf{h}}(\textbf{A}),\gamma }$. This completes the proof. $\square $

Game $\textsf{G}_4$. Game $\textsf{G}_4$ is similar to $\textsf{G}_3$ except for the generation of $\textbf{A}$ in the setup phase. In $\textsf{G}_3$, $\textbf{A}$ is generated by algorithm $(\textbf{A},\textbf{T}_{\textbf{A}})\leftarrow \textsf{TrapGen}(1^n,1^m,q)$. In $\textsf{G}_4$, $\textbf{A}\xleftarrow {\mathsf {\$}}\mathbb {Z}_q^{n\times m}$ is sampled uniformly at random.

$1'''.$:: During the setup phase, the challenger $\mathcal {C}$ proceeds as follows.

Generate $pp_{\textsf{prf}}\leftarrow \textsf{PRF}.\textsf{Setup}(1^\kappa )$ and sample $\textbf{k}\xleftarrow {\mathsf {\$}}\{0,1\}^k$.
Sample
Sample $\textbf{R}_i\xleftarrow {\mathsf {\$}}\{\pm 1\}^{m\times w}$ and set $\textbf{A}_i:=\textbf{A}\textbf{R}_i+k_i\textbf{G}$ for $i\in [k]$. Sample $\hat{\textbf{R}}_i\xleftarrow {\mathsf {\$}}\{\pm 1\}^{m\times w}$ and set $\hat{\textbf{A}}_i:=\textbf{A}\hat{\textbf{R}}_i$ for $i\in [h]$.
$pp:=(pp_{\textsf{prf}},\textbf{A},\{\textbf{A}_i\}_{i\in [k]},\{\hat{\textbf{A}}_i\}_{i\in [h]})$, and send pp to $\mathcal {A}$.

Lemma 13

Games $\textsf{G}_3$ and $\textsf{G}_4$ are statistically indistinguishable and $|\Pr [\textsf{G}_3\Rightarrow 1]-\Pr [\textsf{G}_4\Rightarrow 1]|\le 2^{-\kappa }$.

Lemma 13 holds directly from Lemma 3 (trapdoor generation).

Next we show that any PPT adversary $\mathcal {A}$ wins in $\textsf{G}_4$ with negligible probability. To do this, we classify the adversaries into two types, $\mathcal {A}^{(I)}$ and $\mathcal {A}^{(II)}$.

Type I: $\mathcal {A}^{(I)}$ finally submits a forgery $(\tau ^*,\textbf{h}^*,\textbf{m}^*,r^*,\textbf{m}^{\prime *},r^{\prime *})$ satisfying the first $\textsf{Valid}$ condition, i.e., $(\tau ^*,\cdot ,\textbf{m}^*)\notin \mathcal {Q}_{\textsf{Adapt}}\wedge (\tau ^*,\textbf{h}^*,\textbf{m}^{\prime *})\in \mathcal {Q}_{\textsf{Adapt}}$.
Type II: $\mathcal {A}^{(II)}$ finally submits a forgery $(\tau ^*,\textbf{h}^*,\textbf{m}^*,r^*,\textbf{m}^{\prime *},r^{\prime *})$ satisfying the second $\textsf{Valid}$ condition, i.e., $(\tau ^*,\cdot ,\textbf{m}^*)\notin \mathcal {Q}_{\textsf{Adapt}}\wedge (\tau ^*,\cdot ,\textbf{m}^{\prime *})\notin \mathcal {Q}_{\textsf{Adapt}}$.

Next we show in Lemma 14 that $\mathcal {A}^{(I)}$ and $\mathcal {A}^{(II)}$ hardly win in $\textsf{G}_4$.

Lemma 14

For any PPT adversary $\mathcal {A}^{(T)}$ with $T\in \{I,II\}$, it holds that $\Pr [\textsf{G}_{4}\Rightarrow 1]\le \textsf{Adv}^{pse}_{\textsf{PRF}}(\kappa )+\textsf{Adv}_{[n,q,\beta ,m]}^{\textsf{SIS}}(\kappa )+2^{-\kappa }$.

Proof of Lemma 14. We consider $\mathcal {A}^{(I)}$ and $\mathcal {A}^{(II)}$ separately.

First, we prove that if there exists a PPT $\mathcal {A}^{(I)}$ that wins in $\textsf{G}_4$, then we construct a PPT algorithm $\mathcal {B}^{(I)}$ to solve the SIS problem.

Algorithm $\mathcal {B}^{(I)}$. Given an SIS instance $\textbf{A}\in \mathbb {Z}_q^{n\times m}$, $\mathcal {B}^{(I)}$ aims to obtain a non-zero short vector $\textbf{v}\in \mathbb {Z}_q^m$ s.t. $\textbf{A}\textbf{v}=0^n$. It proceeds as follows.

