Papers
Topics
Authors
Recent
Search
2000 character limit reached

BRASP: Encrypted Boolean Range Queries

Updated 5 July 2026
  • BRASP is a searchable encryption scheme for Boolean range queries over encrypted spatial data that uses Hilbert-curve prefix encoding and encrypted inverted indexes.
  • It employs a dual-server architecture with index shuffling and ID-field redistribution to hide both search and access patterns while supporting dynamic updates and forward security.
  • Experimental results show that BRASP outperforms comparable systems in key phases by reducing CPU cost despite a modest increase in communication overhead.

BRASP is a searchable encryption scheme for Boolean range queries over encrypted spatial data. It is defined for an outsourced spatio-textual database in which the data owner holds DB={O1,…,On}DB=\{O_1,\dots,O_n\}, with Oi=(loci,Wi)O_i=(loc_i,W_i), loci∈[0,1]2loc_i\in[0,1]^2, and Wi⊆WW_i\subseteq \mathcal{W}, and a Boolean range query Q=(Rq,Wq)Q=(R_q,W_q) asks for

Δ(Q)={Oi∈DB∣loci∈Rq and Wq⊆Wi}.\Delta(Q)=\{O_i\in DB \mid loc_i\in R_q \text{ and } W_q\subseteq W_i\}.

The scheme targets the standard leakage problem in efficient searchable encryption: most practical constructions leak the search pattern and access pattern, which may allow an honest-but-curious cloud server to infer query contents, user interests, or returned records. BRASP addresses this setting by combining Hilbert-curve-based prefix encoding with encrypted prefix-ID and keyword-ID inverted indexes, and by using a dual-server design with index shuffling and ID-field redistribution to hide both search and access patterns while supporting dynamic updates and forward security (Zhang et al., 9 Apr 2026).

1. Problem formulation and threat model

The BRASP problem setting is explicitly spatio-textual. Each object couples a two-dimensional location with a keyword set, and query semantics are conjunctive across the spatial and textual dimensions: an object matches only if its location lies in the query range RqR_q and the query keyword set WqW_q is contained in the object’s keyword set.

The privacy objectives are stated in two distinct forms. Search-pattern privacy requires that an adversary should not learn whether two trapdoors correspond to the same QQ. Access-pattern privacy requires that an adversary should not learn which encrypted objects match each query beyond what can be simulated from the mandatory leakage. These two goals are central because repeated searches and observable result behavior are precisely the channels through which efficient searchable encryption systems often become vulnerable.

The adversary model is a dual-server one. BRASP assumes two non-colluding honest-but-curious cloud servers, CS1CS_1 and Oi=(loci,Wi)O_i=(loc_i,W_i)0. The data owner and authorized clients are trusted. Oi=(loci,Wi)O_i=(loc_i,W_i)1 and Oi=(loci,Wi)O_i=(loc_i,W_i)2 each observe their local encrypted indexes, shuffled states, received trapdoors, partial decryptions, and inter-server messages, but do not collude. This suggests that BRASP trades a stronger deployment assumption—non-collusion—for stronger privacy against single-server observation (Zhang et al., 9 Apr 2026).

2. System architecture and end-to-end workflow

BRASP involves four parties: the Data Owner (DO), an Authorized Client, and two cloud servers Oi=(loci,Wi)O_i=(loc_i,W_i)3 and Oi=(loci,Wi)O_i=(loc_i,W_i)4. The DO builds and encrypts indexes, holds master keys, and authorizes clients. The Authorized Client holds a client key Oi=(loci,Wi)O_i=(loc_i,W_i)5, generates query and update tokens, recovers results, and triggers index redistribution. Each cloud server stores one share of the encrypted prefix-ID and keyword-ID indexes plus the encrypted object set.

