
IEEE INTERNET OF THINGS JOURNAL, VOL. 5, NO. 5, OCTOBER 2018 4191

A Dual Privacy Preserving Scheme in Continuous Location-Based Services

Shaobo Zhang, Guojun Wang, Member, IEEE, Md Zakirul Alam Bhuiyan, Senior Member, IEEE, and Qin Liu, Member, IEEE

Abstract—With the development of wireless communication and positioning technology, location-based services (LBSs) have been gaining tremendous popularity, due to their ability to greatly facilitate people's daily lives. Meanwhile, they also entail the risk of location privacy disclosure. To address this issue, general solutions introduce a single trusted anonymizer between the users and the location service provider (LSP). However, a single anonymizer offers limited privacy guarantees and incurs high communication overhead in continuous LBSs. Once the anonymizer is compromised, it may put the user information in jeopardy. In this paper, we propose a dual privacy preserving (DPP) scheme in continuous LBSs to protect the users' trajectory and query privacy. Our scheme introduces multiple anonymizers between the users and the LSP, and combines the Shamir threshold mechanism, a dynamic pseudonym mechanism, and K-anonymity technology to improve the users' trajectory and content privacy in continuous LBSs. An anonymizer alone cannot obtain the users' trajectory or query contents, and it can thus be semi-trusted. Our scheme can enhance the users' privacy and effectively eliminate the single point of failure of the single-anonymizer structure. At the same time, query authentication can guarantee the correctness of the query results. The analysis and simulation results demonstrate that the proposed scheme has the ability to protect users' trajectory and content privacy effectively, and to reduce the computation and communication overhead of a single anonymizer.

Index Terms—K-anonymity, multiple anonymizers, query authentication, Shamir threshold, trajectory and content privacy.

I. INTRODUCTION

WITH the rapid development of smart devices, mobile networks, and positioning technologies, location-based services (LBSs) have become the fastest-growing activities among mobile social networks in the past few years, such as Foursquare, Twitter, and Loopt [1]–[3]. In LBSs, users need to send their current locations and query contents to the LBS server, then they can obtain the points of interest (POIs) nearby, such as finding the nearest cinema, restaurant, or hospital [4], [5]. However, while users enjoy the great convenience and entertainment of LBSs, they may be exposed to the privacy risk of sensitive information leakage. By collecting the queries submitted in continuous LBSs, an adversary who has compromised the LBS server can infer sensitive information about a particular user, such as daily behavior trajectory, working address, and even social relationships [6]. What is worse, the LBS server may disclose the user's private information to a third party for pecuniary advantage, which may become a serious threat. Therefore, privacy protection in LBSs is attracting wide attention and needs to be solved.

Manuscript received February 1, 2018; revised May 10, 2018; accepted May 26, 2018. Date of publication May 31, 2018; date of current version November 14, 2018. This work was supported in part by the National Natural Science Foundation of China under Grant 61632009, Grant 61472451, Grant 61402161, and Grant 61772194, in part by the Guangdong Provincial Natural Science Foundation under Grant 2017A030308006, and in part by the High Level Talents Program of Higher Education in Guangdong Province under Grant 2016ZJ01. (Corresponding author: Guojun Wang.)

S. Zhang is with the School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China (e-mail: [email protected]).

G. Wang is with the School of Computer Science and Educational Software, Guangzhou University, Guangzhou 510006, China (e-mail: [email protected]).

Md Z. A. Bhuiyan is with the Department of Computer and Information Sciences, Fordham University, Bronx, NY 10458 USA, and also with the School of Computer Science and Educational Software, Guangzhou University, Guangzhou 510006, China (e-mail: [email protected]).

Q. Liu is with the School of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China (e-mail: [email protected]).

Digital Object Identifier 10.1109/JIOT.2018.2842470

Fig. 1. Architecture of TTP.

To reduce the risk of privacy disclosure in LBSs, some approaches have been proposed to protect the user's location privacy, and they mainly adopt an architecture based on a fully trusted third party (TTP) [7]. The TTP, called the anonymizer, acts as an intermediate tier between the users and the location service provider (LSP), and is responsible for anonymizing the user location. Fig. 1 depicts the architecture of the TTP. When the query of a user is sent to the anonymizer, the exact location of the user is generalized to a cloaking region that includes at least (K − 1) other users to satisfy K-anonymity, so that the location information of the user sent to the LSP is indistinguishable from that of at least (K − 1) other users [8], [9]. Then, the LSP queries the POIs in the cloaking region to obtain the candidate POIs. Finally, the anonymizer refines the candidate POIs and returns the accurate POIs to the user.

However, this TTP model has two severe drawbacks.

1) All users report their exact location information to the TTP, which becomes an attractive target for attackers. If the TTP server is compromised by an attacker, it will put user information in jeopardy.

2) The TTP server will be the central point of failure and the performance bottleneck, because all the submitted queries have to go through it.

2327-4662 © 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

To overcome the defects of the TTP, we propose a dual privacy preserving (DPP) scheme in continuous LBSs to protect the users' trajectory and query privacy. Our scheme adopts the Shamir threshold and dynamic pseudonym mechanisms, and combines them with K-anonymity technology based on multiple anonymizers to preserve dual privacy (trajectory and content privacy). When a user sends a query request, he first selects a pseudonym, divides the query content into multiple pieces of subinformation by the Shamir threshold mechanism, and sends them to different anonymizers. Then the user randomly selects an anonymizer to form a cloaking region, and the cloaking region is sent to the LBS server. According to the Shamir threshold mechanism, the LBS server can recover the query content and retrieve the user's desired results. Finally, the query results are returned to the user via multiple anonymizers, and the user verifies the correctness of the query results through query authentication.

In the query process, a single anonymizer does not know the query contents or the trajectory of the user; it mainly plays the role of forwarding messages and anonymization, so the anonymizer can be a semi-trusted entity. At the same time, the failure of a single anonymizer does not affect the entire system, and the user can randomly select another anonymizer for K-anonymity. This effectively avoids the single point of failure and performance bottleneck of the single anonymizer in the TTP model. The main contributions of this paper are as follows.

1) We propose a DPP scheme in continuous LBSs to protect the users' trajectory and query privacy. Our scheme deploys multiple anonymizers between the user and the LSP, and allows the user to randomly select a different anonymizer for K-anonymity in each continuous query. Therefore, the attacker cannot get the user's true trajectory from a single anonymizer.

2) We employ the Shamir threshold mechanism to divide the query content into multiple pieces of subinformation, and send them to multiple anonymizers. An anonymizer alone does not know the query content, thereby improving the user's content privacy at the anonymizer.

3) We design a forwarding message mechanism in which the query contents and results are forwarded by multiple anonymizers. It effectively alleviates the performance bottleneck of a single anonymizer and solves the single point of failure in the TTP model.

4) We thoroughly analyze the security of the DPP scheme, which protects the user's trajectory and content privacy effectively. Our simulation results show that the proposed scheme reduces the computational and communication costs of a single anonymizer.

We introduce the related work in Section II and provide an overview of our system model and definitions in Section III. In Section IV, we describe our proposed scheme in detail. Then, the security analysis is provided in Section V. Next, we evaluate the performance of our proposed scheme in Section VI. Finally, we conclude this paper and outline future work in Section VII.

II. RELATED WORK

In this section, we discuss the current state of trajectory privacy-preserving techniques in LBSs. Over the past years, many promising approaches have been proposed for preserving trajectory privacy in LBSs. Generally, these approaches can be classified into two categories according to their system architectures: 1) peer-to-peer architecture and 2) centralized architecture based on a TTP [10].

A. Peer-to-Peer Architecture

In the peer-to-peer architecture, the user communicates with the LSP directly, and an untrustworthy LSP may publish the user trajectories to a third party for analysis and leak the user's privacy, so some methods have been proposed to protect the user's privacy from the untrusted LSP. Typically, the user blurs each location in continuous LBSs to prevent the LBS server from knowing his exact location, using obfuscation methods or collaboration methods. The former are achieved mainly by adding noise to locations or sending "fake" ones to the LSP. For example, Zhang et al. [11] proposed a deviation-based query exchange scheme that obfuscates the users' query points to mitigate trajectory disclosure in mobile social networks. Ardagna et al. [12] presented obfuscation operators that protect the location privacy of the user by perturbing location information measured by sensing technologies, which focus on protecting a single sample of location information. The main drawback of obfuscation methods is that the service quality degrades due to the low accuracy of the query results.

In collaboration methods, users collect each other's location data to generate the cloaking region. For example, Shokri et al. [13] presented a scheme based on the collaboration of mobile devices, which allows a querying user to have LBS queries answered by other users, so that the querying user can protect his location privacy from the server. Peng et al. [14] proposed a trajectory privacy protection method based on user collaboration in continuous LBSs, in which trajectory privacy is guaranteed by caching-aware collaboration between users. However, these methods require powerful computational capability on mobile devices.

On the whole, in the peer-to-peer architecture these approaches incur a high preprocessing overhead on the user side, and large redundant results are returned from the LSP, which incurs a higher communication cost between the user and the LSP.

B. Centralized Architecture

In the centralized architecture based on a TTP, a centralized entity called the anonymizer is introduced into the system to protect the user's location privacy, and its main function is constructing the cloaking region for K-anonymity [15].


At present, some approaches have been proposed under this centralized architecture. For example, Gao et al. [16] proposed a trajectory privacy-preserving framework for participatory sensing, which improves the theoretical mix-zones model by considering the time factor from the perspective of graph theory. Gedik and Liu [17] first proposed the centralized architecture based on a TTP to achieve user location privacy, in which the anonymity server performs location anonymization on the LBS request messages of mobile clients. Hwang et al. [18] proposed a time-obfuscated technique which integrates the R-anonymity, K-anonymity, and S-segment paradigms, and combines ambient conditions into the cloaked location information based on the user privacy profile to prevent a malicious LBS from reconstructing a user trajectory. Vu et al. [19] proposed a mechanism based on locality-sensitive hashing to partition user locations into groups, each containing at least K users, which is shown to preserve both locality and K-anonymity. However, since the users' locations are continuously updated, the existing K-anonymity location cloaking algorithms cannot effectively prevent location-dependent attacks. Liao et al. [20] proposed a K-anonymity trajectory algorithm that selects (K − 1) dummy locations using a sliding window-based K-anonymity mechanism in continuous queries. In general, every centralized architecture based on a TTP inevitably suffers from the inherent drawbacks discussed above.

To overcome the defects of the centralized TTP architecture, Wang et al. [21] proposed a fog structure that stores partial information with anonymity technology to enhance privacy, in which the traditional TTP server is replaced with a fog server. Peng et al. [22] proposed an enhanced location privacy-preserving scheme to protect the user's location privacy in LBSs. This scheme employs a function generator that generates the transformation parameters, and the anonymizer has no knowledge about a user's real location without the parameters. Zhang et al. [23] proposed an enhanced privacy scheme that adopts a uniform grid and an order-preserving symmetric encryption technique, in which the anonymizer knows nothing about a user's real location. However, these schemes still carry the risk of a central point of failure and performance bottleneck in continuous LBSs.

To alleviate these problems, we propose a trajectory and content privacy preserving scheme in continuous LBSs, which improves the user's privacy by the Shamir threshold, pseudonym mechanism, and K-anonymity technology.

III. SYSTEM MODEL AND DEFINITION

In this section, we first depict the trajectory and content privacy-preserving framework in continuous LBSs, then we define some basic notions about the Shamir threshold and the Merkle hash tree. Finally, we provide the threat model.

A. System Architecture

In this paper, we propose a DPP scheme in continuous LBSs, which introduces multiple anonymizers that forward the user's query contents and results, and combines the Shamir threshold, dynamic pseudonym, and K-anonymity technology to improve the user's privacy. The DPP scheme supports range queries in continuous LBSs. The architecture of the DPP scheme is shown in Fig. 2, and it consists of four main entities: 1) user; 2) multiple anonymizers; 3) certificate authority (CA); and 4) LBS server. We describe the main entities and their interactions as follows.

Fig. 2. Architecture of DPP.

User: The user has a device with computation, memory, wireless communication, and global positioning (e.g., GPS) capabilities. The user obtains continuous LBSs from our system by issuing continuous queries at different times to the LBS server through multiple anonymizers.

Multiple Anonymizers: The multiple anonymizers are placed between the user and the LBS server, and they can be deployed at network access points or intermediate nodes such as base stations and gateways. In our system, their main function is to forward query requests and results, and they also provide the K-anonymity function for the user location to ensure the user's location privacy against the LBS server.

Certificate Authority: The CA is a fully trusted entity, and is responsible for the registration of users and LSPs. In our system, the CA also issues pseudonyms and certificates to users.

LBS Server: The LBS server is a service provider which has service databases to store and update the service data, and it can provide various data services to users.

The DPP scheme works as follows.

1) The user adopts the Shamir threshold mechanism to divide the query content into multiple pieces of subinformation. Meanwhile, the user performs user authentication at the CA and is granted a pseudonym certificate.

2) The user is named by the pseudonym and randomly assigns the multiple pieces of subinformation to different anonymizers. One of the anonymizers is responsible for anonymizing the query sent by the user. After the cloaking region has been formed, it is sent to the LBS server for querying.

3) As long as the LBS server receives the specified number of pieces of subinformation, it is able to recover the user's query contents, and then query the POIs within the cloaking region in the database.

4) The LBS server divides the query results into multiple subsets of candidate POIs, constructs a Merkle hash tree for each subset, and then returns them to the user through different anonymizers.

5) After receiving these subsets of candidate POIs, the user verifies their correctness by query authentication, and obtains the accurate query results through refinement.

The advantage of this scheme is that user trajectory andquery contents cannot be acquired from a single anonymizer.

In addition to offering more protection to the privacy of the user trajectory and query contents, it provides an effective approach to the anonymizer's performance bottleneck and the single point of failure problem.

B. Shamir (t, n) Threshold Scheme

Consider positive integers t and n with t ≤ n. A secret s is divided into n pieces {s1, s2, ..., sn}, and the n participants {P1, P2, ..., Pn} are each assigned one piece si, 1 ≤ i ≤ n. At least t participants are needed to recover the secret s from their t pieces, and the secret s cannot be computed with fewer than t participants. This is the meaning of the (t, n) Shamir threshold scheme, where t is the threshold.

The Shamir threshold scheme is based on the Lagrange interpolation formula [24]. A (t − 1)-degree polynomial is constructed whose constant term is the shared secret s. Each piece of the secret is a point (xi, F(xi)) on this polynomial. The generated polynomial can be written as

$$F(x) = S + m_1 x + m_2 x^2 + \cdots + m_{t-1} x^{t-1} \bmod p. \qquad (1)$$

The Shamir threshold scheme has the following properties.

1) In this polynomial, m1, m2, ..., mt−1 are random integers, and t is an integer no larger than n.

2) The distributor who assigns the secret chooses a finite field GF(p), where p is a large prime number. For each xi (i = 1, 2, ..., n) chosen from the finite field, a unique F(xi) can be computed, and the point (xi, F(xi)) is regarded as a piece of the secret held by participant Pi, for the n participants {P1, P2, ..., Pn} respectively.

3) The secret cannot be restored unless secret pieces from t or more participants are available.

C. Merkle Hash Tree

The Merkle hash tree is a complete binary tree [25], [26]. Each leaf node corresponds to a data value, and each node in the tree carries a hash value. The hash value of a leaf node is obtained by hashing its data value, and the hash value of an intermediate node is obtained by hashing the concatenated hash values of its child nodes [27]. Continuing upward, we obtain the hash value of the root node. Because of the dependencies between the nodes in this structure, any change in the value of a leaf node changes the value of the root node. Therefore, we only need to verify the correctness of the root value to know whether a leaf node has been changed.

Fig. 3 shows a Merkle hash tree over four data items a1, a2, a3, and a4 (a1 ≤ a2 ≤ a3 ≤ a4), where H(·) denotes the hash function and "|" denotes the concatenation of two nodes. The root node is signed with the data owner's private key and made known to all users. In the query process, the server returns the result, and the user reconstructs the Merkle hash tree to obtain the root digest. For example, if the query results are a1, a2, a3, and a4, the user reconstructs the root digest from these sorted data and compares it with the root digest published by the data owner. If the two digests match, the user can be assured that a1, a2, a3, and a4 have not been tampered with.

Fig. 3. Merkle hash tree.
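The verification just described, as an added example that is not part of the paper: a Python implementation of the Merkle hash tree over a sorted result set, the root comparison the user performs, and, going beyond the four-item figure, an authentication path for a single returned item. SHA-256 as H(·), the self-pairing of an odd node, the function names, and the sample POI names are assumptions; the data owner's signature on the root is not modelled, the root is simply treated as published.

```python
import hashlib
from typing import List, Tuple

def H(data: bytes) -> bytes:
    """The hash function H(.) of Fig. 3; SHA-256 is an assumption, the paper fixes no algorithm."""
    return hashlib.sha256(data).digest()

def leaf_hash(item: str) -> bytes:
    """Leaf node: hash of the data value itself."""
    return H(item.encode("utf-8"))

def merkle_levels(items: List[str]) -> List[List[bytes]]:
    """Build the tree bottom-up over the sorted items (a1 <= a2 <= ... as in Fig. 3).
    Returns every level, level 0 being the leaves and the last level [root].
    A level with an odd number of nodes pairs its last node with itself; the paper
    only shows the four-item case, so this padding rule is an assumption."""
    if not items:
        raise ValueError("cannot build a Merkle tree over an empty result set")
    level = [leaf_hash(x) for x in sorted(items)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        # Intermediate node = H(left | right): hash of the concatenated child hashes.
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_root(items: List[str]) -> bytes:
    """Root digest; this is what the data owner signs and publishes."""
    return merkle_levels(items)[-1][0]

def verify_results(results: List[str], published_root: bytes) -> bool:
    """Query authentication as described in the text: rebuild the root from the
    returned (sorted) results and compare it with the published root digest."""
    try:
        return merkle_root(results) == published_root
    except ValueError:
        return False

def merkle_proof(items: List[str], item: str) -> List[Tuple[bytes, bool]]:
    """Authentication path for one item: the sibling hash at each level and whether
    that sibling sits on the left. Lets a client check a single returned item
    against the root without holding the whole result set."""
    levels = merkle_levels(items)
    idx = sorted(items).index(item)
    proof = []
    for level in levels[:-1]:
        padded = level + [level[-1]] if len(level) % 2 else level
        sibling = idx ^ 1
        proof.append((padded[sibling], sibling < idx))
        idx //= 2
    return proof

def verify_proof(item: str, proof: List[Tuple[bytes, bool]], published_root: bytes) -> bool:
    """Recompute the root from a leaf and its authentication path."""
    node = leaf_hash(item)
    for sibling, sibling_is_left in proof:
        node = H(sibling + node) if sibling_is_left else H(node + sibling)
    return node == published_root

if __name__ == "__main__":
    # Constructed sample: a POI result set returned by the LBS server.
    pois = ["cinema", "hospital", "restaurant", "station"]
    root = merkle_root(pois)                       # published by the data owner
    print("intact results verify:", verify_results(pois, root))
    tampered = ["cinema", "hospital", "pharmacy", "station"]
    print("tampered results verify:", verify_results(tampered, root))
    proof = merkle_proof(pois, "restaurant")
    print("single-item proof verifies:", verify_proof("restaurant", proof, root))
```

Because the leaves are sorted before hashing, the order in which the results arrive through different anonymizers does not matter; a dropped, added, or altered item changes the root and is detected.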

D. Threat Models

In this paper, the main goal of the adversary is to identify the users' trajectory and query contents, and the adversary's knowledge is an important factor in evaluating the privacy of our model. A common adversary may be an entity that eavesdrops on the wireless channel between the user and the LBS server, or an attacker who has compromised the anonymizer or the LSP. Some security schemes can be used to ensure the integrity of data in transit [28], [29]. Based on the sensitive information an adversary can obtain, we consider both the weak and the strong adversary attack model, the same as in [30].

1) Weak Adversary Attack Model: The weak adversary has little knowledge about the user. It is only an adversary that can wiretap the insecure wireless channel. Eavesdroppers are usually local, short-term, and passive because of their status and limited resources. They try to infer sensitive information about the user from the eavesdropped messages, such as the user's sensitive locations, identity, and interests.

2) Strong Adversary Attack Model: The strong adversary has more power than the weak adversary. In the worst case, the LSP or an anonymizer may be compromised by the adversary, or may leak sensitive information for profit, so they are considered strong adversaries. The LBS server is capable of being a global, long-term, and active observer: it handles all the queries for the user's service and can record all the behaviors of a particular user.

IV. DPP SCHEME IN CONTINUOUS LBSs

In this section, we present the DPP scheme for trajectory privacy in continuous LBSs and describe the working process of the scheme in detail. The notations used in the architecture of DPP are summarized in Table I.

A. Query Request

When a query request is issued, the user first obtains a pseudonym by the dynamic pseudonym mechanism, and divides the query content and key into multiple pieces of subinformation by the Shamir threshold mechanism. Then the dynamic mapping mechanism is used to select a different anonymizer for each piece of subinformation, and the user sends them to the different anonymizers.

TABLE I SUMMARY OF NOTATIONS

1) Dynamic Pseudonym Mechanism: During the continuous query process, the user keeps changing the pseudonym and thus submits the forwarded query requests to the anonymizers under different pseudonyms. The attacker cannot obtain the user's real identity from an anonymizer alone, let alone the user trajectory. The user acquires pseudonyms in the following way.

Registration: When logging on to the system for the first time, the user needs to register with the CA. The user begins by choosing a random number r1 as the key, and encrypts it together with the user identity to yield the registration request message EPKCA(IDu||r1), which is then sent to the CA. Afterward, the CA generates a pair of public and private keys PKu and SKu for the user, and encrypts IDu, PKu, and SKu using the user key r1 to yield Er1(IDu||PKu||SKu), which is returned to the user. Finally, the user key r1 is used to decrypt Er1(IDu||PKu||SKu) and obtain the pair of public and private keys PKu and SKu.

Authentication: When requesting the certificate from the CA, the user first signs IDu using his own private key SKu to obtain SIGSKu(IDu). Next, the public key PKCA of the CA is used to encrypt his own identity IDu, the digital signature SIGSKu(IDu), and the randomly generated key r2, yielding the user request message EPKCA(IDu||SIGSKu(IDu)||r2), which is then sent to the CA. After that, the CA decrypts EPKCA(IDu||SIGSKu(IDu)||r2) using its own private key SKCA and encrypts IDu using the user’s public key PKu to verify the digital signature SIGSKu(IDu). In the case of verification failure, the CA stops responding to the user’s messages. The pseudonym and certificate are generated and issued to the user only if the verification succeeds.

Pseudonym and Certificate: The user first chooses two hash seeds SDu,1 and SDu,2, which are combined with the user identity IDu to form the user record 〈IDu, SDu,1, SDu,2〉. Meanwhile, M pseudonyms

$$PID_{u,i} = h\left(s_{1,i} \oplus s_{2,M+1-i}\right), \quad i = 1, 2, \ldots, M,$$

are generated for the user, where M ≥ N and N denotes the number of continuous queries of the user along the mobile trajectory. Here s_{1,i} = h^i(SDu,1) and s_{2,M+1−i} = h^{M+1−i}(SDu,2) denote the hash chain values generated from the user’s hash seeds in the ith and (M + 1 − i)th rounds of nested hashing. Then, the CA uses its private key SKCA to digitally sign PIDui and obtain the corresponding certificate Certui = SigSKCA(PIDui). The key r2 is also used to encrypt PIDui and Certui to generate the pseudonym message Er2(PIDui||Certui), which is returned to the user. Finally, the user decrypts Er2(PIDui||Certui) using the key r2 to obtain the pseudonym PIDui and the pseudonym certificate Certui.
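The pseudonym derivation above, written out as an added Python example (this is not code from the paper or its authors). SHA-256 standing in for h, the two seed values, and the helper names are assumptions; the structure follows the formula: each chain is built by nested hashing, the ith pseudonym pairs the ith element of the first chain with the (M + 1 − i)th element of the second, and the XOR of the two is hashed once more.

```python
import hashlib


def h(data: bytes) -> bytes:
    """The hash function h of the scheme; SHA-256 is an assumed instantiation."""
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, m: int) -> list:
    """Nested hashing of a seed: returns [h^1(seed), h^2(seed), ..., h^m(seed)].
    Each element is derived from the previous one, so the chain costs m hashes in total."""
    chain, value = [], seed
    for _ in range(m):
        value = h(value)
        chain.append(value)
    return chain


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pseudonyms(sd1: bytes, sd2: bytes, m: int) -> list:
    """PID_{u,i} = h(s_{1,i} XOR s_{2,M+1-i}) for i = 1..M, where
    s_{1,i} = h^i(SD_{u,1}) and s_{2,M+1-i} = h^{M+1-i}(SD_{u,2})."""
    c1 = hash_chain(sd1, m)  # c1[i-1] = h^i(SD1)
    c2 = hash_chain(sd2, m)  # c2[k-1] = h^k(SD2); k = M+1-i is index M-i
    return [h(xor_bytes(c1[i - 1], c2[m - i])).hex() for i in range(1, m + 1)]


# Constructed sample seeds; a real client draws SD_{u,1} and SD_{u,2} at random.
SD1 = b"constructed-seed-1"
SD2 = b"constructed-seed-2"
PIDS = generate_pseudonyms(SD1, SD2, 5)
```

Because the second chain is consumed in reverse order, knowing one pseudonym does not give either chain value that produced it, and neighbouring pseudonyms share no visible structure; only the holder of both seeds can regenerate the list.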

2) Shamir Threshold Mechanism: Before the user sends the query, the query content and the user-generated key are segmented using the Shamir threshold mechanism. During segmentation, the user chooses an appropriate coding mode (ASCII or ANSI) based on the specific language environment to convert the character information of the query content q into numerical values. Meanwhile, the user randomly generates a key k, and adopts the Shamir threshold mechanism to divide the query content q and the key k into n pieces of numeric subinformation, respectively. The details are as follows.

Randomly choose t − 1 elements m_i (i = 1, 2, . . . , t − 1) from GF(p) to form the (t − 1)-degree polynomial

$$F(x) = S + \sum_{i=1}^{t-1} m_i x^i \bmod p \quad (2)$$

where p is a large prime number with p > S, and the secret is S = F(0). The user can generate n subsecrets

$$S_j = F(x_j) = S + \sum_{i=1}^{t-1} m_i x_j^{\,i} \bmod p, \quad j = 1, 2, \ldots, n. \quad (3)$$

The query content q and the key k of the user are each taken as S in (3). We randomly select n nonzero and mutually different elements q_i and k_i (i = 1, 2, . . . , n) from GF(p), and substitute them for the variable x_j in (3) to obtain F(q_i) and F(k_i). From this we get n query subcontents {(q1, F(q1)), (q2, F(q2)), . . . , (qn, F(qn))} and n subkeys {(k1, F(k1)), (k2, F(k2)), . . . , (kn, F(kn))}. Let Qi = (qi, F(qi)) and Ki = (ki, F(ki)); then the n query subcontents and subkeys can be expressed as {Q1, Q2, . . . , Qn} and {K1, K2, . . . , Kn}, respectively. Finally, we obtain n pieces of numeric subinformation {(Q1, K1), (Q2, K2), . . . , (Qn, Kn)}.

3) Random Mapping Mechanism: There are N anonymizers (A0, A1, . . . , AN−1) in the system, whose serial numbers are 0, 1, . . . , N − 1. A random assignment scheme is used to allocate the n pieces of subinformation {(Q1, K1), (Q2, K2), . . . , (Qn, Kn)} (N ≥ n) to n anonymizers for processing. In this paper, we construct a mapping table Table and a hash function that takes each piece of subinformation as its variable. By computing its residue modulo N, we obtain the anonymizer mapped to serial number l, where l = 0, 1, . . . , N − 1:

$$A_l = \mathrm{Hash}(Q_i + K_i) \bmod N \quad (1 \le i \le n,\ 0 \le l \le N-1). \quad (4)$$

That is, the serial number of the anonymizer is determined by the subinformation using (4). Every piece of subinformation should map to a different anonymizer. If two pieces of subinformation map to the same anonymizer, their serial numbers are in conflict. We address this problem by using (5) to calculate the serial number again:

$$A_l = \left(\mathrm{Hash}(Q_i + K_i) + P\right) \bmod N \quad (1 \le P \le N-1) \quad (5)$$


where P is set to 1 first. If the obtained serial number of the anonymizer is still in conflict, we increase the value of P sequentially until an unmapped serial number is found.
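The mapping of (4) with the conflict resolution of (5), as an added Python example that is not part of the paper. The paper does not fix how "Q_i + K_i" is encoded before hashing nor which hash is used; concatenating the four field elements as text and hashing with SHA-256 are assumptions, as are the sample pieces, which are constructed values rather than real shares. The probing step terminates because N ≥ n leaves at least one free serial number, which is reached within N − 1 increments of P.

```python
import hashlib


def hash_piece(Q, K) -> int:
    """Hash(Q_i + K_i): the two points are serialised as text and hashed (assumed encoding)."""
    (q, fq), (k, fk) = Q, K
    digest = hashlib.sha256(f"{q}|{fq}|{k}|{fk}".encode()).digest()
    return int.from_bytes(digest, "big")


def assign_anonymizers(pieces, N):
    """Map n pieces (Q_i, K_i) to distinct anonymizer serial numbers in 0..N-1.
    Eq. (4) gives the first candidate; on a conflict Eq. (5) is applied with
    P = 1, 2, ... until a free serial number is found. Requires N >= n."""
    n = len(pieces)
    if n > N:
        raise ValueError("the number of pieces n must not exceed the number of anonymizers N")
    table, used = [], set()
    for Q, K in pieces:
        hv = hash_piece(Q, K)
        l = hv % N                      # Eq. (4)
        P = 1
        while l in used:                # conflict: another piece already maps to A_l
            l = (hv + P) % N            # Eq. (5), P increased sequentially
            P += 1
        used.add(l)
        table.append(l)
    return table


# Constructed sample: n = 4 pieces, each a pair of points (q_i, F(q_i)), (k_i, F(k_i)).
SAMPLE_PIECES = [
    ((11, 5034), (23, 8871)),
    ((12, 7719), (24, 1405)),
    ((13, 2290), (25, 6623)),
    ((14, 9144), (26, 3017)),
]
```

With N equal to n every anonymizer receives exactly one piece, which is the tightest case for the probing loop; with N larger than n the unused anonymizers idle, which is the effect the conclusion of the paper flags as future work.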

Finally, the user forms a query request message that consists of the jth subinformation (Qj, Kj) (1 ≤ j ≤ n), the randomly chosen user pseudonym PIDui and its pseudonym certificate Certui, the user’s current location EPKAj(loc) encrypted using the anonymizer’s public key PKAj, the query identifier Qid, the time threshold T, the anonymity level K, and the query radius R. The jth anonymizer, to which the query is sent, is chosen from the table by the random mapping. The request message is

$$MSG_{U2A_j} = \left\{PID_{u,i},\ Cert_{u,i},\ E_{PK_{A_j}}(loc),\ (Q_j, K_j),\ Qid,\ T,\ K,\ R\right\}. \quad (6)$$

Meanwhile, based on the random mapping, the user sends the other n − 1 pieces of subinformation together with the query identifier to their corresponding n − 1 anonymizers through the secure channel. For example, if the user selects the first subinformation (Q1, K1) to form the query request message, the other pieces of subinformation with Qid are {Qid, (Q2, K2)}, {Qid, (Q3, K3)}, . . . , and {Qid, (Qn, Kn)}.

B. Anonymity

After receiving the user query message, the jth anonymizer chooses K − 1 other users based on the user location loc and the anonymity level K, and then generates the cloaking region Region that includes the K users. Within the Region, an attacker can guess the user with probability 1/K; hence, the higher the value of K, the higher the level of anonymity. Because the dynamic pseudonym mechanism is adopted, an attacker is unable to acquire the user’s trajectory from an anonymizer alone, and a single anonymizer knows nothing about the user’s query content q. Finally, the other information in MSGU2Aj sent by the user is combined by the anonymizer with Region to form a new query request message MSGAj2S, which is then sent to the LBS server:

$$MSG_{A_j2S} = \left\{PID_{u,i},\ Cert_{u,i},\ Region,\ (Q_j, K_j),\ Qid,\ T,\ K,\ R\right\}. \quad (7)$$

Meanwhile, the other anonymizers forward the n − 1 pieces of subinformation with the query identifier to the LBS server.

C. Searching

On receipt of the user request, the LBS server begins by checking the validity of the pseudonym. The LBS server sends the user pseudonym PIDui and the pseudonym certificate Certui to the CA, where the user pseudonym PIDui is digitally signed with the CA’s private key SKCA to get SigSKCA(PIDui). If it matches the user’s pseudonym certificate Certui, the verification passes. The LBS server does not provide the query service for the user unless the user authentication process is completed and the pseudonym PIDui is valid.

Next, based on the query identifier Qid, the LBS server accumulates t pieces of subinformation {(Q1, K1), (Q2, K2), . . . , (Qt, Kt)} (t ≤ n) within the time period T and reconstructs the polynomials F(q) and F(k) by substituting the t coordinate points (q1, F(q1)), (q2, F(q2)), . . . , (qt, F(qt)) and (k1, F(k1)), (k2, F(k2)), . . . , (kt, F(kt)) into (8), and takes F(0) = S to calculate the user’s query content q and key k. They can also be substituted into (9) directly to obtain S, that is, the user’s query content q and key k:

$$F(x) = \sum_{i=1}^{t} F(x_i) \prod_{\substack{j=1 \\ j \ne i}}^{t} \frac{x - x_j}{x_i - x_j} \quad (8)$$

$$S = F(0) = \sum_{i=1}^{t} F(x_i) \prod_{\substack{j=1 \\ j \ne i}}^{t} \frac{-x_j}{x_i - x_j} \bmod p. \quad (9)$$
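The segmentation of (2)–(3) on the user side and the reconstruction of (9) on the LBS server side, as one added Python example serving both passages (not code from the paper or its authors). The field p = 2^521 − 1, the UTF-8 encoding of the query string as the integer S, and the function names are assumptions; the paper only requires a large prime p > S and a character coding such as ASCII. The example also shows the failure mode that matters for the threshold: fewer than t pieces reconstruct a different polynomial and yield an unrelated value of S.

```python
import secrets

P = (1 << 521) - 1   # Mersenne prime 2^521 - 1 as GF(p); assumed choice, p must exceed S


def encode_query(q: str) -> int:
    """Coding step: the query string as a number S < p (UTF-8 bytes read as an integer)."""
    s = int.from_bytes(q.encode("utf-8"), "big")
    if s >= P:
        raise ValueError("query too long for the chosen field")
    return s


def decode_query(s: int) -> str:
    """Inverse of encode_query; a wrong S decodes to garbage instead of raising."""
    return s.to_bytes((s.bit_length() + 7) // 8, "big").decode("utf-8", errors="replace")


def split_secret(secret: int, t: int, n: int, rng=secrets.randbelow) -> list:
    """Eqs. (2)-(3): F(x) = S + m_1 x + ... + m_{t-1} x^{t-1} mod p, evaluated at n
    distinct nonzero points x_j. Returns [(x_1, F(x_1)), ..., (x_n, F(x_n))]."""
    coeffs = [secret] + [rng(P) for _ in range(t - 1)]   # m_i drawn from GF(p)
    xs = []
    while len(xs) < n:
        x = 1 + rng(P - 1)        # nonzero (x = 0 would reveal S) and mutually different
        if x not in xs:
            xs.append(x)
    shares = []
    for x in xs:
        y = 0
        for c in reversed(coeffs):    # Horner evaluation of F(x) mod p
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def reconstruct_secret(shares: list) -> int:
    """Eq. (9): S = F(0) = sum_i F(x_i) prod_{j != i} (-x_j) / (x_i - x_j) mod p."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if j != i:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s


def share_query_and_key(q: str, k: int, t: int, n: int) -> list:
    """User side: split q and k into n pieces (Q_j, K_j), each a pair of points."""
    Qs = split_secret(encode_query(q), t, n)
    Ks = split_secret(k, t, n)
    return list(zip(Qs, Ks))


def recover_query_and_key(pieces: list) -> tuple:
    """LBS server side: any t pieces collected under one Qid give back q and k."""
    Qs = [Q for Q, _ in pieces]
    Ks = [K for _, K in pieces]
    return decode_query(reconstruct_secret(Qs)), reconstruct_secret(Ks)
```

Any t of the n pieces suffice, in any order, which is what lets the server tolerate slow or absent anonymizers within the time threshold T; the `x_j` values travel with the shares as q_i and k_i, so the server needs no agreement on evaluation points.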

Afterward, based on the query content q, the cloaking region Region, and the query radius R, the LBS server queries the POIs needed by the user and obtains the set of candidate POIs Re within the query range. We divide Re into m subsets {Re1, Re2, . . . , Rem} (m ≤ N), where each subset Rei (1 ≤ i ≤ m) contains at least one element. Then we construct a 2-3-element Merkle hash tree for each subset Rei, in which each parent node has 2 or 3 child nodes. If the number of POIs in a subset of candidate POIs is g, there are non-negative integers a and b such that 2a + 3b = g. Select a and b as follows:

$$a = \begin{cases} g/2, & b = 0,\ g \text{ is even} \\ (g-3)/2, & b = 1,\ g \text{ is odd.} \end{cases} \quad (10)$$

The LBS server first arranges the POIs of each subset in ascending order of the position value xj + yj, and then constructs a 2-3-element Merkle hash tree from each subset. Finally, the hash value ri (1 ≤ i ≤ m) of each tree root is digitally signed with the private key SKS of the LBS server. At the same time, each subset of candidate POIs Rei is encrypted using symmetric encryption with the key k to yield Enk(Rei) (1 ≤ i ≤ m). Finally, the LBS server randomly chooses m of the N anonymizers to forward the encrypted subsets Enk(Rei) and the digital signatures Sig(ri) of the tree roots; the message forwarded to the jth anonymizer is

$$MSG_{S2A_j} = \left\{En_k(Re_i),\ Sig(r_i)\right\}, \quad 1 \le i \le m. \quad (11)$$

D. Result Computation

After receiving the forwarded request message MSGS2Aj from the LBS server, the m anonymizers forward it to the user. The message forwarded by the jth anonymizer to the user is

$$MSG_{A_j2U} = \left\{En_k(Re_i),\ Sig(r_i)\right\}, \quad 1 \le i \le m. \quad (12)$$

On receipt of the message MSGS2Aj from the m anonymizers, the user decrypts each subset of candidate POIs Enk(Rei) using the key k to determine the accurate location (xj, yj) of each POI. Then the user verifies the correctness of each subset of candidate POIs through Algorithm 1. The POI locations of each subset are also used to construct a 2-3-element Merkle hash tree to obtain the hash value Ri of the tree root, and the user decrypts the digital signature Sig(ri) with the public key PKS of the LBS server. If the two hash values are the same, Ri = ri, the subset is complete; otherwise, the LBS server needs to be re-requested and sends the subset of candidate POIs to the user again. Finally, the user obtains the accurate query results by computing the POIs within his own query range.

Algorithm 1 Query Authentication
Input: Rei, Sig(ri) (1 ≤ i ≤ m)
Output: A[m] (authentication result array)
1: The user obtains Rei and Sig(ri);
2: for i = 1 to m do
3:   Sort the POIs of subset Rei in ascending order of the position value xj + yj;
4:   Build a 2-3-element Merkle hash tree Ti;
5:   Obtain the hash value Ri of the tree root;
6:   Decrypt Sig(ri) with PKS and obtain ri;
7:   if Ri = ri then
8:     A[i] = true;
9:   else
10:    A[i] = false;
11:  end if
12: end for
13: return A[m]
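The tree construction of (10) and the check of Algorithm 1, as one added Python example covering both (not code from the paper or its authors). SHA-256 as the node hash, breaking ties in xj + yj by x and then y, placing the 2-child groups before the 3-child groups at each level, and the sample POI subsets are all assumptions; the paper fixes only a and b. Step 6 of Algorithm 1, recovering ri from Sig(ri) with PKS, is a public-key signature check that belongs to a signature library and is not shown; here `signed_roots` holds the ri values as the user would obtain them after that step.

```python
import hashlib


def h(data: bytes) -> bytes:
    """Hash used for leaves and internal nodes; SHA-256 is an assumed instantiation."""
    return hashlib.sha256(data).digest()


def split_2_3(g: int) -> tuple:
    """Eq. (10): non-negative a, b with 2a + 3b = g, for a level of g >= 2 nodes."""
    if g < 2:
        raise ValueError("a level with one node is already the root")
    return (g // 2, 0) if g % 2 == 0 else ((g - 3) // 2, 1)


def group_2_3(nodes: list) -> list:
    """Partition a level into a groups of 2 followed by b groups of 3 (ordering assumed)."""
    a, b = split_2_3(len(nodes))
    groups = [nodes[2 * i:2 * i + 2] for i in range(a)]
    base = 2 * a
    groups += [nodes[base + 3 * i:base + 3 * i + 3] for i in range(b)]
    return groups


def merkle_root_2_3(pois: list) -> bytes:
    """Sort POIs by x + y (ties by x, then y), hash each as a leaf, then hash the 2-3
    groups level by level until a single root hash remains."""
    if not pois:
        raise ValueError("each subset Re_i contains at least one POI")
    ordered = sorted(pois, key=lambda p: (p[0] + p[1], p[0], p[1]))
    level = [h(f"{x},{y}".encode()) for x, y in ordered]
    while len(level) > 1:
        level = [h(b"".join(group)) for group in group_2_3(level)]
    return level[0]


def authenticate_subsets(subsets: list, signed_roots: list) -> list:
    """Algorithm 1: rebuild R_i for every received subset and compare it with r_i."""
    return [merkle_root_2_3(sub) == r for sub, r in zip(subsets, signed_roots)]


# Constructed sample: two candidate-POI subsets as the LBS server would build them.
SERVER_SUBSETS = [
    [(3, 4), (1, 9), (7, 2)],
    [(10, 10), (5, 6), (8, 1), (2, 2), (6, 7)],
]
SIGNED_ROOTS = [merkle_root_2_3(s) for s in SERVER_SUBSETS]   # the r_i the server signs


def demo_tampering() -> list:
    """One POI of the second subset is altered in transit; the user detects it."""
    received = [list(s) for s in SERVER_SUBSETS]
    received[1][0] = (10, 11)
    return authenticate_subsets(received, SIGNED_ROOTS)
```

Sorting before hashing is what makes the check independent of the order in which POIs arrive; altering, dropping or adding a single POI changes the rebuilt root and marks that subset as failed, which is the condition under which the paper re-requests it from the LBS server.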

V. SECURITY ANALYSIS

Our security analysis focuses on how the DPP scheme achieves the user’s trajectory and content privacy preservation under the threat model discussed in Section III. The security of the proposed scheme against eavesdropping attacks and against a dishonest LSP or anonymizer is analyzed in the following, respectively.

A. Privacy Against Anonymizer

Challenge 1: Multiple anonymizers sit between the user and the LBS server and are responsible for forwarding the query requests and results. An anonymizer may act as a strong attacker that tries to infer sensitive information from these data, aiming to disclose the trajectory and query content of the user. If the anonymizer can learn the trajectory and query content of the user, it wins the game.

Lemma 1: Our DPP scheme is resistant to inference attacks by an anonymizer.

Proof: In our scheme, the Shamir threshold mechanism is used to divide the user’s query content q into n pieces of subinformation {Q1, Q2, . . . , Qn}. Next, n of the N anonymizers are chosen to forward this subinformation. As long as the n anonymizers do not collude, it is impossible to obtain the user’s q. Even if the attacker obtains q because several anonymizers collude, q cannot be associated with the real identity IDu of the user, because the user dynamically chooses a pseudonym PIDui for each query.

At the same time, the user sends the query request, which consists of PIDui, Certui, EPKAj(loc), (Qj, Kj), Qid, T, K, and R, to a random anonymizer for processing. During this process, only one of the N anonymizers is responsible for anonymizing the user location, and the attacker is unable to acquire the user trajectory from an anonymizer alone. Due to the use of dynamic pseudonyms, even if several anonymizers colluded, the attacker could not determine the mobile trajectory of a specific user.

When the query results are returned to the user, the m subsets Enk(Rei) are encrypted using the key k. Hence, the anonymizer cannot decrypt them and obtain the candidate POIs Re without the user’s key k.

From the analysis above, the anonymizer is unable to determine the user’s trajectory and query content.

B. Privacy Against LSP

Challenge 2: The LSP manages all the query information from all users. It may act as an honest-but-curious attacker, or even a strong attacker, that tries to infer sensitive information from these data, aiming to disclose the real location of the user. If the LSP learns the exact location of the user corresponding to the query information, the LSP wins the game.

Lemma 2: Our DPP scheme is resistant to inference attacks by the LSP.

Proof: In our scheme, MSGAj2S denotes the query request message that the user forwards to the LSP via the jth anonymizer; it includes the user pseudonym PIDui, the pseudonym certificate Certui, the cloaking region Region, the subinformation (Qi, Ki), the query identifier Qid, the time threshold T, and the query radius R. From this information, the LSP cannot acquire the accurate user location. Even if the LSP knows that the user is located within Region, this cloaking region contains at least K users. Therefore, the LSP guesses the user correctly with probability at most 1/K.

When the LSP receives t pieces of subinformation (Qi, Ki), the query content of the user can be restored using the Lagrange interpolation polynomial. The candidate POIs can also be determined based on q, Region, and R. During this process, the LSP only learns the query content q. The use of dynamic pseudonyms prevents it from associating q with a specific user. Therefore, from the user’s query data in the LBS server, the LSP can neither accurately determine the user location nor correctly guess the user that corresponds to the query content.

C. Resistance to Eavesdropping Attacks

Challenge 3: A weak adversary can monitor and eavesdrop on the communication between the user and the LBS server, and may learn extra information through eavesdropping attacks, aiming to disclose the trajectory and the query content of the user. If the weak attacker successfully obtains the trajectory and the query content of the user, the attacker wins the game.

Lemma 3: Our DPP scheme is resistant to eavesdropping attacks.

Proof: In our scheme, MSGU2Aj denotes the message that the user sends to the jth anonymizer; it includes the user pseudonym PIDui, the pseudonym certificate Certui, the current user location EPKAj(loc) encrypted using the jth anonymizer’s public key PKAj, the subinformation (Qj, Kj), and the anonymity level K. The weak attacker is unable to determine the user location accurately without the jth anonymizer’s private key SKAj. And according to the Shamir threshold mechanism, the weak attacker cannot restore the user’s query content q from the single subinformation (Qj, Kj) in MSGU2Aj.

TABLE II: Experimental Parameter Settings

Even if the attacker recovers q by eavesdropping on the communication channels between the user and the other n − 1 anonymizers, it is impossible to determine the real user that corresponds to the query content q due to the use of dynamic pseudonyms. When the jth anonymizer forwards the query request message MSGAj2S to the LBS server, the weak attacker can only obtain the user pseudonym PIDui or restore the query content q. Similarly, it cannot determine the real user that corresponds to the query content q.

In the query results returned to the user, which include MSGS2Aj and MSGAj2U, the subsets of candidate POIs {Re1, Re2, . . . , Rem} are encrypted using symmetric encryption with the key k. The weak attacker does not have the user key k, and thus can neither obtain the subsets Rei nor reap other useful information. Even if the attacker tampers with these subsets, the user can verify the correctness of the subsets through the query authentication. From the analysis above, the eavesdropper is unable to accurately determine the user location or correctly guess the query content of a specific user.

VI. EVALUATION

In this section, the effectiveness and efficiency of our proposed DPP scheme are experimentally evaluated under various system settings. Our experiments focus on the performance of our scheme, the query authentication cost, and the overhead of a single anonymizer.

A. Simulation Setup

We use the well-known Thomas Brinkhoff network-based generator of moving objects [31] to generate 10 000 moving objects in the system. The input of the generator is the road map of Oldenburg County, Germany. We choose the Gedik and Liu [17] and Hwang et al. [18] schemes in the TTP structure as the baseline algorithms to compare against. Our experiments were implemented on the MyEclipse development platform in the Java programming language, and all experiments were performed on an Intel Core-i5 3.30-GHz machine with 4 GB of RAM running Windows 7. A summary of the experimental parameters is shown in Table II.

B. Effectiveness Analysis

We analyze the effectiveness of our DPP scheme mainly by varying the number of divided subinformation n, the number of POIs, and the query range radius R at different anonymity levels K.

Fig. 4. Effect of the divided subinformation n. (a) Computation time. (b) Communication cost.

Fig. 5. Effect of the POIs. (a) Computation time. (b) Communication cost.

The Effect of the Divided Subinformation: Fig. 4 shows the computation cost and the communication cost under varying n while POIs = 10 000, R = 1.0, and K = 30, 60, and 90, respectively. From this figure, it can be seen that the query time and communication overhead increase with the values of n and K. The reason is that when the number of divided subinformation increases, more anonymizers are needed to process the user’s subinformation, resulting in greater query time and communication overhead. Similarly, when the value of K increases, the cloaking region and the corresponding query range are enlarged. This also costs longer query time and more communication overhead.

The Effect of the POIs: Fig. 5 shows the computation time and the communication cost under varying POIs while n = 50, R = 1.0, and K = 30, 60, and 90, respectively. As seen in this figure, the computation time and the communication cost increase with the number of POIs and with K. The reason is that when the number of POIs in the cloaking region increases, the LBS server and the user need more time for searching POIs and refining the results. At the same time, with more POIs in the cloaking region, more POIs are sent from the LBS server to the anonymizers and returned from the anonymizers to the user, resulting in more communication overhead.

The Effect of the Query Range: Fig. 6 shows the computation time and the communication cost under varying R while n = 50, POIs = 10 000, and K = 30, 60, and 90, respectively. As seen in this figure, the computation time and the communication cost increase with R and K. This is because as the query range radius increases, the query spatial region becomes larger, and the corresponding query time and communication overhead also increase. Similarly, when the value of K increases, the cloaking region is enlarged.


Fig. 6. Effect of the query range R. (a) Computation time. (b) Communication cost.

Fig. 7. Impact of the size of the query results.

Fig. 8. Performance comparison of a single anonymizer. (a) Computation time. (b) Communication cost.

This also costs longer query time and more communicationoverhead.

The Query Authentication Cost: Fig. 7 shows the query authentication cost under varying POIs while n = 50, R = 1.0, and K = 30, 60, and 90, respectively. As seen in this figure, the query authentication cost increases with the number of POIs and with K. The reason is that when the number of POIs and K increase, the user obtains more query results from the LBS server, and the cost of verifying the correctness of these query results increases accordingly.

C. Comparison

We compare the effectiveness of our DPP scheme with the Gedik and Hwang schemes in terms of the overhead of a single anonymizer. Fig. 8 shows the computation time and the communication cost under varying K while n = 50, R = 1.0, and POIs = 10 000. As can be seen from Fig. 8, DPP has a clear advantage over Gedik and Hwang in terms of the time and communication overhead of a single anonymizer as the value of K increases. The reason is that DPP randomly chooses n of the N anonymizers to process the user’s query, whereas in the Gedik and Hwang schemes the query is processed by one anonymizer alone. In terms of the average time of users’ queries and the communication overhead of a single anonymizer, DPP is far superior to the Gedik and Hwang schemes in the TTP structure.

VII. CONCLUSION

In this paper, we propose a DPP scheme in continuous LBSs to protect the users’ trajectory and query privacy. Our scheme introduces multiple anonymizers and utilizes the Shamir threshold mechanism, the dynamic pseudonym mechanism, and K-anonymity technology to improve the users’ privacy.

The users’ queries are sent to the LSP via multiple anonymizers, and a single anonymizer cannot obtain the user’s trajectory and query contents, which improves the users’ trajectory and content privacy against the anonymizer. At the same time, the query contents and results are forwarded by multiple anonymizers, which effectively alleviates the performance bottleneck of a single anonymizer and solves the single point of failure in the TTP structure. The correctness of the query results is also guaranteed by the query authentication. The security analysis demonstrates that our scheme can resist the possible privacy attacks from both strong and weak adversaries to protect the users’ trajectory and content privacy. Extensive evaluations also suggest that our proposed scheme preserves trajectory privacy at low computation and communication costs on a single anonymizer.

However, the number of pieces into which the query content is divided by the Shamir threshold mechanism is too small, which increases the idle rate of the multiple anonymizers. Therefore, future work includes studying the optimal relationship between the number of divided subinformation and the number of anonymizers to further improve the service quality while ensuring user privacy. In addition, we intend to add an error correction mechanism that can correct a wrong query result.

REFERENCES

[1] M. Grissa, A. A. Yavuz, and B. Hamdaoui, “Preserving the location privacy of secondary users in cooperative spectrum sensing,” IEEE Trans. Inf. Forensics Security, vol. 12, no. 2, pp. 418–431, Feb. 2017.

[2] Q. Liu, G. Wang, F. Li, S. Yang, and J. Wu, “Preserving privacy with probabilistic indistinguishability in weighted social networks,” IEEE Trans. Parallel Distrib. Syst., vol. 28, no. 5, pp. 1417–1429, May 2017.

[3] E. Luo et al., “PrivacyProtector: Privacy-protected patient data collection in IoT-based healthcare systems,” IEEE Commun. Mag., vol. 56, no. 2, pp. 163–168, Feb. 2018.

[4] R. Schlegel, C.-Y. Chow, Q. Huang, and D. S. Wong, “Privacy-preserving location sharing services for social networks,” IEEE Trans. Services Comput., vol. 10, no. 5, pp. 811–825, Sep./Oct. 2017.

[5] L. Li, R. Lu, and C. Huang, “EPLQ: Efficient privacy-preserving location-based query over outsourced encrypted data,” IEEE Internet Things J., vol. 3, no. 2, pp. 206–218, Apr. 2016.

[6] J. Son et al., “Privacy enhanced location sharing for mobile online social networks,” IEEE Trans. Sustain. Comput., to be published. [Online]. Available: https://doi.org/10.1109/TSUSC.2018.2842788, doi: 10.1109/TSUSC.2018.2842788.

[7] R. Schlegel, C.-Y. Chow, Q. Huang, and D. S. Wong, “User-defined privacy grid system for continuous location-based services,” IEEE Trans. Mobile Comput., vol. 14, no. 10, pp. 2158–2172, Oct. 2015.

[8] S. Zhang, Q. Liu, and Y. Lin, “Anonymizing popularity in online social networks with full utility,” Future Gener. Comput. Syst., vol. 72, pp. 227–238, Jul. 2016.


[9] H. Zhu, F. Liu, and H. Li, “Efficient and privacy-preserving polygons spatial query framework for location-based services,” IEEE Internet Things J., vol. 4, no. 2, pp. 536–545, Apr. 2017.

[10] A. Pingley et al., “Protection of query privacy for continuous location based services,” in Proc. IEEE INFOCOM, vol. 8, 2011, pp. 1710–1718.

[11] S. Zhang, G. Wang, Q. Liu, and J. H. Abawajy, “A trajectory privacy-preserving scheme based on query exchange in mobile social networks,” Soft Computing. Heidelberg, Germany: Springer, 2017, doi: 10.1007/s00500-017-2676-6.

[12] C. A. Ardagna, M. Cremonini, S. D. C. di Vimercati, and P. Samarati, “An obfuscation-based approach for protecting location privacy,” IEEE Trans. Depend. Secure Comput., vol. 8, no. 1, pp. 13–27, Jan./Feb. 2011.

[13] R. Shokri, G. Theodorakopoulos, P. Papadimitratos, E. Kazemi, and J.-P. Hubaux, “Hiding in the mobile crowd: Location privacy through collaboration,” IEEE Trans. Depend. Secure Comput., vol. 11, no. 3, pp. 266–279, May/Jun. 2014.

[14] T. Peng, Q. Liu, D. Meng, and G. Wang, “Collaborative trajectory privacy preserving scheme in location-based services,” Inf. Sci. Int. J., vol. 387, pp. 165–179, May 2017.

[15] D. Liao, G. Sun, H. Li, H. Yu, and V. Chang, “The framework and algorithm for preserving user trajectory while using location-based services in IoT-cloud systems,” Cluster Comput., vol. 20, no. 3, pp. 2283–2297, 2017.

[16] S. Gao, J. Ma, W. Shi, G. Zhan, and C. Sun, “TrPF: A trajectory privacy-preserving framework for participatory sensing,” IEEE Trans. Inf. Forensics Security, vol. 8, no. 6, pp. 874–887, Jun. 2013.

[17] B. Gedik and L. Liu, “Protecting location privacy with personalized k-anonymity: Architecture and algorithms,” IEEE Trans. Mobile Comput., vol. 7, no. 1, pp. 1–18, Jan. 2008.

[18] R.-H. Hwang, Y.-L. Hsueh, and H.-W. Chung, “A novel time-obfuscated algorithm for trajectory privacy protection,” IEEE Trans. Services Comput., vol. 7, no. 2, pp. 126–139, Apr./Jun. 2014.

[19] K. Vu, R. Zheng, and J. Gao, “Efficient algorithms for K-anonymous location privacy in participatory sensing,” in Proc. IEEE INFOCOM, Orlando, FL, USA, 2012, pp. 2399–2407.

[20] D. Liao, H. Li, G. Sun, and V. Anand, “Protecting user trajectory in location-based services,” in Proc. IEEE Glob. Commun. Conf., San Diego, CA, USA, 2015, pp. 1–6.

[21] T. Wang et al., “Trajectory privacy preservation based on a fog structure for cloud location services,” IEEE Access, vol. 5, pp. 7692–7701, 2017.

[22] T. Peng, Q. Liu, and G. Wang, “Enhanced location privacy preserving scheme in location-based services,” IEEE Syst. J., vol. 11, no. 1, pp. 219–230, Mar. 2017.

[23] S. Zhang, K.-K. R. Choo, Q. Liu, and G. Wang, “Enhancing privacy through uniform grid and caching in location-based services,” Future Gener. Comput. Syst., to be published.

[24] R. Steinfeld, J. Pieprzyk, and H. Wang, “Lattice-based threshold changeability for standard Shamir secret-sharing schemes,” IEEE Trans. Inf. Theory, vol. 53, no. 7, pp. 2542–2559, Jul. 2007.

[25] P. Devanbu, M. Gertz, C. Martel, and S. G. Stubblebine, “Authentic data publication over the Internet,” J. Comput. Security, vol. 11, no. 3, pp. 291–314, 2003.

[26] P. T. Devanbu, M. Gertz, C. U. Martel, and S. G. Stubblebine, “Authentic third-party data publication,” in Proc. IFIP TC11/WG11.3 14th Working Conf. Database Security Data Appl. Security Develop. Directions, 2000, pp. 101–112.

[27] S. Tian, Y. Cai, and Z. Hu, “A parity-based data outsourcing model for query authentication and correction,” in Proc. IEEE Int. Conf. Distrib. Comput. Syst., 2016, pp. 395–404.

[28] A. Karati et al., “Provably secure identity-based signcryption scheme for crowdsourced industrial Internet of Things environments,” IEEE Internet Things J., to be published, doi: 10.1109/JIOT.2017.2741580.

[29] Q. Liu, G. Wang, X. Liu, T. Peng, and J. Wu, “Achieving reliable and secure services in cloud computing environments,” Comput. Elect. Eng., vol. 59, pp. 153–164, Apr. 2017.

[30] B. Niu, Z. Zhang, X. Li, and H. Li, “Privacy-area aware dummy generation algorithms for location-based services,” in Proc. IEEE Int. Conf. Commun., 2014, pp. 957–962.

[31] T. Brinkhoff et al., “Generating traffic data,” IEEE Data Eng. Bull., vol. 26, no. 2, pp. 19–25, Aug. 2003.

Shaobo Zhang received the B.S. and M.S. degrees in computer science from the University of Science and Technology, Xiangtan, China, in 2003 and 2009, respectively, and the Ph.D. degree in computer science from Central South University, Changsha, China, in 2017.

He is currently a Lecturer with the School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan. His current research interests include security and privacy issues in cloud computing and social networks, and big data security.

Guojun Wang (A’10–M’10) received the B.Sc. degree in geophysics, M.Sc. degree in computer science, and Ph.D. degree in computer science from Central South University, Changsha, China, in 1992, 1996, and 2002, respectively.

He is a Professor with the School of Computer Science and Educational Software, Guangzhou University, Guangzhou, China. He had been a Professor with Central South University, Changsha, an Adjunct Professor with Temple University, Philadelphia, PA, USA, a Visiting Scholar with Florida Atlantic University, Boca Raton, FL, USA, a Visiting Researcher with the University of Aizu, Aizuwakamatsu, Japan, and a Research Fellow with the Hong Kong Polytechnic University, Hong Kong. His current research interests include network and information security, Internet of Things, and cloud computing.

Dr. Wang is a Senior Member of the CCF and a member of the ACM and IEICE.

Md Zakirul Alam Bhuiyan (M’09–SM’17) received the M.Sc. and Ph.D. degrees (with Distinction) in computer science and technology from Central South University, Changsha, China.

He is currently an Assistant Professor with the Department of Computer and Information Sciences, Fordham University, New York, NY, USA. He was an Assistant Professor with Temple University, Philadelphia, PA, USA. His current research interests include dependability, cyber security, big data, and cyber-physical systems. He has authored or co-authored over 100 publications, including journal/transaction articles, conference proceedings, book chapters, and 2 books.

Dr. Bhuiyan has served as an Associate Editor and a lead Guest Editor for key journals. He has also served as the General Chair, the Program Chair, the Workshop Chair, the Publicity Chair, a TPC member, and a Reviewer of various international journals/conferences. He is a member of the ACM.

Qin Liu (M’17) received the B.Sc. degree in computer science from Hunan Normal University, Changsha, China, in 2004 and the M.Sc. and Ph.D. degrees in computer science from Central South University, Changsha, China, in 2007 and 2012, respectively.

She has been a visiting student with Temple University, Philadelphia, PA, USA. She is an Assistant Professor with the College of Computer Science and Electronic Engineering, Hunan University, Changsha. Her current research interests include security and privacy issues in cloud computing.