User-Defined Privacy Grid System For
-
Upload
gagan-singh -
Category
Documents
-
view
217 -
download
0
Transcript of User-Defined Privacy Grid System For
-
7/24/2019 User-Defined Privacy Grid System For
1/21
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.110!T"C.#01$.#%&&'&&, I((( Transactions on "obile Computing1
1$%)*1#%% +c #01% I(((. -ersonal use is permitted, but republication!redistribution reuires I((( permission. /ee
http:!!.ieee.org!publicationsstandards!publications!rights!inde2.html for more information.
User-Defined Privacy Grid System forContinuous Location-Based Services
Roman Schlegel, Member, IEEE, Chi-Yin Cho, Member, IEEE, !iong "uang, Member,IEEE,
and Duncan S# $ong, Member, IEEE
Abstract%Location-&ased services 'LBS( re)uire users to continuously re*ort their location to a *otentially untrusted server to o&tain
services &ased on their location, hich can e+*ose them to *rivacy riss# Unfortunately, e+isting *rivacy-*reserving techni)ues for
LBS have several limitations, such as re)uiring a fully-trusted third *arty, offering limited *rivacy guarantees and incurring high
communication overhead# n this *a*er, e *ro*ose a user-defined *rivacy grid system called dynamic grid system 'DGS(. the first
holistic system that fulfills four essential re)uirements for *rivacy-*reserving snapshot and continuous LBS# '/( 0he system only
re)uires a semi-trusted third *arty, res*onsi&le for carrying out sim*le matching o*erations correctly# 0his semi-trusted third *arty
does not have any information a&out a user1s location# '2( Secure sna*shot and continuous location *rivacy is guaranteed under our
defined adversary models# '3( 0he communication cost for the user does not de*end on the user1s desired *rivacy level, it only
de*ends on the num&er of relevant *oints of interest in the vicinity of the user# '4( 5lthough e only focus on range and 3-nearest-
neigh&or )ueries in this or, our system can &e easily e+tended to su**ort other s*atial )ueries ithout changing the algorithms run
&y the semi-trusted third *arty and the data&ase server, *rovided the re)uired search area of a s*atial )uery can &e a&stracted into
s*atial regions# 6+*erimental results sho that our DGS is more efficient than the state-of-the-art *rivacy-*reserving techni)ue for
continuous LBS#
Index Terms%Dynamic grid systems, location *rivacy, location-&ased services, s*atio-tem*oral )uery *rocessing, cry*togra*hy
1 INTRODUCTION
In today4s orld of mobility and e5er*present Internet
connecti5ity, an increasing number of people use location*based
ser5ices +67/ to reuest information rele5ant to their current
locations from a 5ariety of ser5ice pro5iders. This can be thesearch for nearby points of interest +-OIs +e.g., restaurants and
hotels, location* aare ad5ertising by companies, traffic
information tailored to the highay and direction a user is
tra5eling and so forth. The use of 67/, hoe5er, can re5eal much
more about a person to potentially untrustorthy ser5ice
pro5iders than many people ould be ill* ing to disclose. 7y
trac3ing the reuests of a person it is possible to build a
mo5ement profile hich can re5eal information about a user4s
or3 +office location, medical records +5isit to specialist clinics,
political 5ies +attending political e5ents, etc.
8e5ertheless, 67/ can be 5ery 5aluable and as such users
should be able to ma3e use of them ithout ha5ing to gi5e up
their location privacy. 9 number of approaches ha5e recently
been proposed for preser5ing the user location pri5acy in 67/.
In general, these approaches can be classified into to main
categories. +1Fully-trusted third party +TT-. The most popular
pri5acy*preser5ing techniues reuire a TT- to be placed beteen
the user and the ser5ice pro5ider to hide the user4s location
information from the ser5ice pro5ider +e.g., 1;
-
7/24/2019 User-Defined Privacy Grid System For
2/21
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.110!T"C.#01$.#%&&'&&, I((( Transactions on "obile Computing#
1$%)*1#%% +c #01% I(((. -ersonal use is permitted, but republication!redistribution reuires I((( permission. /ee
http:!!.ieee.org!publicationsstandards!publications!rights!inde2.html for more information.
ocation information. Se#i-trusted in this conte2t means that
hile
A/ ill try to determine the location of a user, it still correctly
carries out the simple matching operations reuired in the
protocol, i.e., it does not modify or drop messages or create ne
messages.
1: (ncrypted uery B(ncrypted cell identifiers
#: (ncrypted uery
9n untrusted A/ ould arbitrarily modify and drop messages asell as inject fa3e messages, hich is hy our system depends on
MobileUser
': (ncrypted -OIsmatching the encrypted Query
%: (ncrypted -OIs Service
ase#i-trusted A/ .
cell identifiers Server Provider
The main idea of our DGS. In D@/, a uerying user first
determines a /uery area, here the user is comfortable to re5eal
the fact that she is somehere ithin this uery area. The uery
area is di5ided into eual*sied grid cells based on the dynamic
grid structure specified by the user. Then, the user encrypts a
uery that includes the information of the uery area and the
dynamic grid structure, and encrypts the identity of each grid
cell intersecting the reuired search area of the spatial uery to
produce a set of encrypted identi$iers. 8e2t, the user sends a
reuest including +1 the encrypted uery and +# the encrypted
identifiers to A/, hich is a semi*trusted party located beteen
the user and /- . A/ stores the encrypted identifiers and
forards the encrypted uery to /- specified by the user. /-decrypts the uery and selects the -OIs ithin the uery area from
its database. or each selected -OI, /- encrypts its information,using the dynamic grid structure specified by the user to find a
grid cell co5ering the -OI, and encrypts the cell identity to
produce the encrypted identifier for that -OI. The encrypted
-OIs ith their corresponding encrypted identifiers are returned
to A/. A/ stores the set of encrypted -OIs and only returns tothe user a subset of encrypted -OIs hose corresponding
identifiers match any one of the encrypted identifiers initially sent
by the user. 9fter the user recei5es the encrypted -OIs, she
decrypts them to get their e2act locations and computes a uery
anser.7ecause the user is continuously roaming she might need
information about -OIs located in other grid cells +ithin the
uery area that ha5e not been reuested from A/ before. Theuser therefore simply sends the encrypted identifiers of the
reuired grid cells to A/. /ince A/ pre5iously stored the-OIs ithin the uery area together ith their encrypted
identifiers, it does not need to enlist /- for help. A/ simplyreturns the reuired -OIs hose encrypted identifiers match any
one of the nely reuired encrypted identifiers to the user. 9fter
the user recei5ed the encrypted -OIs from A/, she can e5aluate
the uery locally. Ehen the user unregisters a uery ith A/,
A/ remo5es the stored encrypted -OIs and their encryptedidentifiers. In addition, hen the reuired search area of a uery
intersects the space outside the current uery area, the user
unregisters the uery ith A/ and re*issues a ne uery ith ane uery area.
Contributions. Our D@/ has the folloing 3ey features:
+1 5o 440. Our D@/ only reuires a se#i-trusted uery ser5er
+A/ +i.e., trusted to correctly run the protocol located beteenusers and ser5ice pro5iders. +# Secure location privacy. D@/
ensures that A/ and other users are unable to infer any infor*mation about a uerying user4s location, and the ser5ice pro5ider
/- can only deduce that the user is somehere ithin the user*
specified uery area, as long as A/ and /- do not collude.+% Low co##unication overhead. The communication cost of
D@/ for the user does not depend on the user*specified uery
area sie. It only depends on the number of -OIs in the grid cells
o5erlapping ith a uery4s reuired search area. +'
+6tensi*ility to various spatial /ueries. D@/ is applicable to
5arious types of spatial ueries ithout changing the algorithms
carried out by A/ or /- if their ansers can be abstracted intospatial regions, e.g., re5erse*88 ueries 1#; and density ueries
1%;.
http://www.ieee.org/publications_standards/publications/rights/index.htmlhttp://www.ieee.org/publications_standards/publications/rights/index.html -
7/24/2019 User-Defined Privacy Grid System For
3/21
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.110!T"C.#01$.#%&&'&&, I((( Transactions on "obile Computing%
1$%)*1#%% +c #01% I(((. -ersonal use is permitted, but republication!redistribution reuires I((( permission. /ee
http:!!.ieee.org!publicationsstandards!publications!rights!inde2.html for more information.
ig# /# System architecture of our DGS
The rest of this paper is organied as follos. /ection #
resents the system model of our D@/. /ection % describes the
uery processing algorithms designed for D@/. /ection ' shos
hat D@/ is secure and preser5es user location pri5acy. /ection $
hos e2perimental results. /ection ) highlights related or3.
inally, /ection ? concludes the paper.
