NTRU Implementation of Efficient Privacy-Preserving Location-Based Querying in VANET

The key for location-based service popularization in vehicular environment is security and efficiency. However, due to the constrained resources in vehicle-mounted system and the distributed structure of fog computation, disposing of the conflicts between real-time implementation and user’s privacy remains an open problem. Aiming at synchronously preserving the position information for users as well as the data proprietorship of service provider, an efficient location-based querying scheme is proposed in this paper. We argue that a recent scheme proposed by Jannati and Bahrak is time-consuming and vulnerable against active adaptive corruptions. Thus accordingly, a postquantum secure oblivious transfer protocol is devised based on efficient NTRU cryptosystem, which then serves as the understructure of a complete location-based querying scheme in ad hoc manner. The security of our scheme is proved under universal composability frame, while performance analysis is also carried out to testify its efficiency.


Introduction
With the development and fusion of techniques such as sensing, controlling, communication, positioning, and fog computation, vehicular ad hoc network (VANET), which is identified as a specific application of Internet of Things (IoT), has become a promising understructure to enhance traffic safety and convenience.As an important element of the intelligent transportation system (ITS), VANET is typically composed of numerous on-board units (OBU) equipped on vehicles and road-side units (RSUs) serve as infrastructure [1].Different from traditional networking, vehicular ad hoc network emphasizes heavily on adaptive computation as well as communication of end-users and edge devices, which is characterised as localized data storage, dense geographical distribution, boundary service providing, and compound data aggregation or analysis.A wide range of applications can be supported taking advantage of such fundamental installation; for example, when driving on the road, one can fall back on the VANET to locate services (shops, gas stations, etc.) on his route, or even be notified of any forecasted traffic condition along her itinerary.Though it is envisioned that the future transportation would be "information-driven" and "wirelessly enabled," the problems of confidential and privacy-preserving communication remain insufficiently solved due to the broadcasting nature of VANET [2].Moreover, since one of the most attractive applications of VANET is location-based querying, it is always self-extended to traditional networks such as Internet.As illustrated in Figure 1, any authorized on-board unit may access the querying service providers (QSPs) in backbone or local RSUs to inquire about interested information via various communication channels, which makes the security issue more complicated in such foggy environment.
As for privacy, the user may not want anybody, including the infrastructure units or service providers, to be aware of any information about her query.That means it should either be impossible to link up a query with the real identity of the user or make the query itself indistinct to some extent.In order to accomplish privacy requirement, two research lines are followed in literatures.1.1.Correlation Concealment.Due to the interactive nature of location-based querying, one can easily associate the identity of a user with a specific location which may severely violate the privacy of personal health condition, social relationships, habits, and so on.Accordingly, once the connectivity of inquired location and user ID are obscured, the sensitive information may be preserved to some extent.This kind of privacy-protection method includes the following.
1.1.1.Anonymity and Pseudonym.The goal of cryptonym methods is to prevent an adversary from reidentifying the data source by exploiting any exposed information.It generally relies on the fact that most location-based services are not strictly dependent on the knowledge of user's identity.Thereby, the most challenging issues turn into pseudonymous authentication, integrity, and nonrepudiation.Specifically, a large number of certificates are usually preloaded for each vehicle, which will be abandoned after usage in a short period of time.Coupled with reputation mechanisms, those certificates can thus be used to appraise credibility of anonymous sources or to fulfil the backtracking purpose [3].Nevertheless, anonymity and pseudonym schemes are only robust to semihonest secure model, because malicious vehicles may not discard or update their certificates as required by the protocols [4].[5], where the pseudonym should be exchange amongst all users within a same zone.The time interval when a vehicle passes through a mix zone is called the silent period, which means it must dumb its position so as to break off the connection between its identities at the entry and exit points.Palanisamy and Liu [6] investigated various context information in traffic environment that may reveal detailed trajectories such as geometrical or temporal constraints and devised the MobiMix approach directing against such privacy infringement.It is worth mentioning that the idea of -anonymity presented by Gruteser and Grunwald [7] is always served as a combination of anonymity (pseudonym) and mix zone implementation.For example, Caballero-Gil et al. [8] exploited the spatial and temporal cloaking to calculate the -anonymity set, which makes a vehicle indistinguishable from other  − 1 counterparts.To avoid active corruption, if a number of complaints are received pertinent to a malicious node, a track algorithm can also be carried out to prevent further detriment.Aiming at Sybil attack, Feng et al. [9] bounded -anonymity and reputation schemes together, which can effectively suppress the spread of false messages when updating the anonymity.

