An Efficient Location Privacy-Preserving Authentication Scheme for Cooperative Spectrum Sensing

In cognitive radio networks, cooperative spectrum sensing can improve the performance of spectrum utilization and accuracy of spectrum result. However, it suffers from security and privacy threats. Firstly, secondary users’ sensing reports that have to be sent to the fusion center are heavily correlated to their locations, thereby leading to the leakage of locations of secondary users in the process of reports transmission and aggregation. Moreover, malicious secondary users are likely to submit fake sensing reports or alter sensing reports of other secondary users, which finally result in a wrong aggregated result. To address these questions, we propose an efficient location privacy-preserving authentication scheme for cooperative spectrum sensing. To be specific, our scheme incorporates a reputation mechanism and enables reliable secondary users to participate in cooperative spectrum sensing. Selected users with pseudo IDs instead of real identities send encrypted sensing reports to the fusion center. This can eliminate the correlation between sensing reports and secondary users and prevent the fusion center from associating sensing reports with secondary users’ real identities while decrypting and aggregating reports, thereby protecting the location privacy of secondary users. Besides, to ensure a true aggregated result, we utilize elliptic curve cryptography technique to verify the legitimacy of sensing reports when the fusion center receives them. Theoretical analyses show that the proposed scheme protects the location privacy of secondary users. Numerical results demonstrate that the proposed scheme brings less overhead than previous schemes.


I. INTRODUCTION
Radio spectrum is a very precious communication resource [1]. On one hand, with the application of new technologies such as 5th-Generation, Internet of Things (IoT), virtual reality, the number of wireless devices has tremendously increased, thus leading to a rapid expansion of demand for spectrum [2]- [4]. According to the report, 50 billion devices will be connected to the development of IoT by 2030 [5]. On the other hand, static spectrum allocation policies have led to lower spectrum resource utilization. A survey by the Federal Communications Commission (FCC) finds that the average utilization in the licensed spectrum The associate editor coordinating the review of this manuscript and approving it for publication was Zijian Zhang .
band is currently around 30% [6]. Consequently, in the case of limited spectrum resources, how to improve the performance of spectrum utilization to meet people's spectrum needs has become the research goal of many scholars.
In 1999, Mitola and Maguire propose cognitive radio technology [7]. The characteristics of cognitive radio technology are that it can sense the wireless communication environment, and then obtain the unused spectrum information of authorized users through active learning, reasoning and decision-making within a period of time, and finally realize ''secondary utilization of spectrum'' without disturbing the authorized users. Cognitive Radio Networks (CRNs) is a network built on cognitive radio technology. In CRNs, there are two types of users: Primary Users (PUs) and Secondary Users (SUs). PUs are authorized users, and can access their spectra at any time. SUs are unlicensed users. When a PU is off-line, a SU is allowed to access the PU's spectrum. On the arrival of PU, the SU needs to vacate the PU's spectrum immediately without disturbing the PU's transmission [8].
In CRNs, multiple SUs collaboratively explore spectrum availability information, called cooperative spectrum sensing [9]. Specifically, each SU senses the signal of a PU through energy detection [10], generates a sensing report (known as Received Signal Strength, RSS), and then sends it to the Fusion Center (FC). The FC aggregates these sensing reports, and then compares the aggregated result with the energy threshold value. If the result is larger than the threshold value, the spectrum is occupied by the PU, otherwise, the spectrum is in idle. It has been shown in [11] that sensing reports which are generally signal strength measurements of the TV spectrum are closely related to SUs' physical locations. If SUs directly submit sensing reports in the form of plaintext, it is likely to comprise their locations during transmission and aggregation. The experiment result in [11] shows that through the sensing report, the adversary can locate the victim's location with a probability of more than 90%. The fine-grained location information can be inferred a series of individual privacy including beliefs, preferences and behavior [12]. Noting such privacy threat, SUs are reluctant to participate in cooperative spectrum sensing, thereby discouraging CRNs.
In addition, malicious SUs may submit fake sensing reports and even alter sensing reports of other SUs, which results in a wrong aggregated result and cause interference to the PU.
To sum up, in cooperative spectrum sensing, we ought to consider three requirements: How to select reliable SUs to participate in spectrum sensing? How to protect the location privacy of selected SUs? How to verify the legitimacy of sensing reports? Consequently, we propose an efficient location privacy-preserving authentication scheme for cooperative spectrum sensing. The contributions of this paper are summarized as follows: • In the proposed scheme, SUs with specified reputation score are allowed to participate in spectrum sensing. This can select reliable SUs for spectrum sensing in a way and therefore ensure the authenticity of sensing report at the source. Reputation scores of SUs is calculated according to the performance of SUs in previous spectrum sensing.
• In the proposed scheme, SUs with pseudo IDs instead of real identities send encrypted sensing reports to the FC, which eliminates the correlation between sensing reports and SUs and prevents the FC from correlating decrypted sensing reports with real identities of SUs, thereby protecting the location privacy of SUs. In addition, other adversaries can not know SUs' physical locations from encrypted sensing reports and thus protecting the location privacy of SUs.
• Besides, utilizing elliptic curve cryptography technique, the proposed scheme verifies the legitimacy of sensing reports. In this way, the FC receives legitimate reports and aggregates them to obtain true result.
• The proposed scheme has advantages over existing alternatives in communication cost and storage cost. And compared with other schemes, our scheme brings less computation cost on the FC side. The rest of this paper is organized as follows. Section II overviews the related work about location privacy-preserving in cooperative spectrum sensing. In section III and section IV, we describe our scheme which consists of system model, threat models, design objectives and solution. In section V and section VI, we analyze our scheme from the aspects of safety and performance, and compare with other schemes. Finally, we conclude this paper in section VII.

