A Privacy-Preserving Friend Matching Scheme Based on Attribute Encryption in Mobile Social Networks

Abstract

In mobile social networks, users can easily communicate with others through smart devices. Therefore, the protection of user privacy in social networks is becoming a significant subject. To solve this problem, this paper proposes a fine-grained data access control scheme that uses attributes to match friends. In our scheme, the friend-making parties generate friend preference and self-description lists, respectively, realizing attribute hiding by converting friendship preference into ciphertext access control policies and self-description into attribute keys. The social platform matches user profiles to quickly eliminate unmatched users and avoids invalid decryption. In order to reduce the computational burden and communication cost of mobile devices, we adopt an algorithm mechanism for outsourcing decryption. When the user meets the matching conditions, the algorithm outsources the bilinear pair operation with large computation to the friend server. After that, the user finally decrypts the ciphertext. Security analysis shows that our scheme is safe and effective. In addition, performance evaluation shows that the proposed scheme is efficient and practical.

1. Introduction

With the popularity of mobile devices and the increasing development of interpersonal social interaction, mobile social networks [1] play a key role in users’ daily lives. A large number of social software (such as WeChat, Weibo, Facebook, and Twitter) integrate user information into a data pool to meet the needs of social network users for making friends. Users can share their photos, videos, and other personal data on these apps to discover new friends, enabling other users to access data anytime and anywhere, making social networks popular around the world. At the same time, this widespread trend also brings challenges to massive data and their efficient sharing. The security issues in social networks may hinder their rapid development in some way, including privacy risks [2,3], identity theft [4,5], malware, and forged personal information [6]. The user information collected by social platforms contains great value, which can be used for advertising, commercial, and political purposes. Taking privacy risks as an example, users will publish their data to social software service providers for data sharing. However, social platforms are considered to be honest but also curious.

On the one hand, it will honestly perform the tasks assigned by the system. On the other hand, it hopes to learn as much as possible about the data, which may raise privacy issues, for example, by observing the other party’s daily WeChat steps and whether the moments of friends are updated to judge the activity of the target group. Additionally, the consumption ability of the target group can be judged by observing the shopping hobbies of the users. Once this information is leaked, the confidentiality of the data will be threatened. It is easy to be used by unauthorized users for various illegal activities.

Therefore, how to achieve efficient data access and fine-grained data sharing while protecting user privacy and security is a major challenge at present and also an important research direction for mobile social activities.

In this paper, in order to achieve a fast decryption of users, while ensuring the privacy security of matching users and fine-grained access control, we propose a CP-ABE mobile social network outsourcing decryption scheme. We introduce a matching stage before decryption, and most of the decryption tasks are carried out by the entrusted social network platform. The working principle of the matching algorithm is to determine whether the friend requester’s self-description attribute set contains the friend preference attribute set defined by the friend data owner. In other words, it is to judge whether the requester’s attributes meet the publisher’s access policy. In case the user information is successfully matched, the friend server replaces the mobile device to perform most of the decryption calculations without leaking data.

The main contributions of our proposal are listed below.

•

We propose a CP-ABE privacy-preserving friend matching scheme, which realizes efficient sharing and fine-grained access control of friend data and expands the scope of making friends, which is more practical.

•

The friend-making model proposed matches the information first and then decrypts it. By introducing a matching algorithm, when a large number of users want to retrieve data from the friend server, the friend center can quickly exclude unmatched users and return the corresponding ciphertext to the matched users.

•

We optimize an outsourcing decryption algorithm, which divides the user key into two parts. The length of the private key used for user decryption is short and constant, which greatly saves the storage overhead of the user. After the ciphertext is outsourced to the friend server, the computing cost of the client is reduced to a pairing operation, which greatly improves the computing efficiency.

•

The proposed scheme uses the symmetric key to encrypt private files, and uses the LSSS access structure to encrypt the symmetric key, effectively avoiding the leakage of privacy.

The remainder of this paper is organized as follows: Section 2 presents related work. Section 3 describes the preliminaries. Section 4 discusses the system model, framework, and security model. Section 5 gives a detailed implementation of our scheme. The security and performance analyses are provided in Section 6 and Section 7, respectively. Finally, we summarize this paper in Section 8.

2. Related Work

In mobile social networks, users’ privacy can be protected by data encryption technology. Sahai and Waters proposed a new encryption mechanism in 2005, called attribute-based encryption (ABE) [7]. ABE implements flexible one-to-many encryption instead of one-to-one encryption, which has significant advantages over traditional public key encryption. After their work, ABE was developed into two forms: key policy attribute-based encryption (KP-ABE) [8,9,10,11] and ciphertext policy attribute-based encryption (CP-ABE) [12,13,14,15]. Among them, CP-ABE is considered to be a promising encrypted data access control technology in cloud computing. It allows users to encrypt data by specifying access control policies for user attributes so that only users whose attributes meet the policy can decrypt the corresponding data. Compared with KP-ABE, CP-ABE is more suitable for multi-user scenarios such as mobile social networks and smart healthcare.

In order to achieve fine-grained access control of encrypted IOT data on the cloud, Li et al. [16] proposed a traceable ciphertext policy attribute-based encryption scheme to ensure user privacy. Wang et al. [17] proposed an efficient hierarchical file attribute-based encryption scheme, which integrates the hierarchical access structure into a single access structure and uses the integrated access structure to encrypt layered files, saving ciphertext storage space and reducing the time cost of encryption.

To achieve secure and fine-grained data dissemination in open social networks, the literature [18] used attribute-based conditional proxy re-encryption to ensure that only data disseminators whose attributes meet the access policy can disseminate data to their own social space. The literature [19] proposed a hierarchical management scheme that uses attributes to match friends, which aims to promote social network users to find friends safely and efficiently. In order to quickly match friends, the literature [20] designed a new CP-ABE-scheme-based privacy protection attribute matching scheme for mobile social networks, in which users could efficiently match friends almost without interaction.

However, as the complexity of access control policies increases, the computational overhead of decryption becomes very high. In most existing CP-ABE schemes, multiple pairing operations are usually required. For users with access rights, directly decrypting data will bear a great computational burden, especially for users with frequent data interaction and sharing, such as in the mobile social network application background and in the background of a mobile social network application. In order to solve the above problems, schemes [21,22,23] outsourced heavy calculations to proxy servers to reduce the computational overhead of decryption, allowing users to “borrow” computing resources from third-party service providers to perform heavy decryption work without data leakage. However, in the traditional ABE outsourcing decryption work, the user only knows whether the attributes and the policy match after repeated decryption attempts. This usually requires multiple pairing operations in most existing ABE schemes, which will undoubtedly cause serious time lag for users.

3. Preliminaries

3.1. Access Structure

An access structure $\Lambda$ [24] is established according to the attribute domain U, where $\Lambda$ is a non-empty attribute set, and the set in $\Lambda$ is called the authorized set. An access structure $\Lambda$ is said to be monotonic, and for any sets B and C, if $B\in \Lambda ,B\in C$, then $C\in \Lambda$.

