Enabling Location Privacy Preservation in MANETs Based on Distance, Angle, and Spatial Cloaking

: Preserving the location privacy of users in Mobile Ad hoc Networks (MANETs) is a signiﬁcant challenge for location information. Most of the conventional Location Privacy Preservation (LPP) methods protect the privacy of the user while sacriﬁcing the capability of retrieval on the server-side, that is, legitimate devices except the user itself cannot retrieve the location in most cases. On the other hand, applications such as geographic routing and location veriﬁcation require the retrievability of locations on the access point, the base station, or a trusted server. Besides, with the development of networking technology such as caching technology, it is expected that more and more distributed location-based services will be deployed, which results in the risk of leaking location information in the wireless channel. Therefore, preserving location privacy in wireless channels without losing the retrievability of the real location is essential. In this paper, by focusing on the wireless channel, we propose a novel LPP enabled by distance (ranging result), angle, and the idea of spatial cloaking (DSC-LPP) to preserve location privacy in MANETs. DSC-LPP runs without the trusted third party nor the traditional cryptography tools in the line-of-sight environment, and it is suitable for MANETs such as the Internet of Things, even when the communication and computation capabilities of users are limited. Qualitative evaluation indicates that DSC-LPP can reduce the communication overhead when compared with k -anonymity, and the computation overhead of DSC-LPP is limited when compared with conventional cryptography. Meanwhile, the retrievability of DSC-LPP is higher than that of k -anonymity and differential privacy. Simulation results show that with the proper design of spatial divisions and parameters, other legitimate devices in a MANET can correctly retrieve the location of users with a high probability when adopting DSC-LPP.


Introduction
Location information makes wireless devices become location-aware data collection instruments, such as smartphones in Mobile Ad hoc Networks (MANETs) or vehicles in Vehicular Ad hoc Networks (VANETs) [1]. The applications of location information include Mobile Crowd Sensing (MCS) [2,3], geographic routing [4], Location-Based Service (LBS) [5], Online Social Networks (OSN) [6], Internet of Things (IoT) [7], mobile Wireless Sensor Networks (WSN) [8], etc. In these applications, mobile users report their locations to the server through the Access Point (AP) or the Base Station (BS) to acquire services. However, unexpected eavesdroppers could obtain users' location information during the reporting process, leading to a significant challenge for location information: how to protect users' location privacy [9]?
The system which needs to preserve the location privacy includes the server-side and the user-side. On the server-side, the attacker will try to capture the location information by attacking the • To our best knowledge, this is the first work that can protect location privacy in the wireless channel based on distance and ranging, while the retrievability of users' locations on the server-side can be retained without conventional cryptography. • The scheme of redundancy check for DSC-LPP has been proposed to improve the accuracy of retrieval. • The application of DSC-LPP in irregular areas has been investigated. • The solutions to improve the robustness of DSC-LPP in the harsh environment has been investigated. • The performance of the proposed methods has been evaluated by simulation, qualitative evaluation, and comparison.
In the following, we outline the related work in Section 2. We present the system and threat model in Section 3, and the detail of DSC-LPP is presented in Section 4. Section 5 depicts the performance evaluation of DSC-LPP based on simulation. The discussion of special cases, security evaluation, and the comparison between DSC-LPP and other LPPs are included in Section 6. At last, we conclude the paper in Section 7.

