Discount Anonymous On Demand Routing forMobile Ad hoc Networks

Liu Yang Markus Jakobsson Susanne WetzelSoftware Engineering College School of Informatics Department of Computer Science

Sichuan University Indiana University Bloomington Stevens Institute of TechnologyChengdu, 610065, China Bloomington IN 47408, USA Hoboken NJ 07030, USA

Email: yangliutwwWgmail.com Email: markus@indiana.edu Email: swetzel@cs.stevens.edu

Abstract-Recent years have seen a large number of proposals affect personal security and mobility. Most recently, we havefor anonymity mechanisms operating on the application layer. seen a remarkable upswing of privacy intrusions driven byGiven that anonymity is no stronger than its weakest link, attempts to perform identity theft. It is evident that locationsuch proposals are only meaningful if one can offer anonymity information may be used to better target victims of suchguarantees on the communication layer as well. ANODR -

or ANonymous On Demand Routing - is one of the leading attacks, as well as attacks in the entire spectrum mentionedproposals to deal with this issue. In this paper, we propose a above. To limit the success of such attacks - without havingnovel technique to address the same problem, but at a lower to re-engineer our entire communication infrastructure - itcost. Our proposal, which we dub Discount-ANODR, is buit is important to develop techniques that implement sufficientaround the same set of techniques as ANODR is. Our proposal isim prtantt deveop tehnique stattimlementesu fhas the benefit of achieving substantially lower computation and levelsof privac, thoutanding substantialschanes ofcommunication complexities at the cost of a slight reduction the network orthe computationalrequirements associatedwithof privacy guarantees. In particular, Discount-ANODR achieves performing routing.source anonymity and routing privacy. A route is "blindly gener- The motivation for this paper is to design a lightweightated" by the intermediaries on the path between an anonymoussource and an identified destination. Route requests in Discount- prceserving and routing pr otocol touaceANODR bear strong similarities to route requests in existing source anonymity and routing privacy. We define sourcesource routing protocols, with the limitation that intermediaries anonymity as a property guaranteeing that an adversary canonly know the destination of the request and the identity of not find evidence that a node is the originator of an observedthe previous intermediary - but not whether the latter was the message or route request. Our definition of routing privacyoriginator of the request. The response to a route request protects * *

a* -

the compiled route by means of iterated symmetric encryption, crpondsro an proerty wohdn tintitie of node ondrawing on how messages are prepared before being submitted a path, from an adversary who may control one or more ofto a typical synchronous mix network (or onion router). The these intermediaries.communication of data subsequently uses such "route onions" to Our approach is based on reactive source routing, where achannel the packet to the intended destination. We do not use route is obtained only when there is a demand to send a mes-any key exchange, nor do we utilize public key operations at anytime; consequently, we do not need to rely on any PKI, CRL or sage Reactive routing Is belleved to have less overhead thanrelated constructions. proactive routing, where all routes are maintained periodically.

Our solution is very efficient in that the most computationallyintensive operation in use is symmetric encryption, no key

Mobile Ad hoc NETworks (MANETs) are being used in exchange is used, and no public key operations are needed. Fora large array of settings in which there is no "hardwired" an ordinary application with eight hops, our solution increasesnetwork infrastructure. Commonly cited uses include military the overall time by less than 0.2 ms(compared to DSR [13]),applications, emergency rescue and disaster relief, however which approximately corresponds to a 3.5300 increase. WhenMANETs are also believed to have future uses within vehicular using our approach to send messages, on a path of eight hops,networking, manufacturing, and various types of surveillance the ratio of control bytes to packet size is approximately 7.3%,and monitoring applications. While the last few years have slightly higher than the value of 3.91% by DSR. Our solutionwitnessed substantial efforts to provide efficient [17], [10] and is also easy to integrate into an existing system with littlesecure [9], [11], [8], [12] communication in ad hoc networks, modification and low overhead.much less emphasis has been placed on privacy issues.

Privacy (and the lack thereof) is one of society's most A Our cntributinnotable vulnerabilities. The attacks arising from insufficientprivacy - whether of actions, identities or locations - can Our main contribution is to design a lightweight, privacy-be of economic nature (whether for identity theft or targeted preserving routing protocol using only symmetric key opera-advertising); may relate to national security (by ways of tions. As such, this protocol is particularly well-suited for adattacks on the infrastructure and key individuals); and can hoc networks with battery-constrained nodes.