In the CP-ABE scheme, only users with authorized attribute sets can decrypt the ciphertext. In this paper, we only consider the monotonic access structure. The access structure of this scheme uses the operator “AND” to connect different attributes and “OR” to connect different values of the same attribute. Suppose that all attributes $U=\{A_1,A_2,\cdots ,A_n\}$ and the set $A_i=\{a_{i,1},a_{i,2},\cdots ,a_{i,m_i}\}$. We establish the user’s attribute list $L=\{l_q,l_2,\cdots ,l_n\},l_i\in A_i$, and set the access structure $\Lambda =\{{\Lambda }_1,{\Lambda }_2,\cdots ,{\Lambda }_q\}$, ${\Lambda }_j\in A_i$. Only if $l_i\in {\Lambda }_j$, $i=1,2,\cdots ,n$, $j=1,2,\cdots ,n$ we say that the user’s attribute list satisfies the defined access structure $\Lambda$.

3.2. Linear Secret Sharing Scheme

Assuming that p is prime, when the following conditions are true, we say that the linear secret sharing scheme (LSSS) [25] on the attribute domain U is linear on $Z_p$.

(1)

The secret shared value assigned to each attribute constitutes a vector on $Z_p$.

(2)

For an access policy on U, there is an $l\times n$ shared matrix M and an attribute mapping function $\rho$ to map each row in M to a specific attribute in U. It satisfies the following conditions: $\overrightarrow{z}=\{s,z_2,\cdots ,z_n\}$, where $z_2,\cdots ,z_n$ is random elements in $Z_p$, and $M\overrightarrow{z}$ is a vector composed of l sharing shares of the secret value with respect to the linear secret sharing scheme, where ${\left(M\overrightarrow{z}\right)}_j$ is the share allocated to the attribute $\rho \left(j\right)$, and $(M,\rho )$ is called the access policy.

The linear secret sharing scheme satisfies the requirements of reconstruction and security. Specifically, if S is the authorization set of policy $(M,\rho )$, there is a set of constants ${\{w_i\in Z_p\}}_{i\in l}$ meeting $w_i{M}_i=(1,0,\cdots ,0)$, where I represents the set of rows corresponding to an attribute in S, that is, $I=\left\{i\right|\rho \left(i\right)\in S\bigcap i\in \left[l\right]\}$. Obviously, the secret value can be recovered by ${\sum }_{i\in l}{w}_i{\lambda }_i=s$. At the same time, there is no such set of constants that satisfy the conditions in any unauthorized set.

3.3. Security Assumption

A decisional q-parallel bilinear Diffie–Hellman exponent (q-parallel BDHE) [25] is defined as follows: Let G be a group with an order of a prime number p and g be a generator of G. Choose $s,a,b_1,\cdots ,b_q\in Z_p$ at random. If the following parameters are given to adversary $\mathcal{A}$:

$$\begin{array}{c}\hfill y=\left\{\left.\begin{array}{c}g,g^s,g^a,\cdots ,g^{a^q},g^{a^{q+2}},\cdots ,g^{a^{2q}},\hfill \\ \left\{{\left.g^{s{b}_j},g^{a/b_j},\cdots ,g^{a^q/b_j},g^{a^{q+2}/b_j},\cdots ,g^{a^{2q}/b_j}\right\}}_{\forall 1\le j\le q}\right.,\hfill \\ \left\{{\left.g^{as{b}_k/b_j},\cdots ,g^{a^{q}s{b}_k/b_j}\right\}}_{\forall 1\le j,k\le q,k\ne j}\right.\hfill \end{array}\right\}\right.\end{array}$$

$\mathcal{A}$ will not be able to distinguish $e{(g,g)}^{a^{q+1}s}$ from a random element $R\in G_T$. The advantage obtained by $\mathcal{A}$ in the q-parallel BDHE is as follows:

$$\begin{array}{c}\hfill |Pr[\mathcal{A}(y,e{(g,g)}^{a^{q+l}s})=0]-\left|Pr[\mathcal{A}(y,R)=0]\right|\le \epsilon \end{array}$$

The q-parallel BDHE is said to hold on to group G if the attacker $\mathcal{A}$ does not solve the problem with a non-negligible advantage in any polynomial time.

4. System Definition

4.1. System Model

Four entities are included in our system, namely, key generation center (KGC), friend server (FS), friend data owner (DO), and friend data requester (DR), as shown in Figure 1.

•

Key generation center (KGC): As a trusted authority, it is mainly responsible for system initialization, generating system parameters and master keys. At the same time, it manages system attributes and generates attribute keys and user private keys according to user attributes.

•

Friend server (FS): As a semi-credible authority, the FS is considered to have powerful storage and computing resources. As a matching service provider, the FS stores the DO’s matching reference information, searches for matching friends based on the DR’s requests, and finally helps the matching parties to establish contact. Meanwhile, in order to improve the decryption efficiency of the client, the FS can partially decrypt the original ciphertext, reducing the computational burden of the friend data requester.

•

Data owner (DO): In order to better match friends, the DOs register on the FS and publish their own friend match reference information. The friend data owners want fine-grained access control over friend data; they will use the CP-ABE scheme to encrypt the friend data and then upload the encrypted data to the FS.

•

Data requester (DR): The DR initiates a friend-making request to the FS, and only when his/her attributes meet the access policy defined by the DO can the ciphertext be decrypted successfully. For unauthorized users, they can neither recover the plaintext nor guess the attributes involved in the access policy.

4.2. Friend Matching

(1) User profile: In the system model of this paper, the matching reference information of each DO and the query information of the DR all contain four domains, namely, user identity $ID$, self-description S, friend-making preference P, and friend file F. The reference information describes “what kind of person (S) am I, who (P) I hope to make friends with, this is my detailed introduction (F)”, as shown in

Table 1. Friend-making user information.

User $\mathbf{ID}$	Self-Description (S)	Friend Preference (P)	Friend File (F)
$I{D}_1$	$S_{I{D}_1}$	$P_{I{D}_1}$	$F_{I{D}_1}$
$I{D}_2$	$S_{I{D}_2}$	$P_{I{D}_2}$	$F_{I{D}_2}$
⋯	⋯	⋯	⋯
$I{D}_n$	$S_{I{D}_n}$	$P_{I{D}_n}$	$F_{I{D}_n}$

. The $ID$ in Table 1 is the unique identifier of the user registered in the friend server. Self-description S and friend-making preference P describe the user’s own characteristics and friend-making goals, respectively. In this paper, self-description is equivalent to the set of attributes that DRs submit to the FS, and friend preference is equivalent to the access policies defined by DOs. The friend file F contains the user’s photos, videos, exercise data, contact information, and other private data.

According to the above description, each user in the social network system will generate a personal profile as matching reference information. In this paper, the user profile is a set of attributes. To facilitate the description, we take the self-description of a user, Bob, as an example. As shown in

Table 2. Self-description of Bob.

