User-Defined Privacy Grid System For

7/24/2019 User-Defined Privacy Grid System For

1/21

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation

information: DOI 10.110!T"C.#01$.#%&&'&&, I((( Transactions on "obile Computing1

1$%)*1#%% +c #01% I(((. -ersonal use is permitted, but republication!redistribution reuires I((( permission. /ee

http:!!.ieee.org!publicationsstandards!publications!rights!inde2.html for more information.

User-Defined Privacy Grid System forContinuous Location-Based Services

Roman Schlegel, Member, IEEE, Chi-Yin Cho, Member, IEEE, !iong "uang, Member,IEEE,

and Duncan S# $ong, Member, IEEE

Abstract%Location-&ased services 'LBS( re)uire users to continuously re*ort their location to a *otentially untrusted server to o&tain

services &ased on their location, hich can e+*ose them to *rivacy riss# Unfortunately, e+isting *rivacy-*reserving techni)ues for

LBS have several limitations, such as re)uiring a fully-trusted third *arty, offering limited *rivacy guarantees and incurring high

communication overhead# n this *a*er, e *ro*ose a user-defined *rivacy grid system called dynamic grid system 'DGS(. the first

holistic system that fulfills four essential re)uirements for *rivacy-*reserving snapshot and continuous LBS# '/( 0he system only

re)uires a semi-trusted third *arty, res*onsi&le for carrying out sim*le matching o*erations correctly# 0his semi-trusted third *arty

does not have any information a&out a user1s location# '2( Secure sna*shot and continuous location *rivacy is guaranteed under our

defined adversary models# '3( 0he communication cost for the user does not de*end on the user1s desired *rivacy level, it only

de*ends on the num&er of relevant *oints of interest in the vicinity of the user# '4( 5lthough e only focus on range and 3-nearest-

neigh&or )ueries in this or, our system can &e easily e+tended to su**ort other s*atial )ueries ithout changing the algorithms run

&y the semi-trusted third *arty and the data&ase server, *rovided the re)uired search area of a s*atial )uery can &e a&stracted into

s*atial regions# 6+*erimental results sho that our DGS is more efficient than the state-of-the-art *rivacy-*reserving techni)ue for

continuous LBS#

Index Terms%Dynamic grid systems, location *rivacy, location-&ased services, s*atio-tem*oral )uery *rocessing, cry*togra*hy

1 INTRODUCTION

In today4s orld of mobility and e5er*present Internet

connecti5ity, an increasing number of people use location*based

ser5ices +67/ to reuest information rele5ant to their current

locations from a 5ariety of ser5ice pro5iders. This can be thesearch for nearby points of interest +-OIs +e.g., restaurants and

hotels, location* aare ad5ertising by companies, traffic

information tailored to the highay and direction a user is

tra5eling and so forth. The use of 67/, hoe5er, can re5eal much

more about a person to potentially untrustorthy ser5ice

pro5iders than many people ould be ill* ing to disclose. 7y

trac3ing the reuests of a person it is possible to build a

mo5ement profile hich can re5eal information about a user4s

or3 +office location, medical records +5isit to specialist clinics,

political 5ies +attending political e5ents, etc.

8e5ertheless, 67/ can be 5ery 5aluable and as such users

should be able to ma3e use of them ithout ha5ing to gi5e up

their location privacy. 9 number of approaches ha5e recently

been proposed for preser5ing the user location pri5acy in 67/.

In general, these approaches can be classified into to main

categories. +1Fully-trusted third party +TT-. The most popular

pri5acy*preser5ing techniues reuire a TT- to be placed beteen

the user and the ser5ice pro5ider to hide the user4s location

information from the ser5ice pro5ider +e.g., 1;


2/21


information: DOI 10.110!T"C.#01$.#%&&'&&, I((( Transactions on "obile Computing#



ocation information. Se#i-trusted in this conte2t means that

hile

A/ ill try to determine the location of a user, it still correctly

carries out the simple matching operations reuired in the

protocol, i.e., it does not modify or drop messages or create ne

messages.

1: (ncrypted uery B(ncrypted cell identifiers

#: (ncrypted uery

9n untrusted A/ ould arbitrarily modify and drop messages asell as inject fa3e messages, hich is hy our system depends on

MobileUser

': (ncrypted -OIsmatching the encrypted Query

%: (ncrypted -OIs Service

ase#i-trusted A/ .

cell identifiers Server Provider

The main idea of our DGS. In D@/, a uerying user first

determines a /uery area, here the user is comfortable to re5eal

the fact that she is somehere ithin this uery area. The uery

area is di5ided into eual*sied grid cells based on the dynamic

grid structure specified by the user. Then, the user encrypts a

uery that includes the information of the uery area and the

dynamic grid structure, and encrypts the identity of each grid

cell intersecting the reuired search area of the spatial uery to

produce a set of encrypted identi$iers. 8e2t, the user sends a

reuest including +1 the encrypted uery and +# the encrypted

identifiers to A/, hich is a semi*trusted party located beteen

the user and /- . A/ stores the encrypted identifiers and

forards the encrypted uery to /- specified by the user. /-decrypts the uery and selects the -OIs ithin the uery area from

its database. or each selected -OI, /- encrypts its information,using the dynamic grid structure specified by the user to find a

grid cell co5ering the -OI, and encrypts the cell identity to

produce the encrypted identifier for that -OI. The encrypted

-OIs ith their corresponding encrypted identifiers are returned

to A/. A/ stores the set of encrypted -OIs and only returns tothe user a subset of encrypted -OIs hose corresponding

identifiers match any one of the encrypted identifiers initially sent

by the user. 9fter the user recei5es the encrypted -OIs, she

decrypts them to get their e2act locations and computes a uery

anser.7ecause the user is continuously roaming she might need

information about -OIs located in other grid cells +ithin the

uery area that ha5e not been reuested from A/ before. Theuser therefore simply sends the encrypted identifiers of the

reuired grid cells to A/. /ince A/ pre5iously stored the-OIs ithin the uery area together ith their encrypted

identifiers, it does not need to enlist /- for help. A/ simplyreturns the reuired -OIs hose encrypted identifiers match any

one of the nely reuired encrypted identifiers to the user. 9fter

the user recei5ed the encrypted -OIs from A/, she can e5aluate

the uery locally. Ehen the user unregisters a uery ith A/,

A/ remo5es the stored encrypted -OIs and their encryptedidentifiers. In addition, hen the reuired search area of a uery

intersects the space outside the current uery area, the user

unregisters the uery ith A/ and re*issues a ne uery ith ane uery area.

Contributions. Our D@/ has the folloing 3ey features:

+1 5o 440. Our D@/ only reuires a se#i-trusted uery ser5er

+A/ +i.e., trusted to correctly run the protocol located beteenusers and ser5ice pro5iders. +# Secure location privacy. D@/

ensures that A/ and other users are unable to infer any infor*mation about a uerying user4s location, and the ser5ice pro5ider

/- can only deduce that the user is somehere ithin the user*

specified uery area, as long as A/ and /- do not collude.+% Low co##unication overhead. The communication cost of

D@/ for the user does not depend on the user*specified uery

area sie. It only depends on the number of -OIs in the grid cells

o5erlapping ith a uery4s reuired search area. +'

+6tensi*ility to various spatial /ueries. D@/ is applicable to

5arious types of spatial ueries ithout changing the algorithms

carried out by A/ or /- if their ansers can be abstracted intospatial regions, e.g., re5erse*88 ueries 1#; and density ueries

1%;.
http://www.ieee.org/publications_standards/publications/rights/index.htmlhttp://www.ieee.org/publications_standards/publications/rights/index.html


3/21


information: DOI 10.110!T"C.#01$.#%&&'&&, I((( Transactions on "obile Computing%



ig# /# System architecture of our DGS

The rest of this paper is organied as follos. /ection #

resents the system model of our D@/. /ection % describes the

uery processing algorithms designed for D@/. /ection ' shos

hat D@/ is secure and preser5es user location pri5acy. /ection $

hos e2perimental results. /ection ) highlights related or3.

inally, /ection ? concludes the paper.

