Practical Privacy-Preserving Location-Sharing BasedServices with Aggregate Statistics

Michael HerrmannKU Leuven ESAT/COSIC, iMinds

Leuven, Belgiummichael.herrmann@esat.kuleuven.be

Alfredo RialIBM Research

Rüschlikon, Switzerlandlia@zurich.ibm.com

Claudia DiazKU Leuven ESAT/COSIC, iMinds

Leuven, Belgiumclaudia.diaz@esat.kuleuven.be

Bart PreneelKU Leuven ESAT/COSIC, iMinds

Leuven, Belgiumbart.preneel@esat.kuleuven.be

ABSTRACTLocation-sharing-based services (LSBSs) allow users to sharetheir location with their friends in a sporadic manner. Incurrently deployed LSBSs users must disclose their locationto the service provider in order to share it with their friends.This default disclosure of location data introduces privacyrisks. We define the security properties that a privacy-preserving LSBS should fulfill and propose two construc-tions. First, a construction based on identity based broad-cast encryption (IBBE) in which the service provider doesnot learn the user’s location, but learns which other usersare allowed to receive a location update. Second, a construc-tion based on anonymous IBBE in which the service providerdoes not learn the latter either. As advantages with respectto previous work, in our schemes the LSBS provider doesnot need to perform any operations to compute the replyto a location data request, but only needs to forward IBBEciphertexts to the receivers. We implement both construc-tions and present a performance analysis that shows theirpracticality. Furthermore, we extend our schemes such thatthe service provider, performing some verification work, isable to collect privacy-preserving aggregate statistics on thelocations users share with each other.

Categories and Subject DescriptorsK.4.4 [Computers and Society]: Electronic Commerce–Distributed commercial transactions; Security

KeywordsLocation Privacy; Broadcast Encryption; Vector Commit-ments

Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page. Copyrights for components of this work owned by others than theauthor(s) must be honored. Abstracting with credit is permitted. To copy otherwise, orrepublish, to post on servers or to redistribute to lists, requires prior specific permissionand/or a fee. Request permissions from permissions@acm.org.WiSec’14, July 23–25, 2014, Oxford, UK.Copyright is held by the owner/author(s). Publication rights licensed to ACM.ACM 978-1-4503-2972-9/14/07 ...$15.00.http://dx.doi.org/10.1145/2627393.2627414 .

1. INTRODUCTIONThe emergence of mobile electronic devices with position-

ing capabilities (e.g. through the Global Positioning System,GPS), such as smart phones and tablet computers, has fos-tered the appearance of a wide variety of Location BasedServices (LBSs). With these services, users can find nearbyplaces of interest, share their location with friends, and ob-tain information about their surroundings.

Location-sharing-based services (LSBSs) permit users toshare their current location or activity with other people.The shared location data may be in the form of GPS co-ordinates, although in GeoSocial Networks (GSN), such asFoursquare and Facebook-check-in, it is common that usersannounce their location in a more socially meaningful way byproviding the venue (e.g., name of the restaurant) at whichthey are currently present. The action is commonly referredto as check-in. Every day millions of users enjoy GSN andshare millions of locations with each other.1

While LSBSs are indeed useful, the disclosure of locationdata raises significant privacy concerns. Service providersand other third parties with access to accurate location datacan infer private user information, such as their movementpatterns, home address, lifestyle and interests [25]. Further,making these inferences is even easier if users share the venuerather than just submitting coordinates, as any uncertaintiesintroduced by possible inaccuracies in the GPS coordinatesare removed. We note that, although GSNs offer config-urable privacy settings [27], they are still privacy invasive,as the LSBS provider learns the users’ location regardless ofthe privacy settings.

Location Privacy Preserving Mechanisms (LPPMs) thatimplement obfuscation strategies, such as adding dummylocations [35] or reducing precision [31], are unsuitable forLSBS. This is because, when transmitting an obfuscated lo-cation to the service provider, the service provider naturallyis only able to forward this obfuscated location to the user’sfriends. This conflicts with the main functionality of LSBSs.Therefore, LPPMs have been proposed in which users sharekeys allowing them to encrypt and decrypt their locationdata [22, 45]. In those solutions, the LSBS provider storesencrypted location data and computes the reply for a user

1https://foursquare.com/about/http://www.socialbakers.com/blog/167-interesting-facebook-places-numbers

requesting location data of her friends. A provider offeringsuch an LSBS is unable to learn statistics about its users’whereabouts. Consequently, this renders the common busi-ness model of offering a free service in exchange for the users’data impossible. An alternative is to offer a paid service, butthis might only be feasible if the fees are sufficiently low.

In this paper we propose two schemes based on identity-based broadcast encryption [20]. The first protocol revealsthe identities of the friends that should receive location in-formation to the LSBS provider and also to the other re-ceivers of that location information. In the second protocol,those identities are hidden towards the service provider aswell as towards other users (including the receivers of thelocation update), thanks to the use of anonymous identity-based broadcast encryption. The advantage over existingwork is that in our schemes the LSBS provider does notneed to perform complex operations in order to compute areply for a location data request, but only needs to forwarddata. This reduces the cost of an LSBS provider that isthen able to offer its service for a lower price if pursuing asubscription-based business model. Furthermore, we extendour schemes such that the service provider is able to collectprivacy-preserving statistics on the locations shared by theusers. This extension does require the LSBS provider to per-form additional computations. The obtained statistics couldbe monetized to compensate for this additional overhead orto facilitate a free service.

We have implemented both schemes on a Samsung S IIImini smart phone and provide results on the computationtime, bandwidth overhead and energy consumption. Ourevaluation shows that the performance of the first schemeis independent of the number of users in the system. Fur-thermore, it imposes minimal computational and bandwidthoverhead on both, the LSBS provider and the users’ mobiledevices. In the second scheme a user is able to choose atrade-off between privacy, computation and bandwidth over-head. We study this trade-off and provide recommendationsto increase the level of privacy for the same amount of re-sources.

The remainder of this paper is structured as follows. InSection 2, we review previous work on privacy-preservinglocation-based services and argue that none of the existingapproaches is suitable for implementing privacy-preservingLSBSs. We define privacy-preserving LSBS in Section 3.In Section 4, we introduce our two schemes. We provide adetailed performance analysis showing the feasibility of ourapproach in Section 5. In Section 6, we extend our schemesto allow for aggregate statistics collection. We discuss ourapproach and results in Section 7. Finally, in Section 8 weconclude our work.

2. RELATED WORKIn this section we review obfuscation-based LPPMs and

argue that they are not suitable for protecting location pri-vacy in LSBS. Subsequently, we review LPPMs that relyon cryptographic primitives. Some of them have been de-liberately designed for protecting location privacy in LSBS;others have a more general purpose. Our evaluation showsthat obfuscation-based LPPMs are not suitable for privacy-preserving LSBS and that our system has several advantagesover existing privacy-preserving LSBS.

Other works have examined location privacy in GSNs con-sidering a different threat model. Gambs et al. [27] and Vi-

cente et al. [48] review several GSNs and analyze their pri-vacy issues. However, in their privacy evaluation, they donot consider it to be a privacy breach if the service providerlearns the user locations. An analysis of the inferences thatcan be made about users based on where they check-in whileusing Foursquare is provided by Pontes et al. [43].

2.1 Obfuscation-based LPPMsWhile works like [22, 45] have already noted that LPPMs

based on anonymization and precision-reduction are not suit-able to protect location privacy in LSBS, we provide herea more detailed evaluation. We therefore follow the cat-egorization in [47] which distinguishes between these fourobfuscation strategies: location hiding, perturbation, addingdummy regions, and reducing precision. In the following weargue that none of these obfuscation-based LPPMs are ap-plicable to protect location privacy in LSBSs. We thereforeconsider the following LSBS application scenario: A userA is currently at one of her favorite locations and wishes toshare this information with her friends. This could be eitherbecause A simply wants to inform her friends, or to enablethem to join her at this place.

