$n$-VDD: Location Privacy Protection Based on Voronoi-Delaunay Duality
Wei Zeng, Abdur B. Shahid, Keyan Zolfaghari, Aditya Shetty, Niki Pissinou, and Sitharama S. Iyengar

TL;DR
This paper introduces a geometric framework using Voronoi-Delaunay duality to enhance location privacy in location-based services by hiding user locations within irregular Voronoi cells and intersection zones.
Contribution
It presents a novel geometric approach based on Voronoi-Delaunay duality for location privacy protection, introducing multiple anonymizing models with efficient linear computations.
Findings
The framework effectively conceals user locations.
The methods are computationally efficient due to linear line intersections.
Experiments demonstrate the approach's efficacy across various parameters.
Table I: Symbols used in the work.

| Symbol | Definition |
|---|---|
| | User’s location (or seed) |
| | Number of vertices of polygon around |
| (/) | Delaunay polygon (shifted/scaled) |
| (/) | Delaunay polygon vertices (shifted/scaled) |
| (/) | Voronoi polygon (shifted/scaled) |
| (/) | Voronoi polygon vertices (shifted/scaled) |
| (/) | Anonymity zone (shifted/scaled) |
| () | Anonymity zone vertices (scaled) |
| | , sector angle |
| | Length of line segment |
| | Range of vertices on a line |
| | Range of random angle adaption |
| | User-defined radius of interest |
| | Scaling factor |
| | Concealing cost |
| | Privacy level |

Table II: Anonymizing pipeline in each model.

| Model | IR.1 Interior Shifting | IR.2 Exterior Shifting | IR.3 Sector Shifting | Anonymizing Protocol | Generated Polygons |
|---|---|---|---|---|---|
| I | ✓ | - | - | S0 R1 P1 R0 | |
| II | - | ✓ | - | S0 P2 R1 R0 | |
| III | ✓ | ✓ | - | S0 P2 R1 P1 R0 | |
| | - | - | ✓ | N/A | N/A |
| Iα | ✓ | - | ✓ | S1 R1 P1 R0 | |
| IIα | - | ✓ | ✓ | S1 P2 R1 R0 | |
| IIIα | ✓ | ✓ | ✓ | S1 P2 R1 P1 R0 | |
Wei Zeng‡, Abdur B. Shahid, Keyan Zolfaghari, Aditya Shetty, Niki Pissinou, and Sitharama S. Iyengar
W. Zeng, A. B. Shahid, N. Pissinou and S. S. Iyengar were with the School of Computing and Information Sciences, Florida International University, Miami, FL 33199, USA. K. Zolfaghari was with University of Miami, Miami, FL 33124, USA. A. Shetty was with University of North Carolina at Chapel Hill, NC 27515, USA. ‡Corresponding e-mail: [email protected].
Abstract
To date, location privacy protection is a critical issue in Location-Based Services (LBS). In this work, we propose a novel geometric framework based on the classical discrete geometric structure, the Voronoi-Delaunay duality (VDD). We utilize the fact that the user location cannot be recovered if only given an irregular $n$-sided Voronoi cell around it, and the anonymity zone is the intersection of all the parallel strips perpendicular to and bounded by Voronoi edges. The irregular Voronoi cell and its variations can be used as the concealing space to hide the user location or the region of interest and submitted to the LBS server. Within this framework, we propose multiple typical anonymizing models by introducing irregularity to the convex regular VDD structure by shifting the interior Voronoi cell, exterior Delaunay polygon, sector rays, or their combinations. The proposed methods are efficient by taking advantage of the VDD principle where main computations are linear line-line intersections. Experiments with various parameters demonstrate the efficiency and efficacy of the proposed $n$-VDD framework.
I Introduction
With the help of pervasive global positioning system (GPS) and radio frequency identification (RFID) enabled mobile computing, the market share of location-based services (LBS) is increasing rapidly [6]. Today, people frequently use LBS to find the nearest ATM, restaurant, hospital, or gas station. Social networks, including but not limited to Facebook, LinkedIn and Twitter, as well as Internet telephony service providers such as Skype have all created frameworks for geosocial networking. LBS providers require users to divulge their exact location but guarantee a higher quality of service (QoS) with more accurate location data. If one uses Yelp to look for restaurants in a 15 mile radius, it would not matter if the location data is not as accurate, with the search being conducted in a relatively large area. Conversely, if a user looks to find the nearest gas station, Google Map would require a more accurate location to ensure a higher QoS. A user may enjoy receiving services with higher precisions, but is unaware of the possible exploitations of his/her location data. LBS providers can use this data to understand a user’s mobility pattern, enabling them to send unwanted advertisements; and attackers can perform malicious attacks. This has led to a general consensus that protecting a user’s location privacy is a highly important issue in LBS.
Previous studies have designed location privacy models based on a trade-off between location privacy and QoS. If the degree of privacy is high, then the QoS is low and vice versa. So, it is important to understand this trade-off while designing an LBS privacy model. We classify the previous methods to protect location privacy into three main categories [36]: 1) $k$-anonymity, 2) position dummies, and 3) spatial obfuscation.
In $k$-anonymity, the framework pairs a user’s location with $k-1$ locations of other neighboring users [16, 13, 40, 22, 15, 33, 28] [12, 23, 10] and provides the LBS provider with a box containing that user and the other locations. This approach engenders several problems. It has an inherent dependency on the presence of the other users in the specified region or time. Furthermore, each user cannot have a personalized privacy setting with the settings of the other neighboring users overlapping. Gedik et al. proposed the CliqueCloak theorem [14] to improve the original $k$-anonymity approach that joins multiple queries that overlap together into a clique, and sends the minimum bounding rectangle of those users as a single query. Although it is advantageous in the case of reducing computation time and increasing the privacy of the users, it can fail to join users into a clique. Marius et al. [36] classified several improved methods of $k$-anonymity: strong $k$-anonymity [39, 34], l-diversity [4], $t$-closeness [25], $p$-sensitivity [31], and historical $k$-anonymity [29, 37, 1, 26]. In these schemes, the probability of identifying a user is . These approaches also suffer from a high communication and query processing cost [11].
The position dummy based techniques direct multiple fake positions along with the user’s true location to location service providers [9, 27, 32, 21, 35, 20]. Hua et al. [27] proposed a dummy-based method, titled PAD, which generates dummy users in a virtual grid or circle. Qilang et al. [32] proposed a user dummy generation based clustering method to provide privacy on road networks. Location obfuscation methods have the advantage of generating dummy locations by themselves, unlike the $k$-anonymity based methods. However, generating indistinguishable dummy locations is a challenge for these methods [36].
To address the problems of $k$-anonymity and dummy based methods, some solutions propose spatial obfuscation methods [2, 18, 24, 38, 19, 30, 7, 3, 5], based on the idea of providing a user-defined obfuscation area without revealing explicit location information at the expense of quality of services. Ardagna et al. [2] proposed a method to submit a circle instead of a user’s exact location. Different methods were presented to use other geometric transformations to preserve a user’s location. Kalnis et al. proposed transformations based on the $k$-anonymity concept for nearest neighbor search, while hiding the user’s location. Gutscher et al. [18] detailed the use of coordinate transformation to protect a user’s privacy. Min et al. [38] proposed a privacy scheme based on a line-symmetric transformation for database privacy in cloud computing. Li et al. [24] proposed a geometric approach towards location privacy that divides the user’s region of interest (ROI) into concealing disks ($n$-CD) and submits the centers and the radii of those concealing disks for transmission. Guo et al. [17] extended $n$-CD by introducing a dynamic pseudonym-changing mechanism at the expense of concealing and communication costs. The proposed framework in this work falls into this category, and is comparable to the $n$-CD approach.
I-A Our Approach
In this work, we propose a novel framework based on the classical geometric structure, the so-called Voronoi-Delaunay Duality (VDD). Table I gives the symbols used in the work.
As shown in Fig. 1, we treat the user location as the center and properly select discrete points () on the Euclidean plane surrounding to result a Delaunay triangulation , by connecting edges and (). Each triangle satisfies empty circle criterion, i.e., the circumcircle of the triangle doesn’t contain any other point. The Voronoi diagram of is computed by the perpendicular bisector lines of all the edges of and their intersection points . The Voronoi diagram and the Delaunay triangulation are dual to each other. The dual relationship is unique. The VDD gives a two-layered dual structure defined around the user location , including the exterior convex Delaunay polygon and the interior convex Voronoi polygon , as shown in Fig. 1(a). The facts include:
- and define the interior uniquely;
- and define uniquely; and
- and define uniquely.
However, if only and without any other information, one cannot figure out the exact location of the center . But it can give the feasible region containing the user location. Based on the VDD perpendicular rule, we draw the parallel strip perpendicular to each edge of the Voronoi cell; the intersecting region of all the parallel strips and the Voronoi cell is a convex polygon , where any point may be the user location. This region is the so-called anonymity zone in our framework. Figure 1(a) shows one example when where the anonymity zone is within the Voronoi cell, and (b) gives two examples when , where the anonymity zone is the Voronoi polygon itself. It means that at a Voronoi polygon vertex with corner angle , the associated perpendicular lines are either outside the Voronoi cell or overlap the Voronoi edges, and then the associated Voronoi polygon edges are used for computing the intersection. Therefore, the interior Voronoi polygon can be used to hide the user location . In the $n$-VDD framework, we submit the Voronoi polygon or its variations to the LBS provider.
The unique degenerate case is that if is a convex regular polygon (in Euclidean geometry, a regular polygon is a polygon that is equiangular and equilateral) taking as the centroid, then the is regular with the same centroid, as shown in Fig. 2. In this case, if there is such a principle in the protocol public to users/attackers: is regular around , then can be easily recovered from , i.e., the centroid of . To overcome this, our strategy is to introduce irregularity to the VDD structure of a convex regular polygon, specifically by shifting the exterior polygon , or interior polygon , or both, to be irregular. The following three models are given to demonstrate the performance of the $n$-VDD framework.
Model I - Interior Shifting.
is a regular $n$-sided convex polygon with the centroid at . We adapt the corresponding Voronoi cell to be irregular by shifting each Voronoi edge in parallel along the dual Delaunay edge while keeping all the Voronoi cell vertices within each original sector and . The shifting position is uniformly and randomly selected within a range calculated based on the above condition, which guarantees the user location is included in the shifted Voronoi cell.
Model II - Exterior Shifting.
We shift to be an irregular $n$-sided convex polygon around such that the corresponding triangulation is still Delaunay. The resulting Voronoi cell is also irregular. For each Delaunay vertex , we compute the valid range on its sector ray such that the Voronoi vertex is within the corresponding sector , and then we randomly and uniformly select a point in the valid range as .
Model III - Double Shifting.
We first shift to be an irregular $n$-sided convex polygon around as in Model II, to guarantee the corresponding triangulation is Delaunay, and then we shift the resulting Voronoi cell as in Model I. This is a combination of Models I and II. Generally, both the exterior and interior polygons are irregular.
Sector Shifting
Another way to generate irregularity from the convex polygon is to shift the sector rays to make the sector angles unequal. We integrate the sector shifting operation into the above three Models I, II and III, to generate three variation Models Iα, IIα and IIIα accordingly. In each anonymizing model, we first randomly and uniformly perturb the sector rays in a range to achieve the sector angle inequality, and then apply other anonymizing principles. Note that the randomness of sector rays itself on a convex regular polygon can generate an irregular convex polygon with the same sector radius. The resulting Voronoi cell is irregular. We call this Model . However, it cannot be used for anonymization. That is because the center can be easily calculated by the intersection of the bisectors of two Voronoi edges due to the property of the same sector radius, as shown in Fig. 3 with a simulation example. Therefore, only angle randomness on the convex regular polygon is not enough for hiding the user location.
In summary, there are three irregularity principles to adapt the convex regular polygon to achieve irregular VDD structures: (1) interior shifting, (2) exterior shifting and (3) sector shifting. The combinations of the three form 7 models in total (see Table II), among which the Model is not applicable for anonymization, and the other 6 Models I, II, III, Iα, IIα, and IIIα are to be used for anonymization (see Figs. 4, 5 and 6). Details will be explained in later sections.
In this framework, the scaled Voronoi cell of the shifted Voronoi cell will be used as the concealing space of the user, which hides the user location and is submitted to the LBS providers. The area of the anonymity zone resulting from the concealing space , is defined as the privacy level. Thus, a bigger concealing space generates a bigger anonymity zone and a higher privacy level for the user location privacy.
When the user submits a query of places of interest within a circular range , the query area is . We compute the closest distance to the edges of the originally generated and define the scalar , and then transform the Voronoi polygon by a scaling operation with scalar and the user location as the origin. The transformed Voronoi polygon, i.e., the final concealing space, is denoted as , which covers the query region with radius , as shown in Fig. 7. Users also have flexibility to customize the privacy level in the system by setting the expected anonymity range . Then, similarly, we compute a scalar , and transform the Voronoi polygon to be by a -scaling around . If the user customizes both privacy level and concealing space, we use compute .
All the computations are constructive by using planar geometry and linear algebra, and therefore are efficient.
I-B Contributions
In this work, we present a novel location privacy framework, named $n$-VDD, based on the unique discrete geometric structure Voronoi-Delaunay Duality (VDD). In detail,
- Six models are proposed, to introduce irregularity to convex regular VDD structure.
- The concealing space is derived from the Voronoi polygon. The privacy level can be customized.
- The method is efficient by utilizing the planar VDD, where computations are linear line-line intersections.
The rest of the paper is organized as follows: Section II describes the system model, Section III presents the algorithms of the $n$-VDD models, Section IV details the application settings, experiments and discussions, and finally Section V concludes the paper.
II $n$-VDD Location Privacy Protection Model
In this section, we first review the background knowledge of VDD, and then describe the VDD-based system for location privacy protection and the anonymizing protocol, and finally perform the attack analysis.
II-A Background
II-A1 Voronoi-Delaunay Duality (VDD)
Voronoi diagram and Delaunay triangulation are the classical geometric structures in computational geometry [8]. The Voronoi diagram of a point set of points in the plane is a subdivision of the plane into Voronoi cells, such that each Voronoi cell around is the set of all points from which is the closest among all other points in . The dual of the Voronoi diagram is a unique triangulation, known as the Delaunay triangulation. A triangulation is Delaunay means that it satisfies the empty circumcircle criterion, i.e., for any triangle, its circumcircle doesn’t contain any other point, such triangle is called Delaunay triangle. The optimal time complexity for constructing Voronoi diagram and Delaunay triangulation is , and the dual conversion between them costs .
II-A2 Local Structures
In our model, we require a proper exterior polygon such that the triangulation obtained by connecting each vertex of the polygon to the user location is Delaunay. Once the exterior polygon is fixed, the VDD structure is determined. Based on the VDD property, three convex polygons surrounding are generated, as follows:
- Delaunay Polygon , the convex boundary polygon of the Delaunay triangulation .
- Voronoi Polygon , the convex polygon generated by applying the VDD principle on .
- Anonymity Zone , the convex polygon generated by the intersection of the perpendicular strips for the edges of Voronoi polygon.
We start from the Voronoi-Delaunay structure of the convex regular $n$-sided polygon using as the center, and make variations to the structure to introduce irregularity. We adapt the exterior Delaunay polygon or/and interior Voronoi polygon to be irregular, which guarantees that the anonymity zone is a convex region, not a single point. Different variations induce different anonymizing protocols. The $n$-VDD framework may have other variations by introducing different irregularities.
II-B System Model
In a typical LBS system, a user generates a query which is a tuple of his/her identification, the location , the radius of the neighborhood , and the points of interests (POI) , such as the gas stations, ATMs and so on. That is, . This query is transmitted to a local anonymizer engine which generates the concealing space (i.e., adapted Voronoi polygon), and based on the query framework, the concealing space is transmitted to the LBS system.
- Model I: exterior polygon is convex regular; interior Voronoi polygon is shifted to be irregular. The interior polygon generated by shifting is denoted as
  [TABLE]
- Model II: exterior convex regular polygon is shifted to be irregular. The exterior polygon generated by shifting is denoted as
  [TABLE]
  The interior Voronoi polygon of is irregular.
- Model III: exterior polygon is shifted to be irregular ; the interior Voronoi polygon of is shifted to .
Suppose the area of the finally resulted interior polygon in each model is denoted as . According to the closest distance to the edges of the originally generated , we compute a scaling transformation of the with scalar ( as the origin), denoted as . is the final concealing space,
[TABLE]
Then the original query becomes
The user may also set privacy level , defined by the expected anonymity radius parameter , . In this case, the original query . Similarly, we compute a scalar . Then we have . If the user only cares about the customized privacy level, then .
II-C Anonymizing Protocol
The anonymizing protocols are generally public. The following are the common principles for all models:
- R0 - Scaling: The submitted concealing space denoted as is obtained by a -scaling of a convex polygon around the user location. The is computed based on the user’s requirements on privacy level and range of interest.
- R1 - Voronoi-Delaunay Duality: The convex polygon has a dual convex polygon : 1) each edge has a perpendicular dual edge; 2) all the dual edges intersect at the user location; and 3) all other endpoints of the dual edges are outside and form , . For each edge of , a feasible strip is computed, which is perpendicular to the edge and exactly bounds it. The intersection of the feasible strips of all the edges is a convex feasible region, denoted as . Similarly, the final anonymity zone can be computed from . differs from by a scalar , which is or .
The exterior polygon can be convex regular (equiangular and equilateral) or irregular with different sector angles, so there are the following alternative principles:
- S0 - Sector Uniformization: The polygon is convex and regular taking the user location as the centroid, and forms a Delaunay triangulation by connecting each vertex of to , which defines sector rays. Then, the resulting dual Voronoi polygon around is constructed by the perpendicular bisector intersections, and is regular.
- S1 - Sector Shifting: The sector rays of the original exterior polygon are randomly shifted in a range to generate a new exterior polygon , such that each vertex of the resulting dual Voronoi polygon is shifted within its corresponding sector.
Besides the above, each model has its own principle:
- P1 - Interior Shifting: The exterior polygon and form a Delaunay triangulation by sector rays. The interior polygon is generated by randomly shifting each edge of the Voronoi cell of in parallel, such that each vertex of is shifted within its original sector.
- P2 - Exterior Shifting: The exterior polygon is generated by shifting each vertex of the original polygon along its sector ray, such that each vertex of the resulting Voronoi polygon is shifted within its original sector.
- P3 - Double Shifting (P1,P2): The exterior polygon is generated by shifting the vertices of the original along sector rays, and the resulting Voronoi edges are shifted in parallel to form the interior polygon , such that each vertex of is shifted within its original sector. It is the combination of P1 and P2.
Table II gives the anonymizing pipeline in each model.
II-D Attack Analysis
We analyze the ability of the VDD models to protect the user location from the attacker. Suppose the query message is obtained by the attacker. Then the attacker has:
- An $n$-sided convex irregular polygon , which is a scaled (shifted) Voronoi polygon hiding the user location;
- An anonymizing protocol, one of Table II.
II-D1 Protocol Attack
An attack can be attempted by reversing the anonymizing process and analyzing each principle. The common principles are analyzed as follows:
- R0$^{-1}$ - Scaling: The scaling uses the user location as the origin, which guarantees the user location is always within , and the shape of is similar to that of the resulting interior polygon in all the models.
- R1$^{-1}$ - Voronoi-Delaunay Duality: For each edge of , we can find a feasible strip which is perpendicular to the edge and exactly bounds the edge. The intersection of all the feasible strips forms the anonymity zone . For any point , we find the point for edge of such that is the perpendicular bisector of . All the ’s form the exterior Delaunay polygon (see Fig. 1). The Delaunay edges exist and are uniquely determined. Therefore, every point in the anonymity zone has a VDD structure satisfying principle R1, and could be the user location .
Principles specific to each model are analyzed as follows:
- S0$^{-1}$ - Sector Uniformization: From S0, the surrounding angles around the user location are identical to be , where is the number of vertices of (convex). For any point , we draw the perpendicular lines to all the edges of and the angles surrounding won’t change when we shift the point within .
- (S0, P1)$^{-1}$ - Interior Shifting: From P1, irregular is obtained by shifting the regular Voronoi polygon, which takes the user location as the centroid/center. Given any point , by shifting back the edges of , it is guaranteed to generate a regular polygon to induce a Delaunay polygon by R1. Therefore, every point in the anonymity zone satisfies principles (S0, P1) (Model I).
- (S0, P2)$^{-1}$ - Exterior Shifting: For any point , the Delaunay polygon resulting from the irregular is unique and irregular (by R1). From S0, all surrounding angles at are equal. Then by shifting the edges of , it is guaranteed to generate a regular polygon taking as the centroid. That means every point in the anonymity zone satisfies principles (S0, P2) (Model II).
- (S0, P3)$^{-1}$ - Double Shifting: For any point , the Delaunay polygon is uniquely computed (by R1). We shift with a random range to and then update the Delaunay polygon to be . By shifting , it is guaranteed to generate a regular polygon which takes as the centroid. That means every point in the anonymity zone satisfies principles (S0, P3) (Model III).
- S1$^{-1}$ - Sector Shifting: From S1, the surrounding angles around the user location are unequal, and is irregular. For any point , we compute the Delaunay polygon of by R1. The angles around can be computed and won’t change if shifting the point within .
- (S1, P1)$^{-1}$ - Sector & Interior Shifting, (S1, P2)$^{-1}$ - Sector & Exterior Shifting, (S1, P3)$^{-1}$ - Sector & Double Shifting: For any point , the Delaunay polygon is uniquely computed (by R1). Shifting , , or both won’t influence the surrounding angles, and also won’t generate a regular polygon. Therefore, every point in the anonymity zone satisfies corresponding principles (Models Iα-IIIα).
Therefore, in all Models I-III, Iα-IIIα, every point in the anonymity zone could be the user location, and the attackers cannot differentiate the points in the anonymity zone.
II-D2 Centroid Attack
The centroid is easy to compute for a given polygon. Here, we need to analyze whether the centroid can be used for the attack.
First of all, all the anonymizing protocols introduce the irregularity, so that the centroid of the submitted Voronoi polygon (concealing space), denoted as , is not guaranteed to coincide with the user location. In Models I-III, is with equal sector angles, and the centroid of interior/exterior regular polygon in a VDD structure gives the user location; however, the centroid of irregular is not the user location. In Models Iα-IIIα, there is no guarantee that the centroid of irregular is the user location. Therefore, direct concealing space centroid attack can be avoided for each model. To verify this, we generated irregular polygons by randomly shifting the vertices along the sector rays (exterior vertex shifting), and computed the centroids. Figure 8 gives two examples of the distribution of the centroids around the user location (top), and also plots the average distance from for . It is observed that the centroid is away from the user location in the general case.
After generating the anonymity zone from , is it possible to use the centroid of , denoted as , to reveal the user location? Similarly, , is not guaranteed to coincide with the user location. Similar experiments verified that. Then, will the two centroids, and , give a hint to shrink the range? First, can be inside or outside ; there is no fixed relationship between their positions, as shown in Fig. 9 (top). We then create a circle passing through the two centroids and using the segment between them as the diameter, and detect whether the circle includes the user location . Figure 9 (bottom) shows that only a low portion (less than ) of the 1000 examples in the cases of has the user location in the circle of the two centroids. That means the circle cannot be used to replace or shrink .
III Computational Algorithms
This section details the computation of the anonymizing process and the anonymity zone for the proposed models. They share the same algorithms for the common anonymizing principles R0 (scaling), R1 (VDD), and have different algorithms for their specific principles.
III-A Common Algorithms
III-A1 Voronoi Polygon
The Voronoi polygon is generated from the Delaunay triangulation formed by the Delaunay polygon and the seed (user location). Each vertex of is the intersection of perpendicular bisector lines of line segments and () (see Fig. 1).
III-A2 Anonymity Zone
From a given Voronoi polygon , the anonymity zone (feasible Region) is generated by computing the intersecting region of the parallel strips, which are perpendicular to and bounded by the Voronoi edge . Any point in could be a feasible solution to the seed . In detail, assume , are the perpendicular lines at , , respectively, and the parallel strip is denoted as . Then .
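An added example (not code from the paper) that carries out the two constructions above, the Voronoi polygon of III-A1 and the anonymity zone of III-A2, and then runs the centroid check of Section II-D2 on a regular and an exterior-shifted polygon. The function names, the seed (3, 4) and the sector radii are constructed for illustration; the shifted radii were picked by hand so that every Voronoi vertex stays inside its sector.

```python
import math

EPS = 1e-12

def voronoi_cell(p, delaunay):
    """Voronoi polygon around seed p. Vertex i is where the perpendicular
    bisectors of p-d_i and p-d_(i+1) meet (circumcenter of that triangle)."""
    cell, n = [], len(delaunay)
    for i in range(n):
        ax, ay = delaunay[i][0] - p[0], delaunay[i][1] - p[1]
        bx, by = delaunay[(i + 1) % n][0] - p[0], delaunay[(i + 1) % n][1] - p[1]
        ha, hb = (ax * ax + ay * ay) / 2, (bx * bx + by * by) / 2
        det = ax * by - ay * bx
        cell.append((p[0] + (ha * by - ay * hb) / det,
                     p[1] + (ax * hb - bx * ha) / det))
    return cell

def clip(poly, nx, ny, c):
    """Part of a convex polygon satisfying nx*x + ny*y <= c."""
    out = []
    for i in range(len(poly)):
        a, b = poly[i], poly[(i + 1) % len(poly)]
        fa = nx * a[0] + ny * a[1] - c
        fb = nx * b[0] + ny * b[1] - c
        if fa <= EPS:
            out.append(a)
        if (fa < -EPS and fb > EPS) or (fa > EPS and fb < -EPS):
            t = fa / (fa - fb)
            out.append((a[0] + t * (b[0] - a[0]), a[1] + t * (b[1] - a[1])))
    return out

def anonymity_zone(voronoi):
    """Intersect the cell with one strip per Voronoi edge. Each strip is
    perpendicular to its edge and bounded by the edge's two endpoints."""
    zone, n = list(voronoi), len(voronoi)
    for i in range(n):
        a, b = voronoi[i], voronoi[(i + 1) % n]
        ux, uy = b[0] - a[0], b[1] - a[1]                      # edge direction
        zone = clip(zone, ux, uy, ux * b[0] + uy * b[1])       # u.x <= u.b
        zone = clip(zone, -ux, -uy, -(ux * a[0] + uy * a[1]))  # u.x >= u.a
    return zone

def area_centroid(poly):
    """Shoelace area and centroid of a counter-clockwise polygon."""
    area2 = cx = cy = 0.0
    for i in range(len(poly)):
        (x0, y0), (x1, y1) = poly[i], poly[(i + 1) % len(poly)]
        w = x0 * y1 - x1 * y0
        area2 += w
        cx += (x0 + x1) * w
        cy += (y0 + y1) * w
    return area2 / 2, (cx / (3 * area2), cy / (3 * area2))

def contains(poly, q, tol=1e-9):
    """True if q lies inside a counter-clockwise convex polygon."""
    n = len(poly)
    for i in range(n):
        (x0, y0), (x1, y1) = poly[i], poly[(i + 1) % n]
        if (x1 - x0) * (q[1] - y0) - (y1 - y0) * (q[0] - x0) < -tol:
            return False
    return True

def analyse(p, radii):
    """Place Delaunay vertices on equally spaced sector rays at the given
    radii and report what the resulting Voronoi cell gives away about p."""
    n = len(radii)
    delaunay = [(p[0] + r * math.cos(2 * math.pi * i / n),
                 p[1] + r * math.sin(2 * math.pi * i / n))
                for i, r in enumerate(radii)]
    cell = voronoi_cell(p, delaunay)
    zone = anonymity_zone(cell)
    cell_area, c = area_centroid(cell)
    zone_area, _ = area_centroid(zone)
    return {
        "centroid_error": math.hypot(c[0] - p[0], c[1] - p[1]),
        "cell_area": cell_area,
        "zone_area": zone_area,           # the paper's privacy level
        "seed_in_zone": contains(zone, p),
    }

P = (3.0, 4.0)                                         # constructed user location
REGULAR = analyse(P, [1.0] * 6)                        # regular hexagon, radius 1
SHIFTED = analyse(P, [1.0, 1.3, 0.8, 1.2, 0.8, 1.3])   # constructed shifted radii

if __name__ == "__main__":
    for name, r in (("regular", REGULAR), ("exterior-shifted", SHIFTED)):
        print(name, {k: round(v, 4) if isinstance(v, float) else v
                     for k, v in r.items()})
```

For the regular hexagon the centroid of the cell lands on the seed to within rounding, which is the degenerate case the irregularity principles are meant to remove; with the shifted radii the centroid misses the seed by about 0.057 while the seed still lies inside the anonymity zone.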
III-A3 Scaling
After getting the interior (shifted) Voronoi polygon and its anonymity zone , we perform a scaling transformation using the user location as the origin with a scaling factor . can be computed in different ways according to the user query about the ROI radius or the privacy level or both, as reported in Section II-B. Therefore, the obtained concealing space .
III-B Model I - Interior Shifting
Model I introduces the irregularity to the interior Voronoi polygon by shifting the Voronoi edges in their corresponding feasible ranges to guarantee the Voronoi vertices are still in their original sectors (to guarantee ).
Algorithm 1 shows the computation pipeline. We first generate a regular polygon using the user location as the centroid and compute the Voronoi polygon based on Voronoi-Delaunay duality, then shift the Voronoi edges to generate an irregular Voronoi polygon, and finally scale the shifted Voronoi polygon and submit the result to LBS providers.
In detail, after getting the regular Voronoi polygon, we fix the first Voronoi edge , and shift the remaining Voronoi edges to the new one one by one. For each Voronoi edge , the shift range is determined by the previous Voronoi edge . For the last Voronoi edge , the shift range is determined by both and .
As shown in Fig. 10, is extended to intersect and at , , respectively. From , we issue a ray perpendicular to which intersects at . Then the range . The position within this range can guarantee the new Voronoi polygon vertex is within the Delaunay triangle . For the last Voronoi edge , we compute the range determined by , and the range determined by . Therefore, . The uniformly and randomly selected Voronoi edge within the range intersects and and produces and , respectively. Then the resulting shifted Voronoi cell is .
For the case of or , the Voronoi polygon is a triangle or rectangle, then the anonymity zone is itself. They give very strong and interesting results, where the attacker can do nothing for predicting the user location. In addition, the probability of generating a regular shifted Voronoi polygon with random numbers is very low, so this almost never happens. We never met this situation in our large number of experiments. To be sure, one may add a regularity test to avoid this case. Figure 4 shows the simulation results, which include three layers of polygons, , and . Figure 11 gives the histograms of the distances from the shifted Voronoi edge to the user location by generating 200 5-sided polygons, to show the irregularity generated by Voronoi edge (interior) shifting. Note that in the original convex regular polygon with sector radius 1.0, the distance of Voronoi edge to the center is identical to be 0.5.
III-C Model II - Exterior Shifting
Model II introduces irregularity to the exterior Delaunay polygon by shifting the regular Delaunay polygon vertices along their corresponding sector rays within a feasible shifting range, so that the resulting Voronoi polygon is irregular.
Algorithm 2 gives the computation pipeline. We first generate an irregular Delaunay polygon around the user location, then compute the Voronoi polygon, and finally scale the Voronoi polygon and submit the result to LBS providers.
We first select one point in the neighborhood of the user location as the vertex . We generate the vertices one by one. Here, we set the sector angles to be equal, . The range for is determined by to guarantee the Voronoi vertex is within the triangle . Similarly, the last vertex is determined by both and .
As shown in Fig. 12, by VDD, we have , , , and . In addition, , and . In order to keep the intersection of and in the sector , the following conditions must hold:
1. : then .
2. : then , similarly.
So, we have the inequality
[TABLE]
For , . For , the angle is close to or greater than , then the upper bound will be very large or no intersection. So we give a parameter to constrain the range. Therefore, we have
[TABLE]
For the last vertex , we take the intersection of the ranges based on using a similar strategy. Then the resulting irregular Delaunay polygon is . Similarly, for , is a triangle or rectangle (see Fig. 1), and is itself. Figure 5 shows more simulation results, which include three layers of polygons, , and .
III-D Model III - Double Shifting
Model III introduces the irregularity to both the exterior Delaunay polygon and interior Voronoi polygon. We first shift the exterior polygon to using Algorithm 1, then compute the VDD on to get the irregular Voronoi polygon , and finally update by shifting using Algorithm 2. Figure 6 shows the simulation results, which include three layers of polygons, , and .
III-E Models , Iα, IIα, IIIα - Sector Shifting
Models Iα, IIα, IIIα introduce another dimension of irregularity by shifting sector rays from the original equal divisions () while generating sectors. The surrounding angles are computed as follows:
[TABLE]
where a random number , and we select in our experiments. The sector shifting (on sector rays) does not conflict with the previous interior/exterior shifting (on vertices/edges with fixed sector rays). Once we get the exterior polygon with random sector shifting, we then perform the algorithms of Models I-III to generate the result. Figures 4, 5 and 6 show the simulation results, which include three layers of polygons, , and . For , the interior polygon is not a rectangle because of the unequal sector angles and the perpendicular lines at vertices with acute corner angle are outside , as shown in Fig. 13.
III-F Analysis
The following lemmas guarantee that the obtained anonymity zone is qualified to protect the user location from attack.
Lemma 1
The seed is within the anonymity zone.
Proof: Based on the definition of Voronoi-Delaunay duality, the Voronoi edge is the perpendicular bisector of the sector ray , and the Voronoi vertices are in the two sides of , respectively. According to the construction of the anonymity zone, the seed is within the feasible strip , , and . Thus . Proof for the finally generated irregular is similar.
Lemma 2
Every point in the anonymity zone is equally likely to be the seed.
Proof: According to Lemma 1, given the anonymity zone , the user location . Using the conclusions in attack analysis Section II-D for all the models, every point in the anonymity zone could be the user location. In theory, if the sampling resolution of the anonymity zone goes to infinity, then the probability of revealing the exact location of goes to zero. In practice, if it is known that there are points in for attempting, then the probability of identifying the user is ; if there are no such preconditions, the probability of revealing is infinitely small (zero). With the same sampling resolution, the greater the area of the anonymity zone (the greater ), the more difficult it is to reveal the seed.
Lemma 3
The anonymity zone area decreases with the increase of , for the same radius of interest .
Proof: According to Lemma 1, the anonymity zone is the intersection region of all the lines drawn at Voronoi vertices and perpendicular to Voronoi edges. So, the number of perpendicular lines is . With the increase of , a convex polygon tends to be more circular, then the resulting (shifted) Voronoi edges become shorter, the perpendicular strips become narrower, and therefore, the area of the intersections of perpendicular strips (anonymity zone) decreases. This can also be observed in Fig. 19.
IV Performance Evaluation
In this section, we evaluate the proposed -VDD models in terms of the main principles: privacy level , concealing cost , and communication cost . We demonstrate the efficiency and efficacy of the -VDD models by experimental simulations and comparison.
IV-A Experimental Setup
We first consider a network region, with a square area of . The location of the user is randomly picked within this region. The user’s region of interest (ROI) with a radius will always be within this network region. The different parameters used to evaluate the performance of the proposed methods include the number of vertices , the range for random angle shifting , and the expected neighborhood radius around the user or of the region of interest (meter). We apply this parameter setting to test all the models. For each combination of these parameters, we perform 1000 iterations of the algorithm and then compute the average value of concealing cost and privacy level to generate the statistics.
IV-B Concealing Cost, Privacy Level
We define the concealing cost as the measurement of the area of the concealing space, i.e., the scaled Voronoi polygon , for all the models. We then define the privacy level as the measurement of the area of the anonymity zone, i.e., the scaled most interior polygon .
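The geometry behind Lemma 1 and the two area measures defined here, as an added Python example (not code from the paper): it builds the Voronoi cell of a seed from its Delaunay neighbours, intersects the cell with the strips perpendicular to and bounded by each Voronoi edge, and measures both areas. The seed, ray lengths and function names are constructed for illustration. Intersecting the strips with the cell itself is an assumption of this example, chosen so that a triangle or rectangle is its own anonymity zone, as the paper states for those cases.

```python
import math

def clip(poly, a, b, c):
    """Part of convex polygon `poly` with a*x + b*y <= c (one Sutherland-Hodgman step)."""
    out = []
    for i, p in enumerate(poly):
        q = poly[(i + 1) % len(poly)]
        dp, dq = a * p[0] + b * p[1] - c, a * q[0] + b * q[1] - c
        if dp <= 1e-12:
            out.append(p)
        if (dp < -1e-12 and dq > 1e-12) or (dp > 1e-12 and dq < -1e-12):
            t = dp / (dp - dq)  # edge p->q crosses the clipping line
            out.append((p[0] + t * (q[0] - p[0]), p[1] + t * (q[1] - p[1])))
    return out

def area(poly):
    """Shoelace area; used for both concealing cost (cell) and privacy level (zone)."""
    return abs(sum(p[0] * q[1] - q[0] * p[1] for p, q in zip(poly, poly[1:] + poly[:1]))) / 2

def voronoi_cell(seed, sites, box=1e3):
    """Voronoi cell of `seed` against its Delaunay neighbours `sites` (counter-clockwise)."""
    sx, sy = seed
    cell = [(sx - box, sy - box), (sx + box, sy - box), (sx + box, sy + box), (sx - box, sy + box)]
    for dx, dy in sites:  # keep the side of each perpendicular bisector nearer the seed
        cell = clip(cell, 2 * (dx - sx), 2 * (dy - sy), dx * dx + dy * dy - sx * sx - sy * sy)
    return cell

def anonymity_zone(cell):
    """Cell intersected with every strip perpendicular to, and bounded by, one of its edges."""
    zone = list(cell)
    for i, p in enumerate(cell):
        q = cell[(i + 1) % len(cell)]
        ex, ey = q[0] - p[0], q[1] - p[1]
        zone = clip(zone, -ex, -ey, -(ex * p[0] + ey * p[1]))  # perpendicular through p
        zone = clip(zone, ex, ey, ex * q[0] + ey * q[1])       # perpendicular through q
    return zone

def contains(poly, pt):
    """True if pt is inside (or on) a counter-clockwise convex polygon."""
    return all((q[0] - p[0]) * (pt[1] - p[1]) - (q[1] - p[1]) * (pt[0] - p[0]) >= -1e-9
               for p, q in zip(poly, poly[1:] + poly[:1]))

# Constructed sample: six sector rays at equal 60-degree angles with unequal lengths.
SEED = (2.0, 1.0)
RADII = [1.0, 1.3, 0.9, 1.2, 1.1, 0.8]
SITES = [(SEED[0] + r * math.cos(k * math.pi / 3), SEED[1] + r * math.sin(k * math.pi / 3))
         for k, r in enumerate(RADII)]
CELL = voronoi_cell(SEED, SITES)   # what would be submitted (before scaling)
ZONE = anonymity_zone(CELL)        # what an observer can derive from the cell alone
```

`area(CELL)` and `area(ZONE)` give the unscaled concealing cost and privacy level for this sample, and `contains(ZONE, SEED)` checks the property Lemma 1 states.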
IV-B1 Impact of Radius of ROI
In theory, with the increase of the radius of ROI, the concealing cost and the privacy level will linearly increase. This can be easily explained in our method as follows: in our settings, we set the initial radius as . Then after generating the shifted Voronoi polygon , we adapt it to get the concealing space by a linear scaling with scalar (linear to the customized ) to cover the ROI. Therefore, we have the linear theoretic claim. As shown in Fig. 14, an almost similar upward linear trend of and appears for different over (Model I). Other -VDD models have similar results.
IV-B2 Impact of Number of Vertices
We analyze the concealing cost and the privacy level with different for all the models. As shown in Fig. 15, decreases when changes from 3 to 5, but increases when increases above 5, while decreases with the increase of from 3 (Model I). The plots for other models are similar in our simulations. This is consistent with Lemma 3.
IV-B3 Impact of Angle Randomness Range
We analyze the concealing cost and the privacy level with different range of angle randomness for all the models. As shown in Fig. 16, the values are almost linear for different .
IV-C Communication Cost
We compute the communication cost as the sum of upstream and downstream cost in the network traffic.
IV-C1 Upstream Traffic
For the -sided concealing polygon , the upstream traffic is computed as , where a packet header costs 40 bytes, 8 bytes are added for the user ID , and then 8 bytes are used to represent the coordinates of each .
IV-C2 Downstream Traffic
For the number of preferences of interest (POIs) returned, the downstream traffic is computed as , where a packet header costs 40 bytes, and each POI's coordinates cost 8 bytes.
IV-D Comparison
In this work, we compare our method with the closely related method, the -CD model [24], which uses concealing disks to cover the user location and the region of interest, reporting the rotated disk centers and radii to the LBS server. The intersection region of all these concealing disks defines the anonymity zone, as shown in Fig. 18. In terms of computation, the proposed -VDD models are easy to implement and practical; the computations are mainly based on line-line intersections, and therefore the anonymizing algorithm is linear. In contrast, the -CD model requires circle-circle intersections, which are computationally more expensive. Thus, our method is more efficient than the -CD one. The following details the comparison of the anonymizing performance in terms of concealing cost, privacy level, and communication cost (see the plots in Fig. 19 for different with ).
IV-D1 Concealing Cost, Privacy Level
Figure 19(a-b) shows the plots for the -VDD models I-III, in which, for , the concealing space and the anonymity zone overlap. We observe that in the -VDD models, the concealing cost has a peak at and decreases from , and the privacy level decreases as the value of increases; in the -CD model, they are almost linear (almost identical). When the number of vertices is small () and big (), the concealing cost of the -VDD models is much lower than that of -CD when the radius of ROI () is fixed. It follows that one can achieve a higher privacy level with lower concealing cost using the -VDD models than -CD with a smaller value of . Minimizing the trade-off between and is the primary goal of an anonymizing protocol. We analyze and compare this trade-off as the ratio of the two terms , for the -CD and the -VDD. Figure 19(c) shows that for smaller values of (), this ratio in the -VDD models is much smaller than in -CD, i.e., we can have a higher privacy level relative to concealing cost for smaller values of than -CD. At , the ratio in -VDD is 1.0 because the concealing space and the anonymity zone overlap, while -CD is much higher. At , the two models have close values. Therefore, we can select in practice. This trade-off shows the strength of our proposed methods in the case of smaller values of . On the other hand, there is flexibility to adapt the values (performance) by changing in our models, while the values for the -CD model are almost stable with different .
IV-D2 Communication Cost
In the -CD model, the upstream traffic cost is calculated as , where denotes the number of concealing disks, is the sum of 40 bytes for the packet header and 8 bytes for the user id, is the sum of 8 bytes for disk center coordinates and 4 bytes for disk radius; the downstream traffic cost is calculated as , where denotes the number of the returned POIs and each has bytes for coordinates. In terms of upstream cost, we observe that the -VDD models are better than -CD. The downstream cost largely depends on the area of the concealing space: the larger the concealing cost, the higher the downstream cost. Moreover, if the concealing cost is high, the quality of services will be low. So we can define both downstream cost and quality of services as functions of concealing cost. From Fig. 19(c), we see that the concealing cost of the -VDD models is lower than that of -CD, implying the maximum bounds of both the communication cost and the quality of services error are lower.
V Conclusion
We present a novel location privacy framework, the so-called -VDD, based on the Voronoi-Delaunay duality (VDD). This work is based on the insight that an irregular Voronoi cell around the user location, given alone, cannot be used to recover the user location (or the seed) but does give the anonymity zone, which is the intersection of all the parallel strips perpendicular to and bounded by Voronoi edges. We introduce the irregularity to the Voronoi cell using three terms for random shifting and their combinations: (1) interior shifting - starting from a regular polygon and shifting the generated Voronoi cell to be irregular with randomness, (2) exterior shifting - starting from an irregular polygon generated with randomness, and (3) sector shifting - starting from a regular polygon and shifting the sector rays around the seed. All the computations are efficient and based on basic planar geometry and linear algebra. Experiments and comparisons have demonstrated the efficiency and efficacy of the framework for protecting the user location. In future work, we will explore location privacy applications in 3D environments by generalizing planar -VDD to volumetric -VDD.
Acknowledgment
This work was supported by NSF CCF-1544267, NSF CNS-1263124/15601334 and NSF CNS-1407067.
References
- [1] Charu C. Aggarwal and Philip S. Yu. A general survey of privacy-preserving data mining models and algorithms. Springer, 2008.
- [2] C. A. Ardagna, M. Cremonini, E. Damiani, S. De Capitani di Vimercati, and P. Samarati. Location privacy protection through obfuscation-based techniques. In Proceedings of the 21st Annual IFIP WG 11.3 Working Conference on Data and Applications Security, pages 47–60, Berlin, Heidelberg, 2007. Springer-Verlag.
- [3] Claudio A Ardagna, Marco Cremonini, Sabrina De Capitani di Vimercati, and Pierangela Samarati. An obfuscation-based approach for protecting location privacy. Dependable and Secure Computing, IEEE Transactions on, 8(1):13–27, 2011.
- [4] Bhuvan Bamba, Ling Liu, Peter Pesti, and Ting Wang. Supporting anonymous location queries in mobile environments with privacygrid. In Proceedings of the 17th International Conference on World Wide Web, WWW ’08, pages 237–246, New York, NY, USA, 2008. ACM.
- [5] Bhuvan Bamba, Ling Liu, Peter Pesti, and Ting Wang. Supporting anonymous location queries in mobile environments with privacygrid. In Proceedings of the 17th international conference on World Wide Web, pages 237–246. ACM, 2008.
- [6] Anahid Basiri, Terry Moore, Chris Hill, and Paul Bhatia. Challenges of location-based services market analysis: Current market description. In Georg Gartner and Haosheng Huang, editors, Progress in Location-Based Services 2014, Lecture Notes in Geoinformation and Cartography, pages 273–282. Springer International Publishing, 2015.
- [7] Chi-Yin Chow, Mohamed F Mokbel, and Xuan Liu. A peer-to-peer spatial cloaking algorithm for anonymous location-based service. In Proceedings of the 14th annual ACM international symposium on Advances in geographic information systems, pages 171–178. ACM, 2006.
- [8] Mark de Berg, Otfried Cheong, Marc van Kreveld, and Mark Overmars. Computational Geometry: Algorithms and Applications. Springer-Verlag, 2008.
