Professional Documents
Culture Documents
Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:19:35 UTC from IEEE Xplore. Restrictions apply.
ZHANG et al.: PPAQ: PRIVACY-PRESERVING AGGREGATE QUERIES 20179
Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:19:35 UTC from IEEE Xplore. Restrictions apply.
20180 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 20, 15 OCTOBER 2022
the request and disseminates it to all users in the group. Each into the ANN query, we first define an aggregate network
user then responds his/her location together with the received distance function.
tid to LSP. After receiving all users’ responses, LSP chooses Definition 1 (Aggregate Network Distance Function):
an optional meeting location and forwards it to the initiator Given a set of query points Q = {q1 , q2 , . . . , qm } and a point
u1 . After receiving the optimal meeting location, ui forwards p in a road network, the aggregate network distance function
it to other group users. F is monotonically increasing and can compute the aggregate
distance from p to Q
B. Security Model
F(p, Q) = F(d(q1 , p), d(q2 , p), . . . , d(qm , p)) (1)
In our security model, we consider all users U to be honest,
i.e., they will honestly report location information and task id where d(qt , p), t ∈ [1, m], is the shortest distance between p
to LSP. For the initiator u1 , he/she honestly distributes the and qt along a given road network.
received optimal location to other users. This is reasonable Generally, F is comprised of two basic functions sum and
since all users expect to correctly obtain an optimal location max [5], [7], in which sum indicates the total distance from p
and have no motivation to deviate from the purpose. However, to all query points Q, while max means the maximum distance
due to the sensitive nature of personal data, users do not want between p and Q.
LSP to know their locations or trajectories. For LSP, we Definition 2 (ANN Queries in Road Networks): Given Q
assume it is semi-honest [18], i.e., LSP will faithfully fol- and a set of data points P = {p1 , p2 , . . . , pn } in a road
low the protocol to select the optimal location (performing network, the ANN queries can return an optimal point po ∈ P
ANN queries) for users but may be curious to learn the loca- that has a minimal network distance, i.e., there does not exist
tion information of users. From our system model, we know pi ∈ P/{po } such that F(pi , Q) < F(po , Q).
that LSP receives the report locations from users and finds
the optimal location, which reveals the potential location of
B. Symmetric Homomorphic Encryption
users. As a result, in this work, the privacy threats are from
semi-honest LSP, who may attempt to obtain: 1) query users’ SHE is a lightweight symmetric homomorphic encryption
location information and 2) the selected optimal location, that can support homomorphic addition and multiplication. It
in the process of performing ANN queries. Note that, since was first proposed in [19] and proved to be IND-CPA secure
this work mainly focuses on secure computation techniques, in [14]. Concretely, SHE consists of three algorithms, namely:
other active attacks, e.g., data poisoning and modification, are 1) key generation KeyGen(); 2) encryption Enc(); and 3)
beyond the scope of this article and will be discussed in our decryption Dec(), as follows.
future work. 1) KeyGen(k0 , k1 , k2 ): Given three security parameters
{k0 , k1 , k2 } satisfying k1 k2 < k0 , the algorithm first
C. Design Goal chooses two large prime numbers p and q with |p| =
|q| = k0 and sets N = pq. Then, it generates the secret
Under the above system model and security model, we aim
key sk = (p, L), where L is a random number with
to design a privacy-preserving ANN query scheme for select-
|L| = k2 , and the public parameter pp = (k0 , k1 , k2 , N ).
ing the optimal location in road networks. In particular, the
Besides, the algorithm sets the basic message space
following objectives should be attained.
M = [ − 2k1 −1 , 2k1 −1 ).
1) Preserving Users’ Location Privacy: The basic require-
2) Enc(sk, m): On input of a secret key sk and a message
ment of our proposed scheme is to preserve the location
m ∈ M, the encryption algorithm outputs the ciphertext
privacy of users, i.e., the location information of users
E(m) = (rL + m)(1 + r p) mod N , where r ∈ {0, 1}k2
should be always kept secret from LSP.
and r ∈ {0, 1}k0 are random numbers.
2) Preserving Optimal Location Privacy: The selected
3) Dec(sk, E(m)): Taking the secret key sk and a ciphertext
optimal location should also be kept secret from LSP,
E(m) as inputs, the decryption algorithm recovers a mes-
which implies that we need to hide access patterns in
sage m = (E(m) mod p) mod L = (rL+m) mod L. If
the process of finding the optimal location, i.e., LSP
m < (L/2), it indicates m ≥ 0 and m = m . Otherwise,
does not know which location has been selected as the
m < 0 and m = m − L.
optimal one.
SHE satisfies the homomorphic addition and multiplication
properties as follows.
