LIP-PA : A Logistics Information Privacy Protection Scheme with Position and Attribute-Based Access Control on Mobile Devices

With the fast development of Logistics Internet of Things and smart devices, the security of express information processed by mobile devices in Logistics Internet of Things has attracted much attention. However, the existing secure express schemes only focus on privacy protection of personal information but do not consider the security of the logistics information against couriers with malicious mobile devices. For example, a privacy-preserving delivery path should be required in order to prevent the privacy leakage in the express delivery procedure.Therefore, besides the security of personal information, the privacy protection of logistics information and authentication of mobile devices used in express company are important to security in Logistics Internet of Things. In this paper, we propose a secure logistics information scheme LIP-PA to provide privacy protection of both personal information and logistics information. First, we define the basic requirements of Logistics Internet ofThings.Then, using attributebased encryption and position-based key exchange, we propose a logistics information privacy protection scheme with position and attribute-based access control for mobile devices.The analysis results show that our scheme satisfies the defined requirements. Finally, the performance of our scheme is evaluated and the experiment results show that our scheme is efficient and feasible for mobile devices in real parcel delivery scenario.


Introduction
With the rapid development of Internet of Things technology [1] and continuous optimization of the logistics operation process, the Logistics Internet of Things (LIoT) has become an indispensable pattern for modern logistics industry.Based on many network communication technologies, such as RFID [2], QR code [3], NFC [4], and D2D [5] technology, LIoT has adopted lots of mobile devices to deal with the express business.
At the same time, the fast development of modern logistics industry has also brought a lot of security issues, especially the security of mobile devices in LIoT [6].Without security protection, the customer's private information is expressly visible on mobile devices, so that any adversary can see the private information.Besides, the adversary can easily track the parcel according to the logistics information in mobile devices and even analyze the customer's information such as personal hobbies, family members, and economic conditions [7,8].In addition, express delivery between different express stations can lead to data leakage and the malicious courier can analyze the flow of express station [9].The privacy protection of express information has attracted widespread attention.
However, traditional privacy protection schemes of express information all focus on customer's personal information [10,11], and they are unable to achieve a secure management of internal logistics staff.It is obvious that the couriers, who actually move parcels between sender and receiver, can obtain lots of express information including personal information and logistics information.Therefore, how to guarantee the express information privacy and securely manage the large-scale couriers based on mobile devices in LIoT is a focus.
As far as we know, the most popular authentication methods for couriers on mobile devices can be classified as public key authentication [12][13][14], password authentication [15,16], and multifactors authentication [17][18][19].However, these methods are not suitable for management of large-scale couriers on mobile devices.Group-based key exchange can 2 Wireless Communications and Mobile Computing realize efficient group-based management [20,21], but groupbased methods could not provide fine-grained access control on large-scale mobile devices.As a result, attribute-based encryption with fine-grained access control can be applied to the security solutions in LIoT.
Related Work.For privacy protection in LIoT, Wei et al. [22] proposed a -anonymous model to take the anonymous process of logistics information.This method randomly breaks the relationship between attribute values in the record to anonymous data.However, the order still retains the receiver's name and phone number, and -anonymity will cause some loss of information.Zhang et al. [23] proposed a logistics information system privacy protection system, which can solve the contradiction between privacy protection and logistics business process by the segment encryption design.However, the disadvantage of this solution is that the two-dimensional code needs to be constantly updated at each logistics station; also the processes of encryption and decryption are repeated.Qi et al. [24] proposed a new express management system based on encrypted QR code.The realtime logistics information of goods is automatically updated through GPRS or Wi-Fi.The APP provides an optimal delivery route for couriers by employing the improved genetic algorithm.Obviously, the above works lack access control and authentication for internal logistics staff.They cannot ensure the privacy protection of logistics information.
Li et al. [25] designed a privacy-preserving express delivery system, i.e., PriExpress.This system introduces the ciphertext-policy attribute-based encryption (CP-ABE) method into the privacy protection in logistics information system (LIS).With CP-ABE [26], the parcel sender specifies an attribute-based access policy for enforcing fine-grained access control to his delivery order which contains sensitive personal information.However, the PriExpress does not separate personal information from logistics information.Customers in this scheme need abundant computation capability and remain online when they deal with the express delivery procedure.
In summary, all above schemes lack a position and attribute-based access control for both logistics information and personal information.
