Privacy-Preserving Location-Based Services

Mahdi ZamaniUniversity of New Mexico

zamani@cs.unm.edu

Mahnush MovahediUniversity of New Mexico

movahedi@cs.unm.edu

AbstractWith rapid advances in mobile communication technologies, location-based services are seam-

lessly and ubiquitously integrating into our lives. Unfortunately, this lays out several privacy chal-lenges because untrusted parties can abuse locational data and extract sensitive information aboutcustomers. To protect against such privacy breaches, we need new tools for location privacy. In thispaper, we study the problem of secure location sharing, where a group of n clients want to collab-orate with each other to anonymously share their location data with a location database server andexecute queries based on them. We assume up to a certain fraction of the clients are controlled ar-bitrarily by a computationally unbounded Byzantine adversary. A simpler instance of this problemhas already been studied assuming either a trusted third party or a weaker adversarial model. Wealternatively propose a scalable approach for secure location sharing that tolerates up to about n/6statically-chosen Byzantine clients and does not require any trusted third party. We show that, unlikemost other location-based services, our protocol is secure against traffic-analysis attacks. We alsoshow that our protocol requires each client to send a polylogarithmic number of bits and computea polylogarithmic number of operations (with respect to n) to query a point of interest based on itslocation.

1 Introduction

In this era of mass surveillance, our electronic data and activities are constantly recorded, aggregated, andanalyzed by companies and government agencies for purposes such as security and advertising. Unfor-tunately, this can severely threaten democracy and human dignity, and protecting against them requiresnew tools and technologies for private analysis, for anonymizing data, and for managing and sharing ourpersonal data. With the rise of smartphones and tablets that are equipped with various positioning sys-tems (like GPS) and that share locational data over the Internet constantly, user privacy is now becominga more challenging problem than ever. Mobile users frequently ask Location-Based Services (LBS) tofind points of interest near them, to receive information about traffic along their route, and to receivecustomized advertising. Such data can be used by others (e.g., companies and governments) for precisesurveillance and compromising user privacy.

Organizations may unintentionally leak location information due to software bugs and other vulner-abilities. The potential danger is that by compiling location patterns over time, untrusted parties couldcreate an intimate picture of personal information like political and religious beliefs, health status, etc.The documents provided by Edward Snowden in 2013 show that NSA is collecting data about the loca-tions of millions of cell phones by tapping into mobile networks [16]. Such data can be used to trackthe movements of individuals precisely and to find relationships between people by correlating variouspatterns in the locational data.

So far, most privacy-preserving LBS have assumed the existence of a trusted third party [19, 15,26, 3], which is often used for anonymizing location data. Unfortunately, finding such trusted parties

1

in practice is usually very hard or even impossible. Due to the huge number of mobile users interestedin sharing their location data frequently, such centralized parties should be powerful servers that areusually owned by large companies and governments. Moreover, centralized parties may be subject togovernmental control, and may be banned or forced to disclose sensitive location information.

LBS Privacy Approaches. Main approaches for achieving location privacy can be divided into twocategories that provide either location confidentiality or location anonymity. Location confidentiality isto hide1 users location and to process locational queries over hidden data. Such data are never revealedto any authority although it might be possible to link the users identity to its hidden query. Locationanonymity, on the other hand, is to hide the connection between a locational query and the user who issuesthe query. In anonymity terminology, this is often called unlinkability, which means that a particularmessage is not linkable to any sender (or recipient), and that to a particular sender (recipient), no messageis linkable [28].

While location confidentiality provides a great level of privacy, processing queries over hidden (e.g.,encrypted) data is usually hard and expensive. For example, homomorphic encryption [17] and privateinformation retrieval [10] can be used for privacy-preserving query processing but known such techniquesare still computationally intensive. On the other hand, if the number of users having queries is large,which is often the case for LBS, then the queries can be anonymized efficiently to provide a strong levelof privacy.

Adversarial Model. In designing location-based services, there is a need to ensure reliability evenagainst the most powerful type of adversary, called Byzantine (active) adversary. Such an adversarycontrols a certain fraction of the parties to run sophisticated Byzantine attacks like jamming, corrup-tion, and forging, as well as simple passive attacks like eavesdropping and non-participation. In an agewhere governments and financial entities increasingly engage in sophisticated cyber-warfare, we believeprotecting against active attacks is crucial.

Resistance to Traffic-Analysis. One challenging problem with most anonymity-based location servicesis resistance against traffic-analysis. A global adversary can sniff traffic exchanged between the user andthe service provider to link a query containing location information to the user who has issued that query.Such a powerful adversary was assumed to be unrealistic in the past but it might be realistic today if theservice provider is controlled or compromised by a state-level surveillance authority [14]. Unfortunately,most anonymity-providing protocols like Casper [26], Prive [18], and Tor [13] are not secure againsttraffic analysis attacks.

k-Anonymous LBS. Several LBS are built upon a relaxed notion of anonymity called k-anonymity[19, 26, 18, 15], where the adversary is assumed to be unable to identify the actual sender/receiver of alocational query from a set of k parties (called anonymity set). Even though k-anonymity often increasesefficiency significantly, choosing small ks can result in severe privacy problems. For example, attackersoften have background knowledge and it is shown that small anonymity sets are likely to leak privacywhen attackers have such knowledge [25]. We argue that this is often the case for location anonymity asqueries issued by people in different locations usually contain side information about their location. Forexample, a person located in New Mexico is more likely to search for a restaurant serving chili stew thana person in Vermont. Thus, we believe an algorithm is needed that scales well with the size of anonymityset, k.

1By hiding, we mean using techniques like encryption, steganography, and secret sharing for obscuring data.

2

Location Cloaking. In a seminal work, Gruteser and Grunwald [19] introduced two key ideas forachieving location k-anonymity called spatial cloaking and temporal cloaking. In spatial cloaking, aclients location (e.g., a two-dimensional point) is converted into a spatial area such that there are k mo-bile clients located in the area. While a spatially-cloaked location can be calculated efficiently (e.g., usingthe techniques of [19, 15, 26, 18]), the inaccuracy associated with the cloaked location often results insending unnecessary information back to the user. In temporal cloaking, location anonymity is achievedby delaying the users query until k clients also issue their queries. One drawback of this method isincreased latency, especially when k is large. On the other hand, with the fast growth of the number ofmobile users sharing their location information, this latency problem is becoming less important.

