Message in a Sealed Bottle: Privacy Preserving Friending in Social Networks Lan Zhang∗, Xiang-Yang Li,y, Yunhao Liu,∗z ∗ Department of Computer Science and Technology, School of Software, TNList, Tsinghua University y Department of Computer Science, Illinois Institute of Technology z Department of Computer Science and Engineering, HKUST Abstract—Many proximity-based mobile social networks are profiles to facilitate friending between proximate strangers and developed to facilitate connections between any two people, or to enable privacy preserving people searching to some extent. help a user to find people with a matched profile within a certain Observe that in practice the mobile Internet connection may distance. A challenging task in these applications is to protect the privacy of the participants’ profiles and personal interests. not always be available and it may incur high expense. Thus, in In this paper, we design novel mechanisms, when given a this work we focus on proximity-based decentralized mobile preference-profile submitted by a user, that search persons social networks (MSN) based on short-range wireless tech- with matching-profile in decentralized multi-hop mobile social nologies such as WiFi and Bluetooth. However the increasing networks. Our mechanisms also establish a secure communication privacy concern becomes a barrier for adopting MSN. People channel between the initiator and matching users at the time are unwilling to disclose personal profiles to arbitrary persons when the matching user is found. Our rigorous analysis shows that our mechanism is privacy-preserving (no participants’ pro- in physical proximity before deciding to interact with them. file and the submitted preference-profile are exposed), verifiable The insecure wireless communication channel and potentially (both the initiator and the unmatched user cannot cheat each untrusted service provider increase the risk of revealing private other to pretend to be matched), and efficient in both communi- information. cation and computation. Extensive evaluations using real social Friending based on private profile matching allows two network data, and actual system implementation on smart phones show that our mechanisms are significantly more efficient than users to match their personal profiles without disclosing them existing solutions. to each other. There are two mainstreams of approaches Index Terms—Private Profile Matching, Secure Communica- to solve this problem. The first category provides private tion, Decentralized Mobile Social Networks. attributes matching based on private set intersection (PSI) and private cardinality of set intersection (PCSI), [12], [20]. I. INTRODUCTION The second category measures the social proximity by private vector dot product [7], [9], [25]. They rely on public-key A boom in mobile hand-held devices greatly enriches the so- cryptosystem and homomorphic encryption, which results in cial networking applications. Many social networking services expensive computation cost and usually requires a trusted third are available on mobile phones (e.g., JuiceCaster, MocoSpace party. Multiple rounds of interactions are required to perform and WiFace [23]) and majority of them are location-aware the presetting (e.g. exchange public keys) and private match- (e.g., FourSquare, BrightKite and Loopt). However, most of ing between each pair of users. Moreover, most protocols them are designed for facilitating people connections based are unverifiable: there lack efficient methods to verify the on their real life social relationship [15], [19]. There is an result. Furthermore, in these approaches, matched users and increasing difficulty of befriending new people or commu- unmatched users all get involved in the expensive computation nicating with strangers while protecting the privacy of real and learn their matching results (e.g. profile intersection) with personal information. the initiator. These limitations hinder the adoption of the SMC- Friending and communication are two important basic func- related private matching methods in MSN. tions of social networks. When people join social networks, A secure communication channel is equally important in they usually begin by creating a profile, then interact with other MSN. Although the matching process is private, the following users. Profile matching is a common and helpful way to make chatting may still be disclosed to the adversary and more new friends with common interests or to search for experts privacy may be leaked. Most protocols assume that there is [22]. Some applications help a user automatically find users a secure communication channel established by using public- with similar profile within a certain distance. For example, in key cryptosystem. This involves a trusted third party and key the social network Color, people in close proximity (within management, which is difficult to manage in decentralized 50 meters) can share photos automatically based on their MSN. similarity. MagnetU [1] matches one with nearby people for Facing these challenges, we first formally define the privacy dating, friend-making. Small-talks [21] connects proximate preserving verifiable profile matching problem in decentralized users based on common interests. These applications use MSN (Section II). We then propose several protocols (Section III) to address the privacy preserving profile matching and participants, protecting their profiles is necessary and can secure communication channel establishment in decentralized reduce the barrier to participate in MSN. Note that, the social networks without any presetting or trusted third party. exact location information is also a part of the user’s We take advantage of the common attributes between matching profile privacy. users, and use it to encrypt a message with a secret channel 2) Communication Security: The messages between a key in it. In our mechanisms, only a matching user can decrypt pair of users should be transmitted through a secure the message. A privacy-preserving profile matching and secure communication channel. We emphasize that the secure channel construction are completed simultaneously with one communication channel establishment has been ignored round communication. The secure channel construction resists in most previous works which address the private profile the Man-in-the-Middle attack. Both precise and fuzzy match- matching in decentralized MSN. In practice, after profile ing/search in a flexible form are supported. The initiator can matching, more privacy, even profile information, may be define a similarity threshold, the participant whose similarity exposed via communication through an insecure channel. is below the threshold learns nothing. A sequence of well- In this paper, we address the verifiable privacy preserving designed schemes make our protocols practical, flexible and profile matching and secure communication channel estab- lightweight, e.g., a remainder vector is designed to signifi- lishment in decentralized MSN without any presetting or cantly reduce the computation and communication overhead trusted third party. Formally, each user vk in a social network of unmatched users. Our profile matching mechanisms are has a profile set Ak consisting of mk attributes, Ak = also verifiable which thwart cheating about matching result. fa1 ; a2 ; :::; amk g. The number of attributes is not necessary We also design a mechanism for location privacy preserved k k k the same for different users. An initiator vi represents his/her vicinity search based on our basic scheme. Compared to desired user by a request profile with mt attributes as At = most existing works (Section VI) relying on the asymmetric f 1 2 mt g at ; at ; :::; at . Our mechanism allows the initiator to search cryptosystem and trusted third party, our protocols require no a matching user in a flexible way by constructing the request presetting and much less computation. To the best of our profile in the form of At = (Nt;Ot). Here knowledge, these are the first privacy-preserving verifiable • profile matching protocols based on symmetric cryptosystem. Nt consists of α necessary attributes. All of them are required to be owned by a matching user; We rigorously analyze the security and performance of • O consists of the rest m −α optional attributes. At least our mechanisms (Section IV). We then conduct extensive t t β of them should be owned by a matching user. evaluations on the performances of our mechanisms using large scale social network data, Tencent Weibo. Our results The acceptable similarity threshold of a matching user is θ = α+β . Let γ = mt − α − β. When γ = 0, a perfect match is (Section V) show that our mechanisms outperform existing mt solutions significantly. We also implement our protocols on required. A matching user vm with a profile Am must satisfy laptop and mobile phone and measure the computation and that communication cost in real systems. In our mobile-phone Nt ⊂ Am and jOt \ Amj > β: (1) implementation, a user only needs about 1.3ms to generate a friending request. On average, it only takes a non-candidate When At ⊂ Am, vm is a perfect matching user. In a user about 0.63ms and a candidate user 7ms to process this decentralized MSN, a request will be spread by relays until request. hitting a matching user or meeting a stop condition, e.g. expiration time. Then the initiator vi and the matching user II. SYSTEM MODEL AND PROBLEM DEFINITION vm decide whether to connect each other. A. System Model B. Adversary Model A user in a mobile ad hoc social networking system usually has