Privacy Evaluation of Generative Models for Trajectory Generation

# Privacy Evaluation of Generative Models for Trajectory Generation ††thanks: This work was supported by the MUSIT Project through the European Union’s Horizon Europe Framework Programme (HORIZON), under Marie Sklodowska-Curie grant agreement no. 101182585. The work only reflects the authors’ views; the EU Agency is not responsible for any use of the information it contains.
Source: [https://arxiv.org/html/2605.15246](https://arxiv.org/html/2605.15246)
Stavros Bouras1, Ioannis Kontopoulos1, Chiara Pugliese3, Francesco Lettich2, Emanuele Carlini2, Hanna Kavalionak2, Chiara Renso2, Konstantinos Tserpes1

###### Abstract

Trajectory data is fundamental to modern urban intelligence, yet its sensitivity raises significant privacy concerns\. Generative models such as Generative Adversarial Networks, Variational Autoencoders, and Diffusion Models have been developed to generate realistic synthetic trajectory data by capturing underlying spatiotemporal distributions and mobility patterns\. Although these models are often assumed to preserve privacy due to their generative nature, this assumption does not necessarily hold\. In this work, we investigate the intersection of generative trajectory modeling and privacy evaluation\. By identifying applicable empirical methods for assessing privacy preservation in trajectory generation tasks, we demonstrate a significant gap in the evaluation of privacy for generative trajectory models\. Motivated by this gap, we implement Membership Inference Attacks against representative models, demonstrating the feasibility of using such empirical privacy evaluation methods and showing that their generative nature does not eliminate privacy risks\.

## IIntroduction

The widespread availability of location\-aware devices has made trajectory data a valuable resource for urban applications such as traffic management and route planning\. At the same time, trajectory data is deeply sensitive, as few as four spatiotemporal points are sufficient to uniquely identify 95% of individuals\[[11](https://arxiv.org/html/2605.15246#bib.bib9)\]\. To address this limitation, the use of deep generative models has rapidly increased for synthetic trajectory generation\[[9](https://arxiv.org/html/2605.15246#bib.bib49)\]\. The use of deep learning models helps capture complex spatiotemporal dependencies and allows us to avoid sharing real data, preserving user privacy\. However, this assumption is not guaranteed, as generative models are known to memorize aspects of their training data\[[7](https://arxiv.org/html/2605.15246#bib.bib6)\], leading their outputs to resemble, or even reconstruct, the original training records, making individuals vulnerable to inference attacks, demonstrated in works such as\[[4](https://arxiv.org/html/2605.15246#bib.bib24)\]\. This highlights the need for empirical privacy evaluation of generative trajectory models, enabling a comprehensive assessment from multiple perspectives and ensuring that the generated synthetic data does not expose the privacy of the individuals from whom it was derived\.

In this paper, we aim to provide a systematic investigation of privacy in synthetic trajectory generation, with a particular focus on how privacy risks can be assessed in practice by introducing the necessary background at the intersection of trajectory generation and privacy, covering fundamental concepts, threat models, and formal privacy guarantees\.

Our contributions are threefold\. First, we identify and categorize the empirical privacy evaluation methods applicable to the trajectory generation domain \(Section[II\-B](https://arxiv.org/html/2605.15246#S2.SS2)\)\. Second, we examine representative generative models, spanning variational autoencoders, generative adversarial networks, and diffusion models, and systematically map them to the identified evaluation methods, highlighting a significant gap in current practices \(Section[III](https://arxiv.org/html/2605.15246#S3)\)\. Third, we demonstrate the feasibility of membership inference attacks against generative trajectory models, showing that privacy risks are tangible and that empirical evaluation is both necessary and practical \(Section[IV](https://arxiv.org/html/2605.15246#S4)\)\.

## IIPreliminaries

We introduce the concept of trajectory and its generation below\.

#### II\-1Trajectory Definition

Formally, a trajectory is defined as a series of spatiotemporal pointsS=\{x1,x2,…,xn\}∈ℝN×2S=\\\{x\_\{1\},x\_\{2\},\\ldots,x\_\{n\}\\\}\\in\\mathbb\{R\}^\{N\\times 2\}, where each element is represented as a tuple\(li,ti\)\(l\_\{i\},t\_\{i\}\), in whichlil\_\{i\}denotes the spatial location andtit\_\{i\}denotes the timestamp of theii\-th\[[26](https://arxiv.org/html/2605.15246#bib.bib48)\]\.

#### II\-2Trajectory Generation

Trajectory generation is defined as the process where, given a trajectory dataset𝒟=\{τ1,τ2,…,τN\}\\mathcal\{D\}=\\\{\\tau\_\{1\},\\tau\_\{2\},\\ldots,\\tau\_\{N\}\\\}and a set of environmental constraints𝒞\\mathcal\{C\}, the goal is to synthesize a new set of trajectories𝒟′=\{τ1′,τ2′,…,τN′\}\\mathcal\{D\}^\{\\prime\}=\\\{\\tau\_\{1\}^\{\\prime\},\\tau\_\{2\}^\{\\prime\},\\ldots,\\tau\_\{N\}^\{\\prime\}\\\}such that the generated set preserves the spatiotemporal properties of the original dataset, i\.e\., the distributionsP​\(𝒟\)P\(\\mathcal\{D\}\)andP​\(𝒟′\)P\(\\mathcal\{D\}^\{\\prime\}\)are similar\[[9](https://arxiv.org/html/2605.15246#bib.bib49)\]\.

The three main approaches used to generate synthetic trajectories are Variational Autoencoders \(VAEs\), Generative Adversarial Networks \(GANs\), and Diffusion Models\. VAEs\[[25](https://arxiv.org/html/2605.15246#bib.bib2)\]use an encoder\-decoder architecture, mapping input data to a low\-dimensional latent space from which new samples are generated\. GANs\[[18](https://arxiv.org/html/2605.15246#bib.bib50)\]employ two competing networks \- a generator that produces synthetic samples and a discriminator that tries to distinguish them from real ones \- learning the data distribution through this adversarial process\. Diffusion Models\[[37](https://arxiv.org/html/2605.15246#bib.bib3),[19](https://arxiv.org/html/2605.15246#bib.bib4),[39](https://arxiv.org/html/2605.15246#bib.bib51),[38](https://arxiv.org/html/2605.15246#bib.bib52)\]are iterative generative models that first corrupt data by progressively adding noise, and then learn to recover the original data through a gradual reverse denoising process\.

