Privacy-Preserving Fine-Grained Redaction with Policy Fuzzy Matching in Blockchain-Based Mobile Crowdsensing

: The redactable blockchain has emerged as a promising technique in mobile crowdsensing, allowing users to break immutability in a controlled manner selectively. Unfortunately, current ﬁne-grained redactable blockchains suffer two signiﬁcant limitations in terms of security and functionality, which severely impede their application in mobile crowdsensing. For security, the transparency of the blockchain allows anyone to access both the data and policy, which consequently results in a breach of user privacy. Regarding functionality, current solutions cannot support error tolerance during policy matching, thereby limiting their applicability in various situations, such as ﬁngerprint-based and face-based identiﬁcation scenarios. This paper presents a privacy-preserving ﬁne-grained redactable blockchain with policy fuzzy matching, named PRBFM. PRBFM supports fuzzy policy matching and partitions users’ privileges without compromising user privacy. The idea of PRBFM is to leverage threshold linear secret sharing based on the Lagrange interpolation theorem to distribute the decryption keys and chameleon hash trapdoors. Additionally, we have incorporated a privacy-preserving policy matching delegation mechanism into PRBFM to minimize user overhead. Our security analysis demonstrates that PRBFM can defend against the chosen-ciphertext attack. Moreover, experiments conducted on the FISCO blockchain platform show that PRBFM is at least 7.8 times faster than existing state-of-the-art solutions.


Introduction
With the increasing prevalence of intelligent terminals, particularly in light of contemporary trends such as "Industrie 4.0" [1] and the IoT, mobile crowdsensing has emerged as a promising application that leverages smart devices in mobile networks to utilize idle resources for sensing tasks effectively [2]. However, the current mobile crowdsensing paradigms primarily rely on centralized platforms that are not entirely trustworthy in practice and give rise to issues such as fraud, security vulnerabilities, and the single point of failure [3]. Consequently, the adoption of blockchain techniques has become widespread as a means to address these challenges. In essence, the immutability of blockchain serves as a critical measure against any manipulation of registered objects for illicit gains [4,5].
However, the immutability of blockchain may impede the application of the blockchain. Nowadays, the blockchain ecosystem is plagued by the presence of inappropriate materials, such as fake news, copyrighted content, and sensitive data [6][7][8][9]. Researchers have discovered that individuals with malicious intent can upload objectionable material (such as malware or pornographic links) onto the Bitcoin blockchain [7]. Regrettably, no effective methods currently exist to prevent the dissemination of this harmful content throughout the Bitcoin network. Participants on the chain may be concerned about being associated 1.
How to enable fine-grained redactable blockchain with fuzzy policy matching; 2.
How to conceal the policy based on fuzzy policy matching; 3.
How to ensure data privacy while maintaining privilege downward compatibility (i.e., allowing redactable users to access the data) through policy concealment; 4.
How to minimize user overhead in a privacy-preserving paradigm.

Contribution
In this paper, we provide a positive answer to the aforementioned problems by proposing a privacy-preserving fine-grained redactable blockchain with fuzzy policy matching (PRBFM). Specifically, PRBFM supports fuzzy policy matching and partitions users' privileges without compromising user privacy. The main contributions are illustrated below. • We introduce a novel privacy-preserving fine-grained redactable blockchain with fuzzy policy matching for mobile crowdsensing scenarios. Concretely, to achieve data privacy preservation and fuzzy matching for the redactable blockchain, we leverage the Lagrange interpolation theorem-based secret sharing to distribute the data decryption keys and chameleon hash trapdoors. • To further satisfy the requirement of privacy-preserving policy matching and reduce the user overhead, we design a privacy-preserving policy matching delegation mechanism for PRBFM. • A formal security analysis is provided to demonstrate the security of PRBFM against chosen-ciphertext attacks in a random oracle model. Subsequently, we employ a real-world dataset to perform experiments on the FISCO blockchain platform. The experimental results demonstrate that our schemes outperform related existing solutions, with a speed improvement of a minimum of 7.8×.

Roadmap
The structure of this paper is shown in Figure 1. Section 2 details the system model, threat model, and problem formulation. Proceeding further, Section 3 presents the preliminaries utilized in PRBFM. Subsequently, in Section 4, we formalize our scheme by presenting the definition and detailed construction of PRBFM, while the analysis and applications are discussed in Section 5. Several experiments based on the FISCO blockchain and the real-world dataset are conducted in Section 6. Finally, we discuss several related works about the redactable blockchain in Section 7 before reaching the conclusion in Section 8.

