pShare : Privacy-Preserving Ride-Sharing System with Minimum-Detouring Route

: Online ride-hailing (ORH) services allow people to enjoy on-demand transportation services through their mobile devices in a short responding time. Despite the great convenience, users need to submit their location information to the ORH service provider, which may incur unexpected privacy problems. In this paper, we mainly study the privacy and utility of the ride-sharing system, which enables multiple riders to share one driver. To solve the privacy problem and reduce the ride-sharing detouring waste, we propose a privacy-preserving ride-sharing system named pShare . To hide users’ precise locations from the service provider, we apply a zone-based travel time estimation approach to privately compute over sensitive data while cloaking each rider’s location in a zone area. To compute the matching results along with the least-detouring route, the service provider ﬁrst computes the shortest path for each eligible rider combination, then compares the additional traveling time (ATT) of all combinations, and ﬁnally selects the combination with minimum ATT. We designed a secure comparing protocol by utilizing the garbled circuit, which enables the ORH server to execute the protocol with a crypto server without privacy leakage. Moreover, we apply the data packing technique, by which multiple data can be packed as one to reduce the communication and computation overhead. Through the theoretical analysis and evaluation results, we prove that pShare is a practical ride-sharing scheme that can ﬁnd out the sharing riders with minimum ATT in acceptable accuracy while protecting users’ privacy.


Introduction
With the advent of GPS-embedded mobile devices and digital maps, Online Ride-Hailing (ORH) services have gained much popularity and have seen remarkable development in the past decade. Unlike traditional taxi services, ORH companies such as Uber and Didi provide a platform for riders to request a ride using few operations through their mobile devices, which has had a revolutionary impact on the ride-hailing industry [1]. According to the statistics of Didi Chuxing, they have completed over 10 billion ride-hailing orders [2].
Ride-matching is the primary function of ORH service, and it usually matches the nearest driver for any rider who starts a ride-matching request. To request the ride-matching service, the rider needs to submit his location information to the ORH service provider (i.e., the ORH company) through the ride-hailing application on their smartphone. Then the service provider matches the nearby drivers who update their locations in real time.
In order to improve the traffic utilization and the matching success rate, some ORH services also provide an enhanced function, i.e., ride-sharing service, which enables several riders with similar traveling routes to share one driver. Ride-sharing is in the broad category of the sharing economy [3], which is environmentally friendly and beneficial to all participant entities of the service. For riders, it provides a financial and efficient alternative.
Moreover, it enables drivers to cut down their traveling costs and improve the revenue with payment from several passengers. Besides, it reduces the emissions of CO 2 [4].
However, despite the convenience the ORH service brings, the privacy concern is also highly raised. For example, the largest Chinese ORH company, Didi Chuxing, was recently demanded to take off all applications from app stores due to a serious violation of data and privacy laws [5]. To request a ride, the rider must submit his ride information, which usually includes some private information on riders such as pick-up and drop-off locations and times. The submitted data can be analyzed for one's mobility patterns or can even be exploited to deduce one's home or working address. The leakage of users' private information invades their rights and sometimes even threatens their security.
It is necessary to preserve the privacy of users, whether riders or drivers. To achieve that, many encryption techniques and privacy-enhanced solutions are designed for ridehailing services [6][7][8][9][10][11], which provide private ride-matching schemes but do not support ride-sharing. There are also a few privacy-preserving ride-sharing schemes including SRide [12], PRIS [13], and PrivatePool [14], but they can only enable ride-sharing matches over fixed locations. PSRide is a flexible ride-sharing matching scheme, but it does not support ride-sharing between multiple riders. PGRide supports group ride-sharing matching. However, it cannot find the shortest path to pick up and drop off all riders.
Considering the issues stated above, we are motivated to research how to construct a private and practical ride-sharing mechanism, which supports flexible ride-sharing matching over multiple riders and meanwhile finds the shortest path with minimum detouring distance. However, we cannot compute the shortest path over plaintext precise locations of users due to the consideration of efficiency and privacy; thus, a zone-based method is applied to trade off between these factors. By hiding all users' locations in distinct zones, a user's privacy is well protected since enemies cannot distinguish from hundreds of points of interest in one zone. It is noteworthy that the matching is also computed over discretized zones, so the matching results are not necessarily optimal on a non-discretized map. In the following paper, expressions such as "minimum detouring" indicate the computing results over the zones. In Section 6, we implement pShare under zone-based estimation data and non-discretized ground-truth map data to evaluate the real accuracy of the scheme.
The ride-sharing service is an optional ride-hailing service since it can be replaced by ride-matching if there are no suitable sharing riders. Therefore, we apply the ride-sharing from the perspective of drivers and match several riders for each driver. For an available driver, the ORH server first searches his surrounding requested riders, then computes for the best matching riders with minimum detouring time. More specifically, our main contributions can be summarized as follows:

