A Trajectory Substitution Privacy Protection Scheme in location-based services

Abstract

Aimed at the disclosure risk of mobile terminal user's location privacy in location-based services, a location-privacy protection scheme based on similar trajectory substitution is proposed. On the basis of the anonymized identities of users and candidates who request LBS, this scheme adopts trajectory similarity function to select the candidate whose trajectory is the most similar to user's at certain time intervals, then the selected candidate substitutes user to send LBS request, so as to protect user's privacy like identity, query and trajectory. Security analyses prove that this scheme is able to guarantee such security features as anonymity, non-forgeability, resistance to continuous query tracing attack and wiretapping attack. And the results of simulation experiment demonstrate that this scheme remarkably improve the optimal candidate' trajectory similarity and selection efficiency.

1. Introduction

 Along with the development and improvement of intelligent mobile devices, GPS and wireless communications technology, location-based services (LBS) [1-3] has been gaining users’ attention. For instance, mobile terminal users may send location services request to LBS server to acquire the information on weather, food & beverage, navigation, etc., so as to enjoy the conveniences of LBS. However, in this process, users’ private information is liable to be leaked, such as users’ living habit, interests or hospitalization information. Therefore, while enjoying the conveniences brought by LBS, how to protect users’ privacy proves to be one of the urgent problems to be solved in this field[4-6]. Up to now, despite some scholars have made certain progress in protecting the disclosure of users’ instant location information[7], attackers are still able to obtain users’ relevant privacy information by analyzing users’ location trajectories. As a result, on the basis of protecting users’ location privacy, how to further protect the disclosure of users’ trajectory information turns out to be a hot issue in current research[8].

 Aiming to address the deficiencies in the existing schemes, this paper proposes a location privacy preservation scheme based on similar trajectory’s substitute query. In this scheme, trusted anonymous server (TAS) is employed to anonymize the identities of all users requesting LBS, so when a certain user sends request for location service, TAS adopts trajectory similarity algorithm to calculate the trajectory similarity value of all candidates and initiators within user’s specific area at certain time intervals, from which an optimal candidate with trajectory most similar to the requested user’s trajectory is selected to substiture real user in requesting LBS. Consequently, user’s privacy like identity, query and trajectory can be guaranteed. This paper also employs random oracle model (ROM) to verify the scheme’s security like anonymity and non-forgeability, and to analyze such security properties as resistance to continuous query tracing attack and resistance to wiretapping attack. We also conduct simulation experiment on the optimal candidate’s trajectory similarity and selection algorithm, which demonstrates the effectiveness and efficiency of this scheme. The following summarizes the main contributions of this paper:

 1. We propose a location privacy preservation scheme based on similar trajectory’s query substitution. In this scheme, the real user is replaced by the optimal candidate to submit the LBS service request. As a result, the trajectory of real user is protected.

 2. Through anonymizing the identities of user and candidates who request LBS, calculating the trajectory similarity between all candidates and the initiator within a certain period of time by using trajectory similarity algorithm, and choosing the candidate with the optimal trajectory similarity to replace real user in requesting LBS, the real user’s private information about identity and location is effectively protected.

 3. We conduct security analyses of the proposed solution. Security analyses prove that this scheme is able to guarantee such security features as anonymity, non-forgeability, resistance to continuous query tracing attack and wiretapping attack. And the results of simulation experiment demonstrate that this scheme remarkably improve the optimal candidate’ trajectory similarity and selection efficiency.

 The rest of this paper is organized as follows: In section 1, we show the Introduction. In section 2, we introduce the related work. In section 3, we introduce the preliminaries. The trajectory privacy protection scheme is described in detail in section 4. We offer the security analyses in section 5. In section 6, we give the simulation experiment about the similarity of the optimal candidate’s trajectory. The conclusions are given in section 7.

 

2. Related Work

 In recent years, in view of protecting users’ trajectory privacy, some scholars home and abroad have done lots of research and achieved certain positive results. Pan X et al.[9] proposed a distortion-based anonymity scheme for mobile users’ continuous queries, in which a generalized region where at least \(K\) number of users including the user who initiates the request is adopted and the generalized region is measured in reference to users’ motion velocity and direction in order to preserve users’ trajectory privacy. Later, Freudiger J et al.[10] proposed a metric based on the mobility profiles of mobile nodes to evaluate the mixing effectiveness of possible mix zone locations. As the location privacy achieved with mix zones depends on their placement in the network, this scheme analyzes the optimal placement of mix zones with combinatorial optimization techniques, thus succeeding in protecting users’ trajectory privacy. Kato et al. [11] assumed that users' movements are known in advance, and on the basis of users’ mobility trajectories and pauses, selected each hop of dummy trajectories according to the deviation angles of users’ locations and accessibility. Finally they proposed a dummy-based anonymization method based on user trajectory with pauses. However, in this scheme the similarity of dummy trajectories selected still needs to be improved. In reference[12], Huo Z et al. proposed a trajectory privacy-preserving method in mobile social network services. In their method, firstly they buffer the check-in sequences of pseudonym users, and then build prefix trees for buffered check-in sequences, prune and re-construct prefix trees to get the k-anonymized version. Finally they traverse the k-anonymized prefix tree to get k-anonymized check-in sequences, which can achieve a privacy guarantee of k-anonymity. In reference[13], users employ a buffer to record their history locations and the exchanged pseudo-locations. When requesting LBS, users choose from the buffer and submit \(k\) number of locations (including their own locations), so as to achieve the trajectory privacy security of K-anonymized users.

