Distributed Multi-authority Attribute-Based Encryption for Secure Friend Discovery and Data Sharing in Mobile Social Networks

Abstract

With the rapid development of mobile social networks and cloud servers, more and more people will outsource their personal profiles for sharing in cloud. Compared to traditional web-based online social networks, the mobile social networks can assist users to easily discover and make new social interaction with others. To keep the shared data confidential against untrusted cloud service providers and solve the problem of single point failure as well as performance bottleneck, we propose a secure distributed multi-authority attribute-based encryption scheme without central authority, so as to provide not only fine-grained access control, but also high security and performance. By employing this scheme, users can achieve fine-grained access control and privacy preserving.

Fang Qi and Wenbo Wang are co-first authors. These two authors contribute equally to this study.

1 Introduction

With the explosive growth of mobile social networks and cloud services, users can remotely access the data shared in cloud anytime and anywhere, using any device. Outsourcing data into the cloud provides great convenience to users for they do not need to consider the large investment in both the deployment and management of the hardware infrastructure. In mobile social networks, sharing data in cloud offers users opportunities to enjoy the online activities, for example, by sharing photos, users can appreciate the beauty of other places without actually being there. However, allowing the cloud servers to take part in the computation and communication processes, raises underlying security and privacy issues that will result in a series of unexpected consequences. For instance, the untrustworthy third parties may collude to get the confidential information about a user and sell it to make a profit. Hence, a natural way to keep sensitive data confidential is to store only the encrypted data in cloud.

In recent years, many private matching schemes have been proposed to solve this problem. Among these schemes, some protect user’s privacy based on trusted third party (TTP) [10, 11, 13, 18], the other is TTP-free [8, 14, 17]. Although, this kind of approaches can achieve profile matching without the support of TTP, they have some disadvantages. The reliance on public-key crytosytem and homomorphic encryption [4, 10, 12, 18] requires multiple rounds of interaction which causes high communication and computation overhead. Moreover, matched and unmatched users are all involved in the expensive computation and learn the matching result. Many schemes have been proposed to protect the privacy information. The technique of group signature [3, 9] is widely used. In this kind of schemes, each visitor needs to be allocated a special group signature, which will cause huge amount of computation cost. Li et al. [8] propose a private matching scheme based on the common interests, which is not fine-grained. Zhang et al. [18] present a fine-grained private matching scheme but fail in considering the priority related to every attribute and they employ the homomorphic encryption which is resource consuming on mobile devices. Qi et al. [14] employ an asymmetric-scalar-production based on kNN query, but the presentation of interests is too single to get an accurate result. Moreover, the widely used technique of group signature [7, 15] always costs huge volume of computational resources on users’ hand-held devices, and the access control based on the key-policy attribute-based encryption [5] is not efficient enough. In addition, if any server or TTP is compromised, the confidentiality of the stored data may be compromised, too. Therefore, considering the powerful computational as well as storage ability of the TTP and cloud server, the main point of our work is to design an efficient privacy-preserving and fine-grained friend discovery system based on the combination of TTP and cloud server.

In this paper, the flexible encryption scheme, ciphertext-policy attribute-based encryption (CP-ABE) [2], is adopted to provide a fine-grained access control for the encrypted data. CP-ABE allows to encrypt data specifying an access policy over attribute, so that only users who satisfying the policy can decrypt the corresponding data [16]. For example, the access policy is designed as \((a_1\wedge a_2)\vee a_3\) means that a user who has attribute \(a_1\) and \(a_2\) or a user with attribute \(a_3\) can decrypt the data.

We design a distributed multi-authority scheme without central authority, the scheme can significantly relieve the users’ trust on a single authority and is secure against collusion attack as well as chosen-plaintext attack. The applicability of system also has been increased. Our contributions are as follows:

• \(\cdot \) We propose a distributed multi-authority attribute-based encryption scheme without central authority, which can significantly reduce the risk of single point failure and performance bottleneck.

• \(\cdot \) The proposed scheme can achieve fine-grained access control, only the user who satisfies the access policy can decrypt the corresponding ciphertext.

• \(\cdot \) By combining the powerful computation and storage ability of cloud, the overhead on users’ ends can be largely decreased.

The remainder of this paper is organized as follows. Preliminaries are introduced in Sect. 2. We propose our scheme in Sect. 3, followed by the performance evaluations in Sect. 4. Finally, we conclude our work.