1.
We propose a flexible, privacy-preserving online ride-sharing matching scheme pShare, which performs matching between a shared driver and group riders with minimum detouring distance, while protecting their location privacy against the ORH service provider.

2.
We propose a zone-based riders-filtering approach, which can divide surrounding requested riders on the similarity of their traveling routes. Meanwhile, we have designed a secure comparing protocol, which computes users' encrypted data and outputs the ride-sharing results along with the minimum-detouring route.

3.
We evaluate the scheme using generated user datasets which obey real-world distribution. The experimental results demonstrate that pShare can achieve the functionality with high accuracy and practical efficiency.
The rest of the paper is organized as follows: In Section 2, we formalize the problem and introduce the system model and the threat model. In Section 3, we present some preliminaries of the paper. Then we present the specific construction of pShare in Section 4 and the privacy analysis in Section 5, followed by performance evaluation in Section 6. Finally, we conclude our work in Section 7.

Problem Definition
Given a driver d, supposing the passenger capacity of d is CAP d and the current number of onboard riders is OBR d , we define that d could be at one of three possible situations: idle, full, and not-full, which represent OBR d = 0, OBR d = CAP d , and 0 < OBR d < CAP d , respectively.
The problem of our concern is, for the driver d and the riders set R, to find the best match between the driver and v riders along with the optimal route to pick up and drop off all riders while protecting users' privacy, in which v CAP d − OBR d . The additional travel time (ATT) of the matching result should be minimal, and the schedule will miss no deadlines of the riders.

System Model and Threat Model
As shown in Figure 1, the system consists of four entities: an ORH server, a crypto server, the riders, and the drivers. We use the RS to represent the ORH server and the CS to represent the crypto server in the following paper. Drivers start ride-sharing queries and submit their current status when they are idle or not-full. Riders submit ride requests when they need a ride-sharing service. The RS finds the optimal riders for the driver with minimum average ATT. Besides, we introduce the CS to set up the cryptographic parameters and enable the matching computation. Based on the system model, we make the following assumptions: 1.
In our system, all entities are semi-honest. That means they always honestly follow the scheme but are curious about the information of users. So the goal of privacy is to prevent the RS or the CS from learning about users' sensitive infomation, which includes precise locations and appointed time.

2.
There is no collusion between the RS and the CS because they are managed by different parties. Nor will the RS collude with the drivers because the RS is always a big company and takes much attention to the reputation.

3.
The communication channel between two entities is secure, which means no manin-the-middle attack will be launched. Nobody can utilize channel information to locate users.

Design Goals
Under the proposed system model and threat model stated above, pShare system should satisfy the following design objectives:

1.
Accuracy. The RS should perform matching over ride-requests and drivers' status accurately. However, there exists a trade-off between accuracy and privacy level with different zone scales. Thus, under a proper privacy level, our goal of accuracy is that the RS should be able to find riders with minimum ATT in a big probability.

2.
Efficiency. The system should be efficient such that the responding time for riders and drivers is all acceptable in a real-time ride-matching scenario.

3.
Privacy. During the whole process of the scheme, the RS and CS should be prevented from learning the precise location information of users. Riders and drivers should likewise not learn each other's information unless they are matched.