The location hiding strategy [4] consists of not sending thelocation data to the LBS and is thus impractical. In thiscase user A would not be able to share her location withher friends. Some LPPMs propose to change pseudonymsafter a period of location hiding [32, 37]. However, this isalso impractical, because the check-in is supposed to be re-ceived by the same set of friends and therefore identifiesuser A. LPPMs that rely on perturbation submit a locationdifferent from A’s actual location [34]. As a rather incon-venient result, the user’s friends learn a wrong place andif they decide to join their friend, they would realize uponarriving that A is actually not present there. The addingdummy regions strategy [35] consists of submitting fake lo-cations along with the user’s actual location. In this case Awould check-in at several places and her friends could notdistinguish real from fake check-ins. Finally, with the re-ducing precision strategy [31] A would send a cloak regionthat contains her current location, but she would not re-veal her precise whereabouts, making it extremely difficultfor her friends to find her. We note that with all obfusca-tion strategies, users could rely on personal contact in orderto obtain A’s precise location after learning the obfuscatedlocation. However, such a system would have significant us-ability issues. The key limitation of these techniques is thatthey do not make a distinction between information revealedto friends and to the service provider. Thus, in order to pro-tect their location information towards the service provider,users must lower the quality of location information sharedwith their friends.

2.2 Cryptographic LPPMsFreudiger [26] proposes that users should use symmet-

ric or asymmetric encryption and use the service providersolely as a rendez-vous point to exchange encrypted data.Longitude by Dong and Dulay [22] propose to use proxy-encryption, which guarantees that the service provider isnot able to learn the location update and, furthermore, thatthe ciphertext can be modified by the service provider suchthat only intended receivers are able to successfully decrypt.Puttaswamy et al. [45] propose a scheme which combinesencryption with location transformation in order to build a

location-based application, such as privacy-preserving LSBS.As already mentioned in Section 1 the proposed LPPMs im-pose a computational overhead at the LSBS provider, whichmakes offering such a service more expensive. In our schemesthe cost for the LSBS provider is kept at a minimum in orderto make running such a service as cheap as possible. Further-more, the service provider can decide to engage in additionalcomputation overhead and therefore obtain statistics aboutits users’ whereabouts. We note that this overhead is keptlow since the service provider only needs to forward dataand verify zero-knowledge proofs, whose cost can be reducedusing batch verification. Note however that our scheme, incontrast to the works mentioned above, introduces a trustedkey generation center.

Carbunar et al. [16] propose privacy preserving protocolsfor badge and mayor applications in GSNs. While this isclosely related to our work, their scheme does not allow usersto exchange their locations.

In privacy-preserving friend nearby notification, users canprivately learn whether a friend is in close proximity. Sucha service can be realized by homomorphic encryption [50],private equality testing [41] and private threshold set inter-section [39]. These protocols are different from our solution,because in privacy-preserving location sharing protocols, lo-cation updates are sent to friends regardless of their currentlocation, i.e. regardless of how close they are.

Bilogrevic et al. [5] propose two protocols to allow usersto compute a fair rendez-vous point in a privacy preservingmanner. This differs from our work in that we focus onlocation sharing, and not on deciding on where to meet aftera group of users has deliberately decided to do so.

Popa et al. [44] propose a privacy-preserving protocol tocompute aggregate statistics from users’ location updates.However, in this protocol users do not share their locationwith other users.

Finally, some works employ Private Information Retrieval(PIR) so that the users retrieve information (e.g., points ofinterest) related to their surroundings [30, 42]. PIR couldin principle be employed to build privacy-preserving LSBS.However, PIR operations are rather costly at the serviceprovider side which we again argue that introduces intoler-able overhead for a service provider.

3. DEFINITION OF PRIVACY FOR LSBSOur LSBS involves the following parties: a key generation

center, a service provider P and a set of users Ui for i = 1to n. Figure 1 shows the parties in the system.

A privacy-invasive protocol that realizes the desired func-tionality works as follows. A user Ui sends a message to theservice provider that indicates the place loc that Ui wishesto share, and the set S ⊆ [1, n] of users Uj (j ∈ S) thatshould learn that Ui shares loc. Then the service providerforwards to users Uj ∈ S the message (Ui, loc) to informthem that Ui has shared loc. As can be seen, this protocolis privacy-invasive. The service provider learns the locationloc that Ui shares, and the identities of the users Uj (j ∈ S).The privacy properties that our LSBS should fulfill are thefollowing:

Sender Privacy. No coalition of users U /∈ S and serviceprovider P should learn any information on loc.

User

ServiceProvider

KeyGenerationCenter

User

User User

Figure 1: System Model of a privacy-preserving LSBS. Thekey generation center sets up the public parameters and pro-vides users with secret keys. The service provider transfersmessages between users.

Receiver Privacy. No coalition of users Uj such that j 6={i, j∗} and service provider P should learn any infor-mation on whether j∗ ∈ S or j∗ /∈ S.

Our schemes in Section 4 are secure against active adver-saries, i.e., adversaries that deviate in any possible way formthe protocol execution. The security of our schemes relieson the security of identity based broadcast encryption. Thekey generation center is trusted, which is an assumption thatevery identity-based cryptographic scheme makes.

4. CONSTRUCTIONS OF LSBSOur schemes are based on identity-based broadcast en-

cryption, which we describe in Section 4.1. In Section 4.2, wedescribe the sender private scheme, which fulfills the senderprivacy property. In Section 4.3, we describe the fully pri-vate scheme, which fulfills both the sender privacy and thereceiver privacy properties.

4.1 Identity-Based Broadcast EncryptionBroadcast encryption allows a sender to encrypt a mes-

sage m to a set of receivers S ∈ [1, n], so that no coalitionof receivers not in S can decrypt. A broadcast encryptionscheme consists of the following algorithms:

Setup(1λ, n, `). On input the number of users n, the secu-rity parameter 1λ, and the maximum size ` ≤ n of abroadcast recipient group, output the public key pkand the secret key sk .

KeyGen(i, sk). On input an index i and the secret key sk ,output a secret key di for user Ui.

Enc(pk , S,m). On input the recipient group S ∈ [1, n], thepublic key pk and the message m, output the cipher-text c.

Dec(pk , di, c). On input the public key pk , the secret key diof user Ui and a ciphertext c, output m if i ∈ S or elsethe failure symbol ⊥.

In IBBE, a trusted key generation center KGC creates theparameters and computes the secret keys of the receivers.Note that the secret key sk allows the decryption of everyciphertext. If ciphertexts c do not reveal the set of receiversS, the broadcast encryption scheme is anonymous.

4.2 Sender-Private LSBSOur sender-private LSBS (SPLS) uses an IBBE scheme

that is not anonymous. In such a scheme, ciphertexts ccontain a description of the recipient group S . Our schemeworks as follows:

Setup Phase. KGC executes the setup algorithm Setup(1λ,n, `) on input the security parameter 1λ, the numberof users n and the maximum size ` ≤ n, publishesthe public key pk and stores the secret key sk . Usersobtain pk .

Registration Phase. Each user Ui registers with the ser-vice provider by sending the index i. Additionally, Uireceives the key di from KGC, which runs KeyGen(i,sk).

Main Phase. To share a location loc, a user Ui runs c ←Enc(pk , S, i ||loc) and sends c to the service provider P.P gets S from c and sends c to the users Uj (j ∈ S).Each user Uj runs Dec(pk , dj , c) to output the messagei ||loc.

We note that the registration and main phases can be inter-leaved, i.e., users can join our SPLS dynamically.

Our scheme fulfills the sender privacy property. The IBBEscheme ensures that no coalition of service provider P andusers U /∈ S can decrypt a ciphertext c computed on inputS. However, this scheme does not fulfill the receiver privacyproperty. Since the IBBE scheme is not anonymous, theciphertext c reveals the identity of the receivers Uj (j ∈ S).