Privacy Protection in LIoT.Different from IoT, the security requirements of LIoT have the following characteristics.
First, privacy-preserving of logistics information should be guaranteed in LIoT.For complete logistics information, it is necessary to keep confidentiality for untrusted express staff.In traditional privacy protection schemes, logistics information is not separated from personal information.Some malicious couriers may sell the logistics information to criminals who can analyze the flow of express station according to the delivery path.Thus, privacy-preserving of logistics information is one of the required properties in LIoT.
Second, couriers who actually deliver parcels are very important to the guarantee of the security of express delivery process.But there are so large-scale couriers that it is difficult to manage them.On one hand, for some malicious couriers, they may sell privacy information to criminals.On the other hand, once the hackers get the courier's master secret, they can impersonate a valid courier to obtain the express information illegally.Therefore, it is necessary to guarantee the attribute-based access control for privacy information and ensure that the courier with specific attributes can obtain privacy information.
Due to the high turnover of couriers, it is significant to make sure that only the couriers that work online at delivery station can obtain the order information.So position-based access control is also one of the required properties of LIoT.Besides, there may be some couriers that are curious about the information which they cannot possess, so they maybe collude together and share their own attributes to obtain much more information.Therefore, it is necessary to implement the authentication of couriers.Specifically, the security requirements on couriers should guarantee anticollusion attack to attribute-based access control and anticollusion attack to position-based access control.
Third, customers always are remote and offline.Therefore, it is hard to achieve authentication of customers online [27].A dishonest sender may deny that he (or she) has sent some harmful parcel to someone.Besides, a dishonest receiver may personate a legal receiver to take away the parcel which does not belong to himself (or herself).Therefore, it is necessary to achieve the verifiability of receiver and verifiability of parcel [28].Last but not least, it is necessary to keep customer's unlinkability for administrator and others.
Fourth, in the real delivery scene, customers always have irregular operations such as leaving wrong addresses and phone numbers, which leads to the fact that it is difficult to manage or recover parcel.Therefore, the security requirements of LIoT should guarantee the undeniability of sender and receiver.Specifically, a sender cannot deny a parcel sent by himself (or herself), while a receiver cannot deny a parcel received by himself (or herself).
Our Contributions.Although the most popular authentication methods on mobile devices are not suitable for management of large-scale couriers [29,30], attribute-based encryption can achieve fine-grained access control, so we need to use the ABE technology to realize position and attribute-based access control of couriers based on mobile devices in LIoT.However, this study is very challenging with the following reasons.First, it is hard to realize both attributebased encryption and location-based access control.Second, how to securely verify the validity of a courier's claimed position is also a problem [31].
This paper proposes a logistics information privacy protection scheme with position and attribute-based access control on mobile devices.First, in order to realize fine-grained access control of encrypted logistics information, we adopt ciphertext-policy attribute-based encryption (CP-ABE) [26], which encrypts segmented logistics information in different access policies.Different couriers can only decrypt different segments of the express order in accordance with their respective attributes.Second, we apply position-based key exchange [32], which uses the courier's physical position information as credential, to realize position-based access control on couriers.Third, we utilize public key encryption to achieve the confidentiality of personal information.At the same time, we use digital signature to ensure the verifiability of parcel and the undeniability of customers [33].
Our contributions in this paper are fourfold.
(1) We classify the required properties of our scheme including attribute-based access control, position-based access control, privacy-preserving of logistics information, confidentiality of personal information, verifiability of receiver, verifiability of parcel, anticollusion attack to attribute-based access control, anticollusion attack to position-based access control, undeniability, and unlinkability.
(2) We propose a logistics information privacy protection scheme LIP-PA.In the scheme, logistics information is divided into segments and, respectively, encrypted; administrator can prebuild access tree which contains the position attribute.
(3) We theoretically analyze the security of LIP-PA.We show that LIP-PA satisfies the above required properties.
(4) We report experimental evaluations of our scheme.Our results show that LIP-PA is efficient and feasible for mobile devices in real parcel delivery scenario.

Preliminaries
In this paper, some basic cryptographic algorithms are necessary.First, we will use public key encryption to protect the personal information [34] in our scheme.Second, we also need digital signature [35,36] to realize the undeniability of customers.Third, hash functions [37] are used in generation of order information.Besides the above algorithms, ciphertext-policy attribute-based encryption and positionbased key exchange are core algorithms in our scheme.

