Privacy-Preserving Graph Operations for Mobile Authentication

Along with the fast development of wireless technologies, smart devices have become an integral part of our daily life. Authentication is one of the most common and effective methods for these smart devices to prevent unauthorized access. Moreover, smart devices tend to have limited computing power, and they may possess sensitive data. In this paper, we investigate performing graph operations in a privacy-preserving manner, which can be used for anonymous authentication for smart devices. We propose two protocols that allow two parties to jointly compute the intersection and union of their private graphs. Our protocols utilize homomorphic encryption to prevent information leakage during the process, and we provide security proofs of the protocols in the semihonest setting. At last, we implement and evaluate the efficiency of our protocols through experiments on real-world graph data.


Introduction
With the rapid development of IoT technology, we are surrounded by various types of smart devices in our daily life, such as sensors, wearable devices, and smart vehicles [1]. Authentication is one of the most important mechanisms to provide security protection for these smart devices [2], and authentication for light-weighted devices has become a hot research topic in the past years [3,4].
In recent years, researchers have proposed several mobile authentication schemes based on graph data structure and graph algorithms [5][6][7]. Graph data and graph processing are well studied for the last decades [8,9], since they can help to solve many practical problems in different application areas, such as web data processing [10], data mining [11], social networking [12], biological networking [13], and communication networking [14].
1.1. Motivation. In this paper, we consider the problem of computing graph operations between two parties while preventing information leakage, which has great potential in smart device authentication. For example, when the mobile devices communicate with cloud servers, they need to first jointly perform identity authentication for security protec-tion. Since the mobile devices may contain sensitive information of the users and the cloud servers cannot be fully trusted in general, the privacy leakage problem for mobile authentication has become a security threat [15]. In order to protect the privacies of the mobile devices, the devices can model their identities and properties as graph-structured data, and the cloud servers can model their authentication policies as graph-structured data as well. After that, the identity authentication process can be converted into performing graph operations in a privacy-preserving manner.

Our Contributions.
We study the problem of performing graph intersection and union while protecting the privacies of the input graphs. Suppose that for two parties, Alice and Bob, each has a private graph, denoted as G A and G B , respectively. Alice wishes to learn the intersection and union of these two graphs. In other words, Alice wishes to learn G I = G A T G B and G U = G A S G B . In addition, both Alice and Bob do not wish to reveal any information about their graphs to the other party. The contributions of this paper can be summarized as below: (i) We present two graph operation protocols between two parties, a server and a client. The first protocol allows the server and the client to jointly compute the intersection of their input graphs, and the second protocol computes the union of the input graphs. Our constructions first use the Paillier cryptosystem and oblivious polynomial evaluation to compute the intersection and the union of the vertices. After that, we use the homomorphic property of the Paillier cryptosystem to compute the edge intersection and union (ii) We provide the security models of the protocols, and we prove that the protocols are secure in the semihonest setting. Furthermore, we analyze the information leakage and propose methods to minimize the leakages (iii) We discuss the efficiencies of the protocols in terms of computation costs and communication costs. At last, we implement our constructions and perform experiments on real-world graph data An earlier version of this paper was presented at the 22nd Australasian Conference on Information Security and Privacy, 2017 [16]. The previous work presented a private graph intersection protocol with rough analysis. This paper extends the previous work by presenting a private graph union protocol with detailed analysis and experimental results.

Related Work
There are many different approaches to construct authentication schemes for smart devices. Among them, graphbased authentication schemes are widely used in IoT [5,17,18]. In 2002, Micali and Rivest [19] first introduced the transitive signature based on graph theory, which provides an unforgeable signature for undirected graphs. After that, various graph-based signature and authentication schemes were proposed [5][6][7]. In 2017, Chuang et al. [5] proposed an authentication system in Internet of Things based on multigraph zero-knowledge. The system provides suitable security protection for IoT authentication services. The proposed multigraph zero-knowledge procedure is faster than traditional zero-knowledge methods and ECC-based solutions. The experiment results indicate that the system is lightweighted and highly adaptive. Lin et al. [6] proposed a transitively graph authentication scheme for blockchain-based identity management systems in 2018. The system is used to bind a digital identity object to its real-world entity, therefore achieving identity authentication. The system is constructed based on transitively closed undirected graphs and vertex signatures. According to the evaluation results, the system is efficient, even when the graph dynamically adds or deletes vertices and edges. In 2019, Shao et al. [7] proposed a multifactor authentication scheme using a fuzzy graph domination model. The scheme is adaptive choosing one or multiple privacy-preserving identities to authenticate the users. The authors designed a weighted vertex-edge dominating set to solve the weighted domination problem on fuzzy graphs. Compared to existing solutions, the scheme is more efficient for solving instances with moderate orders.
In this work, we consider the problem of performing graph intersection and union in the privacy-preserving manner and proposed two secure multiparty computation protocols. Secure Multiparty computation (MPC) has been extensively studied over the past decades. Generally speaking, MPC allows multiple participants to jointly perform certain computations without losing the privacy of their input data, even when some players cheat during the process. MPC was first formally introduced by Yao in 1982 [20] and extended by Goldreich et al. [21]. Their works convert certain computation problems into a combinatorial circuit, then the parties perform computations over the gates in the circuit. After that, a large number of MPC protocols have been proposed to solve various problems, such as privacy-preserving set operations [22] and private information retrieval [23].

