A Location Privacy Preservation Method Based on Dummy Locations in Internet of Vehicles

Featured Application: This work can used in location privacy preservation in internet of vehicles. Abstract: During the procedure, a location-based service (LBS) query, the real location provided by the vehicle user may results in the disclosure of vehicle location privacy. Moreover, the point of interest retrieval service requires high accuracy of location information. However, some privacy preservation methods based on anonymity or obfuscation will affect the service quality. Hence, we study the location privacy-preserving method based on dummy locations in this paper. We propose a vehicle location privacy-preservation method based on dummy locations under road restriction in Internet of vehicles (IoV). In order to improve the validity of selected dummy locations under road restriction, entropy is used to represent the degree of anonymity, and the effective distance is introduced to represent the characteristics of location distribution. We present a dummy location selection algorithm to maximize the anonymous entropy and the effective distance of candidate location set consisting of vehicle user’s location and dummy locations, which ensures the uncertainty and dispersion of selected dummy locations. The proposed location privacy-preservation method does not need a trustable third-party server, and it protects the location privacy of vehicles as well as guaranteeing the LBS quality. The performance analysis and simulation results show that the proposed location privacy-preservation method can improve the validity of dummy locations and enhance the preservation of location privacy compared with other methods based on dummy locations.


Introduction
With the development and application of wireless networks, the vehicular ad hoc network (VANET) is becoming an important part of future intelligent transport system. It is expected to play an important role in the road safety [1], traffic management [2], information dissemination to drivers and passengers [3], and so on. With increasing number of vehicles being connected to the Internet of things, the conventional VANET is changing into the Internet of vehicles (IoV).
Moreover, the use of location-based services (LBS) application from mobile devices and applications (apps) is rapidly increasing [4]. When a user acquires the LBS, it needs to provide its location, which results in the disclosure of the location privacy. In addition, a vehicle may act as a provider of location services. For example, when a vehicle participates in a task based on swarm intelligence perception, it should expose the location privacy. Hence, the problem of privacy preservation in the LBS should be resolved [5]. To address the privacy-preserving issue, many approaches have been proposed over the past few years. Most of them are based on the location perturbation and obfuscation adopt well-known privacy metrics such as K-anonymity [6] and rely on a trusted thirdparty server [7,8]. However, K-anonymity privacy-preserving scheme is suitable for high vehicle density. When there are fewer vehicles, spatial anonymity may not be realized, or the anonymous area formed is too large [9]. On the other hand, for the point of interest (POI) retrieval service in IoV, the accuracy of retrieval results is related to the precision of provided location information. However, the location privacy-preservation schemes based on anonymity or obfuscation cannot guarantee the accuracy of location information, which affects the quality of LBS [10][11][12][13].
In the location privacy-preservation method based on dummy locations, a location set containing (or implied) the user's real location is provide to the LBS server. Hence, this method can ensure the accuracy of POI retrieval results [14]. At the same time, the generation of dummy locations does not need a trustable third-party server. In recent years, many location privacy-preservation methods based on dummy locations have been proposed [15][16][17][18][19][20][21][22][23]. However, due to the characteristics of vehicles, the location of vehicles is subject to the road distribution, many methods cannot be directly adopted in IoV.
In IoV, road information can be used to preprocess dummy locations by the LBS server. Since the enhanced dummy location selection (E-DLS) [18] algorithm does not take the road information into consideration, the validity of dummy locations cannot be guaranteed. In addition, due to the restriction of roads and roadside buildings, the distribution of dummy locations is constrained. Although dummy locations are generated combining with location semantic information [24], the required location distribution is difficult to be achieved under road constraints. Considering the geographical constraint, a method is proposed to generate and arrange dummy objects around users in a grid form [25]. However, the method ignores the history request information. Due to the shortcomings in the existing location privacy-preserving methods in IoV, we investigate the problem of location privacy preservation under road constraints in this paper.
In this paper, we propose a vehicle location privacy-preservation method based on dummy locations. In the proposed method, the dummy location selection algorithm is modified based on vehicle location features. The main contributions of this paper as follows:

•
We investigate the problem of vehicle location privacy preservation in IoV and propose a vehicle location privacy-preservation method based on dummy locations.

•
We define the concept of effective distance to represent the characteristics of vehicle location distribution. Moreover, we improve the dummy location selection algorithm by using anonymous entropy and effective distance.

•
We analyze the performance of the proposed method in terms of security, computation overhead, and communication overhead, and conduct extensive simulations to evaluate the proposed method.
The rest of the paper is organized as follows. The related work about location privacypreservation methods is overviewed in Section 2. In Section 3, we give some preliminaries and the problem aiming to be solved in this paper. In Section 4, we propose a vehicle location privacy-preservation method based on dummy locations. Performance analysis and simulation results are given to verify the proposed method in Sections 5 and 6, respectively. Finally, we conclude the paper in Section 7.
The privacy-preservation method based on dummy locations can work without a thirdparty server, and provides a location set containing the user's real location to guarantee the quality of LBS. Hence, this method can achieve a good tradeoff between location privacy-preservation and service quality. Sun et al. [15] proposes a privacy-preservation method based on dummy locations, where a query is submitted to an LBS provider with the actual location of a user and other dummy locations. The LBS provider searches for all the related POI locations and returns them to the user. Hence, the generation of dummy locations is the key issue in the privacy-preservation method based on dummy locations. Grid-based and circle-based algorithms for generating dummy locations are proposed to satisfy regional privacy requirements in [16]. A distributed dummy client generation method is proposed to make clients control over their privacy protection [17]. The method selects clients with movement patterns be close to user's movement pattern according to the privacy requirements. However, many dummy location generation algorithms assume that an attacker has no other background information and select locations randomly. To solve this problem, an E-DLS algorithm is proposed in [18]. In the E-DLS algorithm, dummy locations are selected to optimize the privacy-preserving effect in terms of the maximum entropy and cloaking region (CR). Based on E-DLS, Liao et al. [19] considers that when the attacker can obtain the type of service, the greedy algorithm based on entropy measurement is proposed to select the dummy locations to construct the anonymous area.
Recently, the trajectory privacy-preserving issue for continuous LBS has been becoming a hot research topic. A method named Dummy-Q is proposed for query privacypreservation in the continuous LBS scenarios [20], where the query privacy is protected by generating dummy queries. In [21], the problem of privacy leakage under continuous LBS is studied, and a frequency-aware dummy-based method (FADBM) is proposed to ensure that dummy locations are generated around frequent areas and the time accessibility. In [22], a dummy filtering algorithm is proposed, where the spatiotemporal correlation of time-sensitive side information is used to select and generate dummy locations, and spatiotemporal correlation between locations is truncated with time accessibility and access constraints to ensure trajectory similarity. In [23], a location privacy method is proposed to prevent privacy disclosure in LBS constrained in incomplete data collection, where the anonymous candidate set is constructed with compressing sensing technology. Moreover, the differential privacy mechanism is adopted to construct the anonymous candidate set for continuous LBS.
Since the trajectory of vehicles is subject to the road distributions, the influence of road information should be considered for designing location privacy-preservation methods in IoV. Considering the geographical constraint, a method is proposed to generate and arrange dummy objects around users in a grid form [25]. However, the service request probability of locations is not considered when generating dummy locations, the effect of privacy protection is poor. Lina et al. [33] proposes a location privacy-preservation scheme based on anonymous entropy, where anonymous entropy based on location distance and request content is considered. Moreover, two algorithms are presented to select dummy users to build anonymous regions for the dense region and the sparse region, respectively. In combination with the characteristics of vehicle network, a privacy preservation algorithm converts road map into edge cluster diagram in order to hide road information and vehicle information, and constructs invisible areas based on K-anonymity and L-diversity [34]. A region-of-interest division-based algorithm is proposed to preserve the location privacy of mobile device users in location-based cyber services [24]. In this method, dummy locations are generated considering the semantic information of those locations.
We will study the location privacy-preservation based on dummy locations in IoV, in which road constraints and vehicle location characteristics are taken into consideration.

Preliminaries and Problem Formulation
In this section, we introduce some preliminaries including the system model, LBS query, service semantics, anonymous entropy, and adversary model. Then, the problem to be solved in this paper is formulated. Figure 1 illustrates the system architecture of IoV that consists of a number of intelligent vehicles with onboard unit (OBU), several roadside units (RSUs), a trusted authority (TA), and an LBS server. OBU can acquire the perceived driving information of on-board sensors, calculate, process, and store the sensed data. The communication modes in IoV, namely vehicle-to-vehicle (V2V) and vehicle-to-RSU (V2R), adopt dedicated short range communication (DSRC) technology. Through V2V communication, intelligent vehicles can not only obtain driving state information through sensors and exchange messages, but also receive and forward messages broadcasted by other vehicles. Through V2R communication, vehicles can exchange information with the RSU and access the Internet. We will study the location privacy-preservation based on dummy locations in IoV, in which road constraints and vehicle location characteristics are taken into consideration.