Ciphertext-Policy Attribute-Based Encryption.
A ciphertext-policy attribute-based encryption scheme [26] consists of four fundamental algorithms: Setup, Encrypt, KeyGen, and Decrypt.
Setup: The setup algorithm takes no input other than the implicit security parameter.It outputs the public parameters  and a master key .
Encrypt(, , ): The encryption algorithm takes as input the public parameters , a message , and an access tree .The algorithm will encrypt  and produce a ciphertext  such that only a user with a set of attributes that satisfies the access tree  will be able to decrypt .
Key Generation(, ): The key generation algorithm takes as input the master key  and a set of attributes .It outputs the private key , which is used by users to decrypt ciphertext.
Decrypt(, , ): The decryption algorithm takes as input the public parameters , a ciphertext , and a private key .If the set  satisfies the access tree  then the algorithm will return a message .

Position-Based Key Exchange.
Based on the bounded storage model (BSM) and BSM pseudorandom generators (PRG), Chandran et al. construct the provable secure position-based key exchange (PBKE) protocol against colluding adversaries [32].BSM assumes that any party including adversary can only store a part of information with high min-entropy.BSM PRG: {0, 1}  × {0, 1}  → {0, 1}  is an -secure BSM PRG for storage rate  and min-entropy rate  if and only if, for every -source  on {0, 1}  and for every function : {0, 1}  → {0, 1}  , the random variable ((, ), (), ) is -close to (  , (), ), where   ←  {0, 1}  .Different from traditional key exchange, PBKE applies the user's physical position as the unique credential to negotiate a shared key  between verifiers and a prover at a legal position .At the end of PBKE, the shared key  and a random number are indistinguishable from the view of the colluding adversaries.
However, the previous position-based key exchange protocol is not suitable for realizing the position-based access control in ABE.Thus, an improved position-based key exchange protocol is proposed as shown in Algorithm 4.

Problem Formulations
3.1.System Model.As shown in Figure 1, the system model consists of following entities: customers including a sender and a receiver, couriers, and administrator with attribute authority and landmarks.
When a logistic transit process begins, as shown in Figure 1, a sender first generates an order and submits the order information to administrator.The order information consists of address information, i.e., customers' address information, and customers' personal information including the names and telephone numbers.If the administrator accepts this order, the administrator will generate a logistics information which is a delivery plan including some independent delivery steps for couriers.During the parcel delivery, every courier in one delivery step only distributes the express from one station to another station.The parcel finally arrives at the last delivery station and the receiver takes away the parcel after authenticated.More specifically, we have the following.
Customers.Customers can be divided into a sender and a receiver of parcel.They aim to absolutely protect personal information against administrator and couriers and obtain a privacy-preserving protection service for logistics information from administrator; i.e., any courier managed by administrator can only know a part of logistics information but not all the logistics information.
Administrator.Administrator, as a general management institution of logistics company, provides trusted express service for customers and completes the privacy protection of logistics information against couriers.Specifically, the administrator first employs an attribute authority (AA) to realize attribute-based management for couriers.Then, the administrator configures all the access trees for all couriers involved by the target order according to the delivery plan and encrypts the segmented logistics information with different attribute policies.If a courier delivers a parcel in some one delivery step, the courier can only decrypt the required information segment (i.e., the next station information of the current delivery step).At the same time, the administrator employs some landmarks to verify the location of the courier in order to guarantee that the courier from a legal station in a valid time slot can get the required information segment to perform the delivery task.
Couriers.Couriers are employed by express company.They are the entities that actually deliver parcels between a sender and a receiver.A courier is only responsible for delivering the parcels from one station to another station in a delivery step.The courier just needs to obtain the required information segment (e.g., the next station) with position and attributebased access control.In this way, a parcel delivery process consists of multiple delivery steps performed by multiple couriers.

Threat Model
Administrator.Administrator, as a manager of an express company, is honest but curious.On one hand, the administrator is responsible for privacy protection on customers' address information and logistics information against couriers.For such a service, the administrator is in charge of securely encrypting the logistics information and building suitable access policy to couriers.AA and landmarks are employed by administrator to guarantee position and attribute-based access control.On the other hand, in order to obtain more potential benefits, the administrator is also very interested in customers' personal information, such as name and telephone number.
Customers.A customer of the parcel (i.e., sender or receiver) may have the following dishonest behaviors.First, a dishonest sender may deny that he (or she) has sent some harmful parcels to someone.Second, a dishonest receiver may personate a legal receiver to take away the parcel which does not belong to himself (or herself).
Couriers.Couriers, as the entities that actually deliver parcels, are very important for the guarantee of the security of the express delivery process.However, in order to obtain illegal individual benefit, some couriers may have four dishonest behaviors: First, couriers are curious about the customers' address and personal information; they may sell them to obtain economic benefit.Second, some colluding couriers may attempt to steal the logistics information even if they are not located at the valid delivery station at work time.Third, some couriers with different attributes may collude with others in order to decrypt the extra information which they could not know originally.Fourth, couriers may modify the order information in order to disturb the express delivery process, such as changing the valid receiver information into an illegal receiver.