2 SYSTEM ARCHITECTURE
ig. 1 depicts the system architecture of our dynamic grid system
D@/ designed to pro5ide pri5acy*preser5ing continuous 67/
or mobile users. Our system consists of three main entities,
ervice providers, /uery servers and #o*ile users. Ee ill
describe the main entities and their interactions, and then present
he to spatial ueries, i.e., range and 3*nearest*neighbor +88ueries, supported by our system.
Service providers (/- . Our system supports any number of
ndependent ser5ice pro5iders. (ach /- is a spatial databasemanagement system that stores the location information of a
articular type of static -OIs, e.g., restaurants or hotels, or the
tore location information of a particular company, e.g., /tarbuc3s
r "cDonald4s. The spatial database uses an e2isting spatial inde2
e.g., >*tree or grid structure to inde2 -OIs and anser range
ueries +i.e., retrie5e the -OIs located in a certain area. 9s
depicted in ig. 1, /- does not communicate ith mobile users
directly, but it pro5ides ser5ices for them indirectly through the
uery ser5er +A/ .
Mobile users. (ach mobile user is euipped ith a @-/*enabled
de5ice that determines the user4s location in the form +2u, yu. The user can obtain snapshot or continuous 67/ from our
system by issuing a spatial uery to a particular /- through
A/. Our system helps the user select a uery area for the
spatial uery, such that the user is illing to re5eal to /- thefact that the user is located in the gi5en area. Then, a grid
structure is created and is embedded inside an encrypted uery
that is forarded to /- , it ill not re5eal any information aboutthe uery area to A/ itself. In addition, the communication costfor the user in D@/ does not depend on the uery area sie.
This is one of the 3ey features that distinguishes D@/ from the
e2isting techniues based on the fully*trusted third party model.
Ehen specifying the uery area for a uery, the user ill
typically consider se5eral factors. +1 The user specifies a mini*
mum pri5acy le5el, e.g., city le5el. or a snapshot spatial
uery, the uery area ould be the minimum bounding rectangle
of the city in hich the user is located. If better pri5acy is
reuired, the user can choose the state le5el as the minimum
pri5acy le5el +or e5en larger, if desired. The sie of the uery
area has no performance implications hatsoe5er on the user, anda user can freely choose the uery area to suit her on pri5acy
reuirements. or continuous spatial ueries, the user again first
chooses a uery area representing the minimum pri5acy le5el
reuired, but also ta3es into account possible mo5ement ithin
the time period t for
the uery +e.g., %0 minutes. If mo5ement at the ma2imum legal
speed could lead the user outside of the minimum pri5acy le5el
uery area ithin the uery time t, the user enlarges the ueryarea correspondingly. This enlargement can be made generously,
as a larger uery area does not ma3e the uery more e2pensi5e
for the user, neither in terms of communication nor computational
cost. +# The user can also generate a uery area using a desired
3*anonymity le5el as a guideline. Fsing a table ith population
densities for different areas, a user can loo3*up the population
density of the current area, and use this to calculate the uery
area sie such that the e2pected number of users ithin the uery
area correlates ith the desired 3*anonymity le5el. Considering
that this is an appro2imation for the corresponding 3*anonymity,the resulting uery area can be ta3en as a loer*bound and the
final uery area sie calculated as the loer*bound times a safety
margin factor. The idea of using such density maps has been used
for 67/ 1'; and health data 1$;. +% 9lternati5ely, the user can
specify a uery area based on ho far she ants to tra5el, e.g., if
the user ants to find restaurants ithin the donton area, shesets the donton area as the uery area.
9 larger uery area does ha5e an impact on A/ and /- in
terms of or3load and communication cost, but the bottlenec3
is considered to be beteen the user and A/, and the load onthis lin3 and on the user does not depend on the uery area sie.
9 system parameter can be defined to limit the ma2imum uery
area sie or number of objects returned to a user, in order to not
o5erload the client*side application.
Query servers (A/. A/ is a semi*trusted party placed beteenthe mobile user and /- . /imilar to the most popularinfrastructure in e2isting pri5acy*preser5ing techniues for 67/,
A/ can be maintained by a telecom operator 1);. Thecontrol!data flos of our D@/ are as follos +ig. 1:
1 The mobile user sends a reuest that includes +a the
iden* tity of a user*specified /- , +b an encrypted /uery
+hich includes information about the user*defined
dynamic grid structure, and +c a set of encrypted
identi$iers +hich are calculated based on the user*
defined dynamic grid structure to A/ .# A/ stores the encrypted identifiers and forards the
encrypted uery to the user*specified /- .
% /- decrypts the uery and finds a proper set of -OIsfrom its database. It then encrypts the -OIs and their cor*responding identifiers based on the dynamic grid
structure specified by the user and sends them to A/ .' A/ returns to the user e5ery encrypted -OI hose
encrypted identifier matches one of the encrypted iden*
tifiers initially sent by the user. The user decrypts the
recei5ed -OIs to construct a candidate anser set, and
then performs a simple filtering process to prune false
positi5es to compute an e2act uery anser.
Ee assume that there is a secure channel beteen the user and
A/. This assumption is necessary as /- might be able to learn
the user4s location if it can ea5esdrop on the communicationbeteen the user and A/. The secure channel can easily beestablished using standard techniues such as identity*based
encryption 1?;, 3ey e2change protocols +e.g. "AG 1&; or
//6!ET6/. Ee also note that the data pri5acy of /- is
protected ith regards to A/ , as A/ only recei5es encryptedinformation about the -OIs, and only the client can decrypt the
-OIs. A/ hence does not learn any information about the -OIs+e.g., name, address, ratings, etc..
http://www.ieee.org/publications_standards/publications/rights/index.htmlhttp://www.ieee.org/publications_standards/publications/rights/index.html -
7/24/2019 User-Defined Privacy Grid System For
4/21
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.110!T"C.#01$.#%&&'&&, I((( Transactions on "obile Computing'
1$%)*1#%% +c #01% I(((. -ersonal use is permitted, but republication!redistribution reuires I((( permission. /ee
http:!!.ieee.org!publicationsstandards!publications!rights!inde2.html for more information.
Ee additionally note that the or3*load of the A/ depends toome e2tent on the uery area chosen by a user, i.e., a large uery
rea ould lead to the /- sending a comparati5ely larger amount
f data to the A/. If this is an issue, a A/ could pro5ide differentiers of ser5ices, some of hich could be paid, that ould allo
or different pri5acy reuirements of users +i.e., different
ma2imum uery area sies. 7asic economical principles could be
pplied to ma3e this orthhile both for users and A/ ser5icero5iders. Supported spatial !ueries. D@/ supports the to
most popular spatial ueries, i.e., range and 3*88 ueries, hile
reser5ing the user4s location pri5acy. The mobile useregisters a continuous range uery ith our system to 3eep
rac3 of the -OIs ithin a user*specified distance, Range, of
he user4s current location +2u, yu for a certain time period,
.g., HContinuously send #e the restaurants within one #ile o$ #y
urrent location $or the ne6t one hour. The mobile user can also
ssue a continuous 3*88 uery to find the 3*nearest -OIs to the
ser4s current location +2u, yu for a specific time period, e.g.,
Continuously send #e the $ive nearest restaurants to #y current
ocation $or the ne6t 78 #inutes.
