Abstract
Blockchain is a multiparty protocol to reach agreement on the order of events, and to record them consistently and immutably without centralized trust. In some cases, however, the blockchain can benefit from some controlled mutability. Examples include removing private information or unlawful content, and correcting protocol vulnerabilities which would otherwise require a hard fork. Two approaches to control the mutability are: moderation, where one or more designated administrators can use their private keys to approve a redaction, and voting, where miners can vote to endorse a suggested redaction. In this paper, we first present several attacks against existing redactable blockchain solutions. Next, we provide a definitional framework for moderated redactable blockchains. Finally, we propose a provable and efficient construct, which applies a single digital signature per redaction, achieving a much simpler and secure result compared to the prior art in the moderated setting.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Ateniese, G., Magri, B., Venturi, D., Andrade, E.: Redactable blockchain-or-rewriting history in bitcoin and friends. In: EuroS&P. IEEE (2017)
Boneh, D., Shen, E., Waters, B.: Strongly unforgeable signatures based on computational Diffie-Hellman. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 229–240. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_15
CoinDesk: Understanding The DAO Attack (2016). https://tinyurl.com/dao-attack
Council of European Union: Regulation (EU) 2016/679: General Data Protection Regulation (GDPR) (2016). https://gdpr-info.eu
Derler, D., Ramacher, S., Slamanig, D., Striecks, C.: I Want to Forget: Fine-Grained Encryption with Full Forward Secrecy in the Distributed Setting. IACR Cryptology ePrint Archive (2019)
Derler, D., Samelin, K., Slamanig, D., Striecks, C.: Fine-Grained and Controlled Rewriting in Blockchains: Chameleon-Hashing Gone Attribute-Based. IACR Cryptology ePrint Archive (2019)
Deuber, D., Magri, B., Thyagarajan, S.A.K.: Redactable blockchain in the permissionless setting. In: Symposium on Security and Privacy. IEEE (2019)
Dousti, M.S., Küpçü, A.: Moderated Redactable Blockchains: A Definitional Framework with an Efficient Construct. IACR Cryptology ePrint Archive (2020)
Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10
Grigoriev, D., Shpilrain, V.: RSA and Redactable Blockchains. arXiv report 2001.10783 (2020)
Hargreaves, S., Cowley, S.: How Porn Links and Ben Bernanke Snuck Into Bitcoin’s Code (2013). https://tinyurl.com/bitcoin-snuck
Hopkins, C.: If You Own Bitcoin, You Also Own Links to Child Porn (2020). https://tinyurl.com/bitcoin-child
Kolb, J., AbdelBaky, M., Katz, R.H., Culler, D.E.: Core concepts, challenges, and future directions in blockchain: a centralized tutorial. ACM Comput. Surv. 53(1), 1–39 (2020)
Liu, J.K., Au, M.H., Susilo, W., Zhou, J.: Short generic transformation to strongly unforgeable signature in the standard model. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 168–181. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15497-3_11
Lumb, R.: Downside of Bitcoin: A Ledger That Can’t Be Corrected (2016). https://tinyurl.com/btc-immutable
Nakamoto, S.: Bitcoin: A Peer-to-Peer Electronic Cash System (2009). http://www.bitcoin.org/bitcoin.pdf
Pass, R., Shi, E.: FruitChains: a fair blockchain. In: Symposium on Principles of Distributed Computing (2017)
Pearson, J.: The Bitcoin Blockchain Could Be Used to Spread Malware, INTERPOL Says (2015). https://tinyurl.com/bitcoin-malware
Puddu, I., Dmitrienko, A., Capkun, S.: \(\mu \)chain: How to Forget Without Hard Forks. IACR Cryptology ePrint Archive (2017)
Wood, G.: Ethereum: A Secure Decentralised Generalised Transaction Ledger. Ethereum Project yellow paper (2014)
Acknowledgment
The second author acknowledges support from TÜBİTAK, the Scientific and Technological Research Council of Turkey, under project number 119E088.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A An Incorrect and Insecure Construct
A An Incorrect and Insecure Construct
In this appendix, we present a construct that is both incorrect and insecure, but helps in understanding the way our definitional framework works. Normal blocks do not include any information about each other (such as the hash of the previous block). Such information, necessary for the secure operation of an ordinary blockchain, is abstracted via the ideal functionality in the model: The adversary is not allowed to make any direct writes to the ledger, and therefore the challenger can keep the ledger blocks in their total order. The redactability is achieved with a signature scheme strongly unforgeable under adaptive chosen-message attack (sUF-CMA), denoted \(({{\,\mathrm{\mathsf {GenSig}}\,}}, {{\,\mathrm{\mathsf {Sign}}\,}}, {{\,\mathrm{\mathsf {VerifySig}}\,}})\): The challenger installs a redacted block only if its witness holds the signature of itself and the next block. The reversion attack (Sect. 4) is prevented by introducing version numbers in the block structure: Initially, each block carries version 1. Upon each redaction, the version number is incremented. The verification function of the blockchain checks whether the version of a redacted block is strictly greater than the version of the block being replaced. This way, the adversary cannot reinstall a previously valid block again.
