Task distribution system model of privacy protection space crowdsourcing and realization method

[0051] The present invention will now be described in further detail with reference to the drawings. These drawings are all simplified schematic diagrams, which merely illustrate the basic structure of the present invention in a schematic manner, so they only show the structures related to the present invention.

[0052] 1. System model and problem definition

[0053] figure 1 Describes the system model of spatial crowdsourcing. For non-private space crowdsourcing (see figure 1 (a)) There are three components, namely SC server (SC-server), workers with mobile devices and task requester (taskrequester). The SC server is responsible for allocating appropriate staff to the space tasks created by the task requester. Workers need to report their private information (such as location and velocity) to the SC server through their mobile devices. Based on this framework, we give the following definitions.

[0054] Definition 1 (Space Task) Space task s is to be at position l s Implementation and deadline e s Associated tasks.

[0055] Definition 2 (Worker) Worker w is a person who is willing to perform spatial tasks. Each worker with IDid specified by SC server w , Speed ​​v w And its current location l w Associated.

[0056] Using space crowdsourcing, the task requester creates space task s and specifies its location l s And deadline e s. To perform the task, the worker must be on the deadline e s Reached position l before s. When receiving a space task, the SC server assigns it to appropriate workers based on certain predefined policies. In the present invention, we assume that the SC server preferentially chooses to arrive first. s Workers. We also assume that each worker accepts the assigned task with a certain probability, which is expressed as the acceptance rate (AR). Assuming that the AR of each worker is 100%, we first define a simple task assignment problem as follows:

[0057] Definition 3 (task assignment problem) Let W=(w 1 ,w 2 ,...,W n } Is a set of n workers. Given space task s, task allocation problem P TA (W,s) is to assign task s to worker w i* , Making:

[0058] 1, w i* Can be on deadline e s Arrived before l s;

[0059] 2. No other workers can work in w i* Arrived before l s.

[0060] In Definition 3, the first requirement means t c +d(l i* ,l s )/v i* ≤e s , Where t c Is the current time, l i* Is w i* 'S current position, v i* Is w i* Speed, d(l i* ,l s ) Is the position l i* And l s Euclidean distance between. The second requirement means that there is no w j Such that d(l j* ,l s )/v j i* ,l s )/v i*. For the convenience of future discussion, we call the winner of this question w i* , And use i* as its ID. Note that when all the workers cannot arrive before the deadline s At that time, such a winner does not exist. In this case, the SC server will notify the task requester that there is no competent person.

[0061] However, in practice, workers will not necessarily accept the tasks assigned to them. In order to ensure that the task is accepted with a high probability, multiple workers can be required to perform the task. Suppose worker w i The AR is a i. Let η(W,s) denote the probability of at least one worker in W accepting task s. Obviously, Therefore, we define the following another task assignment problem:

[0062] Definition 4 (task assignment problem with acceptance guarantee) Let W=(w 1 ,w 2 ,...,W n } Is a set of n workers. Given space task s, there is a guaranteed task assignment problem P TAG (W,s) is to assign task s to a group of workers W * (Called the set of winners) such that:

[0063] 1. Each worker w i* ∈W * Are available on the deadline e s Reached position l before s;

[0064] 2. No other workers w j ∈W\W * Can work on any worker w i* ∈W * Reached position l before s;

[0065] 3, η(W * ,s)≥α, where α is W * The expected probability of at least one worker in accepting task s.

[0066] The opponent model. figure 1 (b) is a system model of crowdsourcing in the privacy protection space. It introduces a new crypto service provider (CSP, Crypto Service Provider) to provide key services such as SC server and worker key generation. For the adversary model, we assume that all parties are semi-honest. In other words, they fully follow a prescribed agreement, but may try to learn as much as possible from other parties' private inputs when the agreement is executed based on what they have seen. In particular, the SC server will be interested in the location and speed of each worker and the ID of each winner. CSP is also interested in this and the location of the task. Each worker is willing to know the location and speed of other workers, the ID of each winner, and the location of the task. As a special worker, each winner has the right to know his ID and the location of the task, but he also wants to know the location and speed of other workers, as well as the IDs of other winners. Based on the opponent model, we have the following definitions:

[0067] Definition 5 (Privacy protection task assignment problem) Let W = (w 1 ,w 2 ,...,W n } Is a set of n workers. Given space task s, privacy protection task assignment problem P PTA (W,s) is to find P as follows TA (W,s) the winner w i* :

[0068] 1. For each worker w i ∈W, its position l i Sum and speed v i Information cannot be used by SC server, CSP and any other workers w j ∈W, w j <> w j obtain;

[0069] 2. Task location information s Cannot be CSP and except w i* All workers outside

[0070] 3. Except w i* In addition, the SC server, CSP and all other workers cannot get w i* ID information.

