Bringing Order to Chaos: The Case of Collision-Resistant Chameleon-Hashes

. Chameleon-hash functions, introduced by Krawczyk and Rabin (NDSS’00), are trapdoor collision-resistant hash-functions parametrized by a public key. If the corresponding secret key is known, arbitrary collisions for the hash-function can be found efficiently. Chameleon-hash functions have prominent applications in the design of cryptographic primitives, such as lifting non-adaptively secure signatures to adaptively secure ones. Recently, this primitive also received a lot of attention as a building block in more complex cryptographic applications, ranging from editable blockchains to advanced signature and encryption schemes. We observe that, in latter applications, various different notions of collision-resistance are used, and it is not always clear if the respective notion really covers what seems intuitively required by the application. Therefore, we revisit existing collision-resistance notions in the literature, study their relations, and by means of selected applications discuss which practical impact different notions of collision-resistance might have. Moreover, we provide a stronger, and arguably more desirable, notion of collision-resistance than what is known from the literature (which we call full collision-resistance). Finally, we present a surprisingly simple, and efficient, black-box construction of chameleon-hash functions achieving this strong notion of full collision-resistance.


Introduction
A chameleon-hash function (CH) is a trapdoor collision-resistant hash-function parameterized by a public key.If the corresponding secret key is known, arbitrary collisions for the hash function, i.e., distinct messages m = m yielding the same hash value h, can be efficiently found.Over the years, they have proven to be a very useful tool in theory, as well as practice.Exemplary, CHs are used to construct on/offline signatures [17,26,42], and to generically lift non-adaptively secure signature schemes to adaptively secure ones (cf.[42]), see e.g., Hohenberger and Waters [35].If CHs are tightly-secure, they are used to generically construct tightly-secure signatures [12].Likewise, CHs are used to generically construct strong one-time signatures as shown by Mohassel [39], inspired by a concrete construction from Pedersen commitments by Groth [30].Zhang [46] shows how to construct IND-CCA secure public-key encryption from tag-based encryption (TBE) or identity-based encryption (IBE) and CHs.Bellare and Ristov made the interesting discovery that chameleon-hashes and Σ-protocols, i.e., three round public-coin honest-verifier zero-knowledge proofs of knowledge, are equivalent [10,11].CHs are also used to construct sanitizable signatures [3,14,15], i.e., signatures where a designated entity can modify certain parts of a signed message without invalidating the respective signature under controlled conditions.Furthermore, CHs have been used by Steinfeld et al. [44] to extend Schnorr and RSA signatures to the universal designated-verifier setting [43].Also, different flavors of chameleon-hashing such as (hierarchical) identity-based [5,7] or policy-based chameleon-hash functions [21,41] have been studied.
In a more applied setting, CHs have shown to be valuable to construct integrity measurement and remote attestation mechanisms (denoted chameleon attestation) [2], and are used in vehicular ad-hoc networks (VANETs) [33] or handover authentication in mobile networks [18].More recently, CHs have been used as a means to rewrite blocks in blockchains by replacing the hash function to chain blocks and/or to hash transactions by chameleon-hashes [4,21], to which we come back in Sect. 5.This brief discussion already shows that chameleon-hashes are used in a wide spectrum of different applications requiring different strength of the respective chameleon-hash.Consequently, authors often introduce some ad-hoc notion of collision-resistance for their applications, or even ignore that applications might require a stronger notion.Subsequently, we briefly discuss the different notions which are most commonly found in the literature.
Formalizing Chameleon-Hashes.The concept of chameleon-hashing dates back to the notion of trapdoor commitments introduced by Brassard et al. [13], and was firstly coined chameleon-hashing by Krawczyk and Rabin [37] with an instantiation based on the well-known trapdoor-commitment scheme by Pedersen [40].Later, Ateniese and de Medeiros in [6] observed that the initial collisionresistance notion (which we denote W-CollRes) is rather weak (it does not give the adversary access to any collisions), and, more importantly, it is also satisfied by chameleon-hashes suffering from a key-exposure problem.Namely, when seeing a single collision for some hash h, it allows to publicly extract the secret trapdoor.Thus, any further guarantees are lost.While this is a desirable property for the initial use in chameleon signatures [37], and is also sufficient for the lifting compiler to adaptively secure signatures [42] (as no collision is ever revealed), it is too weak for many other applications.The key-exposure freeness definition in [6] is for the specific case of public-coin chameleon-hashing (where verifying the chameleon-hash is essentially re-computing it).To address this, Ateniese et al. [4] introduced a related notion called enhanced collision-resistance (which we denote E-CollRes) for the generalized case of secret-coin chameleon-hashing (which is the setting that we also consider).The latter notion allows the adversary to see collisions, but it is not allowed to see any collision for the target hash, i.e., the hash corresponding to the collision it computes.Hence, once a single collision for a hash h is seen, an adversary can find arbitrary collisions for that particular hash h.Recently, Khalili et al. [36] have pointed out issues regarding the practicality of the concrete random-oracle model instantiation 4 , proposed by Ateniese et al. in [4], and propose alternative constructions in the standard model.In another work Camenisch et al. [15] proposed an alternative collision-resistance notion which allows the adversary to see arbitrary collisions also for the target hash, but not for the target message, i.e., the message used in the collision output by the adversary has never been queried.In other words, once a collision for a message m is seen, an adversary is allowed to find arbitrary other hashes h with the queried messages.Arguably, this notion seems more realistic as it is better compatible with practical applications (e.g., one can often make the messages unique by appending a tag/nonce), and thus we denote it as standard collision-resistance (or S-CollRes).
Motivation and Contribution.The previous discussion already illustrates that there are many different collision-resistance notions.While this does not necessarily point to an issue, we observe that it is not always clear whether the respective notion does really cover what is required by the respective application.Moreover, it is not clear if the last notion discussed above (S-CollRes) is already the most desirable notion, or, if even stronger notions are achievable, and do have practical relevance.Motivated by these observations, we provide the following contributions: Relations among Properties.We discuss the different security notions of chameleon-hashes, and rigorously study relations among them.Most importantly, we, for the first time, clarify the picture of existing collision-resistance notions by showing implications, and separations, (cf. Figure 1 for an overview).In the course of showing separations, we also provide a construction of a chameleonhash satisfying the E-CollRes notion, which clearly demonstrates weaknesses of this notion.