III. P RELIMINARIES
1) Homomorphic Addition-I: E(m1 ) + E(m2 ) mod N →
In this section, we first state the problem of the ANN queries E(m1 + m2 ).
in road networks. Then, we recall an SHE scheme, which 2) Homomorphic Multiplication-I: E(m1 ) · E(m2 )
serves as the building block of our proposed scheme. mod N → E(m1 · m2 ).
3) Homomorphic Addition-II: E(m1 ) + m2 mod N →
A. Aggregate Nearest Neighbor Queries in Road Networks E(m1 + m2 ).
The ANN query in road networks is a classic problem and 4) Homomorphic Multiplication-II: E(m1 ) · m2 mod N →
has been used to find the optimal location or point of interest E(m1 · m2 ) when m2 > 0.
in road networks, which minimizes an aggregate distance func- SHE Encryption Under Public Key Setting: In order to real-
tion with respect to a set of query points [5]. Before delving ize the SHE encryption under public key setting, we take
Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:19:35 UTC from IEEE Xplore. Restrictions apply.
ZHANG et al.: PPAQ: PRIVACY-PRESERVING AGGREGATE QUERIES 20181
IV. O UR P ROPOSED PPAQ S CHEME From the above analysis, we can simplify the problem of
In this section, we first analyze the problem of ANN query ANN queries in road networks by converting the distance cal-
over plaintexts and extract ANN query’s two basic operations. culation between P and Q into the distance between V and
Then, we design secure circuits as building blocks to deal with P, which can be precomputed by LSP. Furthermore, from (4)
the two basic operations over ciphertexts. After that, based on and (5), we can see that the ANN queries essentially have two
these building blocks, we present our PPAQ scheme. basic operations: 1) addition and 2) comparison. Accordingly,
we need to perform these two operations over ciphertexts if we
A. Analyzing ANN Queries in Road Network apply SHE to encrypt users’ locations. Note that, although it is
A typical road network is usually abstracted as road seg- easy to have the addition operation over ciphertexts by using
ments (edges) and junctions (vertices) [5], as shown in Fig. 1. the homomorphic addition property, it is not easy to compare
Assume that there are k vertices in a road network, denoted values over their ciphertexts in a single-server model. This
as V = {v1 , v2 , . . . , vk } and n POI P = {p1 , p2 , . . . , pn } that is because the operator is expected to obtain the comparison
lie on edges. Given m query points Q = {q1 , q2 , . . . , qm } that result without knowing any information about the underlying
also lie on edges, we have the following network distances: plaintexts. Although the arithmetic operations (multiplication
for each pi , i = 1, 2, . . . , n: and addition) can be performed on ciphertexts due to the
homomorphic properties of SHE, the operator cannot directly
F(pi , Q) = F d(qt , pi ) = d qt , v̂t + d v̂t , pi |m t=1 (3) use them to compare two ciphertexts and get the comparison
result in a single server. As a result, to tackle this challenge, we
where v̂t ∈ V is one of the vertices lying on the same edge as
carefully devise two novel bit-based secure circuit schemes to
the query point qt ∈ Q. For the simplicity sake, we assume
perform addition and comparison operations over ciphertexts.
that v̂t ∈ V is the closest neighbor vertex to qt in the road
network. If we let F be the sum function, the ANN query will
return the point in P that has the minimum total distance B. Secure Addition and Comparison Circuits
arg min (F(pi , Q)) In order to securely compare two integers without leaking
i∈[1,n]
m them and the result, we design a secure comparison scheme
based on the encrypted bit sequences. Since we employ SHE
= arg min d qt , v̂t + d v̂t , pi
i∈[1,n] to encrypt each bit, and only the addition and multiplication
t=1 (homomorphic) operations are used in our comparison scheme,
m
m
= arg min d qt , v̂t + d v̂t , pi we denote it as secure comparison circuit. Correspondingly, to
i∈[1,n] keep consistency, we also design a secure addition circuit to
t=1 t=1 achieve the addition operation over encrypted bit sequences.
m
⇔ arg min d v̂t , pi . (4) In the following, we first introduce the secure addition circuit,
i∈[1,n] and then present the secure comparison circuit.
t=1
Meanwhile, since LSP usually holds the road network, i.e., 1) Secure Addition Circuit: Assume there are two non-
the location of nodes V and data points P, LSP can precom- negative integers {x, y} of the same bit length, and the
corresponding encrypted bit sequences are E(x) = (E(x j )|0j=l )
pute m t=1 v̂t , pi ) and quickly obtain the optimal point if it
d(
knows the neighbor node of the query points. and E(y) = (E(y j )|0j=l ), where x j , y j ∈ {0, 1}, j = l, . . . , 1, 0,
On the other hand, if F is the max function, the ANN query and l is the most significant bit position of inputs. The secure
can return the point with the following distance: addition circuit is to compute E(z) = (E(z j )|0j=l ) by operating
E(x) and E(y) to satisfy z = x + y, where z is an integer and
arg min (F(pi , Q)) E(z) is its corresponding encrypted bit sequence. For exam-
i∈[1,n]
ple, if we set x = 5, y = 7, E(5) = (E(0), E(1), E(0), E(1))
= arg min arg max d qt , v̂t + d v̂t , pi . (5) and E(7) = (E(0), E(1), E(1), E(1)), then we can compute
i∈[1,n] t∈[1,m]
z = 5 + 7 = 12 and E(12) = (E(1), E(1), E(0), E(0)).
