ROLQ-TEE: Revocable and Privacy-Preserving Optimal Location Query Based on Trusted Execution Environment

Abstract

With the advent of cloud computing, outsourced computing has emerged as an increasingly popular strategy to reduce the burden of local computation. Optimal location query (OLQ) is a computationally intensive task in the domain of big data outsourcing, which is designed to determine the optimal placement of a new facility from a set of candidate locations. However, location data are sensitive and cannot be shared with other enterprises, so privacy-preserving optimal location query becomes particularly important. Although some privacy-preserving works have been proposed, they still suffer from other challenges, such as irrevocable query permissions and high communication overhead. To overcome these challenges, we propose a revocable and privacy-preserving optimal location query scheme based on TEE (Trusted Execution Environment). We employ a basic hash structure within the TEE to compute the intersection data of both parties. We use the concept of reverse nearest neighbor (RNN) to assess the impact of candidates, and then select the optimal facility location. In addition, to implement the revocation of query permissions, we introduce a key refresh strategy that adopts identity and timestamp. We evaluate the performance of the proposed scheme using real datasets, and the experimental results indicate strong practicality.

1. Introduction

The integration of cloud computing and smart mobile devices has led to the widespread generation of location data, thereby driving the widespread use of location-based services (LBSs) [1]. Location-based services enable governments and businesses to make informed decisions, such as when optimizing urban planning, determining new facility placements, allocating resources, and achieving various other strategic objectives. Optimal location query (OLQ) [1] is a branch of location-based service applications that aims to identify the best location for a new facility that maximizes its influence, taking into account a set of existing facilities and customers. However, these businesses (or governments) are unable to perform an optimal location query as the location of customers is invariably unknown to them. This requires businesses to obtain these location data from telecommunication operators. Since location data usually involves behavioral information, any leakage of location data may pose threats to personal security and result in losses of economic property. Therefore, telecommunication operators are unwilling to share these location data with other businesses directly. Additionally, to reduce the computational burden, telecommunication operators typically opt to outsource encrypted location data and location-based services to cloud service providers. The primary reason for this is that cloud service providers enable the cost-efficient storage and processing of large datasets, providing the computational capacity for complex location-based services.

Therefore, when cloud service providers offer an optimal location query service to businesses, telecommunication operators must ensure the privacy of individual customers and their location information, as well as the confidentiality of query results. Simultaneously, the customer information of businesses should remain confidential and protected from the cloud service provider.

For consistency, this paper regards the telecommunication operator as the data owner, the businesses as the data users, and the identity and location of the customer as private data. Moreover, in practical applications, optimal location query services are typically time-limited rather than permanent. When a subscription expires, the data owner must revoke the query permissions of data users by refreshing their query keys. For clarity, we visualize this architecture below in Figure 1. The scenario involves a data owner maintaining a customer location database, a TEE-enabled cloud service provider, and multiple data users (i.e., businesses, abstracted as Alice, Bob, and Adam), who have their own customer lists. These authorized data users perform optimal location queries for a new branch in a specified candidate set during the subscription.

To address privacy issues, various privacy-preserving schemes for optimal location queries have been proposed. According to the usage method, they can be generally divided into the following two categories: non-cryptographic privacy-preserving location selection schemes [2,3,4,5,6,7] and cryptographic privacy-preserving location selection schemes [8,9,10,11,12,13,14,15]. Nevertheless, both of the above privacy-preserving schemes have obvious shortcomings, such as insufficient data privacy protection, inaccurate query results, and irrevocable user query permissions for non-cryptographic schemes, and high computational overhead, low query efficiency, and irrevocable user query permissions for cryptographic schemes.

Our contributions: To overcome these shortcomings simultaneously, we propose ROLQ-TEE: a revocable and privacy-preserving optimal location query scheme based on TEE. The ROLQ-TEE scheme can securely and efficiently identify the optimal location within the candidate facility set based on the customer’s location data and also support the revocation of the query permission. Our primary contributions are summarized as follows:

• First, we design a query architecture for sensitive location data based on the TEE, ensuring that no information of either customer, apart from the intersection, is disclosed, and that the intersection results are not exposed to the cloud service provider. Meanwhile, the TEE leverages its features to guarantee the confidentiality and integrity of both data and code within its enclave.
• Second, we propose a revocable and privacy-preserving optimal location query scheme based on the above architecture (ROLQ-TEE), which not only enables the data users to obtain an optimal location of the new facility securely but also realizes the revocability of the query permission of the data users.
• Third, we introduce a practical scenario where the data users (i.e., banks) are required to perform any of the three optimal location query operations (namely RNN Query (RNNQ), Average Distance Query (AVGQ), and Maximum Distance Query (MAXQ)) we designed on the cloud server (i.e., cloud service provider) according to their own needs within a specified time; otherwise, the data user’s query permission will be revoked once the specified time has passed.
• Finally, we conduct a security analysis and performance evaluation of the optimal location query protocols. Subsequently, we demonstrate the security of the ROLQ-TEE scheme, illustrating that ROLQ-TEE scheme effectively preserves the privacy of both the location data owner and the requesting user. Finally, we theoretically analyze the performance and provide the experimental results.

The remainder of this paper is structured as follows: Section 2 discusses related works on optimal location query and privacy-preserving location-based query. Section 3 provides a brief background on bilinear pairings, discrete logarithm problems, collision-resistant hash function, nearest neighbor (NN) and RNN queries, and TEE. Section 4 details the system architecture, the threat model, and the construction of our proposed ROLQ-TEE scheme. Section 5 presents the security analysis of the ROLQ-TEE scheme. Section 6 evaluates the performance of ROLQ-TEE in terms of complexity analysis, memory usage, and efficiency. Finally, we conclude the paper in Section 7.

2. Related Work

In this section, we review previous works related to optimal location query and privacy-preserving location-based query.

2.1. Optimal Location Query

Optimal location query [1] seeks to identify the optimal location for a new facility among candidate sites, considering a set of existing facilities and a group of customers. However, an optimal location needs to be determined mathematically from a set of given points, which requires the introduction of the concept of reverse nearest neighbor (RNN) [16,17,18]. For example, for a data point p, its nearest neighbor (NN) [8] distance can be concretized as the distance from p to its nearest point in the dataset D. After that, it is easy to check whether p is an RNN that queries q by checking whether q falls in a circle centered at p and with a radius equal to p’s NN distance. The RNN queries exist as one of the following two main variants: the monochromatic version and the bichromatic version. In the monochromatic version, all points belong to a single category. In the bichromatic version, the points are divided into two distinct categories. Previous studies on the facility location problem generally assume that the customer’s location is known. However, in the given scenario of Figure 1, the business does not know the location of the customer, and the business needs to submit a query request to use location data stored by cloud service providers for data analysis. In other words, assuming that every customer prefers the nearest business, the bichromatic RNN query (RNNQ) is transformed into a business with an optimal location that can attract more potential customers. In addition to RNNQ, there are two other types of optimal location queries: the average distance query (AVGQ) [19], which minimizes the average distance between a customer and the nearest facility, and the maximum distance query (MAXQ) [20], which aims to maximize the maximum distance to the nearest facility for a customer.

2.2. Privacy-Preserving Location-Based Query

Although location-based services enhance daily convenience, they introduce significant challenges related to customer privacy and the protection of location data. Consequently, researchers have proposed many privacy-preserving location query schemes [2,3,4,5,6,7,8,9,10,11,12,13,14,15] in industry and academia. These schemes can be roughly categorized into the following two categories: non-cryptographic schemes and cryptographic schemes.

Some schemes [2,3,4,5,6,7] utilize non-cryptographic methods to protect the privacy of location data. Lin et al. [2] employed anonymization techniques to protect the privacy of the location of the mobile user. Zhang et al. [3] proposed location privacy protection for smartphones (LPPS), which is a privacy-preserving top-k query. LPPS operates without relying on a trusted third party (TTP) and does not necessitate changes to the business model of location-based service (LBS) servers. Hu et al. [4] proposed a strategy that combines a caching mechanism with K-anonymity, which not only meets users’ demands for accessing required services at the lowest cost but also safeguards users’ location privacy. Liu et al. [5] filtered out potential bogus data based on three criteria: time accessibility, direction similarity, and in-degree/out-degree. As a result, the remaining data helps to protect the privacy of the actual location information. However, these schemes suffer from lower privacy and returned results are not accurate enough. Islam et al. [6] proposed a novel query for spatial databases, known as the RNH query, which identifies neighborhoods where a specified query facility is the nearest facility among others in the dataset. In summary, most of these schemes rely on anonymization techniques or pseudo data to provide only a weak level of privacy protection.

