Ciphertext-Policy Attribute-Based Encryption with Outsourced Set Intersection in Multimedia Cloud Computing

Abstract

In a multimedia cloud computing system, suppose all cloud users outsource their own data sets to the cloud in the encrypted form. Each outsourced set is associated with an access structure such that a valid data user, Bob, with the credentials satisfying the access structure is able to conduct computing over outsourced encrypted set (e.g., decryption or other kinds of computing function). Suppose Bob needs to compute the set intersection over a data owner Alice’s and his own outsourced encrypted sets. Bob’s simple solution is to download Alice’s and Bob’s outsourced encrypted sets, perform set intersection operation, and decrypt the set intersection ciphertexts. A better solution is for Bob to delegate the cloud to calculate the set intersection, without giving the cloud any ability in breaching the secrecy of the sets. To solve this problem, this work introduces a novel primitive called ciphertext-policy attribute-based encryption with outsourced set intersection for multimedia cloud computing. It is the first cryptographic algorithm supporting a fully outsourced encrypted storage, computation delegation, fine-grained authorization security for ciphertext-policy model, without relying on an online trusted authority or data owners, and multi-elements set, simultaneously. We construct a scheme that provably satisfies the desirable security properties, and analyze its efficiency.

1. Introduction

The multimedia cloud computing has been a successful computing paradigm since it can offer mass data storage and elastic but powerful computing capabilities at an affordable price. Cloud users, e.g., data owners and data users, can outsource their multimedia data to the cloud, then access it and share it with other users at anytime from anywhere. However, since data outsourcing will undermine the control capability for data owners since the outsourced data resides in the cloud service providers’ scope, it inevitably raises the security concerns regarding the data confidentiality, data integrity, and data access control. While it is natural to encrypt data before outsourcing it to the cloud, it indeed raises another issue about how to facilitate the cloud to perform some specific function over outsourced encrypted data without compromising data privacy.

In this paper, we study the problem of set intersection over outsourced encrypted data sets, which is a variant of the private set intersection (PSI) problem [1] that has been extensively studied. In the traditional setting of PSI, two data users, holding their own data sets at local, joint compute the data sets’ intersection in a manner that they only obtain the information about the intersection but nothing else. PSI has been widely adopted to many practical applications, such as private data mining, private matching, credit information system, anti-epidemic information system, and educational resources sharing, etc.

Problem. For the multimedia cloud computing scenario, the cloud users (i.e., the data owners and the data users) no longer store their own data sets at local and calculate the set intersection by themselves. Instead, the cloud users expect to outsource them to the cloud in encrypted form and entrust the cloud to help them complete the set intersection operation. While several works have studied PSI over outsourced encrypted data in the cloud [2,3,4], it certainly raises a difficulty for the data owners on how to enforce that their encrypted data can be used to perform by only some specific users. That is, how can the data owners limit the ability for the data users on performing set intersection by complying with certain control policies.

Motivation. shi2021delegated. In their protocol, it restricts PSI operation permissions through access control policy, embedded in data users’ secret keys. However, in $\mathsf{KP}$-$\mathsf{ABSI}$, the access structure is associated with data users instead of outsourced data sets. So, it is not particularly suitable for achieving access control over cloud data. Recently, Ali et al. proposed a ciphertext-policy attribute-based set intersection solution [6] to realize fine-grained authorization for outsourced data sets of data owners. Unfortunately, in their protocol, the data sets of the data users must be in plaintext form and the data users should execute PSI operations at local. It is not applicable to the case where all cloud users outsourced their encrypted data sets to the cloud and delegate PSI computation to the cloud. To our knowledge (cf. Section 2), none of the existing schemes consider this problem how to achieve the following objectives simultaneously: (1) All cloud users should outsource their data sets in the ciphertext form to the cloud. (2) The cloud users should be able to preserve data privacy while allowing the set intersection delegation to the cloud. (3) The cloud users should be able to accomplish fine-grained access control to the set operation permissions over their outsourced encrypted data sets. (4) It should not rely on the always online trusted authority and the data owners.

Our Contributions. For solving the above problem, this work introduces a novel notion called ciphertext-policy attribute-based encryption with outsourced set intersection ($\mathsf{CP}$-$\mathsf{ABSI}$) for multimedia cloud computing. In $\mathsf{CP}$-$\mathsf{ABSI}$, all cloud users encrypt their own data sets by customizing an access structure before outsourcing. An authorized data user (Bob), whose attributes satisfy the access structure of the data owner’s (Alice) data set, can delegate the set intersection calculation between Alice’s and Bob’s data sets to the cloud by generating a token. This work presents the formal definition of $\mathsf{CP}$-$\mathsf{ABSI}$ with security properties, then presents a specific scheme. There are five characteristic properties for our $\mathsf{CP}$-$\mathsf{ABSI}$ scheme: (1) It supports fully outsourced encrypted data sets for all cloud users, including data owners and data users. (2) The cloud can be delegated to execute PSI operations and not acquire any additional information beyond the result of encrypted set intersection. (3) It combines PSI and CP-ABE to realize fine-grained authorization for outsourced set intersection operation. (4) The data owner and the trusted authority are not required to participate in the interaction. (5) It supports multi-elements data sets. It is suitable for multimedia cloud computing.

2. Related Work

Although PSI has been widely studied previously, all existing solutions did not resolve the problems considered in this work. We brief the relevant technologies below and compare them with our $\mathsf{CP}$-$\mathsf{ABSI}$ as shown in Table 1.

Table 1. Property summary for PSI schemes. “×” means not supported, “√” means supported, “CP” means ciphertext-policy and “KP” means key-policy. In the related work and our solution in this paper. Fully outsourced encrypted storage means that all cloud users, including data owners and data users, can outsource their data sets in encrypted form. Computation delegation means it supports delegating PSI operations to the cloud. Fine-grained authorization security (as defined in Definition 4) means that it supports fine-grained authorization security with key-policy or ciphertext-policy setting. Without always online trusted authority or data owner means that it is not required that the trusted authority or data owners are always online. Multi-elements set means it supports multiple elements data set.

Schemes	Fully Outsourced Encrypted Storage	Computation Delegation	Fine-Grained Authorization Security	Without Always Online Trusted Authority or Data Owner	Multi-Elements Set
Two-party Private Set Intersection [7,8]	×	×	×	×	√
Three-party Private Set Intersection [2,3,4,9]	√	√	×	×	√
Symmetric/Asymmetric Encryption with Equality Test [10,11]	√	√	×	√	×
KP-ABEET [12]	√	√	×	×	×
CP-ABEET  [13,14]	√	√	×	×	×
AB-PSI [6]	×	×	$\mathsf{CP}$	√	√
$\mathsf{KP}$-$\mathsf{ABSI}$ [5]	√	√	$\mathsf{KP}$	√	√
Our $\mathsf{CP}$-$\mathsf{ABSI}$	√	√	$\mathsf{CP}$	√	√

Two-party Private Set Intersection. In this scenario, it only involves two participants, a client and a server, both of whom work interactively to accomplish the set intersection operation with their own data sets [7,8]. Unfortunately, these solutions cannot be adapted to cloud architecture; for that, both parties have to decrypt all of their outsourced encrypted data sets and do the heavy computations for PSI at local. Obviously, they cannot support fine-grained authorization and the data owner should be always online.

Three-party Private Set Intersection. In this model, it includes three participants, i.e., the cloud servers, the data owners, and data users, where the data owners and the data users wish to outsource set intersection operations to the server. For example, refs. [2,3,4,9] considered outsourcing set intersection operations to the cloud while preserving the privacy of the data sets. In addition, symmetric/asymmetric encryption with equality test, e.g., [10,11], is a specific solution for one-element data sets. Unfortunately, all of these solutions ask for the data owner to always be online or have no authorization mechanism. Thus, traditional three-party PSI protocols are impractical for the cloud system.

Attribute-based Encryption ($\mathsf{ABE}$). A reliable solution for realizing fine-grained authorization for outsourced data is $\mathsf{ABE}$, introduced by Sahai and Waters [15]. This technique allows the data users with appropriate attributes to decrypt the ciphertexts under an access structure. There are two types of $\mathsf{ABE}$: ciphertext-policy $\mathsf{ABE}$ ($\mathsf{CP}$-$\mathsf{ABE}$) in which the ciphertext is generated under an access structure (e.g., [16,17]) and key-policy $\mathsf{ABE}$ ($\mathsf{KP}$-$\mathsf{ABE}$) in which the private key is generated under an access structure (e.g., [18,19]). $\mathsf{ABE}$ also can be combined with other techniques to provide fine-grained operation and computation, e.g., attribute-based keyword search (e.g., [20]) or attribute-based proxy re-encryption (e.g., [21]).