 Chen R et al. [14] proposed a tailored privacy model to anonymize trajectory data by means of local suppression, which serves to preserve users’ trajectory privacy. Afterwards, Zhao J et al. [15] put forward a novel privacy preserving method applying to trajectory data publishing, which functions to prevent identity linking attack as well as attribute attack. Li F H et al. [16] proposed an efficient scheme for trajectory privacy protection, which constructs ( \(k-1\) ) dummy trajectories based on side information, trajectory similarity and users’ mobility pattern, thus attackers fail to identify the real trajectory, then the terminal trajectory privacy can be guaranteed. Ye A et al.[17] proposed a location privacy-preserving scheme based on l-queries, in which some fake queries will be randomly injected into real continuous queries, so as to reduce temporal relevancy of continuous queries, then protect the privacy of users’ identities, locations and query content. In the location privacy protection approach put forward by Sun G et al. [18], location labels are adopted to distinguish mobile users’ sensitive locations and ordinary locations, both of which are protected at different levels, thus the response efficiency of LBS requests is improved. According to Li et al.[19], to improve the efficiency of selecting dummy locations, an credit-incentive mechanism is introduced in K-anonymity scheme. Based on fuzzy logic, each user’s credit level corresponds to certain probability threshold value. A user can get the help of other users only on the condition that his credit level matches certain probability threshold value. In this way, users are motivated to actively help others in constructing K-anonymity. In a sense, all the schemes mentioned above invariably originate from the location privacy protection scheme for single-time LBS, and thus ignore two issues: (1) security of communications messages in users’ LBS request; (2) certain location relevancy in continuous query may lead to the disclosure of users’ real location information.

 

3. Preliminaries

3.1 System model of trajectory privacy preservation

 As is shown in Fig. 1, the system model of trajectory privacy preservation is mainly composed of three entities: mobile terminal (MT), trusted anonymous server (TAS) and LBS server. Each entity functions as follows:

 

Fig. 1. System architecture of trajectory privacy preservation

 

 (1) MT: MT has two functions: sending request for anonymization to TAS, then verifying the validity of the anonymity and generating corresponding key information; sending location query request to LBS server and receiving query result.

 (2) LBS server: as the core of location privacy preservation system, it processes location service request for anonymity from MT and returns query results to MT.

 (3) TAS: it records attribute matrix information of the registered user (time sampling and the corresponding location coordinate sampling), processes request for anonymity from MT, and selects user with the optimal trajectory similarity for MT, then generates and releases system-related parameters.

 

3.2 Bilinear pairings

 Definition [20] : suppose 1 \(\left(G_{1},+\right),\left(G_{2}, *\right)\),  are separately the addition cycle group and multiplication cycle group of prime order \(q\) , then bilinear pairing \(e: G_{1} \times G_{1} \rightarrow G_{2}\) satisfies the following conditions:

 (1) Bilinearity: Bilinearity means that the function \(G_{1}(P, Q)\) is linear to both the variables \(p\) and \(Q\) . For example，for \(\forall a, b \in Z_{q}^{*}, P, Q \in G_{1}, e(a P, b Q)=e(P, Q)^{a b}=e(a b P, Q)\) .

 (2) Non-degeneracy: \(\exists P, Q \in G_{1}\), \(e(P, Q) \neq 1_{G_{2}}, 1_{G_{2}}\)satisfies signifies the identity element of group \(\left(G_{2}, *\right)\).

 (3) Symmetry: \(\forall P, Q \in G_{1}, e(P, Q)=e(Q, P)\).

 (4) Computability: \(\forall P, Q \in G_{1}\), there being polynomial time algorithm which can calculate \(e(P, Q)\).

 

3.3 Trajectory Similarity

 Trajectory similarity denotes the similarity degree of two mobility trajectories, and is usually measured with trajectory similarity function. Let user’s real mobility trajectory be \(T_{u}=\left\{I D_{A},\left(x_{0}, y_{0}, t_{0}\right),\left(x_{1}, y_{1}, t_{1}\right), \cdots,\left(x_{n}, y_{n}, t_{n}\right)\right\}\) , in which, \(I D_{A}\) signifies the identity of anonymized user, \(\left(x_{i}, y_{i}, t_{i}\right)\) means the location of t_i at the moment is \(I D_{A}\) , \(\left(x_{i}, y_{i}\right)\) and sampling time t_i satisfies \(t_{0} . Suppose user’s direction of mobility trajectory from initial point t₀ to moment t₁ is \(\phi_{i}\) , then \(\tan \phi_{i}=\left(\left(y_{i}-y_{0}\right) /\left(x_{i}-x_{0}\right)\right)\) , that is, \(\phi_{i}=\arctan \left(\left(y_{i}-y_{0}\right) /\left(x_{i}-x_{0}\right)\right)\) . Consequently, mobility trajectory t_u can be shown as: \(T_{u}=\left\{\left(x_{0}, y_{o}, t_{0}\right),\left\langle\left(\phi_{1}, t_{1}\right),\left(\phi_{2}, t_{2}\right), \cdots,\left(\phi_{n}, t_{n}\right)\right\rangle\right\}\) . Similarly, the mobility trajectory of potential candidate is \(T_{C}=\left\{I D_{C},\left(x_{0}^{c}, y_{0}^{c}, t_{0}^{c}\right),\left(x_{1}^{c}, y_{1}^{c}, t_{1}^{c}\right), \cdots\left(x_{n}^{c}, y_{n}^{c}, t_{n}^{c}\right)\right\}\) , which can be shown as \(T_{C}=\left\{\left(x_{0}^{c}, y_{0}^{c}, t_{0}^{c}\right),\left\langle\left(\phi_{1}^{c}, t_{1}^{c}\right), \cdots,\left(\phi_{n}^{c}, t_{n}^{c}\right)\right\rangle\right\}\) , while

\(\phi_{i}^{c}=\arctan \frac{y_{i}^{c}-y_{0}^{c}}{x_{i}^{c}-x_{0}^{c}},(1 \leq i \leq n, 1 \leq c \leq k-1)\).       (1)

 The similarity degree of mobility trajectories is:

\(\sigma^{2}=\left(\left(\sum_{i=1}^{n} \frac{\phi_{i}^{c}-\phi_{i}}{2 \pi}\right) / n\right)^{2}\)       (2)

 Obviously, \(\sigma^{2} \in[0,1]\), and the less \(\sigma^{2}\) is, the stronger the similarity between user’s mobility trajectory and candidate’s trajectory.

 

4. Location Privacy Preservation Scheme

 This scheme mainly consists of four phases: system initialization, registration, calculation of trajectory similarity, and location service request of query substitution.

4.1 System Initialization

 In this phase, system parameters are generated as follows:

 Step 1: Select two cyclic groups \(\left(G_{1},+\right)\)and \(\left(G_{2}, *\right)\)with prime \(q\) as the order number，and bilinear map \(\mathbf{e}: G_{1} \times G_{1} \rightarrow G_{2} \) , and \(P\) is a generator of \(G_{1}\) .

