RemindU: A Secure and Efficient Location Based Reminder System

Transcription

1 RemindU: A Secure and Efficient Location Based Reminder System Xinxin Zhao, Lingjun Li, Guoliang Xue Arizona State University Abstract Reminder applications are essential applications in mobile devices. Since most smart devices are equipped with accurate localization capabilities, based reminders emerge in recent smart devices. A user could add a based reminder which reminds the user to do something once she enters or leaves a. Convenient as these applications are, a user can be easily tracked once she installs these applications. We propose a secure and efficient based reminder system. In our system, the reminder and reminder message are stored in the form of ciphertext on the cloud server. The cloud server is able to preform a private match without knowing anything about the user s information. We propose a novel method to represent the user s reminder area in order to save the storage space and computation time of both users and the cloud server. We demonstrate the efficiency of our system in our simulations. I. INTRODUCTION Reminder applications are becoming crucial applications in mobile devices. They help users to memorize something important to do in the future and remind users at specific occasions. Traditional reminder applications are time based reminders, i.e., a user enters a reminder message and sets up a reminder time, which could be one time or periodically repeated times. The application displays the reminder message on the screen at the setting time and alerts the user. Recent years have witnessed a rapid development of smart devices. Most smart devices are now equipped with accurate localization capabilities, based for example on GPS receivers, access points, or triangulation with nearby base stations [13]. Due to the development of localization capabilities, the reminder applications have an additional functionality on more and more smart devices. A user can mark a when she adds a new reminder. We call this reminder. The smart device alerts the user when she is near the reminder. The closeness to the reminder is set by the user. We denote this closeness as reminder distance. For example, a user can set a reminder to remind her to buy groceries when she is 1 mile away from the supermarket. One approach to implement the based reminder is based on a single smart device. The user stores all reminder messages and associated reminder s in the smart device. The smart device periodically queries the localization sensor to detect the user s current. If the user is within the reminder distance, the smart device alerts the user and Zhao, Li and Xue are all affiliated with Arizona State University, Tempe, AZ {zhao.xinxin, li.lingjun, xue}@asu.edu. This research was supported in part by ARO grant W911NF , and NSF grant The information reported here does not reflect the position or the policy of the federal government. pops out the reminder message on the screen. This approach is easy to implement and relatively secure regarding users privacy. However, the synchronization between a user s different smart devices is hard to implement using this approach. For example, if the user sets a reminder using a tablet when she is browsing the Internet at home, she may want the reminder to automatically appear on her smartphone when she is out taking with it. Due to the development of cloud service, many companies use the cloud to synchronize users personal data, including reminders. A typical example is icould, which can synchronize users data between their idevices. A user can add a reminder on her ipad, and upload an encrypted copy to icloud. icloud pushes the copy to the user s other devices, such as iphone or itouch. In this way, the user can get the reminder from whichever device she takes with her. The disadvantage of this approach is that multiple copies exist in different devices. Thus, it wastes local storage space and users cellular data usage. If the reminder message is of large size, the storage overhead would be considerable. In addition, if a smart device has been offline for a long time, it will take a long time to synchronize the reminders when it is online again. Fig. 1. current Reminder Reminder distance Reminder area add a reminder An illustration of cloud assisted based reminder system It is desirable to keep just one copy of all reminders on the cloud server, which pushes the reminder message to the user s smart device only when it is within the reminder distance. We call this kind of reminder system cloud-assisted based reminder system, which is illustrated in Figure 1. As shown in Figure 1, the reminder area is a disc centered at the reminder. A user adds a new reminder in any of her smart devices, which uploads the reminder to the cloud server. The user s smart devices periodically send their current s to the cloud server. If any device appears in the reminder area, the corresponding reminder message is pushed to it, e.g., in Figure /14/$ IEEE 1011

