Secure Two-Party Distance Computation Protocols with a Semihonest Third Party and Randomization for Privacy Protection in Wireless Sensor Networks

Scenarios in which two nodes who distrust each other in wireless sensor networks (WSNs) would like to know the distance between them are considered. The scenario is designed to protect the private information of WSNs, in this case each node's location, from the other nodes and from a passive attacker. The goal of the present work is to provide two novel and secure two-party distance computation protocols based on a semihonest model, the first with aid of a third party and the second based on randomization technique. Both of these protocols can extend the calculated value into a real number field. The output of the distance computation and the intermediate values in the proposed protocols are also private and not accessible to a third party or any other attackers. When executing these two protocols, security is guaranteed, and the performances of communication and computation of them are found to be satisfactory when compared to those of other similar protocols.


Motivation
With the development of the computer and communication technologies, wireless sensor networks have gradually extended into the fabric of human society.Communications between people and things have become a reality so that many researchers have begun to pay attention to wireless sensor networks, where many techniques [1,2] require secure authentication and secure privacy computation.This is because privacy protection is a significant research point which cannot be ignored in today's wireless sense applications.The privacy of wireless sensor networks' entity may appear to be either a natural property or a social characteristic depending on the requirements of specific scenarios.The matter of defining privacy in terms of different applications and realizing privacy protection can be explained in detail through the following scenarios regarding secure communications.
Wireless sensor networks can usually be deployed in the enemies' battle field to monitor military information.Once found, each node has the risk of being captured by enemies so that all nodes do not trust each other.However, these nodes have to cooperate with each other in this unreliable environment in order to complete tasks of data collection.For example, Node A decides to expand its coverage area through enhancing transmitting power in one region to obtain more sensing data.Node A also notices that Node B, possibly the adjacent node of Node A, is also expanding the coverage area of his located region.But the two nodes do not want to collect data in the same area, so they want to know whether there are overlapping areas between their respective regions without disclosing the corresponding location information, in order to avoid the danger of being captured caused by the leakage of location information.If Node A and Node B are able to calculate the distance between their respective regions in the case of keeping geographical location information 2 International Journal of Distributed Sensor Networks confidentiality and meanwhile telling each other their respective coverage radiuses, then this problem can be effectively solved: if the distance is too close, it indicates that there is overlap; otherwise there is no overlap.
Location information becomes important and confidential in the above scenarios, though the utilization of the respective positions of two participants is the most common method for calculating Euclidean distance.In this case, secure two-party distance computation without revealing location information becomes a vital problem.
Secure two-party computation, introduced by Yao, allows two parties to jointly compute any function using their inputs in such a way that (1) the output of the computation is correct and public and (2) the inputs are not revealed to both users [3].Secure calculation of the distance between two parties (or two nodes in WSNs) is a specific case of secure twoparty computation, and it provides a solution to the scenario described above.Currently, there exist two ways of computing the distance, and both of them allow the location of each party to be kept secret.The first requires the help of a third party, and the other does not.The primary contribution of this paper is that it puts forward two novel, secure, and efficient protocols that can be used in accordance with the above two methods.
The rest of the paper is organized as follows.The next section reviews related works in the field of secure two-party distance computation.Section 3 presents the preliminaries and assumptions.Section 4 provides two novel and secure two-party distance computation protocols used in WSN, the first involving a semihonest third party and the other involving randomization technique, and their respective correctness proofs.Security analysis and performance comparisons between the proposals and previous work are presented in Sections 5 and 6, respectively.Further discussions about sensitive issues are given in Section 7. Section 8 concludes this paper.