Other schemes [8,9,10,11,12,13,14,15] aim to use various cryptographic methods to protect the privacy of location data, such as homomorphic encryption (HE), differential privacy (DP), and order-preserving encryption (OPE). Li et al. [8] proposed a novel privacy-preserving reverse nearest neighbor (PPRNN) scheme in a static setting based on structured encryption (SE) and the proposed reference-locked order-preserving encryption (RL-OPE), referred to as sPPRNN. Yilmaz et al. [9] proposed a privacy-preserving scheme that enables data owners to respond to location-based queries without sharing their data with other businesses and without accessing sensitive information, such as the customer lists of the businesses submitting the queries. Han et al. [10] proposed a privacy-preserving optimal location query scheme (PPOLQ) that supports multiple condition filters and queries across multiple data providers in outsourced environments. Huang et al. [11] proposed a privacy-preserving spatiotemporal keyword search framework for encrypted location-based service (LBS) data, utilizing attribute-based encryption, linear encryption, and Rivest–Shamir–Adleman (RSA) encryption. This framework enables mobile users to submit LBS queries that incorporate spatial ranges, time intervals, and Boolean keyword expressions, providing accurate and authorized search results by matching these query conditions, along with the corresponding access policies. Guan et al. [12] proposed a novel oblivious location-based k-nearest neighbor (KNN) query scheme, ensuring that the cloud cannot link two queries, even if they are initiated by query users from the same location. Zhu et al. [13] proposed a privacy-preserving framework, which supports multi-location queries with fine-grained access control and allows searching based on location attributes. Nieminen et al. [14] proposed a privacy-preserving indoor localization scheme that utilizes received signal strength measurements, employing Paillier encryption and garbled circuits to ensure data privacy. Shao et al. [15] proposed a fine-grained privacy-preserving location-based service (LBS) framework called FINE. This framework employs a ciphertext-policy anonymous attribute-based encryption technique to ensure fine-grained access control, location privacy, and the confidentiality of both the LBS data and its access policy, while providing accurate LBS query results without involving any trusted third party. In comparison to non-cryptographic schemes, these approaches offer significantly stronger privacy protections and consistently produce exact query results that match those obtained from queries over plaintext location data. Nevertheless, employing these cryptographic methods imposes significant computational and communication overhead on telecommunication operators and businesses.

However, the above two types of location query-based schemes are based on traditional cloud computing scenarios, and the hardware security protection level is relatively low compared to the TEE-based schemes. Moreover, due to the existence of TEE, the latter has a huge advantage in client computing and communication overhead. In terms of efficiency, although the overall computing overhead of the server will increase in the TEE-based scheme, the computing efficiency inside the TEE is significantly higher than other privacy protection schemes. Therefore, in the TEE-based scenario, the way in which to achieve the optimal location query in terms of security and performance is the focus of our research.

3. Preliminaries

3.1. Bilinear Pairings

Let $\mathbb{G}$ and ${\mathbb{G}}_{\mathbb{T}}$ be two cyclic multiplicative groups with the same order q, and let g be a generator of $\mathbb{G}$. Meanwhile, let $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_{\mathbb{T}}$ be a bilinear map [21] which meets the following properties:

• Bilinearity: $\forall Q,R$∈$\mathbb{G}$ and $a,b$∈${\mathbb{Z}}_p$, $e(Q^a,R^b)=e{(Q,R)}^{ab}$.
• Non-degeneracy: $e(g,g)\ne 1_{{\mathbb{G}}_{\mathbb{T}}}$, where 1 is an unit of ${\mathbb{G}}_{\mathbb{T}}$.
• Computability: $\forall Q,R\in \mathbb{G}$, there exists an efficient algorithm to compute $e(Q,R)$.

3.2. Discrete Logarithm Problem

This problem was proposed by [22]; that is, given $g,h\in \mathbb{G}$, it is difficult to identify an $x\in \mathbb{G}$ such that $g^x=h$.

3.3. Collision-Resistant Hash Function

A collision-resistant hash function was provided by [23] and meets the following conditions:

• The input X can be of arbitrary length, while the output $H\left(X\right)$ has a fixed length of n bits (with $n\ge 128$).
• The hash function must be one-way, meaning that, given a Y in the range of H, it is hard to find a message X such that $H\left(X\right)=Y$. Furthermore, given X and $H\left(X\right)$, it should be challenging to find another message $X^{\prime }\ne X$ such that $H\left(X^{\prime }\right)\ne H\left(X\right)$.
• The hash function must be collision-resistant, meaning that it is difficult to find two distinct messages that produce the same hash result.

3.4. NN and RNN Query

Before introducing nearest neighbor (NN) and reverse nearest neighbors (RNN), it is essential to first understand Euclidean distance. Euclidean distance [24] is a metric that can be used to calculate nodes of different dimensions in order to measure the length between nodes. Based on [25], the Euclidean distance $dist(a,b)$, with the two-dimensional points $a=(x_1,y_1)$ and $b=(x_2,y_2)$, could be determined as follows:

$$dist(a,b)=\sqrt{{(x_1-y_1)}^2+{(x_2-y_2)}^2}$$

(1)

Generally speaking, nearest neighbor (NN) [8,26] query has garnered widespread attention in the spatial database research community. For example, when point A is closer to point B than other points, we say that point A is the nearest neighbor of point B. Conversely, we also refer to point B as one of the reverse nearest neighbors (RNN) of point A. In other words, an RNN query identifies a set of points for which the query point serves as their nearest neighbor, i.e., it calculates the Euclidean distance between the query point and other points. The RNN query was first proposed in [16]. There are two variants of RNN queries [9]: a monochromatic version and a bichromatic version. Given a facility $\mathcal{F}$, that is, a location of the $\mathcal{F}$, the bichromatic RNN query finds the set of objects that has $\mathcal{F}$ as the nearest neighbor. Please note that we typically assume, in optimal location query scenarios, that each object prefers the nearest facility.

Definition 1

(RNN query). Given a set of facility locations $\mathcal{F}=\{f_1,f_2,\dots ,f_s\}$, the purpose of the RNN query is to find RNNQ($\mathcal{F}$)=$\{nu{m}_j=\left|\right\{l_i|l_i$ is RNN of $f_j\left\}\right|$, $1\le j\le s$, where $l_i$ represents the location of customer $x_i$ and $|·|$ denotes the cardinality of a set. In other words, it aims to determine the cardinality of the reverse nearest neighbors (RNNs) for each facility $f_j$.

For a RNN query, the query result $Q=RNNQ\left(\mathcal{F}\right)$ is an s-vector (ordered set) of RNN cardinalities, where the largest element in the vector of size s corresponds to the facility that is the optimal facility location; in other words, the facility that attracts the maximum number of customers.

However, when the vector of two facilities share the same cardinality (e.g., $nu{m}_{j_1}=nu{m}_{j_2}$, $1\le j_1\ne j_2\le s$), the tie has to be broken. Generally, the customers prefer the facility closer to them because they can utilize it more easily. Thus, we employ the accumulated distance from all customers $l_i$ to the locations $f_j$ in its facility set $\mathcal{F}$, denoted as $D_j={\sum }_{l_i\in n}d(l_i,f_j)$, as the tie breaker. The n is the number of customers. The smaller the $D_j$ is, the better the $f_j$’s optimality is.

Definition 2

(AVG query). Given a set of facility locations $\mathcal{F}=\{f_1,f_2,\dots ,f_s\}$, the AVGQ query intends to find the following:

$$AVGQ\left(\mathcal{F}\right)={\displaystyle \frac{{\sum }_{l_i\in n}d(l_i,f_j)}{n}}$$

(2)

where $f_i$ is the NN of $l_i$, and $d(l_i,f_i)$ means the Euclidean distance between $l_i$ and $f_i$. In other words, it aims to compute the average distance between all customers and their nearest facilities.

Definition 3

(MAX query). Given a set of facility locations $\mathcal{F}=\{f_1,f_2,\dots ,f_s\}$, the MAXQ query aims to identify MAXQ$\left(\mathcal{F}\right)=max\left(d(l_i,f_i)\right)$, where $f_i$ is the NN of $l_i$. In other words, it aims to find the maximum distance between a customer and their nearest facilities.

3.5. Trusted Execution Environment

A trusted execution environment (TEE) is a secure computing environment designed to protect the security and privacy of sensitive data and codes. Typically composed of both hardware and software, a TEE provides a secure execution environment on standard operating systems, ensuring that malicious software cannot access or tamper with the data and code within the TEE. Examples of TEEs include Intel Software Guard Extensions, (Intel SGX), ARM TrustZone, and so on.

Intel SGX [27,28,29,30,31,32] is a set of new instructions and modifications to the memory access architecture of Intel CPUs. As shown in Figure 2, we mainly focus on the following two features of the Intel SGX: remote attestation and memory isolation.