Related Work
To preserve location privacy, researchers have proposed different techniques. Spatial cloaking methods blur the locations of the users into a cloaked space, e.g., k-anonymity employs a trusted anonymizer to blur the locations of a group of at least k users, and then any user's location cannot be distinguished from at least (k − 1) other locations [10,13,14]. Space transformation transforms the locations of users into an encoded space such that the locations are irreversible for any devices without the transformation key; meanwhile, some spatial properties of the locations are maintained [15]. Dummy-based methods generate a group of dummies aside with the real location, and then the server cannot distinguish which one is the real location [16]. Differential privacy-based methods transform the locations of the users to an obfuscated location according to a preconfigured probability function, and for any two locations, their probability of being mapped to the obfuscated location are similar, such that the attacker cannot distinguish whether the obfuscated location is transformed from which location [17][18][19][20].
To protect users from the LE attack, Sanaa et al. utilized the fake point to confuse the attackers [21]. Arana et al. increased the localization error of attackers by controlling the transmission power [22]. Conventional cryptography is a primary method to protect location privacy from eavesdropping. However, computing overhead and the exchange of secret keys are the challenges for low power networks such as sensor networks [23]. k-anonymity and dummy techniques can be utilized for LPP in the wireless channel. Unfortunately, the retrieval of locations of users on the AP/server is challenging, making it not suitable for location reports such as location verification and geographic routing. K. P. N. Puttaswamy et al. partitioned location data based on users' social groups, and a user will transform its location into the virtual coordinate system before storing the location on untrusted servers. On the other hand, the member in the same group know the key of transformation, and then the other members can transform the virtual location into the real coordinate system [24].
T. Peng et al. enhanced the LPP by utilizing a Function Generator, which is responsible for generating the spatial transformation parameters in kNN queries. The user transforms its location into a pseudolocation, and, theoretically, other devices can retrieve the real location of the user by connecting the Function Generator [25].
The methods in [24,25] can maintain the retrievability of locations on the server-side, however, the utilization of cryptography and the third party limits the application environment of them. Therefore, the environments that DSC-LPP is adaptive should be as many as possible. An efficient way to achieve the above goal is to limit the computation and communication overhead of DSC-LPP. Moreover, the utilization of a third party should be limited.

System and Threat Model
Without the loss of generality, we consider a MANET with an AP. The AP needs to retrieve the specific location of the user, and it can estimate the distance between the user and itself via ranging technologies such as Time of Flight (TOF), Time of Arrival (TOA) [26], Received Signal Strength (RSS) [27], etc. A mobile user, which can localize itself with the assistance of a localization system such as the Global Positioning System (GPS), in the same MANET shares its location with the AP for certain desired services, and the location of AP is known. Additionally, all the unencrypted responses from the AP exclude any information that is strictly related to the user's real location, i.e., the trajectory tracking attack is limited. It worth noting that, in practice, any neighbouring node trusted by the user can retrieve the location of the user based on DSC-LPP.
We assume that conventional cryptography is not applied to the transmission of locations on the user-side. An eavesdropper in a public area is assumed to collect the locations of the user via eavesdropping the wireless channel between the user and the AP. The LE and other attacks are not included in our model. However, we will discuss some enhanced methods to limit the LE attack in Section 6. Figure 1 shows an example of the privacy attack in wireless channels, where the Attacker can eavesdrop the wireless channels of both User 1 and User 2 simultaneously. Since it is easy to achieve encrypted communication between APs and servers in most environments, the discussion and evaluation in the following of this paper is also adaptable to scenarios that the location of the user retrieved on the server.

Proposed Scheme for Location Privacy Preservation
The key idea of DSC-LPP is to transform the user's location into a cloaking space based on the user-AP distance. Then, the AP retrieves the user's location based on the ranging result.

DSC-LPP
Distance between the user and AP is the primary key for transforming and retrieving the location of users. Therefore, the distance information should not be included in any message to preserve the user's location privacy. That is, the user can transform its location into the cloaking space by calculating the distance between AP and itself, and AP can retrieve the user's location based on ranging only. The ranging result is with some deviation when compared with the real distance. Therefore, we utilize the normalized distance rather than the exact distance to transform the location to reduce the impact of ranging deviation on retrieving the location of the user.
In DSC-LPP, we divide the AP's coverage into m (m > 1) annuli. A group of annuli-based divisions compose a related space. Furthermore, any location in the related space will be transformed into cloaking space (a division in the same related space). To obfuscate locations in related space and to retrieve locations from the cloaking space correctly, the following requirements of DSC-LPP should be satisfied: (i) For any transformed location, its possible retrieved locations should not be unique.
(ii) For locations in the same annulus, their normalized distances are the same, and each division has only one transformation scheme. (iii) Locations in some cloaking space use the same retrieving method, that is, a cloaking space has only one associate related space and vice versa.
Requirement (i) ensures the obfuscation of transformed locations, i.e., any location in the cloaking space has two or more corresponding real locations. Requirements (ii) and (iii) avoid the ambiguity of retrieved locations, i.e., for any transformed location, its retrieved result is unique once the normalized distance is observed.
The commonly used notations we used in the following of this paper is shown in Table 1.

Primary Scheme
The relationship between Cartesian coordinates and the user-AP distance is non-linear, and then the requirements of DSC-LPP cannot be satisfied in some environments. Besides, the Cartesian coordinates will significantly increase the complexity of designing the divisions in practice. Instead of Cartesian coordinates, the polar coordinates and user-AP distance have a linear relationship, that is, it is feasible to let the transformation meets the requirements of DSC-LPP.
For the polar coordinates, the normalized distance is, in fact, the normalized radial coordinate. Then, the angular coordinate can be transformed based on the radial coordinate. A simple way to transform the angular coordinate is to divide the AP's coverage into n (n > 1) sectors based on angular coordinates, and each sector has a normalized angular coordinate. For instance, in Figure 2, division M i,j is generated based on annulus i and sector j, where i ∈ [1, m], j ∈ [1, n], and the lower bounds of radial and angular coordinates of each division are the normalized coordinates. The divisions we present above are the critical elements to DSC-LPP to enable location privacy preservation. In the rest of this paper, we assume that locations in the same related space use the same transformation scheme, an AP locates at the origin of the polar coordinate system. Specifically, suppose that the real location of the user is X u = (r u , φ u ), where r u and φ u are the radial and angular coordinates, respectively, and then the transformed location of the user is where T is the transformation function, N d and N c normalize the radial and angular coordinates based on r u and φ u , respectively. Withr u , the ranging result between user and AP, the retrieved location can be achieved as follows:Ẋ where R retrieves the location of the user from the cloaking space. Equations (1) and (2) show that DSC-LPP can retrieve the location of the user without error evenr u = r u except thatr u falls into another annulus. A redundancy check can reduce the influence of ranging results as it is shown in Sections 4.4 and 5 It is obvious that in DSC-LPP, a real location is obfuscated with other min (m, n) locations. Then the number of locations that are obfuscated can reflect the level of security. Inspired by the anonymity level of k-anonymity [28], we utilize L to reflect the obfuscation level of DSC-LPP: where P d and P c are the probabilities that an eavesdropper can guess out the real radial and angular coordinates, respectively, based on the transformed location. Then, the higher L means higher security of privacy.

Lemma 1.
In a related space, the maximum obfuscation level can be achieved if the divisions fall into different annuli, and L ≤ (1 − 1 m ).
Proof. Suppose that a related space includes k divisions, and all the divisions except M i,j and M i,j+1 fall into different annuli apart from i. IfX u = (r u ,φ u ), thenr u andφ u are the transformed radial and angular coordinates, respectively. u = 1, 2..., X 1 ∈ M i,j , X 2 ∈ M i,j+1 , and then, the retrieved radial coordinate is:ṙ where R d retrievesṙ u from the cloaking space. It is evident that, without ranging error, N d (r 1 ) = N d (r 2 ), then we haveṙ 1 =ṙ 2 ifr 1 =r 2 . Equation (4) indicates that the retrieved result in some annulus is unique for the same transformed radial coordinate. Consider that M i,j and M i,j+1 belong to the same annulus, according to Equation (4), we can retrieve at most (k − 1) different radial coordinates based onr u , i.e., P d = 1 k−1 . Note that the divisions can fall into at most k annuli, then we have P d ≥ 1 k , and similarly, In the following of this paper, we always assume that n ≥ m, k = m, and the divisions in a related space falls into a different annuli and a different sectors to ensure that L = (1 − 1 m ).