/ince a snapshot uery is just the initial anser of the contin*
ous one, D@/ also supports snapshot range and 3*88 ueries.
9lthough e only focus on range and 3*88 ueries in this or3,D@/ is applicable to other continuous spatial ueries if the uery
nser can be abstracted into spatial regions. or e2ample, our
ystem can be e2tended to support re5erse*88 ueries 1#; and
density ueries 1%; because recent research efforts ha5e shon
hat the anser of these ueries can be maintained by monitoring
region.
2.1 Adversaria M!des
Ee no discuss ad5ersarial models regarding A/ and /- , andthen present the formal security proof of our D@/ in /ection '. 9
malicious A/ or /- ill try to brea3 a user4s pri5acy by or3ingith the data a5ailable to them ithin the described protocol. Ee
do not consider A/ or /- ith access to e2ternal information notdirectly related to the protocol.
2.1.1 User Anonymity
9s described abo5e, both A/ and /- ill try to de*anonymie auser by using the information contained in the protocol +although
they still faithfully follo the protocol itself. Ehile A/ does notha5e any information about a user that ould allo it to narro
don the list of users that ould fit a specific uery, /- hasaccess to the plainte2t uery of a user. This uery, hoe5er, only
contains the uery region and the grid parameters, and ith the
information a5ailable, A/ can therefore do no better thanestablish that the user is somehere ithin the uery region +see
also /ection '.
One other concern regarding the de*anonymiation of users is
that if for e2ample the ser5ices of /- are paid ser5ices, then /-might for e2ample be able to lin3 a uery ith a billing record
and at least establish the presence of a user in a uery area. Ehile
in this paper e consider it acceptable that a user can be locatedto be ithin a uery region by A/ +after all, the user can freelychoose the uery area and hence choose it such that her personal
pri5acy reuirements are met, there is other research hich
ould allo to pre5ent the lin3ing of a uery area to a specific
user through billing records, for e2ample the or3 by Jau and
9n 1;. /o e5en if the /- reuires the authentication of usersto pro5ide a +paid ser5ice, the ser5ice can be pro5ided hile
protecting the anonymity of the user. Koe5er, no matter in
hich ay the /-
pro5ides the ser5ice, the pri5acy guarantees ill alays be better
than TT-, as a TT- alays 3nos the e2act location of the users,
hile in our system neither A/ nor /- 3no the e2act location
of a user. >egarding paid ser5ices and A/, in such a case A/does not ha5e any information to narro don the geographic
location of a user, e5en if it is being used as a paid ser5ice and
can lin3 ueries to billing records.
>egarding the de*anonymiation of users, e also note that
the type of -OI in a uery sent to /- or the density of -OIs percell in the uery area, do not pro5ide A/ ith any meaningful
information that could be used to reduce the anonymity set of
y
%
#
1
0
+2b,yb0 1 # %
+2t,yty
2
%
#
1
0
+2b,yb
0
1 # %
+2t,yt
2
a user. /pecifically, there is no correlation beteen the density +a Dynamic grid structure +b 9nser computation
of -OIs in a cell and the actual location of a user, as the userlaunches a uery ithout a*priori 3noledge of the density of
-OIs, and hence the density of -OIs in a cell cannot be used to
ma3e deductions about the possible location of a user in the uery
area.9 natural choice for the role of A/ is the netor3 ser5ice
pro5ider of a user. (5en though the netor3 ser5ice pro5ider can
typically locate a user don to an indi5idual cellular netor3 cell
already, ta3ing on the role of A/ does not pro5ide it ith anyadditional information about the user, such as the actual uery
area. There is also no reuirement for the ueries of a user to
correspond to the user4s actual location, and the netor3 ser5ice
pro5ider does not ha5e any information a5ailable that ould
allo it to infer either case. To summarie, a netor3 ser5icepro5ider already 3nos the location of its users, and ser5ing as a
A/ does not pro5ide it ith any additional information about its
users. 9lternati5ely, A/ ser5ices could also be pro5ided by
5olunteers +e.g., li3e many of the nodes in the Tor netor3, byad*supported ser5ices, or e5en by ser5ices that charge a modest
fee.
2.1.2 OtherAttacks
In this subsection e discuss a fe other attac3s and e2plain ho
they relate to our proposed system."P locali#ation. One possible attac3 in5ol5es A/ trying to de*termine the position of a user through I- localiation +i.e., using
a database hich can map I- addresses to locations. 7ecause
of ho mobile phone netor3s are setup +considering that our
system is aimed at mobile users using mobile phone netor3s,
hoe5er, mobile phones cannot be located ith usefulaccuracy, as shon by 7ala3rishnan et al. #0;. (5en so, if I-
localiation is a concern, solutions at the netor3 le5el can hide
the originating I-, for e2ample by using an anonymiing softare
>ange
+2u,yu
p?
+2
p'
u,yu
p)
p1 p#
http://www.ieee.org/publications_standards/publications/rights/index.htmlhttp://www.ieee.org/publications_standards/publications/rights/index.html -
7/24/2019 User-Defined Privacy Grid System For
5/21
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.110!T"C.#01$.#%&&'&&, I((( Transactions on "obile Computing$
1$%)*1#%% +c #01% I(((. -ersonal use is permitted, but republication!redistribution reuires I((( permission. /ee
http:!!.ieee.org!publicationsstandards!publications!rights!inde2.html for more information.
such as Tor #1;. Timin$ attac%s. 9nother set of attac3s might
use timing infor* mation if A/ can obser5e the traffic close to
the originating user. Koe5er, if A/ can obser5e such traffic,the location pri5acy of the user is 5ery li3ely already
compromised, e5en ithout timing attac3s. urthermore, e
consider this to be out of the scope of our or3.
Query server as client. A/ might try to also act as a client in an
attempt to gain some information hich could help to localie a
user. A/ has no information to launch such an attac3, hoe5er,not e5en an appro2imate location of the user. 9lso, the number of
-OIs returned to a client does not allo A/ to ma3e anyinferences, because it 3nos neither the uery area nor the grid
parameters. 9 large number of -OIs could either mean a dense
region or a large uery area, depending on the grid parameters,
hich are un3non to A/ .&et'or% traffic fin$erprintin$. 9n attac3 as described by
7issias et al. ##; hich ma3es inferences based on the
statistics of
7ig# 2# 6+am*le of range )uery *rocessing in DGS
encrypted netor3 connections is not applicable to our system.
The attac3 as described in the paper is eui5alent to determining
hich A/ a user is using. This information does not need to
be secret and communication ith A/ is highly uniform acrossdifferent uery ser5ers +unli3e ebsite traffic, 5ery li3ely ma3ing
them for all practical purposes indistinguishable.
Commuter problem. 9nother attac3 that can identify the home
and the office location of a user through location traces is de*
scribed by @olle et al. #%;. This attac3 is not applicable to our
system, because no plainte2t locations are e5er transmitted in our
system and no inferences can be made.Ee e2clude side*channel attac3s in general from the security
analysis as being out of the scope of this paper. "any of the
side*channel attac3s mentioned abo5e are fundamental to netor3
communications, and as such neither limited to nor a conseuence
of the design of our proposed protocol.
" DYNAMIC #RID SYSTEM $D#S%
In this section, e ill describe ho our D@/ supports pri5acy*
preser5ing continuous range and 3*88 ueries. This section isorganied as follos: /ection %.1 describes the details of our
D@/ for processing continuous range ueries and incrementally
maintaining their ansers, and /ection %.# e2tends D@/ to
support 3*88 ueries.
".1 Ran&e '(eries
Our D@/ has to main phases for pri5acy*preser5ing continuous
range uery processing. The first phase finds an initial +or a
snapshot anser for a range uery +/ection %.1.1, and the
second phase incrementally maintains the uery anser based
on the user4s location updates +/ection %.1.#.