### II\-APrivacy

Machine learning models tend to memorize information during training, which can expose sensitive data during generation and pose privacy risks\.\[[7](https://arxiv.org/html/2605.15246#bib.bib6)\]distinguishes three related but distinct concepts:overfitting, which occurs when a model learns training data too well and fails to generalize;overtraining, which refers to the specific point at which validation error stops decreasing; andunintentional memorization, defined as the retention of out\-of\-distribution training data that is irrelevant to the learning task and independent of overtraining, beginning early in the training process and peaking when validation loss is minimized\. These distinctions highlight that some degree of memorization is an inherent and unavoidable part of training, occurring even in well\-trained models that show no signs of overfitting or overtraining\. This behavior extends directly to generative models, where memorization during training can surface during generation and expose sensitive information in synthetic data applications\.

When the data synthetically generated are trajectories, significant privacy risks emerge\[[22](https://arxiv.org/html/2605.15246#bib.bib8)\]because trajectory data differs fundamentally from other modalities\. It is constrained by spatial structures and mobility patterns, exhibits strong spatiotemporal continuity, and carries semantic meaning through points of interest that can reveal sensitive personal attributes\. Critically, anonymized trajectories can be re\-identified from as few as 4 spatiotemporal points, sufficient to uniquely identify 95% of individuals\[[11](https://arxiv.org/html/2605.15246#bib.bib9)\]\. Furthermore, despite generative models producing synthetic samples, the generated data cannot be assumed to be private\[[30](https://arxiv.org/html/2605.15246#bib.bib10)\], as privacy can be compromised when generated samples closely resemble training data or when phenomena such as memorization occur during training, enabling adversaries to infer sensitive information through privacy attacks\.

#### II\-A1Privacy Attacks

In privacy attacks, adversaries seek to infer information that was not intended to be disclosed\[[33](https://arxiv.org/html/2605.15246#bib.bib11)\]\. This information can range from details about the training data of the targeted machine learning model to properties of the data or information about the model itself\. As presented in\[[33](https://arxiv.org/html/2605.15246#bib.bib11)\], a taxonomy of privacy attacks includes the following types of attacks:

- •Membership Inference Attacks \(MIAs\)\[[35](https://arxiv.org/html/2605.15246#bib.bib12)\], which aim to determine if a specific data sample was part of the original training dataset of a machine learning model\.
- •Reconstruction Attacks, also referred to asModel Inversion Attacks\[[16](https://arxiv.org/html/2605.15246#bib.bib13),[15](https://arxiv.org/html/2605.15246#bib.bib14)\], that seek to recreate training samples either fully or partially, with the possibility of also recovering their corresponding training labels\.
- •Property Inference Attacks\[[3](https://arxiv.org/html/2605.15246#bib.bib16)\], which aim to infer dataset\-level properties that are neither explicitly represented as features nor directly tied to the learning task\. These properties \(e\.g\., demographic characteristics\) can be exposed, as models unintentionally learn such information, even in well\-generalized models, since it is an inherent byproduct of the learning process\[[7](https://arxiv.org/html/2605.15246#bib.bib6),[33](https://arxiv.org/html/2605.15246#bib.bib11)\]\.
- •Model Extraction Attacks\[[40](https://arxiv.org/html/2605.15246#bib.bib15)\]that seek to reconstruct a substitute model that closely replicates the behavior of the target model, either by matching its task accuracy or approximating its decision boundary\.

While the above taxonomy characterizes the broad machine learning field, the trajectory\-data domain introduces additional domain\-specific privacy threats due to its spatiotemporal properties\. In particular, in\[[22](https://arxiv.org/html/2605.15246#bib.bib8)\], trajectory\-specific privacy attack types are identified, distinguishing betweenLinkage Attack ModelsandProbabilistic Attack Models\. The former focuses on the type of sensitive data being inferred, while the latter focuses on how much information is revealed\.Linkage Attackscan be further divided intoRecord Linkage, which seeks to infer individual identity \(e\.g\., re\-identification\),Attribute Linkage, which aims to infer personal profile information by leveraging frequent occurrences among similar trajectories,Table Linkage, which determines whether a specific individual is present in a dataset \(a threat closely related to membership inference attacks\), andGroup Linkage, which focuses on extracting social relationships between individuals from their trajectory data\.

#### II\-A2Formal Privacy Guarantees \- Differential Privacy

Existing defenses against privacy attacks do not provide formal guarantees and are limited to specific attack scenarios rather than offering comprehensive protection\.

Differential Privacy \(DP\)\[[12](https://arxiv.org/html/2605.15246#bib.bib23),[13](https://arxiv.org/html/2605.15246#bib.bib22)\]is the only framework that provides such guarantees, ensuring that the contribution of any individual record to the output of a learning algorithm is formally bounded\. Formally, DP is defined such that:

A randomized mechanismℳ:𝒟→𝒮\\mathcal\{M\}:\\mathcal\{D\}\\rightarrow\\mathcal\{S\}is\(ε,δ\)\(\\varepsilon,\\delta\)\-differentially private if for any two adjacent datasetsD,D′∈𝒟D,D^\{\\prime\}\\in\\mathcal\{D\}differing by at most one record, and for any subset of outputsS⊆𝒮S\\subseteq\\mathcal\{S\}:

Pr⁡\[ℳ​\(D\)∈S\]≤eε⋅Pr⁡\[ℳ​\(D′\)∈S\]\+δ\\Pr\[\\mathcal\{M\}\(D\)\\in S\]\\leq e^\{\\varepsilon\}\\cdot\\Pr\[\\mathcal\{M\}\(D^\{\\prime\}\)\\in S\]\+\\delta\(1\)whereε\>0\\varepsilon\>0is the privacy budget controlling the strength of the privacy guarantee, andδ≥0\\delta\\geq 0is the failure probability\. The definition of adjacent datasets is central to the DP framework, as it determines what constitutes the record whose addition or removal must not significantly change the output of the mechanism\. This record, therefore, is the unit of data that receives the privacy protection of the framework\.

