pseudonym (from P3 to P4) from proximity locations L3 to L4, then the adversary will be misled into treating the neighboring vehicle as the target. The random silent period scheme is efficient in resisting adversary tracking. However, the maximum silent period is limited by the safety message broadcast period [21]. With the maximum silent period constrained to the order of hundreds of milliseconds, it is still possible to track vehicles by inferring the temporal and spatial relationships among them.
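The linking attack sketched above, as an added simulation that is not part of the chapter: vehicles on a straight road beacon every 100 ms, go silent for a random period before switching pseudonyms, and an eavesdropper re-links each fresh pseudonym to the one that just went quiet by extrapolating the vanished vehicle's last position and speed. The RPA view keeps only beacons sent within range of an RSU, so its linking success depends on RSU spacing, as the threat model below notes. The beacon period, road length, speeds, GPS noise and RSU layout are assumptions made for the illustration.

```python
"""Pseudonym linking across a random silent period (added example).

A one-road simulation of the random-silent-period scheme and of an
eavesdropper that re-links a new pseudonym to the one that just went quiet.
Beacon period, speeds, positions and noise are constructed assumptions.
"""
import random
from dataclasses import dataclass

BEACON_PERIOD_MS = 100  # assumed safety-beacon period (10 Hz)


@dataclass(frozen=True)
class Beacon:
    t_ms: int     # transmission time
    pid: str      # pseudonym the beacon is signed under
    x_m: float    # reported position along the road (metres)


def simulate(num_vehicles, max_silent_ms, duration_ms, seed=1):
    """Return (beacons sorted by time, truth) with truth: new pid -> old pid.

    Each vehicle beacons once per period, keeps quiet for a random
    0..max_silent_ms before its pseudonym change, then beacons under a new pid.
    """
    rng = random.Random(seed)
    beacons, truth = [], {}
    for v in range(num_vehicles):
        x = rng.uniform(0.0, 5000.0)                      # start position
        speed = rng.uniform(8.0, 30.0)                    # m/s, random walk below
        old, new = f"P{v}a", f"P{v}b"
        phase = rng.randrange(0, BEACON_PERIOD_MS)        # beacon clock offset
        change_at = rng.randrange(3 * BEACON_PERIOD_MS, duration_ms // 2)
        silent = rng.randrange(0, max_silent_ms + 1)
        truth[new] = old
        t_prev = 0
        for t in range(phase, duration_ms, BEACON_PERIOD_MS):
            x += speed * (t - t_prev) / 1000.0
            t_prev = t
            speed = min(35.0, max(3.0, speed + rng.gauss(0.0, 0.3)))
            if t < change_at:
                beacons.append(Beacon(t, old, x + rng.gauss(0.0, 1.5)))
            elif t >= change_at + silent:                 # silent period over
                beacons.append(Beacon(t, new, x + rng.gauss(0.0, 1.5)))
    beacons.sort(key=lambda b: b.t_ms)
    return beacons, truth


def rpa_observed(beacons, rsu_positions_m, range_m):
    """Restricted passive adversary: only beacons sent within radio range of a
    deployed RSU are overheard, so coverage depends on range and RSU spacing."""
    return [b for b in beacons
            if any(abs(b.x_m - r) <= range_m for r in rsu_positions_m)]


def link_pseudonyms(beacons, max_silent_ms, slack_ms=BEACON_PERIOD_MS):
    """Eavesdropper's linking step: for every pid that appeared late, choose
    the pid that went quiet shortly before whose extrapolated position
    (last position + last speed * gap) is closest to the first new beacon."""
    if not beacons:
        return {}
    beacons = sorted(beacons, key=lambda b: b.t_ms)
    by_pid = {}
    for b in beacons:
        by_pid.setdefault(b.pid, []).append(b)
    t_start, t_end = beacons[0].t_ms, beacons[-1].t_ms
    vanished, appeared = {}, []
    for pid, bs in by_pid.items():
        if len(bs) >= 2 and bs[-1].t_ms < t_end - BEACON_PERIOD_MS:
            dt_s = (bs[-1].t_ms - bs[-2].t_ms) / 1000.0
            speed = (bs[-1].x_m - bs[-2].x_m) / dt_s
            vanished[pid] = (bs[-1].t_ms, bs[-1].x_m, speed)
        if bs[0].t_ms > t_start + BEACON_PERIOD_MS:
            appeared.append((bs[0].t_ms, bs[0].x_m, pid))
    links = {}
    for t_first, x_first, pid in sorted(appeared):
        best, best_err = None, float("inf")
        for cand, (t_last, x_last, speed) in vanished.items():
            gap = t_first - t_last
            if gap <= 0 or gap > BEACON_PERIOD_MS + max_silent_ms + slack_ms:
                continue                                  # not a plausible silence
            err = abs(x_last + speed * gap / 1000.0 - x_first)
            if err < best_err:
                best, best_err = cand, err
        if best is not None:
            links[pid] = best
            del vanished[best]                            # one-to-one assignment
    return links


def linking_accuracy(links, truth):
    """Fraction of pseudonym changes the eavesdropper linked correctly."""
    return sum(links.get(new) == old for new, old in truth.items()) / len(truth)


if __name__ == "__main__":
    for max_silent in (100, 5000):
        beacons, truth = simulate(40, max_silent, 20000, seed=7)
        gpa = linking_accuracy(link_pseudonyms(beacons, max_silent), truth)
        rpa_view = rpa_observed(beacons, [0.0, 2500.0, 5000.0], range_m=300.0)
        rpa = linking_accuracy(link_pseudonyms(rpa_view, max_silent), truth)
        print(f"max silent {max_silent:5d} ms: GPA links {gpa:.0%}, RPA links {rpa:.0%}")
```

Raising `max_silent_ms` widens the time window in which quiet pseudonyms are candidates and lengthens the extrapolation, which is where a longer silence buys privacy; raising vehicle density on the same road does the same. With the silence capped near one beacon period, the true predecessor is almost always the only candidate within a few metres.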
8.1.2 Contributions and organization of the paper
In this chapter, we aim to address the problem of location privacy preservation in VSNs. The main contributions of our work are as follows.

First, we provide observations on vehicle traces: although social spots crowded with vehicles exist, each vehicle tends to meet others sporadically and mostly outside the social spots. Following these observations, we propose a new scheme, MixGroup, which cumulatively exploits the meeting opportunities for pseudonym changing and thereby improves location privacy preservation.

Second, by leveraging group signatures, we construct an extended pseudonym-changing region, namely the group-region, in which vehicles are allowed to use the group identity instead of their pseudonyms while cumulatively exchanging their pseudonyms with each other. The use of the group identity efficiently conceals the pseudonym exchange procedure from an eavesdropper.

Third, to facilitate pseudonym exchange among vehicles, we devise an entropy-optimal negotiation procedure. In the procedure, each vehicle evaluates its benefit and risk in taking part in a pseudonym exchange. The benefit and risk are quantitatively measured by a predefined pseudonym entropy.

The rest of this chapter is organized as follows. In Section 8.2, we introduce the network model, the threat model, and the location privacy requirements. In Section 8.3, the proposed location privacy-preserving scheme, called MixGroup, is presented. Firstly, two observations from vehicle traces are described. Then, we provide a brief overview of MixGroup. After that, the detailed operations and protocols of MixGroup are elaborated. In Section 8.4, the performance analysis and optimization are discussed. A performance evaluation is provided in Section 8.5. Finally, we conclude our work in Section 8.6.
8.2 System Model

8.2.1 Network model

Figure 8.4: Architecture of a vehicle social network. (Components in the figure: vehicles with an onboard unit (OBU) and a vehicle sensor and database; road side units (RSUs); a location server, a semitrusted entity; and a registration authority (RA), a trusted entity; linked by V2V and V2I communication.)
and an intelligent transportation system (ITS) data center. These components are explained as follows.
Vehicle. A large number of vehicles run on the roads in the urban area of interest. Each vehicle is equipped with an OBU, which allows the vehicles to communicate with each other or with the roadside infrastructure for data exchange. Each vehicle periodically broadcasts its location information for the purposes of driving safety. To protect its location privacy, each vehicle should identify itself by a predefined pseudonym instead of its real identity when broadcasting location-related safety messages.

Moreover, two hardware modules are needed for security in the OBU, namely a tamperproof device (TPD) and an event data recorder (EDR). The TPD possesses cryptographic processing capabilities and the EDR provides storage for the TPD. The EDR records the critical data of a vehicle during emergency events, such as its speed, location, time, etc. The EDR is similar to the "black box" in an airplane, and it can be extended to record the safety message broadcasts made during driving. As the electronic devices are easily accessible to a driver and to mechanics, the cryptographic keys of a vehicle should be protected in the TPD. The TPD is secure hardware that stores all cryptographic material and performs the cryptographic operations. It stores a set of cryptographic keys bound to the identity of a given vehicle; these keys guarantee the accountability property. The TPD includes its own clock and has a rechargeable battery that is periodically recharged by the vehicle [22].
Roadside Infrastructure. To collect ITS-related data (e.g., the condition of the traffic, vehicles, and roads) from vehicles, roadside infrastructures are deployed along the roads of the urban area of interest. A roadside infrastructure has two main components: an RSU as a wireless communication interface and a front-computing unit (FCU) for local data processing. A roadside infrastructure can extend the communication range of VANETs by redistributing or forwarding information to other roadside infrastructures. The roadside infrastructure also provides Internet connectivity to OBUs and runs safety applications, for example, accident warning or blacklist broadcasting [23]. For economic reasons, roadside infrastructures are placed sparsely along the road. As a consequence, vehicles have only intermittent coverage along the road. All roadside infrastructures are connected to the ITS data center by wired backhauls.

Data Center. All ITS-related data are aggregated at the data center. The trusted registration authority, the location server, and the pseudonym database are located in the data center. The registration authority is a trusted third party operated by governmental organizations. It is responsible for the VSN and manages the identities and credentials of all vehicles registered with it. The data center is responsible for global decision-making, such as pseudonym generation and revocation.
Regarding their moving traces, the vehicles in a VSN exhibit inherent social features, which may be exploited for designing the privacy protection scheme. To describe the social features of the spatial distribution of vehicles, we propose the concepts of global social spot and individual social spot in the following.

Global Social Spot. From the perspective of a VSN, a global social spot is a place where a number of vehicles meet at a certain time. For example, a road intersection on a busy street in a central business district (CBD) is a typical global social spot, where many vehicles wait at red lights. It is noteworthy that global social spots are usually selected as Mix-zones in many existing works, e.g., [11, 18, 19, 24].

Individual Social Spot. From the perspective of a specific vehicle, an individual social spot refers to a place that the vehicle visits frequently. For example, a road intersection near the vehicle owner's workplace and a supermarket parking lot near the vehicle owner's home are usually potential individual social spots. Vehicles may share common individual social spots: for people working in the same company, their vehicles have the same parking lot as a common individual social spot. In this sense, if a place is a common individual social spot of many vehicles, it is indeed a global social spot. Note that, for a specific vehicle, its individual social spots are candidate places for pseudonym changing, if it happens to meet enough vehicles there.
8.2.2 Threat model
To broadcast safety-related messages periodically, the radio of the OBU cannot be switched off while a vehicle is running on the road. As a result, an eavesdropper may track a specific vehicle and monitor its location by leveraging these periodic safety messages [19, 25]. Location privacy protection is therefore necessary to deal with potential adversaries. In our threat model, we consider both external and internal adversaries. More specifically, two types of external adversaries, namely, a global passive adversary (GPA) and a restricted passive adversary (RPA), and two types of internal adversaries, namely, an internal betrayal adversary (IBA) and an internal tricking adversary (ITA), are considered.

Global Passive Adversary (GPA). The GPA (e.g., "Big Brother" surveillance [21]) can locate and track any vehicle in a region of interest by eavesdropping on its broadcasts.

Restricted Passive Adversary (RPA). The RPA (e.g., a compromised service provider) is limited in its location tracking capability in a region of interest, since it can only exploit the deployed RSUs for eavesdropping and for estimating the locations of vehicle broadcasts. Hence, the region over which the RPA can track vehicles depends on the vehicle transmission range and the distance between any two successive deployed RSUs [26].

Internal Betrayal Adversary (IBA). In a group signature based scheme, an internal adversary is a group member that has been compromised, i.e., it turns into an adversary after joining the group. The IBA colludes with a GPA or RPA to track a target vehicle. After exchanging privacy-related information (e.g., pseudonyms) with the target vehicle, the IBA leaks that information to the GPA or RPA, which allows the target vehicle's trace to be reconstructed if the target vehicle exchanges only once in the MixGroup.

For example, a vehicle V_i has some pseudonyms, denoted as PID_i. The vehicle exchanges its pseudonyms with an adversary (e.g., a compromised group member) who owns a set of pseudonyms PID_j. Finally, V_i gets PID_j and the adversary obtains PID_i. The adversary leaks the pseudonym information to a GPA or RPA. Then, the adversaries can reconstruct the historical trajectory of V_i by analyzing the eavesdropped record of safety messages signed with PID_i. If V_i no longer exchanges PID_j with others after departing the MixGroup zone, V_i will use PID_j to broadcast safety messages. By monitoring the safety messages signed with PID_j, the adversaries can infer the real trace of the target vehicle and continue to track it.

Internal Tricking Adversary (ITA). Unlike the IBA, the ITA repeatedly hands out the same pseudonyms, which it has already exchanged with others, more than once. The victim obtains useless pseudonyms (other vehicles, including the ITA, still hold and use them) and may exchange them with others without knowing. The number of victims depends on the number of vehicles that exchange pseudonyms with the ITA.

There are other methods for an eavesdropper to track a target vehicle. For example, a video-based approach using traffic-monitoring cameras is able to visually identify the target by color, size, or license plate number. A physical-layer approach may use specialized hardware to capture and process electromagnetic signatures, such as signal strength, or commercial off-the-shelf hardware to passively track multiple vehicles. However, these approaches require significant effort, such as expensive cameras with sufficiently high resolution, to track even a single target vehicle; the adversary has to bear the overwhelming cost of the entire system. In this chapter, we consider an adversary using the aforementioned radio-based eavesdropping, which involves only a moderate system expense.
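The two internal adversaries above, worked through as an added toy model that is not the chapter's MixGroup protocol. It assumes (an assumption made here; the chapter does not state it) that every dual-signed exchange is also reported to the RA, so an RA-side ledger always knows the current holder of each pseudonym: that is what lets the RA resolve a pseudonym to a real vehicle, and what lets it refuse an exchange in which a vehicle offers pseudonyms it no longer holds, which is exactly the ITA's move. The IBA scenario shows why a single exchange with a betrayer is fatal and a further cumulative exchange misleads the colluding GPA; the last function is a peer-side check that needs no RA. Vehicle names, pseudonyms, times and positions are constructed.

```python
"""Pseudonym exchange with an internal betrayal adversary (IBA) and an
internal tricking adversary (ITA). Added example, not the chapter's protocol.
Assumes exchanges are reported to the RA (not stated on the page)."""


class PseudonymLedger:
    """RA-side record of which vehicle currently holds each pseudonym."""

    def __init__(self, holdings):
        # holdings: vehicle -> set of pseudonyms issued to it by the RA
        self.holder = {pid: v for v, pids in holdings.items() for pid in pids}
        self.records = []  # TimeRecord-style log: (t, v_i, v_j, given_by_i, given_by_j)

    def pids_of(self, v):
        return {pid for pid, h in self.holder.items() if h == v}

    def exchange(self, t, vi, vj, give_i=None, give_j=None):
        """Swap pseudonyms between v_i and v_j (whole sets by default).

        Rejects the exchange if either side offers a pseudonym it does not
        currently hold, which is what an ITA does when it re-offers
        pseudonyms it already gave away (assumed RA-side check)."""
        gi = set(self.pids_of(vi) if give_i is None else give_i)
        gj = set(self.pids_of(vj) if give_j is None else give_j)
        if not gi <= self.pids_of(vi) or not gj <= self.pids_of(vj):
            raise ValueError("pseudonym offered by a vehicle that does not hold it")
        for pid in gi:
            self.holder[pid] = vj
        for pid in gj:
            self.holder[pid] = vi
        self.records.append((t, vi, vj, frozenset(gi), frozenset(gj)))
        return gi, gj

    def resolve(self, pid):
        """Conditional tracking: only the RA maps a pseudonym to its holder."""
        return self.holder[pid]


def iba_scenario(exchange_again):
    """Target V1 exchanges with betrayer B, who leaks to the GPA the pseudonyms
    V1 received. Returns (correct, wrong) attributions the GPA makes on the
    beacons sent after the vehicles leave the group-region."""
    ledger = PseudonymLedger({"V1": {"P1a", "P1b"}, "B": {"Pb1", "Pb2"},
                              "V2": {"P2a", "P2b"}})
    _given_by_v1, given_by_b = ledger.exchange(1, "V1", "B")
    leaked = set(given_by_b)                  # B tells the GPA: "V1 now signs with these"
    if exchange_again:
        ledger.exchange(2, "V1", "V2")        # cumulative exchange with honest V2
    beacons = [(3, min(ledger.pids_of(v)), v) for v in ("V1", "B", "V2")]
    correct = wrong = 0
    for _t, pid, real in beacons:
        if pid in leaked:                     # GPA attributes the beacon to V1
            if real == "V1":
                correct += 1
            else:
                wrong += 1
    return correct, wrong


def ita_scenario():
    """ITA T hands {Pt1, Pt2} to V1, then tries to hand the same set to V2.
    Returns True if the RA-side holder check rejects the second exchange."""
    ledger = PseudonymLedger({"T": {"Pt1", "Pt2"}, "V1": {"P1a", "P1b"},
                              "V2": {"P2a", "P2b"}})
    ledger.exchange(1, "T", "V1")
    try:
        ledger.exchange(2, "T", "V2", give_i={"Pt1", "Pt2"})
    except ValueError:
        return True
    return False


def reused_pids(observations, min_separation_m=50.0):
    """Peer-side check without the RA: a pseudonym heard at the same time from
    two positions further apart than one vehicle can span is in use by more
    than one vehicle. observations: iterable of (t_ms, pid, x_m)."""
    seen, flagged = {}, set()
    for t, pid, x in observations:
        for x_other in seen.setdefault((t, pid), []):
            if abs(x - x_other) > min_separation_m:
                flagged.add(pid)
        seen[(t, pid)].append(x)
    return flagged


if __name__ == "__main__":
    print("one exchange, GPA attributions (correct, wrong):", iba_scenario(False))
    print("two exchanges, GPA attributions (correct, wrong):", iba_scenario(True))
    print("ITA re-offer rejected by RA ledger:", ita_scenario())
    # constructed overheard beacons: Pt1 heard at x=0 and x=800 at the same instant
    print("reused pseudonyms:", reused_pids([(5, "Pt1", 0.0), (5, "Pt1", 800.0), (5, "P2a", 300.0)]))
```

The ledger's `records` list plays the role of the chapter's TimeRecord: because each entry names both parties and the sets they handed over, the RA can still resolve any pseudonym to its real holder after an arbitrary chain of exchanges, which is the conditional-tracking requirement of Section 8.2.3.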
8.2.3 Location privacy requirements
To preserve the location privacy of vehicles in vehicular social networks against the four types of adversaries mentioned previously, the following requirements should be satisfied [19].

Identity privacy: Identity privacy is a prerequisite for location privacy. Each vehicle should use pseudonyms instead of its real identity to broadcast safety messages, so that its identity is preserved.

Changing pseudonyms: Each vehicle should periodically change its pseudonyms to weaken the link between its former and later locations. The vehicles should choose appropriate times and locations for these periodic changes so as to avoid continuous adversary tracking.

Conditional tracking: Location privacy should be conditional in this chapter. The pseudonyms of vehicles should be trackable by the trusted registration authority (RA). The RA is capable of disclosing the real identity as well as the location of any vehicle in the VSN, so that the RA can hold adversaries accountable for illegal activity.
In the following section, a location privacy-preserving scheme, which achieves the above requirements, is proposed and discussed for VSNs.
8.3 Proposed Location Privacy Preservation Scheme: MixGroup
In this section, we present the design of MixGroup for preserving the location privacy of vehicles in VSNs. Our discussion begins with the characteristics of vehicular social networks and two interesting and intuitive observations from real vehicle traces. The notation used in this chapter is listed in Table 8.1.
Table 8.1 Standard definition of symbols used in this chapter

Notation                          Description
v_i                               The i-th vehicle in the VSN.
PID_{i,k}                         The k-th pseudonym of vehicle i. Each vehicle has w pseudonyms, {PID_{i,k}}_{k=1}^{w} = {PID_i}.
G_j                               The j-th group of vehicles in the VSN.
GL_j                              The group leader of the j-th group in the VSN.
GID_j                             The identity of the j-th group.
SK_{G_j,i}, Cert_{G_j,i}          Group private key of group G_j and the corresponding certificate for vehicle i.
{x}                               A set with element x.
L^s_{v_i}                         The s-th location of vehicle v_i.
C^k_{v_i}                         The k-th exchange location of vehicle v_i.
i → j                             Vehicle v_i sends a message to v_j.
x||y                              Element x concatenated with y.
RSU_k                             The k-th RSU in the VSN.
PK_i, SK_i, Cert_i                Public and private key pair of vehicle v_i and the corresponding certificate.
PK_i', SK_i', Cert_i'             Public and private key pair of vehicle v_i's temporary identity and the corresponding certificate.
PK_{e,i}, SK_{e,i}, Cert_{e,i}    Public and private key pair of vehicle v_i for pseudonym exchange and the corresponding certificate.
E_{PK_x}(m)                       Encryption of message m with the public key of entity x.
E_{SK_x}(m)                       Encryption of message m with the private key of entity x.
Sign_{SK_x}(m)                    Digital signature on message m with the private key of entity x.
dual-signature_{i→j}              Dual signature from vehicle v_i and vehicle v_j.
TimeRecord                        Time record of a pseudonym-exchange event.