Attribute-Based Encryption Resilient to Auxiliary Input

Conference paper. Provable Security (ProvSec 2015). Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9451).
Abstract

The auxiliary input model defines a class of computationally uninvertible function families \(\mathcal {F}\) to simulate a large class of leakage. Such a function \(f\in \mathcal {F}\) can information-theoretically reveal the entire secret key SK, but it is still computationally infeasible to recover SK from f(SK). That means SK can be used for multiple tasks, since SK doesn’t need to be continually refreshed. We propose the first CP-ABE scheme based on linear secret sharing schemes, that can tolerate leakage on master key and attribute-based secret keys with auxiliary input(AI). For the security proof of our scheme, we present three modified assumptions in composite order bilinear groups, and prove their hardness. Under these modified assumptions, our scheme can be proved AI-CPA secure in the standard model. Finally, we devise a key-policy ABE scheme also resilient to auxiliary input.


Notes

  1. "non-negligible probability" means that the probability cannot be ignored.

  2. The definitions of normal and semi-functional keys and ciphertexts are used only in the security proof; they play no role in the construction.

  3. The access structure \(\mathbb {A}\) is a monotone collection of non-empty subsets of \(\varSigma \).

  4. \(\bar{j}\) is used to index the attribute set and the secret key.

  5. If the key is generated randomly, then \(k_A\) equals the length of the secret key.

  6. \(g(k_A)\) is a non-negligible probability function.

  7. In the auxiliary input model, no hard-to-invert function \(f\in \mathcal {F}\) allows the secret key SK to be recovered from f(SK), even when the min-entropy of SK is 0.

  8. \(\mathbb {S}\) is a subset of the number set \(\varSigma \).

  9. Since each attribute is mapped to a random number in \(\mathbb {Z}_N\), \(\rho \) can be defined as \(\rho : \mathbb {Z}_N^l\rightarrow \varSigma \).

  10. Here, each attribute is mapped to a random number in \(\mathbb {Z}_N\).

References

  1. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)

  2. Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005)

  3. Yuen, T.H., Chow, S.S.M., Zhang, Y., Yiu, S.M.: Identity-based encryption resilient to continual auxiliary leakage. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 117–134. Springer, Heidelberg (2012)

  4. Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010)

  5. Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010)

  6. Goyal, V., Jain, A., Pandey, O., Sahai, A.: Bounded ciphertext policy attribute based encryption. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 579–591. Springer, Heidelberg (2008)

  7. Beimel, A., Gal, A., Paterson, M.: Lower bounds for monotone span programs. Comput. Complex. 6(1), 29–45 (1997)

  8. Pandit, T., Barua, R.: Efficient fully secure attribute-based encryption schemes for general access structures. In: Takagi, T., Wang, G., Qin, Z., Jiang, S., Yu, Y. (eds.) ProvSec 2012. LNCS, vol. 7496, pp. 193–214. Springer, Heidelberg (2012)

  9. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009)

  10. Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011)

  11. Beimel, A.: Secure schemes for secret sharing and key distribution. Ph.D. thesis, Israel Institute of Technology, Technion, Haifa, Israel (1996)

  12. Zhang, M., Shi, W., Wang, C., Chen, Z., Mu, Y.: Leakage-resilient attribute-based encryption with fast decryption: models, analysis and constructions. In: Deng, R.H., Feng, T. (eds.) ISPEC 2013. LNCS, vol. 7863, pp. 75–90. Springer, Heidelberg (2013)

  13. Dodis, Y., Goldwasser, S., Tauman Kalai, Y., Peikert, C., Vaikuntanathan, V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 361–381. Springer, Heidelberg (2010)

  14. Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 474–495. Springer, Heidelberg (2009)

  15. Alwen, J., Dodis, Y., Naor, M., Segev, G., Walfish, S., Wichs, D.: Public-key encryption in the bounded-retrieval model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 113–134. Springer, Heidelberg (2010)

  16. Dodis, Y., Lewko, A., Waters, B., Wichs, D.: Storing secrets on continually leaky devices. In: FOCS 2011, pp. 688–697 (2011)

  17. Yang, B., Zhang, M.: LR-UESDE: a continual-leakage resilient encryption with unbounded extensible set delegation. In: Takagi, T., Wang, G., Qin, Z., Jiang, S., Yu, Y. (eds.) ProvSec 2012. LNCS, vol. 7496, pp. 125–142. Springer, Heidelberg (2012)

  18. Zhang, M., Yang, B., Takagi, T.: Bounded leakage-resilient functional encryption with hidden vector predicate. Comput. J. 56(4), 464–477 (2013). Oxford

  19. Canetti, R., Dodis, Y., Halevi, S., Kushilevitz, E., Sahai, A.: Exposure-resilient functions and all-or-nothing transforms. In: EUROCRYPT, pp. 453–469 (2000)

  20. Kamp, J., Zuckerman, D.: Deterministic extractors for bit-fixing sources and exposure-resilient cryptography. In: FOCS, pp. 92–101 (2003)

  21. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS, pp. 293–302 (2008)

  22. Faust, S., Kiltz, E., Pietrzak, K., Rothblum, G.N.: Leakage-resilient signatures. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 343–360. Springer, Heidelberg (2010)

  23. Alwen, J., Dodis, Y., Naor, M., Segev, G., Walfish, S., Wichs, D.: Public-key encryption in the bounded-retrieval model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 113–134. Springer, Heidelberg (2010)

  24. Alwen, J., Dodis, Y., Wichs, D.: Leakage-resilient public-key cryptography in the bounded-retrieval model. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 36–54. Springer, Heidelberg (2009)

  25. Di Crescenzo, G., Lipton, R.J., Walfish, S.: Perfectly secure password protocols in the bounded retrieval model. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 225–244. Springer, Heidelberg (2006)

  26. Dodis, Y., Haralambiev, K., Lopez-Alt, A., Wichs, D.: Cryptography against continuous memory attacks. In: FOCS, pp. 511–520 (2010)

  27. Lewko, A., Rouselakis, Y., Waters, B.: Achieving leakage resilience through dual system encryption. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 70–88. Springer, Heidelberg (2011)

Acknowledgments

This research is partially supported by the National Natural Science Foundation of China under Grant No.61373006, NSFC/RGC Joint Research Scheme of Hong Kong and China (N-HKU 729/13) and seed funding projects of HKU (201311159040 and 201411159142).

Corresponding author: Zhiwei Wang.

Appendices

A Proofs of Three Modified Assumptions

We adopt the notation of [4] and write an element \(g_1^{a_1}g_2^{a_2}g_3^{a_3}\) of \(\mathbb {G}\) as \((a_1,a_2,a_3)\). The element \(\hat{e}(g_1,g_1)^{a_1}\hat{e}(g_2,g_2)^{a_2}\hat{e}(g_3,g_3)^{a_3}\) of \(\mathbb {G}_T\) is written \([a_1,a_2,a_3]\). Capital letters denote random variables; for example, \(X=(X_1,Y_1,Z_1)\) denotes a random element of \(\mathbb {G}\). We say that X is dependent on \(\{A_i\}\) if there exist values \(\lambda _i\in \mathbb {Z}_N\) such that \(X=\sum _i \lambda _i A_i\); otherwise X is independent of \(\{A_i\}\). For the security proof we review the following two theorems from [9].

Theorem 3

(Theorem A.1 in [9]). Let \(N=\prod _{i=1}^m p_i\) be a product of distinct primes, each greater than \(2^\lambda \). Let \(\{A_i\}\) be a set of random variables over \(\mathbb {G}\), and let \(\{B_i\}, T_0, T_1\) be random variables over \(\mathbb {G}_T\), where all variables have degree greater than t. The following game between an adversary \(\mathfrak {A}\) and a challenger \(\mathfrak {C}\) is played in the generic group model.

Given \(N,\{A_i\},\{B_i\}\), \(\mathfrak {C}\) chooses a random bit b and sends \(T_b\) to \(\mathfrak {A}\). \(\mathfrak {A}\) outputs a bit \(b'\) and wins the game if \(b'=b\).

If the following conditions are satisfied, then \(\mathfrak {C}\) can find a nontrivial factor of N by using \(\mathfrak {A}\), in time polynomial in \(\lambda \), with probability at least \(\delta -\mathcal {O}(q^2t/2^\lambda )\).

  1. Each of \(T_0\) and \(T_1\) is independent of \(\{B_i\}\cup \{\hat{e}(A_i,A_j)\}\).

  2. \(\mathfrak {A}\) issues at most q queries and has advantage \(\delta \) in the above game.

Theorem 4

(Theorem A.2 in [9]). Let \(N=\prod _{i=1}^m p_i\) be a product of distinct primes, each greater than \(2^\lambda \). Let \(\{A_i\}\) be a set of random variables over \(\mathbb {G}\), and let \(\{B_i\}, T_0, T_1\) be random variables over \(\mathbb {G}_T\), where all variables have degree greater than t. The game between an adversary \(\mathfrak {A}\) and a challenger \(\mathfrak {C}\) is the same as above.

Let \(S:=\{i\mid \hat{e}(T_0,A_i)\ne \hat{e}(T_1,A_i)\}\). If the following conditions are satisfied, then \(\mathfrak {C}\) can find a nontrivial factor of N by using \(\mathfrak {A}\), in time polynomial in \(\lambda \), with probability at least \(\delta -\mathcal {O}(q^2t/2^\lambda )\).

  1. Each of \(T_0\) and \(T_1\) is independent of \(\{A_i\}\).

  2. For all \(k\in S\), \(\hat{e}(T_0,A_k)\) and \(\hat{e}(T_1,A_k)\) are independent of \(\{B_i\}\cup \{\hat{e}(A_i,A_j)\}\cup \{\hat{e}(T_1,A_i)\}_{i\ne k}\).

  3. \(\mathfrak {A}\) issues at most q queries and has advantage \(\delta \) in the above game.

We apply these two theorems to prove the hardness of our modified assumptions in the generic group model.

Modified 1-SDP assumption. To prove this assumption we use Theorem 4. First, we express the assumption as:

$$\begin{aligned} A_1 &= (1,0,0), \quad A_2=(0,0,X_3)\\ \{T_{0i} &= (X_{1i},X_{2i},0)\}_{i\in [m]}, \quad \{T_{1i}=(X_{1i},0,0)\}_{i\in [m]} \end{aligned}$$

Since \(\hat{e}(T_{0i},A_1)=[X_{1i},0,0]=\hat{e}(T_{1i},A_1)\) and \(\hat{e}(T_{0i},A_2)=[0,0,0]=\hat{e}(T_{1i},A_2)\), we have \(S=\emptyset \). For all \(i\in [m]\), \(T_{0i}\) and \(T_{1i}\) are independent of \(\{A_1,A_2\}\), since \(X_{1i}\) appears in neither \(A_1\) nor \(A_2\). Then, in the game of Theorem 4, if for some \(i\in [m]\) the adversary \(\mathfrak {A}\) can distinguish \(T_{0i}\) from \(T_{1i}\) with probability \(\delta \), N can be factored with probability less than \(\delta \). Since finding a nontrivial factor of N is hard, the modified 1-SDP assumption holds.

Modified 2-SDP assumption. To prove this assumption we also use Theorem 4. First, we express the assumption as:

$$\begin{aligned} A_1=(1,0,0), \{A_{2i}=(X_{1i},X_{2i},0)\}_{i\in [m]}, A_3=(0,0,X_3), A_4=(0,Y_2,Y_3) \end{aligned}$$
$$\begin{aligned} T_0=(Z_1,Z_2,Z_3), T_1=(Z_1,0,Z_3) \end{aligned}$$

We note that \(S=\{\{2i\}_{i\in [m]},4\}\) in this case. It is clear that

  1. Both \(T_0\) and \(T_1\) are independent of \(\{A_i\}\), since \(Z_1\) does not appear in any \(A_i\).

  2. Since \(\hat{e}(T_0, A_{2i})= [X_{1i}Z_1,X_{2i}Z_2,0]\),

     $$\begin{aligned} \{\hat{e}(T_0,A_i)\}_{i\in \{1,3,4\}}=\{[Z_1,0,0],[0,0,X_3Z_3],[0,Y_2Z_2,Y_3Z_3]\} \end{aligned}$$

     and

     $$\begin{aligned} \{\hat{e}(T_0,A_{2j})\}_{j\in [m],j\ne i}=\{[X_{1j}Z_1,X_{2j}Z_2,0]\}_{j\in [m],j\ne i}, \end{aligned}$$

     \(\hat{e}(T_0, A_{2i})\) is independent of \(\{\hat{e}(A_i,A_j)\}\cup \{\hat{e}(T_0,A_i)\}_{i\in \{1,3,4\}}\cup \{\hat{e}(T_0,A_{2j})\}_{j\in [m],j\ne i}\): it is impossible to obtain \(X_{1i}Z_1\) in the first coordinate of any combination of elements of this set. For the same reason, \(\hat{e}(T_1, A_{2i})\) is also independent of this set.

  3. From \(\hat{e}(T_0,A_4)=[0,Y_2Z_2,Y_3Z_3]\) and \(\hat{e}(T_1,A_4)=[0,0,Y_3Z_3]\), we conclude that \(\hat{e}(T_0,A_4)\) and \(\hat{e}(T_1,A_4)\) are both independent of \(\{\hat{e}(A_i,A_j)\}\cup \{\hat{e}(T_0,A_i)\}_{i\ne 4}\), since \(Y_3Z_3\) cannot be obtained in the third coordinate of any combination of elements of this set.

Thus, by Theorem 4, the modified 2-SDP assumption is generically secure provided that it is hard to factor N.

Modified BSDP assumption. We use Theorem 3 to prove this assumption. First, we express the assumption as:

$$\begin{aligned} A_1 &= (1,0,0),\ \{A_{2i}=(1/b_i,0,0)\}_{i\in [m]},\ \{A_{3i}=(b_i\alpha _i,X_2,0)\}_{i\in [m]},\ A_4=(0,0,X_3),\\ \{A_{5i} &= (b_is_i,Y_2,0)\}_{i\in [m]},\ A_6=(0,Z_2,0),\ T_0=\Big[\sum _{i=1}^m \alpha _ib_is_i,0,0\Big],\ T_1=[Z_1,Z_2,Z_3]. \end{aligned}$$

We note that

  1. The only way to obtain \(\sum _{i=1}^m \alpha _ib_is_i\) is to compute \(\prod _{i=1}^m \hat{e}(A_{3i},A_{5i})\). However, \(\prod _{i=1}^m \hat{e}(A_{3i},A_{5i})=[\sum _{i=1}^m \alpha _ib_is_i,(X_2Y_2)^m,0]\), so a term \((X_2Y_2)^m\) is left in the second coordinate that cannot be canceled. Hence \(T_0\) is independent of \(\{\hat{e}(A_i,A_j)\}\).

  2. \(T_1\) is independent of \(\{\hat{e}(A_i,A_j)\}\), because \(Z_1,Z_2,Z_3\) do not appear in \(\{A_i\}\).

From the discussion above, we can conclude that the modified BSDP assumption is generically secure under Theorem 3.
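The bookkeeping behind these generic-group arguments (the exponent-triple notation of Appendix A, the pairing acting coordinate-wise, the set S of Theorem 4, and the dependence test) can be mechanised. The following Python script is an added example, not code from the paper or its authors: it represents each coordinate as a formal polynomial in the random variables, implements \(\hat{e}\) and group multiplication on triples, and decides "X is dependent on \(\{A_i\}\)" by linear algebra over the rationals (an assumption of this example, standing in for \(\mathbb {Z}_N\); it is what one checks by hand when reading these proofs). It then evaluates conditions 1 and 2 of Theorem 4 on the modified 1-SDP and 2-SDP instances above with m = 1. Variable names mirror the paper; the function names are this example's own.

```python
"""Generic-group bookkeeping for Appendix A (added example, not the paper's code).

An element g1^a1 g2^a2 g3^a3 of G is the triple (a1, a2, a3); an element of G_T
is [a1, a2, a3]. Each coordinate is a formal polynomial in the random
variables, stored as {monomial: coefficient} with a monomial being a sorted
tuple of (variable, exponent) pairs. Coefficients live in Q as a stand-in for
Z_N (assumption of this example).
"""
from fractions import Fraction
from itertools import combinations_with_replacement

ZERO = {}
ONE = {(): Fraction(1)}


def var(name):
    """Polynomial consisting of the single random variable `name`."""
    return {((name, 1),): Fraction(1)}


def p_add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + c
        if r[m] == 0:
            del r[m]
    return r


def p_mul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            exps = {}
            for v, e in m1 + m2:
                exps[v] = exps.get(v, 0) + e
            m = tuple(sorted(exps.items()))
            r[m] = r.get(m, Fraction(0)) + c1 * c2
            if r[m] == 0:
                del r[m]
    return r


def g_mul(a, b):
    """Group multiplication: exponent triples add coordinate-wise."""
    return tuple(p_add(x, y) for x, y in zip(a, b))


def pair(a, b):
    """Bilinear map e((a1,a2,a3),(b1,b2,b3)) = [a1 b1, a2 b2, a3 b3]."""
    return tuple(p_mul(x, y) for x, y in zip(a, b))


def is_dependent(x, basis):
    """True iff x = sum_i lambda_i A_i for rational lambda_i (Appendix A)."""
    keys = sorted({(k, m) for el in list(basis) + [x] for k in range(3) for m in el[k]})

    def vec(el):  # flatten a triple into a vector indexed by (coordinate, monomial)
        return [el[k].get(m, Fraction(0)) for k, m in keys]

    pivots = []  # (pivot column, row) pairs in echelon form
    for row in (vec(el) for el in basis):
        for pcol, prow in pivots:
            if row[pcol] != 0:
                f = row[pcol] / prow[pcol]
                row = [r - f * s for r, s in zip(row, prow)]
        nz = [i for i, c in enumerate(row) if c != 0]
        if nz:
            pivots.append((nz[0], row))
    target = vec(x)
    for pcol, prow in pivots:  # reduce the target against the span
        if target[pcol] != 0:
            f = target[pcol] / prow[pcol]
            target = [t - f * s for t, s in zip(target, prow)]
    return all(c == 0 for c in target)


def distinguishing_set(t0, t1, a_list):
    """S := {i | e(T0, A_i) != e(T1, A_i)} of Theorem 4 (1-based indices)."""
    return [i for i, a in enumerate(a_list, 1) if pair(t0, a) != pair(t1, a)]


def theorem4_conditions(t0, t1, a_list, b_list=()):
    """Return (condition 1, condition 2) of Theorem 4 for T0, T1, {A_i}, {B_i}."""
    cond1 = not is_dependent(t0, a_list) and not is_dependent(t1, a_list)
    base = list(b_list) + [pair(a, b) for a, b in combinations_with_replacement(a_list, 2)]
    cond2 = True
    for k in distinguishing_set(t0, t1, a_list):
        others = [pair(t1, a) for i, a in enumerate(a_list, 1) if i != k]
        for t in (t0, t1):
            if is_dependent(pair(t, a_list[k - 1]), base + others):
                cond2 = False
    return cond1, cond2


X1, X2, X3, Y2, Y3 = var("X1"), var("X2"), var("X3"), var("Y2"), var("Y3")
Z1, Z2, Z3 = var("Z1"), var("Z2"), var("Z3")

# Modified 1-SDP with m = 1: A1=(1,0,0), A2=(0,0,X3), T0=(X1,X2,0), T1=(X1,0,0).
SDP1 = dict(A=[(ONE, ZERO, ZERO), (ZERO, ZERO, X3)], T0=(X1, X2, ZERO), T1=(X1, ZERO, ZERO))
# Modified 2-SDP with m = 1: A1=(1,0,0), A2=(X1,X2,0), A3=(0,0,X3), A4=(0,Y2,Y3),
# T0=(Z1,Z2,Z3), T1=(Z1,0,Z3).
SDP2 = dict(A=[(ONE, ZERO, ZERO), (X1, X2, ZERO), (ZERO, ZERO, X3), (ZERO, Y2, Y3)],
            T0=(Z1, Z2, Z3), T1=(Z1, ZERO, Z3))

if __name__ == "__main__":
    for name, inst in (("modified 1-SDP", SDP1), ("modified 2-SDP", SDP2)):
        s = distinguishing_set(inst["T0"], inst["T1"], inst["A"])
        c1, c2 = theorem4_conditions(inst["T0"], inst["T1"], inst["A"])
        print(f"{name}: S = {s}, condition 1 = {c1}, condition 2 = {c2}")
```

Running the script reports S = [] for the 1-SDP instance and S = [2, 4] for the 2-SDP instance, with both Theorem 4 conditions satisfied in each case, matching the hand arguments above. The checker is only a sanity aid: it works with a fixed m and does not replace the theorem's counting argument, and the rational-span test is a proxy for dependence over \(\mathbb {Z}_N\).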

B Proofs of Lemma 1–4

Lemma 1

If \(Adv_{A}^{Game_{rl}}-Adv_{A}^{Game_{rt}}\ge \epsilon \), then Assumption 2 is broken.

Proof:

Let \(\mathbb {A}^*\) denote the challenge access structure. For every \(\mathcal {S}^*\in \mathbb {A}^*\), assuming that \(\mathcal {S}^*=\{S_1,\cdots ,S_n\}\) has n attributes (Note 10), we define a superset of \(\mathcal {S}^*\) as \(\mathbb {S}^*=\{S_1'| S_1'=S_1\mod p_2\}\cup \cdots \cup \{S_n'|S_n'=S_n\mod p_2\}\). Let \(\varOmega ^*\) denote the collection of all \(\mathbb {S}^*\)s. If the adversary \(\mathfrak {A}\) makes a key query on an attribute set \(\varXi \notin \mathbb {A}^*\), then for every \(S_i'\in \varXi \) the challenger \(\mathfrak {C}\) answers as follows:

  • If \(S'_i\notin \mathbb {S}^*\) for every \(\mathbb {S}^*\in \varOmega ^*\), then \(\mathfrak {C}\) responds using MSK and the KeyGen algorithm.

  • If \(S'_i\in \mathbb {S}^*\) for some \(\mathbb {S}^*\in \varOmega ^*\), then \(S'_i\ne S_i\) and \(S'_i=S_i\mod p_2\). \(\mathfrak {C}\) computes \(a=\gcd (S_i-S_i^*,N)\) and sets \(b=N/a\), where \(N=p_1p_2p_3\). We assume that \((g,X_1X_2,X_3,Y_2Y_3,T)\) is an instance of the 2-SDP assumption.

    1. If \(a=p_1p_2\) and \(b=p_3\), then \(\mathfrak {C}\) can check whether \(a=p_1p_2\) from \((X_1X_2)^{a}=1\). If the equation holds, then \(\mathfrak {C}\) can distinguish between \(T\in \mathbb {G}_{p_1p_3}\) and \(T\in \mathbb {G}\) by testing \(\hat{e}(Y_2Y_3,T)^b \mathop {=}\limits ^{?}1\).

    2. If \(a=p_2p_3\) and \(b=p_1\), then \(\mathfrak {C}\) checks whether \(a=p_2p_3\) from \((Y_2Y_3)^{a}=1\). \(\mathfrak {C}\) can then distinguish between \(T\in \mathbb {G}_{p_1p_3}\) and \(T\in \mathbb {G}\) by testing \(\hat{e}(X_1X_2,T)^b\mathop {=}\limits ^{?}1\).

    3. If \(a=p_2\) and \(b=p_1p_3\), then \(\mathfrak {C}\) can distinguish between \(T\in \mathbb {G}_{p_1p_3}\) and \(T\in \mathbb {G}\) by testing \(T^b\mathop {=}\limits ^{?}1\).   \(\square \)

Then, the challenge ciphertext is converted into semi-functional in \(Game_0\).

Lemma 2

If \(Adv_{A}^{Game_{rt}}-Adv_{A}^{Game_{0}}\ge \epsilon \), then modified Assumption 1 is broken.

Proof:

Given an instance \((N,g_1,X_3,\mathbb {G},\mathbb {G}_T,(T_i)_{i\in [m]})\) of modified 1-SDP assumption, \(\mathfrak {C}\) constructs the master public key MPK as

$$\begin{aligned} <g_1,X_3,(g_1^{a/b_i})_{i\in [m]},B_1,\cdots ,B_m,h_1,\cdots ,h_U,(y_i=\hat{e}(g_1,B_i)^{\alpha _i})_{i\in [m]}>, \end{aligned}$$

where \(a,\alpha _i,b_i\in \mathbb {Z}_N\). The master secret key is \(MSK=(g_1^{\alpha _i}X_3^{u_i})_{i\in [m]}\). \(\mathfrak {C}\) can answer the key extraction queries, key leakage queries and key update queries from \(\mathfrak {A}\). In the challenge phase, \(\mathfrak {A}\) provides the challenge messages and access structure \((M_0,M_1,\mathbb {A}^*)\). Then \(\mathfrak {C}\) randomly chooses values \(\tilde{\lambda }_1,\cdots ,\tilde{\lambda }_l,r_1,\cdots ,r_l\in \mathbb {Z}_N\) and outputs the ciphertext \(CT^*\) as

$$\begin{aligned} <M_b\cdot \prod _{i=1}^m \hat{e}(g_1^{\alpha _i},T_i),(T_i)_{i\in [m]},(C_i=T_i^{a\tilde{\lambda }_i}h_{\rho (i)}^{-r_i},D_i=g_1^{r_i})_{i\in [l]}> \end{aligned}$$

If \(T_i=g_1^{b_is_{i}}g_2^{c_i}\in \mathbb {G}_{p_1p_2}\), then \(CT^*\) is

$$\begin{aligned} <M_b\cdot \prod _{i=1}^m \hat{e}(g_1^{\alpha _i},B_i^{s_i}),(B_i^{s_{i}}g_2^{\delta _i})_{i\in [m]},(C_i=g_1^{a\lambda _i}h_{\rho (i)}^{-r_i}g_2^{\tau _i},D_i=g_1^{r_i})_{i\in [l]}>, \end{aligned}$$

where \(\delta _i=c_i,\lambda _i=b_i\cdot s_i\cdot \tilde{\lambda }_i,\tau _i=ac\tilde{\lambda }_i\). This is a semi-functional ciphertext, so \(\mathfrak {C}\) simulates \(Game_0\). If \(T_i\in \mathbb {G}_{p_1}\), \(\mathfrak {C}\) simulates the normal-ciphertext game \(Game_{rt}\). Thus, if \(\mathfrak {A}\) can distinguish a semi-functional ciphertext from a normal ciphertext with non-negligible probability, then \(\mathfrak {C}\) can use \(\mathfrak {A}\)'s output to break the modified Assumption 1.    \(\square \)

Let Q denote the number of queries that \(\mathfrak {A}\) issues once the challenge ciphertext is semi-functional. We define two types of attribute-based private key as follows:

  • Type I: \(<(g_1^{\alpha _i+at/b_i}\cdot g_2^{z_i} g_3^{y_{1i}+u_i})_{i\in [m]}, g_1^tg_2^dg_3^{y_2}, (h_x^tg_3^{y_{3x}})_{x\in \mathbb {S}}>\)

  • Type II: \(<(g_1^{\alpha _i+at/b_i}\cdot g_3^{y_{1i}+u_i})_{i\in [m]}, g_1^tg_2^dg_3^{y_2}, (h_x^tg_3^{y_{3x}})_{x\in \mathbb {S}}>\)

For \(k=1,\cdots ,Q-1\), in \(Game_k\) the first \(k-1\) keys are semi-functional of type II, the k-th key is semi-functional of type I, and the remaining keys are normal. Thus, in \(Game_Q\), all keys are semi-functional of type II.

Lemma 3

If \(Adv_{A}^{Game_{k+1}}-Adv_{A}^{Game_{k}}\ge \epsilon \), then modified Assumption 2 is broken.

Proof:

Provided an instance \((g_1,(X_{1i}X_{2i})_{i\in [m]},X_3,Y_2Y_3,T)\) of modified 2-SDP assumption, \(\mathfrak {C}\) constructs the master public key

$$\begin{aligned} MPK:<\!\varTheta ,g_1,g_3,(g_1^{a/b_i})_{i\in [m]},B_1,\cdots ,B_m,h_1,\cdots ,h_U,(y_i\!=\!e(g_1,B_i)^{\alpha _i})_{i\in [m]}>, \end{aligned}$$

and the master secret key \(MSK=(g_1^{\alpha _i}g_3^{u_i})_{i\in [m]}\). For the first \(k-1\) key queries, \(\mathfrak {C}\) answers with \(<(g_1^{\alpha _i+at/b_i}\cdot g_3^{y_{1i}+u_i})_{i\in [m]}, g_1^t(Y_2Y_3)^hg_3^{y_2}, (h_x^tg_3^{y_{3x}})_{x\in \mathbb {S}}>\), which is a type II semi-functional key. For the (k+1)-th to Q-th queries, \(\mathfrak {C}\) answers with normal keys.

For the k-th query, \(\mathfrak {C}\) answers the key as follows:

  1. \(<(g_1^{\alpha _i}\cdot T^a\cdot g_3^{y_{1i}+u_i})_{i\in [m]}, T\cdot g_3^{y_2}, (h_x^tg_3^{y_{3x}})_{x\in \mathbb {S}}>\)

  2. \(<(g_1^{\alpha _i}\cdot T^a\cdot g_3^{y_{1i}+u_i})_{i\in [m]}, T\cdot g_3^{y_2}\cdot (Y_2Y_3)^h, (h_x^tg_3^{y_{3x}})_{x\in \mathbb {S}}>\)

In case 1, if \(T=g_1^tg_2^rg_3^s\in \mathbb {G}\), then the k-th key is a semi-functional key of type I. If \(T=g_1^tg_3^s\in \mathbb {G}_{p_1p_3}\), the k-th key is a normal form key.

In case 2, if \(T=g_1^tg_2^rg_3^s\in \mathbb {G}\), then the k-th key is a semi-functional key of type I. However, if \(T=g_1^tg_3^s\in \mathbb {G}_{p_1p_3}\), the k-th key is a type II semi-functional key.

When \(\mathfrak {A}\) makes a key leakage query, \(\mathfrak {C}\) returns \(f(MSK',\mathfrak {Q},MPK,\mathbb {S})\), where \(MSK'\) is semi-functional, and for the last entry \(<\cdot ,\mathbb {S},SK'_{\mathbb {S}}>\in \mathfrak {Q}\), \(SK'_{\mathbb {S}}\) is a type II semi-functional key.

When \(\mathfrak {A}\) makes a key update query, \(\mathfrak {C}\) returns a type II semi-functional key \(SK'_{\mathbb {S}}\) and the update count \(j'\), and adds \(<j',\mathbb {S},SK'_{\mathbb {S}}>\) to \(\mathfrak {Q}\).

In the challenge phase, \(\mathfrak {C}\) randomly chooses \(\tilde{\lambda }_1,\cdots ,\tilde{\lambda }_l\in \mathbb {Z}_N\), and returns the ciphertext as

$$\begin{aligned} C=M_b\prod _{i=1}^m \hat{e}(g_1^{\alpha _i},X_{1i}X_{2i}),(C_i'=X_{1i}X_{2i})_{i\in [m]},(C_i=(X_{1i}X_{2i})^{a\tilde{\lambda }_i}h_{\rho (i)}^{-r_i},D_i=g_1^{r_i})_{i\in [l]}. \end{aligned}$$

If we let \(X_{1i}X_{2i}=g_1^{b_is_i}g_2^{c_i}\), then

$$\begin{aligned} C=M_b\prod _{i=1}^m \hat{e}(g_1^{\alpha _i},B_i^{s_i}),(C_i'=B_i^{s_i}g_2^{\delta _i})_{i\in [m]},(C_i=g_1^{a\lambda _i}h_{\rho (i)}^{-r_i}g_2^{\tau _i},D_i=g_1^{r_i})_{i\in [l]}, \end{aligned}$$

where \(\delta _i=c_i,\lambda _i=b_i\cdot s_i\cdot \tilde{\lambda }_i,\tau _i=ac\tilde{\lambda }_i\). This is a semi-functional ciphertext.

We can thus conclude that if \(T\in \mathbb {G}\), \(\mathfrak {C}\) simulates \(Game_{k+1}\); otherwise \(\mathfrak {C}\) simulates \(Game_{k}\). From the above analysis, \(\mathfrak {A}\) cannot distinguish a type I semi-functional key from a normal key in case 1, and cannot distinguish a type I semi-functional key from a type II semi-functional key in case 2. Thus, if an adversary has a non-negligible advantage \(Adv_{A}^{Game_{k+1}}-Adv_{A}^{Game_{k}}\), then \(\mathfrak {C}\) can break the modified 2-SDP assumption.    \(\square \)

The final game \(Game_f\) is the same as \(Game_Q\) except that the message is masked with a random element in \(\mathbb {G}_T\), instead of \(M_0,M_1\). That is to say, the value of b is information theoretically hidden from \(\mathfrak {A}\).

Lemma 4

If \(Adv_{A}^{Game_{Q}}-Adv_{A}^{Game_{f}}\ge \epsilon \), then modified Assumption 3 (the modified BSDP assumption) is broken.

Proof:

Given an instance \((g_1,(g_1^{1/b_i})_{i\in [m]},(B_i^{\alpha _i}X_2)_{i\in [m]},X_3,(B_i^{s_i}Y_2)_{i\in [m]},\) \(Z_2,T)\) of modified BSDP assumption, \(\mathfrak {C}\) sets \(g_3=X_3,g_2=Z_2,y_i=\hat{e}(g_1,B_i^{\alpha _i}X_2)=\hat{e}(g_1,B_i)^{\alpha _i}\). \(\mathfrak {C}\) constructs the master public key MPK and the master secret key \(MSK=(B_i^{\alpha _i}X_2\cdot g_3^{u_i})_{i\in [m]}\).

In key extraction phase, \(\mathfrak {C}\) can answer all key queries as

$$\begin{aligned}&SK_{\mathbb {S}}=<(K_{1i})_{i\in [m]},K_2,(K_{3x})_{x\in \mathbb {S}}>\\&=<((B_i^{\alpha _i}X_2)\cdot g_1^{at/b_i}\cdot g_3^{y_{1i}+u_i})_{i\in [m]}, g_1^tg_3^{y_2}, (h_x^tg_3^{y_{3x}})_{x\in \mathbb {S}}>. \end{aligned}$$

\(\mathfrak {C}\) also can answer the key leakage queries and key update queries from \(\mathfrak {A}\), since it knows MSK.

In the challenge phase, \(\mathfrak {C}\) randomly chooses \(\tilde{\lambda }_1,\cdots ,\tilde{\lambda }_l,r_1,\cdots ,r_l\in \mathbb {Z}_N\) and returns the ciphertext \(CT^*\) as

$$\begin{aligned} <M_b\cdot T, (B_i^{s_i}Y_2)_{i\in [m]}, (C_i=(B_i^{s_i}Y_2)^{a\tilde{\lambda }_i}h_{\rho (i)}^{-r_i},D_i=g_1^{r_i})_{i\in [l]}>, \end{aligned}$$

where T is the assumption term. Let \(B_i^{s_i}Y_2=B_i^{s_i}g_2^{c_i}\), then

$$\begin{aligned} <M_b\cdot T, (B_i^{s_i}g_2^{\delta _i})_{i\in [m]}, (C_i=g_1^{a\lambda _i}h_{\rho (i)}^{-r_i}g_2^{\tau _i},D_i=g_1^{r_i})_{i\in [l]}>, \end{aligned}$$

where \(\delta _i=c_i,\lambda _i=b_i\cdot s_i\cdot \tilde{\lambda }_i,\tau _i=ac\tilde{\lambda }_i\). If \(T=\prod _{i=1}^{m}\hat{e}(g_1,B_i)^{\alpha _i s_i}\), then \(CT^*\) is a semi-functional ciphertext and \(\mathfrak {C}\) simulates \(Game_Q\). If instead \(T\in \mathbb {G}_T\) is a random element, then \(\mathfrak {C}\) simulates \(Game_f\). Thus, if the adversary \(\mathfrak {A}\) has a non-negligible advantage in distinguishing \(Game_f\) from \(Game_Q\), then \(\mathfrak {C}\) can break the modified BSDP assumption by using \(\mathfrak {A}\)'s output, with the same probability.    \(\square \)

Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Wang, Z., Yiu, S.M. (2015). Attribute-Based Encryption Resilient to Auxiliary Input. In: Au, M.H., Miyaji, A. (eds) Provable Security. ProvSec 2015. Lecture Notes in Computer Science, vol 9451. Springer, Cham. https://doi.org/10.1007/978-3-319-26059-4_21

  • DOI: https://doi.org/10.1007/978-3-319-26059-4_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26058-7

  • Online ISBN: 978-3-319-26059-4