Similarly, d(v̂t , pi ) can be precomputed by LSP. If users send Fig. 3 illustrates the truth table of the addition operation, in
d(qt , v̂t ) and v̂t to LSP, it is simple for LSP to obtain the which o is the output of the current bit and ĉ is the new carry
maximum distance by matching vertex v̂t . bit. It is easy to obtain the logical expressions of o and ĉ as
Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:19:35 UTC from IEEE Xplore. Restrictions apply.
20182 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 20, 15 OCTOBER 2022
follows:
¬
o= a ∧¬ b ∧ c ∨ ¬
a ∧ b ∧¬ c
∨ a ∧¬ b ∧¬ c ∨ (a ∧ b ∧ c)
= a + b + c − 2(ab + ac + bc) + 4abc
¬
ĉ = a ∧ b ∧ c ∨ a ∧¬ b ∧ c
∨ a ∧ b ∧¬ c ∨ (a ∧ b ∧ c)
= ab + ac + bc − 2abc.
Fig. 4. Relations of α j , β j , and d j with an example of x = 5, y = 7.
According to the above logical expressions, we have E(z) =
(E(zl ), . . . , E(z j ), . . . , E(z1 ), E(z0 )), for each j = l, . . . , 1, 0
Then, over the ciphertexts E(x) = (E(x j )|0j=l ) and E(y) =
E z j = E x j + y j + ĉ j (E(y j )|0j=l )}, we have the output of each bit ρ j as follows:
+ E(−1) · E(2) · E x j y j + x j ĉ j + y j ĉ j j
Eα + E β j · E ρ j−1 , j > 0
+ E(4) · E x j y j ĉ j E ρj = (9)
(6) E αj , j=0
where where j = l, . . . , 1, 0. Finally, the secure comparison circuit
⎧ j−1 j−1 produces E(δ) = E(ρ l ) as the output.
j ⎨ E x y + x j−1 ĉ j−1
+ y j−1 ĉ j−1
Correctness: We say our secure comparison circuit is correct
E ĉ = + E(−1) · E(2) · E x j−1 y j−1 ĉ j−1 , j > 0 (7)
⎩ if it outputs E(δ) = E(ρ l ) = E(1) when x > y, and outputs
E(0), j = 0.
E(δ) = E(ρ l ) = E(0) otherwise.
Next, we depict the details about the process of E(12) = Proof: When x > y, it means ∃j ∈ [0, l], d j = 1 and
E(5) + E(7) with our secure addition circuit. First of all, since d = 0, for all j = l, . . . , j + 1. In this case, E(ρ j ) = E(1) +
j
ĉ0 = 0, we have z0 = x0 + y0 − 2x0 y0 = 0. Then, for j = 1, E(0) · E(ρ j−1 ) = E(1). Since d j = 0 for j = l, . . . , j + 1,
we can obtain we have E(α j ) = E(0) and E(β j ) = E(1), leading to
E(ρ j ) = E(ρ j −1 ). As a result, E(ρ l ) = E(ρ j ) = E(1).
ĉ1 = x0 y0 + x0 ĉ0 + y0 ĉ0 − 2x0 y0 ĉ0 = 1; Similarly, when x < y, we have E(ρ l ) = E(ρ j ) = E(0).
z1 = x1 + y1 + ĉ1 − 2(x1 y1 + x1 ĉ1 + y1 ĉ1 ) + 4x1 y1 ĉ1 When x = y, it means ∀j ∈ [0, l], d j = 0, leading to E(α j ) =
E(0) and E(β j ) = E(1). Therefore, E(ρ l ) = E(ρ 0 ) =
= 2 − 2 = 0.
E(α 0 ) = E(0).
Repeatedly, with (6) and (7), we can calculate ĉ2 = 1, Nevertheless, for obtaining E(α j ), we still need to further
z2 = 1 and ĉ3 = 1, z3 = 1. Finally, we have (E(z j )|0j=3 ) = compute E(d j ·(d j +1))/E(2). To tackle the challenge, we can
choose an odd random number L in SHE, then it is easy for us
(E(1), E(1), E(0), E(0)) = E(12).
to find an inverse element E() satisfying E()·E(2) = E(1).
