Revisiting a Privacy-Preserving Location-based Service Protocol using Edge Computing

TL;DR

This paper critically analyzes a privacy-preserving location-based service protocol using edge computing, revealing a flaw in the secure comparison method that compromises user location privacy.

Contribution

It identifies a correctness flaw in a prior protocol and demonstrates that fixing it without security trade-offs is challenging.

Findings

The secure comparison protocol has a correctness flaw.

Straightforward fixes compromise user privacy.

The original protocol is insecure due to the flaw.

Abstract

Location-based services are getting more popular day by day. Finding nearby stores, proximity-based marketing, on-road service assistance, etc., are some of the services that use location-based services. In location-based services, user information like user identity, user query, and location must be protected. Ma et al. (INFOCOM-BigSecurity 2019) proposed a privacy-preserving location-based service using Somewhat Homomorphic Encryption (SHE). Their protocol uses edge nodes that compute on SHE encrypted location data and determines the $k$-nearest points of interest contained in the Location-based Server (LBS) without revealing the original user coordinates to LBS, hence, ensuring privacy of users locations. In this work, we show that the above protocol by Ma et al. has a critical flaw. In particular, we show that their secure comparison protocol has a correctness issue in that it will not lead to correct comparison. A major consequence of this flaw is that straightforward approaches to fix this issue will make their protocol insecure. Namely, the LBS will be able to recover the actual locations of the users in each and every query.