2 SYSTEM ARCHITECTURE

ig. 1 depicts the system architecture of our dynamic grid system

D@/ designed to pro5ide pri5acy*preser5ing continuous 67/

or mobile users. Our system consists of three main entities,

ervice providers, /uery servers and #o*ile users. Ee ill

describe the main entities and their interactions, and then present

he to spatial ueries, i.e., range and 3*nearest*neighbor +88ueries, supported by our system.

Service providers (/- . Our system supports any number of

ndependent ser5ice pro5iders. (ach /- is a spatial databasemanagement system that stores the location information of a

articular type of static -OIs, e.g., restaurants or hotels, or the

tore location information of a particular company, e.g., /tarbuc3s

r "cDonald4s. The spatial database uses an e2isting spatial inde2

e.g., >*tree or grid structure to inde2 -OIs and anser range

ueries +i.e., retrie5e the -OIs located in a certain area. 9s

depicted in ig. 1, /- does not communicate ith mobile users

directly, but it pro5ides ser5ices for them indirectly through the

uery ser5er +A/ .

Mobile users. (ach mobile user is euipped ith a @-/*enabled

de5ice that determines the user4s location in the form +2u, yu. The user can obtain snapshot or continuous 67/ from our

system by issuing a spatial uery to a particular /- through

A/. Our system helps the user select a uery area for the

spatial uery, such that the user is illing to re5eal to /- thefact that the user is located in the gi5en area. Then, a grid

structure is created and is embedded inside an encrypted uery

that is forarded to /- , it ill not re5eal any information aboutthe uery area to A/ itself. In addition, the communication costfor the user in D@/ does not depend on the uery area sie.

This is one of the 3ey features that distinguishes D@/ from the

e2isting techniues based on the fully*trusted third party model.

Ehen specifying the uery area for a uery, the user ill

typically consider se5eral factors. +1 The user specifies a mini*

mum pri5acy le5el, e.g., city le5el. or a snapshot spatial

uery, the uery area ould be the minimum bounding rectangle

of the city in hich the user is located. If better pri5acy is

reuired, the user can choose the state le5el as the minimum

pri5acy le5el +or e5en larger, if desired. The sie of the uery

area has no performance implications hatsoe5er on the user, anda user can freely choose the uery area to suit her on pri5acy

reuirements. or continuous spatial ueries, the user again first

chooses a uery area representing the minimum pri5acy le5el

reuired, but also ta3es into account possible mo5ement ithin

the time period t for

the uery +e.g., %0 minutes. If mo5ement at the ma2imum legal

speed could lead the user outside of the minimum pri5acy le5el

uery area ithin the uery time t, the user enlarges the ueryarea correspondingly. This enlargement can be made generously,

as a larger uery area does not ma3e the uery more e2pensi5e

for the user, neither in terms of communication nor computational

cost. +# The user can also generate a uery area using a desired

3*anonymity le5el as a guideline. Fsing a table ith population

densities for different areas, a user can loo3*up the population

density of the current area, and use this to calculate the uery

area sie such that the e2pected number of users ithin the uery

area correlates ith the desired 3*anonymity le5el. Considering

that this is an appro2imation for the corresponding 3*anonymity,the resulting uery area can be ta3en as a loer*bound and the

final uery area sie calculated as the loer*bound times a safety

margin factor. The idea of using such density maps has been used

for 67/ 1'; and health data 1$;. +% 9lternati5ely, the user can

specify a uery area based on ho far she ants to tra5el, e.g., if

the user ants to find restaurants ithin the donton area, shesets the donton area as the uery area.

9 larger uery area does ha5e an impact on A/ and /- in

terms of or3load and communication cost, but the bottlenec3

is considered to be beteen the user and A/, and the load onthis lin3 and on the user does not depend on the uery area sie.

9 system parameter can be defined to limit the ma2imum uery

area sie or number of objects returned to a user, in order to not

o5erload the client*side application.

Query servers (A/. A/ is a semi*trusted party placed beteenthe mobile user and /- . /imilar to the most popularinfrastructure in e2isting pri5acy*preser5ing techniues for 67/,

A/ can be maintained by a telecom operator 1);. Thecontrol!data flos of our D@/ are as follos +ig. 1:

1 The mobile user sends a reuest that includes +a the

iden* tity of a user*specified /- , +b an encrypted /uery

+hich includes information about the user*defined

dynamic grid structure, and +c a set of encrypted

identi$iers +hich are calculated based on the user*

defined dynamic grid structure to A/ .# A/ stores the encrypted identifiers and forards the

encrypted uery to the user*specified /- .

% /- decrypts the uery and finds a proper set of -OIsfrom its database. It then encrypts the -OIs and their cor*responding identifiers based on the dynamic grid

structure specified by the user and sends them to A/ .' A/ returns to the user e5ery encrypted -OI hose

encrypted identifier matches one of the encrypted iden*

tifiers initially sent by the user. The user decrypts the

recei5ed -OIs to construct a candidate anser set, and

then performs a simple filtering process to prune false

positi5es to compute an e2act uery anser.

Ee assume that there is a secure channel beteen the user and

A/. This assumption is necessary as /- might be able to learn

the user4s location if it can ea5esdrop on the communicationbeteen the user and A/. The secure channel can easily beestablished using standard techniues such as identity*based

encryption 1?;, 3ey e2change protocols +e.g. "AG 1&; or

//6!ET6/. Ee also note that the data pri5acy of /- is

protected ith regards to A/ , as A/ only recei5es encryptedinformation about the -OIs, and only the client can decrypt the

-OIs. A/ hence does not learn any information about the -OIs+e.g., name, address, ratings, etc..


4/21


information: DOI 10.110!T"C.#01$.#%&&'&&, I((( Transactions on "obile Computing'



Ee additionally note that the or3*load of the A/ depends toome e2tent on the uery area chosen by a user, i.e., a large uery

rea ould lead to the /- sending a comparati5ely larger amount

f data to the A/. If this is an issue, a A/ could pro5ide differentiers of ser5ices, some of hich could be paid, that ould allo

or different pri5acy reuirements of users +i.e., different

ma2imum uery area sies. 7asic economical principles could be

pplied to ma3e this orthhile both for users and A/ ser5icero5iders. Supported spatial !ueries. D@/ supports the to

most popular spatial ueries, i.e., range and 3*88 ueries, hile

reser5ing the user4s location pri5acy. The mobile useregisters a continuous range uery ith our system to 3eep

rac3 of the -OIs ithin a user*specified distance, Range, of

he user4s current location +2u, yu for a certain time period,

.g., HContinuously send #e the restaurants within one #ile o$ #y

urrent location $or the ne6t one hour. The mobile user can also

ssue a continuous 3*88 uery to find the 3*nearest -OIs to the

ser4s current location +2u, yu for a specific time period, e.g.,

Continuously send #e the $ive nearest restaurants to #y current

ocation $or the ne6t 78 #inutes.

/ince a snapshot uery is just the initial anser of the contin*

ous one, D@/ also supports snapshot range and 3*88 ueries.