2) Secure Comparison Circuit: Given E(x) = (E(x j )|0j=l )
Theorem 1: In the KeyGen(k0 , k1 , k2 ) algorithm of SHE,
and E(y) = (E(y j )|0j=l )}, the secure comparison circuit is used
when an odd random number L is chosen, i.e., gcd(2, L) = 1,
to determine whether the corresponding integers x, y satisfy
we can set = [(1 + L)/2] to satisfy E() · E(2) = E(1).
x > y without leaking x, y, and the comparison result. If yes,
Proof: Since mod L is applied in the SHE decryption
it outputs E(δ) = E(1), otherwise E(δ) = E(0).
algorithm, it is easy to see E() · E(2) = E( · 2) = E([(1 +
The main idea over the plaintexts is to check whether there
L)/2] · 2) = E(1 + L) = E(1). The correctness follows.
exists the most significant differing bit position j such that
According to Theorem 1, we can obtain E(α j ) by computing
x j > y j and x j = y j for all j = l, . . . , j+1. If yes, then x > y;
E(α j ) = E(d j · (d j + 1)) · E().
otherwise x ≤ y. For j = l, . . . , 1, 0, we can compute d j =
In Fig. 4, we also demonstrate an example of comparing
x j − y j , then there are three cases for d j , i.e., d j = 1, 0, −1.
x = 5 and y = 7. Since x < y, the result δ = ρ 3 = 0.
When d j = 1, or −1, we can directly obtain the output from
Note that, in the above analysis, we only show that our secure
the difference of the jth bit. While when d j = 0, we have to
comparison circuit can determine whether x > y. In fact, we
recursively use the (j − 1)th bit to determine the order relation
can also determine any order relations of two encrypted bit
until j = 0. When the operations work on the ciphertexts, since
sequences by constructing a α-function
we cannot determine whether E(d j ) is E(1), E(0), or E(−1), j
we have to go through all j = l, . . . , 1, 0. j dj dj + 1 d − 1 dj + 1
α = fα d = λ 1
j
+ λ2
For the ease of description, we denote the current jth bit
2 −1
value as α j and the transitive bit value from j to j − 1 as β j . dj dj − 1
Since we consider x > y, we have the relation of α j , β j , and + λ3 . (10)
2
d j shown in Fig. 4, where
j j j The correctness of α-function can be easily verified. In Fig. 4,
α = d · d + 1 /2 if the ith row of Table (a) is 1, we can set the ith term of
(8)
β j = 1 − d j · d j. fα (d j ) is 1, and others are 0. For example, if we want to
Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:19:35 UTC from IEEE Xplore. Restrictions apply.
ZHANG et al.: PPAQ: PRIVACY-PRESERVING AGGREGATE QUERIES 20183
determine x ≥ y, we should make λ1 = λ2 = 1 and λ3 = 0. vs in the k tuples that satisfies vs = vt with encrypted E(vt ),
For determining whether x > y, we can set λ1 = 1 and λ2 = and has no idea about which vertex in V is the same as vt .
λ3 = 0. Thus, α j = fα (d j ) = ([d j (d j + 1)]/2). To address it, we adopt the following matching approach.
1) First, LSP calculates a flag fs for each vs as follows:
C. Description of PPAQ
l
j
In this section, we present our PPAQ scheme, which is E(fs ) = vs E(vt ) = vsj E v̂t (11)
comprised of four phases: 1) system initialization; 2) location j=0
report; 3) optimal location selection; and 4) location recov- j j
ery. Before delving into the details, we first assume LSP where the operation vs E(v̂t ) is defined as
⎧
holds a road network with k vertices V = {v1 , v2 , . . . , vk } ⎨ E 1 − v̂tj , vsj = 0
and n POI P = {p1 , p2 , . . . , pn }, and there are m users in the j
vs E v̂t =
j
(12)
group, where k, n, m ≥ 2. We say vs ∈ V and pi ∈ P, where ⎩ E v̂tj , j
vs = 1.
s ∈ [1, k] and i ∈ [1, n], are unique integers encoded by LSP.
The corresponding binary formats are denoted as vs and pi . It means that only if vs is the same as vt , i.e., for each
j j
j j
Besides, we say E(vs ) = (E(vs )|0j=l ) and E(pi ) = (E(pi )|0j=l ), bit vs = v̂t , the corresponding flag fs is 1, otherwise it
where j = l, . . . , 1, 0, indicate that the binary is encrypted bit is 0.
