CN109194666A

CN109194666A - A kind of safe kNN querying method based on LBS

Info

Publication number: CN109194666A
Application number: CN201811085432.1A
Authority: CN
Inventors: 杨晓春; 王斌; 王雷霞
Original assignee: Northeastern University China
Current assignee: Northeastern University China
Priority date: 2018-09-18
Filing date: 2018-09-18
Publication date: 2019-01-11
Anticipated expiration: 2038-09-18
Also published as: CN109194666B

Abstract

The invention belongs to data-privacies to protect field; it is proposed a kind of safe kNN querying method based on LBS; process includes: that data owner generates key pair and encrypted indexes structure; and encrypted indexes structure is sent to server C1; public key is sent to server C1, C2 and user, private key is sent to server C2；Inquiry of the user to oneself generates encrypted query using public key encryption and requests, and the inquiry request is sent to server C1；After the inquiry request of index structure and encryption that server C1 is encrypted, secure two party computation is defined；Based on secure two party computation, design safety kNN vlan query protocol VLAN；Query result is returned to user；The privacy of data on effective protection server of the present invention, the privacy of the inquiry request of user, the privacy of the query result of user, the access module in query process; and provide accurate query result; the mobile device low suitable for processing capacity, and substantially increase the speed for completing inquiry.

Description

LBS-based security kNN query method

Technical Field

The invention belongs to the field of data privacy protection, and particularly relates to a safe kNN query method based on LBS.

Background

In recent years, with the rapid development of mobile networks and smart phones, Location Based Services (LBS) have been widely used in various aspects such as social contact, life service, online shopping, and the like. The kNN query, namely the query of k nearest neighbor points to the user position, is a basic and representative important query. However, the LBS brings great convenience for life and brings hidden danger of privacy disclosure to people. From the perspective of user privacy, when the location-based query is performed, the server can easily collect the real location of the user while responding to the user request, and deduce privacy information such as religious revenues, home addresses, daily life tracks and the like. From the perspective of enterprises, many enterprises outsource data to third-party servers in the form of data outsources, and the third-party servers respond to the query requests of users. In the process, the public data is known to a third-party server, and some secret warehouse addresses or databases of the entered household addresses of the employees are private information, and the leakage of the private information causes great economic loss of the company. How to protect the security of data and query requests while providing location-based query services is of great practical significance. At present, sensitive information is encrypted by an encryption-based privacy protection method, and since a server does not have a secret key for decryption, any privacy information about encrypted data is difficult to obtain, so that the aforementioned privacy disclosure condition can be protected. But the intermediate results of the cryptographic calculations can still reveal the data access pattern, i.e. which data are accessed, often vulnerable to inference attacks. Meanwhile, in the process, the server needs to calculate on the ciphertext to obtain the query result, however, in the currently proposed method, due to the complexity of the ciphertext calculation, a large time cost is often consumed, so that the security of the query service and the query cost are difficult to balance.

Disclosure of Invention

Aiming at the defects of the prior art, the homomorphic encryption scheme is effectively improved and supplemented, and in order to solve the problem of privacy information leakage in the kNN query based on the position, the invention provides a safe kNN query method based on LBS.

The technical scheme is based on a Paillier homomorphic encryption system, and because the encryption scheme can only complete partial homomorphic operation, namely addition homomorphic operation, a dual-server framework is used in the invention, in the framework, a Data Owner (DO) owns original data and a public key pk and a private key sk which are homomorphic encrypted by Paillier, a User owns an inquiry request and the public key pk, a cloud server C1 owns an encryption index structure and the public key pk, and a cloud server C2 owns the public key pk and the private key sk. Based on the system framework and a half-integrity model of two-party secure computation, the invention designs an encryption index structure, namely a secure Voronoi diagram SVD and a secure network grid division SG and a secure subprotocol for realizing basic ciphertext computation operation, and designs a secure kNN query protocol based on the index structure and the subprotocol. Through the protocol, the safe kNN query meeting the requirements is realized, and the specific steps are as follows:

step 1, a data owner DO generates a key pair (pk, sk) and an encryption index structure, sends the encryption index structure to a server C1, sends a public key pk to servers C1, C2 and a User, and sends a private key sk to a server C2;

the encryption index structure comprises: the security Voronoi diagram SVD and the security grid partition SG;

generating a key pair (pk, sk) using a Paillier encryption scheme, wherein a public key pk is used for encrypting data and a private key sk is used for decrypting data;

the specific steps for generating the encryption index structure are as follows:

(1) generating a Secure Voronoi Diagram (SVD):

① Voronoi diagram partitioning into DO-owned dataset D ═ p₁,…,p_nWhere the data point p_iX, y. Voronoi diagram partitioning is performed on the data set D. The Voronoi diagram divides the plane on which D lies into n convex polygons called Voronoi regions, each Voronoi region v_iWith and only one data point p_iCalled corresponding Voronoi region v_iThe seed node of (1). And dividing the edges of the two Voronoi regions to form vertical bisectors of the seed nodes of the two Voronoi regions. For a Voronoi region v_iThe nearest neighbor of the point q falling in the area is the seed node p of the area_i. From the nature of the Voronoi diagram, the kNN object for query point q exists among the seed nodes of the neighboring Voronoi regions of the (k-1) NN that were previously computed.

② storing all Voronoi regions in the Voronoi diagram in an array in random out-of-order according to the Voronoi divisionWill be the region v_iThe corresponding index number in the array is taken as its id. For any Voronoi region v_iBy one to twoTupleIs represented by (x)_i,y_i) Is the region v_iCorresponding seed node p_iA coordinate of (a)_ijIs the region v_i(ii) adjacent Voronoi region id, (t)₁) The number of Voronoi regions adjacent to the Voronoi region.

③ add false data to avoid an attacker distinguishing a Voronoi region by the number of adjacent Voronoi regions to the query region, by counting the number of groupsThe false adjacent Voronoi area id added in keeps the number of the adjacent areas as a constant value t₁Where the false ids added are all arraysThere are real index numbers, but none of them are the adjacent id of the corresponding area and are different from each other. These false ids can be pruned in the subsequent query process, a minimum value is selected from the read values each time, and the read-select operation is performed k times, so that the final k results can be obtained. Since the ids of the points with the minimum value are contained in the ids read each time, the points corresponding to the randomly added false ids cannot be selected during selection, which is equivalent to pruning.

④ data compression to fully utilize Paillier's plaintext space, which is generally 1024 bits, to store a region V of the array V_iThe corresponding coordinates and the id of the neighboring area are compressed using the following formula:

wherein λ is the number of compressed data, σ is the bit length of the data compression, and σ is greater than the bit length of the data itself in order to add random number disturbance to the compressed id in the subsequent protocol. Through the calculation, a plurality of numbers can be represented as one number, one-time encryption is carried out, the plaintext space of Paillier is fully utilized, and the encryption times are reduced.

⑤ pairs of arraysAnd encrypting by using pk to obtain the SVD. Obtaining an encrypted Voronoi division SVD, wherein each item stores an encrypted binary group corresponding to the Voronoi area

(2) Generating a security mesh partition (SG):

① meshing is performed on the basis of the Voronoi division described above, which divides Voronoi into m meshes, the side length of each mesh being represented by a vector wThe index numbers of the matrix rows and columns correspond to the coordinates of the grid in two dimensions, respectively. Each mesh stores the id of the Voronoi region it covers, i.e., the id of the Voronoi region it intersects, expressed asWherein o is_ijIs the region g_iId of intersecting Voronoi regions, (t)₂) The number of Voronoi regions intersected for that region.

② add false data to avoid an attacker distinguishing the grid by the number of Voronoi regions where the queried grid intersects, we do so by looking at the matrixThe false adjacent Voronoi area id added in keeps the number of id stored in each grid as a constant value t₂Where the false ids added are all arraysThere are real index numbers, but none are ids of the intersecting areas with the grid and are distinct from each other. These false ids can be pruned in the subsequent query process, and in the subsequent query process, a minimum value is selected from the read values each time, and the read-select operation is performed k times, so that the final k results can be obtained. Since the ids of the points with the minimum value are contained in the ids read each time, the points corresponding to the randomly added false ids cannot be selected during selection, which is equivalent to pruning.

③ data compression, in order to fully utilize Paillier's plaintext space, the content stored in each grid is compressed by the same formula (1). Via the calculation, a plurality of numbers can be expressed as one number, and are encrypted once, so that Paillier's plaintext space is fully utilized, and the encryption times are reduced.

④ are encrypted by public key pk to obtain SG pair matrixThe sum vector w is encrypted by pk to obtain SG and E_pk(w) is carried out. That is, obtaining the encryption grid SG As shown in FIG. 2(d), each encryption grid content is represented as

The security analysis is that the server C1 has an encrypted data structure but does not have the private key sk and cannot decrypt the data, the server C2 has the private key sk but does not have the data, and the servers C1 and C2 cannot obtain any effective information about the data except the size of the data set, so that the data privacy is protected.

Step 2, the User uses the public key pk to encrypt the inquiry Q of the User to generate an encrypted inquiry request E_pk(Q) and sends the query request to the server C1, where the vector Q is (x, y) the coordinates to be queried by the user, and the query request E is obtained by encrypting_pk(Q)＝{E_pk(x),E_pk(y)}；

And (3) safety analysis: in this process, the server C1 may obtain the encrypted query request Q of the user, but the server C1 has no private key sk, cannot decrypt the query Q, and cannot obtain the query content; the server C2 possesses the private key sk but no query Q, thus protecting the user's query privacy.