Paillier Cryptosystem
The Paillier cryptosystem [15] is a public-key cryptosystem with the property of additive homomorphism based on the composite residuosity assumption [1]. We briefly describe it as follows: KeyGen() → (pk, sk): Choose two large primes p and q, and let n = pq. Then compute the least common multiple λ = lcm(p − 1, q − 1) and select g ∈ Z * n 2 , ensuring the greatest common divisor gcd L g λ mod n 2 , n = 1, in which L(x) = (x − 1)/n. Then the public key is pk = (n, g) and the secret key sk = λ.
Encryption: E(m, pk) → c. Given a plaintext m ∈ Z * n , randomly select r ∈ Z * n and compute the ciphertext as follows: c = g m r n mod n 2 (1) Decryption: D(c, sk) → m. Given a ciphertext c ∈ Z n 2 , the corresponding plaintext can be computed as follows: m = L c λ mod n 2 L g λ mod n 2 mod n (2) The Paillier cryptosystem described above is semantically secure. Besides, it has the following homomorphism properties:

Garbled Circuit
Garbled circuit was first introduced by Yao [16] to solve the millionaire's problem. It enables two parties to evaluate any function jointly such that nothing can be learned from the evaluation but their outputs. Specifically, one party first generates a garbled version of function f (x, y) as the generator and obtains the garbled circuitf . Then the generator sendsf together with his garbled inputx to the other party, which is the evaluator. Then they execute a 1-out-of-2 Oblivious Transfer (OT) protocol jointly, in which the evaluator can obtain his garbled inputŷ without any information leakage to the generator. Then the evaluator can evaluate the garbled circuit to obtain the result of f (x, y). Several optimizations have been proposed to construct Yao's GC, such as [17,18].

Data Packing
Let (t 1 , t 2 , · · · , t n ) be an n-dimensional vector. We can pack it in the following form: where x j−1 is the parameter which is big enough to separate two values at the bit level.
Similarly, for data encrypted in paillier cryptosystem ( t 1 , t 2 , · · · , t n ), we can pack it as: By applying the data packing technique, we can use just one decryption to the packed ciphertext or one encryption to the packed plaintext.

Road Travel Time Estimation
Our approach to compute the best matching results for ride-sharing service consists of shortest road traveling time computation. Traditional methods compute it directly in large-scale road networks, which will cause an expensive computation cost and cannot be applied with cryptographic primitives. To solve this, a zone-based method could be used to estimate the road traveling time [19] First, the road network is partitioned into . For each grid, we set an anchor point for travel time estimation between zones. All anchor points are selected considering the number of its adjacent edges (namely the degrees) and the geographical distance to the center of its located zone. We use to represent the anchor point of each zone. Once the process of anchor setting is finished, the travel time between zones can be estimated and precomputed with the distance between anchor points as follows: For any two points in the road network, we denote as s and d, respectively. The travel time between s and d can be estimated with the following expression: where AP(x) denotes the anchor point of the zone in which x is located. The information of road network and anchor points are public. In our proposal scheme, for a ride request with start point s and destination d, the ride requester can easily compute t s→AP(s) and t AP(d)→d at the local mobile device. Then the rider can submit them after encryption to hide the precise locations s and d in two located zones.

Proposed Approach
In this section, we describe the architecture of pShare and the protocol details we apply to obtain the best matching results without privacy leakage of users.

System Overview
Given the locations of drivers and riders, the ride-sharing matching is to find the best combination of riders with minimum detouring time. The RS applies the matching between a driver and several riders who accept to share their ride with other passengers. Before the RS applies the ride-sharing matching, the system needs to finish the initialization. With the coarse locations of riders and drivers, the RS first executes a filtering algorithm and obtains several sets of nearby riders, which are divided in terms of the similarity of their trips.
Then for each set, the RS traverses all feasible rider combinations of v riders and computes the encrypted ATT of each rider combination. To compare the ciphertexts without leaking privacy, the RS and the CS execute comparing protocols using Yao's GC together to compute the results securely. The combination with minimum ATT will be selected and matched to the driver. Finally, a secure communication channel will be established between the driver and selected riders for pick-up details.
It is noteworthy that no precise locations are exposed to other entities except the user himself. All sensitive information such as location and time deadline are submitted in ciphertext form.