Attribute-based Set Intersection. The first attribute-based set intersection solution is attribute-based encryption with equality test (ABEET). ABEET supports access control and set intersection computation delegation, but only for one-element data sets. Zhu et al. and Wang et al., respectively, present the first KP-ABEET and CP-ABEET [12,13]. After that, Cui et al. presented a performance enhanced ciphertext-policy construction [14]. Unfortunately, in these schemes, the trapdoor is generated with the master secret key held by the trusted authority and the data owner is required to participate in the delegating phase to send its token to the cloud. So, the trusted authority and the data owners should be always online. Even worse, in existing ABEET schemes, the cloud server without ${\mathsf{token}}_{\mathsf{A},\mathsf{C}}$ can obtain set intersection $A\cap C$ with ${\mathsf{token}}_{\mathsf{A},\mathsf{B}}$ for $A\cap B$ and ${\mathsf{token}}_{\mathsf{B},\mathsf{C}}$ for $B\cap C$. So, they actually cannot achieve fine-grained authorization security, which will be illustrated in Definition 4. It is impractical and secure enough for distributed cloud computing. The first attribute-based solution for multi-elements set intersection is proposed by Mohammad Ali et. al. It achieves fine-grained authorization security and is not dependent on an online trusted authority or data owners. However, in Ali’s scheme, data users must store the plaintext form of their set and execute PSI operations at local. It is not supporting fully outsourced encrypted storage and computation delegation, so it is not applied to our scenario where the data sets of all cloud users are encrypted in the cloud. Later, Shi et al. introduced a $\mathsf{KP}$-$\mathsf{ABSI}$ scheme by combining $\mathsf{KP}$-$\mathsf{ABE}$ and PSI to achieve fully outsourced encrypted storage and computation delegation. However, it is still not applied to our scenario since it implements access control for cloud users instead of cloud data sets [5].

For that, in this work, we combine PSI and $\mathsf{CP}$-$\mathsf{ABE}$ to propose a novel primitive named ciphertext-policy attribute-based encryption with outsourced set intersection ($\mathsf{CP}$-$\mathsf{ABSI}$), implementing access control for ciphertext data sets. Compared with existing solutions, our $\mathsf{CP}$-$\mathsf{ABSI}$ can support a fully outsourced encrypted storage, computation delegation, fine-grained authorization security for ciphertext-policy($\mathsf{CP}$) model, without relying on an online trusted authority or data owners, and multi-elements set, simultaneously.

3. Problem Formulation

3.1. System Model

Figure 1 highlights the system model, which consists of three entities—a cloud server, a trusted attribute authority, and the cloud users, e.g., a data owner (named Alice), an authorized data user (named Bob), and an unauthorized data user (named Calos). The cloud affords for the cloud users computing and storing supporting. The trusted attribute authority issues data users’ secret keys in line with their attribute certificates. The data owner (i.e., Alice), which can be either individuals or organizations, encrypt their private data sets according to an access control policy and then outsource them to the cloud server. An authorized user (i.e., Bob), whose attributes satisfy Alice’s and his own access structures simultaneously, can delegate set intersection operations over Alice’s and his own encrypted data sets to the cloud. Whereas any unauthorized user, i.e., Calos, whose attributes do not satisfy the access structure of Alice, cannot outsource the set intersection operations to the cloud.

Figure 1. System model of $\mathsf{CP}$-$\mathsf{ABSI}$.

Here, we suppose that the cloud is honest but curious, meaning that it runs the protocols honestly but attempts to obtain privacy information about the data sets.

A cloud user is malicious and might collude with the semi-trusted cloud.

3.2. Formal Definition

Here is shown the formal definition of $\mathsf{CP}$-$\mathsf{ABSI}$ (ciphertext-policy attribute-based encryption with outsourced set intersection), in which ciphertexts are generated under an access structure. $\mathsf{T}$ is denoted as an access policy and $\mathsf{UA}$ is denoted as an attribute set, respectively, in $\mathsf{CP}$-$\mathsf{ABSI}$. Let $F(\mathsf{T},\mathsf{UA})=1$ if and only if $\mathsf{T}$ is satisfied by $\mathsf{UA}$ in $\mathsf{CP}$-$\mathsf{ABSI}$.

Definition. 1.

($\mathsf{CP}$-$\mathsf{ABSI}$) A scheme for $\mathsf{CP}$-$\mathsf{ABSI}$ has the following algorithms:

$(\mathsf{pk},\mathsf{msk})\leftarrow \mathsf{Setup}\left(1^{\ell }\right)$: The trusted attribute authority bootstraps the master private key $\mathsf{msk}$ and the public parameters $\mathsf{pk}$ as input a security parameter ℓ.

$\mathsf{sk}\leftarrow \mathsf{KeyGen}(\mathsf{msk},\mathsf{UA})$: The trusted attribute authority generates secret keys $\mathsf{sk}$ for a data user.

$\mathsf{c}\leftarrow \mathsf{Enc}(\mathsf{D},\mathsf{T})$: Given $\mathsf{T}$, a cloud user (data owner or data user) encrypts their private data set $\mathsf{D}$. Then they outsource the ciphertexts to the cloud.

$\mathsf{token}\leftarrow \mathsf{TokenGen}\left(\mathsf{sk}\right)$: A data user runs this algorithm to generate a token to delegate the set intersection operations between the data owner’s and his own encrypted data sets to the cloud, where the token $\mathsf{token}$ will be sent to the cloud for this purpose.

$\mathsf{rslt}\leftarrow \mathsf{SI}(\mathsf{token},\mathsf{c},{\mathsf{c}}^{\prime })$: The cloud server runs this algorithm to calculate the set intersection $\mathsf{rslt}$, only if $\mathsf{UA}$ associated to $\mathsf{token}$ meets both $F(\mathsf{T},\mathsf{UA})=1$ and $F({\mathsf{T}}^{\prime },\mathsf{UA})=1$, where $\mathsf{T}$ and ${\mathsf{T}}^{\prime }$ are specified by $\mathsf{c}$ of the data owner and ${\mathsf{c}}^{\prime }$ of the data user, respectively.

The correctness of $\mathsf{CP}$-$\mathsf{ABSI}$ scheme can be defined as: With $(\mathsf{pk},\mathsf{msk})\leftarrow \mathsf{Setup}\left(1^{\ell }\right)$, $\mathsf{sk}\leftarrow \mathsf{KeyGen}(\mathsf{msk},\mathsf{UA})$, $\mathsf{token}\leftarrow \mathsf{TokenGen}\left(\mathsf{sk}\right)$, $\mathsf{c}\leftarrow \mathsf{Enc}(\mathsf{D},\mathsf{T})$ for set $\mathsf{D}$ and ${\mathsf{c}}^{\prime }\leftarrow \mathsf{Enc}({\mathsf{D}}^{\prime },{\mathsf{T}}^{\prime })$ for set ${\mathsf{D}}^{\prime }$, if $F(\mathsf{T},\mathsf{UA})=1$ and $F({\mathsf{T}}^{\prime },\mathsf{UA})=1$, $\mathsf{rslt}$ is the ciphertext of set intersection $\mathsf{D}\cap {\mathsf{D}}^{\prime }$, where $\mathsf{rslt}\leftarrow \mathsf{SI}(\mathsf{c},{\mathsf{c}}^{\prime },\mathsf{token})$.

3.3. Security Definitions

It is said that the $\mathsf{CP}$-$\mathsf{ABSI}$ scheme is secure if it satisfies the following security properties: selective security against chosen-plaintext attack, one-wayness under a chosen-plaintext attack, and fine-grained authorization security.

Selective security against chosen-plaintext attack: Intuitively, this property says that a probabilistic polynomial-time (PPT) adversary $\mathcal{A}$, modeling malicious unauthorized data users, cannot obtain any useful information about the encrypted sets without being given the corresponding tokens, where the term “selective” means that it asks for the adversary $\mathcal{A}$ to choose $\mathsf{T}$ which parties to compromise before initializing the public parameters. This security property can be formally defined by the game between $\mathcal{A}$ and a challenger as follows.

Setup: $\mathcal{A}$ chooses ${\mathsf{T}}^{*}$ and sends it to the challenger. Then the challenger executes $\mathsf{Setup}$ to bootstrap $\mathsf{msk}$ and $\mathsf{pk}$, it sets $\mathsf{msk}$ as the master private key and sends $\mathsf{pk}$ to $\mathcal{A}$ as a public key.

