Privacy-Enhancing k-Nearest Neighbors Search over Mobile Social Networks ^†

Abstract

Focusing on the diversified demands of location privacy in mobile social networks (MSNs), we propose a privacy-enhancing k-nearest neighbors search scheme over MSNs. First, we construct a dual-server architecture that incorporates location privacy and fine-grained access control. Under the above architecture, we design a lightweight location encryption algorithm to achieve a minimal cost to the user. We also propose a location re-encryption protocol and an encrypted location search protocol based on secure multi-party computation and homomorphic encryption mechanism, which achieve accurate and secure k-nearest friends retrieval. Moreover, to satisfy fine-grained access control requirements, we propose a dynamic friends management mechanism based on public-key broadcast encryption. It enables users to grant/revoke others’ search right without updating their friends’ keys, realizing constant-time authentication. Security analysis shows that the proposed scheme satisfies adaptive $\mathcal{L}$-semantic security and revocation security under a random oracle model. In terms of performance, compared with the related works with single server architecture, the proposed scheme reduces the leakage of the location information, search pattern and the user–server communication cost. Our results show that a decentralized and end-to-end encrypted k-nearest neighbors search over MSNs is not only possible in theory, but also feasible in real-world MSNs collaboration deployment with resource-constrained mobile devices and highly iterative location update demands.

1. Motivation

With the rapid development of 5G Wireless Communication, mobile social networks (MSNs), represented by instant messaging and location sharing, have become essential parts of people’s everyday lives. According to [1], the number of enrolled users in MSNs worldwide reaches 862 million in 2020, and it is estimated to exceed 900 million by the end of 2021. In particular, the utilization rate of location-based MSN services reaches 96.9% based on the positioning system (e.g., GPS, WiFi, Bluetooth, etc.) embedded in mobile devices, such as Facebook’s “Nearby friends”, Foursquare’s “Swarm”, and Joyrun’s “real-time running competition”, and so forth. In these services, users can broadcast their locations among friends and send location-based queries for nearby friends. Therefore, the location-based services provide a profoundly mobile interface for users’ real-life social networks.

Nevertheless, people are using the enormously popular MSNs services without realizing their privacy concerns: the MSNs services providers can observe and accumulate the geo-location that users transmit through the network. According to the Mobile APP Security Research [2], among the 50 MSN services surveyed, there are 35 services that leak users’ location data to advertisers or data analysis services on purpose without any permission. In recent years, a lot of research also uses data analysis and machine learning technology to extract a large number of their sensitive information from users’ location information over MSNs: by analyzing their search patterns, the matched friends and search similarities and so forth, it is easy to predict the location conversion patterns between users and their friends [3,4]. It is also turned out that Facebook’s historical spatiotemporal trajectory leaks the geographical distance between each user and the spot that he frequently queries, and then the service provider can learn the access probability—whether and when the user will check-in the next time [5].

To avoid illegal access to users’ locations and search patterns by unauthorized service providers and hackers, previous research aimed to encrypt the location information before uploading. However, traditional encryption methods limit the MSNs service provider’s ability to provide location-based services for users. To achieve privacy-preserving location-based query, the straightforward mathematical methods deploy private information retrieval [6], searchable encryption [7] and other crypto primitives to make the encrypted location data searchable. However, these methods come at the huge cost of computation and communication overhead. Moreover, in a privacy-preserving setting, users have their keys embedded in their mobile devices. If a user is allowed to share his/her location encryption key with friends, he/she needs to launch a search request to the platform multiple times when he wants to retrieve his/her friends’ locations. Moreover, when granting or revoking friends’ search rights, a user and his/her friends should update their keys with synchronous locally, which are not suitable for MSNs platforms with highly extensible requirements. To the best of our knowledge, it is fair to say that achieving fine-grained location access control while providing an efficient, secure location-based neighbors search service has become one of the challenging research topics in the field of privacy-enhancing MSNs and still remains open.

In this work, we translate the high-level vision of the above issues and location privacy demand in MSNs into technical requirements and design a privacy-enhancing k-nearest neighbors search scheme containing cryptographic protocols that meet them. The purpose of this work is to protect users’ location data and search patterns privacy, and make it available for users to query for their k-nearest neighbors based on current distances. In terms of technical contribution, our work presents an efficient construction so that the server can effectively compute and sort the encrypted distance between a user and his/her friends without any decryption operation, which is the first to tackle this problem through the lens of secure multi-party computation. It also achieves lightweight friend authentication and authority management by enabling users to grant/revoke their friends’ search rights without updating others’ keys. In terms of security, our scheme satisfies adaptive $\mathcal{L}$-semantic secure and revocation secure under random oracle model. We also undertook an extensive experiment that validates our work, showing that the proposed scheme is possible in theory and feasible in practice.

2. Related Works

2.1. MSNs Privacy

In recent decades, researchers have proposed many privacy-preserving approaches for MSNs. Encryption is the most common method for achieving privacy. For example, Flybynight [8] is a Facebook application for encrypting and decrypting sensitive data using client-side JavaScript. However, it is easy to be attacked by an adversary because the server holds users’ keys and takes charge of key management. NOYB (short for none of your business) [9] offers privacy and preserves MSN services’ functionality based on a secret dictionary’s encryption. Besides, there have been many privacy-preserving matching solutions over MSNs proposed with different techniques. Some schemes are based on private set intersection protocols [10,11] to allow two users to compute the intersection of the two private profile sets privately, but leak no useful information of both parties. For example, Niu et al. designed a spatiotemporal matching scheme for privacy-aware users in MSNs based on the profile’s weight or level and the participant’s social strength [10]. Zhang et al. proposed the concept of a fine-grained privacy information matching protocol by giving preference to each profile and using a similarity function to measure the matching degree [11]. To reduce computation cost, some works [12,13] designed non-encryption-based privacy-preserving matching protocols. Fu et al. proposed a privacy-preserving common-friend matching scheme based on a bloom filter [12]. It transmitted the common profiles of two users into an intersection of bloom filters, which ensures the privacy of friend lists against unknown users. However, it will not be able to resist brute-force attacks, resulting in privacy information leakage. Sun et al. [13] proposed a privacy-preserving spatiotemporal profiles matching scheme to let each user periodically record his locations by a geographic cell index among a large set of predefined ones, which can ensure spatiotemporal privacy at the cost of possibly huge communication and computation overhead.

2.2. Location Privacy

With the rapid development and enormous popularity of location-based services, scholars have paid more and more attention to location data’s privacy and security. Many approaches focus on how to perform privacy-preserving location queries: Bamba et al. proposed a k-anonymity-based scheme that relies on a server to construct an anonymous set based on users’ original queries to make query indistinguishable on the server-side [14]. Bordenabe et al. [15] and Shi et al. [16] both integrated differential privacy to realize nearby friends’ queries. Differential privacy provides a rigorous privacy guarantee by adding noise (randomly to choose a set of fake locations ) to make their data and query deferentially private. Jorgensen et al. incorporated a clustering procedure that groups users according to the social network’s natural community structure and significantly reduced noise [17]. The above works [14,15,16,17] can achieve relatively high efficiency. However, the limitations of these works are that it is challenging to achieve provable security guarantees with formal security definitions, since they did not employ well-designed and provable encryption methods. Zhou et al. took advantage of private information retrieval (PIR) to realize nearby friends’ queries [18]. It provides strong cryptographic guarantees but needs complex operations, and it only protects query privacy but not location privacy. Li et al. designed a private location information matching protocol over MSNs based on inner product similarity (IPS) [19], putting users’ map locations into vectors and encrypting the vectors. The similarity function is used to measure the similarity degree of the encrypted vectors of different users. Schlegel et al. designed an encryption method of dynamic location grid index structure [20], achieving neighbor point search on the premise of not revealing location privacy to the third party. In the above encryption-based schemes, the computation efficiencies are not ideal, requiring multi-round interactions at the logarithmic level between user and server.

Many other works are based on higher security assumptions to achieve a trade-off between security and efficiency. For example, some works [21,22] assumed that the service provider is honest and that it has the authority to access the location plaintext without leaking any information to others. Some works [21,23,24] introduced a trusted third party (TTP) to achieve the trade-off between security and efficiency. Unfortunately, there may not exist such a TTP in real MSNs scenarios. Some non-TTP solutions [15,20] are based on approximate measurements (e.g., linear programming and dynamic grid) with no accurate result. Some works [18,25] need complex operations (e.g., sending fake queries or receiving redundant results) to achieve secure guarantees, which incur high communication and computation overhead at the user-side, making them unsuitable for resource-constrained mobile devices.

