1. Introduction
Location information turns wireless devices into location-aware data collection instruments, such as smartphones in Mobile Ad hoc Networks (MANETs) or vehicles in Vehicular Ad hoc Networks (VANETs) [1]. Applications of location information include Mobile Crowd Sensing (MCS) [2,3], geographic routing [4], Location-Based Services (LBS) [5], Online Social Networks (OSN) [6], the Internet of Things (IoT) [7], mobile Wireless Sensor Networks (WSN) [8], etc. In these applications, mobile users report their locations to a server through an Access Point (AP) or a Base Station (BS) in order to obtain services. However, eavesdroppers may capture users' location information during the reporting process, which raises a significant challenge: how can users' location privacy be protected [9]?
The system whose location privacy must be preserved consists of a server side and a user side. On the server side, an attacker tries to capture location information by compromising the server or the AP/BS, or by eavesdropping on the communication links between server-side devices. However, server-side devices have the capability to protect their messages with conventional cryptography.
On the user side, an attacker acquires location information by an invasion attack, by Location Estimation (LE), or by eavesdropping on the wireless channel between the user and the AP/BS. Fortunately, an invasion attack is more costly than eavesdropping, and an increasing number of security technologies can defend against it. In an LE attack, the attacker estimates the user's location by ranging; the hardware overhead of an LE attack is higher than that of eavesdropping, which makes the LE attack less common. Therefore, preventing the leakage of location privacy on the user side is vital because of the open nature of the wireless medium, especially for applications in which the retrievability of locations is essential. For instance, in the initial stage of some k-anonymity or spatial cloaking methods, users' locations are transmitted to a trusted third party [10], which gives an attacker the chance to eavesdrop on users' locations over the wireless channel. Furthermore, the development of caching technology is expected to result in more distributed LBS/OSN servers or location verifiers [11,12], e.g., at the AP. In conclusion, protecting the privacy of locations in the wireless channel is essential for pervasive public networks.
In this paper, focusing on the wireless channel, we propose a location privacy preservation (LPP) scheme for MANETs based on Distance, angle and the idea of Spatial Cloaking (DSC-LPP) to prevent eavesdropping attacks. DSC-LPP uses the AP-user distance as the primary key to transform the user's location into a cloaking space, and the AP's ranging result enables it to retrieve the user's location. Unlike conventional cryptography, the AP obtains the key dynamically by ranging, so the key need not be stored, which reduces the risk of eavesdropping based on a leaked key. Compared with conventional cryptography and k-anonymity methods, DSC-LPP reduces the communication and computation overhead of preserving location privacy in the wireless channel while retaining the retrievability of the user's location on the server side. Meanwhile, polar coordinates are adopted instead of Cartesian coordinates to improve the feasibility of DSC-LPP; in particular, it is adaptable to applications that need only the direction from the AP to the user. Another advantage of polar coordinates is that the circular coverage of an AP can easily be divided into small zones according to the security requirement. Finally, DSC-LPP is suitable for sparse networks, even when there is only one AP and one user.
The main contributions of this paper are as follows:
To the best of our knowledge, this is the first work that protects location privacy in the wireless channel based on distance and ranging while retaining the retrievability of users' locations on the server side without conventional cryptography.
A redundancy-check scheme for DSC-LPP is proposed to improve the accuracy of retrieval.
The application of DSC-LPP in irregular areas is investigated.
Solutions that improve the robustness of DSC-LPP in harsh environments are investigated.
The performance of the proposed methods is evaluated by simulation, qualitative evaluation, and comparison.
In the following, we outline the related work in Section 2. We present the system and threat model in Section 3, and the details of DSC-LPP are presented in Section 4. Section 5 presents the performance evaluation of DSC-LPP based on simulation. The discussion of special cases, the security evaluation, and the comparison between DSC-LPP and other LPPs are included in Section 6. Finally, we conclude the paper in Section 7.
2. Related Work
To preserve location privacy, researchers have proposed different techniques. Spatial cloaking methods blur the locations of users into a cloaked space; e.g., k-anonymity employs a trusted anonymizer to blur the locations of a group of at least k users, so that any user's location cannot be distinguished from at least (k − 1) other locations [10,13,14]. Space transformation maps the locations of users into an encoded space such that the locations are irreversible for any device without the transformation key, while some spatial properties of the locations are maintained [15]. Dummy-based methods generate a group of dummies alongside the real location so that the server cannot distinguish which one is real [16]. Differential-privacy-based methods map a user's location to an obfuscated location according to a preconfigured probability function; for any two locations, the probabilities of being mapped to the obfuscated location are similar, so the attacker cannot tell which real location produced the obfuscated one [17,18,19,20].
To protect users from LE attacks, Sanaa et al. used fake points to confuse attackers [21]. Arana et al. increased the localization error of attackers by controlling the transmission power [22]. Conventional cryptography is the primary method of protecting location privacy from eavesdropping. However, the computing overhead and the exchange of secret keys are challenges for low-power networks such as sensor networks [23].
k-anonymity and dummy techniques can be used for LPP in the wireless channel. Unfortunately, retrieving users' locations at the AP/server is then difficult, which makes them unsuitable for location reports such as location verification and geographic routing.
K. P. N. Puttaswamy et al. partitioned location data based on users' social groups, and a user transforms its location into a virtual coordinate system before storing it on untrusted servers. The members of the same group know the transformation key, so they can transform the virtual location back into the real coordinate system [24].
T. Peng et al. enhanced LPP by means of a Function Generator, which is responsible for generating the spatial transformation parameters in kNN queries. The user transforms its location into a pseudo-location and, in principle, other devices can retrieve the user's real location by contacting the Function Generator [25].
The methods in [24,25] maintain the retrievability of locations on the server side; however, their reliance on cryptography and on a third party limits the environments in which they can be applied. DSC-LPP should therefore be applicable in as many environments as possible. An effective way to achieve this is to limit the computation and communication overhead of DSC-LPP, and the use of a third party should also be limited.
4. Proposed Scheme for Location Privacy Preservation
The key idea of DSC-LPP is to transform the user’s location into a cloaking space based on the user-AP distance. Then, the AP retrieves the user’s location based on the ranging result.
4.1. DSC-LPP
The distance between the user and the AP is the primary key for transforming and retrieving the user's location. Therefore, the distance must not be included in any message if the user's location privacy is to be preserved: the user transforms its location into the cloaking space by computing the distance between itself and the AP, and the AP retrieves the user's location from its own ranging result alone. The ranging result deviates somewhat from the real distance, so we use the normalized distance rather than the exact distance to transform the location, which reduces the impact of ranging deviation on retrieving the location of the user.
In DSC-LPP, we divide the AP's coverage into m () annuli. A group of annulus-based divisions composes a related space, and any location in a related space is transformed into the cloaking space (a division of the same related space). To obfuscate the locations of a related space and to retrieve locations from the cloaking space correctly, DSC-LPP must satisfy the following requirements:
- (i) For any transformed location, its possible retrieved locations are not unique.
- (ii) Locations in the same annulus have the same normalized distance, and each division has only one transformation scheme.
- (iii) Locations in a cloaking space use the same retrieval method, that is, a cloaking space has only one associated related space and vice versa.
Requirement (i) ensures the obfuscation of transformed locations, i.e., any location in the cloaking space has two or more corresponding real locations. Requirements (ii) and (iii) avoid ambiguity of retrieved locations, i.e., for any transformed location, the retrieved result is unique once the normalized distance is observed.
The notation commonly used in the rest of this paper is listed in Table 1.
4.2. Primary Scheme
The relationship between Cartesian coordinates and the user-AP distance is non-linear, so the requirements of DSC-LPP cannot be satisfied in some environments; besides, Cartesian coordinates significantly increase the complexity of designing the divisions in practice. In polar coordinates centred at the AP, by contrast, the radial coordinate is the user-AP distance itself, so a transformation that meets the requirements of DSC-LPP is feasible.
In polar coordinates, the normalized distance is in fact the normalized radial coordinate, and the angular coordinate can then be transformed based on the radial coordinate. A simple way to transform the angular coordinate is to divide the AP's coverage into n () sectors based on the angular coordinate, each sector having a normalized angular coordinate. For instance, in Figure 2, each division is generated from one annulus i and one sector j, and the lower bounds of the radial and angular coordinates of a division are its normalized coordinates.
The divisions presented above are the critical elements that enable location privacy preservation in DSC-LPP. In the rest of this paper, we assume that locations in the same related space use the same transformation scheme and that the AP is located at the origin of the polar coordinate system. Specifically, suppose that the real location of the user is
, where
and
are the radial and angular coordinates, respectively; then the transformed location of the user is
where
is the transformation function, and
and
normalize the radial and angular coordinates based on
and
, respectively. With
, the ranging result between the user and the AP, the retrieved location is obtained as follows:
where
retrieves the location of the user from the cloaking space. Equations (1) and (2) show that DSC-LPP retrieves the location of the user without error even if
, except when
falls into another annulus. A redundancy check can reduce the influence of ranging error, as shown in Section 4.4 and Section 5. It is obvious that in DSC-LPP, a real location is obfuscated with other
locations. Then the number of locations that are obfuscated together reflects the level of security. Inspired by the anonymity level of k-anonymity [28], we use
L to reflect the obfuscation level of DSC-LPP:
where
and
are the probabilities that an eavesdropper guesses the real radial and angular coordinates, respectively, from the transformed location. A higher L means a higher level of privacy.
Lemma 1. In a related space, the maximum obfuscation level can be achieved if the divisions fall into different annuli, and .
Proof. Suppose that a related space includes
k divisions, and all the divisions except
and
fall into different annuli apart from
i. If
, then
and
are the transformed radial and angular coordinates, respectively.
,
,
, and then, the retrieved radial coordinate is:
where
retrieves
from the cloaking space. It is evident that, without ranging error,
, then we have
if
. Equation (
4) indicates that the retrieved result in some annulus is unique for the same transformed radial coordinate. Consider that
and
belong to the same annulus, according to Equation (
4), we can retrieve at most
different radial coordinates based on
, i.e.,
. Note that the divisions can fall into at most
k annuli, then we have
, and similarly,
.
The above inequalities indicate that . Consider that , we have . □
In the rest of this paper, we always assume that , , and that the divisions in a related space fall into different annuli and different sectors, to ensure that .
4.3. Transformation and Retrieval
Suppose that
, then
and
are the lower bound and width of radial coordinates of
, respectively. Correspondingly,
and
are the lower bound and included angle of angular coordinates of
, respectively, where
. The cloaking space of
is
, and the coordinates in each related space are continuous. Consider the requirements in
Section 4.1 and the general case; scale transformation is adopted to calculate the transformed coordinates as follows:
where
In Equations (
5) and (
7),
and
can be extracted based on the related space determined by
and
.
In practice, the lower bounds, the widths, and the included angles can be configured by either the AP or the user, and thus Equations (
5) and (
6) can be calculated once
is determined.
It is easy to retrieve the radial coordinate from cloaking space once the ranging result,
, is known. That is
For a specific division, the lower bound of angular coordinate can be implied by the lower bound of the radial coordinate. Let
extract the lower bound of angular coordinate based on the ranging result and cloaking space, then the retrieved angular coordinate in the general case is
where
The transformation process of DSC-LPP (primary divisions) in the general case is shown in Algorithm 1, where a simple linear search is used to present the transformation process clearly. It is worth noting that the computation overhead can be reduced in practice by adopting other search methods, such as binary search. The primary divisions can be varied according to the environment and the security requirement, and a typical process for designing the primary divisions is as follows:
Step 1: Determine the number of annuli (m) and sectors (n), the width of each annulus () and the included angle of each sector () according to the security requirement (e.g., obfuscation level), the characteristics of the devices (e.g., mobility) and the environment (e.g., ranging accuracy), and let .
Step 2: Taking the location of the receiver (e.g., the base station) as the centre, draw circles to divide the coverage of the receiver into m annuli according to , and draw radial lines from the centre to divide the coverage of the receiver into n sectors according to .
Step 3: Adjust and/or merge divisions according to the environment; the essential requirement of adjusting/merging divisions is that each related space includes m divisions (an example of this step is shown in Section 6.1).
Step 4: Label each related space and cloaking space according to the requirements of DSC-LPP. It is suggested to place all cloaking spaces in the same annulus so that the set of transformation parameters, and hence the communication overhead, remains small.
Algorithm 1 Transformation process of DSC-LPP (primary divisions)
Input: , primary divisions, related space(s), cloaking space(s)
Output: transformed location
if then
    ;
    ;
else
    ;
    while do
        ;
    end while
    ;
    ;
end if
if then
    if then
        ;
    else
        ;
        if then
            ;
        end if
    end if
    ;
else
    ;
    while and do
        ;
    end while
    ;
    ;
end if
Calculate the transformed location according to Equations (5)–(7).
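As an added example (not the authors' code), the following Python re-implements the primary-division scheme of Sections 4.2 and 4.3 with uniform annuli and sectors: related spaces are diagonals with one division per annulus and per sector, the cloaking space of every related space is its division in the outermost annulus (the Step 4 suggestion), the scale transformation is applied on the user side and inverted on the AP side from a ranging result, and the candidate set an eavesdropper is left with is enumerated. The obfuscation level is computed under the assumption that the eavesdropper guesses uniformly among the distinct candidate radial and angular coordinates; the class, method and variable names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Division:
    """One division: annulus i x sector j, stored as lower bounds and sizes."""
    r_lb: float   # lower bound of the radial coordinate (metres)
    r_w: float    # annulus width
    a_lb: float   # lower bound of the angular coordinate (degrees)
    a_w: float    # included angle of the sector


class PrimaryDSC:
    """Uniform primary divisions with the AP at the origin.

    Related spaces are 'diagonals' {(k, (j - i + k) mod n) : k = 0..m-1}, so each one
    contains one division per annulus and per sector (the arrangement Lemma 1 asks for).
    The cloaking space of every related space is its division in the outermost annulus
    (assumption of this example, following the Step 4 suggestion).
    """

    def __init__(self, m, n, radius):
        assert 2 <= m <= n, "assumption: at least two annuli and n >= m sectors"
        self.m, self.n = m, n
        self.w, self.phi = radius / m, 360.0 / n

    def division(self, i, j):
        return Division(i * self.w, self.w, j * self.phi, self.phi)

    def index_of(self, r, theta):
        """(i, j) of the division containing the polar point (r, theta)."""
        i = min(int(r // self.w), self.m - 1)
        j = int((theta % 360.0) // self.phi) % self.n
        return i, j

    def related_space(self, i, j):
        return [(k, (j - i + k) % self.n) for k in range(self.m)]

    def transform(self, r, theta):
        """User side (scale transformation in the style of Eqs. (5)-(7)): map (r, theta)
        into the cloaking division of its related space. Only this pair is transmitted."""
        i, j = self.index_of(r, theta)
        d = self.division(i, j)
        c = self.division(*self.related_space(i, j)[-1])
        r_t = c.r_lb + (r - d.r_lb) * c.r_w / d.r_w
        a_t = c.a_lb + (theta % 360.0 - d.a_lb) * c.a_w / d.a_w
        return r_t, a_t

    def retrieve(self, r_t, a_t, ranging):
        """AP side (style of Eqs. (8)-(10)): the cloaking division fixes the related space,
        the ranging result selects the member annulus, and the scale transformation is
        inverted. Any ranging result inside the correct annulus retrieves without error."""
        ci, cj = self.index_of(r_t, a_t)
        c = self.division(ci, cj)
        k = min(int(ranging // self.w), self.m - 1)
        d = self.division(k, (cj - ci + k) % self.n)
        r_h = d.r_lb + (r_t - c.r_lb) * d.r_w / c.r_w
        a_h = d.a_lb + (a_t - c.a_lb) * d.a_w / c.a_w
        return r_h, a_h

    def candidates(self, r_t, a_t):
        """What an eavesdropper who sees only (r_t, a_t) can conclude: one consistent real
        location per annulus of the related space, i.e. m candidates (requirement (i))."""
        return [self.retrieve(r_t, a_t, (k + 0.5) * self.w) for k in range(self.m)]


def obfuscation_level(cands):
    """Assumption: the eavesdropper guesses uniformly among the distinct candidate radial
    and angular coordinates, so P_r = 1/#radii, P_a = 1/#angles and L = 1/(P_r * P_a)."""
    radii = {round(r, 6) for r, _ in cands}
    angles = {round(a, 6) for _, a in cands}
    return len(radii) * len(angles)


if __name__ == "__main__":
    dsc = PrimaryDSC(m=4, n=8, radius=100.0)       # 25 m annuli, 45 degree sectors
    r, theta = 37.0, 100.0                          # constructed user location
    r_t, a_t = dsc.transform(r, theta)              # what is sent over the air
    print("transmitted:", (r_t, a_t))
    print("exact ranging:", dsc.retrieve(r_t, a_t, 37.0))
    print("ranging +4 m, same annulus:", dsc.retrieve(r_t, a_t, 41.0))
    print("ranging +15 m, next annulus:", dsc.retrieve(r_t, a_t, 52.0))
    cands = dsc.candidates(r_t, a_t)
    print("eavesdropper's candidates:", cands, "L =", obfuscation_level(cands))
```

With m = 4 and n = 8 the user at (37 m, 100°) transmits (87 m, 190°); any ranging result in the annulus [25, 50) retrieves (37, 100) exactly, a result in the next annulus retrieves (62, 145) instead, and an eavesdropper is left with four candidates, one per annulus and one per sector, so L = 16 under the uniform-guessing assumption.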
4.4. Redundancy Check
A division can be further divided into subdivisions; then a related space of primary divisions is covered by several related spaces of subdivisions, as shown in Figure 3, where an equivalent matrix is used to depict the divisions of the AP's coverage. The transformation and retrieval of locations in a subdivision are the same as in a primary division. The subdivisions are designed as a redundancy check for the primary divisions to limit the deviation of retrieved locations.
The retrieved locations of the user should be the same in both types of divisions. Suppose that the retrieved radial coordinate of the user in the subdivisions is
. Then
is the final retrieved result if
. Otherwise, the AP measures the distance again or uses another method to obtain the final result. The pseudo-code of the retrieval process of DSC-LPP with the redundancy check is shown in Algorithm 2, where
contains the transformed radial coordinates of
in both the primary divisions and the subdivisions, and
contains the corresponding transformed angular coordinates.
and
are the retrieved results for
and
in iteration t (
) in the primary divisions, respectively, and similarly
and
are the retrieved results of iteration t in the subdivisions. The most recent c (
) retrieved results are used to estimate the final result if T, the maximum number of iterations, is reached.
Algorithm 2 Retrieving process of DSC-LPP with redundancy check
Input: , primary divisions, subdivisions, related space(s), cloaking space(s)
Output: final retrieved result
;
;
;
while and do
    t++;
    Get a new ranging result , and then calculate , , , according to , , , Equations (8) and (9);
    if then
        , ;
        break;
    else if then
        ;
        ;
        break;
    end if
end while
The final retrieved result is
Well-designed subdivisions do not reduce the obfuscation level achieved by the primary divisions.
Lemma 2. The subdivisions will not reduce the obfuscation level of DSC-LPP if and any division of includes at least one division of . and are the related spaces of subdivisions and primary divisions, respectively, .
Proof. Suppose that for -based DSC-LPP. If any division of includes at least one division of , then at least m different coordinates can be retrieved from any location in the cloaking space of . Consider that , then the obfuscation level of will not exceed . □
The designing process of subdivisions is similar to that of primary divisions except that the adjusting/merging process is not necessary for designing subdivisions, as each subdivision is a part of some primary division, and all the subdivisions should conform to the assumption in Lemma 2.
Lemma 3. If the condition of Lemma 2 holds, the false retrieval probability of is reduced compared with primary-division-only DSC-LPP. Suppose that each primary division includes subdivisions with the same width and included angle; then if and , the false retrieval probability of is given by Equation (12), where , and are the lower bound and width of the radial coordinates of subdivision , , , and P denotes probability.
Proof. According to Equations (8) and (10), if
falls into annulus i, the retrieved result has no deviation if
. Consequently, without subdivisions, the false retrieval probability of
is
If
, the final retrieved result will be achieved if
, that is,
Consider that in each primary division, at most an
x can let Equation (
14) to be true, then we have
If any primary division includes two or more subdivisions, then .
Furthermore, suppose that
,
, then, according to Equation (
8), we have
on the other hand, consider that
,
, we have
Equations (
16) and (
17) indicate that if
, we have
, and similarly,
, then we can conclude that the final retrieved result will be achieved if
. Finally, we have Equation (
12). □
In fact, for
and
, the false retrieval probabilities of
are the first and second terms on the right-hand side of Equation (12), respectively. Lemma 3 indicates that, with the same number of primary divisions, more subdivisions mean a smaller false retrieval probability if
.
Consider Figure 3 as an example. Suppose that the user is located in
; then the retrieved location is accepted only if the ranging result falls into the annuli of
,
,
, or
. Without the redundancy check, on the other hand, any ranging result and its retrieved location would be accepted. Therefore, the redundancy check improves the accuracy of retrieved locations.
In theory, more subdivisions result in a lower probability of retrieving an incorrect location, given enough iterations. In practice, more subdivisions also mean a higher probability of rejecting a correct retrieved location because of ranging error. For instance, in the example of the previous paragraph, if the ranging result falls into the annulus of , the retrieved result is rejected even though the result of the primary division is correct in this case, and a later ranging result may produce a final retrieved result in , which spoils a correct retrieval. Therefore, the subdivisions and the iteration threshold must be designed carefully according to the application environment.
Finally, auxiliary methods such as a majority vote over the accepted retrieved results can limit the probability of spoiling a correct retrieved location if there are enough iterations. For instance, Algorithm 2 can be repeated several times to obtain several final retrieved results. Since the possible retrieved locations of any transformed location are limited, the final retrieved result with the most votes is taken as the ultimate result. Considering that the ranging deviation of a line-of-sight (LoS) link follows a Gaussian distribution, in most LoS situations the probability of the ranging result falling into an incorrect division is lower than that of falling into the correct division, so the retrieval deviation is limited by the majority vote. If the majority vote is adopted, the iterations terminate when some retrieved location gets enough votes or the maximum number of iterations is reached.
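To make the redundancy check and the majority vote concrete, the following Python example (added here; it is not the paper's MATLAB code) re-implements Algorithm 2 for the radial coordinate only, with uniform primary annuli each split into b sub-annuli. It assumes that the cloaking annulus is the outermost primary annulus, that the cloaking sub-annulus is the outermost sub-annulus, that the median of the last c primary retrievals is used as the fallback when T is reached, and that LoS ranging noise is zero-mean Gaussian; all of these are choices of this example, not the paper's. It reproduces the three cases discussed above: agreement on the correct annulus, rejection of a correct primary result because the sub-annulus is off, and a false acceptance when the ranging result lands at the same offset inside a wrong annulus (the Lemma 3 case), and then compares primary-only retrieval, Algorithm 2, and Algorithm 2 with a majority vote on constructed input.

```python
import random
import statistics
from collections import Counter


class RadialDSC:
    """Radial coordinate only: m uniform primary annuli of width W, each split into b
    sub-annuli of width W/b. Cloaking annulus = outermost primary annulus, cloaking
    sub-annulus = outermost sub-annulus (assumptions of this example). With equal widths
    the scale factor is 1, so a transformed coordinate is simply
    'lower bound of the cloaking division + offset inside the real division'."""

    def __init__(self, m, b, radius):
        self.m, self.b, self.radius = m, b, radius
        self.W = radius / m        # primary annulus width
        self.w = self.W / b        # sub-annulus width

    def transform(self, r):
        """User side: transformed radial coordinate in the primary and the subdivisions."""
        i = min(int(r // self.W), self.m - 1)
        s = min(int(r // self.w), self.m * self.b - 1)
        r_t = (self.m - 1) * self.W + (r - i * self.W)
        r_ts = (self.m * self.b - 1) * self.w + (r - s * self.w)
        return r_t, r_ts

    def retrieve(self, r_t, r_ts, d):
        """AP side: primary and subdivision retrievals for one ranging result d."""
        d = min(max(d, 0.0), self.radius - 1e-9)
        r_hp = int(d // self.W) * self.W + (r_t - (self.m - 1) * self.W)
        r_hs = int(d // self.w) * self.w + (r_ts - (self.m * self.b - 1) * self.w)
        return r_hp, r_hs


def redundancy_check(scheme, r_t, r_ts, ranging, T, c=3, eps=1e-6):
    """Algorithm 2: accept the first ranging result whose primary and subdivision
    retrievals agree; if T results are exhausted, fall back to the median of the
    last c primary retrievals (this fallback estimator is an assumption)."""
    recent = []
    for _ in range(T):
        r_hp, r_hs = scheme.retrieve(r_t, r_ts, ranging())
        if abs(r_hp - r_hs) < eps:
            return r_hp, True
        recent.append(r_hp)
    return statistics.median(recent[-c:]), False


def majority_vote(scheme, r_t, r_ts, ranging, rounds, T):
    """Repeat Algorithm 2 and keep the radial coordinate with the most votes; the
    candidates are finite (one per annulus), so exact equality of values suffices."""
    votes = Counter()
    for _ in range(rounds):
        est, _ = redundancy_check(scheme, r_t, r_ts, ranging, T)
        votes[round(est, 6)] += 1
    return votes.most_common(1)[0][0]


def simulate(r_true, m=4, b=2, radius=100.0, sigma=5.0, trials=2000, T=10, rounds=5, seed=1):
    """Fraction of trials that retrieve r_true exactly with (a) primary divisions only,
    i.e. the first ranging result, (b) Algorithm 2, (c) Algorithm 2 plus majority vote.
    LoS ranging error is modelled as zero-mean Gaussian noise (constructed input)."""
    rng = random.Random(seed)
    scheme = RadialDSC(m, b, radius)
    r_t, r_ts = scheme.transform(r_true)

    def ranging():
        return r_true + rng.gauss(0.0, sigma)

    def hit(est):
        return abs(est - r_true) < 1e-6

    primary = sum(hit(scheme.retrieve(r_t, r_ts, ranging())[0]) for _ in range(trials))
    checked = sum(hit(redundancy_check(scheme, r_t, r_ts, ranging, T)[0]) for _ in range(trials))
    voted = sum(hit(majority_vote(scheme, r_t, r_ts, ranging, rounds, T)) for _ in range(trials))
    return primary / trials, checked / trials, voted / trials


if __name__ == "__main__":
    s = RadialDSC(m=4, b=2, radius=100.0)          # W = 25 m, w = 12.5 m
    r_t, r_ts = s.transform(37.0)                   # constructed true distance 37 m
    print(s.retrieve(r_t, r_ts, 30.0))  # both 37.0: agree, accepted, correct
    print(s.retrieve(r_t, r_ts, 40.0))  # 37.0 vs 49.5: primary right, sub-annulus off, rejected
    print(s.retrieve(r_t, r_ts, 55.0))  # both 62.0: agree but wrong (the Lemma 3 case)
    print(simulate(r_true=45.0))        # primary-only < Algorithm 2 <= majority vote
```

The false acceptance at 55 m is the event Lemma 3 bounds: the ranging result fell into the wrong primary annulus and into the sub-annulus at the same relative position inside it, so both retrievals agree on the wrong value. A single wrong acceptance of this kind is what the majority vote filters out, because the correct value is accepted far more often than any one wrong candidate under Gaussian ranging noise.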
5. Simulations
We use MATLAB to run the simulations and evaluate the performance of DSC-LPP. The maximum communication range of the AP is 50 m, and
. RSS is adopted as the ranging method, the transmission power is 20 dBm [29], and the ranging model is as follows:
where
is the received signal strength at distance r,
is the reference distance, and
dBm.
is the path-loss coefficient.
is the noise variable, and
except in Figure 10.
is the coefficient of radio irregularity in the direction from the user to the AP (degree a) [30], and
is expressed as:
where
is a Weibull random variable with shape parameter
and scale parameter
.
is the indicator of the degree of irregularity, and
is the set of integers. For degree
,
. To evaluate the original performance of DSC-LPP, we suppose that the AP is stationary and that the user can transmit sequential ranging signals at a small interval. Therefore, the impact of user mobility and radio irregularity on the ranging result can be incorporated in the noise (i.e.,
) in most cases, except in Figures 7b, 8 and 9. All results are evaluated over 10,000 tests. The location of the user in each test is generated randomly, and the maximum distance between the AP and the user is 100 m.
The width, included angle of primary divisions are the same, and the coverage of AP includes primary divisions. The relationship between primary divisions and subdivisions is the same as in Lemma 3, where in Figures 4–6 and Figure 11. The coordinates of each related space are continuous, i.e., . Consequently, the boundary of primary divisions will be considered if and ; that is, the final retrieved result will be modified to let in the above case.
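The following Python example (added here, not the paper's MATLAB simulation) implements the log-distance RSS ranging model of this section with Gaussian dB noise and inverts it to a distance estimate. The reference power, path-loss coefficient and noise standard deviation are assumed values, since the paper's figures are not reproduced here, and radio irregularity is omitted. It then measures how often the ranging result lands in the same annulus as the true distance, which is exactly the event that makes the primary retrieval of DSC-LPP error-free, and shows that a dB error becomes a multiplicative distance error, so outer annuli of a fixed width are retrieved less reliably than inner ones. This is the ranging-accuracy input that Step 1 of the design process asks for when choosing the annulus width.

```python
import math
import random

# Constructed parameters (the paper's values for the reference power and the path-loss
# coefficient are not reproduced here; these are typical figures assumed for illustration).
D0 = 1.0          # reference distance (m)
P_D0 = -40.0      # received power at D0 (dBm)
ETA = 3.0         # path-loss coefficient
SIGMA_DB = 2.0    # standard deviation of the dB noise term


def rss_at(r, noise_db=0.0, eta=ETA):
    """Log-distance path-loss model: received power (dBm) at distance r plus dB noise."""
    return P_D0 - 10.0 * eta * math.log10(r / D0) + noise_db


def range_from_rss(p_dbm, eta=ETA):
    """Invert the model: the distance at which the noiseless model yields p_dbm.
    A dB error X therefore maps to a multiplicative distance error 10**(-X / (10*eta)),
    i.e. the absolute ranging error grows with the true distance."""
    return D0 * 10.0 ** ((P_D0 - p_dbm) / (10.0 * eta))


def correct_annulus_rate(r, width, sigma_db=SIGMA_DB, trials=5000, seed=7):
    """Fraction of RSS ranging results that land in the same annulus (of the given
    width) as the true distance r: the fraction of primary retrievals DSC-LPP gets
    right on the radial coordinate without a redundancy check."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(trials):
        d_hat = range_from_rss(rss_at(r, rng.gauss(0.0, sigma_db)))
        ok += int(d_hat // width) == int(r // width)
    return ok / trials


if __name__ == "__main__":
    width = 25.0   # annulus width for m = 4 annuli over 100 m
    for r in (10.0, 40.0, 60.0, 90.0):
        print(f"r = {r:5.1f} m: P(correct annulus) = {correct_annulus_rate(r, width):.3f}")
```

With these parameters a 2 dB error is a factor of about 1.17 in distance, which is harmless at 10 m but moves a 90 m user out of a 25 m annulus in roughly a third of the measurements; this is why the redundancy check and the majority vote of Section 4.4 matter most in the outer annuli, and why the annulus width in Step 1 should follow the ranging accuracy at the edge of the coverage rather than at its centre.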
Figure 4a,b show the Cumulative Distribution Function (CDF) of the deviation of
. We set
, and the user can transmit T ranging signals to the AP continuously. Figure 4a indicates that fewer divisions mean a higher probability of accurate retrieval and lower security: the deviations of more than 99.57%, 94.79%, 88.53%, and 81.49% of the tests are less than 10 m for
,
,
, and
, respectively. It is worth noting that we use the raw RSS to estimate the distance in our simulation, and an advanced ranging technique is expected to increase the accuracy of retrieval further. In addition, a large number of primary divisions limits the large deviations. Figure 4b indicates that when
, the deviations of more than 93% of the retrieved angular coordinates are less than 10°. Therefore, DSC-LPP is also suitable for applications that are only concerned with the direction from the AP to the user.
Figure 5 shows the CDF of the deviation of
with different T, where
. The deviations of more than 97.07%, 96.39%, 94.79%, and 92.88% of the tests are less than 10 m for
,
,
, and
, respectively. More iterations therefore yield more correct retrieved results, while the impact of the number of iterations on large deviations is limited.
In Figure 6, the iterations are terminated when
. We suppose that the user is stationary in order to analyse the impact of the number of primary divisions on the convergence of DSC-LPP. More primary divisions evidently require more iterations, and the CDF of the number of iterations can help to determine T in practice. Moreover, it is feasible to complete the consecutive ranging tests within a short time. Figure 6 indicates that 95% of the tests converge within 4, 11, 24, and 35 iterations for
,
,
, and
, respectively.
In the following simulations,
except in Figure 11. Figure 7a indicates that the subdivisions improve the accuracy of retrieved locations effectively, and the best performance is achieved when
. Note that Lemma 3 shows that, in theory, the deviation of the retrieved location decreases as b increases; however, the limited number of iterations and the ranging error affect the performance of the redundancy check. Therefore, the best performance of the redundancy check is achieved with a different b when the number of iterations and the environment change.
In Figure 7b and the following mobile cases, the impact of radio irregularity cannot be ignored, where
,
,
. We suppose the user is a pedestrian with a speed of 3.6 km/h (1 m/s) whose moving direction changes randomly every second. The interval between broadcasts of the ranging signal is 1 s. Figure 7b indicates that with a proper value of b, the subdivisions reduce the deviation of retrieved locations in the walking case. Note that
means that only the primary divisions are adopted.
The performance of DSC-LPP in the stationary and mobile cases is compared in Figure 8; with an appropriate value of b, the impact of mobility (walking case) on the performance of the redundancy check is limited. Figure 8b shows the average deviation of the retrieved locations with different numbers of subdivisions; the redundancy check is useful when
. When
, the average deviation with the redundancy check exceeds that without it because of mobility and the limited number of iterations, so the subdivisions must be designed carefully in practice.
Figure 9 shows the deviation of retrieved locations at the speeds of pedestrians/robots (3.6 km/h), bicycles (18 km/h), unmanned aerial vehicles (36 km/h), and vehicles (72 km/h), where
. With a proper design of the subdivisions, the impact of mobility on the performance of the redundancy check is limited. It is worth noting that, in practice, the interval between consecutive transmissions for RSS ranging can be reduced to 100 ms [31], which further suppresses the impact of mobility on the performance of the redundancy check.
The impact of noise on retrieval performance reflects the robustness of DSC-LPP in different environments and helps to determine the LPP strategy. Figure 10a shows that the retrieval accuracy of DSC-LPP increases as the noise decreases. Therefore, other methods are needed to improve the performance of DSC-LPP in a harsh environment. For instance, the user can switch its LPP mode from DSC-LPP to cryptography when the link changes from LoS to non-line-of-sight (NLoS). Another candidate solution is to use one or several trusted assistant neighbour(s) to forward the ranging result between the user and its one-hop neighbour to the AP. Because all nodes use DSC-LPP, the AP can retrieve the locations of the nodes sequentially, from its own neighbour to the user.
Figure 10b shows the effectiveness of the assistant-neighbour-based solution. In the "one hop" case, the AP retrieves the location of the user from the user's own signal, which carries much noise (e.g., an NLoS link). In the other cases, the AP retrieves the location of the user from the signal of the assistant neighbour(s). The ranging result from the user to its one-hop neighbour is forwarded one, two, and three times in the "two hops", "three hops", and "four hops" cases, respectively, and all links have limited noise (i.e., LoS links).
Finally, we compare the retrieval performance of DSC-LPP with that of k-anonymity. Figure 11 indicates that the average retrieval accuracy of DSC-LPP is higher than that of k-anonymity. In k-anonymity, the other
dummy locations are the other possible retrieved locations in the same related space, and the AP retrieves the location by guessing.