System Model
In this section, we formulate the problem addressed by the proposed PRBFM scheme. This scheme involves three different types of entities: nodes, users, and data owners. The nodes are responsible for storing the data of corresponding owners and executing data queries from users with permission. Notably, the nodes can be divided into three main types: privilege nodes (i.e., consortium nodes), storage nodes (i.e., cloud nodes), and computation nodes (i.e., edge nodes). The users usually represent requesters in realistic mobile crowdsensing scenarios. According to their attributes and the policy of the data owner, they can be split into three roles: unauthorized users, authorized users, and authorized modifiers. Unauthorized users are unable to perform any actions on the uploaded data. Authorized users have read-only access to the uploaded data. On the other hand, authorized modifiers can both access and modify the contents of the uploaded data. Similar to the users, the data owners mainly represent individuals or organizations in real-world mobile crowdsensing scenarios. Their prior task is to crowdsense raw data, then encrypt and upload them to the blockchain. The system model is presented in Figure 2.

Threat Model
In blockchain-based mobile crowdsensing scenarios, it is assumed that the privileged nodes, such as the government, organization administrators, and manufacturers, are trustworthy entities as they regulate the blockchain and authorize user privileges [28][29][30]. Conversely, other entities such as users, data owners, storage nodes, and computation nodes are semi-honest. Though they are expected to follow protocols faithfully, they have the curiosity to probe others' private data, which may lead to unwanted inferences [7,31]. Additionally, users may maliciously collude with other entities except for the privileged nodes, resulting in attacks such as privilege escalation and privacy eavesdropping. We summarize the potential attacks below.
• Unauthorized access attack: Since encrypted data submitted by corresponding owners may contain commercially sensitive or private details, they become a prime target of potential adversaries. One such threat is the unauthorized access attack, whereby individuals without authorization may attempt to read or modify the data. • Eavesdropping attack: An unauthorized party may eavesdrop on data transmitted through public channels in an attempt to deduce sensitive details from the intercepted ciphertext. • User inferring attack: Attributes and policies may contain specific characteristics of individuals, such as their occupation, rank, or identity. An attack that expert adversaries may use to elicit sensitive information without knowing personal identifiers, such as the user identity or type of encrypted data, is known as the user inferring attack. • Identity disguising attack: Access to encrypted data is determined based on specific attributes of individual users, including their identity. As a result, identity disguising attacks occur when unauthorized entities attempt to appear as authorized readers or modifiers. These attacks may involve disguising the encryption key with unauthorized attributes or attaching unauthorized attributes to obtained ciphertexts to mislead other entities. In some instances, unauthorized actors may alter or tamper with the message to deceive other parties. • Collusion attack: Unauthorized entities may collaborate to perform various attacks, including those outlined above. For example, unauthorized users may pool their secret keys to recover encrypted data without proper authorization. They may also ex-change keys to obtain encrypted data without proper authorization from the specified sender's attributes.

Problem Statement and Design Goals
The problem addressed in this paper is as follows: a data owner encrypts plaintext message m based on a readability policy Pr and an editability policy P e(Pr ⊂ P e). The resulting encryption (C, H) is then submitted to blockchain nodes. Simultaneously, a user with attributes σ exists. The design goal of PRBFM is to achieve a secure redactable blockchain in which the user can read m only when Pr ⊂ σ and can edit only if P e ⊂ σ while maintaining the confidentiality of sensitive data, including data from owners, user attributes, and owner policies, to avoid exposure to other parties.

Chameleon Hash
Ateniese et al. [16] proposed the chameleon hash. A chameleon hash system typically comprises five algorithms that can be executed in polynomial time. These definitions are illustrated below: • PPGen(1 λ ). This algorithm's input is the security parameter λ. The output of this algorithm is the public parameters PP. Notably, we implicitly assume that mpk is the input for the subsequent algorithms. • KeyGen(PP). This algorithm uses the public parameters PP as input and generates the public key pk and secret key sk as output. • HashGen(pk, m). This algorithm takes the public key pk and plaintext message m as input, and outputs the hash h and random value r. • Verify(pk, m, r, h). This algorithm takes the public key pk, plaintext message m, random value r, and hash h as input, and generates the decision result d as output. Specifically, d is equal to 1 if the hash is valid, and 0 otherwise. • Adapt(sk, m, m , r, h). This algorithm takes the secret key sk, plaintext message m, alternate message m , random value r, and hash h as input, and generates the alternate random value r as output.
We make the assumption, without loss of generality, that the Adapt algorithm always requires the hash h for verification. If h is invalid, the algorithm outputs ⊥ instead of the alternate random value r .

