Modern mobile devices with positioning capabilities (e.g., GPS) allow users to be informed about events that occur in their proximity. Many classes of applications benefit from the large-scale availability of location data, ranging from public safety and national security to social networks and advertising. One particular scenario of interest is that of location-based alert systems, where mobile users wish to be immediately notified when their current location satisfies some conditions, expressed as a spatial search predicate. For instance, in a public safety scenario, users want to be notified when they are getting close to a dangerous accident area. Alternatively, in the commercial domain, a user may want to be alerted when a nearby sale event is underway.
The typical architecture of such a system uses a server that collects location updates from the users and checks whether the alert condition is met. Such a service is often provided by a commercial entity that is not fully trusted. The collection of user trajectories at a commercial site introduces serious privacy concerns, as sensitive personal information may be derived from a person’s whereabouts [20, 16]. Therefore, protecting the privacy of users is a necessary feature of such a system, and the users must not report their exact locations to the server. Ideally, the only information that the server should be able to derive from the user updates is whether the conditions that the users subscribe to are satisfied or not. Syntactic privacy models [20, 14, 34, 17] that perform generalization of locations before sharing have been proven vulnerable, especially in the presence of background knowledge . Furthermore, semantic privacy models such as differential privacy [11, 12, 9] are only suitable for releasing statistics, but not for processing privately individual updates.
Recently, several advanced encryption functions that allow evaluation of predicates on ciphertexts have been proposed [6, 30, 2]. These functions are broadly referred to as searchable encryption (SE) functions, since they allow the evaluation of certain types of queries without requiring decryption. Some of these encryption systems are asymmetric, i.e., they employ a secret key SK and a public key PK pair.
Figure 1 shows the envisioned system architecture, with three types of entities: (i) users who send encrypted location updates using the PK of a trusted authority; (ii) a trusted authority (TA) who generates tokens for spatial search predicates using secret key ; and (iii) the server (S) that collects location updates from users and evaluates the predicates on the ciphertexts using the tokens. In practice, the TA may represent the public emergency department of a city, which is responsible for the safety of the citizens. The TA is trusted, but it does not have the necessary infrastructure to support a large-scale alert system, hence it outsources this service to .
However, is a commercial entity that cannot be trusted with user locations, so the TA sets up a SK/PK pair, and distributes PK to the users. When an emergency occurs in a region, the TA creates a search token which is sent to to be matched against the ciphertexts received from users. The properties of SE guarantee that is able to evaluate the predicate on the ciphertext (e.g., whether the user location is enclosed in the region encoded by the search token) and learns only if the ciphertext matches or not, but no other information about user location.
To understand search on encrypted data, it helps to consider each ciphertext as being composed of two parts: an encrypted index and encrypted message . is the payload of the ciphertext, just the same as in the case of conventional encryption. The novel part about searchable encryption is the presence of the index , which is used for search, and can be seen as a parameter of the encryption function . When a user constructs its update, she uses her current coordinates as index, and performs encryption as . If the index satisfies the predicate specified by a token, then the server is able to recover the message from the user. However, this does not imply that can find the exact user location, as may contain information that is of other nature (e.g., an emergency contact number).
One prominent approach to searchable encryption called Hidden Vector Encryption (HVE)
Hidden Vector Encryption (HVE)was proposed in . HVE can evaluate exact match, range and subset queries on ciphertexts. HVE uses bilinear maps on groups of composite order  as mathematical foundation and makes extensive use of expensive operations such as bilinear map pairings. As a result, HVE is very expensive and scales poorly. Later in Section 6, we show that in order to process the update from a single user only, it may take up to seconds. Clearly, direct application of HVE for alert systems is not suitable.
In this paper, we propose secure and efficient techniques to support private location-based alert systems using searchable encryption. To the best of our knowledge, this is the first study of applying asymmetric searchable encryption to the domain of private search with spatial predicates. Our specific contributions are111This submission is an extended version of . Additional contributions consist of the technique for relaxation of alert zones presented in Section 5, and its evaluation in Section 6.4.:
We devise specific constructions that allow application of HVE to the problem of location-based alert systems with a reduced number of bilinear pairing operations, thus lowering the computational overhead of HVE.
We develop optimizations based on reuse of expensive mathematical operation results and parallelization, which further reduce the HVE performance overhead.
We introduce a novel heuristic algorithm that provides effective means to tune the privacy-performance trade-off of the system, by allowing enlargement of alert zones by a small factor. By carefully enlarging the alert zone, one can obtain search tokens that require significantly smaller computation time to process.
We perform an extensive experimental evaluation which shows that the proposed approach brings the overhead of searchable encryption to acceptable levels in a computing environment such as the cloud.
Section 2 overviews the proposed system and HVE. Section 3 presents the encoding techniques for efficient application of HVE, whereas Section 4 outlines the optimizations to reduce execution time. In Section 5, we introduce the heuristic for privacy-performance trade-off tuning through alert zone enlargement. Section 6 contains the experimental evaluation results, followed by a survey of related research in Section 7. Finally, Section 8 concludes the paper and highlights directions for future work.
2.1 System and Privacy Model
Figure 2 illustrates the location-based alert system model, where users move within a two-dimensional domain. Users continuously report their coordinates and wish to be notified when their location falls within any of alert zones . Alert zones (or simply zones) are defined by a trusted authority, as detailed later in this section. For simplicity, we assume that the space is partitioned by a regular grid of size , and each alert zone covers a number of grid cells. To facilitate presentation, we assume a square data domain, but our techniques can be immediately extended to a rectangular one, by adjusting the grid cell shape. The functional requirement of the system follows the spatial range query semantics, i.e., a user must receive an alert corresponding to zone if its location is enclosed by zone .
The system (represented in Figure 1) consists of three types of entities:
Mobile Users subscribe to the alert system and periodically submit encrypted location updates.
The Trusted Authority (TA) is a trusted entity that decides which are the alert zones, and creates for each zone a search token that allows to check privately if a user location falls within the alert zone or not.
The Server (S) is the provider of the alert system. It receives encrypted updates from users and search tokens from TA, and performs the predicate evaluation to decide whether encrypted location falls within alert zone represented by token . If the predicate holds, returns message encrypted by the user, otherwise it returns a void message ().
The privacy requirement dictates that the server must not learn any information about the user locations, other than what can be derived from the match outcome, i.e., whether the user is in a particular alert zone or not. In case of a successful match, the server learns that user is enclosed by zone . In case of a non-match, the server learns only that the user is outside the zone , but no additional location information. Note that, this model is applicable to many real-life scenarios, such as our motivating example in Section 1. For instance, users wish to keep their location private most of the time, but they want to be immediately notified if they enter a zone where their personal safety may be threatened. Furthermore, the extent of alert zones is typically small compared to the entire data domain, so the fact that learns that is not within the set of alert zones does not disclose significant information about ’s location.