Preliminaries and Problem Formulation
In this section, we introduce some preliminaries including the system model, LBS query, service semantics, anonymous entropy, and adversary model. Then, the problem to be solved in this paper is formulated. Figure 1 illustrates the system architecture of IoV that consists of a number of intelligent vehicles with onboard unit (OBU), several roadside units (RSUs), a trusted authority (TA), and an LBS server. OBU can acquire the perceived driving information of on-board sensors, calculate, process, and store the sensed data. The communication modes in IoV, namely vehicle-to-vehicle (V2V) and vehicle-to-RSU (V2R), adopt dedicated short range communication (DSRC) technology. Through V2V communication, intelligent vehicles can not only obtain driving state information through sensors and exchange messages, but also receive and forward messages broadcasted by other vehicles. Through V2R communication, vehicles can exchange information with the RSU and access the Internet.

LBS Query
An LBS query Lq is defined as id Lq = (u ,{(x, y),C,V}), where uid denotes a user's identity; (x, y) represents the user's location information, x and y represent latitude and longitude, respectively; C denotes the user's query content; V is the user's privacy preservation level.
However, since the LBS provider may be malicious, the user's location will be disclosed if the user directly sends Lq to the LBS provider. To preserve the location privacy, dummy locations method is used to preprocess Lq. Hence, Lq is transformed to ′ Lq as , where (x1, y1), …, (xk−1, yk−1) are k − 1 dummy locations, Ci represents the query content sent at dummy location (xi, yi), i = 1, 2, ..., k-1.
From Lq', the adversary cannot determine the user's real location from k−1 dummy locations. By this way, the vehicle location privacy can be protected.

Service Semantics
In each location, users may request entertainment, medical treatment, transportation, or other services. The service requests sent by users are closely related to their locations, and the probabilities of various services in different locations are different. Therefore, service semantics is used to represent the relationship between location and service.

LBS Query
An LBS query Lq is defined as Lq = (u id , {(x, y), C, V}), where u id denotes a user's identity; (x, y) represents the user's location information, x and y represent latitude and longitude, respectively; C denotes the user's query content; V is the user's privacy preservation level.
However, since the LBS provider may be malicious, the user's location will be disclosed if the user directly sends Lq to the LBS provider. To preserve the location privacy, dummy locations method is used to preprocess Lq. Hence, Lq is transformed to Lq as From Lq', the adversary cannot determine the user's real location from k − 1 dummy locations. By this way, the vehicle location privacy can be protected.

Service Semantics
In each location, users may request entertainment, medical treatment, transportation, or other services. The service requests sent by users are closely related to their locations, and the probabilities of various services in different locations are different. Therefore, service semantics is used to represent the relationship between location and service.
Let U be the number of services, e i,u represents the request probability of service u in location (x i , y i ), 0 ≤ e i,u ≤ 1, i = 0, 1, . . . , k -1, u = 1, 2, . . . , U, and U ∑ u=1 e i,u = 1. In this paper, the LBS server is responsible for the collection and establishment of service semantics.

Anonymous Entropy
It is pointed out in [17] that entropy can measure the uncertainty of target location in the location set. In this paper, we use entropy to evaluate the degree of anonymity.
Here, we consider set G including k locations, G = {(x 0 , y 0 ), (x 1 , y 1 ), . . . , (x k−1 , y k−1 )}. The service request probability at location (x i , y i ) is q i , the candidate probability of location (x i , y i ) is p i . If the vehicle user at location (x i , y i ) request service u, the service semantics at location (x i , y i ) is e i,u , and the request probability of service u at location (x i , y i ) is q i ,q i = q i e i,u , i = 0, 1, . . . , k -1, u = 1, 2, . . . , U. Hence, the anonymous entropy is defined as where According to the mathematical property of entropy, it is required that the candidate probabilities of k locations be the same to achieve the maximum entropy. That is, if p i = 1/k, i = 0, 1, . . . , k -1, the maximum of anonymous entropy of set G is log 2 k.

Adversary Model
The goal of the adversary is to obtain sensitive information about a particular user. There are two types of adversary model, passive adversary, and active adversary.
A passive adversary can monitor and eavesdrop on wireless channels or compromise users to obtain other users' sensitive information. A passive adversary can perform eavesdropping attack to learn extra information about a user.
An active adversary can compromise the LBS server and obtain all the information known by the server.
In this work, we assume that the LBS server and RSUs are honest-but-curious, as active adversaries. Hence, the adversary can obtain global information and monitor all the LBS queries from users. In addition, the adversary knows the location privacy-preservation scheme adopted in the system. Based on the known information, the adversary tries to infer and learn other sensitive information.

