Ciphertext-Policy Attribute-Based Encryption with Outsourced Set Intersection in Multimedia Cloud Computing

: In a multimedia cloud computing system, suppose all cloud users outsource their own data sets to the cloud in the encrypted form. Each outsourced set is associated with an access structure such that a valid data user, Bob, with the credentials satisfying the access structure is able to conduct computing over outsourced encrypted set (e.g., decryption or other kinds of computing function). Suppose Bob needs to compute the set intersection over a data owner Alice’s and his own outsourced encrypted sets. Bob’s simple solution is to download Alice’s and Bob’s outsourced encrypted sets, perform set intersection operation, and decrypt the set intersection ciphertexts. A better solution is for Bob to delegate the cloud to calculate the set intersection, without giving the cloud any ability in breaching the secrecy of the sets. To solve this problem, this work introduces a novel primitive called ciphertext-policy attribute-based encryption with outsourced set intersection for multimedia cloud computing. It is the ﬁrst cryptographic algorithm supporting a fully outsourced encrypted storage, computation delegation, ﬁne-grained authorization security for ciphertext-policy model, without relying on an online trusted authority or data owners, and multi-elements set, simultaneously. We construct a scheme that provably satisﬁes the desirable security properties, and analyze its efﬁciency.


Introduction
The multimedia cloud computing has been a successful computing paradigm since it can offer mass data storage and elastic but powerful computing capabilities at an affordable price. Cloud users, e.g., data owners and data users, can outsource their multimedia data to the cloud, then access it and share it with other users at anytime from anywhere. However, since data outsourcing will undermine the control capability for data owners since the outsourced data resides in the cloud service providers' scope, it inevitably raises the security concerns regarding the data confidentiality, data integrity, and data access control. While it is natural to encrypt data before outsourcing it to the cloud, it indeed raises another issue about how to facilitate the cloud to perform some specific function over outsourced encrypted data without compromising data privacy.
In this paper, we study the problem of set intersection over outsourced encrypted data sets, which is a variant of the private set intersection (PSI) problem [1] that has been extensively studied. In the traditional setting of PSI, two data users, holding their own data sets at local, joint compute the data sets' intersection in a manner that they only obtain the information about the intersection but nothing else. PSI has been widely adopted to many practical applications, such as private data mining, private matching, credit information system, anti-epidemic information system, and educational resources sharing, etc.
Problem. For the multimedia cloud computing scenario, the cloud users (i.e., the data owners and the data users) no longer store their own data sets at local and calculate the set intersection by themselves. Instead, the cloud users expect to outsource them to the cloud in encrypted form and entrust the cloud to help them complete the set intersection operation. While several works have studied PSI over outsourced encrypted data in the cloud [2][3][4], it certainly raises a difficulty for the data owners on how to enforce that their encrypted data can be used to perform by only some specific users. That is, how can the data owners limit the ability for the data users on performing set intersection by complying with certain control policies.
Motivation. For this problem, Shi et al. combined key-policy attribute-based encryption and PSI to propose KP-ABSI to support fine-grained authorization for PSI computation [5]. In their protocol, it restricts PSI operation permissions through access control policy, embedded in data users' secret keys. However, in KP-ABSI , the access structure is associated with data users instead of outsourced data sets. So, it is not particularly suitable for achieving access control over cloud data. Recently, Ali et al. proposed a ciphertextpolicy attribute-based set intersection solution [6] to realize fine-grained authorization for outsourced data sets of data owners. Unfortunately, in their protocol, the data sets of the data users must be in plaintext form and the data users should execute PSI operations at local. It is not applicable to the case where all cloud users outsourced their encrypted data sets to the cloud and delegate PSI computation to the cloud. To our knowledge (cf. Section 2), none of the existing schemes consider this problem how to achieve the following objectives simultaneously: (1) All cloud users should outsource their data sets in the ciphertext form to the cloud. (2) The cloud users should be able to preserve data privacy while allowing the set intersection delegation to the cloud. (3) The cloud users should be able to accomplish fine-grained access control to the set operation permissions over their outsourced encrypted data sets. (4) It should not rely on the always online trusted authority and the data owners.
Our Contributions. For solving the above problem, this work introduces a novel notion called ciphertext-policy attribute-based encryption with outsourced set intersection (CP-ABSI) for multimedia cloud computing. In CP-ABSI, all cloud users encrypt their own data sets by customizing an access structure before outsourcing. An authorized data user (Bob), whose attributes satisfy the access structure of the data owner's (Alice) data set, can delegate the set intersection calculation between Alice's and Bob's data sets to the cloud by generating a token. This work presents the formal definition of CP-ABSI with security properties, then presents a specific scheme. There are five characteristic properties for our CP-ABSI scheme: (1) It supports fully outsourced encrypted data sets for all cloud users, including data owners and data users. (2) The cloud can be delegated to execute PSI operations and not acquire any additional information beyond the result of encrypted set intersection. (3) It combines PSI and CP-ABE to realize fine-grained authorization for outsourced set intersection operation. (4) The data owner and the trusted authority are not required to participate in the interaction. (5) It supports multi-elements data sets. It is suitable for multimedia cloud computing.