3. The Proposed Scheme

3.1. Overview

The privacy-enhancing k-nearest neighbors search scheme over MSNs can be viewed as a decentralized system of end-to-end encrypted social network databases, focusing on the diversified demands of location privacy in MSNs. Our design relies on various cryptographic building blocks, including pseudo-random function, homomorphic crypto mechanism, secure multi-party computation and broadcast encryption.

-

Aiming at the limited computation power of resource-constrained mobile devices, we design a lightweight end-to-end location encryption algorithm and a server-aid location re-encryption protocol based on Paillier homomorphic encryption to achieve further location sharing. The protocol allows the service provider to transfer friends’ location ciphertexts into the query user’s homomorphic ciphertexts without requiring them to be online to participate in the calculation.

-

We build a secure dual-server architecture and design a secure k-nearest neighbors search protocol by secure multi-party computation and a homomorphic encryption mechanism under this architecture. The server can effectively compute and sort the distance between users and their friends without any decryption operation. Compared with the cloud-center model, where a single server holds complete knowledge, the dual-server architecture minimizes the leakage to the servers and reduces the cost of communication between the mobile user and the server.

-

To achieve fine-grained access control, we design a dynamic friends management mechanism based on public-key broadcast encryption. It enables users to grant/revoke their friends’ search rights without updating others’ keys, achieving lightweight friend authentication and authority management. Moreover, this mechanism satisfies revocation secure that the adversary cannot obtain the user’s location information through collusion with the server and the revoked friends, thus further improving the scheme’s overall security.

3.2. Architecture and Syntax

Our scheme is designed to be executed among: U, ${\mathcal{S}}_1$, and ${\mathcal{S}}_2$. U is a set that contains n mobile users $\{{\mathcal{U}}_1,\dots ,{\mathcal{U}}_n\}$. Each user ${\mathcal{U}}_i\in \mathbf{U}$ can connect with others as his friends dynamically. ${\mathcal{S}}_1$ is the primary server that provides a mobile social network service to all users in U. Each user ${\mathcal{U}}_i\in \mathbf{U}$ can send a search request to ${\mathcal{S}}_1$ for k-nearest neighbors among friends based on current location. ${\mathcal{S}}_2$ is a collaborated server to conduct secure computation with ${\mathcal{S}}_1$ for k-nearest neighbors search.

The scheme’s architecture is shown in Figure 1. At a high level, users’ information and their relationships are modeled by a direct graph structure $\mathcal{G}$. To initialize the system, the primary server ${\mathcal{S}}_1$ executes Initial algorithm to output public parameter $params$ and an empty $\mathcal{G}$. Any user ${\mathcal{U}}_i$ should use public parameter $params$ to generate his symmetric key $K_i$ and public/secret keys $(P{K}_i,S{K}_i)$ locally by executing $\mathbf{KeyGen}$ algorithm and interacts with the primary server ${\mathcal{S}}_1$ for registration by Join protocol. Any enrolled user ${\mathcal{U}}_i\in \mathbf{U}$ can grant/revoke ${\mathcal{U}}_j\in \mathbf{U}$’s location search right by interacting with ${\mathcal{S}}_1$ in Grant/Revoke protocols. ${\mathcal{U}}_i$ holds a friends index $F_i$ that records his granted friends. According to the real-life MSNs’ location service architecture, we deploy trusted location infrastructure to provide tracing service by sending the current location $l_i$ of each user ${\mathcal{U}}_i\in \mathbf{U}$ to his local mobile device periodically. ${\mathcal{U}}_i$ executes $\mathbf{LocUpdate}$ to encrypt his location data $l_i$ by his symmetric key $K_i$ at local and uploads the location ciphertext $C_i$ to ${\mathcal{S}}_1$. ${\mathcal{U}}_i$ then can execute Search protocol with ${\mathcal{S}}_1$ by sending k-nearest neighbors search request. ${\mathcal{S}}_1$ performs encrypted search in $\mathcal{G}$ with the assistance of ${\mathcal{S}}_2$ and returns the search result to ${\mathcal{U}}_i$, without relying on the presence of any other user. The proposed scheme’s syntax consists of seven polynomial-time algorithms and protocols, which is shown in Syntax below:

Definition 1 

(Correctness). Correctness implies that, for all $1^k$, all $(\mathcal{G},params)$ generated by Initial$(1^k)$, all $(K_i,P{K}_i,S{K}_i)$ generated by KeyGen$(params)$, all $({\mathrm{F}}_i;{\mathcal{G}}^{\prime })$ generated by $\mathit{Join}({\mathcal{U}}_i(i{d}_i,P{K}_i);{\mathcal{S}}_1(\mathcal{G}))$, all $(K_i,P{K}_i,S{K}_i)$ generated byKeyGen$(params)$, and all sequences of LocUpdate, Grant and Revoke protocols, $\mathit{Search}({\mathcal{U}}_i(K_i,{\mathrm{F}}_i);{\mathcal{S}}_1(\mathcal{G});{\mathcal{S}}_2(S{K}_i))$ will always output result $R_k$ that: $R_k$ satisfies $D_1<\dots <D_K$; and there does not exist ${\mathcal{U}}_i\in R_k$ such that ${\mathcal{U}}_i\notin F_s$ and ${\mathcal{U}}_i\in \{F_s\setminus R_k\}$ that $D_i<ma{x}_{{\mathcal{U}}_j\in R_k}\left\{D_j\right\}$.

3.3. Security Definition

3.3.1. Adaptive $\mathcal{L}$-Semantic Secure

The security definition of adaptive $\mathcal{L}$-semantic secure is formalized by an ideal/real-world paradigm [7]. Roughly speaking, we require that the execution of the scheme in the real-world is indistinguishable from an ideal-world. In real-world Real$(1^k)$, the protocols between the adversarial servers and the user execute just like in the real scheme. In ideal-world Ideal$(1^k)$, there exist two simulators $Si{m}_1$ and $Si{m}_2$ that can obtain the leakage information from leakage functions and try to simulate the execution of ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$ in Real$(1^k)$.

Definition 2 

(Adaptive $\mathcal{L}$-Semantic Secure). Given the syntax in Section 3.2 and considering the following probabilistic paradigms, where U= $\{{\mathcal{U}}_1,\dots ,{\mathcal{U}}_n\}$ is the users’ set, ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$ are two non-colluding adversaries with pseudo-random polynomial time (PPT) computation ability, $Si{m}_1$ and $Si{m}_2$ are two PPT simulators and ${\mathcal{L}}_1$ to ${\mathcal{L}}_4$ are leakage functions.

The proposed scheme achieves adaptive $\mathcal{L}$-semantic security if, for all polynomial time ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$, there exists polynomial time simulators $Si{m}_1$ and $Si{m}_2$ such that the following two distribution ensembles are computationally indistinguishable:

$${\mathit{Output}}_{{\mathcal{A}}_{1/2}}^{\mathit{Real}(1^k)}\approx {\mathit{Output}}_{Si{m}_{1/2}}^{\mathit{Ideal}(1^k)}.$$

3.3.2. Revocation Security

Revocation security guarantees that the scheme satisfies that any user’s revoked friend cannot provide a valid search for his location, even if an adversary illegally steals the revoked friend’s key. We construct the experiment ${\mathbf{Exp}}_{{\mathcal{A}}_{rev}}^{\mathrm{Revoke}}(1^k)$ to formalize the revocation security definition. ${\mathbf{Exp}}_{{\mathcal{A}}_{rev}}^{\mathrm{Revoke}}(1^k)$ is interactively executed by a challenger $\mathcal{C}$ and an adversary ${\mathcal{A}}_{rev}$ who has the ability to add friends, perform a search and revoke friends in the real scheme. $\mathcal{C}$ deletes the user who has been added to the friends index by ${\mathcal{A}}_{rev}$. ${\mathcal{A}}_{rev}$ continues to generate a search token using the revoked friend’s identity and makes a search request. After a polynomial number of queries, $\mathcal{C}$ revokes all users that are queried to the Grant oracle but are not subsequently queried to the Revoke oracle (i.e., all users for which ${\mathcal{A}}_{rev}$ holds their valid user keys).

The adversary ${\mathcal{A}}_{rev}$ must then produce a search token which, when used as an input to Search protocol, does not produce null, that is, ${\mathcal{A}}_{rev}$ must produce a valid search request even though it does not hold a non-revoked key. After several rounds of queries, if ${\mathcal{A}}_{rev}$’s probability of winning the revocation security experiment with PPT computation ability is negligible, then we can say that the proposed scheme satisfies revocation security.

Definition 3 

(Revocation Secure). Given the syntax in Section 3.2 and considering ${\mathit{Exp}}_{{\mathcal{A}}_{rev}}^{\mathit{Revoke}}(1^k)$, which is executed by a challenger $\mathcal{C}$ and an adversary ${\mathcal{A}}_{rev}$:

Specifically, $\mathcal{C}$ runs $\mathit{Initial}$ to initialize $\mathcal{G}$, generates key $(K_i,P{K}_i,S{K}_i)$ and state ciphertext $cs{t}_i$ by $\mathit{KeyGen}$ and Join. $\mathcal{C}$ sends $\mathcal{G}$ and $cs{t}_i$ to ${\mathcal{A}}_{rev}$. ${\mathcal{A}}_{rev}$ can access to the following oracles, where $·$ denotes the parameters that are provided by ${\mathcal{A}}_{rev}$ himself:

-

${\mathcal{O}}_{\mathit{Grant}}(·,\mathcal{G},i{d}_j,P{K}_i,{\mathrm{F}}_i)$: ${\mathcal{A}}_{rev}$ can send grant friend request to this oracle. If $i{d}_j\notin F_i$, then the oracle ${\mathcal{O}}_{\mathit{Grant}}$ runs Grant by the input provides by ${\mathcal{A}}_{rev}$. If $i{d}_j\in F_i$, then the oracle ${\mathcal{O}}_{\mathit{Revoke}}$ outputs ⊥.

-

${\mathcal{O}}_{\mathit{Revoke}}(·,\mathcal{G},i{d}_j,P{K}_i,{\mathrm{F}}_i)$: ${\mathcal{A}}_{rev}$ can send revoke friend request to this oracle. If $i{d}_j\in F_i$, then the oracle ${\mathcal{O}}_{\mathit{Revoke}}$ runs $\mathit{Revoke}$ by the input provides by ${\mathcal{A}}_{rev}$. If $i{d}_j\notin F_i$, then the oracle ${\mathcal{O}}_{\mathit{Revoke}}$ outputs ⊥.

-

${\mathcal{O}}_{\mathit{Search}}(·,\mathcal{G},P{K}_s,{\mathrm{F}}_s)$: ${\mathcal{A}}_{rev}$ can send a search request in $\mathcal{G}$ to this oracle. ${\mathcal{A}}_{rev}$ generates a search token and sends it to ${\mathcal{O}}_{\mathit{Search}}$. Then, the oracle ${\mathcal{O}}_{\mathit{Search}}$ runs $\mathit{Search}$ by the input provides by ${\mathcal{A}}_{rev}$, and outputs the search result to ${\mathcal{A}}_{rev}$.

After polynomial times rounds of queries, $\mathcal{C}$ revokes all the users that have access to ${\mathcal{O}}_{\mathit{Grant}}(·,\mathcal{G},i{d}_j,P{K}_i,{\mathrm{F}}_i)$ but not ${\mathcal{O}}_{\mathit{Revoke}}(·,\mathcal{G},i{d}_j,P{K}_i,{\mathrm{F}}_i)$. ${\mathcal{A}}_{rev}$ generates a search token τ in $\mathit{Search}$ protocol. If the output of $\mathrm{Search}$ is not ⊥, then returns 1, otherwise returns 0.

The proposed scheme achieves revocation security if, for all ${\mathcal{A}}_{rev}$, all $1^k$, the advantage of ${\mathcal{A}}_{rev}$ to win ${\mathbf{Exp}}_{\mathcal{A}}^{\mathit{Revoke}}(1^k)$ is negligible:

$$|\mathrm{Pr}[{\mathit{Exp}}_{{\mathcal{A}}_{rev}}^{\mathit{Revoke}}(1^k)=1]|\le \mathit{negl}(1^k).$$

3.4. The Detailed Construction

Let $\mathcal{BE}=\{\mathcal{BE}.\mathcal{K}ey\mathcal{G}en,\mathcal{BE}.\mathcal{J}oin,\mathcal{BE}.\mathcal{E}nc,\mathcal{BE}.\mathcal{D}ec\}$ be a broadcast encryption scheme that retains CPA secure against a coalition of revoked users [26], $\mathcal{P}=\{\mathcal{P}.\mathcal{K}ey\mathcal{G}en,\mathcal{P}.$

$\mathcal{E}nc,\mathcal{P}.\mathcal{D}ec\}$ be the Pallier encryption scheme [27], $\mathcal{GM}=\{\mathcal{GM}.\mathcal{K}ey\mathcal{G}en,\mathcal{GM}.\mathcal{E}nc,\mathcal{GM}.\mathcal{D}ec\}$ be the Goldwasser-Micali encryption scheme [28], and $\mathcal{F}:{\{0,1\}}^k\times {\{0,1\}}^{*}\to {\{0,1\}}^k$ be a pseudo-random function. The detailed construction is given as follows:

3.4.1. Initialization

On input of the security parameter $1^k$, ${\mathcal{S}}_1$ initializes the global social network graph structure $\mathcal{G}=(\mathcal{V},\mathcal{E})$ and public parameters $params$. In graph $\mathcal{G}$, the maximal number of vertexes in $\mathcal{V}$ is n, that is $\left|\mathcal{V}\right|=n$, which represents the maximum amount of enrolled users. Each vertex $v_i\in \mathcal{V}$ should be attached with the information for an enrolled user ${\mathcal{U}}_i\in \mathbf{U}$ that ${\mathcal{S}}_1$ gathered. The existence of a non-zero edge $e_{ij}\in \mathcal{E}$ between $v_i\in \mathcal{V}$ and $v_j\in \mathcal{V}$ represents the friends relationship of ${\mathcal{U}}_i$ and ${\mathcal{U}}_j$. In other words, if ${\mathcal{U}}_i$ and ${\mathcal{U}}_j$ are strangers to each other, then $e_{ij}=0$. $\mathcal{G}$ is empty at initialization.

3.4.2. Key Generation

If a user ${\mathcal{U}}_i$ is willing to join in the system, he should generate his own keys at local. ${\mathcal{U}}_i$’s keys consists of the following parts: the key for the pseudo-random function $\mathcal{F}$ to encrypt location data, the key pair for the broadcast encryption scheme $\mathcal{BE}$, the key pairs for the Pallier encryption scheme $\mathcal{P}$ and the Goldwasser-Micali encryption scheme $\mathcal{GM}$. ${\mathcal{U}}_i$ first takes as input the binary representation of the public parameters $params$, and randomly selects a k-bit string $k_i\in {\{0,1\}}^k$ for his key of $\mathcal{F}$. Then he generates $(bp{k}_i,ms{k}_i)$ by $\mathcal{BE}.\mathcal{K}ey\mathcal{G}en$, $(p{k}_i,s{k}_i)$ by $\mathcal{P}.\mathcal{K}ey\mathcal{G}en$ and $(p{k}_i^{\prime },s{k}_i^{\prime })$ by $\mathcal{GM}.\mathcal{K}ey\mathcal{G}en$. Afterwards, he forms his symmetric key $K_i$ as $(ms{k}_i,k_i)$, public key $P{K}_i$ as $(bp{k}_i,p{k}_i,p{k}_i^{\prime })$ and secret key $S{K}_i$ as $(s{k}_i,s{k}_i^{\prime })$. The lengths of the above keys are determined by the security parameter $1^k$. Finally, ${\mathcal{U}}_i$ publishes his public key $P{K}_i$ throughout the system.