4.2.1 Construction of IBBEIn Section 5, we instantiate our SPLS with a broadcast

encryption scheme in order to implement it and evaluate itsperformance. Broadcast encryption was first formalized byFiat and Naor [24]. The first fully collusion secure broadcastschemes, i.e., schemes where security holds even if all theusers not in the recipient group S collude, were describedin [40]. The first public key broadcast encryption schemewas proposed in [21].

In the schemes mentioned above, the size of the ciphertextgrows linearly with the size of the recipient group. Boneh,Gentry and Waters [8] proposed the first schemes with con-stant size ciphertexts. Their schemes have selective security,i.e., the adversary should decide the target recipient groupto be attacked before the setup phase. Identity-based broad-cast encryption was proposed in [20], which describes alsoselectively secure schemes.

Broadcast encryption and identity-based broadcast en-cryption with adaptive security was first achieved in [28].These schemes achieve constant size ciphertexts in the ran-dom oracle model and under q-based assumptions. In [49]and [36], broadcast encryption schemes secure under staticassumptions are proposed. In [36], an identity-based broad-cast encryption scheme secure under static assumptions isalso proposed, but it only achieves selective security.

The main property of identity-based broadcast encryp-tion is that the scheme is efficient when the total number ofusers n is exponential in the security parameter 1λ. Sinceour SPLS could have millions of users, schemes that, de-spite having constant size ciphertexts, have public key oruser secret keys of size that grows linearly with n are lesssuitable. Therefore, we instantiate our SPLS with the adap-tively secure identity-based broadcast encryption in [28].

This scheme, which is secure in the random oracle model,in addition to constant size ciphertexts, has a public key ofsize independent of n that grows linearly with ` and user de-cryption keys di of constant size. The scheme in [28] employsbilinear maps.

Bilinear maps.Let G, G and Gt be groups of prime order p. A map

e : G × G → Gt must satisfy bilinearity, i.e., e(gx, gy) =e(g , g)xy; non-degeneracy, i.e., for all generators g ∈ G and

g ∈ G, e(g , g) generates Gt; and efficiency, i.e., there existsan efficient algorithm BMGen(1k) that outputs the pairing

group setup (p,G, G,Gt, e, g , g) and an efficient algorithm

to compute e(a, b) for any a ∈ G, b ∈ G. If G = G the mapis symmetric and otherwise asymmetric.

Let (E,D) be a secure symmetric key encryption scheme.The scheme in [28] works as follows:

Setup(1λ, n, `). On input the number of users n, the securityparameter 1λ, and the maximum size ` ≤ n of a broad-cast recipient group, run (p,G,Gt, e) ← BMGen(1λ).

Set g1, g2 ← G. Set α, β, γ ← Zp. Set g1 ← gβ1 and

g2 ← gβ2 . Set pk = (p,G,Gt, e, n, `, gγ1 , gγ·α1 , {gα

j

1 , gαj

1 ,

gαk

2 , gαk

2 : j ∈ [0, `], k ∈ [0, `− 2]}). Output pk and thesecret key sk = (α, γ).

KeyGen(i, sk). On input an index i and the secret key sk ,pick random ri ← Zp and output

di = (i, ri, hi = gγ−riα−i

2 )

Enc(pk , S,m). On input the recipient group S ∈ [1, n], the

public key pk and the message m, set τ ← {0, 1}O(λ).Set F (x) as the (`−1)-degree polynomial that interpo-lates F (i) = H(τ, i) for i ∈ S and F (i) = 1 for i ∈ [n+

j] with j ∈ [k+1, `], where H : {0, 1}O(λ)× [1, n]→ Zpis a hash function modelled as a random oracle. Setk = |S| and parse S as {i1, . . . , ik}. Set ij ← n+ j for

j ∈ [k+1, `]. Set P (x) =∏`j=1(x−ij). Set t← Zp and

set K ← e(g1, g2)γ·α`−1·t. Set Hdr ← 〈C1, . . . , C4〉 =

〈gP (α)·t1 , gγ·t1 , g

F (α)·t1 , e(g1, g2)α

`−1·F (α)·t〉. Compute C← E(K,m) and output c = (τ,Hdr, C, S).

Dec(pk , di, c). On input the public key pk , the secret key diand a ciphertext c, parse di as 〈i, ri, hi〉, c as (τ,Hdr,C, S) and Hdr as 〈C1, . . . , C4〉. Define P (x) as aboveand compute F (x) from τ as above. Set

Pi(x) = x`−1 − P (x)

(x− i) , Fi(x) =F (x)− F (i)

(x− i) ,

and ei = − riF (i)

and

K ← e(C1, hi · gei·Fi(α)2 ) · e(C2 · Cei3 , gPi(α)2 )/Cei4 .

Output m ← D(K,C).

We note that a user of LSBS usually shares her locationwith the same recipient group, i.e., with her friends. There-fore, broadcast encryption is used to share a symmetric keywith that recipient group, and messages are encrypted usingan efficient symmetric key encryption scheme. Broadcast en-cryption is used again only when the recipient group changes

or when the symmetric key should be renewed for securityreasons.

4.3 Fully-Private LSBSOur fully-private LSBS (FPLS) uses an anonymous IBBE

scheme. In such scheme, ciphertexts c do not reveal therecipient group. The setup and registration phases of thisscheme work as the ones described in Section 4.2. The mainphase works as follows:

Main Phase. To share a location loc, a user Ui runs c ←Enc(pk , S, i ||loc) and sends c to the service provider P.P forwards c to every user Uj such that j 6= i. Eachuser Uj runs Dec(pk , dj , c) to get either the messagei||loc or ⊥.

As in the construction in Section 4.2, this scheme fulfills thesender-private property. Additionally, this scheme fulfillsthe receiver privacy property. Since the IBBE scheme isanonymous, the ciphertext c does not reveal the identity ofthe receivers Uj (j ∈ S).

This construction requires location updates to be broad-cast to all users. Therefore, we propose a variant that allowsto trade-off communication efficiency and location-privacy.In this variant, the map is divided into regions reg1, . . . , regrand users reveal to the service provider the region wherethey are located and the region from where they would liketo receive location updates.

Region Phase. A user Ui sends to the service provider theregion to which location updates she wishes to receiveshould be associated.

Main Phase. To share a location loc ∈ reg, a user Ui runsc ← Enc(pk , S, i ||loc) and sends (c, reg) to the serviceprovider P. P forwards c to every user Uj such thatj 6= i and reg equals the region sent by Uj in the RegionPhase. Each user Uj runs Dec(pk , dj , c) to get eitherthe message i||loc or ⊥.

4.3.1 Construction of Anonymous IBBEIn Section 5, we instantiate our FPLS with an anonymous

broadcast encryption scheme in order to implement it andevaluate its performance. Barth et al. [3] propose an anony-mous broadcast encryption scheme secure in the random or-acle model where the ciphertext size is O(S). The public keysize is O(n), while user secret keys and decryption time areconstant. Libert et al. [38] proposed a scheme with the sameasymptotic performance but secure in the standard model.

Recently, a scheme with public key size O(n), secret keysize O(n), ciphertext size O(rlog(n

r)), where r is the set

n − S, and constant decryption time was proposed in [23].Despite the fact that in this scheme ciphertexts do not growlinearly with n, actually O(rlog(n

r)) is asymptotically larger

than O(n − r) for large values of r, which are likely in ourFPLS. Furthermore, the scheme in [23] does not provideanonymity with respect to users who are able to decrypt,i.e., those users can find out the identity of the other userswho can decrypt.

We modify the scheme in [3] so that it employs as build-ing block an anonymous identity-based encryption schemeinstead of a key-private public key encryption scheme. Thisallows users to employ their identities as public keys. Suchmodification was suggested in Barth et al. [3] and securityfollows from the security of the original scheme.

