## 1. Introduction

A blockchain is a distributed database that is used to maintain a continuously growing list of records, called blocks. Each block contains a link to the previous (or the next) block. A blockchain is typically managed by a peer-to-peer network collectively adhering to a protocol for validating new blocks. By design, blockchains are inherently resistant to modification of the data. Once recorded, the data in any given block cannot be altered retroactively without the alteration of all preceding (or subsequent) blocks and a collusion of the network majority.

A blockchain can be either public or private. Usually, when people talk about public blockchains, they mean that anyone can write data. A typical example of a public blockchain is bitcoin. In contrast, a private blockchain network is where the participants are known and trusted: for example, an industry group, or a military unit, or in fact any private network, big or small. In particular, what is now called by a popular name The Internet of things

is a good example of a private network where the blockchain technology could be very useful. The Internet of things (IoT) is the inter-networking of physical devices (also referred to as “smart devices”), e.g. vehicles, or buildings, or other items embedded with electronics, software, sensors, and network connectivity which enable these objects to collect and exchange data. The world of IoT is quickly evolving and growing at an exponential rate. Experts estimate that the IoT will consist of about 30 billion objects by 2020.

Concerns have been raised that the Internet of things is being developed rapidly without appropriate consideration of the profound security challenges involved. Most of the technical security issues are similar to those of conventional servers, workstations and smartphones, but the firewall, security update and anti-malware systems used for those are generally unsuitable for the much smaller, less capable, IoT devices. In particular, computer-controlled devices in vehicles such as brakes, engine, locks, etc., have been shown to be vulnerable to attackers who have access to the on-board network. In some cases, vehicle computer systems are Internet-connected, allowing them to be exploited remotely.

Blockchain technology would provide at least a partial solution to these security problems.

### 1.1. Immutable and redactable blockchains

The role of hash functions in a blockchain is similar to that of page numbering in a book. There is, however, an important difference. With books, predictable page numbers make it easy to know the order of the pages. If you ripped out all the pages and shuffled them, it would be easy to put them back into the correct order where the story makes sense. With blockchains, each block references the previous (or the next) block, not by the block number, but by the block’s hash function (the “fingerprint”), which is smarter than a page number because the fingerprint itself is determined by the contents of the block.

By using a fingerprint instead of a timestamp or a numerical sequence reflecting the block number, one also gets a nice way of validating the data. In any blockchain, you can generate the block fingerprints yourself by using the corresponding hashing algorithm. If the fingerprints are consistent with the data, and the fingerprints join up in a chain, then you can be sure that the blockchain is internally consistent. There are several ways to securely join blocks in a chain. One of the ways is, informally, as follows. Every block has a prefix, which is the hash (or, more generally, a one-way function) of the fingerprint of the previous block . If anyone wants to meddle with any of the data, they would have to regenerate all the fingerprints from that point forwards and the blockchain will look different.

A blockchain is immutable if, once data has been written to a blockchain no one, not even a central authority (e.g. a system administrator), can change it. This provides benefits for audit. As a provider of data you can prove that your data has not been altered, and as a recipient of data you can be sure that the data has not been altered. These benefits are useful for databases of financial transactions, for example.

On the other hand, with a private blockchain, someone with higher privileged access, like a systems administrator, may be able to change the data. So how do we manage the risk of an intruder changing data to his advantage if changing is made easy? The answer to that is provided by redactable blockchains; these should involve hash functions with a trapdoor or, more generally, one-way functions with a trapdoor. Trapdoor hash functions are a highly useful cryptographic primitive; in particular, it allows an authorized party to compute a collision with a given hash value, even though the hash function is second pre-image resistant to those who do not know a trapdoor. This property is therefore very useful in application to private blockchains since it makes it possible for an authorized party but not for an intruder to make changes in a blockchain if needed. We give more details in Section 2.

The need for a blockchain (even a public one!) to be redactable is well explained in [5]: “That permanence has been vital in building trust in the decentralized currencies, which are used by millions of people. But it could severely limit blockchain’s usefulness in other areas of financial services relied on by billions of people. By clashing with new privacy laws like the “right to be forgotten” and by making it nearly impossible to resolve human error and mischief efficiently, the blockchain’s immutability could end up being its own worst enemy.”

## 2. Redactable blockchain structure

Recall that a blockchain is immutable if, once data has been written to a blockchain no one, not even a central authority, can change it. This is achieved by using a hash function to “seal” each individual block, i.e., each block has a fingerprint , and then connecting blocks in a chain by using another hash function (or just a one-way function) , as described in our Section 1.1. That way, the blocks become connected in an immutable blockchain because if somebody tampers with one of the blocks and changes it, he will have to change all blocks going forward (or backward), together with their fingerprints, to preserve consistency of the whole blockchain. This is considered logistically infeasible in most real-life scenarios.

