Improved Cloud-Assisted Privacy-Preserving Profile-Matching Scheme in Mobile Social Networks

Due to the transparency of the wireless channel


Introduction
With the rapid development of Internet technology, mobile devices such as mobile phones and tablets have gradually become popular in people's daily life in recent years. Some social networks such as WeChat, Twitter, and Facebook are gradually integrated into people's life, and people would like to share some opinions, pictures, and videos with others.
Therefore, people are more willing to find potential friends with similar interests in mobile social networks.
Profile-matching is the most effective way to measure the proximity between users' personal profiles. The user's personal profile is often defined as a vector in practical applications, and each dimension of the vector represents an attribute corresponding to a hobby, such as football, photography, and religion. Each attribute value is represented by an integer between 0 and 10 or a larger range. The attribute value indicates the degree of the interest. The value 0 means that the user has no interest in the item, and the value 10 means that the user is particularly fond of it. Moreover, social proximity is often defined as the inner product of two users' vectors [1][2][3]. Since the inner product is the sum of the products of the corresponding attributes of the two vectors, it cannot accurately show the proximity between users. For example, the vector of user A is $u_A = (3, 4, 7, 8)$, that of user B is $u_B = (10, 10, 10, 10)$, and that of user C is $u_C = (4, 3, 8, 7)$. User A wants to find which of user B and user C has the higher proximity. If the inner product of two vectors is chosen as the measurement, user B, surprisingly, scores higher than user C. To get more accurate social proximity results, it is preferable to adopt the cosine proximity between the two normalized vectors as the standard.
In addition, users' profiles often contain sensitive data and they do not want to expose their personal information. One way to protect the users' privacy is to encrypt the data by cryptographic technologies, but the structure of raw data will be essentially damaged after encryption, causing difficulties in reprocessing the data. Homomorphic encryption technology [4][5][6][7] has its unique advantages in encrypted data processing. In particular, the partial homomorphic encryption technique [8] is more suitable for many realistic applications [9].
In many existing profile-matching works [1,10,11], a large number of interactions are often required between user mobile terminals to obtain matching results, which brings heavy computational costs and communication overhead to users. In addition, users also need to stay online during the matching process. Fortunately, with the development of cloud computing technology [12,13], the cloud platform can provide users with huge storage space and abundant computing resources. Outsourcing computing and storage to the cloud can effectively reduce the burden on the users' mobile terminals. Gao et al. [2] transfer users' work to the cloud with the help of two cooperative but noncollusive clouds, and users can go offline after uploading their profiles to the cloud. Gao et al.'s scheme utilizes an ElGamal-like proxy re-encryption [14] algorithm with additive homomorphic property, which leads to the issues of key management and the leakage of re-encryption keys. Furthermore, the ElGamal-like algorithm requires that the size of the plaintext cannot exceed 40 bits in order to ensure the decryption efficiency; thus it cannot be applied to the scenarios requiring high data accuracy.
The main contributions of our work are as follows:
(i) We improve the HRES algorithm [15] in order to avoid the drawbacks in [2]. The improved algorithm supports one homomorphic multiplication and arbitrarily many homomorphic additions, which can effectively avoid the key leakage and the key management issues caused by users uploading re-encryption keys.
(ii) This paper utilizes the homomorphic multiplication property of the improved HRES algorithm to compute the cosine result between the normalized vectors as the standard for measuring proximity. Our proposal can effectively ensure the accuracy of the matching results and improve the social experience of the users. Furthermore, the improved HRES algorithm can be proved to be semantically secure, and the profile-matching protocol is also secure in the sense that both clouds cannot get useful information about users' data under the non-collusion security model.
In the coarse-grained profile-matching schemes, the matching proximity is often defined as a set intersection or the cardinality of intersections of user's attribute sets, but this solution cannot further distinguish the specific relevance between users. In 2011, Li et al. [16] proposed two distributed privacy-preserving profile-matching protocols, which deploy the homomorphic property of Shamir secret sharing scheme [20] to calculate the intersections of users' private sets without relying on a trusted third party. However, the coarse-grained profile matching cannot accurately measure the proximity of users.

Fine-Grained Scheme.
For the fine-grained profile-matching schemes [1,2,10], user's preference or behavior pattern is usually regarded as a multidimensional vector, and the social proximity is usually measured by the inner product between two users' vectors. For example, Zhang et al. [1] designed a fine-grained profile-matching protocol with three security levels. A user can initiate a matching query for their encrypted data with other users and finally obtain the proximity result by utilizing the homomorphic addition property of the Paillier cryptosystem [21]. However, it is required that both users stay online to perform multiple interactions during the execution of protocols, thus imposing a heavy communication and computational burden on mobile terminals. To tackle the above issues, Gao et al. [2] introduced a novel cloud-assisted profile-matching scheme under multiple keys. The cloud environment is composed of two cooperative but non-collusive clouds, and users in the social application could go offline after uploading their encrypted data. A friend finder can designate a target and initiate a matching query to the cloud; then, the two cloud servers return the matching result to the user through interactions. In their scheme, the clouds perform most of the computations, which effectively reduces the burden of users, and the data providers do not have to stay online all the time. However, the scheme [2] utilizes a secure ElGamal-like [14] proxy re-encryption algorithm to encrypt data, so each user needs to generate their secret keys and re-encryption keys. Although schemes in a multiple-key environment could benefit from some existing technologies [22] that could create secure communicating groups within a secure group with exchange of small information, multiple keys add to the burden of key management in our consideration. Moreover, it seems impossible to guarantee users' privacy once the user's re-encryption key is leaked in the process of uploading to the cloud.
What is worse, Gao et al.'s scheme uses the inner product of two vectors to measure the matching degree. However, the ElGamal-like algorithm requires the size of the plaintext to be less than 40 bits to make sure that the ciphertext can be efficiently decrypted using Pollard's kangaroo algorithm [23] to solve the discrete logarithm problem for a relatively smaller integer. Therefore, the scheme fails to provide high precision computations on the users' data.

Organization.
The rest of the paper is organized as follows. Section 2 gives some notations and the main part of the HRES algorithm [15]. Section 3 introduces the system and adversary models. Section 4 provides the construction of the improved algorithm and the profile-matching scheme. Section 5 presents the security proof of the improved HRES algorithm and the security analysis of the profile-matching protocol. Section 6 draws conclusions.

Preliminaries
In this section, we briefly introduce some notations appearing in this paper. We also introduce a fundamental HRES algorithm with two cooperative and non-collusive clouds and a data normalization method.

Notation.
In this paper, we write $x \leftarrow X$ for assigning $x$ a value $X$ and denote the integer set $\{1, \ldots, n\}$ as $[n]$. In addition, $a \longrightarrow b$ indicates that $b$ is calculated by the algorithm $a$. We use $\phi(\cdot)$ and $\lambda(\cdot)$ to denote the Euler and the Carmichael function, respectively. The ring $\mathbb{Z}_n$ means the residue class ring of integers modulo $n$, i.e., $\{0, \ldots, n-1\}$. We use bold lowercase letters to represent vectors, and the Euclidean norm for a vector $u$ is denoted as $|u|$. In addition, the bit length of an integer $a$ is denoted as $|a|$. We use the symbol $\lceil \cdot \rceil$ to denote the ceiling function. Besides, $u \cdot v$ means the inner product of the two vectors $u$ and $v$, and we use $E_{PK}(\cdot)$ to denote the encryption function with the public key $PK$ of the improved HRES algorithm that will be introduced in the next section.

Homomorphic Re-Encryption.
Re-encryption technology supports a proxy transferring decryption authority without decrypting ciphertext [24]. On this basis, homomorphic re-encryption supports homomorphic operation on ciphertext, which is more suitable for data dissemination in networks with special needs. In 2017, Ding et al. proposed a HRES homomorphic re-encryption scheme [15], which includes two non-collusive cloud servers, CA and CB, that jointly manage the ciphertext data. The data owner encrypts his data with the public key generated by negotiation between the two cloud servers, and the ciphertexts can be correctly decrypted only if the two cloud servers cooperate with each other. The HRES consists of the following algorithms.
(i) KeyGen. Given a security parameter $\kappa$, let $n = pq$ be a safe RSA modulus, where $p$ and $q$ are primes of the form $p = 2p' + 1$ and $q = 2q' + 1$, and $p'$ and $q'$ are primes of equal bit length. Let $g$ be an element of the maximal order $\lambda(n^2) = \mathrm{lcm}(\phi(p^2), \phi(q^2)) = 2np'q'$ in $\mathbb{Z}_{n^2}$. The two cloud servers CA and CB, respectively, generate their own key pairs: $(sk_{CA} = a \in \mathbb{Z}_{\lambda(n^2)},\ pk_{CA} = g^a \pmod{n^2})$ and $(sk_{CB} = b \in \mathbb{Z}_{\lambda(n^2)},\ pk_{CB} = g^b \pmod{n^2})$. Therefore, CA negotiates with CB to generate their Diffie-Hellman key $PK = pk_{CA}^{sk_{CB}} = pk_{CB}^{sk_{CA}} = g^{ab} \pmod{n^2}$.
(ii) Enc. Given the Diffie-Hellman key $PK$ and a message $m \in \mathbb{Z}_n$, output the ciphertext as follows: $c = E_{PK}(m) = (\xi, \zeta) = ((1 + mn)PK^r \pmod{n^2},\ g^r \pmod{n^2})$, where $E_{PK}(m)$ indicates the ciphertext encrypted with $PK$ and $r$ is a random integer selected from $\mathbb{Z}_{\lambda(n^2)}$.
(iii) Partial Dec1. Given $sk_{CA} = a$ and a ciphertext $c = E_{PK}(m) \in \mathbb{Z}^2_{n^2}$, the cloud CA can transfer the above ciphertext into another ciphertext as where $E_{pk_{CB}}(m)$ indicates that the ciphertext can be decrypted with $sk_{CB}$.
(iv) Partial Dec2. Given $sk_{CB} = b$ and a ciphertext $E_{pk_{CB}}(m)$, the cloud CB can decrypt the plaintext as follows: where the function $L_n(\cdot)$ is defined as $L_n(x) = (x - 1)/n$.
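The HRES flow above, run end to end on toy parameters as an added example (not code from the paper or from Ding et al.). The page's formulas for Partial Dec1 and Partial Dec2 did not survive, so the two steps below are an assumed form: CA raises the second ciphertext component to its secret a, and CB removes the mask g^(rab) before applying L_n. The primes 47 and 59 and all function names are constructed for illustration.

```python
import math
import secrets

# Constructed toy safe primes: p = 2p'+1, q = 2q'+1 with p' = 23 and q' = 29
# (equal bit length). These sizes are for illustration only.
P, Q = 47, 59
N = P * Q
N2 = N * N
# lambda(n^2) = lcm(phi(p^2), phi(q^2)) = 2 n p' q'
LAMBDA = (P * (P - 1)) * (Q * (Q - 1)) // math.gcd(P * (P - 1), Q * (Q - 1))


def find_max_order_element():
    """Return the smallest g in Z*_{n^2} whose order is exactly lambda(n^2)."""
    prime_factors = (2, (P - 1) // 2, (Q - 1) // 2, P, Q)
    for g in range(2, N2):
        if math.gcd(g, N) == 1 and all(
            pow(g, LAMBDA // f, N2) != 1 for f in prime_factors
        ):
            return g
    raise ValueError("no element of maximal order found")


G = find_max_order_element()


def rand_exponent():
    """Random non-zero exponent in Z_{lambda(n^2)}."""
    return secrets.randbelow(LAMBDA - 1) + 1


def keygen():
    """CA and CB each pick a secret exponent and agree on PK = g^(ab) mod n^2."""
    a, b = rand_exponent(), rand_exponent()
    pk_ca, pk_cb = pow(G, a, N2), pow(G, b, N2)
    pk_seen_by_ca = pow(pk_cb, a, N2)
    pk_seen_by_cb = pow(pk_ca, b, N2)
    assert pk_seen_by_ca == pk_seen_by_cb
    return a, b, pk_seen_by_ca


def encrypt(pk, m):
    """Enc: (xi, zeta) = ((1 + m n) PK^r mod n^2, g^r mod n^2) for m in Z_n."""
    if not 0 <= m < N:
        raise ValueError("plaintext must lie in Z_n")
    r = rand_exponent()
    return (1 + m * N) * pow(pk, r, N2) % N2, pow(G, r, N2)


def partial_dec1(sk_ca, c):
    """CA's step (assumed form): raise zeta to a; the result is decryptable by CB."""
    xi, zeta = c
    return xi, pow(zeta, sk_ca, N2)


def partial_dec2(sk_cb, c):
    """CB's step (assumed form): strip g^(rab), then apply L_n(x) = (x - 1)/n."""
    xi, zeta_a = c
    mask = pow(zeta_a, sk_cb, N2)
    unmasked = xi * pow(mask, -1, N2) % N2
    return (unmasked - 1) // N


def add(c1, c2):
    """Homomorphic addition: component-wise product of two ciphertexts."""
    return c1[0] * c2[0] % N2, c1[1] * c2[1] % N2


def two_cloud_decrypt(a, b, c):
    """Full decryption needs both secrets, applied in order CA then CB."""
    return partial_dec2(b, partial_dec1(a, c))


if __name__ == "__main__":
    a, b, pk = keygen()
    c = add(encrypt(pk, 1000), encrypt(pk, 234))
    print("sum recovered by CA then CB:", two_cloud_decrypt(a, b, c))
    # CB skipping CA's step removes g^(rb) instead of g^(rab), so the value
    # printed here is unrelated to the plaintext except by chance.
    print("CB acting alone:", partial_dec2(b, c))
    # Plaintext sums wrap modulo n, so callers must bound their inputs.
    wrapped = add(encrypt(pk, N - 1), encrypt(pk, 5))
    print("wrap-around:", two_cloud_decrypt(a, b, wrapped))
```
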

Normalization Method.
This section mainly introduces a common data standardization method: Z-score standardization method, which standardizes data based on the mean and variance of the original data. The processed data obeys the normal distribution; that is, the mean value of the data is 0 and the standard deviation is 1. The conversion formula is as follows: where $x^*$ represents the processed data, $\bar{x}$ is the mean of the samples and $\sigma$ denotes the standard deviation of the samples.
In the proposed scheme, the raw data need to be normalized before processing. The reason for this operation is that the values of data from different sources are quite different. In order to eliminate the influence of different numerical range and make the data comparable, data need to be normalized. Hence, Z-score method is adopted to make the data at the same level, which is convenient for analyzing the data.

System Model.
As shown in Figure 1, our system model contains three entities: a friend finder (Alice), the cloud environment, and other users. Each entity is described as follows: Alice is marked as a friend finder who wants to find friends that have similar interests with her in the social network. The cloud environment includes two cloud servers, CA and CB, which can provide users with enormous storage space for storing personal profiles and a large amount of computing resources. Through cooperating, CA and CB can help Alice calculate the proximities with other users, and the privacy of the two users will not be compromised. There are many other users in social networks who prefer to outsource the encrypted data representing their preferences to the cloud CA.
Each user registers a personal account in the mobile social network and then fills in the personal information. The personal information contains user's preferences that can be used as a measurement for profile matching. However, the user does not want to reveal his private data in order to avoid illegal use [25]. Personal profile is often defined as a multidimensional vector $u = (u_1, u_2, \ldots, u_n)$, and each dimension represents an attribute corresponding to a hobby, such as cooking and tourism. Each attribute value may be represented by an integer ranging from 0 to 10, or a larger range. The bigger the number is, the more the user likes the item, and vice versa. To better measure the proximity between users, the cosine value of normalized vectors with Z-score method is taken in this paper.

Threat Model.
In the honest-but-curious model, an external adversary and an internal adversary are considered. An external adversary mainly refers to an eavesdropper who can get some information (e.g., encrypted data) through the transparent channel by eavesdropping. An internal adversary is an honest-but-curious entity that faithfully follows the agreement but attempts to collect and reveal private information during the execution of the agreement. The friend finder may want to expose other users' profiles, while the two clouds may want to reveal the users' personal data in the social networks. Moreover, it is assumed that the two clouds will never collude with each other and the users will not deliberately attempt to guess the cosine result by adjusting the vector multiple times.

Our Construction
In this section, we give the improved HRES algorithm and our privacy-preserving profile-matching scheme.

Improved HRES Algorithm.
In order to support homomorphic multiplication computations, a slight modification has been made on the original HRES algorithm. Here it is required that the two clouds CA and CB will not collude with each other and cooperate to perform decryption operations. The improved algorithm includes the following algorithms: KeyGen, Enc, Partial Dec1, Partial Dec2, and Evaluation.
(i) KeyGen. Choose a large prime integer $p$. Note that the multiplicative group $\mathbb{Z}^*_{p^3}$ has primitive roots of order $\phi(p^3) = p^2(p - 1)$, and hence the algorithm can randomly choose a generator $g$ with order $\phi(p^3) = p^2(p - 1)$ from $\mathbb{Z}^*_{p^3}$. Then the two cloud servers CA and CB, respectively, generate their own key pairs: Therefore, CA negotiates with CB to generate their Diffie-Hellman key $PK = g^{ab} \pmod{p^3}$.
(ii) Enc. Given the Diffie-Hellman key $PK$ and a plaintext message $m$, where $m \in \mathbb{Z}_p$, output the ciphertext as follows: where $E_{PK}(m)$ indicates the ciphertext encrypted with $PK$ and $r$ is a random integer selected from $\mathbb{Z}_{\phi(p^3)}$.
(iii) Partial Dec1. Given $sk_{CA}$ and a ciphertext $E_{PK}(m) \in \mathbb{Z}^2_{p^3}$, the cloud CA can transfer the above ciphertext into another ciphertext as where $E_{pk_{CB}}(m)$ indicates that the ciphertext can be decrypted with $sk_{CB}$.
(iv) Partial Dec2. Given $sk_{CB}$ and a ciphertext $E_{pk_{CB}}(m) \in \mathbb{Z}^2_{p^3}$, the cloud CB can output the plaintext as follows: where the function $L_p(\cdot)$ is defined as
(v) Homomorphic evaluation. We first show that the improved scheme supports $k + 1$ homomorphic additions on any $k + 1$ ciphertexts with the underlying plaintext being $m_i$ for $i = 1, \ldots, k + 1$.
From the refreshed ciphertext $c = (\xi, \zeta)$, the cloud CA can use his secret key $sk_{CA} = a$ to partially decrypt the ciphertext as
The cloud CB can further decrypt the ciphertext $c_2 = (\xi_2, \zeta_2)$ using his secret key $sk_{CB} = b$ as follows. The cloud CB first computes
Accordingly, it is easy to verify where the cloud CB can obtain the plaintext
Note that $|m| + 1 < p - |k|$ should hold, i.e., $\sum_{i=1}^{k+1} m_i$ is needed. Therefore, our scheme supports $k + 1$ homomorphic additions on ciphertexts.

Privacy-Preserving Profile Matching.
In this part, the improved HRES algorithm is adopted to implement our privacy-preserving profile-matching scheme. Suppose that Alice's vector is $v = (v_1, \ldots, v_n)$ and that Bob's vector is $u = (u_1, \ldots, u_n)$. The cosine value of the two vectors can be calculated as In particular, $\cos(u, v) \in [0, 1]$ since $u_i$ and $v_i$ are nonnegative integers. Users can encrypt their vectors with the Diffie-Hellman key $PK$ and then outsource their encrypted data to CA. The procedure for the data outsourcing is presented in Algorithm 1 and the privacy-preserving profile-matching scheme is shown as Algorithm 2.

Correctness and Security
In this section, we first give the correctness analysis of our protocol and then prove, by a rigorous method, that the improved HRES algorithm is semantically secure. At last, we prove that our profile-matching scheme is secure under the semihonest model.

Correctness.
In our scheme, CB can correctly decrypt and obtain the result of $\sigma_i(u_i' - v_i')$ without revealing any useful information. The demonstration is shown as follows. Firstly, CA computes We can verify that

Input: A user Bob wants to outsource his personal profile to CA and holds a private vector $u = \langle u_1, \ldots, u_n \rangle$.
Output: The encrypted result $E_{PK}(u')$, $E_{PK}(\tau_1 \sigma_B)$ and $E_{PK}(s_B)$ are sent to CA.
(1) CA executes KeyGen algorithm of the improved HRES algorithm with CB to generate their respective key pairs $\langle pk_{CA}, sk_{CA} \rangle$, $\langle pk_{CB}, sk_{CB} \rangle$ and their Diffie-Hellman key $PK_2$. Thereafter, $PK_2$ is issued to the users in social networks.
(2) Firstly, Bob normalizes his vector with Z-score method and then converts each element of the normalized vector to an integer by multiplying it with a pretreatment public integer $l_1$ and ceiling. Finally, Bob gets his matching vector $u' = \langle u_1', u_2', \ldots, u_n' \rangle$ and calculates $s_B = \sum_{i=1}^{n} u_i'^2$, $\sigma_B = |u'|$.
(3) Bob negotiates with the CA to run the Diffie-Hellman key exchange protocol to generate a secret random integer $\tau_1$.
(4) After encrypting the following values: $E_{PK_2}(u') \leftarrow \langle E_{PK_2}(u_1'), E_{PK_2}(u_2'), \ldots, E_{PK_2}(u_n') \rangle$, $E_{PK_2}(s_B)$, and $E_{PK_2}(\tau_1 \sigma_B)$, Bob uploads these encrypted values to CA.

(1) Alice executes the KeyGen algorithm of the improved HRES algorithm with CA to generate their respective key pairs $\langle pk_A, sk_A \rangle$, $\langle pk_{CA}', sk_{CA}' \rangle$ and their Diffie-Hellman key $PK_1$. Then, $PK_1$ is assigned to the cloud CB.
(2) Alice sends her encrypted profile to CA for querying the proximity with Bob in the social networks.
(i) Alice also needs to process her normalized vector with the public number $l_1$ to get the result $v' = \langle v_1', \ldots, v_n' \rangle$, and calculates $s_A = \sum_{i=1}^{n} v_i'^2$, $\sigma_A = |v'|$.
(ii) Alice negotiates with CA to run the Diffie-Hellman key exchange protocol to generate a secret random integer $\tau_2$.
(iii) Alice uploads the encrypted values $E_{PK_2}(v')$, $E_{PK_2}(\tau_2 \sigma_A)$, and $E_{PK_2}(s_A)$ to CA.
Then, CA generates the random integers $\sigma_i$ to obfuscate , and the final result can be obtained through the following formula: where ′ }| < p, and it cannot reveal information about $u_i'$ and $v_i'$. On the other hand, we will prove that Alice can obtain a more accurate cosine result as follows.
Thus, CA can compute and get E . We find that when the pretreatment number $l_2$ is large, (τ 1 τ 2 β 2 · u ′ ∘ v ′ ) is closer to the cosine result $\cos(u', v')$.
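An added plaintext-side example (not from the paper) of the preprocessing in step (2) of the outsourcing procedure and of the inner-product versus cosine comparison from the introduction, using the page's vectors for users A, B and C. It assumes the population standard deviation for the Z-score and treats the public scaling integer as a parameter `l1`; all function names are hypothetical.

```python
import math

# Profile vectors quoted in the introduction.
U_A, U_B, U_C = (3, 4, 7, 8), (10, 10, 10, 10), (4, 3, 8, 7)


def inner(u, v):
    """Inner product of two equal-length vectors."""
    return sum(a * b for a, b in zip(u, v))


def cosine(u, v):
    """Cosine of the angle between u and v."""
    return inner(u, v) / math.sqrt(inner(u, u) * inner(v, v))


def zscore(u):
    """Z-score standardisation (population standard deviation, an assumption)."""
    mean = sum(u) / len(u)
    sigma = math.sqrt(sum((x - mean) ** 2 for x in u) / len(u))
    if sigma == 0:
        # A constant profile has zero spread, so the Z-score is undefined.
        raise ValueError("constant profile: standard deviation is 0")
    return [(x - mean) / sigma for x in u]


def matching_vector(u, l1):
    """Normalise, multiply by the public integer l1 and take the ceiling."""
    return [math.ceil(l1 * x) for x in zscore(u)]


def quantisation_error(u, v, l1):
    """Gap between the cosine of the integer vectors and the exact cosine."""
    exact = cosine(zscore(u), zscore(v))
    return abs(cosine(matching_vector(u, l1), matching_vector(v, l1)) - exact)


if __name__ == "__main__":
    print("inner A.B, A.C:", inner(U_A, U_B), inner(U_A, U_C))
    print("cos A~B, A~C:", cosine(U_A, U_B), cosine(U_A, U_C))
    for l1 in (1, 10, 1000):
        print("l1 =", l1, "error =", quantisation_error(U_A, U_C, l1))
```

The integer vectors are what would be encrypted; a small `l1` distorts the cosine noticeably, while a larger one keeps it close to the exact value at the cost of larger plaintexts.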

Security Proof of Improved Algorithm.
In this subsection, the semantic security of the improved HRES algorithm is proved through three theorems. We first prove that the DDH problem in $G$ (the cyclic group of modulo $p^3$) is hard to solve. Based on this conclusion, the improved HRES algorithm could be semantically secure.

Theorem 1.
Let $G$ be the cyclic group of modulo $p^3$, and $g$ be a generator of $G$. The discrete logarithm problem (in $G$) is hard to solve.
Proof. For the sake of contradiction, it is assumed that the discrete logarithm problem (in $G$) is not difficult; i.e., there exists an oracle that can solve the discrete logarithm problem (in $G$) in polynomial time. For example, given an input $A \equiv g^a \bmod p^3$, the oracle returns the index $a$ as output.
(1) Note that, if $g$ is a generator of $\mathbb{Z}_p$ and satisfies $g^{p-1} \not\equiv 1 \bmod p^2$, $g$ is also a generator of $G$. Our strategy is as follows. Let $B \equiv g^b \bmod p$; we can assume that there exists an integer $b'$ that satisfies $B \equiv g^{b'} \bmod p$, such that the equation $b \equiv b' \bmod \phi(p)$ holds. Multiply simultaneously both sides of the equation by $p^2$ and the equation can be obtained. Thus, it has $g^{bp^2} \equiv g^{b'p^2} \bmod p^3$.
Since $B \equiv g^{b'} \bmod p$, $B$ can be denoted as $B = g^{b'} + kp$ where $k$ is an integer. Thus, $B^{p^2}$ can be written as the following formula: We can obtain $B^{p^2} \equiv g^{b'p^2} \bmod p^3$. Then, we query the oracle for solving the discrete logarithm problem in $G$ to get the result $b'p^2$ with $g^{b'p^2} \bmod p^3$ as input.
And of course $b'$ can be solved out. This implies that, if the discrete logarithm problem in $G$ were not difficult, the discrete logarithm problem in $\mathbb{Z}_p$ turns out to be easy as well. This is obviously a contradiction.
(2) If $g$ is a generator of $\mathbb{Z}_p$ and satisfies $g^{p-1} \equiv 1 \bmod p^2$, $g + p$ is also the generator that belongs to both $\mathbb{Z}_p$ and $G$. The proof process is similar to the above one and we will not describe it here.

Theorem 2. Let $p$ be a large prime. Let $G$ be the cyclic group of modulo $p^3$, and $g$ be a generator of $G$. The Decisional Diffie-Hellman problem (in $G$) is difficult.
Proof. For the sake of contradiction, it is assumed that the Decisional Diffie-Hellman (in $G$) is not difficult. It means that there exists an adversary $A_{DDH}$ who can find a random integer $z$ such that $g^{xy} \equiv g^z \bmod p^3$. We assume that $R$ is a random quadruple and $D$ is a DH quadruple, where $R = \langle g, g^x, g^y, g^z \rangle$ and $D = \langle g, g^x, g^y, g^{xy} \rangle$.
(1) Note that, if $g$ is a generator of $\mathbb{Z}_p$ and satisfies $g^{p-1} \not\equiv 1 \bmod p^2$, $g$ is also a generator of $G$. If $A_{DDH}$ can find a random integer $z$ that satisfies $g^{xy} \equiv g^z \bmod p^3$, $xy \equiv z \bmod \phi(p^3)$ can be derived. Hence, equation $xy \equiv z \bmod (p - 1)$ holds. Besides, since $g$ is a generator of $\mathbb{Z}_p$, we can also get the equation $g^{xy} \equiv g^z \bmod p$. We thus state that if there exists an adversary $A_{DDH}$ who can distinguish the random quadruple $R$ from DH quadruple $D$, $A_{DDH}$ can also distinguish $R$ and $D$ in $\mathbb{Z}_p$. However, the DDH assumption in $\mathbb{Z}_p$ is difficult, so the original hypothesis does not hold. Thus, we can get a conclusion that DDH assumption (in $G$) is also difficult.
(2) If $g$ is a generator of $\mathbb{Z}_p$ and satisfies $g^{p-1} \equiv 1 \bmod p^2$, then $g + p$ is also the generator that belongs to both $\mathbb{Z}_p$ and $G$. The proof process is similar to the above one and we will not describe it here.

Theorem 3. If Decisional Diffie-Hellman assumption in
holds, the improved HRES algorithm Π presented in Section 5.1 is semantically secure.
Proof. During the KeyGen phase, the cloud servers CA and CB negotiate with each other to generate their Diffie-Hellman key. Due to the difficulty of discrete logarithm problem in $\mathbb{Z}^*_{p^3}$, the probability of any adversary getting any information about $sk_1$, $sk_2$, or $sk_1 \cdot sk_2$ is negligible.
For the sake of contradiction, it is assumed that the scheme $\Pi$ is not semantically secure; i.e., there exists a polynomial time adversary $A_\Pi$ which can break semantic security with nonnegligible probability $\xi$. $A_\Pi$ constructs a distinguisher $\beta$ that can solve the DDH problem in $\mathbb{Z}^*_{p^3}$. The construction is as follows.
Given a challenge quadruple $\zeta = \langle g, g^a, g^b, T \rangle$, where $a, b \in \mathbb{Z}^*_{p^3}$, the goal of the distinguisher $\beta$ is to determine $T = g^{ab}$ or $T = R$, where $R$ is a random integer in $\mathbb{Z}^*_{p^3}$. The challenger sends the public key $PK = g^a$ to the adversary $A_\Pi$. Then, the adversary $A_\Pi$ submits two challenge messages $(m_0, m_1)$ of equal length to the challenger based on his prior knowledge, and then the challenger returns $C = (g^b, T(1 + m_d p)) \bmod p^3$ as a challenge ciphertext to the adversary $A_\Pi$, in which $d \in \{0, 1\}$. Finally, the adversary outputs $d'$ as the guess result. If $d = d'$, the challenger outputs $T = g^{ab}$; otherwise, it outputs $T = R$. The discussion is as follows: (1) If $T = g^{ab}$, then $C$ is a valid ciphertext and the probability of adversary guessing correctly is equal to $1/2 + \xi$. mp) is independent of the encrypted message because the random value $R$ is uniformly and randomly distributed among $\mathbb{Z}^*_{p^3}$. Therefore, the probability that the adversary guesses correctly is $1/2$.
As a result, if the distinguisher can break the scheme $\Pi$ with a nonnegligible probability $\xi$, the adversary $A_\Pi$ can attack the DDH assumption in $\mathbb{Z}^*_{p^3}$ with the same advantage. For the reason that the DDH assumption in $\mathbb{Z}^*_{p^3}$ is difficult, our improved scheme $\Pi$ is semantically secure.

Security Analysis of Our Protocol.
The security analysis of our privacy-preserving profile-matching scheme under the semihonest model will be presented in this subsection with a real and ideal paradigm [2,26]. For any adversaries who attack a real protocol execution, there exists an adversary who attacks an ideal execution, such that the input and output distributions of the adversary and participants in both the real and the ideal executions are fundamentally the same.
Theorem 4. Our profile-matching scheme described in Section 5 can securely obtain the matching result through the calculations on ciphertexts under the semihonest and noncollusive adversaries.
Proof. In this scheme, there are mainly four parties: Alice, Bob, CA, and CB. We can construct four simulators $Sim = \langle Sim_A, Sim_B, Sim_{CA}, Sim_{CB} \rangle$ against four types of adversaries $\langle A_A, A_B, A_{CA}, A_{CB} \rangle$ that will corrupt the privacy of Alice, Bob, CA, and CB, respectively.
$Sim_A$ simulates $A_A$ as follows: After receiving the normalized vector $v' = \langle v_1', v_2', \ldots, v_n' \rangle$, $Sim_A$ encrypts $v'$ and $\sum_{i=1}^{n} v_i'^2$, respectively, to get $E_{PK_2}(v')$ and $E_{PK_2}(s_A)$. Then, $Sim_A$ chooses a random integer $\tau_2$ and encrypts $\tau_2$, and sends the partial decryption result E PK A (τ 1 τ 2 β 2 · U ′ ∘ v ′ ) processed by its secret key to $A_A$. The view of $A_A$ involves the normalized vector $v' = \langle v_1', v_2', \ldots, v_n' \rangle$, the encrypted results set {$E_{PK_2}(v')$, $E_{PK_2}(s_A)$, $E_{PK_2}(\tau_2 \sigma_A)$, E PK A (τ 1 τ 2 β 2 · U ′ ∘ v ′ )}, and the decryption result $\cos(U', v')$. The view of $A_A$ in real and ideal executions is indistinguishable owing to the semantic security of the improved HRES scheme mentioned above.
$Sim_B$ simulates $A_B$ as follows: After receiving the normalized vector $U' = \langle u_1', u_2', \ldots, u_n' \rangle$, $Sim_B$ encrypts $U'$ and $\sum_{i=1}^{n} u_i'^2$, respectively, to get $E_{PK_2}(U')$ and $E_{PK_2}(s_B)$. After that, $Sim_B$ chooses a random integer $\tau_1$ and encrypts Then $Sim_B$ sends the encrypted results to $A_B$. The view of $A_B$ involves the normalized vector $U' = \langle u_1', u_2', \ldots, u_n' \rangle$ and the encrypted result set $\{E_{PK_2}(U'), E_{PK_2}(s_B), E_{PK_2}(\tau_1 \sigma_B)\}$. The view of $A_B$ in real and ideal executions is indistinguishable owing to the semantic security of the improved HRES scheme mentioned above.
Then, $Sim_{CA}$ encrypts them as $E_{PK_2}(U')$, $E_{PK_2}(v')$, $E_{PK_2}(s_B)$, and $E_{PK_2}(s_A)$. $Sim_{CA}$ generates two random integers $\tau_1, \tau_2$; respectively, obtains the encrypted values $E_{PK_2}(\tau_1 \sigma_B) \cdot E_{PK_2}(\tau_2 \sigma_A)$; and partially decrypts the above result. Finally, it generates random integers $\sigma_i$, $\omega$ and computes
The view of $A_{CA}$ in the real and ideal executions is indistinguishable owing to the semantic security of the improved HRES scheme mentioned above.

Security and Communication Networks
$Sim_{CB}$ simulates $A_{CB}$ as follows: $Sim_{CB}$ chooses random integers $r_i, m_i, t_i$, where $i \in [n]$, and then encrypts them as $(E_{PK_2}(m_i) \cdot E_{PK_2}^{-1}(t_i))^{r_i}$, $E_{PK_2}((r_i m_i)^2)$. Then, it picks a random number $s$ and encrypts it as $E_{PK_1}(s)$, $E_{PK_2}(s)$. $Sim_{CB}$ re-encrypts them with the secret key of CA and sends the values $(E_{PK_2}(m_i) \cdot E_{PK_2}^{-1}(t_i))^{r_i}$, $E_{PK_2}((r_i m_i)^2)$, $E_{PK_1}(s)$, $E_{PK_2}(s)$, $r_i(m_i - t_i)$, and $(r_i m_i)^2$ to $A_{CB}$. The view of $A_{CB}$ is the above encrypted values and some obfuscated data. Although $A_{CB}$ can decrypt and obtain the obfuscated data, the random numbers selected by the simulator are uniformly and randomly distributed in the message space, so they are the obfuscated messages. The view of $A_{CB}$ in real and ideal executions is indistinguishable owing to the semantic security of the improved HRES scheme mentioned above.

Evaluation
Comparison.
In this subsection, we mainly discuss the advantages of our scheme compared with the existing privacy-preserving profile-matching schemes [1,2,11,27] in Table 1. These schemes [1,11,27] require users to stay online simultaneously to obtain matching results through multiple interactions, resulting in additional computational costs and communication overheads on mobile devices of users. In our scheme, users only need to encrypt their personal profiles and upload them to the cloud, and then they can go offline. A friend finder can designate a target to initiate a matching query and ultimately get the matching result. Most computations are undertaken by the two cloud servers, which can greatly reduce the burden of users. Compared with the scheme in [2], the users do not need to upload the re-encryption keys when uploading their encrypted data, thereby avoiding the risk of the users' personal data leakage due to the re-encryption key leakage and reducing the burden of the key management. We use the cosine scores of two vectors as the matching result instead of the intersection of two sets or the inner product of two vectors. In particular, the proposed scheme supports processing larger data. Therefore, the proposed scheme is fine-grained, and the precision of matching result is high.

Simulation.
In order to better demonstrate the performance of our scheme and compare it with Gao's scheme [2], we simulated two profile-matching protocols separately. Simulations are conducted using the PBC library on a computer equipped with a 2.5 GHz Intel core i5-3210 processor with 4 GB of RAM. The dimension $n$ of users' vector is set as 20, and we compared the two system performances with the increase in the number of the data bits.
The results are shown in Figures 2 and 3. More intuitive comparison results are shown in Figure 4. As the number of data bits increases, the decryption time of Gao's scheme will increase exponentially, and the time spent by cloud servers and users increases. Specifically, our scheme has no limit on the length of the data. And as the length increases, the time consumed does not change significantly.

Table 1.
Scheme [1]: No, No, Yes, Yes
Scheme [2]: Yes, No, Yes, No
Scheme [11]: No, No, Yes, Yes
Scheme [27]: No, Yes, Yes, Yes

Complexity Analysis.
In this subsection, we review some existing conclusions before analyzing the computational complexity of our scheme. The complexity of calculating modular multiplication and modular exponentiation is $O(\log^2 p)$ and $O(\log^3 p)$, respectively, where $p$ is the modulus.
First, we analyze the computational complexity of the improved HRES algorithm. The Enc involves two modular multiplications, a modular addition and two modular exponentiations. Hence, the computational complexity of this part is $O(\log^3 p)$. The Partial Dec1 only needs a modular exponentiation, so the computational complexity is $O(\log^3 p)$. Similarly, the Partial Dec2 involves a modular exponentiation, a modular inversion, a modular multiplication, a subtraction, and a division. Hence, the corresponding computational complexity is $O(\log^3 p)$. On this basis, we could deduce that the computational complexity of the procedure executed by Alice is $O(\log^3 p)$, and the same for Bob, CA, and CB.

Conclusion
In this paper, we propose a privacy-preserving profile-matching scheme over improved HRES algorithm in mobile social networks. The improved algorithm can support one-time homomorphic multiplication and arbitrarily many homomorphic additions. Compared with the original scheme [2], the key management burden can be reduced, and the privacy problem of users caused by the re-encryption keys leakage can be effectively solved. In addition, our scheme utilizes the cosine result between two normalized vectors as the standard for measuring the users' proximity, which can effectively improve the social experience of the users. Even if users with ulterior motives collude with one of the clouds, the personal data of other users will not be revealed. At last, we prove that our scheme is secure under the semihonest model through strict security analysis.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.