0.
The algorithm $\mathcal {B}^{(I)}$ initializes sets $\mathcal {Q}_{\textsf{Adapt}}:=\emptyset $ and $\mathcal {Q}_{r}:=\emptyset $.
1.
During the setup phase, the challenger $\mathcal {B}^{(I)}$ proceeds as follows.
- Generate $pp_{\textsf{prf}}\leftarrow \textsf{PRF}.\textsf{Setup}(1^\kappa )$ and sample $\textbf{k}\xleftarrow {\mathsf {\$}}\{0,1\}^k$.
- Sample $\textbf{R}_i\xleftarrow {\mathsf {\$}}\{\pm 1\}^{m\times w}$ and set $\textbf{A}_i:=\textbf{A}\textbf{R}_i+k_i\textbf{G}$ for $i\in [k]$. Sample $\hat{\textbf{R}}_i\xleftarrow {\mathsf {\$}}\{\pm 1\}^{m\times w}$ and set $\hat{\textbf{A}}_i:=\textbf{A}\hat{\textbf{R}}_i$ for $i\in [h]$. (Note that $\textbf{A}$ is the SIS instance.)
- Send $pp=(pp_{\textsf{prf}},\textbf{A},\{\textbf{A}_i\}_{i\in [k]},\{\hat{\textbf{A}}_i\}_{i\in [h]})$ to $\mathcal {A}^{(I)}$.
2.
Upon an adaptation query $(\tau ,\textbf{h},\textbf{m},r,\textbf{m}')$ from $\mathcal {A}^{(I)}$, $\mathcal {B}^{(I)}$ proceeds as follows.
- If $\exists ~(\tau ,\textbf{h}'',\textbf{m})\in \mathcal {Q}_{\textsf{Adapt}}\wedge \textbf{h}''\ne \textbf{h}$, or $\exists ~ (\tau ,\cdot ,\textbf{m}')\in \mathcal {Q}_{\textsf{Adapt}}$, or $\textsf{Check}(\tau ,$ $\textbf{h},\textbf{m},r)=0$ holds, return $\bot $; otherwise, continue.
- Sample $\textbf{z}'\xleftarrow {\mathsf {\$}}\{0,1\}^\kappa $ and set $\textbf{x}':=\tau \Vert \textbf{m}'\Vert \textbf{z}'$.
- Compute $\textbf{y}'\leftarrow \textsf{PRF}(\textbf{k},\textbf{x}')$ and construct $C[\textbf{x}',\textbf{y}']$ as defined by (2).
- $\textbf{S}'_{\textsf{prf}}\leftarrow \textsf{Eval}_{prv}(C[\textbf{x}',\textbf{y}'](\cdot ),\textbf{A},\textbf{k},\{\textbf{R}_i\}_{i\in [k]})$ and $\textbf{P}'_{\textsf{prf}}:=\sum _{i\in [h]}m'_i\hat{\textbf{R}}_i$.
- Set $\textbf{R}'_{\textsf{prf}}:=\textbf{S}'_{\textsf{prf}}+\textbf{P}'_{\textsf{prf}}$ and $\textbf{A}'_{\textsf{prf}}:=\textbf{A}\textbf{R}'_{\textsf{prf}}+\textbf{G}$. Generate $\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}}\leftarrow \textsf{GtoBasis}(\textbf{R}'_{\textsf{prf}})$.
- $\textbf{e}'=(\textbf{e}'_1,\textbf{e}'_2)\leftarrow \textsf{SamplePre}([\textbf{A}|\textbf{A}'_{\textsf{prf}}],\textbf{T}_{\textbf{A}|\textbf{A}'_{\textsf{prf}}},\textbf{h},\gamma )$ s.t. $\textbf{e}'_2\ne 0^{w}$.
- Send $r':=(\textbf{z}',\textbf{y}',\textbf{e}')$ to $\mathcal {A}^{(I)}$. Set $\mathcal {Q}_{\textsf{Adapt}}:=\mathcal {Q}_{\textsf{Adapt}}\cup \{(\tau ,\textbf{h},\textbf{m}),(\tau ,\textbf{h},\textbf{m}')\}$ and $\mathcal {Q}_{r}:=\mathcal {Q}_{r}\cup \{(\tau ,\textbf{h},\textbf{m},r),(\tau ,\textbf{h},\textbf{m}',r')\}$.
3.
Upon a forgery tuple $(\tau ^*,\textbf{h}^*,\textbf{m}^*,r^*,\textbf{m}^{\prime *},r^{\prime *})$, if $\mathcal {A}^{(I)}$ wins, it holds that $\textbf{m}^*\ne \textbf{m}^{\prime *}$, $\textsf{Check}(\tau ^*,\textbf{h}^*,\textbf{m}^*,r^*)=\textsf{Check}(\tau ^*,$ $\textbf{h}^*,\textbf{m}^{\prime *},r^{\prime *})=1$ and $(\tau ^*,\cdot ,\textbf{m}^*)\notin \mathcal {Q}_{\textsf{Adapt}}\wedge (\tau ^*,\textbf{h}^*,\textbf{m}^{\prime *})\in \mathcal {Q}_{\textsf{Adapt}}$. Find $(\tau ^*,\textbf{h}^*,\bar{\textbf{m}})\in \mathcal {Q}_{\textsf{Adapt}}$ s.t. $(\tau ^*,\textbf{h}^*,\bar{\textbf{m}},\bar{r})\in \mathcal {Q}_r$, $\textsf{Check}(\tau ^*,\textbf{h}^*,\bar{\textbf{m}},\bar{r})=1$ and $\bar{\textbf{m}}$ is never queried to $\mathcal {O}_{\textsf{Adapt}}$ as the adapted message w.r.t. tag $\tau ^*$. Then $\mathcal {B}^{(I)}$ computes a SIS solution as follows.
- Parse $\bar{r}=(\bar{\textbf{z}},\bar{\textbf{y}},\bar{\textbf{e}})$ and $r^*=(\textbf{z}^*,\textbf{y}^*,\textbf{e}^*)$.
- Set $\bar{\textbf{x}}:=\tau ^*\Vert \bar{\textbf{m}}\Vert \bar{\textbf{z}}$ and $\textbf{x}^*:=\tau ^*\Vert \textbf{m}^*\Vert \textbf{z}^*$. Construct $C[\bar{\textbf{x}},\bar{\textbf{y}}]$ and $C[\textbf{x}^*,\textbf{y}^*]$.
- $\bar{\textbf{C}}_{\textsf{prf}}\leftarrow \textsf{Eval}_{pub}(C[\bar{\textbf{x}},\bar{\textbf{y}}](\cdot ),\textbf{A},\{\textbf{A}_i\}_{i\in [k]})$ and $\bar{\textbf{B}}_{\textsf{prf}}:=\sum _{i\in [h]}\bar{m}_i\hat{\textbf{A}}_i$.
- $\bar{\textbf{S}}_{\textsf{prf}}\leftarrow \textsf{Eval}_{prv}(C[\bar{\textbf{x}},\bar{\textbf{y}}](\cdot ),\textbf{A},\textbf{k},\{\textbf{R}_i\}_{i\in [k]})$ and $\bar{\textbf{P}}_{\textsf{prf}}:=\sum _{i\in [h]}\bar{m}_i\hat{\textbf{R}}_i$.
- Set $\bar{\textbf{A}}_{\textsf{prf}}:=\bar{\textbf{C}}_{\textsf{prf}}+\bar{\textbf{B}}_{\textsf{prf}}$ and $\bar{\textbf{R}}_{\textsf{prf}}:=\bar{\textbf{S}}_{\textsf{prf}}+\bar{\textbf{P}}_{\textsf{prf}}$.
- $\textbf{C}^*_{\textsf{prf}}\leftarrow \textsf{Eval}_{pub}(C[\textbf{x}^*,\textbf{y}^*](\cdot ),\textbf{A},\{\textbf{A}_i\}_{i\in [k]})$ and $\textbf{B}^*_{\textsf{prf}}:=\sum _{i\in [h]}m^*_i\hat{\textbf{A}}_i$.
- $\textbf{S}^*_{\textsf{prf}}\leftarrow \textsf{Eval}_{prv}(C[\textbf{x}^*,\textbf{y}^*](\cdot ),\textbf{A},\textbf{k},\{\textbf{R}_i\}_{i\in [k]})$ and $\textbf{P}_{\textsf{prf}}^*:=\sum _{i\in [h]}m_i^*\hat{\textbf{R}}_i$.
- Set $\textbf{A}^*_{\textsf{prf}}:=\textbf{C}^*_{\textsf{prf}}+\textbf{B}^*_{\textsf{prf}}$ and $\textbf{R}_{\textsf{prf}}^*:=\textbf{S}^*_{\textsf{prf}}+\textbf{P}_{\textsf{prf}}^*$.
- Compute and return $\textbf{v}:=[\textbf{I}_m|\textbf{R}^*_{\textsf{prf}}] \cdot \textbf{e}^*-[\textbf{I}_m|\bar{\textbf{R}}_{\textsf{prf}}] \cdot \bar{\textbf{e}}$ to its own challenger.