II. RELATED WORK
In this section, we introduce existing solutions for SUs' location privacy-preserving in cooperative spectrum sensing.
In the context of cooperative spectrum sensing, Li et al. first discover the location privacy leakage of SUs [11]. They find that SUs' locations can be inferred with a high probability from SUs' sensing reports (i.e., observed RSS values) and call this the Single Report Location Privacy (SRLP) attack. Later, they also discover another attack and call it the Differential Location Privacy (DLP) attack, where the adversary can deduce the leaving or joining user's sensing report from the differences in the final aggregated results of sensing reports before and after a SU quits or joins cooperative spectrum sensing. To address these attacks, Li et al. propose a privacy-preserving spectrum sensing protocol. In this protocol, authors utilize secret share and privacy preserving aggregation [13] process to cope with the SRLP attack and dummy report injections to cope with the DLP attack. However, the protocol does not support fault tolerance [14], that is the FC can not perform fusion analysis if a single SU does not submit a sensing report. In addition, since any two SU need to share a set of key pairs, it will bring extra communication cost.
To protect the location privacy of SUs in CRNs, Mao et al. propose two schemes one after another. The first scheme [15], Cooperative Spectrum Sensing with Derivative ElGamal introduces a modified derivative ElGamal algorithm and a helper to prevent the FC from matching the affiliation of each sensing report while decrypting sensing reports. However, Mao et al. point out that this scheme is vulnerable to SU's malfunction as the helper is selected from internal SUs. Then they propose the second scheme [16], Cooperative Spectrum Sensing with Threshold Cryptosystem, to be more robust when facing single-point failure. This scheme utilizes a noninteractive threshold cryptosystem [17] to select t out of n SUs to decrypt the ciphertexts. However, for selected SUs, it is costly in communication cost and computation cost.
Mohamed et al. also propose two schemes to protect the location privacy of SUs in CRNs. The first scheme [18] combines order preserving encryption [19] and Yao's Millionaires protocol [20], where SUs encrypt their sensing reports using VOLUME 8, 2020 order preserving encryption, then send them to the FC. The FC runs Yao's Millionaires protocol to count the number of SUs' sensing reports above or below the threshold but can not learn each report. However, in the first scheme, the FC can still learn the order of encrypted RSS values of SUs. So in the second scheme [21], Mohamed et al. introduce a gateway to solve the deficiencies.
In addition to utilizing cryptography tools, researchers also use differential privacy to realize the location privacypreserving of SUs in CRNs. Wang and Zhang [22] propose a privacy-preservation framework with multiple service providers in cooperative sensing. In this framework, each sensing report is transformed into a single value. Transformed values from a group of SUs are merged in a cloak. Each cloak will be perturbed by adding random noise to the number of SUs in the cloak. At last, the cloaks with noisy counts aggregated from all SPs can be taken as the input of general cooperative sensing schemes. However, when there are more FCs or fewer SUs, the privacy-preserving level will decline.
In our previous work, a scheme with fault tolerance is proposed to protect the location privacy of SUs [23]. We assign n secret keys for each sensing task, which the sum of n secret keys is 0, and then randomly assign one secret key out of n secret keys to each SU. SUs encrypt sensing reports by assigned secret keys. Finally, the FC aggregates encrypted sensing reports directly and obtains aggregated result without learning sensing report of each SU, therefore protecting the location privacy of SUs. Moreover, to verify the legitimacy of sensing reports, we provide an authentication mechanism for SUs' sensing reports, which do not be taken into account in other schemes.
Inspired by our previous work, we propose another location privacy-preserving scheme for cooperative spectrum sensing. Specifically, we protect the location privacy of SUs by eliminating the correlation between sensing reports and SUs. Besides, we utilize the authentication mechanism in [23] for SUs' sensing reports. What's more, the proposed scheme enables reliable SUs to participate in spectrum sensing by incorporating a reputation mechanism.

