Delegated Key-Policy Attribute-Based Set Intersection over Outsourced Encrypted Data Sets for CloudIoT

Private set intersection (PSI) is a fundamental cryptographic primitive, allowing two parties to calculate the intersection of their data sets without exposing additional private information. In cloud-based IoTsystem, IoT-enabled devices would like to outsource their data sets in their encrypted form to the cloud. In this scenario, how to delegate the set intersection computation over outsourced encrypted data sets to the cloud and how to achieve the fine-grained access control for PSI without divulging any additional information to the cloud are still open problems. With that in mind, in this work, we combine key-policy attributebased encryption (KP-ABE) and PSI to introduce such a novel concept, called delegated key-policy attribute-based set intersection over outsourced encrypted data sets (KP-ABSI), to solve this problem. ,en we propose a first concrete KP-ABSI scheme and analyze its efficiency.


Introduction
Internet of ings (IoT) is enabling Smart City initiatives all over the world. Recently, IoT-based applications have been widely developed, such as smart grid and smart healthcare [1,2]. With the growth of IoT, enormous amount of data is generated by IoT-enabled devices. ey need to be stored, processed, and accessed. us, Alessio et al. firstly merged cloud and IoT to introduce a new paradigm named Clou-dIoT to solve the issues [3]. For cloud-based IoT, the research on the security and privacy for the big data of IoT is a hot spot.
Private set intersection (PSI), firstly proposed by [4], is a special case of secure multiparty computation. It enables two parties to calculate the set intersection of their data sets under the condition of privacy preservation. It is applied to many practical scenarios, such as IoT and internet-based personal health record (PHR) systems. In traditional PSI solutions, the data users hold their own data sets. However, in CloudIoT computing, data users (i.e., IoT-enabled devices) with limited computing power and storage resources would like to outsource their data sets to the cloud. For confidentiality and privacy, data sets should be encrypted before outsourcing. Cloud service providers provide flexible services to fulfill cloud users' demand.
Based on this, we research on PSI over outsourced encrypted data sets in the CloudIoT system. In this scenario, the data users (i.e., the IoT-enabled devices) will encrypt and outsource their data sets to the cloud and then delegate the cloud to perform the set intersection. It has been studied by some works [5][6][7]. But it indeed raises a concern on how to enforce fine-grained access control for limiting the cloud's capability on computing set intersection. For this, Mohammad Ali et. al combined ciphertext-policy attributebased encryption and private set intersection to propose an attribute-based private set intersection [8]. However, in their solution, the data user, who requests the set intersection operation, should hold the data sets in plaintext form. It does not really focus on outsourced encrypted data sets. Besides, there is still no solution for key-policy setting.
In this paper, we firstly combined key-policy attributebased encryption and private set intersection to introduce a novel concept called delegated key-policy attribute-based set intersection over outsourced encrypted data sets (KP-ABSI). KP-ABSI focuses on the problem of set intersection over outsourced data sets in the cloud paradigm. It allows data owners to specify some attributes set on his/her data set and encrypt it before outsourcing, respectively. A data user with proper access control policy (satisfied by the attribute set specified by the data owner and himself/herself ) can generate a token to delegate the cloud sever to perform the set intersection over his/her and the data owner's outsourced encrypted data sets. We formally give the definition and security notion for KP-ABSI and propose a concrete construction.
Our KP-ABSI scheme has three distinctive properties: (1) Our solution realizes fine-grained authorization for set intersection over encrypted outsourced data sets by combining KP-ABE and PSI. (2) e cloud server cannot obtain any information about the plaintexts beyond the result of set intersection, which is also with the form of ciphertexts. (3) Compared with existing PSI schemes, our schemes do not require interaction with the data owner or the trusted authority.