Preliminary
In this section, we present the preliminaries related to our proposed protocols. First, we present the relevant notations that we used in this paper in Table 1.

Additive Homomorphic Encryption.
Homomorphic encryption schemes allow the users to perform certain computation operations on the ciphertext space, such as addition and multiplication. In our private graph operation protocols, we utilize an additive homomorphic encryption scheme called the Paillier cryptosystem, proposed by Paillier in 1999 [24]. The Paillier cryptosystem contains three algorithms, described as follows: ðpk, skÞ ← KeyGenð1 k Þ is the key generation algorithm. The input is a security parameter k. The outputs are a public key pk and a secret key sk. The public key contains a large number N which specifies the message space, the ciphertext space, and the random space to be ℤ N , ℤ * N 2 , and ℤ * N , respectively. t ⊕ ← Encðpk, t ; rÞ is the encryption algorithm. The input is the public key pk, a plaintext t ∈ ℤ N , and a random number r ∈ ℤ * N . The output is the ciphertext t ⊕ ∈ ℤ * N 2 . For simplicity, we use the notion t ⊕ = EncðtÞ.
t ← Decðsk, t ⊕ Þ is the decryption algorithm. The input is the secret key sk and a ciphertext t ⊕ ∈ ℤ * N 2 . The output is the plaintext t ∈ ℤ N . For simplicity, we use the notion t = Decð t ⊕ Þ.
3.1.2. IND-CPA Security. Two ciphertexts t ⊕ 0 and t ⊕ 1 are indistinguishable for probabilistic polynomial-time adversaries that only have access to the public parameters.
3.1.3. Homomorphic Property. For any two plaintexts t 0 , t 1 ∈ ℤ N , there exists an operation ⊕ in the ciphertext space, such that DecðEncðt 0 Þ ⊕ Encðt 1 ÞÞ = t 0 + t 1 . Furthermore, there exists another operation ⊗ in the ciphertext space, such that DecðEncðt 0 Þ ⊗ t 1 Þ = t 0 · t 1 . 3.3. Graph Representation. In our protocol, we represent a graph as G = ðV, EÞ, where V is the vertex collection and E is the edge collection. We represent the vertex collection as a sorted set with ascending order, V = fv 1 , v 2 , ⋯, v z g, where z is the number of vertices in G, v i ∈ ℤ, and v i < v i+1 for 1 ≤ i ≤ z − 1. We represent the edge collection as an adjacency matrix, where e i,j is the adjacency relation between the vertices v i and v j , and e i,j ∈ f0, 1g. If vertices v i and v j are adjacent, i.e., there is at least one edge that connects them, e i,j = 1; otherwise, e i,j = 0. Note that E is a square matrix with z rows and z columns. For an undirected graph, E is a symmetric matrix, since the edges are two-way. For example, we represent the directed graph illustrated in Figure 1 4. Definitions and Security Models 4.1. Protocol Definitions. We formally describe the private graph intersection (PGI) protocol and the private graph union (PGU) protocol. The protocols involve two participants, a server and a client, denoted as S and C, respectively. Each of the participants holds a private graph, which is intended to be kept secret from the other participant.
We denote the graphs of the server and client as G S = ðV S , E S Þ and G C = ðV C , E C Þ, respectively, where V and E are the sets of vertices and edges of the graphs. The intersection of G S and G C is defined as PGI and PGU allow the participants to jointly compute G I and G U , respectively, in a privacy-preserving manner. At the end of the protocols, only the server learns the result. The formal definitions of PGI and PGU are described as follows: Definition 1 (private graph intersection protocol). If both participants are honest, for any G S = ðV S , E S Þ and any G C = ðV C , E C Þ, the private graph intersection protocol computes G I = G S T G C . At the end of the protocol, only S learns G I .
Definition 2 (private graph union protocol). If both participants are honest, for any G S = ðV S , E S Þ and any G C = ðV C , E C Þ, the private graph union protocol computes G U = G S S G C . At the end of the protocol, only S learns G U .

