Secure Two-Party Distance Computation Protocols with a Semihonest Third Party and Randomization for Privacy Protection in Wireless Sensor Networks

Abstract

Scenarios in which two nodes who distrust each other in wireless sensor networks (WSNs) would like to know the distance between them are considered. The scenario is designed to protect the private information of WSNs, in this case each node's location, from the other nodes and from a passive attacker. The goal of the present work is to provide two novel and secure two-party distance computation protocols based on a semihonest model, the first with aid of a third party and the second based on randomization technique. Both of these protocols can extend the calculated value into a real number field. The output of the distance computation and the intermediate values in the proposed protocols are also private and not accessible to a third party or any other attackers. When executing these two protocols, security is guaranteed, and the performances of communication and computation of them are found to be satisfactory when compared to those of other similar protocols.

1. Motivation

With the development of the computer and communication technologies, wireless sensor networks have gradually extended into the fabric of human society. Communications between people and things have become a reality so that many researchers have begun to pay attention to wireless sensor networks, where many techniques [1, 2] require secure authentication and secure privacy computation. This is because privacy protection is a significant research point which cannot be ignored in today's wireless sense applications. The privacy of wireless sensor networks’ entity may appear to be either a natural property or a social characteristic depending on the requirements of specific scenarios. The matter of defining privacy in terms of different applications and realizing privacy protection can be explained in detail through the following scenarios regarding secure communications.

Wireless sensor networks can usually be deployed in the enemies’ battle field to monitor military information. Once found, each node has the risk of being captured by enemies so that all nodes do not trust each other. However, these nodes have to cooperate with each other in this unreliable environment in order to complete tasks of data collection. For example, Node A decides to expand its coverage area through enhancing transmitting power in one region to obtain more sensing data. Node A also notices that Node B, possibly the adjacent node of Node A, is also expanding the coverage area of his located region. But the two nodes do not want to collect data in the same area, so they want to know whether there are overlapping areas between their respective regions without disclosing the corresponding location information, in order to avoid the danger of being captured caused by the leakage of location information. If Node A and Node B are able to calculate the distance between their respective regions in the case of keeping geographical location information confidentiality and meanwhile telling each other their respective coverage radiuses, then this problem can be effectively solved: if the distance is too close, it indicates that there is overlap; otherwise there is no overlap.

Location information becomes important and confidential in the above scenarios, though the utilization of the respective positions of two participants is the most common method for calculating Euclidean distance. In this case, secure two-party distance computation without revealing location information becomes a vital problem.

Secure two-party computation, introduced by Yao, allows two parties to jointly compute any function using their inputs in such a way that (1) the output of the computation is correct and public and (2) the inputs are not revealed to both users [3]. Secure calculation of the distance between two parties (or two nodes in WSNs) is a specific case of secure two-party computation, and it provides a solution to the scenario described above. Currently, there exist two ways of computing the distance, and both of them allow the location of each party to be kept secret. The first requires the help of a third party, and the other does not. The primary contribution of this paper is that it puts forward two novel, secure, and efficient protocols that can be used in accordance with the above two methods.

The rest of the paper is organized as follows. The next section reviews related works in the field of secure two-party distance computation. Section 3 presents the preliminaries and assumptions. Section 4 provides two novel and secure two-party distance computation protocols used in WSN, the first involving a semihonest third party and the other involving randomization technique, and their respective correctness proofs. Security analysis and performance comparisons between the proposals and previous work are presented in Sections 5 and 6, respectively. Further discussions about sensitive issues are given in Section 7. Section 8 concludes this paper.

2. Related Work

Secure two-party computation is widely used in network security protocol design to protect important information related to location, identity, and healthcare. Recently, location information during the use of location-based services (LBSs) has raised considerable concerns [12], especially in distance calculation application. Currently, secure two-party distance protocols are generally divided into three categories. The first [4–7] is established using a homomorphic encryption mechanism that serves as the secure basis of privacy protection. The second [8, 13] is established with the assistance of a third party, usually a semihonest third party. The third [14] is established with the randomization technique.

As the first type of protocol, [4] describes and analyzes a scheme for biometric authentication and it uses homomorphic encryption for secure calculation of Hamming Distance without revealing the participants’ secret information. The work [5] puts forward a secure two-party computation protocol of Euclidean distance using Paillier homomorphic encryption [11] and this protocol is implemented for private querying of face images and maintains low communication overhead. The work [6] also proposes a secure multiparty distance computation protocol, which is also designed based on Paillier homomorphic encryption without a third party. The work [7] suggests a secure, privacy-preserving opportunistic computing (SPOC) framework for healthcare emergency based on a secure scalar product protocol that can be used to design a secure two-party distance computation protocol. Pronounced computational complexity is the common weakness of secure two-party computation protocols based on homomorphic encryption mechanisms. This is difficult to use with resource-constrained outdoor wireless link networks.

In the second category protocol, two participants are unable to calculate the distance between them if there is no third party involved. The protocol in [13] involves a quantum private comparison based on the presence of a semihonest third party and it enables two parties to determine whether their information matches without revealing the specifics. The work [8] allows the participant to calculate the distance based on an honest third party for comparison of local data and simultaneously causes private values to be fully grasped by the third party, which is followed by obvious information leakage and security issues that cannot be ignored. Although intervention by a third party may improve the efficiency of computation and communication, this increases network costs. This issue of decreasing the number of secrets learned by a third party is significant here. The distinction between honest and semihonest third parties is illustrated in Section 3.2.

Broad application of homomorphic encryption mechanisms results in less use of other digital disguise techniques, such as randomization methods, which can be used to design secure two-party computation protocols. Randomized disguises obscure the real data by adding random elements to them to facilitate privacy protection. For example, [14] provides a randomization method by performing a linear transformation on the real data or a random permutation replacement of the real data to achieve a secure two-party distance computation protocol. The protocol in [9] also involves randomization method and 1 out of m oblivious transfer protocol [11]. Designing a secure and efficient two-party distance computation protocol based on randomized masquerade is mathematically difficult. Many current protocols, such as one described in a previous study [8], can only be used in integer domains and cannot be expanded into real number domains. This limits their use.

In wireless sensor networks, literatures related to privacy protection of location and distance [15] can be traced back to 2007. Actually only few literatures apply the distance computation protocols based on privacy protection to data security of wireless sensor networks. To the best of our knowledge, [16] is the first paper that uses the secure distance calculation protocol to solve location privacy in WSNs. The work [17] presents an overview of the solutions that provide source location privacy such as anonymity and unobservability, within a WSN, in relation to the assumptions about the adversary's capabilities. A location privacy routing protocol (LPR) is proposed in [18] to achieve path diversity, and, combining with fake packet injection, LPR is able to minimize the traffic direction information that an adversary can retrieve from eavesdropping. However, LPR does not provide the data-level privacy protection. The work [19] found out that Lu et al.'s protocol in [7] still has some secure flaws such as user anonymity and mutual authentication, and it presents an improved mobile-healthcare emergency system based on extended chaotic maps for applications of wireless body sensor networks (BSNs).

3. Preliminaries and Premises

3.1. Definition of Secure Two-Party Computation

There are two participants in WSNs, Node A and Node B. Node A selects a secret input x and Node B selects another one y. They hope to calculate the function $f (x, y)$ and produce final results but they must keep their respective inputs secret. We call this computation process “secure two-party computation.” Here, x (or y) may be the location information of Node A (or Node B), and $f (x, y)$ may be the distance between the two nodes.

3.2. Semihonest Model

Secure two-party computation should guarantee the safety of the information even if one participant behaves deceitfully in the execution of the protocol. The attacker may perform one of two types of attacks: one is active that is called “malicious (or adversarial) model [20]” and another is passive, here called the “semihonest model.” In the malicious model, the attacker manipulates one of the participants into executing the protocol improperly. For example, the attacker may cause a participant to substitute mendacious data for real input in order to interrupt implementation of the protocol. In the semihonest model, the attacker only grasps the entirety of the information of the captive participant, including those intermediate data acquired from the other participant, and the purpose of the attacker is solely to reveal some private information, but the protocol is carried out correctly and all inputs are true. Some researchers refer to the semihonest participant as “honest but curious” [21].

Based on the above, the reliability of a third party can be defined (hereinafter abbreviated “TP”). There exist three cases. In the first case, the TP is honest, and both the participants send their secrets to the TP without worrying that the TP will leak any private information. This case is perfect but impractical. In the second case, the TP is dishonest or malicious, and neither participant believes the TP. This case is dangerous. In the third case, the TP is semihonest. The TP executes the protocol faithfully, and all kinds of intermediary data and computational results are recorded. The TP tries to make this information publicly available. In WSNs, base station or the cluster-header usually acts as the role of TP.

In the present paper, it is supposed that both participants and TP all follow the semihonest model. Generally, the semihonest secure two-party computation model can be illustrated in detail as follows. This can be used in security proofs of protocols.

There exists a mapping function $f : {\{0,1\}}^{*} \times {\{0,1\}}^{*} \mapsto {\{0,1\}}^{*} \times {\{0,1\}}^{*}$ , where $f_{1} (x, y)$ is the first element and π denotes the secure two-party computation protocol. During the implementation of π, the view of the first party ${v i e w}_{1}^{π} (x, y)$ is represented by $(x, r^{1}, m_{1}^{1}, m_{2}^{1}, \dots, m_{t}^{1})$ (analogously $(y, r^{2}, m_{1}^{2}, m_{2}^{2}, \dots, m_{t}^{2})$ denotes the view of the second party ${v i e w}_{2}^{π} (x, y)$ ). Here, x is the input, $r^{1}$ denotes the result of random coin toss, and $m_{i}^{1}$ stands for the ith intermediate message received by the first party. When π is complete, the output of the first party is marked with ${o u t p u t}_{1}^{π} (x, y)$ (the output of the second party is ${o u t p u t}_{2}^{π} (x, y)$ ) and the output of π is ${o u t p u t}^{π} (x, y) = ({o u t p u t}_{1}^{π} (x, y), {o u t p u t}_{2}^{π} (x, y))$ .