Related Work
Although PSI has been widely studied previously, all existing solutions did not resolve the problems considered in this work. We brief the relevant technologies below and compare them with our CP-ABSI as shown in Table 1.
Two-party Private Set Intersection. In this scenario, it only involves two participants, a client and a server, both of whom work interactively to accomplish the set intersection operation with their own data sets [7,8]. Unfortunately, these solutions cannot be adapted to cloud architecture; for that, both parties have to decrypt all of their outsourced encrypted data sets and do the heavy computations for PSI at local. Obviously, they cannot support fine-grained authorization and the data owner should be always online. Table 1. Property summary for PSI schemes. "×" means not supported, " √ " means supported, "CP" means ciphertextpolicy and "KP" means key-policy. In the related work and our solution in this paper. Fully outsourced encrypted storage means that all cloud users, including data owners and data users, can outsource their data sets in encrypted form. Computation delegation means it supports delegating PSI operations to the cloud. Fine-grained authorization security (as defined in Definition 4) means that it supports fine-grained authorization security with key-policy or ciphertext-policy setting. Without always online trusted authority or data owner means that it is not required that the trusted authority or data owners are always online. Multi-elements set means it supports multiple elements data set.

Schemes
Fully Outsourced Encrypted Storage

Fine-Grained Authorization Security
Without Always Online Trusted Authority or Data Owner