Transformation and Retrieval
Suppose that X u ∈ M i,j , then N d (r u ) = d i and W(r u ) = w i are the lower bound and width of radial coordinates of M i,j , respectively. Correspondingly, N c (φ u ) = α j and A(φ u ) = γ j are the lower bound and included angle of angular coordinates of M i,j , respectively, where φ u ∈ [0, 360°). The cloaking space of M i,j is M i ,j , and the coordinates in each related space are continuous. Consider the requirements in Section 4.1 and the general case; scale transformation is adopted to calculate the transformed coordinates as follows: where In Equations (5) and (7), d i and α j can be extracted based on the related space determined by N d (r u ) and N c (φ u ).
In practice, the lower bounds, the widths, and the included angles can be configured by either the AP or the user, and thus Equations (5) and (6) can be calculated once M i,j is determined.
It is easy to retrieve the radial coordinate from cloaking space once the ranging result,r u , is known.
For a specific division, the lower bound of angular coordinate can be implied by the lower bound of the radial coordinate. Let D extract the lower bound of angular coordinate based on the ranging result and cloaking space, then the retrieved angular coordinate in the general case iṡ where The transformation process of DSC-LPP (primary divisions) in the general case is shown in Algorithm 1, where the primary search method is adopted to demonstrate the transformation process clearly. It worth noting that the computation overhead can be reduced in practice by adopting other search methods such as the binary search. The primary divisions can be varied according to the environment and the security requirement, and a typical process of designing the primary divisions is as follows: Step 1: Determine the number of annuli (m) and sectors (n), the width of each annulus (w i ) and the included angle of each sector (γ j ) according to the requirement of security (e.g., obfuscation level), the characteristics of devices (e.g., mobility) and the environment (e.g., ranging accuracy), and let m ≤ n.
Step 2: Let the location of the receiver (e.g., base station) be the center, plot circles to divide the coverage of the receiver into m annuli according to w i , and plot radial lines from the center to divide the coverage of the receiver into n sectors according to γ j .
Step 3: Adjust and/or merge divisions according to the environment, and the essential requirement of adjusting/merging divisions is to ensure each related space includes m divisions (an example of this step is shown in Section 6.1).

Redundancy Check
A division can be further divided into subdivisions. Then a related space of primary divisions is covered by some related spaces of subdivisions, as it is shown in Figure 3, where we use the equivalent matrix to demonstrate the divisions in the coverage of AP. The transformation and retrieval of locations in a subdivision are the same as those in a primary division. The subdivisions are designed as the redundancy check for primary division to limit the deviations of retrieved locations. The retrieved locations of the user should be the same in different types of divisions. Suppose that the retrieved radial coordinates of the user in subdivisions isr u . Then,ṙ u is the final retrieved results ifr u =ṙ u . Otherwise, the AP will measure the distance again or use other methods to achieve the final result. The pseudo-code of the retrieving process of DSC-LPP with a redundancy check is shown in Algorithm 2, whereR u includes the transformed radial coordinates of X u in both the primary divisions and the subdivisions, andΦ u includes the transformed angular coordinates correspondingly. r u,t andφ u,t are the retrieved results of r u and φ u of iteration t (t > 0) in primary divisions, respectively, and similarly,r u,t andφ u,t are the retrieved results of iteration t in subdivisions. Recent c (c ≤ T) retrieved results are utilized to estimate the final results if T, the maximum iteration times, is reached. Get a new ranging resultr u , and then calculateṙ u,t ,r u,t ,φ u,t ,φ u,t according toR u ,Φ u ,r u , Equations (8) and (9); 9: ifr u =ṙ u then 10:r u =r u,t ,φ u =φ u,t ; 11: break; 12: else if t = T then φ u,t +φ u,t ; 15: break; 16: end if 17: end while 18: The final retrieved result is (r u ,φ u ) A well-designed subdivisions cannot reduce the obfuscation level achieved by the primary divisions. The designing process of subdivisions is similar to that of primary divisions except that the adjusting/merging process is not necessary for designing subdivisions, as each subdivision is a part of some primary division, and all the subdivisions should conform to the assumption in Lemma 2.