9lthough e only focus on range and 3*88 ueries in this or3,D@/ is applicable to other continuous spatial ueries if the uery

nser can be abstracted into spatial regions. or e2ample, our

ystem can be e2tended to support re5erse*88 ueries 1#; and

density ueries 1%; because recent research efforts ha5e shon

hat the anser of these ueries can be maintained by monitoring

region.

2.1 Adversaria M!des

Ee no discuss ad5ersarial models regarding A/ and /- , andthen present the formal security proof of our D@/ in /ection '. 9

malicious A/ or /- ill try to brea3 a user4s pri5acy by or3ingith the data a5ailable to them ithin the described protocol. Ee

do not consider A/ or /- ith access to e2ternal information notdirectly related to the protocol.

2.1.1 User Anonymity

9s described abo5e, both A/ and /- ill try to de*anonymie auser by using the information contained in the protocol +although

they still faithfully follo the protocol itself. Ehile A/ does notha5e any information about a user that ould allo it to narro

don the list of users that ould fit a specific uery, /- hasaccess to the plainte2t uery of a user. This uery, hoe5er, only

contains the uery region and the grid parameters, and ith the

information a5ailable, A/ can therefore do no better thanestablish that the user is somehere ithin the uery region +see

also /ection '.

One other concern regarding the de*anonymiation of users is

that if for e2ample the ser5ices of /- are paid ser5ices, then /-might for e2ample be able to lin3 a uery ith a billing record

and at least establish the presence of a user in a uery area. Ehile

in this paper e consider it acceptable that a user can be locatedto be ithin a uery region by A/ +after all, the user can freelychoose the uery area and hence choose it such that her personal

pri5acy reuirements are met, there is other research hich

ould allo to pre5ent the lin3ing of a uery area to a specific

user through billing records, for e2ample the or3 by Jau and

9n 1;. /o e5en if the /- reuires the authentication of usersto pro5ide a +paid ser5ice, the ser5ice can be pro5ided hile

protecting the anonymity of the user. Koe5er, no matter in

hich ay the /-

pro5ides the ser5ice, the pri5acy guarantees ill alays be better

than TT-, as a TT- alays 3nos the e2act location of the users,

hile in our system neither A/ nor /- 3no the e2act location

of a user. >egarding paid ser5ices and A/, in such a case A/does not ha5e any information to narro don the geographic

location of a user, e5en if it is being used as a paid ser5ice and

can lin3 ueries to billing records.

>egarding the de*anonymiation of users, e also note that

the type of -OI in a uery sent to /- or the density of -OIs percell in the uery area, do not pro5ide A/ ith any meaningful

information that could be used to reduce the anonymity set of

y

%

#

1

0

+2b,yb0 1 # %

+2t,yty

2

%

#

1

0

+2b,yb

0

1 # %

+2t,yt

2

a user. /pecifically, there is no correlation beteen the density +a Dynamic grid structure +b 9nser computation

of -OIs in a cell and the actual location of a user, as the userlaunches a uery ithout a*priori 3noledge of the density of

-OIs, and hence the density of -OIs in a cell cannot be used to

ma3e deductions about the possible location of a user in the uery

area.9 natural choice for the role of A/ is the netor3 ser5ice

pro5ider of a user. (5en though the netor3 ser5ice pro5ider can

typically locate a user don to an indi5idual cellular netor3 cell

already, ta3ing on the role of A/ does not pro5ide it ith anyadditional information about the user, such as the actual uery

area. There is also no reuirement for the ueries of a user to

correspond to the user4s actual location, and the netor3 ser5ice

pro5ider does not ha5e any information a5ailable that ould

allo it to infer either case. To summarie, a netor3 ser5icepro5ider already 3nos the location of its users, and ser5ing as a

A/ does not pro5ide it ith any additional information about its

users. 9lternati5ely, A/ ser5ices could also be pro5ided by

5olunteers +e.g., li3e many of the nodes in the Tor netor3, byad*supported ser5ices, or e5en by ser5ices that charge a modest

fee.

2.1.2 OtherAttacks

In this subsection e discuss a fe other attac3s and e2plain ho

they relate to our proposed system."P locali#ation. One possible attac3 in5ol5es A/ trying to de*termine the position of a user through I- localiation +i.e., using

a database hich can map I- addresses to locations. 7ecause

of ho mobile phone netor3s are setup +considering that our

system is aimed at mobile users using mobile phone netor3s,

hoe5er, mobile phones cannot be located ith usefulaccuracy, as shon by 7ala3rishnan et al. #0;. (5en so, if I-

localiation is a concern, solutions at the netor3 le5el can hide

the originating I-, for e2ample by using an anonymiing softare

>ange

+2u,yu

p?

+2

p'

u,yu

p)

p1 p#


5/21


information: DOI 10.110!T"C.#01$.#%&&'&&, I((( Transactions on "obile Computing$



such as Tor #1;. Timin$ attac%s. 9nother set of attac3s might

use timing infor* mation if A/ can obser5e the traffic close to

the originating user. Koe5er, if A/ can obser5e such traffic,the location pri5acy of the user is 5ery li3ely already

compromised, e5en ithout timing attac3s. urthermore, e

consider this to be out of the scope of our or3.

Query server as client. A/ might try to also act as a client in an

attempt to gain some information hich could help to localie a

user. A/ has no information to launch such an attac3, hoe5er,not e5en an appro2imate location of the user. 9lso, the number of

-OIs returned to a client does not allo A/ to ma3e anyinferences, because it 3nos neither the uery area nor the grid

parameters. 9 large number of -OIs could either mean a dense

region or a large uery area, depending on the grid parameters,

hich are un3non to A/ .&et'or% traffic fin$erprintin$. 9n attac3 as described by

7issias et al. ##; hich ma3es inferences based on the

statistics of

7ig# 2# 6+am*le of range )uery *rocessing in DGS

encrypted netor3 connections is not applicable to our system.

The attac3 as described in the paper is eui5alent to determining

hich A/ a user is using. This information does not need to

be secret and communication ith A/ is highly uniform acrossdifferent uery ser5ers +unli3e ebsite traffic, 5ery li3ely ma3ing

them for all practical purposes indistinguishable.

Commuter problem. 9nother attac3 that can identify the home

and the office location of a user through location traces is de*

scribed by @olle et al. #%;. This attac3 is not applicable to our

system, because no plainte2t locations are e5er transmitted in our

system and no inferences can be made.Ee e2clude side*channel attac3s in general from the security

analysis as being out of the scope of this paper. "any of the

side*channel attac3s mentioned abo5e are fundamental to netor3

communications, and as such neither limited to nor a conseuence

of the design of our proposed protocol.

" DYNAMIC #RID SYSTEM $D#S%

In this section, e ill describe ho our D@/ supports pri5acy*

preser5ing continuous range and 3*88 ueries. This section isorganied as follos: /ection %.1 describes the details of our

D@/ for processing continuous range ueries and incrementally

maintaining their ansers, and /ection %.# e2tends D@/ to

support 3*88 ueries.

".1 Ran&e '(eries

Our D@/ has to main phases for pri5acy*preser5ing continuous

range uery processing. The first phase finds an initial +or a

snapshot anser for a range uery +/ection %.1.1, and the

second phase incrementally maintains the uery anser based

on the user4s location updates +/ection %.1.#.

3.1.1 Range uery !rocessing

9s described in /ection #, a continuous range uery is defined as

3eeping trac3 of the -OIs ithin a user*specified distance >angeof the user4s current location +2u , yu for a certain time

period. In general, the pri5acy*preser5ing range uery processing

protocol has si2 main steps.

Step . Dynamic $rid structure (by the user. The idea of this

step is to construct a dynamic grid structure specified by the user.

