Privacy-Preserving Multi-User Graph Intersection Scheme for Wireless Communications in Cloud-Assisted Internet of Things

Abstract

Cloud-assisted Internet of Things (IoT) has become the core infrastructure of smart society since it solves the computational power, storage, and collaboration bottlenecks of traditional IoT through resource decoupling and capability complementarity. The development of a graph database and cloud-assisted IoT promotes the research of privacy preserving graph computation. We propose a secure graph intersection scheme that supports multi-user intersection queries in cloud-assisted IoT in this article. The existing work on graph encryption for intersection queries is designed for a single user, which will bring high computational and communication costs for data owners, or cause the risk of secret key leaking if directly applied to multi-user scenarios. To solve these problems, we employ the proxy re-encryption (PRE) that transforms the encrypted graph data with a re-encryption key to enable the graph intersection results to be decrypted by an authorized IoT user using their own private key, while data owners only encrypt their graph data on IoT devices once. In our scheme, different IoT users can query for the intersection of graphs flexibly, while data owners do not need to perform encryption operations every time an IoT user makes a query. Theoretical analysis and simulation results demonstrate that the graph intersection scheme in this paper is secure and practical.

1. Introduction

Internet of Things (IoT) has promoted the integration of the physical and digital worlds, greatly facilitating our life. However, the exponential growth of IoT devices brings great challenge for localized data processing, which promotes the emergence of cloud-assisted IoT. Cloud-assisted IoT can manage decentralized IoT devices through the cloud platform, providing computational and storage services for resource-limited IoT devices.

Graphs can describe not only diverse types of data but also connections among them. They have significant application value and are applied widely in a range of IoT scenarios such as smart home, smart logistics, smart wearables and so on. Since a large amount of graph data are produced or stored on IoT devices, graph computation tasks such as subgraph matching, shortest path computation, and graph intersection have become important in IoT applications.

The accelerating growth of cloud-assisted IoT promotes data owners with IoT devices to outsource the storage and computational task to the cloud server. However, it causes privacy leakage risk: the original graph data of IoT devices usually contain sensitive information (such as social relationships and medical data), so directly uploading them to the cloud may cause the data to be stolen or misused. To solve this problem, privacy-preserving graph computation in cloud-assisted IoT was born. As one of the most important technologies, graph encryption makes use of cryptography methods to protect the data and relationships of graphs. Much research has been conducted for graph encryption that supports various kinds of graph operations, including shortest distance computation [1,2,3,4,5,6], minimum community search [7], subgraph counting [8], subgraph matching [9,10,11,12,13,14], and so on.

Graph intersection is an operation that searches for common sub structures among graphs of different IoT devices through comparing their vertices and edges. It plays an important role in social network mutual friend recommendation, collaborative data analysis across institutions, etc. Unfortunately, little research aims at the privacy-preserving graph intersection [15,16,17], for which the scheme in [16] computes the graph intersection of two parties, the scheme in [17] enables multiple parties to collaboratively calculate the graph intersection directly among the participants, and the scheme in [15] proposes an outsourced graph intersection scheme of multiple data owners for a single user. Other relevant works study privacy-preserving subgraph matching [9,10,11,12,13,14] and outsourced private set intersection [18,19,20,21,22,23,24]. Some of these prior works only consider a single user; data owners encrypt their graphs using public encryption or symmetric encryption while the query user is directly issued the corresponding secret keys so they can perform decryption to obtain the query results. Other works support multiple users by applying access control over them, where users obtain the decryption key through the access control mechanism.

However, there are some problems in the schemes that IoT users directly obtain the decryption key: first of all, if the IoT user permission changes, data owners have to re-encrypt their graph with new keys, causing large computational and communication costs. Secondly, since a trusted authority or the data owner needs to manage key distribution, graph data can be decrypted once the decryption key leaked.

1.1. Contributions

To enable multiple users to flexibly query graph intersection in a privacy-preserving manner, we present a multi-user graph encryption for intersection queries in the cloud-assisted IoT environment. As is described in Figure 1, the system model consists of four types of entities: a trusted authority (TA), the cloud server, data owners, and data users. The contributions of this paper are summarized as follows.

• We present a construction of privacy-preserving graph intersection computation. In our scheme, a TA initializes the system, and it generates public parameters for the system and re-encryption keys for the cloud server. Each data owner encrypts their graph before uploading it to the cloud server. Every time a data user sends a graph intersection query, the cloud server re-encrypts these encrypted graphs with a re-encryption key from the TA to the data user. After calculating the intersection of all these encrypted graphs, it sends the graph intersection to the query user. Following this procedure, our scheme can support data users to query for the graph intersection of data owners securely and flexibly.
• Our scheme supports multi-user scenarios. It allows multiple users to query for the graph intersection, while data owners only need encrypt their data once. On the one hand, it achieves flexible data sharing; on the other hand, it decreases the processing burden placed on data owners.
• In our scheme, the cloud server transforms the ciphertexts intended for TA to ciphertexts that can be decrypted by the query user by using proxy re-encryption, enabling data users to decrypt the result with their own keys, without exposing sensitive data. It reduces the complexity of key management.
• We present the theoretical analysis from aspects of security and performance. The results from our experiments confirm that the scheme is practical and efficient.

1.2. Paper Organization

The related works are summarized in Section 2. We introduce the preliminaries in Section 3. Problem formalization including the system model, threat model, and security goals is presented in Section 4. We give the concrete construction of our scheme in Section 5. The correctness and security analysis are presented in Section 6. In Section 7, we show the performance analysis and experimental evaluation. In the end, we conclude our work in Section 8.

2. Related Work

We summarize the related works including graph encryption and outsourced private set intersection. Our scheme represents a specialized form of graph encryption to compute graph intersection, It is an extension of private set intersection, which computes the intersection of sets instead of graphs.

2.1. Graph Encryption

Chase and Kamara [25] proposed structured encryption schemes that support several kinds of private queries on encrypted data with complex structures. Among all the graph operations, the shortest distance query is the most fundamental one. Meng et al. [26] proposed GRECS composed of three schemes for different security and efficiency requirements; the schemes realize approximate shortest distance queries. Refs. [4,5,6] support exact shortest distance queries, and refs. [1,2,3] solve the problems in the constrained shortest distance query (CSD). Some other schemes [27,28,29,30] can provide users with the shortest path. Other privacy-preserving graph operations include graph search [31,32], minimum community search [7], graph similarity query [33], subgraph counting [8], and so on. The most related works to ours are subgraph matching [9,10,11,12,13,14] and graph intersection [15]. Cao et al. [14] introduced a system called PPGQ that utilizes the “filtering and verification” principle to filter according to a feature-based index and efficient inner product, where data users decrypt the candidate supergeaphs and verify each candidate. Fan et al. [12] transformed the classic Ullmann’s algorithm as a progression of matrix calculations, which is protected by a cyclic group-based encryption scheme. Zuo et al. [10] designed a privacy-preserving subgraph matching scheme that can protect the privacy of the user’s query subgraph and the original graph. It also achieved data integrity. Ge et al. [11] considered another type of subgraph matching that searches for all graphs exhibiting subgraph isomorphism with the query pattern from large amounts of small graphs, and where the query user is able to directly extract the subgraph. Wang et al. [9] designed OblivGM that supports attributed subgraph matching and can also hide search patterns. Based on OblivGM, they further proposed eGrass [13], which considers secure attributed subgraph matching even if the clouds are malicious. However, the techniques used in these schemes cannot support multiple users flexibly without key management; some of them are designed for a single user, while others enable data users to obtain the decryption key through access control.