We show the existence of tuple $(\tau ^*,\textbf{h}^*,\bar{\textbf{m}})\in \mathcal {Q}_{\textsf{Adapt}}$ in step 3. The adversary may issue multiple adaptation queries centered around $(\tau ^*, \textbf{h}^*)$, but there must be a root tuple $(\tau ^*,\textbf{h}^*,\bar{\textbf{m}}, \bar{\textbf{r}})$ such that all other tuples $(\tau ^*,\textbf{h}^*,\cdot , \cdot )$ are adapted from it directly or indirectly. According to the specification of $\mathcal {O}_{\textsf{Adapt}}$, all the target new messages w.r.t. $\tau ^*$ are different from the root message $\bar{\textbf{m}}$. Consequently, tuple $(\tau ^*,\textbf{h}^*,\bar{\textbf{m}}, \bar{\textbf{r}})$ satisfies $(\tau ^*,\textbf{h}^*,\bar{\textbf{m}},\bar{r})\in \mathcal {Q}_{r}$, $\textsf{Check}(\tau ^*,\textbf{h}^*,\bar{\textbf{m}},\bar{r})=1$ and $\bar{\textbf{m}}$ is never queried to $\mathcal {O}_{\textsf{Adapt}}$ as the adapted message w.r.t. $\tau ^*$.

Next we show that $\textbf{v}$ is a valid solution to the SIS problem. Note that $(\tau ^*,\cdot ,\textbf{m}^*)\notin \mathcal {Q}_{\textsf{Adapt}}$ is never queried to the adaptation oracle, then nothing about $\textsf{PRF}(\textbf{k},\textbf{x}^*)$ with $\textbf{x}^*=\tau ^*\Vert \textbf{m}^*\Vert \textbf{z}^*$ is revealed to $\mathcal {A}^{(I)}$. For $\textbf{y}^*$ chosen by $\mathcal {A}^{(I)}$, $\textbf{y}^*=\textsf{PRF}(\textbf{k},\textbf{x}^*)$ hardly holds due to the pseudorandomness of $\textsf{PRF}$. Then with overwhelming probability, $C[\textbf{x}^*,\textbf{y}^*](\textbf{k})=0$ and

$$\begin{aligned} \textbf{A}^*_{\textsf{prf}}=\textbf{A}\textbf{R}^*_{\textsf{prf}}+C[\textbf{x}^*,\textbf{y}^*](\textbf{k})\cdot \textbf{G}=\textbf{A}\textbf{R}^*_{\textsf{prf}}+0\cdot \textbf{G}=\textbf{A}\textbf{R}^*_{\textsf{prf}}. \end{aligned}$$

Besides, since $(\tau ^*,\textbf{h}^*,\bar{\textbf{m}})\in \mathcal {Q}_{\textsf{Adapt}}$ and $\bar{\textbf{m}}$ is never queried to $\mathcal {Q}_{\textsf{Adapt}}$ as a target new message under tag $\tau ^*$ before, we know that $(\tau ^*,\textbf{h}^*,\bar{\textbf{m}},\bar{r})$ is generated by $\mathcal {A}^{(I)}$ itself and $\textsf{PRF}(\textbf{k},\bar{\textbf{x}})$ with $\bar{\textbf{x}}=\tau ^*\Vert \bar{\textbf{m}}\Vert \bar{\textbf{z}}$ is never obtained by $\mathcal {A}^{(I)}$. Through an analogous analysis, we know that with overwhelming probability,

$$\begin{aligned} \bar{\textbf{A}}_{\textsf{prf}}=\textbf{A}\bar{\textbf{R}}_{\textsf{prf}}+C[\bar{\textbf{x}},\bar{\textbf{y}}](\textbf{k})\cdot \textbf{G}=\textbf{A}\bar{\textbf{R}}_{\textsf{prf}}+0\cdot \textbf{G}=\textbf{A}\bar{\textbf{R}}_{\textsf{prf}}. \end{aligned}$$

Furthermore, since $\textsf{Check}(\tau ^*,\textbf{h}^*,\textbf{m}^*,r^*)=\textsf{Check}(\tau ^*,\textbf{h}^*,\bar{\textbf{m}},\bar{r})=1$, we have

$$\begin{aligned}{}[\textbf{A}|\textbf{A}_{\textsf{prf}}^*]\cdot \textbf{e}^*=\textbf{h}^*=[\textbf{A}|\bar{\textbf{A}}_{\textsf{prf}}]\cdot \bar{\textbf{e}}~\Leftrightarrow ~&[\textbf{A}|\textbf{A}\textbf{R}^*_{\textsf{prf}}]\cdot \textbf{e}^*-[\textbf{A}|\textbf{A}\bar{\textbf{R}}_{\textsf{prf}}]\cdot \bar{\textbf{e}}=0^n\\ \Leftrightarrow ~&\textbf{A}\underbrace{([\textbf{I}_m|\textbf{R}^*_{\textsf{prf}}]\cdot \textbf{e}^*-[\textbf{I}_m|\bar{\textbf{R}}_{\textsf{prf}}]\cdot \bar{\textbf{e}})}_{=:\textbf{v}\in \mathbb {Z}_q^{m}}=0^n, \end{aligned}$$

where $\textbf{e}^*=(\textbf{e}^*_1,\textbf{e}^*_2)$, $\Vert \textbf{e}^*\Vert \le \gamma \sqrt{m+w}$, $\textbf{e}_2^*\ne 0^w$, $\bar{\textbf{e}}=(\bar{\textbf{e}}_1,\bar{\textbf{e}}_2)$, $\Vert \bar{\textbf{e}}\Vert \le \gamma \sqrt{m+w}$ and $\bar{\textbf{e}}_2\ne 0^w$. Together with our parameter setting that $\gamma \cdot O(\kappa ^c)\cdot \sqrt{m+w}\le \beta $, we have $\Vert \textbf{v}\Vert \le O(\kappa ^c)\cdot \gamma \sqrt{m+w}\le \beta $ for some constant c.