Phase 1: $\mathcal{A}$ can make queries for polynomial-many times as follows:

• ${\mathcal{O}}_{\mathsf{KeyGen}}\left(\mathsf{UA}\right)$: If $F({\mathsf{T}}^{*},\mathsf{UA})=1$, the challenger aborts; else, it executes $\mathsf{sk}\leftarrow \mathsf{KeyGen}(\mathsf{msk},\mathsf{pk},\mathsf{UA})$ and sends $\mathsf{sk}$ back to $\mathcal{A}$.
• ${\mathcal{O}}_{\mathsf{TokenGen}}\left(\mathsf{UA}\right)$: If $F({\mathsf{T}}^{*},\mathsf{UA})=1$, then the challenger aborts the simulation; otherwise, it executes $\mathsf{sk}\leftarrow \mathsf{KeyGen}(\mathsf{msk},\mathsf{UA})$, $\mathsf{token}\leftarrow \mathsf{TokenGen}\left(\mathsf{sk}\right)$ and sends $\mathsf{token}$ to $\mathcal{A}$.

Challenge: $\mathcal{A}$ selects two data sets ${\mathsf{D}}_0$ and ${\mathsf{D}}_1$ where $|{\mathsf{D}}_0|=|{\mathsf{D}}_1|$ but ${\mathsf{D}}_0\ne {\mathsf{D}}_1$, and sends them to the challenger. The challenger picks $\sigma \stackrel{R}{\leftarrow }\{0,1\}$, executes ${\mathsf{c}}^{*}=\mathsf{Enc}({\mathsf{D}}_{\sigma },{\mathsf{T}}^{*})$ and returns ${\mathsf{c}}^{*}$ back to $\mathcal{A}$.

Phase 2: $\mathcal{A}$ executes as in Phase 1.

Guess: A guess ${\sigma }^{\prime }$ is replied by $\mathcal{A}$. $\mathcal{A}$ wins the security game if $\sigma ={\sigma }^{\prime }$.

Definition 2.

If the advantage $|Pr[{\sigma }^{\prime }=\sigma ]-1/2|$ that $\mathcal{A}$ wins the selective security game is negligible, the $\mathsf{CP}$-$\mathsf{ABSI}$ construction is selective secure.

One-wayness security: Intuitively, this property requires that any PPT adversary $\mathcal{A}$, modeling honest-but-curious cloud server, even with a token, is unable to acquire any useful information about the plaintexts corresponding to the ciphertexts in question. Note that, given a target ciphertext and the appropriate token, where the term “appropriate” means the credentials that generate the token satisfy the access control policy associated to the target ciphertext, $\mathcal{A}$ can purposefully choose and encrypt a data set element with public parameters, and compare their chosen ciphertext with the target ciphertext. Obliviously, brute-force attack is inevitable, so it is just demanded that $\mathcal{A}$ have no better strategy. The one-wayness security can be defined by the following game.

Setup: The challenger produces $\mathsf{msk},\mathsf{pk}$ by executing $\mathsf{Setup}$, sets $\mathsf{msk}$ as the master secret key, and sends $\mathsf{pk}$ to $\mathcal{A}$ as the public parameters.

Phase 1: $\mathcal{A}$ can query following oracles for polynomial-many times, the challenger bookkeeps a list $L_{\mathsf{UA}}$ initially empty.

• ${\mathcal{O}}_{\mathsf{KeyGen}}\left(\mathsf{UA}\right)$: The challenger replies $\mathsf{sk}\leftarrow \mathsf{KeyGen}(\mathsf{msk},\mathsf{UA})$ to $\mathcal{A}$ and inserts $\mathsf{UA}$ to $L_{\mathsf{UA}}$.
• ${\mathcal{O}}_{\mathsf{TokenGen}}\left(\mathsf{UA}\right)$: The challenger replies $\mathsf{token}\leftarrow \mathsf{TokenGen}\left(\mathsf{sk}\right)$ (where $\mathsf{sk}\leftarrow \mathsf{KeyGen}$$(\mathsf{msk},\mathsf{UA})$) to $\mathcal{A}$.

Challenge: $\mathcal{A}$ selects and sends ${\mathsf{T}}^{*}$ to the challenger, where $\forall \mathsf{UA}\in L_{\mathsf{UA}},$$F({\mathsf{T}}^{*},\mathsf{UA})=0$. The challenger chooses ${\mathsf{UA}}^{*}$ such that $F({\mathsf{T}}^{*},{\mathsf{UA}}^{*})=1$, selects ${\mathsf{D}}^{*}$ uniformly at random, calculates ${\mathsf{c}}^{*}\leftarrow \mathsf{Enc}({\mathsf{D}}^{*},{\mathsf{T}}^{*})$ and ${\mathsf{token}}^{*}\leftarrow \mathsf{TokenGen}\left(\mathsf{KeyGen}\left({\mathsf{UA}}^{*}\right)\right)$. Then return ${\mathsf{c}}^{*},{\mathsf{token}}^{*}$ back to $\mathcal{A}$.

Phase 2: It is similar to Phase 1, except that $F({\mathsf{T}}^{*},\mathsf{UA})=0$ when querying ${\mathcal{O}}_{\mathsf{KeyGen}}\left(\mathsf{UA}\right)$.

Guess: A guess d is replied by $\mathcal{A}$. $\mathcal{A}$ wins the one-wayness security game if $d\in {\mathsf{D}}^{*}$.

Definition 3.

If the advantage $|Pr[d\in {\mathsf{D}}^{*}]-\frac{m|{\mathsf{D}}^{*}|}{\left|\mathsf{Msg}\right|}|$, in which $\mathsf{Msg}$ is the domain size of set elements and m is the number of guess/brute-force attacks $\mathcal{A}$ makes, that $\mathcal{A}$ wins the one-wayness security game is negligible, the $\mathsf{CP}$-$\mathsf{ABSI}$ construction is one-wayness secure.

Fine-grained authorization: The adversary $\mathcal{A}$, modeling the honest-but-curious cloud server, cannot use the known tokens to obtain set intersection if the credentials that generate the tokens do not satisfy the access control policies associated to two ciphertexts simultaneously. Intuitively, $\mathcal{A}$ cannot use ${\mathsf{token}}_{\mathsf{A},\mathsf{B}}$ for $A\cap B$ and ${\mathsf{token}}_{\mathsf{B},\mathsf{C}}$ for $B\cap C$ to achieve set intersection $A\cap C$, if ${\mathsf{token}}_{\mathsf{A},\mathsf{B}}$ and ${\mathsf{token}}_{\mathsf{B},\mathsf{C}}$ whose associated attribute sets do not satisfy A and C’s access structure simultaneously. This can be formalized via the following fine-grained authorization security game.

Setup: The challenger produces $\mathsf{msk},\mathsf{pk}$ by executing $\mathsf{Setup}$, sets $\mathsf{msk}$ as the master private key, and returns $\mathsf{pk}$ back to $\mathcal{A}$.

Phase 1: $\mathcal{A}$ can make polynomial-many oracle queries as follows, and the challenger bookkeeps two lists $L_{\mathsf{UA}}$ and $L_{\mathsf{token}}$ initially empty.

• ${\mathcal{O}}_{\mathsf{KeyGen}}\left(\mathsf{UA}\right)$: The challenger replies $\mathsf{sk}\leftarrow \mathsf{KeyGen}(\mathsf{msk},\mathsf{UA})$ back to $\mathcal{A}$ and adds $\mathsf{UA}$ to $L_{\mathsf{UA}}$.
• ${\mathcal{O}}_{\mathsf{TokenGen}}\left(\mathsf{UA}\right)$: The challenger replies $\mathsf{token}\leftarrow \mathsf{TokenGen}\left(\mathsf{sk}\right)$ (where $\mathsf{sk}\leftarrow \mathsf{KeyGen}$$(\mathsf{msk},\mathsf{UA})$) to $\mathcal{A}$ and insert $\mathsf{UA}$ into $L_{\mathsf{token}}$.

Challenge: $\mathcal{A}$ selects ${\mathsf{T}}_1^{*}$ and ${\mathsf{T}}_2^{*}$, and sends them to the challenger. The challenger chooses two sets ${\mathsf{D}}_0,{\mathsf{D}}_1$, selects $\sigma \stackrel{R}{\leftarrow }\{0,1\}$, replies ${\mathsf{c}}_1^{*}\leftarrow \mathsf{Enc}({\mathsf{D}}_0,{\mathsf{T}}_1^{*})$ and ${\mathsf{c}}_2^{*}\leftarrow \mathsf{Enc}({\mathsf{D}}_{\sigma },,{\mathsf{T}}_2^{*})$ back to $\mathcal{A}$. It is required that

• $\forall \mathsf{UA}\in L_{\mathsf{UA}}$, $F({\mathsf{T}}_1^{*},\mathsf{UA})$ and $F({\mathsf{T}}_2^{*},\mathsf{UA})$ cannot be 1 simultaneously.
• $\forall \mathsf{UA}\in L_{\mathsf{token}}$, $F({\mathsf{T}}_1^{*},\mathsf{UA})$ and $F({\mathsf{T}}_2^{*},\mathsf{UA})$ cannot be 1 simultaneously.