3.4.3. Join

Before joining in, ${\mathcal{U}}_i$ should generate his friends index ${\mathrm{F}}_i$ with d entries, where d represents the maximum amount of ${\mathcal{U}}_i$’s friends. ${\mathrm{F}}_i$ is a key-value data structure, which is empty at first. The key part of ${\mathrm{F}}_i$ will be attached with the granted friends’ identities, the corresponding value part will be attached with the granted friends’ session keys. More precisely, if ${\mathcal{U}}_j$ is a friend of ${\mathcal{U}}_i$, then ${\mathrm{F}}_i\left[i{d}_j\right]$ stores the session key $k_j^i$ that ${\mathcal{U}}_j$ has shared with ${\mathcal{U}}_i$, where $i{d}_i$ represents ${\mathcal{U}}_i$’s identity: ${\mathrm{F}}_i\left[i{d}_j\right]=k_j^i$, where $i{d}_j$ represents ${\mathcal{U}}_j$’s identity. To register, ${\mathcal{U}}_i$ should also add the server ${\mathcal{S}}_1$ in ${\mathrm{F}}_i$ by generating ${\mathcal{S}}_1$’s session key $k_{{\mathcal{S}}_1}^i$ by $\mathcal{BE}.\mathcal{J}oi{n}_{ms{k}_i}({\mathcal{S}}_1)$ and setting ${\mathrm{F}}_i\left[{\mathcal{S}}_1\right]=k_{{\mathcal{S}}_1}^i$. Afterwards, ${\mathcal{U}}_i$ randomly selects a k-bit string $s{t}_i$ as his current state value and encrypts $s{t}_i$ to $cs{t}_i$ by $\mathcal{BE}.\mathcal{E}n{c}_{bp{k}_i}({\mathcal{S}}_1,s{t}_i)$. Then ${\mathcal{U}}_i$ sends ${\mathcal{S}}_1$ a registration request $R{e}_i=(i{d}_i\left|\right|cs{t}_i\left|\right|k_{{\mathcal{S}}_1}^i)$. ${\mathcal{S}}_1$ selects an empty vertex $v_i\in \mathcal{V}$ in $\mathcal{G}$ and attaches $v_i$ with $R{e}_i$.

3.4.4. Location Update

An enrolled user ${\mathcal{U}}_i\in \mathrm{U}$ can interact with ${\mathcal{S}}_1$ to update his location by LocUpdate protocol. First, ${\mathcal{U}}_i$ obtains his current geo-location $l_i$ from the trusted location infrastructure that sends ${\mathcal{U}}_i$’s geo-location to his local mobile device periodically. ${\mathcal{U}}_i$ maps $l_i$ into an integer $x_i$ from ${\mathbb{Z}}_k$ and computes its square ${x_i}^2$. To hide $l_i$ from ${\mathcal{S}}_1$, ${\mathcal{U}}_i$ needs to encrypt $x_i$ and ${x_i}^2$ at local: he chooses two random values $r_1$ and $r_2$ from ${\mathbb{Z}}_k$, uses his key $k_i$ to generate $p_1={\mathcal{F}}_{k_i}(r_1)$ and $p_2={\mathcal{F}}_i(r_2)$ by pseudo-random function $\mathcal{F}$, and hides $x_i$ and ${x_i}^2$ into $c_{x_i}=(x_i+p_1,r_1)$ and $c_{{x_i}^2}=({x_i}^2+p_2,r_2)$ by $(p_1,p_2)$ and $(r_1,r_2)$. Finally he forms his current location ciphertext $L_i$ as $L_i=(c_{x_i},c_{x_i^2})$ and sends $L_i$ to ${\mathcal{S}}_1$. ${\mathcal{S}}_1$ updates the information embedded in vertex $v_i$ in $\mathcal{G}$ as $v_i\leftarrow v_i\left|\right|\left\{L_i\right\}$.

3.4.5. Grant

When ${\mathcal{U}}_i$ connects ${\mathcal{U}}_j$ as his friend, he should grant ${\mathcal{U}}_j$’s right to search his location by conducting Grant protocol with ${\mathcal{S}}_1$. First, ${\mathcal{U}}_i$ adds ${\mathcal{U}}_j$’s identity $i{d}_j$ as an entry in ${\mathcal{U}}_i$’s friends index ${\mathrm{F}}_i$, generates ${\mathcal{U}}_j$’s session key $k_j^i$ by $\mathcal{BE}.\mathcal{J}oi{n}_{ms{k}_i}(i{d}_j)$, sends $k_j^i$ to ${\mathcal{U}}_j$ in secure channel. ${\mathcal{U}}_i$ then selects a k-bit string $s{t}_i^{\prime }$ as his updated state value, encrypts $s{t}_i^{\prime }$ to $cs{t}_i^{\prime }$ for the updated friends group in ${\mathrm{F}}_i$ that contains ${\mathcal{U}}_j$ by $\mathcal{BE}.\mathcal{E}n{c}_{(bp{k}_i)}(s{t}_i^{\prime },{\mathrm{F}}_i)$, and boardcasts $cs{t}_i^{\prime }$ to the system. After receiving his session key $k_i^j$ from ${\mathcal{U}}_j$, he attaches ${\mathrm{F}}_i\left[i{d}_j\right]$ with $k_i^j$: ${\mathrm{F}}_i\left[i{d}_j\right]=k_i^j$. Afterwards, he sends grant request $(cs{t}_i^{\prime }||i{d}_j)$ to ${\mathcal{S}}_1$. ${\mathcal{S}}_1$ first checks whether there is a non-zero direct edge $e_{ij}$ in $\mathcal{G}$. If not, it sets $e_{ij}=1$ and update $v_i$ in $\mathcal{G}$ with new $cs{t}_i^{\prime }$: $v_i\leftarrow v_i\setminus \left\{cs{t}_i\right\}\cup \left\{cs{t}_i^{\prime }\right\}$.

3.4.6. K-Nearest Neighbors Search

Each enrolled user ${\mathcal{U}}_s\in \mathrm{U}$ can send a search request to ${\mathcal{S}}_1$ for retrieving his k-nearest neighbors sorted by distances, shown in Protocol 1. First of all, ${\mathcal{U}}_s$ retrieves his friends’ identities $\{i{d}_1,\dots ,i{d}_d\}$ from his friends index $F_i$, downloads the state ciphertexts $\{cs{t}_1,\dots ,cs{t}_d\}$ for all his friends $\{{\mathcal{U}}_1,\dots ,{\mathcal{U}}_d\}$ from the system. For each $cs{t}_i\in \{cs{t}_1,\dots ,cs{t}_d\}$, ${\mathcal{U}}_s$ decrypts it to $s{t}_i^{\prime }$ by $\mathcal{BE}.\mathcal{D}e{c}_{k_s^i}(s{t}_i^{\prime })$. Afterwards, ${\mathcal{U}}_s$ consolidates the decryption results into search token $\tau =(s{t}_1^{\prime },\dots ,s{t}_d^{\prime })$ and sends $\tau$ to ${\mathcal{S}}_1$. After receiving $\tau$, ${\mathcal{S}}_1$ extracts $\{cs{t}_1,\dots ,cs{t}_d\}$ from $v_j$’s all adjacents $\{v_1,\dots ,v_d\}$ in $\mathcal{G}$. For each $cs{t}_i\in \{cs{t}_1,\dots ,cs{t}_d\}$, ${\mathcal{S}}_1$ decrypts it to $s{t}_i$ by $\mathcal{BE}.\mathcal{D}e{c}_{k_{{\mathcal{S}}_1}^i}(cs{t}_i)$. It compares each $s{t}_i$ in $\{s{t}_1,\dots ,s{t}_d\}$ with $s{t}_i^{\prime }$ in $\tau$: if $s{t}_j^{\prime }$ is equal to $s{t}_i$, then ${\mathcal{U}}_s$ has been granted the right to search for ${\mathcal{U}}_i$’s location. Afterwards, for each granted ${\mathcal{U}}_i$, ${\mathcal{S}}_1$ retrieves the encrypted location $L_i$ attached in $v_i$. Then, ${\mathcal{S}}_1$ and ${\mathcal{S}}_2$ conduct the following protocols:

After conducting ${\mathcal{P}}_1$ and ${\mathcal{P}}_2$ for all ${\mathcal{U}}_s$’s friends, ${\mathcal{S}}_1$ forms a key-value set $I=\{(i{d}_1,\left[D_1\right]),\dots ,(i{d}_d,\left[D_d\right])\}$ that contains all pairs of the encrypted distances between ${\mathcal{U}}_s$ and his friends along with their identities. ${\mathcal{S}}_1$ encrypts each $i{d}_i\in I$ to $\left[i{d}_i\right]$ by $\mathcal{P}.\mathcal{E}n{c}_{p{k}_s}(i{d}_i)$, and generates $\tilde{R}=\{(\left[i{d}_1\right],\left[D_1\right]),\dots ,(\left[i{d}_d\right],\left[D_d\right])\}$. ${\mathcal{S}}_1$ and ${\mathcal{S}}_2$ perform a secure comparison protocol ${\mathcal{P}}_3$ [29] for ${\mathcal{S}}_1$ and ${\mathcal{S}}_2$ to compare each pair $(\left[i{d}_x\right],\left[D_x\right])$ and $(\left[i{d}_y\right],\left[D_y\right])$ in $\tilde{R}$ based on the distance $D_x$ and $D_y$. We use ${\mathcal{P}}_3$ as a black-box building block for Search protocol, and pick Batcher’s sorting [30] for performing efficient parallel multi-time comparisons.

