Sillcom: A Communication-Efficient Privacy-Preserving Scheme for Indoor Localization

Abstract

This paper presents Sillcom, a high-performance secure indoor localization scheme designed to minimize both communication and computational costs while preserving participants’ privacy. Unlike existing privacy-preserving indoor localization techniques, which suffer from high computational overhead and excessive communication, Sillcom integrates replicated secret sharing and function secret sharing in an outsourcing model to achieve significantly lower online communication overhead. A multi-branch tree structure and multi-thread parallelism further optimize both the offline and online phases. Experimental results demonstrate that Silcom outperforms the state-of-the-art online-efficient scheme FAPRIL, reducing online communication by a factor of 15 and end-to-end query time by 75%.

1. Introduction

Location-Based Services (LBSs) have become an integral part of modern life, offering a wide range of functionalities that enhance the convenience, efficiency, and personalization of everyday tasks. From outdoor navigation for driving and walking, to real-time tracking of assets and people, LBSs are crucial in industries such as logistics, transportation, tourism, and healthcare. These services help businesses optimize operations, improve customer experiences, and enable new business models, such as location-based advertising. With the widespread adoption of smartphones and connected devices, LBSs are now deeply embedded in how people interact with their environment, whether it is finding the nearest restaurant, sharing location with friends, or getting directions in an unfamiliar area.

While Global Navigation Satellite Systems (GNSSs) like GPS or Galileo have made outdoor localization ubiquitous, their effectiveness diminishes significantly in indoor environments, where obstacles such as walls and ceilings disrupt signal reception. This limitation has spurred the development of various indoor localization (IL) techniques [1], which leverage technologies such as WiFi [2,3], Bluetooth [4], RFID [5], and cellular networks [6]. Among these, WiFi fingerprinting has emerged as a widely adopted solution due to the widespread deployment of WiFi infrastructure and the ability of mobile devices to measure WiFi signal strengths.

WiFi-based localization relies on measuring the received signal strengths (RSSs) from multiple WiFi access points (APs) within the environment [7,8]. The key idea is to use the strength of the WiFi signals received from various APs, which vary depending on the distance between the user and the APs. These RSS values are then compared to a pre-established database known as a “fingerprint” database. This database contains the signal strengths of different APs measured at known locations called reference points (RPs) in the area. By matching the current RSSs with those in the database, the user’s position can be estimated accurately. This method is particularly useful in indoor environments where GPS signals are unavailable or unreliable.

Despite the advancements in IL techniques, privacy concerns remain a major challenge. Most IL methods require users to send their real-time location-dependent measurements (e.g., WiFi RSSs) to a server, where localization is performed. This setup poses significant privacy risks: (1) user privacy leakage: the server can track the user’s movement patterns inside the building; (2) service provider control: users have limited control over how their location data is stored and processed. Moreover, location data is highly sensitive and can be exploited to infer users’ identities, habits, and even predict their future movements. Given the increasing regulatory requirements (e.g., GDPR [9]), there is a strong need for privacy-preserving indoor localization solutions.

To mitigate privacy risks, privacy-preserving indoor localization (PPIL) techniques have been proposed [10,11,12,13,14]. These solutions aim to prevent unauthorized tracking while still enabling accurate indoor localization. However, existing PPIL methods face significant challenges that limit their practical adoption: High computational overhead leads to excessive processing time, making real-time localization infeasible [10,11,12,15]. Excessive communication costs result in network inefficiencies and scalability issues, especially in large-scale or dense deployments [13,14,16]. Trade-offs between security and performance often undermine the privacy guarantees, resulting in schemes that may be vulnerable or unreliable [17]. These limitations—high computation, heavy communication, and weakened security—collectively hinder the practical deployment and effectiveness of current PPIL solutions.

This motivates us to design a more efficient secure indoor localization scheme while ensuring the privacy of both users and the data owner. Specifically, we first aim to minimize the user-side overhead, as user devices are typically resource-constrained, such as mobile phones. Second, we focus on having the computational server provide the service with low communication cost. Compared to the computational resources that can be added locally, limited bandwidth resources will constrain the throughput and scalability of schemes with high communication overhead. Third, we aim to further reduce the computational cost on the server side, particularly when computational overhead becomes the performance bottleneck. Overall, our design seeks to minimize the end-to-end query time for users to enhance the reliability and effectiveness of secure indoor localization, a task that requires real-time performance.

1.1. Our Contributions

To achieve the above goals, we design a high-performance secure indoor localization scheme in this paper. The main contributions are listed as follows:

• Overall, we propose Sillcom, which combines replicated secret sharing and function secret sharing in the outsourcing model, with the aim of reducing the user’s computational burden and minimizing server online communication cost, thus enabling secure indoor localization with low communication.
• To further enhance performance, we employ a multi-branch tree structure and multi-thread parallelism to optimize both offline phase overhead and online query time.
• We validate the performance of Sillcom through extensive experiments. Compared to the state-of-the-art scheme, FAPRIL [14], our improved design provides secure localization services with 1/15 of the online communication and 1/4 of the end-to-end query time.

1.2. Organization

The organization of this work is presented as follows. Section 2 reviews related works, and Section 3 formalizes our research problem. Section 4 provides background on indoor localization, secret sharing, and function secret sharing. In Section 5, we present Sillcom_3R, which requires only three rounds of online communication, followed by the improved scheme Sillcom_trd in Section 6, which balances computational and communication overhead. Section 7 and Section 8 offer a detailed analysis of our scheme from theoretical and experimental perspectives. Finally, we conclude the paper and discuss future work in Section 9.

2. Related Works

In this section, we provide an overview and summary of the related works in the PPIL field, with a detailed comparison presented in

Table 1. Comparison of existing PPIL schemes. In the Security column, × indicates that the scheme has security flaws, while 🗸 denotes that the scheme is secure.

Scheme	Technique	Query Time	Communication	Security
[10]	Paillier	Slow	Middle	×
[11]	Paillier + OT	Middle	Middle	🗸
[18]	Paillier + GC	N/A	High	🗸
[19]	Paillier + GC	N/A	High	🗸
[15]	Paillier + DGK	Slow	Middle	🗸
[13]	GC + OT	Fast	High	🗸
[12]	Paillier	Slow	Middle	🗸
[16]	Paillier + GC	Slow	High	🗸
[14]	Delta sharing + GC	Fast	High	🗸
[20]	IPE	Slow	Middle	🗸
[17]	IPE + LSH	Fast	High	× Access Pattern
${\mathrm{Sillcom}}_{3R}$	RSS + FSS	Middle	Low	🗸
${\mathrm{Sillcom}}_{trd}$	RSS + FSS	Fast	Low	🗸

.

Research on PPIL dates back to 2014. PriWFL [10] used Paillier encryption [21] to protect the privacy of participants in a client–server setting, but this design was later proven to be insecure [18]. In the same year, a design combining Paillier encryption and oblivious transfer (OT) [22,23] leveraged location information from other users for positioning [11]. However, in their design, the computational burden required of users was too high.