9 uerying user first specifies a uery area, here the user is

comfortable to re5eal the fact that she is located somehere

ithin that uery area. The uery area is assumed to be a

rectangular area, represented by the coordinates of its bottom*

left 5erte2 +2b , yb and top*right 5erte2 +2t, yt. 8otice that the

user is not necessarily


6/21

reuired to be at the center of the uery area. Instead, its location

can be anyhere in the area. Koe5er, our system can also

support irregular spatial regions, e.g., the boundary of a city or a

county, by using a minimum bounding rectangle to model the

irregular spatial region as a rectangular area. The uery area

is di5ided

into m m eual*sied grid cells to construct a dynamicgrid

structure, here m is a user*specified parameter. (ach grid

cellis identified by +c, r, here c is the column inde2 from left toright and r is the ro inde2 from bottom to top, respecti5ely,ith0 c, r L m. @i5en the coordinates of the bottom*left5erte2

identifiers /e and forards the encrypted uery to /- specifiedby the user.

Step ). Query processin$ (by /- . /- decrypts the reuest toretrie5e the -OI*type, the random 3ey M selected by the user inthe reuest generation step +/tep #, and the uery area defined

by m, +2b , yb , and +2t , yt . /- then selects a set of np-OIs that match the reuired -OI*type ithin the user specified

uery area from its database. or each selected -OI j ith alocation +2j, yj +1 j np , /- computes the identity

of the grid cell in the user specified dynamic grid structureco5eringj by

of a grid cell, +2c , yc, the grid cell identity can be computed by +cj, rj N

j

2j2b

3

,

jyjyb

3

.+2t2b!m +ytyb!m

j2c2b

+2t2b!m

3 jycyb

+ytyb!m3 . ig. # gi5es a running Then, /- generates +KM, (M, "M MDD+M and com*

e2ample for pri5acy*preser5ing range uery processing, here the

uerying user is located in the cell +#, 1, m N ', and the circleith a radius of the range distance >ange specified by the user

putes the folloing:

hj K +cj, rj +)

constitutes the uery region of the range uery.

Step *. +e!uest $eneration (by the user. In this step, theuerying user generates a reuest that includes +1 a uery for

a /- specified by the uerying user and +# a set of encrypted

identifiers, /e, for a A/. The user first selects a random 3ey M

and deri5es three distinct 3eys:

+KM, (M, "M MDD+M +1

here MD+ is a 3ey deri5ation function + #';. Then, the usersets uery and /e as follos:

+1 (uery generation. 9n encrypted uery for a specific /-is prepared as:

uery I7(.(nc/-+-OI*type, M, m, +2b , yb , +2t, yt

+#

here I7(.(nc/-+ is Identity*7ased (ncryption +I7( underthe identity of /- +details of I7( are in 1?;. In the encrypted

uery, -OI*type specifies the type of -OIs, M is the random 3eyselected by the user, and the personalied dynamic grid structure

is specified by m, +2b , yb , and +2t, yt.+# +ncrypted identi$ier generation. @i5en the uery region

of the range uery, the user selects a set of grid cells /c in thedynamic grid structure that intersect the uery region, i.e., a circlecentered at the user4s current location +2u, yu ith a radiusof >ange. or each selected grid cell i in /c , its identity +ci, ri is encrypted to generate an encrypted identifier:

hi K +ci, ri+%

Ci /(.(ncKM +hi +'

here K + is a collision*resistant hash function and/(.(nc3ey + a symmetric encryption algorithm +for e2ample9(/*based under 3ey 3ey. 9fter encrypting all the grid cellsin /c , the user generates a set of encrypted identifiers /e . It isimportant to note that the user ill ma3e sure that the identifiersin /e are ordered randomly. inally, the user produces a reuestas belo and sends it to A/ :

reuest h/-,uery, /ei

+$ In the running e2ample +ig. #a, the range uery region,

hich

is represented by a circle, intersects si2 grid cells, i.e., +1, 0,+#, 0, +1, 1, +#, 1, +1, #, and +#, # +represented by shaded

cells, hich ma3e up the set of grid cells /c, and thus, the user

has to encrypt each identity of these grid cells and produce si2encrypted identifiers in /e .Step ,. +e!uest processin$ (by A/. Ehen A/ recei5esthe

reuest from the user, it simply stores the set of

encrypted

+c, r N ,


7/21

Cj /(.(ncKM +hj +?lj /(.(nc(M+2j, yj +&

j N " 9C"M+Cj, lj +

here " 9C3ey + is a message authentication code under3ey 3ey. The Cj is the corresponding encrypted identifier of a-OI, the lj contains the e2act location of a -OI in encryptedorm, and the j is included to pre5ent certain attac3s by A/such as tampering ith the encrypted -OIs.

inally, /- sends the set of selected -OIs bac3 to A/ in the

olloing form:

h-OIj N +Cj, lj, ji, herej N 1, . . . , np .

+10

Step -. ncrypted identifier matchin$ (by A/. Fpon recei5ingnp triples, A/ determines the set of matching -OIs by comparinghe encrypted identifiers Cj +1 j np of the recei5ed

-OI ith the set of encrypted identifiers /e pre5iously recei5edrom

he user. 9 match beteen a Cj and some Ci in the set/e indicates that the -OIj is in one of the grid cells reuired byhe user. Thus, A/ forards e5ery matching -OI hlj, ji to theser. If the uery is a snapshot uery, A/ then deletes theecei5ed -OIs and their encrypted identifiers. Koe5er, if the

uery is a continuous one, A/ 3eeps the recei5ed -OIs alongith their

encrypted identifiers until the user unregisters the uery.

Step /. 0ns'er computation (by the user. /uppose that thereare P matched -OIs recei5ed by the user. or each of thesematched -OIs, say hlj , ji, the user decrypts lj using (Mand gets access to the e2act location +2j , yj of the -OI. rom+2j, yj and lj, the user 5erifies jby re*calculating the " 9C5alue and compares it against j. If they match, the user finds theanser that includes the -OI hose location is ithin adistance of >ange of the user4s current position +2u, yu. Inthe running e2ample +ig. #b, the user recei5es fi5e -OIs from

A/, here the range uery anser includes to -OIs, i.e., p'andp).

3.1.2 Incrementa" Range uery Ans#erMaintenance

9fter the user gets the initial response for a range uery from

A/, she can find the initial +or snapshot uery anser locally.Then, incremental anser updates can be performed to maintain

the anser hen the user4s location changes. This phase has four

main steps.

Step . Cache re$ion (by the user. The user 3eeps trac3 of the

grid cells pre5iously reuested and caches the -OIs returned by

A/ for those cells. These cells define a cache region. The useris able to find a uery anser from the cached -OIs as long as

y

Cache >egion%

p?#

+2u,yu

1 p' p)

+2t,yty

%

#

1

p?

+2u,yu

p' p)

+2t,yt

p10

p&

to contact /- to deal ith the anser update reuest. Instead,similar to the encrypted identifier matching step +/tep $ in the

range uery processing phase, A/ simply returns the -OIs hose

encrypted identifier matches one of the encrypted identifiers in /ein the anser update reuest sent by the user.

Step ). 0ns'er computation (by the user. This step is similar

to the anser computation step +/tep ) in the range uery

processing

0 p1 p# 0 p1 p# the -OIs nely returned by A/ and the pre5iously cached -OIs.+2b,yb

0

1 # %+2b,yb

02

1 # % ig. %b depicts that the user gets to ne -OIs,p& andp10 , from2 A/, and the ne uery anser includes -OIs p) andp&.

+a Cache region +b 9nser refinement

7ig# 3# 6+am*le of incremental range )uery maintenance

the uery region +i.e., a circular area centered at the user4s current

location +2u , yu ith a radius of range distance >ange

specified by the user is contained ithin the cache region.

