1 Introduction
In recent years, with the rapid development of ecommerce, online shopping has become a popular trend. Online shopping is an interactive activity between a buyer and a seller, where after completing an order by a buyer, the product is delivered via a logistics system [23]. Logistics system helps to reduce product cost and save shopping time.
Unfortunately, the current LISs [40] cannot effectively protect users’ privacy information. Users’ personal information is clearly visible on the express bill and the LIS database [50]. Some data breaches in LISs released users’ personal information, including addresses, phone numbers, transaction details, etc. If a user’s personal information is leaked and maliciously collected, she may be at high risk of identity forgery and property fraud, in addition to the risk of being harassed by spam messages. Therefore, it is interesting and important to consider the privacy issues in LISs.
Furthermore, since a product is delivered by multiple logistics stations, it is important to record the whole logistics process and make the process unforgeable. Additionally, to prevent users from conducting illegal transactions, users can be deanonymized [12, 21] and traced.
In this paper, we propose a privacypreserving logistics information system with traceability (PPLIST). Compared with the existing LISs, our scheme has the following advantages:

Users can anonymously use the logistics services in our PPLIST scheme. Users generate and use different pseudonyms in different logistics services. Even the internal staff of a logistics company can not directly obtain the information of users’ identities, our PPLIST effectively protects users’ personal information.

In the case that the identity of a user needs to be released, a trace party can deanonymize a user and find his identity. This properties prevent users from conducting illegal logistics via a logistics system.

