WO2019006968A1 - Acceptance-guaranteed privacy-protecting space crowdsourcing task allocation system and method - Google Patents
- Publication number
- WO2019006968A1 (application PCT/CN2017/113468)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- worker
- server
- task
- workers
- encrypted
Classifications
- H04L63/0421—Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
- G06Q10/06311—Scheduling, planning or task assignment for a person or group
- H04L63/0464—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
- H04L9/008—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/0872—Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Definitions
- the invention belongs to the field of computers and relates to a task distribution system for space crowdsourcing, in particular to an acceptance-guaranteed privacy-protecting space crowdsourcing task allocation system; in addition, the present invention also relates to the implementation method of that acceptance-guaranteed privacy-protecting space crowdsourcing task allocation system.
- Crowdsourcing has revolutionized the way problems are solved by outsourcing a task (usually performed by a designated agent) to the public through open recruitment. Crowdsourcing can provide talent capacity and expert services on demand, at far less than the cost of hiring professionals, and has been successfully applied to transcribing books, protein folding, galaxy classification and traffic monitoring. Recently, crowdsourcing has also been widely used for emergency management because it collects critical information efficiently and at low cost in emergencies and disasters, such as affected areas, at-risk populations, and potential areas where search and rescue operations may be required. For example, on April 25, 2015, Nepal was hit by a magnitude 7.8 earthquake. To provide detailed damage assessment, DigitalGlobe collected high-resolution satellite images of the affected areas before and after the earthquake. These images were divided into small segments and provided to online crowds to identify damaged buildings and roads. Thanks to the help of crowdsourcing, more than 21,000 damaged buildings and roads were identified and marked within a month, providing valuable data for rescue and reconstruction.
- SC: space crowdsourcing
- a spatial task, i.e., a location-related task
- the SC server sends a space task concerning survivors in a particular collapsed building to all available workers, including volunteers and professionals equipped with life-detection instruments. Workers willing to perform the task arrive at the building for inspection and send the results back to the SC server. Based on the results, a rescue plan can subsequently be carried out; for example, if someone is identified as being trapped in the rubble, professional heavy rescue equipment will be deployed on site.
- the success of crowdsourcing depends on the active participation of the crowd.
- location privacy issues are a major factor hindering workers from engaging in space tasks.
- effectiveness means that space tasks can be quickly completed by assigning them to nearby workers.
- the SC server needs to continuously collect their location through the workers' mobile devices.
- it is very difficult for workers to control the use of their location data by an untrusted third party, the SC server.
- the collected location data is likely to be shared, rented or sold, which has a serious impact on personal privacy.
- intruders can conduct a wide range of attacks on individuals, such as physical surveillance and tracking, identity theft, and the disclosure of sensitive information such as home addresses and lifestyle habits. Therefore, location privacy protection, or more generally worker privacy protection, is an important aspect of space crowdsourcing because it can motivate workers to actively participate in space tasks. This is especially important for emergency management because more active workers usually mean that tasks can be completed faster.
- Tasks on existing crowdsourcing platforms are open to all workers. This mode may not be suitable for space crowdsourcing in an emergency.
- too many workers motivated by altruism may go there to perform the task, even if they are not required to do so. This may lead to further chaos, such as traffic jams. Therefore, the location of the task should not be known to any worker other than those to whom the task is assigned.
- task location protection is also welcome. For example, people with health problems at home can seek help through crowdsourcing, but publicizing their health issues and home addresses clearly violates personal privacy. Therefore, task location privacy should also be protected in space crowdsourcing.
- the technical problem to be solved by the present invention is to provide a privacy protection space crowdsourcing task allocation system that accepts guarantees.
- the present invention encrypts the private data of both parties to achieve strong mutual security, greatly reduces the computational cost of the system, and can ensure that the task is accepted with high probability.
- the present invention also provides an implementation method of the privacy-protected space crowdsourcing task allocation system that accepts the guarantee.
- the present invention provides an acceptance-guaranteed privacy-protecting space crowdsourcing task distribution system comprising an SC server, a cryptographic service provider (CSP), a space task requester, and workers; the SC server is a space crowdsourcing server;
- the cryptographic service provider is configured to generate keys using the Paillier cryptosystem and the ElGamal cryptosystem: it generates ElGamal's domain parameters and the Paillier and ElGamal key pairs, keeps the private keys secret, and sends the public keys to the SC server and all workers;
- the space task requester is configured to create a space task and transmit the task location to the SC server; the SC server encrypts the task location with the public key and sends the ciphertext to all workers; after receiving the encrypted information from the SC server, each worker calculates the distance between the task position and its own position, thereby obtaining the privacy-protected distance;
- the speed of each worker is encrypted and sent to the SC server, which cooperates with the cryptographic service provider.
- the SC server multiplies the encrypted speeds of all workers, the cryptographic service provider decrypts the product, and V is sent to each worker. Workers calculate their travel times, encrypt them and send them to the SC server;
- the SC server determines the winning workers from the encrypted, privacy-protected travel times with the help of the cryptographic service provider: after obtaining all workers' travel times from the SC server, the cryptographic service provider sorts them in ascending order and adds workers to the winner set one by one until the expected acceptance rate is reached; it then encrypts the winner set, which contains multiple winners, and returns it to the SC server;
- the SC server encrypts the task location and broadcasts it to all workers, assigning tasks to workers.
- the encrypted task location can only be decrypted by the winning worker, and the winning worker arrives at the designated location to perform the corresponding task.
- the space task $s$ refers to a task to be executed at the position $l_s$ and associated with the expiration date $e_s$;
- the worker $w$ is a person who is willing to perform a space task; each worker is associated with an ID $id_w$ specified by the SC server, its current position $l_w$ and its speed $v_w$.
- the ElGamal cryptosystem can be extended to support commutative encryption, and two new algorithms are defined as follows:
- the ciphertext of $E'_{h_a}(m)$ is
- the ciphertext $(c_1, c_2, c_3)$ can be decrypted using the private keys $x_a$ and $x_b$ in either order, and the decryption result is the same. If we use the private key $x_a$ first, we have $E'_{h_b}(m)$, which can be decrypted again by $x_b$ to obtain $m$. It is easy to verify that if $x_b$ is used first and then $x_a$, the decryption result is the same.
- each worker $w_{i^*} \in W^*$ can reach the position $l_s$ before the deadline $e_s$;
- no other worker $w_j \in W \setminus W^*$ can reach the position $l_s$ before any worker $w_{i^*} \in W^*$;
- the present invention also provides an implementation method for accepting a guaranteed privacy protection space crowdsourcing task allocation system, comprising the following steps:
- winner calculation: the SC server holds a list of 2-tuples $\langle i, E(t_i'^2)\rangle$, where $i$ is the ID of the worker $w_i$, $1 \le i \le n$; to protect the identity of the workers, especially the winners, it encrypts each worker's ID with a PRF $f_k$ and sends $\langle f_k(i), E(t_{f_k(i)}'^2)\rangle$ to the cryptographic service provider; the cryptographic service provider computes the winner set from the travel times: it sorts them in ascending order and then adds workers to the winner set one by one until the expected acceptance rate is reached;
- the fourth stage, task location broadcast: once $E'_C(f_k(i^*))$ is received, the space crowdsourcing server encrypts the task location $l_s$ and broadcasts it to all workers. $l_s$ is encrypted as follows:
- $h$ is a length-matching hash function for mapping a longer bit string to a shorter bit string
- one method of constructing an $h$ that is provably semantically secure is to cut a longer bit string into multiple fixed-length shorter bit strings and output the XOR of these shorter bit strings; only workers who obtain $E'_C(f_k(i^*))$ can compute the task location information.
- all workers are required to send their encrypted locations to the space crowdsourcing server in the form of $E(x_i^2 + y_i^2)$, $E(x_i)$ and $E(y_i)$, and the space crowdsourcing server is asked to calculate $E(d^2(l_i, l_s))$.
- each worker encrypts its speed through the ElGamal cryptosystem and sends $E'(v_i)$ to the space crowdsourcing server, and the space crowdsourcing server passes all
- the encrypted virtual travel time is sent to the space crowdsourcing server for further processing; during this process, the cryptographic service providing unit and all workers know the exact value of $V$, which does not violate the personal privacy of any worker.
- $t_i'^2$ can be obtained by decrypting $E(t_i'^2)$, and the actual travel time calculated from it.
- the cryptographic service provider then ranks all workers by travel time and determines whether they can reach the task location before the due date $e_s$, then adds the workers to the winner set one by one until the expected acceptance rate is reached; if the task cannot be accepted at the expected rate, the cryptographic service provider notifies the SC server that no worker set can guarantee the task is accepted; otherwise, it uses ElGamal to encrypt the winner's ID $f_k(i^*)$ for each winner and sends $E'_C(f_k(i^*))$ to the SC server.
- the following steps ensure that only the winner can obtain the $E'_C(f_k(i^*))$ information:
- each worker $w_i$ obtains the encrypted ID $f_k(i)$ from the space crowdsourcing server, encrypts it with ElGamal using its own public key, and sends the encrypted information $E'_{w_i}(f_k(i))$ to the cryptographic service providing unit; after receiving the information, the cryptographic service providing unit encrypts it again with ElGamal using its own public key and the same random number $r$ that was used for encrypting $E'_C(f_k(i^*))$; the cryptographic service providing unit then sends the result to each worker, who can decrypt it with their private key to obtain $E'_C(f_k(i))$; the public key should be kept secret to protect privacy.
- the present invention has the following beneficial effects:
- the present invention combines partially homomorphic encryption schemes to efficiently implement the complex operations required on encrypted data, thereby avoiding significant performance penalties. Implementing the above calculation with a scheme based on fully homomorphic encryption (FHE) results in high computational cost; by using partially homomorphic encryption schemes, the present invention effectively reduces that cost. Moreover, the system algorithm of the present invention solves the technical problem that not all the operations required to calculate inequality (8) can be supported.
- the invention can realize efficient task assignment in space crowdsourcing and provide privacy protection for both workers and tasks. This is the first time mutual privacy protection has been achieved in space crowdsourcing, and it is inventive.
- the present invention can implement some complicated operations that the existing practical cryptosystem cannot support. Through this strategy, the protocol of the present invention can implement privacy protection of both parties with acceptable overhead.
- the present invention ensures that tasks are accepted with high probability.
- Figure 1 is a schematic diagram of the system model of space crowdsourcing; Figure 1(a) is a schematic diagram of the system model of non-private space crowdsourcing; Figure 1(b) is a schematic diagram of the task allocation system model of the privacy-protecting space crowdsourcing of the present invention.
- FIG. 2 is a flow chart of the privacy-protected space crowdsourcing task allocation system of the present invention.
- FIG. 3 is a schematic diagram showing the efficiency of the protocol of the present invention: number of workers with respect to travel time (changing MAR); FIG. 3(a) represents a key length of 1024, and FIG. 3(b) represents a key length of 2048.
- FIG. 4 is a schematic diagram showing the efficiency of the protocol of the present invention: number of workers with respect to travel time (changing ⁇); FIG. 3(a) represents a key length of 1024, and FIG. 3(b) represents a key length of 2048.
- Figure 5 is a schematic diagram of the number of workers in the protocol of the present invention relative to the communication overhead of the parties (changing MAR); Figure 4(a) represents a key length of 1024 and Figure 4(b) represents a key length of 2048.
- Figure 6 is a schematic diagram of the number of workers in the protocol of the present invention relative to the communication overhead of the parties (changing a); Figure 4(a) represents a key length of 1024 and Figure 4(b) represents a key length of 2048.
- Figure 8 is a schematic diagram showing the efficiency of the protocol of the present invention in terms of WTD (worker travel distance) by changing ⁇. Figure 8(a): the data set is Gowalla and the worker acceptance rate is a linear decreasing function of the travel time. Figure 8(b): the data set is Gowalla and the worker acceptance rate obeys the Zipf distribution. Figure 8(c): the data set is Yelp and the worker acceptance rate is a linear decreasing function of the travel time. Figure 8(d): the data set is Yelp and the worker acceptance rate obeys the Zipf distribution.
- Figure 9 is a schematic diagram showing the efficiency of the protocol of the present invention in terms of WTD (worker travel distance) as a parameter is changed. Figure 9(a): the data set is Gowalla and the worker acceptance rate is a linear decreasing function of the travel time. Figure 9(b): the data set is Gowalla and the worker acceptance rate obeys the Zipf distribution. Figure 9(c): the data set is Yelp and the worker acceptance rate is a linear decreasing function of the travel time. Figure 9(d): the data set is Yelp and the worker acceptance rate obeys the Zipf distribution.
- Figure 10 is a schematic diagram showing the efficiency of the protocol of the present invention in terms of NNW (number of notified workers) by changing the MAR. Figure 10(a): the data set is Gowalla and the worker acceptance rate is a linear decreasing function of the travel time. Figure 10(b): the data set is Gowalla and the worker acceptance rate obeys the Zipf distribution. Figure 10(c): the data set is Yelp and the worker acceptance rate is a linear decreasing function of the travel time. Figure 10(d): the data set is Yelp and the worker acceptance rate obeys the Zipf distribution.
- Figure 11 is a schematic diagram showing the efficiency of the protocol of the present invention in terms of NNW (number of notified workers) by changing ⁇. Figure 11(a): the data set is Gowalla and the worker acceptance rate is a linear decreasing function of the travel time. Figure 11(b): the data set is Gowalla and the worker acceptance rate obeys the Zipf distribution. Figure 11(c): the data set is Yelp and the worker acceptance rate is a linear decreasing function of the travel time. Figure 11(d): the data set is Yelp and the worker acceptance rate obeys the Zipf distribution.
- FIG 1 depicts the system model for space crowdsourcing.
- the SC server is responsible for assigning appropriate workers to the space tasks created by the task requester. Workers need to report their private information (such as location and speed) to the SC server through their mobile devices.
- the space task $s$ is the task to be executed at position $l_s$ and associated with the expiration date $e_s$.
- the task requester creates a space task $s$ and specifies its location $l_s$ and expiration date $e_s$. To perform this task, the worker must reach the position $l_s$ before the deadline $e_s$.
- the SC server assigns it to appropriate workers based on some predefined policy. In the present invention, we assume that the SC server preferentially selects the workers who can arrive at $l_s$ first. We also assume that each worker accepts the assigned task with a certain probability, expressed as an acceptance rate (AR). Assuming each worker's AR is 100%, we first define a simple task assignment problem as follows:
- the first requirement means $t_c + d(l_{i^*}, l_s)/v_{i^*} \le e_s$, where $t_c$ is the current time, $l_{i^*}$ is the current position of $w_{i^*}$, $v_{i^*}$ is the speed of $w_{i^*}$, and $d(l_{i^*}, l_s)$ is the Euclidean distance between the positions $l_{i^*}$ and $l_s$.
- the second requirement means that there is no $w_j$ such that $d(l_j, l_s)/v_j < d(l_{i^*}, l_s)/v_{i^*}$.
- no other worker $w_j \in W \setminus W^*$ can reach the position $l_s$ before any worker $w_{i^*} \in W^*$;
- the task location information $l_s$ cannot be obtained by the CSP or by any worker except $w_{i^*}$;
- The last requirement of $P_{PTA}$ indicates that the SC server is not allowed to know the identity of the winner. If the SC server knew who the winner is, it could use background knowledge (such as task location and due date) to infer the approximate location of the winner. Obviously, in $P_{TA}$ the SC server determines the winner. However, in $P_{PTA}$, the SC server is not allowed to know who the winner is. This contradiction is another difficulty of $P_{PTA}$.
- the present invention uses the ideal paradigm to define the security of the protocol.
- if, during protocol execution, each party involved learns no more information than it is entitled to, the protocol is secure or privacy-protecting.
- This can be defined by the ideal paradigm as follows: for every adversary, there exists a probabilistic polynomial-time simulator such that the view of the adversary in the real world and the view of the simulator in the ideal world are computationally indistinguishable.
- if protocol $P$ leaks no more information to $P_i$ than its final output, we say that protocol $P$ is fully privacy-protecting against $P_i$.
- ⁇ denotes computational indistinguishability. In that case we say that protocol $P$ is privacy-protecting against $P_i$ with leakage $K_i$, because it leaks to $P_i$ no more information than $K_i$ and the final output.
- the present invention employs several encryption tools: a pseudo-random function, a Paillier cryptosystem and an ElGamal cryptosystem, which are briefly described below.
- a pseudo-random function (PRF) is a function whose outputs, observed in a black-box manner, cannot be distinguished from those of a truly random function.
- a keyed one-way hash function such as HMAC
- Paillier is a public key cryptosystem whose security is based on an assumption related to the hardness of factoring (whether or not it is equivalent to it). It consists of the following three algorithms:
- N and g are obtained from the public key pk, and c is the ciphertext of m.
- Paillier is semantically secure, meaning that an attacker cannot obtain any information about the plaintext from the ciphertext.
- it is also a probabilistic encryption scheme, which means that different ciphertexts are generated when the same message is encrypted multiple times. It can be clearly seen from equation (1) that the random number r participates in the encryption process.
- ElGamal is a public key cryptosystem whose security is based on the intractability of the discrete logarithm problem. It consists of several public domain parameters, which can be shared by multiple users, and three algorithms:
- the ciphertext c is decrypted by the following calculation:
- ElGamal is also a probabilistic encryption scheme because each message is encrypted by a different random number r, as shown in equation (5).
- An interesting property of the ElGamal cryptosystem is homomorphic multiplication. Specifically, multiplying the ciphertext of $m_1$ by the ciphertext of $m_2$ yields a ciphertext of $m_1 m_2$, namely:
- Commutative encryption satisfies two encryption-independent properties.
- ElGamal can be extended to support commutative encryption.
- the two new algorithms are defined as follows:
- the ciphertext of $E'_{h_a}(m)$ is
- the ciphertext $(c_1, c_2, c_3)$ can be decrypted using the private keys $x_a$ and $x_b$ in either order, and the decryption result is the same. If we use the private key $x_a$ first, we have $E'_{h_b}(m)$, which can be decrypted again by $x_b$ to obtain $m$. It is easy to verify that if $x_b$ is used first and then $x_a$, the decryption result is the same.
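The two ElGamal properties used above, homomorphic multiplication (the product of the encrypted speeds) and two-key encryption whose layers can be removed in either order, are shown below as an added example; it is not code from the patent. The construction $c_3 = m \cdot h_a^{r_a} \cdot h_b^{r_b}$ with $c_1 = g^{r_a}$, $c_2 = g^{r_b}$ is an assumed, standard way to obtain a three-part ciphertext, since the patent's own formulas are missing from this page, and the group parameters are toy values.

```python
import secrets

# Toy domain parameters, constructed for this example (not secure parameters).
P = 2**127 - 1      # prime modulus p
G = 3               # base element g


def keygen():
    """Return (x, h): private key x and public key h = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def inv_pow(c, x):
    """c^(-x) mod p, computed as c^(p-1-x) by Fermat's little theorem."""
    return pow(c, P - 1 - x, P)


def encrypt(h, m):
    """Standard ElGamal: E'(m) = (g^r, m * h^r) with a fresh random r."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), m * pow(h, r, P) % P


def decrypt(x, c):
    c1, c2 = c
    return c2 * inv_pow(c1, x) % P


def multiply(ca, cb):
    """Homomorphic multiplication: E'(m1) * E'(m2) is a ciphertext of m1*m2."""
    return ca[0] * cb[0] % P, ca[1] * cb[1] % P


def product_of_speeds(speeds):
    """Workers encrypt v_i under the CSP key, the SC server multiplies the
    ciphertexts, and the CSP decrypts only the product V."""
    x_csp, h_csp = keygen()
    acc = encrypt(h_csp, 1)
    for v in speeds:
        acc = multiply(acc, encrypt(h_csp, v))   # SC server never sees v
    return decrypt(x_csp, acc)


def encrypt_two_keys(h_a, h_b, m):
    """Assumed two-key form: (g^ra, g^rb, m * h_a^ra * h_b^rb)."""
    r_a = secrets.randbelow(P - 2) + 1
    r_b = secrets.randbelow(P - 2) + 1
    c3 = m * pow(h_a, r_a, P) * pow(h_b, r_b, P) % P
    return pow(G, r_a, P), pow(G, r_b, P), c3


def remove_layer_a(x_a, c):
    """Strip key a; what remains is an ordinary ciphertext under h_b."""
    c1, c2, c3 = c
    return c2, c3 * inv_pow(c1, x_a) % P


def remove_layer_b(x_b, c):
    """Strip key b; what remains is an ordinary ciphertext under h_a."""
    c1, c2, c3 = c
    return c1, c3 * inv_pow(c2, x_b) % P


def decrypt_in_both_orders(m):
    """Return the plaintexts recovered with x_a first and with x_b first."""
    x_a, h_a = keygen()
    x_b, h_b = keygen()
    c = encrypt_two_keys(h_a, h_b, m)
    a_then_b = decrypt(x_b, remove_layer_a(x_a, c))
    b_then_a = decrypt(x_a, remove_layer_b(x_b, c))
    return a_then_b, b_then_a


if __name__ == "__main__":
    print(product_of_speeds([5, 1, 4]))
    print(decrypt_in_both_orders(123456789))
```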
- Input: a collection of $n$ workers, where each worker $w_i$ has ID $i$, location $l_i$ and speed $v_i$; a space task $s$ (created by the task requester) with task position $l_s$ and due date $e_s$; an SC server and a CSP.
- the CSP generates a Paillier key pair (pk, sk) and an ElGamal key pair (pk', sk').
- the SC server and all workers get the public keys pk and pk'.
- the private keys sk and sk' are known only to the CSP.
- the SC server encrypts $x_s$ and $y_s$ with the public key pk and sends the results to all workers.
- the SC server sends $f_k(i)$ to worker $w_i$, where $f_k$ is a PRF.
- SC server will Where $1 \le i \le n$.
- the CSP sorts the workers' travel times in ascending order, and then adds the workers to the winner set one by one until the expected acceptance rate is reached, and the winner set $W^*$ is obtained. For any worker in the winner set $W^*$, its travel time is
- the CSP encrypts $f_k(i^*)$ using k' and sends $E'_C(f_k(i^*))$ to the SC server.
- the present invention uses two partial homomorphic encryption schemes, Paillier and ElGamal, to construct our solution, which consists of the five phases depicted in Figure 2.
- the CSP generates the domain parameters of ElGamal and the key pairs of Paillier and ElGamal. It keeps the private key secret and sends the public key to the SC server and all workers.
- the task requester creates a space task triggering the start of phase 1, during which the SC server and all workers run a privacy protection distance calculation protocol based on the encrypted location information and output the encrypted distance information.
- each worker's speed is encrypted and sent to the SC server in collaboration with the CSP to calculate the travel time of each worker.
- the SC server calculates the winner by means of CSP in the third stage, but the result is still in encrypted form.
- the location information of the encrypted task is broadcast to all workers, but only the winner can retrieve the location of the task. After that, the winner arrives at the designated location to perform the corresponding task.
- Extended Algorithm 1 is a concrete implementation of a privacy protection task assignment protocol. We explain in detail as follows.
- Phase 1: since the key generation of the Paillier and ElGamal cryptosystems required for phase 0 has been introduced in "III. Cryptographic building blocks", we describe the detailed construction of the protocol starting from the first stage.
- each worker $w_i$ calculates the square of the distance between $l_s$ and its current location $l_i$ and encrypts it, namely:
- the travel time $t_i = d(l_i, l_s)/v_i$, i.e. the worker with the shortest virtual travel time must have the shortest exact travel time.
- each worker encrypts its speed through the ElGamal cryptosystem and sends $E'(v_i)$ to the SC server.
- the SC server can obtain $E'(V)$ by multiplying all the encrypted speeds.
- the SC server then asks the CSP to decrypt $E'(V)$ and send $V$ to all workers.
- the encrypted virtual travel time is sent to the SC server for further processing. Please note that the CSP and all workers in the above process know the exact value of $V$. However, this does not violate the personal privacy of any worker, as will be demonstrated in the next section.
- the SC server has a list of 2-tuple ⁇ i, E(ti'2)>, where i is the ID of the person wi, 1 ⁇ i ⁇ n.
- i is the ID of the person wi, 1 ⁇ i ⁇ n.
- it encrypts each worker's ID with a PRF fk function and sends ⁇ fk(i), E(tfk(i)'2)> to the CSP. Since the CSP has Paillier's private key, ti'2 can be obtained by decrypting E(ti'2) and calculating the actual travel time.
- the CSP sorts all workers by travel time and determines whether they can reach the mission position before the due date es, and then adds the workers to the winner set one by one until the expected acceptance rate is reached, ie ⁇ (W, s) ⁇ ⁇ . If the task cannot be accepted at the acceptance rate of ⁇ , the CSP notifies the SC server that no worker set can guarantee that the task is accepted. Otherwise, it uses ElGamal to encrypt the winner's ID fk(i*) for each winner and sends E'C(fk(i*)) to the SC server. Encryption here is necessary because the SC server can infer who is the winner after getting fk(i*). On the other hand, due to the pseudo-randomness of the PRF, the privacy of the winner's concentrated workers is still protected.
- Phase 4 Upon receiving E' C (f k (i * )), the SC server encrypts the task location l s and broadcasts to all workers Specifically, ls is encrypted in the following manner:
- h is a length matching hash function for mapping a longer bit string to a shorter bit string.
- a method of constructing semantically secure h is to truncate a longer bit string into a plurality of fixed-length shorter bit strings, and perform an exclusive-OR calculation on these shorter bit strings and output. Obviously, only workers who get E' C (f k (i * )) information can pass the calculation. Get the task location information. The following process ensures that only the winner can get E' C (f k (i * )) information.
- each worker w i obtains the encrypted ID f k (i) from the SC server and encrypts it with ElGamal using its own public key, and then sends the encrypted information E' wi (f k (i)) to CSP.
- the CSP encrypts it again via ElGamal using its public key and the same random number r used to encrypt E' C (f k (i * )).
- CSP will then result Sent to each worker who can be decrypted by his private key to obtain E' C (f k (i)). Obviously, only the winner w fk(i*) can get E' C (f k (i * )).
- the public key used here should be kept confidential to protect privacy.
- the appropriate key length should be set to avoid overflow of all workers' speed products. For example, we used a 2048-bit key to process 1,000 workers in the experiment. If the number of workers is large, the likely method is to use the least common multiple (LCM) instead of multiplication.
- LCM least common multiple
- Table 1 summarizes the computational cost of our agreement. We assume that all workers can perform calculations (such as encryption and decryption) in parallel, and can interact with the SC server and CSP in parallel, so we only need to consider the computational cost of a user. In addition, we ignore low-cost operations such as large integer multiplication and bit-wise XOR operations.
- the detailed analysis is as follows. In the extended algorithm 1, the SC server performs three Paillier encryptions (line 5), and the worker w i performs a Paillier encryption and a two-modulus power operation (lines 7, 8) for privacy calculation of the travel distance. In the second phase, the worker performs an ElGamal encryption to protect its speed (line 12).
- the product of the encrypted speed is decrypted by the CSP (line 15) to achieve the calculation of the subsequent travel time.
- the SC server uses n PRF functions to protect the worker's ID (line 21), the CSP performs n times of ElGamal decryption (line 23) and an ElGamal encryption (line 25) to find the winner and protect it. ID.
- the worker w i will perform one ElGamal encryption (line 29) and one ElGamal secondary decryption (line 31), and the CSP will perform n times of ElGamal secondary encryption (line 30). ).
- Table 2 shows the communication overhead of the proposed protocol.
- L and L' are the key lengths of the Paillier and ElGamal encryption systems, respectively.
- Table 2 summarizes the communication overhead of our protocol. Since the ciphertext is usually larger than the plaintext, we only consider the ciphertexts sent and received by each party. Note that the ciphertext lengths of ElGamal encryption and secondary encryption are twice and three times the key length, respectively. We omit the detailed analysis; please refer to Table 2 for the results.
- Lemma 3: the product and the set of positive rational numbers {b_1, ..., b_n} are generated from random positive integers ranging from 1 to d (d > n) and satisfy the following equation:
- Lemma 4: select a random number a from 1, ..., d; when d → ∞, the probability that a is a prime number is 1/log d.
- Theorem 2: based on the information K_i (-1 ≤ i ≤ n), the probability that the intruder P_i can obtain the private information of any party during the execution of the task assignment protocol (Extended Algorithm 1) is negligible.
- differential privacy is significantly less expensive than public-key cryptosystems, but it does not protect data during the computation (for example, it allows a trusted third party to view the locations of all workers). It is therefore meaningless to compare our protocol (based on public-key cryptosystems) with the method of To et al. (based on differential privacy) in terms of running time. We therefore focus only on the efficiency of our protocol and test whether its overhead is acceptable in practice. We run our protocol 10 times and report the average results.
- Gowalla contains the check-in history of users in a location-based social network.
- for Yelp, we chose a region of Phoenix with latitude from 33.205308 to 33.924407 and longitude from -112.400283 to -111.218100. The region has approximately 67,000 users and 11,200 companies.
- a company location is considered a task, and a user's location is randomly selected from the companies the user has viewed.
- Figures 3 and 4 depict the running time of the extended version of the protocol when varying MAR and α, respectively.
- the extra overhead comes mainly from ElGamal encryption, because the number of encryptions is bounded by the size of the winner set, which is usually small (more results can be found in Figures 10, 11 and 12).
- Figures 7, 8 and 9 vary MAR, α and the privacy budget to show the performance of our protocol in terms of WTD (worker travel distance).
- our protocol outperforms the benchmark in all combinations of datasets (Gowalla, Yelp) and acceptance rate functions (Linear, Zipf).
- the benchmark needs to access more grid cells to achieve the desired acceptance rate.
- each cell usually contains some workers. Some of them may be far from the task location, but they can accept the task.
- our protocol always selects workers based on their travel time (or travel distance in this case). That is why our protocol is much better than the benchmark when MAR is small.
- Figure 9 shows that the benchmark has a larger WTD when stronger privacy protection is provided. However, even when only weak privacy protection is provided, our protocol is still better than the benchmark.
Abstract
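The invention discloses an acceptance-guaranteed, privacy-preserving spatial crowdsourcing task assignment system and method, comprising an SC server, a crypto service provider, a spatial task requester and workers. The crypto service provider generates keys, using the Paillier and ElGamal cryptosystems. The spatial task requester creates a spatial task and returns the task location to the SC server. The SC server encrypts the task location, and each worker computes the distance between the task location and the worker's location. Each worker's speed is encrypted and sent to the SC server; each worker computes its travel time, encrypts it and sends it to the SC server. The SC server computes the winning workers with the help of the crypto service provider, which encrypts the winner set containing multiple winners and returns it to the SC server. The SC server encrypts the task location and broadcasts it to all workers, and the winning workers travel to the designated location to perform the task. The invention achieves privacy protection for both parties in spatial crowdsourcing, greatly reduces computational cost, and guarantees that the task is accepted with high probability.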
Description
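The invention belongs to the field of computing and specifically relates to a task assignment system for spatial crowdsourcing, in particular an acceptance-guaranteed, privacy-preserving spatial crowdsourcing task assignment system; the invention also relates to a method for implementing that system.
Crowdsourcing outsources a task (usually performed by a designated agent) to the public through an open call, and has fundamentally changed the landscape of problem solving. Crowdsourcing can provide talent capacity and expert services on demand at far lower cost than hiring professionals, and has been applied successfully to book transcription, protein folding, galaxy classification and traffic monitoring. Recently crowdsourcing has also been widely used in emergency management, because it can collect critical information efficiently and cheaply in emergencies and disasters, such as affected areas, people at risk, and potential areas that may need search and rescue operations. For example, on April 25, 2015, Nepal was hit by a magnitude 7.8 earthquake. To provide a detailed damage assessment, DigitalGlobe collected high-resolution satellite images of the affected area from before and after the earthquake; these images were divided into small parts and given to an online crowd to identify damaged buildings and roads. With the help of crowdsourcing, more than 21,000 damaged buildings and roads were identified and marked within one month, providing valuable data for relief and reconstruction.
Thanks to ubiquitous wireless networks and the rapid development of smart mobile devices, crowdsourcing can play a more proactive role in emergency management. A new type of crowdsourcing, spatial crowdsourcing (SC), outsources a spatial task (i.e. a location-related task) to multiple workers carrying mobile devices, who must travel to a designated location and complete the task. We continue the earthquake emergency management example above. The SC server sends a spatial task, namely whether survivors exist in a particular collapsed building, to all available workers, including volunteers and professionals equipped with life-detection instruments. Workers willing to perform the task travel to the building to inspect it and send the results back to the SC server. A rescue plan can then be made on that basis; for example, if someone is identified as trapped in the rubble, professional heavy rescue equipment is deployed on site.
In any application domain, the success of crowdsourcing depends on the active participation of the crowd. For spatial crowdsourcing, location privacy is the main factor that keeps workers from taking on spatial tasks. To achieve effective task assignment (effective here meaning that a spatial task can be completed quickly by assigning it to nearby workers), the SC server must continuously collect workers' locations through their mobile devices. However, workers have very little control over how their location data, stored by an untrusted third party (the SC server), is used. In fact, the collected location data may well be shared, rented or sold, with serious consequences for personal privacy. Based on such location data, an intruder can carry out a wide range of attacks on individuals, such as physical surveillance and stalking, identity theft and disclosure of sensitive information (for example home address and living habits). Location privacy protection, or more generally worker privacy protection, is therefore an important aspect of spatial crowdsourcing, because it encourages workers to participate actively in completing spatial tasks. This is especially important for emergency management, because more active workers usually mean tasks are completed faster.
Tasks on existing crowdsourcing platforms (such as Amazon Mechanical Turk) are public to all workers. This model may be unsuitable for spatial crowdsourcing in emergencies. Once a task's location is public, an excessive number of workers motivated by altruism may go there to perform the task even though they were not asked to. This can cause further disorder, such as traffic congestion. Therefore the task location should not be known to any worker other than those to whom the task is assigned. Sometimes task location protection is also desirable from the task requester's point of view. For example, a person with a health problem at home can seek help through crowdsourcing, but disclosing the health problem and the home address clearly violates personal privacy. Task location privacy should therefore also be protected in spatial crowdsourcing.
In location-based service scenarios there has been much work on location privacy, but comparatively little research on spatial crowdsourcing applications. In [To, H., Ghinita, G. and Shahabi, C.: A framework for protecting worker location privacy in spatial crowdsourcing. PVLDB, 7(10), 919-930 (2014)], workers' locations are collected and perturbed by a trusted party, which injects calibrated noise into the raw data according to differential privacy [see Dwork, C., 2008, April. Differential privacy: A survey of results. In International Conference on Theory and Applications of Models of Computation (pp. 1-19). Springer Berlin Heidelberg.]. On receiving a spatial task, the SC server queries the perturbed location data to determine a region near the task location that is likely to contain enough workers. Workers in that region are notified of the task and may decide whether to perform it. The solution proposed in this pioneering work has several drawbacks. First, it considers only workers' location privacy and not the privacy of the task location. Second, it assigns tasks mainly on the basis of workers' travel distance, without considering other important factors such as workers' travel speed, so the assignment results are sometimes unsatisfactory. In addition, it relies on a very strong assumption, namely that there is a trusted party with access to all workers' locations. A scheme based on fully homomorphic encryption (FHE) could be designed to carry out the system's computations, but this would incur high computational cost and give the approach limited practical value.
There is therefore an urgent need for a spatial crowdsourcing task assignment system that protects both workers' location privacy and task location privacy, and keeping the computational cost of such a system under control is itself a technical challenge.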
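Summary of the Invention
The technical problem to be solved by the invention is to provide an acceptance-guaranteed, privacy-preserving spatial crowdsourcing task assignment system. During task assignment, not only workers' privacy but also task privacy should be protected. The invention encrypts the private data of both parties, achieving strong mutual protection; the computational cost of the system is greatly reduced; and the invention guarantees that the task is accepted with high probability. To this end, the invention also provides a method for implementing the system.
To solve the above technical problem, the invention provides an acceptance-guaranteed, privacy-preserving spatial crowdsourcing task assignment system comprising an SC server, a crypto service provider, a spatial task requester and workers; the SC server is the spatial crowdsourcing server;
the crypto service provider is used to generate keys, using the Paillier cryptosystem and the ElGamal cryptosystem; the crypto service provider generates the ElGamal domain parameters and the Paillier and ElGamal key pairs, keeps the private keys secret, and sends the public keys to the SC server and all workers;
the spatial task requester is used to create a spatial task and transmit the task location to the SC server; after encrypting the task location with the public key, the SC server sends the ciphertext to all workers; on receiving this encrypted information from the SC server, each worker computes the distance between the task location and the worker's location, thereby obtaining the privacy-preserving distance;
each worker's speed is encrypted and sent to the SC server, which cooperates with the crypto service provider; the SC server multiplies the encrypted speeds of all workers, and the crypto service provider decrypts the product to obtain V, which is sent to each worker; each worker computes its travel time, encrypts it and sends it to the SC server;
the SC server, with the help of the crypto service provider, computes the winning workers from the encrypted privacy-preserving travel times, and the crypto service provider encrypts the winner set containing multiple winners and returns it to the SC server; the crypto service provider obtains the travel times of all workers from the SC server, sorts them in ascending order, and adds workers to the winner set one by one until the expected acceptance rate is reached;
the SC server encrypts the task location and broadcasts it to all workers, assigning the task to workers; only the winning workers can decrypt the encrypted task location, and the winning workers travel to the designated location to perform the task.
As a preferred technical solution of the invention, the spatial task s is a task to be performed at location l_s and associated with a deadline e_s; the worker w is a person willing to perform spatial tasks, and each worker is associated with an ID id_w assigned by the SC server, a speed v_w and a current location l_w.
As a preferred technical solution of the invention, given the worker set W = {w_1, w_2, …, w_n} and the location l_s and deadline e_s of the spatial task s, the SC server uses a task assignment algorithm to assign the task to worker w_i*, which must satisfy two conditions: first, w_i* can reach l_s before the deadline e_s; second, no other worker can reach l_s before w_i*.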
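As a preferred technical solution of the invention, the ElGamal cryptosystem can be extended to support commutative encryption, using two new algorithms defined as follows:
– Secondary encryption: given a ciphertext E'_{h_a}(m) = (g^{r_a}, m·h_a^{r_a}) encrypted under the public key h_a, it can be encrypted a second time by choosing a random number r_b with 0 ≤ r_b ≤ q–1 and computing c1 = g^{r_a}, c2 = g^{r_b} and c3 = m·h_a^{r_a}·h_b^{r_b}, where h_b is a public key. The ciphertext of E'_{h_a}(m) is
– Secondary decryption: the ciphertext (c1, c2, c3) can be decrypted using the private keys x_a and x_b in either order, and the decryption result is the same. If the private key x_a is used first, we have
E'_{h_b}(m) can then be decrypted again with x_b to obtain m. It is easy to verify that the decryption result is the same if x_b is used first and then x_a.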
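As a preferred technical solution of the invention, the set of multiple winners is defined as follows: let W = {w_1, w_2, …, w_n} be a set of n workers; given a spatial task s, the task s is assigned to a group of workers W*, called the winner set, such that:
1. every worker w_i* ∈ W* can reach location l_s before the deadline e_s;
2. no other worker w_j ∈ W\W* can reach location l_s before any worker w_i* ∈ W*;
3. η(W*, s) ≥ α, where α is the expected acceptance rate that at least one worker in W* accepts task s.
In addition, the invention provides a method for implementing the acceptance-guaranteed, privacy-preserving spatial crowdsourcing task assignment system, comprising the following steps: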
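Phase 1, computing the distance between the task location and the worker location: after encrypting the task location l_s = (x_s, y_s) with the Paillier public key, the spatial crowdsourcing server sends three ciphertexts to all workers: E(x_s^2 + y_s^2), E(x_s) and E(y_s). On receiving this encrypted information from the spatial crowdsourcing server, each worker w_i computes the square of the distance between l_s and its current location l_i in encrypted form, namely:
Phase 2, computing each worker's travel time: let W = {w_1, w_2, …, w_n} be a set of n workers, let V be the product of all workers' speeds, and let v_k' = V/v_k, where 1 ≤ k ≤ n; for any two workers w_i, w_j ∈ W, d(l_i, l_s)/v_i < d(l_j, l_s)/v_j if and only if d(l_i, l_s)·v_i' < d(l_j, l_s)·v_j'; for each worker a virtual travel time t_i' = d(l_i, l_s)·v_i' is computed, which is equivalent to the exact travel time t_i = d(l_i, l_s)/v_i, i.e. the worker with the shortest virtual travel time necessarily has the shortest exact travel time;
Phase 3, computing the winning workers: the SC server has a list of 2-tuples <i, E(t_i'^2)>, where i is the ID of worker w_i, 1 ≤ i ≤ n; to protect the identities of the workers, and of the winners in particular, it encrypts each worker's ID with a PRF f_k and sends <f_k(i), E(t_{f_k(i)}'^2)> to the crypto service provider; the crypto service provider computes the winner set from the travel times: it sorts them in ascending order and then adds workers to the winner set one by one until the expected acceptance rate is reached;
where h is a length-matching hash function used to map a longer bit string to a shorter bit string; one construction of h that has been proven semantically secure is to truncate a longer bit string into several fixed-length shorter bit strings, XOR these shorter bit strings together and output the result; only workers who obtain E'_C(f_k(i*)) can obtain the task location information by computing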
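As a preferred technical solution of the invention, in the first phase all workers are required to send their encrypted locations to the spatial crowdsourcing server in the form E(x_i^2 + y_i^2), E(x_i) and E(y_i), and the spatial crowdsourcing server is required to compute E(d^2(l_i, l_s)).
As a preferred technical solution of the invention, in the second phase each worker encrypts its speed with the ElGamal cryptosystem and sends E'(v_i) to the spatial crowdsourcing server, which obtains E'(V) by multiplying all the encrypted speeds together; the spatial crowdsourcing server then asks the crypto service providing unit to decrypt E'(V) and sends V to all workers' mobile terminals; by dividing V by its speed v_i, each worker w_i obtains the value of v_i' and computes E(d^2(l_i, l_s))^(v_i'^2) = E(d^2(l_i, l_s)·v_i'^2) = E(t_i'^2); the encrypted virtual travel time is sent to the spatial crowdsourcing server for further processing; in this process the crypto service providing unit and all workers know the exact value of V, which does not violate any worker's personal privacy.
As a preferred technical solution of the invention, in the third phase, since the crypto service provider holds the Paillier private key, it can obtain t_i'^2 by decrypting E(t_i'^2) and compute the actual travel time. The crypto service provider then sorts all workers by travel time, determines whether each can reach the task location before the deadline e_s, and adds workers to the winner set one by one until the expected acceptance rate is reached; if the task cannot be accepted at the expected acceptance rate, the crypto service provider notifies the SC server that no worker set can guarantee that the task is accepted; otherwise, it uses ElGamal to encrypt the ID f_k(i*) of each winner in the winner set and sends E'_C(f_k(i*)) to the SC server.
As a preferred technical solution of the invention, in the fourth phase the following steps ensure that only the winners can obtain E'_C(f_k(i*)):
First, each worker w_i obtains the encrypted ID f_k(i) from the spatial crowdsourcing server, encrypts it with ElGamal using its own public key, and sends the encrypted information E'_{w_i}(f_k(i)) to the crypto service providing unit; on receiving it, the crypto service providing unit encrypts it again with ElGamal using its public key and the same random number r that was used to encrypt E'_C(f_k(i*)); the crypto service providing unit then sends the result to each worker, who can decrypt it with its private key to obtain E'_C(f_k(i)); the public key should be kept secret to protect privacy.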
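Compared with the prior art, the invention has the following beneficial effects:
1. Privacy protection for both parties. During task assignment, not only workers' privacy but also task privacy should be protected. The invention uses well-known cryptosystems to encrypt the private data of both parties, achieving strong mutual protection.
2. Efficient task assignment. During task assignment, travel time matters more than travel distance, especially for tasks with deadlines, so worker speed is regarded as an important metric in recent spatial crowdsourcing applications. The invention combines worker speed with worker location to achieve more effective task assignment. Because travel distance and travel time are computed by the workers, the load on the SC server is greatly reduced and task assignment becomes more effective.
3. Acceptable overhead. The strength of privacy protection comes at the price of additional computation or communication cost. During task assignment, the invention combines partially homomorphic encryption schemes to carry out the required complex operations on encrypted data efficiently, avoiding significant performance loss. Compared with a scheme based on fully homomorphic encryption (FHE), which incurs high computational cost for the same computation, the partially homomorphic encryption schemes used by the invention effectively reduce that cost. The system's algorithm also solves the technical difficulty that these schemes cannot support all the operations needed to evaluate inequality (8).
4. The invention enables efficient task assignment in spatial crowdsourcing and provides privacy protection for both workers and tasks. This is the first time privacy protection for both parties has been achieved in spatial crowdsourcing, and it is inventive.
5. The invention can carry out some complex operations that existing practical cryptosystems cannot support; with this strategy, the protocol of the invention achieves privacy protection for both parties at acceptable overhead.
6. The invention guarantees that the task is accepted with high probability.
The invention is further described below with reference to the drawings and embodiments.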
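Figure 1 is a schematic diagram of the system model of spatial crowdsourcing; Figure 1(a) is a schematic diagram of the system model of non-private spatial crowdsourcing, and Figure 1(b) is a schematic diagram of the task assignment system model of the privacy-preserving spatial crowdsourcing of the invention.
Figure 2 is a flowchart of the acceptance-guaranteed, privacy-preserving spatial crowdsourcing task assignment system of the invention.
Figure 3 is a schematic diagram of the efficiency of the protocol of the invention, number of workers versus travel time (varying MAR); Figure 3(a) is for a key length of 1024 and Figure 3(b) for a key length of 2048.
Figure 4 is a schematic diagram of the efficiency of the protocol of the invention, number of workers versus travel time (varying α); Figure 3(a) is for a key length of 1024 and Figure 3(b) for a key length of 2048.
Figure 5 is a schematic diagram of the number of workers versus the communication overhead of each party in the protocol of the invention (varying MAR); Figure 4(a) is for a key length of 1024 and Figure 4(b) for a key length of 2048.
Figure 6 is a schematic diagram of the number of workers versus the communication overhead of each party in the protocol of the invention (varying α); Figure 4(a) is for a key length of 1024 and Figure 4(b) for a key length of 2048.
Figure 7 shows the efficiency of the protocol of the invention in terms of WTD (worker travel distance) when varying MAR; Figure 7(a): dataset Gowalla, worker acceptance rate a linearly decreasing function of travel time; Figure 7(b): dataset Gowalla, worker acceptance rate following a Zipf distribution; Figure 7(c): dataset Yelp, worker acceptance rate a linearly decreasing function of travel time; Figure 7(d): dataset Yelp, worker acceptance rate following a Zipf distribution.
Figure 8 shows the efficiency of the protocol of the invention in terms of WTD (worker travel distance) when varying α; Figure 8(a): dataset Gowalla, worker acceptance rate a linearly decreasing function of travel time; Figure 8(b): dataset Gowalla, worker acceptance rate following a Zipf distribution; Figure 8(c): dataset Yelp, worker acceptance rate a linearly decreasing function of travel time; Figure 8(d): dataset Yelp, worker acceptance rate following a Zipf distribution.
Figure 9 shows the efficiency of the protocol of the invention in terms of WTD (worker travel distance) when varying the privacy budget; Figure 9(a): dataset Gowalla, worker acceptance rate a linearly decreasing function of travel time; Figure 9(b): dataset Gowalla, worker acceptance rate following a Zipf distribution; Figure 9(c): dataset Yelp, worker acceptance rate a linearly decreasing function of travel time; Figure 9(d): dataset Yelp, worker acceptance rate following a Zipf distribution.
Figure 10 shows the efficiency of the protocol of the invention in terms of NNW (number of notified workers) when varying MAR; Figure 10(a): dataset Gowalla, worker acceptance rate a linearly decreasing function of travel time; Figure 10(b): dataset Gowalla, worker acceptance rate following a Zipf distribution; Figure 10(c): dataset Yelp, worker acceptance rate a linearly decreasing function of travel time; Figure 10(d): dataset Yelp, worker acceptance rate following a Zipf distribution.
Figure 11 shows the efficiency of the protocol of the invention in terms of NNW (number of notified workers) when varying α; Figure 11(a): dataset Gowalla, worker acceptance rate a linearly decreasing function of travel time; Figure 11(b): dataset Gowalla, worker acceptance rate following a Zipf distribution; Figure 11(c): dataset Yelp, worker acceptance rate a linearly decreasing function of travel time; Figure 11(d): dataset Yelp, worker acceptance rate following a Zipf distribution.
Figure 12 shows the efficiency of the protocol of the invention in terms of NNW (number of notified workers) when varying the privacy budget; Figure 12(a): dataset Gowalla, worker acceptance rate a linearly decreasing function of travel time; Figure 12(b): dataset Gowalla, worker acceptance rate following a Zipf distribution; Figure 12(c): dataset Yelp, worker acceptance rate a linearly decreasing function of travel time; Figure 12(d): dataset Yelp, worker acceptance rate following a Zipf distribution.
The invention is now described in further detail with reference to the drawings. The drawings are simplified schematics that illustrate only the basic structure of the invention, and therefore show only the components relevant to the invention.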
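I. System Model and Problem Definition
Figure 1 depicts the system model of spatial crowdsourcing. Non-private spatial crowdsourcing (see Figure 1(a)) has three components: the SC server (SC-server), workers carrying mobile devices (workers) and the spatial task requester (task requester). The SC server is responsible for assigning suitable workers to the spatial tasks created by the task requester. Workers must report their private information (such as location and velocity) to the SC server through their mobile devices. Based on this framework, we give the following definitions.
Definition 1 (spatial task). A spatial task s is a task to be performed at location l_s and associated with a deadline e_s.
Definition 2 (worker). A worker w is a person willing to perform spatial tasks. Each worker is associated with an ID id_w assigned by the SC server, a speed v_w and a current location l_w.
In spatial crowdsourcing, the task requester creates a spatial task s and specifies its location l_s and deadline e_s. To perform the task, a worker must reach location l_s before the deadline e_s. On receiving a spatial task, the SC server assigns it to suitable workers according to some predefined policy. In the invention, we assume that the SC server prefers the worker likely to reach l_s first. We also assume that each worker accepts an assigned task with a certain probability, called the acceptance rate (AR). Assuming each worker's AR is 100%, we first define the simple task assignment problem as follows:
Definition 3 (task assignment problem). Let W = {w_1, w_2, …, w_n} be a set of n workers. Given a spatial task s, the task assignment problem PTA(W, s) is to assign task s to a worker w_i* such that:
1. w_i* can reach l_s before the deadline e_s;
2. no other worker can reach l_s before w_i*.
In Definition 3, the first requirement means t_c + d(l_i*, l_s)/v_i* ≤ e_s, where t_c is the current time, l_i* is the current location of w_i*, v_i* is the speed of w_i*, and d(l_i*, l_s) is the Euclidean distance between locations l_i* and l_s. The second requirement means that there is no w_j such that d(l_j, l_s)/v_j < d(l_i*, l_s)/v_i*. For ease of later discussion, we call w_i* the winner of this problem and use i* as its ID. Note that when no worker can reach l_s before the deadline, no such winner exists. In that case, the SC server notifies the task requester that there is no suitable worker.
In practice, however, workers do not necessarily accept the tasks assigned to them. To guarantee that a task is accepted with high probability, several workers can be asked to perform it. Suppose the AR of worker w_i is a_i. Let η(W, s) denote the probability that at least one worker in W accepts task s. We therefore define another task assignment problem as follows:
Definition 4 (task assignment problem with acceptance guarantee). Let W = {w_1, w_2, …, w_n} be a set of n workers. Given a spatial task s, the task assignment problem with acceptance guarantee PTAG(W, s) is to assign task s to a group of workers W* (called the winner set) such that:
1. every worker w_i* ∈ W* can reach location l_s before the deadline e_s;
2. no other worker w_j ∈ W\W* can reach location l_s before any worker w_i* ∈ W*;
3. η(W*, s) ≥ α, where α is the expected probability that at least one worker in W* accepts task s.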
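Adversary model. Figure 1(b) is the system model of privacy-preserving spatial crowdsourcing. It introduces a new crypto service provider (CSP), which provides key services such as key generation to the SC server and the workers. For the adversary model, we assume that all parties are semi-honest. That is, they follow the prescribed protocol exactly, but may try to learn as much as possible about other parties' private inputs from what they see during protocol execution. In particular, the SC server is interested in each worker's location and speed and in each winner's ID. The CSP is interested in these as well, and also in the task location. Each worker wants to know the other workers' locations and speeds, each winner's ID, and the task location. As a special worker, each winner is entitled to know its own ID and the task location, but it also wants to know the other workers' locations and speeds and the other winners' IDs. Based on this adversary model, we have the following definition:
Definition 5 (privacy-preserving task assignment problem). Let W = {w_1, w_2, …, w_n} be a set of n workers. Given a spatial task s, the privacy-preserving task assignment problem PPTA(W, s) is to find the winner w_i* of PTA(W, s) in such a way that:
1. for each worker w_i ∈ W, its location l_i and speed v_i cannot be obtained by the SC server, the CSP or any other worker w_j ∈ W, w_j ≠ w_i;
2. the task location l_s cannot be obtained by the CSP or by any worker other than w_i*;
3. apart from w_i* itself, neither the SC server, the CSP nor any other worker can obtain the ID of w_i*.
Although its non-private version (PTA) is simple, PPTA is very challenging because it tries to protect worker privacy and task privacy at the same time. In particular, the winner is determined not only by the workers' locations but also by their speeds, and both should stay secret during the computation. At first glance, this requirement means that we need to perform division on ciphertexts. However, efficient homomorphic division is still an open problem. In addition, the task location l_s must be kept secret from all workers except the winner, which makes computing d(l_i, l_s) harder than in plaintext. Note that the winner must know the task location l_s, because it has to reach that location to perform the task, so this is not regarded as a privacy leak. The last requirement of PPTA states that the SC server is not allowed to know the winner's identity. If the SC server knew who the winner is, it might infer the winner's approximate location from background knowledge (such as the task location and deadline). Obviously, in PTA it is the SC server that determines the winner. In PPTA, however, the SC server is not allowed to know who the winner is. This contradiction is another difficulty of PPTA.
Similarly, we define the privacy-preserving task assignment problem with acceptance guarantee as follows:
Definition 6 (privacy-preserving task assignment problem with acceptance guarantee). Let W = {w_1, w_2, …, w_n} be a set of n workers. Given a spatial task s, the privacy-preserving task assignment problem with acceptance guarantee PPTAG(W, s) is to find the winner set W* of PTAG(W, s) in such a way that:
1. for each worker w_i ∈ W, its location l_i and speed v_i cannot be obtained by the SC server, the CSP or any other worker w_j ∈ W, w_j ≠ w_i;
2. the task location l_s cannot be obtained by the CSP or by any worker other than the winners in W*;
3. apart from w_i* itself, neither the SC server, the CSP nor any other worker can obtain the ID of w_i*.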
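II. Definition of the Privacy Standard
The invention uses the ideal-world paradigm to define the security of the protocol. Intuitively, a protocol is secure, or privacy-preserving, if during its execution no party involved obtains more information than it is entitled to. This can be defined through the ideal paradigm as follows: for every adversary there exists a probabilistic polynomial-time simulator such that the adversary's view in the real world and the simulator's view in the ideal world are computationally indistinguishable.
Let P_-1 be the CSP, P_0 the SC server, and P_1, …, P_n the n workers. Let view_i, x_i and K_i (-1 ≤ i ≤ n) be, respectively, the view of P_i, its private input, and the additional information it can obtain during the execution of protocol P. The standard definition of the privacy requirement of protocol P is as follows:
Definition 7. If there exists a probabilistic polynomial-time simulator S_i such that:
then protocol P is said to be fully privacy-preserving against P_i, because protocol P leaks no more information than P_i's final output. Here ≡ denotes computational indistinguishability for all possible inputs (x_-1, x_0, …, x_n). If instead the corresponding relation holds with K_i, protocol P is said to be privacy-preserving against P_i with K_i leakage, because it leaks to P_i no information beyond the final output and K_i.
Clearly, full privacy preservation is a very strong privacy guarantee. Such a strong guarantee, however, is sometimes hard to achieve with an efficient protocol. In practice, disclosure of the additional knowledge K_i during the execution of protocol P can be allowed as long as privacy is not broken. That is, even with the knowledge K_i, the probability that the adversary obtains any party's private input is negligible.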
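III. Cryptographic Building Blocks
To solve the PPTA and PPTAG problems defined above, the invention uses several cryptographic tools: pseudorandom functions, the Paillier cryptosystem and the ElGamal cryptosystem, briefly introduced below.
A pseudorandom function (PRF) is one whose outputs, observed in a black-box manner, cannot be distinguished from those of a truly random function. A PRF is usually denoted f_k and belongs to a PRF family F_λ = {f_k : {0,1}^λ → {0,1}^λ}, k ∈ {0,1}^λ, indexed by k. Our work assumes that keyed one-way hash functions (such as HMAC) can be modelled as pseudorandom functions. Thus f_k can be implemented by keying the hash function with k and applying it to x.
Paillier is a public-key cryptosystem whose security rests on an assumption related to the hardness of factoring (whether it is equivalent is not yet known). It consists of the following three algorithms:
– Encryption E: let m be a message in Z_N. It is encrypted by choosing a random number r in Z*_N and computing
c = E(m) = g^m r^N mod N, (1)
where N and g are obtained from the public key pk and c is the ciphertext of m.
– Decryption D: the ciphertext c is decrypted by the following computation:
where λ = lcm(p-1, q-1) can be computed from the private key sk.
One of the most important properties of the Paillier cryptosystem is additive homomorphism. Specifically, multiplying a ciphertext of m1 by a ciphertext of m2 gives a ciphertext of m1 + m2, and raising a ciphertext of m to the k-th power gives a ciphertext of km. That is:
E(m1)E(m2) = E(m1 + m2), (3)
E(m)^k = E(km). (4)
In addition, Paillier is semantically secure, meaning that an attacker cannot learn any partial information about the plaintext from the ciphertext. It is also a probabilistic encryption scheme, which means that encrypting the same message several times produces different ciphertexts. Equation (1) shows clearly that the random number r takes part in the encryption.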
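ElGamal is a public-key cryptosystem whose security rests on the intractability of the discrete logarithm problem. It consists of some public domain parameters that can be shared by multiple users and three algorithms:
– Domain parameters. Let p be a large prime and q a medium-sized prime such that q | p–1. Let g = r^((p–1)/q) mod p ≠ 1, where r ∈ F_p^*. These public parameters create, with generator g, a common finite abelian group G of prime order q.
– Key generation. Choose an integer x with 0 ≤ x ≤ q–1 and compute h = g^x mod p. The public key pk is h and the secret key sk is x.
– Encryption E'. Let m be a message in G. It is encrypted by choosing a random number r with 0 ≤ r ≤ q–1 and computing:
c1 = g^r, c2 = m·h^r. (5)
The ciphertext c of m is E'(m) = (c1, c2).
– Decryption D'. The ciphertext c is decrypted by the following computation:
m = D'(c) = c2·(c1^x)^(-1) (6)
ElGamal is also a probabilistic encryption scheme, because each message is encrypted with a different random number r, as shown in equation (5). An interesting property of the ElGamal cryptosystem is multiplicative homomorphism. Specifically, multiplying a ciphertext of m1 by a ciphertext of m2 gives a ciphertext of m1·m2, that is:
E'(m1)E'(m2) = E'(m1·m2), (7)
Commutative encryption has the property that the order of two encryptions does not matter. ElGamal can be extended to support commutative encryption. In particular, two new algorithms are defined as follows:
– Secondary encryption: given a ciphertext E'_{h_a}(m) = (g^{r_a}, m·h_a^{r_a}) encrypted under the public key h_a, it can be encrypted a second time by choosing a random number r_b with 0 ≤ r_b ≤ q–1 and computing c1 = g^{r_a}, c2 = g^{r_b} and c3 = m·h_a^{r_a}·h_b^{r_b}, where h_b is a public key. The ciphertext of E'_{h_a}(m) is
– Secondary decryption: the ciphertext (c1, c2, c3) can be decrypted using the private keys x_a and x_b in either order, and the decryption result is the same. If the private key x_a is used first, we have
E'_{h_b}(m) can then be decrypted again with x_b to obtain m. It is easy to verify that the decryption result is the same if x_b is used first and then x_a.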
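The ElGamal properties above, as an added Python example that is not code from the patent: the multiplicative homomorphism of equation (7) applied to a product of encrypted speeds, and secondary encryption with decryption in either key order. The toy domain parameters (p = 2^61 - 1, q = 1321), the function names and the sample values are assumptions chosen so the block runs instantly; they are far too small for real use.

```python
import secrets

# Toy domain parameters (constructed for this example):
# P is a Mersenne prime and Q is a prime factor of P - 1.
P = 2**61 - 1
Q = 1321


def find_generator():
    """g = r^((p-1)/q) mod p with g != 1, so g has prime order q."""
    r = 2
    while True:
        g = pow(r, (P - 1) // Q, P)
        if g != 1:
            return g
        r += 1


G = find_generator()


def keygen():
    """Return (private x, public h = g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, m):
    """E'(m) = (g^r, m * h^r), equation (5)."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), m * pow(h, r, P) % P


def decrypt(x, c):
    """m = c2 * (c1^x)^(-1), equation (6)."""
    c1, c2 = c
    return c2 * pow(pow(c1, x, P), -1, P) % P


def encrypted_product(h, values):
    """Multiply ciphertexts component-wise: E'(m1)E'(m2) = E'(m1*m2)."""
    acc = (1, 1)  # trivial encryption of 1
    for v in values:
        c = encrypt(h, v)
        acc = (acc[0] * c[0] % P, acc[1] * c[1] % P)
    return acc


def reencrypt(hb, c):
    """Secondary encryption: (c1, c2, c3) = (g^ra, g^rb, m*ha^ra*hb^rb)."""
    c1, c3 = c
    rb = secrets.randbelow(Q)
    return c1, pow(G, rb, P), c3 * pow(hb, rb, P) % P


def strip_a(xa, c):
    """Remove the layer of key a first; what remains is E'_hb(m)."""
    c1, c2, c3 = c
    return c2, c3 * pow(pow(c1, xa, P), -1, P) % P


def strip_b(xb, c):
    """Remove the layer of key b first; what remains is E'_ha(m)."""
    c1, c2, c3 = c
    return c1, c3 * pow(pow(c2, xb, P), -1, P) % P


if __name__ == "__main__":
    xa, ha = keygen()
    xb, hb = keygen()
    double = reencrypt(hb, encrypt(ha, 123456789))
    print(decrypt(xb, strip_a(xa, double)), decrypt(xa, strip_b(xb, double)))
    # Product of constructed speeds 5, 1, 4, 2 recovered from ciphertexts.
    print(decrypt(xa, encrypted_product(ha, [5, 1, 4, 2])))
    # If the true product exceeds p, decryption only yields it modulo p.
    print(decrypt(xa, encrypted_product(ha, [2**31, 2**31])), 2**62)
```

The last call shows why the modulus must be larger than the product of all speeds: 2^62 wraps around to 2 under this toy p.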
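IV. Privacy-Preserving Task Assignment Protocol
According to Definition 5, our goal is to find the winner of PTA without revealing workers' location information. Although existing privacy-preserving tools such as k-anonymity and differential privacy could be used to protect personal privacy, they usually assume a trusted third party with access to the entire raw data (for example, the locations of all workers), which is hard to achieve in practice. Moreover, they protect personal privacy at the cost of data utility, which means that methods based on them may fail to find the PTA winner exactly. We therefore decided to use cryptographic tools to solve the PPTA problem exactly. To prevent privacy leaks, each worker's private data is encrypted before it is sent to the SC server. From Definition 3, the key to the PPTA problem is determining which worker reaches location l_s first. To solve this, we need to compare the travel times of two workers w_i and w_j, that is, evaluate the following inequality:
Clearly, the computation involves several basic operations: addition and multiplication (for the distance computation), division, and comparison. Note that these operations must be performed on ciphertexts, because l_i and v_i, for example, have already been encrypted for privacy protection. In theory, we could design a scheme based on fully homomorphic encryption (FHE) to carry out the above computation, but this would incur high computational cost and give the approach limited practical value. We therefore consider partially homomorphic encryption schemes. Although they are more efficient than FHE, none of them supports all the operations needed to evaluate inequality (8). The next subsection shows how we solve this difficulty.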
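4.1 Protocol Overview
Extended Algorithm 1: Privacy-preserving task assignment protocol
Input: a set of n workers, each worker w_i having ID i, location l_i and speed v_i; a spatial task s (created by the task requester) with task location l_s and deadline e_s; an SC server and a CSP. Output: the winner w* obtains the task location l_s.
1: Phase 0 - Key generation
2: The CSP generates a Paillier key pair (pk, sk) and an ElGamal key pair (pk', sk'). The SC server and all workers obtain the public keys pk and pk'. The private keys sk and sk' are known only to the CSP.
3: The CSP generates another set of ElGamal domain parameters and publishes it. Based on these parameters, the CSP generates another public key pk'' but keeps it secret. Each worker w_i also generates a key pair (pk_i'', sk_i'') and keeps it secret.
4: Phase 1 - Privacy-preserving distance computation
6: for each worker w_i (1 ≤ i ≤ n) do
9: end for
10: Phase 2 - Privacy-preserving travel time computation
11: for each worker w_i (1 ≤ i ≤ n) do
12: w_i encrypts v_i with pk' and sends E'(v_i) to the SC server.
13: end for
15: The CSP decrypts E'(V) and sends the result back to the SC server.
16: The SC server broadcasts V to all workers.
17: for each worker w_i (1 ≤ i ≤ n) do
19: end for
20: Phase 3 - Privacy-preserving winner computation
21: The SC server sends f_k(i) to worker w_i, where f_k is a PRF.
25: The CSP encrypts f_k(i*) using k' and sends E'_C(f_k(i*)) to the SC server.
26: Phase 4 - Privacy-preserving winner announcement
28: for each worker w_i (1 ≤ i ≤ n) do
33: end for
As shown in Figure 2, the invention uses two partially homomorphic encryption schemes, Paillier and ElGamal, to build the solution, which consists of the five phases depicted in Figure 2. In phase 0, according to the security requirements, the CSP generates the ElGamal domain parameters and the Paillier and ElGamal key pairs. It keeps the private keys secret and sends the public keys to the SC server and all workers. The creation of a spatial task by the task requester triggers the start of phase 1, during which the SC server and all workers run the privacy-preserving distance computation protocol on the encrypted location information and output the encrypted distance information. In phase 2, each worker's speed is encrypted and sent to the SC server, which cooperates with the CSP, in order to compute each worker's travel time. Based on the encrypted travel times obtained in phase 2, the SC server computes the winner with the help of the CSP in phase 3, but the result is still in encrypted form. In phase 4, the encrypted task location is broadcast to all workers, but only the winner can retrieve the task location. The winner then travels to the designated location to perform the task.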
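4.2 Detailed Construction
Extended Algorithm 1 is a concrete implementation of the privacy-preserving task assignment protocol. We explain it in detail below.
Phase 1. Since the key routines of the Paillier and ElGamal cryptosystems needed for phase 0 were introduced in "III. Cryptographic Building Blocks", we describe the detailed construction of the protocol starting from phase 1. After encrypting the task location l_s = (x_s, y_s) with the Paillier public key, the SC server sends three ciphertexts to all workers: E(x_s^2 + y_s^2), E(x_s) and E(y_s). On receiving this encrypted information from the SC server, each worker w_i computes the square of the distance between l_s and its current location l_i in encrypted form, namely:
Its correctness is easily verified from equations (3) and (4). Note that we could instead require all workers to send their encrypted locations to the SC server (in the form E(x_i^2 + y_i^2), E(x_i) and E(y_i)) and have the SC server compute E(d^2(l_i, l_s)). Although that process resembles what is done in the non-private case, it places more computational cost on the SC server. In other words, our current design has the advantage of spreading the computational cost across all workers.
Phase 2. As mentioned earlier, privacy-preserving travel time computation requires division on ciphertexts. However, an efficient implementation of homomorphic division is still an open problem. Our goal is therefore not to design an efficient homomorphic division scheme, but to eliminate the division from the travel time computation altogether. To this end, we use an interesting property for comparing travel times, namely that computing the exact travel time is unnecessary. This property is guaranteed by the following lemma:
Lemma 1. Let W = {w_1, w_2, …, w_n} be a set of n workers, let V be the product of all workers' speeds, and let v_k' = V/v_k, where 1 ≤ k ≤ n. For any two workers w_i, w_j ∈ W, d(l_i, l_s)/v_i < d(l_j, l_s)/v_j if and only if d(l_i, l_s)·v_i' < d(l_j, l_s)·v_j'.
Based on this lemma, we compute for each worker a virtual travel time t_i' = d(l_i, l_s)·v_i', which is equivalent to the exact travel time t_i = d(l_i, l_s)/v_i, i.e. the worker with the shortest virtual travel time necessarily has the shortest exact travel time. Specifically, each worker encrypts its speed with the ElGamal cryptosystem and sends E'(v_i) to the SC server. The SC server can obtain E'(V) by multiplying all the encrypted speeds together. The SC server then asks the CSP to decrypt E'(V) and sends V to all workers. By dividing V by its speed v_i, each worker w_i obtains the value of v_i' and computes E(d^2(l_i, l_s))^(v_i'^2) = E(d^2(l_i, l_s)·v_i'^2) = E(t_i'^2). The encrypted virtual travel time is sent to the SC server for further processing. Note that the CSP and all workers know the exact value of V in this process. This does not, however, violate any worker's personal privacy, as will be shown in the next subsection.
Phase 3. In practice, workers do not necessarily accept the tasks assigned to them. To guarantee that a task is accepted with high probability, several workers can be asked to perform it. Suppose the AR (acceptance rate) of worker w_i is a_i. Let η(W, s) denote the probability that at least one worker in W accepts task s.
The SC server now has a list of 2-tuples <i, E(t_i'^2)>, where i is the ID of worker w_i, 1 ≤ i ≤ n. To protect the identities of the workers, and of the winners in particular, it encrypts each worker's ID with a PRF f_k and sends <f_k(i), E(t_{f_k(i)}'^2)> to the CSP. Since the CSP holds the Paillier private key, it can obtain t_i'^2 by decrypting E(t_i'^2) and compute the actual travel time. The CSP then sorts all workers by travel time, determines whether each can reach the task location before the deadline e_s, and adds workers to the winner set one by one until the expected acceptance rate is reached, i.e. η(W, s) ≥ α. If the task cannot be accepted at the acceptance rate α, the CSP notifies the SC server that no worker set can guarantee acceptance of the task at rate α. Otherwise, it uses ElGamal to encrypt the ID f_k(i*) of each winner in the winner set and sends E'_C(f_k(i*)) to the SC server. The encryption here is necessary because the SC server could infer who the winner is after obtaining f_k(i*). On the other hand, thanks to the pseudorandomness of the PRF, the privacy of the workers in the winner set is still protected.
The AR (acceptance rate) of a worker is modelled as a decreasing function φ of travel time, and two cases are considered: 1) linear, where the AR decreases linearly with travel time starting from the MAR (maximum acceptance rate) value (when the worker is exactly at the task location); and 2) Zipf, where the acceptance rate follows a Zipf distribution. The condition for stopping the addition of new workers to the winner set W* is then the one in which a_i = η(t_{f_k(i)}, MAR).
When all parties are entitled to know |W*|, the number of winners, it is easy to verify that our protocol is still secure. Assuming all workers have the same acceptance rate (AR), the size of W* can be computed. In phase 3, therefore, the CSP needs to perform |W*| ElGamal encryptions, and the communication overhead between the CSP and the SC server changes from 2L' to 2|W*|L'.
where h is a length-matching hash function used to map a longer bit string to a shorter bit string. One construction of h that has been proven semantically secure is to truncate a longer bit string into several fixed-length shorter bit strings, XOR these shorter bit strings together and output the result. Clearly, only workers who obtain E'_C(f_k(i*)) can obtain the task location information by computation. The following procedure ensures that only the winners can obtain E'_C(f_k(i*)).
First, each worker w_i obtains the encrypted ID f_k(i) from the SC server, encrypts it with ElGamal using its own public key, and sends the encrypted information E'_{w_i}(f_k(i)) to the CSP. On receiving it, the CSP encrypts it again with ElGamal using its public key and the same random number r that was used to encrypt E'_C(f_k(i*)). The CSP then sends the result to each worker, who can decrypt it with its private key to obtain E'_C(f_k(i)). Clearly, only the winner w_{f_k(i*)} can obtain E'_C(f_k(i*)). Note that the public keys used here should be kept secret to protect privacy.
Remark. When computing E'(V), an appropriate key length should be set to avoid overflow of the product of all workers' speeds. For example, we used a 2048-bit key to handle 1000 workers in our experiments. If the number of workers is large, a possible approach is to use the least common multiple (LCM) instead of multiplication. However, privacy-preserving LCM computation (i.e. computing the least common multiple of several encrypted numbers) is a very challenging problem, which we leave as one of our future research directions.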
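Phases 1 to 3 described above, run end to end as an added Python example that is not the patent's own code, using a toy Paillier instance. The worker-side product for the encrypted squared distance is an assumption derived from properties (3) and (4); V is computed in the clear instead of through the ElGamal exchange; and the acceptance model (independent workers, rate falling linearly from MAR to zero at the deadline), all function names and the sample workers are likewise assumptions.

```python
import hashlib
import hmac
import math
import secrets

# Toy Paillier with g = N + 1 (standard Paillier, ciphertexts modulo N^2).
# Two Mersenne primes keep the demo fast; they are far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # private, CSP only
MU = pow(LAM, -1, N)                               # private, CSP only


def enc(m):
    """Paillier encryption under the public modulus N."""
    while True:
        r = secrets.randbelow(N)
        if r > 0 and math.gcd(r, N) == 1:
            break
    return (1 + (m % N) * N) * pow(r, N, N2) % N2


def dec(c):
    """Paillier decryption; in the protocol only the CSP can do this."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def server_encrypt_task(xs, ys):
    """Phase 1, SC server: E(xs^2 + ys^2), E(xs), E(ys)."""
    return enc(xs * xs + ys * ys), enc(xs), enc(ys)


def worker_encrypted_sq_distance(task_ct, xi, yi):
    """Phase 1, worker: one encryption and two modular exponentiations
    give E((xs - xi)^2 + (ys - yi)^2) without seeing xs or ys."""
    c_sum, c_x, c_y = task_ct
    c = c_sum * pow(c_x, (-2 * xi) % N, N2) % N2
    c = c * pow(c_y, (-2 * yi) % N, N2) % N2
    return c * enc(xi * xi + yi * yi) % N2


def worker_encrypted_virtual_time(c_d2, V, vi):
    """Phase 2, worker: E(d^2)^(v'^2) = E(t'^2) with v' = V / v_i."""
    v_prime = V // vi
    return pow(c_d2, v_prime * v_prime, N2)


def pseudonym(key, worker_id):
    """f_k(i): HMAC-SHA256 used as the PRF that hides worker IDs."""
    tag = hmac.new(key, str(worker_id).encode(), hashlib.sha256)
    return tag.hexdigest()[:16]


def csp_select_winners(entries, V, now, deadline, accept_rate, alpha):
    """Phase 3, CSP: decrypt, sort by travel time t = t'/V, then add
    workers until 1 - prod(1 - a_i) >= alpha. Returns None on failure."""
    timed = sorted((math.sqrt(dec(c)) / V, pid) for pid, c in entries)
    winners, miss = [], 1.0
    for t, pid in timed:
        if now + t > deadline:
            break  # every later worker is slower still
        winners.append(pid)
        miss *= 1.0 - accept_rate(t)
        if 1.0 - miss >= alpha:
            return winners
    return None


def run_protocol(workers, task, now, deadline, mar, alpha, prf_key):
    """workers maps id -> (x, y, speed); returns winner pseudonyms."""
    task_ct = server_encrypt_task(*task)
    V = math.prod(v for _, _, v in workers.values())  # shortcut, see lead-in
    entries = []
    for wid, (x, y, v) in workers.items():
        c_d2 = worker_encrypted_sq_distance(task_ct, x, y)
        c_t2 = worker_encrypted_virtual_time(c_d2, V, v)
        entries.append((pseudonym(prf_key, wid), c_t2))
    horizon = deadline - now

    def rate(t):
        return mar * max(0.0, 1.0 - t / horizon)

    return csp_select_winners(entries, V, now, deadline, rate, alpha)


# Constructed sample data: travel times are 10, 5, 15 and 50 time units.
DEMO_KEY = b"constructed-demo-key"
DEMO_TASK = (50, 40)
DEMO_WORKERS = {1: (10, 10, 5), 2: (47, 36, 1), 3: (50, 100, 4), 4: (150, 40, 2)}

if __name__ == "__main__":
    print(run_protocol(DEMO_WORKERS, DEMO_TASK, 0, 20, 0.8, 0.7, DEMO_KEY))
    print(run_protocol(DEMO_WORKERS, DEMO_TASK, 0, 20, 0.8, 0.9, DEMO_KEY))
```

With α = 0.7 the two fastest workers suffice; with α = 0.9 the three workers who can meet the deadline reach only 0.808, so the CSP reports that no winner set exists.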
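4.3 Performance Analysis
Computational cost. Table 1 summarizes the computational cost of our protocol. We assume that all workers can perform computations (such as encryption and decryption) in parallel and can interact with the SC server and the CSP in parallel, so we only need to consider the computational cost of one user. In addition, we ignore cheap operations such as large-integer multiplication and XOR on bit strings. The detailed analysis is as follows. In Extended Algorithm 1, the SC server performs three Paillier encryptions (line 5), and worker w_i performs one Paillier encryption and two modular exponentiations (lines 7, 8) for the private computation of the travel distance. In phase 2, the worker performs one ElGamal encryption to protect its speed (line 12). The product of the encrypted speeds is decrypted by the CSP (line 15) to enable the subsequent travel time computation. This requires one modular exponentiation by worker w_i (line 18). In phase 3, the SC server uses n PRF evaluations to protect the workers' IDs (line 21), and the CSP performs n ElGamal decryptions (line 23) and one ElGamal encryption (line 25) to find the winner and protect its ID. In phase 4, to exchange the decryption key, worker w_i performs one ElGamal encryption (line 29) and one ElGamal secondary decryption (line 31), and the CSP performs n ElGamal secondary encryptions (line 30).
Table 1: Computational cost of the proposed protocol. E, D, E′, D′, e, PRF denote, respectively, Paillier encryption, Paillier decryption, ElGamal encryption, ElGamal decryption, ElGamal secondary encryption, ElGamal secondary decryption, modular exponentiation and pseudorandom function.
Table 2: Communication overhead of the proposed protocol. L and L′ are the key lengths of the Paillier and ElGamal cryptosystems, respectively.
Communication overhead. Table 2 summarizes the communication overhead of our protocol. Since ciphertexts are usually larger than plaintexts, we only consider the ciphertexts sent and received by each party. Note that the ciphertext lengths of ElGamal encryption and secondary encryption are twice and three times the key length, respectively. We omit the detailed analysis; see Table 2 for the results.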
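4.4 Security Analysis
The security of the proposed protocol is analysed below.
Theorem 1. Our task assignment protocol (Extended Algorithm 1) is privacy-preserving against the SC server, the CSP and all workers with leakage K_0 = V, K_-1 = {V, t_{f_k(1)}, …, t_{f_k(n)}} and K_i = V (1 ≤ i ≤ n), respectively.
Proof: We first show that there exists a probabilistic polynomial-time simulator S_0 that can simulate the view of the SC server given K_0 = V. Let the view of the SC server be view_0. S_0 generates the view view_0′ = {E′(x_1), ..., E′(x_n), E(y_1), ..., E(y_n), E′(x_{n+1}), V}, where x_i (1 ≤ i ≤ n+1) are uniformly distributed random elements of G and y_i (1 ≤ i ≤ n) are uniformly distributed random elements of Z_N. Since both Paillier and ElGamal are semantically secure, we can easily show that view_0 ≡ view_0′.
Next, we show that there exists a probabilistic polynomial-time simulator S_i that can simulate the view of worker w_i given K_i = V. If w_i is not a winner, S_i generates its simulated view, in which x_i (i = 1, 2, 3) are uniformly distributed random elements of Z_N, y is sampled at random from G, and k is a random element uniformly distributed over {0,1}^λ. For a winner, S_i generates {E(x_1), E(x_2), E(x_3), k, i*, V} as the simulated view. In both cases, by the semantic security of Paillier and ElGamal and the pseudorandomness of the PRF, we obtain view_i ≡ view_i′.
Finally, we show that there exists a probabilistic polynomial-time simulator S_-1 that can simulate the view of the CSP given K_-1. To simulate the CSP's view in the protocol, S_-1 generates view_-1′ = {E′(x_1), ..., E′(x_n)} ∪ K_-1, where x_i (1 ≤ i ≤ n) are uniformly distributed random elements of G. By the semantic security of ElGamal, view_-1 ≡ view_-1′ clearly holds.
The theorem above proves that our protocol is secure with K leakage. Before showing that leaking K has limited impact on personal privacy, we give the following lemmas.
where (σ(1), ···, σ(n)) is a permutation of (1, …, n); then, as d → ∞, the probability that this equation has at least n! solutions is 1.
Lemma 4. Choose a random number a from 1, …, d; as d → ∞, the probability that a is prime is 1/log d.
This lemma follows directly from the prime number theorem [24], which states that as d → ∞ the number of primes below d converges to d/log d.
Remark. By Lemma 4, the probability that x_i is prime or equal to 1 can be approximated as (1/log d + 1/d). Therefore, the probability that every x_i has at least two prime factors is
(1 – 1/log d – 1/d)^n (11)
Theorem 2. Based on the information K_i (-1 ≤ i ≤ n), the probability that the intruder P_i can obtain the private information of any party during the execution of the task assignment protocol (Extended Algorithm 1) is negligible.
Proof: First consider P_0, the SC server, which holds the information K_0 = V. The SC server can construct an equation from V. Suppose 1 ≤ v_i ≤ d, let η(v_i) be the probability that P_0 obtains v_i, and let η(v_i | K_0) be the probability that P_0 obtains v_i given K_0. The bound then follows from Lemma 2.
In general, this is clearly negligible.
A corresponding bound follows from Lemma 3.
In general, this is negligible. Moreover, even if the CSP obtains the exact value of d(l_s, l_i), the probability that it cannot obtain l_s and l_i is far higher than that of random guessing. QED.
Remark. Note that Theorem 2 shows that the privacy-preserving task assignment protocol is secure in general. In some extreme cases, for example V = 1, an intruder can immediately learn that every worker's speed is 1. But as the number of workers grows, the likelihood of such a case drops sharply.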
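V. Performance Evaluation
5.1 Experimental Setup
We evaluate the performance of our protocol (Extended Algorithm 1) on two classes of metrics: efficiency-related and effectiveness-related. The former includes running time and communication overhead, worker travel distance (WTD), worker travel time (WTT) and the number of notified workers (NNW). Workers generally prefer a shorter WTD, and so do task requesters, because if workers have the same speed the task can be performed sooner. If workers' speeds differ, however, a shorter WTD is not necessarily better. In that case, both workers and task requesters prefer a short WTT. NNW should be kept low to reduce computational cost and communication overhead.
For the effectiveness evaluation, we use the method of To et al. [To, H., Ghinita, G. and Shahabi, C.: A framework for protecting worker location privacy in spatial crowdsourcing. PVLDB, 7(10), 919-930 (2014)] as the benchmark. Since their method does not take the effect of speed into account, each worker's speed is set to 1 in the experiments. In this case, WTT equals WTD. In addition, the deadline of each task is set to a large value so that all workers can arrive before the deadline. Since our protocol does not consider workers' acceptance rates and always returns one worker (i.e. NNW always equals 1), we randomly generate 1000 tasks and report the average results.
For the efficiency evaluation, we note that differential privacy is clearly cheaper computationally than public-key cryptosystems, but it cannot protect data during the computation (for example, it allows a trusted third party to see the locations of all workers). Comparing our protocol (based on public-key cryptosystems) with the method of To et al. (based on differential privacy) in terms of running time is therefore meaningless. We therefore focus only on the efficiency of our protocol and test whether its overhead is acceptable in practice. We run our protocol 10 times and report the average results.
We use two real-world datasets, Gowalla and Yelp, to evaluate performance. Gowalla contains the check-in history of users in a location-based social network. We select a region of California with latitude from 33.720183 to 34.149932 and longitude from -118.399999 to -117.900516. This region contains the check-ins of 5830 users, who are treated as the workers of the spatial crowdsourcing system. We take the location where a user checked in most often as the user's current location, and assume that spatial tasks can be created at any location with a check-in record. For Yelp, we select a region of Phoenix with latitude from 33.205308 to 33.924407 and longitude from -112.400283 to -111.218100. The region has about 67000 users and 11200 companies. Company locations are treated as tasks, and a user's location is chosen at random from the companies the user has viewed.
We set the number of workers #W ∈ {100, 400, 700, 1000}, the maximum acceptance rate MAR ∈ {0.4, 0.6, 0.8, 1} and the expected task acceptance probability α ∈ {0.7, 0.8, 0.9, 0.99}. Since the benchmark relies on differential privacy with a privacy budget, we also set the privacy budget. For the security parameters of Paillier and ElGamal, we consulted the NIST recommendation (2016) and set the key length KL ∈ {1024, 2048}, where a key length of 1024 is suitable for current applications and a key length of 2048 is recommended for the next 15 years (2016-2030). The default value of each parameter is shown in bold.
In our experiments, the SC server and the CSP run on a machine with four Intel Xeon E7-8860 2.2GHz CPUs (16 cores per CPU) and 1TB of RAM. Each worker is simulated by a Mi 2 phone with an APQ 8064 1.5GHz CPU and 2GB of RAM. We implement our protocol with the Bouncy Castle Crypto package. The code is written in Java and executed on JDK 1.8. Table 1 shows that the performance bottleneck of our protocol is the series of Paillier decryptions. Fortunately, these expensive operations are easy to parallelize because they are executed independently. In our experiments, we use 64 threads to perform these decryptions.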
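4.2 Experimental Results
4.2.1 Efficiency
Figures 3 and 4 depict the running time of the extended version of the protocol when varying MAR and α, respectively. Overall, the extended version of the protocol adds only limited overhead to provide the specified acceptance guarantee. For example, when MAR = 1, our protocol needs about 1.79 seconds to achieve α = 0.9. When MAR is reduced to 0.4, it needs about 1.84 seconds (see Figure 4(a)). As another example, when MAR = 0.8, our protocol finds the winner set for α = 0.7 within 1.81 seconds. To ensure that the task is accepted with very high probability, say α = 0.99, our protocol needs only 1.94 seconds. The extra overhead comes mainly from ElGamal encryption, because the number of encryptions is bounded by the size of the winner set, which is usually small (more results can be found in Figures 10, 11 and 12).
The communication overhead of a worker remains a small constant. We further investigate the communication cost of the extended version of the protocol by varying MAR and α, and obtain the results in Figures 5 and 6. For all three parties, the communication cost increases slightly because several winners are involved. In summary, our protocol is also scalable in terms of communication overhead.
4.2.2 Effectiveness
Figures 7, 8 and 9 show the performance of our protocol in terms of WTD (worker travel distance) when varying MAR, α and the privacy budget, respectively. In all figures, our protocol outperforms the benchmark for every combination of dataset (Gowalla, Yelp) and acceptance rate function (Linear, Zipf). Specifically, in Figure 7 we observe that the gap between our protocol and the benchmark grows as MAR decreases. To explain this, we first note that the benchmark must access more grid cells to reach the required acceptance rate. Each cell usually contains some workers. Some of them may be far from the task location, yet they can accept the task. Our protocol, in contrast, always selects workers by their travel time (or travel distance in this case). That is why our protocol is much better than the benchmark when MAR is small. Figure 9 shows that the benchmark has a larger WTD when stronger privacy protection is provided. However, even when only weak privacy protection is provided, our protocol still outperforms the benchmark.
We further evaluate the performance of our protocol in terms of NNW (number of notified workers) by varying MAR, α and the privacy budget, and report the results in Figures 10, 11 and 12, respectively. Again, our protocol outperforms the benchmark for every combination of dataset (Gowalla, Yelp) and acceptance rate function (Linear, Zipf). In most cases, the number of notified workers is no greater than 5. In some extreme cases, for example α = 0.99, our protocol selects fewer than 15 workers to perform the task. This explains why our protocol can be extended to PPTAG with very low overhead. The benchmark, on the other hand, has to notify many workers because it works on grid cells.
Taking the above preferred embodiments of the invention as guidance, those skilled in the relevant art can, from the above description, make various changes and modifications without departing from the technical idea of the invention. The technical scope of the invention is not limited to the content of the description and must be determined according to the scope of the claims.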
Claims (10)
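- An acceptance-guaranteed, privacy-preserving spatial crowdsourcing task assignment system, characterized in that it comprises an SC server, a crypto service provider, a spatial task requester and workers; the SC server is the spatial crowdsourcing server; the crypto service provider is used to generate keys, using the Paillier cryptosystem and the ElGamal cryptosystem, and generates the ElGamal domain parameters and the Paillier and ElGamal key pairs, keeps the private keys secret, and sends the public keys to the SC server and all workers; the spatial task requester is used to create a spatial task and transmit the task location to the SC server; after encrypting the task location with the public key, the SC server sends the ciphertext to all workers, and on receiving this encrypted information from the SC server each worker computes the distance between the task location and the worker's location, thereby obtaining the privacy-preserving distance; each worker's speed is encrypted and sent to the SC server, which cooperates with the crypto service provider; the SC server multiplies the encrypted speeds of all workers, and the crypto service provider decrypts the product to obtain V, which is sent to each worker; each worker computes its travel time, encrypts it and sends it to the SC server; the SC server, with the help of the crypto service provider, computes the winning workers from the encrypted privacy-preserving travel times, and the crypto service provider encrypts the winner set containing multiple winners and returns it to the SC server; the crypto service provider obtains the travel times of all workers from the SC server, sorts them in ascending order, and adds workers to the winner set one by one until the expected acceptance rate is reached; the SC server encrypts the task location and broadcasts it to all workers, assigning the task to workers; only the winning workers can decrypt the encrypted task location, and the winning workers travel to the designated location to perform the task.
- The system according to claim 1, characterized in that the spatial task s is a task to be performed at location l_s and associated with a deadline e_s; the worker w is a person willing to perform spatial tasks, and each worker is associated with an ID id_w assigned by the SC server, a speed v_w and a current location l_w.
- The system according to claim 2, characterized in that, given the worker set W = {w_1, w_2, …, w_n} and the location l_s and deadline e_s of the spatial task s, the SC server uses a task assignment algorithm to assign the task to worker w_i*, which must satisfy two conditions: first, w_i* can reach l_s before the deadline e_s; second, no other worker can reach l_s before w_i*.
- The system according to claim 1, characterized in that the set of multiple winners is defined as follows: let W = {w_1, w_2, …, w_n} be a set of n workers; given a spatial task s, the task s is assigned to a group of workers W*, called the winner set, such that: 1. every worker w_i* ∈ W* can reach location l_s before the deadline e_s; 2. no other worker w_j ∈ W\W* can reach location l_s before any worker w_i* ∈ W*; 3. η(W*, s) ≥ α, where α is the expected acceptance rate that at least one worker in W* accepts task s.
- A method for implementing the system according to any one of claims 1-5, characterized in that it comprises the following steps: Phase 1, computing the distance between the task location and the worker location: after encrypting the task location l_s = (x_s, y_s) with the Paillier public key, the spatial crowdsourcing server sends three ciphertexts to all workers: E(x_s^2 + y_s^2), E(x_s) and E(y_s); on receiving this encrypted information from the spatial crowdsourcing server, each worker w_i computes the square of the distance between l_s and its current location l_i in encrypted form, namely: Phase 2, computing each worker's travel time: let W = {w_1, w_2, …, w_n} be a set of n workers, let V be the product of all workers' speeds, and let v_k' = V/v_k, where 1 ≤ k ≤ n; for any two workers w_i, w_j ∈ W, d(l_i, l_s)/v_i < d(l_j, l_s)/v_j if and only if d(l_i, l_s)·v_i' < d(l_j, l_s)·v_j'; for each worker a virtual travel time t_i' = d(l_i, l_s)·v_i' is computed, which is equivalent to the exact travel time t_i = d(l_i, l_s)/v_i, i.e. the worker with the shortest virtual travel time necessarily has the shortest exact travel time; Phase 3, computing the winning workers: the SC server has a list of 2-tuples <i, E(t_i'^2)>, where i is the ID of worker w_i, 1 ≤ i ≤ n; to protect the identities of the workers, and of the winners in particular, it encrypts each worker's ID with a PRF f_k and sends <f_k(i), E(t_{f_k(i)}'^2)> to the crypto service provider; the crypto service provider computes the winner set from the travel times: it sorts them in ascending order and then adds workers to the winner set one by one until the expected acceptance rate is reached;
- The method according to claim 6, characterized in that, in the first phase, all workers are required to send their encrypted locations to the spatial crowdsourcing server in the form E(x_i^2 + y_i^2), E(x_i) and E(y_i), and the spatial crowdsourcing server is required to compute E(d^2(l_i, l_s)).
- The method according to claim 6, characterized in that, in the second phase, each worker encrypts its speed with the ElGamal cryptosystem and sends E'(v_i) to the spatial crowdsourcing server, which obtains E'(V) by multiplying all the encrypted speeds together; the spatial crowdsourcing server then asks the crypto service providing unit to decrypt E'(V) and sends V to all workers' mobile terminals; by dividing V by its speed v_i, each worker w_i obtains the value of v_i' and computes E(d^2(l_i, l_s))^(v_i'^2) = E(d^2(l_i, l_s)·v_i'^2) = E(t_i'^2); the encrypted virtual travel time is sent to the spatial crowdsourcing server for further processing; in this process the crypto service providing unit and all workers know the exact value of V, which does not violate any worker's personal privacy.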
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710533887.4 | 2017-07-03 | ||
CN201710533887.4A CN107360146B (zh) | 2017-07-03 | 2017-07-03 | Acceptance-guaranteed privacy-preserving spatial crowdsourcing task assignment system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019006968A1 true WO2019006968A1 (zh) | 2019-01-10 |
Family
ID=60292821
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/113468 WO2019006968A1 (zh) | 2017-07-03 | 2017-11-29 | Acceptance-guaranteed privacy-preserving spatial crowdsourcing task allocation system and method |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN107360146B (zh) |
WO (1) | WO2019006968A1 (zh) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
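CN107360146B (zh) * | 2017-07-03 | 2021-03-26 | 深圳大学 | Acceptance-guaranteed privacy-preserving spatial crowdsourcing task allocation system and method |
CN109033865B (zh) * | 2018-06-20 | 2021-10-01 | 苏州大学 | Privacy-preserving task allocation method in spatial crowdsourcing |
CN109003172A (zh) * | 2018-07-09 | 2018-12-14 | 中国科学技术大学苏州研究院 | Privacy-preserving spatial crowdsourcing task auction method |
CN109600709B (zh) * | 2018-11-27 | 2021-01-26 | 南方科技大学 | Spatial crowdsourcing task allocation method and system |
CN110062042B (zh) * | 2019-04-16 | 2021-09-24 | 南京信息工程大学 | Decentralized video streaming service method and system supported by mobile crowdsourcing |
CN110232507B (zh) * | 2019-05-28 | 2021-07-27 | 中国人民解放军国防科技大学 | Smart-contract-based method and system for supervising the whole process of crowdsourcing activities |
CN110620774B (zh) * | 2019-09-20 | 2021-06-08 | 西安电子科技大学 | Location policy privacy protection method for spatial crowdsourcing under blockchain |
CN111563789B (zh) * | 2020-03-30 | 2022-03-25 | 华东师范大学 | Recommendation method based on privacy protection |
CN112488577B (zh) * | 2020-12-17 | 2024-05-24 | 多点(深圳)数字科技有限公司 | Information generation method, apparatus, electronic device and computer-readable medium |
CN114944960B (zh) * | 2022-06-20 | 2023-07-25 | 成都卫士通信息产业股份有限公司 | Cryptographic application method, apparatus, device and storage medium |
CN115587716B (zh) * | 2022-12-12 | 2023-03-14 | 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) | Privacy-preserving spatial crowdsourcing task allocation method and system |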
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140343984A1 (en) * | 2013-03-14 | 2014-11-20 | University Of Southern California | Spatial crowdsourcing with trustworthy query answering |
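CN105243501A (zh) * | 2015-10-13 | 2016-01-13 | 重庆大学 | Location privacy protection method for spatial crowdsourcing network nodes |
CN107360146A (zh) * | 2017-07-03 | 2017-11-17 | 深圳大学 | Acceptance-guaranteed privacy-preserving spatial crowdsourcing task allocation system and method |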
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120046995A1 (en) * | 2009-04-29 | 2012-02-23 | Waldeck Technology, Llc | Anonymous crowd comparison |
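CN104731860B (zh) * | 2015-02-04 | 2017-11-14 | 北京邮电大学 | Privacy-preserving spatial keyword query method |
CN105825333A (zh) * | 2016-03-14 | 2016-08-03 | 南京邮电大学 | Crowdsourcing service system and task allocation method based on anonymous locations on a cloud platform |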
-
2017
- 2017-07-03 CN CN201710533887.4A patent/CN107360146B/zh not_active Expired - Fee Related
- 2017-11-29 WO PCT/CN2017/113468 patent/WO2019006968A1/zh active Application Filing
Non-Patent Citations (1)
Title |
---|
SONG, TIANSHU ET AL.: "Three Types of Objects under Spatial Crowdsourcing Environment", JOURNAL OF SOFTWARE, vol. 28, no. 3, 31 March 2017 (2017-03-31), ISSN: 1000-9825 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
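CN113761555A (zh) * | 2021-07-20 | 2021-12-07 | 杭州师范大学 | Secure and reliable smart-contract-based spatial crowdsourcing task matching method for the Internet of Vehicles |
CN113761555B (zh) * | 2021-07-20 | 2024-04-09 | 杭州师范大学 | Secure and reliable smart-contract-based spatial crowdsourcing task matching method for the Internet of Vehicles |
CN114978492A (zh) * | 2022-05-11 | 2022-08-30 | 西安电子科技大学 | Privacy protection method for centralized spatial crowdsourcing task allocation in space information networks |
CN114978492B (zh) * | 2022-05-11 | 2024-05-14 | 西安电子科技大学 | Privacy protection method for centralized spatial crowdsourcing task allocation in space information networks |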
Also Published As
Publication number | Publication date |
---|---|
CN107360146A (zh) | 2017-11-17 |
CN107360146B (zh) | 2021-03-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17917106 Country of ref document: EP Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 12/06/2020) |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 17917106 Country of ref document: EP Kind code of ref document: A1 |