1.1 Our Contribution

In this paper, we design a decentralized protocol for location-based services that scales well with thenumber of clients and has practical costs. Moreover, our protocol is load-balanced meaning that eachclient handles a roughly equal amount of communication and computation. This is crucial especially formodels with mobile devices that usually have very limited resources. We show that our protocol puts onlya polylogarithmic load on each participating party with respect to the number of parties. Our protocol isprovably-secure against Byzantine faults including traffic analysis attacks. We prove that the protocol issecure against a priori knowledge that an adversary might have regarding the potential communicatingparties. Moreover, unlike the majority of previous work which rely on centralized trusted servers, ourprotocol is fully-decentralized and does not require any trusted party.

As our main contribution, we indicate that the problem of privacy-preserving LBS can be efficientlymodeled as a Multi-Party Computation (MPC) problem, where a set of n parties, each having a se-cret value, compute a known function over their inputs, without revealing the inputs to any party. Weargue that using MPC, one can achieve a highly scalable and fault-tolerant LBS with provable privacy-preserving properties.

In the last three decades, a large body of work has been devoted to designing MPC protocols [5,4, ?, 11]. Unfortunately, most of these protocols are inefficient and scale poorly with the number ofparties. Recently, Boyle et al. [7] and Dani et al. [12] proposed scalable solutions to general MPC.Unfortunately, both of these protocols are not practical due to large logarithmic and constant factors intheir communication/computation costs. Moreover, the protocol of Boyle et al. is not load-balancedmaking it hard to be used in settings where the parties have limited resources. Inspired by [7] and[12], our main strategy for achieving scalability is to perform local communications and computations inlogarithmic-size groups of parties called quorums, where the number of adversary-controlled parties ineach quorum is guaranteed not to exceed a certain fraction.

Using quorums and the MPC approach of [12], we develop an efficient multi-party shuing protocolfor anonymizing client queries. In the following, we first give a high level description of our protocoland then, explain two other contributions of this paper.

Protocol Overview. In our protocol, we use the temporal cloaking approach to wait until k clients eachhold a locational query. The k clients, then, participate in a MPC protocol to jointly compute a shuingfunction that randomly permutes their queries. The shued queries are then sent to the location-basedserver to be processed. Finally, the results are broadcast by the server to all participating clients. In otherwords, our protocol builds a set of quorums in a one-time setup phase and then uses them in the onlinephase for shuing client queries. We represent the desired shuing function by a circuit. We assign thecomputation of each gate of the circuit to a quorum and evaluate the circuit level by level, passing theoutputs of one level as the inputs to the next level. Figure 1 shows our protocol architecture. Each circle

3

Figure 1: Our architecture

depicts a quorum of mobile users who connect to their local base station. Once the local computation isfinished in each quorum, the result is forwarded to the next quorum via one-to-one communication withclients of the next quorum. Finally, at the highest level of the circuit, the shued queries are computedand sent to the server.

To achieve practical costs, we present a simple explicit construction of the protocol of Dani et al. [12] byrelieving two main bottlenecks in their protocol, which we call secure multiplication and share renewal.

Secure multiplication. One approach for solving MPC (also followed by [12]) is for each party to divideits secret input into n pieces called shares, which reveal nothing about the input. This can be done usinga secret sharing algorithm such as Shamirs scheme [29]. Each party, then, sends one share to each of theother parties. In the next step, each party computes an arithmetic circuit2, which represents the function,gate by gate over the shares and broadcasts the result. Finally, each party computes the circuit outputusing the pieces it receives at the end of the previous step. Using a linear secret sharing scheme (like[29]), addition gates can be computed simply by adding the two input shares. On the other hand, knownsecret sharing schemes are not multiplicatively homomorphic meaning that the product of two shares isnot necessarily a valid and secure share of the product of the corresponding secrets. We are not awareof a perfectly-secure technique for secure multiplication with constant rounds of communication. Wepropose a simple O(1) round method for this problem.

Share Renewal. In our protocol (and the protocol of [12]), each gate of the circuit is assigned a quorumQ and the parties in Q are responsible for computing the function associated with that gate. Then, theysend the result of this computation to any quorums associated with gates that need this result as input.

2An arithmetic circuit is a directed acyclic graph, where every node with indegree zero is called an input gate and everyother gate is labeled by either + (called a addition gate) or (called a multiplication gate).

4

Let Q be one such quorum. It is necessary to securely send the output from Q to Q without revealingany information to any individual party or to any coalition of adversarial parties. Dani et al. [12] solvethis using a mask-and-reveal technique. Unfortunately, they do not provide an explicit construction ofthis method and simple constructions are very expensive in terms of communication and computationcosts [30]. Alternatively, we propose a different approach for solving this problem by reducing it to thesimpler problem of generating a fresh sharing of the output of Q among parties of Q. In other words,parties in Q generate a new set of random shares that represents the same secret as the output of Q,and distribute this new sharing among parties of Q. Inspired by [20], we refer to this problem as sharerenewal, which we solve using a simple and efficient technique described in Section 6.

2 Model

We consider a network of n clients whose identities are common knowledge. We assume there is aprivate and authenticated communication channel between every pair of clients and the communicationis synchronous. Our protocol does not require the presence of any trusted third party, and we do notassume the existence of a reliable broadcast channel. We assume t < (1/6 )n of the clients arecontrolled by a Byzantine adversary, for some small positive constant . We assume our adversary iscomputationally unbounded and is actively trying to prevent the protocol from succeeding by attackingthe privacy of the parties, and the integrity of communications, by attempting to corrupt, forge, or dropmessages. We say that the clients controlled by the adversary are dishonest and that the remaining clientsare honest meaning that they strictly follow our protocol. We finally assume that the adversary is staticmeaning that it must select the set of dishonest clients at the start of the protocol.

3 Our Results

We provide a decentralized protocol for location-based services with polylogarithmic communicationand computation costs with respect to the number of clients. We prove the following main theorem inSection 7.3.

Theorem 1. Consider n clients in a fully connected synchronous network with private channels, whereeach client has a locational query to send to a location-based server. There exists an n-party protocolsuch that if all honest clients follow the protocol, then with high probability,

Each honest client sends its query to the server anonymously.

The protocol tolerates up to t < (1/6 )n Byzantine clients, for some small positive constant . Each client sends O(1) bits and computes O(1) operations.

The protocol has O(log n) rounds of communication.

4 Related Work

Using anonymity for location privacy was first proposed by Kong and Hong [23]. They propose ananonymous routing protocol called ANDOR that targets mobile ad-hoc networks. They address twoclosely-related unlinkability problems, namely route anonymity and location privacy. Based on a route

5

pseudonymity approach, ANODR prevents the adversary from exposing local wireless transmitters iden-tities and tracing network packet flows. For location privacy, their protocol ensures that the adversarycannot discover the real identities of local transmitters.