Design Goals.
According to the requirements and the adversary model, the proposed scheme should satisfy the following properties: (1) Attribute-based access control (ABAC): Our scheme should achieve a fine-grained access control of encrypted logistics information based on the attributes of couriers.The required part of logistics information could only be decrypted by a valid courier whose attributes satisfy the access policy.Apart from this, there is no way to obtain the other parts of logistic information for valid couriers.
(2) Position-based access control (PBAC): Our scheme should ensure that a courier that is going to obtain the   required part of logistics information must be at a valid delivery station at the expected work time.
(3) Privacy-preserving of logistics information (PPLI): First and foremost, our scheme should guarantee confidentiality of logistics information.For logistics company, the whole delivery path should only be known by administrator, so a valid courier can only decrypt the partial logistics information which is necessary for the delivery process.The complete logistics information keeps privacy protection to all couriers.
(4) Confidentiality of personal information (CPI): Our scheme should ensure the confidentiality of personal information even to administrator.Customers' personal information contains sender's and receiver's names, phone numbers, etc.It is only visible among the sender and the receiver.
(5) Verifiability of receiver (VR): Our scheme should provide the verifiability of receiver.Only when the receiver of parcel is the expected one according to the order information, can receiver take away the parcel from the final courier.
(6) Verifiability of parcel (VP): A receiver in our scheme should ensure that the order information of the parcel is the correct and unforged during the express delivery process, and then he (or she) will receive this parcel.
(7) Anticollusion attack to attribute-based access control (ACA-A): Our scheme should ensure that the colluding couriers with different attributes cannot obtain the additional logistics information under the colluding attribute sets.
(8) Anticollusion attack to position-based access control (ACA-P).Our scheme should achieve that the colluding couriers that are not located at the valid station cannot obtain the logistics information according to the position-based access control policy.
(9) Undeniability (UD): A sender cannot deny a parcel sent by himself (or herself), while a receiver cannot deny a parcel received by himself (or herself).
(10) Unlinkability (UL): Although the same sender sends lots of parcels to a receiver, the administrator and others cannot distinguish whether the encrypted order information in the many delivery processes originates from the same sender.
From the Table 1, we can see that both LIPPS and NEMS cannot provide ABAC.It is obvious that all the related schemes including LIPPS, NEMS, and PriExpress cannot guarantee PBAC, VP, and UD.Meanwhile PriExpress cannot provide totally CPI.Our scheme can satisfy all the properties in Table 1.In the initialization phase, a sender will generate an encrypted order and launch an order request to administrator.The encrypted order information consists of customers' address information and personal information like names, telephone numbers, etc.

The Proposed Scheme
Upon receiving the order request from sender, the administrator constructs logistics information based on the planned delivery path in the encryption phase.Then, the administrator formulates the position and attribute-based access control and encrypts different segments of logistics information with different access control policies.
In the retrieval phase, a courier located at a valid station at work time can run a position-based key exchange protocol to obtain a secret key about position attribute.Based on the position-based key, the courier who satisfies the desired attribute policy can retrieve required logistics information in order to transmit the parcel from one station to next station.
When the parcel arrives at last station, the courier will transmit the parcel to target receiver in the reception phase.In this phase, the courier should verify the authenticity of receiver.The receiver would also verify the correctness of order information on parcel.If both authentication of receiver and validity of parcel are verified, the parcel will be delivered to receiver successfully.

