1. Introduction
With the popularity of mobile devices and the increasing development of interpersonal social interaction, mobile social networks [
1] play a key role in users’ daily lives. A large number of social software (such as WeChat, Weibo, Facebook, and Twitter) integrate user information into a data pool to meet the needs of social network users for making friends. Users can share their photos, videos, and other personal data on these apps to discover new friends, enabling other users to access data anytime and anywhere, making social networks popular around the world. At the same time, this widespread trend also brings challenges to massive data and their efficient sharing. The security issues in social networks may hinder their rapid development in some way, including privacy risks [
2,
3], identity theft [
4,
5], malware, and forged personal information [
6]. The user information collected by social platforms contains great value, which can be used for advertising, commercial, and political purposes. Taking privacy risks as an example, users will publish their data to social software service providers for data sharing. However, social platforms are considered to be honest but also curious.
On the one hand, it will honestly perform the tasks assigned by the system. On the other hand, it hopes to learn as much as possible about the data, which may raise privacy issues, for example, by observing the other party’s daily WeChat steps and whether the moments of friends are updated to judge the activity of the target group. Additionally, the consumption ability of the target group can be judged by observing the shopping hobbies of the users. Once this information is leaked, the confidentiality of the data will be threatened. It is easy to be used by unauthorized users for various illegal activities.
Therefore, how to achieve efficient data access and fine-grained data sharing while protecting user privacy and security is a major challenge at present and also an important research direction for mobile social activities.
In this paper, in order to achieve a fast decryption of users, while ensuring the privacy security of matching users and fine-grained access control, we propose a CP-ABE mobile social network outsourcing decryption scheme. We introduce a matching stage before decryption, and most of the decryption tasks are carried out by the entrusted social network platform. The working principle of the matching algorithm is to determine whether the friend requester’s self-description attribute set contains the friend preference attribute set defined by the friend data owner. In other words, it is to judge whether the requester’s attributes meet the publisher’s access policy. In case the user information is successfully matched, the friend server replaces the mobile device to perform most of the decryption calculations without leaking data.
The main contributions of our proposal are listed below.
- •
We propose a CP-ABE privacy-preserving friend matching scheme, which realizes efficient sharing and fine-grained access control of friend data and expands the scope of making friends, which is more practical.
- •
The friend-making model proposed matches the information first and then decrypts it. By introducing a matching algorithm, when a large number of users want to retrieve data from the friend server, the friend center can quickly exclude unmatched users and return the corresponding ciphertext to the matched users.
- •
We optimize an outsourcing decryption algorithm, which divides the user key into two parts. The length of the private key used for user decryption is short and constant, which greatly saves the storage overhead of the user. After the ciphertext is outsourced to the friend server, the computing cost of the client is reduced to a pairing operation, which greatly improves the computing efficiency.
- •
The proposed scheme uses the symmetric key to encrypt private files, and uses the LSSS access structure to encrypt the symmetric key, effectively avoiding the leakage of privacy.
The remainder of this paper is organized as follows:
Section 2 presents related work.
Section 3 describes the preliminaries.
Section 4 discusses the system model, framework, and security model.
Section 5 gives a detailed implementation of our scheme. The security and performance analyses are provided in
Section 6 and
Section 7, respectively. Finally, we summarize this paper in
Section 8.
2. Related Work
In mobile social networks, users’ privacy can be protected by data encryption technology. Sahai and Waters proposed a new encryption mechanism in 2005, called attribute-based encryption (ABE) [
7]. ABE implements flexible one-to-many encryption instead of one-to-one encryption, which has significant advantages over traditional public key encryption. After their work, ABE was developed into two forms: key policy attribute-based encryption (KP-ABE) [
8,
9,
10,
11] and ciphertext policy attribute-based encryption (CP-ABE) [
12,
13,
14,
15]. Among them, CP-ABE is considered to be a promising encrypted data access control technology in cloud computing. It allows users to encrypt data by specifying access control policies for user attributes so that only users whose attributes meet the policy can decrypt the corresponding data. Compared with KP-ABE, CP-ABE is more suitable for multi-user scenarios such as mobile social networks and smart healthcare.