Protocol Details
We now describe the construction details of pShare scheme, which consists of the following five steps:

1.
Setup. In this procedure, the system needs to be initialized. First, the map is partitioned into zones, and the anchor point of each zone needs to be set up as described in III.D; the travel time between any two anchor points is precomputed. Then the CS generates the key pair (pk, sk) and broadcasts pk to other parties in the system.

2.
Ride Request Submit. When a rider needs the ride-sharing service, he will first compute the estimated travel time t s→AP(s) and t d→AP(d) using the public road network and navigation system in his mobile device, where s and d are the locations of his start point and destination point. Then he encrypts them with pk and obtains t s→AP(s) and t d→AP(d) , respectively, in which represents the ciphertext form.
After that, the rider selects the deadline of pick-up time t s and the deadline of dropoff time t d and encrypts them. Finally, the rider submits the ride-sharing request

3.
Driver Location Update. Similarly, the driver needs to submit his current status to finish the matching process. First, he computes t l→AP(l) with his end device and pk, then submits his status D = CAP d , OBR d , z(l), t l→AP(l) , where l is the driver's current location and v is the current vehicle load. If OBR d > 0, namely that the driver has existing riders, the schedule of driver , P should also be submitted to the RS, which include onboard riders' encrypted requests and the existing path. The definition of path is described in the following paper. 4.
Riders Filtering. To mitigate the computation overhead, the RS needs to filter the riders on their coarse locations of start point and destination point (i.e., the corresponding zones) as Algorithm 1. On receiving from a driver's status D, the RS first checks if there are any existing riders. If OBR d = 0, the RS searches the surrounding riders of z(l) within a fixed-size region SR and outputs the set R nearby . For each rider r of R nearby , the RS obtains the shortest route between AP(r i .z(s)) and AP(r i .z(d)) from precomputed data. Then the RS gets r i .Zpath = {r i .z(s), · · · , r i .z(d)}, which represents the zones sequence the route passes through. The RS selects M riders {r i } M i=1 with the longest length of Zpath from R nearby as the root riders, meanwhile M corresponding rider sets {R i } M i=1 are constructed. In addition, the RS computes the expanded path for each root rider of {r i } M i=1 . As Figure 2 indicates, r.Zpath indicates the black area, and r.EZpath is computed as the grey area and the black area in order to include more potential riders. For the rest of the riders, the RS compares their paths and the directions with the root riders as follows, and riders with similar traveling routes will be added to the corresponding set. 10: Addr i to R i ; 11: end for 12: for every r ∈ R near do 13: for 1 to M do 14: if r.z(s), r.z(d) ∈r i .EZpath and Dir(r, R i ) < 0 then 15: Add r to R i ; 16: end if 17: end for 18: end for 19:  For each rider r j ∈ R nearby except root riders, the RS judges if the following conditions are met: where (9) indicates r j is in the path of r i ; when (9) is met, the RS judges if they have similar directions with the appearing order of the start point and the destination point in (10), if r j . Once qualified, r j will be added to the set R i . Note that a rider could be added to more than one set. If OBR d > 0 and the driver has an existing schedule, the RS will refer the existing path P to add potential riders to just one set as the Algorithm 2 does.
as vertices of a graph, the travel time between V i and V j is the corresponding edge t V i →V j . Therefore, the path-planning problem is to find the shortest path on ciphertexts that passes through all vertices.
i=0 is a vector of vertices that indicates the pick-up or drop-off order. Each vertice represents a location point of {d.l, r.z(s), r.z(d)} together with a time constraint t V i . The path should cover all nodes of the graph. A legal path P has to meet the following constraints: P.indexo f (r i .s) < P.indexo f (r i .d) To find the shortest path, the RS needs to compare all practical paths with their total traveling time. As depicted in Figure 3, for all paths that meet (11) and (12), the RS checks and selects the driving path that would not fail any deadline in (13). To do this, the RS computes the encrypted travel time for all edges using (3) and (8) and gets . Then the RS computes T (P ) for each path P as follows: in which T i represents the total time consumption to reach the node v i .  For each path, the RS compares each point with its deadline time. Suppose T 1 , T 2 , · · · T 2v are p-bit integers. Then the RS randomly chooses 2v (k − 1)-bit length integers A = {a 1 , a 2 , · · · a 2v } (k − 1 > p) and applies the following operations: S T (P ) = E(S(A))S( T (P ) ) The RS first packs T 1 , T 2, · · · T 2v and a 1 , a 2, · · · a 2v in (15), (16) and then adds the encrypted integers to each item of (17) and obtains T (P ) , which is the packing ciphertexts after blinding operation. Similarly, for the deadline time of each , the RS generates random integers A = a 1 , a 2, · · · a 2V and executes the same blinding operations in (15)- (17). Then the RS sends T (P ) and T V (P ) to the CS, and they jointly finish the judging for each path. On receiving T (P ) and T V (P ) , the CS decrypts the ciphertext and unpacks the data. For each path P j , the RS holds A and A ; the CS holds T P j and T V P j ; and they execute the garbled circuit TC as shown in Figure 4, in which the SCMP circuit is shown in Figure 5. CMP, MUX, SUB, and MIN denote a comparator circuit, a multiplexer circuit, a subtractor circuit, and a minimum circuit, respectively. We present the details of the circuit TC in Algorithm 3. The circuit first restores the real values from blind values (1) and then compares the arriving time and the deadline time for each point (2-8). Only if all deadlines are satisfied will the circuit output the total time consumption of the ride-sharing process (9-10), or the circuit outputs a big enough integer {1} p (12). Then for all paths P j , the RS and CS jointly execute a path-planning circuit C pp to select the path with minimum traveling time. We present the circuit C pp in Figure 6. Phase 2. (Riders Selection) In this phase, for all rider combinations C = C j CN j=1 , the system compares their ATT and outputs the best combination, in which CN is the total number of combinations, and ATT is the total detouring time of all riders. First, the RS computes the ATT of each combination. For each rider r i , the detouring time is the traveling time difference between the time consumption of driving in the current path and directly to the destination. The ATT of C j is presented as the following equation: For example, the ATT of the path in Figure 3 can be computed as: Moreover, we can obtain the corresponding ciphertext as: For each combination C j , the RS computes the ATT j , then packs them and obtains S ATT j CN j=1 . As with the previous blinding operations, the RS generates CN random integers [a 1 , a 2 , · · · a CN ], then computes the blinding ciphertexts S ATT j CN j=1 and sends it to the CS. After decryption and unpacking operations, the RS and the CS execute the RCS algorithm to select out the best rider combination as Algorithm 4. Finally, the RS obtains the result and establishes a secure communication channel between the driver and the riders in combination so that they can communicate for pick-up details.