2 1, the reminder message is pushed to the user s smartphone once it is in the reminder area. In this paper, we propose a secure and efficient based reminder system, in which the cloud server is able to determine whether a user is around the reminder area without learning anything of the user s information. The reminder messages are also stored in the cloud server in the form of ciphertext. We propose a novel reminder area representation method. We divide the earth into small squares, each of which has a unique ID. Centered at the reminder, we use a east-west direction bar to represent the reminder area. We also use a north-south direction bar to represent a user s current area. The two bars are of the same length and divided into squares. This representation saves a large storage space and computation time for both users and the cloud server. The contributions of our paper are as follows. We propose a secure and efficient based reminder system. In our system, users privacy and reminder message confidentiality are preserved. We propose an efficient area representation method. We propose to use bloom filter for the cloud server to test whether a user is around the reminder area or not. The use of bloom filter saves a large storage space for the cloud server. The rest of our paper is organized as follows. We review the area of privacy in Section II. We formulate our problem in Section III. In Section IV, we present our system construction and give our system analysis in Section V. We show our simulation results in Section VI and conclude our work in Section VII. II. RELATED WORK Location privacy is becoming a hot topic in recent years. In previous studies, privacy mainly focused on based service (LBS), in which the mobile device sends queries to the server, and the server returns the corresponding information regarding the query content. An extensive work about privacy was based on K-anonymity model [14], [15]. In previous K-anonymity approaches, a user s query is first relayed by a third trusted party. The third trusted party does not relay the user s query once it receives it. Instead, it will wait until K different queries are collected from the same area. In this way, the server could not tell which query comes from which user. The assumption that the third party is fully trusted becomes the security weakness of this kind of approach. Kalnis et al. [7] pointed out that in certain scenarios the K-anonymity approach leaks private information to malicious entities. To overcome the aforementioned disadvantages, a new class of privacy protection approaches were proposed, which were known as transformation based approaches. In [8], Khoshgozaran and Shahabi proposed to use an one-way transformation to encode the query and the object space. The query is evaluated in the transformed space such that users privacy is preserved. Their approaches do not rely on a trusted third party, but may have errors in scenarios that require exact results. Some other works were proposed to preserve the privacy by using private information retrieval (PIR) [3]. Hengartner proposed an architecture which utilized PIR and trusted computing to protect users privacy [6]. However, the proposed architecture is not implemented yet. Ghinita et al. used computational PIR to enable private evaluation of the nearest neighbour queries [4]. However, the heavy computational overhead of the underlying PIR scheme makes the approach unsuitable for a smart device. A fast PIR based privacy scheme was proposed by Khoshgozaran et al. [9]. Their scheme requires a tamper-resistant trusted hardware installed close to the server, which makes the scheme less practical. As far as we know, Zhao et al. was the first to study the privacy issue in based reminder [18]. They proposed a secure based reminder system. In their scheme, they divide the earth into small squares and use crosses to represent the reminder area and the user s current area. Searchable symmetric encryption was used in their system to reduce inequality testing to equality testing. III. PROBLEM FORMULATION In this section, we present our system model, threat model, and design goals. A. System Model and Threat Model Our system consists of a cloud server S and multiple users. Since all the interactions are between a user and S, we use u to denote any user interacting with S. A user u may have multiple smart devices (e.g., tablet, smartphone, etc.). All the devices share the same account so that the user could conveniently manage all her devices. When user u enrolls in a reminder system, she chooses a reminder distance d u, and a parameter a u. She also chooses secret keys for the hash functions used in our system, which we will elaborate in the following sections. The reminder area is a disc centered at the reminder with radius d u. If user u adds a reminder in any of her device, the device should be able to upload the encrypted reminder to S. User u may have multiple reminders stored on S. She may take any of her devices when she is out. When a user passes by the marked with one of her devices, S is able to push the correct reminder message to this device, and alert the user. In our work, we only focus on the privacy protection of the based reminder. Time based reminder is out of scope of our paper. The cloud server S in our paper is considered to be honest but curious. S honestly follows the protocol execution. At the same time, it may be curious about users information. It may collect all messages transmitted between itself and users, analyze them, and try to infer users privacy. Our system is distributed and does not rely on a trusted third party. In our paper, we assume that users smart devices are not hacked by malicious applications. Malicious application detection in mobile devices is studied by [10], [12] and is our of scope of our paper. 1012

3 B. Design Goals In summary, our system should achieve the following design goals. Location Privacy: The cloud server should not know users reminder s and should not be able to track users; Reminder Confidentiality: The cloud server should not be able to access reminder messages; Efficiency: The system should be efficient in computation, cellular data usage, and space consumption; Workability: The cloud server should be able to check whether the user is around the reminder area and send corresponding reminder messages; Responsiveness: A user s device should not need to synchronize in order to receive reminders from the cloud server, even when the device has been offline for a long time. IV. SYSTEM CONSTRUCTION In this section, we describe our system constructions. First, we demonstrate a novel reminder area representation method. Next, we introduce to use bloom filter for private match and present the details of our system construction. A. A Novel Area Representation Following the similar idea as that in [11], we tessellate the earth into squares, which was introduced in our previous work [18]. The tessellation forms a grid on the earth. We use G u to denote the grid mapped on the plane. G u consists of squares with the side length a u which is defined by user u. Each square has a unique ID and we use id (x,y) to denote the square that the (x, y) locates. Since a reminder area is a disc consists of numerous points, a challenge here is to find an approach to represent the disc using a finite number of points. We try to find an area representation method that reduces the space consumption while keeping the inaccuracy small. Our idea is to use a horizontal bar to represent the reminder area, and use a vertical bar to represent the user s current area, as shown in Figure 2. The bar is divided into 2( d u /a u )+1 squares in the tessellation and is centered at the square where the interested (reminder or current ) locates. Given a (x, y), we use id i, (x,y), i = ±1, ±2,, ±( d u /a u ) to denote i-th square identifier to the east/west (negative numbers denote the west direction) of square id (x,y), and id,i (x,y) i = ±1, ±2,, ±( d u/a u ) to denote the i-th square identifier to the north/south (negative numbers denote the south direction) of square id (x,y). All the squares in the bar, i.e., the shaded squares in Figure 2, are called valid squares with respect to (x, y). We use two different procedures to create valid square identifier sets regarding the reminder and the user s current. Given a (x, y), a reminder distance d u, and a square side length a u, we use Procedure 1 if (x, y) is the reminder, otherwise we use Procedure 2. Using valid square identifier sets, we can test whether the distance between two s (x, y ) and (x, y) is smaller than or equal to d u or not. We generate two different a u Fig. 2. reminder dd u /a u e N current Using cross to represent an area Procedure 1: CreateHorizontalBar(x, y) Data: (x, y) Result: ID (x,y), the set of square identifiers on the east-west direction bar centered at (x, y) ID (x,y) ; ID (x,y) ID (x,y) {id (x,y) }; for i 1 to d u /a u do ID (x,y) ID (x,y) {id i, (x,y) end return ID (x,y), id i, (x,y) }; square identifier sets ID (x,y ) and ID (x,y) with respect to (x, y ) and (x, y), respectively, and test whether they have any intersection. If they do not have intersections, the user s current is definitely not in the reminder area, otherwise the user retrieves the ciphertext of the intersected square from the cloud server, decrypts it, and calculates the distance between the reminder and her current. If the two bars have an intersection, it does not necessarily mean that the user s current is in the reminder area. We use Figure 3 to show three cases of bar intersections. We use a blue point to denote the reminder (x, y) and a red point to denote the user s current (x, y ). After the distance calculation, the user retrieves the corresponding reminder message from the cloud server if the distance between (x, y) and (x, y ) is less than or equal to d u. B. Toward Private Location Match In a desired secure based reminder system, the cloud server performs a private match without knowing anything about users information. We propose to use bloom filter [1] for this purpose. Bloom filter is a spaceefficient randomized data structure for representing a set in order to support membership queries [2]. Suppose we want to Procedure 2: CreateVerticalBar(x, y) Data: (x, y) Result: ID (x,y), the set of square identifiers on the north-south direction bar centered at (x, y) ID (x,y) ; ID (x,y) ID (x,y) {id (x,y) }; for i 1 to d u /a u do ID (x,y) ID (x,y) {id,i (x,y) end return ID (x,y), id, i (x,y) }; 1013

4 d>d u (a) d u Fig. 3. d>d u (b) Three cases of bar intersections d<d u use a M-bit bloom filter for a data set with Num elements {d i } Num i=1. The initial bits of the bloom filter are all set to 0. We choose t hash functions {h j ( )} t j=1, with each output of the hash function in the range of 1 M. For each element d i, we compute the hash values {h j (d i )} t j=1, and set the h j(d i )- th component of the bloom filter to bit 1. To check if an element e is in the set {d i } Num i=1, we compute t hash values {h j (e)} t j=1, and check if all t bits at index {h j(e)} t j=1 is 1. If it is, e is in the data set with a large probability, otherwise, we can make sure that e is definitely not in the data set. Assume the reminder is (x, y), for each id ID (x,y), the user computes its hash values {h j (id)} t j=1, and sends them to the server. The server sets all the components at index {h j (id)} t j=1 to bit 1. The user periodically uploads the hash values regarding her current to the server, which searches in the bloom filter to find if there is any match, i.e. the intersection of the two bars representing the user s reminder area and current area, respectively. If a match is found, the server sends the encrypted reminder to the user, who will decrypts the ciphertext, and calculates the distance between the reminder and her current. If the distance is less than or equal to the reminder distance, the user retrieves the corresponding reminder message from the server. C. System Construction In this section, we give the details of our system construction. We assume that the number of a user s active reminders is no more than N. For example, it is difficult for a person to handle 500 reminders at the same time. While using a dynamic bloom filter [5] is able to enhance the space efficiency and dynamically respond to the user s increasing demands, we would like to focus on comparing the usage of bloom filters and that of searchable encryptions for secure based reminder system in this paper. Procedure 3: CreateIndexSets(ID (x,y) ) Data: a set of square identifiers ID (x,y) Result: a set of index sets I, each element of I is a set of indices I ; foreach id ID (x,y) do I id = {h i (id)} t i=1 ; // h i(x) = h(x k i ) mod M randomly permutes the elements of I id ; I I { } I id ; end randomly permutes the elements of I ; // each element is a set return I (c) For a specific user u, given the reminder distance d u and the square side length a u, the number of square IDs in a bar is 2 d u /a u + 1. The capacity, in terms of reminders, of the bloom filter is the number of reminders it can hold while the false positive probability is less than a designated number. Since the more elements stored in the bloom filter, the greater probability a collision happens in the bloom filter, to reduce the error probability, we need to restrict the capacity of the bloom filter. Assume the capacity of the bloom filter is N. The bloom filter array size is M. Each component of the bloom filter is a tuple < b, R >, where b is a bit denoting whether the component is set and R is a set of references associated with the component. Given a reference, the server can locate the ciphertext of the reminder and reminder message. To construct t hash functions, a user generates t hash keys k 1,, k t, where each key is a random number. A hash function is constructed as: h i (x) = h(x k i ) mod M, i = 1,, t. Our construction mainly consists of three protocols, marking protocol, search protocol, and removing reminder protocol. They are shown in Figure 4, Figure 5, and Figure 6, respectively. We use Procedure 3 to create index set for the bloom filter. User u marks (x, y) as a reminder with a reminder message M sg. u also secretly maintains a vector of hash function secret keys {k 1, k 2,, k t }. u chooses a symmetric encryption key k and keeps it secret. 1) u creates a horizontal bar set ID (x,y) CreateHorizontalBar(x,y). u generates a set of index sets I CreateIndexSets ( ) ID (x,y). 2) Using the symmetric encryption system, u encrypts the reminder as C 1 = Enc k (x y) and the reminder message as C 2 = Enc k (Msg). The user assembles them together to form a ciphertext tuple C =< C 1, C 2 >. User u sends < C, I > to the server. 3) Upon receiving < C, I > from user u, the server stores C and obtains a reference r C to the stored. For each index set I i I and each element ind j I i, the server sets B u [ind j ].b 1 and puts r C into the associated reference set B u [ind j ].R {r C } B u [ind j ].R. A. Security side Fig. 4. Location Marking Protocol V. SYSTEM ANALYSIS The secret keys for hash functions is randomly selected by a user and kept secret in the user s local storage. The hash values will then be converted into the residue system modulo M. Because the bloom filter size M is far smaller than the output of the hash function h( ), the server has no way to determine the original hash value. The user randomly permutes each I id so that linking the hash value back to the secret hash key becomes more difficult for the server. Therefore, the server cannot recover the square identifier from the index set I id. The 1014

