This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2020.2990871, IEEE Transactions on Mobile Computing

Practical Privacy-Preserving Indoor Localization based on Secure Two-Party Computation

Raine Nieminen and Kimmo Järvinen

Abstract—We present a privacy-preserving indoor localization scheme based on received signal strength measurements, e.g., from WiFi access points. Our scheme preserves the privacy of both the client's location and the service provider's database by using secure two-party computation instantiated with known cryptographic primitives, namely, Paillier encryption and garbled circuits. We describe a number of optimizations that reduce the computation and communication overheads of the scheme and provide theoretical evaluations of these overheads. We also demonstrate the feasibility of the scheme by developing a proof-of-concept implementation for Android smartphones and commodity servers. This implementation allows us to validate the practical performance of our scheme and to show that it is feasible for practical use in certain types of indoor localization applications.

Index Terms—Indoor localization, location privacy, WiFi fingerprinting, secure multi-party computation, Paillier encryption, garbled
circuits, Android smartphones

• R. Nieminen is with Insta Digital Oy, Tampere, Finland, e-mail: [email protected]; while preparing the research work described in this paper, he was with the Department of Computer Science, University of Helsinki, Helsinki, Finland.
• K. Järvinen is with the Department of Computer Science, University of Helsinki, Helsinki, Finland, e-mail: [email protected].
Manuscript date: February 24, 2020.
1536-1233 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: UNIVERSITY OF BIRMINGHAM. Downloaded on July 25,2020 at 03:41:05 UTC from IEEE Xplore. Restrictions apply.

1 INTRODUCTION

With the rise of smartphones and other smart mobile devices, location data has become an important asset that is used in various Location-Based Services (LBSs) ranging from traditional navigation and map applications to social media and targeted advertising. An obvious prerequisite for any LBS is localization, the process of obtaining the physical location of a client (or, more precisely, of the client's device). In outdoor environments, localization is predominantly based on Global Navigation Satellite Systems (GNSSs) such as GPS or Galileo. However, GNSS satellite signals are very weak and are effectively blocked by physical obstacles, leading to poor localization service particularly in indoor environments but also in certain outdoor environments (e.g., dense woods or urban canyons). Hence, alternative localization techniques are required for providing LBSs in indoor environments.

Providing accurate indoor localization is important in order to facilitate useful LBSs such as indoor navigation, e.g., for shopping malls, airports, exhibition centers, hospitals, university campuses, etc. [1], [2], [3]. For instance, a navigation application for a shopping mall helps customers to find stores easily; retailers naturally benefit from this as well, and they may get further benefits through targeted location-based advertising. To answer the need for indoor localization, many indoor localization techniques have been proposed in the literature and also deployed in practice (see [4], [5] for surveys), based on WiFi [6], [7], [8], [9], [10], cellular [11], RFID [12], Bluetooth [13], or Zigbee [14] signals. Localization based on WiFi Received Signal Strength (RSS) fingerprinting is particularly tempting because (a) many indoor areas already have an extensive WiFi infrastructure installed, leading to a small deployment cost for the Service Provider (SP), and (b) localization can be implemented with regular smartphones without the need for additional hardware on the client side. In the future, precise localization both indoors and outdoors may be provided by RSS fingerprinting in very dense 5G networks [15]. In RSS fingerprinting, an SP records RSS values at multiple locations in the area covered by the localization service and stores them in a database on a server. When a client wants to perform localization, his/her device measures RSS values and sends them to the server, which computes the location by comparing them with the entries in the database and returns it to the client.

Location data is very privacy sensitive, and even little information about people's locations allows them to be identified [16]. In the shopping mall use case, location information reveals the stores, restaurants, etc., that a customer visits and, consequently, gives out sensitive details about the customer and allows very accurate profiling. Notice that even a single location query may reveal information that a customer is unwilling to share (e.g., a visit to a specific shop). WiFi fingerprinting is privacy-violating by nature because the actual localization is performed on the SP's server, which leaks the clients' locations to the SP. Customers would benefit from the deployment of Privacy-Preserving Indoor Localization (PPIL) that prevents the SP from obtaining the customers' locations, because this would remove their privacy concerns. The SP also has incentives to provide PPIL because it would significantly increase privacy-aware customers' interest in an indoor LBS and would help the SP to comply with privacy regulations (e.g., the EU GDPR). Hence, PPIL has the potential to benefit both parties, provided that it does not impose excessive computation or communication overheads on the system; these are particularly important factors for clients using mobile devices. The SP may additionally require that
the scheme can be extended with additional features such as (privacy-preserving) location-based targeted advertising and statistics about clients' movements.

Clients' location privacy could be fully protected by sending the database to the clients' devices and performing localization locally. This would also be essentially free in terms of computation and communication overheads. Unfortunately, performing localization on clients' devices is seldom an option in practice because it contradicts the SP's interests. The database is the SP's primary asset, as database collection is laborious and time-consuming. A secret database permits the SP to charge for the use of the localization service (either the owner of the premises or the clients) and, therefore, the SP has economic incentives to hide the database, which has often led to sacrificing clients' privacy. The database may also reveal sensitive details about the infrastructure, e.g., thick doors or walls, which should be kept secret, especially from criminals. Hence, PPIL should hide (a) the clients' locations from the SP and (b) the database from the clients. Finally, we emphasize that PPIL solves only a part of all location privacy problems because there can be other ways to track clients' movements, but they are out of the scope of this work.

A few attempts to develop a PPIL scheme for RSS fingerprinting fulfilling the above requirements are available in the literature. Li et al. [17] presented a PPIL scheme based on Paillier encryption [18], but severe weaknesses leading to full database recovery were recently found in their system in [19]. Konstantidis [20] used k-anonymity to hide a client's real location trace among k − 1 fake traces, but the protection is not very strong because the use of auxiliary information (e.g., a building map) may reveal the real trace. Zhang et al. [21] showed a PPIL based on Support Vector Machine (SVM) and Paillier encryption, but [22] showed that it suffers from similar weaknesses as [17]. Yang and Järvinen provide four proposals for PPIL in [19]. The most promising proposal appears to be a hybrid secure two-party computation protocol based on Paillier encryption and Garbled Circuits (GCs), but they provide only a high-level sketch of the scheme without detailed implementation considerations or results. In [23], Järvinen et al. propose a scheme based on secure multi-party computation where the client and server outsource most of the computation and communication to two semi-trusted servers. While their scheme achieves very good performance, the requirement for semi-trusted parties can be a problem in some cases because such trusted parties may not be available. To summarize, the literature still lacks a secure yet efficient two-party PPIL for RSS fingerprinting.

We provide the following contributions:

• We describe a PPIL scheme based on Yang and Järvinen's high-level proposal from [19]. Our scheme is based on standard cryptographic primitives: Paillier encryption, GC, and One-Time Pad (OTP).
• We present several optimizations to the scheme that considerably improve its performance by reducing both computation and communication overheads.
• We develop a Proof-of-Concept (PoC) implementation of the scheme for Android smartphones and commodity servers that allows us to evaluate the practical feasibility of the scheme.
• Our scheme is the first two-party PPIL scheme based on RSS fingerprinting that is both secure and feasible for deployment.

The rest of the paper is structured as follows. Sec. 2 surveys the relevant background on indoor localization, cryptographic primitives, and the threat model. We describe our PPIL scheme in Sec. 3. In Sec. 4, we present multiple optimization techniques that are required to make our scheme practical. In Sec. 5, we provide a theoretical evaluation of computation and communication overheads. We describe the details of a PoC implementation for Android smartphones and Linux servers in Sec. 6 and provide results from it in Sec. 7. Finally, we draw conclusions in Sec. 8.

2 PRELIMINARIES

This section covers the required background. We start by explaining RSS fingerprinting based indoor localization in Sec. 2.1. Cryptographic techniques are described in Sec. 2.2, 2.3, and 2.4. Finally, we describe our threat model in Sec. 2.5.

2.1 Indoor Localization

Indoor areas, such as airports and shopping malls, require a non-GNSS based localization technique. A common solution for indoor localization is a fingerprint-based localization scheme where an SP holds a database of RSS information pre-measured from predefined Access Points (APs) at certain locations [24], [25]. Our scheme does not rely on a specific type of AP, so the source of the RSS is not relevant at this point, but the APs can be, e.g., WiFi APs.

For simplicity, the localization process can be divided into two phases:

• Training phase. The SP constructs the database $D$. Firstly, the SP determines a set of APs used in the scheme and defines a (public) list
$T_1 = \{AP_j\}_{j=1}^{N}$
where $AP_j$ is a unique identifier of the $j$-th AP (e.g., the MAC address) and $N$ is the number of APs. Next, the SP specifies the locations where RSS values are going to be pre-measured and defines a (public or private) ordered list
$T_2 = \{\chi_i\}_{i=1}^{M}$
where $\chi_i$ is the location parameter at the $i$-th position (e.g., coordinates) and $M$ is the number of locations. Then the SP (or a contractor) visits each location of $T_2$, measures the RSS $v_{i,j}$ from all the APs defined in $T_1$, and constructs a database $D$ from the collected values and the lists $T_1, T_2$. An overview of the structure of $D$ is given in Tab. 1. $D$ is stored on a server $S$ deployed by the SP.
• Location retrieval phase. In this phase, a client $C$ requests its current location from the server $S$. Firstly, $C$ asks for the list $T_1$ from $S$, if $C$ does not already have it. Then, $C$ measures the RSS $f_j$ of all the APs in $T_1$ at its current location and sends these values to $S$. The server $S$ computes the distances between the received RSS values and the pre-measured RSS values in $D$

for each location in $T_2$ and obtains a list of distances $\{d_i\}_{i=1}^{M}$. We use the squared Euclidean distance $d_i = \sum_{j=1}^{N} (f_j - v_{i,j})^2$ and utilize the fact that the formula for $d_i$ can be expanded into three parts [26]:

$d_i = \sum_{j=1}^{N} f_j^2 + \sum_{j=1}^{N} (-2 f_j \cdot v_{i,j}) + \sum_{j=1}^{N} v_{i,j}^2 .$ (1)

We later refer to the three terms in (1) as $\delta_1$, $\delta_2$, and $\delta_3$, respectively. Finally, $S$ finds the indices of the $k$ smallest distances in the list. The method is known as $k$-Nearest Neighbor (kNN) [27]. The location of $C$ is computed as the centroid of the locations in $T_2$ corresponding to those indices.

TABLE 1
The structure of the database $D$ constructed during the Training phase of the fingerprint-based localization scheme.

  i   Location   AP_1      AP_2      ...   AP_N
  1   χ_1        v_{1,1}   v_{1,2}   ...   v_{1,N}
  2   χ_2        v_{2,1}   v_{2,2}   ...   v_{2,N}
  ⋮   ⋮          ⋮         ⋮         ⋱     ⋮
  M   χ_M        v_{M,1}   v_{M,2}   ...   v_{M,N}

2.2 Paillier Encryption Scheme

The Paillier encryption scheme [18] is an additively homomorphic probabilistic public-key cryptosystem proposed by P. Paillier in 1999. In the following, we describe the cryptosystem and review certain properties of the scheme. Further details and optimizations are found in [18] and [28].

• Key Generation. Let $p$ and $q$ be two randomly selected large prime numbers and $n = pq$. Let $B$ be the set of elements of order $n\alpha$ in $\mathbb{Z}_{n^2}^{*}$, where $\alpha$ is a positive integer, and let $g$ be a base from $B$. The public key $pk$ is the pair $(n, g)$ and the secret key $sk$ is $\lambda = \mathrm{lcm}(p-1, q-1)$, i.e., the least common multiple of $p-1$ and $q-1$.
• Encryption. For a plaintext $m \in \mathbb{Z}_n$, the encryption is done as follows. We select a random $r \in \mathbb{Z}_n$ and compute the ciphertext $c$ by using the formula
$c = g^m \cdot r^n \bmod n^2$ (2)
with the public key $(n, g)$. Henceforth, Paillier encryption of $m$ is denoted by $E(m)$.
• Decryption. Decryption of a ciphertext $c$ ($< n^2$) is performed as follows:
$m = \frac{L(c^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n ,$ (3)
where $\lambda$ is the secret key and $L(u) = \frac{u-1}{n}$. Henceforth, Paillier decryption of $c$ is denoted by $D(c)$.

Paillier encryption is an additively homomorphic encryption scheme and we emphasize the following properties that are used in our scheme: $\forall\, m_1, m_2 \in \mathbb{Z}_n$ and $k \in \mathbb{N}$,

$D(E(m_1) \cdot E(m_2) \bmod n^2) = m_1 + m_2 \bmod n$ (4)
$D(E(m_1)^{k} \bmod n^2) = k m_1 \bmod n .$ (5)

The reason why the Paillier encryption scheme is used in our localization scheme follows from (4) and (5). Other secure and efficient additively homomorphic encryption schemes offering the same features could be used as well (see, e.g., DGK [29], exponential ElGamal [30] and the blinded encryption schemes [31]); the choice of Paillier encryption is supported by the facts that it is widely studied and has an ISO standard (ISO/IEC 18033-6:2019).

2.3 One-Time Pad

OTP is an encryption technique that provides perfect secrecy [32] and works as follows.

• Key Generation. Choose a unique, truly random key $R \in \mathbb{Z}_n$, where $n$ is a positive integer.
• Encryption. For a plaintext $m \in \mathbb{Z}_n$, use the key $R \in \mathbb{Z}_n$ to compute the ciphertext $c = m + R \bmod n$.
• Decryption. Decryption follows a similar procedure, namely, $m = c - R \bmod n$.

It is crucial for security that $R$ is a truly random value of the size of the plaintext and that it is never reused.

2.4 Garbled Circuits

GC is a technique for secure computation that was implicitly introduced by A. Yao in [33]. GC can be used for secure two-party computation, i.e., two parties can evaluate a function $f(x, y)$ without revealing the respective inputs $x, y$ to each other or to a third party. The idea of GC is to describe the function as a Boolean circuit for the two inputs. The wires of the circuit are assigned two random $s$-bit values corresponding to the bit values zero and one, respectively. The gates of the circuit are "garbled" so that their output wire values are encrypted by using the input values as keys according to the truth tables, after which the rows of the tables are randomly permuted. The derived tables form the "garbled" function $\tilde{f}(\tilde{x}, \tilde{y})$, which can be evaluated securely with the garbled inputs $\tilde{x}, \tilde{y}$ to obtain the result.

Yao's original GC proposal is widely considered impractical due to its high computation and particularly communication overheads, but significant improvements have been made during the last decades (see, e.g., [34], [35], [36], [37], [38], [39]). Next, we highlight three state-of-the-art optimizations that have a major impact on the efficiency of GC based secure computation. In [37], Kolesnikov and Schneider introduced a technique that reduces both the computation and communication overhead of each XOR gate of the circuit to zero. In [39], Zahur et al. presented a technique that reduces the communication overhead of gates by 50% (from $4s$ to $2s$) compared to Yao's original proposal. In [35], Bellare et al. showed that GCs can be constructed by using a block cipher (e.g., AES) with a fixed key as the basic cryptographic primitive, consequently leading to major speedups in computation (e.g., by using the AES-NI instruction set extension). Our scheme can be implemented by using any GC framework but, as will be discussed in more detail in Sec. 6.2, we use ABY [40] for the PoC. It is a state-of-the-art framework that implements (among others) the optimizations of [35], [37], and [39].

2.5 Threat Model

This section covers the privacy threat model for a PPIL scheme. In short, the information of both the server $S$ and the client $C$ needs to be secured and kept private. From the perspective of $S$, this means that an adversary $A_C$ who uses the service as a client should not be able to construct the database $D$ (or a close equivalent $D'$ that allows running a similar service), i.e., $A_C$ should not learn the pre-measured RSS values $v_{i,j}$ of $D$ from the messages sent in the protocol. On the other hand, from the perspective of $C$, $S$ may be an adversary $A_S$ who wants to obtain the locations of its clients, and the protocol should reveal nothing about the location of $C$ within the area covered by the service, i.e., $A_S$ should not obtain $C$'s location (the output of the protocol), the RSS values $f_j$ of $C$'s query, or any intermediate values that depend on them (e.g., the distances $d_i$).

A regular fingerprint-based localization scheme (e.g., as described in Sec. 2.1) can easily be made resistant against $A_S$ if $S$ simply sends $D$ to $C$, but obviously this directly implies insecurity against $A_C$. On the other hand, even the simple scheme in Sec. 2.1 is resistant against $A_C$ if only the final location is sent to $C$, but then the protocol fails to protect against $A_S$. Therefore, we demand that a PPIL scheme must be resistant against both types of adversaries, $A_C$ and $A_S$.

Most of the related work has considered the above privacy requirements under the Honest-But-Curious (HBC) threat model (if any at all). HBC assumes that both parties faithfully follow the protocol but try to compromise the other party's privacy by using information given by the protocol (e.g., message contents). However, Yang and Järvinen [41] recently argued that HBC is not sufficient to protect PPIL in practice. Indeed, a malicious client $A_C$ can easily deviate from the protocol by manufacturing fake queries (e.g., such that all RSS values are zeros or only one is non-zero), sending them to $S$, and deducing information about $D$ from the response [17], [19]. In most PPIL proposals clients' queries are encrypted, so $S$ has no way to notice such malicious behavior. In fact, practical attacks building on such ideas have recently been presented against several PPIL proposals in [19], [22]. A malicious server $A_S$, on the other hand, must follow the protocol because any deviation would immediately result in a drop in the quality of localization, which would be noticed by $C$, who would probably stop using the service [41]. Motivated by these observations, [41] proposed that a Unilateral-Malicious (UM) threat model should be used for PPIL. In UM, $A_C$ is allowed to deviate from the protocol, but $A_S$ is not. In addition to introducing the UM threat model, [41] also proved that the high-level proposal from [19], which is also the basis of our PPIL scheme, is secure against both $A_C$ and $A_S$ under the UM model. For the sake of clarity, we omit further details and point interested readers to [41] for more detailed descriptions of UM and the security proofs.

3 PRIVACY-PRESERVING LOCALIZATION

This section introduces the PPIL scheme based on a high-level idea given in [19]. Basically, the scheme uses the Paillier encryption scheme to hide the clients' RSS values from the server. The Paillier scheme cannot protect the database by itself. Therefore, each distance is masked with a unique random value, which protects the database and prevents the attack from [17]. The mask is removed and the kNN is run within a GC. Although GCs could be utilized for a complete location retrieval without the need for the Paillier scheme, the communication overhead would be enormous [19].

3.1 Description of the Scheme

The following introduces the details of the scheme.

• Training phase. This phase is exactly the same procedure as explained in Sec. 2.1. The outcome is the same database $D$ as in Sec. 2.1 and it is stored on a server $S$ in plaintext. No interaction with any client is needed.
• Distribution phase. The purpose of this phase is to let a client $C$ and the server $S$ share the necessary values with each other. Ideally, this phase needs to be done only once with each $C$. In addition to $T_1$, $T_2$ and $C$'s Paillier public key $pk$ (defined in Sec. 2.1 and Sec. 2.2, respectively), fixed values used in the GC protocol should be distributed according to the requirements of the specific GC protocol in use.
• Paillier phase. The location retrieval starts by $C$ measuring the RSS $f_j$ from every AP in $T_1$. Then, $C$ computes the list
$\{E(-2 f_j)\}_{j=1}^{N}$
and $\Delta_3 = E\left(\sum_{j=1}^{N} f_j^2\right)$, which are sent to $S$. Next, $S$ computes the following values for $i = 1, \ldots, M$:

$\Delta_{i,1} = E\left(\sum_{j=1}^{N} v_{i,j}^2\right)$ (6)
$\Delta_{i,2} = \prod_{j=1}^{N} E(-2 f_j)^{v_{i,j}}$ (7)

and then computes $D_i = \Delta_{i,1} \cdot \Delta_{i,2} \cdot \Delta_3$. Due to the homomorphic properties of Paillier encryption (see (4) and (5)), decryption of $D_i$ would yield $d_i$, where $d_i$ is exactly the distance as in (1). Finally, $S$ masks each $D_i$ with a random value $R_i \in \mathbb{Z}_n$, i.e., $S$ computes the list
$\{D_i \cdot E(R_i)\}_{i=1}^{M}$ (8)
and sends it to $C$, who decrypts every item on the list and obtains
$\{d_i + R_i\}_{i=1}^{M} .$
• GC phase. In this phase, $C$ uses a garbled circuit (see Sec. 2.4) to remove the masks and to compute the kNN in the following way:
1) $S$ constructs a Boolean circuit that takes two lists $X, Y$, both containing $M$ values of size $l'$, where $l'$ is the maximum bit-length of a distance. The circuit first computes $X - Y = \{x_1 - y_1, \ldots, x_M - y_M\}$ and then returns the indices of the $k$ smallest values in the list. This Boolean circuit is then used in the GC construction and the GC is sent to $C$ along with the server's garbled input $\tilde{Y} = \{\tilde{y}_1, \ldots, \tilde{y}_M\} =$

$\{\tilde{R}_1, \ldots, \tilde{R}_M\}$, where $\tilde{R}_i$ is the garbled value of the random value $R_i$.
2) Before $C$ can evaluate the GC, it needs to obtain the garbled values $\tilde{X} = \{\tilde{x}_1, \ldots, \tilde{x}_M\} = \{\widetilde{d_1 + R_1}, \ldots, \widetilde{d_M + R_M}\}$ for its input $X$ by using an Oblivious Transfer (OT) protocol [42], [43].
3) $C$ evaluates the GC and obtains the list of indices of the $k$ smallest distances. Finally, $C$ deduces the locations from $T_2$ and retrieves its own location by computing the centroid.

Remark 1. In Step 3 of the GC phase, $T_2$ could be a part of the GC, which could then return the location directly, i.e., the centroid can be computed within the circuit. The GC phase may also include a Step 4 containing additional service related material, such as promo codes or discount vouchers, allowing location-based targeted marketing without losing privacy and practicality.

3.2 Security

The security of our scheme relies on commonly known cryptographic protocols, namely, Paillier encryption, OTP and GCs (see Sec. 2.2, 2.3 and 2.4, respectively). In this section, we take a closer look at how the system protects against the attacks described in Sec. 2.5 and what assumptions need to be made. The high-level proposal from [19] was shown to be secure under the UM threat model in [41]. Because our scheme follows the high-level proposal, this proof holds also for our scheme and we claim that our scheme is secure under the UM model. In the following, we provide an informal rationale behind this claim and refer interested readers to [41] for a formal treatment.

3.2.1 Privacy of the Client's Location

The client's precise location information (RSS values) is encrypted during the whole Paillier phase and is safe from any adversary, assuming that Paillier encryption is secure. After a client decrypts the received masked distances, the GC phase begins. The client's location information is still vulnerable at this point and we must be able to trust the security of the GC protocol. Precisely, the OT protocol must ensure that $A_S$ is not able to learn any information about the client's input to the GC. There are many well studied OT protocols which are believed to be secure (see [42] and [43]).

3.2.2 Privacy of the Server's Database

Without the random masks $R_i$ on the distances, the server's database $D$ is leaked to the client through the Paillier phase responses after $N$ queries. The attack against [17] is fully explained in [19], but basically the client simply solves a set of linear equations to obtain the exact $D$. Therefore, it is essential that the masking secures the distance values from adversaries. This is the case because the random mask acts as an OTP. The mask is removed during the GC phase inside the GC. Hence, the secrecy of $D$ relies also on the security of the GC protocol. GCs are believed to be secure when proper label/key sizes and secure symmetric-key algorithms are used in the construction and evaluation.

4 OPTIMIZATIONS

This section covers several techniques to decrease the computational and communication overheads. Without these techniques, the scheme described above would be impractical in areas where the parameters (particularly $N$ and/or $M$) are large. In practice, both $N$ and $M$ depend on the size of the building covered by the service, but typically $M > N$. Some public databases are available¹ and, e.g., $M = 505$ and $N = 241$ for the TUT measurement data of a four-story office building. However, it is possible that $N$ could be significantly pruned in such databases without significant reductions in localization accuracy by removing less significant APs and possible duplicates (e.g., one AP with several MAC addresses).

¹ UJIIndoorLoc Data Set: https://archive.ics.uci.edu/ml/datasets/ujiindoorloc; TUT Indoor WLAN measurement data: http://www.cs.tut.fi/tlt/pos/MEASUREMENTS WLAN FOR WEB.zip

4.1 Client Pre-computation

The Paillier encryption (see (2)) contains two modular exponentiations and one multiplication. In particular, $r^n \bmod n^2$ is computationally demanding for every encryption, since $r$ and $n$ are always large. However, that part of the encryption is independent of the message $m$ and can be computed in advance. For each encryption, $r$ needs to be a fresh random value, and therefore multiple values should be pre-computed into a stack.

With the pre-computation of $r^n \bmod n^2$, the encryption complexity depends on $g^m \bmod n^2$. On $C$'s side, the message $m$ is always related to an RSS value, which is normally bounded to a small value. Technically, $C$ needs to encrypt $\sum_{j=1}^{N} f_j^2$ and every $\{-2 f_j\}_{j=1}^{N}$. However, later we will see that $\sum_{j=1}^{N} f_j^2$ does not need to be encrypted. Therefore, $C$ can store $g^{-2f} \bmod n^2$ for each possible RSS value $f$. Consequently, each encryption is only a multiplication of two pre-computed values.

Each query requires $N + 1$ encryptions on $C$'s side. Hence, a small stack of pre-computed $r^n \bmod n^2$ values runs out after a few queries. On the other hand, constructing a very large stack might not be feasible on $C$'s side due to the time and power consumption. The overhead of pre-computations could be reduced, e.g., by performing them at night while the device is charging, but this must comply with the background processing policies of the mobile operating system. In a practical scenario, the stack size should be at least $N + 1$ and the stack could be initialized before the actual query is made. This reduces the online location retrieval time but prevents $C$ from making a new query immediately after the previous one. This is acceptable in many practical scenarios (see, e.g., Ex. 4.3).

4.2 Server Pre-computation

If storage space is not a problem, every $\Delta_{i,1}$ for $i = 1, \ldots, M$ (see (6)) can be pre-computed for each client after the Distribution phase. This reduces the computational overhead tremendously when computing the encrypted distances $D_i$, since we can avoid $M$ encryptions.
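An added example, not from the paper, of the malicious-client attack sketched in Sec. 2.5 and Sec. 3.2.2, and of why the one-time-pad mask $R_i$ of (8) (Sec. 2.3) defeats it. The toy database, the two server "oracle" functions and the placeholder modulus N_MOD are constructed for illustration; the oracle stands in for a server whose responses the client has already Paillier-decrypted, so no encryption is needed to show the leak. The client sends the all-zero query and the $N$ unit queries, which is exactly the kind of fake query the threat model names, and solves the resulting linear equations entry by entry.

```python
"""Added example (not from the paper): the malicious-client attack of Sec. 2.5 /
Sec. 3.2.2 against unmasked distances, and why the one-time-pad mask of (8) stops it."""
import secrets
from typing import Callable, List, Sequence

# Constructed toy database D: M = 4 locations, N = 3 APs (4-bit RSS values, made up).
D: List[List[int]] = [[15, 6, 3], [7, 14, 2], [6, 2, 13], [9, 9, 9]]
N_APS = 3
N_MOD = 1 << 64  # stands in for the Paillier modulus n; any n larger than every d_i works (assumption)

Oracle = Callable[[Sequence[int]], List[int]]


def squared_distances(f: Sequence[int], database: Sequence[Sequence[int]]) -> List[int]:
    return [sum((fj - vj) ** 2 for fj, vj in zip(f, v)) for v in database]


def unmasked_server(f: Sequence[int]) -> List[int]:
    """What C learns per query if S returned D_i without a mask: every d_i in the clear."""
    return squared_distances(f, D)


def masked_server(f: Sequence[int]) -> List[int]:
    """(8) with a fresh uniform R_i per distance: C learns d_i + R_i mod n, an OTP ciphertext."""
    return [(d + secrets.randbelow(N_MOD)) % N_MOD for d in squared_distances(f, D)]


def recover_database(oracle: Oracle, n_aps: int) -> List[List[int]]:
    """Send the all-zero query and the N unit queries e_j (the fake queries of Sec. 2.5).
    From (1):  d_i(0)   = sum_j v_{i,j}^2
               d_i(e_j) = 1 - 2 v_{i,j} + sum_j v_{i,j}^2
    so every entry is the solution of one linear equation:
               v_{i,j} = (d_i(0) + 1 - d_i(e_j)) / 2.
    N + 1 queries reveal the whole database, and S cannot tell these queries
    from honest ones because they arrive Paillier-encrypted."""
    base = oracle([0] * n_aps)
    rows = len(base)
    recovered = [[0] * n_aps for _ in range(rows)]
    for j in range(n_aps):
        unit = [0] * n_aps
        unit[j] = 1
        resp = oracle(unit)
        for i in range(rows):
            recovered[i][j] = (base[i] + 1 - resp[i]) // 2
    return recovered


def attack_succeeds(oracle: Oracle) -> bool:
    """True iff the crafted queries reproduce D exactly."""
    return recover_database(oracle, N_APS) == D
```

Against masked_server the same queries return values that are uniform in $\mathbb{Z}_n$ and independent across queries, so the linear system has no information in it; the only place the mask comes off is inside the garbled circuit, where the client never sees the plaintext.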

1536-1233 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: UNIVERSITY OF BIRMINGHAM. Downloaded on July 25,2020 at 03:41:05 UTC from IEEE Xplore. Restrictions apply.
4.3 Server Computation Improvements
A dynamic programming style technique can be applied for the computation of ∆i,2 with (7) to reduce the computational overhead. Firstly, we make the observation that each vi,j is normally a small number. E.g., if the maximum bit-length of RSS is 4, then vi,j ∈ {0, 1, . . . , 15}. Let vmax,j denote the maximum value of vi,j for each j = 1, . . . , N (the maximum RSS in each column of the database); then we compute the lists
$$L = \{1,\ E(-2f_j),\ E(-2f_j)^2,\ \ldots,\ E(-2f_j)^{v_{\max,j}}\}_{j=1}^{N}.$$
Now every possible E(−2fj)^{vi,j} value is computed and can be derived from the lists during the computation of each ∆i,2 for i = 1, . . . , M. This technique is shown in Alg. 1 and it prevents the server from computing the same exponentiation multiple times.

Algorithm 1: An optimization technique for ∆i,2
Data: E(−2f1), . . . , E(−2fN), D
Result: L
for j = 1 to N do
    vmax ← 0;
    for i = 1 to M do
        v ← D[i, j];
        vmax ← max(v, vmax);
    α ← 1;
    list[0] ← α;
    for i = 1 to vmax do
        α ← α · E(−2fj);
        list[i] ← α;
    L[j] ← list;

4.4 Distance Packing
S has to send M ciphertexts to C, which increases the communication overhead tremendously in a real life setting, where M is large. To overcome this issue, S can pack multiple distances into one ciphertext using the packing technique from [26]. Firstly, we need to deduce the bit-length of a distance di, which can be derived from (1). Let l be the maximum bit-length of a RSS value; then
    l' = ⌈log2((2^l − 1)^2 · N)⌉    (9)
is the maximum bit-length of di for every i = 1, . . . , M.
Essentially, by packing we mean that multiple distances are aligned in one larger value by linearly shifting them with a proper constant value. We call the result a package regardless of whether the distances in it are in encrypted form or not. The length of a package is the number of distances it contains.
The maximum bit-length of the plaintext in Paillier encryption is γ = ⌈log2(n)⌉. To avoid the possibility of an overflow (with high probability) resulting in a modular reduction modulo n during decryption after R is added into the package (cf. (8)), we leave some of the most significant bits zero on purpose by packing fewer distances into one plaintext than would fit there. Let t be the number of distances we pack in one package and T the total number of packages needed to transmit all M distances. After S has computed Di for all i = 1, . . . , M, it computes the packages as follows:
$$\Bigl( \prod_{i'=1}^{t} D_{t(k-1)+i'}^{\,2^{(i'-1)l'}} \Bigr)_{k=1}^{T}.$$

Fig. 1. Example of packing: the plaintext of one package holds d1, . . . , d7 in consecutive 13-bit slots starting at bit positions 0, 13, 26, 39, 52, 65 and 78 (the last slot ends at bit 91), and the remaining bits up to the plaintext size 2048 are left zero.

Example 4.1. Let M = 7 and so we have the encrypted distances D1, . . . , D7. We assume that l' = 13, γ = 2048 and t = 7. Thus, T = 1 and we can fit all the distances in one package by computing $\prod_{i=1}^{t} D_i^{2^{(i-1)l'}}$. Due to the homomorphic properties, the effect on the plaintext is the following:
$$\sum_{i=1}^{t} d_i \cdot 2^{(i-1)l'}.$$
The distances line up in the plaintext as shown in Fig. 1.
The masking is done in a similar fashion to (8), but only T masks are needed. The random mask should be chosen uniformly at random from Zn to avoid any information leaking about the distances after the decryption.
If the distances cannot be divided exactly into T packages of length t, the remaining M − T · t distances are distributed evenly in the packages, where T = ⌊M/t⌋. The best choice for T (or t) can be derived from the minimum point of a cost function that evaluates the complexity of the processes related to the packing, namely the packing itself, the random masking, the overhead of sending the packages to C and the decryption at C’s side.
For every distance di, the plaintext of ∆3, namely $\delta_3 = \sum_{j=1}^{N} f_j^2$, is a positive constant that only increases the value of every di. Therefore, the kNN gives the same result even if δ3 is left out. However, the distances di are not necessarily positive anymore, which is problematic, since we are using modular arithmetic. To overcome this problem, the client adds δ3 to the decrypted masked distances after the decryption to ensure the positivity of each distance. With the packing technique, δ3 needs to be added to every distance in a package.
Example 4.2. Let us use a similar setup as in Ex. 4.1. Without ∆3 the plaintext would be $\sum_{i=1}^{t} (\delta_1 + \delta_2) \cdot 2^{(i-1)l'} + R$. Therefore, we need to add $\sum_{i=1}^{t} \delta_3 \cdot 2^{(i-1)l'}$ to obtain
$$\sum_{i=1}^{t} (\delta_1 + \delta_2 + \delta_3) \cdot 2^{(i-1)l'} + R = \sum_{i=1}^{t} d_i \cdot 2^{(i-1)l'} + R.$$
Remark 2. Since δ3 is eventually added to the package(s), the packing cannot be denser, i.e., l' must be computed as before (see (9)).

4.5 Masking Pre-computations
The encryption of Ri could be done after Distribution phase by pre-computing them into a stack for each client. However, the number of needed encrypted masks is unknown, since it depends on the number of a particular
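The server's Alg. 1 lists (Sec. 4.3) and the packing, masking and δ3 correction of Sec. 4.4 carried through on a toy Paillier instance, as an added example that is not part of the paper or its PoC. It assumes the decomposition d_i = δ1 + δ2 + δ3 with δ1 = Σ_j v_{i,j}^2 and δ2 = Σ_j −2 f_j v_{i,j} (equations (1), (6) and (7) are not in this excerpt), spreads any remainder evenly over T = ⌊M/t⌋ packages, and stands in for the GC mask removal with an exact subtraction modulo n; the key, the RSS database and the fingerprint are constructed.

```python
"""Paillier phase: Alg. 1 lists, packing, masking, unpacking (constructed example)."""
import math
import random

# Toy Paillier key from two Mersenne primes (constructed; far too small for
# real use, but n has 196 bits, enough for t*l' packed bits plus a mask).
P, Q = 2**89 - 1, 2**107 - 1
N_MOD = P * Q                                  # Paillier modulus n
N_SQ = N_MOD * N_MOD
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
MU = pow(LAMBDA, -1, N_MOD)                    # with g = n + 1, L(g^lambda) = lambda
RNG = random.Random(2020)                      # seeded only for reproducibility

def encrypt(m):
    """E(m) = (1 + m*n) * r^n mod n^2; a negative m is reduced modulo n."""
    r = RNG.randrange(1, N_MOD)
    return (1 + (m % N_MOD) * N_MOD) * pow(r, N_MOD, N_SQ) % N_SQ

def decrypt(c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    return (pow(c, LAMBDA, N_SQ) - 1) // N_MOD * MU % N_MOD

def build_lists(enc_neg2f, db):
    """Alg. 1: L[j] = [E(-2 f_j)^0, ..., E(-2 f_j)^{vmax,j}] for each AP j."""
    lists = []
    for j, base in enumerate(enc_neg2f):
        vmax = max(row[j] for row in db)       # largest RSS in column j
        lst, alpha = [1], 1
        for _ in range(vmax):
            alpha = alpha * base % N_SQ        # one multiplication per entry
            lst.append(alpha)
        lists.append(lst)
    return lists

def encrypted_distances(enc_neg2f, db):
    """D_i = Delta_{i,1} * Delta_{i,2} = E(sum_j v_ij^2) * prod_j E(-2 f_j)^{v_ij}.
    Assumed decomposition d_i = delta1 + delta2 + delta3; delta3 is the client's."""
    lists = build_lists(enc_neg2f, db)
    out = []
    for row in db:
        d = encrypt(sum(v * v for v in row))   # Delta_{i,1}: pre-computable (Sec. 4.2)
        for j, v in enumerate(row):
            d = d * lists[j][v] % N_SQ         # cached power, no exponentiation
        out.append(d)
    return out

def package_sizes(m, t):
    """T = floor(M/t) packages; the M - T*t leftover distances are spread evenly."""
    T = max(1, m // t)
    base, extra = divmod(m, T)
    return [base + 1] * extra + [base] * (T - extra)

def pack_and_mask(ds, t, l_prime):
    """Server: package k = prod_{i'} D_{t(k-1)+i'}^(2^((i'-1) l')), times E(R_k)."""
    sizes = package_sizes(len(ds), t)
    # Keep the top bits of the plaintext zero so that adding R rarely wraps mod n.
    assert max(sizes) * l_prime + 64 <= N_MOD.bit_length(), "package too wide"
    pkgs, masks, pos = [], [], 0
    for size in sizes:
        pkg = 1
        for i in range(size):
            pkg = pkg * pow(ds[pos + i], 1 << (i * l_prime), N_SQ) % N_SQ
        pos += size
        r = RNG.randrange(N_MOD)               # mask uniform in Z_n (one per package)
        pkgs.append(pkg * encrypt(r) % N_SQ)
        masks.append(r)
    return pkgs, masks, sizes

def unpack(masked_pkgs, masks, sizes, delta3, l_prime):
    """Client: decrypt, add delta3 into every slot (Ex. 4.2), strip the mask and
    cut the plaintext into l'-bit slots. The GC's mask removal is simulated here
    by an exact subtraction modulo n, so the rare wrap-around case is also exact."""
    dists = []
    for c, r, size in zip(masked_pkgs, masks, sizes):
        shift = sum(delta3 << (i * l_prime) for i in range(size))
        p = ((decrypt(c) + shift) % N_MOD - r) % N_MOD   # = sum_i d_i 2^((i-1) l')
        dists += [(p >> (i * l_prime)) & ((1 << l_prime) - 1) for i in range(size)]
    return dists

def private_distances(fp, db, l, t):
    """One query end to end; returns the squared Euclidean distances the client learns."""
    l_prime = math.ceil(math.log2((2**l - 1) ** 2 * len(fp)))   # eq. (9)
    enc_neg2f = [encrypt(-2 * f) for f in fp]                     # client -> server
    ds = encrypted_distances(enc_neg2f, db)                       # server
    pkgs, masks, sizes = pack_and_mask(ds, t, l_prime)            # server -> client
    delta3 = sum(f * f for f in fp)                               # client's constant
    return unpack(pkgs, masks, sizes, delta3, l_prime)

def plain_distances(fp, db):
    """Reference computation on plaintexts for checking the result."""
    return [sum((v - f) ** 2 for v, f in zip(row, fp)) for row in db]

# Constructed sample data: l = 4 (RSS in 0..15), N = 20 APs, M = 7 locations.
RSS_DB = [[RNG.randrange(16) for _ in range(20)] for _ in range(7)]
FP = [RNG.randrange(16) for _ in range(20)]

if __name__ == "__main__":
    print(private_distances(FP, RSS_DB, l=4, t=7))   # one package, as in Ex. 4.1
```

With N = 20 and l = 4, (9) gives l' = 13, so t = 7 distances fill 91 bits of the 196-bit plaintext exactly as in Fig. 1; a database with M = 17 and t = 5 exercises the uneven split into packages of 6, 6 and 5 distances.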


client’s queries, which could be hundreds per day. This technique used with the packing reduces the masking process down to only T multiplications. However, it is difficult to justify the practical feasibility of this technique.
Example 4.3. Let us imagine a shopping mall that offers a PPIL service by using our scheme. We can store a certain number of encrypted masks for each client and refill this storage, e.g., during the nighttime (at least for several thousands of clients). If such a storage is not used or it runs out of pre-computed values, the service may limit the frequency at which the client can make queries (e.g., only every 5 seconds) and use the intermediate time for filling the stack of pre-computed values. This would not degrade the quality of service significantly. This also allows the client to perform the client-side pre-computations discussed in Sec. 4.1. The only difference is that the server must serve several clients simultaneously and perform multiple pre-computations at the same time, whereas a client performs only its own pre-computations.

4.6 Garbled Circuit Pre-computations
Since GC phase is a distinct part of the scheme, it is difficult to do any specific optimizations. However, since the structure of the circuit is known, the server could construct it in advance. The problem is that the GC needs to be unique for each query and the size of one GC is already large (even several megabytes).
In practice, the new GC for the next query can be constructed right after the current query. This technique follows the same idea as the Paillier phase optimization techniques with pre-computation, where we assumed that there is a long enough delay between multiple queries. Furthermore, the new GC could be sent to the client right after the construction, before the actual query is made. This may give a notable saving in the time from making the location query to receiving the location, especially in slower networks.

5 THEORETICAL EVALUATION
We denote the computational cost of a modular multiplication with Mult-C(m) and of an exponentiation with Exp-C(a, m), where a is the exponent and m is the modulus. The square-and-multiply algorithm gives
    Exp-C(a, m) = 1.5 log2 a · Mult-C(m)    (10)
on average (the exact cost depends on the Hamming weight of a).
With Crypt-C(s) we denote the computational cost of a decryption in the garbled circuit evaluation, where s = ⌈log2 w̃⌉ is the label size (in bits). The computational cost depends on s and the garbled circuit encryption function.

5.1 Computational Overhead
The computational overhead of C during Paillier phase is
    C-Mult-C2(N, M) = N · Mult-C(n^2) + T · 3/2 log2 n · Mult-C(n)
with the pre-computation technique, which decreases the encryption step down to N multiplications modulo n^2. The rest of the overhead comes from the decryption step, which involves T decryptions. The cost of one decryption is approximately 3/2 log2 n multiplications modulo n with the state-of-the-art optimizations [18], [28].
The following equation
    Mult-C(n^2) = 4 · Mult-C(n)    (11)
gives the complexity relation of a schoolbook multiplication². It is used to simplify the overheads and we get
    C-Mult-C2(N, M) = (N + T · 3/8 log2 n) · Mult-C(n^2).
The computational overhead of S for Paillier phase is
    S-Mult-C2(N, M) = (N · (2^l − 2) + M · Na + M · ((t − 1)l'/2 + 1) + T) · Mult-C(n^2)
where Na denotes the average number of non-zero RSS values in each row of D, which basically stands for the average number of available APs at each location³. The first part of the complexity comes from Alg. 1, when we assume the worst case, i.e., each column contains every possible RSS value. Finally we can compute every Di with the list L using M · Na multiplications modulo n^2. The rest of the overhead comes from the packing (see Sec. 4.4) and from the masking, which is only T multiplications with the pre-computations (see Sec. 4.5).
Finally, we omit the multiplication complexity and obtain
    Client-C(N, M) = N + T · 3/8 log2 n    (12)
    Server-C(N, M) = N · (2^l − 2) + M · (Na + (t − 1)l'/2 + 1) + T.    (13)
Now we can plot the overheads to find out which party is computationally more involved in our scheme. Firstly, we fix several parameters. Let l = 4 and by using (9), we get l' as a function of N. For simplicity, we set Na = 0.15N, n = 2^2048 and t = 25, which makes T = ⌈M/t⌉ dependent only on M. Now both (12) and (13) depend only on N and M. The overheads with these assumptions are shown in Fig. 2. Clearly, S has a higher computational overhead than C. However, the overhead can be shifted by altering t. Here we suggested that t = 25 is a good overall upper bound for the number of distances in packages, but other values may be more appropriate in certain applications.
The computational overhead of GC phase comes only from the GC execution on C’s side, when the pre-computation techniques are used (see Sec. 4.6). The execution complexity depends on the number of AND gates in the circuit. It can be estimated using information available in [34] that the subtraction and the kNN require approximately M · l' = ζ AND gates and 3k · ζ AND gates, respectively. Therefore, we get the following overhead
    GC-C(N, M) = (3k + 1) · ζ · Crypt-C(s).    (14)

2. There exist faster variants of long multiplication, such as the Toom-Cook algorithm [44].
3. In practice, about 85% of the values in the database are normally zeros (see, e.g., [45]), which means that Na ≈ 0.15N.


Fig. 2. The number of multiplications modulo n^2 needed for Paillier phase separately for S and C, when l = 4, Na = 0.15N, n = 2^2048 and t = 25. (Plot: Server-C(N, M) and Client-C(N, M), in units of 10^4 Mult-C(n^2), against N and M up to 300.)

Fig. 3. The communication overheads in bytes for Paillier phase and GC phase separately, when l = 4, n = 2^2048, t = 25 and s = 112. (Plot: Paillier-Comm(N, M) and GC-Comm(N, M), in units of 10^5 bytes, against N and M up to 300.)

In general, Mult-C(n) is more complex than Crypt-C(s) (e.g., AES), but the exact relation depends on the computing platform. The cost of Crypt-C(s) can often be reduced significantly even with commodity hardware by utilizing specific instructions such as Intel’s AES-NI. Accelerating Mult-C(n) is more complicated, but specific hardware accelerators (e.g., with FPGAs) can be used on the server side, and they may allow significant speedups for these operations.

5.2 Communication Overhead
The communication overhead (in bits) of Paillier phase is
    Paillier-Comm(N, M) = (N + T) · log2 n^2    (15)
and during GC phase the overhead is
    GC-Comm(N, M) = 2s · M · l'.    (16)
We assume that the GC and S’s (garbled) input have been sent in advance and that the OT pre-computations are done. Fig. 3 depicts the overheads when N and M are increased with fixed parameters l = 4, n = 2^2048, t = 25 and s = 112. Normally, the communication overhead of GC phase becomes dominant.
The communication overhead is reflected in the location retrieval time, since the data transfer takes some time. Especially with low bandwidth, the delay might be significant. For some clients, the communication overhead might be an issue also due to data transfer costs. Therefore, we also want to see the total communication overhead for each query. The overheads of different objects are gathered into Tab. 2. It is easy to see that the size of the garbled circuit becomes dominant quickly, especially with large k, when M increases. The growth is also linear, which makes extrapolation easy.

6 IMPLEMENTATION
In the following, we give an overview of the PoC implementation of our PPIL scheme introduced in Sec. 3. The client side is programmed for an Android device⁴ with Android Studio⁵. The server side is not restricted to any particular operating system, but we use a GNU/Linux Ubuntu server⁶. The hardware used for evaluating our PoC implementation was an Exynos 7420 with 8 CPU cores and 2.74 GB of RAM running at 1.5 GHz for the client side and a Xeon E5-2697 v2 with 4 CPU cores and 8.17 GB of RAM running at 2.7 GHz for the server side.

6.1 Paillier Phase
In this section, we concentrate on the implementation aspects of Paillier phase programmed in Java⁷. The implementation follows the description given in Sec. 3 with the optimization techniques from Sec. 4.
The Paillier encryption scheme implementation follows Sec. 2.2 with the state-of-the-art optimization techniques of [18] and [28]. The random numbers are generated with the Java class SecureRandom⁸, which provides a cryptographically strong random number generator that complies with the FIPS 140-2 specification.
Modular arithmetic relies on the Java class BigInteger⁹. Random prime numbers of specific length are generated with SecureRandom. The most important method is modPow(..) from the BigInteger class, which computes an exponentiation with a modulus. The method uses the sliding window technique [46] and the Montgomery domain [47], which improves the efficiency of an exponentiation slightly more than we estimated in (10).
Remark 3. The modPow(..) is not a constant-time algorithm by default, but we ignore this fact since our implementation is a PoC. However, a constant-time exponentiation should be used in practice to prevent timing attacks [48]. In our scheme, the exponents are

4. Samsung S6 SM-G920F running Android 7.0
5. https://developer.android.com/studio/
6. https://www.ubuntu.com/server
7. https://www.java.com/en/
8. https://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html
9. https://docs.oracle.com/javase/8/docs/api/java/math/BigInteger.html


TABLE 2
The total communication overhead of the scheme.

Paillier phase     | GC phase (Online) | GC phase Pre-computation          | Offline
Ciphertexts        | OT                | Garbled circuit  | S’s input      | OT
(N + T) · log2 n^2 | 2sζ               | (6k + 2) · sζ    | sζ             | 4sζ + 6s^2

often small (e.g., a RSS value). Hence, a global constant-time exponentiation routine allowing exponents up to the size of n would slow down these computations tremendously. However, because the maximum values of the exponents are known in every exponentiation, tailoring constant-time exponentiation routines for specific exponent lengths solves this problem.

TABLE 3
Security levels and corresponding parameter bit-lengths.

Security Level (s) | Paillier (n) | Garbled circuits (w̃ and c)
112                | 2048         | 112
128                | 3072         | 128

A multiplication of two BigIntegers follows the Toom-Cook algorithm [44], which is faster than a regular multiplication for large numbers. We store pre-computed values in a ConcurrentLinkedQueue¹⁰, which is thread-safe, meaning that we can access the queue safely with multiple threads. Indeed, we use the queue as a stack for the pre-computations.
The communication between a client C and the server S is implemented with Java network sockets. Java objects containing the necessary values are transferred between C and S. The (socket) connection stays open during the computations at S and is closed after C has received the encrypted and masked distances from S. The same connection cannot be used in GC phase, which is a slight drawback in our PoC implementation (see the reason in Sec. 6.2). Ideally, one connection should be kept open for the whole duration of a location retrieval to reduce the number of connection calls that add unnecessary routing and possible handshakes.

6.2 GC Phase
The implementation of GC phase is separated from Paillier phase, since we take advantage of the framework for efficient mixed-protocol secure two-party computation called ABY [40], available online at GitHub¹¹. Therefore, the socket connection of Paillier phase mentioned previously cannot be used here. Overall, the implementation of GC phase relies fully on ABY and its functionality, which is used in a black-box manner. ABY was chosen because it is a state-of-the-art framework for secure two-party computation.
ABY provides three secure computation schemes based on Arithmetic sharing, Boolean sharing and Yao’s garbled circuits. We use Yao’s garbled circuits. The OT extension implementation of [43] is used within ABY. ABY requires that the pre-computations be done during the current query after Paillier phase, which means that they do not give any advantage. This is a practical drawback of our PoC, but it can be fixed in production-level code. Nevertheless, ABY still allows us to analyze the exact overheads of our scheme even from this PoC implementation (see Sec. 7.3).
The first subtraction (“the mask removal”) is difficult to implement with the packing technique, since we need to do a subtraction of two large numbers, which is not directly supported by ABY and would result in an increase in the size of the GC. To overcome this, we slice this subtraction into individual 16-bit subtractions and tolerate the small errors caused by the lack of carry propagation between the 16-bit subtractions. For simplicity, we fix the bit-length of a distance to 16 bits in our implementation, i.e., l' = 16 regardless of l and N. Following the recommendations from [49], we fix l = 4, resulting in an upper bound of 291 for N (due to (9)). This means that for smaller values of N, there will be “free space” (zero bits) after each distance in the package, which in turn means that the chance of the carry-bit error decreases.

7 PRACTICAL EVALUATION
In this section, we present the computational and communication overheads of our scheme obtained with measurements from the PoC implementation discussed in Sec. 6. We start by analyzing the practicality of the scheme in a real life environment in Sec. 7.1. Next, we construct artificial databases of different sizes and use them in Sec. 7.2. This allows us to test the implementation for different values of N and M. Finally, we give the overheads of the distinct steps of our scheme in Sec. 7.3.
We provide experimental results for our PoC implementation for cryptographic security levels of 112 and 128 bits. We have gathered the parameter sizes of the cryptographic primitives with the corresponding security levels in Tab. 3 according to the guidelines of [50] and [51].

7.1 Real Life Experiment
We experimented with our PoC implementation in one building at the university campus. There were 17 Wi-Fi and 17 LTE APs located within the test area. We used three different databases (constructed by us), each of which had M = 76 reference locations. The databases were constructed by measuring RSS from only the Wi-Fi (N = 17), only the LTE (N = 17) and both the Wi-Fi and LTE APs (N = 34).
We measured the total duration of the location retrieval, which is the time of Paillier and GC phase together, while walking in the building. The parameter values for our implementation during this experiment are gathered in Tab. 4. With this setting, we observed that the location retrieval time is 2.208 seconds on average. We will investigate the time spent in each step precisely in Sec. 7.3, but we mention already here that the OT pre-computations (which are mostly independent of N and M) took 1.032 seconds in

10. https://docs.oracle.com/javase/8/docs/api/java/util/concurrent/ConcurrentLinkedQueue.html
11. https://github.com/encryptogroup/ABY


TABLE 4
The parameter values for our real life experiment.

Security Level (s) | N        | M  | k | l | l' | T | t
112                | 17 or 34 | 76 | 1 | 4 | 16 | 1 | 76

TABLE 5
The number of packages T when M is given.

(a) s = 112
M | 100 | 200 | 300 | 400 | 500 | 600 | 700 | 800
T |  10 |  20 |  25 |  33 |  41 |  50 |  50 |  50

(b) s = 128
M | 100 | 200 | 300 | 400 | 500 | 600 | 700 | 800
T |   5 |  15 |  20 |  25 |  33 |  40 |  50 |  50

our experiment (see Tab. 7(a)). In this experiment, the pre-computations had to be included in the online phase since our PoC implementation uses ABY as a separate part, as explained in Sec. 6.2. Therefore, the location retrieval time could be reduced down to around one second with a more compatible GC implementation.
Communication overhead is constant for each query. The measurements were done with vnstat¹² at the server. To avoid measurement errors, the following values are averaged over 10 queries. Each query required about 90 KBs of data to be sent to the server (uplink) and 327 KBs to be received (downlink), when N = 17. When N = 34, the communication overhead was 103 and 334 KBs for the uplink and downlink, respectively. Theoretically, the only difference should have been in the uplink data, where an additional 17 ciphertexts (8.7 KBs) are sent, but small measuring errors may have occurred, particularly because M is small. The theoretical communication overheads (see Tab. 2) are slightly optimistic (around 282 KBs in total) compared to the practical ones, but the order of magnitude is correct.

7.2 Artificial Databases
In this section, we form databases of different sizes containing randomized RSS entries of bit-length l = 4. We make the databases more realistic by setting most of the entries to zero; more precisely, we set Na = 0.2N.

7.2.1 Paillier Phase
We generate several databases with fixed N and M and take a closer look at the computational and communication overheads during Paillier phase. We choose T according to Tab. 5, where we have taken balancing aspects (see Sec. 4.4) into consideration and set T ≤ 50 to limit the communication overhead.
The location retrieval times are shown in Fig. 4 for both security parameters 112 and 128. The pre-computation techniques from Sec. 4 are applied, but we have limited the number of the client’s encryption pre-computations to 50. Consequently, the encryptions are almost free when N ≤ 50. On the other hand, the client must perform 50 or 100 online encryptions for N = 100 and N = 150, respectively, and the total time increases dramatically. We could allow the client to do N encryption pre-computations, but the above procedure allows us to evaluate the overheads of online encryptions and pre-computations.
The security parameter s has a large impact. Fig. 4(a) and 4(b) show that the increased complexity of encryptions and decryptions leads to significant increases in the location retrieval times for s = 128 compared to s = 112 with larger N. When s = 128, our scheme becomes impractical for large N and M. However, with the pre-computations (N = 50) and s = 112, the time stays within decent limits even for large areas with many reference locations (large M).
A detailed discussion of the communication overhead of Paillier phase is omitted here. Nevertheless, we mention that the total communication per query is at most some hundreds of KBs even in large settings.

7.2.2 GC Phase
The computational overhead of GC phase is discussed more closely in Sec. 7.3. Here we proceed to analyze Fig. 5, showing the communication overhead of GC phase. The value of N is irrelevant for GC phase because we used a fixed l'. We observe that the uplink communication remains almost constant for both security levels. According to Fig. 5(a) and 5(b), the client sends on average 71.44 and 116.31 KBs with s = 112 and s = 128, respectively.
The communication overhead is dominated by the downlink transfer(s), notably when M and/or k are large. The security level does not have a significant effect, as shown in Fig. 5(c) and 5(d). The overhead increases linearly with M and k.

7.3 Precise Overheads of Phases
This section breaks our scheme into smaller steps and examines the overhead of each step and its effect on the total overhead. In addition, we see how much “unnecessary” online overhead the ABY implementation creates.

7.3.1 Paillier Encryption with Java
We chose the parameters N = 50, M = 150, s = 128 and T = 10 for our test case and collected the results in Tab. 6. The computational overhead is separated into six steps, namely Encryption, Decryption, Distance, Packing, Masking and Pre-encryption, shown in Tab. 6(a).
The steps involving encryption, specifically Encryption and Masking, become negligible with pre-computations computed already after the previous query. The pre-computations are useful because they reduce the online location retrieval time, i.e., the delay that a client must wait after “pushing the button” until finally obtaining the location. The client’s (parallelized) pre-computation took 2.447 seconds, which is the time that the client needs to wait before making a new query. This delay between queries is acceptable in many practical settings (see Ex. 4.3), but it could become infeasible in buildings with hundreds of APs.
The Distance step stands for the squared Euclidean distance calculation with the ciphertexts at the server side. It also involves encryptions, but they can be avoided with pre-computations (see Sec. 4). Even with Alg. 1, the cost of this step is 28.3% of the total overhead.

12. https://humdi.net/vnstat/


Fig. 4. The location retrieval time of Paillier phase, when s = 112, 128 and N = 50, 100, 150. The value for T follows from Tab. 5. The number of client’s encryption pre-computations is limited to 50. (Plots: (a) s = 112 and (b) s = 128; time in seconds (0 to 40) against M from 100 to 700, with one curve each for N = 50, 100 and 150.)

TABLE 6
The overhead of Paillier phase with N = 50, M = 150, s = 128 and T = 3.

(a) Computational
Step                        Time (ms)
Client
  Encryption                7.77
  Decryption                299.07
  Total                     306.84
Server
  Distance                  334.55
  Packing                   535.91
  Masking                   3.82
  Total                     874.28
Pre-computation (Client)
  Pre-encryption            2446.74

(b) Communication
Step                 Uplink (bytes)   Downlink (bytes)
For each new query
  Paillier phase     41984            6144

TABLE 7
The overhead of GC phase, when N = 50, M = 150, s = 128 and k = 3.

(a) Computational
Step                  Time (ms)
One-time expense
  Init                0.73
  CircuitGen          0.07
  Network             313.07
  BaseOTs             1032.17
  Total               1346.04
For each new query
  OTExtension         23.04
  Garbling            48.38
  Online              294.89
  Total               366.31

(b) Communication
Step                 Uplink (bytes)   Downlink (bytes)
One-time expense
  BaseOTs            49958            49956
For each new query
  Setup              43256            916881
  Online             411              147500
  Total              43667            1064381

The rest of the computational overhead comes from the Decryption and Packing steps. The overhead can be shifted between these steps and, consequently, between the client and server, as explained in Sec. 4. In our case T = 3 and the packing consumed 0.237 seconds more time than the decryptions. Nonetheless, the cost of these steps is dominant, emphasizing the importance of wise packing in our scheme.
The communication overhead of Paillier phase is straightforward, as shown in Tab. 6(b). The size of one ciphertext is 768 bytes when s = 128. We compare this to the measurements and obtain that 41984 − N · 768 = 3584 bytes (uplink) and 6144 − T · 768 = 3840 bytes (downlink), which indicates that the constant communication overhead produced by the Java object is about 4 KBs.

7.3.2 Garbled Circuits with ABY
We investigate the precise overheads of GC phase by utilizing the benchmarking routines of ABY on the server side. The benchmarking is shown in Tab. 7, where we chose the parameters to be N = 50, M = 150, s = 128, and k = 3.
The results for the computational overhead are gathered in Tab. 7(a), where we have separated the one-time expenses, i.e., the expense when two parties connect for the first time, and the expenses required for each query. We observe that 78.6% of the time goes to the one-time expenses and, as a consequence, the actual computational overhead is only 0.366 seconds per query.
The overhead of the initialization (“Init”) and circuit generation (“CircuitGen”) steps is negligible, but the

1536-1233 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: UNIVERSITY OF BIRMINGHAM. Downloaded on July 25,2020 at 03:41:05 UTC from IEEE Xplore. Restrictions apply.

[Fig. 5: four line plots, (a) Uplink, s = 112; (b) Uplink, s = 128; (c) Downlink, s = 112; (d) Downlink, s = 128; x-axis M (40 to 120), y-axis Uplink data (KBs) or Downlink data (KBs), one curve each for k = 1, 3, 7.]

Fig. 5. The amount of data transferred during GC phase, when s = 112, 128 and k = 1, 3, 7.

“BaseOTs” step takes over a second to complete. This is not surprising since it requires expensive public-key operations. Hence, it is justified to say that the location retrieval time in our real life experience (see Sec. 7.1) would be only about one second with a better integrated GC implementation.

The network step of Tab. 7(a) includes the time the server waits for the client to connect. With our implementation, the network time includes the time of the Paillier phase response and decryption since the server starts the GC phase immediately after the masking is done. The decryption takes 0.097 seconds (when T = 1) and we can estimate that the response takes roughly 30 ms. This gives the total time of the GC phase with our implementation, namely, 1346.04 + 366.31 − 97 − 30 = 1585.35 ms. We also measured the total time in the Android application and obtained 1584 ms, which is very well aligned with the benchmarking of ABY.

The communication overheads are shown in Tab. 7(b). The only one-time expense comes from the “BaseOTs” step, which requires 49.96 KBs in both directions. Most of the overheads for each query come from the setup step, which consists of the OTExtension and Garbling steps. The setup downlink overhead consists of the actual GC and dominates the overall communication overhead. The ABY benchmarks show that there are 28650 AND gates, which means that the circuit size is 2 · 128 · 28650/(8 · 1000) = 916.8 KBs. We can conclude that the downlink communication of the OTExtension step is negligible in the setup step but the uplink communication for each query is dominated by the OTExtension step. The online step consists of the server sending its inputs to the circuit to the client. Therefore, the downlink communication is dominant.

The measurements with vnstat show that the server received 117.42 KBs (uplink) and sent 1106.27 KBs (downlink). This is consistent with Tab. 7(b) having 93.63 and 1114.34 KBs, respectively.

8 CONCLUSION

We introduced a PPIL scheme based on secure two-party computation following the sketch in [19]. We proposed several optimization techniques and gave the theoretical overheads for the scheme. Furthermore, we implemented a PoC implementation for a basic Android device and experimented with it in a real environment. We measured the practical overheads of the implementation with databases of various sizes. They are small enough to consider the scheme as practical for certain applications. However, it is clear that the scheme cannot be used in every setting where indoor localization is used nowadays, or it at least requires some additional measures to fit in certain applications.

The idea of using Paillier encryption and garbled circuits for PPIL was shown to be feasible with certain reservations. The advantage of such a system is that the privacy relies fully on well-known cryptographic protocols providing cryptographic guarantees that the privacy of the inputs of both parties is protected. The drawback is the increment


in computational and communication overheads resulting in longer response delays, greater power consumption, and bigger data usage per query. The costs of privacy are easily noticeable and increase linearly with the building-related parameters (N and M). However, a simple tradeoff between efficiency and clients’ location privacy exists by splitting the area covered by the service into smaller sub-areas.

Our scheme is suitable for a service that provides clients with an application allowing them to make explicit location retrieval requests to locate themselves in buildings such as airports, hotels, and shopping malls. In such scenarios, the client can wait for a few seconds to retrieve the location and is unlikely to make several consecutive queries. Our PoC implementation was designed for such a scenario and it was demonstrated to be practical with real life experiments.

The scheme is infeasible when quick tracking of a fast object, such as a vehicle, is required. However, continuous tracking of walking speed movements could still be done by combining our scheme with tracking based on auxiliary information. E.g., an application may refresh the location every 5–10 seconds with our scheme and use, e.g., the motion sensors of a smartphone to track the movements between the queries. The overheads can also be mitigated with high performance devices, but other factors, such as power consumption and heat, may set up new practical limitations. On the other hand, we can safely assume that the performance of devices (i.e., smartphones and servers) continues to improve in the future together with other aspects such as faster communication and better batteries, consequently increasing the practical attractiveness of our scheme. Nevertheless, it is unlikely that our scheme will ever be feasible, e.g., for autonomous cars.

Topics for future research include at least the following:

• It is essential that APs or reference locations that have no or only minor effect on localization accuracy are pruned from the database to avoid unnecessary overheads. Optimal ways for such pruning and tradeoffs between database sizes and localization accuracy require further research.

• Hardware acceleration of critical operations on the server side can provide significant reductions for the server side delays. The expensive Paillier operations are the primary candidate for hardware acceleration. The GC phase utilizes mostly secret-key primitives, and existing instruction set extensions, e.g., for AES, can be used in a straightforward manner.

• Other additively homomorphic encryption schemes (e.g., [29], [30], [31], [52]) may perform better than Paillier encryption in certain settings and the use of other encryption schemes is worth investigating.

• SPs require specific incentives to deploy indoor localization schemes and these are often related to customer tracking and targeted advertising. Privacy-preserving location-based advertising (e.g., discount vouchers) may be added to our PPIL scheme, more precisely in the GC. Privacy-preserving collection of statistics about customers’ movements may also be built on top of our scheme, e.g., by using existing techniques for privacy-preserving data mining (see, e.g., [53], [54], [55]). Nevertheless, specific schemes should be developed to attract SPs to use PPIL schemes in practice.

• Other techniques for indoor localization exist besides RSS fingerprinting (e.g., angle-of-arrival, time-of-arrival, etc.). PPIL solutions for such techniques should also be studied and developed in the future.

ACKNOWLEDGMENTS

This work was funded by the INSURE project (303578) of Academy of Finland. We thank Matthias Senker and Christian Weinert from Technische Universität Darmstadt for helping to compile the ABY framework for Android devices.

REFERENCES

[1] C. K. Chung, I. Q. Chung, Y. H. Wang, and C. T. Chang, “The integrated applications of WIFI and APP used in the shopping mall environment for menber card E-marketing,” in Intl. Conf. on Machine Learning and Cybernetics (ICMLC 2016), 2016.
[2] T. Guan, L. Fang, W. Dong, Y. Hou, and C. Qiao, “Indoor localization with asymmetric grid-based filters in large areas utilizing smartphones,” in IEEE Intl. Conf. on Communications (ICC 2017), 2017.
[3] S. He, W. Lin, and S.-H. G. Chan, “Indoor localization and automatic fingerprint update with altered AP signals,” IEEE Transactions on Mobile Computing, 2017.
[4] C. Langlois, S. Tiku, and S. Pasricha, “Indoor localization with smartphones: Harnessing the sensor suite in your pocket,” IEEE CEM, 2017.
[5] A. Yassin, Y. Nasser, M. Awad, A. Al-Dubai, R. Liu, C. Yuen, R. Raulefs, and E. Aboutanios, “Recent advances in indoor localization: A survey on theoretical approaches and applications,” IEEE Communications Surveys and Tutorials, 2017.
[6] A. M. Ladd, K. E. Bekris, A. Rudys, L. E. Kavraki, and D. S. Wallach, “Robotics-based location sensing using wireless ethernet,” Wireless Networks, 2005.
[7] P. Tao, A. Rudys, A. M. Ladd, and D. S. Wallach, “Wireless LAN location-sensing for security applications,” in ACM Workshop on Wireless Security, 2003.
[8] A. M. Ladd, K. E. Bekris, A. P. Rudys, D. S. Wallach, and L. E. Kavraki, “On the feasibility of using wireless ethernet for indoor localization,” IEEE Transactions on Robotics and Automation, 2004.
[9] A. M. Ladd, K. E. Bekris, G. Marceau, A. Rudys, D. S. Wallach, and L. E. Kavraki, “Using wireless ethernet for localization,” in IEEE/RSJ Intl. Conf. on Intelligent Robots and Systems, 2002.
[10] A. Haeberlen, E. Flannery, A. M. Ladd, A. Rudys, D. S. Wallach, and L. E. Kavraki, “Practical robust localization over large-scale 802.11 wireless networks,” in MobiCom, 2004.
[11] J. Talvitie and E. S. Lohan, “Modeling received signal strength measurements for cellular network based positioning,” in Proc. Intl. Conf. on Localization and GNSS, ICL-GNSS 2013. IEEE, 2013, pp. 1–6.
[12] K. Chawla, C. McFarland, G. Robins, and C. Shope, “Real-time RFID localization using RSS,” in Proc. Intl. Conf. on Localization and GNSS, ICL-GNSS 2013. IEEE, 2013, pp. 1–6.
[13] L. Chen, H. Kuusniemi, Y. Chen, L. Pei, T. Kröger, and R. Chen, “Information filter with speed detection for indoor Bluetooth positioning,” in Proc. Intl. Conf. on Localization and GNSS, ICL-GNSS 2011. IEEE, 2011, pp. 47–52.
[14] A. S.-I. Noh, W. J. Lee, and J. Y. Ye, “Comparison of the mechanisms of the Zigbee’s indoor localization algorithm,” in Proc. ACIS Intl. Conf. on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, SNPD 2008. IEEE, 2008, pp. 13–18.
[15] A. Hakkarainen, J. Werner, M. Costa, K. Leppanen, and M. Valkama, “High-efficiency device localization in 5G ultra-dense networks: Prospects and enabling technologies,” in IEEE Vehicular Technology Conf. (VTC Fall). IEEE, 2015, pp. 1–5.
[16] S. M. Bellovin, R. M. Hutchins, T. Jebara, and S. Zimmeck, “When enough is enough: Location tracking, mosaic theory, and machine learning,” NYU Journal of Law & Liberty, 2013.


[17] H. Li, L. Sun, H. Zhu, X. Lu, and X. Cheng, “Achieving privacy preservation in WiFi fingerprint-based localization,” in IEEE INFOCOM 2014 - IEEE Conf. on Computer Communications, April 2014, pp. 2337–2345.
[18] P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” in Advances in Cryptology — EUROCRYPT ’99. Springer Berlin Heidelberg, 1999.
[19] Z. Yang and K. Järvinen, “The death and rebirth of privacy-preserving WiFi fingerprint localization with Paillier encryption,” in INFOCOM. IEEE, 2018, pp. 1223–1231.
[20] A. Konstantinidis, G. Chatzimilioudis, D. Zeinalipour-Yazti, P. Mpeis, N. Pelekis, and Y. Theodoridis, “Privacy-preserving indoor localization on smartphones,” in 2016 IEEE 32nd Intl. Conf. on Data Engineering (ICDE), May 2016, pp. 1470–1471.
[21] T. Zhang, S. S. M. Chow, Z. Zhou, and M. Li, “Privacy-preserving Wi-Fi fingerprinting indoor localization,” in Advances in Information and Computer Security (IWSEC 2016), 2016.
[22] Z. Yang and K. Järvinen, “The death and rebirth of privacy-preserving WiFi fingerprint localization with Paillier encryption,” Cryptology ePrint Archive, Report 2018/259, 2018.
[23] K. Järvinen, H. Leppäkoski, E. Lohan, P. Richter, T. Schneider, O. Tkachenko, and Z. Yang, “PILOT: Practical privacy-preserving indoor localization using OuTsourcing,” in IEEE European Symposium on Security and Privacy, IEEE EuroS&P, to appear.
[24] P. Bahl and V. N. Padmanabhan, “RADAR: An in-building RF-based user location and tracking system,” in INFOCOM, 2000.
[25] H. Liu, H. Darabi, P. Banerjee, and J. Liu, “Survey of wireless indoor positioning techniques and systems,” IEEE Transactions on Systems, Man, and Cybernetics, Part C (Applications and Reviews), vol. 37, no. 6, pp. 1067–1080, Nov 2007.
[26] A.-R. Sadeghi, T. Schneider, and I. Wehrenberg, “Efficient privacy-preserving face recognition,” in Proc. 12th Intl. Conf. on Information Security and Cryptology, ser. ICISC’09. Berlin, Heidelberg: Springer-Verlag, 2010, pp. 229–244.
[27] T. Seidl and H.-P. Kriegel, “Optimal multi-step k-nearest neighbor search,” SIGMOD Rec., vol. 27, no. 2, pp. 154–165, Jun. 1998.
[28] I. Damgård, M. Jurik, and J. B. Nielsen, “A generalization of Paillier’s public-key system with applications to electronic voting,” International Journal of Information Security, vol. 9, no. 6, pp. 371–385, Dec 2010.
[29] I. Damgård, M. Geisler, and M. Krøigaard, “Efficient and secure comparison for on-line auctions,” in Proc. 12th Australasian Conf. on Information Security and Privacy, ser. ACISP’07. Berlin, Heidelberg: Springer-Verlag, 2007, pp. 416–430.
[30] R. Cramer, R. Gennaro, and B. Schoenmakers, “A secure and optimally efficient multi-authority election scheme,” European Transactions on Telecommunications, vol. 8, no. 5, pp. 481–490, 1997.
[31] J. Dossogne and F. Lafitte, “Blinded additively homomorphic encryption schemes for self-tallying voting,” Journal of Information Security and Applications, vol. 22, pp. 40–53, 2015, special issue on Security of Information and Networks.
[32] C. E. Shannon, “Communication theory of secrecy systems,” The Bell System Technical Journal, vol. 28, no. 4, pp. 656–715, Oct 1949.
[33] A. Yao, “How to generate and exchange secrets,” in FOCS, 1986.
[34] T. Schneider, Engineering Secure Two-Party Computation Protocols: Design, Optimization, and Applications of Efficient Secure Function Evaluation. Springer Publishing Company, Incorporated, 2012.
[35] M. Bellare, V. T. Hoang, S. Keelveedhi, and P. Rogaway, “Efficient garbling from a fixed-key blockcipher,” in 2013 IEEE Symposium on Security and Privacy, May 2013, pp. 478–492.
[36] S. R. Tate and K. Xu, “On garbled circuits and constant round secure function evaluation,” University of North Texas, Tech. Rep., 2003.
[37] V. Kolesnikov and T. Schneider, “Improved garbled circuit: Free XOR gates and applications,” in Proc. 35th Intl. Colloquium on Automata, Languages and Programming, Part II, ser. ICALP ’08. Springer-Verlag, 2008, pp. 486–498.
[38] B. Pinkas, T. Schneider, N. P. Smart, and S. C. Williams, “Secure two-party computation is practical,” in Intl. Conf. on the Theory and Application of Cryptology and Information Security. Springer, 2009, pp. 250–267.
[39] S. Zahur, M. Rosulek, and D. Evans, “Two halves make a whole,” in Annual Intl. Conf. on the Theory and Applications of Cryptographic Techniques. Springer, 2015, pp. 220–250.
[40] D. Demmler, T. Schneider, and M. Zohner, “ABY - a framework for efficient mixed-protocol secure two-party computation,” in NDSS, 2015.
[41] Z. Yang and K. Järvinen, “Modeling privacy in WiFi fingerprinting indoor localization,” in ProvSec. Springer, 2018, pp. 329–346.
[42] V. Kolesnikov and R. Kumaresan, “Improved OT extension for transferring short secrets,” in Advances in Cryptology – CRYPTO 2013. Springer, 2013, pp. 54–70.
[43] G. Asharov, Y. Lindell, T. Schneider, and M. Zohner, “More efficient oblivious transfer and extensions for faster secure computation,” in Proc. 2013 ACM SIGSAC Conf. on Computer & Communications Security, ser. CCS ’13. New York, NY, USA: ACM, 2013, pp. 535–548.
[44] S. A. Cook and S. O. Aanderaa, “On the minimum computation time of functions,” Transactions of the American Mathematical Society, vol. 142, pp. 291–314, 1969.
[45] E. S. Lohan, J. Torres-Sospedra, H. Leppäkoski, P. Richter, Z. Peng, and J. Huerta, “Wi-Fi crowdsourced fingerprinting dataset for indoor positioning,” Data, vol. 2, no. 4, 2017.
[46] C. Koç, “Analysis of sliding window techniques for exponentiation,” Computers & Mathematics with Applications, vol. 30, no. 10, pp. 17–24, 1995.
[47] P. L. Montgomery, “Modular multiplication without trial division,” Mathematics of Computation, vol. 44, no. 170, pp. 519–521, 1985.
[48] P. C. Kocher, “Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems,” in Advances in Cryptology — CRYPTO 1996, ser. LNCS, vol. 1109. Springer, 1996, pp. 104–113.
[49] P. Richter, Z. Yang, O. Tkachenko, H. Leppäkoski, K. Järvinen, T. Schneider, and E. S. Lohan, “Received signal strength quantization for secure indoor positioning via fingerprinting,” in Proc. 2018 8th Intl. Conf. on Localization and GNSS (ICL-GNSS 2018), 2018.
[50] E. B. Barker, W. C. Barker, W. E. Burr, W. T. Polk, and M. E. Smid, “SP 800-57. Recommendation for key management, part 1: General (revised),” Gaithersburg, MD, United States, Tech. Rep., 2007.
[51] M. Abdalla, T. E. Bjørstad, C. Cid, B. Gierlichs, A. Hülsing, A. Luykx, K. G. Paterson, B. Preneel, A.-R. Sadeghi, T. Spies, M. Stam, M. Ward, B. Warinschi, and G. Watson, “Algorithms, key size and protocols report (2018),” ECRYPT - CSA, 2018.
[52] S. D. Galbraith, “Elliptic curve Paillier schemes,” Journal of Cryptology, vol. 15, no. 2, pp. 129–138, 2002.
[53] R. Agrawal and R. Srikant, Privacy-preserving data mining. ACM, 2000, vol. 29, no. 2.
[54] Y. Lindell and B. Pinkas, “Privacy preserving data mining,” Journal of Cryptology, vol. 15, no. 3, 2002.
[55] C. C. Aggarwal and P. S. Yu, A General Survey of Privacy-Preserving Data Mining Models and Algorithms. Springer US, 2008, pp. 11–52.

Raine Nieminen received the M.Sc. (Tech.) degree in computer, communication and information sciences from Aalto University in Finland in 2018. He had short-term Research and Teaching Assistant positions in Aalto University in 2016 and 2017. In 2018, he was a full-time Research Assistant with the Department of Computer Science in University of Helsinki in Finland. Since 2019, he has been a Security Specialist in Insta Digital in Finland. His research interests lie in the domains of security and cryptography.

Kimmo Järvinen received the M.Sc. (Tech.) and D.Sc. (Tech.) degrees in electrical engineering from Helsinki University of Technology (TKK) in Finland in 2003 and 2008, respectively. From 2008 to 2013 and from 2015 to 2016, he was a postdoctoral researcher in the Department of (Information and) Computer Science in Aalto University in Finland. From 2014 to 2015, he was with the COSIC Group in KU Leuven ESAT in Belgium. Since 2016, he has been a Senior Researcher with the Department of Computer Science in University of Helsinki in Finland. His research interests lie in the domains of security, cryptography, and cryptographic engineering.