2.2. Outsourced Private Set Intersection

In outsourced private set intersection (O-PSI), data owners outsource the PSI computation the cloud server. Kerschbaum [18] firstly presented an outsourced PSI scheme on the basis of Bloom filter and HE. Since then, various PSI schemes have been proposed. Ref. [19] extended the scale of PSI protocol to billion-element sets by using a high-efficiency data structure from the Sparsehash library. Abadi et al. [20] presented two delegated private set intersection schemes, of which O-PSI employs additive homomorphic encryption, and EO-PSI makes use of hash tables instead of public key encryption, which provides higher efficiency. Ali et al. [21] designed a protocol in which data owners can define access control policies such that only data owners who satisfy specific attributes can query for PSI results. Since the cloud server can be malicious, the schemes in [22,23,24,34] realized both privacy preservation and verifiability; their PSI computations were combined with the resultant verification mechanisms that enable clients to verify whether the results are correct. Sharma [35] designed a framework named PRISM which is based on secret sharing, where data owners upload their data to non-colluding clouds to perform secure set operations based on secret sharing. All these works support private set intersection among sets, but how to securely compute the intersection of graphs has yet to be studied.

3. Preliminaries

We summarize concepts and basic tools of our scheme: to realize secure graph intersection, we employ the proxy re-encryption (PRE) based on bilinear pairings.

3.1. Graph Intersection

Definition 1.

(Graph Intersection). Given t graphs $G_1=(V_1,E_1),G_2=(V_2,E_2),\dots ,G_t=(V_t,E_t)$, the graph intersection is defined as $G=G_1\cap G_2\cap ...\cap G_t=(V,E)$ satisfying the following:

• For each vertex $v\in V$, $v\in V_1$ and $v\in V_2$.
• For each vertex $e\in E$, $e\in E_1$ and $e\in E_2$.

Figure 2 is an example: the intersection of graph $G_1$ and $G_2$ is G.

3.2. Bilinear Pairings

Bilinear pairings is a map presented as $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$, where $\mathbb{G}$ and ${\mathbb{G}}_T$ are cyclic groups of prime order p, generator $g=〈\mathbb{G}〉$. It satisfies the following properties:

• Bilinearity. $e(u^a,v^b)=e{(u,v)}^{ab}$, for all $u,v\in \mathbb{G}$ and $a,b\in {\mathbb{Z}}_p$.
• Non-degeneracy. $e(g,g)\ne 1$.
• Computability. $e(g,g)$ can be computed efficiently.

3.3. Proxy Re-Encryption

Our graph encryption scheme is based on the proxy re-encryption (PRE) technique. We employ the PRE scheme in the following [36]:

• $PRE.Setup\left(\lambda \right)$. Given a security parameter $\lambda$, $TA$ constructs a bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ where $\mathbb{G}$ and ${\mathbb{G}}_T$ are groups of prime order p, and generator $g\in \mathbb{G}$, return the public parameters $\mathcal{P}=\{\mathbb{G},{\mathbb{G}}_T,e,p,g\}$.
• $PRE.KeyGen\left(\lambda \right)$. An entity chooses a random $sk\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{\ast }$ as the private key; their public key is $pk\leftarrow g^{sk}$.
• $PRE.ReKeyGen(s{k}_a,p{k}_b)$. The re-encryption key $R_{ab}$ can be generated with delegator a’s private key $s{k}_a$ and delegatee b’s public key as $R_{ab}=p{k}_b^{{\displaystyle \frac{1}{s{k}_a}}}=g^{{\displaystyle \frac{s{k}_b}{s{k}_a}}}$
• $PRE.Enc(m,p{k}_a,\mathcal{P})$. To encrypt a message $m\in {\mathbb{G}}_T$ under $p{k}_a$: sample $r\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{\ast }$, $C_1=p{k}_a^r=g^{s{k}_a·r}$, $C_2=e{(g,g)}^r·m$. The ciphertext $C=(C_1,C_2)$.
• $PRE.ReEnc(C,R_{ab})$. Given the re-encryption key $R_{ab}$, ciphertext $C=(C_1,C_2)$ can be re-encrypted as follows: sample $r^{\prime }\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{\ast }$, $C_3={R_{ab}}^{{\displaystyle \frac{1}{r^{\prime }}}}=p{k}_b^{{\displaystyle \frac{1}{s{k}_a·r^{\prime }}}}=g^{{\displaystyle \frac{s{k}_b}{s{k}_a·r^{\prime }}}}$, $C_4={C_1}^{r^{\prime }}=p{k}_i^{r·r^{\prime }}=g^{s{k}_a·r·r^{\prime }}$. The re-encrypted ciphertext $C^{\prime }=(C_2,C_3,C_4)$.
• $PRE.Dec(C^{\prime },s{k}_b)$. Entity b can decrypt $C^{\prime }=(C_2,C_3,C_4)$ using their private key $s{k}_b$: $m={\displaystyle \frac{C_2}{e{(C_3,C_4)}^{\frac{1}{s{k}_b}}}}$

4. Problem Formalization

4.1. System Model

There are four types of roles in the system—data owners, data users, cloud server, and a trusted authority, as shown in Figure 1:

• Cloud Server. The cloud server possesses strong storage and computational capabilities: it receives and stores encrypted graph data uploaded by data owners, performs graph re-encryption and intersection operations, and finally it provides the results to the data user.
• Data Owner $D{O}_i$. Each data owner has a graph $G_i=(V_i,E_i)$ that participates in graph intersection computation. To ensure the confidentiality of the graph $G_i$, they will encrypt $G_i$ before uploading it to the cloud server.
• Data User. A data user may query for the intersection of graphs from $D{O}_1,D{O}_2,\dots ,D{O}_t$. In order to save storage and computational costs, they outsource the computational task to the cloud server, and finally obtains the encrypted result from the cloud server and decrypts it.
• Trusted Authority. As a trusted third party, the $TA$ initializes the system with a security parameter $\lambda$, generates a set of public parameters $\mathcal{P}$. It is also responsible for generating re-encryption keys that enable the cloud server to convert the ciphertexts for them to be decryptable by the data user.

4.2. Threat Model

We consider $TA$ and data owners to be trustworthy, data owners will honestly model their graph data and encrypt them. The cloud server is considered semi-honest, implying that it executes our protocol honestly, but it may try to infer sensitive information during computation such as the original and intersection graph, through methods such as statistics and analysis.

4.3. Security Goals

• Graph data confidentiality. Any information about original graphs except for information in leakage functions should not be obtainable by the cloud server or other adversaries; only the part in the intersection with graphs from other data owners can be learned by an authorized data user.
• Query result confidentiality. The graph intersection results in a ciphertext form that can only be decrypted by an authorized data user with their own key. It remains confidential from the cloud server, data owners, other data users, and adversaries.