[0071] Although its non-private version (i.e. P TA ) Is simple, but P PTA It is very challenging to try to protect worker privacy and task privacy at the same time. In particular, the winner is determined not only by the location of the worker, but also by its speed, and both should be kept secret in the calculation process. At first glance, this requirement means that we need to divide the ciphertext. However, effective homomorphic splitting is still an open issue. In addition, the task location s Need to keep all staff members secret except the winner, which makes d(l i ,l s ) Is more difficult to calculate than through plaintext. Note that the winner must know the task location l s , Because it needs to reach this location to perform the task, so the person is not considered a privacy leak. P PTA The last requirement stated that the SC server is not allowed to know the identity of the winner. If the SC server knows who is the winner, it may infer the approximate location of the winner based on some background knowledge (such as task location and deadline). Obviously, the SC server decides P TA The winner. However, in P PTA In, the SC server is not allowed to know who is the winner. This contradiction is P PTA Another difficult problem.

[0072] Similarly, our definition of the assignment of privacy protection tasks with acceptance guarantees is as follows:

[0073] Definition 6 (Privacy protection task assignment problem with acceptance guarantee) Let W=(w 1 ,w 2 ,...,W n } Is a set of n workers. Given the space task s, there is a guaranteed privacy protection task assignment problem P PTAG (W,s) is to find P as follows TAG (W,s) Winner Set W * :

[0074] 1. For each worker w i ∈W, its position l i Sum and speed v i Information cannot be used by SC server, CSP and any other workers w j ∈W, w j <> w j obtain;

[0075] 2. Task location information s Cannot be CSP and except W * All workers except the winner among them get;

[0076] 3. Except w i* In addition, the SC server, CSP and all other workers cannot get w i* ID information.

[0077] Such as figure 2 As shown, a task distribution system model of the privacy protection space crowdsourcing of the present invention includes a space crowdsourcing server (SC server), a cryptographic service provision unit (CSP), a space task request unit and a worker mobile terminal;

[0078] The space task request unit is used to create a space task, and transmit task information to the space crowdsourcing server;

[0079] The space crowdsourcing server allocates tasks to the worker mobile terminals;

[0080] The encryption service providing unit provides privacy protection task assignment management to the space task request unit, the space crowdsourcing server and the worker mobile terminal.

[0081] Such as figure 2 As shown, the implementation method of the task allocation system model of the privacy protection space crowdsourcing of the present invention includes the following steps:

[0082] 1) The space task requester creates and releases the space task. Space mission s means to be in position l s Implementation and deadline e s Associated tasks.

[0083] 2) The space mission is released to the SC server. SC server according to the worker set W = {w 1 ,w 2 ,...,W n } And the position of task s s And deadline e s , Through the task allocation algorithm (the task allocation algorithm is the following "four, privacy protection task allocation protocol algorithm 1"), assign tasks to workers w i*. Worker w i* Two conditions need to be met: first, w i* Can be on deadline e s Arrived before l s; Second, no other workers can i* Arrived before l s.

[0084] 3) A cryptographic service provider (CSP) provides a privacy protection function, which provides key services to the SC server and workers. The privacy protection function encrypts the transmitted data and enables the SC server to perform addition, multiplication and other calculations on the encrypted data to ensure that the selected workers are excluded during the communication process. i* In addition, the SC server, CSP and all other workers cannot get w i* ID information.

[0085] Second, the definition of privacy standards

[0086] The present invention uses ideal paradigms to define the security of the protocol. Intuitively speaking, during the implementation of the agreement, if each party involved does not obtain more information than it has the right to obtain, then the agreement is safe or privacy-protected. This can be defined by the ideal paradigm as follows: for all opponents, there is a probability-based polynomial time simulator, so that the opponent's viewpoint in the real world and the simulator's viewpoint in the ideal world are computationally indistinguishable.

[0087] Let P -1 For CSP, P 0 For SC server, P 1 ,...,P n For n workers. Let view i , X i And K i (-1≤i≤n) respectively P i , Its private input and additional information that can be obtained during the execution of the protocol P. The standard definition of the privacy requirements of Protocol P is as follows:

[0088] Definition 7 If there is a probability-based polynomial time simulator S i , Making:

[0089]

[0090] Because the protocol P does not leak than P i The final output of more information, we think that the agreement P to P i It is completely privacy protected. Where for all possible inputs ≡ means that it cannot be distinguished by calculation. in case It is considered that the agreement P versus P i Privacy protection has K i Leakage, because it will not leak the final output and ratio K i More information to P i.

[0091] Obviously, complete privacy protection is a very strong privacy guarantee. However, such a strong guarantee is sometimes difficult to achieve through an effective agreement. In fact, as long as privacy is not violated, additional knowledge K can be allowed during the execution of protocol P i Public. In other words, even based on knowledge K i , The probability that the opponent can obtain the privacy input of either party is also negligible.