1-4244-0423-1/106/$20.00 ©2006 IEEE

In our protocol, when a node wants to learn a path to a that the routing path and length in Crowds is dynamic, notdestination, it locally broadcasts a route request, which will like the static or preset paths in mix-based solutions.be propagated to the destination node over one or more hops. Kong and Hong proposed an solution, named ANODR,Once the destination node receives the request, it responds for anonymous on demand routing in mobile ad hoc net-with a route reply to the node it received the request from. works [15]. Our approach bears some similarity to the onionAn intermediary receiving a reply first appends its identity. construction of ANODR, but is different in the followingThen it chooses a symmetric secret key to re-encrypt the ways. First, ANODR uses public cryptography to exchangemessage. The result is sent to the next intermediary on the way the pseudonym for each hop en route, but our approach onlyto the initiator of the request. Finally, the initiator obtains a employs symmetric building block. Second, each route discov-route reply encrypted layer-by-layer, like an onion, by all the ery in ANODR causes a global onion-construction floodingintermediaries on the route. The discovered route is stored in (all directions) in the networks, and each node receiving thethe route cache. When a source intends to send a message to a route request tries to open a trap-door function by performingdestination, it selects the corresponding onion from the route a symmetric decryption and a comparison operation. If acache, appends it to the payload, and forwards the assembled node is not the destination, it will add another layer to thepacket to the next hop according to the information in the received onion by performing a symmetric encryption, androute cache. An intermediary learns the next hop by peeling then broadcast the updated onion. In our approach, onions areoff its layer of the onion using its secret key. It is important constructed in only one direction - on the return route. Third,to note that our protocol does not require any key exchange. the trap-door design in ANODR requires a key distributionIn fact, a node can choose its secret key arbitrarily. process, and each sender must know the trap-door key of the

recipient in order to start a route request. Our approach doesB. Outline not require any key distribution. Finally, a potential drawbackWe begin by describing our work in general and covering ofANODR is lack ofterminating condition, i.e., large amount

some related work in Section II. We then detail our com- of requests will be propagated in the network for a long time.munication model and adversary model in Section III. In Traditional routing protocols solve this problem by setting aSection IV, we describe the protocols for route discovery, maximum propagating limit to each request [13]. However,message sending, and route maintenance. Privacy properties a hop counter tells the adversary how far he is away fromand the cost of the protocol are analyzed in Section V and VI. the originator. Hence it does not work in a protocol aimingFinally, we conclude in Section VII. at privacy preserving. We address the problem of surviving

onions in a simple and practical way in this paper.II. RELATED WORK While ANODR achieves good privacy by providing sender

Privacy-related communication has applications on the In- anonymity, recipient anonymity, and unlinkability, it has aternet [6], [7], [19], [18], [21], ad hoc networks [15], hybrid much higher overhead in computation, communication, andnetworks [3], and sensor networks [14]. Some solutions focus storage than our approach due to the above operations. Inon sender anonymity [4], [5], [6], [7], [19], [20], [21], other particular, for a route of eight hops, ANODR adds around 1.6schemes provide recipient anonymity [22] still others provide seconds over a conventional routing protocol for each routeboth [1], [15], [3]. discovery, while our approach only increases 0.17 millisecondChaum proposed a so-called mix to achieve source to perform such a route discovery. It is not clear whether

anonymity [4]. A mix accepts a number of messages from ANODR is applicable in cases of frequent communicationsdifferent sources, performs cryptographic transformations on (among users) and high mobility due to it takes a long time tothe messages, and forwards the messages to the next desti- find route. ANODR can be used in cases requiring high levelnation in a random order. Mixes make tracking a particular privacy, e.g., military and intelligence. Our approach is moremessage either in bit-pattern, size, or ordering with other efficient and provides acceptable privacy.messages difficult. Onion routing is an early and independent Capkun, Hubaux, and Jakobsson design an approach byimplementation of the notion of a mix network on the Internet changing node pseudonyms and cryptographic keys to achieveby Goldschlag, Reed, and Syverson [6], [7], [19]. In onion privacy in hybrid ad hoc networks [3]. They make each noderouting the initiator of a connection creates an onion, defining be able to sign a verifiable message, but no one can tell whothe path of the connection through the network. Each onion signed it except the central authority. The approach in [3]router along the path learns its successor and some other can not be applied to ad hoc network where there is noinformation by peeling off one layer of the onion with its central authority. Like other public-key oriented protocols,private key, and the data arrives at the destination in plaintext. their approach achieves privacy by adding a huge computationMix and onion routing are based on public cryptography. In burden and complexity to the network.order to build onions defining meaningful routes the onion Blaze, Ioannidis, and Keromytis et al, proposed WARproxy is required to know the network topology and public (Wireless Anonymous Routing) in [2]. WAR works in casescertificates of routing nodes. Crowds [20] is a web-oriented where all nodes are in direct communication range of eachanonymizing approach for synchronous communications. The other. It relies on public cryptography and has an expensivemain difference between Crowds and mix-based solutions is key distribution mechanism. Although periodically sending

symmetric keys is not time consuming, the receivers need to the network. All nodes are willing to cooperate in the networkdecrypt these keys with their private keys. Another problem operation. Nodes do not exchange local topology informationof WAR is there is no route discovery. A source selects with their neighbors who are within direct communicationintermediaries to a destination at random, and encapsulates range. A message is propagated from the source to thethe payload by an iterated encryption approach. It is hard to destination over one or more hops. Each node in the networkimagine that a randomly selected route will be a valid path has a unique identity, and it chooses an arbitrary secret keyto a destination, given that the source has no knowledge of which is not shared with any other node. The communicationthe topology of the network. Thus, a source channels message between two nodes is bidirectional, i.e., if node A can reachto a destination in a blindly-flooding way. Unlike WAR, our node B, then B can reach A.approach works in multi-hop situations and has a clear wayto perform route discovery. B. Adversary Model