Phase 2: It is similar to Phase 1, except that:

• For any query for ${\mathcal{O}}_{\mathsf{KeyGen}}\left(\mathsf{UA}\right)$ or ${\mathcal{O}}_{\mathsf{TokenGen}}\left(\mathsf{UA}\right)$, $F({\mathsf{T}}_1^{*},\mathsf{UA})$ and $F({\mathsf{T}}_2^{*},\mathsf{UA})$ cannot be 1 simultaneously.

Guess: A guess ${\sigma }^{\prime }$ is replied by $\mathcal{A}$. $\mathcal{A}$ wins the fine-grained authorization game if $\sigma ={\sigma }^{\prime }$.

Definition 4.

If the advantage $|Pr[{\sigma }^{\prime }=\sigma ]-\frac{1}{2}|$ that $\mathcal{A}$ wins fine-grained authorization security game is negligible, the $\mathsf{CP}$-$\mathsf{ABSI}$ construction is fine-grained authorization secure.

4. Scheme Construction

4.1. $\mathsf{CP}$-$\mathsf{ABSI}$ Construction

The $\mathsf{CP}$-$\mathsf{ABSI}$ scheme is described as follows.

$\mathsf{Setup}$($1^{\ell }$): Given security parameter ℓ, it generates the public parameter and master key as follows:

• Set $(e,q,g,g_T,G,G_T)\leftarrow \mathsf{BMapGen}\left(1^{\ell }\right)$.
• Let $H_1:{\{0,1\}}^{*}\to G$ and $H_2:{\{0,1\}}^{*}\to G$ be two secure hash functions.
• Choose $a,b\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, then make the public parameter as $\mathsf{pk}=(e,G,G_T,g,g^a,g^b,H_1,H_2)$ and the master secret key as $\mathsf{msk}=(a,b)$

$\mathsf{KeyGen}(\mathsf{msk},\mathsf{pk},\mathsf{UA})$: It picks $t\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, then calculates $X_1=g^{at}$ and $X_2=g^{bt}$. For each attribute ${\mathsf{at}}_i\in \mathsf{UA}$, it selects $c_i\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, and computes $Y_i=g^{abt}{H}_1{\left({\mathsf{at}}_i\right)}^{c_i}$ and $Z_i=g^{c_i}$. It sets the private key as $\mathsf{sk}=(\mathsf{UA},X_1,X_2,\left\{(Y_i,Z_i)\right|{\mathsf{at}}_i\in \mathsf{UA}\}).$

$\mathsf{Enc}(\mathsf{D},\mathsf{T},\mathsf{pk})$: Given set $\mathsf{D}=\{d_0,\dots ,d_n\}$ where $d_j\in {\{0,1\}}^{*}$, it encrypts $\mathsf{D}$ as follows: It picks $r_1,r_2\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and computes $A_1=g^{b{r}_1},A_2=g^{a(r_1+r_2)}{H}_2\left(d_j\right)$ for each $d_j$. It runs $\left\{q_v\left(0\right)\right|v\in \mathsf{leaf}\left(\mathsf{T}\right)\}\leftarrow \mathsf{Share}(\mathsf{T},r_2)$ and computes $B_v=g^{q_v\left(0\right)},C_v=H_1{\left(\mathsf{att}\left(v\right)\right)}^{q_v\left(0\right)}$ for each $v\in \mathsf{leaf}\left(\mathsf{T}\right)$. It sets the ciphertext as $\mathsf{c}=\{{\mathsf{c}}_0,\dots ,{\mathsf{c}}_n\}$, where ${\mathsf{c}}_j=(\mathsf{T},A_1,A_2,\{B_v,C_v|v\in \mathsf{leaf}\left(\mathsf{T}\right)\})$.

$\mathsf{TokenGen}(\mathsf{sk},\mathsf{pk})$: It selects $k\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, computes $\widehat{Y_i}=Y_i^k,\widehat{Z_i}=Z_i^k$ for each ${\mathsf{at}}_i\in \mathsf{UA}$, and sets $\widehat{X_1}=X_1^k,\widehat{X_2}=X_2^k$. It sets the token as $\mathsf{token}=(\mathsf{UA},\widehat{{\mathsf{X}}_{\mathsf{1}}},\widehat{{\mathsf{X}}_{\mathsf{2}}},\{\widehat{{\mathsf{Y}}_{\mathsf{i}}},\widehat{{\mathsf{Z}}_{\mathsf{i}}}|{\mathsf{at}}_{\mathsf{i}}\in \mathsf{UA}\}).$

$\mathsf{SI}(\mathsf{token},\mathsf{c},{\mathsf{c}}^{\prime })$: As input $\mathsf{c}=\{{\mathsf{c}}_0,\dots ,{\mathsf{c}}_n\}$, ${\mathsf{c}}^{\prime }=\{{\mathsf{c}}_0^{\prime },\dots ,{\mathsf{c}}_m^{\prime }\}$ and a token $\mathsf{token}$, it executes as follows:

• For ${\mathsf{c}}_j\in \mathsf{c}$, it arbitrarily chooses a subset $S\in \mathsf{UA}$ satisfying $\mathsf{T}$. If there is no such S, 0 is returned. Else, it calculates $E_v=e(\widehat{Y_i},B_v)/e(\widehat{Z_i},C_v)=e{(g,g)}^{abtk{q}_v\left(0\right)}$, where $\mathsf{att}\left(v\right)={\mathsf{at}}_i$. Then it runs $E_{\mathsf{root}}=e{(g,g)}^{abtk{r}_2}\leftarrow \mathsf{Combine}(\mathsf{T},E_v|\mathsf{att}\left(v\right)\in S)$, and computes $E_1=e(A_1,\widehat{X_1})=e{(g,g)}^{abtk{r}_1}$ and $E_{2j}=e(A_2,\widehat{X_2})/\left(E_{\mathsf{root}}{E}_1\right)=e{(H_2\left(d_j\right),g)}^{bkt}.$ It sets $E=\{E_{20},\dots ,E_{2n}\}$.
• For ${\mathsf{c}}_j^{\prime }\in {\mathsf{c}}^{\prime }$, it arbitrarily chooses a subset $S^{\prime }\in \mathsf{UA}$ satisfying ${\mathsf{T}}^{\prime }$. If there is no such $S^{\prime }$, 0 is returned. Else, it calculates $E_v^{\prime }=e(\widehat{Y_i},B_v^{\prime })/e(\widehat{Z_i},C_v^{\prime })=e{(g,g)}^{abtk{q}_v\left(0\right)}$, where $\mathsf{att}\left(v\right)={\mathsf{at}}_i$. Then it runs $E_{\mathsf{root}}^{\prime }=e{(g,g)}^{abtk{r}_2^{\prime }}\leftarrow \mathsf{Combine}({\mathsf{T}}^{\prime },E_v^{\prime }|\mathsf{att}\left(v\right)\in S^{\prime })$, and computes $E_1^{\prime }=e(A_1^{\prime },\widehat{X_1})=e{(g,g)}^{abtk{r}_1^{\prime }}$ and $E_{2j}^{\prime }=e(A_2^{\prime },\widehat{X_2})/\left(E_{\mathsf{root}}^{\prime }{E}_1^{\prime }\right)=e{(H_2\left(d_j^{\prime }\right),g)}^{bkt}.$ It sets $E^{\prime }=\{E_{20}^{\prime },\dots ,E_{2m}^{\prime }\}$.
• It outputs the set intersection $\mathsf{rslt}=\left\{{\mathsf{c}}_j\right|{\mathsf{c}}_j\in \mathsf{c},E_{2j}\in E\cap E^{\prime }\}$.

we can verify the correctness for $\mathsf{CP}$-$\mathsf{ABSI}$ construction easily according to the protocols. Then its security properties will be analyzed.

4.2. Security Analysis

Theorem 1.

The $\mathsf{CP}$-$\mathsf{ABSI}$ scheme is selective secure against chosen-plaintext attack in the generic bilinear group model as specified in Definition 2.

Proof. 

It is first to show that the scheme is secure when $\left|\mathsf{D}\right|=1$, and then extend it to the case $\left|\mathsf{D}\right|>1$.