Three subsequent works combined Paillier encryption with garbled circuits (GC) [24,25] for PPIL design. Yang et al. [18] also discussed the weaknesses of some previous designs, but these were only analyzed and discussed theoretically, without experimental validation of their proposed solution’s performance. On the other hand, Richter et al. [19] focused on discussing methods to reduce the representation bit length of RSS values through techniques such as quantization to lower the overhead. While theoretical performance improvements were achieved, they too did not conduct experimental validation. Nieminen et al. [16] further employed optimizations such as precomputation by users and servers, as well as Paillier ciphertext packing, to reduce costs. They also experimentally validated the specific performance of their approach. However, the computational overhead of homomorphic encryption and the communication overhead introduced by garbled circuits still resulted in overall performance that was less than ideal.

Quijano et al. [15] extended the homomorphic encryption-based algorithm to further include the DGK cryptosystem [26]. However, the performance overhead of their solution was substantial, with users bearing a heavy burden of homomorphic computations. As a result, even on small datasets, queries took tens of seconds to complete.

Pilot [13] implemented the first practical design under the outsourcing model. They based their solution on the ABY framework [27], utilizing garbled circuits and oblivious transfer, and validated the performance of the scheme across multiple distance metrics. Through various combinations of MPC optimization techniques, their solution achieved a feasible user query time. However, the computational servers incurred huge communication overhead, which significantly impacted the throughput and scalability of their scheme.

Zhang et al. [12] further considered stronger security settings and extended the Paillier-based design to achieve malicious security. However, similar to previous works, the computational overhead became the performance bottleneck of their design.

FAPRIL [14] integrates Delta sharing [28] and garbled circuits to design a two-party PPIL scheme. While Delta sharing optimizes the communication overhead for distance computation in the online phase and garbled circuits reduce the number of online communication rounds for top-k computation, the use of correlated OT for generating multiplication triples introduces additional offline communication. Moreover, the communication bandwidth consumed by evaluating garbled circuits in the online phase further limits the query performance and scalability of the scheme.

Wang et al. [20] employed inner product encryption (IPE) for their design in a cloud outsourcing computing scenario. However, their solution still required several hundred milliseconds to perform a secure localization query, even when the number of anchors was small (three or eight).

Wang et al. [17] also designed a sublinear query scheme by introducing an HNSW-based retrieval structure. Although their retrieval algorithm hides the real Euclidean distances by computing them through IPE, it still leaks the user’s query access pattern, which is a common privacy leakage issue in sublinear kNN query schemes.

Therefore, we used FAPRIL [14], which guarantees both security and concrete performance, as our comparative benchmark.

In addition to the cryptographic-based schemes introduced above, there are also designs based on anonymization techniques [29,30], differential privacy [31,32], and federated learning [33,34]. These approaches adopt different technical methodologies and are considered parallel to cryptography-based designs. Specifically, anonymization and differential privacy typically rely on data perturbation or obfuscation mechanisms, while federated learning distributes the training process without directly sharing raw data. In contrast, cryptography-based schemes aim to achieve strong, provable security guarantees through secure computation protocols. Since these approaches are built upon fundamentally different threat models, system architectures, and privacy definitions, this paper does not analyze or compare them in detail. We recommend [35] for further insights.

3. Problem Statement

System architecture (Figure 1). Our protocol consists of three computing parties: $P_0, P_1,$ and $P_2$. It follows an offline/online paradigm, offloading part of the computational and communication burden to a setup phase to improve efficiency during the online phase. Moreover, in the setup phase, the data owner (DO) distributes secret shares of the dataset to the computing parties. At the beginning of the online phase, users obtain their RSS vectors through APs and secretly share them among the three computing parties.

Threat model and design goals. Our protocol assumes a non-colluding computing server setting, allowing at most one server to be corrupted. It is designed to achieve accuracy, privacy, and efficiency. In terms of privacy, the primary requirements are that the dataset remains hidden from both the computing parties and users, while users’ query indexes and query results are kept confidential from the computing parties and the data owner.

Problem Formalization. The user first measures and obtains their location representation RSSs data via APs, then securely sends the RSSs data to computational servers. The computational servers, based on the RSS data of RPs obtained from the data owner during the offline phase, first calculate the k nearest RPs to the user. Then, the average of the coordinates of these k RPs is computed to determine the user’s location coordinates.

4. Preliminaries

4.1. Notation

We summarize our notations in

Table 2. Terms and notations.

Notations	Descriptions
$\lambda$	Security parameter, =128
$P_i$	Computing servers, $i\in \left\{0,1,2\right\}$
n	Number of access points
m	Number of reference points
$m^{\prime }$	Subset size for two-layer ${\mathrm{Sillcom}}_{trd}$
k	Number of nearest neighbors as result
$l_{RSS}$	Bit-length of $f_{ij}$
l	Bit-length of $f_{ij}$ in secure computation
$l_r$	Bit-length for ranks
$\Pi$	Secure protocol
$k^{<}$	FSS key for comparison

.

4.2. WiFi Fingerprint-Based Localization

WiFi fingerprint localization is typically divided into two phases: reference point dataset construction and user localization query. Below, we provide a detailed explanation of the computational process and its formalization.

In the reference point dataset construction phase, the DO first determines n fixed access points and measures the received signal strengths at m RPs. The physical location of each RP is represented by the coordinate $X_i=[x_i,y_i]$ (or $[x_i,y_i,z_i]$ in a three-dimensional scenario), and its WiFi fingerprint consists of an RSS vector $V_i$ received from n APs. Finally, the fingerprint database $\mathcal{D}$ is constructed as follows:

$$\mathcal{D}=\left\{(X_i,F_i)\right|i=1,2,\dots ,m\},$$

(1)

where $F_i=[f_{i1},f_{i2},\dots ,f_{in}]$ records the RSS values received from n APs at location $X_i$.

In the user localization query phase, the user device measures the WiFi signal strength from n APs, forming the fingerprint $F_q=[f_{q1},f_{q2},\dots ,f_{qn}]$ and transmits it to the localization server. The server computes the distances between $F_q$ and all stored fingerprints $F_i$ in the database and employs top-k to find the k closest reference points $\{X_{i_1},\dots ,X_{i_k}\}$. Finally, the user location is determined by computing the average coordinates of these reference points.

Various distance metrics have been studied and applied in WiFi-based indoor localization, including Manhattan distance, Sørensen distance, and others [13]. To optimize performance, this paper adopts Euclidean distance as the distance metric for comparison.

4.2.1. Parameter Settings

According to the aforementioned computational process, multiple parameters influence both query accuracy and query performance, particularly in secure query scenarios.

First, the number of access points (n) and the number of reference points (m) determine the vector length for each distance computation and the total number of distance computations, respectively. This paper followed the settings from multiple WiFi fingerprint-based designs [13,14], where $n\in [50,250]$ and $m\in [100,800]$.

