Post on 18-Jan-2016

A Hybrid Technique for Private Location-Based Queries with Database Protection

Gabriel Ghinita (1), Panos Kalnis (2), Murat Kantarcioglu (3), Elisa Bertino (1)

(1) Purdue University, (2) KAUST, (3) UT Dallas

Slide 3: Location-Based Services (LBS)

- LBS users carry mobile devices with GPS capabilities
- They issue spatial queries, e.g., nearest-neighbor (NN) queries: "Find closest hospital to my present location"
- The location server is NOT trusted

Problem statement: how to protect the identity and location of the query source?

Slide 4: Spatial Cloaking

- Privacy through Cloaking Regions (CRs)
- Spatial anonymity (e.g., CliqueCloak, Casper)
- Spatial diversity (PROBE)

Slide 6: Private Information Retrieval (PIR)

- The client sends a query q(i) for item i; it is computationally hard for the server to find i from q(i)
- Bob (the client) can easily recover X_i from the server's reply r using a trap-door

Slide 7: PIR Protocol for Binary Data

The server holds a 4 x 4 bit matrix X:

  0 1 0 1
  1 1 0 1
  0 1 0 1
  0 1 1 1

Goal: get the bit at row a, column b (labelled X10 on the slide), with a = 2, b = 3, N = 35.

Elements modulo N = 35 with Jacobi symbol +1, split by whether they are quadratic residues:

  QNR = {3, 12, 13, 17, 27, 33}
  QR = {1, 4, 9, 11, 16, 29}

In the protocol the client sends one value per column, y_1..y_4; y_b is a QNR and every other y_j is a QR. All of them have Jacobi symbol +1, so without the factorization of N the server cannot tell them apart. The slide's query values are 4, 16, 17, 33, with the QNR marked at the target column.

For each row i = 1..4 the server computes

$$z_i = \prod_{j=1}^{4} y_j^{\,(1 - X_{ij}) + 1} \pmod N,$$

i.e. the factor for column j is $y_j$ when $X_{ij} = 1$ and $y_j^2$ when $X_{ij} = 0$, and returns z_1, z_2, z_3, z_4.

The client only looks at the row it asked for and uses the trap-door (p, q with N = pq) to test residuosity:

  z_2 = QNR => X10 = 1
  z_2 = QR => X10 = 0

(The slide's figure also shows the values 27, 3, 27, 16 next to the z_i.)

[KO97] E. Kushilevitz and R. Ostrovsky. Replication is NOT needed: Single database, computationally-private information retrieval. In IEEE Symposium on Foundations of Computer Science, pages 364–373, 1997.
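The KO97 exchange above, worked through in code as an added example (this is not code from the slides or from the paper): the client builds the query y, the server folds each row into z_i, and the client decodes z_a with the p, q trap-door. Assumptions: N = 35 = 5 * 7 as on the slide (a toy modulus; a real deployment uses hundreds of bits), 0-based row and column indices, and the 4 x 4 matrix is the one drawn on the slide.

```python
from math import gcd
import random

# Constructed sample input: the 4 x 4 bit matrix shown on the slide.
SLIDE_MATRIX = [[0, 1, 0, 1], [1, 1, 0, 1], [0, 1, 0, 1], [0, 1, 1, 1]]

def legendre_pair(y, p, q):
    # Euler's criterion modulo each prime factor: this is the trap-door only the client holds.
    return (pow(y % p, (p - 1) // 2, p) == 1, pow(y % q, (q - 1) // 2, q) == 1)

def is_qr(y, p, q):
    # y is a quadratic residue mod N = p*q iff it is a residue mod p and mod q.
    return all(legendre_pair(y, p, q))

def client_query(p, q, t, b, rng):
    # y_1..y_t all have Jacobi symbol +1 (both Legendre symbols equal), so the server
    # cannot tell them apart; y_b is a non-residue, every other y_j is a residue.
    n, ys = p * q, []
    for j in range(t):
        while True:
            y = rng.randrange(2, n)
            lp, lq = legendre_pair(y, p, q)
            if gcd(y, n) == 1 and lp == lq and (lp and lq) == (j != b):
                ys.append(y)
                break
    return ys

def server_answer(matrix, ys, n):
    # z_i = prod_j y_j^(2 - X_ij) mod N: factor y_j where X_ij = 1, y_j^2 where X_ij = 0.
    # The server never learns which column was asked for.
    zs = []
    for row in matrix:
        z = 1
        for x, y in zip(row, ys):
            z = z * pow(y, 2 - x, n) % n
        zs.append(z)
    return zs

def pir_lookup(matrix, a, b, p, q, seed=0):
    # Full round trip for bit X_ab (0-based). z_a is a non-residue exactly when X_ab = 1,
    # because every other factor of z_a is a square; the client checks it with the trap-door.
    rng = random.Random(seed)
    ys = client_query(p, q, len(matrix[0]), b, rng)
    zs = server_answer(matrix, ys, p * q)
    return 0 if is_qr(zs[a], p, q) else 1
```

With p = 5 and q = 7 the residue classes computed by legendre_pair reproduce the QR and QNR sets listed on the slide.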

Slide 8: Approximate Nearest Neighbor

- Data organized as a square matrix; each column corresponds to an index leaf
- An entire leaf is retrieved: the one closest to the user

(Figure: POIs p1..p9 partitioned into leaves, with the user location u.)

Slide 9: Motivation

- Spatial cloaking: cheap, but vulnerable
- PIR: secure, but expensive
- Both cause severe disclosure of POI information: O(|D|) and O(√|D|), respectively

Slide 10: Hybrid Approach Overview

- Apply PIR to a dynamic window
- Hide the enclosure relationship
- Minimize leaf fragmentation

(Figure: the dataspace with a CR; the POI index with leaf nodes a, b, c, d, e, f; the CR covers leaves a, b, c, which form the PIR matrix.)

Slide 11: Homomorphic Encryption (Paillier)

- Plaintext space Z_N; ciphertexts are computed mod N²
- E[m1] · E[m2] = E[m1 + m2] (mod N²)
- E[m]^r = E[r · m] (mod N²)

Protocol to determine sign(b − a) privately: Paillier encryption + random blinding. Used for private point-rectangle enclosure.

Slide 12: Private Evaluation of (b − a)

Assumption: |a − b| < M, with M << N.

  A: m1 = N − a        --- E[m1] -->
  B: m2 = b            <-- E[m1 + m2] ---
  A: res = D[E[m1 + m2]] = (b − a) mod N

Position of res on the line 0 .. M .. N−M .. N−1: if a ≤ b then res lies in [0, M); if a > b then res lies in (N−M, N−1].

Slide 13: Private Evaluation of sign(b − a)

Assumption: |a − b| < M, M << N, and B picks a random blinding factor r < N/(2M), so that r · |b − a| < N/2.

  A: m1 = N − a        --- E[m1] -->
  B: m2 = b            <-- E[m1 + m2]^r ---
  A: res = D[E[m1 + m2]^r] = r · (b − a) mod N

Position of res on the line 0 .. M .. N−M .. N−1: res < N/2 exactly when a ≤ b, and res > N/2 when a > b. The blinding factor r hides the magnitude of b − a from A; only its sign is revealed.

Slide 14: Fragmentation-aware Indexing

Assume the disclosure threshold is 3. (Figure: median split compared with our approach.)

Slide 15: Experimental Settings

- Dataset: Sequoia, 62K POI
- Modulus up to 1280 bits
- P4, 2.8 GHz CPU

Slide 16: POI Disclosure (figure)

Slide 17: Execution Time (figure)

Slide 18: Communication Overhead (figure)

Slide 19: Conclusions

Hybrid LBS privacy:
- Limit the amount of POI disclosure
- Reduce processing overhead

Future work:
- Support more complex types of queries
- Apply fully homomorphic functions
- Investigate less costly PIR protocols