Related Work
Secure two-party computation is widely used in network security protocol design to protect important information related to location, identity, and healthcare.Recently, location information during the use of location-based services (LBSs) has raised considerable concerns [12], especially in distance calculation application.Currently, secure two-party distance protocols are generally divided into three categories.The first [4][5][6][7] is established using a homomorphic encryption mechanism that serves as the secure basis of privacy protection.The second [8,13] is established with the assistance of a third party, usually a semihonest third party.The third [14] is established with the randomization technique.
As the first type of protocol, [4] describes and analyzes a scheme for biometric authentication and it uses homomorphic encryption for secure calculation of Hamming Distance without revealing the participants' secret information.The work [5] puts forward a secure two-party computation protocol of Euclidean distance using Paillier homomorphic encryption [11] and this protocol is implemented for private querying of face images and maintains low communication overhead.The work [6] also proposes a secure multiparty distance computation protocol, which is also designed based on Paillier homomorphic encryption without a third party.The work [7] suggests a secure, privacy-preserving opportunistic computing (SPOC) framework for healthcare emergency based on a secure scalar product protocol that can be used to design a secure two-party distance computation protocol.Pronounced computational complexity is the common weakness of secure two-party computation protocols based on homomorphic encryption mechanisms.This is difficult to use with resource-constrained outdoor wireless link networks.
In the second category protocol, two participants are unable to calculate the distance between them if there is no third party involved.The protocol in [13] involves a quantum private comparison based on the presence of a semihonest third party and it enables two parties to determine whether their information matches without revealing the specifics.The work [8] allows the participant to calculate the distance based on an honest third party for comparison of local data and simultaneously causes private values to be fully grasped by the third party, which is followed by obvious information leakage and security issues that cannot be ignored.Although intervention by a third party may improve the efficiency of computation and communication, this increases network costs.This issue of decreasing the number of secrets learned by a third party is significant here.The distinction between honest and semihonest third parties is illustrated in Section 3.2.
Broad application of homomorphic encryption mechanisms results in less use of other digital disguise techniques, such as randomization methods, which can be used to design secure two-party computation protocols.Randomized disguises obscure the real data by adding random elements to them to facilitate privacy protection.For example, [14] provides a randomization method by performing a linear transformation on the real data or a random permutation replacement of the real data to achieve a secure two-party distance computation protocol.The protocol in [9] also involves randomization method and 1 out of  oblivious transfer protocol [11].Designing a secure and efficient twoparty distance computation protocol based on randomized masquerade is mathematically difficult.Many current protocols, such as one described in a previous study [8], can only be used in integer domains and cannot be expanded into real number domains.This limits their use.
In wireless sensor networks, literatures related to privacy protection of location and distance [15] can be traced back to 2007.Actually only few literatures apply the distance computation protocols based on privacy protection to data security of wireless sensor networks.To the best of our knowledge, [16] is the first paper that uses the secure distance calculation protocol to solve location privacy in WSNs.The work [17] presents an overview of the solutions that provide source location privacy such as anonymity and unobservability, within a WSN, in relation to the assumptions about the adversary's capabilities.A location privacy routing protocol (LPR) is proposed in [18] to achieve path diversity, and, combining with fake packet injection, LPR is able to minimize the traffic direction information that an adversary can retrieve from eavesdropping.However, LPR does not provide the data-level privacy protection.The work [19] found out that Lu et al. 's protocol in [7] still has some secure flaws such as user anonymity and mutual authentication, and it presents an improved mobile-healthcare emergency system based on extended chaotic maps for applications of wireless body sensor networks (BSNs).

Definition of Secure Two-Party Computation.
There are two participants in WSNs, Node A and Node B. Node A selects a secret input  and Node B selects another one .They hope to calculate the function (, ) and produce final results but they must keep their respective inputs secret.We call this computation process "secure two-party computation." Here,  (or ) may be the location information of Node A (or Node B), and (, ) may be the distance between the two nodes.

Semihonest Model.
Secure two-party computation should guarantee the safety of the information even if one participant behaves deceitfully in the execution of the protocol.The attacker may perform one of two types of attacks: one is active that is called "malicious (or adversarial) model [20]" and another is passive, here called the "semihonest model." In the malicious model, the attacker manipulates one of the participants into executing the protocol improperly.For example, the attacker may cause a participant to substitute mendacious data for real input in order to interrupt implementation of the protocol.In the semihonest model, the attacker only grasps the entirety of the information of the captive participant, including those intermediate data acquired from the other participant, and the purpose of the attacker is solely to reveal some private information, but the protocol is carried out correctly and all inputs are true.Some researchers refer to the semihonest participant as "honest but curious" [21].
Based on the above, the reliability of a third party can be defined (hereinafter abbreviated "TP").There exist three cases.In the first case, the TP is honest, and both the participants send their secrets to the TP without worrying that the TP will leak any private information.This case is perfect but impractical.In the second case, the TP is dishonest or malicious, and neither participant believes the TP.This case is dangerous.In the third case, the TP is semihonest.The TP executes the protocol faithfully, and all kinds of intermediary data and computational results are recorded.The TP tries to make this information publicly available.In WSNs, base station or the cluster-header usually acts as the role of TP.
In the present paper, it is supposed that both participants and TP all follow the semihonest model.Generally, the semihonest secure two-party computation model can be illustrated in detail as follows.This can be used in security proofs of protocols.
There exists a mapping function  : {0, 1} Here, the meaning of "≡" is "calculation of indiscernibility, " output   (, ) is entirely determined by view   (, ), and both of them are stochastic variables. 1 and  2 are called the time simulators.

Definition of Distance.
There are many definitions of distance between two participants, including the Minkowski distance, Hamming distance, and Levenshtein distance [22].The Minkowski distance is the most common one.It can be expressed using Here   and   are from P = ( 1 ,  2 , . . .,   ) ∈ R  and Q = ( 1 ,  2 , . . .,   ) ∈ R  , respectively.When  = 1, it becomes the Manhattan distance; when  = ∞, it becomes the Chebyshev distance; when  = 2, it becomes the Euclidean distance, which can be described by In this paper, the Euclidean distance between two participants is calculated exactly in the two proposed secure protocols.

Privacy Measure.
Most researchers use the "calculation of indiscernibility" method to realize security proofs, but this method cannot quantify privacy.If it is necessary to prove that one protocol is absolutely secret (perfect zero leakage), privacy measures become essential because it can validate safety of protocols against attackers more efficiently.However, currently there is no common method of measuring privacy.

International Journal of Distributed Sensor Networks
Although the utilization of information theory can quantify privacy, it has limitations [23,24].Specifically, it is only available for the protocols whose input has a linear relationship with output.It cannot be applied to nonlinear protocols.
Several symbols and concepts regarding the measurement of privacy are given below.These were used to confirm the validity of the proposed protocol.

𝑋 𝜋
denotes the input of the th participant in , and msg   is described as the message received by the th participant.After the beginning of , one participant receives some information from his partner.In this way, the following can be defined: ): the absolute privacy of .Relative privacy is believed to be more likely to reflect the degree of privacy divulgence than the absolute privacy, and it can be standardized to a value between 0 and 1 where 0 represents full leakage and 1 indicates perfect safety (perfect zero leakage).
Theorem 1 (see [23]).Consider that V, C ∈ ()  (both V and C are one-dimensional vectors); A is a matrix with  rows and  columns whose element belongs to ()   The proof for Theorem 1 is shown in a previous study [23].

Two Novel Secure Two-Party Distance Computation Protocols
At last, Node A declares   and Node B reveals   , and they share the resulting (P, Q) according to (4).
Step 2. Node B computes . .,   −   ) using the received vector Rb and its secret Q.
Then Node B generates a random number V, together with P 1 , and establishes (6).Finally, Node B sends Q 1 and  to Node A. Consider Step 3.After receiving Q 1 and , Node A calculates  in terms of Finally, Node A and Node B determine the distance |PQ| 2 (i.e.,  2 ) with respect to Here,   = −,   = −V, and (P, Q) =  2 satisfy the form of (4).

Proof (correctness proof).
The TPEDP can achieve the correct result of Euclidean distance between two participants.

Description of the REDP Protocol
. Some outdoor wireless sensor network environments do not allow the existence of a reliable third party, so the two nodes must complete security distance calculation relying only on each other.A randomization technique is used to avoid the high computational complexity produced by homomorphic encryption, and the design of an efficient two-party protocol is described in this section.It is here called the randomizationbased Euclidean distance protocol (abbreviated REDP).The difficulty of designing REDP is that it requires randomly camouflaging vectors in the domain of real numbers and it involves exchanging some elements within those modified vectors.
It can be supposed that Node A and Node B are semihonest participants and operations in input and output phases of the REDP are identical to those of the TPEDP.Then only the steps of computation phase are displayed as follows.
Step 3. Node A determines the value of  on the basis of ( 16) and sends it to Node B: Step 4. Node B obtains the value of V according to Finally, Node A and Node B share the value of |PQ| 2 (i.e.,  2 ) in the light of Here   = ,   = V, and (P, Q) =  2 all satisfy the form of (4).

