An Efficient Technique for Protecting Location Privacy of Cooperative Spectrum Sensing Users
Cooperative spectrum sensing, despite its effectiveness in enabling dynamic spectrum access, suffers from location privacy threats, merely because secondary users (s)’ sensing reports that need to be shared with a fusion center to make spectrum availability decisions are highly correlated to the users’ locations. It is therefore important that cooperative spectrum sensing schemes be empowered with privacy preserving capabilities so as to provide s with incentives for participating in the sensing task. In this paper, we propose an efficient privacy preserving protocol that uses an additional architectural entity and makes use of various cryptographic mechanisms to preserve the location privacy of s while performing reliable and efficient spectrum sensing. We show that not only is our proposed scheme secure and more efficient than existing alternatives, but also achieves fault tolerance and is robust against sporadic network topological changes.
Digital Object Identifier 10.1109/INFCOMW.2016.7562209
Cooperative spectrum sensing is a key component of cognitive radio networks (s) essential for enabling dynamic and opportunistic spectrum access . It consists of having secondary users (s) sense the licensed channels on a regular basis and collaboratively decide whether a channel is available prior to using it so as to avoid harming primary users (s). One of the most popular spectrum sensing techniques is energy detection, thanks to its simplicity and ease of implementation, which essentially detects the presence of signal by measuring and relying on the energy strength of the sensed signal, commonly known as the received signal strength () .
Broadly speaking, cooperative spectrum sensing techniques can be classified into two categories: Centralized and distributed . In centralized techniques, a central entity called fusion center () orchestrates the sensing operations as follows. It selects one channel for sensing and, through a control channel, requests that each perform local sensing on that channel and send its sensing report (e.g., the observed value) back it to. It then combines the received sensing reports, makes a decision about the channel availability, and diffuses the decision back to the s. In distributed sensing techniques, s do not rely on a for making channel availability decisions. They instead exchange sensing information among one another to come to a unified decision . This requirement makes distributed sensing techniques highly complex with respect to their centralized counterparts. Hence, centralized sensing techniques are considered more practical for real-life applications.
Despite its usefulness and effectiveness in promoting dynamic spectrum access, cooperative spectrum sensing suffers from serious security and privacy threats. One big threat to s, which we tackle in this work, is location privacy, which can easily be leaked due to the wireless nature of the signals communicated by s during the cooperative sensing process. In fact, it has been shown that values of s are highly correlated to their physical locations , thus making it easy to compromise the location privacy of s when sending out their sensing reports. The fine-grained location, when combined with other publicly available information, could easily be exploited to infer private information about users . Examples of such private information are shopping patterns, user preferences, and user beliefs, just to name a few . With such privacy threats and concerns, s may refuse to participate in the cooperative sensing tasks. It is therefore imperative that cooperative sensing schemes be enabled with privacy preserving capabilities that protect the location privacy of s, thereby encouraging them to participate in such a key function, the spectrum sensing.
In this paper, we propose an efficient privacy-preserving scheme for cooperative spectrum sensing that exploits various cryptographic mechanisms to preserve the location privacy of s while performing the cooperative sensing task reliably and efficiently. We show that our proposed scheme is secure and more efficient than its existing counterparts, and is robust against sporadic topological changes and network dynamism.
I-a Related Work
Security and privacy in s have gained some attention recently. Yan et al.  discussed security issues in fully distributed cooperative sensing. Qin et al. proposed a privacy-preserving protocol for transactions using a commitment scheme and zero-knowledge proof.
Location privacy, though well studied in the context of location-based services (LBS) [7, 8], has received little attention in the context of s [9, 10, 3]. Some works focused on location privacy but not in the context of cooperative spectrum sensing (e.g., database-driven spectrum sensing [9, 11] and dynamic spectrum auction ) and are skipped since they are not within this paper’s scope.