Finally, ${\mathcal{S}}_1$ obtains the sorted final result $R=\{(\left[i{d}_1\right],\left[D_1\right]),\dots ,(\left[i{d}_d\right],\left[D_d\right])\}$, and sends it back to ${\mathcal{U}}_s$. ${\mathcal{U}}_s$ can decrypt each $\left[i{d}_i\right]$ to $i{d}_i$ by $\mathcal{P}.\mathcal{D}e{c}_{s{k}_s}\left[i{d}_i\right]$, then obtain his k-nearest neighbors identities $R_k=(i{d}_1,\dots ,i{d}_k)$ that were sorted by distance.

3.4.7. Revoke

When ${\mathcal{U}}_i$ wants to revoke ${\mathcal{U}}_j$’s search right, he should conduct Revoke protocol with ${\mathcal{S}}_1$. ${\mathcal{U}}_i$ first deletes ${\mathrm{F}}_i\left[i{d}_j\right]$ locally, selects a k-bit string $s{t}_i^{\prime }$ as his updated state value, encrypts $s{t}_i^{\prime }$ to $cs{t}_i^{\prime }$ by $\mathcal{BE}.\mathcal{E}n{c}_{bp{k}_i}(s{t}_i^{\prime },{\mathrm{F}}_i)$ for the updated group in ${\mathrm{F}}_i$ that excludes ${\mathcal{U}}_j$. Afterwards, he sends revoke request $(cs{t}_i^{\prime }||i{d}_j)$ to ${\mathcal{S}}_1$. ${\mathcal{S}}_1$ first checks whether there is a non-zero direct edge $e_{ij}$ in $\mathcal{G}$. If true, it set $e_{ij}=0$ and update $v_i$ in $\mathcal{G}$ with new $cs{t}_i^{\prime }$: $v_i\leftarrow v_i\setminus \left\{cs{t}_i\right\}\cup \left\{cs{t}_i^{\prime }\right\}$.

4. Security Analysis

4.1. Adaptive $\mathcal{L}$-Semantic Secure

Theorem 1. 

If $\mathcal{F}$ is a pseudo-random function, $\mathcal{P}$, $\mathcal{GM}$ and $\mathcal{BE}$ are CPA secure, and the DGK protocol [31] is proved to be semantically secure in the random oracle model, then the proposed scheme satisfies adaptive $\mathcal{L}$-semantic security, which is defined in Definition 2.

Proof. 

We construct two simulators $Si{m}_1,Si{m}_2$ that can generate the simulated values in $\mathrm{Ideal}(1^k)$ using the information given in the leakage functions ${\mathcal{L}}_1$ to ${\mathcal{L}}_4$, and prove that $\mathrm{Ideal}(1^k)$ is indistinguishable with Real$(1^k)$ by any PPT adversary.

Given the information leaked from ${\mathcal{L}}_1$, $Si{m}_1$ can learn $|cs{t}_i^j|$ and $\left\{\right|cs{t}_i^1|,\dots ,|cs{t}_i^q\left|\right\}$. Afterwords, it can choose random value ${\widetilde{cst}}_i^j$ with lengths $|cs{t}_i^j|$ to simulate $cs{t}_i^j$. Due to the CPA secure of $\mathcal{BE}$, ${cst}_i^j$ is indistinguishable from ${\widetilde{cst}}_i^j$ by any PPT adversary. Therefore, $Si{m}_1$ cannot learn extra information from $\left\{\right|cs{t}_i^1|,\dots ,|cs{t}_i^q\left|\right\}$, which satisfies:

$${\mathrm{Output}}_{{\mathcal{A}}_1}^{\mathrm{Real}}(\{cs{t}_i^1,\dots ,cs{t}_i^q\})\approx {\mathrm{Output}}_{Si{m}_1}^{\mathrm{Ideal}}(\{{\widetilde{cst}}_i^1,\dots ,{\widetilde{cst}}_i^q\}).$$

Given the information leaked from ${\mathcal{L}}_2$, $Si{m}_1$ can learn $|c_{x_i}^j|$ and $|c_{{x_i}^2}^j|$ in $L_i^j=(c_{x_i}^j,c_{{x_i}^2}^j)$. Afterwards, it can choose two random values in lengths $|c_{x_i}^j|$ and $|c_{{x_i}^2}^j|$ to output the simulated ${\tilde{L}}_i^j=({\tilde{c}}_{x_i}^j,{\tilde{c}}_{{x_i}^2}^j)$. Since $L_i^j$ is generated by $\mathcal{F}$, ${\tilde{L}}_i^j$ and $L_i^j$ are indistinguishable by any PPT adversary due to the randomness of $\mathcal{F}$. Therefore, $Si{m}_1$ cannot learn extra information from the update history $\{L_i^1,\dots ,L_i^q\}$, which satisfies:

$${\mathrm{Output}}_{{\mathcal{A}}_1}^{\mathrm{Real}}(\{L_i^1,\dots ,L_i^q\})\approx {\mathrm{Output}}_{Si{m}_1}^{\mathrm{Ideal}}(\{{\tilde{L}}_i^1,\dots ,{\tilde{L}}_i^q\}).$$

Given the information leaked from ${\mathcal{L}}_3$, $Si{m}_1$ can obtain search tokens $\{{\tau }_1,\dots ,{\tau }_q\}$. Afterwards, it can choose random value ${\tilde{\tau }}_i$ in size $|{\tau }_i|$ to simulate each ${\tau }_i$. Moreover, since $\{s{t}_1^{\prime },\dots ,s{t}_d^{\prime })$ is generated by $\mathcal{BE}.\mathcal{D}ec$ by decrypting $\{cs{t}_1,\dots ,cs{t}_d\}$ using keys $\{k_s^1,\dots ,k_s^d)$, and each $k_s^i$ in $\{k_s^1,\dots ,k_s^d\}$ is a k-bit random string, each $s{t}_j^{\prime }$ in ${\tau }_i$ is indistinguishable from ${\tilde{\tau }}_i$ by any PPT adversary. Therefore, $Si{m}_1$ cannot learn extra information from ${\tau }_1,\dots ,{\tau }_q$, which satisfies:

$${\mathrm{Output}}_{{\mathcal{A}}_1}^{\mathrm{Real}}(\{{\tau }_1,\dots ,{\tau }_q\})\approx {\mathrm{Output}}_{Si{m}_1}^{\mathrm{Ideal}}(\{{\tilde{\tau }}_1,\dots ,{\tilde{\tau }}_q\}).$$

The sorting network between ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$ contains ${(logd)}^2$ levels, and each level contains ${(logd)}^2$ times of ${\mathcal{P}}_3$ protocols. Therefore, the simulation of the sorting network can be reduced to prove $Si{m}_1$ and $Si{m}_2$ can simulate the secure comparison protocol ${\mathcal{P}}_1$ with leakage functions. Given the information leaked from ${\mathcal{L}}_4$, $Si{m}_2$ can learn the leaked information $(\left[\left[z_i\right]\right],\left[{\lambda }_i\right])$ from each round of ${\mathcal{P}}_3$ and the rounds number ${(logd)}^2$. In each round, $Si{m}_2$ can learn $(\left[D_x\right],\left[D_y\right],l)$. $Si{m}_1$ and $Si{m}_2$ should simulate ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$ with ${\mathcal{L}}_4$ by all pairs with ${(logd)}^2$ times in sorting protocol to get the final simulation value. At every pairs i, ${\mathcal{A}}_1$’s view can be denoted as $vie{w}_{{\mathcal{A}}_1}=(s{k}_s,\left[\left[z\right]\right],∥\lambda ∥)$. Given $(s{k}_s,\left[\left[z\right]\right],\left[\lambda \right])$, we can build $Si{m}_1$ in the following phases:

-

Randomly choose $\tilde{\lambda }$, compute $\left|\right|\tilde{\lambda }\left|\right|$ as $x_x\le x_y$;

-

Randomly choose $\tilde{z}\leftarrow (0,2^{\lambda +l})\bigcup Z$;

-

Encrypt $\tilde{z}$: $\left[\tilde{z}\right]\leftarrow \mathcal{P}.\mathcal{E}n{c}_{p{k}_s}(z)$;

-

Output $vie{w}_{Si{m}_1}=(s{k}_s,l,\left[\tilde{z}\right],\left|\right|\tilde{\lambda }\left|\right|)$.