It remains to show that $\textbf{v}=([\textbf{I}_m|\textbf{R}^*_{\textsf{prf}}]\cdot \textbf{e}^*-[\textbf{I}_m|\bar{\textbf{R}}_{\textsf{prf}}]\cdot \bar{\textbf{e}})\ne 0^m$. Denote by $\textbf{r}_i^*$ (resp., $\bar{\textbf{r}}_i$, $\textbf{s}_i^*$, $\textbf{p}_i^*$ and $\{\hat{\textbf{r}}_{j,i}\}_{j\in [h]}$) the i-th column of $\textbf{R}^*_{\textsf{prf}}$ (resp., $\bar{\textbf{R}}_{\textsf{prf}}$, $\textbf{S}^*_{\textsf{prf}}$, $\textbf{P}^*_{\textsf{prf}}$ and $\{\hat{\textbf{R}}_j\}_{j\in [h]}$), and $e^*_{2,i}$ the i-th item of $\textbf{e}_2^*$. Recall that $\textbf{r}^*_i=\textbf{s}_i^*+\textbf{p}^*_i=\textbf{s}_i^*+\sum _{j\in [h]}m_j^*\hat{\textbf{r}}_{j,i}$. Since $(\tau ^*,\cdot ,\textbf{m}^*)\notin \mathcal {Q}_{\textsf{Adapt}}$ and $(\tau ^*,\textbf{h}^*,\bar{\textbf{m}})\in \mathcal {Q}_{\textsf{Adapt}}$, we know that $\bar{\textbf{m}}\ne \textbf{m}^*$ and hence there must exist some index $\iota \in [h]$ s.t. $\bar{m}_\iota \ne m^*_\iota $. W.l.o.g., let $\bar{m}_\iota =0$ and $m^*_\iota =1$. Besides, since $\textbf{e}^*_2\ne 0^w$, there must exist some index $\nu \in [w]$ s.t. $e^*_{2,\nu }\ne 0$. Now we show that $\textbf{v}=0^m$ holds with negligible probability. Note that

$$\begin{aligned} \textbf{v}&=\textbf{e}_1^*+\textbf{R}_{\textsf{prf}}^*\textbf{e}_2^*-\bar{\textbf{e}}_1-\bar{\textbf{R}}_{\textsf{prf}}\bar{\textbf{e}}_2=0^m\nonumber \\ \Leftrightarrow ~\hat{\textbf{r}}_{\iota ,\nu }&=\underbrace{(\bar{\textbf{e}}_1+\bar{\textbf{R}}_{\textsf{prf}}\bar{\textbf{e}}_2-\textbf{e}_1^*-\sum \nolimits _{i\ne \nu }\textbf{r}^*_i e^*_{2,i})/e_{2,\nu }^*-\textbf{s}_{\nu }^*-\sum \nolimits _{j\ne \iota }m_j^*\hat{\textbf{r}}_{j,\nu }}_{=:W}. \end{aligned}$$

(3)

Recall that $\hat{\textbf{r}}_{\iota ,\nu }$ is sampled uniformly from $\{1, -1\}^m$ and the only information of $\hat{\textbf{r}}_{\iota ,\nu }$ revealed to $\mathcal {A}^{(I)}$ is $\textbf{u}=\textbf{A}\hat{\textbf{r}}_{\iota ,\nu }\in \mathbb {Z}_q^n$. Together with Lemma 1 and the parameter setting that $m\ge O(n\log q)$, $\tilde{\textbf{H}}_{\infty }(\hat{\textbf{r}}_{\iota ,\nu }|\textbf{u})\ge \textbf{H}_{\infty }(\hat{\textbf{r}}_{\iota ,\nu })-n\log q=m-n\log q\ge \kappa $ and $\hat{\textbf{r}}_{\iota ,\nu }$ still has high entropy. Further since “W” in Eq. (3) is independent of $\hat{\textbf{r}}_{\iota ,\nu }$, we have $\hat{\textbf{r}}_{\iota ,\nu }=W$ with probability $2^{-\kappa }$. Then Eq. (3) holds with a negligible probability and $\textbf{v}=0^m$ holds with negligible probability.

Now we have proved that $\textbf{v}$ is a valid solution for SIS and $\Pr [\textsf{G}_{4}\Rightarrow 1|\mathcal {A}^{(I)}]\le \textsf{Adv}^{pse}_{\textsf{PRF}}(\kappa )+\textsf{Adv}_{[n,q,\beta ,m]}^{\textsf{SIS}}(\kappa )+2^{-\kappa }$.

Next, we prove that if there exists a PPT $\mathcal {A}^{(II)}$ that wins in $\textsf{G}_4$, then we construct a PPT algorithm $\mathcal {B}^{(II)}$ to solve the SIS problem. The algorithm $\mathcal {B}^{(II)}$ is similar to $\mathcal {B}^{(I)}$ except for the step 3, as described below.