Party Held or stored material Role
Data Owner master keys builds and encrypts indexes; authorizes clients
Authorized Client client key Oi=(loci,Wi)O_i=(loc_i,W_i)6 generates query/update tokens; recovers results; triggers index redistribution
Oi=(loci,Wi)O_i=(loc_i,W_i)7 one share of encrypted indexes and encrypted object set search, partial decryption, shuffle participation
Oi=(loci,Wi)O_i=(loc_i,W_i)8 one share of encrypted indexes and encrypted object set search, partial decryption, shuffle participation

The system workflow is staged. In DO.Setup, the DO generates a TPF key Oi=(loci,Wi)O_i=(loc_i,W_i)9, a TUR key pair loci∈[0,1]2loc_i\in[0,1]^20, partial TUR keys loci∈[0,1]2loc_i\in[0,1]^21, and shuffle-seeds loci∈[0,1]2loc_i\in[0,1]^22. In DO.EncryptedIndexBuild, the DO builds two shared inverted indexes loci∈[0,1]2loc_i\in[0,1]^23 on loci∈[0,1]2loc_i\in[0,1]^24 and loci∈[0,1]2loc_i\in[0,1]^25 on loci∈[0,1]2loc_i\in[0,1]^26. Before any search and after each search or update, loci∈[0,1]2loc_i\in[0,1]^27 re-randomizes and permutes both indexes. The client then runs TokenGeneration for a query loci∈[0,1]2loc_i\in[0,1]^28, producing trapdoors loci∈[0,1]2loc_i\in[0,1]^29 that are sent to both servers. During Search, the servers perform partial decryptions and bitmap intersections and return encrypted result shares to the client. The client recovers Wi⊆WW_i\subseteq \mathcal{W}0 and triggers IndexRedistribution to refresh ID-field shares. Updates are handled through client-generated Wi⊆WW_i\subseteq \mathcal{W}1, which Wi⊆WW_i\subseteq \mathcal{W}2 apply in a forward-secure way (Zhang et al., 9 Apr 2026).

A notable systems property is that the shuffle is not an occasional maintenance step; it is part of the privacy-preserving lifecycle. The index state is refreshed before any search and after each search or update, so the storage structure itself becomes stateful.

3. Hilbert-curve encoding and encrypted inverted indexes

BRASP reduces two-dimensional spatial filtering to prefix matching by means of a Hilbert mapping. For a fixed curve order Wi⊆WW_i\subseteq \mathcal{W}3, the unit square is divided into Wi⊆WW_i\subseteq \mathcal{W}4 cells, and

Wi⊆WW_i\subseteq \mathcal{W}5

maps each point Wi⊆WW_i\subseteq \mathcal{W}6 to a single integer Hilbert value Wi⊆WW_i\subseteq \mathcal{W}7. Writing the Wi⊆WW_i\subseteq \mathcal{W}8-bit binary representation of Wi⊆WW_i\subseteq \mathcal{W}9 as Q=(Rq,Wq)Q=(R_q,W_q)0, BRASP defines the prefix family

Q=(Rq,Wq)Q=(R_q,W_q)1

where Q=(Rq,Wq)Q=(R_q,W_q)2 is a wildcard bit.

For a target Hilbert interval Q=(Rq,Wq)Q=(R_q,W_q)3, BRASP computes the minimal set of prefixes Q=(Rq,Wq)Q=(R_q,W_q)4 such that

Q=(Rq,Wq)Q=(R_q,W_q)5

A point with value Q=(Rq,Wq)Q=(R_q,W_q)6 lies in the range iff

Q=(Rq,Wq)Q=(R_q,W_q)7

This is the scheme’s core geometric reduction: range membership is transformed into prefix-family overlap.

The plaintext indexing layer contains two bitmap-based inverted indexes. The prefix-ID index is

Q=(Rq,Wq)Q=(R_q,W_q)8

where Q=(Rq,Wq)Q=(R_q,W_q)9 is a prefix string and Δ(Q)={Oi∈DB∣loci∈Rq and Wq⊆Wi}.\Delta(Q)=\{O_i\in DB \mid loc_i\in R_q \text{ and } W_q\subseteq W_i\}.0 with Δ(Q)={Oi∈DB∣loci∈Rq and Wq⊆Wi}.\Delta(Q)=\{O_i\in DB \mid loc_i\in R_q \text{ and } W_q\subseteq W_i\}.1 iff Δ(Q)={Oi∈DB∣loci∈Rq and Wq⊆Wi}.\Delta(Q)=\{O_i\in DB \mid loc_i\in R_q \text{ and } W_q\subseteq W_i\}.2 matches Δ(Q)={Oi∈DB∣loci∈Rq and Wq⊆Wi}.\Delta(Q)=\{O_i\in DB \mid loc_i\in R_q \text{ and } W_q\subseteq W_i\}.3. The keyword-ID index is