In practice, the TA role is played by an organization such as a city’s public emergency department. Such an actor is trusted not to disclose and compromise user privacy, but at the same time does not have the technological infrastructure to monitor a large user population. Hence, the alert service is outsourced to a commercial entity, e.g., a cloud provider that plays the role of the server. The TA will issue alert zones to signal that certain areas of the city are affected by an emergency.
A private location-based alert system is also useful in social networks. A social network user can create a pair and distribute to its buddies. Next, creates a token that represents his/her current location, e.g., a downtown restaurant. The network provider (e.g., Facebook), plays the role of the server: it privately monitors users, and sends the identifiers of buddies in the downtown area back to . No information is gained by the server about locations of non-matching users.
2.2 Searchable Encryption with HVE
Hidden Vector Encryption (HVE)  is a searchable encryption system that supports predicates in the form of conjunctive equality, range and subset queries. Compared to earlier solutions [3, 5], HVE yields ciphertexts with considerably smaller length. Search on ciphertexts can be performed with respect to a number of index attributes. HVE represents an attribute as a bit vector (each element has value or ), and the search predicate as a pattern vector where each element can be , or ’*’ that signifies a wildcard (or “don’t care”) value. Let denote the HVE width, which is the bit length of the attribute, and consequently that of the search predicate. A predicate evaluates to for a ciphertext if the attribute vector used to encrypt has the same values as the pattern vector of the predicate in all positions that are not ’*’ in the latter. Figure 3 illustrates the two cases of Match and Non-Match for HVE, whereas Algorithm 1 provides the matching pseudocode. We provide additional mathematical background on HVE encryption and its operations in Appendix 0.A.
3 Proposed Spatial HVE Approaches
In Section 3.1 we outline a naive baseline technique which applies HVE in a straightforward manner to determine privately which users fall within one or more alert zones. The baseline leads to prohibitive costs, as shown by experiments in Section 6. To bring down the overhead of HVE, we propose in Section 3.2 a hierarchical encoding technique, which reduces the amount of cryptographic primitives (specifically, bilinear pairings) required during search. Next, in Section 3.3 we further refine hierarchical encoding and devise the Gray encoding, which achieves superior computation savings.
3.1 Baseline Encoding
Recall that the data space is partitioned by a two-dimensional regular grid. When a user reports its position, it sends to the server an encryption of the grid cell it is enclosed by. Similarly, the TA defines the alert zones as a set of grid cells. Each grid cell can be uniquely identified by a cell identifier, with values between and . Thus, the straightforward way to support secure location-based alerts is to use an HVE index with width . The data and query encoding are performed as follows:
When user enclosed by grid cell reports its location, it uses a bitmap index of width where all the bits are set to ’0’ except bit which is set to ’1’.
The creates a single token for search, which captures all the alert zones. The token is a bitmap with bits where all bits corresponding to cell identifiers that are included in an alert zone are set to ’*’. All other bits are set to ’0’.
At the server (i.e., at query time), according to the rules for HVE query evaluation from Section 2.2, a user will be determined as a if and only if the ’1’ bit in the encrypted location will correspond to a ’*’ entry in the token.
Consider the example in Figure 4, where . We have nine grid cells, so the width of the HVE is . There are two alert zones: which consists of a single grid cell (), and which spans two grid cells ( and ). Two users report their locations: enclosed by cell , and enclosed by cell . The index vectors of the two users are shown in the diagram. A single token is used to represent both alert zones, and a ’*’ is placed in the positions corresponding to the cells enclosed by the zones, namely , and . The predicate evaluation for will return , as the position marked by ’1’ in the index of corresponds to a ’*’ in the token. Conversely, a Non-Match is returned for , as the bit ’1’ in position corresponds to a ’0’ in the token. Algorithm 2 provides the baseline encoding pseudocode.
As discussed in Appendix 0.A, Eq. (1) from the query step executes two pairing operations and multiplies their results for every element in , i.e., for every position that is not ’*’ in the token. Having a token with one position for each grid cell leads to high cost, so the naive encoding where the HVE width is equal to the number of cells is not practical. Furthermore, the sum of areas of all alert zones is relatively small compared to the entire dataspace, hence the number of ’*’ entries will be small, and the cardinality of set will be large, increasing cost. Next, we propose two effective forms of encoding HVEs such that execution cost is reduced.
3.2 Hierarchical Encoding
The main problem of the baseline encoding is that the HVE width grows linearly with the grid cell count. We propose a technique that reduces the HVE width from to , by using the binary representation of cell identifiers. However, the representation of the search predicates (and thus, that of the tokens) becomes more complicated, since the advantage of the “bitmap-like” representation of the baseline is lost. We investigate how to aggregate representations of adjacent cells belonging to the same alert zone, in order to reduce the amount of tokens required. Aggregation is performed according to a hierarchical spatial structure, hence the name of hierarchical encoding.
We consider a logical organization of the grid cells into a quadtree-like structure222Note that this is a logical structure, no physical index is required. . Figure 5 illustrates the space partitioning into four cells of equal size by using mediators on the and axes. Each of these four cells will have a -bit id: for top left, for bottom left, for top right and for bottom right. Next, each of these cells is partitioned recursively into four new cells, and the newly obtained -bit identifiers are concatenated as a suffix to the previous step identifiers. For simplicity, in this example we consider that the grid cell count is a power of
, but any grid size can be accommodated in this model by using padding.
The diagram also shows how aggregation of cells from level is performed into a larger cell at level (i.e., in reverse direction of scoping). Note that, with the binary representation of identifiers, cell aggregation corresponds to binary minimization of a logical ’OR’ expression composed of the terms that represent cell identifiers. As a result, instead of using a distinct token (i.e., HVE pattern) for each cell, we can use token aggregation and reduce the number of predicates that need to be tested. If two cells are in the same alert zone and their identifiers differ in just one bit, then a ’*’ can be used instead of that bit, similar to a wildcard in binary minimization. The newly obtained token is faster to generate and evaluate, because according to the operations described in Appendix 0.A, only the positions in the pattern vector where the value is not ’*’ need to be considered (i.e., those in set ). If all of the four partitions belonging to the same quadtree node are in the same alert zone, then they can all be aggregated to the identifier of their parent. In our implementation, in order to generate HVE pattern vectors with aggregation, we use the binary expression minimization tool Espresso .
Consider for instance the example from Figure 6, where the alert zone is composed of seven cells. All four cells whose identifiers have prefix are in the zone, hence they can all be aggregated to . Also, cells on the last vertical line can be aggregated to . Finally, cells and can be aggregated to . Note that, although these tokens overlap, this does not introduce a correctness problem at query (i.e., matching) time at the server. Furthermore, the monitoring server can evaluate them in order from the most general (highest number of ’*’s) to the most specific one (lowest number of ’*’s). If one token evaluates to a on a particular ciphertext, there is no need to evaluate the rest of the tokens, since it is clear that the user is in the alert zone. In addition, creating overlapping tokens helps if these tokens have more ’*’ symbols in their HVEs, because the cardinality of set (Eq. (1) in Appendix 0.A) decreases, hence query and token generation times decrease as well.
In summary, the hierarchical scheme works as follows:
Encryption. Users determine the binary identifier of the grid cell they are in, and create an HVE index with that representation, having width , where is the grid size. The encryption is performed with respect to . Since the grid parameters are public, the user can easily determine its enclosing cell and construct .
Token Generation. For each alert zone , the TA creates the set of binary codes of cells within the zone. Next, it computes the minimized binary expression equivalent to the logical ’OR’ of all codes in the set. For each resulting term in the minimized expression, the TA creates a token, and the token will have a ’*’ symbol in each position that was reduced during the minimization. All tokens are sent to the server.
Query. For every user and alert zone, the server performs matching as follows: evaluates the encrypted user location against every token that represents the zone, in decreasing order of the number of ’*’ symbols in the token. In other words, tokens with a higher number of ’*’s are considered first. If a is obtained, then the remaining tokens for the zone are no longer considered. If a Non-Match is obtained for all tokens in the zone, then the server concludes that the user is not inside the zone.
Even though the number of tokens increases compared to the baseline, the width of each token is considerably smaller. In addition, the proportion of ’*’ symbols in a token is much higher for the hierarchical scheme, due to aggregation. Finally, considering tokens with a smaller set first increases the chances of deciding on a without having to consider all tokens of a zone. All these factors make the hierarchical encoding perform much faster than the baseline, as we show in Section 6. Algorithm 3 provides the hierarchical encoding pseudocode.
3.3 Gray Encoding
The performance gain of the hierarchical technique comes from the ability to combine adjacent cells into a single search token with many ’*’ positions. In other words, the performance improves when the binary minimization of the logical ’OR’ of cell identifiers is more effective. However, in some cases, no aggregation can be performed between two neighboring cells, as the Hamming distance between their identifiers is more than . As alert zones are composed of groups of neighboring cells, it is desirable to have small Hamming distance between adjacent cell identifiers. To improve the effectiveness of the binary minimization step, hence to increase the number of ’*’ values in search tokens, we represent cell identifiers using Gray codes . This way, cell identifier values are assigned in such a manner that the Hamming distance between two adjacent cells is always , hence binary minimization is facilitated.
A one-dimensional Gray code vector is determined using the following recursive algorithm, where represents the concatenation operator, and is the vector of a Gray code instance at step ).
For , the following Gray code vectors are obtained:
Given a grid, the length of the required Gray code necessary to represent all cells is . We employ a Gray code instance independently for each of the two dimensions of the space, thus the identifier of a cell consist of the concatenation between the Gray code value for the axis and the axis values. Similar to hierarchical encoding, the scheme assumes a total number of cells that is a power of , but other cases can be handled by padding.
Figure 7 illustrates the advantage of using Gray encoding instead of hierarchical encoding for a -cell grid. The alert zone consists of four cells. The two digits leading each row in the Gray encoding diagram (Figure (a)a) mark the two-bit prefix shared by all the cell identifiers in that row. Conversely, the two digits on top of each column mark the two-bit suffix of all the cell identifiers in that column. Using binary minimization, the two tokens shown in the diagram are obtained, each of them having one ’*’ symbol. Figure (b)b shows how the hierarchical encoding behaves for the same input. Due to the fact that moving from cell to , or from to corresponds to a Hamming distance larger than , no aggregation is possible between these cell pairs. As a result, three tokens are necessary to represent this zone. Furthermore, two of these tokens have no ’*’ symbol, leading to more expensive evaluation. As we will show in Section 6
The phases of encryption and query for the Gray encoding method are similar to their counterparts for the hierarchical encoding method of Section 3.2. The main difference is in the token generation phase, where the binary minimization is performed according to the Gray code cell identifier binary representation. As we show in the experimental evaluation (Section 6), using the Gray code representation can improve performance by achieving more effective binary minimization. This in turn results in either fewer tokens, or tokens with a larger proportion of ’*’ symbols.
4 Performance Optimizations
4.1 Preprocessing mathematical operations
As discussed in Appendix 0.A, the HVE mechanism involves a large number of exponentiations with very large integers which incur a significant computational cost. Fortunately, many of these exponentiations are performed on a common base. For example, if we take into consideration the encryption phase, in order to compute and , and must be raised to the power of . Even if is chosen randomly for each run of this step, and depend on the public key, which remains unchanged for long periods of time (in commercial systems, re-keying can be done with frequency of once per year, or even less often). Furthermore, when computing , because the index attributes consist of a vector of and values, the base of the power can have only two values: or . Because both depend only on the public key, these two exponentiations will always have a constant base. The same logic can be also applied to the exponentiations for token generation. By employing preprocessing on each of these fixed bases, the exponentiations become a lot faster. The preprocessing can be done offline, and the results used during online operation, leading to significant execution time savings.
When matching a token against an encrypted message, several pairing computations are performed. For a particular token, the values of , and remain constant. When applying a pairing, Miller’s algorithm is used . Typically, for each such operation, it is required to compute several line equations. In  it is shown that effective preprocessing can be used as long as the first parameter is constant because the equations of the lines can be calculated and stored ahead of time. At runtime, the coordinates of a given point are substituted into these precomputed expressions. Since HVE requires symmetric elliptic curves, preprocessing can be also done for the second parameter. Preprocessed information is stored with each token and used by the server to improve the time of each pairing. Preprocessing each token must be done only when the tokens are generated at the trusted authority.
The server is monitoring a large number of users, and may receive a large number of alert zones. This creates a considerable load on the server. However, we emphasize that the processing of a message from a user can be done independently from messages originating at other users. Furthermore, even for the same user, the matching for different alert zones are completely independent operations. This presents a great potential for parallelization. In fact, the problem is embarrassingly parallel, and significant execution time improvements can be obtained by using several CPUs for matching. Nowadays, even off-the-shelf desktop computers have multiple cores. Commercial cloud services typically have hundreds or thousands of CPUs available for computation. Due to the parallel nature of the problem, the speedup is expected to be close to linear, and the resulting system scales very well as the number of CPUs involved grows.
We consider a message-passing parallel computing paradigm, which is favored by the fact that only a small amount of data needs to be shared among distinct CPUs. One master process coordinates all other slave processes. The master process distributes to the slaves the search tokens. Then, as encrypted updates from users arrive, the master receives the requests and dispatches them to slaves. Load balancing can be easily implemented at the master level, which keeps track of the status of all slave processes. No communication is required between slave processes, and the master-slave communication is required only at the start and end of each task. Furthermore, distinct messages originating from the same user can be processed on different CPUs without any loss in correctness or performance (i.e., no state maintenance is required). After processing is done, if the token evaluated successfully, a response action can be taken by the processing CPU, or the event can be sent to a central server responsible only with handling what to do in case of a successful match.
5 Privacy-Performance Trade-off through Alert Zone Expansion
So far, we considered that alert zones are a fixed input to the system, and we provided data encodings and optimizations to reduce computational overhead under this constraint. Since alert zones were not modified, we maintained the amount of location disclosure to a minimum, i.e., an adversary could only learn whether a specific ciphertext corresponded to a location inside the alert zone or not. In this section, we consider a relaxation of the alert zone extent in order to improve performance. Specifically, given an input alert zone, we investigate whether it is possible to slightly enlarge it such that the resulting set of tokens needed to implement secure notification requires fewer bilinear pairings to evaluate.
To maintain the level of additional disclosure low, we allow only a relatively small enlargement factor, expressed as a ratio of the alert zone area, and quantified by a bound parameter . Given an enlargement factor , our proposed alert zone expansion heuristic determines an enlarged area with significantly lower processing overhead. In effect, this proposed optimization trades a small amount of additional location disclosure for a significant boost in matching performance. As a salient feature of this optimization, the privacy-performance trade-off can be tuned using a single parameter ().
The optimization is deployed at the TA, which is in charge of generating search tokens. In an actual deployment, since the TA is trusted, it can perform additional steps to check whether the enlarged zone is acceptable from a security standpoint, for instance by comparing it against a set of pre-defined policies. In this paper, we only focus on the performance aspect, and derive effective algorithms that quickly generate enlarged search tokens (the policy aspect is outside our scope). Similar to optimizations from prior sections, the zone expansion is guided by the objective of deriving tokens with fewer non-wildcard elements, which results in less computation. The expansion technique assumes the same hierarchical data domain representation considered so far, and works in conjunction with either hierarchical or Gray encodings.
We denote by base cell a cell in the leaf level of the hierarchical domain representation (recall that, the domain is split into base cells, where is a power of two). The hierarchy has a number of levels. At level , an aggregate cell consists of base cells. Specifically, at the leaf level, numbered as , each cell is a base cell, whereas at the top of the hierarchy (level ) there is a single cell with size (expressed in terms of base cells). We identify a cell at level by its coordinates within that level: . The binary identifier of a cell consists of a binary string, which can be immediately derived from its coordinates.
Algorithm 4 captures the main steps of the proposed heuristic alert zone expansion technique. The input consists of expansion factor and initial alert zone . The heuristic is given a maximum budget base cells that it can add to the initial zone, where is the area of the initial zone expressed in terms of base grid cells. The output of Algorithm 4 is an expanded zone such that and the number of bilinear pairings required to evaluate is lower than that of .
The ExpandZone routine (Algorithm 4) works by considering each level of the data domain hierarchy. An essential step of ExpandQuery is the SelectPatchesSingleLevel routine (detailed in Algorithm 9) which finds patches to add to the current set of zone cells (line 4). A patch (formally defined in Section 5.1) is a set of cells added to the zone in a single iteration. If the new set of zone cells, denoted as , does not require more pairings than the current set of cells, an expansion is made with the cells in the patch and we continue to the next level.
In order to prepare for the next level (lines [4-4]), parameters and indices are adjusted. Budget is reduced by a factor of , since in the next level the size of one cell is equal to cells in the current level. Similarly, indices of zone cells are divided by two. The intuition behind dividing the indices by two is that all areas containing zone cells in this level must be fully covered by the expansion, which means all cells in those areas are in . Algorithm 4 stops when one of the following conditions is met: (i) the new set of zone cells increases the number of pairings; (ii) budget is exhausted; or (iii) the zone expands to the entire root level.
To illustrate the zone expansion algorithm, consider the example in Figure 8. Zone cells are shown in grey color, and budget is set to . An area with at level is denoted as . Starting at level (Figure (a)a), the areas , , and are considered for expansion. All six cells with diagonal stripes are added to the current set of zone cells to fill those three areas. To prepare for expansion at the next level, the coordinate ids of zone cells must be adjusted for each area. For example, for , area becomes cell , area becomes cell and so on. The budget is reduced to . Next, at level (Figure (b)b), the areas and are considered for expansion.The cells with diagonal stripes in range (which equals in the base grid) are added to the zone.
5.1 Patch Assembly
Next, we focus on the process of assembling patches at each level of the data domain hierarchy. A patch is a set of cells that can be combined with existing zone cells to reduce the number of non-wildcard elements in a search token. We denote the cells belonging to a patch as attached cells, and the zone cells adjacent to the patch as attaching cells. A patch is associated with a local cost and gain: the cost measures the increase in alert zone area, whereas the gain quantifies the resulting reduction in bilinear pairing operations when the patch is added to the zone.
We consider as patch candidate each cell333We emphasize that, as patch candidates are considered at each level of the hierarchy, a patch cell may include many base grid cells. that satisfies the following conditions: (i) has even and coordinates, (ii) contains at least one zone cell, and (iii) has at least one non-zone cell. Revisiting the example in Figure (a)a, the area composed of base cells is a patch candidate. Note that, not all cell areas are valid candidates for patches. For instance,
has an odd; does not contain any zone cell; and does not contain any non-zone cell.
For each valid patch candidate , cells are indexed in a spiral order, as shown in Figure (a)a. We use this indexing order because it simplifies the process of patch assembly, as will be described later in Section 5.2. In order to keep track of zone and non-zone cells, a boolean array is maintained, such that if cell within is a zone cell, and , otherwise. Figure (b)b shows a array for the area in Figure (a)a. The array is constructed by checking for each cell within the area whether or not it belongs to the alert zone. The marking procedure is summarized in Algorithm 5.
Using the array, patch candidates are constructed such that one or more non-zone cells can be attached to zone cells to reduce the number of pairings. Figure 10 shows several examples of patches for an area with cells containing one, two, or three zone cells. In each example, the non-zone cell (striped fill) is attached to the zone cell (grey fill) to form a patch. Note that in Figure (c)c, a striped cell can be attached to either grey cell.
However, when the area contains only one zone cell, although there are three potential patches, only one of these is selected (Figure (a)a). The reason is that if two patches, each having a single zone cell, are selected, the number of pairings is not reduced; on the other hand, if the patch with three zone cells is selected, there is no need to select other patches with a single zone cell. Therefore, for each area, we construct patch groups that include all potential patches such that no more than one patch can be selected from that group. For example, in Figure (a)a, there is only one patch group containing all three patches; in Figure (b)b and (d)d, there is only one patch group containing one patch; in Figure (c)c, there are two patch groups, each containing one patch.
The GetPatchGroupsInsideArea routine (Algorithm 6) shows the details of constructing patches and patch groups. The algorithm handles separately each case based on the number of zone cells in the area. For a single zone cell (line 6), similar to the example in Figure (a)a, one patch group is constructed which includes two patches: one with one non-zone cell and another with all three non-zone cells. If there are two zone cells (line 6), the algorithm further considers if those two zone cells are adjacent or opposite (similar to Figure (b)b and (c)c, respectively) and either one or two patch groups are created, corresponding to the two situations. Finally, when there are three zone cells (line 6), a single patch group is created.