International Journal of Distributed Sensor Networks
Proof (correctness proof).According to ( 16), (17), and ( 18), ( 19) can be deduced: It makes use of the expressions of ( 13), (14), and (15) to displace ℎ 1 , ℎ 2 , and ℎ 3 in (19), respectively.Then the following can be concluded: Equation (20) shows the exact computation of the expression of Euclidean distance between Node A and Node B. In this way, the proof is complete.

Security Analysis
5.1.Security of the TPEDP Protocol.In this section, the security of the TPEDP protocol is proven.Node A and Node B cannot learn any private vectors from each other except for the distance between them.This provides a detailed analysis of each step of the TPEDP.
(1) In Step 0, the TP receives no reply from either Node A or Node B, so it cannot gain any information from either of the two participants.
( In summary, none of the information is compromised during communications among Node A, Node B, and TP.In order to render the procedure of security analysis more convincing, the calculation of indiscernibility method was adopted for further validation. Theorem 2. The TPEDP (marked with  1 ) ensures that Node A and Node B cannot acquire private input of each other.
Proof.Because both Node A and Node B are semihonest participants, it is necessary to prove, in the TPEDP, that the intermediate information obtained by the passive attacker cannot be differentiated from those produced in no-attack and real situations, that is, calculation of indiscernibility.
A simulator must be constructed to imitate all of information acquired by a passive attacker in the executing process of the TPEDP.It can be discretionarily determined whether Node A or Node B is captured by the attacker.For this reason, the simulator  1 can simulate data from the view of Node A view In this way, this proof process can be used to verify whether { 1 (P,  1 (P, Q),  2 (P, Q))} and {view Output Phase of  1 .Finally,    = −  ,    = −V  , and all satisfy the form of (4); that is,    = (P, Q) +    .After the exchange of data between Node A and Node B, through simulation,  1 obtains all information of Node A: {   ,    , (P, Q)}.However, in each of the steps outlined above, all of the data (denoted by  1 (P, ) = {P,  1 ,   , Q   1 , }) handled by  1 cannot be distinguished from those produced in the normal execution of  1 .Because the view of Node A is view Likewise, if the attacker suborns Node B, then the attacker will gather all information in Node B's possession using another simulator,  2 .The view of Node B is view , and the same conclusion of "calculation of indiscernibility" can be drawn: If the attacker captures the TP, then the attacker cannot realize the simulation because the TP has not obtained any information from Node A or Node B at any point in the protocol.