Generally, if there exists a probabilistic polynomial-time algorithm (denoted by $S_{1}$ or $S_{2}$ ) to execute the privacy computation of f, it can be concluded that the following is true:

\begin{array}{l} {\{(S_{1} (x, f_{1} (x, y)), f_{2} (x, y))\}}_{x, y} \\ \equiv {\{({v i e w}_{1}^{π} (x, y), {o u t p u t}_{2}^{π} (x, y))\}}_{x, y}, \\ {\{(f_{1} (x, y), S_{2} (y, f_{2} (x, y)))\}}_{x, y} \\ \equiv {\{({o u t p u t}_{1}^{π} (x, y), {v i e w}_{2}^{π} (x, y))\}}_{x, y} . \end{array}

(1)

Here, the meaning of “≡” is “calculation of indiscernibility,”

{o u t p u t}_{i}^{π} (x, y)

is entirely determined by

{v i e w}_{i}^{π} (x, y)

, and both of them are stochastic variables.

S_{1}

and

S_{2}

are called the time simulators.

3.3. Definition of Distance

There are many definitions of distance between two participants, including the Minkowski distance, Hamming distance, and Levenshtein distance [22]. The Minkowski distance is the most common one. It can be expressed using

\begin{matrix} d (p) = {(\sum_{i = 1}^{n} {|x_{i} - y_{i}|}^{p})}^{1 / p} . \end{matrix}

(2)

Here

x_{i}

and

y_{i}

are from

P = (x_{1}, x_{2}, \dots, x_{n}) \in R^{n}

and

Q = (y_{1}, y_{2}, \dots, y_{n}) \in R^{n}

, respectively. When

p = 1

, it becomes the Manhattan distance; when

p = \infty

, it becomes the Chebyshev distance; when

p = 2

, it becomes the Euclidean distance, which can be described by

\begin{matrix} d (2) = \sqrt{(\sum_{i = 1}^{n} {|x_{i} - y_{i}|}^{2})} . \end{matrix}

(3)

In this paper, the Euclidean distance between two participants is calculated exactly in the two proposed secure protocols.

3.4. Privacy Measure

Most researchers use the “calculation of indiscernibility” method to realize security proofs, but this method cannot quantify privacy. If it is necessary to prove that one protocol is absolutely secret (perfect zero leakage), privacy measures become essential because it can validate safety of protocols against attackers more efficiently. However, currently there is no common method of measuring privacy. Although the utilization of information theory can quantify privacy, it has limitations [23, 24]. Specifically, it is only available for the protocols whose input has a linear relationship with output. It cannot be applied to nonlinear protocols.

Several symbols and concepts regarding the measurement of privacy are given below. These were used to confirm the validity of the proposed protocol.

$X_{i}^{π}$ denotes the input of the ith participant in π, and ${m s g}_{i}^{π}$ is described as the message received by the ith participant. After the beginning of π, one participant receives some information from his partner. In this way, the following can be defined:

$H_{i}^{π} = H (X_{i}^{π})$ : the entropy of stochastic variable $X_{i}^{π}$ ;

$H_{i j}^{π} = H (X_{i}^{π} | {m s g}_{j}^{π})$ : the conditional entropy of $X_{i}^{π}$ when ${m s g}_{j}^{π}$ is given and when it implies the uncertainty on $X_{i}^{π}$ of the jth participant while receiving ${m s g}_{j}^{π}$ ;

$m i n_{i, j} (H_{i j}^{π} | H_{i}^{π})$ : the relative privacy of π;

$m i n_{i, j} (H_{i j}^{π})$ : the absolute privacy of π.

Relative privacy is believed to be more likely to reflect the degree of privacy divulgence than the absolute privacy, and it can be standardized to a value between 0 and 1 where 0 represents full leakage and 1 indicates perfect safety (perfect zero leakage).

Theorem 1 (see [23]).

Consider that $V, C \in G F (p)^{n}$ (both V and C are one-dimensional vectors); A is a matrix with m rows and n columns whose element belongs to $G F (p)^{n}$ and $r a n k (A) = k$ . If there exists a functional dependency relationship among A , V , and C , which can be expressed by $A * V = C$ , and meanwhile if V has n unknown quantities, then $H (V | C) = (n - k) l o g p$ .

The proof for Theorem 1 is shown in a previous study [23].

4. Two Novel Secure Two-Party Distance Computation Protocols

4.1. Description of the TPEDP Protocol

In this section, a novel third party-based Euclidean distance protocol (abbreviated TPEDP) is used to securely calculate the distance between two participants of Node A and Node B. Based on semihonest model, the TPEDP is divided into three phases: the input phase, computation phase, and output phase.

Input Phase. Node A selects a secret vector $P = (x_{1}, x_{2}, \dots, x_{n})$ , and Node B chooses another one $Q = (y_{1}, y_{2}, \dots, y_{n})$ , where $n \geq 1$ and their location information are represented by P and Q , respectively.

Output Phase. Through two-party calculation, $f (P, Q)$ is the final result that denotes Euclidean distance ${|P Q|}^{2}$ . Node A grasps $f_{a}$ and Node B keeps $f_{b}$ . Equation (4) shows the relationship among those symbols:

\begin{matrix} f_{a} = f (P, Q) + f_{b} . \end{matrix}

(4)

At last, Node A declares

f_{a}

and Node B reveals

f_{b}

, and they share the resulting

f (P, Q)

according to (4).

Computation Phase

Step 0. The TP (a third party, i.e., a base station or a cluster-header) randomly generates two vectors, $R a = (r a_{1}, r a_{2}, \dots, r a_{n})$ , $R b = (r b_{1}, r b_{2}, \dots, r b_{n})$ , and two numbers, p and q. It causes them to satisfy (5). Then the TP sends $R a$ and p to Node A and $R b$ and q to Node B. Consider

\begin{matrix} (R a - R b) * {(R a - R b)}^{T} = p + q . \end{matrix}

(5)

Step 1. Node A receives $R a$ , calculates $P_{1} = P + R a = (x_{1} + r a_{1}, x_{2} + r a_{2}, \dots, x_{n} + r a_{n})$ , and sends $P_{1}$ to Node B.

Step 2. Node B computes $Q_{1} = R b - Q = (r b_{1} - y_{1}, r b_{2} - y_{2}, \dots, r b_{n} - y_{n})$ using the received vector $R b$ and its secret Q . Then Node B generates a random number v, together with $P_{1}$ , and establishes (6). Finally, Node B sends $Q_{1}$ and s to Node A. Consider

\begin{array}{l} s = (P_{1} + Q_{1}) * {(P_{1} + Q_{1})}^{T} + 2 R b * Q^{T} \\ - 2 R b * P_{1}^{T} - q + v . \end{array}

(6)

Step 3. After receiving $Q_{1}$ and s, Node A calculates u in terms of

\begin{matrix} u = s - 2 R a * Q_{1}^{T} - 2 R a * P^{T} - p . \end{matrix}

(7)

Finally, Node A and Node B determine the distance ${|P Q|}^{2}$ (i.e., $d^{2}$ ) with respect to

\begin{matrix} u = d^{2} + v . \end{matrix}

(8)

Here,

f_{a} = - u

f_{b} = - v

, and

f (P, Q) = d^{2}

satisfy the form of (4).

Proof (correctness proof).

The TPEDP can achieve the correct result of Euclidean distance between two participants.

Proof.

The arithmetic expression of (6) can be expanded as follows:

\begin{array}{l} s = (P_{1} + Q_{1}) * {(P_{1} + Q_{1})}^{T} + 2 R b * Q^{T} \\ - 2 R b * P_{1}^{T} - q + v \\ = \sum_{i = 1}^{n} {(x_{i} + r a_{i} + r b_{i} - y_{i})}^{2} + 2 \sum_{i = 1}^{n} r b_{i} y_{i} \\ - 2 \sum_{i = 1}^{n} r b_{i} (x_{i} + r a_{i}) - q + v \\ = \sum_{i = 1}^{n} {((x_{i} - y_{i}) + (r a_{i} + r b_{i}))}^{2} + 2 \sum_{i = 1}^{n} r b_{i} y_{i} \\ - 2 \sum_{i = 1}^{n} r b_{i} (x_{i} + r a_{i}) - q + v \\ = \sum_{i = 1}^{n} {(x_{i} - y_{i})}^{2} + \sum_{i = 1}^{n} {(r a_{i} - r b_{i})}^{2} + 4 \sum_{i = 1}^{n} r a_{i} r b_{i} \\ + 2 \sum_{i = 1}^{n} (x_{i} - y_{i}) (r a_{i} + r b_{i}) \\ + 2 \sum_{i = 1}^{n} r b_{i} y_{i} - 2 \sum_{i = 1}^{n} r b_{i} (x_{i} + r a_{i}) - q + v \\ = \sum_{i = 1}^{n} {(x_{i} - y_{i})}^{2} + \sum_{i = 1}^{n} {(r a_{i} - r b_{i})}^{2} + 2 \sum_{i = 1}^{n} x_{i} r a_{i} \\ + 2 \sum_{i = 1}^{n} r a_{i} (r b_{i} - y_{i}) - q + v \\ = \sum_{i = 1}^{n} {(x_{i} - y_{i})}^{2} + \sum_{i = 1}^{n} {(r a_{i} - r b_{i})}^{2} + 2 R a * P^{T} \\ + 2 R a * Q_{1}^{T} - q + v . \end{array}

