a novel delay-aware and privacy preserving (dapp) data ...renjian/pubs/tvt2415515.pdf · ticipating...

1

A Novel Delay-Aware and Privacy Preserving(DAPP) Data Forwarding Scheme for Urban

Sensing NetworkDi Tang, Jian Ren Senior Member, IEEE

Abstract—Security, communication delay and delivery ratioare essential design issues in urban sensing networks. To addressthese three issues concurrently, we propose a novel delay-awareprivacy preserving (DAPP) transmission scheme based on acombination of two-phase forwarding and secret sharing. InDAPP, the collected data is first split into pieces and then eachpiece is relayed to an application data server by randomlyselected intermediate delivery nodes. The two-phase forwardingmethod detaches the connection between the application dataserver and the source node, which renders it infeasible for theapplication data server to estimate the source node identity.The underlying secret sharing scheme and dynamic pseudonymensure confidentiality of the collected data and anonymity of par-ticipating users. Through DAPP, we can also verify data integrityin hostile networks. Moreover, DAPP provides a frameworkto achieve a design trade-off among security, communicationdelay and delivery ratio. The security analysis demonstratesthat DAPP can preserve location privacy while defending againstside information attack. Our theoretical analysis and numericalresults show that the three design issues can be adjusted to meetvarious security and practical implementation goals.

Index Terms—Mobile service, urban sensing, privacy-preserving, delay-aware

I. INTRODUCTION

RECENT technological advances make urban sensing net-works technically and economically feasible to be widely

used in civilian applications, such as monitoring of urban envi-ronment, traffic condition and patient care. Urban sensing, alsoknown as participatory sensing, relies on sensors embedded inhuman-carried mobile devices or vehicular electrical devicesto collect and report the sensing data. The ubiquitous electricaldevices carried by human and vehicles are gradually replacingthe traditional static sensor networks for many urban areaapplications.

Participatory sensing networks differ significantly from tra-ditional wireless sensor networks. First, participatory sensornodes are embedded in rechargeable mobile devices, such assmart phone, iPad, laptop and auto computer. The powerfulresources equipped in these devices enhance their capabilitiesin computation, sensing, data storage, reliable data commu-nication, and energy lifetime dramatically. Hence, the energy

Copyright (c) 2015 IEEE. Personal use of this material is permitted.However, permission to use this material for any other purposes must beobtained from the IEEE by sending a request to [email protected].

This work was supported in part by the NSF under grants CNS-0845812,CNS-1117831, CNS-1217206, and ECCS-1232109.

The authors are with the Department of Electrical and Computer En-gineering, Michigan State University, East Lansing, MI 48824. Email:{ditony,renjian}@msu.edu

efficiency is no longer as critical as in traditional wirelesssensor networks. Second, in urban sensing networks, sensingdata collection and reporting no longer rely on fixed infrastruc-ture. The data can be forwarded by mobile nodes to the sinkeither directly or indirectly in multiple hops. Due to mobility,network topology structure constantly changes, which makesend-to-end communication delay, message delivery ratio andquality of service (QoS) some of the most essential perfor-mance evaluation metrics in urban sensing networks. Third,these devices are owned and operated by individuals. Insteadof being only data consumers, these devices could also collectsensing data. It makes data collection more directly relatedto people’s lives and hence privacy becomes one of the majorconcerns for participating users. In fact, the data collecting andreporting services put users privacy in jeopardizing since boththe delivery nodes and the wireless access points are able toidentify the data owner through direct communications. Theuploaded data is collected with spatial-temporal informationwhich may be used to extract or infer sensitive and privateinformation of the users. As a result, location information andside information may be correlated to recover the trajectoryof participating users.

The unique nature of participatory sensing networks createsnew security and performance requirements. In this paper, wepropose a decentralized data forwarding scheme to preservetrajectory privacy of participating users based on secret sharingand dynamic pseudonym. DAPP provides a design trade-off framework to address security, communication delay anddelivery ratio based on the selection of an (k, n) secret sharingscheme. We provide quantitative analysis on security, com-munication delay, and delivery ratio based on the parametersettings.

Our contributions in this paper can be summarized asfollows:

1) We propose a delay-aware privacy preserving (DAPP)data forwarding scheme to protect trajectory privacy ofparticipant users in urban sensing networks.

2) We devise a secret sharing based secure message deliv-ery option that can provide data integrity verification ofthe recovered data and maximize the message deliveryratio by introducing redundancy to the reported data.

3) We present a dynamic pseudonym scheme to defendagainst side information attacks.

4) The proposed scheme is able to achieve a trade-offamong security, communication delay and delivery ratiothrough adjustable parameters.

This is the author's version of an article that has been published in this journal. Changes were made to this version by the publisher prior to publication.The final version of record is available at http://dx.doi.org/10.1109/TVT.2015.2415515

Copyright (c) 2015 IEEE. Personal use is permitted. For any other purposes, permission must be obtained from the IEEE by emailing [email protected].

2

5) We quantitatively analyze performance of the proposedscheme on security, communication delay and deliveryratio.

The rest of this paper is structured as follows. In Section II,the related work is reviewed. The system model is described inSection III. The proposed scheme is presented in Section IV.In Section V, security analysis of the proposed scheme isconducted. Section VI provides performance analysis andnumerical results. We conclude in Section VII.

II. RELATED WORK

The participatory sensing concept was first proposed in [1].It was further extended to urban sensing and people-centricsensing in [2]. The key idea for participatory sensing is that thenetwork relies on people carried mobile devices to collect thedata sensed in urban area. Urban sensing network has also beenintroduced to vehicular sensing platform [3], [4] to monitortraffic conditions in urban areas. This network provides aflexible method to collect valuable environmental information.However, it also raises significant privacy concerns.

Location privacy for urban sensing networks was first dis-cussed in [5]. The main idea is to blur location informationbased on tessellation and clustering against adversaries. Thereported data is aggregated to enhance privacy protection [6],[7]. PriSense was designed based on slicing and mixing [7].The sensed data is divided into pieces and randomly dissemi-nated to cover nodes. At the cover nodes, the reported datais aggregated and reported to the server. This method caneffectively preserve the identity privacy, however, it can onlyprovide statistical sensing results for data users.

Mix-zones with pseudonym was proposed in [8], [9]. Toconceal real identities and accomplish k-anonymity within themix-zone, a trusted third party randomly assigns pseudonymsto the data reporters when they enter into or departure fromthe mix-zone. Nevertheless, mix zones cannot be placed overthe entire network to provide service for data collectors.

Spatial cloaking [10] was proposed to enable data collectorsto adjust the resolution of location information along spatialor temporal dimensions to avoid exposure of user’s exactlocation. This methodology was further studied in [11]–[14] toderive a trade-off between QoS and anonymity. Unfortunately,the privacy protection is achieved by sacrificing the resolutionof either spatial or temporal dimensions.