Our PPLIST scheme is efficient. Multisignature is applied to record the delivery process and reduces the storage space.
Contributions:
Our main contributions in this paper are summarised as follows: 1) The definition and security model of our PPLIST scheme are formalised; 2) A PPLIST scheme is formally constructed; 3) The security of our PPLIST scheme is formally reduced to wellknown complexity assumptions; 4) Our PPLIST scheme is implemented and evaluated.
1.1 Related Work
In this subsection, we introduce the work which is related to our PPLST scheme, including LIS, privacy protection in LIS, multisignature and pseudonym.
1.1.1 Logistics Information System
LIS is a subsystem and the nerve center of logistics systems. As the control center of the whole logistics activities, LIS has many functions. The main functions of LIS are as follows: collect, store, transmit, process, maintain and output logistics information; provide strategic decision support for logistics managers; improve the efficiency of logistics operations [39].
Bardi et al. [26] pointed out that the choice of LIS directly affected the logistics cost and customerservice level. Lai et al. [38] showed that LISs is very important for a company to manage product inventory and predict the trend of customers’ online shopping. In addition, Ngai et al. [42] claimed that LIS is an information system that can promote a good communication between the companies and the customers. An LIS adoption model was proposed in [42] to examine the relationship among organizational environment, perceived benefits and perceived barriers of LIS adoption. In [29], Closs and Xu argued that the important source of enterprise competitive advantages was logistics information technology. Their research showed that companies with advanced logistics information technology and LIS performed better than other companies.
LISs have been proposed and applied into various application scenarios [24, 46]. Amazon [24] is one of the first companies to provide ecommerce services. Amazon has a logistics system, which realizes the organization and operation of the whole logistics activities. Amazon has also added special technology, OneClick [13], in their LIS, which can automatically store the information of customers. Therefore, customers do not input their person information in each shopping. In addition, Amazon’s LIS has the following functions [30]: order confirmation in time, smooth logistics process, accurate inventory information and optional logistics methods, etc. Amazon has become a business to consumer (B2C) ecommerce [37] company.
Taobao [46] is a consumer to consumer (C2C) ecommerce [15] platform. Taobao entrusts all logistics activities to a third party logistics company, but takes a series of measures to ensure the security of logistics activities. For instance, Taobao implements the network realname system (NRS) [14] in their LIS, and has set up a special customerservice department to solve products logistics problems. Besides, Taobao has the functions of timely confirmation of orders and delivery within the specified time.
1.1.2 Privacy Protection in LIS
Although the LIS of ecommerce platform brings convenience to people’s life, it also brings great challenges to privacy protection. LIS stores a large number of users’ personal information. Once the information is leaked, it will result in serious threaten to the life and safety of users. Some privacy protection methods in LIS have been proposed, such as [31, 17, 19, 20, 47, 49, 16]. We compare our scheme with these systems in Table 1.
Léauté et al. [17] proposed a scheme to ensure the privacy of users while minimizing the cost of logistics operation. The scheme formalizes the problem as a Distributed Constraint Optimization Problem (DCOP) [33], and combines various techniques of cryptography. But the disadvantage of this scheme [17] is that the anonymization of users is not considered. In [16], Frank et al. proposed a set of protocols for tracking logistics information, which is a lightweight privacy protection mechanism.
To solve the problem of privacy leakage caused by stolen express order number, Wei et al. [49] proposed a kanonymous model to protect logistics information. However, the method only protects a part of users’ personal information, because the names and telephone numbers of receivers are directly printed on the express bills for delivery.
To improve the security of [49], Qi et al. [19] proposed a new logistics management scheme based on encrypted QR code [47]. After a courier scans the encrypted QR code by using an APP, the logistics information of products in the database is automatically updated through GPRS or WiFi. The APP provides an optimal delivery route for couriers. However, the problem of [19] is that users’ personal information is still visible to the internal staff of express companies. In addition, Laslo et al. [47] proposed a traceable LIS based on QR code. However, this scheme does not consider privacy protection.
Furthermore, Gao et al. [31] proposed a secure LIS, named LIPPA, which can protect the logistics process information between different logistics stations, but the protection of users’ personal information is not considered well. Hence, the privacy of users in LISs [31, 19, 47] was not fully considered.
Liu et al. [20] designed an LIS based on the Near Field Communication (NFC) [51] technology. In [20], users’ personal information was hidden in tags, and only authorized people can access information. However, because of the limitation of computation power, the scheme cannot perform complex encryption and decryption processes.
In summary, above schemes addressed the privacy issues in LIS, but these schemes did not consider the track of delievery process and the trace of illegal users. However, these are important issues in LISs. Therefore, to solve these problems, we propose a new privacypreserving LIS called PPLIST.
1.1.3 MultiSignature
Multisignature, also called multidigital signature, is an important branch of digital signature. Multisignature is suitable to the case where multiple users sign on a message, and a verifier is convinced that each user participated in the signing [7].
Itakura [35] first proposed the concept of multisignature, and proposed a multisignature scheme with fixed number of signatures. Then, many multisignature schemes were proposed [9, 4, 6, 43, 2, 44]. The multisignature generation time of schemes [35, 44] is linear with the number of signers. Okamoto et al. [2] proposed a mutisignature scheme, but it, like scheme [43], only allows each signer in a group to sign the message. It’s inflexible. Furthermore, Ohta and Okamoto [43] formlized the security model of multisignature. However, this scheme did not consider the security of the key generation process, so its security is not strong. Based on [43], Micali et al. [6] proposed a formal and strong security model for multisignature. Bellare and Neven [9] proposed a new scheme and proved its secure in the plain publickey model. This scheme improved the efficiency of previous multisignature schemes.
Since it enables multiple signers to collabratively sign on a message, multisignature has been used into various application scenarios, such as [41, 48, 25, 22]. Shacham [8] proposed a sequential aggregate multisignature scheme. The scheme computed the final multisignature by sequentially aggregating the signatures from multiple signers. However, the data transmission of [8] is large. To solve this problem, Neven [41] presented a new sequential aggregate multisignature scheme based on [8]. The scheme of [41] reduces signing and verification costs effectively.
Tiwari et al. [48] proposed a secure multiproxy multisignature scheme. It does not need paring operations, and reduces the running time. The scheme is aslo secure against the attack of selected messages. However, Asaar et al.[25] found the scheme in [48] is insecure, and proposed an identitybased multiproxy and multisignature scheme without pairing. The security of this scheme was reduced to the RSA assumption in the random oracle model by using the Forking Lemma technique [11].
Recently, Dan et al.[22] proposed a new multisignature scheme. Signature compression and publickey aggregation were used in the scheme. Therefore, when a group of signers signed a message, the verifier only needs to verify the final aggregate signature. The advantage of this scheme is that the size of final aggregate signature is constant and independent of the number of signers. Furthermore, this scheme is secure against roguekey attacks. When constructing our PPLIST, we apply the scheme [22] to record the whole logistics process and reduces the storage cost.
1.1.4 Pseudonym
Pseudonym is a method that allows users to interact anonymously with other organizations. Because pseudonym is unlinkable, it can effectively protect the information of a user’s identity [45] among multiple authentications. The common pseudonym generation techniques are as follows [28]: 1) Encryption with public key; 2) Hash function; 3) Keyedhash function with stored key; 4) Tokenization.
Chaum [27] found that pseudonym enables users to work anonymously with multiple organizations, and users can use different pseudonyms in different organizations. Because of the unlinkability of pseudonym, no organization can link a user’s pseudonyms to her identities. Later, Chaum and Evertse [1] presented a pseudonym model scheme based on RSA. However, the scheme needs a trusted center to complete the sign and transfer of all users’ credentials.
To reduce the trust on the trusted center, Chen [3] proposed a scheme based on the discrete logarithm assumption. The scheme also needs a trusted center, but the trusted center is only required for pseudonym verification. Although Chen’s scheme is less dependent on the trusted center than the scheme [1], the trusted center was still required.
In order to enable users to have the initiative in the pseudonym system, Lysyanskaya et al. [5] proposed a new scheme. In this scheme, a user’s master secret key was introduced. If the master secret keys are different, the information of users’ identities must be different. In addition, the pseudonym certificate submitted by a user to an organization only corresponds to the user’s master public key and does not disclose the information of his master secret key.
Pseudonym has been applied in some schemes [34, 36] to protect users’ privacy. To reduce the communication cost of traditional pseudonym systems in Internet of Vehicles, Kang et al. [36] proposed a privacypreserved pseudonym scheme. In this scheme, the network edge resources were used for effective management, and the communication cost was effectively reduced.
In [34], Han et al. proposed an anonymous single signon (ASSO) scheme. In this scheme, pseudonym was applied to protect users’ identities. A user uses his secret key to generate different pseudonyms, and obtains a ticket from a ticket issuer anonymously without releasing anything about his real identity. Furthermore, a user can use different pseudonyms to buy different tickets and the ticket issuer cannot know whether two tickets are for the same user or two different users. In our PPLIST scheme, to protect users’ privacy, we apply the pseudonym developed in [34] to enable users to use logistics services anonymously and unlinkably.
1.2 Paper Organisation
The remainder of this paper is organised as follows. Section 2 presents the preliminaries used in our scheme, and describes the formal definition and security model of our PPLIST scheme. Section 3 provides the construction of our scheme. The security proof and implementation of our scheme are presented in Section 4 and Section 5, respectively. Finally, Section 6 concludes this paper.
2 Preliminaries
In this section, the preliminaries used throughout this paper are introduced, including bilinear group, complexity assumptions, formal definition and security model. Table 2 summaries the notations used in this paper
Notation  Explanation  Notation  Explanation 