Privacy and Security Analysis
In this section, we present the analysis of security. Our goal is to ensure no entity could learn the precise location of users, but for the utility and efficiency, we allow the RS to access the zone-based location. We make more discussion about the balance of privacy and utility in the following section. In pShare, we mainly consider the security against the RS and the CS. We adopt and modify the notion of adaptive security from [8,19].
Leakage function L access : Given the map of the city M, a set of riders R = (r 1 , · · · , r n ) , and a set of drivers D = (d 1 , · · · d n ), we define the leakage function L access = AP access (M, d, R), where AP(M, d, R) is the access pattern.
Definition 2 (Access Pattern). Given the map M, a series of drivers D and a series of riders R, we define the access pattern as AP(M, D, R) = z(R), z(d), {p * x } C x ∈C , C * , where z(R) and z(d) are the zone information corresponding to R and d, respectively; p * x is the best path of the combination C x ; and C * is the final selected combination with the minimum ATT.
Definition 3 (Adaptive Semantic Security). Let pShare = (RRS, DLU, RFA, PPA, RCS) be our privacy-preserving ride-sharing scheme, representing the process of Ride Request Submit, Driver Location Update, Request Filtering Algorithm, Path-Planning Algorithm, and Rider Combination Selection, respectively. We consider the following experiments with probabilistic polynomial time (PPT) adversary A, a challenger C, a simulator S, and the leakage function L access .
Real A,C 1 λ : Firstly, C runs the initialization to set the system parameters. Then A outputs a set of ride requests R. For each rider r i ∈ R, C and A execute a simulation of RRS, with C acting as the rider and A acting as the RS. Then A generates a polynomial number of adaptively chosen drivers D. For each driver d j ∈ D, C and A execute a simulation of DLU, in which C and A play the role of the driver and the RS, respectively. Afterward, A acts the RS and runs RFA, PPA, and RCS, and finally outputs γ as the result of the experiments.
Ideal A,S 1 λ : Firstly, S generates system parameters in the process initialization. Then A outputs a set of riders R for each rider r i ∈ R, and A executes a simulation of RRS, with S acting as the rider and A acting as the RS. Then A generates a polynomial number of adaptively chosen drivers D. For each driver d j , S is given the leakage function L access = AP access (M, d, R) and executes a simulation of DLU with A, in which C and A plays the role of the driver and the RS, respectively. Afterward, A acts as the RS and runs RFA, PPA, and RCS, and outputs γ as the result of the experiment.
We define the advantage of A and in the experiment as Adv(λ) = |Pr(γ = γ ) − 1/2|. Then we say pShare is adaptively L access -semantic secure if for all PPT adversaries A, there exists a PPT simulator s.t. Adv(λ) is negligible.
According to the above definitions, we analyze the user privacy of pShare as follows: Theorem 1. If Paillier cryptosystem is semantically secure, pShare has rider privacy in RRS algorithm.
Proof. Supposing pShare cannot satisfy user privacy in RRS and there is a PPT adversary who has a non-negligible advantage to distinguish the outputs of the Real A,C 1 λ from the outputs of the Ideal A,S 1 λ . We use A to break user privacy in RRS algorithm. First, we generate the public key pk and randomly generate two plaintext ride-sharing requests . Then we send the requests to the challenger, and the challenger randomly chooses b ∈ {0, 1} and returns with the RRS algorithm. We send R b to the adversary A, who gives his guess b . So the advantage for A to distinguish two requests is Adv(λ) = |Pr(b = b ) − 1/2|, which is also non-negligible. Based on the non-negligible advantage to distinguish the ciphertext requests encrypted by Paillier cryptosystem, we break the semantic security of Paillier cryptosystem. It is contradictory to the assumption of the theorem. This completes the proof.
Theorem 2. If Paillier cryptosystem is semantically secure, pShare has user privacy in the DLU algorithm.
Similar to the proof of Theorem 1, we can prove Theorem 2 that there is no PPT adversary who has a non-negligible advantage to distinguish two outputs of DLU algorithm with drivers from the same zone. Theorem 3. If the garbled circuit C pp is secure under the semi-honest adversary model, then the PPA algorithm is secure under the semi-honest model.