Dummy location was studied in [15]–[17]. The fundamentalidea is to report dummy locations to conceal the actual locationof the reported data. Suppression based techniques [18] wasalso proposed to blur the reported locations by converting thedatabase of trajectories. In these methods, the privacy can beprotected by obscuring the exact locations, which may induceinformation loss for data service.

Encryption based algorithms and data exchange schemes areproposed in [19]–[21]. In [19], the sensed data is encryptedand disseminated to replica sensors. The replica sensors thenstore the received data and relay it upon receiving inquiries.As a consequence, the source node identity can be concealedby the replica sensors. Nevertheless, the shared key mayeither help the operator to identify the source node or enable

the malicious replica nodes to decrypt the data readings.In [20], the collected sensing readings are exchanged betweenparticipants within wireless communication range. The datacan be exchanged multiple times to prevent adversaries fromcorrelating the data and its identity. [22] proposed to forwardthe collected data from friends to friends of the source useruntil the required number of hops has been reached. In theseschemes, source node may be directly identified by interme-diate nodes through wireless communications. Additionally,malicious intermediate nodes can also reveal and tamper withdata contents through the forwarding procedure. There is littleflexibility in delivery ratio when the data is being dropped ortampered with.

III. MODELS AND ASSUMPTIONS

A. System Model

Urban sensing network relies on a set of sensor nodesembedded in mobile devices or vehicular systems for datasensing and reporting. These devices can get wireless Internetaccess intermittently through wireless access points (APs) inthe sensing area. The APs, such as WiFi access points, maybe owned and operated by the government, organizations orindividuals. They are directly connected to the applicationdata server. In this network, the surrounding environmentinformation is collected by the participating mobile devicesand eventually sent to the application data server.

The application data server provides environmental sensingservices for data consumers and disseminates the requestedtasks to mobile devices carried by participants. Mobile devicescan join the system at will to participate in data sensing. Theyare required to report the collected data to the applicationdata server once they accept tasks. To provide precise servicesto data consumers, the data is required to be collected withspatial-temporal information. Here we may use the term “re-port location” to indicate the spatial-temporal information. Thedata format is {pID, (x, y), Td}, where pID is the pseudonymof the data source, (x, y) is the coordinator where data iscollected, and Td is the collecting time. This informationmay divulge details about the participating user’s location.Due to characteristics of opportunistic sensing and physicalinfrastructure of the network, we only deal with sensing datathat is delay tolerant.

B. Adversary Model

Our adversary model is similar to [6]. It can be summarizedas follows:• The adversary can be any parties in the network, includ-

ing individual sensing nodes, wireless access points, andeven the application data servers.

• Adversaries are generally assumed to be honest butcurious. We also assume that they may drop or tamperwith the reported data due to their own interests.

• The collected data is eventually forwarded to the applica-tion data server, which enables it to disclose their reportedlocation. The application data server may try to uncoversource identities of the received data and the trajectory.



3

• The participating user list is kept secret to delivery nodesand public, however, the application data server canaccess the list due to its administrative right.

• Intermediate delivery nodes can obtain the sourcepseudonym of their received data. They may collude toobtain the location privacy information or forge collecteddata to fool the application data server.

C. Side Information Attack

Side information attack includes both direct side informa-tion attack and indirect side attack. The direct side informationrefers to the information that an adversary can acquire basedon direct access to the communication. In our case, the directside information may include information {pID, (x, y), Td} ofa particular event. In particular, the adversary can record theset of identities I appear within its communication range.The nature of wireless communications makes adversary ableto extrapolate the source node located within its communica-tion range. If I is small enough by combining direct sideinformation obtained, the adversary may derive the actual IDand correlate it to the pID.

The indirect side information is defined as the informationthat an adversary can obtain through indirect channels, suchas media, video and web blog published on the internet, of aparticular event. In DAPP scheme, an adversary may receivedata d, which contains {pID, (x, y), Td}. To derive the actualsource identity ID of pID, it may search through the publicdomain to find the people who have visited location (x, y)at time Td. In this way, the adversary may either completelyidentify the actual ID or limit it to a smaller subset.

D. Mobility Model

In urban sensing networks, sensor nodes are embedded inthe mobile devices carried by people or vehicles. In this paper,we apply the Manhattan street pedestrian model describedin [23]. The analysis for vehicular networks is similar based onmobility mode presented in [24]. The Manhattan street modelis proposed to emulate the movement pattern of pedestrian onthe streets. In this model, sensor nodes move on a two-waystreet segment. The street segment can be modeled as a realstreet between two intersections. The arrivals and departuresof mobile nodes occur at the endpoints of the street segment.The velocities of the mobile sensor nodes are independent andidentically distributed (iid) random variables with a probabilitydensity function fv(v). The direction and speed of a noderemain constant in one segment. Participating users arriving atboth endpoints can be modeled as a Poisson Process [25]. Thetotal arrival rate is denoted as λ. At each endpoint, the mobilenode may alter its direction with a predetermined probability.The four directions at a cross road are expressed as f(orward),l(eft), r(ight) and b(ackward), respectively. The probability forgoing these directions at the intersection are Pf , Pr, Pl, Pb.This model assumes that communications between two nodesin different street segments is not possible. As a result, anexisting connection breaks at the endpoints.

E. Design Goal

Our design goals can be described as follows:• Adversaries should not be able to obtain real identities of

participating users without side information.• The malicious delivery node should not be able to dis-

cover spatial-temporal information of the reported data.• Adversaries should not be able to recover data trajectory

by collecting side information.• The proposed scheme should provide data integrity veri-

fication for the recovered data.• The proposed scheme should be able to provide high

delivery ratio in case some data pieces are dropped ortampered with by malicious delivery nodes.

• The proposed scheme should provide flexibility and di-versity in protocol design.

IV. THE PROPOSED DAPP SCHEME

In this section, we present a novel delay-aware privacy-preserving (DAPP) data reporting scheme based on a combina-tion of Shamir’s secret sharing [26] and two-phase routing. Itcan ensure data confidentiality and also provide a data integrityverification option for the reported data. We also propose adynamic pseudonym scheme to guarantee anonymity of thesource node.

A. Overview of the Proposed Privacy Scheme

To transmit collected data, the source node generates ndata pieces from the collected data based on the Shamir’ssecret sharing scheme. It then generates a unique pseudonymfor each data piece as its identity to conceal the sourceinformation. The data pieces are then forwarded to n randomlyselected participating users, named as delivery nodes, withinthe communication range. Delivery nodes relay the receiveddata pieces to the application data server through nearby APs.Upon receiving k or more data pieces, the application dataserver is able to reconstruct the original collected data. Toensure integrity of the recovered data, both the original dataand its hash value will be transmitted together.