In order to achieve fine-grained access control of encrypted IOT data on the cloud, Li et al. [
16] proposed a traceable ciphertext policy attribute-based encryption scheme to ensure user privacy. Wang et al. [
17] proposed an efficient hierarchical file attribute-based encryption scheme, which integrates the hierarchical access structure into a single access structure and uses the integrated access structure to encrypt layered files, saving ciphertext storage space and reducing the time cost of encryption.
To achieve secure and fine-grained data dissemination in open social networks, the literature [
18] used attribute-based conditional proxy re-encryption to ensure that only data disseminators whose attributes meet the access policy can disseminate data to their own social space. The literature [
19] proposed a hierarchical management scheme that uses attributes to match friends, which aims to promote social network users to find friends safely and efficiently. In order to quickly match friends, the literature [
20] designed a new CP-ABE-scheme-based privacy protection attribute matching scheme for mobile social networks, in which users could efficiently match friends almost without interaction.
However, as the complexity of access control policies increases, the computational overhead of decryption becomes very high. In most existing CP-ABE schemes, multiple pairing operations are usually required. For users with access rights, directly decrypting data will bear a great computational burden, especially for users with frequent data interaction and sharing, such as in the mobile social network application background and in the background of a mobile social network application. In order to solve the above problems, schemes [
21,
22,
23] outsourced heavy calculations to proxy servers to reduce the computational overhead of decryption, allowing users to “borrow” computing resources from third-party service providers to perform heavy decryption work without data leakage. However, in the traditional ABE outsourcing decryption work, the user only knows whether the attributes and the policy match after repeated decryption attempts. This usually requires multiple pairing operations in most existing ABE schemes, which will undoubtedly cause serious time lag for users.
3. Preliminaries
3.1. Access Structure
An access structure
[
24] is established according to the attribute domain
U, where
is a non-empty attribute set, and the set in
is called the authorized set. An access structure
is said to be monotonic, and for any sets
B and
C, if
, then
.
In the CP-ABE scheme, only users with authorized attribute sets can decrypt the ciphertext. In this paper, we only consider the monotonic access structure. The access structure of this scheme uses the operator “AND” to connect different attributes and “OR” to connect different values of the same attribute. Suppose that all attributes and the set . We establish the user’s attribute list , and set the access structure , . Only if , , we say that the user’s attribute list satisfies the defined access structure .
3.2. Linear Secret Sharing Scheme
Assuming that
p is prime, when the following conditions are true, we say that the linear secret sharing scheme (LSSS) [
25] on the attribute domain
U is linear on
.
- (1)
The secret shared value assigned to each attribute constitutes a vector on .
- (2)
For an access policy on U, there is an shared matrix M and an attribute mapping function to map each row in M to a specific attribute in U. It satisfies the following conditions: , where is random elements in , and is a vector composed of l sharing shares of the secret value with respect to the linear secret sharing scheme, where is the share allocated to the attribute , and is called the access policy.
The linear secret sharing scheme satisfies the requirements of reconstruction and security. Specifically, if S is the authorization set of policy , there is a set of constants meeting , where I represents the set of rows corresponding to an attribute in S, that is, . Obviously, the secret value can be recovered by . At the same time, there is no such set of constants that satisfy the conditions in any unauthorized set.
3.3. Security Assumption
A decisional
q-parallel bilinear Diffie–Hellman exponent (
q-parallel BDHE) [
25] is defined as follows: Let
G be a group with an order of a prime number
p and
g be a generator of
G. Choose
at random. If the following parameters are given to adversary
:
will not be able to distinguish
from a random element
. The advantage obtained by
in the
q-parallel BDHE is as follows:
The
q-parallel BDHE is said to hold on to group
G if the attacker
does not solve the problem with a non-negligible advantage in any polynomial time.
4. System Definition
4.1. System Model
Four entities are included in our system, namely, key generation center (KGC), friend server (FS), friend data owner (DO), and friend data requester (DR), as shown in
Figure 1.
- •
Key generation center (KGC): As a trusted authority, it is mainly responsible for system initialization, generating system parameters and master keys. At the same time, it manages system attributes and generates attribute keys and user private keys according to user attributes.
