RBAU: Noval Redactable Model with Audit Mechanism and Key Update for Alliance Chain

Abstract

With the widespread application of alliance chain technology in diverse scenarios, its immutability has gradually revealed certain limitations in practical use. To address this challenge, a redactable alliance chain innovatively introduces functionalities for data modification, deletion, and updating. However, issues related to redaction permissions, auditing, and security hinder its development. To overcome these challenges, the K-medoids clustering algorithm is first employed to select a redaction center and a consensus committee. The redaction center reviews redaction requests, while the consensus committee groups redaction blocks and reaches block consensus. Next, a dual-hash function scheme is proposed, where a subkey-updatable chameleon hash function collaborates with a standard hash function. The system’s master key can revoke a user’s redaction rights by updating their subkey. Based on this framework, a block redaction strategy comprising four phases and nine execution algorithms is introduced, enabling an auditable, accountable, and subkey-updatable RBAU. Security analysis and experimental results demonstrate that the proposed model excels in correctness, resistance to collision of the original key, resistance to collision of the updated key, user subkey updatability, and master key immutability. Additionally, the algorithm’s execution time, transaction execution time, block size, and redaction time are comparable to those of the pre-improvement alliance chain.

1. Introduction

Since its introduction in 2008, blockchain technology, as a disruptive innovation, has demonstrated immense potential in the field of decentralized data management [1,2]. Blockchain organizes data in a unique “chain-like” structure by segmenting it into blocks and connecting them sequentially [3]. Each block not only records current transaction information but also contains the hash value of the preceding block, ensuring data integrity and tamper resistance [4]. In a decentralized network, all nodes collectively maintain the ledger and rely on consensus algorithms (such as Practical Byzantine Fault Tolerance (PBFT) and Proof of Work (PoW)) to verify and record transactions [5]. This trustless mechanism significantly reduces transaction costs while enhancing system efficiency and security.

With its characteristics of decentralization, immutability, and high transparency, blockchain has become a crucial tool for driving digital transformation [6]. In Blockchain 3.0, the application of alliance chain is continuously expanding. It addresses numerous challenges associated with trust and security in traditional centralized systems and has been widely applied in fields such as fintech, supply chain management, healthcare, elderly care, energy trading, intellectual property protection, and food traceability [7,8,9,10]. By leveraging distributed ledgers and consensus mechanisms, alliance chain ensures data integrity and reliability without the need for third-party intermediaries.

However, as alliance chain evolves rapidly and its application scenarios grow more complex, its core feature of immutability has revealed a series of limitations in practical use, particularly in areas such as data regulation, privacy protection, and dynamic data management.

Firstly, in terms of data regulation, the openness of alliance chain allows users to freely upload data. While this promotes information sharing and transparency, it also introduces potential risks of unverified data. False, malicious, or erroneous data may enter the alliance chain and spread across the network, posing significant threats to public safety or the normal functioning of systems [11]. For instance, in the context of the Internet of Vehicles, inaccurate traffic data could directly endanger driving safety or lead to traffic accidents. Therefore, how to implement the review and removal of inappropriate data on the alliance chain has become a core issue in data management.

Secondly, data privacy protection has emerged as an unavoidable challenge in alliance chain applications. Although alliance chain safeguards the security of data transmission and storage through encryption technologies, its immutability makes it impossible to delete sensitive information stored on the chain, potentially leading to privacy breaches or misuse by malicious actors. Within the framework of personal information protection regulations, such as the General Data Protection Regulation (GDPR), alliance chain systems need to support the deletion of records containing private data to comply with regulatory requirements and enhance user trust [12].

Lastly, regarding data updates, traditional alliance chains lack flexible modification mechanisms, making dynamic management extremely difficult. For example, when a user’s identity is preemptively registered by a malicious attacker or when errors exist in on-chain data, the immutability of traditional alliance chains prevents legitimate users from correcting or updating the relevant information [13]. This limitation significantly reduces the adaptability and efficiency of alliance chain in dynamic, real-world application scenarios.

To this end, redactable blockchain has gradually become a focal point in blockchain technology research and application, providing innovative solutions to address the limitations of flexibility and privacy protection. Redactable blockchain retains the decentralized and highly secure nature of alliance chains while introducing functionalities for data modification, deletion, and updating. By leveraging encryption technologies and optimized consensus mechanisms, it ensures the security and transparency of the data redaction process [14,15]. Compared to traditional alliance chain, redactable alliance chain offers the following advantages:

• Enhanced Data Governance: By incorporating mechanisms for reviewing and deleting on-chain data, it prevents the spread of false or illegal information, thereby improving the credibility and security of the system.
• Improved Privacy Protection: It allows users to delete or modify on-chain private information under specific conditions, ensuring compliance with relevant laws and regulations while safeguarding user data.
• Support for Dynamic Data Updates: Through flexible data redaction functionalities, it enables secure and verified mechanisms for data modification or updates, facilitating dynamic management of on-chain information and effectively overcoming application bottlenecks of traditional alliance chains in data update scenarios.
• Operational Flexibility: The ability to update data enhances the adaptability of alliance chain systems to evolving demands, making them more efficient and user-friendly.

Redactable alliance chains allow users to modify, delete, or update on-chain data under specific conditions by a flexible redaction mechanism. The implementation of such technology typically relies on advanced cryptographic tools and multi-party consensus mechanisms, such as chameleon hashes and zero-knowledge proofs, to ensure the security, transparency, and auditability of data redaction. This innovation opens new possibilities for the diverse application of alliance chain technology [16,17].

Redactable alliance chains demonstrate broad application prospects across various fields. It can be used in the IoV to dynamically correct traffic data, ensuring driving safety [18]. It can also be applied in food traceability to eliminate harmful or counterfeit information within the supply chain [19]. Additionally, it can be used in healthcare data management to ensure the effective protection of patient privacy while enabling dynamic updates [20]. However, research on redactable alliance chain also faces numerous challenges, such as how to ensure the allocation and management of redaction rights, how to design an efficient redaction consensus mechanism, and how to achieve privacy protection while maintaining data transparency.

Therefore, this paper implements redactable alliance chains using a dual-hash function and ensures accountability of the redaction process through a hash function that can be updated via sub-keys. In addition, a consensus group partitioning method is employed to establish a multi-center alliance chain, with a redaction center responsible for review. This approach not only addresses the limitations of traditional alliance chains, which cannot redact data, but also effectively improves the redaction efficiency of the alliance chain. The main contributions of this paper are as follows:

• The K-medoids clustering algorithm is employed to select the redaction center and consensus committees, and a redaction request verification algorithm is developed. The redaction center utilizes this algorithm to review redaction requests, preventing unreasonable block redaction. Subsequently, the consensus committees can simultaneously perform consensus operations to execute block redaction or block consensus, thereby improving consensus efficiency. Moreover, the consensus committees hold key information, preventing the misuse of redaction rights.
• A system master key generation algorithm, a user sub-key generation algorithm, and a key update algorithm are designed. A chameleon hash algorithm with updatable sub-keys is proposed, enabling the system master key to revoke a user’s redaction rights by updating their sub-key. Additionally, a dual-hash function scheme is constructed, wherein standard hash values generated by a conventional hash function are used for redaction transactions, while a chameleon hash function with updatable sub-keys is applied to generate hash values for non-redaction transactions.
• A block redaction strategy is designed, which is divided into four phases: initialization, block generation, block redaction, and key update. The execution process of nine algorithms is developed, including the redaction request generation algorithm, collision algorithm, key update algorithm, and others.

2. Related Work

In recent years, redactable blockchain has become an emerging research hotspot. Immutability is regarded as the irreplaceable cornerstone of blockchain technology [21]. However, in practical applications, alliance chain technology has been found to have urgent data redaction needs in areas such as information supervision, privacy protection, data updates, and scalability. To enable the effective redaction of block data, scholars have conducted extensive research. Ateniese et al. [22] proposed the first redactable solution to modify and delete data on the chain. This solution uses the Chameleon hash function, which allows for the determination of valid hash collisions through secret trapdoor information, thereby enabling information redaction. Huang et al. [23] studied a redaction scheme based on time-updatable Chameleon Hash (TUCH) and linkable and redactable ring signature (LRRS) algorithms. This scheme supports anonymous redaction with low modification costs. Pang Jun et al. [24] proposed a redactable blockchain model that reconstructs the underlying structure of the blockchain and adds a temporal-based index to achieve logical blockchain redaction by appending transactions. These schemes, using Chameleon hashes and temporal indexes, achieve effective redaction of block data but overlook the risks of abuse due to the centralization of redaction rights.