(9)

Q_{1}

and s of (7) are displaced, then (10) can be produced:

\begin{array}{l} u = s - 2 R a * Q_{1}^{T} - 2 R a * P^{T} - p \\ = \sum_{i = 1}^{n} {(x_{i} - y_{i})}^{2} + \sum_{i = 1}^{n} {(r a_{i} - r b_{i})}^{2} + 2 R a * P^{T} \\ + 2 R a * Q_{1}^{T} - q + v \\ - 2 R a * Q_{1}^{T} - 2 R a * P^{T} - p \\ = \sum_{i = 1}^{n} {(x_{i} - y_{i})}^{2} + \sum_{i = 1}^{n} {(r a_{i} - r b_{i})}^{2} - p - q + v . \end{array}

(10)

From (5), the equality of

p + q = \sum_{i = 1}^{n} (r a_{i} - r b_{i})^{2}

can be deduced. It can be substituted into (10). Finally, the expression of

u = \sum_{i = 1}^{n} (x_{i} - y_{i})^{2} + v = {|P Q|}^{2} + v

can be concluded and the validity of the TPEDP is proven.

4.2. Description of the REDP Protocol

Some outdoor wireless sensor network environments do not allow the existence of a reliable third party, so the two nodes must complete security distance calculation relying only on each other. A randomization technique is used to avoid the high computational complexity produced by homomorphic encryption, and the design of an efficient two-party protocol is described in this section. It is here called the randomization-based Euclidean distance protocol (abbreviated REDP). The difficulty of designing REDP is that it requires randomly camouflaging vectors in the domain of real numbers and it involves exchanging some elements within those modified vectors.

It can be supposed that Node A and Node B are semihonest participants and operations in input and output phases of the REDP are identical to those of the TPEDP. Then only the steps of computation phase are displayed as follows.

Computation Phase

Step 1. Node A generates a random sequence ${r a_{0}, r a_{1}, \dots, r a_{n}}$ where $r a_{i} \neq 0$ , $i \in [0, n]$ , and, for each $x_{i}$ in P ( $P = (x_{1}, x_{2}, \dots, x_{n})$ ), Node A calculates $x_{i}^{'} = r a_{0} x_{i} + i r a_{i}$ ( $i = 1,2, \dots, n$ ) which creates a new vector $P_{1} = (x_{1}^{'}, x_{2}^{'}, \dots, x_{n}^{'})$ . Node A continues to calculate the values of λ and $x_{i}^{''}$ according to (11) and (12), respectively, where u, e, and w ( $u, e, w \neq 0$ ) are random numbers chosen by Node A:

\begin{matrix} λ = - \frac{1}{2} r a_{0} (u + \sum_{i = 1}^{n} x_{i}^{2}), \end{matrix}

(11)

\begin{matrix} x_{i}^{''} = \frac{w - r a_{i}}{e}, (i = 1,2, \dots, n) . \end{matrix}

(12)

All

x_{i}^{''}

form a new vector

P_{2} = (x_{1}^{''}, x_{2}^{''}, \dots, x_{n}^{''})

, and Node A sends

P_{1}

P_{2}

, and λ to Node B but keeps

{r a_{0}, r a_{1}, \dots, r a_{n}}

, e, w, and u secret.

Step 2. Node B constructs two fresh vectors $Q_{1} = (y_{1}^{'}, y_{2}^{'}, \dots, y_{n}^{'}) = (r_{b} y_{1}, r_{b} y_{2}, \dots, r_{b} y_{n})$ and $Q_{2} = (y_{1}^{''}, y_{2}^{''}, \dots, y_{n}^{''}) = (r_{b} y_{1}, 2 r_{b} y_{2}, \dots, n r_{b} y_{n})$ with a random number $r_{b}$ ( $r_{b} \neq 0$ ) and Q ( $Q = (y_{1}, y_{2}, \dots, y_{n})$ ). Then Node B computes $h_{1}$ , $h_{2}$ , and $h_{3}$ in terms of (13), (14), and (15), separately, and $P_{1}$ , $P_{2}$ , and λ are obtained from Node A. Consider

\begin{array}{l} h_{1} = λ r_{b} + P_{1} * Q_{1} = r a_{0} r_{b} (u + \sum_{i = 1}^{n} x_{i}^{2}) + \sum_{i = 1}^{n} x_{i}^{'} y_{i}^{'} \\ = - \frac{1}{2} r a_{0} r_{b} (u + \sum_{i = 1}^{n} {x_{i}}^{2}) + \sum_{i = 1}^{n} (r a_{0} x_{i} + i r a_{i}) r_{b} y_{i}, \end{array}

(13)

\begin{array}{l} h_{2} = P_{2} * Q_{2} = \sum_{i = 1}^{n} x_{i}^{''} y_{i}^{''} = \sum_{i = 1}^{n} (w - \frac{r a_{i}}{e}) i r_{b} y_{i}, \end{array}

(14)

\begin{array}{l} h_{3} = \sum_{i = 1}^{n} y_{i}^{''} . \end{array}

(15)

At last, Node B sends

h_{1}

h_{2}

, and

h_{3}

to Node A but keeps

r_{b}

secret.

Step 3. Node A determines the value of m on the basis of (16) and sends it to Node B:

\begin{matrix} m = - \frac{(h_{1} + e h_{2} - w e h_{3})}{r a_{0}} . \end{matrix}

(16)

Step 4. Node B obtains the value of v according to

\begin{matrix} v = \frac{2 m}{r_{b}} + \sum_{i = 1}^{n} y_{i}^{2} . \end{matrix}

(17)

Finally, Node A and Node B share the value of ${|P Q|}^{2}$ (i.e., $d^{2}$ ) in the light of

\begin{matrix} v = d^{2} + u . \end{matrix}

(18)

Here

f_{a} = u

f_{b} = v

, and

f (P, Q) = d^{2}

all satisfy the form of (4).

Proof (correctness proof).

According to (16), (17), and (18), (19) can be deduced:

\begin{array}{l} d^{2} = v - u = \frac{2 m}{r_{b}} + \sum_{i = 1}^{n} y_{i}^{2} - u \\ = - \frac{2 (h_{1} + e h_{2} - w e h_{3})}{r a_{0} r_{b}} + \sum_{i = 1}^{n} y_{i}^{2} - u . \end{array}

(19)

It makes use of the expressions of (13), (14), and (15) to displace

h_{1}

h_{2}

, and

h_{3}

in (19), respectively. Then the following can be concluded:

\begin{array}{l} d^{2} = - \frac{2 [- (1 / 2) r a_{0} r_{b} (u + \sum_{i = 1}^{n} x_{i}^{2}) + \sum_{i = 1}^{n} r a_{0} r_{b} x_{i} y_{i}]}{r a_{0} r_{b}} \\ + \sum_{i = 1}^{n} y_{i}^{2} - u \\ = u + \sum_{i = 1}^{n} x_{i}^{2} - 2 \sum_{i = 1}^{n} x_{i} y_{i} + \sum_{i = 1}^{n} y_{i}^{2} - u \\ = \sum_{i = 1}^{n} {(x_{i} - y_{i})}^{2} . \end{array}

(20)

Equation (20) shows the exact computation of the expression of Euclidean distance between Node A and Node B. In this way, the proof is complete.

5. Security Analysis

5.1. Security of the TPEDP Protocol

In this section, the security of the TPEDP protocol is proven. Node A and Node B cannot learn any private vectors from each other except for the distance between them. This provides a detailed analysis of each step of the TPEDP. (1)

In Step 0, the TP receives no reply from either Node A or Node B, so it cannot gain any information from either of the two participants.

(2)

In Step 1, Node B learns $P_{1} = P + R a$ from Node A but cannot analyze P because Node B knows nothing about $R a$ . After receiving $P_{1}$ , Node B encounters a group of nonhomogeneous linear equations with $2 n$ unknown quantities but only n equations. These equations cannot be solved in an algebraic field.

(3)

In Step 2, Node A receives s, which is the result of scalar products for $P_{1}$ , $Q_{1}$ . For Node A, s and $Q_{1}$ are equivalent to a group of nonhomogeneous linear equations, including $2 n + 2 (Q, R b, q, v)$ unknown quantities, but the $n + 1$ equations are not enough to solve for those elements of Q .

(4)

In Step 3, owing to adding stochastic number v into (6) by Node B, Node A cannot hold the final result by itself. It means that u is only available to Node A and v is only available to Node B. For any one participant, (8) has two unknown quantities and an infinity of solutions. In this way, neither Node A nor Node B can deduce the value of $d^{2}$ from their respective data alone. So the scenario protects the secrecy of the information regarding the location of the two participants.

In summary, none of the information is compromised during communications among Node A, Node B, and TP. In order to render the procedure of security analysis more convincing, the calculation of indiscernibility method was adopted for further validation.

Theorem 2.

The TPEDP (marked with $π_{1}$ ) ensures that Node A and Node B cannot acquire private input of each other.

Proof.