4.4. Security Definition

We adopt the adaptive chosen query attack (CQA2) security definition in the graph intersection scheme, which is defined as follows:

Definition 2.

(CQA2-Security). Let $\mathsf{\Pi }=(Setup,KeyGen,ReKeyGen,GraphIntersection,Dec)$ be our private graph intersection scheme, and let ${\mathcal{L}}_1$ and ${\mathcal{L}}_2$ be leakage functions. $\mathcal{A}$ denotes the adversary, and $\mathcal{S}$ denotes the simulator. Supposing λ is the security parameter, the experiments in the ideal world and real world are defined as follows:

• ${\mathbf{Real}}_{\mathcal{A}}\left(\lambda \right)$: $\mathcal{A}$ outputs graphs $G_1,G_2,\dots ,G_n$. The experiment generates a pair of keys $(pk,sk)$ by $KeyGen$ and generates the re-encryption key $R_{TA\to DU}$ by $ReKeyGen$. Then, $\mathcal{A}$ makes queries for intersections of randomly chosen t graphs $G_1,G_2,\dots ,G_t$, for each query, and the experiment computes computes $C_i\leftarrow Enc\left(G_i\right)$ and sends the encrypted graphs $C_1,C_2,\dots ,C_t$ to $\mathcal{A}$. It then compute the encrypted intersection graph $\tilde{C}\leftarrow$$GraphIntersection$$(\mathcal{P},R_{TA\to DU},C_1,\dots ,C_t)$ and gives it to $\mathcal{A}$. At the end of the experiment, $\mathcal{A}$ outputs a bit $b\in \left\{0,1\right\}$ as the experiment result.
• ${\mathbf{Ideal}}_{\mathcal{A},\mathcal{S}}\left(\lambda \right)$: $\mathcal{A}$ outputs graphs $G_1,G_2,\dots ,G_n$. Then, $\mathcal{A}$ makes queries for intersections of randomly chosen t graphs $G_1,G_2,\dots ,G_t$. Based on leakage functions ${\mathcal{L}}_1$ and ${\mathcal{L}}_2$, $\mathcal{S}$ produces encrypted graphs $C_1^{\ast },C_2^{\ast },\dots ,C_t^{\ast }$ and sends them to $\mathcal{A}$, then $\mathcal{S}$ simulates and sends the query results ${\tilde{C}}^{\ast }$ to $\mathcal{A}$. At the end of the experiment, $\mathcal{A}$ outputs a bit $b\in \left\{0,1\right\}$ as the experiment result.

We say the graph encryption scheme Π is $({\mathcal{L}}_1,{\mathcal{L}}_2)$-secure against the adaptive chosen query attack if for any probability polynomial time (PPT) adversary $\mathcal{A}$, there exists a PPT simulator $\mathcal{S}$ that

$$\left|Pr\left[{\mathbf{Real}}_{\mathcal{A}}\left(\lambda \right)=1\right]-Pr\left[{\mathbf{Ideal}}_{\mathcal{A},\mathcal{S}}\left(\lambda \right)=1\right]\right|\le negl\left(\lambda \right)$$

(1)

where $negl\left(\lambda \right)$ denotes a negligible function.

5. Construction of Our Scheme

We present our scheme for secure graph intersection computation, including the construction overview and concrete construction.

5.1. Construction Overview

Our scheme consists of the following six algorithms:

• $Setup\left(\lambda \right)\to \mathcal{P}$. The procedure $setup$ is executed by the $TA$, the trusted third party, taking a secure parameter $\lambda$ as input and producing a set of public parameters $\mathcal{P}$ as output.
• $KeyGen(\lambda ,\mathcal{P})\to (pk,sk)$. Upon input of a security parameter $\lambda$ and public parameter $\mathcal{P}$, we use this algorithm to generate a pair of public–private keys $(pk,sk)$.
• $ReKeyGen(\mathcal{P},sk,p{k}_{DU})\to R_{TA\to DU}$. Given the public parameter $\mathcal{P}$, $TA$’s private key $sk$, and the public key $p{k}_{DU}$ of the data user $DU$, the algorithm outputs a re-encryption key $R_{TA\to DU}$ that allows ciphertexts encrypted by data owners to be transformed into ciphertexts intended for the data user $DU$.
• $Enc(\mathcal{P},pk,G_i)\to C_i$. It is the graph encryption algorithm executed by data owner $D{O}_i$; taking the graph $G_i$, public key of the $TA$, and $\mathcal{P}$ as inputs, it outputs the encrypted graph $C_i$.
• $GraphIntersection(\mathcal{P},R_{TA\to DU},C_1,\dots ,C_t)\to \tilde{C}$. This algorithm takes public parameter $\mathcal{P}$, the re-encryption key $R_{TA\to DU}$, and ciphertexts $C_1,C_2,\dots ,C_t$ uploaded by the data owner $D{O}_1,D{O}_2,\dots ,D{O}_t$, and the cloud server performs re-encryption on $C_1,C_2,\dots ,C_t$, resulting in new ciphertexts ${\tilde{C}}_1,\dots ,{\tilde{C}}_t$. The cloud server calculates the graph intersections and outputs the encrypted result $\tilde{C}$.
• $Dec(\mathcal{P},\tilde{C},s{k}_{DU})\to G$.Taking the inputs of private key $s{k}_{DU}$ and re-encrypted ciphertext $\tilde{C}$, this algorithm returns the subgraph G.

5.2. Concrete Construction

The details of our secure graph intersection scheme is described in this section. We summarize the notations in our construction in

Table 1. Summary of notations.

Notations	Description
$\mathcal{P}$	public parameters
$(p{k}_{DU},s{k}_{DU})$	public–private key pair of data user $DU$
$(pk,sk)$	public–private key pair of the trusted authority $TA$
$R_{TA\to DU}$	re-encryption key from trusted authority $TA$ to data user $DU$
$G_i=(V_i,E_i)$	graph of data owner $D{O}_i$
$n_i$	the amount of vertices in $G_i$
$V_i$	vertex set of $G_i$
$H_i$	hashed vertex set of $G_i$
$E_i$	adjacency matrix of $G_i$
$v_j^i$	the vertex in $V_i$
$e_{kl}^i$	the element in adjacency matrix $E_i$
$C^i=(C_v^i,C_e^i)$	the encrypted form of $G_i$
$\tilde{C}=({\tilde{C}}_I,{\tilde{C}}_e)$	the encrypted graph intersection

.

5.2.1. Setup

Given the security parameter $\lambda$, $TA$ completes the setup phase and generates the following public parameters: a bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$, where $\mathbb{G}$ and ${\mathbb{G}}_T$ are groups of prime order p, and generator $g\in \mathbb{G}$, a collision-resistant hash function $H:{\left\{0,1\right\}}^{\ast }\to {\mathbb{Z}}_p$. The public parameters $\mathcal{P}=\{\mathbb{G},{\mathbb{G}}_T,p,g,H\}$.

