Preserving the Location Privacy of Secondary Users in Cooperative Spectrum Sensing

Preserving the Location Privacy of Secondary Users in Cooperative Spectrum Sensing

Mohamed Grissa,  Attila A. Yavuz,  and Bechir Hamdaoui,  This work was supported in part by the US National Science Foundation under NSF award CNS-1162296. Mohamed Grissa, Attila A. Yavuz and Bechir Hamdaoui are with the Electrical Engineering and Computer Science (EECS) Department, Oregon State University, Corvallis, OR 97331-5501, USA (e-mail: grissam,attila.yavuz,© 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Cooperative spectrum sensing, despite its effectiveness in enabling dynamic spectrum access, suffers from location privacy threats, merely because Secondary Users (s)’ sensing reports that need to be shared with a fusion center to make spectrum availability decisions are highly correlated to the users’ locations. It is therefore important that cooperative spectrum sensing schemes be empowered with privacy preserving capabilities so as to provide s with incentives for participating in the sensing task. In this paper, we propose privacy preserving protocols that make use of various cryptographic mechanisms to preserve the location privacy of s while performing reliable and efficient spectrum sensing. We also present cost-performance tradeoffs. The first consists on using an additional architectural entity at the benefit of incurring lower computation overhead by relying only on symmetric cryptography. The second consists on using an additional secure comparison protocol at the benefit of incurring lesser architectural cost by not requiring extra entities. Our schemes can also adapt to the case of a malicious Fusion Center () as we discuss in this paper. We also show that not only are our proposed schemes secure and more efficient than existing alternatives, but also achieve fault tolerance and are robust against sporadic network topological changes.

Location privacy, secure cooperative spectrum sensing, order preserving encryption, cognitive radio networks.

I Introduction

Cooperative spectrum sensing is a key component of cognitive radio networks (s) essential for enabling dynamic and opportunistic spectrum access [1, 2, 3]. It consists of having secondary users (s) sense the licensed channels on a regular basis and collaboratively decide whether a channel is available prior to using it so as to avoid harming primary users (s). One of the most popular spectrum sensing techniques is energy detection, thanks to its simplicity and ease of implementation, which essentially detects the presence of ’s signal by measuring and relying on the energy strength of the sensed signal, commonly known as the received signal strength ([4].
Digital Object Identifier 10.1109/TIFS.2016.2622000

Broadly speaking, cooperative spectrum sensing techniques can be classified into two categories: centralized and distributed [1]. In centralized techniques, a central entity called fusion center () orchestrates the sensing operations as follows. It selects one channel for sensing and, through a control channel, requests that each  perform local sensing on that channel and send its sensing report (e.g., the observed  value) back to it. It then combines the received sensing reports, makes a decision about the channel availability, and diffuses the decision back to the s. In distributed sensing techniques, s do not rely on a  for making channel availability decisions. They instead exchange sensing information among one another to come to a unified decision [1].

Despite its usefulness and effectiveness in promoting dynamic spectrum access, cooperative spectrum sensing suffers from serious security and privacy threats. One big threat to s, which we tackle in this work, is location privacy, which can easily be compromised due to the wireless nature of the signals communicated by s during the cooperative sensing process. In fact, it has been shown that  values of s are highly correlated to their physical locations [5], thus making it easy to compromise the location privacy of s when sending out their sensing reports. The fine-grained location, when combined with other publicly available information, could easily be exploited to infer private information about users [6]. Examples of such private information are shopping patterns, user preferences, and user beliefs, just to name a few [6]. With such privacy threats and concerns, s may refuse to participate in the cooperative sensing tasks. It is therefore imperative that cooperative sensing schemes be enabled with privacy preserving capabilities that protect the location privacy of s, thereby encouraging them to participate in such a key function, the spectrum sensing.

In this paper, we propose two efficient privacy-preserving schemes with several variants for cooperative spectrum sensing. These schemes exploit various cryptographic mechanisms to preserve the location privacy of s while performing the cooperative sensing task reliably and efficiently.