In the context of cooperative spectrum sensing, Shuai et al.  showed that s’ locations can easily be inferred from their reports, and called this the SRLP (single report location privacy) attack. They also identified the DLP (differential location privacy) attack, where a malicious entity can estimate the (and hence the location) of a leaving/joining user from the variations in the final aggregated measurements before and after user’s joining/leaving of the network. They finally proposed , a protocol for cooperative spectrum sensing, to address these two attacks. Despite its merits, has several limitations: (i) It needs to collect all the sensing reports to decode the aggregated result. This is not fault tolerant, since some reports may be missing due, for e.g., to the unreliable nature of wireless channels. (ii) It cannot handle dynamism if multiple users join or leave the network simultaneously. (iii) The pairwise secret sharing requirement incurs extra communication overhead and delay. (iv) The underlying encryption scheme requires solving the Discrete Logarithm Problem, which is possible only for very small plaintext space and can be extremely costly (see Table I). Chen et al.  proposed , a fault-tolerant and privacy-preserving data aggregation scheme for smart grid communications. , though proposed in the context of smart grids, is suitable for cooperative sensing schemes. But unlike , relies on an additional semi-trusted entity, called gateway, and like other aggregation based methods, is prone to the DLP attack. In our previous work  we proposed an efficient scheme called to overcome the limitations that existent approaches suffer from. combines order preserving encryption and yao’s millionaire protocol to provide a high location privacy while enabling an efficient sensing performance.
I-B Our Contribution
In this paper, we propose a new location privacy-preserving scheme that we call LP-3PSS (location privacy for 3-party spectrum sensing architecture), which harnesses various cryptographic primitives (e.g., order preserving encryption) in innovative ways along with an additional architectural entity (i.e., a gateway) to achieve high location privacy with a low overhead. That is, our proposed LP-3PSS scheme offers the following desirable properties:
Location privacy of secondary users while performing the cooperative spectrum sensing effectively and reliably.
Fault tolerance and robustness against network dynamism (e.g., multiple s join/leave the network) and failures (e.g., missed sensing reports).
Reliability and resiliency against malicious users via an efficient reputation mechanism.
Accurate spectrum availability decisions via half-voting rules while incurring minimum communication and computation overhead.
Note that for simplicity we use energy detection through measurement for spectrum sensing in our scheme. However, our scheme can be applied with any other spectrum detection technique whose sensing reports may leak information about the location of the users.
We consider a cooperative spectrum sensing architecture that consists of a and a set of s, where each is assumed to be capable of measuring on any channel by means of an energy detection method . In this cooperative sensing architecture, the combines the sensing observations collected from the s, decides about the spectrum availability, and broadcasts the decision back to the s through a control channel. This could typically be done via either hard or soft decision rules. The most common soft decision rule is aggregation, where collects the values from the s and compares their average to a predefined threshold, , to decide on the channel availability.
In hard decision rules, e.g. voting, combines votes instead of values. Here, each compares its value with , makes a local decision (available or not), and then sends to the its one-bit local decision/vote instead of sending its value. applies then a voting rule on the collected votes to make a channel availability decision. However, for security reasons to be discussed shortly, it may not be desirable to share with s. In this case, can instead collect the values from the s, make a vote for each separately, and then combine all votes to decide about the availability of the channel.
In this work, we opted for the voting-based decision rule, with is not to be shared with the s, over the aggregation-based rule. There are two reasons for choosing voting-based decision rule over the aggregation-based decision rule: (i) Aggregation methods are more prone to sensing errors; for example, receiving some erroneous measurements that are far off from the average of the values can skew the computed average, thus leading to wrong decision. (ii) Voting does not expose users to the DLP attack  (which is identified earlier in Section I-A). We chose not to share with the s because doing so limits the action scope of malicious users that may want to report falsified values for malicious and/or selfish purposes.
In this paper we investigate a 3-party cooperative sensing architecture, where a third entity, called gateway (), is incorporated along with the and s to cooperate with them in performing the sensing task. As will be shown later, this additional gateway allows to achieve higher privacy and lesser computational overhead, but of course at its cost.
