Gmatch: Secure and Privacy-PreservingGroup Matching in Social Networks

Boyang Wang ,, Baochun Li and Hui Li State Key Laboratory of Integrated Services Networks, Xidian University, Xian, China

Department of Electrical and Computer Engineering, University of Toronto, Toronto, Ontario, Canada{bywang, lihui}@mail.xidian.edu.cn, bli@eecg.toronto.edu

AbstractGroups are becoming one of the most compellingfeatures in both online social networks and Twitter-like micro-blogging services. A stranger outside of an existing group mayhave the need to find out more information about attributes ofcurrent members in the group, in order to make a decision tojoin. However, in many cases, attributes of both group membersand the stranger need to be kept private and should not berevealed to others, as they may contain sensitive and personalinformation. How can we find out matching information existsbetween the stranger and members of the group, based on theirattributes that are not to be disclosed? In this paper, we present anew group matching mechanism, by taking advantage private setintersection and ring signatures. With our scheme, a stranger isable to collect correct group matching information while sensitiveinformation of the stranger and group members are not disclosed.Finally, we propose to use batch verification to significantlyimprove the performance of the matching process.

I. INTRODUCTIONAs online social networks and Twitter-like micro-blogging

services redefine our lifestyle, groups are becoming one ofthe most frequently used features. Groups are, in general,formed with common attributes, such as geographic locationsand hobbies. However, the features of a group are generallydescribed by only a few keywords or a short description, whichsometimes is not enough for users to make decisions whenchoosing an appropriate group for themselves. Especially,when several groups have similar (or even the same) keywordsand descriptions, it is very inconvenient for users to choosethe most suitable one among these groups. In order to make abetter decision when choosing a group to join, a stranger witha profile of his own attributes who is still an outsider of thegroup needs to collect detail matching information from allthe group members profiles. Such a problem is referred as togroup matching.

In most situations, attributes of users are sensitive, such aspersonal health records and religious preferences. It is typicalfor a user to store these attributes privately [1], so that onlyhis friends or members in the same group are able to revealthese attributes, but strangers or any third party cannot learnthese sensitive information. Unfortunately, collecting groupmatching information using these sensitive attributes mayintroduce a number of privacy problems. On one hand, sincethe stranger is not familiar with the group, the stranger doesnot want to reveal his sensitive attributes to any group memberduring the matching process. On the other hand, because thestranger is an outside and untrusted user to the group, each

group member is reluctant to reveal his own attributes and theexact matching results between two entities to the stranger.

To make matters more challenging, each group memberneeds to generate a signature on his matching response,which contains matching information between the stranger andhimself, and sends the signature and the matching responsetogether to the stranger, so that the stranger is convinced thematching response is reliable and correct. Unfortunately, dueto the unforgeability of signatures (only the entity with theknowledge of the private key can create valid signatures), thestranger is able to learn the identity of the signer on eachmatching response, and reveal exact matching informationbetween himself and each group member.

In this paper, we proposed Gmatch, a novel secure andprivacy-preserving group matching scheme in online socialnetworks. We utilize private set intersection [2] in Gmatch, sothat the stranger is able to collect matching information fromthe group while both the stranger and each group member areable to preserve sensitive attributes to each other. Meanwhile,with ring signatures [3], [4], the stranger is convinced thatmatching information from the group is correct, but he cannotlearn exact matching information between himself and eachgroup member. In addition, we improve the efficiency of thematching process using batch verification.

The remainder of this paper is organized as follows: In Sec-tion II, we introduce the system model and design objectives.In Section III, we briefly describe cryptographic primitives weutilized in Gmatch. We then present the details of Gmatch inSection IV. Section V provides a thorough security analysis,and Section VI evaluates the performance of Gmatch. Finally,we briefly discuss related work in Section VII, and concludethis paper in Section VIII.