Because both Node A and Node B are semihonest participants, it is necessary to prove, in the TPEDP, that the intermediate information obtained by the passive attacker cannot be differentiated from those produced in no-attack and real situations, that is, calculation of indiscernibility.

A simulator must be constructed to imitate all of information acquired by a passive attacker in the executing process of the TPEDP. It can be discretionarily determined whether Node A or Node B is captured by the attacker. For this reason, the simulator $S_{1}$ can simulate data from the view of Node A ${v i e w}_{1}^{π_{1}} (P = (x_{1}, x_{2}, \dots, x_{n})$ , $Q = (y_{1}, y_{2}, \dots, y_{n}))$ . In this way, this proof process can be used to verify whether ${S_{1} (P, f_{1} (P, Q), f_{2} (P, Q))}$ and ${v i e w_{1}^{π_{1}} (P, Q), o u t p u t_{2}^{π_{1}} (P, Q)}$ are equivalent, where ${v i e w}_{1}^{π_{1}} (P, Q) = (P, r^{1}, m_{1}^{1}, m_{2}^{1}, \dots, m_{t}^{1})$ . The location information $P = (x_{1}, x_{2}, \dots, x_{n})$ of Node A and the final distance d serve as the inputs of $S_{1}$ .

Input Phase of $π_{1}$ . The attacker informs $S_{1}$ that it will collect all of information held by Node A, including its private location P and the final result d. Because of the absence of $Q = (y_{1}, y_{2}, \dots, y_{n})$ which is held by Node B, $S_{1}$ can only generate one simulated vector $Q^{'} = (y_{1}^{s}, y_{2}^{s}, \dots, y_{n}^{s})$ that satisfies (3). Here, $y_{i}$ in (3) is replaced by $y_{i}^{s}$ .

Computation Phase of $π_{1}$ . In Step 0, Node A receives the true data $R a$ and p distributed by the TP. But $S_{1}$ still generates simulant data involved in ${R a}^{'} = (r a_{1}^{'}, r a_{2}^{'}, \dots, r a_{n}^{'})$ , ${R b}^{'} = (r b_{1}^{'}, r b_{2}^{'}, \dots, r b_{n}^{'})$ , $p^{'}$ , $q^{'}$ in terms of the result of coin toss $r^{1}$ , and all those values satisfy the form of (5); that is, $({R a}^{'} - {R b}^{'}) * {({R a}^{'} - {R b}^{'})}^{T} = p^{'} + q^{'}$ .

In Step $1$ , $S_{1}$ can calculate $P_{1}^{'} = P + {R a}^{'} = (x_{1} + r a_{1}^{'}, x_{2} + r a_{2}^{'}, \dots, x_{n} + r a_{n}^{'}$ ) and send $P_{1}^{'}$ to Node B.

In Step 2, Node A receives s and $Q_{1}$ , which are produced by Node B. But $S_{1}$ can select a random number $v^{'}$ with ${R b}^{'}$ & $q^{'}$ . These values can be used to simulate the following equalities of $Q_{1}^{'}$ and $s^{'}$ in accordance with (6):

\begin{array}{l} Q_{1}^{'} = {R b}^{'} - Q^{'} = (r b_{1}^{'} - y_{1}^{s}, r b_{2}^{'} - y_{2}^{s}, \dots, r b_{n}^{'} - y_{n}^{s}) \\ s^{'} = (P_{1}^{'} + Q_{1}^{'}) * {(P_{1}^{'} + Q_{1}^{'})}^{T} + {R b}^{'} * Q^{' T} - {R b}^{'} \\ * P_{1}^{' T} - q^{'} + v^{'} . \end{array}

(21)

In Step 3, $S_{1}$ incites Node A to calculate the simulant parameter $u^{'} = s^{'} - 2 R a^{'} * Q_{1}^{' T} - 2 R a^{'} * P^{T} - p^{'}$ .

Output Phase of $π_{1}$ . Finally, $f_{a}^{'} = - u^{'}$ , $f_{b}^{'} = - v^{'}$ , and all satisfy the form of (4); that is, $f_{b}^{'} = f (P, Q) + f_{a}^{'}$ . After the exchange of data between Node A and Node B, through simulation, $S_{1}$ obtains all information of Node A: ${f_{a}^{'}, f_{b}^{'}, f (P, Q)}$ .

However, in each of the steps outlined above, all of the data (denoted by $S_{1} (P, d) = {P, r^{1}, s^{'}, Q_{1}^{'}, d})$ handled by $S_{1}$ cannot be distinguished from those produced in the normal execution of $π_{1}$ . Because the view of Node A is ${v i e w}_{1}^{π_{1}} (P, Q) = {P, r^{1}, s, Q_{1}}$ and the output of $π_{1}$ is ${o u t p u t}_{1}^{π_{1}} (P, Q) = {o u t p u t}_{2}^{π_{1}} (P, Q) = d$ , ${S_{1} (P, d), d} \equiv {{v i e w}_{1}^{π_{1}} (P, Q), {o u t p u t}_{2}^{π_{1}} (P, Q)}$ can be concluded. This indicates “calculation of indiscernibility.”

Likewise, if the attacker suborns Node B, then the attacker will gather all information in Node B's possession using another simulator, $S_{2}$ . The view of Node B is ${v i e w}_{2}^{π_{1}} (P = (x_{1}, x_{2}, \dots, x_{n})$ , $Q = (y_{1}, y_{2}, \dots, y_{n}))$ , and the same conclusion of “calculation of indiscernibility” can be drawn: ${f_{1} (P, Q)$ , $S_{2} (Q, f_{2} (P, Q))}$ and ${o u t p u t_{1}^{π_{1}} (P, Q), v i e w_{2}^{π_{1}} (P, Q)}$ are equivalent.

If the attacker captures the TP, then the attacker cannot realize the simulation because the TP has not obtained any information from Node A or Node B at any point in the protocol.

This proves Theorem 2.

5.2. Security of the REDP Protocol

Node A and Node B cannot obtain any private vectors from each other except for the distance value between them. The following is a detailed analysis of each step in the REDP process.

(1) In Step 1, Node B receives some data from Node A, including $P_{1} = (x_{1}^{'}, x_{2}^{'}, \dots, x_{n}^{'})$ , $P_{2} = (x_{1}^{''}, x_{2}^{''}, \dots, x_{n}^{''})$ , where $x_{i}^{'} = r a_{0} x_{i} + i r a_{i}$ , $x_{i}^{''} = (w - r a_{i}) / e$ ( $i = 1,2, \dots, n$ ). However, because Node B cannot learn the specific values of $r a_{i}$ , w, or e, it is faced with the difficulty of solving $x_{i}$ with $2 n$ nonlinear polynomial equations but $2 n + 3$ unknown quantities. These can be expressed by (22), where $b_{j}$ ( $j = 1,2, \dots, n, n + 1, \dots, 2 n$ ) is a specific constant. Consider

\begin{array}{l} x_{2 n + 1} x_{1} + x_{1} = b_{1}, \\ ⋮ \\ x_{2 n + 1} x_{i} + i x_{i} = b_{i}, \\ ⋮ \\ x_{2 n + 1} x_{n} + n x_{n} = b_{n}, \\ x_{2 n + 2} - \frac{x_{n + 1}}{x_{2 n + 3}} = b_{n + 1}, \\ ⋮ \\ x_{2 n + 2} - \frac{x_{n + i}}{x_{2 n + 3}} = b_{n + i}, \\ ⋮ \\ x_{2 n + 2} - \frac{x_{2 n}}{x_{2 n + 3}} = b_{2 n}, \\ (i = 1,2, \dots, n) . \end{array}

(22)

Equation (22) has infinity of solutions. In some cases, such as

r a_{0} = 1

e = 1

, (22) can be degraded to a group of nonhomogeneous linear equations group represented by (23). Here,

b_{j}

(

j = 1,2, \dots, n, n + 1, \dots, 2 n

) is a specific constant. Consider

\begin{array}{l} x_{1} + x_{n + 1} = b_{1}, \\ ⋮ \\ x_{i} + i x_{n + i} = b_{i}, \\ ⋮ \\ x_{n} + n x_{2 n} = b_{n}, \\ x_{2 n + 1} - x_{n + 1} = b_{n + 1}, \\ ⋮ \\ x_{2 n + 1} - x_{n + i} = b_{n + i}, \\ ⋮ \\ x_{2 n + 1} - x_{2 n} = b_{2 n}, \\ (i = 1,2, \dots, n) . \end{array}

(23)

Because (23) can be solved using features of the nonhomogeneous linear equations, it shows that the coefficient matrix and the augmented matrix of the equations outlined above have the same rank. For this reason, only the rank of the coefficient matrix is considered. This is displayed as follows:

\begin{array}{l} A = (\begin{pmatrix} \begin{array}{l} 1 \\ 0 \end{array} & \overset{n u m b e r o f ” 0 ” : n - 1}{\overset{︷}{\begin{array}{l} \begin{array}{l} 0 & 0 & \dots & 0 \end{array} \\ \begin{array}{l} 1 & 0 & \dots & 0 \end{array} \end{array}}} & \begin{array}{l} 1 \\ 0 \end{array} & \overset{n u m b e r o f ” 0 ” : n - 1}{\overset{︷}{\begin{array}{l} \begin{array}{l} 0 & 0 & \dots & 0 \end{array} \\ \begin{array}{l} 2 & 0 & \dots & 0 \end{array} \end{array}}} & \begin{array}{l} 0 \\ 0 \end{array} \\ \dots & \dots \\ 0 & \begin{array}{l} 0 & \dots & 0 & 1 \end{array} & 0 & \begin{array}{l} 0 & \dots & 0 & n \end{array} & 0 \\ 0 & \begin{array}{l} 0 & \dots & 0 & 0 \end{array} & - 1 & \begin{array}{l} 0 & \dots & 0 & 0 \end{array} & 1 \\ 0 & \begin{array}{l} 0 & \dots & 0 & 0 \end{array} & 0 & \begin{array}{l} - 1 & \dots & 0 & 0 \end{array} & 1 \\ \dots & \dots \\ 0 & \begin{array}{l} 0 & \dots & 0 & 0 \end{array} & 0 & \begin{array}{l} 0 & \dots & 0 & - 1 \end{array} & 1 \end{pmatrix}) \\ r (A) = 2 n . \end{array}

(24)

However, there are

2 n + 1

unknown quantities in (23) for which the rank of the coefficient matrix is

2 n

. Equation (23) has an infinite number of solutions because the rank of the augmented matrix (i.e., the number of linearly independent equations) is less than the number of unknown quantities. Even in some extreme situations, (22) still has an infinity of solutions. Node B cannot discriminate u or

r a_{0}

from the value of λ. In this way, the data obtained by Node B are not sufficient for detection of any private information regarding location vector

P = (x_{1}, x_{2}, \dots, x_{n})

, which is owned by Node A.

