LNAI 8933 - A Secure and Efficient Privacy-Preserving ... - Springer Link

4 downloads 6233 Views 640KB Size Report
In recent years, many researchers have dedicated substantial effort in designing ... The problem of private set intersection is, if Alice and Bob hold attributes SA .... Oblivious transfer (OT) is a protocol which allows a server to transfer one of.
A Secure and Efficient Privacy-Preserving Attribute Matchmaking Protocol in Proximity-Based Mobile Social Networks Solomon Sarpong and Chunxiang Xu Department of Computer Science University of Electronic Science and Technology of China Chengdu, China [email protected], [email protected]

Abstract. Since the advent of matchmaking protocols, many such protocols have been proposed. The bane of most of these protocols has been with the preservation of users privacy and reduce or remove completely the leaking of users private information. Most of the existing matchmaking protocols simply match-pair persons without checking if they have enough common attributes to be an appropriate pair. Also, in most matchmaking protocols, since the inputs are private, malicious participants may choose their sets arbitrarily and use this flexibility to affect the results or learn more about the input of an honest individual. As an improvement, we propose a novel hybrid matchmaking protocol. In this proposed protocol, the initiator sets a threshold number of common attributes that a-would-be pair should have to qualify as a match-pair. With the use of certification of attributes to ensure that the inputs are not arbitrary and a preset threshold number of common attributes defined, an initiator can adequately find pair(s) without leaking any private information. In addition to helping find the most appropriate pair, our proposed protocol also has the ability to resist semi-honest and malicious attacks. Keywords: Hybrid, threshold.

1

nonspoofability,

multiparty,

proximity-based,

Introduction

In recent years, many researchers have dedicated substantial effort in designing efficient mobile social network (MSN) protocols. This is to facilitate the sharing of sensitive and private information. The sharing of information should be such that there is no leakage and unauthorized persons should not know anything about the individuals information being shared. In lieu of this, the research community has foreseen the need for mechanisms to enable limited (privacypreserving) sharing of sensitive information and a number of effective solutions have been proposed. Among them, Private Set Intersection (PSI) techniques are particularly appealing for scenarios where two parties wish to compute an X. Luo, J.X. Yu, and Z. Li (Eds.): ADMA 2014, LNAI 8933, pp. 305–318, 2014. c Springer International Publishing Switzerland 2014 

306

S. Sarpong and C. Xu

intersection of their respective sets of items without revealing to each other any other information [1]. The advent of online social network has received a lot of attention as it provides the online community of users an information sharing platform. These MSN applications have been very successful because they attract millions of users, some of whom have little or no prior experience using such applications. With the pace at which the internet is growing and it being used for all sort of activities, privacy issues have become a major concern [4]. Increasing dependence on anytime-anywhere availability of data and the commensurately increasing fear of losing privacy motivate the need for privacy-preserving techniques. One interesting and common problem occurs when two parties need to privately compute an intersection of their respective sets of data. In doing so, one or both parties must obtain the intersection (if one exists), while neither should learn anything about other s data set. In most cases, since each party is not willing to disclose the content of its list, ordinary private set intersection protocols will not be appropriate. Privacy consideration of individual information is important in private set intersection however, authentication of users attributes is also an important issue. In light of this, authorisation of the input sets of the persons in the protocol is more appropriate as it prevents potent attack such as semi-honest attack. Hence, our research seeks to formulate a hybrid matchmaking protocol that is very efficient and secure against semi-honest and malicious attacks. The novelty of this proposed protocol is that, the initiator sets a threshold number of common attributes that individual(s) should have to qualify as a pair. Hence among the many would-be possible matching-pairs, the initiator will be able to find a pair(s) that has at least the threshold number of common attributes. When such individual(s) is found, apart from the matching-pair(s) that is privy to the number of common attributes, no one else does. After the matching-pair(s) have been found, they can then compute to know their actual attributes. The rest of this paper is organized as follows: in section 2 we take a brief look at private set intersection; also in section 3, we present related works. Our protocol together with the algorithms are presented in section 4. Also, the security and simulation of the algorithm are in section 5. Finally, we conclude this paper in section 6.

2

Private Set Intersection

Generally speaking, Private Set Intersection (PSI) is a cryptographic protocol that involves two individuals, say Alice and Bob, each with a private set of attributes. Their goal is to compute the intersection of their respective attributes, such that minimal information is revealed in the process. In other words, Alice and Bob should learn the attributes (if any) common to both sets and nothing else. The problem of private set intersection is, if Alice and Bob hold attributes SA and SB , respectively and want to compute the intersection of their attributes,