At the end of Algorithm 6, each patch has its cells numbered from set . In order to recover the original cell ids (i.e., the coordinates in current level of hierarchy), we use Algorithm 7, which takes as inputs a cell id and the , values of the area , and utilizes the spiral index to recover the original values.
Next, we need to evaluate which patches are more desirable to use in the enlarged zone, by computing the local cost and gain for each patch. Algorithm 8 takes as inputs a candidate patch and the grid dimension at current level . It outputs as cost the number of attached cells (i.e., non-zone cells) of the patch (line 8). Effectively, the cost measures the amount of enlargement of the expanded alert zone caused by this patch. The gain measures the amount of saved computation: specifically, the number of search token non-wildcards that are eliminated when we combine the attached cells with the attaching cells for the current patch. There are two cases to consider when determining the gain of the patch: (i) when only one cell is attached to form a patch (line 8), we can remove one non-wildcard element (line 8); (ii) when the entire area is filled (line 8), the number of zone cells inside the area (i.e., ) is further considered to determine the gain. Specifically, when , the gain is larger () since we can remove a token in its entirety.
In the previous example from Figure (a)a, there are three patch groups corresponding to three areas: for area , for area , and for area . The patches in each patch group along with their cost, gain, attaching cells, and attached cells are shown in Table 1. For instance, to express area one can look at patches of , and use two tokens “00*110” and “00111*”, with a total of non-wildcard elements. By adding one cell, only a single token “00*11*” is needed to represent the area. Thus, the number of non-wildcard elements is reduced from to , or an improvement of . The high gain when applying patch results not only from the number of non-wildcards reduced in one token, but also from the reduction in the number of tokens (as one of the initial tokens is completely eliminated).
5.2 Patch Selection
Once we have the set of patches and patch groups, as well as their respective costs and gains, we need a method to select the actual patches to expand the current alert zone. Algorithm 9 outlines the patch selection process, which takes as inputs budget , the grid dimension at current level , and current alert zone . It outputs a set of patches that has total cost at most and maximizes the gain compared to other candidate patches.
The selection algorithm works within an expanding search boundary determined by the call to routine FindExpandingBoundary in line 9 (FindExpandingBoundary is summarized in Algorithm 10: the boundaries consist of the maximum and minimum coordinate values of zone cells, and they always have even values). Then, for each area starting with even values (lines [9-9] in Algorithm 9), if the current area is a valid area to expand (line 9), the patches and patch groups within this area are constructed (according to the procedure detailed in Section 5.1). First, the cells that already belong to the current zone are marked by calling Algorithm 5 (line 9). Then, using the marking information, the set of patch groups within that area is constructed by calling Algorithm 6 (line 9). Next, for each patch in the patch groups of , the original coordinate ids of cells in the attaching and attached set of that patch are recovered by calling Algorithm 7 (line 9), and the local cost and gain are calculated by calling Algorithm 8 (line 9). Finally, a set of patches is selected for expansion by calling Algorithm 11 (line 9).
The patches are selected such that the total cost is no more than , the total gain is maximized, and there is no more than one patch selected per group. This can be modeled as a variant of a multiple-choice knapsack problem (MCKP) where a class in MCKP is represented by a patch group, and we may choose a single item from a class, instead of being required to choose at least one item. The reduction is as follows: Given an instance of MCKP with capacity , classes, and each item in class having cost and gain , for each class , a new item (or patch in our setting) is added with cost and gain . However, our patch selection problem is not NP-hard, because is restricted to a fraction of the alert zone, which in turn is restricted to a fraction of the entire grid.
In our setting, each patch group contain either one or two patches. As a result, a dynamic programming approach for traditional binary knapsack problem can be used. Algorithm 11 shows the dynamic programming solution that returns the selected patches for expansion. In the example summarized in Figure 8 and Table 1, patches are selected for expansion at level .
5.3 Complexity Analysis
The complexity of the alert zone expansion (Algorithm 4) depends on the complexity of the binary minimization step (line 4) in which the algorithm decides whether or not to continue expansion. In the worst case, Algorithm 4 needs to expand through all levels of the hierarchy, and in each level its invokes Algorithm 9 and the binary minimization procedure (in our implementation, we use the Espresso tool ).
Since Algorithm 9 finds the patch groups within the boundary of the query, and the size of the alert zone is often much smaller than the size of the data domain, we formulate the complexity of Algorithm 9 based on the alert zone size. Let be the number of cells of the alert zone at level . After finding patch groups, Algorithm 9 invokes the dynamic programming solution in Algorithm 11 to select patches. In the worst case, the number of patch groups at level equals the number of cells of the alert zone. In our setting, there are only one or two patches in each patch group. Hence, the complexity of Algorithm 11 becomes since . Thus, the complexity of Algorithm 9 is .
However, since the value of is divided by a factor of each time increases, the complexity of the alert zone expansion (Algorithm 4) becomes where is the size of the zone at the base level (i.e., original grid) and is the time to run the binary minimization procedure for inputs.
6 Experimental Evaluation
We implemented a Python prototype of the proposed HVE-based location-based alert system and performance optimizations. We have used as dataset the city of Oldenburg, and generated user movements using Brinkhoff’s IAPG Network-based Generator of Moving Objects444http://iapg.jade-hs.de/personen/brinkhoff/generator/ . We generated alert zones within the boundaries of the dataset domain according to two distributions: uniform and Gaussian. We vary the percentage of space covered by alert zones compared to the entire dataspace extent from to , and we denote this parameter as coverage. We consider a regular grid partitioning the two-dimensional space with size ranging from to . The HVE cryptographic functions were implemented using the Gnu MP v6.1.2 library and the Pairing-Based Cryptography v0.5.14 library555Available online at http://gmplib.org/ and http://crypto.stanford.edu/pbc/. We use key lengths of 768, 1024 (default value), 1280 and 1536 bits. The experimental testbed consisted of a Intel(R) Core(TM) i9-9980XE CPU (3.00GHz) with cores and 128GB of RAM, running Ubuntu 18.04 LTS. All code was written in Python 3.6.9.
6.1 Baseline Evaluation
Figure 12 shows the execution time results obtained for token generation, encryption and query. The times presented are for a single operation, and present the average value obtained for a particular grid size and percentage of the area covered by alert zones (each percentage value has a different line in the graphs). First, we note that the coverage does not have a significant effect on the execution time, because the width of the HVE obtained is so large that the associated overhead overshadows the influence of the additional ’*’ symbols obtained as the area of alert zones grows. Second, it can be observed that the values obtained are very large, and clearly not acceptable in practice.
Token generation can take up to seconds. Although expensive, it can be argued that the TA does not execute this phase very often (only when a new alert zone occurs), hence its performance is not critical. However, encryption is very frequent, and it is executed at the resource-constrained mobile users. It can take up to seconds to generate a single encrypted update on a high-end CPU (in practice, this would be executed on a mobile phone). Furthermore, the time required at the server to process a single user update (i.e., perform matching against all alert zones) can reach seconds.