Security of the REDP Protocol.
Node A and Node B cannot obtain any private vectors from each other except for the distance value between them.The following is a detailed analysis of each step in the REDP process. ( Because ( 23) can be solved using features of the nonhomogeneous linear equations, it shows that the coefficient matrix and the augmented matrix of the equations outlined above have the same rank.For this reason, only the rank of the coefficient matrix is considered.This is displayed as follows: number of "0":−1 ) However, there are 2 + 1 unknown quantities in (23) for which the rank of the coefficient matrix is 2.Equation ( 23) has an infinite number of solutions because the rank of the augmented matrix (i.e., the number of linearly independent International Journal of Distributed Sensor Networks equations) is less than the number of unknown quantities.Even in some extreme situations, (22) still has an infinity of solutions.Node B cannot discriminate  or  0 from the value of .In this way, the data obtained by Node B are not sufficient for detection of any private information regarding location vector P = ( 1 ,  2 , . . .,   ), which is owned by Node A.
(2) In Step 2, Node A encounters the same problem with respect to solving a group of nonlinear equations.In extreme situations (e.g., if Node B selects   = 1), Node A may choose a zero vector P = 0 in input phase.This can be used repeatedly in ( 13) and ( 14) after Node A receives ℎ 1 , ℎ 2 , and ℎ 3 .Finally, Node A can deduce the value of   with considerable probability of success.Even so, Node A still needs to solve a group of nonhomogeneous linear equations with  + 1 unknown quantities and only three equations.This problem has an infinite number of solutions.Just by virtue of   , Node A is unable to infer Node B's confidential location information Q.
(3) In Step 3, if Node B utilizes the expressions of ( 13), ( 14), and ( 15) to successively substitute for the values of ℎ 1 , ℎ 2 , and ℎ 3 in ( 16), Node B can produce There is a variety of ways in which Node B might separate individual components such as  + ∑  =1  2  from (25).During the input phase, Node B may select a special vector Q that only includes one nonzero element to participate in all calculations from Steps 1 to 4. However, this method does not allow Node B to discriminate  + ∑  =1  2  or ∑  =1     from (25).Unless Node B uses a zero vector, that is, Q = 0, it can determine the value of  + ∑  =1  2  in Step 3 with considerable probability of success.Using the received value of , Node B may determine the value of  0 after successfully cracking  + ∑  =1  2  .Even so, Node B cannot find solutions to a group of nonlinear polynomial equations with only  + 2 equations though the number of unknown quantities is reduced from the original 2 + 3 to the current 2 + 2.
(4) The security analysis in Step 4 of this process is the same as the analysis in Step 4 of the TPEDP.
In order to make the above security analysis more persuadable, it must be proven that the intermediate information obtained by a passive attacker and that produced in no-attack and real situations involve the "calculation of indiscernibility." Theorem 3. The REDP (marked with  2 ) ensures that Node A and Node B cannot acquire private input regarding each other.
Proof.Because of the premises and assumptions of the simulator and because the process of the input phase of the REDP protocol is similar to that of the TPEDP protocol, the validation procedures of computation and output phases may be paid more attention.It can still be supposed that the passive attacker captures Node A and constructs the simulator  1 to implement the REDP protocol.
2 , and ℎ  3 , which must be selected by Node B in ( 13)-( 15): In Step 3,  1 continues to create    =   and in terms of (17) to complete the simulation for Node B.
Output Phase of  2 . 1 collects all information of Node A: {   ,    , (P, Q)}, which satisfy the form of (4); that is,    = (P, Q) +    , where    = −  ,    = −V  . 1 (P, ) = {P,  1 , ℎ  1 , ℎ  2 , ℎ  3 , } cannot be distinguished from all information produced in the normal execution of  2 .The view of Node A is view The same conclusion can be drawn if the participant captured by the attacker is Node B.

Efficiency Analysis and Comparisons
In this section, the complexity of communication round is analyzed, and the complexity of computation and the type of data involved in various protocols are also evaluated.These protocols obey semihonest execution rules and their objectives are to determine the result of secure distance computation.One of these protocols in previous study [4] is based on homomorphic encryption, called "Rane's Scheme." A similar scheme [5], in which Rane's Scheme was improved upon, is called "Rane's Improved Scheme." Another previous study [8] proposed two kinds of secure two-party closest-pair of points protocols.The first one comprised the computation of distance aided by a third party, and the distance computation procedure can be separated from the protocol itself and called "Huang's 1st Scheme." The second one was designed according to discrete logarithm principles without any third party and could be used to realize secure two-party distance computation, called "Huang's 2nd Scheme." Luo's Scheme, Lu's Scheme, and Li's Scheme are introduced, respectively, in [6], [7], and [9] in the Related Work section.Lu's Scheme only realized a scalar product protocol, but, through it, a distance calculation protocol can be simulated at no extra cost.Table 1 lists the results of a comparison of the protocols given above from several perspectives.
(a) Communication Round Complexity.As shown in Table 1, communication round complexities of those protocols are almost roughly the same level except for Li's Scheme, which includes many communication steps.Rounds of communication in Lu's Scheme, Rane's Scheme, and the Rane's Improved Scheme are determined by the dimensions of the input vector.However, the dimensions of location information must be less than or equal to 3.Even if there is a third party, the TPEDP can be completed within two rounds, but the REDP has a total of four steps and three rounds of interaction, so the complexity of communication round is 3.
(b) Computation Complexity.As shown in Table 1, the overhead of these protocols to generate random numbers can be ignored because that can be addressed in the input phase.The complexity of computation is primarily produced during the computation phase of those protocols, including the TPEDP and REDP.Both of these protocols rely on the dimensions of input vectors, so the computation complexity of them are both ().Some protocols based on Paillier additive homomorphic encryption can be used to perform 2 log  rounds of modular multiplication (modular operator  2 ) for each encryption and decryption, at most 2 rounds of modular multiplication (modular operator  2 ) per modular exponential calculation (()  ), where  denotes the number of bits of processed data.For example, the complexity of computation of Rane's Scheme and its improved one is ((2 + 2) log  + 2 +  + 1) rounds of modular multiplication (modular operator  2 ) and that of Lu's is ((6 + 2) log  + (2 + 2) + ) rounds; it means that the computational cost of Rane's Scheme and its improved one totally includes ( + 1) times encryptions,  times modular exponentiations,  times modular multiplications, and once decryption; Luo's Scheme is not based on Paillier additive homomorphic encryption but rather on another form of encryption.The complexity of the computation can still be evaluated; it is (6 log  + 2 + 2) rounds of modular multiplication (modular operator  2 ).Generally, the value of  is larger than the dimension , so the complexity of the computation processes involved in the protocols outlined above is no less than ( 3 ).
(c) Type of Data.Rane's Scheme shows satisfactory performance with respect to the complexity of rounds of communication, but the types of data that it can process are limited to integer field.Huang's 2nd Scheme shows the same defect.The two proposed protocols have a broader range of computation because they can be implemented in real number domains.
(d) Degree of Privacy Protection.The TP of Huang's 1st Scheme holds all the information from both participants, so there is no privacy protection at all.Li's Scheme, which is based on oblivious transfer protocol and involves no TP, has a primary disadvantage that one participant may acquire all results of distance computation and deduce some private information of the other participant.In this case, if one participant can obtain all three distances from three different starting points to the same terminal point, the exact location of the other participant can be calculated.For example, as shown in Figure 1, if Node A holds  11 ,  12 , and  13 , which represent distances from points  1 ,  2 , and  3 to point  1 , it can deduce the location of Node B,  1 , correctly.
Both the TPEDP and REDP use a result-sharing mechanism in which two participants can determine the distance calculation results until publishing their respective random numbers ( and V).This prevents the privacy leakage that can be caused when one participant monopolizes the results.In Section 7.1, especially, it can be proven that the TPEDP protocol's degree of privacy is 1, that is, the perfect zero leakage.