Since in the challenge phase of the game, $\mathcal{A}$’s aim is to distinguish $g^{a(r_1+r_2)}{H}_2\left(d_0\right)$ and $g^{a(r_1+r_2)}{H}_2\left(d_1\right)$, where ${\mathsf{D}}_0=\left\{d_0\right\}$ and ${\mathsf{D}}_1=\left\{d_1\right\}$. The probabilities of $\mathcal{A}$ distinguishing $g^{a(r_1+r_2)}{H}_2\left(d_0\right)$ from $g^{\theta }$ and distinguishing $g^{\theta }$ from $g^{a(r_1+r_2)}{H}_2\left(d_1\right)$ where $\theta \stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ are the same. Therefore, if $\mathcal{A}$ distinguishes $g^{a(r_1+r_2)}{H}_2\left(d_0\right)$ from $g^{a(r_1+r_2)}{H}_2\left(d_1\right)$ with probability $\mu$, then $\mathcal{A}$ distinguishes between $g^{a(r_1+r_2)}{H}_2\left(d_0\right)$ and $g^{\theta }$ with probability $\mu /2$. We consider the following adjusted game, in which $\mathcal{A}$ attempts to discriminate between $g^{a(r_1+r_2)}$ and $g^{\theta }$ with $\theta \in {\mathbb{Z}}_p$.

Setup: The challenger randomly picks $a,b\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, sets public parameter as $(G,G_T,e,p,g,$$g^a,g^b)$, and transfers them to $\mathcal{A}$. It bookkeeps two initially empty lists $Lis{t}_{H_1}({\mathsf{at}}_j,{\alpha }_j)$ and $Lis{t}_{H_2}(d,\gamma )$. $\mathcal{A}$ can query polynomially many times for ${\mathcal{O}}_{H_1}$ and ${\mathcal{O}}_{H_2}$.

${\mathcal{O}}_{H_1}\left({\mathsf{at}}_j\right)$: If ${\mathsf{at}}_j$ has not been queried before, it picks ${\alpha }_j\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, replies $g^{{\alpha }_j}$ to $\mathcal{A}$ and inserts $({\mathsf{at}}_j,{\alpha }_j)$ into $Lis{t}_{H_1}$; Else, it retrieves ${\alpha }_j$ from $Lis{t}_{H_1}$ and replies $g^{{\alpha }_j}$ to $\mathcal{A}$.

${\mathcal{O}}_{H_2}\left(d\right)$: If an element d was queried before, it searches $\gamma$ from $Lis{t}_{H_2}$ and sends $g^{\gamma }$ back to $\mathcal{A}$; else, it picks $\gamma \stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, inserts $(d,\gamma )$ into $Lis{t}_{H_2}$, then sends $g^{\gamma }$ back to $\mathcal{A}$.

Phase 1: $\mathcal{A}$ can query the oracles polynomially many times as follows.

${\mathcal{O}}_{\mathsf{KeyGen}}\left(\mathsf{UA}\right)$: The challenger selects $t^{\left(u\right)}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$. For each ${\mathsf{at}}_j\in \mathsf{UA}$, it chooses $c_j^{\left(u\right)}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, and sets $\mathsf{sk}=(\mathsf{UA},X_1=g^{a{t}^{\left(u\right)}},X_2=g^{b{t}^{\left(u\right)}}\{Y_j=g^{ab{t}^{\left(u\right)}+{\alpha }_j{c}_j^{\left(u\right)}},Z_j=g^{c_j^{\left(u\right)}}|{\mathsf{at}}_j\in \mathsf{UA}\}).$

${\mathcal{O}}_{\mathsf{token}}\left(\mathsf{UA}\right)$: The challenger chooses $k^{\left(u\right)}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and calculates $\mathsf{token}=(\mathsf{UA},\widehat{{\mathsf{X}}_{\mathsf{1}}}={\mathsf{X}}_{\mathsf{1}}^{{\mathsf{k}}^{\left(\mathsf{u}\right)}}={\mathsf{g}}^{{\mathsf{at}}^{\left(\mathsf{u}\right)}{\mathsf{k}}^{\left(\mathsf{u}\right)}},\widehat{{\mathsf{X}}_{\mathsf{2}}}={\mathsf{X}}_{\mathsf{2}}^{{\mathsf{k}}^{\left(\mathsf{u}\right)}}={\mathsf{g}}^{{\mathsf{bt}}^{\left(\mathsf{u}\right)}{\mathsf{k}}^{\left(\mathsf{u}\right)}},\{\widehat{{\mathsf{Y}}_{\mathsf{j}}}={\mathsf{Y}}_{\mathsf{j}}^{{\mathsf{k}}^{\left(\mathsf{u}\right)}}={\mathsf{g}}^{{\mathsf{abt}}^{\left(\mathsf{u}\right)}{\mathsf{k}}^{\left(\mathsf{u}\right)}+{\alpha }_{\mathsf{j}}{\mathsf{c}}_{\mathsf{j}}^{\left(\mathsf{u}\right){\mathsf{k}}^{\left(\mathsf{u}\right)}}},\widehat{{\mathsf{Z}}_{\mathsf{j}}}={\mathsf{Z}}_{\mathsf{j}}^{{\mathsf{k}}^{\left(\mathsf{u}\right)}}={\mathsf{g}}^{{\mathsf{c}}_{\mathsf{j}}^{\left(\mathsf{u}\right)}{\mathsf{k}}^{\left(\mathsf{u}\right)}}|{\mathsf{at}}_{\mathsf{j}}\in \mathsf{UA}\}).$

Challenge: $\mathcal{A}$ chooses and transfers an access policy ${\mathsf{T}}^{*}$ to the challenger., which is not satisfied by any $\mathsf{UA}$ that was queried to ${\mathcal{O}}_{\mathsf{KeyGen}}$. The challenger picks two equal length messages $(d_0,d_1)$ uniformly at random from the message space, selects $r_1,r_2\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and $\sigma \stackrel{R}{\leftarrow }\{0,1\}$, and runs $\left\{q_v\left(0\right)\right|v\in \mathsf{leaf}\left({\mathsf{T}}^{*}\right)\}\leftarrow \mathsf{Share}({\mathsf{T}}^{*},r_2)$. If $\sigma =0$, then the challenger computes ${\mathsf{c}}^{*}=(A_1=g^{b{r}_1},A_2=g^{\theta },\{B_v=g^{q_v\left(0\right)},C_v=g^{{\alpha }_j{q}_v\left(0\right)}|v\in \mathsf{leaf}\left({\mathsf{T}}^{*}\right)\}),$ where $\mathsf{att}\left(v\right)={\mathsf{at}}_j$. Otherwise, it calculates ${\mathsf{c}}^{*}=(A_1=g^{b{r}_1},A_2=g^{a(r_1+r_2)},\{B_v=g^{q_v\left(0\right)},C_v=g^{{\alpha }_j{q}_v\left(0\right)}|v\in \mathsf{leaf}\left({\mathsf{T}}^{*}\right)\}),$ where $\mathsf{att}\left(v\right)={\mathsf{at}}_j$. At last, it returns ${\mathsf{c}}^{*}$ to $\mathcal{A}$.

Phase 2: $\mathcal{A}$ queries the oracles as in Phase 1.

Guess: $\mathcal{A}$ outputs a guess ${\sigma }^{\prime }$ of $\sigma$.

In the generic model, if it is distinguishable between $e{(g,g)}^{a(r_1+r_2)}$ and $g^{\theta }$ for $\mathcal{A}$, it should build $e{(g,g)}^{\Gamma a(r_1+r_2)}$ with certain $g^{\Gamma }$. Then it will be shown that the probability that $\mathcal{A}$ build $e{(g,g)}^{\Gamma a(r_1+r_2)}$ for certain $g^{\Gamma }$ is negligible, possibly taking advantage of the oracles’ outputs. Table 2 lists all the possible queries to group oracle $G_T$.

Table 2. Possible group oracle $G_T$ queries in the selective security game.