In addition, we study the cost-performance tradeoffs of the proposed schemes, and show that higher privacy and better performance can be achieved, but at the cost of deploying an additional architectural entity in the system. We show that our proposed schemes are secure and more efficient than their existing counterparts, and are robust against sporadic topological changes and network dynamism.

I-a Related Work

Security and privacy in s have gained some attention recently. Adem et al. [7] addressed jamming attacks in s. Yan et al. [8] discussed security issues in fully distributed cooperative sensing. Qin et al.[9] proposed a privacy-preserving protocol for  transactions using a commitment scheme and zero-knowledge proof. Wang et al. [10] proposed a privacy preserving framework for collaborative spectrum sensing in the context of multiple service providers.

Location privacy, though well studied in the context of location-based services (LBS) [11, 12], has received little attention in the context of [13, 14, 5]. Some works focused on location privacy but not in the context of cooperative spectrum sensing (e.g., database-driven spectrum sensing [15, 13] and dynamic spectrum auction [14]) and are skipped since they are not within this paper’s scope.

In the context of cooperative spectrum sensing, Shuai et al. [5] showed that s’ locations can easily be inferred from their  reports, and called this the SRLP (single report location privacy) attack. They also identified the DLP (differential location privacy) attack, where a malicious entity can estimate the  (and hence the location) of a leaving/joining user from the variations in the final aggregated  measurements before and after user’s joining/leaving of the network. They finally proposed  to address these two attacks. Despite its merits,  has several limitations: (i) It needs to collect all the sensing reports in order to decode the aggregated result. This is not fault tolerant, since some reports may be missing due, for example, to the unreliable nature of wireless channels. (ii) It cannot handle dynamism if multiple users join or leave the network simultaneously. (iii) The pairwise secret sharing requirement incurs extra communication overhead and delay. (iv) The underlying encryption scheme requires solving the Discrete Logarithm Problem, which is possible only for very small plaintext space and can be extremely costly. Chen et al. [16] proposed , a fault-tolerant and privacy-preserving data aggregation scheme for smart grid communications. , though proposed in the context of smart grids, is suitable for cooperative sensing schemes. But unlike ,  relies on an additional semi-trusted entity, called gateway, and like other aggregation based methods, is prone to the DLP attack. In our previous work [17] we proposed an efficient scheme called  to overcome the limitations that existent approaches suffer from.  combines order preserving encryption and yao’s millionaire protocol to provide a high location privacy to the users while enabling an efficient sensing performance.

I-B Our Contribution

In this paper, we propose two location privacy-preserving schemes for cooperative spectrum sensing that achieve:

  • Location privacy of secondary users while performing the cooperative spectrum sensing effectively and reliably.

  • Fault tolerance and robustness against network dynamism (e.g., multiple s join/leave the network) and failures (e.g., missed sensing reports).

  • Reliability and resiliency against malicious users via an efficient reputation mechanism.

  • Accurate spectrum availability decisions via half-voting rules while incurring minimum communication and computation overhead.

Compared to our preliminary works [18] and [17], this paper provides a more efficient version of  [17], referred to as LP-2PSS in this paper, that is also robust against malicious users and adapted to a stronger threat model for . Besides, this paper provides another variant of LP-3PSS [18] that improves the crytpographic end-to-end delay. Finally, this paper provides an improved security analysis and more comprehensive performance analysis.

The reason why we present two variants is to give more options to system designers to decide which topology and which approach is more suitable to their specific requirements. There are tradeoffs between the two options. While LP-2PSS provides location privacy guarantees without needing to introduce an extra architectural entity, it requires relatively high computational overhead due to the use of the Yao’s millionaires’ protocol. On the other hand, LP-3PSS provides stronger privacy guarantees (as the private inputs are shared among 3 non-colluding entities) and reduces the computational overhead substantially when compared to LP-2PSS, but at the cost of introducing an extra architectural entity.

The remainder of this paper is organized as follows. Section II provides our system and security threat models. Section III presents our preliminary concepts and definitions. Section IV and V provide an extensive explanation of the proposed schemes. Section VI gives the security analysis of these schemes. Section VII presents their performance analysis and a comparison with existent approaches. Finally, Section VIII concludes this work.