Mix Zones. The technique of mix zones is originally introduced by Beresford and Stajano
1.2.Query Fuzzification.The service of location-based querying can be deemed as a process of information retrieval, which means only the users care about the correctness or precision of the research outcomes.Therefore, lots of approaches are presented taking the advantage of information asymmetry between users and the server, including the following.

Position Dummies.
It is aiming to deceive the QSP by confounding the user's true position together with multiple false locations [10][11][12][13].Nevertheless, since the traffic networks are always scattered but structured, it is difficult to create dummies indistinguishable from the true position.In order to generate plausible dummies, Shankar et al. [14] proposed the SybilQuery approach, which obfuscates the real position with dummies chosen from a historical traffic database.

Obfuscation.
The idea behind position obfuscation is to intentionally reduce the precision of inquiry messages.Typically, the protocol proposed by Ardagna et al. [15] used a circular area to substitute the exact position of a user.Though the obfuscation area can be allodially determined by the querier, the trade-off between privacy and precision is of great significance.Thus, accordingly, Reynold et al. [16] introduced a model for probabilistic range queries depending on the overlapping size of the query area and the obfuscation shapes.Another way to obfuscate the user's position is the coordinate transformation, where some geometric mappings are carried out on a series of users' coordinates before sending to the server.However, in order to ensure the functionality of the QSP, it is impossible to find an all-sided protection scheme purely based on coordinate transformation because the service provider has to be able to determine the relative position of objects and areas to each other [17].In addition, to preserve the trajectory of user, a great deal of spatiotemporal location obfuscation schemes are also proposed, which also took the temporal information associated with positions into account [18][19][20][21][22][23][24][25].[27] and further improved their protocol by optimizing the placement of shares in terms of servers' trustworthiness [28].Though position sharing schemes can also be implemented on account of obfuscation or coordinate transformation [29], cryptography-based fashions are preferable due security consideration [30].
1.2.4.Cryptographic Approaches.Due to the capacities such as confidentiality, integrity, and authenticity, cryptographic primitives are taken as desirable building blocks to realize position privacy.For the sake of concealing the real identity of a user, ring or group signature are generally used to confound the querier as a member of a vehicular set [31,32].By using private information retrieval (PIR) technique, a QSP can answer queries without learning or revealing any information of the query [33,34].Meanwhile, since the computational result of ciphertext matches that of the plaintext, homomorphic cryptosystems are also valued as promising tools for location privacy application [35,36].Nevertheless, the aforementioned approaches took only the querier's position information as a target for protection and simply lost the sight of QSP's data ownership.Practically, the charging models in nowadays always lie on a per-query basis which enable drivers to use the service in ad hoc manner and pay for their queries according to the quantity.With regard to the proprietorship of QSP's records, Paulet et al. [37] proposed a location-based querying approach in the light of 1-out- oblivious transfer (OT 1  ).Their scheme made use of an ElGamal cryptosystem which imposed an additional privacy property for the sender such that the receiver could learn at most one of the retrieved items.However, Jannati and Bahrak [38] caught the sight of its security defect arguing that the receiver is able to decrypt all ciphered records; thus the QSP's data ownership cannot be preserved.In order to rectify the vulnerability of Paulet's scheme, they also reconstructed the oblivious transfer part of it at the cost of higher computational overhead.It is well known that ElGamal encryption is defined over a cyclic group , whose security depends on the difficulty of computing discrete logarithms.Therefore, a large security parameter must be considered in order to make sure that it is unbreakable.Though other traditional public key cryptosystems may also be exploited as basic primitives to realize oblivious transfer, they are deficient in efficiency due to computational hardness assumptions depending on large parameters.For the same reason, these cryptosystems tend to be vulnerable with the advent of quantum machine era.The comparison of security parameters amongst diffident cryptosystems is given in Table 1.
During encryption phase, ElGamal requires two exponentiation operations, while one exponentiation should be correspondingly carried out for decryption.Since exponentiation on large numbers is always time-consuming and occupies a lot of memory, we argue that Jannati's scheme is not efficient enough, especially under embedded environments.Moreover, though their scheme is proved to be secure under game-based verification, active and adaptive corruptions are simply ignored because CCA (chosen ciphertext attack) security is unachievable by ElGamal cryptosystem itself [39].
In order to eliminate the defects of Jannati's protocol, we take the advantage of NTRUEncrypt to implement privacypreserving location-based querying.As a relatively new public key cryptosystem developed in 1996, the number theory research unit encryption (NTRU) [40] runs faster compared to other asymmetric encryption schemes and is more competitive to be realized in resource-constraint environments such as mobile devices or smart cards.Up till 2017, literatures can be found that introduce new parameters to resist currently known attacks and increase its computation power [41,42].According to the latest research [43], the parameters in Table 2 are considered secure.
As for Table 2, the parameters, where  defines a truncated polynomial ring  = []/(  − 1) used in NTRUEncrypt and ,  are two moduli, are relatively smaller than that of traditional public key cryptosystems.Moreover, it uses only simple polynomial multiplications; the time of performing an NTRU operation increases only quadratically.Taking moderate security for example, if both exponentiation and polynomial multiplication are composed of log 2 -bits modular multiplications, the former must invoke the basis  2 /log 2  times compared to  log 2  of the latter.It is reported that, using a modern GTX280 GPU, a throughput of up to 200,000 encryptions per second can be reached at a security level of 256 bits [44], which is only approximately 20 times slower than a recent AES implementation [45].Accordingly, we resort to the characteristics of high efficiency as well as postquantum security and employ NTRUEncrypt as a building block to realize oblivious transfer.Then, based on the novel OT 1   protocol, an adaptive secure location-based querying scheme can thus be achieved.
The rest of this paper is organized as follows.We first give some preliminaries about oblivious transfer and NTRU-Encrypt in Section 2. In Section 3, a NTRU-based 1-out- oblivious protocol will be devised in advance which is then used to structure the secure location-based querying scheme after describing the system model.Security analyses and performance evaluations are given in Sections 4 and 5.The paper is finally concluded in Section 6.