Security Models.
When considering privacy protecting in authentication, the term privacy may have different definitions and properties, such as user identity and untraceability [29,30]. In this work, the privacies of the server and the client refer to any information about their graphs. Therefore, any information about the vertices and edges of the graphs is considered as private, such as the number of vertices, the number of edges, the values of the vertices, and whether two vertices are connected by an edge. The security goals of both PGI and PGU protocols are protecting the privacies of both the server and the client during the computation. In other words, both the server and the The server, the client G S , G C The server's graph, the client's graph We use the semihonest security model for both PGI and PGU, which means both the server and the client perform the protocols faithfully, but they may try to learn any information about the graph of the other participant. The security models are adopted from the work of [31][32][33].
While achieving no information leakage is the ideal goal, our protocols leak partial information during the process. The information leakages for PGI are defined as leakage functions L 1 and L 2 , and the information leakages for PGU are defined as L 3 and L 4 . The detailed information about the leakage functions are as follows: L 1 is the number of vertices in G C , L 2 is the vertex intersection V I and the number of vertices in G S , L 3 is the number of vertices in G C and the number of common vertices between G S and G C , and L 4 is the vertex union V U and the number of vertices in G S .
The formal definitions of security models are described as follows: Definition 3 (PGI security). A semihonest server learns nothing about the client's graph, beyond what can be deduced from G I and the leakage function L 1 , and a semihonest client learns nothing about the server's graph, beyond the leakage function L 2 .
Definition 4 (PGU security). A semihonest server learns nothing about the client's graph, beyond what can be deduced from G U and the leakage function L 3 , and a semihonest client learns nothing about the server's graph, beyond the leakage function L 4 .

Protocol Construction
In this section, we propose the constructions of PGI and PGU. The graphs of the server and the client are represented as G S = ðV S , E S Þ and G C = ðV C , E C Þ, respectively, where V S = fs 1 , s 2 , ⋯, s m g, V C = fc 1 , c 2 , ⋯, c n g, 5.1. PGI Construction. We use the FNP protocol [25] as a building block for computing the vertex intersection. The private graph intersection protocol is described below: Input: S and C hold the graphs G S = ðV S , E S Þ and G C = ðV C , E C Þ, respectively.
Output: S learns G I = ðV I , E I Þ. Protocol: Step 1. S runs the key generation algorithm of the Paillier cryptosystem, ðpk, skÞ ← KeyGenð1 k Þ, and obtains the public key and the secret key. Then, S publishes pk.
(a) By using the homomorphic properties of the Paillier cryptosystem, C evaluates the polynomial P using each element in V C as input. In other words, C computes EncðPðc i ÞÞ, for 1 ≤ i ≤ n (b) For each polynomial evaluation, C chooses a random value r and computes β ⊕ Step 4. S decrypts all the ciphertexts received and compares the decrypted values with his vertex set V S . If a decrypted value β i = Decðβ ⊕ i Þ has a corresponding element in V S , it is an element of the intersection of V S and V C . In other words, if β i ∈ V S , β i ∈ V I . After decrypting all the received ciphertexts, the server obtains V I .
(a) S uses V I to construct an adjacency matrix A of size p × p, where p is the number of the vertex in V I : A has the property that, for each vertex pair v x ∈ V I and v y ∈ V I , if an edge exists in G S between vertices v x and v y , a x,y = 1; otherwise, a x,y = 0.

(b) S encrypts each element in A under the Paillier cryptosystem and obtains an encrypted matrix A ⊕ = EncðAÞ
(c) S sends A ⊕ and V I to C Step 6.
(a) By using V I , C constructs an adjacency matrix B using the same method in the last step:

Wireless Communications and Mobile Computing
Step 7. S decrypts each element in E ⊕ I and obtains E I = DecðE ⊕ I Þ. At last, S obtains G I = ðV I , E I Þ.