Ii System and Security Threat Models

Ii-a System Model

We consider a cooperative spectrum sensing architecture that consists of a  and a set of s.

Each  is assumed to be capable of measuring  on any channel by means of an energy detection method [4]. In this cooperative sensing architecture, the  combines the sensing observations collected from the s, decides about the spectrum availability, and broadcasts the decision back to the s through a control channel. This could typically be done via either hard or soft decision rules. The most common soft decision rule is aggregation, where  collects the  values from the s and compares their average to a predefined threshold, , to decide on the channel availability.

In hard decision rules, e.g. voting,  combines votes instead of  values. Here, each  compares its  value with , makes a local decision (available or not), and then sends to the  its one-bit local decision/vote instead of sending its  value.  applies then a voting rule on the collected votes to make a channel availability decision. However, for security reasons to be discussed shortly, it may not be desirable to share  with s. In this case,  can instead collect the  values from the s, make a vote for each  separately, and then combine all votes to decide about the availability of the channel.

In this work, we opted for the voting-based decision rule, with  is not to be shared with the s, over the aggregation-based rule. Two reasons for why choosing voting over aggregation: One, aggregation methods are more prone to sensing errors; for example, receiving some erroneous measurements that are far off from the average of the  values can skew the computed  average, thus leading to wrong decision. Two, voting does not expose users to the DLP attack [5] (which was identified earlier in Section I-A). We chose not to share  with the s because doing so limits the action scope of malicious users that may want to report falsified  values for malicious and/or selfish purposes.

In this paper, in addition to this 2-party (i.e.,  and s) cooperative sensing architecture that we just described above, we investigate a 3-party cooperative sensing architecture, where a third entity, called gateway (), is incorporated along with the  and s to cooperate with them in performing the sensing task. As we show later, this gateway allows to achieve higher privacy and lesser computational overhead, but of course at its cost.

Ii-B Security Threat Models and Objectives

We make the following security assumptions:

Security Assumptions 1.

(i)  may modify the value of  in different sensing periods to extract information about the  values of s; (ii)  executes the protocol honestly but shows interest in learning information about the other parties; (iii)  does not collude with s; and (iv)  does not collude with s or .

We aim to achieve the following security objectives:

Security Objectives 1.

(i) Keep  value of each  confidential; and (ii) Keep  confidential. This should hold during all sensing periods and for any network membership change.

Iii Preliminaries

Iii-a Half-Voting Availability Decision Rule

Our proposed schemes use the half-voting decision rule, shown to be optimal in [19], and for completeness, we here highlight its main idea. Details can be found in [19].

Let and be the spectrum sensing hypothesis that  is absent and present, respectively. Let , and denote the probabilities of false alarm, detection, and missed detection, respectively, of one ; i.e., , , and .

 collects the 1-bit decision from each and fuses them together according to the following fusion rule [19]:


 infers that  is present, i.e. , when at least  s are inferring . Otherwise,  decides that  is absent, i.e. . Note that the OR fusion rule, in which  decides if at least one of the decisions from the s is , corresponds to the case where . The AND fusion rule, in which  decides if and only if all decisions from the s are , corresponds to the case where . The cooperative spectrum sensing false alarm probability, , and missed detection probability, , are: and .

Letting be the number of s, the optimal value of  that minimizes is , where and denotes the ceiling function. The value of comes from the half-voting rule presented in [19]. We use it since it was proven in [19] to provide the best sensing performance in voting based cooperative sensing. For simplicity, is denoted as throughout this paper.

Iii-B Reputation Mechanism

To make the voting rule more reliable, we incorporate a reputation mechanism that allows  to progressively eliminate faulty and malicious s. It does so by updating and maintaining a reputation score for each  that reflects its level of reliability. Our proposed schemes incorporate the Beta Reputation mechanism [20]. For completeness, we highlight its key features next; more details can be found in [20] from which all computations in this subsection are based.

At the end of each sensing period ,  obtains a decision vector, with , where (resp. ) means that the spectrum is reported to be free (resp. busy) by user .  then makes a global decision using the fusion rule as follows:


where is the weight vector calculated by  based on the credibility score of each user, as will be shown shortly, and is the voting threshold determined by the Half-voting rule [19], as presented in Section III-A.