Problem Formulation
The LBS server divides the area covered by an RSU into I×J cells as shown in Figure 2. cell i,j denotes the cell of row i and column j, i = 1, 2, . . . , I, j = 1, 2, . . . , J. The location of cell i,j is denoted as r i,j , and r i,j = (x i,j , y i,j ). The request probability of cell i,j is q i,j , the service semantics of cell i,j is e (i,j),u , and the information matrix Q(r, q, e) for each RSU can be set up. Figure 2 shows service request probability distribution, the area is divided into 10 × 10 cells. The star represents the user's real location, and the triangle represents the dummy location, and the shade in each cell represents its request probability generated based on the Borlange data set [35]. The gray block represents the road, and R represents the location area accessible by the road.
In Figure 2a, a vehicle user randomly generates k − 1 dummy locations in order to protect the location privacy. Then vehicle user uses the dummy locations and real location to send service request to the LBS server. In theory, the probability of exposing the user's real location can be 1/k. However, using some auxiliary information, the LBS server can deduce the real location with a probability of 1/(k − k d ), where k d is the number of dummy locations be filtered out through the auxiliary information.
Appl. Sci. 2021, 11, x FOR PEER REVIEW 6 of 15 real location can be 1/k. However, using some auxiliary information, the LBS server can deduce the real location with a probability of 1/(k − kd), where kd is the number of dummy locations be filtered out through the auxiliary information. In IoV, since the location of vehicles is restricted by the road, and the service request probability is used as auxiliary information, the validity of dummy locations generated with random dummy location selection algorithm in Figure 2a, E-DLS algorithm in [18] and Dest-ex algorithm in [25] is affected. The dummy locations filtered out by the LBS server, kd, increases. For example, in Figure 2a, k = 4, and kd = 3. Hence, the effect of privacy protection is degraded.
Therefore, to protect the location privacy of vehicles, it is necessary to ensure the validity of dummy locations generated. When road information, service request probability and service semantics are used as auxiliary information, set  is set up for minimizing kd. The optimization problem can be defined as where G(r, q, e) is the information matrix corresponding to set  which consists of vehicle user's location and k − 1 dummy locations, and set  is the set of all locations of cells in the area covered by the RSU.

Algorithm Design
In this section, we present a location privacy-preservation method based on dummy locations in IoV, where a dummy location selection algorithm is addressed to improve the validity of dummy locations.

Effective Distance
As shown in Figure 3, due to the road restrictions and roadside buildings, the distribution of vehicles is in the form of "pipeline", and the aggregation distribution may occur. Hence, the validity of dummy locations further decreases. To ensure the validity of dummy locations, it is necessary to make the location distribution be uniform and dispersed, as shown in Figure 3b. In IoV, since the location of vehicles is restricted by the road, and the service request probability is used as auxiliary information, the validity of dummy locations generated with random dummy location selection algorithm in Figure 2a, E-DLS algorithm in [18] and Dest-ex algorithm in [25] is affected. The dummy locations filtered out by the LBS server, k d , increases. For example, in Figure 2a, k = 4, and k d = 3. Hence, the effect of privacy protection is degraded.
Therefore, to protect the location privacy of vehicles, it is necessary to ensure the validity of dummy locations generated. When road information, service request probability and service semantics are used as auxiliary information, set G is set up for minimizing k d . The optimization problem can be defined as where G(r, q, e) is the information matrix corresponding to set G which consists of vehicle user's location and k − 1 dummy locations, and set C is the set of all locations of cells in the area covered by the RSU.

Algorithm Design
In this section, we present a location privacy-preservation method based on dummy locations in IoV, where a dummy location selection algorithm is addressed to improve the validity of dummy locations.

Effective Distance
As shown in Figure 3, due to the road restrictions and roadside buildings, the distribution of vehicles is in the form of "pipeline", and the aggregation distribution may occur. Hence, the validity of dummy locations further decreases. To ensure the validity of dummy locations, it is necessary to make the location distribution be uniform and dispersed, as shown in Figure 3b In order to make the distribution of generated dummy locations be uniform, we define the effective distance between locations as the minimum distance between the current location and other locations in a location set. That is, where  represents a location set, ri represents location i in set , the corresponding coordinates is i i x ,y ( ), rw represents location w in set , the corresponding coordinates is w w x ,y ( ), i = 1, 2, …, ||, w = 1, 2, …, ||, || is the number of elements in set , and d(ri) is the effective distance of ri.
From Figure 4, one finds that the larger the effective distance, the greater the spacing between vehicles, and the more dispersed the distribution.