3.1.1 Range uery !rocessing
9s described in /ection #, a continuous range uery is defined as
3eeping trac3 of the -OIs ithin a user*specified distance >angeof the user4s current location +2u , yu for a certain time
period. In general, the pri5acy*preser5ing range uery processing
protocol has si2 main steps.
Step . Dynamic $rid structure (by the user. The idea of this
step is to construct a dynamic grid structure specified by the user.
9 uerying user first specifies a uery area, here the user is
comfortable to re5eal the fact that she is located somehere
ithin that uery area. The uery area is assumed to be a
rectangular area, represented by the coordinates of its bottom*
left 5erte2 +2b , yb and top*right 5erte2 +2t, yt. 8otice that the
user is not necessarily
http://www.ieee.org/publications_standards/publications/rights/index.htmlhttp://www.ieee.org/publications_standards/publications/rights/index.html -
7/24/2019 User-Defined Privacy Grid System For
6/21
reuired to be at the center of the uery area. Instead, its location
can be anyhere in the area. Koe5er, our system can also
support irregular spatial regions, e.g., the boundary of a city or a
county, by using a minimum bounding rectangle to model the
irregular spatial region as a rectangular area. The uery area
is di5ided
into m m eual*sied grid cells to construct a dynamicgrid
structure, here m is a user*specified parameter. (ach grid
cellis identified by +c, r, here c is the column inde2 from left toright and r is the ro inde2 from bottom to top, respecti5ely,ith0 c, r L m. @i5en the coordinates of the bottom*left5erte2
identifiers /e and forards the encrypted uery to /- specifiedby the user.
Step ). Query processin$ (by /- . /- decrypts the reuest toretrie5e the -OI*type, the random 3ey M selected by the user inthe reuest generation step +/tep #, and the uery area defined
by m, +2b , yb , and +2t , yt . /- then selects a set of np-OIs that match the reuired -OI*type ithin the user specified
uery area from its database. or each selected -OI j ith alocation +2j, yj +1 j np , /- computes the identity
of the grid cell in the user specified dynamic grid structureco5eringj by
of a grid cell, +2c , yc, the grid cell identity can be computed by +cj, rj N
j
2j2b
3
,
jyjyb
3
.+2t2b!m +ytyb!m
j2c2b
+2t2b!m
3 jycyb
+ytyb!m3 . ig. # gi5es a running Then, /- generates +KM, (M, "M MDD+M and com*
e2ample for pri5acy*preser5ing range uery processing, here the
uerying user is located in the cell +#, 1, m N ', and the circleith a radius of the range distance >ange specified by the user
putes the folloing:
hj K +cj, rj +)
constitutes the uery region of the range uery.
Step *. +e!uest $eneration (by the user. In this step, theuerying user generates a reuest that includes +1 a uery for
a /- specified by the uerying user and +# a set of encrypted
identifiers, /e, for a A/. The user first selects a random 3ey M
and deri5es three distinct 3eys:
+KM, (M, "M MDD+M +1
here MD+ is a 3ey deri5ation function + #';. Then, the usersets uery and /e as follos:
+1 (uery generation. 9n encrypted uery for a specific /-is prepared as:
uery I7(.(nc/-+-OI*type, M, m, +2b , yb , +2t, yt
+#
here I7(.(nc/-+ is Identity*7ased (ncryption +I7( underthe identity of /- +details of I7( are in 1?;. In the encrypted
uery, -OI*type specifies the type of -OIs, M is the random 3eyselected by the user, and the personalied dynamic grid structure
is specified by m, +2b , yb , and +2t, yt.+# +ncrypted identi$ier generation. @i5en the uery region
of the range uery, the user selects a set of grid cells /c in thedynamic grid structure that intersect the uery region, i.e., a circlecentered at the user4s current location +2u, yu ith a radiusof >ange. or each selected grid cell i in /c , its identity +ci, ri is encrypted to generate an encrypted identifier:
hi K +ci, ri+%
Ci /(.(ncKM +hi +'
here K + is a collision*resistant hash function and/(.(nc3ey + a symmetric encryption algorithm +for e2ample9(/*based under 3ey 3ey. 9fter encrypting all the grid cellsin /c , the user generates a set of encrypted identifiers /e . It isimportant to note that the user ill ma3e sure that the identifiersin /e are ordered randomly. inally, the user produces a reuestas belo and sends it to A/ :
reuest h/-,uery, /ei
+$ In the running e2ample +ig. #a, the range uery region,
hich
is represented by a circle, intersects si2 grid cells, i.e., +1, 0,+#, 0, +1, 1, +#, 1, +1, #, and +#, # +represented by shaded
cells, hich ma3e up the set of grid cells /c, and thus, the user
has to encrypt each identity of these grid cells and produce si2encrypted identifiers in /e .Step ,. +e!uest processin$ (by A/. Ehen A/ recei5esthe
reuest from the user, it simply stores the set of
encrypted
+c, r N ,
-
7/24/2019 User-Defined Privacy Grid System For
7/21
Cj /(.(ncKM +hj +?lj /(.(nc(M+2j, yj +&
j N " 9C"M+Cj, lj +
here " 9C3ey + is a message authentication code under3ey 3ey. The Cj is the corresponding encrypted identifier of a-OI, the lj contains the e2act location of a -OI in encryptedorm, and the j is included to pre5ent certain attac3s by A/such as tampering ith the encrypted -OIs.
inally, /- sends the set of selected -OIs bac3 to A/ in the
olloing form:
h-OIj N +Cj, lj, ji, herej N 1, . . . , np .
+10
Step -. ncrypted identifier matchin$ (by A/. Fpon recei5ingnp triples, A/ determines the set of matching -OIs by comparinghe encrypted identifiers Cj +1 j np of the recei5ed
-OI ith the set of encrypted identifiers /e pre5iously recei5edrom
he user. 9 match beteen a Cj and some Ci in the set/e indicates that the -OIj is in one of the grid cells reuired byhe user. Thus, A/ forards e5ery matching -OI hlj, ji to theser. If the uery is a snapshot uery, A/ then deletes theecei5ed -OIs and their encrypted identifiers. Koe5er, if the
uery is a continuous one, A/ 3eeps the recei5ed -OIs alongith their
encrypted identifiers until the user unregisters the uery.
Step /. 0ns'er computation (by the user. /uppose that thereare P matched -OIs recei5ed by the user. or each of thesematched -OIs, say hlj , ji, the user decrypts lj using (Mand gets access to the e2act location +2j , yj of the -OI. rom+2j, yj and lj, the user 5erifies jby re*calculating the " 9C5alue and compares it against j. If they match, the user finds theanser that includes the -OI hose location is ithin adistance of >ange of the user4s current position +2u, yu. Inthe running e2ample +ig. #b, the user recei5es fi5e -OIs from
A/, here the range uery anser includes to -OIs, i.e., p'andp).
3.1.2 Incrementa" Range uery Ans#erMaintenance
9fter the user gets the initial response for a range uery from
A/, she can find the initial +or snapshot uery anser locally.Then, incremental anser updates can be performed to maintain
the anser hen the user4s location changes. This phase has four
main steps.
Step . Cache re$ion (by the user. The user 3eeps trac3 of the
grid cells pre5iously reuested and caches the -OIs returned by
A/ for those cells. These cells define a cache region. The useris able to find a uery anser from the cached -OIs as long as
y
Cache >egion%
p?#
+2u,yu
1 p' p)
+2t,yty
%
#
1
p?
+2u,yu
p' p)
+2t,yt
p10
p&
to contact /- to deal ith the anser update reuest. Instead,similar to the encrypted identifier matching step +/tep $ in the
range uery processing phase, A/ simply returns the -OIs hose
encrypted identifier matches one of the encrypted identifiers in /ein the anser update reuest sent by the user.