Further Discussion
7.1.Privacy Measurement Problem of the TPEDP Protocol.Not all protocols can be carried out and used to measure privacy; only those that always satisfy linear dependence between their inputs and intermediate messages can be evaluated for the degree of privacy by using the methods recommended in Section 3.4.In this way, only the TPEDP protocol meets the requirements outlined in this paper.In the TPDEP protocol, the impact of TP can be completely ignored, because it only distributed some initial values but did not receive any valid information from either of the two participants.
During the running of the TPDEP protocol, all messages received by Node A can be denoted by msg  = {, , Q 1 }, which includes the following: The expressions of  and  can be altered as follows: These values are related to Node B's inputs, Q and Rb.For the convenience of measurement of privacy, the expressions of all three elements can be changed as follows: Here, it is supposed that ) . (30) According to Theorem 1, it can finally be deduced that (Q | msg  ) =  log .
Next, the degree of privacy is examined from Node B's perspective.All messages received by Node B can be denoted with msg  = {, P 1 }, where the following are true: (32 Here it is assumed that

The Repeated Calculation Problem of the REDP Protocol.
Repeated calculation problem is worth emphasizing.It merits attention from both of the participants in the REDP protocol.An erroneous choice of participants may lead to a serious reduction in privacy.If Node A and Node B meet again after they have executed the REDP protocol at least once, then, during the new execution, the REDP protocol requires fresh initial vectors and random numbers distinguished from those used in the last calculation.A specific example can be cited and used to illustrate this issue, but discussions are not limited to this example.
Node A and Node B, who held initial vectors P and Q, respectively, have completed the REDP protocol once.To run the REDP again, Node B here reselects the initial vector R substituted for Q, but Node A insists on keeping the original vector P and updates the random sequence   ( = 0, 1, 2, . . ., ) and random numbers  and  to construct new P 1 , P 2 , and  values.This indicates that Node B may encounter a group of 2 nonlinear polynomial equations when it receives those renewed data from Node A. If the new equations in the group are linearly independent from those obtained by Node B in the last execution (Node A held P and Node B held Q), then Node B can obtain a group of 4 nonlinear polynomial equations and 2 + 3 +  + 3 = 3 + 6 unknown quantities.If Node A selects  0 = 1,  = 1 in the new interaction (though this case is almost impossible), the 4 nonlinear polynomial equations will degenerate into a group of nonhomogeneous linear equations with 3 + 6 unknown quantities.In this case, if  < 6 (i.e., 4 < 3 + 6), then Node B cannot learn the value of P because of prohibitively high number of solutions.If  ≥ 6 (i.e., 4 ≥ 3 + 6) and the number of unknown quantities is less than the number of equations, then Node B will break P and the location information of Node A is revealed.In this way, if Node A persists in using its original vector, it will be unable to update random sequences and random numbers (such as   , , and ) in another running of this protocol.Otherwise, Node B will collect more equations regarding this original vector of Node A, which will increase the risk of loss of privacy.However, in this case, Node A can change the random value of  to produce the corresponding alteration of the results   and   .
For this reason, extra limitations must be added to the REDP protocol when it is encoded into the wireless communication devices.This can prevent some extreme situations such as selecting  0 = 1,  = 1 in Node A's computation round.Certainly, a better provision for the REDP protocol is that each participant should try to choose inputs different from those in previous executions to prevent hidden danger unless the location information of the participant has not changed.(This case has a negligible probability for moving entities.)In this way, Node A must only renew the values of  or V.