A security parameter  Pseudonym  The pseudonym of  
The ith logistics station  Public parameters  
User  PPT  Probable polynomialtime  
The trace party  A bilinear group generator  
YA  The aggregation of  x is randomly selected from  
AgY  A set of selected public keys  Cryptographic hash functions  
The aggregation of signatures  The ith single signature  
The proof of user’s ownership  I  A set consisting of the indexes  
d  The number of elements in  of selected logistics stations  
q  A prime number 
The framework of our PPLIST is presented in Fig. 1. The system first generates the public parameters . Then, each entity (e.g. logistics station, user and the trace party) generates its secretpublic key pair. Prior to ordering a service, the user generates a pseudonym by using his secret key. The system determines the delivery path, and then generates the aggregated public key of the selected logistics stations. After that, each selected logistics station generates its single signature on the product information, pseudonym and aggregated public key, and then passes it to the next selected logistics station. Finally, the last selected logistic station generates its signature and the aggregate signature . To obtain a product, the user needs to prove that he is the owner by generating a proof of the knowledge included in the pseudonym. The user can verify whether the product is delivered correctly by checking the aggregate signature . In the case that the identity of a user needs to be traced, the trace party can use his secret key to deanonymous the pseudonym, and find the user’s identity.
2.1 Bilinear Group
Let be cyclic groups with prime order . A map is a bilinear map if it satisfies the following properties: (1) Bilinearity: For all , , , ; (2) Nondegeneration: For all , , , where is the identity element in ; (3) Computability: For all , , there exists an efficient algorithm to compute .
Let be a bilinear group generator which takes as input a security parameter and outputs a bilinear group .
A function is negligible if for any , there exist a such that when .
2.2 Complexity Assumptions
Definition 1 (Computational DiffieHellman (CDH) Assumption [10])
Let , and be generator of , respectively. Suppose that . Given a triple , we say that the assumption holds on if all adversaries can output with a negligible advantage, namely .
Definition 2 (Discrete Logarithm (DL) Assumption [32])
Let be a cyclic group with prime order , and be a generator of . Given , we say that the assumption holds on if all adversaries can output a number such that with a negligible advantage, namely .
2.3 Formal Definition
A PPLIST scheme is formalized by the following eight algorithms:
The algorithm takes the security parameters as input and outputs the public parameters .
This algorithm consists of the following subalgorithms:

This algorithm is executed by each logistics station . takes the security parameters as input, and outputs his secretpublic key pair , where .