In the context of Deep Learning, DP is implemented throughDifferentially Private Stochastic Gradient Descent \(DP\-SGD\)\[[1](https://arxiv.org/html/2605.15246#bib.bib31),[31](https://arxiv.org/html/2605.15246#bib.bib27)\], which incorporates the DP framework in the training process at the level of the training algorithm\. DP\-SGD operates by first bounding the influence of individual training samples through gradient clipping, then adding calibrated Gaussian noise to the clipped gradients, while a privacy accountant tracks the cumulative privacy budgetε\\varepsilonto ensure the desired privacy guarantee\.

In thetrajectory domain, this unit of data has been referred to as theUnit of Privacy \(UoP\)\[[4](https://arxiv.org/html/2605.15246#bib.bib24)\], and it should be carefully chosen as it introduces a trade\-off: a larger UoP requires more obfuscation to achieve the same level of privacy, thereby increasing utility loss, while a smaller UoP implies protecting a smaller unit of information, leading to increased risks of correlation attacks\[[29](https://arxiv.org/html/2605.15246#bib.bib25)\]or reconstruction attacks\[[5](https://arxiv.org/html/2605.15246#bib.bib26)\]\. In\[[4](https://arxiv.org/html/2605.15246#bib.bib24)\], four levels of UoP are identified, each representing a different definition of neighboring datasets in the DP mechanism:

- •User\-Level, whereD′D^\{\\prime\}differs fromDDby the removal of all trajectories associated with a specific user, providing the highest level of theoretical protection but at the cost of a significant utility trade\-off\.
- •Instance\-Level, also referred to astrajectory\-level, whereD′D^\{\\prime\}differs by one complete trajectory, thus protecting the trajectory as a unit and hindering the exploitation of intra\-trajectory correlations that many attacks rely on\. This is the most common level of privacy in deep learning, as DP\-SGD provides this level of UoP for training samples\.
- •Location\-Level, where the unit of protection is an individual location within a trajectory, offering the weakest level of privacy\. In this setting, works on DP\-based trajectory publication\[[21](https://arxiv.org/html/2605.15246#bib.bib28)\]and synthetic generation\[[24](https://arxiv.org/html/2605.15246#bib.bib29)\]have been proposed\. However, the level of protection is not guaranteed to extend to the full trajectory, as independently protecting each location is only effective when the number of trajectory points is small and does not scale well to longer trajectories\[[2](https://arxiv.org/html/2605.15246#bib.bib30)\]\. It is therefore suggested that better privacy is achievable by protecting the trajectory as a whole rather than its individual locations\[[2](https://arxiv.org/html/2605.15246#bib.bib30)\]\.
- •Multi\-Event\-Level, which lies between instance\- and location\-level privacy by protecting a window of multiple locations within a trajectory\.

Ultimately, the choice of UoP and, more generally, the incorporation of DP in synthetic data generation introduces the privacy–utility trade\-off, as stronger privacy guarantees degrade the utility of the generated data\[[33](https://arxiv.org/html/2605.15246#bib.bib11)\]\. Specifically, in the trajectory domain, this is particularly evident, as the spatiotemporal structure of the data makes it sensitive to noise addition\[[4](https://arxiv.org/html/2605.15246#bib.bib24)\]\.

Beyond the privacy\-utility trade\-off, DP cannot defend against every privacy attack and its protection is bounded in scope\. While it provides formal guarantees against Membership Inference and Reconstruction attacks\[[33](https://arxiv.org/html/2605.15246#bib.bib11)\], it cannot provide such protection against property inference attacks\[[3](https://arxiv.org/html/2605.15246#bib.bib16)\]\. Furthermore, model extraction attacks focus on replicating the model’s functionality rather than extracting information from the training data, and therefore defenses rely more on query detection and prediction obfuscation than on the data\-level protection provided by DP\.

Moreover, even in cases where DP is applied, as demonstrated in the trajectory domain, some implementations contain flawed DP proofs, meaning that the claimed guarantees do not hold, despite the underlying framework being sound\[[4](https://arxiv.org/html/2605.15246#bib.bib24)\]\. Finally, even correct implementations of DP can be undermined by an inappropriate choice of UoP\[[4](https://arxiv.org/html/2605.15246#bib.bib24)\]\.

These boundaries of formal privacy guarantees indicate that no single defensive mechanism can provide comprehensive protection against all privacy\-related threats\. Privacy attacks that fall outside the scope of DP represent an attack surface that lacks formal guarantees and therefore require empirical evaluation, motivating their use as tools for assessing privacy\.

### II\-BEmpirical Privacy Evaluation of Trajectories

To address these limitations, a variety of empirical evaluation approaches have been developed for the trajectory domain, ranging from adversarial attacks that directly exploit model vulnerabilities to quantitative metrics that measure the degree of privacy preservation\. These include Trajectory User Linking \(TUL\)\[[17](https://arxiv.org/html/2605.15246#bib.bib32)\], Linkage Attack Probability \(LA\)\[[23](https://arxiv.org/html/2605.15246#bib.bib36)\], Reconstruction Attacks such as RAoPT\[[5](https://arxiv.org/html/2605.15246#bib.bib26)\]and iTracker\[[34](https://arxiv.org/html/2605.15246#bib.bib33)\], Tracking Attack Probability \(TA\)\[[36](https://arxiv.org/html/2605.15246#bib.bib38),[45](https://arxiv.org/html/2605.15246#bib.bib37)\], Mutual Information \(MI\)\[[10](https://arxiv.org/html/2605.15246#bib.bib39)\]and Membership Inference Attacks \(MIA\)\. Among these, MIAs are of particular interest as they directly assess whether a model has memorized specific training samples, representing one of the most critical privacy risks in machine learning\[[7](https://arxiv.org/html/2605.15246#bib.bib6)\]\. The application of MIAs to generative trajectory models is discussed in detail in Section[IV](https://arxiv.org/html/2605.15246#S4)\.

## IIIPrivacy Evaluation in Generative Trajectory Models

To contextualize the privacy evaluation gap in the trajectory generation literature, representative generative models spanning VAEs, GANs and Diffusion Models were examined with respect to the privacy evaluation methods identified in Section[II\-B](https://arxiv.org/html/2605.15246#S2.SS2)\. VAE\-based and Diffusion Model\-based works were found to include no privacy evaluation, focusing instead on generation quality and utility\. This is consistent with the common view that synthetic data generation is inherently privacy\-preserving, a claim that as discussed in Section[II\-B](https://arxiv.org/html/2605.15246#S2.SS2), is not always guaranteed\. Among GAN\-based models, only a small subset includes any form of privacy evaluation, as shown in Table[I](https://arxiv.org/html/2605.15246#S3.T1)\. Notably, the MIA column remains entirely empty across all models, confirming the gap that this work addresses\.