Step 3, the server C1 obtains the encrypted index structures SVD and SG and the encrypted query request E_pkAfter (Q), security kNN query is carried out while the privacy requirements are protected through security two-party calculation. When the secure kNN query is performed on a ciphertext, the Euclidean distance between two points needs to be calculated and compared, so that some support of basic calculation operations on the ciphertext is needed, such as multiplication operation and division operation on the ciphertext. Because the Paillier encryption scheme only supports the addition homomorphic operation of two ciphertexts and the multiplication homomorphic operation of the ciphertexts and the plaintext, basic operations such as multiplication, division, minimum value solving and the like between the two ciphertexts cannot be directly processed. At present, the existing security basic sub-protocols include a security multiplication protocol (SM) and a security Squared euclidean distance calculation protocol (SSED), and these sub-protocols are directly called in the security kNN query protocol designed by the present invention. Aiming at the security subprotocols without or with defects, the invention designs a series of security subprotocols based on two-party calculation, which comprise a security Division protocol (Secure Division, abbreviated as SD), a security Minimum value protocol (Secure Minimum, abbreviated as SMIN), security Grid calculation (Secure Grid calculation, abbreviated as SGC) and a security Voronoi area calculation protocol (Secure Voronoi Cell calculation, abbreviated as SVCC). The specific protocol content is as follows:

the secure division protocol SD: at server C1 end, give twoThe range-encrypted integers a, b, C1, and C2 are encrypted, truncated, and divided by a two-party calculation, over two encrypted data, at the server C1Resulting in an encrypted quotient. When the protocol is executed, the encrypted data and the merchant are owned only by the server C1, and the server C2 owns only the key sk.

The principle of the protocol is shown in equation (5) for any

(ar₁+br₁r₂+r₃)/(br₁)＝a/b+r₂(2)

WhereinAnd r is₃<r₁K is the bit size of the Paillier encryption scheme key, l_dataIs the bit length of the data a, b.

The specific steps of the secure division protocol SD are as follows:

① Server C1 generates random numbers that Server C1 owns the encrypted data E_pk(a),E_pk(b) The server C2 owns the private key sk. First, the server C1 generates a satisfyAnd r is₃<r₁Random number r of₁,r₂,r₃。

② encrypts the random number with the public key pk and sends it to the server C2. the server C1 calculates E using the generated random number and the public key pk_pk(ar₁+br₁r₂+ r3) and E_pk(br₁) And sends them to the server C2. The specific calculation formula is as follows:

③ Server C2 decrypts with private key sk that Server C2 received E sent by C1_pk(ar₁+br₁r₂+ r3) and E_pk(br₁) Then, they are decrypted by the private key sk to obtain λ'_aAnd λ'_b. The formula for decryption is as follows:

λ′_a＝D_sk(E_pk(ar₁+br₁r₂+r₃))＝ar₁+br₁r₂+r3 (5)

λ′_b＝D_sk(E_pk(br₁))＝br₁(6)

④ Server C2 decrypts the decrypted result λ'_aAnd λ'_bThe two numbers are divided, and the calculated quotient is encrypted by using a public key and then sent to C1: server C2 calculates λ'_a/λ′_b(mod n) and encrypt it, mod representing the modulo operation, resulting in E_pk(λ′_a/λ′_b) And sent to the server C1.

⑤ the server C1 calculates the encryption result of the secure division protocol that the server C1 receives E_pk(λ′_a/λ′_b) Then, the encrypted E is calculated using equation (7)_pk(a/b)。

E_pk(a/b)＝E_pk(λ′_a/λ′_b)*E_pk(r₂)^N-1(7)

Wherein E_pk(r₂)^N-1＝E_pk(-r₂) R is encrypted by the ciphertext operation₂Minus, N is the product of two large primes in the paillier public key pk.

And (3) safety analysis: in the process, the server C1 can obtain the encrypted data and the encrypted division result, but the C1 has no private key sk, cannot decrypt the data and the result content; the server C2 possesses the private key sk but no data, thus protecting data privacy and result privacy. Meanwhile, in the process, data sent by the C1 to the C2 are all random numbers, data sent by the C2 to the C1 are all Paillier probability encrypted data, and privacy of a data access mode is protected.

Safe minimum protocol SMIN: at server C1 end, t pieces are givenThe encrypted integers in the range and an encrypted range value C, C1 and C2 calculate the minimum value of t encrypted integers which are larger than the range value C in an encrypted way through safe two-party calculation, an encrypted sequence which corresponds to the t encrypted integers in a one-to-one mode and takes t as the length is generated according to the minimum value, the minimum value corresponds to encrypted 1, the rest is encrypted 0, and the encrypted sequence is obtained at the end of a server C1. When the protocol is executed, the encrypted data and the minimum sequence are owned only by the server C1, and the server C2 owns only the key sk.

The principle of the protocol is as follows: given t integersFor each x_iAnd (3) calculating:

x′_i＝x_i*r_max+r_i(8)

wherein r is_i<2^K-l-1Each r_iAll are different, r_maxIs r_iMaximum value of (2). When r is_iWhen the size is large enough, t unequal random integers can be obtained through the formula (8)And x'_iAnd x_iThe same partial ordering relationship is maintained.

The safety minimum protocol SMIN comprises the following specific steps:

① Server C1 generates random numbers that Server C1 owns the encrypted numbersAccording to E_pk(x₁),…,E_pk(x_t) And an encrypted range value E_pk(c) The server C2 possesses a private key sk. First, the server C1 generates t +1 random numbers r₁,…,r_t+1Is satisfied withThen, the maximum value of the t +1 random numbers is selected and recorded as r_maxAnd the rest random numbers are recorded as r₁,…,r_t}。

② the server C1 calculates each encrypted data to obtain the difference E between each encrypted integer and the value of the encryption range_pk(x_i-c). The specific calculation formula is as follows:

E_pk(x_i-c)＝E_pk(x_i)*E_pk(c)^N-1(9)

③ Server C1 adds a random number to each encrypted difference value, server C1 adds a random number to each encrypted difference value E_pk(x_i-c) calculating according to equation (8) to obtain the encrypted perturbation value E after adding random number thereto_pk(θ_i). The specific calculation formula is as follows:

④ the server C1 sends the t values to the server C2. after disordering the order, and the calculation formula is as follows:

E_pk(θ′)＝π(E_pk(θ)) (11)

⑤ Server C2 decrypts that Server C2 received E_pk(θ′_i) These values are then decrypted to obtain θ'_i。

⑥ Server C2 calculates θ'_iAnd marking the corresponding i of the minimum value in the sequence theta' as min.

⑦ garmentThe server C2 generates a sequence Δ', Δ t long_min' is 1, and the remainder is 0. All elements in the sequence Delta' are encrypted to obtain E_pk(Δ') to the server C1.

⑧ the server C1 uses the inverse function to obtain the safety minimum value protocol encryption result, the server C1 obtains the sequence E_pk(Δ') after the sequence and encrypted data E are obtained using the inverse function of equation (11), equation (12)_pk(x₁),…,E_pk(x_t) Corresponding 01 sequence E of encrypted minimum value maps_pk(Delta). The specific calculation formula is as follows:

E_pk(Δ)＝π^-1(E_pk(Δ′)) (12)

and (3) safety analysis: in the process, the server C1 can obtain the encrypted data and the encrypted division result, but the C1 has no private key sk, cannot decrypt the data and the result content; the server C2 can obtain the disturbed difference value through decryption operation, and since solving the equation set containing (t +1) variables and t equations is an NP-hard problem, the C2 can hardly learn x needed to be compared_iAnd c, data privacy is protected; meanwhile, the sequence sent by the C1 to the C2 is out of order, and the sequencing function C2 does not know, so that the sequence cannot correspond to a real sequence even if the corresponding minimum value is calculated by the C2, and the privacy of an access mode is protected.

Secure grid computing protocol SGC: at the server C1, the encrypted grid SG, the side length E of the encrypted grid cell are specified_pk(w) and encrypted query request E_pk(Q), C2 possesses private key sk, C1 and C2 to compute the grid cell where the query is located by secure two-party computation encryption and fetch the contents stored in the grid cell. During this calculation, the coordinates of the encrypted grid cells and the encrypted contents stored by the grid cells are only available at the server C1 side, and C2 does not obtain any valid information about these contents.

The security grid computing protocol SGC comprises the following specific steps:

① Server C1 calculates the encrypted coordinates of the grid where query Q is located, server C1 has encrypted grid SG, the side length E of the encrypted grid cell_pk(w) and encrypted query request E_pk(Q), the server C2 possesses the private key sk. Firstly, the server C1 calculates the coordinates of the encrypted query divided by the side length of the grid cell in each dimension, i.e. on the x-axis and the y-axis, respectively, using the secure division SD protocol, and calculates the encrypted coordinates E of the grid g where the query Q is located in the dimension_pk(x_i). Since the present invention is applicable to location based services queries, the point vectors referred to herein are all two-dimensional vectors. The specific calculation formula is as follows:

E_pk(x_i)＝SD(E_pk(Q_i),E_pk(w_i)) (13)

② Server C1 calculates grid g in each dimension separately in two dimensions_iAnd the encrypted difference of the coordinates of the grid g where the query point is located, and two encrypted one-dimensional vectors E are obtained_pk(α),E_pk(β) assume that there is n in each dimension_iGrid cells, the coordinates corresponding to the grid cells are 0 to n respectively_i-1. The specific calculation formula is as follows:

E_pk(α_i)＝E_pk(x₁-i),E_pk(β_i)＝E_pk(x₂-i) (14)

③ the server C1 multiplies the two encrypted one-dimensional vectors by random numbers respectively to obtain the disturbed result, the server C1 multiplies the E by the random numbers respectively_pk(α_i) And E_pk(β_i) Respectively encrypted and multiplied by a random number r to obtain a disturbed E_pk(α_i) And E_pk(β_i) Is shown as E_pk(α′_i) And E_pk(β′_i) Wherein the coordinates corresponding to the grids except the query are E_pk(0) And the rest are random numbers. It is noted that the random number multiplied by each number is different, and for the sake of convenience we will refer to r, the synergy described hereinafterThe conference follows the representation as well. The specific formula is as follows:

E_pk(α′_i)＝E_pk(α_i)^r,E_pk(β′_i)＝E_pk(β_i)^r(15)

④ Server C1 general equation (11) for E_pk(α') and E_pk(β') out of order and send to server C2.