A Secure and Efficient Privacy-Preserving Attribute Matchmaking Protocol

307

their wish is to jointly compute the intersection in such a way that reveals as little as possible about SA to Bob and SB to Alice. In other words, both Alice and Bob should learn only SA ∩ SB but nothing more [10]. While this task could be completed with general secure multiparty techniques, it is far more efficient to have a dedicated protocol. A problem common to all these protocols is that the input attributes SA and SB can be chosen arbitrarily by Alice and Bob [1]. Hence, a dishonest person can therefore insert fabricated attributes in the set that s/he suspects the other individual might have. The intersection will reveal if the other person indeed has those attributes in his/her set. In order to address this issue, Authorized Private Set Intersection (APSI) and its variants [8], [24] and [25] ensure that each party can only use attributes certified by a certification authority in the intersection protocol. In [25], two parties are able to privately share their information while enforcing complex policies after each party s set has been authorised. In particular, we consider the scenario where two parties each hold a set of attributes and wish to find the intersection of their attributes without revealing other attributes that are not in the intersection. In such applications, it is important to ensure that attributes being exchanged are properly authenticated or authorized by a trusted authority in the intersection protocol [3]. When authorization is done, it thwarts dishonest behaviour. Hence, unless some form of authentication is required, a malicious individual can claim possession of fictitious attributes, in an attempt to find out whether the other individual possesses them. The problem of authentication of mutually suspicious parties is becoming more and more important in distributed systems. A user in a distributed system may not only need to verify the identity of the system, but may require that the system, or another user or node in the system, verifies itself to him/her. Moreover, both sides may require some degree of authentication before they release any information about themselves [4]. A trusted third party is used in such cases, however this may not be practical in a highly distributed system. But for well established reasons, this cannot be appropriate. The use of cryptographic matchmaking protocols allows users with various attributes to verify whether or not they have some attributes in common without revealing the attributes to each other or a third party. Certifying attributes restricts their input and hence reduces the strength of attacks from malicious individuals. Bob though malicious, will follow the protocol but as he wishes to learn as much as possible about the private set of Alice, can strategically populate his private set with all of his best guesses for Alice s private set and hence, his private set will be as large as possible. This maximizes the amount of information Bob learns about Alice s private set. In the extreme case, Bob may claim his private set contains all possible attributes, which will always reveal the private set of Alice. Bob may also vary his private set over multiple runs of the protocol, in order to learn more information over time. These attacks are even more powerful when the protocol can be executed anonymously. It must be noted that all these behaviours are permitted in any protocol which allows the individuals to choose their private inputs arbitrarily [12].

308

3

S. Sarpong and C. Xu

Related Work

In this section we will take a look at some previous works on matchmaking for mobile social networking, and then focus on reviewing cryptographic protocols for matchmaking. 3.1

Mobile Social Networking Applications

In private set intersection problem, two individuals each having a set of attributes compute the intersection of their attributes such that no individual learns information other than the intersecting attributes. Matchmaking protocol is a private set intersection problem where a match-pair is made by computing the intersection of their individual attributes. In some matchmaking protocols, there is the use of a trusted server. Such protocol applications can be found in [6], [15] and [16]. Another way is the fully distributed technique, which requires no trusted server in the whole matchmaking process. Matchmaking protocols in [5], [21] and [23] use such techniques. The attributes of the initiator and the candidates are shared among multi-parties using Shamir Secret Sharing Scheme, the computing of common attributes set are conducted among multi-parties as well [11]. The third technique in use is a hybrid, where a trusted centralized server is needed only for the purpose of management and verification, and it does not participate in the matchmaking operations. This mechanism can provide efficient matchmaking services with relatively high scalability. In [7], [11], [13], [19] and [26], are the protocols based on hybrid mechanisms designed to support privacy preserving matchmaking functions for MSN. In [9], with two persons involved in matchmaking, at the end of the protocol only one of them, say Alice, computes the intersection set. This may lead to information asymmetry as Alice may decide not to continue with the matchmaking after knowing the attributes of the other user. Furthermore as the proposed protocol is one way, several malicious attacks can be launched by the individuals in the protocols. This protocol was improved upon in [7] by removing the likelihood of malicious attack by persons involved in the protocol. Also, both persons in the protocol perform the intersection set. The proposed protocol does not take into consideration if the would-be pair has enough common attributes to qualify to be paired. In Wang et. al. [11], the proposed protocol lets a user (called initiator) find the best match among multi-parties (called candidates). In their protocol, the best match means the user that has the maximum intersection set size with the initiator. Also, Li et. al. [38] defined two increasing levels of privacy with decreasing amounts of revealed profile information. Using a set of privacy-preserving profile matching schemes for proximity-based mobile social networks, an initiating user can find from a group of other users the one whose profile best matches with him/her. Apart from [11] and [38], all the existing matchmaking protocols do not consider if the initiator and a user have enough common attributes before pairing them. Even these two papers that tried to match-pair users based on the number of attributes they have in common, simply assumed that the best match is the

A Secure and Efficient Privacy-Preserving Attribute Matchmaking Protocol

309

user (among other candidates) that has the maximum intersection set size with the initiator. It can be noted that these protocols are not very adequate as the best match does not necessarily mean the pair has enough common attributes to make a good pair. However in [26], privacy-preserving scalar computation was used to find a user that has at least a threshold number of common attributes with the initiator. If the number of common attributes is at least the threshold set by the initiator, they then become a match-pair. 3.2