• Remote attestation: Remote attestation offers cryptographic verification to ensure that the enclave operates securely on the cloud server. When the enclave is created, a remote attestation signature is generated with the assistance of the SGX component, which is known as quote enclave (QE), to ensure the security of the enclave. Additionally, a secure channel is established for secret sharing between the enclave and the client using Elliptic-curve Diffie–Hellman (ECDH) [33].
• Memory isolation: When a project runs on an SGX platform, the project is divided into an untrusted (or semi-trusted) storage area and a trusted isolation area, called an enclave. The enclave is an independent physical RAM block where the code and data contained within it are protected and inaccessible to privileged software, operating systems, hypervisors, and system firmware. When the SGX program is suspended or closed, the encrypted sensitive data separated from the enclave are stored in an untrusted area. When the SGX program is running, these data can only be accessed within the enclave through a dedicated interface designed for decryption and integrity checking.

4. ROLQ-TEE Scheme

In this section, we present our system architecture in Section 4.1. The threat model is given in Section 4.2. We describe the construction of the ROLQ-TEE scheme in detail in Section 4.3.

4.1. System Architecture

As shown in Figure 3, we consider a multi-parties scenario. The ROLQ-TEE scheme consists of three entities, namely a data owner ($\mathcal{DO}$), data users ($\mathcal{DU}$), and a cloud service provider ($\mathcal{CSP}$) that supports TEE, where $\mathcal{DU}=\{{\mathcal{DU}}_1,\dots ,{\mathcal{DU}}_n\}$. $\mathcal{DO}$ has a private customer set $U_{\mathcal{DO}}=\{(x_1,l_1),\dots ,$$(x_{n_{\mathcal{DO}}},l_{n_{\mathcal{DO}}})\}$, where $x_i$ is the ith unique customer identity of the $\mathcal{DO}$ and $l_i$ is the location information of $x_i$, $1\le i\le n_{\mathcal{DO}}$. In fact, $l_i$ can be an expression of a point in any coordinate system, for example, $l_i=(u_i,v_i)$ in the Cartesian coordinate system or $l_i=(ln{g}_i,la{t}_i)$ in the geographic coordinate system. Each ${\mathcal{DU}}_{\mu }$ has a private customer list $U_{\mu }=\{y_{\mu ,1},\dots ,y_{\mu ,n_{\mu }}\}$, where $y_{\mu ,j}$ is the jth unique customer identity of the ${\mathcal{DU}}_{\mu }$, $1\le \mu \le n$, and $1\le j\le n_{\mu }$. Additionally, each ${\mathcal{DU}}_{\mu }$ has a candidate list of facilities ${\mathcal{F}}_{\mu }=\{f_1,\dots ,f_s\}$, where $f_{\xi }$ also represents the expression of a point in any coordinate system, $1\le \xi \le s$. Their respective tasks and system flows are described as follows:

• Data owner ($\mathcal{DO}$): The data owner is mainly responsible for system setup, data encryption and ciphertext uploading. In addition, the $\mathcal{DO}$ establishes the secure channel through remote attestation with the TEE of the $\mathcal{CSP}$ and generates the session key to transfer the secret key and data.
• Cloud service provider ($\mathcal{CSP}$): This is mainly divided into two areas: one is the TEE area, and the other is the storage area. The TEE is mainly responsible for query key generation, map table construction, optimal location query, and query key refresh. The storage area is mainly responsible for storing encrypted data.
• Data users ($\mathcal{DU}$): The ${\mathcal{DU}}_{\mu }$ is mainly responsible for providing a candidate set ${\mathcal{F}}_{\mu }$ = ${\left\{f_{\xi }\right\}}_1^s$ and generating query requests $\mathcal{Q}$ for the candidate set. Additionally, the ${\mathcal{DU}}_{\mu }$ is also responsible for decrypting the optimal location query results.

As shown in Figure 3, the $\mathcal{DO}$ establishes a secure channel with the TEE of the $\mathcal{CSP}$ through remote attestation in advance and generates the session key $K_s$. Next, the $\mathcal{DO}$ executes the system setup to generate master secret key $msk$ and master public parameters $mpk$ in step 1. In step 2, the $\mathcal{DO}$ uploads encrypted data to the $\mathcal{CSP}$. After that, the TEE generates the storage key $s{k}_{\mathcal{DO}}$ and the query keys $s{k}_{\mu }$ for the $\mathcal{DO}$ and all ${\mathcal{DU}}_{\mu }$ in step 3. In step 4, the TEE performs query key distribution for all ${\mathcal{DU}}_{\mu }$. In step 5, the TEE constructs the map table and re-encrypts the location data. In step 6, the ${\mathcal{DU}}_{\mu }$ generates optimal location query requests and sends them to the TEE. In step 7, the TEE executes the optimal location query algorithm to obtain a query result $res$. The TEE sends the encrypted query results $C_{res}$ to the ${\mathcal{DU}}_{\mu }$ in step 8. In step 9, the ${\mathcal{DU}}_{\mu }$ performs the Dec algorithm to obtain the query result $res$. The TEE performs a query key refresh operation to revoke the query permissions of the user in the revocation list, and updates user list $UL$, revocation list $RL$, time list $TL$, and the query keys of the unrevoked users in step 10.

4.2. Threat Model

We construct the ROLQ-TEE scheme based on the following assumptions regarding its threat model. We assume that attackers are computationally bounded and unable to break standard cryptographic assumptions, meaning they cannot compromise the hardware security of the TEE. This ensures that the TEE protects the predefined code and data contained within it. In addition, $\mathcal{DO}$, $\mathcal{RU}$, and TEE are trusted, and $\mathcal{CSP}$ without TEE is honest and curious. This implies that the cloud service provider honestly executes all algorithm instructions. Meanwhile, the $\mathcal{CSP}$ may exhibit curiosity about the sensitive information contained in the stored encrypted data and might attempt to learn additional sensitive information through RNN queries. To prevent the leakage of sensitive information, the $\mathcal{DO}$ store only ciphertexts of their location data on the $\mathcal{CSP}$, while the $\mathcal{DU}$ submit encrypted forms of their RNN queries (i.e., query tokens) to the $\mathcal{CSP}$. Additionally, the $\mathcal{CSP}$ may exhibit curiosity about the query results of the $\mathcal{DU}$, making it essential to assume the absence of collusion between the $\mathcal{DO}$ and the $\mathcal{CSP}$. In summary, our ROLQ-TEE scheme is considered to be secure, meaning that the following security requirements should be met simultaneously.

• Data privacy: Data privacy means that the outsourced location data, query tokens, customer lists, and query results cannot be broken by the adversary.
• Revocation security: The data users whose access has been revoked are unable to initiate new optimal location queries and are also prevented from decrypting any ciphertext data associated with subsequent queries.
• Data anonymity: The data users cannot utilize the obtained information to infer the locations stored in the database of the data owner, other than the intersection location data.

4.3. Detailed Construction

Our ROLQ-TEE scheme includes the following eight algorithms: $Setup$, $KeyGen$, $Enc$, $Build$, $GenToken$, $OptLocQue$, $Dec$, and $KeyFresh$. We first summarize important notations used in ROLQ-TEE, as shown in

Table 1. Notations.

Symbol	Descriptions
$msk$	System master secret key
$mpk$	System master public key
$s{k}_{\mu }$	The query key of ${\mathcal{DU}}_{\mu }$
$s{k}_{\mathcal{DO}}$	The storage key of $\mathcal{DO}$
$TL$	The timestamp list
$RL$	The revocation list
$UL$	The data user list
$U_{\mathcal{DO}}$	The customer sets of $\mathcal{DO}$
$U_{\mu }$	The customer sets of $\mu$-th ${\mathcal{DU}}_{\mu }$
$L_{\mathcal{DO}}$	The location information set of $\mathcal{DO}$
n, s	The total number of users and existing facilities
$n_{\mathcal{DO}}$	The total number of customers of $\mathcal{DO}$
$n_{\mu }$	The total number of customers of the $\mu$-th ${\mathcal{DU}}_{\mu }$
$n_I$	The total number of data in intersection I
$res$	The query result of the optimal location query
$x_i$	The i-th customer data of $\mathcal{DO}$
$y_{\mu ,j}$	The j-th customer data of the ${\mathcal{DU}}_{\mu }$
$U_I$	The intersection set of the customer of $\mathcal{DO}$ and ${\mathcal{DU}}_{\mu }$
$dist(a,b)$	A distance function that computes the euclidean
	distance between any two objects a and b

. Next, we present our construction as follows:

• $Setup\left(1^{\lambda }\right)$→$(msk,mpk)$. The $Setup$ algorithm is run by the $\mathcal{DO}$. It takes as input a security parameter $\lambda$. It outputs the master secret key $msk$ and system master public key $mpk$.
  • The $\mathcal{DO}$ chooses a bilinear map $e:\mathbb{G}\times \mathbb{G}$→${\mathbb{G}}_{\mathbb{T}}$, where $\mathbb{G}$ and ${\mathbb{G}}_{\mathbb{T}}$ are two cyclic groups with order q. Then, the $\mathcal{DO}$ randomly chooses a generator g of $\mathbb{G}$ and a generator $g_t$ of ${\mathbb{G}}_{\mathbb{T}}$, respectively. After that, the $\mathcal{DO}$ chooses two different collision-resistant hash functions, $H_1$:${\{0,1\}}^{*}$→$\mathbb{G}$ and $H_2$:${\{0,1\}}^{*}$→$\mathbb{G}$, randomly. Additionally, the $\mathcal{DO}$ chooses an pseudo-random function F.
  • The $\mathcal{DO}$ chooses some random values $\alpha ,{\alpha }_{\mu }\in Z_q^{*}$, and computes h = $g^{\alpha }$ and $h_{\mu }$ = $g^{{\alpha }_{\mu }}$, 1 ≤ $\mu$ ≤ n.
  • The $\mathcal{DO}$ executes remote attestation with the TEE of the $\mathcal{CSP}$ to generate the session key $K_s$. Meanwhile, both parties establish a secure channel.
  • Finally, the $\mathcal{DO}$ publishes $mpk=(\mathbb{G},{\mathbb{G}}_{\mathbb{T}},e,g,q,$$h_{\mu },h,H_1,H_2)$ as the system parameters, and sends the encrypted $msk$ = $\{\alpha ,{\alpha }_{\mu }\}$ to the TEE through the secure channel.
• $Enc(U_{\mathcal{DO}},msk,iv,add,K_s)$→$(\mathcal{C},{\mathcal{C}}_{msk},tag,ta{g}_{msk})$. The $Enc$ algorithm is run by the $\mathcal{DO}$. It takes as input the data $U_{\mathcal{DO}}=\{M_i=x_i\left|\right|l_i\}$, the master system key $msk$, the initial vector $iv=\{i{v}_0,i{v}_1,\dots ,i{v}_{n_{\mathcal{DO}}}\}$, the additional authentication data $add=\{ad{d}_0,ad{d}_1,\dots ,ad{d}_{n_{\mathcal{DO}}}\}$, and the session key $K_s$. It outputs the ciphertexts $\mathcal{C}=\left\{{\mathcal{C}}_i\right\}$ and ${\mathcal{C}}_{msk}$, and the encrypted tags $tag=\left\{ta{g}_i\right\}$ and $ta{g}_{msk}$, where $1\le i\le n_{\mathcal{DO}}$.
• $KeyGen({\mathcal{C}}_{msk},K_s,mpk)$→$(s{k}_{\mu },s{k}_{\mathcal{DO}},TL,RL,UL)$. The KeyGen algorithm is run by the TEE. It takes as input the encrypted master secret key ${\mathcal{C}}_{msk}$ and the master public key $mpk$. It outputs the query key $s{k}_{\mu }$, a storage key $s{k}_{\mathcal{DO}}$, a data user list $UL=\left\{ri{d}_{\mu }\right\},1\le \mu \le n$, an empty revocation list $RL=\{\varnothing \}$, and an timestamp list $TL=\{\varnothing \}$.
  • First, the TEE decrypts ${\mathcal{C}}_{msk}$ to $msk$ and randomly generates a unique identifier $ri{d}_{\mu }$ for each registered data user ${\mathcal{DU}}_{\mu }$. Meanwhile, the TEE also generates a unique identifier $ri{d}_{\mathcal{DO}}$ for the $\mathcal{DO}$.
  • Second, the TEE creates a timestamp $T_t$ and sets a counter $t=1$, where $TL=\left\{T_1\right\}$. After that, the TEE computes the corresponding query key $s{k}_{\mu }=\{s{k}_{\mu ,t,0},$$s{k}_{\mu ,t,1}\}$, where $s{k}_{\mu ,t,0}=H_1{\left(ri{d}_{\mu }\right)}^{{\alpha }_{\mu }}$·$H_2{\left(T_t\right)}^{r_{\mu ,t}}$, $s{k}_{\mu ,t,1}=g^{r_{\mu ,t}}$, and $r_{\mu ,t}\in Z_q^{*}$.
  • Next, the TEE computes the storage key $s{k}_{\mathcal{DO}}=H_1{\left(ri{d}_{\mathcal{DO}}\right)}^{\alpha }$ for the $\mathcal{DO}$ and uses it for data encryption.
  • Finally, the TEE distributes $\{s{k}_{\mathcal{DO}},ri{d}_{\mathcal{DO}}\}$ to the $\mathcal{DO}$ through a secure channel, and distributes $\{s{k}_{\mu },ri{d}_{\mu },T_t\}$ to the corresponding ${\mathcal{DU}}_{\mu }$ through the secure sockets layer (SSL) protocol.
• $Build(K_s,\mathcal{C},s{k}_{\mathcal{DO}})$→$(MT,c_i)$. The $Build$ algorithm is run by the TEE. It takes as input the session key $K_s$, the ciphertext $\mathcal{C}=\left\{{\mathcal{C}}_i\right\}$, and the secret key $s{k}_{\mathcal{DO}}$. It outputs the map table $MT$ and encrypted location data. The detailed process is as follows:
  • First, the TEE decrypts the ciphertext ${\mathcal{C}}_i$ to plaintext $M_i=x_i\left|\right|l_i$ and splits the $M_i$ to obtain the customer identity $x_i$ and corresponding location information $l_i$, $1\le i\le n_{\mathcal{DO}}$.
  • Second, the TEE computes $F(s{k}_{\mu },x_i)$, and calls the $Enc$ algorithm to generate the encrypted location data ciphertext $c_i$; that is, $c_i=Enc(l_i,s{k}_{\mathcal{DO}},i{v}_i^{\prime },ad{d}_i^{\prime })$.
  • Finally, the TEE constructs a map table $MT\left[F(s{k}_{\mu },x_i)\right]=c_i$ and stores the ciphertext $c_i$ to the store area of the $\mathcal{CSP}$.
• $GenToken({\mathcal{F}}_{\mu },s{k}_{\mu },U_{\mu })$→$({\mathcal{CF}}_{\mu },{\mathcal{CL}}_{\mu })$. The $GenToken$ algorithm is run by the ${\mathcal{DU}}_{\mu }$. It takes as input a list of candidate facility locations ${\mathcal{F}}_{\mu }=\{f_1,\dots ,f_s\}$, the query key $s{k}_{\mu }$, and the private customer set of the data user $U_{\mu }$. It outputs an encrypted candidate set ${\mathcal{CF}}_{\mu }$ and an encrypted customer list set ${\mathcal{CL}}_{\mu }$. The detailed steps are as in Algorithm 1:
  • The ${\mathcal{DU}}_{\mu }$ chooses a random value $r_{\mu }\in Z_q^{*}$ and computes the encrypted candidate set ${\mathcal{CF}}_{\mu }=\{{\mathcal{CF}}_{\mu ,0},$${\mathcal{CF}}_{\mu ,1},{\mathcal{CF}}_{\mu ,2}\}$, where ${\mathcal{CF}}_{\mu ,0}=g^{r_{\mu }}$, ${\mathcal{CF}}_{\mu ,1}=M_{{\mathcal{F}}_{\mu }}·e(H_1{\left(ri{d}_{\mu }\right)}^{r_{\mu }},h_{\mu })$, ${\mathcal{CF}}_{\mu ,2}=H_2{\left(T_t\right)}^{r_{\mu }}$, and $M_{{\mathcal{F}}_{\mu }}=f_1\left|\right|f_2\left|\right|\dots \left|\right|f_s$.
  • Next, the ${\mathcal{DU}}_{\mu }$ computes the encrypted customer list ${\mathcal{CL}}_{\mu }=\{{\mathcal{CL}}_{\mu ,0},{\mathcal{CL}}_{\mu ,1},{\mathcal{CL}}_{\mu ,2}\}$, where ${\mathcal{CL}}_{\mu ,0}=g^{r_{\mu }^{\prime }}$, ${\mathcal{CL}}_{\mu ,1}=L·e(H_1{\left(ri{d}_{\mu }\right)}^{r_{\mu }^{\prime }},h_{\mu })$, ${\mathcal{CL}}_{\mu ,2}=H_2{\left(T_t\right)}^{r_{\mu }^{\prime }}$, $r_{\mu }^{\prime }\in Z_q^{*}$, and $L=F(s{k}_{\mu },y_{\mu ,1})\left|\right|\dots \left|\right|F(s{k}_{\mu },y_{\mu ,n_{\mu }})$.
  • Finally, the ${\mathcal{DU}}_{\mu }$ sends the encrypted query token ${\mathcal{Q}}_{\mu }=\{{\mathcal{CF}}_{\mu },{\mathcal{CL}}_{\mu }\}$ to the $\mathcal{CSP}$.
• $OptLocQue(c_i,{\mathcal{Q}}_{\mu },s{k}_{\mu },s{k}_{\mathcal{DO}},MT,mpk)$→${\mathcal{C}}_{res}$. The $OptLocQue$ algorithm is run by the TEE. It takes as input the encrypted location data set $c_i$, the encrypted query token ${\mathcal{Q}}_{\mu }$, the query key $s{k}_{\mu }$, the secret key $s{k}_{\mathcal{DO}}$, the map table $MT$, and public system parameters $mpk$. It outputs an encrypted optimal location query result ${\mathcal{C}}_{res}$. The detailed steps are as in Algorithm 2:
  • The TEE decrypts the ${\mathcal{CF}}_{\mu }$ to the $M_{{\mathcal{F}}_{\mu }}$ using Equation (3), as shown below, and obtains a list of the candidate facility locations ${\mathcal{F}}_{\mu }=\{f_1,\dots f_s\}$.