Ii-a Security Threat Model and Objectives
We consider a semi-honest threat model, where all the network parties (i.e., s, , and ) are assumed to be honest but curious in that they execute the protocol honestly but show interest in learning information about the other parties. This means that none of these entities is trusted. More specifically, we make the following assumptions:
Security Assumption 1.
No party in the system modifies maliciously (or nonmaliciously) the integrity of its input. That is, (i) does not maliciously inject false ; and (ii) the s do not maliciously change their values.
Security Assumption 2.
No party in the system colludes with any of the other parties. That is, (i) does not collude with s; (ii) s do not collude with one another; and (iii) does not collude with s or .
As mentioned before, values are shown to be highly correlated to the s’ locations . Therefore, if the confidentiality of the values is not protected, then nor is the location privacy of the s. With this in mind, the security objectives of the proposed schemes are then:
Security Objective 1.
Keep the value of each confidential to the only by hiding it from all other parties. This should hold during all sensing periods and for any network membership change.
Also, since s may rely on the threshold to maliciously manipulate their s, our second objective is then to:
Security Objective 2.
Keep confidential to the only by hiding it from all other parties. This should hold during all sensing periods and for any network membership change.
Ii-B Half-Voting Availability Decision Rule
Let and be the spectrum sensing hypothesis that is absent and present, respectively. Let , and denote the probabilities of false alarm, detection, and missed detection, respectively, of one ; i.e., , , and . collects the 1-bit decision from each and fuses them together according to the following fusion rule :
Note that infers that is present when at least s are inferring . Otherwise, decides that is absent, i.e. . Note here that the OR fusion rule corresponds to the case where and the AND fusion rule corresponds to the case where . The cooperative spectrum sensing false alarm probability, , and missed detection probability, , are: and . Letting be the number of s, the optimal value of that minimizes is , where and denotes the ceiling function. For simplicity, is denoted as throughout this paper.
Ii-C Reputation Mechanism
To make the voting rule more reliable, we incorporate a reputation mechanism that allows to progressively eliminate faulty and malicious s. It does so by updating and maintaining a reputation score for each to reflect the level of reliability the has. Our proposed schemes incorporate the Beta Reputation mechanism, proposed and shown to be robust by Arshad et al. . For completeness, we highlight its key features next; more details can be found in .
At the end of each sensing period , obtains a decision vector, with , where (resp. ) means that the spectrum is reported to be free (resp. busy) by . then makes a global decision using the fusion rule as follows:
where is the weight vector calculated by based on the credibility score of each user, as will be shown shortly, and is the voting threshold determined by the Half-voting rule , as presented in Section II-B.
For each , maintains positive and negative rating coefficients, and , that are updated every sensing period as: and , where and are calculated as
Here, (resp. ) reflects the number of times ’s observation, , agrees (resp. disagrees) with the ’s global decision, (t).
computes then ’s credibility score, (t), and contribution weight, (t), at sensing period as:
Ii-D Cryptographic Building Blocks
Our scheme uses a well known cryptographic building block, which we define next before using it in the next section when describing our scheme so as to ease the presentation.
Order Preserving Encryption : is a deterministic symmetric encryption scheme whose encryption preserves the numerical ordering of the plaintexts, i.e. for any two messages and , we have , with is order preserving encryption of a message under key , where is the block size of .
Note that communications are made over a secure (authenticated) channel maintained with a symmetric key (e.g., via SSL/TLS as in Algorithm 1) to ensure confidentiality and authentication. For the sake of brevity, we will only write encryptions but not the authentication tags (e.g., Message Authentication Codes ) for the rest of the paper.
We now present our proposed scheme that we call LP-3PSS (location privacy for 3-party spectrum sensing architecture), which offers high location privacy and low overhead, and uses an additional entity in the network, referred to as Gateway () (thus ”3P” refers to the 3 parties: s, , and ). enables a higher privacy by preventing from even learning the order of encrypted values of s which was allowed in . also learns nothing but secure comparison outcome of values and , as in but only using . Thus, no entity learns any information on or beyond a pairwise secure comparison, which is the minimum information required for a voting-based decision.