2 Preliminaries

2.1 System Model

We assume that the system is composed of the following parts: the cloud servers, attribute authority (AA), data owner and visitor. The shared data which is outsourced in the encrypted form into the cloud by data owner, each visitor has a global identifier \( gid \in GID \), where the GID is the identity set of all registered users. The cloud servers that store huge volumes of shared data and operate the computation process, and n attribute authorities (\(AA_1, ...,AA_n\)) manage a set of attributes \( {U_i}({U_i} \cap {U_j} = \emptyset \mathrm{{ }} \wedge \mathrm{{ }}U = \cup _{i = 1}^n{U_i}) \) (\( i,j \in \{ 1,2,...,n\} \wedge i \ne j \)) and are responsible for generating keys for users. Each visitor with attribute set \( \varLambda \) will obtain their keys from the corresponding \( AA_n \). We assume that all the authorities are run by different organizations and governed by the government. Figure 1 illustrates the system model.

Fig. 1.

Data sharing in mobile social networks

2.2 Bilinear Mapping

Suppose p is a prime number, both \(\mathbb {G}\) and \(\mathbb {G}_T\) are multiplicative cyclic groups of the order p, g is the generator of \(\mathbb {G}\). e is a bilinear map: \( e:\mathbb {G} \times \mathbb {G} \rightarrow \mathbb {G_T} \). Bilinear mapping possesses the following characteristics:

1. 1.

   bilinearity: \( \forall x,y \in {\mathbb {G}_1} \) and \( a,b \in {Z_q} \), there is \( e({x^a},{y^b}) = e{(x,y)^{ab}} \)

2. 2.

   computability: \( \forall {u_1},{u_2},v \in {\mathbb {G}_T} \), there exists a computable algorithm \( e({x^a},{y^b}) = e{(x,y)^{ab}} \)

3. 3.

   non-degeneracy: for \( g \in \mathbb {G} \), \( e(g,g) \ne 1 \)

2.3 Adversary Model

In the profile matching process, there usually exist two main adversary models: honest but curious adversaries model [19] and malicious model [6].

The honest-but-curious adversary is a legitimate user who will honestly follow the protocol but will try to learn more information than allowed from legitimately received message. In this paper, we assume that the attacker is more interested in the private information of mobile social network users. At the same time, we suppose the data owner and visitor are honest-but-curious users.

The malicious adversary is a user who does not honestly obey the protocol and launch some active attacks to learn more information than allowed. These adversaries behave arbitrarily such as denial-of-service (DoS) and continuous fake-profile attacks.

In this paper, we mainly focus on the honest-but-curious adversaries; those active attacks are not in the scope of this paper.

3 Proposed Scheme

3.1 System Initialization

\(\mathbb {G}\) and \( \mathbb {G}_N \) are bilinear cyclic groups with the order \( N=p_1p_2 \), where \( {p_1},{p_2} \) are distinct big prime numbers. \( {\mathbb {G}_p}_i \) is the subgroup of \( \mathbb {G}_N \) with order \( p_i \), \( g_1 \) is the generator of \( {\mathbb {G}_p}_1 \) and \( g_2 \) is the generator of \( {\mathbb {G}_p}_2 \). On input the security parameter \(\lambda \), the initialization algorithm randomly chooses \( h{ \in _R}{\mathbb {G}_{{p_1}}} \) and the global parameter is published as:

$$\begin{aligned} GP=(N,g_1,g_2,h) \end{aligned}$$

(1)

For each \(AA_k\), inputs GP, \( AA_k \)’s index k and the attribute universe \( U_k \) belonging to \( AA_k \). For each att in \( U_k \), \( AA_k \) randomly selects \( {s_{att}, v_{k}, \alpha _k, a_k }{ \in _R}{\mathbb {Z}_N} \), then computes \( {T_{att}} = {g^{{s_{att}}}} \) and \({V_{k}} = {g^{{v_{k}}}} \). The master key is:

$$\begin{aligned} MK_k=(v_{k}, \alpha _k, a_k, \{s_{att}|att \in U_k\}) \end{aligned}$$

(2)

and the public key is published as:

$$\begin{aligned} PK_k=(V_k, g^{a_k}, e(g,g)^{\alpha _k}, \{T_{att}|att \in U_k\}) \end{aligned}$$

(3)

where \( e:\mathbb {G} \times \mathbb {G} \rightarrow \mathbb {G_N} \) is a bilinear map.

3.2 Encryption

This algorithm is performed on the data owner’s end. The data owner designs the access policy that defines the special attributes that the visitors need to satisfy. The access policy is embedded in the ciphertext so that before decrypting the decryption can verify whether the visitor is qualified.