Threshold Linear Shamir Secret Sharing
In [32], Shamir proposed a Lagrange interpolation theorem-based secret sharing scheme. Given k points (x 1 , y 1 ), · · · , (x k , y k ) on the 2-D plane where the values of x i are distinct, there is one and only one interpolation polynomial q(x) of degree k − 1 that satisfies: Without loss of generality, we can assume that the confidential data D are a number. To divide D into n shares, denoted as D i , i = 1, 2, · · · , n, a random polynomial q(x) of degree k − 1 is selected as: where a 0 = D. For i = 1, 2, · · · , n, the corresponding piece D i is computed as D i = q(i).
Using the Lagrange interpolation technique, the coefficient of f can be computed when given any subset of k shares from D i . The secret data D can be obtained by calculating D = q(0). Note that if we have fewer than k shares, D cannot be reconstructed. Specifically, having only k − 1 or fewer shares does not reveal any information about D.

Bilinear Group
Definition 1. (Bilinear Group). Suppose G 1 , G 2 , and G T are three bilinear groups. There exists a binlinear map e : Let these three groups have the same prime order p. The generators of G 1 and G 2 are g and h, respectively. The map e has the following two properties: Binlinearity and Non-degeneration.
If G 1 = G 2 , it is called symmetric pairing. Otherwise, two different types of asymmetric pairing exist based on the existence of the isomorphism function that from G 2 to G 1 .
Then, we present the computationally intractable problem that is utilized in this paper.

Definition 2.
(Decisional Modified Bilinear Diffie-Hellman Problem (MBDFH). Let g a i , g b j , g c k and e(g 1 , g 2 ) z evaluate whether e(g 1 , g 2 ) ab c = e(g 1 , g 2 ) z , where i, j, k ∈ {1, 2}. Suppose there exists an algorithm that generates the group as G, the distribution D is defined as follows: Suppose A represents a probabilistic polynomial-time (PPT) adversary breaking the MBDH problem.

Adv MBDH
is negligible for the security parameter λ.

Proposed PRBFM
The primary objective of PRBFM is to utilize two techniques. The first technique involves employing Lagrange secret sharing and a chameleon hash, which allow us to create a redactable blockchain having privilege downward compatibility and fuzzy matching while still maintaining privacy. Meanwhile, the second technique involves designing a privacy-preserving matching delegation mechanism, which minimizes user overhead.

Brief Definition
Before illustrating the details of PRBFM, we will first provide a brief definition: Definition 3. PRBFM comprises eight polynomial-time algorithms: Setup, KeyGen, Encrypt, Verify, TrGen, Match, Read, and Edit.
• Setup (λ → (mpk, msk)). The algorithm yields the master secret key msk and master public key mpk when given a security parameter λ. For simplicity, mpk is implicitly assumed to be taken as input by all other algorithms. • KeyGen ((msk, σ) → sk). The algorithm takes σ and msk as inputs and produces the user's secret key sk. • Encrypt ((m, x, P r , P e ) → (C, H)). The algorithm takes message m ∈ M, Chameleon hash trapdoor x, readability policy P r , and editability policy P e (P r ⊂ P e ) as inputs and outputs ciphertext C along with the corresponding hash value H = (h, r h ). • Read ((C 1 , sk) → m| ⊥). Given the ciphertext C 1 and the secret key sk as inputs, the algorithm retrieves the message m only if σ ⊂ P r . Otherwise, the algorithm returns an error symbol ⊥. • Edit ((C 2 , sk, m , P r , P e ) → (C , H )). Given the ciphertext C 2 , secret key sk, and new message m along with their respective policies (P r , P e ), the algorithm generates a new ciphertext C and hash value H = (h, r h ). Importantly, the editability feature preserves the correspondence of on-chain hashes and off-chain data.

Detailed Construction
We now describe the detail of PRBFM. Setup λ → (mpk, msk): Based on the decentralized key generation protocol, multiple privilege nodes cooperate to generate the system parameters. • Generate the description of bilinear map Γ = (p, g, G, G T , e), where e : G × G → G T . Subsequently, assume the attribute universe as U and the size of U as n. Set the threshold of policy matching as d. Next, generate n random values {r i } n . Then, compute {R i = g r i } n . Next, select a random value α ∈ Z p and a hash function Generate the master secret key msk = ({r i } n , α) and the master public key KeyGen (msk, σ) → sk: A user selects a privilege node for registration, and the privilege node combines the user's attribute set to generate the secret key.
Then, return sk to the user. Encrypt (m, x, P r , P e ) → (C, H): based on readability and editability policies, a user generates the ciphertext and hash value.

