Full text

1. Introduction

Since its introduction in 2008, blockchain technology, as a disruptive innovation, has demonstrated immense potential in the field of decentralized data management [1,2]. Blockchain organizes data in a unique “chain-like” structure by segmenting it into blocks and connecting them sequentially [3]. Each block not only records current transaction information but also contains the hash value of the preceding block, ensuring data integrity and tamper resistance [4]. In a decentralized network, all nodes collectively maintain the ledger and rely on consensus algorithms (such as Practical Byzantine Fault Tolerance (PBFT) and Proof of Work (PoW)) to verify and record transactions [5]. This trustless mechanism significantly reduces transaction costs while enhancing system efficiency and security.

With its characteristics of decentralization, immutability, and high transparency, blockchain has become a crucial tool for driving digital transformation [6]. In Blockchain 3.0, the application of alliance chain is continuously expanding. It addresses numerous challenges associated with trust and security in traditional centralized systems and has been widely applied in fields such as fintech, supply chain management, healthcare, elderly care, energy trading, intellectual property protection, and food traceability [7,8,9,10]. By leveraging distributed ledgers and consensus mechanisms, alliance chain ensures data integrity and reliability without the need for third-party intermediaries.

However, as alliance chain evolves rapidly and its application scenarios grow more complex, its core feature of immutability has revealed a series of limitations in practical use, particularly in areas such as data regulation, privacy protection, and dynamic data management.

Firstly, in terms of data regulation, the openness of alliance chain allows users to freely upload data. While this promotes information sharing and transparency, it also introduces potential risks of unverified data. False, malicious, or erroneous data may enter the alliance chain and spread across the network, posing significant threats to public safety or the normal functioning of systems [11]. For instance, in the context of the Internet of Vehicles, inaccurate traffic data could directly endanger driving safety or lead to traffic accidents. Therefore, how to implement the review and removal of inappropriate data on the alliance chain has become a core issue in data management.

Secondly, data privacy protection has emerged as an unavoidable challenge in alliance chain applications. Although alliance chain safeguards the security of data transmission and storage through encryption technologies, its immutability makes it impossible to delete sensitive information stored on the chain, potentially leading to privacy breaches or misuse by malicious actors. Within the framework of personal information protection regulations, such as the General Data Protection Regulation (GDPR), alliance chain systems need to support the deletion of records containing private data to comply with regulatory requirements and enhance user trust [12].

Lastly, regarding data updates, traditional alliance chains lack flexible modification mechanisms, making dynamic management extremely difficult. For example, when a user’s identity is preemptively registered by a malicious attacker or when errors exist in on-chain data, the immutability of traditional alliance chains prevents legitimate users from correcting or updating the relevant information [13]. This limitation significantly reduces the adaptability and efficiency of alliance chain in dynamic, real-world application scenarios.

To this end, redactable blockchain has gradually become a focal point in blockchain technology research and application, providing innovative solutions to address the limitations of flexibility and privacy protection. Redactable blockchain retains the decentralized and highly secure nature of alliance chains while introducing functionalities for data modification, deletion, and updating. By leveraging encryption technologies and optimized consensus mechanisms, it ensures the security and transparency of the data redaction process [14,15]. Compared to traditional alliance chain, redactable alliance chain offers the following advantages:

Enhanced Data Governance: By incorporating mechanisms for reviewing and deleting on-chain data, it prevents the spread of false or illegal information, thereby improving the credibility and security of the system.

Redactable alliance chains allow users to modify, delete, or update on-chain data under specific conditions by a flexible redaction mechanism. The implementation of such technology typically relies on advanced cryptographic tools and multi-party consensus mechanisms, such as chameleon hashes and zero-knowledge proofs, to ensure the security, transparency, and auditability of data redaction. This innovation opens new possibilities for the diverse application of alliance chain technology [16,17].

Redactable alliance chains demonstrate broad application prospects across various fields. It can be used in the IoV to dynamically correct traffic data, ensuring driving safety [18]. It can also be applied in food traceability to eliminate harmful or counterfeit information within the supply chain [19]. Additionally, it can be used in healthcare data management to ensure the effective protection of patient privacy while enabling dynamic updates [20]. However, research on redactable alliance chain also faces numerous challenges, such as how to ensure the allocation and management of redaction rights, how to design an efficient redaction consensus mechanism, and how to achieve privacy protection while maintaining data transparency.

Therefore, this paper implements redactable alliance chains using a dual-hash function and ensures accountability of the redaction process through a hash function that can be updated via sub-keys. In addition, a consensus group partitioning method is employed to establish a multi-center alliance chain, with a redaction center responsible for review. This approach not only addresses the limitations of traditional alliance chains, which cannot redact data, but also effectively improves the redaction efficiency of the alliance chain. The main contributions of this paper are as follows:

The K-medoids clustering algorithm is employed to select the redaction center and consensus committees, and a redaction request verification algorithm is developed. The redaction center utilizes this algorithm to review redaction requests, preventing unreasonable block redaction. Subsequently, the consensus committees can simultaneously perform consensus operations to execute block redaction or block consensus, thereby improving consensus efficiency. Moreover, the consensus committees hold key information, preventing the misuse of redaction rights.