Second, k determines the number of nearest neighbors selected. Studies have shown that a small k is sufficient to ensure query accuracy in indoor localization scenarios [36,37]. Similar to prior works, we adopted $k=3$ and $k=4$.

Finally, the bit length used to represent the signal strength value $v_{i1}$ also impacts performance. Related studies indicate that quantizing $f_{ij}$ to 4 bits achieves comparable accuracy [14] to the unquantized values. Therefore, we adopted this parameter setting in our work as well.

4.3. Secret Sharing

In this paper, we mainly considered ring ${\mathbb{Z}}_{2^l}$.

A two-out-of-two additive secret sharing scheme [38] over ${\mathbb{Z}}_{2^l}$, referred to as 2P-ASS, splits a ring element x into random shares ${\langle x\rangle }_0^l$ and ${\langle x\rangle }_1^l$ with the only constraint being that ${\langle x\rangle }_0^l+{\langle x\rangle }_1^l\equiv x\mathrm{mod}{2}^l$.

Three-out-of-three additive secret sharing, referred to as 3P-ASS, similarly splits $x\in {\mathbb{Z}}_L$ into random shares into random shares ${\left[x\right]}_0^l$, ${\left[x\right]}_1^l$, ${\left[x\right]}_2^l$, such that ${\left[x\right]}_0^l+{\left[x\right]}_1^l+{\left[x\right]}_2^l\equiv x\mathrm{mod}{2}^l$.

A two-out-of-three replicated secret sharing scheme (RSS) [39,40], denoted as $\left[\right[·\left]\right]-$sharing, splits x into 3 random parts satisfying $x_0+x_1+x_2\equiv x\mathrm{mod}{2}^l$. Each party $P_b$, $b\in \left\{0,1,2\right\}$, holds ${\left[\left[x\right]\right]}_b^{2^l}=({\left[x\right]}_b^{2^l},{\left[x\right]}_{(b+1\mathrm{mod}3)}^{2^l})$.

For simplicity, we omit the superscript L where the context makes it unambiguous.

4.4. Function Secret Sharing

Unlike sharing values between parties above, function secret sharing [41,42] splits function f into separate keys. Each party evaluates its own key locally with public input value x and generates a secret share of $f\left(x\right)$. Note that parties can not infer any information about function f only from their own keys.

Definition 1

(Function Secret Sharing, FSS). A two-party FSS scheme is a pair of algorithms (Gen, Eval) such that

• A PPT key generation algorithm $\mathit{Gen}(1^{\lambda },\widehat{f})$ inputs security parameter λ and $\widehat{f}\in {\{0,1\}}^{*}$ (description of a function f), then outputs a pair of FSS keys $k_0^f$ and $k_1^f$.
• A polynomial time evaluation algorithm $\mathit{Eval}(k_b,b,x)$ inputs $P_b$’s FSS key $k_b$, $b\in \left\{0,1\right\}$, and evaluates on $x\in {\mathbb{G}}^{in}$, then outputs a value $f_b\left(x\right)\in {\mathbb{G}}^{out}$, which satisfies $f\left(x\right)=f_0\left(x\right)+f_1\left(x\right)$.

FSS schemes should satisfy two properties: correctness and security. We recommend [41,42,43] for more details.

4.4.1. Secure Computation with FSS in the Preprocessing Model

Boyle et al. [44,45] observe that FSS can be used to perform two-party secure computation with optimal online communication. However, the generation of FSS keys either requires a trusted third party or relies on expensive distributed generation. Wagh [46] extends this approach to a three-party setting, where one party generates and distributes FSS keys to the other two parties in the offline phase.

A computation function is represented as a circuit, where $f_i$ denotes the gates to be evaluated, and $w_i$ represents input and output wires. Each gate maps an input from a group ${\mathbb{G}}^{in}$ to an output in a group ${\mathbb{G}}^{out}$, where gates with multiple input or output wires can be represented using product groups. To ensure secure gate computation, an offset function is used to conceal the inputs and outputs. We first introduce the following definition.

Definition 2

(Offset Function and FSS Gate). Let $\mathcal{G}=\{g:{\mathbb{G}}^{\mathrm{in}}\to {\mathbb{G}}^{\mathrm{out}}\}$ be a computation gate; the offset function family $\widehat{\mathcal{G}}$ of $\mathcal{G}$ is given by

$$\widehat{\mathcal{G}}:=\left\{g^{\left[{\mathrm{r}}^{\mathit{in}},{\mathrm{r}}^{\mathit{out}}\right]}:{\mathbb{G}}^{\mathit{in}}\to {\mathbb{G}}^{\mathit{out}}\mid \begin{array}{c}g:{\mathbb{G}}^{\mathit{in}}\to {\mathbb{G}}^{\mathit{out}}\in \mathcal{G},\hfill \\ {\mathrm{r}}^{\mathit{in}}\in {\mathbb{G}}^{\mathit{in}},{\mathrm{r}}^{\mathit{out}}\in {\mathbb{G}}^{\mathit{out}}\hfill \end{array}\right\}$$

$\mathit{where}{g}^{\left[r^{\mathit{in}},r^{\mathit{out}}\right]}\left(x\right):=g(x-r^{\mathit{in}})+r^{\mathit{out}}.$

The term FSS gate for $\mathcal{G}$ denotes an FSS scheme for the corresponding offset function family.

We describe the high-level idea using Wagh’s three-party model.

Offline Stage. For a gate g where the input and output wires are $w_i$ and $w_j$, $P_2$ generates the FSS keys $(k_0^g,k_1^g)$ corresponding to the offset function $g^{\left[r_{\mathrm{i}},r_{\mathrm{j}}\right]}\left(x\right):=g(x-r_{\mathrm{i}})+r_{\mathrm{j}}$, where $r_{\mathrm{i}}$ and $r_{\mathrm{j}}$ are the random masks for $w_i$ and $w_j$ sampled by $P_2$. The resulting triplet $(k_b^g,{\langle r_i\rangle }_b,{\langle r_j\rangle }_b)$ is then distributed to $P_b$, $b\in \{0,1\}$.

Online Stage. To obtain the correct result, $P_b$ also needs to perform an offset shift on the input to the FSS evaluation function. After obtaining the secret share of $x_i$, $P_b$ computes ${\langle x_i\rangle }_b+{\langle r_i\rangle }_b$ and sends it to $P_{1-b}$. Both parties now can reveal the same offset input $x_i+r_i$, evaluate the corresponding FSS key, and obtain the share of $g\left(x_i\right)$ via $\mathbf{Eval}(k_b^g,b,x_i+r_i)-{\langle r_j\rangle }_b$.

4.4.2. Distributed Comparison Function

As special cases of FSS, the distributed point function and distributed comparison function have been extensively applied in this paper.

Definition 3

(Distributed Comparison Function, DCF). A comparison function $f_{\alpha ,\beta }^{<}\left(x\right):{\{0,1\}}^n\to {\mathbb{G}}^{out}$ takes input $x\in {\{0,1\}}^n$ and output $\beta \in {\mathbb{G}}^{out}$ if $x<\alpha$ and 0 otherwise. FSS schemes for comparison functions are called distributed comparison functions.

