The development of wireless communications and mobile devices triggers the emergence of mobile crowdsensing , in which user-centric mobile sensing and computing devices, e.g., smartphones, in-vehicle devices and wearable devices, are utilized to sense, collect and process data from the environment. This “Sensing as a Service”  elaborates our knowledge of the physical world by opening up a new door for data collection and sharing . Due to the increasing popularity of mobile devices, mobile crowdsensing supports a broad range of sensing applications nowadays, ranging from social recommendation, such as restaurant recommendation, parking space discovery and indoor floor plan reconstrction , to environment monitoring, such as air quality measurement, noise level detection and dam water release warning. With human intelligence and user mobility, mobile crowdsensing can significantly improve the trustworthiness of sensing data, extend the scale of sensing applications and reduce the cost on high-quality data collection .
While mobile crowdsensing makes data sensing appealing than ever, it also brings new challenges towards mobile users, one of which is privacy leakage, indicating that mobile crowdsensing puts the privacy of mobile users at stake [7, 8, 9]
. The sensing data collected from the surrounding areas are necessarily people-centric and related to some aspects of mobile users and their social setting: where they are and where they are going; what places they are frequently visited and what they are seeing; how their health status is and which activity they prefer to do. Photos on social events may expose the social relations, locations or even political affiliations of mobile users. Furthermore, the more sensing tasks mobile users engaged in and the richer data the users contribute to, the higher probability that their sensitive information may be exposed with. Therefore, preserving the privacy of mobile users is the first-order security concern in mobile crowdsensing. If there is no effective privacy-preserving mechanism to protect the private information for mobile users, it is of difficulty to motivate mobile users to join in mobile crowdsensing services. In addition, the sensing tasks may contain sensitive information about the customers who issue them. Some personal information about the customers, such as identities, locations, references and purchase intentions, can be predicted by curious entities from the releasing tasks. For example, a house agency may know Bob desire to buy a house in a particular area if Bob releases tasks to collect traffic condition and noise level in the neighborhood. To preserve the privacy for both customers and mobile users, several privacy-preserving mobile crowdsensing schemes[10, 11, 12, 13] have been proposed by utilizing anonymity techniques. Nevertheless, anonymity is insufficient for privacy preservation, since the mobile users may be traced from travel routes and social relations. It is possible to uniquely identify 35% of mobile users based on their top-two locations and 85% of them from their top-three locations based on a large set of call data records provided by a US nationwide cell operator . Therefore, it is important to explore strong privacy-preserving mechanisms to prevent privacy leakage for customers and mobile users in mobile crowdsensing.
Once all information about mobile users and customers is perfectly preserved, it is impossible for service providers to accurately recruit mobile users for task performing, while task allocation is a critical component in mobile crowdsensing to ensure the quality of sensing results. Different from traditional sensing networks, the produced data cannot be predicted as a priori, and their trustworthiness totally depends on the intelligence and behaviors of mobile users. In general, the higher quality the sensing data have, the more efforts and costs the mobile users should pay. Therefore, the set of mobile users would directly impact the quality of sensing data. How to identify the right groups of mobile users to produce the desired data according to the targets of sensing tasks is a complex problem from the service provider’s perspective. Geography-based and reputation-based approaches are popular in mobile crowdsensing to allocate tasks to mobile users, but either has its inherent weaknesses. Firstly, reputation-based task allocation mechanisms [11, 15, 16, 17] need a trusted third party (TTP) to perform heavy reputation management and are vulnerable to reputation-linking attacks, in which the anonymous mobile users can be re-identified from their reputations. Secondly, geography-based task allocation schemes can optimize users selection based on their spatial and temporal correlation , but it discloses the content of sensing tasks and the locations of mobile users to the service provider, while location privacy is one of the primary concerns for mobile users in pervasive environments. In summary, privacy preservation and task allocation become a pair of contradictory objectives in mobile crowdsensing.