Δ(Q)={Oi∈DB∣loci∈Rq and Wq⊆Wi}.\Delta(Q)=\{O_i\in DB \mid loc_i\in R_q \text{ and } W_q\subseteq W_i\}.4

where Δ(Q)={Oi∈DB∣loci∈Rq and Wq⊆Wi}.\Delta(Q)=\{O_i\in DB \mid loc_i\in R_q \text{ and } W_q\subseteq W_i\}.5 is a plaintext keyword and Δ(Q)={Oi∈DB∣loci∈Rq and Wq⊆Wi}.\Delta(Q)=\{O_i\in DB \mid loc_i\in R_q \text{ and } W_q\subseteq W_i\}.6 iff keyword Δ(Q)={Oi∈DB∣loci∈Rq and Wq⊆Wi}.\Delta(Q)=\{O_i\in DB \mid loc_i\in R_q \text{ and } W_q\subseteq W_i\}.7.

Encryption is split across labels and bitmaps. TPF, the Tailored Proxy PRF, is used for labels: Δ(Q)={Oi∈DB∣loci∈Rq and Wq⊆Wi}.\Delta(Q)=\{O_i\in DB \mid loc_i\in R_q \text{ and } W_q\subseteq W_i\}.8, Δ(Q)={Oi∈DB∣loci∈Rq and Wq⊆Wi}.\Delta(Q)=\{O_i\in DB \mid loc_i\in R_q \text{ and } W_q\subseteq W_i\}.9, and RqR_q0 moves RqR_q1 under a new key without touching RqR_q2. TUR, the Tailored Universal Re-encryption, is used for bitmaps: RqR_q3, RqR_q4, RqR_q5, RqR_q6, RqR_q7 a partial decryption, and RqR_q8.

In encrypted index construction, for each RqR_q9, BRASP computes WqW_q0 and WqW_q1, then stores WqW_q2 in WqW_q3; the keyword index is handled analogously. This decomposition separates searchable labels from encrypted bitmap payloads and enables later shuffling and re-randomization without reconstructing plaintext indexes (Zhang et al., 9 Apr 2026).

4. Query execution and dual-server pattern hiding

Query execution begins with prefix-cover computation. For a Boolean range query WqW_q4, the client computes WqW_q5. For each WqW_q6, the client computes

WqW_q7

and performs the same procedure for each WqW_q8, yielding WqW_q9 and QQ0.

On the server side, QQ1 first transforms client trapdoors into master-key space. For each QQ2, it computes QQ3, finds the matching QQ4 entry by label equality, and applies QQ5 to the corresponding encrypted ID bitmap. It performs the same steps for keywords and sends the resulting partial decryptions to QQ6. QQ7 completes decryption of the bitmap shares, uses them to locate matching encrypted objects, unions prefix matches, intersects keyword matches, and returns the encrypted object-ID list. The final server-side result structure is

QQ8

The client then recovers and decrypts the returned encrypted objects (Zhang et al., 9 Apr 2026).

Pattern hiding is reinforced by a separate index-shuffling protocol. Its purpose is twofold: the same QQ9 or CS1CS_10 should lead to a fresh, unlinkable label after each shuffle, and ID bitmaps should be re-randomized and remapped so that the cloud cannot link which bitmap it saw before and after. On the CS1CS_11 side, the high-level protocol takes its index shares CS1CS_12 for CS1CS_13, sends them to CS1CS_14, and has CS1CS_15 re-encrypt labels with CS1CS_16, re-randomize the ID ciphertexts with TUR, increment the entry state, randomly permute all entries, and return the resulting structures. CS1CS_17 then re-encrypts again with CS1CS_18, re-randomizes the ciphertexts again, increments the state again, and applies a fresh permutation to obtain the new shuffled index shares.

No zero-knowledge proofs are used. Privacy relies on TPF for pseudorandom labels, TUR for re-rando Paillier, random shuffles, and split-bitmap secret sharing. This design choice is operationally significant because it places the privacy burden on re-encryption, permutation, and server separation rather than on proof-carrying query execution (Zhang et al., 9 Apr 2026).

5. Security properties and formal analyses

BRASP is formalized through confidentiality, shuffle indistinguishability, query unforgeability, and forward security. The confidentiality statement is given as Theorem 1: for any PPT adversary controlling one server, there exists a simulator CS1CS_19 with only leakage Oi=(loci,Wi)O_i=(loc_i,W_i)00 such that

Oi=(loci,Wi)O_i=(loc_i,W_i)01

The proof sketch is a hybrid argument replacing TPF outputs and TUR ciphertexts by truly random ones consistent with leakage.