Proof.
During the PPA algorithm, we simulate the view of the RS and the CS, respectively. Let S CS simulate the view of the CS. The RS first blinds the ciphertexts by adding them with a set of randomly generated integers. Then the CS receives the blinded ciphertexts and decrypts them. Since the random integers are big enough, the CS cannot distinguish between two blinded values. That is to say, if S CS randomly picks an integer from the range 2 k−1 + 1, 2 k + 2 l+1 − 2 , encrypts it, and sends it to the CS, there is no PPT adversary who can distinguish the blinded plaintext from random integer with non-negligible probability.
Then C pp outputs the path-planning results, which is an m-bits integer that indicates which path to choose. We use S RS to simulate the RS's view. For each combination, S RS randomly chooses a path that meets Equations (11) and (12) and sends the number of the path as the result of PPA algorithm to the RS. There is no PPT adversary who can distinguish the best path, which is a sequence of encrypted location information, from the randomly chosen one.
The process of circuit execution is also secure. The security proof of C pp can be found in [20]. We complete the proof of the theorem. Proof. Similar to the proof of Theorem 3, from the view of the CS, the adversary A cannot distinguish the blinded plaintext from the random integer. Then S RS randomly selects a number from all eligible combinations as the result of combination selection. The randomly selected number is also indistinguishable from the real result.
Proof. We first describe a PPT simulator S to simulate the whole process of pShare such that any PPT adversary A cannot distinguish the results of Real A,C 1 λ and Ideal A,S 1 λ with non-negligible advantages. Given L access = AP access (M, d, R), S randomly generates a set of driversD, and for eachd ∈D, S randomly generates a set of riders around the driver. Then S simulates riders to run RRS algorithm and drivers to run DLU algorithm with A acting as the RS, and then running RFA, PPA, and RCS algorithms.
According to Theorems 1 and 2, A cannot distinguishd ∈D from d ∈ D andr ∈R from r ∈ R during RRS and DLU algorithm execution. Since there is no data transmission in RFA, A cannot obtain any useful information. According to Theorems 3 and 4, A still cannot distinguishd ∈D from d ∈ D andr ∈R from r ∈ R in PPA and RCS algorithms.
In summary, pShare is adaptively L access -semantic secure against semi-honest adversaries. We complete the proof.