B. Secret Sharing

In Shamir’s (k, n) secret sharing scheme, to share a secretS, the secret holder picks a random k − 1 degree polynomialf(x) = a0 + a1x+ a2x

2 + · · ·+ ak−1xk−1 over a finite field

Zq , where a0 = S and q > max(S, n) is a prime number.H generates n data pieces Si = (i, f(i)), i = 1, · · · , n. Thesecret holder distributes the n data pieces to n individual users.

The secret S can be recovered by k or more availabledata components using Barycentric Lagrange Interpolation.The computational complexity to recover the secret S is onlyO(n). More specifically, for k available data components, Scan be recovered as follows:

1) For any k out of n secret pieces (i, f(i)), without loss ofgenerality, we assume i = 0, · · · , k − 1. Define l(x) =(x− x0)(x− x1) · · · (x− xk−1).



4

2) Compute the weight

wj =1∏k

i=0,i6=j(xj − xi). (1)

3) Letlj(x) = l(x)

wjx− xj

and

L(x) = l(x)

k∑j=0

wjx− xj

yj . (2)

4) The shared secret is S = L(0).

C. Dynamic Pseudonyms

Pseudonyms have been widely used to prevent adversariesfrom obtaining source identities. However, adversaries mayuse side information to link multiple pseudonyms or correlatethe pseudonyms to the actual identity. To solve this problem,we propose a new method to generate dynamic pseudonymsusing an ID-hash-chain. Instead of simply using hash func-tions, we enable the source node to employ a secret key in thehash chain.

Suppose ID is the real identity of a participating user. Toconceal it, the user replaces ID with a dynamic changingpseudonym pIDi for each message transmission, where i isrelated to the order of message. Each pseudonym is gen-erated using a one way hash function H(·) based on theprevious pseudonym and the secret key. The ID-hash-chain{pID1, pID2, ...} for the participating user ID is generated asfollows:

pID1 = H(ID,K)

pID2 = H(pID1,K)

· · ·

where K is a secret key of the message source. Withoutknowing the secret key and the real identity, establishing alinkage between pseudonyms, or between a pseudonym andthe real identity are both infeasible.

D. DAPP Scheme

In DAPP, to ensure security of the reporting data d, wegenerate n data pieces based on Shamir’s secret sharingscheme. Each data piece is then forwarded to a randomlyselected delivery node. In this way, the original data can beconcealed among n trustworthy secret holders. The shareddata d can be recovered by any k or more data pieces.Since we assume the delivery nodes may tamper with thereporting data, the application server may receive incorrectdata pieces. Therefore, the application data server may not beable to recover the original data. To deal with this issue, theproposed scheme is designed to be able to verify integrity ofthe recovered data.

We assume the source node H has data d to transmit. It firstcomputes the hash value H(d), where H(· ) is a one way hashfunction. d and H(d) are treated as two independent secretdata pieces. We randomly select two (k, n) secret sharing

schemes to share d and H(d) separately. The polynomialcomputation is operated over Zq . The procedure is describedas follows:

1) H chooses a prime q > max(d, n).2) H constructs two coefficient sets,A and B. Each set con-

tains k − 1 randomly selected coefficients, A = {a0 =d, a1, ..., ak−1} and B = {b0 = H(d), b1, ..., bk−1} fromZq .

3) H generates two random polynomials over Zq as fol-lows:

fa(x) =

k−1∑i=0

aixi, (3)

fb(y) =

k−1∑i=0

biyi. (4)

4) H computes n components fa(i), fb(i) from d andH(d), respectively, i = 1, · · · , n.

5) The ith data piece for d and H(d) is (i, fa(i), fb(i)),i = 1, · · · , n.

The proposed data distribution scheme is summarized inAlgorithm 1.

Algorithm 1 Data Distribution1: Choose a prime q > max(d, n).2: Construct two coefficient sets A and B from Zq randomly.3: Based on A and B, construct two polynomials fa(x) =∑k−1

i=0 aixi, and fb(y) =

∑k−1i=0 biy

i over Zq to share dand H(d), respectively, as two secret values.

4: Compute n data pieces di = (i, fa(i), fb(i), q), i =1, · · · , n.

5: Generate a pseudonym pID for d using ID-hash-chain.6: for each i ∈ [1, n] do7: Send di to a randomly selected neighboring node Mi.8: Insert an interval tα before sending di+1.9: The neighboring node Mi forwards di to a wireless

access point.10: end for

DAPP includes two phases in data forwarding. In thefirst phase, the generated n data pieces are distributed to nrandomly selected delivery nodes before being relayed to theapplication server. The data source may choose to add a timeinterval tα between transmissions of two consecutive datapieces. A properly selected tα can effectively control the prob-ability for any single delivery node to receive multiple datapieces, especially in sparse networks. Since delivery nodesmay not be completely trusted, integrity of the reconstructeddata has to be verified. The reconstruction algorithm followsthe Barycentric Lagrange Interpolation defined in equation (1)and equation (2). It is described in Algorithm 2.

V. SECURITY ANALYSIS

Source privacy information can be specified by two equallyessential parts: spatial-temporal information and identity in-formation. Only when both are exposed, the complete privacyinformation is disclosed.



5

Algorithm 2 Data Reconstruction and Verification1: Suppose the server has received at least k out of n data

pieces (i, fa(i), fb(i)) for data (d,H(d)).2: The application data server reconstructs the original data

using the Barcentric Lagrange Interpolation algorithmdescribed in Equations (1) and (2).

3: The application data server verifies integrity of the recon-structed data by checking whether D = H(d) holds true.

In this section, we will provide quantitative analysis thatDAPP can provide both identity and spatial-temporal infor-mation from being disclosed to adversaries. We first introduceseveral definitions and metrics.

A. Definitions and Security Metrics

Definition 1 (Identity information leakage). The identity in-formation leakage for data d is defined as the probability thatan adversary is able to derive the source identity dI of data d.We denote it as P (dI).

Definition 2 (Location information leakage). The locationinformation leakage for data d is defined as the probability thatan adversary is able to derive the spatial-temporal informationdL of data d. The probability is denoted as P (dL).

To measure identity information loss of the received data,we introduce mutual information.

Definition 3 (Identity information loss). Let X be the set ofpossible identities estimated by adversaries prior to receivinga message, and Y be the set of estimated source identitiesafter receiving the message. The identity information lossfor forwarding the message event is defined as the mutualinformation between the X and Y . That is

I(X;Y ) = H(Y )−H(Y |X). (5)

Notice that source privacy information consists of bothspatial-temporal information and its correlated identity. Weintroduce the following metric to measure the joint informationloss.