To ensure the legality and effectiveness of blockchain redaction, scholars have designed decentralized solutions. Lv Weilang et al. [25] designed a redactable scheme suitable for alliance chain. In this scheme, the trapdoors produced by the Chameleon hash algorithm are managed by multiple nodes, so the solution does not affect the integrity verification of the blockchain and enables multi-party consensus modification of transaction data. Wu et al. [26] addressed the issue of Chameleon Hash functions being vulnerable to quantum attacks by proposing a lattice-based single-trapdoor key-hiding Chameleon Hash function, both with and without lattice trapdoors. In the case without a trapdoor, this solution uses a fully distributed key management mechanism to avoid abuse of redaction rights and implements block redaction using the universal framework of Ateniese et al. [22]. In the case of a trapdoor, the scheme adopts a voting strategy to limit redaction rights. Ma et al. [27] proposed a fine-grained, distributed redactable blockchain. This scheme uses a decentralized policy-based Chameleon Hash (DPCH), where redaction rights are controlled by multiple authoritative agencies, avoiding security issues caused by centralization. Jia et al. [28] proposed an efficient redactable blockchain with traceability in a decentralized environment. This scheme uses a decentralized Chameleon Hash function, requiring that each redaction be approved by multiple blockchain nodes. All block redacts are stored on the block, and the redaction block is encoded into an RSA accumulator [29]. Additionally, the scheme designs a block consistency check protocol based on the RSA accumulator. Li et al. [30] proposed a redactable blockchain model using a non-interactive Chameleon Hash (NITCH), supporting the dynamic distribution of partial trapdoor keys. Users who hold a certain share of the trapdoor keys can obtain valid hash collisions.

To limit malicious user redaction behavior, some scholars have designed accountable or punishable solutions. Tian et al. [31] designed a policy-based Chameleon Hash algorithm with black-box accountability (PCHBA). Black-box accountability allows authoritative agencies to link modified transactions to the responsible party in case of disputes. All users can interact with the black-box and query the modifying party. Jia et al. [32] re-examined the conflict between blockchain immutability and redaction and proposed a fine-grained redactable blockchain with a semi-trusted regulator. This scheme supports content supervision on the blockchain and allows users to manage their own data. Ren Yanli et al. [33] proposed a fair redactable blockchain solution, which allows users to supervise redactors and set corresponding punishment mechanisms for malicious behavior, ensuring the fairness of redaction rights (

Table 1. Comparison of literature.

Literature	Redaction Function	Redaction Mode	Degree of Decentralization	Redaction Review
[22]	Chameleon hash	Physics	Centralization	Uncensorable
[23]	Chameleon hash	Physics	Centralization	Uncensorable
[24]	Timing index Chameleon hash	Logic	Centralization	Uncensorable
[25]	Chameleon hash	Physics	Multicenter	Uncensorable
[26]	Chameleon hash	Physics	Semi-decentralized	Uncensorable
[27]	Chameleon hash	Physics	Semi-decentralized	Uncensorable
[28]	Chameleon hash	Physics	Semi-decentralized	Uncensorable
[30]	Chameleon hash	Physics	Semi-decentralized	Uncensorable
[31]	Chameleon hash	Physics	Semi-decentralized	Uncensorable
[32]	Chameleon hash	Physics	Semi-decentralized	Review
[33]	Chameleon hash	Physics	Semi-decentralized	Review

).

This paper implements the redaction capability of the alliance chain using dual hash functions, and ensures accountability of the redaction process through a subkey-updatable hash function. Additionally, a consensus group division method is employed to achieve a multi-center redactable alliance chain, with redaction reviews conducted through a redaction center.

3. Redactable Model

3.1. Architecture

This redactable model is composed of user nodes, consensus nodes, the redaction center, and the consensus committee, as shown in Figure 1.

• User Node: This entity represents a user of the system, participating in the initiation and verification of various transactions. Transactions initiated by user nodes are primarily categorized into two types: redaction transactions and non-redaction transactions. The redaction transaction requires prior review by the redaction center before being executed by the consensus nodes, rather than being directly processed by the consensus nodes.
• Consensus node: This entity acts as the executor of block operations. When a transaction involves block modification, the consensus node performs the corresponding redaction operations. Conversely, the consensus node is responsible for packaging all transactions to generate a new block.
• Redaction Center: This entity serves as the reviewer for redaction requests. The Redaction Center is responsible for verifying the validity of redaction requests and assessing the reasonableness of the proposed redaction. Once approved, the Redaction Center generates the corresponding redaction transaction, signs it, and forwards it to the consensus nodes for transaction packaging and block redaction.
• Consensus Committee: This entity is composed of all consensus nodes. The Consensus Committee conducts transaction consensus through a consensus algorithm to ensure block consistency across all nodes. In addition, the Consensus Committee maintains the key information of the chameleon hash functions within all blocks, including the system’s master key pair and all users’ subordinate key pairs.

3.2. Model Design

Without loss of generality, we denote sets as uppercase, handwritten, bold letters (e.g., D). The i-th row of W is denoted by Wi, and the element found in the j-th column of i-th row in W is denoted as Wij. To ease reading, we summarize the frequently used notations in

Table 2. Summary of the main symbols.

Notation	Definition	Notation	Definition	Notation	Definition
$v_i$	node	$h_i$	Hash value	${DPK}_i$	Data public key
$V_i$	cluster	${pp}_i$	Common parameter	$m$	message
$A_i$	Agency	${sk}_i$	Private key	$r_i$	Check string
$C_i$	Redaction Center	${MSK}_i$	System private key	${st}_i$	Status flag
$O_i$	Organization	${DSK}_i$	Data private key	$b_i$	Test value
$T_i$	Consensus Committee	${pk}_i$	Public key	$rep$	Redact request
${CH}_i$	Chameleon hash algorithmd	${PK}_i$	System public key

.

3.2.1. Review and Consensus Mechanism

(1)

Grouping method of consensus nodes

Definition 1 (Consensus Node).

$V\left\{v_1,v_2,\cdots ,v_n\right\}$. $V$ is the set of nodes, and $n$ is the number of nodes. $v_i$is the i-th node. Nodes are classified into honest nodes and malicious nodes. Honest nodes maintain the success of the consensus mechanism, while malicious nodes disrupt the consensus mechanism or alter the information within the alliance chain network.

Suppose there be $p$ features for the alliance chain nodes, and let $v_i=\left\{v_{i1},v_{i2},\cdots ,v_{ip}\right\}(i=\left\{\mathrm{1,2},\cdots ,n\right\})$ represent the feature values of the $i$-th node in the $p$ feature. Then, the feature set $V=\left\{v_1,v_2,\cdots ,v_n\right\}$ for the $n$ nodes can be represented as

$$V=\left[\begin{array}{c}{v}_1\\ v_2\\ \begin{array}{c}⋮\\ v_n\end{array}\end{array}\right]=\left[\begin{array}{ccc}{v}_{11}& v_{12}& \begin{array}{cc}\cdots & v_{1p}\end{array}\\ v_{21}& v_{22}& \begin{array}{cc}\cdots & v_{2p}\end{array}\\ \begin{array}{c}⋮\\ v_{n1}\end{array}& \begin{array}{c}⋮\\ v_{n2}\end{array}& \begin{array}{cc}\begin{array}{c}\\ \cdots \end{array}& \begin{array}{c}⋮\\ v_{np}\end{array}\end{array}\end{array}\right]$$

(1)

Compared to other clustering algorithms, K-medoids offers flexibility in handling arbitrary distance metrics, robustness to outliers, interpretability of medoids, and suitability for mixed or complex data types. These characteristics make it an ideal choice when dealing with the diversity and irregular structure of alliance chain data, ensuring that the resulting clusters reflect meaningful and consistent node groupings while minimizing the impact of noise or outliers. Using the K-medoids algorithm to calculate the similarity between alliance chain redaction nodes, the distance function between two nodes, $v_i$ and $v_n$, is represented by Euclidean distance, denoted as

$$d\left(v_i,v_n\right)=‖v_i-v_n‖=\sqrt{\sum _{j=1}^p{\left(v_{ij}-v_{nj}\right)}^2}$$

(2)

The K-medoids algorithm clusters $V$ into $K$ clusters, denoted as $V=\{V_1,V_2,\dots {,V}_k\}$. Within each cluster $V_i$, the similarity among nodes $v_i$ is high, while their similarity to nodes in other clusters is relatively low. The objective function is calculated in Equation

$$Min\left(T\left(c\right)\right)=\sum _{i=1}^n\sum _{k=1}^K{u}_{ik}d\left(v_i,c_k\right)$$

(3)

where, $c_k$ is the medoid of the k-th cluster, and $u_{ik}$ is an indicator variable. For $u_{ik}$ value, if $c_k$ belongs to the k-th cluster, then $u_{ik}$ = 1; otherwise, $u_{ik}$ = 0.