Attribute Category	Attribute Value
Age	26
Sex	Male
Blood type	O
Address	Xinhua Street
School	Oxford
Profession	Teacher
Interest	Music, sports, travel

, the first column displays the attribute category names, and the second column displays the corresponding attribute values. Specifically, let A be an attribute space containing attribute categories, that is, $A=\{A_1,A_2,\cdots ,A_n\}$. There are $m_i$ candidate values for each $A_i\in A$, namely, $A_i=\{a_{i1},a_{i2},\cdots ,a_{i{m}_i}\}$. The user profile (hereinafter referred to as the attribute list) is generated in two steps. First, select the attribute category from A; second, select a specific attribute value for each attribute category from the candidate values.

The user’s self-description attribute list comes from a different attribute category. In other words, for $s_i\in A_{k_1}$ and $s_j\in A_{k_2}$, if $s_i\ne s_j$, then $k_1\ne k_2$. Similarly, the user’s friend-making preference attribute list $P=\{P_1,P_2,\cdots ,P_{n^{\prime }}\}$ is also generated in the same way. For different users, the length of the attribute list may not be the same. In this paper, the elements in the attribute list are arranged in the order in which the corresponding attribute category appears in the attribute space.

(2) Profile matching: We assume that Alice and Bob are representatives of the friend data owners and requesters, respectively, in the social network system $P_a$. If Alice wants to search for friends in the social network system, a friend-making preference attribute list is generated by Alice, and $S_b$ is the self-description attribute list uploaded by Bob. In this paper, if the friend-making preference attribute set is a proper subset of the self-description attribute set, the match is said to be successful. For example, suppose that Alice’s friend-making preference is $P_a=\{male,18<age<30,music\}$ and Bob’s self-description is $S_b=\{male,age=26,teacher,music\}$. Obviously, Bob meets Alice’s friend-making preference; then we consider that the matching operation is successful. The attribute matching between Alice and Bob can be represented by the following function:

$$Match(Alice,Bob)=\left\{\begin{array}{c}1,P_a\subseteq S_b\hfill \\ 0,other\hfill \end{array}\right.$$

Now a specific example is given to illustrate the process of making friends. If Alice in Figure 1 wants to find a male who is between 18 and 30 years old and loves music through a mobile social network, Alice will encrypt her privacy file with a symmetric key and upload the encrypted privacy file to the friend server for management. The friend server will generate a storage address for the corresponding encrypted file. At the same time, Alice will submit his/her own access control policy (namely, friend-making preference) to the friend server. If, in the mobile social network, the self-description of a friend requester, Bob, exactly matches Alice’s friend-making preferences, Bob will obtain Alice’s sensitive files and make friends successfully.

4.3. Algorithm Definition

Generally, the following seven algorithms are included in our scheme:

• $\mathit{Setup}({\mathbf{1}}^{\mathit{\lambda }},\mathit{U})\to (\mathit{PK},\mathit{MK})$: Given the security parameters and system attribute sets U, KGC runs the algorithm to output the system public key $PK$ and master key $MK$.
• $\mathit{KeyGen}(\mathit{PK},\mathbf{MK},\mathit{S})\to (\mathit{AK},\mathit{SK})$: Taking a user attribute set S as input, KGC runs the algorithm to generate the attribute key $AK$ and private key $SK$ associated with the attribute set for the user.
• ${\mathit{Enc}}_{\mathbf{1}}(\mathit{PK},\mathit{K},\mathit{F})\to \mathit{CF}$: Taking the system public key $PK$, symmetric key K, and friend-making file F as input, the DO outputs the ciphertext of the file.
• ${\mathit{Enc}}_{\mathbf{2}}(\mathit{PK},\mathit{K},(\mathit{M},\mathit{\rho }))\to \mathit{CT}$: The system public key $PK$, symmetric key K, and access policy $(M,P)$ defined by the friend data owner DO are input, and the DO outputs the symmetric key ciphertext $CT$.
• $\mathit{Match}({\mathit{RP}}_{\mathit{a}},{\mathit{RS}}_{\mathit{b}})\to \mathbf{1}/\mathbf{0}$: Enter the friend-making preference reminder vector $R{P}_a$ of the user $U_a$ and the self-description reminder vector $R{S}_b$ of the user $U_b$. Then the FS matches the information of $U_a$ and $U_b$. If the match is successful, the FS outputs 1; otherwise, 0.
• ${\mathit{Dec}}_{\mathbf{1}}(\mathit{AK},\mathit{CT})\to {\mathit{CT}}^{\prime }$: After entering the attribute key $AK$ and ciphertext $CT$ of the friend requester, the FS partially decrypts the original ciphertext and then obtains the ciphertext ${\mathit{CT}}^{\prime }$.
• ${\mathit{Dec}}_{\mathbf{2}}(\mathit{SK},{\mathit{CT}}^{\prime })\to \mathit{F}$: Input the private key $SK$ and ciphertext ${\mathit{CT}}^{\prime }$ of the friend requester DR; the DR fully decrypts the ciphertext sent by the FS, and finally obtains the privacy file of the DO.

In this scheme, the user’s security key is divided into two parts. One part is hidden in $AK$, which we call the “attribute key”, which can be shared with the friend server, and the other part is hidden in $SK$ and must be kept secret by the user. Once the FS receives the ciphertext $CT$, two operations need to be performed. First, the FS runs a “match” decryption test on the user to check whether the user has the ability to decrypt. If the matching test returns 1, the FS will use the attribute key $AK$ of the corresponding DR to partially decrypt the original ciphertext to generate ${\mathit{CT}}^{\prime }$, and send ${\mathit{CT}}^{\prime }$ to the DR.

The basic flow process diagram of our scheme is shown in Figure 2. In the initialization phase, KGC runs the $Setup$ algorithm to generate the system public key and master key. At the same time, the $KeyGen$ algorithm is used to generate private keys and attribute keys for users by KGC in the system. The friend data owner DO defines an access policy, runs the $En{c}_1$ and $En{c}_2$ algorithm to generate an accessible ciphertext for the friend data requester DR. Then the DO outsources the encrypted data to the FS. The DR sends a request to access the ciphertext to the FS. After receiving the request, the FS runs the $Match$ algorithm to compare the information, and checks whether the attributes of the DR meet the friend-making access policy defined by the DO.

If the DR’s self-description meets the DO’s friend-making preferences, indicating that the requester is the expected target friend, the FS runs the $De{c}_1$ algorithm. The FS uses the DR’s attribute key to partially decrypt the ciphertext, and sends it to the DR. Then the DR runs the $De{c}_2$ algorithm, decrypts the ciphertext with his/her own private key, and finally obtains the DO’s private file, thereby obtaining the DO’s contact information and other information, that is, making friends successfully.

4.4. Security Model

In order to prove the security of the scheme and ensure the security and privacy of both friend-making parties in the social network, we have designed a game between the attacker $\mathcal{A}$ and the challenger $\mathcal{C}$: indistinguishability against selective access policy and chosen plaintext attacks (IND-SAP-CPA).