3.
Upon a forgery tuple $(\tau ^*,\textbf{h}^*,\textbf{m}^*,r^*,\textbf{m}^{\prime *},r^{\prime *})$, if $\mathcal {A}^{(II)}$ wins, it holds that $\textbf{m}^*\ne \textbf{m}^{\prime *}$, $\textsf{Check}(\tau ^*,\textbf{h}^*,\textbf{m}^*,r^*)=\textsf{Check}(\tau ^*,$ $\textbf{h}^*,\textbf{m}^{\prime *},r^{\prime *})=1$ and $(\tau ^*,\cdot ,\textbf{m}^*)\notin \mathcal {Q}_{\textsf{Adapt}}\wedge (\tau ^*,\cdot ,\textbf{m}^{\prime *})\notin \mathcal {Q}_{\textsf{Adapt}}$. Then $\mathcal {B}^{(II)}$ computes a SIS solution as follows.
- Parse $r^*=(\textbf{z}^*,\textbf{y}^*,\textbf{e}^*)$ and $r^{\prime *}=(\textbf{z}^{\prime *},\textbf{y}^{\prime *},\textbf{e}^{\prime *})$. Set $\textbf{x}^*:=\tau ^*\Vert \textbf{m}^*\Vert \textbf{z}^*$ and $\textbf{x}^{\prime *}:=\tau ^*\Vert \textbf{m}^{\prime *}\Vert \textbf{z}^{\prime *}$. Construct $C[\textbf{x}^*,\textbf{y}^*]$ and $C[\textbf{x}^{\prime *},\textbf{y}^{\prime *}]$.
- $\textbf{C}^*_{\textsf{prf}}\leftarrow \textsf{Eval}_{pub}(C[\textbf{x}^*,\textbf{y}^*](\cdot ),\textbf{A},\{\textbf{A}_i\}_{i\in [k]})$ and $\textbf{B}^*_{\textsf{prf}}:=\sum _{i\in [h]}m^*_i\hat{\textbf{A}}_i$.
- $\textbf{S}^*_{\textsf{prf}}\leftarrow \textsf{Eval}_{prv}(C[\textbf{x}^*,\textbf{y}^*](\cdot ),\textbf{A},\textbf{k},\{\textbf{R}_i\}_{i\in [k]})$ and $\textbf{P}_{\textsf{prf}}^*:=\sum _{i\in [h]}m_i^*\hat{\textbf{R}}_i$.
- Set $\textbf{A}^*_{\textsf{prf}}:=\textbf{C}^*_{\textsf{prf}}+\textbf{B}^*_{\textsf{prf}}$ and $\textbf{R}_{\textsf{prf}}^*:=\textbf{S}^*_{\textsf{prf}}+\textbf{P}_{\textsf{prf}}^*$.
- $\textbf{C}^{\prime *}_{\textsf{prf}}\leftarrow \textsf{Eval}_{pub}(C[\textbf{x}^{\prime *},\textbf{y}^{\prime *}](\cdot ),\textbf{A},\{\textbf{A}_i\}_{i\in [k]})$ and $\textbf{B}^{\prime *}_{\textsf{prf}}:=\sum _{i\in [h]}m^{\prime *}_i\hat{\textbf{A}}_i$.
- $\textbf{S}^{\prime *}_{\textsf{prf}}\leftarrow \textsf{Eval}_{prv}(C[\textbf{x}^{\prime *},\textbf{y}^{\prime *}](\cdot ),\textbf{A},\textbf{k},\{\textbf{R}_i\}_{i\in [k]})$ and $\textbf{P}_{\textsf{prf}}^{\prime *}:=\sum _{i\in [h]}m_i^{\prime *}\hat{\textbf{R}}_i$.
- Set $\textbf{A}^{\prime *}_{\textsf{prf}}:=\textbf{C}^{\prime *}_{\textsf{prf}}+\textbf{B}^{\prime *}_{\textsf{prf}}$ and $\textbf{R}_{\textsf{prf}}^{\prime *}:=\textbf{S}^{\prime *}_{\textsf{prf}}+\textbf{P}_{\textsf{prf}}^{\prime *}$.
- Compute and return $\textbf{v}:=[\textbf{I}_m|\textbf{R}^*_{\textsf{prf}}]\cdot \textbf{e}^*-[\textbf{I}_m|\textbf{R}^{\prime *}_{\textsf{prf}}]\cdot \textbf{e}^{\prime *}$ to its challenger.

Then we show that $\textbf{v}$ is a valid solution to the SIS problem. Note that $(\tau ^*,\cdot ,\textbf{m}^*)\notin \mathcal {Q}_{\textsf{Adapt}}$ and $(\tau ^*,\cdot ,\textbf{m}^{\prime *})\notin \mathcal {Q}_{\textsf{Adapt}}$ are not queried to the adaptation oracle, so nothing about $\textsf{PRF}(\textbf{k},\textbf{x}^*)$ and $\textsf{PRF}(\textbf{k},\textbf{x}^{\prime *})$ with $\textbf{x}^*=\tau ^*\Vert \textbf{m}^*\Vert \textbf{z}^*$ and $\textbf{x}^{\prime *}=\tau ^*\Vert \textbf{m}^{\prime *}\Vert \textbf{z}^{\prime *}$, has ever been revealed to $\mathcal {A}^{(II)}$, and hence $\textsf{PRF}(\textbf{k},\textbf{x}^*)$ and $\textsf{PRF}(\textbf{k},\textbf{x}^{\prime *})$ are pseudorandom due to the pseudorandomness of $\textsf{PRF}$. As a consequence, neither $\textbf{y}^*=\textsf{PRF}(\textbf{k},\textbf{x}^*)$ nor $\textbf{y}^{\prime *}=\textsf{PRF}(\textbf{k},\textbf{x}^{\prime *})$ holds except for negligible probability, where $\textbf{y}^*$ and $\textbf{y}^{\prime *}$ are chosen by $\mathcal {A}^{(II)}$, and this leads to $C[\textbf{x}^*,\textbf{y}^*](\textbf{k})=0$ and $C[\textbf{x}^{\prime *},\textbf{y}^{\prime *}](\textbf{k})=0$. Therefore,

$$\begin{aligned} \textbf{A}^*_{\textsf{prf}}&=\textbf{A}\textbf{R}^*_{\textsf{prf}}+C[\textbf{x}^*,\textbf{y}^*](\textbf{k})\cdot \textbf{G}=\textbf{A}\textbf{R}^*_{\textsf{prf}}+0\cdot \textbf{G}=\textbf{A}\textbf{R}^*_{\textsf{prf}}\\ \textbf{A}^{\prime *}_{\textsf{prf}}&=\textbf{A}\textbf{R}^{\prime *}_{\textsf{prf}}+C[\textbf{x}^{\prime *},\textbf{y}^{\prime *}](\textbf{k})\cdot \textbf{G}=\textbf{A}\textbf{R}^{\prime *}_{\textsf{prf}}+0\cdot \textbf{G}=\textbf{A}\textbf{R}^{\prime *}_{\textsf{prf}}. \end{aligned}$$

Through an analogous analysis as before, $\textbf{v}:=[\textbf{I}_m|\textbf{R}^*_{\textsf{prf}}]\cdot \textbf{e}^*-[\textbf{I}_m|\textbf{R}_{\textsf{prf}}^{\prime *}]\cdot \textbf{e}^{\prime *}$ is a valid SIS solution with overwhelming probability. Now we obtain $\Pr [\textsf{G}_{4}\Rightarrow 1|\mathcal {A}^{(II)}]\le \textsf{Adv}^{pse}_{\textsf{PRF}}(\kappa )+\textsf{Adv}_{[n,q,\beta ,m]}^{\textsf{SIS}}(\kappa )+2^{-\kappa }$. $\square $