 Step 2: Define three secure harsh functions: \(H_{1}:\{0,1\}^{*} \rightarrow G_{1}^{*}\) ,\(H_{2}:\{0,1\}^{*} \rightarrow\{0,1\}^{n}\)and \(H_{3}: G_{2} \rightarrow\{0,1\}^{n}\) , in which n denotes a positive integer, while \(\{0,1\}^{*}\) the binary strings at any length.

 Step 3: TAS selects two random number \(s \in Z_{q}^{*}\) and \(Q \in G_{1}^{*}\) , calculates their public key \(P K_{\text {anon}}=s P\) and secret key \(S K_{a n o n}=s Q\) , in which \(Z_{q}^{*}\) signifies the integers’ multiplication group of module \(q\) .

 Step 4: TAS publicizes the system parameter: \(\left\{G_{1}, G_{2}, e, k, n, P, P K_{a n o n}, Q, H_{1}, H_{2}, H_{3}\right\}\) .

 

4.2 Registration

 In this phase, TAS helps to anonymize user’s identity and generates corresponding parameters, as follows:

 Step 1: User U sends its real identity ID safely to TAS via MT.

 Step 2: TAS randomly generates a \(m \times n\) matrix\(\chi(2 \leq m and a m-dimensional column vector \(\boldsymbol{p}\) , while the rank of coefficient matrix \(\chi\) is equal to that of augmented matrix \(\bar{\chi}\) , that is, \(R(\chi)=R(\bar{\chi})\) . Obviously,\(R(x), then linear equation \(\chi d=\rho\) has infinite solutions.

 Step 3: TAS distributes a unique n-dimensional column vector d_i for each registered user, and d_i satisfies \(\chi d_{i}=\rho\) , that is, d_i is a solution of linear equation \(\chi d_{i}=\rho\) . Then, TAS randomly selects a n-dimensional column vector D , calculates the fake identities \(P I D_{U}=\boldsymbol{D}^{T} \cdot \boldsymbol{d}_{i}\) of user U , as well as the relevant verified parameters \(Q_{u}=H_{1}\left(P I D_{u}\right)\) and \(S_{U}=s Q_{U}\) , finally TAS returns \(\left\{P I D_{U}, S_{U}, d_{i}\right\}\) to user U via secure channel.

 Step 4: After receiving message \(\left\{P I D_{U}, S_{U}, d_{i}\right\}\), user U calculates \(Q_{\mathrm{u}}=H_{1}\left(P I D_{u}\right)\) and judges whether \(\mathbf{e}\left(S_{U}, P\right)=e\left(\tilde{Q}_{U}, P K_{\text {anon }}\right)\) is valid or not. If valid, user U randomly selects a secret value \(r_{U} \in Z_{q}^{*}\) , calculates its public key \(P K_{t}=r_{U} P K_{a n o n}\) and secret key \(S K_{U}=r_{U} S_{U}\) ; if not valid, return to Step 1.

 

4.3 Calculation of Trajectory Similarity

 In this phase, TAS employs trajectory similarity function to calculate the similarity between all candidates’ trajectories and the trajectory of user U ( to calculate successively the trajectory similarity of the initiator and the candidate), as follows:

 Step 1: Assume the sampling point of mobile terminal user U ’s real trajectory and candidate’s mobility trajectory respectively is \(T_{U}=\left\{I D_{U},\left(x_{0}, y_{0}, t_{0}\right),\left(x_{1}, y_{1}, t_{1}\right), \cdots,\left(x_{k}, y_{k}, t_{k}\right)\right\}\) and \(T_{U}=\left\{I D_{U},\left(x_{0}, y_{0}, t_{0}\right),\left(x_{1}, y_{1}, t_{1}\right), \cdots,\left(x_{k}, y_{k}, t_{k}\right)\right\}\)k .

 Step 2: Based on \(\phi_{i}=\arctan \left(\left(y_{i}-y_{0}\right) /\left(x_{i}-x_{0}\right)\right) \quad(1 \leq i \leq n)\), TAS successively calculates the motion angle \(\phi_{i}\) of candidate’s and user \(U\) ’s trajectories from initial moment t₀ to moment t₁ , then the mobility trajectory of user U(t_u) and that of candidate (T_c) can be respectively shown as:

\(T_{U}=\left\{\left(x_{0}, y_{o}, t_{0}\right),\left\langle\left(\phi_{1}, t_{1}\right),\left(\phi_{2}, t_{2}\right), \cdots,\left(\phi_{n}, t_{n}\right)\right\rangle\right\} \text { and } T_{c}=\left\{\left(x_{0}^{c}, y_{0}^{c}, t_{0}^{c}\right),\left\langle\left(\phi_{1}^{c}, t_{1}^{c}\right), \cdots,\left(\phi_{n}^{c}, t_{n}^{c}\right)\right\rangle\right\}\)

 Step 3: Based on trajectory similarity formula: \(\sigma^{2}=\left(\frac{\sum_{i=1}^{n} \frac{\phi_{i}^{c}-\phi_{i}}{2 \pi}}{n}\right)^{2}\), TAS calculates the similarity degree \(\sigma^{2}\) between candidate’s trajectory \(T_{C}\) and mobile user U ’s trajectory \(T_{U}\) .