    $$\begin{array}{cc}\hfill M_{{\mathcal{F}}_{\mu }}& ={\displaystyle \frac{{\mathcal{CF}}_{\mu ,1}·e(s{k}_{\mu ,t,1},{\mathcal{CF}}_{\mu ,2})}{e(s{k}_{\mu ,t,0},{\mathcal{CF}}_{\mu ,0})}}\hfill \\ \hfill & ={\displaystyle \frac{M_{\mathcal{F}}·e(H_1{\left(ri{d}_{\mu }\right)}^{r_{\mu }},h_{\mu })·e(g^{r_{\mu ,t}},H_2{\left(T_t\right)}^{r_{\mu }})}{e(H_1{\left(ri{d}_{\mu }\right)}^{{\alpha }_{\mu }}·H_2{\left(T_t\right)}^{r_{\mu ,t}},g^{r_{\mu }})}}\hfill \\ \hfill & ={\displaystyle \frac{M_{\mathcal{F}}·e(H_1{\left(ri{d}_{\mu }\right)}^{r_{\mu }},h_{\mu })·e(g^{r_{\mu ,t}},H_2{\left(T_t\right)}^{r_{\mu }})}{e(H_1{\left(ri{d}_{\mu }\right)}^{{\alpha }_{\mu }},g^{r_{\mu }})·e(H_2{\left(T_t\right)}^{r_{\mu ,t}},g^{r_{\mu }})}}\hfill \\ \hfill & =M_{{\mathcal{F}}_{\mu }}\hfill \end{array}$$

    (3)
  • According to the decryption method in Step 1, TEE decrypts the encrypted customer list ${\mathcal{CL}}_{\mu }$ to $L=\{F(s{k}_{\mu },y_{\mu ,1}),\dots ,F(s{k}_{\mu },y_{\mu ,n_{\mu }})\}$.
  • Meanwhile, the TEE compares whether $L.F(s{k}_{\mu },y_{\mu ,j})$ and $MT.F(s{k}_{\mu },\left(x_i\right))$ are equal using Equation (4), as shown below. If equal, the TEE loads $c_i$, corresponding to $MT.F(s{k}_{\mu },\left(x_i\right))$, and decrypts it to obtain the location data $l_i$. Otherwise, TEE continues to match the next token.

    $$L.F(s{k}_{\mu },y_{\mu ,j})\stackrel{?}{=}MT.F(s{k}_{\mu },\left(x_i\right))$$

    (4)
  • Subsequently, the TEE loads the encrypted location data $c_i$ of $MT.F(s{k}_{\mu },\left(x_i\right))$ and decrypts the $c_i$ to the $l_i$. Next, the TEE obtains $U_I=\left\{l_i\right\}$, corresponding to the intersection of the customers of the $\mathcal{DO}$ and the ${\mathcal{DU}}_{\mu }$.
  • The TEE uses the $U_I$ and the ${\mathcal{F}}_{\mu }$ to compute the ranking result $res$ of the optimal location query (RNNQ/AVGQ/MAXQ) according to the Euclidean distance (Section 3.1) and Definition 1 (or Definition 2 or Definition 3).
  • The TEE encrypts the optimal location query results $res$ to ${\mathcal{C}}_{res}=\{{\mathcal{C}}_{res,0},{\mathcal{C}}_{res,1},{\mathcal{C}}_{res,2}\}$ using $s{k}_{\mu }$, and sends the $C_{res}$ to the ${\mathcal{DU}}_{\mu }$.
• Dec($C_{res},s{k}_{\mu }$)→$res$. The $Dec$ algorithm is run by the ${\mathcal{DU}}_{\mu }$. It takes as input the query results $C_{res}$ and the query key $s{k}_{\mu }$. It outputs the ranking results $res$, as follows:

  $$\begin{array}{cc}\hfill res& ={\displaystyle \frac{{\mathcal{C}}_{res,1}·e(s{k}_{\mu ,t,1},{\mathcal{C}}_{res,2})}{e(s{k}_{\mu ,t,0},{\mathcal{C}}_{res,0})}}\hfill \\ \hfill & ={\displaystyle \frac{res·e(H_1{\left(ri{d}_{\mu }\right)}^{r_R},h_{\mu })·e(g^{r_{\mu ,t}},H_2{\left(T_t\right)}^{r_R})}{e(H_1{\left(ri{d}_{\mu }\right)}^{{\alpha }_{\mu }}·H_2{\left(T_t\right)}^{r_{\mu ,t}},g^{r_R})}}\hfill \\ \hfill & ={\displaystyle \frac{res·e(H_1{\left(ri{d}_{\mu }\right)}^{r_R},h_{\mu })·e(g^{r_{\mu ,t}},H_2{\left(T_t\right)}^{r_R})}{e(H_1{\left(ri{d}_{\mu }\right)}^{{\alpha }_{\mu }},g^{r_R})·e(H_2{\left(T_t\right)}^{r_{\mu ,t}},g^{r_R})}}\hfill \\ \hfill & =res\hfill \end{array}$$

  (5)
• $KeyFresh(\left\{ri{d}_k\right\},msk,mpk)$→$(s{k}_{\mu }^{\prime },R{L}^{\prime },T{L}^{\prime },U{L}^{\prime })$. The $KeyFresh$ algorithm is run by the TEE. It takes as input a set of revoked identities $\left\{ri{d}_k\right\}$, the master secret key $msk$, and the system master public key $mpk$. It outputs the updated query keys $s{k}_{\mu }^{\prime }$, an updated revocation list $R{L}^{\prime }$, an updated data user list $U{L}^{\prime }$, and an updated timestamp list $T{L}^{\prime }$.
  • Upon the expiration of the subscription period, the TEE first identifies the user identities $\left\{ri{d}_k\right\}$ to be revoked in the data user list, and obtains an updated revocation list $R{L}^{\prime }=RL\cup \left\{ri{d}_k\right\}$ and an updated request user list $U{L}^{\prime }=UL/\left\{ri{d}_k\right\}$, where $k\in [1,n]$.
  • Then, the TEE recreates the timestamp $T_{t+1}$ onto the original list $TL$, and obtains a new timestamp list $T{L}^{\prime }=\{T_t,T_{t+1}\}$.
  • TEE randomly chooses a $r_{\mu ,t+1}\in Z_q^{*}$ for the corresponding unrevoked user set $U{L}^{\prime }=UL$-$R{L}^{\prime }$, and recomputes $s{k}_{\mu ,t+1,0}=H_1{\left(ri{d}_{\mu }\right)}^{{\alpha }_{\mu }}$·$H_2{\left(T_{t+1}\right)}^{r_{\mu ,t+1}}$ and $s{k}_{\mu ,t+1,1}=g^{r_{\mu ,t+1}}$, $\mu \in [1,n]/\left\{k\right\}$.
  • Finally, the TEE sends the $s{k}_{\mu }^{\prime }=\{s{k}_{\mu ,t+1,0},s{k}_{\mu ,t+1,1}\}$ to the corresponding unrevoked data user $U{L}^{\prime }$.