Definition 2 (Agency).

$A\left\{A_1,A_2,\cdots ,A_k\right\}$. Each cluster $A_i$ consists of nodes with similar characteristics, identified using the K-medoids algorithm. Suppose contains $m$ nodes, then $A_i$ can be represented as $A_i \left\{a_{i1},a_{i2},\cdots ,a_{im}\right\}(1<m<n-k)$. Where, $a_{ij}$ denotes the $j$-th node in the $i$-th agency.

(2)

Methods for Constructing the Redactorial Center and Consensus Committee

Using the Euclidean distance to calculate the similarity between the node $v_i$ within a cluster and the center $v_k$ of other clusters, the formula for the objective function is

$$D\left(k\right)=\sum _{i=1}^n\sum _{k=1}^{K}d\left(v_i,v_k\right)$$

(4)

The institution of $Min\left(D\right(K\left)\right)$ is referred to as the central institution. In other words, the central institution consists of a collection of nodes with multiple features.

Definition 3 (Redaction Center).

$C\left\{c_1,c_2,{\dots ,c}_m\right\}$. $C$ is the central institution of $A$, meaning $C\in A$. $c_i$ is a node in $A_i$, meaning ${c_i\in A}_i$. $C$ possesses the characteristics of any institution $A_i$.

In the consensus process of the alliance chain, the Redaction Center does not have an independent consensus but needs to participate in the consensus of other k-1 institutions. Therefore, the Redaction Center forms a consensus group with the other institutions, consisting of k-1 participants.

Definition 4 (Organization).

$O\left\{O_1,O_2,\cdots ,O_{k-1}\right\}$. Agency $A_i$ together with the Redaction Center $C$, forms the organization $O_i$, that is $O_i\left\{o_{i1},o_{i2},\cdots ,o_{is}\right\}(1<s<n-k)$. Where, $C$ is a member of any group $O_i$ and must participate in the consensus of group $O_i$.

There are honest nodes and malicious nodes in the group, with the malicious nodes disrupting the consensus. Additionally, having too many nodes in the group participating in consensus transactions can also increase the consensus time. Therefore, it is necessary to select honest nodes to participate in the consensus, forming a consensus committee.

Definition 5 (Consensus Committee).

$T:\left\{T_1,T_2,\cdots ,T_{k-1}\right\}$. Honest nodes are selected from group $O_i$ to form the consensus committee $T_i$, that is $T_i: \left\{t_{i1},t_{i2},\cdots ,t_{is}\right\}(1<s<n-k)$. The consensus committee is responsible for reaching consensus on both non-redaction transactions and block redaction transactions. The consensus algorithm uses the FCBFT consensus mechanism developed by the research team.

Each consensus algorithm of a consensus committee is independent and does not affect others. Therefore, the k-1 group consensus algorithms can proceed simultaneously.

3.2.2. Security Scheme of Double Hash Functions

In alliance blockchains, blocks are typically composed of a block header and a block body. The block body mainly stores transaction information and hash values. The hash functions used in these blocks are collision-resistant. Once the transaction information in a block is altered, the corresponding hash value changes as well, making it difficult to modify the block data. Therefore, this section designs a redactable block structure, as shown in Figure 2.

In the redactable block structure, hash functions are divided into two types: standard hash and subkey-updatable chameleon hash. The subkey-updatable chameleon hash function is an improvement based on the team’s research on the quantum-resistant hash algorithm HIBCH-RS, achieved through the modification of Algorithm 2, Algorithm 3, and Algorithm 8 in the redactable strategy [12]. In the leaf nodes of the block body, there are two methods for generating hash values from transaction information. One method involves transaction information that does not involve block modification, with nodes using the subkey-updatable chameleon hash function for hashing. This is because non-redactable transaction information may be modified by subsequent redaction transactions. In contrast, nodes use the standard hash function for hashing. This is because the information of redaction transactions, as records of block modification, has the characteristic of being immutable. Additionally, in all non-leaf nodes of the block body, the standard hash function is used for hashing.

This block structure allows users with chameleon hash keys to perform redaction operations on block data while ensuring hash consistency of the block. Moreover, the redaction information is stored completely and effectively within the block, ensuring that redaction records are query.

3.2.3. Redactable Strategies

To achieve redaction in blockchain, this paper employs the CHSU instead of the standard hash function. The system first generates a set of public parameters, including public parameters for two foundational chameleon hash functions. Then, the system performs key generation, which includes the system’s master key pair and subkey pairs for individual users. When a blockchain user identifies the need to redact a block, they can initiate a redaction request. Upon receiving the request, the redaction center reviews the legality of the user’s redaction and the rationality of the proposed changes. If the request is approved, the redaction center generates a redaction transaction and sends it to the consensus nodes. The consensus nodes first request the system master key from the consensus committee. They then calculate a hash collision based on the redaction transaction information and update the transaction data in the old block. New verification character combinations and other redaction information are stored as auxiliary data. Finally, the consensus nodes broadcast the redaction results, and other nodes validate these results before performing the corresponding local redaction. The information from the redaction transaction is packaged by the consensus nodes into a newly generated block, serving as a record of the redaction.

Overall, the model’s workflow is divided into four stages: initialization, block generation, block redaction, and key updating, as shown in Figure 3.

(1)

Initialization Phase (Algorithms 1–3)

Algorithm 1: Initialization algorithm ${Setup}_{CHSU}\left(\lambda \right)\to \left({pp}_{CHSU}\right)$

The input $\lambda$ is a security parameter, and the output ${ pp}_{CHSU}$ is a public parameter. The algorithm is constructed based on two fundamental chameleon hash functions, ${CH}_1$ and ${CH}_2$. First, the algorithm runs the initialization algorithms ${Setup}_{{CH}_1}\left(\lambda \right)$ and ${Setup}_{{CH}_2}\left(\lambda \right)$, respectively, obtaining the public parameters ${pp}_1$ and ${ pp}_2$. Then, the algorithm sets the public parameter is ${pp}_{CHSU}=\left({pp}_1{,pp}_2\right)$. Finally, the algorithm output is ${pp}_{CHSU}$.

Algorithm 2: The master key generation algorithm ${KeyGen}_{CHSU}\left({pp}_{CHSU}\right)\to \left({sk}_{CHSU},{pk}_{CHSU}\right)$

The input ${pp}_{CHSU}$ is the public parameter. The algorithm uses the key generation algorithm ${KeyGen}_1\left({pp}_1\right)$ of ${CH}_1$ to generate a key pair $\left({sk}_1,{pk}_1\right)$. Then, the algorithm sets the system master key pair is $\left({sk}_{CHSU},{pk}_{CHSU}\right)=\left({sk}_1,{pk}_1\right)$. Finally, the algorithm outputs are $\left({sk}_{CHSU},{pk}_{CHSU}\right)$.

Both algorithms are executed only once during the initialization phase. In the output of the system master key pair, the public key ${pk}_{CHSU}$ is publicly accessible to all users. The private key ${sk}_{CHSU}$, however, is held by the consensus committee and can only be accessed by consensus nodes during block operations.

Algorithm 3: The subkey generation algorithm ${UkeyGen}_{CHSU}\left({pp}_{CHSU}\right)\to \left({sk}_{uid},{pk}_{uid}\right)$

The input ${pp}_{CHSU}$ is the public parameter. First, the algorithm uses the key generation algorithm ${KeyGen}_{{CH}_2}\left({pp}_2\right)$ of ${CH}_2$ to generate a key pair $\left({sk}_{{CH}_2},{pk}_{{CH}_2}\right)$. Then, the algorithm set the user subkey pair is $\left({sk}_{uid},{pk}_{uid}\right)=\left({sk}_{{CH}_2},{pk}_{{CH}_2}\right)$. Finally, the algorithm outputs are $\left({sk}_{uid},{pk}_{uid}\right)$.

The subkey generation algorithm is executed once for each user during the initialization phase. In the output subkey pair, the public key ${pk}_{uid}$ is publicly accessible to all users. In contrast, the private key ${sk}_{uid}$ is held by the user and is only used as an input during block editing operations.

(2)

Block Generation Phase (Algorithms 4 and 5)

Algorithm 4: The hash algorithm ${Hash}_{CHSU}\left({pk}_{CHSU},{pk}_{uid},m\right)\to \left(h,r,st\right)$

The inputs consist of the master public key ${pk}_{CHSU}$, the sub-public key ${pk}_{uid}$, and the message $m$. First, the algorithm computes a hash value and verification string $\left(h_2,r_2\right)$ using the hash algorithm ${Hash}_{{CH}_2}\left({pk}_{uid},m\right)$ of the ${CH}_2$. Then, it calculates another hash value and verification string $\left(h_1,r_1\right)$ using the hash algorithm ${Hash}_{{CH}_1}\left({pk}_{CHSU},h_2\left|\right|{st}_0\right)$ of the ${CH}_1$. Where, $h_2\left|\right|{st}_0$ is formed by concatenating the hash value $h_2$ and the state identifier ${st}_0$, where the state identifier is ${st}_0={pk}_{uid}$. The algorithm sets the tuple containing the hash value, verification string, and state identifier is $\left(h,r,{st}_0\right)=\left(h_1,\left(r_1,r_2,h_2\right),{pk}_{uid}\right)$. Finally, the algorithm outputs are $\left(h,r,{st}_0\right)$.