 Step 4: Repeat Step1 to Step 3 to calculate the similarity between other candidates’ trajectory and user U’s trajectory. Then select the candidate with minimum trajectory similarity as the optimal candidate. If there is more than one candidate with minimum similarity, then select the candidate which is farther in distance from user U as the optimal candidate according to Euclidean distance formula:

\(\operatorname{dis}\left(T_{U}, T_{i}\right)=\frac{\sum_{i=1}^{n} \sqrt{\left(x_{U}-x_{i}\right)^{2}-\left(y_{U}-y_{i}\right)^{2}}}{n}\)       (3)

 

4.4 Location Service Request of Query Substitution

 In this phase, the selected candidate with optimal trajectory similarity will substitute user U to request LBS service，:

 Step 1: User U launches broadcast to obtain candidate’s anonymous identity \(m_{1}=\left\{P I D_{c}^{1}, P I D_{c}^{2}, \cdots, P I D_{c}^{k-1}\right\}\) within the range of communications, randomly selects \(\omega \in Z_{q}^{*}\) , calculates \(Q_{t s s}=H_{1}\left(I D_{L B S}\right) \quad, \quad c_{1}=\left\langle\omega P, m_{1} \oplus H_{3}\left(e\left(Q, P K_{\operatorname{man}}\right)^{\infty}\right)\right\rangle=\langle E, F\rangle\) and \(c_{2}=\left\langle\omega P, m_{2} \oplus H_{3}\left(e\left(Q_{L B S}, P K_{L B S}\right)^{\infty}\right)\right\rangle\) , in which \(I D_{L B S}\) signifies the identity label of LBS server, \(m_{2}=\left\{L_{v}, M_{v}, K_{s}\right\}, L_{v}\) user’s location, M_U the query content, K_s the session key of user and LBS server, and \(P K_{L B S}=r_{L B S} S P\)  the public key of LBS server; then sends data packet \(\operatorname{Meg}_{\text {UoN}}=\left\{c_{1}, c_{2}\right\}\) to TAS.

 Step 2: Receiving the request, TAS randomly selects \(i \in Z_{q}^{*}\) , calculates and \(r=i p\) , then sends the message \(\left\{t_{1}, I, H_{2}\left(r\left\|I D_{\text {anon }}\right\| t_{1}\right)\right\}\) to user \(U\) , in which \(t_1\) is the time stamp, and \(I D_{ {anon}}\) is the identification of TAS.

 Step 3: After receiving the message from TAS, user \(U\) firstly calculates \(R=I d_{i}\) , then verifies the equation \(H_{2}\left(R\left\|I D_{\text {anan}}\right\| t_{1}\right)=H_{2}\left(r\left\|I D_{\text {amon}}\right\| t_{1}\right)\) . If valid, sends \(\left\{t_{2}, H_{2}\left(R\left\|I D_{\text {anon}}\right\| t_{1} \| t_{2}\right)\right\}\) to TAS, in which \(t_2\) is the time stamp.

 Step 4: Receiving the message, TAS verifies the equation \(H_{2}\left(R\left\|I D_{\text {aman}}\right\| t_{1} \| t_{2}\right)=H_{2}\left(r\left\|I D_{\text {anan}}\right\| t_{1} \| t_{2}\right)\). If valid, calculates \(F \oplus H_{3}\left(e\left(S K_{a n o n}, E\right)\right)\) to get message \(m_1\) ; extracts the information of all candidates’ attribute matrix according to message \(m_1\) , employs trajectory similarity algorithm to select the optimal candidate \(B\) within a certain time interval, randomly selects \(\beta \in Z_{q}^{*}\) , and calculates \(Q_{B}=H_{1}\left(P I D_{B}\right)\) and \(c_{3}=\left\langle\beta P, m_{3} \oplus H_{3}\left(e\left(Q_{B}, P K_{B}\right)^{\beta}\right)\right\rangle\)β , in which \(m_{3}=\left\{P I D_{U}\right\}, P K_{B}=r_{B} s P\) is the public key of user \(B\) ; finally sends data packet \({Meg}_{N o B}=\left\{c_{2}, c_{3}\right\}\) to user \(B\) , and \(B\) will substitute user \(U\) to initiate LBS request.

 Step 5: Receiving the message, user \(B\) calculates \(m_{3} \oplus H_{3}\left(e\left(Q_{B}, P K_{B}\right)^{\beta}\right) \oplus H_{3}\left(e\left(S K_{B}, \beta P\right)\right)\) to get message \(m_3\) , in which \(S K_{B}=r_{B} s Q_{B}\) is the private key of user \(B\) , then sends data packet \({Meg}_{\text {UoN}}=\left\{c_{2}\right\}\) to LBS server.

 Step6: Receiving the message, LBS server calculates \(m_{2} \oplus H_{3}\left(e\left(Q_{L B S}, P K_{L B S}\right)^{\omega} \oplus H_{3}\right. \left(e\left(S K_{\mathrm{LBS}}, \omega P\right)\right)\) to get message \(m_2\) , then adopts \(m_2\) to obtain query result \(m_{4}=\{M E G\}\) , finally sends data packet \({Meg}_{S o B}=\left\{E n_{K_{f}}\left(m_{4}\right)\right\}\) to user \(B\) , in which \(E n_{K} ()\) is the encrypted symmetric function, and \(MEG\) is the query result of LBS service request.

 Step 7: Receiving message \({Meg}_{S o B}=\left\{E n_{K_{s}}\left(m_{4}\right)\right\}\) , user \(B\) verifies the identity of user \(U\) . If valid, then sends data packet \({Meg}_{S o B}=\left\{E n_{K_{s}}\left(m_{4}\right)\right\}\) to user \(U\) ; otherwise, cease the service.

 Step 8: After receiving message \({Meg}_{S o B}=\left\{E n_{K_{s}}\left(m_{4}\right)\right\}\) , user \(U\) decrypts it to obtain the query result \(MEG\).

 

5. Scheme Analyses

 This paper analyzes the scheme in terms of its correctness and security.

 

5.1 Correctness Analysis

 This process demonstrates the correctness of message encryption and decryption between user and TAS, user and user, as well as user and LBS server, that is, the correctness of encryption and decryption of messages \(m_1\) , \(m_2\) and \(m_3\).