6.2 Hierarchical and Gray Encoding
Figures 12 and 13 show the comparison results for uniform and Gaussian alert zone distributions, respectively. Hierarchical encoding clearly outperforms the baseline, especially in terms of encryption time. The maximum time required for encryption is less than seconds, in contrast with seconds for the baseline (Figure (b)b). Recall that alert zones do not influence encryption, so the hierarchical encoding lines present in Figure (b)b overlap. Encryption is also independent of alert zone distribution, so we do not show encryption in Figure 13.
In terms of token generation and query time, the gain in performance is higher for the Gaussian distribution, since there is more potential for token aggregation. The reason is that minimization of binary expressions of cell identifiers is more effective when zones are clustered, which is likely to be the case in practice.
As expected, execution time is higher for finer-grained grids. However, as opposed to the baseline, in the case of hierarchical encoding the coverage has a significant effect on token generation and query performance, as more alert zone cells translate into a larger number of tokens. Still, the variation with coverage is sublinear, due to the good effectiveness of the aggregation strategy employed (note how when coverage doubles from to for uniform data and largest grid size, the query time increases only by ). Although the absolute execution times are still high, hierarchical encoding significantly outperforms the baseline. Later in Section 6.3 we show how optimizations can be used to further cut down the performance overhead. For the rest of the experimental evaluation, we will omit the baseline results.
Next, we evaluate the effect of using Gray encoding on performance. Recall from Section 3.3 that using Gray codes provides better potential for aggregation, thus reducing the number of required tokens and/or increasing the proportion of ’*’ symbols in a token. For uniform data (graph omitted due to space considerations), both encodings perform similarly, without a clear winner, due to the fact that the aggregation potential is equal in the two cases. On the other hand, for Gaussian data (Figure 14) where alert zones are clustered, Gray encoding favors aggregation of cells. For clarity, to keep the number of lines in the graph low, we present the ratio between the execution time of Gray divided by that of hierarchical encoding. Lower values of the ratio correspond to higher gains for the Gray encoding. In practice, as alert zones are likely to be clustered, Gray can bring significant performance benefits, of up to .
6.3 Optimization Effect
We evaluate the performance of the proposed techniques when incorporating the performance optimizations discussed in Section 4. First, we show the effect of incorporating preprocessing to pre-compute and re-use some of the results to expensive mathematical operations, such as exponentiations with large numbers. Figure 15 present the absolute token generation and query times for both proposed encoding techniques on uniform data and two values of the alert zone coverage, namely and (Gaussian data results show similar trends, so we omit them for brevity). Token generation computation requirements are improved by roughly . As the coverage increases, more tokens are required to represent a zone, so the generation time increases. We believe that such times are reasonable in practice, especially since creation of alert zones is not a frequent event in the system operation. In terms of querying, the execution times are approximately cut in half compared to the non-optimized case (Figures 12 and 13).
Figure 16 presents the behavior of hierarchical encoding with preprocessing when varying encryption key length. We show results for two different grid granularities and coverage values, with Gaussian zone distribution. As expected, the performance decreases when key length increases. However, the 1024-bit setting, which according to industry standards is sufficient for securing individuals’ information, does not incur a steep increase in performance overhead. Gray encoding results exhibit similar behavior.
Figures 17 and 18 present the results when employing the parallel processing optimization. We used , and CPUs for computation. We considered both variable grid size for a fixed coverage of , as well as variable coverage of alert zones for a fixed grid size of . The results show that a close-to-linear speedup can be obtained. For CPUs for instance, the speedup is . This is a very encouraging outcome, and the query time is this way reduced to less than one second in the worst case. For median-scale settings of the grid size and coverage, we obtain absolute execution times of under seconds per query. We emphasize that, although we only had available CPUs for testing, the problem studied is embarrassingly parallel in nature, so the availability of a larger number of CPUs is likely to lead to close-to-linear speedup values as well.
6.4 Alert Zone Expansion Evaluation
In this section, we evaluate the performance gain obtained by the alert zone expansion heuristic introduced in Section 5. We use the same settings as in the previous experiments, except that we allow a finer-grained partitioning of the space, to better evaluate the impact of the expansion heuristic. Specifically, we consider grids of granularity , where , resulting to a total number of grid cells of , and , respectively. We keep the same alert zone size ranging from to of data space size, but we consider three distinct shapes: square, rectangular (with a skew ratio of ), and circular. The latter case is used to capture scenarios where there is an event epicenter, and individuals are notified if they are situated within a certain Euclidean distance of it. The resulting circular zone is mapped to the grid. This is representative for cases when mobile users are alerted to stay away from a dangerous location (e.g., a toxic gas spill). The alert zone expansion ratio is varied within set (recall that a larger value results in a more significant privacy leakage, but is also likely to yield a higher performance gain).
Fig. 19 shows the performance gain of expansion when varying the size of the initial alert zone. For ease of presentation, the gain is expressed as improvement factor (), i.e., the ratio between the matching time when there is no enlargement over the matching time when enlargement is used (a higher value represents a better performance gain). Each line in the graph corresponds to a different grid granularity . First, we note that enlargement always results in improvement (the value is always greater than ). Second, the improvement factor shows a general increasing trend with alert zone size (except for some random outcomes). This is explained by the fact that the enlargement factor is expressed as a percent of initial alert zone size. When the initial alert zone is larger, the heuristic can select patches from more candidate cells. Finally, the improvement factor is larger for finer granularity cases (i.e., larger ). This is also due to the fact that the heuristic has more candidate patches to choose from. A finer granularity also allows the search boundary to advance slightly more. When cells are larger, including an extra cell may cause the threshold to be exceeded, so the heuristic will not consider that cell for enlargement. We also note that the shape of the zone impacts significantly the gain. Specifically, a circular zone is better for expansion, since the heuristic does not favor any particular expansion direction. When the initial zone is circular (or to be precise, a circle aligned to the grid), the heuristic can bring into the zone cells from all directions, and therefore the amount of possible choices is increased. The zone is also likely to grow uniformly in all directions, leading to more compact tokens due to the binary representations of cells. Conversely, the rectangular case, which leads to the most skewed zones in terms of shape, performs the worst.
Fig. 20 shows the improvement factor when varying the enlargement factor . As expected, there is a clear increasing trend in execution time improvement. Since more cells are available as patch candidates, the heuristic is able to either completely eliminate some tokens, or significantly increase the number of wildcards in the remaining tokens through binary minimization. As in the previous experiment, we note that an increase in granularity results in a higher improvement factor. Also, when the initial alert zone is circular, the highest improvement is obtained, with values of up to times. The gain is less pronounced for rectangular alert zones, but the heuristic is still providing significant gains, with an improvement factor of up to times.