Definition 4 (Joint information leakage). The joint identityand location privacy information leakage PT for data d isdefined as the joint probability that the adversary obtains thespatial-temporal information and the identity of data d:

PT (d) = P (dL, dI) = P (dL|dI)P (dI) = P (dI |dL)P (dL), (6)

where dI and dL denote the the identity and location infor-mation of data d, respectively.

B. Identity Information Loss

The identity Information loss can be derived by the follow-ing theorem.

Theorem 1. Assume an adversary is able to limit the messagesource node to a potential subset Y ⊂ X attack after receivinga message. Then the identity information loss is

I(X;Y ) = log |X| − log |Y |, (7)

where |X|, |Y | denote the cardinalities of X and Y , respec-tively.

Proof: In set X , if each node can be the source node withequal probability, then the probability for each node in the setto be selected as the source node is 1

|X| . After a message isreceived, the adversary may limit the message source node toset Y . If each node in set Y can be the source node with equalprobability, the probability for each node in Y to be selectedas the source node is 1

|Y | . The identity information loss canbe calculated by the following equation:

I(X;Y )=H(X)−H(X|Y )

=−∑

p(x) log p(x) +∑y∈Y

p(y)∑

p(x|y) log p(x|y)

=−|X| · 1

|X|log

1

|X|+∑y∈Y

p(y)(|Y | · 1

|Y |log

1

|Y |)

=log |X| − log |Y |.

1) Without Side Information Attack: For security attackwithout side information, based on Definition 1, Definition 3and Theorem 1, we have the following corollary.

Corollary 1. The proposed DAPP scheme can achieve uncon-ditional message source privacy protection for participatingusers under message ID based attack. That is the set ofpossible source node X prior to data transmission is thesame as the set of the possible source node Y after messagetransmission. As a result, we have I(X;Y ) = 0.

Proof: DAPP introduces a two-phase message forward-ing: distribution of data pieces to randomly selected deliverynodes, and message forwarding to the application serverthrough the APs. Assume an adversary receives a data piecedi with a unique pseudonym pID. Prior to receiving di, thepotential set for data source can be arbitrary nodes in the entireset of the population in the urban area of the delivery nodessince they are not entitled to access the list of the participatingusers. For the application data server, since it has access to theparticipating user list, the priori estimated set is the same asthe participating users.

Through message forwarding, the adversary obtains pIDinstead of ID of di. The proposed dynamic pseudonym makesit infeasible for adversaries to derive ID from pID withoutsecret key K. Hence, the posterior estimated identity setY based on message forwarding event is also equal to X .Therefore, I(X;Y ) = 0.

2) Side Information Attack: Side information attack isenvisioned as one of the major threats to data privacy. It maydivulge part or even the entire source identity information.

Corollary 2. For DAPP, through direct side informationattack, the identity information loss to the delivery node (ID),the AP (IS) and the application data server (IA) can bederived as follows:

ID(X;Y ) = log |X| − log |Y |, (8)

IS(X;Y ) = IA(X;Y ) = 0, (9)



6

where |X|, |Y | denote the cardinalities of X and Y , respec-tively.

Proof: Direct side information is obtained through trafficmonitoring during message forwarding. The data pieces arerelayed to the application data server by randomly selecteddelivery nodes. The application data server and APs maypossibly collect direct side information only about deliverynodes rather than the source node. Therefore, they are unableto reduce the size of X . As a consequence, X = Y . Therefore,we have

IS(X;Y ) = IA(X;Y ) = 0. (10)

The potential event set X is the same as the total populationin the network. Since the delivery node can acquire direct sideinformation about the source node, after the message is beingtransmitted, the delivery node may be able to limit the messagesource to a subset Y , which is equal to the population in thecommunication rage of source. Based on Theorem 1, we have

ID(X;Y ) = log |X| − log |Y |.

Corollary 3. Through indirect side information attack, theidentity information loss to the delivery node, the AP and theapplication data server can be derived as follows:

IS(X;Y ) = log |X| − log |Y |, (11)ID(X;Y ) = IA(X;Y ) = 0. (12)

Proof: The indirect side information can be used to derivethe source identity by exploring the matched spatial-temporalinformation through public information. The key procedureof this attack lies in the recovery of the reported location{(x, y), Td} in d. However, DAPP applies secret sharing toensure confidentiality, which makes it infeasible to reveal thedata content by single data piece. Thus, neither an AP nor adelivery node can reveal the source identity of the receiveddata piece. The identity information loss to them is

ID(X;Y ) = IA(X;Y ) = 0. (13)

In addition, data pieces are eventually sent to the applicationdata server, which enables it to recover the reported location.Due to access right, application data server can acquire theparticipating user list, thus, the estimated identity set X isequal to the list of participating users. Based on indirect sideinformation, it can limit X into a subset Y , which is dependedon the accuracy of indirect side information.

IS(X;Y ) = log |X| − log |Y |.

C. Location Information Leakage

Spatial-temporal information is equally essential for sourceprivacy. In the subsequent analysis, we will discuss the loca-tion information leakage of DAPP. We first prove that the datadistribution process follows Poisson process.

Theorem 2. The process of data distribution in the firstforwarding phase of the proposed DAPP scheme is a Poissonprocess.

Proof: See Appendix.1) The Location Information Leakage to Individual Deliv-

ery Node: In this paper, Manhattan street model is appliedto analyze the location information leakage to a maliciousdelivery node. In this model, we denote ` as the length ofa street segment. Assume S is the source node and M is amalicious node. vS and vM are the velocities of S and M ,respectively. Denote the probability density function for v asf(v). Let tM be the time duration that a malicious node staysin the source node communication range ∆. Then we havetM = 2∆

z , where z = |vM − vS |. We also use P (tM > ktα)to denote the probability that a sensor node stays in the sourcenode communication range at least ktα seconds. Let PM be theprobability that a malicious node M is selected as the deliverynode in one data piece distribution, and c be the number oftimes that M has been selected as the delivery node.

Theorem 3. Assume velocities of the malicious node and thesource node are two independent and identically distributed(i.i.d.) random variables, then the location information leakageto the malicious delivery node can be derived as follows:

PD(dL) =

ˆ 2∆ktα

− 2∆ktα

f(z)dz

×n∑i=k

(1

4

)b 2itαvS` c(n

i

)P iM (1− PM )n−i

,(14)

where f(z) is the joint probability density function of z =|vM − vS |.

Proof: Since the data content can be closely relatedto the reporting location, leakage of message content mayinadvertently expose the source location. To deal with thispotential security issue, DAPP utilizes secret sharing to ensuredata confidentiality by generating multiple seemingly mean-ingless data pieces and delivers each piece through a randomlyselected delivery node. In this way, the malicious node willnot be able to get the content of the data unless it is capableof collecting up to k or more data pieces.