Relations between CH collision-resistance properties
Stronger Notion.We find that the strongest existing collision-resistance notions, i.e., E-CollRes and S-CollRes (which are incomparable), might still be too weak for practical applications, see, e.g., Sect. 5.In particular, even if S-CollRes is satisfied, the hash values might still be malleable leaving space for potential realworld attacks.Consequently, we propose a stronger notion coined full collisionresistance (or F-CollRes for short), which enforces that the adversary cannot (except with negligible probability) output any new collisions and covers what one intuitively expects from collision-resistance.
Black-Box Construction.We present a simple black-box construction of a chameleon-hash function satisfying this strong F-CollRes notion.Considering the complexity of existing constructions in [4,36] which only achieve the weaker notion of E-CollRes, this is somewhat surprising.To recall, the construction from Ateniese et al. [4] starts from a public-coin chameleon-hash function that satisfies W-CollRes, uses an IND-CPA secure encryption scheme to encrypt the randomness of the chameleon-hash and then uses a true-simulation extractable (tSE) NIZK [25], which is in turn based on a NIZK and an IND-CCA secure publickey encryption scheme, to prove that the ciphertext is an encryption of the randomness.The constructions from Khalili et al. [36], which avoid the aforementioned issues with [4], are based on another new public-coin chameleonhash function that satisfies W-CollRes and then either uses Groth-Sahai NIZK proofs [32] and the IND-CCA secure Cramer-Shoup encryption scheme [20] or a succinct non-interactive argument of knowledge (SNARK).Both constructions in [36] basically follow the generic template in [4].In contrast, our black-box construction of a F-CollRes chameleon-hash is constructed from perfectly correct (multi-challenge) IND-CPA secure encryption, e.g., ElGamal encryption, and a simulation-sound extractable non-interactive zero-knowledge proof (SSE-NIZK), e.g., applying the compiler of Faust et al. [27] to a Fiat-Shamir transformed Σprotocol.The basic idea is that the chameleon-hash is the encryption c of the message m and the randomness of the chameleon-hash is a NIZK proof s.t.either c correctly encrypts m under the pk of CH or one knows the secret key sk corresponding to pk.Interestingly, already a perfectly-binding commitment (without any hiding) is sufficient to achieve the F-CollRes notion, but instead a multi-challenge IND-CPA secure encryption scheme as a perfectly-binding commitment is used to additionally achieve the indistinguishability property of the CH, i.e., that fresh and adapted hashes are indistinguishable, a notion that is considered standard for chameleon-hashes.
Applications.We discuss how our stronger notion allows to strengthen the security of existing applications and in particular will discuss what problems may be caused by different notions of collision-resistance within recent applications to redactable blockchains [4,21].Here, either the hash function to chain blocks in a blockchain or the hash functions to aggregate transactions within single blocks (usually by means of a Merkle-tree) are replaced by a chameleon-hash function.

Preliminaries
Notation.With λ ∈ N we denote our security parameter.All algorithms implicitly take 1 λ as an additional input.We write a ← r A(x) if the output of a probabilistic algorithm A with input x is assigned to a and use a ← A(x) if A is deterministic.An algorithm is efficient, if it runs in probabilistic polynomial time (PPT) in the length of its input.All algorithms are PPT, if not explicitly mentioned otherwise.If we want to make the random coins used by an algorithm A explicit, we use the notation a ← r A(x; ξ).We write (a; ξ) ← r A(x), if we need to access the random coins ξ internally drawn by A. Most algorithms may return a special error symbol ⊥ / ∈ {0, 1} * , denoting an exception.Returning output ends execution of an algorithm or an oracle.To make the presentation in the security proofs more compact, we occasionally use (a, ⊥) ← r A(x) to indicate that the second output is either ignored or not returned by A. If S is a finite set, we write a ← r S to denote that a is chosen uniformly at random from S. M denotes a message space of a scheme, and we generally assume that M is derivable from the scheme's public parameters or its public key.For a list we require that there is an injective, and efficiently reversible, encoding, that maps the list to {0, 1} * .A function ν : N → R ≥0 is negligible, if it vanishes faster than every inverse polynomial, i.e., ∀k ∈ N, ∃n 0 ∈ N such that ν(n) ≤ n −k , ∀n > n 0 .

Building Blocks
We now present the building blocks we require.These include key-verifiable multi-challenge IND-CPA (mcIND-CPA) secure public-key encryption schemes Ω, digitall signature schemes Σ, and non-interactive zero-knowledge proofs Π.
Public-Key Encryption Schemes.Subsequently, we define public-key encryption schemes.
Definition 1 (Public-Key Encryption Scheme).A public-key encryption scheme Ω consists of five algorithms {PG Ω , KG Ω , Enc, Dec, KVf Ω }, such that: PG Ω .The algorithm PG Ω outputs the public parameters of the scheme: It is assumed that pp Ω is an implicit input to all other algorithms.KG Ω .The algorithm KG Ω outputs the key pair, on input pp Ω : Enc.The algorithm Enc gets as input the public key pk Ω , and a message m ∈ M to encrypt.It outputs a ciphertext c: c ← r Enc(pk Ω , m).
Definition 3 (Multi-Challenge IND-CPA Security).A public-key encryption scheme Ω is multi-challenge IND-CPA secure (mcIND-CPA), if for any PPT adversary A there exists a negligible function ν such that: The corresponding experiment is depicted in Figure 2.
Bellare et al. have shown, via a hybrid argument, that mcIND-CPA is equivalent to standard, i.e., "single-message", IND-CPA [8].We opted for using mcIND-CPA, because it allows writing our proofs down more compactly, improving readability.
Digital Signature Schemes.Subsequently, we define signature schemes.
Definition 4 (Digital Signatures).A digital signature scheme Σ consists of four algorithms {PG Σ , KG Σ , Sgn Σ , Vrf Σ } such that: PG Σ .The algorithm PG Σ outputs the public parameters We assume that pp Σ contains 1 λ and is implicit input to all other algorithms.KG Σ .The algorithm KG Σ outputs the public and private key of the signer, where λ is the security parameter: Sgn Σ .The algorithm Sgn Σ gets as input the secret key sk Σ and the message m ∈ M to sign.It outputs a signature: We require existential unforgeability under adaptively chosen message attacks (eUNF-CMA security).In a nutshell, unforgeability requires that an adversary A cannot (except with negligible probability) come up with a signature for a message m * for which the adversary did not see any signature before, even if the adversary A is allowed to adaptively query for signatures on messages of its own choice.
where Sgn Σ on input skΣ and m: Fig. 3. Unforgeability Definition 6 (Unforgeability).We say a digital signature scheme Σ scheme is unforgeable, if for every PPT adversary A, there exists a negligible function ν such that: The corresponding experiment is depicted in Figure 3.
For Construction 1, we require that the size of signatures is independent of the size of the signed messages.
Non-Interactive Proof Systems.Let L be an NP-language with associated witness relation R, i.e., such that L = {x | ∃w : R(x, w) = 1}.A non-interactive proof system allows to prove membership of some statement x in the language L.More formally, such a system is defined as follows.
Definition 7 (Non-Interactive Proof System).A non-interactive proof system Π for language L consists of three algorithms {PG Π , Prf Π , Vfy Π }, such that: The algorithm PG Π outputs public parameters of the scheme, where λ is the security parameter: Prf Π .The algorithm Prf Π outputs the proof π, on input of the CRS crs Π , statement x to be proven, and the corresponding witness w: Vfy Π .The deterministic algorithm Vfy Π verifies the proof π by outputting a bit d ∈ {0, 1}, w.r.t. to some CRS crs Π and some statement statement x: In the context of (zero-knowledge) proof-systems, correctness is sometimes also referred to as completeness.In addition, we require two standard security notions for zero-knowledge proofs of knowledge: zero-knowledge and simulation-sound extractability.We define them analogously to the definitions given in [22].
Informally speaking, zero-knowledge says that the receiver of the proof π does not learn anything except the validity of the statement.Definition 9 (Zero-Knowledge).A non-interactive proof system Π for language L is zero-knowledge, if for any PPT adversary A, there exists an PPT where P0 on input x, w: return π ←r PrfΠ(crsΠ, x, w), if R(x, w) = 1 return ⊥ and P1 on input x, w:

and that
Pr Exp Zero-Knowledge where the corresponding experiment is depicted in Figure 4.
Simulation-sound extractability says that every adversary who is able to come up with a proof π * for a statement must know the witness, even when seeing simulated proofs for adaptively chosen statements potentially not in L. Clearly, this implies that the proofs output by a simulation-sound extractable proof-systems are non-malleable.Note that the definition of simulation-sound extractability where SIM on input x: of [30] is stronger than ours in the sense that the adversary also gets the trapdoor ζ as input.However, in our context this weaker notion (previously also used e.g. in [1,25]) suffices.
Definition 10 (Simulation-Sound Extractability).A zero-knowledge noninteractive proof system Π for language L is said to be simulation-sound extractable, if for any PPT adversary A, there exists a PPT extractor and that there exist a negligible function ν so that where the corresponding experiment is depicted in Figure 5.

