Trajectory Hiding and Sharing for Supply Chains with Differential Privacy

Abstract

With the fast development of e-commerce, there is a higher demand for timely delivery. Logistic companies want to send receivers a more accurate arrival prediction to improve customer satisfaction and lower customer retention costs. One approach is to share (near) real-time location data with recipients, but this also introduces privacy and security issues such as malicious tracking and theft. In this paper, we propose a privacy-preserving real-time location sharing system including (1) a differential privacy based location publishing method and (2) location sharing protocols for both centralized and decentralized platforms. Different from existing location perturbation solutions which only consider privacy in theory, our location publishing method is based on a real map and different privacy levels for recipients. Our analyses and proofs show that the proposed location publishing method provides better privacy protection than existing works under real maps against possible attacks. We also provide a detailed analysis of the choice of the privacy parameter and their impact on the suggested noisy location outputs. The experimental results demonstrate that our proposed method is feasible for both centralized and decentralized systems and can provide more precise arrival prediction than using time slots in current delivery systems.

A Deferred Proofs and Figures

1.1 A.1 Proof for Lemma 2

Lemma 2.(Anonymity and unlinkability) A PPT adversary \(\mathcal {A}\) can not derive the receiver of a stealth address or distinguish the receiver of two different stealth addresses in Protocol 3.

Proof

Assume that a PPT adversary \(\mathcal {A}\) holds a stealth address (P, R) and \(p_{id}\) and a list of tuples \((TK_{i,p_{id}}, K_{b_i})\), \(\mathcal {A}\) needs to compute \(P^\prime = H_s(rTK_{i,p_{id}})G + K_{b_i})\) such that \(P^\prime = P\). To find such a \(P^\prime \), \(\mathcal {A}\) need to compute \(P-K_{b_i} = H_s(rTK_{i,p_{id}})G\). Because of the one-wayness of ECDLP, it is computationally infeasible to compute the \(H_s(rTK_{i,p_{id}})\). And since \(\mathcal {A}\) does not know the secret value r, he can not contrust \(P^\prime = H_s(rTK_{i,p_{id}})G + K_{b_i})\) himself. Therefore, it is infeasible for \(\mathcal {A}\) to derive the receiver of (P, R).

Similarly, assume that \(\mathcal {A}\) gets two stealth addresses \((P_1,R_1)\) and \((P_2, R_2)\), \(\mathcal {A}\) needs to distinguish the following two scenarios: (1) two stealth addresses belong to the same receiver, and (2) two stealth addresses belong to two different receivers. For scenario (1), \(\mathcal {A}\) computes \(P_1 - P_2\) as:

$$\begin{aligned} \begin{aligned} P_1 - P_2 &= H_s(rTK_{p_{id1}})G + K_b - (H_s(rTK_{p_{id2}}) + K_b)\\ &= (H_s(rTK_{p_{id1}}) - H_s(rTK_{p_{id2}}))G\\ &= xG \text { for some unknown x.} \end{aligned} \end{aligned}$$

(14)

Since the adversary \(\mathcal {A}\) does not hold \(p_{id1}, p_{id2}\) and r, \((H_s(rTK_{p_{id1}}) - H_s(rTK_{p_{id2}}))\) is a secret value x for him. For scenario (2), \(\mathcal {A}\) computes \(P_1 - P_2\) as:

$$\begin{aligned} \begin{aligned} P_1 - P_2 &= H_s(r_1 TK_{p_{id1}})G + K_{b_1} - (H_s(r_2 TK_{p_{id2}}) + K_{b_2}) \\ &= (H_s(r_1 TK_{p_{id1}}) - H_s(r_2 TK_{p_{id2}}) + K_{b_1} - K_{b_2})G \\ &= yG \text { \ \ \ for any unknown y.} \end{aligned} \end{aligned}$$

(15)

The adversary \(\mathcal {A}\) does not hold \(p_{id1},\ p_{id2},\ r_1,\ r_2\), so \((H_s(r_1TK_{p_{id1}}) - H_s(r_2TK_{p_{id2}}) + K_{b_1} - K_{b_2})G\) is a secret for \(\mathcal {A}\).

In both scenarios, the adversary \(\mathcal {A}\) can not derive the secret value. Given two different stealth addresses, it is computationally infeasible for \(\mathcal {A}\) to distinguish.

1.2 A.2 Proof of Lower Storage Cost

Fig. 11.

An example output by PL\(_\epsilon \), and the filtered output of the sanitized trajectory. The blue line shows the actual trajectory, the red line shows the published trajectory by PL\(_\epsilon \), and the green line shows the filtered trajectory. (Color figure online)

Lemma 3

The proposed encryption method has lower storage costs than DECOUPLES [22].

Proof

The space cost for only using ECIES is \(S_{ECIES} = N_{P}(e+(p,r))\). To compare the space cost of the encryption algorithm S and \(S_{ECIES}\), we compute \(S - S_{ECIES}\) as follows:

$$\begin{aligned} \begin{aligned} S-S_{ECIES} &= N_{L}e + N_{P}(k_{SE}+(p,r)) - N_{P}(e+(p,r)) \\ &\ = (N_{L} - N_{P})e + N_{P}(k_{SE}-e) \end{aligned} \end{aligned}$$

(16)

Since many products share the same location, we have \(N_{L} < N_{P} < 0\). If \(e > k_{SE}\), we get \(S-S_{ECIES} < 0\) (the size of the encrypted data is larger than the size of the symmetric key). Our encryption method requires less storage than ECIES.