Waters, Felten, and Sahai introduce the "incomparable" 1) Assumption: We let A be an adversary controlling onepublic keys to achieve receiver anonymity [22]. In their work, or more nodes in the network. We assume:a receiver is able to create many public keys corresponding . The nodes controlled by an adversary are not able toto one secret key. Since a receiver has many public keys, he monitor all nodes within the direct communication rangeis able to generate many identities. An adversary, given two of the source.public keys, is not able to tell whether they are equivalent, . A can be passive or active. A passive adversary obtainsi.e., corresponding to the same secret key. The incomparablepublic key approach can be used as a building block to achieve imationronl y'eesdroping, wes anacie onemay post route requests, inject messages, tamper with,receiver anonymity in wired or wireless routing. Unlike [22], or even drop received messages to gain information. Weour approach does not aim for receiver anonymity. assume an adversary has bounded eavesdropping ability.Our approach distinguishes itself from the other approaches In particular, A is able to eavesdrop on no more than a

by two features: it is based on symmetric cryptography; and fraction e of nodes en route.we do not use any key exchange, nor do we utilize public key We also distinguish compromised nodes by en route,operations at any time. close to a route, or far away from a route. Close refers

III. PROBLEM STATEMENT to a compromised node is within one hop from a given

An important feature of multi-hop ad hoc networks is route, and far away means that a compromised node ismore than one hop from a given route. A node en route

that nodes collaborate to realize communication. In particular, ore to a given routei A both te route

when a node wants to communicate with a destination not in . c

its direct communication range, it requires the assistance of request and the corresponding response to a certain route'~~ ~ ~~~o discovery. A node far away from a route can not hear the

one or more intermediaries to forward its message; or in other corresponding route response.words, it needs to learn a path to the destination. DSR [13]and AODV [16] are two well-known reactive routing protocols. 2) Goals of the adversary. There are two goals of anUnfortunately, they do not provide privacy protection for either adversary A. The first goal is to learn the identity of a messageroute discovery or communication. In both DSR and AODV, originator. The second goal is to infer identities of all nodesa route request identifies the source and destination and the along a route. If an adversary achieves both the first and thehop-count the request has traveled so far. A route request of second goals, he is naturally able to associate two nodes asDSR even records the sequence of nodes as it is propagated communication partners.to the destination. A route response of DSR includes all We say a protocol achieves source anonymity ifA is not ableintermediaries between the source and destination in plaintext. to find evidence that a node was the originator of a specifiedIn AODV, each entry in the route table contains the number message. Moreover, we say a protocol provides route secrecyof hops to different destinations. if A can not attain the second goal with a probability non-

There are a number of ways to compromise the privacy of negligibly higher than a random guess from a group of candi-DSR and AODV. For example, an adversary is able to learn the dates. Furthermore, we say a protocol provides pair-anonymityidentities of all intermediaries by just eavesdropping in DSR. if A can not link two nodes as communication partners fromLong time eavesdropping allows him to learn the topology of routing evidence. This feature follows automatically from thethe network. Eavesdropping also allows an adversary to learn first two properties.the topology of the network in AODV. 3) Possible attacks: An adversary may use several methods

- either passive or active - to achieve one or both of the goalsA. Communication Model described above.

We assume the network to be a mobile ad hoc network. . Thacing: an adversary tries to trace the route by control-Nodes in the network can either be devices with regular ling one or more compromised nodes close or en route.computation ability, like laptops, or lesser computation ability, . Timing attacks: an adversary tries to guess its distance tolike pocket PCs (PDAs), or devices with low computation and the source or destination by observing timings associatedstorage ability, like sensors. Nodes are distributed uniformly in with the repeated use of same onions.

* Onion recording: an adversary deduces the source or o-- Droute length by recording a lot of onions. n 5

* Tampering: a node manipulates messages to gain infor- 0mation. 0'

. Packet dropping or injecting: a node drops packets or 0 0inj ects packets to the network.

IV. SOLUTION

To simplify the description of our approach, we introduce 0O1some denotation: s

* rid: route request id;S D: source and destination; 0 /O_ 0

* EKi(),DKi :symmetric encryption and decryption withsecret key Ki;

* REQ:routerequestinformof(rid,S,D); 0 0 0 0 0 0 O0* REP: route reply in form of (ei,ni,rid), where ei

EKi(ei 1,ni 1), and ni 1 is the next hop to D. 0 0 0 Q o0A. Intuitive approach 0 0

We use an example to explain our main idea. Figure 1Iand 2 demonstrate the procedure of route discovery by a node route request propagation 0 o one-layer onion four-layer onion

S. First, S initiates a route discovery by assembling a route no encryption is needed node two-layeronion @ five-layeronionruerespone transmission, only.request REQ (rd,L incudingoe _symmetric___encryptionrQ(ri S, D) and broadcasts it locally. The uding one smtric encption i three-layer onion i six-layer onion