[0092] Three, cryptographic building blocks

[0093] To solve the P defined above PTA And P PTAG The problem, the present invention uses several encryption tools: pseudo-random function, Paillier cryptosystem and ElGamal cryptosystem, which are briefly introduced as follows.

[0094] The pseudo-random function (PRF) observes the results through a black box method, and the random characteristics cannot be distinguished from the real random function. Generally, PRF is determined by f k Indicates that it belongs to the PRF function family F λ ={f k :{0,1} λ →{0,1} λ }k∈{0,1} λ , With k as the index. Our work assumes that a keyed one-way hash function (such as HMAC) can be modeled as a pseudo-random function. Therefore, f k The function can be implemented by typing a hash function using k and applying it to x.

[0095] Paillier is a public-key cryptosystem whose security is based on assumptions related to decomposition hardness (whether it is equivalent is not yet known). It consists of the following three algorithms:

[0096] –Key generation: Choose two different random large prime numbers p and q, and calculate N=pq. Select element g ∈ Z * N 2. The public key pk is (N, g), and the private key sk is (p, q).

[0097] – Encrypt E: Let m be Z N A message in. By choosing Z * N A random number in to encrypt and calculate

[0098] c=E(m)=g m r N mod N, (1)

[0099] Among them, N and g are obtained from the public key pk, and c is the ciphertext of m.

[0100] – Decryption D: The ciphertext c is decrypted by the following calculation:

[0101]

[0102] (2)

[0103] Where λ = lcm (p-1, q-1) can be calculated by the private key sk.

[0104] One of the most important features of the Paillier cryptosystem is homomorphic addition. Specifically, m 1 Ciphertext and m 2 Multiply the ciphertexts, then we get m 1 +m 2 The ciphertext of m; the k-th power of the ciphertext of m is the ciphertext of km. which is:

[0105] E(m 1 )E(m 2 )=E(m 1 +m 2 ), (3)

[0106] E(m) k =E(km). (4)

[0107] In addition, Paillier is semantically safe, that is, the attacker cannot obtain any information about the plaintext from the ciphertext. At the same time, it is also a probabilistic encryption scheme, which means that different ciphertexts will be generated when the same message is encrypted multiple times. It can be clearly seen from equation (1) that the random number r participates in the encryption process.

[0108] ElGamal is a public key cryptosystem whose security is based on the intractability of the discrete logarithm problem. It consists of some public domain parameters that can be shared by multiple users and three algorithms:

[0109] -Domain parameters. Let p be a large prime number and q be a medium prime number such that q|p–1. Let g=r (p–1/q) mod p <> 1, where r∈F p *. These public parameters use the generation parameter g to create a public finite abelian group G of prime order q.

[0110] -Key generation. Choose an integer x such that 0≤x≤q–1 and calculate h=g x mod p. The public key pk is h, and the key sk is x.

[0111] – Encrypt E’. Let m be the message in G. Encrypt by choosing a random number r, where 0≤r≤q-1, and calculate:

[0112] c 1 =g r ,c 2 =mh r. (5)

[0113] The ciphertext c of m is E’(m)=(c 1 ,c 2 ).

[0114] -Decrypt D’. The ciphertext c is decrypted by the following calculation:

[0115] m=D’(c)=c 2 (c 1 x ) -1 (6)

[0116] ElGamal is also a probabilistic encryption scheme, because each message is encrypted by a different random number r, as shown in equation (5). An interesting property of the ElGamal cryptosystem is homomorphic multiplication. Specifically, set m 1 Ciphertext and m 2 Multiply the ciphertexts, then we get m 1 m 2 Ciphertext, namely:

[0117] E’(m 1 )E’(m 2 )=E’(m 1 m 2 ), (7)

[0118] Switched encryption satisfies two attributes that are independent of the encryption order. ElGamal can be extended to support switched encryption. In particular, the two new algorithms are defined as follows:

[0119] -Secondary encryption Given public key h a Encrypted ciphertext E’ ha (m)=(g ra ,mh a ra ), which can be selected by random number r b , Where 0≤r b ≤q–1, and calculate c 1 =g ra , C 2 =g rb And c 3 =mh a ra h b rb , Where h b Is the public key for secondary encryption. E’ ha The ciphertext of (m) is

[0120] -Secondary decryption The ciphertext (c1, c2, c3) can be obtained by using the private key x in a different order a And x b After decryption, the decryption result is the same. If you use the private key x first a ,We have E’ hb (m) can be x b Decrypt again to obtain m. It's easy to verify if you use x first b Then use x a , The decryption result is the same.