Private Matchmaking Protocols

Oblivious transfer (OT) is a protocol which allows a server to transfer one of two items to client, such that the client can choose which item s/he wants, keep his/her choice hidden from server, and learn nothing about the other items. OT can be used to construct private set intersection protocols [18], [24] and [27]. These were improved upon by Kissner and Song [2]. Using threshold cryptosystem, they proposed efficient protocols to solve privacy preserving set intersection and privacy-preserving set matching problems. Thus, private set intersection (PSI) protocols enable two parties each holding a set of input to jointly compute the intersection of their inputs without leaking any other information. However these are less efficient than specialized protocols, and efficiency decreases when elements are chosen from larger domains hence, cannot be used in a distributed environment. Variants of this protocol can be found in [1] and [37]. In [36], there was the use of Shamir Secret Sharing to guarantee the privacy of the intersection set and prevent malicious attacks. Freedman et. al. [14] introduced the oblivious pseudorandom function based protocols, which implemented private set intersection and private cardinality of set intersection protocol based on pseudorandom function. Hazay and Lindell [17] using efficient secure protocols for set intersection and pattern matching, securely computed the set intersection functionality based on secure pseudorandom function evaluations, in contrast to previous protocols that are based on polynomials. In addition, utilizing specific properties of the Naor-Reingold pseudorandom function, a secure pseudorandom function evaluation in order to achieve secure pattern matching. In [18], there is an improvement in oblivious pseudorandom function. In [12], when individuals want to query the common items in their database, they compute the hash values of their individual items. They then exchange the hash values of their individual items. In this way, they are able to find the common items in their intersection without revealing any other items that are not in the intersection. Other researchers use commutative encryption to achieve private set intersection and private cardinality of set intersection. Agrawal et. al. [9], suggested the power function, fe (x) = xe mod p, as an example of a commutative encryption function.

310

4

S. Sarpong and C. Xu

Our Protocol

The quest of this paper is to propose a mutual matchmaking protocol that will help an initiator find the most appropriate pair(s) among other match-pair seekers. The initiator, Alice, sets a threshold number of common attributes, AT hreshold , that a person(s) should possess in order to qualify as a matchingpair. After the initiator and the other person(s) have calculated the number of attributes they have in common, if the number of common attributes is at least AT hreshold , then they become a match-pair. At this point the initiator and the other person(s) only know the number of attributes they have in common. In this protocol, some privacy levels are worth considering; Privacy level 1: At the end of the algorithm, Alice and the person(s) in the protocol mutually learn the size of their intersection set. An adversary should learn nothing. Privacy level 2: At the end of the protocol, Alice and the person(s) with at least AT hreshold number of attributes will mutually learn the actual attributes they have in common. An adversary should learn nothing. Table 1. Explanation to some notations used Notation AT hreshold Si σjk RA Rj | IAj | | IjA |

4.1

Explanation Threshold number of attributes set by Alice Certification of Alice s by CA; Si = H(IDA  ai )d modN Certification of Candidates by CA; σjk = H(IDj  bjk )d modN Random number chosen by Alice; RA ←−r ZN/2 Random number chosen by each candidate; Rj ←−r ZN/2 Number of attributes in the intersection between Alice and a Candidate Number of attributes in the intersection between a Candidate and Alice

Initial Phase

Our system consists of Y users (persons) denoted as P1 , ..., PY , each possessing a portable device. Each device of a person in the protocol communicate through wireless interfaces such as Bluetooth or WIFI. For simplicity, we assume every participating device is in the communication range of each other. Alice launches the matchmaking process to find an individual(s) that has at least the preset threshold number of common attributes, AT hreshold , among the other persons. Alice has a set of attributes {ai }, i = 1, . . . , n whilst each of the other j persons profile consists of a set of attributes {bjk }, j = 1, . . . , m; k = 1, . . . , p. Note that, we assume the system adopts some standard way to describe every attribute, so that two attributes are exactly the same if they are the same semantically. Table 1 explains some of the notations used in this paper. Creation of Secret Keys for Communication: The CA generates an RSA key pair, (e, d), and N = pq, where p = 2 · p + 1 and q = 2 · q  + 1; p, q, p and q  are large prime numbers. The CA makes N and e public. The CA also outputs a

A Secure and Efficient Privacy-Preserving Attribute Matchmaking Protocol

311

collision resistant cryptographic hash function H. Each person looking for a pair also creates RSA key pair (eY , dY ) and makes eY public. Each person further chooses a username and an ID. The ID is the hash of his/her RSA private key. Certification of Attributes: Let the attributes of Alice and the j individuals looking for a match-pair be a = {a1 , a2 , . . . , an } and bj = {bj1 , bj2 , . . . , bjp } respectively. Each person in the protocol then exponentiates the personal attributes using the public key of the CA. Alice s attributes hence becomes, ae = {ae1 , ae2 , . . . , aen }, whist the attributes of the individuals become bej = {bej1 , bej2 , . . . , bejp }, 1 ≤ j ≤ m. Alice, and the individuals, then encrypt their attributes, ID, username, and the public key pair of his/her RSA key using the public key of the CA and send it to the CA. Thus, Alice sends Ee {ae  IDA  username  RSApublickey, eA} to the CA. The individuals also send Ee {bej  IDj  username  RSApublickey, ej } to the CA. When the CA receives the attributes from the initiator and the individuals, the CA certifies them and sends them back to Alice and the individuals. Thus, the CA computes and sends A = {(a1 , S1 ), (a2 , S2 ), . . . , (an , Sn )} to Alice; where Si = H(IDA  ai )d modN . Also, the CA computes and sends Bj = {(bj1 , σj1 ), (bj2 , σj2 ), . . . , (bjp , σjp )} to each of the individuals; where σjk = H(IDj  bjk )d modN . This process is done just once for each person in the protocol. In the event that a person wants to update the attributes, s/he goes through the same process again. 4.2

