Efficient Attribute-Based Secure Data Sharing with Hidden Policies and Traceability in Mobile Health Networks

Mobile health (also written as mHealth) supports the practice of public health with mobile devices. mHealth systems let patients and healthcare providers collect and share sensitive information, such as electronic and personal health records (EHRs), at any time, allowing more rapid convergence to optimal treatment. Key to achieving this is sharing data securely by providing enhanced access control and reliability. Typically, such sharing follows policies that depend on patient and physician preferences defined by a set of attributes. In mHealth systems, not only the data but also the policies for sharing it may be sensitive, since the policies directly contain sensitive information that can reveal the underlying data they protect. Also, since the policies usually incur communication costs that grow linearly with the number of attributes, existing schemes are ill-suited to resource-constrained environments. Lastly, access privileges may be publicly known to users, so a malicious user could illegally share his access privileges without the risk of being traced. In this paper, we propose an efficient attribute-based secure data sharing scheme for mHealth. The proposed scheme guarantees a hidden policy, constant-sized ciphertexts, and traceability, with security analyses. The computation cost to the user is reduced by delegating approximately 50% of the decryption operations to the more powerful storage systems.


Introduction
mHealth is an abbreviation for mobile health, which can encompass a wide range of healthcare technologies such as mobile computing, medical sensors, and communication technologies [1]. Rapid growth in wireless communications, the availability and miniaturization of mobile devices, and computing resources in parallel with mobile and wearable systems can boost the wide adoption of mHealth. Such developments can greatly impact and reshape the processes of existing healthcare services. For instance, semiconductor-implanted smart intelligent sensors will allow drugs to be delivered in real time, reporting to a personal server when they sense a patient who needs a dose. Personal servers, such as mobile devices, supply global connectivity to the storage center, which can thereby serve clinical healthcare from a distance [2]. The storage center holds the information that forms the electronic health record (EHR), a digital version of a patient's paper chart. Physicians intermittently upload diagnostic reports based on their observations of the EHRs stored in the storage center. Figure 1 shows an example of an mHealth monitoring and data transfer system. Reportedly, a growing number of healthcare-specific mobile applications are available, and it has been estimated that about 500 million patients around the globe will be within reach of such apps as of 2015 [3].
EHRs contain sensitive information such as patients' medical history, diagnoses, immunization dates, allergies, and medications, all bound to the real identities of patients. That is, whoever can freely access the storage center is able to learn both the identity and the clinical information of a specific patient, which clearly threatens the patient's privacy. Thus, privacy concerns are arguably a major issue, and related requirements are enacted nationwide. For example, in the United States, compliance with HIPPA (Health Information Technology for Economic and Clinical Health Act) encourages healthcare providers not only to adopt EHRs but also to keep them confidential [4]. This clearly indicates that EHRs must be kept under strict conditions and be accessible only by authorized users. Unfortunately, standard encryption schemes are not suitable for mHealth systems for the following reasons [5].
(i) Absence of Proper Access Control. Well-known encryption schemes, such as AES, guarantee the confidentiality of data if security parameters are well chosen. However, such schemes are not designed to support fine-grained access control.
(ii) Expensive Key Management. Public key encryption schemes do not support one-to-many relationships between the ciphertext and decryption key, necessitating the burdensome distribution and management of public keys.
Since healthcare delivery is a decentralized process taking place across many institutional boundaries, standard approaches to securing health records include role-based access control, because the flexible assignment of permissions to a wide range of users is possible only with fine-grained access control. At the same time, the confidentiality of EHRs must be maintained without hindering clinical care by denying legitimate access requests of authorized users, such as doctors, nurses, lab technicians, researchers, and receptionists [6,7]. Thus, a variety of policy-based encryption schemes have been proposed to share data securely and provide reliable access control [8][9][10][11]. These schemes are promising in that the accessibility of shared data depends on the user's ability to satisfy a given policy. Furthermore, encryptors do not require a priori knowledge of the recipients, such as identities or certificates. Specifically, ciphertext-policy attribute-based encryption (CP-ABE) allows the construction of policies by utilizing attributes as public keys, thereby protecting shared data against unauthorized users [12][13][14][15][16]. As access to EHRs varies across the uneven distribution of healthcare providers and consumers and among population groups with different socioeconomic and demographic characteristics [17], CP-ABE is a convincing alternative to conventional cryptographic primitives for mHealth. CP-ABE can provide fine-grained and flexible access control to the shared data in mHealth systems.
It is notable that not only the data but also the policies for sharing that data are sensitive. Typically, the access policies may reveal sensitive information, such as the underlying data, the identity of a patient, or symptoms indicating which diseases a patient is suffering from. To some extent, patients are reluctant to expose such private information, preferring instead to keep their privacy intact by securing both the EHRs and their access policies. Although CP-ABE provides a desirable access policy, it has one drawback: the access policies attached to ciphertexts are public. From these access policies, unauthorized users can learn information about the underlying data itself. This weakness is known as the policy privacy problem.
To overcome the policy privacy problem, several CP-ABE schemes with hidden access policies were proposed [9,18]. In these schemes, the encryptor-chosen access policies are associated with each ciphertext in a hidden way, such that even an authorized user learns no information about the underlying policy other than that he is authorized to decrypt. Although these schemes feature hidden policies, they suffer from inefficiency; that is, the ciphertext size is linear in the number of attributes in the access policy.
To limit ciphertext size, Zhou et al. introduced a CP-ABE scheme which provides both a hidden access policy and a constant-sized ciphertext [19]. However, their scheme lacks user traceability. In general, most CP-ABE schemes supporting constant-sized ciphertexts or hidden access policies cannot trace malicious users who illegally share their decryption keys. Specifically, the secret keys of policy-based encryption consist of sharable attributes, so the decryption keys carry no uniquely identifiable information. Thus, if a malicious user leaks his decryption key to others, there is no clear evidence indicating that the key belongs to him. Although Li et al. proposed a CP-ABE scheme featuring a hidden access policy and traceability [20], it lacks constant-sized ciphertexts, resulting in increased communication and storage costs.

Contribution.
In this paper, we propose an efficient attribute-based secure data sharing scheme for mHealth with hidden policies and traceability. The proposed scheme enforces hidden access policies with wildcards and supports constant-sized ciphertexts, regardless of the number of attributes. Also, we embed a uniquely identifiable point into each decryption key in order to deter the user from intentionally distributing the decryption key to others, thereby achieving traceability. Additionally, the proposed scheme allows users to outsource part of the decryption process to the more powerful storage center to minimize computation cost on the user side. Our performance results show that the storage center computes almost 50% of the decryption process on behalf of users. To the best of our knowledge, this is the first construction that achieves all these functionalities simultaneously.
Organization. The rest of this paper is organized as follows. We begin with a discussion of related work in Section 2. In Section 3, we describe the cryptographic background and define a general CP-ABE with a hidden policy, constant-sized ciphertexts, and traceability. Section 4 describes the mHealth architecture and security model. In Section 5, we present the construction of the proposed scheme in detail, followed by a performance analysis in Section 6. We analyze its security in Section 7 and conclude the paper in Section 8.

Related Work
The idea of Identity-Based Encryption (IBE) was first introduced by Shamir [21]. In IBE, the encryptor makes an access policy based on an identity, and only a user with the matching identity obtains the decryption privilege. Encryption by identity, however, leads to the following limitations: the lack of a one-to-many relationship between the ciphertext and decryption key, and the need for the encryptor to know each user's identity in advance. Later, Sahai and Waters introduced Fuzzy Identity-Based Encryption, which is the first prototype of attribute-based encryption (ABE) [22]. While the IBE scheme views an identity as a string of characters, in ABE an identity is viewed as a set of descriptive attributes (a.k.a. an identity set) such as name and affiliation. The ABE scheme allows the encryption of a message based on some identity set, and the decryption ability is given if and only if a user's set is close enough to that identity set to satisfy a system-defined threshold. This property enables fine-grained access control and a one-to-many relationship between a ciphertext and its receivers, since anyone whose identity set satisfies a given threshold can obtain the decryption privilege. However, the threshold semantics are not very expressive and cannot support fine-grained access control. This drawback means that the threshold-based ABE scheme cannot be applied to more general systems.
In CP-ABE [12][13][14][15][16], a ciphertext is associated with an access policy, and decryption keys are labeled with an arbitrary number of attributes. The encryptor specifies an access policy over encryptor-chosen attributes. The access right is given if and only if the attributes in the decryption key satisfy the access policy in the ciphertext. In these schemes, however, the size of a ciphertext grows linearly with the number of attributes in the access policy, making them inapplicable to resource-constrained environments.
To limit the size of ciphertexts, Zhou and Huang proposed constant-sized CP-ABE (C-CP-ABE) with a logical AND access policy with wildcards [23]. This scheme limits the size of each ciphertext to at most 300 bytes in total, where a ciphertext consists of encrypted data, an access policy, and 2 bilinear group elements. Chen et al. further improved the C-CP-ABE scheme in terms of security [24], making it CPA-secure under a well-established assumption in the standard model without loss of efficiency. Overall, these schemes successfully make the size of ciphertexts constant. However, they reveal the underlying access policy publicly.
While previous works feature open access policies, Hur introduced a CP-ABE scheme with a hidden access policy for the smart grid [9]. To preserve policy privacy, a one-way anonymous key agreement scheme is used as a building block in order to replace identity hashes with user-generated pseudonyms. However, this scheme does not support constant-sized ciphertexts. Interestingly, an efficient CP-ABE scheme with a hidden policy was proposed in [19]. In this scheme, AND-gate access policies with wildcards are used, and each ciphertext header requires 2 bilinear group elements, each of which is limited to 100 bytes in total. Also, access policies are obfuscated by computing the intersection between a given access policy and an all-wildcard attribute set. This technique, however, partially leaks the access policy, because unauthorized users can at a minimum guess which attributes are treated as "do not care". In addition, the user must run the decryption algorithm at least once to determine whether he satisfies the access policy, since only decryption failure reveals whether the decryption key satisfies the underlying access policy.
The ability to resist illegal key sharing is a highly desirable characteristic for ABE. To achieve this, Li et al. introduced a user-accountable CP-ABE scheme that binds the user identity into the private key, thereby allowing illegally shared keys to be traced [25]. Although this methodology has also been adopted by other traceable CP-ABE schemes [26,27], none of them fully support either constant-sized ciphertexts or hidden access policies. In addition to supporting these features, in this paper we also insert a unique identifier into each private key such that any key can be traced in constant time, regardless of the number of attributes.

Bilinear Map.
Let G 0 be a multiplicative cyclic group of large prime order. The bilinear map is defined as follows: (iii) Nondegeneracy. The pairing of the generator of G 0 with itself is not equal to 1.
(iv) Computability. There exists an efficient algorithm to compute the bilinear map.

Security Assumption.
The security of the proposed scheme is based on the Bilinear Diffie-Hellman Exponent (BDHE) assumption [28]. Let G 0 be a bilinear group of large prime order and let  be a generator of G 0 . The -BDHE problem in G 0 is defined as follows. Given the vector of 2+1 elements as the input, where   +1 is not in the vector, the goal of the computational -BDHE problem is to compute (, ℎ)  +1 . Define the set  ,, as Then, we have the following definition.
Definition 1 (Decisional -BDHE). The decisional -BDHE assumption is said to hold in G 0 if there is no probabilistic polynomial time adversary who is able to distinguish ⟨ℎ, ,  ,, ,  (, ℎ) with nonnegligible advantage, where ,  ∈ Z  and , ℎ ∈ G 0 are chosen independently and uniformly at random.
Formally, we have the following -SDH assumption.
Assumption 2 (-SDH). The -Strong Diffie-Hellman problem in G 0 is defined as follows: given a where the probability is over the random choice of  in Z *  .

One-Way Anonymous Key Agreement.
In this paper, the key idea used to obfuscate attributes in the policy starts from Boneh-Franklin Identity-Based Encryption [30]. In their scheme, a private key generator (PKG) takes the role of issuing private keys. It generates a private key   = (ID  )  ∈ G 0 for each user ID  using a master secret , where  : {0, 1} * → G 0 is a cryptographic hash function.
Based on [30], Kate et al. proposed a one-way anonymous key agreement scheme by replacing (ID  ) with a pseudonym chosen by each user [31]. This scheme guarantees anonymity for just one of the two users who engage in it. We give a specific example as follows. Suppose Alice and Bob hold identity ID  and identity ID  , respectively, and they are clients of the same key authority, which holds a master secret . Given the private key   =    = (ID  )  , Alice wants to communicate with Bob without disclosing her identity.
To achieve this, the key agreement protocol runs as follows: ( In this noninteractive manner, the session key is implicitly authenticated, such that Alice is assured that no one other than Bob can derive the key. Based on the BDH assumption, this protocol is proved secure in the random oracle model, satisfying unconditional anonymity, no impersonation, and session key secrecy. To hide the policy, we exploit the technique used in [9] as a building block instead of building a new method for policy obfuscation from scratch.

Definitions.
In this section, we define a general CP-ABE with hidden policy, constant-sized ciphertexts, and traceability capabilities for secure data sharing. The scheme consists of the following seven algorithms: (i)  () → (, ). The well-formed decryption key is guaranteed to work correctly in the well-formed decryption process.
In the proposed scheme, each public key component is mapped to an attribute value   . When encrypting data, the encryptor specifies an access policy , where   ∈ {+, −, * }.
The decryption succeeds only when the user's attribute set  satisfies the (obfuscated) policy .

mHealth Architecture
4.1. System Model. In mHealth systems, intelligent wireless sensors perform data acquisition and processing [32]. Individual sensors monitor certain physiological signals and communicate with each other and with the personal server, such as a tablet PC, as shown in Figure 1. Then, the personal server integrates the data received from the different sensors and plays the role of a gateway by sending data to the upper layer of the mHealth system. From a security point of view, the mHealth system components are categorized as follows: (1) Trust Authority. This is a key entity that issues the public and secret parameters for the mHealth system. It grants diverse access privileges to individual entities based on their attributes. The trust authority is assumed to be fully trusted in the mHealth system [10].
(2) Storage Center. This is a data repository that stores EHRs. In mHealth systems, hospitals or clinics with certain qualifications certified by the trust authority can be employed as a storage center. It is assumed to be honest-but-curious [10]. Thus, it will honestly execute the assigned tasks but would like to learn as much information from the encrypted data as possible.
(3) Encryptor. This is a patient who generates data and sends it to the storage center. It uses mobile devices to interact with the storage center. Encryptors are responsible for defining an access policy based on attributes, obfuscating the policy, associating it with the data, and encrypting the data according to the policy. Hereafter, we will use "encryptor" and "patient" interchangeably.
(4) User. This includes entities such as the patient, physicians, nurses, lab technicians, researchers, or receptionists who want to access EHRs contained in the storage center. A user will be authorized to decrypt a ciphertext given by the storage center if and only if his key satisfies the access policy of that ciphertext.

Security Model
CPA Security. The security model of the proposed scheme is similar to that of the CP-ABE scheme with constant-sized ciphertexts [23], except that each key query is labeled with an explicit identity and attributes are obfuscated. We first introduce the semantic security game. A CP-ABE scheme is considered CPA-secure if no probabilistic polynomial time adversary has a nonnegligible advantage in the following CPA security game.
(i) Init. The adversary chooses a challenge access policy  and gives it to the challenger. (vi) Guess. The adversary outputs a guess   ∈ {0, 1}.
The adversary wins the game if   =  under the restriction that  cannot satisfy the access policy . The adversary may run Phase 2 to make multiple key queries in the midst of the challenge. Note that the adversary declares the access policy at the start of the game. The advantage of an adversary in this game is defined as Traceability. The traceability definition for the proposed scheme is described by the following security game: (i) Setup. The challenger runs the Setup algorithm to obtain the public parameter PK. Then, the challenger gives PK to the adversary. (ii) KeyQuery. The adversary makes decryption key queries -times to the challenger, where the sets of attributes (id 1 ,  1 ), . . ., (id  ,   ) correspond to decryption keys. (iii) KeyForgery. The adversary outputs a decryption key SK * .

Policy Privacy. While sharing data in the mHealth system, the storage center or unauthorized users must learn no information about the attributes associated with the access policy of the encrypted data. Also, even authorized users should not obtain any information about these attributes other than the fact that they are authorized to access the data.

Proposed Scheme
5.1. System Architecture. The proposed data sharing process in the mHealth system runs as follows. An encryptor defines the access policy with a set of attributes, encrypts the EHRs associated with clinical reports under the policy, and uploads the ciphertext and the obfuscated policy to the storage center. When a user wants to access the uploaded data, he first generates a token using his attributes and sends it to the storage center. If the attributes in the token satisfy the access policy, then the storage center partially decrypts the ciphertext and sends the result to the user. Then, the user finishes the decryption of the ciphertext using his secret key and the partially decrypted ciphertext as inputs. The outline of the data sharing process is depicted in Figure 2.
(, , ) → ().  is an AND-gate access policy with  attributes specified by an encryptor   , where each attribute is either positive/negative or wildcard. The algorithm chooses a random  ∈ Z *  and computes   = (ℎ  , ()),  1 (  ) for all  ∈ , where  1 is a hash function  : G 1 → {0, 1} log  . Then, the access policy  is obfuscated by replacing each attribute with  1 (  ).
Next, the algorithm picks a random  ∈ Z  and computes a one-time symmetric key Key = (  ,  1 )  . It encrypts the message  as {} Key and computes   . Then, it computes The encryptor uploads CT to the storage center.
(   , Λ) → ( Λ,  ). When a user   needs to access the ciphertext of   in the storage center with a set of attributes Λ ⊨ ,   receives   from the storage center and generates the token for Λ as follows. For all  ∈ Λ, the algorithm computes   = (  ,    ) = (  , ()  ). Then, it constructs the token TK Λ,  = {  | ∀ ∈ Λ,   =  1 (  )}. Each   will be used as an index for the obfuscated attribute . The user   sends TK Λ,  to the storage center. ( Λ,  , ) → (  ). Given TK Λ,  from the user   , the storage center checks whether each   in the token satisfies the access policy associated with CT. If satisfied, the storage center partially decrypts CT using (id   , {    | ∀ ∈    }) as for all  ∈ . Then, it computes the product of all   as CT  = ∏ ∈   . The storage center sends CT  to   .
(,   , ) →   or ⊤. SK  is called well-formed if the following conditions hold: If SK  is well-formed, the algorithm searches for   in . If   is in , the algorithm outputs the corresponding id  ; if not, the algorithm outputs id 0 , indicating that the corresponding identity never appears in . If SK  is not well-formed, the algorithm outputs ⊤.
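The AND-gate policy matching performed between Encrypt, GenToken and PDecrypt above, as an added illustration that is not the paper's own code. The pairing-derived per-attribute index H1(e(h^r, H(a))) is replaced here by a keyed hash (an assumption made so the logic runs offline, not the scheme's cryptography); only the wildcard semantics and the storage center's view of hashed indices are demonstrated.

```python
import hashlib
import hmac

# Stand-in for the pairing-derived index: in the paper, both the encryptor
# (from h^r and H(a)) and a key holder (from the ciphertext component and his
# key component for a) compute the same value without the storage center
# being able to. Here a shared secret plus HMAC plays that role (assumption).
def attribute_index(shared_secret: bytes, attribute: str) -> str:
    return hmac.new(shared_secret, attribute.encode(), hashlib.sha256).hexdigest()


def obfuscate_policy(shared_secret: bytes, policy: dict) -> dict:
    """Encryptor side. policy maps attribute name -> '+', '-' or '*'.

    Wildcard ('*') attributes are "do not care" and impose no constraint, so
    nothing about them is stored; the remaining attributes are replaced by
    their index so the storage center never sees an attribute name.
    """
    for sign in policy.values():
        if sign not in ("+", "-", "*"):
            raise ValueError("policy signs must be one of +, -, *")
    return {attribute_index(shared_secret, a): s for a, s in policy.items() if s != "*"}


def gen_token(shared_secret: bytes, user_attributes: set) -> set:
    """User side: the token is the set of indices of the user's attributes."""
    return {attribute_index(shared_secret, a) for a in user_attributes}


def token_satisfies(obfuscated_policy: dict, token: set) -> bool:
    """Storage center side: AND-gate check before partial decryption.

    Every positive attribute must be present in the token and every negative
    attribute must be absent; the check never needs the attribute names.
    """
    for index, sign in obfuscated_policy.items():
        if sign == "+" and index not in token:
            return False
        if sign == "-" and index in token:
            return False
    return True


# Constructed sample scenario (not from the paper).
SECRET = b"constructed-shared-secret"
POLICY = {"physician": "+", "cardiology": "+", "researcher": "-", "receptionist": "*"}
OBFUSCATED = obfuscate_policy(SECRET, POLICY)


def access_decision(user_attributes: set) -> bool:
    """Full flow for one user: token generation, then the storage center check."""
    return token_satisfies(OBFUSCATED, gen_token(SECRET, user_attributes))


if __name__ == "__main__":
    print("cardiologist:", access_decision({"physician", "cardiology"}))
    print("cardiologist who is also a researcher:",
          access_decision({"physician", "cardiology", "researcher"}))
    print("physician without cardiology:", access_decision({"physician"}))
    print("receptionist attribute is ignored:",
          access_decision({"physician", "cardiology", "receptionist"}))
```

Note that the storage center still learns how many non-wildcard attributes the policy has; hiding that count is outside what this illustration models.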

Performance Analysis
In this section, we analyze the performance of the proposed scheme compared with previous schemes, including a constant-sized ciphertext scheme [23], a hidden policy scheme [25], and a traceability scheme [26]. We compare each scheme in several ways, such as the computational cost of encryption and decryption, the ciphertext length, and the complexity assumption. Also, we implemented the proposed scheme to evaluate its actual performance. We programmed our system using the Java-based pairing-based cryptography (jPBC) library [33] on a GIGABYTE desktop with 4 Intel Core i5-3570 3.40 GHz CPUs and 4 GB RAM, running Windows 7 Ultimate K. Table 1 shows the results of comparing the different schemes. The notations we use in the table are as follows:  denotes the number of attributes involved in the access policy,  denotes the number of attributes in the attribute universe, ex denotes the exponentiation operation, and  denotes the pairing operation. Note that, following convention, the bit-length of the expression of the access policy and its computational costs over Z  are ignored.
In terms of computational cost, the constant-sized ciphertext scheme [23] shows the best encryption phase efficiency, requiring a constant number of exponentiations. The proposed scheme also needs two exponentiations in data encryption, but an additional  pairing operations are required to obfuscate the access policy. In the decryption phase, the proposed scheme requires more computations than [23], since the user identity is exponentiated to every attribute value to support traceability. In contrast to [25,26], the proposed scheme requires approximately  exponentiations. With regard to ciphertext length, the proposed scheme and [23] guarantee constant-sized ciphertexts. On the other hand, the hidden policy scheme [25] and the traceability scheme [26] incur linearly increasing ciphertexts as the attribute number  increases. Overall, the proposed scheme is efficient in terms of ciphertext size and provides a hidden policy and traceability at the cost of more exponentiation operations.
Figure 3 shows the computation overhead incurred in the core algorithms, Setup, KeyGen, Encrypt, GenToken, Decrypt, PDecrypt, and Trace, under various conditions. The token generation process requires pairing operations whose time is linear in the number of attributes. Figure 3(e) shows the partial decryption time at the storage center and the decryption time at the user against the number of attributes. Interestingly, the storage center can undertake nearly 50% of the whole decryption process on behalf of users. This property can be most useful for relatively resource-constrained user-side devices. Lastly, Figure 3(f) shows the trace time with different numbers of attributes and users. The trace time depends only, but not strongly, on the number of users.
Further Efficiency Improvement. jPBC is a complete Java port of the PBC library, which was originally written in C [34]. Java is widely considered to be slower than C because Java programs run on the Java Virtual Machine rather than directly on the computer's processor. Based on this, we additionally provide benchmark comparison results between jPBC and PBC in order to demonstrate how fast the proposed scheme can be when implemented in the C language [33].
Table 2 shows the performance comparison between Java and C with respect to pairing and exponentiation operations conducted on the same machine. The two libraries were applied to the curve  2 =  3 +  over the field F  for some prime  = 3 mod 4. The order of F  is some prime factor of  + 1 [33]. Since the cost of the pairing operation in PBC is approximately 12 seconds less than in jPBC, PBC is expected to improve the performance of pairing-dependent algorithms, such as GenToken and the policy obfuscation process in Encrypt, by up to 81%. Similarly, the costs of the exponentiation operations in G 1 and G  are reduced by 14.47 and 1.583 seconds, respectively. Such a difference between the two libraries implies that moving from a Java to a C implementation of the proposed scheme can speed up the Setup and KeyGen algorithms by approximately 77.8% and the PDecrypt and Decrypt algorithms by approximately 74.9%.

Figure 1: Typical system architecture of mHealth monitoring systems.

(ii) Setup. The challenger runs the Setup algorithm and gives the adversary the public parameter PK. (iii) Phase 1. The adversary queries the challenger for decryption keys corresponding to (id, ), where  ⊭ . The challenger answers with a decryption key SK for . The adversary repeats this phase adaptively. (iv) Challenge. The challenger obtains {⟨ 0 ,  1 ⟩, Key} by running the Encrypt algorithm. The challenger sets Key 0 = Key and picks a random Key 1 of the same length as Key 0 . It then flips a random coin  ∈ {0, 1} and gives {⟨ 0 ,  1 ⟩, Key  } to the adversary. (v) Phase 2. It is the same as Phase 1.

Figure 2: Overview of the proposed data sharing process.

Figure 3: Time costs of different algorithms.

Figure 3(b) shows the total key generation time against different numbers of attributes. The setup occurs only once at the start of the system, and key generation occurs every time a new user joins. Figure 3(c) shows encryption time against different numbers of attributes. It increases linearly due to the time taken to obfuscate the policy attached to the data. Figure 3(d) shows the token generation time against the number of attributes.
The Setup algorithm takes as input the number of attributes . It outputs a public key PK and a master key MK and initializes an identity table  = 0. (ii)  (, , , ) → (). The key generation algorithm takes as input the master key MK, the public key PK, and the user's attribute set  with identity id. It outputs a decryption key SK and inserts id into . (iii) (, , ) → (). The encryption algorithm takes as input the public key PK, an access policy , and a message . It outputs a ciphertext CT such that only users whose decryption keys satisfy  are able to extract . CT is associated with the obfuscated policy . (, ,   , ) →  or ⊥. The decryption algorithm takes as input the public key PK, a decryption key SK, and the ciphertexts CT  , CT. If  ⊨ , then it outputs a message , where  is the user's attribute set and  is the access policy. Otherwise, it outputs ⊥, which indicates the failure of decryption. (vii) (, , ) →  or ⊤. The tracing algorithm takes as input the public key PK, a decryption key SK, and the table . It determines whether SK is well-formed, indicating that SK is a genuine output of KeyGen. If SK is well-formed, the algorithm outputs the identity id which corresponds to SK. Otherwise, it outputs ⊤, implying that SK is not well-formed.

Table 1: Comparison of different schemes.
7.1. Data Confidentiality. In this section, we reduce the chosen plaintext attack (CPA) security of the proposed scheme to the decisional -BDHE problem. Given an access policy , a user with an attribute set  ⊭  colludes with  ≤  decryption proxies. Intuitively, this attack succeeds if  ∪ { 1 , ...,   } ⊨ . Based on the CPA security game in Section 4.2, we have the following. Suppose that an adversary A's advantage in winning the game is . Then, we can construct a simulator B which solves the decisional -BDHE problem with advantage /2. The simulator B takes an input vector (ℎ, ,  ,, , ), where  is either (, ℎ)  +1 or a random element in G 0 . Then, B breaks the decisional -BDHE problem with advantage /2. Specifically, B takes a random decisional -BDHE challenge ⟨ℎ, ,  ,, , ⟩ as input, where  is either (, ℎ)  +1 or a random value. Next, B runs the following CPA game in the role of the challenger.
Theorem 7. If a probabilistic polynomial time adversary wins the CPA security game with a nonnegligible advantage, then one can construct a simulator that distinguishes a decisional -BDHE tuple with a nonnegligible advantage. Proof.