Algorithm 1: GenToken Algorithm

Input: The candidate facility list ${\mathcal{F}}_{\mu }$, the query key $s{k}_{\mu }$, and the customer set $U_{\mu }$

Output: The encrypted candidate set ${\mathcal{CF}}_{\mu }$ and the encrypted customer list set ${\mathcal{CL}}_{\mu }$

1: Select a random value $r_{\mu }\in Z_q^{*}$;

2: Construct the facility candidate set $M_{{\mathcal{F}}_{\mu }}=f_1\left|\right|f_2\left|\right|,\dots ,\left|\right|f_s$;

3: Compute the encrypted candidate set ${\mathcal{CF}}_{\mu }=\{{\mathcal{CF}}_{\mu ,0},{\mathcal{CF}}_{\mu ,1},{\mathcal{CF}}_{\mu ,2}\}$, where ${\mathcal{CF}}_{\mu ,0}=g^{r_{\mu }}$,

${\mathcal{CF}}_{\mu ,1}=M_{{\mathcal{F}}_{\mu }}·e(H_1{\left(ri{d}_{\mu }\right)}^{r_{\mu }},h_{\mu })$, and ${\mathcal{CF}}_{\mu ,2}=H_2{\left(T_t\right)}^{r_{\mu }}$;

4: Select a random value $r_{\mu }^{\prime }\in Z_q^{*}$;

5: Construct the customer list $L=F(s{k}_{\mu },y_{\mu ,1})\left|\right|F(s{k}_{\mu },y_{\mu ,2})\left|\right|\dots \left|\right|F(s{k}_{\mu },y_{\mu ,n_{\mu }})$;

6: Compute the encrypted customer list set ${\mathcal{CL}}_{\mu }=\{{\mathcal{CL}}_{\mu ,0},{\mathcal{CL}}_{\mu ,1},{\mathcal{CL}}_{\mu ,2}\}$, where ${\mathcal{CL}}_{\mu ,0}=g^{r_{\mu }^{\prime }}$,

${\mathcal{CL}}_{\mu ,1}=L·e(H_1{\left(ri{d}_{\mu }\right)}^{r_{\mu }^{\prime }},h_{\mu })$, and ${\mathcal{CL}}_{\mu ,2}=H_2{\left(T_t\right)}^{r_{\mu }^{\prime }}$;

7: Generate the query token ${\mathcal{Q}}_{\mu }=\{{\mathcal{CF}}_{\mu },{\mathcal{CL}}_{\mu }\}$ and send ${\mathcal{Q}}_{\mu }$ to the $\mathcal{CSP}$.

Algorithm 2: OptLocQue Algorithm

Input: The encrypted location data set $c_i$, the encrypted query token ${\mathcal{Q}}_{\mu }$, the query key $s{k}_{\mu }$, the secret key

$s{k}_{\mathcal{DO}}$, the map table $MT$, and the public system parameters $mpk$

Output: The encrypted optimal query result ${\mathcal{C}}_{res}$

1: Load the encrypted query token ${\mathcal{Q}}_{\mu }=\{{\mathcal{CF}}_{\mu },{\mathcal{CL}}_{\mu }\}$;

2: Decrypt ${\mathcal{CF}}_{\mu }$ to $M_{{\mathcal{F}}_{\mu }}={\displaystyle \frac{{\mathcal{CF}}_{\mu ,1}·e(s{k}_{\mu ,t,1},{\mathcal{CF}}_{\mu ,2})}{e(s{k}_{\mu ,t,0},{\mathcal{CF}}_{\mu ,0})}}$;

3: Decrypt ${\mathcal{CL}}_{\mu }$ to $L={\displaystyle \frac{{\mathcal{CL}}_{\mu ,1}·e(s{k}_{\mu ,t,1},{\mathcal{CL}}_{\mu ,2})}{e(s{k}_{\mu ,t,0},{\mathcal{CL}}_{\mu ,0})}}$;

4: for $1\le i\le n_{\mathcal{MO}}$ do

5:   for $1\le j\le n_{\mu }$ do

6:      if $L.H_1\left(y_{\mu ,j}\right)=MT.H_1\left(x_i\right)$

7:        Load the $c_i$ of $MT.H_1\left(x_i\right)$ and decrypt $c_i$ to $l_i$;

8: Obtain the location intersection set $U_I=\left\{l_i\right\}$;

9: for $1\le \xi \le s$ do

10:   foreach $l_i$ in $U_I$ do

11:      Compute the euclidean distance $d(l_i,f_{\xi })$ between $f_{\xi }$ and $l_i$;

12:      Compute accumulated value $\sum =d(l_i,f_{\xi })$;

13: Select the query type, namely RNNQ, AVGQ, or MAXQ;

14: Obtain the optimal query result $res$;

15: Select a random value $r_R\in Z_q^{*}$;

16: Compute encrypted optimal query result ${\mathcal{C}}_{res}=\{{\mathcal{C}}_{res,0}=g^{r_R},{\mathcal{C}}_{res,1}=res·e(H_1{\left(ri{d}_{\mu }\right)}^{r_R},h_{\mu }),$

${\mathcal{C}}_{res,2}=H_2{\left(T_t\right)}^{r_R}\}$;

17: Send the ${\mathcal{C}}_{res}$ to the ${\mathcal{DU}}_{\mu }$.

5. Security Analysis

We now analyze the security of the ROLQ-TEE scheme. The goal of the adversary is to be able to decrypt ciphertext with the key of a revoked user.

Theorem 1.

The ROLQ-TEE scheme maintains data privacy if the discrete logarithm problem and the collision resistance of hash functions are hard.

Proof. 

The query token, customer list, and query result are encrypted with public keys using random numbers, unique identifiers, and timestamps. Under the premise that the adversary $\mathcal{A}$ does not know the private key, the adversary $\mathcal{A}$ needs to solve computational problems such as discrete logarithms and the anti-collision of hash functions in probabilistic polynomial time. This contrasts with the issues explored in Section 3.2 and Section 3.3. Since the adversary $\mathcal{A}$ cannot crack the ciphertext of the query token, customer list, and query result, the ROLQ-TEE scheme maintains data privacy. □

Theorem 2.

The ROLQ-TEE scheme maintains revocable security if the discrete logarithm problem and the collision resistance of hash functions are hard.

Proof. 

The optimal location query process of the ROLQ-TEE scheme is carried out in the TEE (Intel SGX), and its correctness relies on the guarantee of hardware security. For a more detailed proof process, please refer to references [29,33]. Therefore, our scheme only needs to ensure that the ciphertext data in other stages cannot be decrypted by the adversary or revoked by users. We will meet this design goal in Stage 1, Stage 2, and Stage 3.

Stage 1: In the ciphertext upload stage, the following processes occur: (1) $\mathcal{DO}$ generates the master secret key $msk$ locally and transmits it to TEE through a secure channel generated by TEE remote attestation. The security of the transmission depends on the ECDH protocol [33]. Since $\mathcal{DO}$ and TEE are trusted and the transmission process is secure, it is impossible for an adversary $\mathcal{A}$ to obtain the master secret key through monitoring or tampering. (2) These keys used for data encrypted by the ${\mathcal{DU}}_{\mu }$ are derived keys, which are derived by TEE through $msk$ and securely distributed by TEE. The adversary $\mathcal{A}$ cannot forge the $s{k}_{\mu }$ and $s{k}_{\mathcal{DO}}$ in probabilistic polynomial time without knowing $msk$, because the adversary $\mathcal{A}$ cannot solve the discrete logarithm problem and the collision resistance of the hash function. In summary, the ROLQ-TEE scheme is secure during the ciphertext upload phase.

Stage 2: During the token upload phase, each ${\mathcal{DU}}_{\mu }$ generates a query token $\mathcal{Q}$ using a unique identity $ri{d}_{\mu }$ and the public parameters $mpk$. If the adversary $\mathcal{A}$ can decrypt the encrypted token in polynomial time, then the adversary $\mathcal{A}$ must solve the discrete logarithm problem and the collision resistance of the hash function in polynomial time in order to forge the analysis key $s{k}_{\mu }$. This contradicts the difficulty of solving discrete logarithms and the anti-collision property of the $H_1$ and $H_2$ hash functions. Therefore, it is computationally infeasible for the adversary $\mathcal{A}$ to break the token with a non-negligible advantage.

Stage 3: During the key refresh phase, the TEE recalculates the parameters $s{k}_{\mu ,t+1,0}$ and $s{k}_{\mu ,t+1,1}$ for each non-revoked request user, utilizing the updated timestamp $T_{t+1}$ and updated random number $r_{\mu ,t+1}$ to generate the refreshed query key $s{k}_{\mu }^{\prime }$. Thus, when ${\mathcal{DU}}_{\mu }$ initiates a query again using the new query key $s{k}_{\mu }^{\prime }$, the messages ${\mathcal{F}}_{\mu }$ and $U_{\mu }$ are randomized with $r_{\mu }^{\prime }$ and $r_{\mu ,j}^{\prime }$, respectively, instead of with $r_{\mu }$ and $r_{\mu ,j}$. Thus, the adversary $\mathcal{A}$ cannot decrypt the encrypted tokens ${\mathcal{CF}}_{\mu }^{\prime }$ and ${\mathcal{C}}_{\mu ,j}$. However, the adversary $\mathcal{A}$ can try to recover the query key $s{k}_{\mu }^{\prime }$. Since the query key $s{k}_{\mu }^{\prime }$ is randomized by a random number $r_{\mu ,t+1}$, and the discrete logarithm problem (DLP) and the collision resistance of the hash function, it is computationally infeasible for the adversary $\mathcal{A}$. Thus, the adversary $\mathcal{A}$ can not break the query key $s{k}_{\mu }^{\prime }$ of the ${\mathcal{DU}}_{\mu }$ within probabilistic polynomial time. □

Theorem 3.

The ROLQ-TEE scheme maintains data anonymity if the pseudo-random function and the advanced encryption standard galois/counter mode (AES-GCM) algorithm are secure.

Proof. 

