## 1 INTRODUCTION

A chameleon hash function is a trapdoor collision-resistant hash function. That is, the chameleon hash function is resistant to the computation of collisions without knowledge of the associated trapdoor. However, collisions are efficiently computable with knowledge of the trapdoor.

When a chameleon hash function is used in hash-and-sign construction of a signature scheme, it provides many interesting features of the signature scheme. In the chameleon signature schemes, the trapdoor collision resistance of a chameleon hash function makes the chameleon signatures to provide nontransferability of the signatures [1]. In the sanitizable signature schemes, the trapdoor collision resistance of a chameleon hash function allows the sanitizer to replace some portion of the signed document with other appropriate messages, without any interaction with the signer of the document [2]. One can strengthen the security of weakly secure signature scheme by using a chameleon hash scheme [3, 4].

Ateniese *et al*. considered the situation where hash collisions disclose the trapdoor of the underlying chameleon hash. They called this situation as the key exposure problem of the chameleon hash schemes and showed that it threats the transferability of the chameleon signatures in [5]. If the underlying chameleon hash scheme has the key exposure problem, any forged chameleon signature discloses the trapdoor of the chameleon hash as long as the underlying signature scheme is secure. Because any incidence of forgery would be serious to the receiver, one could believe that the receiver never forges. Therefore, one could approve the signature claims made by the receiver, and this threatens the nontransferability of chameleon signatures. Hence, a chameleon hash function should be key exposure free to be employed in chameleon signatures.

As a solution of the key exposure problem of chameleon hash schemes, a method of separating the long-term trapdoor and ephemeral trapdoors was proposed in [5]. The ephemeral trapdoor is associated to a label , which is transaction dependent, and it includes a nonce and an information on the receiver. What is exposed by a hash collision is not the long-term trapdoor but the ephemeral trapdoor associated with . One of the main issues of this approach is how to compose the label .

In [5], Ateniese *et al*. first introduced the idea of identity (ID)-based chameleon hashing to solve the key exposure problem. The ephemeral label is a customized ID of the receiver, and only the trusted authority will provide the trapdoor information associated with the to the receiver as in any ID-based system. Therefore, the receiver must communicate with the trusted authority to obtain the trapdoor information associated with . Their scheme offers only a partial solution to the key exposure problem. In [6], Chen *et al*. provided the first full construction of a key exposure free chameleon hash function, working in the setting of gap groups with bilinear pairings. In [7], Ateniese *et al*. proposed key exposure free chameleon hash functions based on the strong RSA problem, RSA[*n*, *n*], and the strong Diffie–Hellman assumption on a gap-decisional Diffie–Hellman (DDH) group. In the schemes of [6, 7], the ephemeral label is chosen by the signer.

In [8], Gao *et al*. presented the first key exposure free chameleon hash function based on discrete logarithm problem (DLP). As claimed in [8], their chameleon hash function has all advantages of the previous schemes to be employed for chameleon signatures except the interaction between the signer and the verifier for every transaction. In their scheme, each ephemeral label contains an auxiliary part (*g*^{t}, *ENC*_{K}(*t*)), where *K* is the secret key of the receiver. Therefore, the ephemeral labels in the scheme of Gao *et al*. can be managed solely by the receiver, and an interaction with the receiver is inevitable.

In this paper, we introduce a notion of key exposure threshold that can be considered as an extended notion of key exposure freeness. Informally speaking, in the chameleon hash with key exposure threshold *τ*, the long-term trapdoor can be disclosed only after exposing *τ* or more ephemeral trapdoors. The key exposure free chameleon hash scheme can be considered as a chameleon hash with key exposure threshold *τ* = *∞*. We also construct chameleon hash schemes *CH*_{τ} with the key exposure threshold *τ* based on DLP. In our schemes, the ephemeral labels are ElGamal encryption with the receiver's public key, and anyone can compute the ephemeral labels. The scheme *CH*_{τ} does not require any interaction with the receiver for *τ* < *∞*. For *τ* = *∞*, the ephemeral labels can be managed by a trusted party, and the interaction between the signer and verifier can be relaxed to an interaction with the trusted third party in *CH*_{∞}. We believe this is a proper assumption in real-world business scenario such as auction systems because there is an authorized judge who should be able to determine the validity of the signature in the event of legal disputes between the signer and the receiver.

The rest of the paper is organized as follows. In Section 2, we review the definitions and requirements of chameleon hash scheme and propose a new notion of chameleon hash with key exposure threshold. In Section 3, we propose a new chameleon hash scheme *CH*_{τ} with key exposure threshold *τ* and a key exposure free chameleon hash scheme *CH*_{∞} based on Schnorr signature and ElGamal encryption with their security analysis. In Section 5, we conclude our paper.