5 User u checks if a given (x, y) is in any of her existing reminder area and fetches the reminder message. 1) User u constructs a vertical bar set ID (x,y) CreateVerticalBar(x, y) and generates a set of index sets I CreateIndexSets ( ) ID (x,y). User u sends I to the server. 2) Upon receiving I from user u, the server performs as follows for each I i I Checks if B u [ind j ].b = 1. ind j I i If no such I i exists, informs user u. If it is true for some I i, calculates set intersection R = ind j I i B u [ind j ].R, retrieves the first part of every referenced ciphtertext tuples C 1 = {< C 1, r C > C =< C 1, > and r C R }, and sends C 1 to u. 3) Upon receiving C 1, user u decrypts each element to get a coordinate tuple L = {< (x, y ), r C > (x, y ) = Dec k (C 1 )and < C 1, r C > C 1 }. The decryption to a coordinate tuple is possible because each coordinate is of fixed bit size. User checks the distance between each pair of (x, y) and (x, y ), and obtains the valid reminder references R = {r C < (x, y ), r C > L and (x x ) 2 + (y y ) 2 d 2 u}. u sends R to the server. 4) Upon receiving R, the server retrieves the ciphertext {C r C R } and sends back to the user. The user uses her secret key k to recover the reminder message. Fig. 5. Location Search Protocol Given a reminder (x, y) and reference r C, remove the relevant reminder information stored on the server. 1) User u constructs a horizontal bar set ID (x,y) CreateHorizontalBar(x, y), generates a set of index sets I CreateIndexSets ( ) ID (x,y), and sends < I, r C > to the server. 2) Upon receiving < I, r C > from the user, the server delete the ciphtertext tuple stored at r C. For each I i I and each ind j I i, the server removes r C from B[ind j ].R. If B[ind].R becomes empty, the server sets B[ind].b 0. Fig. 6. Removing Reminder Protocol user also randomly permutes among index sets, i.e. I id s in I, so that the server cannot learn the relationship between any two squares. All the messages are encrypted using a symmetric key encryption cryptosystem. The server cannot learn the content because the encryption key k is kept secret by the user. The user should use CBC mode encryption such that the replacing or modifying of any block of the ciphertext will fail. Furthermore, the user can employ CCA2 secure symmetric key encryption system [17] to provide more protection to the reminder message. Early match problem: We call the case that two bars have an intersection while the distance between the reminder and the user s current is greater than d u as early match. All points in a (2d + a) (2d + a) rectangle centered at id (x,y) may trigger a match and a follow up decryption. However, the desired reminder area is a plate centered at the reminder. So the early match area is (2d u + a u ) 2 πd 2 u. The early match probability is 1 π 2+(a. Given a reminder distance d u/d u) u, the smaller a u is the less probably early match happens. However, a smaller a u will cause more computation during the marking and search, as well as the server side storage. Given the maximum reminder number N, the expected maximum of squares stored in the bloom filter is N s = N (2 d u /a u +1). To achieve a false alarm probability P, the Ns ln P bloom filter size is given by M = (ln 2) and the desirable 2 hash key number is t = M N s ln 2 [16]. A typical usage is to set remind distance as 1, 000 meters and the square length as 20 meters. If the maximum number of reminders is N = 500, we will have elements to be stored in the bloom filter. If we set P = 1%, we have M = 23, 963 < 3KB and t = 7. A typical configuration of the reminder system in [18] contains a 160-bit ECC group a 80-bit symmetric key, which gives l g = 160 and l e = 80. A typical server storage overhead is (400 + r C )(4A u + 1)n, where A u = d u /a u. To compare the work in this paper and the work in [18], the computation overhead on the user side is to compute the index set, computing either pseudo-random numbers as in [18] or hash functions in this paper. To index a square in [18], we need to do a hash operation, a group exponentiation, and a symmetric encryption, while we just need to do t hash operations in this paper. If we take the hash operations equivalent to a group multiplication mul in terms of the computation time, we have the overall user indexing time in Table I. A fast group exponentiation takes O(l g mul) operations. VI. SYSTEM SIMULATION In this section, we evaluated the performance of the proposed system via simulation. A Motorola Droid smartphone was used to simulate a user s smart device and a Macbook Pro was used to simulate the server. The Motorola Droid has a 550MHz A8 processor, 256MB memory, and 16GB SD card as an external storage. The Macbook Pro is equipped with a 2.53GHz Intel Dual Core CPU and 4GB memory. We used C++ to implement the system and generated native code for the Android platform in order to get a low latency. The cryptographic library used in the implementation was Crypto and we ported it to the Android platform. We used SHA-1 as the hash function in the system. We did comparison experiments of the system in this paper with the system proposed in [18]. The system in [18] is based on the searchable encryption and was implemented on a 160 bit ECC group [18]. For convenience, we denote the system in [18] as SE and the system in our paper as BF, which is constructed based on a bloom filter. Fixing a square side length as 20 meters and message size as 1024 bit, we collected the computation time that was used to mark a, as the reminder distance increased from 500 meters to 3500 meters, with a 200-meter increment. Next, we fixed the reminder distance on 1000 meters, changed the message size from 5M 1015