 (1) It is known that user \(U\) adopts the public key of TAS to transform the anonymous identity \(m_1\) of candidates within the range of communications into ciphertext \(c_{1}=\left\langle\omega P, m_{1} \oplus H_{3}\left(e\left(Q, P K_{a n o n}\right)^{\omega}\right)\right\rangle=\langle E, F\rangle\), so after receiving the ciphertext, TAS adopts secret key \(S K_{a n o n}\) to obtain plain text \(m_1\) by calculating \(F \oplus H_{3}\left(e\left(S K_{a n o n}, E\right)\right)\) , which is demonstrated as follows:

\(\begin{aligned} F \oplus H_{3}\left(e\left(S K_{{anon}}, E\right)\right) &=F \oplus H 3(e(s Q, \omega P)) \\ &=F \oplus H_{3}\left(e(Q, s P)^{\omega}\right) \\ &=F \oplus H_{3}\left(e\left(Q, P K_{ {anon}}\right)^{\omega}\right) \\ &=m_{1} \end{aligned}\)

 (2) It is known that user \(U\) adopts LBS server’s public key to transform the requested data message \(m_2\) into ciphertext \(c_{2}=\left\langle\omega P, m_{2} \oplus H_{3}\left(e\left(Q_{L B S}, P K_{L B S}\right)^{\omega}\right)\right\rangle=\langle\varphi, \eta\rangle\) , then after receiving the ciphertext, LBS adopts secret key \(S K_{L B S}=r_{L B S} s Q_{L B S}\) to obtain plain text \(m_2\) by calculating \(\eta \oplus H_{3}\left(e\left(S K_{\mathrm{LBS}}, \varphi\right)\right)\) , which is demonstrated as follows:

\(\begin{aligned} \eta \oplus H_{3}\left(e\left(S K_{\mathrm{LBS}}, \varphi\right)\right) &=\eta \oplus H_{3}\left(e\left(r_{B} S_{\mathrm{LBS}}, \omega P\right)\right) \\ &=\eta \oplus H_{3}\left(e\left(r_{L B S} s Q_{L B S}, \omega P\right)\right) \\ &=\eta \oplus H_{3}\left(e\left(Q_{L B S}, r_{L B S} s P\right)^{\omega}\right) \\ &=\eta \oplus H_{3}\left(e\left(Q_{L B S}, P K_{L B S}\right)^{\omega}\right) \\ &=m_{2} \end{aligned}\)

 (3) It is known that user \(U\) employs the public key \(P K_{B}\) of the optimal candidate \(B\) to transform its fake identity \(m_3\) into ciphertext \(c_{3}=\left\langle\beta P, m_{3} \oplus H_{3}\left(e\left(Q_{B}, P K_{B}\right)^{\beta}\right)\right\rangle=\langle Z=\beta P, T\rangle\), then after receiving the ciphertext, the optimal candidate \(B\) adopts the secret key \(S K_{B}=r_{B} S_{B}=r_{B} s Q_{B}\) to obtain the plain text \(m_3\) by calculating \(T \oplus H_{3}\left(e\left(S K_{B}, Z\right)\right)\), which is demonstrated as follows:

\(\begin{aligned} T \oplus H_{3}\left(e\left(S K_{B}, Z\right)\right)=T \oplus H_{3}\left(e\left(r_{B} S_{B}, \beta P\right)\right) \\ =T \oplus H_{3}\left(e\left(r_{B} s Q_{B}, \beta P\right)\right)\\ =T \oplus H_{3}\left(e\left(Q_{B}, r_{B} s P\right)^{\beta}\right)\\ =T \oplus H_{3}\left(e\left(Q_{B}, r_{B} S_{B}\right)^{\beta}\right)\\ =T \oplus H_{3}\left(e\left(Q_{B}, P K_{B}\right)^{\beta}\right)\\ =m_{3} \end{aligned}\)

 To sum up, the encryption and decryption process of the proposed scheme is correct.

 

5.2 Communication Cost

 First of all, we consider the communication overhead between the user and TAS. The data packet sent by the user to TAS is \({Meg}_{ {UoN}}=\left\{c_{1}, c_{2}\right\}\) . The size of the encrypted data \(c_1\) varies according to the number of candidates \(k\) , and the size of the encrypted data packet \(c_2\) is constant. So its communication overhead is \(O(k)\) . Then we consider the communication overhead between the user and TAS. The message that the user queries to TAS is \({Meg}_{N o B}=\left\{c_{2}, c_{3}\right\}\) , whose size is constant. In addition，we also consider the communication overhead between the optimal candidate and LBS server. The message that the candidate queries to LBS server is \({Meg}_{ {UoN}}=\left\{c_{2}\right\}\) , whose size is constant. The query results presented to the candidate is \({Meg}_{S o B}=\left\{E n_{K_{s}}\left(m_{4}\right)\right\}\) . Its size varies with the number \(M\) of Points of Interest (POIs). So the communication overhead between the optimal candidate and LBS server is \(O (M)\) . Finally, we consider the communication overhead when the optimal candidate presents the query to the user. The query result is \({Meg}_{B o U}=\left\{E n_{K_{s}}\left(m_{4}\right)\right\}\) . Its size varies with the number \(M\) of Points of interest (POIs). So the communication overhead between the user and the optimal candidate is \(O (M)\).

 In order to analyze the computational overhead of the scheme qualitatively, we use \(T_{par}\) to denote a bilinear pairing operation, \(T_h\) to denote a hash function operation and \(T_{mul}\) to denote a point multiplication operation. Other operations are ignored here for being relatively simple and lower time consumption. We first consider the user's computational overhead. According to the formulas \({Meg}_{ {UoN}}=\left\{c_{1}, c_{2}\right\}, { Q_{LBS} }=H_{1}\left(I D_{L B S}\right), c_{1}=\left\langle\omega P, m_{1} \oplus H_{3}\left(e\left(Q, P K_{ {anon}}\right)^{\omega}\right)\right\rangle\) and \(c_{2}=\left\langle\omega P, m_{2} \oplus H_{3}\left(e\left(Q_{L B S}, P K_{L B S}\right)^{\omega}\right)\right\rangle\) , the computational overhead is \(2 T_{p a r}+3 T_{h}+3 T_{m u l}\) . Then, considering the computational overhead of TAS, according to formulas \({Meg}_{N o B}=\left\{c_{2}, c_{3}\right\} , \ Q_{B}=H_{1}\left(P I D_{B}\right)\) and \(c_{3}=\left\langle\beta P, m_{3} \oplus H_{3}\left(e\left(Q_{B}, P K_{B}\right)^{\beta}\right)\right\rangle\) , the computational overhead is \(T_{p a r}+2 T_{h}+2 T_{m u l}\) . Then we consider the computational overhead of the optimal candidate. According to the formula \(m_{3} \oplus H_{3}\left(e\left(Q_{B}, P K_{B}\right)^{\beta}\right) \oplus H_{3}\left(e\left(S K_{B}, \beta P\right)\right)\) , the computational overhead is \(2 T_{p a r}+2 T_{h}+2 T_{m u l}\) . Finally, we calculate the computational overhead of LBS server. According to the formula \(m_{2} \oplus H_{3}\left(e\left(Q_{L B S}, P K_{L B S}\right)^{\omega} \oplus H_{3}\left(e\left(S K_{\mathrm{LBS}}, \omega P\right)\right)\right.\) , the computational overhead is \(2 T_{p a r}+2 T_{h}+2 T_{m u l}\) . As is stated, the computational overhead of the entire process is \(7 T_{p a r}+9 T_{h}+9 T_{m u l}\) .