TABLE I:Privacy Evaluation Methods Used by Generative Trajectory ModelsFamilyModelTULLARAoPTiTrackerTAMIMIAVAEs−\-GANsLSTM\-TrajGAN\[[32](https://arxiv.org/html/2605.15246#bib.bib44)\]✓×\\times✓†×\\times×\\times×\\times×\\timesLGAN\-DP\[[46](https://arxiv.org/html/2605.15246#bib.bib61)\]×\\times×\\times×\\times×\\times×\\times✓×\\timesDP\-TrajGAN\[[44](https://arxiv.org/html/2605.15246#bib.bib60)\]×\\times×\\times×\\times×\\times×\\times✓×\\timesDP\-LTGAN\[[45](https://arxiv.org/html/2605.15246#bib.bib37)\]×\\times✓×\\times×\\times✓×\\times×\\timesDMs−\-✓: evaluated,×\\times: not evaluated,−\-: no privacy evaluation conducted\.†RAoPT evaluation for LSTM\-TrajGAN conducted in\[[4](https://arxiv.org/html/2605.15246#bib.bib24)\]\.

Among the identified evaluation methods in Section[II\-B](https://arxiv.org/html/2605.15246#S2.SS2), MIAs are particularly suitable for evaluating the privacy of generative trajectory models, as they directly probe whether specific training samples have been memorized by the model\. Such attacks can exploit the inherent spatiotemporal structure of trajectory data, demonstrating that generative models are not inherently immune to inference attacks\. This is further reinforced by the limitations of formal privacy guarantees discussed in Section[II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2), where flawed DP proofs and inappropriate Unit of Privacy selections leave models vulnerable to precisely such inference threats, even when a formal guarantee is claimed\. Together, these observations suggest that empirical privacy evaluation approaches should be applied more broadly and systematically to generative trajectory models, covering the full range of methods outlined in Section[II\-B](https://arxiv.org/html/2605.15246#S2.SS2)in order to properly assess their privacy\. Motivated by this, the following section showcases the feasibility of MIAs against generative trajectory models as a first step toward addressing this gap\.

## IVEmpirical Experimental Privacy Evaluation via Membership Inference Attacks

### IV\-AThreat Model

As discussed in Section[II\-A1](https://arxiv.org/html/2605.15246#S2.SS1.SSS1), the overall goal of MIAs is to determine, given a trained modelℳθ\\mathcal\{M\}\_\{\\theta\}and a target samplexx, whetherx∈Dt​r​a​i​nx\\in D\_\{train\}\(member\) orx∉Dt​r​a​i​nx\\notin D\_\{train\}\(non\-member\), whereDt​r​a​i​nD\_\{train\}is the training dataset ofℳθ\\mathcal\{M\}\_\{\\theta\}\. In this work, we apply MIAs against four representative generative trajectory models, namely two GAN\-based models, LSTM\-TrajGAN\[[32](https://arxiv.org/html/2605.15246#bib.bib44)\]and MoveSim\[[14](https://arxiv.org/html/2605.15246#bib.bib45)\], and two Diffusion Model\-based models, DiffTraj\[[48](https://arxiv.org/html/2605.15246#bib.bib47)\]and Diff\-RNTraj\[[41](https://arxiv.org/html/2605.15246#bib.bib46)\]\. A white\-box setting is considered, in which the adversary has full access to the trained model’s weights and architecture\.

### IV\-BAttack Formulations

#### IV\-B1Discriminator\-based MIA on GAN\-based Trajectory Models

Based on\[[8](https://arxiv.org/html/2605.15246#bib.bib41)\], which provides a systematic taxonomy of MIAs against generative models, we implement a discriminator\-based MIA against LSTM\-TrajGAN\[[32](https://arxiv.org/html/2605.15246#bib.bib44)\]and MoveSim\[[14](https://arxiv.org/html/2605.15246#bib.bib45)\]\. The discriminator𝒟\\mathcal\{D\}, trained to distinguish real training trajectories from synthetic ones, serves as the membership signal\. If𝒟\\mathcal\{D\}overfits to the training data, it will assign systematically higher confidence to members than to non\-members, making its output a membership indicator\[[8](https://arxiv.org/html/2605.15246#bib.bib41)\]\. For a target trajectoryxx, the membership score is computed as:

s​\(x\)=log⁡𝒟​\(x\)1−𝒟​\(x\)s\(x\)=\\log\\frac\{\\mathcal\{D\}\(x\)\}\{1\-\\mathcal\{D\}\(x\)\}\(2\)
where the logit transformation is applied to𝒟\\mathcal\{D\}’s output to improve membership separation\[[6](https://arxiv.org/html/2605.15246#bib.bib42)\]\. Attack performance is evaluated using AUC\-ROC\[[8](https://arxiv.org/html/2605.15246#bib.bib41)\]\.

#### IV\-B2Loss\-based MIA on Diffusion\-based Trajectory Models

Grounded in the theoretical connection between overfitting and membership leakage\[[43](https://arxiv.org/html/2605.15246#bib.bib78)\], we adopt a loss\-based MIA against DiffTraj\[[48](https://arxiv.org/html/2605.15246#bib.bib47)\]and Diff\-RNTraj\[[41](https://arxiv.org/html/2605.15246#bib.bib46)\], following the white\-box loss\-based attack formulation for diffusion models proposed in\[[27](https://arxiv.org/html/2605.15246#bib.bib79)\]and\[[20](https://arxiv.org/html/2605.15246#bib.bib80)\]\. If a model overfits to its training data, it will assign systematically lower denoising loss to members than to non\-members\. For a target trajectoryx0x\_\{0\}, the membership score is computed as the negative average noise prediction MSE over multiple randomly sampled diffusion timesteps:

s​\(x0\)=−1T​∑t=1T𝔼ε​\[‖ε−εθ​\(xt,t\)‖2\]s\(x\_\{0\}\)=\-\\frac\{1\}\{T\}\\sum\_\{t=1\}^\{T\}\\mathbb\{E\}\_\{\\varepsilon\}\\left\[\\\|\\varepsilon\-\\varepsilon\_\{\\theta\}\(x\_\{t\},t\)\\\|^\{2\}\\right\]\(3\)
whereεθ\\varepsilon\_\{\\theta\}is the model’s noise prediction network,ε∼𝒩​\(0,𝐈\)\\varepsilon\\sim\\mathcal\{N\}\(0,\\mathbf\{I\}\)is the Gaussian noise added at timesteptt,xtx\_\{t\}is the noisy trajectory at timesteptt, andTTis the number of probe timesteps\. Attack performance is evaluated using AUC\-ROC\.