Whenever a new block is generated in the system, the hash algorithm is executed by consensus nodes. The resulting hash value, verification string, and other related information are publicly accessible.

Algorithm 5: The hash verification algorithm ${Verify}_{CHSU}\left({pk}_{CHSU},h,st,\left({pk}_{uid},r,m\right)\right)\to b$

The inputs consists of the main public key ${pk}_{CHSU}$, hash value $h$, status flag $st$, subkey public key ${pk}_{uid}$, verification string combination $r$, and message $m$. First, the algorithm checks if the current $st$ matches ${pk}_{uid}$. If they do not match, the verification fails, and the algorithm directly sets the verification value $b=0$ and output $b$. Otherwise, the algorithm computes the verification value $b_2$ using the hash verification algorithm ${Verify}_{{CH}_2}\left({pk}_{uid},\left(h_2,r_2,m\right)\right)$ of the ${CH}_2$, followed by computing the verification value $b_1$ using the hash verification algorithm ${Verify}_{{CH}_1}\left({pk}_{CHSU},\left(h_1,r_1,h_2\left|\right|st\right)\right)$ of the ${CH}_1$. Finally, the algorithm sets the verification value $b=\left(b_1\cap b_2\right)$ and output $b$.

(3)

Block Redaction Phase (Algorithms 6–8)

Algorithm 6: The redaction request generation algorithm ${Verify}_{CHSU}\left({pk}_{CHSU},h,st,\left({pk}_{uid},r,m\right)\right)\to b$

The inputs are a message $m$, user key ${sk}_{uid}$, hash value $h$, checksum combination $r$, status flag $st$, and new message $m^{\prime }$. The algorithm sets the redaction request $rep=\left({sk}_{uid},\left(h,r,m,st\right),m^{\prime }\right)$, then outputs $rep$.

Algorithm 7: The redaction request verification algorithm $EditVer\left(rep\right)\to \left(T_{edit}or\perp \right)$

The input $rep$ is the redaction request. The algorithm is executed by the redaction center. Upon receiving the $rep$, the algorithm first uses the hash verification algorithm ${Verify}_{CHSU}\left({pk}_{CHSU},h,st,\left({pk}_{uid},r,m\right)\right)$ to verify whether the information matches. If it does not match, the algorithm directly output $\perp$. Conversely, if it matches, the algorithm proceeds to review the content of the new message $m^{\prime }$. If the review is successful, the algorithm sets the redaction transaction $T_{edit}=\left({sk}_{uid},\left(h,r,m,st\right),m^{\prime },E_s\right)$ and outputs $T_{edit}$, where the redaction flag $E_s$ is the signature of the redaction center. Conversely, if the review fails, the algorithm output is $\perp$.

Algorithm 8: The redaction algorithm ${Adapt}_{CHSU}\left(sk,\left(h,r,m,{pk}_{uid}\right),m^{\prime }\right)\to r^{\prime }$

The inputs consists of the secret key $sk$, the hash value $h$, the checksum combination $r$, the message $m$, the subkey public key ${pk}_{uid}$, and the new message $m^{\prime }$. However, the secret key input $sk$ can either be the master key ${sk}_{CHSU}$ or the user key ${sk}_{uid}$. When the user key ${sk}_{uid}$ is provided as input, the algorithm utilizes the collision algorithm ${Adapt}_{{CH}_2}\left({sk}_{uid},\left(h_2,r_2,m\right),m^{\prime }\right)$ of ${CH}_2$ to compute a random value $r_2^{\prime }$. Subsequently, the algorithm sets the verification string combination $r^{\prime }=\left(r_1,r_2^{\prime },h_2\right)$ and outputs $r^{\prime }$. Conversely, when the master key ${sk}_{CHSU}$ is used as input, the algorithm first calculates the hash value and verification string $\left(h_2^{\prime },r_2^{\prime }\right)$ via the hashing algorithm ${Hash}_{{CH}_2}\left({pk}_{uid},m^{\prime }\right)$ of ${CH}_2$. The algorithm then employs the collision algorithm ${Adapt}_{{CH}_1}\left({sk}_{CHSU},\left(h_1,r_1,h_2\left|\right|{pk}_{uid}\right),h_2^{\prime }\left|\right|{pk}_{uid}\right)$ of ${CH}_1$ to compute the verification string $r_1^{\prime }$. Finally, it sets the verification string combination $r^{\prime }=\left({r_1^{\prime },r_2^{\prime },h}_2^{\prime }\right)$ and outputs $r_1^{\prime }$.

(4)

Key Update Phase (Algorithm 9)

Algorithm 9: The key update algorithm ${Update}_{CHSU}\left({sk}_{CHSU},\left(h,r,m,{pk}_{uid}\right),{st}_i\right)\to \left(r^{\prime },\left({sk}_{uid}^{\prime },{pk}_{uid}^{\prime }\right),{st}_{i+1}\right)$

The inputs consist of the master key ${sk}_{CHSU}$, hash value $h$, checksum combination $r$, message $m$, user public key ${pk}_{uid}$, and status flag ${st}_i$, with $h=h_1$ and $r=\left({r_1,r_2,h}_2\right)$. First, the algorithm computes the key pair $\left({sk}_2^{\prime },{pk}_2^{\prime }\right)$ using the key generation algorithm ${KeyGen}_{{CH}_2}\left({pp}_2\right)$ from ${CH}_2$. Then, the algorithm calculates the hash value and checksum $\left(h_2^{\prime },r_2^{\prime }\right)$ using the hash algorithm ${Hash}_{{CH}_2}\left({pk}_2^{\prime },m\right)$ from ${CH}_2$. Next, the algorithm computes the new checksum $r_1^{\prime }$ using the collision algorithm ${Adapt}_{{CH}_1}\left({sk}_{CHSU},\left(h_1,r_1,h_2\left|\right|{st}_i\right),h_2^{\prime }\left|\right|{st}_{i+1}\right)$ from ${CH}_1$, where ${st}_{i+1}={pk}_2^{\prime }$. Finally, the algorithm sets the checksum combination $r^{\prime }=\left({r_1^{\prime },r_2^{\prime },h}_2^{\prime }\right)$ and the new key pair $\left({sk}_{uid}^{\prime },{pk}_{uid}^{\prime }\right)=\left({sk}_2^{\prime },{pk}_2^{\prime }\right)$, and outputs $\left(r^{\prime },\left({sk}_{uid}^{\prime },{pk}_{uid}^{\prime }\right),{st}_{i+1}\right)$.

Note that the key update algorithm does not directly replace the original user key pair with a new one. Instead, the algorithm updates the keys specifically for the hash value $h$, the verification string $r$, and the message $m$. The new private key ${sk}_{uid}^{\prime }$ is held by the system, while the user retains the original private key ${ sk}_{uid}$. Consequently, the user can no longer use ${sk}_{uid}$ to redact the message.

4. Experiments and Discussion

4.1. Safety Analysis

Explaining the security of RBAU through the following properties and proofs.

Definition (Secure RBAU): If RBAU satisfies correctness, key collision resistance, subkey updatability, and master key non-updatability, it is secure.

Property: If the chameleon hash functions ${\mathrm{C}\mathrm{H}}_1$ and ${\mathrm{C}\mathrm{H}}_2$ are secure, then RBAU is also secure.

Explanation: Since RBAU is constructed from two secure chameleon hash functions ${\mathrm{C}\mathrm{H}}_1$ and ${\mathrm{C}\mathrm{H}}_2$, their enhanced collision resistance and correctness ensure the security of the RBAU.

Furthermore, the correctness, original key collision resistance, updated key collision resistance, the subkey updatability, and the non-updatability of the master key of RBAU are demonstrated as follows.

4.1.1. Correctness

The correctness requirement in RBAU is that all hash and checksum string combinations correctly generated by ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}$, ${\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}$, and ${\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}$ must pass the check by ${\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}$. The experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{C}\mathrm{o}\mathrm{r}}\left(\lambda \right)$ defines correctness, and the specific process is shown in Figure 4. Formally, if all adversaries $\mathrm{A}$ believe $\mathrm{P}\mathrm{r}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{C}\mathrm{o}\mathrm{r}}\left(\lambda \right)=1\right]=1$, then RBAU is correct.

