A Privacy-Preserving Efficient Location-Sharing Scheme for Mobile Online Social Network Applications

The rapid development of mobile internet technology and the better availability of GPS have made mobile online social networks (mOSNs) more popular than traditional online social networks (OSNs) over the last few years. They necessitate fundamental social operations such as establishing friend relationships, location sharing among friends, and providing location-based services. As a consequence, security and privacy issues are of the utmost importance to mOSN users. The first stream of existing solutions adopts two different servers to store location-based and social network-based information separately, thereby incurring large storage and communication overhead. The second stream of solutions aims at integrating the social network server and the location-based server into a single entity. However, as these approaches exploit only a single server, they may face several performance issues related to server bottlenecks. Moreover, such schemes are found to be vulnerable to various active and passive security attacks. In this paper, we propose a privacy-preserving, secure and efficient location sharing scheme for mOSNs, which shows both efficiency and flexibility in the location update, sharing, and query of social friends and social strangers. The security of the proposed scheme is validated using a random oracle based formal security proof and a Burrows-Abadi-Needham (BAN) logic based authentication proof, followed by informal security analysis. Additionally, we have used ProVerif 1.93 to verify the security of the system. The efficiency and practicability of the proposed scheme are demonstrated through experimental implementation and evaluation.


I. INTRODUCTION
The advancement of mobile internet technology over the last few years has shifted online social network (OSN) users towards a more flexible and dynamic version, namely mobile online social networks (mOSNs). In general, mobile users keep their mobile devices in online mode anytime, anywhere. This allows the mobile device to use the current location information, thereby providing support to a range of location-based services such as current location sharing, social friend or stranger's location query, etc. Nowadays, mOSN users can use location-based services to get recommendations of good social friends and to search for various intended Points of Interest (PoIs) such as restaurants, movie halls and hospitals.
The associate editor coordinating the review of this manuscript and approving it for publication was Young Jin Chun.
An online social network (OSN) is an online platform which people use to build social networks or social relationships with other people who share similar personal or career interests and activities [1]. Normally, people use a PC or laptop to access online social network services.
Mobile online social networking (mOSN) involves the interactions between participants with similar interests and objectives through their mobile devices and/or tablets within virtual social networks [1]. mOSN leverages mobile communication networks and social networks, as mobile applications can use existing social networks. In mOSN, social networks can take advantage of mobile features and ubiquitous accessibility. Moreover, an mOSN can readily exploit mobile networks to support the concept of real-time web [2], which is at the forefront of the emerging trends in social networking. mOSNs enhance conventional social networks with additional features, such as location-awareness, tag media [3], etc. mOSNs can take advantage of the additional capabilities of modern mobile devices such as smartphones or tablets. People can access mOSN applications anywhere and anytime. These capabilities, such as global positioning system (GPS) receivers, sensing modules (cameras, sensors, etc.), and multiple radios (third/fourth generation cellular, WiFi, Bluetooth, WiFi Direct, etc.), enable mOSNs to enhance conventional social networks with additional features, such as location-awareness [5], location-based service, and the ability to capture and tag media [3]. In general, built-in GPS is not widely available in laptops. Moreover, laptops do not exploit 4G or the current standard of cellular networks. Hence, location-based services cannot be accessed using laptops [1].
Location sharing through mOSN may end up in catastrophic failure, especially when privacy and security measures are not implemented properly. On the one hand, the popularity and usage of mOSN based applications are increasing every day. On the other hand, different malicious users and attackers continuously engineer innovative attacks to unlawfully access and modify various social and physical information of the registered mOSN users. The implementation of a secured, privacy-preserving location sharing strategy while sustaining the modern-day facilities of various mOSN applications is a serious research challenge.
Detailed security analysis reveals the vulnerability of the existing related schemes against many security attacks, such as the denial-of-service (DoS) attack [6], replay attack [6], [7] and privileged insider attack [6], [7]. A recent study reveals that two attacking tricks, namely Regional Statistical Attack (RSA) [8] and Long-term Statistical Attack (LSA) [8], give more opportunity to the attackers.
In this paper, we propose a new location sharing scheme for mobile online social network applications, in which the limitations of the earlier schemes concerning security and functionality are overcome. The proposed system adopts a model where the social network server (SNS) and the location-based server (LBS) are integrated into one single entity. To share privacy-preserving locations, the proposed scheme exploits dummy locations and a dedicated mapping protocol among the Cellular Tower (CT) and a set of location-storing social network servers. Various security attacks including the strong replay attack, man-in-the-middle attack, etc., which are prevalent in existing schemes, can be successfully overcome by our scheme.
Formal security validation of the proposed scheme is achieved through the ProVerif 1.93 simulation tool. The Real-or-Random (ROR) model based on the random oracle model is employed to verify the security of the proposed scheme formally. Moreover, BAN logic is used to prove authentication of the proposed system. We logically explain how the proposed scheme defends against various active and passive security attacks by analyzing it informally. Experimental implementation and evaluation results demonstrate the efficiency and practicality of the proposed scheme.
Our study shows that although modern smartphones have privacy and security-based location sharing features, those services require improvements in the security aspects. Moreover, in current systems, location sharing to a large number of friends may incur substantial security hazards.
First, although popular online social networks provide many facilities to social life, they also increase the danger of user privacy breaches due to direct and indirect location sharing. A few studies have attempted to address the location privacy issues in MSNs [9]-[11]. Recently, H. Li et al. presented empirical research to quantify private information leakage arising from location sharing in popular OSNs such as Facebook and Twitter [12]. They conducted a three-week real-world experiment with 30 participants, and discovered that direct and indirect location sharing by popular OSNs could reveal 16% and 33% of the users' real points of interest (POIs) respectively. An external adversary was able to infer the demographics (e.g., age, gender, education) after observing the exposed users' location profiles. H. Li et al. implemented such an attack in a large real-world dataset involving 22,843 mobile users [12]. Many popular social networks provide location-based sharing functionalities like geolocation tags and check-in services. Based on these functionalities, the attacker can easily obtain the location information shared by the mobile users by crawling the information of interest from web pages and extracting POIs from the collected data [10], [13].
Second, it is possible for a privileged insider to execute location spoofing intentionally, providing fake locations on the location-based features of Facebook, WhatsApp and Snapchat (e.g. Nearby Friends and Snap Map). This is done using downloadable apps like FakeGPS, in order to deceive the social friends for malicious purposes [14].
Third, sharing location information is less safe, especially when a person has a large number of friends or followers whom he/she might not actually know. Location sharing and friend's location query should be done on a restricted basis where the communicating parties can limit the distance threshold by which they can find each other.
In this paper, we address the above security drawbacks of the existing location-based features of popular OSNs. According to our proposed scheme, MU i and LSSNS first separately establish a shared symmetric session key with CT. All location updates and friend's location query messages are encrypted with this session key before transmission. Because of this end-to-end encryption, an adversary A has little chance to reveal the location information of MU i. Furthermore, unlike the location-based services of existing OSNs, our proposed scheme allows a user to decide a distance threshold, up to which he/she wants to make himself/herself visible to the social friends. This imposes a much better user-controlled restriction on location sharing, as unrestricted location sharing can lead to security vulnerabilities.

A. MOTIVATION
The factors that motivated us to envisage the proposed scheme explained in this paper are as follows.
1) In order to achieve efficiency, the communication cost between the social network server (SNS) and the location-based server (LBS) should be as little as possible. Moreover, less message exchange would give an attacker less exposure to execute attacks in a wireless public channel.
2) The location sharing mechanism should not depend on a third-party location-based server. This minimizes the chance of privacy leakage and the establishment cost.
3) The location-based server (LBS) must not be able to discover the topological structures of users' social network. By collusion with the social network server, LBS should not be able to reveal users' social information.

B. RESEARCH CONTRIBUTIONS
The following contributions are made in this paper:
1) The location sharing scheme of the proposed scheme does not depend on any third-party location-based server. This eliminates the possibility of LBS revealing the social network topology structure of a social user.
2) The proposed scheme integrates LBS and SNS into a set of single entity servers, thereby reducing their internal communication overhead.
3) The proposed scheme has the ability to resist various active and passive security attacks which are present in the existing schemes.
4) The location sharing mechanism is efficient, lightweight and secure. We avoid computationally costly operations like bilinear pairing, elliptic curve cryptography, public key infrastructure (PKI), and public key cryptography.
5) On top of informal security analysis, we validate the security of the proposed scheme through formal security verification using random oracle, and through security simulation using ProVerif 1.93.

C. ORGANIZATION OF THE PAPER
The rest of the paper is organized as follows. Section II outlines the existing work in brief. Section III discusses mathematical preliminaries, which are necessary to set up the proposed scheme. The system architecture and threat model are explained in Section IV. Section V presents the proposed location sharing scheme for multiserver architecture in mOSNs. Section VI provides various formal security proofs along with informal security analysis. Section VII presents security validation using the ProVerif 1.93 simulation tool. Section VIII presents the computation and communication cost of the proposed scheme. Section IX presents a performance and security comparison of the proposed scheme with the other related existing schemes. Finally, Section X concludes the paper.

II. RELATED WORK
In the field of mOSNs, privacy and security issues have attracted a great deal of research focus. Hence, in recent years, many privacy-preserving schemes have been proposed with their own merits and limitations. Earlier research focuses on privacy-preserving schemes aimed at the achievement of information privacy [15], user anonymity [16] and protection of location privacy [17].
In order to sustain location anonymity, a mobile device encrypts the current location before sending it to servers. K-anonymity for location privacy adopts the process of obfuscating the actual location of the user as proposed and used by [18] and [19]. The use of dummy locations along with the real location is the next approach for location anonymity [20]. Location encryption is another very effective way to achieve location privacy protection [21]. The pseudonym methods [22], [23], mix zones [24] and the m-unobservability [25] are some well-known schemes developed in the past. Rahman et al. obtained location obscurity through privacy context obfuscation based on various location parameters [26].
Location sharing while maintaining privacy protection in online social networks was first addressed in 2007 by SmokeScreen [27], which allowed sharing locations between social friends and strangers. Wei et al. enhanced this scheme and proposed Mobishare, where users' social and location information were separately stored into SNS and LBS respectively [28]. Mobishare suffers from the weakness that, in the query phase, LBS can reveal the topology structure of social networks of a user. Recently, Li et al. [29] enhanced Mobishare to propose a new privacy-protected location-sharing scheme in mOSNs, namely MobiShare+, which introduced the concept of dummy queries and private set intersection to prevent LBS from knowing social information of a user. BMobiShare is an improved version of MobiShare+ in terms of transmission efficiency, where the existing private set intersection method is replaced by a Bloom Filter [30]. However, the computation cost of BMobiShare is quite high.
In 2015, in order to improve privacy protection against the insider attack, Li et al. introduced a multiple location server based location sharing system [31]. Although it provides higher security, it is resource-demanding and time-inefficient. As these schemes rely on the third-party location server, they carry the risk that LBS colludes with SNS in order to reveal the social information. Also, they incur a high transmission and storage cost [28], [29], [32], [33], [30]. To address this issue, very recently, Xiao et al. proposed CenLocShare [34], where SNS and LBS were amalgamated into one single server. This scheme reduces communication cost and storage cost, and also increases user's privacy protection.

Remark 1: The implementation of end-to-end encryption is an open research problem to many popular OSNs. The CEO of Facebook has recently published an article ''A Privacy-Focused Vision for Social Networking'', which claims that the OSN giant is planning to implement end-to-end encryption on all its messaging services to increase privacy levels, and it has started experimenting with end-to-end encryption already [35]. The lack of privacy in OSNs leads to various security hazards like identity theft, information leakage, and government impingement on user privacy [36]. However, the proposed scheme does not aim at providing complete end-to-end encryption on all messages between the mobile user and the social media service provider.
The idea proposed in this paper serves three basic purposes. First, it provides centralized storage of location-based information and social information in a single entity [34]. Second, it ensures secure communication of location sharing and update based messages, thus protecting them from various malicious attackers. Finally, for location sharing, it facilitates a low computation and communication cost on the mobile device, as it avoids encryption via public key infrastructure (PKI). These make the proposed scheme suitable for practical environments.
We find that the existing centralized location sharing scheme suffers from the man-in-the-middle attack, replay attack, and DoS attack [37]. Our contribution is to secure location sharing and location query based messages and to protect them from the adversary. We do not exploit direct key sharing between the user and the service provider. As shown in Figure 3, MU i goes through a three-factor authentication process with CT, and establishes the session key SK MU i ,CT (= SK CT ,MU i ), shared with CT. All location-based messages between MU i and CT are encrypted with this key. Similarly, Figure 4 shows how CT and LSSNS authenticate and establish their shared session key SK S j ,CT (= SK CT ,S j ).

III. MATHEMATICAL FUNDAMENTALS
To describe our proposed scheme, we have applied the collision-resistant one-way hash function [38], the Chebyshev polynomial [39], [40], biometrics and the fuzzy extractor, and the bitwise XOR operator. In this section, we describe these fundamental concepts in brief.

A. THE COLLISION-RESISTANT ONE-WAY HASH FUNCTION
The input to a one-way cryptographic hash function $H : \{0, 1\}^* \rightarrow \{0, 1\}^k$ is any string of 0s and 1s, that is, $s \in \{0, 1\}^*$. The output of the function is another binary string $H(s) \in \{0, 1\}^k$ whose length is fixed at $k$ bits. The collision-resistance property of $H(\cdot)$ is described in the following [41].
Definition 1: The advantage probability of any adversary $A$ in finding a collision within the execution time $t_n$ is denoted and defined by $Adv^{HASH}_{A}(t_n) = Pr[(p, q) \in_R A : p \neq q \text{ and } H(p) = H(q)]$, where $Pr[M]$ is the probability of an event $M$ and the adversary $A$ selects a random pair $(p, q)$. By an ( , $t_n$)-adversary $A$ attacking the collision resistance of $H(\cdot)$, we mean that the computation time of $A$ is at most $t_n$ and that Adv HASH

B. THE CHEBYSHEV POLYNOMIAL: DEFINITION AND PROPERTIES
The Chebyshev polynomial $T_n(x) : [-1, 1] \rightarrow [-1, 1]$ of degree $n$ is defined as [39]: The Chebyshev polynomial can be expressed in terms of the following recurrence relation.
$$T_n(x) = \begin{cases} 1 & \text{when } n \text{ is equal to } 0 \\ x & \text{when } n \text{ is equal to } 1 \\ 2xT_{n-1}(x) - T_{n-2}(x) & \text{when } n \text{ is greater than or equal to } 2. \end{cases}$$
Definition 2: The semi-group property of the enhanced Chebyshev polynomial holds on the interval (−∞, +∞) and is defined as follows [42].
Definition 3: For any given $x$ and $y$, it is computationally infeasible to find an integer $s$ such that $T_s(x) = y$. It is referred to as the Chaotic map-based discrete logarithm problem (CMDLP) [43]. The advantage probability of $A$ to solve CMDLP is Adv CMDLP
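The recurrence above and the semigroup property that makes Chebyshev maps usable for key establishment, as an added example (not code from the paper). It assumes the enhanced Chebyshev polynomial is evaluated modulo a large prime p, so that T_r(T_s(x)) ≡ T_rs(x) ≡ T_s(T_r(x)) (mod p); the prime, the public seed, the function names and the Diffie-Hellman-style exchange are constructed for illustration and are not the paper's message flow.

```python
# Added illustration: enhanced Chebyshev polynomial T_n(x) mod p and the
# semigroup property T_r(T_s(x)) = T_{rs}(x) = T_s(T_r(x)) (mod p).
import hashlib
import secrets

P = 2**127 - 1                    # constructed parameter: a Mersenne prime
X_PUBLIC = 0x1234567890ABCDEF     # constructed public seed value


def chebyshev_recurrence(n, x, p):
    """Reference implementation straight from the recurrence, O(n):
    T_0 = 1, T_1 = x, T_n = 2x*T_{n-1} - T_{n-2} (mod p)."""
    x %= p
    prev, cur = 1 % p, x
    if n == 0:
        return prev
    for _ in range(n - 1):
        prev, cur = cur, (2 * x * cur - prev) % p
    return cur


def chebyshev_mod(n, x, p):
    """T_n(x) mod p in O(log n) steps, needed for 128-bit or larger n.

    Walks the bits of n from the most significant end while keeping the
    pair (T_k, T_{k+1}), using the doubling identities
      T_{2k}   = 2*T_k^2 - 1
      T_{2k+1} = 2*T_k*T_{k+1} - x
      T_{2k+2} = 2*T_{k+1}^2 - 1
    """
    if n < 0:
        raise ValueError("degree must be non-negative")
    x %= p
    a, b = 1 % p, x                       # (T_0, T_1)
    for bit in bin(n)[2:]:
        t2k = (2 * a * a - 1) % p
        t2k1 = (2 * a * b - x) % p
        if bit == "1":
            a, b = t2k1, (2 * b * b - 1) % p   # k -> 2k + 1
        else:
            a, b = t2k, t2k1                   # k -> 2k
    return a


def session_key(shared_value):
    """Hash the shared Chebyshev value into a fixed-length key."""
    return hashlib.sha256(shared_value.to_bytes(16, "big")).hexdigest()


def key_agreement(r=None, s=None, x=X_PUBLIC, p=P):
    """Two parties with secrets r and s exchange T_r(x) and T_s(x) over the
    public channel; each applies its own secret to the value it received.
    Recovering r or s from the exchanged values is the CMDLP of Definition 3."""
    r = r if r is not None else secrets.randbelow(p - 2) + 2
    s = s if s is not None else secrets.randbelow(p - 2) + 2
    t_r = chebyshev_mod(r, x, p)          # sent by the first party
    t_s = chebyshev_mod(s, x, p)          # sent by the second party
    key_first = session_key(chebyshev_mod(r, t_s, p))
    key_second = session_key(chebyshev_mod(s, t_r, p))
    return key_first, key_second


if __name__ == "__main__":
    k1, k2 = key_agreement()
    print("keys match:", k1 == k2)
```

The linear-time recurrence is kept only as a cross-check; with 128-bit exponents it would never finish, which is why the logarithmic evaluation is the one used in the exchange.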

C. THE BIOMETRICS AND FUZZY EXTRACTOR
For secure authentication, various authentication protocols use biometric features, such as iris and fingerprint, as the key because of their uniqueness [44], [45]. Using the fuzzy extractor technique, we can produce an identical output string even though the input biometric differs from the stored biometric sample, up to a given threshold of permissible error tolerance. The fuzzy extractor is defined by two algorithms, Generate(·) and Reproduce(·), which are deterministic and probabilistic.
Definition 4: Let us suppose that a biometric key of length $n$ bits is generated from the biometrics $B$. We also consider that $R = \{0, 1\}^k$ is a metric space of finite dimensional biometric data points. The following two functions are defined next.
• Generate: This function generates a pair $(\eta, \mu)$, where $\eta \in \{0, 1\}^n$ represents the biometric key and $\mu$ is a public value which is used as a parameter by the Reproduce function for a given input $B \in R$.
as the Hamming distance. To be close, this distance must not be more than E. E is a pre-defined threshold value.
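Generate and Reproduce with a Hamming-distance threshold E, as an added example that is not code from the paper. The paper does not state which construction it uses; this sketch swaps in a toy code-offset construction over a repetition code, and the sizes, the sample template and all function names are constructed for illustration.

```python
# Added illustration: toy code-offset fuzzy extractor over a repetition code.
# Swapped-in construction; the paper does not specify the one it uses.
import hashlib
import secrets

REPEAT = 5                   # every seed bit is repeated REPEAT times
SEED_BITS = 16               # toy size; real templates are far longer
E = (REPEAT - 1) // 2        # guaranteed tolerance in Hamming distance

# Constructed 80-bit "biometric template" so the example runs offline.
SAMPLE_B = [(byte >> i) & 1
            for byte in hashlib.sha256(b"constructed-template").digest()[:10]
            for i in range(8)]


def _encode(seed):
    """Repetition code: repeat each seed bit REPEAT times."""
    return [bit for bit in seed for _ in range(REPEAT)]


def _decode(codeword):
    """Majority vote inside each block of REPEAT bits."""
    blocks = (codeword[i:i + REPEAT] for i in range(0, len(codeword), REPEAT))
    return [1 if sum(block) > REPEAT // 2 else 0 for block in blocks]


def _key_from_seed(seed):
    """Derive the biometric key eta from the recovered seed."""
    return hashlib.sha256(bytes(seed)).hexdigest()


def generate(biometric):
    """Generate(B) -> (eta, mu): eta is the key, mu the public helper value."""
    if len(biometric) != SEED_BITS * REPEAT:
        raise ValueError("unexpected template length")
    seed = [secrets.randbelow(2) for _ in range(SEED_BITS)]
    # mu masks the codeword with the template; on its own it reveals neither.
    mu = [b ^ c for b, c in zip(biometric, _encode(seed))]
    return _key_from_seed(seed), mu


def reproduce(noisy_biometric, mu):
    """Reproduce(B', mu) -> eta when B' is within distance E of B."""
    if len(noisy_biometric) != len(mu):
        raise ValueError("template and helper value differ in length")
    shifted = [b ^ m for b, m in zip(noisy_biometric, mu)]
    return _key_from_seed(_decode(shifted))


def hamming(a, b):
    """Number of positions in which two bit lists differ."""
    return sum(x != y for x, y in zip(a, b))


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (noise)."""
    out = list(bits)
    for pos in positions:
        out[pos] ^= 1
    return out


if __name__ == "__main__":
    eta, mu = generate(SAMPLE_B)
    near = flip(SAMPLE_B, [0, 1])        # distance 2 = E, worst case in one block
    far = flip(SAMPLE_B, [0, 1, 2])      # distance 3 > E, majority vote flips
    print("within threshold :", reproduce(near, mu) == eta)
    print("beyond threshold :", reproduce(far, mu) == eta)
```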

IV. THE ADVERSARY MODEL AND SYSTEM MODEL
This section briefly describes the basic attack model or adversary model applicable for our proposed scheme. Moreover, we depict the outline of the system model adopted for our proposed location sharing scheme for the online social network.

A. THE THREAT MODEL
We primarily assume that the cellular tower (CT) is a trusted body and define the threat model concerning the location-sharing social network servers (LSSNSs) and the user (U). We define the model below:
• Registered entities like U, LSSNS and CT communicate through a public insecure wireless channel. The proposed scheme adopts the widely-accepted Dolev-Yao threat model (DY model) [46]. An attacker or a malicious user has all the capabilities of executing all potential attacks defined in the classical DY model.
• A registered or authorized user or a privileged insider of the system may turn into a malicious user, who illegally intends to access various location or social information of other genuine users.
• LSSNSs exhibit an 'honest but curious' nature. They alone, or after colluding with other servers, try to retrieve the social network topology or location information of other registered users.
• Our proposed scheme assumes CT to be a trusted entity.

B. THE SYSTEM MODEL
Figure 1 shows the basic system model of the proposed scheme. Here, we define the basic entities, which are described as follows:
• Mobile user (U ): Sends and responds to three types of request queries. These include sharing of location information to other social friends and strangers, updating own location information and querying a friend's location information.
• Location Sharing Social Network Servers (LSSNS): Responsible for storing, updating and informing various location information of U .
• Cellular Tower (CT): It is a trusted entity, which receives, processes and forwards various messages of U and LSSNS. All messages communicated between U and LSSNS are communicated via CT.
The overall flow of the model is shown in Figure 1. First, the mobile user and the Location Sharing Social Network Server LSSNS j register to a cellular tower CT (process A). This is a one-time operation and is executed through a secure channel. Next, the mobile user MU i and LSSNS j make a secure login to the registered CT and establish a shared session key (processes B and C respectively). Thereafter, the mobile user registers a distance threshold to LSSNS j via CT , in which corresponding social friends can be searched (process D). When required, the mobile user updates his/her current location to LSSNS j through the cellular tower (process E). Finally, the mobile user obtains his/her social friends' identities and locations for those who are willing to share their information from LSSNS j through the cellular tower (process F).
In general, three major security challenges are primarily faced by location sharing schemes designed for mOSN applications. First, various location-based services must be privacy-preserving. An attacker or malicious user must not be able to access and/or modify personal information of U. Second, to ensure user location privacy, LSSNS should store various fake or dummy identities of U. Finally, a physical distance threshold between U and a friend or stranger of U must be registered. A location query about U's friends or strangers is processed only if their current physical distance is within that predefined distance threshold.

V. THE PROPOSED SCHEME
In order to design the proposed scheme, various symbols are used. The symbols and notations are tabulated in Table 1.

A. THE REGISTRATION PHASE
This phase involves two distinct registration processes, namely, (a) the registration of a mOSN user (MU i ) to a cellular tower, and (b) the registration of a LSSNS j to a cellular tower. The registration process is a one-time operation that is executed through a secure channel; the message communication for this phase is shown in Figure 2.

1) MOBILE USER REGISTRATION
In this phase, a series of steps are executed for the registration of a mobile user MU i to the CT . These steps are as follows.
Step UR1: 1) MU i selects own identity, password, and biometrics as ID i , PW i , B i respectively. 2) MU i selects parameters n and λ, which are two 128-bit random numbers.
Step UR2: 1) MU i uses the fuzzy extractor (·) function to produce (η i , µ i ) = Generation(B i ) and computes the biometric
Note that ID i and PW i are randomized by concatenating 128-bit (16-byte) random numbers [43], [47], [48]. We mask the user id and password as MPWB i = H (ID i || H (PW i || η i ||n)). Thus, guessing of ID i and PW i from MPWB i is infeasible, as it is computationally hard to guess three secrets simultaneously. A 128-bit random number can generate $10^{38}$ possible values (as $2^{128} \approx 10^{38}$). So, the guessing possibility is only $\approx 1/10^{38}$ [47], [49].
Step UR3: 1) CT randomly selects its own 1024-bit master secret key X . 2) For each CT ↔ MU i pair, CT randomly selects a 1024-bit secret key
Step UR4: 1) CT provides an anonymous temporary identity for each mOSN user MU i . This is done by selecting a random but temporary identity TID i for each user MU i . 2) CT saves m CT ↔ MU i key-plus-id combinations
Step UR5: s, RID i s and RID and removes V CT U i s, RID and TID i s from own mobile device.

2) THE LOCATION SHARING SOCIAL NETWORK SERVER REGISTRATION PHASE
Each location sharing social network server LSSNS j registers to the cellular tower CT through the following steps:
Step SR1: 1) LSSNS j chooses own id and password as ID S j and PW S j . 2) It selects one random number b, 128 bits long.
Step SR2:
Step SR3: 1) CT uses its master secret key X and one random number r (128-bit) to compute SN j is the identity or serial number of the server LSSNS j .
Step SR4:
The summary of the registration process of MU i and LSSNS j to CT is shown in Figure 3.

B. THE mOSN USER LOGIN, AUTHENTICATION AND KEY ESTABLISHMENT PHASE
The mOSN user MU i makes a secure login to the registered CT and establishes a shared session key through the following steps:
Step ULA1: 1) MU i inputs own identity, password, and biometrics (noisy) as ID i , PW i , and B i respectively. 2) Using stored µ i and P 1 i , MU i computes η i = Reproduction(B i , µ i ) and generates n = P 1 i ⊕ H (PW i ||η i ). 3) MU i calculates H (ID i ||PW i ||n ||η i ) and compares it with the stored P 2 i . 4) If the verification succeeds, go to Step ULA2, else exit.
Step ULA2: 1) MU i randomly generates u i (128-bit number). 2) Using stored parameter V CT U i , MU i computes:
Step ULA3: ≤ T . If verification holds go to step 2, else exit.
Step ULA4: 1) CT uses received parameters to prepare a hash value
Step ULA5: 1) MU i receives an authentication response message from step 8 of ULA4. 2) MU i verifies the transmission delay by comparing received and current timestamps. Go to step 3, if verification holds, else exit.
Step ULA6: 1) MU i generates a session key (mutually shared with CT ) as

The LSSNS j makes a secure login to the registered cellular tower CT and establishes a shared session key through the following steps:
Step SLA1: 1) LSSNS j inputs own id ID S j and password PW S j . = f S j . If verification holds, go to step SLA2, else exit.
Step SLA2:
Step SLA3: T S j is the current timestamp of LSSNS j . 3) LSSNS j generates its pseudo identity PID S j = ID S j ⊕ H (K 1 ). 4) LSSNS j computes M S j = H (ID S j || C ||K 1 || s j || T S j ). 5) Finally, through a public channel, LSSNS j sends its login request {PID S j , T s j (C), R 1 , M S j , T S j } to the cellular tower CT .
Step SLA4: 1) CT receives the login message and verifies if |T * S j − T S j | ? ≤ T . If verification holds go to step 2, else exit. Here, If verification holds, CT ensures that ID S j = ID S j and go to step 5. 5) CT finds the record ID S j , SN j , r in the database.

8) CT uses the received parameters T S j and calculates
9) CT verifies whether R 3 ? = R 2 . 10) On successful verification, CT accepts the login request and considers the Location Server LSSNS j as
Step SLA6: 1) LSSNS j receives the authentication response message from CT . 2) LSSNS j verifies the transmission delay |T * CT is the current timestamp. If verification holds, go to step 3, else exit.

2) LSSNS j verifies M CT
3) If verification succeeds, LSSNS j confirms that the cellular tower CT is authentic and the current session key SK S j ,CT (= SK CT ,S j ) is mutually verified and established. Otherwise, discard the session key and exit.
The summary of the LSSNS j login, authentication and key establishment phase is shown in Figure 6.

D. THE DISTANCE THRESHOLD REGISTRATION PHASE
Every registered mOSN user MU i needs to register with LSSNS j a distance threshold within which the corresponding social friends can be searched. The message communications of the Distance Threshold Registration Phase are shown in Figure 7.
Step DR1: 1) MU i decides a distance threshold D f u i beyond which MU i does not allow his/her social friends to find him/her in a friends' location query. 2) MU i sends encrypted distance registration message
Here, RN u i , TS u i , H (·) and E(·) convey their meaning as tabulated in Table 1. R flag = 1 indicates that this message is intended for the distance threshold registration.
Step DR2: 1) CT uses session key SK CT ,MU i and decrypts ≤ T , where TS * u i is the current timestamp. If verification holds, go to step 3, else terminate and exit.
3) CT computes the hash value H (ID i || RN u i || TS u i ). If the computed and received hash values are the same, then go to step 4, else discard the message and exit. 4) CT logs in to LSSNS j and establishes the shared session key SK CT ,S j as explained in subsection V-C. 5) CT encrypts and sends the distance registration message as
Step DR3: 1) LSSNS j decrypts Msg 2 dreg using the session key SK S j ,CT . (2) and (3) are successful, go to Step 5, else terminate the session and exit. 5) LSSNS j saves record {ID i , D f u i } and sends response message Msg 1 resp = E SK CT ,S j (ID i ||RN u i ||RN ct ||'ok') to CT .
Step DR4: 1) CT decrypts Msg 1 resp using the shared session key. 2) CT verifies the received random number RN ct and sends Msg 2 resp using the shared session key SK MU i ,CT 4) MU i verifies the random number RN u i . If these verifications hold, go to step 5. Otherwise, terminate the session and exit. 5) MU i reads the 'ok' message and the distance registration process successfully terminates.

E. THE USER LOCATION UPDATE PHASE
In this subsection, we describe how mOSN user MU i updates his/her current location to the Location Sharing Social Network Server LSSNS j . The message communications of the User Location Update Phase are shown in Figure 8. The location update is done through the cellular tower CT . Following the steps mentioned in subsection V-B, MU i makes a secure login to CT and mutually establishes a shared session key SK MU i ,CT (= SK CT ,MU i ). Next, it executes the following steps:
Step LU1: 1) MU i selects a one-time 128-bit random number RN u i . 2) MU i uses the shared session key SK MU i ,CT and sends an encrypted message ≤ T , where TS * u i is the current timestamp. If the verification holds then go to step LU 3, else discard the received message and exit.

1) CT uses the decrypted parameter and computes a hash value = H 1 . If the verification holds then go to step 3, else terminate the session and exit.
3) CT confirms the authenticity and integrity of the message and makes a login to LSSNS j . 4) CT and LSSNS j establish a mutually shared session key SK CT ,S j as mentioned in subsection V-C.
Step LU4: 1) CT generates L − 1 dummy locations and L − 1 dummy encrypted strings chosen randomly as
2) CT randomly puts MU i 's real updated location information string at the n th place among the dummy information set, (1 ≤ n ≤ L).

3) The sequence number of MU i 's real location update information is encrypted by CT with its own master secret key X , i.e.,
Step LU5: H (LSSNS j || Msg 2 || RN ct ), TS ct } to server LSSNS j .
Step LU6: 1) LSSNS j uses its session key SK S j ,CT (shared with CT ) and decrypts the message Msg 2 , random number RN ct , and timestamp TS ct . 2) LSSNS j checks the transmission delay using the received and current timestamps. 3) LSSNS j checks message integrity by computing a fresh hash value from the decrypted parameters.

4) $LSSNS_j$ updates the user location and sends
Step LU7:
1) CT uses the session key $SK_{CT,S_j}$ and decrypts $Msg_3$.
2) CT verifies the correctness of $RN_{ct}$. If it is correct, go to step 3, else terminate the session and exit.
3) CT forwards 'ok' to $MU_i$.
The user location update phase is summarized in Figure 9.
Remark 2: When the user reaches a new place, he/she updates his/her location in the LSSNS's database to ensure that LSSNS knows the user's real-time location. $MU_i$ executes the user location update phase and sends the current location coordinate $(x_{u_i}, y_{u_i})$ (obtained by GPS) to LSSNS. As the user location update phase of our proposed scheme is based only on private key encryption, a cryptographic hash function and the XOR operation, it is both secure and lightweight.
Depending on the population density, potential users, etc., the LTE technology nowadays requires cellular towers
Figure 2 and Table 3, $MU_i$ registration has the computation cost of $5T_H + 5T_X + T_{FE}$, which essentially takes only 0.0656 second. This evidences that the user registration process is very efficient.

F. THE FRIENDS' LOCATIONS QUERY PHASE
In this subsection, we describe how $MU_i$ obtains the identities and locations of his/her social friends who are willing to share their information. The message communications of the Friends' Locations Query Phase are shown in Figure 10.
Step FLQ1:
1) $MU_i$ makes a secure login to CT and mutually establishes a shared session key $SK_{MU_i,CT}$ $(= SK_{CT,MU_i})$ (as explained in subsection V-B).
Note that the message $F$ is a request to find 'friends'. $TS_{u_i}$, $RN_{u_i}$, $E(\cdot)$ and $H(\cdot)$ convey their usual meanings as explained in Table 1.
Step FLQ2:
Here, $TS^*_{u_i}$ is the current timestamp. If the verification holds, go to step 2, else exit.
2) CT uses its session key $SK_{CT,MU_i}$ (shared with $MU_i$) to decrypt the encrypted user message.

3) CT uses the received timestamp $TS_{u_i}$ and the parameter $TS_{u_i} \oplus RN_{u_i}$ to retrieve the random number as
If the computed $H_3$ and the received hash value do not match, then CT rejects the request immediately. Otherwise, go to step 5.
5) CT logs in to the server $LSSNS_j$ and creates a shared session key $SK_{CT,S_j}$, as explained in subsection V-C.

6) Through a public channel, CT forwards {E
Step FLQ3:
1) $LSSNS_j$ receives the message from CT and decrypts the message using its session key $SK_{S_j,CT}$ (shared with CT).
2) $LSSNS_j$ checks the communication delay using the current timestamp $TS^*_{ct}$ and the received timestamp $TS_{ct}$. If the verification holds, go to step 3, else terminate the session and exit.
3) $LSSNS_j$ retrieves $RN^{new}_{ct}$, computes a fresh hash value with the decrypted parameters and compares it with the received hash value.
4) If the verification holds, go to step FLQ4, else terminate the session and exit.
Step FLQ4:
1) $LSSNS_j$ finds the set containing a database entry for all friends of $MU_i$.
2) $LSSNS_j$ finds whether δ((x p , y p ), (x u i t , y u i t )) ≤ min(qf u i , df s ) s∈ , p = 1, · · · , k, and t = 1, · · · , k, where δ(·) is the distance function and (x u i t , y u i t ) are one real and k − 1 fake locations of $MU_i$. Here, the database entry of $ID_i$ is excluded.

3) For all friends α ∈ , $LSSNS_j$ includes the record $(\alpha, (p, enc^*_p), Index_\alpha)$ in the result set if the coordinate (x α i t , y α i t ) meets the distance requirement.
4) Corresponding to the k coordinate entries of $MU_i$, $(x_{u_i}, y_{u_i})_{i=1\cdots k}$, $LSSNS_j$ prepares k subsets $\{F_i\}_{i=1\cdots k}$ and adds them to the result set.
5) $LSSNS_j$ uses $RN^{new}_{ct}$ (the random number sent by CT) and $TS_{S_j}$ (the current timestamp), and encrypts the result set using the shared session key $SK_{S_j,CT}$.
6) Through a public channel, $LSSNS_j$ forwards message  y u i )))) and retrieves the real sequence number γ. CT uses its master secret key for the decryption.
2) CT discards all records $\{F_i\}_{i \neq \gamma}$ and accepts only $F_\gamma$.
3) CT finds every present user $U$ in the dataset $F_\gamma$.
4) CT decrypts $Index_U$ and finds its real center point location $\gamma_U$.
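
The dummy-location mechanics of Step LU4 and the subset handling of Steps FLQ4 and FLQ5 can be followed end to end in the Python sketch below, which is an added example and not the authors' implementation. Assumptions: an HMAC-SHA256 keystream with a tag stands in for encryption under CT's master key X, Euclidean distance stands in for δ(·), slots are 0-based, and all function names, the coverage area and the sample coordinates are constructed.

```python
import hashlib
import hmac
import math
import secrets


def _mac(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


def seal_index(master_key: bytes, gamma: int) -> bytes:
    """Hide the slot of the real location under CT's master key X.
    Assumption: HMAC-SHA256 keystream plus tag, standing in for the
    scheme's symmetric encryption."""
    nonce = secrets.token_bytes(16)
    pad = _mac(master_key, b"enc", nonce)[:4]
    body = bytes(a ^ b for a, b in zip(gamma.to_bytes(4, "big"), pad))
    return nonce + body + _mac(master_key, b"tag", nonce + body)


def open_index(master_key: bytes, blob: bytes) -> int:
    """Recover gamma; reject a blob that was not sealed under this key."""
    nonce, body, tag = blob[:16], blob[16:20], blob[20:]
    if not hmac.compare_digest(tag, _mac(master_key, b"tag", nonce + body)):
        raise ValueError("sealed index failed authentication")
    pad = _mac(master_key, b"enc", nonce)[:4]
    return int.from_bytes(bytes(a ^ b for a, b in zip(body, pad)), "big")


def hide_location(real, k, master_key, area=((-100.0, -100.0), (100.0, 100.0))):
    """CT, Step LU4: k-1 dummy points with the real one at a random slot.
    Dummies are drawn from a fixed coverage area, independently of the
    real point, so their spread gives no hint about which entry is real."""
    rng = secrets.SystemRandom()
    (x0, y0), (x1, y1) = area
    points = [(rng.uniform(x0, x1), rng.uniform(y0, y1)) for _ in range(k - 1)]
    gamma = rng.randrange(k)
    points.insert(gamma, real)
    return points, seal_index(master_key, gamma)


def server_query(points, friends, qf):
    """LSSNS, Step FLQ4: one subset F_t per candidate location t.
    friends maps id -> ((x, y), df); a friend is included when the
    distance is at most min(qf, df). The server never learns gamma."""
    return [{fid for fid, (pos, df) in friends.items()
             if math.dist(p, pos) <= min(qf, df)} for p in points]


def ct_select(subsets, sealed, master_key):
    """CT, Step FLQ5: keep F_gamma and discard every other subset."""
    return subsets[open_index(master_key, sealed)]


def demo():
    # Constructed sample data: coordinates and thresholds are illustrative.
    master_key = secrets.token_bytes(32)
    friends = {
        "alice": ((3.0, 4.0), 10.0),    # distance 5 from the real point
        "bob": ((30.0, 40.0), 100.0),   # distance 50, beyond qf
        "carol": ((1.0, 1.0), 1.0),     # close, but her own df is 1
    }
    points, sealed = hide_location((0.0, 0.0), k=5, master_key=master_key)
    subsets = server_query(points, friends, qf=10.0)
    return ct_select(subsets, sealed, master_key)


if __name__ == "__main__":
    print(demo())   # the subset computed for the real location
```

The server does k times the work of a plain query, which is the price of not telling it which of the k coordinates is real.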

Remark 3:
The existing location sharing schemes for OSN suffer from multiple security drawbacks. The purpose of our research is to design a secure and efficient location sharing scheme for OSN. User location updates and friends' location queries are two essential operations for location sharing services. As mentioned in existing location sharing schemes [28], [29], [34], group key-establishment among a user and its trusted social friends is an intrinsic requirement. In the literature, several group key distribution and key-establishment schemes among social friends have been proposed in distributed online social networks [51]-[54].
Unlike those schemes, our proposed one is not designed for the purpose of group key distribution and key-establishment among social friends. That said, the key-establishment process among social friends advocated by Y. Jung et al. [51] and L. Guo et al. [54] can be adapted to work with our proposed scheme.

VI. SECURITY ANALYSIS
In this section, we provide the detailed security analysis of the proposed scheme. This is done in two ways. First, we present the authentication proof using Burrows-Abadi-Needham (BAN) logic. Second, we present an informal security analysis to logically explain how and why the proposed scheme resists various security attacks.

A. AUTHENTICATION PROOF USING BAN LOGIC
BAN logic is used to analyze the security of any authentication scheme to verify the secure transmission between two communicating parties of that network [55]. In this section, we use BAN logic to show that the proposed scheme actually achieves the authentication goals. The basic syntax and semantics of BAN logic are explained in Table 2. The main logical postulates of the BAN logic are defined by a set of laws or rules as listed below [55], [56]. In the proposed scheme, there will be two basic types of messages as follows: The above generic messages have to be converted to idealized messages. These idealized messages are as follows.
Message 1: With the following assumptions, the authentication proof of our proposed scheme is presented as follows: A Next, we shall show that two goals mentioned earlier can be achieved using the assumptions, idealized messages and Basic BAN logic laws.
From the first message, we may obtain the following.
• $S_6$: Using A.6 and JL, we get, CT |≡ (ID i , x CT u i , u i , T u i , H (ID CT )).
• $S_7$: From $S_6$ and AL, we obtain, CT |≡ u i , CT |≡ T u i , CT |≡ ID i .
• $S_{17}$: The results of Steps $S_{15}$ and $S_{16}$ give (Goal 1)
Consequently, both goals are achieved, which ensures that mutual authentication between $MU_i$ and CT is established.

B. INFORMAL SECURITY ANALYSIS
In this section, we present an informal analysis of the security of the proposed scheme. This analysis aims to logically show that our scheme can successfully defend against the following known attacks.

1) THE REPLAY ATTACK
In the proposed scheme, two message communications are needed by the login phase and the authentication phase. In the process of login, $MU_i$ sends ||P 1 ||T u i ) and checks whether $H_2 = H_1$ or not. This computation is crucial to prevent a replay attack. The cellular tower CT rejects any login request if this check does not succeed. We have explained in Step LA5 in Section V-B, of the mOSN user login, authentication and key establishment phase, how an attacker cannot succeed in replaying the authentication message $Msg_2$. Moreover, CT also stores the parameters $ID_i$, u i , $T_{u_i}$ in its repository. In case CT receives another login request message, say $Msg^n_1 = \{TID^*_n, M^n_1, H^n_1, T_{u_n}\}$, it first checks whether $T_{u_n}$ is valid or not. If it is found to be valid, CT goes on to check whether the extracted $TID^*_n = TID_n \oplus H(ID_{CT} \| T_{u_n})$ is the same as the $TID_n$ stored in its repository for the same $ID_n$. If they are the same, $Msg^n_1$ is considered to be a replayed message. Thus, our proposed scheme is capable of resisting a strong replay attack with the help of the current timestamp and a random nonce.
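
The receiver-side checks that this argument rests on (timestamp window, recovery of the XOR-masked nonce, hash comparison, and a lookup of already accepted values) are shown together in the Python sketch below. It is an added, simplified example and not the authors' code, modeled on the $H(ID_i \| RN_{u_i} \| TS_{u_i})$ check of the distance registration phase. Assumptions: SHA-256 stands in for $H(\cdot)$, the delay bound is 5 seconds, the session encryption layer is omitted, and all names and sample values are constructed.

```python
import hashlib
import hmac

DELTA_T = 5        # assumed maximum transmission delay, in seconds
NONCE_BYTES = 16   # 128-bit one-time random number, as in the scheme


def h(*parts: bytes) -> bytes:
    """H(a || b || ...), with SHA-256 standing in for the paper's H(.).
    Each part is length-prefixed so the concatenation is unambiguous."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts_bytes(ts: int) -> bytes:
    # Timestamp widened to the nonce length so it can mask the nonce by XOR.
    return ts.to_bytes(NONCE_BYTES, "big")


def build_message(user_id: bytes, nonce: bytes, ts: int) -> dict:
    """Sender side: TS, TS xor RN and H(ID || RN || TS).
    In the scheme these fields travel inside the session encryption."""
    return {"id": user_id, "ts": ts,
            "masked_rn": xor(ts_bytes(ts), nonce),
            "hash": h(user_id, nonce, ts_bytes(ts))}


class Receiver:
    """Keeps the values it has accepted, as CT does in its repository."""

    def __init__(self):
        self.seen = {}   # (id, nonce) -> timestamp of the accepted message

    def verify(self, msg: dict, now: int) -> str:
        # Entries older than the window can no longer pass the freshness
        # test, so they are dropped to keep the store bounded.
        self.seen = {k: t for k, t in self.seen.items()
                     if abs(now - t) <= DELTA_T}
        # 1) Freshness: |TS* - TS| <= delta T
        if abs(now - msg["ts"]) > DELTA_T:
            return "stale"
        # 2) Recover RN from the masked parameter TS xor RN
        nonce = xor(ts_bytes(msg["ts"]), msg["masked_rn"])
        # 3) Integrity: recompute the hash and compare in constant time
        expected = h(msg["id"], nonce, ts_bytes(msg["ts"]))
        if not hmac.compare_digest(expected, msg["hash"]):
            return "bad-hash"
        # 4) Replay inside the window: same identity and nonce seen before
        key = (msg["id"], nonce)
        if key in self.seen:
            return "replay"
        self.seen[key] = msg["ts"]
        return "ok"


if __name__ == "__main__":
    ct = Receiver()
    m = build_message(b"user-1", bytes(range(16)), 1000)   # constructed
    print(ct.verify(m, 1002), ct.verify(m, 1003), ct.verify(m, 1010))
```

The timestamp alone only narrows the replay window to the delay bound; the stored-value lookup is what rejects a copy resent inside that window.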

2) THE MAN-IN-THE-MIDDLE ATTACK
An adversary A may attempt to modify a login or authentication message through a man-in-the-middle attack. In order to execute this attack, A sets up an independent parallel connection with both $MU_i$ and CT for a specific session. Additionally, to invalidate the login request of an authorized user, the attacker may modify some parameters of the request message. In the proposed scheme, the credentials of both the login and authentication messages, such as $ID_{CT}$, RID , A U iCT , etc., are generated with a fuzzy extractor, hash function, bitwise XOR and random nonce. This makes them very difficult for adversary A to regenerate and modify. As a consequence, the proposed scheme can resist the man-in-the-middle attack.

3) THE STOLEN/LOST MOBILE DEVICE ATTACK
Suppose the mobile device of the user $MU_i$ has been stolen or lost. An adversary can then easily find P 1 i and P 2 i , which are stored in the memory of the device. However, $ID_i$, $PW_i$, and the biometric $\eta_i$ are not stored directly in the device. From stored , it is computationally infeasible to identify or predict all these parameters. Furthermore, P 1 i and P 2 i are masked with a random number $n$ and the collision-resistant hash function $H(\cdot)$. This makes it a computationally infeasible problem to predict all the credentials in polynomial time. Therefore, the proposed scheme resists this type of attack.

4) THE OFFLINE PASSWORD GUESSING ATTACK
As described in Section V-B, a mobile user $MU_i$ needs the identity $ID_i$ and password $PW_i$ for its login. An adversary can obtain P 1 i and P 2 i from the lost or stolen mobile device, but it cannot guess and compute the identity $ID_i$, password $PW_i$, and biometric $\eta_i$ at the same time, as it is computationally infeasible. Hence, this scheme can prevent the offline password guessing attack.

5) KNOWN KEY SECRECY/FORWARD SECRECY
An adversary may obtain the current session key, but with that compromised session key, it cannot compute previous session keys. As per the proposed scheme, the session key is computed as SK CT , With the use of i , $T_{u_i}$, j , and $T_{u_j}$, a new login key for each session, $SK_{CT,MU_i} = SK_{MU_i,CT}$, is generated freshly and uniquely. So, the key cannot be used further in future. Moreover, before establishing a session key, both $MU_i$ and CT mutually validate each other. Hence, the proposed scheme confirms that the leakage of temporal information does not break the secrecy of the session key, and it provides session key security.

6) USER ANONYMITY
In this proposed scheme, the anonymity property of any mobile user is maintained. An adversary may eavesdrop on a login or authentication message communicated between $MU_i$ and CT, but the adversary cannot get the original $ID_i$ from those messages. At the time of login, $MU_i$ sends $Msg_1$ = , which is valid for only one session. Furthermore, it is not possible to compute $ID_i$ from At the time of authentication, CT transmits back an authentication response message So, from any intercepted message, it is not feasible for an adversary to figure out the original $ID_i$. Thus, the proposed scheme can preserve the anonymity property of any user.

7) THE PARALLEL SESSION AND REFLECTION ATTACK
In the proposed scheme, an adversary cannot start a new session with CT using any fake identity obtained from any eavesdropped message $Msg_1 = \{TID^*_i, M_1, H_1, T_{u_i}\}$. As described in section V-B, an adversary cannot obtain the correct identity $ID_i$, password $PW_i$ or the biometric key $\eta_i$ of any legal user $MU_i$ with an offline password guessing attack. Hence, from any eavesdropped message, an attacker cannot create a valid login request message $Msg_1$, so a new session with CT as a legal user is not possible. Thus, our proposed scheme can protect against the parallel session and reflection attacks.

8) SESSION KEY SECURITY
For establishing a new session, a mutually computed session key $SK_{MU_i,CT}$ $(= SK_{CT,MU_i})$ is shared between $MU_i$ and CT. The session key is computed as follows: Both $MU_i$ and CT authenticate each other to compute the mutually shared session key. Moreover, an adversary needs the credentials $ID_i$, $ID_{CT}$, B CT U i = (A U iCT ) for computing session keys. Therefore, the session keys are fully secured in our proposed scheme.

9) THE EPHEMERAL SECRET LEAKAGE ATTACK
An adversary may obtain the temporary (ephemeral) secrets (e.g., random variables) of any session from a compromised mobile device if those are not deleted properly. In this kind of attack, with the mentioned information, an attacker can initiate an ephemeral secret leakage attack. As per our proposed scheme, our session key is generated as follows: . u i is a 128-bit random number there. With this single random number, an attacker cannot regenerate the session key $SK_{MU_i,CT}$, as it requires some other credentials, such as $ID_i$, $ID_{CT}$, $PW_i$, etc. Thus, our scheme can defend against the ephemeral secret leakage attack.

10) THE USER IMPERSONATION ATTACK
In the user impersonation attack, an adversary pretends to be an authorized user to the cellular tower. So, for login, an adversary needs the credential values $ID_i$, $PW_i$, $B_i$. As already discussed, in our proposed scheme these credentials are not sent directly through the public channel or saved in the device memory, and it is computationally infeasible to obtain them from the easily available information. If an adversary wants to send a login message $Msg_1$ T ct ⊕ ID i ) and hash value $H_3$ (= H (ID i ||P 1 || ct ||T u i ||T ct ||SK CT ,MU i )), an attacker needs the secret key $X$ of the cellular tower and the random number x CT U i , as B CT U i = H (H (ID i ⊕x CT U i ) ||X ). Hence, our proposed scheme can resist the server impersonation attack.

12) THE PRIVILEGED-INSIDER ATTACK
This kind of attack is launched by an internal user who may be authorized to use the system that is attacked. Suppose that an adversary, who is also an internal user, obtains the registration credentials $ID_i$, $(MPWB_i \oplus \lambda)$ from the mobile registration request $Msg_1$. However, as discussed in section V-B, it is not feasible to compute $PW_i$ and the biometric key $\eta_i$ = even if the adversary has that lost or stolen mobile device. Without the knowledge of $\lambda$, it is also not possible to calculate $MPWB_i$ from $(MPWB_i \oplus \lambda)$. So, our scheme can resist this type of attack.

VII. FORMAL SECURITY VERIFICATION USING PROVERIF
In this section, we present the formal security verification of the proposed scheme using the ProVerif simulation tool [57]. This tool is based on applied pi calculus and can be used to verify whether an attacker can attack the session key [48]. We have modelled the proposed scheme in ProVerif, and the corresponding source code is presented in Figure 11, Figure 12, Figure 13, and Figure 14.
In Figure 11, the code for channel declarations is presented along with the definitions of constants, free variables, functions, equations, queries and events, which are needed to model the proposed scheme. Figure 12 depicts the ProVerif code for the mobile user MU registration, login, authentication and key-establishment process with CT. The cellular tower registration process (CTReg) and authentication process (CTAuth) are presented as a parallel composition in Figure 13.
Finally, we execute the code given in the previous three figures in the latest version (1.93) of the ProVerif simulation tool. The results of session key secrecy (from the user as well as the cellular tower) and authentication are presented in Figure 14.
The following observations can be drawn from the results.
• RESULT inj-event (UserAuth(id)) ==> inj-event (UserStart(id)) is true.
• RESULT not attacker(SKctmu[]) is true.
From the result set mentioned above, we conclude that the proposed scheme passes the required security verification.

VIII. PERFORMANCE ANALYSIS
In this section, we present the computation and communication cost of our proposed scheme. It is to be noted that the proposed scheme avoids cryptographic operations such as bilinear pairing, elliptic curve point multiplication, etc., as they incur high computation overhead. Table 5 shows various cryptographic operations, the corresponding notations and their execution time on an Intel Pentium4 2600 MHz processor with 1024 MB RAM, as performed in [39], [63]. For the fuzzy extractor function Rep(·) used to extract the biometric key $\alpha_i$, we take $T_{FE} \approx T_M$ [64]. The symmetric encryption/decryption time is given for an AES-128 symmetric cryptosystem. The mobile user registration and LSSNS registration mechanisms are one-time processes. As a result, we have not considered the computation cost of the registration phases. In Table 3 we have tabulated the computational overhead for the three main entities of our scheme, $MU_i$, CT and $LSSNS_j$. For $MU_i$, the overhead during the login phase is $10T_H + 10T_X + T_{FE}$. Since the time $T_X$ of a bitwise XOR operation is negligible, the overhead will be $10T_H + T_{FE}$. For the authentication, the required overhead of CT will be $7T_H + 8T_X \approx 7T_H$. Hence, the overall computation cost of the mobile user login and authentication phase is $17T_H + T_{FE} = 17 \times 0.5 + 1 \times 63.08 = 71.58$ ms. Following the same procedure, we calculate the computation cost and the exact execution time of all other remaining phases of the proposed scheme and tabulate them in Table 3.

B. COMMUNICATION COST ANALYSIS
In order to calculate the overall communication overhead of our proposed scheme, we have assumed standard bit sizes for various parameters and cryptographic function outputs. As an example, the bit sizes of the identity, random numbers and timestamp are 160, 128 and 32 bits respectively. The size of the output of the hash function $H(\cdot)$ is 160 bits (if we use the SHA-1 hash function [65]), the output of symmetric encryption/decryption (for example, Advanced Encryption Standard or AES-128 [66]) is 128 bits, and the prime number is 160 bits. For mobile user login and authentication in our proposed scheme, two message communications are required. In step ULA2 of Section V-B, CT receives the login request message from the mobile user $MU_i$. In step ULA4, CT sends one authentication response message to $MU_i$. The transmission of the $MU_i$ login message $\{TID^*_i, M_1, H_1, T_{u_i}\}$ requires (160 + 160 + 160 + 32) = 512 bits and the authentication response message $\{M_2, H_3, T_{ct}\}$ requires (160 + 160 + 32) = 352 bits. In the same fashion, we calculate the communication cost of the messages communicated in the various other phases of the proposed scheme. Table 4 shows the detailed communication cost for the different phases.

C. STORAGE OVERHEAD ANALYSIS
We have three different entities in our scheme: the mobile device ($MU_i$), the cellular tower (CT) and the location sharing social network server ($LSSNS_j$). We have calculated the storage requirement for each of them separately. The lengths of some important parameters that are needed to calculate the storage space are as follows:
• Device identity or serial number: 160 bits
• Output of a secure one-way hash function $H(\cdot)$: 160 bits
• Session key: 160 bits
• One random number, $r$: 128 bits
• Master secret key, $X$: 1024 bits
• Secret key, x CT U i : 1024 bits
• Fuzzy extractor, $\mu_i$: 128 bits
According to our proposed scheme, a mobile device $MU_i$ mandatorily needs to store $\mu_i$, P 1 i , P 2 i , V CT U i , $RID_i$, RID , $SK_{MU_i,CT}$. Hence, the required storage space of $MU_i$ is 128 + 160 + 160 + 160 + 160 + 160 + 160 = 1088 bits. A cellular tower, CT, needs a minimum of {X + ID CT + ID i + TID i + x CT U i + ID S j + SN j + r + SK CT ,MU i + SK CT ,S j } = 1024 + 160 + 160 + 160 + 1024 + 160 + 160 + 128 + 160 + 160 = 3296 bits of storage space to complete its processing. $LSSNS_j$ requires {E 1 + T X (K j ) + E 2 + f S j + SK S j ,CT } = 160 + 160 + 160 + 160 + 160 = 800 bits. Table 7 shows the storage analysis of our proposed scheme.

IX. PERFORMANCE AND COMPARATIVE STUDY
In this section, we present a comparative study of our proposed scheme with some recent chaotic-map based user authentication schemes under a multi-server environment, such as the schemes proposed by C. C. Lee et al. [58], X. Li et al. [59], Tsai-Lo [60], Irshad et al. [61] and H. Wang et al. [62]. The comparative study includes detailed analysis and comparison in terms of security and functionality features, computation overheads and communication overheads.
In Table 6, we have tabulated an overall security and functionality features comparison among our proposed scheme and other related authentication and key-establishment schemes. It is seen that a large number of the recent schemes do not support three-factor authentication, as they do not include user biometrics [43]. The tabulated result reveals that the existing schemes suffer from various security attacks like the stolen smart card attack [60], [61], server impersonation attack [58], session key recovery attack [61] and login phase inefficiency [58]. Moreover, it is observed that these chaotic-map based authentication schemes cannot support proper location-sharing and friends' locations query features. It is clear from Table 6 that the proposed scheme overcomes such security and functionality weaknesses of the existing schemes.
In Table 9, we tabulate and compare the computation overheads of the proposed scheme with the relevant schemes [58]-[61], [62]. The mobile user registration phase and the location sharing social network server registration phase are one-time processes only. Hence, for calculation as well as comparison of communication cost, we consider only the user and server login, authentication and key-establishment phases for the proposed and related schemes. Table 5 shows various cryptographic operations, the corresponding notations and their execution time on an Intel Pentium4 2600 MHz processor with 1024 MB RAM, as performed in [39], [63]. For all the given schemes, we separately tabulated the computation for the user, the server and the registration center or the cellular tower. Also, in Table 9, we mention and compare the total computation cost for each relevant scheme.
It is observed that the total computation cost of our proposed scheme is ≈ 117.122 ms only, whereas the computation cost of C. C. Lee [62] is ≈ 178.04 ms. It is to be noted that, except for Tsai-Lo's scheme, we have the lowest computation cost. The reason behind such a low computation cost of our proposed scheme is that we use only two chaotic map operations for authentication and key-establishment purposes, which is the minimum among the related existing schemes. Table 8 shows and compares the message communication rounds and communication cost (in bits) of the proposed scheme with the related schemes [58]-[61], [62]. Since the user and server registration phases are executed only once, we consider only the user and server login, authentication and key-establishment phases for the calculation of communication cost for the proposed scheme and the other schemes. In our proposed scheme, the mOSN user and location server login and authentication phases need 864 bits and 992 bits of message communication respectively, with a total communication cost of 1856 bits. From Table 8, it is clear that, compared to all related schemes except C. C. Lee et al.'s scheme [58], the proposed scheme has the minimum communication cost. Unfortunately, as shown in Table 6, C. C. Lee et al.'s scheme is vulnerable to some serious security attacks. Overall, the proposed scheme is both efficient and provides much greater security and functionality features for smart devices as compared to all existing compared schemes.

X. CONCLUSION
This paper presents an efficient location sharing scheme for mOSNs and shows the ability to resist various active and passive security attacks that are present in the existing schemes. The proposed scheme integrates LBS and SNS into a set of single entity servers, thereby reducing their internal communication overhead. Our location sharing scheme for mOSNs shows both efficiency and flexibility in location update, sharing, and query of social friends and social strangers. Formal security verification, authentication proof and simulation results prove the security strength of the proposed scheme.