1 Introduction

1.1 Background

With the rapid development of mobile social networks (MSN) and smart terminal devices [14], users share their moods, photos, activities and hobbies to find new friends in an MSN, and many social applications (My Life Here, WeChat, etc.) help to enlarge their social circle. Users find friends with the same interests or particular characteristics by comparing personal attribute profiles in the cloud. In this process, however, the cloud service provider (CSP) cannot be fully trusted, which puts the stored data at risk: for example, the CSP may hand users' information to third parties without permission. Users therefore typically need to encrypt sensitive data to preserve its confidentiality and their privacy.

Attribute-based encryption is the typical privacy-protection primitive for mobile social networks; it comes in two forms, key-policy attribute-based encryption (KP-ABE) [19-22] and ciphertext-policy attribute-based encryption (CP-ABE) [23-25]. In KP-ABE the decryption key is bound to an access policy and the ciphertext to an attribute set; a data visitor can decrypt when the attribute set in the ciphertext satisfies the policy in the key. In CP-ABE, conversely, the data owner defines the access policy over attribute profiles and the secret keys are bound to attribute sets; a user recovers the plaintext if and only if the attributes in the key satisfy the policy in the ciphertext, so data owners control their data more directly. Compared with KP-ABE, CP-ABE is therefore better suited to friend discovery in mobile social networks.

In terms of system model and working mechanism, existing schemes depend on a single Trusted Authority (\(\mathcal {TA}\)) to distribute keys and use an access tree built from the user's attributes to enforce access control on other users. In such a model all users work in the same domain, that is, all keys are generated and distributed by the same trusted authority.

Obviously, this model does not match real application scenarios. For instance, in a real dating system data is stored in different clouds; when a data visitor wants to access and exchange data, one cannot expect the data owner and the visitor to be in the same domain, so inter-cloud access has to be taken into account. At the same time, in this model the user's access control structure is exposed to brute-force guessing by malicious attackers, and once it is guessed the privacy of the data is directly threatened. A single-domain scheme is therefore insufficient. Based on these problems, this paper lets users share data across multiple domains and introduces proxy re-encryption to keep the data secure.

1.2 Related Work

Many researchers have published results on security and privacy protection for friend discovery in mobile social networks. The literature [9-14] proposed solutions that do not rely on a trusted authority but protect user privacy by computing a private set intersection (PSI): the two matching parties hold their own private attribute sets and compute the intersection, or the cardinality of the intersection, of the two sets without leaking the sets themselves. Zhang et al. [15] improved on these methods by assigning different weights to the user's interests and computing a similarity score. In follow-up work, Niu et al. [16] added priorities to the user's attributes, and Zhu et al. [17] proposed an efficient confusion-matrix transformation algorithm to achieve secure and efficient matching.

However, in the above schemes users can only compare the number and weight of the attributes in a public collection; the diversity of user attributes and access control are not considered, so the application range is limited. In the literature [5-8], security and privacy in the friend-making process are protected by introducing a trusted authority together with attribute-based encryption, but this model cannot solve cross-domain sharing of user data in the cloud, and relying on a single trusted authority is a performance bottleneck. The literature [18] proposed a multi-authority attribute-based encryption scheme with access policies, in which messages are encrypted under attributes and decrypted via a trusted authority, providing fine-grained access control for attribute matching and information sharing. In this scheme, however, the access policy tree is exposed to brute-force guessing; once the access policy is guessed, the attacker can directly decrypt the data stored in the cloud.

Therefore, to address the performance bottleneck and the guessability of the access policy, this paper introduces multi-domain key sharing and proxy re-encryption on top of diversified user management, in order to protect the security and privacy of friend discovery in mobile social networks. The initiator's privacy-sensitive data is encrypted with a symmetric algorithm; the symmetric key is then encrypted with CP-ABE, yielding a ciphertext of the key. When the responder's attributes satisfy the initiator's access policy, the responder decrypts the ciphertext of the key to obtain the symmetric key, decrypts the ciphertext downloaded from the friend discovery center to obtain the plaintext, and further social activities can follow. The contributions of this paper are as follows:

  1. (1)

    Based on secret sharing, an access control policy is proposed in which the ciphertext is associated with the access policy; this ciphertext access control structure ensures that only users who meet the access structure obtain the correct decryption key.

  2. (2)

    We propose a proxy re-encryption based friend discovery scheme. Using proxy re-encryption, the data owner's access control structure is hidden efficiently, and a user who satisfies the proxy's access control structure can correctly decrypt the data re-encrypted by the proxy user, so the proxy user's friends are shared efficiently while the data owner's privacy is preserved.

  3. (3)

    A multi-domain attribute-based encryption scheme is proposed that enables data sharing among different domains, widens the scope of friend-making and improves efficiency for users.

Fig. 1. Friend discovery scheme using proxy re-encryption

2 Preliminaries

2.1 Mathematical Basis

Bilinear Mapping: Let \(\mathbb G\) and \(\mathbb G_T\) be two multiplicative cyclic groups of large prime order p, and let g be a generator of \(\mathbb G\). A bilinear map \(e:\mathbb G \times \mathbb G \rightarrow \mathbb G_T\) has the following properties (the scheme below uses this symmetric setting, in which both arguments of e come from the same group \(\mathbb G\)):

  1. (1)

    Bilinearity: \(e({P^a}, {Q^b}) = e{(P, Q)^{ab}}\) for all \(P, Q \in \mathbb G\) and \(a, b \in Z_p\).

  2. (2)

    Non-degeneracy: the map does not send all pairs in \(\mathbb G \times \mathbb G\) to the identity of \(\mathbb G_T\); since \(\mathbb G\) has prime order, this means that \(e(g, g) \ne 1\) and e(g, g) is a generator of \(\mathbb G_T\).

  3. (3)

    Computability: there is an efficient algorithm to compute e(P, Q) for all \(P, Q \in \mathbb G\).

2.2 System Model

The model in this paper consists of the following components: Trusted Authority, Friend Server, Data Owner, Data Proxy and Data Requester. The Trusted Authority is assumed to be completely trustworthy, and the Friend Server to be honest-but-curious: it faithfully follows the system protocols, but will also do whatever it can to read the user files stored on it. Users should therefore encrypt private files before uploading them to the Friend Server. The general structure of the scheme is shown in Fig. 1.

  1. (1)

    Trusted Authority (\(\mathcal {TA}\)): responsible for initializing the system, generating the attribute keys of its domain, distributing keys, and supporting fine-grained access control policies.

  2. (2)

    Friend Server (\(\mathcal {FS}\)): responsible for storing the users' private ciphertexts, including personal photos, interests, contacts, identities and private videos.

  3. (3)

    Data Owner (\(\mathcal {DO}\)): responsible for creating, modifying, deleting and encrypting files and for specifying access policies. An encrypted file cannot be decrypted correctly unless the \(\mathcal {DR}\)'s attributes satisfy the \(\mathcal {DO}\)'s access control policy, which must hold before any further communication. This paper takes Alice as \(\mathcal {DO}\).

  4. (4)

    Data Proxy (\(\mathcal {DP}\)): authorized by \(\mathcal {DO}\) to re-encrypt under a new access control structure, so that \(\mathcal {DO}\)'s actual access control structure stays hidden. Meanwhile it can recommend its friends to \(\mathcal {DR}\), improving the efficiency of the friend-making mechanism. This paper takes Bob as \(\mathcal {DP}\).

  5. (5)

    Data Requester (\(\mathcal {DR}\)): responsible for submitting friend-making requests to \(\mathcal {DP}\). This paper takes Cindy as \(\mathcal {DR}\).

First, \(\mathcal {DO}\) registers with its \(\mathcal {TA}\) the access control policy defined over its own attributes. Each \(\mathcal {TA}\) manages the attribute set of its own domain and generates and distributes private keys for the attribute sets held by the users of that domain. To keep the friend-making process private, \(\mathcal {DO}\) encrypts the data to be shared and uploads the ciphertext to \(\mathcal {FS}\). During friend-making, \(\mathcal {DO}\) can authorize the proxy, and \(\mathcal {DP}\) recommends to \(\mathcal {DR}\) the friends that satisfy the proxy's access control structure. This widens the friend-making scope and improves the efficiency of \(\mathcal {DR}\), protects \(\mathcal {DO}\)'s access control structure from being intercepted by attackers, and keeps the friend-making process private.

The access structure of a sensitive data file is specified by \(\mathcal {DO}\) or \(\mathcal {DP}\), and the ciphertext of the file can be accessed by any \(\mathcal {DR}\) whose attributes satisfy that access structure. This lets \(\mathcal {DO}\) and \(\mathcal {DP}\) control other users' access permissions flexibly.

The security of the proposed scheme is argued within the security framework based on dual system encryption. The scheme consists of five phases: system initialization, user private key generation, file encryption, ciphertext proxy re-encryption and file decryption.

3 Details of the Proposed Scheme

3.1 System Initialization Phase

\(\mathcal {TA}\) chooses two cyclic groups \(\mathbb G\) and \(\mathbb G_T\) of prime order p, randomly chooses elements \(g, {g_1} \in \mathbb G\) and \(a \in Z_p^*\), and lets \(e:\mathbb G \times \mathbb G \rightarrow \mathbb G_T\) be a bilinear map. The public parameter \(GP = (p, g, {g_1}, {g^a}, \mathbb G, \mathbb G_T, e)\) is generated together with the hash functions \({H_1}:{\{ 0, 1\} ^*} \rightarrow \mathbb G\) and \({H_2}:\mathbb G_T \rightarrow Z_p^*\) (Table 1).

Table 1. Summary of notations

Consider a friend-making system with multiple domains \({D_\phi }\). The authority \(T{A_{{\phi _i}}}\) of any domain \({D_{{\phi _i}}}\) runs the algorithm \(setup(\;)\): it randomly chooses \({\alpha _{{\phi _i}}} \in Z_p^*\) and generates the master key of the domain, \(MS{K_{{\phi _i}}} = {g^{{\alpha _{{\phi _i}}}}}\), and its public key \(P{K_{{\phi _i}}} = e{(g, g)^{{\alpha _{{\phi _i}}}}}\). The public parameter GP and the public key of the domain are public; the master key \(MS{K_{{\phi _i}}}\) is kept by \(T{A_{{\phi _i}}}\).

3.2 User Private Key Generation Phase

A user who wants to join the network and take part in social activities first starts the application on the smart terminal and then registers with some \(T{A_{{\phi _i}}}\). The registration process is as follows.

  1. (1)

    \(T{A_{{\phi _i}}}\) runs the algorithm \(keyGen(\;)\): for a user with attribute set S it chooses a random \(t_S \in Z_p^*\) and generates the private key \(S{K_S} = (K = {g^{a \cdot t_S}} \cdot {g^{{\alpha _{{\phi _i}}}}},\; L = {g^{t_S}},\; \{{K_x} = {H_1}{(x)^{t_S}}\}_{x \in S})\).

  2. (2)

    \(T{A_{{\phi _i}}}\) sends \((P{K_{{\phi _i}}}, S{K_S})\) and the signature of this user in \(T{A_{{\phi _i}}}\) to the user over a secure channel.

3.3 File Encryption Phase

The encryption process of \(\mathcal {DO}\) is as follows:

  1. (1)

    \(\mathcal {DO}\) first picks a random unique document number \(\mathcal {FID}\) for the document and randomly generates a symmetric key \(\mathcal {KF}\), which is used to encrypt the plaintext DataFile into the ciphertext \(\mathcal {CF}\).

  2. (2)

    \(\mathcal {DO}\) runs the document encryption algorithm \(Enc(\;)\). Here \((M, \rho )\) is the \(\mathcal {LSSS}\) access control structure: M is an \(l \times n\) matrix, \(\rho \) maps each row of M to an attribute, and \(\{ \rho (i)|1 \le i \le l\}\) is the set of attributes used in \((M, \rho )\). \(\mathcal {DO}\) randomly chooses the secret to be shared, \(s \in Z_p^*\), and a vector \(v = (s, {y_2}, ..., {y_n})\) with \({y_2}, ..., {y_n} \in Z_p^*\), and sets \({\lambda _i} = v \cdot {M_i}\) for i from 1 to l, where \({M_i}\) is the i-th row of M. It then randomly chooses \({r_1}, ..., {r_l} \in Z_p^*\) and computes the ciphertext:

    $$\begin{aligned} \begin{array}{l} {A_1} = KF \cdot e{(g, g)^{{\alpha _{{\phi _i}}} \cdot s}}, \quad {A_2} = {g^s}, \quad {A_3} = g_1^s;\\ {B_1} = {({g^a})^{{\lambda _1}}} \cdot {H_1}{(\rho (1))^{ - {r_1}}}, \; ..., \; {B_l} = {({g^a})^{{\lambda _l}}} \cdot {H_1}{(\rho (l))^{ - {r_l}}};\\ {C_1} = {g^{{r_1}}}, \; ..., \; {C_l} = {g^{{r_l}}}; \end{array} \end{aligned}$$
    (1)

    The cipher text of the key can be expressed as:

    $$\begin{aligned} CT = ((M, \rho ), {A_1}, {A_2}, {A_3}, ({B_1}, {C_1}), ..., ({B_l}, {C_l})) \end{aligned}$$
    (2)
  3. (3)

    \(\mathcal {DO}\) sends \((\mathcal {FID}, CT, \mathcal {CF})\) together with its signature to \(\mathcal {FS}\), which verifies the signature on receipt and stores \((\mathcal {FID}, CT, \mathcal {CF})\) if the signature is valid.

3.4 Cipher Text Proxy Re-encryption Phase

The ciphertext proxy re-encryption phase proceeds as follows:

  1. (1)

    Consider that Bob is a validly authorized proxy user whose attribute set S satisfies the access control structure \((M, \rho )\) of \(\mathcal {DO}\). After receiving \(\mathcal {DO}\)'s permission, Bob runs the algorithm \(rekeyGen(\;)\).

    Bob takes as input his private key \(SK = (K, L, \{{K_x}\}_{x \in S})\) and his attribute set S, and generates a new access control structure \((M',\ \rho ')\), where \(M'\) is an \(l' \times n'\) matrix, \(\rho '\) maps the rows of \(M'\) to attributes, and \(\{ \rho '(i)|1 \le i \le l'\} \) is the set of attributes used in \((M',\ \rho ')\).

  2. (2)

    Bob randomly chooses \(s' \in Z_p^*\), the vector \(v' = (s', {y'_2}, ..., {y'_{n'}})\) with \({y'_2}, ..., {y'_{n'}} \in Z_p^*\), and \({r'_1}, ..., {r'_{l'}} \in Z_p^*\). For i from 1 to \(l'\), Bob sets \({\lambda '_i} = v' \cdot {M'_i}\), where \({M'_i}\) is the i-th row of \(M'\).

  3. (3)

    If Bob and Cindy belong to the same \(\mathcal {TA}\), i.e., the same domain \({D_{{\phi _i}}}\), Bob randomly chooses \(\delta \in \mathbb G_T\) and computes the ciphertext:

    $$\begin{aligned} \begin{array}{l} {A'_1} = \delta \cdot e{(g, g)^{{\alpha _{{\phi _i}}} \cdot s'}}, \quad {A'_2} = {g^{s'}};\\ {B'_1} = {({g^a})^{{\lambda '_1}}} \cdot {H_1}{(\rho '(1))^{ - {r'_1}}}, \; ..., \; {B'_{l'}} = {({g^a})^{{\lambda '_{l'}}}} \cdot {H_1}{(\rho '(l'))^{ - {r'_{l'}}}};\\ {C'_1} = {g^{{r'_1}}}, \; ..., \; {C'_{l'}} = {g^{{r'_{l'}}}}; \end{array} \end{aligned}$$
    (3)

    The cipher text can be expressed as:

    $$\begin{aligned} {C'_{(M',\ \rho ')}} = ({A'_1}, {A'_2}, ({B'_1}, {C'_1}), ..., ({B'_{l'}}, {C'_{l'}})) \end{aligned}$$
    (4)
  4. (4)

    If Bob and Cindy do not belong to the same \(\mathcal {TA}\) (e.g., Bob belongs to \({D_{{\phi _i}}}\) and Cindy to \({D_{{\phi _j}}}\)), Bob obtains the public key \(e{(g,g)^{{\alpha _{{\phi _j}}}}}\) of the domain \({D_{{\phi _j}}}\), chooses \(\delta \in \mathbb G_T\) as before, and computes the ciphertext under Cindy's domain key:

    $$\begin{aligned} \begin{array}{l} {A'_1} = \delta \cdot e{(g, g)^{{\alpha _{{\phi _j}}} \cdot s'}}, \quad {A'_2} = {g^{s'}};\\ {B'_1} = {({g^a})^{{\lambda '_1}}} \cdot {H_1}{(\rho '(1))^{ - {r'_1}}}, \; ..., \; {B'_{l'}} = {({g^a})^{{\lambda '_{l'}}}} \cdot {H_1}{(\rho '(l'))^{ - {r'_{l'}}}};\\ {C'_1} = {g^{{r'_1}}}, \; ..., \; {C'_{l'}} = {g^{{r'_{l'}}}}; \end{array} \end{aligned}$$
    (5)

    The cipher text can be expressed as:

    $$\begin{aligned} {C'_{(M',\ \rho ')}} = ({A'_1}, {A'_2}, ({B'_1}, {C'_1}), ..., ({B'_{l'}}, {C'_{l'}})) \end{aligned}$$
    (6)
  5. (5)

    Bob chooses \(\theta \in Z_p^*\) and computes:

    $$\begin{aligned} &r{k_1} = {K^{{H_2}(\delta )}} \cdot g_1^\theta = {({g^{a \cdot t_S}} \cdot {g^{{\alpha _{{\phi _i}}}}})^{{H_2}(\delta )}} \cdot g_1^\theta , \quad r{k_2} = {g^\theta }, \quad r{k_3} = {L^{{H_2}(\delta )}},\\ &r{k_4} = {C'_{(M',\ \rho ')}}, \quad {R_x} = K_x^{{H_2}(\delta )} \;\; \forall x \in S \end{aligned}$$
    (7)

    Bob outputs the re-encryption key:

    $$\begin{aligned} r{k_{S \rightarrow (M',\ \rho ')}} = (S, r{k_1}, r{k_2}, r{k_3}, r{k_4}, \{{R_x}\}_{x \in S}) \end{aligned}$$
    (8)

    and sends \(r{k_{S \rightarrow }}_{(M',\ \rho ')}\) to \(\mathcal {FS}\).

  6. (6)

    After receiving \(r{k_{S \rightarrow }}_{(M',\ \rho ')}\), \(\mathcal {FS}\) re-encrypts the ciphertext of the key with the algorithm \(reEnc(\;)\) and outputs the re-encrypted ciphertext of the key, \(CT'\). The calculation is as follows:

    Let \(I \subset \{ 1, ..., l\} \) be \(I = \{ i:\rho (i) \in S\} \), where S is the proxy's attribute set, and let \(\{ {\lambda _i}\} \) be the valid shares of the secret s under the matrix M. Since S satisfies \((M, \rho )\), there exists a set of constants \({\{ {\omega _i} \in Z_p^*\} _{i \in I}}\) with \(\sum \nolimits _{i \in I} {{\omega _i}} \cdot {\lambda _i} = s\). \(\mathcal {FS}\) then computes the following, where the division by \(e({A_3}, r{k_2})\) removes the blinding factor \(g_1^\theta \) of \(r{k_1}\) because \(e({g^s}, g_1^\theta ) = e(g_1^s, {g^\theta })\), a cancellation that relies on e being symmetric:

    $$\begin{aligned} {A_4} = \frac{{e({A_2}, r{k_1})/e({A_3}, r{k_2})}}{{\prod \nolimits _{i \in I} {{{(e({B_i}, r{k_3}) \cdot e({C_i}, {R_{\rho (i)}}))}^{{\omega _i}}}} }} \end{aligned}$$
    (9)

    Output:

    $$\begin{aligned} CT' = ((M',\ \rho '), {A_1}, {A_3}, ({B_1}, {C_1}), ..., ({B_l}, {C_l}), {A_4}, r{k_4}) \end{aligned}$$
    (10)

3.5 Document Decryption Phase

The document decryption phase is as follows:

Cindy sends \(\mathcal {FS}\) a request to access the encrypted document \(\mathcal {CF}\) with document number \(\mathcal {FID}\). If Cindy's attribute set \(\mathcal {S}\) does not satisfy the access structure of the ciphertext of the key she is given (\((M, \rho )\) for the original ciphertext CT, \((M',\ \rho ')\) for the re-encrypted ciphertext \(CT'\)), the output is \(\bot \). Otherwise Cindy downloads the encrypted DataFile of \(\mathcal {DO}\) and runs the decryption algorithm \(Desc(\;)\) on the ciphertext of the key. The steps are as follows:

  1. (1)

    If the ciphertext of the key is the original ciphertext \(\mathcal {CT}\):

    Define \(I \subset \{ 1, ..., l\} \) as \(I = \{ i:\rho (i) \in S\} \). There exists a set of constants \({\{ {\omega _i} \in Z_p^*\} _{i \in I}}\) with \(\sum \nolimits _{i \in I} {{\omega _i}} \cdot {\lambda _i} = s \). Using her own private key \((K, L, \{{K_x}\})\), Cindy computes:

    $$\begin{aligned} KF &= \frac{{A_1} \cdot \prod \nolimits _{i \in I} {{{(e({B_i}, L) \cdot e({C_i}, {K_{\rho (i)}}))}^{{\omega _i}}}}}{e({A_2}, K)} \nonumber \\ &= \frac{KF \cdot e{{(g, g)}^{{\alpha _{{\phi _i}}} \cdot s}} \cdot \prod \nolimits _{i \in I} {{{(e({g^{a \cdot {\lambda _i}}} \cdot {H_1}{{(\rho (i))}^{ - {r_i}}}, {g^{{t_S}}}) \cdot e({g^{{r_i}}}, {H_1}{{(\rho (i))}^{{t_S}}}))}^{{\omega _i}}}}}{e({g^s}, {g^{a \cdot {t_S}}} \cdot {g^{{\alpha _{{\phi _i}}}}})} \nonumber \\ &= \frac{KF \cdot e{{(g, g)}^{{\alpha _{{\phi _i}}} \cdot s}} \cdot e{{(g, g)}^{a \cdot {t_S} \cdot \sum \nolimits _{i \in I} {{\omega _i} \cdot {\lambda _i}} }}}{e{{(g, g)}^{a \cdot {t_S} \cdot s}} \cdot e{{(g, g)}^{{\alpha _{{\phi _i}}} \cdot s}}} \\ &= \frac{KF \cdot e{{(g, g)}^{{\alpha _{{\phi _i}}} \cdot s}} \cdot e{{(g, g)}^{a \cdot {t_S} \cdot s}}}{e{{(g, g)}^{a \cdot {t_S} \cdot s}} \cdot e{{(g, g)}^{{\alpha _{{\phi _i}}} \cdot s}}} = KF \nonumber \end{aligned}$$
    (11)
  2. (2)

    If the ciphertext of the key is the re-encrypted ciphertext \(CT'\):

    1. a.

      Let \(I' \subset \{ 1, ..., l'\} \) be \(I' = \{ i:\rho '(i) \in S'\} \), where \(S'\) is Cindy's attribute set, and let \(\{{\lambda '_i}\} \) be the valid shares of the secret \(s'\) under \(M'\). Then there exists a set of constants \({\{ \omega '_i \in Z_p^ * \} _{i \in I'}}\) with \(\sum \nolimits _{i \in I'} {\omega '_i \cdot } \lambda '_i = s'\). With her private key \((K', L', \{{K'_x}\})\), Cindy computes \(\delta \) as:

      $$\begin{aligned} \delta = \frac{A'_1 \cdot \prod \nolimits _{i \in I'} {{{(e(B'_i, L') \cdot e(C'_i, {K'_{\rho '(i)}}))}^{{\omega '_i}}}}}{e(A'_2, K')} \end{aligned}$$
      (12)

      Correctness validation 1: If Cindy and Bob belong to the same domain \({D_{{\phi _i}}}\):

      $$\begin{aligned} \begin{array}{l} \frac{A'_1 \cdot \prod \nolimits _{i \in I'} {{{(e(B'_i, L') \cdot e(C'_i, {K'_{\rho '(i)}}))}^{{\omega '_i}}}}}{e(A'_2, K')}\\ = \frac{{\delta \cdot e{{(g, g)}^{{\alpha _{{\phi _i}}} \cdot s'}} \cdot \prod \nolimits _{i \in I'} {{{(e({g^{a \cdot {\lambda '_i}}} \cdot {H_1}{{(\rho '(i))}^{ - {r'_i}}}, {g^{{t_{S'}}}}) \cdot e({g^{{r'_i}}}, {H_1}{{(\rho '(i))}^{{t_{S'}}}}))}^{{\omega '_i}}}} }}{{e({g^{s'}}, {g^{a \cdot {t_{S'}}}} \cdot {g^{{\alpha _{{\phi _i}}}}})}}\\ = \frac{\delta \cdot e{{(g, g)}^{{\alpha _{{\phi _i}}} \cdot s'}} \cdot e{{(g, g)}^{a \cdot {t_{S'}} \cdot s'}}}{e{{(g, g)}^{a \cdot {t_{S'}} \cdot s'}} \cdot e{{(g, g)}^{{\alpha _{{\phi _i}}} \cdot s'}}} = \delta \end{array} \end{aligned}$$
      (13)

      If Cindy and Bob do not belong to the same domain (e.g., Bob belongs to \({D_{{\phi _i}}}\) and Cindy to \({D_{{\phi _j}}}\)), Cindy's key contains \({g^{{\alpha _{{\phi _j}}}}}\) and \(A'_1\) was formed with \(e{(g,g)^{{\alpha _{{\phi _j}}} \cdot s'}}\), so:

      $$\begin{aligned} \begin{array}{l} \frac{A'_1 \cdot \prod \nolimits _{i \in I'} {{{(e(B'_i, L') \cdot e(C'_i, {K'_{\rho '(i)}}))}^{{\omega '_i}}}}}{e(A'_2, K')}\\ = \frac{{\delta \cdot e{{(g, g)}^{{\alpha _{{\phi _j}}} \cdot s'}} \cdot \prod \nolimits _{i \in I'} {{{(e({g^{a \cdot {\lambda '_i}}} \cdot {H_1}{{(\rho '(i))}^{ - {r'_i}}}, {g^{{t_{S'}}}}) \cdot e({g^{{r'_i}}}, {H_1}{{(\rho '(i))}^{{t_{S'}}}}))}^{{\omega '_i}}}} }}{{e({g^{s'}}, {g^{a \cdot {t_{S'}}}} \cdot {g^{{\alpha _{{\phi _j}}}}})}}\\ = \frac{\delta \cdot e{{(g, g)}^{{\alpha _{{\phi _j}}} \cdot s'}} \cdot e{{(g, g)}^{a \cdot {t_{S'}} \cdot s'}}}{e{{(g, g)}^{a \cdot {t_{S'}} \cdot s'}} \cdot e{{(g, g)}^{{\alpha _{{\phi _j}}} \cdot s'}}} = \delta \end{array} \end{aligned}$$
      (14)
    2. b.

      Using \({A_4}\) from \(CT'\), which \(\mathcal {FS}\) computed in (9) as \({A_4} = \frac{{e({A_2},r{k_1})/e({A_3}, r{k_2})}}{{\prod \nolimits _{i \in I} {{{(e({B_i}, r{k_3}) \cdot e({C_i}, {R_{\rho (i)}}))}^{{\omega _i}}}} }}\), Cindy recovers the key as \(KF = {A_1}/{({A_4})^{\frac{1}{{{H_2}(\delta )}}}}\).

      Correctness validation 2:

      $$\begin{aligned} {A_4} =&\frac{{e({A_2},r{k_1})/e({A_3}, r{k_2})}}{{\prod \nolimits _{i \in I} {{{(e({B_i}, r{k_3}) \cdot e({C_i}, {R_{\rho (i)}}))}^{{\omega _i}}}} }}\nonumber \\ =&\frac{{e({g^s},{{({g^{a \cdot {t_S}}} \cdot {g^{{\alpha _{{\phi _i}}}}})}^{{H_2}(\delta )}} \cdot g_1^\theta )/e(g_1^s, {g^\theta })}}{{\prod \nolimits _{i \in I} {{{(e({{({g^a})}^{{\lambda _i}}} \cdot {H_1}{{(\rho (i))}^{ - {r_i}}}, {{({g^{{t_S}}})}^{{H_2}(\delta )}}) \cdot e({g^{{r_i}}}, {H_1}{{(\rho (i))}^{{t_S} \cdot {H_2}(\delta )}}))}^{{\omega _i}}}} }}\\ =&\frac{{e({g^s},{{({g^{a \cdot {t_S}}} \cdot {g^{{\alpha _{{\phi _i}}}}})}^{{H_2}(\delta )}})}}{{e{{(g, g)}^{a \cdot {t_S} \cdot {H_2}(\delta ) \cdot \sum \nolimits _{i \in I} {{\omega _i} \cdot {\lambda _i}} }}}} = \frac{{e{{(g, g)}^{(a \cdot {t_S} + {\alpha _{{\phi _i}}}) \cdot s \cdot {H_2}(\delta )}}}}{{e{{(g, g)}^{a \cdot {t_S} \cdot s \cdot {H_2}(\delta )}}}}\nonumber \\ =&e{{(g, g)}^{{\alpha _{{\phi _i}}} \cdot s \cdot {H_2}(\delta )}}\nonumber \end{aligned}$$
      (15)
      $$\begin{aligned} {A_1}/{({A_4})^{\frac{1}{{{H_2}(\delta )}}}} = KF \cdot e{(g, g)^{{\alpha _{{\phi _i}}} \cdot s}}/e{(g, g)^{{\alpha _{{\phi _i}}} \cdot s}} = KF \end{aligned}$$
      (16)
  3. (3)

    Finally, Cindy decrypts \(\mathcal {CF}\) with \(\mathcal {KF}\) to obtain the data document DataFile and can carry on deeper communication; for example, Cindy can now access \(\mathcal {DO}\)'s voice recordings, videos, contacts and hobbies.
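
The phases of Sections 3.3 to 3.5 can be checked end to end in code. The block below is an added example and not code from the paper: it models the pairing in the exponent (an element \(g^x\) is stored as x mod p and \(e(g,g)^y\) as y mod p, so \(e(g^x, g^y) = xy\)), which offers no security at all but lets one verify that equations (9) to (16) really cancel to KF, including the cross-domain case where Cindy's key comes from a second authority. The prime order, the LSSS matrices (the policy (A AND B) OR C in the usual Lewko-Waters matrix form, and D AND E for the proxy's hidden structure), the SHA-256 stand-ins for \(H_1\) and \(H_2\), and all attribute names are assumptions made for this example.

```python
# Added example, not code from the paper: an exponent-model check of Sections 3.3-3.5.
# A group element g^x is stored as x mod P and e(g,g)^y as y mod P, so products become
# sums, exponentiation becomes multiplication and e(g^x, g^y) = x*y. This has NO
# security (every discrete log is known by construction); it only checks that rekeyGen,
# reEnc and equations (9)-(16) recover KF. All inputs below are constructed assumptions.
import hashlib
import secrets

P = 2**127 - 1  # assumed prime group order (a Mersenne prime)

def H1(attr):  # H1: {0,1}* -> G, modelled as a hash to an exponent of g
    return int.from_bytes(hashlib.sha256(b"H1|" + attr.encode()).digest(), "big") % P

def H2(delta):  # H2: G_T -> Z_p^*, delta given as an exponent of e(g,g)
    return 1 + int.from_bytes(hashlib.sha256(b"H2|%d" % delta).digest(), "big") % (P - 1)

def lsss_shares(M, s):
    """lambda_i = v . M_i with v = (s, y_2, ..., y_n), y_j random (Sec. 3.3, step 2)."""
    v = [s] + [secrets.randbelow(P) for _ in M[0][1:]]
    return [sum(v[j] * m for j, m in enumerate(row)) % P for row in M]

def lsss_coeffs(M, rho, S):
    """{i: omega_i} over I = {i: rho(i) in S} with sum omega_i*M_i = e_1; None if S fails (M, rho)."""
    I = [i for i in range(len(M)) if rho[i] in S]
    n = len(M[0])
    A = [[M[i][j] % P for i in I] + [int(j == 0)] for j in range(n)]  # [M_I^T | e_1], solved mod P
    piv = []  # pivot column of each reduced row; len(piv) is the current rank
    for c in range(len(I)):
        r = next((r for r in range(len(piv), n) if A[r][c]), None)
        if r is None:
            continue
        A[len(piv)], A[r] = A[r], A[len(piv)]
        inv = pow(A[len(piv)][c], P - 2, P)
        A[len(piv)] = [x * inv % P for x in A[len(piv)]]
        for r2 in range(n):
            if r2 != len(piv) and A[r2][c]:
                A[r2] = [(x - A[r2][c] * y) % P for x, y in zip(A[r2], A[len(piv)])]
        piv.append(c)
    if any(A[r][-1] for r in range(len(piv), n)):
        return None  # e_1 is not in the row span of M_I: S does not satisfy the policy
    omega = [0] * len(I)
    for r, c in enumerate(piv):
        omega[c] = A[r][-1]
    return dict(zip(I, omega))

def setup():  # GP: the exponents of g^a and g_1 = g^gamma (Sec. 3.1)
    return {"a": secrets.randbelow(P - 1) + 1, "g1": secrets.randbelow(P - 1) + 1}

def keygen(GP, alpha, S):  # SK_S = (K = g^{a t_S} g^alpha, L = g^{t_S}, K_x = H1(x)^{t_S})
    t = secrets.randbelow(P - 1) + 1
    return {"K": (GP["a"] * t + alpha) % P, "L": t, "Kx": {x: H1(x) * t % P for x in S}}

def encrypt(GP, alpha, M, rho, kf):  # eqs (1), (2); kf is KF as a G_T exponent
    s = secrets.randbelow(P - 1) + 1
    lam, r = lsss_shares(M, s), [secrets.randbelow(P) for _ in M]
    return {"M": M, "rho": rho, "A1": (kf + alpha * s) % P, "A2": s, "A3": GP["g1"] * s % P,
            "B": [(GP["a"] * lam[i] - H1(rho[i]) * r[i]) % P for i in range(len(M))], "C": r}

def decrypt(ct, sk, S):  # eq (11): A1 * prod_i (e(B_i,L) e(C_i,K_rho(i)))^omega_i / e(A2,K)
    w = lsss_coeffs(ct["M"], ct["rho"], S)
    if w is None:
        return None
    prod = sum(w[i] * (ct["B"][i] * sk["L"] + ct["C"][i] * sk["Kx"][ct["rho"][i]]) for i in w)
    return (ct["A1"] + prod - ct["A2"] * sk["K"]) % P

def rekeygen(GP, alpha_target, sk, S, M2, rho2):  # eqs (3)-(8), run by the proxy Bob
    delta = secrets.randbelow(P)  # random delta in G_T
    c_delta = encrypt(GP, alpha_target, M2, rho2, delta)  # C'_{(M',rho')} under the target domain
    h, theta = H2(delta), secrets.randbelow(P)
    return {"S": S, "rk1": (sk["K"] * h + GP["g1"] * theta) % P, "rk2": theta,
            "rk3": sk["L"] * h % P, "rk4": c_delta, "R": {x: sk["Kx"][x] * h % P for x in S}}

def reencrypt(ct, rk):  # eqs (9), (10), run by FS: A4 = e(A2,rk1)/e(A3,rk2) / prod(...)^omega
    w = lsss_coeffs(ct["M"], ct["rho"], rk["S"])
    if w is None:
        return None
    num = ct["A2"] * rk["rk1"] - ct["A3"] * rk["rk2"]
    den = sum(w[i] * (ct["B"][i] * rk["rk3"] + ct["C"][i] * rk["R"][ct["rho"][i]]) for i in w)
    return {"A1": ct["A1"], "A4": (num - den) % P, "rk4": rk["rk4"]}

def decrypt_reenc(ct2, sk, S):  # eqs (12), (16): delta from C', then KF = A1 / A4^{1/H2(delta)}
    delta = decrypt(ct2["rk4"], sk, S)
    if delta is None:
        return None
    return (ct2["A1"] - ct2["A4"] * pow(H2(delta), P - 2, P)) % P

def demo():
    GP = setup()
    alpha_i, alpha_j = (secrets.randbelow(P - 1) + 1 for _ in range(2))  # MSK of D_phi_i, D_phi_j
    M, rho = [[1, 1], [0, -1], [1, 0]], ["A", "B", "C"]  # LSSS for (A AND B) OR C
    kf = secrets.randbelow(P)
    ct = encrypt(GP, alpha_i, M, rho, kf)  # Alice (D_phi_i) encrypts KF under (M, rho)
    bob = keygen(GP, alpha_i, {"A", "B"})  # Bob (D_phi_i) satisfies (M, rho)
    rk = rekeygen(GP, alpha_j, bob, {"A", "B"}, [[1, 1], [0, -1]], ["D", "E"])  # hidden policy D AND E
    cindy = keygen(GP, alpha_j, {"D", "E"})  # Cindy (D_phi_j): the cross-domain case
    return decrypt(ct, bob, {"A", "B"}) == kf and decrypt_reenc(reencrypt(ct, rk), cindy, {"D", "E"}) == kf

if __name__ == "__main__":
    print("direct and re-encrypted decryption recover KF:", demo())
```

Running the file reports whether both the direct decryption of (11) and the re-encryption path of (9), (12) and (16) recover KF; a key issued under a different domain master key, or a key whose attribute set does not satisfy the policy, fails in the same functions. Once the algebra checks out, the same functions can be ported to a pairing library. In the exponent model the cancellation of \(e(A_3, rk_2)\) against the \(g_1^\theta\) blinding in \(rk_1\) is automatic; a real deployment needs a symmetric (Type-1) pairing, or a deliberate placement of g and \(g_1\) across the two source groups of an asymmetric pairing, for that step to hold.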

4 Security Analysis

Assume the decisional \(\mathcal {DBDH}\) assumption holds over \((\mathbb G,{\mathbb G_T})\). Then no adversary \(\mathcal {A}\) can break the proposed scheme with a challenge access matrix \(({M^*},{\rho ^*})\) of size \({\ell ^*} \times {n^*}\) with \({\ell ^*},{n^*} \le q\).

Definition. If an adversary \(\mathcal {A}\) can break the proposed scheme in the \(\mathcal {CPA}\) game with non-negligible advantage \(\varepsilon = Ad{v_A}\), then there is a polynomial-time algorithm that solves the \(\mathcal {DBDH}\) problem with non-negligible advantage.

Proof: A challenger \(\mathcal {C}\) is constructed for the decisional \(\mathcal {DBDH}\) assumption; it must decide whether \(T = e{(g,g)^{{a^{q + 1}} \cdot s}}\) or T is a random element of \({\mathbb G_T}\).

\(\mathcal {C}\) and \(\mathcal {A}\) play the following \(\mathcal {CPA}\) game. \(\mathcal {C}\) takes as input \((p,g,\mathbb G,{\mathbb G_T},e)\), the \(\mathcal {DBDH}\) instance \(\mathbf {y}\) and T, and must decide whether \(T = e{(g,g)^{{a^{q + 1}} \cdot s}}\) or \(T \in {\mathbb G_T}\) is random.

  1. (1)

    Initialization phase. \(\mathcal {A}\) gives \(\mathcal {C}\) the access structure \(({M^*},{\rho ^*})\) to be challenged, where \({M^*}\) is an \({\ell ^*} \times {n^*}\) matrix with \({\ell ^*}\) rows and \({n^*}\) columns (\({\ell ^*},{n^*} \le q\)).

  2. (2)

    Setup phase. If the attributes of the access control structure \(({M^*},{\rho ^*})\) belong to the domain \({\phi _i}\), \(\mathcal {C}\) chooses \({\alpha '_{{\phi _i}}},\gamma \in Z_p^*\), sets \({g_1} = {g^\gamma }\), and implicitly sets \({\alpha _{{\phi _i}}} = {\alpha '_{{\phi _i}}} + {a^{q + 1}}\) by computing \(e{(g, g)^{{\alpha _{{\phi _i}}}}} = e({g^a}, {g^{{a^q}}}) \cdot e(g, {g^{{\alpha '_{{\phi _i}}}}})\). \(\mathcal {C}\) also chooses the hash functions \({H_1},{H_2}\) and sends the public parameter \(GP = (p,g,\mathbb G,{\mathbb G_T},e,{g_1},{g^a},{H_1},{H_2})\) and the public key \(PK = e{(g,g)^{{\alpha _{{\phi _i}}}}}\) to \(\mathcal {A}\).

    \(\mathcal {C}\) simulates the random oracles \({H_j}\;(j \in \{ 1,2\})\) by maintaining tables \(H_j^{List}\;(j \in \{ 1,2\})\), and answers \(\mathcal {A}\)'s queries by the following rules.

    1. (a)

      \({H_1}\): \(\mathcal {C}\) receives an \({H_1}\) query on \(x \in {U_{{\phi _i}}}\). If \(H_1^{List}\) already contains a tuple \((x,{z_x},{\delta _{2,x}})\) with \({z_x} \in Z_p^*\) and \({\delta _{2,x}} \in \mathbb G\), \(\mathcal {C}\) returns \({\delta _{2,x}}\) to \(\mathcal {A}\). Otherwise \(\mathcal {C}\) constructs \({\delta _{2,x}}\) as follows. Let X denote the set of row indices i \((1 \le i \le {\ell ^*})\) with \({\rho ^*}(i) = x\).

      \(\mathcal {C}\) chooses \({z_x} \in Z_p^*\) and sets \({\delta _{2,x}} = {g^{{z_x}}} \cdot \prod \limits _{i \in X} g^{a \cdot M_{i,1}^*/{b_i} + {a^2} \cdot M_{i,2}^*/{b_i} + ... + {a^{{n^*}}} \cdot M_{i,{n^*}}^*/{b_i}}\).

      If X is empty, then \(\mathcal {C}\) sets \({\delta _{2,x}} = {g^{{z_x}}}\). \(\mathcal {C}\) returns \({\delta _{2,x}}\) to \(\mathcal {A}\) and adds the tuple \((x,{z_x},{\delta _{2,x}})\) to the table \(H_1^{List}\).

    2. (b)

      \(H_2\): \(\mathcal {C}\) receives an \(H_2\) query on \(\delta \in \mathbb G_T\). If \(H_2^{List}\) already contains a tuple \((\delta , \xi )\), \(\mathcal {C}\) returns the stored \(\xi \in Z_p^*\) to \(\mathcal {A}\). Otherwise \(\mathcal {C}\) picks a fresh random \(\xi \in Z_p^*\), sets \(H_2(\delta )=\xi \), returns \(\xi \) to \(\mathcal {A}\), and adds \((\delta , \xi )\) to \(H_2^{List}\).

  3. (3)

    Query phase 1. \(\mathcal {A}\) puts a series of queries to \(\mathcal {C}\) and \(\mathcal {C}\) answers based on the following rules.

    1. (a)

      Private key extraction query \(O_{SK}(S)\): if S satisfies \((M^*,\rho ^*)\), \(\mathcal {C}\) outputs a random bit from \(\{0,1\}\) and aborts the game. Otherwise \(\mathcal {C}\) chooses a random \(r_S \in Z_p^*\) and finds a vector \(w=(w_1,w_2,...,w_{n^*}) \in Z_p^{n^*}\) with \(w_1=-1\) and \(w \cdot M_i^*=0\) for all i with \(\rho ^*(i) \in S\) (such a vector exists precisely because S does not satisfy \((M^*,\rho ^*)\)).

      If S belongs to the domain \(D_{\phi _i}\), \(\mathcal {C}\) sets \(L=g^{r_S} \cdot \prod _{i=1,...,n^*} g^{a^{q+1-i} \cdot w_i}=g^{t_S}\), which implicitly defines \(t_S=r_S+w_1 \cdot a^q+...+w_{n^*} \cdot a^{q-n^*+1}\). Based on this, \(\mathcal {C}\) constructs \(K=g^{\alpha '_{\phi _i}} \cdot g^{a \cdot r_S} \cdot \prod _{i=2,...,n^*} g^{a^{q+2-i} \cdot w_i}\). Since \(w_1=-1\) and \(\alpha _{\phi _i}=\alpha '_{\phi _i}+a^{q+1}\), one checks that \(K=g^{\alpha '_{\phi _i}} \cdot g^{a^{q+1}} \cdot g^{-a^{q+1}} \cdot g^{a \cdot r_S} \cdot \prod _{i=2,...,n^*} g^{a^{q+2-i} \cdot w_i}=g^{\alpha _{\phi _i}} \cdot L^a=g^{\alpha _{\phi _i}} \cdot g^{a \cdot t_S}\).

      If \(x \in S\) and \(\rho ^*(i) \ne x\) for all \(i \in \{1,...,\ell ^*\}\), then \(\mathcal {C}\) sets \(K_x=L^{z_x}=\delta _{2,x}^{t_S}=H_1(x)^{t_S}\).

      Otherwise,

      $$\begin{aligned} K_x=L^{z_x} \cdot \prod _{i \in X} \prod _{j=1,...,n^*} \Big (g^{(a^j/b_i) \cdot r_S} \cdot \prod _{k=1,...,n^*,k \ne j}(g^{a^{q+1+j-k}/b_i})^{w_k}\Big )^{M_{i,j}^*} \end{aligned}$$
      (17)

      The following derivation shows that this \(K_x\) is well formed.

      $$\begin{aligned} {K_x} =&{L^{{z_x}}} \cdot \prod \limits _{i \in X} {\prod \limits _{j = 1,...,{n^*}} {{{({g^{({a^j}/{b_i}) \cdot {r_S}}} \cdot \prod \limits _{k = 1,...,{n^*},k \ne j} {{{({g^{{a^{q + 1 + j - k}}/{b_i}}})}^{{w_k}}}})}^{M_{i,j}^*}}} } \cdot \prod \limits _{i \in X} {\prod \limits _{j = 1,...,{n^*}} {{{({g^{{a^{q + 1}}/{b_i}}})}^{{w_j} \cdot M_{i,j}^*}}} } \nonumber \\ =&{({g^{{z_x}}} \cdot \prod \limits _{i \in X} {{g^{a \cdot M_{i,1}^*/{b_i} + {a^2} \cdot M_{i,2}^*/{b_i} + ... + {a^{{n^*}}} \cdot M_{i,{n^*}}^*/{b_i}}}})^{({r_S} + {w_1} \cdot {a^q} + ... + {w_{{n^*}}} \cdot {a^{q - {n^*} + 1}})}} \nonumber \\ =&\delta _{2,x}^{({r_S} + {w_1} \cdot {a^q} + ... + {w_{{n^*}}} \cdot {a^{q - {n^*} + 1}})} = \delta _{2,x}^{{t_S}} = {H_1}{(x)^{{t_S}}} \end{aligned}$$
      (18)

      where X is the set of i with \(\rho ^*(i)=x\), and the extra factor introduced in the first line equals 1: since S does not satisfy \((M^*,\rho ^*)\) and \(x \in S\), we have \(w \cdot M_i^*=0\) for every \(i \in X\).

      Hence,

      $$\begin{aligned} \prod _{i \in X} \prod _{j=1,...,n^*} (g^{a^{q+1}/b_i})^{w_j \cdot M_{i,j}^*}=g^{a^{q+1} \cdot (\sum _{i \in X} \sum _{j=1,...,n^*} w_j \cdot M_{i,j}^*/b_i)}=g^0=1 \end{aligned}$$
      (19)

      Finally, \(\mathcal {C}\) adds the tuple \((S,SK_S)\) to \(SK^{List}\), and returns \(SK_S\) to \(\mathcal {A}\).

    2. (b)

      Re-encryption key extraction query \(O_{rk}(S,(M', \rho '))\): \(\mathcal {A}\) queries \(O_{rk}\) with an attribute set S and an access structure \((M', \rho ')\). According to the security game, if \(\mathcal {S}\) does not satisfy \((M^*, \rho ^*)\), \(\mathcal {C}\) first runs \(O_{SK}(S)\) to obtain the corresponding key \((K,L,K_x)\), then chooses \(\theta , \sigma \in _R Z_p^*\) and \(\bar{K} \in _R \mathbb G\), and computes the re-encryption key as \(rk_1=\bar{K} \cdot g_1^{\theta },\; rk_2=g^{\theta },\; rk_3=g^{\sigma },\; R_x=\delta _{2,x}^{\sigma }\) for \(x \in S\).

  (4)

    Challenge stage. \(\mathcal {A}\) outputs \({m_0},{m_1}\) to \(\mathcal {C}\). \(\mathcal C\) chooses \(b \in \{ 0,1\}\) and responds according to the following rules. For each row i of \({M^*}\), set \({x^*} = {\rho ^*}(i)\) and query \({H_1}\) on \({x^*}\) to obtain the tuple \(({x^*},{z_x},{\delta _{2,{x^*}}})\).

    Choose \({y'_2}, {y'_3},...,{y'_{{n^*}}}\) and use the vector \(v = (s,\, s \cdot a + {y'_2},\, s \cdot {a^2} + {y'_3},\, ...,\, s \cdot {a^{n^* - 1}} + {y'_{{n^*}}}) \in Z_p^{{n^*}}\) to share the secret s. Choose \({r'_1},...,{r'_{{\ell ^*}}} \in Z_p^*\), and for every \(i \in \{ 1,2,...,{\ell ^*}\} \) let \({R_i}\) denote the set of indices \(k \ne i\) with \({\rho ^*}(k) = {\rho ^*}(i)\). We define:

    $$\begin{aligned} B_i^* = \delta _{2,x}^{ - {r_i}} \cdot \Big( \prod \limits _{j = 2,...,n} g^{a \cdot M_{i,j}^* \cdot {y_j}} \Big) \cdot g^{{b_i} \cdot s \cdot ( - {z_{{x^*}}})} \cdot \Big( \prod \limits _{k \in {R_i}} \prod \limits _{j = 1,...,{n^*}} \big( g^{{a^j} \cdot s \cdot ({b_i}/{b_k})} \big)^{M_{k,j}^*} \Big)^{ - 1} \end{aligned}$$
    (20)
    $$\begin{aligned} C_i^* = g^{r_i^* + s \cdot {b_i}} \end{aligned}$$
    (21)
    (a)

      \(\mathcal {C}\) chooses \(A_1^* \in {\{ 0,1\} ^{2k}}\), defines \(T \cdot e({g^s},{g^{{\alpha _{{\phi _i}}}}}) = A_1^*/{m_b}\) in an implicit manner and sets \(A_2^* = {g^s},A_3^* = g_1^s\).

    (b)

      Output the challenge ciphertext

      $$\begin{aligned} C{T^*} = (({M^*},{\rho ^*}), A_1^*, A_2^*, A_3^*, (B_1^*,C_1^*),..., (B_{{\ell ^*}}^*,C_{{\ell ^*}}^*)) \end{aligned}$$
      (22)

      to \(\mathcal {A}\). If \(T = e{(g,g)^{{a^{q + 1}} \cdot s}}\), then \(C{T^*}\) is a valid ciphertext.

  (5)

    Query stage 2. Query as in the first stage but the constraint in Definition 1 needs to be satisfied.

  (6)

    Prediction stage. \(\mathcal {A}\) outputs a predicted bit \(b' \in \{ 0,1\}\). Then \(\mathcal {C}\) makes its own prediction from the prediction of \(\mathcal {A}\). If \(\mathcal {A}\) predicts correctly, i.e. \(b' = b\), then \(\mathcal {C}\) outputs 1 (\(T = e{(g,g)^{{a^{q + 1}} \cdot s}}\)) in the challenge process of the game. Otherwise, \(\mathcal {C}\) outputs 0 (\(T \in {G_T}\)). The success probability of \(\mathcal {C}\) is computed as follows.

    If the output is 1, i.e. \(T = e{(g,g)^{{a^{q + 1}} \cdot s}}\), then what \(\mathcal {A}\) obtains is a valid ciphertext of \({m_b}\). By definition, \(\mathcal {A}\) then predicts correctly with its advantage. Hence \(\Pr [b' = b \mid (y, T = e{(g,g)^{{a^{q + 1}} \cdot s}})] = \frac{1}{2} + Adv_{\mathcal {A}}\).

    If the output is 0, i.e. \(T \in {G_T}\) is a random element, then \(\mathcal {A}\) obtains no information about \({m_b}\). Hence the prediction is right with probability \(\Pr [b' = b \mid (y, T = R)] = \frac{1}{2}\). In this case, \(\mathcal {C}\) has a non-negligible advantage of \(\frac{\varepsilon }{2}\) in the \(\mathcal {DBDH}\) game.
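The two places in the reduction where linear secret sharing does the work are the challenge-phase vector \(v = (s, ...)\) that shares s across the rows of \(M^*\), and the vector w with \(w \cdot M_i^* = 0\) on the rows of an unsatisfying attribute set S, which makes the exponent in (19) vanish. The following is an added illustration, not code from the paper: a toy LSSS over \(Z_p\) with a constructed matrix for the policy (A AND B) OR C, a constructed small prime, and constructed attribute names. `share` computes the shares \(\lambda _i = M_i \cdot v\), `reconstruct` recovers s for an authorised set, `blocking_vector` finds w with \(w_1 = 1\) and \(w \cdot M_i = 0\) on the rows of S (and reports that none exists when S is authorised), and `eq19_exponent` evaluates the sum \(\sum _i \sum _j w_j M_{i,j}\) that appears in (19).

```python
# Added example (not from the paper): a toy linear secret-sharing scheme (LSSS)
# over Z_p for an access structure (M, rho). Prime, matrix and attribute names
# are constructed for illustration; a real scheme works in a large prime-order group.

P = 101  # constructed small prime modulus

# Constructed LSSS matrix for the policy (A AND B) OR C; rho maps rows to attributes.
# Rows A and B add up to (1, 0); row C alone is (1, 0).
M_STAR = [[1, 1], [0, -1], [1, 0]]
RHO_STAR = ["A", "B", "C"]


def solve_mod(A, b, p):
    """Solve A x = b over Z_p by Gaussian elimination.
    Returns one solution (free variables set to 0) or None if inconsistent."""
    m, n = len(A), len(A[0])
    aug = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivot_cols, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if aug[i][c] != 0), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [(x * inv) % p for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][c] != 0:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivot_cols.append(c)
        r += 1
        if r == m:
            break
    # any remaining all-zero row with a non-zero right-hand side means no solution
    if any(aug[i][n] != 0 for i in range(r, m)):
        return None
    x = [0] * n
    for i, c in enumerate(pivot_cols):
        x[c] = aug[i][n]
    return x


def share(M, v, p):
    """Shares lambda_i = M_i . v, where v = (s, y_2, ..., y_n) and s is the secret."""
    return [sum(mij * vj for mij, vj in zip(row, v)) % p for row in M]


def rows_for(rho, S):
    """Row indices i with rho(i) in the attribute set S."""
    return [i for i, x in enumerate(rho) if x in S]


def reconstruct(M, rho, S, shares, p):
    """Recover the secret from the shares of S, or None if S does not satisfy (M, rho).
    Solves sum_i c_i M_i = (1, 0, ..., 0) over the rows of S, then s = sum_i c_i lambda_i."""
    idx = rows_for(rho, S)
    if not idx:
        return None
    n = len(M[0])
    A = [[M[i][j] for i in idx] for j in range(n)]  # transpose of M restricted to S
    e1 = [1] + [0] * (n - 1)
    c = solve_mod(A, e1, p)
    if c is None:
        return None
    return sum(ci * shares[i] for ci, i in zip(c, idx)) % p


def blocking_vector(M, rho, S, p):
    """w with w_1 = 1 and w . M_i = 0 for every row i of S.
    Such a w exists exactly when S does NOT satisfy (M, rho); returns None otherwise."""
    idx = rows_for(rho, S)
    n = len(M[0])
    A = [[1] + [0] * (n - 1)] + [M[i] for i in idx]
    b = [1] + [0] * len(idx)
    return solve_mod(A, b, p)


def eq19_exponent(M, rho, S, p):
    """sum over rows i of S and columns j of w_j * M_{i,j} (mod p), the quantity
    raised to g^{a^{q+1}} in eq. (19); 0 means the product collapses to g^0 = 1.
    Returns None when S is authorised and no blocking vector exists."""
    w = blocking_vector(M, rho, S, p)
    if w is None:
        return None
    return sum(w[j] * M[i][j] for i in rows_for(rho, S) for j in range(len(M[0]))) % p


if __name__ == "__main__":
    v = [42, 7]  # constructed: s = 42 is the secret, y_2 = 7 the random pad
    shares = share(M_STAR, v, P)
    print("shares:", shares)
    for S in ({"A", "B"}, {"C"}, {"A"}, {"B"}):
        print(sorted(S), "reconstructs", reconstruct(M_STAR, RHO_STAR, S, shares, P),
              "| blocking w", blocking_vector(M_STAR, RHO_STAR, S, P),
              "| eq.(19) exponent", eq19_exponent(M_STAR, RHO_STAR, S, P))
```

The sets {A, B} and {C} satisfy the policy, so `reconstruct` returns s and `blocking_vector` returns None; for {A} and {B} no reconstruction is possible, a w exists, and the exponent of (19) is 0 modulo p, which is the cancellation the simulator relies on to answer key queries for unsatisfying sets without knowing \(g^{a^{q+1}}\).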

5 Conclusion

In mobile social networks, maximizing contact and communication between users while protecting their privacy is an active research topic in privacy preservation. Based on cryptography, we propose a cross-domain re-encryption protocol for privacy preserving friend discovery. The scheme improves the efficiency of making friends in mobile social networks and enables users to find friends who satisfy an access policy, with fine-grained access control. By using proxy re-encryption, the real access control structure is hidden, which provides security and privacy for friend discovery in mobile social networks. Meanwhile, we introduce multiple authorities: secret keys are generated by several authorities, which removes the single point of failure and the key management bottleneck. The security analysis proves that the proposed scheme achieves CPA security.