Symmetric/Asymmetric
Encryption with Equality Test [10,11] Three-party Private Set Intersection. In this model, it includes three participants, i.e., the cloud servers, the data owners, and data users, where the data owners and the data users wish to outsource set intersection operations to the server. For example, refs. [2][3][4]9] considered outsourcing set intersection operations to the cloud while preserving the privacy of the data sets. In addition, symmetric/asymmetric encryption with equality test, e.g., [10,11], is a specific solution for one-element data sets. Unfortunately, all of these solutions ask for the data owner to always be online or have no authorization mechanism. Thus, traditional three-party PSI protocols are impractical for the cloud system.
Attribute-based Encryption (ABE). A reliable solution for realizing fine-grained authorization for outsourced data is ABE, introduced by Sahai and Waters [15]. This technique allows the data users with appropriate attributes to decrypt the ciphertexts under an access structure. There are two types of ABE: ciphertext-policy ABE (CP-ABE) in which the ciphertext is generated under an access structure (e.g., [16,17]) and key-policy ABE (KP-ABE) in which the private key is generated under an access structure (e.g., [18,19]). ABE also can be combined with other techniques to provide fine-grained operation and computation, e.g., attribute-based keyword search (e.g., [20]) or attribute-based proxy re-encryption (e.g., [21]).
Attribute-based Set Intersection. The first attribute-based set intersection solution is attribute-based encryption with equality test (ABEET). ABEET supports access control and set intersection computation delegation, but only for one-element data sets. Zhu et al. and Wang et al., respectively, present the first KP-ABEET and CP-ABEET [12,13]. After that, Cui et al. presented a performance enhanced ciphertext-policy construction [14]. Unfortunately, in these schemes, the trapdoor is generated with the master secret key held by the trusted authority and the data owner is required to participate in the delegating phase to send its token to the cloud. So, the trusted authority and the data owners should be always online. Even worse, in existing ABEET schemes, the cloud server without token A,C can obtain set intersection A ∩ C with token A,B for A ∩ B and token B,C for B ∩ C. So, they actually cannot achieve fine-grained authorization security, which will be illustrated in Definition 4. It is impractical and secure enough for distributed cloud computing. The first attribute-based solution for multi-elements set intersection is proposed by Mohammad Ali et. al. It achieves fine-grained authorization security and is not dependent on an online trusted authority or data owners. However, in Ali's scheme, data users must store the plaintext form of their set and execute PSI operations at local. It is not supporting fully outsourced encrypted storage and computation delegation, so it is not applied to our scenario where the data sets of all cloud users are encrypted in the cloud. Later, Shi et al. introduced a KP-ABSI scheme by combining KP-ABE and PSI to achieve fully outsourced encrypted storage and computation delegation. However, it is still not applied to our scenario since it implements access control for cloud users instead of cloud data sets [5].
For that, in this work, we combine PSI and CP-ABE to propose a novel primitive named ciphertext-policy attribute-based encryption with outsourced set intersection (CP-ABSI), implementing access control for ciphertext data sets. Compared with existing solutions, our CP-ABSI can support a fully outsourced encrypted storage, computation delegation, fine-grained authorization security for ciphertext-policy(CP) model, without relying on an online trusted authority or data owners, and multi-elements set, simultaneously. Figure 1 highlights the system model, which consists of three entities-a cloud server, a trusted attribute authority, and the cloud users, e.g., a data owner (named Alice), an authorized data user (named Bob), and an unauthorized data user (named Calos). The cloud affords for the cloud users computing and storing supporting. The trusted attribute authority issues data users' secret keys in line with their attribute certificates. The data owner (i.e., Alice), which can be either individuals or organizations, encrypt their private data sets according to an access control policy and then outsource them to the cloud server. An authorized user (i.e., Bob), whose attributes satisfy Alice's and his own access structures simultaneously, can delegate set intersection operations over Alice's and his own encrypted data sets to the cloud. Whereas any unauthorized user, i.e., Calos, whose attributes do not satisfy the access structure of Alice, cannot outsource the set intersection operations to the cloud. Here, we suppose that the cloud is honest but curious, meaning that it runs the protocols honestly but attempts to obtain privacy information about the data sets.

System Model
A cloud user is malicious and might collude with the semi-trusted cloud.

Formal Definition
Here is shown the formal definition of CP-ABSI (ciphertext-policy attribute-based encryption with outsourced set intersection), in which ciphertexts are generated under an access structure. T is denoted as an access policy and UA is denoted as an attribute set, respectively, in CP-ABSI. Let F(T, UA) = 1 if and only if T is satisfied by UA in CP-ABSI. Definition 1. (CP-ABSI) A scheme for CP-ABSI has the following algorithms: (pk, msk) ← Setup(1 ): The trusted attribute authority bootstraps the master private key msk and the public parameters pk as input a security parameter .
sk ← KeyGen(msk, UA): The trusted attribute authority generates secret keys sk for a data user. c ← Enc(D, T): Given T, a cloud user (data owner or data user) encrypts their private data set D. Then they outsource the ciphertexts to the cloud.
token ← TokenGen(sk): A data user runs this algorithm to generate a token to delegate the set intersection operations between the data owner's and his own encrypted data sets to the cloud, where the token token will be sent to the cloud for this purpose.

