Skip to main content

Spatial Bloom Filters: Enabling Privacy in Location-Aware Applications

Part of the Lecture Notes in Computer Science book series (LNSC,volume 8957)


The wide availability of inexpensive positioning systems made it possible to embed them into smartphones and other personal devices. This marked the beginning of location-aware applications, where users request personalized services based on their geographic position. The location of a user is, however, highly sensitive information: the user’s privacy can be preserved if only the minimum amount of information needed to provide the service is disclosed at any time. While some applications, such as navigation systems, are based on the users’ movements and therefore require constant tracking, others only require knowledge of the user’s position in relation to a set of points or areas of interest. In this paper we focus on the latter kind of services, where location information is essentially used to determine membership in one or more geographic sets. We address this problem using Bloom Filters (BF), a compact data structure for representing sets. In particular, we present an extension of the original Bloom filter idea: the Spatial Bloom Filter (SBF). SBF’s are designed to manage spatial and geographical information in a space efficient way, and are well-suited for enabling privacy in location-aware applications. We show this by providing two multi-party protocols for privacy-preserving computation of location information, based on the known homomorphic properties of public key encryption schemes. The protocols keep the user’s exact position private, but allow the provider of the service to learn when the user is close to specific points of interest, or inside predefined areas. At the same time, the points and areas of interest remain oblivious to the user.


  • Location privacy
  • Bloom filters
  • Secure multi-party computation

L. Calderoni—Part of this research work was accomplished while visiting the Parallel and Distributed Systems group of Delft University of Technology (The Netherlands).

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-16745-9_2
  • Chapter length: 21 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   69.99
Price excludes VAT (USA)
  • ISBN: 978-3-319-16745-9
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   89.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.


  1. Avoine, G., Calderoni, L., Delvaux, J., Maio, D., Palmieri, P.: Passengers information in public transport and privacy: can anonymous tickets prevent tracking? Int. J. Inf. Manag. 34(5), 682–688 (2014)

    CrossRef  Google Scholar 

  2. Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13(7), 422–426 (1970)

    CrossRef  MATH  Google Scholar 

  3. Blum, J.R., Greencorn, D.G., Cooperstock, J.R.: Smartphone sensor reliability for augmented reality applications. In: Zheng, K., Li, M., Jiang, H. (eds.) MobiQuitous 2012. LNICST, vol. 120, pp. 127–138. Springer, Heidelberg (2013)

    CrossRef  Google Scholar 

  4. Blumberg, A.J., Eckersly, P.: On locational privacy, and how to avoid losing it forever, April 2009.

  5. Calderoni, L., Maio, D., Palmieri, P.: Location-aware mobile services for a smart city: design, implementation and deployment. JTAER 7(3), 74–87 (2012)

    Google Scholar 

  6. Charles, D., Chellapilla, K.: Bloomier filters: a second look. In: Halperin, D., Mehlhorn, K. (eds.) ESA 2008. LNCS, vol. 5193, pp. 259–270. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  7. Chazelle, B., Kilian, J., Rubinfeld, R., Tal, A.: The bloomier filter: an efficient data structure for static support lookup tables. In: SODA, pp. 30–39. SIAM (2004)

    Google Scholar 

  8. Jiazhu, D., Zhilong, L.: A location authentication scheme based on proximity test of location tags. In: ICINS 2013, pp. 1–6 (2013)

    Google Scholar 

  9. Kikuchi, H., Sakuma, J.: Bloom filter bootstrap: Privacy-preserving estimation of the size of an intersection. JIP 22(2), 388–400 (2014)

    Google Scholar 

  10. Kulik, L.: Privacy for real-time location-based services. SIGSPATIAL Spec. 1(2), 9–14 (2009)

    CrossRef  Google Scholar 

  11. de Montjoye, Y.-A., Hidalgo, C.A., Verleysen, M., Blondel, V.D.: Unique in the crowd: the privacy bounds of human mobility. Sci. Rep. 3(1376) (2013). doi:10.1038/srep01376

  12. Narayanan, A., Thiagarajan, N., Lakhani, M., Hamburg, M., Boneh, D.: Location privacy via private proximity testing. In: NDSS. The Internet Society (2011)

    Google Scholar 

  13. Nielsen, J.D., Pagter, J.I., Stausholm, M.B.: Location privacy via actively secure private proximity testing. In: PerCom Workshops, pp. 381–386. IEEE (2012)

    Google Scholar 

  14. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 223. Springer, Heidelberg (1999)

    CrossRef  Google Scholar 

  15. Pan, X., Meng, X.: Preserving location privacy without exact locations in mobile services. Front. Comput. Sci. 7(3), 317–340 (2013)

    CrossRef  MathSciNet  Google Scholar 

  16. Saldamli, G., Chow, R., Jin, H., Knijnenburg, B.P.: Private proximity testing with an untrusted server. In: WISEC, pp. 113–118. ACM (2013)

    Google Scholar 

  17. Shu, X., Yao, D.D.: Data leak detection as a service. In: Keromytis, A.D., Di Pietro, R. (eds.) SecureComm 2012. LNICST, vol. 106, pp. 222–240. Springer, Heidelberg (2013)

    CrossRef  Google Scholar 

  18. Sun, J., Zhang, R., Zhang, Y.: Privacy-preserving spatiotemporal matching. In: INFOCOM, pp. 800–808. IEEE (2013)

    Google Scholar 

  19. Tonicelli, R., David, B.M., de Morais Alves, V.: Universally composable private proximity testing. In: Boyen, X., Chen, X. (eds.) ProvSec 2011. LNCS, vol. 6980, pp. 222–239. Springer, Heidelberg (2011)