In the correctness experiment, variables such as the user’s private key $\mathrm{U}\mathrm{s}\mathrm{k}$, user’s public key $\mathrm{U}\mathrm{p}\mathrm{k}$, message hash ${\mathrm{h}}_{\mathrm{m}}$, and state $\mathrm{S}\mathrm{t}\mathrm{a}\mathrm{t}\mathrm{e}$ can be modified by the oracle ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$ or ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$. The adversary $\mathrm{A}$ can obtain the $\mathrm{S}\mathrm{t}\mathrm{a}\mathrm{t}\mathrm{e}$ modified by ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$. Within polynomial time $\mathrm{p}\mathrm{l}\mathrm{o}\mathrm{y}\left(\lambda \right)$, A can freely make collision queries and update queries by ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$ or ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$, respectively. Once all queries are completed, $\mathrm{A}$ will set the flag signal $\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}\mathrm{a}\mathrm{l}$ to $\mathrm{S}\mathrm{t}\mathrm{o}\mathrm{p}$. Then, ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{C}\mathrm{o}\mathrm{r}}\left(\lambda \right)$ will check the validity of ${\mathrm{h}}_{\mathrm{m}}$. If valid, ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{C}\mathrm{o}\mathrm{r}}\left(\lambda \right)$ outputs 1; otherwise, it outputs 0.

Clearly, the correctness guarantees of the two underlying Chameleon hashes ensure the correctness of RBAU.

4.1.2. Original Key Collision Resistance

The requirement for the original key’s resistance to collision is that, when the user’s key is $\mathrm{U}\mathrm{s}\mathrm{k}$ and the master key is $\mathrm{M}\mathrm{s}\mathrm{k}$, an attacker $\mathrm{A}$ without any key cannot find any collisions. Experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{N}\mathrm{s}\mathrm{k}\mathrm{C}\mathrm{R}}\left(\lambda \right)$ defines the original key’s collision resistance, with the specific process shown in Figure 5. Formally, if all attackers $\mathrm{A}$ believe in $\mathrm{P}\mathrm{r}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{N}\mathrm{s}\mathrm{k}\mathrm{C}\mathrm{R}}\left(\lambda \right)=1\right]\le \mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(\lambda \right)$, then RBAU possess initial key collision resistance, where $\mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(\lambda \right)$ is a negligible probability.

Challenger $\mathrm{A}$ holding the public key of $(\mathrm{U}\mathrm{p}\mathrm{k},\mathrm{M}\mathrm{p}\mathrm{k})$ can query the oracle ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$ for collision queries and request different tuples $(\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right),{\mathrm{m}}^{\prime })$. If $\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)$ is valid under the public key $(\mathrm{U}\mathrm{p}\mathrm{k},\mathrm{M}\mathrm{p}\mathrm{k})$ and state $\mathrm{s}\mathrm{t}$, then $\mathrm{A}$ will obtain a collision for the hash $\mathrm{h}$ corresponding to $\mathrm{U}\mathrm{p}\mathrm{k}$, meaning $\mathrm{A}$ is allowed to generate any hash value ${\mathrm{h}}^{*}$ and ${\mathrm{s}\mathrm{t}}^{*}$. After completing all queries, if $\mathrm{A}$ can produce a valid collision, ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{N}\mathrm{s}\mathrm{k}\mathrm{C}\mathrm{R}}\left(\lambda \right)$ outputs 1.

If $\mathrm{A}$ is an adversary capable of breaking the original key collision resistance of RBAU, then we can construct another adversary $\mathrm{B}$, which can break the enhanced collision resistance of the foundational chameleon hashes ${\mathrm{C}\mathrm{H}}_1$ and ${\mathrm{C}\mathrm{H}}_2$ by $\mathrm{A}$. $\mathrm{B}$ receives the public key $\mathrm{M}\mathrm{p}\mathrm{k}$ from challenger ${\mathrm{C}}_1$ and the sub-public key $\mathrm{U}\mathrm{p}\mathrm{k}$ from challenger ${\mathrm{C}}_2$ as challenge keys, and then sends them to $\mathrm{A}$. $\mathrm{A}$ can select $\left(\mathrm{m},{\mathrm{m}}^{\prime }\right)$ based on $(\mathrm{U}\mathrm{p}\mathrm{k},\mathrm{M}\mathrm{p}\mathrm{k})$ and compute ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}\left(\mathrm{U}\mathrm{p}\mathrm{k},\mathrm{M}\mathrm{p}\mathrm{k},\mathrm{m}\right)\to \left(\mathrm{h},\mathrm{r},\mathrm{s}\mathrm{t}\right)$. Then, $\mathrm{A}$ sends $\left(\mathrm{U}\mathrm{p}\mathrm{k},\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right),{\mathrm{m}}^{\prime }\right)$ to $\mathrm{B}$ to query the oracle ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$.

First, $\mathrm{B}$ calculates ${\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}\left(\mathrm{M}\mathrm{p}\mathrm{k},\mathrm{h},\mathrm{s}\mathrm{t},\left(\mathrm{U}\mathrm{p}\mathrm{k},\mathrm{r},\mathrm{m}\right)\right)$. If the result is 0, the call ends. If the result is 1 and $\mathrm{s}\mathrm{k}$ = $\mathrm{M}\mathrm{s}\mathrm{k}$, $\mathrm{B}$ parses $\mathrm{h}$ = ${\mathrm{h}}_1$ and $\mathrm{r}$ = (${\mathrm{r}}_1,{\mathrm{r}}_2,{\mathrm{h}}_2)$, then calculates ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{{\mathrm{C}\mathrm{H}}_2}\left(\mathrm{U}\mathrm{p}\mathrm{k},{\mathrm{m}}^{\prime }\right)\to ({\mathrm{r}}_2^{\prime },{\mathrm{h}}_2^{\prime })$. $\mathrm{B}$ sends $\left(\left({\mathrm{h}}_1,{\mathrm{r}}_1,{\mathrm{h}}_2\left|\right|\mathrm{U}\mathrm{p}\mathrm{k}\right),{\mathrm{h}}_2^{\prime }\right)$ to ${\mathrm{C}}_1$ to query the collision ${\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}_{{\mathrm{C}\mathrm{H}}_2}\left(\mathrm{M}\mathrm{s}\mathrm{k},\left({\mathrm{h}}_1,{\mathrm{r}}_1,{\mathrm{h}}_2\left|\right|\mathrm{U}\mathrm{p}\mathrm{k}\right),{\mathrm{h}}_2^{\prime }\left|\right|\mathrm{U}\mathrm{p}\mathrm{k}\right)\to {\mathrm{r}}_1^{\prime }$. After validating the query, ${\mathrm{C}}_1$ uses the key $\mathrm{M}\mathrm{s}\mathrm{k}$ to calculate the new collision ${\mathrm{r}}_1^{\prime }$ and returns it to $\mathrm{B}$. Finally, $\mathrm{B}$ sends $({\mathrm{r}}_1^{\prime },{\mathrm{r}}_2^{\prime },{\mathrm{h}}_2^{\prime })$ to $\mathrm{A}$. If the result is 1 and $\mathrm{s}\mathrm{k}$ = $\mathrm{M}\mathrm{s}\mathrm{k}$, $\mathrm{B}$ parses $\mathrm{h}$ = ${\mathrm{h}}_1$ and $\mathrm{r}$ = (${\mathrm{r}}_1,{\mathrm{r}}_2,{\mathrm{h}}_2$), then $\mathrm{B}$ queries ${\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}_{{\mathrm{C}\mathrm{H}}_2}\left(\mathrm{U}\mathrm{s}\mathrm{k},\left({\mathrm{h}}_2,{\mathrm{r}}_2,\mathrm{m}\right),{\mathrm{m}}^{\prime }\right)\to {\mathrm{r}}_1^{\prime \prime }$ from ${\mathrm{C}}_2$, and finally, $\mathrm{B}$ sends $({\mathrm{r}}_1,{\mathrm{r}}_2^{\prime },{\mathrm{h}}_2)$ to $\mathrm{A}$.