For each ,  maintains positive and negative rating coefficients, and , that are updated every sensing period as: and , where and are calculated as

Here, (resp. ) reflects the number of times ’s observation, , agrees (resp. disagrees) with the ’s global decision, (t).

 computes then ’s credibility score, (t), and contribution weight, (t), at sensing period as suggested in [20]:


Iii-C Cryptographic Building Blocks

Our schemes use a few known cryptographic building blocks, which we define next before using them in the next sections when describing our schemes so as to ease the presentation.

Definition 1.

Order Preserving Encryption : is a deterministic symmetric encryption scheme whose encryption preserves the numerical ordering of the plaintexts, i.e. for any two messages and , we have [21], with is order preserving encryption of a message under key , where is the block size of .

Definition 2.

Yao’s Millionaires’  Protocol [22]: is a Secure Comparison protocol that enables two parties to execute ”the greater-than” function, , without disclosing any other information apart from the outcome.

Definition 3.

Tree-based Group Elliptic Curve Diffie-Hellman  [23]: is a dynamic and contributory group key establishment protocol that permits multiple users to collaboratively establish and update a group key .

Definition 4.

Group Key independence: given a subset of previous keys, an attacker cannot know any other group key.

Definition 5.

Elliptic Curve Discrete Logarithm Problem given an elliptic curve over and points , find an integer , if any exists, s.t. .

Definition 6.

Digital Signature: A digital signature scheme  is used to validate the authenticity and integrity of a message . It contains three components defined as follows:

Key generation algorithm (): returns a private/public key pair given a security parameter , .

Signing algorithm (): takes as input a message and the secret key and returns a signature , .

Verification algorithm (): takes as input the public key , and . It returns if valid and if invalid, .

Note that communications are made over a secure (authenticated) channel maintained with a symmetric key (e.g., via SSL/TLS) to ensure confidentiality and authentication. For the sake of brevity, we will only write encryptions but not the authentication tags (e.g., Message Authentication Codes [24]) for the rest of the paper.

In the following we present the two schemes that we propose in this paper. For convenience and before getting into the details of the proposed approaches, we have summarized the different notations that we use in the remaining parts of this paper in Table I.

Secondary user
Fusion center
Received signal strength
Average number of s per sensing period
Set of all s in the system
Optimal voting threshold
Energy sensing threshold
Large prime number for
Elliptic curve over a finite field
Outcome of  between  and
Final decision made by
Group key established by s
Digital signature
Vector of weights assigned to s
Table of  ciphertexts exchanged in
Public key used for the digital signature
Secret key used for the digital signature
Secret key established between
Secret key established between
Secret key established between
 encryption-decryption for
IND-CPA secure block cipher encryption-decryption
Secure authenticated channel between  and
History list including all values learned by
History list including all values learned by
History list including all values learned by
Average number of s joining the  at
Average of the membership change process
TABLE I: Notations

Iv Lp-2pss

We now present our first proposed scheme, which is a voting-based approach designed for the 2-party cooperative spectrum sensing network, consisting of one  and a set of s. Throughout, we refer to this scheme by LP-2PSS (location privacy for 2-party spectrum sensing architecture). LP-2PSS achieves the aforementioned security objectives via an innovative integration of the ,  and  protocols. Voting-based spectrum sensing offers several advantages over its aggregation-based counterparts as discussed in Section III, but requires comparing ’s threshold and s’ s, thereby forcing at least one of the parties to expose its information to the other. One solution is to use a secure comparison protocol, such as , between  and each , which permits  to learn the total number of s above/below but nothing else. However, secure comparison protocols involve several costly public key crypto operations (e.g., modular exponentiation), and therefore invocations of such a protocol per sensing period, thus incurring prohibitive computational and communication overhead.