Gruteser and Grunwald [19] show that location data introduces new and potentially more severe pri-vacy risks than network addresses pose in conventional services. Moreover, they analyzed the technicalfeasibility of k-anonymous location-based services and showed the privacy risks can be reduced throughit. They propose an algorithm and service model that that can be used by a centralized location brokerservice and guarantee k-anonymous location information.

Zhong et al. [31] propose three protocols, Louis, Lester and Pierre, to achieve location privacy for aservice that alerts a person of his nearby friend. Location privacy guarantees that users of the service canlearn a friends location if and only if the friend is actually nearby. Their approach was based on securetwo-party computation and all three protocols exploit homomorphic encryption. The Louis protocolrequires a semi-trusted third party that does not learn any location information. The Lester and Pierreprotocols do not need a third party. The Lester protocol has the drawback that a user might be able tolearn a friends location even if the friend is in an area that is no longer considered nearby by the friend.The Pierre protocol does not have this disadvantage at the cost of not being able to tell the user the precisedistance to a nearby friend.

The Casper framework of Mokbel et al. [26] consists of two main components called locationanonymizer and privacy-aware query processor. The location anonymizer is a trusted third party thatacts as a middle layer between mobile users and the location-based database server. It receives the loca-tion information, blurs the information into cloaked spatial areas, and sends the cloaked spatial areas tothe location-based database server. The authors also design a privacy-aware query processor that helpsdatabase server to deal with anonymous queries and cloaked spatial areas rather than the exact locationinformation. Unfortunately, the cloaked locations in Casper are usually very large and the algorithmlacks a mechanism to dynamically determine the size of cloaking regions.

Ghinita et al. [18] propose a decentralized model that helps mobile users self-organize into a fault-tolerant overlay network in order to run privacy-preserving anonymous location-based queries. Theirprotocol develops a rectangular area enclosing k users called k-Anonymous Spatial Region (k-ASR) inorder to guarantee query anonymity even if the attacker knows the locations of all users. k-ASRs arebuilt in a decentralized fashion, therefore the bottleneck of a centralized server is avoided. The empiricalresults confirm that the system achieves efficient and scalable anonymization and load-balancing withlow maintenance overhead, while being fault-tolerant. On the other hand, the protocol does not provideprovable security guarantees and can only tolerate non-adversarial fail-stop faults.

Gedik and Liu [15] develop a k-anonymizer that is run by a trusted server. Their algorithm enableseach mobile client to specify the minimum level of anonymity it desires and the maximum temporaland spatial tolerances it is willing to accept when requesting for k-anonymity. The authors proposea location cloaking algorithm called CliqueCloak, which combines the ideas of spatial and temporalcloaking. Unfortunately, the algorithm is expensive and shows poor performance for large k as it relieson the ability to locate a clique in a graph to perform location cloaking.

The PrivacyGrid framework of Bamba et al. [3] is composed of dynamic grid-based spatial cloakingalgorithms for providing location k-anonymity and location `-diversity (as defined in [25]) for mobileenvironments. The algorithms find the smallest possible cloaking region meeting desired privacy levelsby measuring several metrics for k-anonymity and `-diversity. While the algorithms are shown to behighly efficient and to achieve higher anonymization success rate, they rely on a trusted server for locationtracking and anonymization service.

6

5 Preliminaries

In this section, we define standard terms, notation, and results used throughout the paper.

Notation. An event occurs with high probability, if it occurs with probability at least 1 1/nc , for anyc > 0 and all sufficiently large n. We denote the set of integers {1, ...,n} by [n]. Also, let Zp denote theadditive group of integers modulo a prime p.

5.1 Basic Tools

In this section, we review the definitions of standard basic tools used throughout the paper.

Verifiable Secret Sharing. An (n, t)-secret sharing scheme, is a protocol in which a dealer who holds asecret value shares the secret among n parties such that any set of t parties cannot gain any informationabout the secret, but any set of at least t + 1 parties can reconstructs it. An (n, t)-verifiable secret shar-ing (VSS) scheme is an (n, t)-secret sharing scheme with the additional property that after the sharingphase, a dishonest dealer is either disqualified or the honest parties can reconstruct the secret, even ifshares sent by dishonest parties are spurious. In our protocol, we use the constant-round VSS proto-col of Katz et al. [21] that is based on Shamirs secret sharing scheme [29]. This result is described inTheorem 2.

Theorem 2. [21] There exists a synchronous linear (n, t)-VSS scheme for t < n/3 that is perfectly-secure against a static Byzantine adversary. The protocol requires one broadcast and three rounds ofcommunication.

Quorum Building. A good quorum is a set of N = O(log n) parties that contains a majority of honestparties. King et al. [22] showed that a Byzantine Agreement (BA) protocol can be used to bring allparties to agreement on a collection of n good quorums. In this paper, we use the fast BA protocol ofBraud-Santoni et al. [8] to build n good quorums.

Theorem 3. [22, 8] There exists an unconditionally-secure protocol that brings all good parties to agree-ment on n good quorums with high probability. The protocol has O(n) amortized communication andcomputation complexity3, and it can tolerate up to (1/3 )n Byzantine parties. If at most ( )fraction of parties are Byzantine, then each quorum is guaranteed to have T N Byzantine parties,where 0 1/3.In our protocols, we require t < (1/6 )n. Therefore, each quorum is guaranteed to have T < N/6Byzantine parties.

Secure Broadcast. In the Byzantine setting, when parties have only access to secure pairwise channels,a protocol is required to ensure secure (reliable) broadcast4. Such a broadcast protocol guarantees allparties receive the same message even if the broadcaster (dealer) is dishonest and sends different mes-sages to different parties. It is known that a BA protocol can be used to perform secure broadcasts. Inour protocol, we use the BA algorithm of Braud-Santoni et al. [8] to perform secure broadcasts.

Theorem 4. [8] There exists an unconditionally-secure protocol for performing secure broadcasts amongn parties. The protocol has O(n) amortized communication and computation complexity, and it cantolerate up to (1/3 )n Byzantine parties.

3Amortized communication complexity is the total number of bits exchanged divided by the number of parties.4We are not aware of any easy approach to physically implement a broadcast channel without assuming a trusted party.