REQ is heard by n1, a neighbor of S. n, then helps topropagate the request by flipping a biased-coin. If the result of Fig. 1. An example of route discovery by our approachflipping is true, it replaces the S in REQ by its own identityn1 and broadcasts the request locally; otherwise it drops the (rid,S,D) rid,rni,D)(rid, n2, D)_(rid, n3, D) (rid,n4,D) rid<n5,Drequest. Other nodes deal with the received request in the S ) ((5 )(el, nl, rid) (C2, n2, rid) (e0, n3, rid) (C4, n4, rid) (C5, n5, rid) (CD, D, rid)same way. The request is transmitted several hops until it isheard by the destination D. D then assembles a route response Ei= I3e,4 ) es = EK(CD, D)REP = (eD, D, rid) (shown in Figure 2) and transmits the i=2,3,4,5 eD EKD(PD) PDeI,{O,1}kREP to n5, the sending neighbor of the corresponding route Fig. 2. The process of forming a privacy route from S to D by symmetricrequest. n5 encrypts the received (eD, D) by its secret key K5 encryption.and sends (e5, n5, rid) to n4, from which n5 received the routerequest with rid. The route response is encrypted layer bylayer by intermediaries n4, n3, n2 and n1 when traveling from containing entries of (Si, rid), where Si is a neighbor fromD to S. Each layer of the encryption contains an identity of the which ni received a request with rid. Li will be used laternext intermediary to D. Finally, S receives a path to D in form for route reply propagation. A destination constructs a routeof (el, in1, rid). It then adds an entry (D, e1, n1) to its route reply by encrypting a binary string PD with random lengthcache. Figure 1 shows the big picture of our approach, and between 0 to k bits, where k can be adjusted accordingFigure 2 shows the details of route discovery. For simplicity, to the network situation. The random length here makeswe omit two things in all further figures: the coin-flipping the size of the reply somehow unpredictable. Each nodeoperation, and a flag used to indicate whether a message is a maintains a route cache containing entries in the form ofroute request or response. (destiination, path, nexthop). A node calls Retr(D, cache)

to retrieve an entry from its route cache according to des-B. Route discovery tination parameter D. The result of the "call" can either be

The process of route discovery includes the following three null or in the form of (path, nexthop), where path is anstages: encrypted route. We note that the propagation of route requests

1) Request origination: A source S initiates a route request will continue for a long time if not controlled. DSR uses a hopto a destination D by selecting a rid and locally broadcasting counter (recording how many hops a request has traveled) toa route request REQ =(rid, , D). solve this problem. A route request will be dropped if its hop

2) Request resolution. The process of request resolution is counter is greater than some upper limit. Such an approach canshown in Figure 3. not be used here because a hop counter tells an observer howEach node maintains a PROCESSEDREQ to record the far he is from the request originator. To overcome this problem,

rids already processed in order to avoid repeated transmission we let each node flip a biased-coin (denoted by Flip(bcoiin))of the same requests. A node ini also maintains a list Li to determine whether to retransmit a request. For example, if

A node ni receives a control message (rid, Si, D) from Si. route requests it has issued. If it receives a REP with an ridIf rid E PROCESSEDREQ, then belonging to MYREQ, it knows this reply corresponds to a

% ignore repeats request it has issued and adds an entry (D, ei, ni) to its routehalt; cache. If a node nj receiving a reply is not the corresponding

else put (Si, rid) in list Li;If D (ni, then originator, it checks whether it is an intermediary by calling a

% recipient is destination function Retr(rid, Lj). Here Lj is a list containing entries ofrespond REP= (ei, ni, rid) to Si, halt; (Si, rid), Si is a neighbor from which nj received a requestwhere ei EKi (PD), and Ki is the secret chosen by ni. with rid. This approach allows the reply to reach to the request

else if Retr(D, cache) 74 null, then originator. If nj finds an Sj in Lj corresponding to the rid in%recipient knows the path REP, then it is an intermediary. nj then encrypts the (ei, ni)respond REP (ei, ni, rid) to Si, halt; with its secret and sends the assembled REP to Si.where ei EKi (path(D), nexthop),and (path(D), nexthop) Retr(D, cache)

else if Flip(bcoin) true A * D% retransmit by flipping biased-coin

locally broadcast (rid, ni, D), halt; REPelse|halt. RNEQ REQ = (rid, B. D)

REP = (eA, A, rid)

Fig. 3. Steps of route request resolution eA = EKAJ(el ni)CAC'HE of A

REQ ~~~~~~D,ei,nithe winning rate of the biased-coin is 9 then a request is10'expected to be retransmitted 5 hops on average before being -G(dropped. The winning rate of the flipping should be adjusted ----

according to the network situation such that route requestswilvsteeyndwihraoalprbbiy. Thsdeed Fig. 5. An example of using cache to speed up the route discoverywill visit every node with reasonable probability. This depends

on several factors, like the number of nodes, average hops Figure 5 is an example of using route cache to speed upbetween communication pairs, etc. Too high of a winning rate the route discovery process. Node B issues a route requestmay cause a traffic jam in the network, while too low of a REQ to D by doing a local broadcast. The request REQ isvalue will cause frequent failure of route discovery. heard by its neighbors A, E, F, and G. Node A retrieves itsWe note that whether a node is performing "request origina- cache by D and gets an entry (D, e1, inn). It then assembles

tion" or "request resolution" is indistinguishable to an observer a route response REP = (eA, A, rid) and sends back REP(whether a neighbor or an adversary) as long as the observer to B, where eA = EKA (el, n1). Hence B gets a route tois not able to monitor all neighbors of this node. The reason D. We note E, F, and G will help to retransmit the REQfor this is that a request only contains the identity of the further because they are not the destination, and also have nosending neighbor, which can either be an originator or be an entry to D in their cache. Later, another route response mayintermediary. be returned to B. This response can be used as a backup in

3) Response transmission. The steps of routing response case the first route is invalid.transmission are shown in Figure 4.

