## Abstract

The wide availability of inexpensive positioning systems made it possible to embed them into smartphones and other personal devices. This marked the beginning of location-aware applications, where users request personalized services based on their geographic position. The location of a user is, however, highly sensitive information: the user’s privacy can be preserved if only the minimum amount of information needed to provide the service is disclosed at any time. While some applications, such as navigation systems, are based on the users’ movements and therefore require constant tracking, others only require knowledge of the user’s position in relation to a set of points or areas of interest. In this paper we focus on the latter kind of services, where location information is essentially used to determine membership in one or more geographic sets. We address this problem using Bloom Filters (BF), a compact data structure for representing sets. In particular, we present an extension of the original Bloom filter idea: the Spatial Bloom Filter (SBF). SBFs are designed to manage spatial and geographical information in a space-efficient way, and are well-suited for enabling privacy in location-aware applications. We show this by providing two multi-party protocols for privacy-preserving computation of location information, based on the known homomorphic properties of public key encryption schemes. The protocols keep the user’s exact position private, but allow the provider of the service to learn when the user is close to specific points of interest, or inside predefined areas. At the same time, the points and areas of interest remain oblivious to the user.

### Keywords

- Location privacy
- Bloom filters
- Secure multi-party computation

L. Calderoni—Part of this research work was accomplished while visiting the Parallel and Distributed Systems group of Delft University of Technology (The Netherlands).

## References

1. Avoine, G., Calderoni, L., Delvaux, J., Maio, D., Palmieri, P.: Passengers information in public transport and privacy: can anonymous tickets prevent tracking? Int. J. Inf. Manag. **34**(5), 682–688 (2014)
2. Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM **13**(7), 422–426 (1970)
3. Blum, J.R., Greencorn, D.G., Cooperstock, J.R.: Smartphone sensor reliability for augmented reality applications. In: Zheng, K., Li, M., Jiang, H. (eds.) MobiQuitous 2012. LNICST, vol. 120, pp. 127–138. Springer, Heidelberg (2013)
4. Blumberg, A.J., Eckersly, P.: On locational privacy, and how to avoid losing it forever, April 2009. https://www.eff.org/wp/locational-privacy
5. Calderoni, L., Maio, D., Palmieri, P.: Location-aware mobile services for a smart city: design, implementation and deployment. JTAER **7**(3), 74–87 (2012)
6. Charles, D., Chellapilla, K.: Bloomier filters: a second look. In: Halperin, D., Mehlhorn, K. (eds.) ESA 2008. LNCS, vol. 5193, pp. 259–270. Springer, Heidelberg (2008)
7. Chazelle, B., Kilian, J., Rubinfeld, R., Tal, A.: The bloomier filter: an efficient data structure for static support lookup tables. In: SODA, pp. 30–39. SIAM (2004)
8. Jiazhu, D., Zhilong, L.: A location authentication scheme based on proximity test of location tags. In: ICINS 2013, pp. 1–6 (2013)
9. Kikuchi, H., Sakuma, J.: Bloom filter bootstrap: Privacy-preserving estimation of the size of an intersection. JIP **22**(2), 388–400 (2014)
10. Kulik, L.: Privacy for real-time location-based services. SIGSPATIAL Spec. **1**(2), 9–14 (2009)
11. de Montjoye, Y.-A., Hidalgo, C.A., Verleysen, M., Blondel, V.D.: Unique in the crowd: the privacy bounds of human mobility. Sci. Rep. **3**(1376) (2013). doi:10.1038/srep01376
12. Narayanan, A., Thiagarajan, N., Lakhani, M., Hamburg, M., Boneh, D.: Location privacy via private proximity testing. In: NDSS. The Internet Society (2011)
13. Nielsen, J.D., Pagter, J.I., Stausholm, M.B.: Location privacy via actively secure private proximity testing. In: PerCom Workshops, pp. 381–386. IEEE (2012)
14. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 223. Springer, Heidelberg (1999)
15. Pan, X., Meng, X.: Preserving location privacy without exact locations in mobile services. Front. Comput. Sci. **7**(3), 317–340 (2013)
16. Saldamli, G., Chow, R., Jin, H., Knijnenburg, B.P.: Private proximity testing with an untrusted server. In: WISEC, pp. 113–118. ACM (2013)
17. Shu, X., Yao, D.D.: Data leak detection as a service. In: Keromytis, A.D., Di Pietro, R. (eds.) SecureComm 2012. LNICST, vol. 106, pp. 222–240. Springer, Heidelberg (2013)
18. Sun, J., Zhang, R., Zhang, Y.: Privacy-preserving spatiotemporal matching. In: INFOCOM, pp. 800–808. IEEE (2013)
19. Tonicelli, R., David, B.M., de Morais Alves, V.: Universally composable private proximity testing. In: Boyen, X., Chen, X. (eds.) ProvSec 2011. LNCS, vol. 6980, pp. 222–239. Springer, Heidelberg (2011)
20. von Watzdorf, S., Michahelles, F.: Accuracy of positioning data on smartphones. In: LocWeb, p. 2. ACM (2010)
21. Wicker, S.B.: The loss of location privacy in the cellular age. Commun. ACM **55**(8), 60–68 (2012)
22. Zakhary, S., Radenkovic, M., Benslimane, A.: The quest for location-privacy in opportunistic mobile social networks. In: IWCMC, pp. 667–673. IEEE (2013)
23. Zheng, Y., Li, M., Lou, W., Hou, Y.T.: SHARP: private proximity test and secure handshake with cheat-proof location tags. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 361–378. Springer, Heidelberg (2012)

## Acknowledgments

The authors would like to acknowledge Marco Miani for the code used in producing Fig. 4.

## Appendices

### A Bloom Filters Properties

The Bloom filter is built as follows. Initially all bits are set to \(0\). Then, for each element \(a \in S\) and for each \(h \in H\) we calculate \(h\left( a\right) = i\), and set the corresponding \(i\)-th bit of \(b\) to \(1\). Thus, \(m\) bits are needed in order to store \(b\).

We test an element \(a_u\) against \(b\) to determine membership in \(S\), that is, we verify whether \(a_u \in S\) if

If any bit in \(b\) that corresponds to a value output by one of the hash functions for \(a_u\) is \(0\), then \(a_u \not \in S\). If, instead, all the hashes map to bits of value \(1\), then \(a_u \in S\), up to a false positive probability \(p\) determined by the number \(n\) of elements in \(S\), the number \(k\) of hash functions in \(H\) and the maximum possible value \(m\) output by the hash functions (equal to the binary length of \(b\)) as follows:

This small false positive probability is due to the potential collision of hashes evaluated on different inputs, resulting in all bits associated with an element outside the originating set having value \(1\). As such, it is determined largely by \(k\): if \(k\) is sufficiently small for given \(m\) and \(n\), the resulting \(b\) is sufficiently sparse and collisions are infrequent. If we consider the approximation in (15), we can calculate the optimal number of hashes \(k\) as

from which we can infer

However, the number of hashes also determines the number of bits read for membership queries, the number of bits written for adding elements to the filter, and the computational cost of calculating the hashes themselves. Therefore, in constrained settings, we may choose to use a less-than-optimal \(k\) for performance reasons, if the resulting \(p\) is considered sufficiently low for the specific application domain.

### B More on Spatial Representation

The most natural spatial representation for Earth is the standard geographic coordinate system. In the geographic coordinate system every location on Earth can be specified by using a set of values, called coordinates. Standard coordinates are *latitude*, *longitude* and *elevation*. For the purposes of this work we focus on longitude and latitude only, as the combination of these two components is enough to determine the position of any point on the planet (excluding elevation or depth). The whole Earth is divided by 180 parallels and 360 meridians; the resulting grid plotted on the surface is known as the *graticule* (Fig. 4).

Longitude (lng) and latitude (lat) can be stored and represented according to several formats. In the following we use the *decimal degrees plus/minus* format, where latitude is positive if it is north of the equator (negative otherwise), and longitude is positive if it is east of the prime meridian (negative otherwise); for instance, \(31.456764^\circ \) (lat) and \(-85.887734^\circ \) (lng) are two possible values.

Using a fixed precision in longitude and latitude (that is, choosing a fixed number of decimal places for their values) allows us to easily divide the planet’s surface into a discrete grid. Since meridians get closer as they converge toward the poles, as can be seen in Fig. 4, the portions of the Earth’s surface defined by such a grid have varying areas depending on their position (Table 2). While the construction proposed in the following is not dependent on the size or shape of the regions, for simplicity in the discussion it is reasonable to approximate such portions to rectangles and assume they have the same area.

In actual applications, the precision in decimal places for longitude and latitude should reflect the expected error of the device or sensor used for learning the location information. The precision and accuracy of mobile devices in determining their geographic position have been shown to vary considerably depending on the context (urban areas, rural areas, etc.) [20].

In a detailed experiment on the accuracy of GPS sensors installed on mobile devices, Blum et al. show that the location is reported with a precision varying from 10 to 60 meters, depending on the device orientation and type, and, in cities, on the surrounding buildings [3]. Hence, when designing a system based on mobile devices it would be reasonable to consider regions with sides tens of meters long.
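The following added example (not code from the paper) ties Appendices A and B together: it snaps decimal-degree coordinates to a fixed-precision grid, stores the cells of an area of interest in a plain Bloom filter, and tests a position for membership. It does not implement the SBF or the privacy-preserving protocols; the SHA-256-based hash family, the four-decimal precision (roughly 11 m in latitude), the area bounds and all function names are assumptions, and the two formulas are the textbook Bloom filter approximations rather than the paper's numbered equations.

```python
import hashlib
import math
from decimal import Decimal, ROUND_FLOOR

def cell_id(lat, lng, decimals=4):
    """Map decimal-degree coordinates to a grid cell at a fixed precision."""
    def idx(v):  # floor (not truncate) so cells stay uniform across 0 degrees
        return int((Decimal(str(v)) * 10 ** decimals).to_integral_value(rounding=ROUND_FLOOR))
    return f"{idx(lat)}:{idx(lng)}"

def cells_in_box(lat0, lng0, rows, cols, decimals=4):
    """Enumerate the cells of a rows x cols area with south-west corner (lat0, lng0)."""
    step = Decimal(1).scaleb(-decimals)
    lat0, lng0 = Decimal(str(lat0)), Decimal(str(lng0))
    return [cell_id(lat0 + r * step, lng0 + c * step, decimals)
            for r in range(rows) for c in range(cols)]

class BloomFilter:
    def __init__(self, m, k):
        self.m, self.k = m, k
        self.bits = bytearray(m)  # one byte per bit, for readability

    def _positions(self, item):
        # k hash functions derived from SHA-256 by prefixing an index (an assumption)
        for j in range(self.k):
            digest = hashlib.sha256(f"{j}|{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for i in self._positions(item):
            self.bits[i] = 1

    def __contains__(self, item):
        # a single 0 bit proves non-membership; all 1s may be a false positive
        return all(self.bits[i] for i in self._positions(item))

def fp_estimate(m, n, k):
    """Textbook approximation of the false positive probability."""
    return (1 - math.exp(-k * n / m)) ** k

def optimal_k(m, n):
    """Textbook optimum k = (m / n) ln 2, rounded to a usable integer."""
    return max(1, round(m / n * math.log(2)))

def build_area_filter(cells, m):
    bf = BloomFilter(m, optimal_k(m, len(cells)))
    for c in cells:
        bf.add(c)
    return bf

# Constructed sample: a 20 x 20 cell area around the appendix's example coordinates.
AREA = cells_in_box(31.4560, -85.8890, 20, 20)
FILTER = build_area_filter(AREA, m=4096)
USER_IN_AREA = cell_id(31.456764, -85.887734) in FILTER
```

Lowering `k` below `optimal_k` reduces the hashes computed per query at the cost of a higher `fp_estimate`, which is the trade-off Appendix A describes for constrained settings.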

## Copyright information

© 2015 Springer International Publishing Switzerland

## About this paper

### Cite this paper

Palmieri, P., Calderoni, L., Maio, D. (2015). Spatial Bloom Filters: Enabling Privacy in Location-Aware Applications. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science(), vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_2

DOI: https://doi.org/10.1007/978-3-319-16745-9_2

Publisher Name: Springer, Cham

Print ISBN: 978-3-319-16744-2

Online ISBN: 978-3-319-16745-9

eBook Packages: Computer Science, Computer Science (R0)