Matchmaking Phase

Alice has private inputs A = {(a1 , S1 ), (a2 , S2 ), . . . , (an , Sn )} and for all i = 1, . . . , n, she chooses a random number RA:i ←−r ZN/2 and calculates MA:i = Si ·g RA:i modN . Alice then sends MA:i , i = 1, . . . , n to each individual. Thus, Alice sends MA:1  MA:2  . . .  MA:n to each individual. Each individual with private input Bj = {(bj1 , σj1 ), (bj2 , σj2 ), . . . , (bjp , σjp )} also chooses a random number RBj :k ←−r ZN/2 and calculates MBj :k = σjk · g RBj :k modN . The individuals then send MBj :k , j = 1, . . . , m; k = 1, . . . , p to Alice. Thus, each individual sends MBj :1  MBj :2  . . .  MBj :p to Alice. Alice further chooses and stores another random number, RA ←−r ZN/2 and after receiving MBj :k , j = 1, . . . , m; k = 1, . . . , p, Alice computes ZA = g eRA modN . Furthermore, for all j = 1, . . . , m and k = 1, . . . , p, Alice calculates  MBj :k = (MBj :k )eRA modN . Also, for all i = 1, . . . , n, Alice computes {ai }RA ,

RA RA A thus Alice computes the ordered set {aR 1 , a2 , . . . , an }. Using the random RA RA RA permutation ξA , Alice computes ξA {a1 , a2 , . . . , an } which reorders the set such that, it is not possible for anyone to know the actual order of the set in  polynomial time. Alice then sends ZA  MBj :k , j = 1, . . . , m; k = 1, . . . , p 

RA RA A ξA {aR 1 , a2 , . . . , an } to each individual. Each individual also chooses and stores a random number Rj ←−r ZN/2 and calculates Zj = g eRj modN . For  all i = 1, . . . , n, each individual then calculates MA:i = (MA:i )eRj modN . For all R R R k = 1, . . . , p, each individual computes the ordered set {bj1j , bj2j , . . . , bjpj }. Also,

312

S. Sarpong and C. Xu R

R

R

using the random permutation ξj each individual computes ξj {bj1j , bj2j , . . . , bjpj } which reorders the set such that, it is not possible for anyone to know the actual  order of the set in polynomial time. Each individual then sends Zj  MA:i , i = R R R 1, . . . , n  ξj {bj1j , bj2j , . . . , bjpj } to Alice. Alice then encrypts and sends her random number, RA , to each individual using their public keys. Thus, Alice sends Eej (RA ) to each individual. Also, each individual encrypts and sends his/her random number, Rj , to Alice using her public key. Thus, each individual sends EeA (Rj ) to Alice. Alice R R R R R R then computes, ξA {a1 A j , a2 A j , . . . , an A j } and each individual also computes R R R R R R ξj {bj1j A , bj2j A , . . . , bjpj A }.  Alice computes DA:i = MA:i · Zj−RA:i modN ∀i = 1, . . . , n and j = 1, . . . , m. R RA

After Alice has output DA:i = ξj {bj1j

R RA

, bj2j

R RA

, . . . , bmj R R

}, Alice finds the numR R

R R

ber of attributes in the intersection between ξA {a1 A j , a2 A j , . . . , an A j } and R R R R R R ξj {bj1j A , bj2j A , . . . , bjpj A }. Denoting the intersection between Alice and an individual by IAj , Alice can only know the number of attributes, | IAj | because of the random permutation ξj used by each of the individuals. Each individual com −R putes DBj :k = MBj :k · ZA j modN ∀ j = 1, . . . , m and k = 1, . . . , p. Also, after R R

R R

R R

each individual has output DBj :k = ξA {a1 A j , a2 A j , . . . , an A j }, each individR R R R ual finds the number of attributes in the intersection between ξj {bj1j A , bj2j A , R R