Queries 1	Queries 2	Queries 3	Queries 4
a	$c_j^{\left(u\right)}$	$c_j^{\left(u\right)}{k}^{\left(u\right)}$	$q_v\left(0\right)$
b	$a{t}^{\left(u\right)}$	$a{t}^{\left(u\right)}{k}^{\left(u\right)}$	${\alpha }_j{q}_v\left(0\right)$
${\alpha }_j$	$b{t}^{\left(u\right)}$	$b{t}^{\left(u\right)}{k}^{\left(u\right)}$
$b{r}_1$	$ab{t}^{\left(u\right)}+{\alpha }_j{c}_j^{\left(u\right)}$	$ab{t}^{\left(u\right)}{k}^{\left(u\right)}+{\alpha }_j{c}_j^{\left(u\right)}{k}^{\left(u\right)}$

Let us discuss the way building $e{(g,g)}^{\Gamma a(r_1+r_2)}$ with certain $\Gamma$. Since only the term $b{r}_1$ has the element $r_1$, the only way of building $e{(g,g)}^{\Gamma a(r_1+r_2)}$ for $\mathcal{A}$ is building $e{(g,g)}^{{\Gamma }^{\prime }ab{r}_2}$, where $\Gamma ={\Gamma }^{\prime }b$. Obviously, to construct ${\Gamma }^{\prime }ab{r}_2$, $\mathcal{A}$ needs to use $q_v\left(0\right)$, ${\alpha }_j{q}_v\left(0\right)$, $c_j^{\left(u\right)}$, $c_j^{\left(u\right)}{k}^{\left(u\right)}$, $ab{t}^{\left(u\right)}+{\alpha }_j{c}_j^{\left(u\right)}$ and $ab{t}^{\left(u\right)}{k}^{\left(u\right)}+{\alpha }_j{c}_j^{\left(u\right)}{k}^{\left(u\right)}$. However, only under the condition that the attribute set satisfies ${\mathsf{T}}^{*}$ can $r_2$ be reconstructed.

Thus far, it is shown that $\mathcal{A}$ can gain a negligible advantage in the modified game.

Intuitively, for the general case of $\left|\mathsf{D}\right|>1$, we can also prove that the scheme is selective secure against chosen-plaintext attack as in [5]. □

Theorem 2.

The $\mathsf{CP}$-$\mathsf{ABSI}$ scheme is one-wayness secure if hash function $H_2$ is one-way.

Proof. 

Suppose there is a PPT adversary $\mathcal{A}$ winning the game for one-wayness with a non-negligible advantage $\mu$, a challenger can be simulated to break one-wayness for $H_2$.

Given $H_2\left(d^{*}\right)=y^{*}$, the challenger executes the following game.

Setup: It chooses $a,b\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, sets $\mathsf{msk}=(a,b)$, and transfers $\mathsf{pk}=(G,G_T,e,p,g,g^a,g^b)$ to $\mathcal{A}$.

Phase 1: It keeps an initially empty list $L_{\mathsf{UA}}$. $\mathcal{A}$ is able to query the following oracles in polynomially many times:

${\mathcal{O}}_{\mathsf{KeyGen}}\left(\mathsf{UA}\right)$: For an attribute set $\mathsf{UA}$, it returns $\mathsf{sk}\leftarrow \mathsf{KeyGen}(\mathsf{msk},\mathsf{pk},\mathsf{UA})$ to $\mathcal{A}$ and inserts $\mathsf{UA}$ into $L_{\mathsf{UA}}$.

${\mathcal{O}}_{\mathsf{token}}\left(\mathsf{UA}\right)$: For an attribute set $\mathsf{UA}$, it replies $\mathsf{token}\leftarrow \mathsf{TokenGen}\left(\mathsf{KeyGen}\right(\mathsf{msk},\mathsf{pk},\mathsf{UA}),\mathsf{pk})$.

Challenge: $\mathcal{A}$ transfers to the challenger an access control policy ${\mathsf{T}}^{*}$, where $\forall \mathsf{UA}\in L_{\mathsf{UA}}$, $F(\mathsf{UA},{\mathsf{T}}^{*})=0$. The challenger selects $j\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and generates a data set ${\mathsf{D}}^{*}=(d_0,d_1,...,d_{|{\mathsf{D}}^{*}|-1})$, where $d_0,...,d_{j-1},d_{j+1},...,d_{|{\mathsf{D}}^{*}|-1}$ are chosen from $\mathsf{Msg}$ at random and $d_j$ is set as $d_j=d^{*}$ implicitly. It sets the ciphertext $\mathsf{c}={\left\{{\mathsf{c}}_k\right\}}_{k\in [0,|{\mathsf{D}}^{*}|-1]}$ as follows:

• If $k\ne j$, ${\mathsf{c}}_k$ is the same with that in the real scheme;
• If $k=j$, set $A_1=g^{b{r}_1},A_2=g^{a(r_1+r_2)}{y}^{*}$, by choosing $r_1,r_2\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ at random and setting $d_j=d^{*}$ implicitly. Then run $\left\{q_v\left(0\right)\right|v\in \mathsf{leaf}\left({\mathsf{T}}^{*}\right)\}\leftarrow \mathsf{Share}({\mathsf{T}}^{*},r_2)$ and compute $B_v=g^{q_v\left(0\right)},C_v=H_1{\left(\mathsf{att}\left(v\right)\right)}^{q_v\left(0\right)}$ for each $v\in \mathsf{leaf}\left({\mathsf{T}}^{*}\right)$. At last it sets ${\mathsf{c}}_k=({\mathsf{T}}^{*},A_1,A_2,\{B_v,C_v|v\in \mathsf{leaf}\left({\mathsf{T}}^{*}\right)\})$

The challenger chooses an attribute set ${\mathsf{UA}}^{*}$ such that $F({\mathsf{UA}}^{*},{\mathsf{T}}^{*})=1$, and forwards to the adversary $\mathcal{A}$${\mathsf{token}}^{*}\leftarrow \mathsf{TokenGen}\left(\mathsf{KeyGen}\right(\mathsf{msk},\mathsf{pk},$${\mathsf{UA}}^{*}),\mathsf{pk})$ and ${\mathsf{c}}^{*}=\left(\mathsf{c}\right)$.

Phase 2: It is the same as that defined by the game.

Guess: The challenger wins if $\mathcal{A}$ replies a guess d satisfying $d=d^{*}$.

It is shown that if $\mathcal{A}$ outputs $d\in {\mathsf{D}}^{*}$ with probability $|Pr[d\in {\mathsf{D}}^{*}]-\frac{m|{\mathsf{D}}^{*}|}{\left|\mathsf{Msg}\right|}|=\mu$, then $Pr[d\in {\mathsf{D}}^{*}]=\frac{m|{\mathsf{D}}^{*}|}{\left|\mathsf{Msg}\right|}+\mu$. Moreover, $Pr[d:d=d^{*}]\ge \frac{Pr[d\in {\mathsf{D}}^{*}]}{|{\mathsf{D}}^{*}|}=\frac{1}{|{\mathsf{D}}^{*}|}(\frac{m|{\mathsf{D}}^{*}|}{\left|\mathsf{Msg}\right|}+\mu )$, where $|{\mathsf{D}}^{*}|$ is the data set size. Therefore, if $\mathcal{A}$ wins the game for one-wayness with a non-negligible advantage $\mu$, the challenger can break the one-wayness for $H_2$ with a non-negligible probability that is at least $\frac{1}{|{\mathsf{D}}^{*}|}(\frac{m|{\mathsf{D}}^{*}|}{\left|\mathsf{Msg}\right|}+\mu )$. □

Theorem 3.

The $\mathsf{CP}$-$\mathsf{ABSI}$ scheme is fine-grained authorization secure in the generic bilinear group model.

Proof. 

We first show that the $\mathsf{CP}$-$\mathsf{ABSI}$ construction is fine-grained authorization secure while $|{\mathsf{D}}_0|=|{\mathsf{D}}_1|=1$.

Setup: The challenger picks $a,b\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and transfers $\mathsf{pk}=(G,G_T,e,g,p,g^a,g^b)$ to $\mathcal{A}$. The challenger bookkeeps lists $Lis{t}_{H_1}({\mathsf{at}}_j,{\alpha }_j)$ and $Lis{t}_{H_2}(\mathsf{D},\gamma )$, which are empty initially, and $\mathcal{A}$ can query ${\mathcal{O}}_{H_1}$ and ${\mathcal{O}}_{H_2}$ in polynomially many times as follows:

${\mathcal{O}}_{H_1}\left({\mathsf{at}}_j\right)$: Given the attribute ${\mathsf{at}}_j$, if ${\mathsf{at}}_j$ has not been queried before, it picks ${\alpha }_j\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, replies $g^{{\alpha }_j}$, and inserts $({\mathsf{at}}_j,{\alpha }_j)$ into $Lis{t}_{H_1}$; Else, it replies $g^{{\alpha }_j}$ by searching ${\alpha }_j$ from $Lis{t}_{H_1}$.

${\mathcal{O}}_{H_2}\left(\mathsf{D}\right)$: If $\mathsf{D}$ has been queried before, then it searches $\gamma$ from $Lis{t}_{H_2}$ and sends $g^{\gamma }$ back to $\mathcal{A}$; otherwise, it picks $\gamma \stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, replies $g^{\gamma }$ to $\mathcal{A}$, and inserts $(\mathsf{D},\gamma )$ into $Lis{t}_{H_2}$.