⑤ Server C2 decrypts and processes that Server C2 receives E_pk(α′_i) And E_pk(β′_i) Then it is decrypted using the private key sk and corresponding mu is generated_iHexix-_iWherein, if α'_iWhen it is equal to 0, then μ_iIs 1 if β'_iWhen the ratio is 0, then x_iIs 1, and the rest are 0.

⑥ the server C2 uses the public key pk to encrypt the decrypted and processed result and sends the result to the server C1. the server C2 uses the public key pk to encrypt the mu_iHexix-_iIs encrypted to obtain E_pk(μ_i) And E_pk(χ_i) And sent to the server C1.

⑦ Server C1 received E_pk(. mu.) and E_pkAfter (χ), the vectors are restored to order using equation (12).

⑧ Server C1 calculates the dot product μ · SG · χ of the vectors using the additive homomorphic property of the secure multiplication protocol SM and Paillier, equivalently, for each grid g_ijCryptographic calculation E_pk(g_ij*μ_i*χ_j) And then, all the calculation results are added in an encryption mode to obtain the encrypted value of the grid cell g where the query is located. Since Paillier is a probabilistic cipher, E is obtained by this calculation_pk(g) And does not correspond to the ciphertext in the trellis. The specific formula is as follows:

wherein the number m of the divided grids is n₁*n₂，n₁Number of grids on x-axis, n₂Is the number of grids on the y-axis.

And (3) safety analysis: in the process, the server C1 can obtain the encrypted data and the encrypted result, but the C1 has no private key sk, cannot decrypt the data and the result content; the sequence calculated by the server C2 through the decryption operation is a disorder sequence, and the C2 cannot see the C2, so even if the C2 cannot correspond to the real sequence, the coordinates of the grid where the C2 is located cannot be obtained; meanwhile, since Paillier is probabilistic encryption, C1 cannot compute E_pk(g) And the access mode privacy is protected by corresponding to the ciphertext in the grid.

Secure Voronoi regional computing protocol SVCC: on the server C1 side, an encrypted Voronoi data structure SVD, an encrypted Voronoi region id E are given_pk(a₁|…|a_λ) And λ, where λ is the number of compressed ids; c2 possesses private key sk. C1 and C2 calculate the Voronoi region corresponding to the query by secure two-party computation encryption and take the value of the seed node encrypted for that region and the encrypted id of its neighboring region. During this calculation, the encrypted Voronoi area id and the value of this area are only available at the server C1, and C2 does not get any valid information about these contents.

The specific steps of the secure Voronoi regional computation protocol SVCC are as follows:

① Server C1 generates random numbers, compresses and encrypts the random numbers, server C1 has an encrypted Voronoi region SVD, and an encrypted Voronoi region id E_pk(a₁|…|a_λ) And the number λ of compression ids, the server C2 possesses the private key sk. First, the server C1 generates λ random numbers r, and compresses and passes E through these random numbers using equation (4)_pk(. o) encrypting to obtain E_pk(r₁|…|r_λ)。

② Server C1 will encryptCompressed random number E of_pk(r₁|…|r_λ) And encrypted Voronoi region id E_pk(a₁|…|a_λ) Adding homomorphic properties by Paillier addition to obtain E_pk(a′₁|…|a′_λ) Is equivalent to a_iAnd r_iAdding and compressing the encryption. The specific calculation formula is as follows:

E_pk(a′₁|…|a′_λ)＝E_pk(r₁+a₁|…|r_λ+a_λ)＝E_pk(r₁|…|r_λ)*E_pk(a₁|…|a_λ) (17)

③ Server C1 will E_pk(a′₁|…|a′_λ) To the server C2.

④ Server C2 received E_pk(a′₁|…|a′_λ) Then, the private key sk is used for decryption, and then decompression is carried out according to a formula (4) to obtain a lambda number value a'₁,…,a′_λ。

⑤ Server C2 obtains a two-dimensional array by calculation that Server C2 calculates each C_i＝a′_iThe value of mod n, for each c_iGenerating an n-long sequence α_iWherein1, and 0 for the rest, wherein n is the number of Voronoi regions, and the ends of C2 are co-formed into lambda sequences, so that a two-dimensional array α with the size of lambda x n is obtained.

⑥ Server C2 uses public Key pk Pair α_ijEncrypted to obtain E_pk(α_ij) Two-dimensional array E to be encrypted_pk(α) to Server C1.

⑦ Server C1 received E_pk(α) generating an n-long sequence β, storing the selection values corresponding to the Voronoi regions with real index numbers from 0 to n-1, and encrypting the Voronoi region id E by calculation_pk(a₁|…|a_λ) Containing id at E_pk(β) corresponding to E_pk(1) The rest corresponds to E_pk(0). The specific calculation formula is as follows:

⑧ Server C1 general equation (11) for E_pk(β) sending the data to the server C2 after disorder;

⑨ Server C2 received E_pk(β), decryption yields β dividing the β sequence index into λ packets G, each packet G_iβ with and only one element corresponding_i＝1。

⑩ Server C2 groups each G_iIs scrambled and all packets G are sent to server C1.

After the server C1 receives the group G, the unordered index numbers in the group G are restored to the index numbers in the corresponding sequence by using a formula (12), and E is used_pk(β) restoring the sequence.

The server C1 groups G for each packet_iRespectively calculating the encrypted values E of the Voronoi region seed nodes corresponding to the seed nodes_pk(v_i) And an encryption id E of an area adjacent to the Voronoi area_pk(a_i). The specific calculation formula is as follows:

wherein c is a group G_iThe number of the elements in (B).

The addition homomorphic operation adopts a Paillier addition encryption scheme:

for plain textFor ciphertext E_pk(m₁) And E_pk(m₂) Making a groupMultiplication operations within are equivalent to the pair m₁And m₂Performing an addition operation and then encrypting, wherein E_pk(. represents an encryption operation, D)_sk(. cndot.) represents a decryption operation, and the formula is as follows:

D_sk(E_pk(m₁)E_pk(m₂)mod N²)＝m₁+m₂mod N (21)

the multiplication homomorphic operation adopts a Paillier multiplication encryption scheme:

for plain textFor ciphertext E_pk(m₁) And m₂Making a groupThe exponentiation operation of inner is equivalent to m₁And m₂Carrying out multiplication operation and then encrypting, wherein the formula is as follows:

where N is the product of two large prime numbers in the paillier public key pk.

Security analysis during this process, the server C1 can get the encrypted data and the encrypted results, but C1 does not have the private key sk, the data and the result content cannot be obtained because the decryption cannot be carried out; the sequence calculated by the server C2 through the decryption operation is a disorderly sequence, and the sorting function C2 does not see C2, so that even if C2 cannot correspond to a real sequence, the index number corresponding to the required Voronoi region cannot be obtained; meanwhile, since Paillier is probabilistic encryption, C1 cannot compute E_pk(v_i) And E_pk(a_i) And the access mode privacy is protected by corresponding to the ciphertext in the SVD.

And 4, designing a secure kNN query protocol SkNN based on the secure subprotocol to complete secure kNN query of the ciphertext. The protocol inputs an encrypted query request E at the server C1 side_pk(Q) and encrypted Security index structures SVD, SG, and E_pk(w) finding the distance E on the index structure by secure two-way computation of C1 and C2_pk(Q) the nearest k encrypted points, which are kNN results, are obtained at C1. The main idea of the protocol for kNN query is as follows: c1 and C2 first compute query request E through secure grid computing protocol SGC_pk(Q) the grid on which the grid is located, thereby obtaining encrypted index numbers for the Voronoi regions covered by the grid; according to the index number, calculating values of the region seed nodes and the id of the adjacent region from the SVD; computing a query point E using a secure Euclidean distance computation protocol SSED_pk(Q) euclidean distances to the seed nodes, then calculating a minimum using a safe minimum protocol SMIN; adding the minimum value obtained by calculation into the kNN result to obtain an NN object; reading the values of the neighboring regions and calculating 2 NN; calculating 3NN from neighbor regions of the NN object and the 2NN object; and the like in turn until a kNN result is obtained.

The specific steps of the secure kNN query protocol SkNN are as follows:

① Server C1 initializes three tuples-Server C1 owns the encrypted query request E_pk(Q) and encrypted secure index structures SVD, SG, and E_pk(w), the server C2 possesses the private key sk. First, the server C1 initializes three arrays And the seed node set, the subsequent Voronoi area id set and the candidate distance set respectively represent candidate Voronoi areas.Storing the value of the current read-out encryption seed node, facilitating the subsequent reading of the current minimum result, and adding the result set E_pk(R) in (A);storing the encrypted ids of adjacent areas of the first (k-1) Voronoi areas for calculating kNN;storing the encrypted Euclidean distance of the current object to be compared. While C1 initializes the current minimum distance E_pk(d_temp) The value is the current minimum distance E_pk(0)。

② servers C1 and C2 compute query request E using secure grid computing protocol SGC_pk(Q) the grid on which it is located, thus obtaining the encrypted index E of the Voronoi region covered by the grid_pk(a)。

③ servers C1 and C2 calculate E using the secure Voronoi region computation protocol SVCC_pk(a) Value E of the corresponding seed node_pk(v_i) And id E of neighboring area_pk(a_i) Adding these values to the respectiveAndin (1).

