Location-sharing protocol for privacy protection in mobile online social networks

Location-based services are becoming more and more popular in mobile online social networks (mOSNs) for smart cities, but users’ privacy also has aroused widespread concern, such as locations, friend sets and other private information. At present, many protocols have been proposed, but these protocols are inefficient and ignore some security risks. In the paper, we present a new location-sharing protocol, which solves two issues by using symmetric/asymmetric encryption properly. We adopt the following methods to reduce the communication and computation costs: only setting up one location server; connecting social network server and location server directly instead of through cellular towers; avoiding broadcast encryption. We introduce dummy identities to protect users’ identity privacy, and prevent location server from inferring users’ activity tracks by updating dummy identities in time. The details of security and performance analysis with related protocols show that our protocol enjoys two advantages: (1) it’s more efficient than related protocols, which greatly reduces the computation and communication costs; (2) it satisfies all security goals; however, most previous protocols only meet some security goals.

. Users may hesitate to share their locations over mOSNs if their privacy is not protected [14].Therefore, protecting users' privacy is our first priority in mOSNs.Many studies have been proposed and they are mainly divided into the following two categories: (1) K-anonymity The typical methods in references [15] and [16] are used to obscure the real location by generating (k − 1) virtual locations.That is to say, k positions are generated, including one real position and (k − 1) dummy positions to prevent attackers from identifying the real position.However, firstly, some protocols set up cellular towers, which are used to connect the social network server S OSN and the location server S LS , and will increase communication costs of the whole system.Secondly, in some protocols, query results contain the real identity, which leaks the identity privacy.Thirdly, some protocols can't verify the identity of sender, that is to say, these protocols can't conduct identity authentication.
(2) Dummy identity The methods in references [17,18] are to only share location but hide identity.The method anonymizes users' identities by adopting pseudonyms.However, some protocols set up multiple location servers and adopt broadcast encryption, which increases communication and computation costs.On the other hand, in some protocols, location servers can infer users' activity tracks and further learn sensitive information such as health state.
From the above analysis, these methods suffer two constraints: (1) they are inefficient and have high communication and computation costs.
(2) they ignore some security goals.In the paper, we present a new protocol, which solves two issues by using symmetric/asymmetric encryption properly.Firstly, in our protocol, only one location server is set up, broadcast encryption isn't needed, and S OSN and S LS are connected directly instead of connecting through cellular towers, thus we greatly reduce computation and communication costs.Secondly, inquirers only get dummy identities rather than real identities, which protects users' identity privacy.Thirdly, we prevent location server from inferring users' activity track by updating dummy identities in time.Finally, we conduct identity authentication to prevent impersonation attacks.Compared with related articles, our advantages are as follows: • Our protocol greatly reduces computation and communication costs.In our protocol, firstly, only one location server rather than multiply location servers is set up to reduce communication and computation costs.Secondly, we apply symmetric encryption instead of broadcast encryption to reduce communication and computation costs.Thirdly, cellular towers aren't set up to reduce communication costs.• Our protocol satisfies all security goals; however, most previous protocols only meet some security goals.
This paper is organized as follows.The related works are described in Sect. 2. In Sect.3, some preliminaries are provided.In Sect.4, our new method is proposed.Result and discussion are presented in Sect. 5. Conclusion is described in Sect.6.