7

Sorting Networks. A sorting network is a network of comparators. Each comparator is a gate withtwo input wires and two output wires. When two values enter a comparator, it outputs the lower valueon the top output wire, and the higher value on the bottom output wire. Ajtai et al. [1] describe anasymptotically-optimal O(log n) depth sorting network called AKS. Unfortunately, the AKS network isnot practical due to large constants hidden in the depth complexity. Leighton and Plaxton [24] propose apractical O(log n)-depth probabilistic sorting network that sorts with very high probability meaning that

it sorts all but n! of the n! possible input permutations, where = 1/22c

log n, for any constant c > 0. In

our protocol, we use the sorting circuit of [24] for shuing client queries efficiently.

Secure Comparison. Given two linearly secret-shared values a,b Zp , Nishide and Ohta [27] proposean efficient protocol for computing a sharing of {0,1} such that = (a b). Their protocol hasO(1) rounds and requires O(`) invocations of a secure multiplication protocol, where ` is the bit-lengthof elements to be compared. We refer to this protocol by Compare. We also describe a fast multiplicationprotocol to be used along with the comparison protocol of [27] for implementing fast comparator gates.

6 Our Protocol

In this section, we describe our protocol for secure location sharing. Consider n parties P1,P2, ...,Pneach having a locational query xi Zp , for a prime p and all i [n]. The parties want to anonymouslysend their queries to a location-based server and receive the results back. We assume the queries havealready been collected via temporal cloaking and up to t < (1/6 )n of the parties are controlled by aByzantine adversary.

We first describe an ideal functionality of our protocol where a hypothetical trusted party P computesthe desired protocol outcome by communicating with all parties5. In every run of the protocol, P executesa shuing protocol over the queries and sends the shued sequence of queries to the location-basedserver. Once the queries are processed, the server broadcasts the results to the parties. The shuingprotocol first chooses a uniform random number ri Zp to form an input pair (ri , xi ) for each partyPi and for all i [n]. The protocol then uses a shuing circuit that is based on the sorting network ofLeighton and Plaxton [24] to sort the set of pairs {(r1, x1), ..., (rn , xn )} according to their first elements.We later show that this functionality randomly permutes the set of input queries {x1, ..., xn }.

In our protocol, we denote the shuing circuit by C, which has m gates. Each gate is essentially acomparator gate and is denoted by Gi , for i [m]. Our protocol first creates n quorums and then assignseach gate of C to a quorum. For n parties, the circuit has dn/2e input gates as each gate has two inputs.We label the quorums assigned to the input gates by Q1, ...,Q dn/2e and call them input quorums. C alsohas dn/2e output gates, which correspond to output quorums labeled by Q1, ...,Qdn/2e .

We now implement the real functionality of our protocol based on the ideal functionality describedabove. Protocol 1 defines our main algorithm. Throughout the protocol, we represent each shared values Zp by s = (s1, ..., sn ) meaning that each party Pi holds a share si generated by the VSS scheme ofTheorem 2 during its sharing phase. Using the natural component-wise addition of representations, wedefine a + b = a + b. For multiplication, we define a b = Multiply(a,b), where Multiply is aprotocol defined later in this section.

In LocationService, we use a simple and well-known technique (e.g., see Beaver [4]) for generatinguniformly random shared values by adding uniformly random secrets shared by each party. We referto this algorithm by GenRand. In our protocol, Reconst refers to the secret reconstruction algorithmof Theorem 2. Given a shared value s, Reconst reconstructs s via polynomial interpolation and error

5We are inspired by the standard ideal/real world definition for multi-party protocols proposed by Canetti [9].

8

Table 1: List of subprotocols used in the main protocol (Protocol 1)Protocol DescriptionCompare The protocol of [27] for securely comparing two secret-shared values.GenRand Generates a uniform random secret-shared value.Multiply Multiplies two secret-shared values. Defined as Protocol 2.Reconst Given a secret-shared value s, reconstructs s via the reconstruction method of [21].RenewShares Re-randomizes shares of a secret-shared value. Defined as Protocol 3.

correction using a BCH decoding algorithm such as the Berlekamp-Welch algorithm [6]. For the readersconvenience, all subprotocols used in our main protocol (Protocol 1) are listed in Table 1.

Protocol 1 LocationService

1. Setup. Parties run the quorum building protocol of Theorem 3 jointly with all parties to agree onn good quorums Q1, ...,Qn , and assign each gate Gi to the (i mod n)-th quorum. For each quorumQ, each party in Q runs the key generation protocol of VSS scheme of Theorem 2 jointly withother parties in Q.

2. Input Broadcast. Parties Pi and Pi+1 secret share their inputs xi and xi+1 among all parties ofQ di/2e .

3. Random Generation. Parties in each input quorum Q di/2e run GenRand twice to generate shar-ings ri and ri+1 of two random elements ri ,ri+1 Zq , for some prime q. At the end of thisstep, Q di/2e holds two pairs of sharings (ri,xi) and (ri+1,xi+1).

4. Circuit Computation. The circuit is evaluated level-by-level starting from the input gates. Foreach gate G and the quorum Q associated with it, parties in Q do the following.

(a) Gate Computation. Let (r,x) and (r ,x ) be the sharings associated with the inputsof G. Parties compute = Compare(r,r ), where = (r r ). Then, they computethe output pairs (s,y) and (s,y) from

s = r + (1 ) r y = x + (1 ) x

s = r + (1 ) ry = x + (1 ) x

For every addition over two shared values a and b performed above, parties computesc = a + b. For every multiplication, they run c = Multiply(a,b).

(b) Output Resharing. Parties run RenewShares over s, y, s, and y to re-share themin the quorum associated with the parent gate.

5. Query Processing. Let (si,yi) and (si+1,yi+1) be the pairs of shared values each outputquorum Qi receives. Parties in Q

i run zi= Reconst(yi) and zi+1= Reconst(yi+1) and send zi

and zi+1 to the LBS. For all the zi and zi+1 messages received from parties of Qi , the location-based server picks two via majority filtering. Then, the server processes the queries z1, ..., zn , andsends the results to all parties.

9

We prove the correctness and secrecy of LocationService (and Theorem 1) in Section 7.3. In Lemma 5,we show that for sufficiently large k > 0 and q > 32 kn

2 log n, LocationService computes a random per-mutation of the input queries with high probability.

We now describe the protocol Multiply that is based on a well-known technique proposed by Beaver [4].The technique generates a shared multiplication triple (u,v,w) such that w = u v. The triple isthen used to convert multiplications over shared values to additions.

Protocol 2 MultiplyUsage. Initially, parties hold two shared values a and b that are on a polynomial of degree d = N/3.The protocol computes a shared value c such that c = a b.Multiply(a,b) :

1. Parties run GenRand to generate two shared random values u = (u1, ...,uN ) and v = (v1, ...,vN )both on polynomials of degree d/2. Then, each party Pi computes wi = vi ui .