From Lemma 14, we have

$$\begin{aligned} \Pr [\textsf{G}_4\Rightarrow 1]&=\Pr [\textsf{G}_{4}\Rightarrow 1|\mathcal {A}^{(I)}]\Pr [\mathcal {A}^{(I)}]+\Pr [\textsf{G}_{4}\Rightarrow 1|\mathcal {A}^{(II)}]\Pr [\mathcal {A}^{(II)}]\nonumber \\ &\le \textsf{Adv}^{pse}_{\textsf{PRF}}(\kappa )+\textsf{Adv}^{\textsf{SIS}}_{[n,q,\beta ,m]}(\kappa )+2^{-O(\kappa )}. \end{aligned}$$

(4)

Finally combining Lemmas 10, 11, 12, 13 and (4), it holds that

$$\begin{aligned} & \quad \Pr [\textsf{Exp}_{\textsf{tCH},\mathcal {A}}^{rcr}(\kappa )\Rightarrow 1]\nonumber \\ &\le \big |\Pr [\textsf{G}_0\Rightarrow 1]-\Pr [\textsf{G}_1\Rightarrow 1]\big |+\big |\Pr [\textsf{G}_1\Rightarrow 1]-\Pr [\textsf{G}_2\Rightarrow 1]\big |\nonumber \\ & \quad +\big |\Pr [\textsf{G}_2\Rightarrow 1]-\Pr [\textsf{G}_3\Rightarrow 1]\big |+|\Pr [\textsf{G}_3\Rightarrow 1]-\Pr [\textsf{G}_4\Rightarrow 1]|+\Pr [\textsf{G}_4\Rightarrow 1]\nonumber \\ &\le \textsf{Adv}_{[n,q,\beta ,m]}^{\textsf{SIS}}(\kappa )+2\textsf{Adv}_{\textsf{PRF}}^{pse}(\kappa )+2^{-O(\kappa )}. \end{aligned}$$

(5)

By (5), it is easy to see that the $\text {r-CR}$ security of $\textsf{tCH}$ can be tightly reduced to the SIS assumption and the pseudorandomness of $\textsf{PRF}$. Given the concrete PRF schemes [5], our $\textsf{tCH}$ enjoys $\text {r-CR}$ based on the SIS and LWE assumptions. $\blacksquare $

4.2 tCH with Tight Security in ROM

In this subsection, we provide another lattice-based tCH construction, namely $\textsf{tCH}'$, with $\text {r-CR}$ security proved in the random oracle model. Compared with $\textsf{tCH}$ in Fig. 4, our second tCH construction replaces the underlying homomorphic evaluations and PRF with a hash function (which is modeled as a random oracle), and hence achieves better efficiency and tightness. Let $\textsf{H}:\mathbb {Z}_q^{n\times m}\times \{0,1\}^x\rightarrow \mathbb {Z}_q^{n\times w}$ be a hash function. Our tCH scheme $\textsf{tCH}'$ is given in Fig. 5.

Parameter setting. Parameters of $\textsf{tCH}'$ include the security parameter $\kappa $, the dimension parameters x, t, h, the SIS parameters $n,m,q,\beta $ and the Gaussian parameter $\gamma $. Define $w=n\lceil \log q\rceil $. The afore-mentioned parameters are required to satisfy the following restrictions simultaneously.

Let $x,t,h=\textsf{poly}(\kappa )$ be positive integers and $x=t+h+\kappa $.
Let $n,q,m, \beta $ be positive parameters, $n,m,\beta ,q=\textsf{poly}(\kappa )$ and $\beta \cdot \textsf{poly}(n)\le q$ so that the SIS problem is hard according to Lemma 9.
Let $\gamma \ge \omega (\sqrt{m(m+w)})$ so that Lemma 4 can be applied.
Let $m=O(n\log q)$ and $2\gamma \sqrt{m(m+w)}\le \beta $ to serve for our security proof.

Theorem 3

Let $\textsf{H}:\mathbb {Z}_q^{n\times m}\times \{0,1\}^x\rightarrow \mathbb {Z}_q^{n\times w}$ be a hash function modeled as a random oracle. Given parameters described above, construction $\textsf{tCH}'$ in Fig. 5 is a tagged chameleon hash if the $\textsf{SIS}_{n,q,\beta ,m}$ assumption holds. Furthermore, restricted collision resistance of $\textsf{tCH}'$ enjoys tight security:

$$\begin{aligned} \Pr [\textsf{Exp}_{\textsf{tCH}',\mathcal {A}}^{rcr}(\kappa )\Rightarrow 1] \le \textsf{Adv}_{[n,q,\beta ,m]}^{\textsf{SIS}}(\kappa )+2^{-O(\kappa )}. \end{aligned}$$

The correctness of $\textsf{tCH}'$ follows directly from Lemma 5 (trapdoor delegation) and Lemma 4 (preimage sampling). Proofs of statistical indistinguishability and restricted collision resistance for $\textsf{tCH}'$ are similar to those for $\textsf{tCH}$, and we provide them in our full version [26].

5 Application of tCH to the Redactable Blockchain

In this section, we show how to apply our tCH in constructing redactable blockchain. In Subsect. 5.1, we introduce some notations of a redactable blockchain. In Subsect. 5.2, we show how to redact a blockchain with a tCH. In Subsect. 5.3, we provide a security analysis of our redactable blockchain.

5.1 Redactable Blockchain

We follow notations of blockchain and redactable blockchain introduced in [3, 18]. According to [3], a redactable block uses two hash functions, one is a cryptographic hash and the other is a chameleon hash. Now we replace the chameleon hash with our tCH, and additionally introduce a unique identifier (like the timestamp, previous hash or position of the block in the chain) into each block to serve as the “tag $\tau $” of tCH. See Fig. 6 for a pictorial presentation.

Let $\textsf{H}:\{0,1\}^*\rightarrow \mathbb {N}$ be a cryptographic hash function and $\textsf{tCH}=(\textsf{Setup},\textsf{Hash},$ $\textsf{Adapt},\textsf{Check})$ be a tCH. In a redactable blockchain, each block B is of the form

$$\begin{aligned} B=\big \langle nonce,\tau ,\underbrace{s,tr}_{m},(h,r) \big \rangle , \end{aligned}$$

where $nonce\in \mathbb {N}$ denotes the nonce value, $\tau \in \{0,1\}^t$ denotes a unique identifier, $s\in \mathbb {N}$ is a hash value computed by $\textsf{H}$, $tr\in \{0,1\}^x$ denotes the information stored in a block, (h, r) is a hash-randomness pair computed by $\textsf{Hash}$ from $m:=(s\Vert tr)\in \{0,1\}^h$ w.r.t. $\tau $, i.e., $(h,r)\leftarrow \textsf{Hash}(\tau ,m)$. We say that a block B is valid if $\textsf{ValidRB}_q^D(B)=1$ with

$$\begin{aligned} \textsf{ValidRB}_q^D(B):=\big (\textsf{H}(nonce\Vert h\Vert \tau )<D\big )\wedge \big (\textsf{Check}(\tau ,h,m,r)=1\big ) \wedge \big (nonce<q\big ), \end{aligned}$$

where $D\in \mathbb {N}$ is the block’s difficulty level and $q\in \mathbb {N}$ denotes the maximum allowed number of hash queries in a round.