- •
Friend server (FS): As a semi-credible authority, the FS is considered to have powerful storage and computing resources. As a matching service provider, the FS stores the DO’s matching reference information, searches for matching friends based on the DR’s requests, and finally helps the matching parties to establish contact. Meanwhile, in order to improve the decryption efficiency of the client, the FS can partially decrypt the original ciphertext, reducing the computational burden of the friend data requester.
- •
Data owner (DO): In order to better match friends, the DOs register on the FS and publish their own friend match reference information. The friend data owners want fine-grained access control over friend data; they will use the CP-ABE scheme to encrypt the friend data and then upload the encrypted data to the FS.
- •
Data requester (DR): The DR initiates a friend-making request to the FS, and only when his/her attributes meet the access policy defined by the DO can the ciphertext be decrypted successfully. For unauthorized users, they can neither recover the plaintext nor guess the attributes involved in the access policy.
4.2. Friend Matching
(1) User profile: In the system model of this paper, the matching reference information of each DO and the query information of the DR all contain four domains, namely, user identity
, self-description
S, friend-making preference
P, and friend file
F. The reference information describes “what kind of person (
S) am I, who (
P) I hope to make friends with, this is my detailed introduction (
F)”, as shown in
Table 1. The
in
Table 1 is the unique identifier of the user registered in the friend server. Self-description
S and friend-making preference
P describe the user’s own characteristics and friend-making goals, respectively. In this paper, self-description is equivalent to the set of attributes that DRs submit to the FS, and friend preference is equivalent to the access policies defined by DOs. The friend file
F contains the user’s photos, videos, exercise data, contact information, and other private data.
According to the above description, each user in the social network system will generate a personal profile as matching reference information. In this paper, the user profile is a set of attributes. To facilitate the description, we take the self-description of a user, Bob, as an example. As shown in
Table 2, the first column displays the attribute category names, and the second column displays the corresponding attribute values. Specifically, let
A be an attribute space containing attribute categories, that is,
. There are
candidate values for each
, namely,
. The user profile (hereinafter referred to as the attribute list) is generated in two steps. First, select the attribute category from
A; second, select a specific attribute value for each attribute category from the candidate values.
The user’s self-description attribute list comes from a different attribute category. In other words, for and , if , then . Similarly, the user’s friend-making preference attribute list is also generated in the same way. For different users, the length of the attribute list may not be the same. In this paper, the elements in the attribute list are arranged in the order in which the corresponding attribute category appears in the attribute space.
(2) Profile matching: We assume that Alice and Bob are representatives of the friend data owners and requesters, respectively, in the social network system
. If Alice wants to search for friends in the social network system, a friend-making preference attribute list is generated by Alice, and
is the self-description attribute list uploaded by Bob. In this paper, if the friend-making preference attribute set is a proper subset of the self-description attribute set, the match is said to be successful. For example, suppose that Alice’s friend-making preference is
and Bob’s self-description is
. Obviously, Bob meets Alice’s friend-making preference; then we consider that the matching operation is successful. The attribute matching between Alice and Bob can be represented by the following function:
Now a specific example is given to illustrate the process of making friends. If Alice in
Figure 1 wants to find a male who is between 18 and 30 years old and loves music through a mobile social network, Alice will encrypt her privacy file with a symmetric key and upload the encrypted privacy file to the friend server for management. The friend server will generate a storage address for the corresponding encrypted file. At the same time, Alice will submit his/her own access control policy (namely, friend-making preference) to the friend server. If, in the mobile social network, the self-description of a friend requester, Bob, exactly matches Alice’s friend-making preferences, Bob will obtain Alice’s sensitive files and make friends successfully.
4.3. Algorithm Definition
Generally, the following seven algorithms are included in our scheme:
: Given the security parameters and system attribute sets U, KGC runs the algorithm to output the system public key and master key .
: Taking a user attribute set S as input, KGC runs the algorithm to generate the attribute key and private key associated with the attribute set for the user.
: Taking the system public key , symmetric key K, and friend-making file F as input, the DO outputs the ciphertext of the file.
: The system public key , symmetric key K, and access policy defined by the friend data owner DO are input, and the DO outputs the symmetric key ciphertext .
: Enter the friend-making preference reminder vector of the user and the self-description reminder vector of the user . Then the FS matches the information of and . If the match is successful, the FS outputs 1; otherwise, 0.