by bit, and l is the common maximum bit length. 2) Then, with the k tuples (vs , σsi , pi for s = 1, . . . , k)
1) System Initialization: In our scheme, the initiator u1 ini- and the corresponding fs , LSP computes E(σti ) =
j
tializes a privacy-preserving aggregate query. First, u1 obtains (E(σti )|0j=l )
the user ids of other users in the group and sends a task k
k
generation request with these ids to LSP. Then, LSP ran- E σti =
j j
E(fs ) · E σsi = E
j
fs · σsi (13)
domly generates a task id tid and disseminates it to users s=1 s=1
U according to the received user ids. Next, given security
j j
parameters (k0 , k1 , k2 ), u1 generates the sk = (p, L), where in which LSP can first encrypt σsi into E(σsi )
L is odd, and pp = (k0 , k1 , k2 , N ). Afterward, u1 calls with (2). Next, LSP can construct a two-element tuple
Enc(sk, m) to generate {E(0)1 , E(0)2 , E(−1), E()}, where E(σti ), pi that indicates qt can reach pi via its neigh-
= [(1 + L)/2]. Finally, u1 sets the public key pk = {E(0)1 , bor v̂t = vs with the shortest distance σti . Now, LSP
E(0)2 , E(−1), E(), pp}. totally holds m × n tuples: E(σti ), pi , where t ∈ [1, m]
2) Location Report: Assume that each user ut , t ∈ [1, m], and i ∈ [1, n].
has installed the client (LSP’s application) in his/her mobile Step 2 (Calculating Aggregate Values): If F is sum, LSP
phone. First, the client senses the location of ut , denoted as qt , computes the total distance from Q to pi . According to (4),
and calculates the distance from qt to its closest neighbor ver- LSP can only add up all users’ shortest distances m from their
tex v̂t . Since V is embedded into clients by LSP in advance, neighbor
vertices v̂t to pi , i.e., E(σi ) = t=1 E(σti ) =
the client can easily compute θt = d(qt , v̂t ) with the sensed E( m t=1 σti ). It can be achieved by our secure addition cir-
qt . After that, θt is encoded into a bit sequence and encrypted cuit (Section IV-B1) with inputs E(σti ). Note that it is simple
j
into E(θt ) = (E(θt )|0j=l ) using (2). With the same encryption for LSP to set a proper l to guarantee that there is no overflow
j
approach, v̂t is encrypted into E(vt ) = (E(v̂t )|0j=l ). Finally, ut when using the secure addition circuit.
If F is max, LSP computes the maximum distance from
sends tid, E(θt ), E(vt ) to LSP.
Q to pi . First, LSP adds up E(θt ) and E(σti ) using the secure
3) Optimal Location Selection: Assume there are m users
addition circuit, i.e., E(τti ) = E(θt ) + E(σti ), in which the
in the group. LSP will receive m tuples tid, E(θt ), E(vt ),
inputs of the secure addition circuit are E(θt ) and E(σti ), and
where t ∈ [1, m]. Since LSP holds spatial databases, it
the output is E(τti ). Then, LSP determines the maximum
can precompute the shortest distances {σsi = d(vs , pi )|s ∈
value among E(τti ) for t = 1, 2, . . . , m. Take comparing E(τ1i )
[1, k], i ∈ [1, n]} over plaintexts using existing shortest path
and E(τ2i ) as an example. LSP employs our secure compar-
algorithms, such as Dijkstra [21] and HiTi [22], and encode
ison circuit (Section IV-B2) to determine whether τ1i > τ2i
{σsi , vs } into bit sequences {σsi , vs }, respectively. Afterward,
with inputs E(τ1i ) and E(τ2i ). If yes, our secure comparison
LSP can construct tuples vs , σsi , pi , where s ∈ [1, k], i ∈
circuit outputs E(δ) = E(1), otherwise E(δ) = E(0). Using the
[1, n] in advance. It is worth noting that both calculating short-
following equation, LSP can calculate the maximum value,
est path and encoding bit sequences can be achieved offline.
denoted as E(τmaxi ):
With the constructed and received tuples, LSP can perform
the following steps to find the optimal location. j j j j
E τmaxi = E(δ) · E τ1i − E τ2i + E τ2i . (14)
Step 1 (Matching): For each pi , if all vertices can reach
it, there will be k tuples related to pi : vs , σsi , pi for s = If δ is 1, E(τmaxi ) = E(τ1i ). Otherwise, E(τmaxi ) = E(τ2i ). It
1, . . . , k. Consequently, there must exist a tuple in the k tuples means τmaxi is always the larger one. After that, LSP can con-
that has a joint vertex with the received vt . That is, ∃s ∈ [1, k] tinue to compare E(τmaxi ) and E(τ3i ) with the secure compar-
such that v̂t (a.k.a vt ) = vs (a.k.a vs ). It means qt can reach ison circuit. Repeating m − 1 times, LSP can obtain the max-
pi with the shortest distance θt + σsi = d(qt , v̂t ) + d(vs , pi ) imum distance from Q to pi : E(σi ) = arg maxt∈[1,m] (E(τti )).
passing the vertex vs that is also the neighbor vertex v̂t of qt . After calculating aggregating values, LSP constructs n
As a result, the problem is converted into: LSP needs to find tuples: E(σi ), pi for i = 1, 2, . . . , n. Since E(σi ) is computed
Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:19:35 UTC from IEEE Xplore. Restrictions apply.