An identity-based encryption (IBE) scheme consists of thealgorithms (IBESetup, IBEExtract, IBEEnc, IBEDec). The al-gorithm IBESetup(1λ) outputs parameters params and mas-ter secret key msk . IBEExtract(params,msk , id) outputs thesecret key sk id for identity id . IBEEnc(params, id ,m) out-puts ct encrypting m under id . IBEDec(params, sk id , ct)outputs message m encrypted in ct .

An IBE scheme is anonymous [1] if it is not possible toassociate the identity used to encrypt a message m with theresulting ciphertext. We employ the scheme in [7], whichis anonymous [9], to implement the anonymous broadcastencryption scheme.

Another building block of the anonymous IBBE scheme isa strongly existentially unforgeable signature scheme. A sig-nature scheme consists of algorithms (Kg, Sign,Vf). Kg(1λ)outputs a key pair (ssk , vsk). Sign(ssk ,m) outputs a signa-ture s on message m. Vf(vsk , s,m) outputs accept if s is avalid signature on m and reject otherwise. We employ thescheme secure in the random oracle model proposed in [6].

The remaining building block is a secure symmetric keyencryption scheme (E,D). We employ the advanced encryp-tion standard [19]. The anonymous IBBE scheme works asfollows.

Setup(1λ, n, `). Choose a group G of primer order p whereCDH is hard and DDH is easy and pick a generatorg ∈ G. Choose a hash function H : G→ {0, 1}λ whichis modeled as a random oracle. Compute params andmsk via IBESetup(1λ). For i = 1 to n, pick randomai ← Zp. Output Output pk = (G, g, ga1 , . . . , gan , H,params) and sk = (msk , a1, . . . , an).

KeyGen(i, sk). On input an index i and the secret key sk ,compute a secret key sk i ← IBEExtract(params,msk ,i). Output di = (sk i, ai).

Enc(pk , S,m). On input the recipient group S ∈ [1, n], thepublic key pk and the message m, execute the followingsteps.

1. Compute (ssk , vsk)← Kg(1λ).

2. Pick a random symmetric key K.

3. Pick random r ← Zp and set T = gr.

4. For each tuple (i, gai) ∈ S, set the ciphertext ci ←H(gair)||IBEEnc(params, i, vsk ||gair||K).

5. C1 is the concatenation of all ci ordered by thevalues of H(gair).

6. Compute C2 = EK(m).

7. Sign s ← Sign(ssk , T ||C1||C2).

8. Return the ciphertext C = s||T ||C1||C2.

Dec(pk , dj , c). On input the public key pk , the secret key djand a ciphertext c, execute the following steps.

1. Calculate l = H(T aj ).

2. Find cj such that cj = l||c for some cj in C1.

3. Calculate p← IBEDec(params, sk j , cj).

4. If p is ⊥, return ⊥.

5. Parse p as vsk ||x||K.

6. If x 6= T aj , return ⊥.

7. If Vf(vsk , s, T ||C1||C2) outputs accept, then out-put m = DK(C2) else ⊥.

We remark that, if the user is not in the recipient group andtherefore she cannot decrypt, the decryption algorithm onlyrequires the computation of a hash function.

5. PERFORMANCE ANALYSISLocation-sharing-based applications are usually run on a

mobile device, such as a smart phone or a tablet computer.Therefore, the available resources at the client side are lim-ited in terms of computational power and bandwidth whenon mobile connection. Furthermore, mobile devices usuallyhave a rather low battery capacity. Thus an applicationmust use the CPU or mobile communication interfaces, suchas WiFi or 3G, as moderate as possible in order not to drainthe battery too much. In order to evaluate the overhead ofour schemes, we implemented them in the C programminglanguage using the Pairing-Based Cryptography2 (PBC) li-brary. Subsequently, we imported the schemes within An-droid application using Android’s Native Development Kit3

(NDK) and tested the application on a Samsung S III mini(1 GHz dual-core CPU) which runs the CyanogenMod4 op-erating system.

In the following we provide the additional overhead im-posed by our schemes. This overhead is due to the compu-tation of cryptographic operations and due to the transmis-sion of key material and ciphertexts. Mobile applicationsfor LSBSs, such as Foursquare, are used on a large user baseand the overhead imposed by these services is accepted inpractice.

For the energy consumption of our schemes, we measurethe different current consumption of the phone when theCPU is idle and when the CPU load of one core is at themaximum. We found that the difference is 150 mA at 3.8V and thus that the power consumption is 570 mW if oneCPU core is at full load. Please note that we could notuse PowerTutor5 to estimate the energy consumption of ourschemes, because PowerTutor was designed for a Nexus 1mobile phone. Although PowerTutor does also run on ourSamsung S III mini, the energy measurements are likely tobe inaccurate, because both phones have a different CPUand we found that PowerTutor is unable to read the trafficsent and received on our phone. For the runtime estima-tion of our schemes, we executed our protocols 50 timesand computed the average. Multiplying the runtime withthe power consumption equals to the energy consumption ofour schemes.

The energy consumption of data transmission via a mobileinterface, such as WiFi and 3G, turns out to be significantlymore difficult. This is because the actual energy consump-tion for sending and receiving data depends on many factors,such as amount of data, time between two consecutive datatransmissions and network reception. We therefore use Bal-asubramanian et al. [2] work to outline ways to minimize theenergy consumed by our schemes.

5.1 Evaluation of the Sender-Private LSBSThe complexity of the Gentry and Waters [28] scheme that

we employ for our SPLS only depends on the size of the max-

2http://crypto.stanford.edu/pbc/3https://developer.android.com/tools/sdk/ndk/index.html4http://www.cyanogenmod.org/5http://powertutor.org/

imal broadcast group l. This means that for a given l, thecomputational and bandwidth overhead for computing thesymmetric key stays constant, regardless of n (the numberof users in the system) or k (actual receiver of a broadcastmessage). We therefore limit our evaluation to the systemparameter l.

As we can see in Figure 2a the time for creating the sym-metric key increases polynomially with l. For a reasonablylarge l, such as 100, our phone needs 8.66 seconds to com-pute the symmetric key in the encryption protocol and 7.42in the decryption protocol. While this appears to be ratherhigh, we must stress that a user is able to reuse a symmetrickey until the broadcast group changes or the key got com-promised. Therefore, a single symmetric key can be usedfor thousands of location shares. Furthermore, as we cansee in Figure 2b, the actual energy consumed for computinga symmetric key is 4.94 Joule for the encryption protocoland 4.23 Joule for the decryption protocol, which is verylow. The capacity of the standard battery of a Samsung SIII mini (3.8 V and 1500 mAh) is 20520 Joule and thereforecomputing even dozens of symmetric keys per day would notdrain the battery too much.

We show the bandwidth overhead of the FPLS in Fig-ure 2c. For creating a new symmetric key a user needs tosend 788 byte of data to the receiver of the broadcast group.Please note that even for k > 1 the user only needs to send788 byte instead of k×788 byte, because the service providerforwards the traffic to the intended receivers. The public keyof our scheme grows linearly in l. However, please note thatthe public key only needs to be sent very rarely. This iswhen a user signs up for the service, the new user receivesthe public key from the service provider, and if the serviceprovider decides to increase/decrease the size of the maximalbroadcast group and thus changes the parameter l. In thosecases, all the users in the system receive the new public key.

5.2 Evaluation of the Fully-Private LSBSIn the following we will first show that the computational

overhead that is imposed by the FPLS is feasible for currentmobile devices. Subsequently we will show that the FPLSimposes a significant bandwidth overhead. This is a prob-lem for two reasons. Firstly, data plans usually include afixed data volume to be transmitted before either the speedof the connection gets throttled or additional costs incur.Secondly, using mobile communication interfaces, such as3G or WiFi, is expensive in terms of energy and thereforesending and receiving higher amounts of data additionallydrains the battery. However, we make several suggestionson how our protocol should be deployed to significantly re-duce the energy consumption, although the transferred datavolume remains the same. Furthermore, as introduced inSection 4.3, the concept of big regions greatly helps in mak-ing the FPLS feasible. We therefore consider the FPLS as aprotocol which allows a very broad-ranged trade-off betweenlocation privacy and performance for users that do not wishto reveal their friendship graph. At the one extreme a veryhigh level of location privacy is possible if the user is willingto spend the necessary resources. On the other extreme auser reveals accurate location information towards the ser-vice provider and thereby decreases the amount of data thatis received.