: After entering the attribute key and ciphertext of the friend requester, the FS partially decrypts the original ciphertext and then obtains the ciphertext .
: Input the private key and ciphertext of the friend requester DR; the DR fully decrypts the ciphertext sent by the FS, and finally obtains the privacy file of the DO.
In this scheme, the user’s security key is divided into two parts. One part is hidden in , which we call the “attribute key”, which can be shared with the friend server, and the other part is hidden in and must be kept secret by the user. Once the FS receives the ciphertext , two operations need to be performed. First, the FS runs a “match” decryption test on the user to check whether the user has the ability to decrypt. If the matching test returns 1, the FS will use the attribute key of the corresponding DR to partially decrypt the original ciphertext to generate , and send to the DR.
The basic flow process diagram of our scheme is shown in
Figure 2. In the initialization phase, KGC runs the
algorithm to generate the system public key and master key. At the same time, the
algorithm is used to generate private keys and attribute keys for users by KGC in the system. The friend data owner DO defines an access policy, runs the
and
algorithm to generate an accessible ciphertext for the friend data requester DR. Then the DO outsources the encrypted data to the FS. The DR sends a request to access the ciphertext to the FS. After receiving the request, the FS runs the
algorithm to compare the information, and checks whether the attributes of the DR meet the friend-making access policy defined by the DO.
If the DR’s self-description meets the DO’s friend-making preferences, indicating that the requester is the expected target friend, the FS runs the algorithm. The FS uses the DR’s attribute key to partially decrypt the ciphertext, and sends it to the DR. Then the DR runs the algorithm, decrypts the ciphertext with his/her own private key, and finally obtains the DO’s private file, thereby obtaining the DO’s contact information and other information, that is, making friends successfully.
4.4. Security Model
In order to prove the security of the scheme and ensure the security and privacy of both friend-making parties in the social network, we have designed a game between the attacker and the challenger : indistinguishability against selective access policy and chosen plaintext attacks (IND-SAP-CPA).
Initialization: chooses an arbitrary challenge access policy and submits it to .
Setup: runs the algorithm to generate the system public key and master key ; sends the public parameters to and keeps the master key secret.
Phase 1: At this phase, will answer the private key query put forward by . Private key query: Given an attribute set S, runs the algorithm and returns the corresponding decryption key to , where the attribute set S does not satisfy the access policy .
Challenge: This phase requires the construction of the challenge ciphertext . provides with two messages, and , of equal length; randomly throws a coin ; encrypts under ; and then passes the challenge ciphertext to .
Query phase 2: Repeat the work of query phase 1.
Guess: will finally output a guess : if , then wins. advantage in this game is defined as follows:
If the probability of attacker
winning in the above game is negligible in all polynomial time, then the scheme in this paper is called IND-SAP-CPA security.
5. The Proposed Scheme
In this paper, the process of making friends in social networks mainly includes five stages: system initialization, key generation, information matching, data encryption, and decryption.
The algorithm of each stage is described as follows:
System initialization: KGC runs the
algorithm to generate the system public key and master key. KGC inputs the security parameter
and the attribute domain
. Let
G and
be the multiplicative cyclic groups of the order prime
p,
g the generator of
G, and
a bilinear map. KGC randomly selects
. Let
mod
p. For each attribute in
U, KGC randomly selects the group element
, calculating the system public key
and master key
, as follows:
Finally, KGC publishes the system public key and keeps the system master key secret.
Key generation: Assuming that a friend data requester wants to search for friends through the friend server in the mobile social network, he/she first needs to register on the friend server, and then submit his/her attributes S (self-description) to KGC, and then KGC will run the algorithm to generate the corresponding security key. The details are as follows:
- (1)
KGC randomly selects t, sets .
- (2)
KGC creates the user key into two parts: one part is
, the “attribute key” that can be shared with the friend server, and the other part is
, which is the user’s private “security key”, only saved by the user. KGC calculates the attribute key
and the user’s private key
.
KGC sends the key to the friend data requester through a secure channel.