PGU Construction.
The private graph union protocol is described below: Input: S and C hold the graphs G S = ðV S , E S Þ and G C = ðV C , E C Þ, respectively.
Output: S learns G U = ðV U , E U Þ. Protocol: Step 1. Same as Step 1 of PGI.
Step 2. Same as Step 2 of PGI.
(a) By using the homomorphic properties of the Paillier cryptosystem, C evaluates the polynomial P using each element in V C as input. In other words, C computes EncðPðc i ÞÞ, for 1 ≤ i ≤ n (b) For each polynomial evaluation, C choose a random value r and computes β ⊕ i = EncðPðc i ÞÞ ⊗ r. Then, C sends the set of all resulting ciphertexts β ⊕ = fβ ⊕ i g 1≤i≤n to S Step 4. S decrypts each ciphertext received as β i = Decðβ ⊕ i Þ and checks the decrypted value. If β i = 0, S computes γ ⊕ i = Encð0Þ; otherwise, S computes γ ⊕ i = Encð1Þ. Then, S sends γ ⊕ = fγ ⊕ i g 1≤i≤n to C.
(a) S decryptes each value in δ ⊕ and checks if the decrypted value δ i = Decðδ ⊕ i Þ is zero (b) By combining the server's vertex set V S and the set of nonzero decrypted values fδ i g δ i ≠0 , S obtains V U . V U is then sorted in ascending order and is represented as Step 7.
(a) S uses V U to construct an adjacency matrix A of size q × q, where q is the number of vertex in V U : A has the property that, for each vertex pair u x ∈ V U and u y ∈ V U , if an edge exists in G S between vertices u x and u y , a x,y = 1; otherwise, a x,y = 0 (b) S encrypts each element in A under the Paillier cryptosystem and sends the encrypted matrix A ⊕ and V U to C Step 8.
(a) C uses V U to construct an adjacency matrix B in the same manner as S in the last step: (b) C encrypts each element in B using the Paillier cryptosystem and obtains B ⊕ (c) C generates a matrix R with q × q random values: (d) C computes: 6. Analysis 6.1. Security Analysis. In this section, we prove the correctness and security of both PGI and PGU. When analyzing the security of the proposed protocols, we assume both the server and the client evaluate the protocols faithfully, but they may try to obtain as much information about the graph of the other party as possible. The security analysis for the protocols is divided into two cases, where one of the server and the client acts as the adversary in each case. Then, we prove the zero-knowledge properties of the server and the client in each case, using the methods and techniques introduced in [15,34].
Lemma 5 (PGI correctness). If both participants are honest, for any G S = ðV S , E S Þ and any G C = ðV C , E C Þ, the private graph intersection protocol computes Proof. The correctness of PGI is ensured by the correctness of the FNP protocol and the homomorphic property of the Paillier cryptosystem.
During Steps 2 to 4 of the protocol, the client and the server jointly perform a FNP protocol using their vertex collections as inputs. At the end of Step 4, the server learns the vertex intersection V I , and the client receives V I from the server in Step 5.
In Steps 5 and 6, the server and the client construct two adjacency matrices by using V I , denoted as A and B, respectively. Note that A and B contain the adjacency relations between the vertices in V I for graphs G S and G C , respectively. In other words, if an edge exists between two vertices in V I , it leads to a value of 1 in the corresponding position of the constructed adjacency matrix; otherwise, it leads to a value of 0 instead. Therefore, the dot product of A and B will produce an adjacency matrix that represents the edge intersection. If an edge exists in both A and B, i.e., it is a common edge between G S and G C , the dot product of its adjacency relations will result a value of 1. If an edge only exists in one of G S and G C , or the edge does not exist at all, the dot product will result in a value of 0.
In Step 6, the client receives the encryption of A under the Paillier cryptosystem from the server. If the Paillier cryptosystem has the homomorphic property, i.e., it supports multiplication between a ciphertext and a constant, the client can homomorphically compute the dot product of the A ⊕ and B, and the result is the encryption of the edge intersection. Finally, in Step 7, the server obtains the edge intersection after decryption.
As a result, if the FNP protocol is correct and the Paillier cryptosystem has the homomorphic property, the private graph intersection protocol computes G I = ðV I , Lemma 6 (PGI server zero-knowledge). A semihonest server learns nothing about the client's graph, beyond what can be deduced from G I and the leakage function L 1 .
Proof. The proof of PGI server zero-knowledge is trivial. During PGI, there are two parts where the server receives information about the client's graph. The first part is during the FNP protocol in Step 3, and the second part is at the end of Step 6.
For the first part, in Step 3, the server receives a set of ciphertexts from the client. The server can learn the number of vertices in the client's graph by counting the number of ciphertexts, which is the predefined leakage function L 1 . By decrypting the ciphertexts, the server obtains a set of values. If a value exists in V S , it is a common vertex between G S and G C , which is a part of the final result of the protocol. Otherwise, if the value does not exist in V S , it will be a random value, which has no relation to the client's graph.
For the second part, the server receives E ⊕ I from the client, which is the ciphertext of the edge intersection. Upon decryption, the server only learns the edge intersection. As a result, the PGI server zero-knowledge holds.
Lemma 7 (PGI client zero-knowledge). A semihonest client learns nothing about the server's graph, beyond the leakage function L 2 .
Proof. There are two parts where the client receives information about the server's graph. The first part is during the FNP protocol in Step 2, and the second part is at the end of Step 5.
For the first part, the client receives a set of encrypted coefficients α ⊕ of the polynomial P from the server. The client can learn the number of vertices of the server's graph by counting the number of encrypted coefficients received, which is a part of the predefined leakage function L 2 .
For the second part, the client receives an encrypted matrix A ⊕ and the vertex intersection V I . Since V I is also a part of the predefined leakage function L 2 , we need to show that A ⊕ does not reveal any information about the server's graph. According to the protocol construction, A ⊕ contains the encryptions of adjacency relations between the vertices in V I for the server's graph. Therefore, if the client cannot distinguish between the cases where the server has different input graphs, given the knowledge of A ⊕ and V I , the PGI client zero-knowledge holds. Consider the following experiment: Wireless Communications and Mobile Computing In the above experiment, A is a probabilistic polynomialtime adversarial client with a private graph G C = ðE C , V C Þ. The adversary first chooses two graphs, denoted as G 0 = ð V 0 , E 0 Þ and G 1 = ðV 1 , E 1 Þ, respectively. The two graphs have the property that V 0 then sends the graphs to the server. The server randomly picks a bit b = f0, 1g, and chooses G b as the private graph. After that, the server and A jointly perform the private graph intersection protocol from Steps 1 to 5. At the end of Step 5, A needs to output a bitb, using the information he recevied during the protocol. Ifb = b, the experiment outputs 1; otherwise, it outputs 0. The advantage of the above experiment for A is defined as Adv A = jPr ½EX P A ð1 k Þ = 1 − 1/2j.
During PGI, the information that A receives contains α ⊕ , V I , and A ⊕ . α ⊕ contains a set of ciphertexts under the Paillier cryptosystem, V I is the vertex intersection, and A ⊕ is an encrypted adjacency matrix under the Paillier cryptosystem.
Due to the condition V 0 T V C = V 1 T V C , the vertex intersection V I gives no useful information since V I will be the same for both G 0 and G 1 . Since the Paillier cryptosystem is IND-CPA secure and A cannot decrypt the ciphertexts without the private key, α ⊕ and A ⊕ cannot help A to distinguish which graph the server has chosen. As a result, if the Paillier cryptosystem is IND-CPA secure, the advantage of the above experiment for A is negligible, i.e., Adv A = jPr ½ EXP A ð1 k Þ = 1 − 1/2j = ε, where ε is negligible. At last, we construct a simulator Sim S to simulate the view of the client in the ideal model. Sim S is given the knowledge of the vertex intersection V I and the vertex number m of the server's graph. In the above experiment, Sim S sends a set of m + 1 random values to the client in Step 2 and sends V I and a matrix with p × p random values to the client in Step 5. Since the client cannot distinguish between the ciphertexts under the Paillier cryptosystem and random values, the view of the client in the ideal model is computationally indistinguishable from the view in the real model, i.e., View real C ½Sð G S Þ, C ≈ View ideal C ½Sim S ðV I , mÞ, C. As a result, the PGI client zero-knowledge holds.
Lemma 8 (PGU correctness). If both participants are honest, for any G S = ðV S , E S Þ and any G C = ðV C , E C Þ, the private graph union protocol computes G U = ðV U , E U Þ = G S S G C .
Proof. The correctness of PGU is ensured by the homomorphic property of the Paillier cryptosystem. Steps 2-of PGU compute the vertex union, and Steps 7-9 compute the edge union.
In order to compute the vertex union between G S and G C , the server needs to obtain the vertices in G C that are not in G S .
In Step 2, the server constructs a polynomial, such that all the roots are exactly the vertices in G S . After that, the client homomorphically evaluates the polynomial using all the vertices in G C , and each polynomial evaluation is homomorphically multiplied by a random value. Therefore, the common vertices between G S and G C will result in encryptions of zero, and other vertices will result in encryptions of random values. In Step 4, the server decrypts all the polynomial evaluations. If the decryption is zero, the server generates an encryption of 0; otherwise, the server generates an encryption of 1. In the next step, the client homomorphically multiplies the received encryptions with the vertices in V C . For an encryption of 0, i.e., the vertex is a common vertex, the client will result in an encryption of 0; for an encryption of 1, i.e., the vertex is not a common vertex, the client will result in an encryption of the vertex. As a result, in Step 6, the server learns the set of vertices that only exists in G C . By combing the above set and V S , the server obtains the vertex union V U .
In order to compute the edge union, the server needs to obtain an adjacency matrix, such that if an edge does not exist in either G S and G C , it will have a corresponding value of 0 in the matrix; otherwise, it will have a corresponding value of 1.
In Steps 7 and 8, each of the server and the client constructs an adjacency matrix using the vertex union and his own graph and encrypts each element under the Paillier cryptosystem. The client then homomorphically adds the encrypted values at the same locations in the two matrices. There are three circumstances for the addition results. If an edge does not exist in either of the graphs, the addition will result in an encryption of 0; if an edge only exists in one of the graphs, the addition will result in an encryption of 1; if an edge exists in both of the graphs, the addition will result in an encryption of 2. Then, the client homomorphically multiplies each result by a random value. Therefore, for the edges that do not exist in either of the graphs, the final result will still be an encryption of 0; for the edges that only exist in one of the graphs and the edges that exist in both of the graphs, the final result will be encryptions of random values. Finally, in Step 9, the server decrypts the encrypted matrix and replaces all the nonzero values to 1, which is the edge union of G S and G C .
As a result, if the Paillier cryptosystem has the homomorphic property, the private graph union protocol computes Lemma 9 (PGU server zero-knowledge). A semihonest server learns nothing about the client's graph, beyond what can be deduced from G U and the leakage function L 3 .
Proof. There are three parts where the server receives information from the client, which are Steps 3, 5, and 8.