2. Related Work

In recent years, redactable blockchain has become an emerging research hotspot. Immutability is regarded as the irreplaceable cornerstone of blockchain technology [21]. However, in practical applications, alliance chain technology has been found to have urgent data redaction needs in areas such as information supervision, privacy protection, data updates, and scalability. To enable the effective redaction of block data, scholars have conducted extensive research. Ateniese et al. [22] proposed the first redactable solution to modify and delete data on the chain. This solution uses the Chameleon hash function, which allows for the determination of valid hash collisions through secret trapdoor information, thereby enabling information redaction. Huang et al. [23] studied a redaction scheme based on time-updatable Chameleon Hash (TUCH) and linkable and redactable ring signature (LRRS) algorithms. This scheme supports anonymous redaction with low modification costs. Pang Jun et al. [24] proposed a redactable blockchain model that reconstructs the underlying structure of the blockchain and adds a temporal-based index to achieve logical blockchain redaction by appending transactions. These schemes, using Chameleon hashes and temporal indexes, achieve effective redaction of block data but overlook the risks of abuse due to the centralization of redaction rights.

To ensure the legality and effectiveness of blockchain redaction, scholars have designed decentralized solutions. Lv Weilang et al. [25] designed a redactable scheme suitable for alliance chain. In this scheme, the trapdoors produced by the Chameleon hash algorithm are managed by multiple nodes, so the solution does not affect the integrity verification of the blockchain and enables multi-party consensus modification of transaction data. Wu et al. [26] addressed the issue of Chameleon Hash functions being vulnerable to quantum attacks by proposing a lattice-based single-trapdoor key-hiding Chameleon Hash function, both with and without lattice trapdoors. In the case without a trapdoor, this solution uses a fully distributed key management mechanism to avoid abuse of redaction rights and implements block redaction using the universal framework of Ateniese et al. [22]. In the case of a trapdoor, the scheme adopts a voting strategy to limit redaction rights. Ma et al. [27] proposed a fine-grained, distributed redactable blockchain. This scheme uses a decentralized policy-based Chameleon Hash (DPCH), where redaction rights are controlled by multiple authoritative agencies, avoiding security issues caused by centralization. Jia et al. [28] proposed an efficient redactable blockchain with traceability in a decentralized environment. This scheme uses a decentralized Chameleon Hash function, requiring that each redaction be approved by multiple blockchain nodes. All block redacts are stored on the block, and the redaction block is encoded into an RSA accumulator [29]. Additionally, the scheme designs a block consistency check protocol based on the RSA accumulator. Li et al. [30] proposed a redactable blockchain model using a non-interactive Chameleon Hash (NITCH), supporting the dynamic distribution of partial trapdoor keys. Users who hold a certain share of the trapdoor keys can obtain valid hash collisions.

To limit malicious user redaction behavior, some scholars have designed accountable or punishable solutions. Tian et al. [31] designed a policy-based Chameleon Hash algorithm with black-box accountability (PCHBA). Black-box accountability allows authoritative agencies to link modified transactions to the responsible party in case of disputes. All users can interact with the black-box and query the modifying party. Jia et al. [32] re-examined the conflict between blockchain immutability and redaction and proposed a fine-grained redactable blockchain with a semi-trusted regulator. This scheme supports content supervision on the blockchain and allows users to manage their own data. Ren Yanli et al. [33] proposed a fair redactable blockchain solution, which allows users to supervise redactors and set corresponding punishment mechanisms for malicious behavior, ensuring the fairness of redaction rights (Table 1).

This paper implements the redaction capability of the alliance chain using dual hash functions, and ensures accountability of the redaction process through a subkey-updatable hash function. Additionally, a consensus group division method is employed to achieve a multi-center redactable alliance chain, with redaction reviews conducted through a redaction center.

3. Redactable Model

3.1. Architecture

This redactable model is composed of user nodes, consensus nodes, the redaction center, and the consensus committee, as shown in Figure 1.

3.2. Model Design

Without loss of generality, we denote sets as uppercase, handwritten, bold letters (e.g., D). The i-th row of W is denoted by Wi, and the element found in the j-th column of i-th row in W is denoted as Wij. To ease reading, we summarize the frequently used notations in Table 2.

3.2.1. Review and Consensus Mechanism

Suppose there be $p$ features for the alliance chain nodes, and let $v_i=\left\{v_{i1},v_{i2},\cdots ,v_{ip}\right\}(i=\left\{\mathrm{1,2},\cdots ,n\right\})$ represent the feature values of the $i$-th node in the $p$ feature. Then, the feature set $V=\left\{v_1,v_2,\cdots ,v_n\right\}$ for the $n$ nodes can be represented as

(1)$V=\left[\begin{array}{c}{v}_1\\ v_2\\ \begin{array}{c}⋮\\ v_n\end{array}\end{array}\right]=\left[\begin{array}{ccc}{v}_{11}& v_{12}& \begin{array}{cc}\cdots & v_{1p}\end{array}\\ v_{21}& v_{22}& \begin{array}{cc}\cdots & v_{2p}\end{array}\\ \begin{array}{c}⋮\\ v_{n1}\end{array}& \begin{array}{c}⋮\\ v_{n2}\end{array}& \begin{array}{cc}\begin{array}{c}\\ \cdots \end{array}& \begin{array}{c}⋮\\ v_{np}\end{array}\end{array}\end{array}\right]$