As we can see in Figure 3a, the computation and energyoverhead for encryption grows only linearly in k and is there-

0

2

4

6

8

10

12

14

0 20 40 60 80 100 120

Tim

e in

s

Size of maximal broadcast group l

Runtime encRuntime dec

(a) Overview of runtimes for encryptionand decryption.

0

2

4

6

8

10

12

14

0 20 40 60 80 100 120

Ener

gy i

n J

oule

Size of maximal broadcast group l

Energy encEnergy dec

(b) Overview of energy consumption forencryption and decryption.

0

10

20

30

40

50

60

70

0 20 40 60 80 100 120

Dat

a in

kB

Size of maximal broadcast group l

Size of ciphertextSize of public key

(c) Overview of bandwidth overhead.

Figure 2: Runtime, energy consumption and bandwidth overhead of the SPLS for increasing l and fixed n = 1000 and k = 5.

fore lower than in the SPLS. Figure 3b shows that the over-head for decryption is about two magnitudes lower than inthe SPLS. Furthermore, Figure 3b shows the computationand energy overhead for fail-decryptions. These are the re-sources a user needs to spend in order to determine that alocation update is actually not for her. Recalling the bat-tery capacity of 20520 Joule, we can see that in terms ofcomputational overhead the FPLS allows for sharing mul-tiple locations per day and receiving thousands of locationupdates.

As already mentioned the main drawback of the FPLS isthe data a user receives due to flooding. Figure 3c showsthe lengths of a ciphertext as k increases. In [16], the au-thors state that the very majority of users has less than 100friends. Therefore, we can assume most ciphertexts to havea length of at most 60 kB. If an LSBS would have 1 millionusers, this would result in approximately 106×60kB = 57.22GB of data every user receives per day. Clearly, this is notfeasible. However, choosing a big region such that only0.01% of all the world-wide location updates are receivedresults in a bandwidth overhead of 5.86 MB per day.

The energy that is consumed for receiving data can be op-timized with two measures. Firstly, receiving data via theWiFi interface consumes significantly less energy than re-ceiving the same amount of data via 3G interface [2] (§ 3.6).For example receiving 500 kB of data via 3G consumesaround 19 Joule and only 5 Joule via WiFi. Secondly, asnoted in [2] (§ 3.6.1), the energy consumption strongly de-pends on the inter-transfer time between downloads. Forexample, receiving 50 kB transmissions with inter-transfertime 1 second consumes around 5 Joule, while it consumes10 Joule if the inter-transfer time is 9 seconds. We there-fore suggest: (i) to receive most of the traffic when a WiFiconnection is available; (ii) that the service provider cacheslocation updates for a certain period and sends them all atonce in order to have few but large data transmissions tothe users.

6. LSBS WITH AGGREGATE STATISTICSCOLLECTION

In our scheme, the service provider acts as a channel be-tween users. The service provider relays messages betweenthe sender and the receivers, but learns nothing about thecontent of the messages sent. The business model of cur-

rently deployed LSBS relies on learning user check-ins. Ser-vice providers use that information in order to, e.g., giverecommendations on most visited places and give discountsto users that check-in a number of times at a particular lo-cation.

We describe how our scheme can be extended to allowthe service provider to collect aggregated data on how manytimes users visit each of the locations. In this extension,each time a user checks-in, the user increases a committedcounter for that location. This committed counter is hiddenfrom the service provider. However, after a number of check-ins, the user can choose to disclose the counter of one of thelocations in order to, e.g., get a discount. The commitmentensures that the user cannot cheat and open the committedcounter to a different value.

We note that, in currently deployed LSBS, users can check-in at a certain location without being present at that loca-tion. The countermeasure against that is that the wronglocation disclosed to the service provider is also disclosed tothe user’s friends, which can cause annoyance.

Our extension provides the same countermeasure. Us-ing zero-knowledge proofs, the user proves to the serviceprovider that the location shared with her friends equals thelocation whose committed counter is increased. In order todo that, we make the following modification in our scheme.Instead of employing symmetric key encryption to encryptthe location message, we employ public key encryption. Thekey output when decrypting the broadcast encryption ci-phertext is an ElGamal private key, while the correspondingpublic key is transmitted along with the broadcast encryp-tion ciphertext.

In [16], a scheme that employs hardware devices at thephysical location in order to ensure that users can check-inonly if they are at the location is proposed. It is also possibleto extend our scheme with hardware devices to achieve thatproperty.

We note that the total number of locations where a usercan check-in is usually large. The user should maintain acommitted counter for each of the locations and, at eachcheck-in, increment it without disclosing the location or thevalue of the counter, yet proving that the location equalsthe location shared with her friends. If we employ Pedersencommitments, this operation would have a cost linear on thetotal number of locations, which would make it impractical.In order to have a cost independent of the total number of

0

2

4

6

8

10

0 20 40 60 80 100 120 0

2

4

6

8

10T

ime

in s

Ener

gy i

n J

oule

Size of broadcast group k

Runtime encEnergy enc

(a) Overview of runtime and energyconsumption for encryption.

0

30

60

90

0 20 40 60 80 100 120 0

30

60

90

Tim

e in

ms

Ener

gy i

n m

Joule

Size of broadcast group k

Runtime decEnergy dec

Runtime fail-decEnergy dail-dec

(b) Overview of runtime and energyconsumption for decryption and fail-decryption.

0

20

40

60

80

100

0 20 40 60 80 100 120

Dat

a in

kB

Size of broadcast group k

Size of ciphertext

(c) Overview of bandwidth overhead.

Figure 3: Runtime, energy consumption and bandwidth overhead of the FPLS for increasing k and fixed n = 1000.

locations, we employ P-commitments [33], which are basedon vector commitments.

6.1 Cryptographic Building BlocksWe recall the notation for zero-knowledge proofs and the

definitions of P-commitments in [33].

6.1.1 Zero-Knowledge Proofs of KnowledgeWe employ of classical results for efficient zero-knowledge

proofs of knowledge (ZKPK) for discrete logarithm rela-tions [46, 17, 15, 11, 10, 18]. In the notation of [13], aprotocol proving knowledge of exponents w1, . . . , wn satis-fying the formula φ(w1, . . . , wn) is described as

Kw1, . . . , wn : φ(w1, . . . , wn) (1)

Here, we use the symbol “ K” instead of “∃” to indicate thatwe are proving “knowledge” of the exponents, rather thanjust its existence. The formula φ(w1, . . . , wn) consists of con-junctions and disjunctions of “atoms”. An atom expresses

group relations, such as∏kj=1 g

Fjj = 1, where the gj are el-

ements of prime order groups and the Fj ’s are polynomialsin the variables w1, . . . , wn.

There exist practical zero-knowledge proofs for the typesof relations required in our protocols. We refer to Camenischet al. [12, 14] for details.

Extended zero-knowledge formulas.A proof system for (1) can be transformed into a proof sys-

tem for the following more expressive statements about se-cret exponents (wi)i = sexps and secret bases (gi)i = sbases:

Ksexps, sbases : φ(sexps, bases ∪ sbases) (2)

The transformation uses a blinded base g′i = gihρi for every

gi. It adds h and all g′i to the public bases, ρi to the secret

sexps, and rewrites gFji into g′i

Fjh−Fjρi for all i, j. Finally,we observe that the proof system supports pairing productequations

∏kj=1 e(gj , gj)

Fj = 1 in groups of prime order |G|with a bilinear map e : G× G→ Gt, by treating the targetgroup as the group of the proof system—we focus on thespecial case of i = j for simplicity: the embedding for secretbases is unchanged, except for the case in which both basesin a pairing are secret. In the latter case, e(gj , gj)

Fj needs

to be transformed into e(g′j , g′j)Fj e(g′j , h)−Fjρj e(h, g′j)

−Fj ρj

e(h, h)−Fjρj ρj .