Related works
According to the underlying cryptographic techniques, there are two common methods: K-anonymity, Dummy identity.K-anonymity The typical method was first proposed by Sweeney et al. [15] in 2002, and then, Gruteser et al. [16] used it for location privacy protection.Kido et al. [17] extended K-anonymity and introduced the concept of virtual location.But the method K-anonymity has an obvious disadvantage: it incurs great communication and computation costs.
In 2004, a protocol [19] was proposed, which can hide users' positions in sensitive areas by location updation.But users may be traced by location servers.An improved model [20] called CacheCloak solves the problem.CacheCloak can make location data anonymous in real time.The activity track can be predicted by a trusted server from previous location information and be submitted to S LS .However, one user's predicted activ- ity track intersects that of others, thus preventing one user's activity track from being captured by untrusted location servers.
In 2015, BMobishare model [21] was proposed by Shen et al., which employs Bloom Filter to mask sensitive data.It employs Bloom Filter, thus a malicious user cannot obtain unauthorized privacy information.But it ignores identity privacy and identity authentication.Identity privacy: query results contain the real identities which leak the identity privacy.Identity authentication: if a server doesn't verify received information, an attacker may send a location message to the server by pretending the identity of a legitimate user.In 2019, Chen et al. presented a new model [22] to protect identity privacy and conduct identity authentication.
Dummy identity The typical method Dummy identity was first proposed by Cox et al. [18] in 2007, called SmokeScreen model, where a user ID i sets up his access control poli- cies df ID i for friends and ds ID i for strangers.Friends or strangers can obtain users' loca- tions if they satisfy the access control policies.However, in SmokeScreen model, there is only one server used to store personal information such as social network relation and location, if a malicious user colludes with the server, the identity information and the corresponding location information will be obtained by the malicious user.In 2012, Wei et al. [23] proposed Mobishare model to solve this problem.The model sets two servers: S LS and S OSN .S LS is used to store location data and S OSN is used to store personal infor- mation such as social relation.That is to say, neither S OSN nor S LS has a complete infor- mation including the users' identities and locations.So users' privacy is protected even if location server or social network server colludes with malicious users.But users' social relations can be inferred by location server.In 2013, Li et al. [24] proposed Mobishare+ model, which can be seen as an improved mechanism based on Mobishare model.It employs dummy queries and private set intersection protocol to prevent S OSN and S LS from learning individual information.In 2013, Liu et al. [25] proposed N-Mobishare model based on Mobishare model.Compared with Mobishare model and Mobishare+ model, cellular towers aren't set up in N-Mobishare that is used to connect S OSN and S LS , thus N-Mobishare reduces communication costs.In 2014, an improved model [26] of N-Mobishare was proposed, which can prevent location server from inferring social relation of users.S OSN generates a set containing dummy identities of an inquirer's all friends and adds some randomly dummy identities to further anonymize the inquirer's real social relation.But the model adopts broadcast encryption which requires user to dynamically change his sharing decryption key when a friend is added or revoked, which will lead to great communication and computation costs.
In 2017, a new model called UDPLS [27] was proposed to prevent S OSN from learn- ing location information and S LS from learning about users' social relationships.Li et al. [28] proposed a model with multiple location servers.When a user queries locations of friends, the social relation of the user will be randomly divided into multiple sets by S OSN , and these sets will be sent to different location servers.However, in the location update stage, the location is encrypted by the secret keys of every S LS and sent to every S LS , thus it results in great communication and computation costs.In addition, although S LS only stores users' anonymous identities, their activity tracks also can be inferred.In 2020, Xu et al. [29] presented a model with multiple location servers to protect the activity track privacy.However, due to the use of multiple location servers, this protocol has higher communication and computation costs.

System model
Figure 1 shows the system architecture, which contains three entities.
Users A user is an entity who locates the current location through his/her mobile phone.He/She can share his/her current location with the nearby friends or strangers, and can also query the locations of friends or strangers in his/her self-defined range.
Online Social Network Server S OSN .It provides online social services and manages every user's personal materials such as his friends set, friend's access control policy df ID i and stranger's access control policy ds ID i .In S OSN , each user has a corresponding dummy identity.
Location Server S LS .It manages users' dummy identities and locations and returns the location information to the queriers.

Threat model
Users may be dishonest and try to get all the location information which meet their needs, but some of the location information are beyond users' right.

LocaƟon Server
Fig. 1 System architecture in mobile online social networks (mOSNs) S OSN and S LS are both considered as "honest-but-curious." S OSN may attempt to get the location information which should be managed by S LS , and S LS may try to gain the social relation which is stored in S OSN .
In our security model, we assume that the users don't collude with S OSN and S LS .On the other hand, we assume that S OSN and S LS do not collude and can't obtain the infor- mation of each other.