Compared to other clustering algorithms, K-medoids offers flexibility in handling arbitrary distance metrics, robustness to outliers, interpretability of medoids, and suitability for mixed or complex data types. These characteristics make it an ideal choice when dealing with the diversity and irregular structure of alliance chain data, ensuring that the resulting clusters reflect meaningful and consistent node groupings while minimizing the impact of noise or outliers. Using the K-medoids algorithm to calculate the similarity between alliance chain redaction nodes, the distance function between two nodes, $v_i$ and $v_n$, is represented by Euclidean distance, denoted as

(2)$d\left(v_i,v_n\right)=‖v_i-v_n‖=\sqrt{\sum _{j=1}^p{\left(v_{ij}-v_{nj}\right)}^2}$

The K-medoids algorithm clusters $V$ into $K$ clusters, denoted as $V=\{V_1,V_2,\dots {,V}_k\}$. Within each cluster $V_i$, the similarity among nodes $v_i$ is high, while their similarity to nodes in other clusters is relatively low. The objective function is calculated in Equation

(3)$Min\left(T\left(c\right)\right)=\sum _{i=1}^n\sum _{k=1}^K{u}_{ik}d\left(v_i,c_k\right)$

Using the Euclidean distance to calculate the similarity between the node $v_i$ within a cluster and the center $v_k$ of other clusters, the formula for the objective function is

(4)$D\left(k\right)=\sum _{i=1}^n\sum _{k=1}^{K}d\left(v_i,v_k\right)$

The institution of $Min\left(D\right(K\left)\right)$ is referred to as the central institution. In other words, the central institution consists of a collection of nodes with multiple features.

In the consensus process of the alliance chain, the Redaction Center does not have an independent consensus but needs to participate in the consensus of other k-1 institutions. Therefore, the Redaction Center forms a consensus group with the other institutions, consisting of k-1 participants.

There are honest nodes and malicious nodes in the group, with the malicious nodes disrupting the consensus. Additionally, having too many nodes in the group participating in consensus transactions can also increase the consensus time. Therefore, it is necessary to select honest nodes to participate in the consensus, forming a consensus committee.

Each consensus algorithm of a consensus committee is independent and does not affect others. Therefore, the k-1 group consensus algorithms can proceed simultaneously.

3.2.2. Security Scheme of Double Hash Functions

In alliance blockchains, blocks are typically composed of a block header and a block body. The block body mainly stores transaction information and hash values. The hash functions used in these blocks are collision-resistant. Once the transaction information in a block is altered, the corresponding hash value changes as well, making it difficult to modify the block data. Therefore, this section designs a redactable block structure, as shown in Figure 2.

In the redactable block structure, hash functions are divided into two types: standard hash and subkey-updatable chameleon hash. The subkey-updatable chameleon hash function is an improvement based on the team’s research on the quantum-resistant hash algorithm HIBCH-RS, achieved through the modification of Algorithm 2, Algorithm 3, and Algorithm 8 in the redactable strategy [12]. In the leaf nodes of the block body, there are two methods for generating hash values from transaction information. One method involves transaction information that does not involve block modification, with nodes using the subkey-updatable chameleon hash function for hashing. This is because non-redactable transaction information may be modified by subsequent redaction transactions. In contrast, nodes use the standard hash function for hashing. This is because the information of redaction transactions, as records of block modification, has the characteristic of being immutable. Additionally, in all non-leaf nodes of the block body, the standard hash function is used for hashing.

This block structure allows users with chameleon hash keys to perform redaction operations on block data while ensuring hash consistency of the block. Moreover, the redaction information is stored completely and effectively within the block, ensuring that redaction records are query.

3.2.3. Redactable Strategies

To achieve redaction in blockchain, this paper employs the CHSU instead of the standard hash function. The system first generates a set of public parameters, including public parameters for two foundational chameleon hash functions. Then, the system performs key generation, which includes the system’s master key pair and subkey pairs for individual users. When a blockchain user identifies the need to redact a block, they can initiate a redaction request. Upon receiving the request, the redaction center reviews the legality of the user’s redaction and the rationality of the proposed changes. If the request is approved, the redaction center generates a redaction transaction and sends it to the consensus nodes. The consensus nodes first request the system master key from the consensus committee. They then calculate a hash collision based on the redaction transaction information and update the transaction data in the old block. New verification character combinations and other redaction information are stored as auxiliary data. Finally, the consensus nodes broadcast the redaction results, and other nodes validate these results before performing the corresponding local redaction. The information from the redaction transaction is packaged by the consensus nodes into a newly generated block, serving as a record of the redaction.

Overall, the model’s workflow is divided into four stages: initialization, block generation, block redaction, and key updating, as shown in Figure 3.

Both algorithms are executed only once during the initialization phase. In the output of the system master key pair, the public key ${pk}_{CHSU}$ is publicly accessible to all users. The private key ${sk}_{CHSU}$, however, is held by the consensus committee and can only be accessed by consensus nodes during block operations.

The subkey generation algorithm is executed once for each user during the initialization phase. In the output subkey pair, the public key ${pk}_{uid}$ is publicly accessible to all users. In contrast, the private key ${sk}_{uid}$ is held by the user and is only used as an input during block editing operations.

Whenever a new block is generated in the system, the hash algorithm is executed by consensus nodes. The resulting hash value, verification string, and other related information are publicly accessible.