### IV\-CDatasets

The GAN\-based models are evaluated on the datasets used in their original training procedures\. LSTM\-TrajGAN\[[32](https://arxiv.org/html/2605.15246#bib.bib44)\]was trained on the Foursquare NYC weekly trajectory dataset\[[42](https://arxiv.org/html/2605.15246#bib.bib76),[28](https://arxiv.org/html/2605.15246#bib.bib35)\], while MoveSim\[[14](https://arxiv.org/html/2605.15246#bib.bib45)\]was trained on the GeoLife dataset\[[47](https://arxiv.org/html/2605.15246#bib.bib77)\]\. Both diffusion\-based models, DiffTraj\[[48](https://arxiv.org/html/2605.15246#bib.bib47)\]and Diff\-RNTraj\[[41](https://arxiv.org/html/2605.15246#bib.bib46)\], were trained on the DiDi Chengdu taxi trajectory dataset111https://outreach\.didichuxing\.com\.

### IV\-DImplementation Details

For each model, membership scores are computed on a set of member trajectories, drawn from the training data, and non\-member trajectories, drawn from a held\-out set that was never seen by the model during training\. For the diffusion\-based models, membership scores are averaged over 50 randomly sampled timesteps from the full diffusion range, following\[[20](https://arxiv.org/html/2605.15246#bib.bib80)\], to produce a stable and model\-agnostic signal\. The implementation details for each model are summarized in Table[II](https://arxiv.org/html/2605.15246#S4.T2)\.

TABLE II:MIA Implementation Details
### IV\-EResults

AUC\-ROC measures the probability that the attack assigns a higher membership score to a training sample than to a non\-training sample, with a value of 0\.5 indicating performance equivalent to random guessing and values above 0\.5 indicating exploitable membership leakage\.

TABLE III:MIA Results on Generative Trajectory ModelsAs can be seen from Table[III](https://arxiv.org/html/2605.15246#S4.T3), the results vary across models\. MoveSim exhibits an AUC\-ROC of 0\.70, indicating clear evidence of membership leakage under the implemented attack and suggesting that the model has memorized specific training trajectories to a degree that an adversary can exploit\. LSTM\-TrajGAN, DiffTraj, and Diff\-RNTraj, by contrast, show AUC\-ROC values close to 0\.5, consistent with random guessing, indicating that the implemented attacks were unable to extract meaningful membership signals\. This suggests that, under the evaluated attack formulations, no exploitable membership leakage was observed in these models\.

These results demonstrate the feasibility of implementing MIAs as an empirical privacy evaluation tool for generative trajectory models\. The finding that MoveSim exhibits membership leakage while the remaining models show resistance confirms that privacy risks in generative trajectory models are real and model\-dependent, and cannot be assumed absent simply because the model produces synthetic data\. The attacks implemented in this work represent a single class of empirical privacy evaluation methods\. Other MIA formulations, as well as other categories of privacy attacks identified in Section[II\-B](https://arxiv.org/html/2605.15246#S2.SS2), could reveal additional vulnerabilities not captured here, further underlining the need for comprehensive empirical privacy evaluation of generative trajectory models\.

## VConclusions & Future work

This work examined the privacy of generative trajectory models from an empirical perspective, identifying a significant gap in how privacy is assessed in the trajectory generation literature\. Although many of the examined models were not developed with privacy as a primary concern, the sensitivity of trajectory data necessitates that the privacy implications of their deployment are understood and assessed\. The implementation of MIAs against four representative generative trajectory models establishes that such attacks are applicable in this domain, and that privacy risks are model\-dependent and cannot be assumed absent simply because a model produces synthetic data\. These findings highlight the need for systematic empirical privacy evaluation as a complement to formal guarantees, or as a substitute where such guarantees are absent\.

As for future work, a broader range of adversarial privacy attacks and empirical evaluation methods should be explored to uncover additional privacy vulnerabilities in generative trajectory models\. Such investigations will not only deepen the understanding of the privacy risks associated with these models but will also inform the development of more robust generative architectures and effective privacy\-preserving defenses\.