(2) In Step 2, Node A encounters the same problem with respect to solving a group of nonlinear equations. In extreme situations (e.g., if Node B selects $r_{b} = 1$ ), Node A may choose a zero vector $P = 0$ in input phase. This can be used repeatedly in (13) and (14) after Node A receives $h_{1}$ , $h_{2}$ , and $h_{3}$ . Finally, Node A can deduce the value of $r_{b}$ with considerable probability of success. Even so, Node A still needs to solve a group of nonhomogeneous linear equations with $n + 1$ unknown quantities and only three equations. This problem has an infinite number of solutions. Just by virtue of $r_{b}$ , Node A is unable to infer Node B's confidential location information Q .

(3) In Step 3, if Node B utilizes the expressions of (13), (14), and (15) to successively substitute for the values of $h_{1}$ , $h_{2}$ , and $h_{3}$ in (16), Node B can produce

\begin{array}{l} m = - \frac{(h_{1} + e h_{2} - w e h_{3})}{r a_{0}} \\ = - \frac{[- (1 / 2) r a_{0} r_{b} (u + \sum_{i = 1}^{n} x_{i}^{2}) + \sum_{i = 1}^{n} r a_{0} r_{b} x_{i} y_{i}]}{r a_{0}} \\ = \frac{1}{2} r_{b} (u + \sum_{i = 1}^{n} x_{i}^{2}) - r_{b} \sum_{i = 1}^{n} x_{i} y_{i} . \end{array}

(25)

There is a variety of ways in which Node B might separate individual components such as

u + \sum_{i = 1}^{n} x_{i}^{2}

from (25). During the input phase, Node B may select a special vector Q that only includes one nonzero element to participate in all calculations from Steps 1 to 4. However, this method does not allow Node B to discriminate

u + \sum_{i = 1}^{n} x_{i}^{2}

\sum_{i = 1}^{n} x_{i} y_{i}

from (25). Unless Node B uses a zero vector, that is,

Q = 0

, it can determine the value of

u + \sum_{i = 1}^{n} x_{i}^{2}

in Step 3 with considerable probability of success. Using the received value of λ, Node B may determine the value of

r a_{0}

after successfully cracking

u + \sum_{i = 1}^{n} x_{i}^{2}

. Even so, Node B cannot find solutions to a group of nonlinear polynomial equations with only

n + 2

equations though the number of unknown quantities is reduced from the original

2 n + 3

to the current

2 n + 2

(4) The security analysis in Step 4 of this process is the same as the analysis in Step 4 of the TPEDP.

In order to make the above security analysis more persuadable, it must be proven that the intermediate information obtained by a passive attacker and that produced in no-attack and real situations involve the “calculation of indiscernibility.”

Theorem 3.

The REDP (marked with $π_{2}$ ) ensures that Node A and Node B cannot acquire private input regarding each other.

Proof.

Because of the premises and assumptions of the simulator and because the process of the input phase of the REDP protocol is similar to that of the TPEDP protocol, the validation procedures of computation and output phases may be paid more attention. It can still be supposed that the passive attacker captures Node A and constructs the simulator $S_{1}$ to implement the REDP protocol.

Computation Phase of $π_{2}$ . In Step 1, $S_{1}$ produces ${{r a}_{0}^{'}, {r a}_{1}^{'}, \dots, {r a}_{n}^{'}}$ , $u^{'}$ , $w^{'}$ , and $e^{'}$ successively according to the results of $r^{1}$ and then calculates ${P_{1}^{'}, P_{2}^{'}, λ^{'}}$ , which serves as the simulated information that would be sent to Node B.

In Step 2, because Node A does not know the real $r_{b}$ generated by Node B, $S_{1}$ will forge $r_{b}^{'}$ , together with $Q^{'} = (y_{1}^{s}, y_{2}^{s}, \dots, y_{n}^{s})$ and simulate the intermediate data $Q_{1}^{'}$ , $Q_{2}^{'}$ , $h_{1}^{'}$ , $h_{2}^{'}$ , and $h_{3}^{'}$ , which must be selected by Node B in (13)–(15):

\begin{array}{l} Q_{1}^{'} = (r_{b} y_{1}^{s}, r_{b} y_{2}^{s}, \dots, r_{b} y_{n}^{s}), \\ Q_{2}^{'} = (r_{b} y_{1}^{s}, 2 r_{b} y_{2}^{s}, \dots, n r_{b} y_{n}^{s}), \\ h_{1}^{'} = λ^{'} r_{b}^{'} + P_{1}^{'} * Q_{1}^{'} = - \frac{1}{2} r a_{0}^{'} r_{b}^{'} (u^{'} + \sum_{i = 1}^{n} {x_{i}}^{2}) \\ + \sum_{i = 1}^{n} (r a_{0}^{'} x_{i} + i r a_{i}^{'}) r_{b}^{'} y_{i}^{s}, \\ h_{2}^{'} = P_{2}^{'} * Q_{2}^{'} = \sum_{i = 1}^{n} (w^{'} - \frac{r a_{i}^{'}}{e^{'}}) i r_{b}^{'} y_{i}^{s}, \\ h_{3}^{'} = \sum_{i = 1}^{n} i r_{b}^{'} y_{i}^{s} . \end{array}

(26)

In Step 3, $S_{1}$ continues to create $f_{a}^{'} = u^{'}$ and $m^{'} = - (h_{1}^{'} + e^{'} h_{2}^{'} - w^{'} e^{'} h_{3}^{'}) / r a_{0}^{'}$ .

In Step 4, $S_{1}$ obtains $f_{b}^{'} = v^{'} = 2 m^{'} / r_{b}^{'} + \sum_{i = 1}^{n} y_{i}^{s 2}$ in terms of (17) to complete the simulation for Node B.

Output Phase of $π_{2}$ . $S_{1}$ collects all information of Node A: ${f_{a}^{'}, f_{b}^{'}, f (P, Q)}$ , which satisfy the form of (4); that is, $f_{b}^{'} = f (P, Q) + f_{a}^{'}$ , where $f_{a}^{'} = - u^{'}$ , $f_{b}^{'} = - v^{'}$ .

$S_{1} (P, d) = {P, r^{1}, h_{1}^{'}, h_{2}^{'}, h_{3}^{'}, d}$ cannot be distinguished from all information produced in the normal execution of $π_{2}$ . The view of Node A is ${v i e w}_{1}^{π_{2}} (P, Q) = {P, r^{1}, h_{1}, h_{2}, h_{3}}$ and the output of $π_{2}$ is $o u t p u t_{1}^{π_{2}} (P, Q) = o u t p u t_{2}^{π_{2}} (P, Q) = d$ , so ${S_{1} (P, d), d} \equiv {v i e w_{1}^{π_{2}} (P, Q), o u t p u t_{2}^{π_{2}} (P, Q)}$ implies “calculation of indiscernibility.”

The same conclusion can be drawn if the participant captured by the attacker is Node B.

This proves Theorem 3.

6. Efficiency Analysis and Comparisons

In this section, the complexity of communication round is analyzed, and the complexity of computation and the type of data involved in various protocols are also evaluated. These protocols obey semihonest execution rules and their objectives are to determine the result of secure distance computation. One of these protocols in previous study [4] is based on homomorphic encryption, called “Rane's Scheme.” A similar scheme [5], in which Rane's Scheme was improved upon, is called “Rane's Improved Scheme.” Another previous study [8] proposed two kinds of secure two-party closest-pair of points protocols. The first one comprised the computation of distance aided by a third party, and the distance computation procedure can be separated from the protocol itself and called “Huang's 1st Scheme.” The second one was designed according to discrete logarithm principles without any third party and could be used to realize secure two-party distance computation, called “Huang's 2nd Scheme.” Luo's Scheme, Lu's Scheme, and Li's Scheme are introduced, respectively, in [6], [7], and [9] in the Related Work section. Lu's Scheme only realized a scalar product protocol, but, through it, a distance calculation protocol can be simulated at no extra cost. Table 1 lists the results of a comparison of the protocols given above from several perspectives.

Table 1

Secure two-party distance computation protocols.