Related Work
Although the scholars have carried out extensive research on PSI, the existing solutions cannot solve the problems considered in this paper. In the following part, we will briefly introduce the related works. In general, they can be divided into three categories as follows.
Two-Party Private Set Intersection. e traditional PSI has two participants, a data owner and a data user. Both of them hold their own data sets and interactively compute the set intersection [9,10]. However, twoparty PSI does not apply to cloud computing because two parties must hold their data sets by themselves.
ree-Party Private Set Intersection. Typically, threeparty PSI involves three participants: a data owner, a data user, and the cloud server. e data user and the data owner would like to outsource their data sets to the cloud and delegate set intersection computation to the cloud. [5,7,11]. Moreover, public key encryption with equality test [12][13][14][15] can also be used to attain this goal. However, in these solutions, there is not any authorization mechanism and the data owner online is required to authorize the data user. So, they are not practical in the cloud computing. Attribute-Based Encryption. ABE, which is introduced by Sahai and Waters, achieves fine-grained access control for outsourced data [16]. ere are two variants of ABE: key-policy attribute-based encryption (KP-ABE) where the decryption key is associated with the access control policy (e.g., [17][18][19]) and ciphertext-policy attributebased encryption (CP-ABE) where the ciphertext is associated with the access control policy (e.g., [20][21][22]). In 2017, Zhu et al. presented a key-policy attribute-based encryption with equality test, which can be utilized to do the set intersection over outsourced encrypted data set of one element. After that, Wang et al. proposed the first ciphertext-policy attribute-based encryption with equality test scheme [23,24]. Later, Cui et al. improved its efficiency [25]. However, attribute-based encryption with equality test is only for one element. For this, in 2020, Mohammad Ali et. al firstly combined CP-ABE and PSI to propose an attribute-based set intersection scheme [8]. It achieves fine-grained access control for set intersection computation. Unfortunately, their solution requires the data user to hold his/her data set in the plaintext form. It did not really focus on outsourced encrypted data sets in the cloud computing. Moreover, there are no key-policy setting solutions for attribute-based set intersection. us, in this paper, we combine KP-ABE with PSI to introduce a novel primitive-delegated key-policy attributebased set intersection over outsourced encrypted data sets (KP-ABSI). For fairness, we summarize the properties of KP-ABSI scheme in Table 1.

System Model.
e system model for KP-ABSI is shown in Figure 1. ere are three participants: the trusted attribute authority, the cloud users (e.g., data owner Alice, authorized data user Bob, and unauthorized data user Carlos), and the cloud server. e trusted attribute authority primarily initiates the public parameters and issues private keys for data users according to their access control polices. Cloud server provides powerful storage and computing services for cloud users. e cloud users outsource their private data sets to the cloud server. Specifically, a cloud user, Alice, outsources her data set to the cloud in encrypted form, where the encryption is conducted according to some attribute set UAtt A . An authorized user, Bob, whose access control policy is satisfied by the attribute set UAtt A , can delegate to the cloud the computation of set intersection between Alice's outsourced encrypted sets and his own outsourced encrypted sets (Bob naturally has the private key to decrypt his own outsourced encrypted data). Meanwhile, any unauthorized user, Carlos, is neither able to decrypt Alice's outsourced encrypted data sets nor able to delegate the cloud to perform the set intersection operation.
In this model, we assume that the cloud is semitrusted (i.e., honest-but-curious), which means that the cloud honestly executes the protocol for two honest users, but tries to learn useful information beyond the ciphertexts through set intersection operations. Cloud users may be malicious and may collude with each other. We even allow a malicious user, say Bob, to collude with the semitrusted cloud. However, in this case, we cannot require that the cloud be not able to decrypt the honest user's, say Alice, ciphertext data set when the malicious and colluding user, Bob, has the private key for decrypting Alice's data set (e.g., Bob can simply give his private key to the cloud).

Functional Definition.
In this part, we introduce the formal definition for delegated key-policy attribute-based set intersection over outsourced encrypted data sets (KP-ABSI), where private keys are associated with access control policies. For convenience, we denote by UAtt an attribute set and by T an access policy in KP-ABSI. Let F(UAtt, T) � 1 if and only if UAtt satisfies T in KP-ABSI.