5.2.2. KeyGen

$TA$ chooses the private key $sk$ randomly from ${\mathbb{Z}}_p^{\ast }$, and the public key is $pk\leftarrow g^{sk}$. Similarly, data user $D{U}_i$ also generates their own public–private key pair $(p{k}_{DU},s{k}_{DU})$, where $p{k}_{DU}=g^{s{k}_{DU}}$.

5.2.3. ReKeyGen

When user $DU$ initiates a query request, $TA$ generates the re-encryption key for $DU$: $R_{TA\to DU}={\left(p{k}_{DU}\right)}^{{\displaystyle \frac{1}{sk}}}$.

5.2.4. Enc

Data owner $D{O}_i$ models their graph as $G_i=(V_i,E_i)$, $V_i=\left\{v_1^i,v_2^i,\dots v_{n_i}^i\right\}$ is the vertex set, and each $v_j^i$ represents the unique ID value of a vertex. $E_i$ is the adjacency matrix, which can be represented as

$$E_i=\left(\begin{array}{ccc}{e}_{11}^i& \dots & e_{1n_i}^i\\ \dots & & \dots \\ e_{n_{i}1}^i& \dots & e_{n_i{n}_i}^i\end{array}\right)$$

where each element $e_{kl}^i\in \left\{\theta ,1\right\}$ ($\theta$ is a random number that $\theta \ne 0$), $e_{kl}^i=1$ indicates that there is an edge connecting nodes $v_k^i$ and $v_l^i$, while $e_{kl}^i=\theta$ indicates that there is no edge between the two nodes.

To ensure the confidentiality of the graph, $D{O}_i$ performs the following operations on $G_i=(V_i,E_i)$ as shown in Algorithm 1.

• Vertices Hashing. $D{O}_i$ performs a hash computation on the vertices set to obtain the corresponding hashed set $H_i=\{h_1^i,h_2^i,\dots ,h_{n_i}^i\}$.
• Graph Encryption. $D{O}_i$ encrypts $G_i=(V_i,E_i)$ using proxy re-encryption (PRE). To elaborate in detail, given $V_i=\left\{v_1^i,v_2^i,\dots v_{n_i}^i\right\}$, adjacency matrix $E_i$, $pk$. For each element $v_j^i\in V_i$, choose $r_j^i$ randomly from ${\mathbb{Z}}_p^{\ast }$, compute $c_j^i=(c_{1j}^i,c_{2j}^i)$, where $c_{1j}^i=p{k}^{r_j^i},c_{2j}^i=e{(g,g)}^{r_j^i}·v_j^i$. For each element $e_{kl}^i\in E_i$, choose $r_{kl}^i$ randomly from ${\mathbb{Z}}_p^{\ast }$, and compute $c_{kl}^i=(c_{1kl}^i,c_{2kl}^i)$ where $c_{1kl}^i=p{k}^{r_{kl}^i},c_{2kl}^i=e{(g,g)}^{r_{kl}^i}·e_{kl}^i$. The encrypted graph is $C^i=(C_v^i,C_e^i)$, where the encrypted vertices set $C_v^i=\{c_1^i,c_2^i,\dots ,c_{n_i}^i\}$, and the encrypted adjacency matrix

  $$C_e^i=\left(\begin{array}{ccc}{c}_{11}^i& \dots & c_{1n_i}^i\\ \dots & & \dots \\ c_{n_{i}1}^i& \dots & c_{n_i{n}_i}^i\end{array}\right)$$

Algorithm 1 Enc.

Input: public parameter $\mathcal{P}$, $D{O}_i$’s graph $G_i=(V_i,E_i)$, $TA$’s public key $pk$. Output: encrypted graph $C^i$. 1: for each element $v_j^i\in V_i$ do 2:    $h_j^i\leftarrow H\left(v_j^i\right)$. 3:    $c_j^i\leftarrow PRE.Enc(v_j^i,pk,\mathcal{P})$. 4: end for 5: $H_i\leftarrow \{h_1^i,h_2^i,\dots ,h_{n_i}^i\}$. 6: $C_v^i\leftarrow \{c_1^i,c_2^i,\dots ,c_{n_i}^i\}$. 7: for each element $e_{kl}^i\in E_i$ do 8:    $c_{kl}^i\leftarrow PRE.Enc(e_{kl}^i,pk,\mathcal{P})$. 9: end for 10: Set $$C_e^i=\left(\begin{array}{ccc}{c}_{11}^i& \dots & c_{1n_i}^i\\ \dots & & \dots \\ c_{n_{i}1}^i& \dots & c_{n_i{n}_i}^i\end{array}\right)$$ 11: return$H_i,C^i=(C_v^i,C_e^i)$.

5.2.5. GraphIntersection

The GraphIntersection in Algorithm 2 works as follows:

Algorithm 2 GraphIntersection.

Input: public parameter $\mathcal{P}$, the re-encryption key $R_{TA\to DU}$, $C^i=(C_v^i,C_e^i)$, $H_i$, $i=1,2,\dots ,t$. Output:  $\tilde{C}$. 1: $H_I=\{h_1,h_2,\dots ,h_s\}\leftarrow Intersection(H_1,H_2,\dots ,H_t)$. 2: Obtain the encrypted vertices set $C_I=\{c_{I\left(j\right)},j=1,\dots ,s\}$ according to $H_I$. 3: for each element $c_{I\left(j\right)}\in C_I$ do 4:    ${\tilde{c}}_{I_{(}j)}\leftarrow PRE.ReEnc(c_{I\left(j\right)},R_{TA\to DU})$. 5: end for 6: The re-encrypted node set ${\tilde{C}}_I\leftarrow \{{\tilde{c}}_{I\left(j\right)},j=1,\dots ,s\}$. 7: for each encrypted matrix $C_e^i$, $i=1,2,\dots ,t$ do 8:    Choose the elements $c_{I_u\left(i\right)I_v\left(i\right)}^i$ in the encrypted matrix $C_e^i$ where $u,v\in \{1,2,..,s\}$ and constructs the submatrix $S_e^i$ 9:    for each element $c_{I_u\left(i\right)I_v\left(i\right)}^i\in S_e^i$ do 10:      ${\tilde{c}}_{I_u\left(i\right)I_v\left(i\right)}^i\leftarrow PRE.ReEnc(c_{I_u\left(i\right)I_v\left(i\right)}^i,R_{TA\to DU})$. 11:    end for 12:    The re-encrypted matrix ${\tilde{S}}_e^i$ 13: end for 14: Compute the element-wise product of re-encrypted matrices ${\tilde{C}}_e\leftarrow {\tilde{S}}_e^1\circ \dots \circ {\tilde{S}}_e^t$. 15: return $\tilde{C}=({\tilde{C}}_I,{\tilde{C}}_e)$.