[0121] 4. Privacy protection task assignment agreement

[0122] According to Definition 5, our goal is to find P without revealing the location information of workers TA The winner. Although some existing privacy protection tools, such as k anonymity and differential privacy, can be used to protect personal privacy, they usually assume that there is a trusted third party that can access the entire original data (such as the location information of all workers). This is in practice difficult to realize. In addition, they protect personal privacy at the cost of reducing data utilization, which means that methods based on them may not be able to accurately find P TA The winner. Therefore, we decided to use encryption tools to accurately solve P PTA problem. In order to prevent privacy leakage, the dead person data of each worker is encrypted before being sent to the SC server. It can be seen from Definition 3 that P PTA The key to the problem is to determine which worker arrives at the location first s. To solve this problem, we need to compare two workers w i And w j The travel time of is calculated as the following inequality:

[0123]

[0124] Obviously, calculation includes several basic operations: addition and multiplication (for distance calculation), division and comparison. It should be noted that these operations should be performed in ciphertext, because, for example, for privacy protection, l i And v i It has been encrypted at this time. In theory, we can design a scheme based on Fully Homomorphic Encryption (FHE) to achieve the above calculations, but this will lead to high computational costs, making this method of limited practical significance. Therefore, we consider using a partially homomorphic encryption scheme. Although they are more efficient than FHE, they cannot support all the operations required to calculate inequality (8). We will show how to solve this problem in the next section.

[0125] 4.1 Protocol overview

[0126] Algorithm 1 Privacy Protection Task Assignment Protocol

[0127] Input: a set of n workers, each worker w i ID is i, location information is l i , The speed information is v i; A space task s (created by the task requester), the task location is l s , The deadline is e s; One SC server and one CSP.

[0128] Output: winner w * Get task location l s.

[0129] 1: Phase 0-key generation

[0130] 2: CSP generates Paillier key pair (pk, sk) and ElGamal key pair (pk', sk'). The SC server and all workers get the public keys pk and pk'. The information of the private keys sk and sk' is only controlled by the CSP.

[0131] 3: CSP generates another ElGamal domain parameter set and publishes it. Based on these parameters, CSP again generates a public key pk" but keeps it secret. Each worker w i A key pair (pki",ski") is also generated and kept secret.

[0132] 4: Phase 1-Privacy protection distance calculation

[0133] 5: SC server uses public key pk encryption x s And y s And send the results to all workers.

[0134] 6: for each worker w i (1≤i≤n)do

[0135] 7: w i Use pk encryption To get

[0136] 8: w i Calculation

[0137] 9: end for

[0138] 10: Phase 2-Privacy protection travel time calculation

[0139] 11: for each worker w i (1≤i≤n)do

[0140] 12: w i Use pk′ to encrypt v i And send E'(vi) to the SC server.

[0141] 13: end for

[0142] 14: SC server calculation And sent to CSP.

[0143] 15: The CSP decrypts E'(V) and sends it back to the SC server.

[0144] 16: The SC server broadcasts V to all workers.

[0145] 17: for each worker w i (1≤i≤n)do

[0146] 18: w i Calculation And Send to the SC server.

[0147] 19: end for

[0148] 20: Stage 3-Privacy protection winner calculation

[0149] 21: SC server will f k (i) Send to worker w i , Where f k It is a PRF.

[0150] 22: SC server will Where 1≤i≤n.

[0151] 23: CSP decryption And calculate Where 1≤i≤n.

[0152] 24: CSP calculates the winner w with the smallest travel time i* , Its travel time is

[0153] 25: CSP uses k′ to encrypt f k (i * ), and E′ c (f k (i * )) sent to the SC server.

[0154] 26: Phase 4-Privacy Protection Winner Statement

[0155] 27: Through calculation SC server will l s Encrypt and Broadcast to all workers. Where h is the length matching hash function

[0156] 28: for each worker w i (1≤i≤n)do

[0157] 29: w i Use pk″ i Encryption f k (i) and Send to CSP.

[0158] 30: CSP uses pk″ i will Encrypt and send To w i.

[0159] 31: w i Use private key sk″ i Decrypt To get E′ c (f k (i)).

[0160] 32: w i Try to calculate Decrypt

[0161] 33: end for

[0162] image 3 An overview diagram of the privacy protection task allocation protocol is given. Based on the above discussion, we use two partially homomorphic encryption schemes Paillier and ElGamal to build our solution, which is composed of image 3 Composed of five stages depicted in. In the 0th stage, according to security requirements, CSP generates ElGamal domain parameters and Paillier and ElGamal key pairs. It keeps the private key secret and sends the public key to the SC server and all workers. The creation of a space task by the task requester triggers the start of phase 1. During this phase, the SC server and all workers run the privacy protection distance calculation protocol based on the encrypted location information, and output the encrypted distance information. In the second stage, the speed of each worker is encrypted and sent to the SC server cooperating with the CSP to calculate the travel time of each worker. Based on the encrypted travel time obtained in the second stage, the SC server uses the CSP to calculate the winner in the third stage, but the result is still encrypted. In the fourth stage, the location information of the encrypted task is broadcast to all workers, but only the winner can retrieve the location of the task. After that, the winner arrives at the designated location to perform the corresponding task.