Data owner inputs GP, \(PK_k\), the plaintext of data M and access policy \( \mathbb {A} = (A,\rho ) \). \( (A,\rho ) \) a linear secret-sharing scheme (LSSS) [1] matrix, where A is a \( l \times n \) matrix and \( \rho \) will map each row \( A_x \) in A to get an attribute \( \rho (x) \). \( \rho \) is required that when mapping different row, the attribute must not be the same. Randomly chooses a vector \( {\varvec{v}} = (s,{v_2},...,{v_n}) \in \mathbb {Z}_N^n \). These valuses will be used to share the encryption exponent s. For each \(x \in \{1,2,...,l\}\), the algorithm randomly selects \(r_x \in \mathbb {Z}_N\). The ciphertext is:

$$\begin{aligned} \begin{aligned} CT&= (M\prod \limits _{k = 1}^n {e{{(g,g)}^{{\alpha _k}s}}}, C'=g^s, C''_k=g^{{\alpha }_ks}, \\&\forall x \in {1,2,...,l}: ~~ \{ {C_x} = {h^{{A_x}{\varvec{v}}}}T_{\rho (x)}^{\frac{1}{{{r_x}}}}, C'_x=g^{r_x}\}) \end{aligned} \end{aligned}$$

(4)

Along with the access policy \(\mathbb {A}\), data owner outsources the ciphertext to the cloud.

3.3 Key Generation

Suppose a visitor wants to visit some data with certain characteristics, he/she will set up an attribute set \(\varLambda \). To meet the security and efficiency requirements, all attributes in \(\varLambda \) will be split into n different shares and distributed to n different attribute authorities.

Visitor submits his/her identifier gid, attribute set \(\varLambda \) to the attribute authority \(AA_k\) for requesting a pair of secret keys \(<SK_k^1, SK_k^2>\). \(AA_k\) randomly selects \(c_k \in \mathbb {Z}^*_N\), \(r_k \in \mathbb {Z}_N\), \(\beta _k, \beta _k', \beta _k'' \in \mathbb {G}_{p_2} \). Then it creates the \(SK_k^1\) as:

$$\begin{aligned} \begin{aligned} SK_k^1 =\,&({g^{\frac{{{a_k}}}{{{\alpha _k} + {c_k}}}}}h_k^{{r_k}}{\beta _k}, {c_k}, \\ {L_k} =\,&g_k^{{r_k}}{\beta '_k},{L'_k} = ({g^{{a_k}}})_{}^{{r_k}}{\beta ''_k}) \end{aligned} \end{aligned}$$

(5)

For each attribute \( att \in {U_k} \cap \varLambda \), \(AA_k\) randomly chooses \(\varGamma _k \in \mathbb {G}_{p_2} \), \(\beta '_{att} \in \mathbb {G}_{p_2}\), \(AA_k\) computes

$$\begin{aligned} \begin{aligned} S{K_{att,k}}&= {(V_k^{({a_k} + {c_k}){r_k}}{\varGamma _k})^{\frac{{{s_{att}}}}{{{v_k}}}}}{{\beta '}_{att}}\\&= T_{att}^{({a_k} + {c_k}){r_k}}\varGamma _k^{\frac{{{s_{att,k}}}}{{{v_k}}}}{{\beta '}_{att}} \end{aligned} \end{aligned}$$

(6)

So the \(SK_k^2\) is defined as:

$$\begin{aligned} SK_k^2=({g^{\frac{{{\alpha _k} - {a_k}}}{{{\alpha _k} + {c_k}}}}}h_k^{{r_k}}{\beta _k}, \{S{K_{att,k}}|att \in \varLambda \}) \end{aligned}$$

(7)

3.4 Decryption

When a visitor wants to visit certain data, first, he/she must satisfy the access policy designed by the data owner. If the visitor’s attribute set \( \varLambda \) satisfies the access policy \( \mathbb {A}=(A,\rho ) \), which means there exists constants \( {\omega _x} \in {\mathbb {Z}_N} \) and \( {\sum _{\rho (x) \in \varLambda }}{\omega _x}{A_x} = (1,0,...,0) \). If \(\varLambda \) fails in the access policy, the algorithm will output \( \bot \), which means \(\varLambda \) dose not satisfy the access policy, the visitor cannot decrypt the ciphertext and continue the following steps.

If the verification is passed, then the visitor will input \(<SK_k^1,SK_k^2>\), then computes:

$$\begin{aligned} \begin{aligned}&\frac{{e({{(C')}^{{c_k}}},{g^{\frac{{{a_k}}}{{{\alpha _k} + {c_k}}}}}h_k^{{r_k}}{\beta _k})}}{{\prod \nolimits _{\rho (x) \in \varLambda } {{{(e({C_x},L_k^{{c_k}})e({{C'}_x},S{K_{\rho (x),k}}))}^{{\omega _x}}}} }} \\ =\,&\frac{{e({{({g^s})}^{{c_k}}},{g^{\frac{{{a_k}}}{{{\alpha _k} + {c_k}}}}}h_k^{{r_k}}{\beta _k})}}{{\prod \nolimits _{\rho (x) \in \varLambda } {{{(e({h^{{A_x}{\varvec{v}}}}T_{\rho (x)}^{\frac{1}{{{r_x}}}},{{(g_k^{{r_k}}{{\beta '}_k})}^{{c_k}}})e({g^{{r_x}}},S{K_{\rho (x),k}}))}^{{\omega _x}}}} }} \\ =\,&e{(g,g)^{{a_k}s}} \end{aligned} \end{aligned}$$

(8)

and computes

$$\begin{aligned} \begin{aligned}&\frac{{e({{(C')}^{{c_k}}},{g^{\frac{{{\alpha _k} - {a_k}}}{{{\alpha _k} + {c_k}}}}}h_k^{{r_k}}{\beta _k})}}{{\prod \nolimits _{\rho (x) \in \varLambda } {{{(e({C_x},L_k^{{c_k}})e({{C'}_x},S{K_{\rho (x),k}}))}^{{\omega _x}}}}}} \\ =\,&\frac{{e({{({g^s})}^{{c_k}}},{g^{\frac{{{\alpha _k} - {a_k}}}{{{\alpha _k} + {c_k}}}}}h_k^{{r_k}}{\beta _k})}}{{\prod \nolimits _{\rho (x) \in \varLambda } {{{(e({h^{{A_x}{\varvec{v}}}}T_{\rho (x)}^{\frac{1}{{{r_x}}}},{{(g_k^{{r_k}}{{\beta '}_k})}^{{c_k}}})e({g^{{r_x}}},S{K_{\rho (x),k}}))}^{{\omega _x}}}} }} \\ =\,&e{(g,g)^{({\alpha _k} - {a_k})s}} \end{aligned} \end{aligned}$$

(9)

Finally, the visitor can recover the plaintext:

$$\begin{aligned} \begin{aligned} M&= \frac{{CT}}{{\prod {_{k = 1}^n(e{{(g,g)}^{{a_k}s}}e{{(g,g)}^{({\alpha _k} - {a_k})s}})} }} \\ {}&= \frac{{M\prod \limits _{k = 1}^n {e{{(g,g)}^{{\alpha _k}s}}}}}{{\prod {_{k = 1}^n(e{{(g,g)}^{{a_k}s}}e{{(g,g)}^{({\alpha _k} - {a_k})s}})} }} \\ {}&= M \end{aligned} \end{aligned}$$

(10)

4 Performance Analysis

In this section, we evaluate the proposed scheme with several existing works in terms of efficiency and practicability. Since the cloud is generally assumed to be resource abundant, we mainly focus on the computation and communication overhead loaded on both the data owner and visitor’s ends.

We conduct the experiments on a laptop with 1.6 GHz processor and 2 GB RAM, and the simulation code was written in C++. We perform the comparisons between Boyen [3], Liang [9] and our scheme. The size of attributes set is fixed in 30 and n denotes the number of participated visitors.

Fig. 2.

Communication overhead

Fig. 3.

Computation cost on data owner’s end

Fig. 4.

Computation cost on visitor’s end

Figure 2 represents the communication overhead comparison among Boney’s scheme [3], Liang’s scheme [9] and ours. It is obvious that the communication cost of Boney’s and Liang’s schemes sharply increase as the number of visitors grows from 50 to 500. However, the proposed scheme is significantly lower than Boney’s and Liang’s schemes. Moreover, with the increasing number of visitors, the communication overhead keeps low and stable, which is really important in massive users enviroment.

Figure 3 illustrates the computation cost comparison among Boyen’s scheme [3], Liang’s scheme [9] and ours on the data owner’s ends. From the curve, we can know that the computation cost in Boney’s and Liang’s schemes increases quickly as the number of visitors grows. Because the technique of group signatures is adopted, and to achieve privacy preserving, it is required for the data owner to generate one group signature for each visitor, which would bring about intolerable computation complexity on users’ ends. Significantly from [3, 9], our scheme requires no extra signature to protect privacy information.

Figure 4 shows the computation cost comparison among Boyen’s shceme [3], Liang’s scheme [9] and ours on the data’s ends. It is obvious that the proposed scheme consumes less. When there are many visitors, each of them needs to wait for a special group signature, which is time-consuming. When \(n=50\), both Boyen [3] and Liang [9] need 129.07 ms to complete the computation processes on visitor’s end. But in our scheme, the whole processes on visitor’s end only consumes 5.54 ms.

From the above analysis, the proposed scheme is superior in both communication and computation overhead. With the increasing number of participated visitors, the system cost only grows slightly, especially in the massive users enviroment the communication overhead can be small and stable.

5 Conclusion

For the sake of enjoying a more comprehensive and high quality service, a distributed multi-authority attribute-based encryption is proposed for secure friend discovery and data sharing, which simultaneously achieves flexibility, high performance and security. The proposed scheme is collusion resistant and can decrease the work pressure and reliance on a single point. In the future work, we will design a more expressive encryption scheme to achieve better performance.