Note that the key update algorithm does not directly replace the original user key pair with a new one. Instead, the algorithm updates the keys specifically for the hash value $h$, the verification string $r$, and the message $m$. The new private key ${sk}_{uid}^{\prime }$ is held by the system, while the user retains the original private key ${ sk}_{uid}$. Consequently, the user can no longer use ${sk}_{uid}$ to redact the message.

4. Experiments and Discussion

4.1. Safety Analysis

Explaining the security of RBAU through the following properties and proofs.

Definition (Secure RBAU): If RBAU satisfies correctness, key collision resistance, subkey updatability, and master key non-updatability, it is secure.

Property: If the chameleon hash functions ${\mathrm{C}\mathrm{H}}_1$ and ${\mathrm{C}\mathrm{H}}_2$ are secure, then RBAU is also secure.

Explanation: Since RBAU is constructed from two secure chameleon hash functions ${\mathrm{C}\mathrm{H}}_1$ and ${\mathrm{C}\mathrm{H}}_2$, their enhanced collision resistance and correctness ensure the security of the RBAU.

Furthermore, the correctness, original key collision resistance, updated key collision resistance, the subkey updatability, and the non-updatability of the master key of RBAU are demonstrated as follows.

4.1.1. Correctness

The correctness requirement in RBAU is that all hash and checksum string combinations correctly generated by ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}$, ${\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}$, and ${\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}$ must pass the check by ${\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}$. The experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{C}\mathrm{o}\mathrm{r}}\left(\lambda \right)$ defines correctness, and the specific process is shown in Figure 4. Formally, if all adversaries $\mathrm{A}$ believe $\mathrm{P}\mathrm{r}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{C}\mathrm{o}\mathrm{r}}\left(\lambda \right)=1\right]=1$, then RBAU is correct.

In the correctness experiment, variables such as the user’s private key $\mathrm{U}\mathrm{s}\mathrm{k}$, user’s public key $\mathrm{U}\mathrm{p}\mathrm{k}$, message hash ${\mathrm{h}}_{\mathrm{m}}$, and state $\mathrm{S}\mathrm{t}\mathrm{a}\mathrm{t}\mathrm{e}$ can be modified by the oracle ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$ or ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$. The adversary $\mathrm{A}$ can obtain the $\mathrm{S}\mathrm{t}\mathrm{a}\mathrm{t}\mathrm{e}$ modified by ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$. Within polynomial time $\mathrm{p}\mathrm{l}\mathrm{o}\mathrm{y}\left(\lambda \right)$, A can freely make collision queries and update queries by ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$ or ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$, respectively. Once all queries are completed, $\mathrm{A}$ will set the flag signal $\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}\mathrm{a}\mathrm{l}$ to $\mathrm{S}\mathrm{t}\mathrm{o}\mathrm{p}$. Then, ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{C}\mathrm{o}\mathrm{r}}\left(\lambda \right)$ will check the validity of ${\mathrm{h}}_{\mathrm{m}}$. If valid, ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{C}\mathrm{o}\mathrm{r}}\left(\lambda \right)$ outputs 1; otherwise, it outputs 0.

Clearly, the correctness guarantees of the two underlying Chameleon hashes ensure the correctness of RBAU.

4.1.2. Original Key Collision Resistance

The requirement for the original key’s resistance to collision is that, when the user’s key is $\mathrm{U}\mathrm{s}\mathrm{k}$ and the master key is $\mathrm{M}\mathrm{s}\mathrm{k}$, an attacker $\mathrm{A}$ without any key cannot find any collisions. Experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{N}\mathrm{s}\mathrm{k}\mathrm{C}\mathrm{R}}\left(\lambda \right)$ defines the original key’s collision resistance, with the specific process shown in Figure 5. Formally, if all attackers $\mathrm{A}$ believe in $\mathrm{P}\mathrm{r}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{N}\mathrm{s}\mathrm{k}\mathrm{C}\mathrm{R}}\left(\lambda \right)=1\right]\le \mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(\lambda \right)$, then RBAU possess initial key collision resistance, where $\mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(\lambda \right)$ is a negligible probability.

Challenger $\mathrm{A}$ holding the public key of $(\mathrm{U}\mathrm{p}\mathrm{k},\mathrm{M}\mathrm{p}\mathrm{k})$ can query the oracle ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$ for collision queries and request different tuples $(\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right),{\mathrm{m}}^{\prime })$. If $\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)$ is valid under the public key $(\mathrm{U}\mathrm{p}\mathrm{k},\mathrm{M}\mathrm{p}\mathrm{k})$ and state $\mathrm{s}\mathrm{t}$, then $\mathrm{A}$ will obtain a collision for the hash $\mathrm{h}$ corresponding to $\mathrm{U}\mathrm{p}\mathrm{k}$, meaning $\mathrm{A}$ is allowed to generate any hash value ${\mathrm{h}}^{*}$ and ${\mathrm{s}\mathrm{t}}^{*}$. After completing all queries, if $\mathrm{A}$ can produce a valid collision, ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{N}\mathrm{s}\mathrm{k}\mathrm{C}\mathrm{R}}\left(\lambda \right)$ outputs 1.