Wireless Communications and Mobile Computing
In Step 3, the server receives a set of ciphertexts, β ⊕ , from the client. Each vertex in V C has a corresponding ciphertext in β ⊕ . If a vertex in V C also exists in V S , i.e., it is a common vertex in both graphs, it will result in an encryption of 0; otherwise, it will result in an encryption of a random value. By counting the number of ciphertexts in β ⊕ , the server can learn the number of vertices in the client's graph, and by decrypting and counting the number of 0 s, the server can learn the number of common vertices. The above information is defined as leakage function L 3 . In Step 5, the server receives another set of ciphertexts, γ ⊕ , from the client. Similar as above, each vertex in V C has a corresponding ciphertext in γ ⊕ . If a vertex exists in both V S and V C , it will result in an encryption of 0; otherwise, it will result in an encryption of the vertex itself. Therefore, upon decryption, the server learns of the vertices in V C that do not exist in V S , which are a part of the vertex union.
In Step 8, the server receives an encrypted matrix, E ⊕ U , from the client. Each element of the matrix represents the adjacency relation between two vertices in the graph union. If an edge exists in at least one of the input graphs, the corresponding adjacency value will be a random number; if an edge does not exist in either of the input graphs, it will result in an adjacency value of 0. By decrypting the matrix and replacing the random values to 1, the server obtains the edge union. As a result, the PGU server zero-knowledge holds. Proof. There are three parts where the client receives information from the server, which are Steps 2, 4, and 7. In Step 2, the client receives a set α ⊕ that contains m + 1 ciphertexts under the Paillier cryptosystem, which are encryptions of the coefficients of the server's polynomial. The client can learn the vertex number of the server's graph by counting the ciphertexts in α ⊕ , which is the leakage function L 4 . In Step 4, the client receives another set of ciphertexts γ ⊕ , which contains n encryptions of 1 s and 0 s. In Step 7, the client receives an encrypted matrix of size q × q, which contains encryptions of 1 s and 0 s. In order to prove that the above information does not reveal anything about the server's graph beyond what can be deduced from V U and the leakage function L 4 , consider the following experiment: pk, sk ð Þ← Step 1 1 k , In the above experiment, A is a probabilistic polynomialtime adversarial client with a private graph G C = ðE C , V C Þ. The adversary first chooses two graphs, denoted as G 0 = ð V 0 , E 0 Þ and G 1 = ðV 1 , E 1 Þ, respectively. The two graphs have the property that V 0 then sends the graphs to the server. The server randomly picks a bit b = f0, 1g and chooses G b as the private graph. After that, the server and A jointly perform the private graph union protocol from Steps 1 to 7.
At the end of Step 7, A needs to output a bitb, using the information he received during the protocol. Ifb = b, the experiment outputs 1; otherwise, it outputs 0. The advantage of the above experiment for A is defined as Adv A = jPr ½EX During PGU, the information that A receives contains α ⊕ , γ ⊕ , A ⊕ , and V U . α ⊕ and γ ⊕ are both sets of ciphertexts under the Paillier cryptosystem. Since G 0 and G 1 satisfied the condition |V 0 | = |V 1 |, the numbers of ciphertexts in α ⊕ will be the same for both G 0 and G 1 . A ⊕ is a matrix filled with q × q ciphertexts. Since the Paillier cryptosystem is IND-CPA secure and A cannot decrypt the ciphertexts without the private key, α ⊕ , γ ⊕ , and A ⊕ cannot help A to distinguish which graph the server has chosen. Furthermore, since G 0 and G 1 satisfied the condition V 0 S V C = V 1 S V C , V U will be the same for both G 0 and G 1 . As a result, if the Paillier cryptosystem is IND-CPA secure, the advantage of the above experiment for A is negligible, i.e., Ad v A = jPr ½EXP A ð1 k Þ = 1 − 1/2j = ε, where ε is negligible. At last, we construct a simulator Sim S to simulate the view of the client in the ideal model. Sim S is given the knowledge of the vertex union V U and the vertex number m of the server's graph. In the ideal model, Sim S genereates a set of m + 1 random values in Step 2, a set of n random values in Step 4, and a matrix of size q × q filled with random values in Step 7. Since the Paillier cryptosystem is IND-CPA secure, the client cannot distinguish the ciphertexts and random values. Therefore, the view of the client in the ideal model is computationally indistinguishable from the view in the real model, i.e., View real C ½SðG S Þ, C ≈ View ideal C ½Sim S ðV U , mÞ, C. As a result, the PGU client zero-knowledge holds.