Security Definitions
It is said that the CP-ABSI scheme is secure if it satisfies the following security properties: selective security against chosen-plaintext attack, one-wayness under a chosenplaintext attack, and fine-grained authorization security.
Selective security against chosen-plaintext attack: Intuitively, this property says that a probabilistic polynomial-time (PPT) adversary A, modeling malicious unauthorized data users, cannot obtain any useful information about the encrypted sets without being given the corresponding tokens, where the term "selective" means that it asks for the adversary A to choose T which parties to compromise before initializing the public parameters. This security property can be formally defined by the game between A and a challenger as follows.
Setup: A chooses T * and sends it to the challenger. Then the challenger executes Setup to bootstrap msk and pk, it sets msk as the master private key and sends pk to A as a public key.

Guess:
A guess σ is replied by A. A wins the security game if σ = σ . Definition 2. If the advantage | Pr[σ = σ] − 1/2| that A wins the selective security game is negligible, the CP-ABSI construction is selective secure.
One-wayness security: Intuitively, this property requires that any PPT adversary A, modeling honest-but-curious cloud server, even with a token, is unable to acquire any useful information about the plaintexts corresponding to the ciphertexts in question. Note that, given a target ciphertext and the appropriate token, where the term "appropriate" means the credentials that generate the token satisfy the access control policy associated to the target ciphertext, A can purposefully choose and encrypt a data set element with public parameters, and compare their chosen ciphertext with the target ciphertext. Obliviously, brute-force attack is inevitable, so it is just demanded that A have no better strategy. The one-wayness security can be defined by the following game.

Setup:
The challenger produces msk, pk by executing Setup, sets msk as the master secret key, and sends pk to A as the public parameters. Phase 1: A can query following oracles for polynomial-many times, the challenger bookkeeps a list L UA initially empty. Definition 3. If the advantage | Pr[d ∈ D * ] − m|D * | |Msg| |, in which Msg is the domain size of set elements and m is the number of guess/brute-force attacks A makes, that A wins the one-wayness security game is negligible, the CP-ABSI construction is one-wayness secure.
Fine-grained authorization: The adversary A, modeling the honest-but-curious cloud server, cannot use the known tokens to obtain set intersection if the credentials that generate the tokens do not satisfy the access control policies associated to two ciphertexts simultaneously. Intuitively, A cannot use token A,B for A ∩ B and token B,C for B ∩ C to achieve set intersection A ∩ C, if token A,B and token B,C whose associated attribute sets do not satisfy A and C's access structure simultaneously. This can be formalized via the following fine-grained authorization security game.

Setup:
The challenger produces msk, pk by executing Setup, sets msk as the master private key, and returns pk back to A . Phase 1: A can make polynomial-many oracle queries as follows, and the challenger bookkeeps two lists L UA and L token initially empty. Challenge: A selects T * 1 and T * 2 , and sends them to the challenger. The challenger chooses two sets D 0 , D 1 , selects σ R ← {0, 1}, replies c * 1 ← Enc(D 0 , T * 1 ) and c * 2 ← Enc(D σ , , T * 2 ) back to A. It is required that • ∀UA ∈ L UA , F(T * 1 , UA) and F(T * 2 , UA) cannot be 1 simultaneously.

Guess:
A guess σ is replied by A. A wins the fine-grained authorization game if σ = σ . Definition 4. If the advantage | Pr[σ = σ] − 1 2 | that A wins fine-grained authorization security game is negligible, the CP-ABSI construction is fine-grained authorization secure.
• Choose a, b R ← Z p , then make the public parameter as pk = (e, G, G T , g, g a , g b , H 1 , H 2 ) and the master secret key as msk = (a, b) KeyGen(msk, pk, UA): It picks t R ← Z p , then calculates X 1 = g at and X 2 = g bt . For each attribute at i ∈ UA, it selects c i R ← Z p , and computes Y i = g abt H 1 (at i ) c i and Z i = g c i . It sets the private key as sk = (UA, X 1 , . Enc(D, T, pk): Given set D = {d 0 , . . . , d n } where d j ∈ {0, 1} * , it encrypts D as follows: It picks r 1 , r 2 R ← Z p and computes A 1 = g br 1 , A 2 = g a(r 1 +r 2 ) H 2 (d j ) for each d j . It runs {q v (0)|v ∈ leaf(T)} ← Share(T, r 2 ) and computes B v = g q v (0) , C v = H 1 (att(v)) q v (0) for each v ∈ leaf(T). It sets the ciphertext as c = {c 0 , . . . , c n }, where c j = (T, A 1 , A 2 , {B v , C v |v ∈ leaf(T)}).