II. PROBLEM STATEMENTA. System Model

Our system is a social network, which includes a stranger Sand all d group members P1, ..., Pd in the group P (as shownin Fig. 1). The stranger S, who is not a member of the group P ,has k attributes in his profile and the j-th attribute is denoted asas,j . The strangers profile is denoted as As = {as,1, ..., as,k}.Group member Pi has m attributes and the profile of thisgroup member is denoted as Ai = {ai,1, ..., ai,m}. In ourmodel, we assume all group members have the same sizeof profile. Attributes in every users profile are private and

2sensitive, which are stored and maintained locally by eachuser. Note that we also assume there does not exist of athird party that first collects all the group members profiles,and then simply completes group matching between itselfand the stranger. Even if there exists a group manager whomaintains basic activities of the group, such as the changes ofmembership, it is still not able to access sensitive attributes ofgroup members. The stranger completes group matching in adistributed manner [5].

Group matching informationprofile

profile

profile

profile

profile

profile

profile

profile

Pi

Stranger S

Group P

As = {as,1, ..., as,k}

Ai = {ai,1, ..., ai,m}

Fig. 1. Stranger S wants to collect group matching information from groupP based on his attribute set As.

During group matching, this stranger S wishes to collectgroup matching information from group P based on hisprofile. If an attribute in a group members profile is equalto an attribute in the strangers profile, it is then referred to asa matched attribute. Otherwise, it is called an unmatched at-tribute. The total number of group members that has the sameattribute with the attribute as,j , is denoted as the matchingdegree Dj of attribute as,j . The group matching informationfrom the group P is described as D(P) = {D1, ..., Dk}. Eachgroup member Pi is asked to provide matching informationto stranger S based on profile Ai, so stranger S can calculategroup matching information D(P) from group P .

B. Privacy ThreatsIn this paper, we assume the stranger is honest-but-curious.

It means the stranger will honestly follow the protocol tocollect group matching information, but may attempt to learnmore information than allowed.

C. Design ObjectivesDuring the group matching, our scheme should be able

to provide the following desirable privacy properties. (1)Strangers Attributes Privacy: The stranger does not revealany attribute in his profile to any group member. (2) GroupMembers Attributes Privacy: The stranger only obtainsmatched attributes that both in his profile and some groupmembers profile, while the unmatched attributes in groupmembers profiles are not disclosed to the stranger. (3) ExactMatching Information Privacy: The stranger is able to com-pute group matching information, while any exact matchinginformation between himself and each group member is notrevealed.

III. PRELIMINARIESIn this section, we briefly introduce cryptographic primitives

that we implement in Gmatch.

A. Bilinear MapsLet G1, G2 and GT be three multiplicative cyclic groups of

prime order p, g1 be a generator of G1, and g2 be a generatorof G2. A bilinear map e is a map G1 G2 GT withthe following properties: (1) Computability: there exists anefficient algorithm for computing map e. (2) Bilinearity: forall u G1, v G2 and a, b Zp, e(ua, vb) = e(u, v)ab. (3)Non-degeneracy: e(g1, g2) 6= 1.

B. Ring SignaturesThe concept of ring signatures was first proposed by Rivest

et al. in 2001 [3]. A ring signature scheme has the propertythat, a verifier is convinced that a ring signature was producedusing one of group members private keys, but this verifier isnot able to determine which one.

C. Private Set IntersectionPrivate set intersection [2], [6], [7] enables two parties to

calculate the intersection of their private sets without leakingany additional information. Private set intersection can beconstruct using additive homomorphic encryption, such asPaillier cryptosystem [8]. The additive homomorphic encryp-tion algorithm Enc() in [8] is able to complete followingoperations, without knowing the corresponding plaintexts.

Given Enc(m1) and Enc(m2), output Enc(m1+m2) =Enc(m1) Enc(m2).

Given Enc(m1) and a constant c, output Enc(c m1) =Enc(m1)c.

IV. GMATCH: SECURE AND PRIVACY-PRESERVINGGROUP MATCHING

A. OverviewIn this section, we introduce Gmatch, a secure and privacy-

preserving group matching scheme. By utilizing private setintersection, the stranger can learn the matching informationfrom the group without revealing any unmatched attributes ingroup members profiles. With ring signatures, the stranger isconvinced that a matching response is correct and generatedby a group member, yet cannot distinguish this matching re-sponse belongs to which particular group member. Exploitingthe properties of bilinear maps, Gmatch can support batchverification, which is able to greatly improve the efficiencyof verification of ring signatures. In addition, with minormodifications in the construction of Gmatch, we can achieveeven higher privacy levels.