Initialization.
We assume that sender, receiver, administrator, and courier must be registered and have a certified public/private key pair, respectively, before initialization.
In our scheme, order information can be divided into two types: logistics information and personal information.Logistics information including sender's address (  ) and receiver's address (  ) should be encrypted using public key of administrator to provide the property of secrecy against adversarial couriers.Personal information, such as sender's name (  ), receiver's name (  ), sender's phone number (ℎ  ), and receiver's phone number (ℎ  ), should be always secret during the express delivery process considering the confidentiality.Figure 3 illustrates the structure of encrypted order information sent from sender to administrator.Algorithm 1 shows the detailed generation process of order ciphertext, where () is the public key encryption algorithm,   means the user's private key, and   means the user's public key.
As we can see, the ciphertext mainly contains two sections:  1 ;  2 . 1 contains logistics information and  2 contains personal information.Note that, in line 2 of Algorithm 1, a random number   is unique identity of parcel.In addition, the sender generates a random number  in  2 .At the same time, the sender computes  = ℎ() in  1 .In line 5 of Algorithm 1, the sender's digital signature is added to  2 for the verifiability of parcel.Finally, Algorithm 1 outputs the ciphertext of order information, which will be submitted to administrator.

Encryption.
The encryption phase contains two steps which administrator needs to complete.First, the administrator runs the delivery path generation algorithm (i.e., Algorithm 2) and generates the logistics information according to sender's and receiver's addresses in ℎ  .Second, based on the delivery path, the administrator formulates the position and attribute policies ( 1 ,  2 , . . .,   ) and encrypts segments of logistics information using CP-ABE with related policies.Algorithm 3 shows the detailed encryption process of logistics information.
In line 1 of Algorithm 2, the administrator conducts (  , [ℎ  ]), where () is a public key decryption algorithm, and obtains   ,   ,   , , and ℎ  2 .Because address can be divided into three sections, street, city, and state, all address structures can be combined to form multiple tree structures.According to sender's and receiver's addresses, the administrator will generate an optimal path, as shown in Figure 4.
Obviously, the sender's address is different from receiver's address.In other words, the street  3 ̸ =  3 .There are three types of paths according to addresses of sender and receiver.The parcel will be distributed according to the optimal path.So the number of delivery stations can be divided into three types:

Wireless Communications and Mobile Computing
(1) When  2 =  2 , as shown in Figure 4(a), the optimal path is  3  2  3 , so there are three delivery stations on the optimal path.
It is worth noting that, in real parcel delivery scenario, the numbers of delivery stations may be changed, such as wrong delivery or route change.The alternative solutions are as follows.
When the administrator has encrypted multiple paths and made the ciphertext into a QR code, the courier can decrypt multiple optional station addresses.He (or she) needs to choose a suitable station according to actual situation.When the existing optional paths are all unavailable, the administrator will encrypt a new path and send the new ciphertext to courier.If the parcel is wrongly transmitted, the solution is different.For example, the original path is  3  2  3 , as shown in Figure 4(a); the real path becomes  3  2  3 .It means the courier at  2 transmits the parcel to the wrong station ; at the same time, the courier at  cannot decrypt the logistics information.So he (or she) will return the parcel to station  2 .The courier at  2 needs to tell the event to administrator.Then administrator will adjust the access policy of logistics information.
In lines 2-7 of Algorithm 3, the administrator predetermines the position attribute according to delivery stations on delivery path for couriers, where (S) means the attribute S's value.Our scheme guarantees that the courier needs to arrive at the correct delivery position, so that he (or she) can obtain a secret key about the policy of position-based access control.
In lines 8-11 of Algorithm 3, the administrator divides the path into segments according to delivery station nodes and obtains segments  1 ,  2 , . . .,   .In lines 12-15 of Algorithm 3, the administrator, respectively, encrypts the segments  1 ,  2 , . . .,   under CP-ABE.This method guarantees a fine-grained access control of encrypted logistics information.Besides, the position attribute S  is added to leaf nodes of access tree.So our scheme achieves a positionbased access control.
After completing Algorithm 3, the administrator makes the ciphertext  1 ,  2 , . . .,   combined with   .At the same time, he (or she) sends encrypted  and  to couriers using his (or her) public key.When the sender drops off the parcel at local delivery station to courier, the courier can inquire about the ciphertext according to   .Then he (or she) makes the ciphertext into a QR code, which will be pasted on the parcel.