Construction 2 (Insecure and Incorrect)
The redactable blockchain \(\mathcal {RBC}_\mathrm {bad}\) is defined as follows. The block structure is \(B \overset{\mathrm {\scriptscriptstyle def}}{=}(C, V, W)\), where each block contains content C, version V, and witness W.
-
\({{\,\mathrm{\mathsf {Gen}}\,}}(1^\lambda )\) simply calls the generator for the underlying signature scheme to obtain the public and private keys: \((pk, sk) \leftarrow {{\,\mathrm{\mathsf {GenSig}}\,}}(1^\lambda )\). It sets \(\mathcal {L}\leftarrow [B_0]\), where \(B_0 \leftarrow (\varepsilon , 1, \varepsilon )\).
-
\({{\,\mathrm{\mathsf {Create}}\,}}(pk, \mathcal {L}, C)\) returns \(B \leftarrow (C, 1, \varepsilon )\).
-
\({{\,\mathrm{\mathsf {Verify}}\,}}(pk, \mathcal {L}, i, B)\) returns 1 if and only if all of the following conditions hold:
-
\(\bullet \) B has correct structure, and \(i \le \ell + 1\) is a positive integer.
-
\(\bullet \) \(\mathrm {\Phi }(\mathbf {V}, i, V)\) returns 1: This happens if and only if \((i=\ell +1) \wedge (V=1)\) (the block is being appended and has version 1), or \((i\le \ell ) \wedge (\mathbf {V}[i] < V)\) (an existing block is being redacted, and the new version is greater than the existing one to foil reversion attacks).
-
\(\bullet \) \(\mathrm {\Psi }(pk, \mathcal {L}^*)\) returns 1: This happens if and only if for every pair \((B,B')\) of subsequent blocks in \(\mathcal {L}^*\), if \({{\,\mathrm{\mathsf {Version}}\,}}(B) > 1\) (i.e., if B is redacted), then
(7)where \(W \overset{\mathrm {\scriptscriptstyle def}}{=}{{\,\mathrm{\mathsf {Witness}}\,}}(B)\), and (i.e., block B except W). Put simply, this means that W is a valid signature on \(C \mathbin {||}V \mathbin {||}C' \mathbin {||}V' \mathbin {||}W'\).
-
-
\({{\,\mathrm{\mathsf {Redact}}\,}}(sk, \mathcal {L}, i, C)\): Creates \(B \leftarrow (C, V, W)\) using content C, where \(V \leftarrow {{\,\mathrm{\mathsf {Version}}\,}}(\mathcal {L}[i]) + 1 \) and W is a signature on the current block except W itself (denoted ), as well as the next block \(\mathcal {L}[i+1]\):
Notice that incrementing the version number, as well as the computation of witness by signing the current and next blocks, are consistent with the requirements of \({{\,\mathrm{\mathsf {Verify}}\,}}\).
-
\({{\,\mathrm{\mathsf {Install}}\,}}(pk, \mathcal {L}, i, B)\): Works exactly as specified in Definition 3.