Macro notation for zero-knowledge statements.We use a macro language to specify named proof compo-

nents that can be reused as sub-components of larger proofs.For example, we may define a proof macro for the long di-vision of a by q as follows: Div(a, q) 7→ (b) ≡ Ka, q, b,

r : a = b ∗ q + r ∧ r < b ∧ 0 ≤ a, b, q, r ≤√|G| ∧ b > 1.

Semantically, the function Div states that the division ofa by q gives b with remainder r. Secret a is interpretedas an initial value and secret b as a new value. In termsof cryptography, it is simply syntactic sugar, but importantsugar as demonstrated by the long list of side conditions toguarantee a unique positive solution modulo the order of G.Proving these inequalities is itself non-trivial and could befurther expanded using macros.

Named proof components can be used in further higher-level proofs without their details being made explicit. Forexample, the proof K. . . , a, q, b : · · ·∧ b = Div(a, q) can fromnow on be used in proof expressions instead of the complexrestrictions above. All variables within the component dec-laration (e.g., variables a, q, b in Div(a, q) 7→ (b)) can bere-used in the high level proof. Variables whose knowledgeis proved, but that are not in the declaration, are consideredinaccessible to the higher-level proof.

6.1.2 P-commitmentsA vector commitment scheme allows Alice to succinctly

commit to a vector x = 〈x1, . . . , xn〉 ∈ Mn such that shecan compute an opening w to xi and can replace xi by a newvalue x′i by updating her commitment, such that both w andthe update value is of size independent of i and n. A vectorcommitment scheme consists of the following algorithms.

Setup(1k, `). On input the security parameter 1k and an up-per bound ` on the size of the vector, generate the pa-rameters of the commitment scheme par , which includea description of the message spaceM and a descriptionof the randomness space R.

Commit(par ,x, r). On input a vector x ∈ Mn (n ≤ `) andr ∈ R, output a commitment com to x.

Prove(par , i,x, r). Compute a witness w for xi.

Verify(par , com, x, i,w). Output accept if w is a valid wit-ness for x being at position i and reject otherwise.

Update(par , com, i, x, r, x′, r′). On input a commitment comwith value x at position i and randomness r, outputa commitment com ′ with value x′ at position i andrandomness r′. The other positions remain unchanged.

A commitment scheme must be hiding and binding. Thehiding property requires that any probabilistic polynomialtime (p.p.t.) adversary A has negligible advantage in guess-ing which of two vectors x of values of its choice has beenused to compute a challenge commitment. The bindingproperty requires that any p.p.t. adversary A has negligibleadvantage in computing a vector x of length n, randomnessr, a value x, a position i ∈ [1..n] and a witness w such thatx[i] 6= x but the commitment com ← Commit(par ,x, r) canbe opened to x at position i using w .

A P-commitment scheme is a secure vector commitmentscheme that supports three ZKPKs.

Create. A proof of correct commitment generation thatproves knowledge of (x, r) such that Commit(par ,x,r) = com. We call the proof macro Create(x) →(com, r, (wi)i) as it proves that a P-commitment wascorrectly initialized to the vector x. The prover canthen use this commitment in subsequent proof steps.To simplify our macro notation, we use M = (com, r,(wi)i) as a shorthand for the collection of com, r, anddifferent wi values and refer to it as the memory of aP-commitment proof.

Get. A proof of a witness w that a value x was committedto in com at position i.

Get(M, i)→ (x) ≡Kx, i,w :

Verify(par , com, x, i,w) = accept ∧ i ∈ [1, n]

Set. A proof that a commitment com ′ is an update of com-mitment com at position i. This proof is slightly moreinvolved because it requires the prover to prove knowl-edge of the old vector value for the updated positionto bind the old and the new commitment together:

Set(M, i, x′)→ (M ′) ≡Kx[i], x′, i, r, r′,w :

com ′ = Update(par , com, i,x[i], r, x′, r′) ∧Verify(par , com,x[i], i,w) = accept ∧ i ∈ [1, n]

6.2 ConstructionAs mentioned above, in this extension the location mes-

sage m is encrypted using an ElGamal encryption c = (c1,c2) = (yr ·m, gr), where y = gx is the public key and x isthe secret key. The secret key is encrypted in the broadcastencryption ciphertext, while the public key is transmittedalong with the broadcast encryption ciphertext. We employa zero-knowledge proof of knowledge of m encrypted to in c:

Km, t : e(c1, g) = e(m, g) · e(t, g) ∧ e(t, g) = e(y, c2)

In our scheme, the indices (i1, . . . , in) of the committed vec-tor will be the locations, and n is the total number of lo-cations. We note that the schemes proposed in [33] to im-plement P-commitments employ a structure preserving sig-nature (SPS) scheme to sign together an index i with thegenerator gi for position i in the parameters of the commit-ment scheme. SPS sign group elements, and therefore we can

prove in zero-knowledge equality between the location mes-sage m encrypted in c and the index i of the P-commitment.Sender and receivers employ a table or a hash function tomap a location to an element of group G.

In the registration phase, the service provider executesSetup(1k, `), where ` is the number of locations, and sendspar to the users. Then, each user creates a vector x =(0, . . . , 0) of size `, picks r ∈ R and runs Commit(par ,x, r)to get com. The user sends com to the service provider,along with a proof

Kx : Create(x)→ (M) ∧ x = (0, . . . , 0)

where M = (com, r, (wi)i). This proof initializes the coun-ters for each of the locations to 0 and can be done veryefficiently in the P-commitment schemes in [33].

In the main phase, when a user sends a broadcast cipher-text to the service provider for location i encrypted in ci-phertext (c1, c2), the user sets x[i]′ = x[i] + 1, picks randomr′ ∈ R and runs Update(par , com, i,x[i], r,x[i]′, r′) to getcom ′. The user sends com ′ to the service provider, alongwith a proof

Ki, t,x[i],x[i]′ :

e(c1, g) = e(i, g) · e(t, g) ∧ e(t, g) = e(y, c2)∧Set(M, i,x[i]′)→ (M ′) ∧ x[i]′ = x[i] + 1

The user proves that she increments the committed counterfor the same location in the message encrypted in c. We re-call that the cost of this proof is independent of the numberof locations. When the service provider receives the broad-cast encryption ciphertext, the ElGamal ciphertex and pub-lic key, the commitment com ′ and the proof, the providerverifies the proof. If it is correct, then the provider replacesthe stored com by com ′ and sends the broadcast encryptionciphertext and the ElGamal ciphertext and public key tothe receivers. The receivers decrypt first the broadcast en-cryption ciphertex to get the ElGamal secret key, which isused to decrypt the ElGamal ciphertext and get the sender’slocation.

When a user wishes to open the counter corresponding toone of the locations, she can use algorithm Prove(par , i,x,r) to compute a witness w for location i and send (x[i], i,w)to the provider. The service provider runs Verify(par , com,x[i], i,w) and accepts the value of the counter x[i] if the ver-ification is successful. Alternatively, the user can also provestatements about the committed counter in zero-knowledge,e.g., prove that the counter has surpassed a threshold thatentitles her to receive a discount. The proof Get is employedfor this purpose.

The security of this extension relies on the security ofP-commitments. The hiding property, along with the zero-knowledge property of proofs of knowledge, ensures that theservice provider does not learn the values of the committedcounters or the locations whose counters are increased. Ad-ditionally, the binding property of P-commitments and theextractability of proofs of knowledge ensure that the com-mitted counters are updated correctly and that they cannotbe opened to a wrong value.