• Vertices Re-encryption. Given the hash sets $H_1,H_2,\dots ,H_t$, the cloud server computes their intersection. Denote the intersection by $H_I=H_1\cap H_2\cap \dots \cap H_t=\{h_1,h_2,\dots ,h_s\}$ and the intersection of graph nodes as $V_I=V_1\cap V_2\cap \dots \cap V_t=v_1,v_2,\dots ,v_s$. The graph node corresponding to element $h_j$ actually has different ordinality in the original graphs. We denote the ordinality of the node of the original graph $G_i$ corresponding to $h_j$ by $I_i\left(j\right):[1..s]\to [1..n_s]$. There are t encrypted node sets, and since the t encrypted node sets can be decrypted to the same node intersection set, we only need to choose a random one to re-encrypt it, which can be written as $C_I=\{c_{I\left(j\right)},j=1,\dots ,s\}$. For each $c_{I\left(j\right)}\in C_I$, we re-encrypt it using proxy re-encryption (PRE). Specifically, for $c_{I\left(j\right)}=(c_{1I\left(j\right)},c_{2I\left(j\right)})=(p{k}^{r_{I\left(j\right)}},e{(g,g)}^{r_{I\left(j\right)}}·v_{I\left(j\right)})$, choose $t_{I\left(j\right)}$ randomly from ${\mathbb{Z}}_p^{\ast }$, and compute $c_{3I\left(j\right)}=R_{TA\to DU}^{{\displaystyle \frac{1}{t_{I\left(j\right)}}}},c_{4I\left(j\right)}=c_{1I\left(j\right)}^{t_{I\left(j\right)}}$, with the re-encrypted ${\tilde{c}}_{I\left(j\right)}=(c_{3I\left(j\right)},c_{4I\left(j\right)},c_{2I\left(j\right)})$. The cloud server can precompute $e(c_{3I\left(j\right)},c_{4I\left(j\right)})$ for every node for the decryption phase. Finally, the cloud server obtains the re-encrypted vertices sets ${\tilde{C}}_I\leftarrow \{{\tilde{c}}_{I\left(j\right)},j=1,\dots ,s\}$.
• Matrices Re-encryption. The cloud server continues to calculate the re-encrypted adjacency matrix. It chooses the elements $c_{I_u\left(i\right)I_v\left(i\right)}^i$ in the encrypted matrix $C_e^i$ where $u,v\in \{1,2,..,s\}$ and constructs the submatrix

  $$S_e^i=\left(\begin{array}{ccc}{c}_{I_1\left(i\right)I_1\left(i\right)}^i& \dots & c_{I_1\left(i\right)I_s\left(i\right)}^i\\ \dots & & \dots \\ c_{I_s\left(i\right)I_1\left(i\right)}^i& \dots & c_{I_s\left(i\right)I_s\left(i\right)}^i\end{array}\right)$$
  For each $c_{I_u\left(i\right)I_v\left(i\right)}^i\in S_e^i$, we re-encrypt it using proxy re-encryption (PRE). Specifically, for $c_{I_u\left(i\right)I_v\left(i\right)}^i=(c_{1I_u\left(i\right)I_v\left(i\right)},c_{2I_u\left(i\right)I_v\left(i\right)})=(p{k}^{r_{I_u\left(i\right)I_v\left(i\right)}^i},e{(g,g)}^{r_{I_u\left(i\right)I_v\left(i\right)}^i}·e_{I_u\left(i\right)I_v\left(i\right)}^i)$, we choose $t_{I_u\left(i\right)I_v\left(i\right)}^i$ randomly from ${\mathbb{Z}}_p^{\ast }$, and compute $c_{3I_u\left(i\right)I_v\left(i\right)}^i=R_{TA\to DU}^{{\displaystyle \frac{1}{t_{I_u\left(i\right)I_v\left(i\right)}^i}}},c_{4I_u\left(i\right)I_v\left(i\right)}^i=c_{1I_u\left(i\right)I_v\left(i\right)}^{t_{I_u\left(i\right)I_v\left(i\right)}^i}$, with the re-encrypted ${\tilde{c}}_{I_u\left(i\right)I_v\left(i\right)}^i=(c_{3I_u\left(i\right)I_v\left(i\right)}^i,c_{4I_u\left(i\right)I_v\left(i\right)}^i,c_{2I_u\left(i\right)I_v\left(i\right)}^i)$. The cloud server can also precompute $e(c_{3I_u\left(i\right)I_v\left(i\right)}^i,c_{4I_u\left(i\right)I_v\left(i\right)}^i)$ for every element for the decryption phase. Finally, the cloud server obtains the re-encrypted matrix

  $${\tilde{S}}_e^i=\left(\begin{array}{ccc}{c}_{2I_1\left(i\right)I_1\left(i\right)}^i& \dots & c_{2I_1\left(i\right)I_s\left(i\right)}^i\\ \dots & & \dots \\ c_{2I_s\left(i\right)I_1\left(i\right)}^i& \dots & c_{2I_s\left(i\right)I_s\left(i\right)}^i\end{array}\right)$$
• Graph Intersection Computation. The cloud server then computes

  $$\begin{array}{cc}\hfill & {\tilde{C}}_e={\tilde{S}}_e^1\circ ...\circ {\tilde{S}}_e^t=\left(\begin{array}{ccc}\prod _{i=1}^t{c}_{2I_1\left(i\right)I_1\left(i\right)}^i& ...& \prod _{i=1}^t{c}_{2I_1\left(i\right)I_s\left(i\right)}^i\\ ...& & ...\\ \prod _{i=1}^t{c}_{2I_s\left(i\right)I_1\left(i\right)}^i& ...& \prod _{i=1}^t{c}_{2I_s\left(i\right)I_s\left(i\right)}^i\end{array}\right)\hfill \end{array}$$

  (2)

At the end, the calculated result $\tilde{C}=({\tilde{C}}_I,{\tilde{C}}_e)$ is sent to the querying user $DU$.

5.2.6. Dec

The $Dec$ shown in Algorithm 3 works as follows:

• Vertices Decryption. According to the graph re-encryption in Algorithm 2, the re-encrypted node set corresponding to the intersection set $V_I$ is ${\tilde{C}}_I=\{{\tilde{c}}_{I\left(j\right)},j=1,\cdots ,s\}$, where ${\tilde{c}}_{I\left(j\right)}=(c_{3I\left(j\right)},c_{4I\left(j\right)},c_{2I(j)})=(R_{TA\to DU}^{{\displaystyle \frac{1}{t_{I(j)}}}},p{k}^{r·t_{I(j)}},e{(g,g)}^{r_j}·v_j)=(g^{{\displaystyle \frac{s{k}_{DU}}{sk·t}}},g^{sk·r·t_{I(j)}},e{(g,g)}^{r_j}·v_j)$. It can be obtained that $v_j={\displaystyle \frac{c_{2I(j)}}{e{(c_{3I(j)},c_{4I(j)})}^{\frac{1}{s{k}_{DU}}}}}$. Finally, we obtain the set of intersections of vertices $V=\{v_j,j=1,\cdots ,s\}$.
• Matrix Decryption. The edges set intersection ${\tilde{C}}_e$ can be decrypted with $s{k}_{DU}$ as follows:

  $$\begin{array}{cc}\hfill & E=PRE.De{c}_{s{k}_{DU}}({\tilde{C}}_e,s{k}_{DU})\hfill \\ \hfill & =PRE.De{c}_{s{k}_{DU}}\left(\begin{array}{ccc}\prod _{i=1}^t{c}_{2I_1\left(i\right)I_1\left(i\right)}^i& \dots & \prod _{i=1}^t{c}_{2I_1\left(i\right)I_s\left(i\right)}^i\\ \dots & & \dots \\ \prod _{i=1}^t{c}_{2I_s\left(i\right)I_1\left(i\right)}^i& ...& \prod _{i=1}^t{c}_{2I_s\left(i\right)I_s\left(i\right)}^i\end{array}\right)\hfill \\ \hfill & =\left(\begin{array}{ccc}\prod _{i=1}^t{e}_{I_1\left(i\right)I_1\left(i\right)}^i& ...& \prod _{i=1}^t{e}_{I_1\left(i\right)I_s\left(i\right)}^i\\ ...& & ...\\ \prod _{i=1}^t{e}_{I_s\left(i\right)I_1\left(i\right)}^i& ...& \prod _{i=1}^t{e}_{I_s\left(i\right)I_s\left(i\right)}^i\end{array}\right)\hfill \end{array}$$

  (3)

Finally, the data user $DU$ recovers the intersection of the graphs G by using V and E.