Chameleon-Hashes, Revisited
In this section we present the formal framework for chameleon-hashes, their security properties with a special focus on the collision-resistance notion and then show relations and separations between the security properties.

Framework
We now present the framework for chameleon-hashes.We rely on the most recent comprehensive framework by Camenisch et al. [15], which is, in turn, based upon work done by Ateniese et al. and Brzuska et al. [4,14].Definition 11.A chameleon-hash CH is a tuple of five PPT algorithms (CHPG, CHKG, CHash, CHCheck, CHAdapt), such that: CHPG.The algorithm CHPG, on input a security parameter λ outputs public parameters of the scheme: We assume that pp ch is implicit input to all other algorithms.CHKG.The algorithm CHKG, on input the public parameters pp ch outputs the private and public keys of the scheme: CHash.The algorithm CHash gets as input the public key pk ch , and a message m to hash.It outputs a hash h, and some randomness r:5 (h, r) ← r CHash(pk ch , m).
CHCheck.The deterministic algorithm CHCheck gets as input the public key pk ch , a message m, randomness r, and a hash h.It outputs a bit d ∈ {0, 1}, indicating whether the hash h is valid: CHAdapt.The algorithm CHAdapt on input of a secret key sk ch , the message m, new message m , randomness r, and hash h outputs new randomness r :

Indistinguishability
Indistinguishability requires that the randomness r does not reveal if it was obtained through CHash or CHAdapt.Upon setup, a challenger generates a key pair (sk ch , pk ch ) for CH (along with some public parameters), and draws a bit b ← r {0, 1}.The challenger initializes the adversary with the pk ch and gives the adversary access to a HashOrAdapt oracle, which allows the adversary to submit two messages m, m .Depending on the bit b, the challenger then either hashes m directly (b = 0), of first hashes m, and then adapts m to m (b = 1).The resulting hash/randomness pair (h, r) (or (h , r ) resp.) is the oracle's output to the adversary.The adversary's objective is to guess the bit b.Note that all keys are generated honestly and the adversary gets access to a collision-finding oracle CHAdapt for arbitrary hashes, meaning that the adversary may also input hashes generated by the HashOrAdapt-oracle.We stress that there may be scenarios where indistinguishability is not required or even hindering.
Definition 13 (Indistinguishability).A chameleon-hash CH is indistinguishable, if for any PPT adversary A there exists a negligible function ν such that where the corresponding experiment is depicted in Figure 6.
where HashOrAdapt on input skch, m, m , b: Fig. 6.CH Indistinguishability Samelin and Slamanig recently introduced full indistinguishability [41], which, in turn, generalizes the notion of strong indistinguishability by Derler et al [21].In their notion, the adversary is even allowed to generate the keys which are used for hashing and adapting (in the strong version, the adversary only knows all keys, but cannot generate them).
We do neither consider full nor strong indistinguishability as fundamental for chameleon-hashes, but examine these notions to achieve a more complete picture of the relations.The formal definitions of full and strong indistinguishability are given in in the full version of this paper, where we also prove that full indistinguishability is strictly stronger than strong indistinguishability, which, in turn, is strictly stronger than indistinguishability.

Collision-Resistance
In this section we revisit existing collision-resistance notions, introduce a stronger and more desirable notion of collision-resistance dubbed full collision-resistance (or F-CollRes for short) and discuss how these notions differ.The main idea behind collision-resistance in general is to argue that an adversary that has no access to the secret key sk ch cannot find any collisions, i.e,.pairs (m, r) and (m , r ) and hash value h s.t.CHCheck(pk ch , m, r, h) = CHCheck(pk ch , m , r , h) = 1.In the weakest case, the adversary has no access to any other collisions, whereas in stronger notions the adversary is explicitly allowed to obtain collisions for arbitrary hashes via a CHAdapt oracle (we indicate these by using boxes).We present all the different notions in Figure 7, where we indicate the differences in the winning conditions by using boxes.In all the experiments the challenger generates a key pair (sk ch , pk ch ) honestly (along with some public parameters) and the adversary is then initialized with pk ch .We now discuss the where CHAdapt on input skch, m, m , r, h: where CHAdapt on input skch, m, m , r, h: where CHAdapt on input skch, m, m , r, h: experiment with X ∈ {W, E, S, F}.
differences of the single collision resistance notions, where in the weakest case the adversary has no access to an CHAdapt oracle (which allows the adversary to adaptively ask for collisions with messages and hashes of its own choice), but in all other cases the adversary does.To vertically align the experiments, we insert boxes for lines which are missing in one experiment but are present in the other.
Weak Collision-Resistance (W-CollRes) [37].The adversary A wins, if it can come up with a collision for the given public key.Enhanced Collision-Resistance (E-CollRes) [4].The adversary gets access to a collision-finding oracle CHAdapt , which outputs a collision for adversarially chosen hashes, but also keeps track of each queried hash h using the list Q.The adversary wins, if it comes up with a collision for the given public key for an adverserially chosen hash h * never input to CHAdapt .
Standard Collision-Resistance (S-CollRes) [15].The adversary gets access to a collision-finding oracle CHAdapt , which outputs a collision for the adversarially chosen hash, but also keeps track of each of the queried messages m and m , using the list Q.The adversary wins, if it comes up with a collision for the given public key for an adversarially chosen h * for which the message m * output by the adversary was never queried to the collision-finding oracle.Full Collision-Resistance (F-CollRes).The adversary gets access to a collisionfinding oracle CHAdapt , which outputs a collision for the adversarially chosen hash, but also keeps track of each of the queried hash/message pair (h, m) and (h, m ), using the list Q.The adversary wins, if it comes up with a hash/message pair (h * , m * ), for the given public key, never queried to or output from the collision-finding oracle. 6ow, we formally define security with respect to all the collision-resistance notions.