Preliminaries on 1-Out-n Oblivious Transfer and NTRUEncrypt
Oblivious transfer, originally introduced as conjugate coding, owns its name to Rabin [46].Amongst different flavors of OT, 1-out- oblivious transfer has been extensively studied in the literature since any cryptographic task can be achieved by this extremely basic primitive [47].In cryptography, a 1-out- oblivious transfer is a type of protocol in which a receiver  is entitled to obtain 1 out of  messages held by a sender  without learning any other messages, while the sender do not know which massage has been chosen.The protocol is formally described as in Table 3.
In order to optimize the performance of oblivious transfer protocol, several tricks can be imposed on it.For example, [48] enables the computation of many OTs with a small elementary cost from  OT at a normal cost and also enables to reduce oblivious transfers of long strings to oblivious transfers of short strings using a pseudorandom generator.
In this paper, an efficient and secure OT 1  protocol will be constructed based on NTRUEncrypt in the light of its linearity and resistance to quantum machines.The NTRU encryption algorithm works on a truncated polynomial ring  = []/(  − 1) with convolution multiplication and all polynomials in the ring have integer coefficients and degree at most  − 1: Similar to the prime decomposition problem exploited by RSA, the security of NTRUEncrypt relies on hardness of factoring a reducible polynomial, which is equivalent to the shortest vector problem.Thus, it is infeasible to usurp the secret key if the parameters are chosen secure enough.
For each system, three integer parameters (, , ) are specified, where  and  are two moduli who truncate the ring  as   = (/)[]/(  − 1) and   = (/)[]/(  − 1).It is always assumed that ,  are prime while  is coprime to both  and .To generate a key pair, two key polynomials  and  whose coefficients lie within {−1, 0, 1} must be generated in advance.An additional requirement that there exist two inverses   ,   , where  ⋅   = 1mod  and  ⋅   = 1mod , must also be satisfied.Then,  together with   can be preserved as the secret key, while ℎ =  ⋅   ⋅  will be published to be the public key.
During encrypting phase, a message  should be represented as a binary or ternary string and transformed into a truncated polynomial within the ring .Then a binding polynomial  with small coefficients should be randomly chosen to calculate the ciphertext as In order to decrypt the cryptograph c, the receiver first computes and then lifts its coefficients to interval [−/2, /2] and achieves the plaintext as In order to prove the correctness of our protocols, a polynomial set T( 1 ,  2 ) specified by two parameters is defined in advance.Definition 1.For any positive integers  1 and  2 , other cofficients of a () are 0. ( According to Definition 1, the correctness of NTRU decryption can be guaranteed in terms of the condition described as below.