A. SYSTEM MODEL
Our system model is based on centralized cooperative spectrum sensing which is showed in FIGURE 1. In this model, there are three entities, the FC, the third party (TP), and SUs. The responsibility of each entity in the system is as follows.
• FC: The responsibilities of FC are to receive SUs' sensing reports, and then to analyze them to obtain the spectrum status of a PU.
• TP: The TP has strong computing power and sufficient storage and is authorized by the FCC [24]. In our system, the TP is responsible for generating system parameters and registering SUs. Additionally, the TP stores SUs' reputation scores and updates them after a spectrum sensing. • SUs: SUs provide the system with spectrum status of PUs. SUs usually carry smart devices that support spectrum sensing. The rewards that SUs receive through spectrum sensing are out of the scope of this paper. The general process of our scheme is described as follows.
(1) The FC issues a sensing task in the system; (2) If SUs intend to participate in the sensing task, they need to complete the registration process first with the help of the TP; (3) When SUs register successfully, they start to perform spectrum sensing individually, and then generate sensing reports. According to [25], if SUs adopt the method of energy detection, generated sensing reports follow the distribution: where n 0 is the noise power, s i is the SU i 's received signal power of a PU, and M is the number of signal samples. H 0 represents the PU is off-line, whereas H 1 represents the PU is on-line; (4) SUs send sensing reports to the FC; (5) The FC receives sensing reports and aggregates them as follows: in which w i is the weight of m i , r is the aggregated result. Without loss of generality, we adopt equal gain combination and set w i to 1 [25]. (6) The FC compares r with the energy threshold δ, if r ≥ δ, it represents the channel is occupied by the PU, if r < δ, it represents the channel is not occupied by the PU. Finally, the FC stores the PU's spectrum status in the database.

B. THREAT MODELS
In the context of cooperative spectrum sensing, we consider three types of adversary: the semi-honest FC, the semi-honest TP, and malicious SUs. The behavior of each adversary is as follows.
• Semi-Honest FC: The semi-honest FC will obey his/her responsibilities (e.g., receives and analyzes sensing reports of SUs) but meanwhile be curious about the location of some SU in the system.
• Semi-Honest TP: The semi-honest TP will obey his/her resonbilities (e.g., generates system parameters, registers SUs and updates reputation scores of SUs) but meanwhile be curious about the location of some SU in the system. In cooperative spectrum sensing, adversaries learn locations of SUs mainly by obtaining sensing reports of SUs. What's more, it is generally recognized that the location privacy of SUs is disclosed if and only if adversaries associate locations (namely sensing reports) of SUs with their real identities. In the next section, we will define location privacy. Besides, we assume that the FC does not collude with the TP in our system.