Step ). 0ns'er computation (by the user. This step is similar
to the anser computation step +/tep ) in the range uery
processing
0 p1 p# 0 p1 p# the -OIs nely returned by A/ and the pre5iously cached -OIs.+2b,yb
0
1 # %+2b,yb
02
1 # % ig. %b depicts that the user gets to ne -OIs,p& andp10 , from2 A/, and the ne uery anser includes -OIs p) andp&.
+a Cache region +b 9nser refinement
7ig# 3# 6+am*le of incremental range )uery maintenance
the uery region +i.e., a circular area centered at the user4s current
location +2u , yu ith a radius of range distance >ange
specified by the user is contained ithin the cache region.
Koe5er, hen the uery region intersects some grid cells+ithin the uery area outside the cache region, the user e2ecutes
the folloing steps +/teps # to ' to enlist A/ for help to find auery anser.
ig. % depicts a running e2ample for the incremental range
uery anser maintenance phase, here the user has reuested
the -OIs ithin si2 grid cells, as illustrated in ig. #. The
combined area of these si2 grid cells constitutes the cache region,
represented by a bold rectangle. 9s shon in ig. %a, the uery
region of the range uery intersects to grid cells outside the
cache region, i.e., +%, 1 and +%, # +represented by shaded cells,so the user has to e2ecute /teps # to ' to get the -OIs ithin
these to grid cells from A/ .Step *. "ncremental re!uest $eneration (by the user. This
step is similar to the reuest generation step +/tep # in the range
uery processing phase +/ection %.1.1, e2cept that the user only
generates encrypted identifiers for the set of grid cells /c that
intersect the uery region but are outside of the cache region,
i.e., that ha5e not been reuested by the user before. or each
grid cell in /c , its identity is encrypted to generate an encrypted
identifier Ci using (uations % and '. Then, an anser update
reuest including the set of encrypted identifiers /e is sent to
A/. In the running e2ample +ig. %a, the user has to get the-OIs ithin the to grid cells +%, 1 and +%, # to e5aluate the
range uery, so she encrypts their cell identities to generate toencrypted identifiers in /e , and sends an update reuest along
ith /e to A/ .
There is the possibility that a small amount of information
about the mo5ement of a user is lea3ed if the user only reuests
the cells outside the cache region. or e2ample, if a user reuests
si2 cells in an initial reuest, and then to cells in an anser
update reuest a short hile later, an ad5ersary +e.g., A/ mightbe able to infer information about the mo5ements of theuser.
-
7/24/2019 User-Defined Privacy Grid System For
8/21
".2 M )Nearest)Nei&*b!r '(eries
/imilar to continuous range ueries, the pri5acy*preser5ing uery
rocessing for continuous 3*88 ueries has to main phases. Theirst phase finds an initial +or snapshot anser +/ection %.#.1,
hile the second phase maintains the correct anser hen the
ser mo5es by using incremental updates +/ection %.#.#.
Koe5er, unli3e range ueries, the reuired search area of a 3*
88 uery is un3non to a user until the user finds at least 3-OIs to compute a reuired search area, i.e., a circular area
entered at the user4s location ith a radius from the user to the
3*th nearest -OI. Thus, the pri5acy*preser5ing uery processing
rotocol of 3*88 ueries is slightly different.
3.2.1 M $%earest$%eighbor uery !rocessing
9 continuous 3*88 uery is defined as 3eeping trac3 of the 3*
earest -OIs to a user4s current location +2u , yu for a
ertain time period, as presented in /ection #. In general, the
ri5acy* preser5ing 3*88 uery processing has si2 majorteps to find an initial +or snapshot uery anser. ig. ' depicts
running e2ample of the pri5acy*preser5ing uery processing of
3*88 uery, here 3 N %.
Step . Dynamic $rid structure (by the user. This step is the
same as the dynamic grid structure step +/tep 1 in the range
uery processing phase +/ection %.1.1. It ta3es a user*specified
uery area ith a left*bottom 5erte2 +2b , yb and a right*top
5erte2+2t , yt and di5ides the uery area into m m eual*siedcells,
as illustrated in ig. 'a +m N ).Step *. +e!uest $eneration (by the user. The reuired search
area of the 3*88 uery is initially un3non to the user. The
user first finds at least 3 -OIs to compute the reuired searcharea as a circular area centered at the user4s location ith a
radius of a distance from the user to the 3*th nearest 3non -OI.The user therefore first attempts to get the nearby -OIs from a
specific /- . In this step, the user reuests the -OIs in the cell
containing the user and its neighboring cells from /- . @i5enthe user4s current location +2u , yu and a uery area
specified by the user in /tep 1, she ants to get the -OIs
ithin a set of grid cells /c that includes the cell containing
herself, i.e.,
If this is a concern, a user can pad the number of encrypted +cu, ru Nj
2u2b
3
,
jyuyb
3
, and its at most eight+2t2b!m +ytyb!m
identifiers in an anser update reuest to obtain the same number
of encrypted identifiers as in the initial reuest by generating
encrypted identifiers for additional grid cells, hich ha5e not been
reuested by the user before and are around the grid cells in /c .
In this ay, the ad5ersary cannot distinguish beteen the Hactual
encrypted identifiers and the Hadditional encrypted identifiers.
Step ,. +e!uest processin$ (by A/. 7ecause A/ alreadycached the -OIs along ith their encrypted identifiers ithin the
user*specified uery area from the initial reuest, it does not need
neighboring cells +cu 1, ru 1, +cu, ru 1, +cuB 1, ru 1,+cu 1, ru, +cu B 1, ru, +cu 1, ru B 1, +cu, ru B 1,and
+cu B 1, ru B 1. or each cell i in /c , the user generatesan
encrypted identifier Ci using (uations % and ', as in the reuestgeneration step +/tep # in the range uery processing phase. The
user also creates a uery to be sent to /- based on (uation #.inally, the user sends a reuest, hich includes the identity of
/- , the uery, and the set of encrypted identifiers +in random
order /e , as gi5en in (uation $, to A/ .
-
7/24/2019 User-Defined Privacy Grid System For
9/21
+2t,yt
p1
+2u,yu
p#
p%
+2b,yb0
1 # % ' $ +2b,yb0
2
1 # % ' $ +2b,yb0
2
1 # % ' $ +2b,yb0
2
1 # % ' $ 2
+a Dynamic grid structure +b Incremental search +c >euired search area +d 9nser refinement
7ig# 4# 6+am*le of 3-nearest-neigh&or )uery *rocessing in DGS
In the running e2ample +ig. 'a, the user located in the grid
cell +%, % and therefore reuests the -OIs in the cells +%, % andits neighboring grid cells, i.e., +#, #, +%, #, +', #, +#, %, +', %,+#, ', +%, ', and +', ', +represented by shaded cells from /-through A/ .
Step ,. +e!uest processin$ (by A/. This step is identical to/tep % for range ueries in the uery processing phase +/ec*
tion %.1.1.Step ). Query processin$ (by /- . This step is identical to /tep' for range ueries in the uery processing phase +/ection %.1.1.
Than3s to this uery abstraction feature, our D@/ can be easily
e2tended to support other continuous spatial uery types, e.g.,
re5erse 88 ueries and density ueries.
Step -. +e!uired search area (by the user and A/. This step issimilar to the encrypted identifier matching step +/tep $ for range
ueries in the uery processing phase +/ection %.1.1, ith the
difference that this step may in5ol5e se5eral rounds of interaction
beteen the user and A/. A/ matches the encrypted identifiers
of the encrypted -OIs returned by /- ith the encrypted
identifiers in /e sent by the user in /tep #, and sends the matchingencrypted -OIs to the user.
If at least 3 encrypted -OIs are returned to the user, she can
decrypt them to compute a reuired search area for the 3*88uery in the form of a circle centered at the user4s location ith a
radius of the distance beteen the user and the 3*th nearest -OI.