• Initialization: $\mathcal{A}$ chooses an arbitrary challenge access policy $(M^{*},{\rho }^{*})$ and submits it to $\mathcal{C}$.
• Setup: $\mathcal{C}$ runs the $Setup(1^{\lambda },U)$ algorithm to generate the system public key $PK$ and master key $MK$; $\mathcal{C}$ sends the public parameters $PK$ to $\mathcal{A}$ and keeps the master key $MK$ secret.
• Phase 1: At this phase, $\mathcal{C}$ will answer the private key query put forward by $\mathcal{A}$. Private key query: Given an attribute set S, $\mathcal{C}$ runs the $KeyGen(PK,MK,S)$ algorithm and returns the corresponding decryption key to $\mathcal{A}$, where the attribute set S does not satisfy the access policy $(M^{*},{\rho }^{*})$.
• Challenge: This phase requires the construction of the challenge ciphertext $C{T}^{*}$. $\mathcal{A}$ provides $\mathcal{C}$ with two messages, $K_0$ and $K_1$, of equal length; randomly throws a coin $b\in \{0,1\}$; encrypts $K_b$ under $(M^{*},{\rho }^{*})$; and then passes the challenge ciphertext $C{T}^{*}=Enc(PK,K_b,(M^{*},{\rho }^{*}))$ to $\mathcal{A}$.
• Query phase 2: Repeat the work of query phase 1.
• Guess: $\mathcal{A}$ will finally output a guess $b^{\prime }$: if $b^{\prime }=b$, then $\mathcal{A}$ wins. ${\mathcal{A}}^{\prime }s$ advantage in this game is defined as follows:

If the probability of attacker $\mathcal{A}$ winning in the above game is negligible in all polynomial time, then the scheme in this paper is called IND-SAP-CPA security.

$$\begin{array}{c}\hfill \epsilon =Ad{v}_{\mathcal{A}}^{IND-SAP-CPA}=|Pr[b^{\prime }=b]-\frac{1}{2}|\end{array}$$

5. The Proposed Scheme

In this paper, the process of making friends in social networks mainly includes five stages: system initialization, key generation, information matching, data encryption, and decryption.

The algorithm of each stage is described as follows:

System initialization: KGC runs the $Setup(1^{\lambda },U)\to (PK,MK)$ algorithm to generate the system public key and master key. KGC inputs the security parameter $\lambda$ and the attribute domain $U=\{at{t}_1,at{t}_2,\cdots ,at{t}_{\left|U\right|}\}$. Let G and $G_T$ be the multiplicative cyclic groups of the order prime p, g the generator of G, and $e:G\times G\to G_T$ a bilinear map. KGC randomly selects $\alpha ,\beta \in Z_p^{*}$. Let $\gamma =(\alpha +\beta )$ mod p. For each attribute in U, KGC randomly selects the group element $h_{at{t}_1},h_{at{t}_2},\cdots ,h_{at{t}_{\left|U\right|}\in G}$, calculating the system public key $PK$ and master key $MK$, as follows:

$$\begin{array}{ccc}\hfill & PK=\{g,e{(g,g)}^{\gamma },g^{\gamma },h_{at{t}_1},h_{at{t}_2},\cdots ,h_{at{t}_{\left|U\right|}}\}\hfill & \\ \hfill & MK=\{\alpha ,\beta ,\gamma \}\hfill \end{array}$$

Finally, KGC publishes the system public key $PK$ and keeps the system master key $MK$ secret.

Key generation: Assuming that a friend data requester wants to search for friends through the friend server in the mobile social network, he/she first needs to register on the friend server, and then submit his/her attributes S (self-description) to KGC, and then KGC will run the $KeyGen(PK,MK,S)$ algorithm to generate the corresponding security key. The details are as follows:

(1)

KGC randomly selects t, $z=Z_p^{*}$ sets $\tilde{t}=\frac{t}{z}$.

(2)

KGC creates the user key into two parts: one part is $AK$, the “attribute key” that can be shared with the friend server, and the other part is $SK$, which is the user’s private “security key”, only saved by the user. KGC calculates the attribute key $AK$ and the user’s private key $SK$.

$$\begin{array}{ccc}\hfill & AK=\{V_1=g^{\alpha /z}{g}^{\gamma \tilde{t}},E=g^{\tilde{t}},\forall at{t}_x\in S:V_x=h_{at{t}_x}^{\tilde{t}}\}\hfill & \\ \hfill & SK=\{z,V_2=g^{\beta /z}{g}^{\gamma \tilde{t}}\}\hfill \end{array}$$

KGC sends the key $(AK,SK)$ to the friend data requester through a secure channel.

Data encryption: Since the friend server is not completely trusted, that is, the server may peek into the private data uploaded by the friend data owners, in order to hide their sensitive data, the DO will encrypt their own data. The DO adopts a double encryption for the data as follows:

(1)

The DO establishes multiple different friend files according to his/her own actual needs. For different files, the DO will use different keys for encryption. Suppose that the DO randomly selects a friend file and sets its number as $F_i$, $i\in \{1,2,\cdots ,n\}$, and then randomly selects the key K from a set of symmetric keys, performs symmetric encryption on the file $F_i$, and obtains the file ciphertext $CF$.

(2)

In order to ensure the DO’s own friend-making preferences and the privacy of the symmetric key, the DO uses his/her own friend-making preferences as an access control policy to encrypt the symmetric key K and obtain the symmetric key ciphertext $CT$.

The DO sets his/her friend-making preference (access control policy) in the form of an LSSS access structure $(M,\rho )$, where M represents the $l\times n$ linear secret sharing matrix, and $\rho$ is a mapping function that maps each row in M to a unique attribute in the attribute domain U, where $\left\{{\rho }_i\right|1\le i\le l\}$ represents the attribute used in the access structure $(M,\rho )$. The DO first randomly selects a set of random numbers s, $z_2,\cdots ,z_n\in Z_p$ (these random numbers will be used to share the secret value s), and constructs a vector ${\lambda }_i=M_{i}v$. For $i=\{1,\cdots ,l\}$, calculate ${\lambda }_i=M_{i}v$ to obtain a set of encrypted secret values, where $M_i$ represents the i-th row in the matrix M. In addition, the DO randomly selects $r_1,r_2,\cdots ,r_n\in Z_p$ and obtains the ciphertext $CT$ as follows:

$$\begin{array}{ccc}\hfill & CT=\{(M,\rho ),C,C^{\prime },{\{C_i,D_i\}}_{i\in \left[l\right]}\}\hfill & \\ \hfill & C=K·e{(g,g)}^{\gamma s},C^{\prime }=g^s,{\{C_i=g^{\gamma {\lambda }_i}{h}_{{\rho }_i}^{-r_i},D_i=g^{r_i}\}}_{i\in \left[l\right]}\hfill \end{array}$$

The DO uploads the data packet to the friend server FS in response to the query from the requester.