Lemma 3.
If the situation in Lemma 2 is real, the false retrieval probability ofẊ u is reduced when compared with primary division-only DSC-LPP. Suppose that each primary division includes b 2 subdivisions with the same width and included angle, then if X u ∈ M i,j S p,q and T → ∞, the false retrieval probability ofẊ u is where i ∈ [2, m − 1], l p and s p are the lower bound and width of radial coordinates of subdivision S p,q , d i < d i+1 , l p < l p+1 , and P denotes probability.
Proof. According to Equations (8) and (10), ifr u falls into annulus i, the retrieved result has no deviation if N d (r u ) = d i . Consequently, without subdivisions, the false retrieval probability ofẊ u is If T → ∞, the final retrieved result will be achieved ifr u =ṙ u , that is, Consider that in each primary division, at most an x can let Equation (14) to be true, then we have If any primary division includes two or more subdivisions, then P f Ẋ < P g Ẋ . Furthermore, suppose thatr u ∈ [d i+e , d i+e + w i+e ), (i + e) ∈ [1, m], then, according to Equation (8), on the other hand, consider that s Equations (16) and (17) indicate that if r u ≥ l p , we haveṙ u ≥ l p+eb , and similarly,ṙ u < (l p+eb + s p+eb ), then we can conclude that the final retrieved result will be achieved ifr u ∈ [l p+eb , l p+eb + s p+eb ). Finally, we have Equation (12).
In fact, for i = m and i = 1, the false retrieval probabilities ofẊ u are the first and second parts of the right-hand side of Equation (12), respectively. Lemma 3 indicates that with the same number of primary divisions, more subdivisions means the smaller false retrieval probability if T → ∞.
Consider Figure 3 as an example. Suppose that the user located in S 2,1 , then the retrieved location will be accepted if the ranging result falls into the annuli of S 2,1 , S 4,3 , S 6,5 , and S 8,7 . On the other hand, without the redundancy check, any ranging result and retrieved location will be accepted. Therefore, the redundancy check can improve the accuracy of retrieved locations.
Theoretically, the more subdivisions will result in the lower probability of retrieving an incorrect location if there are enough iterations. In practice, the more subdivisions mean the higher probability of ruining a correct retrieved location due to the ranging error. For instance, in the example of the above paragraph, if the ranging result falls into the annulus of S 1,1 , the retrieved result will be rejected. However, the retrieved result of the primary division is correct in such a case, and the later ranging result may achieve the final retrieved result in S 4,3 , which ruins a correct retrieved location. Therefore, it is necessary to design the subdivisions and the threshold of iterations carefully according to the application environment.
Finally, assistant methods, such as the majority vote for the accepted retrieved results, can limit the probability of ruining a correct retrieved location if there are enough iterations. For instance, Algorithm 2 can be repeated for several times, and then several final retrieved results are achieved. It worth noting that for any transformed location, its possible retrieved locations are limited. Consequently, the final retrieved result, which gets the most votes, is the ultimate result. Consider that the ranging deviation of the line-of-sight (LoS) link obeys the Gauss distribution. We can conclude that, in most cases of the LoS situation, the probability of the ranging result falling into an incorrect division is less than that of the ranging result falling into the correct division, and then the retrieval deviation is limited by the majority vote. If the majority vote is adopted, iterations will terminate when some retrieved location gets enough votes or the maximum iteration times are reached.