If $\mathrm{A}$ is an adversary capable of breaking the original key collision resistance of RBAU, then we can construct another adversary $\mathrm{B}$, which can break the enhanced collision resistance of the foundational chameleon hashes ${\mathrm{C}\mathrm{H}}_1$ and ${\mathrm{C}\mathrm{H}}_2$ by $\mathrm{A}$. $\mathrm{B}$ receives the public key $\mathrm{M}\mathrm{p}\mathrm{k}$ from challenger ${\mathrm{C}}_1$ and the sub-public key $\mathrm{U}\mathrm{p}\mathrm{k}$ from challenger ${\mathrm{C}}_2$ as challenge keys, and then sends them to $\mathrm{A}$. $\mathrm{A}$ can select $\left(\mathrm{m},{\mathrm{m}}^{\prime }\right)$ based on $(\mathrm{U}\mathrm{p}\mathrm{k},\mathrm{M}\mathrm{p}\mathrm{k})$ and compute ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}\left(\mathrm{U}\mathrm{p}\mathrm{k},\mathrm{M}\mathrm{p}\mathrm{k},\mathrm{m}\right)\to \left(\mathrm{h},\mathrm{r},\mathrm{s}\mathrm{t}\right)$. Then, $\mathrm{A}$ sends $\left(\mathrm{U}\mathrm{p}\mathrm{k},\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right),{\mathrm{m}}^{\prime }\right)$ to $\mathrm{B}$ to query the oracle ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$.

First, $\mathrm{B}$ calculates ${\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}\left(\mathrm{M}\mathrm{p}\mathrm{k},\mathrm{h},\mathrm{s}\mathrm{t},\left(\mathrm{U}\mathrm{p}\mathrm{k},\mathrm{r},\mathrm{m}\right)\right)$. If the result is 0, the call ends. If the result is 1 and $\mathrm{s}\mathrm{k}$ = $\mathrm{M}\mathrm{s}\mathrm{k}$, $\mathrm{B}$ parses $\mathrm{h}$ = ${\mathrm{h}}_1$ and $\mathrm{r}$ = (${\mathrm{r}}_1,{\mathrm{r}}_2,{\mathrm{h}}_2)$, then calculates ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{{\mathrm{C}\mathrm{H}}_2}\left(\mathrm{U}\mathrm{p}\mathrm{k},{\mathrm{m}}^{\prime }\right)\to ({\mathrm{r}}_2^{\prime },{\mathrm{h}}_2^{\prime })$. $\mathrm{B}$ sends $\left(\left({\mathrm{h}}_1,{\mathrm{r}}_1,{\mathrm{h}}_2\left|\right|\mathrm{U}\mathrm{p}\mathrm{k}\right),{\mathrm{h}}_2^{\prime }\right)$ to ${\mathrm{C}}_1$ to query the collision ${\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}_{{\mathrm{C}\mathrm{H}}_2}\left(\mathrm{M}\mathrm{s}\mathrm{k},\left({\mathrm{h}}_1,{\mathrm{r}}_1,{\mathrm{h}}_2\left|\right|\mathrm{U}\mathrm{p}\mathrm{k}\right),{\mathrm{h}}_2^{\prime }\left|\right|\mathrm{U}\mathrm{p}\mathrm{k}\right)\to {\mathrm{r}}_1^{\prime }$. After validating the query, ${\mathrm{C}}_1$ uses the key $\mathrm{M}\mathrm{s}\mathrm{k}$ to calculate the new collision ${\mathrm{r}}_1^{\prime }$ and returns it to $\mathrm{B}$. Finally, $\mathrm{B}$ sends $({\mathrm{r}}_1^{\prime },{\mathrm{r}}_2^{\prime },{\mathrm{h}}_2^{\prime })$ to $\mathrm{A}$. If the result is 1 and $\mathrm{s}\mathrm{k}$ = $\mathrm{M}\mathrm{s}\mathrm{k}$, $\mathrm{B}$ parses $\mathrm{h}$ = ${\mathrm{h}}_1$ and $\mathrm{r}$ = (${\mathrm{r}}_1,{\mathrm{r}}_2,{\mathrm{h}}_2$), then $\mathrm{B}$ queries ${\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}_{{\mathrm{C}\mathrm{H}}_2}\left(\mathrm{U}\mathrm{s}\mathrm{k},\left({\mathrm{h}}_2,{\mathrm{r}}_2,\mathrm{m}\right),{\mathrm{m}}^{\prime }\right)\to {\mathrm{r}}_1^{\prime \prime }$ from ${\mathrm{C}}_2$, and finally, $\mathrm{B}$ sends $({\mathrm{r}}_1,{\mathrm{r}}_2^{\prime },{\mathrm{h}}_2)$ to $\mathrm{A}$.

