Search-Bound Proximity Proofs: Binding Encrypted Geographic Search to Zero-Knowledge Verification

Published 5 Apr 2026 in cs.CR and cs.NI | (2604.03902v1)

Abstract: Location-based systems that combine encrypted geographic search with zero-knowledge proximity proofs typically treat the two phases as independent. Under an honest-but-curious server, this leaves an authorization provenance gap: once session state is purged, no forensic procedure can attribute a proof to its originating search session, because the proof's public inputs encode no session-identifying information. We formalize this gap as the search-authorized proof (SAP) security notion and show via a concrete audit re-association attack that proof-external mechanisms, where authorization evidence remains outside the proof, cannot prevent forensic misattribution when the same drop parameters recur across sessions. Search-Bound Proximity Proofs (SBPP) realize the SAP requirements without modifying the ZKP circuit: session nonce, Merkle-root result-set commitment, and signed receipt are decomposed into independently auditable components, enabling property-level fault isolation in offline audit. Experiments on synthetic and real-world data (110,776 OpenStreetMap POIs) show sub-millisecond absolute overhead on a 125 ms Groth16 baseline.

Authors (1)

Summary

  • The paper introduces SBPP, a protocol that cryptographically binds search sessions to ZK proximity proofs, ensuring session-specific validation.
  • The methodology leverages session nonces, Merkle commitments, and signed receipts integrated into Groth16 to enforce secure and efficient audit provenance.
  • The protocol demonstrates sub-millisecond overhead and robust precision/recall, offering practical forensic audit solutions for geo-content systems.

Overview and Motivation

This paper addresses the security and auditability gap in location-based systems that combine encrypted geographic search (such as SSE-based mechanisms) with zero-knowledge proximity proofs (e.g., Groth16). In typical deployments, search and verification phases operate independently: users first discover location-bound content via encrypted queries and subsequently prove proximity to unlock access through ZKPs. However, this separation introduces an authorization provenance gap; after server-side session state is purged, forensic auditors cannot cryptographically link a proximity proof to its originating search session. The absence of session-identifying information in the proof's public inputs enables adversaries to misattribute proofs to non-associated sessions, undermining forensic accountability in compliance-sensitive environments (e.g., geofenced media, access control audits).

SAP Security Notion and Problem Formalization

The paper formalizes the provenance gap with the Search-Authorized Proof (SAP) security notion, codifying three properties:

  • P1: Session Binding — Proofs must be session-specific; they are only valid in their originating session.
  • P2: Result-Set Authorization — Proofs must commit to the authorized content set returned during the search phase.
  • P3: Audit Provenance — Offline auditors must be able to cryptographically verify that a proof relates to the session and result set authenticated by the server, independent of mutable session state.

Through precise security games and attack classes (including audit re-association and cross-session substitution), the analysis establishes that proof-external authorization (e.g., app-layer session tokens or MACs checked outside the proof transcript) is fundamentally inadequate for binding proofs to their session context during forensic audit. Only internalizing session and result-set commitments in the proof transcript enables cryptographic attribution.

Protocol Constructions and Binding Mechanisms

The core contribution is the design and implementation of Search-Bound Proximity Proofs (SBPP), instantiating the SAP requirements without altering the underlying ZKP circuit. The SBPP protocol introduces:

  • Session Nonce ($N$): A cryptographically random session identifier assigned during search initiation.
  • Merkle Root Commitment: A commitment to the search result set via a Merkle root. Proofs include a Merkle membership witness for the selected drop, ensuring transcript-level authorization.
  • Signed Receipt: The server signs the session parameters and result-set commitment, enabling offline audit replay.

These components are composed into a digest (using domain-separated length-prefixed encoding hashed by SHA-256), which is passed as a public input to the Groth16 circuit. The soundness guarantees of Groth16 enforce the immutability of the proof binding, and the digest's inclusion ensures session isolation and result-set authorization.

Three verification modes are supported:

  • Stateful Online: Server retains full result set $\mathcal{R}$ for direct membership checking ($O(|\mathcal{R}|)$ state).
  • Compact Online: Server retains only the Merkle root and validates client-supplied membership proofs ($O(1)$ state).
  • Offline Audit: After session expiry, auditors validate stored (proof, receipt, membership witness) transcripts, relying on the receipt signature and Merkle opening.
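
The digest construction and the offline audit mode described above, as an added Python sketch (not the paper's or Zairn's code). The field order, domain tags, Merkle node layout and the HMAC stand-in for the server's receipt signature are assumptions; the Groth16 proof itself is not modelled, only the digest it would carry as a public input.

```python
import hashlib, hmac
def lp(*fields):
    # Length-prefix each field (4-byte big-endian) so field boundaries are unambiguous.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def H(tag, *fields):
    # Domain-separated SHA-256; the tag strings are assumptions of this sketch.
    return hashlib.sha256(lp(tag, *fields)).digest()

def merkle_levels(leaves):
    levels = [[H(b"leaf", x) for x in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [H(b"node", cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        levels.append(nxt + cur[len(cur) - len(cur) % 2:])  # promote an unpaired node
    return levels

def merkle_open(levels, idx):
    path = []
    for lvl in levels[:-1]:
        if (idx ^ 1) < len(lvl):  # a promoted node has no sibling on this level
            path.append((lvl[idx ^ 1], idx & 1))
        idx >>= 1
    return path

def merkle_verify(root, leaf, path):
    node = H(b"leaf", leaf)
    for sibling, node_is_right in path:
        node = H(b"node", sibling, node) if node_is_right else H(b"node", node, sibling)
    return hmac.compare_digest(node, root)

def binding_digest(nonce, root):
    return H(b"sbpp/binding", nonce, root)

def receipt_tag(key, nonce, root):
    # HMAC stands in for the server's signature to keep the sketch stdlib-only.
    return hmac.new(key, lp(b"sbpp/receipt", nonce, root), hashlib.sha256).digest()

def offline_audit(key, public_digest, receipt, drop, path):
    nonce, root, tag = receipt  # each property is checked on its own
    return {"P1": hmac.compare_digest(public_digest, binding_digest(nonce, root)),
            "P2": merkle_verify(root, drop, path),
            "P3": hmac.compare_digest(tag, receipt_tag(key, nonce, root))}

# Constructed sample: one result set served to two sessions, so drop parameters recur.
DROPS, KEY = [b"drop-%d" % i for i in range(5)], b"constructed-audit-key"
LEVELS = merkle_levels(DROPS)
def session(nonce, root=LEVELS[-1][0]):
    return binding_digest(nonce, root), (nonce, root, receipt_tag(KEY, nonce, root))
```

Auditing one session's digest against another session's receipt fails only P1, a drop outside the committed result set fails only P2, and a forged receipt fails only P3. A deployment would verify an asymmetric signature with the server's public key in place of the HMAC.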

Security Analysis

Formally, SBPP achieves SAP security under standard cryptographic assumptions (SHA-256 collision resistance, Groth16 soundness, Merkle target-binding, EUF-CMA signature security):

  • Session binding and cross-session isolation: Adversaries cannot re-associate proofs to incorrect sessions; any such attempt requires a SHA-256 collision.
  • Result-set authorization: Merkle commitments prevent adversaries from submitting proofs for content not authorized in the search phase.
  • Audit provenance: Receipt-backed offline audit is cryptographically robust, precluding session or result-set forgery unless signature or Merkle security is compromised.

The paper provides concrete reductions and sketches, demonstrating that proof-external artifacts are insufficient. Only session-distinguishing public inputs committed within the proof transcript can prevent audit misattribution.

Performance Evaluation

The SBPP protocol was implemented in the open-source Zairn platform. Experiments span synthetic and real-world datasets (110,776 OpenStreetMap POIs) and compare nine protocol variants across six attack classes. Key findings:

  • Overhead: Protocol-path overhead for SBPP is sub-millisecond (27 μs median over GridSE baseline; 0.03 ms end-to-end on a 125 ms Groth16 baseline). Merkle verification for compact mode scales negligibly (up to 1.1 ms at 50,000 candidates).
  • Scalability: Token matching scales linearly; precision and recall are robust (>0.92 recall, precision 0.54–0.60 depending on distribution).
  • Mobile latency: Warm Groth16 proof generation is 42–125 ms median; the SBPP overhead is negligible in user-perceived latency.
  • Audit workflow: Offline audit replay incurs only microsecond-level overhead; storage costs are manageable (1.5 kB per unlock, 45 GB/month at 1M unlocks/day).

Fault injection and targeted attack trials confirm that SBPP enables property-level fault isolation in audit: session rebinding, result-set escape, and context forgery are localized to independent audit components, facilitating precise diagnostics.

Practical and Theoretical Implications

Practically, SBPP enables higher-assurance forensic auditing for compliance-bound geo-content systems, maintaining cryptographic linkage between discovery and verification phases. It achieves $O(1)$ verifier state and protocol flexibility without circuit modification, making deployment feasible in real-world systems. The design decomposes authorization provenance into session, result-set, and receipt commitments, improving audit transparency and fault isolation compared to token hash aggregation approaches.

Theoretically, the SAP security notion and proof-external separation established in the paper clarify minimum requirements for binding cryptographic actions to prior search authorization. The analysis demonstrates that naive compositions (external tokens, MACs, app-layer checks) fail to prevent session misattribution, motivating careful protocol-level binding in privacy-preserving location systems.

The paper does not address SSE access-pattern leakage, client-side location spoofing, or completeness/fairness assertions under malicious servers. Integrating volume-hiding search (e.g., ORAM), verifiable query processing, and stronger client verification constitute logical extensions.

Future Directions

Extending SBPP and SAP to malicious server settings (e.g., using verifiable query protocols), mitigating residual SSE leakage with ORAM or volume-hiding techniques, and exploring transparent deployability at scale across multi-instance architectures represent promising avenues. The integration with privacy-preserving spatial queries and the adaptation for dynamic content and access tiers are natural follow-ons.

Conclusion

This work contributes a formal SAP security framework and demonstrates through SBPP a practical, efficient protocol binding encrypted geographic search to zero-knowledge proximity verification. The approach ensures cryptographically verifiable authorization provenance, delivers property-level auditability, and achieves negligible overhead in proof generation and verification. Its principled decomposition and rigorous security analysis set a baseline for compliance-centric geo-content system designs, with implications for future auditability and privacy extensions in location-based access control.