20184 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 20, 15 OCTOBER 2022
Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:19:35 UTC from IEEE Xplore. Restrictions apply.
ZHANG et al.: PPAQ: PRIVACY-PRESERVING AGGREGATE QUERIES 20185
Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:19:35 UTC from IEEE Xplore. Restrictions apply.
20186 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 20, 15 OCTOBER 2022
Fig. 6. Search time of our PPAQ scheme varying with the number of POIs Fig. 7. Search time of our PPAQ scheme varying with the number of query
n. (a) Over the Sequoia data set. (b) Over the DIMACS data set. users m. (a) Over the Sequoia data set. (b) Over the DIMACS data set.
Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:19:35 UTC from IEEE Xplore. Restrictions apply.
ZHANG et al.: PPAQ: PRIVACY-PRESERVING AGGREGATE QUERIES 20187
TABLE I
P ERCENTAGE OF E XECUTION T IME OF S TEP 1 Existing privacy-preserving ANN query schemes mainly
concentrated on the Euclidean space [10]–[12]. Although their
privacy-preserving techniques can be used in the road network
scenario, there are privacy problems with these techniques.
Hashem et al. [10] converted each user’s location into a region,
and the service provider returns a super-set of the exact query
result. This approach not only increases the communication
cost but also has privacy issues in terms of users’ locations
optimal location with several minutes for ensuring the fully and query results since they are not fully protected. Ashouri-
privacy preservation. Talouki et al. [11] adopted a secure multiparty computation
Besides, we have observed that the matching step (Step 1) technique to make each user participate in the calculation
consumes the most of execution time in our PPAQ scheme, of the query results. However, this approach cannot pro-
and it is significantly affected by the number of vertices. To tect the privacy of query results against the service provider.
illustrate it, we list the percentage of execution time of Step 1 Recently, Wu et al. [12] presented a novel privacy-preserving
in Table I, where percentage = (execution time of Step 1/ scheme for ANN queries by integrating the dummy technique
[execution time of (Step 1 + Step 2 + Step 3)]). and Paillier encryption. However, this approach has a pri-
It is worth noting that the number of POIs n and query users vacy issue in terms of the users’ real locations when a query
m has little impact on the percentage of the execution time of user launches multiple queries in a fixed location. Note that
Step 1, i.e., their ratios remain stable (around 95%) when vary- although Yilmaz et al. [28] also proposed a privacy-preserving
ing n and m. In order to improve the efficiency, LSP can have optimal location selection scheme, their work is not for the
the following approaches to optimize Step 1: 1) adopt multiple ANN query of a group considered in this article. Moreover, it
threads and 2) select fewer vertices to calculate shortest path mainly focused on the private set intersection (PSI) technique
distances. The second approach may affect the accuracy of and did not protect the location privacy of the client.
the selected optimal location, and how to select vertices is an
interesting topic. We leave the research on these optimization VIII. C ONCLUSION
approaches as future work. In this article, we have proposed a PPAQ scheme in road
networks, which can preserve the privacy of users’ locations,
query results, and access patterns. Specifically, we first ana-
VII. R ELATED W ORK
lyzed the problem of the ANN queries in road networks
The ANN query has attracted considerable attention due over plaintexts. Then, we designed secure addition and secure
to its wide range of applications [1]–[8]. Among them, comparison circuits to securely perform addition and com-
the works in [1]–[4] focus on the Euclidean space, while parison operations in a single-server model without leaking
the others [5]–[8] pay their attention to road networks. operands and results. Based on these secure circuits, we
Papadias et al. [1], [2] proposed several algorithms to effi- proposed our PPAQ scheme in road networks by designing
ciently perform the ANN queries by assuming that the users’ a secure matching approach. Security analysis indicated that
locations fit in memory and POIs are indexed by an R-tree. our PPAQ scheme is indeed privacy preserving, and exten-
Lian and Chen [3] considered the ANN queries over the sive performance evaluations validated its efficiency. In our
uncertain database and integrated effective pruning methods future work, we will further exploit its efficiency and prac-
to facilitate reducing the search space of probabilistic ANN tically implement our proposed scheme, such as developing
queries. In 2010, Li et al. [4] designed efficient algorithms for the mobile application for users and ANN query services for
the group enclosing queries, which actually is a variant of the service providers.