B. GmatchGmatch includes four steps: Setup, Compute, Evaluate,

Match. In Setup, stranger S and each group member generatetheir own public/private key pairs. In Compute, stranger S firstgenerates a polynomial, where each attribute in his profile isa root of this polynomial and all the roots are in his profile.

3Then, stranger S encrypts all the coefficients of this poly-nomial by performing additive homomorphic encryption, andsends all the encrypted coefficients to all the group members.In Evaluate, each group member evaluates a matching valuefor each attribute in his own profile using all the encryptedcoefficients, signs a matching response that contains all thematching values generated by himself, and sends this matchingresponse and the corresponding signature to the stranger. InMatch, stranger S first checks the correctness of a matchingresponse by verifying its signature, then computes whethereach matching value in this matching response indicates amatched attribute. After collecting all the matching responsesfrom all group members, the stranger S calculates matchingdegrees for all the attributes in his profile. Details of each stepare listed as follows.

Setup. Stranger S generates his public/private key pair(pks, sks) for additive homomorphic encryption. Here, weutilize Paillier cryptosystem [8]. The encryption algorithm isdenoted as Enc, and the corresponding decryption algorithmis denoted as Dec. Each group member generate his pub-lic/private key pair (pki, ski) for computing ring signatures.The ring signature scheme we used is BGLS [4], which isbased on bilinear maps. The total number of group membersis d. The number of attributes in the strangers profile is k,and the number of attributes in each group members profileis m.

Algorithm 1 KeyGenGiven two multiplicative cyclic groups G1, G2 with primeorder p and their generators g1, g2 respectively, groupmember Pi generates his public key and private key as:

1) Pick random ui Zp.2) Compute vi = gui2 G2.

Group member Pis public key is pki = vi and his privatekey is ski = ui.

Compute. Stranger S first constructs a k-degree polynomialP (x), whose k roots are all attributes in his profile. Thispolynomial is described as:

P (x) = (x as,1)(x as,2) . . . (x as,k) =

ki=0

ixi. (1)

Clearly, if an attribute ai,j from group member Pi is a matchedattribute that equals some attribute in stranger Ss profile, thenai,j is also a root of this k-degree polynomial P (x), and wehave P (ai,j) = 0.

After generating polynomial P (x), stranger S encrypts allthe k+1 coefficients of this polynomial P (x) using Enc withhis public key pks. He then sends all the k + 1 encryptedcoefficients {Enc(0), ...,Enc(k)} to each group member(as illustrated in Fig. 2).

Evaluate. Group member Pi has m attributes and eval-uates a matching value wi,j for each attribute ai,j in hisprofile. More specifically, group member Pi first computes anencrypted polynomial value Enc(P (ai,j)) for each attribute

Stranger S Group member Pi

{Enc(0), ..., Enc(k)}

Fig. 2. Stranger S sends all the encrypted coefficients to group member Pi.

ai,j . Due to properties of additive homomorphic encryptionwe introduced in Section III, this encrypted polynomial valueEnc(P (ai,j)) can be easily computed by Pis attribute ai,jand all the encrypted coefficients Enc(i), for i [0, k], asfollows:

Enc(P (ai,j))

= Enc(0 + 1ai,j + + kaki,j)

= Enc(0) Enc(1)ai,j Enc(k)

aki,j . (2)After that, group member Pi generates a random number i,j ,and computes a matching value wi,j of attribute ai,j as:

wi,j = Enc(i,j P (ai,j) + ai,j)

= Enc(P (ai,j))i,j Enc(ai,j), (3)

where Enc(ai,j) can be computed using the strangers publickey pks and attribute ai,j with Enc.

Then, group member Pi constructs his matching responsewwwi = (wi,1, ..., wi,m) using all his matching values, signsthis matching response using ring signatures in Algorithm2, and sends wwwi = (wi,1, ..., wi,m) and its ring signaturei = (i,1, ..., i,d) to stranger S (as shown in Fig. 3).

Algorithm 2 RingSignGiven all the group members public keys (pk1, ..., pkd) =(v1, ..., vd), a matching response www, and a private key sks =us for some s, this group member us

1) Randomly chooses yi Zp and computes i = gyi1for all i 6= s and i [1, d].