This algorithm is executed by a user . takes the security parameters as input, and outputs his secretpublic key pair .

This algorithm is executed by a trace party . takes the security parameters as input, and outputs his secretpublic key pair .
This algorithm is executed by . takes as input his secret key , the public key of the trace party and the public parameters , and outputs a pseudoym .
Let be a set which consists of the indexes of some selected logistics stations. This algorithm takes as input the public parameters and the public keys of selected logistics stations, and outputs the aggregated public key .
This algorithm consists of the following subalgorithms:

This algorithm is executed by each selected logistics station . takes as input its secret key , the aggregated public key , product information and the public parameters , and outputs a signature , where .

This algorithm takes as input the public parameters and signatures , and outputs a final signature .
This algorithm is executed between and .

takes as input his secret key , the public key , his pseudonym and the public parameters , and outputs a proof .

The verifier takes as input the public parameters , and outputs if the proof is valid; otherwise, it outputs to show the proof is invalid.
This algorithm takes as input the public parameters , the final signature , the pseudonym , the aggregated public key and product information , and outputs if signature is valid; otherwise, it outputs to show it is an invalid signature.
This algorithm is executed by . takes as input his secret key , the pseudonym , the aggregated public key , the final signature , product information and the public parameters , and outputs public key if the signature is valid; otherwise, it outputs to show failure.
2.4 Security Requirements
The security model of our scheme is defined by the following two games.
2.4.1 Unforgeability.
This is used to define the unforgeability of signature, namely even if users, the trace party and the other stations collude, they cannot forge a valid signature on behalf of the selected logistics stations. This game is executed between a challenger and a forger .
Setup.
runs and sends to .
KeyGeneration Query.

asks the public key of stations. runs and sends the station’s public key to .

When asks a urse’s secretpublic key pair, runs and sends to . Let be a set of users’ public key.

When asks the secretpublic key of the trace party, runs and sends to .
UserPseudonym Query.
submits a and the public key of the trace party, runs and sends to . Let be a set of pseudonyms of users.
PublicKeyAggregation Query.
Let be a set which consists of the indexes of some selected logistics stations and let be the number of elements in the set . submits a group of selected stations’ public keys. runs , where . returns to .
Sign Query.
adaptively submits selected station’s secret key , the aggregation of public key , and pseudonym and the product information to ask for a single signature up to times.
Output.
outputs a forged signature , a final signature , pseudonym and the product information , the public keys of selected logistics stations and the aggregated public keys . wins the game if , has not conducted signature query on the message , and .
Definition 3
A privacypreserving logistics information system with traceability is unforgeable if all probabilistic polynomialtime (PPT) forger who makes signature queries can only win the above game with a negligible advantage, namely
(1) 
2.4.2 Traceability.
This is used to formalise the traceability of our scheme, namely an attacker cannot frame a user who did not use the logistics services. We suppose that at least one station is honest. This game is executed between a challenger and an attacker .
Setup.
runs and sends to .
KeyGeneration Query.

can ask for the public key of each station. runs and sends the station’s public key to .

When asks a urse’s secretpublic key pair, runs . Let the secretpublic key pair of be . sends other users’ secretpublic key pair and to . Let be a set consisting of users’s public keys.