Algorithm 3 Dec.

Input: $\tilde{C}=({\tilde{C}}_I,{\tilde{C}}_e)$, $\mathcal{P}$, $s{k}_{DU}$. Output: G. 1: for  ${\tilde{c}}_{I\left(j\right)}\in {\tilde{C}}_I$  do 2:    Decrypt $v_j=PRE.Dec({\tilde{c}}_{I\left(j\right)},s{k}_{DU})$. 3: end for 4: $V\leftarrow \{v_1,v_2,\dots ,v_s\}$. 5: $E\leftarrow PRE.De{c}_{s{k}_{DU}}({\tilde{C}}_e,s{k}_{DU})$ 6: return  $G=(V,E)$

6. Correctness and Security Analysis

6.1. Correctness Analysis

Theorem 1.

If all follow the algorithms within the scheme, then the query user can obtain the correct graph intersection result.

Proof. 

We prove that the query user can obtain $G=(V,E)=G_1\cap G_2\cap ...\cap G_t$.

When calculating graph intersection, the cloud server first acquires a set of common hash values $H_I=\{h_1,h_2,...,h_s\}$. Since each value in the hash set $H_i$ corresponds uniquely to an element in the ciphertext set $C_v^i$, the encrypted node subset can be correctly extracted from $C_v^i$ as $C_I=\{c_{I\left(j\right)},j=1,...,s\}$. The cloud server then re-encrypts it to obtain the re-encrypted node set ${\tilde{C}}_I\leftarrow \{{\tilde{c}}_{I\left(j\right)},j=1,...,s\}$, which can be decrypted to obtain $V_I=V_1\cap V_2\cap ...\cap V_t=\{v_j,j=1,\cdots ,s\}$, to be specific, given ${\tilde{c}}_{I\left(j\right)}=(c_{3I\left(j\right)},c_{4I\left(j\right)},c_{2I\left(j\right)})$ and $s{k}_{DU}$, $v_j={\displaystyle \frac{c_{2I\left(j\right)}}{e{(c_{3I\left(j\right)},c_{4I\left(j\right)})}^{\frac{1}{s{k}_{DU}}}}}$.

The cloud server constructs the submatrices, re-encrypts the elements in the matrices and performs the Hadamard product on these matrices to obtain

$$\begin{array}{cc}\hfill & {\tilde{C}}_e={\tilde{S}}_e^1\circ \dots \circ {\tilde{S}}_e^t=\left(\begin{array}{ccc}\prod _{i=1}^t{c}_{2I_1\left(i\right)I_1\left(i\right)}^i& ...& \prod _{i=1}^t{c}_{2I_1\left(i\right)I_s\left(i\right)}^i\\ ...& & ...\\ \prod _{i=1}^t{c}_{2I_s\left(i\right)I_1\left(i\right)}^i& ...& \prod _{i=1}^t{c}_{2I_s\left(i\right)I_s\left(i\right)}^i\end{array}\right)\hfill \end{array}$$

(4)

The data user decrypts to obtain the intersection matrix with their private key $s{k}_{DU}$

$$\begin{array}{cc}\hfill & E=\left(\begin{array}{ccc}\prod _{i=1}^t{e}_{I_1\left(i\right)I_1\left(i\right)}^i& ...& \prod _{i=1}^t{e}_{I_1\left(i\right)I_s\left(i\right)}^i\\ ...& & ...\\ \prod _{i=1}^t{e}_{I_s\left(i\right)I_1\left(i\right)}^i& ...& \prod _{i=1}^t{e}_{I_s\left(i\right)I_s\left(i\right)}^i\end{array}\right)\hfill \\ \hfill & =\left(\begin{array}{ccc}{\displaystyle \frac{{\prod }_{i=1}^t{e}_{I_1\left(i\right)I_1\left(i\right)}^i·e{(g,g)}^{\sum r_{I_1\left(i\right)I_1\left(i\right)}}}{e{(g,g)}^{\sum r_{I_1\left(i\right)I_1\left(i\right)}}}}& ...& {\displaystyle \frac{{\prod }_{i=1}^t{e}_{I_1\left(i\right)I_s\left(i\right)}^i·e{(g,g)}^{\sum r_{I_1\left(i\right)I_s\left(i\right)}}}{e{(g,g)}^{\sum r_{I_1\left(i\right)I_{1s}}}}}\\ ...& & ...\\ {\displaystyle \frac{{\prod }_{i=1}^t{e}_{I_s\left(i\right)I_1\left(i\right)}^i·e{(g,g)}^{\sum r_{I_s\left(i\right)I_1\left(i\right)}}}{e{(g,g)}^{\sum r_{I_s\left(i\right)I_1\left(i\right)}}}}& ...& {\displaystyle \frac{{\prod }_{i=1}^t{e}_{I_s\left(i\right)I_{1s}}^i·e{(g,g)}^{\sum r_{I_s\left(i\right)I_s\left(i\right)}}}{e{(g,g)}^{\sum r_{I_s\left(i\right)I_s\left(i\right)}}}}\end{array}\right)\hfill \\ \hfill & =\left(\begin{array}{ccc}{\displaystyle \frac{{\prod }_{i=1}^t{c}_{2I_1\left(i\right)I_1\left(i\right)}^i}{\prod e{(c_{3I_1\left(i\right)I_1\left(i\right)}^i,c_{4I_1\left(i\right)I_1\left(i\right)}^i)}^{1/s{k}_{DU}}}}& ...& {\displaystyle \frac{{\prod }_{i=1}^t{c}_{2I_1\left(i\right)I_s\left(i\right)}^i}{\prod e{(c_{3I_1\left(i\right)I_s\left(i\right)}^i,c_{4I_1\left(i\right)I_s\left(i\right)}^i)}^{1/s{k}_{DU}}}}\\ ...& & ...\\ {\displaystyle \frac{{\prod }_{i=1}^t{c}_{2I_s\left(i\right)I_1\left(i\right)}^i}{\prod e{(c_{3I_s\left(i\right)I_1\left(i\right)}^i,c_{4I_s\left(i\right)I_1\left(i\right)}^i)}^{1/s{k}_{DU}}}}& ...& {\displaystyle \frac{{\prod }_{i=1}^t{c}_{2I_s\left(i\right)I_s\left(i\right)}^i}{\prod e{(c_{3I_s\left(i\right)I_s\left(i\right)}^i,c_{4I_s\left(i\right)I_s\left(i\right)}^i)}^{1/s{k}_{DU}}}}\end{array}\right)\hfill \end{array}$$

(5)

□

6.2. Security Analysis

This section conducts a comprehensive security evaluation of the proposed scheme. Our analysis unfolds in two key phases: initially formalizing the leakage functions, followed by a rigorous proof that the scheme is CQA-2 secure.