There are two possible scenarios for a malicious node toobtain k data pieces: (i) The malicious node comes acrossthe data source node at least k times to collect the datapieces from the source node during the entire duration of themessage transmission; and (ii) The malicious node stays in thecommunication range of the source node at least ktα seconds.

In the first case, since velocities of the participating usersare independent, the spatial dependence degree of two arbitrarynodes is approximately 0 according to [27], which means thatthe probability for two nodes to meet for the second time isapproximate to 0 within a limited short time duration. Thus,probability for the first case can be viewed as 0.

The success of the malicious node is determined by thelikelihood of the second case. Assume f(z) is the joint



7

probability density function of z = |vM − vS |, then we have

P (tM ≥ ktα) = P

(2∆

z≥ ktα

)= P

(z ≤ 2∆

ktα

)=

ˆ 2∆ktα

− 2∆ktα

f(z)dz.

(15)

The success of case (ii) requires the malicious node tobe selected as the delivery node at least k times. In DAPP,the source node selects delivery nodes based on the principleof randomness, thus each node in the source communicationrange can be selected as delivery node with equal probabilityPM = 1

|X| , where |X| is the total number of participantsin the communication range of S. Based on Theorem 2, theprocess of the participating users’ arrival and departure canbe modeled as M/G/∞ based on Theory of Queues. In thismodel, the source node can be denoted as the service node.tM is actually the service time for a given participating user.Moreover, suppose λ is the arrival rate and T is the averageservice time. Hence, we can have

|X| = λ · T. (16)

Since ` is the length of of a street segment, we have tM ≤`

max[vS ,vM ] . Without loss of the generality, we may assumevS ≥ vM , then,

T = 2 ·ˆ ν

2∆vS`

2∆

zf(z)dz, (17)

where ν = Vmax − Vmin, Vmax and Vmin represent themaximum and minimum speed of the participating users.

The location information leakage in one street segment canbe described as the joint probability of tM ≥ ktα and c ≥ k.That is

PD(dL)=P (tM ≥ ktα, c ≥ k)

=P (tM ≥ ktα)P (c ≥ k | tM ≥ ktα)

=P (tM ≥ ktα)

n∑i=k

(n

i

)P iM (1− PM )n−i. (18)

In equation (18), all data pieces are assumed to be dis-tributed in one street segment. In fact, these data pieces maybe distributed in several streets. S and M may change theirvelocities at the endpoint of the street segment. Hence, Mcan stay in the communication range of S only if they movesin the same direction. To simplify the analysis, we assumethat the probability for each direction is equal to 1

4 . Thus, theprobability that S and M choose same direction at an endpointis equal to ( 1

4 )2. Therefore,

PD(dL) =P (tM > ktα)

×n∑i=k

(1

4

)b 2itαvS` c(n

i


.(19)

Combining equation (15) and equation (19), we can getequation (14).

From Theorem 3, we can derive the following corollary.

Corollary 4.lim

ktα→∞PD(dL) = 0. (20)

Proof: From equation (14), we have

PD(dL) =

ˆ 2∆ktα

− 2∆ktα

f(z)dz

n∑i=k

[(1

4

)b 2itαv0` c(n

i


]

≤ˆ 2∆

ktα

− 2∆ktα

f(z)dz ·(

1

4

)⌊2ktαvS

`

⌋.

(21)

Since both´ 2∆ktα

− 2∆ktα

f(z)dz and(

14

)⌊ 2ktαvS`

⌋are asymptoti-

cally equivalent to 0 as ktα → ∞. Therefore, we havelimktα→∞ PD(dL) = 0.

2) The Location Information Leakage to APs: In the secondforwarding phase, delivery nodes transmit the data pieces toAPs, which are assumed to be uniformly distributed in urbanarea. Thus, each AP has equal probability to receive the datapiece and we have the following corollary.

Corollary 5. The location information leakage to each APcan be computed by the following equation

PA(dL) =

n∑i=k

(n

i

)(1

η

)i(1− 1

η

)η−i, (22)

where η is the number of wireless APs in urban area. Fromthis equation, we can see that the location information leakageto delivery node and each AP is asymptotically equivalent to0 as k →∞.

D. Joint Identity and Location Privacy Information Leakage

We have discussed the identity information loss and thelocation information leakage separately. The results show thatthe delivery node may only obtain partial identity informationthat is insufficient to identify the data source. However, thereported location and the identity information may be depen-dent on side information attack. In order to elaborate privacyinformation loss, we further investigate privacy leakage whenthese two pieces are considered jointly.

Theorem 4. For the joint identity and location privacy infor-mation leakage, we have

limktα→∞

PDT = 0, (23)

limk=nn→∞

PAT = 0. (24)

Proof: Based on Definition 4, we have

PDT ≤ PD(dL), PAT ≤ PA(dL).

The equalities in above equations may hold if the adversarycan collect k or more data pieces through side informationattack. Thus, the joint identity and location privacy information



8

TABLE IJOINT PRIVACY INFORMATION LEAKAGE FOR COLLUSION ATTACKS, WHERE n=30

Collusionk = 5 k = 10 k = 15 k = 20 k = 25 k = 30

PC(dL) (%)1% 1.16× 10−3 2.50× 10−11 1.35× 10−20 2.73× 10−31 1.36× 10−43 1.36× 10−58

5% 1.56 1.16× 10−4 2.31× 10−10 1.76× 10−17 3.32× 10−26 9.31× 10−38

10% 17.5 4.54× 10−2 3.56× 10−6 1.11× 10−11 8.60× 10−19 1.02× 10−28

15% 47.6 9.66× 10−1 7.08× 10−4 2.14× 10−8 1.65× 10−14 1.92× 10−23

leakages to an AP and a delivery node are both dependent onthe parameters (k, n; tα). Based on Corollary 4, we have

limktα→∞

PDT ≤ limktα→∞

PD(dL) = 0.

From equation (22), the joint identity and location privacyinformation leakage to an AP can be derived as follows

0 ≤ limk=nn→∞

PAT ≤ limk=nn→∞

PA(dL) = limk→∞

(1

η

)k= 0.

Similarly, for the application server, we have the followingcorollary.

Corollary 6. For the application data server, the joint iden-tity and location privacy information under side informationattacks can be calculated by PST = 1

|Y | .