To resolve this issue, we propose a Strong Privacy-preserving mObile crOwdseNsing scheme (SPOON) supporting location-based task allocation, decentralized trust management and privacy preservation for both mobile users and customers simultaneously. By leveraging blind signatures and randomizable matrix multiplication, we fully prevent the privacy leakage from all sources for both mobile users and customers, including locations, identities and credit points, without scarifying the normal mobile crowdsensing services of service providers, such as task allocation, data filtering and trust management. The main contributions of this paper are summarized as three folds:
We design a privacy-preserving location matching mechanism based on matrix multiplication to allow service providers to allocate sensing tasks based on the sensing areas of tasks and the geographic locations of mobile users. Specifically, the service provider can determine whether a mobile user is in the sensing area of a task from two randomized matrices generated from the sensing area and the user’s location. Thus, the service provider can learn the result of location matching, but has no knowledge about the interested areas of customers and the locations of mobile users.
By extending the proxy re-encryption and BBS+ signature, we protect the sensitive information for mobile users and customers to prevent privacy leakage, including their identities, credit points, sensing tasks and sensing reports. Specifically, we allow the registered customers and mobile users to anonymously prove their capacities and trust levels to participate in the crowdsensing services and securely perform the sensing tasks without exposing contents of sensing tasks and sensing reports. Besides, to prevent the mobile users from misbehaving for unfair rewards, a trusted authority enables to detect the greedy mobile users and trace their identities.
We introduce a privacy-preserving credit management mechanism for mobile users, in which mobile users are able to prove their trustworthiness without the exposure of credit points and the management of centralized servers. In particular, it supports the positive and negative updates of credit points for mobile users based on the contributions on the tasks. In addition, multiple service providers can cooperatively maintain a unique trust evaluation system, in the way that mobile users are allowed to participate in the mobile crowdsensing services offered by different service providers using unique credit points.
The remainder of this paper is organized as follows. We review the related work in section II, and formalize system model, threat model and identify security goals in section III. In section IV, we propose our SPOON scheme, followed by the security discussion in section V. In section VI, we discuss some extensions on SPOON and evaluate performance in section VII. Finally, we draw the conclusion in section VIII.
Ii Related Work
Mobile crowdsensing has attracted great interests from the research community in recent years, especially for security and privacy aspects. To build a secure mobile crowdsensing architecture, AnonySense  was proposed to allow mobile devices to deliver sensing data through Mix networks. Christin et al.  investigated the location privacy of mobile users and presented a decentralized and collaborative mechanism to allow mobile users to exchange the sensing data when they physically meet for the protection of the travel routes of mobile users. Dimitriou et al.  raised the problem of customer’s privacy leakage and designed a privacy-preserving access control scheme for mobile sensing to preserve the privacy for customers. However, none of above schemes enables to preserve the privacy for both mobile users and customers simultaneously. Therefore, Cristofaro and Soriente  proposed a privacy-enhanced participatory sensing infrastructure (PEPSI) based on the blind extraction technique. In PEPSI, the identity-based encryption is extended to achieve the anonymity for both mobile users and customers, and a blind matching method is built to find the sensing reports for a specific task. Unfortunately, Günther et al.  demonstrated PEPSI is vulnerable to collusion attacks across mobile users and customers. As a result, PEPSI fails to preserve the privacy of mobile users. To fix this drawback, a new infrastructure is designed from anonymous identity-based encryption. Qiu et al.  presented SLICER, a -anonymous privacy-preserving scheme for mobile sensing that achieves strong privacy preservation for mobile users and high data quality, by integrating a data coding technique and message transfer strategies. However, these schemes may be insufficient to preserve the privacy nowadays, since it is possible to re-identify the mobile users or customers through the combination of information from different sources, such as travel routes, social relations or payment records. To protect the sensing data, Zhou et al.  introduced a generalized efficient batch cryptosystem to achieve both batch encryption and batch decryption from public key encryption, and extended to support fine-grained multi-receiver multi-file sharing in cloud-assisted mobile crowdsensing. Chen et al.  introduced a group management protocol to guarantee differential privacy of personal data to prevent the disclosure of sensing data. Jin et al.  integrated user incentive, data aggregation and data perturbation mechanisms to design an incentivizing privacy-preserving data aggregation scheme to generate high-accurate aggregated results, and provide privacy protection for mobile users in mobile crowdsensing.