• Leakage function ${\mathcal{L}}_1$: Given a query $q=(G_1,G_2,...,G_t)$, where $G_i=(V_i,E_i)$, the leakage function ${\mathcal{L}}_1$ reveals the information inferred from encrypted graphs $C_1^{\ast },C_2^{\ast },\dots ,C_t^{\ast }$ and their encrypted intersection graph ${\tilde{C}}^{\ast }$, including the vertex count of each individual graph and the vertex count of the graph intersection. Thus, ${\mathcal{L}}_1\left(q\right)=(Nu{m}_1,Nu{m}_2)$ where $Nu{m}_1,Nu{m}_2$ are formally described as follows:

  -

  $Nu{m}_1$. $Nu{m}_1$ is is a t-sized array, where $Nu{m}_1\left[i\right]=\left|V_i\right|$ for $i=1,2,\dots ,t$.

  -

  $Nu{m}_2$. $Nu{m}_2$ signifies the total vertices in the graph intersection which denoted as $|V_I|$.

• Leakage function ${\mathcal{L}}_2$: The leakage function ${\mathcal{L}}_2$ reveals information during multiple queries including query pattern leakage, which reveals whether a particular query has been issued previously, and intersection pattern leakage, which indicates the number of common vertices shared among different queries. Let $\mathbf{q}=\left\{q_1,q_2,...,q_m\right\}$ be a sequence of graph intersection queries, where $q_i$ corresponds to a collection of graphs $(G_1^i,G_2^i,...,G_t^i)$. They are formally stated as follows.

Definition 3.

(Query pattern leakage). The query pattern leakage function ${\mathcal{L}}_{QP}\left(\mathbf{q}\right)$ is modeled as a $m\times m$ matrix, where each entry $(i,j)$ signifies whether $q_i$ and $q_j$ are identical. We denote each entry $(i,j)$ as $Sim(q_i,q_j)=(G_1^i=G_1^j,G_2^i=G_2^j,...,G_t^i=G_t^j)$.

Definition 4.

(Intersection pattern leakage). The intersection pattern leakage function ${\mathcal{L}}_{IP}\left(\mathbf{q}\right)$ is represented as a $m\times m$ matrix, where each entry $(i,j)$ contains common hashes between graph intersections corresponding to queries $q_i$ and $q_j$, denoted as $Com(q_i,q_j)$. Since the hash function is deterministic, hash values have one-to-one correspondence with vertices, and $Com(q_i,q_j)$ indicates the common vertices between $q_i$ and $q_j$ without leaking their identities.

Thus, the leakage function ${\mathcal{L}}_2=({\mathcal{L}}_{QP}\left(\mathbf{q}\right),{\mathcal{L}}_{IP}\left(\mathbf{q}\right))$.

Theorem 2.

If H is a secure hash function and $PRE$ is a secure proxy re-encryption algorithm, then our graph encryption scheme Π is $({\mathcal{L}}_1,{\mathcal{L}}_2)$-secure against an adaptive chosen query attack.

Proof. 

To demonstrate the security of our scheme, we construct a simulator S. Based on ${\mathcal{L}}_1$, ${\mathcal{L}}_2$, $\mathcal{S}$ generates counterfeit encrypted graphs $C_1^{\ast },C_2^{\ast },...,C_t^{\ast }$ as well as the encrypted graph intersection result ${\tilde{C}}^{\ast }$ for query $q_i\in \left\{q_1,q_2,...,q_m\right\}$. If for any probability polynomial time adversary $\mathcal{A}$, it cannot differentiate the two experiments ${\mathbf{Real}}_{\mathcal{A}}\left(\lambda \right)$ and ${\mathbf{Ideal}}_{\mathcal{A},\mathcal{S}}\left(\lambda \right)$, then our scheme is considered to be secure.

Simulating the encryption. Given $q_i=(G_1^i,G_2^i,...,G_t^i)$ and leakage functions ${\mathcal{L}}_1$ and ${\mathcal{L}}_2$, $\mathcal{S}$ first checks if $q_i$ has been previously encountered; if it has, $\mathcal{S}$ provides the previous results. Otherwise, $\mathcal{S}$ behaves as follows: it generates t graphs whose scales and vertices relationships satisfy the conditions in leakage functions ${\mathcal{L}}_1\left(q\right)=(Nu{m}_1,Nu{m}_2)$ and ${\mathcal{L}}_2=({\mathcal{L}}_{QP}\left(\mathbf{q}\right),{\mathcal{L}}_{IP}\left(\mathbf{q}\right))$. Then, $\mathcal{S}$ encrypts the t graphs using the hash function and proxy re-encryption algorithm to obtain the encrypted form of the t graphs, represented as $C_1^{\ast },C_2^{\ast },...,C_t^{\ast }$, as well as t hash sets $H_1^{\ast },H_2^{\ast },...,H_t^{\ast }$.

Simulating the graph intersection computation. Given $C_1^{\ast },C_2^{\ast },...,C_t^{\ast },H_1^{\ast },H_2^{\ast },...,H_t^{\ast }$, $\mathcal{S}$ first obtains the hash sets intersection $H_I^{\ast }$ and the encrypted vertices set intersection $C_I^{\ast }$. Then, it generates the re-encryption key $R_{TA\to DU}^{\ast }$ with a randomly chosen $s{k}^{\ast }$, and re-encrypts $C_I^{\ast }$. Finally, $\mathcal{S}$ constructs the submatrices from $C_1^{\ast },C_2^{\ast },...,C_t^{\ast }$, re-encrypts them using $R_{TA\to DU}^{\ast }$, and multiplies the re-encrypted submatrices to obtain the encrypted intersection matrix ${\tilde{C}}^{\ast }$.

Since the hash function H and proxy re-encryption algorithm $PRE$ are secure, any PPT adversary $\mathcal{A}$ cannot distinguish the fake encrypted graphs $C_1^{\ast },C_2^{\ast },...,C_t^{\ast }$, the fake hash sets $H_1^{\ast },H_2^{\ast },...,H_t^{\ast }$, and fake encrypted intersection matrix ${\tilde{C}}^{\ast }$ from real ones, i.e., $\mathcal{A}$ cannot distinguish between experiments in the ideal world and those in the real world. Thus, we have

$$\left|Pr\left[{\mathbf{Real}}_{\mathcal{A}}\left(\lambda \right)=1\right]-Pr\left[{\mathbf{Ideal}}_{\mathcal{A},\mathcal{S}}\left(\lambda \right)=1\right]\right|\le negl\left(\lambda \right)$$

(6)

where $negl$ is a negligible function.

Therefore, our scheme is $({\mathcal{L}}_1,{\mathcal{L}}_2)$-secure against an adaptive chosen query attack. □

7. Performance Analysis

In

Table 2. Comparison of functionalities with existing schemes.