$\mathrm{A}$ returns $\left({\mathrm{h}}^{*},\left({\mathrm{m}}^{*},{\mathrm{r}}^{*},{\mathrm{s}\mathrm{t}}^{*}\right),{(\mathrm{m}}^{\prime *}{,\mathrm{r}}^{\prime *})\right)$ to $\mathrm{B}$, then $\mathrm{B}$ analyzes ${\mathrm{r}}^{*}$ = $\left({\mathrm{r}}_1^{*},{\mathrm{r}}_2^{*},{\mathrm{h}}_2^{*}\right)$ and ${\mathrm{r}}^{\prime *}$ = $\left({\mathrm{r}}_1^{\prime *},{\mathrm{r}}_2^{\prime *},{\mathrm{h}}_2^{\prime *}\right)$. If the result can be validated through the verification in Figure 4, and ${\mathrm{h}}_2^{*}$ = ${\mathrm{h}}_2^{\prime *}$, $\mathrm{B}$ can use it to break $\left({\mathrm{h}}^{*},\left({\mathrm{m}}^{*},{\mathrm{r}}_2^{*}\right),{(\mathrm{m}}^{\prime *},{\mathrm{r}}_2^{\prime *})\right)$ and decrypt ${\mathrm{C}}_2$. On the other hand, ${\mathrm{h}}_2^{*}$ ≠ ${\mathrm{h}}_2^{\prime *}$, $\mathrm{B}$ can also use $\left({\mathrm{h}}^{*},\left({\mathrm{h}}_2^{*}\left|\right|{\mathrm{s}\mathrm{t}}^{*},{\mathrm{r}}_1^{*}\right),\left({\mathrm{h}}_2^{\prime *}\right||{\mathrm{s}\mathrm{t}}^{*},{\mathrm{r}}_2^{\prime *})\right)$ to break ${\mathrm{C}}_1$. Therefore, the probability that $\mathrm{A}$ can break the original key’s collision resistance of RBAU is $\mathrm{p}$ = ${\mathrm{p}}_1+{\mathrm{p}}_2$, where ${\mathrm{p}}_1$ is the probability that $\mathrm{B}$ can break the enhanced collision resistance of ${\mathrm{C}\mathrm{H}}_1$, and ${\mathrm{p}}_2$ is the probability that $\mathrm{B}$ can break the enhanced collision resistance of ${\mathrm{C}\mathrm{H}}_2$, both of which can be neglected.

4.1.3. Updated Key Collision Resistance

In RBAU, ${\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}$ can update the subkeys involved in the calculation of $\left(\mathrm{h},\mathrm{r}\right)$ and output the new subkey pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$. The update key collision resistance requires that, when the subpublic key is ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }$, the adversary $\mathrm{A}$ holding the original subkey ${\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}$ cannot find any collisions. Experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{N}\mathrm{s}\mathrm{k}\mathrm{C}\mathrm{R}}\left(\lambda \right)$ defines the update key collision resistance, and the specific process is shown in Figure 6. Formally, if all adversaries A consider $\mathrm{P}\mathrm{r}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{N}\mathrm{s}\mathrm{k}\mathrm{C}\mathrm{R}}\left(\lambda \right)=1\right]\le \mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(\lambda \right)$, then RBAU has updated key collision resistance.

An adversary $\mathrm{A}$ holding the master public key $\mathrm{M}\mathrm{p}\mathrm{k}$ can compute the tuple $\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)$ using a user’s subkey pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$. Then, $\mathrm{A}$ can call the oracle ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$ to obtain a new sub-public key ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }$. Afterward, with the subkey pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$, $\mathrm{A}$ can still call ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$ to compute a valid collision for $\mathrm{h}$. However, the message ${\mathrm{m}}^{\prime *}$ cannot be queried. The experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{C}\mathrm{o}\mathrm{r}}\left(\lambda \right)$ will maintain the hash state value $\mathrm{s}\mathrm{t}$ of $\mathrm{h}$. After some time, if $\mathrm{A}$ can find a valid collision for $\mathrm{h}$ with the new subkey pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$, then ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{C}\mathrm{o}\mathrm{r}}\left(\lambda \right)$ outputs 1.

Opponent $\mathrm{B}$ receives public key $\mathrm{M}\mathrm{p}\mathrm{k}$ and sub-public key ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}$ as challenge keys from challengers ${\mathrm{C}}_1$ and ${\mathrm{C}}_2$, respectively, then sends $\mathrm{M}\mathrm{p}\mathrm{k}$ to $\mathrm{A}$. $\mathrm{A}$ selects $\left(\mathrm{m},{\mathrm{m}}^{\prime }\right)$ based on $\left(\mathrm{M}\mathrm{p}\mathrm{k},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$ and computes ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}\left(\mathrm{M}\mathrm{p}\mathrm{k},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},\mathrm{m}\right)\to \left(\mathrm{h},\mathrm{r},\mathrm{s}\mathrm{t}\right)$. Then $\mathrm{A}$ sends $\left({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right),{\mathrm{m}}^{\prime }\right)$ to $\mathrm{B}$, calling the oracle ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$.

After receiving the tuple $\left({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)\right)$, $\mathrm{B}$ checks its correctness. If correct, $\mathrm{B}$ selects ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }$ as the new sub-public key, parses $\mathrm{h}$ = ${\mathrm{h}}_1$ and $\mathrm{r}$ = (${\mathrm{r}}_1,{\mathrm{r}}_2,{\mathrm{h}}_2)$, and then calculates ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{{\mathrm{C}\mathrm{H}}_2}\left({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },\mathrm{m}\right)\to ({\mathrm{r}}_2^{\prime },{\mathrm{h}}_2^{\prime })$. $\mathrm{B}$ sends $\left.\left(({\mathrm{h}}_1,{\mathrm{r}}_1,{\mathrm{h}}_2||{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right.),{\mathrm{h}}_2^{\prime }||{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$ to challenger ${\mathrm{C}}_1$ to find a collision. Then, $\mathrm{B}$ sets the state of $\mathrm{h}$ to ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }$. After validating the query, challenger ${\mathrm{C}}_1$ finds the collision using $\mathrm{M}\mathrm{s}\mathrm{k}$ and returns ${\mathrm{r}}_1^{\prime }$ to $\mathrm{B}$. Finally, $\mathrm{B}$ sends $\left(\right({\mathrm{r}}_1^{\prime },{\mathrm{r}}_2^{\prime },{\mathrm{h}}_2^{\prime }),{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime })$ to $\mathrm{A}$.

$\mathrm{A}$ can select any ${\mathrm{m}}^{\prime \prime }\in \mathrm{M}$ and query ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$. $\mathrm{B}$ can query ${\mathrm{C}}_2$ to get ${\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}_{{\mathrm{C}\mathrm{H}}_2}\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },\left({\mathrm{h}}_2^{\prime },{\mathrm{r}}_2^{\prime },\mathrm{m}\right),{\mathrm{m}}^{\prime }\right)\to {\mathrm{r}}_2^{\prime \prime }$ to simulate ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$. $\mathrm{A}$ can query ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$ multiple times within polynomial time $\mathrm{p}\mathrm{l}\mathrm{o}\mathrm{y}\left(\lambda \right)$. A returns ${(\mathrm{m}}^{\prime *},{\mathrm{r}}^{\prime *})$ to $\mathrm{B}$, and $\mathrm{B}$ parses ${\mathrm{r}}^{\prime *}$ = $\left({\mathrm{r}}_1^{\prime *},{\mathrm{r}}_2^{\prime *},{\mathrm{h}}_2^{\prime *}\right)$. If the result is validated through the verification in Figure 5, it means ${(\mathrm{h}}_2^{\prime *}\left|\right|{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime })$ is the message of ${\mathrm{h}}_1$. If ${\mathrm{h}}_2^{\prime *}$ = ${\mathrm{h}}_2^{\prime }$, $\mathrm{B}$ can use $\left({(\mathrm{m}}^{\prime *}\right|\left|{\mathrm{r}}_2^{\prime *}\right)$ to break ${\mathrm{C}}_2$. Conversely, $\mathrm{B}$ can use ${(\mathrm{h}}_2^{\prime *}\left|\right|{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime })$ to break ${\mathrm{C}}_1$. Therefore, the possibility that $\mathrm{A}$ can break the update key collision resistance of RBAU is $\mathrm{p}$ = ${\mathrm{p}}_1+{\mathrm{p}}_2$. Similarly, both can be neglected.

4.1.4. The Subkey Updatability

The holder of the master key $\mathrm{M}\mathrm{s}\mathrm{k}$ can limit the collision of a specific hash value $\mathrm{h}$ by updating the sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$. The requirement for sub-key updateability is that once the sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$ related to the hash value $\mathrm{h}$ is updated, its holder will no longer be able to compute any collisions for hash value $\mathrm{h}$. Experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{U}\mathrm{p}\mathrm{d}}\left(\lambda \right)$ defines key updatability, and the specific process is shown in Figure 7. Formally, if all adversaries $\mathrm{A}$ believe in $\mathrm{P}\mathrm{r}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{U}\mathrm{p}\mathrm{d}}\left(\lambda \right)=1\right]\le \mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(\mathsf{\lambda }\right)$, RBAU is sub-key updatable. It is worth noting that although the updated user key $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$ cannot compute a valid collision for $\mathrm{h}$, it can still compute collisions for other hash values.