Parameter Settings
The location privacy protection requirement is presented by privacy protection level V, which indicates the success rate of location privacy protection. That is, , and V∈[0,1). Privacy parameter k is determined by privacy protection level V set by the vehicle user. That is, where ⋅     denotes the upper integer operation. In order to make the distribution of generated dummy locations be uniform, we define the effective distance between locations as the minimum distance between the current location and other locations in a location set. That is, where W represents a location set, r i represents location i in set W, the corresponding coordinates is (x i , y i ), r w represents location w in set G, the corresponding coordinates is (x w , y w ), i = 1, 2, . . . , |W|, w = 1, 2, . . . , |W|, |W| is the number of elements in set W, and d(r i ) is the effective distance of r i . From Figure 4, one finds that the larger the effective distance, the greater the spacing between vehicles, and the more dispersed the distribution. In order to make the distribution of generated dummy locations be uniform, we d fine the effective distance between locations as the minimum distance between the curren location and other locations in a location set. That is, From Figure 4, one finds that the larger the effective distance, the greater the spacin between vehicles, and the more dispersed the distribution.

Parameter Settings
The location privacy protection requirement is presented by privacy protection lev V, which indicates the success rate of location privacy protection. That is, , and V∈[0,1). Privacy parameter k is determined by privacy protection level V set by the vehic user. That is,

Parameter Settings
The location privacy protection requirement is presented by privacy protection level V, which indicates the success rate of location privacy protection. That is, V = 1 − p = 1 − 1 k , and V∈[0,1).
Privacy parameter k is determined by privacy protection level V set by the vehicle user. That is, where · denotes the upper integer operation.

Dummy Location Selection Algorithm under Road Restriction
In order to ensure the validity of dummy locations, two conditions should be considered simultaneously for selecting the dummy locations. One is to maximize the anonymous entropy of the candidate set. The other is to maximize the effective distance of the candidate set.
Hence, the optimization problem formulated in (3) can convert to a multiple object optimization problem as where candidate set G consists of the vehicle user's location and k − 1 selected dummy locations.
Obviously, the problem formulated in (6) is difficult to resolve. Hence, we decouple the problem in (6) into two sub-problems, the anonymous entropy maximization sub-problem and the effective distance maximization sub-problem.
According to the background knowledge of the LBS server and the purpose of the dummy location selection algorithm, we give priority to the sub-problem of anonymous entropy maximization. That is, where set G including the vehicle user's location and k' − 1 selected dummy locations is set up to resolve the sub-problem formulated in (7), k' is the number of locations in set G', and k' > k. According to Q(r, q, e), the vehicle user calculates the probability of service request at each location in R, q (i,j),u , i = 1, 2, . . . , I, j = 1, 2, . . . , J, u = 1, 2, . . . , U, cell i,j ∈R. According to service request probability of content C 0 , the vehicle user selects other k' − 1 locations whose service request probabilities are close to that of the vehicle user.
Hence, a candidate set G is constructed with the vehicle user's location and k − 1 selected dummy locations.
Then, the sub-problem for maximizing the effective distance of the candidate set is to resolve. That is, where set G including the vehicle user's location and k − 1 selected dummy locations is set up to resolve the sub-problem formulated in (8).
To solve the sub-problem formulated in (8), the vehicle user selects k − 1 dummy locations in a greedy manner.
Let r 0,0 denote the location of the vehicle user. G = {r 0,0 } and G = G \{r 0,0 }. The vehicle user chooses k − 1 locations with the maximum effective distance through k − 1 rounds.
In the ith round, i = 1, 2, . . . , k−1, the vehicle user calculates the effective distance of the location(s) in G to the location(s) in G . If r i * ,j * = arg max r i,j ∈G min r i ,j ∈G r i,j , r i ,j , the vehicle user puts r i * ,j * into set G and deletes it from G . Hence, set G is constructed with the vehicle user's location and k − 1 selected dummy locations.