•
Select two random values d 1 ∈ Z p and d 2 ∈ Z p . Generate the readability policy P r .
Select two random values d 3 ∈ Z p and d 4 ∈ Z p , and the chameleon secret key x. Generate the editability policy P e . Subsequently, compute Send the pair (C, H) to computation nodes and the chameleon hash h to the blockchain. Next, computation nodes upload the pairs to storage nodes. TrGen sk → T: a user leverages the secret key to generate a trapdoor and sends it to computation nodes.
• Select a random value t ∈ Z p and compute T 1 = g t . Then, utilize sk to compute Generate the trapdoor T = (T 1 , {T 2,i } σ i ) and send T to computation nodes. Match (C, T) → d m : computation nodes utilize the ciphertext and trapdoor to perform policy verification without compromising user privacy.

•
Obtain ciphertexts from the storage nodes. Based on the threshold d, respectively select d values from {C 2,i } P r i and {T 2,i } σ i to conduct a set P r,j . Then, for each P r,j , check the equation Π If the equation does not hold for all P r,j , computation nodes output d m = 0. Otherwise, record the set P r,j and computation nodes output d m = 1. In addition, it means that the user is an authorized reader of this message. • If d m equals to 1, computation nodes further select d values from {C 5,i } P e i and {T 2,i } σ i to conduct a set P e,j . Then, for each P e,j , check the equation Π If this equation holds, computation nodes output d m = 2, and it means that the user is an authorized modifier for this message. Then, record the set P e,j .
to the user. Read (C 1 , sk) → m: receiving the data from the computation nodes, the user utilizes his/her secret key to recover the message.
. Edit (C 2 , sk, m , P r , P e ) → (C , H ): based on the secret key, the user read and edit the message.

•
Perform the Read algorithm to recover the message m.
. If the user attempts to edit the message, generate a new message m . Subsequently, generate new readability policy P r and editability policy P e and compute the cipher-

Correctness Analysis
Theorem 1. In PRBFM, if and only if an attribute set σ of the user satisfies the policy of the data owner for readers, i.e., P r ⊂ σ, the d m = 1 and the user is an authorized reader.
Proof. From the Encrypt step, the data owner generates the ciphertext . Then, we concentrate on the correctness in the Match and the Read step. In the Match step, after receiving the trapdoor T = (T 1 , {T 2,i } σ i ), the computation nodes first respectively select d values from {C 2,i } P r i and {T 2,i } σ i to conduct a set P r,j according to the threshold d. Then, for each P r,j , the computation nodes compute Therefore, in the Match step, the correctness of PRBFM holds. In the Read step, a user gets C 1 = (P r,j , {C 1,i } P r i , C m ), and H from the computation nodes. Next, based on his/her secret key sk, the user computes On the basis of the Lagrange interpolation theorem, if and only if the policy P r satisfies P r ⊂ σ, the message m can be recovered and Equations (5) and (6) hold. Therefore, Theorem 1 is proven.

Theorem 2.
In PRBFM, if and only if an attribute set σ of the user satisfies the policy of the data owner for modifiers, i.e., P e ⊂ σ, the d m = 2 and the user is an authorized modifier.
Proof. Similar to Theorem 1, we first prove the correctness of evaluating whether a given user is an authorized modifier in the Match step. Concretely, the computation nodes first select d values from {C 5,i } P e i and {T 2,i } σ i to conduct a set P e,j . Then, for each P e,j , the computation nodes compute = e(C 6 , T 1 ).
Then, in the Edit step, if and only if P e ⊂ σ, the user can recover the chameleon secret key x as follows: where E = Π P e,j i=1 e(C 4,i , sk i ) and R = Π P r,j i=1 e(C 1,i , sk i ). Next, based on the x recovered according to Equation (8), the user computes r h = C m −C m x +r h . Notably, if and only if r h is calculated as mentioned above, the following equation holds: Otherwise, the x is not valid, and the modification is recognized as illegal. Therefore, Theorem 2 is proven.