In the experiment, adversary $\mathrm{A}$ holds the public key $\mathrm{M}\mathrm{p}\mathrm{k}$ and selects a user sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$. Then, using ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}$ and $\mathrm{M}\mathrm{p}\mathrm{k}$, they compute the tuple $\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)$. $\mathrm{A}$ will call the oracle ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$ and obtain a new sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$, where $\mathrm{O}\mathrm{p}\mathrm{k}$ represents the original sub-public key ${\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}$. Experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{U}\mathrm{p}\mathrm{d}}\left(\lambda \right)$ will maintain the state st of the hash value $\mathrm{h}$. Then, $\mathrm{A}$ uses the new sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$ and calls the oracle ${\mathrm{O}}^{\mathrm{s}\mathrm{k}\mathrm{A}\mathrm{d}\mathrm{a}\mathrm{p}\mathrm{t}}$ to obtain a valid collision for $\mathrm{h}$. The message ${\mathrm{m}}^{\prime *}$ can be queried. After some time, if $\mathrm{A}$ can find a valid collision for the original sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$ with respect to $\mathrm{h}$, then ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{U}\mathrm{p}\mathrm{d}}\left(\lambda \right)$ outputs 1.

In RBAU, the injective function $\mathrm{f}:\mathrm{p}\mathrm{k}\to \mathrm{s}\mathrm{t}\mathrm{a}\mathrm{t}\mathrm{e}$ is set as the identity mapping. Therefore, the probability of sub-key updatability being compromised is equivalent to the probability that two key pairs randomly generated from ${\mathrm{U}\mathrm{s}\mathrm{k}\mathrm{G}\mathrm{e}\mathrm{n}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}$ are the same. However, this probability is negligible. Thus, RBAU is sub-key updatable.

4.1.5. The Non-Updatability of the Master Key

The requirement for the non-updatability of the master key is that an adversary $\mathrm{A}$, who does not have the master key $\mathrm{M}\mathrm{s}\mathrm{k}$, cannot update the user key pair sp. It is formally defined by experiment ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{M}\mathrm{s}\mathrm{k}\mathrm{R}\mathrm{R}}\left(\lambda \right)$, as shown in Figure 8. Formally, if all adversaries $\mathrm{A}$ believe in $\mathrm{P}\mathrm{r}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{M}\mathrm{s}\mathrm{k}\mathrm{R}\mathrm{R}}\left(\lambda \right)=1\right]\le \mathrm{n}\mathrm{e}\mathrm{g}\mathrm{l}\left(\lambda \right)$, then RBAU has master key non-updatability.

In the experiment, an adversary $\mathrm{A}$ holding the public key $\mathrm{M}\mathrm{p}\mathrm{k}$ can query the oracle ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$. $\mathrm{A}$ can select a user key pair $\left(\mathrm{s}\mathrm{k},\mathrm{p}\mathrm{k}\right)$ and compute a tuple $\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)$. Then, $\mathrm{A}$ selects a new message ${\mathrm{m}}^{\prime }$ and queries the oracle ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$ for $\left(\mathrm{p}\mathrm{k},\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)\right)$. ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$ returns a new verification string ${\mathrm{r}}^{\prime }$, a new user public key ${\mathrm{p}\mathrm{k}}^{\prime }$, and a new state ${\mathrm{s}\mathrm{t}}^{\prime }$ to $\mathrm{A}$. $\mathrm{A}$ can repeat the above process with different inputs within polynomial time $\mathrm{p}\mathrm{l}\mathrm{o}\mathrm{y}\left(\lambda \right)$. ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{M}\mathrm{s}\mathrm{k}\mathrm{R}\mathrm{R}}\left(\lambda \right)$ does not require the maintenance of state, as it allows $\mathrm{A}$ to generate arbitrary hash values ${\mathrm{h}}^{*}$ as well as two state values ${\mathrm{s}\mathrm{t}}^{*}$ and $\mathrm{s}{\mathrm{t}}^{\prime *}$. After the query, if $\mathrm{A}$ can perform a new update related to the selected tuple $\left({\mathrm{h}}^{*},{\mathrm{m}}^{*},{\mathrm{r}}^{*},{\mathrm{p}\mathrm{k}}^{*},{\mathrm{s}\mathrm{t}}^{*}\right)$, ${\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathrm{A},\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}^{\mathrm{M}\mathrm{s}\mathrm{k}\mathrm{R}\mathrm{R}}\left(\lambda \right)$ outputs 1.

Adversary $\mathrm{B}$ receives $\mathrm{M}\mathrm{p}\mathrm{k}$ as the challenge key from challenger ${\mathrm{C}}_1$ and sends it to $\mathrm{A}$. $\mathrm{A}$ can select $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right)$ and $\mathrm{m}$ based on $\mathrm{M}\mathrm{p}\mathrm{k}$ and compute ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{\mathrm{C}\mathrm{H}\mathrm{S}\mathrm{U}}\left(\mathrm{M}\mathrm{p}\mathrm{k},{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},\mathrm{m}\right)\to \left(\mathrm{h},\mathrm{r},\mathrm{s}\mathrm{t}\right)$, then send $\left({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right),{\mathrm{m}}^{\prime }\right)$ to $\mathrm{B}$ for querying the oracle ${\mathrm{O}}^{\mathrm{U}\mathrm{p}\mathrm{d}\mathrm{a}\mathrm{t}\mathrm{e}}$. After receiving $\left({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}},\left(\mathrm{h},\mathrm{r},\mathrm{m},\mathrm{s}\mathrm{t}\right)\right)$, $\mathrm{B}$ checks its correctness. If correct, $\mathrm{B}$ first parses $\mathrm{h}$ = ${\mathrm{h}}_1$ and $\mathrm{r}$ = (${\mathrm{r}}_1,{\mathrm{r}}_2,{\mathrm{h}}_2)$. Then, $\mathrm{B}$ randomly selects a new sub-key pair $\left({\mathrm{s}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$ and computes ${\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}}_{{\mathrm{C}\mathrm{H}}_2}\left({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime },\mathrm{m}\right)\to ({\mathrm{r}}_2^{\prime },{\mathrm{h}}_2^{\prime })$. $\mathrm{B}$ sends $\left.\left(({\mathrm{h}}_1,{\mathrm{r}}_1,{\mathrm{h}}_2||{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}\right.),{\mathrm{h}}_2^{\prime }||{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime }\right)$ to challenger ${\mathrm{C}}_1$ to find a collision. After validating the query, challenger ${\mathrm{C}}_1$ will use $\mathrm{M}\mathrm{s}\mathrm{k}$ to find the collision and return ${\mathrm{r}}_1^{\prime }$ to $\mathrm{B}$. Finally, $\mathrm{B}$ sends $\left(\right({\mathrm{r}}_1^{\prime },{\mathrm{r}}_2^{\prime },{\mathrm{h}}_2^{\prime }),{\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime })$ back to $\mathrm{A}$.

A returns $\left({\mathrm{h}}^{*},{({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{*},\mathrm{m}}^{*},{\mathrm{r}}^{*},{\mathrm{s}\mathrm{t}}^{*}),{({\mathrm{p}\mathrm{k}}_{\mathrm{u}\mathrm{i}\mathrm{d}}^{\prime *},\mathrm{m}}^{*},{\mathrm{r}}^{\prime *},{\mathrm{s}\mathrm{t}}^{\prime *})\right)$ to $\mathrm{B}$. $\mathrm{B}$ parses ${\mathrm{r}}^{*}$ = $\left({\mathrm{r}}_1^{*},{\mathrm{r}}_2^{*},{\mathrm{h}}_2^{*}\right)$ and ${\mathrm{r}}^{\prime *}$ = $\left({\mathrm{r}}_1^{\prime *},{\mathrm{r}}_2^{\prime *},{\mathrm{h}}_2^{\prime *}\right)$. If the result can be validated through Figure 7, $\mathrm{B}$ can use hh to break ${\mathrm{C}}_1$. Therefore, the possibility that $\mathrm{A}$ can break RBAU’s master key non-updatability is equal to the possibility that B can break the enhanced collision resistance of ${\mathrm{C}\mathrm{H}}_1$, which can be considered negligible.

4.2. Experimental Results and Analysis

4.2.1. Experimental Environment

This experiment implements the Chameleon Hash algorithm based on Java 17.0.3 and uses the Type A prime-order elliptic curve from the JPBC 2.0.0 library to perform related bilinear pairings. The default public key length for the algorithm is 1024 bits, and the default private key length is 80 bits. To build a simulation environment for the FISCO BCOS alliance chain, this experiment installs several basic tools on an Ubuntu system, including OpenSSL, cURL, Git, Java, Solidity, and build_chain.sh. Among these, OpenSSL and cURL are dependencies for automated scripts when deploying nodes. Git is used as a version control tool for code development and testing. Java is used to call interfaces and serves as a tool for operations on the alliance chain. Solidity is used to implement specific business logic and develop smart contracts. build_chain.sh is a script tool for quickly setting up the blockchain. The device information for this experiment is shown in

Table 3. Environment of the experiment platform.