In our final experiment, we measure the execution time of the zone enlargement heuristic. Fig. 21 and Fig. 22 show the time required to compute the enlarged zone when varying initial alert zone size and enlargement factor , respectively. An interesting trade-off emerges: as the granularity of the grid increases (i.e., finer grained grids), the improvement in token matching time increases (as seen in previous experiments), but at the same time the computation time for the enlarged zone grows. Furthermore, we emphasize that the token matching computational overhead can be parallelized, whereas zone enlargement computation is sequential in nature. The main reason why the zone enlargement computation is high for finer granularities is the quadratic increase in patch candidates, coupled with the relatively slow binary expression minimization step. Among different zone shapes, the circular shape takes the longest, due to the fact that it considers the most patch candidates within the given enlargement threshold .
Nevertheless, we note that for coarser and moderate granularities ( and ), the enlargement process is fast (less than half a second). Coupled with the significant improvement factors (ranging from to for granularities coarser than , as can be observed from Figs. 19 and 20), the heuristic can lead to very good overall execution time improvements. Furthermore, the enlargement cost is done once per zone, and remains the same regardless of the number of mobile users (i.e., ciphertexts to match against). Hence, as the user population grows, the performance gain of the heuristic (which is always a factor of the original zone evaluation time) will lead to linear gains in the number of users, whereas the enlargement computation overhead stays constant. We conclude that, overall, the zone enlargement heuristic is effective in reducing the matching overhead, even for small values of enlargement (i.e., only a small amount of privacy needs to be traded off for significant performance gains).
7 Related work
Location Privacy. A significant amount of research focused on the problem of private location-based queries, where users send their coordinates to obtain nearby points of interest. Early work attempted to protect locations of real users by generating fake locations. For instance, in  the querying user sends to the server fake locations to reduce the likelihood of identifying the actual user position. However, fake locations can be detected using filtering techniques, which leaves the real users vulnerable.
A new direction of research started by  and continued by [15, 25, 34] relies on the concept of Cloaking Regions (CRs). CR-based solutions implement the spatial -anonymity (SKA)  paradigm. For each query, a trusted anonymizer service generates CRs that contain at least real user locations. If the resulting CRs are reciprocal , SKA guarantees privacy for snapshots of user locations. However, supporting continuous queries  requires generating large-sized CRs. In [21, 10], the objective is to prevent the association between users and sensitive locations. Users define privacy profiles  that specify their sensitivity with respect to certain feature types (e.g., hospitals, bars, etc.), and every CRs must cover a diverse set of sensitive and non-sensitive features. In , the set of POI is first encoded according to a secret transformation by a trusted entity. A Hilbert-curve mapping (with secret parameters) transforms 2-D points to 1-D. Users (who know the transformation key) map their queries to 1D, and the processing is performed in the 1-D space. However, the mapping can decrease result accuracy, and the transformation may be vulnerable to reverse-engineering.
The problem with CR-based methods is that the underlying -anonymity paradigm is vulnerable to background knowledge attacks. This is particularly a problem in the case of moving users, since trajectory information can be used to derive the identities behind reported locations. More recently, differential privacy , a provably secure model for semantic privacy, has been used for spatial data in . However, differential privacy is only suitable for aggregate releases of data, and cannot handle processing of individual updates, as required by an alert system.
Closer to our work, a Private Information Retrieval (PIR) protocol is proposed in  for nearest-neighbor queries. The protocol is provably secure, and also uses cryptography. However, it considers a ’pull-based’ approach, and assumes that the user already knows the location s/he wants to retrieve points of interest from. In contrast, our focus is on a ’push-based’ notification service, where the PIR solution cannot be applied since the user is not aware of where the alert zones are.
Since the publication of , several works addressed processing on encrypted location data. In  and , two solutions are proposed for search on encrypted location data hosted at a cloud server. Both approaches rely on symmetric searchable encryption (SSE), where the client has access to the secret key of the transformation. The FastGeo system  builds upon the concepts introduced in  and supports faster search under the same trust assumptions. However, the SSE setting is not appropriate in our problem setting, where large populations of mobile users subscribe to location-based alerts. If a single user colludes with the service provider, the security of the entire set of locations is compromised. This is a strong trust assumption, suitable for cases where there are relatively few clients, who can be throughly vetted. Our solution relies on asymmetric encryption, and mobile users only have access to the public key, which is used for encryption. No user is able to compromise the privacy of other participants.
Furthermore, all the above solutions build an index on encrypted data to speed up search performance. As shown in , the index structure can leak a lot of sensitive details about the data, even when fully encrypted (e.g., data distribution, or relative distance order among users). A similar approach that builds an R-tree on location data protected using homomorphic encryption is proposed in , with emphasis on IoT data, and on parallelizing computation in big data environments. The work in  is a position paper that looks at how some concepts similar to search on encrypted locations can be used for biomedical data, and also identifies other interesting type of queries that may be of interest, such as skyline queries.
A significant body of research focused on nearest-neighbor (NN) queries on encrypted data [23, 13, 24], culminating with the work in  which showed that the most secure and efficient way to answer NN queries on encrypted data is through materialization of results and encryption of the resulting structure. All these works consider the symmetric encryption setting, hence they rely on trust assumptions that are too strong for our proposed location alert system.
Searchable Encryption. One of the earliest works that coined the concept of searchable encryption was , which proposed provably secure cryptographic techniques for keyword search. Only exact matches of keywords were supported. Later in , the set of search predicates supported was extended to comparison queries. However, the resulting solution could not be easily extended to conjunctions of conditions, without a considerable increase in ciphertext and token size. The work in  further extended the set of supported predicates to subset queries, as well as conjunctions of equality, comparison and subset queries with small ciphertext and token size. The authors of  also introduced HVE, which we employ as a building block in our solutions for private location-based alert systems. HVE protects the privacy of the encrypted messages received from users, but assumes that the token information (e.g., alert zones) is public. The more recent work in  extends HVE to also protect the tokens. However, the solution is more expensive.
We proposed a system for secure location-based alerts which utilizes searchable encryption. We introduced two alternate data encodings that allow efficient application of cryptographic primitives for search on encrypted data (namely HVE). Furthermore, we devised performance optimizations that reduce the overhead of searchable encryption, which is notoriously expensive. We also devised a heuristic that enlarges alert zones by a small factor in order to reduce matching time, thus achieving a tunable performance-privacy trade-off. The experimental evaluation results show that searchable encryption can be made practical with careful system design and optimizations.
In future work, we plan to investigate more advanced data and query encoding techniques (beyond regular grids) that will allow us to securely alert users with even lower overhead. We also plan to study other types of matching semantics beyond range queries (e.g., nearest-neighbors, top-).
Acknowledgments. This research has been funded in part by NSF grants IIS-1910950 and IIS-1909806, the USC Integrated Media Systems Center (IMSC), and unrestricted cash gifts from Microsoft and Google. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the sponsors.
-  (1976-09) Efficient generation of the binary reflected gray code and its applications. Commun. ACM 19 (9), pp. 517–521. Cited by: §3.3.