Security Analysis
The security properties of PRBFM are formally defined based on its construction. These include privacy security, which encompasses data privacy, policy privacy, and attribute privacy, as well as user collusion resistance and collision resistance. The security model follows the oracle model and is indistinguishable under a chosen-ciphertext attack (IND-CCA). The experiment involves a PPT adversary A and a challenger C and is depicted in detail in Figure 4.

Setup:
The challenger C runs the Setup step to generate the master secret key msk = ({r i } n , α) and master public key mpk = ({R i } n , g α , H, Γ). Next, the challenger C publishes mpk to the adversary A. Phase 1: The challenger C permits adversary A to request the secret keys. In particular, the adversary A sends the attributes σ to C. The challenger C randomly generates a (d − 1)-degree polynomial q(x) and obtains the secret key Otherwise, m 1 is encrypted, and (C 1 , H 1 ) is sent to A. Notably, the secret key of the target user is not able to be requested in Phase 1. Phase 2: The challenger C performs similarly as it did in Phase 1, but A is able to request the secret key of the target user in Phase 2. Guess: The adversary A will submit a guess b of b, and its advantage to win the experiment can be represented as

Proof.
We here assume that if simulator B has the tuple (A, B, C, Z) = (g a , g b , g c , e(g, g) z ), he will manage to distinguish whether e(g, g) z is equal to e(g, g) ab c in the simulation. The detailed process of the simulation is illustrated as follows: Game 0. Game 0 is the original game, where nothing is different from the original scheme. Game 1. Game 1 differs from Game 0 in the Setup step. For any i ∈ σ: R i = g 1 ζ i ; for i ∈ σ: R i = g 1 ω i . Next, simulator B gives the public parameters to adversary A. From adversary A's view, the received public parameters are indistinguishable from the ones in Game 0. The adversary A will terminate the game and return fail if it can tell the difference with the advantage ε DL . Game 2. Game 2 differs from Game 0 in the KeyGen step. Adversary A requests for the secret key of the user. For any i ∈ σ: sk i = C ζ i q(i)∆ i,σ (0) ; for i ∈ σ: sk i = C ω i q(i)∆ i,σ (0) . Next, simulator B gives the secret key sk to adversary A. The adversary A will terminate the game and return fail if it can tell the difference with the advantage ε DL . For If Z = e(g, g) ab c and α = b c , we then obtain ω i . If Z = e(g, g) Z , because z is randomly selected, Z will be random from the view of the adversary A. The game will be terminated if A can tell the difference between Game 4 and Game 3. Otherwise, B is able to solve the MBDH problem. Concretely, if Z = e(g, g) z , Pr[b = b|Z = e(g, g) z ] = Pr[b = b|Z = e(g, g) z ] = 1 2 . If Z = e(g, g) ab c , the adversary A has an advantage ε to break the game. Next, the possibility of A's guess b = b is Pr[b = b|Z = e(g, g) ab c ] = 1 2 + ε . Therefore, the overall advantage of the simulator B for breaking the MBDH game is Adv MBDH The adversary A and the simulator B play the game as mentioned before, except σ = σ * . If adversary A can tell the difference between Game 4 and Game 5, simulator B has the advantage ε DL to break the discrete logarithm (DL) problem. Therefore, we obtain Adv A [b = b] = 2ε DL + H + 1 2 ε as the advantage for the adversary A to win the game. Because the MBDH problem is hard, the components in Adv A [b = b] are all negligible. Hence, the Adv A [b = b] is also negligible. Next, (C * 0 , H * 0 ) and (C * 1 , H * 1 ) are indistinguishable from the view of the adversary A. Hence, the PRBFM scheme is able to defend against the chosen-ciphertext attack, and Theorem 3 is proven. Proof. Obviously, the security of PRBFM includes data privacy. When it comes to attribute privacy, because the communication channel is secure, the user's attribute set σ can be pre-vented from being exposed to other entities except for selected privilege nodes during the KeyGen step. Next, in the Match step, the attribute privacy means the indistinguishability of T 0 = (T 0,1 , {T 0,2,i } σ 0 i ) and T 1 = (T 1,1 , {T 1,2,i } σ 1 i ). In particular, the simulator B first selects a random value α ∈ Z p . Then, it computes T b = (T b,0 = g α , {T b,1,i = g sk α i } σ b ) and sends T b to adversary A. Next, the adversary A has a negligible advantage ε to guess whether b = b as follows: Adv Attr−Pri Hence, adversary A is not able to violate the attribute privacy during the Match step. For other steps such as Setup, Encrypt, Verify, Read, and Edit, the adversary A is not able to get information related to the secret key sk. Therefore, attribute privacy in PRBFM is guaranteed.
For policy privacy, adversary A can violate it in two ways. The first is obtaining policies (P r , P e ) from the ciphertext C generated by the data owner. If the adversary A is able to obtain (P r , P e ) from C, similar to Theorem 3, simulator B has the ability to perform a PPT algorithm to break the MBDH problem. However, it is evident that the MBDH problem is hard. Thus, adversary A is not able to violate the policy privacy from the ciphertext C.