## References

- \[1\]\(2016\)Deep learning with differential privacy\.InProceedings of the 2016 ACM SIGSAC conference on computer and communications security,pp\. 308–318\.Cited by:[§II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2.p4.1)\.
- \[2\]M\. E\. Andrés, N\. E\. Bordenabe, K\. Chatzikokolakis, and C\. Palamidessi\(2013\)Geo\-indistinguishability: differential privacy for location\-based systems\.InProceedings of the 2013 ACM SIGSAC conference on Computer & communications security,pp\. 901–914\.Cited by:[3rd item](https://arxiv.org/html/2605.15246#S2.I2.i3.p1.1)\.
- \[3\]G\. Ateniese, L\. V\. Mancini, A\. Spognardi, A\. Villani, D\. Vitali, and G\. Felici\(2015\)Hacking smart machines with smarter ones: how to extract meaningful data from machine learning classifiers\.International Journal of Security and Networks10\(3\),pp\. 137–150\.Cited by:[3rd item](https://arxiv.org/html/2605.15246#S2.I1.i3.p1.1),[§II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2.p7.1)\.
- \[4\]E\. Buchholz, A\. Abuadbba, S\. Wang, S\. Nepal, and S\. S\. Kanhere\(2024\)Sok: can trajectory generation combine privacy and utility?\.arXiv preprint arXiv:2403\.07218\.Cited by:[§I](https://arxiv.org/html/2605.15246#S1.p1.1),[§II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2.p5.1),[§II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2.p6.1),[§II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2.p8.1),[TABLE I](https://arxiv.org/html/2605.15246#S3.T1.28.28.28.1.2)\.
- \[5\]E\. Buchholz, A\. Abuadbba, S\. Wang, S\. Nepal, and S\. S\. Kanhere\(2022\)Reconstruction attack on differential private trajectory protection mechanisms\.InProceedings of the 38th annual computer security applications conference,pp\. 279–292\.Cited by:[§II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2.p5.1),[§II\-B](https://arxiv.org/html/2605.15246#S2.SS2.p1.1)\.
- \[6\]N\. Carlini, S\. Chien, M\. Nasr, S\. Song, A\. Terzis, and F\. Tramer\(2022\)Membership inference attacks from first principles\.In2022 IEEE symposium on security and privacy \(SP\),pp\. 1897–1914\.Cited by:[§IV\-B1](https://arxiv.org/html/2605.15246#S4.SS2.SSS1.p3.1)\.
- \[7\]N\. Carlini, C\. Liu, Ú\. Erlingsson, J\. Kos, and D\. Song\(2019\)The secret sharer: evaluating and testing unintended memorization in neural networks\.In28th USENIX security symposium \(USENIX security 19\),pp\. 267–284\.Cited by:[§I](https://arxiv.org/html/2605.15246#S1.p1.1),[3rd item](https://arxiv.org/html/2605.15246#S2.I1.i3.p1.1),[§II\-A](https://arxiv.org/html/2605.15246#S2.SS1.p1.1),[§II\-B](https://arxiv.org/html/2605.15246#S2.SS2.p1.1)\.
- \[8\]D\. Chen, N\. Yu, Y\. Zhang, and M\. Fritz\(2020\)Gan\-leaks: a taxonomy of membership inference attacks against generative models\.InProceedings of the 2020 ACM SIGSAC conference on computer and communications security,pp\. 343–362\.Cited by:[§IV\-B1](https://arxiv.org/html/2605.15246#S4.SS2.SSS1.p1.3),[§IV\-B1](https://arxiv.org/html/2605.15246#S4.SS2.SSS1.p3.1)\.
- \[9\]X\. Chen, C\. Huang, C\. Wang, and L\. Chen\(2025\)Trajectory generation: a survey on methods and techniques\.GeoInformatica29\(3\),pp\. 351–376\.Cited by:[§I](https://arxiv.org/html/2605.15246#S1.p1.1),[§II\-2](https://arxiv.org/html/2605.15246#S2.SS0.SSS2.p1.5)\.
- \[10\]T\. M\. Cover\(1999\)Elements of information theory\.John Wiley & Sons\.Cited by:[§II\-B](https://arxiv.org/html/2605.15246#S2.SS2.p1.1)\.
- \[11\]Y\. De Montjoye, C\. A\. Hidalgo, M\. Verleysen, and V\. D\. Blondel\(2013\)Unique in the crowd: the privacy bounds of human mobility\.Scientific reports3\(1\),pp\. 1376\.Cited by:[§I](https://arxiv.org/html/2605.15246#S1.p1.1),[§II\-A](https://arxiv.org/html/2605.15246#S2.SS1.p2.1)\.
- \[12\]C\. Dwork, F\. McSherry, K\. Nissim, and A\. Smith\(2006\)Calibrating noise to sensitivity in private data analysis\.InTheory of cryptography conference,pp\. 265–284\.Cited by:[§II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2.p2.1)\.
- \[13\]C\. Dwork and A\. Roth\(2014\)The algorithmic foundations of differential privacy\.Foundations and trends® in theoretical computer science9\(3\-4\),pp\. 211–487\.Cited by:[§II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2.p2.1)\.
- \[14\]J\. Feng, Z\. Yang, F\. Xu, H\. Yu, M\. Wang, and Y\. Li\(2020\)Learning to simulate human mobility\.InProceedings of the 26th ACM SIGKDD international conference on knowledge discovery & data mining,pp\. 3426–3433\.Cited by:[§IV\-A](https://arxiv.org/html/2605.15246#S4.SS1.p1.6),[§IV\-B1](https://arxiv.org/html/2605.15246#S4.SS2.SSS1.p1.3),[§IV\-C](https://arxiv.org/html/2605.15246#S4.SS3.p1.1),[TABLE II](https://arxiv.org/html/2605.15246#S4.T2.1.3.2.1),[TABLE III](https://arxiv.org/html/2605.15246#S4.T3.1.3.2.1)\.
- \[15\]M\. Fredrikson, S\. Jha, and T\. Ristenpart\(2015\)Model inversion attacks that exploit confidence information and basic countermeasures\.InProceedings of the 22nd ACM SIGSAC conference on computer and communications security,pp\. 1322–1333\.Cited by:[2nd item](https://arxiv.org/html/2605.15246#S2.I1.i2.p1.1)\.