E. Participating Nodes Collusion

Participating users may conspire or share information toinfer privacy information of others. Assume there are κ (κ ≤k1) malicious nodes in the network, where k1 is the numberof delivery nodes in urban sensing networks. The probabilityfor an arbitrary delivery node to be malicious is κ

k1. Hence,

the location information leakage of the reported data d is

PC(dL) =

n∑i=k

(n

i

)(κ

k1

)i(1− κ

k1

)n−i. (25)

For each data piece di, the malicious delivery node mayrecord a potential identity set through traffic monitoring, I i ={ai0, · · · , ail}. As the direct side information can be shared,the colluding users could limit the source identity to be anelement in the intersection

⋂ki=0 I i. The joint identity and

location privacy information PCT for collusion attacks falls asthe location information leakage PC(dL) decreases. Based onequation (25), PC(dL) decreases to ( κk1

)k as k increases ton. Then, PCT can be asymptotically equivalent to 0 as k = nand k →∞. Therefore, we have the following corollary.

Corollary 7.

limk=nn→∞

PCT ≤ limk=nn→∞

PC(dL) = limk→∞

(κ

k1

)k= 0.

The numerical result is presented in Table I. It shows thatthe location privacy information leakage can be minimizedwith increasing k for a given n. Furthermore, with a propersetting on (k, n), DAPP can defend against collusion attackseven if there is a relatively high ratio of malicious deliverynodes.

F. Data Integrity

In reality, delivery nodes may drop, tamper with and forgethe received data due to their own interests. To deal with theseissues, DAPP provides a mechanism to verify the integrityof the received data. The application data server needs kuntampered data pieces to recover the original data d and D.In case that at least one data piece in the set of k pieces hasbeen tampered with, we should have H(d) 6= D. Therefore,the recovered data can detect whether the data set containsany corrupted data pieces as well as integrity of the recovereddata.

VI. PERFORMANCE EVALUATION AND SIMULATIONRESULTS

In urban sensing networks, QoS can be measured by com-munication delay and delivery ratio. In this section, we analyzethe communication delay and error rate of DAPP scheme.

A. Communication Delay

DAPP scheme includes two phases for data forwarding: dataforwarding from the source node to the delivery nodes, andfrom the delivery nodes to the application data server.

In the first phase, let the communication delay for the ith

data piece distribution is τi, which includes two parts. One partof the delay is introduced to encounter the ith delivery node,denoted as γi. Theorem 2 proves that the data distributionprocess is a Poisson process. Hence, γi should follow Γdistribution. The probability distribution function for γi isgiven by

fγi(t) = λe−λt · (λt)(n−1)

(n− 1)!, (26)

where λ is the arrival rate of the Poisson process. The secondpart is introduced by the inserted constant interval tα. For theith delivery node, the delay is equal to itα.

In the second phase, the delay is the time duration fromthe time that the delivery node receives a data piece until itreaches the next AP. Suppose the delivery node receives onedata piece at time t and T is the average time duration that thedelivery node travels from one AP to the next AP. The time tshould be uniformly distributed in the range of T . We denotethe delay in the second forwarding phase as ti for each datapiece di. The total communication delay Td can be computedas follows:

Td = min1→k{γi + ti + itα |i = 1, · · · , k}, (27)

where γi+ ti+ itα is the delay for the application data serverto receive the ith data component, and min1→k is the function



9

TABLE IITHE ERROR RATE FOR THE REPORTED DATA. n=30

PE(%) k = 5 k = 10 k = 15 k = 20 k = 25pe = 1% 2.64× 10−46 1.31× 10−33 1.27× 10−22 4.59× 10−13 4.83× 10−5

pe = 2% 1.70× 10−38 2.52× 10−27 7.31× 10−18 7.87× 10−10 2.51× 10−3

pe = 3% 6.20× 10−34 1.15× 10−23 4.19× 10−15 5.70× 10−8 2.33× 10−2

pe = 4% 1.05× 10−30 4.43× 10−21 3.65× 10−13 1.13× 10−6 1.06× 10−1

pe = 5% 3.35× 10−28 4.39× 10−19 1.13× 10−11 1.10× 10−5 3.28× 10−1

TABLE IIITHE AVERAGE COMMUNICATION DELAY AND JOINT INFORMATIONLEAKAGE FOR VARIOUS k, WHILE n = 30, λ = 100 AND tα = 20

λ = 1 Location CommunicationTα = 20 Leakage PDT (%) Delay(s)k = 5 2.37 648.7k = 10 2.29× 10−1 1201.6k = 15 3.11× 10−2 1749.4k = 20 5.20× 10−3 2300.7k = 25 9.67× 10−4 2852.3k = 30 2.10× 10−4 3418.2

to find the kth minimum value of a given set. Equation (27)shows that the overall delay is determined by k when it islarge. Table III gives numerical results for various k values.

B. Delivery Ratio

Due to the nature of the wireless communications, the mes-sage received may contain errors. Unreliable delivery nodesmay even drop the received data pieces for their own interests.To deal with this problem, the proposed scheme introducesredundancy to minimize the error rate for the reporting data.The underlying secret sharing scheme ensures the reporteddata can be recovered by receiving k or more valid datapieces. The extra n−k data pieces add redundancy that can beemployed for data recovery under erroneous scenarios. Let pebe the error rate or packet loss rate of a single data piece. Theoverall error rate PE for the reported data can be computedby the following equation:

PE =

n∑i=n−k+1

(n

i

)pie(1− pe)n−i. (28)

Based on equation (28), for a given n, the overall error rate PEdecreases when k reduces, and the overall error rate PE canbe minimized by increasing the number of redundant packets.Table II provides numerical results of the overall error rate forvarious k’s.

C. Trade-off Design and Numerical Simulation Results

In this paper, DAPP is designed to achieve trade-off amongseveral conflicting design issues in urban sensing networks.It leverages the relationship between configurable schemeparameters and system performance to provide flexible optionsfor system users. Based on equation (14) and equation (27),we have the following equations to determine joint information

leakage and communication delay:PDT = P (ts > ktα)

×∑ni=k

[(14

)b 2itαvS` c (n

i


]Td = min1→k{γi + ti + itα |i = 1, · · · , k},

(29)In equation (29), parameter tα is designed to prevent one

single delivery node from collecting multiple data pieces ina sparse network. It can be set according to the density ofpopulation. The two equations show the trade-off betweencommunication delay and security. For a given tα and n,the location privacy information leakage can be minimized byincreasing the value of k. On the other hand, when k increases,the communication delay also increases, as shown in Table IIIand Table IV.

Furthermore, for the trade-off between error rate and secu-rity, we have the following equations:

PDT = P (ts > ktα)

×∑ni=k

[(14

)b 2itαvS` c (n

i


]PE =

∑ni=n−k+1

(ni

)pie(1− pe)n−i.

(30)In equation (30), for a given tα and n, the error rate

can be minimized by decreasing k. However, the direct jointinformation leakage to the delivery nodes also increase. Thenumerical results are provided in Table II and Table IV.