Theorem 5.
If the correctness of the Lagrange interpolation theorem-based secret sharing scheme [32] holds and Theorem 3 is proven, PRBFM can defend against the user collusion attack.
Proof. Here, we assume that the user may colludes with other users, but there is no collusion with the blockchain nodes. In the KeyGen step, the privilege node randomly generates a Lagrange polynomial q(x). Then, it calculates q(i) and the Lagrange param- In PRBFM, only the privilege nodes can obtain {q(i)} σ i and {∆ i,σ } σ i . Suppose an unauthorized user with q (1)∆ 1,σ (0) collude with d − 1 unauthorized users who have {q (i)∆ i,σ (0)} d i=1 , and their aim is to violate the readability governance in PRBFM. According to Equation (6), m = C m ⊕H[Π P r,j i=1 e(C 1,i , sk i )]. Next, the unauthorized user computes On the basis of the correctness of the Lagrange interpolation theorem-based secret sharing scheme, we can indicate that ∑ is not equivalent to the secret value α. Hence, the user cannot violate the readability governance. The user collusion resistance of the editability governance can also be proved in a similar way as the proof of the readability analyzed above. Theorem 6. If the chameleon hash [16] satisfies the collision resistance, PRBFM can defend against hash collision in the random oracle model.

Proof.
In PRBFM, the Lagrange interpolation theorem is utilized to enhance the chameleon hash-based redactable blockchain with PRBFM and bilateral access control. Thus, the collision resistance problem of PRBFM is equivalent to the collision resistance of the chameleon hash. Hence, Theorem 6 is proven.

Complexity Analysis
In Table 1, we present the comparison among some recently proposed schemes and PRBFM from the aspects of computational complexity and space complexity, where l is the size of the identity space in Xu et al.'s [21] scheme.  The space complexity of PRBFM's system parameter is fixed because of the utilization of collision-resistant hash functions, making it comparable with other schemes. The space complexity of the Encrypt, Read, and Edit processes are also influenced by the policy size and number of attributes, respectively. Additionally, since they are determined by the size of the policy and the number of attributes, the space complexity of the ciphertext and the trapdoor is comparable to others.

Application Discussion
This part explores the potential applications of PRBFM in real-world scenarios. As previously demonstrated, PRBFM successfully addresses limitations in terms of security and functionality. Consequently, PRBFM can be applied in diverse and intricate real-world scenarios while ensuring data privacy preservation.

•
Smart Medical: Drug testing in the smart medical scenario, based on mobile crowdsourcing, can utilize various sensors. Typically, access to these medical data is limited to patients with specific symptoms. However, attaining a 100% match using patients' physiological data is not feasible, considering the variability of these numerical values. Furthermore, since these physiological data belong to the patients themselves, it is crucial to protect their privacy. Consequently, based on its characters, PRBFM can be applied in this scenario to overcome these challenges. • Smart Transportation: Some companies may employ vehicles equipped with sensors to collect and update transportation data for the purpose of offering predictive services. However, to alleviate the server load, only vehicles in specific conditions (e.g., traffic jams) would be granted access to these prediction data, as using the strict match rule to judge the satisfaction of the conditions is unrealistic. Thus, in this scenario, there is a significant need for fuzzy matching with data privacy preservation, making it conducive to adopting PRBFM. We have implemented a prototype system to evaluate the experimental performance of PRBFM. The system programming was carried out in Java, utilizing the Java Pairing-Based Cryptography (JPBC) library. Then, the Type A curve with 80-bit security was selected as the symmetric pairing (Type-I). For the blockchain system, we opted for the FISCO blockchain because of its reliability. To test our schemes, we employed five cloud servers with eight CPUs and 32 GB RAM as blockchain nodes. Of these nodes, two were chosen to be the privilege nodes. To simulate users and data owners, volunteers utilized PCs with 16 GB RAM to communicate with the blockchain nodes. We assumed each user would select a maximum of 100 attributes (i.e., affiliation, occupation, and gender) without loss of generality. Each experiment was conducted ten times, and the average cost was recorded as the final result.