However, after the privacy of mobile users and customers is preserved, it is difficult for the service provider to find proper mobile users for task fulfillment. Kazemi and Shahabi  focused on spatial task assignment for spatial crowdsourcing, in which the service provider allocates tasks based on the locations of mobile users. To hide their locations, To et al. 
introduced a framework to protect the locations of mobile users based on differential privacy and geocasting. This framework provides heuristics and optimizations to determine effective geocast regions for reaching high task assignment ratio. Kazemi et al. defined reputation scores to represent the probability that a mobile user can perform a task correctly, and a confidence level to state that a task is acceptable if its confidence is higher than a given threshold. Huang et al.  demonstrated that mobile users are vulnerable to linking attacks if they naively reveal their reputations to the service provider and presented an anonymization scheme from pseudonyms and a reputation management mechanism by employing a trusted server to minimize the risk of such attack. Christin et al.  proposed an identity privacy-preserving reputation framework, which uses pseudonyms to preserve the identity privacy for mobile users. The pseudonyms cannot be linked in multiple time periods, while the reputations can be transferred for the mobile user that are associated with adjacent time periods. Consequently, Wang et al.  proposed ARTSense to achieve the trust management without identity exposure in mobile sensing. ARTSense achieves both positive and negative updates of reputations for mobile users with no TTP, but it still requires a reputation database for each service provider to support reputation management. Moreover, the reputations of mobile users and the privacy of customers are directly revealed to the service provider and other curious entities in ARTSense.
For the above reasons, in our preliminary work , we proposed a privacy-preserving mobile crowdsensing framework to achieve trajectory-based task allocation without privacy leakage for both mobile users and customers. In this paper, we extend this work to support privacy-preserving decentralized credit management in mobile crowdsensing. In specific, the proposed SPOON (1) provides strong privacy preservation for mobile users; (2) protects the identities, sensing areas and tasks for customers; (3) allows the service provider to allocate sensing tasks based on the locations and credit points of mobile users; and (4) supports privacy-preserving credit management without a centralized server. We show the comparison on features between SPOON and the existing works in Table I.
|Features||Identity Privacy||Data Privacy||Location Privacy||Credit Management|
|Users||Customers||Users||Customers||Users||Customers||Credit Privacy & Sharing||No TTP||Greedy user Tracing|
|[13, 25, 28]||X||X||X||X||X||X|
|[22, 23, 24]||X||X||X||X||X||X||X||X|
Iii Problem Statement
In this section, we formally define the system model and threat model, and identify our design goals.
Iii-a System model
The mobile crowdsensing service provides customers a people-centric way for data collection from surrounding environment. The architecture consists of three entities: a service provider, customers and mobile users, as shown in Fig. 1.
Service Providers: Service providers develop cloud services by themselves or rent the cloud resources offered by cloud service providers. They have sufficient storage and computing resources to provide mobile crowdsensing services. The service providers receive sensing tasks from customers and allocate them to mobile users based on their locations. They collect sensing reports from mobile users, select sensing reports based on the credit points of mobile users and generate sensing results for customers. The service provider also distributes credit points to mobile users for incentive.
Customers: The customers can be individuals, corporations or organizations. They need to accomplish data collection tasks, e.g., to study traffic congestion in a city, pollution level of a creek and satisfactory on public transportation, but they do not have sufficient capabilities to perform tasks by themselves. Thereby, they issue their sensing tasks to the service providers to obtain the sensing results.
Mobile Users: Every mobile user has several mobile devices, e.g., mobile phones, tablets, vehicles and smart glasses. These mobile devices, with rich computational, communication and storage resources, are carried by their owners wherever they go and whatever they do. The mobile users make sure the battery on mobile devices have sufficient power to support their normal functions. The mobile users participate in sensing tasks and utilize their portable devices to collect data from their surrounding areas to fulfill sensing tasks, and report sensing data to the service providers for earning credit points.