Lemma 2. If the polynomials of NTRU cryptosystem are chosen from
whose coefficients satisfy  >  (6 + 1) , (7) then a legal receiver can accurately recover ciphertext  with her private key.
Proof.Since all polynomials of are provided with coefficients designated by formula (6) the message can accurately be recovered.

Location Privacy-Preserving Querying Based on NTRU
In this paper, a novel location-based querying scheme is proposed aiming at not only protecting the position privacy of drivers but also preserving the data proprietary of QSP.Specifically, three goals must be achieved in terms of security and feasibility.(a) Within authenticated but not confidential communication environments, any malicious third party is incapable of gaining or efficaciously modifying any information of the conversation.
(b) Even if active and adaptive corrupted participant exists, the driver must be insensible of any data hold by QSP except the one she requested while keeping her querying information concealed.
(c) The protocol should be feasible on both vehiclemounted devices as well as location-based servers, which means that low computation and communication burden must be fulfilled.
For clarity, a novel 1-out- oblivious transfer protocol will be presented in the first place.Then we will employ it as the building block to complete our entire scheme.

NTRU Implementation of 1-Out-𝑛 Oblivious Transfer.
Different from traditional public key cryptosystems, NTRU is structured on a truncated polynomial ring which is provided with both addition and multiplication.Since the time of performing convolution multiplication is much faster than that of modular exponentiation on large numbers, the preferable efficiency and security property of NTRU are more appropriate to construct the basic oblivious transfer protocol.
In order to realize the NTRU-based 1-out- oblivious transfer, the messages held by the sender are presented as  0 ,  1 , . . .,  −1 , which must be kept unacquainted from the receiver except for   .Accordingly, we describe the primitive 1-out- oblivious transfer protocol as below.
During key generation phase, the sender constructs a key pair as in Section 2, she releases her public key  = ℎ to all potential receivers or stores it in a communal database, while keeping the secret key  = (,   ) private.
In oblivious transfer phase, the sender is supposed to choose  random polynomials  0 ,  1 , . . .,  −1 from T(, ), where   ⋅ ℎ can be represented as  ⋅   ⋅   , and encrypt all plaintexts to be   =   ⋅ ℎ +   (mod ) , ( = {0, 1, . . .,  − 1}) , (10) which is then sent to the receiver.When all ciphertexts are received, the receiver first generates a random polynomial  belonging to T(, ) and figures out its inverse  −1 (mod ).If the inverse of polynomial  does not exist, she can simply resample another one and repeat the inversion process.
After that, the receiver must single out the th ciphertext and compute it as utilizing another random polynomial   chosen from T(, ).The result will be sent back to the sender.Depending on the altered ciphertext    , the sender can calculate and then to be her response for the driver.Since the driver is aware of polynomial , she can achieve the expected messages   by multiply    with  −1 modulo .The above process is also characterized in Table 4. Correctness of the 1-out- oblivious transfer protocol relies on the computation of polynomials in truncated polynomial ring, as follows.