	Communication round complexity	Computation complexity	Data type	Need for a third party	Degree of privacy protection
TPEDP	2	$O (n)$	Real	Yes	1 (perfect zero leakage)
REDP	3	$O (n)$	Real	No	Zero leakage
Rane's Scheme [4]	n	$O (n^{3})$	Integer	No	Zero leakage
Rane's Improved Scheme [5]	n	$O (n^{3})$	Real	No	Zero leakage
Luo's Scheme [6]	2	$O (n^{3})$	Real	No	Zero leakage
Lu's Scheme [7]	n	$O (n^{3})$	Real	No	Zero leakage
Huang's 1st Scheme [8]	3	$O (n)$	Real	Yes	The TP obtains all messages from two participants
Huang's 2nd Scheme [8]	2	$O (n)$	Integer	No	Zero leakage
Li's Scheme [9]	10	$O (n^{2})$	Real	No	One participant obtains all messages from another

Note: for a fair comparison, a specific effective algorithm in [10], whose communications round complexity is 2 and computational cost is $2 n + 2$ exponential modulo operation, is selected as the complement of oblivious transfer protocol $O T_{n}^{1}$ [11] of Li's Scheme [9].

(a) Communication Round Complexity. As shown in Table 1, communication round complexities of those protocols are almost roughly the same level except for Li's Scheme, which includes many communication steps. Rounds of communication in Lu's Scheme, Rane's Scheme, and the Rane's Improved Scheme are determined by the dimensions of the input vector. However, the dimensions of location information must be less than or equal to 3. Even if there is a third party, the TPEDP can be completed within two rounds, but the REDP has a total of four steps and three rounds of interaction, so the complexity of communication round is 3.

(b) Computation Complexity. As shown in Table 1, the overhead of these protocols to generate random numbers can be ignored because that can be addressed in the input phase. The complexity of computation is primarily produced during the computation phase of those protocols, including the TPEDP and REDP. Both of these protocols rely on the dimensions of input vectors, so the computation complexity of them are both $O (n)$ .

Some protocols based on Paillier additive homomorphic encryption can be used to perform $2 l o g N$ rounds of modular multiplication (modular operator $N^{2}$ ) for each encryption and decryption, at most $2 d$ rounds of modular multiplication (modular operator $N^{2}$ ) per modular exponential calculation $(E {(x)}^{y})$ , where d denotes the number of bits of processed data. For example, the complexity of computation of Rane's Scheme and its improved one is ( $(2 n + 2) l o g N + 2 n d + n + 1$ ) rounds of modular multiplication (modular operator $N^{2}$ ) and that of Lu's is ( $(6 n + 2) l o g N + (2 n + 2) d + n$ ) rounds; it means that the computational cost of Rane's Scheme and its improved one totally includes ( $n + 1$ ) times encryptions, n times modular exponentiations, n times modular multiplications, and once decryption; Luo's Scheme is not based on Paillier additive homomorphic encryption but rather on another form of encryption. The complexity of the computation can still be evaluated; it is ( $6 n l o g N + 2 n d + 2$ ) rounds of modular multiplication (modular operator $N^{2}$ ). Generally, the value of N is larger than the dimension n, so the complexity of the computation processes involved in the protocols outlined above is no less than $O (n^{3})$ .

(c) Type of Data. Rane's Scheme shows satisfactory performance with respect to the complexity of rounds of communication, but the types of data that it can process are limited to integer field. Huang's 2nd Scheme shows the same defect. The two proposed protocols have a broader range of computation because they can be implemented in real number domains.

(d) Degree of Privacy Protection. The TP of Huang's 1st Scheme holds all the information from both participants, so there is no privacy protection at all. Li's Scheme, which is based on oblivious transfer protocol and involves no TP, has a primary disadvantage that one participant may acquire all results of distance computation and deduce some private information of the other participant. In this case, if one participant can obtain all three distances from three different starting points to the same terminal point, the exact location of the other participant can be calculated. For example, as shown in Figure 1, if Node A holds $d_{11}$ , $d_{12}$ , and $d_{13}$ , which represent distances from points $T_{1}$ , $T_{2}$ , and $T_{3}$ to point $H_{1}$ , it can deduce the location of Node B, $H_{1}$ , correctly.

Figure 1

Deduction of location.

Both the TPEDP and REDP use a result-sharing mechanism in which two participants can determine the distance calculation results until publishing their respective random numbers (u and v). This prevents the privacy leakage that can be caused when one participant monopolizes the results. In Section 7.1, especially, it can be proven that the TPEDP protocol's degree of privacy is 1, that is, the perfect zero leakage.

7. Further Discussion

7.1. Privacy Measurement Problem of the TPEDP Protocol

Not all protocols can be carried out and used to measure privacy; only those that always satisfy linear dependence between their inputs and intermediate messages can be evaluated for the degree of privacy by using the methods recommended in Section 3.4. In this way, only the TPEDP protocol meets the requirements outlined in this paper. In the TPDEP protocol, the impact of TP can be completely ignored, because it only distributed some initial values but did not receive any valid information from either of the two participants.

During the running of the TPDEP protocol, all messages received by Node A can be denoted by ${m s g}_{T} = {s, p, Q_{1}}$ , which includes the following:

\begin{array}{l} Q_{1} = Q^{T} + R b, \\ p = (R a - R b) * {(R a - R b)}^{T} - q \\ = R a * R a^{T} - 2 R a * R b^{T} + R b * R b^{T} - q, \\ s = (P_{1} + Q_{1}) * {(P_{1} + Q_{1})}^{T} + 2 R b * Q^{T} - 2 R b \\ * P_{1}^{T} - q + v \\ = P_{1} * P_{1}^{T} + P_{1} * Q_{1}^{T} + Q_{1} * P_{1}^{T} + Q_{1} * Q_{1}^{T} \\ + 2 R b * Q^{T} - 2 R b * P_{1}^{T} - q + v \\ = P_{1} * P_{1}^{T} - 2 P_{1} * Q^{T} + R b * R b^{T} + Q * Q^{T} - q + v . \end{array}

(27)

The expressions of p and s can be altered as follows:

\begin{matrix} p = - 2 R a * R b^{T} + R b * R b^{T} - q, \\ s = - 2 P_{1} * Q^{T} + R b * R b^{T} + Q * Q^{T} - q + v . \end{matrix}

(28)

These values are related to Node B's inputs, Q and

R b

. For the convenience of measurement of privacy, the expressions of all three elements can be changed as follows:

\begin{array}{l} Q_{1} = I_{n} * Q^{T} + I_{n} * R b^{T} + 0 * (R b * R b^{T}) \\ + 0 * (Q * Q^{T}) + 0 * q + 0 * v, \\ p = 0_{1 * n} * Q^{T} - 2 R a * R b^{T} + R b * R b^{T} \\ + 0 * (Q * Q^{T}) + 0 * q + 0 * v, \\ s_{1} = - 2 P_{1} * Q^{T} + 0_{1 * n} * R b^{T} + R b * R b^{T} \\ + Q * Q^{T} - q + v . \end{array}

(29)

Here, it is supposed that

\begin{matrix} A_{1} = (\begin{pmatrix} I_{n} & I_{n} & 0 & 0 & 0 & 0 \\ 0_{1 * n} & - 2 R a & 1 & 0 & - 1 & 0 \\ - 2 P_{1} & 0_{1 * n} & 1 & 1 & - 1 & 1 \end{pmatrix}), \\ Z_{1} = (\begin{pmatrix} Q^{T} \\ R b \\ R b * R b^{T} \\ Q * Q^{T} \\ q \\ v \end{pmatrix}), C_{1} = (\begin{pmatrix} Q_{1}^{T} \\ p \\ s \end{pmatrix}) . \end{matrix}

(30)

This satisfies

A_{1} * Z_{1} = C_{1}

(

I_{n}

represents identity matrix).

C_{1}

is equivalent to

{m s g}_{T} = \{s, p, Q_{1}\}

and

r a n k (A_{1})

n + 2

. If any participant obtains Q and

{m s g}_{T}

, he would easily calculate

R b

R b * R b^{T}

, q,

Q * Q^{T}

, and v. According to the definitions given in Section 3.4, it can be concluded that

H (R b | Q, {m s g}_{T}) = H (R b * R b^{T} | Q, {m s g}_{T}) = H (q | Q, {m s g}_{T}) = H (Q * Q^{T}∣ Q, {m s g}_{T})

H (v | Q, {m s g}_{T})

= 0 and

H (Q | {m s g}_{T})

H (Q, R b, R b * R b^{T}, Q * Q^{T}, q, v | {m s g}_{T})

. According to Theorem 1, it can finally be deduced that

H (Q | {m s g}_{T}) = n l o g p

Next, the degree of privacy is examined from Node B's perspective. All messages received by Node B can be denoted with ${m s g}_{H} = {q, P_{1}}$ , where the following are true:

\begin{array}{l} P_{1} = I_{n} * P + I_{n} * R a, \\ q = (R a - R b) * {(R a - R b)}^{T} - p \\ = R a * R a^{T} - 2 R b * R a^{T} + R b * R b^{T} - p . \end{array}

(31)

The expressions of q and $P_{1}$ can be altered into

\begin{matrix} P_{1} = I_{n} * P + I_{n} * R a + 0 * R a * R a^{T} - 0 * p, \\ q = 0_{1 * n} * P - 2 R b * R a^{T} + R a * R a^{T} - p . \end{matrix}

(32)

Here it is assumed that

\begin{matrix} A_{2} = (\begin{pmatrix} I_{n} & I_{n} & 0 & 0 \\ 0_{1 * n} & - 2 R b & 1 & - 1 \end{pmatrix}), \\ Z_{2} = (\begin{pmatrix} P \\ R a^{T} \\ R a * R a^{T} \\ p \end{pmatrix}), C_{2} = (\begin{pmatrix} P_{1} \\ q \end{pmatrix}) . \end{matrix}

(33)

This satisfies

A_{2} * Z_{2} = C_{2}

(

I_{n}

represents identity matrix).