Intuition: The main idea behind LP-3PSS is simple yet very powerful: We enable to privately compare distinct encryptions of and values, which were computed under pairwise keys established between and s. These encrypted pairs permit to learn the comparison outcomes without deducing any other information. then sends these comparison results to to make the final decision. learns no information on values and s cannot obtain the value of , which complies with our Security Objectives 1 and 2. Note that LP-3PSS relies only on symmetric cryptography to guarantee the location privacy of s. Hence, it is the most computationally efficient and compact scheme among all alternatives (see Section V), but with an additional entity in the system.
LP-3PSS is described in Algorithm 1 and outlined below.
Initialization: Let be IND-CPA secure  block cipher (e.g. ) encryption/decryption operations. establishes a secret key with each and . establishes a secret key with each . encrypts with using , . then encrypts ciphertexts with using and sends these s to , . Since these encryptions are done offline at the beginning of the protocol, they do not impact the online private sensing phase. may also pre-compute a few extra encrypted values in the case of new users joining the sensing.
Private Sensing: Each encrypts with using , which was used by to encrypt value. then encrypts this ciphertext with using key , and sends the final ciphertext to . decrypts ciphertexts s and s with using and , which yields encrypted values. then compares each encryption of with its corresponding encryption of . Since both were encrypted with the same key, can compare them and conclude which one is greater as in Step 12. stores the outcome of each comparison in a binary vector , encrpyts and sends it to . Finally, compares the summation of votes to the optimal voting threshold to make the final decision about spectrum availability and updates the reputation scores of the users.
Update after Membership Changes or Breakdown: Each new user joining the sensing just establishes a pairwise secret key with and . This has no impact on existing users. If some users leave the network, and remove their secret keys, which also has no impact on existing users. In both cases, and also in the case of a breakdown or failure, must be updated accordingly.
Iv Security Analysis
We first describe the underlying security primitives, on which our schemes rely, and then precisely quantify the information leakage of our schemes, which we prove to achieve our Security Objectives 1 and 2.
Let and be IND-CPA secure  and IND-OCPA secure symmetric ciphers, respectively. are values and of each and for sensing periods in a group . are history lists, which include all values learned by entities , and , respectively, during the execution of the protocol for all sensing periods and membership status of . Vector is a list of IND-CPA secure values transmitted over secure (authenticated) channels. may be publicly observed by all entities including external attacker . Hence, is a part of all lists . Values (jointly) generated by an entity such as cryptographic keys or variables stored only by the entity itself (e.g., , ) are not included in history lists for brevity.
Proof: , where and are generated at the initialization and privacy sensing in Algorithm 1, respectively. History lists are as follows for each sensing period :
Variables in are IND-CPA secure and IND-OCPA secure, and therefore leak no information beyond the pairwise order of ciphertexts to by Fact 1.
Any membership status update on requires an authenticated channel establishment or removal for joining or leaving members, whose private keys are independent from each other. Hence, history lists are computed identically as described above for the new membership status of , which are IND-CPA secure and IND-OCPA secure.
V Performance Evaluation
We now evaluate our proposed scheme, LP-3PSS, by comparing it to existent approaches that we briefly explain below.
V-a Existing Approaches
 uses secret sharing and the Privacy Preserving Aggregation (PPA) process proposed in  to hide the content of specific sensing reports and uses dummy report injections to cope with the DLP attack.  also uses but in a completely different way than how we use it in this paper. Users encrypt their values, send them to which, based on the order of the encrypted s, performs at worst a logarithmic number of yao’s millionaires secure comparisons  between and s and then makes a final decision about spectrum availability.  combines Paillier cryptosystem  with Shamir’s secret sharing , where a set of smart meters sense the consumption of different households, encrypt their reports using Paillier, then send them to a gateway. The gateway multiplies these reports and forwards the result to the control center, which selects a number of servers (among all servers) to cooperate in order to decrypt the aggregated result. requires a dedicated gateway, just like LP-3PSS, to collect the encrypted data, and a minimum number of working servers in the control center to decrypt the aggregated result.