Concrete Cost of DCF [44]. Let $G_q:{\{0,1\}}^{\lambda }\to {\{0,1\}}^{4\lambda +2}$ be a length-quadrupling PRG, which can be implemented using four calls to fixed-key AES in counter mode. DCFs can be achieved from n calls to $G_q$ with key size $\lambda +n(\lambda +2m+2)+m$ and Eval invokes half-$G_q$n times.

${\Pi }_{CMP}(x,y)$ compares 2P-ASS shared $x,y\in {\{0,1\}}^l$ and outputs $gt$, where $gt=0$ if $x<y$, otherwise $tt=0$. Ref. [45] presents a design using a single DDCF key, a variant of DCF, achieving online communication of l bits in one round.

5. Sillcom_3R: Basic Design with Three Online Rounds

5.1. Overview of Sillcom_3R

We first give a high-level overview of Sillcom_3R. Indoor localization can be decomposed into three submodules: distance computation, top-k ranking, and top-k result selection. Research on these submodules also focuses on optimizing communication and computation overhead while ensuring efficient end-to-end performance. For distance computation, we employ RSS to ensure that communication overhead does not increase with the number of APs n, while maintaining lightweight computation. The top-k ranking and selection stages involve secure comparison and selection operations, which are inherently nonlinear and often constitute a performance bottleneck in secure computation. To address this performance issue, we transition the three computing servers into an asymmetric mode and utilize FSS to securely compute these nonlinear components. This results in our Sillcom, which requires only three rounds of online communication. In the following, we introduce those blocks separately.

5.2. Communication-Efficient Distance Computation via RSS ${\Pi }_{SED}$

Since square root operations are costly in MPC, we adopt the squared Euclidean distance, which preserves relative ordering, as the distance metric for comparison.

In distance computation, computing the dot product of inputs with dimension n requires n multiplications. Homomorphic multiplication incurs high computational costs, and designs based on secret sharing frameworks such as ABY [27] require certain communication overhead in both offline and online phases for each multiplication. In our three-party setting, the communication overhead of multiplication using RSS arises from share reconstruction after local computation. As a result, the n reconstruction steps in dot product computation can be compressed into only one single data transmission, making the communication cost of dot product computation independent of the dimension n. Algorithm 1 provides details on the squared Euclidean distance computation.

Algorithm 1 Secure square Euclidean distance computation via RSS ${\Pi }_{SED}$

Input:  RSS shared fingerprints $F_i$ of $R{P}_i$ and $F_q$ of client, $i\in \left[m\right]$. Output: RSS shared square Euclidean distance between $F_i$ and $F_q$.   Offline preprocessing:  1: DO RSS share fingerprints $F_i$ to three computing servers $P_0$, $P_1$ and $P_2$, $i\in \left[m\right]$.   Online computing:  1: Client RSS shares fingerprint $F_q$ to $P_0$, $P_1$ and $P_2$.  2: for $i\leftarrow 1$ to m do  3:    Server $P_b$ locally computes ${\left[\left[f_{ij}\right]\right]}_b$ − ${\left[\left[f_{qj}\right]\right]}_b$, $j\in \left[n\right]$, $t\in \left[3\right]$,.  4:    $P_b$ gets 3P-ASS share of square Euclidean distance $d_{iq}$ between $F_i$ and $F_q$ by locally   computing ${\left[d_{iq}\right]}_b={\sum }_{j=1}^n({({\left[\left[f_{ij}\right]\right]}_b-{\left[\left[f_{qj}\right]\right]}_b)}^2+2·({\left[\left[f_{ij}\right]\right]}_b-{\left[\left[f_{qj}\right]\right]}_b)·({\left[\left[f_{ij}\right]\right]}_{b+1}-{\left[\left[f_{qj}\right]\right]}_{b+1}))$.  5:     Servers perform RSS construction with compressed communication in one round.  6: end for

5.3. Round-Efficient Secure Top-k Ranking via FSS ${\Pi }_{Rank}$

An important contribution to the high overhead of nonlinear modules in secure computation is the high round complexity. In particular, when performing a comparison between two l-bit values, the computation typically involves bit decomposition followed by bitwise comparisons, resulting in $O\left(l\right)$ communication rounds [27,47]. Although some works use optimized circuits to reduce the number of communication rounds to $logl$ [28,48], the network latency introduced by communication rounds remains significantly higher than the computation time. Additionally, selecting the top-k from m values requires an efficient organization of comparisons, such as the commonly used binary tree structure for top-1 selection. When communication rounds are the bottleneck, increasing parallelism at the cost of additional computation is a viable optimization strategy. This section focuses on designing a secure ranking protocol that requires only one round of communication to determine the rank of each value in a set, while Section 6.1 will discuss the tradeoff of reducing computation by increasing communication rounds when computation becomes the bottleneck, allowing for adaptation to different application scenarios.

Boyle et al. proposed a novel approach for secure comparison in the preprocessing model using FSS [44,45]. Unlike the symmetric structure used for RSS computation in Figure 2 and Figure 3 provides an intuitive illustration of its asymmetric computation structure in a three-party setting: $P_2$ is responsible for generating DDCF keys (a simple variant of DCF keys) during the offline phase and distributing them to $P_0$ and $P_1$. In the online phase, $P_0$ and $P_1$ only require a single round of communication, where each party sends a single message to complete the secure comparison.

Building on this foundation, a naive approach is to compare all m values pairwise, where each value computes its rank by summing the results of the $m-1$ comparisons involving itself. Figure 4 and Figure 5 provide an intuitive illustration of this process. Taking $d_1$ as an example, it is compared with the other $m-1$ distance values, and the sum of these comparison results determines its rank in the distance set.

Discussion. The above naive approach requires $O\left(m^2\right)$ secure comparisons, with a computational cost of $O\left(m^2\right)$ DDCF key evaluations, which translates to $O\left(m^2·l\right)$ PRG invocations. Although the online communication still consists of a single round, since each pairwise DDCF key evaluation requires exchanging one value, both $P_0$ and $P_1$ need to send $O\left(m^2\right)$ values of length l bits to each other during the online phase.

Reducing Communication to $\mathcal{O}\left(n\right)$

To reduce this quadratic communication cost, we adopt optimization from [49]: as illustrated in Figure 5, taking the comparison between $d_i$ and all remaining points as an example, Instead of randomly generating DDCF keys for each comparison, i.e., $d_i$ and $d_s$ where $s\ne i$, we first assign a fixed random mask to each distance and then generate the DDCF keys based on the difference between the random masks of each pair of distances $d_i$ and $d_s$. This optimization eliminates the need for sending one element per comparison and reduces communication to just one element for each distance involved in the ranking process. While the resulting pairwise comparisons still require $O\left(m^2\right)$ DDCF computation, the online communication is significantly reduced from $O\left(m^2\right)$ to $O\left(m\right)$. Algorithm 2 provides details on secure ranking via FSS.