Definition 14 (X Collision-Resistance).
A chameleon-hash CH offers X collision-resistance with X ∈ {W, E, S, F}, if for any PPT adversary A there exists a negligible function ν such that where the corresponding experiment is depicted in Figure 7.
Discussion of the Notions.W-CollRes is the notion introduced in the first work on chameleon-hashes by Krawczyk and Rabin [37] and essentially represents the binding notion of a trapdoor-commitment scheme.Note that due to not giving access to a collision-finding oracle it gives no guarantees whatsoever if the adversary sees a single collision for any hash computed for the given public key. 7The E-CollRes notion has been introduced by Ateniese et al. [4] and we note that there exists a definition in the setting of public-coin chameleon hashes, i.e., where the CHCheck algorithm simply re-runs the CHash, which is called keyexposure freeness [6,16].It captures requirements similar to the ones captured by E-CollRes, but it is not directly comparable as we are considering the more general secret-coin setting.We note that the E-CollRes notion allows the adversary to come up with arbitrary collisions for hashes it has seen a collision for.The S-CollRes notion has been introduced by Camenisch et al. [15], and it captures all of the intuitive requirements of real-world applications of chameleon-hashes.Yet, it still allows the hash itself to be malleable which might still be problematic in certain applications.Finally, our new F-CollRes notion enforces that the adversary cannot (except with negligible probability) output any new collisions and seems to be the most desirable notion for collision-resistance.

Uniqueness
Camenisch et al. [15] defined a property called uniqueness.Uniqueness requires that for each hash/message pair, exactly one randomness can be found, even if the adversary A controls all values, but the public parameters.8 Exp Uniqueness Fig. 8. Uniqueness Definition 15 (Uniqueness).A chameleon-hash CH is unique, if for any PPT adversary A there exists a negligible function ν such that The corresponding experiment is depicted in Figure 8.
We do not consider uniqueness as a fundamental property, as there are only very few applications requiring this notion [15,41].However, to obtain a more complete picture with respect to the relations of the security properties, we also investigate uniqueness.

Relationships between Properties
Below we show relations and separations between the security properties of chameleon-hashes.
Collision-Resistance Properties.We start by analyzing how the various collision-resistance notions are related.
Theorem 1.Standard collision-resistance is strictly stronger than weak collision-resistance.
Proof.We first prove that standard collision-resistance implies weak collisionresistance and then give a counterexample showing that the other direction of the implication does not hold.