④ servers C1 and C2 use secure Euclidean distance computation protocol SSED to compute encrypted query E one by one_pk(Q) and the seed node E calculated in step ③_pk(v_i) Squared Euclidean distance E of_pk(d_i) After which these values are added toIn (1).

⑤ servers C1 and C2 compute candidate sets using the secure minimum protocol SMINGreater than the current minimum distance E_pk(d_temp) To obtain an encrypted 01 sequence with a minimum value

⑥ will beAndviewed as a one-dimensional vector, server C1 cryptographically computes the dot product Andwherein_encRepresenting the encryption dot product calculation, i.e., the value E of the encrypted seed node corresponding to the minimum value found in step ⑤_pk(v) Encrypting id E of adjacent Voronoi areas_pk(a) And the encrypted Euclidean distance E_pk(d_temp) By this step, update E_pk(a) And E_pk(d_temp) The value of (c).

Assuming that the encrypted dot product of two λ -long encrypted vectors A and B is calculated, the encrypted dot product A ·_encB^TThe specific calculation formula of (2) is as follows:

⑦ Server C1 Add E_pk(v) To result set E_pk(R) in (A).

⑧ Server C1 emptying candidate setAnd

⑨ servers C1 and C2 repeat steps ② through ⑦ until k nearest neighbor results are obtained at C1, i.e., result set E_pkThe size of (R) is k.

And (3) safety analysis:

in the process of the security k query, the intermediate results obtained at the server C1 are both probability encryption and decryption, and the C1 deduces any other information according to the intermediate results. Meanwhile, according to the theorem of secure protocol combination, it can be known that a protocol is secure if the sub-protocols constituting the protocol are secure and the generated intermediate results are all random numbers or probability encryption data.

And 5, returning a query result to the User: server C1 has encrypted query result E_pk(R), the server C2 possesses the key sk, generates two random numbers for the k query results respectively, and the server C1 compresses and encrypts the two random numbers, and perturbs the results by using the compressed and encrypted random numbers. Obtaining a ciphertext calculation result, sending the ciphertext calculation result to a server C2 by the server C1, and sending the k pairs of random numbers to a User; the server C2 decrypts the disturbed result to obtain a decrypted result and obtains k groups of disturbed coordinate values; c2 sending the k groups of disturbed coordinate values to a User; the User receives k sets of random numbers from server C1, and from server CAnd 2, receiving the k groups of disturbed coordinate values, and subtracting the disturbed random number corresponding to each disturbed coordinate value by the User to obtain a final query result. Here, the computation at the user side does not involve encryption and decryption and ciphertext computation operations, and does not cause heavy time cost.

The specific steps for returning the query result are as follows:

① Server C1 generates k pairs of random numbers, encrypts and compresses that Server C1 possesses encrypted query result E_pk(R), Server C2 possesses key sk. First, the server C1 generates k pairs of random numbers (r)_i1,r_i2) And compressing and encrypting the E and E by using a Paillier encryption scheme also shown in formula (4) to obtain E_pk(r_i1|r_i2)。

② Server C1 for each query result E_pk(R_i) Using E_pk(r_i1|r_i2) Disturbing to obtain a disturbed result E_pk(R_i') the specific calculation is as follows:

E_pk(R′_i)＝E_pk(R_i+r_i1|r_i2)＝E_pk(R_i)*E_pk(r_i1|r_i2) (24)

③ Server C1 will disturb the result E_pk(R′_i) Sends it to the server C2, and pairs k to random numbers (r)_i1,r_i2) And sending the data to a User.

④ Server C2 received E_pk(R′_i) Then, E is mixed_pk(R′_i) Decrypted to obtain R'_i(ii) a R 'is prepared according to formula (4)'_iDecompressing to obtain the coordinate value (x ') of the disturbance of the result point'_iy_i′)。

⑤ Server C2 sets coordinate values (x ') of k sets of disturbances'_i,y_i') to the User.

⑥ User receives k sets of random numbers (r) from server C1_i1,r_i2) The k set coordinate value (x ') is received from the server C2'_i,y_i'). And subtracting the disturbed random number corresponding to each coordinate to obtain a final query result. The specific calculation formula is as follows:

x_i＝x′_i-r_i1,y_i＝y′_i-r_i2(25)

and (3) safety analysis: server C1 has the encrypted query results but cannot decrypt without the private key sk; the server C2 decrypts the perturbed result, and since the added random number is unknown and solving the equation set containing 2k variables and k equations is an HP-hard problem, the value of the result cannot be obtained through calculation in the valid time, and the privacy of the result is protected.

The beneficial technical effects are as follows:

(1) protecting the privacy of data on a server: in the query process, the data is prevented from being leaked to a malicious attacker, and the data except the query result is prevented from being leaked to a user. That is, the data stored on the server cannot be accessed by anyone, including the server, except for providing the user with the results of the query they need.

(2) Protecting privacy of a user's query request: in the query process, the query request of the user (namely the position of the user query) is protected from being disclosed to an attacker and a server. Using the protocol designed herein, a secure kNN query can be made and accurate results obtained without the server knowing what the user's query request is.

(3) Protecting privacy of user's query results: after the query is completed, the query result of the user can only be obtained by the user, and the server and other malicious attackers cannot know what the query result of the user is.

(4) Protecting access patterns in the query process: the data access mode in the inquiry process is effectively hidden, namely information about which data are accessed is hidden from the server, and all intermediate results generated in the inquiry calculation process are hidden, so that the server can be effectively prevented from reasoning and attacking the data on the server and the inquiry request of the user through historical records and background knowledge.

(5) Accurate query results: with the above privacy protected, accurate and correct query results can still be obtained using the protocols designed herein. This is in contrast to most privacy-preserving queries which can only yield approximate results, and the security improvement does not sacrifice the accuracy of the query results.

(6) The present invention can be applied to mobile devices with low processing power: in the method designed by the invention, the client does not participate in the ciphertext calculation process, and only needs to complete two operations of encrypting the query and subtracting the random number from the disturbance result in the whole query process. The two operations are completed without requiring the processing capacity of the client for data, that is, the method is suitable for the client with low processing capacity and can be used on the low-end mobile device.

(7) Completion query of validity time: most of protocols based on encryption have high time complexity, and query results are difficult to obtain in effective time. The method is completed based on an encrypted index structure, the time complexity of the exponentiation operation is O (n + m), namely for 1 thousand pieces of data, on a computer configured as i7-4790CPU @3.60GHz and 8GB RAM, a user can complete the query of k ═ 3 in 30min, which is obviously superior to the similar algorithm for ensuring the same safety, and the similar algorithm generally needs about 3 hours to complete the query.

Drawings

Fig. 1 is a block diagram of a security kNN query method based on LBS in an embodiment of the present invention;

FIG. 2(a) is a secure Voronoi diagram of an embodiment of the invention;

FIG. 2(b) is a diagram of a secure SVD according to an embodiment of the present invention;

FIG. 2(c) is a security mesh partition diagram of an embodiment of the present invention;

fig. 2(d) is a diagram of a security SG according to an embodiment of the present invention;

fig. 3 is a flowchart of a security kNN query method based on LBS in an embodiment of the present invention;

FIG. 4 is a flow diagram of generating a secure Voronoi diagram SVD in accordance with an embodiment of the present invention;

FIG. 5 is a flowchart of an embodiment of the present invention for generating a security mesh partition SG;

FIG. 6 is a flow diagram of a secure division protocol SD according to an embodiment of the present invention;

FIG. 7 is a flow chart of a secure minimum protocol SMIN according to an embodiment of the present invention;

FIG. 8 is a security mesh computing protocol SGC flow diagram of an embodiment of the present invention;

FIG. 9 is a flow chart of a secure Voronoi region computation protocol SVCC in accordance with an embodiment of the present invention;

fig. 10 is a SkNN flowchart of the secure kNN query protocol in an embodiment of the present invention;

FIG. 11 is a flowchart of returning a query result according to an embodiment of the present invention.

Detailed Description

The invention is further described with reference to the accompanying drawings and specific embodiments, as shown in fig. 1 and fig. 3, the specific process includes:

step 1, the data owner DO generates a key pair (pk, sk) and an encryption index structure, wherein the length of the generated Paillier key is 1024 bits, the encryption index structure is sent to the server C1, the public key pk is sent to the servers C1, C2 and the User, and the private key sk is sent to the server C2. Signing in a data set by using Gowalla, randomly selecting 1000 points from the data set for testing, using a point of interest (POI) as a data point, normalizing the data into 16-bit large integers, using a Data Owner (DO) to use the processed data point as a seed node for each integer, constructing a Voronoi diagram by using Fortune's algorithm, and then performing grid division to generate an encryption index Structure (SVD) and an encryption index Structure (SG);

(1) generating a secure Voronoi diagram SVD, as shown in FIG. 4:

① Voronoi diagram partitioning into DO-owned dataset D ═ p₁,…,p_nWhere the data point p_iX, y, and n is 1000. The data set D is subjected to Voronoi diagram division, and the division result is shown in fig. 2 (a). The Voronoi diagram divides the plane on which D is located into n convex polygons called Voronoi regions, each Voronoi region v_iWith and only one data point p_iCalled corresponding Voronoi region v_iThe seed node of (1). And dividing the edges of the two Voronoi regions to form vertical bisectors of the seed nodes of the two Voronoi regions. For a Voronoi region v_iThe nearest neighbor of the point q falling in the area is the seed node p of the area_i. From the nature of the Voronoi diagram, the kNN object for query point q exists among the seed nodes of the neighboring Voronoi regions of the (k-1) NN that were previously computed.