ANN query by calculating the maximum distance instead of
minimum distance after applying aggregate functions. In the R EFERENCES
road network scenario, Yiu et al. [5] first studied the ANN
[1] D. Papadias, Q. Shen, Y. Tao, and K. Mouratidis, “Group nearest neigh-
queries in road networks and presented three algorithms to bor queries,” in Proc. 20th Int. Conf. Data Eng., 2004, pp. 301–312.
explore the network around the query points until the desired [2] D. Papadias, Y. Tao, K. Mouratidis, and C. K. Hui, “Aggregate near-
results are discovered. Zhu et al. [6] presented a voronoi-based est neighbor queries in spatial databases,” ACM Trans. Database Syst.,
vol. 30, no. 2, pp. 529–576, 2005.
approach to solve the ANN problem in road networks. The [3] X. Lian and L. Chen, “Probabilistic group nearest neighbor queries in
advantage of this work is that it does not need to retrieve uncertain databases,” IEEE Trans. Knowl. Data Eng., vol. 20, no. 6,
the network from disk and just utilizes the look-up tables pp. 809–824, Jun. 2008.
[4] F. Li, B. Yao, and P. Kumar, “Group enclosing queries,” IEEE Trans.
of the voronoi diagram generated in advance. Yan et al. [7] Knowl. Data Eng., vol. 23, no. 10, pp. 1526–1540, Oct. 2011.
adopted the ANN query to find the optimal meeting point [5] M. L. Yiu, N. Mamoulis, and D. Papadias, “Aggregate nearest neighbor
in road networks, which has the same scenario as our work. queries in road networks,” IEEE Trans. Knowl. Data Eng., vol. 17, no. 6,
pp. 820–833, Jun. 2005.
Recently, Yao et al. [8] studied the flexible ANN queries [6] L. Zhu, Y. Jing, W. Sun, D. Mao, and P. Liu, “Voronoi-based aggre-
in road networks and proposed a series of universal meth- gate nearest neighbor query processing in road networks,” in Proc. 18th
ods to solve this problem, e.g., the Dijkstra-based algorithm. SIGSPATIAL Int. Conf. Adv. Geograph. Inf. Syst., 2010, pp. 518–521.
[7] D. Yan, Z. Zhao, and W. Ng, “Efficient algorithms for finding optimal
However, all of the above works aimed to improve ANN query meeting point on road networks,” Proc. VLDB Endowment, vol. 4,
efficiency and did not consider the privacy issues. no. 11, pp. 968–979, 2011.
Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:19:35 UTC from IEEE Xplore. Restrictions apply.
20188 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 20, 15 OCTOBER 2022
[8] B. Yao, Z. Chen, X. Gao, S. Shang, S. Ma, and M. Guo, “Flexible Suprio Ray (Member, IEEE) received the Ph.D.
aggregate nearest neighbor queries in road networks,” in Proc. IEEE degree from the Department of Computer Science,
34th Int. Conf. Data Eng. (ICDE), 2018, pp. 761–772. University of Toronto, Toronto, ON, Canada, in
[9] Q. Zhao, C. Zuo, G. Pellegrino, and L. Zhiqiang, “Geo-locating drivers: 2015.
A study of sensitive data leakage in ride-hailing services,” in Proc. Annu. He is an Associate Professor with the Faculty of
Netw. Distrib. Syst. Security Symp., Feb. 2019, pp. 1–15. Computer Science, University of New Brunswick,
[10] T. Hashem, L. Kulik, and R. Zhang, “Privacy preserving group nearest Fredericton, NB, Canada. His research interests
neighbor queries,” in Proc. 13th Int. Conf. Extending Database Technol., include big data and database management systems,
2010, pp. 489–500. run-time systems for scalable data science, prove-
[11] M. Ashouri-Talouki, A. Baraani-Dastjerdi, and A. A. Selçuk, “GLP: A nance and privacy issues in big data, and query
cryptographic approach for group location privacy,” Comput. Commun., processing on modern hardware.
vol. 35, no. 12, pp. 1527–1533, 2012.
[12] Y. Wu et al., “Enhanced privacy preserving group nearest neighbor
search,” IEEE Trans. Knowl. Data Eng., vol. 33, no. 2, pp. 459–473, Rongxing Lu (Fellow, IEEE) received the Ph.D.
Feb. 2021. degree from the Department of Electrical and
[13] M. S. Islam, M. Kuzu, and M. Kantarcioglu, “Access pattern disclosure Computer Engineering, University of Waterloo,
on searchable encryption: Ramification, attack and mitigation,” in Proc. Waterloo, ON, Canada, in 2012.
