Article

A Search Efficient Privacy-Preserving Location-Sharing Scheme in Mobile Online Social Networks

1
National Engineering Laboratory for Disaster Backup and Recovery, Information Security Center, School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
2
School of Mathematical Sciences, Beihang University, Beijing 100083, China
*
Author to whom correspondence should be addressed.
Current address: National Engineering Laboratory for Disaster Backup and Recovery, School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China.
Appl. Sci. 2020, 10(23), 8402; https://doi.org/10.3390/app10238402
Submission received: 9 October 2020 / Revised: 20 November 2020 / Accepted: 24 November 2020 / Published: 25 November 2020

Abstract
With the advent of intelligent handheld devices, location sharing has become one of the most popular services in mobile online social networks (mOSNs). In location-sharing services, users can enjoy a better social experience by updating their real-time location information. However, the leakage of private information may hinder the further development of location-sharing services. Although many solutions have been proposed to protect users’ privacy, the privacy-utility trade-off must be considered. Therefore, we propose a new scheme called the search efficient privacy-preserving location-sharing (SELS) system. In our scheme, we introduce a new approach named associated grids to improve the efficiency of location-sharing systems while maintaining users’ privacy. In addition, the user-defined access control policy proposed in our scheme allows users’ flexible privacy-preserving requirements to be satisfied. Detailed complexity and security analysis show that the proposed scheme is a practical and efficient privacy-preserving solution. Extensive simulations are performed to validate the effectiveness and performance of our scheme.


1. Introduction

The rapid advance of mobile communication technologies and modern smartphones is changing the way people socialize [1,2]. New social paradigms named mobile online social networks (mOSNs) have become ubiquitous in recent years. In addition to providing regular services such as sharing pictures, status, and moods, as on traditional web-based social networks, mOSNs also supply new services such as searching for Points of Interest (POIs) and querying for nearby friends, which offer users much convenience.
Location-based service (LBS), one of the most important components in mOSNs, plays an increasingly significant role in daily life [3,4]. With the help of network access service and positioning techniques (e.g., Global Positioning System (GPS) and cellular tower geolocation service) of mobile devices, many applications of LBS have been proposed, such as location-based mobile service recommendations and check-in games like Foursquare. LBS promotes the change from traditional social networks to mobile social networks and makes real-time location-sharing services a reality.
Due to the convenience brought by real-time location-sharing services, users can enjoy a better experience by updating their real-time location information. However, some security issues, especially location privacy, have become a major concern for users. It is important to prevent personal location information from being obtained by malicious attackers, since users’ geographical locations are very sensitive data related to the spatial and contextual information about users. For example, users’ job and housing locations may be inferred from public records of bicycle renting stations [5]. By collecting and analyzing social and location-related information, adversaries can infer users’ crucial private information such as their preferences, faiths, and physical conditions. Some criminals may even launch personal tracking attacks after obtaining users’ private information. Without a guarantee of privacy, users may not be willing to share their location information. Therefore, how to protect users’ privacy, especially in real-time location-sharing services, is one of the main challenges at present.
Fortunately, some solutions have been put forward on this issue. Wei et al. [6] proposed a location-sharing system, named MobiShare, to protect users’ location privacy for friends’ and strangers’ queries in location-sharing applications. Then, to prevent a third-party such as the location server from learning users’ sensitive information, Li et al. [7] proposed a series of privacy interaction protocols to reduce security risks. Subsequently, a solution, called N-Mobishare, was introduced by Liu et al. [8] to preserve users’ location and social information via the social network server and the location server respectively. Afterwards, Shen et al. [9] put forward a scheme named B-Mobishare that used Bloom Filter to improve the efficiency of privacy interaction protocols proposed in [7]. To prevent the disclosure of users’ privacy in social networks and improve the flexibility of privacy protection, Sun et al. [10] designed a user-defined location-sharing system. To overcome the drawback of disclosing users’ social network privacy and prevent the location server from learning users’ complete social network relationships, Li et al. [11] proposed a scheme which used multiple location servers (MLS) to protect users’ social network privacy. Further, to decrease communication overhead, Xiao et al. [12] designed a centralized architecture to address the privacy issues in location-sharing systems.
However, while protecting users’ privacy, the previous solutions seldom consider system efficiency or the flexibility of users’ privacy-preserving requirements. In location-sharing systems, a user can request a location-sharing service to query friends’ locations. However, in the previous work, the locations (whether real coordinates or dummy coordinates used for protecting location privacy) of all of the user’s friends must be sent to the location server for distance calculation and comparison, regardless of the user’s query distance. In fact, some locations may be far beyond the query distance of the user, so the distance calculation is not required for them. In addition, most of the previous works only focus on basic security requirements in location-sharing systems such as protecting users’ identities and locations. However, users may have privacy-preserving requirements for some sensitive areas or specific geofences such as the workplace. Therefore, how to design user-defined access control policies that meet users’ flexible privacy-preserving requirements is also an urgent issue.
In this paper, we propose a search efficient privacy-preserving location-sharing scheme (i.e., SELS) to solve the issues mentioned above. The main contributions of this paper are as follows.
(1)
We create a new approach named associated grids to improve the efficiency of location-sharing systems. Based on the grid structure and a user’s query distance, we can find out the smallest set of grid cells (i.e., the associated grids) that cover the user’s query distance. By using the approach, our scheme can filter out the locations of the user’s friends that are not in the associated grids, which can reduce the burden of distance calculation and comparison on the location server.
(2)
We propose a new user-defined access control policy to meet users’ flexible privacy-preserving requirements. For some specific geofences or sensitive areas that users do not want to share with their friends, users can use the access control policy to prevent the leakage of privacy in social networks. Compared with paper [10], our solution can provide a more flexible privacy-preserving way, rather than simply preventing users from sharing locations with their friends.
(3)
Extensive simulations are implemented to explore the relationship between different solutions and parameters, as well as the performance of our scheme (i.e., SELS).
The remainder of this paper is organized as follows. After discussing the related work in Section 2, the notations and techniques are introduced in Section 3. Subsequently, we show our system architecture and security model in Section 4. Then, the detailed scheme description and discussion about security and efficiency are given in Section 5 and Section 6, respectively. Finally, we show the experiment results and our conclusions in Section 7 and Section 8.

2. Related Work

With the increasing prevalence of mobile devices, especially smartphones, mOSNs have gone through rapid development [13,14]. Location sharing, an increasingly important service in mOSNs, brings people great convenience. However, the privacy issues caused by location sharing have also become an urgent problem [15]. To address this issue, many privacy-preserving methods such as k-anonymity [16], dummies [17], and spatial cloaking [18] have been widely adopted. Security and system efficiency are the two important aspects of location-sharing systems. Therefore, the current location-sharing solutions are introduced below from these two aspects.
Many solutions have been proposed to protect users’ sensitive information such as identities and locations. For example, Li et al. [7] pointed out that users’ real identities may be leaked to the location server during location-sharing services. Thus, they proposed a security mechanism named MobiShare+ which employs dummy queries to protect identity privacy. Son et al. [19] used a broadcast form to query the information of nearby friends and introduced a new cryptographic primitive called the functional pseudonym to protect users’ identity information. To overcome the privacy threat caused by users’ co-location information, Olteanu et al. [20] proposed a game-theoretic framework to explore the relationship between users’ behaviors and locations. Lin et al. [21] stated that users may provide inaccurate positioning data in location-sharing systems. Hence, they designed an attack method to reveal the shortcomings of location privacy protection in existing location-sharing mechanisms. Recently, to prevent the disclosure of users’ identities caused by users’ threshold distances, Xu et al. [22] have proposed a secure distance comparison protocol based on Paillier encryption. However, the above solutions mainly focus on the basic security requirements in location-sharing systems, such as protecting users’ identity privacy and location privacy, but cannot meet user-defined privacy-preserving requirements. To resist attacks from friends, Sun et al. [10] created a user-defined access control policy which allows a user to determine whether to share a location with some of his/her friends. However, that access control policy is aimed at untrusted friends, not at sensitive areas. If the user has a privacy-preserving requirement for some geofences such as the workplace, the user has to set the access control policy for all his/her friends each time the user is in these geofences. Similarly, when the user moves to other places and wants to use location-sharing services, the user has to reset the access control policy. Therefore, in terms of the privacy-preserving requirements for sensitive areas, the above access control policy is not flexible enough.
While maintaining users’ privacy, some schemes have been proposed to improve the efficiency of location-sharing systems. For example, a location update database is adopted in [6] to improve search efficiency and reduce the time needed to find users’ locations. However, the location update database brings a great storage burden. In order to increase transmission efficiency, Shen et al. [9] proposed a scheme named B-Mobishare that uses a Bloom Filter to filter the sensitive data transmitted between the social network server and the location server. However, B-Mobishare suffers from a high time cost and computational overhead. To prevent the location server from obtaining users’ complete social network relationships, Li et al. [11] designed a new architecture with multiple location servers, which also increases the computing power available for distance calculation and comparison. Unfortunately, multiple location servers mean an increase in hardware costs. To enhance the efficiency of data transmission, Xiao et al. [12] proposed a centralized location-sharing system that integrates the social network server and the location server into one server. However, that increase of system efficiency comes from the change of system architecture. Overall, the above schemes cannot filter out locations in advance based on an issuing user’s query distance. For example, when a user submits a query with a certain query distance and wants to request a location-sharing service with nearby friends, the social network server in [6,11,12] first finds the locations (whether real coordinates or dummy coordinates) of the user’s friends, and then directly sends these locations to the location server even though some locations are far beyond the query distance of the user. Thus, their solutions affect system efficiency, since the location server in their schemes has to retrieve the locations of all of the user’s friends rather than the locations filtered based on the user’s query distance.

3. Preliminaries

In this section, we explain the basic concepts used in this work. Key notations used in this paper are summarized in Table 1.

3.1. Grid Structure

Before users request location-sharing services, the location-sharing system usually specifies a query area (e.g., a city or an administrative district). Therefore, the grid structure [23] can be used to divide a query area into a certain number of grid cells. With the grid structure, a query area is mapped onto a uniform structure: a square or rectangle covering the entire query area, made up of grid cells of equal size. The size of each grid cell is defined as $S \times S$. Suppose that the lower-left and upper-right coordinates of a query area are denoted as $(x_a, y_a)$ and $(x_b, y_b)$, respectively; then the query area can be divided into $n_x \times n_y$ grid cells of equal size and represented by Equation (1):
$$\mathit{Query\_area}\big((x_a, y_a), (x_b, y_b), n_x, n_y\big). \qquad (1)$$
To unify the grid structure, the lower-left and upper-right coordinates are translated so that the lower-left corner becomes the origin, Equation (2):
$$x_c = x_a - x_a;\quad y_c = y_a - y_a;\quad x_d = x_b - x_a;\quad y_d = y_b - y_a. \qquad (2)$$
Then $n_x = (x_d - x_c)/S$ and $n_y = (y_d - y_c)/S$ can be calculated (rounded up to the next integer when a side of the area is not a multiple of $S$).
In the uniform grid structure, each grid cell can be represented by a unique identifier. Herein, the identifier $GID$ of each grid cell is represented by $(r_i, c_i)$, where $r_i$ denotes the row identifier along the Y-axis and $c_i$ denotes the column identifier along the X-axis. Figure 1a shows an example of determining the identifier $GID_a$ of the grid cell in which base station B is located. The identifier can be calculated by Equation (3), where $(x_b, y_b)$ now denotes the coordinates of base station B and $y_d/n_y = x_d/n_x = S$ is the cell size; in the example, $GID_a$ is identified as (5, 5):
$$r_b = \frac{y_b - y_a}{y_d / n_y}, \qquad c_b = \frac{x_b - x_a}{x_d / n_x}, \qquad (3)$$
with both quotients rounded down to integers.

3.2. Associated Grids

Based on the grid structure and an issuing user’s query distance, we can find a certain number of grid cells that cover the issuing user’s query distance. Thus, the associated grids are the smallest set of grid cells that cover the query distance of an issuing user. Suppose that a user wants to search for nearby users (e.g., friends or strangers) and submits a request with query distance $l$ through base station B. If base station B is located in grid cell $GID_a$, then we can lock down the smallest set of grid cells that need to be searched based on the query distance $l$. The specific steps are as follows.
(1)
Based on the grid cell in which base station B is located, the four corner coordinates (i.e., upper-left, lower-left, upper-right, and lower-right) of $GID_a$ can be found.
(2)
Four circles are formed by taking the user’s query distance $l$ as the radius and the four corner coordinates of $GID_a$ as the centers.
(3)
The grid cells that cover (i.e., intersect) the above four circles are determined. These grid cells are named the associated grids of the user. A cell that merely touches a circle should be kept as well: a superset of the associated grids only costs extra distance comparisons, whereas a missed cell could hide a user who really is within $l$. Figure 1b shows the associated grids (i.e., green grid cells) when the user’s query distance is 2 km.
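The two constructions above, carried out in code as an added example by the editor (not the paper’s implementation): the 20 km × 20 km query area, the 1 km cell size and the base station position are constructed inputs, and Equation (3) is applied with the integer parts taken. The associated grids are found exactly as the three steps describe, by testing each nearby cell against the four corner circles; the test keeps cells that merely touch a circle, so the result is never smaller than the set of cells a nearby user could be in.

```python
"""Grid structure (Section 3.1) and associated grids (Section 3.2) of SELS.

Added example, not code from the paper. Coordinates are planar metres; the
query area, the cell size S and the base station position are constructed.
"""
import math


def grid_params(xa, ya, xb, yb, S):
    """Eq. (2) moves the lower-left corner of the area to the origin; Eq. (1)
    then needs n_x x n_y cells of side S (a partial last row/column is kept)."""
    xc, yc = xa - xa, ya - ya                 # both 0 after the translation
    xd, yd = xb - xa, yb - ya
    return math.ceil((xd - xc) / S), math.ceil((yd - yc) / S)


def cell_id(x, y, xa, ya, S):
    """Eq. (3): GID = (row, col) of the cell containing (x, y); rows follow the Y axis."""
    return (int((y - ya) // S), int((x - xa) // S))


def associated_grids(gid, l, S, nx, ny):
    """Cells that intersect any of the four discs of radius l centred on the
    corners of cell gid. A cell whose nearest point to a corner is exactly l
    away is kept too: a superset costs extra comparisons, a missed cell could
    hide a friend who really is within l."""
    r, c = gid
    corners = [(cx, cy) for cx in (c * S, (c + 1) * S) for cy in (r * S, (r + 1) * S)]
    reach = math.ceil(l / S) + 1              # no cell farther away can touch a disc
    cells = set()
    for rr in range(max(0, r - reach), min(ny - 1, r + reach) + 1):
        for cc in range(max(0, c - reach), min(nx - 1, c + reach) + 1):
            x0, y0, x1, y1 = cc * S, rr * S, (cc + 1) * S, (rr + 1) * S
            for px, py in corners:
                qx, qy = min(max(px, x0), x1), min(max(py, y0), y1)   # nearest cell point
                if math.hypot(px - qx, py - qy) <= l:
                    cells.add((rr, cc))
                    break
    return cells


def demo():
    """Figure 1 scenario: base station in cell (5, 5), query distance 2 km."""
    xa, ya, xb, yb, S = 0.0, 0.0, 20_000.0, 20_000.0, 1_000.0   # 20 km x 20 km, 1 km cells
    nx, ny = grid_params(xa, ya, xb, yb, S)
    gid_a = cell_id(5_500.0, 5_500.0, xa, ya, S)                 # B at (5.5 km, 5.5 km)
    grids = associated_grids(gid_a, 2_000.0, S, nx, ny)
    return nx, ny, gid_a, grids
```

With these inputs `demo()` returns a 20 × 20 grid, `GID_a = (5, 5)` and 37 associated cells out of 400, which is the reduction the location server benefits from: friends outside those 37 cells are never sent for distance comparison.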

3.3. RSA Signature Scheme

RSA digital signature, a mature and popular signature scheme, has been used in many studies. The key point of the RSA digital signature is to use the characteristics of asymmetric encryption; that is, the private key is used to produce the signature and the public key is used to verify it. There are three algorithms in an RSA digital signature scheme, i.e., $\mathit{KeyGen}$, $\mathit{Sig}$, and $\mathit{Ver}$. The description of the algorithms is as follows.
(1)
$\mathit{KeyGen}$ is a key pair generation algorithm. Firstly, select two large prime numbers $p$ and $q$. Then, compute $N = p \times q$ and choose $e$ such that $1 < e < \lambda(N)$ and $\gcd(e, \lambda(N)) = 1$, where $\gcd$ is the greatest common divisor and $\lambda(N) = \mathrm{lcm}(p-1, q-1)$ is Carmichael’s function (Euler’s totient $\varphi(N) = (p-1)(q-1)$ may be used in place of $\lambda(N)$; both give a valid key pair). Finally, compute $d = e^{-1} \pmod{\lambda(N)}$; then $(N, e)$ is defined as the public key and $(N, d)$ as the private key.
(2)
$\mathit{Sig}$ is a signing algorithm. Suppose $M$ ($0 \le M < N$) is the message to be signed; then $C = M^{d} \pmod N$, computed with the private exponent $d$, is the signature that will be sent and used for verification.
(3)
$\mathit{Ver}$ is a verification algorithm. Given a signature $C$, the verifier computes $M' = C^{e} \pmod N$ with the public exponent $e$; if $M'$ is the same as the original message $M$, then $C$ is accepted as a valid signature.
Note that in practice $M$ is not the raw message but a hash of it combined with a standardized padding (e.g., PKCS #1 v1.5 or RSA-PSS): raw RSA is multiplicative, $\mathit{Sig}(M_1)\,\mathit{Sig}(M_2) \equiv \mathit{Sig}(M_1 M_2) \pmod N$, so an attacker holding two signatures can forge a third.
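The three algorithms above in code, as an added example by the editor (not the paper’s code): two Mersenne primes stand in for the large primes, and a SHA-256 digest reduced into $\mathbb{Z}_N$ stands in for the padding a real implementation would use; both are constructed simplifications. Beyond the KeyGen/Sig/Ver triple, `forgery_demo` shows the practical caveat: two valid raw-message signatures multiply into a valid signature on the product of the messages, whereas the hashed variant rejects the same forgery.

```python
"""RSA KeyGen/Sig/Ver of Section 3.3 and why raw-message signing is not enough.

Added example, not the paper's code. Two Mersenne primes give a toy key far too
small for real use, and a SHA-256 digest reduced into Z_N stands in for the
PKCS #1 padding a real implementation would apply (constructed simplification).
"""
import hashlib
import math


def keygen(p, q, e=65537):
    """KeyGen: N = p*q, lambda(N) = lcm(p-1, q-1), d = e^-1 mod lambda(N)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if not (1 < e < lam and math.gcd(e, lam) == 1):
        raise ValueError("e must be coprime to lambda(N)")
    return (n, e), (n, pow(e, -1, lam))       # public (N, e), private (N, d)


def sign_raw(sk, m):
    """Sig: C = M^d mod N with the private exponent."""
    n, d = sk
    return pow(m, d, n)


def verify_raw(pk, m, c):
    """Ver: accept iff C^e mod N equals M (public exponent)."""
    n, e = pk
    return 0 <= m < n and pow(c, e, n) == m


def digest(m, n):
    """Hash-then-sign: map the integer message to a digest in Z_N."""
    raw = m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n


def sign_hashed(sk, m):
    return sign_raw(sk, digest(m, sk[0]))


def verify_hashed(pk, m, c):
    return verify_raw(pk, digest(m, pk[0]), c)


PK, SK = keygen(2**31 - 1, 2**61 - 1)         # toy key: both factors are Mersenne primes


def forgery_demo(m1=1234, m2=5678):
    """RSA is multiplicative: Sig(m1)*Sig(m2) = Sig(m1*m2) mod N. With raw
    messages that lets anyone holding two signatures forge a third; with
    hashing, the product signature no longer matches digest(m1*m2)."""
    n = PK[0]
    m3 = m1 * m2 % n
    forged_raw = sign_raw(SK, m1) * sign_raw(SK, m2) % n
    forged_hashed = sign_hashed(SK, m1) * sign_hashed(SK, m2) % n
    return verify_raw(PK, m3, forged_raw), verify_hashed(PK, m3, forged_hashed)
```

`forgery_demo()` returns `(True, False)`: the raw scheme accepts the forged signature on $M_1 M_2$, the hashed scheme rejects it. A deployment of the registration step below should therefore sign with a vetted library and PKCS #1 v1.5 or PSS padding rather than this toy reduction.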

4. System Architecture and Security Model

In this section, we first give the system architecture and the security model. Then, security goals for our scheme are identified and listed.

4.1. Architecture

The architecture of our location-sharing system consists of four entities: users, base stations, the social network server, and the location server. Figure 2a,b shows the system architecture of our scheme and the workflow of a location query, respectively.
(1)
Users, with mobile terminals, can send a request for location sharing with nearby friends or strangers. Within a specified query distance, an issuing user can learn the locations of nearby friends or strangers if the pre-set access control policies are satisfied. Users communicate with base stations and the online social network server directly via their mobile devices. Each user has exactly one unique identity in the online social network server.
(2)
A base station (B) is an entity with a certain amount of computational capability that acts as a relay. Users communicate with the servers through base stations.
(3)
The social network server (SNS) is an entity that stores users’ social network topology in the form of a social network graph $G = (V, E)$. $V$ is the set of vertices, which represent users’ identities, and $E$ is the set of edges, which indicate friendship relationships. If two vertices are connected by an edge, the two corresponding users have a social relationship (i.e., they are friends). In addition, the social network server is responsible for user registration and provides social network services based on the requirements of users’ queries.
(4)
The location server (LS) is an entity that stores the location information of users and dummies. In addition, it takes charge of providing location-related services such as computing and comparing the Euclidean distance between two locations based on their coordinates.

4.2. Security Model

In our security model, the base station (B) is assumed to be a trusted entity, which means it knows the transmitted information but does not leak any sensitive information. Herein, we mainly focus on the threats posed by users, SNS, and LS.
Users are assumed to be dishonest and to try to obtain as much unauthorized information beyond the scope of their access privileges as possible. Thus, by querying other users’ locations in location-sharing systems, they want to infer sensitive information (e.g., home addresses) about their friends or strangers.
The social network server (SNS) is assumed to be “honest-but-curious”, which means SNS will execute the proposed protocol honestly but try to obtain sensitive information such as users’ actual locations from the interactive communications. Previous work such as [6,12] also uses base stations in its system architecture, and assumes that the social network server cannot identify base stations by observing their IP addresses in the connections. However, if a system insider (e.g., an employee) colludes with SNS, the approximate region of a user who sends a request for location-sharing services can be figured out, since the locations of base stations are fixed. Thus, we assume that SNS, with the help of insiders, can infer the approximate region of users, since users have to use base stations to submit location-sharing requests.
The location server (LS) is also assumed to be “honest-but-curious”, which means LS will execute the proposed protocol honestly but try to obtain sensitive information such as users’ social network topology or identities.
However, collusion between SNS and LS, which means they cooperate to gain users’ sensitive information, is beyond our security assumption. In addition, information leakage and eavesdropping during transmission are also beyond the scope of our scheme.

4.3. Security Goals

According to the security model, the security goals are given as follows.
Users’ actual location information should be kept secret from SNS and unauthorized users. In addition, users’ location information must not be revealed to friends or strangers who do not match their pre-set access control policies.
The social network server (SNS) should be prevented from obtaining users’ actual location information even though it can collude with malicious insiders to obtain users’ approximate regions.
The location server (LS) should be prevented from obtaining users’ real social network information, location information, and identity information.

5. Search Efficient Privacy-Preserving Location-Sharing (SELS) Scheme

To preserve users’ privacy and improve the efficiency of location-sharing systems, the proposed scheme utilizes the grid structure and anonymization techniques (pseudo-IDs and dummies). The details of each step are given below.
Initialization. SNS assigns a unique identifier $ID$ to each user and builds the social network graph $G = (V, E)$ for users. Then, SNS creates a mapping relationship set $\{ID, PIDlist = (PID_1, PID_2, \dots, PID_k), ind\}$ for each user. $PIDlist$ is a pseudo-ID set generated by a pseudo-random function [24]. $ind$ is an index that indicates the real pseudo-ID in $PIDlist$, where $1 \le ind \le k$ and $k$ is the number of pseudo-IDs. Finally, SNS shares the mapping relationship with B.
In addition, B builds a grid structure for the entire query area of the location-sharing system and creates a mapping relationship between $GID = \{GID_1, GID_2, \dots, GID_n\}$ and $GFID = \{GFID_1, GFID_2, \dots, GFID_n\}$, where $GID$ is the identifier set of grid cells and $GFID$ is the fake-ID set generated by the cryptographic hash function SHA-1. Note that each grid cell identifier in $GID$ corresponds to exactly one fake-ID in $GFID$. Afterwards, B shares the mapping relationship with SNS.
Registration. Firstly, user U sends a registration request in the form of $(ID, d_f, d_s, ts, \mathit{Sig}(ID, ts))$ to SNS, where $ts$ is a time-stamp used to prevent replay attacks, $d_f$ and $d_s$ represent U’s distance thresholds for friends’ and strangers’ location queries respectively, and $\mathit{Sig}(ID, ts)$ is a signature generated with U’s private key over the identifier $ID$ and the time-stamp $ts$. After receiving U’s registration request, SNS checks that $ts$ is fresh and uses U’s public key to verify the signature. If the recovered $ID$ is the same as the identifier assigned to U by SNS in advance, SNS sends a message $OK$ to U. Secondly, SNS sends a notification in the form of $(ID, d_f, d_s, reg)$ to B, where $reg$ is a notice meaning that this $ID$ is a registered one. After receiving the notification, B replies with a message $OK$ to SNS and stores the corresponding information in its database. Figure 3 shows the message transmission for registration.
Update. The update process includes the mapping relationship update and the location update.
Figure 4 shows the process of the mapping relationship update. The detailed steps are as follows:
(1)
B generates a new mapping relationship between grid cells’ identifiers and their fake-IDs $GFID' = \{GFID'_1, GFID'_2, \dots, GFID'_n\}$. Then, the new fake-ID set $GFID'$ is encrypted with the secret key $SecK_{B\&S}$ shared between B and SNS, and sent to SNS.
(2)
SNS uses a random number generator [25] to generate a new $ind$ for each user. Then, the new $ind$ and the identifier $ID$ of each user are encrypted with the secret key $SecK_{B\&S}$ and sent to B.
(3)
To prevent users who are no longer friends from reading messages, SNS updates the session key $SesS_U$ of each user based on the social network graph.
Figure 5 shows the process of the location update. The detailed steps are as follows:
(1)
When user U updates his/her location, U submits a message in the form of $(ID_U, (x, y), SesS_U(x, y), A/F)$ to B. $(x, y)$ is U’s current location and $SesS_U(x, y)$ is the location information encrypted with $SesS_U$. $A/F$ is the grid cell access control policy, which marks the current grid cell as accessible or forbidden (i.e., U allows or forbids the grid cell where U is currently located to be searched by his/her friends’ location-sharing requests). On receiving the message, B records the access control policy in the form of $(ID_U, GID, A/F)$ in its database. Note that $A$ is the default state and $F$ means that only the current grid cell cannot be searched by the location-sharing requests of his/her friends (i.e., the current grid cell is a sensitive area that U does not want his/her friends to know about). Once U has left this grid cell, U can again be found by the location-sharing requests of his/her friends.
(2)
If $A$ is included in U’s submitted message, B sends a message in the form of $SecK_{B\&S}(ID_U, GFID)$ to SNS, where $GFID$ is the fake-ID of the grid cell in which B is located. For example, if U sends the update through base station $B_a$ located in the grid cell with fake-ID $GFID_a$, then $B_a$ sends $SecK_{B\&S}(ID_U, GFID_a)$ to SNS. After receiving the update information, SNS replies with a message $OK$ to B, which then forwards $OK$ to U. If U’s submitted message includes $F$, B sends nothing to SNS.
(3)
B sends a message in the form of $((PID_1, x_1, y_1, str_1, d_{f_1}, d_{s_1}), \dots, (PID_k, x_k, y_k, str_k, d_{f_k}, d_{s_k}))$ to LS, where $PID_1, \dots, PID_k$ is the pseudo-ID set of U and $str$ is a random string that imitates an encrypted location. Herein, suppose that $ind = 1$ in the last mapping relationship update; then $(PID_1, x_1, y_1, SesS_U(x_1, y_1), d_{f_1}, d_{s_1})$ carries the real information of U, and $((PID_2, x_2, y_2, str_2, d_{f_2}, d_{s_2}), \dots, (PID_k, x_k, y_k, str_k, d_{f_k}, d_{s_k}))$ are the dummies of U. LS then stores the information in its database and sends a response $OK$ to B, which forwards $OK$ to U.
Querying friends’ locations. Users can request a location query to search for friends’ locations. If user U wants to share locations with nearby friends, U submits a request for querying friends’ locations through a nearby base station. Note that the base station and the user are assumed to be in the same grid cell. Figure 6 shows the specific process of querying friends’ locations. The detailed steps are as follows:
(1)
U submits a query in the form of $(ID_U, f, l)$ to B, where $f$ means this query is a request for querying friends’ locations and $l$ indicates the specified query distance, such as 2 km.
(2)
On receiving U’s query, B first determines the associated grids of U (see Section 3.2) based on U’s query distance $l$, and forms a list $GFIDlist$ that contains the fake-IDs of the associated grids. The purpose of $GFIDlist$ is to help SNS filter out U’s friends that are not in the associated grids. Then, B encrypts its identifier $BID$ and a sequence number $seq$ with $SecK_{B\&L}$, the key shared between B and LS, to form $SecK_{B\&L}(BID, seq)$, where $seq$ is used to resist replay attacks. Finally, B sends the message $(ID_U, f, l, SecK_{B\&L}(BID, seq), GFIDlist)$ to SNS.
(3)
According to U’s social network graph and the users’ location update information, SNS finds U’s friends whose last reported grid cells are in $GFIDlist$. Suppose that $m$ users meet the above condition, where $m \le n$ and $n$ is the total number of U’s friends. Then SNS collects these users’ $PIDlist$s to form a set $\{PID_{ij}\}$, where $1 \le i \le k$ and $1 \le j \le m$. The purpose of forming $\{PID_{ij}\}$ is to perturb the identity information of U’s friends, since LS cannot tell the real pseudo-IDs from the dummies. Finally, SNS sends a query in the form of $(PID_{ind}, l, \{PID_{ij}\}, SecK_{B\&L}(BID, seq))$ to LS, where $PID_{ind}$ represents the real pseudo-ID of U.
(4)
After receiving the query from SNS, LS evaluates the distance comparison $dis((x_{ind}, y_{ind}), (x_v, y_v)) \le \min(l, d_{f_v})$, where $dis$ is the Euclidean distance function, $(x_{ind}, y_{ind})$ are the coordinates stored for $PID_{ind}$, and $(x_v, y_v)$ are the coordinates stored for the pseudo-IDs in $\{PID_{ij}\}$, with $1 \le v \le k \times m$. Note that the comparison uses both U’s query distance $l$ and the queried user’s own threshold $d_{f_v}$, so a user is returned only if he/she is within the smaller of the two. Suppose that $w$ pseudo-IDs satisfy the distance comparison; then LS collects these $w$ pseudo-IDs to form a set $\{PID_f\}$ and finds the corresponding $str$, where $1 \le f \le w$ and $\{PID_f\} \subseteq \{PID_{ij}\}$. Finally, LS replies with a message in the form of $(\{PID_f, SecK_{B\&L}(str_f)\}_{f=1,\dots,w}, SecK_{B\&L}(seq))$ to SNS.
(5)
Upon receiving $(\{PID_f, SecK_{B\&L}(str_f)\}_{f=1,\dots,w}, SecK_{B\&L}(seq))$, SNS recovers the real identifiers from $\{PID_f\}$ to form a result set $\{ID_g\}$ (i.e., the real identifiers of U’s friends) based on the $ind$s of U’s friends. The purpose of forming $\{ID_g\}$ is to filter out the dummies of U’s friends. Suppose that $t$ users’ $ID$s are recovered from the result set; then SNS sends a message in the form of $(\{ID_g, SecK_{B\&L}(str_g)\}_{g=1,\dots,t}, SecK_{B\&L}(seq))$ to B. Note that if $t = 0$, SNS sends an empty result to B.
(6)
Upon receiving the response from SNS, B first checks the sequence number $seq$ and then decrypts $\{SecK_{B\&L}(str_g)\}_{g=1,\dots,t}$ to obtain $\{SesS_U(x_g, y_g)\}_{g=1,\dots,t}$, the locations as encrypted by the respective friends with their session keys. Finally, B replies with the result $res$ in the form of $\{ID_g, SesS_U(x_g, y_g)\}_{g=1,\dots,t}$ to user U.
(7)
After obtaining $res$, U uses the session keys shared with his/her friends to decrypt the corresponding coordinates.
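The location update and the friends’ query above, run end to end as an added example by the editor (not the paper’s code). The entity classes, an HMAC-SHA256 counter-mode cipher standing in for the paper’s unspecified symmetric encryption, a keyed hash in place of the plain SHA-1 fake-ID mapping, and the sample users with their positions are all constructed assumptions; the replay fields $seq$ and $BID$ are omitted, and the associated grids are over-approximated by every cell within $\lceil l/S \rceil + 1$ cells of the base station’s cell, a superset of the set of Section 3.2 that therefore cannot miss a friend. What the prose does not show is visible in the run: LS compares distances only for the $k \times m$ pseudo-IDs of friends whose last accessible cell lies in $GFIDlist$, the dummies are dropped by the index $ind$ held at SNS, a friend whose own threshold $d_f$ is smaller than $l$ is filtered by $\min(l, d_f)$, and a friend whose current cell is marked $F$ is never a candidate.

```python
"""SELS location update and friends' query (Section 5) as a stand-alone simulation.
Added example, not the paper's code: cipher, keys, sample users and positions are
constructed, and the seq/BID replay fields are left out."""
import hashlib, hmac, math, secrets
from dataclasses import dataclass, field

S = 1000.0      # cell side in metres (constructed)
K = 4           # pseudo-IDs per user: one real (index ind), K-1 dummies
AREA = 20000    # query area is [0, AREA)^2 metres (constructed)

def cell_of(x, y):                       # GID = (row, col), Eq. (3) with x_a = y_a = 0
    return (int(y // S), int(x // S))

def xor_stream(key, nonce, data):        # HMAC-SHA256 keystream in counter mode: stands in
    out = bytearray()                    # for the paper's unspecified symmetric cipher
    for i in range(0, len(data), 32):
        blk = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], blk))
    return bytes(out)

def enc(key, data):
    nonce = secrets.token_bytes(16)
    return nonce + xor_stream(key, nonce, data)

def dec(key, blob):
    return xor_stream(key, blob[:16], blob[16:])

@dataclass
class User:
    uid: str
    d_f: float                                                  # threshold for friends' queries
    ses: bytes = field(default_factory=lambda: secrets.token_bytes(32))   # SesS_U

@dataclass
class SNS:                               # social network server: graph, PIDlist and ind per user
    friends: dict
    pids: dict = field(default_factory=dict)                    # uid -> (PIDlist, ind)
    last_gfid: dict = field(default_factory=dict)               # uid -> GFID of last 'A' update

@dataclass
class LS:                                # location server: sees pseudo-IDs and ciphertexts only
    kbl: bytes                                                  # SecK_{B&L}
    records: dict = field(default_factory=dict)                 # PID -> (x, y, str, d_f)
    comparisons: int = 0
    def query(self, pid_ind, l, cand):   # step (4): keep v with dis(U, v) <= min(l, d_f_v)
        x0, y0, *_ = self.records[pid_ind]
        self.comparisons += len(cand)    # one Euclidean comparison per candidate pseudo-ID
        return [(pid, enc(self.kbl, self.records[pid][2])) for pid in cand
                if math.dist((x0, y0), self.records[pid][:2]) <= min(l, self.records[pid][3])]

@dataclass
class BaseStation:
    kbl: bytes
    gkey: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    policy: dict = field(default_factory=dict)                  # (uid, GID) -> 'A' | 'F'
    def gfid(self, gid):                 # keyed hash instead of plain SHA-1 (editor's choice)
        return hmac.new(self.gkey, repr(gid).encode(), hashlib.sha256).hexdigest()
    def assoc_gfids(self, gid, l):       # superset of Sect. 3.2: every cell within ceil(l/S)+1
        n, (r, c) = math.ceil(l / S) + 1, gid
        return {self.gfid((r + i, c + j)) for i in range(-n, n + 1) for j in range(-n, n + 1)}

def register(u, sns):                    # SNS assigns PIDlist and a random ind
    sns.friends.setdefault(u.uid, set())
    sns.pids[u.uid] = ([secrets.token_hex(8) for _ in range(K)], secrets.randbelow(K))
    return u

def location_update(u, x, y, pol, b, sns, ls):
    gid = cell_of(x, y)
    b.policy[(u.uid, gid)] = pol         # step (1): record (ID_U, GID, A/F)
    if pol == "A":                       # step (2): on F the base station tells SNS nothing
        sns.last_gfid[u.uid] = b.gfid(gid)
    pid_list, ind = sns.pids[u.uid]      # step (3): real record plus K-1 dummies go to LS
    for i, pid in enumerate(pid_list):
        if i == ind:
            ls.records[pid] = (x, y, enc(u.ses, f"{x},{y}".encode()), u.d_f)
        else:                            # dummy: random point and a random str imitating a ciphertext
            ls.records[pid] = (secrets.randbelow(AREA), secrets.randbelow(AREA), secrets.token_bytes(32), u.d_f)

def query_friends(u, bx, by, l, b, sns, ls, friend_keys):
    gfids = b.assoc_gfids(cell_of(bx, by), l)                       # step (2): GFIDlist
    cand = [f for f in sns.friends[u.uid] if sns.last_gfid.get(f) in gfids]   # step (3)
    pid_set = [pid for f in cand for pid in sns.pids[f][0]]          # k*m PIDs, dummies included
    hits = ls.query(sns.pids[u.uid][0][sns.pids[u.uid][1]], l, pid_set)      # step (4)
    real = {sns.pids[f][0][sns.pids[f][1]]: f for f in cand}         # step (5): ind drops dummies
    return {real[p]: dec(friend_keys[real[p]], dec(b.kbl, blob)).decode()   # steps (6)-(7)
            for p, blob in hits if p in real}

def demo():
    kbl = secrets.token_bytes(32)
    b, ls, sns = BaseStation(kbl), LS(kbl), SNS({"alice": {"bob", "carol", "dave", "erin"}})
    # (uid, d_f, x, y, A/F): bob is 806 m from alice; carol 1000 m away with d_f = 500;
    # dave far outside the associated grids; erin 141 m away but her cell is marked F
    spec = [("alice", 3000, 5500, 5500, "A"), ("bob", 3000, 6200, 5900, "A"),
            ("carol", 500, 6500, 5500, "A"), ("dave", 3000, 15000, 15000, "A"),
            ("erin", 3000, 5600, 5400, "F")]
    users = {uid: register(User(uid, d_f), sns) for uid, d_f, *_ in spec}
    for uid, _, x, y, pol in spec:
        location_update(users[uid], x, y, pol, b, sns, ls)
    keys = {uid: u.ses for uid, u in users.items() if uid != "alice"}   # session keys SNS gave alice
    res = query_friends(users["alice"], 5500, 5500, 2000, b, sns, ls, keys)
    return res, ls.comparisons, len(keys) * K           # result, comparisons done, all-friends count
```

`demo()` returns `{'bob': '6200,5900'}` together with 8 distance comparisons instead of the 16 a scheme without associated grids would perform for four friends with four pseudo-IDs each; carol is excluded by her own $d_f$, dave never reaches LS, and erin’s forbidden cell keeps her out of the candidate set although she is the nearest of all.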
Querying strangers’ locations. Users also can request a location query for searching strangers’ locations. The process of querying strangers’ locations is similar to that of friends. Figure 7 shows the specific process of querying strangers’ locations and detailed steps are as follows:
(1)
U needs to submit a query in the form of ( I D U , s , l ) to B, where s means this query is a request for querying strangers’ locations and l indicates the specified query distance such as 2 km.
(2)
After receiving U's query, B determines the associated grids based on U's query distance $l$ and forms a list $GFID_{list}$. Then, B sends the message $(ID_U, s, l, Sec_{K_{B\&L}}(BID, seq), GFID_{list})$ to $SNS$.
(3)
Based on $GFID_{list}$ and U's social network graph, $SNS$ first eliminates the users who have a friendship with U. Then, $SNS$ randomly collects a certain number of users' $PID_{list}$s to form a set $\{PID_{ij}\}$, where $1 \le i \le k$, $1 \le j \le rand$, and $rand$ is the number of randomly selected users. Finally, $SNS$ sends a query of the form $(PID_{ind}, l, PID_{ij}, Sec_{K_{B\&L}}(BID, seq))$ to $LS$, where $PID_{ind}$ represents the real pseudo-ID of U.
(4)
After receiving the query from $SNS$, $LS$ evaluates the distance comparison function $dis((x_{ind}, y_{ind}), (x_v, y_v)) \le \min(l, d_{s_v})$. $(x_v, y_v)$ denotes the coordinates of the pseudo-IDs in $\{PID_{ij}\}$, where $1 \le v \le (k \times rand)$. Suppose that $w$ pseudo-IDs satisfy the distance comparison function; $LS$ then collects these $w$ pseudo-IDs into a set $\{PID_s\}$ and finds the corresponding $(x, y)$, where $1 \le s \le w$ and $\{PID_s\} \subseteq \{PID_{ij}\}$. Finally, $LS$ replies to $SNS$ with a message of the form $(\{PID_s, Sec_{K_{B\&L}}(x_s, y_s)\}_{s=1,\dots,w}, Sec_{K_{B\&L}}(seq))$.
(5)
Upon receiving $(\{PID_s, Sec_{K_{B\&L}}(x_s, y_s)\}_{s=1,\dots,w}, Sec_{K_{B\&L}}(seq))$, $SNS$ recovers the real identifiers from $\{PID_s\}$ to form a result set $\{ID_g\}$ (i.e., the users' real identifiers) based on the users' $ind$s. Suppose that $t$ users' $ID$s are recovered from the result set; $SNS$ then sends $(\{ID_g, Sec_{K_{B\&L}}(x_g, y_g)\}_{g=1,\dots,t}, Sec_{K_{B\&L}}(seq))$ to B.
(6)
After receiving the response from $SNS$, B first checks the sequence number $seq$ and then decrypts $\{Sec_{K_{B\&L}}(x_g, y_g)\}_{g=1,\dots,t}$ to obtain $\{(x_g, y_g)\}_{g=1,\dots,t}$. Finally, B replies with the result $res$, in the form $\{ID_g, (x_g, y_g)\}_{g=1,\dots,t}$, to user U.
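The stranger query above, modeled end to end as an added example (this is not the paper's Java code): $LS$ stores only pseudo-IDs with coordinates and evaluates $dis(\cdot) \le \min(l, d_{s_v})$, $SNS$ removes U's friends, samples $rand$ users from the associated grids and maps the matching pseudo-IDs back to identities via each user's $ind$, so that dummies are dropped. The associated-grids rule, the fake cell IDs, the `Sealed` stand-in for $Sec_{K_{B\&L}}(\cdot)$ and the sample users are this example's own assumptions.

```python
"""Stranger query of SELS as a self-contained model (added example, not the paper's code).
LS: pseudo-IDs + coordinates only. SNS: identities, social graph, each user's ind.
B: relays and derives GFIDlist. Assumed names: fake_cell_id, Sealed, SAMPLE_*."""
import hashlib
import hmac
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Point = Tuple[float, float]
Cell = Tuple[int, int]
GRID_N, CELL_KM = 20, 1.0            # 20 x 20 cells of 1 km x 1 km (Table 3)


def dis(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def cell_of(p: Point) -> Cell:
    return (min(int(p[0] // CELL_KM), GRID_N - 1), min(int(p[1] // CELL_KM), GRID_N - 1))


def associated_grids(c: Cell, l_km: float) -> Set[Cell]:
    """Assumed rule: every cell within ceil(l) cells of U's cell (a superset of the
    cells a disc of radius l can touch)."""
    r = math.ceil(l_km / CELL_KM)
    return {(x, y) for x in range(max(0, c[0] - r), min(GRID_N, c[0] + r + 1))
            for y in range(max(0, c[1] - r), min(GRID_N, c[1] + r + 1))}


def fake_cell_id(cell: Cell, cycle: int, key: bytes) -> str:
    """Per-update-cycle fake ID of a grid cell (SHA-256 as PRF, as the paper uses)."""
    return hmac.new(key, f"{cell}|{cycle}".encode(), hashlib.sha256).hexdigest()[:12]


def pid_list(uid: str, cycle: int, k: int, key: bytes) -> List[str]:
    """PIDlist of k pseudo-IDs; which one is real is decided by ind, known only to SNS."""
    return [hmac.new(key, f"{uid}|{cycle}|{j}".encode(), hashlib.sha256).hexdigest()[:12]
            for j in range(k)]


@dataclass
class Sealed:
    """Stand-in for Sec_{K_{B&L}}(.): B and LS can open it, SNS only forwards it."""
    payload: object


class LS:
    def __init__(self):
        self.coords: Dict[str, Point] = {}
        self.d_s: Dict[str, float] = {}   # stranger threshold distance per pseudo-ID

    def update(self, pids, ind, loc, d_s, rng):
        for j, pid in enumerate(pids):   # real location at index ind, dummies elsewhere
            self.coords[pid] = loc if j == ind else (rng.uniform(0, GRID_N), rng.uniform(0, GRID_N))
            self.d_s[pid] = d_s

    def query(self, pid_ind, l, candidates):
        """Step (4): keep pseudo-IDs within min(l, d_{s_v}) of U's real pseudo-ID."""
        origin = self.coords[pid_ind]
        return [(pid, Sealed(self.coords[pid])) for pid in candidates
                if dis(origin, self.coords[pid]) <= min(l, self.d_s[pid])]


class SNS:
    def __init__(self):
        self.pids: Dict[str, List[str]] = {}
        self.ind: Dict[str, int] = {}
        self.friends: Dict[str, Set[str]] = {}
        self.fake_cell: Dict[str, str] = {}   # learned at location update (fake ID only)

    def select_strangers(self, uid, gfid_list, rand, rng):
        """Step (3): drop U's friends, keep users in the associated grids, sample rand."""
        pool = [u for u in self.pids if u != uid and u not in self.friends[uid]
                and self.fake_cell[u] in gfid_list]
        chosen = rng.sample(pool, min(rand, len(pool)))
        return [pid for u in chosen for pid in self.pids[u]]

    def recover(self, hits):
        """Step (5): map matching pseudo-IDs back to IDs; dummies (j != ind) are dropped."""
        real = {self.pids[u][self.ind[u]]: u for u in self.pids}
        return [(real[pid], blob) for pid, blob in hits if pid in real]


def stranger_query(issuer, l, users, friends, rand=5, k=4, cycle=1, seed=7):
    """Whole flow for one cycle. users: {ID: (location, d_s)}; friends: {ID: set(IDs)}."""
    rng, key = random.Random(seed), b"example-key"
    ls, sns = LS(), SNS()
    sns.friends = {u: set(friends.get(u, ())) for u in users}
    for uid, (loc, d_s) in users.items():          # location update phase
        pids = pid_list(uid, cycle, k, key)
        sns.pids[uid], sns.ind[uid] = pids, rng.randrange(k)
        sns.fake_cell[uid] = fake_cell_id(cell_of(loc), cycle, key)
        ls.update(pids, sns.ind[uid], loc, d_s, rng)
    # B, steps (1)-(2): associated grids of U's current cell, expressed as fake IDs
    gfid = {fake_cell_id(c, cycle, key) for c in associated_grids(cell_of(users[issuer][0]), l)}
    candidates = sns.select_strangers(issuer, gfid, rand, rng)            # step (3)
    hits = ls.query(sns.pids[issuer][sns.ind[issuer]], l, candidates)      # step (4)
    return sorted((uid, blob.payload) for uid, blob in sns.recover(hits))  # steps (5)-(6)


# Constructed sample: S1 is a nearby stranger, S2 is nearby but sets a small d_s,
# F1 is a friend (excluded by SNS), S3 is far away.
SAMPLE_USERS = {"U": ((5.0, 5.0), 10.0), "S1": ((6.0, 5.5), 10.0),
                "S2": ((5.5, 5.0), 0.2), "F1": ((5.2, 5.1), 10.0), "S3": ((18.0, 18.0), 10.0)}
SAMPLE_FRIENDS = {"U": {"F1"}, "F1": {"U"}}
```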

6. Discussion

In this section, the proposed scheme is analyzed in terms of efficiency and security.

6.1. Efficiency Analysis

Previous studies such as [6,10,11,12] also adopted pseudo-IDs to protect the privacy of users' identities. When an issuing user U sends a request for querying friends' locations, the social network server ($SNS$) sends a certain number of pseudo-IDs of the user's friends to the location server ($LS$), and $LS$ then evaluates the distance comparison function for each pseudo-ID sent from $SNS$. Therefore, the number of pseudo-IDs sent from $SNS$ reflects both the size of the communication traffic between $SNS$ and $LS$ and the computational cost of $LS$. Based on the number of evaluations of the distance comparison function (i.e., $dis(i, j)$) in $LS$, we compare the time complexity of our scheme with previous solutions. The comparison results are given in Table 2. Note that the time complexity considers the process of querying friends' locations. The time complexity of querying strangers' locations depends on the number of strangers' pseudo-IDs randomly selected by $SNS$, so we omit it here.
In Table 2, $k$ is the number of pseudo-IDs for each user (i.e., $PID_{list}$), and $f$ is the total number of an issuing user U's friends. In addition, MobiShare, MLS, and CenLocShare do not consider attacks from friends (i.e., they do not consider the disclosure of privacy among friends), which means $SNS$ has to send all the pseudo-IDs of U's friends to $LS$. However, the number of pseudo-IDs that $SNS$ sends to $LS$ differs among MobiShare, MLS, and CenLocShare. In MobiShare and CenLocShare, $SNS$ directly sends all the pseudo-IDs of U's friends to $LS$, so the number of pseudo-IDs sent from $SNS$ is $kf$. In MLS, to prevent the location server side (i.e., $LS$) from obtaining the complete social network relationship of U, the social network server ($SNS$) first divides all the pseudo-IDs of U's friends into a certain number of subsets and then sends these subsets to multiple location servers separately. Herein, following MLS, we assume that the number of subsets is $w$, a subset is represented by $S_i$, and the number of pseudo-IDs in subset $S_i$ is $f_i$. Therefore, the number of pseudo-IDs sent from $SNS$ can be represented by $\sum_{i=1}^{w}(S_i f_i)$. In the schemes that do not consider attacks from friends, we can conclude that: (1) $kf \le \sum_{i=1}^{w}(S_i f_i)$; and (2) $kf = \sum_{i=1}^{w}(S_i f_i)$ when $w = 1$ (i.e., when there is only one set, which contains all the pseudo-IDs of U's friends). From the above conclusions, it follows that: (1) the time complexity of MLS (i.e., $O(\sum_{i=1}^{w}(S_i f_i))$) is usually greater than that of MobiShare and CenLocShare (i.e., $O(kf)$); (2) in terms of the size of the communication traffic between $SNS$ and $LS$, MLS is usually larger than MobiShare and CenLocShare; (3) in terms of the computational cost of $LS$, MLS is usually higher than MobiShare and CenLocShare.
In Table 2, $f_1$ denotes the number of U's friends who agree to share their locations with U [10], and $f_2$ denotes the number of U's friends who are located in U's associated grids and agree to share their locations with U. Note that neither $f_1$ nor $f_2$ is usually the total number of U's friends. The reason is that the user-defined privacy location-sharing system (UDPLS) proposed in [10] and our SELS both consider attacks from friends and design a corresponding access control policy; that is, $SNS$ only sends to $LS$ the pseudo-IDs of U's friends that meet U's privacy-preserving requirements. Therefore, if U uses the access control policy for preventing the disclosure of privacy among friends in UDPLS and in our SELS, the number of pseudo-IDs sent from $SNS$ in UDPLS and in SELS is bound to be less than that in MobiShare, MLS, and CenLocShare. From the above analysis, we can deduce that: (1) the time complexity of the schemes that do not consider attacks from friends is usually greater than that of the schemes that do; (2) in terms of the size of the communication traffic between $SNS$ and $LS$, the schemes that do not consider attacks from friends are usually larger than the schemes that do; (3) in terms of the computational cost of $LS$, the schemes that do not consider attacks from friends are usually higher than the schemes that do.
From Table 2, the number of pseudo-IDs sent from $SNS$ in UDPLS is $kf_1$ and the number of pseudo-IDs sent from $SNS$ in our SELS is $kf_2$. Therefore, holding $k$ constant, we can compare $f_1$ and $f_2$ to compare the number of pseudo-IDs sent from $SNS$. In UDPLS, $f_1$ is the number of U's friends who agree to share their locations with U, i.e., $f_1 = f - f_3$, where $f$ represents the total number of U's friends and $f_3$ represents the number of U's friends who do not agree to share their locations with U in the entire query area of the location-sharing system. In our SELS, $f_2$ is the number of U's friends who are located in U's associated grids and agree to share their locations with U, i.e., $f_2 = f - f_4 - f_5$, where $f_4$ represents the number of U's friends who are not in U's associated grids and $f_5$ is the number of U's friends who do not agree to share their locations with U in U's associated grids. From these definitions: (1) when U's associated grids cover the entire query area of the location-sharing system, $f_4 = 0$; and (2) when $f_4 = 0$ and the number of U's friends who do not agree to share their locations with U is set to the same constant in UDPLS and SELS (i.e., $f_3 = f_5$), then $f_1 = f_2$. In general, U's associated grids are only part of the entire query area, and the probability that all of U's friends are in U's associated grids is very small. Thus, it can be concluded that: (1) the time complexity of UDPLS (i.e., $O(kf_1)$) is usually greater than that of our SELS (i.e., $O(kf_2)$); (2) in terms of the size of the communication traffic between $SNS$ and $LS$, UDPLS is usually larger than SELS; (3) in terms of the computational cost of $LS$, UDPLS is usually higher than SELS.
From the above analysis, we can also summarize that: (1) the time complexity of our scheme is lower than that of the other solutions; (2) when $k$ is held constant, a larger $f$ (i.e., the number of an issuing user's friends) requires more resources of the location-sharing system (i.e., communication traffic between $SNS$ and $LS$ and computational cost of $LS$).

6.2. Security Analysis

In our security model, B is a trusted entity while $SNS$ and $LS$ are "honest-but-curious". In addition, $SNS$ and $LS$ are assumed not to collude with each other to obtain users' sensitive information. Thus, our scheme mainly focuses on the proposed security goals.
Access control. There are two kinds of access control policies in our scheme: user-defined threshold distance access control and user-defined grid cell access control. Since $SNS$ and $LS$ are assumed to be "honest-but-curious", the access control policies are executed honestly. Thus, users' defined access control policies are enforced.
Identity privacy. The identity privacy of users does not need to be considered on $SNS$, since $SNS$ already holds users' identity information. Therefore, we only need to analyze whether $LS$ can obtain a user's real identity.
In the location update process, all the users' pseudo-IDs are uploaded to $LS$ and each user's real identity is anonymized by a pseudo-ID set (i.e., $PID_{list}$). Thus, the probability of getting a user's real identity is $\frac{1}{nk}$, where $n$ is the total number of users and $k$ is the number of pseudo-IDs for each user. In the location query process, if the number of pseudo-IDs sent to $LS$ is $w$, the probability of identifying a user's real identity is $\frac{1}{w}$. Since $n$ and $w$ are usually very large numbers, it is impossible for $LS$ to get the real identity of a user. In addition, when a user performs a location update, the pseudo-ID that represents the user's real identity changes randomly with the index $ind$. Therefore, $LS$ cannot get users' real identities.
Sensitive area privacy. Unlike previous studies that do not consider the disclosure of privacy among friends (i.e., a curious user may infer private information about his/her friends, such as their workplace, by querying friends' locations), and unlike the access control policy proposed in [10], which simply switches off the location-sharing service for friends, our scheme focuses on the privacy-preserving requirements for sensitive areas. In our scheme, users are assumed to be curious and to want to infer other users' private information, such as home address and workplace, by requesting location-sharing services. Suppose that a user U does not want to share some specific geofences or locations with his/her friends in the location-sharing system. In the location update process, if U's current location or geofence is a sensitive area, U can use the grid cell access control policy proposed in our scheme to set the current grid cell as inaccessible. In this way, U's friends cannot obtain location information about U's sensitive area through their location-sharing services. Therefore, U's privacy-preserving requirements for sensitive areas are satisfied.
Location privacy. In our scheme, both $LS$ and $SNS$ are assumed to be curious and to want to obtain users' locations. Thus, we need to analyze whether $LS$ and $SNS$ can get a user's real location.
From the perspective of $LS$, the probability of identifying a user's location in the location update process is the same as that of getting the user's identity, because each user's pseudo-ID is associated with a corresponding location. In the location query process, $LS$ still cannot distinguish a user's real location, since $LS$ cannot learn each user's real pseudo-ID, which changes randomly with the index $ind$. Therefore, $LS$ cannot get users' locations.
From the perspective of $SNS$, the coordinates returned by $LS$ in the location query process are protected by the symmetric encryption scheme (i.e., $Sec_{K_{B\&L}}$), so $SNS$ has no way to obtain users' locations unless it can decrypt the encrypted coordinates. In the location update process, $SNS$ obtains the fake-IDs of base stations. As mentioned in the security model (i.e., Section 4.2), we suppose that malicious users may be system insiders who collude with $SNS$. Thus, with the help of these insiders, $SNS$ can obtain a user's rough location range, since base stations can locate subscribed cell phones with an accuracy of 50 to 300 m. However, $SNS$ cannot obtain users' actual locations, and cannot reliably obtain even the rough location range, since the mapping between grid cell identifiers and their fake-IDs is different in each update cycle. Therefore, $SNS$ cannot get users' actual locations.
Social Network Privacy. Since $SNS$ manages users' social network graphs, we do not consider social network privacy on $SNS$, and only need to analyze whether social network privacy can be disclosed on $LS$.
In the location query process, $LS$ has no information about a user's query type (i.e., querying friends' locations or querying strangers' locations). Therefore, if the number of pseudo-IDs sent from $SNS$ is $m$, the probability that $LS$ infers the user's social network privacy can be computed as $\frac{1}{2m}$. In the location update process, all the users' pseudo-IDs are uploaded to $LS$ and the index $ind$, which indicates the real pseudo-ID, is changed randomly. Therefore, the probability of inferring the user's social network privacy can be calculated as $\frac{1}{2nk}$, where $n$ is the total number of users and $k$ is the number of pseudo-IDs for each user. Since $m$ and $n$ are usually large numbers, it is impossible for $LS$ to obtain social network privacy. Therefore, users' social network privacy is well protected. In addition, since $SNS$ sends only a subset of an issuing user's friends (i.e., part of the user's friends) to $LS$ each time [11], our scheme also prevents $LS$ from inferring the complete social network relationship of the user.

7. Simulation and Results

We have conducted extensive simulations to evaluate the performance of our scheme. In this section, we first describe the simulation environment and then give the simulation results and analysis.

7.1. Simulation Setup

The simulations are implemented in the Java programming language and conducted on a Windows machine with an Intel Core-i5 2.6 GHz CPU, 16 GB RAM, and the Microsoft Windows 7 OS. As the pseudo-random function, we choose the hash function SHA-256 with an output size of 32 bytes. Since the efficiency of querying strangers' locations depends directly on the number of strangers randomly selected by $SNS$, we focus on the performance of querying friends' locations. In general, the grid structure is generated by the system and does not change frequently. In addition, for an issuing user U, the friend threshold distance of U is also usually set as a constant, since it is meaningless to adjust $d_f$ frequently when his/her privacy is not threatened. Therefore, in the process of querying friends' locations, we mainly focus on four parameters that directly affect the performance of location-sharing systems: the number of users, the number of pseudo-IDs for each user, the number of friends for each user, and the query distance. The specific parameter settings of our simulations are shown in Table 3. In Table 3, $n$ is the total number of users and $k$ is the number of pseudo-IDs for each user. $GS$ represents the grid structure, composed of $20 \times 20$ grid cells, where each grid cell is 1 km × 1 km. $d_f$ is the threshold distance for friends, $l$ is the query distance, and $f$ is the number of friends for each user.
The performance metrics used in this paper are the query time and the effective users. The effective users are the number of users' pseudo-IDs sent from $SNS$ to $LS$, and the query time is the time spent on the distance comparison function for that number of effective users. In addition, UDPLS allows an issuing user U to set an access control policy to resist attacks from trust-less friends, with the result that a small number of U's friends cannot share locations with U; we therefore set the proportion of U's trust-less friends to 1%. To compare the performance of our scheme with that of the other schemes (i.e., MobiShare, UDPLS, and CenLocShare), we vary the parameters as follows:
(1)
Under the condition of querying friends' locations, ten locations are randomly selected as the initial locations of an issuing user. The total number of users $n$ is set to 1000 and the users are randomly distributed throughout the grid structure. The number of pseudo-IDs for each user $k$ and the query distance $l$ of the issuing user are set to 10 and 5 km, respectively. The number of friends for each user $f$ ranges from 50 to 90. We execute 100 runs and then calculate the average number of effective users and the average time cost under different $f$. These settings are named scenario-1, which is used to explore the effect of $f$.
(2)
Under the condition of querying friends' locations, ten locations are randomly selected as the initial locations of an issuing user. The total number of users $n$ is set to 1000 and the users are randomly distributed throughout the grid structure. The number of pseudo-IDs for each user $k$ and the number of friends for each user $f$ are set to 10 and 50, respectively. The query distance $l$ of the issuing user ranges from 1 km to 5 km. We execute 100 runs and then calculate the average number of effective users and the average time cost under different $l$. These settings are named scenario-2, which is used to study the effect of $l$.
(3)
Under the condition of querying friends' locations, ten locations are randomly selected as the initial locations of an issuing user. The total number of users $n$ is set to 1000 and the users are randomly distributed throughout the grid structure. The query distance $l$ of the issuing user and the number of friends for each user $f$ are set to 5 km and 50, respectively. The number of pseudo-IDs for each user $k$ ranges from 10 to 30. We execute 100 runs and then calculate the average number of effective users and the average time cost under different $k$. These settings are named scenario-3, which is used to study the effect of $k$.
(4)
Under the condition of querying friends' locations, ten locations are randomly selected as the initial locations of an issuing user. The total number of users $n$ ranges from 1000 to 2500 and the users are randomly distributed throughout the grid structure. The query distance of the issuing user $l$, the number of pseudo-IDs for each user $k$, and the number of friends for each user $f$ are set to 5 km, 10, and 50, respectively. We execute 100 runs and then calculate the average number of effective users and the average time cost under different $n$. These settings are named scenario-4, which is used to study the effect of $n$.
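The effective-users metric of these four scenarios, and the $kf$ / $kf_1$ / $kf_2$ bookkeeping of the efficiency analysis above, reproduced as an added simulation (not the paper's Java simulation): users are placed uniformly in the $20 \times 20$ grid, 1% of the issuer's friends refuse to share, and each scheme's count of pseudo-IDs forwarded to $LS$ is computed from $f_3$, $f_4$ and $f_5$. The associated-grids rule and the function names are this example's assumptions.

```python
"""Effective users for the friend query (added example, not the paper's code).
Effective users = pseudo-IDs SNS forwards to LS: k*f for MobiShare/CenLocShare,
k*f1 for UDPLS (f1 = f - f3) and k*f2 for SELS (f2 = f - f4 - f5), Section 6.1."""
import math
import random
from typing import Dict, List, Set, Tuple

Point = Tuple[float, float]
Cell = Tuple[int, int]
GRID_N, CELL_KM = 20, 1.0      # Table 3: 20 x 20 cells of 1 km x 1 km


def cell_of(p: Point) -> Cell:
    return (min(int(p[0] // CELL_KM), GRID_N - 1), min(int(p[1] // CELL_KM), GRID_N - 1))


def associated_grids(c: Cell, l_km: float) -> Set[Cell]:
    """Assumed rule: all cells within ceil(l) cells of the issuer's cell."""
    r = math.ceil(l_km / CELL_KM)
    return {(x, y) for x in range(max(0, c[0] - r), min(GRID_N, c[0] + r + 1))
            for y in range(max(0, c[1] - r), min(GRID_N, c[1] + r + 1))}


def effective_users(n: int, k: int, f: int, l_km: float, trustless: float = 0.01,
                    seed: int = 0) -> Dict[str, int]:
    """One query by user 0 against n users placed uniformly at random in the grid.
    A fixed share of friends (1% here, as in the simulation) refuse to share."""
    rng = random.Random(seed)
    locs = [(rng.uniform(0, GRID_N), rng.uniform(0, GRID_N)) for _ in range(n)]
    friends = rng.sample(range(1, n), f)
    refusing = set(rng.sample(friends, max(1, round(trustless * f))))   # f3 (UDPLS)
    grids = associated_grids(cell_of(locs[0]), l_km)
    in_grids = [u for u in friends if cell_of(locs[u]) in grids]         # f - f4
    f1 = f - len(refusing)                                               # f - f3
    f2 = len([u for u in in_grids if u not in refusing])                 # f - f4 - f5
    return {"MobiShare/CenLocShare": k * f, "UDPLS": k * f1, "SELS": k * f2}


def average_over_runs(n: int, k: int, f: int, l_km: float, runs: int = 100) -> Dict[str, float]:
    """Scenario-style averaging: repeat with fresh placements and average per scheme."""
    totals: Dict[str, float] = {}
    for s in range(runs):
        for scheme, count in effective_users(n, k, f, l_km, seed=s).items():
            totals[scheme] = totals.get(scheme, 0.0) + count
    return {scheme: t / runs for scheme, t in totals.items()}


def sweep(param: str, values: List, base: Dict[str, float], runs: int = 100) -> Dict:
    """Vary one of n, k, f, l_km as scenarios 1-4 do, holding the others fixed."""
    out = {}
    for v in values:
        args = dict(base)
        args[param] = v
        out[v] = average_over_runs(int(args["n"]), int(args["k"]), int(args["f"]),
                                   float(args["l_km"]), runs)
    return out


if __name__ == "__main__":
    base = {"n": 1000, "k": 10, "f": 50, "l_km": 5.0}
    for f_val, res in sweep("f", [50, 70, 90], base, runs=20).items():   # scenario-1 shape
        print(f_val, res)
```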

7.2. Simulation Results

Figure 8 shows the results under scenario-1. From Figure 8a, the number of effective users increases with $f$ regardless of the solution used. The reason is that increasing $f$ increases the number of users' friends and the corresponding dummies. The number of effective users in our scheme is smaller than in the other solutions, since SELS efficiently filters out the issuing user's friends who are not in the issuing user's associated grids. The other solutions have to provide all the issuing user's friends and the corresponding dummies to $LS$, which inevitably increases the computational burden of $LS$. From Figure 8b: (1) the query time increases with $f$ in all schemes; (2) when $50 \le f \le 90$, the query time of our SELS is at most 1/3 of that of the other schemes, i.e., the efficiency of our scheme is at least 3 times better than the other solutions, for the same reason as above. In addition, the effect of $f$ on the query time is linear in all schemes. The reason is that when the other parameters are fixed, the number of users (including friends and dummies) whose distance to the issuing user must be compared is almost fixed, and the only factor that affects the query time is the linearly increasing number $f$.
Figure 9 shows the results under scenario-2. From Figure 9a, when using our scheme the number of effective users increases with $l$, while it stays almost stable for the other solutions. The reason is that in our scheme the number of effective users grows with the query distance $l$, which determines the number of associated grids. For the other solutions, the friends who are not in the issuing user's associated grids cannot be filtered out, so all the friends have to be retrieved by $LS$. Thus, the efficiency of our SELS is better than the other solutions, since the number of effective users in our scheme is smaller than in the other solutions under all tested query distances. From Figure 9b: (1) the query time increases with $l$ in all schemes; (2) when the query distance $l$ changes from 1 km to 5 km, the query time of our SELS is at most 1/3 of that of the other schemes, i.e., the query efficiency is at least 3 times better than the other solutions, since a smaller number of effective users needs less computation. In addition, the effect of $l$ on the query time is quadratic in all schemes. The reason is that when the query distance changes, the number of users (including friends and dummies) within the issuing user's query distance also changes, and that change is quadratic. Furthermore, the curves in Figure 9b differ between our scheme and the other solutions for the following reason. When the other parameters are fixed, a different $l$ changes both the number of effective users and the number of users (including friends and dummies) within the issuing user's query distance in our scheme, while in the other schemes a different $l$ only changes the number of users (including friends and dummies) within the issuing user's query distance.
Figure 10 shows the results under scenario-3. From Figure 10a, the number of effective users increases with $k$ in all schemes. The reason is that increasing $k$ increases the number of friends' dummies. The number of effective users in our scheme is smaller than in the other solutions, since SELS efficiently filters out the issuing user's friends who are not in the issuing user's associated grids. The other solutions have to provide all the issuing user's friends and the corresponding dummies to $LS$, which inevitably increases the computational burden of $LS$. From Figure 10b: (1) the query time increases with $k$ in all schemes; (2) when $10 \le k \le 30$, the query time of our SELS is at most 1/3 of that of the other schemes, i.e., the efficiency of our scheme is at least 3 times better than the other solutions, for the same reason as above. In addition, the effect of $k$ on the query time is quadratic in all schemes. The reason is that when the number of pseudo-IDs for each user changes, the number of effective users and the number of users (including friends and dummies) within the issuing user's query distance both change, and these two quantities change in multiples. In the other schemes, a different $k$ only changes the number of users (including friends and dummies) within the issuing user's query distance.
Figure 11 shows the results under scenario-4. From Figure 11a, the number of effective users is stable for different $n$ in all schemes. The reason is that when the other parameters are fixed, increasing $n$ cannot affect the number of effective users, since the number of the issuing user's friends does not change. Thus, the number of effective users that must be sent to $LS$ does not change. However, the number of effective users in our SELS is smaller than in the other solutions, since $LS$ in our scheme only needs to run the distance comparison function for the friends who are located in the issuing user's associated grids. From Figure 11b: (1) the query time increases with $n$ in all schemes; (2) when the total number of users $n$ changes from 1000 to 2500, the query time of our SELS is at most 1/3 of that of the other schemes, i.e., the efficiency of our scheme is at least 3 times better than the other solutions, since a smaller number of effective users needs less computation. In addition, the effect of $n$ on the query time is linear in all schemes. The reason is that when the other parameters are fixed, the only factor that affects the query time is the linearly increasing number $n$, which increases the number of dummies within the issuing user's query distance.

8. Conclusions

In this paper, while maintaining users’ privacy, we explore the issues of utility in location-sharing systems. To address the problems of system efficiency and the flexibility of users’ privacy-preserving requirements in location-sharing systems, we propose a search efficient privacy-preserving location-sharing solution (i.e., SELS). Specifically, based on the grid structure and users’ query distances, we design a novel approach called associated grids to improve the efficiency of location-sharing systems while maintaining users’ privacy. In addition, our scheme also provides a user-defined access control policy to meet users’ flexible privacy-preserving requirements, which can effectively prevent the disclosure of users’ privacy in social networks. The detailed efficiency analysis proves that our SELS can improve the efficiency of location-sharing systems. The security analysis also shows the privacy-preserving ability of our scheme. Under the condition of setting different parameters, we explore the effect of these parameters on location-sharing systems and compare our SELS with other schemes. Extensive experiments validate the practicability and performance of our scheme comprehensively.
However, our SELS also has some limitations, such as the regional rationality of the grid structure and the computing cost imposed on base stations. In future work, we will look for ways to reduce these limitations.

Author Contributions

Methodology, G.Y. and S.L.; software and validation, Y.X. and H.Z.; formal analysis, resources, and data curation, M.L. and Y.W.; writing—original draft preparation and writing—review and editing, G.Y. and Y.X.; supervision, S.L. and J.W.; funding acquisition, Y.X. All authors have read and agreed to the published version of the manuscript.

Funding

This research was partially supported by the National Key R&D Program of China under Grant 2017YFB0802300, BUPT Excellent Ph.D. Students Foundation (CX2019229), National statistical scientific research project of China (2018LY61), BUPT Ph.D. Students Short term overseas study exchange program, National Natural Science Foundation of China (No.61902361).

Conflicts of Interest

All the authors declare that we have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References

1. Vijayakumar, P.; Obaidat, M.S.; Azees, M.; Islam, S.K.H.; Kumar, N. Efficient and Secure Anonymous Authentication With Location Privacy for IoT-Based WBANs. IEEE Trans. Ind. Inform. 2020, 16, 2603–2611.
2. Sun, G.; Chang, V.; Ramachandran, M.; Sun, Z.; Li, G.; Yu, H.; Liao, D. Efficient location privacy algorithm for Internet of Things (IoT) services and applications. J. Netw. Comput. Appl. 2017, 89, 3–13.
3. Yang, G.; Luo, S.; Zhu, H.; Xin, Y.; Li, M.; Wang, Y. An Efficient Approach for LBS Privacy Preservation in Mobile Social Networks. Appl. Sci. 2019, 9, 316.
4. Yang, G.; Luo, S.; Zhu, H.; Xin, Y.; Xiao, K.; Chen, Y.; Li, M.; Wang, Y. A Mechanism to Improve Effectiveness and Privacy Preservation for Review Publication in LBS. IEEE Access 2019, 7, 156659–156674.
5. Xiaoying, S.; Zhenhai, Y.; Qiming, F.; Quan, Z. A Visual Analysis Approach for Inferring Personal Job and Housing Locations Based on Public Bicycle Data. Int. J. Geo Inf. 2017, 6, 205.
6. Wei, W.; Xu, F.; Li, Q. MobiShare: Flexible privacy-preserving location sharing in mobile online social networks. In Proceedings of the 2012 Proceedings IEEE Infocom, Orlando, FL, USA, 25–30 March 2012; pp. 2616–2620.
7. Li, J.; Li, J.; Chen, X.; Liu, Z.; Jia, C. MobiShare+: Security Improved System for Location Sharing in Mobile Online Social Networks. J. Internet Serv. Inf. Secur. 2014, 4, 25–36.
8. Liu, Z.; Luo, D.; Li, J.; Chen, X.; Chunfu, J. N-Mobishare: New privacy-preserving location-sharing system for mobile online social networks. Int. J. Comput. Math. 2016, 93, 384–400.
9. Shen, N.; Yuan, K.; Yang, J.; Jia, C. B-Mobishare: Privacy-Preserving Location Sharing Mechanism in Mobile Online Social Networks. Comput. Stand. Interfaces 2016, 44, 102–109.
10. Sun, G.; Xie, Y.; Liao, D.; Hongfang, Y.; Chang, V. User-Defined Privacy Location-Sharing System in Mobile Online Social Networks. J. Netw. Comput. Appl. 2017, 86, 34–45.
11. Li, J.; Yan, H.; Liu, Z.; Chen, X.; Huang, X.; Wong, D. Location-Sharing Systems With Enhanced Privacy in Mobile Online Social Networks. IEEE Syst. J. 2017, 11, 439–448.
12. Li, J.; Yan, H.; Liu, Z.; Chen, X.; Huang, X.; Wong, D. CenLocShare: A centralized privacy-preserving location-sharing system for mobile online social networks. Future Gener. Comput. Syst. 2018, 86, 863–972.
13. Liu, J.; Fu, L.; Wang, X.; Tang, F.; Chen, G. Joint Recommendations in Multilayer Mobile Social Networks. IEEE Trans. Mob. Comput. 2020, 19, 2358–2373.
14. Lai, I.K.W.; Liu, Y. The Effects of Content Likeability, Content Credibility, and Social Media Engagement on Users' Acceptance of Product Placement in Mobile Social Networks. J. Theor. Appl. Electron. Commer. Res. 2020, 15, 1–19.
15. Erdemir, E.; Dragotti, P.L.; Gunduz, D. Privacy-Aware Location Sharing with Deep Reinforcement Learning. IEEE Trans. Inf. Forensics Secur. 2019, 16, 1–6.
16. Sweeney, L. k-anonymity: A model for protecting privacy. Int. J. Uncertain. Fuzziness Knowl. Based Syst. 2002, 10, 557–570.
17. Wu, Z.; Li, G.; Shen, S.; Lian, X.; Chen, E.; Xu, G. Constructing dummy query sequences to protect location privacy and query privacy in location-based services. World Wide Web Internet Web Inf. Syst. 2020.
18. Cui, N.; Yang, X.; Wang, B. A Novel Spatial Cloaking Scheme Using Hierarchical Hilbert Curve for Location-Based Services. In Proceedings of the 17th International Conference on Web-Age Information Management (WAIM), Nanchang, China, 3–5 June 2016; pp. 15–27.
19. Son, J.; Kim, D.; Tashakkori, R.; Tokutaz, A.; Ohx, H. A New Mobile Online Social Network Based Location Sharing with Enhanced Privacy Protection. In Proceedings of the 25th IEEE International Conference on Computer Communications and Networks (ICCCN), Waikoloa, HI, USA, 1–4 August 2016; pp. 59–68.
20. Olteanu, A.M.; Humbert, M.; Huguenin, K.; Hubaux, J.P. The (Co-)Location Sharing Game. Proc. Priv. Enhancing Technol. 2019, 2019, 5–25.
21. Lin, T.L.; Chang, H.Y.; Li, S.L. A Location Privacy Attack Based on the Location Sharing Mechanism with Erroneous Distance in Geosocial Networks. Sensors 2020, 20, 918.
22. Xu, C.; Xie, X.; Zhu, L.; Sharif, K.; Guizani, M. PPLS: A privacy-preserving location-sharing scheme in mobile online social networks. China Inf. Sci. 2020, 63, 56–68.
23. Zhang, S.; Choo, K.K.R.; Liu, Q.; Wang, G. Enhancing privacy through uniform grid and caching in location-based services. Future Gener. Comput. Syst. 2018, 86, 881–892.
24. Lu, R.; Lin, X.; Shi, Z.; Shao, J. PLAM: A Privacy-Preserving Framework for Local-Area Mobile Social Networks. In Proceedings of the 33rd IEEE Annual Conference on Computer Communications (IEEE INFOCOM), Toronto, QN, Canada, 27 April–2 May 2014; pp. 763–771.
25. Sunar, B.; Martin, W.J.; Stinson, D.R. A provably secure true random number generator with built-in tolerance to active attacks. IEEE Trans. Comput. 2007, 56, 109–119.
Figure 1. Grid structure and associated grids.
Figure 2. System architecture and workflow of location query.
Figure 3. Registration.
Figure 4. Mapping relationship update.
Figure 5. Location update.
Figure 6. Friend query.
Figure 7. Stranger query.
Figure 8. The simulation results for scenario-1.
Figure 9. The simulation results for scenario-2.
Figure 10. The simulation results for scenario-3.
Figure 11. The simulation results for scenario-4.
Table 1. Summary of notations.

Notation        Description
ID              A user's identifier.
PID             A user's pseudo-identifier (pseudo-ID).
GID             A grid cell's identifier.
GFID            A grid cell's fake-identifier (fake-ID).
BID             A base station's identifier.
(x, y)          A location coordinate.
d_f             Threshold distance for friends.
d_s             Threshold distance for strangers.
dis(i, j)       The distance comparison function to compute the Euclidean distance from i to j.
l               A user's query distance.
ts              A time-stamp.
SecK_{B&L}      Location server's secret key, shared with base stations.
SecK_{B&S}      Social network server's secret key, shared with base stations.
SecS_U          A user's session key, shared with all his friends.
seq             A sequence number, generated by base stations.
Table 2. Compared with previous solutions.

Scheme               Time Complexity
MobiShare [6]        O(k f)
UDPLS [10]           O(k f_1)
MLS [11]             O((1/w) (S_i f_i))
CenLocShare [12]     O(k f)
SELS (Our scheme)    O(k f_2)
Table 3. Parameter settings.

Item    Attribute    Specification
n       Variate      1000–2500
k       Variate      10–30
GS      Constant     20 × 20, 1 km × 1 km
d_f     Constant     5 km
l       Variate      1–5 km
f       Variate      50–90
MDPI and ACS Style

Yang, G.; Luo, S.; Xin, Y.; Zhu, H.; Wang, J.; Li, M.; Wang, Y. A Search Efficient Privacy-Preserving Location-Sharing Scheme in Mobile Online Social Networks. Appl. Sci. 2020, 10, 8402. https://doi.org/10.3390/app10238402