In summary, DAPP can achieve trade-off among security,communication delay and delivery ratio. By carefully set-ting on parameter (n, k, tα), DAPP can provide an excellentbalance between location privacy for participating users andvarious performance requirements of data users.

D. Computational Complexity

The computational complexity is determined by the over-head in recovery of the secret data using Barycentric LagrangeInterpolation, which is O(n) for reconstruction of the collecteddata. If the delivery node only drops data pieces withoutmanipulating, then the Barycentric Lagrange Interpolationalgorithm only needs to be implemented once to recover thecollected data. However, if the application data server receivesmodified or corrupted data pieces, it may need to implementthe Barycentric Lagrange Interpolation algorithm up to

(nk

)times in the worst case to recover the original data.

Fortunately, the parameters (k, n) with relatively smallvalues are able to decrease the location information leakageclose to 0, as shown in Table IV. As a consequence, it enablesthe application data server to rebuild the original data in ashort time interval. In particular, for n = 25 and k = 20, the



10

computer with 2.0GHz processor needs at most 0.053 secondsto reconstruct the original data.

E. Numerical Simulation Results

In numerical simulations, we assume vi follows the uniformdistribution in the range of [Vmin, Vmax]. The results of otherdistributions are similar. To emulate the reality, we set upboth dense network and sparse network to show the jointinformation leakage to the delivery node. In the two scenarios,we select various parameters (k, n, tα) to show the relationshipbetween the settings and the security performance againstintermediate delivery node under side information attack.

In the first scenario, we set the average number of people inthe communication range of the source node as λ = 10, andtα = 1. With proper setting on (k, n), PM is small enoughto make the joint information leakage approximated to 0. Thejoint information leakage to the delivery node is presented inTable IV.

In the second scenario, we consider a sparse network inthe urban area. We set λ = 100. Then through equation (16)and equation (17), we can derive that the average numberof people in the communication range of source node to bearound 1. As a consequence, there may be only one neighbornode around the source node to distribute each data piece. Insuch a scenario, the joint information leakage is determined

by the value of P (ts ≥ ktα) ·(

14

)b 2ktαv0L c. To minimize this

value, we raise tα to 20 and let k increases from 5 to 30.The joint information leakage to the delivery node is shownin Table II and Table IV. The simulation results of the tablescan be summarized as follows:• Location privacy can be preserved in the proposed DAPP

scheme under side information attack.• With proper parameter settings, the joint information

leakage can be minimized to approximately 0 for eachdelivery node.

• The joint information leakage, average communicationdelay and error rate can be adjusted by selection onsystem parameters.

VII. CONCLUSION

In this paper, we propose a delay-aware privacy preserving(DAPP) data forwarding scheme for people-centric urbansensing networks. It is developed based on Sharmir’s secretsharing, dynamic pseudonyms and a two-phase data forward-ing method. The two-phase forwarding method detaches theconnection between the source node and the application dataserver. Shamir’s secret sharing prevents delivery nodes fromdiscovering privacy information in the reported data. Theproposed dynamic pseudonym scheme can defend againstidentity based side information attack. Both theoretical analy-sis and simulation results demonstrate that the proposed DAPPcan provide an excellent design trade-off among security,communication delay and delivery ratio.

APPENDIX

Proof of Theorem 2: In the Manhattan street model, thenode arrival and departure at an endpoint of a street segment is

a Poisson process. It is straightforward to derive that the arrivalprocess at any points in the street segment parallelizing theendpoint is also a Poisson process. Suppose that the participantA encounters n participants when it stays at the point (xi, yi).And it stays at the point for a time duration δ (δ → 0). Thenode arrival rate at this point is λ. So the probability that Ameets n participants is

p(N(δ + t)−N(t) = n) = e−λδ · (λδ)n

n!, (31)

where N(t) is the number of participants that node A hasencountered from time 0 to time t.

Suppose A needs T seconds to move from (xi, yi) to(xj , yj). So the process for A to encounter other participantsfor time duration T is the sum of encounter processes fromlocation (xi, yi) to (xj , yj). These meeting processes aremutually independent. Since the number of the independentPoisson processes is T

δ , the sum of multiple Poisson processesis still a Poisson process. Hence, the new arrival rate of thePoisson process can be computed by the following equation

λsum =

T/δ∑i=1

λi =T

δ· λ. (32)

The probability that A meets n participants in time durationT can be calculated as

p(N(t+ T )−N(t) = n) = e−λsum·δ · (λsum·δ)nn!

= e−λ·T · (λ·T )n

n! .

Therefore, it is a Poisson process. The data distributionis actually equal to the encountering Poisson process. Theprobability to forward one data piece in a given time durationtd is

p(N(t+ td)−N(t) = 1) = e−λtd(λtd). (33)

However, the source node will insert an interval betweentwo data distributions in the first forwarding phase. Supposethe data piece di is forwarded to the delivery node at time t,and the source node insert an interval tα before the forwardingof di+1. Since Poisson process is a memoryless process, thenumber of arrivals occurring in any bounded interval of timeafter time t is independent of the number of arrivals occurringbefore time t. So the probability to forward di+1 in a giventime duration td is

p(N(t+ td + tα)−N(t+ tα) = 1) = e−λtd(λtd). (34)

Therefore, the data distribution process in the proposedscheme is a Poisson process.

REFERENCES

[1] J. Burke, D. Estrin, M. Hansen, A. Parker, N. Ramanathan, S. Reddy,and M. B. Srivastava, “Participatory sensing,” in the 1st Workshop onWorld-Sensor-Web, Oct 2006, pp. 1–5.

[2] A. T. Campbell, S. B. Eisenman, N. D. Lane, E. Miluzzo, and R. A.Peterson, “People-centric urban sensing,” in Proceedings of the 2ndAnnual International Workshop on Wireless Internet, 2006, pp. 18–31.

[3] R. Du, C. Chen, B. Yang, N. Lu, X. Guan, and X. Shen, “Effective urbantraffic monitoring by vehicular sensor networks,” IEEE Transactions onVehicular Technology, vol. PP, no. 99, pp. 1–1, 2014.