Iii-B Threat Model
Mobile users are interested in the privacy about the customers and the other mobile users. In particular, they are willing to know the other mobile users participating in the same tasks, and learn more information about customers they are working for to reach the expectations of customers. Further, mobile users may be greedy for the credit points, such that they may anonymously submit more sensing reports than allowed to warn unfair credit points. In addition, the mobile users may maliciously forge, modify the sensing data or deliver ambiguous, biased sensing data to cheat customers for credit points. These forged or biased data can be discovered using redundancy or truth discovery approaches. The locations are extracted from GPS trusted chips in mobile devices or access points, we assume that mobile users cannot modify their location information.
The external attackers, such as eavesdroppers and hackers, also bring serious security threats towards mobile crowdsensing services. It is possible for an attacker to obtain the identities of the nearby mobile users or customers via physical observation, such that the anonymity may be insufficient for privacy preservation for customers and mobile users. The customers are fully trusted since they are the main beneficiaries of mobile crowdsensing service.
Iii-C Design Goals
To enable strong privacy-preserving mobile crowdsensing under the aforementioned system model and against security threats, SPOON should achieve the following design goals:
Location-based Task Allocation: The sensing tasks are allocated to the mobile users in the sensing areas defined by the customers, and other mobile users out of the given areas cannot learn any information about the tasks.
Location Privacy Preservation: The locations of mobile users and the sensing areas of sensing tasks would not be exposed to others. The mobile users are only aware whether they are in the sensing area or not.
Data Confidentiality: No entity, except the delegated participants, can obtain the content of releasing tasks or sensing reports, such that the privacy of customers and mobile users would not be disclosed to others.
Anonymity of Mobile Users and Customers: The customers, mobile users, the service provider or their collusion are unable to link a sensing report to a mobile user or link a sensing task to a customer. It is even impossible for an attacker to identify whether two sensing reports are generated by the same mobile user or two sensing tasks are issued by the same customer.
Privacy-Preserving Credit Management: Credit points are used to represent the reputation of mobile users and encourage them to participate in the mobile crowdsensing activities as rewards. The service provider selects the sensing reports based on the credit points of mobile users and awards credit points to mobile users without knowing the exact credit points of mobile users. The balance of credit points is achieved, which means that it is impossible for the mobile users to forge credit points without being detected, such that the total credit points of a mobile user should be equal to the awarded credit points plus the initial points.
Greedy User Tracing: The identities of greedy mobile users, who submit more than one sensing report for the same task in a reporting period, are recovered to prevent the mobile user from awarding unfair credit points.
Iv The SPOON Scheme
In this section, we review the preliminaries and propose our SPOON, which is composed of five phases, Service Setup, User Registration, Task Allocation, Data Reporting and Credit Assignment, based on the matrix multiplication, the BBS+ signature  and the proxy re-encryption .
We review the preliminaries that are used to design our SPOON, including the bilinear map, the BBS+ signature and the proxy re-encryption.
Bilinear Map. Let be two cyclic groups with a prime order . is the bilinear map with the following properties:
Bilinearity. For , , .
Non-degeneracy. For , .
Computability. is efficiently computable.
(Unique Representation). The binary presentation for all elements in is unique.
Let be generators of . Randomly choose from as the secret key of the signature scheme, and compute the corresponding public key as .
A signature on messages is , where and are random values chosen from .
This signature can be checked as: .
The security of BBS+ signature can be reduced to the -SDH assumption and it can be utilized to construct a zero-knowledge proof-of-knowledge protocol that allows the signer to prove the possession of the message-signature pair.
Proxy Re-Encryption . Proxy Re-encryption is a special public key encryption with a desirable property that a semi-trusted proxy enables to convert a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext, given a proxy re-encryption key. Thanks to this promising property, it has been widely employed in data sharing scenarios. The proxy re-encryption scheme is proposed by Ateniese et al. , the details of which are as follows:
KeyGen. Alice picks a random value as the secret key and compute the public key .
RKeyGen. Alice delegates to Bob by sending the re-encryption key to a proxy by using Bob’s public key.
Encrypt. To encrypt a message under , Alice chooses a random value to compute .
Re-Enc. The proxy can change the ciphertext into a ciphertext for Bob with . From , the proxy calculates and releases .