2) Computes h = H(www) G1 and sets

s =

(h

(

i6=s vyii )

)1/us, (4)

where H : {0, 1} Zp is a full-domain hash func-tion and : G2 G1 is a computable isomorphism.

3) Outputs the ring signature = (1, ..., d) Gd1.

Stranger S Group member Pi

{(wi,1, ..., wi,m), (i,1, ...,i,d)}

Fig. 3. Group member Pi sends matching response wwwi and its signature ito stranger S.

Match. Upon receiving a matching response wwwi and itsring signature i, stranger S first verifies the correctnessof this matching response according to Algorithm 3. If the

4matching response passes the verification, stranger S decryptseach wi,j wwwi with decryption algorithm Dec. If the resultof decryption matches one of his attributes, then ai,j is amatched attribute. Otherwise, it is an unmatched attribute. Thisis because

Dec(wi,j) = Dec(Enc(i,j P (ai,j) + ai,j))

= i,j P (ai,j) + ai,j , (5)where P (ai,j) = 0 and Dec(wi,j) = ai,j , if ai,j As.

Algorithm 3 RingVerifyGiven all the group members public keys (pk1, ..., pkd) =(v1, ..., vd), a matching response www, and its ring signature = (1, ..., d), the stranger

1) Computes h = H(www) G1.2) Verifies

e(h, g2)?=

di=1

e(i, vi). (6)

If the equation holds, then this matching response is correctand signed by a group member. Otherwise, it is not.

After decrypting all the matching values from all the groupmembers, stranger S is able to calculate the matching degreeDj , for j [1, k] and obtain group matching informationD(P) = (D1, ..., Dk) about this group P .

C. Batch VerificationGenerally, the stranger in Gmatch has to verify d matching

responses from all the d group members separately, whichintroduces prohibitive huge computation cost to himself. Uti-lizing properties of bilinear maps, the stranger can reducethe cost of verification by checking the integrity of all thematching responses in a batch manner, instead of verifyingthem one by one. The details of batch verification are shownin Algorithm 4.

Algorithm 4 BatchVerifyGiven all the group members public keys (pk1, ..., pkd) =(v1, ..., vd), all the d matching responses (www1, ...,wwwd), andtheir ring signatures (1, ...,d), where i = (i,1, ..., i,d),the stranger

1) Computes hl = H(wwwl) G1, for all l [1, d].2) Generates d random number (1, ..., d) Zdp .3) Verifies

e(

dl=1

hll , g2)?=

di=1

e(

dl=1

ll,i, vi). (7)

If the equation holds, then all the matching responses arevalid. Otherwise, they are not all valid.

Note that batch verification will fail if only one invalidmatching response exists. To further detect a small numberof invalid ones among all the responses, so the valid ones can

still pass verification, we can leverage binary search [9] duringbatch verification. More specifically, when batch verificationfails, the stranger further divides the set of all the matchingresponses into two halves, and rechecks each half using batchverification. If one half passes, all the matching responses inthis half are valid. Otherwise, two sub halves of this half willbe further rechecked until all the invalid ones are found.

D. Higher Privacy LevelsThere are two ways to modify the construction of Gmatch,

so that it can achieve even higher privacy levels. First, similarto the previous work [2], each matching value is computed aswi,j = Enc(i,jP (ai,j)) instead of wi,j = Enc(i,jP (ai,j))+ai,j . Then, when the decryption result is 0, it means that thereis a matched attribute in the group. However, the strangercannot determine which particular attribute in his profile ismatched to this attribute.

Second, instead of signing the matching response wwwi, eachgroup member signs each matching value wi,j wwwi one byone using ring signatures, and sends each matching valueseparately to the stranger. Then, the stranger believes thatevery matching value is correct and signed by a group member,but cannot distinguish whether two different matching valuesare from the same group member. Further, the stranger cannottell whether two different matched attributes are from the samegroup member. However, to achieve this higher privacy level,each group member has to operate m ring-signing operationsinstead of only one ring-signing operation, and the strangeralso needs to verify m d ring signatures in total, which willincrease the computation cost of the entire scheme.

