The Cloaked-Centroid protocol: location privacy protection for a group of users of location-based services

Abstract

Several techniques have been recently proposed to protect user location privacy while accessing location-based services (LBSs). However, applying these techniques to protect location privacy for a group of users would lead to user privacy leakage and query inefficiency. In this paper, we propose a two-phase protocol, we name Cloaked-Centroid, which is designed specifically to protect location privacy for a group of users. We identify location privacy issues for a group of users who may ask an LBS for a meeting place that is closest to the group centroid. Our protocol relies on spatial cloaking, an anonymous veto network and a conference key establishment protocol. In the first phase, member locations are cloaked into a single region based on their privacy profiles, and then, a single query is submitted to an LBS. In the second phase, a special secure multiparty computation extracts the meeting point result from the received answer set. Our protocol is resource aware, taking into account the LBS overhead and the communication cost, i.e., the number of nearest neighbor queries sent to a service provider and the number of returned points of interests. Regarding privacy, Cloaked-Centroid protects the location privacy of each group member from those in the group and from anyone outside the group, including the LBS. Moreover, our protocol provides result-set anonymity, which prevents LBS providers and other possible attackers from learning the meeting place location. Extensive experiments show that the proposed protocol is efficient in terms of computation and communication costs. A security analysis shows the resistance of the protocol against collusion, disruption and background knowledge attacks in a malicious model.

Appendix: Range proofs for the Cloaked-Centroid protocol

To prove \(x_i ,y_i \in \left[ {a,b} \right] \) (location coordinates) in the Cloaked-Centroid protocol, the classical range proof [40] can be applied. In this proof that is based on the zero-knowledge proof of a discrete logarithm [54], the prover encodes her secret to its binary representation and then proves that each digit in this representation is either 0 or 1, using a proof of knowledge of 1 out of 2 discrete logarithms [16]. Adapting the classical range proof to the Cloaked-Centroid protocol proceeds as follows:

Assume the parameters of the range proof are the same as the Cloaked-Centroid protocol.

1. 1.

   The prover generates \(V=g^{x_i}h^{r}\;\hbox {mod}\,p\) as a commitment to \(x_i\) where \(h\) is the generator of \(G\) and \(r\) is a random integer in \(Z_q\).

2. 2.

   The prover computes \(V^{{\prime }}=V/g^{a}=g^{x_i -a}h^{r}\;\hbox {mod}\,p\); then, the proof that \(x_i \in \left[ {a,b} \right] \) is reduced to the proof that \(x_i -a\in \left[ {0,b-a} \right] \).

3. 3.

   Let \(x_i -a=x_0 2^{0}+x_1 2^{1}+\cdots +x_m 2^{m}\) be the binary representation of \(x_i -a\), where \(x_j \in \{0,1\}\) and \(j=0,1,\ldots ,m\) where \(m=32\).

4. 4.

   The prover chooses \(u_0 ,u_1 ,\ldots ,u_m \in _R Z_q\), and computes \(u=u_0 2^{0}+u_1 2^{1}+\cdots +u_m 2^{m}\;\hbox {mod}\,q\). Then, she computes \(u^{{\prime }}=u-r\) and \(E_i =E\left( {x_j ,u_j} \right) =g^{x_j}h^{u_j}\;\hbox {mod}\,p\) for \(j=0,1,\ldots , m\).

5. 5.

   The prover sends \(E_j\) and \(u^{{\prime }}\) to the verifier.

6. 6.

   The verifier checks whether \(V^{{\prime }}h^{u^{{\prime }}}\) is equal to \(\mathop \prod \nolimits _{j=0}^m E_j^{2^{j}}\;\hbox {mod}\,p\).

7. 7.

   For each \(E_j (j=0,1,\ldots ,m)\), the prover and the verifier run a sub-protocol to prove that the \(x_j\) value is either 0 or 1. This can be done by applying the zero-knowledge proof of knowledge of 1 out of 2 discrete logarithms [16].

Note that before running the range proof protocol, the prover should prove that \(V=g^{x_i}h^{r}\;\hbox {mod}\,p\) and \(w_i =g^{a_i b_i}g^{a_{i-1} a_i}g^{x_i}\;\hbox {mod}\,p\) hides the same secret \(x_i\) by applying a proof of equality of two discrete logarithms [8]. Also, the verification can either be done centrally by a chosen member in the group or distributedly by all members.

The batch range proof of Peng et al. [48] is similar to the classical range proof and can also be applied. In a batch range proof, the prover represents her secret in a base-k system where \(k\) can be any integer greater than 1. Then, the prover proves \(\log _k (b-a)\) instances of the proof that each digit of the base-\(k\) representation of \(x_i -a\) is in \(Z_k\). This is done using a batch proof in which the \(\log _k (b-a)\) instances of proof of knowledge of 1 out of \(k\) are batched into a single proof [48]. Assuming \(k=2\), the batch proof for \(m\) instances of knowledge of 1 out of 2 discrete logarithms is as follows:

Assuming \(k=2\), adapting the batch range proof to the Cloaked-Centroid protocol proceeds as follows:

1. 8.

   Steps 1 to 6 are exactly the same as for the classical range proof.

2. 9.

   The prover and the verifier run a batch proof of knowledge of 1 out of 2 (or 1 out of \(k\)) discrete logarithms to prove that for each \(E_j (j=0,1,\ldots ,m)\), the value of \(x_j \in \{0,1\}\) using the above batch proof.