Chameleon Hashes in Post-Quantum Cryptography
- Chameleon hashes are trapdoor hash functions that allow controlled collision generation by a secret holder, enabling authorized malleability in cryptographic protocols.
- The McEliece-based construction uses binary Goppa codes and a random oracle (SHA-3) to achieve perfect transparency and robust post-quantum security.
- Integration into sanitizable signature schemes ensures controlled message modifications while maintaining immutability and resistance to adversarial attacks.
A chameleon hash function is a trapdoor hash primitive permitting collision generation by holders of a secret trapdoor, thereby supporting cryptographic protocols that require controlled malleability. McEliece-based chameleon hashes, constructed from the code-based McEliece cryptosystem, offer post-quantum security and enable advanced functionalities such as sanitizable signatures with rigorous transparency guarantees. These constructions are based on the hardness of syndrome decoding for random Goppa codes in the random oracle model and achieve perfect transparency by imposing precise weight constraints on the hash randomizer inputs (Ahmad et al., 24 Feb 2026).
1. McEliece-Based Chameleon Hash Construction
The McEliece-based chameleon hash follows a code-based paradigm where the trapdoor is derived from the structure of a binary Goppa code. Key generation (), hash evaluation (), and trapdoor collision-finding () are defined as follows:
- Key Generation ():
- Select a binary Goppa code with secret parity-check matrix .
- Generate an invertible matrix and permutation , and compute public key .
- Public key: ; Secret key: 0 Goppa code data.
- Hash Function (1):
- Let 2 be a random oracle instantiated as SHA-3 in counter mode.
- For message 3 and randomizer 4 with 5:
6
Trapdoor Collision-Finding (7):
- Given 8, a target 9, and the secret key, compute 0 such that 1 and 2.
- Using Patterson decoding on the secret Goppa code, the sanitizer computes the appropriate low-weight randomizer 3.
Key parameters adopt NIST Category-1 (Classic-McEliece) values: 4, satisfying quantum-resistant security levels (Ahmad et al., 24 Feb 2026).
2. Parameter Settings and Role of the Random Oracle
- Parameterization:
- Goppa code settings: 5, 6, 7.
- Randomizer 8 is sampled either uniformly from all 9 with 0 for perfect transparency, or from 1, introducing minimal statistical bias.
- Random Oracle Necessity:
- Instantiating 2 as a robust random oracle (SHA-3 in counter mode) prevents trivial linear collisions, as computing a preimage for 3 with a given syndrome is computationally infeasible.
- The random oracle model is essential for both collision resistance and hiding properties of the chameleon hash due to the structure of code-based hash evaluation.
3. Security Properties and Definitions
Security definitions formalize collision resistance, existential unforgeability (EUF), immutability, and transparency:
- Collision Resistance (CR):
- No PPT adversary without the trapdoor 4 can find distinct 5 such that 6 outside negligible probability.
- Existential Unforgeability (EUF) & Immutability:
- In the sanitizable signature context, built with two independent chameleon hashes, the scheme enforces that no adversary can forge a new valid signature (EUF), and unauthorized modification of immutable message blocks is impossible without forging a hash collision against the "non-sanitizable" hash.
- Transparency:
- Perfect transparency is achieved when sanitized and freshly signed signatures are statistically indistinguishable; this occurs if randomizers are sampled exactly at weight 7 (8), where 9 is the statistical distance between randomizer distributions.
4. Security Proof Techniques
- Syndrome Decoding Reduction:
- The security of collision resistance is reduced to the syndrome decoding (SD) problem for Goppa codes in the random oracle model: given any adversary finding collisions with probability 0, a reduction solves SD with advantage 1, 2 being oracle queries.
- Collision on the hash yields 3 of weight at most 4, satisfying 5 for appropriate syndrome 6.
- Immutability and EUF:
- Attacks against the scheme devolve to forging outer signatures or solving SD on the underlying non-sanitizable chameleon hash public key.
- Transparency Hybrid Arguments:
- Statistical indistinguishability arguments (as formalized through the statistical distance 7) yield a transparency bound scaling as 8, where 9 is the number of message blocks, and 0 is the outer signature EUF advantage.
5. Performance and Efficiency
Performance characterizations are derived for secure category parameters (1):
- Key and Signature Sizes:
- Public key size: Two matrices, each 2, total 3 KB.
- Signature size for 4 message blocks: Dilithium2 outer signature (2.4 KB) plus 5 randomizers (6 bytes), totaling 7 KB for 8.
- Computation:
- Hash computation: one matrix–vector product over 9 (cost 0 bit–ops).
- Collision generation (Patterson decoding): 1 bit–ops, 2 ms per block in practice.
| Scheme | Post-Quantum | Transparency | Public Key Size | Signature Size (10 blocks) |
|---|---|---|---|---|
| RSA-based | No | perfect | ~8 KB | ~0.3 KB |
| Lattice-based (2025) | Yes | weak (3) | ~850 KB | 5–6 KB |
| McEliece-based (Ahmad et al., 24 Feb 2026) | Yes | perfect (4) | ~655 KB | ~7 KB |
This code-based construction yields a smaller public key than lattice-based alternatives and uniquely attains perfect transparency, relying on the 45-year-old syndrome decoding hardness assumption.
6. Integration in Sanitizable Signature Schemes
The McEliece-based chameleon hash enables the first transparent, code-based, post-quantum sanitizable signature scheme:
- The sanitizer holds the trapdoor (Goppa code secret), allowing controlled message block modifications via trapdoor collisions, with all other blocks immutably bound.
- Transparency is enforced by requiring signers to sample randomizers exactly from Hamming weight 5, thus ensuring sanitized signatures cannot be distinguished from genuinely signed ones.
- Immutability guarantees are tightly linked to the collision resistance of the non-sanitizable chameleon hash, rendering unauthorized message manipulation cryptographically infeasible.
A plausible implication is significant potential for long-term secure applications where both malleability (for authorized content management) and provable post-quantum security are critical (Ahmad et al., 24 Feb 2026).