On the other hand, if less than 3 -OIs are returned, the user starts
the ne2t iteration by reuesting the grid cells from A/ one hopfurther aay from the position of the user, i.e., the neighboring
cells of the grid cells that ha5e already been reuested by the
user. This incremental search process is repeated +i.e., reuesting
more cells mo5ing steadily outard from the user4s position until
the user has obtained at least 3 -OIs from A/. 9fter the userdetermines the reuired search area, there are to possibilities:
1 The user has already reuested all the cells hich in*
tersect the reuired search area. In this case, the user
proceeds to the ne2t step.
# The reuired search area intersects some cells hich
ha5e not yet been reuested from A/. The +at least 3-OIs found so far may in that case not be an e2act
anser, and the user reuests those cells from A/hich intersect the reuired search area but ha5e not
been reuested yet +in ig. 'c these ould be the shaded
cells outside the bold rectangle. 9fter recei5ing all
encrypted -OIs in the nely reuested cells from A/,the user proceeds to the ne2t step.
In the running e2ample, ig. 'b depicts that the grid cells initially
reuested by the user +ithin the bold rectangle contains less
than three -OIs. The user therefore reuests the neighboring grid
cells +the grid cells adjacent to the bold rectangle from A/. This
ill result in disco5ering three -OIs in total, i.e., p1, p#, andp%. The user then computes the reuired search area represented by
a circle +ig. 'c. 9s the reuired search area intersects eight cells
hich the user has not yet reuested from A/ +i.e., they areoutside the bold rectangle, the user ill launch another reuest
for the grid cells +0, 1, +0, #, +0, %, +0, ', +1, 0, +#, 0, +%, 0,
and +', 0. Step /. 0ns'er refinement (by the user. Ka5ingrecei5ed all the -OIs ithin all the grid cells intersecting the
reuired search area, the user can decrypt them to get their e2act
locations, as in the anser computation step +/tep ) for range
ueries in the uery processing phase +/ection %.1.1, and
determine the e2act anser by selecting the 3 nearest -OIs. The
pre5ious steps ensure that these 3 -OIs are indeed the closestones. In the running e2ample +ig. 'd, the user can find the
e2act anser for the %*88 uery, hich includes three -OIsp1,
p#, andp'.
3.2.2 Incrementa" 3$%% uery Ans#erMaintenance
9fter the user computes an initial +or snapshot 3*88 ueryanser, the incremental anser update phase allos to maintain
the anser as the user mo5es around. /imilar to range ueries,
the incremental anser maintenance phase has four steps. The
first to steps are the same as the cache region step and the
incremental reuest generation step as in /ection %.1.#. In the
third step +i.e., reuest processing performed by the A/, since
A/ has already cached the encrypted -OIs, together ith their
corresponding encrypted identifiers calculated by /- in /tep 'of the uery processing phase, it does not need to contact /- .It can simply forard the encrypted -OIs matching one of the
encrypted identifiers in /e to the user. In the last step +i.e., anser
refinement performed by the user, she decrypts the recei5ed
-OIs and sorts the ones located ithin the reuired search area
according to their distance to the user in ascending order. The
3*nearest -OIs to the user constitute the ne uery anser.
+ SECURITY ANA,YSIS
In this section, e define se5eral security models hich formalie
the location pri5acy of our D@/, and sho that the proposed
schemes in /ection % are secure. In our schemes, the uery ser5er
+A/ sees a user4s encrypted ueries and -OIs from a ser5ice
pro5ider +/- . /ince the user uery and returned -OI locations
are encrypted, A/ could only learn the user4s location from
p1
+2 yu
p' p#
p%
+2 yu
y y y y+2t,
$
yt +2t,
$
yt +2t,
$
yt
$
' ' ' '
% % % %
# # # #
1 1 1 1
0 0 0 0
p1
+2u,yu
p#
-
7/24/2019 User-Defined Privacy Grid System For
10/21
the number of returned -OIs rather than the encrypted 5alues.
Koe5er, this is not the case in our scheme. The number of -OIs
returned by /- depends on the uery area sie, hich is
encrypted and un3non, and therefore, A/ is not able to deri5eany useful information from the number of -OIs, e.g., hether
the user is in
a dense or sparse region. /ee 6emma # for the detailed analysis.
pri5ate 3ey of hich has not been ueried, the grid structure, a
uery area, and to user locations +20 , y0 and +21 , y1 in
theuery area, and gi5es them to C. C tosses a coinb {0,1},and
uses +2b , yb and the other information specified by A to generate"sg
bas the user4s message to A/, and the corresponding /-
message "sgb
. It sends both "sgb
and "sgb
to A. A continues% 1 %9fter decrypting the uery forarded by A/, a /- obtains
the uery area hich contains the user. Other than this, it learnsnothing, since the user could be anyhere in the area. /ee 6emma
1 for the proof. >egarding the integrity, e5ery encrypted -OI is
authenticated by /- using a "9C and the authentication 3ey is
only shared beteen the user and /- . @uaranteed by the security
of the "9C, A/ is unable to modify the information of any -OIreturned to the user, nor to add a Hfa3e -OI. /ee 6emma % for the
to issue ueries as abo5e e2cept that it cannot as3 for the pri5ate
3ey of the intended /- . inally, A outputs a bit b as its guessofb, and ins the game if bN b.
Definition *. A D9S achieves Privacy Against Query Server
(A/) i$ $or all pro*a*ilistic polyno#ial-ti#e A, its pro*a*ility o$winning the a*ove ga#e is negligi*ly close to 1!#.
1emma *. 3ur D9S achieves 0rivacy Against A/ .proof. 9s shon in ig. 1 +/ection # there are four message flos
in a basic uery in our D@/. Ee denote them by "sg1 +from the0roo$. Ee pro5e the lemma by a series of games,@0,
,@i,
user to A/, "sg# +from A/ to /- , "sg% +from /- to A/ and denote by Qi the e5ent that A ins game@i. @0: This
and "sg' +from A/ to the user, respecti5ely. In the folloing
subsections e analye the security of our scheme in detail.
+.1 -rivac A&ainst Service -r!vider $/- %
Ee reuire that /- cannot learn the user4s location any betterthan ma3ing a random guess. ormally, e consider the folloinggame played beteen a challenger C and a +malicious /- ,denoted by A.
The challenger prepares the system parameters, and gi5esthem to A. A specifies a -OI*type, the grid structure, a ueryarea and to locations +20 , y0 and +21 , y1 in this area, andgi5es them to C. C chooses at random b {0,1}, uses +2b ,yb , the specified grid structure and -OI*type to generate "sg
b
ith respect to the identity of A, i.e., the message that themalicious /- e2pects torecei5e. C then gi5es "sg
bto A. A outputs a bit b and ins the
game ifbN b.
Definition . A D9S achievesPrivacy Against Service Provider
(/- ) i$ $or any /- , its success pro*a*ility o$ winning thega#e
is the original game defined in Definition #. @i5en the system
parameters, A begins to issue pri5ate 3ey ueries. 9t somepoint, it chooses a -OI*type, the identity of the intended /- ,the grid structure, a uery area and to user locations +20 , y0,+21 , y1
in the uery area, and sends them to the challenger, hich selects+2b , yb for some random bit b to generate the user message"sg
band the corresponding /- message "sg
b, and returns them
to A.The ad5ersary continues to issue pri5ate 3ey ueries as before
e2cept to as3 for the pri5ate 3ey of the intended /- . inally,Aoutputs a bit b and ins the game if b N b. 8otice that theree2ist
to ranges, e.g., >0 and >1 , such that the grids intersected iththe circles ith ranges >0 and >1 , and centered at +20 , y0 and +21 , y1 respecti5ely, contain the same number of -OIs.7esides, the ranges are chosen by the users, and thus are
un3non to the ad5ersary.