Algorithm 2 Secure ranking via FSS ${\Pi }_{rank}$

Input: 2P-ASS shared $d_{iq}$, $P_b$ holds ${\langle d_{iq}\rangle }_b$, $b\in \{0,1\}$, $i\in \left[m\right]$. Output: $P_b$ gets 2P-ASS shared $({\langle ran{k}_{1q}\rangle }_b,\dots ,{\langle ran{k}_{mq}\rangle }_b)$, $ran{k}_{iq}$ denotes rank of $d_{iq}$.   Offline preprocessing:  1: $P_2$ generates m random masks $(r_0,\dots ,r_{m-1})$.  2: for $i\leftarrow 0$ to $m-1$ do  3:     for $j\leftarrow i$ to $m-1$ do  4:         $P_2$ generates DDCF keys: $(k_0^{i,j},k_1^{i,j})\leftarrow {\mathrm{Gen}}^{DDCF}(1^{\lambda },f_{(r_i-r_j)})$.  5:         $P_2$ sends $k_b^{i,j}$ to $P_b$, $b\in \{0,1\}$.  6:     end for  7: end for   Online computing:  1: $P_0$ and $P_1$ exchange m values to get m masked distances $d_{iq}+r_i$, $i\in \left[m\right]$.  2: for $i\leftarrow 0$ to $m-1$ do  3:     for $j\leftarrow i$ to $m-1$ do  4:         $P_b$ computes 2P-ASS shared $1\{d_{iq}>d_{jq}\}$: ${\langle g{t}_{ij}\rangle }_b={\mathbf{Eval}}^{\mathrm{DDCF}}(b,d_{iq}+r_i,d_{jq}+r_j)$.  5:     end for  6:     $P_b$ gets 2P-ASS shared rank of $d_{iq}$: ${\langle ran{k}_{iq}\rangle }_b={\sum }_{j=1}^m{\langle g{t}_{ij}\rangle }_b$.  7: end for

5.4. Secure Selection via Secure Shuffle ${\Pi }_{Shuffle}$

The remaining challenge is how to obliviously select the top-k distances from the secret-shared ranks. Inspired by [49], we also adopt the shuffle-then-reveal paradigm. The shuffle-based secure selection operates on the principle that, given a secret-shared distance set $(d_1,\dots ,d_m)$, applying a secure shuffle before ranking prevents an adversary from linking specific distances to their corresponding ranks. As a result, the ranks of the secret distances can be safely revealed, facilitating the identification of the ith nearest neighbor and the data points eligible for pruning based on their public ranks, while keeping the actual distances and associated payloads (coordinates) confidential. As discussed in Section 4, recent results [50,51] have demonstrated that three-party secure shuffling can be performed in two rounds with low computation, making this approach practical and efficient. We provide details on sthe ecure shuffle Algorithm A1 in Appendix A.

5.5. Eliminating RSS Reconstruction to Reduce One Round

The communication in RSS distance computation comes from the share reconstruction performed by the three computing parties. After reconstruction, the RSS distance needs to be converted into the input for the secure shuffle algorithm. We observe that performing RSS share reconstruction is entirely redundant—i.e., the 3P-ASS shared distance values obtained after RSS computation can be directly transformed into the input of the secure shuffle algorithm with just one round of communication. Since $P_2$ holds the complete random permutation $\Pi$ and the three-party shares of the computed distances, it can apply the random permutation to its share and send the permuted share to $P_0$ and $P_1$ in a single communication round. We note that the one round of communication in the share conversion phase can be merged into the two rounds of communication in secure shuffling. We detail this process in Algorithm 3.

Algorithm 3 Share conversion ${\Pi }_{SC}$

Input:  $P_2$’s 3P-ASS shared distance vector ${\left[d_0\right]}_2,\dots ,{\left[d_{m-1}\right]}_2$. Output: $P_0$ and $P_1$ each gets 2P-ASS share of shuffled $\pi ({\left[d_0\right]}_2,\dots ,{\left[d_{m-1}\right]}_2)$.   Offline preprocessing:  1: $P_2$ samples m random values $(r{p}_0,\dots ,r{p}_{m-1})$.  2: $P_2$ samples random permutation $\pi \in \left[m\right]\to \left[m\right]$.   Online computing:  1: $P_2$ perform $\pi (r{p}_0,\dots ,r{p}_{m-1})$ and sends to $P_0$.  2: $P_2$ perform $\pi ({\left[d_0\right]}_2-r_0,\dots ,{\left[d_{m-1}\right]}_2-r_{m-1})$ and sends to $P_1$.

5.6. Putting It All Together

We now present an overall description of Sillcom_3R in Algorithm 4. First, after receiving the RSS shared fingerprints sent by the user and the DO, the three computing servers perform distance computation, which requires only local computation without RSS reconstruction. Then, through share conversion, the 3P-ASS shared distances from the distance computation are transformed into a format suitable for the secure shuffle algorithm. After two rounds of communication, the distance vector of m values is randomly shuffled. Finally, the shuffled distance vector undergoes pairwise comparisons based on FSS, and the sorting result is revealed in one round of communication to obtain the top-k values. The corresponding coordinates are then averaged to determine the user’s location.

Algorithm 4 Three online round Sillcom3R

Input: RSS shared fingerprints $F_i$ of $R{P}_i$ and $F_C$ of client, $i\in \left[m\right]$. Output: Client gets location coordinates.   Offline preprocessing:  1: $P_2$ prepares DDCF keys, random permutations and random values.   Online computing:  1: Servers perform ${\Pi }_{SED}$ without RSS reconstruction to get m 3P-ASS shared distances.  2: Servers perform ${\Pi }_{SC}$ to convert 3P-ASS shared distance vector into 2P-ASS shared.  3: Servers perform ${\Pi }_{Shuffle}$ to randomly shuffle distance vector.  4: Servers perform ${\Pi }_{rank}$ to get top-k RPs and get their average coordinates as client’s indoor location.

6. Sillcom_trd: Customized Optimization with Computation/Communication Tradeoff

As previously mentioned, the design of Sillcom_3R aims to reduce the number of communication rounds based on the premise that, when the computational cost is relatively low, communication rounds have a greater impact on end-to-end execution time. Specifically, [52,53] states that the amortized time for each invocation of fixed-key AES is only 10 clock cycles, whereas real-world network latency typically exceeds 0.1 ms. This disparity of several orders of magnitude allows Sillcom_3R to minimize the impact of communication latency as the bottleneck when m is small.

However, as m increases, the computation of $O\left(m^2\right)$ DDCF keys, which corresponds to $O\left(m^2·l\right)$ fixed-key AES computations, gradually approaches or even exceeds the communication delay. To address this computation bottleneck, we propose an alternative design, ${\mathrm{Sillcom}}_{trd}$, which reduces computational overhead by increasing the number of communication rounds. This tradeoff enables faster end-to-end query times in scenarios with a larger number of RPs. The core of ${\mathrm{Sillcom}}_{trd}$ lies in the design of an efficient top-k circuit. Leveraging the fact that k is small in indoor localization scenarios, we design an optimized top-k circuit, which we describe in detail below.