Availability in Wireless Sensor
Networks.It is necessary to verify the availability of TPEDP and REDP in wireless sensor networks.We design such simulation experiments related to distance to observe the changes of network lifetime and energy consumption in the following three scenarios: the first is calculating the distance between Nodes A and B which use the REDP protocol; the second aids TPEDP to achieve the distance calculation (the current cluster-header is "TP"); and the third is based on ECC (elliptic curves cryptography), which is considered as the most lightweight public key method in WSNs, to realize the computation through encryptions, decryptions, and the reliable third party (the base station).To achieve the data-level privacy protection, in the third scenario, Nodes A and B must encrypt their locations separately using the public key of the base station, and the base station decrypts them and calculates the distance between Nodes A and B, and then the base station must encrypt the distance value by their respective public keys and send it to A and B. Finally, Nodes A and B decrypt it and obtain the result.If A and B cannot communicate with the base station within one hop, this method will cause heavy network loads.
In order to ensure the validity of comparisons, we make some assumptions aimed at the three scenarios.Shown in Figure 2, any two nodes who want to calculate the distance between them in the network can form a group; once a node joins one group it will not be able to join other groups, except the death of the other node in the same group, it will find a new single node with the same situation again to form a new group.In our simulation experiments, nodes would prefer to search the closest neighbor to form a group.All groups repeatedly calculate the distance between two members, until the network life cycle is ended.The base station, especially, does not participate in any group and all packets are in the same size which can be divided exactly by 16.Leach protocol will be used as the clustering and routing protocol in order to ensure path accessibility.If one current cluster-header is dead, it will reselect the new header in terms of Leach protocol.In TPEDP protocol, the same cluster-header can act as the TP for several groups of nodes.Detailed simulation parameters can be shown in Table 2.We set two cases " = 3,  = 64 bits" and " = 8,  = 96 bits" to reflect the trend of network lifetime, based on the comparisons of REDP, TPEDP, and ECC, seen in Figures 3(a) and 3(b), respectively.We can watch that, with the increase of sensor nodes, the network lifetimes of three scenarios (or protocols?)appear to decline (or downtrend?)after a little growth in the initial stage.There exit different reasons of these phenomena for REDP, TPEDP, and ECC.There still exit some active sensor nodes in REDP (or TPEDP) because they cannot find another neighbor (or a suitable TP) in their communication ranges when the number of nodes is 100; however the lifecycle is terminated.With the increase of sensor nodes, the above symptoms will be relieved; for instance, the number of nodes is 150 or 200.With the further raise of the number of nodes (350 or 400), more and more new groups emerge while some previous groups are still running, which causes more communication costs, so the lifetime is shortened.Owing to direct or multihop communication to the base station for each node in the network, the secure distance calculation based on ECC would lead to more energy consumption, compared with REDP and TPEDP.Similarly, 100 nodes are uniformly distributed in 400 * 400 field, however some active nodes have never been able to establish the paths to the base station before their lifecycles end.The suitable enhancement of sensor nodes would create more paths to the base station, which can prolong the network lifetime.However, when the number of nodes is 250 or more, many nodes will play the role of relay to achieve more paths, which causes the decline of lifecycle because of more energy consumption.It is worthy to notice that parameters  and  make have influence on the lifetime of REDP and TPEDP, which in Figure 3(b) is less than Figure 3(a), and the larger the  and , the more the computation cost of the two protocols.However, the increase of the values of  and  cannot affect the decline of ECC too much, even if it also brings more computational overhead.Compared with TPEDP, REDP causes more energy consumption because of the requirements for more communication rounds and the cost of reselection of new cluster-headers for TP.