Data encryption: Since the friend server is not completely trusted, that is, the server may peek into the private data uploaded by the friend data owners, in order to hide their sensitive data, the DO will encrypt their own data. The DO adopts a double encryption for the data as follows:
- (1)
The DO establishes multiple different friend files according to his/her own actual needs. For different files, the DO will use different keys for encryption. Suppose that the DO randomly selects a friend file and sets its number as , , and then randomly selects the key K from a set of symmetric keys, performs symmetric encryption on the file , and obtains the file ciphertext .
- (2)
In order to ensure the DO’s own friend-making preferences and the privacy of the symmetric key, the DO uses his/her own friend-making preferences as an access control policy to encrypt the symmetric key K and obtain the symmetric key ciphertext .
The DO sets his/her friend-making preference (access control policy) in the form of an LSSS access structure
, where
M represents the
linear secret sharing matrix, and
is a mapping function that maps each row in
M to a unique attribute in the attribute domain
U, where
represents the attribute used in the access structure
. The DO first randomly selects a set of random numbers
s,
(these random numbers will be used to share the secret value
s), and constructs a vector
. For
, calculate
to obtain a set of encrypted secret values, where
represents the
i-th row in the matrix
M. In addition, the DO randomly selects
and obtains the ciphertext
as follows:
The DO uploads the data packet to the friend server FS in response to the query from the requester.
Information matching: In practice, the number of potential matching users is usually much smaller than the total number of registered users on the network. Based on this fact, we designed a mechanism to quickly filter out invalid users to improve the efficiency of friend matching. The key data structure of this mechanism is the reminder vector , which contains the number and characteristics of attributes in the friend-making preference attribute list P. The reminder vector is sent to the friend server by the friend data owner. For users participating in the matching, use the same method to generate their own query attribute list and upload it to the friend server. After receiving the query package, the friend server compares the requester’s attribute list with the data owner’s reminder vector to determine whether it is a potential friend of the data owner. If the pre-matching is successful, the next matching calculation will be carried out; otherwise, the matching ends. The specific algorithm is shown as follows:
Assume that there are attributes in the user’s attribute list , is a prime number , and is a secure hash function whose output is n bits in length. For , let mod , and the reminder vector . For two attributes and ,, , if , .
- (1)
For the DO’s friend preference attribute list , let ; the DO generates a friend preference reminder vector and uploads it to the FS. In the same way, the DR uses the same method to calculate for self-description , and generates the self-description reminder vector , where . In our system model, the number of attributes is not necessarily the same for different users. According to our definition of “match”, for any potential matching user, the length of the DR’s self-description attribute list must be greater than or equal to the length of the DO’s friend-making preference attribute list. After receiving the attribute list of the DR, the FS compares the length of and . If or the values of and are different under the same attribute category, it indicates that the DR’s self-description does not conform to the DO’s friend-making preferences and the matching is terminated; otherwise, proceed to the next matching step.
- (2)
After passing the pre-match in the first step, the FS checks whether the DR has the ability to decrypt the ciphertext. Let ,; when the attributes S of the DR meet the access policy defined by the DO, there exists a set of constants such that . The FS calculates whether there is a set of correct constants meeting , where represents the row vector corresponding to the attribute value submitted by the DR. If the value of can be obtained successfully, it indicates that the matching is successful, and proceeds to the next decryption algorithm.
Data decryption: If the DR initiates a friend search request to the FS, the FS will first match the DR’s information and checks whether the DR meets the DO’s friend-making conditions. If the pre-matching is successful, the DR can send its own attribute key to the FS and use the FS to perform partial decryption to reduce his/her own computing burden. If the DR fully meets the DO’s friend-making goal, it can be successfully decrypted. The algorithm details are as follows:
- (1)
: The FS enters the attribute key
of the DR and the ciphertext
uploaded by the DO and computes
, as follows:
Then the FS sends the ciphertext and the DO’s sensitive data file ciphertext to the DR, and the DR can fully decrypt the friend-making file as follows:
- (2)
: The DR enters his/her own decryption private key and partial decryption sent by the FS and the computes parameter B: .
The symmetric key K can be obtained as .
6. Security Analysis
6.1. Security Proof
Assume that the decisional q-parallel BDHE assumption holds in groups G and . For any probability polynomial-time adversary, the successful advantage is negligible for the proposed scheme under the decisional q-parallel BDHE assumption.
