Page 1: A Two-level Protocol to Answer Private Location-based Queries

A Two-level Protocol to Answer Private Location-based Queries

Roopa Vishwanathan, Yan Huang

[RoopaVishwanathan, huangyan]@unt.edu

Computer Science and Engineering

University of North Texas

Privacy Issues in Location-based Services

Client requests information from the server related to her current location

Client wants to maintain privacy and anonymity

Location can be associated with user identity, e.g. a service request made from your own house

Thus the client does not want the server to know her location

Server wants to release as precise information as possible

06/09/09 ISI 2009, Dallas, Texas

Existing Approaches

Cloaking: k-anonymity [3][4][5]

Client requests are sent to an anonymizer

Anonymizer “cloaks” the client’s location to a region that includes k-1 other clients

Anonymizer forwards queries to the server using the cloaked location

Need to trust the anonymizer

Existing Approaches … cont’d

Peer-to-peer [6][7]

A client c searches for k-1 peers

One peer acts as agent on behalf of c

Chosen agent forwards requests to server using cloaked region

Need to be able to find k-1 peers

Need to trust the chosen agent peer

Drawbacks of Existing Approaches

Need to trust the anonymizer or peers

Reveals some spatial information (general region of query)

Correlation attacks

Could possibly identify the client

Large volume of query results

Problem Definition and Motivation

Nearest Neighbor Query Example: find me the nearest gas station (asked of the location-based server, LBS)

Goal: Find a way to protect the privacy of the client while ensuring the server returns precise data

Privacy means: no release of the identity or location of the client

Motivation: Recent research shows PIR is a feasible and privacy-preserving approach, but the server reveals too much data

Our Approach

Focus on Exact-Nearest-Neighbour queries

Uses PIR framework by Shahabi et al. [1] as a first step

Applies Oblivious Transfer [2] as the second step (to make server data precise)

Private Information Retrieval (PIR)

Based on a computationally hard problem

Client sends an encrypted request for information

Server does not know what it reveals

Figure: Bob holds X = [1, 2, 3, …, N]; Alice wants bit i; Bob computes v(X, E(i)) on the encrypted index E(i)

PIR Theory

PIR in Location-based Services

User input: $y = [y_1, y_2, \ldots, y_n]$

Server computes: $z_r = \prod_{j=1}^{n} w(r,j)$, where $w(r,j) = y_j^2$ if $M_{r,j} = 0$ and $w(r,j) = y_j$ otherwise

Server returns: $z = [z_1, z_2, \ldots, z_n]$

User computes: if $z_a \in QR$ then $M_{a,b} = 0$, else $M_{a,b} = 1$

Example of PIR in LBS

User location: $M_{2,3}$

User generates request: $y = [y_1, y_2, y_3, y_4]$ with $y_3 \in QNR$ and $y_1, y_2, y_4 \in QR$

Server replies: $[z_1, z_2, z_3, z_4]$

If $z_2 \in QR$ then $M_{2,3} = 0$, else $M_{2,3} = 1$
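The quadratic-residuosity PIR of "PIR in Location-based Services" and its example, as an added runnable example that is not code from the paper or from Ghinita et al. [1]. Indices are 0-based, the primes P and Q are toy values constructed for the demo, and pir_column makes the motivating point visible: the client recovers the whole column, not only the one cell $M_{a,b}$ it needs.

```python
import math
import random

# Toy QR-based PIR (Kushilevitz-Ostrovsky style, the scheme used by Ghinita et al. [1]).
# P, Q are constructed for the demo; real deployments use primes of hundreds of bits.
# Only the client knows P and Q; the server sees only N.
P, Q = 10007, 10009
N = P * Q
rng = random.Random(2009)

def legendre(x, p):
    """+1 if x is a quadratic residue mod the prime p, -1 otherwise (x coprime to p)."""
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1

def is_qr(x):
    """Client-side QR test mod N: possible only with the factorisation P, Q."""
    return legendre(x, P) == 1 and legendre(x, Q) == 1

def random_unit():
    x = rng.randrange(2, N)
    return x if math.gcd(x, N) == 1 else random_unit()

def make_qnr():
    """Non-residue mod both P and Q: Jacobi symbol +1, so the server cannot tell it from a QR."""
    x = random_unit()
    return x if legendre(x, P) == legendre(x, Q) == -1 else make_qnr()

def client_query(b, n):
    """y_b in QNR, every other y_j in QR: privately asks for column b (0-indexed)."""
    return [make_qnr() if j == b else pow(random_unit(), 2, N) for j in range(n)]

def server_respond(M, y):
    """z_r = prod_j w(r,j) mod N, with w(r,j) = y_j^2 if M[r][j] == 0 and y_j otherwise."""
    z = []
    for row in M:
        acc = 1
        for bit, yj in zip(row, y):
            acc = acc * (yj if bit else yj * yj % N) % N
        z.append(acc)
    return z

def client_decode(z, a):
    """M[a][b] = 0 iff z_a is a QR: the single QNR factor y_b was squared away."""
    return 0 if is_qr(z[a]) else 1

def pir_column(M, b):
    """Whole round trip. The client learns the entire column b, not only the one
    cell it needs: this is the over-disclosure the OT second step removes."""
    z = server_respond(M, client_query(b, len(M)))
    return [client_decode(z, a) for a in range(len(M))]
```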

Oblivious Transfer

Fundamental cryptographic protocol

Alice asks for one bit of information from Bob

Alice does not get to know any other bit

Bob does not know what bit Alice asked for

Many variants: 1-of-2, 1-of-n, k-of-n

Example of Oblivious Transfer (OT)

Example of OT … cont’d

The Two-level Protocol: First Step

Server divides the area into Voronoi cells and superimposes a grid on it

Each grid cell has a list of Points of Interest (POIs) associated with it

One POI each in a Voronoi cell

Contents of grid cells are the list of POIs

First Step: PIR … cont’d

Client requests the column corresponding to its grid cell using PIR, e.g. PIR(C)

Server prepares encrypted column C

Second Step – Oblivious Transfer (OT)

Client initiates 1-of-n OT with server

Client and server agree on a set of keys

Server encrypts each bit of PIR response with a different set of keys (according to the index of the bit) and sends it across

Server and client exchange keys (through 1-of-2 OT)

Client can decrypt the bit it wants and none else
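The second step as an added example, not code from the paper: 1-of-n OT built from log2(n) 1-of-2 OTs in the way the slide describes (each item masked under keys selected by the bits of its index, the client fetching only the keys for its own index). A toy DH-based 1-of-2 OT stands in for the Naor-Pinkas protocol [2]; the group parameters and key length are constructed for the demo.

```python
import hashlib
import secrets

# Toy DH group and key length, constructed for the demo (not the paper's parameters).
P = 2**127 - 1
G = 3
KEYLEN = 16

def H(*parts):
    """Derive a KEYLEN-byte key from a mix of ints and byte strings."""
    h = hashlib.sha256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else str(x).encode())
    return h.digest()[:KEYLEN]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ot_1of2(m0, m1, c):
    """DH-based 1-of-2 OT (both parties' steps run inline). The sender holds
    m0, m1; the receiver with choice bit c recovers m_c and learns nothing about m_{1-c}."""
    a = secrets.randbelow(P - 2) + 1                      # sender's secret
    A = pow(G, a, P)                                      # sender -> receiver
    b = secrets.randbelow(P - 2) + 1                      # receiver's secret
    B = pow(G, b, P) if c == 0 else A * pow(G, b, P) % P  # receiver -> sender
    k_c = H(pow(A, b, P))                                 # receiver's single key
    k0 = H(pow(B, a, P))                                  # sender's key for m0
    k1 = H(pow(B * pow(A, -1, P) % P, a, P))              # sender's key for m1
    e0, e1 = xor(m0, k0), xor(m1, k1)                     # sender -> receiver
    return xor(e1 if c else e0, k_c)                      # receiver opens e_c only

def ot_1ofn(items, choice):
    """Second step of the two-level protocol: item idx is masked with a key
    derived from one of two keys per index-bit position, selected by the bits
    of idx. The client obtains the keys for its own index via log2(n) 1-of-2
    OTs, so it can unmask exactly one item (items are at most KEYLEN bytes)."""
    nbits = max(1, (len(items) - 1).bit_length())
    keys = [(secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN)) for _ in range(nbits)]
    masked = [xor(item, H(*(keys[i][(idx >> i) & 1] for i in range(nbits))))
              for idx, item in enumerate(items)]                        # server side
    mine = [ot_1of2(keys[i][0], keys[i][1], (choice >> i) & 1) for i in range(nbits)]
    return xor(masked[choice], H(*mine))                                # client side
```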

High-level View

Client knows its location

Tries to execute PIR to get its cell

Server prepares PIR response corresponding to a column that the client is in and encrypts it

Client and server engage in 1-of-n OT to get client’s cell from the column

High-level View … cont’d

Contents of the client’s grid cell are its neighbours (Points of Interest, POIs)

Client can easily calculate which point is the nearest

May contain redundant POIs

Repeated/redundant POIs can be discarded

Complexity

N: number of objects (POIs); M: number of bits in each object

Request by client: O(M · N)

Response by server: O(M · N + √N log √N)

Total time: O(M · N + √N log √N)

Comparison of Costs

Action           PIR       OT                 Our Two-Level Protocol
Req. by user     O(√n)     O(log n)           O(√n + log √n)
Res. by server   O(m√n)    O(mn)              O(m√n)
Total time       O(m√n)    O(m log n + mn)    O(m√n + log √n)

Conclusion

Contribution: Proposed a two-level protocol for private location queries

PIR over the entire grid – a large amount of data would be revealed

OT over the entire grid – very expensive

Our approach – reduces the amount of data revealed, not very expensive

Future direction: alternative approach (multi-level PIR)

References

1. G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi and K. Tan. Private Queries in Location Based Services: Anonymizers are not Necessary. In Proc. of ACM SIGMOD 2008, pp. 121-132.

2. B. Pinkas and M. Naor. Efficient Oblivious Transfer Protocols. In Proc. of 12th ACM-SIAM Symposium on Discrete Algorithms, pp. 448-457, 2001.

3. B. Gedik and L. Liu. Privacy in mobile systems: A personalized anonymization model. In Proc. of ICDCS, pp. 620-629, 2005.

4. P. Kalnis, G. Ghinita, K. Mouratidis and D. Papadias. Preventing location-based identity inference in anonymous spatial queries. In Proc. of IEEE TKDE, pp. 239-257, 2007.

References … cont’d

5. M. Mokbel, C. Chow and W. Aref. The new Casper: Query Processing for location-based services without compromising privacy. In Proc. of VLDB, pp. 219-239, 2005.

6. C.Y. Chow, M. Mokbel and X. Liu. A peer-to-peer spatial cloaking algorithm for anonymous location-based services. In Proc. of ACM International Symposium on GIS, pp. 247-256, 2006.

7. G. Ghinita, P. Kalnis and S. Skiadopoulos. PRIVE: Anonymous location-based queries in distributed mobile systems. In Proc. of 1st Intl. Conference on World Wide Web (WWW), pp. 371-380, 2007.