R R

R R

R R

. . . , bjpj A } and ξA {a1 A j , a2 A j , . . . , an A j }. Denoting the intersection between an individual and Alice by IjA , each individual can only know the number of attributes, | IjA | because of the random permutation ξA used by Alice. At the end of the algorithm, Alice outputs the number of attributes in the intersection, |IAj |, with each individual; likewise, each individual also outputs the number of attributes in the intersection, |IjA |, with Alice. Alice then checks which individuals intersection set is at least the threshold number of common attributes. Hence, the individual(s) with | IAj |≥ AT hreshold then becomes the match-pair of Alice. At this point, Alice and the individual(s) in the protocol know only the number of attributes they have in common. For simplicity, let us assume Bob was the only individual in the protocol who has the number of attributes that is at least AT hreshold . Alice and Bob at this point know only the number of attributes they have in common. Assume Bob s random permutation and random number are ξB and RB respectively. Also, the intersection set computed by Alice and Bob are IAB and IBA respectively. In order for them to know the actual attributes they have in common, they exchange their random permutations. Alice sends her random permutation −1 and hence EeB (ξA ) to Bob. With the knowledge of ξA , Bob can compute ξA RA RB RA RB RA RB RA RB RA RB A RB recover {a1 , a2 , . . . , an } from ξA {a1 , a2 , . . . , aR }. With n the knowledge of RA given to Bob by Alice in step 7, Bob is able to compute and know the actual attributes he has in common with Alice. Also, Bob sends his random permutation EeA (ξB ) to Alice. With the knowledge of ξB , Alice can compute −1 B RA B RA B RA B RA B RA ξB and hence recover {bR , bR , . . . , bR } from ξB {bR , bR ,..., m 1 2 1 2

A Secure and Efficient Privacy-Preserving Attribute Matchmaking Protocol

313

B RA bR }. With the knowledge of RB given to Alice by Bob in step 7, Alice is able m to compute and know the actual attributes she has in common with Bob.

Algorithm 1. Computing the Number of Common Attributes Require: Let {N, e, g, H} be inputs common to Alice and the individual(s) from the CA. 1: Private attributes of Alice, (a1 , a2 , . . . , an ); After certification, her private set becomes A = {(a1 , S1 ), (a2 , S2 ), . . . , (an , Sn )}, where Si = H(IDA  ai )d modN . 2: The j individuals with k attributes have private input, (bj1 , bj2 , . . . , bjp ); After certification, their private input set become Bj = {(bj1 , σj1 ), (bj2 , σj2 ), . . . , (bjp , σjp )}, where σjk = H(IDj  bjk )d modN . 3: For all i = 1, . . . , n, Alice chooses a random number RA:i ←−r ZN/2 and calculates MA:i = Si · gRA:i modN . Alice then sends MA:i , i = 1, . . . , n to each individual. 4: For all j = 1, . . . , m and k = 1, . . . , p, each individual chooses a random number RBj :k ←−r R

5:

ZN/2 and calculates MBj :k = σjk · g Bj :k modN . Each individual then sends MBj :k , j = 1, . . . , m, k = 1, . . . , p to Alice. Alice further chooses and stores another random number, RA ←−r ZN/2 , computes ZA:i = 

geRA modN . Alice then computes MBj :k = (MBj :k )eRA modN for all j = 1, . . . , m and k = 1, . . . , p. Also, for all i = 1, . . . , n, Alice computes {ai }RA , i = 1, . . . , n and randomly permutes it us ing the random permutation ξA . Alice then sends ZA  MB :k , j = 1, . . . , m; k = 1, . . . , p  j

6:

ξA {ai }RA , i = 1, . . . , n to each individual. Each individual further chooses and stores another random number, Rj ←−r ZN/2 computes 

ZBj :k = geRj modN and MA:i = (MA:i )eRj modN for all i = 1, . . . , n and j = 1, . . . , m. For all j = 1, . . . , m and k = 1, . . . , p, each individual computes {bjk }Rj and randomly permutes 

7:

8:

it using the random permutation ξj . Each individual then sends Zj  MA:i , i = 1, . . . , m  ξj {bjk }Rj , j = 1, . . . , m and k = 1, . . . , p to Alice. Alice then encrypts and sends her random number, RA , to each individual using their public keys. Thus, Alice sends Eej (RA ) to each individual. Also, each individual encrypts and sends his/her random number, Rj , to Alice using her public key. Thus, each individual sends EeA (Rj ) to Alice. R R R R R R Alice then computes, ξA {a1 A j , a2 A j , . . . , an A j } and the individuals also compute R RA

ξj {bj1j

9: 10: 11:

R RA

, bj2j

R RA

, . . . , bjpj

−RA:i modN j :k 

Alice

computes

R RA

R RA

, bj2j

and

outputs R RA

, . . . , bjpj R

|IAj |



A ∩ Bj

j :k

if

−RB :k j

· ZA:i ∃i, j

modN

and

k

s.t.

DA:i

=

}. The number of attributes she has in common with each in-

R

R

R

R

R

R R

R R

R R

dividual is |IAj | = ξA {a1 A j , a2 A j , . . . , an A j } ∩ ξj {bj1j A , bj2j A , . . . , bjpj A }. Each individual also computes and outputs |IjA | ∈ A ∩ Bj if ∃i, j and k s.t. DBj :k = R

ξA {a1 A

Rj

R

, a2 A

Alice is |IAj | =

5



For all k = 1, . . . , p each individual computes DBj :k = MB ξj {bj1j

12:

}

For all i = 1, . . . , n, Alice computes DA:i = MA:i · ZB

Rj

R

, . . . , an A

Rj

}. The number of attributes each individual has in common with

R R R R R R ξj {bj1j A , bj2j A , . . . , bjpj A }

R

∩ ξA {a1 A

Rj

R

, a2 A

Rj

R

, . . . , an A

Rj

}.