Dataset
To show the efficacy of our proposed schemes, we deployed the MHN dataset, which holds millions of published news headlines sourced from the Australian Broadcasting Corporation. In the course of the experiments, the data owner chooses a headline randomly and uploads it to the blockchain nodes.

Baselines for Comparison
We conducted an assessment of the effectiveness of our proposed PRBFM model by comparing it with other recent fine-grained redactable blockchain schemes, including Derler et al.'s scheme [6], Ma et al.'s scheme [7], and Xu et al.'s scheme [21].

Metrics
To more fully evaluate the performance of PRBFM, we will measure it by four types of metrics:

•
The running time for key generation; • Time consumption on the data owner side; • Time consumption on the user side; • Consumption on the blockchain node side.

Experimental Results
First, we measure the performance of the KeyGen step on the privilege node regarding computational costs. We varied the number of attributes from 10 to 100, and the results are displayed in Figure 5 To measure the time consumption on the data owner side, we set the policy range from 10 to 100, as shown in Figure 6 We then evaluate the time consumption of the trapdoor generation in terms of the user and blockchain nodes. More specifically, we randomly select multiple policy sets with varying data sizes. We denote the total number of policy sets as A p . Initially, the user is required to obtain the trapdoor related to their attributes, with the number of requests ranging from 10 to 50. Figure 7b indicates that when a user sends 50 data requests to PCBR with A p = 5, the time consumption is 26 s, which is considered practical for real-world scenarios.
During the Match stage, we experimented with varying the size of the policy between 10 and 100. To illustrate the results of the experiment for the readability and editability policy match, Figure 8a,b, respectively, display the outcomes. We observed that as the size of the policy increased, the time taken to complete the process increased as well for both readability and editability policy match. Moreover, both matching processes took less than 2 s, indicating the viability of PRBFM. Notably, implementing some cryptographic techniques, such as those presented in [33,34], may improve the efficiency of our proposed strategies. Due to space constraints, we reserve the investigation of streamlining our techniques for future research. 6L]HRISROLF\ 5XQQLQJWLPHPV 'HUOHUVVFKHPH 0DVVFKHPH ;XVVFKHPH 35%)0 Next, we evaluate the time consumption for the Read step in terms of authorized readers. In Figure 7c, the number of requesters ranges from 10 to 50, while the value of A p is set at 1 and 5. Since in the PRBFM scheme, the set Pr, j is utilized by authorized readers to recover the message with linear complexity while delegating the policy-matching process to the blockchain nodes, the time consumption for message reading is relatively low. As illustrated in Figure 7c, even with five separate policy sets (Ap = 5) and 50 requests, an authorized reader can read messages within 0.8 s.
In  Figure 7d, PRBFM is more effective than the other schemes when it comes to message editing. This outcome is due to the better performance of PRBFM in the two significant operations (i.e., chameleon secret key recovery and the Encrypt step) of the Edit step.
Finally, we evaluated the proposed schemes' performance in terms of costs (i.e., gas) on the FISCO blockchain. We varied the policy size from 10 to 100, and the experimental results are exhibited in Figure 8c

