Abstract—A common functionality of many location-based social networking applications is a location sharing service that allows a
group of friends to share their locations. With a potentially untrusted server, such a location sharing service may threaten the privacy of
users. Existing solutions for Privacy-Preserving Location Sharing Services (PPLSS) require a trusted third party that has access to the
exact location of all users in the system or rely on expensive algorithms or protocols in terms of computational or communication
overhead. Other solutions can only provide approximate query answers. To overcome these limitations, we propose a new encryption
notion, called Order-Retrievable Encryption (ORE), for PPLSS for social networking applications. The distinguishing characteristics of
our PPLSS are that it (1) allows a group of friends to share their exact locations without the need of any third party or leaking any
location information to any server or users outside the group, (2) achieves low computational and communication cost by allowing
users to receive the exact location of their friends without requiring any direct communication between users or multiple rounds of
communication between a user and a server, (3) provides efficient query processing by designing an index structure for our ORE
scheme, (4) supports dynamic location updates, and (5) provides personalized privacy protection within a group of friends by specifying
a maximum distance where a user is willing to be located by his/her friends. Experimental results show that the computational and
communication cost of our PPLSS is much better than the state-of-the-art solution.
Index Terms—Location privacy, location sharing services, order-retrievable encryption, location-based social networking, spatio-temporal
query processing
1 INTRODUCTION
of generality, suppose that $R$ is the space of each dimension. One additional remark is that the ORE scheme defined below can be viewed as a collection of one-way functions [17] and this one-way function has the order retrievability property. In other words, our PPLSS framework does NOT need the decryption algorithm of the ORE scheme. Below are the details.

Definition 1. An Order-Retrievable Encryption scheme consists of four probabilistic polynomial-time (PPT) algorithms.

$SK_G \leftarrow \mathsf{KGen}(1\ , R)$. The symmetric key generation algorithm KGen takes a security parameter in $\mathbb{N}$ and the dimensional space $R$ defined above, and outputs a symmetric key.

$C \leftarrow \mathsf{Enc}(SK_G, P)$. The encryption algorithm takes $SK_G$ and a d-dimensional point $P \in R^d$, and outputs a ciphertext as an “encrypted” location.

$\mathsf{QGen}(SK_G, Q)$. The query generation algorithm takes $SK_G$ and a query point $Q \in R^d$, outputs an “encrypted” query location.

$C_b \leftarrow \mathsf{Cmp}(\ , C_0, C_1)$. The comparison algorithm takes an encrypted query location and two encrypted locations $C_0$ and $C_1$, outputs $C_b$ for $b \in \{0, 1\}$ if

$$\mathrm{dist}(Q, P_b) \le \mathrm{dist}(Q, P_{1-b}), \qquad (1)$$

where the encrypted query location is output by $\mathsf{QGen}(SK_G, Q)$ and $C_i \leftarrow \mathsf{Enc}(SK_G, P_i)$ for $i = 0, 1$, and $\mathrm{dist}(P, Q)$ represents the actual distance between two locations $P$ and $Q$. We stress that the function Cmp neither has $SK_G$ as input nor has to output any further information about the evaluation of dist other than which of $P_0$ and $P_1$ is closer to $Q$.

We note that there are two distinct encryption algorithms, Enc and QGen. Our ORE scheme uses different encryption algorithms for locations used as query locations (QGen) and for locations encrypted to compare them to a given query location (Enc), hence these two distinct algorithms.

Optionally, a decryption algorithm can be defined as $P/\bot \leftarrow \mathsf{Dec}(SK_G, C)$, which takes $SK_G$ and a ciphertext $C$, and outputs a d-dimensional point $P \in R^d$ or $\bot$ indicating the failure of decryption. We do not require the domain of ciphertexts $C$ to be in any special form related to the plaintext space $R^d$. Also note that our PPLSS framework does NOT need the decryption function Dec. The pair (KGen, Enc) can be viewed as a one-way function collection indexed by $SK_G$.

The security parameter relates the security strength of the ORE scheme to the security level of a secure symmetric key encryption scheme. For example, a security parameter of 80 refers to the 80-bit security level [18]. Section 5 discusses the security requirements of the ORE scheme, and Section 6 provides an ORE construction, based on a scheme proposed by Wong et al. [19], and its security analysis.

ORE versus Order-Preserving Encryption. A related work called Order-Preserving Encryption (OPE) [20], [21] preserves the numerical ordering of the plaintexts in the ciphertexts. Formally, for any $A, B \subseteq \mathbb{N}$ with $|A| \le |B|$, an encryption family $E : K \times A \to B$ is order preserving if for all $i, j \in A$, $E(k, i) > E(k, j)$ if and only if $i > j$, for any $k \in K$, where $K$ is the key space of the encryption family. OPE is different from ORE. The OPE maintains the order information in encryption while ORE destroys the order information so that given any two ciphertexts encrypted using ORE, the order information is not preserved. Instead, the ORE ciphertexts can be used with an auxiliary function called Cmp which gets an encrypted query location involved, and the function Cmp can tell which of the two ciphertexts contains a location which is closer to the query location, i.e., the ordering is with respect to the distance to a query location. Though OPE has been used for many other applications such as efficient range queries, indexing and query processing, OPE does not have the function of Cmp as we defined in ORE, and therefore, it is not known whether it is possible to use OPE for constructing a privacy-preserving location sharing system. More discussions are given in Section 9.

3 PPLSS: PRIVACY-PRESERVING LOCATION SHARING SERVICES

In this section, we describe our PPLSS for social networking applications based on our Order-Retrievable Encryption scheme. We will first present the ORE scheme for PPLSS, and then propose an index structure that makes use of the relative distance information provided by the ORE scheme to improve query processing efficiency.

3.1 The ORE Scheme

The main idea of our PPLSS is that a user or a group initiator registers with the system to create a user group. The group initiator then adds friends to the user group and creates a shared group key $SK_G$ according to our ORE scheme and another shared data key $SK_D$ for AES [22] encryption of location data (this is needed as our ORE scheme does not require a decryption function, and the actual location data exchanged between users is therefore AES-encrypted). It is important to note that users or group initiators are not required to register with their real identity. They can use pseudonyms as long as their friends are able to recognize them (friends can also communicate their pseudonyms out-of-band, e.g., through email). After the shared group key $SK_G$ and the shared data key $SK_D$ are securely delivered to all group members, each member periodically reports his/her encrypted location to the database server. When a user logs onto the system and wants to browse the location of his/her friends within a certain user-specified distance, the user issues a location query with an encrypted query location and an encrypted location marker to the database server. The database server is able to provide an exact answer for the user without knowing any location information of the user and his/her friends. In general, the ORE scheme involves seven major message exchanges for three operations among a group initiator u, the database server, and u’s friends, as depicted in Fig. 2. The algorithms used in the ORE scheme are defined in Section 2.2, the symbols used in the ORE scheme are summarized in Table 1, and the three operations are explained in more detail below.

3.1.1 User Group Formation

A user u registers with the database server with an identity (or pseudonym) $ID_u$ and creates a user group G that includes u, i.e., u is the group initiator. The group initiator
814 IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL. 10, NO. 5, SEPTEMBER/OCTOBER 2017
TABLE 1
Key Symbols in the ORE or ORE-Index Protocol
3) Describe the final extended WCKM encryption scheme

Below is the review of the WCKM basic encryption scheme according to our ORE definition (Section 2.2):

Symmetric Key Generation. Suppose that all the points are in a d-dimensional space and $R$ is the space of each dimension. Given a security parameter in $\mathbb{N}$ and dimension space $R$, KGen outputs a symmetric key $SK_G$ as a randomly chosen invertible $(d+1) \times (d+1)$ matrix where each element is in $R$. In the following, we assume that all elements in matrices and vectors are in $R$, and $R$ is of integers in a certain range, which will be defined in each concrete scheme.

Encryption. Given $SK_G$ and a point $P$, which is a d-element vector $(p_1, p_2, \ldots, p_d) \in R^d$, the encryption algorithm Enc prepares a $(d+1)$-element vector $\hat{P}$ as follows:

$$\hat{P} = \begin{pmatrix} p_1 \\ p_2 \\ \vdots \\ p_d \\ -0.5\|P\|^2 \end{pmatrix} \qquad (2)$$

and calculates a ciphertext point $C = SK_G^T \hat{P}$, where $\|P\|$ represents the Euclidean norm of point $P$. Note that $\|P\|^2$ can be represented by $P \cdot P$ where $\cdot$ represents the scalar product.

Decryption. Given $SK_G$ and a ciphertext point $C$ which is a $(d+1)$-element vector $(c_1, c_2, \ldots, c_{d+1}) \in R^{d+1}$, the decryption algorithm Dec recovers the original point $P$ by computing

$$P = \pi_d\, SK_G^{T^{-1}} C, \qquad (3)$$

where $SK_G^{T^{-1}}$ is the inverse of $SK_G^T$ and $\pi_d$ removes the $(d+1)$-th dimension by setting $\pi_d = (I_d, 0)$ with $I_d$ the d-dimensional identity matrix and “0” a column vector of zeros. $\pi_d$ is thus a $d \times (d+1)$ matrix.

Query Generation. Given $SK_G$ and a query point $Q = (q_1, q_2, \ldots, q_d) \in R^d$, the query generation algorithm QGen picks a random $r > 0$ and creates a $(d+1)$-dimensional point $\hat{Q}$ as

$$\hat{Q} = r \begin{pmatrix} q_1 \\ \vdots \\ q_d \\ 1 \end{pmatrix} \qquad (4)$$

and calculates a ciphertext query point $Y = SK_G^{-1} \hat{Q}$.

Comparison. Given two ciphertext location points $C_0$ and $C_1$ and one ciphertext query point $Y$, suppose that $C_i \leftarrow \mathsf{Enc}(SK_G, P_i)$ for $i = 0, 1$ and $Y \leftarrow \mathsf{QGen}(SK_G, Q)$ where $P_0, P_1, Q \in R^d$. The comparison algorithm Cmp calculates the following to determine which ciphertext location point is closer to the encrypted point $Y$:

$$(C_0 - C_1) \cdot Y > 0. \qquad (5)$$

If so, the output is set to $C_0$; otherwise, the output is set to $C_1$.

In the following, we analyze the security of the WCKM encryption scheme and show that besides the settings suggested in [19], additional conditions have to be introduced in order to ensure its security against Level 1 of Data Confidentiality requirement defined in Section 5.

6.1 Security Analysis

In [19], the authors described a bruteforce attack which entails a total of ${}_nP_{d+1} = O(n^{d+1})$ trials of potential symmetric keys that an adversary needs to try if a set of n ciphertexts $\{C_i\}_{1 \le i \le n}$ and plaintext points $\{P_j\}_{1 \le j \le n}$ are given but the correspondence between the ciphertexts and plaintexts is not known. In each trial, the adversary performs no more than n decryptions. Hence as stated in [19], if $n = 10K$ and $d = 2$ (i.e., a two-dimensional geographical data set), the adversary has to spend more than 310 years to test out all trial symmetric keys if the adversary can perform 1M decryptions per second. This bruteforce attack falls in the setting of Level 1 of Data Confidentiality given in Section 5.

We observe, however, that the setting $(n = 10K, d = 2)$ may not be secure enough for achieving 80-bit security (i.e., a security parameter of 80) which is considered as the minimum security requirement for symmetric key security [18]. First of all, we can see that the number of trial symmetric keys is ${}_{10K}P_3 < 2^{40}$. The estimation given in [19] relies on the assumption that the adversary can perform at most 1M decryptions per second. This might be the case if the adversary can unleash the computational power of only a few machines. However, as finding the symmetric key $SK_G$ will enable the adversary to access the entire database, there is a strong incentive to devote more resources to the cracking task. One example is to make use of a botnet which usually contains hundreds of thousands of nodes [28]. Some botnets even have more than one million computers that can be utilized by an adversary to launch a bruteforce attack. Suppose 100K computers in a botnet are involved in the cracking task and each of them can run 10K decryptions per second, then the time required for finding $SK_G$ in the example above will be significantly reduced to just four months.

A New Bruteforce Attack. We propose a new bruteforce attacking technique which is different from the one described in [19], while it will be more effective in recovering the key $SK_G$ when the value of d is small, as in the example above. For each row of $\pi_d SK_G^{T^{-1}}$ (in Equation (3)), there are $d+1$ elements and each element is in $R$. The scalar product of row i of $\pi_d SK_G^{T^{-1}}$ and the $(d+1)$-element vector $C$ (in Equation (3)) is the i-th element of the corresponding plaintext point $P$. A bruteforce attack can be launched which can find out the i-th row of $\pi_d SK_G^{T^{-1}}$. The bruteforce attack can be launched independently for each row of $\pi_d SK_G^{T^{-1}}$. Once all the d rows of $\pi_d SK_G^{T^{-1}}$ are found, the adversary is then able to decrypt all the other ciphertexts by following the decryption algorithm (in Equation (3)).

Let $(e_{i,1}, e_{i,2}, \ldots, e_{i,d+1}) \in R^{d+1}$ be the $d+1$ elements on the ith row of $\pi_d SK_G^{T^{-1}}$. For each trial sequence of $(e_{i,1}, e_{i,2}, \ldots, e_{i,d+1})$, the adversary performs a decryption for each ciphertext in $\{C_i\}_{1 \le i \le n}$ and checks if the ith element in the decrypted point is equal to the ith element of any plaintext
in $\{P_j\}_{1 \le j \le n}$. This is carried out for all the n ciphertexts in $\{C_i\}_{1 \le i \le n}$. If all the checks are passed, then the adversary finds the correct $(e_{i,1}, e_{i,2}, \ldots, e_{i,d+1})$.

The total number of trial values for $(e_{i,1}, e_{i,2}, \ldots, e_{i,d+1})$ is $|R|^{d+1}$ for each row of $\pi_d SK_G^{T^{-1}}$. Since the bruteforce attack can be launched independently for each row, the total number of attempts that the adversary needs to try for finding the values of all the d rows of $\pi_d SK_G^{T^{-1}}$ is $d|R|^{d+1}$. Depending on the cardinality of $R$, the adversary may spend less effort to crack the system. Suppose that $d = 2$ and $R = [-1K, 1K]$. Then the total number of possible candidates for $SK_G$ is $2 \cdot 2000^3 \approx 2^{34}$ which does not satisfy 80-bit symmetric key security.

6.2 The Final ORE Construction

To defend against the new bruteforce attack above, the dimension d of the scheme can be augmented, for example, by setting $d \ge 80$. In this way, even if $SK_G$ is a binary matrix, the scheme can still provide at least 80-bit symmetric key security against the bruteforce attack above.

For Level 2 of Data Confidentiality (Section 5), dimension augmentation is not enough as the adversary knows the correspondence between the ciphertexts in $\{C_i\}_{1 \le i \le n}$ and the plaintext points in $\{P_i\}_{1 \le i \le n}$. Hence the adversary can recover $SK_G$ after getting $d + 1$ pairs of plaintext points $P_i$ and their encrypted counterparts $C_i$. In the following, we review a technique called secret splitting configuration which was proposed in [19]. The technique can be used to achieve Level 2 of Data Confidentiality.

Instead of generating one transformation matrix, we now choose two matrices for the ORE scheme, e.g., $SK_{G0}$ and $SK_{G1}$. For every extended location point $p$ (i.e., a point augmented with random dimensions) to be encrypted, we split it into two parts $p_a, p_b$ so that $p = p_a + p_b$. Note that for any query point $q$ it holds that $p \cdot q = p_a \cdot q + p_b \cdot q$. We then encrypt $p_a$ and $p_b$ under $SK_{G0}$ and $SK_{G1}$, respectively, e.g., $C_a \leftarrow SK_{G0}^T p_a$ and $C_b \leftarrow SK_{G1}^T p_b$. A query point $q$ is also encrypted twice, namely, we compute $Y_a \leftarrow SK_{G0}^{-1} q$ and $Y_b \leftarrow SK_{G1}^{-1} q$. We then have $C_a \cdot Y_a + C_b \cdot Y_b = p_a \cdot q + p_b \cdot q = p \cdot q = C \cdot Y$. The same technique can also be applied to the query point. That is, we can choose to split a query point into two parts, e.g., $q = q_a + q_b$, and encrypt each part under the corresponding secret key.

However, as analyzed in [19], the split technique alone does not improve the security. Therefore, we consider the secret splitting configuration. Specifically, we choose a secret configuration, which is a vector of bits, e.g., $\vec{b} = (b_1, \ldots, b_d)^T$ where $b_i \in \{0, 1\}$ for $i = 1, 2, \ldots, d$. If $b_i = 1$, we split $p_i$ (the ith entry of a location point $p$) into two parts, e.g., $p_i = p_{a,i} + p_{b,i}$, and copy $q_i$ (the ith entry of a query point $q$) twice, e.g., $q_{a,i} = q_{b,i} = q_i$; otherwise, we split $q_i$ into two parts, e.g., $q_i = q_{a,i} + q_{b,i}$, and copy $p_i$ twice. The configuration is secretly shared among all the users in the same group. We then have $\sum_{i=1}^{d} (p_{a,i} q_{a,i} + p_{b,i} q_{b,i}) = p \cdot q$. Since the configuration is unknown to the adversary and there are in total $2^d$ many possible choices, the enhanced scheme is $2^d$ times more costly for the adversary to break than the original ORE scheme.

7 THE SECURITY ANALYSIS OF OUR PPLSS USING ORE AND ORE-INDEX

There are different security aspects to consider in our Privacy-Preserving Location Sharing Services for social networking applications. In the following, we start with a security model.

7.1 Security Model

In our security model, we consider the database server as an adversary which tries to locate one user in a group of n users, all of which are mutually friends with each other. The group is denoted as $G = \{u_1, u_2, \ldots, u_n\}$ where the secret keys shared by the group members are $(SK_G, SK_D)$. The adversary (i.e., the database server) has access to data received from all the members in G. It can also collude with eavesdroppers and all other users in the system who are not in G. We say that the adversary is considered to have broken our PPLSS if the adversary is able to find out the location of any user in G solely from the data received from the n group members $u_1$ to $u_n$. We do not consider physical or side-channel attacks such as the adversary finding out a user’s location through other means, for example, by tracking the cell towers that are communicating with the user. Once again, a privacy-preserving location sharing system is for protecting the location privacy of users. The adversary knows the identity (or pseudonym) of each user in the system.

We also assume that the database server is curious but honest. It might try to determine the locations of users as described above, but it will run the algorithms honestly without denying service to any user. We also assume that no user in G colludes with the adversary. A user possesses the secret keys for encryption and decryption and would thus be able to decrypt all location information from other users if he/she colluded with the database server. Therefore, users are assumed not to share the secret keys $SK_G$ and $SK_D$ with the server. However, the database server can have secret keys of all other users in the system who are not in G.

7.2 Location Privacy against Service Provider

In our PPLSS, all the points sent to the server by users in the system are encrypted either using our ORE scheme introduced in Section 2.2 (i.e., $C_i$, ${}_i$, $c_i$ and $k_i$) or using AES [22] encryption (i.e., $D_i$). Because the encryption does not preserve distance, the server cannot gain any information from the encrypted points alone. Furthermore, the only operation possible on the encrypted points is relative distance comparisons, but without knowing the corresponding actual location of at least two points even distance comparisons do not reveal useful information. In the following, we consider the correlation of several types of encrypted points.

Query/Normal Points. In general, the database server can only run the following distance comparisons:

1) An encrypted location query point and an encrypted query marker $c$ or an encrypted user location point $C_u$
2) An encrypted user location point ${}_u$ (for the personalized privacy region scheme) and an encrypted privacy marker $k_u$ or an encrypted location query point
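As an added example (not the authors' code), the following Python implements the basic WCKM scheme of Section 6 (Equations (2) to (5)) together with the secret splitting configuration of Section 6.2, and checks that Cmp agrees with the true distances in both variants. Function names, the coordinate and share ranges, exact rational arithmetic, and the use of one configuration bit per entry of the (d+1)-element vector are assumptions; the random dimension augmentation is omitted.

```python
"""Toy model of the basic WCKM scheme (Eqs. (2)-(5)) and secret splitting (Sec. 6.2).
Added illustration with exact rational arithmetic; not a secure instantiation."""
import math
import random
from fractions import Fraction

def mat_inv(m):
    """Gauss-Jordan inverse over the rationals; None if m is singular."""
    n = len(m)
    a = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col] != 0), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        lead = a[col][col]
        a[col] = [x / lead for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def mat_vec(m, v):
    return [dot(row, v) for row in m]

def kgen(d, rng, bound=1000):
    """SK_G: random invertible (d+1)x(d+1) integer matrix, kept with its inverse."""
    while True:
        m = [[rng.randint(-bound, bound) for _ in range(d + 1)] for _ in range(d + 1)]
        inv = mat_inv(m)
        if inv is not None:
            return m, inv

def extend_point(p):
    """Eq. (2): P_hat = (p_1, ..., p_d, -0.5 * ||P||^2)."""
    return [Fraction(x) for x in p] + [Fraction(-1, 2) * dot(p, p)]

def extend_query(q, rng):
    """Eq. (4): Q_hat = r * (q_1, ..., q_d, 1) with a fresh random r > 0."""
    r = Fraction(rng.randint(1, 10**6), rng.randint(1, 10**6))
    return [r * x for x in list(q) + [1]]

def enc(key, p):
    return mat_vec(list(zip(*key[0])), extend_point(p))   # C = SK_G^T P_hat

def qgen(key, q, rng):
    return mat_vec(key[1], extend_query(q, rng))           # Y = SK_G^{-1} Q_hat

def cmp_closer(y, c0, c1):
    """Eq. (5): 0 if (C0 - C1) . Y > 0 (P0 is closer to Q), else 1. Uses no key."""
    return 0 if dot([a - b for a, b in zip(c0, c1)], y) > 0 else 1

def split(v, bits, split_when, rng):
    """Entry i becomes two random shares if bits[i] == split_when, else it is copied."""
    a = [Fraction(rng.randint(-10**6, 10**6)) if bit == split_when else x
         for x, bit in zip(v, bits)]
    b = [x - s if bit == split_when else x for x, s, bit in zip(v, a, bits)]
    return a, b

def enc_split(keys, bits, p, rng):
    pa, pb = split(extend_point(p), bits, 1, rng)          # b_i = 1: split p_i, copy q_i
    return mat_vec(list(zip(*keys[0][0])), pa), mat_vec(list(zip(*keys[1][0])), pb)

def qgen_split(keys, bits, q, rng):
    qa, qb = split(extend_query(q, rng), bits, 0, rng)     # b_i = 0: split q_i, copy p_i
    return mat_vec(keys[0][1], qa), mat_vec(keys[1][1], qb)

def cmp_split(y, c0, c1):
    """Eq. (5) on split ciphertexts: (C0a - C1a) . Ya + (C0b - C1b) . Yb > 0."""
    s = sum(dot([a - b for a, b in zip(c0[k], c1[k])], y[k]) for k in (0, 1))
    return 0 if s > 0 else 1

def keyspace_bits(d, r_size):
    """log2 of d * |R|^(d+1), the trial count of the row-wise search in Section 6.1."""
    return math.log2(d * r_size ** (d + 1))

def demo(trials=200, d=2, seed=7):
    """Counts trials where Cmp (basic or split) disagrees with the true distances."""
    rng = random.Random(seed)
    key, keys = kgen(d, rng), (kgen(d, rng), kgen(d, rng))
    bits = [rng.randint(0, 1) for _ in range(d + 1)]       # secret configuration (assumed)
    bad = 0
    for _ in range(trials):
        p0, p1, q = ([rng.randint(-1000, 1000) for _ in range(d)] for _ in range(3))
        d2 = lambda p: sum((a - b) ** 2 for a, b in zip(p, q))
        truth = 0 if d2(p0) < d2(p1) else 1
        basic = cmp_closer(qgen(key, q, rng), enc(key, p0), enc(key, p1))
        c0, c1 = enc_split(keys, bits, p0, rng), enc_split(keys, bits, p1, rng)
        bad += (basic != truth) + (cmp_split(qgen_split(keys, bits, q, rng), c0, c1) != truth)
    return bad
```

`demo()` returns the number of mismatches over random constructed points, and `keyspace_bits(2, 2000)` reproduces the roughly 34-bit search space computed in Section 6.1 for d = 2 and R = [-1K, 1K].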
SCHLEGEL ET AL.: PRIVACY-PRESERVING LOCATION SHARING SERVICES FOR SOCIAL NETWORKS 821
size of 100,000 users the cost of ORE is a small fraction of the cost of CRT. The difference gets smaller as the query range distance increases to 5 km (Fig. 10b), but ORE still requires only half to two thirds of the data transmitted compared to CRT.

8.2 Comparing ORE and ORE-Index

The second experiment was designed to compare the efficiency of the ORE scheme with the ORE-Index scheme. Because both schemes return the exact result to the user, the amount of data transmitted is identical. We therefore focused the comparison on the query time, i.e., the processing time required by the database server to run a query. The result shown in Fig. 11a confirms that the ORE-Index scheme is indeed an order of magnitude more efficient in terms of query processing time than the ORE scheme for relatively small query range distances dist, i.e., 1 km. This is due to the fact that the ORE scheme always has to search sequentially through all users in a group, while the ORE-Index scheme only compares the users in the relevant rings of the index. For larger query distances, i.e., 5 km, ORE-Index still requires only half the processing time, or even less than half as the number of users increases (Fig. 11b).

Fig. 11. Query time of ORE and ORE-Index (group size).

8.3 Effect of Parameters of ORE-Index

The ORE-Index scheme has a number of parameters which influence its performance. We looked at the two most important parameters among them. The first parameter is the height of an index structure. If the area covered by an index, i.e., $dist_{max}$, remains constant, varying the index tree height means varying the width of the index rings. Increasing the height of the index results in thinner rings (with a smaller total area) and vice versa. Fig. 12 shows how the required query processing time for the database server varies with the index height from two to five levels, where the group size is 5,000 users. For smaller query range distances (Fig. 12a), increasing the height from two to three (corresponding to going from three to seven rings) will yield significant improvement, while deeper trees result in somewhat smaller gains. For larger query range distances (Fig. 12b), the performance continues to improve as the index structure contains more levels.

Fig. 12. ORE-Index scheme (index levels).

Another important parameter of the ORE-Index scheme that influences the query processing time required by the database server is a ratio between the query range distance dist and the ring width, as the ratio below one signifies that it is more likely that only one index ring has to be searched, while the ratio larger than one means that always at least two or even more index rings have to be searched. However, if the query range distance remains fixed, a smaller ratio results in a much larger area being covered by the index, resulting in more users per index ring.

Fig. 13 shows the evolution of the query processing time as the ratio varies from 0.25 to 2.5 with the same number of index rings, for 1 km and 5 km queries. For a ratio of 0.25 (meaning that the width of an index ring is four times the query range distance), the query processing time required by the database server is the highest, due to the fact that the index area is large, with each ring containing many users. As the ratio increases, the query processing time drops, most significantly until it reaches 0.75. Larger ratios only marginally decrease the query processing time. For larger query range distances (Fig. 13b) there is a special effect for a ratio of one, resulting in longer query processing time than a ratio of 0.75 or 1.5. On the other hand, increasing the ratio has as a consequence that the index has to be rebuilt more often because the total index area is proportionally smaller and a querying user will leave the index area of a previously built index sooner. 0.75 therefore seems to be an acceptable compromise between good query performance (in terms of query processing time) and the frequency with which the index has to be rebuilt.

Fig. 13. ORE-Index scheme (the ratio of the query range distance to the index ring width).

9 RELATED WORK

In this section, we survey the privacy-preserving techniques for conventional location-based services, spatial data outsourcing, and location sharing services.

Location-based services. The problem of user location privacy in location-based services has been addressed from several angles before. For example techniques such as
k-anonymity or location cloaking, where the location of a user is expanded to include $k - 1$ other users [8], [9], [10], [11]. Another approach uses oblivious transfer or private information retrieval to allow a user to retrieve points of interest without the server knowing what was retrieved [29], [30], [31]. In conventional location-based services, the information held by the server (points of interest) is static, while the information held by the user (i.e., the user location) is dynamic. If location-based services are used for locating friends, on the other hand, then all information is dynamic, i.e., both the information held by the user (his/her own location) and the information held by the server (the location of all users). Privacy-preserving query processing schemes designed for conventional location-based services (such as store finders, etc.) are therefore usually not directly applicable to location-based services for locating friends, i.e., location sharing services for social networks.

Spatial data outsourcing. An order-preserving encryption scheme [20], [21] protects outsourcing data by using a bucket-based encryption $E$ such that $E(x) < E(y)$ for every pair of values for which $x < y$. However, since the order-preserving encryption scheme can only protect data in simple numerical domains, it cannot easily be extended to protect spatial data. Another approach described in [32] for outsourcing data uses homomorphic encryption (footnote 4) to enable aggregate SQL queries over encrypted databases. The scope is very limited, though, focusing only on simple numerical domains and aggregate queries in SQL. Furthermore, the scheme has been shown to be insecure in [33].

4. Homomorphic encryption allows performing addition and/or multiplication over ciphertexts such that it corresponds to the same operation over the plaintext, i.e., $\varepsilon(x) + \varepsilon(y) = \varepsilon(x + y)$, and/or $\varepsilon(x) \cdot \varepsilon(y) = \varepsilon(x \cdot y)$.

For spatial data, one approach to preserve privacy in spatial datasets is to transform or perturb data in a way which still allows making meaningful operations on the transformed data. Both [34] and [35] suggest such kinds of distance-recoverable transformations, where the distance between points is preserved. Wong et al. showed in [19] that distance-recoverable or general scalar-product-preserving encryption schemes are not secure against certain attacks and in [36], Liu et al. demonstrated how the original data can be recovered in schemes such as [34] and [35]. In [19], Wong et al. introduced a scheme which is asymmetric scalar-product-preserving instead of general scalar-product-preserving, making it immune to such attacks.

A similar paper on outsourcing location data to an untrusted third party is by Yiu et al. [16]. Similar to Wong et al. [19] it transforms a database before outsourcing it to a service provider. Authorized users share a private key so they can send queries to the service provider, who can work on the transformed data to generate a response without learning any location information. Both those schemes [16], [19], however, are for outsourcing static data. For applications where the location of points is updated continuously, [16] for example would require the whole database to be re-transformed for each update, which is impractical.

Location sharing services. One paper proposing three different algorithms for a privacy-preserving location-based service for locating friends is by Zhong et al. [37]. Their algorithms use an additive homomorphic cryptosystem to perform secure multi-party computation. Their first scheme, Louis, allows two users to determine whether they are in proximity if and only if they are nearby, using a semi-trusted third party. Lester, the second scheme, does not need any third party and relies instead on letting a user solve a computational puzzle to determine whether another user is nearby. Each user determines the hardness of the puzzle and consequently, the amount of work necessary for other users to find out whether they are in proximity. The third scheme, Pierre, makes use of a grid structure and encrypted grid coordinates to determine whether two users are in the same or in adjacent grid cells. There are other grid-based schemes, but they usually have the drawback that locations and proximity calculations are approximate because the distance between grid cells does not capture exactly the distance between users within those cells.

Another approach by Mascetti et al. in [14] uses three different protocols called SP-Filtering, Hide&Seek and Hide&Crypt. SP-Filtering computes the proximity between users with a certain degree of approximation. It requires a third party which does the computation. The third party compares so-called granules, which obfuscate the exact location of users to determine the approximate distance between them. If more precision is needed, Hide&Seek or Hide&Crypt is run as a second step. Hide&Seek starts a direct interaction between two users to get a more precise distance measurement. Hide&Crypt also requires direct interaction between users but uses secure computation to leak less information about the respective position of users. Nevertheless, the first step, SP-Filtering, will still leak the approximate location of each user to the third party.

In [13], Šikšnys et al. present an approach based on encrypted grid indices. Users share a list of grids with different levels (or resolutions). Each cell in a grid of a specific resolution can be mapped to a unique number through a one-to-one function such as AES. A server can then determine proximity by comparing these numbers, asking users to switch to a finer resolution if necessary. This requires several rounds of communication when two users are close, making it more expensive in terms of communication. A recent paper also by Šikšnys et al. [12] introduces Vicinity Locator which is similar to the Friend Locator in [13] but allows arbitrarily shaped regions of interest.

Another privacy-preserving location-sharing service proposed by Herrmann et al. [38] makes use of identity-based broadcast encryption (IBE) to realize a location-sharing service that affords location privacy with respect to the central server. One version of the scheme shares the location with friends irrespective of their relative location, leading to more data being transferred than necessary. An updated version maps locations to discrete regions to counteract this problem, but the mapping is approximate as it depends on the definition of the regions, while our scheme is exact in defining within which range to share locations. Furthermore, our scheme also provides personalized privacy regions, while their scheme has no such provisions.

Similarly, Freudiger et al. [39] also make use of broadcast encryption (albeit not identity-based) to distribute locations among friends, augmenting the system with dummy queries and caching of information required for localization
to minimize leaking information through the geo-location process. In contrast, while our scheme is also cryptography-based, our scheme minimizes overhead by enabling the server to only send relevant locations as the response to a query of a user, and our scheme also provides privacy from overly curious friends.
To summarize, our PPLSS using the proposed ORE scheme can distinguish itself from existing solutions in that it (1) provides secure location privacy by not disclosing any location information about users and queries, not even approximate location information, to a database server, (2) does not require any third party, (3) achieves low communication and computational overhead by not requiring any direct communication between users or multiple-round communication between a user and a database server, (4) designs an index structure for our ORE scheme to improve query processing efficiency, (5) supports highly dynamic location updates from individual users efficiently, and (6) introduces a new privacy notion, called a personalized privacy region, to further improve user privacy within a group of friends.
10 CONCLUSION
In this paper, we introduce an Order-Retrievable Encryption scheme, a new encryption notion for Privacy-Preserving Location Sharing Services in social networking applications. ORE is designed to answer location queries that allow a user to view the exact location of his/her friends within a user-specified distance without revealing any location information about the user and his/her friends to the database server and any other users in the system. The distinguishing characteristics of ORE compared to existing algorithms are that ORE provides secure location privacy, achieves low communication and computational cost, and supports dynamic location updates. To improve query processing efficiency, we propose a tree-like index structure for our ORE scheme (ORE-Index) to facilitate range searches over the encrypted locations of a group of friends. In addition, a personalized privacy region scheme is proposed to further improve user privacy within a group of friends by enabling a user to specify a maximum distance up to which his/her friends are allowed to locate the user. We also perform experiments to evaluate ORE and ORE-Index and show that their performance is much better compared to the state-of-the-art cryptography-based technique designed for spatial queries.
ACKNOWLEDGMENTS
Qiong Huang was supported by the National Natural Science Foundation of China (No. 61472146), the Guangdong Natural Science Funds for Distinguished Young Scholar (No. 2014A030306021), the CICAEET fund and the PAPD fund (No. KJR1615).
REFERENCES
[1] (2016). Facebook Places [Online]. Available: http://www.facebook.com/places/
[2] (2016). Foursquare [Online]. Available: http://www.foursquare.com
[3] (2016). Google Plus [Online]. Available: https://plus.google.com
[4] (2016). Loopt [Online]. Available: http://www.loopt.com
[5] L. Barkhuus, B. Brown, M. Bell, S. Sherwood, M. Hall, and M. Chalmers, “From awareness to repartee: Sharing location within social groups,” in Proc. ACM Conf. Human Factors Comput. Syst., 2008, pp. 497–506.
[6] E. Toch, et al., “Empirical models of privacy in location sharing,” in Proc. ACM Int. Conf. Ubiquitous Comput., 2010, pp. 129–138.
[7] S. Consolvo, et al., “Location disclosure to social relations: Why, when, & what people want to share,” in Proc. ACM Conf. Human Factors Comput. Syst., 2005, pp. 81–90.
[8] C.-Y. Chow, M. F. Mokbel, and W. G. Aref, “Casper*: Query processing for location services without compromising privacy,” ACM Trans. Database Syst., vol. 34, no. 4, pp. 1–48, 2009.
[9] M. Gruteser and D. Grunwald, “Anonymous usage of location-based services through spatial and temporal cloaking,” in Proc. ACM Int. Conf. Mobile Syst., Appl., Serv., 2003, pp. 31–42.
[10] M. F. Mokbel, C.-Y. Chow, and W. G. Aref, “The new casper: Query processing for location services without compromising privacy,” in Proc. Int. Conf. Very Large Data Bases, 2006, pp. 763–774.
[11] T. Wang and L. Liu, “Privacy-aware mobile services over road networks,” in Proc. Int. Conf. Very Large Data Bases, 2009, pp. 1042–1053.
[12] L. Siksnys, J. R. Thomsen, S. Saltenis, and M. L. Yiu, “Private and flexible proximity detection in mobile social networks,” in Proc. Int. Conf. Mobile Data Manage., 2010, pp. 75–84.
[13] L. Siksnys, J. R. Thomsen, S. Saltenis, M. L. Yiu, and O. Andersen, “A location privacy aware friend locator,” in Proc. Int. Symp. Spatial Temporal Databases, 2009, pp. 405–410.
[14] S. Mascetti, C. Bettini, and D. Freni, “Longitude: Centralized privacy-preserving computation of users’ proximity,” in Proc. Int. Workshop Secure Data Manage., 2009, pp. 142–157.
[15] S. Triukose, S. Ardon, A. Mahanti, and A. Seth, “Geolocating IP addresses in cellular data networks,” in Proc. 13th Int. Conf. Passive Active Meas., 2012, vol. 7192, pp. 158–167.
[16] M. L. Yiu, G. Ghinita, C. S. Jensen, and P. Kalnis, “Enabling search services on outsourced private spatial data,” Int. J. Very Large Data Bases, vol. 19, no. 3, pp. 363–384, 2010.
[17] O. Goldreich, Foundations of Cryptography, volume I, Basic Tools. Cambridge, U.K.: Cambridge Univ. Press, 2007.
[18] B. Kaliski. (2003). TWIRL and RSA key size CryptoBytes Technical Newsletter [Online]. Available: http://www.rsa.com/rsalabs/node.asp?id=2004
[19] W. K. Wong, D. W.-L. Cheung, B. Kao, and N. Mamoulis, “Secure kNN computation on encrypted databases,” in Proc. ACM Int. Conf. Manage. Data, 2009, pp. 139–152.
[20] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu, “Order-preserving encryption for numeric data,” in Proc. ACM Int. Conf. Manage. Data, 2004, pp. 563–574.
[21] A. Boldyreva, N. Chenette, Y. Lee, and A. O’Neill, “Order-preserving symmetric encryption,” in Proc. 28th Annu. Int. Conf. Adv. Cryptol.: Theory Appl. Cryptograph. Techn., 2009, pp. 224–241.
[22] (2001). Specification for the advanced encryption standard (AES) Federal Information Processing Standards Publication 197 [Online]. Available: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[23] C. Boyd and A. Mathuria, Protocols for Authentication and Key Establishment. New York, NY, USA: Springer, 2003.
[24] IEEE, P1363-2000: Standard Specifications For Public Key Cryptography, pp. 1–228, Aug. 2000.
[25] (2016). Google Latitude [Online]. Available: http://www.google.com/latitude
[26] (2016). Facebook Statistics [Online]. Available: http://www.facebook.com/press/info.php?statistics
[27] S. Chen, C. S. Jensen, and D. Lin, “A benchmark for evaluating moving object indexes,” in Proc. Int. Conf. Very Large Data Bases, 2008, pp. 1574–1585.
[28] P. Barford and V. Yegneswaran, An Inside Look at Botnets. New York, NY, USA: Springer, 2007, pp. 171–191.
[29] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L. Tan, “Private queries in location based services: Anonymizers are not necessary,” in Proc. ACM Int. Conf. Manage. Data, 2008, pp. 121–132.
[30] M. Kohlweiss, et al., “Efficient oblivious augmented maps: Location-based services with a payment broker,” in Proc. 7th Int. Conf. Privacy Enhancing Technol. Symp., 2007, pp. 77–94.
[31] R. Vishwanathan and Y. Huang, “A two-level protocol to answer private location-based queries,” in Proc. IEEE Int. Conf. Intell. Security Inform., 2009, pp. 149–154.
SCHLEGEL ET AL.: PRIVACY-PRESERVING LOCATION SHARING SERVICES FOR SOCIAL NETWORKS 825
[32] H. Hacigümüs, B. R. Iyer, and S. Mehrotra, “Efficient execution of aggregation queries over encrypted relational databases,” in Proc. 9th Int. Conf. Database Syst. Adv. Appl., 2004, pp. 125–136.
[33] E. Mykletun and G. Tsudik, “Aggregation queries in the database-as-a-service model,” in Proc. Annu. IFIP Conf. Data Appl. Security, 2006, pp. 89–103.
[34] K. Chen and L. Liu, “Privacy preserving data classification with rotation perturbation,” in Proc. IEEE Int. Conf. Data Mining, 2005, pp. 589–592.
[35] S. R. M. Oliveira and O. R. Zaïane, “Achieving privacy preservation when sharing data for clustering,” in Proc. SIAM Int. Conf. Data Mining, 2004, pp. 67–82.
[36] K. Liu, C. Giannella, and H. Kargupta, “An attacker’s view of distance preserving maps for privacy preserving data mining,” in Proc. 10th Eur. Conf. Principles Practice Knowl. Discovery Databases, 2006, pp. 297–308.
[37] G. Zhong, I. Goldberg, and U. Hengartner, “Louis, lester and pierre: Three protocols for location privacy,” in Proc. Privacy Enhancing Technol. Symp., 2007, pp. 62–76.
[38] M. Herrmann, A. Rial, C. Diaz, and B. Preneel, “Practical privacy-preserving location-sharing based services with aggregate statistics,” in Proc. ACM Conf. Security Privacy Wireless Mobile Netw., 2014, pp. 87–98.
[39] J. Freudiger, R. Neu, and J.-P. Hubaux, “Private sharing of user location over online social networks,” in Proc. 3rd Hot Topics Privacy Enhancing Technol., 2010, pp. 62–72.
Roman Schlegel received the MSc degree from the EPFL, Switzerland, in communication systems and the PhD degree in computer science from the City University, Hong Kong. During his doctoral studies he also spent a year as a research assistant at the Indiana University Bloomington, Bloomington, IN. After receiving the PhD degree, he joined ABB Corporate Research as a research scientist for security in industrial control systems. His research interests include privacy, network security, and applied cryptography. He is a member of the IEEE.
Chi-Yin Chow received the MS and PhD degrees from the University of Minnesota-Twin Cities in 2008 and 2010, respectively. He is currently an assistant professor at the Department of Computer Science, City University of Hong Kong. His research interests include spatio-temporal data management and analytics, machine learning, GIS, mobile computing, and location-based services. He was the co-organizer of ACM SIGSPATIAL MobiGIS 2012, 2013, 2014, and 2015. He is a member of the IEEE.
Qiong Huang received the BS and MS degrees from the Fudan University, in 2003 and 2006, respectively, and the PhD degree from the City University of Hong Kong, in 2010. He is currently a professor at the South China Agricultural University. His research interests include cryptography and information security, in particular, cryptographic protocols design and analysis. He is a member of the IEEE.
Duncan S. Wong received the BEng degree from the University of Hong Kong in 1994, the MPhil degree from the Chinese University of Hong Kong in 1998, and the PhD degree from the Northeastern University, Boston, MA, in 2002. He is currently the director of Security and Data Sciences, ASTRI, Hong Kong. His primary research interest is cryptography; in particular, cryptographic protocols, encryption and signature schemes, and anonymous systems. He is a member of the IEEE.