Evaluation
We compare pShare with schemes [7,8,14,19,21] under the same threat model and summarize the differences between them in the Table 1. Compared to the other privacypreserving ORH schemes, pShare is able to match the driver with a group of riders and computes for the least-detouring path while protecting users' privacy. In this section, we design an experiment to show the utility and efficiency of pShare. We present the experimental setup in Section 6.1 and experiment results in Section 6.2. Table 1. Comparison with existing schemes.

Experimental Setup
In this section, we evaluate our experiments on the road network of an about 50 × 50 km map of Beijing, which is generated by OpenStreetMap [22]. Since the distribution of riders and drivers is always dynamic, we generate the ride-sharing requests and driver locations using the tool TaxiQueryGenerator [23], whose outputs conform to Beijing's real spatiotemporal distribution. We implement Paillier cryptosystem by an open-source library, jpaillier [24], and Yao's garbled circuits by Faster-GC [25]. During the experiment, we set the modulus of the Paillier cryptosystem to 1024 bits, the bit-length of a blinded value k to 32 bits, the bit-length of a domain value l to 16 bits, and the bit-length of a wire label to 80 bits. All our experiments are run on a PC with 8 GB memory and an Intel-8265U CPU of 1.8 GHz.
We divide the selected area of the map into grids and set up all the parameters of the pShare ride-sharing system. Then we randomly initialize the locations of the drivers and the riders in the selected area, meanwhile generating the corresponding pick-up time and drop-off time of the riders and the available time of the drivers. Then the pick-up deadline and drop-off deadline are computed as t s = t cur + 600 s, t d = t s + t s→d + 600 s.
The default patience time of a rider is 30 min, i.e., the rider will turn to other options for traveling rather than ride-sharing beyond this amount of time. We choose the generated requesting datasets of period 10:00-11:00 and the drivers' datasets of period 10:30-11:00 as the experimental datasets. We first read all rider requesting data, and for each record of driver datasets, we read it sequentially and apply the ride-sharing matching between the driver and riders within the patience time. The result of the ride-sharing matching may be a failure or success. To evaluate the accuracy of pShare, we record the matched riders if matching successfully and compare the results to another experiment pShare-GT, which takes ground truth to replace the estimated traveling time. Besides, we also measure the overhead of the experiments and record it in the table.

Accuracy:
In the experiments, we use two metrics to evaluate the accuracy of the system, which are Successful Matching Rate (SMR) and Accurate Matching Rate (AMR), respectively. We compute SMR as SMR = N suc /N tot , in which N suc indicates the number of successful matching and N tot indicates the total number of matching. We compute AMR as AMR = N acc /N tot ; N acc indicates the number of matches where the results of pShare are the same as the results of pShare-GT. We use the metric AMR to evaluate the accuracy of the scheme to find the minimum detouring route. Since there is a trade-off between the matching accuracy and the user privacy, we introduce the Average Number of POI (ANP) in one zone to represent the privacy level of current zone size, in which POI is point of interest, corresponding to the location points of the riders' probable destinations. Therefore, the users' precise locations are disclosed in the probability of 1/ANP. We compute and compare the variants of SMR, AMR, and ANP by varying the zone scale and the number of riders to be searched R nearby . As shown in Figure 7, SMR has little association with the zone size, but AMR increases remarkably with zone getting smaller, which indicates the accuracy of the zone-based time estimation method is highly relevant to the zone scale. Besides, there is a drastic reduction in APN with smaller zone size, so it is necessary to properly set the zone scale considering protecting users' privacy at an acceptable level. Furthermore, the rider number to be searched has an influence on SMR but has no evident impact on AMR/SMR.