② storing all Voronoi regions in the Voronoi diagram into the array V in random out-of-order according to the Voronoi division_iThe corresponding index number in the array is taken as its id. For any Voronoi region v_iUsing a doubletIs represented by (x)_i,y_i) Is the region v_iCorresponding seed node p_iA coordinate of (a)_ijIs the region v_i(ii) adjacent Voronoi region id, (t)₁) The number of Voronoi regions adjacent to the Voronoi region.

③ add false data to avoid an attacker distinguishing a Voronoi region by the number of adjacent Voronoi regions to the query region, by counting the number of groupsThe false adjacent Voronoi area id added in keeps the number of the adjacent areas as a constant value t₁Where the false ids added are all arraysThere are real index numbers, but none of them are the adjacent id of the corresponding area and are different from each other. These false ids can be pruned during subsequent queries.

④ data compression to fully utilize Paillier's plaintext space, Paillier usually has 1024 bit plaintext space, log groupRegion v of storage_iThe corresponding coordinates and the id of the neighboring area are compressed using the following formula:

where λ is the number of compressed data, σ is the bit length of the data compression, and σ is greater than the bit length of the data itself in order to add random number perturbation to the compressed id in the subsequent protocol, test uses 78. Through the calculation, a plurality of numbers can be expressed as one number, one-time encryption is carried out, the plaintext space of Paillier is fully utilized, and the encryption times are reduced.

⑤ pairs of arraysAnd encrypting by using pk to obtain the SVD. That is, the encrypted Voronoi divided SVD is obtained as shown in fig. 2(b), fig. 2(a) is a diagram visually understood, and fig. 2(b) is a data structure stored at the time of implementation.

Each item stores the encrypted binary group corresponding to the Voronoi areaTime of test t₁＝13。

(2) Generating a security mesh partition SG as shown in fig. 5:

①, the grid division is performed on the basis of the above-mentioned Voronoi division, and the division result is shown in fig. 2 (c). the grid division divides Voronoi into m grids, the side length of each grid is represented by a vector w, and m is 16 at the time of test, the grid division can be stored as a matrixThe index numbers of the matrix rows and columns correspond to the coordinates of the grid in two dimensions, respectively. Each mesh stores the id of the Voronoi region it covers, i.e., the id of the Voronoi region it intersects, expressed asWherein o is_ijIs the region g_iId of intersecting Voronoi regions, (t)₂) The number of Voronoi regions intersected for that region.

② add false data to avoid an attacker distinguishing the grid by the number of Voronoi regions where the queried grid intersects, we do so by looking at the matrixThe false adjacent Voronoi area id added in keeps the number of id stored in each grid as a constant value t₂Where the false ids added are all arraysThe true index number in (1), but none of themAnd the id of the area intersecting the grid is different. These false ids can be pruned during subsequent queries.

④ are encrypted by public key pk to obtain SG pair matrixThe sum vector w is encrypted by pk to obtain SG and E_pk(w) is carried out. That is, obtaining the encryption grid SG is shown in fig. 2(d), fig. 2(c) is a diagram for intuitive understanding, and fig. 2(d) is a data structure stored upon implementation. Each encrypted grid content is represented asTime of test t₂＝38。

secure division protocol SD: at server C1 end, give twoThe range encrypted integers a, b, C1, and C2 obtain the encrypted quotient at the server C1 by two-party computing a truncated division of the encryption of the two encrypted data. When the protocol is executed, the encrypted data and the merchant are owned only by the server C1, and the server C2 owns only the key sk.

The principle of the protocol is shown in equation (5) for any

(ar₁+br₁r₂+r₃)/(br₁)＝a/b+r₂(2)

The specific steps of the secure division protocol SD are as follows, as shown in fig. 6:

λ′_a＝D_sk(E_pk(ar₁+br₁r₂+r3))＝ar₁+br₁r₂+r3 (5)

λ′_b＝D_sk(E_pk(br₁))＝br₁(6)

E_pk(a/b)＝E_pk(λ′_a/λ′_b)*E_pk(r₂)^N-1(7)

Wherein E is_pk(r₂)^N-1＝E_pk(-r₂) R is encrypted by the ciphertext operation₂And (4) subtracting.

The contents of the secure division protocol SD are shown in algorithm 1.

Safe minimum protocol SMIN: at server C1 end, t pieces are givenThe encrypted integers in the range and an encrypted range value C, C1 and C2 calculate the minimum value of t encrypted integers which are larger than the range value C in an encrypted way through safe two-party calculation, an encrypted sequence which corresponds to the t encrypted integers in a one-to-one mode and takes t as the length is generated according to the minimum value, the minimum value corresponds to an encrypted 1, the rest is an encrypted 0, and the encrypted sequence is obtained at the end of a server C1. When the protocol is executed, the encrypted data and the minimum sequence are owned only by the server C1, and the server C2 owns only the key sk.

x′_i＝x_i*r_max+r_i(8)

The specific steps of the secure minimum protocol SMIN are as follows, as shown in fig. 7:

① Server C1 generates random numbers that Server C1 owns the encrypted data E_pk(x₁),…,E_pk(x_t) And encrypted range values E_pk(c) The server C2 possesses a private key sk. First, the server C1 generates t +1 random numbers r₁,…,r_t+1Is satisfied withThen, the maximum value of the t +1 random numbers is selected and recorded as r_maxAnd the rest random numbers are recorded as r₁,…,r_t}。

E_pk(x_i-c)＝E_pk(x_i)*E_pk(c)^N-1(9)

③ Server C1 adds a random number to each encrypted difference value, server C1 adds a random number to each encrypted difference value E_pk(x_i-c) calculating according to equation (8) to obtain the encrypted perturbation value E after adding random number thereto_pk(θ_i) The specific calculation formula is as follows:

E_pk(θ′)＝π(E_pk(θ)) (11)

⑦ Server C2 generates a t-long sequence Δ', Δ_min' is 1, and the remainder is 0. Will orderAll elements in column Δ' are encrypted to obtain E_pk(Δ') to the server C1.

E_pk(Δ)＝π^-1(E_pk(Δ′)) (12)

The contents of the secure minimum protocol SMIN are shown in algorithm 2.

Secure grid computing protocol SGC: at the server C1, the encrypted grid SG, the side length E of the encrypted grid cell are specified_pk(w) and encrypted query request E_pk(Q), C2 possesses private key sk, C1 and C2 to compute the grid cell where the query is located by secure two-party computation encryption and fetch the contents stored in the grid cell. During the calculation, the coordinates of the encrypted grid cells and the encrypted content stored in the grid cells are only obtained at the server C1 sideC2 does not get any valid information about these contents.

The specific steps of the security mesh computing protocol SGC are as follows, as shown in fig. 8:

E_pk(x_i)＝SD(E_pk(Q_i),E_pk(w_i)) (13)

E_pk(α_i)＝E_pk(x₁-i),E_pk(β_i)＝E_pk(x₂-i) (14)

③ the server C1 multiplies the two encrypted one-dimensional vectors by random numbers respectively to obtain the disturbed result, the server C1 multiplies the E by the random numbers respectively_pk(α_i) And E_pk(β_i) Respectively encrypted and multiplied by a random number r to obtain a disturbed E_pk(α_i) And E_pk(β i), denoted E_pk(α′_i) And E_pk(β′_i) Therein is in addition toThe coordinate corresponding to the grid where the query is located is E_pk(0) And the rest are random numbers. It is noted that the random numbers multiplied by each number are all different and we have for the convenience of description denoted by r, and the protocol described hereinafter follows this. The specific formula is as follows:

E_pk(α′_i)＝E_pk(α_i)^r,E_pk(β′_i)＝E_pk(β_i)^r(15)

⑧ Server C1 calculates the dot product μ · SG · χ of the vectors using the additive homomorphic property of the secure multiplication protocol SM and Paillier, equivalently, for each grid g_ijCryptographic calculation E_pk(g_ij*μ_i*χ_j) And then, all the calculation results are added in an encryption mode to obtain the encrypted value of the grid cell g where the query is located. Since Paillier is a probabilistic cipher, E is obtained by this calculation_pk(g) Cannot match the ciphertext in the trellisThe rows correspond. The specific formula is as follows:

The content of the security mesh calculation protocol SGC is shown in algorithm 3:

The specific steps of the secure Voronoi region computation protocol SVCC are as follows, as shown in fig. 9:

② Server C1 will encrypt the compressed random number E_pk(r₁|…|r_λ) And encrypted Voronoi region id E_pk(a₁|…|a_λ) Adding homomorphic properties by Paillier addition to obtain E_pk(a′₁|…|a′_λ) Is equivalent to a_iAnd r_iAdding and compressing the encryption. The specific calculation formula is as follows:

③ Server C1 will E_pk(a′₁|…|a′_λ) To the server C2.

⑤ Server C2 obtains a two-dimensional array by calculation that Server C2 calculates each C_i＝a′_iThe value of mod n, for each c_iGenerating an n-long sequence α_iWhereinIs 1, and the rest are 0, wherein n is the number of Voronoi regions. C2 ends are co-generated into lambda sequences to obtain lambdaA two-dimensional array α of size n.