A Location Privacy-Preservation Method Based on Dummy Locations under Road Restriction
The specific procedure of a location privacy-preservation method based on dummy location under road restriction can be follows: (1) Based on the historical data of service requests, the LBS server counts the number of service requests initiated by vehicle users in each cell, and the service request probability of cell i,j , i = 1, 2, . . . , I, j = 1, 2, . . . , J, q i,j = f i,j /F, where f i,j is the number of service requests initiated by vehicle users in cell i,j , and F is the number of service requests in the area. The service semantics of service u is Hence, set G is constructed with the vehicle user's location and k − 1 selected dummy locations.
(6) The vehicle user generates service query Lq' including locations in G , their corresponding service contents, and the privacy preservation level, and then, Lq' is sent to the LBS server via RSU. (7) Receiving service query Lq', the LBS server retrieves service results according to k locations and the corresponding service contents, and then, the LBS server returns service results to the vehicle user through RSU. (8) The vehicle user selects the required result from service results according to its location.

Performance Analysis
In this section, the performance of the proposed location privacy-preservation method using dummy location selection algorithm under road restriction, abbreviated as RR-DLS, is analyzed.

Security Analysis
Since encrypt-based technologies can be easily applied to the proposed RR-DLS method, eavesdropping attack on wireless channels between users and other entities can be ignored. We focus on collusion attack and inference attack from passive and active attackers.

Collusion Attack
Passive attackers may collude with some users to get additional information about other users or collude with the LBS server to predict sensitive information about legitimate users. If the probability of successfully guessing the real location of a vehicle user among k locations in the service query does not increase with the number of collusion users, the proposed method can resist collusion attack.
We consider a situation that collusion occurs between a group of users aiming to acquire the user's real location from k locations. In RR-DLS method, each user can only know the service request probability and road condition collected by itself. When eavesdropping the service query sent to the LBS server, the attacker cannot filter out some invalid locations through additional information since k locations in the service query have the same or similar service request probability and are on the road.
One extreme case for the passive adversary is that it can acquire the global information by compromising the LBS server as well as RSUs. In this case, it becomes an active adversary and can perform inference attack as discussed in the following.

Inference Attack
The LBS server and RSUs have global information, such as information matrix Q(r, q, e), road information R and k locations in the service query, and so on. Based on this information, the LBS server or the RSU can act as an active attacker to launch reasoning attack and acquire some sensitive information of users.
Suppose p G (event) be the probability that an attacker successfully guesses that event is true. The proposed method should satisfy (9) to resist inference attack.
where set B consists of the locations obtained by an attacker. For any dummy location r i,j generated by RR-DLS algorithm, the probability of r i,j being guessed as the real location is Substituting (10) into (9), we have The proposed dummy location selection algorithm under road restriction selects locations with the same or similar probability of service requests and service semantics. Hence, the proposed RR-DLS method satisfies the condition in (11), which means that the method can effectively resist inference attack.

Computation Overhead
If RSU jurisdiction is divided into I × J cells, the number of services is U and the number of results returned by the LBS server is n.
In the procedure of an LBS query, the vehicle user needs to generate k dummy locations. First, as the vehicle user selects 2k − 1 locations based on service request probability, the computation overhead is O(IJU). As the vehicle user selects dummy locations by effective distance through k − 1 rounds. In the i th round, i = 1, 2, . . . , k − 1, the vehicle user calculates the effective distance of 2k − 1 − i locations in G to i locations in G to update the effective distance of each location, and the location with maximum effective distance of locations in G is selected. Hence, the computation overhead is O(k 2 ). Therefore, the computation overhead of dummy location selection algorithm at the vehicle user is O(k 2 + IJU).
Since RSU does not need additional computation, the computation overhead at RSU is O(1).
The LBS server needs to perform service retrieval for k − 1 dummy locations and a real location. Hence, the computation overhead at the LBS server is O(kn).

Communication Overhead
In the procedure of an LBS query, the vehicle user sends service query to the LBS server through RSU. The communication overhead at the vehicle user is O(k).
RSU needs to broadcast the service request probability, the service semantics and other information. The communication overhead is O(IJU). At the same time, RSU needs to forward the service query to the LBS server and return kn service query results to the vehicle user. Therefore, the communication overhead at the RUS is O(IJU + kn + k).
The LBS server needs to send the service request probability, service semantics and other information to RSU. The communication overhead is O(IJU). Receiving the service query, the corresponding service results are returned to RSU. The communication cost is O(kn). Therefore, the communication overhead at LBS server is O(IJU + kn).
The performance of proposed RR-DLS method in terms of computation overhead and communication overhead is listed in Table 1.