Correctness Issues. A series of valid actions can put the ledger in a state that block creation for appending is no longer possible, violating the first requirement of Definition 4. For instance, let \(C_1\), \(C_1'\) and \(C_2\) be any valid contents, and consider the following actions, following \((pk, sk, \mathcal {L}) \leftarrow {{\,\mathrm{\mathsf {Gen}}\,}}(1^\lambda )\):
The first line creates and appends a block, the second line redacts it, and the third line tries to append a new block. The last \({{\,\mathrm{\mathsf {Install}}\,}}\) fails as it calls \({{\,\mathrm{\mathsf {Verify}}\,}}\), which in turn calls \(\mathrm {\Psi }\): Since the version of \(B_1'\) is greater than 1, \(\mathrm {\Psi }\) requires it to hold a signature containing information about the next block, as per Eq. (7), which is not the case.
The underlying reason is that, in this particular construct, it is meaningless for the last block of the ledger to be redacted, as there is no next block to sign. It is possible not to increase version number for redacting the last block, or disallow such redaction by requiring \(i \ne \ell \) in designing \({{\,\mathrm{\mathsf {Redact}}\,}}\).
One can violate the second requirement of Definition 4 as well, by following a series of valid actions that put the ledger in a state where redaction of some blocks are impossible. Let \(\mathcal {L}\leftarrow [B_0, B_1, B_2, B_3]\) be a ledger constructed by appending three blocks, and \(C_1'\) and \(C'_2\) be valid contents. Consider the following actions:
Again, the last install fails: For the pair \((B_1', B_2')\), algorithm \(\mathrm {\Psi }\) requires \(B_1'\) to hold a signature on (see Eq. (7)). However, \(B_1'\) is redacted prior to \(B_2'\): As a result, \(B_1'\) holds a signature on , which becomes invalid after \(B_2\) is redacted. Consequently, the second requirement of Definition 4 is violated.
The underlying reason is the indifference in the verification algorithms as to which block is newer. The next section shows how using unique versions can resolve this issue.
Security Issues. On the surface, it seems that the adversary cannot succeed in Experiment 2. An informal (and false) argument is as follows: We use an adversary who succeeds in the game as a subroutine, to forge a valid signature on an arbitrary message. The forger simulates the challenger. It gives the public key of the signature scheme to the adversary, and answers all redaction queries by using the signing oracle. When the adversary outputs a successful redaction (i, B), the witness W is a valid signature on the message . The forger outputs (m, W) as a valid message-signature pair.
The fallacy in the above argument is that the forger must output a new pair (m, W), as required by sUF-CMA signature forgery. However, the informal proof does not show that this pair is new. In fact, as is explained below, it is easy for an adversary to succeed in the game without forging any signature.
Adversary \(\mathcal {A}\) proceeds as follows: It creates a block \(B \leftarrow (\texttt {"original"}, 1, \varepsilon )\), and appends it three times by calling the \({{\,\mathrm{\mathtt {INST}}\,}}\) interface of the challenger on queries (1, B), (2, B) and (3, B), respectively. At this point, \(\mathcal {L}= [B_0, B, B, B]\).
Next, \(\mathcal {A}\) queries the \({{\,\mathrm{\mathtt {REDC}}\,}}\) interface of the challenger on \((1, \texttt {"modified"})\), and receives \(B' \leftarrow (\texttt {"modified"}, 2, W)\), where W is a signature on , where is \(\texttt {"modified"} \mathbin {||}2\).
While the redaction was requested for position 1, the adversary uses position 2: She outputs \((2, B')\), and halts.
At this point, \({{\,\mathrm{\mathsf {Hist}}\,}}= \{ (1,B') \}\), and therefore \((2, B')\) is new. Furthermore, \(B'\) is a valid redaction for position 2, since \(\mathcal {L}[3] = \mathcal {L}[2] = B\). We conclude that the adversary breaks the security by outputting a successful reduction, without forging a new signature. The underlying reason for this attack is duplicate blocks in the ledger. Construct 1 in Sect. 6 resolved this issue by incorporating unique versioning.
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Dousti, M.S., Küpçü, A. (2020). Moderated Redactable Blockchains: A Definitional Framework with an Efficient Construct. In: Garcia-Alfaro, J., Navarro-Arribas, G., Herrera-Joancomarti, J. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2020 2020. Lecture Notes in Computer Science(), vol 12484. Springer, Cham. https://doi.org/10.1007/978-3-030-66172-4_23
Download citation
DOI: https://doi.org/10.1007/978-3-030-66172-4_23
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-66171-7
Online ISBN: 978-3-030-66172-4
eBook Packages: Computer ScienceComputer Science (R0)