An enhanced media ciphertext-policy attribute-based encryption algorithm on media cloud

With the development of cloud computing, more and more video services are moving to the cloud. How to realize fine-grained access control of those data on cloud becomes an urgent problem. Attribute-based encryption provides a solution. However, heavy computation is still a bottleneck restricting the wider application of attribute-based encryption in cloud computing. In addition, we find that expression of the access control structure on media cloud can be further improved. To solve these problems, we propose an enhanced media ciphertext-policy attribute-based encryption algorithm and introduce its two key components, the multiple access tree and the key chain. To increase the scalability of the proposed algorithm, we discuss the issues of multi-authorization, user revocation, and the $1-n$ multiple access tree. Security analysis shows that enhanced media ciphertext-policy attribute-based encryption can successfully resist chosen-plaintext attacks under the decisional bilinear Diffie–Hellman assumption. Performance analysis proves both theoretically and practically that the proposed algorithm incurs less computational cost than the traditional ciphertext-policy attribute-based encryption, multi-message ciphertext-policy attribute-based encryption, and scalable ciphertext-policy attribute-based encryption by optimizing the access control structure. Our proposed algorithm has strong practical significance in media cloud.


Introduction
Media cloud provides video storage, processing, and distribution services to users. How to realize fine-grained access control of massive amounts of videos is a huge challenge for the media cloud. 1 Ciphertext-policy attribute-based encryption (CP-ABE) is an important technology to tackle this challenge in application scenarios such as personal health records (PHR) 2,3 and smart grids. 4,5 In CP-ABE, conversion from the access control policy to the access structure is an important step. However, when CP-ABE is applied in media cloud, the traditional conversion methods become inefficient. On media cloud, one video file is often available with different resolutions. The fact is that users with access to high-resolution videos are always allowed to access low-resolution versions. For example, paying users can watch a movie in all three versions: the standard definition (SD) version, the high definition (HD) version, and the ultra-high definition (UHD) version; registered users can watch the movie in HD or SD versions, and guests can only watch the movie in the SD version. The corresponding access control policies (Table 1) have the following inclusion relation: r1 & r2 & r3. Meanwhile, these policies share some common attributes, such as video id (vid) and category. We define an attribute as a common attribute when the attribute has the same name and value in different policies.
In this article, we assume that the access tree is the default method to finish conversion from policy to access structure. When using the CP-ABE scheme proposed by Hong et al., 6 the three aforementioned policies have to be converted into three corresponding access trees. Wu et al. 7 presented a multi-message CP-ABE (MCP-ABE) scheme in which a single access tree could be used to describe all policies. Compared with CP-ABE, MCP-ABE needs to maintain fewer and simpler access structures. Ma et al. 8 optimized the access tree in their CP-ABE algorithm called scalable ciphertext-policy attribute-based encryption (SCP-ABE), and expanded the access control rules from one dimension to three dimensions, thereby reducing the time required for encryption and decryption. However, access trees in both MCP-ABE and SCP-ABE are efficient only when representing the access control rules with full inclusion relations. When there exists any common attribute, the efficiency of access trees reduces, because the common attributes have to be described repeatedly on different levels of the tree.
To solve this problem, we propose a new access tree called multiple access tree (MAT) and a new one-way key chain scheme. On the basis of these two components, we introduce a novel enhanced media ciphertext-policy attribute-based encryption (eM-CP-ABE) algorithm. Then, eM-CP-ABE is applied to media cloud for fine-grained access control. Two steps are required: first, the video is divided into segments according to resolution or time and encrypted by the advanced encryption standard (AES). Note that different segments correspond to different keys. Second, these symmetric keys are encrypted by eM-CP-ABE to achieve fine-grained access control. The contribution of our proposed algorithm is reflected in the following four aspects:
1. In the encryption process, eM-CP-ABE consumes less time and space than MCP-ABE; in the decryption process, when an authorized user switches from a high-level resource to a low-level resource, only two hash operations need to be performed without any new decryption operations. Compared with SCP-ABE, eM-CP-ABE has better performance both in encryption and decryption processes.
2. Using one $1-n$ MAT, eM-CP-ABE can encrypt several videos with different privilege levels. It significantly reduces the cost of generating and maintaining access structures.
3. eM-CP-ABE has strong scalability. We have proved that both multi-authorization and user revocation are feasible when the eM-CP-ABE algorithm is used.
4. We have also proved security of the eM-CP-ABE algorithm. It can successfully resist chosen-plaintext attacks (CPAs) under the decisional bilinear Diffie-Hellman (DBDH) assumption.
The rest of the article is organized as follows: section "Related work" provides an overview of the related work. Section "Preliminary" presents necessary preliminary knowledge. Section "Proposed algorithm" introduces eM-CP-ABE and its extensions. Section "Security analysis" analyzes eM-CP-ABE in terms of security. Section "Performance analysis" analyzes the operation overheads of the proposed algorithm. Finally, section "Conclusion" presents the conclusion.

Related work
CP-ABE was first proposed in 2007. 9 In CP-ABE, user keys are associated with sets of attributes, whereas ciphertexts are associated with policies. CP-ABE is widely used in fine-grained access control of data outsourced on the cloud. However, the problem is that CP-ABE entails heavy computation and complex conversion from access policy to access structure.
Heavy computation will degrade real-time performance and increase the workload of computation. To optimize real-time performance, Li et al. 10 introduced online/offline ABE. A similar online/offline scheme was proposed by Cui et al. 11 The online/offline transfer technology allows the computation tasks to be outsourced to public cloud servers. However, the online/offline transfer technology can just transfer the workload of computation, but cannot reduce it. Expanding the single authorization center to multi-authorization centers can improve the efficiency of key generation. Han et al. 12 introduced a decentralized CP-ABE scheme, in which each authority can work on one unique attribute subset independently. The robust and auditable access control (RAAC) scheme was proposed in 2017. In RAAC, any authority can manage the whole attribute set individually and an auditing mechanism is introduced to coordinate all authorities' work. 13 Multi-authorization greatly improves the performance of key generation, but does not reduce the workload of encryption and decryption in CP-ABE. Xue et al. 14 proposed an attribute-based controlled collaborative access control scheme, in which multiple users having different attribute sets could collaborate to gain access permission. The scheme is efficient in terms of storage and computation overhead, but user collusion is forbidden in most scenarios of the media cloud. However, addition of many practical factors makes the access structure more expressive. The factor of time was introduced to realize time-release encryption. 6,15 In some existing studies, 16-19 user revocation was supported in their CP-ABE schemes. In studies by Ning et al., 20,21 illegitimate access could be traced. However, the problem of complex conversion from access policy to access structure remains unsolved. Traditional access trees are inefficient when the corresponding access control policies have inclusion relationships, as in a file system.
In hierarchical file systems, if a user can decrypt a file corresponding to a level node in the access structure tree, he or she can decrypt all these files corresponding to the lower level nodes. To avoid repetitive description of attributes on different levels, Wang et al. 22 used an integrated access structure to encrypt multiple files on different levels separately. As only one file can be encrypted on each level, the scheme proposed by Yeh et al. 2 is not practical. Li et al. 23 proposed an extended file hierarchy CP-ABE scheme (EFH-CP-ABE), which could encrypt several files on the same access level. To simplify the complex structure of inclusion relation among these privilege levels, Bobba et al. 24 introduced a ciphertext-policy attribute-set-based encryption (CP-ASBE) scheme in which the set of user attributes was extended into a recursive set structure. CP-ASBE was used in the conditional access system to resist collusion attacks. 25 Based on CP-ASBE, Wan et al. 26 proposed a hierarchical attribute-set-based encryption (HASBE) algorithm. HASBE builds a hierarchical system model and realizes the key delegation scheme and user revocation scheme. Teng et al. 27 improved the HASBE algorithm by keeping the length of the ciphertext and the number of bilinearity operation fixed. However, if strict mutual exclusion cannot be satisfied between different privilege levels, the common attributes will still be described repeatedly.
The same problem is faced in media cloud. CP-ABE is widely used to ensure the security of outsourced videos and support flexible video services. 7,8,28 Yang et al. 28 used traditional access trees that could not improve the efficiency. Access trees both in MCP-ABE 7 and SCP-ABE 8 can represent the access control rules with full inclusion relation efficiently. However, when there is any common attribute, these trees become less efficient because the common attributes have to be described repeatedly on different levels of the tree.
In this article, we propose a new access tree called MAT and a new one-way key chain scheme. On the basis of these two components, we introduce a novel encryption algorithm called eM-CP-ABE. In the encryption process, one $1-n$ MAT can be flexibly used to encrypt several videos with multiple levels of privilege, thus considerably reducing the cost of generating and maintaining access structures. In the decryption process, a user on the $j$th level will get two secret numbers, $a_j$ and $a_0$, and the key corresponding to this level is $k_j = H_2(a_j \| a_0)$. When the user accesses the low level $i = j - 1$, the key corresponding to the $i$th level is $k_i = H_2(H_2(a_j \| i) \| a_0)$. Only two hash operations are needed to complete the access control.

Preliminary
To ensure the independence of the article, the relevant information is given in this section.

Bilinear maps
Let $G_0$, $G_T$ be two multiplicative cyclic groups of prime order $p$. Let $g$ be a generator of $G_0$ and $e$ be a bilinear map, $e: G_0 \times G_0 \to G_T$. The bilinear map $e$ has the following properties:
1. Bilinearity: for all $a, b \in Z_p$ and $g_1, g_2 \in G_0$, we have $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$.
2. Non-degeneracy: there exist $g_1, g_2 \in G_0$ such that $e(g_1, g_2) \ne 1$, which means the map does not send all pairs in $G_0 \times G_0$ to the identity in $G_T$.
3. Computability: there is an efficient algorithm to compute $e(g_1, g_2)$ for all $g_1, g_2 \in G_0$.

Access structure
Let $\{P_1, P_2, \dots, P_n\}$ be a set of parties. A collection $A \subseteq 2^{\{P_1, P_2, \dots, P_n\}}$ is monotone if $\forall B, C$: if $B \in A$ and $B \subseteq C$, then $C \in A$. An access structure is a collection $A$ of non-empty subsets of $\{P_1, P_2, \dots, P_n\}$, that is, The sets in $A$ are called authorized sets, and the sets not in $A$ are called unauthorized sets.
In CP-ABE, a set of attributes is used as the decryption key, and an access structure is used to encrypt the plaintext. We describe the access structure in terms of an access tree. If and only if a set of attributes satisfies the access tree, the ciphertext can be decrypted correctly.

Access tree T
Let $T$ be a tree representing an access structure. A non-leaf node $x$ of the tree is described by its child number $num_x$ and a threshold value $k_x$, where $0 \le k_x \le num_x$. We denote the parent of the node $x$ by $parent(x)$. The children of $x$ are numbered from 1 to $num$. The function $index(x)$ returns such a number associated with the node $x$. When $x$ is a leaf node, we denote the attribute in $x$ by $attr(x)$.

DBDH assumption
Let $a, b, c, z \in Z_p$ be chosen at random and $g$ be a generator of $G_0$. The DBDH assumption is that no probabilistic polynomial-time algorithm $\mathcal{B}$ can distinguish the tuple $(A = g^a, B = g^b, C = g^c, e(g,g)^{abc})$ from the tuple $(A = g^a, B = g^b, C = g^c, e(g,g)^z)$ with more than a negligible advantage. The advantage of $\mathcal{B}$ is where the probability is taken over the random choice of the generator $g$, the random choice of $a, b, c, z$ in $Z_p^*$, and the random bits consumed by $\mathcal{B}$.

Proposed algorithm
In this section, eM-CP-ABE is described in detail. First, the two important components that construct the proposed algorithm are introduced. Then, the model and implementation of eM-CP-ABE are proposed. Last, multi-authorization, user revocation, and the $1-n$ MAT are discussed.

Components
MAT. MAT is introduced to improve the expression efficiency of the access control tree in eM-CP-ABE. In our article, MAT's nodes are divided into three types: virtual nodes, attribute nodes, and ordinary nodes. A virtual node $n_v$ is represented by $k_{n_v} = 0$ and $num_{n_v} = 1$. A subtree with a virtual node as its parent consists of one "trunk" and some "branches." The trunk is used to describe the inclusion relation between adjacent levels. Branches are used to describe the particular rules of each level. The parent of a virtual node is represented as $y = parent(n_v)$. If a parent node $y$ has $num_y$ children nodes, including $num'_y$ virtual nodes, then the threshold value of $y$ satisfies $0 \le k_y \le num_y - num'_y$. All leaf nodes are called attribute nodes. The rest of the nodes are called ordinary nodes. We also make the following assumptions:
1. $num_y > num'_y$: the inequality means that common attributes must exist.
2. The parent of a virtual node cannot be a virtual node.
3. The virtual node has one and only one child ($num_{n_v} = 1$), which consists of one "trunk" and some "branches."
We define a MAT with $n$ virtual nodes as a $1-n$ MAT. Figure 1 shows a $1-2$ MAT.
Satisfying an access tree. To clearly describe the process, the MAT $T$ in Figure 1 is used as an example. The process can be extended to more complex trees.
Step 1. List all hierarchical trees rooted at the virtual node. There are two qualified hierarchical trees ($T_1$, $T_2$) in Figure 1.
Step 2. Delete all virtual nodes and their descendants, and obtain the base tree $T_0$.
Key chain. Without loss of generality, we assume there is a $1-1$ MAT (Figure 2), which is used to encrypt one video with $l$ privilege levels and $m$ common attributes. We assume the video is divided into $l$ units and its first $j$ units are organized into an access level $L_j$. The corresponding user has privilege $p_j$, $j = 0, \dots, l$. By following the same operations in the study by Wu et al., 7 we define a binary dominant relation $\preceq$ on the set of privileges $\{p_1, \dots, p_l\}$: $p_i \preceq p_j$ if and only if $L_i \subseteq L_j$, that is, The goal we need to achieve is that if the user can access the content of level $j$, then the user should at least have the key parameters $a_0$, $a_j$. Through $a_0$, $a_j$, the user can deduce $\{a_i : 1 \le i \le j\}$. Our design is as follows:
Step 1. Find a one-way hash function $H_2(*)$, with the following characteristics:
1. Input data of arbitrary lengths and output data of fixed lengths.
2. For a given input, it is easy to calculate the output.
3. For a given output, it is not computationally feasible to find a correct input.
Step 2. For the highest privilege level $l$, we choose a number $a_l$ uniformly at random from $Z_p^*$. Then, we choose $a_0$ uniformly at random from $Z_p^*$. The key corresponding to the level $l$ is $k_l = H_2(a_l \| a_0)$. Then, the number corresponding to the $j$th level is $a_j = H_2(k_{j+1} \| j)$, and the key corresponding to the level $j$ is $k_j = H_2(a_j \| a_0)$, where $1 \le j < l - 1$.
Step 3. The final key chain $\{k_1, \dots, k_l\}$ can be used as the keys of a symmetric encryption algorithm, such as AES, to encrypt $l$ video units separately.
When a set of attributes satisfies both the base tree constructed by the common attributes ($a_0$) and the $j$th level of the hierarchical trees ($a_j$), $k_j$ can be calculated by $k_j = H_2(a_j \| a_0)$. Also, using $a_0$, $a_j$, $k_i$ can be calculated when $1 \le i < j$. Due to the unidirectionality of $H_2(*)$, a low-level user cannot compute a high-level key.
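The key chain of Steps 1 to 3, as an added example that is not code from the paper: it applies the Step 2 formulas to every level below $l$ and shows a level-$j$ user walking down the chain at two hashes per level. SHA-256 as $H_2$, the byte encodings, and the stand-in prime `P` are assumptions.

```python
import hashlib
import secrets

# Assumptions (not from the paper): H_2 is SHA-256, "||" is byte concatenation,
# secrets are 32-byte big-endian integers, the level index j is encoded on
# 4 bytes, and P is a constructed stand-in for the prime group order p.
P = 2**255 - 19
WIDTH = 32


def h2(*parts: bytes) -> bytes:
    """One-way hash H_2 over the concatenation of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


def level_bytes(j: int) -> bytes:
    return j.to_bytes(4, "big")


def random_zp_star() -> bytes:
    """Uniform element of Z_p^* (1 .. P-1), fixed-width encoded."""
    return (secrets.randbelow(P - 1) + 1).to_bytes(WIDTH, "big")


def build_chain(l: int, a0: bytes, a_l: bytes):
    """Encryptor side: k_l = H_2(a_l || a_0), then for each lower level j
    a_j = H_2(k_{j+1} || j) and k_j = H_2(a_j || a_0)."""
    a = {l: a_l}
    k = {l: h2(a_l, a0)}
    for j in range(l - 1, 0, -1):
        a[j] = h2(k[j + 1], level_bytes(j))
        k[j] = h2(a[j], a0)
    return a, k


def user_key(a0: bytes, a_j: bytes) -> bytes:
    """Key of the level whose secrets (a_0, a_j) the user recovered via ABE."""
    return h2(a_j, a0)


def switch_down(a0: bytes, k_j: bytes, j: int, i: int):
    """User side: from a_0 and the level-j key, derive the key of a lower
    level i. Returns (k_i, number of H_2 evaluations spent)."""
    if not 1 <= i <= j:
        raise ValueError("the chain only runs from higher to lower levels")
    key, hashes = k_j, 0
    for level in range(j - 1, i - 1, -1):
        a_level = h2(key, level_bytes(level))   # a_level = H_2(k_{level+1} || level)
        key = h2(a_level, a0)                   # k_level = H_2(a_level || a_0)
        hashes += 2
    return key, hashes


if __name__ == "__main__":
    # Three privilege levels, e.g. 1 = SD, 2 = HD, 3 = UHD.
    a0, a3 = random_zp_star(), random_zp_star()
    a, k = build_chain(3, a0, a3)
    k3 = user_key(a0, a[3])
    k2, cost = switch_down(a0, k3, 3, 2)
    print("UHD -> HD key matches:", k2 == k[2], "hashes:", cost)
```

Each 32-byte `k[j]` can be used directly as an AES-256 key for the corresponding video unit.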
Using MAT and key chain. In this part, we show how to use MAT and the key chain to convert complex policies into access trees. According to Table 1, we add the time factor to construct more complex access rules (Table 2). In this scenario, the common attributes (id, category, and duration) of the three rules must be described in each branch of CP-ABE or MCP-ABE, which considerably reduces the expression efficiency of the access control structure. The rules that conform to the ABAC format 29 are described in Table 2.
We assume that two bits are used to describe the user's type (Paying: uType=11, Registered: uType=10, and Guest: uType=01). In CP-ABE, three rules will be converted into three access trees (Figure 3). We use the integer comparison technology 9 to describe the expiration time "duration < 30." T1 is the access tree of r1 and is used to encrypt the key corresponding to the SD video. As shown in Figure 3(a), any user can access the specific SD video. T2 is the access tree of r2 and is used to encrypt the key corresponding to the HD video. As shown in Figure 3(b), only the user whose "uType" attribute value is "11" or "10" has access to the specific HD video. Similarly, in T3, the user with "uType" value of "11" can access the specific UHD video.
In MCP-ABE, the three rules will be converted into one complex access tree (Figure 4). In MCP-ABE, a special access tree consists of one "trunk" and some "branches." As shown in Figure 4, the trunk represents the inclusion relationship between the three rules, r1 & r2 & r3. On each level, the branches represent the details of the corresponding rule. However, the common attributes need to be described on each level repeatedly in MCP-ABE.
We use MAT and key chain to simplify the access tree. As shown in Figure 5, subtrees of the common attributes are extracted to form the base tree, which is then merged with the hierarchical tree through an ordinary node. The access tree described in Figure 5 has one virtual node, so we call it a $1-1$ MAT. Four secrets, $a_0$, $a_1$, $a_2$, $a_3$, need to be shared by the "branches." Among them, $a_0$, $a_3$ are randomly chosen in $Z_p^*$.
Compared with CP-ABE and MCP-ABE, the eM-CP-ABE algorithm realizes expression of the three rules with a simpler tree structure and fewer nodes.

eM-CP-ABE
eM-CP-ABE model. Figure 6 shows the model of eM-CP-ABE. The system consists of five participants. They are media cloud, video provider, video consumer, attribute authority center, and trusted encryption center.
The proposed eM-CP-ABE has five functions: Setup, Encrypt, KeyGen, Decrypt, and Delegate.
Setup($\lambda$). Executed by the authorization center. Its input is the security parameter $\lambda$ and its output is the public key PK and the master key MK.
Encrypt(PK, M, T). Executed by the trusted encryption center. Its inputs are PK, plaintext M, and MAT T, and its output is ciphertext CT. We assume that ciphertext CT contains T already.
KeyGen(MK, S). Executed by the attribute authority center. We define the universe of attributes S. A video consumer provides his or her own set of attributes S S to the attribute authority center and applies for his or her secret key SK. Inputs of the function are MK and S, and its output is SK.
Decrypt(PK, CT, SK). Executed by the video consumer. Its inputs are PK, CT, and SK and its output is plaintext M.
Delegate(SK, $S'$). SK is a secret key for the set of attributes $S$. The function Delegate can generate a secret key $SK'$ for the set of attributes $S'$ when $S'$ satisfies $S' \subseteq S$ and $S' \ne \emptyset$. This function will be used then to extend the attribute authority center.
eM-CP-ABE algorithm. We take the $1-1$ MAT (Figure 2) as an example to describe the eM-CP-ABE algorithm. We assume that one video has $l$ units corresponding to $l$ privilege levels. There is at least one common attribute on the $l$ privilege levels.
Setup($\lambda$). Let $G_0$, $G_T$ be two multiplicative cyclic groups of prime order $p$. Let $g$ be a generator of $G_0$ and $e$ be a bilinear map, $e: G_0 \times G_0 \to G_T$. Choose $\alpha$ and $\beta$ uniformly at random from $Z_p^*$, $\alpha, \beta \in_R Z_p^*$. Then, the public key is published as $PK = (G_0, g, g_1, g_2, f_1)$, where $g_1 = g^{\beta}$, $g_2 = e(g,g)^{\alpha}$, $f_1 = g^{1/\beta}$, and the master key MK is $(\beta, g^{\alpha})$.
Encrypt(PK, M, T). The $1-1$ MAT $T$ is divided into a base tree $T_0$ and a hierarchical tree $T_1$ (Figure 7). For each node $N$ in trees $T_0$ and $T_1$, we choose a polynomial $f_N$ randomly, set its degree $q_N = k_N - 1$, where $k_N$ is the threshold of node $N$, and set $f_N(0) = f_{parent(N)}(index(N))$.
We choose $a_0, a_l, s_0, s_l \in_R Z_p$ uniformly at random from $Z_p$. $N_R$ denotes the root node of $T_0$ and $N_v$ denotes the root node of $T_1$. Then, we set $f_{N_R}(0) = s_0$ and $f_{N_v}(0) = s_l$. Using the established polynomial of each node, the secrets $s_0$, $s_l$ are shared. The set of leaf nodes in $T$ is denoted by $N_{leaf}$, where $n_i \in N_{leaf}$. The set of nodes in $T_1$'s trunk is denoted by $\{N_1, \dots, N_l\}$. The ciphertext has two parts. In the first part, a symmetric encryption algorithm $E(m, k)$ is used to encrypt each video unit. The second part is ABE. The whole ciphertext is expressed as where $B_0 = a_0\, e(g,g)^{\alpha s_0}$, $C_0 = g^{\beta s_0}$, $B_1 = a_l\, e(g,g)^{\alpha s_l}$, $C_1 = g^{\beta s_l}$, $B_{N_i} = a_i\, e(g,g)^{\alpha f_{N_i}(0)}$, $a_i = H_2(k_{j+1} \| j)$, This means it is hard to find two pre-values that can generate the same hash value.
KeyGen(MK, S). We choose $r \in_R Z_p^*$ uniformly at random from $Z_p^*$. Then, we randomly choose $r_j \in_R Z_p^*$, $\forall j \in S$. The secret key SK is where $D = g^{(\alpha + r)/\beta}$, $D_j = g^r H_1(j)^{r_j}$, and $D'_j = g^{r_j}$.
Decrypt(PK, CTs, SK). The video consumer does the following operations to realize decryption.
Step 1. Determine whether the set of attributes $S$ satisfies the access tree $T$: $T(S) = T_0(S)$ and $T_1(S)$. When $T(S) = 1$, go to Step 2; otherwise, return.
Step 2. We define DecryptNode(CTs, SK, x) as a recursive algorithm, where $x$ is a node in $T_0$. The following two cases are discussed.
$x$ is a non-leaf node. Considering that all nodes $Z = \{z_1, z_2, \dots, z_n\}$ are children of $x$, we set $F_z = \{F_{z_i} = DecryptNode(CTs, SK, z_i) \mid z_i \in Z\}$. Let $S_x$ be an arbitrary $k_x$-sized set of children nodes $z_i$ such that $F_{z_i} \ne \perp$. If no such set exists, then the node is not satisfied and the function returns $\perp$.
Otherwise, we compute When $x = N_R$, we obtain $A = DecryptNode(CTs, SK, N_R) = e(g,g)^{r s_0}$ after recursion. Then
Step 3. The key of the $i$th level $k_i = H_2(a_i \| a_0)$ is obtained. Using the key chain, the keys used by lower levels are generated.
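How the secrets $s_0$ and $s_l$ are split over a tree by the node polynomials in Encrypt and recombined bottom-up as in DecryptNode, as an added example that is not the paper's implementation. It works on the shares directly in $Z_p$, whereas the scheme keeps them in group exponents and recombines them through pairings; the prime `P`, the attribute strings, and both sample trees are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

P = 2**127 - 1  # constructed prime modulus standing in for the group order p


@dataclass
class Node:
    k: int = 1                                   # threshold k_x
    children: list = field(default_factory=list)
    attr: Optional[str] = None                   # attr(x), set only on leaves


def leaf(attr):
    return Node(attr=attr)


def gate(k, *children):
    return Node(k=k, children=list(children))


def share(node, secret, out, path=()):
    """Set f_N(0) = secret, draw a random polynomial of degree k_N - 1 and
    hand f_N(index(child)) to each child. Leaf shares are stored in `out`,
    keyed by the child-index path from the root."""
    if node.attr is not None:
        out[path] = secret
        return
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for idx, child in enumerate(node.children, start=1):
        y = sum(c * pow(idx, e, P) for e, c in enumerate(coeffs)) % P
        share(child, y, out, path + (idx,))


def lagrange_at_zero(points):
    """Interpolate f(0) from {index: f(index)} over Z_P."""
    total = 0
    for i, y_i in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + y_i * num * pow(den, -1, P)) % P
    return total


def recover(node, shares, attrs, path=()):
    """DecryptNode analogue: returns f_x(0), or None (the failure symbol)
    when fewer than k_x children of x can be satisfied."""
    if node.attr is not None:
        return shares[path] if node.attr in attrs else None
    got = {}
    for idx, child in enumerate(node.children, start=1):
        value = recover(child, shares, attrs, path + (idx,))
        if value is not None:
            got[idx] = value
        if len(got) == node.k:
            break
    if len(got) < node.k:
        return None
    return lagrange_at_zero(got)


def recover_both(t0, sh0, t1, sh1, attrs):
    """Step 1 of Decrypt: both the base tree and the hierarchical part must
    be satisfied before any key material is released."""
    s0, s1 = recover(t0, sh0, attrs), recover(t1, sh1, attrs)
    return None if s0 is None or s1 is None else (s0, s1)


if __name__ == "__main__":
    # Constructed trees: common attributes (base tree) and an HD-level branch.
    t0 = gate(3, leaf("vid=42"), leaf("category=movie"), leaf("duration<30"))
    t1 = gate(1, leaf("uType=11"), leaf("uType=10"))
    s0, s1 = secrets.randbelow(P), secrets.randbelow(P)
    sh0, sh1 = {}, {}
    share(t0, s0, sh0)
    share(t1, s1, sh1)
    common = {"vid=42", "category=movie", "duration<30"}
    print("registered:", recover_both(t0, sh0, t1, sh1, common | {"uType=10"}) == (s0, s1))
    print("guest:     ", recover_both(t0, sh0, t1, sh1, common | {"uType=01"}))
```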

Extension
Multi-authorization. In the cloud environment, when a large number of users access a hot video content in a short time, it poses a big challenge for the attribute authorization center. Extending the single authorization center to multiple centers can alleviate the pressure effectively. Using KeyGen and Delegate functions, the single authorization center is extended to authorization centers (Figure 8). We assume that each attribute authorization center can complete the authorization service independently: $AA_{ij} \to S_{ij}$ and $|S_{ij}| \ge |S_{Max}|$. For the attribute authorization center, there exists $AA_{Center} \to S$.
Step 3. where $D = g^{(\alpha + r)/\beta}$, $D_j = g^r H_1(j)^{r_j}$, $D'_j = g^{r_j}$.
Step 1. Check the legitimacy of $AA_{i(n+1)}$.
User revocation. To realize user revocation, eM-CP-ABE adds timestamps to the MAT and attribute sets separately. Compared with CP-ABE, eM-CP-ABE is more flexible: when the timestamp is added in a branch, the algorithm implements user revocation on the corresponding privilege level. When the timestamp is a set of common attributes, the algorithm implements user revocation on all privilege levels, that is, the plaintext M is encrypted under the timestamp $x$ and the expiration time $y$ labeled in a user's attribute set. When $y \le x$, the user cannot decrypt the ciphertext correctly.
$1-n$ MAT. When using ABE, different access control trees need to be established for data with different access requirements. Generation and maintenance of a large number of access trees is a tough task. A $1-n$ MAT can describe the access structure of $n$ videos with different access rules. In a $1-n$ MAT, the base tree is designed to describe the common rules of the videos, and $n$ hierarchical trees are used to describe the private rules of different videos. This method reduces both the number of trees and the operations required for encryption. Figure 9 shows a $1-n$ MAT. The base tree has $m_0$ common attributes and $n$ hierarchical trees. We assume that the $j$th video has $l_j$ ($1 \le j \le n$) privilege levels, and the ciphertext can be obtained as follows where $CT'_j$ is the $j$th encrypted video.
where $T$ is the $1-n$ MAT.

Selective-set model
There are four common types of attacks: ciphertext only, known plaintext, chosen plaintext, and chosen ciphertext. The CPA is the most powerful type of attack. If an algorithm can resist this attack, it can also resist other types of attack. To prove that eM-CP-ABE is secure, we first define a selective-set model based on CPAs. The model is described as follows:
Init. The adversary declares the $1-n$ MAT, $T^*$, that he wants to be challenged upon. $T^*$ is sent to the challenger.
Setup. The challenger runs the Setup algorithm, and then gives the public parameters to the adversary.
Phase 1. The adversary is allowed to issue queries for private keys for many attribute sets $S_1, \dots, S_q$, where $T^*(S_i) = 0$ for all $i \in [1, q]$.
Challenge. The adversary submits two messages of equal length, $M_0$ and $M_1$. The challenger flips a random coin $\mu$, and encrypts $M_\mu$ with $T^*$. The ciphertext $CT^*$ is passed to the adversary.
Phase 1. Phase 1 is repeated.
Guess. The adversary outputs a guess $\mu'$ of $\mu$.
The advantage of an adversary in this game is defined as $\Pr[\mu' = \mu] - 1/2$.

Proof of security
We prove that the security of eM-CP-ABE in the selective-set model reduces to the hardness of the DBDH assumption.
Theorem 1. If an adversary can break our scheme in the selective-set model, then a simulator can be constructed to play the DBDH game with a non-negligible advantage.
Proof. We suppose there exists a polynomial-time adversary $\mathcal{A}$ that can attack eM-CP-ABE in the selective-set model with advantage $\epsilon$. Then, we can build a simulator $\mathcal{B}$ that can play the DBDH game with advantage $\epsilon/2$. The simulation process is as follows: First, the challenger provides two groups $G_0$, $G_T$ with an efficient bilinear map $e$ and a generator $g$. Then, the challenger throws a fair coin $\mu$ out of view of $\mathcal{B}$. If $\mu = 0$, the challenger sets $(A, B, C, Z) = (g^a, g^b, g^c, e(g,g)^{abc})$; otherwise, the challenger sets $(A, B, C, Z) = (g^a, g^b, g^c, e(g,g)^z)$. $a, b, c, z$ are randomly chosen in $Z_p^*$.
Init. The simulator $\mathcal{B}$ runs a polynomial-time adversary $\mathcal{A}$. $\mathcal{A}$ chooses the $1-n$ MAT $T^*$ that it wishes to be challenged upon.
Setup. $\mathcal{B}$ chooses a random $\alpha' \in_R Z_p$, and sets $\alpha = \alpha' - a + ab$. It calculates $g_2 = e(g,g)^{\alpha} = e(g,g)^{\alpha' - a}\, e(g,g)^{ab}$ and sets $g_1 = g^{\beta} = B = g^b$. Then, it gives PK to $\mathcal{A}$.
Phase 1. $\mathcal{A}$ asks for the keys corresponding to any attribute set $S$ ($T^*(S) = 0$) from $\mathcal{B}$. $\mathcal{B}$ chooses a random $r' \in_R Z_p$ and sets $r = r' + a - ab$. There exists $D = g^{(\alpha + r)/\beta} = g^{(\alpha' + r')/\beta}$. Then, we randomly choose gives the SK to $\mathcal{A}$.
Challenge. $\mathcal{A}$ submits two messages of equal length, $M_0$ and $M_1$, to $\mathcal{B}$. The challenger gets $\mu$ by flipping a coin. Then, $M_\mu$ is encrypted with $T^*$. The ciphertext $CT^*$ is sent to $\mathcal{A}$. In $CT^*$, there exists $B_0 = x_0\, e(g,g)^{\alpha s_0}$, $C_0 = g^{\beta s_0}$.

Phase 2. The simulator repeats what it did in Phase 1.
Guess. $\mathcal{A}$ submits its guess $\mu'$ of $\mu$. If $\mu' = \mu$, it indicates that $\mathcal{A}$ is given a valid BDH-tuple, $(g^a, g^b, g^c, T = e(g,g)^{abc})$; otherwise, it is given a random four-tuple $(g^a, g^b, g^c, T = R)$.
If $\mu' = \mu$, $\mathcal{A}$ finishes the guess game with the advantage of $\epsilon$. Thus $\Pr[\mathcal{B}(g^a, g^b, g^c, T = e(g,g)^{abc}) = 0]$ Or else, the ciphertext $CT^*$ is completely random. It means that $\mathcal{A}$ cannot get any information from $CT^*$. Then The overall advantage of the simulator $\mathcal{B}$ in the DBDH game is Above all, eM-CP-ABE can successfully resist chosen-plaintext attacks under the DBDH assumption.

Performance analysis
Compared with the MCP-ABE 7 and CP-ABE, 9 the time and space complexity of eM-CP-ABE perform better in the following scenario. In addition, eM-CP-ABE consumes much less time than SCP-ABE 8 for each attribute in the encryption and decryption processes.
We assume a $1-1$ MAT will encrypt one video with $l > 1$ privilege levels and $m_0 > 0$ common attributes. The $i$th level of the hierarchical tree has $m_{i,1}$ leaf nodes (except the trunk). We can obtain $m_1 = \sum_{i=1}^{l} m_{i,1}$. The number of all related attributes is $m = m_1 + m_0$. In Figure 10(a), the $1-1$ MAT has $l = 3$, $m_0 = 3$, $m_{1,1} = 3$, $m_{2,1} = 1$ and $m_{3,1} = 2$. To achieve the same access control, MCP-ABE needs a more complex tree (Figure 10(b)) and CP-ABE needs three trees (Figure 10(c)).
On the basis of Figure 10, we discuss the time and space complexity of KeyGen, Encryption, and Decryption of the three algorithms. The time taken to perform an exponential operation is denoted as E. The time taken to perform a bilinear operation is denoted as P.

KeyGen
For the three algorithms, the attribute set $S$ is the same. The time complexity of executing KeyGen is positively correlated to the cardinality of the attribute set $|S|$, and the value is $(2|S| + 1)E$. The three algorithms have the same time complexity in KeyGen. Similarly, the private key lengths of the three algorithms are $(2|S| + 1)$. So, they have the same space complexity.

Encryption
The time needed by CP-ABE, MCP-ABE, and eM-CP-ABE to satisfy the access control (Figure 10) is shown in Table 3. Compared with MCP-ABE, eM-CP-ABE has one more P, but $2lm_0 - 1 - 2m_0$ fewer E. In the situation that $(2lm_0 - 1 - 2m_0)E - P > 0$, eM-CP-ABE has better performance.
The theoretical analysis above proves that eM-CP-ABE consumes less encryption time than CP-ABE and MCP-ABE with the increase of $m_0$. The same conclusion is reached from the practical experiment (Figure 11). In this experiment, we assume that a group of access control policies exist that satisfy the following conditions: 1. $l = 3$; 2. $m_0 = \mathrm{ceiling}(m/10)$.
Note that eM-CP-ABE is used as a digital envelope to encrypt the secret keys, not the content. Therefore, the size and resolution of videos have no effect on the efficiency of eM-CP-ABE. The three elements that affect eM-CP-ABE are $l$, $m$, and $m_0$. All experiments are implemented in C++ and run on a computer (Intel(R) Core(TM) i5-8300H CPU at 2.30 GHz, 8-GB RAM, Windows 10 64-bit system).
In Figure 11, when $m = 10$, $m_0 = 1$, eM-CP-ABE and MCP-ABE consume similar time for encryption, slightly better than CP-ABE. With the increase of $m$, eM-CP-ABE has more advantages over MCP-ABE and CP-ABE in terms of the encryption time. For example, when $m = 100$, $m_0 = 10$, eM-CP-ABE There are different ciphertext lengths in the three algorithms shown in Table 4. When $m_0 > 0$ and $l > 2$, the space complexity of the proposed algorithm is lower than MCP-ABE and the value is $2(l - 2)m_0$.

Decryption
We assume that the user has the second privilege in Figure 10. MCP-ABE needs to iterate the DecryptNode function according to the access tree (Figure 12(a)), and the corresponding access structure for eM-CP-ABE is shown in Figure 12(b). They have the same decryption process. Let us consider another scenario. When the user wants to switch from a higher level privilege to a lower level, CP-ABE needs to re-execute the decryption function. As the number of leaf nodes increases, so does the decryption time. When only one leaf node exists, the decryption time is about 15 ms, and when the number of leaf nodes is 10, the decryption time is 78 ms. The average computation time per 10 attributes of SCP-ABE is 25 ms. However, for eM-CP-ABE, the decryption time is a constant. To realize this switch of privilege, eM-CP-ABE only needs to perform one and two hash operations, respectively. The hash operation takes much less time than the decryption function in ABE, about 3-8 ms, thus greatly reducing the decryption time.
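The privilege switch described above, sketched as an added example that is not the paper's implementation. It assumes a one-way key chain in which each lower-level key is the hash of the key one level above; SHA-256, the `keychain-step` prefix, the level names and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Privilege levels from highest to lowest, following the UHD/HD/SD example.
LEVELS = ["UHD", "HD", "SD"]


def h(key: bytes) -> bytes:
    """One chain step. SHA-256 and the prefix are assumptions; the page only says 'hash'."""
    return hashlib.sha256(b"keychain-step" + key).digest()


def build_chain(top_key: bytes) -> dict:
    """Provider side: derive every level key from the highest-level key."""
    chain, key = {}, top_key
    for level in LEVELS:
        chain[level] = key
        key = h(key)
    return chain


def switch_privilege(key: bytes, held: str, wanted: str):
    """Consumer side: move from the level whose key ABE decryption returned
    to a lower level. Returns (key, number_of_hash_operations)."""
    steps = LEVELS.index(wanted) - LEVELS.index(held)
    if steps < 0:
        # Going up would mean inverting the hash; only a fresh ABE decryption
        # with attributes satisfying the higher policy can yield that key.
        raise ValueError(f"cannot derive {wanted} key from {held} key")
    for _ in range(steps):
        key = h(key)
    return key, steps


def demo() -> dict:
    """Switch from the top level to every level and check against the chain."""
    chain = build_chain(os.urandom(32))  # constructed sample key
    results = {}
    for wanted in LEVELS:
        key, ops = switch_privilege(chain["UHD"], "UHD", wanted)
        results[wanted] = (hmac.compare_digest(key, chain[wanted]), ops)
    return results


if __name__ == "__main__":
    for level, (ok, ops) in demo().items():
        print(f"UHD -> {level}: {ops} hash op(s), key matches: {ok}")
```

Switching down costs one hash per level and no pairing or exponentiation, which is why the switch time does not grow with the number of leaf nodes.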

Deployment
We deployed the streaming media system supporting HTTP live streaming (HLS) under the media framework proposed by Li et al. 30 The system is shown in Figure 13. The video provider in the user area sends the video and the corresponding access control policy to the media cloud. In the media cloud, there are two areas: work and service. In the work area, the whole video is divided into several segments; then, AES is used to encrypt the video segments with different keys; last, these keys are encrypted by eM-CP-ABE. In the service area, the authorization center and the video storage and distribution are deployed. The video consumer in the user area gets the video through the following steps:
1. Send the ABE key request to the authorization center;
2. Get the SK;
3. Get the index file including the encrypted video segment keys from the video storage and distribution;
4. Decrypt the video segment keys using eM-CP-ABE;
5. Get the encrypted video segments from the video storage and distribution;
6. Decrypt the video segments using AES.
In this system, we implemented the decryption algorithm on Android version 4.2.2. After the two levels of decryption (ABE and AES), the plain video segments are obtained. Then, the video segments are combined and played (Figure 14). During the full video playing process, the CPU consumption is stable (between 15% and 25%). This proves that the application based on our proposed algorithm can complete the video on-demand service smoothly.

Conclusion
The media cloud built by cloud providers collects videos from video providers and provides various kinds of video services with guaranteed quality to video consumers. Video providers care whether the media cloud can provide effective copyright protection; video consumers are concerned about whether the media cloud can respond to their requests in real time. Therefore, how to establish a fine-grained and fast video access control scheme is a major challenge for the media cloud.
In this article, eM-CP-ABE is proposed to meet the requirement of multi-level access control of massive videos in the mobile environment. Based on the MCP-ABE, the virtual node and key chain are introduced to construct a new hierarchical access control structure. In the new structure, common attributes are extracted to the root node to save the encryption cost. When the user switches from a higher level privilege to a lower level, only a few hash operations are required without re-calling decryption in ABE, which greatly saves the decryption time and computation consumption.
In addition, we discussed the extended application of the proposed algorithm. Multi-authorization can improve the scalability of the algorithm. Using integer comparison, user revocation can be realized. More importantly, the access tree in eM-CP-ABE can be extended to a 1−n MAT, which improves the efficiency of the access control structure and saves the cost of tree generation and maintenance. We proved that eM-CP-ABE can successfully resist CPAs under the DBDH assumption. Performance analysis and experiment show that the proposed algorithm is better than MCP-ABE and CP-ABE in the encryption process.