CN109194666A - A kind of safe kNN querying method based on LBS - Google Patents


Publication number
CN109194666A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811085432.1A
Other languages
Chinese (zh)
Other versions
CN109194666B (en)
Inventor
杨晓春
王斌
王雷霞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Northeastern University China
Original Assignee
Northeastern University China

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds


Abstract

The invention belongs to the field of data privacy protection and proposes a secure kNN query method based on LBS. The process includes: the data owner generates a key pair and an encrypted index structure, sends the encrypted index structure to server C1, sends the public key to servers C1 and C2 and to the user, and sends the private key to server C2; the user encrypts their own query with the public key to generate an encrypted query request and sends it to server C1; after server C1 obtains the encrypted index structure and the encrypted query request, secure two-party computation protocols are defined; based on secure two-party computation, a secure kNN query protocol is designed; the query result is returned to the user. The invention effectively protects the privacy of the data on the server, of the user's query request, of the user's query result, and of the access pattern during the query, provides exact query results, is suitable for mobile devices with low processing power, and greatly increases the speed of completing a query.

Description

A kind of safe kNN querying method based on LBS
Technical field
The invention belongs to the field of data privacy protection, and specifically relates to a secure kNN query method based on LBS.
Background art
In recent years, with the rapid development of mobile networks and smartphones, location-based services (LBS) have been widely applied in social networking, daily-life services, online shopping and other areas. Among them, the kNN query, which finds the k neighbor points closest to the user's location, is a basic and representative query. However, while LBS brings great convenience to daily life, it also brings the risk of privacy leakage. From the perspective of user privacy, when a location-based query is performed, the server can easily collect the user's real location while responding to the request, and infer from it private information such as religious belief, home address and daily movement trajectory. From the perspective of enterprises, many enterprises outsource their data to a third-party server, which answers user queries on their behalf. In this process the company data is known to the third-party server, and data such as the addresses of secret warehouses or a database of recorded employee home addresses is private information whose leakage would cause the company heavy economic loss. How to protect the security of data and query requests while providing location-based query services is therefore of great practical significance. Currently, encryption-based privacy protection methods encrypt the sensitive information; because the server does not hold the key needed for decryption, it can hardly obtain any private information about the encrypted data, which protects against the leakage cases described above. However, the intermediate results of computing on encrypted data can still leak the data access pattern, that is, which data is accessed, which leaves the scheme open to inference attacks. Meanwhile, in this process the server has to compute on ciphertext to obtain the query result, and because of the complexity of ciphertext computation, the methods proposed so far generally incur a large time cost, so that the security of the query service and the query cost are difficult to balance.
Summary of the invention
In view of the deficiencies of the prior art, the present invention effectively improves and supplements the homomorphic encryption scheme. To solve the problem of private information leakage in location-based kNN queries, the invention proposes a secure kNN query method based on LBS.
The technical solution adopted by the present invention is based on the Paillier homomorphic cryptosystem. Because this encryption scheme supports only partially homomorphic operations, namely additive homomorphic operations, the invention uses a two-server framework. In this framework, the data owner (DO) holds the original data and the public key pk and private key sk of Paillier homomorphic encryption; the user User holds the query request and the public key pk; cloud server C1 holds the encrypted index structure and the public key pk; and cloud server C2 holds the public key pk and the private key sk. Based on this system framework and the semi-honest model of secure two-party computation, the invention designs the encrypted index structure, consisting of the secure Voronoi diagram SVD and the secure grid partition SG, together with secure sub-protocols that implement basic ciphertext computation operations, and designs the secure kNN query protocol on top of this index structure and these sub-protocols. With this protocol, we realize a secure kNN query that meets the above requirements. The specific steps are as follows:
Step 1: the data owner DO generates the key pair (pk, sk) and the encrypted index structure, sends the encrypted index structure to server C1, sends the public key pk to servers C1 and C2 and to the user User, and sends the private key sk to server C2;
The encrypted index structure includes the secure Voronoi diagram SVD and the secure grid partition SG;
The key pair (pk, sk) is generated with the Paillier encryption scheme, where the public key pk is used to encrypt data and the private key sk is used to decrypt data;
The specific steps for generating the encrypted index structure are as follows:
(1) Generate the secure Voronoi diagram (SVD):
1. Perform the Voronoi diagram partition: DO holds the data set $D = \{p_1, \dots, p_n\}$, where each data point $p_i = \{x, y\}$. A Voronoi diagram partition is performed on the data set D. The Voronoi diagram divides the plane containing D into n convex polygons, called Voronoi regions. Each Voronoi region $v_i$ contains one and only one data point $p_i$, called the seed node of Voronoi region $v_i$. The edge separating two Voronoi regions is the perpendicular bisector of the two regions' seed nodes. For a Voronoi region $v_i$, the nearest neighbor of any point q falling in the region is the region's seed node $p_i$. By the properties of the Voronoi diagram, the kNN object of a query point q lies among the seed nodes of the Voronoi regions adjacent to the previously computed (k-1)NN objects.
2. According to this Voronoi partition, all Voronoi regions in the Voronoi diagram are stored in an array in random order, and the index of region $v_i$ in the array is used as its id. Any Voronoi region $v_i$ is represented by a two-tuple, where $(x_i, y_i)$ are the coordinates of the seed node $p_i$ of region $v_i$, $a_{ij}$ are the ids of the Voronoi regions adjacent to region $v_i$, and $t_1$ is the number of Voronoi regions adjacent to that Voronoi region.
3. Add fake data: to prevent an attacker from distinguishing a Voronoi region by the number of adjacent Voronoi regions of the region being queried, fake adjacent Voronoi region ids are added to the array so that the number of adjacent regions is a fixed value $t_1$. The fake ids added here are real indices that exist in the array, but they are not ids of regions adjacent to the region in question, and they are distinct. These fake ids are pruned during subsequent queries: in the later query process, one minimum value is selected from the values read each time, and the "read-select" operation is executed k times to obtain the k final results. Because the ids read each time include the id of the point with the minimum value, the points corresponding to the randomly added fake ids are never selected, which is equivalent to pruning them.
4. Data compression: to make full use of the Paillier plaintext space (Paillier usually has a 1024-bit plaintext space), the coordinates and adjacent-region ids stored in array V for region $v_i$ are compressed using the following formula:
where λ is the number of data items compressed and σ is the bit length used for each compressed data item. To make it easier to add random-number perturbation to the compressed ids in subsequent protocols, σ is greater than the bit length of the data itself. Through this computation, multiple numbers can be represented as a single number and encrypted in one operation, which makes full use of the Paillier plaintext space and reduces the number of encryptions.
5. Encrypt the array using pk to obtain the SVD. In the resulting encrypted Voronoi partition SVD, each entry stores the encrypted two-tuple of the corresponding Voronoi region.
(2) Generate the secure grid partition (SG):
1. Perform a grid partition on top of the above Voronoi partition. The grid partition divides the Voronoi diagram into m grid cells, and the side length of each grid cell is represented by the vector w. The grid partition can be stored as a matrix, whose row and column indices correspond to the coordinates of the grid cell in the two dimensions. Each grid cell stores the ids of the Voronoi regions it covers, that is, the ids of the Voronoi regions that intersect it, where $o_{ij}$ is the id of a Voronoi region intersecting grid cell $g_i$ and $t_2$ is the number of Voronoi regions intersecting that cell.
2. Add fake data: to prevent an attacker from distinguishing a grid cell by the number of Voronoi regions intersecting the cell being queried, fake Voronoi region ids are added to the matrix so that the number of ids in each grid cell is a fixed value $t_2$. The fake ids added here are real indices that exist in the array, but they are not ids of regions intersecting the grid cell in question, and they are distinct. These fake ids are pruned during subsequent queries: in the later query process, one minimum value is selected from the values read each time, and the "read-select" operation is executed k times to obtain the k final results. Because the ids read each time include the id of the point with the minimum value, the points corresponding to the randomly added fake ids are never selected, which is equivalent to pruning them.
3. Data compression: to make full use of the Paillier plaintext space, the content of each grid cell is likewise compressed using formula (1). Through this computation, multiple numbers can be represented as a single number and encrypted in one operation, which makes full use of the Paillier plaintext space and reduces the number of encryptions.
4. Encrypt with the public key pk to obtain SG: the matrix and the vector w are encrypted using pk, giving SG and $E_{pk}(w)$. The resulting encrypted grid SG is shown in Fig. 2(d); the content of each encrypted grid cell is expressed as
Security analysis: server C1 holds the encrypted data structures but not the private key sk, so it cannot decrypt the data; server C2 holds the private key sk but no data. Apart from the size of the data set, servers C1 and C2 cannot obtain any useful information about the data, so data privacy is protected.
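The data compression step above, as an added example that is not code from the patent: the slot layout (slot i occupies bits i·σ up to (i+1)·σ) is an assumption, because the compression formula itself is absent from this page, and `pack`, `unpack` and `add_masks` are hypothetical names. It shows why σ has to exceed the bit length of the data once random masks are added to a packed value.

```python
"""Slot packing for SVD/SG entries and for masking packed ids.
Assumed layout: slot i occupies bits [i*sigma, (i+1)*sigma)."""


def pack(values, sigma):
    """Pack non-negative integers into one plaintext, sigma bits per slot."""
    packed = 0
    for i, v in enumerate(values):
        if v < 0 or v >> sigma:
            raise ValueError(f"value {v} does not fit in {sigma} bits")
        packed |= v << (i * sigma)
    return packed


def unpack(packed, count, sigma):
    """Split a packed plaintext back into `count` slots."""
    slot_mask = (1 << sigma) - 1
    return [(packed >> (i * sigma)) & slot_mask for i in range(count)]


def add_masks(ids, masks, sigma):
    """Add one mask per slot with a single big-integer addition. This is
    what multiplying two Paillier ciphertexts does to the packed
    plaintexts inside them."""
    return unpack(pack(ids, sigma) + pack(masks, sigma), len(ids), sigma)


def slots_per_plaintext(plaintext_bits, sigma):
    """How many sigma-bit slots fit in one Paillier plaintext."""
    return plaintext_bits // sigma


# Constructed sample: three 8-bit region ids and three 8-bit masks.
IDS = [200, 13, 255]
MASKS = [100, 250, 7]

if __name__ == "__main__":
    # sigma equal to the data width: carries spill into the next slot.
    print("sigma=8:", add_masks(IDS, MASKS, 8))
    # sigma one bit wider: every slot holds id + mask exactly.
    print("sigma=9:", add_masks(IDS, MASKS, 9))
    print("slots in 1024 bits:", slots_per_plaintext(1024, 9))
```
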
Step 2: the user User encrypts their own query Q with the public key pk to generate the encrypted query request $E_{pk}(Q)$ and sends this query request to server C1, where the vector $Q = (x, y)$ is the coordinate the user wants to query, and encryption gives the query request $E_{pk}(Q) = \{E_{pk}(x), E_{pk}(y)\}$;
Security analysis: in this process server C1 can obtain the user's encrypted query request Q, but C1 does not have the private key sk, cannot decrypt the query Q, and so cannot learn the query content; server C2 holds the private key sk but does not have the query Q. The user's query privacy is therefore protected.
Step 3: after server C1 obtains the encrypted index structures SVD and SG and the encrypted query request $E_{pk}(Q)$, the secure kNN query must be carried out through secure two-party computation while meeting the privacy requirements above. A secure kNN query on ciphertext has to compute the Euclidean distance between two points and compare sizes, so it needs support for some basic computations on ciphertext, such as multiplication and division. Because the Paillier encryption scheme supports only the additive homomorphic operation on two ciphertexts and the multiplicative homomorphic operation between a ciphertext and a plaintext, basic operations between two ciphertexts such as multiplication, division and taking the minimum cannot be handled directly. The existing basic secure sub-protocols include the secure multiplication protocol (Secure Multiplication, abbreviated SM) and the secure squared Euclidean distance protocol (Secure Squared Euclidean Distance, abbreviated SSED); the secure kNN query protocol designed in this invention calls these sub-protocols directly. For secure sub-protocols that do not exist or have defects, the invention designs a series of security protocols based on two-party computation, including the secure division protocol (Secure Division, abbreviated SD), the secure minimum protocol (Secure Minimum, abbreviated SMIN), the secure grid computation protocol (Secure Grid Computation, abbreviated SGC) and the secure Voronoi cell computation protocol (Secure Voronoi Cell Computation, abbreviated SVCC). The specific protocols are as follows:
Secure division protocol SD: given two encrypted integers a and b within a range at server C1, C1 and C2 perform truncated division on the two encrypted values through two-party computation, and the encrypted quotient is obtained at server C1. While the protocol runs, the encrypted data and the quotient are held only by server C1, and server C2 holds only the key sk.
The principle of the protocol is shown in formula (5): for arbitrary
$$(a r_1 + b r_1 r_2 + r_3)/(b r_1) = a/b + r_2 \qquad (2)$$
where $r_3 < r_1$, K is the bit size of the Paillier encryption key, and $l_{data}$ is the bit length of the data a, b.
The specific steps of the secure division protocol SD are as follows:
1. Server C1 generates random numbers: server C1 holds the encrypted data $E_{pk}(a)$, $E_{pk}(b)$, and server C2 holds the private key sk. Server C1 first generates random numbers $r_1, r_2, r_3$ satisfying $r_3 < r_1$.
2. Combine the random numbers with the ciphertexts under the public key pk and send the results to server C2: using the generated random numbers and the public key pk, server C1 computes $E_{pk}(a r_1 + b r_1 r_2 + r_3)$ and $E_{pk}(b r_1)$ and sends them to server C2. The specific calculation formulas are as follows:
3. Server C2 decrypts with the private key sk: after receiving $E_{pk}(a r_1 + b r_1 r_2 + r_3)$ and $E_{pk}(b r_1)$ from C1, server C2 decrypts each of them with the private key sk to obtain $\lambda'_a$ and $\lambda'_b$. The decryption formulas are as follows:
$$\lambda'_a = D_{sk}(E_{pk}(a r_1 + b r_1 r_2 + r_3)) = a r_1 + b r_1 r_2 + r_3 \qquad (5)$$
$$\lambda'_b = D_{sk}(E_{pk}(b r_1)) = b r_1 \qquad (6)$$
4. Server C2 divides the decrypted results $\lambda'_a$ and $\lambda'_b$, encrypts the resulting quotient with the public key and sends it to C1: server C2 computes $\lambda'_a/\lambda'_b \pmod n$, where mod denotes the modulo operation, encrypts it to obtain $E_{pk}(\lambda'_a/\lambda'_b)$, and sends it to server C1.
5. Server C1 computes the encrypted result of the secure division protocol: after receiving $E_{pk}(\lambda'_a/\lambda'_b)$, server C1 computes the encrypted $E_{pk}(a/b)$ using formula (7).
$$E_{pk}(a/b) = E_{pk}(\lambda'_a/\lambda'_b) * E_{pk}(r_2)^{N-1} \qquad (7)$$
where $E_{pk}(r_2)^{N-1} = E_{pk}(-r_2)$, so that $r_2$ can be subtracted under encryption through a ciphertext operation, and N is the product of the two large primes in the Paillier public key pk.
Security analysis: in this process server C1 can obtain the encrypted data and the encrypted division result, but C1 does not have the private key sk, cannot decrypt, and so cannot learn the data or the result; server C2 holds the private key sk but no data. Data privacy and result privacy are therefore protected. In addition, the data that C1 sends to C2 in this process are random numbers, and the data that C2 sends to C1 are Paillier probabilistically encrypted data, so data access pattern privacy is protected.
Secure minimum protocol SMIN: given t encrypted integers within a range and an encrypted range value c at server C1, C1 and C2 use secure two-party computation to compute, under encryption, the minimum among those of the t encrypted integers that are greater than the range value c, and generate from this minimum an encrypted sequence of length t that corresponds position by position to the t encrypted integers: the position of the minimum holds an encrypted 1 and the others hold an encrypted 0. This encrypted sequence is obtained at server C1. While the protocol runs, the encrypted data and the minimum sequence are held only by server C1, and server C2 holds only the key sk.
The principle of the protocol is: given t integers, compute for each $x_i$:
$$x'_i = x_i * r_{max} + r_i \qquad (8)$$
where $r_i < 2^{K-l-1}$, the $r_i$ are all different, and $r_{max}$ is the maximum of the $r_i$. When the $r_i$ are sufficiently large, formula (8) yields t unequal random integers, and $x'_i$ and $x_i$ keep the same partial order.
The specific steps of the secure minimum protocol SMIN are as follows:
1. Server C1 generates random numbers: server C1 holds the encrypted data $E_{pk}(x_1), \dots, E_{pk}(x_t)$ and the encrypted range value $E_{pk}(c)$, and server C2 holds the private key sk. Server C1 first generates t+1 random numbers $\{r_1, \dots, r_{t+1}\}$ satisfying the required condition. It then selects the maximum of these t+1 random numbers and denotes it $r_{max}$, and relabels the remaining random numbers in turn as $\{r_1, \dots, r_t\}$.
2. Server C1 computes on each encrypted value to obtain the encrypted difference $E_{pk}(x_i - c)$ between each encrypted integer and the encrypted range value. The specific calculation formula is as follows:
$$E_{pk}(x_i - c) = E_{pk}(x_i) * E_{pk}(c)^{N-1} \qquad (9)$$
3. Server C1 adds random numbers to each encrypted difference: server C1 applies formula (8) to each encrypted difference $E_{pk}(x_i - c)$ to obtain the encrypted perturbed value $E_{pk}(\theta_i)$ after the random numbers are added. The specific calculation formula is as follows:
4. Server C1 shuffles the order of these t values and sends them to server C2. The calculation formula is as follows:
$$E_{pk}(\theta') = \pi(E_{pk}(\theta)) \qquad (11)$$
5. Server C2 decrypts: after receiving the $E_{pk}(\theta'_i)$, server C2 decrypts these values to obtain the $\theta'_i$.
6. Server C2 computes the minimum among the $\theta'_i$ and records the index i of this minimum in the sequence θ' as min.
7. Server C2 generates a sequence Δ' of length t in which $\Delta'_{min}$ is 1 and the remaining values are 0. It encrypts all elements of Δ' to obtain $E_{pk}(\Delta')$ and sends it to server C1.
8. Server C1 obtains the encrypted result of the secure minimum protocol with the inverse function: after receiving the sequence $E_{pk}(\Delta')$, server C1 applies the inverse of formula (11), namely formula (12), to obtain the encrypted 0/1 sequence $E_{pk}(\Delta)$ that marks the minimum and corresponds position by position to the encrypted data $E_{pk}(x_1), \dots, E_{pk}(x_t)$. The specific calculation formula is as follows:
$$E_{pk}(\Delta) = \pi^{-1}(E_{pk}(\Delta')) \qquad (12)$$
Security analysis: in this process server C1 can obtain the encrypted data and the encrypted division result, but C1 does not have the private key sk, cannot decrypt, and so cannot learn the data or the result. Server C2 can obtain the perturbed differences by decrypting; because solving a system of equations with (t+1) variables and t equations is an NP-hard problem, it is very difficult for C2 to learn the values of the $x_i$ to be compared and of c, so data privacy is protected. Moreover, because the sequence C1 sends to C2 is shuffled and C2 does not know the permutation function, even if C2 computes the corresponding minimum it cannot map it back to the true order, so access pattern privacy is protected.
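The SD and SMIN exchanges described above, simulated in one process as an added example (not code from the patent): the toy primes, the 40-bit mask size, the 16-bit data size and all function names are assumptions. Functions prefixed `c2_` are the only ones that use the private key; in `secure_min`, values below c wrap to just under N after the subtraction, so they never come out as the minimum.

```python
"""Toy two-server run of the SD and SMIN sub-protocols over Paillier.
Primes, bit lengths and function names are illustrative assumptions."""
import secrets

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, N2 = P * Q, (P * Q) ** 2
PHI = (P - 1) * (Q - 1)          # private key sk, held by C2 only
MU = pow(PHI, -1, N)
MASK_BITS = 40                   # assumed mask size; data assumed < 2**16


def enc(m):
    """E_pk(m) with g = N + 1; randomised, so equal plaintexts differ."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2


def dec(c):
    """D_sk(c); only server C2 may call this."""
    return (pow(c, PHI, N2) - 1) // N * MU % N


def add(c1, c2):
    """Additive homomorphism: E(m1) * E(m2) mod N^2 = E(m1 + m2)."""
    return c1 * c2 % N2


def scale(c, k):
    """Ciphertext-plaintext multiplication: E(m)^k mod N^2 = E(k * m)."""
    return pow(c, k, N2)


def c2_divide(c_num, c_den):
    """C2 side of SD: decrypt both blinded values, return E(quotient)."""
    return enc(dec(c_num) // dec(c_den))


def secure_division(c_a, c_b):
    """C1 side of SD: from E(a), E(b) with b != 0 obtain E(a // b)."""
    r1 = secrets.randbits(MASK_BITS) + 2
    r2 = secrets.randbits(MASK_BITS) + 1
    r3 = secrets.randbelow(r1)                        # r3 < r1
    blinded_num = add(add(scale(c_a, r1), scale(c_b, r1 * r2)), enc(r3))
    blinded_den = scale(c_b, r1)
    c_q = c2_divide(blinded_num, blinded_den)         # E(a // b + r2)
    return add(c_q, scale(enc(r2), N - 1))            # formula (7)


def c2_argmin(cts):
    """C2 side of SMIN: decrypt the shuffled blinded values and return an
    encrypted one-hot vector marking the smallest of them."""
    plain = [dec(c) for c in cts]
    winner = plain.index(min(plain))
    return [enc(1 if i == winner else 0) for i in range(len(cts))]


def secure_min(c_xs, c_c):
    """C1 side of SMIN: encrypted 0/1 vector marking the smallest x_i
    that is not below c."""
    t = len(c_xs)
    masks = set()
    while len(masks) < t + 1:                         # t + 1 distinct masks
        masks.add(secrets.randbits(MASK_BITS) + 1)
    masks = sorted(masks)
    r_max = masks.pop()                               # largest one is r_max
    rng = secrets.SystemRandom()
    rng.shuffle(masks)
    neg_c = scale(c_c, N - 1)                         # E(-c), formula (9)
    theta = [add(scale(add(c_x, neg_c), r_max), enc(r))   # formula (8)
             for c_x, r in zip(c_xs, masks)]
    perm = list(range(t))
    rng.shuffle(perm)                                 # pi, formula (11)
    marked = c2_argmin([theta[i] for i in perm])
    out = [None] * t
    for pos, i in enumerate(perm):                    # pi^-1, formula (12)
        out[i] = marked[pos]
    return out


if __name__ == "__main__":
    # Constructed inputs; dec() is used here only to display the results.
    print("47 // 5 =", dec(secure_division(enc(47), enc(5))))
    xs = [900, 120, 455, 310]
    print("one-hot:", [dec(c) for c in secure_min([enc(x) for x in xs], enc(200))])
```
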
Secure grid computation protocol SGC: given the encrypted grid SG, the encrypted grid cell side length $E_{pk}(w)$ and the encrypted query request $E_{pk}(Q)$ at server C1, with C2 holding the private key sk, C1 and C2 use secure two-party computation to compute, under encryption, the grid cell containing the query and to retrieve the content stored in that grid cell. During the computation, the encrypted coordinates of the grid cell and the encrypted content stored in the grid cell are obtained only at server C1, and C2 cannot obtain any useful information about these contents.
The specific steps of the secure grid computation protocol SGC are as follows:
1. Server C1 computes the encrypted coordinates of the grid cell containing query Q: server C1 holds the encrypted grid SG, the encrypted grid cell side length $E_{pk}(w)$ and the encrypted query request $E_{pk}(Q)$, and server C2 holds the private key sk. In each dimension, that is, on the x-axis and the y-axis, server C1 first uses the secure division protocol SD to divide the coordinate of the encrypted query by the side length of the grid cell in that dimension, which gives the encrypted coordinate $E_{pk}(x_i)$, in that dimension, of the grid cell g containing query Q. Since the invention applies to queries in location-based services, the vectors mentioned here are two-dimensional. The specific calculation formula is as follows:
$$E_{pk}(x_i) = SD(E_{pk}(Q_i), E_{pk}(w_i)) \qquad (13)$$
2. In each of the two dimensions, server C1 computes the encrypted difference between the coordinate of each grid cell $g_i$ and the coordinate of the grid cell g containing the query point, obtaining two encrypted one-dimensional vectors $E_{pk}(\alpha)$, $E_{pk}(\beta)$. Assuming there are $n_i$ grid cells in each dimension, the coordinates of these grid cells run from 0 to $n_i - 1$. The specific calculation formula is as follows:
$$E_{pk}(\alpha_i) = E_{pk}(x_1 - i), \quad E_{pk}(\beta_i) = E_{pk}(x_2 - i) \qquad (14)$$
3. Server C1 multiplies each of the two encrypted one-dimensional vectors by random numbers to obtain the perturbed results: server C1 multiplies each $E_{pk}(\alpha_i)$ and $E_{pk}(\beta_i)$, under encryption, by a random number r to obtain the perturbed values, denoted $E_{pk}(\alpha'_i)$ and $E_{pk}(\beta'_i)$, in which the coordinate of the grid cell containing the query is $E_{pk}(0)$ and all the others are random numbers. Note that the random number used for each value is different; for convenience we write all of them as r, and the protocols described below follow the same convention. The specific formula is as follows:
$$E_{pk}(\alpha'_i) = E_{pk}(\alpha_i)^r, \quad E_{pk}(\beta'_i) = E_{pk}(\beta_i)^r \qquad (15)$$
4. Server C1 uses formula (11) to shuffle $E_{pk}(\alpha')$ and $E_{pk}(\beta')$ and sends them to server C2.
5. Server C2 decrypts and processes: after receiving $E_{pk}(\alpha'_i)$ and $E_{pk}(\beta'_i)$, server C2 decrypts them with the private key sk and generates the corresponding $\mu_i$ and $\chi_i$, where $\mu_i$ is 1 if $\alpha'_i = 0$, $\chi_i$ is 1 if $\beta'_i = 0$, and all the others are 0.
6. Server C2 encrypts the decrypted and processed results with the public key pk and sends them to server C1: server C2 encrypts $\mu_i$ and $\chi_i$ with the public key pk to obtain $E_{pk}(\mu_i)$ and $E_{pk}(\chi_i)$ and sends them to server C1.
7. After receiving $E_{pk}(\mu)$ and $E_{pk}(\chi)$, server C1 uses formula (12) to restore the vectors to their original order.
8. Server C1 uses the secure multiplication protocol SM and the additive homomorphic property of Paillier to compute the vector dot product μ·SG·χ; equivalently, for each grid cell $g_{ij}$ it computes the encrypted value $E_{pk}(g_{ij} \mu_i \chi_j)$ and then adds all the encrypted results, which gives the encrypted value of the grid cell g containing the query. Because Paillier is a probabilistic encryption scheme, the $E_{pk}(g)$ computed this way cannot be matched to the ciphertexts in the grid. The specific formula is as follows:
where the number of grid cells in the partition is $m = n_1 * n_2$, $n_1$ is the number of grid cells along the x-axis, and $n_2$ is the number of grid cells along the y-axis.
Security analysis: in this process server C1 can obtain the encrypted data and the encrypted result, but C1 does not have the private key sk, cannot decrypt, and so cannot learn the data or the result. The sequence that server C2 obtains by decrypting is shuffled, and the permutation function is invisible to C2, so C2 cannot map it back to the true order and cannot obtain the coordinates of the grid cell. Moreover, because Paillier is a probabilistic encryption scheme, C1 cannot match the computed $E_{pk}(g)$ to the ciphertexts in the grid, so access pattern privacy is protected.
Secure Voronoi cell computation protocol SVCC: given at server C1 the encrypted Voronoi data structure SVD, the encrypted Voronoi region ids $E_{pk}(a_1|\dots|a_\lambda)$ and λ, where λ is the number of compressed ids, with C2 holding the private key sk, C1 and C2 use secure two-party computation to compute, under encryption, the Voronoi regions corresponding to the query and to retrieve the encrypted value of each region's seed node and the encrypted ids of its adjacent regions. During the computation, the encrypted Voronoi region ids and the values of the regions are obtained only at server C1, and C2 cannot obtain any useful information about these contents.
The specific steps of the secure Voronoi cell computation protocol SVCC are as follows:
1. Server C1 generates random numbers, then compresses and encrypts them: server C1 holds the encrypted Voronoi regions SVD, the encrypted Voronoi region ids $E_{pk}(a_1|\dots|a_\lambda)$ and the number λ of compressed ids, and server C2 holds the private key sk. Server C1 first generates λ random numbers r, compresses them using formula (4) and encrypts them with $E_{pk}(\cdot)$ to obtain $E_{pk}(r_1|\dots|r_\lambda)$.
2. Server C1 adds the encrypted compressed random numbers $E_{pk}(r_1|\dots|r_\lambda)$ and the encrypted Voronoi region ids $E_{pk}(a_1|\dots|a_\lambda)$ using the additive homomorphic property of Paillier to obtain $E_{pk}(a'_1|\dots|a'_\lambda)$, which is equivalent to adding $a_i$ and $r_i$ and then compressing and encrypting. The specific calculation formula is as follows:
$$E_{pk}(a'_1|\dots|a'_\lambda) = E_{pk}(r_1 + a_1|\dots|r_\lambda + a_\lambda) = E_{pk}(r_1|\dots|r_\lambda) * E_{pk}(a_1|\dots|a_\lambda) \qquad (17)$$
3. Server C1 sends $E_{pk}(a'_1|\dots|a'_\lambda)$ to server C2.
4. After receiving $E_{pk}(a'_1|\dots|a'_\lambda)$, server C2 decrypts it with the private key sk and then decompresses it according to formula (4) to obtain the λ values $a'_1, \dots, a'_\lambda$.
5. Server C2 obtains a two-dimensional array by computation: server C2 computes each $c_i = a'_i \bmod n$ and, for each $c_i$, generates a sequence $\alpha_i$ of length n in which one entry is 1 and all the others are 0, where n is the number of Voronoi regions. In total C2 generates λ sequences, giving a two-dimensional array α of size λ * n.
6. Server C2 encrypts each $\alpha_{ij}$ with the public key pk to obtain $E_{pk}(\alpha_{ij})$ and sends the encrypted two-dimensional array $E_{pk}(\alpha)$ to server C1.
7. After receiving $E_{pk}(\alpha)$, server C1 generates a sequence β of length n that stores the selection value for the Voronoi region at each real index from 0 to n-1: by computation, the ids contained in the encrypted Voronoi region ids $E_{pk}(a_1|\dots|a_\lambda)$ correspond to $E_{pk}(1)$ in $E_{pk}(\beta)$, and the rest correspond to $E_{pk}(0)$. The specific calculation formula is as follows:
8. Server C1 uses formula (11) to shuffle $E_{pk}(\beta)$ and sends it to server C2;
9. After receiving $E_{pk}(\beta)$, server C2 decrypts it to obtain β. The indices of the β sequence are divided into λ groups G such that each group $G_i$ has one and only one element with $\beta_i = 1$.
10. Server C2 shuffles the elements in each group $G_i$ and sends all groups G to server C1.
11. After receiving the groups G, server C1 uses formula (12) to restore the shuffled indices in G to the indices of the original order, and restores $E_{pk}(\beta)$ to its original order.
12. For each group $G_i$, server C1 computes the encrypted value $E_{pk}(v_i)$ of the corresponding Voronoi region's seed node and the encrypted ids $E_{pk}(a_i)$ of that Voronoi region's adjacent regions. The specific calculation formulas are as follows:
where c is the number of elements in group $G_i$.
The additive homomorphic operation uses the Paillier additive encryption scheme:
For plaintexts $m_1$ and $m_2$, multiplying the ciphertexts $E_{pk}(m_1)$ and $E_{pk}(m_2)$ within the ciphertext group is equivalent to adding $m_1$ and $m_2$ and then encrypting, where $E_{pk}(\cdot)$ denotes the encryption operation and $D_{sk}(\cdot)$ denotes the decryption operation. The formula is as follows:
$$D_{sk}\big(E_{pk}(m_1)\,E_{pk}(m_2) \bmod N^2\big)=m_1+m_2 \bmod N \tag{21}$$
The multiplicative homomorphic operation uses the Paillier multiplicative encryption scheme:
For plaintexts, raising the ciphertext $E_{pk}(m_1)$ to the power $m_2$ within the ciphertext group is equivalent to multiplying $m_1$ and $m_2$ and then encrypting. The formula is as follows:
Here $N$ is the product of the two large primes in the Paillier public key pk.
Security analysis: in this process, server C1 can obtain the encrypted data and the encrypted result, but C1 does not have the private key sk and cannot decrypt them, so it cannot learn the content of the data or the result. The sequence that server C2 obtains through decryption is shuffled, and the permutation function is invisible to C2, so C2 cannot map the sequence back to the true order and cannot obtain the index of the required Voronoi region. At the same time, because Paillier is a probabilistic encryption scheme, C1 cannot match the computed $E_{pk}(v_i)$ and $E_{pk}(a_i)$ to the ciphertexts in SVD, which protects access-pattern privacy.
Step 4: based on the secure sub-protocols above, the present invention designs the secure kNN query protocol SkNN to complete secure kNN queries over ciphertext. The protocol takes as input, at server C1, the encrypted query request $E_{pk}(Q)$ and the encrypted secure index structures SVD, SG and $E_{pk}(w)$. Through secure two-party computation between C1 and C2, it searches the index structure for the $k$ encrypted points nearest to $E_{pk}(Q)$; these $k$ encrypted points are the kNN result and are obtained at C1. The main idea of the kNN query is as follows: C1 and C2 first use the secure grid computation protocol SGC to compute the grid cell containing the query request $E_{pk}(Q)$, thereby obtaining the encrypted indices of the Voronoi regions covered by that cell; according to these indices, the values of the seed nodes of these regions and the ids of their adjacent regions are computed from SVD; the secure squared Euclidean distance protocol SSED is used to compute the squared Euclidean distance from the query point $E_{pk}(Q)$ to these seed nodes, after which the secure minimum protocol SMIN computes the minimum; the minimum obtained is added to the kNN result and is the NN object; the values of these adjacent regions are read and the 2NN is computed; the 3NN is computed from the adjacent regions of the NN object and the 2NN object; and so on, until the kNN result is obtained.
The specific steps of the secure kNN query protocol SkNN are as follows:
1. Server C1 initializes three arrays: server C1 holds the encrypted query request $E_{pk}(Q)$ and the encrypted secure index structures SVD, SG and $E_{pk}(w)$, and server C2 holds the private key sk. First, server C1 initializes three arrays, which respectively represent the seed node set of the candidate Voronoi regions, the subsequent Voronoi region id set, and the candidate distance set. The first stores the values of the encrypted seed nodes currently read, so that the current minimum result can later be read and added to the result set $E_{pk}(R)$; the second stores the encrypted ids of the regions adjacent to the previous $(k-1)$ Voronoi regions, for computing the kNN; the third stores the encrypted squared Euclidean distances of the objects currently to be compared. C1 also initializes the current minimum distance $E_{pk}(d_{temp})$ to $E_{pk}(0)$.
2. Servers C1 and C2 use the secure grid computation protocol SGC to compute the grid cell containing the query request $E_{pk}(Q)$, thereby obtaining the encrypted indices $E_{pk}(a)$ of the Voronoi regions covered by that cell.
3. Servers C1 and C2 use the secure Voronoi cell computation protocol SVCC to compute the seed node values $E_{pk}(v_i)$ and the adjacent region ids $E_{pk}(a_i)$ corresponding to $E_{pk}(a)$, and add these values to the seed node set and the subsequent Voronoi region id set respectively.
4. Servers C1 and C2 use the secure squared Euclidean distance protocol SSED to compute, one by one, the squared Euclidean distance $E_{pk}(d_i)$ between the encrypted query $E_{pk}(Q)$ and each seed node $E_{pk}(v_i)$ computed in step 3, and then add these values to the candidate distance set.
5. Servers C1 and C2 use the secure minimum protocol SMIN to compute the minimum value in the candidate set that is greater than the current minimum distance $E_{pk}(d_{temp})$, obtaining the encrypted 0/1 sequence of the minimum.
6. Treating the arrays as one-dimensional vectors, server C1 computes the encrypted dot products, where the subscript enc denotes the encrypted dot-product computation. This yields the encrypted seed node value $E_{pk}(v)$ corresponding to the minimum found in step 5, the encrypted ids $E_{pk}(a)$ of the adjacent Voronoi regions, and the encrypted squared Euclidean distance $E_{pk}(d_{temp})$; that is, this step updates the values of $E_{pk}(a)$ and $E_{pk}(d_{temp})$.
Suppose the encrypted dot product of two encrypted vectors $A$ and $B$ of length $\lambda$ is to be computed; the specific formula for the encrypted dot product $A\cdot_{enc}B^{T}$ is as follows:
7. Server C1 adds $E_{pk}(v)$ to the result set $E_{pk}(R)$.
8. Server C1 empties the candidate sets.
9. Servers C1 and C2 repeat steps 2 to 7 until the $k$ nearest-neighbour results are obtained at C1, i.e. until the size of the result set $E_{pk}(R)$ is $k$.
Security analysis:
In the secure kNN query process, the intermediate results obtained at server C1 are probabilistically encrypted data, and C1 cannot infer any other information from these intermediate results. Meanwhile, by the composition theorem for secure protocols, if the sub-protocols that make up the protocol are secure and the intermediate results produced are random numbers or probabilistically encrypted data, then the protocol is secure.
Step 5, return the query result to the user User: server C1 holds the encrypted query result $E_{pk}(R)$ and server C2 holds the key sk. For each of the $k$ query results, server C1 generates two random numbers, compresses and encrypts them, and uses the compressed, encrypted random numbers to perturb the result, obtaining the ciphertext computation result. Server C1 sends the ciphertext computation result to server C2 and sends the $k$ pairs of random numbers to the user User. Server C2 decrypts the perturbed results and obtains $k$ groups of perturbed coordinate values, which it sends to the user User. User receives the $k$ groups of random numbers from server C1 and the $k$ groups of perturbed coordinate values from server C2, and subtracts the corresponding random number from each perturbed coordinate value to obtain the final query result. The computation on the user side involves no encryption, decryption or ciphertext computation, and so does not incur a heavy time cost.
The specific steps for returning the query result are as follows:
1. Server C1 generates $k$ pairs of random numbers, then compresses and encrypts them: server C1 holds the encrypted query result $E_{pk}(R)$ and server C2 holds the key sk. Server C1 first generates $k$ pairs of random numbers $(r_{i1},r_{i2})$, compresses them using formula (4) and encrypts them with the Paillier encryption scheme, obtaining $E_{pk}(r_{i1}|r_{i2})$.
2. Server C1 perturbs each query result $E_{pk}(R_i)$ with $E_{pk}(r_{i1}|r_{i2})$, obtaining the perturbed result $E_{pk}(R'_i)$. The specific calculation formula is as follows:
$$E_{pk}(R'_i)=E_{pk}(R_i+r_{i1}|r_{i2})=E_{pk}(R_i)\cdot E_{pk}(r_{i1}|r_{i2}) \tag{24}$$
3. Server C1 sends the perturbed results $E_{pk}(R'_i)$ to server C2 and sends the $k$ pairs of random numbers $(r_{i1},r_{i2})$ to the user User.
4. After receiving $E_{pk}(R'_i)$, server C2 decrypts it to obtain $R'_i$, and decompresses $R'_i$ according to formula (4) to obtain the perturbed coordinate values $(x'_i,y'_i)$ of the result point.
5. Server C2 sends the $k$ groups of perturbed coordinate values $(x'_i,y'_i)$ to the user User.
6. The user User receives the $k$ groups of random numbers $(r_{i1},r_{i2})$ from server C1 and the $k$ groups of coordinate values $(x'_i,y'_i)$ from server C2. Subtracting the corresponding random number from each coordinate gives the final query result. The specific calculation formula is as follows:
$$x_i=x'_i-r_{i1},\quad y_i=y'_i-r_{i2} \tag{25}$$
Security analysis: server C1 holds the encrypted query results but has no private key sk and cannot decrypt them. Server C2 decrypts only perturbed results; because it does not know the random numbers that were added, and solving a system of equations with $2k$ variables and $k$ equations is an NP-hard problem, it cannot compute the values of the results in effective time, so result privacy is protected.
Advantageous effects:
(1) Protects the privacy of the data on the server: during the query, data is prevented from leaking to malicious attackers, and data other than the query result is prevented from leaking to the user. That is, apart from providing users with the query results they need, the data stored on the server cannot be obtained by anyone, including the server.
(2) Protects the privacy of the user's query request: during the query, the user's query request (i.e. the location the user queries) is not revealed to attackers or to the server. With the protocol designed here, the user can carry out a secure kNN query and obtain exact results without the server knowing what the query request is.
(3) Protects the privacy of the user's query result: after the query completes, the query result can be obtained only by the user; neither the server nor other malicious attackers can learn what the user's query result is.
(4) Protects the access pattern during the query: the data access pattern during the query is effectively hidden, i.e. information about which data is accessed is hidden from the server, and all intermediate results produced during the query computation are hidden. This effectively prevents the server from mounting inference attacks on the data on the server and on the user's query requests using historical records and background knowledge.
(5) Accurate query results: with privacy protected as above, the protocol designed here still obtains accurate and correct query results. This differs from most privacy-preserving queries, which can only obtain approximate results; the improvement in security does not sacrifice the accuracy of the query result.
(6) Applicable to mobile devices with low processing capability: in the method designed by the invention, the client does not take part in ciphertext computation. In the whole query process it only needs to perform two operations: encrypting its own query and subtracting the random numbers from the perturbed results. Neither operation places demands on the client's data-processing capability, so the method is suitable for clients with low processing capability and can be used on low-end mobile devices.
(7) Queries complete in effective time: most encryption-based protocols have a large time complexity and can hardly obtain query results in effective time. The present invention is built on an encrypted index structure, and the time complexity of its exponentiation operations is O(n+m). That is, for 1,000 data points, on a computer configured with [email protected], 8GB RAM, a user can complete a query with k=3 within 30 min, which is clearly better than comparable algorithms that guarantee the same security and generally need about 3 hours to complete the query.
Description of the drawings
Fig. 1 is a block diagram of the LBS-based secure kNN query method of an embodiment of the present invention;
Fig. 2(a) is the secure Voronoi diagram of an embodiment of the present invention;
Fig. 2(b) is the secure SVD diagram of an embodiment of the present invention;
Fig. 2(c) is the secure grid division diagram of an embodiment of the present invention;
Fig. 2(d) is the secure SG diagram of an embodiment of the present invention;
Fig. 3 is a flow chart of the LBS-based secure kNN query method of an embodiment of the present invention;
Fig. 4 is a flow chart of generating the secure Voronoi diagram SVD in an embodiment of the present invention;
Fig. 5 is a flow chart of generating the secure grid division SG in an embodiment of the present invention;
Fig. 6 is a flow chart of the secure division protocol SD of an embodiment of the present invention;
Fig. 7 is a flow chart of the secure minimum protocol SMIN of an embodiment of the present invention;
Fig. 8 is a flow chart of the secure grid computation protocol SGC of an embodiment of the present invention;
Fig. 9 is a flow chart of the secure Voronoi cell computation protocol SVCC of an embodiment of the present invention;
Fig. 10 is a flow chart of the secure kNN query protocol SkNN of an embodiment of the present invention;
Fig. 11 is a flow chart of returning the query result in an embodiment of the present invention.
Specific embodiment
The invention is further described below with reference to the accompanying drawings and a specific implementation example. As shown in Figs. 1 and 3, the detailed process includes:
Step 1: the data owner DO generates the key pair (pk, sk) and the encrypted index structure, where the generated Paillier key length is 1024. DO sends the encrypted index structure to server C1, sends the public key pk to servers C1 and C2 and to the user User, and sends the private key sk to server C2. The Gowalla check-in data set is used, from which 1000 points are randomly selected for testing; the points of interest (POI) are used as data points, and the data are standardized to 16 big integers. The data owner DO takes the processed data points as seed nodes, constructs the Voronoi diagram using Fortune's algorithm, then performs the grid division, and generates the encrypted index structures SVD and SG;
The encrypted index structure comprises the secure Voronoi diagram SVD and the secure grid division SG;
The key pair (pk, sk) is generated with the Paillier encryption scheme, where the public key pk is used to encrypt data and the private key sk is used to decrypt data;
The specific steps for generating the encrypted index structure are as follows:
(1) Generate the secure Voronoi diagram SVD, as shown in Fig. 4:
1. Perform the Voronoi division: DO holds the data set $D=\{p_1,\dots,p_n\}$, where each data point $p_i=\{x,y\}$ and $n=1000$. A Voronoi division is performed on the data set $D$; the result is shown in Fig. 2(a). The Voronoi diagram divides the plane containing $D$ into $n$ convex polygons, called Voronoi regions. Each Voronoi region $v_i$ contains one and only one data point $p_i$, called the seed node of the Voronoi region $v_i$. The edge separating two Voronoi regions is the perpendicular bisector of the seed nodes of those two regions. For a Voronoi region $v_i$, the nearest neighbour of any point $q$ falling in the region is the region's seed node $p_i$. By the properties of the Voronoi diagram, the kNN object of a query point $q$ lies among the seed nodes of the Voronoi regions adjacent to the previously computed $(k-1)$NN.
2. According to the Voronoi division, all Voronoi regions in the Voronoi diagram are stored in random order in the array V, and the index of a region $v_i$ in the array serves as its id. Each Voronoi region $v_i$ is represented by a tuple, in which $(x_i,y_i)$ are the coordinates of the seed node $p_i$ of region $v_i$, $a_{ij}$ is the id of a Voronoi region adjacent to $v_i$, and $t_1$ is the number of Voronoi regions adjacent to that Voronoi region.
3. Add false data: to prevent an attacker from distinguishing a queried Voronoi region by its number of adjacent Voronoi regions, false adjacent Voronoi region ids are added to the array so that the number of adjacent regions is the fixed value $t_1$. The false ids added here are real indices that exist in the array, but they are not ids of regions adjacent to the region concerned, and they are all different. These false ids are pruned during the subsequent query.
4. Data compression: to make full use of the Paillier plaintext space (Paillier usually has a plaintext space of 1024 bits), the coordinates of each region $v_i$ stored in the array and the ids of its adjacent regions are compressed using the following formula:
Here $\lambda$ is the number of data items compressed and $\sigma$ is the bit length used for each compressed item. To make it convenient to add random-number perturbation to the compressed ids in the subsequent protocols, $\sigma$ is greater than the bit length of the data itself; the test uses 78. With this calculation, multiple numbers can be expressed as a single number and encrypted once, which makes full use of the Paillier plaintext space and reduces the number of encryptions.
5. The array is encrypted with pk to obtain SVD. The resulting encrypted Voronoi division SVD is shown in Fig. 2(b); Fig. 2(a) is the figure for intuitive understanding, and Fig. 2(b) is the data structure stored in the implementation.
Each entry stores the encrypted tuple of the corresponding Voronoi region; $t_1=13$ in the test.
(2) Generate the secure grid division SG, as shown in Fig. 5:
1. A grid division is performed on top of the Voronoi division above; the result is shown in Fig. 2(c). The grid division divides the Voronoi diagram into $m$ grid cells, and the side length of each cell is represented by the vector $w$; $m=16*16$ in the test. The grid division can be stored as a matrix, whose row and column indices correspond to the coordinates of the grid cell in the two dimensions. Each grid cell stores the ids of the Voronoi regions it covers, i.e. the ids of the Voronoi regions that intersect it, where $o_{ij}$ is the id of a Voronoi region intersecting cell $g_i$ and $t_2$ is the number of Voronoi regions intersecting the cell.
2. Add false data: to prevent an attacker from distinguishing a queried grid cell by the number of Voronoi regions that intersect it, false Voronoi region ids are added to the matrix so that the number of ids in every grid cell is the fixed value $t_2$. The false ids added here are real indices that exist in the array, but they are not ids of regions intersecting the cell, and they are all different. These false ids are pruned during the subsequent query.
3. Data compression: to make full use of the Paillier plaintext space, the content of each grid cell is likewise compressed using formula (1). With this calculation, multiple numbers can be expressed as a single number and encrypted once, which makes full use of the Paillier plaintext space and reduces the number of encryptions.
4. Encrypt with the public key pk to obtain SG: the matrix and the vector $w$ are encrypted with pk, giving SG and $E_{pk}(w)$. The resulting encrypted grid SG is shown in Fig. 2(d); Fig. 2(c) is the figure for intuitive understanding, and Fig. 2(d) is the data structure stored in the implementation. $t_2=38$ in the test.
Security analysis: server C1 holds the encrypted data structure but does not have the private key sk, so it cannot decrypt the data; server C2 holds the private key sk but has no data. Other than the size of the data set, servers C1 and C2 cannot access any effective information about the data, which protects data privacy.
Step 2: the user User encrypts its own query Q with the public key pk to generate the encrypted query request $E_{pk}(Q)$ and sends this request to server C1, where the vector $Q=(x,y)$ is the coordinate the user wants to query and encryption gives the query request $E_{pk}(Q)=\{E_{pk}(x),E_{pk}(y)\}$;
Security analysis: in this process, server C1 can obtain the user's encrypted query request Q, but C1 does not have the private key sk and cannot decrypt the query Q, so it cannot learn the query content; server C2 holds the private key sk but does not have the query Q. The user's query privacy is therefore protected.
Step 3: after server C1 obtains the encrypted index structures SVD and SG and the encrypted query request $E_{pk}(Q)$, it needs to carry out the secure kNN query through secure two-party computation while meeting the privacy requirements above. A secure kNN query over ciphertext needs to compute the Euclidean distance between two points and compare sizes, so it needs support for some basic computations over ciphertext, such as multiplication and division over ciphertext. Because the Paillier encryption scheme only supports the additive homomorphic operation between two ciphertexts and the multiplicative homomorphic operation between a ciphertext and a plaintext, basic operations such as multiplication and division between two ciphertexts and finding the minimum cannot be handled directly. Existing basic secure sub-protocols include the secure multiplication protocol (Secure Multiplication, abbreviated SM) and the secure squared Euclidean distance protocol (Secure Squared Euclidean Distance, abbreviated SSED); the secure kNN query protocol designed by the present invention calls these sub-protocols directly. For secure sub-protocols that do not exist or have defects, the present invention designs a series of secure protocols based on two-party computation, including the secure division protocol (Secure Division, abbreviated SD), the secure minimum protocol (Secure Minimum, abbreviated SMIN), the secure grid computation protocol (Secure Grid Computation, abbreviated SGC) and the secure Voronoi cell computation protocol (Secure Voronoi Cell Computation, abbreviated SVCC). The specific protocol contents are as follows:
Secure division protocol SD: given, at server C1, two encrypted integers $a$ and $b$ within the given range, C1 and C2 perform through two-party computation an encrypted truncating division of the two encrypted values, and the encrypted quotient is obtained at server C1. When the protocol executes, the encrypted data and the quotient are held only by server C1, and server C2 holds only the key sk.
The principle of the protocol is shown in formula (5), for arbitrary
$$(ar_1+br_1r_2+r_3)/(br_1)=a/b+r_2 \tag{2}$$
Here $r_3<r_1$ is one of the conditions on the random numbers, $K$ is the bit size of the Paillier encryption scheme key, and $l_{data}$ is the bit length of the data $a$, $b$.
The specific steps of the secure division protocol SD are as follows, as shown in Fig. 6:
1. Server C1 generates random numbers: server C1 holds the encrypted data $E_{pk}(a)$, $E_{pk}(b)$, and server C2 holds the private key sk. Server C1 first generates random numbers $r_1$, $r_2$, $r_3$ satisfying the conditions above, including $r_3<r_1$.
2. Blind with the random numbers under the public key pk and send to server C2: server C1 uses the generated random numbers and the public key pk to compute $E_{pk}(ar_1+br_1r_2+r_3)$ and $E_{pk}(br_1)$, and sends them to server C2. The specific calculation formulas are as follows:
3. Server C2 decrypts with the private key sk: after receiving $E_{pk}(ar_1+br_1r_2+r_3)$ and $E_{pk}(br_1)$ from C1, server C2 decrypts each of them with the private key sk, obtaining $\lambda'_a$ and $\lambda'_b$. The decryption formulas are as follows:
$$\lambda'_a=D_{sk}(E_{pk}(ar_1+br_1r_2+r_3))=ar_1+br_1r_2+r_3 \tag{5}$$
$$\lambda'_b=D_{sk}(E_{pk}(br_1))=br_1 \tag{6}$$
4. Server C2 divides the two decrypted results $\lambda'_a$ and $\lambda'_b$, encrypts the quotient with the public key and sends it to C1: server C2 computes $\lambda'_a/\lambda'_b \pmod n$ and encrypts it, where mod denotes the modulo operation, obtaining $E_{pk}(\lambda'_a/\lambda'_b)$, which it sends to server C1.
5. Server C1 computes the encrypted result of the secure division protocol: after receiving $E_{pk}(\lambda'_a/\lambda'_b)$, server C1 uses formula (7) to compute the encrypted $E_{pk}(a/b)$.
$$E_{pk}(a/b)=E_{pk}(\lambda'_a/\lambda'_b)\cdot E_{pk}(r_2)^{N-1} \tag{7}$$
Here $E_{pk}(r_2)^{N-1}=E_{pk}(-r_2)$, so the ciphertext operation subtracts $r_2$ under encryption.
Security analysis: in this process, server C1 can obtain the encrypted data and the encrypted division result, but C1 does not have the private key sk and cannot decrypt them, so it cannot learn the content of the data or the result; server C2 holds the private key sk but has no data. Data privacy and result privacy are therefore protected. In addition, the data that C1 sends to C2 in this process are random numbers, and the data that C2 sends to C1 are Paillier probabilistically encrypted data, so data access-pattern privacy is protected.
The content of the secure division protocol SD is shown in Algorithm 1.
Secure minimum protocol SMIN: given, at server C1, $t$ encrypted integers within the given range and an encrypted range value $c$, C1 and C2 compute under encryption, through secure two-party computation, the minimum among the $t$ encrypted integers that is greater than the range value $c$. From this minimum an encrypted sequence of length $t$ is generated that corresponds one-to-one with the $t$ encrypted integers: the position of the minimum holds an encrypted 1 and the rest hold an encrypted 0. This encrypted sequence is obtained at server C1. When the protocol executes, the encrypted data and the minimum sequence are held only by server C1, and server C2 holds only the key sk.
The principle of the protocol is: given $t$ integers, for each $x_i$ compute:
$$x'_i=x_i\cdot r_{max}+r_i \tag{8}$$
Here $r_i<2^{K-l-1}$, all $r_i$ are different, and $r_{max}$ is the maximum of the $r_i$. When the $r_i$ are sufficiently large, formula (8) yields $t$ unequal random integers, and $x'_i$ keeps the same partial order as $x_i$.
The specific steps of the secure minimum protocol SMIN are as follows, as shown in Fig. 7:
1. Server C1 generates random numbers: server C1 holds the encrypted data $E_{pk}(x_1),\dots,E_{pk}(x_t)$ and the encrypted range value $E_{pk}(c)$, and server C2 holds the private key sk. Server C1 first generates $t+1$ random numbers $\{r_1,\dots,r_{t+1}\}$ satisfying the required condition. It then selects the maximum of these $t+1$ random numbers, denoted $r_{max}$, and relabels the remaining random numbers in order as $\{r_1,\dots,r_t\}$.
2. Server C1 processes each encrypted value, obtaining the encrypted difference $E_{pk}(x_i-c)$ between each encrypted integer and the encrypted range value. The specific calculation formula is as follows:
$$E_{pk}(x_i-c)=E_{pk}(x_i)\cdot E_{pk}(c)^{N-1} \tag{9}$$
3. Server C1 adds random numbers to each encrypted difference: server C1 applies formula (8) to each encrypted difference $E_{pk}(x_i-c)$, obtaining the encrypted perturbed value $E_{pk}(\theta_i)$ after the random numbers are added. The specific calculation formula is as follows:
4. Server C1 shuffles these $t$ values and sends them to server C2. The calculation formula is as follows:
$$E_{pk}(\theta')=\pi(E_{pk}(\theta)) \tag{11}$$
5. Server C2 decrypts: after receiving $E_{pk}(\theta'_i)$, server C2 decrypts these values to obtain $\theta'_i$.
6. Server C2 computes the minimum of the $\theta'_i$ and marks the index $i$ of that minimum in the sequence $\theta'$ as min.
7. Server C2 generates a sequence $\Delta'$ of length $t$ in which $\Delta'_{min}$ is 1 and the remaining values are 0. It encrypts all elements of $\Delta'$ to obtain $E_{pk}(\Delta')$ and sends it to server C1.
8. Server C1 obtains the encrypted result of the secure minimum protocol with the inverse function: after obtaining the sequence $E_{pk}(\Delta')$, server C1 applies the inverse of formula (11), i.e. formula (12), to obtain the encrypted 0/1 sequence $E_{pk}(\Delta)$ that maps the minimum and corresponds in order to the encrypted data $E_{pk}(x_1),\dots,E_{pk}(x_t)$. The specific calculation formula is as follows:
$$E_{pk}(\Delta)=\pi^{-1}(E_{pk}(\Delta')) \tag{12}$$
Security analysis: in this process, server C1 can obtain the encrypted data and the encrypted division result, but C1 does not have the private key sk and cannot decrypt them, so it cannot learn the content of the data or the result. Through decryption, server C2 can obtain the perturbed differences; because solving a system of equations with $(t+1)$ variables and $t$ equations is an NP-hard problem, it is very hard for C2 to learn the values of the $x_i$ and $c$ being compared, which protects data privacy. In addition, the sequence that C1 sends to C2 is shuffled and C2 does not know the permutation function, so even though C2 has computed the position of the minimum, it cannot map it back to the true order, which protects access-pattern privacy.
The content of the secure minimum protocol SMIN is shown in Algorithm 2.
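The following is an added example, not code from the patent: a toy Python run of the Paillier homomorphic operations and of the SD and SMIN exchanges described above, with C1 and C2 modelled as functions in one process. The toy key, the random-number sizes, the reading of the missing formula (10) as formula (8) applied to $x_i-c$, and all function names are assumptions.

```python
import secrets

# Constructed toy key: two Mersenne primes so the demo runs instantly offline.
# Far too small and structured for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)        # private key sk: in the protocol only C2 holds it
MU = pow(PHI, -1, N)
RNG = secrets.SystemRandom()


def enc(m):
    """E_pk(m) with g = N + 1: (1 + m*N) * r^N mod N^2 (probabilistic)."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2


def dec(c):
    """D_sk(c) = L(c^phi mod N^2) * mu mod N, with L(u) = (u - 1) / N."""
    return (pow(c, PHI, N2) - 1) // N * MU % N


def h_add(c1, c2):
    """Formula (21): the ciphertext product decrypts to m1 + m2 mod N."""
    return c1 * c2 % N2


def h_mul(c, k):
    """A ciphertext raised to plaintext k decrypts to m * k mod N."""
    return pow(c, k % N, N2)


def sd_c2(ct_num, ct_den):
    """C2 in SD: decrypt the two blinded values, divide, re-encrypt the quotient."""
    return enc(dec(ct_num) // dec(ct_den))


def secure_division(ct_a, ct_b):
    """C1 in SD: returns E_pk(a // b); C1 never decrypts, C2 never sees a or b."""
    # Assumed sizes: 16-bit data and 32-bit blinds keep every value below N.
    r1 = secrets.randbits(32) + 2
    r2 = secrets.randbits(32) + 1
    r3 = secrets.randbelow(r1)                       # r3 < r1, as formula (2) needs
    # E(a*r1 + b*r1*r2 + r3) and E(b*r1), built from ciphertexts only.
    ct_num = h_add(h_add(h_mul(ct_a, r1), h_mul(ct_b, r1 * r2)), enc(r3))
    ct_den = h_mul(ct_b, r1)
    ct_quot = sd_c2(ct_num, ct_den)                  # C2 returns E(a/b + r2)
    return h_add(ct_quot, h_mul(enc(r2), N - 1))     # formula (7): remove r2


def smin_c2(blinded):
    """C2 in SMIN: decrypt, find the minimum, return an encrypted one-hot row."""
    plain = [dec(c) for c in blinded]
    i_min = plain.index(min(plain))
    return [enc(1 if i == i_min else 0) for i in range(len(plain))]


def secure_minimum(ct_xs, ct_c):
    """C1 in SMIN: E(1) at the smallest x_i above c, E(0) everywhere else."""
    t = len(ct_xs)
    rs = RNG.sample(range(1, 2**32), t + 1)          # t+1 distinct random numbers
    r_max = max(rs)
    rs.remove(r_max)
    neg_c = h_mul(ct_c, N - 1)                       # E(-c), used in formula (9)
    # Assumed formula (10): theta_i = (x_i - c) * r_max + r_i, which keeps order.
    # Differences below zero wrap to residues near N, so they never win.
    # x_i == c would blind to r_i alone and be selected; the sample avoids it.
    theta = [h_add(h_mul(h_add(cx, neg_c), r_max), enc(r))
             for cx, r in zip(ct_xs, rs)]
    perm = list(range(t))
    RNG.shuffle(perm)                                # pi, known only to C1
    delta_p = smin_c2([theta[j] for j in perm])      # formula (11)
    delta = [None] * t
    for pos, j in enumerate(perm):                   # formula (12): pi^-1
        delta[j] = delta_p[pos]
    return delta


if __name__ == "__main__":
    print(dec(secure_division(enc(50000), enc(7))))  # constructed sample values
    xs = [900, 130, 410, 75, 260]                    # constructed sample values
    print([dec(d) for d in secure_minimum([enc(x) for x in xs], enc(100))])
```
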
Security grid computing calculates agreement SGC: giving the side length of the grid SG of encryption, the grid cell of encryption at the end server C1 Epk(w) and encryption inquiry request Epk(Q), C2 possesses private key sk, C1 and C2 and is somebody's turn to do by the calculating that secure two party computation encrypts It inquires the grid cell at place and takes out the content of grid cell storage.In the calculating process, the grid cell of encryption Coordinate and the encrypted content of grid cell storage only obtain at the end server C1, and C2 cannot be about any effective of these contents Information.
Security grid computing calculates agreement SGC, and specific step is as follows, as shown in Figure 8:
1. server C1 calculate inquiry Q where grid encryption coordinate: server C1 possess encryption grid SG, encryption The side length E of grid cellpk(w) and encryption inquiry request Epk(Q), server C2 possesses private key sk.Server C1 first exists In each dimension, i.e., in x-axis and y-axis, the coordinate of encrypted query is calculated divided by the dimension using safe division SD agreement respectively The side length of grid cell on degree calculates the encryption coordinate E of grid g where inquiring Q in the dimensionpk(xi).Since the present invention is suitable For the inquiry based on location-based service, therefore mentioned herein vector is bivector.Specific formula for calculation is as follows:
Epk(xi)=SD (Epk(Qi),Epk(wi)) (13)
2. In each of the two dimensions, server C1 computes the encrypted difference between the coordinate of each grid cell $g_i$ and the coordinate of the grid cell g containing the query point, obtaining two encrypted one-dimensional vectors $E_{pk}(\alpha)$ and $E_{pk}(\beta)$. Assuming there are $n_i$ grid cells in each dimension, the corresponding coordinates of these grid cells are 0 to $n_i - 1$. The specific formula is as follows:
$E_{pk}(\alpha_i) = E_{pk}(x_1 - i),\quad E_{pk}(\beta_i) = E_{pk}(x_2 - i)$ (14)
3. Server C1 multiplies each of the two encrypted one-dimensional vectors by random numbers to obtain the perturbed result: server C1 multiplies $E_{pk}(\alpha_i)$ and $E_{pk}(\beta_i)$ under encryption by a random number r, and the perturbed $E_{pk}(\alpha_i)$ and $E_{pk}(\beta_i)$ are denoted $E_{pk}(\alpha'_i)$ and $E_{pk}(\beta'_i)$. Apart from the coordinate of the grid cell containing the query, which is $E_{pk}(0)$, all entries are random numbers. Note that the random number applied to each entry is different; for convenience they are all denoted by r, and the protocols described below follow the same convention. The specific formula is as follows:
$E_{pk}(\alpha'_i) = E_{pk}(\alpha_i)^{r},\quad E_{pk}(\beta'_i) = E_{pk}(\beta_i)^{r}$ (15)
4. Server C1 shuffles $E_{pk}(\alpha')$ and $E_{pk}(\beta')$ using formula (11) and sends them to server C2.
5. Server C2 decrypts and processes: after receiving $E_{pk}(\alpha'_i)$ and $E_{pk}(\beta'_i)$, server C2 decrypts them with the private key sk and generates the corresponding $\mu_i$ and $\chi_i$. If $\alpha'_i = 0$, then $\mu_i$ is 1; if $\beta'_i = 0$, then $\chi_i$ is 1; all the others are 0.
6. Server C2 encrypts the processed result with the public key pk and sends it to server C1: server C2 encrypts $\mu_i$ and $\chi_i$ with the public key pk, obtaining $E_{pk}(\mu_i)$ and $E_{pk}(\chi_i)$, and sends them to server C1.
7. After receiving $E_{pk}(\mu)$ and $E_{pk}(\chi)$, server C1 restores the order of the vectors using formula (12).
8. Server C1 computes the vector dot product μ · SG · χ using the secure multiplication protocol SM and the additive homomorphism of Paillier. That is, for each grid cell $g_{ij}$ it computes $E_{pk}(g_{ij}\mu_i\chi_j)$ under encryption and then adds all of the results under encryption, which gives the encrypted value of the grid cell g containing the query. Since Paillier is probabilistic encryption, the $E_{pk}(g)$ computed this way cannot be matched to the ciphertexts in the grid. The specific formula is as follows:
Safety analysis: in this process, server C1 obtains the encrypted data and the encrypted result, but C1 does not have the private key sk and cannot decrypt, so it cannot learn the content of the data or the result. The sequence that server C2 obtains by decryption is shuffled, and the permutation function is not visible to C2, so C2 cannot map it back to the true order and cannot obtain the coordinates of the grid cell. Meanwhile, since Paillier is probabilistic encryption, C1 cannot match the computed $E_{pk}(g)$ with the ciphertexts in the grid, which protects access pattern privacy.
The content of the secure grid computation protocol SGC is shown in Algorithm 3:
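The blinding, shuffling and marking exchange of SGC steps 2 to 7, for one dimension, as an added Python example that is not code from the patent. It assumes a toy Paillier instance (two small fixed primes, g = N + 1), hypothetical function names, a constructed query at cell index 3 in a row of 8 cells, and one seeded generator standing in for both servers' randomness.

```python
import math
import random

# Toy Paillier with g = N + 1. The two Mersenne primes are constructed demo
# parameters (about 92-bit N), far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # private key sk (C2 only)
MU = pow(LAM, -1, N)


def enc(m, rng):
    """E_pk(m). Probabilistic: the same m encrypts to different ciphertexts."""
    r = rng.randrange(1, P)                 # r < P < Q, so gcd(r, N) = 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2


def dec(c):
    """D_sk(c). In the protocol only server C2 can run this."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def add(c1, c2):
    """Additive homomorphism: E(m1) * E(m2) mod N^2 = E(m1 + m2)."""
    return c1 * c2 % N2


def scal(c, k):
    """Scalar homomorphism: E(m)^k mod N^2 = E(k * m)."""
    return pow(c, k % N, N2)


def c1_blind(enc_x, n_cells, rng):
    """Steps 2-4 at C1: E(x - i) per cell index i, blinded by r, then shuffled."""
    blinded = []
    for i in range(n_cells):
        diff = add(enc_x, enc(-i, rng))     # formula (14): E(x - i)
        r = rng.randrange(1, P)             # fresh nonzero r for every entry
        blinded.append(scal(diff, r))       # formula (15): E(r * (x - i))
    perm = list(range(n_cells))
    rng.shuffle(perm)                       # pi of formula (11), known to C1 only
    return [blinded[j] for j in perm], perm


def c2_mark(shuffled, rng):
    """Steps 5-6 at C2: decrypt, answer E(1) where the plaintext is 0, else E(0)."""
    plain = [dec(c) for c in shuffled]      # everything C2 gets to see
    return [enc(1 if p == 0 else 0, rng) for p in plain], plain


def c1_restore(marked, perm):
    """Step 7 at C1: undo the shuffle with pi^-1 of formula (12)."""
    restored = [None] * len(perm)
    for pos, j in enumerate(perm):
        restored[j] = marked[pos]
    return restored


def select_cell(x, n_cells, seed):
    """Run steps 2-7 for one dimension; x is the query's cell index."""
    rng = random.Random(seed)   # seeded for a repeatable demo; use a CSPRNG in practice
    enc_x = enc(x, rng)         # stands in for the SD output of step 1
    shuffled, perm = c1_blind(enc_x, n_cells, rng)
    marked, c2_view = c2_mark(shuffled, rng)
    return c1_restore(marked, perm), c2_view, perm


if __name__ == "__main__":
    enc_mu, c2_view, perm = select_cell(x=3, n_cells=8, seed=1)
    print("C2 sees the zero at shuffled slot", c2_view.index(0))
    print("indicator mu (decrypted here only to check):", [dec(c) for c in enc_mu])
```

C2 learns only which shuffled slot decrypted to 0, and every other slot is a blinded nonzero value; C1 ends up with an encrypted one-hot vector whose entries it cannot tell apart.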
Secure Voronoi region computation protocol SVCC: server C1 is given the encrypted Voronoi data structure SVD, the encrypted Voronoi region ids $E_{pk}(a_1|\dots|a_\lambda)$ and λ, where λ is the number of compressed ids; C2 holds the private key sk. Through secure two-party computation, C1 and C2 compute under encryption the Voronoi regions corresponding to the query and retrieve the encrypted seed node value of each region and the encrypted ids of its adjacent regions. During this computation, the encrypted Voronoi region ids and the values of the regions are obtained only at server C1; C2 cannot obtain any useful information about these contents.
The specific steps of the secure Voronoi region computation protocol SVCC are as follows, as shown in Figure 9:
1. Server C1 generates random numbers, then compresses and encrypts them: server C1 holds the encrypted Voronoi structure SVD, the encrypted Voronoi region ids $E_{pk}(a_1|\dots|a_\lambda)$ and the number λ of compressed ids; server C2 holds the private key sk. Server C1 first generates λ random numbers r, compresses them using formula (4) and encrypts them with $E_{pk}(\cdot)$, obtaining $E_{pk}(r_1|\dots|r_\lambda)$.
2. Server C1 adds the encrypted compressed random numbers $E_{pk}(r_1|\dots|r_\lambda)$ and the encrypted Voronoi region ids $E_{pk}(a_1|\dots|a_\lambda)$ using the Paillier additive homomorphic property, obtaining $E_{pk}(a'_1|\dots|a'_\lambda)$, which is equivalent to adding $a_i$ and $r_i$ and then compressing and encrypting. The specific formula is as follows:
$E_{pk}(a'_1|\dots|a'_\lambda) = E_{pk}(r_1 + a_1|\dots|r_\lambda + a_\lambda) = E_{pk}(r_1|\dots|r_\lambda) * E_{pk}(a_1|\dots|a_\lambda)$ (17)
3. Server C1 sends $E_{pk}(a'_1|\dots|a'_\lambda)$ to server C2.
4. After receiving $E_{pk}(a'_1|\dots|a'_\lambda)$, server C2 decrypts it with the private key sk and then decompresses it according to formula (4), obtaining λ values $a'_1,\dots,a'_\lambda$.
5. Server C2 computes a two-dimensional array: server C2 computes each $c_i = a'_i \bmod n$ and, for each $c_i$, generates a sequence $\alpha_i$ of length n in which one element is 1 and all the others are 0, where n is the number of Voronoi regions. C2 generates λ sequences in total, giving a two-dimensional array α of size λ*n.
6. Server C2 encrypts each $\alpha_{ij}$ with the public key pk to obtain $E_{pk}(\alpha_{ij})$ and sends the encrypted two-dimensional array $E_{pk}(\alpha)$ to server C1.
7. After receiving $E_{pk}(\alpha)$, server C1 generates a sequence β of length n, which stores the selection value for the Voronoi region at each true index from 0 to n-1. By computation, the ids contained in the encrypted Voronoi region ids $E_{pk}(a_1|\dots|a_\lambda)$ correspond to $E_{pk}(1)$ in $E_{pk}(\beta)$, and the rest correspond to $E_{pk}(0)$. The specific formula is as follows:
8. Server C1 shuffles $E_{pk}(\beta)$ using formula (11) and sends it to server C2;
9. After receiving $E_{pk}(\beta)$, server C2 decrypts it to obtain β. The indices of the sequence β are divided into λ groups G, and each group $G_i$ has one and only one element with $\beta_i = 1$.
10. Server C2 shuffles the elements within each group $G_i$ and sends all groups G to server C1.
After receiving the groups G, server C1 uses formula (12) to restore the shuffled indices in G to the indices of the original order, and restores the order of $E_{pk}(\beta)$.
For each group $G_i$, server C1 computes the encrypted value $E_{pk}(v_i)$ of the corresponding Voronoi region's seed node and the encrypted ids $E_{pk}(a_i)$ of that region's adjacent regions. The specific formula is as follows:
where c is the number of elements in group $G_i$.
Safety analysis: in this process, server C1 obtains the encrypted data and the encrypted result, but C1 does not have the private key sk and cannot decrypt, so it cannot learn the content of the data or the result. The sequence that server C2 obtains by decryption is shuffled, and the permutation function is not visible to C2, so C2 cannot map it back to the true order and cannot obtain the indices of the required Voronoi regions. Meanwhile, since Paillier is probabilistic encryption, C1 cannot match the computed $E_{pk}(v_i)$ and $E_{pk}(a_i)$ with the ciphertexts in SVD, which protects access pattern privacy.
The content of the secure Voronoi region computation protocol SVCC is shown in Algorithm 4:
The additive homomorphic operation uses the Paillier additive encryption scheme:
For plaintexts $m_1$ and $m_2$, multiplying the ciphertexts $E_{pk}(m_1)$ and $E_{pk}(m_2)$ within the ciphertext group is equivalent to adding $m_1$ and $m_2$ and then encrypting, where $E_{pk}(\cdot)$ denotes encryption and $D_{sk}(\cdot)$ denotes decryption. The formula is as follows:
$D_{sk}(E_{pk}(m_1)E_{pk}(m_2) \bmod N^2) = m_1 + m_2 \bmod N$ (21)
The multiplicative homomorphic operation uses the Paillier multiplicative encryption scheme:
For plaintexts $m_1$ and $m_2$, raising the ciphertext $E_{pk}(m_1)$ to the power $m_2$ within the ciphertext group is equivalent to multiplying $m_1$ and $m_2$ and then encrypting. The formula is as follows:
Step 4: based on the above secure sub-protocols, the present invention designs the secure kNN query protocol (SkNN) to perform secure kNN queries over ciphertext. The protocol takes as input at server C1 the encrypted query request $E_{pk}(Q)$, k, and the encrypted secure index structures SVD, SG and $E_{pk}(w)$. Through secure two-party computation between C1 and C2, it searches the index structure for the k encrypted points nearest to $E_{pk}(Q)$; these k encrypted points are the kNN result, with k = 3 in testing. The main idea of the kNN query is as follows: C1 and C2 first use the secure grid computation protocol SGC to compute the grid cell containing the query request $E_{pk}(Q)$, thereby obtaining the encrypted indices of the Voronoi regions covered by that grid cell; according to these indices, the values of these regions' seed nodes and the ids of their adjacent regions are computed from SVD; the secure squared Euclidean distance protocol SSED computes the squared Euclidean distance from the query point $E_{pk}(Q)$ to these seed nodes, and then the secure minimum protocol SMIN computes the minimum; the computed minimum is added to the kNN result as the NN object; the values of its adjacent regions are read and 2NN is computed; 3NN is computed from the adjacent regions of the NN and 2NN objects; and so on, until the kNN result is obtained.
Server C1 holds the encrypted index structure and the encrypted query request $E_{pk}(Q)$, and server C2 holds the key. They first cooperate to find the grid cell $G_i$ containing the query Q. Then, according to the encrypted Voronoi region ids stored in $G_i$, they find the corresponding Voronoi regions and compute under encryption the Voronoi region containing the query Q, whose seed node is the nearest neighbour, i.e. the result for k = 1. The neighbouring cells of that cell are then added to the candidate set, and the result for k = 2 is computed under encryption from the candidate set; this process is repeated until k results are obtained.
The specific steps of the secure kNN query protocol SkNN are as follows, as shown in Figure 10:
1. Server C1 initializes three arrays: server C1 holds the encrypted query request $E_{pk}(Q)$, k, and the encrypted secure index structures SVD, SG and $E_{pk}(w)$; server C2 holds the private key sk. First, server C1 initializes three arrays, which represent the seed node set of the candidate Voronoi regions, the subsequent Voronoi region id set and the candidate distance set, respectively. The first stores the values of the encrypted seed nodes currently read, so that the current minimum result can later be read conveniently and added to the result set $E_{pk}(R)$; the second stores the encrypted ids of the adjacent regions of the previous (k-1) Voronoi regions, used for computing kNN; the third stores the encrypted squared Euclidean distances of the objects currently to be compared. C1 also initializes the current minimum distance $E_{pk}(d_{temp})$ to $E_{pk}(0)$.
2. Servers C1 and C2 use the secure grid computation protocol SGC to compute the grid cell containing the query request $E_{pk}(Q)$, thereby obtaining the encrypted indices $E_{pk}(a)$ of the Voronoi regions covered by that grid cell.
3. Servers C1 and C2 use the secure Voronoi region computation protocol SVCC to compute the seed node values $E_{pk}(v_i)$ and adjacent region ids $E_{pk}(a_i)$ corresponding to $E_{pk}(a)$, and add these values to the corresponding candidate sets.
4. Servers C1 and C2 use the secure squared Euclidean distance protocol SSED to compute, one by one, the squared Euclidean distance $E_{pk}(d_i)$ between the encrypted query $E_{pk}(Q)$ and each seed node $E_{pk}(v_i)$ computed in step 3, and then add these values to the candidate distance set.
5. Servers C1 and C2 use the secure minimum protocol SMIN to compute the minimum value in the candidate set that is greater than the current minimum distance $E_{pk}(d_{temp})$, obtaining the encrypted 0/1 sequence of the minimum.
6. Treating the candidate sets as one-dimensional vectors, server C1 computes the encrypted dot products, where the subscript enc denotes the encrypted dot product computation, obtaining the encrypted seed node value $E_{pk}(v)$ corresponding to the minimum from step 5, the encrypted ids $E_{pk}(a)$ of the adjacent Voronoi regions and the encrypted squared Euclidean distance $E_{pk}(d_{temp})$; that is, this step updates the values of $E_{pk}(a)$ and $E_{pk}(d_{temp})$.
Assuming the encrypted dot product of two encrypted vectors A and B of length λ is to be computed, the specific formula for the encrypted dot product $A \cdot_{enc} B^T$ is as follows:
7. Server C1 adds $E_{pk}(v)$ to the result set $E_{pk}(R)$.
8. Server C1 empties the candidate sets.
9. Servers C1 and C2 repeat steps 2 to 7 until k nearest neighbour results are obtained, i.e. the size of the result set $E_{pk}(R)$ at C1 is k.
Safety analysis:
During the secure kNN query, the intermediate results obtained at server C1 are probabilistically encrypted data, and C1 cannot infer any other information from these intermediate results. Meanwhile, by the composition theorem for secure protocols, if the sub-protocols that make up the protocol are secure and the intermediate results generated are random numbers or probabilistically encrypted data, then the protocol is secure.
The content of the secure kNN query protocol SkNN is shown in Algorithm 5:
Step 5: return the query result to the user User. Server C1 holds the encrypted query result $E_{pk}(R)$ and server C2 holds the key sk. For each of the k query results, server C1 generates two random numbers, compresses and encrypts them, and uses the compressed, encrypted random numbers to perturb the result, obtaining the ciphertext computation result; server C1 sends the ciphertext computation result to server C2 and sends the k pairs of random numbers to the user User. Server C2 decrypts the perturbed results, obtaining the decrypted results and from them k groups of perturbed coordinate values, which C2 sends to the user User. The user User receives k groups of random numbers from server C1 and k groups of perturbed coordinate values from server C2, and subtracts the corresponding random numbers from each perturbed coordinate value to obtain the final query result. The computation at the user side involves no encryption, decryption or ciphertext operations and incurs no heavy time cost.
The specific steps for returning the query result are as follows, as shown in Figure 11:
1. Server C1 generates k pairs of random numbers, then compresses and encrypts them: server C1 holds the encrypted query result $E_{pk}(R)$ and server C2 holds the key sk. Server C1 first generates k pairs of random numbers $(r_{i1}, r_{i2})$, compresses them using formula (4) and encrypts them with the Paillier encryption scheme, obtaining $E_{pk}(r_{i1}|r_{i2})$.
2. Server C1 perturbs each query result $E_{pk}(R_i)$ with $E_{pk}(r_{i1}|r_{i2})$, obtaining the perturbed result $E_{pk}(R'_i)$. The specific formula is as follows:
$E_{pk}(R'_i) = E_{pk}(R_i + r_{i1}|r_{i2}) = E_{pk}(R_i) * E_{pk}(r_{i1}|r_{i2})$ (24)
3. Server C1 sends the perturbed results $E_{pk}(R'_i)$ to server C2 and sends the k pairs of random numbers $(r_{i1}, r_{i2})$ to the user User.
4. After receiving $E_{pk}(R'_i)$, server C2 decrypts it to obtain $R'_i$ and decompresses $R'_i$ according to formula (4) to obtain the perturbed coordinate values $(x'_i, y'_i)$ of the result point.
5. Server C2 sends the k groups of perturbed coordinate values $(x'_i, y'_i)$ to the user User.
6. The user User receives k groups of random numbers $(r_{i1}, r_{i2})$ from server C1 and k groups of coordinate values $(x'_i, y'_i)$ from server C2. Subtracting the corresponding random number from each coordinate gives the final query result. The specific formula is as follows:
$x_i = x'_i - r_{i1},\quad y_i = y'_i - r_{i2}$ (25)
Safety analysis: server C1 holds the encrypted query result but cannot decrypt it without the private key sk. Server C2 decrypts only the perturbed result; since it does not know the added random numbers, and solving a system of k equations containing 2k variables is an HP-hard problem, it cannot compute the values of the result in effective time, so result privacy is protected.
The content of the protocol for returning the query result is shown in Algorithm 6:
Conclusion:
In terms of security, the scheme protects query privacy, data privacy, result privacy and data access pattern privacy. In terms of query efficiency, the time complexity of the encryption and exponentiation operations is O(n+m), where n is the number of data points, which is also the number of Voronoi regions, and m is the number of grid cells; when there are many data points, i.e. when n is very large, m is much smaller than n. Meanwhile, the client is usually a mobile terminal with low processing capability and does not take part in the query computation. In terms of validity, the method returns correct and accurate query results. Here, query privacy means that the server cannot obtain the location information submitted with the user's query, i.e. the user's location privacy is protected. Data privacy means that the server cannot obtain any information about the data other than the size of the data set, and the user cannot obtain any information about the data set other than the query result. Result privacy means that the user's query result is not revealed to the server or to the data owner. Data access pattern privacy means that the server cannot obtain any useful information about data access patterns from the intermediate results generated by the query computation, where the data access pattern refers to the data related to the query point; in this scheme it is guaranteed mainly by making the intermediate results probabilistically encrypted data or random numbers.

Claims (10)

1. A secure kNN query method based on LBS, characterized by comprising the following steps:
Step 1: the data owner DO generates a key pair (pk, sk) and an encrypted index structure, sends the encrypted index structure to server C1, sends the public key pk to servers C1 and C2 and to the user User, and sends the private key sk to server C2;
Step 2: the user User encrypts their own query Q with the public key pk to generate the encrypted query request $E_{pk}(Q)$ and sends this query request to server C1, where the vector Q = (x, y) is the coordinate the user wants to query, and encryption gives the query request $E_{pk}(Q) = \{E_{pk}(x), E_{pk}(y)\}$;
Step 3: after server C1 obtains the encrypted index structure and the encrypted query request $E_{pk}(Q)$, the secure two-party computation is defined;
wherein the secure two-party computation includes: the secure division protocol SD, the secure minimum protocol SMIN, the secure grid computation protocol SGC and the secure Voronoi region computation protocol SVCC; the additive homomorphic operation uses the Paillier additive encryption scheme and the multiplicative homomorphic operation uses the Paillier multiplicative encryption scheme;
Step 4: based on the secure two-party computation, the secure kNN query protocol SkNN is designed; the protocol takes as input at server C1 the encrypted query request $E_{pk}(Q)$, the encrypted index structure and $E_{pk}(w)$, and through secure two-party computation between C1 and C2 searches the encrypted index structure for the k encrypted points nearest to $E_{pk}(Q)$; these k encrypted points are the kNN query result $E_{pk}(R)$, obtained at C1;
Step 5: return the query result to the user User: server C1 holds the encrypted query result $E_{pk}(R)$ and server C2 holds the key sk; for each of the k query results, server C1 generates two random numbers, compresses and encrypts them, and uses the compressed, encrypted random numbers to perturb the result, obtaining the ciphertext computation result; server C1 sends the ciphertext computation result to server C2 and sends the k pairs of random numbers to the user User; server C2 decrypts the perturbed results, obtaining the decrypted results and from them k groups of perturbed coordinate values; C2 sends the k groups of perturbed coordinate values to the user User; the user User receives k groups of random numbers from server C1 and k groups of perturbed coordinate values from server C2, and subtracts the corresponding random numbers from each perturbed coordinate value to obtain the final query result.
2. a kind of safe kNN querying method based on LBS according to claim 1, which is characterized in that the encrypted indexes knot Structure includes: that safe Voronoi diagram SVD and security grid computing divide SG:
(1) safe Voronoi diagram SVD is generated:
1. Voronoi diagram division: DO holds the data set $D = \{p_1, \dots, p_n\}$, where each data point $p_i = \{x, y\}$. A Voronoi diagram division is performed on the data set D: the Voronoi diagram divides the plane containing D into n convex polygons, called Voronoi regions. Each Voronoi region $v_i$ contains one and only one data point $p_i$, called the seed node of Voronoi region $v_i$, and the edge separating two Voronoi regions is the perpendicular bisector of the two regions' seed nodes. For a Voronoi region $v_i$, the nearest neighbour of any point q falling in the region is the region's seed node $p_i$. By the properties of the Voronoi diagram, the kNN object of a query point q is among the seed nodes of the Voronoi cells adjacent to the previously computed (k-1)NN;
2. dividing according to the Voronoi, all Voronoi areas in Voronoi diagram are stored in array with random disorderIt will Region viCorresponding call number is as its id in array, for any one Voronoi area vi, with a binary groupIt indicates, wherein (xi,yi) it is region viCorresponding seed node piCoordinate, aijFor this Region viAdjacent Voronoi area id, (t1) it is the adjacent Voronoi area quantity of the Voronoi area;
3. adding false data: by arrayThe false adjacent Voronoi area id of middle addition keeps the quantity of adjacent area to be Definite value t1, the false id added herein is arrayPresent in true call number, but it is not the adjacent id of corresponding region And it is different;
4. data compression: to arrayThe region v of storageiThe id of corresponding coordinate and adjacent area is pressed using following formula Contracting:
Wherein, λ is the number of the data of compression, and σ is the bit bit length of data compression, and σ is greater than the bit bit length of data itself;
5. to arrayIt is encrypted using pk, obtains SVD to get to encryption Voronoi and divide SVD, each storage should The corresponding encryption binary group of Voronoi area
(2) it generates security grid computing and divides SG:
1. carrying out grid dividing on the basis of Voronoi is divided: Voronoi is divided into m grid, each net by grid dividing The side length of lattice indicates that the grid dividing can store as matrix with vector wThe call number of matrix row and column respectively corresponds the net The coordinate of lattice on two dimensions, each coarse gridding its id of Voronoi area for being covered intersect with it The id of Voronoi area, is expressed asWherein oijFor region giThe id of the Voronoi area of intersection, (t2) it is the quantity that Voronoi area is intersected in the region;
2. adding false data: by matrixThe false adjacent Voronoi area id of middle addition keeps each coarse gridding The quantity of id is definite value t2, the false id added herein is arrayPresent in true call number, but it is not and the net The id of lattice intersecting area and different;
3. data compression: equally using formula (1) to compress the content of each coarse gridding;
4. being encrypted with public key pk, SG is obtained: to matrixIt is encrypted with vector w using pk, obtains SG and Epk(w), often A refined net content representation is
3. The secure kNN query method based on LBS according to claim 1, characterized in that the key pair (pk, sk) is generated using the Paillier encryption scheme, where the public key pk is used to encrypt data and the private key sk is used to decrypt data.
4. a kind of safe kNN querying method based on LBS according to claim 1, which is characterized in that the safe division association Discuss SD: two given at the end server C1Integer a, the b encrypted in range, server C1 and C2 are calculated by two sides to two The truncated division of encryption data encrypt, in the quotient that the end server C1 is encrypted, when which executes, the data of encryption Only possessed by server C1 with quotient, server C2 only possesses key sk;
Shown in the principle of the agreement such as formula (2), for arbitrary
$(a r_1 + b r_1 r_2 + r_3)/(b r_1) = a/b + r_2$ (2)
Wherein,And r3<r1, K is the bit size of Paillier encipherment scheme key, ldataFor data a, the bit length of b;
Specific step is as follows for safe division agreement:
1. server C1 generates random number: server C1 possesses the data E of encryptionpk(a),Epk(b), server C2 possesses private key Sk, server C1, which are generated, to be metAnd r3<r1Random number r1,r2,r3
2. The random numbers are applied under the public key pk and the results are sent to server C2: using the generated random numbers and the public key pk, server C1 computes $E_{pk}(a r_1 + b r_1 r_2 + r_3)$ and $E_{pk}(b r_1)$ and sends them to server C2. The specific formula is as follows:
3. Server C2 decrypts with the private key sk: after receiving $E_{pk}(a r_1 + b r_1 r_2 + r_3)$ and $E_{pk}(b r_1)$ from C1, server C2 decrypts each of them with the private key sk, obtaining $\lambda'_a$ and $\lambda'_b$. The decryption formulas are as follows:
$\lambda'_a = D_{sk}(E_{pk}(a r_1 + b r_1 r_2 + r_3)) = a r_1 + b r_1 r_2 + r_3$ (5)
$\lambda'_b = D_{sk}(E_{pk}(b r_1)) = b r_1$ (6)
4. Server C2 divides the decrypted result $\lambda'_a$ by $\lambda'_b$, encrypts the quotient with the public key and sends it to C1: server C2 computes $\lambda'_a/\lambda'_b \pmod n$, where mod denotes the modulo operation, and encrypts it, obtaining $E_{pk}(\lambda'_a/\lambda'_b)$, which it sends to server C1;
5. Server C1 computes the encrypted result of the secure division protocol: after receiving $E_{pk}(\lambda'_a/\lambda'_b)$, server C1 computes the encrypted $E_{pk}(a/b)$ using formula (7):
$E_{pk}(a/b) = E_{pk}(\lambda'_a/\lambda'_b) * E_{pk}(r_2)^{N-1}$ (7)
where $E_{pk}(r_2)^{N-1} = E_{pk}(-r_2)$, so that $r_2$ is subtracted under encryption by a ciphertext operation, and N is the product of the two large primes in the Paillier public key pk.
5. a kind of safe kNN querying method based on LBS according to claim 1, which is characterized in that the safe minimum Agreement SMIN: t are given at the end server C1The integer encrypted in range and the value range c, C1 and C2 of an encryption pass through Secure two party computation cryptographically calculates the minimum value in the t Keyed integer greater than value range c, generates one according to the minimum value A and this t Keyed integer is corresponded using t as the ciphering sequence of length, and the 1 of the corresponding encryption of minimum value, remaining is encryption 0, the ciphering sequence is obtained at the end server C1, when which executes, the data of encryption and minimum value sequence are only by server C1 Possess, server C2 only possesses key sk;
The principle of the agreement are as follows: give t integerTo each xiIt calculates:
$x'_i = x_i * r_{max} + r_i$ (8)
Wherein, ri<2K-l-1, each riIt is different from, rmaxFor riIn maximum value, work as riIt, can by formula (8) when sufficiently large To obtain t unequal random integersAnd x 'iAnd xiKeep identical partial ordering relation;
Specific step is as follows by safe minimum agreement SMIN:
1. server C1 generates random number: server C1 possesses the data E of encryptionpk(x1),…,Epk(xt) and encryption value range Epk(c), server C2 possesses private key sk, and server C1 first generates t+1 random number { r1,…,rt+1, meet The maximum value in this t+1 random number is selected later and is denoted as rmax, remaining random number is successively denoted as { r again1,…,rt};
2. Server C1 processes each encrypted value, obtaining the difference $E_{pk}(x_i - c)$ between each encrypted integer and the encrypted range value. The specific formula is as follows:
$E_{pk}(x_i - c) = E_{pk}(x_i) * E_{pk}(c)^{N-1}$ (9)
3. Server C1 adds random numbers to each encrypted difference: server C1 processes each encrypted difference $E_{pk}(x_i - c)$ according to formula (8), obtaining the encrypted perturbed value $E_{pk}(\theta_i)$ after the random numbers are added. The specific formula is as follows:
4. Server C1 shuffles these t values and sends them to server C2. The formula is as follows:
$E_{pk}(\theta') = \pi(E_{pk}(\theta))$ (11)
5. Server C2 decrypts: after receiving $E_{pk}(\theta'_i)$, server C2 decrypts these values, obtaining $\theta'_i$;
6. Server C2 computes the minimum among the $\theta'_i$ and records as min the index i of that minimum in the sequence θ';
7. Server C2 generates a sequence Δ' of length t in which $\Delta'_{min}$ is 1 and the remaining values are 0, encrypts all elements of the sequence Δ' to obtain $E_{pk}(\Delta')$, and sends it to server C1;
8. Server C1 obtains the encrypted result of the secure minimum protocol with the inverse function: after obtaining the sequence $E_{pk}(\Delta')$, server C1 applies the inverse function of formula (11), i.e. formula (12), to obtain the sequence $E_{pk}(\Delta)$. The specific formula is as follows:
$E_{pk}(\Delta) = \pi^{-1}(E_{pk}(\Delta'))$ (12)
where $E_{pk}(\Delta)$ is the sequence obtained from $E_{pk}(\Delta')$ using formula (12): the encrypted 0/1 sequence that marks the minimum and corresponds element by element to the encrypted data $E_{pk}(x_1), \dots, E_{pk}(x_t)$.
6. The secure kNN query method based on LBS according to claim 1, characterized in that, in the secure grid computation protocol SGC, server C1 is given the encrypted grid SG, the encrypted grid-cell side length $E_{pk}(w)$ and the encrypted query request $E_{pk}(Q)$, and C2 holds the private key sk; through secure two-party computation, C1 and C2 compute under encryption the grid cell containing the query and retrieve the content stored in that grid cell; during this computation, the encrypted coordinates of the grid cell and the encrypted content stored in the grid cell are obtained only at server C1, and C2 cannot obtain any useful information about these contents,
The specific steps of the secure grid computation protocol SGC are as follows:
1. Server C1 computes the encrypted coordinates of the grid cell containing the query Q: server C1 holds the encrypted grid SG, the encrypted grid-cell side length $E_{pk}(w)$ and the encrypted query request $E_{pk}(Q)$, and server C2 holds the private key sk; first, in each dimension, i.e. on the x axis and the y axis, server C1 uses the secure division protocol SD to divide the encrypted query coordinate by the grid-cell side length in that dimension, giving the encrypted coordinate $E_{pk}(x_i)$ of the grid cell g containing the query Q in that dimension; since the query is location-based, the vectors involved are two-dimensional; the specific formula is as follows:
$E_{pk}(x_i) = SD(E_{pk}(Q_i), E_{pk}(w_i))$ (13)
2. In each of the two dimensions, server C1 computes the encrypted difference between the coordinate of each grid cell $g_i$ and the coordinate of the grid cell g containing the query point, obtaining two encrypted one-dimensional vectors $E_{pk}(\alpha)$ and $E_{pk}(\beta)$; assuming there are $n_i$ grid cells in each dimension, the corresponding coordinates of these grid cells are 0 to $n_i - 1$; the specific formula is as follows:
$E_{pk}(\alpha_i) = E_{pk}(x_1 - i),\quad E_{pk}(\beta_i) = E_{pk}(x_2 - i)$ (14)
3. Server C1 multiplies each of the two encrypted one-dimensional vectors by random numbers to obtain the perturbed result: server C1 multiplies $E_{pk}(\alpha_i)$ and $E_{pk}(\beta_i)$ under encryption by a random number r, and the perturbed $E_{pk}(\alpha_i)$ and $E_{pk}(\beta_i)$ are denoted $E_{pk}(\alpha'_i)$ and $E_{pk}(\beta'_i)$, where, apart from the coordinate of the grid cell containing the query, which is $E_{pk}(0)$, all entries are random numbers; the specific formula is as follows:
$E_{pk}(\alpha'_i) = E_{pk}(\alpha_i)^{r},\quad E_{pk}(\beta'_i) = E_{pk}(\beta_i)^{r}$ (15)
4. Server C1 shuffles $E_{pk}(\alpha')$ and $E_{pk}(\beta')$ using formula (11) and sends them to server C2;
5. Server C2 decrypts and processes: after receiving $E_{pk}(\alpha'_i)$ and $E_{pk}(\beta'_i)$, server C2 decrypts them with the private key sk and generates the corresponding $\mu_i$ and $\chi_i$; if $\alpha'_i = 0$, then $\mu_i$ is 1; if $\beta'_i = 0$, then $\chi_i$ is 1; all the others are 0;
6. Server C2 encrypts the processed result with the public key pk and sends it to server C1: server C2 encrypts $\mu_i$ and $\chi_i$ with the public key pk, obtaining $E_{pk}(\mu_i)$ and $E_{pk}(\chi_i)$, and sends them to server C1;
7. After receiving $E_{pk}(\mu)$ and $E_{pk}(\chi)$, server C1 restores the order of the vectors using formula (12);
8. Server C1 computes the vector dot product μ · SG · χ using the secure multiplication protocol SM and the additive homomorphism of Paillier; that is, for each grid cell $g_{ij}$ it computes $E_{pk}(g_{ij}\mu_i\chi_j)$ under encryption and then adds all of the results under encryption, which gives the encrypted value of the grid cell g containing the query; the specific formula is as follows:
where the number of grid cells is $m = n_1 * n_2$, $n_1$ is the number of grid cells on the x axis and $n_2$ is the number of grid cells on the y axis.
7. The LBS-based secure kNN query method according to claim 1, characterized in that, in the secure Voronoi region computation protocol SVCC: server C1 is given the encrypted Voronoi data structure SVD, the encrypted Voronoi region ids $E_{pk}(a_1|\dots|a_\lambda)$, and $\lambda$, where $\lambda$ is the number of compressed ids; C2 holds the private key sk; through secure two-party computation, C1 and C2 compute the Voronoi regions corresponding to the encrypted query and retrieve the encrypted seed-node values of those regions and the encrypted ids of their adjacent regions. During this computation, the encrypted Voronoi region ids and the values of the regions are obtained only at server C1, and C2 cannot learn any useful information about them;
The specific steps of the secure Voronoi region computation protocol SVCC are as follows:
1. Server C1 generates random numbers, then compresses and encrypts them: server C1 holds the encrypted Voronoi structure SVD, the encrypted Voronoi region ids $E_{pk}(a_1|\dots|a_\lambda)$, and the number $\lambda$ of compressed ids; server C2 holds the private key sk. First, server C1 generates $\lambda$ random numbers r, compresses them using formula (1), and encrypts them with $E_{pk}()$, obtaining $E_{pk}(r_1|\dots|r_\lambda)$;
2. Server C1 adds the encrypted compressed random numbers $E_{pk}(r_1|\dots|r_\lambda)$ to the encrypted Voronoi region ids $E_{pk}(a_1|\dots|a_\lambda)$ using the additive homomorphic property of Paillier, obtaining $E_{pk}(a'_1|\dots|a'_\lambda)$; this is equivalent to adding $a_i$ and $r_i$ and then compressing and encrypting the sums. The specific formula is as follows:
$E_{pk}(a'_1|\dots|a'_\lambda) = E_{pk}(r_1+a_1|\dots|r_\lambda+a_\lambda) = E_{pk}(r_1|\dots|r_\lambda) * E_{pk}(a_1|\dots|a_\lambda)$ (17)
3. Server C1 sends $E_{pk}(a'_1|\dots|a'_\lambda)$ to server C2;
4. After receiving $E_{pk}(a'_1|\dots|a'_\lambda)$, server C2 decrypts it with the private key sk and then decompresses it according to formula (1), obtaining $\lambda$ values $a'_1,\dots,a'_\lambda$;
5. Server C2 computes a two-dimensional array: server C2 computes each value $c_i = a'_i \bmod n$ and, for each $c_i$, generates a sequence $\alpha_i$ of length n in which is 1 and all other entries are 0, where n is the number of Voronoi regions; in total C2 generates $\lambda$ sequences, giving a two-dimensional array $\alpha$ of size $\lambda * n$;
6. Server C2 encrypts each $\alpha_{ij}$ with the public key pk to obtain $E_{pk}(\alpha_{ij})$, and sends the encrypted two-dimensional array $E_{pk}(\alpha)$ to server C1;
7. After receiving $E_{pk}(\alpha)$, server C1 generates a sequence $\beta$ of length n, which stores the selection value of the Voronoi region for each true index from 0 to n-1; by computation, the ids contained in the encrypted Voronoi region ids $E_{pk}(a_1|\dots|a_\lambda)$ correspond to $E_{pk}(1)$ in $E_{pk}(\beta)$, and the rest correspond to $E_{pk}(0)$. The specific formula is as follows:
8. Server C1 shuffles $E_{pk}(\beta)$ using formula (11) and sends it to server C2;
9. After receiving $E_{pk}(\beta)$, server C2 decrypts it to obtain $\beta$ and divides the indices of the $\beta$ sequence into $\lambda$ groups G, such that each group $G_i$ has one and only one element whose corresponding $\beta_i = 1$;
10. Server C2 shuffles the elements within each group $G_i$ and sends all groups G to server C1;
11. After receiving the groups G, server C1 uses formula (12) to restore the shuffled indices in G to the indices of the corresponding original order, and restores the order of $E_{pk}(\beta)$;
12. For each group $G_i$, server C1 computes the encrypted value $E_{pk}(v_i)$ of the corresponding Voronoi region seed node and the encrypted ids $E_{pk}(a_i)$ of the regions adjacent to that Voronoi region. The specific formulas are as follows:
where c is the number of elements in group $G_i$.
8. The LBS-based secure kNN query method according to claim 1, characterized in that the additive homomorphic operation uses the Paillier additive encryption scheme:
For plaintexts, multiplying the ciphertexts $E_{pk}(m_1)$ and $E_{pk}(m_2)$ within the group is equivalent to adding $m_1$ and $m_2$ and then encrypting the sum, where $E_{pk}()$ denotes the encryption operation and $D_{sk}()$ denotes the decryption operation. The formula is as follows:
$D_{sk}(E_{pk}(m_1)\,E_{pk}(m_2) \bmod N^2) = m_1 + m_2 \bmod N$ (21)
The multiplicative homomorphic operation uses the Paillier multiplicative encryption scheme:
For plaintexts, raising the ciphertext $E_{pk}(m_1)$ to the power $m_2$ within the group is equivalent to multiplying $m_1$ and $m_2$ and then encrypting the product. The formula is as follows:
where N is the product of the two large primes in the Paillier public key pk.
9. The LBS-based secure kNN query method according to claim 1, characterized in that the specific steps of the secure kNN query protocol SkNN are as follows:
1. Server C1 initializes three arrays: server C1 holds the encrypted query request $E_{pk}(Q)$ and the encrypted secure index structures SVD, SG, and $E_{pk}(w)$; server C2 holds the private key sk. First, server C1 initializes three arrays, which respectively represent the set of seed nodes of the candidate Voronoi regions, the set of subsequent Voronoi region ids, and the set of candidate distances. The first array stores the values of the encrypted seed nodes read so far, so that the current minimum can conveniently be read later and added to the result set $E_{pk}(R)$; the second stores the encrypted ids of the regions adjacent to the previous (k-1) Voronoi regions, which are used to compute the kNN; the third stores the encrypted squared Euclidean distances of the objects currently to be compared. C1 also initializes the current minimum distance $E_{pk}(d_{temp})$ to $E_{pk}(0)$;
2. Servers C1 and C2 use the secure grid computation protocol SGC to compute the grid cell containing the query request $E_{pk}(Q)$, thereby obtaining the encrypted indices $E_{pk}(a)$ of the Voronoi regions covered by that grid cell;
3. Servers C1 and C2 use the secure Voronoi region computation protocol SVCC to compute the seed node values $E_{pk}(v_i)$ and the adjacent region ids $E_{pk}(a_i)$ corresponding to $E_{pk}(a)$, and add these values to the candidate seed-node set and the subsequent Voronoi region id set, respectively;
4. Servers C1 and C2 use the secure squared Euclidean distance protocol SSED to compute, one by one, the squared Euclidean distance $E_{pk}(d_i)$ between the encrypted query $E_{pk}(Q)$ and each seed node $E_{pk}(v_i)$ computed in step 3, and then add these values to the candidate distance set;
5. Servers C1 and C2 use the secure minimum protocol SMIN to compute the minimum value in the candidate set that is greater than the current minimum distance $E_{pk}(d_{temp})$, obtaining the encrypted 0/1 sequence of the minimum value;
6. Treating the arrays as one-dimensional vectors, server C1 computes the encrypted dot products, where the subscript enc denotes the encrypted dot product computation; this yields the encrypted seed node value $E_{pk}(v)$, the encrypted ids $E_{pk}(a)$ of the adjacent Voronoi regions, and the encrypted squared Euclidean distance $E_{pk}(d_{temp})$ corresponding to the minimum found in step 5. That is, this step updates the values of $E_{pk}(a)$ and $E_{pk}(d_{temp})$;
Suppose the encrypted dot product of two encrypted vectors A and B of length $\lambda$ is to be computed; the encrypted dot product $A \cdot_{enc} B^{T}$ is then calculated by the following formula:
7. Server C1 adds $E_{pk}(v)$ to the result set $E_{pk}(R)$;
8. Server C1 empties the candidate sets;
9. Servers C1 and C2 repeat steps 2 to 7 until k nearest-neighbor results are obtained, i.e., the size of the result set $E_{pk}(R)$ at C1 is k.
10. The LBS-based secure kNN query method according to claim 1, characterized in that the specific steps for returning the query result are as follows:
1. Server C1 generates k pairs of random numbers, then compresses and encrypts them: server C1 holds the encrypted query results $E_{pk}(R)$ and server C2 holds the key sk. Server C1 first generates k pairs of random numbers $(r_{i1}, r_{i2})$ and compresses and encrypts them using formula (1) and the Paillier encryption scheme, obtaining $E_{pk}(r_{i1}|r_{i2})$;
2. Server C1 perturbs each query result $E_{pk}(R_i)$ with $E_{pk}(r_{i1}|r_{i2})$, obtaining the perturbed result $E_{pk}(R'_i)$. The specific formula is as follows:
$E_{pk}(R'_i) = E_{pk}(R_i + r_{i1}|r_{i2}) = E_{pk}(R_i) * E_{pk}(r_{i1}|r_{i2})$ (24)
3. Server C1 sends the perturbed results $E_{pk}(R'_i)$ to server C2, and sends the k pairs of random numbers $(r_{i1}, r_{i2})$ to the user User;
4. After receiving $E_{pk}(R'_i)$, server C2 decrypts it to obtain $R'_i$, and decompresses $R'_i$ according to formula (1) to obtain the perturbed coordinates $(x'_i, y'_i)$ of the result point;
5. Server C2 sends the k perturbed coordinate pairs $(x'_i, y'_i)$ to the user User;
6. The user User receives the k pairs of random numbers $(r_{i1}, r_{i2})$ from server C1 and the k coordinate pairs $(x'_i, y'_i)$ from server C2; subtracting the corresponding perturbation random number from each coordinate yields the final query result. The specific formula is as follows:
$x_i = x'_i - r_{i1},\quad y_i = y'_i - r_{i2}$ (25)
where $(x_i, y_i)$ is the final query result.
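The homomorphic identities of claim 8 and the blinded result return of claim 10 can be traced end to end in the following added Python example, which is not part of the patent. The toy Paillier key, the 32-bit slot packing standing in for formula (1), the mask range, and all function names are assumptions made for illustration.

```python
import math
import secrets

# Constructed toy key: Mersenne primes 2^61-1 and 2^89-1, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # private key sk, held only by C2
MU = pow(LAM, -1, N)                               # valid for generator g = N + 1
SLOT = 32  # assumed slot width in bits; this packing stands in for formula (1)

def enc(m):
    """E_pk(m) = (1 + m*N) * r^N mod N^2."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + m * N) * pow(r, N, N2) % N2

def dec(c):
    """D_sk(c) = L(c^LAM mod N^2) * MU mod N, where L(u) = (u - 1) // N."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def he_add(c1, c2):  # formula (21): multiplying ciphertexts adds the plaintexts
    return c1 * c2 % N2
def he_scale(c, k):  # raising a ciphertext to the power k multiplies its plaintext by k
    return pow(c, k, N2)

def pack(a, b):  # assumed compression a|b: two values side by side in one plaintext
    return (a << SLOT) | b
def unpack(m):
    return m >> SLOT, m & ((1 << SLOT) - 1)

def c1_blind(enc_results):
    """C1, steps 1-3: E_pk(R'_i) = E_pk(R_i) * E_pk(r_i1|r_i2), formula (24)."""
    masks = [(secrets.randbelow(2**30), secrets.randbelow(2**30)) for _ in enc_results]
    blinded = [he_add(c, enc(pack(r1, r2))) for c, (r1, r2) in zip(enc_results, masks)]
    return blinded, masks  # blinded goes to C2, masks go to the user

def c2_open(blinded):
    """C2, steps 4-5: decrypt and unpack; C2 sees only perturbed coordinates."""
    return [unpack(dec(c)) for c in blinded]

def user_recover(perturbed, masks):
    """User, step 6: x_i = x'_i - r_i1 and y_i = y'_i - r_i2, formula (25)."""
    return [(x - r1, y - r2) for (x, y), (r1, r2) in zip(perturbed, masks)]

def run_demo(points):
    """points: constructed (x, y) pairs below 2^16, so x + r and y + r fit in a slot."""
    enc_results = [enc(pack(x, y)) for x, y in points]  # E_pk(R) as held by C1
    blinded, masks = c1_blind(enc_results)
    perturbed = c2_open(blinded)
    return perturbed, user_recover(perturbed, masks)
```

The slot width must leave headroom for the value plus its mask: a sum that overflows its slot carries into the neighboring slot and corrupts the recovered coordinate.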
CN201811085432.1A 2018-09-18 2018-09-18 LBS-based security kNN query method Active CN109194666B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811085432.1A CN109194666B (en) 2018-09-18 2018-09-18 LBS-based security kNN query method

Publications (2)

Publication Number Publication Date
CN109194666A true CN109194666A (en) 2019-01-11
CN109194666B CN109194666B (en) 2021-06-01

Family

ID=64911650

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811085432.1A Active CN109194666B (en) 2018-09-18 2018-09-18 LBS-based security kNN query method

Country Status (1)

Country Link
CN (1) CN109194666B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant