Skip to main content
SpringerLink
Log in

Approximate and exact hybrid algorithms for private nearest-neighbor queries with database protection

  • Published:
GeoInformatica Aims and scope Submit manuscript

Abstract

Mobile devices with global positioning capabilities allow users to retrieve points of interest (POI) in their proximity. To protect user privacy, it is important not to disclose exact user coordinates to un-trusted entities that provide location-based services. Currently, there are two main approaches to protect the location privacy of users: (i) hiding locations inside cloaking regions (CRs) and (ii) encrypting location data using private information retrieval (PIR) protocols. Previous work focused on finding good trade-offs between privacy and performance of user protection techniques, but disregarded the important issue of protecting the POI dataset D. For instance, location cloaking requires large-sized CRs, leading to excessive disclosure of POIs (O(|D|) in the worst case). PIR, on the other hand, reduces this bound to \(O(\sqrt{|D|})\), but at the expense of high processing and communication overhead. We propose hybrid, two-step approaches for private location-based queries which provide protection for both the users and the database. In the first step, user locations are generalized to coarse-grained CRs which provide strong privacy. Next, a PIR protocol is applied with respect to the obtained query CR. To protect against excessive disclosure of POI locations, we devise two cryptographic protocols that privately evaluate whether a point is enclosed inside a rectangular region or a convex polygon. We also introduce algorithms to efficiently support PIR on dynamic POI sub-sets. We provide solutions for both approximate and exact NN queries. In the approximate case, our method discloses O(1) POI, orders of magnitude fewer than CR- or PIR-based techniques. For the exact case, we obtain optimal disclosure of a single POI, although with slightly higher computational overhead. Experimental results show that the hybrid approaches are scalable in practice, and outperform the pure-PIR approach in terms of computational and communication overhead.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17
Fig. 18

Similar content being viewed by others

Notes

  1. For instance, to answer NN queries, [5] uses a Voronoi diagram mapped to a regular grid.

  2. Previous work considered result set size only in the context of communication cost. However, this indirect approach is not effective due to other factors that influence bandwidth consumption (e.g., POI size may be negligible in comparison with other traffic components).

  3. The example considers an approximate query, where candidate NNs outside Q are ignored.

  4. The indexing scheme we employ (Section 5) guarantees that the retrieved tile is not empty.

  5. Note that, we choose to present first the approximate NN solution, and then the exact one. While this may not seem intuitive at first glance, the rationale behind this presentation order is that the approximate NN method maps in a more natural manner to the PIR technique and associated data structures (i.e., PIR matrix). Therefore, presenting the approximate method first improves the readability of the paper.

  6. Alternatively, the trusted anonymizer or a trusted peer can perform the described protocol on behalf of the user.

  7. In the case of exact NN queries, each convex polygon (i.e., Voronoi cell) has exactly one POI.

  8. Details about the private evaluation of point-rectangle and point-in-convex-polygon enclosure are given in Sections 4 and 6, respectively.

  9. Random blinding is a frequently-used operation in cryptographic protocols [27].

  10. Note that, if disclosing the number of leaf nodes that intersect Q represents a privacy concern for the database, the server can include randomly generated rectangles (that do not intersect Q) in the enclosure evaluation phase, without affecting correctness.

  11. Due to the non-overlapping indexing of POI, exactly one rectangle will enclose the user.

  12. A similar benefit metric has been used for R-trees [28].

  13. Although the MBRs are used in the benefit evaluation, the resulting partition is not pruned to the MBR, due to the requirement that the index must cover the entire data space.

  14. http://www.rtreeportal.org

References

  1. Gruteser M, Grunwald D (2003) Anonymous usage of location-based services through spatial and temporal cloaking. In: Proc. of USENIX MobiSys

  2. Gedik B, Liu L (2005) Location privacy in mobile systems: a personalized anonymization model. In: Proc. of ICDCS, pp 620–629

  3. Mokbel MF, Chow CY, Aref WG (2006) The new Casper: query processing for location services without compromising privacy. In: Proc. of VLDB, pp 763–774

  4. Kalnis P, Ghinita G, Mouratidis K, Papadias D (2007) Preserving location-based identity inference in anonymous spatial queries. IEEE TKDE 19(12):1719–1733

    Google Scholar 

  5. Ghinita G, Kalnis P, Khoshgozaran A, Shahabi C, Tan KL (2008) Private queries in location based services: anonymizers are not necessary. In: SIGMOD, pp 121–132

  6. Kido H, Yanagisawa Y, Satoh T (2005) An anonymous communication technique using dummies for location-based services. In: International conference on pervasive services (ICPS), pp 88–97