Simulations
We use MATLAB to launch the simulation and then evaluate the performance of DSC-LPP. The maximum communication range of AP is 50 m, besides c = 3. RSS is adopted as the ranging method, and the transmission power is 20 dbm [29], and the ranging model is as follows: where G(r) is the received signal strength at the distance of r. r 0 is the reference distance and G(r 0 ) = −35 dbm. η = 4 is the coefficient of path loss. F σ ∼ N(0, σ 2 ) is the noise variable, and σ = 1 except that in Figure 10. K a is the coefficient of radio irregularity on the direction from the user to the AP (degree a) [30], K a is expressed as: where Rand µ,ν is a Weibull random variable with the shape parameter of µ and the scale parameter of ν. DOI > 0 is the indicator of irregularity degree, and Z is the set of integers. For degree a ∈ (a − 1, a), K a = K a−1 + (a − a + 1)(K a − K a−1 ). To evaluate the original performance of DSC-LPP, we suppose that AP is stationary, and the user can transmit sequential ranging signal with a small interval. Therefore, the impact of mobility of users and radio irregularity on the ranging result can be incorporated in the noise (i.e., K a = 1) in most cases except that in Figures 7b, 8 and 9. All the results are evaluated based on 10,000 tests. The location of the user in each test is generated randomly, and the maximum distance between AP and the user is 100 m. The width, included angle of primary divisions are the same, and the coverage of AP includes k 2 primary divisions. The relationship between primary divisions and subdivisions is the same as in Lemma 3, where b = 8 in Figures 4-6 and 11. The coordinates of each related space are continuous, i.e., M = ∑ v S v . Consequently, the boundary of primary divisions will be considered if t = T and (r u ,φ u ) / ∈ M; that is, the final retrieved result will be modified to let (r u ,φ u ) ∈ M in the above case. Figures 4a,b show the Cumulative Distribution Function (CDF) of the deviation ofX u . We set T = 5, and the user can transmit T ranging signals to AP continuously. Figure 4a indicates that fewer divisions mean a higher probability of accurate retrieval and lower security, where the deviations of more than 99.57%, 94.79%, 88.53%, and 81.49% tests are less than 10 m for k = 2, k = 5, k = 10, and k = 15, respectively. It worth noting that we utilize the original RSS to estimate the distance in our simulation, and it is expected that an advanced ranging technology could increase the accuracy of retrieval further. Also, the large number of primary divisions can limit the large deviations. Figure 4b indicates that when k ≤ 5, the deviations of more than 93% retrieved angular coordinates are less than 10°. Therefore, we can conclude that DSC-LPP is also suitable for applications that only concern the direction from AP to the user.   Figure 5 shows the CDF of the deviation ofX u with different T, where k = 5. The deviations of more than 97.07%, 96.39%, 94.79%, and 92.88% tests are less than 10 m for T = 9, T = 7, T = 5, and T = 3, respectively. It can be concluded that more iterations result in more correct retrieved results, and the impact of iteration times on large deviations is limited.
In Figure 6, the iterations are terminated whenr u =ṙ u . We suppose that the user is stable to analyse the impact of primary division quantity on convergence of DSC-LPP. It is evident that more primary divisions result in more iterations, and the CDF of iterations can help to determine T in practice. Besides, it is feasible to finish the continuous ranging tests within a short time. Figure 6 indicates that 95% tests are converged within 4, 11, 24, and 35 iterations for k = 2, k = 5, k = 10, k = 15, respectively.  In the following simulations, k = 5 except that in Figure 11. Figure 7a indicates that the subdivisions can improve the accuracy of retrieved locations effectively, and the best performance is achieved when b = 2. Note that Lemma 3 reveals that the deviation of the retrieved location will decrease along with the increasing of b theoretically; however, the limited iterations and ranging error will affect the performance of redundancy check. Therefore, the best performance of the redundancy check will be achieved with different b when the iteration times and environment are changed.
In Figure 7b and the following mobile cases, the impact of radio irregularity cannot be ignored, where DOI = 0.005, µ = 0.67, ν = 0.16. We suppose the user is a walker with a speed of 3.6 km/h (1 m/s), and its moving direction changed randomly per second. The interval of broadcasting the ranging signal is 1 s. Figure 7b indicates that with the proper value of b, the subdivisions can reduce the deviation of retrieved locations in walking cases. Note that b = 1 means that only the primary divisions are adopted. The performance of DSC-LPP in stationary cases and the mobile cases are compared in Figure 8, and we can conclude that, with the appropriate value of b, the impact of mobility (walking cases) on the performance of redundancy check is limited. Figure 8b demonstrates the average deviation of the retrieved locations with different numbers of subdivisions, and we can conclude that the redundancy check is useful when b < 8. When b ≥ 8, the average deviation with redundancy check is over that of the case without redundancy check due to the mobility and the limited iterations, and therefore, it is necessary to design the subdivisions carefully in practice.  Figure 9 shows the deviation of retrieved locations with the speed of walking/robots (3.6 km/h), bicycles (18 km/h), unmanned aerial vehicles (36 km/h), and vehicles (72 km/h), where b = 5. We can conclude that with the proper design of subdivisions, the impact of mobility on the performance of the redundancy check is limited. It worth noting that, in practice, the interval consecutive transmissions for RSS ranging can be reduced to 100 ms [31], and then the impact of mobility on the performance of the redundancy check can be further suppressed. The impact of noise on retrieval performance can reflect the robustness of DSC-LPP in different environments and can help to determine the strategy of LPP. Figure 10a shows that the retrieval accuracy of DSC-LPP increases along with the decrease of noise. Therefore, it is necessary to use other methods to improve the performance of DSC-LPP in a harsh environment. For instance, the user can switch its LPP mode from DSC-LPP to cryptography when the link status changes from LoS to non-line-of-sight (NLoS). Another candidate solution is to utilize one or several trusted assistant neighbour(s) to forward the ranging result between the user and its one-hop-neighbour to the AP. It worth noting that because all the nodes utilize DSC-LPP, the AP can retrieve the locations of nodes from the neighbour of itself to the user sequentially. Figure 10b shows the effectiveness of the assistant neighbour-based solution. In the "one hop" case, the AP retrieves the location of the user based on the signal from the user with much noise (e.g., NLoS link). In the other cases, the AP retrieves the location of the user based on the signal from the assistant neighbour(s). The ranging result from the user to its one-hop-neighbour is forwarded one, two, and three times in the cases of "two hops", "three hops", and "four hops", respectively, and all the links are with limited noise (i.e., LoS link). Finally, we compare the retrieval performance of DSC-LPP with that of k-anonymity. Figure 11 indicates that the average retrieval accuracy of DSC-LPP is higher than that of k-anonymity. In k-anonymity, the other (k − 1) dummy locations are the other possible retrieved locations in the same related space, and the AP retrieves the locations by guessing.