Definition 1.
Delegated key-policy attribute-based set intersection over outsourced encrypted data sets (KP-ABSI) includes five algorithms as follows: (pk, mk) ⟵ Setup(1 ℓ ): Given a security parameter ℓ as input, the trusted attribute authority initializes the system public parameters pk and the master secret key mk. sk ⟵ KeyGen(mk, T): Given the master secret key mk and an access control policy T, the trusted attribute authority issues private keys sk for a data user. cph ⟵ Enc(D, UAtt): Given an attribute set UAtt, a data user encrypts his/her private data set D to the ciphertext cph. e resulting ciphertexts will be outsourced to the cloud. tkn ⟵ TokenGen(sk): With his/her private key sk, the data user generates a token tkn and delegates the set intersection computation to the cloud. rslt ⟵ SI(tkn, cph, cph ′ ): e cloud utilizes tkn to compute, on behalf of two data users, the set intersection rslt only if the access control policy T corresponding to tkn satisfies both F(UAtt, T) � 1 and F(UAtt ′ , T) � 1, where the attribute sets UAtt and UAtt ′ are, respectively, specified by cph and cph ′ . We say that a KP-ABSI scheme is correct if the following holds: Given (pk, mk) ⟵ Setup(1 ℓ ), sk ⟵ KeyGen(mk, T), tkn ⟵ TokenGen(sk), and cph ⟵ Enc(D, UAtt) for set D and cph ′ ⟵ Enc(D ′ ,

Security Definitions.
e security for KP-ABSI can be expressed by the three properties as follows.

Selective Security against Chosen-Plaintext Attack.
It indicates that a probabilistic polynomial-time (PPT) adversary A, without being given the corresponding tokens, is not able to obtain any useful information about the encrypted data sets. Notice that "selective" means that Table 1: Property summary for PSI solutions in the literature and KP-ABSI in this paper. PSI delegation means that the data owners can delegate set intersection operations to the cloud. Outsourced encrypted data set means it can do PSI over outsourced encrypted data sets in the cloud. Fine-grained authorization means that it supports attribute-based access control policy.

Schemes
PSI delegation Outsourced encrypted data sets Fine-grained authorization Two-party PSI [9,10] ✕ ✕ ✕ ree-party PSI [5,12] ✓ Trusted attribute authority  adversary A should choose a target attribute set UAtt * which it wants to challenge before the public parameters are generated. e security definition for selective security against chosen-plaintext attack can be formalized via the following game between an adversary A and a challenger.
Setup: A selects a target attribute set UAtt * and sends it to the challenger. e challenger runs Setup algorithm to initialize pk and mk, sends pk to A, and sets mk as the master private key. Phase 1: e adversary A can make polynomial queries for the following oracles: O KeyGen (T): If F(UAtt * , T) � 1, the challenger aborts; otherwise, the challenger returns sk ⟵ KeyGen(mk, pk, T) to A. O TokenGen (T): If F(UAtt * , T) � 1, the challenger aborts; otherwise, the challenger calculates sk ⟵ KeyGen(mk, T) and returns tkn ⟵ TokenGen(sk) to A.
Challenge: e adversary A randomly gives two data en, the challenger picks σ ⟵ R 0, 1 { } at random, builds the challenge ciphertext cph * � Enc (D σ , UAtt * ), and sends cph * to A. Phase 2: Same as Phase 1. Guess: A eventually outputs a guess σ ′ of σ. If σ � σ ′ , we say that A wins the game.

Definition 2.
We say that a KP-ABSI scheme is selective secure against chosen-plaintext attack, if any PPT adversary A wins the above game with a negligible advantage, where the advantage can be described as |Pr[σ ′ � σ] − 1/2|.

One-Way Security against Chosen-Plaintext Attack.
It says that a PPT adversary A, even given an appropriate token, cannot obtain the plaintexts corresponding to the ciphertexts. Note that the term "appropriate" means that the access control policy that generates the token is satisfied by the attribute set associated with the target ciphertext. Of course, A can choose a plaintext data set of its choice, encrypt it with public keys, and then utilize the token to check whether or not the target ciphertext is equal to the ciphertext of his choice. In other words, this type of bruteforce attack is inherent to the set intersection problem and we can only demand that A cannot have any attack strategy significantly better than the brute-force attack, as captured by this property via the following game between an adversary A and a challenger.
Setup: e challenger runs Setup to initialize (pk, mk), sends pk to A, and sets mk as the master private key. Phase 1: e adversary A can make polynomial queries for the following oracles. Meanwhile, the challenger maintains a list L T , which is initially empty.  Challenge: A gives a target attribute set UAtt * to the challenger, where, ∀T ∈ L T , F(UAtt * , T) � 0. e challenger selects an access control T * such that F(UAtt * , T * ) � 1, picks D * uniformly at random, runs cph * ⟵ Enc(D * , UAtt * ) and tkn * ⟵ TokenGen (KeyGen(T * )), and returns cph * , tkn * to A. Phase 2: A executes the same as in Phase 1, except that F(UAtt * , T) � 0 when querying O KeyGen (T). Guess: A outputs a guess d. If d ∈ D * , we say that A wins the game.
Definition 3. We say that a KP-ABSI scheme achieves oneway security against chosen-plaintext attack if, for any PPT adversary A, the advantage of A winning the game is negligible, where the advantage is defined as |Pr[d ∈ D * ] − (m|D * |/|Msg|)|, where m is the number of guess/ brute-force attacks A makes, and Msg is the message space of set elements.