C. Sending a messageA node nj receives a REP = (ei, ni, rid). Suppose S wants to send a message M to D. It first checksif rid E PROCESSEDREp, then its route cache for an entry to D. If such a route is found, S

°/ ignore repeatshalt can transmit M according to this route. Otherwise, S will start

else if rid E MYREQ, then a route discovery to D and will get a route reply using the% nr is the initiator approach in Section IV-B. The process of sending a message% add an entry to route cache can be described by the following protocol.add (D, ei, nir) to route cache, halt; 1) Message origination:

else if Retr(rid, Lj) :4 null, then% nj is an intermediary * S obtains an entry (D, ei, ni) from its cache or by meansassemble REP = (ej, nj, rid) and send it to S, of route discovery.where Sj = Retr(rid, Lj), and ej = Ej (ei, ni) * S assembles P = (M, ei, rs) and transmits it to ni, the

otherwise next hop on the route to D. Here rs = EKS (PS) and% invalid REP P C_{O,l}

Here Ps is a 0-1 string chosen by S with a random lengthFig. 4. Steps of response transmission between 0-k bits, and rs is the most inner layer of the route

from the D to S. We note ei can be only used to routeEach node maintains a MYREQ to record the rids of messages from S to D due to its encryption order. Therefore,

(ack, rs) (ack, ri) (ack, r2) (ack, r3) (ack, r4) (ack, r5)another route needs to be built in case D wants to send a reply 0 - Cmessage to S. Such a route can be generated in the same way S ni n2 n3 n4 n5 Das ei except in an inverse encryption order, which starts from (rs, S) =DK (rl) (r2, n2)= DK3(r3) (r4, n4) =DK(rs5)S and ends up at D. Ps = DK (rS) (ri,ni) = DKI(r2) (r3,n3) = DK4(r4)

2) Message transmission: The steps of message transmis-sion are shown in Figure 6. Fig. 8. D sends back an acknowledgement to S via a privacy route after

receiving a message

A node nj receives a packet P = (M, ej, rj- ) from nj-nj computes (ej+ ,nj+1) = DK(ej) E. Responding to a messageif DKj(ej) c Gj(p)

% .i is the destination If the destination needs to send back a message to the

elseit

1 ianib source, it uses the same approach as that in sending backtransmit (M,eig1,rh ) tonjr1, where r= EKo(rr, ) an acknowledgement (Section IV-D). We note that when an

otherwise acknowledgement or a responding message is being sent back% invalid packet to the source S, the destination D and each intermediary arediscard P. unaware of the identities of the source and nodes other than

its predecessor and successor along the route.Fig. 6. Steps of message transmission

Node nj maintains a list Gj (p) to keep track of the route V. PRIVACY PROPERTIESreplies it resolved before. If the decrypted part of a route ej Our protocol has the benefit of achieving substantially lowercan be found in Gj(p), then nj is the destination of message computation and communication complexities at the cost of aM; otherwise it just helps re-transmit the message to the next slight reduction in privacy guarantees. In particular, Discount-hop indicated by the decrypted result. ANODR achieves source anonymity, routing privacy, and and

Figure 7 is an example of sending a message, where the pair-anonymity. We show that route privacy is well preservedmessage M, originated from S, travels through node nl, n2, if less than half of nodes en route or close to a route aren3, n4, and n5 to arrive at the destination D. We see that compromised. Intermediaries only know the destination of thea return route r5 has been established by the intermediaries request and the identity of the previous intermediary, but not ifwhen M arrives at D. This returning route is used to send the latter was the originator of the request. To some extent, ourback an acknowledgement or a message to the originator when protocol also protects the locations of nodes in the networknecessary. when protecting their identities. In the following statements,

(M, i r (M, e2 ri) (M, C3, r2) (M, C4, r3) (M, C5r4 (M, eD, we analyze our protocol by considering possible attacks andcomparing its privacy features and overhead to other protocols.

S ni n2 n3 n4 n5 D

rs = EKS (PS) r2 = EK2 (ri, n1) r4 EK4 (r3, n3) A. Preventing Attacksri = EK1 (rs,S) r3 = EK3 (r2, n2) r5 EK5 (r4, n4)

1) Tracing: To our knowledge, message tracing is the mostFig. 7. S sends a message to D via a privacy route powerful of all attacks. It is possible for an adversary to trace

a route by controlling several compromised nodes en route orThe construction of a return path ri occurs during the first close to a route. If two nodes are observed transmitting the

message from S to D after the route discovery. Once D same message, they are two hops along a certain route. Thelearns the return path, it is unnecessary to perform such a adversary is able to learn all intermediaries if he can controlconstruction during the succeeding communication. This will enough number of nodes en route or close to a route. We note

reduce theovrhadofcotrlas long as a compromised node is close to a certain route, itD. Route maintenance does not matter whether it is an intermediary because it is ableWe use an end-to-end scheme to maintain the route. After to eavesdrop on passing messages.

receiving a message from a source, D assembles an acknowl- If all nodes along a route are disclosed by the adversary,edgement ack and appends the return route ri, then it sends we say the route is fully traced; otherwise the route is said toback the acknowledgement to the hop from which it received be partially traced, or un-traced (no node en route is traced).the original message. The ack will be propagated back to the Here we define a metric - trace ratio - as the fraction of hopssource, where each intermediary removes a layer of the return being traced en route.route by decrypting the route with its secret key. Figure 8shows an example, where D responds with an ack to S via R Li1C (1)route r5 after receiving a message. If the source does notLreceive an ack in a certain time interval, it assumes a route where 1 denotes the number of compromised segments of aerror occurred. It may choose another route or start a new certain route, ci is the length (number of hops) of the ithroute discovery to the destination, compromised segment, and L is the length of a route.

