Privacy-Preserving Reverse Nearest Neighbor Query Over Encrypted Spatial Data

This paper proposes a method for privacy-preserving reverse nearest neighbor queries over encrypted spatial data stored on a cloud server. It introduces a new encryption technique called reference-locked order-preserving encryption that reveals less information than traditional order-preserving encryption. It then presents a static scheme called sPPRNN and a dynamic scheme called dPPRNN that allow reverse nearest neighbor queries to be performed without revealing the raw spatial data.


2954 IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL. 15, NO. 5, SEPTEMBER/OCTOBER 2022

Privacy-Preserving Reverse Nearest Neighbor Query Over Encrypted Spatial Data

Xiaoguo Li, Tao Xiang, Member, IEEE, Shangwei Guo, Hongwei Li, Senior Member, IEEE, and Yi Mu, Senior Member, IEEE

Abstract—With the advent of cloud computing, it has become more and more popular to outsource various services to the cloud for
releasing the burden of local data storage and maintenance. However, it may cause serious privacy problems because the cloud may
be untrusted. In this article, we study the privacy-preserving reverse nearest neighbor (PPRNN) query over encrypted spatial data.
First, we introduce the concept of reference-locked order-preserving encryption (RL-OPE) with its construction and security proof,
which reveals less information than traditional order-preserving encryption (OPE). Then, we present a novel PPRNN scheme in static
setting based on structured encryption (SE) and the proposed RL-OPE, called sPPRNN. After that, we design a generic method that
extends a PPRNN scheme in static setting to the counterpart in dynamic setting, called dPPRNN. Furthermore, we present a thorough
privacy analysis of our proposal. Finally, we demonstrate its efficiency and effectiveness for practical deployment through extensive
experiments.

Index Terms—Cloud storage, services computing, reverse nearest neighbor query, order-preserving encryption

1 INTRODUCTION

THE continuing growth of cloud computing is leading companies to outsource the management of large-sized data to commercial public clouds due to its appealing characteristics such as resource-sharing and low maintenance. Data storage is one of the most fundamental services offered by cloud service providers (CSPs) [1]. The CSPs supply not only software or hardware resources to host outsourced data, but also mechanisms for clients to create, access, update, and even analyze their outsourced data.

However, directly outsourcing user data to CSPs may lead to many security problems because CSPs may not be from a trusted domain. For decades, many researchers have been focusing on how to design a promising way that not only protects the data privacy, but also makes the data available. The solutions are different and diverse for the following reasons. First, they are based on different technologies, such as secret key encryption [2], [3], [4] or public key encryption [5]. Second, they are based on different datasets, such as relational database [6], keyword dataset [7], [8], or spatial dataset [9], [10], [11]. Third, they are designed for different query types, such as delegated search [7], [12], k-nearest neighbor (kNN) query [13], [14], [15], [16], range query [10], [17], [18], [19], and group nearest neighbors [20].

Many studies have been done to protect the data privacy from the CSPs for different query types, but there is very little research about privacy-preserving reverse nearest neighbor (PPRNN) query [21]. The task of a nearest neighbor (NN) query is to find the set of points that are closest to a query point, while the task of a reverse nearest neighbor (RNN) query is to find the set of points that have the query point as their nearest neighbor. The results reflect the “influence effect” of the query point, and it has many practical applications in location-based services [22] including business location planning, taxi dispatching, heat map drawing, etc. Consider the scenario of customer profile analysis, which can be used by a media company to push specific multimedia information (e.g., news articles, advertisements, propaganda films) to some customers: an RNN query can be employed to identify a set of customers such that the specific multimedia information is closest to their profiles.

There are two research lines to achieve privacy-preserving RNN queries. One research line is to protect the query point [9], [23], while the other one is to answer RNN queries over encrypted data. In this paper, we focus on the latter. Tzouramanis et al. proposed a secure reverse kNN query scheme over encrypted data [24]. However, their approach only works on a static data set, and fails to outsource new data to the cloud server. So far, it is still challenging to support dynamic operation while providing RNN queries. In this scenario, the data owner can outsource new data at any time period, and any authorized user can enjoy

Xiaoguo Li is with the Department of Computer Science, Hong Kong Baptist University, Kowloon Tong, Hong Kong. E-mail: [email protected].
Tao Xiang is with the College of Computer Science, Chongqing University, Chongqing 400044, China, and also with the Key Laboratory of Dependable Service Computing in Cyber Physical Society, Ministry of Education, Chongqing University, Chongqing 400044, China. E-mail: [email protected].
Shangwei Guo is with the School of Computer Science and Engineering, Nanyang Technological University, Singapore 639798. E-mail: shangwei.[email protected].
Hongwei Li is with the School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China. E-mail: [email protected].
Yi Mu is with the School of Mathematics and Computer Science, Fujian Normal University, Fuzhou 350000, China. E-mail: [email protected].
Manuscript received 2 April 2020; revised 8 November 2020; accepted 8 March 2021. Date of publication 11 March 2021; date of current version 7 October 2022.
(Corresponding author: Tao Xiang.)
Digital Object Identifier no. 10.1109/TSC.2021.3065356
1939-1374 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:20:09 UTC from IEEE Xplore. Restrictions apply.

RNN services from the cloud without leaking the original data stored on the cloud server.

In this paper, we first propose a PPRNN scheme in the static setting (called sPPRNN), which not only protects the data privacy, but also provides an efficient RNN query service. This proposal can be applied in the previous scenario about customer profile analysis: the media company encrypts the dataset about customers and their interests, and uploads the encrypted dataset to the cloud; the company then derives a trapdoor from specific multimedia information, and issues the trapdoor to the cloud; the cloud follows what we propose in this paper and responds with encrypted RNN results; finally the company decrypts the results to a set of customers and then pushes the multimedia information to them. Afterwards, the media company may attract many new customers and have a larger customer group, so the company wishes to upload new customers’ information to the cloud and enjoy a better service in the future. To solve this problem, we further propose a PPRNN scheme in the dynamic setting (called dPPRNN). The dPPRNN scheme not only has the same functionality and security requirements as the sPPRNN scheme, but also allows the data owner to upload a new encrypted dataset to the cloud server.

More specifically, two supportive technologies, structured encryption (SE) and order-preserving encryption (OPE), are employed for preserving the privacy of the data. They are the building blocks in our construction of sPPRNN. Structured encryption allows us to query the neighbors in the encrypted data set, and OPE allows us to check whether a point is the nearest neighbor of another point in a privacy-preserving manner. A novel technology, reference-locked order-preserving encryption (RL-OPE), is proposed by using different OPE secret keys to encrypt different data. RL-OPE only leaks the order information of the distances between a fixed node and its neighbors (local order information), while a traditional OPE may leak the global order information. In the construction of dPPRNN, we solve two challenging problems: 1) In a Delaunay triangulation, how to find the triangle that contains the inserted point in a privacy-preserving manner? 2) How to determine whether a triangle satisfies the empty circle property in a privacy-preserving manner? The solutions to these two challenging problems can be utilized by the cloud to insert a new point into the encrypted outsourced data.

Contributions. Our contributions are summarized as follows:

• We introduce the concept of reference-locked order-preserving encryption (RL-OPE). We define RL-OPE and its security formally, and present a generic way for constructing an RL-OPE by employing any OPE construction with IND-OCPA as the black box. We also prove that the proposed RL-OPE has the desired properties and achieves the same security as the underlying OPE.
• We formulate the problem of privacy-preserving reverse nearest neighbor query (PPRNN) and propose a PPRNN scheme in the static setting (sPPRNN). Structured encryption is employed to allow the cloud server to query the neighbors in the encrypted data set; RL-OPE is proposed to check whether a point is the nearest neighbor of another point, and it only leaks local order information rather than global order information as in traditional OPE.
• We propose a PPRNN scheme in the dynamic setting (dPPRNN). The proposed dPPRNN allows the data owner to upload new encrypted points to the cloud server. In the construction of dPPRNN, we solve two challenging problems: 1) finding a triangle that contains the inserted point in a Delaunay triangulation in a privacy-preserving manner; 2) determining whether a triangle satisfies the empty circle property in a privacy-preserving manner.
• We provide a formal privacy analysis of the proposed sPPRNN and dPPRNN. We evaluate our proposal from both the theoretical view and the experimental view. In the experiments, we measure the time costs of the algorithms in our proposal, and also count the influenced triangles in a Delaunay triangulation when we insert a new data point. The experimental results validate the theoretical analysis and demonstrate its effectiveness and efficiency for practical deployment.

Organization. The rest of this paper is organized as follows. In Section 2, we review the related work. In Section 3, we present necessary preliminaries. In Section 4, we formulate the problem and design the framework. In Section 5, we introduce and formulate the new concept RL-OPE. In Section 6, we describe our constructions of sPPRNN and dPPRNN in detail, followed by the privacy analysis in Section 7. In Section 8, we give the experimental performance evaluation of our schemes. Finally, we conclude our paper in Section 9.

2 RELATED WORK

2.1 Secure kNN Search
In recent decades, many solutions to the secure kNN problem have been proposed, because kNN is of great significance in many applications such as location-based service (LBS), similarity search, and data mining. In [14], Wong et al. suggested achieving kNN by distance comparison, in which asymmetric scalar-product-preserving encryption (ASPE) is employed as the building block, and different encryption schemes are leveraged to encrypt the data and the query, but all query users have the same decryption key. In [25], a novel kNN method is proposed in which the decryption key is not leaked to query users. The scheme is interactive and query users have to get the search token from the data owner during the query procedure. In [26], Hu et al. proposed to process private queries using a privacy homomorphism encryption scheme, which is proposed in [27]. However, both schemes in [14] and [26] cannot resist chosen-plaintext attacks. In [28], a partition Voronoi diagram based scheme is proposed, but query users can only retrieve a relevant encrypted candidate set from the cloud, which is a superset containing the k-nearest neighbors of the query point. In [29], Su et al. focused on the privacy-preserving spatial keyword query problem, and they develop an anchor-based position determination method to provide boolean spatial keyword queries to the customers.

2.2 Secure RNN Search
Following the success of secure kNN search, there is a growing interest in designing secure RNN search. The RNN


problem is another basic query type in many location-based applications. Its goal is to find the set of points that have the query point as their nearest neighbor. Several works have been done to answer the RNN query securely. In [9], Lin et al. leveraged anonymization techniques to protect the privacy of the mobile user’s location. In [23], the authors employed a cloaking region to hide the query input while submitting a query to the service provider. In [30], Yilmaz et al. suggested providing optimal location selection services with differential privacy. Besides, the private information retrieval (PIR) technique is employed to protect the query point [31]. However, all the above approaches focus on the protection of the query point, and they assume that all data are stored without encryption. In this paper, we focus on answering RNN queries over encrypted data. In [24], a secure reverse kNN search was proposed to protect not only the privacy of the data consumer’s query point, but also the data set. However, it only works on static spatial data and thus cannot work in the dynamic setting.

3 PRELIMINARIES

3.1 NN and RNN
We define the NN query and the RNN query as follows. Let P be a plane and d(p, q) be an appropriate distance definition where p, q ∈ P.

Definition 1. (Nearest neighbor query, NN [32]). Given a point set D such that D ⊆ P and a query point q ∈ P, the task of the NN query is to find the neighbor set NN(q) such that

$$\mathrm{NN}(q) = \{\, r \in D \mid \forall p \in D : d(q, r) \le d(q, p) \,\}. \quad (1)$$

Definition 2. (Reverse nearest neighbor query, RNN [32]). Given a point set D such that D ⊆ P, and a query point q ∈ P, the task of the RNN query is to find the neighbor set RNN(q) such that

$$\mathrm{RNN}(q) = \{\, r \in D \mid \forall p \in D : d(r, q) \le d(r, p) \,\}. \quad (2)$$

3.2 Voronoi Diagram and Delaunay Triangulation
Let D = {p1, p2, ..., pn} be a set of distinct points in an m-dimensional space R^m. The Voronoi diagram [33] of D is a partitioning of R^m into n regions, such that each region contains only one point of D, say pi, and all points in this region are closer to pi than to any other point of D. Each region is called a Voronoi cell and the point pi in that region is the generator of the Voronoi cell. If two generators share a common edge, they are Voronoi neighbors. The Delaunay triangulation is the dual graph of the Voronoi diagram, obtained by connecting all the Voronoi neighbors. Fig. 1 shows an example, where dashed lines belong to the Voronoi diagram and solid lines belong to the Delaunay triangulation, and the polygons consisting of dashed lines are Voronoi cells. Given any point set D, we denote the method to generate the Delaunay triangulation by DG ← Triangulate(D).

Fig. 1. Voronoi diagram and Delaunay triangulation.

Proposition 1. Let DG be the Delaunay triangulation of a point set D, then for any point q ∈ D, we have

$$\mathrm{RNN}(q) \subseteq \Gamma(q), \quad (3)$$

where RNN(q) is the point set of the RNN query and Γ(q) is the point set of the neighbors of q in the Delaunay triangulation DG. Especially in the two-dimensional plane R², let E(Γ(q)) be the expected number of neighbors for any point q, then we have that

$$|E(\Gamma(q))| \le 6. \quad (4)$$

Proof. The proof includes two parts. First, we prove the correctness of Eq. (3) by contradiction. Assume there exists a point r ∈ RNN(q) but r ∉ Γ(q). r ∈ RNN(q) means that for any point p, we have that d(r, p) ≥ d(r, q). Since the Delaunay triangulation is transformed from the Voronoi diagram, r ∉ Γ(q) implies there exists a point p ∈ Γ(q) such that d(r, p) < d(r, q). Obviously, the assumption does not hold because of the contradiction. This completes the proof. Second, we prove the correctness of Eq. (4). From [34], we know that the average number of Voronoi edges per Voronoi polygon does not exceed 6 in R². In the Delaunay triangulation, each neighbor of a vertex is transformed from one Voronoi edge, therefore the average number of neighbors per vertex does not exceed 6 either. It concludes that |E(Γ(q))| ≤ 6. □

3.3 Structured Encryption
Structured encryption [35] is introduced for encrypting structured data (e.g., collections, matrices, graphs) so that it can be efficiently and privately queried. Specifically, structured encryption allows a user to query the encrypted structured data with a query-specific token generated from a secret key. A structured encryption scheme is initialized by a security parameter λ, which measures how hard it is to break the structured encryption. Formally, it comprises four polynomial-time algorithms SE = (KeyGen, Enc, Token, Query). Given a security parameter λ as input, the probabilistic algorithm KeyGen outputs a private key K. Given a private key K and a data structure δ as inputs, the probabilistic algorithm Enc outputs an encrypted data structure γ. Given a private key K and a query q as inputs, the algorithm Token (probabilistic or deterministic) outputs a query token τ. Given an encrypted data structure γ and a token τ as inputs, the deterministic algorithm Query outputs the result of the query.

A structured encryption for graph data, called graph encryption [35] in the following, will be employed in this paper to encrypt the Delaunay triangulation. A graph encryption scheme is denoted as Graph = (KeyGen, Enc, Token, Neigh), which supports neighbor queries. Formally, for any graph G = (V, E), we can employ Graph to encrypt the graph G by running γ ← Enc(K, G). Let v ∈ V be a vertex in the graph, and Γ(v) be the neighbors of v. Then the search


token can be derived from τ ← Token(K, v). Finally, we can recover the neighbors of v by Γ(v) ← Neigh(γ, τ).

4 PROBLEM FORMULATION

4.1 System Model
As depicted in Fig. 2, there are three different entities in our system: data owner, data user, and cloud server. To reduce the local maintenance of data storage, the data owner outsources its spatial dataset (a set of points) to the cloud server, and the data user (or the data owner) would like to have the capability of searching over the outsourced spatial dataset on the cloud server. In our work, we focus on RNN queries over outsourced spatial data, in which each data record and the query can be denoted as a point. The goal of an RNN query is to retrieve the point set in which each point has the query point as its nearest neighbor.

Fig. 2. The system model.

4.2 Threat Model
An “honest-but-curious” threat model is considered for the cloud server in our paper. It means that the cloud server executes the designated instructions correctly. At the same time, it tries to learn private information about data records and RNN queries not only based on the stored encrypted data and all the data packages exchanged during protocol runs, but also based on some additional background knowledge about the original data it may have. To avoid private information leakage, the data owner only stores the encrypted form of its spatial dataset on the cloud server, and a client (data user or data owner) only submits the encrypted query version (i.e., a search token) of its RNN query to the cloud server. To capture the threat model in real life, we consider the scenario where the data of the owner is sampled from multiple data sources, and the data sources may collude with the cloud server. Therefore, the cloud server may have background knowledge about the data. According to different background knowledge, we discuss three levels of attackers in the following. In summary:

• Level 1: the cloud server only possesses the public system parameters, the ciphertexts, and the communications among all entities. This is the case where all parties in the protocol follow the protocol honestly and the cloud server has no background knowledge.
• Level 2: besides the knowledge in Level 1, the cloud server also gets some background knowledge about the original data. In this paper, we assume that the cloud knows a small point subset of the original point set. It reflects the truth in our life that some data sources know at least their own data, which is a subset of the whole point set. Therefore, our design is required to resist this kind of attacker.
• Level 3: besides the knowledge in Level 2, the cloud server is assumed to know not only the subset of the original point set, but also their corresponding ciphertexts. This attack may happen because the access pattern may reveal the linkage relation between an original point and its corresponding ciphertext, especially when the cloud server and some data sources collude with each other. Therefore, it is important to design such a protocol against a Level 3 attack.

With the above three attacker levels, the attacker may want to learn the concrete position information of the query or of some encrypted data points. Naturally, a secure protocol supporting RNN queries should only leak the order of the distances away from the query points. This order is named local order information in the following. A reasonable attacker may want to deduce more sensitive information beyond the local order information. In this paper, we present a PPRNN scheme that only leaks the local order information of the query point.

4.3 Framework
In this section, we depict the general framework of our PPRNN scheme; the framework includes the following four phases.

1) Key generation phase: the data owner generates system parameters (secret keys and public keys), which are used in the following phases. Secret keys are stored locally and granted to authenticated data users; public keys are published to all entities in our system model (including adversaries).
2) Data outsourcing phase: the data owner encrypts data records with secret keys and then outsources the encrypted data to the cloud server. Specifically, encrypted indices are generated, on which one can achieve the search task if one has a search token.
3) Data query phase: an authenticated user generates a search token and submits the search token to the cloud server. The cloud server searches over the encrypted records (encrypted indices), and then sends the search results to the user.
4) (Optional) Data insert phase: the data owner generates an update token with secret keys and submits the update token to the cloud; then the cloud can insert data items into the encrypted dataset. This phase is only required in the dynamic setting.

We now define the PPRNN formally. The scheme in the static setting is called sPPRNN, and in the dynamic setting it is called dPPRNN.

Definition 3. (PPRNN in static setting, sPPRNN). A privacy-preserving reverse nearest neighbor query in the static setting consists of four polynomial-time algorithms Πs = (KeyGen, Enc,


SrchToken, Search). In detail, these algorithms can be formulated as follows.

• (SK, PP) ← KeyGen(1^λ): is a probabilistic key generation algorithm run by the data owner to generate secret keys and public system parameters. It takes a security parameter λ as input, and outputs a secret key SK and public parameters PP.
• C ← Enc(SK, D): is a probabilistic (or deterministic) algorithm run by the data owner to encrypt a set of data items. It takes a secret key SK and a dataset D = {p1, ..., pn} as inputs, where pi is a point in R² for 1 ≤ i ≤ n, and outputs the encrypted dataset C = {c1, ..., cn}.
• TK ← SrchToken(SK, q): is a probabilistic (or deterministic) algorithm run by the data owner to generate a secure search token. It takes a secret key SK and an RNN query q as inputs, where q ∈ D, and outputs a search token TK.
• Iq ← Search(TK, C): is a deterministic algorithm run by the cloud server to search over encrypted data. It takes a search token TK and an encrypted dataset C as inputs, and returns a set of identifiers Iq, where each Ii is the identifier of the data record pi, and Ii ∈ Iq if the query point q is the nearest neighbor of pi.

Correctness. We say that the above sPPRNN is correct if for all λ, and all SK, C, and TK returned by Πs, we have

• If q is the nearest neighbor of pi: Search(TK, C) = Iq, where Ii ∈ Iq;
• If q is not the nearest neighbor of pi: Search(TK, C) = Iq, where Ii ∉ Iq.

The definition of PPRNN in the dynamic setting is similar to the definition in the static setting, and it allows the data user to insert a record into the encrypted dataset. Formally,

Definition 4. (PPRNN in dynamic setting, dPPRNN). A privacy-preserving reverse nearest neighbor query in the dynamic setting consists of five polynomial-time algorithms Πd = (KeyGen, Enc, SrchToken, Search, InstToken, Insert) such that:

• (SK, PP) ← KeyGen(1^λ): the same as Definition 3.
• C ← Enc(SK, D): the same as Definition 3.
• TK ← SrchToken(SK, q): the same as Definition 3.
• Iq ← Search(TK, C): the same as Definition 3.
• iTK ← InstToken(SK, p): is a probabilistic (or deterministic) algorithm run by the data owner to generate an insert token. It takes a secret key SK and a point p as inputs, and outputs an insert token iTK.
• C′ ← Insert(iTK, C): is a deterministic algorithm run by the server to insert a data item. It takes an insert token iTK and an encrypted dataset C as inputs, and returns an updated encrypted dataset C′.

Correctness. We say that the above dPPRNN is correct if for all λ, and all SK, C, TK, iTK, and C′ returned by Πd, we have

• If q is the nearest neighbor of pi: Search(TK, C′) = Iq, where Ii ∈ Iq;
• If q is not the nearest neighbor of pi: Search(TK, C′) = Iq, where Ii ∉ Iq.

Fig. 3. Example for RL-OPE.

5 REFERENCE-LOCKED ORDER-PRESERVING ENCRYPTION
In this section, we introduce a novel supporting mechanism: reference-locked order-preserving encryption (RL-OPE), which serves as the foundation of our proposed scheme. Order-preserving encryption [6] only reveals the order information to the adversary [36], [37], [38], so that we can compare numeric data in its encrypted domain. It means that if x < y, then Enc(K, x) < Enc(K, y) for any secret key K derived from KeyGen. But as shown in Fig. 3, traditional OPE not only reveals the information d(c1, c2) < d(c2, c3) ⇔ d(p1, p2) < d(p2, p3) and d(c2, c3) < d(c3, c4) ⇔ d(p2, p3) < d(p3, p4), where d(ci, cj) and d(pi, pj) are the Euclidean distances in the ciphertext space and the plaintext space, respectively. It also reveals d(c1, c2) > d(c3, c4), which implies that d(p1, p2) > d(p3, p4). Therefore, for large graphs, traditional OPE leaks the global order information.

To resolve this problem, we propose a novel RL-OPE that only reveals local order information to the cloud server, which is sufficient to achieve the RNN query. Specifically, RL-OPE allows the cloud server to compare the encrypted numeric data without revealing the plain data, as traditional OPE does, while it only leaks the local order information related to a reference object (e.g., a numeric value, a point, a string identity). Our core idea is shown in Fig. 3. RL-OPE maps the original points to several different spaces, which makes comparisons across these ciphertext spaces meaningless. Specifically, d(c1, c2) > d(c3, c4) ⇏ d(p1, p2) > d(p3, p4).

5.1 Definition
Definition 5. A reference-locked order-preserving encryption should consist of four polynomial-time algorithms RL-OPE = (Setup, KeyGen, Enc, Dec). These algorithms can be formulated in detail as follows.

• MK ← Setup(1^λ): on input a security parameter 1^λ, the data owner runs this algorithm to generate a master key MK.
• SKe ← KeyGen(MK, e): on input the master key MK and a reference object e, the data owner runs this algorithm to generate a secret key SKe related to the reference object.
• c ← Enc(SKe, x): on input the secret key SKe and a numeric datum x, the data owner runs this algorithm to produce a ciphertext c.
• x ← Dec(SKe, c): on input the secret key SKe and the ciphertext c, the user who has SKe can decrypt c to x.

Correctness. The correctness of an RL-OPE scheme should include two aspects: correct decryption and correct comparison.


1) Correct decryption. For all λ ∈ ℕ, MK ← Setup(1^λ) and SKe ← KeyGen(MK, e) for any e, and c ← Enc(SKe, x) for any x, we have that Dec(SKe, c) = x.
2) Correct comparison. For any numeric data x and y, we have that Enc(SKe, x) < Enc(SKe, y) if and only if x < y.

The security of an RL-OPE scheme should also include two aspects: ciphertext security and reference-locked security.

1) Reference-locked security. For any different reference objects e1 and e2, and any numeric data x and y, it is hard to compare x and y given Enc(SKe1, x) < Enc(SKe2, y).
2) Ciphertext security. To capture the ciphertext security of RL-OPE, we define the indistinguishability under selective reference, ordered chosen plaintext attack (IND-sR-OCPA) of RL-OPE between a challenger and an adversary as follows.
   • Setup: The challenger runs algorithm Setup to generate a master key MK.
   • Queries: In this phase, the adversary can submit two kinds of queries.
     – The adversary can submit a reference object e to the challenger; the challenger runs algorithm KeyGen to generate the secret key SKe and sends SKe to the adversary.
     – The adversary can also submit a reference object e and a numeric datum x to the challenger; the challenger responds to the adversary with the ciphertext c by first generating SKe and then encrypting x to c using algorithm Enc.
   • Challenge: The adversary chooses a reference object e and two sequences x0 = {x01, x02, ..., x0n} and x1 = {x11, x12, ..., x1n}. Let S be the set of numeric data that has been issued to the challenger in the Queries phase. x0 and x1 should satisfy that
     – For any 1 ≤ i ≤ n, x0i ∈ S or x1i ∈ S implies that x0i = x1i.
     – For any 1 ≤ i, j ≤ n with x0i ∉ S and x0j ∉ S, x0i < x0j implies that x1i < x1j.
     The challenger chooses a random bit b, encrypts each numeric datum in xb, and sends them to the adversary.
   • Guess: The adversary guesses which sequence is encrypted and outputs a bit b′. The adversary wins if b′ = b.

5.2 Construction
Now we show that any OPE construction with IND-OCPA security defined in [36] implies an RL-OPE construction with IND-sR-OCPA security defined above. We first present a general

takes x as input and outputs a random value in the range (−m/2, m/2). We present the detailed construction of our RL-OPE in Algorithm 1.

Algorithm 1. Generic RL-OPE
1: function Setup(1^λ)
2:   Choose a random element MK from key space K
3:   return MK
4:
5: function KeyGen(MK, e)
6:   Encode the pair (MK, e) into a binary string s
7:   Choose a random pair (me, ne) for e where me > 2
8:   Run algorithm Ke ← OPE.KeyGen(1^λ)
9:   return SKe = {Ke, me, ne}
10:
11: function Enc(SKe, x)
12:   Parse SKe as {Ke, me, ne}
13:   Choose a random r and compute oe ← H_{Ke,me}(r)
14:   Run algorithm c′ ← OPE.Enc(Ke, x)
15:   return (c = me · c′ + ne + oe, r)
16:
17: function Dec(SKe, (c, r))
18:   Parse SKe as {Ke, me, ne}
19:   Compute oe ← H_{Ke,me}(r)
20:   Calculate c′ ← (c − ne − oe)/me
21:   Run algorithm x ← OPE.Dec(Ke, c′)
22:   return x

5.3 Correctness Proof
The following two propositions (Propositions 2 and 3) show that our RL-OPE not only achieves correct decryption, but also correct comparison.

Proposition 2. Our proposed RL-OPE can decrypt a ciphertext correctly.

Proof.

$$\begin{aligned}
\mathrm{Dec}(SK_e, c) &= \mathrm{OPE.Dec}(K_e, (c - n_e - o_e)/m_e) \\
&= \mathrm{OPE.Dec}(K_e, c') \\
&= \mathrm{OPE.Dec}(K_e, \mathrm{OPE.Enc}(K_e, x)) \\
&= x.
\end{aligned}$$

The second “=” holds because both the encryption algorithm and the decryption algorithm produce the same noise oe. This completes the proof. □

Proposition 3. Our proposed RL-OPE can compare two ciphertexts correctly.

Proof.

x < y
construction of RL-OPE, which employs any implementation
of OPE as a black box, and then prove the security of our , OPE:EncðKe ; xÞ < OPE:EncðKe ; yÞ
generic RL-OPE. All parameters involved in the scheme are , OPE:EncðKe ; xÞ þ 1  OPE:EncðKe ; yÞ:
assumed to be integers. If not, we can adjust all values to inte-
gers by right shifting the decimal points [39]. The first “,” holds because of the property of underly-
Let H : f0; 1g ! K be a collision resistant hash function, ing OPE scheme. The second “,” holds because of our
where K be the key space of OPE. HK;m ðxÞ be a random assumption that all parameters in the scheme should be
function family, and for any hash function H K;m ðxÞ H, it integers. Since me is a positive integer, we have

  me·OPE.Enc(Ke, x) + me/2 ≤ me·OPE.Enc(Ke, y) − me/2.   (5)

Since oe ∈ (−me/2, me/2), we have

  me·OPE.Enc(Ke, x) + oex < me·OPE.Enc(Ke, x) + me/2,   (6)

and

  me·OPE.Enc(Ke, y) − me/2 < me·OPE.Enc(Ke, y) + oey.   (7)

Combining Eqs. (5), (6), and (7), we obtain that Enc(SKe, x) < Enc(SKe, y). This completes the proof. □

From the above proofs, our RL-OPE achieves correct decryption and correct comparison based on the correctness of the underlying OPE. Besides, our RL-OPE requires that the ciphertext of the underlying OPE is a real value. In fact, this condition can be met by any monotonically increasing transformation that maps the ciphertext of the underlying OPE to the real space. Therefore, the correctness of our RL-OPE holds for any OPE implementation.

6 PROPOSED PPRNN SCHEME
In this section, we first investigate PPRNN in the static setting, called sPPRNN. Then we design a generic method that extends a PPRNN scheme in the static setting to its counterpart in the dynamic setting, called dPPRNN.

6.1 PPRNN in Static Setting
Before presenting the detailed construction, it is instructive to understand the intuition behind it. From Proposition 1, the result of an RNN query is a subset of the query point's neighbors in the Delaunay triangulation. The main idea of our construction is to find the neighbor set of the query and then to check each point in that neighbor set. If the query point is the nearest neighbor of the checked point, the checked point is added to the result set. This process is not time-consuming because of Eq. (4).

To preserve data privacy, we employ two building blocks in our construction: structured encryption Graph = (KeyGen, Enc, Token, Neigh) [35] and reference-locked order-preserving encryption RL-OPE = (Setup, KeyGen, Enc, Dec). Structured encryption Graph allows us to query the neighbors in the encrypted data set, and RL-OPE allows us to check whether a point is the nearest neighbor of another point in a privacy-preserving manner.

Now we present the details of our proposed sPPRNN. sPPRNN is a tuple of four polynomial-time algorithms Ps = (KeyGen, Enc, SrchToken, Search). Let Ii be the encrypted identifier of the corresponding point pi ∈ D; it can be realized by any symmetric encryption with semantic security. We abbreviate its computation as Ii ← SymEnc(pi). Specifically, we present the detailed solution in Algorithm 2. Table 1 shows some useful notations employed in the following algorithms.

TABLE 1
Notations

Notation   Description
DG         The graph after Delaunay triangulation
g          Encrypted graph by structured encryption
R          Encrypted index by RL-OPE
dij        The distance between points pi and pj
d'ij       The RL-OPE ciphertext of the distance between points pi and pj
I_q        Query results for query point q

Algorithm 2. PPRNN in Static Setting
 1: function KeyGen(1^λ)
 2:   K1 ← Graph.KeyGen(1^λ)
 3:   K2 ← RL-OPE.Setup(1^λ)
 4:   return SK = (K1, K2), PP = {λ, Graph}
 5:
 6: function Enc(SK, D)
 7:   R ← ∅
 8:   DG ← Triangulate(D)
 9:   g ← Graph.Enc(K1, DG)
10:   for each node pi in DG do
11:     Ii ← SymEnc(pi)
12:     K2,i ← RL-OPE.KeyGen(K2, Ii)
13:     Find the neighbors G(pi) of pi
14:     for each point pj ∈ G(pi) do
15:       Compute the distance dij ← d(pi, pj)
16:       d'ij ← RL-OPE.Enc(K2,i, dij)
17:       Add (Ij, d'ij) to list R[i]
18:   return C = (g, R)
19:
20: function SrchToken(K1, q)
21:   t ← Graph.Token(K1, q)
22:   Iq ← SymEnc(q)
23:   return TK = (Iq, t)
24:
25: function Search(TK, C = (g, R))
26:   I_q ← ∅
27:   G(q) ← Graph.Neigh(g, t)
28:   for each pk ∈ G(q) do
29:     Find the smallest d'kj in R[k]
30:     if Ij = Iq then
31:       I_q ← I_q ∪ {Ik}
32:   return I_q

In the KeyGen algorithm, the data owner invokes Graph.KeyGen and RL-OPE.Setup to obtain the keys SK = (K1, K2) and PP = {λ, Graph}. Then in the Enc algorithm, the owner first generates an encrypted graph g by the structured encryption Graph.Enc with inputs K1 and DG, where DG is the Delaunay triangulation. Then for each node pi, a list R[i] is stored, and each element in the list has the form (Ij, d'ij). (Ij, ·) is in R[i] if and only if pj is a neighbor of pi in the graph DG, and d'ij is the RL-OPE ciphertext of the distance between pi and pj. From Proposition 3, dij < dik holds if and only if d'ij < d'ik. Fig. 4 depicts a toy example of the encrypted index structure built by RL-OPE. With the list, we can determine the nearest neighbor of any vertex in the encrypted domain.

In the SrchToken algorithm, the data owner generates the token by invoking Graph.Token and then sends the tuple (Iq, t) to the cloud server. In the Search algorithm, the server first obtains the neighbors G(q), and then for each neighbor pk, the server determines the nearest neighbor pj of pk. If the identifier Ij is consistent with the queried point q, then pk is added to the result set I_q. In this way the server obtains the reverse nearest neighbors, and thus the correctness of the proposed sPPRNN is guaranteed.
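The following Python program is an added, self-contained illustration of Algorithm 1 and Algorithm 2; it is not the authors' code. It plugs a deliberately trivial affine map in as the black-box OPE (not a secure OPE, only a stand-in with integer, strictly increasing ciphertexts), derives each reference-locked key (Ke, me, ne) deterministically from (MK, e) with HMAC (an assumption; the paper only says the pair is encoded into a string and (me, ne) is chosen at random), models Graph.Enc, Graph.Token and Graph.Neigh with a plain dictionary keyed by encrypted identifiers, uses deterministic HMAC tags as the identifiers Ii so that the server can test Ij = Iq, and uses squared distances so that all RL-OPE plaintexts are integers as the scheme requires. The data set, its Delaunay neighbour lists and the expected query results are constructed for the example, and the encrypted search is checked against a brute-force reverse nearest neighbour computation on the plaintext.

```python
import os, hmac, hashlib

# ---- stand-in for the black-box OPE: an affine map, NOT a secure OPE (demo only) ----
# Any IND-OCPA OPE with integer, strictly increasing ciphertexts can replace it.
def _ope_params(K):
    a = int.from_bytes(hashlib.sha256(K + b"slope").digest()[:4], "big") % 1000 + 1
    b = int.from_bytes(hashlib.sha256(K + b"offset").digest()[:4], "big")
    return a, b

def ope_enc(K, x):
    a, b = _ope_params(K)
    return a * x + b

def ope_dec(K, c):
    a, b = _ope_params(K)
    return (c - b) // a

# ---- generic RL-OPE (Algorithm 1) ----
def rlope_setup():
    return os.urandom(32)                                   # master key MK

def rlope_keygen(MK, e):
    # (MK, e) -> (Ke, me, ne); deriving all three with HMAC is this example's assumption
    prf = lambda label: hmac.new(MK, label + e, hashlib.sha256).digest()
    Ke = prf(b"Ke|")
    me = 4 + int.from_bytes(prf(b"me|")[:2], "big")        # me > 2
    ne = int.from_bytes(prf(b"ne|")[:4], "big")
    return Ke, me, ne

def h_noise(Ke, me, r):
    """H_{Ke,me}(r): keyed noise o_e in the open interval (-me/2, me/2)."""
    half = (me - 1) // 2
    v = int.from_bytes(hmac.new(Ke, r, hashlib.sha256).digest()[:8], "big")
    return v % (2 * half + 1) - half

def rlope_enc(SKe, x):
    Ke, me, ne = SKe
    r = os.urandom(16)
    return me * ope_enc(Ke, x) + ne + h_noise(Ke, me, r), r   # (c, r)

def rlope_dec(SKe, ct):
    Ke, me, ne = SKe
    c, r = ct
    return ope_dec(Ke, (c - ne - h_noise(Ke, me, r)) // me)  # the division is exact

# ---- sPPRNN (Algorithm 2) ----
def sym_enc(K1, i):
    # encrypted identifier I_i; a deterministic tag so the server can test I_j = I_q
    return hmac.new(K1, str(i).encode(), hashlib.sha256).digest()[:8]

def sq_dist(a, b):
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2         # integer, same order as d(a, b)

def spprnn_keygen():
    return os.urandom(32), rlope_setup()                    # SK = (K1, K2)

def spprnn_enc(SK, points, neighbors):
    K1, K2 = SK
    g, R = {}, {}                                           # g stands in for Graph.Enc output
    for i, pi in enumerate(points):
        Ii = sym_enc(K1, i)
        K2i = rlope_keygen(K2, Ii)                          # key locked to reference p_i
        g[Ii] = [sym_enc(K1, j) for j in neighbors[i]]
        R[Ii] = [(sym_enc(K1, j), rlope_enc(K2i, sq_dist(pi, points[j]))) for j in neighbors[i]]
    return g, R

def spprnn_token(SK, q_index):
    Iq = sym_enc(SK[0], q_index)
    return Iq, Iq                                           # TK = (I_q, t); t stands in for Graph.Token

def spprnn_search(TK, C):
    Iq, t = TK
    g, R = C
    result = set()
    for Ik in g[t]:                                         # G(q) = Graph.Neigh(g, t)
        Ij, _ = min(R[Ik], key=lambda entry: entry[1][0])   # smallest d'_kj in R[k]
        if Ij == Iq:                                        # q is the nearest neighbour of p_k
            result.add(Ik)
    return result

# ---- constructed data set: a square plus one interior point; its Delaunay graph is a star ----
POINTS = [(0, 0), (10, 0), (10, 10), (0, 10), (3, 4)]
DELAUNAY = {0: [1, 3, 4], 1: [0, 2, 4], 2: [1, 3, 4], 3: [0, 2, 4], 4: [0, 1, 2, 3]}

def rnn_via_spprnn(SK, C, points, q_index):
    ids = spprnn_search(spprnn_token(SK, q_index), C)
    id2idx = {sym_enc(SK[0], i): i for i in range(len(points))}   # owner maps I_k back to p_k
    return {id2idx[I] for I in ids}

def rnn_bruteforce(points, q_index):
    n = len(points)
    nn = lambda i: min((j for j in range(n) if j != i), key=lambda j: sq_dist(points[i], points[j]))
    return {i for i in range(n) if i != q_index and nn(i) == q_index}

if __name__ == "__main__":
    SK = spprnn_keygen()
    C = spprnn_enc(SK, POINTS, DELAUNAY)
    for q in range(len(POINTS)):
        print(q, sorted(rnn_via_spprnn(SK, C, POINTS, q)), sorted(rnn_bruteforce(POINTS, q)))
```

Within one list R[k] every entry was encrypted under the key locked to pk, so the server's minimum is the true nearest neighbour (Proposition 3); entries of different lists carry different (me, ne) and noise and are not comparable with each other, which is exactly the reference-locked property.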

Fig. 4. Example of encrypted index structure by RL-OPE.

Fig. 5. Flip operation.

Fig. 6. The process of updating the Delaunay triangulation.

6.2 PPRNN in Dynamic Setting
In this section, we construct a dynamic PPRNN query scheme, called dPPRNN, and we focus on the problem of how to privately insert a point into the Delaunay triangulation. We first present a high-level description of how to insert a new point without considering privacy in Section 6.2.1. Then we deal with two challenging problems in the update procedure in Section 6.2.2. Finally, we summarize the proposal in a compact form in Section 6.2.3.

6.2.1 Inserting New Point Without Considering Privacy
A Delaunay triangulation has the empty circle property: the circle circumscribing a Delaunay triangle does not contain any other input point in its interior. For example, in Fig. 5b, the circumscribed circle of ΔABD does not contain the point C in its interior. If the empty circle property is not satisfied, we can update the triangulation with a flip operation. Fig. 5 presents how the flip operation works. In Fig. 5a, the point D is contained in the circumscribed circle of ΔABC, which violates the empty circle property. We then replace the diagonal AC with the other diagonal BD to get Fig. 5b, which obeys the empty circle property.

Using the empty circle property, one can insert a new point into the data set and then obtain a new Delaunay triangulation. Fig. 6 is a motivating example. Fig. 6a is the original triangulation. When inserting a new point p, we first find the triangle that contains the inserted point, e.g., Δp2p4p7 contains the inserted point p in Fig. 6b. Then we check whether the new triangles satisfy the empty circle property, e.g., in Fig. 6b the triangles Δpp4p7, Δpp7p2 and Δpp2p4. For example, the circumscribed circle of Δpp4p7 does not contain the point p6; a flip operation should be done, namely replacing the diagonal p7p4 with pp6. Then new triangles are produced, such as Δpp6p7 and Δpp4p7, and we check the empty circle property as before. In this way, we can get a new triangulation in which all the triangles satisfy the empty circle property, as in Fig. 6c.

6.2.2 Dealing With Two Challenging Problems
In this section we solve two challenging problems related to the above insertion procedure. To construct a dPPRNN scheme, there are two problems that we have to solve: 1) in a Delaunay triangulation, how to find the triangle that contains the inserted point; 2) how to determine whether a triangle satisfies the empty circle property. Both problems should be solved in a privacy-preserving manner.

• Find the triangle that contains the inserted point. Let DG be the Delaunay triangulation of a point set D = {p1, p2, ..., pn} and p be the inserted point. We can find the triangle in DG that contains the inserted point p by the following steps.
  1) Find the nearest neighbor of the inserted p. Let pi (i = 1, ..., n) be the points for constructing the Delaunay triangulation DG. We set p'i = M1^T p̂i, where p̂i = (pi^T, −0.5‖pi‖²)^T and M1 is a secret random matrix. Let p' = M1^{−1} p̂, where p̂ = r(p^T, 1)^T and r is a random scalar. It has been shown in [14] that (p'i − p'j)·p' > 0 if and only if ‖p − pi‖ < ‖p − pj‖, namely d(pi, p) < d(pj, p). Therefore, we can find the nearest neighbor of the inserted point p in a privacy-preserving manner by taking p' and p'1, p'2, ..., p'n as inputs.
  2) Obtain the triangle candidate collection. Without loss of generality, let pi be the nearest neighbor of point p. In R[i] all neighbors of pi are stored, and we can define Ci = {Δpipspt | pi, ps, pt are mutual neighbors}. Then from Proposition 1, we have that |E(Ci)| ≤ 6, because the number of the triangles is less than the number of neighbors of the point pi. As shown in Fig. 6c, for point p, the number of triangles is 5 and the number of neighbors is also 5. Therefore the target triangle containing the inserted point is in the collection Ci, which only takes O(1) average cost.
  3) Determine which triangle the inserted point is inside. Let Δst be a triangle Δpipspt in the collection, and M2 be a secret random matrix. We set p̄ = M2 p and p̄i = M2 pi for i = 1, ..., n. Then we can calculate the formulas in Eq. (8), in which the operation '×' denotes the cross product. If these formulas have the same sign, then the triangle Δpipspt contains the point p; otherwise the triangle Δpipspt does not contain the point p
Fig. 7. Empty circle property.

  ⎧ (p̄i − p̄) × (p̄s − p̄)
  ⎨ (p̄s − p̄) × (p̄t − p̄)      (8)
  ⎩ (p̄t − p̄) × (p̄i − p̄)

• Determine whether a triangle satisfies the empty circle property. Without loss of generality, we consider the case in Fig. 7. Let p be (xp, yp), ps be (xps, yps), pt be (xpt, ypt) and pd be (xpd, ypd). Let ‖p‖ = sqrt(xp² + yp²), and correspondingly we define ‖ps‖, ‖pt‖, and ‖pd‖. From related algebraic knowledge, we can determine whether the point pd is inside the circumscribed circle of Δppspt by calculating the determinant of the matrix in Eq. (9). If the determinant is not less than 0, then pd is outside or on the circumscribed circle and it satisfies the empty circle property. Otherwise, pd is inside the circumscribed circle and it does not satisfy the empty circle property:

  | xp − xpd      xps − xpd      xpt − xpd     |
  | yp − ypd      yps − ypd      ypt − ypd     |   (9)
  | ‖p‖ − ‖pd‖    ‖ps‖ − ‖pd‖    ‖pt‖ − ‖pd‖   |

However, Eq. (9) cannot be leveraged directly in our dPPRNN scheme, because each element in the matrix is the difference between two coordinate values of different points. Although homomorphic encryption could be used to allow the cloud server to compute the determinant of the above formula over encrypted data, it may be computationally expensive and thus impractical.

  | xp − xpd      xps − xpd      xpt − xpd     |
  | yp − ypd      yps − ypd      ypt − ypd     |
  | ‖p‖ − ‖pd‖    ‖ps‖ − ‖pd‖    ‖pt‖ − ‖pd‖   |

    | 1      0             0              0             |
  = | xpd    xp − xpd      xps − xpd      xpt − xpd     |
    | ypd    yp − ypd      yps − ypd      ypt − ypd     |
    | ‖pd‖   ‖p‖ − ‖pd‖    ‖ps‖ − ‖pd‖    ‖pt‖ − ‖pd‖   |

    | 1      1      1      1      |
  = | xpd    xp     xps    xpt    |                        (10)
    | ypd    yp     yps    ypt    |
    | ‖pd‖   ‖p‖    ‖ps‖   ‖pt‖   |

In order to adapt Eq. (9) to our dPPRNN scheme, we raise its dimension and obtain the 4×4 matrix (last line in Eq. (10)). The new matrix has two salient advantages: 1) each element is a single constant or a coordinate of one point rather than the difference between two coordinate values of two different points; 2) each column can be derived from one single point. These advantages allow us to encrypt each point individually, and thus the cloud server can compute the determinant in a privacy-preserving manner. As long as the sign of the determinant does not change, the cloud server can determine whether a triangle satisfies the empty circle property over the encrypted data.

Now we show the details of encrypting each point. Let k0, k1, k2, k3 > 0 be the secret values. Given any p = (xp, yp), we set p̃ = (1, xp, yp, ‖p‖)^T. To protect the location privacy of point p, we first choose a random positive value r, and set the final ciphertext to have the following form:

  ( r k0,  r k1 xp,  r k2 yp,  r k3 ‖p‖ )^T.

On the cloud server side, the server can calculate the determinant of the matrix

  | r0 k0        r1 k0       r2 k0        r3 k0       |
  | r0 k1 xpd    r1 k1 xp    r2 k1 xps    r3 k1 xpt   |   (11)
  | r0 k2 ypd    r1 k2 yp    r2 k2 yps    r3 k2 ypt   |
  | r0 k3 ‖pd‖   r1 k3 ‖p‖   r2 k3 ‖ps‖   r3 k3 ‖pt‖  |

where r0, r1, r2, r3 > 0 denote the different random values chosen in the above step. Then the cloud server can check the empty circle property using the sign of the calculated determinant. Eqs. (10) and (11) obviously have the same sign, since the determinant of Eq. (11) equals the determinant of Eq. (10) multiplied by the positive factor r0 r1 r2 r3 k0 k1 k2 k3, which allows the server to determine whether the empty circle property holds.

6.2.3 Summarization
Finally, we summarize our dPPRNN scheme in a compact form, which includes six polynomial-time algorithms. Let Ps = (KeyGen, Enc, SrchToken, Search) be our sPPRNN scheme presented in Section 6.1. Based on Ps, we present our dPPRNN scheme Pd = (KeyGen, Enc, SrchToken, Search, InstToken, Insert) in Algorithm 3.

In the KeyGen algorithm, the data owner invokes Ps.KeyGen to obtain the key SK1 and then generates the secret keys M1, M2 and ki, 0 ≤ i ≤ 3. SK1 is used to produce the search token; M1, M2 and ki, 0 ≤ i ≤ 3 are employed to support the insertion operation, and the details can be found in Section 6.2.2. Then in the Enc algorithm, the data owner not only encrypts the original spatial data as in the static setting, but also generates the corresponding metadata (R2, R3, R4) for supporting the update algorithm. Specifically, R2 empowers the cloud server to find the nearest point of the inserted point, R3 allows the server to find the target triangle in which the inserted point is located, and R4 is employed to check the empty circle property. The SrchToken and Search algorithms are done in a similar manner as in the static setting.
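An added worked example (not the authors' code) of the three cloud-side checks of Section 6.2.2 and of the vectors the data owner prepares for them: the nearest neighbour via p'i = M1^T p̂i and p' = M1^{-1} p̂, the point-in-triangle test via the blinded cross products of Eq. (8), and the empty circle test via the sign of the determinant in Eq. (11), compared against Eq. (10) on the plaintext. It uses exact rational arithmetic so that sign tests are not disturbed by rounding. Two choices are the example's own and not taken from the paper: the last component of the blinded vector is the squared norm ‖p‖² (which makes the determinant the classical in-circle test), and M2 is drawn with positive determinant (as Section 7.3 suggests) so that the server can also read the orientation of Δppspt from the blinded points and normalize which sign of the determinant means "inside". The data set, the inserted point and the expected outcomes are constructed.

```python
from fractions import Fraction as F
import random

rng = random.Random(2024)   # fixed seed: keys are random but the demo is reproducible

# --- exact linear algebra on small matrices (Fraction arithmetic, no rounding) ---
def det(m):
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det([row[:j] + row[j + 1:] for row in m[1:]])
               for j in range(len(m)))

def inverse(m):
    n, d = len(m), det(m)
    cof = [[(-1) ** (i + j) * det([r[:j] + r[j + 1:] for k, r in enumerate(m) if k != i])
            for j in range(n)] for i in range(n)]
    return [[cof[j][i] / d for j in range(n)] for i in range(n)]   # adjugate / det

def matvec(m, v): return [sum(a * b for a, b in zip(row, v)) for row in m]
def transpose(m): return [list(col) for col in zip(*m)]
def sub(u, v): return [a - b for a, b in zip(u, v)]
def cross(u, v): return u[0] * v[1] - u[1] * v[0]
def sq_norm(p): return p[0] * p[0] + p[1] * p[1]

# --- data owner: keys, encrypted points (R2/R3/R4 entries) and the insert token ---
def keygen():
    M1 = [[F(rng.randint(-9, 9)) for _ in range(3)] for _ in range(3)]
    while det(M1) == 0:
        M1 = [[F(rng.randint(-9, 9)) for _ in range(3)] for _ in range(3)]
    M2 = [[F(rng.randint(-9, 9)) for _ in range(2)] for _ in range(2)]
    while det(M2) <= 0:          # det(M2) > 0 keeps orientation (Section 7.3)
        M2 = [[F(rng.randint(-9, 9)) for _ in range(2)] for _ in range(2)]
    k = [F(rng.randint(1, 50)) for _ in range(4)]   # k0..k3 > 0
    return M1, M2, k

def blind4(k, r, p):
    # ciphertext (r k0, r k1 x, r k2 y, r k3 ||p||^2); the squared norm is this example's choice
    return [r * k[0], r * k[1] * p[0], r * k[2] * p[1], r * k[3] * sq_norm(p)]

def enc_point(key, pt):
    M1, M2, k = key
    p = [F(pt[0]), F(pt[1])]
    p_hat = p + [-sq_norm(p) / 2]                     # p̂_i = (p_i^T, -0.5||p_i||^2)^T
    return {"r2": matvec(transpose(M1), p_hat),       # p'_i = M1^T p̂_i
            "r3": matvec(M2, p),                      # p̄_i = M2 p_i
            "r4": blind4(k, F(rng.randint(1, 50)), p)}

def insert_token(key, pt):
    M1, M2, k = key
    p = [F(pt[0]), F(pt[1])]
    r0 = F(rng.randint(1, 50))
    return {"r2": matvec(inverse(M1), [r0 * p[0], r0 * p[1], r0]),   # p' = M1^{-1} p̂
            "r3": matvec(M2, p),
            "r4": blind4(k, F(rng.randint(1, 50)), p)}

# --- cloud server: every check below sees only the blinded vectors ---
def nearest(tok, cts):
    # (p'_i - p'_j).p' > 0 iff p_i is closer to p, so the largest dot product is the NN
    return max(range(len(cts)), key=lambda i: sum(a * b for a, b in zip(cts[i]["r2"], tok["r2"])))

def in_triangle(tok, ci, cs, ct):
    q, a, b, c = tok["r3"], ci["r3"], cs["r3"], ct["r3"]
    s = [cross(sub(a, q), sub(b, q)), cross(sub(b, q), sub(c, q)), cross(sub(c, q), sub(a, q))]  # Eq. (8)
    return all(v > 0 for v in s) or all(v < 0 for v in s)

def circle_det(cp, cs, ct, cd):
    # determinant of Eq. (11); vectors as rows instead of columns, which leaves it unchanged
    return det([cd["r4"], cp["r4"], cs["r4"], ct["r4"]])

def empty_circle(cp, cs, ct, cd):
    orient = cross(sub(cs["r3"], cp["r3"]), sub(ct["r3"], cp["r3"]))   # > 0 iff p, ps, pt counter-clockwise
    return orient * circle_det(cp, cs, ct, cd) <= 0                    # p_d outside or on the circumcircle

def plain_circle_det(p, ps, pt, pd):
    # last matrix of Eq. (10) on plaintext (squared norms), for comparison with circle_det
    return det([[1, q[0], q[1], sq_norm(q)] for q in (pd, p, ps, pt)])

# --- constructed data set: a square with one interior point; its Delaunay graph is a star ---
POINTS = [(0, 0), (10, 0), (10, 10), (0, 10), (3, 4)]
NEIGHBORS = {0: [1, 3, 4], 1: [0, 2, 4], 2: [1, 3, 4], 3: [0, 2, 4], 4: [0, 1, 2, 3]}

def candidate_triangles(i):
    nb = NEIGHBORS[i]
    return [(i, s, t) for s in nb for t in nb if s < t and t in NEIGHBORS[s]]   # C_i

def locate(key, cts, pt):
    tok = insert_token(key, pt)
    i = nearest(tok, cts)
    for tri in candidate_triangles(i):
        if in_triangle(tok, *(cts[j] for j in tri)):
            return tok, tri
    return tok, None

if __name__ == "__main__":
    key = keygen()
    cts = [enc_point(key, p) for p in POINTS]
    tok, tri = locate(key, cts, (6, 2))
    print("nearest:", nearest(tok, cts), "containing triangle:", tri)
    print("empty circle, triangle (p, p1, p4) against p2:", empty_circle(tok, cts[1], cts[4], cts[2]))
    print("empty circle, triangle (p, p4, p0) against p3:", empty_circle(tok, cts[4], cts[0], cts[3]))
```

For the inserted point (6, 2) the server finds p4 as nearest neighbour, locates the point in Δp4p0p1, and then sees that p2 lies inside the circumcircle of Δpp1p4 (so that edge must be flipped) while p3 lies outside the circumcircle of Δpp4p0. In `in_triangle` a point exactly on an edge yields a zero cross product and is reported as not inside; a deployment has to decide how to treat that boundary case.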

Algorithm 3. PPRNN in Dynamic Setting
 1: function KeyGen(1^λ)
 2:   (SK1, PP1) ← Ps.KeyGen(1^λ)
 3:   Select two invertible matrices randomly: M1 and M2
 4:   Select four random positive scalars: k0, k1, k2, k3
 5:   return SK = (SK1, M1, M2, k0, k1, k2, k3), PP = PP1
 6:
 7: function Enc(SK, D)
 8:   C ← Ps.Enc(SK1, D) and then parse C as (g, R1)
 9:   for each node pi in DG do
10:     Set p̂i = (pi^T, −0.5‖pi‖²)^T
11:     Add element p'i = M1^T p̂i to the vector R2
12:     Add element p̄i = M2 pi to the vector R3
13:     Set p̃i = (1, xpi, ypi, ‖pi‖)^T
14:     Set p̆i = (r k0, r k1 xpi, r k2 ypi, r k3 ‖pi‖)^T
15:     Add element p̆i to the vector R4
16:   return C = (g, R1, R2, R3, R4)
17:
18: function SrchToken(SK, q)
19:   TK ← Ps.SrchToken(SK1, q)
20:   return TK
21:
22: function Search(TK, C)
23:   I_q ← Ps.Search(TK, C)
24:   return I_q
25:
26: function InstToken(SK, p)
27:   Select two random positive scalars r0 and r1
28:   Set p̂ = r0 (p^T, 1)^T
29:   Set p' = M1^{−1} p̂, p̄ = M2 p, p̃ = (1, xp, yp, ‖p‖)^T
30:   Set p̆ = (r1 k0, r1 k1 xp, r1 k2 yp, r1 k3 ‖p‖)^T
31:   return iTK = (p', p̄, p̆)
32:
33: function Insert(iTK, C)
34:   I ← ∅
35:   Find the nearest neighbor pi of the inserted p
36:   Obtain the triangle candidate collection Ci
37:   Determine the triangle Δpipspt in which the inserted p is located
38:   Push Δppspt, Δpptpi, Δppips to queue Q
39:   while Q is not empty do
40:     Let Δppspt be the top element in Q and pop it
41:     if triangle Δppspt and point pd do not satisfy the empty circle property then
42:       Update the R[i]-lists of the points (p, ps, pt, pd)
43:       I = I ∪ {p, ps, pt, pd}
44:       Push Δppspd and Δpptpd to Q
45:   Cloud server sends the corresponding ciphertexts of the points in I to the data owner
46:   Data owner re-encrypts the points in I, generates a new ciphertext and then sends it to the cloud server
47:   Cloud server updates its encrypted data locally, and the new encrypted data is named C'
48:   return C'

In the InstToken algorithm, the data owner generates the token iTK = (p', p̄, p̆) by the method described in Section 6.2.2. In the Insert algorithm, the cloud server first uses p' to find the nearest neighbor of the inserted p and obtains the triangle candidate collection, and p̄ allows the cloud server to find the triangle in which the inserted point is located. Second, the cloud server employs p̆ to check whether a triangle satisfies the empty circle property, and if it does not, a flip operation should be done. The two steps repeat until all the triangles meet the empty circle property. It should be mentioned that the flip operation simply records the identifiers I of the affected points in the way described in Section 6.2.1. After that, the cloud server sends the corresponding ciphertexts of these affected points to the data owner, and the data owner re-encrypts these points and uploads the new ciphertexts to the cloud server. This completes the insertion operation.

7 PRIVACY ANALYSIS
In this section, we discuss the security of our proposed sPPRNN and dPPRNN, and analyze their resistance to the three different levels of attackers considered in Section 4.2. We first prove the security of our proposed RL-OPE scheme in Section 7.1, then we present the privacy analysis of our sPPRNN and dPPRNN schemes in Sections 7.2 and 7.3, respectively.

7.1 Security Proof
We now show the security of our proposed RL-OPE.

Theorem 1. Our RL-OPE is reference-locked secure.

Proof. We show that our RL-OPE is reference-locked secure by the following two cases:
  • If SKe1 = SKe2: we can find a collision pair (MK, e1) and (MK, e2) of the hash function H. This contradicts the collision resistance of H. Therefore, the probability that SKe1 = SKe2 is negligible.
  • If SKe1 ≠ SKe2: Enc(SKe1, x) < Enc(SKe2, y) may hold no matter what the relation between x and y is. Because the secret keys are different, the comparison between Enc(SKe1, x) and Enc(SKe2, y) does not mean anything. For any x and y, even if OPE.Enc(Ke1, x) > OPE.Enc(Ke2, y), we can find two appropriate pairs (me1, ne1) and (me2, ne2), where me1 and me2 are positive scales, such that the final ciphertexts satisfy Enc(SKe1, x) < Enc(SKe2, y).
This completes the proof. □

Therefore, the proposed RL-OPE only leaks the local information about the graph to the adversary.

Theorem 2. Our RL-OPE is IND-sR-OCPA secure if the underlying OPE is IND-OCPA secure.

Proof. We prove it by contradiction. Suppose there is a probabilistic polynomial-time adversary A that breaks our RL-OPE with ε-advantage. Then we can build an algorithm B that breaks the IND-OCPA security of the underlying OPE with ε(1 − q(k)/2^k)-advantage, where q(k) is an arbitrary polynomial and 2^k denotes the size of the reference space.

Recall that B's goal is to break the IND-OCPA security of the underlying OPE. Note that B not only serves as the adversary in the IND-OCPA game, but also serves as the challenger in the IND-sR-OCPA game.
  • Setup: The challenger first runs algorithm OPE.Setup, and B runs algorithm RL-OPE.Setup. A determines a random reference object e* and then sends it to B.
  • Queries: The adversary can submit two kinds of queries to B.
    – The adversary can submit a reference object e to B. In order to respond to this kind of query, B maintains a list of tuples (e, SKe), which we refer to as the e-list. If e has been queried before, B responds to A with SKe by looking up the e-list. Otherwise, B runs algorithm KeyGen to generate the secret key SKe and sends SKe to the adversary. At the same time, B adds (e, SKe) to the e-list.
    – The adversary can also submit a reference object e and a numeric datum x to B. If e is in the e-list, B encrypts x to c by algorithm RL-OPE.Enc. If e is not in the e-list but e ≠ e*, B runs algorithm KeyGen to generate the secret key SKe for e and then adds (e, SKe) to the e-list. Otherwise, B sends x to the challenger and gets the ciphertext c' from the challenger. In order to respond to this kind of query, B maintains a pair (me, ne). B also maintains a list of tuples (x, oe), which we refer to as the o-list. B chooses a random noise parameter oe from the range (−me/2, me/2). Then B sets the ciphertext c by c = me·c' + ne + oe. At the same time, B adds (x, oe) to the o-list. Finally, B sends c to the adversary.
  • Challenge: The adversary determines two sequences x0 = {x01, x02, ..., x0n} and x1 = {x11, x12, ..., x1n}. B submits the two sequences x0 and x1 to the challenger. The challenger chooses a random bit b and encrypts each xbi, 1 ≤ i ≤ n, in xb. These ciphertexts are denoted as c'b and are sent to B. For each element xbi in xb, if xbi is not in the o-list, B first chooses a random noise parameter oe from the range (−me/2, me/2). Then B sets the ciphertext cbi by c = me·c'bi + ne + oe. Thus, B simulates the final ciphertexts cb. Finally, B sends cb to the adversary.
  • Guess: The adversary outputs a guess bit b' to B, and B outputs b'.

This completes the description of algorithm B. We now analyze the advantage of B in breaking the IND-OCPA security of the underlying OPE. Since the above reduction procedure fully simulates the environment of the real-world setting, B also has an ε-advantage in breaking the IND-OCPA security of the underlying OPE if A has an ε-advantage in breaking the IND-sR-OCPA security of the proposed RL-OPE. This contradicts the IND-OCPA security of the underlying OPE and thus completes the proof. □

7.2 Privacy of sPPRNN
In sPPRNN, two supporting mechanisms, SE and RL-OPE, are employed to produce the ciphertext. The basic security of our sPPRNN scheme is based on the employed SE. A classical SE has CQA2-security [35]. Specifically, CQA2-security means that no attacker can learn any partial information about the original data from the encrypted index and data, even though the attacker has the ability to run an adaptive chosen-query attack. CQA2-security is much stronger than the security level needed to resist the Level-3 attacker. So, we only analyze the privacy of our RL-OPE scheme in the rest of this section. Now, we claim that our sPPRNN can resist the three different levels of attackers stated in Section 4.2.

First, our sPPRNN can resist the Level-1 attacker. From [40], distance-preserving transformation (DPT) is a common method that reveals the distance between any two points to the cloud server. Obviously, revealing the real distance between any two points must leak local order information, so our RL-OPE leaks less information to the attacker than a DPT. Therefore, the fact that DPT-based schemes can resist the Level-1 attacker implies that our sPPRNN can resist the Level-1 attacker too.

Second, our sPPRNN also resists the Level-2 attacker. Beyond the Level-1 attacker, the Level-2 attacker knows a small subset of the original point set. Without loss of generality, let V = {pi1, pi2, ..., piv} be the subset of points that the attacker knows. In case that for any pair (pis, pit), 1 ≤ s, t ≤ v, pis and pit are not adjacent in graph DG, the attacker can only calculate the distance information among these points. However, in our proposed scheme the encrypted database C = (g, R) only includes the encrypted distance information of the adjacent points in graph DG. It is impossible to build a relation between the background knowledge and the encrypted database C. In case that there exist two points pis and pit that are adjacent in graph DG, let dst be the distance between points pis and pit. There exists an RL-OPE ciphertext c in R that encrypts the distance dst. However, for any RL-OPE ciphertext c, we can choose appropriate parameters me, ne, oe such that me·OPE.Enc(Ke, dst) + ne + oe = c. Thus, for any ciphertexts ci0 and cj0, we have that

  Pr[ci0 | dst] = Pr[cj0 | dst].   (12)

Based on the above two cases, our sPPRNN can resist the Level-2 attacker.

Third, our sPPRNN can resist the Level-3 attacker too. Beyond the Level-2 attacker, the Level-3 attacker not only knows a small subset of the original point set but also knows their corresponding ciphertexts. The correspondence between points and their ciphertexts may help the attacker to build algebraic relations and then to break our scheme. In the following, we show that our proposed RL-OPE can resist this kind of attack. In case that for any pair (pis, pit), 1 ≤ s, t ≤ v, pis and pit are not adjacent in graph DG, it is impossible, as shown above, to build a relation between the background knowledge and the encrypted database C. In case that for any pis ∈ V there is only one adjacent point pit ∈ V, there exists only one RL-OPE ciphertext cst in R that encrypts the distance dst, where dst is the distance between points pis and pit. The ciphertext cst regards the point pis as the reference object. Let Ks, ms, ns be the secret key of the reference point pis, and c'st be the OPE ciphertext OPE.Enc(Ks, dst).
Authorized licensed use limited to: Jinan University. Downloaded on April 16,2023 at 09:20:09 UTC from IEEE Xplore. Restrictions apply.
LI ET AL.: PRIVACY-PRESERVING REVERSE NEAREST NEIGHBOR QUERY OVER ENCRYPTED SPATIAL DATA 2965

Since that the attacker knows the corresponding cipher- because all the relations of elements have been disturbed
text, thus we can derive a equation by the above unknown secret keys. To resist the Level-3
attacker, we can use a random matrix whose determinant
ms c0st þ ns þ os ¼ cst : (13) is larger than zero to blind the points, and then employ the
dimension extension technology [41] to protect the privacy
However, only one adjacent point pit is close to point pis , so
of each point. So, auxiliary information R4 can resist the
the attacker only can derive one equation about the unknown
Level-2 attacker and it can be enhanced to resist the Level-
variants ms ; ns ; os , which will not provide advantage for help-
3 attacker.
ing the attacker to deduce more information from the back-
Furthermore, different keys are employed to produce the
ground knowledge and the encrypted database. In case that
ciphertext tuple C ¼ ðg; R1 ; R2 ; R3 ; R4 Þ, and it is hard for any
for any pis 2 V , there exist at least two adjacent points pit1 ;
attacker by combing all these information to gain additional
pit2 . . . . We can derive at most six equations through the way
information. To sum up, our final dPPRNN can resist
as above. Let c0st1 ; c0st2 ; c0st3 ; . . . be the OPE ciphertexts OPE:Enc
attackers of three different levels.
$(K_s, d_{st_1})$, $\mathsf{OPE.Enc}(K_s, d_{st_2})$, $\mathsf{OPE.Enc}(K_s, d_{st_3})$, and let $c_{st_1}, c_{st_2}, c_{st_3}, \ldots$ be the corresponding RL-OPE ciphertexts. Then we can build a system of equations

$$
\begin{cases}
m_s c'_{st_1} + n_s + o_{s1} = c_{st_1} \\
m_s c'_{st_2} + n_s + o_{s2} = c_{st_2} \\
m_s c'_{st_3} + n_s + o_{s3} = c_{st_3}
\end{cases}
\qquad (14)
$$

Since the noise parameters $o_{s1}, o_{s2}, o_{s3}$ are different for each equation, the number of equations must be less than the number of unknowns. Thus the attacker cannot gain any information from the above system of equations.

To sum up, our sPPRNN only leaks the local order information to the attacker, and the attackers cannot learn more information than what they are allowed. Thus, our proposal can resist attackers of the three different levels.

7.3 Privacy of dPPRNN

In this section, we discuss the privacy of our proposed dPPRNN. In dPPRNN, not only are the two basic mechanisms, SE and RL-OPE, employed to support normal RNN queries, but some auxiliary information is also provided to the cloud server to support the insert operation. From Section 7.2, the basic mechanisms, SE and RL-OPE, can resist attackers of the three levels. Thus, in the following we only explain the information leakage of the auxiliary information. Specifically, in the tuple $C = (g, R_1, R_2, R_3, R_4)$, $g$ and $R_1$ are the same as the ciphertext in sPPRNN, and $R_2, R_3, R_4$ are the auxiliary information for supporting the insert operation.

We first analyze the privacy of the auxiliary information $R_2$ and $R_3$. Obviously, the ciphertexts $R_2$ and $R_3$ hide the point by multiplying it by a random matrix, which is called matrix encryption [40]. A matrix encryption scheme does not reveal any distance between any two points $p_i$ and $p_j$, thus it can resist the Level-2 attacker. To resist the Level-3 attacker, we can employ the random split and dimension extension techniques to construct a new ciphertext for protecting the privacy of each point. So, the auxiliary information $R_2$ and $R_3$ can resist the Level-2 attacker, and they can be enhanced to resist the Level-3 attacker.

Then we analyze the privacy of the auxiliary information $R_4$. In Eq. (11), $k_0$, $k_1$, $k_2$ and $k_3$ are used to disturb the element relations in each column, and $r_i$ is used to disturb the element relations in each row. No Level-2 attacker can deduce the corresponding plaintext from the ciphertext

8 PERFORMANCE EVALUATION

In this section, we evaluate the performance by theoretical analysis and experimental validation in Sections 8.1 and 8.2, respectively.

8.1 Theoretical Evaluation

From a theoretical view, we analyze the complexity of the algorithms Enc, Search, and Insert. Let N be the number of points in the data set. The algorithm Enc invokes Graph.Enc to generate the encrypted structure for answering neighbor queries, and the other information (e.g., R1, R2, R3, R4) for answering the RNN query. Both of them are generated in O(N) time. As shown in Fig. 4, each edge of the Delaunay triangulation is stored two times in the encrypted index structure, and therefore the index takes O(|E|) space. Since, for each vertex, the expected number of its neighbors is upper-bounded by a constant (e.g., 6, from Proposition 1), we have O(|E|) = O(N). Therefore the space complexity is O(N). The algorithm Search takes O(N) time to run Graph.Neigh [35] and O(1) time to find the RNN results. In fact, we can sort all points by a random key and then build a tree-based index to find the neighbors of the query point in O(log N) time. In all, the complexity of the algorithm Search is O(log N). For Insert, the time complexity depends on the number of influenced triangles. In the worst case, the number of influenced triangles is O(N). In [42], it has been shown that the expected running time of incremental Delaunay triangulation is O(N log N) and the number of influenced triangles is O(log N). Therefore the complexities of time, space, and communication are O(log N).

8.2 Experimental Evaluation

Our experimental evaluation of the proposed scheme is based on a real-world spatial data set [43]. We choose the geographic data of Los Angeles as our experimental data; the data includes four point sets. We evaluate the performance on several data sets with different sizes. All experiments are implemented in C++ on an Intel-based E5-1650 server with a 3.6 GHz processor and 64 GB RAM. The code is available online (https://github.com/xiaoguosk/safeGeoRecommend.git). We conduct three groups of experiments. First, we evaluate the time cost of the algorithm Insert. Second, we count the number of influenced triangles in the Delaunay triangulation when a new point is inserted. Third, we evaluate the time cost of the algorithm Search. All experimental results represent the mean of 10 trials.

Fig. 8. Time cost of the algorithm Insert.

Fig. 9. The number of influenced triangles in the Delaunay triangulation when a new point is inserted.

1) Time cost of Insert. In this group of experiments, we run the algorithm Insert on the data sets and evaluate the time cost of inserting a new point. In the initial state, the server only stores an empty encrypted data set C = ∅. Then we pick one point from the data set and invoke the algorithm Insert to insert it into C. The procedure is repeated until all the points in the original data set are inserted. We record the time of inserting each point, and Fig. 8 shows the experimental results. Fig. 8a shows the average time cost when a new point is inserted. When N increases, the average time cost increases logarithmically, which validates our theoretical analysis. In Figs. 8b, 8c, 8d, and 8e, the red line denotes the average time cost after all points are inserted when N varies. As we can observe, the time cost in the worst case is about 1.0 s, while the average time cost is no more than 0.2 s. The reason is that when a point is inserted, the worst case may happen, but only with a very small probability. Therefore, it matches our analysis in Section 8.1.

2) The number of influenced triangles. In this group of experiments, we count the number of influenced triangles in the Delaunay triangulation when a new point is inserted. In the initial state, the server only stores an empty encrypted data set C = ∅. Then we pick one point from the data set and invoke the algorithm Insert to insert it into C. The procedure is repeated until all the points in the original data set are inserted. We count the number of influenced triangles and show the experimental results in Fig. 9. In each subfigure, the red line denotes the average number of influenced triangles after all points are inserted. As we can observe, regardless of the number of points, the number of influenced triangles is no more than 10 with overwhelming probability.

3) Time cost of Search. In this group of experiments, we run the algorithm Search on the data sets and evaluate the time cost of searching a point. We first insert all points in the data set into the encrypted data set C. Then we record the time for searching each point by running the algorithm Search. Fig. 10a shows the average time cost when a point is queried. When N increases, the average time cost increases logarithmically, which also matches our theoretical analysis. In Figs. 10b, 10c, 10d, and 10e, the red line denotes the average time cost after all points are inserted when N varies. As we can observe, the worst-case time cost in Fig. 10e is only about 0.3 s, which is very efficient for practical deployment.
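The incremental insertion that Section 8.1 reasons about and experiment 2) of Section 8.2 measures, as an added example that is not the paper's code or its released implementation: a pure-Python Bowyer-Watson Delaunay insertion that reports the influenced triangles of each insert and builds the neighbor index that stores every edge twice. The point sets are constructed here, and the super-triangle size is an assumption of this example.

```python
"""Bowyer-Watson Delaunay insertion with influenced-triangle counts and a neighbor
index storing each edge twice. Added example, not the paper's code (Sections 8.1, 8.2)."""
import random
from itertools import combinations

# Assumption of this example: data coordinates lie well inside [-BIG/10, BIG/10],
# so the enclosing super-triangle behaves as if its vertices were at infinity.
BIG = 1e3
SUPER = ((-BIG, -BIG), (BIG, -BIG), (0.0, BIG))

def in_circumcircle(tri, p):
    """True if p lies strictly inside the circumcircle of tri (either orientation)."""
    (ax, ay), (bx, by), (cx, cy) = tri
    ax, ay, bx, by = ax - p[0], ay - p[1], bx - p[0], by - p[1]
    cx, cy = cx - p[0], cy - p[1]
    det = ((ax * ax + ay * ay) * (bx * cy - cx * by)
           - (bx * bx + by * by) * (ax * cy - cx * ay)
           + (cx * cx + cy * cy) * (ax * by - bx * ay))
    orient = (bx - ax) * (cy - ay) - (by - ay) * (cx - ax)  # > 0 if counter-clockwise
    return det > 0 if orient > 0 else det < 0

def insert_point(triangles, p):
    """Insert p in place; return how many triangles were influenced (removed and rebuilt)."""
    bad = [t for t in triangles if in_circumcircle(t, p)]
    edge_count = {}
    for t in bad:
        for e in ((t[0], t[1]), (t[1], t[2]), (t[2], t[0])):
            edge_count[frozenset(e)] = edge_count.get(frozenset(e), 0) + 1
    for t in bad:
        triangles.remove(t)
    # Edges seen once bound the cavity; edges seen twice were interior to it.
    for edge, n in edge_count.items():
        if n == 1:
            a, b = tuple(edge)
            triangles.append((a, b, p))
    return len(bad)

def build_delaunay(points):
    """Return (triangles, influenced); influenced[i] is the count for the i-th insert."""
    triangles = [SUPER]
    influenced = [insert_point(triangles, p) for p in points]
    triangles = [t for t in triangles if not set(SUPER) & set(t)]
    return triangles, influenced

def neighbor_index(triangles):
    """Adjacency as the paper's index keeps it: each edge stored under both endpoints."""
    index = {}
    for t in triangles:
        for a, b in combinations(t, 2):
            index.setdefault(a, set()).add(b)
            index.setdefault(b, set()).add(a)
    return index

def is_delaunay(triangles, points):
    """Empty-circumcircle check of the final triangles against the data points."""
    return not any(in_circumcircle(t, p) for t in triangles for p in points if p not in t)

def random_points(n, seed):
    """Constructed uniform sample in the unit square (stands in for the TIGER data)."""
    rng = random.Random(seed)
    return [(rng.random(), rng.random()) for _ in range(n)]

if __name__ == "__main__":
    tris, infl = build_delaunay(random_points(300, 1))
    print(len(tris), "triangles; max influenced", max(infl), "mean %.2f" % (sum(infl) / len(infl)))
```

The mean of the returned counts is the quantity plotted in Fig. 9; the worst-case O(N) bound shows up only when a single insert empties a large cavity.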
Fig. 10. Time cost of the algorithm Search.

9 CONCLUSION

In this paper, we address the problem of privacy-preserving reverse nearest neighbor query (PPRNN). First, we introduce reference-locked order-preserving encryption (RL-OPE), which only leaks the local order information related to a reference object. We present a generic construction of RL-OPE and prove its security under the selective reference, ordered chosen plaintext attack (IND-sR-OCPA). Then, we construct a novel PPRNN scheme in the static setting (sPPRNN) by employing structured encryption and the proposed RL-OPE. Furthermore, we extend sPPRNN to an efficient privacy-preserving reverse nearest neighbor query scheme in the dynamic setting (dPPRNN) by solving two challenging problems. After that, we analyze the security of the proposed sPPRNN and dPPRNN against attackers of three different levels, as considered in our threat model. Finally, we conduct experiments to demonstrate its efficiency for practical deployment.

ACKNOWLEDGMENTS

This work was supported by the National Natural Science Foundation of China under Grants U20A20176, 62072062, and 61932006, and the Natural Science Foundation of Chongqing, China under Grant cstc2019jcyjjqX0026.

REFERENCES

[1] T. Hoang, A. A. Yavuz, and J. G. Merchan, "A secure searchable encryption framework for privacy-critical cloud storage services," IEEE Trans. Services Comput., to be published, doi: 10.1109/TSC.2019.2897096.
[2] R. Curtmola, J. A. Garay, S. Kamara, and R. Ostrovsky, "Searchable symmetric encryption: Improved definitions and efficient constructions," J. Comput. Secur., vol. 19, no. 5, pp. 895–934, 2011.
[3] S. Kamara, C. Papamanthou, and T. Roeder, "Dynamic searchable symmetric encryption," in Proc. ACM Conf. Comput. Commun. Secur., 2012, pp. 965–976.
[4] K. Kurosawa, K. Sasaki, K. Ohta, and K. Yoneyama, "UC-secure dynamic searchable symmetric encryption scheme," in Proc. Int. Workshop Secur., 2016, pp. 73–90.
[5] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano, "Public key encryption with keyword search," in Proc. Int. Conf. Theory Appl. Cryptogr. Techn., 2004, pp. 506–522.
[6] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu, "Order preserving encryption for numeric data," in Proc. ACM Special Interest Group Manage. Data, 2004, pp. 563–574.
[7] Q. Tang, H. Ma, and X. Chen, "Extend the concept of public key encryption with delegated search," Comput. J., vol. 58, no. 4, pp. 724–734, 2015.
[8] B. Lang, J. Wang, M. Li, and Y. Liu, "Semantic-based compound keyword search over encrypted cloud data," IEEE Trans. Services Comput., to be published, doi: 10.1109/TSC.2018.2847318.
[9] X. Lin, L. Zhou, P. Chen, and J. Gu, "Privacy preserving reverse nearest-neighbor queries processing on road network," in Proc. Int. Conf. Web-Age Inf. Manage., 2012, pp. 19–28.
[10] B. Wang, M. Li, and H. Wang, "Geometric range search on encrypted spatial data," IEEE Trans. Inf. Forensics Security, vol. 11, no. 4, pp. 704–719, Apr. 2016.
[11] H. Zhu, F. Liu, and H. Li, "Efficient and privacy-preserving polygons spatial query framework for location-based services," IEEE Internet Things J., vol. 4, no. 2, pp. 536–545, Apr. 2017.
[12] L. Ibraimi, S. Nikova, P. H. Hartel, and W. Jonker, "Public-key encryption with delegated search," in Proc. Conf. Appl. Cryptogr. Netw. Secur., 2011, pp. 532–549.
[13] Y. Qi and M. J. Atallah, "Efficient privacy-preserving k-nearest neighbor search," in Proc. IEEE Int. Conf. Distrib. Comput. Syst., 2008, pp. 311–319.
[14] W. K. Wong, D. W. Cheung, B. Kao, and N. Mamoulis, "Secure kNN computation on encrypted databases," in Proc. ACM Special Interest Group Manage. Data, 2009, pp. 139–152.
[15] Y. Elmehdwi, B. K. Samanthula, and W. Jiang, "Secure k-nearest neighbor query over encrypted data in outsourced environments," in Proc. Int. Conf. Data Eng., 2014, pp. 664–675.
[16] X. Yi, R. Paulet, E. Bertino, and V. Varadharajan, "Practical k nearest neighbor queries with location privacy," in Proc. Int. Conf. Data Eng., 2014, pp. 640–651.
[17] B. Wang, M. Li, H. Wang, and H. Li, "Circular range search on encrypted spatial data," in Proc. IEEE Conf. Commun. Netw. Secur., 2015, pp. 182–190.
[18] Y. Luo, S. Fu, D. Wang, M. Xu, and X. Jia, "Efficient and generalized geometric range search on encrypted spatial data in the cloud," in Proc. Int. Symp. Qual. Service, 2017, pp. 1–10.
[19] I. Kamel, A. M. Talha, and Z. A. Aghbari, "Dynamic spatial index for efficient query processing on the cloud," J. Cloud Comput., vol. 6, no. 1, 2017, Art. no. 5.
[20] Y. Wu, K. Wang, Z. Zhang, W. Lin, H. Chen, and C. Li, "Privacy preserving group nearest neighbor search," in Proc. Conf. Extending Database Technol., 2018, pp. 277–288.
[21] X. Pan, S. Nie, H. Hu, P. Yu, and J. Guo, "Reverse nearest neighbor search in semantic trajectories for location based services," IEEE Trans. Services Comput., to be published, doi: 10.1109/TSC.2020.2968309.
[22] F. Buccafurri, G. Lax, S. Nicolazzo, and A. Nocera, "A privacy-preserving localization service for assisted living facilities," IEEE Trans. Services Comput., vol. 13, no. 1, pp. 16–29, Jan./Feb. 2020.
[23] Y. Du, "Privacy-aware RNN query processing on location-based services," in Proc. IEEE Int. Conf. Mobile Data Manag., 2007, pp. 253–257.
[24] T. Tzouramanis and Y. Manolopoulos, "Secure reverse k-nearest neighbours search over encrypted multi-dimensional databases," in Proc. Int. Database Eng. Appl. Symp., 2018, pp. 84–94.
[25] Y. Zhu, R. Xu, and T. Takagi, "Secure k-NN computation on encrypted cloud data without sharing key with query users," in Proc. Int. Workshop Secur. Cloud Comput., 2013, pp. 55–60.
[26] H. Hu, J. Xu, C. Ren, and B. Choi, "Processing private queries over untrusted data cloud through privacy homomorphism," in Proc. Int. Conf. Data Eng., 2011, pp. 601–612.
[27] J. Domingo-Ferrer, "A provably secure additive and multiplicative privacy homomorphism," in Proc. Int. Conf. Inf. Secur., 2002, pp. 471–483.
[28] B. Yao, F. Li, and X. Xiao, "Secure nearest neighbor revisited," in Proc. Int. Conf. Data Eng., 2013, pp. 733–744.
[29] S. Su, Y. Teng, X. Cheng, K. Xiao, G. Li, and J. Chen, "Privacy-preserving top-k spatial keyword queries in untrusted cloud environments," IEEE Trans. Services Comput., vol. 11, no. 5, pp. 796–809, Sep./Oct. 2018.
[30] E. Yilmaz, H. Ferhatosmanoglu, E. Ayday, and R. C. Aksoy, "Privacy-preserving aggregate queries for optimal location selection," IEEE Trans. Dependable Secure Comput., vol. 16, no. 2, pp. 329–343, Mar./Apr. 2019.
[31] L. Pournajaf, F. Tahmasebian, L. Xiong, V. Sunderam, and C. Shahabi, "Privacy preserving reverse k-nearest neighbor queries," in Proc. IEEE Int. Conf. Mobile Data Manag., 2018, pp. 177–186.
[32] F. Korn and S. Muthukrishnan, "Influence sets based on reverse nearest neighbor queries," in Proc. ACM Special Interest Group Manage. Data, 2000, pp. 201–212.
[33] L. Hu, W.-S. Ku, S. Bakiras, and C. Shahabi, "Spatial query integrity with Voronoi neighbors," IEEE Trans. Knowl. Data Eng., vol. 25, no. 4, pp. 863–876, Apr. 2013.
[34] A. Okabe, B. Boots, K. Sugihara, and S. N. Chiu, Concepts and Applications of Voronoi Diagrams. Hoboken, NJ, USA: Wiley, 2000.
[35] M. Chase and S. Kamara, "Structured encryption and controlled disclosure," in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur., 2010, pp. 577–594.
[36] A. Boldyreva, N. Chenette, and A. O'Neill, "Order-preserving encryption revisited: Improved security analysis and alternative solutions," in Proc. Int. Conf. Theory Appl. Cryptogr. Techn., 2011, pp. 578–595.
[37] R. A. Popa, F. H. Li, and N. Zeldovich, "An ideal-security protocol for order-preserving encoding," in Proc. IEEE Symp. Security Privacy, 2013, pp. 463–477.
[38] F. Kerschbaum and A. Schröpfer, "Optimal average-complexity ideal-security order-preserving encryption," in Proc. ACM Conf. Comput. Commun. Secur., 2014, pp. 275–286.
[39] X. Li, T. Xiang, F. Chen, and S. Guo, "Efficient biometric identity-based encryption," Inf. Sci., vol. 465, pp. 248–264, 2018.
[40] Z. Fu, K. Ren, J. Shu, X. Sun, and F. Huang, "Enabling personalized search over encrypted outsourced data with efficiency improvement," IEEE Trans. Parallel Distrib. Syst., vol. 27, no. 9, pp. 2546–2559, Sep. 2016.
[41] N. Cao, C. Wang, M. Li, K. Ren, and W. Lou, "Privacy-preserving multi-keyword ranked search over encrypted cloud data," IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 1, pp. 222–233, Jan. 2014.
[42] L. J. Guibas, D. E. Knuth, and M. Sharir, "Randomized incremental construction of Delaunay and Voronoi diagrams," Algorithmica, vol. 7, no. 1–6, pp. 381–413, 1992.
[43] TIGER: Real spatial data, 2015. [Online]. Available: http://www.census.gov/geo/www/tiger/

Xiaoguo Li received the PhD degree in computer science from Chongqing University, Chongqing, China, in 2019. He is currently a postdoctoral research fellow with Hong Kong Baptist University, Hong Kong, China. His current research interests include privacy-preserving database outsourcing, public-key cryptography, and secure signal processing.

Tao Xiang (Member, IEEE) received the BEng, MS, and PhD degrees in computer science from Chongqing University, Chongqing, China, in 2003, 2005, and 2008, respectively. He is currently a professor with the College of Computer Science, Chongqing University. His research interests include multimedia security, cloud security, data privacy, and cryptography. He has published more than 100 papers in international journals and conferences. He also served as a referee for numerous international journals and conferences.

Shangwei Guo received the PhD degree in computer science from Chongqing University, Chongqing, China, in 2017. He worked with Hong Kong Baptist University as a postdoctoral research fellow from 2018 to 2019. He is currently a postdoctoral research fellow with Nanyang Technological University, Singapore. His research interests include multimedia security, cloud security, and data privacy.

Hongwei Li (Senior Member, IEEE) received the PhD degree from the University of Electronic Science and Technology of China, Chengdu, China, in June 2008. He is currently the head and a professor with the Department of Information Security, School of Computer Science and Engineering, University of Electronic Science and Technology of China. He worked as a postdoctoral fellow with the University of Waterloo from October 2011 to October 2012. His research interests include network security and applied cryptography. He has published more than 100 technical papers. He is the sole author of a book, Enabling Secure and Privacy Preserving Communications in Smart Grids (Springer, 2014). He serves as the associate editor of the IEEE Internet of Things Journal, and Peer-to-Peer Networking and Applications, guest editor of the IEEE Network, IEEE Internet of Things Journal and IEEE Transactions on Vehicular Technology. He also serves/served as the technical symposium co-chair of ACM TUR-C 2019, IEEE ICCC 2016, IEEE GLOBECOM 2015, and IEEE BigDataService 2015, and on technical program committees for many international conferences, such as IEEE INFOCOM, IEEE ICC, IEEE GLOBECOM, IEEE WCNC, IEEE SmartGridComm, BODYNETS, and IEEE DASC. He won best paper awards from IEEE MASS 2018 and IEEE HEALTHCOM 2015. He currently serves as the secretary of IEEE ComSoc CIS-TC. He is a distinguished lecturer of the IEEE Vehicular Technology Society.

Yi Mu (Senior Member, IEEE) received the PhD degree from the Australian National University, Canberra, Australia, in 1994. He was a full professor with the University of Wollongong, Australia. He joined Fujian Normal University, China, where he is currently a full professor with the Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Mathematics and Informatics. His current research interests include cryptography, network security, and computer security. He was the editor-in-chief of the International Journal of Applied Cryptography and serves as an associate editor or a guest editor for many international journals.