Security

In the algorithm, for all the attributes of Alice and the individual(s), the CA computes Si = H(IDA  ai )d modN and σjk = H(IDj  bjk )d modN respectively. This computation is to certify the input attributes of the persons in the protocol. By this, the attributes of Alice and the individual(s) in the protocol are bound to them. Hence, they cannot change or modify their attributes so as to gain more information from the others. This facilitates the security of this

314

S. Sarpong and C. Xu

protocol as the persons in the protocol cannot input attributes they do not possess. Alice and the individual(s) in each step in the algorithm ensure that the other cannot know the actual attributes they possess before the protocol ends. An individual may terminate the protocol before it ends if s/he is able to know the other persons personal attributes. In step 5 of the algorithm, Alice computes ξA {ai }RA , i = 1, . . . , n. The computation of ξA {ai }RA , i = 1, . . . , n makes it computationally impossible for any A individual to map aR to the corresponding attribute in ξA {ai }RA in polynoi mial time. Hence in step 8, there is no way any individual can know the actual attributes of Alice. Likewise, the computation of ξj {bjk }Rj , j = 1, . . . , m; k = R 1, . . . , p makes it computationally impossible for Alice to map bjkj to the corresponding attribute in ξj {bjk }Rj in polynomial time. Hence in step 8, there is no way Alice can know the actual attributes of any of the individual(s). At the end of the protocol, Alice outputs |IAj | ∈ A ∩ Bj if ∃i, j and k s.t. R R R R R R DA:i = ξj {bj1j A , bj2j A , . . . , bjpj A }. Hence, Alice actually outputs:  DA:i = MA:i ·Zj−RA:i modN = (MA:i )eRj ·Zj−RA:i modN = (MA:i )eRj ·(g eRj )−RA:i eR

modN = (Si · g RA:i )eRj · (g eRj )−RA:i modN = Si j · g eRA:i Rj · g −eRj RA:i modN eR = Si j modN = [(H(IDA  ai ))d ]eRj modN = [H(IDA  ai )]Rj modN . From R R R R R R Alice s output of DA:i = ξj {bj1j A , bj2j A , . . . , bjpj A }, it can be observed that R R

R R

R R

H(IDA  ai )Rj modN = ξj {bj1j A , bj2j A , . . . , bjpj A }. Each individual at the end of the protocol computes and outputs |IjA | ∈ A∩Bj R R R R R R if ∃i, j and k s.t. DBj :k = ξA {a1 A j , a2 A j , . . . , an A j }. Also, each individual  R R R R R R −R actually outputs; DBj :k = ξA {a1 A j , a2 A j , . . . , an A j } = MBj :k · ZA j modN eRA · = (MBj :k )eRA · (g eRA )−Rj modN = (σjk · g Rj )eRA · (g eRA )−Rj modN = σjk eRA eRA Rj −eRA Rj d eRA ·g modN = σjk modN = [H(IDj  bjk ) ] modN = H(IDj  g R R

R R

bjk )RA modN . From the output of the individuals, DBj :k = ξA {a1 A j , a2 A j , . . . , R R R R R R an A j }, it can be observed that H(IDj  bjk )RA modN = ξA {a1 A j , a2 A j , . . . , RA Rj }. an Correctness of the Protocol: The protocol is correct since for Alice, as DA:i = R R R R R R R R R R ξj {bj1j A , bj2j A , . . . , bjpj A } , hence H(IDA  ai )Rj modN = ξj {bj1j A , bj2j A , R RA

. . . , bjpj

R RA

}. Also, for each individual, since DBj :k = ξj {bj1j

hence H(IDj  bjk )

RA

modN =

R RA

, bj2j

R RA

, . . . , bjpj

},

R R R R R R ξA {a1 A j , a2 A j , . . . , an A j }.

Achievement of Privacy Levels: Privacy level 1 is achieved in steps 11 and 12 of the algorithm. Alice computes R R R R R R and outputs H(IDA  ai )Rj modN = ξj {bj1j A , bj2j A , . . . , bjpj A }. Alice is then able to compute the number of attributes she has in common with each individual R R R R R R R R R R R R by computing ξA {a1 A j , a2 A j , . . . , an A j }∩ξj {bj1j A , bj2j A , . . . , bjpj A }. This only allows Alice to know the number of attributes she has in common with each individual. In like manner, each individual also computes and outputs H(IDj 