    CrossRef  Google Scholar 

  20. von Watzdorf, S., Michahelles, F.: Accuracy of positioning data on smartphones. In: LocWeb, p. 2. ACM (2010)

    Google Scholar 

  21. Wicker, S.B.: The loss of location privacy in the cellular age. Commun. ACM 55(8), 60–68 (2012)

    CrossRef  Google Scholar 

  22. Zakhary, S., Radenkovic, M., Benslimane, A.: The quest for location-privacy in opportunistic mobile social networks. In: IWCMC, pp. 667–673. IEEE (2013)

    Google Scholar 

  23. Zheng, Y., Li, M., Lou, W., Hou, Y.T.: SHARP: private proximity test and secure handshake with cheat-proof location tags. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 361–378. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

Download references


The authors would like to acknowledge Marco Miani for the code used in producing Fig. 4.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Paolo Palmieri .

Editor information

Editors and Affiliations


A Bloom Filters Properties

The bloom filter is built as follows. Initially all bits are set to \(0\). Then, for each element \(a \in S\) and for each \(h \in H\) we calculate \(h\left( a\right) = i\), and set the corresponding \(i\)-th bit of \(b\) to \(1\). Thus, \(m\) bits are needed in order to store \(b\).

We test an element \(a_u\) against \(b\) to determine membership in \(S\), that is, we verify whether \(a_u \in S\) if

$$\begin{aligned} \forall h \in H, b\left[ h(a_u)\right] = 1. \end{aligned}$$

If any bit in \(b\) that corresponds to a value output by one of the hash functions for \(a_u\) is \(0\), then \(a_u \not \in S\). If, instead, all the hashes map to bits of value \(1\), then \(a_u \in S\) minus a false positive probability \(p\) determined by the number \(n\) of elements in \(S\), the number \(k\) of hash functions in \(H\) and the maximum possible value \(m\) output by the hash functions (equal to the binary length of \(b\)) as follows:

$$\begin{aligned} p = \left( 1 - \left( 1 - \frac{1}{m} \right) ^{kn} \right) ^k \approx \left( 1 - e^{-{\frac{kn}{m}}}\right) ^k. \end{aligned}$$

This small false positive probability is due to the potential collision of hashes evaluated on different inputs, resulting into all bits associated to an element outside the originating set having value \(1\). As such, it is determined largely by \(k\): if \(k\) is sufficiently small for given \(m\) and \(n\), the resulting \(b\) is sufficiently sparse and collisions are infrequent. If we consider the approximation in (15), we can calculate the optimal number of hashes \(k\) as

$$\begin{aligned} opt\left( k\right) = \frac{m}{n} \ln 2, \end{aligned}$$

from which we can infer

$$\begin{aligned} m = {\bigg \lceil }{-\frac{n \ln p}{\left( \ln 2\right) ^2}}{\bigg \rceil }. \end{aligned}$$

However, the number of hashes also determines the number of bits read for membership queries, the number of bits written for adding elements to the filter, and the computational cost of calculating the hashes themselves. Therefore, in constrained settings, we may choose to use a less than optimal \(k\), according to performance reasons, if the resulting \(p\) is considered sufficiently low for the specific application domain.

B More on Spatial Representation

The most natural spatial representation for Earth is the standard geographic coordinate system. In the geographic coordinate system every location on Earth can be specified by using a set of values, called coordinates. Standard coordinates are latitude, longitude and elevation. For the purposes of this work we focus on longitude and latitude only, as the combination of these two components is enough to determine the position of any point on the planet (excluding elevation or depth). The whole Earth is divided with 180 parallels and 360 meridians; the plotted grid resulting on the surface is known as the graticule (Fig. 4).

Fig. 4.
figure 4

An example of the planet’s surface and the grid plotted on it. \(\phi _1\) and \(\phi _2\) are longitude values while \(\lambda \) is a latitude value.

Longitude (lng) and latitude (lat) can be stored and represented according to several formats. In the following we use the decimal degrees plus/minus format, where latitude is positive if it is north of the equator (negative otherwise), and longitude is positive if it is east of the prime meridian (negative otherwise); for instance, \(31.456764^\circ \) (lat) and \(-85.887734^\circ \) (lng) are two possible values.

Using a fixed precision in longitude and latitude (that is, choosing a fixed number of decimal points for their values) allows us to easily divide the planet’s surface into a discrete grid. Since meridians get closer as they converge the poles, as can be seen in Fig. 4, the portions of the Earth’s surface defined by such a grid have varying areas depending on their position (Table 2). While the construction proposed in the following is not dependent on the size or shape of the regions, for simplicity in the discussion it is reasonable to approximate such portions to rectangles and assume they have the same area.

Table 2. Some reference values of accuracy using three decimal places for coordinate representation.

In actual applications, the precision in decimal points for longitude and latitude should reflect the expected error of the device or sensor used for learning the location information. The precision and accuracy of mobile devices in determining their geographic position were proved to vary considerably depending on the context (urban areas, rural areas, etc.) [20].

In a detailed experiment on the accuracy of GPS sensors installed on mobile devices, Blum et al. show that the location is reported with a precision varying from 10 to 60 meters, depending on the device orientation and type, and, in cities, on the surrounding buildings [3]. Hence, when designing a system based on mobile devices it would reasonable to consider regions with sides tens of meters long.

Rights and permissions

Reprints and Permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Palmieri, P., Calderoni, L., Maio, D. (2015). Spatial Bloom Filters: Enabling Privacy in Location-Aware Applications. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science(), vol 8957. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16744-2

  • Online ISBN: 978-3-319-16745-9

  • eBook Packages: Computer ScienceComputer Science (R0)