Efficiency Analysis.
In this section, we analyze the efficiencies of PGI and PGU in terms of communication cost and computation cost. The communication cost is measured in terms of the amount of ciphertexts that has been transferred between the server and the client, and the computation 8 Wireless Communications and Mobile Computing cost is measured in terms of modular exponentiations and multiplications.
We denote m as the number of vertices in G S , n as the number of vertices in G C , p as the number of vertices in the intersection of G S and G C , and q as the number of vertices in the union of G S and G C .
6.2.1. PGI Communication Cost. The construction of PGI is simple and only requires Oð1Þ rounds of communication. In Step 2, the server sends m + 1 ciphertexts to the client. In Step 3, the client sends n ciphertexts to the server. In Step 5, the server sends p 2 ciphertexts to the client. At last, in Step 6, the client sends p 2 ciphertexts to the server. As a result, the total communication cost of our protocol is Oðm + n + p 2 Þ ciphertexts.

PGI Server Computation Cost. In
Step 2, constructing the polynomial requires Oðm 2 Þ modular multiplication, and encrypting the coefficients requires OðmÞ modular exponentiations. In Step 4, decrypting the received ciphertexts requires OðnÞ modular exponentiations. In Step 5, encrypting each element in A requires Oðp 2 Þ modular exponentiations. In Step 7, decrypting each element in E ⊕ I requires Oðp 2 Þ exponentiations. As a result, the total computation cost for the server is Oðm + n + p 2 Þ modular exponentiations and Oðm 2 Þ modular multiplications.