A Secure and Efficient Privacy-Preserving Attribute Matchmaking Protocol R R

R R

315

R R

bjk )RA modN = ξA {a1 A j , a2 A j , . . . , an A j }. Each individual is also able to compute the number of attributes s/he has in common with Alice by computing R R R R R R R R R R R R ξA {a1 A j , a2 A j , . . . , an A j } ∩ ξj {bj1j A , bj2j A , . . . , bjpj A }. This output also enables each individual to know the number of attributes s/he has in common with Alice. Privacy level 2 is achieved after they have securely exchanged their random permutations to enable them find the actual attributes they have in common. Attacks on the Protocol and Countermeasures: In this protocol, attacks by persons outside the protocol is not possible. The structure of the algorithm coupled with the certification of private input attributes further prevents malicious and semi-honest attacks. Alice s private input set and the individuals private input sets are certified by the CA hence, only certified set of attributes are used in the protocol. This is to ensure that the attributes used by the persons in the protocol, they really possess them. Thus the certification prevents cheating (semi-honest attacks) by the persons in the protocol. Our protocol is collusion resistant. In this protocol, the individuals are unaware of the presence of others. Thus, each individual executes the protocol with the initiator independently without the knowledge of other individuals in the protocol. In lieu of this, the protocol guards against collusion attacks. Also, as the matched-pair will eventually know the type of common attributes s/he has with the other individual, to a large extent user profiling cannot be prevented but minimized. Nonspoofability of the other users attributes is another characteristic of our protocol. As the attributes of the persons in the protocol are certified, an individual cannot query another s attributes without his/her knowledge. 5.1

Simulation

Simulation for our matchmaking algorithm was conducted in java. We focused only on the execution time without considering the communication time. In this simulation, the execution time is mainly decided by the number of participants and the number of attributes they possess. The prime numbers p and q we chosen to be 1024 bits with RSA modulus of 1024 bits. Also, each attribute was represented by 64 bits. We simulated the algorithm on an i5 PC which has 2.67 GHz processor with 2G RAM. In order to get more accurate execution time, an average of 60 repeated execution times was computed. In the experiment, we considered varying number of users, j = 1, 5, 10, 15, 20. The initiator has the same number of attributes whilst the number of attributes each user has equals k = 10, 15, 20, 25, 30. Fig. 1 shows the execution times for the different number of user with varying number of attributes. The x-axis shows the number of users and the y-axis shows the execution time. The graph shows the execution times for the varying number of users and users attributes. It can be observed that the execution times increases as the number of users and attributes increase.

316

S. Sarpong and C. Xu

Fig. 1. Comparison of execution time for the number of attributes

6

Conclusion

With the increasing popularity of mobile social networks, it is important to develop secure and privacy-preserving attribute matchmaking protocols that will enable users to effectively find matching-pairs and interact with each other. By this proposed protocol, an initiator can find the best match from among many potential pair-seekers without leaking any private information.

References 1. Ateniese, G., De Cristofaro, E., Tsudik, G. (If) size matters: Size-hiding private set intersection. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 156–173. Springer, Heidelberg (2011) 2. Kissner, L., Song, D.: Privacy-preserving set operations. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 241–257. Springer, Heidelberg (2005) 3. De Cristofaro, E., Tsudik, G.: Practical private set intersection protocols with linear complexity. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 143–159. Springer, Heidelberg (2010) 4. De Cristofaro, E., Lu, Y., Tsudik, G.: Efficient techniques for privacy-preserving sharing of sensitive information. In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 239–253. Springer, Heidelberg (2011) 5. Yang, Z., Zhang, B., Dai, J., Champion, A., Xuan, D., Li, D.: Esmalltalker: A distributed mobile system for social networking In physical proximity. In: IEEE, ICDCS, pp. 468–477 (2010)