Decrypt . Bob enables to decrypt to obtain as .
|Set of registered mobile users|
|Set of mobile users in sensing area|
|A task issued by a customer|
|The detailed content of a task|
|The expiration time of a task|
|The sensing region of a task|
|A matrix to represent the service area of the service provider|
|A matrix to represent the sensing area of a task|
|A matrix to represent the current and future locations of a user|
A random invertible matrix
|A random invertible matrix|
|The unique identity of a registrant (mobile user or customer)|
|The initial credit point of a mobile user|
|The trust level of a sensing report|
|The maximum of trust level in a task|
|The credit threshold chosen by a mobile user|
|The anonymous credential of a mobile user or customer|
|The anonymous credential of a mobile user with credit point|
Iv-B High-Level Description
We first provide a high-level description of SPOON and its information flow, which is shown in Fig. 2. The notions frequently used in SPOON are listed in Table II.
Service Setup: A trusted authority (TA) bootstraps the whole mobile crowdsensing service for the service provider by defining the public parameters and generates its secret-public key pair . The service provider also generates the secret-public key pair , and defines a matrix to denote the geographic region of its crowdsensing service.
User Registration: The TA registers the mobile users and customers, who are willing to participate in the mobile crowdsensing service. It evaluates the registrant to determine the initial credit point and interacts with the registrant to generate an anonymous credential . is used to access the mobile crowdsensing service and is used to credit management for the registrant. To achieve the anonymity, the ownership of and is proved by the registrant for identity authentication and credit evaluation using zero-knowledge proofs, respectively. Besides, is assigned to the registrant for the decryption of allocated sensing tasks.
Task Allocation: A customer generates a sensing task and sends the message to the service provider, which consists of the encrypted task , the expiration time , the randomized sensing area , the identity proof and other information. The latter releases to attract mobile users for participation, where is the identifier of . A mobile user sends its location and identity proof to the service provider. Then, the service provider finds the set of mobile users in the sensing area of based on two matrices (). Since () are randomized matrices, the service provider can learn whether is in the sensing area of based on matrix multiplication, but has no information about ’s sensing area and ’s location. The service provider re-encrypts the ciphertext to be decryptable for using . Finally, the service provider sends to .
Data Reporting: encrypts the collected data to generate , and sends the sensing report to the service provider, in which is the commitment on the identity and credit point , is the identifier of this report, is the identifier of , is a tag to identify the double-reporting user, is the claimed credit threshold to show that the number of credit points has is larger than , is the current slot for reporting, and is used to prove the ownership of its credit points . The service provider selects sensing reports based on the claimed thresholds and forwards the selected reports to the customer. The TA can recover the identity of anonymous mobile user who double-reports sensing reports with the service provider using the double-reporting tag .
Credit Assignment: The customer evaluates the trustworthiness of each report and returns the corresponding trust level to the service provider. The latter computes the number of credit points awarded to , , and forwards to , where is the ticket for awarded credit points , and is used to identify the mobile user . Once receiving , updates its credit points and the anonymous credential for the new .
Iv-C The Detailed SPOON
We then show the detailed SPOON as follows.
Iv-C1 Service Setup
Let be two cyclic groups with a prime order , where is bits, and be a bilinear map. The authority picks random generators and computes and respectively. The TA also chooses a random value and defines a cryptographic hash function and a pseudo-random function . The public parameters are . The TA randomly chooses as its secret key and calculates the public key .
To setup the mobile crowdsensing service, the service provider randomly chooses its secret key and computes as its public key. It also employs a matrix to denote the geographical region that the crowdsensing service can cover according to the longitude and latitude. Each entry in the matrix denotes a small grid in the sensing region, as shown in Fig. 3. Assume the longitude of Ontario is from W to W, the latitude is from N to N, we can use a matrix or matrix more precisely to represent the Ontario region.
Iv-C2 User Registration
Either customer or mobile user is required to register at the TA to obtain an anonymous credential, which is used to participate in the crowdsensing service. Each registrant is assigned a unique identity in the system, which can be the telephone number or mailing address in practise. The registrant picks three random values to compute , , , and sends to the TA, along with the following zero-knowledge proof:
The TA firstly checks the proof for ensuring that are generated correctly. Then, it evaluates the registrant’s initial credit point according to its credit record, which is assumed to be . After that, the TA randomly picks to calculate , , , and returns to the registrant through secure channels. Finally, the TA stores the tuple in its database.