PGI Client Computation Cost. In
Step 3, obliviously evaluating the polynomial requires OðmnÞ modular exponentiations. In Step 6, computing E ⊕ I requires Oðp 2 Þ modular exponentiations. As a result, the total computation cost for the client is Oðmn + p 2 Þ modular exponentiations.

PGU Communication
Cost. The construction of PGU also only requires Oð1Þ rounds of communication. During Steps 2-5, the server sends m + 1 + n ciphertexts to the client, and the client sends 2n ciphertexts to the server. During Steps 7 and 8, the server sends q 2 ciphertexts to the client, and the client sends q 2 ciphertexts to the server. As a result, the total communication cost is Oðm + n + q 2 Þ ciphertexts.

PGU Server Computation Cost. In
Step 2, constructing the polynomial requires Oðm 2 Þ modular multiplication, and encrypting the coefficients requires OðmÞ modular exponentiations. In Step 4, decrypting n ciphertexts requires OðnÞ modular exponentiations, and encrypting n ciphertexts requires OðnÞ modular exponentiations. In Step 6, decrypting n ciphertexts requires OðnÞ modular exponentiations. In Step 7, encrypting each element in A requires Oðq 2 Þ modular exponentiations. In Step 9, decrypting each element in E ⊕ U requires Oðq 2 Þ modular exponentiations. As a result, the total computation cost for the server is Oðm + n + q 2 Þ modular exponentiations and Oðm 2 Þ modular multiplications.
6.2.6. PGU Client Computation Cost. In Step 3, obliviously evaluating the polynomial requires OðmnÞ modular exponentiations. Computing n homomorphic multiplication requires OðnÞ modular exponentiations. In Step 5, computing n homomorphic multiplication requires OðnÞ modular exponentiations. In Step 8, encrypting the each element in B requires Oðq 2 Þ modular exponentiations. Computing q 2 homomorphic addition and multiplication requires Oðq 2 Þ modular exponentiations and Oðq 2 Þ modular multiplication. As a result, the total computation cost for the client is Oðm n + q 2 Þ modular exponentiations and Oðq 2 Þ modular multiplications.
6.3. Leakage Analysis 6.3.1. PGI Leakage. As stated before, the proposed PGI leaks certain information about the private graphs, which is modeled as the leakage functions L 1 and L 2 . There are several techniques that can be used to reduce the amount of information leakage; however, it cannot be completely avoided.
In Step 2, the server constructs a polynomial P, such that all the roots of PðxÞ are exactly the elements in V S . After that, the server sends the encryptions of the coefficients of P to the client. In order to prevent the client from learning the exact vertex number of the server's graph, the server first randomly constructs an irreducible polynomial RðxÞ with degree d. The server then computes P ′ ðxÞ = PðxÞRðxÞ and uses P ′ ðxÞ instead of PðxÞ in Step 2. The polynomial P ′ ðxÞ has the same property as PðxÞ; therefore, it will not affect the result of the protocol. As a result, by counting the number of ciphertexts received, the client can only learn the upper bound of the vertex number of the server's graph, i.e., m + d.
In order to hide the exact vertex number of the client's graph, the client can randomly generate a set of h values from the message space of the Paillier cryptosystem in Step 3. After that, the client encrypts the random values and sends the encrypted random set to the server along with β ⊕ . Since the message space of the Paillier cryptosystem is large enough, the probability that a random value equals to an element in V S can be assumed as negligible. Therefore, the random values will not affect the result of the protocol, since they are not in the vertex intersection. As a result, by counting the number ciphertexts received in Step 3, the server can only learn the upper bound of the vertex number of the client's graph, i.e., n + h. 6.3.2. PGU Leakage. Similar as PGI, PGU also leaks partial information about the input graphs during the process, which is modeled as L 3 and L 4 .
In Step 2, the server can utilize the same technique, as introduced above, to hide the exact vertex number of his graph, and the client can only learn the upper bound instead, i.e., m + d. In Step 3, in order to hide the exact vertex number of the client's graph, the client generates k encryptions of zero and sends the ciphertexts along with β ⊕ . An encryption of zero in Step 3 indicates that a vertex in the client's graph also exists in the server's graph. In later steps, extra encryptions of zero will not affect the final result, since the vertex union between the two input graphs will remain the same. As a result, the server can only learn the upper bound of the vertex number of the client's graph, i.e., n + k, and the upper bound of the common vertex number, i.e., p + k.

Wireless Communications and Mobile Computing
In addition, we consider the case where the server sends a graph with small size to the client in Step 2. If the server's graph is small enough, i.e., only 1 vertex and no edge, the union of the graphs will be almost the graph of the client. To prevent the server from learning the client's graph in such a method, there are two points where the client can choose to end the protocol.
The first point is at Step 3. If the client receives a very small polynomial, the client can choose to end the protocol, and at this point, the server has not learned anything yet. However, if the server uses the technique stated above, the polynomial that the client receives will not give the exact size of the server's graph. In this case, the client can check if the vertex union received in Step 8 is almost the same as his vertex set V C . If V U ≈ V C , it means either the server has a very small graph or the vertices in both graphs are highly overlapping. At this point, the client can choose to end the protocol; however, the server has already learned the vertex set of the client.