Koe5er, hen the uery region intersects some grid cells+ithin the uery area outside the cache region, the user e2ecutes

the folloing steps +/teps # to ' to enlist A/ for help to find auery anser.

ig. % depicts a running e2ample for the incremental range

uery anser maintenance phase, here the user has reuested

the -OIs ithin si2 grid cells, as illustrated in ig. #. The

combined area of these si2 grid cells constitutes the cache region,

represented by a bold rectangle. 9s shon in ig. %a, the uery

region of the range uery intersects to grid cells outside the

cache region, i.e., +%, 1 and +%, # +represented by shaded cells,so the user has to e2ecute /teps # to ' to get the -OIs ithin

these to grid cells from A/ .Step *. "ncremental re!uest $eneration (by the user. This

step is similar to the reuest generation step +/tep # in the range

uery processing phase +/ection %.1.1, e2cept that the user only

generates encrypted identifiers for the set of grid cells /c that

intersect the uery region but are outside of the cache region,

i.e., that ha5e not been reuested by the user before. or each

grid cell in /c , its identity is encrypted to generate an encrypted

identifier Ci using (uations % and '. Then, an anser update

reuest including the set of encrypted identifiers /e is sent to

A/. In the running e2ample +ig. %a, the user has to get the-OIs ithin the to grid cells +%, 1 and +%, # to e5aluate the

range uery, so she encrypts their cell identities to generate toencrypted identifiers in /e , and sends an update reuest along

ith /e to A/ .

There is the possibility that a small amount of information

about the mo5ement of a user is lea3ed if the user only reuests

the cells outside the cache region. or e2ample, if a user reuests

si2 cells in an initial reuest, and then to cells in an anser

update reuest a short hile later, an ad5ersary +e.g., A/ mightbe able to infer information about the mo5ements of theuser.


8/21

".2 M )Nearest)Nei&*b!r '(eries

/imilar to continuous range ueries, the pri5acy*preser5ing uery

rocessing for continuous 3*88 ueries has to main phases. Theirst phase finds an initial +or snapshot anser +/ection %.#.1,

hile the second phase maintains the correct anser hen the

ser mo5es by using incremental updates +/ection %.#.#.

Koe5er, unli3e range ueries, the reuired search area of a 3*

88 uery is un3non to a user until the user finds at least 3-OIs to compute a reuired search area, i.e., a circular area

entered at the user4s location ith a radius from the user to the

3*th nearest -OI. Thus, the pri5acy*preser5ing uery processing

rotocol of 3*88 ueries is slightly different.

3.2.1 M $%earest$%eighbor uery !rocessing

9 continuous 3*88 uery is defined as 3eeping trac3 of the 3*

earest -OIs to a user4s current location +2u , yu for a

ertain time period, as presented in /ection #. In general, the

ri5acy* preser5ing 3*88 uery processing has si2 majorteps to find an initial +or snapshot uery anser. ig. ' depicts

running e2ample of the pri5acy*preser5ing uery processing of

3*88 uery, here 3 N %.

Step . Dynamic $rid structure (by the user. This step is the

same as the dynamic grid structure step +/tep 1 in the range

uery processing phase +/ection %.1.1. It ta3es a user*specified

uery area ith a left*bottom 5erte2 +2b , yb and a right*top

5erte2+2t , yt and di5ides the uery area into m m eual*siedcells,

as illustrated in ig. 'a +m N ).Step *. +e!uest $eneration (by the user. The reuired search

area of the 3*88 uery is initially un3non to the user. The

user first finds at least 3 -OIs to compute the reuired searcharea as a circular area centered at the user4s location ith a

radius of a distance from the user to the 3*th nearest 3non -OI.The user therefore first attempts to get the nearby -OIs from a

specific /- . In this step, the user reuests the -OIs in the cell

containing the user and its neighboring cells from /- . @i5enthe user4s current location +2u , yu and a uery area

specified by the user in /tep 1, she ants to get the -OIs

ithin a set of grid cells /c that includes the cell containing

herself, i.e.,

If this is a concern, a user can pad the number of encrypted +cu, ru Nj

2u2b

3

,

jyuyb

3

, and its at most eight+2t2b!m +ytyb!m

identifiers in an anser update reuest to obtain the same number

of encrypted identifiers as in the initial reuest by generating

encrypted identifiers for additional grid cells, hich ha5e not been

reuested by the user before and are around the grid cells in /c .

In this ay, the ad5ersary cannot distinguish beteen the Hactual

encrypted identifiers and the Hadditional encrypted identifiers.

Step ,. +e!uest processin$ (by A/. 7ecause A/ alreadycached the -OIs along ith their encrypted identifiers ithin the

user*specified uery area from the initial reuest, it does not need

neighboring cells +cu 1, ru 1, +cu, ru 1, +cuB 1, ru 1,+cu 1, ru, +cu B 1, ru, +cu 1, ru B 1, +cu, ru B 1,and

+cu B 1, ru B 1. or each cell i in /c , the user generatesan

encrypted identifier Ci using (uations % and ', as in the reuestgeneration step +/tep # in the range uery processing phase. The

user also creates a uery to be sent to /- based on (uation #.inally, the user sends a reuest, hich includes the identity of

/- , the uery, and the set of encrypted identifiers +in random

order /e , as gi5en in (uation $, to A/ .


9/21

+2t,yt

p1

+2u,yu

p#

p%

+2b,yb0

1 # % ' $ +2b,yb0

2

1 # % ' $ +2b,yb0

2

1 # % ' $ +2b,yb0

2

1 # % ' $ 2

+a Dynamic grid structure +b Incremental search +c >euired search area +d 9nser refinement

7ig# 4# 6+am*le of 3-nearest-neigh&or )uery *rocessing in DGS

In the running e2ample +ig. 'a, the user located in the grid

cell +%, % and therefore reuests the -OIs in the cells +%, % andits neighboring grid cells, i.e., +#, #, +%, #, +', #, +#, %, +', %,+#, ', +%, ', and +', ', +represented by shaded cells from /-through A/ .

Step ,. +e!uest processin$ (by A/. This step is identical to/tep % for range ueries in the uery processing phase +/ec*

tion %.1.1.Step ). Query processin$ (by /- . This step is identical to /tep' for range ueries in the uery processing phase +/ection %.1.1.

Than3s to this uery abstraction feature, our D@/ can be easily

e2tended to support other continuous spatial uery types, e.g.,

re5erse 88 ueries and density ueries.

Step -. +e!uired search area (by the user and A/. This step issimilar to the encrypted identifier matching step +/tep $ for range

ueries in the uery processing phase +/ection %.1.1, ith the

difference that this step may in5ol5e se5eral rounds of interaction

beteen the user and A/. A/ matches the encrypted identifiers

of the encrypted -OIs returned by /- ith the encrypted

identifiers in /e sent by the user in /tep #, and sends the matchingencrypted -OIs to the user.

If at least 3 encrypted -OIs are returned to the user, she can

decrypt them to compute a reuired search area for the 3*88uery in the form of a circle centered at the user4s location ith a

radius of the distance beteen the user and the 3*th nearest -OI.

On the other hand, if less than 3 -OIs are returned, the user starts

the ne2t iteration by reuesting the grid cells from A/ one hopfurther aay from the position of the user, i.e., the neighboring

cells of the grid cells that ha5e already been reuested by the

user. This incremental search process is repeated +i.e., reuesting

more cells mo5ing steadily outard from the user4s position until

the user has obtained at least 3 -OIs from A/. 9fter the userdetermines the reuired search area, there are to possibilities:

1 The user has already reuested all the cells hich in*

tersect the reuired search area. In this case, the user

proceeds to the ne2t step.

