FPGA Real-Time Trajectory Anonymization

Updated 20 November 2025

The paper demonstrates a novel FPGA-based approach that integrates history-aware k-anonymity to process trajectories in real time, ensuring rigorous privacy.
It employs a multi-stage hardware pipeline combining node approximation, shortest-path computation, and weighted counting to accurately enforce privacy requirements.
Empirical results reveal enhanced data retention and real-time processing with modest resource overhead, making the approach viable for urban location-based services.

FPGA-based real-time trajectory anonymization is an approach that leverages field-programmable gate arrays (FPGAs) to enforce rigorous privacy guarantees on spatiotemporal movement data streams in latency-sensitive applications such as location-based services (LBS). The key challenge addressed by this methodology is the real-time anonymization of user trajectories—with strong, history-aware $k$ -anonymity—while preserving the behavioral utility and fidelity of the released data under operational constraints typical of city-scale deployments. Recent research unifies trajectory privacy, computational efficiency, and behavioral realism through custom hardware pipelines that execute complex anonymization logic without violating strict service-level latency requirements (Nakano et al., 12 Nov 2025).

1. Formal Problem and Privacy Guarantees

Let $G = (V, E)$ denote a road-network graph with nodes $V$ (intersections) and directed edges $E$ (road segments). A user’s movement is observed as discrete location updates, mapped to “start” and “end” nodes ( $n_s, n_e \in V$ ). The objective is to publish only those segments $s = (u \rightarrow v) \in E$ that are traversed by at least $k$ distinct users, enforcing segment-based $k$ -anonymity, and crucially, using behaviorally plausible routes as informed by historical movement data.

Given a historical trajectory database $H = \{ P^u_j \}$ , the methodology retrieves, for each $(n_s, n_e)$ pair, all historical paths starting at $n_s$ , ending at $n_e$ with hop-count bounded by $h_{sp} + \Delta_h$ , where $h_{sp}$ is the hop-count of the geometric shortest path and $\Delta_h$ is a tunable slack parameter. Each candidate path $P$ in this set is weighted by $w(P) = 1/h$ , where $h$ is the number of history-matched candidates, ensuring an even contribution across plausible alternatives. If no historical path is found, the fallback is to publish the unique shortest path with full weight.

A segment’s accumulated count $c(s)$ is incremented by $w(P)$ for each candidate $P$ containing $s$ . Only segments with $c(s) \geq k$ are released, strictly guaranteeing segment-based $k$ -anonymity under all adversary models considered in the system (Nakano et al., 12 Nov 2025).

2. Algorithmic Pipeline and Methodologies

The anonymization process on FPGA platforms consists of four principal pipeline stages:

Node Approximation: Incoming user locations (latitude, longitude, timestamp) are mapped to the nearest graph nodes $(n_s, n_e)$ . This step employs BRAM-based hash functions for deterministic, low-latency node resolution.
Trajectory Estimation:
- Shortest-Path Computation: For each query, Dijkstra’s algorithm identifies $P_{sp}$ , enabling a geometric lower bound for candidate filtering. FPGA implementations utilize pipelined priority queues and on-chip adjacency storage for efficient execution.
- History-Based Search: The offline trajectory database $H$ is linearly scanned to retrieve all user-traversed paths matching $(n_s, n_e)$ and hop-count constraints. An FPGA state-machine tracks validity and accumulates candidates in a single streaming pass.
Candidate Selection and Weighted Counting: Candidate paths are selected as $T_{hist}(n_s, n_e)$ (or $\{P_{sp}\}$ if empty), and per-segment counters are updated by $w(P)$ for each occurrence. Accumulators are implemented as Q16.16 fixed-point arithmetic in BRAM arrays, allowing fractional contributions and atomic updates.
Segment Output: After all users in the time window are processed, only segments with counts $c(s) \geq k$ are released, suppressing others to uphold privacy.

Algorithm 1 within (Nakano et al., 12 Nov 2025) provides hardware-friendly pseudocode for the history-based path retrieval and counting mechanics.

3. FPGA Architecture and System Design

The architecture is partitioned between the Processing System (PS) and Programmable Logic (PL):

PS handles data orchestration, parameter control ( $\Delta_h$ , $k$ ), and DMA transfers for input/output.
PL comprises:
- Node Search Engine: Mapping GPS data to graph nodes.
- Trajectory Search Engine: Dual-engine for both Dijkstra-based shortest-path and history-based scanning (pipelined and streaming, respectively).
- Selection and Generation Modules: Logic for weighting and assembling candidate edge sequences.
- Fixed-Point Segment Counters: Distributed BRAM-based accumulators indexed by hash of edge pairs.