Security goals
In our model, the security goals have the following six aspects: • Authorized access A user's location can't be accessed by friends or strangers who do not conform to the user's access control policies df ID i or ds ID i .• Identity privacy Users can only get friends' or strangers' dummy identities as query results, and they can't collude with S OSN to get the real identities of friends or stran- gers.• Social relation privacy S LS should be prevented from obtaining users' personal mate- rials such as the social relation.• Location privacy S OSN should be prevented from obtaining users' locations.
• Activity track privacy S LS should be prevented from inferring users' activity tracks.
• Identity authentication Some measures should be taken to prevent users' identities from being impersonated.

Notation
We present the main notations in Table 1.(b) User registration The details of registration are described in Fig. 2.

Table 1
(1) User ID i generates a signature with his secret key σ ID i = Sig sk ID i (ID i , ts) , where ts is a timestamp, and encrypts authentication information (ID i , ts, σ ID i ) and his current location (x,y) to generate fies whether the digital signature σ ID i is correct.If the authentication passes, S OSN randomly generates a dummy identity FID i and stores the record (ID i , FID i , df ID i , ds ID i , pk ID i ) at S OSN , then sends (FID i , c) to S LS .(3) S LS decrypts c to acquire location information (x,y) and stores the record (FID i , (x, y)) at S LS .
(c) Location updation The details of location updation are described in Fig. 3.(d) Friends' location query The details of friends' location query are described in Fig. 4. At this stage, the inquirers can query the locations of friends according to their own needs.′ l ′ can be understood as the distance threshold formulated by an inquirer.
(1) Inquirer ID i generates a one-time symmetric key k and encrypts k and his own current location information (x, y) to generate c, where c = E pk LS (x, y, k) .k is a bit string consisting of 128 bit random zeros or ones and can be expressed as k ← R {0, 1} 128 .The inquirer also encrypts the query condition , where ′ F ′ stands for friend query.The inquirer sends (C ID i , c) to S OSN .(2) Upon receiving the information, S OSN decrypts C ID i and gets (ID i , ′ F ′ , l) .S OSN matches inquirer's friends set and matches each friend's (ID j , FID j , df ID j ) .Then S OSN calculates each friend's dm ID j , which is expressed as dm ID j = min(df ID j , l) , and matches (FID j , dm ID j ) of all friends to form the set S. Suppose the num- ber of the inquirer's friends is m, S = ((FID 1 , dm ID 1 ), .., (FID m , dm ID m )) .Then S OSN encrypts the set S to generate C LS = E pk LS (S) and sends (C LS , c) to S LS .(3) Upon receiving the information, S LS decrypts c and C LS and matches the corresponding position (x j , y j ) and checks which member can meet the condition dist((x, y), (x j , y j )) <= dm ID j .If a member FID j meets the con- dition, S LS encrypts the location information c ID j = E k (FID j , (x j .yj )) .Sup- pose there are p qualified members, which are represented as a set M, M = (c ID 1 , c ID 2 , c ID 3 , ...., c ID p ) .S LS sends the set M to S OSN and S OSN forwards it to the inquirer.(4) The inquirer decrypts and gets all of the location information (FID j , (x j , y j )) in the set M.
(e) Strangers' location query The details of strangers' location query are described in Fig 5 .At this stage, the inquirers can query the location of strangers according to their own needs.′ l ′ can be understood as the distance threshold formulated by an inquirer.
(1) Inquirer ID i generates a one-time symmetric key k and encrypts k and his own current location information (x, y) to generate c, where c = E pk LS (x, y, k) .k is a bit string consisting of 128 bit random zeros or ones and can be expressed as k ← R {0, 1} 128 .The inquirer also encrypts the query condition (ID i , ′ S ′ , l) to generate C ID i = E pk osn (ID i , ′ S ′ , l) , ′ S ′ stands for stranger query.The inquirer sends (C ID i , c) to S OSN .(2) Upon receiving the information, S OSN decrypts C ID i and gets (ID i , ′ S ′ , l) .S OSN matches inquirer's strangers set and matches each stranger's (ID j , FID j , ds ID j ) .Then S OSN calculates each stranger's dm ID j which is expressed as dm ID j = min(ds ID j , l) , and matches (FID j , dm ID j ) of all strangers form the set S. Suppose the number of the inquirer's strangers is m, then the set S can be expressed as S = ((FID 1 , dm ID 1 )..(FID m , dm ID m )) .Then S OSN encrypts the set S to generate C LS = E pk LS (S) and sends (C LS , c) to S LS .
Fig. 4 Friends' location query (3) Upon receiving the information, S LS decrypts c, C LS and matches the cor- responding position (x j , y j ) , and checks which member can meet the condi- tion dist((x, y), (x j , y j )) <= dm ID j .If a member FID j meets the condition, S LS encrypts the location C ID j = E k (FID j , (x j .yj )) .Suppose there are p qualified members that are represented as a set M, M = (c ID 1 , c ID 2 , c ID 3 , ...., c ID p ) .S LS sends the set M to S OSN and S OSN sends M to the inquirer.(4) The inquirer decrypts and gets all of the location information (FID j , (x j , y j )) in the set M.