S-CollRes =⇒ W-CollRes:
Assume A to be an adversary who breaks weak collision-resistance.We now construct an adversary B which breaks standard collision-resistance.In particular, B proceeds as follows.It receives pp ch and pk ch from its own challenger, and uses both to initialize A. Whenever A outputs a winning tuple (m * , r * , m * , r * , h * ), B returns that tuple to its own challenger.As the collision-finding oracle was never queried, that tuple also makes B win the standard collision-resistance game with the same probability A wins the weak collision-resistance game.W-CollRes =⇒ S-CollRes: The CH by Krawczyk and Rabin [37] provides a counterexample: it is weakly collision-resistant, but does not offer standard collision-resistance. Observe that it is possible to trivially extract the secret key from a collision.That collision is obtained from the collision-finding oracle in the standard collision-resistance game (cf. the full version of this paper).
Theorem 2. Enhanced collision-resistance is strictly stronger than weak collision-resistance.
Proof.The proof is identical to the one of Theorem 1.
Theorem 3. Full collision-resistance is strictly stronger than standard collisionresistance.
Proof.We first prove that full collision-resistance implies standard collisionresistance and then give a counterexample showing that the other direction of the implication does not hold.
F-CollRes =⇒ S-CollRes: Assume A to be an adversary who breaks standard collision-resistance.Now we construct an adversary B which breaks full collision-resistance.In particular, B proceeds as follows.It receives pp ch and pk ch from its own challenger, and uses both to initialize A. All queries to the collision-finding oracle are relayed to B's own oracle.Whenever A outputs a winning tuple (m * , r * , m * , r * , h * ), B returns that tuple to its own challenger.As m * = m * must be true, and m * was never queried to A's collision-finding oracle, this also means that (h * , m * ) was never queried to B's oracle, thus meeting the winning condition.S-CollRes =⇒ F-CollRes: The scheme by Camenisch et al. [15] provides a counterexample: it offers standard collision-resistance, but does not offer full collision-resistance.In particular, their construction is re-randomizable (cf. the full version of this paper).In more detail, to show that this construction is not fully collision-resistant, consider the following strategy: Receive pk ch = (N, H) and pp ch = e.Compute (h, r) ← r CHash(pk ch , m), with m random.Then, ask for an adaption (h, r, m) to (h, r , m ), for some random m = m.Then, compute h * ← h2 e mod N , r * 1 ← 2r mod N , and r * 2 ← 2r mod N .Because no collision for h * was computed, this construction cannot be fully collision-resistant.Note, this works, as H(m)(2r) e ≡ h2 e (mod N ) for any input.Also note that the attack above also breaks enhanced collisionresistance (we will later use this to derive a corollary).
Theorem 4. Full collision-resistance is strictly stronger than enhanced collision-resistance.
Before we provide the proof of Theorem 4, we provide a novel construction of a chameleon-hash satisfying the E-CollRes notion that is used to separate the notions F-CollRes and E-CollRes.Construction.Our CH presented below provides E-CollRes, but allows to efficiently find arbitrary collisions for a given hash, once a single collision was seen.However, it is not possible to find collisions for any other hash.The main idea is to encrypt a message m using a mcIND-CPA secure encryption scheme Ω and use the ciphertext as the hash.The randomness r of the chameleon-hash is the public key pk Ω of a freshly sampled key-pair (sk Ω , pk Ω ) of Ω, the encryption c of a signature σ under pk Ω and a SSE NIZK π for the following language: Informally, this language requires the prover to show that it either knows the randomness ξ attesting that h is a well-formed encryption of m, or a valid signature σ for h.The basic idea of the construction is that when computing a hash, the witness ξ is used.The randomness includes an encryption of the signature (initially one on 0) under the public key pk Ω .Note that the trick is that for adaption one computes a signature σ for h, uses σ as a witness, and includes an encryption of σ under pk Ω in the randomness.Clearly, now seeing a single collision allows to compute arbitrary collisions for the hash h.This CH can be instantiated by instantiating Σ as structure-preserving signatures (SPS) in type-III bilinear groups (assuming SXDH), e.g., Groth's SPS [31].Thus, Ω can be ElGamal [29] in one of the base-groups.The algorithm KVf Ω is simply checking whether g sk Ω = g x = pk Ω , while for Π, a suitable instantiation is a Fiat-Shamir transformed Σ-protocol in the random-oracle model [28], which also works very well with ElGamal encryption and Groth's signature scheme.
We defer the proof of Construction 1 to the full version of this paper.We are now ready to present the proof of Theorem 4.
Proof.We first prove that full collision-resistance implies enhanced collisionresistance and then give a counterexample showing that the other direction of the implication does not hold.
F-CollRes =⇒ E-CollRes: Assume A to be an adversary who breaks the enhanced collision-resistance.We can then construct an adversary B which breaks the full collision-resistance.In particular, B proceeds as follows.It receives pp ch and pk ch from its own challenger, and uses both to initialize A. All queries to the collision-finding oracle are relayed to B's own oracle.Whenever A outputs a winning tuple (m * , r * , m * , r * , h * ), B returns that tuple to its own challenger.As m * = m * must be true, and h * was never queried to A's collision-finding oracle, this also means that (h * , m * ) was never queried to B's oracle, thus meeting the winning condition.
Theorem 5. Enhanced collision-resistance and standard collision-resistance together imply full collision-resistance.
Proof.The theorem above is proven using a sequence of games.
Game 0: The original full collision-resistance game.
Game 1: As Game 0, we abort, if the adversary A outputs (m * , r * , m * , r * , h * ) such that the winning conditions are met, but h * was never queried to the collision-finding oracle.Transition -Game 0 → Game 1: If this is the case, we build an adversary B which breaks the enhanced collision-resistance of the underlying scheme.Namely, B receives pk ch and uses it to initialize A. Every adaption query by A is answered by B using its own oracle.Once A outputs (m * , r * , m * , r In Game 2, the adversary can no longer win the full collision-resistance game.This proves the theorem.
The corollary below follows from the constructions used in the proofs of Theorem 3 and Theorem 4, which provide standard collision-resistance but not enhanced collision-resistance, and vice versa.
Corollary 1.Standard collision-resistance and enhanced collision-resistance are independent.
Additional Separations.We now prove some additional separations.We note that indistinguishability is strictly weaker than full indistinguishability (as formally shown in the full version of this paper).
Theorem 6.Even full indistinguishability and uniqueness together do not imply weak collision-resistance.
Proof.Assume the following contrived construction of a chameleon-hash: Clearly, this construction is fully indistinguishable and unique.Finding collisions, however, is a trivial task.
Theorem 7.Even full collision-resistance and uniqueness together do not imply indistinguishability.
Theorem 8.Even full collision-resistance and full indistinguishability together do not imply uniqueness.

Fully Collision-Resistant Chameleon-Hashes
We are now ready to present our black-box construction of fully collision-resistant chameleon-hashes.