C. DESIGN OBJECTIVES
Based on the aforementioned system model and threat models, the design objectives of the proposed scheme are as follows.
• Location Privacy-Preserving: The proposed scheme should protect the location privacy of each SU in the system. This objective is the most fundamental goal of our scheme. Here, we give the definition of location privacy as follows: in which RID i denotes the real identity of SU i and LOC i denotes the physical location of SU i . In the previous section, we talk about that only when adversaries obtain SU i 's RID i and LOC i at the same time and associate them, can SU i 's location privacy be disclosed. Intuitively, the exposure of any one piece of information does not result in the disclosure of SU i 's location privacy.
• Reputation Mechanism: The proposed scheme should enable reliable SUs to participate in spectrum sensing so as to guarantee the authenticity of sensing reports at the source. Specifically, the proposed scheme gives each SU a reputation score based on the performance of previous spectrum sensing, and SUs with specified reputation score are allowed to participate in spectrum sensing.
• Authentication: The proposed scheme should verify the legitimacy of sensing reports. Specifically, when the FC receives sensing reports, it is necessary to verify the validity (to avoid replay attacks) and integrity (to avoid modification attacks) of sensing reports to obtain true aggregated result.
• Fault Tolerance: The proposed scheme should achieve fault tolerance. To be specific, when a group of SUs in the system do not submit sensing reports due to network failure, the FC can make a decision about spectrum opportunities based on the received sensing reports.
• Dynamism: The proposed scheme should achieve dynamism. To be specific, when a SU joins or leaves the system, the proposed scheme should allow the system to keep running. What's more, it does not pose a location privacy threat to the joining/leaving user.

D. ELLIPTIC CURVE CRYPTOGRAPHY
Elliptic Curve Cryptography (ECC) is employed in our scheme [26]. We now show the definition of ECC. Let F p denote a finite prime field where p is a large prime and p > 3. An elliptic curve E over a finite prime field F p is defined as follows: where a, b ∈ F p and 4 a 3 + 27 b 2 = 0 mod p. A cyclic additive group G consists of all points (x, y) on the elliptic curve E/F p and a point at infinity. That is: Let P be a generator of G. Elliptic curve discrete logarithm problem [27] is defined as follows: for a random variable x ∈ Z * q , Given P and x ·P, it is difficult to find x in polynomial time.

IV. THE PROPOSED SCHEME
We present the proposed scheme which includes six phases: initialization phase, sensing task release phase, user registration phase, sensing report-encryption phase, sensing reportdecryption phase, and sensing report-analysis phase. The notations used in our scheme are defined in TABLE 1.

A. INITIALIZATION PHASE
The initialization phase will generate some system parameters for later use and be executed only once. The initialization process is specified as follows.
(1) Based on Section III − D, The TP selects a random large prime p and determines the tuple F p , E/F p , G, P . (2) The TP randomly selects sk TP ∈ Z * q as his/her secret key and keeps it secret. Meanwhile, the TP computes the corresponding public key PK TP = sk TP · P. (3) The TP determines two secure hash functions: (4) The TP publishes system parameters: Based on the published system parameters, the FC randomly selects sk FC ∈ Z * q as his/her secret key and keeps it secret. Meanwhile, the FC computes the corresponding public key PK FC = sk FC · P and publishes it.

B. SENSING TASK RELEASE PHASE
The FC broadcasts sensing task Task in the system. The sensing task can be described as Task = {Task id , Task c , Task t , Task m , Task r , R id }. Each notation's meaning is showed in TABLE 1. In order to improve the sensing accuracy and reduce the impact of collusion attacks, Task m should be large enough. Furthmore, we require that SU i perform spectrum sensing in a circular area centered on the PU showed in FIGURE 2. Besides, this circual area should be large enough so as to prevent SU i from directly exposing the location information while performing spectrum sensing. ξ id is caluated by the FC and we will show its function later.
After receiving the system broadcast, if SU i is interested in participating in sensing task Task id , he or she first submits registration application to the TP. Based on the reputation score of SU i , the TP decides whether to pass SU i 's application. Algorithm 1 shows the TP how to select reliable SUs.
On passing the application, SU i starts to register with the assistance of the TP. The user registration phase mainly includes two processes: generates pseudo ID for a SU and public/secret keys for subsequent authentication. SU's pseudo ID consists of two parts, one part is generated by SU himself and the other part is generated by the TP. We use PID to denote the pseudo ID. The concrete registration process is specified as follows.
(1) SU i randomly selects α i ∈ Z * q and computes the first part pseudo ID In our scheme, {PID i1 , PID i2 } can only be used once, in other words, once SU i has applied for a pseudo ID from the TP, it can only be used for one sensing task. (4) The TP generates public and secret keys for subsequent authentication for SU i . The TP selects a random number β i ∈ Z * q , then computes and So far, SU i has registered successfully. SU i can use (PID i , U i , u i ) to participate in the next process.