Configuration	Server	Computer
Memory	128 G	32 G
CPU	Intel Xeon Silver 4210(2) (Intel, Santa Clara, CA, USA)	i7-12700
Graphics card	RTX4090	RTX3070
Hard disk	6TSSD	1TSSD + 1THDD
OS	Ubuntu20.04/Win10	Ubuntu20.04
Bandwidth	300 M	300 M

.

4.2.2. Function Comparison

We compared our method with the literature [24,25,31,32,33] in terms of features such as technology, redaction type, decentralization degree, redaction review, personal data management, accountability, and key updatability, as shown in

Table 4. Comparison with advanced models.

Models	Blockchain-Based	Redaction Function	Redaction Mode	Degree of Decentralization	Redaction Review	Personal Data Management	Account- Ability	Key Update
Literature24	Alliance chain	Timing index	Logic	Multicenter	N	N	Y	N
Literature25	Alliance chain	Chameleon hash	Physics	Multicenter	N	N	Y	N
Literature31	Public chain	Chameleon hash	Physics	Semi-decentralized	N	N	Y	N
Literature32	Public chain	Chameleon hash	Physics	Semi-decentralized	Y	Y	Y	Y
Literature33	Public chain	Chameleon hash	Physics	Semi-decentralized	Y	N	Y	Y
Ours	Alliance chain	Chameleon hash	Physics	Multicenter	Y	Y	Y	Y

.

Clearly, this method is more comprehensive in its functionality. It supports redaction review, personal data management and redaction accountability. Moreover, it implements physical redaction and is multi-center. Additionally, it can revoke the redaction rights of malicious users through the update of sub-keys.

4.2.3. Algorithm Performance

To test the performance of this method, simulation experiments were conducted to evaluate the overhead of the sub-algorithms, and the results are shown in Figure 9. In the initialization phase, the execution time of the initialization algorithm (Setup) is negligible, while the execution time of the key generation algorithm (KeyGen) is 13 ms. In the block generation phase, the execution times of the hash generation algorithm (Hash) and the hash verification algorithm (Verify) are 45 ms each. In the block redaction phase, the execution time of the redaction request generation algorithm (RedactReq) is negligible, while the overhead of the redaction request verification algorithm (Redaction Ver) and the redaction algorithm (Adapt) is 55 ms and 23 ms, respectively. In the key update phase, the execution time of the key update algorithm (Update) is 59 ms. Note that the bit lengths of the system key pair and the user key pair are the same, and their generation overhead is roughly the same. In the figure, “Keygen” represents the generation overhead for both. Additionally, the time overhead of the redaction request verification algorithm is unstable and depends on the content of the redaction.

Clearly, the execution time of the Update algorithm is the longest. This is because its computation includes the full operations of the Keygen and Adapt algorithms, as well as part of the Hash algorithm. However, the Update algorithm is only executed when a malicious user is revoked from redaction a specific hash. Therefore, the actual execution frequency of the Update algorithm will be much lower than that of the other sub-algorithms. In conclusion, the execution times of the sub-algorithms in RBAU are acceptable.

The key length is a critical factor determining the security of the Chameleon Hash function. However, increasing the key length also increases the computational overhead and results in longer execution times. To balance algorithm efficiency and security, we tested the performance of each subalgorithm at key lengths of 80 bits, 160 bits, and 256 bits, with the results shown in Figure 9.

From Figure 10, it is evident that the execution time of each subalgorithm exhibits a linear relationship with the key length. Compared to the other two key lengths, the execution time is the longest when the key length is 256 bits. Specifically, the execution time of the Hash algorithm is approximately 137 ms, the Verify algorithm takes around 136 ms, and the Update algorithm has the longest execution time, about 177 ms. At the three key lengths tested, the execution times of the RBAU subalgorithms are all under 200 ms, which can generally meet the needs of food traceability scenarios.

4.2.4. Model Performance

To test the performance of the RBAU, the experiment compared it with the FISCO BCOS, which are networks that were set up. In both cases, the number of nodes was set to 100, with a consensus committee of five nodes.

(1)

Execution Time of the Transaction

The experiment tested the execution time of transactions on two blockchains, with the results shown in Figure 11. It can be observed from (a) that the execution time for the RBAU is slightly longer than that of FISCO. As shown in (b), when there are two transactions, the time difference between the two blockchains is smallest, about 0.04 s. However, when there are 18 transactions, the time difference is largest, around 0.08 s. The difference in execution time is mainly due to the RBAU using the Chameleon hash function instead of the standard hash function. The Chameleon hash function is more complex to compute, leading to a longer execution time. However, the time difference does not increase further as the number of transactions increases, remaining stable between 0.04 and 0.08 s. As shown in (c,d), the rate of change in execution time relative to transaction volume is concentrated between 0.04 and 0.05 s, with RBAU showing a more stable performance than FISCO.

(2)

Block Size of Transactions

The block size is one of the main indicators of the performance of alliance chains. To investigate this, an experiment was conducted comparing the block sizes of two blockchains with an equal number of transactions, as shown in Figure 12. It can be observed from (a) that the block size of both chains has a linear relationship with the number of transactions contained in the block. When the block contains 100 transactions, the RBAU has a block size of 102.4 KB, while FISCO’s block size is 81.9 KB. Clearly, the block size of the RBAU is slightly larger than that of FISCO. This difference is mainly due to the additional fields, such as extra data, added to the block structure in the RBAU. These fields increase the storage space required for each block. However, adding these extra elements is necessary to ensure that all redactions are recorded and can be held accountable. Moreover, as shown in (b), when each block contains 100 transactions, the block size difference between the two chains is only 20.48 KB.

(3)

Execution Time of Redaction

The execution time of redaction transactions and ordinary transactions in the RBAU was tested, and the results are shown in Figure 13. It can be observed from (a) that the execution time of redaction transactions is significantly longer than that of ordinary transactions. The execution time for two redaction transactions is approximately 0.41 s, while that for two ordinary transactions is about 0.22 s. As shown in (b), the average execution time difference per transaction between the two types is around 0.095 s at this stage. When each type of transaction is executed 20 times, the average execution time difference per transaction is approximately 0.026 s. Evidently, as the number of transactions increases, the execution time gap per transaction does not expand but rather decreases further. As shown in (c,d), the variation rate of redaction transaction time with transaction volume falls within the range of 0.03–0.09 s, and the stability of the variation rate for both types of transactions remains relatively consistent.

In summary, RBAU is comparable to FISCO in terms of transaction execution time, block size, and redaction execution time, with both demonstrating similar performance.

5. Conclusions

The alliance chain, with its characteristics of decentralization, immutability, and high transparency, has become a crucial supporting technology for driving digital transformation. However, as the application scenarios of alliance chain technology become increasingly complex, its core feature of immutability has gradually revealed limitations in practical use. To address this issue, RBAU introduces functionalities for data modification, deletion, and updating while maintaining the decentralization and high security of alliance chain technology. This provides an innovative solution to the shortcomings of flexibility and privacy protection in alliance chains. Therefore, this paper conducts an in-depth study on alliance chain redaction review and consensus mechanisms, hash function security schemes, and redaction strategies, proposing new methods for redactable blockchains.

• A redaction review and consensus mechanism for alliance chain is proposed. The K-medoids clustering algorithm is used to select the redaction center and multiple consensus committees. The redaction center utilizes a redaction request verification algorithm to conduct redaction reviews, while the consensus committees are grouped to perform block redaction and block consensus.
• A chameleon hash algorithm with updatable subkeys is proposed. The system master key enables the revocation of a user’s redaction rights by updating their subkey. Based on this, a dual-hash function scheme is implemented, enabling the chameleon hash function to work in coordination with standard hash functions.
• A redaction strategy is proposed to realize an RBAU model that supports redaction review, redaction accountability, personal data management, and subkey updates. Security analysis demonstrates the model’s security, and experimental results indicate that the performance of the RBAU is comparable to that of the FISCO alliance chain.

This model is capable of meeting the current demands of the alliance chain scenario, but as the number of nodes continues to grow on a large scale, the redaction efficiency will decrease. In the future, we will introduce reinforcement learning to optimize the consensus mechanism of the alliance chain. By adjusting the consensus participation weights and reward mechanisms based on the nodes’ response times, contributions, and other performance metrics, we aim to further improve redaction efficiency.