2. Each party Pi computes i = ai + ui and i = bi + vi and runs Reconst(i ) and Reconst(i ) tolearn and . Party Pi computes ci = wi + ai + bi .

Clearly, and can be safely revealed to all parties so that each party can compute locally.The only difference between Multiply and Beavers multiplication method is that Beaver generates sharedrandom elements u and v on polynomials of degree d and multiplies them to get a polynomial of degree2d for w. Then, a degree reduction algorithm is run to reduce the degree from 2d to d. Instead, wechoose polynomials of degree d/2 for u and v to get a polynomial of degree d for w. In our protocol,since we require T < N/6 of parties be dishonest in each quorum, we can do this without revealing anyinformation to the adversary. We prove this formally in Section 7 (proof of Theorem 5). We note thatthe first step of Multiply is independent of the inputs and thus, can be performed in an oine phase togenerate a sufficient number of multiplication triples.

Theorem 5. Given two secret-shared values a and b, the protocol Multiply correctly and securelygenerates a shared value c such that c = a b.Proof. In Section 7.1.

For solving the share renewal problem described in Section 1.1, we propose a simple and efficientprotocol called RenewShares that is described in Protocol 3. The high-level idea is to first generate arandom polynomial that passes through the origin, and then add it to the polynomial that correspondsto the shared secret. The result is a new polynomial that represents the same secret but has coefficientsthat are chosen randomly and completely independent of the coefficients of the original polynomial.Combined with the VSS scheme of Theorem 2 in a group of n parties with t < n/3 dishonest parties, thisprotocol has one round of communication and requires each party to send O(n) field elements.

This high-level idea was first proposed by Ben-Or et al. in [5]. The solution provided in [5] requiresa zero-knowledge proof, where each party is asked to prove distribution of shares over a polynomialwith zero free-coefficient. Unfortunately, such a zero-knowledge proof either is round-expensive (asin [5]) or requires a weaker adversarial model for the problem to be solved efficiently (e.g., see Herzberget al. [20]). On the other hand, by relaxing the resiliency bound by only one less dishonest party, we cangenerate a random polynomial that passes through the origin without requiring the zero-knowledge step.

Let (x) be the original polynomial. The idea is to first generate a random polynomial (x) of degreedeg() 1, and then compute a new polynomial 0(x) = x (x) that is of degree deg() and passes

10

()

0() = ()

()

()

() = () + 0()

Figure 2: Share renewal technique

through the origin. Finally, the fresh polynomial is computed from (x) + 0(x). The polynomial (x)can be simply generated by asking parties to agree on a secret-shared uniform random number (by callingGenRand) over a random polynomial of degree deg()1. Figure 2 depicts this idea for the special caseof d = 1. Protocol 3 implements our share renewal technique, and Theorem 6 proves its correctness andsecrecy.

Protocol 3 RenewSharesUsage. Let Q be the quorum associated with gate G in the circuit, and Q be the quorum associated witha parent of G. Initially, parties in Q hold a sharing s = (s1, ..., sN ) of a secret s Zp over a randompolynomial (x) of degree d = N/3. Using this protocol, parties in Q jointly generate a fresh sharing ofs in Q.

RenewShares(s,Q):For all i [N],

1. Party Pi Q runs GenRand to jointly generate a sharing r = (r1, ...,rN ) of a uniform randomvalue r Zp over a polynomial (x) of degree d 1.

2. Pi Q computes si = si + i ri , and sends si to party Pi Q.

Theorem 6. Let Q and Q be two quorums of size N , where Q holds a shared value s = (s1, ..., sN )over a polynomial of degree d = N/3. The protocol RenewShares generates a new shared values = (s1, ..., sN ) in Q such that s = s. The protocol is secure against a Byzantine adversary corruptingT < N/6 parties in each quorum.

Proof. In Section 7.2.

7 Correctness and Security Proofs

In this section, we prove the correctness and secrecy of our protocols. Before proceeding to the proofs,we define a few concepts and properties that make our proofs simpler.

11

Definition 1. [t-secrecy] A sharing defined over a polynomial is said to have t-secrecy if1. it is t-private meaning that no set of at most t parties can compute (0), and

2. it is t-resilient meaning that no set of t or less parties can prevent the other n t remaining partiesfrom correctly reconstructing (0).

Proposition 1. The Shamirs secret sharing scheme [29] has the following properties:1. A sharing defined over a polynomial of degree d has d-secrecy if the adversary knows less than

d points on .

2. Let 1 and 2 be independent random polynomials of degree d1 and d2 that correspond to shar-ings with d1-secrecy and d2-secrecy respectively. 3 = 1 + 2 is a polynomial of degree d3 =max(d1,d2) that corresponds to a sharing with d3-secrecy.

3. Let 1 and 2 be polynomials of degree d that correspond to two sharings both with d-secrecy.3 = 1 2 is a polynomial of degree 2d that corresponds to a sharing with d-secrecy.

Proof. The first property can be easily observed from Definition 1 because in order to uniquely recon-struct a polynomial of degree d, at least d + 1 points are required. Since the adversary knows less thand points on , and all elements of Zp are equally likely to be the missing point(s), the adversary cannotuniquely reconstruct the polynomial and thus, he learns nothing about the secret.

The second property is correct due to the linearity of Shamirs secret sharing scheme. Without loss ofgenerality, let d1 d2. Intuitively, if we assume that the sharing defined by 3 does not have d2-secrecy.Then, parties compute 2 = 31. Thus, they can find 2(0) (or similarly, prevent others from learning2(0)). This contradicts with the fact that 2 corresponds to a sharing with d2-secrecy. For a completeproof, we refer the reader to Claim 3.4 of [2].

The third property is correct because considering an arbitrary party Pi holding two shares ai and bion polynomials 1 and 2 respectively, Pi learns nothing from ai bi other than what is revealed fromai and bi since Pi computes it with no interaction with other parties. So, the resulting shared value alsohas d-secrecy.

Corollary 1. If a shared value has d-secrecy, then it also has d -secrecy, where d < d.

Definition 2. [Perfect random permutation] Consider a set of n 1 elements A = {a1,a2, ...an }. Aperfect random permutation of A is a permutation chosen uniformly at random from the set of all possiblen! permutations of A.

7.1 Proof of Theorem 5

The correctness of Multiply is already shown by Beaver in [4]. The security of Theorem 5 directly followsfrom Proposition 1 described above and Lemma 1 proved below.