 

5.3 Security Analysis

 The security analysis of the scheme is conducted in terms of three aspects: anonymity, non-forgeability and resistance to query tracing attack.

 5.3.1 Anonymity game

 Step 1: The attacker launches query to obtain the system parameters: \(\left\{G_{1}, G_{2}, e, k, n, P, P K_{a n o n}, Q, H_{1}, H_{2}, H_{3}\right\}\) , and the necessary information of the parameters;

 Step 2: The attacker selects two totally different messages \(m_b\) and \(m_{1−b} \) as the ID messages of user \(U_1\) and \(U_2\) ;

 Step 3: Select random bit \(b \in\{0,1\}\) , then send \(m_b\) and \(m_{1−b} \) to two users \(U_1\) and \(U_2\) , while \(b\) is not open to the attacker;

 Step 4: For \(U_1\) and \(U_2\) , TAS respectively finds the optimal candidates \(B_1\) and \(B_2\) , then sends the encrypted ID \(c_b\) and \(c_{1-b}\) to \(B_1\) and \(B_2\) ;

 Step 5: If the encrypted information \(c_b\) and \(c_{1-b}\) received by \(B_1\) and \(B_2\) corresponds respectively with message \(m_b\) and \(m_{1−b} \) , then sends \(c_b\) and \(c_{1-b}\) to the attacker in random order; otherwise, return ⊥ to the attacker;

 Step 6: If the attacker \(A\) decrypts \(c_b\) , and is able to output the message \(m_{b}^{\prime}=m_{b}\) , then he wins the game.

 The advantage of attacker winning this game is defined as: \(A d v(A)=|{Pr}[A]|\) , in which \({Pr}[A]\) represents the probability of attacker \(A\) outputting the message \(m_{b}^{\prime}=m_{b}\) , that is, the probability of attacker obtaining user’s ID information.

 Theorem 1: In the trajectory privacy preservation scheme, assume attacker \(A\) is able to win the anonymity game with negligible probability, then this scheme satisfies the requirement for anonymity.

 Proof: Assume attacker \(A\) as the attacker in the anonymity game in Theorem 1, if ⊥ is received in Step 5, then attacker \(A\) fails to obtain any useful information. Then consider another possibility: assume attacker \(A\) obtains two encrypted data packets \(M_{N o B_{1}}=\left\{c_{b}\right\}\) and \(M_{N o B_{2}}=\left\{c_{1-b}\right\}\) , in which \(c_{b}=\left<\upsilon P, m_{b} \oplus H_{3}\left(e\left(Q_{B_{1}}, P K_{B_{1}}\right)^{\upsilon}\right)\right\rangle\) , \(c_{1-b}=\left\langle\zeta P, m_{1-b} \oplus H_{3}\left(e\left(Q_{B_{1-b}}, P K_{B_{1-b}}\right)^{\zeta}\right)\right\rangle\) . \(v \in Z_{q}^{*}\)and \(\zeta \in Z_{q}^{*}\) are the random number generated by TAS, while \(P K_{B_{1}}\) and \(P K_{B_{2}}\) are respectively the public keys of user \(B_{1}\) and \(B_{2}\) .

 Let the probability of the attacker obtaining the encrypted information \(c_{b}\) is \(P(\mathbb{Q})\) , because \(c_b\) and \(c_{1-b}\) are sent to attacker \(A\) in random order, so \(P(\mathbb{Q})=\frac{1}{2}\) . Assuming that the probability of the attacker decrypting the message \(c_b\) is \(\mathrm{P}(\ell)\) , the probability that the attacker finally obtains the identity information \(m_b\) is \(P(m)=P(\ell) P(\mathbb{Q})=\frac{1}{2} P(\ell)\) . Assuming that the attacker’s secret key is \(S K_{ {Atack}}=r_{ {Atack}} S_{ {Atack}} Q_{ {Atack}}\), if he tries to obtain user’s ID information \(m_b\) by decrypting the ciphertext \(c_{b}=\left<\upsilon P, m_{b} \oplus H_{3}\left(e\left(Q_{B_{1}}, P K_{B_{1}}\right)^{\upsilon}\right)\right\rangle\) , then he must find the solution of \(H_{3}\left(e\left(Q_{B_{1}}, P K_{B_{1}}\right)^{\upsilon}\right)\) . Attacker can assume \(Q_{{Arnack}}=Q_{B_{1}}\) and \(r_{ {Atack}} s_{ {Attack}} P=P K_{B_{1}}\) , and calculate \(H_{3}\left(e\left(Q_{ {Atack}}, r_{ {Atack}} S_{ {Attack}} P\right)^{\upsilon^{\prime}}\right)\) . If \(H_{3}\left(e\left(Q_{ {Atack}}, r_{ {Atack}} s_{ {Atuack}} P\right)^{\upsilon^{\prime}}\right)=H_{3}\left(e\left(Q_{B_{1}}, P K_{B_{1}}\right)^{\upsilon}\right.\) is tenable, \(\upsilon^{\prime}=\upsilon\) must be satisfied. Since random number \(\upsilon\) satisfies \(\lambda_{b}=\upsilon P\) , then its solution-finding means solving Elliptic Curve Discrete Logarithm Problem (ECDLP), which is computationally infeasible. Therefore, the probability \(\mathrm{P}(\ell)\) of the attacker to decrypt the message \(c_1\) is negligible. Consequently, the probability of attacker \(A\) winning the game is: \(A d v(A)=|{Pr}[A]|=\frac{1}{2} \mathrm{P}(\ell)\) , which is negligible. Therefore, the scheme realizes anonymity. However, since the optimal candidate is selected from \(k\) candidates, the probability of the attack inferring the optimal candidate is \(1 / k\) . Let \(\mathrm{P}\left(P I D_{k}\right)\) be the probability of attacker solving the solution of \(d_i\) based on \(PID_k\) . So the probability that the attacker finally gets the privacy of the real requester is \(\operatorname{Pr}(S k)=\frac{1}{2 k} P(\ell) P\left(P I D_{k}\right)\) . In the equation \(P I D_{k}=\boldsymbol{D}^{T} \cdot \boldsymbol{d}_{i}, \boldsymbol{D}\) is an n-dimensional column vector randomly selected by TAS, so solving \(d_i\) on the basis of the equation \(P I D_{k}=\boldsymbol{D}^{T} \cdot \boldsymbol{d}_{l}\) is infeasible. In addition, \(d_i\) is one of infinite solutions of the linear equation \({\chi d_{i}=\rho}\) , so the probability that the attacker guesses d_i is negligible. In summary, the probability of an attacker obtaining the privacy of the real requester is negligible.

