Location Privacy Preservation in Database-driven Wireless Cognitive Networks through Encrypted Probabilistic Data Structures (IEEE 2017).

ABSTRACT:

In this paper, we propose new location privacy preserving schemes for database-driven cognitive radio networks (CRN s) that protect secondary users’ (SU s) location privacy while allowing them to learn spectrum availability in their vicinity. Our schemes harness probabilistic set membership data structures to exploit the structured nature of spectrum databases (DBs) and SU s’ queries. This enables us to create a compact representation of DB that could be queried by SU s without having to share their location with DB, thus guaranteeing their location privacy. Our proposed schemes offer different costperformance characteristics. Our first scheme relies on a simple yet powerful two-party protocol that achieves unconditional security with a plausible communication overhead by making DB send a compacted version of its content to SU which needs only to query this data structure to learn spectrum availability. Our second scheme achieves significantly lower communication and computation overhead for SU s, but requires an additional architectural entity which receives the compacted version of the database and fetches the spectrum availability information in lieu of SU s to alleviate the overhead on the latter. We show that our schemes are secure, and also demonstrate that they offer significant advantages over existing alternatives for various performance and/or security metrics. Index Terms—Database-driven spectrum availability, location privacy preservation, cognitive radio networks, set membership data structures.

INTRODUCTION:

Cognitive radio networks (CRN s) have emerged as a key technology for addressing the problem of spectrum utilization inefficiency [2]–[8]. CRN s allow unlicensed users, also referred to as secondary users (SU s), to access licensed frequency bands opportunistically, so long as doing so does not harm licensed users, also referred to as primary users (PU s). In order to enable SU s to identify vacant frequency bands, also called white spaces, the federal communications commission (FCC ) has adopted two main approaches: spectrum sensingbased approach and geo-location database-driven approach. In the sensing-based approach [9], SU s themselves sense the licensed channels to decide whether a channel is available prior to using it so as to avoid harming PU s. In the databasedriven approach, SU s rely on a geo-location database (DB) to obtain channel availability information. For this, SU s are required to be equipped with GPS devices so as to be able to query DB on a regular basis using their exact locations.

SYSTEM MODEL AND SECURITY ASSUMPTIONS:

We first consider a CRN that consists of a set of SU s and a geo-location database (DB). SU s are assumed to be enabled with GPS and spectrum sensing capabilities, and to have access to DB to obtain spectrum availability information within its operation area. To learn about spectrum availability, a SU queries DB by including its location and its device characteristics. DB responds with a list of available channels at the specified location and a set of parameters for transmission over those channels. SU then selects and uses one of the returned channels. While using the channel, SU needs to recheck its availability on a daily basis or whenever it changes its location by 100 meters as mandated by PAWS [10]. We then investigate incorporating a third entity to the network along with DB and SU s. This entity, referred to as query server (QS), has a dedicated high throughput link with DB. QS is used to guarantee computational location privacy while reducing the computational and communication overhead especially on SU s’ side.

SET MEMBERSHIP DATA STRUCTURES:

Our proposed privacy-preserving schemes utilize set membership data structures to exploit the highly structured property of DB. There are several data structures that are designed for set membership tests, e.g. bloom filter [32], cuckoo filter [33], etc. However, in this paper, we opt for cuckoo filter as the building block of our schemes. We use cuckoo filter to construct a compact representation of the spectrum geolocation database as explained in Sections V-A & V-B. What motivates our choice is that cuckoo filter offers the highest space efficiency among its current well known alternatives, such as bloom filters. Besides, it has been proven to be more efficient than these alternatives especially for large sets.

PROPOSED SCHEMES:

Our proposed privacy-preserving schemes utilize set membership data structures to exploit the highly structured property of DB. There are several data structures that are designed for set membership tests, e.g. bloom filter [32], cuckoo filter [33], etc. However, in this paper, we opt for cuckoo filter as the building block of our schemes. We use cuckoo filter to construct a compact representation of the spectrum geolocation database as explained in Sections V-A & V-B. What motivates our choice is that cuckoo filter offers the highest space efficiency among its current well known alternatives, such as bloom filters. Besides, it has been proven to be more efficient than these alternatives especially for large sets.

SECURITY ANALYSIS:

We construct a history list H of each entity’s knowledge about SU s’ information during the execution of LPDB. SU . A SU cannot learn anything about other SU s information nor the filters {CFi,t} n−1,tf i=1,t=t0 that they receive from DB as the communication between each SU and DB is secured, i.e. HSU = ∅. Note that, even if, a SU would learn the filters of other SU s, i.e. HSU = {CFi,t} n−1,tf i=1,t=t0 , HSU includes no information about SU s’ location. DB. In Step 1 of Algorithm 1, DB learns HDB = {char} n i=1 which contains the characteristics of the querying SU s. HDB may include information like frequency ranges in which SU can operate, antenna characteristics, etc. This information is not related to the querying SU s’ location. This shows that the knowledge that DB gains during the execution of LPDB does not allow it to infer SU s’ location when they try to learn about spectrum opportunities. LPDB offers an unconditional privacy in the sense that DB’s knowledge about SU s’ location, during the execution of LPDB, does not increase compared to its initial knowledge, which is necessarily the coverage area of DB.

EVALUATION AND ANALYSIS:

In this section, we evaluate the performance of our proposed schemes. We consider that DB’s covered area is modeled as a √ m × √ m grid that contains m cells each represented by one location pair (locX ,locY ) in DB. We use the efficient cuckoo filter implementation provided in [41] for our performance analysis with a very small false positive rate  = 10−8 and a load factor α = 0.95. In addition, since personal/portable TVBD devices of SU s can only transmit on available channels in the frequency bands 512 − 608 MHz (TV channels 21−36) and 614-698 MHz (TV channels 38−51), this means that users can only access 31 white-space TV band channels in a dynamic spectrum access manner [42]. Therefore, in our evaluation we set the number of TV channels s = 31. Since in practice, at a given time, only a percentage of DB’s entries contains available channels, we have ran an experiment to learn what a realistic value of this percentage might be. We denote this percentage (averaged over time and space) as %. We have used the Microsoft online white spaces database application [36] to identify and measure % by monitoring 8 different US locations (Portland, San Faransico, Houston, Miami, Seattle, Boston, New York and Salt Lake City) for few days with an interval between successive measurements of 3 hours. Our measurements show that % is about 6.8%.

CONCLUSION:

In this paper, we have proposed two location privacy preserving schemes, called LPDB and LPDBQS, that aim to preserve the location privacy of SU s in database-driven CRN s. They both use set membership data structures to transmit a compact representation of the geo-location database to either SU or QS, so that SU can query it to check whether a specific channel is available in its vicinity. These schemes require different architectural and performance tradeoffs.