Schemes	Cryptographic Primitives	Privacy	Cloud-Assisted Computation	Multi-Owners	Multi-Users
[16]	Paillier encryption	√	×	×	×
[17]	Lifted-ElGamal threshold encryption	√	×	√	√
[15]	ElGamal encryption	√	√	√	×
Our scheme	Proxy re-encryption	√	√	√	√

, we evaluate our scheme in comparison with related works across several dimensions including cryptographic primitives, privacy, cloud-assisted computation, multi-owners and multi-users. Scheme [16] computes the graph intersection of two parties. In scheme [17], multiple parties are able to collaboratively calculate the intersection of their graphs. Instead of outsourcing their graphs to a cloud server, they perform secure multi-party computation directly among the participants. Zuo et al. [15] enabled the cloud server to compute the graph intersection of multiple data owners for a single user. However, none of them support multi-users to query for graph intersection with cloud assisted computations.

7.1. Theoretical Analysis

In

Table 3. Theoretical analysis of our scheme.

Algorithms	Computational Cost	Output Size
$KeyGe{n}_{DU}$	$1E$	$1\left|\mathbb{G}\right|$
$KeyGe{n}_{TA}$	$1E$	$1\left|\mathbb{G}\right|$
$ReKeyGen$	$1E$	$1\left|\mathbb{G}\right|$
$Enc$(one data owner)	$n·H+(n^2+n)(E+e+E_T+M)$	$(n^2+n)(\left|{\mathbb{G}}_T\right|+\left|\mathbb{G}\right|)+n·\left|H\right|$
$GraphIntersection$	$(s+t·s^2)·(2E+e)+t·s^2·M$	$(s^2+s)(\left|{\mathbb{G}}_T\right|+2\left|\mathbb{G}\right|)$
$Dec$	$(s+s^2)(M+E_T)$	-

, we show the computational complexity of each phase including $KeyGe{n}_{DU}$, $KeyGe{n}_{TA}$, $ReKeyGen$, $Enc$, $GraphIntersection$, and $Dec$. The complexity analysis is denoted by the following operations: the exponentiation E in $\mathbb{G}$, the exponentiation $E_T$ in ${\mathbb{G}}_T$, the bilinear pairing e, and multiplication in ${\mathbb{G}}_T$. We consider t data owners; the intersection graph of them has s nodes. n indicates that the graph encrypted has n nodes. $\left|\mathbb{G}\right|$ is the size of a group element in $\mathbb{G}$, and $\left|{\mathbb{G}}_T\right|$ is the size of a group element in ${\mathbb{G}}_T$.

In the phase of $KeyGen$ and $ReKeyGen$, it needs one exponentiation in $\mathbb{G}$; the key size is 1 group element in $\mathbb{G}$. In the $Enc$ phase, to encrypt a graph with n nodes, we need to compute n hashes. For each of the n nodes and $n^2$ elements in the matrix, we need to compute one exponentiation in $\mathbb{G}$, one exponentiation in ${\mathbb{G}}_T$, one pairing e, and one multiplication M in ${\mathbb{G}}_T$, resulting in $n·H+(n^2+n)(E+e+E_T+M)$ operations. In the $GraphIntersection$ phase, the vertex set intersection and the submatrices totally contain $s+t·s^2$ elements, and each element re-encryption requires $2E+e$ operations. Combining with $(t-1)·s^2·M$ operations during the multiplication of matrices, totally $(s+t·s^2)·(2E+e)+(t-1)·s^2·M$ is needed. During the $Dec$ phase, a data user needs to decrypt the set of node intersection of size s and the matrix of size $s\times s$. Each of these elements requires $(M+E_T)$ to decrypt, so the complexity is $(s+s^2)(M+E_T)$.

7.2. Experiments

In this section, we analyze the performance of our scheme through a series of experiments.

7.2.1. Experimental Setting

We perform the experiments on an Ubuntu 22.04 operating system in the VMware Workstation on a PC with an i9-13900H CPU and 16 GB RAM. We implement the scheme using Go programming language based on the PBC library for Go [37]. We adopt the type A pairing which generates a pairing on the curve $y^2=x^3+x$ over the field $F_q$. In our experiment setting, the large prime q is 512 bits, and the group order of $\mathbb{G}$ is set to 160 bits. We instantiate hash function H with SHA-256.

Table 4. Execution time of basic operations.

Operation ($\times 100$)	Exponent in $\mathbb{G}$	Exponent in ${\mathbb{G}}_{\mathit{T}}$	Multiplication in ${\mathbb{G}}_{\mathit{T}}$	Bilinear Paring	H
time	$62.70$ ms	$5.30$ ms	$160.08$ µs	$41.58$ ms	$138.61$ µs

shows the execution time of basic operations using for 100 times. We evaluate the performance using real-world graph data LastFM Asia social network [38]. The LastFM Asia social network is an undirected graph with 7627 nodes and 27,806 edges. We randomly choose subgraphs as graph data for data owners while controlling the number of common vertices among them to ensure the intersections are not empty.

7.2.2. Experimental Results

We demonstrate the experimental results in Figure 3.

Figure 3a shows the encryption time for graphs of different size at the data owner. Since we perform the encryption for each node and each element in the adjacency matrix, the encryption time grows with the size of the graph. As we can see, with the vertex count of the graph varying from 200 to 1200, the encryption time increases from 29.62 s to 1040.72 s. Since each data owner is required to encrypt their graph only once, the encryption time is acceptable in practice.

In Figure 3b, we show the computational cost at the cloud server. The computation time is influenced by the amount of data owners and the graph intersection size. As shown in the theoretical analysis, the cloud server needs to perform, in total, $(s+t·s^2)·(2E+e)+(t-1)·s^2·M$ operations with t data owners and s vertices in the graph intersection. We simulate this phase with data owners ranging from 100 to 500 and the vertex count in the graph intersection ranging between 20 and 80. Simulations show that the workload of the cloud server is heavy such that the computation cost rises as both the amount of the data owners and the graph intersection size increase, for example, it takes 5,143,852 s to compute the graph intersection of 500 data users with 80 common vertices. Specifically, the size of the graph intersection plays a more dominant role in determining the computation time compared to the amount of data owners.

As depicted in Figure 3c, the decryption of the data user is time saving. The decryption time is related to the size of graph intersection, and the data user only needs to perform less-time-consuming operations including exponents and multiplications in ${\mathbb{G}}_T$. As we can see, the time of decrypting graph intersection with 20 vertices is 115.35 ms, and that with 100 vertices is 2.93 s.

8. Conclusions

In this paper, we introduce a privacy-preserving multi-user graph intersection scheme in the cloud-assisted IoT environment, realizing the privacy-preserving graph intersection computation. It supports multiple data users to query for the intersection of graphs of multiple data owners. We prove our scheme is secure under reasonable assumptions. The performance assessment and experimental validation on real-world graph data confirm the efficiency and practicality of our scheme. In the future, we will explore how to realize the privacy-preserving graph intersection query against malicious cloud servers and consider further improving the efficiency to make the scheme applicable to larger-scale graph data.