R a n k (A_{2})

can be shown to be

n + 1

and

C_{2}

can be shown to be

{m s g}_{H}

. P and

{m s g}_{H}

allow

R a

R a * R a^{T}

, and p to be determined. In this way, it is obvious that

H (R a | P, {m s g}_{H}) = H (R a * R a^{T} | P, {m s g}_{H}) = H (p | P, {m s g}_{H}) = 0

H (P | {m s g}_{H})

H (P, R a, R a * R a^{T}

p | {m s g}_{H})

, and

H (P | {m s g}_{H}) = ((2 n + 1) - (n + 1)) l o g p = n l o g p

in terms of Theorem 1.

Based on the information given above, the following conclusions can be drawn.

Theorem 4.

The result of privacy measure for the TPEDP is $m i n (H (P | {m s g}_{H}) / H (P)$ , $H (Q | {m s g}_{T}) / H (Q | {m s g}_{T})) = 1$ , which implies perfect zero leakage.

7.2. The Repeated Calculation Problem of the REDP Protocol

Repeated calculation problem is worth emphasizing. It merits attention from both of the participants in the REDP protocol. An erroneous choice of participants may lead to a serious reduction in privacy. If Node A and Node B meet again after they have executed the REDP protocol at least once, then, during the new execution, the REDP protocol requires fresh initial vectors and random numbers distinguished from those used in the last calculation. A specific example can be cited and used to illustrate this issue, but discussions are not limited to this example.

Node A and Node B, who held initial vectors P and Q , respectively, have completed the REDP protocol once. To run the REDP again, Node B here reselects the initial vector R substituted for Q , but Node A insists on keeping the original vector P and updates the random sequence $r a_{i}$ ( $i = 0,1, 2, \dots, n$ ) and random numbers w and e to construct new $P_{1}$ , $P_{2}$ , and λ values. This indicates that Node B may encounter a group of $2 n$ nonlinear polynomial equations when it receives those renewed data from Node A. If the new equations in the group are linearly independent from those obtained by Node B in the last execution (Node A held P and Node B held Q ), then Node B can obtain a group of $4 n$ nonlinear polynomial equations and $2 n + 3 + n + 3 = 3 n + 6$ unknown quantities. If Node A selects $r a_{0} = 1$ , $e = 1$ in the new interaction (though this case is almost impossible), the $4 n$ nonlinear polynomial equations will degenerate into a group of nonhomogeneous linear equations with $3 n + 6$ unknown quantities. In this case, if $n < 6$ (i.e., $4 n < 3 n + 6$ ), then Node B cannot learn the value of P because of prohibitively high number of solutions. If $n \geq 6$ (i.e., $4 n \geq 3 n + 6$ ) and the number of unknown quantities is less than the number of equations, then Node B will break P and the location information of Node A is revealed. In this way, if Node A persists in using its original vector, it will be unable to update random sequences and random numbers (such as $r a_{i}$ , w, and e) in another running of this protocol. Otherwise, Node B will collect more equations regarding this original vector of Node A, which will increase the risk of loss of privacy. However, in this case, Node A can change the random value of u to produce the corresponding alteration of the results $f_{a}$ and $f_{b}$ .

For this reason, extra limitations must be added to the REDP protocol when it is encoded into the wireless communication devices. This can prevent some extreme situations such as selecting $r a_{0} = 1$ , $e = 1$ in Node A's computation round. Certainly, a better provision for the REDP protocol is that each participant should try to choose inputs different from those in previous executions to prevent hidden danger unless the location information of the participant has not changed. (This case has a negligible probability for moving entities.) In this way, Node A must only renew the values of u or v.

7.3. Availability in Wireless Sensor Networks

It is necessary to verify the availability of TPEDP and REDP in wireless sensor networks. We design such simulation experiments related to distance to observe the changes of network lifetime and energy consumption in the following three scenarios: the first is calculating the distance between Nodes A and B which use the REDP protocol; the second aids TPEDP to achieve the distance calculation (the current cluster-header is “TP”); and the third is based on ECC (elliptic curves cryptography), which is considered as the most lightweight public key method in WSNs, to realize the computation through encryptions, decryptions, and the reliable third party (the base station). To achieve the data-level privacy protection, in the third scenario, Nodes A and B must encrypt their locations separately using the public key of the base station, and the base station decrypts them and calculates the distance between Nodes A and B, and then the base station must encrypt the distance value by their respective public keys and send it to A and B. Finally, Nodes A and B decrypt it and obtain the result. If A and B cannot communicate with the base station within one hop, this method will cause heavy network loads.

In order to ensure the validity of comparisons, we make some assumptions aimed at the three scenarios. Shown in Figure 2, any two nodes who want to calculate the distance between them in the network can form a group; once a node joins one group it will not be able to join other groups, except the death of the other node in the same group, it will find a new single node with the same situation again to form a new group. In our simulation experiments, nodes would prefer to search the closest neighbor to form a group. All groups repeatedly calculate the distance between two members, until the network life cycle is ended. The base station, especially, does not participate in any group and all packets are in the same size which can be divided exactly by 16. Leach protocol will be used as the clustering and routing protocol in order to ensure path accessibility. If one current cluster-header is dead, it will reselect the new header in terms of Leach protocol. In TPEDP protocol, the same cluster-header can act as the TP for several groups of nodes. Detailed simulation parameters can be shown in Table 2.

Table 2

Simulation parameters setting.

Parameters	The setting value
Network range	400 * 400 m²
Distribution of sensor nodes	Uniform distribution with the number from 100 to 400 nodes, and the base station is in the center
Clustering and routing protocol	Leach
The number of dimensions of location information	$n = 3$ , $n = 8$
Original energy of node	20 J (infinite energy for the base station)
Energy consumption when sending a packet (at most d = 128 bits)	0.35 J
Energy consumption when receiving a packet (at most d = 128 bits)	0.15 J
Energy consumption when processing one bit (at most d = 128 bits)	0.0005 J
Energy consumption when encrypting or decrypting one bit with ECC (at most d = 128 bits)	0.0005 J
Energy consumption when processing a modular multiplication (modular operator $N^{2}$ ) (at most d = 128 bits)	0.001 J
Communication radius of node	50 m
Modular operator $N^{2}$	$N = 79$ , $N^{2} = 6241$

Figure 2

Three simulation scenarios.

We set two cases “ $n = 3$ , $d = 64$ bits” and “ $n = 8$ , $d = 96$ bits” to reflect the trend of network lifetime, based on the comparisons of REDP, TPEDP, and ECC, seen in Figures 3(a) and 3(b), respectively. We can watch that, with the increase of sensor nodes, the network lifetimes of three scenarios (or protocols?) appear to decline (or downtrend?) after a little growth in the initial stage. There exit different reasons of these phenomena for REDP, TPEDP, and ECC. There still exit some active sensor nodes in REDP (or TPEDP) because they cannot find another neighbor (or a suitable TP) in their communication ranges when the number of nodes is 100; however the lifecycle is terminated. With the increase of sensor nodes, the above symptoms will be relieved; for instance, the number of nodes is 150 or 200. With the further raise of the number of nodes (350 or 400), more and more new groups emerge while some previous groups are still running, which causes more communication costs, so the lifetime is shortened. Owing to direct or multihop communication to the base station for each node in the network, the secure distance calculation based on ECC would lead to more energy consumption, compared with REDP and TPEDP. Similarly, 100 nodes are uniformly distributed in 400 ∗ 400 field, however some active nodes have never been able to establish the paths to the base station before their lifecycles end. The suitable enhancement of sensor nodes would create more paths to the base station, which can prolong the network lifetime. However, when the number of nodes is 250 or more, many nodes will play the role of relay to achieve more paths, which causes the decline of lifecycle because of more energy consumption. It is worthy to notice that parameters n and d make have influence on the lifetime of REDP and TPEDP, which in Figure 3(b) is less than Figure 3(a), and the larger the n and d, the more the computation cost of the two protocols. However, the increase of the values of n and d cannot affect the decline of ECC too much, even if it also brings more computational overhead. Compared with TPEDP, REDP causes more energy consumption because of the requirements for more communication rounds and the cost of reselection of new cluster-headers for TP.

Figure 3

Comparisons of network lifetime among REDP, TPEDP, and ECC.