Performance Evaluation and Discussion
In this section, the performance of proposed RR-DLS method is valuated. Moreover, we compare the performance of proposed RR-DLS algorithm with some existing dummy location selection algorithms, such as random dummy location selection algorithm, E-DLS algorithm in [18], Dest-ex algorithm in [25].
The simulation area and the corresponding service request probability distribution are illustrated in Figure 5, which is a region in Hangzhou with an area of 500 m × 500 m. This region is divided into 10 × 10 cells, the number of service types U = 4, the service request probability and service semantics are generated randomly, and orange cells represent locations that are inaccessible to the vehicle. other information. The communication overhead is O(IJU). At the same time, RSU need to forward the service query to the LBS server and return kn service query results to th vehicle user. Therefore, the communication overhead at the RUS is O (IJU + kn + k).
The LBS server needs to send the service request probability, service semantics an other information to RSU. The communication overhead is O(IJU). Receiving the servic query, the corresponding service results are returned to RSU. The communication cost i O(kn). Therefore, the communication overhead at LBS server is O(IJU + kn).
The performance of proposed RR-DLS method in terms of computation overhea and communication overhead is listed in Table 1.

Performance Evaluation and Discussion
In this section, the performance of proposed RR-DLS method is valuated. Moreove we compare the performance of proposed RR-DLS algorithm with some existing dumm location selection algorithms, such as random dummy location selection algorithm, E-DL algorithm in [18], Dest-ex algorithm in [25].
The simulation area and the corresponding service request probability distributio are illustrated in Figure 5, which is a region in Hangzhou with an area of 500 m × 500 m This region is divided into 10 × 10 cells, the number of service types U = 4, the servic request probability and service semantics are generated randomly, and orange cells rep resent locations that are inaccessible to the vehicle.
The simulation environment is Windows10, with 8 GB memory and AMD Ryzen 3550 H processor.  The simulation environment is Windows10, with 8 GB memory and AMD Ryzen 5 3550 H processor. Figure 6 shows the impact of privacy parameter k on computation overhead in terms of execution time. From Figure 6, we observe that the computation overhead of proposed RR-DLS method is concentrated on the vehicle user side, and the execution time increases rapidly along with the increase of privacy parameter k. The computation overhead at RSU and the LBS server side is small. The execution time of RSU is independent of privacy parameter k, and the execution time of the LBS server increases linearly along with the increase of privacy parameter k. of execution time. From Figure 6, we observe that the computation overhead of proposed RR-DLS method is concentrated on the vehicle user side, and the execution time increases rapidly along with the increase of privacy parameter k. The computation overhead at RSU and the LBS server side is small. The execution time of RSU is independent of privacy parameter k, and the execution time of the LBS server increases linearly along with the increase of privacy parameter k.  Figure 7 shows the impact of privacy parameter k on communication overhead in terms of data traffic. From Figure 7, we observe that the communication overhead of proposed RR-DLS method is concentrated on RSU and the LBS server, and the communication overhead at the vehicle user side is small. As privacy parameter k increases, the communication overhead in terms of data traffic increases.   Figure 8 shows the anonymous entropy of four different dummy location selection algorithms, the proposed RR-DLS algorithm, random dummy location selection algorithm, E-DLS algorithm in [18], and Dest-ex algorithm in [25]. From Figure 8, we observe  Figure 7 shows the impact of privacy parameter k on communication overhead in terms of data traffic. From Figure 7, we observe that the communication overhead of proposed RR-DLS method is concentrated on RSU and the LBS server, and the communication overhead at the vehicle user side is small. As privacy parameter k increases, the communication overhead in terms of data traffic increases.

Communication Overhead
RR-DLS method is concentrated on the vehicle user side, and the execution time increases rapidly along with the increase of privacy parameter k. The computation overhead at RSU and the LBS server side is small. The execution time of RSU is independent of privacy parameter k, and the execution time of the LBS server increases linearly along with the increase of privacy parameter k.  Figure 7 shows the impact of privacy parameter k on communication overhead in terms of data traffic. From Figure 7, we observe that the communication overhead of proposed RR-DLS method is concentrated on RSU and the LBS server, and the communication overhead at the vehicle user side is small. As privacy parameter k increases, the communication overhead in terms of data traffic increases.   Figure 8 shows the anonymous entropy of four different dummy location selection algorithms, the proposed RR-DLS algorithm, random dummy location selection algorithm, E-DLS algorithm in [18], and Dest-ex algorithm in [25]. From Figure 8, we observe  Figure 8 shows the anonymous entropy of four different dummy location selection algorithms, the proposed RR-DLS algorithm, random dummy location selection algorithm, E-DLS algorithm in [18], and Dest-ex algorithm in [25]. From Figure 8, we observe that the anonymous entropy of proposed RR-DLS algorithm is the largest. This is because the proposed RR-DLS algorithm can ensure the validity of dummy locations. Since Destex algorithm only considers the road information, the anonymous entropy of Dest-ex algorithm is smaller than that of proposed RR-DLS algorithm, and larger than that of random dummy location selection algorithm and E-DLS algorithm. Since E-DLS algorithm selects dummy locations according to service request probability and CR, some dummy locations can be filtered using auxiliary knowledge. The anonymous entropy of E-DLS algorithm is low. Since random selection algorithm selects dummy locations randomly, the anonymous entropy of random dummy location selection algorithm is the lowest.