@1 : Ee change the generation of +KM, (M, "M. 8oe randomly select them from the space KK K( K" .@uaranteed by the security of MD, e ha5e that |-r:Q1 ; -r:Q0;| is negligible #$;, #);.@# : Ee change the generation of li in "sg
b. Instead of
thea*ove is at #ost 1!#B negl+R, where negl+ is anegligi*le
$unction1
in the security para#eter.
encryption of the real location, no li1
is the encryption of a
1emma . 3ur D9S achieves 0rivacy Against /- . random location +other than +20 , y0 and +21 , y1 under the 3ey(M. @uaranteed by the semantic security of /(, e ha5e that
-r:Q#; -r:Q1;| is negligible #$;, #);.0roo$. The message that /- recei5es from A/ is "sg
#N uery,
|b
hich is an I7( of -OI*type, M , the uery area and grid structureunder /- 4s identity +see (uation #, and is independent of
the user4s location. Kence a +malicious /- does not gain anyad5antage in guessingb chosen by the challenger.
+.2 -rivac A&ainst '(er Server $A/ %
This reuires that A/ cannot tell from the user4s reuest or /- 4s
transcript about here the user is, pro5ided that it does not
collude
@%: /imilar to @# , e change all the Ci4s in "sg1 and all
the
Ci4s in "sgb
to be the encryptions of randomly selected hi4s,under the constraint that all -OIs in the same grid cell share the
same hi ith the grid cell itself. The semantic security of /(implies that |-r:Q% ; -r:Q# ;| isnegligible.@' : Ee change reuest in the client message to the encryptionof a random tuple ith the same length. The security of I7(
implies that |-r:Q'; -r:Q%;| is negligible 1?;. In @', both"sgb
and
"sgb
are independent of b chosen by the challenger. Therefore,A %could succeed in outputting the correct bit ith probability atmost
1
#
#
1
%
%
-
7/24/2019 User-Defined Privacy Grid System For
11/21
ith the intended /- . ormally, e consider the folloing game 1!#, and e ha5e |-r:Q0;1-%
-r:QiB1; -r:Qi;|B
played beteen an ad5ersaryA +hich is the dishonest A/ and a 1 #|
iN0|
challenger C hich acts the roles of the user and ser5icepro5iders.
@i5en the system parameters, A begins to issue Private 2eyQuery for polynomially many times: it submits the identity of
a /- to C, and recei5es the corresponding pri5ate 3ey. Thismodels the case that A/ colludes ith a +non*intended /- . Athen specifies the -OI*type, the identity of the intended /- +the
1. 9 function f : 8 S 0, 1; is negligible if for all positi5e polynomialpoly+ there e2ists an 8 such that for all n U 8 , f+n L 1!poly+n.
|-r:Q' ; # | hich isnegligible.
+." Inte&rit
This is to ensure that A/ cannot modify any messages returnedby /- or add any messages ithout being detected. ormally, e
consider the folloing game, here the ad5ersary A is a A/, andthe challenger Cplays the roles of the client and all the ser5icepro5iders.
@i5en the system parameters, A adapti5ely issues the fol* #$
loing ueries for polynomially number of times: Private 2ey #0
Query: A submits the identity of a /- , and is returned the 1$corresponding pri5ate 3ey. Service Query: A generates a user10 message "sg1 and sends it to /- indicated in "sg1 . It then$ recei5es the anser "sg% . A then submits the -OI*type, the0
identity of the intended /- +the pri5ate 3ey of hich has not beenueried, the grid structure, a uery area, and a user4s location
/er5ice -ro5iderAuery /er5erClient
$ $0 $00 $000 $0000
8umber of -OIs
1000000
100000
10000
1000
100
10
1
/er5ice -ro5iderClient
$ $0 $00 $000 $0000
8umber of -OIs
+2, y. C generates the user4s message "sg
, and the intended
/- 4s message "sg, and sends them to A. inally, Aoutputs
+a Computation Cost
7ig# 8# 9um&er of P:s '99 )ueries(#
+b Communication Cost
"sg. 6et "sg be the correct anser that an honest A/ ould
return to the user. A ins the game if "sg' 6 "sg' but theuser accepts "sg.Definition ,. A D9S achieves integrity i$ there is no
pro*a*ilistic polyno#ial-ti#e adversary A which wins thea*ove ga#e with non-negligi*le pro*a*ility.
1emma ,. 3ur D9S achieves
integrity.
0roo$. 9gain, e use Qi to denote the e5ent that A ins the
game@i. @0 is the original game described abo5e.
/ E0-ERIMENTA, RESU,TS
In this section, e e5aluate the performance of our D@/ for both
continuous range and 3*88 ueries through simulations.3aseline al$orithm. Ee implemented a continuous spatial cloa3*
ing scheme using the $ully-trusted third party #odel +TT- #;.
TT- relies on a fully*trusted location anonymier, hich is placed
beteen the user and the ser5ice pro5ider +/- , to blur a
uerying user4s location into a cloa3ed area that contains the
uerying user
and a set of K 1 other users to satisfy the user specifiedK*
anonymity pri5acy reuirement. To preser5e the user4s continuous@1: Ee change the generation of "sg1 and "sg% . Insteadof being output by MD on input a random M , "M is noselected at random from K" . It is also used in the5erification of the ad5ersary4s final output, i.e., chec3ing the
5alidity of the "9Cs in
"sg
. The security of MD implies that |-r:Q ; -r:Q ;|is
location pri5acy, the location anonymier 3eeps adjusting thecloa3ed area to contain the uerying user and the K 1users. 9 pri5acy*aare uery processor at /- returns a set ofcandidate -OIs to the uerying user through the locationanonymier );,
' 1 0
negligible. 7elo e sho that the ad5ersary ins this game only
ith negligible probability.
Ee use A to construct an algorithm B hich brea3s the strong
unforgeability of "9C #$;, #);. @i5en oracle access to O" ,B
generates system parameters hich include the I7( 3ey. It thenin5o3es A on input the system parameters, and begins to anserA4s ueries as folloing. Private 2ey Query: @i5en theidentity of a /- , B uses the I7( 3ey to generate the pri5ate 3eyof /- , and returns it to A. Service Query: @i5en a clientmessage "sg1 N h/-,re.uest,/e i, B uses the pri5ate 3ey of/- +hich can becomputed from the I7( 3ey to decrypt reuest and obtains -OI*type, M , m, +2b , yb and +2t , yt . It then follos the
prescribed strategy of a /- to generate "sg% , and returns it toA.
Ehen "sg% is ready, A outputs the identity of an intended/- , the pri5ate 3ey of hich has not been ueried. A alsooutputs
-OI*type, the grid structure, a uery region and a user4s location
+2, y. B then generates "sg1 using the information gi5en byA
and also "sg
as follos:
or all the -OIs, B computes Ci and li using 3eysderi5ed from M hich is embedded in F"sg. It then sends+C , l to i ithe oracle O" and is returned i N " 9C"M+Ci, li.
Com*utation
0ime;ms9". 9ndroid uses Wa5a to rite applications, but it
also allos to run code nati5ely by cross*compiling for the
9>" architecture and then calling nati5e code from ithin
an application ritten in Wa5a. or the benchmar3 e first
e5aluated the performance of doing the cryptographic opera*
tions in Wa5a, using built*in symmetric cryptography and W-7C+h tt p :!! g as.d ia.un isa.it! p r o jects!j pb c!i nd e 2 .h tm l, a Wa5a port of
-7C, for performing I7(. Ee then also cross*compiled the
libraries used in the prototype +Open//6, @"- and -7C for
9>" to e5aluate the performance hen running the
cryptographic operations nati5ely on the de5ice.
+esults. Table 1 shos the benchmar3 results for I7( en*
cryption and 9(/ decryption that refer to encrypting one reuest
for /- and decrypting one -OI recei5ed from A/, respecti5ely.
These results sho that smartphones are easily capable of per*
forming the cryptographic operations necessary in our protocol.