D. SENSING REPORT-ENCRYPTION PHASE
SU i carring a device goes to the designated area and starts to execute task. After finishing sensing, SU i obtains a sensing report m i . Before sending it to the FC, SU i performs the follwing actions.
(1) SU i randomly selects sk i ∈ Z * q as his or her secret key and keeps it secret.
(2) SU i computes the corresponding public key PK i = sk i ·P and publishes it.
(4) SU i computes in which t i is the current timestamp. channel.

Receiving the message {PID
where t is the transmission delay and t i is the receiving time. This verification is to check the validity of the message. If the message is not sent within the specified receiving period t, then the FC discards this message and halts. (2) The FC performs the second verification. The FC computes and then confirms whether the following equation holds or not: This verification is to confirm the integrity of the message. If the equation does not hold, then the message has been modified and the FC discards this message and halts.
To reduce the computation cost, the FC can simultaneously verify the integrity of n messages as follows: (3) The FC decrypts the message. The FC computes and obtains sensing report of SU i . VOLUME 8, 2020 (4) The FC aggregates decrypted sensing reports as defined in Section III-A and stores the result of spectrum availability in the database.

F. SENSING REPORT-ANALYSIS PHASE
Apart from aggregating sensing reports, the FC analyzes each sensing report. That is by analyzing the authenticity of each sensing report, the FC evalutes each SU. Specifically, if m i ≥ ξ id , it shows that SU i offers legal sensing report, then the FC attaches a tag of {+1} to SU i ; if m i < ξ id , it shows that SU i offers fake sensing report, then the FC attaches a tag of {−1} to SU i . SUs use advanced smart devices, so the probability of erroneous results due to the malfunction of the devices is very small, and we will not consider them. The calcuation of ξ id can refer to [28], [29]. Finally, the FC sends {PID i , TAG i } to the TP via a secure channel. According to Algorithm 2, the TP computes the reputation score of SU i and updates end if 10: end for