The server C1 groups G for each packet_iRespectively calculating the encrypted values E of the Voronoi region seed nodes corresponding to the seed nodes_pk(v_i) Andencryption id E of the adjacent area of the Voronoi area_pk(a_i). The specific calculation formula is as follows:

wherein c is a group G_iThe number of the elements in (B).

In the process, the server C1 can obtain the encrypted data and the encrypted result, but the C1 does not have the private key sk, can not decrypt the data and the result content, and does not obtain the data and the result content; the sequence calculated by the server C2 through the decryption operation is a disorderly sequence, and the sorting function C2 does not see C2, so that even if C2 cannot correspond to a real sequence, the index number corresponding to the required Voronoi region cannot be obtained; meanwhile, since Paillier is probabilistic encryption, C1 cannot compute E_pk(v_i) And E_pk(a_i) And the access mode privacy is protected by corresponding to the ciphertext in the SVD.

The specific contents of the secure Voronoi region computation protocol SVCC are shown in algorithm 4:

for plain textFor ciphertext E_pk(m₁) And E_pk(m₂) Making a groupInside ofMultiplication operation is equivalent to the pair m₁And m₂Performing an addition operation and then encrypting, wherein E_pk(. represents an encryption operation, D)_sk(. cndot.) represents a decryption operation, and the formula is as follows:

D_sk(E_pk(m₁)E_pk(m₂)mod N²)＝m₁+m₂mod N (21)

and 4, designing a secure kNN query protocol (SkNN) based on the secure subprotocol to complete secure kNN query of the ciphertext. The protocol inputs an encrypted query request E at the server C1 side_pk(Q), k and encrypted Security index structures SVD, SG, and E_pk(w) finding the distance E on the index structure by secure two-way computation of C1 and C2_pk(Q) the nearest k encrypted points, which are kNN results, where k is 3 at test. The main idea of the protocol for kNN query is as follows: c1 and C2 first compute query request E through secure grid computing protocol SGC_pk(Q) the grid on which the grid is located, thereby obtaining encrypted index numbers for the Voronoi regions covered by the grid; according to the index number, calculating values of the region seed nodes and the id of the adjacent region from the SVD; computing a query point E using a secure Euclidean distance computation protocol SSED_pk(Q) toCalculating the minimum value by using a safe minimum value protocol SMIN (Small Internet protocol) after the Euclidean square distance of the seed nodes; adding the minimum value obtained by calculation into the kNN result to obtain an NN object; reading the values of the neighboring regions and calculating 2 NN; calculating 3NN from neighbor regions of the NN object and the 2NN object; and the like in turn until a kNN result is obtained.

Server C1 has an encrypted index structure and encrypted query request E_pk(Q), Server C2 possesses the key. Firstly, the grid G where the query Q is located is found through collaborative calculation_iThen according to G_iAnd (4) finding a corresponding Voronoi area by the encrypted Voronoi area id stored in the database, carrying out encryption calculation to obtain the Voronoi area where the query Q is located, and obtaining a result that the seed node of the Voronoi area is the nearest neighbor node, namely k is 1. Then, the adjacent units of the unit are added into the candidate set, and the result of k being 2 is obtained from the candidate set through encryption calculation, and the process is circulated until k results are obtained.

The specific steps of the secure kNN query protocol SkNN are as follows, as shown in fig. 10:

① Server C1 initializes three tuples-Server C1 owns the encrypted query request E_pk(Q), k and encrypted Security index structures SVD, SG, and E_pk(w), the server C2 possesses the private key sk. First, the server C1 initializes three arraysAnd respectively representing a seed node set, a subsequent Voronoi area id set and a candidate distance set of the candidate Voronoi areas.Storing the value of the encryption seed node read currently, facilitating the subsequent reading of the current minimum result, and adding the result set E_pk(R) in (A);storing the encrypted ids of adjacent areas of the first (k-1) Voronoi areas for calculating kNN;storing the encrypted Euclidean distance of the current object to be compared. While C1 initializes the current minimum distance E_pk(d_temp) The value is the current minimum distance E_pk(0)。

⑦ Server C1 Add E_pk(v) To result set E_pk(R) in (A).

⑧ Server C1 emptying candidate setAnd

⑨ servers C1 and C2 repeat steps ② through ⑦ until atThe C1 end obtains k nearest neighbor results, namely a result set E_pkThe size of (R) is k.

And (3) safety analysis:

The specific content of the secure kNN query protocol SkNN is shown in algorithm 5:

and 5, returning a query result to the User: server C1 has encrypted query result E_pk(R), the server C2 has the key sk, the server C1 generates two random numbers for k query results respectively, the two random numbers are compressed and encrypted, the results are disturbed by using the compressed and encrypted random numbers to obtain ciphertext calculation results, the server C1 sends the ciphertext calculation results to the server C2, and the k pair random numbers are sent to the User; the server C2 decrypts the disturbed result to obtain a decrypted result and k groups of disturbed coordinate values; c2 sending the k groups of disturbed coordinate values to a User; the User receives k groups of random numbers from the server C1, receives k groups of disturbed coordinate values from the server C2, and subtracts the disturbed random numbers from each disturbed coordinate value to obtain a final query result. Here, the computation at the user side does not involve encryption and decryption and ciphertext computation operations, and does not cause heavy time cost.

The specific steps of returning the query result are as follows, as shown in fig. 11:

E_pk(R′_i)＝E_pk(R_i+r_i1|r_i2)＝E_pk(R_i)*E_pk(r_i1|r_i2) (24)

④ Server C2 received E_pk(R′_i) Then, E is mixed_pk(R′_i) Decrypted to obtain R'_i(ii) a R 'is prepared according to formula (4)'_iDecompressing to obtain the coordinate value (x ') of the disturbance of the result point'_i,y_i′)。

x_i＝x′_i-r_i1,y_i＝y′_i-r_i2(25)

The protocol content of the returned query result is shown in algorithm 6:

and (4) conclusion:

the scheme can protect query privacy, data privacy, result privacy and data access mode privacy in the aspect of safety; the time complexity of encryption and exponentiation in query efficiency is O (n + m), where n is the number of data points, i.e., the number of Voronoi regions, m is the number of divided grids, and when there are many data points, i.e., n is large, m is much smaller than n. Meanwhile, the client is usually a mobile terminal with lower processing capacity and does not participate in query calculation; in effectiveness, the method returns correct and accurate query results. Here, inquiring privacy refers to that the server cannot obtain the location information submitted by the user when inquiring, that is, the location privacy information of the user is protected; the data privacy refers to that the server cannot obtain other information related to the data except the size of the data set, and the user cannot obtain other information related to the data set except the query result; the result privacy refers to that the query result of the user cannot be revealed to the server and the data owner; the data access mode privacy refers to that the server cannot obtain any effective information about the data access mode through intermediate results generated by query calculation, the data access mode refers to data related to a query point, and the solution is mainly ensured through probability encryption data or random numbers of the intermediate results.

Claims

1. A safe kNN query method based on LBS is characterized by comprising the following steps:

step 2, the User uses the public key pk to encrypt the inquiry Q of the User to generate an encrypted inquiry request E_pk(Q) and sends the query request to server C1, where the vector Q ═ x, y is intended for the userCoordinates of the query are encrypted to obtain a query request E_pk(Q)＝{E_pk(x),E_pk(y)}；

Step 3, the server C1 obtains the encrypted index structure and the encrypted query request E_pkAfter (Q), defining safe two-party calculation;

wherein, safe two side calculation includes: a secure division protocol SD, a secure minimum value protocol SMIN, a secure grid computing SGC and a secure Voronoi area computing protocol SVCC; the addition homomorphic operation adopts a Paillier addition encryption scheme, and the multiplication homomorphic operation adopts a Paillier multiplication encryption scheme;

step 4, designing a safe kNN query protocol SkNN based on safe two-party calculation; the protocol inputs an encrypted query request E at the server C1 side_pk(Q) and encrypted index Structure and E_pk(w) finding the distance E on the cryptographic index structure by secure two-way computation of C1 and C2_pk(Q) nearest k encrypted points, namely, the k encrypted points are the kNN query result E_pk(R) obtained at the C1 end;

and 5, returning a query result to the User: server C1 has encrypted query result E_pk(R), the server C2 has the key sk, the server C1 generates two random numbers for k query results respectively, the two random numbers are compressed and encrypted, the results are disturbed by using the compressed and encrypted random numbers to obtain ciphertext calculation results, the server C1 sends the ciphertext calculation results to the server C2, and the k pair random numbers are sent to the User; the server C2 decrypts the disturbed result to obtain a decrypted result and k groups of disturbed coordinate values; c2 sending the k groups of disturbed coordinate values to a User; the User receives k groups of random numbers from the server C1, receives k groups of disturbed coordinate values from the server C2, and subtracts the disturbed random numbers from each disturbed coordinate value to obtain a final query result.