A Secure and Efficient Privacy-Preserving Attribute Matchmaking Protocol

317

6. Eagle, N., Pentland, A.: Social Serendipity: Mobilizing Social Software. In: IEEE Pervasive Computing, Special Issue: The Smartphone, pp. 28–34 (2005) 7. Xie, Q., Hengartner, U.: Privacy-Preserving Matchmaking for Mobile Social Networking Secure Against Malicious Users. In: Proc. 9th Int l. Conf. on Privacy, Security (PST), and Trust 2011, pp. 252–259 (2011) 8. De Cristofaro, E., Kim, J., Tsudik, G.: Linear-complexity private set intersection protocols secure in malicious model. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 213–231. Springer, Heidelberg (2010) 9. Agrawal, R., Evfimievski, A., Srikant, R.: Information Sharing Across Private Databases. In: Proc. of SIGMOD, pp. 86–97 (2003) 10. Camenisch, J., Zaverucha, G.M.: Private intersection of certified sets. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 108–127. Springer, Heidelberg (2009) 11. Wang, Y., Zhang, T., Li, H., He, L., Peng, J.: Efficient Privacy Preserving Matchmaking for Mobile Social Networking against Malicious Users. In: IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 609–615 (2012) 12. De Cristofaro, E., Jarecki, S., Kim, J., Tsudik, G.: Privacy-preserving policy-based information transfer. In: Goldberg, I., Atallah, M.J. (eds.) PETS 2009. LNCS, vol. 5672, pp. 164–184. Springer, Heidelberg (2009) 13. De Cristofaro, E., Durussel, A., Aad, I.: Reclaiming Privacy for Smartphone Applications. In: IEEE International Proc. of Pervasive Computing and Communications (PerCom), pp. 84–92 (2011) 14. Freedman, M.J., Nissim, K., Pinkas, B.: Efficient private matching and set intersection. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 1–19. Springer, Heidelberg (2004) 15. Kjeldskov, J., Paay, J.: Just-for-Us: A Context-Aware Mobile Information System Facilitating Sociality. In: Proc. 7th International. Conf. on Human Computer Interaction with Mobile Devices and Services, pp. 23–30 (2005) 16. Li, K., Sohn, T., Huang, S., Griswold, W.: PeopleTones: A System for the Detection and Notification of Buddy Proximity on Mobile Phones. In: Proc. 6th Intl. Conf. on Mobile Systems (MobiSys), pp. 160–173 (2008) 17. Hazay, C., Lindell, Y.: Efficient Protocols for Set Intersection and Pattern Matching with Security Against Malicious and Covert Adversaries. Journal of Cryptology 23(3), 422–456 (2010) 18. Jarecki, S., Liu, X.: Efficient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 577–594. Springer, Heidelberg (2009) 19. Lu, R., Lin, X., Shen, X.: SPOC: A secure and privacy-preserving opportunistic computing framework for mobile-health emergency. IEEE Transactions on Parallel and Distributed Systems 24(3), 614–624 (2013) 20. Dachman-Soled, D., Malkin, T., Raykova, M., Yung, M.: Efficient robust private set intersection. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 125–142. Springer, Heidelberg (2009) 21. Liu, M., Lou, W.: FindU: Privacy-preserving personal profile matching in mobile social networks. In: Proc. of Infocom (2011) 22. Lu, R., Lin, X., Liang, X., Shen, X.: Secure handshake with symptoms-matching: the essential to the success of mhealthcare social network. In: Proc. BodyNets (2010)

318

S. Sarpong and C. Xu

23. De Cristofaro, E., Tsudik, G.: Practical private set intersection protocols with linear complexity. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 143–159. Springer, Heidelberg (2010) 24. Camenisch, J., Kohlweiss, M., Rial, A., Sheedy, C.: Blind and anonymous identitybased encryption and authorised private searches on public key encrypted data. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 196–214. Springer, Heidelberg (2009) 25. Stefanov, E., Shi, E., Song, D.: Policy-enhanced private set intersection: Sharing information while enforcing privacy policies. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 413–430. Springer, Heidelberg (2012) 26. Sarpong, S., Xu, C.: A Secure and Efficient Privacy-preserving Matchmaking for Mobile Social Network. In: International Conference on Computer, Network Security and Communication Engineering (CNSCE), pp. 362–366 (2014) 27. Rabin, M.: How to exchange secrets by oblivious transfer, Tech. Rep. TR-81, Harvard Aiken Computation Laboratory (1981) 28. De Cristofaro, E., Jarecki, S., Kim, J., Tsudik, G.: Privacy-preserving policy-based information transfer. In: Goldberg, I., Atallah, M.J. (eds.) PETS 2009. LNCS, vol. 5672, pp. 164–184. Springer, Heidelberg (2009) 29. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) 30. Hazay, C., Lindell, Y.: Efficient Protocols for Set Intersection and Pattern Matching with Security Against Malicious and Covert Adversaries. Journal of Cryptology 23(3), 422–456 (2010) 31. Lin, H., Chow, S.S.M., Xing, D., Fang, Y., Cao, Z.: Privacy preserving friend search over online social networks. Cryptology EPrint Archive (2011), http://eprint.iacr.org/2011/445.pdf 32. Camenisch, J., Kohlweiss, M., Rial, A., Sheedy, C.: Blind and anonymous identitybased encryption and authorised private searches on public key encrypted data. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 196–214. Springer, Heidelberg (2009) 33. Sun, J., Zhu, X., Fang, Y.: A privacy-preserving scheme for online social networks with efficient revocation. In: Proceedings of the IEEE Conference on Computer Communications (INFOCOM 2010), pp. 1–9. 34. Li, M., Cao, N., Yu, S., Lou, W.: FindU: Privacy-preserving personal profile matching in mobile social networks. In: Proc. of IEEE Infocom, pp. 2435–2443 (2011) 35. Pietil¨ ainen, A., Oliver, E., LeBrun, J., Varghese, G., Diot, C.: Mobiclique: middleware formobile social networking. In: Proceedings of the 2nd ACM Workshop on Online Socialnetworks, pp. 49–54. ACM (2009) 36. De Cristofaro, E., Lu, Y., Tsudik, G.: Efficient techniques for privacy-preserving sharing of sensitive information. In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 239–253. Springer, Heidelberg (2011) 37. Dachman-Soled, D., Malkin, T., Raykova, M., Yung, M.: Efficient robust private set intersection. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 125–142. Springer, Heidelberg (2009) 38. Li, M., Yu, S., Cao, N., Lou, W.: Privacy-Preserving Distributed Profile Matching in Proximity-based Mobile Social Networks. IEEE Transactions on Wireless Communications 12(5), 2024–2033 (2013)