Security analysis
In this section, we give the security analysis as follows: (1) Authorized access Every user defines his access conditions df ID i which is used to friends' location query and ds ID i which is used to strangers' location query.Only when an inquirer satisfies a user's df ID i or ds ID i , he can obtain the user's location information.Otherwise, the user's location information will be protected and can't be learned by the inquirer.(2) Identity privacy When users query friends' or strangers' locations, S OSN matches and sends all friends' dummy identities rather than real identities to the S LS , then S LS sends them to inquirers.Thus, in the process of query, inquirers can't get friends' or strangers' real identities, so that identity privacy is protected.(3) Social relation privacy If a user is constantly updating his or her locations, FID is constantly changed.Then when different inquirers inquiry a common friend's location, they are matched different dummy identities in S LS .S LS will assume that dif- ferent users are being queried, thus records in S LS are not linked to the common friend, which prevents the user's friends relation from being acquired by S LS .(4) Location privacy In the location updation stage and location query stage, location information is sent to S OSN in the form of ciphertext, which means that the location of users are avoided to be obtained by S OSN .(5) Activity track privacy When a user updates his location, S OSN assigns different FID and S LS stores the newest FID and location.In other word, S LS stores several records which belong to the same user, but S LS believes every record belongs to dif- ferent users due to the different FID and doesn't connect the records with the same user and can't infer users' activity tracks.( 6) Identity authentication When S OSN receives a user's location, it verifies the user's identity.So the user's identity will not be impersonated.

Implementation
We run our experiments for mobile users in a Xiaomi smartphone with Android operation system.S LS is simulated with the Intel(R) Core(TM)i7-8750H 2.20-GHz CPU, and S OSN is simulated with Alibaba Cloud in Ubuntu18.04with linux 4.4.0.59.Our system is implemented using the Bouncycastle library for the cryptographic operations.The following cryptography tools are included in our implementation: SM2 encrypt/decrypt algorithm, SM2 signature/verify algorithm, SM3 hash algorithm and AES encrypt/ decrypt algorithm.And we use Gaode map API to get the real geographical location.We give the running times of two main stages in our system in Table 2.

Discussion
A detailed analysis with other related protocols is given in Tables 3 and 4. We evaluate the performance in terms of two aspects: security goals, communication and computation costs.
(1) Security goals From Table 3, we can see that our protocol achieves all security goals, but other protocols only meet part of the following security goals.
Identity privacy users can only get friends' or strangers' dummy identities as query results, and they can't collude with S OSN to get the real identities of friends or stran- gers.In [21,30], enquirer can get the real identities of friends or strangers.So, they don't satisfy the security goal.Activity track privacy S LS should be prevented from inferring users' activity tracks.In [28], location server can infer the activity track and further learn sensitive information such as interest and health state, which will pose a great security threat to   users.In our protocol, we protect activity track privacy by updating user's dummy identities.
Identity authentication Some measures should be taken to prevent users' identities from being impersonated.In the communication process of [21,30] which evade the identity authentication, an attacker may send a location message to servers by pretending a legitimate user's identity.If the servers do not verify the received information, they will store the wrong location message.In our protocol, social network service will conduct identity authentication to avoid this security problem.