2. The LBS-based secure kNN query method according to claim 1, wherein the encryption index structure comprises: secure Voronoi diagram SVD and secure mesh partitioning SG:

(1) generating a secure Voronoi diagram SVD:

① Voronoi diagram partitioning into DO-owned dataset D ═ p₁,…,p_nWhere the data point p_iVoronoi diagram partitioning of the data set D into n convex polygons, called Voronoi regions, each Voronoi region v, is performed { x, y }, the plane on which D lies_iWith and only one data point p_iCalled corresponding Voronoi region v_iThe seed node of (1) divides the edges of two Voronoi regions, is a vertical bisector of the seed nodes of the two Voronoi regions, and is used for one Voronoi region v_iThe nearest neighbor of the point q falling in the area is the seed node p of the area_iFrom the nature of the Voronoi diagram, the kNN object for query point q exists among the seed nodes of the neighboring Voronoi cells of the previously computed (k-1) NN;

② storing all Voronoi regions in the Voronoi diagram in an array in random out-of-order according to the Voronoi divisionWill be the region v_iThe corresponding index number in the array as its id, v for any Voronoi region_iUsing a doubletIs represented by (x)_i,y_i) Is the region v_iCorresponding seed node p_iA coordinate of (a)_ijIs the region v_i(ii) adjacent Voronoi region id, (t)₁) The number of adjacent Voronoi regions for the Voronoi region;

③ false data is added by groupingThe false adjacent Voronoi area id added in keeps the number of the adjacent areas as a constant value t₁Where the false ids added are all arraysThe actual index numbers exist in the region, but the index numbers are not adjacent id of the corresponding region and are different from each other;

④ data compression log arrayRegion v of storage_iThe corresponding coordinates and the id of the neighboring area are compressed using the following formula:

wherein, λ is the number of compressed data, σ is the bit length of data compression, and σ is greater than the bit length of data itself;

⑤ pairs of arraysEncrypting by using pk to obtain SVD, namely obtaining encrypted Voronoi division SVD, wherein each item stores the encrypted binary group corresponding to the Voronoi area

(2) Generating a safety grid division SG:

① meshing on the basis of the Voronoi division, which divides Voronoi into m meshes, the side length of each mesh being represented by a vector w, the meshing being storable as a matrixThe index numbers of the matrix rows and columns respectively correspond to the coordinates of the grid in two dimensions, and each grid stores the id of the Voronoi region covered by the grid, namely the id of the Voronoi region intersected by the grid, which is expressed asWherein o is_ijIs the region g_iId of intersecting Voronoi regions, (t)₂) The number of intersecting Voronoi regions for the region;

② false data is added by adding false data in the matrixThe false adjacent Voronoi area id added in keeps the number of id stored in each grid as a constant value t₂Where the false ids added are all arraysThe true index number exists in (1), but none of them are ids of the intersection area with the grid and are different from each other;

③ data compression, namely, the content stored in each grid is compressed by using the formula (1) as well;

④ are encrypted by public key pk to get SGThe sum vector w is encrypted by pk to obtain SG and E_pk(w) each encrypted lattice content is represented as

3. The LBS-based secure kNN query method according to claim 1, wherein said generating the key pair (pk, sk) uses a Paillier encryption scheme, wherein a public key pk is used for encrypting data and a private key sk is used for decrypting data.

4. The LBS-based secure kNN query method according to claim 1, wherein the secure division protocol SD: at server C1 end, give twoThe range of encrypted integers a, b, the servers C1 and C2 obtain the encrypted quotient at the server C1 by calculating, at both parties, a truncated division of the encryption of the two encrypted data, the protocol being executed,the encrypted data and the merchant are owned only by the server C1, the server C2 owns the key sk only;

the principle of the protocol is shown in equation (2) for any

(ar₁+br₁r₂+r3)/(br₁)＝a/b+r₂(2)

Wherein,and r is₃<r₁K is the bit size of the Paillier encryption scheme key, l_dataThe bit length of the data a, b;

the specific steps of the secure division protocol are as follows:

① Server C1 generates random numbers that Server C1 owns the encrypted data E_pk(a),E_pk(b) The server C2 has the private key sk, and the server C1 generates the key satisfyingAnd r is₃<r₁Random number r of₁,r₂,r₃；

② encrypts the random number with the public key pk and sends it to the server C2. the server C1 calculates E using the generated random number and the public key pk_pk(ar₁+br₁r₂+ r3) and E_pk(br₁) And sends them to the server C2, the specific calculation formula is as follows:

③ Server C2 decrypts with private key sk that Server C2 received E sent by C1_pk(ar₁+br₁r₂+ r3) and E_pk(br₁) Then, they are decrypted by the private key sk to obtain λ'_aAnd λ'_bThe formula for decryption is as follows:

λ′_a＝D_sk(E_pk(ar₁+br₁r₂+r3))＝ar₁+br₁r₂+r3 (5)

λ′_b＝D_sk(E_pk(br₁))＝br₁(6)

④ Server C2 decrypts the decrypted result λ'_aAnd λ'_bThe two numbers are divided, and the calculated quotient is encrypted by using a public key and then sent to C1: server C2 calculates λ'_a/λ′_b(mod n) and encrypt it, mod representing the modulo operation, resulting in E_pk(λ′_a/λ′_b) To server C1;

⑤ the server C1 calculates the encryption result of the secure division protocol that the server C1 receives E_pk(λ′_a/λ′_b) Then, the encrypted E is calculated using the formula (7)_pk(a/b)：

E_pk(a/b)＝E_pk(λ′_a/λ′_b)*E_pk(r₂)^N-1(7)

Wherein E is_pk(r₂)^N-1＝E_pk(-r₂) R is encrypted by the ciphertext operation₂Minus, N is the product of two large primes in the paillier public key pk.

5. The LBS-based secure kNN query method according to claim 1, wherein the secure minimum protocol SMIN: at server C1 end, t pieces are givenThe encrypted integers within the range and an encrypted range value C, C1 and C2 cryptographically calculating a minimum value of t encrypted integers greater than the range value C by secure two-party computation, generating one from the minimum value, and the t encrypted integersThe encryption integers correspond to an encryption sequence with the length of t, the minimum value corresponds to an encrypted 1, the rest is an encrypted 0, the encryption sequence is obtained at the end of the server C1, when the protocol is executed, the encrypted data and the minimum value sequence are only owned by the server C1, and the server C2 only owns the key sk;

x′_i＝x_i*r_max+r_i(8)

wherein r is_i<2^K-l-1Each r_iAll are different, r_maxIs r_iWhen r is the maximum value of_iWhen the size is large enough, t unequal random integers can be obtained through the formula (8)And x'_iAnd x_iKeeping the same partial order relation;

the safety minimum protocol SMIN comprises the following specific steps:

① Server C1 generates random numbers that Server C1 owns the encrypted data E_pk(x₁),…,E_pk(x_t) And an encrypted range value E_pk(c) The server C2 has a private key sk, and first the server C1 generates t +1 random numbers { r }₁,…,r_t+1Is satisfied withThen, the maximum value of the t +1 random numbers is selected and recorded as r_maxAnd the rest random numbers are recorded as r₁,…,r_t}；

② the server C1 calculates each encrypted data to obtain the difference E between each encrypted integer and the value of the encryption range_pk(x_i-c); the specific calculation formula is as follows:

E_pk(x_i-c)＝E_pk(x_i)*E_pk(c)^N-1(9)

③ Server C1 adds a random number to each encrypted difference value, server C1 adds a random number to each encrypted difference value E_pk(x_i-c) calculating according to equation (8) to obtain the encrypted perturbation value E after adding the random number thereto_pk(θ_i) The specific calculation formula is as follows:

④, the server C1 sends the t values to the server C2 after disordering the sequence, and the calculation formula is as follows:

E_pk(θ′)＝π(E_pk(θ)) (11)

⑤ Server C2 decrypts that Server C2 received E_pk(θ′_i) These values are then decrypted to obtain θ'_i；

⑥ Server C2 calculates θ'_iAnd marking the corresponding i of the minimum value in the sequence theta' as min;

⑦ Server C2 generates a t-long sequence Δ', Δ_min'is 1, the remainder is 0, all elements in the sequence Δ' are encrypted to give E_pk(Δ') to the server C1;

⑧ the server C1 uses the inverse function to obtain the safety minimum value protocol encryption result, the server C1 obtains the sequence E_pk(Δ') after the sequence E is obtained using the inverse function of equation (11), i.e., equation (12)_pk(Δ), the specific calculation formula is as follows:

E_pk(Δ)＝π^-1(E_pk(Δ′)) (12)

wherein E is_pk(Delta) is the sequence E_pk(Δ') the sequential and encrypted data E is obtained using equation (12)_pk(x₁),…,E_pk(x_t) A corresponding encrypted minimum mapped 01 sequence.

6. The LBS-based secure kNN query method according to claim 1, wherein said secure grid computing protocol SGC: at the server C1 sideGiven an encrypted grid SG, the side length E of an encrypted grid cell_pk(w) and encrypted query request E_pk(Q), C2 possesses private key sk, C1 and C2, calculates the grid cell where the query is located and fetches the content stored in the grid cell by secure two-party calculation, in the calculation process, the coordinates of the encrypted grid cell and the encrypted content stored in the grid cell are only obtained at the C1 end of the server, C2 does not obtain any effective information about these contents,

① Server C1 calculates the encrypted coordinates of the grid on which query Q resides, server C1 has encrypted grid SG, the side length E of the encrypted grid cell_pk(w) and encrypted query request E_pk(Q), the server C2 possesses the private key sk, firstly, the server C1 calculates the coordinate of the encryption query divided by the side length of the grid unit in each dimension by using the secure division SD protocol on each dimension, namely on the x axis and the y axis, respectively, and calculates the encryption coordinate E of the grid g where the query Q is located in the dimension_pk(x_i) Because of the query based on the location service, the point vectors are all two-dimensional vectors, and the specific calculation formula is as follows:

E_pk(x_i)＝SD(E_pk(Q_i),E_pk(w_i)) (13)

② Server C1 calculates grid g in each dimension separately in two dimensions_iAnd the encrypted difference of the coordinates of the grid g where the query point is located, and two encrypted one-dimensional vectors E are obtained_pk(α),E_pk(β), assume that there is n in each dimension_iGrid cells, the coordinates corresponding to the grid cells are 0 to n respectively_i-1, the specific calculation formula is as follows:

E_pk(α_i)＝E_pk(x₁-i),E_pk(β_i)＝E_pk(x₂-i) (14)