$\mathrm{A}$ returns $\left({\mathrm{h}}^{*},\left({\mathrm{m}}^{*},{\mathrm{r}}^{*},{\mathrm{s}\mathrm{t}}^{*}\right),{(\mathrm{m}}^{\prime *}{,\mathrm{r}}^{\prime *})\right)$ to $\mathrm{B}$, then $\mathrm{B}$ analyzes ${\mathrm{r}}^{*}$ = $\left({\mathrm{r}}_1^{*},{\mathrm{r}}_2^{*},{\mathrm{h}}_2^{*}\right)$ and ${\mathrm{r}}^{\prime *}$ = $\left({\mathrm{r}}_1^{\prime *},{\mathrm{r}}_2^{\prime *},{\mathrm{h}}_2^{\prime *}\right)$. If the result can be validated through the verification in Figure 4, and ${\mathrm{h}}_2^{*}$ = ${\mathrm{h}}_2^{\prime *}$, $\mathrm{B}$ can use it to break $\left({\mathrm{h}}^{*},\left({\mathrm{m}}^{*},{\mathrm{r}}_2^{*}\right),{(\mathrm{m}}^{\prime *},{\mathrm{r}}_2^{\prime *})\right)$ and decrypt ${\mathrm{C}}_2$. On the other hand, ${\mathrm{h}}_2^{*}$ ≠ ${\mathrm{h}}_2^{\prime *}$, $\mathrm{B}$ can also use $\left({\mathrm{h}}^{*},\left({\mathrm{h}}_2^{*}\left|\right|{\mathrm{s}\mathrm{t}}^{*},{\mathrm{r}}_1^{*}\right),\left({\mathrm{h}}_2^{\prime *}\right||{\mathrm{s}\mathrm{t}}^{*},{\mathrm{r}}_2^{\prime *})\right)$ to break ${\mathrm{C}}_1$. Therefore, the probability that $\mathrm{A}$ can break the original key’s collision resistance of RBAU is $\mathrm{p}$ = ${\mathrm{p}}_1+{\mathrm{p}}_2$, where ${\mathrm{p}}_1$ is the probability that $\mathrm{B}$ can break the enhanced collision resistance of ${\mathrm{C}\mathrm{H}}_1$, and ${\mathrm{p}}_2$ is the probability that $\mathrm{B}$ can break the enhanced collision resistance of ${\mathrm{C}\mathrm{H}}_2$, both of which can be neglected.

4.1.3. Updated Key Collision Resistance

In RBAU, ${\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}$ can update the subkeys involved in the calculation of $\left(\mathrm{h},\mathrm{r}\right)$ and output the new subkey pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$. The update key collision resistance requires that, when the subpublic key is ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }$, the adversary $\mathrm{A}$ holding the original subkey ${\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}$ cannot find any collisions. Experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{N}\mathrm{s}\mathrm{k}\mathrm{C}\mathrm{R}}\left(\lambda \right)$ defines the update key collision resistance, and the specific process is shown in Figure 6. Formally, if all adversaries A consider $\mathrm{P}\mathrm{r}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{N}\mathrm{s}\mathrm{k}\mathrm{C}\mathrm{R}}\left(\lambda \right)=1\right]\le \mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(\lambda \right)$, then RBAU has updated key collision resistance.

An adversary $\mathrm{A}$ holding the master public key $\mathrm{M}\mathrm{p}\mathrm{k}$ can compute the tuple $\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)$ using a user’s subkey pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$. Then, $\mathrm{A}$ can call the oracle ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$ to obtain a new sub-public key ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }$. Afterward, with the subkey pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$, $\mathrm{A}$ can still call ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$ to compute a valid collision for $\mathrm{h}$. However, the message ${\mathrm{m}}^{\prime *}$ cannot be queried. The experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{C}\mathrm{o}\mathrm{r}}\left(\lambda \right)$ will maintain the hash state value $\mathrm{s}\mathrm{t}$ of $\mathrm{h}$. After some time, if $\mathrm{A}$ can find a valid collision for $\mathrm{h}$ with the new subkey pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$, then ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{C}\mathrm{o}\mathrm{r}}\left(\lambda \right)$ outputs 1.

Opponent $\mathrm{B}$ receives public key $\mathrm{M}\mathrm{p}\mathrm{k}$ and sub-public key ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}$ as challenge keys from challengers ${\mathrm{C}}_1$ and ${\mathrm{C}}_2$, respectively, then sends $\mathrm{M}\mathrm{p}\mathrm{k}$ to $\mathrm{A}$. $\mathrm{A}$ selects $\left(\mathrm{m},{\mathrm{m}}^{\prime }\right)$ based on $\left(\mathrm{M}\mathrm{p}\mathrm{k},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$ and computes ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}\left(\mathrm{M}\mathrm{p}\mathrm{k},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},\mathrm{m}\right)\to \left(\mathrm{h},\mathrm{r},\mathrm{s}\mathrm{t}\right)$. Then $\mathrm{A}$ sends $\left({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right),{\mathrm{m}}^{\prime }\right)$ to $\mathrm{B}$, calling the oracle ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$.

After receiving the tuple $\left({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)\right)$, $\mathrm{B}$ checks its correctness. If correct, $\mathrm{B}$ selects ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }$ as the new sub-public key, parses $\mathrm{h}$ = ${\mathrm{h}}_1$ and $\mathrm{r}$ = (${\mathrm{r}}_1,{\mathrm{r}}_2,{\mathrm{h}}_2)$, and then calculates ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{{\mathrm{C}\mathrm{H}}_2}\left({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },\mathrm{m}\right)\to ({\mathrm{r}}_2^{\prime },{\mathrm{h}}_2^{\prime })$. $\mathrm{B}$ sends $\left.\left(({\mathrm{h}}_1,{\mathrm{r}}_1,{\mathrm{h}}_2||{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right.),{\mathrm{h}}_2^{\prime }||{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$ to challenger ${\mathrm{C}}_1$ to find a collision. Then, $\mathrm{B}$ sets the state of $\mathrm{h}$ to ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }$. After validating the query, challenger ${\mathrm{C}}_1$ finds the collision using $\mathrm{M}\mathrm{s}\mathrm{k}$ and returns ${\mathrm{r}}_1^{\prime }$ to $\mathrm{B}$. Finally, $\mathrm{B}$ sends $\left(\right({\mathrm{r}}_1^{\prime },{\mathrm{r}}_2^{\prime },{\mathrm{h}}_2^{\prime }),{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime })$ to $\mathrm{A}$.