Security Analysis
Theorem 1. The CP-ABSI scheme is selective secure against chosen-plaintext attack in the generic bilinear group model as specified in Definition 2.
Proof. It is first to show that the scheme is secure when |D| = 1, and then extend it to the case |D| > 1.
Since in the challenge phase of the game, A's aim is to distinguish g a(r 1 +r 2 ) H 2 (d 0 ) and g a(r 1 +r 2 ) H 2 (d 1 ), where D 0 = {d 0 } and D 1 = {d 1 }. The probabilities of A distinguishing g a(r 1 +r 2 ) H 2 (d 0 ) from g θ and distinguishing g θ from g a(r 1 +r 2 ) H 2 (d 1 ) where θ R ← Z p are the same. Therefore, if A distinguishes g a(r 1 +r 2 ) H 2 (d 0 ) from g a(r 1 +r 2 ) H 2 (d 1 ) with probability µ, then A distinguishes between g a(r 1 +r 2 ) H 2 (d 0 ) and g θ with probability µ/2. We consider the following adjusted game, in which A attempts to discriminate between g a(r 1 +r 2 ) and g θ with θ ∈ Z p .

Setup:
The challenger randomly picks a, b R ← Z p , sets public parameter as (G, G T , e, p, g, g a , g b ), and transfers them to A. It bookkeeps two initially empty lists List H 1 (at j , α j ) and List H 2 (d, γ). A can query polynomially many times for O H 1 and O H 2 .
O H 1 (at j ): If at j has not been queried before, it picks α j R ← Z p , replies g α j to A and inserts (at j , α j ) into List H 1 ; Else, it retrieves α j from List H 1 and replies g α j to A.
O H 2 (d): If an element d was queried before, it searches γ from List H 2 and sends g γ back to A; else, it picks γ R ← Z p , inserts (d, γ) into List H 2 , then sends g γ back to A. Phase 1: A can query the oracles polynomially many times as follows.
and sets sk = (UA, X 1 = g at (u) , O token (UA): The challenger chooses k (u) R ← Z p and calculates token = (UA,X 1 = X k (u) Challenge: A chooses and transfers an access policy T * to the challenger., which is not satisfied by any UA that was queried to O KeyGen . The challenger picks two equal length messages (d 0 , d 1 ) uniformly at random from the message space, selects r 1 , r 2 R ← Z p and σ R ← {0, 1}, and runs {q v (0)|v ∈ leaf(T * )} ← Share(T * , r 2 ). If σ = 0, then the challenger computes c * = (A 1 = g br 1 , Phase 2: A queries the oracles as in Phase 1.

Guess: A outputs a guess σ of σ.
In the generic model, if it is distinguishable between e(g, g) a(r 1 +r 2 ) and g θ for A, it should build e(g, g) Γa(r 1 +r 2 ) with certain g Γ . Then it will be shown that the probability that A build e(g, g) Γa(r 1 +r 2 ) for certain g Γ is negligible, possibly taking advantage of the oracles' outputs. Table 2 lists all the possible queries to group oracle G T .
Let us discuss the way building e(g, g) Γa(r 1 +r 2 ) with certain Γ. Since only the term br 1 has the element r 1 , the only way of building e(g, g) Γa(r 1 +r 2 ) for A is building e(g, g) Γ abr 2 , where Γ = Γ b. Obviously, to construct Γ abr 2 , A needs to use q v (0), α j q v (0), c and abt (u) k (u) + α j c (u) j k (u) . However, only under the condition that the attribute set satisfies T * can r 2 be reconstructed. Thus far, it is shown that A can gain a negligible advantage in the modified game. Intuitively, for the general case of |D| > 1, we can also prove that the scheme is selective secure against chosen-plaintext attack as in [5]. Table 2. Possible group oracle G T queries in the selective security game.