6.1. Optimized Top-k Circuit for Small k

The design of a top-k circuit refers to efficiently organizing comparators to get the top-k results from m values. While methods such as quicksort can achieve sorting with low complexity and then extract the top-k, such non-data-oblivious designs leak access patterns in secure computation. A naive data-oblivious circuit design employs a bubble sort approach, requiring $O\left(mk\right)$ comparators but also introducing $O\left(mk\right)$ rounds (depth for comparators). A straightforward improvement builds a binary tree structure for each top-i computation, reducing the number of rounds to $O(klogm)$. However, as mentioned earlier, secure computation requires keeping cryptographic costs in mind. In FSS-based secure comparisons, the computational cost per comparison is significantly lower than communication latency, so an optimized design should focus on a higher degree of parallelism in the top-k circuit. Sorting networks [54] are widely used in this direction; for example, Batcher’s odd-even sorting network [55] reduces the number of comparators to $O(mlogm)$, but it still requires $O\left({(logm)}^2\right)$ rounds.

In indoor localization, where positioning can be achieved with a very small k, we can optimize sorting networks by discarding the $m^{\prime }-k$ non-top-k values within each small subset of size $m^{\prime }$. Inspired by [56], we design the top-k circuit shown in Figure 6. First, m is partitioned into smaller subsets of size $m^{\prime }$, where each small subset computes top-k using the design from ${\mathrm{Sillcom}}_{3R}$, discarding the remaining $m^{\prime }-k$ values. The resulting top-k values from multiple small sunsets are then merged into new sets to compute top-k iteratively until the top-k results over the entire m values are obtained. In the example shown in Figure 6, each small subset extracts the top-3 from 12 values, achieving a fourfold data compression in each parallel top-3 stage. We refer to such a circuit as top-k in a multi-branch tree manner.

In practical applications, it is essential to select an appropriate subset size $m^{\prime }$. A large $m^{\prime }$ can reduce the number of rounds, but its $O\left(m{m}^{\prime }\right)$ computational complexity may offset the advantage gained from fewer rounds. Conversely, a small $m^{\prime }$ may not achieve efficient circuit compression. Therefore, choosing $m^{\prime }$ requires balancing network latency and computational capacity. In this paper, we adopt a two-layer multi-branch tree structure to address the feature of relatively small k in indoor localization scenarios. The effectiveness of this approach is verified through experimental results. As m extends larger, additional layers can be incorporated into the structure, further reducing computational overhead by increasing the number of communication rounds.

6.2. Accelerating FSS keys Computation via Multi-threads

In both Sillcom$3R$ and Sillcom$trd$, the computation of DDCF keys is a major bottleneck due to the high computational cost caused by the large number of fixed-key AES operations. This computational overhead significantly impacts the overall performance and efficiency of our design. To address this issue, we employ multi-threading to optimize performance. By leveraging multi-threading, we can parallelize the computation of DDCF keys, effectively distributing the workload across multiple processor cores. The multi-threading approach enhances the system’s scalability and performance, enabling faster key generation and improving the overall efficiency of the computational task. Through this optimization, we aim to reduce latency and achieve a more responsive system capable of handling larger datasets and more complex computations in real time. We also provide a detailed validation of the acceleration brought by multi-threading in the experiments.

7. Efficiency and Security Analysis

7.1. Cost Analysis

7.1.1. Communication Cost

We present a breakdown of the communication cost for two Sillcom schemes in

Table 3. Communication cost of Sillcom.

Scheme	Module	Rounds	P2	P0	P1
${\mathrm{Sillcom}}_{3R}$	${\Pi }_{SED}$	0	0/0	0/0	0/0
	${\Pi }_{SC}$	Merged	0/$2ml$	0/0	0/0
	${\Pi }_{Shuffle}$	2	$10ml$/0	0/$2ml$	0/$2ml$
	${\Pi }_{rank}$	1	$m(m-1)·k^{<}$/0	0/$m{l}_r$	0/$m{l}_r$
${\mathrm{Sillcom}}_{trd}$	${\Pi }_{SED}$	0	0/0	0/0	0/0
	${\Pi }_{SC}$	Merged	0/$2(m+k{\displaystyle \frac{m}{m^{\prime }}})l$	0/0	0/0
	${\Pi }_{Shuffle}$	$2+2$	$10(m+k{\displaystyle \frac{m}{m^{\prime }}})l$/0	0/$2(m+k{\displaystyle \frac{m}{m^{\prime }}})l$	0/$2(m+k{\displaystyle \frac{m}{m^{\prime }}})l$
	${\Pi }_{rank}$	$1+1$	$\approx (m{m}^{\prime }+{\left({\displaystyle \frac{m}{m^{\prime }}}\right)}^2)·k^{<}/0$	0/$(m+k{\displaystyle \frac{m}{m^{\prime }}})l_r$	0/$(m+k{\displaystyle \frac{m}{m^{\prime }}})l_r$

, where ${\mathrm{Sillcom}}_{trd}$ utilizes a two-layer structure. As our initial goal, both schemes effectively compress the online communication rounds and online communication volume. In particular, ${\Pi }_{SED}$ and ${\Pi }_{SC}$ exhibit very low communication, both online and offline. With the communication optimization, ${\mathrm{Sillcom}}_{3R}$ requires only 6ml + 2ml_r bits of data to be sent by the three computation servers during the online phase. In contrast, FAPRIL, which also uses a constant-round design, employs garbled circuits to compute top-k with just one round of communication. However, the large security parameter $\lambda$ leads to substantial online communication volume, making it a bottleneck that severely affects the throughput of their scheme. The large $\lambda$ also impacts the size of the DDCF key, which constitutes the main part of the offline communication in our design. As m grows larger, the communication volume caused by transmitting $O\left(m^2\right)$ DDCFs during the offline phase also affects the throughput of our scheme during the preprocessing stage. It can be observed that ${\mathrm{Sillcom}}_{trd}$, by sacrificing an additional three rounds of communication and a small increase in online communication volume, significantly reduces the time spent in preparing the DDCF keys.

7.1.2. Computation Cost

We also performed a detailed analysis of the computational overhead. First, during the symmetric ${\Pi }_{SED}$ computation phase, each server needs to compute three matrix-vector multiplications of an $m\times n$ matrix and an n-length vector, resulting in a total of $3nm$ ring multiplications. In fact, optimized vector multiplication can be performed very quickly on modern CPUs. Next, the main computation involved in ${\Pi }_{SC}$ and ${\Pi }_{Shuffle}$ is the shuffling of an m-length vector. Experimental results in [49] show that the amortized cost of one memory access for large-size vectors is approximately 31 ns. However, it is important to note that, when shuffling relatively smaller-size vectors, cache optimizations can be effectively leveraged, reducing the amortized cost of one memory access to just a few nanoseconds. This makes the computation time in these two modules much smaller than the impact of communication latency on the end-to-end time.