$\mathrm{A}$ can select any ${\mathrm{m}}^{\prime \prime }\in \mathrm{M}$ and query ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$. $\mathrm{B}$ can query ${\mathrm{C}}_2$ to get ${\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}_{{\mathrm{C}\mathrm{H}}_2}\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },\left({\mathrm{h}}_2^{\prime },{\mathrm{r}}_2^{\prime },\mathrm{m}\right),{\mathrm{m}}^{\prime }\right)\to {\mathrm{r}}_2^{\prime \prime }$ to simulate ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$. $\mathrm{A}$ can query ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$ multiple times within polynomial time $\mathrm{p}\mathrm{l}\mathrm{o}\mathrm{y}\left(\lambda \right)$. A returns ${(\mathrm{m}}^{\prime *},{\mathrm{r}}^{\prime *})$ to $\mathrm{B}$, and $\mathrm{B}$ parses ${\mathrm{r}}^{\prime *}$ = $\left({\mathrm{r}}_1^{\prime *},{\mathrm{r}}_2^{\prime *},{\mathrm{h}}_2^{\prime *}\right)$. If the result is validated through the verification in Figure 5, it means ${(\mathrm{h}}_2^{\prime *}\left|\right|{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime })$ is the message of ${\mathrm{h}}_1$. If ${\mathrm{h}}_2^{\prime *}$ = ${\mathrm{h}}_2^{\prime }$, $\mathrm{B}$ can use $\left({(\mathrm{m}}^{\prime *}\right|\left|{\mathrm{r}}_2^{\prime *}\right)$ to break ${\mathrm{C}}_2$. Conversely, $\mathrm{B}$ can use ${(\mathrm{h}}_2^{\prime *}\left|\right|{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime })$ to break ${\mathrm{C}}_1$. Therefore, the possibility that $\mathrm{A}$ can break the update key collision resistance of RBAU is $\mathrm{p}$ = ${\mathrm{p}}_1+{\mathrm{p}}_2$. Similarly, both can be neglected.

4.1.4. The Subkey Updatability

The holder of the master key $\mathrm{M}\mathrm{s}\mathrm{k}$ can limit the collision of a specific hash value $\mathrm{h}$ by updating the sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$. The requirement for sub-key updateability is that once the sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$ related to the hash value $\mathrm{h}$ is updated, its holder will no longer be able to compute any collisions for hash value $\mathrm{h}$. Experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{U}\mathrm{p}\mathrm{d}}\left(\lambda \right)$ defines key updatability, and the specific process is shown in Figure 7. Formally, if all adversaries $\mathrm{A}$ believe in $\mathrm{P}\mathrm{r}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{U}\mathrm{p}\mathrm{d}}\left(\lambda \right)=1\right]\le \mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(\mathsf{\lambda }\right)$, RBAU is sub-key updatable. It is worth noting that although the updated user key $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$ cannot compute a valid collision for $\mathrm{h}$, it can still compute collisions for other hash values.

In the experiment, adversary $\mathrm{A}$ holds the public key $\mathrm{M}\mathrm{p}\mathrm{k}$ and selects a user sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$. Then, using ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}$ and $\mathrm{M}\mathrm{p}\mathrm{k}$, they compute the tuple $\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)$. $\mathrm{A}$ will call the oracle ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$ and obtain a new sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$, where $\mathrm{O}\mathrm{p}\mathrm{k}$ represents the original sub-public key ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}$. Experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{U}\mathrm{p}\mathrm{d}}\left(\lambda \right)$ will maintain the state st of the hash value $\mathrm{h}$. Then, $\mathrm{A}$ uses the new sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$ and calls the oracle ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$ to obtain a valid collision for $\mathrm{h}$. The message ${\mathrm{m}}^{\prime *}$ can be queried. After some time, if $\mathrm{A}$ can find a valid collision for the original sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$ with respect to $\mathrm{h}$, then ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{U}\mathrm{p}\mathrm{d}}\left(\lambda \right)$ outputs 1.

In RBAU, the injective function $\mathrm{f}:\mathrm{p}\mathrm{k}\to \mathrm{s}\mathrm{t}\mathrm{a}\mathrm{t}\mathrm{e}$ is set as the identity mapping. Therefore, the probability of sub-key updatability being compromised is equivalent to the probability that two key pairs randomly generated from ${\mathrm{U}\mathrm{s}\mathrm{k}\mathrm{G}\mathrm{e}\mathrm{n}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}$ are the same. However, this probability is negligible. Thus, RBAU is sub-key updatable.

4.1.5. The Non-Updatability of the Master Key

The requirement for the non-updatability of the master key is that an adversary $\mathrm{A}$, who does not have the master key $\mathrm{M}\mathrm{s}\mathrm{k}$, cannot update the user key pair sp. It is formally defined by experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{M}\mathrm{s}\mathrm{k}\mathrm{R}\mathrm{R}}\left(\lambda \right)$, as shown in Figure 8. Formally, if all adversaries $\mathrm{A}$ believe in $\mathrm{P}\mathrm{r}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{M}\mathrm{s}\mathrm{k}\mathrm{R}\mathrm{R}}\left(\lambda \right)=1\right]\le \mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(\lambda \right)$, then RBAU has master key non-updatability.