Retrieval.
When the parcel arrives at the delivery station, the courier at this station scans QR code to get ciphertext   and decrypts logistics information   ; then he (or she) transmits the parcel to next station.
Before logistics information retrieval, the courier can decrypt and obtain  and  sent by administrator.In the retrieval phase, the courier who is located at a valid station at work time needs to run an improved positionbased key exchange protocol to obtain the secret key about policy of position-based access control.In Algorithm 4, the courier performs the improved position-based key exchange (I-PBKE) with landmarks to obtain S  , where (  ,   ) means the BSM PRG function.
In the previous position-based key exchange protocol (PBKE) [32], it assumes that landmarks must store {  } in order to compute the expected response from courier.However, this position-based key exchange protocol is not suitable for realizing the position-based access control with ABE in our scheme.There are two reasons.First,   is a long string which is drawn from the landmark's reverse block entropy source.Thus the landmark's storage capacity needs to be large enough.What is more, the landmark generates   randomly along with the protocol execution.It means the final exchange key  6 is determined by all landmarks after protocol execution, so that the administrator cannot prebuild access tree for couriers.
The improved position-based key exchange protocol is shown in Algorithm 4. The landmarks predetermine the keys  1 ,  2 ,  3 ,  4 ,  5 ,  6 that are to be used at every iteration of the application of the PRG.Now, the expected exchange key  6 is known before protocol execution to all landmarks.
Obviously, there are two advantages of the improved position-based key exchange (I-PBKE) compared with the previous PBKE [32]: (1) The expected exchange key  6 is known by all landmarks before protocol execution.In other words, the position attribute's value is already determined, so the administrator can prebuild the access tree  which contains the position Wireless Communications and Mobile Computing 9 attribute, instead of waiting for the courier's response when the parcel arrives at delivery station.
(2) The landmarks need not store long strings {  }.
In line 2 of Algorithm 5, the courier obtains the secret key  6 according to Algorithm 4 (I-PBKE); thus the courier possesses suitable attribute set S. Since the courier has got  and  sent by administrator and he (or she) satisfies the desired access tree , the courier can retrieve required logistics information   , as shown in lines 5-9 of Algorithm 5.After decrypting the logistics information   , the courier will transmit parcel to next station.Multiple couriers collaborate to complete the express delivery process.

Reception.
When the parcel arrives at last station, the final courier gets ciphertext   ; then he (or she) decrypts logistics information and transmits the parcel to target receiver.
Note that, in line 2 of Algorithm 6, the courier decrypts   according to Algorithm 5 (LIR).Specifically, the courier obtains the secret key about the position attribute, decrypts the ciphertext   , and gets ℎ  2 and .
When the receiver comes to pick up parcel, he (or she) should verify the correctness of order information on parcel and the courier should verify the authenticity of receiver.
After mutual verification between courier and receiver, the receiver will get the parcel from courier successfully.
The details of reception of parcel are illustrated in Algorithm 6.Firstly, the receiver can get (  , [ 2 ]) from courier and decrypt it using his (or her) private key.Then the receiver obtains the following information:   , ,   , and personal information:   ,   , ℎ  , and ℎ  .By verifying   , he (or she) can confirm the integrity of parcel information.In addition, the receiver can compute  1 = ℎ().By comparing the string  1 shown by receiver with the information  which courier possesses, the courier can verify the validity of receiver.Then the receiver conducts (  , [  || ])] and sends it to administrator.The administrator can compute  2 = ℎ() and check  2 = , in order to verify that the receiver has received the parcel.

Analysis of Scheme
In this section, we demonstrate that our scheme satisfies all the required properties.

Attribute-Based Access Control (ABAC).
In our scheme, the logistics information is encrypted under CP-ABE.With CP-ABE, the courier is specified with an attribute-based access policy for fine-grained access control of logistics address.
Specifically, the administrator selects attributes S and builds access tree  for couriers.The required logistics information   can only be decrypted by the valid courier whose attributes satisfy the access policy   .Different courier can only decrypt different segments of logistics information in accordance with their respective private keys, which correspond to different attributes sets {S  } satisfying the access policy.

Position-Based Access Control (PBAC).
Different from traditional cryptography, position-based cryptography uses the user's spatial position information as the only credential for user.In our scheme, the courier's position of valid delivery station at the expected work time is considered as one of the indispensable attributes.Specifically, the courier needs to obtain a secret key  6 about position attribute S  , so that he can continue the decryption process.
In addition, landmarks predetermine the keys  6 .It means that the expected value of position attribute is already known by all landmarks before protocol execution.Then the position attribute S  will be added to leaf nodes of access tree, so that the administrator can prebuild the access tree .