The computational overhead of Sillcom is primarily concentrated during the secure comparison phase when computing the DDCF keys using fixed-key AES. In ${\mathrm{Sillcom}}_{3R}$, during the online phase, both P0 and P1 need to compute $2m(m-1)l$ instances of fixed-key AES. Similar to the case with communication overhead, an increase in m will gradually cause the computational overhead of computing DDCF keys to dominate the end-to-end time. Therefore, in ${\mathrm{Sillcom}}_{trd}$, we can exchange a small amount of communication for a reduction in the computational bottleneck by a factor of ${\displaystyle \frac{m}{m^{\prime }}}$, resulting in a tradeoff that allows the user to achieve faster query times.

7.2. Security Proof

As previously mentioned, Sillcom is based on a similar outsourcing model to three computational servers [57]. We perform a simple security analysis of Sillcom based on the outsourcing model defined in [58]. Sillcom instantiates the outsourcing scheme of [58] with secure three-party computation, where the distance computation part is based on three-party RSS sharing, and the remaining three computational modules adopt an asymmetric structure. The computing party $P_2$ ceases to participate in subsequent computations after completing the sharing conversion of the distance computation results. Below, we first provide the security proof for the sharing conversion performed by the ${\Pi }_{\mathrm{SC}}$ algorithm.

Theorem 1.

The ${\Pi }_{\mathrm{SC}}$ protocol is secure in the presence of semi-honest adversaries.

Proof. 

Let $\mathcal{S}$ be a simulator and $\mathcal{A}$ be any probability polynomial time (PPT) adversary, we now prove that the outputs of the two games $Rea{l}_{\mathcal{A}}\left(\lambda \right)$ and $Ide{a}_{\mathcal{A},\mathcal{S}}\left(\lambda \right)$ are computationally indistinguishable. First, assume the adversary controls $P_2$. In this case, $\mathcal{A}$ simply distributes the computation result and does not receive any further response from the other two computing servers, so the security is not compromised. Now consider the adversary controls $P_0$ or $P_1$. For example, when $P_1$ is corrupted, in the real view, the adversary $\mathcal{A}$ receives a message vector from $P_2$. In the ideal view, the simulator S interacts with $\mathcal{A}$ and simulates exact transcripts for interactions between $\mathcal{A}$ and $P_2$, generating the correct distribution of outputs to enable security against semi-honest adversaries. Since the honest $P_2$ locally generates a random permutation $\pi$ and a random value vector, and the distance 3P-ASS shares computed by RSS are also random for $P_1$, no PPT adversary can distinguish the output of $Rea{l}_{\mathcal{A}}\left(\lambda \right)$ and $Idea{l}_{\mathcal{A},\mathcal{S}}\left(\lambda \right)$.    □

Theorem 2.

Sillcom is secure against a semi-honest adversary in the $({\Pi }_{\mathit{SED}},{\Pi }_{\mathit{SC}},{\Pi }_{\mathit{Shuffle}},{\Pi }_{\mathit{rank}})-hybrid$ model.

Proof. 

Similar security analysis of ${\Pi }_{\mathrm{Shuffle}}$ and ${\Pi }_{\mathrm{rank}}$ are presented in prior [46,49] and ${\Pi }_{\mathrm{SED}}$ in [59], rely on the result of [60], Sillcom is secure under concurrent general composition.    □

8. Evaluation Results

8.1. Experiment Setup

We employed a cloud server equipped with an AMD EPYC 7663 3.5GHz processor (30 cores) to simulate three computing servers through three terminal instances. To maintain consistency with FAPRIL’s experimental setups, we simulated a 16 ms round-trip time (RTT) for user connections via WiFi. Based on Microsoft’s EzPC project [61], we implemented our two schemes in C++ and conducted a large number of tests to illustrate the performance of our design. In addition, we compared the theoretical and experimental results with those of FAPRIL in detail.

For the experimental dataset, we similarly generated the RSS data of RPs through simulation, based on the range of values for n and m discussed in Section 4.2.1. Additionally, a single RSS value represented by 4 bits was expanded to

$$l=2·l_{\mathrm{RSS}}+\lceil \sqrt{n}\rceil$$

after the distance calculation. Therefore, the value of l was selected from the range [14, 16] based on the range of n in [50, 250].

8.2. Micro Benchmarks

In this section, we present comprehensive benchmarking results across multiple parameter configurations.

8.2.1. Different Amount of APs

The number of access points (n) primarily affects distance computation in our designs. A key feature of ${\mathrm{Sillcom}}_{3R}$ is that RSS-based distance computation can be performed locally, eliminating communication overhead. Consequently, the impact of n is confined to m length-n RSS vector computations. As demonstrated in Figure 7, with m held constant, changing n does not significantly affect the server computation time. This consistency stems from the minimal computational overhead of ring arithmetic operations—especially after compiler optimization with -O3 flags; the ${\Pi }_{\mathrm{SED}}$ module contributes insignificantly to the overall end-to-end query time.

8.2.2. Different Subset Size

It can also be seen from Figure 7 that in ${\mathrm{Sillcom}}_{3R}$, where the communication rounds remain constant, the server computing time increases in a superlinear manner with the growth of m. In order to reduce computation cost, our tradeoff design ${\mathrm{Sillcom}}_{trd}$ aims to reduce the $O\left(m^2\right)$ amount of FSS key computation. From Figure 8, it can be seen that using different subset sizes $m^{\prime }$ in the two-layer structure effectively reduces the server computation time compared with ${\mathrm{Sillcom}}_{3R}$. Even in the relatively poor $m^{\prime }$ = 10, the server computation time is reduced by five times, and more than ten times in other $m^{\prime }$ settings. In addition, it should be noted that the computation time does not keep increasing or decreasing with the change of $m^{\prime }$, because although reducing $m^{\prime }$ can reduce the cost of computing DDCF keys in the first layer, it will also cause the computing overhead of DDCF keys in the second layer to increase quadratically. Therefore, in order to reduce the overall cost as much as possible, it is necessary to balance the amount of DDCF keys in the two layers.

8.2.3. Different Number of Threads

Another method to accelerate computation is multi-threading. Figure 9 shows that $P_0$ and $P_1$ increased from a single thread to 8 threads to calculate ${\Pi }_{\mathrm{rank}}$. From the results, adding threads indeed continuously accelerates the speed of FSS keys calculation. The performance improvement at 2 and 4 threads is close to 2 and 4 times, respectively, but the benefit weakens when it is further increased to 8 threads.