Ehile I7( is still a somehat e2pensi5e operation reuiring on
the order of $0ms, this is an infreuent reuest and hence not abottlenec3. Kashing ! encrypting and 9(/ decryption on the other
hand are much more freuent operations in our protocol, but the
operations are 5ery efficient hen done nati5ely, so that a mobile
de5ice can easily decrypt up to se5eral hundred thousand -OIs per
second, or e5en more if multiple cores are used +at hich point
bandidth is more li3ely to become the bottlenec3.
4 RE,ATED 5OR6
/patial cloa3ing techniues ha5e been idely used to preser5e
user location pri5acy in 67/. "ost of the e2isting spatial cloa3ing
techniues rely on a fully*trusted third party +TT-, usually
termed location anony#izer, that is reuired beteen the user and
the ser5ice pro5ider +e.g., 1;
-
7/24/2019 User-Defined Privacy Grid System For
18/21
ther users to satisfy 3*anonymity. The TT- model has four
major drabac3s. +a It is difficult to find a third party that can
e fully trusted. +b 9ll users need to continuously update their
ocations ith the location anonymier, e5en hen they are not
ubscribed to any 67/, so that the location anonymier has
nough information to compute cloa3ed areas. +c 7ecause the
ocation anonymier stores the e2act location information of
ll users, compromising the location anonymier e2poses their
ocations. +d 3*anonymity typically re5eals the appro2imate
ocation of a user and the location pri5acy depends on the user
distribution. In a system ith such regional location privacy it is
difficult for the user to specify personalied pri5acy reuirements.
The feeling* based approach #; alle5iates this issue by finding a
loa3ed area based on the number of its 5isitors that is at least as
opular as the user4s specified public region.
9lthough some spatial cloc3ing techniues can be applied to
eer*to*peer en5ironments %0;
-
7/24/2019 User-Defined Privacy Grid System For
19/21
AC6NO5,ED#MEN TS
Chi*Jin Cho as partially supported by the @uangdong 8at*
ural /cience oundation +8o. /#01%01001#%)% and a research
grant +CityF -roject 8o. #%11%1. Aiong Kuang as sup*
ported by the 8ational 8atural /cience oundation of China +8o.)1'?#1') and the @uangdong 8atural /cience oundation +8o.
/#01%010011&$. Duncan /. Eong as supported by a research
grant from the >esearch @rants Council, KM/9> +-roject 8o.
CityF 1#1$1#.
RE8ERENCES
1; 7. 7amba, 6. 6iu, -. -esti, and T. Eang, H/upporting anonymouslocation ueries in mobile en5ironments ith -ri5acy@rid, in """,#00&.
#; C.*J. Cho and ". . "o3bel, H(nabling pri5ate continuous ueries forre5ealed user locations, in SS4D, #00?.
%; 7. @edi3 and 6. 6iu, H-rotecting location pri5acy ith personalied 3*anonymity: 9rchitecture and algorithms, )+++ 4:C, 5ol. ?, no. 1,
pp.1. Yhang, H(ffecti5e densityueries of continuously mo5ing objects, in)+++ )CD+, #00).
1'; /. Eang and Q. /. Eang, H9nonTist: 8earest neighbor uerying ithboth location pri5acy and 3*anonymity for mobile users, in :D:,#00.
1$; E. 7. 9llshouse, E. 7. 9llshousea, ". M. itchb, M. K. Kamptonb, D.C.
@esin3c, I. 9. Dohertyd, -. 9. 6eonebd, ". 6. /errea, and E. C."illerb, H@eomas3ing sensiti5e health data and pri5acy protection: an
e5aluation using an (11 database, 9eocarto )nternational, 5ol. #$, pp.''%
-
7/24/2019 User-Defined Privacy Grid System For
20/21
#'; I(((, 0=7>7-?888 Standard Speci$ications $or 0u*lic-'ey Cryptogra-phy, #000.
#$; 9. 7. 6e3o and 7. Eaters, H(fficient pseudorandom functions fromthe decisional linear assumption and ea3er 5ariants, in AC: CCS,#00.
-
7/24/2019 User-Defined Privacy Grid System For
21/21
#); O. @oldreich, /. @oldasser, and /. "icali, HKo to construct randomfunctions,@ournal o$ the AC:, 5ol. %%, no. ', pp. ?#.h tt p :!! .ce n s u s . g o 5 ! g e o ! !t ig e r!.#; T. Qu and J. Cai, Heeling*based location pri5acy protection for
location*based ser5ices, in AC: CCS, #00.
%0; C.*J. Cho, ". . "o3bel, and Q. 6iu, H9 peer*to*peer spatialcloa3ing algorithm for anonymous location*based ser5ice, in AC:
9)S, #00).%1; @. @hinita, -. Malnis, and /. /3iadopoulos, H"O7IKID(: 9 mobilepeer* to*peer system for anonymous location*based ueries, in SS4D,#00?.
%#; XX, H->IG(: 9nonymous location*based ueries in distributed mobilesystems, in """, #00?.
%%; @. Yhong and F. Kengartner, H9 distributed 3*anonymity protocol forlocation pri5acy, in)+++ 0erCo#, #00.
%'; ". 6. Jiu, C. /. Wensen, Q. Kuang, and K. 6u, H/paceTist: "anagingthe trade*offs among location pri5acy, uery performance, and ueryaccuracy in mobile ser5ices, in )+++ )CD+, #00&.
%$; >. 9graal, W. Miernan, >. /ri3ant, and J. Qu, HOrder*preser5ingencryp* tion for numeric data, in AC: S)9:3D, #00'.
%); K. Kacigu\ mu\ s], 7. Iyer, and /. "ehrotra, H(fficient e2ecution ofaggre* gation ueries o5er encrypted relational databases, in DASFAA,#00'.
%?; (. "y3letun and @. Tsudi3, H9ggregation ueries in the database*as*a*ser5ice model, inDBSec, #00).
%&; 9. Mhoshgoaran and C. /hahabi, H7lind e5aluation of nearest neighborueries using space transformation to preser5e location pri5acy, inSS4D,#00?.
%; E. M. Eong, D. E. Cheung, 7. Mao, and 8. "amoulis, H/ecure 388computation on encrypted databases, inAC: S)9:3D, #00.
'0; ". 6. Jiu, @. @hinita, C. /. Wensen, and -. Malnis, H(nabling searchser5ices on outsourced pri5ate spatial data, ;LDB @ournal, 5ol. 1, no.%, pp. %)%and2A/A, res*ectively# "e is currently an assistant*rofessor in De*artment of Com*uter Science,City University of "ong ong# "is researchinter- ests include s*atio-tem*oral datamanagement and analytics, GS, mo&ile
com*uting, location- &ased services, and data*rivacy# "e as the
co-organier of 5C SGSP505L o&iGS 2A/2, 2A/3, and 2A/4#
'i!n& H(an& got his B#S# and #S# degreesfrom 7udan University in 2AA3 and 2AA= re-s*ectively, and got his PhD degree from CityUniversity of "ong ong in 2A/A# 9o he is a*rofessor at South China 5gricultural University#"is research interests include cry*togra*hy andinformation security, in *articular, cry*togra*hic*rotocols design and analysis#
D(ncan S. 5!n& received the B#6ng# degreefrom the University of "ong ong in /@@4, the#Phil# degree from the Chinese University of"ong ong in /@@>, and the Ph#D# degree from9ortheastern University, Boston, 5, in 2AA2#"e is currently an associate *rofessor in the De-*artment of Com*uter Science at the City Uni-versity of "ong ong# "is *rimary researchinter- est is cry*togra*hy. in *articular,cry*togra*hic *rotocols, encry*tion and
signature schemes, and anonymous systems#"e is also interested
in other to*ics in information security, such as netor security,ireless security data&ase security, and security in cloud com*uting#
http://www.census.gov/geo/www/tiger/http://www.census.gov/geo/www/tiger/http://www.census.gov/geo/www/tiger/