6 TABLE I OVERHEAD COMPARISON server storage user indexing time server matching time RemindU M + (2A u + 1)nt l r O((2A u + 1)t mul) O(2A u + 1) AsiaCCS (4A u + 1)n (2l g + l e + l r) O((4A u + 1)l g mul) O((4A u + 1) log n) lr is the bit size of a reference. lg and l e are the ECC group size and the bit size of a key encryption, respectively. Indexing time for a Reminder distance (a) Indexing time (y-axis is log scaled ) BF SE Fig. 7. Indexing time for a bytes to 50M bytes, and recorded the execution time on the user side. The results are shown in Figure 7(a) and 7(b), respectively. It is obvious that BF, denoted by blue lines, is efficient than SE on the user side, because for SE, the user needs to generate a pseudo random number in computing a index, while in BF, the user only calculates t hash values. The pseudo random number generation involves an exponentiation which is computationally expensive. The time for computing indices in BF is less than 0.07 seconds while in SE, the computation time is almost 5 seconds. When the size of the reminder message is large, in SE, the user usually costs 12 seconds for computing indices while the time in BF increases with the message size. Fixing the reminder distance as 1000 meters, square side length as 20 meters, and message size as 1024 bits, we recorded the time of searching a reminder after different number of reminders (from 50 to 1250) were uploaded. The execution time in Figure 7(c) is the average time over 50 searches. From Figure 7(c), we can see that the search time in SE is between seconds and seconds, while in BF, the server finished one search in less than time. The difference is remarkable because in SE, the server searches among n reminders, which costs O(log n) time. In BF, the server searches one square in a short time, by only comparing t hash values and t is usually small, e.g. t = 7 in our experiment. VII. CONCLUSIONS In this paper, we have proposed a secure and efficient cloudassisted based reminder system. The cloud server could preform a private search on users reminder s without knowing anything about users information. We have presented an efficient area representation method which saves a large storage space and computation time for both users and the cloud server. REFERENCES [1] B. H. Bloom, Space/time trade-offs in hash coding with allowable errors, Commun. ACM, vol. 13, no. 7, pp , BF SE Message Size (b) Marking with large message size Search time for Comparison between SE system and BF system BF SE Number of reminders (c) Searching time [2] A. Broder and M. Mitzenmacher, Network applications of bloom filters: A survey, Internet Mathematics, vol. 1, no. 4, pp , [3] B. Chor, E. Kushilevitz, O. Goldreich, and M. Sudan, Private information retrieval, Journal of the ACM (JACM), vol. 45, no. 6, pp , [4] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L. Tan, Private queries in based services: anonymizers are not necessary, in SIGMOD Conference, 2008, pp [5] D. Guo, J. Wu, H. Chen, Y. Yuan, and X. Luo, The dynamic bloom filters, IEEE Trans. Knowl. Data Eng., vol. 22, no. 1, pp , [6] U. Hengartner, Hiding information from -based services, in MDM, 2007, pp [7] P. Kalnis, G. Ghinita, K. Mouratidis, and D. Papadias, Preserving anonymity in based services, National University of Sigapore, Tech. Rep., [8] A. Khoshgozaran and C. Shahabi, Blind evaluation of nearest neighbor queries using space transformation to preserve privacy, in SSTD, 2007, pp [9] A. Khoshgozaran, C. Shahabi, and H. Shirani-Mehr, Location privacy: going beyond k-anonymity, cloaking and anonymizers, Knowl. Inf. Syst., vol. 26, no. 3, pp , [10] L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang, Chex: statically vetting android apps for component hijacking vulnerabilities, in Proceedings of the 2012 ACM CCS. ACM, 2012, pp [11] A. Narayanan, N. Thiagarajan, M. Lakhani, M. Hamburg, and D. Boneh, Location privacy via private proximity testing, in Proc. of NDSS, vol. 2011, [12] H. Peng, C. Gates, B. Sarma, N. Li, Y. Qi, R. Potharaju, C. Nita-Rotaru, and I. Molloy, Using probabilistic generative models for ranking risks of android apps, in Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 2012, pp [13] R. Shokri, G. Theodorakopoulos, J.-Y. L. Boudec, and J.-P. Hubaux, Quantifying privacy, in IEEE Symposium on Security and Privacy, 2011, pp [14] L. Sweeney, Achieving k-anonymity privacy protection using generalization and suppression, International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, vol. 10, no. 5, pp , [15], k-anonymity: A model for protecting privacy, International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, vol. 10, no. 5, pp , [16] S. Tarkoma, C. E. Rothenberg, and E. Lagerspetz, Theory and practice of bloom filters for distributed systems. IEEE Communications Surveys and Tutorials, vol. 14, no. 1, pp , [17] J. T. Trostle, Chosen ciphertext secure (ccs): Stateful symmetric key cca encryption with minimal ciphertext expansion, IACR Cryptology eprint Archive, vol. 2013, p. 269, [18] X. Zhao, L. Li, and G. Xue, Secure cloud-assisted based reminder, in ASIACCS, 2013, pp