Efficiency:
We take communication and computation cost to evaluate the efficiency of pShare scheme. During the ride-sharing, the computation cost mainly includes the encryption of riders and drivers in the process of Request Submit and Location Submit, the packing/unpacking operations and the garbled circuit execution in the process of ride-sharing matching.
As shown in Table 2, for the rider, the communication cost is always 0.51 KB, and the computation cost is 26 ms. For a driver with no onboard rider, the communication cost is 0.13 KB. For a driver with onboard riders, the submitted information should also contain the requests of riders onboard. As for the server (includes both the ride-sharing server and the crypto server), the communication cost and the computation cost are subject to the size of searched riders. The communication cost of the server is mainly from the packed ciphertexts the RS sends to the CS, and the computation cost mainly contains the cost of ciphertexts packing and computation of the RS, the ciphertexts unpacking of the CS, and the execution time of the garbled circuit. From the table, we can see that the total execution time of the server is about 30 s if the number of riders to be searched is 100. The responding time is acceptable for users with an appropriate searching scale. Moreover, we especially evaluate the computation cost of the garbled circuit with different searched riders and the number of available seats. From Figure 8, we can find the execution time of the garbled circuit takes up most of the total computation cost, and the cost rises faster as the size of R nearby and v become bigger.

Privacy-Preserving Ride-Matching
Many approaches have been proposed to preserve users' privacy in location-based services. For the cryptographic primitives, there is homomorphic encryption, secure multiparty computation, and private set intersection. Besides, some non-encrypted techniques include location perturbation [26], dummy location generation [27], and spatial cloaking [28]. Based on these methods, a few privacy-preserving ride-matching schemes have been proposed. A privacy-enhanced scheme, PrivateRide [6], was proposed by Pham et al., which provides anonymity for users' locations. Later, they extended it to ORide [7], which is based on somewhat homomorphic encryption and enables the matching more efficiently while protecting users' privacy. Besides, Luo et al. proposed a privacy-preserving ride-matching scheme based on road networks [8], which can perform matching more accurately. Considering side-channel attacks, they also presented a private and efficient scheme with Intel SGX enclave, which provides a hardware-enforced Trusted Execution Environment [29]. However, all these schemes are ride-matching schemes, which do not support ride-sharing matching.

Privacy-Preserving Ride-Sharing
There are also some relevant schemes for ride-sharing. SRide is a privacy-preserving dynamic ride-sharing system, which computes the ride-sharing results based on users' spatiotemporal data. PRIS [13] utilizes PHE [15] to find eligible matching between riders and drivers. Sherif et al. proposed a scheme [30] that computes the similarity of riders' trips on ciphertexts to match riders. The FICA scheme [31] ensures data privacy and reliability using edge computation and blockchain techniques. PrivatePool [14] constructs a distributed and privacy-enhanced ride-sharing system with PSI [32] protocol and SHE [33] technique. PSRide [19] utilizes PHE [15] and the Garbled Circuit technique to build a privacy-preserving scheme that supports flexible ride-sharing matching. Yu et al. proposed PGRide [21], in which they designed an encrypted aggregate distance computation approach by using SHE and ciphertexts packing technique. Through the approach, the aggregate distances can be computed in encrypted form. Howerver, none of these schemes can support group matching and meanwhile find minimum detouring matching results over road traveling time.

Conclusions
In this paper, we propose a privacy-preserving ride-sharing scheme pShare for ORH service. pShare supports privacy-preserving ride-sharing between multiple riders, the matching results of which have a minimum ATT. To achieve this, the riders and drivers need to submit their encrypted location information to the ORH server, and the ORH server applies secure computing and compares matching protocols with the crypto server based on the garbled circuit and the data packing technique. They first compute the minimum path for each eligible rider combination, and finally, they compare and select the best combination with minimum ATT. We prove that pShare scheme achieves user privacy and is adaptively semantically secure under the random oracle model. The experimental results have shown that pShare achieves both accuracy and practical efficiency.