A Two-level Protocol to Answer Private Location-based Queries Roopa Vishwanathan Yan Huang [RoopaVishwanathan, huangyan]@unt.edu Computer Science and Engineering University of North Texas
Privacy Issues in Location-based Services
• Client requests information from the server related to her current location
• Client wants to maintain privacy and anonymity
• Location can be associated with user identity, e.g. service request at your own house
• Thus client does not want the server to know her location
• Server wants to release as precise information as possible
ISI 2009, Dallas, Texas
Existing Approaches
• Cloaking: k-anonymity [3][4][5]
• Client requests are sent to an anonymizer
• Anonymizer “cloaks” client’s location to a region that includes k-1 other clients
• Anonymizer forwards queries to the server using the cloaked location
• Need to trust the anonymizer
Existing Approaches … cont’d
• Peer-to-peer [6][7]
• A client c searches for k-1 peers
• One peer acts as agent on behalf of c
• Chosen agent forwards requests to the server using the cloaked region
• Need to be able to find k-1 peers
• Need to trust the chosen agent peer
Drawbacks of Existing Approaches
• Need to trust the anonymizer or peers
• Reveals some spatial information (general region of query)
• Correlation attacks
• Could possibly identify the client
• Large volume of query results
Problem Definition and Motivation
• Nearest Neighbor Query Example: Find me the nearest gas station from the location-based server (LBS)
• Goal: Find a way to protect privacy of the client while ensuring the server returns precise data
• Privacy means: no release of identity or location of the client
• Motivation: Recent research shows PIR is a feasible and privacy-preserving approach, but the server reveals too much data
Our Approach
• Focus on Exact-Nearest-Neighbour queries
• Uses the PIR framework by Shahabi et al. [1] as a first step
• Applies Oblivious Transfer [2] as the second step (to make server data precise)
Private Information Retrieval (PIR)
• Based on a computationally hard problem
• Client sends an encrypted request for information
• Server does not know what it reveals
Figure: Alice wants bit i and sends E(i); Bob holds X[1,2,3,…,N] and returns v(X, E(i))
PIR Theory
PIR in Location-based Services
User input: $[y_1, y_2, \ldots, y_n]$
Server computes: $z_r = \prod_{j=1}^{n} w(r,j)$, where $w(r,j) = y_j^2$ if $M_{r,j} = 0$ and $w(r,j) = y_j$ otherwise
Server returns: $z = [z_1, z_2, \ldots, z_n]$
User computes: if $z_a \in QR$ then $M_{a,b} = 0$, else $M_{a,b} = 1$
Example of PIR in LBS
User location: $M_{2,3}$
User generates request: $y = [y_1, y_2, y_3, y_4]$ with $y_3 \in QNR$ and $y_1, y_2, y_4 \in QR$
Server replies: $[z_1, z_2, z_3, z_4]$
If $z_2 \in QR$ then $M_{2,3} = 0$, else $M_{2,3} = 1$
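The two PIR slides above (the $w(r,j)$ rule and the $M_{2,3}$ example) are carried through in working code below. This is an added example, not the paper's code or the framework of [1]: the client owns a modulus $n = pq$ with $p \equiv q \equiv 3 \pmod 4$, sends a genuine square $y_j$ for every column except the wanted one, where it sends a pseudo-square (a quadratic non-residue with Jacobi symbol +1, so the server cannot distinguish it); the server applies exactly the slide's rule; and the client decides residuosity with Euler's criterion modulo $p$ and $q$. Indices are 0-based here, so the slide's $M_{2,3}$ is `M[1][2]`. The key sizes (24-bit primes) and the 4x4 bit matrix are constructed toy values. The `retrieve_column` round trip also makes the motivation slide concrete: one PIR query hands the client the entire column, not just its own cell.

```python
"""Quadratic-residuosity PIR over a bit matrix M (rows a, columns b).
Added example with constructed toy parameters; not the paper's implementation."""
import random

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; exact for every n below 3.3e24, far beyond our toy sizes."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def prime_3_mod_4(bits, rng):
    """Random prime p with p ≡ 3 (mod 4), so that -1 is a quadratic non-residue mod p."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 3   # top bit set, low bits 11 -> ≡ 3 mod 4
        if is_prime(c):
            return c

class PIRClient:
    def __init__(self, bits=24, seed=0):
        self.rng = random.Random(seed)
        self.p = prime_3_mod_4(bits, self.rng)
        self.q = prime_3_mod_4(bits, self.rng)
        while self.q == self.p:
            self.q = prime_3_mod_4(bits, self.rng)
        self.n = self.p * self.q   # only n goes to the server; p and q stay with the client

    def is_qr(self, x):
        """Euler's criterion mod p and mod q: x is a square mod n iff it is a square mod both."""
        return (pow(x % self.p, (self.p - 1) // 2, self.p) == 1
                and pow(x % self.q, (self.q - 1) // 2, self.q) == 1)

    def random_qr(self):
        r = self.rng.randrange(2, self.n)
        return r * r % self.n

    def random_pseudo_square(self):
        # -1 is a non-residue mod p and mod q (both ≡ 3 mod 4), so -r^2 is a QNR with
        # Jacobi symbol +1: without p and q it looks just like the genuine squares.
        return (-self.random_qr()) % self.n

    def query(self, col, ncols):
        """y_b is a QNR for the wanted column b; every other y_j is a QR."""
        return [self.random_pseudo_square() if j == col else self.random_qr() for j in range(ncols)]

    def decode(self, z, row):
        """z_a is a QR iff M[a][b] = 0 (all factors are squares unless y_b entered unsquared)."""
        return 0 if self.is_qr(z[row]) else 1

def pir_server_answer(M, y, n):
    """z_r = prod_j w(r,j) with w(r,j) = y_j^2 if M[r][j] = 0 and y_j otherwise.
    The server sees only n and the y_j and learns nothing about the chosen column."""
    z = []
    for row in M:
        acc = 1
        for m_bit, y_j in zip(row, y):
            acc = acc * (y_j * y_j % n if m_bit == 0 else y_j) % n
        z.append(acc)
    return z

def retrieve_column(M, col, seed=0):
    """Full round trip. Returns the whole column: everything one PIR query exposes to the client."""
    client = PIRClient(seed=seed)
    y = client.query(col, len(M[0]))
    z = pir_server_answer(M, y, client.n)
    return [client.decode(z, r) for r in range(len(M))]

if __name__ == "__main__":
    # Constructed 4x4 grid; the client sits in M[1][2] (the slide's M_{2,3}).
    M = [[0, 1, 0, 0], [0, 0, 1, 1], [1, 1, 0, 0], [0, 0, 0, 1]]
    print(retrieve_column(M, 2))   # the client learns the full third column
```

Each `y_j` the server receives has Jacobi symbol +1, so telling the pseudo-square apart from the squares is the quadratic residuosity problem; that is the "computationally hard problem" of the PIR slide. The price, visible in `retrieve_column`, is that the answer decodes to every row of the column, which is why the paper adds a second step.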
Oblivious Transfer
• Fundamental cryptographic protocol
• Alice asks for one bit of information from Bob
• Alice does not get to know any other bit
• Bob does not know what bit Alice asked for
• Many variants: 1-of-2, 1-of-n, k-of-n
Example of Oblivious Transfer (OT)
Example of OT … cont’d
The Two-level Protocol: First Step
Server divides the area into Voronoi cells and superimposes a grid on it
Each grid cell has a list of Points of Interest (POIs) associated with it
One POI each in a Voronoi cell
Contents of grid cells are the list of POIs
First Step: PIR … cont’d
Client requests a column corresponding to its grid cell using PIR, e.g. PIR(C)
Server prepares encrypted column C
Second Step – Oblivious Transfer (OT)
• Client initiates 1-of-n OT with server
• Client and server agree on a set of keys
• Server encrypts each bit of PIR response with a different set of keys (according to the index of the bit) and sends it across
• Server and client exchange keys (through 1-of-2 OT)
• Client can decrypt the bit it wants and none else
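The Oblivious Transfer slide and the second-step slide above are illustrated together below in an added example that is not the paper's code and not the protocols of [2]. It follows the composition the slides describe: the server draws one key pair per index bit, masks entry $j$ of the column under the keys selected by the bits of $j$, and the client runs one 1-of-2 OT per bit position to obtain exactly the keys for its own index, so it can open its own cell and no other. The 1-of-2 OT is a Diffie-Hellman style construction (sender publishes $A = g^a$; receiver with choice bit $c$ returns $B = g^b$ or $A \cdot g^b$; sender derives two keys from $B^a$ and $(B/A)^a$, of which the receiver can compute only $g^{ab}$). The group ($p = 2^{61}-1$, $g = 3$), the 32-byte message size and the eight constructed cell contents are toy assumptions; nothing here is sized for real use.

```python
"""1-of-n OT from log2(n) runs of 1-of-2 OT, as in the protocol's second step.
Added example with constructed toy parameters; not the paper's implementation."""
import hashlib
import random

# Constructed toy group: Z_p^* with the Mersenne prime p = 2^61 - 1 and base g = 3.
P = (1 << 61) - 1
G = 3
KEYLEN = 32   # every message / key is exactly 32 bytes (padded with NULs)

def hash_point(x):
    """Derive a 32-byte key from a group element."""
    return hashlib.sha256(x.to_bytes(8, "big")).digest()

def prf(key, index):
    """Keyed mask bound to ciphertext position `index` (SHA-256 used as a PRF)."""
    return hashlib.sha256(key + index.to_bytes(4, "big")).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# ---- 1-of-2 OT: sender holds (m0, m1), receiver holds choice bit c ----
def ot2_sender_setup(rng):
    a = rng.randrange(2, P - 1)
    return a, pow(G, a, P)                                   # secret a, public A = g^a

def ot2_receiver_choose(A, c, rng):
    b = rng.randrange(2, P - 1)
    B = pow(G, b, P) if c == 0 else A * pow(G, b, P) % P     # B = g^b or A * g^b
    return b, B

def ot2_sender_encrypt(a, A, B, m0, m1):
    k0 = hash_point(pow(B, a, P))                            # equals g^{ab} only if c = 0
    k1 = hash_point(pow(B * pow(A, -1, P) % P, a, P))        # equals g^{ab} only if c = 1
    return xor(m0, k0), xor(m1, k1)

def ot2_receiver_decrypt(A, b, c, e0, e1):
    kc = hash_point(pow(A, b, P))                            # g^{ab}: opens exactly one ciphertext
    return xor(e1 if c else e0, kc)

# ---- 1-of-n OT built on the 1-of-2 primitive ----
def ot1n_sender_encrypt(messages, rng):
    """One fresh key pair per index bit; entry j is masked under the keys picked by the bits of j."""
    L = max(1, (len(messages) - 1).bit_length())
    keys = [(rng.getrandbits(256).to_bytes(32, "big"),
             rng.getrandbits(256).to_bytes(32, "big")) for _ in range(L)]
    cts = []
    for j, m in enumerate(messages):
        mask = bytes(KEYLEN)
        for i in range(L):
            mask = xor(mask, prf(keys[i][(j >> i) & 1], j))
        cts.append(xor(m, mask))
    return keys, cts

def ot1n_receiver_keys(keys, choice, rng):
    """One 1-of-2 OT per index bit (both roles simulated in-process); the sender's
    keys are passed in only so the sender half of each OT can be run here."""
    got = []
    for i, (k0, k1) in enumerate(keys):
        c = (choice >> i) & 1
        a, A = ot2_sender_setup(rng)
        b, B = ot2_receiver_choose(A, c, rng)
        e0, e1 = ot2_sender_encrypt(a, A, B, k0, k1)
        got.append(ot2_receiver_decrypt(A, b, c, e0, e1))
    return got

def ot1n_decrypt(cts, got, index):
    mask = bytes(KEYLEN)
    for i, k in enumerate(got):
        mask = xor(mask, prf(k, index))
    return xor(cts[index], mask)

def pad(s):
    return s.ljust(KEYLEN, b"\0")

def unpad(b):
    return b.rstrip(b"\0")

def fetch_cell(column, choice, seed=0):
    """Whole exchange over a column of n cell contents; returns the chosen cell's content."""
    rng = random.Random(seed)
    keys, cts = ot1n_sender_encrypt([pad(c) for c in column], rng)
    got = ot1n_receiver_keys(keys, choice, rng)
    return unpad(ot1n_decrypt(cts, got, choice))

def wrong_cell_is_garbage(column, choice, other, seed=0):
    """The client's keys open no other index: at least one index bit differs."""
    rng = random.Random(seed)
    keys, cts = ot1n_sender_encrypt([pad(c) for c in column], rng)
    got = ot1n_receiver_keys(keys, choice, rng)
    return unpad(ot1n_decrypt(cts, got, other)) != column[other]

if __name__ == "__main__":
    column = [f"cell {j}: POI gas station #{j}".encode() for j in range(8)]   # constructed
    print(fetch_cell(column, 5).decode())
```

For a column of $n$ cells the client runs only $\lceil \log_2 n \rceil$ 1-of-2 OTs, not $n$, which is what keeps the second step affordable on top of the PIR step; the server still has to mask all $n$ entries.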
High-level View
• Client knows its location
• Tries to execute PIR to get its cell
• Server prepares PIR response corresponding to the column that the client is in and encrypts it
• Client and server engage in 1-of-n OT to get the client’s cell from the column
High-level View … cont’d
• Contents of the client’s grid cell are its neighbours (Points of Interest, POIs)
• Client can easily calculate which point is the nearest
• May contain redundant POIs
• Repeated/redundant POIs can be discarded
Complexity
• N: number of objects (POIs)
• M: number of bits in each object
• Request by client: O(M · N)
• Response by server: O(M · N + √N log √N)
• Total time: O(M · N + √N log √N)
Comparison of Costs
Conclusion
• Contribution: Proposed a two-level protocol for private location queries
• PIR over the entire grid – large amount of data would be revealed
• OT over the entire grid – very expensive
• Our approach – reduces amount of data revealed, not very expensive
• Future direction: alternative approach (multi-level PIR)
References
[1] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi and K. Tan. Private Queries in Location Based Services: Anonymizers are not Necessary. In Proc. of ACM SIGMOD 2008, pp. 121-132.
[2] B. Pinkas and M. Naor. Efficient Oblivious Transfer Protocols. In Proc. of 12th ACM-SIAM Symposium on Discrete Algorithms, pp. 448-457, 2001.
[3] B. Gedik and L. Liu. Privacy in mobile systems: A personalized anonymization model. In Proc. of ICDCS, pp. 620-629, 2005.
[4] P. Kalnis, G. Ghinita, K. Mouratidis and D. Papadias. Preventing location-based identity inference in anonymous spatial queries. In Proc. of IEEE TKDE, pp. 239-257, 2007.
[5] M. Mokbel, C. Chow and W. Aref. The new Casper: Query Processing for location-based services without compromising privacy. In Proc. of VLDB, pp. 219-239, 2005.
[6] C.Y. Chow, M. Mokbel and X. Liu. A peer-to-peer spatial cloaking algorithm for anonymous location-based services. In Proc. of ACM International Symposium on GIS, pp. 247-256, 2006.
[7] G. Ghinita, P. Kalnis and S. Skiadopoulos. PRIVE: Anonymous location-based queries in distributed mobile systems. In Proc. of 1st Intl. Conference on World Wide Web (WWW), pp. 371-380, 2007.