Since $z=x+r$, where x is a l-bits integer and r is a $l+\lambda$-bits integer, the distribution of $\tilde{z}$ is indistinguishable from z. We can get $(s{k}_s,\left[\tilde{z}\right])\approx (s{k}_s,\left[z\right])$. Besides, since the distribution of $\tilde{z}$ and z are independent of t, we can get $(s{k}_s,l,\left[\tilde{z}\right]\left|\right|\tilde{\lambda }\left|\right|)\approx (s{k}_s,l,\left[z\right],\left|\right|\tilde{\lambda }\left|\right|)$. In a similar way, at every pairs i, ${\mathcal{A}}_2$’s view can be denoted as $vie{w}_{{\mathcal{A}}_2}=(({\left[D_x\right]}_i,{\left[D_y\right]}_i,l,p{k}_s,r,∥\lambda ∥,\left[z_l\right])$. We can build $Si{m}_2$ to simulate ${\mathcal{A}}_2$ in the following phases:

-

Choose $\tilde{r}\leftarrow (0,2^{\lambda +l})\bigcup Z$;

-

Choose two random values $\tilde{\lambda },{\tilde{z}}_l$, computes $\left|\right|\tilde{\lambda }\left|\right|,∥\tilde{z}∥$;

-

Output $vie{w}_{Si{m}_2}=(\left[D_x\right],\left[D_y\right],l,p{k}_s,\tilde{r},\left[{\tilde{z}}_l\right])$.

In both $vie{w}_{{\mathcal{A}}_2}$ and $vie{w}_{Si{m}_2}$, r is extracted from uniform distribution $(0,2^{\lambda +l})\bigcup \mathbb{Z}$, $\left[{\tilde{z}}_l\right]$ is the ciphertext of $\mathcal{P}$ which is randomness, so $(\left[D_x\right],\left[D_y\right],l,p{k}_s)\approx (\left[D_x\right],\left[D_y\right],l,p{k}_s,r,$

$\left[{\tilde{z}}_l\right])$. We can obtain: $vie{w}_{{\mathcal{A}}_2}$ and $vie{w}_{Si{m}_2}$ are computational indistinguishable. What is more, since $\left|\right|\tilde{\lambda }\left|\right|\approx ∥\left[D_x\right]\le \left[D_y\right]∥$, $(s{k}_s,l,\left[z\right],\left|\right|\tilde{\lambda }\left|\right|)\approx (s{k}_s,l,\left[z\right],$$∥\left[x_x\right]\le \left[y_y\right]∥)$. Due to the semantic security of DGK, $Si{m}_1$ and $Si{m}_2$ can obtain d ciphertexts that are unsorted from the leakage function ${\mathcal{L}}_4$. Then, $Si{m}_1$ and $Si{m}_2$ can simulate Bathcer’s sorting protocols in ${(logd)}^2$ times.

Therefore, for all polynomial time ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$, there exists polynomial time simulators $Si{m}_1$ and $Si{m}_2$ such that:

We can demonstrate that the proposed scheme satisfies adaptive $\mathcal{L}$-semantic security in the random oracle model, which is defined in Definition 2. Theorem 1 proved. □

4.2. Revocation Secure

Theorem 2. 

If $\mathcal{BE}$ is CPA secure, then the proposed scheme satisfies revocation secure, which is defined in Definition 3.

Proof. 

Assuming the advantage of ${\mathcal{A}}_{rev}$ to win ${\mathbf{Exp}}_{{\mathcal{A}}_{rev}}^{\mathrm{Revoke}}(1^k)$ is negligible, we can construct an adversary ${\mathcal{A}}_{be}$, who can break the CPA secure of $\mathcal{BE}$ with assist of ${\mathcal{A}}_{rev}$. We will show that if ${\mathcal{A}}_{rev}$ has a non-negligible advantage in ${\mathbf{Exp}}_{{\mathcal{A}}_{rev}}^{\mathrm{Revoke}}(1^k)$, then we can construct an adversary ${\mathcal{A}}_{be}$ that uses ${\mathcal{A}}_{rev}$ as a subroutine to break the CPA secure of $\mathcal{BE}$.

To make the output of ${\mathbf{Exp}}_{{\mathcal{A}}_{rev}}^{\mathrm{Revoke}}(1^k)$ as 1, ${\mathcal{A}}_{rev}$ needs to provide a valid search token. To achieve that, ${\mathcal{A}}_{rev}$ must know $s{t}_i$. A new value of $s{t}_i$ is randomly selected and encrypted by $\mathcal{BE}.\mathcal{E}n{c}_{bp{k}_i}(s{t}_i,{\mathrm{F}}_i\setminus u_j)$ at each time a user is revoked from the system, where ${\mathrm{F}}_i\setminus u_j$ is the new friends index. ${\mathcal{A}}_{rev}$ then broadcast this encrypted value to all users. $\mathcal{BE}$’s security ensures that only a non-revoked friend of ${\mathcal{U}}_i$ can decrypt this ciphertext to obtain $s{t}_i$ with overwhelming probability. Hence, the adversary can only create a valid search token if he is a valid friend of ${\mathcal{U}}_i$, or he will break the security of $\mathcal{BE}$. That is, the probability that a random bit string is valid is $2^{-k}$. It means that the adversary will not be able to produce a valid token with non-negligible probability.

Let $\mathcal{C}$ be the challenger for the adversary ${\mathcal{A}}_{be}$ against $\mathcal{BE}$, ${\mathcal{A}}_{be}$ will act as the challenger for ${\mathcal{A}}_{rev}$:

• $\mathcal{C}$ runs $\mathcal{BE}.\mathcal{K}ey\mathcal{G}en(1^k)$ to generate keys $(ms{k}_{be},bp{k}_i)$. ${\mathcal{A}}_{be}$ initializes ${\mathrm{F}}_i$, randomly chooses a k-bit string $s{t}_i$, and sends $(s{t}_i,{\mathrm{F}}_i)$ to $\mathcal{C}$. $\mathcal{C}$ runs $\mathcal{BE}.\mathcal{E}{\mathrm{nc}}_{bp{k}_i}(s{t}_i,{\mathrm{F}}_i)$ to generate $s{t}_{{\mathcal{S}}_1}$, and sends it to ${\mathcal{A}}_{be}$. ${\mathcal{A}}_{be}$ runs $\mathbf{KeyGen}$ to generate $K_i$, runs $\mathbf{Join}$ to generate $k_{{\mathcal{S}}_1}^i$, where $K_i$ does not include $k_{be}$.
• ${\mathcal{A}}_{be}$ issues a query to $\mathcal{C}$ for the secret key of ${\mathcal{A}}_{rev}$. $\mathcal{C}$ runs $\mathcal{BE}.\mathcal{J}{\mathrm{oin}}_{ms{k}_i}({\mathcal{A}}_{rev})$ to generate $k_{{\mathcal{A}}_{rev}}$, sends $k_{{\mathcal{A}}_{rev}}$ to ${\mathcal{A}}_{be}$. To fully enroll ${\mathcal{A}}_{rev}$ as a valid friend, the state ciphertext also needs to be updated by ${\mathcal{A}}_{be}$. ${\mathcal{A}}_{be}$ send ${\mathrm{F}}_i$ and a newly generated $s{t}_i$ to $\mathcal{C}$, $\mathcal{C}$ runs $\mathcal{BE}.\mathcal{E}n{c}_{bp{k}_i}(s{t}_i,{\mathrm{F}}_i)$ to generate new $cs{t}_i$. ${\mathcal{A}}_{be}$ runs $\mathbf{Grant}$ to generate the key $k_{{\mathcal{A}}_{rev}}^i$ of ${\mathcal{A}}_{rev}$.
• ${\mathcal{A}}_{be}$ runs Initial to generate graph $\mathcal{G}$, and sends $k_{{\mathcal{A}}_{rev}}^i$ and $\mathcal{G}$ to ${\mathcal{A}}_{rev}$. ${\mathcal{A}}_{rev}$ can access to oracles ${\mathcal{O}}_{\mathrm{Grant}}$ and ${\mathcal{O}}_{\mathrm{Revoke}}$.
• ${\mathcal{A}}_{be}$ revokes ${\mathcal{A}}_{rev}$ by running $\mathbf{Revoke}$, ${\mathcal{A}}_{be}$ runs Revoke a second time in order to produce two values $s{t}_{i0}\leftarrow {\{0,1\}}^k$ and $s{t}_{i1}\leftarrow {\{0,1\}}^k$ for $s{t}_i$, and sends $s{t}_{i0}$ and $s{t}_{i1}$ to $\mathcal{C}$ as the challenge value for ${\mathcal{A}}_{be}$, along with a set of no revoked friends ${\mathrm{F}}_i$ of ${\mathcal{A}}_{rev}$.
• $\mathcal{C}$ selects a bit $b\in \{0,1\}$, uses $\mathcal{BE}.\mathcal{E}n{c}_{bp{k}_i}(s{t}_{ib},{\mathrm{F}}_i)$ to encrypt $s{t}_{ib}$ and generates ${cs{t}_i}_b$, sends ${cs{t}_i}_b$ to ${\mathcal{A}}_{be}$ as the challenge ciphertext for the CPA secure of $\mathcal{BE}$. ${\mathcal{A}}_{be}$ sends ${cs{t}_i}_b$ to ${\mathcal{A}}_{rev}$ as the challenge ciphertext of ${\mathbf{Exp}}_{{\mathcal{A}}_{rev}}^{\mathrm{Revoke}}(1^k)$.
• ${\mathcal{A}}_{rev}$ generates token $\tau$, and sends $\tau$ to ${\mathcal{A}}_{be}$. Since the advantage for ${\mathcal{A}}_{rev}$ to win ${\mathbf{Exp}}_{{\mathcal{A}}_{rev}}^{\mathrm{Revoke}}(1^k)$ is non-negligible, the probability of validity of $\tau$ is non-negligible.
• If $t_0\ne \perp$, then Search stops. According to the following situations, ${\mathcal{A}}_{be}$ outputs its guess for b:

  -

  If $t_0\ne \perp$, this tells ${\mathcal{A}}_{be}$ that $s{t}_{i0}$ was used to generate the token, ${\mathcal{A}}_{be}$ outputs its guess for b as $b^{\prime }=0$;

  -

  Of $t_1\ne \perp$, this tells ${\mathcal{A}}_{be}$ that $s{t}_{i1}$ was used to generate the token, ${\mathcal{A}}_{be}$ outputs its guess for b as $b^{\prime }=1$.

From the above analysis, the advantage of ${\mathcal{A}}_{be}$ to break the CPA secure of $\mathcal{BE}$ can be computed as ${\mathrm{Adv}}_{{\mathcal{A}}_{be}}^{\mathcal{BE}}(1^k)$:

$$\begin{array}{cc}\hfill {\mathrm{Adv}}_{{\mathcal{A}}_{be}}^{\mathcal{BE}}(1^k)& =\left|\right[(Pr[(t_0\vee t_1)\ne \perp ]·1-\frac{1}{2})+(Pr[((t_0\wedge t_1)\ne \perp ]·\frac{1}{2}-\frac{1}{2})|\hfill \\ \hfill & =|\delta ·1+(1-\delta )·\frac{1}{2}-\frac{1}{2}|\hfill \\ \hfill & =|\frac{(\delta +1)}{2}-\frac{1}{2}|\hfill \\ \hfill & =\frac{\delta }{2}.\hfill \end{array}$$

Since the advantage $\delta$ of ${\mathcal{A}}_{rev}$ to win ${\mathbf{Exp}}_{{\mathcal{A}}_{rev}}^{\mathrm{Revoke}}(1^k)$ is non-negligible, the advantage $\frac{\delta }{2}$ of ${\mathcal{A}}_{be}$ to break the CPA security of $\mathcal{BE}$ is non-negligible, which contradicts the CPA security of $\mathcal{BE}$. Therefore, there exists no ${\mathcal{A}}_{rev}$, who can win ${\mathbf{Exp}}_{{\mathcal{A}}_{rev}}^{\mathrm{Revoke}}(1^k)$ with non-negligible probability, and the proposed scheme satisfies revocation security as defined in Definition 3. Theorem 2 proved. □

5. Theoretical Analysis

The complexity analysis is shown in

Table 1. Complexity analysis.

	${\mathit{Stor}}_{\mathit{u}}$	${\mathit{Stor}}_{{\mathcal{S}}_1}$	${\mathit{Stor}}_{{\mathcal{S}}_2}$	${\mathit{Comp}}_{\mathit{u}}$	${\mathit{Comp}}_{{\mathcal{S}}_1}$	${\mathit{Comp}}_{{\mathcal{S}}_2}$	${\mathit{Comm}}_{\mathit{u}}$	${\mathit{Comm}}_{{\mathcal{S}}_1}$	${\mathit{Comm}}_{{\mathcal{S}}_2}$
Register	$\mathcal{O}$(1)	$\mathcal{O}$(n)	$\mathcal{O}$(n)	$\mathcal{O}$(1)	–	–	$\mathcal{O}$(1)	$\mathcal{O}$(1)	$\mathcal{O}$(1)
Grant	$\mathcal{O}$(d)	$\mathcal{O}$($nd$)	–	$\mathcal{O}$(d)	–	–	$\mathcal{O}$(d)	$\mathcal{O}$($nd$)	–
Revoke	–	–	–	$\mathcal{O}$(1)	$\mathcal{O}$(1)	–	$\mathcal{O}$(1)	$\mathcal{O}$(1)	–
LocUpdate	–	$\mathcal{O}$(n)	–	$\mathcal{O}$(1)	–	–	$\mathcal{O}$(1)	$\mathcal{O}$(n)	–
Search	–	–	–	$\mathcal{O}$(d)	$\mathcal{O}$($d+$(logd)${}^2$)	$\mathcal{O}$($d+$(logd)${}^2$)	$\mathcal{O}$(k)	$\mathcal{O}({(\log d)}^2)$	$\mathcal{O}({(\log d)}^2)$

$Stor$: storage complexity; $Comp$: computation complexity; $Comm$: communication complexity.

, where n is the maximum amount of enrolled users and d is the maximum amount of each user’s friends. We compare our scheme with the related privacy-preserving location-based query schemes [15,18,20] in

Table 2. Properties comparison.

	Accuracy	Evaluation Method	Dynamic	Cryptography tool	SP	LP	AC	Rank Model
[16]	✓	Euclidean distance/Anchor points	×	PIR/$\mathcal{P}$	✓	✓	×	–
[17]	×	Linear Programming	✓	HMAC	✓	✓	×	–
[21]	×	Dynamic Grid	×	HMAC	✓	×	×	User
Ours	✓	Squared Euclidean distance	✓	$\mathcal{P}$/$\mathcal{GM}$/$\mathcal{BE}$	✓	✓	✓	2 servers

SP: Search Privacy; LP: Location Privacy; AC: Access Control.

. Due to the significant differences among the existing schemes in application scenarios, secure models, evaluation indicators and other factors, we focus on comparing characteristics and security.

For result accuracy, [15] achieves differential privacy for location information using linear programming techniques. It is specifically designed for simple computation that cannot provide accurate encrypted distance sorting. Ref. [20] uses a dynamic location grid structure to cluster users close to each other. However, the search results in [15,20] have a specific rate of false positives, which are suitable for similarity search. Our scheme and [18] use Euclidean distance to calculate the encrypted distance to achieve precise secure sorting. Ref. [18] focuses on searching the number of points of interest in a specific location area; our scheme sorts the distances based on the proven-secure comparison protocol. In terms of security, Ref. [18] protects location search privacy by way of private information retrieval (PIR). Although it adopts the anchor technology to improve search efficiency, it still has a certain communication overhead. Ref. [20] achieves sort privacy by assuming the server only performs the search, and the user performs the result sorting. As a result, the above methods each sort privacy but lead to high computation or communication costs.