The registrant computes and checks
The registrant stores secretly on the read-only memory of mobile device.
Iv-C3 Task Allocation
A customer with registered information has a sensing task to be allocated to mobile users and requests the sensing data slot by slot, where each slot ranges from minutes to days depending on the specific requirements of the sensing task. The statement of the task is defined as , which indicate the content (what to sense), the expiration time (when to sense), the sensing area (where to sense), the maximum trust level and the number of required reports, respectively. Other attributes (e.g., sensing intervals, acceptance conditions, benefits, reporting periods) can be illustrated in . To protect the content of the task, the customer randomly picks to calculate , and . Then, the customer generates a matrix to indicate the target sensing region . As depicted in Fig. 3, for each position in the sensing area, the corresponding entry in is set to be a random value chosen from , and the value for a location outside is set to be zero. To mask the sensing area in , the customer picks random numbers from to generate an invertible matrix and computes , where is the transpose of the matrix . Note that all non-zero entries in should be distinct, unless an attacker still can learn the sensing region from . Finally, the customer keeps in private and sends to the service provider, along with the following zero-knowledge proof:
The service provider checks the validity of the proof . If yes, it assigns a task identifier , releases and stores in its database.
When a mobile user with is willing to participate in crowdsensing activities, it firstly picks a random value to calculate . Then, generates a matrix according to its current location and the places it will visit. For each location will reach, the corresponding entry in is set to be a random value chosen from , and the rest entries are set to be zero. The non-zero entries in should be different. To protect these location information, it also generates a random invertible matrix by picking random values from , and calculates . Finally, keeps secretly and sends to the service provider, along with the following zero-knowledge proof:
The service provider returns failure if is invalid. Otherwise, for each unexpired task, it uses to calculate and checks whether
is zero matrix or not. Ifis non-zero matrix, which means that can match , the service provider calculates and releases for . If there is no task to match , the service provider responds failure.
When obtains , it decrypts by using as . Then, evaluates the task and determines to participate in or abandon this task according to benefit and cost. If accepts the task , it starts to perform the sensing work according to the details in . The correctness of is elaborated as follows:
Iv-C4 Data Reporting
collects and, pre-processes the data and submits a sensing report to the customer periodically, which includes the collection time, the sensing location and the detailed content. The reporting periods are defined by the customer, and we assume the current slot is . To prevent attackers from learning , uses to encrypt as , , where is a value randomly chosen from . Then, randomly picks to compute . Next, computes , , and . Finally, chooses a credit threshold and sends the report to the service provider, along with the following zero-knowledge proof:
The service provider returns failure if is invalid; otherwise, the service provider checks whether there is another report that has the same and different with the new received report . If yes, the service provider computes and sends to the TA, and the TA can find the mobile user’s identity by utilizing in the database to check . Such that, the identity of the greedy mobile user is recovered by the TA if it submits two different sensing reports in a reporting slot. Then, according to the claimed thresholds, the service provider chooses reports that have top- thresholds, and releases them for the customer. Note that the mobile users, whose reports are not selected, can increase their thresholds in the next reporting slot .
When the customer retrieves the reports, it can decrypt them using the stored as one by one.
Iv-C5 Credit Assignment
After the customer obtains the sensing result, it evaluates the trustworthiness of each report and responds the corresponding trust level to the service provider. The trust level of is defined as . If is positive, is trustworthy, otherwise, is incredible.
Upon receiving trust levels, the service provider randomly picks to compute , , and releases for , where is the nearest integer function.
retrieves from the service provider, computes , and checks whether or not. If yes, uses the new tuple to replace the previous one and stores them together with . Meanwhile, updates in the read-only memory, which can be used to show the credit points in the future crowdsensing activities. Further, since are managed by , enables to prove the ownership of cross service providers. The credit points awarded by different service providers can be accumulated and can prove the credit points to multiple service providers during the participation of mobile crowdsensing services offered by different service providers.