Intuition: The key observation that led us to overcome this challenge is the following: If we enable  to learn the relative order of  values but nothing else, then the number of  invocations can be reduced drastically. That is, the knowledge of relative order permits  to execute  protocol at worst-case by utilizing a binary-search type approach, as opposed to running  with each user in total overhead. This is where  comes into play. The crux of our idea is to make users  encrypt their  values under a group key , which is derived via  at the beginning of the protocol. This allows  to learn the relative order of encrypted  values but nothing else (and users do not learn each others’  values, as they are sent to  over a pairwise secure channel).  then uses this knowledge to run  protocol by utilizing a binary-search strategy, which enables it to identify the total number of users above/below and then compares it to . As  may try to maliciously modify the value of  as stated in Security Assumption 1, this makes it easier for it to infer the  values of s, thus their location. We rely on digital signatures to overcome this limitation. A digital signature is used by s to verify the integrity of the information that was sent by  during the execution of  protocol and signed by the service operator as we explain in more details next. This strategy makes LP-2PSS achieve s’ location privacy with efficient spectrum sensing, fault-tolerance and network dynamism simultaneously.

Before we describe our protocol in more details, we first highlight how we improve the  protocol proposed in [25] as shown next.

Iv-a Our Improved  Scheme

To achieve high efficiency, we improve the  protocol in [25], in which only the initiator of the protocol learns the outcome, and call this improved scheme . , described next, is used by our proposed LP-2PSS to perform secure comparisons. Our secure comparison scheme improves  protocol proposed in [25] in two aspects: (i) We adapt it to work with additive homomorphic encryption (specifically ) to enable compact comparison operations in Elliptic Curves (EC) domain. (ii) The final stage of  requires solving  (Definition 5), which is only possible with small plaintext domains, and this is the case for our 8-bit encoded RSS values required by IEEE 802.22 standard [26]. However, despite small plaintext domain, solving  with brute-force is still costly. We improve this step by adapting Pollard-Lambda method [27] to solve the  for the reverse map, which offers decryption efficiency and compactness. The Pollard-Lambda method is designed to solve the  for points that are known to lie in a small interval, which is the case for  values [27]. Below, we outline our optimized .

Notation: Let denote the size in bits of the  value of a  and  of  to be privately compared. Also, let denote the average number of s per sensing period, be a large prime number, an elliptic curve over a finite field , a point on the curve with prime order . is a private/public key pair of Elliptic Curve ElGamal () encryption [28], generated under . Let be  parameters generated by  which is the initiator of the protocol.  returns , where if and otherwise. Only  learns but learn nothing else. For simplicity during the description of , we denote  as and  as .

, as in , is based on the fact that is greater than and have a common element where and are the 1-encoding of and the 0-encoding of respectively. The 0-encoding of a binary string is given by and the 1-encoding of is given by . For example, if we have a string , then and . If we want to compare two values and , we need first to construct and . Since , then .

 with a private input generates  for encryption and decryption then prepares a -table , such that and for a random in the subgroup and finally sends to .  with private input computes for each as follows


with denotes Elliptic Curve point addition operations ( replaces in the original  scheme).  then prepares random encryptions and permutes ’s and ’s to obtain which are sent back to  that decrypts , via Pollard-Lambda algorithm [27] and decides some ( in the original ). The different steps of this protocol are summarized in Figure 1.

Fig. 1:  protocol

Iv-B Lp-2pss Descitpion

Next we describe our proposed scheme LP-2PSS whose main steps are outlined in Algorithm 1.

1:Initialization: Executed only once.
2:Service operator sets .
3: generates , sets  and .
4: pre-computes using .
5:Service operator computes .
6:Service operator shares  with s.
7: establish via  protocol.
8: establishes  with each for .        
9:Private Sensing: Executed every sensing period
10: computes for .
11: sends to  over for .
12: sorts encrypted RSS values as .
13: runs with having .
14: verifies using .
15:if  then
16:      leaves the sensing
17:     Go to Step 19.
18:if  then Channel free, .
19:else  runs with having .
20:      verifies using .
21:     if  then
22:          leaves the sensing
23:         Go to Step 29.      
24:     if  then Channel busy, .
25:     else
26:         repeat
27:               computes
28:               runs with having .
29:               verifies using .
30:              if  then
31:                   leaves the sensing               
32:         until 
33:          assigns forand for
34:          computes
35:         if  then Channel busy
36:         else Channel free               
37: updates and as in Eqs. (3) & (4) return        
38:Update after Membership Changes or Breakdown:
39:if (s) join/leave or breakdown in  then
40:     New group form new using .
41:      updates  and  as ’ and ’, respectively, if required.
42:     Execute the private sensing with .
Algorithm 1 LP-2PSS Algorithm