o~~~~~~~~~~~~KooKJc(S n1 n2 n3 n4 n5 n16 n7 D

Fig. 9. A route with eight hops 0

0.8V

We demonstrate the trace ratio of our protocol by investi- 0.6gating a route with 8 hops (Figure 9) and consider three cases. 0,

0.4,1) Consecutive colluding: nodes compromised by A are

consecutive en route or close to a route. For example, if 0.2 ,node n2 is compromised, then A learns two hops (n1 to ,

n2, and n2 to n3), the trace ratio is computed as 8 1.8 4' _J__

similarly, if n2 and n3 are compromised, the trace ratio 0 1 2 3 4 5 6 73 Number of compromised nodes

is 8. Figure 10(a) shows the trace ratio correspondingto different numbers of consecutive compromised nodes (a) Consecutive compromisingen route or close to a route. In this case, A needs tocompromise at least 7 consecutive nodes to trace thewhole route. However, even with that information, A 1can not identify the source with certainty.

2) Two hops distance: the distance between nodes com- 0.80,

promised by A is two hops. For example, if n, andn3 are compromised, then A learns four hops en route, 0.6

.4 1and the trace ratio is 8=. Figure 10(b) showsthe trace ratio corresponding to different numbers ofcompromised nodes with two hops from one to another. 0.4To trace the whole route, A needs to compromise atleast 4 nodes. 0.2 ,

3) Three hops distance: the distance between compro-mised nodes is three hops. For example, if n, and n4are compromised, then A learns four hops en route, and 1 Numberofcomromisednode 3 4the trace ratio is - 1 This is the same as case 2.8 2

The above analysis and the results in Figure 10 show that (b) Non-consecutive compromisingthe lower bound for A to fully trace a route requires A tocompromise the number of nodes en route or close to a Fig. 10. Trace ratio corresponding to different types of colludingroute. In other words, if less than e = of nodes en route or

2close to a route are compromised, the adversary is not able tofully trace the route. with an onion during message transmission will cause the

2) Other attacks: Finally we discuss counter-measures to next intermediary to not be able to decrypt the onion,other attacks described in section III-B. and therefore drop the message. All these attacks do not

. Timing attacks can be thwarted by introducing a random help an adversary identify the source, or trace a routedelay before message re-transmission. Timing attacks do in use. The tampering can be prevented by enforcingnot help the adversary gain the identities of source or authentication, which is an orthogonal topic to our paper.intermediaries. . Packet dropping or injecting: When a message gets

. Onion recording: Repeated onions allow an adversary to dropped, the source usually re-sends the message. If alearn that several messages might have been originated node injects a route request to the network, it will receivefrom a same source (the cached onion may be used by a route response from a destination. If a node injectsdifferent nodes), but they do not identify the source. Such invalid onions to the network, the onions will be droppeda threat can be reduced if we shorten the life-time of by other nodes (unable to decrypt). Both packet droppingcached onions. and injecting do not help an adversary to achieve his

. Tampering: An adversary may tamper with a route re- goals.quest, a route response, or an encrypted onion. Tampering BCoprsnfpivcfetesoohrpooolwith a route request may cause the request be dropped orbe propagated to a wrong destination. Tampering a route From analysis of Section Ill-B we see both DSR andresponse may cause an originator to not be able to receive AODV provide almost no privacy. For example, an eaves-the response, or to receive an invalid response. Tampering dropper en route or close to a route learns identities of all

TABLE Inodes en route from a single intercepted message in DSR.AODV allows an active adversary to learn the topology of the COMPARISON OF LENGTH OF CONTROL MESSAGE VIA PACKET SIZE

BETWEEN DIFFERENT PROTOCOLS WHEN SENDING MESSAGESnetwork by repeatedly issuing route discovery. Our protocolachieves source anonymity and route secrecy. During the route Protocol Control message R,=Control msg/Packet sizediscovery, an intermediary only knows the identity of the (byte)destination and the previous intermediary, but not whether packet packet packetthe latter was the request originator. The route constructed by DSR 40 7.81% 3.91% 2.67%iterated-encryption protects the identities of intermediaries. To Discount 150 (first packet) 29.30% 14.65% 10.00%

ANODR -75 (succeeding packet) 14.65%0 7.30% 5.00%0fully trace a route, an adversary has to compromise at least ANODR 716 3.5% 7.3% 1.07%ANODR16 ~~~~3.1300 1.5600 1.0700

half the number of nodes en route or close to the route. Wenote ANODR [15] provides better privacy than our protocol,but with a much higher overhead in computation, storage, and approximately 1.6 seconds, while in our approach it is onlycommunication. 0.17 milliseconds. Our approach increases the route discovery

VI. OVERHEAD time with 3.54% compared to DSR, while ANODR takessignificantly longer time (more than 330 times that of DSR)