Extended Multiparty Computation.
The flexibility characteristics of the TPEDP and REDP protocols make them conveniently transform from two-party distance computation to multi-party distance computation.We suppose that there are totally  nodes in WSNs, and they can be denoted by  1 ,  2 , . . .,   and hold their secret inputs  1 ,  2 , . . .,   , respectively, where  1 = { 11 ,  12 , . . .,  1 }, . . .,   = { 1 ,  2 , . . .,   } are all -dimensional vectors.In a security multiparty distance protocol, any one of the nodes   ( = 1, 2, . . ., ) expects that it can achieve the correct distance (34) At last,   declares    and   reveals    , and they share the resulting (  ,   ) according to (34).The details of calculation are determined by the specific protocol.If  1 ,  2 , . . .,   select their respective random number denoted by  1 ,  2 , . . .,   in the calculation procedure,   = |    | 2 +   can be used to represent the final result that keeps the same form of (34).For example, another participant (holds vector R and random number ) other than Node A and Node B can easily enjoy the implement of the two proposed protocols, which need to be upgraded simply, and the results would be shared by the form of  = |PQ| 2 + V,  = |PR| 2 +  and V = |QR| 2 + .

Conclusions
Wireless sensor networks make communication and computation between humans and other things become a research hotspot.Two novel secure two-party protocols for distance computation are presented in this paper, designed to address the scenarios of privacy-preservation of location information in an encounter between Node A and Node B. The first proposed protocol, the TPEDP, involves a semihonest TP that protects the location of all participants from a passive attacker inside or outside the network.The problem of nonexistence of a suitable TP in wireless sensor networks was considered.The second protocol lacks a third party.The REDP, which benefits from randomization method, can be used to acquire the correct results of distance between two nodes securely.Compared to the similar protocols, the two proposals, TPEDP International Journal of Distributed Sensor Networks and REDP, performed more satisfactorily on the efficiency including rounds of communication, computation, and data type.
However, the assumption of the semihonest model is only suitable for certain scenarios, those that can resist only passive attacks.Some protocols secure against the malicious adversary model have been proposed especially for privacy-preserving data applications [20,25].However, these techniques are expensive in both communication and computation costs.In the future, the design of efficient protocols that can resist active or malicious attacks may remain challenging.
and rank(A) = .If there exists a functional dependency relationship among A, V, and C, which can be expressed by A * V = C, and meanwhile if V has  unknown quantities, then (V | C) = ( − ) log .
, where  1 (, ) is the first element and * × {0, 1} *  → {0, 1} * × {0, 1} * 8)has two unknown quantities and an infinity of solutions.In this way, neither Node A nor Node B can deduce the value of  2 from their respective data alone.So the scenario protects the secrecy of the information regarding the location of the two participants.
Computation Phase of  2 .In Step 1,  1 produces {  0 ,   1 , . . .,    },   ,   , and   successively according to the results of  1 and then calculates {P  1 , P  2 ,   }, which serves as the simulated information that would be sent to Node B. In Step 2, because Node A does not know the real   generated by Node B,  1 will forge    , together with Q  = (  1 ,   2 , . . .,    ) and simulate the intermediate data

Table 1 :
Secure two-party distance computation protocols.
[9]]: for a fair comparison, a specific effective algorithm in[10], whose communications round complexity is 2 and computational cost is 2 + 2 exponential modulo operation, is selected as the complement of oblivious transfer protocol OT1[11]of Li's Scheme[9].
This satisfiesA 1 * Z 1 = C 1 (I  represents identity matrix).C 1 is equivalent to msg  = {, , Q 1 } and rank(A 1 ) is  + 2.If any participant obtains Q and msg  , he would easily calculate Rb, Rb * Rb  , , Q * Q  , and V.According to the definitions given in Section 3.4, it can be concluded that