In the experiment, an adversary $\mathrm{A}$ holding the public key $\mathrm{M}\mathrm{p}\mathrm{k}$ can query the oracle ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$. $\mathrm{A}$ can select a user key pair $\left(\mathrm{s}\mathrm{k},\mathrm{p}\mathrm{k}\right)$ and compute a tuple $\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)$. Then, $\mathrm{A}$ selects a new message ${\mathrm{m}}^{\prime }$ and queries the oracle ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$ for $\left(\mathrm{p}\mathrm{k},\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)\right)$. ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$ returns a new verification string ${\mathrm{r}}^{\prime }$, a new user public key ${\mathrm{p}\mathrm{k}}^{\prime }$, and a new state ${\mathrm{s}\mathrm{t}}^{\prime }$ to $\mathrm{A}$. $\mathrm{A}$ can repeat the above process with different inputs within polynomial time $\mathrm{p}\mathrm{l}\mathrm{o}\mathrm{y}\left(\lambda \right)$. ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{M}\mathrm{s}\mathrm{k}\mathrm{R}\mathrm{R}}\left(\lambda \right)$ does not require the maintenance of state, as it allows $\mathrm{A}$ to generate arbitrary hash values ${\mathrm{h}}^{*}$ as well as two state values ${\mathrm{s}\mathrm{t}}^{*}$ and $\mathrm{s}{\mathrm{t}}^{\prime *}$. After the query, if $\mathrm{A}$ can perform a new update related to the selected tuple $\left({\mathrm{h}}^{*},{\mathrm{m}}^{*},{\mathrm{r}}^{*},{\mathrm{p}\mathrm{k}}^{*},{\mathrm{s}\mathrm{t}}^{*}\right)$, ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{M}\mathrm{s}\mathrm{k}\mathrm{R}\mathrm{R}}\left(\lambda \right)$ outputs 1.

Adversary $\mathrm{B}$ receives $\mathrm{M}\mathrm{p}\mathrm{k}$ as the challenge key from challenger ${\mathrm{C}}_1$ and sends it to $\mathrm{A}$. $\mathrm{A}$ can select $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$ and $\mathrm{m}$ based on $\mathrm{M}\mathrm{p}\mathrm{k}$ and compute ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}\left(\mathrm{M}\mathrm{p}\mathrm{k},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},\mathrm{m}\right)\to \left(\mathrm{h},\mathrm{r},\mathrm{s}\mathrm{t}\right)$, then send $\left({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right),{\mathrm{m}}^{\prime }\right)$ to $\mathrm{B}$ for querying the oracle ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$. After receiving $\left({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)\right)$, $\mathrm{B}$ checks its correctness. If correct, $\mathrm{B}$ first parses $\mathrm{h}$ = ${\mathrm{h}}_1$ and $\mathrm{r}$ = (${\mathrm{r}}_1,{\mathrm{r}}_2,{\mathrm{h}}_2)$. Then, $\mathrm{B}$ randomly selects a new sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$ and computes ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{{\mathrm{C}\mathrm{H}}_2}\left({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },\mathrm{m}\right)\to ({\mathrm{r}}_2^{\prime },{\mathrm{h}}_2^{\prime })$. $\mathrm{B}$ sends $\left.\left(({\mathrm{h}}_1,{\mathrm{r}}_1,{\mathrm{h}}_2||{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right.),{\mathrm{h}}_2^{\prime }||{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$ to challenger ${\mathrm{C}}_1$ to find a collision. After validating the query, challenger ${\mathrm{C}}_1$ will use $\mathrm{M}\mathrm{s}\mathrm{k}$ to find the collision and return ${\mathrm{r}}_1^{\prime }$ to $\mathrm{B}$. Finally, $\mathrm{B}$ sends $\left(\right({\mathrm{r}}_1^{\prime },{\mathrm{r}}_2^{\prime },{\mathrm{h}}_2^{\prime }),{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime })$ back to $\mathrm{A}$.

A returns $\left({\mathrm{h}}^{*},{({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{*},\mathrm{m}}^{*},{\mathrm{r}}^{*},{\mathrm{s}\mathrm{t}}^{*}),{({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime *},\mathrm{m}}^{*},{\mathrm{r}}^{\prime *},{\mathrm{s}\mathrm{t}}^{\prime *})\right)$ to $\mathrm{B}$. $\mathrm{B}$ parses ${\mathrm{r}}^{*}$ = $\left({\mathrm{r}}_1^{*},{\mathrm{r}}_2^{*},{\mathrm{h}}_2^{*}\right)$ and ${\mathrm{r}}^{\prime *}$ = $\left({\mathrm{r}}_1^{\prime *},{\mathrm{r}}_2^{\prime *},{\mathrm{h}}_2^{\prime *}\right)$. If the result can be validated through Figure 7, $\mathrm{B}$ can use hh to break ${\mathrm{C}}_1$. Therefore, the possibility that $\mathrm{A}$ can break RBAU’s master key non-updatability is equal to the possibility that B can break the enhanced collision resistance of ${\mathrm{C}\mathrm{H}}_1$, which can be considered negligible.