Special Cases
In practice, the division of angular coordinates is optional, and Equations (6) and (9) can be simplified as a transformation based on r u andr u , respectively. On the other hand, the division of angular coordinates increases the flexibility of DSC-LPP. For instance, suppose M 4,4 in Figure 2 is the only division available for users in M, then the eavesdropper can infer the locations of users. To avoid the above weakness of DSC-LPP, we can merge M 4,4 into other related space(s) to obfuscate the locations of users.
It is common in reality that an irregular area is not available for most users, which results in some irregular areas that are available for users. Then the obfuscation level of some areas will be reduced in such a case. The reduction of obfuscation level can be avoided by merging an irregular area into its neighbouring division, as it is shown in Figure 12. As the unavailable area B divide M 4,1 into different parts, the obfuscation level of the related space of M 4,1 is reduced to 2 3 , to avoid the reduction of obfuscation level, the left part of M 4,1 is merged into M 4,4 . Because the upper bound of the angular coordinates of new M 4,4 is irregular, A(φ u ) is calculated as follows: where V (r u , φ u ) is the upper bound of the angular coordinates of the new M 4,4 when the radial coordinate is r u . Equation (20) indicates that for irregular boundaries, the transformation and retrieval of coordinates should consider the radial and the angular coordinates simultaneously. On the other hand, it is not necessary to merge the other irregular parts divided by B into their neighboring divisions, and the included angle of angular coordinates of new M 4,1 and the width of radial coordinates of M 3,1 can be calculated similarly to Equation (20). It is easy to prove that the obfuscation level in Figure 12 is still 0.75, as same as that in Figure 2. Finally, we can conclude that, in any case, the obfuscation level of DSC-LPP can be maintained if the coordinates of each division are continuous, and the number of divisions in each related space is as same as that in the original case (no irregular division existed).