 

5.3.2 Non-forgeability

 Theorem 1: In Random Oracle Model (ROM), if attacker \(A\) exists to forge user’s registration information by masquerading TAS in polynomial time, then Diffie-Hellman, the calculative problem, can be solved with non-negligible probability in polynomial time.

 Proof: Assume attacker \(A\) is able to solve the calculative problem Diffie-Hellman with non-negligible probability in polynomial time, that is, attacker \(A\) finds \(​​s\) with non-negligible probability to make the equation \(\mathrm{e}\left(S_{U}, P\right)=e\left(\tilde{Q}_{U}, P K_{a n o n}\right)\) tenable.

 Initialization: Assume challenger \(C\) possesses(\(P, s P\)) and provides for attacker \(A\) the system parameters \(\left\{G_{1}, G_{2}, e, k, n, P, P K_{ {anon}}, Q, H_{1}, H_{2}, H_{3}\right\}\) , in which \(P K_{a n o n}=s P\) , while \(​​s\) is the random number generated by TAS , and is unknown to \(C\); attacker \(A\) requests from \(C\) a random answer of ROM \(H_1\) while maintains consistency to avoid conflict, and \(C\) keeps a request-reply list to store the replies from the requests.

 ROM query phase: \(C\) is able to provide ROM query for attacker \(A\) via ROM \(H_1\) , and provide corresponding request-reply parameters.

 Attacker \(A\) conducts query via ROM \(H_1\) to obtain harsh values, as follows: \(H_1\) request: \(A\) requests the harsh value of identity \(ID_i\) from \(C\), and \(C\) detects whether there is \(I D_{i} \in L_{I}\) in request-reply list \(L_I\) ;

 (1) If there is \(I D_{i} \in L_{I}\) , then send the corresponding reply to \(A\).

 (2) Otherwise, randomly select \(\tau_{i} \in Z_{q}^{*}\) and calculate \(H_{1}\left(I D_{i}\right)\) , send \(\left(\tau_{i}, H_{1}\left(I D_{i}\right)\right)\) to \(A\), and store this request-reply in the list \(L_I\) , then the corresponding \(S_{ID_{i}}=\tau_{i} H_{1}\left(I D_{i}\right)\) can be easily obtained.

 Forgeability and problem-solving: attacker \(A\) forges user’s registration information by masquerading TAS, but \(A\) is unable to obtain the random number \(​​s\) of TAS, so it fails to calculate \(S_{U}\) to make the equation \(\mathrm{e}\left(S_{U}, P\right)=e\left(\tilde{Q}_{U}, P K_{\alpha n o n}\right)\) valid. If attacker \(A\) manages to obtain the random number \(​​s\) , then it has to speculate the random number \(​​s\) via the public key \(\left(P, P K_{ {anon}}\right)\) and \(P K_{ {anon}}=s P\) in TAS, which means facing the calculative problem Diffie-Hellman, so attacker \(A\) is unable to solve Diffie-Hellman problem with non-negligible probability in polynomial time. Therefore, the proposed scheme is able to meet the demand for non-forgeability.

 

5.3.3 Resistance to Query Tracing Attack

 In the process of initiating LBS service, the initiator is replaced by the optimal candidate in launching LBS query, so in the query records of LBS server, what is recorded is the query information and ID information of the optimal candidate. Meanwhile, at different time intervals in users’ mobility trajectories, there are different optimal candidates making continuous requests, so that attacker is unable to infer candidates’ relevancy to real users via the intersection of user sets in cloak area at different time intervals. Therefore, it achieves the purpose of confusing the user's moving track. Assume the frequency of user’s continuous query in mobility trajectories as \(m\) , and the number of candidates participating in each query is \(n_i\) , in which \(1 \leq i \leq k\) , since the optimal candidates in each query differ with one another, so the candidates in different cloak areas are independent with one another. Let \(\mathrm{P}\left(P I D_{U}\right)\) be the probability of attacker solving the solution of \(d_i\) based on \(P I D_{U}\) , and \(\mathrm{P}(\partial)\) be the probability of attacker capturing the communications between user \(U\) and candidate and decrypting the message, and if attacker obtains the registered message that MT user requests to TAS, then in the course of continuous queries the probability of tracing users is \(\mathrm{P}=\prod_{i=1}^{m} \frac{1}{n_{i}} \mathrm{P}(\partial) \mathrm{P}\left(P I D_{U}\right)\) . \(\mathrm{P}(\partial)\) means solving the elliptic curve cryptosystem, which is infeasible in calculation. \(\mathrm{P}\left(P I D_{U}\right)\) is equal to the known \(P I D_{U}\) , then find the solution of \(d_i\) according to equation \(P I D_{u}=D^{T} \cdot d_{i}\) , while \(D\) is a n-dimensional column vector randomly selected by TAS, and the probability of solving and finding \(d_i\) is negligible; moreover, there are infinite solutions of the linear equation \(\boldsymbol{\chi d_{i}=\rho}\) , so attacker is unable to identify \(\boldsymbol{d_{i}}\) according to matrix equations. Therefore, it can be concluded that the probability of attacker obtaining requestor’s real identity is negligible, that is, attacker is unable to trace candidates according to continuous query records so as to identify the real identity of the initiator.

