ProCSA: Protecting Privacy in Crowdsourced Spectrum Allocation

Abstract

Sharing a spectrum is an emerging paradigm to increase spectrum utilization and thus address the unabated increase in mobile data consumption. The paradigm allows the “unused” spectrum bands of licensed primary users to be shared with secondary users, as long as the allocated spectrum to the secondary users does not cause any harmful interference to the primary users. However, such shared spectrum paradigms pose serious privacy risks to the participating entities, e.g., the secondary users may be sensitive about their locations and usage patterns. This paper presents a privacy-preserving protocol for the shared spectrum allocation problem in a crowdsourced architecture, wherein spectrum allocation to secondary users is done based on real-time sensing reports from geographically distributed and crowdsourced spectrum sensors. Such an architecture is highly desirable since it obviates the need to assume a propagation model, and facilitates estimation based on real-time propagation conditions and high granularity data via inexpensive means.

We design our protocol by leveraging the efficiency and generality of recently developed fast and secure two-party computation (\(\mathrm {S2PC}\)) protocols. We show that this approach leads to practical solutions that outperform the state-of-the-art in terms of both efficiency as well as functionality. To achieve the desired computational efficiency, we optimize the spectrum allocation algorithm to select a small number of relevant reports based on certain parameters. This results in a faster RAM program for power allocation which, under suitable adjustments to underlying arithmetic operations, can be efficiently implemented using \(\mathrm {S2PC}\). We use the standard “ideal/real paradigm” to define the security of spectrum allocation and prove security of our protocol (in the semi-honest model). We also provide data from extensive simulations to demonstrate the accuracy, as well as computational and communication efficiency of our schemes.

A Security Proof

Theorem 1

(Security of Protocol 1). Protocol 1 is a secure multi-party computation implementation of the plaintext algorithm shown in Sect. 3.1 with respect to semi-honest adversaries which do not corrupt \(\mathrm{SM}_0\) and \(\mathrm{SM}_1\) at the same time.

Proof

(Sketch; see [4] for a detailed proof). We need to show a simulator for different combinations of views for all possible subset \(I \subseteq \{\mathrm {S_i}, \mathrm{SM}_0, \mathrm{SM}_1, \mathrm{PNs} \}\) such that I does not contain \(\mathrm{SM}_0 \) and \(\mathrm{SM}_1 \) at the same time (Recall that we assume they do not collude). For Protocol 1, we claim that it will be sufficient if we can construct a simulator for each party separately (which is not necessarily true for general MPC protocols). This is because both \(\mathrm {S_i} \) (except for its final output \(t_i\)) and \(\mathrm{PNs} \) receive no message during the execution of \(\varPi \). Simulators for them can be constructed in a “dummy” way by just outputting the input/output of \(\mathrm {S_i} \) and \(\mathrm{PNs} \). So the essential part of Protocol 1 is actually a \(\mathrm {S2PC}\) protocol between \(\mathrm{SM}_0 \) and \(\mathrm{SM}_1 \). And it is not hard to verify that once \(\mathrm{SM}_0 \) and \(\mathrm{SM}_1 \) are not corrupted at the same time, the simulator for a spectrum manager can be composed with the aforementioned “dummy” simulators of \(\mathrm {S_i} \) and \(\mathrm{PNs} \) arbitrarily, to get a whole simulator for any corrupted set I that goes through the security proof. Therefore, we only need to construct a simulator for \(\mathrm{SM}_0\) (\(\mathrm{SM}_1\)’s role is symmetric to that of \(\mathrm{SM}_0\)).

Notice that for each of the 6 subprotocols described in Protocol 1, the input/output of \(\mathrm{SM}_0\) are secret shares of some data. Due to the security of the secret-sharing scheme, those shares is (purely) random. So if we substitute each subprotocols by invoking the corresponding simulator on a random string, we will get the final simulator for \(\mathrm{SM}_0\). A formal proof involves a sequence of hybrids where we substitute each subprotocol (with its simulator) in order and proves indistinguishability in a careful but standard way.

We remark that the existence of simulators for subprotocols \(\varPi _{\mathsf {off}}\), \(\varPi _{\mathsf {slct}}\), \(\varPi _{\mathsf {alloc}}\) and \(\varPi _{\mathsf {update}}\) is guaranteed by the \(\mathrm {S2PC}\) protocols used to implement them. We still need to show simulators for \(\varPi _{\mathsf {read}}\) and \(\varPi _{\mathsf {write}}\). The read algorithm (Fig. 3) involves two \(\mathrm {S2PC}\) protocols and one oblivious transfer, where all the input/output are random secret shares. So a simulator can be constructed in a straightforward way. The write algorithm (Fig. 4) consists of a \(\mathrm {S2PC}\) protocol followed by four message exchanges, which look random. So a simulator for it can also be easily constructed. This completes the proof for Theorem 1.    \(\square \)