Phase 1: The challenger bookkeeps two initially empty lists $L_{\mathsf{UA}}$ and $L_{\mathsf{token}}$. $\mathcal{A}$ can query the oracles polynomially many times.

${\mathcal{O}}_{\mathsf{KeyGen}}\left(\mathsf{UA}\right)$: It picks $t^{\left(u\right)}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$. For each ${\mathsf{at}}_j\in \mathsf{UA}$, it chooses $c_j^{\left(u\right)}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, and sets $\mathsf{sk}=(\mathsf{UA},X_1=g^{a{t}^{\left(u\right)}},X_2=g^{b{t}^{\left(u\right)}},\{Y_j=g^{ab{t}^{\left(u\right)}+{\alpha }_j{c}_j^{\left(u\right)}},Z_j=g^{c_j^{\left(u\right)}}|{\mathsf{at}}_j\in \mathsf{UA}\}).$ It returns $\mathsf{sk}$ to A and adds $\mathsf{UA}$ to $L_{\mathsf{UA}}$.

${\mathcal{O}}_{\mathsf{token}}\left(\mathsf{UA}\right)$: The challenger selects $k^{\left(u\right)}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, runs ${\mathcal{O}}_{\mathsf{KeyGen}}\left(\mathsf{UA}\right)$. For each ${\mathsf{at}}_j\in \mathsf{UA}$, it chooses $c_j^{\left(u\right)}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, and sets $\mathsf{token}=(\mathsf{UA},\widehat{{\mathsf{X}}_{\mathsf{1}}}={\mathsf{X}}_{\mathsf{1}}^{{\mathsf{k}}^{\left(\mathsf{u}\right)}}={\mathsf{g}}^{{\mathsf{at}}^{\left(\mathsf{u}\right)}{\mathsf{k}}^{\left(\mathsf{u}\right)}},\widehat{{\mathsf{X}}_{\mathsf{1}}}={\mathsf{X}}_{\mathsf{2}}^{{\mathsf{k}}^{\left(\mathsf{u}\right)}}={\mathsf{g}}^{{\mathsf{bt}}^{\left(\mathsf{u}\right)}{\mathsf{k}}^{\left(\mathsf{u}\right)}},\{\widehat{{\mathsf{Y}}_{\mathsf{j}}}={\mathsf{Y}}_{\mathsf{j}}^{{\mathsf{k}}^{\left(\mathsf{u}\right)}}={\mathsf{g}}^{{\mathsf{abt}}^{\left(\mathsf{u}\right)}{\mathsf{k}}^{\left(\mathsf{u}\right)}+{\alpha }_{\mathsf{j}}{\mathsf{c}}_{\mathsf{j}}^{\left(\mathsf{u}\right){\mathsf{k}}^{\left(\mathsf{u}\right)}}},\widehat{{\mathsf{Z}}_{\mathsf{j}}}={\mathsf{Z}}_{\mathsf{j}}^{{\mathsf{k}}^{\left(\mathsf{u}\right)}}={\mathsf{g}}^{{\mathsf{c}}_{\mathsf{j}}^{\left(\mathsf{u}\right)}{\mathsf{k}}^{\left(\mathsf{u}\right)}}|{\mathsf{at}}_{\mathsf{j}}\in \mathsf{UA}\}).$ It sends $\mathsf{token}$ to $\mathcal{A}$ and inserts $\mathsf{UA}$ into $L_{\mathsf{token}}$.

Challenge: The adversary $\mathcal{A}$ selects access control policies ${\mathsf{T}}_1^{*},{\mathsf{T}}_2^{*}$ and sends them to the challenger. We require that (1) $\forall \mathsf{UA}\in L_{\mathsf{UA}}$, $F({\mathsf{T}}_1^{*},\mathsf{UA})$ and $F({\mathsf{T}}_2^{*},\mathsf{UA})$ cannot output 1 simultaneously, and (2) $\forall \mathsf{UA}\in L_{\mathsf{UA}}$, $F({\mathsf{T}}_1^{*},\mathsf{UA})$ and $F({\mathsf{T}}_2^{*},\mathsf{UA})$ cannot output 1 simultaneously. The challenger chooses two data sets $({\mathsf{D}}_0=(d_{0,0},...,d_{0,n}),{\mathsf{D}}_1=(d_{1,0},...,d_{1,n}))$ of equal length.

For each $d_{0,i},0\le i\le n$, the challenger selects $r_1,r_2\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and runs $\left\{q_v\left(0\right)\right|v\in \mathsf{leaf}\left({\mathsf{T}}_1^{*}\right)\}\leftarrow \mathsf{Share}({\mathsf{T}}_1^{*},r_2)$. It computes ${\mathsf{c}}_{1,i}^{*}=(A_1=g^{b{r}_1},A_2=g^{a(r_1+r_2)+{\beta }_{0,i}},B_v=g^{q_v\left(0\right)},\{C_v=g^{{\alpha }_j{q}_v\left(0\right)}|v\in \mathsf{leaf}\left({\mathsf{T}}_1^{*}\right)\})$, where $\mathsf{att}\left(v\right)={\mathsf{at}}_j$.

It selects $\sigma \stackrel{R}{\leftarrow }\{0,1\}$ and for each $d_{\sigma ,w},0\le w\le n,$ it selects $r_3,r_4\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and runs $\left\{q_v^{\prime }\left(0\right)\right|v\in \mathsf{leaf}\left({\mathsf{T}}_2^{*}\right)\}\leftarrow \mathsf{Share}({\mathsf{T}}_2^{*},r_4)$. It calculates $ciphe{r}_{2,w}^{*}=(A_1^{\prime }=g^{b{r}_3},A_2^{\prime }=g^{a(r_3+r_4)+{\beta }_{\sigma ,w}},B_v^{\prime }=g^{q_v^{\prime }\left(0\right)},\{C_v^{\prime }=g^{{\alpha }_j{q}_v^{\prime }\left(0\right)}|v\in \mathsf{leaf}\left({\mathsf{T}}_2^{*}\right)\}),$ where $\mathsf{att}\left(v\right)={\mathsf{at}}_j$.

At last, it returns ${\mathsf{c}}_1^{*}=({\mathsf{c}}_{1,0}^{*},...,{\mathsf{c}}_{1,n}^{*}),{\mathsf{c}}_2^{*}=({\mathsf{c}}_{2,0}^{*},...,{\mathsf{c}}_{2,n}^{*})$ to $\mathcal{A}$.

Phase 2: It is the same as that defined by the game.

Guess: A guess ${\sigma }^{\prime }$ of $\sigma$ is output by $\mathcal{A}$.

In this game, $\mathcal{A}$ attempts to determine whether ${\mathsf{D}}_{\sigma }$ is equal to ${\mathsf{D}}_0$. Since each message in data sets is encrypted independently, $\mathcal{A}$ needs to determine whether $d_{\sigma ,w}$ is equal to $d_{0,i}$ for $i,w\in \{0,...,n\}$. The only way is to judge whether or not $g^{{\beta }_{\sigma }}$ is same as $g^{{\beta }_0}$. Since in the generic model, the only way that $\mathcal{A}$ can determine ${\beta }_{\sigma }$ is equal to ${\beta }_0$ is that there are two queries $\nu ={\gamma }_1+{\gamma }_2{\beta }_{0,i}$ and ${\nu }^{\prime }={\gamma }_1+{\gamma }_2{\beta }_{\sigma ,w}$ for some ${\gamma }_1$ and ${\gamma }_2$ into G or $G_T$. We artificially add the query $\nu -{\nu }^{\prime }={\gamma }_2({\beta }_0-{\beta }_{\sigma })$ to $\mathcal{A}$’s queries. Then, it will be shown that $\mathcal{A}$ never makes any query for $g^{{\gamma }_2({\beta }_0-{\beta }_{\sigma ,w})}$. We can see that ${\beta }_0$ only appears in the term $a(r_1+r_2)+{\beta }_{0,i}$ and ${\beta }_{\sigma ,w}$ only appears in the term $a(r_3+r_4)+{\beta }_{\sigma ,w}$. So, $\mathcal{A}$ needs to construct $g^{{\gamma }_{2}a(r_1+r_2-r_3-r_4)}$. Table 3 lists all the queries to group oracle $G_T$.

Table 3. Possible queries for group oracle $G_T$ in fine-grained authorization game.