V-B Performance Analysis and Comparison
We focus on communication and computational overheads. We consider the overhead incurred during the sensing operations but not that related to system initialization (e.g. key establishment), where most of the computation and communication is done offline. We model the membership change events in the network as a random process that takes on 0 and 1, and whose average is . means that no change occurred in the network and means that some users left/joined the sensing task. Let (t) be a function that models the average number of users that join the sensing at the current sensing period , where
The execution times of the different primitives and protocols were measured on a laptop running Ubuntu 14.10 with 8GB of RAM and a core M 1.3 GHz Intel processor, with cryptographic libraries MIRACL , Crypto++  and Louismullie’s Ruby implementation of .
Computational Overhead: Table I provides an analytical computational overhead comparison including the details of variables, parameters and the overhead of building blocks.
In LP-3PSS, requires only a small constant number of operations. An requires one and encryptions of its . Finally, requires one operation per user and one of vector . All computations in LP-3PSS rely on only symmetric cryptography, which makes it the most computationally efficient scheme among all alternatives.
For illustration purpose, we plot in Fig. 1(a) the system end-to-end computational overhead of the different schemes. Fig. 1(a) shows that LP-3PSS is several order of magnitudes faster than the other schemes including , that we proposed in a previous work, for any number of users.
Communication Overhead: Table II provides the analytical communication overhead comparison. LP-3PSS requires (+1) ciphertexts and single , which are significantly smaller than the ciphertexts transmitted in the other schemes.
We further compare our scheme with its counterparts in terms of communication overhead in Fig. 1(b). Fig. 1(b) shows that LP-3PSS has the smallest communication overhead since, again, it relies on symmetric cryptography only. and have a very high communication overhead due to the use of expensive public key encryptions (e.g., Pailler ).
Overall, our performance analysis indicates that LP-3PSS is significantly more efficient than all other counterpart schemes in terms of computation and communication overhead, even for increased values of the security parameters, but with the cost of including an additional entity.
We developed an efficient scheme for cooperative spectrum sensing that protects the location privacy of s with a low cryptographic overhead while guaranteeing an efficient spectrum sensing. Our scheme is secure and robust against users dynamism, failures, and user maliciousness. Our performance analysis indicates that our scheme outperforms existing alternatives in various metrics.
This work was supported in part by the US National Science Foundation under NSF award CNS-1162296.
-  I. F. Akyildiz, B. F. Lo, and R. Balakrishnan, “Cooperative spectrum sensing in cognitive radio networks: A survey,” Physical Communication, vol. 4, pp. 40–62, 2011.
-  O. Fatemieh, A. Farhadi, R. Chandra, and C. A. Gunter, “Using classification to protect the integrity of spectrum measurements in white space networks.” in NDSS, 2011.
-  S. Li, H. Zhu, Z. Gao, X. Guan, K. Xing, and X. Shen, “Location privacy preservation in collaborative spectrum sensing,” in INFOCOM, 2012 Proceedings IEEE. IEEE, 2012, pp. 729–737.
-  S. B. Wicker, “The loss of location privacy in the cellular age,” Communications of the ACM, vol. 55, no. 8, pp. 60–68, 2012.
-  Q. Yan, M. Li, T. Jiang, W. Lou, and Y. Hou, “Vulnerability and protection for distributed consensus-based spectrum sensing in cognitive radio networks,” in INFOCOM, 2012 Proc. IEEE, March 2012.
-  Z. Qin, S. Yi, Q. Li, and D. Zamkov, “Preserving secondary users’ privacy in cognitive radio networks,” in INFOCOM, 2014 Proceedings.