[0163] 4.2 Detailed construction

[0164] Algorithm 1 is the concrete realization of the privacy protection task allocation protocol. We explain in detail as follows.

[0165] Phase 1. Because the key codes of the Paillier and ElGamal cryptosystems required for Phase 0 have been introduced in "3. Cryptographic Building Blocks", we will introduce the detailed construction of the protocol from Phase 1. SC server uses Paillier public key to encrypt task location ls=(x s ,y s ), send three ciphertexts to all workers: E(x s 2 +y s 2 ), E(x s ) And E(y s ). After receiving the encrypted information from the SC server, each worker w i Calculate l s And its current position i The square of the distance and encryption, namely:

[0166]

[0167] Its correctness can be easily verified according to equations (3) and (4). Note that we can also require all staff to send the encrypted location to the SC server (with E(x i 2 +y i 2 ), E(x i ) And E(y i )), and require the SC server to calculate E(d 2 (l i ,l s )). Although this process is similar to what we did in non-privacy cases, it will bring more computing costs to the SC server. In other words, our current design has the advantage of sharing the calculation cost for all workers.

[0168] Phase 2. As mentioned earlier, the calculation of privacy protection travel time requires division of the ciphertext. However, the efficient realization of homomorphic splitting is still an open issue. Therefore, our goal is not to design an effective homomorphic splitting scheme, but to eliminate the division operation technically in the process of calculating travel time. For this, we use an interesting property to compare travel time, that is, the calculation of the exact travel time is unnecessary. This property is guaranteed by the following lemma:

[0169] Lemma 1 Let W={w 1 ,w 2 ,...,W n } Is the set of n workers, and V is the product of the speeds of all workers, namely And v k ‘=V/v k , Where 1≤k≤n. For any two workers w i , W j ∈W, if and only if d(l i ,l s )v i ‘ j ,l s )v j ‘When there is d(l i ,l s )/v i j ,l s )/v j.

[0170]

[0171] Based on this lemma, we calculate the virtual travel time t for each worker i ’=d(l i ,l s )v i ’, which is equivalent to the exact travel time t i =d(l i ,l s )/v i , That is, the worker with the shortest virtual travel time must have the shortest exact travel time. Specifically, each worker encrypts its speed through the ElGamal cryptographic system and sets E’(v i ) Sent to the SC server. The SC server can obtain E'(V) by multiplying all the encryption speeds. Then, the SC server asks the CSP to decrypt E'(V) and sends V to all workers. By using its speed v i Except V, each worker w i Can get v i ’And calculate E(d 2 (l i ,l s )) vi’2 =E(d 2 (l i ,l s )v i ’ 2 )=E(t i ’ 2 ). The encrypted virtual travel time is sent to the SC server for further processing. Please note that in the above process, CSP and all staff know the exact value of V. However, this does not violate the personal privacy of any worker, which will be demonstrated in the next section.

[0172] Phase 3. Now the SC server has a 2-tuple i ’ 2 )> A list of where i is person w i ID, 1≤i≤n. In order to protect the identity of workers, especially the winner, it passes a PRF f k The function encrypts the ID of each worker and sends it to the CSP k (i),E(t fk(i) ’ 2 )> , To find out which worker has the shortest travel time and whether it can meet the deadline e s Arrived before the mission location. Since CSP has Paillier’s private key, it can decrypt E(t i ’ 2 ) To get t i ’ 2 And calculate the actual travel time Then, the CSP can easily find the worker with the shortest travel time and determine whether it can meet the deadline. If not, the CSP informs the SC server that there is no winner. Otherwise, it uses ElGamal to encrypt the winner's ID f k (i * ), and E’ C (f k (i * )) sent to the SC server. The encryption here is necessary because the SC server can get f k (i * ) After inferring who is the winner. On the other hand, due to the pseudo-randomness of PRF, the privacy of the winner is still protected.

[0173] Phase 4. Once received E’ C (f k (i * )), the SC server encrypts the task location s And broadcast to all workers Specifically, l is encrypted as follows s :

[0174]

[0175] Among them, h is a length matching hash function, used to map a longer bit string to a shorter bit string. One method of constructing h that is proven to be semantically safe is to truncate a longer bit string into multiple shorter bit strings of fixed length, and perform XOR calculations on these shorter bit strings and output them. Obviously, only get E’ C (f k (i * )) Information workers can calculate (l s )⊕h(E’ C (f k (i * ))) Obtain task location information. The following process ensures that only the winner can get E’ C (f k (i * ))information.

[0176] First, each worker w i Obtain the encrypted ID f from the SC server k (i)), and use your own public key to encrypt through ElGamal, and then encrypt the encrypted information E’ wi (f k (i)) Send to CSP. After CSP receives the information, it uses its public key and used to encrypt E’ C (f k (i * )) The same random number r is encrypted again by ElGamal. CSP will then Sent to each can be decrypted with its private key to obtain E’ C (f k (i)) workers. Obviously, only the winner w fk(i*) Can get E’ C (f k (i * )). It should be noted that the public key used here should be kept secret to protect privacy.