③ the server C1 multiplies the two encrypted one-dimensional vectors by random numbers respectively to obtain the disturbed result, the server C1 multiplies the E by the random numbers respectively_pk(α_i) And E_pk(β_i) Respectively encrypted by a randomNumber r, get perturbed E_pk(α_i) And E_pk(β_i) Is shown as E_pk(α′_i) And E_pk(β′_i) Wherein the coordinates corresponding to the grids except the query are E_pk(0) And the rest are random numbers, and the specific formula is as follows:

E_pk(α′_i)＝E_pk(α_i)^r,E_pk(β′_i)＝E_pk(β_i)^r(15)

④ Server C1 general equation (11) for E_pk(α') and E_pk(β') sending to server C2 after disorder;

⑤ Server C2 decrypts and processes that Server C2 receives E_pk(α′_i) And E_pk(β′_i) Then it is decrypted using the private key sk and corresponding mu is generated_iHexix-_iWherein, if α'_iWhen it is equal to 0, then μ_iIs 1 if β'_iWhen the ratio is 0, then x_i1, and the rest are 0;

⑥ the server C2 uses the public key pk to encrypt the decrypted and processed result and sends the result to the server C1. the server C2 uses the public key pk to encrypt the mu_iHexix-_iIs encrypted to obtain E_pk(μ_i) And E_pk(χ_i) And sent to the server C1;

⑦ Server C1 received E_pk(. mu.) and E_pk(χ) then, the vectors are restored to order using equation (12);

⑧ Server C1 calculates the dot product μ · SG · χ of the vectors using the additive homomorphic property of the secure multiplication protocol SM and Paillier, equivalently, for each grid g_ijCryptographic calculation E_pk(g_ij*μ_i*χ_j) And then, adding all the calculation results in an encryption manner to obtain an encrypted value of the grid cell g where the query is located, wherein the specific formula is as follows:

wherein the paddleThe number m of the divided grids is n₁*n₂，n₁Number of grids on x-axis, n₂Is the number of grids on the y-axis.

7. The LBS-based secure kNN query method according to claim 1, wherein said secure Voronoi region computation protocol SVCC: on the server C1 side, an encrypted Voronoi data structure SVD, an encrypted Voronoi region id E are given_pk(a₁|…|a_λ) And λ, where λ is the number of compressed ids; c2 has a private key sk, and C1 and C2 calculate the Voronoi region corresponding to the query by secure two-party calculation encryption and take out the value of the encrypted seed node of the region and the encrypted id of its adjacent region, during the calculation, the encrypted Voronoi region id and the value of the region are only obtained at the end of the server C1, and C2 cannot obtain any valid information about the contents;

① Server C1 generates random numbers, compresses and encrypts the random numbers, server C1 has an encrypted Voronoi region SVD, and an encrypted Voronoi region id E_pk(a₁|…|a_λ) And the number of compression ids λ, the server C2 possesses the private key sk, first the server C1 generates λ random numbers r, and compresses and passes E these random numbers using equation (1)_pk(. o) encrypting to obtain E_pk(r₁|…|r_λ)；

② Server C1 will encrypt the compressed random number E_pk(r₁|…|r_λ) And encrypted Voronoi region id E_pk(a₁|…|a_λ) Adding homomorphic properties by Paillier addition to obtain E_pk(a′₁|…|a′_λ) Is equivalent to a_iAnd r_iAdding and then compressing and encrypting, wherein the specific calculation formula is as follows:

③ Server C1 will E_pk(a′₁|…|a′_λ) To server C2;

④ Server C2 received E_pk(a′₁|…|a′_λ) Then, the private key sk is used for decryption, and then decompression is carried out according to a formula (1) to obtain lambda numerical values a'₁,…,a′_λ；

⑤ Server C2 obtains a two-dimensional array by calculation that Server C2 calculates each C_i＝a′_iThe value of mod n, for each c_iGenerating an n-long sequence α_iWherein1, and 0 for the rest, wherein n is the number of Voronoi regions, and the ends of C2 are co-generated into lambda sequences to obtain a two-dimensional array α with the size of lambda x n;

⑥ Server C2 uses public Key pk Pair α_ijEncrypted to obtain E_pk(α_ij) Two-dimensional array E to be encrypted_pk(α) to server C1;

⑦ Server C1 received E_pk(α) generating an n-long sequence β, storing the selection values corresponding to the Voronoi regions with real index numbers from 0 to n-1, and encrypting the Voronoi region id E by calculation_pk(a₁|…|a_λ) Containing id at E_pk(β) corresponds to E_pk(1) The rest corresponds to E_pk(0) The specific calculation formula is as follows:

⑧ Server C1 uses equation (11) as E_pk(β) sending the data to the server C2 after disorder;

⑨ Server C2 received E_pk(β), decrypting to obtain β, dividing the β sequence index number into lambda packets G, each packet G_iβ with and only one element corresponding_i＝1；

⑩ Server C2 groups each G_iSending all the groups G to the server C1;

after the server C1 receives the group G, it uses the formula (12) to restore the unordered index number in G to the index number in the corresponding order, and E_pk(β) restoring the sequence;

the server C1 groups G for each packet_iRespectively calculating the encrypted values E of the Voronoi region seed nodes corresponding to the seed nodes_pk(v_i) And an encryption id E of an area adjacent to the Voronoi area_pk(a_i) The specific calculation formula is as follows:

wherein c is a group G_iThe number of the elements in (B).

8. The LBS-based secure kNN query method according to claim 1, wherein said addition homomorphic operation employs a Paillier addition encryption scheme:

for plain textFor ciphertext E_pk(m₁) And E_pk(m₂) Making a groupMultiplication operations within are equivalent to the pair m₁And m₂Performing an addition operation and then encrypting, wherein E_pk(. represents an encryption operation, D)_sk(. represents decryption)In operation, the formula is as follows:

D_sk(E_pk(m₁)E_pk(m₂)mod N²)＝m₁+m₂mod N (21)

9. The LBS-based secure kNN query method according to claim 1, wherein the secure kNN query protocol SkNN includes the following specific steps:

① Server C1 initializes three tuples-Server C1 owns the encrypted query request E_pk(Q) and encrypted Security index structures SVD, SG, and E_pk(w), Server C2 has private key sk, first, Server C1 initializes three arrays A set of seed nodes, a set of subsequent Voronoi region ids, and a set of candidate distances representing candidate Voronoi regions, respectively,storing the value of the current read-out encryption seed node, facilitating the subsequent reading of the current minimum result, and adding the result set E_pk(R) in (A);storing the encrypted ids of adjacent areas of the first (k-1) Voronoi areas for calculating kNN;storing the encrypted Euclidean distance of the current object to be compared, and C1 initializing the current minimum distance E_pk(d_temp) The value is the current minimum distance E_pk(0)；

② servers C1 and C2 compute query request E using secure grid computing protocol SGC_pk(Q) the grid on which it is located, thus obtaining the encrypted index E of the Voronoi region covered by the grid_pk(a)；

③ servers C1 and C2 calculate E using the secure Voronoi region computation protocol SVCC_pk(a) Value E of the corresponding seed node_pk(v_i) And id E of neighboring area_pk(a_i) Adding these values to the respectiveAndperforming the following steps;

④ servers C1 and C2 use secure Euclidean distance computation protocol SSED to compute encrypted query E one by one_pk(Q) and the seed node E calculated in step ③_pk(v_i) Squared Euclidean distance E of_pk(d_i) After which these values are added toPerforming the following steps;

⑥ will beAndviewed as a one-dimensional vector, server C1 cryptographically computes the dot product Andwherein_encRepresenting the encryption dot product calculation, i.e., the value E of the encrypted seed node corresponding to the minimum value found in step ⑤_pk(v) Encrypting id E of adjacent Voronoi areas_pk(a) And the encrypted Euclidean distance E_pk(d_temp) By this step, update E_pk(a) And E_pk(d_temp) A value of (d);

⑦ Server C1 Add E_pk(v) To result set E_pk(R) in (A);

⑧ Server C1 emptying candidate setAnd

10. The LBS-based secure kNN query method according to claim 1, wherein the specific steps of returning the query result are as follows:

① Server C1 generates k pairs of random numbers, encrypts and compresses that Server C1 possesses encrypted query result E_pk(R), the server C2 has the key sk, and first the server C1 generates k pairs of random numbers (R)_i1,r_i2) And compressing and encrypting the two by using a Paillier encryption scheme of formula (1) to obtain E_pk(r_i1|r_i2)；

E_pk(R_i′)＝E_pk(R_i+r_i1|r_i2)＝E_pk(R_i)*E_pk(r_i1|r_i2) (24)

③ Server C1 will disturb the result E_pk(R′_i) Sends it to the server C2, and pairs k to random numbers (r)_i1,r_i2) Sending the data to a User;

④ Server C2 received E_pk(R′_i) Then, E is mixed_pk(R′_i) Decrypted to obtain R'_i(ii) a R 'is prepared according to formula (1)'_iDecompressing to obtain the coordinate value (x ') of the disturbance of the result point'_i,y_i′)；

⑤ Server C2 sets coordinate values (x ') of k sets of disturbances'_i,y_i') to send toA User;

⑥ User receives k sets of random numbers (r) from server C1_i1,r_i2) The k set coordinate value (x ') is received from the server C2'_i,y_i') to a host; and subtracting the disturbed random number corresponding to each coordinate to obtain a final query result, wherein a specific calculation formula is as follows:

x_i＝x′_i-r_i1,y_i＝y′_i-r_i2(25)

wherein (x)_i,y_i) Is the final query result.