Nowadays, location privacy has become an important problem for users who enjoy location-based services (LBSs). Researchers have long focused on how to protect users' location privacy efficiently. On one hand, many achievements adopt a centralized structure with an additional center server, while other researchers adopt a distributed structure to overcome the disadvantages brought by the center server in the centralized anonymous system structure. On the other hand, the existing methods always protect the individual user's location privacy in LBSs, without considering the location privacy of a user group. Such methods are not very applicable when a number of users form a group to complete an LBS task together by collaborative computing. In order to solve the problem of location privacy protection for a user group in untrusted mobile social networks, this paper discusses a location privacy protection method based on the distributed structure. In the scheme, the special homomorphic features of the BGN cryptosystem are used so that the group's three classical location service applications, namely, group nearest neighbor query, optimal group collection point determination, and group friend's distance query, can be solved simultaneously with only one security policy. If k users form the group, the scheme achieves k-anonymity without exposing the coordinates of any individual user or using any anonymous areas. Furthermore, theoretical and experimental analysis proves that the proposal can efficiently protect each user's location privacy in the group by taking full advantage of the collaborative computing and communication capabilities of the mobile terminals.
It can resist the existing distance interaction attack and collusion attack, and can realize secure and efficient fine-grained controllable location privacy protection for the user group.
LBSs experience a booming period of development due to the wide applications of location-based technology and the mobile terminals [
Fortunately, with the development of mobile networks, researchers have found many methods that can realize location privacy-preserving in LBS applications. The existing methods can mainly be divided into two big categories.
Whichever kind of method is used, it must be designed on the basis of a certain system model. From the perspective of system structure, there are two main types: the centralized and the distributed architecture. As shown in Figure
The location privacy-preserving system model with the centralized structure.
However, there are several shortcomings in the centralized location privacy-preserving model.
In order to overcome the shortcomings of the centralized structure, more and more research efforts turn to models with the distributed structure. For example, [
Moreover, most of these existing schemes focus on location privacy protection from the view of the individual user. They do not consider another situation that is frequent in practice. Sometimes, many users in the mobile networks are willing to form a group and collaborate when they issue the LBS. They want to realize their location privacy protection and obtain good service results through the cooperative computing of other users. In the group, they can exchange some information, but not their own locations, with the other users of the same group in order to complete a task such as a group nearest neighbor (GNN) query. Once the group jointly completes the query, each user in the group can adopt the query result returned by the LBS. However, research in this area is relatively rare, and the existing schemes do not apply to the collaborative computing environment where many users complete the group query task together. Thus, it is necessary to design schemes for location privacy protection from the view of the user group.
In fact, Hashem et al. [
At present, more and more research on group privacy protection has focused on the key problem of the group center computation. It is proven that group location privacy protection and the quality of LBS can be well balanced by changing the GNN query into an NN query. Namely, as shown in Figure
The center location of the user group.
In this paper, a new location privacy-preserving protocol for a user group based on the distributed structure is designed. Each user's real location is perturbed with a noise disturbance parameter to protect the user's location privacy. Weight coefficients are also introduced to ensure that the user who currently enjoys the LBS can freely adjust and control the contribution of the other users' location data when computing the group center. Meanwhile, without exposing any user's real location coordinates, our scheme can solve three privacy protection problems in the classic LBS scenarios, namely the GNN application, the best group collection location determination, and the group friends distance query, using only one security policy, the core of BGN.
Before the explanation of our scheme, this section puts forward our system model first. Shown as Figure
Our system model.
In order to simplify the problem, our system model assumes that if any user needs the LBS, he can easily form a group with nearby neighbors by the way of self-organized P2P network. In the group, users can communicate with each other and get their own location through the positioning system in real time. The privacy protection for each user is completed by the cooperation of the users in the group.
Compared with the existing models, in our model the SP is semitrusted and a trusted center server is no longer necessary. This avoids the disadvantages brought by requiring a trustworthy SP and a center server. The user who applies for the LBS only sends the group center location as the anchor point, instead of his own location, to get good quality results from the SP. More importantly, our model ensures that no user ever leaks his own real location during the LBS to any third party, including the other group users and the SP. Thus, it is more practical and effective for location privacy-preserving in untrusted mobile networks than other system models.
In view of the practical status of the mobile network, the system model is assumed as follows. The servers of the SP provide LBSs to the mobile users. Mobile users send LBS requests to the servers and receive the corresponding location service results from the SP. In an open network environment, the SP will provide service results for users who request services. Moreover, in certain scenarios, the SP might analyze or disclose the user's real sensitive location information; namely, a semitrusted SP is employed in this paper. The communication between mobile users and the SP is forwarded by the communication base station, and any third party can intercept and record the wireless messages transmitted by the base station. The mobile users obtain their real position coordinates from the positioning system or the location satellite anonymously. The mobile users have fine-grained demands for their location privacy and have specific quality of service requirements. The users in the group distrust each other, and they will never expose or send their own real location to others.
For convenient description, Table
Symbol definitions.
| The group |
| The certain time of the group user |
| The group location privacy-preserving request. |
| The subscript to mark symbols. |
| The geographic coordinate of the user |
| The weight sequence generated by the user |
| The noise sequence to disturb the users’ location coordinate produced by the noise generator. |
| The new coordinates after the disturbance by the noise. |
| The center location of the user group |
When the user
Bilinear mapping, Bilinearity: Nondegeneration: With special condition,
When
Based on the bilinear mapping, the BGN cipher system is composed of three parts: key generation, encryption, and decryption.
For key generation, each user in the system has a pair of keys distributed by the BGN cryptosystem, namely, the public key and the private key.
Set
For encryption, suppose that the space of the plaintext messages is made up by the integers of the set
For decryption, use the private key
So the user
The BGN cryptosystem can support homomorphic addition and one-time homomorphic multiplication simultaneously.
Our method adopts the security policy of the BGN cryptosystem, and our solution's validity depends on its homomorphic property. Here, we prove the homomorphic property of the BGN cryptosystem. For convenient explanation, the encryption algorithm of the BGN cryptosystem is denoted by
If
Thus, the result of the operation on the plaintexts can be also got by decrypting the corresponding operation result of the ciphertexts [
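To make the homomorphic operations above and the group center computation concrete, here is an added example that is not code from the paper: it simulates the additive part of BGN in a composite-order subgroup of Z_p^* (a toy stand-in for the pairing-friendly group, so the one-time homomorphic multiplication is not covered and the parameter sizes are not secure) and lets the SP aggregate weighted, noise-disturbed coordinates into the group center while seeing only ciphertexts. The function names, the choice to encrypt under the querying user's key, and the handling of noise (applied by each user before encryption, coordinates kept as non-negative integers) are assumptions.

```python
import random

def is_prime(n):                     # trial division; fine for toy sizes
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def bgn_keygen(q1, q2):
    """Public key (p, N, g, h) with N = q1*q2 and private key q1, as in BGN."""
    N, k = q1 * q2, 2
    while not is_prime(k * N + 1):   # search for a prime p = k*N + 1
        k += 1
    p = k * N + 1
    def element_of_order_N():
        while True:
            x = pow(random.randrange(2, p - 1), k, p)   # order divides N
            if pow(x, q1, p) != 1 and pow(x, q2, p) != 1:
                return x                               # order is exactly N
    g, u = element_of_order_N(), element_of_order_N()
    h = pow(u, q2, p)                                   # h has order q1
    return (p, N, g, h), q1

def encrypt(pk, m):                  # C = g^m * h^r with random blinding r
    p, N, g, h = pk
    return pow(g, m, p) * pow(h, random.randrange(1, N), p) % p

def decrypt(pk, sk, c):              # C^q1 = (g^q1)^m because h^q1 = 1
    p, N, g, _ = pk
    target, base, acc = pow(c, sk, p), pow(g, sk, p), 1
    for m in range(N // sk):         # small discrete log; needs m < q2
        if acc == target:
            return m
        acc = acc * base % p
    raise ValueError("plaintext outside the decryptable range")

def add(pk, c1, c2):                 # Enc(m1) * Enc(m2) = Enc(m1 + m2)
    return c1 * c2 % pk[0]

def scale(pk, c, w):                 # Enc(m)^w = Enc(w * m), w a plaintext weight
    return pow(c, w, pk[0])

def group_center(pk, sk, disturbed, weights):
    """SP side: aggregate encrypted weighted coordinates (ciphertexts only);
    user side: decrypt the two weighted sums and divide by the total weight.
    disturbed: (x', y') pairs already noise-disturbed, non-negative ints."""
    cx = cy = 1                                         # Enc(0)
    for (x, y), w in zip(disturbed, weights):
        cx = add(pk, cx, scale(pk, encrypt(pk, x), w))
        cy = add(pk, cy, scale(pk, encrypt(pk, y), w))
    total = sum(weights)
    return decrypt(pk, sk, cx) / total, decrypt(pk, sk, cy) / total
```

The weighted sums must stay below q2 for the discrete log in `decrypt` to succeed, which is why the example uses small integer coordinates and weights.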
An important type of LBSs is the point of interest query, also known as location searching services (LSSs) [
Here, we assume that the user After receiving the above messages, SP executes the computation as ( The SP sends the result to
Another important application in LBSs is the query for the group collection location. Friends may want to determine a location at which to gather. In this case, they can form a temporary group to obtain the optimal collection location. For the users in the group, finding the optimal location means finding the location whose sum of distances to everyone in the group is smallest. Moreover, in order to ensure the group privacy, the best collection location should be safely determined without exposing any user's real location.
If the sum of the distances from some location point to all the group users is minimum, the point is the best assembling location of the user group, which is expressed as
Assume that the user The SP calculates The user
where
Sometimes, in LBSs, users want to know how far away a friend is. In this case, from the view of location privacy protection, we should ensure that each user in the group can conveniently query the friend's distance without exposing his own location information or learning his friend's location. This case is similar to another application in LBSs in which merchants or shops would like to push advertisements to users based on their locations. The merchants and shops of interest to the group users can safely query the distance to a user and decide whether to push advertisements to that user in the group without knowing the user's specific location.
Assume that the group user The user After receiving the query request, the SP calculates the function of the ciphertexts
In the scheme proposed in Section
Based on the homomorphism property of BGN cryptosystem, the correctness of our method to get the center location can be further proven:
In addition, according to the analysis and conclusion in [
In the scheme proposed in Section
First, we can calculate the best collection location by solving mathematical minimization problem. Compute the value of coordinate of point
Solve the following problem:
Here,
Set
Therefore the minimum value of
Furthermore, we can prove the equation as follows by the homomorphism property of BGN cryptosystem:
Additionally, we must notice that the best collection location point here is decided by the minimum sum of distances. In reality, we should also consider that the time interval between the first user with the shortest distance
In the scheme proposed in Section
Therefore, Theorem
In this section, some quantitative measurements of privacy security and quality of services are given according to our method. In our privacy model, the quantitative measurements can be obtained easily by the relationships between the group center location and each user’s real location.
(a) The location privacy protection distance: it is the Euclidean distance between the user
(b) The maximum distance of the group privacy protection: assuming that the maximum distance is obtained between the group user
(c) The minimum distance of the group privacy protection: assuming that the minimum distance is obtained between the group user
(d) The location privacy protection angle: it refers to the declination angle between the user
Thus, the measurements proposed are very suitable for our privacy model. It is possible for the user to easily judge and control the privacy protection degree by the measurements.
The users in the group can adjust the weight sequence
From the perspective of LBSs, a user normally gets the query results according to his own position. In our method, all the users in the group get the query results from the SP according to the group center instead of their own positions. In particular, because the users in the group have different geographic locations, the distance from the group center location to different users in the group may differ, as can be seen in Figure
The geometric measures of the group location privacy protection.
Because
From the above equation, since
Usually, each user in the group has different requirements for location privacy-protection. The user who has the highest request for location privacy-preserving always should have the largest privacy-protection distance
Similarly, from the definition of
(2) The geometric measures of the GNN service
As shown in Figure
The geometric measures of the quality of GNN query service.
In order to simplify the problem description and facilitate quantitative measurement, the Euclidean distance
What is more, from the perspective of a single user in the group, when the NN query result is
In fact, in LBSs, exposing precise user positions raises user privacy concerns, especially if the SP is not fully trusted. To enable the secure applications of private user locations in nontrusted networks, we present three kinds of group location privacy protection schemes in three important application scenarios. In our method, there is no need to provide individual location data of each user to the SP. Only the aggregation result of the group users’ locations is usually required to obtain the corresponding query results [
The schemes in Sections
In the process of LBSs, the users’ locations are encrypted after noise disturbance and weights adding. What the SP can get are the ciphertexts. On one hand, the SP can verify each user’s signature and the source of each ciphertext. So it can prevent the group users from maliciously forging the fake ciphertexts and wasting the computation and network resources. On the other hand, because the SP does not have the user’s private key, it cannot complete the decryption to get the location of each user. Moreover, each user can get none of the other users’ locations. After obtaining the group center, all the users make service requests with the center location as the anchor point. Therefore, both the location privacy-protection of the group and the location privacy-protection of every individual user in the group can be realized.
In the group, the users use
In another case, if
Particularly, we have the collusion between
As shown in Table
Characteristics comparison.
| [ | [ | [ | [ | Ours |
|---|---|---|---|---|
| Distance sum | Center location | Center location | Center location | Center location |
| Low | Low | Low | High | Low |
| Fine-granularity | Coarse-granularity | Coarse-granularity | Coarse-granularity | Fine-granularity |
| Ring-unicast | Ring-unicast | Star-unicast | Group-broadcast | Star-unicast |
| Static | Static/dynamic | Static/dynamic | Static | Static/dynamic |
Both of the schemes in [
Additionally, the schemes in [
In addition, GLP protocol [
In the single group query service, the scheme proposed by us only needs the users to encrypt their respective disturbed locations once. If the complexity of the signature algorithm is ignored, the computation time complexity is
The main computation of the SP is the aggregation of all the ciphertexts from
Considering the current state of research on location privacy-protection schemes in LBSs, there are still some problems that urgently need to be solved. Fortunately, these problems have mainly been solved in our paper.
Our contributions are as follows: based on BGN cryptographic algorithm, three group location privacy-protection schemes of distributed structure are, respectively, proposed according to the classic application scenarios in LBSs, which are GNN query, the best group gathering location query, and the group friend’s distance query services, achieving
The conclusions of our paper are based on mathematical and cryptographic theorems. If specific examples to verify the findings of our study are needed, anyone is welcome to contact the corresponding author.
The authors declare that they have no conflicts of interest.
This work is supported in part by the National Natural Science Foundation of China under Grant No. 61572521, the National Natural Science Foundation of China under Grant No. U1636114, and the National Key Research and Development Program of China under Grant No. 2017YFB0802000.