Originally, blockchains were created to support the bitcoin network, which is public. Immutability for such a network is crucial. More recently, as we have pointed out in the Introduction, with the idea of the Internet of Things gaining momentum, private networks (small or large) have taken the center stage, and this creates new challenges. In particular, it is desirable, while preserving the tampering detection property, to allow someone with higher privileged access like a systems administrator or another authority to be able to change the data or erase (“forget”) it [12]. A blockchain that can be changed like that is called redactable.

To make a blockchain redactable, trapdoor hash functions are useful. Trapdoor hash functions have been considered before (see e.g. [14]), but having just any trapdoor hash function is not enough to make a blockchain redactable since the authority who wants to change a block usually wants to change it to a particular block . A way to make a blockchain redactable was first suggested in [1]. Recently, [4] claimed the first efficient redactable public blockchain construction. We also mention chameleon hash functions [9] that were recently used [3], [10] in redactable blockchain constructions.

Our approach is focused on private blockchains. It is quite different from [1], [4] and other methods and is simple and easily implementable. Notably, our method can be used in conjunction with any reasonable hash function that is used to build a blockchain. Public immutability of a blockchain (see Section 3.3) in our construction is based on the computational hardness of the RSA problem and not on properties of the underlying hash function. Corruption resistance (see Section 3.4) is based on the computational hardness of the discrete logarithm problem.

### 2.1. A particular blockchain structure we use

There are several possible structures of a redactable blockchain. Our general method should work with any known structure, but to make an exposition as clear as possible we choose a very simple structure as follows. Each block will be in 3 parts: a permanent prefix , the actual content , and a redactable suffix . There is also a hash , where is a public hash function, and a public one-way function such that . To make such a blockchain redactable, a central authority should have a private key that would allow for replacing with an arbitrary of his/her choice, so that upon a suitable selection of the new suffix , the equality would still hold.

Instead of having the prefix of depend on the block , one can have the prefix of depend on , in which case the integrity check will have the form . Our method, with minor modification, works with this structure just as well.

We emphasize again that the hash function and the one-way function should be public since anyone should be able to create a new block in the chain as well as verify the integrity of the blockchain.

## 3. An RSA-based implementation

A particular implementation of the general redactable blockchain structure described above is inspired by the ideas underlying the well-known RSA encryption scheme [13] (see also [2], [7], [8] for later developments).

Public information:

– a large integer , which is a product of two large primes

– a hash function , e. g. SHA-256. (We emphasize again that our method can be used with any reasonable hash function, so the reader can replace SHA-256 here with his/her favorite hash function.)

Private information:

– prime factors of . These and should be safe primes (see e.g. [2]), as in modern implementations of RSA. A safe prime is of the form , where is another prime.

Block structure. In each block , there will be a prefix , the actual content (e. g. a transaction description), and a suffix , which is a nonzero integer modulo . We also want not to have order 2, i.e., . Thus, whoever builds a block , selects at random on integers between 1 and and then checks if . If , random selection of is repeated. Once a proper is selected, a public hash function (e. g. SHA-256) is applied to concatenation of and to produce , and is then converted to an integer modulo . The prefix of the next block is then computed as .

### 3.1. Private redactability

Now suppose the central authority, Alice, who is in possession of the private key, wants to change the content of a block from to but does not want to change any other block. Then Alice computes the hash and converts it to an integer modulo . The number should be relatively prime to , the Euler function of

. If it is not, then Alice uses a padding to have

relatively prime to . Once it is, Alice finds the inverse of modulo . Then she computes . The integrity check now gives: because and .### 3.2. Padding

Note that since , we have . If is not relatively prime to , this means that either (1) is even, or (2)

is odd but is divisible by a large prime (recall that

and are safe primes, i.e., and are primes). Thus, our padding is going to be as follows: if is even, we just add 1 to . If is even and divisible by or (this is unlikely but possible), then instead of , the padding of can be . Then . If is divisible by or , then instead of , the padding is going to be . Then . Both and cannot be divisible by or , but (although very unlikely) one can be divisible by and the other by . In that case, the padding is going to be .Similarly, if is odd but is divisible by or (this is unlikely but possible), the padding of is going to be either , or , or , or .

### 3.3. Public immutability

As can be seen from the “Block structure” paragraph above, a party who would like to change the content of a single block, would have to essentially solve the RSA problem: recover from , , and , where is relatively prime to . This is considered computationally infeasible for an appropriate choice of and a random .