# The reuired search area intersects some cells hich

ha5e not yet been reuested from A/. The +at least 3-OIs found so far may in that case not be an e2act

anser, and the user reuests those cells from A/hich intersect the reuired search area but ha5e not

been reuested yet +in ig. 'c these ould be the shaded

cells outside the bold rectangle. 9fter recei5ing all

encrypted -OIs in the nely reuested cells from A/,the user proceeds to the ne2t step.

In the running e2ample, ig. 'b depicts that the grid cells initially

reuested by the user +ithin the bold rectangle contains less

than three -OIs. The user therefore reuests the neighboring grid

cells +the grid cells adjacent to the bold rectangle from A/. This

ill result in disco5ering three -OIs in total, i.e., p1, p#, andp%. The user then computes the reuired search area represented by

a circle +ig. 'c. 9s the reuired search area intersects eight cells

hich the user has not yet reuested from A/ +i.e., they areoutside the bold rectangle, the user ill launch another reuest

for the grid cells +0, 1, +0, #, +0, %, +0, ', +1, 0, +#, 0, +%, 0,

and +', 0. Step /. 0ns'er refinement (by the user. Ka5ingrecei5ed all the -OIs ithin all the grid cells intersecting the

reuired search area, the user can decrypt them to get their e2act

locations, as in the anser computation step +/tep ) for range

ueries in the uery processing phase +/ection %.1.1, and

determine the e2act anser by selecting the 3 nearest -OIs. The

pre5ious steps ensure that these 3 -OIs are indeed the closestones. In the running e2ample +ig. 'd, the user can find the

e2act anser for the %*88 uery, hich includes three -OIsp1,

p#, andp'.

3.2.2 Incrementa" 3$%% uery Ans#erMaintenance

9fter the user computes an initial +or snapshot 3*88 ueryanser, the incremental anser update phase allos to maintain

the anser as the user mo5es around. /imilar to range ueries,

the incremental anser maintenance phase has four steps. The

first to steps are the same as the cache region step and the

incremental reuest generation step as in /ection %.1.#. In the

third step +i.e., reuest processing performed by the A/, since

A/ has already cached the encrypted -OIs, together ith their

corresponding encrypted identifiers calculated by /- in /tep 'of the uery processing phase, it does not need to contact /- .It can simply forard the encrypted -OIs matching one of the

encrypted identifiers in /e to the user. In the last step +i.e., anser

refinement performed by the user, she decrypts the recei5ed

-OIs and sorts the ones located ithin the reuired search area

according to their distance to the user in ascending order. The

3*nearest -OIs to the user constitute the ne uery anser.

+ SECURITY ANA,YSIS

In this section, e define se5eral security models hich formalie

the location pri5acy of our D@/, and sho that the proposed

schemes in /ection % are secure. In our schemes, the uery ser5er

+A/ sees a user4s encrypted ueries and -OIs from a ser5ice

pro5ider +/- . /ince the user uery and returned -OI locations

are encrypted, A/ could only learn the user4s location from

p1

+2 yu

p' p#

p%

+2 yu

y y y y+2t,

$

yt +2t,

$

yt +2t,

$

yt

$

' ' ' '

% % % %

# # # #

1 1 1 1

0 0 0 0

p1

+2u,yu

p#


10/21

the number of returned -OIs rather than the encrypted 5alues.

Koe5er, this is not the case in our scheme. The number of -OIs

returned by /- depends on the uery area sie, hich is

encrypted and un3non, and therefore, A/ is not able to deri5eany useful information from the number of -OIs, e.g., hether

the user is in

a dense or sparse region. /ee 6emma # for the detailed analysis.

pri5ate 3ey of hich has not been ueried, the grid structure, a

uery area, and to user locations +20 , y0 and +21 , y1 in

theuery area, and gi5es them to C. C tosses a coinb {0,1},and

uses +2b , yb and the other information specified by A to generate"sg

bas the user4s message to A/, and the corresponding /-

message "sgb

. It sends both "sgb

and "sgb

to A. A continues% 1 %9fter decrypting the uery forarded by A/, a /- obtains

the uery area hich contains the user. Other than this, it learnsnothing, since the user could be anyhere in the area. /ee 6emma

1 for the proof. >egarding the integrity, e5ery encrypted -OI is

authenticated by /- using a "9C and the authentication 3ey is

only shared beteen the user and /- . @uaranteed by the security

of the "9C, A/ is unable to modify the information of any -OIreturned to the user, nor to add a Hfa3e -OI. /ee 6emma % for the

to issue ueries as abo5e e2cept that it cannot as3 for the pri5ate

3ey of the intended /- . inally, A outputs a bit b as its guessofb, and ins the game if bN b.

Definition *. A D9S achieves Privacy Against Query Server

(A/) i$ $or all pro*a*ilistic polyno#ial-ti#e A, its pro*a*ility o$winning the a*ove ga#e is negligi*ly close to 1!#.

1emma *. 3ur D9S achieves 0rivacy Against A/ .proof. 9s shon in ig. 1 +/ection # there are four message flos

in a basic uery in our D@/. Ee denote them by "sg1 +from the0roo$. Ee pro5e the lemma by a series of games,@0,

,@i,

user to A/, "sg# +from A/ to /- , "sg% +from /- to A/ and denote by Qi the e5ent that A ins game@i. @0: This

and "sg' +from A/ to the user, respecti5ely. In the folloing

subsections e analye the security of our scheme in detail.

+.1 -rivac A&ainst Service -r!vider $/- %

Ee reuire that /- cannot learn the user4s location any betterthan ma3ing a random guess. ormally, e consider the folloinggame played beteen a challenger C and a +malicious /- ,denoted by A.

The challenger prepares the system parameters, and gi5esthem to A. A specifies a -OI*type, the grid structure, a ueryarea and to locations +20 , y0 and +21 , y1 in this area, andgi5es them to C. C chooses at random b {0,1}, uses +2b ,yb , the specified grid structure and -OI*type to generate "sg

b

ith respect to the identity of A, i.e., the message that themalicious /- e2pects torecei5e. C then gi5es "sg

bto A. A outputs a bit b and ins the

game ifbN b.

Definition . A D9S achievesPrivacy Against Service Provider

(/- ) i$ $or any /- , its success pro*a*ility o$ winning thega#e

is the original game defined in Definition #. @i5en the system

parameters, A begins to issue pri5ate 3ey ueries. 9t somepoint, it chooses a -OI*type, the identity of the intended /- ,the grid structure, a uery area and to user locations +20 , y0,+21 , y1

in the uery area, and sends them to the challenger, hich selects+2b , yb for some random bit b to generate the user message"sg

band the corresponding /- message "sg

b, and returns them

to A.The ad5ersary continues to issue pri5ate 3ey ueries as before

e2cept to as3 for the pri5ate 3ey of the intended /- . inally,Aoutputs a bit b and ins the game if b N b. 8otice that theree2ist

to ranges, e.g., >0 and >1 , such that the grids intersected iththe circles ith ranges >0 and >1 , and centered at +20 , y0 and +21 , y1 respecti5ely, contain the same number of -OIs.7esides, the ranges are chosen by the users, and thus are

un3non to the ad5ersary.