Queries 1	Queries 2	Queries 3	Queries 4	Queries 5
a	$c_j^{\left(u\right)}$	$c_j^{\left(u\right)}{k}^{\left(u\right)}$	$q_v\left(0\right)$	${\alpha }_j{q}_v^{\prime }\left(0\right)$
b	$a{t}^{\left(u\right)}$	$a{t}^{\left(u\right)}{k}^{\left(u\right)}$	${\alpha }_j{q}_v\left(0\right)$	$a(r_1+r_2)+{\beta }_0$
${\alpha }_j$	$b{t}^{\left(u\right)}$	$b{t}^{\left(u\right)}{k}^{\left(u\right)}$	$b{r}_3$	$a(r_3+r_4)+{\beta }_{\sigma }$
$ab{t}^{\left(u\right)}+{\alpha }_j{c}_j^{\left(u\right)}$	$ab{t}^{\left(u\right)}{k}^{\left(u\right)}+{\alpha }_j{c}_j^{\left(u\right)}{k}^{\left(u\right)}$	$b{r}_1$	$q_v^{\prime }\left(0\right)$

In the above game, $r_1$ only appears in the term $b{r}_1$ and $b{r}_3$ only appears in the term $b{r}_3$. Let ${\gamma }_2=b{\gamma }_2^{\prime }$ for some ${\gamma }_2^{\prime }$, and then $\mathcal{A}$ needs to construct ${\gamma }_2^{\prime }ab(r_2-r_4)$. Since $r_2$ is independent with $r_4$, $\mathcal{A}$ needs to construct ${\gamma }_2^{\prime }ab{r}_2$ and ${\gamma }_2^{\prime }ab{r}_4$. The only way to construct ${\gamma }_2^{\prime }ab{r}_2$ needs to use ($q_v\left(0\right)$, ${\alpha }_j{q}_v\left(0\right)$) and ($c_j^{\left(u\right)},ab{t}^{\left(u\right)}+{\alpha }_j{c}_j^{\left(u\right)}$, $ab{t}^{\left(u\right)}{k}^{\left(u\right)}+{\alpha }_j{c}_j^{\left(u\right)}{k}^{\left(u\right)}$,$c_j^{\left(u\right)}{k}^{\left(u\right)}$) related to key or token queries labeled with (${\mathsf{UA}}^{\left(u\right)},t^{\left(u\right)}$). $q_v\left(0\right)$ is $r_2$’s secret share associated to ${\mathsf{T}}_1$. So, $ab{t}^{\left(u\right)}{r}_2$ or $ab{t}^{\left(u\right)}{k}^{\left(u\right)}{r}_2$ can be only reconstructed if $F({\mathsf{UA}}^{\left(u\right)},{\mathsf{T}}_1)$. Let $\Omega$ is a set of $t^{\left(u\right)}$ such that ${\gamma }_2^{\prime }ab{r}_2$ for ${\gamma }^{\prime }=t^{\left(u\right)}c$ or ${\gamma }^{\prime }=k^{\left(u\right)}{t}^{\left(u\right)}c$, where $g^c$ is known to $\mathcal{A}$, can be reconstructed. For any $t^{\left(u\right)}\in \Omega$, ${\gamma }_2^{\prime }ab{r}_4=ab{r}_4{t}^{\left(u\right)}c$ or ${\gamma }_2^{\prime }ab{r}_4=ab{r}_4{t}^{\left(u\right)}{k}^{\left(u\right)}c$ can be reconstructed only if the key or token query labeled with $({\mathsf{UA}}^{\left(u\right)},t^{\left(u\right)})$ satisfies $F({\mathsf{UA}}^{\left(u\right)},{\mathsf{T}}_2)$. However, there is no key or token query labeled with (${\mathsf{UA}}^{\left(u\right)},t^{\left(u\right)}$) satisfying not only $F({\mathsf{UA}}^{\left(u\right)},{\mathsf{T}}_1)=1$ but also $F({\mathsf{UA}}^{\left(u\right)},{\mathsf{T}}_2)=1$. Therefore, there is no ${\gamma }_2^{\prime }$ such that ${\gamma }_2^{\prime }ab{r}_2$ and ${\gamma }_2^{\prime }ab{r}_4$ can both be reconstructed.

Consequently, $g^{{\gamma }_{2}a(r_1+r_2-r_3-r_4)}$ and $g^{{\gamma }_2({\beta }_0-{\beta }_{\sigma })}$ for some ${\gamma }_2$ can be constructed by $\mathcal{A}$ with negligible probability, and it is fine-grained authorization secure for $|{\mathsf{D}}_0|=|{\mathsf{D}}_1|=1$.

As with the evidence in Theorem 1, it can be shown that our solution is also fine-grained authorization secure for $|{\mathsf{D}}_0|=|{\mathsf{D}}_1|>1$. This completes the proof. □

5. Efficiency Analysis

Here, we measure the performance of $\mathsf{CP}$-$\mathsf{ABSI}$ and other related works about attribute-based set intersection by the asymptotic complexity. Pairing operation time is denoted by P, hash operation time is denoted by H, group exponentiation time in G is denoted by E, and group exponentiation time in $G_T$ is denoted by $E_T$. The multiplication operation is ignored since it has much higher efficiency compared to the above operations.

For analyzing the performance of $\mathsf{CP}$-$\mathsf{ABSI}$ clearly, firstly we compared it with $\mathsf{KP}$-$\mathsf{ABSI}$ [5], as in Table 4, as follows:

Table 4. Efficiency comparison between $\mathsf{KP}$-$\mathsf{ABSI}$ and our $\mathsf{CP}$-$\mathsf{ABSI}$. Note that here, both sets are n in size, the number of a data user’s attributes is S, the number of attributes involved in the access tree is N.

Scheme	$\mathsf{KP}$-$\mathsf{ABSI}$ [5]	$\mathsf{CP}$-$\mathsf{ABSI}$
$\mathsf{KeyGen}$	$(3N+2)$E + NH	$(2S+3)$E + SH
$\mathsf{Enc}$	$(S+3)n$E + $(S+1)n$H	$(2N+2)n$E + $(N+1)n$H
$\mathsf{TokenGen}$	$(2N+2)$E	$(2S+4)$E
$\mathsf{SI}$	$(2S+2)·2n$P + $S·2n{E}_T$	$(2N+2)·2n$P + $N·2n{E}_T$

It shows that $\mathsf{KeyGen}$ in the $\mathsf{CP}$-$\mathsf{ABSI}$ scheme is more expensive than that in the $\mathsf{KP}$-$\mathsf{ABSI}$ scheme, while $\mathsf{Enc}$ in the $\mathsf{CP}$-$\mathsf{ABSI}$ scheme is more expensive than that in the $\mathsf{KP}$-$\mathsf{ABSI}$ scheme. In both schemes, the $\mathsf{TokenGen}$ algorithm and the $\mathsf{SI}$ algorithm incur almost the same cost. $\mathsf{SI}$ algorithm can be delegated to the cloud server. However, our $\mathsf{CP}$-$\mathsf{ABSI}$ can specify the access structure over outsourced data sets directly, while $\mathsf{KP}$-$\mathsf{ABSI}$ can only access control for users because of its key-policy setting.

Additionally, as we showed in Section 2, on one hand, Ali’s solution [6] requires the data user to store complete sets of big data and spend more time than nE + nH for PSI operation at local. This has a great burden on the computing and storage for the cloud users. On the other hand, ABEET solutions [12,13,14] cannot support multi-elements data sets and fine-grained authorization security. Even worse, they require the data owners and trusted authority to always be online. So, the communication cost is too high and they are not applicable to the distributed cloud scenario.

Thus, our $\mathsf{CP}$-$\mathsf{ABSI}$ is the most practical and secure solution than existing attribute-based set intersection schemes for cloud computing.

6. Conclusions

We introduced a novel application of multimedia cloud computing: ciphertext-policy attribute-based encryption with outsourced set intersection. This application has five properties: (1) All cloud users outsource their encrypted data sets to a cloud, where each outsourced data set has an associated access control policy. (2) A data user who has the credentials that satisfy the data owner’s access control policy is able to delegate to the cloud the set intersection operation between his own and the data owner’s data sets. (3) The cloud helps data users calculate the set intersection without being capable of learning any additional useful information and without being given the data user’s credentials. (4) It is not required that the data owners and the trusted authority are always online. (5) It supports multi-elements data sets.

There are many interesting problems for future research in multimedia cloud computing. First, our schemes do not hide what credentials the data user possesses. How to hide such information is an open problem. Second, our main contribution is not for high performance, but for new cryptographic functions and security in this work. So, it is also interesting to design a high performance $\mathsf{CP}$-$\mathsf{ABSI}$ scheme in future work.