Lemma 1. Let a and b be two secret-shared values both with N/3-secrecy and c = Multiply(a,b).The sharing c has N/3-secrecy.Proof. In the first step of Multiply, algorithm GenRand creates two shared values u = (u1, ...,uN ) andv = (v1, ...,vN ) that correspond to degree N/6 polynomials. Lemma 1 proves that u and v bothhave N/6-secrecy. For each party Pi , based on Lemma 1, wi = ui vi defines a new sharing that is ona polynomial of degree N/3 and has N/6-secrecy. Moreover, a and b both are on polynomials ofdegree N/3 and have N/3-secrecy. Thus, based on Lemma 1, ci = wi + ai + bi defines a newsharing c that is on a polynomial of degree N/3 and has N/3-secrecy.

12

7.2 Proof of Theorem 6

We first prove the correctness of RenewShares. Figure 2 shows a sketch of the proof. From the correct-ness of GenRand, ri Zp is a share of a global random value r Zp . Let o (x) = x (x). Clearly,deg(o ) = deg() + 1 = d. Now, define (x) = (x) + o (x). Since (0) = s and o (0) = 0, we have(0) = s. Hence, each party Pi can locally compute a new share of s denoted by si from s

i = si + i ri ,

where si = (i), si = (i), and i ri = o (i). We now prove the security of RenewShares.

Lemma 2. Let 1 and 2 be two polynomials. 2(x) = x 1(x) if and only if 2(0) = 0.Proof. If 2(x) = x 1(x), then 2(0) = 0. Assuming d = deg(2), we write 2(x) = a0 + a1x +... + ad xd . If 2(0) = 0, then a0 = 0 and there exists a polynomial 1(x) = a1 + ... + ad xd1 such that2(x) = x 1(x). Lemma 3. Let s and s be two shared values defined over random polynomials 1 and 2 respectively,where 2(x) = x 1(x). If s has t-secrecy, then s also has t-secrecy.Proof. Let d1 and d2 be the degrees of 1 and 2 respectively. Clearly, d2 = d1 + 1. Let St be a set of atmost t d1 points on 1 the adversary learns via a coalition of at most t malicious parties. By Lemma 2,the only information the adversary learns about 2 is a set of at most t + 1 points St {(0,0)} on 2.Since t + 1 d2, by Proposition 1 and Corollary 1, s has t-secrecy. We now prove Theorem 6. Let (x) be the polynomial associated with r = (r1, ...,rN ) generated inthe first step of RenewShares. Since has degree d = N/3, based on Corollary 1, s has d-secrecy.Since deg() = deg() 1 = d 1, the sharing r has (d 1)-secrecy. By Corollary 1, x (x) definesa new sharing with (d 1)-secrecy. Finally, by Proposition 1, the protocol computes a new sharings = (s1, ..., sN ) with (d 1)-secrecy, where si = si + i ri .Based on the correctness of RenewShares shown in Section 6, s = s. Since T < N/6 parties aredishonest in Q and Q, via a coalition of at most 2T < N/3 dishonest parties in Q and Q, the adversarycan learn up to 2T shares of s. Moreover, since s and s both have (N/3 1)-secrecy, the last stepof the protocol reveals nothing about s. Based on the correctness and secrecy of GenRand invoked inthe first step of RenewShares, r and its shares are uniformly random and independent from any otherrandom value generated in the protocol. For all i [N], since ri is independent of si , we conclude thatsi is independent of si .

7.3 Proof of Theorem 1

We now prove our main theorem (Theorem 1). We first state two lemmas required in our proof.

Lemma 4. Consider a sequence of input pairs (r1, x1), ..., (rn , xn ) and a sorting protocol that sortsthe pairs according to their first elements. computes a perfect random permutation of the pairs if theirfirst elements are chosen uniformly at random and are distinct.

Proof. Let X = (r1, x1), ..., (rn , xn ) be the input sequence and Y = (s1, y1), ..., (sn , yn ) be the outputsequence of . Note s1, ..., snis the sorted sequence of {r1, ...,rn }. An arbitrary output sequence of pairsY = (s1, y

1), ..., (s

n , y

n ) is said to be equal to Y if yi = y

i , for all i [n]. We want to prove that the

probability of Y being equal to Y is 1n! . In general, for any i [n], yi = yi if and only if si is the i-thsmallest element in {r1, ...,rn } conditioned on knowing the i 1 smallest elements, which happens withprobability 1ni+1 . Thus, the probability that Y = Y

is 1n 1n1 ... 12 1 = 1n! .

13

In the random generation step of LocationService, it is possible that two or more input quorumschoose the same random elements from Zq . In this situation, we say a collision happens. Collisionsreduce the level of anonymity our protocol guarantees because the higher the probability of collisions,the higher the chance the adversary is given in guessing the correct sequence of inputs. On the other hand,we observe that if the field size (i.e., q) is sufficiently large, then the probability of collisions becomesoverwhelmingly small. Lemma 5 gives a lower bound on q such that collisions are guaranteed to happenwith negligible probability.

Lemma 5. Let Zq be the field of random elements generated in the random generation step of Location-Service. The probability that there is a collision between any two parties is negligible if q > 32 kn

2 log n,for some k > 0.

Proof. Based on Theorem 3, all input quorums are good. Based on the correctness of GenRand, allelements generated by the input quorums in the random generation step of LocationService are chosenuniformly at random and independent of all other random elements generated throughout the protocol.Let Pi and Pj be two parties and ri and r j be the random values assigned to them respectively by theircorresponding input quorums. The probability that ri = r j is 1/q. Let Xi j be the following indicatorrandom variable and Y be a random variable giving the number of collisions between any two parties,

Xi j =1, ri = r j0, otherwise , Y =

i, j [n]

Xi j .

Using the linearity of expectations,

E(Y ) = E( i, j [n]

Xi j)

=

i, j [n]E(Xi j ) =

1q

(n2

)=

n(n 1)2q

.

We want to find an upper bound on the probability of collisions using the Chernoff bound defined by

Pr (Y (1 + )E(Y )) e2E (Y )

3 .

To ensure that no collision happens with high probability, we need to have (1 + )E(Y ) < 1 while

e2E (Y )

3 < 1nk

, for any k > 0. Choosing < 1E (Y ) 1 and solving the inequalities for E(Y ) we get

e2E (Y )

3 < 1nk

e2E (Y )

3 < ek log n 1 2E (Y )3 < k log n (+1)2E (Y )3 >

k log n 1

3E (Y ) > k log n E(Y ) < 13k log nSince E(Y ) = n(n1)2q

32 kn

2 log n and < 3k log n 1.