 Initialization: The service operator sets up the value of energy threshold .  sets up  crypto parameters, voting threshold and users reputation weights values. Initially, all the users are considered credible so the weight vector is constituted of ones. , then, constructs the table used in  protocol as described in Section IV-A with  as input using the ’s  public key . Notice here that since the same  is always used during different sensing periods, the table can be precomputed during the Initialization phase. This considerably reduces this protocol’s computational overhead. Then the service operator that manages the network signs using a digital signature scheme with secret key . This digital signature is used to make sure that  does not maliciously modify the value of  to learn  values of users and thus infer their locations. The service operator then shares the public key  with s to use it for verifying the integrity of and thus of . s establish a group key via , with which they  encrypt their  values during the private sensing.  also establishes a secure channel with each user .

 Private Sensing: Each  encrypts its with group key and sends ciphertext to  over .  then sorts ciphertexts as (as all s are  encrypted under the same ) without learning corresponding  values, and the secure channel protects the communication of from other users as well as from outside attackers.  then initiates  first with the  that has the highest  value . If it is smaller than energy sensing threshold , then the channel is free. Otherwise,  initiates  with the user that has . If it is greater than , then the channel is busy. Otherwise, to make the final decision based on the optimal sensing threshold ,  runs  according to the binary-search strategy which guarantees the decision at the worst invocations. Note that before participating in , each  first verifies the integrity of using the digital signature  that was provided by the service operator as indicated in Steps 14, 20 29. A  that detects a change in the value of refuses to participate in the sensing to prevent  from learning any sensitive information regarding its location. In that case the system stops and the malicious intents of  are detected.

In Steps 18, 24 33 of Algorithm 1,  constructs the vector of local decisions of s after running the private comparisons between  and  values. Based on the decision vector and the weights vector that was computed previously,  computes in Step 34 using Equation 2 to finally make the final decision  using voting threshold .  then computes the credibility score and the weights that will be given to all users in the next sensing period. If has a decision , its assigned weight decreases. But if a  makes the same decision as , it is assigned the highest weight. The main steps of the private sensing phase are summarized in Figure 2.

Fig. 2: LP-2PSS’s Private Sensing phase

 Update after Membership Changes or Breakdown: At the beginning of , if membership status of changes, a new group key is formed via , and then  updates . If some s breakdown and fail to sense or send their measurements,  also must be updated. In new sensing period, Algorithm 1 is executed with new parameters and group key.

Choice of digital signature

Choosing the right digital signature scheme depends on the network and users constraints. In the following we briefly discuss some of the schemes that could be applied in LP-2PSS.

One scheme that could be used is RSA [29] which is one of the first and most popular digital signature schemes. RSA has a very large signature but offers a fast signature verification. However, newer schemes outperform it in terms of signature and key size and/or computational efficiency.

Another scheme could be ECDSA [30] which is an elliptic curve analogue of the DSA [31] digital signature scheme. It provides more compact signatures than its counterparts thanks to the use of Elliptic Curve crypto. It has a moderate speed, though, in terms of verification and encryption compared to RSA. It is more suitable for situations where the communication overhead is the main concern.

One-time signatures, e.g.  [32] and its variants [33, 34], are digital signatures that are based on one-way functions without a trapdoor which makes them much faster than commonly used digital signatures, like RSA. The main drawbacks of this kind of digital signatures are their large size and the complexity of their ”one-timed-ness” which requires a new call to the key generation algorithm for each use. In our context, we should not worry about the latter since we sign only once so we don’t have to regenerate the keys. In that case, one-time signatures may be the best option when computation speed at s is the main concern.

NTRU [35] signature could also be applied here. It provides a tradeoff between signature size and computational efficiency. Indeed it has a moderate signature size that is larger than the one of ECDSA but it is faster than both ECDSA and RSA in key generation, signing and verification.