Information matching: In practice, the number of potential matching users is usually much smaller than the total number of registered users on the network. Based on this fact, we designed a mechanism to quickly filter out invalid users to improve the efficiency of friend matching. The key data structure of this mechanism is the reminder vector $RP$, which contains the number and characteristics of attributes in the friend-making preference attribute list P. The reminder vector $RP$ is sent to the friend server by the friend data owner. For users participating in the matching, use the same method to generate their own query attribute list $RS$ and upload it to the friend server. After receiving the query package, the friend server compares the requester’s attribute list with the data owner’s reminder vector to determine whether it is a potential friend of the data owner. If the pre-matching is successful, the next matching calculation will be carried out; otherwise, the matching ends. The specific algorithm is shown as follows:

Assume that there are attributes in the user’s attribute list $L=\{l_1,l_2,\cdots ,l_n\}$, $\lambda$ is a prime number $(\lambda >n)$, and $Hash$ is a secure hash function whose output is n bits in length. For $l_k\in L$, let $r_k\equiv Hash\left(l_k\right)$ mod $\lambda$, and the reminder vector $RL=\{r_1,r_2,\cdots ,r_n\}$. For two attributes $l_i$ and $l_j$,$r_i\equiv Hash\left(l_i\right)mod\lambda$, $r_j\equiv Hash\left(l_j\right)mod\lambda$, if $r_i\ne r_j$, $l_i\ne l_j$.

(1)

For the DO’s friend preference attribute list $P=\{p_1,p_2,\cdots .p_m\}$, let $r{p}_i\equiv Hash\left(p_i\right)mod\lambda$; the DO generates a friend preference reminder vector $RP=\{r{p}_1,r{p}_2,\cdots ,r{p}_m\}$ and uploads it to the FS. In the same way, the DR uses the same method to calculate $r{s}_j\equiv Hash\left(s_j\right)mod\lambda$ for self-description $S=\{s_1,s_2,\cdots ,s_q\}$, and generates the self-description reminder vector $RS=\{r{s}_1,r{s}_2,\cdots ,r{s}_q\}$, where $1\le i\le m,1\le j\le q$. In our system model, the number of attributes is not necessarily the same for different users. According to our definition of “match”, for any potential matching user, the length of the DR’s self-description attribute list must be greater than or equal to the length of the DO’s friend-making preference attribute list. After receiving the attribute list of the DR, the FS compares the length of $\left|RP\right|$ and $\left|RS\right|$. If $\left|RP\right|>\left|RS\right|$ or the values of $r{p}_i$ and $r{s}_j$ are different under the same attribute category, it indicates that the DR’s self-description does not conform to the DO’s friend-making preferences and the matching is terminated; otherwise, proceed to the next matching step.

(2)

After passing the pre-match in the first step, the FS checks whether the DR has the ability to decrypt the ciphertext. Let $I=\{I:{\rho }_i\in S\}$,; when the attributes S of the DR meet the access policy $(M,\rho )$ defined by the DO, there exists a set of constants ${\{w_i\in Z_p^{*}\}}_{i\in I}$ such that ${\sum }_{i\in I}{w}_i{\lambda }_i=s$. The FS calculates whether there is a set of correct constants $w_i$ meeting ${\sum }_{i\in I}{M}_i{w}_i=(1,0,\cdots 0)$, where $M_i$ represents the row vector corresponding to the attribute value submitted by the DR. If the value of $w_i$ can be obtained successfully, it indicates that the matching is successful, and proceeds to the next decryption algorithm.

Data decryption: If the DR initiates a friend search request to the FS, the FS will first match the DR’s information and checks whether the DR meets the DO’s friend-making conditions. If the pre-matching is successful, the DR can send its own attribute key $AK$ to the FS and use the FS to perform partial decryption to reduce his/her own computing burden. If the DR fully meets the DO’s friend-making goal, it can be successfully decrypted. The algorithm details are as follows:

(1)

$De{c}_1(AK,CT)\to C{T}^{\prime }$: The FS enters the attribute key $AK$ of the DR and the ciphertext $CT$ uploaded by the DO and computes $C{T}^{\prime }$, as follows:

$$\begin{array}{ccc}\hfill & C{T}^{\prime }=\frac{e(C^{\prime },V_1)}{{\left({\prod }_{i\in I}{\left(e(C_i,E)e(D_i,V_{{\rho }_i})\right)}^{w_i}\right)}^2}\hfill & \end{array}$$

Then the FS sends the ciphertext $C{T}^{\prime }$ and the DO’s sensitive data file ciphertext $CF$ to the DR, and the DR can fully decrypt the friend-making file as follows:

(2)

$De{c}_2(SK,C{T}^{\prime })\to F$: The DR enters his/her own decryption private key $SK=\{z,V_2\}$ and partial decryption $C{T}^{\prime }$ sent by the FS and the computes parameter B: $B=e(V_2,C^{\prime })·C{T}^{\prime }$.

The symmetric key K can be obtained as $K=\frac{C}{B^z}$.

Correctness:

$$\begin{array}{cc}\hfill C{T}^{\prime }& =\frac{e(C^{\prime },V_1)}{{\left({\prod }_{i\in I}{\left(e(C_i,E)e(D_i,V_{{\rho }_i})\right)}^{w_i}\right)}^2}\hfill \\ \hfill & =\frac{e(g^s,g^{\alpha /z}{g}^{\gamma \tilde{t}})}{{\left({\prod }_{i\in I}{\left(e(g^{\gamma {\lambda }_i}{h}_{{\rho }_i}^{-r_i},g^{\tilde{t}})e(g^{r_i},h_{{\rho }_i}^{\tilde{t}})\right)}^{w_i}\right)}^2}\hfill \\ \hfill & =\frac{e{(g,g)}^{s\alpha /z}e{(g,g)}^{s\gamma \tilde{t}}}{{\left({\prod }_{i\in I}{\left(e(g^{\gamma {\lambda }_i},g^{\tilde{t}})e(h_{{\rho }_i}^{-r_i},g^{\tilde{t}})e(g^{r_i},h_{{\rho }_i}^{\tilde{t}})\right)}^{w_i}\right)}^2}\hfill \\ \hfill & =\frac{e{(g,g)}^{s\alpha /z}e{(g,g)}^{s\gamma \tilde{t}}}{{\left(e{(g^{\gamma },g^{\tilde{t}})}^{{\sum }_{i\in I}{w}_i{\lambda }_i}\right)}^2}=\frac{e{(g,g)}^{s\alpha /z}e{(g,g)}^{s\gamma \tilde{t}}}{{\left(e{(g,g)}^{s\gamma \tilde{t}}\right)}^2}\hfill \\ \hfill & =\frac{e{(g,g)}^{s\alpha /z}}{e{(g,g)}^{s\gamma \tilde{t}}}\hfill \\ \hfill B& =e(V_2,C^{\prime })·C{T}^{\prime }=\frac{e(g^{\beta /z}{g}^{\gamma \tilde{t}},g^s)e{(g,g)}^{s\alpha /z}}{\left(e{(g,g)}^{s\gamma \tilde{t}}\right)}\hfill \\ \hfill & =\frac{e(g^{\beta /z},g^s)e(g^{\gamma \tilde{t}},g^s)e{(g,g)}^{s\alpha /z}}{\left(e{(g,g)}^{s\gamma \tilde{t}}\right)}=e{(g,g)}^{s\beta /z}e{(g,g)}^{s\alpha /z}\hfill \\ \hfill & =e{(g,g)}^{s(\alpha +\beta )/z}=e{(g,g)}^{s\gamma /z}\hfill \\ \hfill K& =\frac{C}{B^z}=\frac{C}{{\left(e{(g,g)}^{s\gamma /z}\right)}^z}=\frac{K·e{(g,g)}^{\gamma s}}{{\left(e{(g,g)}^{s\gamma /z}\right)}^z}=\frac{K·e{(g,g)}^{\gamma s}}{e{(g,g)}^{s\gamma }}\hfill \end{array}$$

6. Security Analysis

6.1. Security Proof

Assume that the decisional q-parallel BDHE assumption holds in groups G and $G_T$. For any probability polynomial-time adversary, the successful advantage is negligible for the proposed scheme under the decisional q-parallel BDHE assumption.

