MixGroup constructs extended pseudonym-changing regions, in which vehicles are allowed to successively exchange their pseudonyms. As a consequence, for the tracking adversary, the uncertainty of the pseudonym mixture is cumulatively enlarged, and therefore location privacy preservation is considerably improved.
We carry out simulations to verify the performance of MixGroup. Results indicate that MixGroup significantly outperforms the existing schemes. In addition, MixGroup is able to achieve a favorable performance even in low traffic conditions.
Keywords: Location privacy, Internet of Vehicles, vehicular social network, pseudonym, group signature
8.1 Introduction
signature [14] have been proposed for location privacy preservation. The central idea behind these schemes is to create opportunities for vehicles to obscure the eavesdropping of the adversary. However, Mix-zone is limited by the number of vehicles appearing at the pseudonym changing occasions. Mix-zone may not perform very well in places with few vehicles or low traffic. The group signature approach is restricted by the group size. A large-scale group has low efficiency in managing the signatures, while a small group is weak in preserving privacy.
By observing the vehicular traces and exploiting the social features of mobility, we find that an individual vehicle actually has many chances to meet a lot of other vehicles. However, in most meeting occasions, only a few vehicles appear concurrently. This fact implies that, if the vehicle could cumulatively aggregate these meeting occasions, it has indeed sufficient opportunities for pseudonym mixture. Otherwise, if the vehicle performs pseudonym changing merely at places of crowded neighbors, a large number of opportunities will be wasted. In this chapter, we are motivated to propose a new privacy-preserving scheme that is capable of efficiently exploiting the potential opportunities for pseudonym mixture. By creating a local group, we construct an extended region with multiple road intersections, in which pseudonym exchanges are allowed to successively take place. Consequently, for the tracking adversary, the uncertainty of a pseudonym mixture is cumulatively enlarged, and hence location privacy preservation is substantially improved.
8.1.1 Related work
For driving safety, vehicles have to broadcast periodical messages, which consist of four-tuple information {Time, Location, Velocity, Content}. If the real identities of vehicles are used in the safety messages, their location privacy will be easily eavesdropped. For this reason, vehicles should use pseudonyms instead of their real identities. Moreover, the vehicles should randomly change their pseudonyms when driving, since the irrelevance of these pseudonyms can guarantee the location privacy of vehicles [12]. However, under consecutive adversary tracking, the pseudonym schemes are still vulnerable if vehicles keep using identical pseudonyms for a long time or change their pseudonyms at an improper occasion.
As shown in Figure 8.1, three vehicles run on a straight road. If only one vehicle changes its pseudonym from P3 to A1 during ∆t, an adversary can easily link A1 with P3 since P1 and P2 are unchanged. Even if all three vehicles simultaneously change their pseudonyms, the location and velocity information embedded in safety messages could still provide a clue for adversaries to link the pseudonyms. Then, the pseudonyms may fail to protect location privacy. To address this privacy protection problem, previous work has proposed three major types of schemes: (1) Mix-zone, (2) group signature, and (3) silent period [15].
[Figure 8.1: The pseudonyms are linkable. Three vehicles broadcast P1, P2 and P3 at time T; at T+∆t only the third has changed to A1, so A1 is linked to P3.]
[Figure 8.2: The illustration of Mix-zone scheme. An observed zone surrounds an unobserved zone with entrances A, B, C and exits D, E, F.]
The nature of all these schemes is to obscure the mapping relationship between vehicles’ real identities and their factitious identities.
The concept of Mix-zone was first presented in the context of location privacy in [16], and its variants are discussed in [11, 17, 18]. The vehicle uses different pseudonyms to guarantee location privacy by the unlinkability of pseudonyms.
However, if a vehicle changes its pseudonym at an improper occasion, the scheme will fail to protect location privacy. The adversary could still link a new pseudonym with the old one by continuously overhearing the surrounding vehicles and inferring the pseudonym changing. In [11], the authors divide the road network into an observed zone and an unobserved zone. The unobserved zone (the gray zone as shown in Figure 8.2) works as a Mix-zone region. In this region, it is difficult for the adversaries to track vehicles because the vehicles change and mix their pseudonyms in this zone. Therefore, the Mix-zone constructs an appropriate time and location for vehicles to change their pseudonyms. Typically, at an intersection of multiple entries, the vehicles are allowed to change their pseudonyms and separately depart from different exits, which achieves the unlinkability of pseudonyms.
More specifically, there are three entrances (i.e., A, B, C) and three exits (i.e., D, E, F) in Figure 8.2. A vehicle enters the Mix-zone coverage through A and broadcasts its safety messages with the help of RSUs. The vehicle changes its pseudonyms in the coverage, and then the vehicle departs from any one exit, which ensures the unlinkability of pseudonyms. The road intersections or parking lots can naturally be assigned as Mix-zones [19]. The limitation of the Mix-zone scheme is the concurrent appearance of vehicles in the same intersection. On roads with minimal traffic, the scheme may not perform well.
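The three situations discussed so far (a lone pseudonym change that the adversary links trivially, a concurrent change by several vehicles in a Mix-zone, and the cumulative aggregation of sparse meeting occasions that motivates MixGroup) can be compared with a small adversary-side model. The following Python example is added here and is not code from the chapter; it assumes a constructed, deliberately simplified belief model in which a pseudonym change among a set of concurrently present vehicles is an unobserved uniform permutation, and it uses plain Shannon entropy of the adversary's belief rather than the chapter's own pseudonym entropy, which is defined later in the chapter. The vehicle names and meeting sequence are constructed sample input.

```python
import math
from typing import Dict, Hashable, Iterable

Belief = Dict[Hashable, float]  # real identity -> adversary's probability


def shannon_entropy(dist: Belief) -> float:
    """Entropy in bits of the adversary's belief about who is behind a pseudonym."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0.0)


class PseudonymTracker:
    """Adversary-side model (constructed for illustration, not the chapter's
    formal definition). For each physical vehicle we keep the adversary's
    belief about which real identity owns the pseudonym the vehicle currently
    broadcasts. A pseudonym change among a set of concurrently present vehicles
    is treated as a uniformly random permutation the adversary cannot observe,
    so every participant inherits the average of the participants' prior beliefs."""

    def __init__(self, vehicles: Iterable[Hashable]):
        # Before any change, each pseudonym is trivially linked to its owner.
        self.belief: Dict[Hashable, Belief] = {v: {v: 1.0} for v in vehicles}

    def mix(self, participants: Iterable[Hashable]) -> None:
        group = list(participants)
        n = len(group)
        mixed: Belief = {}
        for v in group:
            for identity, p in self.belief[v].items():
                mixed[identity] = mixed.get(identity, 0.0) + p / n
        for v in group:
            self.belief[v] = dict(mixed)

    def entropy(self, vehicle: Hashable) -> float:
        return shannon_entropy(self.belief[vehicle])


def lone_change_entropy() -> float:
    """Figure 8.1: three vehicles, only the one broadcasting P3 switches to A1."""
    t = PseudonymTracker(["car1", "car2", "car3"])
    t.mix(["car3"])  # a one-vehicle "mixture" gives the adversary nothing to confuse
    return t.entropy("car3")


def concurrent_change_entropy() -> float:
    """Mix-zone ideal: all three vehicles change pseudonyms at the same occasion."""
    t = PseudonymTracker(["car1", "car2", "car3"])
    t.mix(["car1", "car2", "car3"])
    return t.entropy("car3")


def cumulative_entropy() -> Dict[str, float]:
    """Sparse traffic: vehicles only ever meet pairwise, but successively.
    The uncertainty about later participants exceeds the 1 bit that a single
    pairwise exchange could ever provide on its own."""
    t = PseudonymTracker(["V1", "V2", "V3", "V4"])
    for pair in (["V1", "V2"], ["V2", "V3"], ["V3", "V4"]):  # constructed trace
        t.mix(pair)
    return {v: t.entropy(v) for v in ["V1", "V2", "V3", "V4"]}


if __name__ == "__main__":
    print(f"lone change:       {lone_change_entropy():.3f} bits")
    print(f"concurrent change: {concurrent_change_entropy():.3f} bits")
    for v, h in cumulative_entropy().items():
        print(f"{v} after successive pairwise exchanges: {h:.3f} bits")
```

Under this model the lone change yields 0 bits (A1 is linked to P3 with certainty), a concurrent three-way change yields log2(3) bits, and in the pairwise trace V3 and V4 end at 1.75 bits even though no more than two vehicles were ever present together. The model deliberately ignores the location and velocity clues mentioned above, which in practice lower every one of these values.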
For the group signature scheme, a vehicle joins a group and signs messages using the group identity, thereby protecting its location privacy. Using a group signature scheme, the members of a group can sign a message with their respective secret keys. The resulting signature can be verified by anyone who knows the common public key, but the signature does not reveal any information about the signer except that he or she is a member of the group. Essential to a group signature scheme is a group leader, who is the trusted entity. The group leader knows the true identity of vehicles, and has the right to track down any of the group members if necessary. However, if the size of a group is too large [20], it is challenging to manage all the group members efficiently.
For the silent period scheme, a target vehicle enters a region of interest, where it initially broadcasts safety messages, then keeps silent and updates its pseudonym from P1 to P2 for a random silent period while moving from location L1 to L2 (Figure 8.3). The vehicle finally broadcasts safety messages using P2 in L2. At the same time, if one of its neighboring vehicles happens to update its pseudonym (from P3 to P4) between the nearby locations L3 and L4, then the adversary will be misled to treat the neighboring vehicle as the target. The random silent period scheme is efficient in resisting the adversary tracking. However, the maximum silent period is limited by the safety message broadcast period [21]. With the maximum silent period constrained to the order of hundredths of milliseconds, it is still possible to track vehicles by inferring the temporal and spatial relationship of the vehicles.
[Figure 8.3: The illustration of silent period scheme. A vehicle with pseudonym P1 enters the silent period region, keeps silent for a random period while moving from L1 to L2, and exits broadcasting safety messages with updated pseudonym P2; a neighboring vehicle changes P3 to P4 between L3 and L4.]
8.1.2 Contributions and organization of the paper
In this chapter, we aim to address the problem of location privacy preservation in VSNs. The main contributions of our work are presented as follows.
First, we provide observations on vehicle traces: although social spots crowded with vehicles exist, each vehicle tends to meet others sporadically and mostly outside the social spots. Following the observations, we propose a new scheme, MixGroup, to cumulatively exploit the meeting opportunities for pseudonym changing and improve the location privacy preservation.
Second, by leveraging group signature, we construct an extended pseudonym-changing region, namely, group-region, in which vehicles are allowed to use the group identity instead of pseudonyms, meanwhile cumulatively exchanging their pseudonyms with each other. The usage of group identity efficiently covers the procedure of pseudonym exchange.
Third, to facilitate the operation of pseudonym exchange among vehicles, we devise an entropy-optimal negotiation procedure. In the procedure, each vehicle will evaluate its benefit and risk in taking part in pseudonym exchange. The benefit and risk during pseudonym exchange are quantitatively measured by the predefined pseudonym entropy.
The rest of this chapter is organized as follows. In Section 8.2, we introduce the network model, the threat model, and the location privacy requirements. In Section 8.3, the proposed location privacy-preserving scheme, called MixGroup, is presented. Firstly, two observations from vehicle traces are described. Then, we provide a brief overview of MixGroup. After that, the detailed operations and protocols of MixGroup are elaborated. In Section 8.4, the performance analysis and optimization are discussed. A performance evaluation is provided in Section 8.5. Finally, we conclude our work in Section 8.6.