[0177] Remarks. When calculating E’(V), an appropriate key length should be set to avoid overflow of the speed product of all workers. For example, we used a 2048-bit key in the experiment to handle 1000 workers. If the number of workers is large, the possible method is to use the least common multiple (LCM) instead of multiplication. However, the calculation of privacy protection LCM (that is, calculating the least common multiple of multiple encrypted numbers) is a very challenging problem, and we take it as one of our future research directions.

[0178] 4.3 Performance analysis

[0179] Calculate the cost. Table 1 summarizes the computational cost of our agreement. We assume that all workers can perform calculations (such as encryption and decryption) in parallel, and can interact with the SC server and CSP in parallel, so we only need to consider the calculation cost of one user. In addition, we ignore low-cost operations such as multiplication of large integers and exclusive OR operations of bit strings. The detailed analysis is as follows. In Algorithm 1, the SC server performs Paillier encryption three times (line 5), and the worker w i Perform one Paillier encryption and two modular exponentiation operations (lines 7 and 8) for the privacy calculation of the travel distance. In the second stage, the worker performs an ElGamal encryption to protect its speed (line 12). The product of the encrypted speed is decrypted by the CSP (line 15) to realize the calculation of the subsequent travel time. This requires workers w i Perform a modular exponentiation (line 18). In the third stage, the SC server uses n PRF functions to protect the worker's ID (line 21), and the CSP performs n ElGamal decryption (line 23) and one ElGamal encryption (line 25) to find the winner and protect it ID. In stage 4, in order to exchange decryption keys, worker w i The ElGamal encryption (line 29) and the second ElGamal decryption (line 31) will be performed once, and the CSP will need to perform n times the ElGamal secondary encryption (line 30).

[0180] The calculated cost of the protocol proposed in Table 1. E, D, E′, D′ e and PRF respectively represent Paillier encryption, Paillier decryption, ElGamal encryption, ElGamal decryption, ElGamal secondary encryption, ElGamal secondary decryption, modular exponentiation and pseudo-random functions.

[0181]

[0182] The communication overhead of the protocol proposed in Table 2. L and L'are the key lengths of Paillier and ElGamal encryption systems, respectively.

[0183]

[0184] Communication overhead. Table 2 summarizes the communication overhead of our protocol. Since the size of the ciphertext is usually larger than the size of the plaintext, we only consider the ciphertext sent and received by each party. It should be noted that the ciphertext length of ElGamal encryption and secondary encryption is twice and three times the key length, respectively. We have omitted the detailed analysis, please refer to Table 2 for the analysis results.

[0185] 4.4 Safety analysis

[0186] The following analyzes the security of the proposed protocol.

[0187] Theorem 1 Our task allocation protocol (Algorithm 1) has K for SC server, CSP and all workers respectively. 0 =V, K -1 ={V,t fk(1) ,...,T fk(n) } And K i =V(1≤i≤n) The privacy protection of leakage.

[0188] Proof: We first prove that there is a probability simulator S in polynomial time 0 Can be in K 0 The view of the SC server is simulated under the condition of =V. Suppose the perspective of the SC server is S 0 Generate perspective view 0 ′={E′(x 1 ),..., E′(x n ), E(y 1 ),..., E(y n ),E′(x n+1 ), V}, where x i (1≤i≤n+1) is a random element in G that obeys a uniform distribution, y i (1≤i≤n) is Z N Obey uniformly distributed random elements. Since Paillier and ElGamal are both semantically safe, we can easily prove the view 0 ≡view 0 '.

[0189] Then, we prove that there is a probability simulator S in polynomial time i Can be in K i = Simulate worker w under the condition of V i The view. If w i Is not a winner, then When it is simulated, S i generate Where x i (i=1, 2, 3) is Z N Random elements in uniform distribution, y is randomly sampled from G, and k is uniformly distributed in {0, 1} λ Random elements on. To the winner w i* , Its perspective and so Generate {E(x 1 ), E(x 2 ), E(x 3 ), k, i * , V} is view i* '. In both cases, according to the semantic security of Paillier and ElGamal and the pseudo-randomness of PRF, we can get the view i ≡view i '.

[0190] Finally, we prove that there is a probability simulator S in polynomial time -1 allowable Under the condition of simulating the view of CSP. In the agreement, the perspective of CSP is When it is simulated, S -1 Generate view -1 ′={E′(x 1 ),..., E′(x n )}∪K -1 , Where x i (1≤i≤n) is a random element in G that obeys a uniform distribution. Because of the semantic security of ElGamal, view -1 =view -1 'Obviously holds.

[0191] The above theorem proves that our protocol is K leak safe. Before explaining the limited impact of leaking K on personal privacy, we give the following lemma.