(2) Communication and computation costs
Firstly, from Table 3, our protocol and [22] only need one location server and get rid of cellular towers and broadcast encryption.[21,30] have cellular towers that are used to connect S OSN and S LS and thus increase the communication costs.[28,29] set up multiple location servers.In the location updation stage and location query stage, every location information needs to be encrypted by every location server's public key, thus one location information will be encrypted multiple times by users, which will cause large communication and computation costs.Broadcast encryption [28] leads to great communication and computation costs.Since the ciphertext is encrypted with the key shared with the current authorized users, if a user joins or exits, in order to ensure the security of the broadcast, the keys of current authorized users must be updated, which leads to great communication and computation costs.Secondly, Table 4 shows the detailed computation and communication costs of two main stages: the location updation stage and location query stage.Communication costs: (1) in the location updation stage, communication costs in our protocol are much less than other protocols.(2) in the location query stage, communication costs in our protocol are similar to [22,30], and are much less than other protocols.Computation costs: (1) in the location updation stage, computation costs in our protocol are much less than other protocols because we use less asymmetric encryption than other protocols.(2) in the location query stage, computation costs in our protocol is similar to [21], and is much less than other protocols, where many asymmetric encryptions are used.

Conclusion
We presented an efficient privacy-preserving location sharing protocol in mOSNs for smart cities, which not only supported location sharing among friends and strangers, but also protected users' privacy.Our protocol had higher efficiency than other related protocols and achieved all security goals.In our protocol, there is a storage pressure because a new record will be generated on the location server once a user updates his location.In the future, we can further improve our protocol by finding appropriate methods to regularly delete invalid records in the location server during the location updation phase.

:
the length of elements calculated by elliptic curve encryption operation µ : the length of elements calculated by elliptic curve signature operation p: In the location query stage of friends and strangers, the number of members meeting the requirements of the inquirer n: the number of location services Enc-sym: a symmetric encryption operation Enc-asym: an asymmetric encryption operation Dec-sym: a symmetric decryption operation Dec-asym: an asymmetric decryption operation Sig: a elliptic curve signature operation Ver: an operation to verify the validity of an elliptic curve signature k: one real location and (k − 1) virtual locations generated by k anonymous t: the number of friends assigned to each location server

4 Our methods 4.1 A new location sharing protocol for privacy protection
Table of notations IDi , sk IDi ) User ID i 's public key and secret key pair (pk osn , sk osn ) The public key and secret key pair of S OSN (pk LS , sk LS ) Location server's public key and secret key pair dist((x 1 , y 1 ),(x 2 , y 2 )) The function calculates the distance between (x 1 , y 1 ) and (x 2 , y 2 ) min(x,y) The function that computes the minimum of x and y s OSN = Sig skosn (FID i , ts) A signature s OSN generated with the user's secret key sk osn over ( FID i ,ts) Ver pkosn (s OSN )Verify the correctness of the signature s OSN with the user's public key pk osn i generates his public key and secret key pair (pk ID i , sk ID i ) , defines his access control policy df ID i and ds ID i .In the friends' location query phase, df ID i refers to the condition that other users must satisfy if they want to access user ID i 's location.Similarly, ds ID i is applied to the strangers' location query stage.Personal data (ID i , pk ID i , df ID i , ds ID i ) is stored at S OSN .(2)S OSN generates his public key and secret key pair (pk osn , sk osn ) , stores a social network graph G, which involves all users' social relation.(3) S LS generates his public key and secret key pair (pk LS , sk LS ).
The details of our location-sharing protocol are as follows:(a) System initialization (1) A user ID

Table 2
The running times (ms) of two main stages

Table 3
Comparison of performances with other related protocols

Table 4
Detailed computation and communication costs