Related Works
In this section, we introduce the existing studies of the redactable blockchain. Ateniese et al. [16] proposed the idea of a redactable blockchain. Their scheme uses a permissioned blockchain that needs a central authority to grant rewriting privileges to a designated party, referred to as the "modifier." The designated modifier could coordinate and delete specific content from the blockchain by utilizing a large-scale MPC protocol. This protocol enables block-level rewriting with coarse-grained control, achieved through the use of public key infrastructure (PKI), and an enhanced collision-resistant chameleon hash [31]. The enhanced collision-resistant chameleon hash facilitates modification of the hash link between block headers, while the PKI ensures the sealing of the chameleon hash trapdoor.
Derler et al. [6] introduced a permissioned redactable blockchain that allows for flexible rewriting of privileges through transaction-level rewriting controlled at a finegrained level. Unlike the research conducted in [16], the authors of [6] employed chameleon hash to hash the transactions during the computation of the Merkle root. To formalize their solution, they presented a new concept called policy-based chameleon hash (PCH), which is derived from chameleon hashes with ephemeral trapdoors (CHET) [35] and attribute-based encryption (ABE) [36].
Deuber et al. [37] presented a permissionless block-level redactable blockchain that eliminates the requirement for a trusted central authority through the use of consensusbased voting. In their approach, the block header is modified to include two hash links. If a proposal for modification garners enough votes, it is approved by breaking one of the links while leaving the other intact. However, this scheme has the drawback of providing weak accountability, as the identity of the modifier can be traced from the proposed pool. Furthermore, this redactable blockchain inherits the vulnerability of consensus-based voting algorithms, rendering it susceptible to bribing and selfish mining attacks.
Regarding the revocability of the redactable blockchain, Panwar et al. [38] introduced a permissioned redactable blockchain that incorporates dynamic group signature schemes (DGSS) and revocable FAME (RFAME) to achieve traceability and revocability. Traceability ensures the life cycle of all transactions is honestly recorded in the blockchain for assisting in tracking history transactions, while revocability can be used to revoke the editing authority of malicious modifiers. However, traceability offers limited accountability, as accountability is to identify who made a particular transaction or redaction, which is more complicated than traceability. Moreover, the secure assignment of the updated secret key is crucial. To address this challenge, Xu et al. [8] introduced the concept of revocable policy-based chameleon hash (RPCH) and implemented it to facilitate efficient privilege revocation. The cost of implementing revocability in RPCH is almost insignificant compared to FAME [36].
To address the requirement for accountability in a redactable blockchain, Tian et al. [18] were the first to explore accountability using a policy-based chameleon hash (PCH). However, their solution only supports weak accountability. Specifically, it could only link the modified transaction while lacking the ability to identify potential key leakage. To address these issues, Xu et al. [21] presented a novel design of PCH called black-box accountability (PCHA) and introduced a practical attribute-based traitor tracing (ABTT) scheme with adaptive security.
For rewriting authorization in a decentralized environment, Zhang et al. [17] presented a multi-authority policy-based chameleon hash (MPCH), and Ma et al. [7] introduced a decentralized policy-based chameleon hash (DPCH). Both MPCH and DPCH employ CHET for data rewriting management and utilize multi-authority attribute-based encryption (MA-ABE) to handle rewriting privileges. However, their schemes do not support dynamic nodes, as the departure of participants would result in a single point of failure. Therefore, Zhang et al. [22] propose a novel dynamic and decentralized attribute-based chameleon hash (DACH) to enable the blockchain history's mutability. By leveraging DACH, their scheme achieves a decentralized, secure, and dynamically redactable blockchain (SDRchain).
Xu et al. [39] introduced a novel redactable blockchain named k-time modifiable and epoch-based redactable blockchain (KERB), which draws inspiration from the doubleauthentication preventing signature (DAPS) to regulate rewriting privileges. However, due to the restrictions on the number of k-times and epochs, it is necessary to combine customized k-times and epochs, which has yet to be accomplished. To tackle this challenge, Liu et al. [24] selected times and epochs as the controlling factors, restricting users from invoking the credential show method based on customized times within each epoch established by the certificate authority. In their approach, users can redact their credentials to achieve selective disclosure.
Shen et al. [23] propose a verifiable and redactable blockchain that allows for full editing operations, thus supporting verifiability. Their scheme successfully combines the complete editability of block objects and the verifiability of the blockchain state with reasonable additional costs. Specifically, the authors have built a redactable blockchain using a double trapdoor chameleon hash family, which allows for computationally efficient block editing while maintaining resistance against key exposure. However, these presented schemes ignore the privacy of sensitive data and do not support error tolerance during policy matching. Thus, the PRBFM scheme proposed in this paper is designed for finegrained redactable blockchain with policy fuzzy matching in a privacy-preserving manner.

Conclusions
In this paper, we proposed a novel privacy-preserving fine-grained redactable blockchain with fuzzy policy matching for mobile crowdsensing scenarios. Firstly, we presented the PRBFM scheme utilizing Lagrange secret sharing and chameleon hash. Then, we combined the policy paradigm in PRBFM to further design a privacy-preserving policy matching delegation mechanism to protect policy privacy and reduce user overhead. Additionally, we formally analyzed the security of our scheme under IND-CCA, and also provided a detailed complexity analysis in terms of computational and special. Finally, we implemented and measured our scheme on the FISCO blockchain and demonstrated that our scheme outperforms existing works. For future work, we intend to further reduce user overhead with the use of bilateral access control and provide more fine-grained permission management (e.g., usability, readability, and editability).

Conflicts of Interest:
The authors declare no conflict of interest.