Privacy-Preserving of Logistics Information (PPLI).
In our scheme, besides sender and receiver, the whole delivery path is only known by administrator.The sender submits encrypted order information ℎ  to administrator; then the administrator, respectively, encrypts the segmented logistics information {  } under CP-ABE, as shown in Algorithm 3.
On the one hand, for general people who do not have the correct attributes, the only information they can get is   , which is used to uniquely identify the parcel.Apart from this, they cannot obtain anything about the plaintext of logistics information, i.e.,   and   .On the other hand, the courier who actually moves parcel can only decrypt partial address information   according to attributes.  is the next delivery station address, which is necessary for the courier's delivery process.

Confidentiality of Personal Information(CPI).
In initialization phase, customer's personal information which contains   ,   , ℎ  , and ℎ  is encrypted by receiver's public key   .In last phase, the parcel arrives at the final delivery station and the receiver obtains ℎ  2 from the final courier and executes (  , [ℎ  2 ]), so that the receiver gets the personal information which is included in  2 .In the whole parcel transit process, only the target receiver can decrypt the personal information.For other people including administrator and couriers, the probability of obtaining  2 is negligible even if they have ℎ  2 .

Verifiability of Receiver (VR).
The courier can verify the correctness of receiver.In the phase of reception, the final courier can obtain  using (  ).At the same time, the target receiver can get  2 using (  , [ℎ  2 ]), where  is included in  2 .Then the receiver computes  1 = ℎ().By comparing the hash value  1 which receiver shows with , the courier can verify the correctness of receiver.For the adversary who wants to simulate the receiver, he (or she) must obtain .Because hash function is noninvertible and collision resistant and  2 cannot be decrypted without   which is kept secretly by receiver, the adversary has a negligible probability to obtain  and .Consequently, our scheme can prevent forging identity by adversary to take away the parcel which does not belong to himself (or herself).

Verifiability of Parcel (VP).
The digital signature guarantees the origin and integrity of parcel.The sender generates digital signature   by (  , [  ||  ]) and adds it into  2 .Then  2 is encrypted using receiver's public key   .In the reception phase, the receiver can decrypt  2 and obtain   .He (or she) can decrypt (  , [  ||  ]) using sender's public key and get   ,   .  contains receiver's personal information and address information, so that the receiver can confirm that the parcel is not forged.As a result, our scheme can prevent parcel forgery by malicious couriers during the express delivery process.ACA-A).In the retrieval phase, the courier with appropriate attributes can only decrypt a segment   .However, couriers are so curious about other information that they may collude with others in order to enlarge their privileges.Our scheme ensures the courier only can decrypt the specific information according to his (or her) attributes.

Anticollusion Attack to Attribute-Based Access Control (
For example, assuming that couriers  1 ,  2 have the attribute set S 1 , S 2 .Couriers  1 and  2 want to collude together.There is a courier  3 who has the attribute set S 3 ; let S 3 =  1 ∪ S 2 .So  1 ,  2 want to obtain  3 's secret key and decrypt  3 's information.In our scheme,  1 and  2 must recover (, )  in order to obtain  3 's secret key.In the phase of encryption, the string  from different couriers is randomized, so  1 and  2 cannot recover (, )  .It means  3 's ciphertext cannot be decrypted even if  1 and  2 collude.In other words, the collusion of multiple couriers is useless for decryption of addition logistics information. .Even if the malicious couriers collude together, according to properties of the secure BSM PRG, the probability of the malicious couriers correctly guessing  5 = (( 4 ),  4 ) = ( 4 ,  4 ) ⊕   5 is  + 2 − , which is negligible in security parameter by choice of  and ; thus  ≥ (2/)().So  5 is still a random string to adversaries; thus they cannot find anything about  6 .Similarly, as for other possible reaching sequences, even if the malicious couriers collude together, they cannot find anything about final key  6 .

Undeniability (UD)
. Specifically, the sender cannot deny a parcel sent by himself (or herself), while the receiver cannot deny a parcel received by himself (or herself).In the step of initialization, the sender generates digital signature   which uses his (or her) private key   and then adds the signature   to  2 .So, after decrypting  2 , the receiver can confirm that the parcel was sent by sender.In the step of reception, when the receiver wants to take away the parcel, he (or she) should conduct (  , [  ||])] and send it to administrator.Then the administrator can decrypt (  , [  ||])] using   .At the same time, the administrator can receive  sent by courier.By computing  2 = ℎ() and checking  2 = , the administrator can verify that the receiver has received the parcel.