Anonymous Entropy
that the anonymous entropy of proposed RR-DLS algorithm is the largest. This is because the proposed RR-DLS algorithm can ensure the validity of dummy locations. Since Destex algorithm only considers the road information, the anonymous entropy of Dest-ex algorithm is smaller than that of proposed RR-DLS algorithm, and larger than that of random dummy location selection algorithm and E-DLS algorithm. Since E-DLS algorithm selects dummy locations according to service request probability and CR, some dummy locations can be filtered using auxiliary knowledge. The anonymous entropy of E-DLS algorithm is low. Since random selection algorithm selects dummy locations randomly, the anonymous entropy of random dummy location selection algorithm is the lowest.  Figure 9 shows the effective distance of two different dummy location selection algorithms, the proposed RR-DLS algorithm and E-DLS algorithm in [18]. For E-DLS algorithm, the anonymous area is maximized considering the query probability. From Figure  9a, the means of effective distance of two algorithms are close. Moreover, from Figure 9b, we observe that the variance of effective distance of proposed RR-DLS algorithm is much smaller than that of E-DLS algorithm. The proposed RR-DLS algorithm can guarantee the distributed and uniform distribution of dummy locations to ensure the validity of dummy locations.   Figure 9 shows the effective distance of two different dummy location selection algorithms, the proposed RR-DLS algorithm and E-DLS algorithm in [18]. For E-DLS algorithm, the anonymous area is maximized considering the query probability. From Figure 9a, the means of effective distance of two algorithms are close. Moreover, from Figure 9b, we observe that the variance of effective distance of proposed RR-DLS algorithm is much smaller than that of E-DLS algorithm. The proposed RR-DLS algorithm can guarantee the distributed and uniform distribution of dummy locations to ensure the validity of dummy locations. ex algorithm only considers the road information, the anonymous entropy of Dest-ex algorithm is smaller than that of proposed RR-DLS algorithm, and larger than that of random dummy location selection algorithm and E-DLS algorithm. Since E-DLS algorithm selects dummy locations according to service request probability and CR, some dummy locations can be filtered using auxiliary knowledge. The anonymous entropy of E-DLS algorithm is low. Since random selection algorithm selects dummy locations randomly, the anonymous entropy of random dummy location selection algorithm is the lowest.  Figure 9 shows the effective distance of two different dummy location selection algorithms, the proposed RR-DLS algorithm and E-DLS algorithm in [18]. For E-DLS algorithm, the anonymous area is maximized considering the query probability. From Figure  9a, the means of effective distance of two algorithms are close. Moreover, from Figure 9b, we observe that the variance of effective distance of proposed RR-DLS algorithm is much smaller than that of E-DLS algorithm. The proposed RR-DLS algorithm can guarantee the distributed and uniform distribution of dummy locations to ensure the validity of dummy locations.

Conclusions
In this paper, we investigated the vehicle location privacy-preserving problem in IoV and proposed a location privacy-preservation method based on dummy locations under road restriction. In the proposed RR-DLS method, the effective distance is introduced to represent the characteristics of location distribution in order to improve the validity of dummy locations. A dummy location selection algorithm under road restriction was addressed according to anonymous entropy and effective distance. Security analysis results show that the proposed RR-DLS method can resist collusion attack and inference attack effectively. Performance analysis and simulation results show that the proposed RR-DLS method can effectively protect the vehicle location privacy and ensure the accuracy of LBS service. Furthermore, the proposed RR-DLS method increases the computation overhead at the vehicle user and communication overhead at RSU and the LBS server.
In the future, we will study the problem of vehicle trajectory privacy preservation in continuous LBS scenario.

Conflicts of Interest:
The authors declare no conflict of interest.