Location-Proof System Based on Secure Multi-party Computations

Abstract

Location-based services are quite popular. Their variety and their numerous users show it clearly. However, these applications rely on the persons’ honesty to use their real location. If they are motivated to lie about their position, they can do so. A location-proof system allows a prover to obtain proofs from nearby witnesses, for being at a given location at a given time. Such a proof can be used to convince a verifier later on. Many solutions have been designed in the last decade, but none protects perfectly the privacy of their participants. Indeed, provers and witnesses may want to keep their identity and location private. In this paper, a solution is presented in which a malicious adversary, acting as a prover, cannot cheat on his position. It relies on multi-party computations and group-signature schemes to protect the private information of both the prover and the witnesses against any semi-honest participant. Additionally, this paper gives a new secure multi-party maximum computation protocol requiring \(\mathcal {O}(n \log (n))\) computations and communications, which greatly improves the previously known solutions having \(\mathcal {O}(n^2)\) complexities. Although it is designed for our location-proof system, it can be applied to any scenario in which a small information leakage is acceptable.

Appendices

A Complexity of the Overall System

We have detailed the computational and communication complexity in each sub-protocols, but we are now interested in the complexity of the overall location-proof system (Protocol 1), depending on the number of witnesses. For simplicity, let us assume there are \(m=4n\) witnesses, i.e. n in each direction. Let |N| denote the size of the keys (the size of a ciphertext is simply 2|N| with the Paillier’s cryptosystem) and |S| denote the size of group signatures. We consider that the encryption, decryption functions and homomorphic operations are in \(\mathcal {O}(1)\).

Table 2. Complexity of the system

Table 2 presents the number of cryptographic operations processed by the prover and by each witness, the number of communications and the bits exchanged during the different protocols. We only deal with the worst case scenario: a marked witness for the computational complexity in \(\textsf {Protocol}~3\), and only a witness A in Protocol 4. This can obviously be optimized by giving role B to marked witnesses as often as possible. The complexity of Protocol 3 is an approximation of the total number of comparisons. An exact formula is given in Sect. 4.3. In Protocol 4, it has been shown that \(\mathcal {P}\) runs \(l+1\) operations in \(n-1\) comparisons, and only 1 otherwise. Thus, the number of operations done by the prover in Protocol 3 and 4 is approximately \((n-1)l + \frac{n}{2}\lceil \log {n} \rceil \).

To summarize, the global complexity, both in terms of computations and communication, is in \(\mathcal {O}(n\log {n})\) for the prover and \(\mathcal {O}(\log {n})\) for a witness. In comparison, most previous location-based systems have a complexity for the prover in \(\mathcal {O}(n)\), and \(\mathcal {O}(1)\) for a witness. This is due to the fact that witnesses do not need to interact with each other. However, location-privacy requires such interactions, and thus we do not reach the same objectives.

B Security Proofs of the Two-Party Comparison Protocol

In this annex, we give more details about some security goals of Protocol 4: (1) A cannot find b, (3) \(\mathcal {P}\) cannot find neither a nor b and (4) the result of the comparison is known only to \(\mathcal {P}\).

Proof

(Objective (1)). At the beginning of Step 3, A learns \(\pi _B(\delta _1,\cdots , \delta _l)\) with

$$\begin{aligned} \delta _i = k_i(h(T_1^a[i]) - h(T_0^b[i]))+r_B \end{aligned}$$

Remember that \(h(T_0^b[i])\) can be seen as an encoding of b. Let us prove that the vector \(\delta \) does not leak any information about b.

W.l.o.g. assume that \(\pi _B(\cdot )\) is the permutation identity. Let us take any value \(b' \ne b\) and show that the same vector \(\delta \) can be obtained from \(b'\) and thus does not leak any information.

If \(a>b'\), let \(i^*\) be the index such that \(T_1^a[i^*] = T_0^{b'}[i^*]\) and take \(r_B = \delta _{i^*}\). On the other hand, if \(a \le b'\), we can choose arbitrarily \(r_B\). Now if we take:

$$\begin{aligned} k_i = (\delta _i - r_B) \cdot (h(T_1^a[i]) - h(T_0^{b'}[i]))^{-1} \ \ \ \ \ \forall i \ne i^* \end{aligned}$$

then we obtain the same vector \(\delta \).

This can be generalized to permutation \(\pi _B(\cdot )\). Hence, \(\delta \) can be obtained from any value of \(b'\) with the same probability, and does not therefore leak any information about b.

It remains to prove that A does not learn the result of the comparison (part of Objective (4)) which would leak partial information about b. The result of the comparison (either in the vector \(\mu \), the value \(s_A\) or \(s_B\)) is always encrypted under the public key of \(\mathcal {P}\). We assume the cryptosystem is semantically secure, which ends the proof of Objective (1). \(\square \)

Proof

(Objective (3)). At the beginning of Step 4, \(\mathcal {P}\) learns \(\pi _A(\mu _1,\cdots , \mu _l)\) where

$$\begin{aligned} \mu _i = (\delta ^*_i-r_B+s_B+s_A+r_{A,i})\cdot {r_{A,i}}^{-1} \end{aligned}$$

and \(\delta ^*_i = \delta _{\pi _B(i)}\). To simplify notations, assume that \(\pi _A(\cdot )\) and \(\pi _B(\cdot )\) are the identity permutation. If \(s_A\) or \(s_B\) is different from 0, this case is simple (Objective (7)): the vector \(\mu \) follows an independent uniform distribution of \(\mathbb {Z}_{N_\mathcal {P}}^l\). Thus, we only study the case:

$$\begin{aligned} \mu _i = (k_i(h(T_1^a[i]) - h(T_0^b[i]))+r_{A,i}) \cdot {r_{A,i}}^{-1} \end{aligned}$$

Knowing that \(a > b\), we will now show that for any couple \((a',b')\) such that \(a' > b'\), we can obtain the same vector \(\mu \) with the same probability. In this case, let \(i^*\) be the index such that \(T_1^{a'}[i^*] = T_0^{b'}[i^*]\). In this case, \(k_{i^*}\) can be chosen arbitrarily. For all other value \(i \ne i^*\), \(r_{A,i}\) can be chosen arbitrarily, and \(k_i\) can be defined as:

$$\begin{aligned} k_i = (\mu _i \cdot r_{A,i} - r_{A,i}) \cdot (h(T_1^{a'}[i]) - h(T_0^{b'}[i]))^{-1}. \end{aligned}$$

Finally, if \(a \le b\), this is simpler. In this case, the index \(i^*\) is not defined, and the values of all \(r_{A,i}\) and \(k_i\) are defined as above.

Thus, the same vector \(\mu \) can be obtained. This can be done for any values of \(a'\) and \(b'\), as long as the result remains unchanged, and for any permutation \(\pi _A(\cdot )\) and \(\pi _B(\cdot )\). Therefore, the vector \(\mu \) does not leak any information about a or b except whether \(a > b\) or not, which ends the proof.

\(\square \)