A redactable blockchain $\mathcal {C}$ is a sequence of valid blocks. The head of chain $\mathcal {C}$, denoted by $\textsf{head}(\mathcal {C})$, is the rightmost block in it. The length of chain $\mathcal {C}$, denoted by $\textsf{len}(\mathcal {C})$, is the number of blocks contained in it. Let $\mathcal {C}=\varepsilon $ if chain $\mathcal {C}$ is empty.

Any chain $\mathcal {C}'$ with head $\textsf{head}(\mathcal {C}')=\langle nonce',\tau ',s',tr',(h',r') \rangle $ can be extended to a longer one by appending a new valid block $B=\langle nonce,\tau ,s,tr,(h,r) \rangle $ satisfying $s=\textsf{H}(nonce'\Vert h'\Vert \tau ')$, and then the head of the extended chain $\mathcal {C}=\mathcal {C}'\Vert B$ is changed to $\textsf{head}(\mathcal {C})=B$. In case $\mathcal {C}'=\varepsilon $, any valid block B can append to it.

For a chain $\mathcal {C}$ with length $\textsf{len}(\mathcal {C})=n$ and any nonnegative integer $k\le n$, we denote by $\mathcal {C}^{\lceil k}$ the chain resulting from removing the k rightmost blocks of $\mathcal {C}$, and denote by $^{k\rceil }\mathcal {C}$ the chain resulting from removing the k leftmost blocks of $\mathcal {C}$.

5.2 Redacting Blocks

In this subsection, we provide a blockchain redacting algorithm to redact blocks. Let n, k be positive integers s.t. $k\le n$. The algorithm takes as inputs the public parameter and trapdoor of a tagged chameleon hash $\textsf{tCH}$, a blockchain $\mathcal {C}$ of length n, k target indices that represent the positions of blocks in $\mathcal {C}$ to be redacted, and k corresponding adapted messages for blocks to be redacted, and finally returns a redacted blockchain $\mathcal {C}'$. The detailed description is given in Algorithm 1.

5.3 Security Analysis

In this subsection, we provide a security analysis for the resulting redactable blockchain given a tCH with $\text {r-CR}$ security. Note that tCH works in the one-time tag mode in the redactable blockchain since the tCH hash value w.r.t. each settled block is computed with a unique tag and authorized adaptations are made only for those settled blocks. Then $\text {f-CR}$ of tCH is equivalent to $\text {r-CR}$ according to Theorem 1. Therefore, all we need to do is to prove that the redactable blockchain is secure as long as tCH has $\text {f-CR}$ security.

As we described in Subsect. 5.1, each block B in the chain is of the form $B=\langle nonce,\tau ,s,tr,(h,r) \rangle $. For expression simplicity, we only consider the tCH-related parts of each block and briefly write B as $B=\langle \tau , h,m,r \rangle $ (note that $m=s\Vert tr$). Recall that in a redactable blockchain system, the adversary sees all original blocks $B_1,B_2,B_3,\cdots $ and adapted blocks $\{B_1^i\}_{i\in [n_1]},\{B_2^i\}_{i\in [n_2]},\{B_3^i\}_{i\in [n_3]},$ $\cdots $, where each $n_j=\textsf{poly}(\kappa )$ denotes the number of adaptations for block $B_j$. The aim of an adversary is to redact the chain by adapting some block $B_j=\langle \tau _j,h_j,m_j,r_j \rangle $ to a new one $B^*=\langle \tau _j,h_j,m^*,r^* \rangle $, such that $h_j=\textsf{Hash}(\tau _j,m_j;r_j)=\textsf{Hash}(\tau _j,m^*;r^*)$ and $m^*\notin \{m_j\}\cup \{m_j^{i}\}_{i\in [n_j]}$ w.r.t. those $B_j$ and $\{B_j^i\}_{i\in [n_j]}$.

We show that if there exists an adversary $\mathcal {A}$ performing the above attack successfully, then we can break the full collision resistance of tCH. If $\mathcal {A}$ wins, it must hold that $h_j=\textsf{Hash}(\tau _j,m_j;r_j)=\textsf{Hash}(\tau _j,m^*;r^*)$ and $m^*$ is fresh w.r.t. $(\tau _j,h_j)$. In this case, we find a tuple $(\tau _j,h_j,m^*,r^*,m_j,r_j)$ s.t. $h_j=\textsf{Hash}(\tau _j,m_j;r_j)=\textsf{Hash}(\tau _j,m^*;r^*)$ and $(\tau _j,h_j,m^*)$ is fresh, and hence break the $\text {f-CR}$ of tCH.

Therefore, the security of the resulting redactable blockchain is reduced to the $\text {f-CR}$ security of tCH. Given the equivalence of $\text {f-CR}$ and $\text {r-CR}$ in the scenario of redactable blockchain, we know that, the redactable blockchain is secure as long as the underlying tCH has $\text {r-CR}$ security.

Finally with Theorems 2 and 3, both our tCHs in Subsect. 4.1 and Subsect. 4.2 can serve as secure compilers converting a conventional blockchain to a redactable one.

Notes

1.
According to [13], $\text {e-CR}$ and $\text {s-CR}$ are incomparable, which means that neither $\text {e-CR}$ implies $\text {s-CR}$ nor $\text {s-CR}$ implies $\text {e-CR}$.
2.
Here, adaptations are only allowed for blocks considered to be settled in the redact-able blockchain system.