Based on the security model defined in this paper, we simulated the security game between the adversary $\mathcal{A}$ and the challenger $\mathcal{B}$. Suppose that there is a polynomial time adversary $\mathcal{A}$, which can attempt to break the IND-SAP-CPA security of our scheme with an advantage of $\epsilon$. We define a simulator to try to solve the decisional q-parallel BDHE problem; then there exists $\mathcal{B}$ to solve the decisional q-parallel BDHE problem with a probability of $\epsilon /2$. The simulation process is as follows:

The challenger $\mathcal{B}$ first makes the following settings: randomly selects $s,a,b_1,\cdots ,$$b_q\in Z_p$, and gives the following:

$$\begin{array}{c}\hfill y=\left\{\left.\begin{array}{c}g,g^s,g^a,\cdots ,g^{a^q},g^{a^{q+2}},\cdots ,g^{a^{2q}},\hfill \\ \left\{{\left.g^{s{b}_j},g^{a/b_j},\cdots ,g^{a^q/b_j},g^{a^{q+2}/b_j},\cdots ,g^{a^{2q}/b_j}\right\}}_{\forall 1\le j\le q}\right.,\hfill \\ \left\{{\left.g^{as{b}_k/b_j},\cdots ,g^{a^{q}s{b}_k/b_j}\right\}}_{\forall 1\le j,k\le q,k\ne j}\right.\hfill \end{array}\right\}\right.\end{array}$$

$\mathcal{B}$ selects $\mu \in \{0,1\}$ at random. If $\mu =0$, let $T=e{(g,g)}^{a^{q+1}s}$; if $\mu =1$, $\mathcal{B}$ randomly selects $T\in Z_p$.

Initialization: $\mathcal{A}$ sends the access policy $(M^{*},{\rho }^{*})$ that it wants to challenge to $\mathcal{B}$, where $M^{*}$ has $n^{*}$ columns.

Setup: $\mathcal{B}$ randomly selects ${\gamma }^{\prime }\in Z_p$ and sets $e{(g,g)}^{\gamma }=e(g^a,g^{a^q})e{(g,g)}^{{\gamma }^{\prime }}$, which is equivalent to implicitly setting $\gamma ={\gamma }^{\prime }+a^{q+1}$. $\mathcal{B}$ sets the group elements $h_{at{t}_1},h_{at{t}_2},\cdots ,h_{at{t}_{\left|U\right|}}\in G$ as follows: For each x of $1\le x\le U$, there is a random value $z_x\in Z_p$ corresponding to it. Let X denote the set of index i, where ${\rho }^{*}\left(i\right)=x$. $\mathcal{B}$ calculates $h_{at{t}_x}$ as follows:

$$\begin{array}{cc}\hfill & \tilde{t}=r+{\beta }_1{a}^q={\beta }_2{a}^{q-1}+\cdots +{\beta }_{n^{*}}{a}^{q-n^{*}+1}\hfill \end{array}$$

If $X=⌀$, then $h_{at{t}_x}=g^{z_x}$. It should be noted that $h_{at{t}_x}$ is randomly distributed because $g^{z_x}$ is random.

Query phase 1: At this phase, $\mathcal{B}$ builds a tuple list $L_{SK}=(S,SK,AK)$, which is initially empty. Suppose that $\mathcal{A}$ makes a key query request for an attribute set S that does not meet the access policy $(M^{*},{\rho }^{*})$, and $\mathcal{B}$ will answer $\mathcal{A}$’s private key query.

If the attribute set S has been queried, $\mathcal{B}$ retrieves the key from the list $L_{SK}$, and then returns $(SK,AK)$ to $\mathcal{A}$. Otherwise, $\mathcal{B}$ sets the vector $\beta =({\beta }_1,{\beta }_1,\cdots ,{\beta }_n^{*})\in Z_p^{n^{*}}$, and ${\beta }_1=-1$, and for all i satisfying ${\rho }^{*}\left(i\right)\in S$, $\beta M_i^{*}=0$. According to the definition of LSSS, the vector satisfying this condition must exist. $\mathcal{B}$ randomly selects ${\alpha }^{\prime },{\beta }^{\prime }\in Z_p$, and sets ${\gamma }^{\prime }=({\alpha }^{\prime }+{\beta }^{\prime })$ mod p, $\alpha ={\alpha }^{\prime }+a^{q+1},\beta ={\beta }^{\prime }$. Then $\mathcal{B}$ calculates $V_2=g^{{\beta }^{\prime }/z}{g}^{\gamma \tilde{t}}=g^{\beta /z}{g}^{\gamma \tilde{t}}$. $\mathcal{B}$ randomly selects $r\in Z_p$ and calculates $E=g^r{\prod }_{i=1}^{n^{*}}{\left(g^{a^{q+1-i}}\right)}^{{\beta }_i}=g^{\tilde{t}}$, which is equivalent to implicitly defining $\tilde{t}$ as follows:

$$\begin{array}{cc}\hfill & \tilde{t}=r+{\beta }_1{a}^q={\beta }_2{a}^{q-1}+\cdots +{\beta }_{n^{*}}{a}^{q-n^{*}+1}\hfill \end{array}$$

According to this definition, the term $g^{-a^{q+1}}$ can be included in $g^{a\tilde{t}}$, and the unknown term $g^{\alpha }$ can be eliminated when constructing $V_1$. $\mathcal{B}$ calculates $V_1$ in the following way:

$$\begin{array}{cc}\hfill & V_1=g^{{\alpha }^{\prime }/z}{g}^{\gamma r}\prod _{i\in [2,n^{*}]}{\left(g^{a^{q+2-i}}\right)}^{{\beta }_i}=g^{\alpha /z}{g}^{\gamma \tilde{t}}\hfill \end{array}$$

Next, $\mathcal{B}$ starts to calculate ${\left\{V_x\right\}}_{at{t}_x\in S}$. For each $at{t}_x\in S$, if no i meets ${\rho }^{*}\left(i\right)=x$, then $\mathcal{B}$ can set $V_x=h_{at{t}_x}^{\tilde{t}}={\left(g^{z_x}\right)}^t={\left(g^{\tilde{t}}\right)}^{z_x}=E^{z_x}$. If multiple i meet ${\rho }^{*}\left(i\right)=x$, since $\mathcal{B}$ cannot simulate $g^{a^{q+1/b_i}}$, it is necessary to satisfy the expression of $V_x$ that does not contain the term of $g^{a^{q+1}/b_i}$. According to $\beta M_i^{*}=0$, $\mathcal{B}$ can construct $V_x$ as follows:

$$V_x=E^{z_x}\prod _{i\in X}\prod _{j\in [1,n^{*}]}{\left(g^{(a^j/b_i)r}\prod _{k\in [1,n^{*}],k\ne j}{\left(g^{a^{(q+1+j-k)}/b_i}\right)}^{w_k}\right)}^{M_{i,j}^{*}}$$

$\mathcal{B}$ adds the generated key to list $L_{SK}=(S,SK,AK)$ and sends it to $\mathcal{A}$.