V. SECURITY ANALYSIS

In this section, we show that Gmatch is able to achieve theprivacy properties we defined in Section II.

Theorem 1: Assuming that the additive homomorphic en-cryption is semantically secure, Gmatch achieves strangersattributes privacy.

Proof: In Gmatch, group member Pi obtains k + 1encrypted coefficients of polynomial P (x) computed by addi-tive homomorphic encryption algorithm Enc. If the additivehomomorphic encryption Enc is semantically secure [8], itis computational infeasible for the group member to deriveany plaintext when given only its corresponding ciphertextand public encryption key pks. Because Paillier cryptosys-tem, which we use in Gmatch, is semantically secure. Then,given encrypted coefficients {Enc(0), . . . ,Enc(k)} andpublic encryption key pks, group member Pi cannot learn{0, . . . , k} without the strangers private key sks. Further,group member Pi is not able to reconstruct the polynomialP (x) and compute all the k roots of P (x). Therefore, all thek attributes in stranger profile are not revealed to any groupmember, strangers attributes privacy is achieved.

Theorem 2: Assuming parameter i,j for matching valuewi,j is random, Gmatch achieves group members attributesprivacy.

5Proof: According to Equation (5), the decryption resultof matching value wi,j can be described as follows:

ai,j + i,j P (ai,j) =

{ai,j , if P (ai,j) = 0random, if P (ai,j) 6= 0

(8)

Clearly, when ai,j is a matched attribute, it is a root of poly-nomial P (x), then we have P (ai,j) = 0, and the decryptionresult is ai,j . When ai,j is an unmatched attribute, if i,j isa random number, we have P (ai,j) 6= 0, and the decryptionresult is a random value. Therefore, what the stranger obtainsafter decryption is either an attribute in his profile or a randomvalue that does not disclose any unmatched attribute in anygroup members profile.

Theorem 3: Assuming each matching response is signedby ring signatures, then Gmatch achieves exact matchinginformation privacy with probability 1 1d! , where d is thesize of the group.

Proof: Due to the properties of ring signatures in BGLS[4], when verifying a matching response, the stranger isconvinced that this matching response is signed by a groupmember but cannot distinguish which particular member itis from. The stranger can successfully distinguish that amatching response belongs to a particular group member witha probability of 1/d. Since the total number of matchingresponses received by the stranger is d, the total probabilitythat the stranger successfully discloses the exact matchinginformation between himself and every group member is 1d! .Therefore, Gmatch can achieve exact matching informationprivacy with probability 1 1d! .

As we analyzed in Theorem 2, during the group match-ing, unmatched attributes in group members profiles are notdisclosed to the stranger. However, by honestly following thegroup matching, the stranger can still obtain more informationthan allowed by performing all zero polynomial attacks [1].More specifically, the stranger sets all k + 1 coefficients ofpolynomial P (x) as zeros. Under this type of attacks, thecomputation result of P (ai,j) is always zero, which makesthe random number i,j useless. Then, all the decryptionresults of matching values are attributes from one of groupmembers profiles. In this case, the stranger is able to learn allthe attributes in all group members profiles. Making mattersworse, because the stranger only sends the encrypted coeffi-cients to each group member, and the encryption algorithmis probabilistic, group members cannot check whether thosecoefficients are all zeros or not. To prevent this type of attacks,we set one of the k + 1 coefficients as 1, and is sent togroup members without encryption. Similar methods can alsobe found in [1] [10].

VI. PERFORMANCEWe now evaluate the efficiency of Gmatch in experiments

by using the PBC library. All the experiments are tested ona 2.26 GHz Linux system. For the ease of implementation,we assume G1 = G2. The elliptic curve we used is an MNTcurve with a base field size of 159 bits. The length of eachelement of G1 is |p| = 160 bits, and the length of an element

of GT is 1024 bits. An encrypted coefficient under Enc is anelement of Zn, where |n| = 2048 bits.

1) Efficiency of Gmatch: As we can see from Fig. 4(a),Fig. 5(a) and Fig. 6(a), the efficiency of group matchingcan be significantly improved by utilizing batch verification.More specifically, when the size of users profiles are fixedin Fig. 6(a), the rum time of Gmatch without batch verifica-tion exponentially increases with the total number of groupmembers, while the one with batch verification only increaseslinearly with the group size.