-  D. Yang, X. Fang, and G. Xue, “Truthful incentive mechanisms for k-anonymity location privacy,” in INFOCOM, 2013 Proceedings IEEE.
-  X. Zhao, L. Li, and G. Xue, “Checking in without worries: Location privacy in location based social networks,” in INFOCOM, 2013 Proceedings IEEE, April 2013, pp. 3003–3011.
-  Z. Gao, H. Zhu, Y. Liu, M. Li, and Z. Cao, “Location privacy in database-driven cognitive radio networks: Attacks and countermeasures,” in INFOCOM, 2013 Proceedings IEEE. IEEE, 2013, pp. 2751–2759.
-  S. Liu, H. Zhu, R. Du, C. Chen, and X. Guan, “Location privacy preserving dynamic spectrum auction in cognitive radio network,” in Distributed Computing Systems (ICDCS), 2013 IEEE 33rd International Conference on. IEEE, 2013, pp. 256–265.
-  M. Grissa, A. A. Yavuz, and B. Hamdaoui, “Cuckoo filter-based location-privacy preservation in database-driven cognitive radio networks,” in Computer Networks and Information Security (WSCNIS), 2015 World Symposium on. IEEE, 2015, pp. 1–7.
-  K. S. McCurley, “The discrete logarithm problem,” in Proc. of Symp. in Applied Math, vol. 42, 1990, pp. 49–74.
-  L. Chen, R. Lu, and Z. Cao, “PDAFT: A privacy-preserving data aggregation scheme with fault tolerance for smart grid communications,” Peer-to-Peer Networking and Applications, pp. 1–11, 2014.
-  M. Grissa, A. A. Yavuz, and B. Hamdaoui, “Lpos: Location privacy for optimal sensing in cognitive radio networks,” in Global Communications Conference (GLOBECOM), 2015 IEEE. IEEE, 2015.
-  W. Zhang, R. K. Mallik, and K. Letaief, “Cooperative spectrum sensing optimization in cognitive radio networks,” in Communications, 2008. ICC’08. IEEE International Conf. on. IEEE, 2008, pp. 3411–3415.
-  K. Arshad and K. Moessner, “Robust collaborative spectrum sensing based on beta reputation system,” in Future Network & Mobile Summit (FutureNetw), 2011. IEEE, 2011, pp. 1–8.
-  A. Boldyreva, N. Chenette, Y. Lee, and A. O´neill, “Order-preserving symmetric encryption,” in Advances in Cryptology-EUROCRYPT 2009.
-  J. Katz and Y. Lindell, Introduction to Modern Cryptography. Chapman & Hall/CRC, 2007.
-  “Cryptographic key length recommendation,” http://www.keylength.com/en/compare/#Biblio6.
-  R. A. Popa, F. H. Li, and N. Zeldovich, “An ideal-security protocol for order-preserving encoding,” in Security and Privacy (SP), IEEE Symposium on. IEEE, 2013, pp. 463–477.
-  F. Kerschbaum and A. Schroepfer, “Optimal average-complexity ideal-security order-preserving encryption,” in Proc. of the SIGSAC Conf. on Computer and Comm. Security. ACM, 2014, pp. 275–286.
-  J. Daemen and V. Rijmen, “Aes proposal: Rijndael,” 1999.
-  E. Shi, T.-H. H. Chan, E. G. Rieffel, R. Chow, and D. Song, “Privacy-preserving aggregation of time-series data.” in NDSS, vol. 2, no. 3, 2011.
-  H.-Y. Lin and W.-G. Tzeng, “An efficient solution to the millionaires’ problem based on homomorphic encryption,” in Applied Cryptography and Network Security. Springer, 2005, pp. 456–466.
-  P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” in Advances in cryptology-EUROCRYPTâ99, 1999.
-  A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
-  “Miracl library,” http://www.certivox.com/miracl.
-  “Crypto++ library,” http://www.cryptopp.com/.
-  “Ruby ope implementation,” https://github.com/louismullie/ope-rb.