V Lp-3pss

We now present an alternative scheme that we call LP-3PSS (location privacy for 3-party spectrum sensing architecture), which offers higher privacy and significantly better performance than that of LP-2PSS, but at the cost of deploying an additional entity in the network, referred to as Gateway () (thus ”3P” refers to the 3 parties: s, , and ).

 enables a higher privacy by preventing  from even learning the order of encrypted  values of s (as in LP-2PSS).  also learns nothing but secure comparison outcome of a  values and , as in  but only using . Thus, no entity learns any information on  or  beyond a pairwise secure comparison, which is the minimum information required for a voting-based decision.

Intuition: The main idea behind LP-3PSS is simple yet very powerful: We enable  to privately compare  distinct  encryptions of  and  values, which were computed under  pairwise keys established between  and s. These  encrypted pairs permit  to learn the comparison outcomes without deducing any other information.  then sends these comparison results to  to make the final decision.  learns no information on  values and s cannot obtain the value of , which complies with our Security Objectives 1. Note that LP-3PSS relies only on symmetric cryptography to guarantee the location privacy of s. Hence, it is the most computationally efficient and compact scheme among all alternatives but with an additional entity in the system. LP-3PSS is described in Algorithm 2 and outlined below.

1:Initialization: Executed only once.
2:Service operator sets .
3: sets  and .
4: establishes with , .
5: establishes with , .
6: establishes with .
7: computes , and sends to .        
8:Private Sensing: Executed every sensing period
9: computes , and sends to .
10: obtains and , .
11:for  do
12:     if  then
13:     else      
14: computes and sends to .
15: decrypts and computes
16:if  then Channel busy
17:else Channel free
18: updates and as in Eqs. (3) & (4) return        
19:Update after Membership Changes or Breakdown:
20:if  joins  then
21:      establishes with  and with .
22:if s join/leave/breakdown then
23:      updates  as ’.
24:     Execute the private sensing with ’.
Algorithm 2 LP-3PSS Algorithm

 Initialization: Service operator and  set up spectrum sensing and crypto parameters. Let be IND-CPA secure [24] block cipher (e.g. ) encryption/decryption operations.  establishes a secret key with each  and .  establishes a secret key with each .  encrypts  with  using , .  then encrypts  ciphertexts with  using and sends these s to , . Since these encryptions are done offline at the beginning of the protocol, they do not impact the online private sensing phase.  may also pre-compute a few extra encrypted values in the case of new users joining the sensing.

 Private Sensing: Each  encrypts with  using , which was used by  to  encrypt  value. then encrypts this ciphertext with  using key , and sends the final ciphertext to .  decrypts ciphertexts s and s with  using and , which yields  encrypted values.  then compares each  encryption of  with its corresponding  encryption of . Since both were encrypted with the same key,  can compare them and conclude which one is greater as in Step 12.  stores the outcome of each comparison in a binary vector , encrpyts and sends it to . Finally,  compares the summation of votes  to the optimal voting threshold  to make the final decision about spectrum availability and updates the reputation scores of the users.

 Update after Membership Changes or Breakdown: Each new user joining the sensing just establishes a pairwise secret key with  and . This has no impact on existing users. If some users leave the network,  and  remove their secret keys, which also has no impact on existing users. In both cases, and also in the case of a breakdown or failure,  must be updated accordingly.

Fig. 3: LP-3PSS protocol, , and
Remark 1.

A malicious  in LP-3PSS following Security Assumption 1 may want to maliciously modify the value of . But since  is the one that performs the comparison between  values and , changing  maliciously has almost no benefit to  as it does not have access to individual comparison outcomes. This makes LP-3PSS robust against this malicious .

It is worth iterating that the  only needs to perform simple comparison operations between the  values of the s and the energy sensing threshold  of the  as we explained earlier. Thus, such an entity does not interfere with the spectrum sensing process in the . Moreover, it does not need to be provided with large computational resources as these comparisons are very simple and fast to perform. It could be a standalone entity, one of the s that is dedicated to perform the tasks of the  or even a secure hardware that is deployed inside the  itself as we discuss next. This gives multiple options to system designers. If FCC’s regulation allows introducing an additional entity to the , then  could be deployed without any concern. If not, system designers could consider introducing a secure hardware within  or dedicating one of the s to perform the tasks of .