[0192] Lemma 2 continuous product From 1 to d (d> random integer between n) generate. When d→∞, right equation The number of solutions is at least n! The probability is 1.

[0193] prove: The probability that each element in is not equal is

[0194]

[0195] sequence Any permutation of is a legal solution. Therefore, the equation At least n! The probability of each solution is η(d, n), and we have lim d→∞ η(d,n)=1.

[0196] Lemma 3 The continuous product π and the set of positive rational numbers {b 1 ,...,B n } From 1 to d (d> n) random positive integer Generated and satisfies the following equation:

[0197]

[0198] Where (σ(1),···,σ(n)) is the complete permutation of (1,...,n), then when d→∞, the equation has at least n! The probability of each solution is 1.

[0199] Proof: The proof process is similar to the proof of Lemma 2. When d→∞, The probability of being unequal is 1, and the sequence Any permutation of will produce a different solution.

[0200] Lemma 4 Choose a random number a from 1,...,d. When d→∞, the probability that a is a prime number is 1/log d.

[0201] This lemma can be obtained directly from the prime number theorem [24], which states that when d→∞, the number of prime numbers before the number d converges to d/log d.

[0202] Remarks. From Lemma 4, we know that x i The probability of being prime or 1 can be approximated as (1/log d+1/d). Therefore, all x i The probability that both have at least two prime factors is

[0203] (1–1/log d–1/d) n (11)

[0204] When d→∞, the value converges to 1. This means that as long as d is chosen large enough, the probability that the product π has at least 2n prime factors is 1. In practice, the equation The number of solutions is much larger than the stated n! .

[0205] Theorem 2 is based on information K i (-1≤i≤n), the intruder P i During the execution of the task allocation agreement (Algorithm 1), the probability of obtaining any party's private information is negligible.

[0206] Proof: First consider P 0 , In the case of the SC server, it has information K 0 =V. SC server can build equations Assuming 1≤v i ≤d,η(v i ) Is P 0 Can get v i Probability, η(v i |K 0 ) Is P 0 At K 0 Can get v i The probability. From Lemma 2, we have

[0207]

[0208] Under normal circumstances, this is obviously negligible.

[0209] To P i Proof of with P 0 Similarly, we now consider P -1 (Ie CSP). because Then CSP can construct a nonlinear system containing n+1 equations:

[0210]

[0211] From Lemma 3, we also have

[0212]

[0213] In general, this is negligible. And even if CSP gets d(l s , L i ) Is the exact value, which cannot get l s And l i The probability of information is also much higher than random guessing. The certificate is complete.

[0214] Remarks. It should be noted that Theorem 2 shows that the privacy protection task allocation protocol is safe in general. In some extreme cases, for example, V=1, the intruder can immediately know that the speed of each worker is 1. But as the number of workers increases, the probability of this happening will drop sharply.

[0215] Five, performance evaluation

[0216] 5.1 Experimental setup

[0217] We evaluate the performance of our protocol (Algorithm 1) based on two types of indicators: efficiency correlation and effectiveness correlation. The former includes running time and communication overhead, worker travel distance (WTD), worker travel time (WTT) and number of notifications (NNW). Generally, workers tend to have shorter WTDs, and so do task requesters, because if workers have the same speed, then tasks can be executed earlier. However, if the speed of the workers is different, a shorter WTD is not necessarily better. In this case, staff and task requesters are more inclined to short WTT. NNW should be kept at a low level to reduce computational cost and communication overhead.

[0218] For effectiveness evaluation, we use To[To,H.,Ghinita,G.and Shahabi,C.:A framework for protecting worker location privacy in spatial crowdsourcing.PVLDB,7(10),919-930(2014)] et al. The method is the benchmark. Since their method did not consider the influence of speed, the speed of each worker was set to 1 in the experiment. In this case, WTT is equal to WTD. In addition, the deadline for each task is set to a large value so that all workers can arrive before the deadline. Since our agreement does not consider the acceptance rate of workers and always returns one worker (ie NNW is always equal to 1), we randomly generate 1000 tasks and report the average result.

[0219] For efficiency evaluation, we noticed that differential privacy is significantly less computationally expensive than public key cryptography, but it cannot protect data during the calculation process (for example, allowing trusted third parties to view the location of all workers). Therefore, it is meaningless to compare our protocol (based on a public key cryptosystem) with the method of To et al. (based on differential privacy) in terms of runtime. Therefore, we only focus on the efficiency of our protocol and test whether its overhead is acceptable in practice. We run our protocol 10 times and report its average results.

[0220] We use two real-world data sets, Gowalla and Yelp to evaluate performance. Gowalla contains the login history of users in location-based social networks. We choose an area in California with latitude from 33.720183 to 34.149932 and longitude from -118.399999 to -117.900516. There are 5830 users logged in in this area, and these users are considered workers in the spatial crowdsourcing system. We take the location where the user logs in the most as its current location, and assume that a space task can be created in any location where there is a login record. For Yelp, we choose an area in Phoenix with latitude from 33.205308 to 33.924407 and longitude from -112.400283 to -111.218100. There are approximately 67,000 users and 11,200 companies in the region. The company location is considered a task, and the user's location is randomly selected from the companies they have viewed.