Experiments
In order to evaluate the performances of the proposed PGI and PGU protocols, we implement the protocols and perform experiments over the Enron email dataset. All the experiments were conducted on two PCs with Intel Core i7-2600 4.2 GHz CPU, 16 GB RAM, and Windows 10 operat-ing system. (Due to the COVID-19 crisis, we cannot access the lab in the university at the moment, which contains the environment and equipment to perform the experiments on real mobile devices. As a result, the experiments are performed on a PC in this paper, and we will improve the experiments on mobile devices in later works.). The protocols are implemented in Python 3.6, and we used the phe library for the Paillier cryptosystem with a 1024-bit key length. 7.1. Dataset. The Enron email dataset is publicly available from the Stanford SNAP website (https://snap.stanford.edu/ data/). The dataset contains email communications of around half a million emails. In order to convert the dataset to a graph, the senders and the receivers of the emails are represented as vertices, and if vertex i sends at least one email to vertex j, there exists an undirected edge between i and j. The resulting graph has 36,692 vertices and 183,831 edges. In addition, each vertex of the graph is represented as a unique integer.

Evaluation of PGI.
When evaluating the performance of PGI, we randomly generate two subgraphs from the Enron email graph dataset and assign them to the server and the client, respectively. For each experiment, we set m and n to have the same value, and they increase from 1,000 to 10,000. Furthermore, the graphs of the server and the client are generated following the rule that 5% of the vertices are the same  between the two graphs. Figure 2(a) shows the computation time for the server and the client. As analyzed before, the computation costs for the server and the client are Oðm + n + p 2 Þ and Oðmn + p 2 Þ, respectively, where p is the number of vertices in the intersection of G S and G C . Therefore, the most dominant part of the computation costs for both the server and the client is most likely to be the number of common vertices between G S and G C . As shown in Figure 2(a), the computation time for both the server and the client grows quadratically as the number of common vertices increases. The detailed computation time for each step is shown in Table 2.
As shown in Table 2, the most time-consuming parts of PGI are Steps 5 and 6. In Step 5, the server performs p 2 Paillier encryptions, and in Step 6, the client performs p 2 homomorphic multiplications. Since the computations for both Steps 5 and 6 are highly parallelizable, the computation time can be greatly reduced if cluster computing is deployed.
The communication costs of PGI for both the server and the client are shown in Figure 2(b). As analyzed before, the   In addition, the communication costs are nearly the same for both the server and the client, and the overall communication cost for PGI is practical for the experimental dataset.

Evaluation of PGU.
When evaluating the performance of PGU, we first randomly generate a subgraph from the Enron email graph dataset as the graph union G U . Then, we randomly choose two subgraphs of G U and assign them to the server and the client, respectively. The numbers of the vertices in the subgraphs are 60% of the vertex number in G U ; therefore, both m and n will have the same value. For each experiment, the number of vertices in G U increases from 50 to 500. Figure 3(a) shows the computation time for the server and the client, and the detailed computation time for each step is shown in Table 3.
As analyzed before, the computation costs for PGU are Oðm + n + q 2 Þ and Oðmn + q 2 Þ for the server and the client, respectively, where q is the number of vertices in the union of G S and G C . Therefore, similar as PGI, the most dominant part of the computation costs for both the server and the client is most likely to be the number of vertices in G U .
As shown in Table 3, most of the computation time is spent in Steps 7 and 8. In Step 7, the server performs q 2 Paillier encryptions, and in Step 8, the client performs q 2 Paillier encryptions and q 2 homomorphic additions and multiplications. Similar as before, the above computations are highly parallelizable, and cluster computing will greatly optimize the computation time.
As shown in Figure 3(b), the communication cost of PGU is similar to PGI, and the communication costs for both the server and the client have a quadratic growth as the number of vertices in G U increases. For our experimental dataset, the overall communication cost for the PGU protocol is also practical.

Conclusion
In this work, we proposed two privacy-preserving graph operation protocols between two parties, which can be used for secure authentication for smart devices. The first protocol, PGI, allows a server and a client to jointly compute the intersection between their private graphs, while the second protocol, PGU, computes the union of the graphs. The protocols first use polynomial representation and oblivious polynomial evaluation to compute the intersection and union of the vertices. The intersection and union of the edges are then computed by using an additive homomorphic cryptosystem.
We proved that the proposed protocols are secure in the semihonest security model. In other words, a semihonest client learns nothing about the server's graph and a semihonest server learns nothing about the client's graph. We analyzed the leakages during the protocols for both the server and the client and modeled the leakages as leakage functions. At last, we implemented the constructions of the protocols and evaluated the efficiencies over real-word graph data.

Data Availability
The graph data used to support the findings of this study can be found at https://snap.stanford.edu/data/.

Conflicts of Interest
The authors declare that they have no conflicts of interest.