11

TABLE IVTHE AVERAGE COMMUNICATION DELAY AND JOINT INFORMATION LEAKAGE FOR VARIOUS (k, n), tα = 1 AND λ = 10

Delay(s)k = 5 k = 10 k = 15 k = 20 k = 25 k = 30

/PDT (%)

n = 5 219.5/8.89× 10−4 - - - - -

n = 10 145.2/1.45× 10−1 284.8/5.28× 10−9 - - - -

n = 15 140.3/1.13 213.8/9.85× 10−6 341.3/4.45× 10−14 - - -

n = 20 139.8/3.84 206.9/3.77× 10−4 271.8/4.21× 10−10 396.6/3.76× 10−19 - -

n = 25 139.6/8.71 206.7/4.17× 10−3 264.7/5.44× 10−8 327.4/1.21× 10−14 451.2/3.20× 10−24 -

n = 30 139.2/15.6 206.2/2.40× 10−2 284.3/1.58× 10−6 320.3/4.15× 10−12 382.7/2.75× 10−19 506.1/2.78× 10−29

[4] U. Lee, E. Magistretti, M. Gerla, P. Bellavista, and A. Corradi, “Dissem-ination and harvesting of urban data using vehicular sensing platforms,”IEEE Transactions on Vehicular Technology, vol. 58, no. 2, pp. 882–901,Feb 2009.

[5] A. Kapadia, N. Triandopoulos, C. Cornelius, D. Peebles, and D. Kotz,“Anonysense: Opportunistic and privacy-preserving context collection,”Pervasive Computing, vol. 5013, pp. 280–297, 2008.

[6] K. L. Huang, S. Kanhere, and W. Hu, “Towards privacy-sensitiveparticipatory sensing,” in IEEE International Conference on PervasiveComputing and Communications, March 2009, pp. 1–6.

[7] J. Shi, R. Zhang, Y. Liu, and Y. Zhang, “Prisense: Privacy-preservingdata aggregation in people-centric urban sensing systems,” in Proceed-ings of IEEE INFOCOM 2010, March 2010, pp. 758–766.

[8] S. Gao, J. Ma, W. Shi, G. Zhan, and C. Sun, “TRPF: A trajectoryprivacy-preserving framework for participatory sensing,” IEEE Transac-tions on Information Forensics and Security, vol. 8, no. 6, pp. 874–887,June 2013.

[9] B. Palanisamy and L. Liu, “Mobimix: Protecting location privacy withmix-zones over road networks,” in Data Engineering (ICDE), IEEE 27thInternational Conference on, April 2011, pp. 494–505.

[10] M. Gruteser and D. Grunwald, “Anonymous usage of location-basedservices through spatial and temporal cloaking,” in ACM 1st Int. Conf.Mobile Systems, Applications and Services, 2003, pp. 31–42.

[11] M. Datar, N. Immorlica, P. Indyk, and V. S. Mirrokni, “Locality-sensitivehashing scheme based on p-stable distributions,” in Proceedings of theTwentieth Annual Symposium on Computational Geometry, 2004, pp.253–262.

[12] T. Xu and Y. Cai, “Exploring historical location data for anonymitypreservation in location-based service,” in Proceeding of IEEE INFO-COM 2008, March 2008, pp. 547–555.

[13] C. Ardagna, M. Cremonini, S. De Capitani di Vimercati, and P. Sama-rati, “An obfuscation-based approach for protecting location privacy,”Dependable and Secure Computing, IEEE Transactions on, vol. 8, no. 1,pp. 13–27, Jan 2011.

[14] K. Vu, R. Zheng, and J. Gao, “Efficient algorithms for k-anonymouslocation privacy in participatory sensing,” in Proceeding of INFOCOM2012, March 2012, pp. 2399–2407.

[15] S. Gao, J. Ma, W. Shi, and G. Zhan, “Towards location and trajectoryprivacy protection in participatory sensing,” in Mobile Computing,Applications and Services, 2011, pp. 381–386.

[16] H. Lu, C. S. Jensen, and M. L. Yiu, “Pad: Privacy-area aware, dummy-based location privacy in mobile services,” in 7th ACM Int.Workshop onData Engineering for Wireless and Mobile Access, 2008, pp. 16–23.

[17] H. Kido, Y. Yanagisawa, and T. Satoh, “An anonymous communicationtechnique using dummies for location-based services,” in 9th Int. Symp.Privacy Enhancing Technologies (PETS’10), 2005, pp. 88–97.

[18] M. Terrovitis and N. Mamoulis, “Privacy preservation in the publicationof trajectories,” in Mobile Data Management, 2008. MDM ’08. 9thInternational Conference on, April 2008, pp. 65–72.

[19] E. De Cristofaro and R. Di Pietro, “Adversaries and countermeasures inprivacy-enhanced urban sensing systems,” IEEE Systems Journal, vol. 7,no. 2, pp. 311–322, June 2013.

[20] D. Christin, J. Guillemet, A. Reinhardt, M. Hollick, and S. Kanhere,“Privacy-preserving collaborative path hiding for participatory sensingapplications,” in IEEE 8th International Conference on Mobile Adhocand Sensor Systems (MASS), Oct 2011, pp. 341–350.

[21] ——, “Privacy-preserving collaborative path hiding for participatory

sensing applications,” in IEEE 8th International Conference on MobileAdhoc and Sensor Systems (MASS), Oct 2011, pp. 341–350.

[22] L. Hu and C. Shahabi, “Privacy assurance in mobile sensing networks:Go beyond trusted servers,” in 8th IEEE International Conference onPervasive Computing and Communications Workshops, March 2010, pp.613–619.

[23] J. Kim and S. Bohacek, “A survey-based mobility model of people forsimulation of urban mesh networks,” in Proceeding of MeshNets, 2005.

[24] X. Y. Li and T. Jung, “Search me if you can: Privacy-preserving locationquery service,” in Proceeding of INFOCOM 2013, April 2013, pp. 2760–2768.

[25] V. Vukadinovic, O. R. Helgason., and G. Karlsson, “An analytical modelfor pedestrian content distribution in a grid of streets,” Mathematical andComputer Modelling, vol. 57(11-12), pp. 2933–2944, June 2013.

[26] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11,pp. 612–613, Nov 1979.

[27] F. Bai, N. Sadagopan, and A. Helmy, “Important: a framework tosystematically analyze the impact of mobility on performance of routingprotocols for adhoc networks,” in Proceeding of IEEE INFOCOM 2003,vol. 2, March 2003, pp. 825–835.

Di Tang received the BE degree from Xidian Uni-versity in 2005. He is currently a PhD candidatein electrical and computer engineering at MichiganState University. His research interests include wire-less sensor networks and network security.

Jian Ren received the BS and MS degrees bothin mathematics from Shaanxi Normal University,and received the Ph.D. degree in EE from XidianUniversity, China. He is an Associate Professor inthe Department of ECE at Michigan State University.His current research interests include cryptography,cloud computing security, network security, energyefficient sensor network security protocol design,privacy-preserving communications, network cod-ing, distributed network storage, and cognitive net-works. He is a recipient of the US National Science

Foundation Faculty Early Career Development (CAREER) award in 2009. Dr.Ren is a senior member of the IEEE.



a novel delay-aware and privacy preserving (dapp) data ...renjian/pubs/tvt2415515.pdf · ticipating...

Documents