Queries 1 Queries 2 Queries 3 Queries 4
a c Theorem 2. The CP-ABSI scheme is one-wayness secure if hash function H 2 is one-way.
Proof. Suppose there is a PPT adversary A winning the game for one-wayness with a non-negligible advantage µ, a challenger can be simulated to break one-wayness for H 2 .
Given H 2 (d * ) = y * , the challenger executes the following game.
Setup: It chooses a, b R ← Z p , sets msk = (a, b), and transfers pk = (G, G T , e, p, g, g a , g b ) to A. If k = j, c k is the same with that in the real scheme; • If k = j, set A 1 = g br 1 , A 2 = g a(r 1 +r 2 ) y * , by choosing r 1 , r 2 R ← Z p at random and setting d j = d * implicitly. Then run {q v (0)|v ∈ leaf(T * )} ← Share(T * , r 2 ) and compute The challenger chooses an attribute set UA * such that F(UA * , T * ) = 1, and forwards to the adversary A token * ← TokenGen(KeyGen(msk, pk, UA * ), pk) and c * = (c).

Phase 2:
It is the same as that defined by the game.

Guess: The challenger wins if A replies a guess
where |D * | is the data set size. Therefore, if A wins the game for one-wayness with a non-negligible advantage µ, the challenger can break the one-wayness for H 2 with a non-negligible probability that is at least 1 |D * | ( m|D * | |Msg| + µ).
Theorem 3. The CP-ABSI scheme is fine-grained authorization secure in the generic bilinear group model.

Setup:
The challenger picks a, b R ← Z p and transfers pk = (G, G T , e, g, p, g a , g b ) to A. The challenger bookkeeps lists List H 1 (at j , α j ) and List H 2 (D, γ), which are empty initially, and A can query O H 1 and O H 2 in polynomially many times as follows: O H 1 (at j ): Given the attribute at j , if at j has not been queried before, it picks α j R ← Z p , replies g α j , and inserts (at j , α j ) into List H 1 ; Else, it replies g α j by searching α j from List H 1 .
O H 2 (D): If D has been queried before, then it searches γ from List H 2 and sends g γ back to A; otherwise, it picks γ R ← Z p , replies g γ to A, and inserts (D, γ) into List H 2 .

Phase 1:
The challenger bookkeeps two initially empty lists L UA and L token . A can query the oracles polynomially many times.
. It returns sk to A and adds UA to L UA .
|at j ∈ UA}). It sends token to A and inserts UA into L token .

Guess:
A guess σ of σ is output by A.
In this game, A attempts to determine whether D σ is equal to D 0 . Since each message in data sets is encrypted independently, A needs to determine whether d σ,w is equal to d 0,i for i, w ∈ {0, ..., n}. The only way is to judge whether or not g β σ is same as g β 0 . Since in the generic model, the only way that A can determine β σ is equal to β 0 is that there are two queries ν = γ 1 + γ 2 β 0,i and ν = γ 1 + γ 2 β σ,w for some γ 1 and γ 2 into G or G T . We artificially add the query ν − ν = γ 2 (β 0 − β σ ) to A's queries. Then, it will be shown that A never makes any query for g γ 2 (β 0 −β σ,w ) . We can see that β 0 only appears in the term a(r 1 + r 2 ) + β 0,i and β σ,w only appears in the term a(r 3 + r 4 ) + β σ,w . So, A needs to construct g γ 2 a(r 1 +r 2 −r 3 −r 4 ) . Table 3 lists all the queries to group oracle G T .
In the above game, r 1 only appears in the term br 1 and br 3 only appears in the term br 3 . Let γ 2 = bγ 2 for some γ 2 , and then A needs to construct γ 2 ab(r 2 − r 4 ). Since r 2 is independent with r 4 , A needs to construct γ 2 abr 2 and γ 2 abr 4 . The only way to construct γ 2 abr 2 needs to use (q v (0), α j q v (0)) and (c j k (u) ) related to key or token queries labeled with (UA (u) , t (u) ). q v (0) is r 2 's secret share associated to T 1 . So, abt (u) r 2 or abt (u) k (u) r 2 can be only reconstructed if F(UA (u) , T 1 ). Let Ω is a set of t (u) such that γ 2 abr 2 for γ = t (u) c or γ = k (u) t (u) c, where g c is known to A, can be reconstructed. For any t (u) ∈ Ω, γ 2 abr 4 = abr 4 t (u) c or γ 2 abr 4 = abr 4 t (u) k (u) c can be reconstructed only if the key or token query labeled with (UA (u) , t (u) ) satisfies F(UA (u) , T 2 ). However, there is no key or token query labeled with (UA (u) , t (u) ) satisfying not only F(UA (u) , T 1 ) = 1 but also F(UA (u) , T 2 ) = 1. Therefore, there is no γ 2 such that γ 2 abr 2 and γ 2 abr 4 can both be reconstructed.
As with the evidence in Theorem 1, it can be shown that our solution is also finegrained authorization secure for |D 0 | = |D 1 | > 1. This completes the proof. Table 3. Possible queries for group oracle G T in fine-grained authorization game.