Challenge: $\mathcal{A}$ provides $\mathcal{B}$ with two challenge messages $K_0$ and $K_1$ of equal length. $\mathcal{B}$ randomly selects $b\in \{0,1\}$ and calculates the ciphertext:

$$C^{*}=K_b·T·e{(g,g)}^{{\gamma }^{\prime }s},C^{\prime *}=g^s$$

Then $\mathcal{B}$ chooses random numbers $y_2^{\prime },\cdots ,y_n^{\prime }$ and uses the following vector to divide the secret value s:

$$\eta =(s,sa+y_2^{\prime },s{a}^2+y_3^{\prime },\cdots ,s{a}^{n-1}+y_n^{\prime })$$

In addition, $\mathcal{B}$ chooses random numbers $r_1,r_2^{\prime },\cdots ,r_l^{\prime }$ and defines $A_i$ as the set of all k satisfying ${\rho }^{*}\left(i\right)={\rho }^{*}\left(k\right)$ and $k\ne i$. The settings of $C_i,D_i$ in the challenge ciphertext are as follows:

$$\begin{array}{cc}\hfill C_i=& h_{{\rho }_i^{*}}^{r_i^{\prime }}\left(\prod _{j\in [2,n]}{\left(g^a\right)}^{M_{i,j}^{*}{y}_j^{\prime }}\right)·{\left(g^{b_{i}s}\right)}^{-z_{{\rho }_i^{*}}}·\hfill \\ & \left(\prod _{k\in A_i}\prod _{j\in [1,n]}{\left(g^{a_j·s·(b_i/b_k)}\right)}^{M_{k,j}^{*}}\right),D_i=g^{r_i^{\prime }}{g}^{-s{b}_i}\hfill \end{array}$$

Query phase 2: Repeat the operation in query phase 1.

Guess: $\mathcal{A}$ outputs the guess value of b. If $b^{\prime }=b$, $\mathcal{B}$ outputs ${\mu }^{\prime }=0$, which means $T=e{(g,g)}^{a^{q+1}s}$; if $b^{\prime }\ne b$, $\mathcal{B}$ outputs ${\mu }^{\prime }=1$, which means $T\in G_T$. When $\mu =0$, $\mathcal{A}$ obtains a valid ciphertext $K_b$. By definition, $\mathcal{A}$’s advantage in this case is $\epsilon$, so $Pr[b^{\prime }=b|\mu =0]=1/2+\epsilon$. When $b^{\prime }=b$, $\mathcal{B}$ guesses ${\mu }^{\prime }=0$, so $Pr[{\mu }^{\prime }=\mu |\mu =0]=1/2+\epsilon$. When $\mu =1$, it means that $\mathcal{A}$ cannot obtain any information about b, so $Pr[b^{\prime }=b|\mu =1]=1/2$. When $b^{\prime }\ne b$, $\mathcal{B}$ guesses ${\mu }^{\prime }=1$, so $Pr[{\mu }^{\prime }=\mu |\mu =1]=1/2$.

It can be obtained from this that the advantage of solving the decisional q-parallel BDHE problem is as follows:

$$\frac{1}{2}Pr[{\mu }^{\prime }=\mu |\mu =0]-\frac{1}{2}Pr[{\mu }^{\prime }=\mu |\mu =1]=\frac{\epsilon }{2}$$

Therefore, $\mathcal{B}$ can solve the decisional q-parallel BDHE problem with the advantage of $\epsilon /2$, and this conclusion obviously contradicts the currently recognized decisional q-parallel BDHE assumption. Therefore, the assumption does not hold; that is, the scheme can achieve IND-SAP-CPA security.

6.2. Achieving Goals

In this section, we illustrate how the proposed scheme can effectively achieve privacy protection and fine-grained access control.

The proposed scheme achieves privacy protection. The friend data owner first uses a random symmetric key to encrypt social privacy files, and uses CP-ABE to encrypt the symmetric key. Since the symmetric encryption and CP-ABE scheme are secure, the confidentiality of outsourced social data can be guaranteed. In addition, the $RP$ and $RS$ uploaded by the data owner and the requester are only fuzzy descriptions of self-description and friend-making preferences, which only implies the length of the attribute and the remainder feature of the parameter $\lambda$, since there are multiple different attribute values that may produce the same result after the remainder of $\lambda$; therefore, the friend server cannot infer the specific attribute information of both parties through the reminder vector, which effectively guarantees the confidentiality and privacy protection of the friend-making data.

The proposed scheme achieves fine-grained access control of friend-making data. This scheme allows friend data owners to flexibly set different data access control policies according to their actual needs. In the encryption phase of the scheme, data owners can encrypt private files according to their own access policies (namely, friend-making preferences), and then outsource the initial ciphertext to the social network friend server. Specifically, the encrypted data access policy defined in the access structure supports complex operations, including “AND” and “OR”, which can represent any set of conditions. Additionally, in the decryption process, only when the self-description attribute set of the data requester meets the friend-making preference attribute defined by the data owner can the requester decrypt the ciphertext successfully. Thus, this structure enables fine-grained access control over social data.

7. Performance Analysis

In order to further understand the effectiveness and practicability of the proposed scheme in a social network system, we compared this scheme with similar encryption schemes [24,25,26] in terms of computational and communication cost. These schemes and our scheme all use the CP-ABE method of LSSS access policy to achieve privacy protection.

7.1. Computational Analysis

In terms of computational overhead, we mainly conduct the comparative analysis from four phases: system setup, key generation, data encryption, and data decryption, as shown in

Table 3. Comparisons of computational cost.

Schemes	Setup	Key Generation	Data Encryption	Data Decryption
Cui [24]	$5T_e+T_p$	$(5u+3)T_e+4T_m$	$(8l+2)T_e+(l+3)T_m$	$u{T}_e+(6u+1)T_p+(5u+1)T_m$
Yang [25]	$2T_e+T_p$	$(u+2)T_e$	$(2l+2)T_e+(l+1)T_m$	$u{T}_e+(2u+1)T_p+(u+2)T_m$
Li [26]	$T_e+T_p$	$(u+2)T_e+T_m$	$(2l+6)T_e+(2l+4)T_m$	$8T_p+8T_m$
Ours	$T_e+T_p$	$(u+3)T_e$	$(3l+2)T_e+(l+1)T_m$	$(u+1)T_e+2u{T}_p+(u+3)T_m$

. In order to simplify the description, we use $T_e$ to denote the calculation cost of a single exponential operation in group G or $G_T$, and use $T_p$, $T_h$, and $T_m$ to denote the calculation cost of a single pairing operation, hash operation, and multiplication operation, respectively, and u denotes the number of attributes submitted by the user, and l represents the number of attributes in the access policy defined by the friend data owner.