Construction
The main idea of our construction is to encrypt a message m using an mcIND-CPA secure encryption scheme and use the ciphertext as the hash, i.e., it is very close to our "contrived" construction providing enhanced collision-resistance given in Construction 1.However, it has some important, and subtle, differences.Namely, the randomness r is a SSE NIZK attesting membership of a tuple containing the public key used for encryption, the hash, as well as the hashed message in the following NP-language: Informally, this language requires the prover to demonstrate that it either knows the randomness ξ attesting that h is a well-formed encryption of m under the CH key pk Ω , or it knows a secret key sk Ω corresponding to pk Ω , instead of encrypting a signature and proving the verification relation.Our construction of a fully collision-resistant CH is presented as Construction 2. We note that compared to Ateniese et al. [4] we cannot use true-simulation extractable NIZKs (tSE-NIZKs) [25] and need SSE NIZKs.

Security
Subsequently, we prove the security of our CH in Construction 2.

Theorem 9.
If Ω is correct and Π is complete, then CH in Construction 2 is correct.
Correctness follows from inspection and the (perfect) correctness of the used primitives.
Theorem 10.If Ω is mcIND-CPA secure, and Π is zero-knowledge, then CH in Construction 2 is indistinguishable.
In the proof, we use frameboxes and to highlight the changes we make in the algorithms throughout a sequence of games (and we only show the changes).
Transition -Game 1 → Game 2: We bound the probability for an adversary to distinguish between two consecutive games by introducing a hybrid game which uses a multi-challenge IND-CPA challenger to interpolate between two consecutive games.
Theorem 11.If Ω is perfectly correct and mcIND-CPA secure, and Π is zeroknowledge as well as simulation-sound extractable, then CH in Construction 2 is fully collision-resistant.
Proof.To prove full collision-resistance, we use a sequence of games.
Game 0: The original full collision-resistance game.Game 1: As Game 0, but we modify the CHPG and the CHAdapt algorithm as follows: CHPG (1 λ ) : CHAdapt (sk ch , m, m , r, h) : Transition -Game 0 → Game 1: We bound the probability for an adversary to detect this game change by presenting a hybrid game, which, depending on a zero-knowledge challenger C zk , either produces the distribution in Game 0 or Game 1, respectively.
CHAdapt (sk ch , m, m , r, h) : Clearly, if the challenger's internal bit is 0 we simulate the distribution in Game 0, whereas we simulate the distribution in Game 1 otherwise.We have that | Pr[S 0 ] − Pr[S 1 ]| ≤ ν zk (λ).Game 2: As Game 1, but we further modify the CHPG algorithm as follows: own challenger (for encryption), simply decrypting the returned ciphertext, and answering with the correct bit.We have that Pr[S 5 ] ≤ ν mc-cpa (λ).This concludes the proof.

Concrete Instantiation
A suitable instantiation for Ω is ElGamal [29].The algorithm KVf Ω is simply checking whether g sk Ω = g x = pk Ω .Note that for Π we only need to extract a bounded number of times (i.e., twice).To this end one may use Fiat-Shamir transformed Σ-protocols for DLOG relations in the random-oracle model [28] when additionally applying the compiler by Faust et al. [27].In particular, Faust et al. show that such proofs are simulation-sound extractable when additionally including the statement x upon hashing in the challenge computation and if the Σ-protocol provides a property called quasi-unique responses.The latter is straightforward for the statements which need to be proven in our context.See, e.g., [23], for a detailed discussion of this transformation.
For the sake of completeness and to demonstrate how efficiently our approach can be instantiated, we provide this concrete instantiation as Construction 3. Therefore, let (G, g, q) ← r GGen(1 λ ) be an instance generator which returns a prime-order, and multiplicatively written, group G where the DDH problem is hard, along with a generator g such that g = G.Note that an SSE NIZK for the required L in (3) can easily be obtained as an equality proof of two discrete logarithms together with an or composition of a proof of a discrete logarithm [19] of Fiat-Shamir transformed Σ-protocols discussed above. (3)
Construction 3: Concrete instantiation of a Fully Collision-Resistant CH using SSE NIZKs based on Groth-Sahai NIZKs, one can use the compiler in [22] to efficiently achieve simulation-sound extractability.We, however, note that a naive instantiation of our template in the standard model would still require to include bit-wise proofs of the parts of the witness which are in Z q , which would, all in all, require a number of group elements in the order of 1k − 2k (a very rough estimate; thus we also omit the remaining costs which is indicated by "−" in Table 1).It seems that switching to a variant of ElGamal in the target group (and maybe some other tweaks) would help to work around the requirement of having bit-wise proofs.Optimizing this instantiation is not in the scope of this work and therefore we only give our rough estimates in the table.Finally, we note that we omit comparing our scheme given in Construction 1 as it is contrived and its sole purpose is to prove a separation result.