7.4. Extended Multiparty Computation

The flexibility characteristics of the TPEDP and REDP protocols make them conveniently transform from two-party distance computation to multi-party distance computation. We suppose that there are totally m nodes in WSNs, and they can be denoted by $U_{1}, U_{2}, \dots, U_{m}$ and hold their secret inputs $P_{1}, P_{2}, \dots, P_{m}$ , respectively, where $P_{1} = \{p_{11}, p_{12}, \dots, p_{1 n}\}, \dots, P_{m} = {p_{m 1}, p_{m 2}, \dots, p_{m n}}$ are all n-dimensional vectors. In a security multiparty distance protocol, any one of the nodes $U_{i}$ ( $i = 1,2, \dots, m$ ) expects that it can achieve the correct distance value with any other node $U_{j}$ ( $j = 1,2, \dots, m$ & $i \neq j$ ) without release of its secret; however $U_{i}$ cannot obtain any privacy from $U_{j}$ . So the output phase can be described as follows: $f (U_{i}, U_{j})$ is the final result that denotes Euclidean distance ${|U_{i} U_{j}|}^{2}$ , $U_{i}$ grasps $f_{U_{i}}$ , and $U_{j}$ keeps $f_{U_{j}}$ . Equation (4) shows the relationship among those symbols:

\begin{matrix} f_{U_{i}} = f (U_{i}, U_{j}) + f_{U_{j}} . \end{matrix}

(34)

At last,

U_{i}

declares

f_{U_{i}}

and

U_{j}

reveals

f_{U_{j}}

, and they share the resulting

f (U_{i}, U_{j})

according to (34).

The details of calculation are determined by the specific protocol. If $U_{1}, U_{2}, \dots, U_{m}$ select their respective random number denoted by $θ_{1}, θ_{2}, \dots, θ_{m}$ in the calculation procedure, $θ_{i} = {|U_{i} U_{j}|}^{2} + θ_{j}$ can be used to represent the final result that keeps the same form of (34). For example, another participant (holds vector R and random number r) other than Node A and Node B can easily enjoy the implement of the two proposed protocols, which need to be upgraded simply, and the results would be shared by the form of $u = {|P Q|}^{2} + v$ , $u = {|P R|}^{2} + r$ and $v = {|Q R|}^{2} + r$ .

8. Conclusions

Wireless sensor networks make communication and computation between humans and other things become a research hotspot. Two novel secure two-party protocols for distance computation are presented in this paper, designed to address the scenarios of privacy-preservation of location information in an encounter between Node A and Node B. The first proposed protocol, the TPEDP, involves a semihonest TP that protects the location of all participants from a passive attacker inside or outside the network. The problem of nonexistence of a suitable TP in wireless sensor networks was considered. The second protocol lacks a third party. The REDP, which benefits from randomization method, can be used to acquire the correct results of distance between two nodes securely. Compared to the similar protocols, the two proposals, TPEDP and REDP, performed more satisfactorily on the efficiency including rounds of communication, computation, and data type.

However, the assumption of the semihonest model is only suitable for certain scenarios, those that can resist only passive attacks. Some protocols secure against the malicious adversary model have been proposed especially for privacy-preserving data applications [20, 25]. However, these techniques are expensive in both communication and computation costs. In the future, the design of efficient protocols that can resist active or malicious attacks may remain challenging.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to thank the anonymous reviewers of this paper for their objective comments and helpful suggestions while at the same time helping the authors to improve the English spelling and grammar throughout the manuscript. This research was supported by National Natural Science Foundation of China under Grant nos. 61373138, 61170065, 61202355, 61201163, 61272422, and 61300240, Scientific and Technological Support Project (Industry) of Jiangsu Province under Grant no. BE2012183, Natural Science Key Fund for Colleges and Universities in Jiangsu Province under Grant no. 12KJA520002, Postdoctoral Foundation under Grant no. 2013T60536, and Science and Technology Innovation Fund for Higher Education Institutions of Jiangsu Province under Grant no. CXLX13_467. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the paper.

References

Weber

R. H.

Internet of things—new security and privacy challenges

Computer Law & Security Review 2010 26 1 23 30

10.1016/j.clsr.2009.11.008

2-s2.0-74949143896

Huang

Feng

Wang

Qin

An exact top-k query algorithm with privacy protection in wireless sensor networks

International Journal of Distributed Sensor Networks 2014 2014 10

749049

10.1155/2014/749049

Yao

A. C.-C.

How to generate and exchange secrets

Proceedings of the 27th Annual Symposium on Foundations of Computer Science

October 1986

Toronto, Canada

162 167

2-s2.0-0022882770

10.1109/SFCS.1986.25

Rane

S. D.

Sun

Vetro

Secure distortion computation among untrusting parties using homomorphic encryption

Proceedings of the IEEE International Conference on Image Processing (ICIP ′09)

November 2009

Cairo, Egypt

1485 1488

10.1109/ICIP.2009.5414544

2-s2.0-77951953963

Rane

Sun

Vetro

Privacy-preserving approximation of L1 distance for multimedia applications

Proceedings of the IEEE International Conference on Multimedia and Expo (ICME ′10)

July 2010

Singapore

492 497

10.1109/ICME.2010.5583030

2-s2.0-78349236191

Luo

Huang

Chen

Shen

Privacy-preserving distance measurement and its applications

Chinese Journal of Electronics 2006 15 2 237 241

2-s2.0-33646505576

Lin

Shen

SPOC: a secure and privacy-preserving opportunistic computing framework for mobile-healthcare emergency

IEEE Transactions on Parallel and Distributed Systems 2013 24 3 614 624

10.1109/TPDS.2012.146

2-s2.0-84873848479

Huang

Zhong

Yan

Sun

Two protocols for no-information leaked closest-pair of points

Computer Engineering and Applications 2010 46 34 80 81

10.3778/j.issn.1002-8331.2010.34.025

S.-D.

Dai

Y.-Q.

Secure two-party computational geometry

Journal of Computer Science and Technology 2005 20 2 258 263

10.1007/s11390-005-0258-z

MR2132203

2-s2.0-18244384471

10.

Tzeng

W.-G.

Efficient 1-out-n oblivious transfer schemes

Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems (PKC ′02)

2002

Paris, France

159 171

10.1007/3-540-45664-3_11

11.

Rabin

How to exchange secrets by oblivious transfer

1981 TR-81

Harvard Aiken Computation Laboratory

http://userpages.umbc.edu/~bhushan1/Day-1.pdf

12.

Ashouri-Talouki

Baraani-Dastjerdi

Selçuk

A. A.

GLP: a cryptographic approach for group location privacy

Computer Communications 2012 35 12 1527 1533

10.1016/j.comcom.2012.04.019

2-s2.0-84862752812

13.

Yang

Y.-G.

Xia

Jia

Zhang

Comment on quantum private comparison protocols with a semi-honest third party

Quantum Information Processing 2013 12 2 877 885

10.1007/s11128-012-0433-4

MR3028273

2-s2.0-84878612249

14.

Nergiz

M. E.

Çiçek

Pedersen

Saygin

A look-ahead approach to secure multiparty protocols

IEEE Transactions on Knowledge and Data Engineering 2012 24 7 1170 1185

10.1109/TKDE.2011.44

2-s2.0-84861732485

15.

Liu

Zhou

Zhao

Secure location verification using hop-distance relationship in wireless sensor networks

Proceedings of the 2nd IEEE Asia-Pacific Service Computing Conference

December 2007

Tsukuba, Japan

62 68

10.1109/APSCC.2007.24

16.

Xiao

Huang

Wang

Pei

Privacy preserving hop-distance computation in wireless sensor networks

Chinese Journal of Electronics 2010 19 1 191 194

2-s2.0-77149174773

17.

Conti

Willemsen

Crispo

Providing source location privacy in wireless sensor networks: a survey

IEEE Communications Surveys and Tutorials 2013 15 3 1238 1280

10.1109/SURV.2013.011413.00118

2-s2.0-84881316459

18.

Jian

Chen

Zhang

Protecting receiver-location privacy in wireless sensor networks

Proceedings of the 26th IEEE International Conference on Computer Communications

May 2007

Anchorage, Alaska, USA

IEEE Computer Society

1955 1963

10.1109/INFCOM.2007.227

2-s2.0-34548310311

19.

Lee

C.-C.

Hsu

C.-W.

Lai

Y.-M.

Vasilakos

An enhanced mobile-healthcare emergency system based on extended chaotic maps

Journal of Medical Systems 2013 37 5, article 9973

10.1007/s10916-013-9973-0

2-s2.0-84883484959

20.

Lindell

Pinkas

Secure two-party computation via cut-and-choose oblivious transfer

Journal of Cryptology 2012 25 4 680 722

10.1007/s00145-011-9107-0

MR2981779

2-s2.0-84869506354

21.

Hazay

Lindell

Efficient Secure Two-Party Protocols: Techniques and Constructions 2010

New York, NY, USA

Springer

http://u.cs.biu.ac.il/~lindell/IntroductionEfficient2PC.pdf

22.

Huang

Evans

Katz

Malka

Faster secure two-party computation using garbled circuits

Proceedings of the USENIX Security Symposium

2011

San Francisco, Calif, USA

35 http://www.cs.umd.edu/~jkatz/papers/usenix2011.pdf

23.

Chiang

Y.-T.

Wang

D.-W.

Liau

C.-J.

Hsu

Secrecy of two-party secure computation

Proceedings of the 19th Annual IFIP WG 1 1.3 Working Conference on Data and Applications Security

2005

Storrs, Conn, USA

114 123

10.1007/11535706_9

24.

Shen

C.-H.

Zhan

Wang

D.-W.

Hsu

T.-S.

Liau

C.-J.

Information-theoretically secure number-product protocol

Proceedings of the 6th International Conference on Machine Learning and Cybernetics (ICMLC ′07)

August 2007

Corvallis, Ore, USA

3006 3011

10.1109/ICMLC.2007.4370663

2-s2.0-38049046146

25.

Nielsen

J. B.

Nordholt

P. S.

Orlandi

Burra

S. S.

A new approach to practical active-secure two-party computation

Proceedings of the 32nd Annual Cryptology Conference

2012

Santa Barbara, Calif, USA

681 700

10.1007/978-3-642-32009-5_40