References

Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Chapter Google Scholar
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. In: STACS, pp. 75–86 (2009)
Google Scholar
Ateniese, G., Magri, B., Venturi, D., Andrade, E.R.: Redactable blockchain - or - rewriting history in bitcoin and friends. In: EuroS &P, pp. 111–126 (2017)
Google Scholar
Ateniese, G., de Medeiros, B.: On the key exposure problem in chameleon hashes. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 165–179. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30598-9_12
Chapter Google Scholar
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42
Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Chapter Google Scholar
Boyen, X., Li, Q.: Towards tightly secure lattice short signature and ID-based encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 404–434. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_14
Chapter Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: ITCS (2014). https://doi.org/10.1145/2554797.2554799
Camenisch, J., Derler, D., Krenn, S., Pöhls, H.C., Samelin, K., Slamanig, D.: Chameleon-hashes with ephemeral trapdoors – and applications to invisible sanitizable signatures. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 152–182. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_6
Chapter Google Scholar
Chen, X., Tian, H., Zhang, F., Ding, Y.: Comments and improvements on key-exposure free chameleon hashing based on factoring. In: Lai, X., Yung, M., Lin, D. (eds.) Inscrypt 2010. LNCS, vol. 6584, pp. 415–426. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21518-6_29
Chapter Google Scholar
Chen, X., Zhang, F., Kim, K.: Chameleon hashing without key exposure. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 87–98. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30144-8_8
Chapter Google Scholar
Derler, D., Krenn, S., Samelin, K., Slamanig, D.: Fully collision-resistant chameleon-hashes from simpler and post-quantum assumptions. In: Galdi, C., Kolesnikov, V. (eds.) SCN 2020. LNCS, vol. 12238, pp. 427–447. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57990-6_21
Chapter Google Scholar
Derler, D., Samelin, K., Slamanig, D.: Bringing order to chaos: the case of collision-resistant chameleon-hashes. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 462–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_16
Chapter Google Scholar
Deuber, D., Magri, B., Thyagarajan, S.A.K.: Redactable blockchain in the permissionless setting. In: IEEE Symposium on Security and Privacy, pp. 124–138 (2019). https://doi.org/10.1109/SP.2019.00039
Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_31
Chapter Google Scholar
Dorri, A., Kanhere, S.S., Jurdak, R.: MOF-BC: a memory optimized and flexible blockchain for large scale networks. Future Gener. Comput. Syst. 92, 357–373 (2019). https://doi.org/10.1016/J.FUTURE.2018.10.002
Article Google Scholar
Florian, M., Henningsen, S.A., Beaucamp, S., Scheuermann, B.: Erasing data from blockchain nodes. In: EuroS &P. pp. 367–376 (2019). https://doi.org/10.1109/EUROSPW.2019.00047
Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10
Chapter Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)
Google Scholar
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Chapter Google Scholar
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS, pp. 464–479. IEEE Computer Society (1984)
Google Scholar
Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. (2) (1988). https://doi.org/10.1137/0217017
Hohenberger, S., Waters, B.: Short and stateless signatures from the RSA assumption. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 654–670. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_38
Chapter Google Scholar
Khalili, M., Dakhilalian, M., Susilo, W.: Efficient chameleon hash functions in the enhanced collision resistant model. Inf. Sci. 155–164 (2020)
Google Scholar
Krawczyk, H., Rabin, T.: Chameleon signatures. In: Proceedings of the Network and Distributed System Security Symposium. NDSS 2000, San Diego, California, USA (2000). https://www.ndss-symposium.org/ndss2000/chameleon-signatures/
Li, Y., Liu, S.: Tagged chameleon hash from lattice and application to redactable blockchain. ePrint (2023). https://eprint.iacr.org/2023/774
Matzutt, R., Kalde, B., Pennekamp, J., Drichel, A., Henze, M., Wehrle, K.: How to securely prune bitcoin’s blockchain. In: IFIP Networking Conference, pp. 298–306 (2020). https://ieeexplore.ieee.org/document/9142720
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Chapter Google Scholar
Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 21–39. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_2
Chapter Google Scholar
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on gaussian measures. In: FOCS. IEEE Computer Society (2004). https://doi.org/10.1109/FOCS.2004.72
Pan, J., Wagner, B.: Short identity-based signatures with tight security from lattices. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021 2021. LNCS, vol. 12841, pp. 360–379. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_19
Chapter Google Scholar
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
Chapter Google Scholar
Peikert, C.: Bonsai trees (or, arboriculture in lattice-based cryptography). IACR Cryptology ePrint Archive (2009). http://eprint.iacr.org/2009/359
Puddu, I., Dmitrienko, A., Capkun, S.: $\mu $chain: how to forget without hard forks. IACR Cryptology ePrint Archive, p. 106 (2017). http://eprint.iacr.org/2017/106
Pyoung, C.K., Baek, S.J.: Blockchain of finite-lifetime blocks with applications to edge-based IoT. IEEE Internet Things J. 7(3), 2102–2116 (2020). https://doi.org/10.1109/JIOT.2019.2959599
Article Google Scholar
Thyagarajan, S.A.K., Bhat, A., Magri, B., Tschudi, D., Kate, A.: Reparo: Publicly verifiable layer to repair blockchains. In: Borisov, N., Diaz, C. (eds.) FC 2021. LNCS, vol. 12675, pp. 37–56. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-662-64331-0_2
Chapter Google Scholar
Tsabary, R.: Fully secure attribute-based encryption for t-CNF from LWE. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 62–85. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_3
Chapter Google Scholar
Wu, C., Ke, L., Du, Y.: Quantum resistant key-exposure free chameleon hash and applications in redactable blockchain. Inf. Sci. 438–449 (2021)
Google Scholar
Zhang, D., Le, J., Lei, X., Xiang, T., Liao, X.: Exploring the redaction mechanisms of mutable blockchains: a comprehensive survey. Int. J. Intell. Syst. 36(9), 5051–5084 (2021). https://doi.org/10.1002/INT.22502
Article Google Scholar

Download references

Acknowledgements

We would like to thank the reviewers for their valuable comments. The authors are partially sponsored by Guangdong Major Project of Basic and Applied Basic Research under Grant No. 2019B030302008, National Natural Science Foundation of China under Grant No. 61925207 and the National Key R &D Program of China under Grant No. 2022YFB2701500.

Author information

Authors and Affiliations

Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, 200240, China
Yiming Li & Shengli Liu
State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China
Yiming Li & Shengli Liu

Authors

Yiming Li
View author publications
You can also search for this author in PubMed Google Scholar
Shengli Liu
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shengli Liu .

Editor information

Editors and Affiliations

The University of Sydney, Sydney, NSW, Australia
Qiang Tang
The Australian National University, Acton, ACT, Australia
Vanessa Teague

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Li, Y., Liu, S. (2024). Tagged Chameleon Hash from Lattices and Application to Redactable Blockchain. In: Tang, Q., Teague, V. (eds) Public-Key Cryptography – PKC 2024. PKC 2024. Lecture Notes in Computer Science, vol 14603. Springer, Cham. https://doi.org/10.1007/978-3-031-57725-3_10

Download citation

DOI: https://doi.org/10.1007/978-3-031-57725-3_10
Published: 14 April 2024
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57724-6
Online ISBN: 978-3-031-57725-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Tagged Chameleon Hash from Lattices and Application to Redactable Blockchain