During the query phase, the ${\mathcal{DU}}_{\mu }$ sends a query token ${\mathcal{Q}}_{\mu }$ to the cloud server, which contains the encrypted set ${\mathcal{CF}}_{\mu }$ of candidate facilities and the encrypted customer list ${\mathcal{CL}}_{\mu }$.

In the optimal location analysis phase, assuming that the TEE created by the $\mathcal{DO}$ operates securely and correctly on the $\mathcal{CSP}$, the location analysis process is executed within the TEE. The critical step involves comparing the customer identity of the mapping table $MT$ with the customer list L to determine the corresponding encrypted location data. Subsequently, the TEE calculates the Euclidean distance between the intersected customer locations and the candidate facility locations to produce a ranking of the candidate facilities. Notably, the customer identity in the mapping table and the customer list are encrypted using a pseudo-random function F.

During the decryption phase, the ${\mathcal{DU}}_{\mu }$ only obtains the ranking results ${\mathcal{C}}_{res}$ of the candidate facility locations. Even if the ${\mathcal{DU}}_{\mu }$ attempts to reverse-engineer the ranking results ${\mathcal{C}}_{res}$ through extensive computation and combinatorial analysis, they can infer only the intersection data permitted by the scheme, but cannot deduce any additional location data stored by the $\mathcal{DO}$ other than the intersection. Furthermore, due to the security of the pseudorandom function and the ${\mathcal{DU}}_{\mu }$’s inability to access the $MT$, the ${\mathcal{DU}}_{\mu }$ cannot obtain the identities of customers other than the intersection, nor can they access the corresponding location data. Additionally, the location data are encrypted using the AES-GCM algorithm. Without knowledge of the storage key $s{k}_{\mathcal{DO}}$, the ${\mathcal{DU}}_{\mu }$ is unable to infer any additional location data from the ciphertext. The security of the pseudorandom function and the AES-GCM encryption algorithm has been proven in [34,35], respectively, and will not be further elaborated on here. □

6. Performance Evaluation

In this section, we analyze the computational complexity, communication overhead, query efficiency, and memory usage of the ROLQ-TEE scheme.

6.1. Complexity Analysis

In this section, the performance and functions of these schemes are summarized in

Table 2. Comparison with prior works. We assume that P is a bilinear pairing operation, E is a modular exponential operation, H is an operation of mapping to the coordinates of an elliptic curve point in a cyclic group, Mu is a modular multiplication operation, Div is a modular division operation, Com is an element comparison operation on the group, Dec is an AES-GCM decryption algorithm, $\tilde{n}$ is the size of the superset, and w is a random number selected by the server in the maximum distance query/seiver (MAXQ/S) and maximum distance query/seiver (MAXQ/C) protocols. TEE indicates whether this scheme has a trusted execution environment.

Schemes	Query Computation Complexity		Storgae			RNN	Revocation	TEE
	S(TEE)	C($\mathcal{DU}$)	C($\mathcal{DO}$)	C($\mathcal{DU}$)	S
RNNQ/S [9]	($n_{\mathcal{DO}}·s$)$dist$	($n_{\mu }·s$)Mu
	$\tilde{n}·s$(2E+Mu)	s(2E+Mu)	$O(n_{\mu }+s)$	$O(n_{\mu }+s)$	$O\left(n_{\mathcal{DO}}\right)$	✔	✘	✘
	s(Div+E+Mu)
AVGQ/S [9]	($n_{\mathcal{DO}}·s$)$dist$	2$n_{\mu }·$Mu
	2$\tilde{n}$(2E+Mu)	2(2E+Mu)	$O(n_{\mu }+s)$	$O(n_{\mu }+s)$	$O\left(n_{\mathcal{DO}}\right)$	✔	✘	✘
	2(Div+E+Mu)	1 Div
MAXQ/S [9]	($n_{\mathcal{DO}}·s$)$dist$	$w·$ ($n_{\mu }-1$)Mu
	$\tilde{n}·w$(2E+Mu)	$w·$E	$O(n_{\mu }+s)$	$O(n_{\mu }+s)$	$O\left(n_{\mathcal{DO}}\right)$	✔	✘	✘
	w(Div+E+Mu)
RNNQ/C [9]	($n_{\mathcal{DO}}·s$)$dist$
	s(2E+Mu)	s(Div+E+Mu)	$O(n_{\mu }+s)$	$O(n_{\mu }+s)$	$O\left(n_{\mathcal{DO}}\right)$	✔	✘	✘
	($n_{\mathcal{DO}}+s$)Mu
AVGQ/C [9]	($n_{\mathcal{DO}}·s$)$dist$	2(Div+E+Mu)
	2(2E+Mu)+2$n_{\mathcal{DO}}·$Mu	1 Div	$O(n_{\mu }+s)$	$O(n_{\mu }+s)$	$O\left(n_{\mathcal{DO}}\right)$	✔	✘	✘
	$n_{\mathcal{MO}}·$E
MAXQ/C [9]	($n_{\mathcal{DO}}·s$)$dist$	(w-q)(Div+E+Mu)
	$n_{\mathcal{DO}}$·Mu	Div+E+Mu	$O(n_{\mu }+s)$	$O(n_{\mu }+s)$	$O\left(n_{\mathcal{DO}}\right)$	✔	✘	✘
	$w·$E ≤w(2E+Mu)
RNNQ	($n_I·s$)$dist$	2(3E+P+2H+Mu)
	$n_I$·Dec	2P+Mu+Div	$O\left(1\right)$	$O(n_{\mu }+s)$	$O\left(n_{\mathcal{DO}}\right)$	✔	✔	✔
	5P+3Mu+2Div+3E+2H
AVGQ	($n_I·s$)$dist$+sDiv	2(3E+P+2H+Mu)
	$n_I$·Dec	2P+Mu+Div	$O\left(1\right)$	$O(n_{\mu }+s)$	$O\left(n_{\mathcal{DO}}\right)$	✔	✔	✔
	5P+3Mu+2Div+3E+2H
MAXQ	($n_I·s$)$dist$+(s-1)Com	2(3E+P+2H+Mu)
	$n_I$·Dec	2P+Mu+Div	$O\left(1\right)$	$O(n_{\mu }+s)$	$O\left(n_{\mathcal{DO}}\right)$	✔	✔	✔
	5P+3Mu+2Div+3E+2H

. Table 2 shows the computational cost of the optimal location query, the storage cost of all entities, and some functional characteristics. Yilmaz [9] implements a server-based query processing protocol and a client-based query processing protocol, respectively. Each protocol implements the following three most effective location analysis methods: cardinality query (RNNQ), average distance query (AVGQ), and maximum distance query (MAXQ). Similarly, our scheme also implements the above three query methods. However, the overall complexity of the three query methods of the ROLQ-TEE scheme on the server side is higher than that of the three query methods of the above scheme [9]. The reason is that the three query methods of the ROLQ-TEE scheme achieve stronger privacy protection than the above three query methods, so there are more encryption and decryption operations on the server side. Moreover, due to the introduction of TEE, the ROLQ-TEE scheme enables the cloud server provider $\mathcal{CSP}$ to communicate less frequently with data owners $\mathcal{DO}$ (or ${\mathcal{DU}}_{\mu }$), thereby reducing the communication complexity of clients such as $\mathcal{DO}$ or ${\mathcal{DU}}_{\mu }$. If the encryption and decryption operation are not considered, the computational efficiency of the three query methods of the ROLQ-TEE scheme is far better than the above three query methods. This is mainly because the ROLQ-TEE scheme only processes the plaintext data in the $U_I$ in TEE, not all the ciphertext data. Therefore, the computational overhead is less than that of ciphertext processing in reference [9]. Meanwhile, the query computation complexity on the user side is reduced to a constant level, such as 6E+4P+4H+3Mu+Div, and our scheme reduces the storage overhead to $O\left(1\right)$ on the data owner side. However, the storage overhead of the $\mathcal{CSP}$ is the same as in reference [9]. Additionally, the ROLQ-TEE scheme also implements the revocation of user query permissions, avoiding a situation wherein location data are abused by data users ${\mathcal{DU}}_{\mu }$ after the query service expires. Compared with the scheme in reference [9], the ROLQ-TEE scheme achieves stronger privacy protection in terms of access control. Therefore, the ROLQ-TEE scheme also increases the computational overhead of key refresh and the communication overhead of key distribution accordingly.

6.2. Memory Usage

From

Table 3. Memory usage compared with previous work.

Schemes	Memory Usage
	${\mathit{n}}_{\mathit{I}}=\mathbf{10},\mathbf{000},\mathbf{000}$	$\mathit{s}=\mathbf{100}$
[9]	250 MB	25 KB
ROLQ-TEE	28.61 MB	29.3 KB

, we can see that, when the number of intersections $n_I$ is one million, the occupancy rate of our scheme in the ciphertext is reduced by $88\%$ compared with that in scheme [9]. However, when the number of candidate facilities s is 100, the memory usage of our scheme is higher than that of scheme [9]. This is because the facility location data transmitted in scheme [9] is in plain text, while our scheme is in ciphertext.