Key architectural optimizations include single-pass history search (avoiding random access), pipelined shortest-path engine, and AXI-stream DMA for zero-copy data streaming.

Resource utilization under representative city-level workloads is modest: the advanced history-aware design incurs a ~12.7% BRAM and ~1% logic increase compared to baseline shortest-path–only designs, with throughput exceeding 6,000 records/s and latency remaining compliant with <1 minute real-time constraints (Nakano et al., 12 Nov 2025).

4. Empirical Evaluation and Performance

The FPGA system was evaluated on a Xilinx Zynq UltraScale+ XCZU19EG with a 4 km² urban road network (4,500 nodes, 5,100 edges). Input comprised over 51,000 location points, with a 1-hour historical trajectory database of approximately 49,000 paths.

Key empirical results:

Data Retention Improvement: The history-aware methodology boosted retention rates by up to 1.2% over shortest-path–only anonymization (e.g., 43.4% vs. 42.3% at $k=16$ ).
Preservation of Behavioral Utility: Major arterial road segments were retained with higher accuracy due to the prioritization of frequently traveled paths observed in actual historical data.
Throughput and Scalability: Processing rates of ≥6,000 records/s were sustained across user densities typical of urban deployments, and throughput remained stable up to 70,000 historical entries.
Latency and Overhead: The proposed method exhibited a 3.33× increase in per-record processing relative to baseline, but this overhead is offset by the improved data fidelity and remains well within operational envelope.
Hop-Count Filtering: Filtering with $\Delta_h=5$ effectively suppressed outlier, infrequently traveled segments at lower $k$ thresholds; at higher $k$ values, suppression converged to retaining only the dominant corridor structure.

5. Comparison with Software-Based and Alternative Approaches

Software-based anonymization methods for trajectory $k$ -anonymity, including history-aware frameworks such as $k^{\tau,\epsilon}$ -anonymity (Gramaglia et al., 2017), TP-aware sender $k$ -anonymity (Deutsch et al., 2012), and machine learning–based anonymization (MLA) (Shaham et al., 2019), focus primarily on offline settings and rely on complex clustering, multiple sequence alignment, or generalization. While these frameworks achieve strong privacy and utility trade-offs at scale, they cannot guarantee strict real-time throughput under harsh latency constraints, and are sensitive to scaling inefficiencies.

In contrast, FPGA-based anonymization delivers deterministic processing, pipelined execution, and the ability to integrate trajectory search and candidate selections in hardware, yielding provably efficient operation at the sub-minute scale for city-scale workloads (Nakano et al., 12 Nov 2025).

6. Utility–Privacy Trade-Offs and Future Directions

The history-aware FPGA approach maintains segment-based $k$ -anonymity with no relaxation of privacy guarantees: only segments traversed by at least $k$ pseudo-distinct users (counted according to weighted history-trajectory matches) are published, precluding adversarial inference from infrequent or idiosyncratic paths.

Utility gains derive from the emulation of realistic user behavior: the system emphasizes the retention of commonly traveled arterial corridors and minimizes the publication of spurious, geometrically optimal but behaviorally implausible shortcuts. Empirical data retention is increased by up to 1.2%. Latency and resource overhead are modest compared to software or non–history-aware FPGA designs.

Future extension areas include dynamic, live updating of the historical database $H$ , integration with formal differential privacy mechanisms, and adaptive weighting strategies (e.g., with recency decay) to reflect evolving user behavior in streaming contexts (Nakano et al., 12 Nov 2025). A plausible implication is that hybrid privacy criteria, such as $k^{\tau,\epsilon}$ -anonymity, could be embedded into the same hardware pipeline, though this demands architectural adaptations not yet realized in current prototypes.

7. Context within Trajectory Anonymization Research

FPGA-based real-time trajectory anonymization is situated at the intersection of privacy-preserving data publishing and hardware-accelerated computation. It moves beyond classical snapshot $k$ -anonymity, providing defense against intersection and linkage attacks across entire trajectories, and unlike traditional approaches, is directly deployable in high-throughput, low-latency environments such as urban LBS infrastructure. This hardware paradigm complements, rather than supplants, history-aware clustering, dynamic programming, and optimization-centric anonymization research (Deutsch et al., 2012, Gramaglia et al., 2017, Shaham et al., 2019), and represents a practical, scalable solution for next-generation privacy-preserving, behaviorally coherent location data release (Nakano et al., 12 Nov 2025).