@1 : Ee change the generation of +KM, (M, "M. 8oe randomly select them from the space KK K( K" .@uaranteed by the security of MD, e ha5e that |-r:Q1 ; -r:Q0;| is negligible #$;, #);.@# : Ee change the generation of li in "sg

b. Instead of

thea*ove is at #ost 1!#B negl+R, where negl+ is anegligi*le

$unction1

in the security para#eter.

encryption of the real location, no li1

is the encryption of a

1emma . 3ur D9S achieves 0rivacy Against /- . random location +other than +20 , y0 and +21 , y1 under the 3ey(M. @uaranteed by the semantic security of /(, e ha5e that

-r:Q#; -r:Q1;| is negligible #$;, #);.0roo$. The message that /- recei5es from A/ is "sg

#N uery,

|b

hich is an I7( of -OI*type, M , the uery area and grid structureunder /- 4s identity +see (uation #, and is independent of

the user4s location. Kence a +malicious /- does not gain anyad5antage in guessingb chosen by the challenger.

+.2 -rivac A&ainst '(er Server $A/ %

This reuires that A/ cannot tell from the user4s reuest or /- 4s

transcript about here the user is, pro5ided that it does not

collude

@%: /imilar to @# , e change all the Ci4s in "sg1 and all

the

Ci4s in "sgb

to be the encryptions of randomly selected hi4s,under the constraint that all -OIs in the same grid cell share the

same hi ith the grid cell itself. The semantic security of /(implies that |-r:Q% ; -r:Q# ;| isnegligible.@' : Ee change reuest in the client message to the encryptionof a random tuple ith the same length. The security of I7(

implies that |-r:Q'; -r:Q%;| is negligible 1?;. In @', both"sgb

and

"sgb

are independent of b chosen by the challenger. Therefore,A %could succeed in outputting the correct bit ith probability atmost

1

#

#

1

%

%


11/21

ith the intended /- . ormally, e consider the folloing game 1!#, and e ha5e |-r:Q0;1-%

-r:QiB1; -r:Qi;|B

played beteen an ad5ersaryA +hich is the dishonest A/ and a 1 #|

iN0|

challenger C hich acts the roles of the user and ser5icepro5iders.

@i5en the system parameters, A begins to issue Private 2eyQuery for polynomially many times: it submits the identity of

a /- to C, and recei5es the corresponding pri5ate 3ey. Thismodels the case that A/ colludes ith a +non*intended /- . Athen specifies the -OI*type, the identity of the intended /- +the

1. 9 function f : 8 S 0, 1; is negligible if for all positi5e polynomialpoly+ there e2ists an 8 such that for all n U 8 , f+n L 1!poly+n.

|-r:Q' ; # | hich isnegligible.

+." Inte&rit

This is to ensure that A/ cannot modify any messages returnedby /- or add any messages ithout being detected. ormally, e

consider the folloing game, here the ad5ersary A is a A/, andthe challenger Cplays the roles of the client and all the ser5icepro5iders.

@i5en the system parameters, A adapti5ely issues the fol* #$

loing ueries for polynomially number of times: Private 2ey #0

Query: A submits the identity of a /- , and is returned the 1$corresponding pri5ate 3ey. Service Query: A generates a user10 message "sg1 and sends it to /- indicated in "sg1 . It then$ recei5es the anser "sg% . A then submits the -OI*type, the0

identity of the intended /- +the pri5ate 3ey of hich has not beenueried, the grid structure, a uery area, and a user4s location

/er5ice -ro5iderAuery /er5erClient

$ $0 $00 $000 $0000

8umber of -OIs

1000000

100000

10000

1000

100

10

1

/er5ice -ro5iderClient

$ $0 $00 $000 $0000

8umber of -OIs

+2, y. C generates the user4s message "sg

, and the intended

/- 4s message "sg, and sends them to A. inally, Aoutputs

+a Computation Cost

7ig# 8# 9um&er of P:s '99 )ueries(#

+b Communication Cost

"sg. 6et "sg be the correct anser that an honest A/ ould

return to the user. A ins the game if "sg' 6 "sg' but theuser accepts "sg.Definition ,. A D9S achieves integrity i$ there is no

pro*a*ilistic polyno#ial-ti#e adversary A which wins thea*ove ga#e with non-negligi*le pro*a*ility.

1emma ,. 3ur D9S achieves

integrity.

0roo$. 9gain, e use Qi to denote the e5ent that A ins the

game@i. @0 is the original game described abo5e.

/ E0-ERIMENTA, RESU,TS

In this section, e e5aluate the performance of our D@/ for both

continuous range and 3*88 ueries through simulations.3aseline al$orithm. Ee implemented a continuous spatial cloa3*

ing scheme using the $ully-trusted third party #odel +TT- #;.

TT- relies on a fully*trusted location anonymier, hich is placed

beteen the user and the ser5ice pro5ider +/- , to blur a

uerying user4s location into a cloa3ed area that contains the

uerying user

and a set of K 1 other users to satisfy the user specifiedK*

anonymity pri5acy reuirement. To preser5e the user4s continuous@1: Ee change the generation of "sg1 and "sg% . Insteadof being output by MD on input a random M , "M is noselected at random from K" . It is also used in the5erification of the ad5ersary4s final output, i.e., chec3ing the

5alidity of the "9Cs in

"sg

. The security of MD implies that |-r:Q ; -r:Q ;|is

location pri5acy, the location anonymier 3eeps adjusting thecloa3ed area to contain the uerying user and the K 1users. 9 pri5acy*aare uery processor at /- returns a set ofcandidate -OIs to the uerying user through the locationanonymier );,

' 1 0

negligible. 7elo e sho that the ad5ersary ins this game only

ith negligible probability.

Ee use A to construct an algorithm B hich brea3s the strong

unforgeability of "9C #$;, #);. @i5en oracle access to O" ,B

generates system parameters hich include the I7( 3ey. It thenin5o3es A on input the system parameters, and begins to anserA4s ueries as folloing. Private 2ey Query: @i5en theidentity of a /- , B uses the I7( 3ey to generate the pri5ate 3eyof /- , and returns it to A. Service Query: @i5en a clientmessage "sg1 N h/-,re.uest,/e i, B uses the pri5ate 3ey of/- +hich can becomputed from the I7( 3ey to decrypt reuest and obtains -OI*type, M , m, +2b , yb and +2t , yt . It then follos the

prescribed strategy of a /- to generate "sg% , and returns it toA.

Ehen "sg% is ready, A outputs the identity of an intended/- , the pri5ate 3ey of hich has not been ueried. A alsooutputs

-OI*type, the grid structure, a uery region and a user4s location

+2, y. B then generates "sg1 using the information gi5en byA

and also "sg

as follos:

or all the -OIs, B computes Ci and li using 3eysderi5ed from M hich is embedded in F"sg. It then sends+C , l to i ithe oracle O" and is returned i N " 9C"M+Ci, li.

Com*utation

0ime;ms9". 9ndroid uses Wa5a to rite applications, but it

also allos to run code nati5ely by cross*compiling for the

9>" architecture and then calling nati5e code from ithin

an application ritten in Wa5a. or the benchmar3 e first

e5aluated the performance of doing the cryptographic opera*

tions in Wa5a, using built*in symmetric cryptography and W-7C+h tt p :!! g as.d ia.un isa.it! p r o jects!j pb c!i nd e 2 .h tm l, a Wa5a port of

-7C, for performing I7(. Ee then also cross*compiled the

libraries used in the prototype +Open//6, @"- and -7C for

9>" to e5aluate the performance hen running the

cryptographic operations nati5ely on the de5ice.

+esults. Table 1 shos the benchmar3 results for I7( en*

cryption and 9(/ decryption that refer to encrypting one reuest

for /- and decrypting one -OI recei5ed from A/, respecti5ely.

These results sho that smartphones are easily capable of per*

forming the cryptographic operations necessary in our protocol.