  7. Yiu ML, Jensen C, Huang X, Lu H (2008) SpaceTwist: managing the trade-offs among location privacy, query performance, and query accuracy in mobile services. In: International conference on data engineering (ICDE), pp 366–375

  8. Cheng R, Zhang Y, Bertino E, Prahbakar S (2006) Preserving user location privacy in mobile data management infrastructures. In: Privacy enhancing technologies (PET), pp 393–412

  9. Chow CY, Mokbel MF (2007) Enabling private continuous queries for revealed user locations. In: SSTD, pp 258–275

  10. Gruteser M, Liu X (2004) Protecting privacy in continuous location-tracking applications. IEEE Secur Priv 2:28–34

    Article  Google Scholar 

  11. Damiani M, Bertino E, Silvestri C (2008) PROBE: an obfuscation system for the protection of sensitive location information in LBS. Technical report 2001-145, CERIAS

  12. Khoshgozaran A, Shahabi C (2007) Blind evaluation of nearest neighbor queries using space transformation to preserve location privacy. In: SSTD, pp 239–257

  13. Chor B, Goldreich O, Kushilevitz E, Sudan M (1995) Private information retrieval. In: IEEE symposium on foundations of computer science, pp 41–50

  14. Kushilevitz E, Ostrovsky R (1997) Replication is NOT needed: SINGLE database, computationally-private information retrieval. In: FOCS, pp 364–373

  15. Flath DE (1998) Introduction to number theory. Wiley, New York

    Google Scholar 

  16. Atallah MJ, Du W (2001) Secure multi-party computational geometry. In: WADS ’01: Proceedings of the 7th international workshop on algorithms and data structures, pp 165–179

  17. Luo Y, Huang L, Zhong H (2007) Secure two-party point-circle inclusion problem. J Comput Sci Technol 22(1):88–91

    Article  Google Scholar 

  18. Goldreich O, Micali S, Wigderson A (1987) How to play any mental game. In: Proceedings of ACM symposium on theory of computing (STOC), pp 218–229

  19. Fischlin M (2001) A cost-effective pay-per-multiplication comparison method for millionaires. In: CT-RSA 2001: Proceedings of the 2001 conference on topics in cryptology, pp 457–472

  20. Blake IF, Kolesnikov V (2004) Strong conditional oblivious transfer and computing on intervals. In: Advances in cryptology—ASIACRYPT 2004, pp 515–529

  21. Lin HY, Tzeng WG (2005) An efficient solution to the millionaires’ problem based on homomorphic encryption. In: Intl. conference on applied cryptography and network security, pp 456–466

  22. Yao AC (1982) Protocols for secure computations. In: SFCS ’82: Proceedings of the 23rd annual symposium on foundations of computer science, pp 160–164

  23. Chow CY, Mokbel MF, Liu X (2006) A peer-to-peer spatial cloaking algorithm for anonymous location-based service. In: GIS, pp 171–178

  24. Ghinita G, Kalnis P, Skiadopoulos S (2007) PRIVE: anonymous location-based queries in distributed mobile systems. In: WWW, pp 371–380

  25. Ghinita G, Kalnis P, Skiadopoulos S (2007) MobiHide: a mobile peer-to-peer system for anonymous location-based queries. In: SSTD, pp 221–238

  26. Paillier P (1999) Public-key cryptosystems based on composite degree residuosity classes. In: EUROCRYPT, pp 223–238

  27. Atallah MJ (1998) Algorithms and theory of computation handbook. CRC Press, Boca Raton

    Book  Google Scholar 

  28. de Berg M, van Kreveld M, Overmars M, Schwarzkopf O (2000) Computational geometry: algorithms and applications, 2nd edn. Springer, Berlin

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Purdue University, West Lafayette, IN, 47907, USA

    Gabriel Ghinita & Elisa Bertino

  2. King Abdullah University of Science and Technology, Jeddah, Saudi Arabia

    Panos Kalnis

  3. University of Texas at Dallas, Richardson, TX, 75080, USA

    Murat Kantarcioglu

Authors
  1. Gabriel Ghinita
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Panos Kalnis
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Murat Kantarcioglu
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Elisa Bertino
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Gabriel Ghinita.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Ghinita, G., Kalnis, P., Kantarcioglu, M. et al. Approximate and exact hybrid algorithms for private nearest-neighbor queries with database protection. Geoinformatica 15, 699–726 (2011). https://doi.org/10.1007/s10707-010-0121-4

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10707-010-0121-4

Keywords

Search

Navigation