A. Overhead in route discovery to perform a route discovery. The storage costs for ANODR

We base our estimate of the overhead of DSR, our protocol and our approach are estimated to be approximately 12.7Mband ANODR on the following facts and assumptions: and 62kb respectively. The communication costs of ANODR

. Nodes are uniformly distributed in the network, and the and our approach are 417kb resp. 81 kb.average travel distance of a route request is 10 hops. By analysis, we identify two reasons responsible for the

. For ANODR, the field length of source, destination, and big difference in costs between our approach and ANODR.route pseudonym is 128 bits. The length of the other One is that ANODR adopts public cryptography, but we dononce is 40 bits. Let the average size of onions be 600 not. Another reason is related to the use of onion encryption.bits. For our protocol, the length of the identifier of a node Onions are encrypted on the way out in ANODR [15], i.e.,is 40 bits, which is the same as the nonce in ANODR. from the request initiator to every direction in the network,The size of an acknowledgment is 40 bits. while the onion encryption occurs only on the returning way

. When public-key encryption is used, we assume the use in our approach.of ECAES (160-bit key), with an encryption time of To understand the big difference between ANODR and our160ms, and decryption time of 42ms. When symmetric protocol, it is worth to take a look at the two approachesencryption is used, we assume the use of AES (128-bit in more detail. Figure 1 and 11 show the processes of routekey & block). The encryption/decryption speed of AES discovery from S to D in the two protocols. In Figure 1, ais 29.1/29.2Mbps. The above computation time is based route is constructed on the return path by D and intermediarieson iPAQ3670 pocket PC with Intel StrongARM 206MHz n5, n4, n3, n2 and n1. Each intermediary adds one layer toCPU. the received onion. Onions only occur on the return path.

* The maximum packet size for the three protocols is 1500 However, in Figure 11, the onion is a part of a route request.bytes. The channel capacity is 2 Mbits/second. (Windows As the route requests travel away from S, onions get biggersystems are limited to a maximum payload size of 1380 and bigger (more layers). They are propagated in all directionsbytes for TCP packets.) from S without any explicit terminating condition. On the

1) Route discovery time by DSR. The route request by return path, each hop "costs" two public-key operations, two

DSR has the format REQ =(rid, , rrcd, D), where rrcd symmetric-key operations (one is used to peel off one layer of

is the route record used to keep the sequence of hops traveled an onion), and one comparison. These operations add a heavyas the request is propagated through the network. The route computational burden to nodes on the route.response has the format RES =(rid,rrcd). According to the We will now take a look at the costs of the WAR [2] protocolassumptions above, for a path with 8 hops, the route discovery in a network with the same topology as in Figure I and 11.time can be estimated to be 4.82 milliseconds. In WAR, S selects multiple intermediaries at random. Such

2) Overhead ofANODR and our approach. We compare randomness is just like no route discovery or "blind" flooding.the overhead of computation, storage, and communication Given that S has no knowledge of the network topology in this

'' ~~~~~~multi-hop environment,Scan not find a route to D.between our approach and ANODR for a route discovery m

with a length of 8 hops. The computation overhead refersto how much time is spent on public-key and symmetric-keyencryptions and decryptions; storage overhead refers to how We use the same assumption as in Section VI-A to estimatemuch space is required to keep secrets, public/private keys, the length of control bytes of the protocols when sending alists, and pseudonyms, etc; communication overhead refers to message, i.e., 8 hops route, 600 bits onion on average, 128the amount of data being sent through the network. Using bits route pseudonym. The comparison of control ratios withthe above assumptions, the computation time of ANODR is DSR, ANODR, and our approach is summarized in Table I.

o----O D~-X approach increases the route discovery time over DSR for a115 typical application by less than an estimated four percent,

'V C 1 <@> ° making our protocol particularly suitable to use in ad hoc

*0 \° t1 24 networks with high mobility. In terms of future work, we planto quantify the relationship between the biased-coin and the

0 0 ° ° EJIX3 ° traffic reduction of the request flooding versus the probability0 of route discovery. We also plan to extend our work to BGP

00 00O2 on the Internet.

0 s ACKNOWLEDGMENTSQ(

Q0 S 00 Q

The authors thank Dr. Xiaofeng Wang for his helpful dis-

/ 1 \ ~~~~~~~feedback on the format ofthe article. We also appreciate the

O O O0O0 0 0 reviewers' helpful comments and suggestions.0

0@ REFERENCES

"0 "- 00(-' \ .

03 - - [1] L. Ahn, A. Bortz, and N.J. Hopper. k-anonymous message transmission.03 0 fnode In Proceedings of the 10th ACM conference on Computer and Commu-

0- 0o one layerono nications Security, pages 22-130, Washington D.C., USA, 2003.

- C ~ ~~~~~~two-layeronion [2] M. Blaze, J. Ioannidis, A. D. Keromytis, T. Malkin, and A. Rubin.n- }~~~~~~~~three-layer onion Protocols for anonymity in wireless networks. In Proceedings of the 11th

route request propagation route construction with public crypto, including n four-layer onion International Workshop on Security Protocols, Cambridge, England,including one trap-door openning one public decryption, one symmetric decrytion @ 1yAl20one symmetric encryption, and one symmetric encryption, one comparison, and 1,fve-layer onion April200.one comparison one public encryption six-layer onion [3] 5. Capkun, J. P. Hubaux, and M. Jakobsson. Secure and privacy-

preserving communication in hybrid ad hoc networks. Technical report

Fig. 11. An example of route discovery by ANODR. ic/2004/10, EPFL-DI-ICA, January 2004.* ~~~[4] D. Chaum. Untraceable electronic mail, return addresses, and digital

pseudonyms. In Proceedings of Communications of the ACM, 24(2),pages 245-253, 1981.