Application: Redactable Blockchains
While one of the major goals of blockchains is their immutability and in particular their use as an immutable append-only log, recently, starting with the work of Ateniense et al. [4], there has been an increasing interest in blockchains that allow some controlled after-the-fact modification of their content.This is motivated by illegal content that was shown to be included into the Bitcoin blockchain [38], which represents a significant challenge for law enforcement agencies [45], as well as legislations like the European General Data Protection Regulation (GDPR) and the associated "right to be forgotten".Solutions to this problem may either be for the permissioned-or permissionless-blockchain setting and cryptographic in nature [4,21,41] or non-cryptographic, where in the latter case it is based on the consensus layer of the blockchain [24].We are considering the former and focus on block-level rewriting (change entire blocks) of blockchains instead of transaction-level rewriting (change single transactions within a block) in a permissionless setting (such as Bitcoin), as this illustrates the problem with much wider implications.In the following we are using the notation used in [4], and describe a block as triple of the form B = s, x, ctr , where s ∈ {0, 1} λ , x ∈ {0, 1} * and ctr ∈ N and a block is valid if validblock D q (B) := (H(ctr, G(s, x)) < D) ∧ (ctr < q) = 1.Here, H : {0, 1} * → {0, 1} 2λ and G : {0, 1} * → {0, 1} 2λ are collision-resistant hash functions, and the parameters D ∈ N and q ∈ N are the difficulty level of the block and the maximum number of hash queries that a user is allowed to make in any given round of the protocol, respectively.The chaining of blocks is now done by requiring that when attaching a (valid) block B = s , x , ctr' we have that s = H(ctr, G(s, x)).Now to make blocks redactable, one changes the description of blocks to B = s, x, ctr, (h, r) where the new component is a chameleon-hash (h, r) and the validation predicate changes to validblock D q (B) :=(H(ctr, h) < D) ∧ CHCheck(pk ch , (s, x), r, h) = 1 ∧ (ctr < q) = 1.
Chaining is now done by requiring that when attaching a (valid) block B = s , x , ctr' we have that s = H(ctr, h).Observe that now computing a collision in the chameleon-hash gives very much power as it basically allows to rewrite the entire history of the blockchain.
Ateniese et al. in [4] discuss different ways to control this power to actually compute collisions (i.e., run CHAdapt) where 1) either sk ch may be available to some fully trusted single party only, or 2) sk ch is generated using a multi-party computation (MPC) protocol and CHAdapt is also performed in a distributed way by some set of parties.We will discuss the implications of different collisionresistance notions to this setting, which is independent of which of these two approaches is going to be used.
We recall that Ateniese et al. [4], who introduced this application, rely on E-CollRes and Derler et al. in more recent work in [21] rely on S-CollRes.Now, note that in such a permissionless setting as discussed above, where everybody is allowed to participate, it is reasonable to assume that an adversary sees the collisions computed for any blocks over some time in the system (as they will be broadcasted).Now let us discuss the single notions: Weak Collision-Resistance (W-CollRes).A chameleon-hash providing this notion of collision-resistance provides absolutely no guarantees, as after seeing a single collision all guarantees are lost.A prime example is the Pedersen CH due to Krawczyk and Rabin [37] (cf. the full version of this paper), where a single seen collision exposes the secret key sk ch to everybody.Clearly, this has significant consequences in the above scenario as then everybody can arbitrarily alter the blockchain.Enhanced Collision-Resistance (E-CollRes).Recall that an adversary when attacking some hash h * must have never input h * to CHAdapt .Now, this means that if an adversary targets a specific hash and then happens to see a collision for this hash (for some reason), suddenly all guarantees are lost and arbitrary collisions could be computed.Note that our construction in Sect.3.5 clearly demonstrates potential problems with CHs only satisfying this notion.This still represents a significant problem with this application.Standard Collision-Resistance (S-CollRes).Recall, that an adversary is only restricted to not query message m * (which is associated to the computed collision h * ) was never queried to the collision-finding oracle.While this still might be problematic in the redactable blockchain setting, messages can very likely be made unique by perpending a large enough random tag/nonce (note that in this could easily be done in the block format of e.g., the Bitcoin block structure).So, this notion seems suitable if the aforementioned constrained may, under certain circumstances, be guaranteed to be met, but is far away from being ideal.Full Collision-Resistance (F-CollRes).We recall that, here, only the collision (h * , m * ) was not generated by the collision-finding oracle, but there is no other restriction whatsoever.Consequently, this collision-resistance notion seems the "right" notion as no issues on higher levels need to be considered and very strong guarantees are already provided by the notion itself.

Transition -Game 1 → 2 :
Game Under simulation-sound extractability, Game 1 and Game 2 are indistinguishable.That is, | Pr[S 1 ] − Pr[S 2 ]| = 0. Game 3: As Game 2, but we keep a list Q of all tuples (h, r, m) previously submitted to the collision-finding oracle which are accepted by the CHCheck algorithm, where h was never submitted to the collision-finding oracle before.
) to its own challenger.As h * was never seen, B wins its own game.|Pr[S0 ] − Pr[S 1 ]| ≤ ν enh-collres (λ) follows.Game 2: As Game 1, we abort, if the adversary A outputs (m * , r * , m * , r * , h * ) such that the winning conditions are met, but m * was never queried to the collision-finding oracle.Transition -Game 1 → Game 2: If this is the case, we build an adversary B which breaks the standard collision-resistance of the underlying scheme.Namely, B receives pk ch and uses it to initialize A. Every adaption query by A is answered by B using its own oracle.Once A outputs (m * , h * ), B returns (m * , r * , m * , r * , h * * , r * , m * , r * , h * ), B returns (m * , r * , m * , r * , h * ) to its own challenger.As m * was never seen, B wins its own game.| Pr[S 1 ] − Pr[S 2 ]| ≤ ν st-collres (λ) follows.