Privacy-Preserving Location Sharing Services for Social Networks
Roman Schlegel, Member, IEEE, Chi-Yin Chow, Member, IEEE,
Qiong Huang, Member, IEEE, and Duncan S. Wong, Member, IEEE

Abstract—A common functionality of many location-based social networking applications is a location sharing service that allows a
group of friends to share their locations. With a potentially untrusted server, such a location sharing service may threaten the privacy of
users. Existing solutions for Privacy-Preserving Location Sharing Services (PPLSS) require a trusted third party that has access to the
exact location of all users in the system or rely on expensive algorithms or protocols in terms of computational or communication
overhead. Other solutions can only provide approximate query answers. To overcome these limitations, we propose a new encryption
notion, called Order-Retrievable Encryption (ORE), for PPLSS for social networking applications. The distinguishing characteristics of
our PPLSS are that it (1) allows a group of friends to share their exact locations without the need of any third party or leaking any
location information to any server or users outside the group, (2) achieves low computational and communication cost by allowing
users to receive the exact location of their friends without requiring any direct communication between users or multiple rounds of
communication between a user and a server, (3) provides efficient query processing by designing an index structure for our ORE
scheme, (4) supports dynamic location updates, and (5) provides personalized privacy protection within a group of friends by specifying
a maximum distance where a user is willing to be located by his/her friends. Experimental results show that the computational and
communication cost of our PPLSS is much better than the state-of-the-art solution.

Index Terms—Location privacy, location sharing services, order-retrievable encryption, location-based social networking, spatio-temporal
query processing


R. Schlegel is with the Corporate Research, ABB Switzerland Ltd., Baden-Dättwil, Switzerland.
C.-Y. Chow is with the Department of Computer Science, City University of Hong Kong, Kowloon, Hong Kong.
Q. Huang is with the College of Informatics, South China Agricultural University, China, and the Nanjing University of Information Science & Technology, Nanjing, China.
D.S. Wong is with the Security and Data Sciences Technology Division, ASTRI, Hong Kong.

Manuscript received 5 Feb. 2014; revised 17 Nov. 2015; accepted 21 Dec. 2015. Date of publication 4 Jan. 2016; date of current version 6 Oct. 2017.
Digital Object Identifier no. 10.1109/TSC.2016.2514338
1939-1374 © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.

MANY location-based service providers today provide users with services related to their locations by making use of GPS-enabled mobile devices, wireless communication and spatial database management systems. A popular type of such services is for a user to search for points of interest in the vicinity (e.g., dining and shopping). Recently, location-based services have been combined with online social networks, where user-generated, geo-tagged information is shared among people who are part of a social network. A common functionality of many existing location-based social networking systems is location sharing services that allow users to discover the current location of their friends and notify the users when a friend is in the vicinity or within a certain distance, e.g., Facebook’s Places [1], Foursquare [2], Google Plus [3], and Loopt [4].

Existing location-based social networking systems with location sharing services rely on a central server which receives location information from all users in the system. The problem with this approach is that the central server can generate a detailed movement profile of each user (e.g., the location, time and frequency of each place which has been visited by each user) and that raises privacy concerns [5], [6], [7]. Existing privacy-preserving location sharing schemes aim to protect the user location privacy against the central server, but they still allow the server to provide the user with the necessary services. However, in some existing schemes, the central server still knows the user’s approximate location [8], [9], [10], [11]. Other schemes require several messages to be exchanged not only between the user and the central server but also directly between the user and the user’s friends [12], [13], increasing the communication cost and making those schemes less practical. Other schemes only return approximate results [14], making them less useful. Peer-to-peer (P2P) systems, where users’ devices would directly communicate without an intermediate server are inherently difficult to realize in mobile phone networks as they typically make use of network address translation (NAT), restricting direct communication between devices in the process [15].

In this paper, we propose a new encryption notion, called Order-Retrievable Encryption (ORE); a new cryptographic protocol that realizes our Privacy-Preserving Location Sharing Services (PPLSS) for social networking systems. In particular, our ORE scheme enables users to browse their friends’ exact locations within a certain distance without revealing any information about their locations to any other users or a social networking service provider. The framework of our PPLSS consists of a database server (which is maintained by the social

networking service provider) and users. The users send their location information in encrypted form to the database server according to our ORE scheme. When a user wants to locate his/her friends in the vicinity, the user logs onto the social networking system, sends a location query (e.g., “Q1: Send me the location of my friends within 2 km of my current location”) to the database server, and obtains the requested location information in encrypted form based on our ORE scheme. The user then recovers the actual location of his/her friends from the encrypted information returned by the database server.

The key distinguishing characteristics of our PPLSS based on the proposed ORE scheme are: (1) Secure location privacy. PPLSS does not disclose any location information of its users to a central server or an eavesdropper, not even an approximate location, and does not require any third party. (2) Low computational and communication cost. It allows a user to receive the exact location information of his/her friends without requiring direct communication between users or multiple rounds of communication between a user and a server. (3) Index structure. We design an index structure for our ORE scheme to index encrypted locations of a group of friends to improve the efficiency of location query processing. (4) Efficient data updates. Our scheme supports highly dynamic location updates from individual users efficiently. (5) Personalized privacy within a group of friends. Each user is able to specify a maximum distance defining a personalized privacy region so that only those friends who are within the region can locate the user. The rationale behind such personalized privacy is that users may not want to share their locations with far-away friends as it might not be practical or necessary to share their location with friends at large distances.

Regarding security requirements, we consider the database server to be honest-but-curious, namely, the database server handles queries, stores data received from users and sends data to users who are making queries without tampering with the data. However, the database server also attempts to find out the location of users in the system. Note that the term “privacy-preserving” refers to the location privacy of users rather than keeping their identities private. In addition to the security analysis of our PPLSS, we also compare the performance of our scheme to that of the state-of-the-art cryptography-based scheme [16] through experiments. The results show that our PPLSS outperforms the work [16] in terms of both communication cost and query processing performance.

The rest of this paper is organized as follows: Section 2 gives an overview of our PPLSS and the ORE scheme. The details of our PPLSS are presented in Section 3. Section 4 extends the PPLSS to support personalized privacy. Section 5 discusses the security requirements of the ORE scheme and Section 6 gives an ORE construction which is implemented in our experiment and also provides its security analysis. Section 7 covers the security analysis of our PPLSS. Section 8 presents experimental results. Section 9 surveys related work and Section 10 concludes this paper.

2 OVERVIEW OF PPLSS AND ORE

In this section, we first describe the system model of our Privacy-Preserving Location Sharing Services for social networking applications, and then give the definition of our Order-Retrievable Encryption scheme.

2.1 System Model

Our PPLSS framework consists of a database server and a set of (mobile) users. The database server is maintained by a social networking service provider. Fig. 1 illustrates the PPLSS framework, in which each user sends his/her location in encrypted form according to our ORE scheme to the database server. When a user wants to query the exact location of his/her friends who are within a distance specified by the user, the user sends a location query in the form of a private location-based range query, like Q1 given in Section 1, to the database server. The database server is equipped with a privacy-aware query processor that has the ability to provide an exact query answer for the user based on the user’s encrypted location and his/her friends’ encrypted locations without knowing any location information about the query and the users. Finally, the user decrypts the query answer and browses his/her friends’ locations displayed on a road map. It is important to note that all user locations and location queries are encrypted using our ORE scheme (its definition will be described in Section 2.2) before they are sent to the database server.

Fig. 1. The system model of PPLSS.

In PPLSS, we assume that the database server is honest-but-curious, i.e., it follows our designed protocol, but it attempts to infer the user’s location. On the other hand, the user trusts his/her friends (i.e., other users in his/her friend list in the social network context). The user constructs a trusted group in which they share their locations through private location queries according to our ORE scheme. The security threat models and the security analysis of PPLSS will be given in Sections 6 and 7, respectively.

2.2 Order-Retrievable Encryption

As mentioned above, user locations (i.e., points) in the database server are always in encrypted form. When an “encrypted” query location of Q1 for a group of friends is received by the database server, the database server should determine for any two friends’ encrypted locations within the group which of them is closer to the encrypted query location. To achieve this, we use our proposed encryption notion ORE for geographical data.

An ORE scheme is a symmetric key encryption scheme with two additional functions: one is for generating encrypted query locations and the other one is for the database server to determine which one between two encrypted user locations is closer to an encrypted query location. The scheme is called ORE because the order of the encrypted user locations in terms of their distances from any given encrypted query location can be retrieved. Note that the actual distance information is not retrievable.

In the formal definition of ORE below, we assume that each distinct location in PPLSS can be represented uniquely using an element in a d-dimensional space and without loss

of generality, suppose that $R$ is the space of each dimension. One additional remark is that the ORE scheme defined below can be viewed as a collection of one-way functions [17] and this one-way function has the order retrievability property. In other words, our PPLSS framework does NOT need the decryption algorithm of the ORE scheme. Below are the details.

Definition 1. An Order-Retrievable Encryption scheme consists of four probabilistic polynomial-time (PPT) algorithms.

• $SK_G \leftarrow \mathrm{KGen}(1^{}, R)$. The symmetric key generation algorithm KGen takes a security parameter $\in \mathbb{N}$ and the dimensional space $R$ defined above, and outputs a symmetric key.
• $C \leftarrow \mathrm{Enc}(SK_G, P)$. The encryption algorithm takes $SK_G$ and a d-dimensional point $P \in R^d$, and outputs a ciphertext as an “encrypted” location.
• ${} \leftarrow \mathrm{QGen}(SK_G, Q)$. The query generation algorithm takes $SK_G$ and a query point $Q \in R^d$, outputs an “encrypted” query location.
• $C_b \leftarrow \mathrm{Cmp}({}, C_0, C_1)$. The comparison algorithm takes an encrypted query location and two encrypted locations $C_0$ and $C_1$, outputs $C_b$ for $b \in \{0, 1\}$ if

$$\mathrm{dist}(Q, P_b) \le \mathrm{dist}(Q, P_{1-b}), \tag{1}$$

where ${} \leftarrow \mathrm{QGen}(SK_G, Q)$ and $C_i \leftarrow \mathrm{Enc}(SK_G, P_i)$ for $i = 0, 1$, and $\mathrm{dist}(P, Q)$ represents the actual distance between two locations $P$ and $Q$. We stress that the function Cmp neither has $SK_G$ as input nor has to output any further information about the evaluation of dist other than which of $P_0$ and $P_1$ is closer to $Q$.

We note that there are two distinct encryption algorithms, Enc and QGen. Our ORE scheme uses different encryption algorithms for locations used as query locations (QGen) and for locations encrypted to compare them to a given query locations (Enc), hence these two distinct algorithms.

Optionally, a decryption algorithm can be defined as $P/\perp \leftarrow \mathrm{Dec}(SK_G, C)$, which takes $SK_G$ and a ciphertext $C$, and outputs a d-dimensional point $P \in R^d$ or $\perp$ indicating the failure of decryption. We do not require the domain of ciphertexts $C$ to be in any special form related to the plaintext space $R^d$. Also note that our PPLSS framework does NOT need the decryption function Dec. The pair $(\mathrm{KGen}, \mathrm{Enc})$ can be viewed as a one-way function collection indexed by $SK_G$. The security parameter relates the security strength of the ORE scheme to the security level of a secure symmetric key encryption scheme. For example, ${} = 80$ refers to the 80-bit security level [18]. Section 5 discusses the security requirements of the ORE scheme, and Section 6 provides an ORE construction, based on a scheme proposed by Wong et al. [19], and its security analysis.

ORE versus Order-Preserving Encryption. A related work called Order-Preserving Encryption (OPE) [20], [21] preserves the numerical ordering of the plaintexts in the ciphertexts. Formally, for any $A, B \subseteq \mathbb{N}$ with $|A| \le |B|$, an encryption family $E : K \times A \to B$ is order preserving if for all $i, j \in A$, $E(k, i) > E(k, j)$ if and only if $i > j$, for any $k \in K$, where $K$ is the key space of the encryption family. OPE is different from ORE. The OPE maintains the order information in encryption while ORE destroys the order information so that given any two ciphertexts encrypted using ORE, the order information is not preserved. Instead, the ORE ciphertexts can be used with an auxiliary function called Cmp which gets an encrypted query location involved, and the function Cmp can tell which of the two ciphertexts contain a location which is closer to the query location, i.e., the ordering is with respect to the distance to a query location. Though OPE has been used for many other applications such as efficient range queries, indexing and query processing, OPE does not have the function of Cmp as we defined in ORE, and therefore, is not known if it is possible to use OPE for constructing a privacy-preserving location sharing system. More discussions are given in Section 9.

3 PPLSS: PRIVACY-PRESERVING LOCATION SHARING SERVICES

In this section, we describe our PPLSS for social networking applications based on our Order-Retrievable Encryption scheme. We will first present the ORE scheme for PPLSS, and then propose an index structure that makes use of the relative distance information provided by the ORE scheme to improve query processing efficiency.

3.1 The ORE Scheme

The main idea of our PPLSS is that a user or a group initiator registers with the system to create a user group. The group initiator then adds friends to the user group and creates a shared group key $SK_G$ according to our ORE scheme and another shared data key $SK_D$ for AES [22] encryption of location data (this is needed as our ORE scheme does not require a decryption function, and the actual location data exchanged between users is therefore AES-encrypted). It is important to note that users or group initiators are not required to register with their real identity. They can use pseudonyms as long as their friends are able to recognize them (friends can also communicate their pseudonyms out-of-band, e.g., through email). After the shared group key $SK_G$ and the shared data key $SK_D$ are securely delivered to all group members, each member periodically reports his/her encrypted location to the database server. When a user logs onto the system and wants to browse the location of his/her friends within a certain user-specified distance, the user issues a location query with an encrypted query location and an encrypted location marker to the database server. The database server is able to provide an exact answer for the user without knowing any location information of the user and his/her friends. In general, the ORE scheme involves seven major message exchanges for three operations among a group initiator u, the database server, and u’s friends, as depicted in Fig. 2. The algorithms used in the ORE scheme are defined in Section 2.2, the symbols used in the ORE scheme are summarized in Table 1, and the three operations are explained in more detail below.

3.1.1 User Group Formation

A user u registers with the database server with an identity (or pseudonym) $ID_u$ and creates a user group G that includes u, i.e., u is the group initiator. The group initiator

can manage the members of G. Upon creation of G, a random group identifier $ID_G$ (e.g., a random 128-bit string) is created. The group initiator can then invite users to join G, and invited users can either accept or decline to join G. The group initiator generates two random shared keys: a shared group key $SK_G$ and a shared data key $SK_D$ for G and sends the shared keys to each new group member through a secure channel. The establishment of the secure channel can be done using conventional two-party authenticated key establishment protocols [23], [24]. To enable the removal of users from a group, e.g., defriending, the shared keys $(SK_G, SK_D)$ can be re-generated by the group initiator or any legitimate member in G. A user who is part of several groups will obtain the required keys for each group the user is a part of. Fig. 2 shows that this step involves Messages 1 to 3, where a group initiator u registers with the database server to create a group G (Message 1) and adds five members to G, i.e., $G = \{ID_u, ID_{m_1}, ID_{m_2}, \ldots, ID_{m_5}\}$ (Message 2). After u generates the shared keys $(SK_G, SK_D)$ for G, u sends the keys directly to each member in G through a secure communication channel (Message 3).

Fig. 2. Message flows in the ORE scheme for PPLSS.

Table 1. Key Symbols in the ORE or ORE-Index Protocol

| Symbol | Description | Algorithm |
|---|---|---|
| $Loc_u$ | Plaintext location of user u | - |
| $Loc_{marker}$ | Plaintext query marker point for ORE | - |
| $Loc_{R_i}$ | Plaintext location marker point of index ring $R_i$ for ORE-Index | - |
| $(Loc_{min}, Loc_{max})$ | Plaintext query marker points for ORE-Index | - |
| $dist_u$ | User-specified distance for a location query | - |
| $dist_{max}$ | User-specified maximum distance for ORE-Index | - |
| $dist_{priv}$ | User-specified privacy distance for a personalized privacy region | - |
| $SK_G$ | Shared group key for ORE | ORE.KGen |
| $SK_D$ | Shared data key for AES | AES.KGen |
| $C$ | Encrypted user location using ORE | ORE.Enc |
| $D$ | Encrypted user location using AES | AES.Enc |
|  | Encrypted query location or reference point using ORE | ORE.QGen |
| $c$ | Encrypted location marker using ORE | ORE.Enc |
| $k$ | Encrypted privacy marker using ORE for personalized privacy region | ORE.Enc |

3.1.2 User Location Update

After invited users agree to join the group G and receive the shared keys $(SK_G, SK_D)$ from the group initiator u, each member m in G periodically sends $\langle ID_G, C_m, D_m \rangle$ to the database server, where $ID_G$ is the group identity, $C_m$ is the ORE encryption of m’s location $Loc_m$, that is, $C_m \leftarrow \mathrm{ORE.Enc}(SK_G, Loc_m)$, and $D_m \leftarrow \mathrm{AES.Enc}(SK_D, Loc_m \| ID_m \| r_m)$ is the AES encryption of m’s location, the identity $ID_m$ (or pseudonym) of m in G, and a random number $r_m$. If m belongs to n different groups, i.e., $G_1, \ldots, G_n$, m will encrypt its location using ORE.Enc under each of $SK_{G_1}, \ldots, SK_{G_n}$ and AES.Enc under each of $SK_{D_1}, \ldots, SK_{D_n}$ to generate $C_{m_i}$ and $D_{m_i}$, respectively, for each group $G_i$, where $1 \le i \le n$, and send $\langle (ID_{G_1}, C_{m_1}, D_{m_1}), \ldots, (ID_{G_n}, C_{m_n}, D_{m_n}) \rangle$ to the database server. The location sent to the database server is always encrypted, so at no point is the server able to determine the actual location of a user. Fig. 2 illustrates the two messages exchanged in this step, where the encrypted location of the group initiator u (Message 4) and that of other members in the group G (Message 5) are reported to the database server.

Notice that besides ORE, we also use AES to encrypt each group member’s location. The purpose of including the AES encryption is to improve the communication efficiency of the next step, namely, location query processing. We will see in Section 6 that the ciphertext of ORE is about 40 times bigger in size than that of AES. Hence, we use an additional AES module for sending encrypted locations when answering a location query below. This is also the reason why the ORE scheme does not need the decryption algorithm (see Section 2.2).

3.1.3 Location Query Processing

Location query generation (by user). If a user u logs onto the system and wants to view the exact location of his/her friends within a user-specified distance $dist_u$, u generates a location query by (1) encrypting its current location $Loc_u$ using the query encryption ORE.QGen under $SK_G$ to generate an encrypted query location, that is, ${}_u \leftarrow \mathrm{ORE.QGen}(SK_G, Loc_u)$, (2) randomly selecting a query marker $Loc_{marker}$ which is a point on the circle centered at $Loc_u$ with a radius of $dist_u$, and (3) encrypting $Loc_{marker}$ using the location encryption ORE.Enc under $SK_G$, that is, $c_u \leftarrow \mathrm{ORE.Enc}(SK_G, Loc_{marker})$. Then, u sends the location query $\langle ID_u, ID_G, {}_u, c_u \rangle$ to the database server.

Query processing (by server). Given the location query from the user u, the database server first finds all the members in G with group identifier $ID_G$. Suppose there are n members in $G = \{m_1, m_2, \ldots, m_n\}$. The database server then performs a sequential scan of G by executing the comparison algorithm ORE.Cmp for the encrypted location of each member in G based on u’s encrypted query location ${}_u$ and query marker $c_u$. If $C_{m_i} \leftarrow \mathrm{ORE.Cmp}({}_u, C_{m_i}, c_u)$ for some $1 \le i \le n$, it means that the actual location of the member $m_i$ is located within the distance $dist_u$ of u; $D_{m_i}$ is added to an answer set A (note that only the AES encryption of member $m_i$’s location $D_{m_i}$ is included, but $C_{m_i}$ is not). After performing the comparison algorithm for each member in G,

the answer A is sent to u. Finally, u uses AES.Dec to decrypt the location of each friend in A under the shared data key $SK_D$ locally and u can browse their location information displayed on an underlying road map.

Fig. 3 depicts u’s specified distance $dist_u$ and the exact locations of u and other members in u’s group G. $Loc_{marker}$ is a point on the circle centered at u with a radius of $dist_u$. After u generates a location query, the query is sent to the database server (Message 6 in Fig. 2). Our ORE scheme enables the database server to compute that there are two members $m_2$ and $m_5$ within distance $dist_u$ from u without letting the database server know any location information of u or any other member in G. In Message 7, the AES encrypted locations of $m_2$ and $m_5$, i.e., $D_2$ and $D_5$, respectively, are returned to u.

Fig. 3. A location query example.

3.2 ORE-Index: The ORE Scheme with an Index Structure

In a typical location-based social networking system (e.g., Google Latitude [25]), when a user u logs onto the system, a location query is automatically sent to the database server. Then, the database server periodically evaluates the query answer to allow u to keep track of the exact location of his/her friends within u’s specified distance $dist_u$. The ORE scheme using the sequential scan proposed above takes $O(n)$ time to evaluate the location query answer, where n is the number of members in u’s group G, because the database server has to perform the comparison algorithm ORE.Cmp for each member in G.

Although the number of friends of each user is usually not large,¹ using the sequential scan approach to process a large number of location queries at a high frequency, i.e., with a small evaluation time interval, would put a considerable computational burden on the database server. In fact, many users would be subscribing to the location sharing service through their mobile devices,² and the evaluation period for their location queries should therefore be as small as possible to provide more accurate location information of their friends. To avoid sequential scan of the members in G for each query evaluation, in the following we propose a tree-like index structure for managing the ORE encrypted data. We call the structure ORE-Index and it aims to improve the efficiency of processing location queries. Although index structures have previously been proposed for location-based queries [27], they rely on the assumption that the database server knows the location information of all users; they are not applicable to PPLSS where the database server does not have the location information of users or queries.

1. Average Facebook user has 130 friends [26].
2. There are more than 200 million active users currently accessing Facebook through their mobile devices [26].

3.2.1 Basic Idea

When a user u generates an initial location query, u estimates a circular region in which it will be located for a certain time period, e.g., one hour. A simple way to calculate the radius of the region $dist_{max}$ is multiplying the time period by the maximum legal speed in the system area. More sophisticated ways can be used to compute $dist_{max}$, as the index structure does not have any assumption on how $dist_{max}$ is computed. The index structure is built based on a set of encrypted location markers and an encrypted reference point generated by u to index the members in u’s group G. Once established, the index structure will be used to evaluate u’s location queries. Note that the estimation of $dist_{max}$ will not affect the answer accuracy; it only influences the frequency of rebuilding the index, which becomes necessary whenever the required search area of u’s location query is outside the region defined by $dist_{max}$. In general, our PPLSS using the ORE-Index scheme has two major phases, namely, index construction and location query processing.

3.2.2 Index Construction

Index construction request (by user). The generation of an index construction request requires a querying user u to determine a radius $dist_{max}$ for a circular area A in which u will be located for a certain time period. The database server only needs to build the requested index once and then u can reuse the index as long as the required search areas of u’s subsequent location queries are within A. A is then divided into N non-overlapping rings (or donut shapes), i.e., $R_1, R_2, \ldots, R_N$, (note that the innermost shape is in fact a circle). For each ring $R_i$, a point with the maximum distance to u’s location $Loc_u$ is randomly selected as a location marker $Loc_{R_i}$. Then, $Loc_u$ is encrypted using the query encryption ORE.QGen as an encrypted reference point of an index, i.e., ${}_u \leftarrow \mathrm{ORE.QGen}(SK_G, Loc_u)$, and each $Loc_{R_i}$ is encrypted using the location encryption ORE.Enc, i.e., $c_i \leftarrow \mathrm{ORE.Enc}(SK_G, Loc_{R_i})$ as the encrypted location of a node in the index. u sends an index construction request along with the encrypted reference point and the set of encrypted location markers to the database server, i.e., $\langle ID_u, ID_G, {}_u, c_1, c_2, \ldots, c_N \rangle$.

Notice that our scheme has no assumption about N and the width of each ring, i.e., the rings of an index can have different widths. In practice, N can be a user or system parameter. A larger N requires u to generate a larger set of encrypted location markers which incurs a higher cost of generating an index construction request. However, a larger set of encrypted location markers results in an index with more levels which improves query processing efficiency by reducing the number of false positives in a candidate answer. The detail of the query processing step will be discussed in Section 3.2.3. Thus, N can be adjusted as a trade-off between the cost of generating an index construction request on the client side and the query processing efficiency. For simplicity, we adjust N relative to u’s specified search range $dist_u$ in a location query, i.e., $N = \lfloor dist_{max} / (dist_u \times a) \rfloor$, where $a$ ($a > 0$) is a system

parameter to tune the performance trade-off. A smaller $a$ leads to an index with more levels, and vice versa.

Index construction (by server). When the database server receives the index construction request from the user u, ${}_u$ is used as the encrypted reference point $I_u$ for an index structure $I_u$ and the server uses a top-down approach to build $I_u$ based on the (one-dimensional) relative distance information between the encrypted reference point and each encrypted location marker. Starting from the root node, the 1-st to N-th ring are split into two groups with respect to a key computed as $c_i$, where $i = \lfloor (1 + N)/2 \rfloor$; hence, one group contains the 1-st to the i-th ring and the other group contains the $(i + 1)$-st to the N-th ring. The root node keeps $c_i$ as a key. Then, these two groups are recursively split until each leaf node contains only one ring. Each leaf node maintains a member list of the members in G located within the area of the corresponding ring. The database server also maintains a hash table, where an entry contains a member identity with a pointer to the leaf node whose member list contains the member. A singularly linked list is built on these member lists to facilitate range searches.

Fig. 4 shows an index structure $I_u$ for a querying user u, where u’s location $Loc_u$ (represented by a cross) is encrypted using ORE.QGen as an encrypted reference point ${}_u$ and u’s specified region A is divided into four rings $R_1$ to $R_4$. On the outer boundary of each ring $R_i$ ($1 \le i \le 4$), a point is randomly selected as a location marker $Loc_{R_i}$ (represented by a triangle), which is encrypted using ORE.Enc as $c_i$. To construct $I_u$, the key of the root node is $c_2$, as $\lfloor (1 + 4)/2 \rfloor = 2$. The key of its left child is $c_1$, as $\lfloor (1 + 2)/2 \rfloor = 1$. The key of its right child is $c_3$, as $\lfloor (3 + 4)/2 \rfloor = 3$. Since each leaf node corresponds to one ring, the construction of $I_u$ is complete (Fig. 4b).

Fig. 4. Index construction.

Index maintenance (by server). Since $I_u$ is constructed based on u’s set of encrypted location markers, no split and merge operations are necessary on insertion and deletion, respectively. Three operations are required to maintain $I_u$. (1) Insertion. To insert a member m with an encrypted location $C_m$ into $I_u$, we first check whether m is located in u’s specified region A. If $\mathrm{ORE.Cmp}(I_u, c_N, C_m)$ returns $c_N$, m

list. Then the hash table is updated accordingly. (2) Deletion. When a member m logs off from the system or moves outside the user’s specified region A, m will be deleted from $I_u$. To do so, we access the hash table to find the leaf node whose member list contains m, and then remove m from the member list. (3) Update. When a member m moves from ring $R_i$ to ring $R_j$, where $i \ne j$, we perform the deletion operation to remove m from $R_i$ and then perform the insertion operation to insert m to $R_j$.

Fig. 5a shows that five members, $m_1$ to $m_5$, in user u’s group G are within u’s specified region A. These five members are inserted into $I_u$. For member $m_1$, since $\mathrm{ORE.Cmp}(I_u, c_2, C_{m_1})$ returns $C_{m_1}$, we descend to the left child. Then, since $\mathrm{ORE.Cmp}(I_u, c_1, C_{m_1})$ returns $c_1$, we descend to the right child. As a leaf node $R_2$ is reached, $m_1$’s AES and ORE encrypted locations $(D_1, C_1)$ are added to its member list. Similarly, other members $m_2$ to $m_5$ are inserted into $I_u$ (Fig. 5b).

Fig. 5. Location query processing.

3.2.3 Location Query Processing

Location query generation (by user). A location query is periodically sent to the database server by the user u to keep track of the locations of his/her friends within u’s specified distance $dist_u$. To generate a location query, u computes a required search area as a circle with a radius of $dist_u$ centered at its location $Loc_u$. Note that u can reuse the index built by the database server (i.e., no index construction request is needed) as long as the required search area is within the region A of the index. u finds two points $Loc_{min}$ and $Loc_{max}$ that are the closest and farthest points, respectively, within the required search area compared to the original query point which was encrypted as a reference point when its index construction request was generated. Then, $Loc_{min}$ and $Loc_{max}$ are encrypted by using the location encryption as $c_{min} \leftarrow \mathrm{ORE.Enc}(SK_G, Loc_{min})$ and $c_{max} \leftarrow \mathrm{ORE.Enc}(SK_G, Loc_{max})$, respectively, and $Loc_u$ is encrypted using the query encryption as ${}_u \leftarrow \mathrm{ORE.QGen}(SK_G, Loc_u)$. The location query $\langle ID_u, ID_G, {}_u, c_{min}, c_{max} \rangle$ is sent to the database server.

Query processing (by server). When the database server receives a location query, it searches the index structure $I_u$
is outside A and m will not be inserted into I u . Otherwise, of u for cmin and cmax with respect to its encrypted refer-
the server navigates I u recursively from the root node to ence point. For cmin , the search starts from the root node
insert m. Starting from the root node with a key ci , if with key ci , if ORE:CmpðI u ; ci ; cmin Þ returns cmin , we
ORE:CmpðI u ; ci ; Cm Þ returns Cm , we search its left subtree; search its left subtree; otherwise, we search its right subtree.
otherwise, we search its right subtree. This procedure is This process is repeated until a leaf node nmin is reached.
repeated until a leaf node is reached where m’s AES and Likewise, a leaf node nmax is found for cmax . The server
ORE encrypted locations (Dm ; Cm ) are added to the member then goes through the member list of every node between

n_min and n_max (inclusive) and adds their members to a candidate answer set A. Since I_u only considers one-dimensional relative distance information, there may be some false positives in A. Thus, for each member m in A, the server performs a filtering step by using the comparison algorithm in the ORE scheme. If ORE.Cmp(u, c_min, C_m) returns c_min, m is removed from A. After that, a set of the AES encrypted locations of the members in A is returned to u as a query answer.

Fig. 5 depicts a location query of u with a location Loc_u in our running example, where the shaded circle indicates the required search area defined by dist_u. Loc_min and Loc_max are represented by triangles. Since the required search area is within the region A of the index (Fig. 4), u can reuse the index to process the location query without requesting the database server to construct a new index. The database server finds a leaf node n_min for the encrypted form of Loc_min, c_min, i.e., n_min = R_2, and a leaf node n_max for c_max, i.e., n_max = R_3. All the members in the member list of every leaf node from R_2 to R_3 are added to A, i.e., A = {(D_1, C_1), (D_2, C_2), (D_3, C_3)}. After removing false positives from A, one member remains in A = {(D_1, C_1)} and a query answer {D_1} is returned to u.

4 PERSONALIZED PRIVACY REGIONS

In this section, we further improve the privacy of individual users in our PPLSS using the ORE or ORE-Index scheme by allowing them to define their personalized privacy regions. In the ORE and ORE-Index schemes described in Sections 3.1 and 3.2, respectively, the querying user u is theoretically free to choose a location marker at a considerably larger distance than is practical (e.g., 1,000 km). The database server would return all friends in u's group within that distance, allowing u to learn their location even though there is no practical need to know their location at such large distances. Personalized privacy regions are an extension to the PPLSS which help prevent this situation, by allowing individual users to specify a maximum distance dist_priv up to which members of their groups are allowed to locate them. dist_priv is chosen by each individual user and it is applied whenever other users of the group run location queries. This means that even when a user runs a location query with a location marker at a distance of 1,000 km, if all other users of the group have defined a privacy region of 1 km, the query will only return people at most 1 km away from the location of the querying user (because for all other users their privacy region requirements would not be met).

The main idea of personalized privacy regions is exemplified in Fig. 6, where user Q runs a location query with friend y at location P_y as one of Q's group members. User y has defined a privacy region with a maximum distance dist_priv^y, which is represented by a circle centered at y with a radius of dist_priv^y, by randomly selecting a privacy marker Loc_priv^y on the boundary of y's privacy region. Consider that Q runs a location query with a range distance dist_Q which includes y, but Q is outside the privacy region of y (Fig. 6a), the database server will not return the location of y in the answer set. If, on the other hand, Q is inside the privacy region of y (Fig. 6b), the database server will return the location of y as part of the answer to Q.

Fig. 6. In (a) the privacy region requirement of y is not satisfied, while in (b) it is satisfied.

In the following, we will describe our ORE and ORE-Index schemes for PPLSS when extended with personalized privacy regions.

4.1 Extension to the ORE Scheme

We will discuss how to extend our ORE scheme to support personalized privacy regions.

4.1.1 User Group Formation

The user group formation step is identical to the group formation for the ORE scheme in Section 3.1.1.

4.1.2 User Location Update

When having personalized privacy regions, the difference to the location update of the ORE scheme described in Section 3.1.2 is that a user not only updates its own location but also sends information about his/her privacy region. To this effect, each user decides on his/her personal privacy region by choosing a distance dist_priv. When doing a location update, a user u picks a privacy marker Loc_priv^u by randomly selecting a point on the circle with radius dist_priv^u centered at u's location Loc_u. u then encrypts Loc_priv^u using the location encryption ORE.Enc under SK_G, i.e., k_u ← ORE.Enc(SK_G, Loc_priv^u). In addition to calculating C_u ← ORE.Enc(SK_G, Loc_u) and D_u ← AES.Enc(SK_D, Loc_u ‖ ID_u ‖ r_u) (where r_u is a random number), u encrypts its location Loc_u using the query encryption ORE.QGen under SK_G, i.e., u ← ORE.QGen(SK_G, Loc_u). u will then send the location update ⟨ID_G, C_u, D_u, k_u, u⟩ to the database server.

Notice that if u belongs to multiple groups G_1, ..., G_n, u is able to specify a different dist_priv for each group based on u's desired privacy requirements, e.g., u is willing to always disclose location information to his/her family, i.e., dist_priv = ∞, but only a small privacy region, e.g., dist_priv = 1 km, for his/her colleagues. When u generates a location update, u encrypts a privacy marker for each group G_i under the corresponding shared group key SK_{G_i} and sends the location update ⟨(ID_{G_1}, C_{u1}, D_{u1}, k_{u1}, u1), ..., (ID_{G_n}, C_{un}, D_{un}, k_{un}, un)⟩ to the database server.

4.1.3 Location Query Processing

When using personalized privacy regions, the location query processing is divided into two parts. In the first part, the database server checks which members in the group are within the distance specified by the querying user, as described in


Section 3.1.3. In the second part, for each member m_i in an answer set A, the database server checks whether the querying user is within the privacy region of m_i. If this is not the case (i.e., the privacy requirement of m_i is not met), m_i is removed from the answer set A.

The generation of a location query is similar to the ORE scheme in Section 3.1.3. When requesting location sharing services, a user u will send a location query along with his/her encrypted location using the ORE scheme ⟨ID_u, ID_G, C_u, u, c_u⟩ to the database server, where u ← ORE.QGen(SK_G, Loc_u) and c_u ← ORE.Enc(SK_G, Loc_marker^u). In the first part, for each member m_i of the group with identity ID_G except u, the database server runs the comparison algorithm ORE.Cmp(u, C_i, c_u). Whenever the comparison returns C_i, m_i is added to an answer set A. In the second part, for each member m_j in the answer set A, the database server runs the comparison algorithm again, this time for the privacy marker, by calculating ORE.Cmp(j, C_u, k_j). Whenever the algorithm returns C_u, the querying user u is inside the privacy region of m_j, and thus, m_j remains in the answer set A. However, if the comparison returns k_j, m_j is removed from A. Finally, a query answer that contains the AES encrypted location of each remaining member in A is returned to u.

Fig. 7 shows an example where a group of user u contains four friends m_1 to m_4 and u's specified distance dist_u is represented by a dotted circle. The first part of the query processing uses the comparison algorithm ORE.Cmp to find that two members with C_2 and C_4 are within dist_u of u, and thus, they are added to an answer set A, i.e., {m_2, m_4}. The second part of the query processing removes C_2 from A because u is outside the privacy region of m_2. Finally, m_4's AES encrypted location, {D_4}, is returned to u.

Fig. 7. The ORE scheme with personalized privacy regions.

4.2 Extension to the ORE-Index Scheme

The extension of the ORE-Index scheme to support personalized privacy regions is very similar to the ORE scheme. The only difference is that the database server first searches the index constructed for a querying user u to find a candidate answer set A. For each member m_i in A, if the ORE comparison algorithm ORE.Cmp indicates that (1) m_i is a false positive as in the original ORE-Index scheme (Section 3.2.3) or (2) the querying user is outside m_i's privacy region, m_i is removed from A. After that a set of the AES encrypted location of each remaining member in A constitutes a query answer returned to u.

In addition to the correctness requirement below, a secure ORE encryption should satisfy two additional requirements, confidentiality of encrypted points and confidentiality of query points. We start with the correctness requirement as

1. Correctness. For all shared group key SK_G ← KGen(1, R) and P_0, P_1, Q ∈ R, where P_0 and P_1 are two plaintext location points and Q is a plaintext query location point, we have C_b ← Cmp(QGen(SK_G, Q), Enc(SK_G, P_0), Enc(SK_G, P_1)) if and only if dist(Q, P_b) ≤ dist(Q, P_{1−b}) where b ∈ {0, 1} and dist(P, Q) represents the actual distance between two locations P and Q.

2. Data Confidentiality. We require that an adversary A should not be able to recover the plaintext points from their encrypted form. More precisely, there are two levels to consider for the data confidentiality requirement:

• Level 1: A observes a set of ciphertext points {C_i}_{1≤i≤n} and also knows a set of plaintext points {P_j}_{1≤j≤n}, but does not know which ciphertext point in {C_i}_{1≤i≤n} corresponds to which plaintext point in {P_j}_{1≤j≤n}. Now given a new ciphertext point C, A is to output the corresponding plaintext point P ∈ R^d.
• Level 2: A knows the correspondence of plaintext points in {P_i}_{1≤i≤n} and ciphertext points in {C_i}_{1≤i≤n}. Now given a new ciphertext point C, A is to output the corresponding plaintext point P ∈ R^d.

The adversary A above can be considered as a malicious Social Network Service Provider (SNSP) which has access to the encrypted locations of users when the users update their locations. The malicious SNSP may also obtain the plaintext locations of some of the users.

3. Query Confidentiality. This requirement concerns the confidentiality of the query location, namely, an adversary A should not be able to find out a query location Q from its encrypted form ← QGen(SK_G, Q). We may also consider the adversary as a malicious SNSP which tries to recover the location of a user making a query. In particular, given a set of ciphertext points {C_i}_{1≤i≤n}, a set of encrypted query locations {j}_{1≤j≤ℓ}, and a challenging encrypted query location ← QGen(SK_G, Q) for a randomly picked query Q, A is to find out Q.

In the next section (Section 6), we will describe how to construct a secure ORE scheme.

We now describe a construction of the Order-Retrievable Encryption defined in Section 2.2. The construction is based on an encryption scheme recently proposed by Wong et al. [19]. We call their scheme the WCKM encryption scheme. The WCKM encryption scheme matches our definition of an ORE scheme. The rest of this section contains the following three aspects.

1) Review the WCKM basic encryption scheme according to the ORE definition given in Section 2.2
2) Describe a new attack showing that the basic scheme does not satisfy Level 1 of Data Confidentiality given in Section 5

3) Describe the final extended WCKM encryption scheme

Below is the review of the WCKM basic encryption scheme according to our ORE definition (Section 2.2):

Symmetric Key Generation. Suppose that all the points are in a d-dimensional space and R is the space of each dimension. Given a security parameter in N and dimension space R, KGen outputs a symmetric key SK_G as a randomly chosen invertible (d+1) × (d+1) matrix where each element is in R. In the following, we assume that all elements in matrices and vectors are in R, and R is of integers in a certain range, which will be defined in each concrete scheme.

Encryption. Given SK_G and a point P, which is a d-element vector (p_1, p_2, ..., p_d) ∈ R^d, the encryption algorithm Enc prepares a (d+1)-element vector P̂ as follows:

\[ \hat{P} = \begin{pmatrix} p_1 \\ p_2 \\ \vdots \\ p_d \\ -0.5\,\|P\|^2 \end{pmatrix} \tag{2} \]

and calculates a ciphertext point C = SK_G^T P̂, where ‖P‖ represents the Euclidean norm of point P. Note that ‖P‖² can be represented by P · P where · represents the scalar product.

Decryption. Given SK_G and a ciphertext point C which is a (d+1)-element vector (c_1, c_2, ..., c_{d+1}) ∈ R^{d+1}, the decryption algorithm Dec recovers the original point P by computing

\[ P = \pi_d \left(SK_G^{T}\right)^{-1} C, \tag{3} \]

where (SK_G^T)^{-1} is the inverse of SK_G^T and π_d removes the (d+1)-th dimension by setting π_d = (I_d, 0) with I_d the d-dimensional identity matrix and "0" a column vector of zeros. π_d is thus a d × (d+1) matrix.

Query Generation. Given SK_G and a query point Q = (q_1, q_2, ..., q_d) ∈ R^d, the query generation algorithm QGen picks a random r > 0 and creates a (d+1)-dimensional point Q̂ as

\[ \hat{Q} = r \begin{pmatrix} q_1 \\ \vdots \\ q_d \\ 1 \end{pmatrix} \]

and calculates a ciphertext query point Y = SK_G^{-1} Q̂.

Comparison. Given two ciphertext location points C_0 and C_1 and one ciphertext query point Y, suppose that C_i ← Enc(SK_G, P_i) for i = 0, 1 and Y ← QGen(SK_G, Q) where P_0, P_1, Q ∈ R^d. The comparison algorithm Cmp calculates the following to determine which ciphertext location point is closer to the encrypted point Y:

\[ (C_0 - C_1) \cdot Y > 0. \tag{5} \]

If so, the output is set to C_0; otherwise, the output is set to C_1.

In the following, we analyze the security of the WCKM encryption scheme and show that besides the settings suggested in [19], additional conditions have to be introduced in order to ensure its security against Level 1 of Data Confidentiality requirement defined in Section 5.

6.1 Security Analysis

In [19], the authors described a bruteforce attack which entails a total of ^nP_{d+1} = O(n^{d+1}) trials of potential symmetric keys that an adversary needs to try if a set of n ciphertexts {C_i}_{1≤i≤n} and plaintext points {P_j}_{1≤j≤n} are given but the correspondence between the ciphertexts and plaintexts are not known. In each trial, the adversary performs no more than n decryptions. Hence as stated in [19], if n = 10K and d = 2 (i.e., a two-dimensional geographical data set), the adversary has to spend more than 310 years to test out all trial symmetric keys if the adversary can perform 1M decryptions per second. This bruteforce attack falls in the setting of Level 1 of Data Confidentiality given in Section 5.

We observe, however, that the setting (n = 10K, d = 2) may not be secure enough for achieving 80-bit security (i.e., = 80) which is considered as the minimum security requirement for symmetric key security [18]. First of all, we can see that the number of trial symmetric keys is ^{10K}P_3 < 2^40. The estimation given in [19] relies on the assumption that the adversary can perform at most 1M decryptions per second. This might be the case if the adversary can unleash the computational power of only a few machines. However, as finding the symmetric key SK_G will enable the adversary to access the entire database, there is a strong incentive to devote more resources to the cracking task. One example is to make use of a botnet which usually contains hundreds of thousands of nodes [28]. Some botnets even have more than one million computers that can be utilized by an adversary to launch a bruteforce attack. Suppose 100K computers in a botnet are involved in the cracking task and each of them can run 10K decryptions per second, then the time required for finding SK_G in the example above will be significantly reduced to just four months.

A New Bruteforce Attack. We propose a new bruteforce attacking technique which is different from the one described in [19], while it will be more effective in recovering the key SK_G when the value of d is small, as in the example above. For each row of π_d (SK_G^T)^{-1} (in Equation (3)), there are d+1 elements and each element is in R. The scalar product of row i of π_d (SK_G^T)^{-1} and the (d+1)-element vector C (in Equation 3) is the i-th element of the corresponding plaintext point P. A bruteforce attack can be launched which can find out the i-th row of π_d (SK_G^T)^{-1}. The bruteforce attack can be launched independently for each row of π_d (SK_G^T)^{-1}. Once all the d rows of π_d (SK_G^T)^{-1} are found, the adversary is then able to decrypt all the other ciphertexts by following the decryption algorithm (in Equation 3).

Let (e_{i,1}, e_{i,2}, ..., e_{i,d+1}) ∈ R^{d+1} be the d+1 elements on the i-th row of π_d (SK_G^T)^{-1}. For each trial sequence of (e_{i,1}, e_{i,2}, ..., e_{i,d+1}), the adversary performs a decryption for each ciphertext in {C_i}_{1≤i≤n} and checks if the i-th element in the decrypted point is equal to the i-th element of any plaintext

in {P_j}_{1≤j≤n}. This is carried out for all the n ciphertexts in {C_i}_{1≤i≤n}. If all the checks are passed, then the adversary finds the correct (e_{i,1}, e_{i,2}, ..., e_{i,d+1}).

The total number of trial values for (e_{i,1}, e_{i,2}, ..., e_{i,d+1}) is |R|^{d+1} for each row of π_d (SK_G^T)^{-1}. Since the bruteforce attack can be launched independently for each row, the total number of attempts that the adversary needs to try for finding the values of all the d rows of π_d (SK_G^T)^{-1} is d|R|^{d+1}. Depending on the cardinality of R, the adversary may spend less effort to crack the system. Suppose that d = 2 and R = [−1K, 1K]. Then the total number of possible candidates for SK_G is 2 × 2000^3 ≈ 2^34 which does not satisfy 80-bit symmetric key security.

6.2 The Final ORE Construction

To defend against the new bruteforce attack above, the dimension d of the scheme can be augmented, for example, by setting d ≥ 80. In this way, even if SK_G is a binary matrix, the scheme can still provide at least 80-bit symmetric key security against the bruteforce attack above.

For Level 2 of Data Confidentiality (Section 5), dimension augmentation is not enough as the adversary knows the correspondence between the ciphertexts in {C_i}_{1≤i≤n} and the plaintext points in {P_i}_{1≤i≤n}. Hence the adversary can recover SK_G after getting d + 1 pairs of plaintext points P_i and their encrypted counterparts C_i. In the following, we review a technique called secret splitting configuration which was proposed in [19]. The technique can be used to achieve Level 2 of Data Confidentiality.

Instead of generating one transformation matrix, we now choose two matrices for the ORE scheme, e.g., SK_{G0} and SK_{G1}. For every extended location point p (i.e., a point augmented with random dimensions) to be encrypted, we split it into two parts p_a, p_b so that p = p_a + p_b. Note that for any query point q it holds that p · q = p_a · q + p_b · q. We then encrypt p_a and p_b under SK_{G0} and SK_{G1}, respectively, e.g., C_a ← SK_{G0}^T p_a and C_b ← SK_{G1}^T p_b. A query point q is also encrypted twice, namely, we compute Y_a ← SK_{G0}^{-1} q and Y_b ← SK_{G1}^{-1} q. We then have C_a · Y_a + C_b · Y_b = p_a · q + p_b · q = p · q = C · Y. The same technique can also be applied to the query point. That is, we can choose to split a query point to two parts, e.g., q = q_a + q_b, and encrypt each part under the corresponding secret key.

However, as analyzed in [19], the split technique alone does not improve the security. Therefore, we consider the secret splitting configuration. Specifically, we choose a secret configuration, which is a vector of bits, e.g., b ← (b_1, ..., b_d)^T where b_i ∈ {0, 1} for i = 1, 2, ..., d. If b_i = 1, we split p_i (the i-th entry of a location point p) to two parts, e.g., p_i = p_{a,i} + p_{b,i}, and copy q_i (the i-th entry of a query point q) twice, e.g., q_{a,i} = q_{b,i} = q_i; otherwise, we split the q_i to two parts, e.g., q_i = q_{a,i} + q_{b,i}, and copy p_i twice. The configuration is secretly shared among all the users in the same group. We then have Σ_{i=1}^{d} (p_{a,i} q_{a,i} + p_{b,i} q_{b,i}) = p · q. Since the configuration is unknown to the adversary and there are in total 2^d many possible choices, the enhanced scheme is 2^d more costly for the adversary to break than the original ORE scheme.

7 THE SECURITY ANALYSIS OF OUR PPLSS USING ORE AND ORE-INDEX

There are different security aspects to consider in our Privacy-Preserving Location Sharing Services for social networking applications. In the following, we start with a security model.

7.1 Security Model

In our security model, we consider the database server as an adversary which tries to locate one user in a group of n users, all of which are mutually friends with each other. The group is denoted as G = {u_1, u_2, ..., u_n} where the secret keys shared by the group members are (SK_G, SK_D). The adversary (i.e., the database server) has access to data received from all the members in G. It can also collude with eavesdroppers and all other users in the system who are not in G. We say that the adversary is considered to have broken our PPLSS if the adversary is able to find out the location of any user in G solely from the data received from the n group members u_1 to u_n. We do not consider physical or side-channel attacks such as the adversary finding out a user's location through other means, for example, by tracking the cell towers that are communicating with the user. Once again, a privacy-preserving location sharing system is for protecting the location privacy of users. The adversary knows the identity (or pseudonym) of each user in the system.

We also assume that the database server is curious but honest. It might try to determine the locations of users as described above, but it will run the algorithms honestly without denying service to any user. We also assume that no user in G colludes with the adversary. A user possesses the secret keys for encryption and decryption and would thus be able to decrypt all location information from other users if he/she colluded with the database server. Therefore, users are assumed not to share the secret keys SK_G and SK_D with the server. However, the database server can have secret keys of all other users in the system who are not in G.

7.2 Location Privacy against Service Provider

In our PPLSS, all the points sent to the server by users in the system are encrypted either using our ORE scheme introduced in Section 2.2 (i.e., C_i, i, c_i and k_i) or using AES [22] encryption (i.e., D_i). Because the encryption does not preserve distance, the server cannot gain any information from the encrypted points alone. Furthermore, the only operation possible on the encrypted points is relative distance comparisons, but without knowing the corresponding actual location of at least two points even distance comparisons do not reveal useful information. In the following, we consider the correlation of several types of encrypted points.

Query/Normal Points. In general, the database server can only run the following distance comparisons:

1) An encrypted location query point and an encrypted query marker c or an encrypted user location point C_u
2) An encrypted user location point u (for the personalized privacy region scheme) and an encrypted privacy marker k_u or an encrypted location query point

3) An encrypted location query point c_min (or c_max) and an encrypted reference point I_u or the encrypted key c_i of a node in index I_u

Because distances are not preserved for encrypted points, the database server can only run comparisons between points. For an arbitrary user at location Loc_u (given as C_u), the database server can only determine if Loc_u is closer to Q (given as ) than Loc_marker (given as c). The case of Loc_u farther away than Loc_marker does not reveal any additional information, and the case of Loc_u being closer than Loc_marker does not narrow down the possible region of a user either as the database server does not know the value of dist. However, in practice users tend to choose dist in some predictable way, for example, 1 km for users who are walking. In this way, the database server may be able to tell whether a user x is in proximity of the querying user while another user, say user y is not. Nevertheless, the database server may only find out their relative proximity rather than their exact locations.

8 EXPERIMENTAL RESULTS

To evaluate the performance of our Privacy-Preserving Location Sharing Services using the Order-Retrievable Encryption with the sequential scan scheme and ORE with the proposed index structure (ORE-Index), and also to compare them to the state-of-the-art cryptography-based privacy-preserving query processing technique for spatial data, namely, the CRT scheme described in [16], we implemented a simulator in Java to run both our ORE and ORE-Index schemes and the CRT scheme [16]. CRT is an interactive protocol for location queries over spatial data, making use of R*-trees and cryptography-based transformations on location data to protect the privacy of the data. In all experiments, we generated a set of moving users on the road network of Hennepin County, Minnesota, USA, as illustrated in Fig. 8. The input road network is extracted from the Tiger/Line files that are publicly available.3 The total area of the Hennepin County is 1,571 km^2. The road map has 57,020 edges and 42,135 vertices. Users are initially distributed among the vertices, and then move along the roads at speeds between 50 and 70 miles per hour. Unless mentioned otherwise, the default number of friends per user (the user group size) is 5,000, and users issue location queries with a query range distance dist of 1 km and an index area with a radius dist_max of 10 km. For the ORE-Index scheme, the default index height is three, i.e., an index contains eight rings. With the default dist_max and index height, the default index ring width is 1.25 km, and hence, the default ratio of the query range distance dist to the index ring width is 1/1.25 = 0.8. All experiments were run on a machine with an Intel Core 2 Duo 3.16GHz CPU and 3.25GB of RAM.

3. U.S. Census Bureau. Topologically Integrated Geographic Encoding and Referencing system (TIGER). www/tiger/

Fig. 8. The road network of Hennepin County, MN, USA.

8.1 Comparing ORE and CRT

We first compared our ORE scheme with the CRT scheme. Although several schemes were proposed in [16], CRT is the only one which offers the same strong privacy guarantees as our ORE scheme. Because both CRT and ORE target the mobile environment, we focused on comparing their communication cost. Our ORE scheme only returns the exact results to the user, while CRT requires the user to run several rounds (navigating an encrypted R-tree) and filter the returned results locally.

Fig. 9. Communication cost of CRT and ORE (dist).

Fig. 10. Communication cost of CRT and ORE (group size).

Comparing ORE and CRT when varying the range distance of location queries, i.e., dist, gives the results shown in Figs. 9a and 9b for group sizes of 1,000 users and 50,000 users, respectively. The result shows that our ORE scheme typically needs to transfer less than half the amount of data than CRT for small groups, and about two thirds of the amount of data as the group size grows larger. ORE is especially more efficient if the query range distance is comparatively small. Fig. 10a shows the comparison of the communication cost for dist = 1 km where up to a group

Fig. 11. Query time of ORE and ORE-Index (group size). Fig. 13. ORE-Index scheme (the ratio of the query range distance to the
index ring width).
size of 100,000 users the cost of ORE is a small fraction of the cost of CRT. The difference gets smaller as the query range distance increases to 5 km (Fig. 10b), but ORE still requires only half to two thirds of the data transmitted compared to CRT.

8.2 Comparing ORE and ORE-Index
The second experiment was designed to compare the efficiency of the ORE scheme with the ORE-Index scheme. Because both schemes return the exact result to the user, the amount of data transmitted is identical. We therefore focused the comparison on the query time, i.e., the processing time required by the database server to run a query. The result shown in Fig. 11a confirms that the ORE-Index scheme is indeed an order of magnitude more efficient in terms of query processing time than the ORE scheme for relatively small query range distances dist, i.e., 1 km. This is due to the fact that the ORE scheme always has to search sequentially through all users in a group, while the ORE-Index scheme only compares the users in the relevant rings of the index. For larger query distances, i.e., 5 km, ORE-Index still requires only half the processing time, or even less than half as the number of users increases (Fig. 11b).

8.3 Effect of Parameters of ORE-Index
The ORE-Index scheme has a number of parameters which influence its performance. We looked at the two most important parameters among them. The first parameter is the height of an index structure. If the area covered by an index, i.e., $dist_{max}$, remains constant, varying the index tree height means varying the width of the index rings. Increasing the height of the index results in thinner rings (with a smaller total area) and vice versa. Fig. 12 shows how the required query processing time for the database server varies with the index height from two to five levels, where the group size is 5,000 users. For smaller query range distances (Fig. 12a), increasing the height from two to three (corresponding to going from three to seven rings) will yield significant improvement, while deeper trees result in somewhat smaller gains. For larger query range distances (Fig. 12b), the performance continues to improve as the index structure contains more levels.

Another important parameter of the ORE-Index scheme that influences the query processing time required by the database server is the ratio between the query range distance dist and the ring width: a ratio below one signifies that it is more likely that only one index ring has to be searched, while a ratio larger than one means that at least two index rings always have to be searched. However, if the query range distance remains fixed, a smaller ratio results in a much larger area being covered by the index, resulting in more users per index ring.

Fig. 13 shows the evolution of the query processing time as the ratio varies from 0.25 to 2.5 with the same number of index rings, for 1 km and 5 km queries. For a ratio of 0.25 (meaning that the width of an index ring is four times the query range distance), the query processing time required by the database server is the highest, due to the fact that the index area is large, with each ring containing many users. As the ratio increases, the query processing time drops, most significantly until it reaches 0.75. Larger ratios only marginally decrease the query processing time. For larger query range distances (Fig. 13b) there is a special effect for a ratio of one, resulting in longer query processing time than a ratio of 0.75 or 1.5. On the other hand, increasing the ratio means that the index has to be rebuilt more often, because the total index area is proportionally smaller and a querying user will leave the index area of a previously built index sooner. A ratio of 0.75 therefore seems to be an acceptable compromise between good query performance (in terms of query processing time) and the frequency with which the index has to be rebuilt.
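The trade-offs described in Sections 8.2 and 8.3 can be reproduced with a small plaintext model, added here as an illustration; it is not the authors' ORE-Index code and performs no encryption. The equal-width rings around a fixed anchor, the function names and the lattice of friends are all assumptions made for the example.

```python
import math

# Plaintext model only (assumption): equal-width rings around a fixed anchor,
# no encryption. Function names and sample data are hypothetical.

def build_ring_index(anchor, friends, ring_width, num_rings):
    """Bucket friends into concentric rings around `anchor`.
    Friends outside the index area (radius ring_width * num_rings) are skipped."""
    rings = [[] for _ in range(num_rings)]
    for fid, pos in friends.items():
        ring = int(math.dist(anchor, pos) // ring_width)
        if ring < num_rings:
            rings[ring].append(fid)
    return rings

def rings_to_search(offset, dist, ring_width, num_rings):
    """Rings that can hold a friend within `dist` of a querier who is `offset`
    away from the anchor (triangle inequality). None means the query disc
    leaves the index area, so the index would have to be rebuilt."""
    if offset + dist > ring_width * num_rings:
        return None
    lo = int(max(0.0, offset - dist) // ring_width)
    hi = min(int((offset + dist) // ring_width), num_rings - 1)
    return range(lo, hi + 1)

def sequential_query(querier, dist, friends):
    """Baseline: compare the querier against every friend in the group."""
    hits = sorted(f for f, p in friends.items() if math.dist(querier, p) <= dist)
    return hits, len(friends)

def indexed_query(querier, dist, ratio, friends, anchor=(0.0, 0.0), num_rings=7):
    """Ring-index query with ring width = dist / ratio.
    Returns (hits, friends compared, index radius); hits is None on rebuild.
    The index is rebuilt on every call only to keep the model short."""
    width = dist / ratio
    rings = build_ring_index(anchor, friends, width, num_rings)
    wanted = rings_to_search(math.dist(anchor, querier), dist, width, num_rings)
    if wanted is None:
        return None, 0, width * num_rings
    candidates = [f for r in wanted for f in rings[r]]
    hits = sorted(f for f in candidates if math.dist(querier, friends[f]) <= dist)
    return hits, len(candidates), width * num_rings

# Constructed sample data: one friend on every point of a 1 km lattice.
FRIENDS = {(x, y): (float(x), float(y))
           for x in range(-30, 31) for y in range(-30, 31)}

if __name__ == "__main__":
    for querier in ((0.3, 0.0), (2.0, 0.0)):
        print("querier", querier, "sequential:", sequential_query(querier, 1.0, FRIENDS))
        for ratio in (0.25, 0.75, 2.5):
            print("  ratio", ratio, indexed_query(querier, 1.0, ratio, FRIENDS))
```

With this constructed data and a 1 km query issued 0.3 km from the anchor, the indexed query compares 45, 5 and 9 friends at ratios 0.25, 0.75 and 2.5, against 3,721 for the sequential scan. At ratio 2.5 a querier who has moved 2 km from the anchor already falls outside the 2.8 km index area, while the ratio 0.25 index (28 km) still answers the query.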

Fig. 12. ORE-Index scheme (index levels).

In this section, we survey the privacy-preserving techniques for conventional location-based services, spatial data outsourcing, and location sharing services.

Location-based services. The problem of user location privacy in location-based services has been addressed from several angles before. Examples include techniques such as k-anonymity or location cloaking, where the location of a user is expanded to include $k - 1$ other users [8], [9], [10], [11]. Another approach uses oblivious transfer or private information retrieval to allow a user to retrieve points of interest without the server knowing what was retrieved [29], [30], [31]. In conventional location-based services, the information held by the server (points of interest) is static, while the information held by the user (i.e., the user location) is dynamic. If location-based services are used for locating friends, on the other hand, then all information is dynamic, i.e., both the information held by the user (his/her own location) and the information held by the server (the location of all users). Privacy-preserving query processing schemes designed for conventional location-based services (such as store finders, etc.) are therefore usually not directly applicable to location-based services for locating friends, i.e., location sharing services for social networks.

Spatial data outsourcing. An order-preserving encryption scheme [20], [21] protects outsourcing data by using a bucket-based encryption $E$ such that $E(x) < E(y)$ for every pair of values for which $x < y$. However, since the order-preserving encryption scheme can only protect data in simple numerical domains, it cannot easily be extended to protect spatial data. Another approach described in [32] for outsourcing data uses homomorphic encryption⁴ to enable aggregate SQL queries over encrypted databases. The scope is very limited, though, focusing only on simple numerical domains and aggregate queries in SQL. Furthermore, the scheme has been shown to be insecure in [33].

4. Homomorphic encryption allows addition and/or multiplication to be performed over ciphertexts such that it corresponds to the same operation over the plaintext, i.e., $\varepsilon(x) + \varepsilon(y) = \varepsilon(x + y)$, and/or $\varepsilon(x) \cdot \varepsilon(y) = \varepsilon(x \cdot y)$.

For spatial data, one approach to preserve privacy in spatial datasets is to transform or perturb data in a way which still allows making meaningful operations on the transformed data. Both [34] and [35] suggest such kinds of distance-recoverable transformations, where the distance between points is preserved. Wong et al. showed in [19] that distance-recoverable or general scalar-product-preserving encryption schemes are not secure against certain attacks and in [36], Liu et al. demonstrated how the original data can be recovered in schemes such as [34] and [35]. In [19], Wong et al. introduced a scheme which is asymmetric scalar-product-preserving instead of general scalar-product-preserving, making it immune to such attacks.

A similar paper on outsourcing location data to an untrusted third party is by Yiu et al. [16]. Similar to Wong et al. [19] it transforms a database before outsourcing it to a service provider. Authorized users share a private key so they can send queries to the service provider, who can work on the transformed data to generate a response without learning any location information. Both those schemes [16], [19], however, are for outsourcing static data. For applications where the location of points is updated continuously, [16] for example would require the whole database to be re-transformed for each update, which is impractical.

Location sharing services. One paper proposing three different algorithms for a privacy-preserving location-based service for locating friends is by Zhong et al. [37]. Their algorithms use an additive homomorphic cryptosystem to perform secure multi-party computation. Their first scheme, Louis, allows two users to determine whether they are in proximity if and only if they are nearby, using a semi-trusted third party. Lester, the second scheme, does not need any third party and relies instead on letting a user solve a computational puzzle to determine whether another user is nearby. Each user determines the hardness of the puzzle and, consequently, the amount of work necessary for other users to find out whether they are in proximity. The third scheme, Pierre, makes use of a grid structure and encrypted grid coordinates to determine whether two users are in the same or in adjacent grid cells. There are other grid-based schemes, but they usually have the drawback that locations and proximity calculations are approximate because the distance between grid cells does not capture exactly the distance between users within those cells.

Another approach by Mascetti et al. in [14] uses three different protocols called SP-Filtering, Hide&Seek and Hide&Crypt. SP-Filtering computes the proximity between users with a certain degree of approximation. It requires a third party which does the computation. The third party compares so-called granules, which obfuscate the exact location of users, to determine the approximate distance between them. If more precision is needed, Hide&Seek or Hide&Crypt is run as a second step. Hide&Seek starts a direct interaction between two users to get a more precise distance measurement. Hide&Crypt also requires direct interaction between users but uses secure computation to leak less information about the respective position of users. Nevertheless, the first step, SP-Filtering, will still leak the approximate location of each user to the third party.

In [13], Šikšnys et al. present an approach based on encrypted grid indices. Users share a list of grids with different levels (or resolutions). Each cell in a grid of a specific resolution can be mapped to a unique number through a one-to-one function such as AES. A server can then determine proximity by comparing these numbers, asking users to switch to a finer resolution if necessary. This requires several rounds of communication when two users are close, making it more expensive in terms of communication. A recent paper also by Šikšnys et al. [12] introduces Vicinity Locator which is similar to the Friend Locator in [13] but allows arbitrarily shaped regions of interest.

Another privacy-preserving location-sharing service proposed by Herrmann et al. [38] makes use of identity-based broadcast encryption (IBE) to realize a location-sharing service that affords location privacy with respect to the central server. One version of the scheme shares the location with friends irrespective of their relative location, leading to more data being transferred than necessary. An updated version maps locations to discrete regions to counteract this problem, but the mapping is approximate as it depends on the definition of the regions, while our scheme is exact in defining within which range to share locations. Furthermore, our scheme also provides personalized privacy regions, while their scheme has no such provisions.

Similarly, Freudiger et al. [39] also make use of broadcast encryption (albeit not identity-based) to distribute locations among friends, augmenting the system with dummy queries and caching of information required for localization
to minimize leaking information through the geo-location process. In contrast, while our scheme is also cryptography-based, our scheme minimizes overhead by enabling the server to only send relevant locations as the response to a query of a user, and our scheme also provides privacy from overly curious friends.

To summarize, our PPLSS using the proposed ORE scheme can distinguish itself from existing solutions in that it (1) provides secure location privacy by not disclosing any location information about users and queries, not even approximate location information, to a database server, (2) does not require any third party, (3) achieves low communication and computational overhead by not requiring any direct communication between users or multiple-round communication between a user and a database server, (4) designs an index structure for our ORE scheme to improve query processing efficiency, (5) supports highly dynamic location updates from individual users efficiently, and (6) introduces a new privacy notion, called a personalized privacy region, to further improve user privacy within a group of friends.

10 CONCLUSION
In this paper, we introduce an Order-Retrievable Encryption scheme, a new encryption notion for Privacy-Preserving Location Sharing Services in social networking applications. ORE is designed to answer location queries that allow a user to view the exact location of his/her friends within a user-specified distance without revealing any location information about the user and his/her friends to the database server and any other users in the system. The distinguishing characteristics of ORE compared to existing algorithms are that ORE provides secure location privacy, achieves low communication and computational cost, and supports dynamic location updates. To improve query processing efficiency, we propose a tree-like index structure for our ORE scheme (ORE-Index) to facilitate range searches over the encrypted locations of a group of friends. In addition, a personalized privacy region scheme is proposed to further improve user privacy within a group of friends by enabling a user to specify a maximum distance up to which his/her friends are allowed to locate the user. We also perform experiments to evaluate ORE and ORE-Index and show that their performance is much better compared to the state-of-the-art cryptography-based technique designed for spatial queries.

Qiong Huang was supported by the National Natural Science Foundation of China (No. 61472146), the Guangdong Natural Science Funds for Distinguished Young Scholar (No. 2014A030306021), the CICAEET fund and the PAPD fund (No. KJR1615).

REFERENCES
[1] (2016). Facebook Places [Online]. Available: http://www.
[2] (2016). Foursquare [Online]. Available: http://www.foursquare.com
[3] (2016). Google Plus [Online]. Available:
[4] (2016). Loopt [Online]. Available:
[5] L. Barkhuus, B. Brown, M. Bell, S. Sherwood, M. Hall, and M. Chalmers, “From awareness to repartee: Sharing location within social groups,” in Proc. ACM Conf. Human Factors Comput. Syst., 2008, pp. 497–506.
[6] E. Toch, et al., “Empirical models of privacy in location sharing,” in Proc. ACM Int. Conf. Ubiquitous Comput., 2010, pp. 129–138.
[7] S. Consolvo, et al., “Location disclosure to social relations: Why, when, & what people want to share,” in Proc. ACM Conf. Human Factors Comput. Syst., 2005, pp. 81–90.
[8] C.-Y. Chow, M. F. Mokbel, and W. G. Aref, “Casper*: Query processing for location services without compromising privacy,” ACM Trans. Database Syst., vol. 34, no. 4, pp. 1–48, 2009.
[9] M. Gruteser and D. Grunwald, “Anonymous usage of location-based services through spatial and temporal cloaking,” in Proc. ACM Int. Conf. Mobile Syst., Appl., Serv., 2003, pp. 31–42.
[10] M. F. Mokbel, C.-Y. Chow, and W. G. Aref, “The new casper: Query processing for location services without compromising privacy,” in Proc. Int. Conf. Very Large Data Bases, 2006, pp. 763–774.
[11] T. Wang and L. Liu, “Privacy-aware mobile services over road networks,” in Proc. Int. Conf. Very Large Data Bases, 2009, pp. 1042–1053.
[12] L. Siksnys, J. R. Thomsen, S. Saltenis, and M. L. Yiu, “Private and flexible proximity detection in mobile social networks,” in Proc. Int. Conf. Mobile Data Manage., 2010, pp. 75–84.
[13] L. Siksnys, J. R. Thomsen, S. Saltenis, M. L. Yiu, and O. Andersen, “A location privacy aware friend locator,” in Proc. Int. Symp. Spatial Temporal Databases, 2009, pp. 405–410.
[14] S. Mascetti, C. Bettini, and D. Freni, “Longitude: Centralized privacy-preserving computation of users’ proximity,” in Proc. Int. Workshop Secure Data Manage., 2009, pp. 142–157.
[15] S. Triukose, S. Ardon, A. Mahanti, and A. Seth, “Geolocating IP addresses in cellular data networks,” in Proc. 13th Int. Conf. Passive Active Meas., 2012, vol. 7192, pp. 158–167.
[16] M. L. Yiu, G. Ghinita, C. S. Jensen, and P. Kalnis, “Enabling search services on outsourced private spatial data,” Int. J. Very Large Data Bases, vol. 19, no. 3, pp. 363–384, 2010.
[17] O. Goldreich, Foundations of Cryptography, volume I, Basic Tools. Cambridge, U.K.: Cambridge Univ. Press, 2007.
[18] B. Kaliski. (2003). TWIRL and RSA key size CryptoBytes Technical Newsletter [Online]. Available: node.asp?id=2004
[19] W. K. Wong, D. W.-L. Cheung, B. Kao, and N. Mamoulis, “Secure kNN computation on encrypted databases,” in Proc. ACM Int. Conf. Manage. Data, 2009, pp. 139–152.
[20] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu, “Order-preserving encryption for numeric data,” in Proc. ACM Int. Conf. Manage. Data, 2004, pp. 563–574.
[21] A. Boldyreva, N. Chenette, Y. Lee, and A. O’Neill, “Order-preserving symmetric encryption,” in Proc. 28th Annu. Int. Conf. Adv. Cryptol.: Theory Appl. Cryptograph. Techn., 2009, pp. 224–241.
[22] (2001). Specification for the advanced encryption standard (AES) Federal Information Processing Standards Publication 197 [Online]. Available:
[23] C. Boyd and A. Mathuria, Protocols for Authentication and Key Establishment. New York, NY, USA: Springer, 2003.
[24] IEEE, P1363-2000: Standard Specifications For Public Key Cryptography, pp. 1–228, Aug. 2000.
[25] (2016). Google Latitude [Online]. Available:
[26] (2016). Facebook Statistics [Online]. Available: http://www.
[27] S. Chen, C. S. Jensen, and D. Lin, “A benchmark for evaluating moving object indexes,” Proc. Int. Conf. Very Large Data Bases, 2008, pp. 1574–1585.
[28] P. Barford and V. Yegneswaran, An Inside Look at Botnets. New York, NY, USA: Springer, 2007, pp. 171–191.
[29] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L. Tan, “Private queries in location based services: Anonymizers are not necessary,” in Proc. ACM Int. Conf. Manage. Data, 2008, pp. 121–132.
[30] M. Kohlweiss, et al., “Efficient oblivious augmented maps: Location-based services with a payment broker,” in Proc. 7th Int. Conf. Privacy Enhancing Technol. Symp., 2007, pp. 77–94.
[31] R. Vishwanathan and Y. Huang, “A two-level protocol to answer private location-based queries,” in Proc. IEEE Int. Conf. Intell. Security Inform., 2009, pp. 149–154.
[32] H. Hacigümüs, B. R. Iyer, and S. Mehrotra, “Efficient execution of aggregation queries over encrypted relational databases,” in Proc. 9th Int. Conf. Database Syst. Adv. Appl., 2004, pp. 125–136.
[33] E. Mykletun and G. Tsudik, “Aggregation queries in the database-as-a-service model,” in Proc. Annu. IFIP Conf. Data Appl. Security, 2006, pp. 89–103.
[34] K. Chen and L. Liu, “Privacy preserving data classification with rotation perturbation,” in Proc. IEEE Int. Conf. Data Mining, 2005, pp. 589–592.
[35] S. R. M. Oliveira and O. R. Zaïane, “Achieving privacy preservation when sharing data for clustering,” in Proc. SIAM Int. Conf. Data Mining, 2004, pp. 67–82.
[36] K. Liu, C. Giannella, and H. Kargupta, “An attacker’s view of distance preserving maps for privacy preserving data mining,” in Proc. 10th Eur. Conf. Principles Practice Knowl. Discovery Databases, 2006, pp. 297–308.
[37] G. Zhong, I. Goldberg, and U. Hengartner, “Louis, lester and pierre: Three protocols for location privacy,” in Proc. Privacy Enhancing Technol. Symp., 2007, pp. 62–76.
[38] M. Herrmann, A. Rial, C. Diaz, and B. Preneel, “Practical privacy-preserving location-sharing based services with aggregate statistics,” in Proc. ACM Conf. Security Privacy Wireless Mobile Netw., 2014, pp. 87–98.
[39] J. Freudiger, R. Neu, and J.-P. Hubaux, “Private sharing of user location over online social networks,” in Proc. 3rd Hot Topics Privacy Enhancing Technol., 2010, pp. 62–72.

Roman Schlegel received the MSc degree from the EPFL, Switzerland, in communication systems and the PhD degree in computer science from the City University, Hong Kong. During his doctoral studies he also spent a year as a research assistant at the Indiana University Bloomington, Bloomington, IN. After receiving the PhD degree, he joined ABB Corporate Research as a research scientist for security in industrial control systems. His research interests include privacy, network security, and applied cryptography. He is a member of the IEEE.

Chi-Yin Chow received the MS and PhD degrees from the University of Minnesota-Twin Cities in 2008 and 2010, respectively. He is currently an assistant professor at the Department of Computer Science, City University of Hong Kong. His research interests include spatio-temporal data management and analytics, machine learning, GIS, mobile computing, and location-based services. He was the co-organizer of ACM SIGSPATIAL MobiGIS 2012, 2013, 2014, and 2015. He is a member of the IEEE.

Qiong Huang received the BS and MS degrees from the Fudan University, in 2003 and 2006, respectively, and the PhD degree from the City University of Hong Kong, in 2010. He is currently a professor at the South China Agricultural University. His research interests include cryptography and information security, in particular, cryptographic protocols design and analysis. He is a member of the IEEE.

Duncan S. Wong received the BEng degree from the University of Hong Kong in 1994, the MPhil degree from the Chinese University of Hong Kong in 1998, and the PhD degree from the Northeastern University, Boston, MA, in 2002. He is currently the director of Security and Data Sciences, ASTRI, Hong Kong. His primary research interest is cryptography; in particular, cryptographic protocols, encryption and signature schemes, and anonymous systems. He is a member of the IEEE.