Security Evaluation
Mobility is a primary concern in practice. DSC-LPP is designed for users to report their real-time locations rather than the past locations, and a user should re-localize itself if the delay between the recording and the transmitting time of location reaches some threshold. Thus the impact of mobility on the deviation of retrieved location is limited.
The scheme of "handover" should be designed carefully to avoid the revealing of locations. Any user in the overlapping area of different APs should select the appropriate related space to transform its location. Otherwise, the eavesdropper can infer the location of the user based on the relationship of divisions in different APs. A simple solution for "handover" is to generate the transformed location based on the related space of new AP if the last and current real locations are not in the same primary division of the current AP. Besides, conventional cryptography and k-anonymity can also be utilized to assist the "handover".
It worth noting that if the AP broadcasts the division scheme without any conventional encryption, the location privacy can still be protected in most scenarios. The first exception is that the eavesdropper is very close to the AP, where the eavesdropper can estimate the distance between the user and itself. The second exception is that the eavesdropper-user distance is much different from the distance between the eavesdropper and any other retrieved location. The third exception is the LE attack. Fortunately, once AP can avoid the approaching of an eavesdropper, e.g., AP is mobile, the above weaknesses can be eliminated by adopting TOF/TOA ranging and the dynamic transmission power [22]. Note that with TOF/TOA ranging, the user does not need to inform its current transmission power to the AP. Thus it is almost impossible for the eavesdroppers to estimate the accurate distance between it and the user.

Comparison
Consider that it is difficult for the attackers to steal the secret keys of a MANET; the location privacy of conventional cryptography is higher than other methods. Based on the system and threat model we assumed, the location privacy of k-anonymity and DSC-LPP depend on the anonymity level and the obfuscation level, respectively. The privacy level of differential privacy depends on the privacy budget.
According to the theories of some classic encryption methods and [19], the computation overhead of conventional cryptography is high. On the other hand, we assume that the other k − 1 locations of k-anonymity are generated by dummy techniques (to make it adaptable for sparse MANETs). Then the maximum computation overhead (complexity) of k-anonymity is O(k). Differential privacy obfuscates the location of the user to another one according to a pre-configured probability function; therefore, its computation overhead is low. For DSC-LPP, the computation overhead consumes in the process of matching the division (search i and j). In the worst case, the included angles of divisions in the same annulus are different from each other. Consider that it is convenient to store the boundaries of annuli in order, then the maximum computation complexity of DSC-LPP is O(log 2 n) by adopting the binary search (note that n ≥ m).
Consider that the length of ciphertext is larger than plaintext in some cases, then the communication overhead of conventional cryptography is various. Most of the dummy-based k-anonymity methods need to transmit k locations to the AP to avoid the eavesdropping attack. Then the communication overhead of k-anonymity is high. Differential privacy and DSC-LPP transmit only the transformed location to the AP; then, their communication overhead is as low as the primary transmission. It worth noting that the comparison here is for uplink only, and for location reports, the resource of uplink in a MANET is less than that of the downlink in typical cases.
With a secret key, the AP can retrieve the location of users directly. Therefore, its retrievability is prefect. In k-anonymity and differential privacy, the AP can retrieve the location of the user by guessing only. Then, the retrievability of k-anonymity and differential privacy is low. At last, our simulation results show that the AP can retrieve the locations of users with a high probability, and then the retrievability of DSC-LPP is high.
Finally, we can conclude that DSC-LPP can extend the applicable environments of k-anonymity as the comparison shows in Table 2.

Conclusions
In this paper, we proposed DSC-LPP based on distance, angle, and the idea of spatial cloaking. DSC-LPP is a solution for MANETs to preserve location privacy in the wireless channel while retaining the retrievability of locations on the server-side. DSC-LPP is suitable for sparse MANETs and location reports, and it can enhance the reliability of k-anonymity and other conventional LPPs by increasing the privacy between the user and the trusted third party. Retrievability is one of the main advantages of DSC-LPP, and simulation results show that, with the proper-designed parameters, AP can correctly retrieve the location of users with a high probability, even when the user is mobile. Additionally, the performance of DSC-LPP in the harsh environment can be improved by adopting adaptive strategies such as traditional cryptography or routing. Besides, Qualitative evaluation indicates that DSC-LPP can reduce the communication overhead when compared with k-anonymity, and the computation overhead is limited when compared with conventional cryptography. Meanwhile, the retrievability of DSC-LPP is higher than that of k-anonymity and differential privacy. In the future, we will investigate advanced division and "handover" schemes to improve the performance of DSC-LPP, as well as low-cost solutions for improving the performance of DSC-LPP in the harsh environment. The integration of DSC-LPP with conventional LPP methods is also a candidate topic. Besides, it is necessary to investigate other solutions, except "merging", for cases of irregular divisions to improve the flexibility of DSC-LPP.