V Security Discussion
In this section, we show that SPOON satisfies five security goals defined in III-C: location privacy, anonymity, data confidentiality, credit balance and greedy user tracing.
V-a Location Privacy
The sensing region of a task is represented as a matrix
, which is randomized by a random matrixto generate . The location of the mobile user is transformed to be . Having two matrices and , the service provider cannot learn any information about the location of the mobile user and the sensing area of the task. The service provider computes . If there is no overlapping between the sensing area of task and the location of mobile user, must be zero matrix. If one overlapping grid exists, whose corresponding entry is in and is in , respectively, the entries in -row of are nonzero, as well as the entries in -column of . Thus, the service provider enables to know that there are some overlapping locations on the -column of the sensing area, while it is unable to distinguish which location is overlapped from locations. Further, and cannot give more information to the service provider. The results are the same if the overlapping grids are more than one. Therefore, the sensing area and the location of mobile user would not be exposed to the service provider and other entities.
V-B Data Confidentiality
We aim to ensure that only the mobile users whose locations can match the sensing area have the capacity to recover the corresponding sensing task. In SPOON, the adversaries may be the service provider, unmatched mobile users and external attackers. To resist these adversaries, the task protection consists of two stages. In the first stage, the sensing task is encrypted by the customer under the public keys of the TA and the service provider; in the second one, the service provider partially decrypts the ciphertext using its secret key and then re-encrypts the result for the matched mobile users. Therefore, we demonstrate the task confidentiality in the following two procedures:
Firstly, the first-stage ciphertext should not be entirely decryptable for the service provider or the mobile users. To be specific, given the first-stage ciphertext () and two plaintexts , if an adversary can distinguish which one out of is the plaintext of (), we show how to construct a simulator to solve the DBDHI problem .
Given the simplified DBDHI tuple , the simulator ’s goal is to determine whether via interactions with the adversary. sets . The adversary possessing the secret key of the service provider, , can query any chosen message to the simulator to obtain the corresponding the ciphertext. Then, picks two messages and a random bit to compute the challenge , where is a random value chosen from , and returns to the adversary, along with . Finally, the adversary returns to . If , can address the simplified DBDHI problem as .
The task confidentiality against the adversary, who possesses , also relies on the simplified DBDHI problem, given , The proof is the same as that above with one difference that the challenge is , where is a random value chosen from . Finally, can address the simplified DBDHI problem as .
Secondly, the sensing task should only be recovered by the matched mobile users from the second-stage ciphertext. To prevent unmatched mobile users from learning the content of sensing task, the service provider encrypts the sensing task with the temporary public key using the proxy re-encryption scheme . Therefore, the security of the second-stage ciphertext can be reduced to the DBDHI assumption as well.
To guarantee the confidentiality of sensing reports, each mobile user employs the proxy re-encryption scheme  to encrypt under the temporary public key , which is distributed to the mobile users along with the sensing task. The decryption key is kept by the customer secretly. Therefore, the confidentiality of directly depends on the sematic security of proxy re-encryption scheme, which can be reduced to the simplified DBDHI assumption .
The anonymity of the mobile user is defined via the game in which the adversary cannot distinguish an honest mobile user out of two under the extreme condition that all other interactions are specified by the adversary. We prove that the mobile user’s identity is preserved properly, unless the DDH assumption  does not hold. Specifically, if there exists an adversary that can identify an honest mobile user out of two challenging identities, we show how to construct a simulator to solve an instance of the DDH problem. That is, given a tuple , can tell whether exists , such that , , . generates (), picks two identities , , where , and sends them to . acts on behalf of the users and to register at the TA. then interacts with in the following interactions:
acts as honestly to submit the location information. For , in the -th query, randomly chooses and simulates the zero-knowledge proof to prove its identity interacting with .
honestly acts on behalf of to report the data. For , sets , . For the -th query, randomly chooses , and computes , . simulates the zero-knowledge proof and sends to , along with a random sensing report.
picks a random bit . If , honestly reports the data acts as . If and randomly chooses and calculates , , . Then, simulates