0 20 40 60 80 100

k: size of the stranger's profile

0

50

100

150

200

Total run time (s)

m=10,d=100

Gmatch

Batch

(a) Run time at stranger S.

0 20 40 60 80 100

k: size of the stranger's profile

1.20

1.25

1.30

1.35

1.40

1.45

1.50

1.55

1.60

Total run time (s)

m=10, d=100

Gmatch

(b) Run time at group member Pi.

Fig. 4. Impact of k on the run time, where m = 10 and d = 100

0 20 40 60 80 100

m: size of each member's profile

0

100

200

300

400

500

600

Total run time (s)

k=10, d=100

Gmatch

Batch

(a) Run time at stranger S.

0 20 40 60 80 100

m: size of each member's profile

0

2

4

6

8

10

12

14

Total run time (s)

k=10, d=100

Gmatch

(b) Run time at group member Pi.

Fig. 5. Impact of m on the run time, where k = 10 and d = 100

0 20 40 60 80 100

d: number of group members

0

50

100

150

200

Total run time (s)

k=10, m=10

Gmatch

Batch

(a) Run time at stranger S.

0 20 40 60 80 100

d: number of group members

1.20

1.21

1.22

1.23

1.24

1.25

Total run time (s)

k=10, m=10

Gmatch

(b) Run time at group member Pi.

Fig. 6. Impact of d on the run time, where m = 10 and k = 10

The efficiency of group matching at each group member areillustrated in Fig. 4(b), Fig. 5(b) and Fig. 6(b). The run timeat each group member in Gmatch is greatly increasing withthe size of each group members profile, but hardly affectedby the size of the strangers profile or the size of the group.

2) Efficiency of Batch Verification with Invalid MatchingResponses: We now evaluate the performance of batch verifi-cation under different numbers of invalid matching responses.Clearly, the increasing number of invalid responses will reducethe efficiency of batch verification. In this experiment, we setthe total number of matching responses d = 100 and assume it

6always requires the worst-case algorithm to detect invalid onesfrom all the matching responses. As shown in Fig. 7, whenless than 10% of all the matching responses are invalid, batchverification is still efficient than verifying them separately.

0 2 4 6 8 10 12

Percentage of invalid vectors

0

20

40

60

80

100

120

140

160

Verification time (s)

d=100

Gmatch

Batch

Fig. 7. Comparison on verification time between batch verification and one-by-one verification where d = 100.

VII. RELATED WORKA. Two-party private matching

Freedman et al. [2] proposed a private matching scheme,which allows a client and a server compute the set intersectionwith their own private sets. During private matching, the clientonly obtains the set intersection while the server does not knowany matching result. Agrawal et al. [6] introduced a privatematching scheme between two databases using commutativeencryptions. Hazay and Lindell [7] exploited pseudo randomfunctions to evaluate set intersection. In [11], Dachman-Soledet al. exploited polynomial evaluations to compute the setintersection between two parties, and also leveraged shamirsecret sharing and cut-and-choose protocol to improve effi-ciency. Recent work in [12] introduced an authorized privateset intersection (APSI) based on blind RSA signatures. InAPSI, each element in the clients set must be authorized bysome mutually trusted authority.

B. Multi-party private matchingKissner and Song [13] proposed a multi-party private match-

ing scheme to compute the union, intersection and elementreduction operations for multiple sets. However, this schemerequires a group decryption among multiple entities, whichis impractical between the stranger and group members insocial networks. Ye et al. [14] extended previous scheme to adistributed scenario with multiple servers. The dataset of theoriginal server is shared by several sub-servers using (t, w)-shamir secret sharing. Therefore, any t1 or fewer sub-serverscannot discover the dataset of the original server. Sang etal. [15] improved the efficiency of private matching amongmultiple parties by exploiting an extra N N nonsingularmatrix, where N is the total number of entities. Li and Wu [10]proposed a private multi-party set intersection scheme basedon the two-dimensional verifiable secret sharing scheme.