- \[16\]M\. Fredrikson, E\. Lantz, S\. Jha, S\. Lin, D\. Page, and T\. Ristenpart\(2014\)Privacy in pharmacogenetics: an\{\\\{end\-to\-end\}\\\}case study of personalized warfarin dosing\.In23rd USENIX security symposium \(USENIX Security 14\),pp\. 17–32\.Cited by:[2nd item](https://arxiv.org/html/2605.15246#S2.I1.i2.p1.1)\.
- \[17\]Q\. Gao, F\. Zhou, K\. Zhang, G\. Trajcevski, X\. Luo, and F\. Zhang\(2017\)Identifying human mobility via trajectory embeddings\.\.InIjcai,Vol\.17,pp\. 1689–1695\.Cited by:[§II\-B](https://arxiv.org/html/2605.15246#S2.SS2.p1.1)\.
- \[18\]I\. Goodfellow, J\. Pouget\-Abadie, M\. Mirza, B\. Xu, D\. Warde\-Farley, S\. Ozair, A\. Courville, and Y\. Bengio\(2020\)Generative adversarial networks\.Communications of the ACM63\(11\),pp\. 139–144\.Cited by:[§II\-2](https://arxiv.org/html/2605.15246#S2.SS0.SSS2.p2.1)\.
- \[19\]J\. Ho, A\. Jain, and P\. Abbeel\(2020\)Denoising diffusion probabilistic models\.Advances in neural information processing systems33,pp\. 6840–6851\.Cited by:[§II\-2](https://arxiv.org/html/2605.15246#S2.SS0.SSS2.p2.1)\.
- \[20\]H\. Hu and J\. Pang\(2023\)Membership inference of diffusion models\.arXiv preprint arXiv:2301\.09956\.Cited by:[§IV\-B2](https://arxiv.org/html/2605.15246#S4.SS2.SSS2.p1.1),[§IV\-D](https://arxiv.org/html/2605.15246#S4.SS4.p1.1)\.
- \[21\]K\. Jiang, D\. Shao, S\. Bressan, T\. Kister, and K\. Tan\(2013\)Publishing trajectories with differential privacy guarantees\.InProceedings of the 25th International conference on scientific and statistical database management,pp\. 1–12\.Cited by:[3rd item](https://arxiv.org/html/2605.15246#S2.I2.i3.p1.1)\.
- \[22\]F\. Jin, W\. Hua, M\. Francia, P\. Chao, M\. E\. Orlowska, and X\. Zhou\(2022\)A survey and experimental study on privacy\-preserving trajectory data publishing\.IEEE Transactions on Knowledge and Data Engineering35\(6\),pp\. 5577–5596\.Cited by:[§II\-A1](https://arxiv.org/html/2605.15246#S2.SS1.SSS1.p3.1),[§II\-A](https://arxiv.org/html/2605.15246#S2.SS1.p2.1)\.
- \[23\]F\. Jin, W\. Hua, T\. Zhou, J\. Xu, M\. Francia, M\. E\. Orlowska, and X\. Zhou\(2020\)Trajectory\-based spatiotemporal entity linking\.IEEE Transactions on Knowledge and Data Engineering34\(9\),pp\. 4499–4513\.Cited by:[§II\-B](https://arxiv.org/html/2605.15246#S2.SS2.p1.1)\.
- \[24\]J\. W\. Kim and B\. Jang\(2022\)Deep learning\-based privacy\-preserving framework for synthetic trajectory generation\.Journal of Network and Computer Applications206,pp\. 103459\.Cited by:[3rd item](https://arxiv.org/html/2605.15246#S2.I2.i3.p1.1)\.
- \[25\]D\. P\. Kingma and M\. Welling\(2013\)Auto\-encoding variational bayes\.arXiv preprint arXiv:1312\.6114\.Cited by:[§II\-2](https://arxiv.org/html/2605.15246#S2.SS0.SSS2.p2.1)\.
- \[26\]X\. Kong, Q\. Chen, M\. Hou, H\. Wang, and F\. Xia\(2023\)Mobility trajectory generation: a survey\.Artificial Intelligence Review56\(Suppl 3\),pp\. 3057–3098\.Cited by:[§II\-1](https://arxiv.org/html/2605.15246#S2.SS0.SSS1.p1.5)\.
- \[27\]T\. Matsumoto, T\. Miura, and N\. Yanai\(2023\)Membership inference attacks against diffusion models\.In2023 IEEE Security and Privacy Workshops \(SPW\),pp\. 77–83\.Cited by:[§IV\-B2](https://arxiv.org/html/2605.15246#S4.SS2.SSS2.p1.1)\.
- \[28\]L\. May Petry, C\. Leite Da Silva, A\. Esuli, C\. Renso, and V\. Bogorny\(2020\)MARC: a robust method for multiple\-aspect trajectory classification via space, time, and semantic embeddings\.International Journal of Geographical Information Science34\(7\),pp\. 1428–1450\.Cited by:[§IV\-C](https://arxiv.org/html/2605.15246#S4.SS3.p1.1)\.
- \[29\]À\. Miranda\-Pascual, P\. Guerra\-Balboa, J\. Parra\-Arnau, J\. Forné, and T\. Strufe\(2023\)SoK: differentially private publication of trajectory data\.Proceedings on privacy enhancing technologies\.Cited by:[§II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2.p5.1)\.
- \[30\]À\. Miranda\-Pascual, P\. Guerra\-Balboa, J\. Parra\-Arnau, J\. Forné, and T\. Strufe\(2024\)An overview of proposals towards the privacy\-preserving publication of trajectory data: À\. miranda\-pascual et al\.\.International journal of information security,pp\. 1–37\.Cited by:[§II\-A](https://arxiv.org/html/2605.15246#S2.SS1.p2.1)\.
- \[31\]N\. Ponomareva, H\. Hazimeh, A\. Kurakin, Z\. Xu, C\. Denison, H\. B\. McMahan, S\. Vassilvitskii, S\. Chien, and A\. G\. Thakurta\(2023\)How to dp\-fy ml: a practical guide to machine learning with differential privacy\.Journal of Artificial Intelligence Research77,pp\. 1113–1201\.Cited by:[§II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2.p4.1)\.
- \[32\]J\. Rao, S\. Gao, Y\. Kang, and Q\. Huang\(2020\)LSTM\-trajgan: a deep learning approach to trajectory privacy protection\.arXiv preprint arXiv:2006\.10521\.Cited by:[TABLE I](https://arxiv.org/html/2605.15246#S3.T1.7.7.7.8),[§IV\-A](https://arxiv.org/html/2605.15246#S4.SS1.p1.6),[§IV\-B1](https://arxiv.org/html/2605.15246#S4.SS2.SSS1.p1.3),[§IV\-C](https://arxiv.org/html/2605.15246#S4.SS3.p1.1),[TABLE II](https://arxiv.org/html/2605.15246#S4.T2.1.2.1.1),[TABLE III](https://arxiv.org/html/2605.15246#S4.T3.1.2.1.1)\.
