The advent of mobile devices and mobile networks triggered a new class of services named location-based services (LBS). LBS systems enable service providers (SPs) to provide users with accurate services based on their geographical locations. Nowadays, an increasing number of users use LBS systems to query nearby Points of Interest (PoI) including shopping centers, restaurants, banks, hospitals, traffic information, navigation, etc. However, to query a service, a user must reveal her location to the service provider (SP). Hence, untrusted SPs can profile a user’s movement by tracing her location, and infer her personal information, such as working place, health condition, commercial partners, etc. This raises a serious privacy issue. To protect users’ location privacy, privacy-preserving LBS schemes were proposed where either a semi-trusted third party (TTP) is required or the computation cost of a query is linear in the size of the queried area. However, in practice, it is difficult to find a party who can work as a semi-trusted TTP in LBS schemes, and mobile devices have constrained computation power and limited storage space.
Considering the above problems, an oblivious location-based service query (OLBSQ) scheme is proposed to enhance the security of SPs’ services and protect users’ location privacy. In particular, our OLBSQ scheme provides mobile users with a light query algorithm which has constant computation cost.
1.1 Related Work
Because they can provide accurate services, LBS schemes are becoming increasingly popular. Nevertheless, location privacy has been the primary concern of LBS users. To protect users’ location privacy, privacy-preserving LBS schemes were proposed.
1.1.1 Privacy-Preserving LBS with A Trusted Third Party
In these schemes, to protect mobile users’ location privacy, a trusted third party called a location anonymizer is required to blur a user’s exact location into a cloaked area. Meanwhile, the cloaked area must satisfy the user’s privacy requirements. The popular privacy requirement is -anonymity, namely a user’s location is indistinguishable from other users’ locations. Gruteser and Grunwald proposed an anonymous LBS scheme where the location anonymizer needs to remove any identifiers such as network and address, and perturb the position data. In , the location anonymizer knows users’ location, and users need to periodically update their location information to the location anonymizer.
Casper, proposed by Mokbel, Chow and Aref , is a privacy-aware query processing method for LBS. In Casper , the location anonymizer blurs users’ exact location into cloaked spatial areas and a privacy-aware query processor is embedded in the database to deal with queries based on the cloaked spatial areas. The privacy-aware query processor supports three types of queries: private queries over public data, public queries over private data and private queries over private data.
, entropy was used to measure the anonymity degree of a cloaking area, which considers both the number of the users and their anonymity probability distribution in the cloaking area. When issuing a query, a mobile user sends his query and desired anonymity level to the location anonymizer, and then the location anonymizer generates a session identity for the user and contacts the service provider to establish a service session. After a service session is established, the location anonymizer needs to periodically identify a cloaking area for the user according to her latest location, and report the cloaking area to the service provider. Furthermore, a polynomial time algorithm was proposed to find a cloaking area satisfying the anonymity requirement.
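The entropy measure described above can be made concrete as follows. This is an added example, not code from the paper or from the cited scheme: the per-user weights, the constructed sample users, and the quadrant-growing search (a simple stand-in for the cited polynomial-time algorithm) are all assumptions.

```python
import math

# Constructed sample data: user -> (cell_x, cell_y, weight). The weight is an
# assumed stand-in for how likely an observer thinks this user issued the
# query (for example, her share of past queries from that area).
USERS = {
    "alice": (2, 3, 6.0), "bob": (3, 3, 1.0), "carol": (2, 2, 1.0),
    "dave": (3, 2, 1.0), "erin": (0, 1, 4.0), "frank": (1, 0, 4.0),
    "grace": (5, 6, 3.0), "heidi": (6, 1, 3.0),
}

def anonymity_entropy(weights):
    """Shannon entropy in bits of the normalised 'who sent it' distribution."""
    weights = [w for w in weights if w > 0]
    total = sum(weights)
    if total == 0:
        return 0.0
    return -sum((w / total) * math.log2(w / total) for w in weights)

def users_in_area(users, area):
    """Return {name: weight} for users inside the inclusive cell rectangle."""
    x0, y0, x1, y1 = area
    return {n: w for n, (x, y, w) in users.items()
            if x0 <= x <= x1 and y0 <= y <= y1}

def cloak(users, requester, target_bits, grid_size):
    """Find the smallest quadrant-aligned square holding the requester whose
    anonymity entropy reaches target_bits.

    Aligned blocks (side 1, 2, 4, ...) are used instead of a square centred
    on the requester, so the shape of the area does not point at her cell.
    grid_size is assumed to be a power of two. Returns (area, user_count,
    entropy) or None if even the whole grid is not anonymous enough.
    """
    ux, uy, _ = users[requester]
    side = 1
    while side <= grid_size:
        x0, y0 = (ux // side) * side, (uy // side) * side
        area = (x0, y0, x0 + side - 1, y0 + side - 1)
        inside = users_in_area(users, area)
        h = anonymity_entropy(inside.values())
        if h >= target_bits:
            return area, len(inside), h
        side *= 2
    return None

if __name__ == "__main__":
    # 2 bits is the entropy of four equally likely users.
    block = users_in_area(USERS, (2, 2, 3, 3))
    print(len(block), round(anonymity_entropy(block.values()), 3))
    print(cloak(USERS, "alice", 2.0, 8))
```

The 2x2 block around alice already holds four users, yet her heavy weight keeps its entropy below 2 bits, so the search has to widen to the 4x4 block: counting users alone overstates the anonymity of a skewed cloaking area.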
Kalnis et al.  proposed a framework to prevent location-based identity inference of users. In , when receiving a query, the location anonymizer first removes the user’s identity, and uses an anonymizing spatial region to hide the user’s location. This framework optimizes the processing of both location anonymity and spatial queries.
Gedik and Liu introduced a scalable architecture to protect users’ location privacy. The architecture consists of a model of personalised location anonymity and a set of location perturbation algorithms. In , upon receiving a query from a user, the location anonymizer removes the identity of the user and perturbs her location by replacing a 2-dimensional point with a spatial cloaking range. In particular, users are allowed to specify the minimum level of anonymity and the maximum temporal and spatial tolerances.
Chen et al.  proposed a new scheme to protect users’ location privacy. In , redundant point-of-interest (POI) records were applied to protect location privacy. When receiving a query from a user, the location anonymizer first generates a -anonymity rectangle area for the user, and then sends the anonymous query to the service provider. Notably, a blind filter scheme was proposed to enable the location anonymizer to filter out the redundant POI records on behalf of users.
To leverage spatial diversity in LBS, He et al. first proposed ambient environment-dependent location privacy metrics and a stochastic model, and then developed an optimal stopping-based LBS scheme which enables users to leverage the spatial diversity.
Grissa et al. proposed two schemes to protect the location privacy of second users where a TTP named fusion centre (FC) is required to orchestrate the sensing operation. The first scheme is based on an order-preserving encryption (OPE) and has a lower communication overhead, while the second scheme is based on a secure comparison protocol and has a lower architectural cost.
Schlegel et al. proposed a user-defined privacy LBS scheme called dynamic grid system (DGS) which supports both privacy-preserving continuous -nearest-neighbor (-NN) and range queries. In , each user generates a grid structure according to her privacy requirement and embeds it into an encrypted query area. When making a query, a user encrypts a secret key and the grid structure by using an identity-based encryption scheme, and sends the ciphertexts to the service provider. Subsequently, the user generates an encrypted identifier for each cell in the intended area using a deterministic encryption technique, and sends it to the TTP. To process a query, the service provider decrypts the ciphertext and obtains the secret key and the grid architecture. The service provider uses the secret key and the deterministic encryption technique to generate encrypted identifiers for all cells where POIs exist. Later, the service provider sends all the encrypted identifiers to the TTP. The TTP matches the encrypted identifiers from the user against those from the service provider, and sends the matching encrypted identifiers to the user. Finally, the user can decrypt the encrypted identifiers and know the locations of the POIs. Notably, the communication cost to generate a query is linear in the number of POIs in the vicinity and independent of the number of cells in the grid.
In the above schemes, a TTP is required to protect users’ location privacy. However, in practice, it is difficult to find an entity which can play the role of the TTP.
1.1.2 Privacy-Preserving LBS without A Trusted Third Party
Chow, Mokbel and Liu proposed a peer-to-peer (P2P) spatial cloaking scheme which enables users to obtain services without the need of a TTP. Prior to making a query, a user needs to form a group from her peers via single-hop communication/multiple-hop routing. The spatial cloaked area should cover all peers in the group. Furthermore, the user randomly selects one peer in the group as her agent and sends both her query and cloaked spatial region to the agent. The agent forwards the query to the service provider and receives a list of answers including actual answers and false answers. Then, the agent sends the answers to the user. Finally, the user filters out the false answers and obtains the actual answers. The P2P spatial cloaking scheme supports two models: on-demand model and proactive model. Comparatively, the on-demand model is efficient, but requires longer response time.
Ghinita, Kalnis and Skiadopoulos proposed a decentralised LBS scheme named where each user can organise herself into a hierarchical overlay network and make service queries anonymously. Each user can decide the degree of anonymity and the algorithm can identify an appropriate set consisting of users in a distributed manner. To protect users’ anonymity, the HILB-ASR algorithm was proposed to guarantee that the probability of identifying a real service requester is always bounded by . This scheme is scalable and fault tolerant.
Paulet et al. proposed a privacy-preserving and content-protecting LBS scheme. This scheme was derived from the oblivious transfer (OT) scheme and private information retrieval (PIR) . Each user first runs the OT protocol with the service provider to obtain the location identity and a secret key, and then executes the PIR protocol with the service provider to obtain the location data by using the secret key. The authors formalised the security model and analysed the security of the proposed scheme.
Schlegel et al. proposed an order-retrievable encryption (ORE) scheme with the following two properties: (1) it can generate an encrypted query location; (2) given two encrypted user locations, a server can determine which one is closer to an encrypted query location. Subsequently, based on the proposed ORE scheme, a privacy-preserving location sharing services scheme was presented. In , a user or a group initiator should create a group. The group initiator generates a shared key for the ORE scheme and a shared key for the AES scheme. Every user in the group periodically updates her location information to a database server using the ORE and AES techniques. When receiving an encrypted query location, the server can search out the exact answer without knowing the location information. Finally, the user can use the shared key for AES to decrypt the ciphertext and obtain the location information. In , a group of users need to share keys prior to sharing location information.
, a user can obtain accurate services, but does not release any query content information to the server. Homomorphic encryption is used to compute the Euclidean distance between the attribute vector submitted by a user and the attribute vectors in the database. The OT protocol was used to find the exact match vectors for the queried attribute vector. Finally, the PIR protocol was applied to obtain the intended POI set. The security of the proposed scheme was analysed, but without a formal reduction.
To protect users’ location privacy, we propose an OLBSQ scheme which can provide the following important features: (1) a semi-trusted TTP is not required; (2) a user can query services from a service provider without revealing her exact location; (3) a service provider can only know the size of a query made by a user; and (4) both the computation cost and the communication cost to generate a query are constant, instead of linear in the size of the queried area.
Our contributions include: (1) both the definition and security model of the proposed OLBSQ scheme are formalised; (2) a concrete OLBSQ scheme is proposed; (3) the security of the proposed OLBSQ is reduced to well-known complexity assumptions.
In this section, all preliminaries used throughout this paper are introduced.
2.1 Formal Definition
Let be a location structure (e.g. grid) and be a point in . By , we denote the area with start point and size in . For example, if is a grid system, is the area consisting of the left-bottom point and continuous cells. Let be the services included in and be the encrypted services. stands for the services included in the area . Fig. 1 describes the framework of our OLBSQ scheme. The service provider first generates a secret key and some public parameters , and selects a location structure . Suppose that has a set of services , he encrypts each service in by using and its location information, and obtains an encrypted set of services . To query services included in an area, a user selects a start point and the query size , and then commits to be a point . Furthermore, generates a proof that the queried area starting from with size is included in . sends to . If is correct, uses to obliviously and incrementally compute a set of keys according to and , and sends to . Finally, decommits , and obtains a set of decryption keys which enable her to access the intended services.
An OLBSQ scheme consists of the following two algorithms:
Setup. Taking as input a security parameter , a location structure and a set of services , this algorithm outputs a secret key for , some public parameters and the encrypted services .
Service-Transfer. This is an interactive algorithm executed between a user and the service provider . takes as input the public parameters , the start point and the query size , and outputs the intended services . takes as input the public parameters and the secret key , and outputs the committed start point , query size and a proof that the queried area with start point and size is in .
We say that an oblivious location-based service query scheme is correct if and only if
2.2 Security Model
The security model of OLBSQ schemes is formalised by using the simulation-based model [3, 4, 14, 19] where the real world experiment and ideal world experiment are defined. In the real world experiment, there are some parties who run the protocol: an adversary who controls some of the parties and an environment who provides inputs to all honest parties and interacts arbitrarily with . The dishonest parties are controlled by . In the ideal world experiment, there are the same parties as in the real world experiment. Notably, these parties do not run the protocol. They submit their inputs to an ideal functionality and receive outputs from . specifies the behaviour that the desired protocol should implement in the real world. provides inputs to and receives outputs from honest parties. Let be a simulator who controls the dishonest parties in the ideal world experiment as does in the real world experiment. Furthermore, interacts with arbitrarily.
Let be the probability with which runs the protocol with and outputs 1 in the real world experiment. Let be the probability with which interacts with and , and outputs 1 in the ideal world experiment. We say that the protocol securely realizes the functionality if
The ideal functionality of OLBSQ schemes is formalized in Fig. 2.
2.3 Bilinear Map and Complexity Assumptions
Let , and be three cyclic groups with prime order . A map is a bilinear map if it satisfies the following properties:
Bilinearity. For all , and , ;
Non-degeneracy. , where is the identity of ;
Efficiency. For all and , there is an efficient algorithm to compute .
If , is called a symmetric bilinear map. Let be a generator of symmetric bilinear group which takes as input a security parameter and outputs a bilinear group with prime order and .
(-Strong Diffie-Hellman (-SDH) Assumption ). Let and . Suppose that is a generator of . Given , we say that the -SDH assumption holds on the bilinear group if all probabilistic polynomial-time adversaries can output with a negligible advantage, namely
where and .
( -Power Decisional Diffie-Hellman (-PDDH) Assumption ). Let , be a generator of and . Given , we say that the -PDDH assumption holds on if all probabilistic polynomial-time adversaries can distinguish from with a negligible advantage, namely
In this section, we describe the formal construction of our OLBSQ scheme.
3.1 High-Level Overview
To construct our scheme, we use the grid structure which is described in Fig. 3. The location of each cell is determined by the coordinate of the point at its upper-right corner. Suppose that all services included in a cell are encrypted under the same key. Firstly, the service provider divides the whole area into cells, and then generates a secret key and some public parameters. The service provider encrypts each service in a cell by using his secret key and the coordinate of the cell. Finally, the service provider publishes the public parameters and the encrypted services.
When making a service query, a user selects a start point and the query size where and are the numbers of cells in each row and each column, respectively. The user commits to be a point , generates a proof that the queried area is included in , and sends to the service provider. After receiving , the service provider first checks the correctness of , and then uses his secret key to obliviously and incrementally compute a set of keys according to and . Furthermore, the service provider generates a proof that these keys are computed correctly, and sends the keys and to the user. The user then verifies the proof , de-commits the keys and obtains the corresponding decryption keys. Finally, the user decrypts the ciphertexts and obtains the intended services. Notably, to retrieve a service, the user only needs to execute 3 exponent operations on .
3.2 Our Construction
Setup. The service provider first divides the whole area into cells. generates a bilinear group by running , and then selects its secret key where and . To encrypt the service in a cell using its coordinate , computes and for and . To enable each user to prove that a committed point is in the whole area and to obliviously and incrementally generate decryption keys according to ’s query, computes , , , , , , , , for and . Actually, are used by to prove that a committed start point is within for and ; while other parameters are used by to compute decryption keys. Finally, the public parameters are and .
Service-Transfer. To make a query, first selects a start point and query size . generates a proof that he knows the value which is used to encrypt services. If is correct, selects and commits into . Let . Furthermore, generates a proof that the query area is within . sends and to .
If is correct, obliviously and incrementally computes a set of keys using his secret key and generates a proof that and are generated correctly, where and . Let . sends and to .
If is correct, uses to de-commit the key and obtain . Furthermore, can obtain the services by computing , where and .
3.3 Efficiency Analysis
The computation cost and communication cost of our OLBSQ scheme are presented in Table 1 and Table 2, respectively. By , , , , we denote the time of executing one exponent on the group , executing one exponent on the group , executing a pairing and executing one hash function, respectively. , and stand for the size of one element in the group , and , respectively.
4 Security Analysis
To prove Theorem 4.1, we consider the cases where either the user or the service provider is corrupted. We show that there exists a simulator such that it can interact with the ideal functionality (simply denoted as ) and the environment appropriately and and are indistinguishable.
In order to prove the indistinguishability between and , a sequence of hybrid games Game, Game, , Game are defined. For each Game, we show that there exists a simulator that runs as a subroutine and provides ’s view, for . Hybrid stands for the probability that outputs running in the world provided by . runs and other honest parties in the real-world experiment, so Hybrid . runs in the ideal-world experiment, so Hybrid .