CP-ABE Based Privacy-Preserving User Profile Matching in Mobile Social Networks

Privacy-preserving profile matching, a challenging task in mobile social networks, is getting more attention in recent years. In this paper, we propose a novel scheme that is based on ciphertext-policy attribute-based encryption to tackle this problem. In our scheme, a user can submit a preference-profile and search for users with matching-profile in decentralized mobile social networks. In this process, no participant’s profile and the submitted preference-profile is exposed. Meanwhile, a secure communication channel can be established between the pair of successfully matched users. In contrast to existing related schemes which are mainly based on the secure multi-party computation, our scheme can provide verifiability (both the initiator and any unmatched user cannot cheat each other to pretend to be matched), and requires few interactions among users. We provide thorough security analysis and performance evaluation on our scheme, and show its advantages in terms of security, efficiency and usability over state-of-the-art schemes.


S1 Appendix
Proof of the Theorem 2 The construction of the simulator mentioned in theorem 1 is described as follows: Setup. The simulator first sets an integer u = 4q, chooses the integer k ∈ R {0, 1, 2, ..., n}(n = |A|), integer x , x ij ∈ R {0, 1, ..., u − 1}. Meanwhile, it chooses y , y ij ∈ R Z * P , 1 ≤ i ≤ n, 1 ≤ j ≤ m. All these parameters are kept by the simulator itself. For an attribute list L = {l 1 , l 2 , ..., l q }, we define For a given asymmetric DBDH tuple (g, g b , g c ,ĝ,ĝ a ,ĝ b , Z), the simulator setŝ g 1 =ĝ a ,ĝ 2 =ĝ b , g 2 = g b . Then the public parameterf =ĝ p−uk+x 2ĝ y , Phase 1. The adversary A will issue private key queries. Suppose A issues a query for an private key associated with attribute list L. if K(L) = 0 simulator aborts and randomly chooses its guess β of the challenger's value β. Otherwise, it chooses r ∈ R Z * p , and computes This simulator will be able to perform this computation iff F (L) = 0 mod p. For ease of analysis, the simulator will only continue (not abort) in the sufficient condition where K(L) = 0 (If we have K(L) = 0 this implies F (L) = 0 mod p since we can assume p > nm for any reasonable values of p, n, and m ).
Challenge. The adversary A next will submit two equal length messages M 0 , M 1 and two access policies W 0 , W 1 . The simulator flips two fair binary coin r and e. If x + aij ∈Wr x ij = uk, the simulator will abort and give a random guess β . Otherwise, F (W r ) ≡ 0 (mod p), and the simulator outputs the ciphertext T c = {ZM r , C 0 , C Clearly, if Z = e(g,ĝ) abc , the T c is a valid encryption of M associated with W r . Otherwise, Z just is a random element from G T , and the adversary is impossible to get any information about r and e.
Phase 2. The adversary A continues to issue private key queries with the requirement that the attribute list can not satisfy W 0 , W 1 . The simulator repeats the same method used in Phase 1.
Guess. The adversary A outputs a guess (r , e ) of (r, e) Artificial Abort. If the simulator has not aborted at this point it will check to see if the adversary's guess r = r and e = e . If r = r and e = e then the simulator outputs a guess β = 1, otherwise it outputs β = 0.
Intuitively, under the condition of Z = e(g,ĝ) abc , if A can always successfully guess r within a probability polynomial time, it means the simulator can resolve the asymmetric DBDH problem within a probability polynomial time as well, which contradicts to the assumption that the asymmetric DBDH is NP-hard. This simulator is difficult to be analyzed directly since it might abort before all of the queries are made.
The key point is that we should figure out an appropriate estimate of the simulator abort probability because P r[β = β] = P r[β = β|abort]P r[abort] + P r[β = β|abort]P r [abort]. Hereafter, we adopt the same proof method as in literature [22] and give out the same conclusion mentioned in theorem 1. Since the complete proof process is longer, we omit it here due to space limitation and direct the interested reader to [22].