When asks the secretpublic key pair of the trace party, runs and sends to .
UserPseudonym Query.
submits a user’s and the public key of the trace party, runs and sends to . Let be a set of pseudonyms of users.
PublicKeyAggregation Query.
Let be a set which consists of the indexes of some selected logistics stations and let be the number of elements in the set . submits a group of selected stations’ public keys. runs , where . returns to .
Sign Query.
adaptively submits a selected station’s secret key , the aggregation of public key , and pseudonym and the product information to ask for a single signature up to times.
Output.
outputs a tuple . wins the game if with or .
Definition 4
A privacypreserving logistics information system with traceability is traceable if all probabilistic polynomialtime (PPT) adversary who makes signature queries can only win the above game with a negligible advantage, namely
(2) 
3 Construction of Our Scheme
In this section, we introduce the construction of our scheme. We firstly present a highlevel overview, and then describe the formal construction of our scheme.
3.1 HighLevel Overview
The highlevel overview of our scheme is as follows.
Setup.
The system generates the corresponding public parameters .
KeyGeneration.
Suppose that there are logistics stations. Each , and generate their secretpublic key pairs , and , where .
UserPseudonym.
In order to protect privacy in a delivery process, generates a pseudonym by using his secret key and public key .
PublicKeyAggregation.
According to product information, the system determines the logistics process by selecting a set of logistics stations . Let be a set consisting of the public keys of the selected logistics stations. For each service, a table is built to record its delivery information. The system uses the public key of each and the set to generate to resist the rogue key attacks, where . Then, the system generates the aggregated public key .
Sign.
Each selected logistics station uses his secret key to generate a signature on pseudonym and the product information , and sends to the next logistics stations. Finally, the last logistic station use his secret key to generate a single signature on pseudonym and the producte information , and compute the aggregated signature . also adds to the table .
UserOwnershipVerify.
When proves to the last logistic station that he is the owner of the product, he proves that his secret key is included in the pseudonym by executing a zeroknowledge proof with . If the proof is correct, is the owner of the product; otherwise, he is not the owner of the product.
Verify.
When receives a product, he checks whether the product was delivered correctly by checking the validity of the aggregate signature . If it is, the product is delivered correctly; otherwise, there are some problems in the delivery process.
Trace.
Given , in the case that a user needs to be deanonymized, the trace party first checks whether the signature is correct or not. If it is incorrect, aborts; otherwise, users his secret key to deanonymize the Pseudonym and get ’s public key .
3.2 Formal Construction
The formal construction of our PPLIST scheme is formalised by the following eight algorithms:
Setup.
The system runs with . Let be a generator of and be a generator of . Suppose that and are cryptographic hash functions. The public parameters are .
KeyGeneration.

Each logistics station selects and computes . The secretpublic key pair of is , where .

Each selects and computes . The secretpublic key pair of is .

selects and computes . The secretpublic key pair of is .
UserPseudonym.
To generate a pseudonym for a product information , firstly computes and then computes . The pseudonym is .
PublicKeyAggregation.
Let be a set consisting of the public keys of the logistics stations which will deliver the product to the user. The system firstly computes , and then computes . Let be a record of the product information . The system adds it into the table .
Sign.
When receiving a product, each computes . sends to for . Finally, computes and . Subsequently, adds it into the record of in the table .
UserOwnershipVerify.
To prove the ownership of the product to the last logistics station . and work as follows.

selects and computes .

sends to . selects , and returns it to .

computes , and , and returns to .

verifies , and . If these equations hold, it outputs to show that is the owner of the product; otherwise, it outputs to show that is not the owner of the product.
Verify.
verifies . If the equation holds, it outputs to show that the delivery process is correct; otherwise, it outputs to show that there are some errors in the delivery.
Trace.
In the case that the identity of who selected the product needs to be revealed, searches in the table , and finds the record firstly. Then, verifies . If it is not, quits the system immediately; otherwise, computes , and confirms the identity of user.
4 Security Analysis
In this section, the security of our scheme is formally proven.
Theorem 4.1
Our privacypreserving logistics information system with traceability (PPLIST) is unforgeable if and only if the computational DiffieHellman (CDH) assumption holds on the bilinear group and are two random oracles and is a cryptographic hash function, where is the number of signature queries made by the forger , and .
Proof
Suppose that there exists a forger that can break the unforgeability of our scheme, we can construct an algorithm which can use to break the CDH assumption. Given , the aim of is to output .
Setup.
selects . The public parameters are .
responds to the queries of about the random oracle .

queries the hash function of a pseudonym and a message . selects ,and sets ,where . sends to and adds into the table .

queries the hash function of a pseudonym and a message . sends to , and adds into the table .
responds to the queries of about the random oracle . Let is the index of .

when , selects and sets . returns to and adds into the table .

when , selects and sets . returns to , and adds into the table .
KeyGeneration Query.

picks a station from . For the th logistics station key generation query, selects , and computes where . returns to . For the th logistics station key generation query, returns to .

selects , and compute . sends the secretpublic key pair to .

selects , and compute . sends the secretpublic key pair to .
UserPseudonym Query.
submits a product information . computes firstly, then computes , . sends to .
PublicKeyAggreation Query.
submits a group of logistics stations’ publickey and sets . searches in , and gets , where . computes , and sends to .
Sign Query.
responds to the queries of about the single signature :

Since , asks about the single signature of the logistics station on a pseudonym and the message . computes . sends to .

Since , asks about the single signature of station on a pseudonym and a message . computes . sends to . can ask for many times.

asks about the single signature of station on a pseudonym and the message . aborts.
Output.
outputs a forged final signature . According to the above situations, can make queries of random oracles and signature generations, respectively. By using Forking lemma technique, for two queries of the random oracle on the th station, selects and with . For other selected stations, sets and with . Hence, . If can forge a valid signature, have and , respectively. Then, computes
Comments
There are no comments yet.