Fine-Grained Authorization Security.
is property says that the cloud is unable to utilize the given tokens to conduct set intersection over ciphertexts if no access control policy (associated with the data user's private key) that generates the tokens is satisfied by both of the attribute sets associated with the two ciphertexts. More specifically, consider the token tkn 1 that can be used to conduct set intersection over ciphertexts cph 1 and cph 2 and the token tkn 2 that can be used to conduct set intersection over ciphertexts cph 2 and cph 3 . If the access control policy that is used to generate tkn 1 is not satisfied by the attribute set associated with ciphertext cph 3 , and the access control policy that is used to generate tkn 2 is not satisfied by the attribute set associated with ciphertext cph 1 ; then the cloud cannot do the set intersection computation over ciphertexts cph 1 and cph 3 by using tkn 1 and/or tkn 2 . e definition for fine-grained authorization security can be described via a game between an adversary A and a challenger.
Setup: e challenger runs Setup to initialize (pk, mk), sends pk to A, and sets mk as the master secret key. Phase 1: e adversary A makes polynomial queries for the following oracles. Meanwhile, the challenger maintains two lists L T and L tkn , which are empty initially. e challenger runs sk ⟵ KeyGen (mk, T) and tkn ⟵ TokenGen(sk), returns tkn back to A, and records T to L tkn .
Phase 2: A executes the same as in Phase 1, except for the following:

Basic Idea.
To illustrate the idea, let a data user's private key be (g at , g bt ), which can be generated by running q v (0) | v ∈ lvs(T) ⟵ Share(T, abt) for some random t and setting (g q v (0) H 1 (att(v)) t v , g t v ), where t v is a random number with respect to leaf v ∈ lvs(T). A set element d is encrypted into two parts: e first part is related to d; namely, where g is a generator of G, r 1 and r 2 are two random numbers, H 1 , H 2 are two hash functions, and a, b are private keys. e second part is related to the attribute set corresponding to the access control policy in question, namely, H 1 (at i ) r 2 for at i ∈ UAtt.
A data user can generate the token as g atk , g btk , (g q v (0)k H 1 (att(v)) kt v , g kt v ) , by which the cloud is able to translate the ciphertext into an intermediate form e (H 2 (d), g) btk once the attribute set UAtt satisfies the access control policy T.

KP-ABSI Construction
Setup(1 ℓ ): Given the security parameter ℓ as input, the public parameters and the master secret key can be generated as follows: Let (e, q, g, g T , G, G T ) ⟵ BMapGen(1 ℓ ).
Let H 1 : 0, 1 { } * ⟶ G and H 2 : 0, 1 { } * ⟶ G be two secure hash functions that are modeled as random oracles. Select a, b ⟵ R Z p and set the public parameters and the master secret key as pk � e, G, G T , g, g a , g b , KeyGen(mk, T): Given access tree T, this algorithm selects t ⟵ R Z p , computes X 1 � g at and X 2 � g bt , and e secret key is Enc(D, UAtt): Given set for outsourcing, D � d 0 , . . . , d n , this algorithm encrypts the set as follows: for each d j , it selects r 1 , r 2 ⟵ R Z p , sets e set of ciphertexts is cph � cph 0 , . . . , cph n . TokenGen(sk): Given secret key sk, this algorithm selects k ⟵ R Z p , sets X 1 � X k 1 � g atk and X 2 � X k 2 � g btk , and computes Y v � Y k v and Z v � Z k v for leaf v ∈ lvs(T). e token is SI(tkn, cph, cph ′ ): Given cph � cph 0 , . . . , cph n , cph ′ � cph 0 ′ , . . . , cph m ′ , and tkn, this algorithm is executed as follows: Given cph j ∈ cph, it selects an attribute set S ∈ UAtt satisfying T. If S does not exist, it returns 0. Otherwise, it computes for all v ∈ lvs(T) with att(v) � at i , computes and e correctness of the above KP-ABSI scheme can be verified by following the protocol. In what follows, we analyze its security.