We now prove Theorem 1 in the real/ideal world model as described by Canetti [9]. First, we considerthe protocol in an ideal model. In this model, all parties send their input to a trusted party who computesthe shuing circuit. Then, it sends the result to the location-based server. Let A be the sequence ofinputs and A be the sequence of sorted inputs according to the random numbers associated with them.Recall that we have at least n t honest parties. Based on Lemma 4 and conditioned on the event that nocollision happens with high probability (Lemma 5), the elements of A that correspond to honest partiescan be any permutation of the elements of honest parties in A. In other words, the probability that the

14

adversary can successfully map A to A is less than 1(nt )! which guarantees (n t)-anonymity (i.e., fullanonymity). The protocol LocationService is the realization of the above ideal model. The real model,computes the circuit in a multi-party setting. We prove this realization is correct and secure.

Setup. The correctness and secrecy follows from the proof of Theorem 3.

Input Broadcast. The correctness and secrecy follows from the proof of the VSS scheme of [21]. Afterthis step, each input quorum Qi has a correct sharing of Pis input. This is the base case for our proof ofcircuit computation step.

Random Generation. The correctness and secrecy follows from the proof of the GenRand algorithm.

Circuit Computation. Correctness. We prove by induction in the real/ideal model. The invariant isthat if the input shares are correct, then the output of each gate is equal to the output when the gate iscomputed by a trusted party in the ideal model, and the result is shared between parties of the quorumcorrectly. For the base case, note that the invariant is true for input gates. Induction step is based on theuniversal composability of Compare and Multiply. Moreover, based on the correctness of RenewShares,the output resharing step generates new shares without changing the output.

Secrecy. We prove by induction. The adversary cannot obtain any information about the inputs andoutputs during the computation of each gate of the circuit. Let Q, and Q be two quorums involved inthe computation of a gate, where Q provides an input to the gate, and Q computes the gate. Consider aparty P. Let S be the set of all shares P receives during the protocol. We consider two cases. First, ifP < (Q Q), then elements of S are independent of the shares Q sends to Q. Moreover, elements of Sare independent of the output of Q since Q also re-shares its output(s). Hence, S reveals nothing aboutthe inputs and outputs of the gate.

Second, if P (Q Q), then the inductive invariant is that the collection of all shares held by dishonestparties in Q and Q does not give the adversary any information about the inputs and the outputs. Asthe base case, it is clear that the invariant is valid for input gates. The induction step is as follows. Theadversary can obtain at most 2(N/6) = N/3 shares of any shared value during the computation step; N/6from dishonest parties in Q and N/6 from dishonest parties in Q. By the secrecy of the VSS scheme,at least N/3 + 1 shares are required for reconstructing the secret. By the secrecy of RenewShares andMultiply, when at most N/3 of the shares are revealed, the secrecy of the computation step is proved usinguniversal computability of multi-party protocols.

Query Processing. The correctness and secrecy follows from the proof of the Reconst algorithm and thestandard assumption that the location-based server correctly executes the queries and sends the resultsback to the parties.

Lemma 6. The protocol LocationService sends O(n) bits, computes O(n) operations, and has O(log n)rounds of communication.

We first compute the cost of each step of the protocol separately and then compute the total cost. Basedon [21], the communication and computation complexity of the VSS subprotocol is O(poly(n)) when itis invoked among n parties. Also, the VSS protocol takes constant rounds of communication.

Setup. The communication and computation costs are equal to those costs of the quorum buildingalgorithm of Theorem 3, which is O(1) for each party. This protocol takes constant rounds ofcommunication.

15

Input Broadcast. The input broadcast step invokes the VSS protocol n times among N = O(log n)parties. So, this step sends O(n poly(N )) bits and performs O(n poly(N )) operations. Since theVSS scheme is constant-round, this step also takes constant rounds.

Random Generation. It is easy to see that the subprotocol GenRand sends O(N poly(N )) mes-sages, performs O(N poly(N )), and has constant rounds.

Circuit Computation. The sorting network of Leighton and Plaxton [24] has O(n log n) gates. So,the communication cost of this step is equal to the communication and computation cost of runningO(n log n) instantiations of Compare and RenewShares. Compare requires O(log q) invocation ofMultiply which sends O(poly(N )) messages and computes O(poly(N )) operations. RenewSharesalso sends O(poly(N )) messages and computes O(poly(N )) operations. Hence, the circuit com-putation phase sends O(n log n log q poly(N )) messages computes O(n log n log q poly(N )) .Since the sorting network has depth O(log n), and Compare takes constant rounds, this steps takesO(log n) rounds of communication.

Query Processing. The costs are equal to the communication and computation costs of runningn instantiations of Reconst. Thus, this step sends O(n) messages and performs O(n) operations.Since Reconst is a constant-round protocol and the communications with the server take constantrounds, this step of the protocol also takes constant rounds.

Total. Since q > 32 kn2 log n, for a constant k, q = O(n3) and log q = O(log n). Thus, Protocol 1

sends O(n) bits and computes O(n) operations. Finally, the protocol requires O(log n) rounds ofcommunication. This completes the proof of Theorem 1.

8 Conclusion and Open Problems

We described a privacy-preserving location-based service that is fully decentralized and tolerates up toabout n/6 Byzantine faults. Moreover, our protocol is load-balanced and can tolerate traffic-analysis at-tacks. The amount of information sent and the amount of computations performed by each client scalespolylogarithmically with the number of parties. The scalability is achieved by performing local commu-nications and computations in groups of logarithmic size and by relaxing the latency requirements.

Several open problems remain. For example, can we design a spatial cloaking technique to trade-off anonymity for efficiency while preserving the traffic-analysis resistance? Or, can we decrease thenumber of rounds of our protocol using a smaller-depth sorting circuit? For example, since our protocolsorts uniform random numbers, it seems possible to use a constant-depth non-comparison-based sortingcircuit like bucket sort to achieve O(n)-anonymity.

16

References[1] M. Ajtai, J. Komls, and E. Szemerdi. Sorting in c log n parallel steps. Combinatorica, 3(1):119, Jan.

1983.

[2] G. Asharov and Y. Lindell. A full proof of the BGW protocol for perfectly-secure multiparty computation.Cryptology ePrint Archive, Report 2011/136, 2011.

[3] B. Bamba, L. Liu, P. Pesti, and T. Wang. Supporting anonymous location queries in mobile environmentswith privacygrid. In Proceedings of the 17th International Conference on World Wide Web, WWW 08, pages237246, New York, NY, USA, 2008. ACM.