Based on the security model defined in this paper, we simulated the security game between the adversary and the challenger . Suppose that there is a polynomial time adversary , which can attempt to break the IND-SAP-CPA security of our scheme with an advantage of . We define a simulator to try to solve the decisional q-parallel BDHE problem; then there exists to solve the decisional q-parallel BDHE problem with a probability of . The simulation process is as follows:
The challenger
first makes the following settings: randomly selects
, and gives the following:
selects at random. If , let ; if , randomly selects .
Initialization: sends the access policy that it wants to challenge to , where has columns.
Setup: randomly selects
and sets
, which is equivalent to implicitly setting
.
sets the group elements
as follows: For each
x of
, there is a random value
corresponding to it. Let
X denote the set of index
i, where
.
calculates
as follows:
If , then . It should be noted that is randomly distributed because is random.
Query phase 1: At this phase, builds a tuple list , which is initially empty. Suppose that makes a key query request for an attribute set S that does not meet the access policy , and will answer ’s private key query.
If the attribute set
S has been queried,
retrieves the key from the list
, and then returns
to
. Otherwise,
sets the vector
, and
, and for all
i satisfying
,
. According to the definition of LSSS, the vector satisfying this condition must exist.
randomly selects
, and sets
mod
p,
. Then
calculates
.
randomly selects
and calculates
, which is equivalent to implicitly defining
as follows:
According to this definition, the term
can be included in
, and the unknown term
can be eliminated when constructing
.
calculates
in the following way:
Next,
starts to calculate
. For each
, if no
i meets
, then
can set
. If multiple
i meet
, since
cannot simulate
, it is necessary to satisfy the expression of
that does not contain the term of
. According to
,
can construct
as follows:
adds the generated key to list and sends it to .
Challenge: provides
with two challenge messages
and
of equal length.
randomly selects
and calculates the ciphertext:
Then
chooses random numbers
and uses the following vector to divide the secret value
s:
In addition,
chooses random numbers
and defines
as the set of all
k satisfying
and
. The settings of
in the challenge ciphertext are as follows:
Query phase 2: Repeat the operation in query phase 1.
Guess: outputs the guess value of b. If , outputs , which means ; if , outputs , which means . When , obtains a valid ciphertext . By definition, ’s advantage in this case is , so . When , guesses , so . When , it means that cannot obtain any information about b, so . When , guesses , so .
It can be obtained from this that the advantage of solving the decisional
q-parallel BDHE problem is as follows:
Therefore, can solve the decisional q-parallel BDHE problem with the advantage of , and this conclusion obviously contradicts the currently recognized decisional q-parallel BDHE assumption. Therefore, the assumption does not hold; that is, the scheme can achieve IND-SAP-CPA security.
6.2. Achieving Goals
In this section, we illustrate how the proposed scheme can effectively achieve privacy protection and fine-grained access control.
The proposed scheme achieves privacy protection. The friend data owner first uses a random symmetric key to encrypt social privacy files, and uses CP-ABE to encrypt the symmetric key. Since the symmetric encryption and CP-ABE scheme are secure, the confidentiality of outsourced social data can be guaranteed. In addition, the and uploaded by the data owner and the requester are only fuzzy descriptions of self-description and friend-making preferences, which only implies the length of the attribute and the remainder feature of the parameter , since there are multiple different attribute values that may produce the same result after the remainder of ; therefore, the friend server cannot infer the specific attribute information of both parties through the reminder vector, which effectively guarantees the confidentiality and privacy protection of the friend-making data.
The proposed scheme achieves fine-grained access control of friend-making data. This scheme allows friend data owners to flexibly set different data access control policies according to their actual needs. In the encryption phase of the scheme, data owners can encrypt private files according to their own access policies (namely, friend-making preferences), and then outsource the initial ciphertext to the social network friend server. Specifically, the encrypted data access policy defined in the access structure supports complex operations, including “AND” and “OR”, which can represent any set of conditions. Additionally, in the decryption process, only when the self-description attribute set of the data requester meets the friend-making preference attribute defined by the data owner can the requester decrypt the ciphertext successfully. Thus, this structure enables fine-grained access control over social data.