[0221] We set the number of workers #W∈{100,400,700,1000}, the maximum acceptance rate MAR∈{0.4,0.6,0.8,1}, and the expected task acceptance probability α∈{0.7,0.8,0.9,0.99}. Since the performance benchmark relies on differential privacy based on the privacy budget ∈, we also set ∈ ∈ {0.1,0.4,0.7,1.0}. For the security parameters of Paillier and ElGamal, we refer to the NIST Recommendation (2016) and set the key length KL ∈ {1024, 2048}, where the key length of 1024 is suitable for current applications and will be used in the next 15 years (2016). -2030) It is recommended to use a key with a length of 2048. The default value of each parameter is shown in bold.

[0222] In our experiment, the SC server and CSP are run on a machine with four Intel Xeon E7-8860 2.2GHz CPUs (each CPU has 16 cores) and 1TB RAM. Each worker is simulated by a Mi 2 phone with APQ 8064 1.5GHz CPU and 2GB RAM. We use the Bouncy Castle Crypto package to implement our protocol. The code is written in Java and executed in JDK 1.8. As can be seen from Table 1, the performance bottleneck of our protocol is a series of Paillier decryption processes. Fortunately, these expensive operations can easily be calculated in parallel because they are executed independently. In our experiment, we use 64 threads to perform these decryptions.

[0223] 4.2 Experimental results

[0224] 4.2.1 Efficiency

[0225] Figure 4 (a) shows that the number of workers #W increased from 100 to 1000, and the step length of 300 is the running time of the agreement. As expected, when #W increases, the CPU time of SC server and CSP also increases linearly, because their computational cost mainly comes from password operations proportional to the number of workers. On the other hand, despite the large number of workers, the computational cost of workers using mid-range mobile phones is almost constant, for example, about 0.1 second. Therefore, our protocol has good scalability in practice. In terms of total running time, our agreement only needs less than 2 seconds to realize the assignment of privacy protection tasks for more than 1,000 workers. in Figure 4 A similar performance trend can be seen in (b), where the 2048-bit key used can provide a stronger security guarantee (this key length is recommended for use in the next 15 years). Even in this case, the total running time of our agreement is still less than 7 seconds.

[0226] in Figure 5 In, we measured the communication overhead of the parties in the agreement. From Figure 5 (b) It can be seen that when a 2048-bit key is used to perform task distribution, the SC server, CSP and worker need to send or receive 2.7MB, 2.1MB and 0.008MB of data respectively. We believe that these costs cannot become a burden for current mobile applications. By changing the number of workers from 100 to 1,000, we are Figure 5 The linear growth trend of SC server and CSP is observed in, because the data transmitted is mainly password, and the total communication volume is proportional to the number of workers.

[0227] 4.2.2 Effectiveness

[0228] Image 6 , 7 and 8 show the performance of our agreement in WTD (worker travel distance) by changing MAR, α and ε respectively. In all graphs, our protocol outperforms the benchmark in all combinations of data sets (Gowalla, Yelp) and acceptance rate functions (Linear, Zipf). Specifically, in Image 6 In, we observe that when MAR decreases, the difference between our agreement and benchmark increases. To explain this, we first note that the benchmark needs to visit more grid cells to reach the required acceptance rate. Each unit usually contains some workers. Some of them may be far from the mission location, but they can accept the mission. However, our agreement always selects workers based on their travel time (or travel distance in this case). This is why when MAR is small, our agreement is much better than the benchmark. Figure 8 It is shown that when stronger privacy protection is provided (e.g., ε=0.1), the benchmark has a larger WTD. However, even if only weak privacy protection is provided (e.g., ε=1), our protocol is still better than the benchmark.

[0229] We further evaluate the performance of our protocol in terms of NNW (number of notifications) by changing MAR, α and ε, and Picture 9 , 10 and 11 report results. Again, our protocol outperforms the benchmark in all combinations of the data set (Gowalla, Yelp) and the acceptance rate function (Linear, Zipf). In most cases, the number of workers notified is no more than 5. In some extreme cases, for example, α=0.99, our agreement selects less than 15 workers to perform the task. This may explain why our protocol can be extended to P with very low overhead PTAG. On the other hand, the benchmark needs to notify many workers because it works on grid cells.

[0230] Taking the above-mentioned ideal embodiment according to the present invention as enlightenment, through the above-mentioned description content, relevant staff can make various changes and modifications without departing from the scope of the technical idea of ​​the present invention. The technical scope of the present invention is not limited to the content of the description, and its technical scope must be determined according to the scope of the claims.