[4] D. Beaver. Efficient multiparty protocols using circuit randomization. In Advances in Cryptology CRYPTO91, volume 576 of Lecture Notes in Computer Science, pages 420432. Springer Berlin Heidelberg, 1991.

[5] M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerantdistributed computing. In Proceedings of the Twentieth ACM Symposium on the Theory of Computing(STOC), pages 110, 1988.

[6] E. Berlekamp and L. Welch. Error correction for algebraic block codes, US Patent 4,633,470, Dec. 1986.

[7] E. Boyle, S. Goldwasser, and S. Tessaro. Communication locality in secure multi-party computation: how torun sublinear algorithms in a distributed setting. In Proceedings of the 10th theory of cryptography conferenceon Theory of Cryptography, TCC13, pages 356376, Berlin, Heidelberg, 2013. Springer-Verlag.

[8] N. Braud-Santoni, R. Guerraoui, and F. Huc. Fast Byzantine agreement. In Proceedings of the 2013 ACMSymposium on Principles of Distributed Computing, PODC 13, pages 5764, New York, NY, USA, 2013.ACM.

[9] R. Canetti. Universally composable security: a new paradigm for cryptographic protocols. In Proceedings ofthe 42nd Annual Symposium on Foundations of Computer Science, FOCS 01, pages 136145, Oct 2001.

[10] B. Chor, E. Kushilevitz, O. Goldreich, and M. Sudan. Private information retrieval. J. ACM, 45(6):965981,Nov. 1998.

[11] I. Damgrd, Y. Ishai, M. Krigaard, J. Nielsen, and A. Smith. Scalable multiparty computation with nearlyoptimal work and resilience. Advances in Cryptology CRYPTO 08, pages 241261, 2008.

[12] V. Dani, V. King, M. Movahedi, and J. Saia. Quorums quicken queries: Efficient asynchronous secure mul-tiparty computation. In Distributed Computing and Networking, volume 8314 of Lecture Notes in ComputerScience, pages 242256. Springer Berlin Heidelberg, 2014.

[13] R. Dingledine, N. Mathewson, and P. Syverson. Tor: the second-generation onion router. In Proceedings ofthe 13th USENIX Security Symposium, pages 2121, Berkeley, CA, USA, 2004. USENIX Association.

[14] J. Feigenbaum and B. Ford. Seeking anonymity in an Internet panopticon. e-Print arXiv:1312.5307, March2014.

[15] B. Gedik and L. Liu. Location privacy in mobile systems: A personalized anonymization model. In Dis-tributed Computing Systems, 2005. ICDCS 2005. Proceedings. 25th IEEE International Conference on, pages620629, June 2005.

[16] B. Gellman and A. Soltani. NSA tracking cellphone locations worldwide, snowden documents show. TheWashington Post, December 2013.

[17] C. Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st annual ACMsymposium on Theory of computing, STOC 09, pages 169178, New York, NY, USA, 2009. ACM.

[18] G. Ghinita, P. Kalnis, and S. Skiadopoulos. Prive: Anonymous location-based queries in distributed mobilesystems. In Proceedings of the 16th International Conference on World Wide Web, WWW 07, pages 371380, New York, NY, USA, 2007. ACM.

17

[19] M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporalcloaking. In Proceedings of the 1st International Conference on Mobile Systems, Applications and Services,MobiSys 03, pages 3142, New York, NY, USA, 2003. ACM.

[20] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung. Proactive secret sharing or: How to cope with perpetualleakage. In Advances in Cryptology CRYPTO 95, volume 963 of Lecture Notes in Computer Science,pages 339352. Springer Berlin Heidelberg, 1995.

[21] J. Katz, C.-Y. Koo, and R. Kumaresan. Improving the round complexity of VSS in point-to-point networks.In Automata, Languages and Programming, volume 5126 of Lecture Notes in Computer Science, pages 499510. Springer Berlin Heidelberg, 2008.

[22] V. King, S. Lonargan, J. Saia, and A. Trehan. Load balanced scalable Byzantine agreement through quorumbuilding with full information. In Distributed Computing and Networking, volume 6522 of Lecture Notes inComputer Science, pages 203214. Springer Berlin Heidelberg, 2011.

[23] J. Kong and X. Hong. Anodr: Anonymous on demand routing with untraceable routes for mobile ad-hocnetworks. In Proceedings of the 4th ACM International Symposium on Mobile Ad Hoc Networking &Amp;Computing, MobiHoc 03, pages 291302, New York, NY, USA, 2003. ACM.

[24] T. Leighton and C. G. Plaxton. A (fairly) simple circuit that (usually) sorts. In Proceedings of the 31st AnnualSymposium on Foundations of Computer Science, FOCS 90, pages 264274, Oct 1990.

[25] A. Machanavajjhala, D. Kifer, J. Gehrke, and M. Venkitasubramaniam. `-diversity: Privacy beyond k-anonymity. ACM Trans. on Knowledge Discovery from Data, 1(1), Mar. 2007.

[26] M. F. Mokbel, C.-Y. Chow, and W. G. Aref. The new casper: Query processing for location services withoutcompromising privacy. In Proceedings of the 32nd International Conference on Very Large Data Bases,VLDB 06, pages 763774. VLDB Endowment, 2006.

[27] T. Nishide and K. Ohta. Multiparty computation for interval, equality, and comparison without bit-decomposition protocol. In Public Key Cryptography PKC 2007, volume 4450 of Lecture Notes in Com-puter Science, pages 343360. Springer Berlin Heidelberg, 2007.

[28] A. Pfitzmann and M. Khntopp. Anonymity, unobservability, and pseudonymity a proposal for terminology.In Designing Privacy Enhancing Technologies, volume 2009 of Lecture Notes in Computer Science, pages19. Springer Berlin Heidelberg, 2001.

[29] A. Shamir. How to share a secret. Commun. ACM, 22(11):612613, 1979.

[30] M. Zamani, M. Movahedi, and J. Saia. Millions of millionaires: Multiparty computation in large networks.Cryptology ePrint Archive, Report 2014/149, 2014.

[31] G. Zhong, I. Goldberg, and U. Hengartner. Louis, lester and pierre: Three protocols for location privacy. InProceedings of the 7th International Conference on Privacy Enhancing Technologies, PET07, pages 6276,Berlin, Heidelberg, 2007. Springer-Verlag.

18

1 Introduction1.1 Our Contribution

2 Model 3 Our Results 4 Related Work 5 Preliminaries 5.1 Basic Tools

6 Our Protocol 7 Correctness and Security Proofs 7.1 Proof of Theorem 5 7.2 Proof of Theorem 6 7.3 Proof of Theorem 1

8 Conclusion and Open Problems