NDSS, 2012, pp. 1–15. He is a Mastercard IoT Research Chair, a
[14] Y. Zheng, R. Lu, Y. Guan, J. Shao, and H. Zhu, “Efficient and privacy- University Research Scholar, an Associate Professor
preserving similarity range query over encrypted time series data,” with the Faculty of Computer Science (FCS),
IEEE Trans. Dependable Secure Comput., early access, Feb. 23, 2021, University of New Brunswick (UNB), Fredericton,
doi: 10.1109/TDSC.2021.3061611. NB, Canada. Before that, he worked as an
[15] Y. Elmehdwi, B. K. Samanthula, and W. Jiang, “Secure k-nearest neigh- Assistant Professor with the School of Electrical
bor query over encrypted data in outsourced environments,” in Proc. and Electronic Engineering, Nanyang Technological
IEEE 30th Int. Conf. Data Eng., 2014, pp. 664–675. University, Singapore, from April 2013 to August 2016. He worked as a
[16] J. Liu, J. Yang, L. Xiong, and J. Pei, “Secure skyline queries on cloud Postdoctoral Fellow with the University of Waterloo from May 2012 to April
platform,” in Proc. IEEE 33rd Int. Conf. Data Eng. (ICDE), 2017, 2013. His research interests include applied cryptography, privacy-enhancing
pp. 633–644. technologies, and IoT-big data security and privacy. He has published exten-
[17] J. Chen, L. Liu, R. Chen, W. Peng, and X. Huang, “SecRec: A privacy- sively in his areas of expertise.
preserving method for the context-aware recommendation system,” Dr. Lu was awarded the most prestigious Governor General’s Gold Medal
IEEE Trans. Dependable Secure Comput., early access, Jun. 7, 2021, from the University of Waterloo and won the 8th IEEE Communications
doi: 10.1109/TDSC.2021.3085562. Society (ComSoc) Asia–Pacific Outstanding Young Researcher Award, in
[18] J. Brickell and V. Shmatikov, “Privacy-preserving graph algorithms in 2013. He is the Winner of the 2016 and 2017 Excellence in Teaching
the semi-honest model,” in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Award, FCS, UNB. He was the recipient of nine best (student) paper awards
Security, 2005, pp. 236–252. from some reputable journals and conferences. He currently serves as the
[19] H. Mahdikhani, R. Lu, Y. Zheng, J. Shao, and A. A. Ghorbani, Chair of IEEE ComSoc Communications and Information Security Technical
“Achieving O (log3 n) communication-efficient privacy-preserving range Committee and the Founding Co-Chair of IEEE TEMS Blockchain and
query in fog-based IoT,” IEEE Internet Things J., vol. 7, no. 6, Distributed Ledgers Technologies Technical Committee.
pp. 5220–5232, Jun. 2020.
[20] Y. Guan, R. Lu, Y. Zheng, S. Zhang, J. Shao, and G. Wei, “Toward
privacy-preserving Cybertwin-based Spatio-temporal keyword query for Yandong Zheng received the M.S. degree from
ITS in 6G era,” IEEE Internet Things J., vol. 8, no. 22, pp. 16243–16255, the Department of Computer Science, Beihang
Nov. 2021. University, Beijing, China, in 2017. She is cur-
[21] E. W. Dijkstra, “A note on two problems in connexion with graphs,” rently pursuing the Ph.D. degree with the Faculty of
Numerische Mathematik, vol. 1, no. 1, pp. 269–271, 1959. Computer Science, University of New Brunswick,
[22] S. Jung and S. Pramanik, “An efficient path computation model for Fredericton, NB, Canada.
hierarchically structured topographical road maps,” IEEE Trans. Knowl. Her research interest includes cloud computing
Data Eng., vol. 14, no. 5, pp. 1029–1046, Sep./Oct. 2002. security, big data privacy, and applied privacy.
[23] O. Goldreich, Foundations of Cryptography: Volume 2, Basic
Applications. Cambridge, U.K.: Cambridge Univ. Press, 2009.
[24] 2012, “Sequoia: Locations of California,” ChoroChronos. [Online].
Available: http://chorochronos.datastories.org/?q=node/58
[25] R. Paulet, M. G. Kaosar, X. Yi, and E. Bertino, “Privacy-preserving
and content-protecting location based queries,” IEEE Trans. Knowl. data Yunguo Guan is currently pursuing the Ph.D.
Eng., vol. 26, no. 5, pp. 1200–1210, May 2014. degree with the Faculty of Computer Science,
[26] “DIMACS: Locations of New York City.” 2006. [Online]. Available: University of New Brunswick, Fredericton, NB,
http://www.diag.uniroma1.it/challenge9/download.shtml Canada.
[27] “OpenStreetMap.” [Online]. Available: https://www.openstreetmap.org His research interests include applied cryptogra-
(Accessed: May 13, 2022). phy and game theory.
[28] E. Yilmaz, H. Ferhatosmanoglu, E. Ayday, and R. C. Aksoy, “Privacy-
preserving aggregate queries for optimal location selection,” IEEE
Trans. Dependable Secure Comput., vol. 16, no. 2, pp. 329–343,
Mar./Apr. 2019.
Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:19:35 UTC from IEEE Xplore. Restrictions apply.