7. DISCUSSIONThe computation overhead of the SPLS is mainly due to

the creation of a symmetric key. An actual location sharingoperation is then encrypted using a fast encryption scheme,

such as AES. While we note that the symmetric key of theSPLS can be reused for many location sharing operations,we argue that even computing several symmetric keys perday is feasible. Firstly, as our evaluation shows computingsymmetric keys consumes very little energy and can thus bedone several times without draining the battery. Secondly,since modern smart phones have multi-core processors em-bedded, one core can be occupied for creating a symmetrickey while the phone is still usable for other operations, suchas email checking or surfing the web. All in all we thus arguethat on the user side our scheme imposes negligible overheadto the user’s device.

The FPLS on the other hand imposes a significant band-width overhead. However, we note that it is to the best ofour knowledge the only scheme that allows a user to hide herfriends without relying on proxies, such as in [45]. It does soby offering a privacy/performance trade-off, which has beenproposed before in schemes for privacy-preserving LSBS [45].Note that the FPLS is not vulnerable to velocity-based at-tacks [29] for two reasons. Firstly location updates hap-pen sporadically and not continuously and hence big regionsare much harder to correlate. Secondly, and more impor-tantly, the big regions are much bigger than in k-anonymityschemes, such as [31].

We note that our schemes are also suitable to implementother services, such as social recommendation applications.This is because in practice users can share arbitrary infor-mation in the ciphertext. Instead of encrypting locationinformation, users could share their reviews, such as howthey like the food in a particular restaurant. Furthermore,the low overhead of the SPLS and the strategy of reusingsymmetric keys would allow to use the scheme for locationtracking applications. Such applications require rather fre-quent location updates instead of sporadic ones, which isusually the case for check-in applications. Furthermore, wenote that our schemes are more efficient than a unicast solu-tion in which every user sends an encrypted location updateto each of her friends. This is because in our schemes theuser only needs to transmit the encrypted location update tothe service provider that is then forwarding it to the recipi-ents or all users of the service, respectively. This consumessignificantly less bandwidth and also less energy than in theunicast solution.

Although in the setup routine of the SPLS, as well as theFPLS, the service provider initially needs to commit to amaximal number of users n, we note that even if there aremore than n users in the service, the service provider doesnot need to re-initialize the service. In the SPLS, n is onlyused for checking that l ≤ n. This condition, however, ismaintained if it was true before and n increases. In theFPLS, the scheme’s public key can be extended, becausethe gai with i > n can be computed when necessary anddistributed among all users of the service.

Besides location-sharing, badge and mayorship protocolsare another main functionality of a GSN. For the latter pri-vacy preserving protocols have been proposed in [16]. Wenote that it would be possible to combine both approachesto build a privacy-preserving GSN.

8. CONCLUSIONSWe have defined the privacy properties that an LSBS

should provide and we have proposed two LSBS based onidentity-based broadcast encryption. Both constructions al-

low a user to share her location with her friends withoutdisclosing it to the service provider. The first constructiondiscloses to the service provider the receivers of a locationupdate, while the second does not. As advantages from pre-vious work, in our schemes the LSBS provider does not needto perform complex operations in order to compute a re-ply for a location data request, but only needs to forwardIBBE ciphertexts to the receivers. This allows to run aprivacy-preserving LSBS at significantly lower costs. We im-plement both constructions and present a performance anal-ysis that shows their practicality. Furthermore, we extendour schemes such that the service provider, performing someverification work, is able to collect privacy-preserving statis-tics about the places users share among each other. Thiscould be a way to monetize the privacy-preserving LSBS.

Acknowledgments.We thank the anonymous reviewers for their valuable com-

ments. We also thank Carmela Troncoso for insightful discus-

sions and helpful feedback. This research was supported in part

by the projects: IWT SBO SPION, FWO G.0360.11N, FWO

G.0686.11N, GOA TENSE (GOA/11/007), iMinds SoLoMIDEM,

and KU Leuven OT project Traffic Analysis Resistant Privacy

Enhancing Technologies.

9. REFERENCES[1] Michel Abdalla, Mihir Bellare, Dario Catalano, Eike

Kiltz, Tadayoshi Kohno, Tanja Lange, JohnMalone-Lee, Gregory Neven, Pascal Paillier, andHaixia Shi. Searchable encryption revisited:Consistency properties, relation to anonymous ibe,and extensions. In Advances in Cryptology–CRYPTO2005, pages 205–222. Springer, 2005.

[2] Niranjan Balasubramanian, Aruna Balasubramanian,and Arun Venkataramani. Energy consumption inmobile phones: a measurement study and implicationsfor network applications. In Proceedings of the 9thACM SIGCOMM conference on Internetmeasurement, pages 280–293. ACM, 2009.

[3] Adam Barth, Dan Boneh, and Brent Waters. Privacyin encrypted content distribution using privatebroadcast encryption. Financial Cryptography andData Security, pages 52–64, 2006.

[4] A.R. Beresford and F. Stajano. Mix zones: UserPrivacy in Location-aware Services. In PervasiveComputing and Communications Workshops, 2004.Proceedings of the Second IEEE Annual Conferenceon, pages 127 – 131, march 2004.

[5] Igor Bilogrevic, Murtuza Jadliwala, Kubra Kalkan,Jean-Pierre Hubaux, and Imad Aad. Privacy in mobilecomputing for location-sharing-based services. InPrivacy Enhancing Technologies, volume 6794 ofLecture Notes in Computer Science, pages 77–96.Springer Berlin Heidelberg, 2011.

[6] Dan Boneh and Xavier Boyen. Short signatureswithout random oracles. In Advances inCryptology-EUROCRYPT 2004, pages 56–73.Springer, 2004.

[7] Dan Boneh and Matt Franklin. Identity-basedencryption from the weil pairing. In Advances inCryptology-CRYPTO 2001, pages 213–229. Springer,2001.

[8] Dan Boneh, Craig Gentry, and Brent Waters.Collusion resistant broadcast encryption with shortciphertexts and private keys. In Advances inCryptology–CRYPTO 2005, pages 258–275. Springer,2005.

[9] Xavier Boyen and Brent Waters. Anonymoushierarchical identity-based encryption (withoutrandom oracles). In Advances in Cryptology-CRYPTO2006, pages 290–307. Springer, 2006.

[10] Stefan Brands. Rapid demonstration of linear relationsconnected by boolean operators. In Walter Fumy,editor, Advances in Cryptology — EUROCRYPT ’97,volume 1233 of LNCS, pages 318–333. SpringerVerlag, 1997.

[11] Jan Camenisch. Group Signature Schemes andPayment Systems Based on the Discrete LogarithmProblem. PhD thesis, ETH Zurich, 1998.

[12] Jan Camenisch, Nathalie Casati, Thomas Groß, andVictor Shoup. Credential authenticated identificationand key exchange. In CRYPTO, pages 255–276, 2010.

[13] Jan Camenisch, Stephan Krenn, and Victor Shoup. Aframework for practical universally composablezero-knowledge protocols. In ASIACRYPT, pages449–467, 2011.

[14] Jan Camenisch, Stephan Krenn, and Victor Shoup. Aframework for practical universally composablezero-knowledge protocols. Cryptology ePrint Archive,Report 2011/228, 2011. http://eprint.iacr.org/.

[15] Jan Camenisch and Markus Michels. Proving inzero-knowledge that a number n is the product of twosafe primes. In Jacques Stern, editor, Advances inCryptology — EUROCRYPT ’99, volume 1592 ofLNCS, pages 107–122. Springer Verlag, 1999.

[16] Bogdan Carbunar, Radu Sion, Rahul Potharaju, andMoussa Ehsan. The shy mayor: Private badges ingeosocial networks. In Feng Bao, Pierangela Samarati,and Jianying Zhou, editors, Applied Cryptography andNetwork Security, volume 7341 of Lecture Notes inComputer Science, pages 436–454. Springer BerlinHeidelberg, 2012.