Efficiency Analysis
Here, we measure the performance of CP-ABSI and other related works about attributebased set intersection by the asymptotic complexity. Pairing operation time is denoted by P, hash operation time is denoted by H, group exponentiation time in G is denoted by E, and group exponentiation time in G T is denoted by E T . The multiplication operation is ignored since it has much higher efficiency compared to the above operations.
For analyzing the performance of CP-ABSI clearly, firstly we compared it with KP-ABSI [5], as in Table 4, as follows: Table 4. Efficiency comparison between KP-ABSI and our CP-ABSI . Note that here, both sets are n in size, the number of a data user's attributes is S, the number of attributes involved in the access tree is N.

KP-ABSI [5]
CP-ABSI KeyGen (3N + 2)E + NH (2S + 3)E + SH Enc (S + 3)nE + (S + 1)nH (2N + 2)nE + (N + 1)nH It shows that KeyGen in the CP-ABSI scheme is more expensive than that in the KP-ABSI scheme, while Enc in the CP-ABSI scheme is more expensive than that in the KP-ABSI scheme. In both schemes, the TokenGen algorithm and the SI algorithm incur almost the same cost. SI algorithm can be delegated to the cloud server. However, our CP-ABSI can specify the access structure over outsourced data sets directly, while KP-ABSI can only access control for users because of its key-policy setting.
Additionally, as we showed in Section 2, on one hand, Ali's solution [6] requires the data user to store complete sets of big data and spend more time than nE + nH for PSI operation at local. This has a great burden on the computing and storage for the cloud users. On the other hand, ABEET solutions [12][13][14] cannot support multi-elements data sets and fine-grained authorization security. Even worse, they require the data owners and trusted authority to always be online. So, the communication cost is too high and they are not applicable to the distributed cloud scenario.
Thus, our CP-ABSI is the most practical and secure solution than existing attributebased set intersection schemes for cloud computing.

Conclusions
We introduced a novel application of multimedia cloud computing: ciphertext-policy attribute-based encryption with outsourced set intersection. This application has five properties: (1) All cloud users outsource their encrypted data sets to a cloud, where each outsourced data set has an associated access control policy. (2) A data user who has the credentials that satisfy the data owner's access control policy is able to delegate to the cloud the set intersection operation between his own and the data owner's data sets. (3) The cloud helps data users calculate the set intersection without being capable of learning any additional useful information and without being given the data user's credentials. (4) It is not required that the data owners and the trusted authority are always online. (5) It supports multi-elements data sets.
There are many interesting problems for future research in multimedia cloud computing. First, our schemes do not hide what credentials the data user possesses. How to hide such information is an open problem. Second, our main contribution is not for high performance, but for new cryptographic functions and security in this work. So, it is also interesting to design a high performance CP-ABSI scheme in future work.