8.2.4. Different k

We compared the results using different parameters k in Figure 10. Although $k=3$ and $k=4$ can already ensure a certain level of accuracy, k can be further increased in scenarios that require higher precision. In ${\mathrm{Sillcom}}_{3R}$, there is almost no difference in performance between the schemes when $k=3$ and $k=4$. This is because the computational complexity of the shuffle then pairwise comparison design we adopted is independent of k in one-layer structure, so extending to larger k will not increase computational overhead. The time cost of performing first layer computation in ${\mathrm{Sillcom}}_{trd}$ is also independent of k, but the remaining distances in the second layer are linearly related to k. Therefore, a larger k value will increase the DDCF key calculation time in the second layer. From the figure, it can be seen that the time cost difference between two ${\mathrm{Sillcom}}_{trd}$ schemes continues to widen with the increase of m, which is a reflection of the increased computational complexity of DDCF keys in the second layer.

8.2.5. Runtime Breakdown

In Section 7.2, we pointed out that computing the FSS keys, specifically the fixed-key AES computation, is the performance bottleneck of our scheme. From Figure 11, Figure 12, Figure 13 and Figure 14, we provide a runtime breakdown of ${\mathrm{Sillcom}}_{3R}$ and ${\mathrm{Sillcom}}_{trd}$ for both single thread and 8 threads. In the single-thread execution of ${\mathrm{Sillcom}}_{3R}$, the server computation time is predominantly spent on the calculation of FSS keys. In the 8-thread ${\mathrm{Sillcom}}_{trd}$, which achieves optimal acceleration, the runtime of other modules significantly increases; however, it still accounts for less than 10% of the total server computation time. This provides clear guidance for future optimization efforts: further accelerating the computation of FSS keys, which is still the bottleneck module.

8.3. Comparison with FAPRIL [14]

In this section, we provide a detailed comparison between Sillcom and FAPRIL, which currently achieves the optimal end-to-end query time, covering aspects from online and offline communication overhead to query time.

We begin by comparing the offline communication of ${\mathrm{Sillcom}}_{3R}$, ${\mathrm{Sillcom}}_{trd}$, and FAPRIL in Figure 15. Due to the need for single-layer ${\mathrm{Sillcom}}_{3R}$ to distribute $O\left(m^2\right)$ DDCF keys, its communication grows quadratically with m, eventually surpassing the linear growth in communication overhead of FAPRIL. ${\mathrm{Sillcom}}_{trd}$ effectively addresses this issue; by adopting a two-layer structure, the communication overhead of the first layer is reduced by a factor of ${\displaystyle \frac{m}{m^{\prime }}}$, and further optimization can be achieved by adjusting the value of $m^{\prime }$ to balance the number of DDCF keys in the first and second layers, thereby minimizing offline communication cost. Additionally, it is noteworthy that the offline communication in FAPRIL is proportional to n, whereas our two schemes are much less affected by n, with the difference solely arising from the number of bits required to represent the n dimensions.

Compared to the expensive offline communication caused by the distribution of DDCF keys, the communication advantage of FSS in the preprocessing model method during the online phase is significantly larger, as shown in Figure 16. FAPRIL has already made attempts to optimize online communication: by utilizing ABY2.0’s delta-sharing [28], they effectively reduce the online communication of the distance computation module. However, to save communication rounds, FAPRIL employs garbled circuits, resulting in still considerable online communication cost. The increased online bandwidth consumption directly impacts the throughput of their scheme. On the other hand, ${\mathrm{Sillcom}}_{3R}$, which has undergone various online communication optimizations, is optimal on this metric, with its online communication volume being about 5.6% that of FAPRIL. While the online communication of ${\mathrm{Sillcom}}_{trd}$ is slightly higher than ${\mathrm{Sillcom}}_{3R}$, the tradeoff is valuable, as it achieves a significant reduction in both offline communication and online computation cost with such a small increase in online communication.

Finally, we compare the schemes based on end-to-end query time.

Table 4. Performance comparison between different schemes. In online phase runtime, 16 refers to RTT for client’s query. In ${\mathrm{Sillcom}}_{3R}^{8t}$ and ${\mathrm{Sillcom}}_{trd}^{8t}$, superscript 8t refers to 8 threads. Bold values indicate the optimal results.

	Offline Phase		Online Phase
	Runtime (ms)	Comm. (MB)	Runtime (ms)	Comm. (KB)
$n=241$, $m=505$
FAPRIL [14]	2500	9.8	96	129
Sillcom3R	621.3	87.4	16 + 221	7.2
${\mathrm{Sillcom}}_{3R}^{8t}$	451.8	87.4	16 + 54	7.2
${\mathrm{Sillcom}}_{trd}$, $m^{\prime }=20$	57.9	3.7	16 + 23	8.2
${\mathrm{Sillcom}}_{trd}^{8t}$, $m^{\prime }=20$	43.3	3.7	16 + 7	8.2

lists the comparison between our schemes and FAPRIL with a set of commonly used parameters, $n=241$ and $m=505$. The results show that our two-layer ${\mathrm{Sillcom}}_{trd}$, even in single thread, has a smaller online runtime than FAPRIL. Under 8-threaded execution, the user query time of ${\mathrm{Sillcom}}_{trd}^{8t}$ is less than a quarter of FAPRIL, server computation time is even less than the network latency for sending the user’s query and receiving the result. ${\mathrm{Sillcom}}_{3R}$ is online faster than FAPRIL only in the 8 threads case. Furthermore, our offline runtime also outperforms FAPRIL. Although ${\mathrm{Sillcom}}_{3R}$ has a higher offline communication volume, this may be due to the simpler network distribution task of DDCF keys, while FAPRIL’s offline phase requires more complex multiplication triple generation using oblivious transfer.

9. Limitation and Future Work

An important limitation of this work is that it only considers a semi-honest, non-colluding security model, which assumes a relatively weak adversarial capability. We plan to extend the scheme to stronger security models with more powerful adversaries. For example, to achieve malicious security, the RSS-based distance computation component could adopt an error-detecting skill based on message authentication codes, such as the one proposed by Bai et al. [62], while the FSS-based computation could leverage the design by Wagh et al. [46]. Naturally, providing malicious security typically incurs significant additional computational and communication overhead. How to further optimize performance under this stronger security setting is a meaningful direction for future research.

10. Conclusions

In this paper, we propose Sillcom, an efficient and privacy-preserving indoor localization scheme. By combining replicated secret sharing and function secret sharing techniques in an outsourcing model, and further optimizing with a multi-branch tree structure and multi-thread parallelism, our design significantly reduces both communication and computation costs. Our extensive experiments demonstrate that Sillcom achieves only 1/15 of the online communication and 1/4 of the user’s end-to-end query time compared to the state-of-the-art scheme FAPRIL, while maintaining equivalent security guarantees. These results indicate that Sillcom is not only theoretically efficient but also practically deployable for real-world indoor localization applications with moderate data sizes. However, we note that in extremely poor network conditions or when scaling to very large datasets, additional challenges such as increased offline computation for FSS key generation and the cost of multi-server deployment may arise. Addressing these limitations remains an open issue. As a future direction, we plan to explore techniques for reducing FSS key generation overhead and further investigate two-server secure computation frameworks to minimize deployment costs while preserving performance and security.