Shuffle indistinguishability is formulated as a separate notion. After a shuffle, any adversary’s advantage in linking a post-shuffle entry Oi=(loci,Wi)O_i=(loc_i,W_i)02 to its pre-shuffle origin Oi=(loci,Wi)O_i=(loc_i,W_i)03 is negligible. The informal theorem states that if TPF and Oi=(loci,Wi)O_i=(loc_i,W_i)04 are pseudorandom or unlinkable, then shuffle is indistinguishable. The proof sketch is correspondingly direct: Oi=(loci,Wi)O_i=(loc_i,W_i)05 and Oi=(loci,Wi)O_i=(loc_i,W_i)06 produce unlinkable outputs, and random permutation erases positional information.

Query unforgeability appears as Theorem 3. No PPT adversary can forge a valid trapdoor for an unissued query with non-negligible probability. The stated intuition is that a successful forgery would imply either a TPF collision or a break of pseudorandomness.

Forward security is captured in Theorem 4. After an update, previous transcripts do not help link the new entries to past queries. The proof sketch attributes this to state-dependent update tokens and new TUR ciphertexts that are re-randomized and therefore unlinkable from past observations (Zhang et al., 9 Apr 2026).

Taken together, these properties characterize BRASP not merely as an efficient encrypted search structure, but as a stateful dual-server SE system whose privacy guarantees are explicitly tied to re-randomization and non-collusion.

6. Experimental results, limitations, and acronym ambiguity

The experimental evaluation uses the Yelp business dataset with approximately Oi=(loci,Wi)O_i=(loc_i,W_i)07K objects and an implementation in Python 3.12 on an AMD Ryzen 5 3500U with 16 GB RAM. The baselines are Oi=(loci,Wi)O_i=(loc_i,W_i)08 and PPSKS, and the reported metrics are computation time and communication volume for Index Build, Token Generation, Search, and Update.

The reported results are phase-specific. For Index Build, BRASP is approximately Oi=(loci,Wi)O_i=(loc_i,W_i)09–Oi=(loci,Wi)O_i=(loc_i,W_i)10 faster than the baselines. For Token Generation, BRASP scales linearly in query-size and has the lowest cost. For Search, BRASP reduces server-side computation by Oi=(loci,Wi)O_i=(loc_i,W_i)11–Oi=(loci,Wi)O_i=(loc_i,W_i)12, while communication overhead is slightly higher due to shuffle. For Update, cost grows linearly with update size, and the overhead is dominated by TUR re-encryptions. The overall comparison states that BRASP outperforms Oi=(loci,Wi)O_i=(loc_i,W_i)13 and PPSKS in all four phases, while trading a modest extra communication during search and shuffle for much lower CPU cost. The source code is publicly available at the repository specified by the authors, which is relevant for reproducibility and follow-on systems work (Zhang et al., 9 Apr 2026).

The stated limitations are also specific. Current schemes assume non-collusion, so extending to Oi=(loci,Wi)O_i=(loc_i,W_i)14 servers or threshold collusion models is open. The Hilbert-curve prefix encoding imposes Oi=(loci,Wi)O_i=(loc_i,W_i)15 fixed order, and adaptive multi-resolution indexing could improve locality or range overlap. There is no support yet for Oi=(loci,Wi)O_i=(loc_i,W_i)16-nearest-neighbor or circular range queries. All cryptographic workloads rely on Paillier-based TUR, and exploring lighter-weight additively homomorphic primitives such as elliptic-curve ElGamal could reduce update cost. Integrating verifiability, in the sense of proofs of correct search, without destroying pattern privacy is identified as an important direction.

A separate source of ambiguity is terminological rather than cryptographic. In reliability-sampling literature, BRASP is also used to denote a Bayesian reliability acceptance sampling plan under adaptive accelerated testing with competing risks and type-II censoring (Das et al., 31 Jul 2025). Closely related work under adaptive SSSPALT with Type I censoring uses the term BSPAA rather than BRASP (Das et al., 2024). In the searchable-encryption context, however, BRASP refers specifically to Boolean range queries over encrypted spatial data under access and search pattern privacy.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to BRASP.