Efficient and Secure
Location-Based Querying.The system is modelled as a QSP and a series of vehicles.More specifically, the QSP can be considered working in a distributed manner, which is composed of a centralized authentication server together with numerous delivery RSUs.The reason behind such configuration is to separate data retrieval from transaction process, which not only preserves the driver's position privacy but also abates the operating load of service centre.Resorting to the OBUs equipped on vehicles, drivers are able to determine their current position via localization devices such as GPS or WiFi.
In initialization phase, the QSP first generates its key pair and divides the geography to be a public grid  composed of  rows and  columns.For each cell V ×  of the grid, she assembles all related data as a message   , where  = +V ⋅ , 0 ≤ V ≤  − 1, and 0 ≤  ≤  − 1, and encrypts it as    =    = V ⊕  (  ) by symmetric cryptosystem  according to the keys  V ,   designated to each row and column.Then, the QSP stores its key pair together with all  V ,   as well as    in distributed RSUs.
In retrieving phase, the driver should complete both the payment and oblivious transfer process as follows.
In order to actualize the requirement of pay-per-retrieval for location-based service, the driver should ask for a random number  from its adjacent RSU and sign it using her private key corresponding to the valid digital certificate.After verifying the digital signature sent by the driver, the authentication server should launch a preconcerted -commerce protocol to accomplish the transaction, resign the random number  in terms of her own private key, and then send it back to the driver.Availing herself of the signed random number, the driver can thus prove to the RSU that she has paid for the service.
After that, the driver is in a position to interact with the adjacent RSU and acquire  V  as well as    corresponding to her interested coordinates in the light of the aforementioned 1-out- oblivious transfer protocol.Then she retrieves all encrypted messages and decrypts   =    = V  ⊕   (   ) to recover the data she expected.
It is worth noting that the driver may retrieve all encrypted messages only once and store some of them for further queries.In addition, even if the driver's identity is exposed during the authenticating process, it will not jeopardize the confidentiality of her queried position due to the intrinsic nature of oblivious transfer.
The process is illustrated in Table 5.
In fact, the aforementioned protocol can be regarded as being based on 2-out- oblivious transfer since two symmetric keys  V  ,    should be retrieved.However, all encrypted data need only to be transmitted once during retrieval phase, which means the extra computation and communication overheads are trivial.Moreover, the public key pair of driver is only used for authentication and payment but not necessarily for oblivious transfer.

Security Analysis
We investigate the server's data proprietorship and the driver's position privacy in oblivious transfer at first.It should be noted that the messages obliviously transferred are symmetric keys  V  ,    instead of   actually; however, we will alternatively apply these notations for smooth representation.As for the driver's position privacy, we claim the following.

Lemma 4.
The QSP gains no information on the driver's choice  in the proposed OT protocol.
Proof.Using the private key , the QSP can compute    =  ⋅   (mod ).However, she is ignorant of the driver's secret polynomial  and thereby cannot differentiate the choice  from any other by comparing it with possessed messages, though the QSP may fortunately figure out   +   ⋅ (mod ) if  is reversible, which means she can further achieve (  +  ⋅ )⋅(⋅  ) −1 =   ⋅ −1 ⋅ −1  +  ⋅ −1  .Nevertheless, since   and  are uniformly distributed,   is totally indistinguishable.The server's data proprietorship can be found as follows.

Lemma 5. The driver gains no information on 𝑚
Proof.The driver is aware of   =   ⋅ ℎ  +   (mod ) for all messages.Since she does not possess the server's private key, the mistiness of   from   is straight-forward.With regard to the processes of authentication and transaction, the driver would interact with a central server directly to achieve a voucher signed by the QSP's private key.That means the RSU is incapable of linking the driver's current position up to her identity.Moreover, since the voucher is generated according to a provisional random number chosen by the RSU, the chance that a driver replay her voucher to cheat the QSP out of her service is negligible.Thanks to the intrinsic characteristic of OT, even if the identity of the driver is exposed in case that the RSU colludes with the central server, the confidentially of required coordinate would never be compromised.Supposing that the driver's identity privacy is obligatory in certain circumstances, anonymous authentication schemes such as that of [49] are further suggested.Now, we argue UC security of the complete scheme.In order to testify that a real-world implementation of our scheme is indistinguishable from its simulation, the ideal functionality is firstly defined as follows.Definition 6.The ideal functionality F − OT receives a coordinate (V  ,   ) ∈ {0, 1, . . ., −1}×{0, 1, . . ., −1} together with an identity from the driver and a vector of -bits messages, that is, ( 0 ,  1 , . . .,  ×−1 ), from the server , but only outputs a -bits string   to the driver .In line with Definition 6, two simulators S 1 , S 2 can be established to emulate the corrupted QSP and driver, respectively.Since it is obvious that according to Lemma 4. So the indistinguishability S 1 (, ID driver , ( 0 ,  1 , . . .,  ×−1 ) ) ≅ VIEW QSP (ID driver , ( 0 ,  1 , . . .,  ×−1 ) , where || stands for the size of plaintext space, and due to the ignorance of  V  ̸ = and    ̸ = on driver's side in terms of Lemma 5.
Thus we claim the folowing.
Theorem 7. Our protocol securely implements the functionality F −  if the symmetric encryption scheme (, ) is noncommitting.