C. Private matching in social networksFindU [1] focuses on finding the best matched user from the

group in mobile social networks. Yang et al. [16] introduced

E-SmallTalker, which allows users to privately match otherpeople in mobile social networks using the iterative bloomfilter (IBF) protocol.

VIII. CONCLUSIONIn this paper, we proposed Gmatch, a secure and privacy-

preserving group matching in social networks. With Gmatch,the stranger can successfully collect group matching infor-mation while the private information of group members arepreserved. Our experimental results show that Gmatch canefficiently compute correct group matching information withbatch verification.

ACKNOWLEDGEMENTWe are grateful to the anonymous reviewers for their helpful

comments. This work is supported by the National Sci-ence and Technology Major Project (No. 2012ZX03002003),Fundamental Research Funds for the Central Universities(No. K50511010001), National 111 Program (No. B08038),Doctoral Foundation of Ministry of Education of China(No. 20100203110002) and Program for Changjiang Scholarsand Innovative Research Team in University.

REFERENCES[1] M. Li, N. Cao, S. Yu, and W. Lou, FindU: Private-Preserving Personal

Profile Matching in Mobile Social Networks, in Proc. IEEE INFOCOM,2011, pp. 2435 2443.

[2] M. J. Freedman, K. Nissim, and B. Pinkas, Efficient Private Matchingand Set Intersection, in Proc. EUROCRYPT. Spring-Verlag, 2004, pp.119.

[3] R. L. Rivest, A. Shamir, and Y. Tauman, How to Leak a Secret, inProc. ASIACRYPT. Springer-Verlag, 2001, pp. 552565.

[4] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, Aggregate and Verifi-ably Encrypted Signatures from Bilinear Maps, in Proc. EUROCRYPT.Springer-Verlag, 2003, pp. 416432.

[5] A. Sorniotti and R. Molva, Secret Interest Groups (SIGs) in SocialNetworks with an Implementation on Facebook, in Proc. ACM SAC,2010, pp. 621628.

[6] R. Agrawal, A. Evfimievski, and R. Srikant, Information SharingAcross Private Databases, in Proc. ACM SIGMOD, 2003, pp. 8697.

[7] C. Hazay and Y. Lindell, Efficient Protocols for Set Intersectionand Pattern Matching with Security Against Malicious and CovertAdversaries, in Proc. TCC. Springer-Verlag, 2008, pp. 155175.

[8] P. Paillier, Public-Key Cryptosystems Based on Composite DegreeResiduosity Classes, in Proc. EUROCRYPT. Springer-Verlag, 1999,pp. 223238.

[9] C. Wang, Q. Wang, K. Ren, and W. Lou, Privacy-Preserving PublicAuditing for Data Storage Security in Cloud Computing, in Proc. IEEEINFOCOM, 2010, pp. 525533.

[10] R. Li and C. Wu, An Unconditionally Secure Protocol for Multi-PartySet Intersection, in Proc. ACNS. Springer-Verlag, 2007, pp. 226236.

[11] D. Dachman-Soled, T. Malkin, M. Raykova, and M. Yung, EfficientRobust Private Set Intersection, in Proc. International Conference onApplied Cryptography and Network Security. Springer-Verlag, 2009,pp. 125142.

[12] E. D. Cristofaro and G. Tsudik, Practical Private Set IntersectionProtocols with Linear Complexity, in Proc. FC, 2010, pp. 143159.

[13] L. Kissner and D. Song, Privacy-Preserving Set Operations, in Proc.CRYPT. Springer-Verlag, 2005, pp. 241257.

[14] Q. Ye, H. Wang, and J. Pieprzyk, Distributed Private Matching and SetOperations, in Proc. ISPEC. Springer-Verlag, 2008, pp. 347360.

[15] Y. Sang, H. Shen, Y. Tan, and N. Xiong, Efficient Protocols for PrivacyPreserving Matching Against Distributed Datasets, in Proc. ICICS.Springer-Verlag, 2006, pp. 210227.

[16] Z. Yang, B. Zhang, J. Dai, A. C.Champion, D. Xuan, and D. Li, E-SmallTalker: A Distributed Mobile System for Social Networking inPhysical Proximity, in Proc. IEEE ICDCS, 2010, pp. 468 477.