Theorem 1. Under the DLN assumption, the above KP-ABSI scheme achieves the selective security against chosen-plaintext attacks in the random oracle as specified in Definition 2.
Firstly, we prove that our scheme achieves the security goal when |D| � 1 (i.e., the message space has a single element) and then extends the proof to the case |D| > 1.
Proof. We show that if there is a PPT adversary A that wins the selective security game with a nonnegligible advantage μ, then a challenger that can solve the DLN problem with the advantage at least μ/2 can be constructed. Specifically, given a DLN instance (g, h, f, f r 1 , g r 2 , Q), where g, f, h, Q ⟵ R G and r 1 , r 2 ⟵ R Z p are unknown, the game is simulated by the challenger as follows.
Setup: e adversary A gives an attribute set UAtt * to the challenger. en the challenger produces the bilinear map e: G × G ⟶ G T , constructs g b � f and g a � h with a and b unknown, and sets pk � (e, g, f, h, G, G T ). e challenger sends pk to A. e challenger maintains two lists List H 1 (at i , α i , β i ) and List H 2 (d, c) Given a secret value λ v , this procedure builds the polynomial for each node of subtree T v , where F(UAtt * , T v ) � 1. Suppose that the threshold value of node v is k v ; it lets q v (0) � λ v and chooses k v − 1 coefficients uniformly at random to uniquely determine the polynomial q v . en it recursively runs PolySat(T v′ , UAtt * , λ v′ ) to build the polynomial for each child node v ′ of v, by letting where λ v is unknown to the challenger, this procedure is to build the polynomial for each node of subtree T v , where F(UAtt * , T v ) � 0. Assume that the threshold value of node v is k v and V is the set of children of node v such that, ∀v ′ ∈ V, F(UAtt * , T v′ ) � 1. Since . It then determines the other k v − |V| points of polynomial q v such that g q v (0) � g λ v . For each child node v ′ of node v, it executes the following: Based on the two procedures above, the challenger executes PolyUnsat(T, UAtt * , g a ) by implicitly defining q root (0) � a. Note that, for each v ∈ lvs(T), the challenger knows q v (0) if att(v) ∈ UAtt * and knows g q v (0) otherwise. erefore, it generates credentials as follows by selecting t ⟵ R Z p and setting X 1 � h t and X 2 � f t (while noting that btq v (0) is the secret share of abt ): If att(v) � at j for some at j ∈ UAtt * , it selects t v ′ and the following: O tkn (T): e challenger queries O KeyGen (T) to obtain sk and returns tkn ⟵ TokenGen(sk) to A.
So far, we have shown that our KP-ABSI scheme is selective secure against chosen-plaintext attack when |D| � 1. In what follows, we prove that our KP-ABSI scheme achieves the selective security against chosen-plaintext attack for the general case of |D| > 1.
Suppose that A gives two sets D 0 � (d 0 , . . . , d n ) and D 1 � (d 0 ′ , . . . , d n ′ ). Denote by cph (i) the encryption of (d 0 , . . . , d i , d i+1 ′ , . . . , d n ′ ), meaning that cph (n) is the encryption of D 0 and cph (− 1) is the encryption of D 1 . e Challenge phase is extended to accommodate an additional adversary A ′ as follows: Note that A ′ sends to A the ciphertext cph (i) if σ � 0 and the ciphertext cph (i− 1) if σ � 1. Denote by A(cph (i) ) the guess of A with ciphertexts cph (i) . en we show the probability that A ′ wins the game. Note that erefore, the probability that A ′ wins the game is Pr A cph (n) � 0 where ε is negligible because the advantage that A ′ wins the game is negligible. us, the probability that A distinguishes cph − 1 from cph n is 1 2 at is, the advantage of A distinguishing cph − 1 from cph n is at most (n + 1)ε. erefore, the scheme achieves the selective security against chosen-plaintext attack when |D| ≥ 1. □ Theorem 2. Given one-way hash function H 2 , the above KP-ABSI scheme achieves the one-way security against chosenplaintext attack as specified in Definition 3.