Unlinkability (UL).
In the initialization phase, the sender's encrypted order information ℎ  which contains   ,   , ℎ  , ℎ  ,   , and   and is transmitted to receiver.It is impossible for administrator and couriers to reveal the identity of customers from the encrypted order information.
As shown in Algorithm 1, a different random number  is used in each generation of order ciphertext. 2 contains  and  1 contains ( = ℎ()), so each order information is different even if it is sent by the same sender.Since  is random, the administrator and others are unable to tell whether these encrypted orders have the same logistics information (  ,   ) and personal information (  ,   , ℎ  , and ℎ  ).In other words, except customers, other people cannot distinguish whether the encrypted order information ℎ  in many delivery processes originates from the same sender.

Performance Evaluation
In this section, we mainly focus on evaluation of computation overhead of our proposed scheme.The performance evaluation consists of four parts according to LIP-PA, i.e., initialization, encryption, retrieval, and reception.The experiments are implemented on an Android phone (Band: Samsung Galaxy S7 Edge, CPU: Quad Core 2.15GHz, Operating System: Android 6.0, ROM:32G, RAM:4G).Our implementation is based on Java Pairing-Based Cryptography Library (JPBC).
Initialization.In the initialization phase, a sender wants to submit an encrypted order to administrator.Specifically, the sender needs to complete ℎ(), (  , [ 2 ]), (  , [ℎ  2 || 1 ]), and   .In Figure 5, we adopt hash function and RSA algorithm with different parameters to evaluate the sender's computation overhead.From Figure 5, we notice that the hash functions with different parameters lead to slightly different computation overhead.RSA algorithm with different parameters has greater impact on computational cost.When the hash function is SHA-512 and RSA algorithm is RSA-2048, the computation cost is still lower than 20ms.In general, the computation overhead of initialization is low for sender.
Encryption.In this phase, the computational cost of administrator mainly reflects on encryption of logistics information.
In Figure 6, we compare the administrator's computation   overhead under three types of delivery paths.The administrator, respectively, encrypts the segmented logistics information  1 ,  2 , . . .,   (where  = 3 if  2 =  2 ;  = 5 if  2 ̸ =  2 and  1 =  1 ;  = 6 if  1 ̸ =  1 ) under CP-ABE.We set that the number of attributes in private key is fixed to 10, the number of leaf nodes in policy is fixed to 5, and the size of logistics information is 4kB.As shown in Figure 6, the processing time almost is between 1.5s and 2.6s.The computation overhead of encryption is efficient for administrator in practice.
Retrieval.In this phase, the courier and administrator collaborate to complete the retrieval.As shown in Figure 7, we evaluate the calculation costs of the administrator and the  courier, respectively.For courier, he (or she) needs to run I-PBKE to obtain  6 .Besides, the courier would decrypt the logistics information   .As a result, the computation overhead of courier consists of six (  ,   ) operations and one CP-ABE decryption operation.For administrator, he (or she) can employ landmarks to complete I-PBKE.At this protocol, landmarks need to generate five random large strings {  }.From Figure 7, we can see that the courier's computation overhead is far less than administrator's computation overhead.
Reception.In the reception phase, the courier delivers the parcel to receiver with the help of administrator.They use public key encryption and hash function specifically.We adopt SHA-256 and RSA-1024 to evaluate the computation overhead of administrator, courier, and receiver, respectively.As illustrated in Figure 8, the computation costs of administrator and receiver are all about 200ms.As for courier, he (or she) needs to complete extra decryption of logistics information.As a result, the courier's computation overhead is higher.In general, their computation overhead is all acceptable for real parcel delivery process.
In general, our scheme is efficient and feasible in practice.What is more, our scheme satisfies all the security requirements of LIoT.So the LIP-PA is available for mobile devices in real parcel delivery scenario.

Conclusions
In this paper, we propose LIP-PA, a logistics information privacy protection scheme with position and attributebased access control on mobile devices.Different from existing schemes, our scheme provides privacy protection for both personal information and logistics information.In our scheme, customers could achieve verifiability and undeniability.The administrator could encrypt the logistics information based on the policy of position and attributebased access control.In order to transmit the parcel to next station, couriers could only decrypt the required segment of logistics information but not all the logistics information.As a further contribution, we prove that our scheme can satisfy all the security requirements and show that it is available for mobile devices in practice based on the experiment results.

4. 1 .
Overview of Scheme LIP-PA.The scheme LIP-PA consists of four phase: initialization, encryption, retrieval, and reception as shown in Figure2.

Figure 3 :
Figure 3: Initialization of order information.

Table 1 :
Comparison with related work.