V. SECURITY ANALYSIS
In this section, we analyze the security of the proposed scheme. Moreover, we compare our scheme with other schemes from five aspects which showed in TABLE 3.
• Location Privacy-Preserving: The location privacypreserving of SUs is the most fundamental goal of our scheme. In Section III-B, we have described three adversaries who covet SUs' locations. Now we introduce in detail how the proposed scheme avoids three adversaries.
-SU i with a pseudo ID submits encrypted sensing report to the FC. The FC can obtain the sensing report of SU i for aggregating through decryption.
To some extent, the FC knows the physical location LOC i of SU i . However, the FC just knows the pseudo ID of SU i but can not know the real identity RID i of SU i . The reasons are as follows.
The pseudo ID of SU i is generated by SU i and the TP together, which consists of RID i of SU i . In order to learn the RID i of SU i , the FC needs to obtain sk TP , PID i1 and T i , then solves the formula As sk TP is kept secret in the TP, it is impossible for the FC to obtain sk TP . What's more, T i and PID i1 are only known to SU i and the TP. As the FC and the TP does not collude, the FC can not know T i and PID i1 . According to the definition of location privacy defined in Section III-C, the FC just obtains SU i 's LOC i but no RID i , That is, SU i 's location privacy is protected. -The TP owns the real identity RID i of SU i . To get the physical location LOC i of SU i , the TP needs to know the sk i of SU i first, and then solves the formula C i = m i H 2 (sk i · PK FC ). As sk i is kept secret in SU i , it is impossible for the TP to learn sk i . Thus, the location privacy of SU i is protected. -Other SU can not learn the location of SU i through the pseudo ID of SU i and encrypted sensing reports.
• Reputation Mechanism: The FC analyzes the authenticity of each sensing report and sends a tag (e.g., ''+1'' represents SU i offers legal sensing report, ''−1'' represents SU i offers fake sensing report) to the TP. Then the TP updates reputation scores of SUs based on the tag of each SU. According to reputation scores of SUs, the proposed scheme selects reliable SUs.
• Authentication: the FC verifies the legitimacy of message twice. The first verification is to resist replay attacks, and the second verification is to resist modification attacks. Two verifications are to ensure that the sensing report is completely sent by the SU without any blocking.
-Prevention of Replay Attacks: In order to resist replay attacks, we require that SUs add a timestamp to the message before sending it to the FC. The timestamp can help the FC to judge whether the message was replayed and determine whether to discard the message. Specifically, when receiv- Once the message is sent outside the period t, then the FC discards it. -Prevention of Modification Attacks: In order to resist modification attacks, we require that SUs cal- while encrypting sensing reports and send V i to the FC. After receiving the message and then verifies the equation . Through this equation, we know that no matter which value in the message is modified by the adversary, the equation does not hold, so the FC discards this message. Conversely, if the equation holds, the FC judges that the message is complete and receives this message. • Fault Tolerance: Based on the definition of fault tolerance defined in Section III-C, the proposed scheme achieves fault tolerance. On receiving encrypted sensing report C i , the FC computes as follows: m i = C i H 2 (sk FC · PK i ). It means that the FC decrypts C i using sk FC and PK i , that is, when a group of SUs do not submit sensing reports, the FC can still decrypt the received sensing reports and aggregate them. All in all, unsubmitted sensing reports do not affect the final aggregated process.
• Dynamism: When a SU joins/leaves cooperative spectrum sensing, the adversary can deduce the joining/leaving user's sensing report from the differences in the final aggregated results. However, since the SU participates in spectrum sensing under a pseudo ID and the pseudo ID can only be used once, the adversary can not associate the sensing report with the real identity of SU, then the location privacy of the joining/leaving user is protected.
• Comparison with Other Schemes: From five aspects, we compare the proposed scheme with previous schemes. As we can see in TABLE 3, we know that our scheme has five functions and is superior to the schemes proposed in [11], [15], [16]. Besides, our scheme has the exact same function as Zeng et al's [23]. However, our scheme gets its advantages in fault tolerance and reputation mechanism. When a group of SUs fail to submit sensing reports, Zeng et al's brings more computation cost than ours on the FC side. In terms of reputation mechanism, Zeng et al. evaluate the reputation scores of SUs based on the completion of the task. Specifically, if a SU completes the sensing task, his/her reputation score increases by 1, otherwise the reputation score decreases by 1. But in our scheme, we use the authenticity of sensing reports to evaluate the reputation values of SUs.

VI. PERFORMANCE EVALUATION
In this section, we analyze the computation cost, communication cost, and storage cost of the proposed scheme.
In addition, we also compare the performance of our scheme with the schemes proposed in [11], [15], [16] and [23].

A. COMPUTATION COST
We use symbols to denote different cryptographic operations. According to [23], the running time of each cryptographic operation is showed in TABLE 4. Besides, owing to the running time of one xor operation is very short, the proposed scheme does not consider the computation cost. The computation cost of each phase is as follows.
(1) In the user registration phase, each SU performs one elliptic curve point multiplication operation, and the TP performs one elliptic curve point multiplication operation, one hash operation, and one modular addition operation. Therefore, the computation cost of one SU is C em . For n SUs, the computation cost of the TP is 2 · n · C em + 2 · n · C h + C m · n + C a · n. (2) In the sensing report-encryption phase, only SUs are involved. Each SU performs two elliptic curve point multiplication operations, two hash operations, and one modular addition operation. Therefore, the computation cost of one SU is C em + 2 · C h + C m + C a . (3) In the sensing report-decryption phase, only the FC participates in the decryption process. To decrypt a sensing report, the FC performs three hash operations, one elliptic curve point multiplication operation, and one modular addition operation. If the FC simultaneously verifies the integrity of n messages, to obtain the final aggregated result, the total computation cost of the FC is (2n+1)C em +(3n−1)C ea +n·C m +(2n−2)C a +3n·C h . Now we compare the computation cost of the proposed scheme with other schemes in terms of the FC and one SU in TABLE 5, FIGURE 3, FIGURE 4, and FIGURE 5. FIGURE 3 shows the comparison of computation cost on SU side. From FIGURE 3, we can see that the computation cost of the proposed scheme is lower than the schemes pro-VOLUME 8, 2020    posed in [11], [15] and [16]. That is because Li et al. [11], Mao et al. [15], and Mao et al. [16] need to execute at least two modular exponentiation operations, and our scheme requires two elliptic curve point multiplication operations. As shown in TABLE 4, one modular exponentiation operation costs more than one elliptic curve point multiplication operation. In addition, our scheme's computation cost on SU side is slightly higher than Zeng et al.'s [23]. This is due to the fact that SUs need to execute extra one elliptic curve point multiplication operation to generate the first part of pseudo ID in the proposed scheme, however, in Zeng et al.'s [23], SU's pseudo ID is completely generated by the TP. From a security perspective, it is safer that the pseudo ID is generated by SU and the TP together. In case the TP disguises as the SU i and sends fake sensing report to the FC, then the FC can remove the TP's delivery by comparing the part of the pseudo ID generated by SU i .  [23].
When a group of SUs fail to send sensing reports to the FC, to obtain the aggregated result, the computation cost of FC in Zeng et al.'s [23] is (3 |Q| + 1)C em + (3 |Q| − 1)C ea + |Q| · C m + (3 |Q| − 1)C a + 4 |Q| · C h , and the computation cost of the FC in our scheme is (2 |Q| + 1)C em + (3 |Q| − 1)C ea + |Q| · C m + (2 |Q| − 2)C a + 3 |Q| · C h . We show the comparison result in FIGURE 5. From FIGURE 5, we know that our scheme brings less computation cost when a group of SUs fail to submit sensing reports.