The control-to-message ratio of ANODR is smaller than [5] D. Chaum. The dining cryptographers problem: Unconditional sendertha of bot DS an ou prtoo in th pakttasiso* 6 and recipient untraceability. Journal of Cryptology, 1(1):65-75, 1988.

[]R. Dingledine, N. Mathewson, and P. Syverson. Tor: The second-phase. However, it is easy to see that the overhead is shifted to generation onion router. In Proceedings of the 13th USENIX Securitythe route discovery in ANODR. In an 8-hop route discovery, Symposium, August 2004.

the communication overhead is approximately-52125 bytes, [7] D. Goldschlag M. Reed and P. Syverson. Onion routing for anonymous

the~~~~~~~~~~~~~~node1ho Inrha Prcedigofro1althe2 bytesofrec n opte n Cmu

-0and private internet connectons. Communications of the ACM (USA),while it is only 10125 bytes in our protocol. 42(2):39-41, 1999.

Table I shows how the control-to-message ratios decrease [8] Y C. Hu, D. B. Johnson, and A. Perrig. Sead: Secure efficient distancef i i e . a cratioaor tn Pvector routing for mobile wireless ad hoc networks. Ad Hoc Networksfornesymmetricncryptio,andp ketsymetc enc onecpappror fi yron Journal, pages 175-192, 1 2003.

first packet is high due to the construction of the return path. It [] Y. C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A secure on demandgets lower in the succeeding communication. We recommend routing protocol for ad hoc networks. In MobiCom '02, Atlanta, Georgia,to use 1024 bytes as the packet sizein our protocol. USA , EPtembe-23-2 2002.[4] C.CHu, A. Perrig, and D. B. Johnson. Efficient security mechanisms

for routing protocols. In Proceedings of the Tenth Annual Network andVII. CONCLUSION Distributed System Security Symposium (NDSS), 2003.

[11] Y. C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: A defenseWe propose an approach- Dscount ANODRc-kfor anony- against wormhole attacks in wireless networks. In IEEE Infocom, 2003.

mous on demand routing in mobile ad hoc networks. We pro- [12] Y. C. Hu, A. Perrig, and D. B. Johnson. Rushing attacks and defensevide peer-to-peer privacy of both payload and control messages in wireless ad hoc network routing protocols. In ACM Workshop on

Wireless Security (WiSe), 2003.using a cryptographically lightweight protocol relying solely [13] D. B. Johnson and D. A. Maltz. Mobile Computing, volume 353,on symmetric cryptography for its operation. As a result, we chapter Dynamic Source Routing in Ad Hoc Wireless Networks. Kluwerachieve substantially lower computation and communication Academic Publishers, 1996.

[14] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk. Enhancing source-complexityin comparison with functonally related proposals, location privacy in sensor network routing. In Proceedings of theat the cost of only a minor reduction of privacy guarantees. 25th IEEE International Conference on Distributed Computing Systems,Effectively, however, the achieved reduction of the burden 2005.bonby th use deie .sblee t nbeteata [ 15] J. Kong and X. Hong. ANODR: ANonymous On Demand Routing withforane byntheausing pa cketsize. In our approa ,thenrat otheauuntraceable routes formobileilesad-hoc networks. In ACMMOBIHOC '03,

deployment of a privacy preserving technique of this type; 2003.thus, we argue that we actually enhance privacy guarantees [16] c Perkins. Ad-hoc on-demand distance vector routing. In MILCOM

'97 panel on Ad Hoc Networks, Nov 1997.(in comparison to the status quo) as opposed to degrading [17] A. Perrigy, R. Canetti, D. Song, and J. D. Tygar. Efficient and securethem. Our proposal achieves source anonymity and routing source authentication for multicast. In Proceedings of Network andprivacy. As long as less than half of the nodes close to Distributed System Security Symposium, February 2001.

oronrapgiveanroutearerocompromised,oantANODR-ade rsar i b [18] M. Reed, P. Syverson, and D. Goldschlag. Proxies for anonymousmousonadeandroutingare mobile anadvhocnetworksay W eproCrouting. In In 12th Annual Computer Security Applications Conference,unable to trace a route. The overhead analysis indicates our pages 95-104. IEEE, Dec 1995.

[19] M. Reed, P. Syverson, and D. Goldschlag. Anonymous connectionsand onion routing. IEEE Journal ofSelected Areas in Communications,16(4):482-494, May 1998.

[20] M. K. Reiter and A. D. Rubin. Crowds: Anonymity for web transactions.ACM Transactions on Information and System Security, 1(1), June 1998.

[21] C. Shields and B. N. Levine. A protocol for anonymous communicationover the internet. In Proceedings of the 7th ACM Conference onComputer and Communications Security, Athens, Greece, 2000.

[22] B. R. Waters, E. W. Felten, and A. Sahai. Receiver anonymity viaincomparable public keys. In Proceedings of the 10th ACM conferenceon Computer and communication security, 2003.