Proof. We prove this theorem by showing that if there is a PPT adversary A winning the one-way security game against chosen-plaintext attack with a nonnegligible advantage μ, Security and Communication Networks then a challenger breaking the one-way hash function H 2 can be simulated.
Given H 2 (d * ) � y * , the challenger can simulate the oneway security game as follows: Setup: e challenger randomly picks a, b ⟵ R Z p , produces pk � (e, G, G T , g, p, g a , g b ), mk � (a, b), and sends pk to A. Phase 1: e challenger maintains a list L T , which is empty initially. A makes polynomial queries for the following oracles: O KeyGen (T): Given an access control policy T, it returns sk ⟵ KeyGen(mk, pk, T) to A and adds T to L T . O tkn (T): Given an access control policy T, it runs tkn ⟵ TokenGen(KeyGen(mk, pk, T), pk) and returns tkn to A. Challenge: A gives an attribute set UAtt * to the challenger, where, ∀T ∈ L T , F(UAtt * , T) � 0. e challenger picks j ⟵ R Z p and sets a data set If k ≠ j, cph k is generated the same as in the real construction. If k � j, by randomly choosing r 1 , r 2 ⟵ R Z p and implicitly setting d j � d * . e challenger chooses an access tree T * satisfying F(UAtt * , T * ) � 1, runs tkn * ⟵ TokenGen(KeyGen(mk, pk, T * ), pk), and returns (cph * � (cph), tkn * ) to the adversary A. Phase 2: e adversary A executes the same as in Phase 1 while complying with the necessary requirements defined by the game.
Guess: A will eventually output a guess d to the challenger. e challenger wins if d � d * .
e KP-ABSI achieves fine-grained authorization security in the generic bilinear group model as specified in Definition 4. Proof. Similar to the proof for eorem 1, firstly, we prove that our KP-ABSI scheme achieves fine-grained authorization when the challenge size |D 0 | � |D 1 | � 1 and then extend the proof to the case of challenge size |D 0 | � |D 1 | > 1.
Setup: e challenger randomly picks a, b ⟵ R Z p , produces pk � (e, G, G T , g, p, g a , g b ), and sends pk to A. e challenger maintains two lists List H 1 (at j , α j ) and List H 2 (d, β), which are empty initially. A can make polynomial queries for the following O H 1 and O H 2 . O H 1 (at j ): Given an attribute at j , if at j was queried before, the challenger returns g α j by retrieving α j from List H 1 ; otherwise, the challenger picks α j ⟵ R Z p , records (at j , α j ) to List H 1 , and returns g α j to A. O H 2 (d): Given a message d, if d was queried before, the challenger returns g β ; otherwise, the challenger picks β ⟵ R Z p , records (d, β) to List H 2 , and returns g β to A.
Phase 1: e challenger keeps the two lists, L T and L tkn , which are initially empty. A can make polynomial queries for the following oracles. O KeyGen (T): e challenger selects t (u) ⟵ R Z p and runs q v (0) (u) | v ∈ lvs(T) ⟵ Share(T, abt (u) ). For each node v ∈ lvs(T), the challenger chooses t (u) v ⟵ R Z p and sets sk � T, X 1 � g at (u) , where att(v) � at j . e challenger sends sk to A and records T to L T .
| v ∈ lvs(T) , where att(v) � at j . It returns tkn to A and adds T to L tkn . Challenge: A chooses two attribute sets UAtt * 1 and UAtt * 2 with the following restrictions: (1) ∀T ∈ L T , F(UAtt * 1 , T) and F(UAtt * 2 , T) cannot output 1 at the same time, and, (2) ∀T ∈ L tkn , F(UAtt * 1 , T) and F(UAtt * 2 , T) cannot output 1 at the same time. en, A sends UAtt * 1 and UAtt * 2 to the challenger. e challenger chooses two sets e challenger randomly picks σ ⟵ R 0, 1 { } and r 3 , r 4 ⟵ R Z p for d σ and sets Phase 2: Same as Phase 1. Guess: Finally, A will eventually output a guess σ ′ of σ.