Lp-3pss with Secure Hardware

LP-3PSS could also be implemented in a slightly different way by relying on a secure hardware deployed within the  itself instead of using a dedicated gateway. All the computation that is performed by  could be relayed to this hardware. This secure hardware, which is referred to as secure co-processor () or as trusted platform module (TPM) in the literature, is physically shielded from penetration, and the I/O interface to the module is the only way to access the internal state of the module [36]. An  that meets the FIPS 140-2 level 4 [37] physical security requirements guarantees that  cannot tamper with its computation. Any attempt to tamper with this  from  that results somehow in penetrating the shield, leads to the automatic erasure of sensitive memory areas containing critical secrets.

The SCPU may provide several benefits to the network. First, there is no need anymore of adding a new standalone entity managed by a third party to the network as was the case with . Also, despite its high cost, having an  deployed within  itself may reduce the communication latency that is incurred by having a gateway that needs to communicate with  and with every user in the network.

In terms of performance, it was proven in [38] that at a large scale the computation inside an  is orders of magnitude cheaper than equivalent cryptography that is performed on an unsecured server hardware, despite the overall greater acquisition cost of secure hardware.

All of this makes using an SCPU a good alternative to using a dedicated gateway in the network thanks to its performance and the security guarantees that it provides.

Vi Security Analysis

We first describe the underlying security primitives, on which our schemes rely, and then precisely quantify the information leakage of our schemes, which we prove to achieve our Security Objectives 1. At the end of this section, we discuss the security of the modified versions of our schemes.

Fact 1.

An  is indistinguishable under ordered chosen-plaintext attack (IND-OCPA) [21] if it has no leakage, except the order of ciphertexts (e.g. [39, 40]).

Fact 2.

 is secure by Definition 2 if  cryptosystem [28], whose security relies on the  (Definition 5), is secure.

Fact 3.

 is secure with key independence by Definition 4 if  is intractable by Definition 5.

Let  and  be IND-CPA secure [24] and IND-OCPA secure symmetric ciphers, respectively. are  values and  of each and  for sensing periods in a group . are history lists, which include all values learned by entities ,  and , respectively, during the execution of the protocol for all sensing periods and membership status of . Vector  is a list of IND-CPA secure values transmitted over secure (authenticated) channels.  may be publicly observed by all entities including external attacker . Hence,  is a part of all lists . Values (jointly) generated by an entity such as cryptographic keys or variables stored only by the entity itself (e.g., , ) are not included in history lists for the sake of brevity. Moreover, information exchanged during the execution of  protocol are not included in history lists, since they do not leak any information by Fact 2.

Theorem 1.

Under Security Assumptions 1, LP-2PSS leaks no information on beyond IND-CPA secure , IND-OCPA secure order of tuple and to .

Proof: at Step 6 of Algorithm 1. History lists are as follows for each sensing period :

where are the outcomes of  protocol (Steps 13, 19 & 28 of Algorithm 1). By Fact 2,  protocol leaks no information beyond to  and no information to anyone else. Variables in are IND-CPA and IND-OCPA secure, and therefore leak no information beyond the order of tuples in to  by Fact 1.

Any membership status update on requires an execution of  protocol, which generates a new group key . By Fact 3,  guarantees key independence property (Definition 4), and therefore is only available to new members and is independent from previous keys. Hence, history lists are computed identically as described above for the new membership status of but with , which are IND-CPA secure and IND-OCPA secure.

Using a digital signature gives s the possibility to learn the intentions of  and detect whether it is trying to locate them. Since no  wants its location to be revealed, s will simply refuse to participate in the sensing upon detection of malicious activity of  by verifying the signed messages. The only way that  can learn the location of a  in this case is when this  continues to participate in the sensing even after detecting the malicious intents of .

Theorem 2.

Under Security Assumptions 1, LP-3PSS leaks no information on beyond IND-CPA secure , IND-OCPA secure pairwise order