-  (2009) Private-key hidden vector encryption with key confidentiality. In Proceedings of the 8th International Conference on Cryptology and Network Security, pp. 259–277. Cited by: §1, §7.
-  (2003) Public key encryption with keyword search. In EUROCRYPT 2004, volume 3027 of LNCS, Cited by: §2.2.
-  (2005) Evaluating 2-dnf formulas on ciphertexts. In Proceedings of the Second international conference on Theory of Cryptography, pp. 325–341. Cited by: Appendix 0.A.
-  (2006) Fully collusion resistant traitor tracing with short ciphertexts and private keys. In EUROCRYPT 2006, volume 4004 of LNCS, pp. 573–592. Cited by: §2.2, §7.
-  (2007) Conjunctive, subset, and range queries on encrypted data. In Proceedings of the 4th conference on Theory of cryptography, pp. 535–554. Cited by: §1, §1, §2.2, §7.
-  (2002) A Framework for Generating Network-based Moving Objects. GeoInformatica 6 (2), pp. 153–180. Cited by: §6.
-  (2007) Enabling Private Continuous Queries for Revealed User Locations. In SSTD, pp. 258–275. Cited by: §7.
-  (2012) Differentially private spatial decompositions. In ICDE, pp. 20–31. Cited by: §1, §7.
-  (2008) PROBE: an Obfuscation System for the Protection of Sensitive Location Information in LBS. Technical report Technical Report 2001-145, CERIAS. Cited by: §7.
-  (2006) Calibrating noise to sensitivity in private data analysis. In TCC, pp. 265–284. Cited by: §1, §7.
-  (2010) Differential privacy in new settings. In SODA, pp. 174–183. Cited by: §1.
-  (2013) Secure k-nearest neighbor query over encrypted data in outsourced environments. In IEEE International Conference on Data Engineering (ICDE), pp. 664–675. Cited by: §7.
-  (2008) Protecting Location Privacy with Personalized k-Anonymity: Architecture and Algorithms. IEEE TMC 7(1), pp. 1–18. Cited by: §1.
-  (2005) Location Privacy in Mobile Systems: A Personalized Anonymization Model.. In Proc. of ICDCS, pp. 620–629. Cited by: §7.
-  (2008) Private Queries in Location Based Services: Anonymizers are not Necessary. In Proceedings of International Conference on Management of Data (ACM SIGMOD), Cited by: §1, §7.
-  (2007) PRIVE: Anonymous Location-based Queries in Distributed Mobile Systems. In WWW, Cited by: §1.
-  (2014) An Efficient Privacy-Preserving System for Monitoring Mobile Users: Making Searchable Encryption Practical. In In Proc. of Intl. Conference on Data and Application Security and Privacy (CODASPY), pp. 321–332. Cited by: §7, footnote 1.
-  (2004) The Foundations of Cryptography, Volume 2. Cambridge University Press. Cited by: §1.
-  (2003) Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking. In USENIX MobiSys, Cited by: §1, §7.
-  (2004) Protecting Privacy in Continuous Location-Tracking Applications. IEEE Security and Privacy 2, pp. 28–34. Cited by: §7.
-  (2019) MixGeo: efficient secure range queries on encrypted dense spatial data in the cloud. In Proceedings of the International Symposium on Quality of Service, IWQoS ’19. Cited by: §7.
-  (2010-01) Privacy preserving group nearest neighbor queries. In IEEE International Conference on Data Engineering (ICDE), pp. 489–500. Cited by: §7.
-  (2011) Processing private queries over untrusted data cloud through privacy homomorphism. In IEEE International Conference on Data Engineering (ICDE), pp. 601–612. Cited by: §7.
-  (2007) Preserving Location-based Identity Inference in Anonymous Spatial Queries. IEEE TKDE 19 (12). Cited by: §7.
-  (2007) Blind Evaluation of Nearest Neighbor Queries Using Space Transformation to Preserve Location Privacy. In SSTD, Cited by: §7.
-  (2005) An anonymous communication technique using dummies for location-based services. In International Conference on Pervasive Services (ICPS), pp. 88–97. Cited by: §7.
-  (2019-02) Computing over encrypted spatial data generated by iot. Telecommun Sys 70, pp. 193–229. Cited by: §7.
-  (2015) Secure Similarity Queries: Enabling Precision Medicine with Privacy. In Biomedical Data Management and Graph Online Querying, Cited by: §7.
-  (2012-05) Secure and privacy preserving keyword searching for cloud storage services. J. Network Computing Applications 35 (3), pp. 927–933. Cited by: §1.
-  (2007) On the Implementation of Pairing-Based Cryptography. Ph.D. Thesis, Stanford University. Cited by: §4.1.
-  (1993) Espresso-signature: a new exact minimizer for logic functions. In Proceedings of the 30th international Design Automation Conference, pp. 618–624. Cited by: §3.2, §5.3.
-  (2004-09) The weil pairing, and its efficient calculation. J. Cryptol. 17 (4), pp. 235–261. Cited by: §4.1.
-  (2006) The New Casper: Query Processing for Location Services without Compromising Privacy. In VLDB, Cited by: §1, §7.
-  (1984-06) The quadtree and related hierarchical data structures. ACM Comput. Surv. 16 (2), pp. 187–260. Cited by: §3.2.
-  (2000) Practical techniques for searches on encrypted data. In IEEE Symposium on Security and Privacy, Cited by: §7.
-  (2016-04) Geometric range search on encrypted spatial data. IEEE Transactions on Information Forensics and Security 11 (4), pp. 704–719. Cited by: §7.
-  (2019-03) FastGeo: efficient geometric range queries on encrypted spatial data. IEEE Transactions on Dependable and Secure Computing 16 (2), pp. 245–258. Cited by: §7.
-  (2013) Secure nearest neighbor revisited. In Proc. of Intl. Conf. on Data Engineering, pp. 733–744. Cited by: §7, §7.
Appendix 0.A Primer on HVE Encryption
HVE is built on top of a symmetrical bilinear map of composite order , which is a function such that and it holds that . and are cyclic multiplicative groups of composite order where and are large primes of equal bit length. We denote by , the subgroups of of orders and , respectively. Let denote the HVE width, which is the bit length of the attribute, and consequently that of the search predicate. HVE consists of the following phases:
Setup. The generates the public/secret (/) key pair and shares with the users. has the form:
To generate , the first chooses at random elements , and . Next, is determined as:
Encryption uses and takes as parameters index attribute and message . The following random elements are generated: and . Then, the ciphertext is:
Token Generation. Using , and given a search predicate encoded as pattern vector , the TA generates a search token as follows: let be the set of all indices where . TA randomly generates and . Then
Query is executed at the server, and evaluates if the predicate represented by holds for ciphertext . The server attempts to determine the value of as
If the index based on which was computed satisfies , then the actual value of is returned, otherwise a special number which is not in the valid message domain (denoted by ) is obtained.