If A can determine whether d 0 is equal to d σ or not, A also can determine whether g β σ is equal to g β 0 or not. e only way for A to achieve this is to construct a query Γ 2 (β 0 − β σ ) for some Γ 2 . To prove eorem 3, we will show that A can never construct a query for Γ 2 (β 0 − β σ ). Table 2 shows all the possible queries of G by means of the bilinear map and group elements given to the adversary. Note that β 0 , β σ only incurs in terms a(r 1 + r 2 ) + β 0 and a(r 3 + r 4 ) + β σ , respectively. us, A must construct g Γ 2 a(r 1 +r 2 − r 3 − r 4 ) for obtaining g Γ 2 (β 0 − β σ ) . Moreover, since (r 1 , r 2 ) and (r 3 , r 4 ) are independent, A must construct g Γ 2 a(r 1 +r 2 ) and g Γ 2 a(r 3 +r 4 ) for the same Γ 2 . en we show that adversary A can never build g Γ 2 a(r 1 +r 2 ) and g Γ 2 a(r 3 +r 4 ) for the same Γ 2 .
To construct Γ 2 a(r 1 + r 2 ) for A, as r 1 only appears in the term br 1 , we let Γ 2 � Γ 2 ′ b for some Γ 2 ′ . at is, A needs to construct the term Γ 2 ′ abr 2 . In order to get that, the only way of constructing Γ 2 ′ abr 2 is to apply tkn 1 in Table 2 with B j � g α j r 2 | at j ∈ UAtt * 1 of cph * 1 , which will result in e(g, g) abtkr 2 , meaning that A can construct the query abtkr 2 .
at is, Γ 2 can be written as Similarly, we can show that Γ 2 can be written as Γ 2 � Γ 2 ′ b � Γ ′ ′ 2 t ′ kb for a known constant Γ ′ ′ 2 to build Γ 2 a(r 3 + r 4 ). Since t and t ′ are unknown to A, then Γ 2 ′ cannot be constructed, since A cannot find a known constant Γ ′ ′ 2 that is the product of t and t ′ . In conclusion, A is able to construct g Γ 2 a(r 1 +r 2 ) and g Γ 2 a(r 3 +r 4 ) for the same Γ 2 with a negligible probability and get a negligible advantage in the fine-grained authorization game.
Similar to the proof in eorem 1, an adversary A ′ can be simulated and it can be proved that if A can break the fine-grained authorization security for |D 0 | � |D 1 | > 1, then A ′ can break the fined-grained authorization security for |D 0 | � |D 1 | � 1. is completes the proof. □ 4.4. Efficiency Analysis. Now we evaluate the efficiency of the schemes in terms of the asymptotic computational complexity. e asymptotic complexity is measured in terms of operations: H denotes the operation of mapping a bit-string to an element of G, E denotes the group exponentiation operation in G, E T denotes the group exponentiation operation in G T , and P denotes the pairing operation. We ignore the multiplication operations because they are much more efficient than the operations mentioned above (Table  3).

Conclusions
In this paper, we present a novel cryptographic primitive: delegated key-policy attribute-based set intersection over outsourced encrypted data sets (KP-ABSI). It simultaneously achieves the following: (1) Each data owner outsources his/her data set in encrypted form to a cloud, where the outsourced data set is associated with an attribute set. (2) A data user is associated with an access control policy that is satisfied by the attribute sets of two encrypted data sets (owned by two data owners, respectively) and can delegate to the cloud the set intersection computation over the two data owners' outsourced encrypted data sets. (3) e cloud can conduct the set intersection operation on behalf of the data user without being able to obtain any useful information about the data owners' plaintext data set. us, our scheme can solve the PSI problem in CloudIoT system. Of course, in our solution, the cloud is semihonest. How to build a construction in the malicious model is still an open problem.

Data Availability
No data were used to support this study.

Conflicts of Interest
e authors declare that they have no conflicts of interest. Table 3: N is the number of attributes involved in the access tree in question, S is the number of a data user's attributes, and n is the size of sets (here we assume that both sets have the same size n).