6.3. Communication

In this section, the communication overhead of these schemes can be found in

Table 4. Communication overhead compared with previous work. We assume that $lo{g}_{2}q$ represents the bit size of the elements on $Z_q$, $lo{g}_{2}N$ represents the bit size of the elements on $Z_N$, $|{\mathbb{G}}_{\mathbb{T}}|$ represents the bit size of the element on the group ${\mathbb{G}}_{\mathbb{T}}$ with order q, and $\left|\mathbb{G}\right|$ represents the bit size of the element on the group $\mathbb{G}$ with order q, where $N=pq$ and p and q are large prime numbers of the same size.

Schemes	Communication
	C($\mathcal{DO}$)	$\mathcal{DU}$	S
RNNQ/S [9]	$s(lo{g}_{2}q+lo{g}_{2}N)$	/	$lo{g}_{2}N(n_{\mathcal{DO}}+2s)$
AVGQ/S [9]	$s(lo{g}_{2}q+lo{g}_{2}N)$	/	$lo{g}_{2}N(n_{\mathcal{DO}}+2s)$
MAXQ/S [9]	$s(lo{g}_{2}q+lo{g}_{2}N)$	/	$lo{g}_{2}N(n_{\mathcal{DO}}+2s)$
RNNQ/C [9]	$s·lo{g}_{2}q+n_{\mu }·lo{g}_{2}N$	/	$s·lo{g}_{2}N$
AVGQ/C [9]	$s·lo{g}_{2}q+n_{\mu }·lo{g}_{2}N$	/	$s·lo{g}_{2}N$
MAXQ/C [9]	$s·lo{g}_{2}q+n_{\mu }·lo{g}_{2}N$	/	$s·lo{g}_{2}N$
RNNQ	$2n_{\mathcal{DO}}·lo{g}_{2}q$	$(s+1)|{\mathbb{G}}_{\mathbb{T}}|+2(s+1)|\mathbb{G}|$	$|{\mathbb{G}}_{\mathbb{T}}|+2|\mathbb{G}|$
AVGQ	$2n_{\mathcal{DO}}·lo{g}_{2}q$	$(s+1)|{\mathbb{G}}_{\mathbb{T}}|+2(s+1)|\mathbb{G}|$	$|{\mathbb{G}}_{\mathbb{T}}|+2|\mathbb{G}|$
MAXQ	$2n_{\mathcal{DO}}·lo{g}_{2}q$	$(s+1)|{\mathbb{G}}_{\mathbb{T}}|+2(s+1)|\mathbb{G}|$	$|{\mathbb{G}}_{\mathbb{T}}|+2|\mathbb{G}|$

. This table describes the communication overhead of the entity in the system model, which mainly considers the transmitted ciphertext, the query request, and the query result. The keys have little effect on the communication overhead and are not considered for the time being. Yilmaz [9] implemented two protocols, one based on client query protocol and the other based on server query. As can be seen in Table 4, the communication overhead of our scheme on both the data owner side and the cloud server provider side is smaller than that of Yilmaz’s two protocols. The communication overhead on the data user side is significantly greater than that of the Yilmaz [9] scheme, mainly because the client in the [9] scheme is both the data owner $\mathcal{DO}$ and the data user ${\mathcal{DU}}_{\mu }$, and the data user ${\mathcal{DU}}_{\mu }$ in our scheme needs to send not only requests but also customer identifiers. In addition, regardless of how the number of candidate facilities s and the amount of data owner data $n_{\mathcal{DO}}$ increase, the communication overhead of the cloud server provider in our scheme is almost constant. Similarly, this also means that the computational overhead of the data owner is constant.

6.4. Efficiency

We implemented this scheme in C/C++ on a workstation that supports Intel SGX. All experiments were performed on a 64-bit Ubuntu 22.04.3 LTS machine with a 2.9 × 16 GHz Intel Core i7 processor and 32 GB of RAM. All distances were calculated using the trusted execution environment in the Euclidean metric.

In our experiments, we utilized real datasets [36] comprising 573,703 check-ins from Tokyo. The x and y coordinates were scaled to integer values ranging from 1 to 10,000. As the total number of users in the dataset is fewer than 5000, we treated each check-in location as the location of an individual data user. Thus, we set $n_{\mathcal{MO}}$ = 573,703 in the Tokyo dataset. We randomly selected 60 percent of the data in the above dataset and some synthetic data as a dataset for a data user ${\mathcal{DU}}_{\mu }$. For existing facilities, we also selected 1 percent of the location data in the Tokyo dataset as the location of existing facilities. For synthetic datasets, the x and y coordinates of the user locations and facility locations were randomly generated as integer values ranging from 1 to $maxvalue=10,000$.

When setting s = 10 and $n_I$ = 100, we conducted a systematic test on each algorithm in the scheme, as in Figure 4. Figure 4 shows the running time comparison of each algorithm under different numbers of data users ${\mathcal{DU}}_{\mu }$. Figure 4 clearly shows that the number of ${\mathcal{DU}}_{\mu }$ is proportional to the KeyGen algorithm and the KeyFresh algorithm, while the other algorithms are independent of the number of ${\mathcal{DU}}_{\mu }$.

Figure 5 shows the computation costs of three analysis methods. As shown in Figure 5a, when the number s of facilities in ${\mathcal{F}}_{\mu }$ and the number $n_I$ of intersection users in $U_I$ increase at the same time, the time taken for an RNNQ analysis will also increase. Note that the RNNQ analysis time we tested refers to the total test time for decrypting data and calculating the Euclidean distance between all facilities in ${\mathcal{F}}_{\mu }$ and all intersection users in $U_I$. Therefore, the RNNQ analysis time increases proportionally with both the number s of facilities in ${\mathcal{F}}_{\mu }$ and the number $n_I$ of intersection users in $U_I$.

In Figure 5b, when the number s of facilities in ${\mathcal{F}}_{\mu }$ and the number $n_I$ of intersection users in $U_I$ increase at the same time, the time taken for an AVGQ query will also increase. Note that the AVGQ query time we tested is the sum of the average analysis time of computing the Euclidean distance between all facilities in ${\mathcal{F}}_{\mu }$ and all intersection users in $U_I$.

In Figure 5c, when the number s of facilities ${\mathcal{F}}_{\mu }$ and the number $N_I$ of intersection users in $U_I$ increase at the same time, the time taken for a MAXQ query will also increase. Note that the MAXQ query time we tested is the analysis time required to compute the minimum Euclidean distance among the Euclidean distances between all facilities in ${\mathcal{F}}_{\mu }$ and all intersection users in $U_I$.

In particular, during the RNNQ query process, the TEE needs to decrypt and analyze a large amount of data in sequence, while AVGQ analysis and MAXQ query are performed based on the decrypted data of the RNNQ query, so the query time taken for AVGQ and MAXQ is less than the query time taken for RNNQ.

Figure 6a shows that, when the number of facilities $s=100$, as the number $n_I$ of intersection user data increases, the query time taken for the three analysis methods RNNQ, AVGQ, and MAXQ also gradually increases. Similarly, Figure 6b shows that, when the number of intersection user data $n_I=\mathrm{10,000}$, as the number s of facilities increases, the query time taken for the three analysis methods RNNQ, AVGQ, and MAXQ also gradually increases. Figure 6a,b clearly show that the number $n_I$ of intersection data and the number s of facilities have a huge impact on the query time taken for RNNQ. Compared with the number s of facilities, the number $n_I$ of intersection data has a more significant impact on the query time taken for AVGQ and MAXQ.

7. Conclusions

We propose the ROLQ-TEE scheme, a privacy-preserving scheme for querying location data of telecommunication operators and data users in a cloud service provider ($\mathcal{CSP}$) utilizing a Trusted Execution Environment (TEE). This scheme incorporates the following three key functionalities: (a) The TEE-based query architecture ensures data and code confidentiality and integrity within the TEE, preventing customer lists from being exposed to the $\mathcal{CSP}$; (b) the privacy-preserving optimal location query enables the secure computation of optimal locations without revealing query results to the $\mathcal{CSP}$. Meanwhile, it also supports three types of queries—reverse nearest neighbor query (RNNQ), average query (AVGQ), and maximum query (MAXQ)—to address different objectives in optimal location queries; finally, (c) the data user revocation mechanism facilitates the efficient revocation of expired users’ query permissions through a simple key refresh process. Finally, the security of the ROLQ-TEE scheme is based on the discrete logarithm problem and the collision resistance of hash functions, as demonstrated in [37,38]. Experimental evaluations of various query types confirm that the scheme is both practical and scalable.

Furthermore, we plan to incorporate mechanisms such as zero-knowledge proofs or blockchain-based consensus in future research work to address the problem of collusion between entities and support batch query processing.