B. COMMUNICATION COST
We assume that RID i , T i , t i are 32 bits, respectively. q is 160 bits. The communication cost of each phase is as follows.
(1) In the user registration phase, SU i sends {RID i , PID i1 } to the TP, resulting in a communication cost of 32 + 2 · l ecc . Therefore, the total communication cost of n SU is 32 · n + 2 · n · l ecc . The TP sends {RID i , PID i , U i , u i } to SU i , so for n SUs, the total communication cost of the TP is 32 · n + 2 · n · l ecc + 160 · n + 32 · n + 2 · n · ł ecc + 160 · n. (2) In the sensing report-encryption phase, SU i sends {PID i , C i , U i , t i } to the FC, so the total communication cost generated by n SU is 2 · n · l ecc + 160 · n + 32 · n + n · γ + 2 · n · l ecc + 32 · n.   As we can see from FIGURE 6, our scheme is the most efficient one of these schemes in computation cost. In contrast, Mao et al. [16] brings the highest communication cost as selected t SUs are required to receive all sensing reports from each SU.

C. STORAGE COST
The physical storage performance of the FC and the TP is strong, and the devices carried by SUs generally do not support large-capacity storage. Therefore, in this paper, we only analyze the storage cost of SUs. In our scheme, each SU stores {P, PID i2 , T i , U i , u i , PK FC }, so the storage cost of one SU is 2 · l ecc + 160 + 32 + 2 · l ecc + 160 + 2 · l ecc .    Zeng et al. [23], and our scheme. From two figures, we can see that the storage cost of our scheme is the lowest in terms of SU side. In Li et al.'s [11], each SU needs to storage n − 1 pairwise secret keys, so it requires the largest storage space among five schemes.
All in all, our scheme has advantages over existing schemes in terms of communication and storage cost. For the computation cost, the pseudo ID of a SU is generated by the SU in cooperation with the TP in our scheme, so our scheme is not optimal.

VII. CONCLUSION
To protect the location privacy of SUs in cooperative spectrum sensing, we propose a scheme where it adopts a pseudonym method and thus eliminates the correlation between sensing reports and SUs. In addition, to guarantee a true aggregated result, the proposed scheme enables reliable SUs to participate in spectrum sensing by incorporating a reputation mechanism and utilizes elliptic curve cryptography technique to verify the legitimacy of reports. Security analyse show that our scheme not only protects the location privacy of SUs, but also resists various attacks. Performance analyse shows that the feasibility of our scheme in various metrics.
In future work, we will study distributed cooperative spectrum sensing model and consider how to use blockchain technology to achieve our research goals. Dr. Xu is also a member of ACM, and a Senior Member of CCF and CIE in China. He has been invited to act as the PC Chair or a member in more than 30 international conferences.
YALI ZENG received the B.S., M.S., and Ph.D. degrees from Fujian Normal University, China, in 2013, 2016, and 2020, respectively. Her main research interests include security and privacy in cognitive radio networks.