Ehile I7( is still a somehat e2pensi5e operation reuiring on

the order of $0ms, this is an infreuent reuest and hence not abottlenec3. Kashing ! encrypting and 9(/ decryption on the other

hand are much more freuent operations in our protocol, but the

operations are 5ery efficient hen done nati5ely, so that a mobile

de5ice can easily decrypt up to se5eral hundred thousand -OIs per

second, or e5en more if multiple cores are used +at hich point

bandidth is more li3ely to become the bottlenec3.

4 RE,ATED 5OR6

/patial cloa3ing techniues ha5e been idely used to preser5e

user location pri5acy in 67/. "ost of the e2isting spatial cloa3ing

techniues rely on a fully*trusted third party +TT-, usually

termed location anony#izer, that is reuired beteen the user and

the ser5ice pro5ider +e.g., 1;


18/21

ther users to satisfy 3*anonymity. The TT- model has four

major drabac3s. +a It is difficult to find a third party that can

e fully trusted. +b 9ll users need to continuously update their

ocations ith the location anonymier, e5en hen they are not

ubscribed to any 67/, so that the location anonymier has

nough information to compute cloa3ed areas. +c 7ecause the

ocation anonymier stores the e2act location information of

ll users, compromising the location anonymier e2poses their

ocations. +d 3*anonymity typically re5eals the appro2imate

ocation of a user and the location pri5acy depends on the user

distribution. In a system ith such regional location privacy it is

difficult for the user to specify personalied pri5acy reuirements.

The feeling* based approach #; alle5iates this issue by finding a

loa3ed area based on the number of its 5isitors that is at least as

opular as the user4s specified public region.

9lthough some spatial cloc3ing techniues can be applied to

eer*to*peer en5ironments %0;


19/21

AC6NO5,ED#MEN TS

Chi*Jin Cho as partially supported by the @uangdong 8at*

ural /cience oundation +8o. /#01%01001#%)% and a research

grant +CityF -roject 8o. #%11%1. Aiong Kuang as sup*

ported by the 8ational 8atural /cience oundation of China +8o.)1'?#1') and the @uangdong 8atural /cience oundation +8o.

/#01%010011&$. Duncan /. Eong as supported by a research

grant from the >esearch @rants Council, KM/9> +-roject 8o.

CityF 1#1$1#.

RE8ERENCES

1; 7. 7amba, 6. 6iu, -. -esti, and T. Eang, H/upporting anonymouslocation ueries in mobile en5ironments ith -ri5acy@rid, in """,#00&.

#; C.*J. Cho and ". . "o3bel, H(nabling pri5ate continuous ueries forre5ealed user locations, in SS4D, #00?.

%; 7. @edi3 and 6. 6iu, H-rotecting location pri5acy ith personalied 3*anonymity: 9rchitecture and algorithms, )+++ 4:C, 5ol. ?, no. 1,

pp.1. Yhang, H(ffecti5e densityueries of continuously mo5ing objects, in)+++ )CD+, #00).

1'; /. Eang and Q. /. Eang, H9nonTist: 8earest neighbor uerying ithboth location pri5acy and 3*anonymity for mobile users, in :D:,#00.

1$; E. 7. 9llshouse, E. 7. 9llshousea, ". M. itchb, M. K. Kamptonb, D.C.

@esin3c, I. 9. Dohertyd, -. 9. 6eonebd, ". 6. /errea, and E. C."illerb, H@eomas3ing sensiti5e health data and pri5acy protection: an

e5aluation using an (11 database, 9eocarto )nternational, 5ol. #$, pp.''%


20/21

#'; I(((, 0=7>7-?888 Standard Speci$ications $or 0u*lic-'ey Cryptogra-phy, #000.

#$; 9. 7. 6e3o and 7. Eaters, H(fficient pseudorandom functions fromthe decisional linear assumption and ea3er 5ariants, in AC: CCS,#00.


21/21

#); O. @oldreich, /. @oldasser, and /. "icali, HKo to construct randomfunctions,@ournal o$ the AC:, 5ol. %%, no. ', pp. ?#.h tt p :!! .ce n s u s . g o 5 ! g e o ! !t ig e r!.#; T. Qu and J. Cai, Heeling*based location pri5acy protection for

location*based ser5ices, in AC: CCS, #00.

%0; C.*J. Cho, ". . "o3bel, and Q. 6iu, H9 peer*to*peer spatialcloa3ing algorithm for anonymous location*based ser5ice, in AC:

9)S, #00).%1; @. @hinita, -. Malnis, and /. /3iadopoulos, H"O7IKID(: 9 mobilepeer* to*peer system for anonymous location*based ueries, in SS4D,#00?.

%#; XX, H->IG(: 9nonymous location*based ueries in distributed mobilesystems, in """, #00?.

%%; @. Yhong and F. Kengartner, H9 distributed 3*anonymity protocol forlocation pri5acy, in)+++ 0erCo#, #00.

%'; ". 6. Jiu, C. /. Wensen, Q. Kuang, and K. 6u, H/paceTist: "anagingthe trade*offs among location pri5acy, uery performance, and ueryaccuracy in mobile ser5ices, in )+++ )CD+, #00&.

%$; >. 9graal, W. Miernan, >. /ri3ant, and J. Qu, HOrder*preser5ingencryp* tion for numeric data, in AC: S)9:3D, #00'.

%); K. Kacigu\ mu\ s], 7. Iyer, and /. "ehrotra, H(fficient e2ecution ofaggre* gation ueries o5er encrypted relational databases, in DASFAA,#00'.

%?; (. "y3letun and @. Tsudi3, H9ggregation ueries in the database*as*a*ser5ice model, inDBSec, #00).

%&; 9. Mhoshgoaran and C. /hahabi, H7lind e5aluation of nearest neighborueries using space transformation to preser5e location pri5acy, inSS4D,#00?.

%; E. M. Eong, D. E. Cheung, 7. Mao, and 8. "amoulis, H/ecure 388computation on encrypted databases, inAC: S)9:3D, #00.

'0; ". 6. Jiu, @. @hinita, C. /. Wensen, and -. Malnis, H(nabling searchser5ices on outsourced pri5ate spatial data, ;LDB @ournal, 5ol. 1, no.%, pp. %)%and2A/A, res*ectively# "e is currently an assistant*rofessor in De*artment of Com*uter Science,City University of "ong ong# "is researchinter- ests include s*atio-tem*oral datamanagement and analytics, GS, mo&ile

com*uting, location- &ased services, and data*rivacy# "e as the

co-organier of 5C SGSP505L o&iGS 2A/2, 2A/3, and 2A/4#

'i!n& H(an& got his B#S# and #S# degreesfrom 7udan University in 2AA3 and 2AA= re-s*ectively, and got his PhD degree from CityUniversity of "ong ong in 2A/A# 9o he is a*rofessor at South China 5gricultural University#"is research interests include cry*togra*hy andinformation security, in *articular, cry*togra*hic*rotocols design and analysis#

D(ncan S. 5!n& received the B#6ng# degreefrom the University of "ong ong in /@@4, the#Phil# degree from the Chinese University of"ong ong in /@@>, and the Ph#D# degree from9ortheastern University, Boston, 5, in 2AA2#"e is currently an associate *rofessor in the De-*artment of Com*uter Science at the City Uni-versity of "ong ong# "is *rimary researchinter- est is cry*togra*hy. in *articular,cry*togra*hic *rotocols, encry*tion and

signature schemes, and anonymous systems#"e is also interested

in other to*ics in information security, such as netor security,ireless security data&ase security, and security in cloud com*uting#
http://www.census.gov/geo/www/tiger/http://www.census.gov/geo/www/tiger/http://www.census.gov/geo/www/tiger/

User-Defined Privacy Grid System For

Documents

Transcript of User-Defined Privacy Grid System For