### 3.4. Corruption resistance

Another way of unauthorized modification of a block in a blockchain is corruption, i.e., changing the content of the block to something meaningless. To do that, the intruder can start with a random and then look for a number such that , for a given . This mathematical problem that the intruder would have to solve is known as the discrete logarithm problem and is considered computationally infeasible if is sufficiently large.

Two-step attack. The reason why our blockchain integrity condition is and not just is the following “two-step” attack. Suppose the integrity condition was , and suppose the attacker was able to find out that the block was changed so that , and that the attacker got a hold of , and . We will now omit the index to make the following easier to read.

The attacker can corrupt this block (i.e., change it to something meaningless) as follows. Generically, so we may assume that there are such that . Then . Now if and , then . Thus, the attacker can find another suffix, , and such that and therefore corrupt the block .

The reason why this (or similar) attack does not work if the integrity condition is is that does not imply .

## 4. Other authenticated data structures

A “chain”, or a path, is the simplest kind of a connected graph. This type is adequate and sufficient for public data structures such as cryptocurrencies, except that in those, occasional “forks” may exist, in which case the underlying graph is a tree. Authenticated data structures built on trees were considered before (see e.g. [11]), albeit not in the context of the present paper (i.e., not in terms of redactability). Here we explain how to make a data structure redactable if the underlying graph has a node of degree greater than 2. The following procedure easily generalizes to an arbitrary underlying graph.

Suppose three blocks , , and are connected in a chain as usual, but the block is also connected to another block , which means that in the underlying graph the node corresponding to the block has degree 3. Suppose now a central authority wants to modify content of the block . If she follows our procedure from Section 3, she would have to find a suffix for the block such that and at the same time , where is the prefix of the block . This system of equations will not have a solution if . A way around this is introducing an “intermediate” block between and . The prefix of will be the same as that of , i.e., equal to . The content of can just indicate that this block is intermediate, i.e., does not have any other function. The suffix will be selected following the procedure in Section 3, i.e., so that .

Acknowledgement. Both authors are grateful to the Hausdorff Research Institute for Mathematics, Bonn for its hospitality during the work on this project.

## References

- [1] G. Ateniese, B. Magri, D. Venturi, E. Andrade, Redactable blockchain – or – rewriting history in bitcoin and friends, in: 2017 IEEE European Symposium on Security and Privacy, INSPEC Accession Number: 17011479. (See also https://eprint.iacr.org/2016/757.pdf)
- [2] J. Benaloh, Dense probabilistic encryption, First Ann. Workshop on Selected Areas in Cryptology, 1994, 120–128.
- [3] D. Derler, K. Samelin, D. Slamanig, and C. Striecks, Fine-grained and controlled rewriting in blockchains: chameleon-hashing gone attribute-based, in: Network and Distributed Systems Security (NDSS 2019).
- [4] D. Deuber, B. Magri, S. A. K. Thyagarajan, Redactable blockchain in the permissionless setting, in: 2019 IEEE Symposium on Security and Privacy, 124–138. (See also https://arxiv.org/abs/1901.03206)
- [5] Downside of bitcoin: A ledger that can’t be corrected, The New York Times, 2016. https://tinyurl.com/ydxjlf9e
- [6] J. von zur Gathen, I. E. Shparlinski, Generating safe primes, J. Math. Cryptol. 7 (2013), 333–365.
- [7] S. Goldwasser. S. Micali, Probabilistic encryption, J. Comput. Syst. Sci. 28 (1984), 270–299.
- [8] D. Grigoriev, I. Ponomarenko, Homomorphic public-key cryptosystems and encrypting Boolean circuits, Appl. Algebra Engrg. Comm. Comput. 17 (2006), 239–255.
- [9] H. Krawczyk and T. Rabin, Chameleon signatures, in: Network and Distributed System Security Symposium (NDSS 2000).
- [10] S. Krenn, H. C. Pöhls, K. Samelin, D. Slamanig, Chameleon-hashes with dual long-term trapdoors and their applications, in: Progress in Cryptology – AFRICACRYPT 2018, Lecture Notes Comp. Sci. 10831, 11–32.
- [11] R. C. Merkle, A digital signature based on a conventional encryption function, in: Advances in Cryptology – CRYPTO ’87. Lecture Notes Comp. Sci. 293 (1987), 369–378.
- [12] I. Puddu, A. Dmitrienko, S. Capkun, chain: How to forget without hard forks, preprint, https://eprint.iacr.org/2017/106.pdf
- [13] R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (1978), 120–126.
- [14] F.-Y. Yang, Improvement on a trapdoor hash function, Int. J. Network Security 9 (2009), 17–21.

Comments

There are no comments yet.