Performance Evaluation
Since only simple polynomial multiplications are needed for NTRU cryptosystem, it features high speed, low memory requirements, and reasonably short and easily created keys.
The moduli used in NTRUEncrypt specially are logarithmically smaller than that of traditional asymmetric cryptosystems based on integer factorization or discrete logarithm, which implies preferable efficiency and practicability.According to the report from [50], the speed of NTRU is up to 1300 times faster than 2048-bit RSA and 117 times faster than ECC NIST-224 when comparing the number of encryptions per second.Our experimental results also signified that the ratio of encryption times between 2048-bit ElGamal and NTRU in moderate security is 355 : 1.
In order to impartially compare with Jannati's protocol, only retrieval process will be considered in the following performance analysis.Though authentication and transaction are introduced in our scheme for pay-per-service purpose, the extra overheads are ineluctable but negligible compared to that of oblivious transfer.Table 6 illustrates the comparison of computation as well as communication overheads between our and Jannati's scheme.However, since the basic operations used in NTRU are absolutely different from that of ElGamal, it should be noted that modular multiplications and modular polynomial multiplications are correspondingly applied to one of them.
Compared to Jannati's protocol in Table 6, it is obvious that no exponentiations would be necessary in our scheme and the overhead of modular multiplication is also halved even without regard for the scale of moduli.It is worth mentioning that, though the number of transmitted messages are almost the same between Jannati's scheme and ours, we have evidently depressed the communication burden because a ElGamal encryption works on a large cyclic group and produces a double expansion in size from plaintext to ciphertext.Meanwhile, our scheme is more applicable since the receiver is free of generating or distributing any public key during oblivious transfer process.
We also simulated our and Jannati's protocol by C program.The experiment is carried out on an Intel Core i3-2330M processor (Sandy Bridge) where each party runs on one core.The computation burden and communication overhead for each retrieval are averaged by 500 tests.
According to Table 7, it is obvious that our scheme dramatically outperforms Jannati's protocol with respect to both computation and communication overheads.Specifically, taking the resource limits of OBU into account, the operational efficiency is 479 times that of Jannati's protocol, which means our scheme is more applicative in embedded and real-time environments.We simply neglected the delivery load of queried data in our experiment; however, retrieving all    indistinguishably from the server is inevitable due to the query privacy for any oblivious transfer.Fortunately, the driver can only retrieve the ciphered messages ones and keep all expected portions in the local storage, or she may ignore any other messages except for    when receiving the QSP's broadcast.

Conclusion
This paper proposed a privacy-preserving location-based querying scheme in virtue of NTRUEncrypt.Thanks to the intrinsic nature of NTRU cryptosystem such as postquantum security, high speed, low storage requirements, and short keys, our scheme is resistant to active adaptive corruptions and more practicable within vehicular ad hoc network.Specifically, the computational overheads are only 0.33 and 0.21 percent while the communication burdens are 24 and 21 percent compared to those of a recent scheme presented by Jannati and Bahrak Besides the theoretical and experimental performance analyses, we also depicted the detailed process of authentication and transaction for pay-per-service purpose.In the light of universal composability frame, it is believable that our scheme is secure with the functionality of oblivious transfer realized.For further work, we expect to reduce the interactive round of retrieving phase from 3 to 2 and decrease the RSU's overheads to a higher degree.
is straight-forward.Similarly, once the symmetric cryptosystem (, ) is noncommitting, the distributions of    ̸ = in F OT and F − OT are both uniform and indiscernible, which means Pr

Table 1 :
Security parameters for diffident public key cryptosystems.

Table 3 :
Oblivious transfer paradigm F OT .
, the parameters of  ⋅  after convolution polynomial multiplication will never overrange [−2, 2].Similarly, the parameters of  as well as  are located within [−/2, /2] which means that the maximal parameter of  ⋅  is ( + 1/2) to its very extent.As a result, once the condition of  > (6 + 1) is met, all parameters of (8) can be lifted to [−/2, /2] without losing any information.Then by computing

Table 5 :
The proposed privacy-preserving location-based querying scheme.

Table 6 :
Comparison of computation and communication overheads.

Table 7 :
Timings in milliseconds and delivery loads in kilobytes for per retrieval (moderate security).