5.3.4 Resistance to Wiretapping Attack

 In this scheme, when user \(U\) communicate with TAS via MT, user \(U\) will employ TAS’ public key \(P K_{{anon}}\) and LBS server’s public key \(P K_{L B S}\) to encrypt message 1\(m_{1}=\left\{P I D_{C}^{1}, P I D_{C}^{2}, \cdots, P I D_{C}^{k-1}\right\}\) and user’s requested message \(m_{2}=\left\{L_{U}, Q_{U}, K_{s}\right\}\) so as to guarantee the security of messages during communications; and the optimal candidate \(B\) communicates with LBS server via secure channel. When returning query result, LBS server will adopts session key\( K_s\) to encrypt the query result \(m_{4}=\{M E G\}\) so as to guarantee its security. Finally, the optimal candidate \(B\) sends the encrypted data packet \(M_{B o U}=\left\{E n_{K_{s}}\left(m_{4}\right)\right\}\) to user \(U\) .

 In conclusion, it can be demonstrated that the communications of LBS is conducted in encrypted manner to interchange messages, which effectively prevents the wireless communications among MT, TAS and LBS server from being monitored and wiretapped by attacker. Therefore, this scheme succeeds in resisting to wiretapping attack.

 

6. Simulation Experiment

 The environment of simulation experiment in this scheme is as follows: operation system: Windows 7 (64 bit); CPU: Intel i5 processor; RAM: 4G; simulation software: mobile object generator Thomas Brinkhoff and simulation tool MATLAB. Suppose the experiment is conducted in an ideal network environment, then a large number of trajectory data of mobile objects are generated via Thomas Brinkhoff, and a certain mobile object is selected randomly as the initiator to realize confusion of users’ trajectories by means of solution algorithm of trajectory similarity and query substitution algorithm, so as to further protect user’s trajectory privacy. In comparison with this scheme, other schemes are adopted, like Random Scheme (based on fake trajectories randomly generated), schemes in Reference [11] and [16], as well as the optimal scheme in theory. The following experiment results are invariably the average value of 1000 operations.

 As is shown in Fig. 2, given the same number of candidates \(K\) , the scheme in Reference [11] has the most unfavorable similarity, for it only considers user’s marching direction after each pause in generating fake trajectories, while ignoring the map background information of fake trajectories; the scheme in Reference [16] has less unfavorable similarity, for it considers the properties of user’s motion pattern and trajectory similarity in generating fake trajectories, and make reasonable adjustment according to locations’ background information in fake trajectories, thus improving the trajectory similarity. In the proposed scheme of this paper, we adopts trajectory sampling and selects similar trajectories based on trajectory similarity function. Since this scheme conducts trajectory sampling at shorter time intervals, as a result, the candidate trajectories are quite short, which has a higher trajectory similarity than that of Reference [16].

Fig. 2. The relationship between candidate number K and trajectory similarity

 Given the fixed point number of trajectory segments, the processing time costs increase with increasing candidates, as is shown in Fig. 3. The explanation is: when increasing the candidate number of user or the point number within trajectory segments, certain time costs also increase because user need match more candidate users within certain range. Meanwhile, given the fixed candidate \(K\) , the execution time of algorithm increases with increasing point number \(N\) of trajectory segments. For example, when candidate \(K\) is 5, the point number \(N\) increases from 2 to 10, while the execution time increases from 19ms to 41ms, which means the processing time is directly proportional to point number in trajectory segments. Consequently, the total time of searching the trajectory with the optimal similarity increases with increasing candidate user’s number \(K\) and trajectory segments’ point number \(N\) . It is to be noted that in real case this scheme must ensure that \(K \geq 2\) and \(N ≥ 2\) . When \(N =1\), this trajectory is replaced by this sampling point, since a single point can not define the similarity of trajectory segments, so this scheme does not apply; if the environment in which the request users lie is excessively sparse, for instance, when \(K = 0\) , no candidate exists to substitute user in requesting service; when \(K = 1\), that is, only one candidate exists, then there is no need to adopt trajectory similarity function in selecting optimal candidate, the only candidate is the optimal candidate to substitute user in requesting service, and attacker could trace it according to candidate’s continuous queries and obtain the relevant private information of the initiator.

Fig. 3. The relationship among candidate number \(K\) , trajectory segments’ point number \(N\) and the time \(t\)

 In this scheme, given the fixed number \(N\) of trajectory segments, the influence of candidate \(K\) ’s variation upon the algorithm’s execution time is shown in Fig. 4. According to the results, Random Scheme is the most efficient in execution for not taking into account other conditions, but is the most undesirable in protecting user’s privacy via security analysis. The scheme in Reference [16] takes into account such elements as user’s motion pattern, fake trajectories’ validity and background information, etc., and requires more potential traversal and verification in generating and selecting fake trajectories, thus is much longer in algorithm’s execution time. In this proposed scheme, what is needed is only the sampling of the existing trajectories, without generating trajectories, and selecting the trajectory with optimal similarity via trajectory similarity function, without considering other elements, therefore, the execution efficiency in this scheme is more desirable than that of Ref.[] and Ransom scheme.

Fig. 4. The influence of candidate number \(K\) upon algorithm’s execution time \(t\)

 

7. Conclusion

 Aimed at the disclosure of mobile terminal user’s location privacy in LBS, this paper proposes a trajectory privacy preservation scheme on the basis of similar trajectory’s query substitution. Based on the anonymized identities of user and candidates, this scheme adopts trajectory similarity function to select the candidate with optimal trajectory similarity to substitute real user in requesting LBS service, so as to preserve user’s privacy like identity, location trajectory and query contents. Security analyses prove that this scheme is not only able to solve such problems as anonymity and non-forgeability, but also able to resist continuous query attack and wiretapping attack. Moreover, simulation experiment is conducted in terms of three aspects: similarity between candidate and requested user, the influence of candidate number \(K\) and trajectory segments’ point number N on time t, and the execution efficiency of the algorithm. The results show that the trajectory similarity between optimal candidate selected in this scheme and real user at certain time intervals is apparently more desirable than that of other schemes. Therefore, this scheme is of important theoretical significance and applicable value in mobile users’ privacy protection in LBS.