Besides, compared with other schemes, our scheme also has a flexible access control mechanism. Moreover, our scheme achieves a constant-time computation cost and communication cost when updating friends and encrypting locations, and a user only needs to store key-related information locally. Therefore, we can demonstrate that our proposed scheme has both a very light user workload and a moderate server workload while being secure against the honest-but-curious adversary. In nowadays’s mobile social networking environment, the user-side lightweight device’s storage and computation cost should be minimized as much as possible. As a consequence, the proposed scheme is more suitable for the real-life thin clients MSNs deployment scenario.

6. Implementation

We implement and analyze the performance of our scheme. The experiments were run on several computers with Linux Ubuntu 18.04.2 64-Bit Version with Inter(R) Core(TM) I7-2600 quad-core processor (3.4 ghz) and 8 GB memory, which were installed on VMware Workstation in the LAN in C++ language. One of the computers acted as the server-end and the others acted as user-ends, respectively. We implemented a job allocation mechanism in the server-end that the computer acted as the master server and used threads to simulate the collaborated server that performed the assistant job. Each user-end stored the user’s keys locally and interacted with the server-end. To submit a search request, a user-end only communicated with the master server.

In the simulation experiments, the security parameter k was set to 256 bits. We chose SHA256 in the OpenSSL library [32] for the pseudo-randomness function, and used the Relic library [33] to implement Paillier and GM homomorphic encryption. To implement the scheme more securely, we improved the modulus n of the Paillier and GM to 1024 bits. Besides, we used BGW2 [26] to implement public-key broadcast encryption. The key length in the above public encryption methods was set to be 1024 bits.

We conducted data simulations based on real-world data sets, which came from the newest version of the Enron email dataset [34], where we randomly selected 1000 accounts as the total users set. We represented users’ friendships in the form of linked contacts. We selected a random integer in $(10,50)$ to simulate the user’s location’ value, which was updated periodically. Moreover, we initialized the social network graph structure $\mathcal{G}$ with 1000 vertexes and 3831 edges that contained the above data and used a unique value to identify each vertex (user) in ${\mathbb{Z}}_k$. We did not record the network communication time during all the experiments since it depends on the user-end and the server-end’s network connection. Each data point in the experiments was obtained after being repeated 50 times to generate the average value.

6.1. Storage Analysis

We first analyzed the storage overhead of our scheme.

Table 3. Storage cost.

	Unencrypted $\mathcal{G}$		Encrypted $\mathcal{G}$
Vertex	Storage (kb)	GenTime (s)	Storage (kb)	GenTime (s)	Inflation Rate
200	18.752	0.423	57.506	2.359	306.665%
400	38.101	0.477	115.302	2.941	302.622%
600	57.460	0.514	174.379	3.316	303.478%
800	74.677	0.538	225.039	3.770	301.349%
1000	95.988	0.575	289.864	4.113	301.979%

shows the comparison between the encrypted $\mathcal{G}$ and unencrypted $\mathcal{G}$ of the generation time and the server’s storage cost in the trend of the number of users increases. It can be seen that the server’s storage cost increased almost linearly with the increase of the number of users. Since we used symmetric encryption to encrypt location, compared with the Paillier homomorphism ciphertext, the inflation rate of the symmetric ciphertext of the location decreased significantly, which is consistent with the theoretical analysis. Therefore, the proposed scheme achieves the trade-off of users’ location confidentiality and search privacy with the acceptable additional storage cost.

6.2. Communication

In terms of communication, we mainly analyzed the amount of data transformed between (1) ${\mathcal{U}}_i$ and ${\mathcal{S}}_1$ and (2) ${\mathcal{S}}_1$ and ${\mathcal{S}}_2$ in Search protocol. Theoretically, when ${\mathcal{U}}_i$ requests to search k-nearest neighbors among his d friends, ${\mathcal{U}}_i$’s communication overhead increases almost linearly with k. When ${\mathcal{S}}_1$ and ${\mathcal{S}}_2$ interact with each other to compute the distance from the total of d friends’ location ciphertexts, the data size of the communication between them is $\mathcal{O}({(\log d)}^2)$.

Figure 2a,b shows the relationship between the two types of communication overhead in the experiment with the increasing trends of the friends’ number d and the search parameter k, respectively. In general, the amount of data transmission required by the user in Search protocol is positively related to k. When k increases to a particular value (greater than d), the data transmission volume tends to be stable. The communication overhead between ${\mathcal{S}}_1$ and ${\mathcal{S}}_2$ is mainly positively related to d, but independent of the increase of k. Moreover, the distance computation sub-procedure requires several rounds of interactions, so the amount of communication overhead between servers is relatively large, which is consistent with the theoretical analysis.

6.3. Search Time

We also analyzed the primary source of the search time overhead for Search protocol. First, we divided the Search protocol at the server-end into two sub-procedures of location search and distance sort. Figure 3 shows the relationship between search time and the number of friends d. In Figure 3, the total time overhead of Search protocol is shown in the blue curve, the time overhead to extract and re-encrypt location ciphertext is shown in the yellow curve, and the time overhead to compute and sort the encrypted distance is shown in the red curve.

From Figure 3, we can see that the time overhead of the two sub-procedures in the Search protocol generally increases with the increasing trend of d. Specifically, the location search time is far lower than the distance sort time, and with d increases to 4, the curve growth is slowing down. The distance sort time has a stable approximate linear relation with d. Therefore, it can be concluded that the computation and comparison of encrypted distances are two primary time-overhead sources of the Search protocol, which is consistent with the theoretical analysis.

6.4. Scalability

In terms of scalability, we first analyzed the impact of the search users’ number who submit search requests in parallel on the time overhead of the Search protocol. To be specific, we deploy one host to simulate one user to execute the Search protocol and record the total time overhead. Then we deploy six hosts to simulate six users to repeat the same experiment and compare the results. It is worth mentioning that, when recording the time of multi-user search, multiple user-ends simultaneously send the search requests to the server-end. We record the start and end time when the server-end receives the search request until it completes each user’s search. Figure 4 shows the relationship between the parallel search users’ number and Search protocol’s total time. It can be seen that one user’s search time is slightly lower than six parallel users’ search times. The former is approximately in a stable linear relation with d, and the latter slows down to a constant level with the increase of d. From the trend it can be concluded that, with the number of search users d increasing, its impact on search time overhead is weakened, and it further weakens the influence of the increasing number of friends on the search time. Therefore, the multi-user parallelism has a weak impact on search time overhead, which helps the scheme to achieve a certain level of scalability.

Besides, we analyzed the influence of the expandable number of remote servers on the search time overhead. First, we deployed three servers to execute the Search protocol for six users simultaneously and recorded the total time overhead. Then we deployed six servers to repeat the same experiment and compare the results. Figure 4 shows the relationship between the number of servers and the search time. It can be seen that the search time of 6-server deployment is significantly lower than the running time with 3-server deployment, and the former’s growth was slowed down to a constant level after d reaches 4, but the latter’s growth takes an approximately linear relationship with the number of friends steadily. Therefore, it can be concluded that deploying multiple servers to perform parallel searches can reduce the search time overhead and further weaken the influence of the increasing number of friends on the search time.

Remark 1. 

It is worth pointing out that the search process’s main computation cost is the homomorphic encryption/decryption operation and broadcast decryption operation. The computation efficiency is closely related to the selected parameters of the underlying algorithms. The server-end implementation can also be optimized to reduce the search time by using multiple threads for distance sorting and using approximate sorting algorithms, and so forth. In our experiment, we did not adopt any optimization method. The server was allowed to complete all the computation steps in a single thread in each phase to reflect the scheme’s original execution efficiency faithfully.

7. Conclusions

Aiming at the problem of location privacy disclosure in MSNs, we propose a privacy-enhancing k-nearest neighbors search scheme over MSNs. We deploy a dual-server collaborative architecture and design an encrypted location-oriented k-neighbor search protocol based on secure multi-party computation and homomorphic encryption. Our scheme achieves accurate nearby friends retrieval while protecting the geo-location and the distance order from revealing them to the servers. We propose a lightweight dynamic friends management mechanism based on public-key broadcast encryption to satisfy the fine-grained access control requirement. It enables users to grant/revoke a friend’s location search right without updating others’ keys and achieves constant-time identity authentication. The scheme satisfies adaptive $\mathcal{L}$-semantic security and revocation security under the random oracle model. Compared with the works on single server architecture, the proposed scheme reduces the communication cost between users and the server and prevents location information leakage, which achieves a trade-off of the location availability and privacy.