It can be seen from Table 3 that, in the system setup phase, the computational burden of the scheme in this paper is the smallest, and the computation cost is significantly lower than that of Cui [24] and Yang [25]. In the key generation phase, the calculation cost of our scheme is lower than that of Cui [24]. As the scheme in this paper sets the user’s security key into two parts, the attribute key $AK$ and the user’s private key $SK$, the calculation cost is higher than that of Yang [25] and Li [26]. In addition, the calculation burden of all the schemes in Table 3 is positively correlated with the number of attributes submitted by the user. Obviously, in the data encryption stage, the efficiency of this scheme is higher than those of other schemes, and the computational burden increases as the number of attributes increases. In the data decryption stage, the efficiency of the proposed scheme is better than that of Cui [24] and Yang [25], and is also related to the number of attributes. Although the overall decryption efficiency of that of Li [26] is higher than that of the proposed scheme, no matching operation is performed before decryption. When the user is unable to decrypt the ciphertext, time will be wasted and efficiency will be reduced. Due to the difference in system model, this scheme reduces the computational burden of the user side by outsourcing decryption calculations to the friend server. Most of the complex calculations are performed by the friend server with strong computing capacity, while the client only needs $T_e+T_p$ to complete ciphertext decryption. Through comparative analysis, it is found that the overall efficiency of our scheme is higher than those of other schemes.

7.2. Communication Analysis

In

Table 4. Comparisons of communication cost.

Schemes	Public Key	Master Key	Userprivate Key	Ciphertext
Cui [24]	$9\left|G\right|+|G_T|+|H|$	$\left|G\right|+4|Z_p|$	$(2+5u)\left|G\right|$	$(6l+1)\left|G\right|+|G_T|+|(M,\rho )|$
Yang [25]	$(2+N)\left|G\right|+|G_T|$	$\left|G\right|$	$(2+u)\left|G\right|$	$(l+1)\left|G\right|+|G_T|+|(M,\rho )|$
Li [26]	$(5+N)\left|G\right|+|G_T|$	$(1+N)|Z_p|$	$2\left|G\right|$	$5\left|G\right|+2|G_T|$
Ours	$(2+N)\left|G\right|+|G_T|$	$3\left|G\right|$	$(3+u)\left|G\right|$	$(2l+1)\left|G\right|+|G_T|+|(M,\rho )|$

, we compare and analyze the communication cost of the scheme, mainly from the storage capacity of the system public key, system master key, user private key, and encrypted ciphertext. Let $\left|G\right|,|G_T|,|Z_p|,|H|$ denote the lengths of the groups $G,G_T,Z_p$ and hash function, respectively, and represent the number of attributes contained in the system. It can be found that our scheme requires $(2+N)\left|G\right|+|G_T|$ storage cost to generate the system public key, which is lower than those of other schemes. In this paper, the storage costs of the master key, user private key, and ciphertext are $3\left|G\right|,(2+N)\left|G\right|+|G_T|$, and $(2l+1)\left|G\right|+|G_T|+|(M,\rho )|$ respectively. Although the storage capacity of our scheme is higher than that of Li [26], from the perspective of security, this scheme increases the difficulty of the attacker’s destruction and improves the security of the system.

7.3. Performance Analysis

We simulated our scheme on a Linux system of a Lenovo laptop. The device processor is AMD Ryzen 5-3500U with Radeon Vega Mobile Gfx (2.10 GHz), the memory is 12.0 GB, and the PBC library is used to implement all algorithms. Take the number of attributes in the access policy and the number of attributes submitted by the requester as variables to test the running time of each scheme. All results are based on the average running time of 50 experiments.

Figure 3a shows that the key generation time of all the schemes in Table 3 basically increases linearly with the number of attributes submitted by users. Due to the addition of a large number of exponential operations, the computation cost of Cui [24] is the highest. The calculation time of our scheme is basically the same as those of Li [26] and Yang [25].

Figure 3b reflects the change of the data encryption time with the increase in the number of attributes in the access policy. Obviously, the scheme in this paper has more advantages in computation time at this phase. The decryption calculations of our scheme and the scheme of Li [26] are divided into two parts: one is calculated by the third-party platform, and the other is calculated by the data requester. The decryption operations of Cui [24] and Yang [25] are all calculated by the user.

Figure 3c compares the complete decryption time of the schemes, including all the time cost of successfully restoring the original ciphertext to plaintext. As the number of attributes increases, the calculation time of the scheme of Li [26] basically remains unchanged, which is consistent with its computation cost $8T_p+8T_m$. Meanwhile, it can be observed that the overall decryption efficiency of the proposed scheme is higher than that of Cui [24] and Yang [25].

Both the of scheme Li [26] and our scheme introduce outsourcing decryption. The experimental results in Figure 3d show that our scheme is superior to the of Li [26] in decryption time on mobile devices of user terminals. In addition, other schemes do not match user information before decryption. If users cannot decrypt the ciphertext, it will waste time and reduce efficiency. In the pre-matching algorithm of our scheme, the reminder vector $RL=\{r_1,r_2,\cdots ,r_n\}$ generated by the user is closely related to the parameter $\lambda$, where $r_k\equiv Hash\left(l_k\right)mod\lambda$. Theoretically, the smaller $\lambda$ is, the fuzzier the generated reminder vector will be and the longer the matching time will be consumed. Conversely, the larger $\lambda$ is, the more accurate the generated reminder vector is, and the matching time is shorter. In order to intuitively describe the computational efficiency of the pre-matching algorithm under different $\lambda$, we conducted the following experiment. Set the number of self-description attributes of the friend requester to be fixed at 10, change the number of friend-making preference attributes of the data owner from 1 to 10, and test the running time of the matching algorithm; the experimental results are shown in Figure 4. Obviously, the running result is consistent with the theoretical analysis. In practical applications, we should pay attention to that, although the calculation efficiency will increase with the increase in $\lambda$; the more accurate the reminder vector will reduce the security of the system. Therefore, we should determine $\lambda$ based on the balance between efficiency and security.

8. Conclusions

Aiming at the privacy protection problem of friend matching in mobile social networks, we propose a private data sharing scheme based on attribute encryption, in which the friend data owner can flexibly set his/her own access control policy according to his/her actual needs. Only data requesters whose attributes meet the access policy can access the data owner’s social space. In order to achieve efficient and secure data sharing on mobile clients with limited resources, this paper introduces a “matching” algorithm before decryption to quickly filter out unmatched users, making the original CP-ABE structure suitable for our application scenarios and improving the friend-making efficiency. At the same time, to reduce the user’s decryption overhead, this paper outsources a large number of decryption matching operations to the friend server provider, which greatly improves the decryption efficiency of the users. Experimental analysis shows that our scheme is secure and effective, and can be applied to a variety of application scenarios, such as patient matching in online medical social networks. In the future, we will consider the weight of user interest to calculate the matching degree between users more accurately so as to obtain faster encryption and decryption speeds and improve the user experience of smart mobile terminals.