[17] D. Chaum and T. Pedersen. Wallet databases withobservers. In CRYPTO ’92, volume 740 of LNCS,pages 89–105, 1993.

[18] R. Cramer, I. Damgard, and B. Schoenmakers. Proofsof partial knowledge and simplified design of witnesshiding protocols. In CRYPTO, pages 174–187, 1994.

[19] Joan Daemen and Vincent Rijmen. The design ofRijndael: AES-the advanced encryption standard.Springer, 2002.

[20] Cecile Delerablee. Identity-based broadcast encryptionwith constant size ciphertexts and private keys.Advances in Cryptology–ASIACRYPT 2007, pages200–215, 2007.

[21] Yevgeniy Dodis and Nelly Fazio. Public key trace andrevoke scheme secure against adaptive chosenciphertext attack. Public Key CryptographyaATPKC2003, pages 100–115, 2002.

[22] Changyu Dong and Naranker Dulay. Longitude: Aprivacy-preserving location sharing protocol for mobileapplications. In Trust Management V, volume 358 ofIFIP Advances in Information and Communication

Technology, pages 133–148. Springer BerlinHeidelberg, 2011.

[23] Nelly Fazio and Irippuge Perera. Outsider-anonymousbroadcast encryption with sublinear ciphertexts.Public Key Cryptography–PKC 2012, pages 225–242,2012.

[24] Amos Fiat and Moni Naor. Broadcast encryption. In

Advances in CryptologyaATCryptoaAZ93, pages480–491. Springer, 1994.

[25] J. Freudiger, R. Shokri, and J. Hubaux. Evaluatingthe Privacy Risk of Location-Based Services. InFinancial Cryptography and Data Security, volume7035 of LNCS, pages 31–46. Springer Berlin, 2012.

[26] Julien Freudiger, Raoul Neu, and Jean-Pierre Hubaux.Private sharing of user location over online socialnetworks. 3rd Hot Topics in Privacy EnhancingTechnologies (HotPETs 2010), 2010.

[27] Sebastien Gambs, Olivier Heen, and Christophe Potin.A comparative privacy analysis of geosocial networks.In Proceedings of the 4th ACM SIGSPATIALInternational Workshop on Security and Privacy inGIS and LBS, SPRINGL ’11, pages 33–40, New York,NY, USA, 2011. ACM.

[28] Craig Gentry and Brent Waters. Adaptive security inbroadcast encryption systems (with short ciphertexts).Advances in Cryptology-EUROCRYPT 2009, pages171–188, 2009.

[29] Gabriel Ghinita, Maria Luisa Damiani, ClaudioSilvestri, and Elisa Bertino. Preventing velocity-basedlinkage attacks in location-aware applications. GIS ’09,pages 246–255, New York, NY, USA, 2009. ACM.

[30] Gabriel Ghinita, Panos Kalnis, Ali Khoshgozaran,Cyrus Shahabi, and Kian-Lee Tan. Private queries inlocation based services: anonymizers are notnecessary. SIGMOD ’08, pages 121–132, New York,NY, USA, 2008. ACM.

[31] M. Gruteser and D. Grunwald. Anonymous Usage ofLocation-Based Services Through Spatial andTemporal Cloaking. MobiSys ’03, pages 31–42, NewYork, NY, USA, 2003. ACM.

[32] Leping Huang, Hiroshi Yamane, Kanta Matsuura, andKaoru Sezaki. Towards modeling wireless locationprivacy. In George Danezis and David Martin, editors,Privacy Enhancing Technologies, volume 3856 ofLecture Notes in Computer Science, pages 59–77.Springer Berlin Heidelberg, 2006.

[33] Markulf Kohlweiss and Alfredo Rial. Optimallyprivate access control. In Proceedings of the 12th ACMworkshop on Workshop on privacy in the electronicsociety, pages 37–48. ACM, 2013.

[34] John Krumm. Inference attacks on location tracks. InAnthony LaMarca, Marc Langheinrich, and KhaiN.Truong, editors, Pervasive Computing, volume 4480 ofLecture Notes in Computer Science, pages 127–143.Springer Berlin Heidelberg, 2007.

[35] John Krumm. Realistic driving trips for locationprivacy. In Hideyuki Tokuda, Michael Beigl, AdrianFriday, A. Brush, and Yoshito Tobe, editors, PervasiveComputing, volume 5538 of Lecture Notes inComputer Science, pages 25–41. Springer Berlin /Heidelberg, 2009.

[36] Allison Lewko, Amit Sahai, and Brent Waters.Revocation systems with very small private keys. InSecurity and Privacy (SP), 2010 IEEE Symposium on,pages 273–285. IEEE, 2010.

[37] Mingyan Li, Krishna Sampigethaya, Leping Huang,and Radha Poovendran. Swing & swap: User-centricapproaches towards maximizing location privacy.WPES ’06, pages 19–28, New York, NY, USA, 2006.ACM.

[38] Benoıt Libert, Kenneth Paterson, and ElizabethQuaglia. Anonymous broadcast encryption: adaptivesecurity and efficient constructions in the standardmodel. Public Key Cryptography–PKC 2012, pages206–224, 2012.

[39] Zi Lin, Denis Foo Kune, and Nicholas Hopper.Efficient private proximity testing with gsm locationsketches. In AngelosD. Keromytis, editor, FinancialCryptography and Data Security, volume 7397 ofLecture Notes in Computer Science, pages 73–88.Springer Berlin Heidelberg, 2012.

[40] Dalit Naor, Moni Naor, and Jeff Lotspiech.Revocation and tracing schemes for stateless receivers.In Advances in Cryptology-CRYPTO 2001, pages41–62. Springer, 2001.

[41] Arvind Narayanan, Narendran Thiagarajan, MugdhaLakhani, Michael Hamburg, and Dan Boneh. Locationprivacy via private proximity testing. In NDSS, 2011.

[42] Femi Olumofin, Piotr Tysowski, Ian Goldberg, andUrs Hengartner. Achieving efficient query privacy forlocation based services. In Privacy EnhancingTechnologies, pages 93–110. Springer, 2010.

[43] Tatiana Pontes, Marisa Vasconcelos, Jussara Almeida,Ponnurangam Kumaraguru, and Virgilio Almeida. Weknow where you live: Privacy characterization offoursquare behavior. In 4th International Workshop onLocation-Based Social Networks (LBSN 2012), 2012.

[44] Raluca Ada Popa, Andrew J Blumberg, HariBalakrishnan, and Frank H Li. Privacy andaccountability for location-based aggregate statistics.In Proceedings of the 18th ACM conference onComputer and communications security, pages653–666. ACM, 2011.

[45] K.P.N. Puttaswamy, Shiyuan Wang, T. Steinbauer,D. Agrawal, A. El Abbadi, C. Kruegel, and B.Y.Zhao. Preserving location privacy in geosocialapplications. Mobile Computing, IEEE Transactionson, 13(1):159–173, Jan 2014.

[46] C. Schnorr. Efficient signature generation for smartcards. Journal of Cryptology, 4(3):239–252, 1991.

[47] R. Shokri, G. Theodorakopoulos, J. Le Boudec, andJ. Hubaux. Quantifying Location Privacy. In Securityand Privacy (SP), pages 247 –262, May 2011.

[48] C.R. Vicente, D. Freni, C. Bettini, and Christian S.Jensen. Location-related privacy in geo-socialnetworks. Internet Computing, IEEE, 15(3):20–27,2011.

[49] Brent Waters. Dual system encryption: Realizing fullysecure ibe and hibe under simple assumptions.Advances in Cryptology-CRYPTO 2009, pages619–636, 2009.

[50] Ge Zhong, Ian Goldberg, and Urs Hengartner. Louis,lester and pierre: Three protocols for location privacy.

In Nikita Borisov and Philippe Golle, editors, PrivacyEnhancing Technologies, volume 4776 of Lecture Notesin Computer Science, pages 62–76. Springer BerlinHeidelberg, 2007.