- \[33\]M\. Rigaki and S\. Garcia\(2023\)A survey of privacy attacks in machine learning\.ACM Computing Surveys56\(4\),pp\. 1–34\.Cited by:[3rd item](https://arxiv.org/html/2605.15246#S2.I1.i3.p1.1),[§II\-A1](https://arxiv.org/html/2605.15246#S2.SS1.SSS1.p1.1),[§II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2.p6.1),[§II\-A2](https://arxiv.org/html/2605.15246#S2.SS1.SSS2.p7.1)\.
- \[34\]M\. Shao, J\. Li, Q\. Yan, F\. Chen, H\. Huang, and X\. Chen\(2020\)Structured sparsity model based trajectory tracking using private location data release\.IEEE Transactions on Dependable and Secure Computing18\(6\),pp\. 2983–2995\.Cited by:[§II\-B](https://arxiv.org/html/2605.15246#S2.SS2.p1.1)\.
- \[35\]R\. Shokri, M\. Stronati, C\. Song, and V\. Shmatikov\(2017\)Membership inference attacks against machine learning models\.In2017 IEEE symposium on security and privacy \(SP\),pp\. 3–18\.Cited by:[1st item](https://arxiv.org/html/2605.15246#S2.I1.i1.p1.1)\.
- \[36\]R\. Shokri, G\. Theodorakopoulos, J\. Le Boudec, and J\. Hubaux\(2011\)Quantifying location privacy\.In2011 IEEE symposium on security and privacy,pp\. 247–262\.Cited by:[§II\-B](https://arxiv.org/html/2605.15246#S2.SS2.p1.1)\.
- \[37\]J\. Sohl\-Dickstein, E\. Weiss, N\. Maheswaranathan, and S\. Ganguli\(2015\)Deep unsupervised learning using nonequilibrium thermodynamics\.InInternational conference on machine learning,pp\. 2256–2265\.Cited by:[§II\-2](https://arxiv.org/html/2605.15246#S2.SS0.SSS2.p2.1)\.
- \[38\]J\. Song, C\. Meng, and S\. Ermon\(2020\)Denoising diffusion implicit models\.arXiv preprint arXiv:2010\.02502\.Cited by:[§II\-2](https://arxiv.org/html/2605.15246#S2.SS0.SSS2.p2.1)\.
- \[39\]Y\. Song, J\. Sohl\-Dickstein, D\. P\. Kingma, A\. Kumar, S\. Ermon, and B\. Poole\(2020\)Score\-based generative modeling through stochastic differential equations\.arXiv preprint arXiv:2011\.13456\.Cited by:[§II\-2](https://arxiv.org/html/2605.15246#S2.SS0.SSS2.p2.1)\.
- \[40\]F\. Tramèr, F\. Zhang, A\. Juels, M\. K\. Reiter, and T\. Ristenpart\(2016\)Stealing machine learning models via prediction\{\\\{apis\}\\\}\.In25th USENIX security symposium \(USENIX Security 16\),pp\. 601–618\.Cited by:[4th item](https://arxiv.org/html/2605.15246#S2.I1.i4.p1.1)\.
- \[41\]T\. Wei, Y\. Lin, S\. Guo, Y\. Lin, Y\. Huang, C\. Xiang, Y\. Bai, and H\. Wan\(2024\)Diff\-rntraj: a structure\-aware diffusion model for road network\-constrained trajectory generation\.IEEE Transactions on Knowledge and Data Engineering36\(12\),pp\. 7940–7953\.Cited by:[§IV\-A](https://arxiv.org/html/2605.15246#S4.SS1.p1.6),[§IV\-B2](https://arxiv.org/html/2605.15246#S4.SS2.SSS2.p1.1),[§IV\-C](https://arxiv.org/html/2605.15246#S4.SS3.p1.1),[TABLE II](https://arxiv.org/html/2605.15246#S4.T2.1.5.4.1),[TABLE III](https://arxiv.org/html/2605.15246#S4.T3.1.5.4.1)\.
- \[42\]D\. Yang, D\. Zhang, V\. W\. Zheng, and Z\. Yu\(2014\)Modeling user activity preference by leveraging user spatial temporal characteristics in lbsns\.IEEE Transactions on Systems, Man, and Cybernetics: Systems45\(1\),pp\. 129–142\.Cited by:[§IV\-C](https://arxiv.org/html/2605.15246#S4.SS3.p1.1)\.
- \[43\]S\. Yeom, I\. Giacomelli, M\. Fredrikson, and S\. Jha\(2018\)Privacy risk in machine learning: analyzing the connection to overfitting\.In2018 IEEE 31st computer security foundations symposium \(CSF\),pp\. 268–282\.Cited by:[§IV\-B2](https://arxiv.org/html/2605.15246#S4.SS2.SSS2.p1.1)\.
- \[44\]J\. Zhang, Q\. Huang, Y\. Huang, Q\. Ding, and P\. Tsai\(2023\)DP\-trajgan: a privacy\-aware trajectory generation model with differential privacy\.Future Generation Computer Systems142,pp\. 25–40\.Cited by:[TABLE I](https://arxiv.org/html/2605.15246#S3.T1.19.19.19.7)\.
- \[45\]R\. Zhang, W\. Ni, N\. Fu, L\. Hou, D\. Zhang, and Y\. Zhang\(2025\)DP\-ltgan: differentially private trajectory publishing via locally\-aware transformer\-based gan\.Future Generation Computer Systems166,pp\. 107686\.Cited by:[§II\-B](https://arxiv.org/html/2605.15246#S2.SS2.p1.1),[TABLE I](https://arxiv.org/html/2605.15246#S3.T1.24.24.24.6)\.
- \[46\]Z\. Zhang, X\. Xu, and F\. Xiao\(2023\)LGAN\-dp: a novel differential private publication mechanism of trajectory data\.Future Generation Computer Systems141,pp\. 692–703\.Cited by:[TABLE I](https://arxiv.org/html/2605.15246#S3.T1.13.13.13.7)\.
- \[47\]Y\. Zheng, X\. Xie, W\. Ma,et al\.\(2010\)GeoLife: a collaborative social networking service among user, location and trajectory\.\.IEEE Data Eng\. Bull\.33\(2\),pp\. 32–39\.Cited by:[§IV\-C](https://arxiv.org/html/2605.15246#S4.SS3.p1.1)\.
- \[48\]Y\. Zhu, Y\. Ye, S\. Zhang, X\. Zhao, and J\. Yu\(2023\)Difftraj: generating gps trajectory with diffusion probabilistic model\.Advances in Neural Information Processing Systems36,pp\. 65168–65188\.Cited by:[§IV\-A](https://arxiv.org/html/2605.15246#S4.SS1.p1.6),[§IV\-B2](https://arxiv.org/html/2605.15246#S4.SS2.SSS2.p1.1),[§IV\-C](https://arxiv.org/html/2605.15246#S4.SS3.p1.1),[TABLE II](https://arxiv.org/html/2605.15246#S4.T2.1.4.3.1),[TABLE III](https://arxiv.org/html/2605.15246#S4.T3.1.4.3.1)\.