muon: epidemic based mutual anonymity in unstructured p2p ...bkchoi/compnw_3689.pdfuncorrected proof...

1

2

3

4

5

67

8

9

10

11

12

13

14

15

16

17

18

19

2021

Available online at www.sciencedirect.com

COMPNW 3689 No. of Pages 20, Model 3+

7 December 2007 Disk UsedARTICLE IN PRESS

Computer Networks xxx (2007) xxx–xxx

www.elsevier.com/locate/comnet

RO

OFMuON: Epidemic based mutual anonymity in unstructuredP2P networks q

Neelesh Bansod 1, Ashish Malgi 2, Byung K. Choi *, Jean Mayo

Department of Computer Science, Michigan Technological University, 1400 Townsend Drive, Houghton, MI 49931, United States

Received 19 June 2007; received in revised form 21 October 2007; accepted 14 November 2007

Responsible Editor: M. van Steen
P
REC

TEDAbstractA mutual anonymity system enables communication between a client and a service provider without revealing their

identities. In general, the anonymity guarantees made by the protocol are enhanced when a large number of participantsare recruited into the anonymity system. Peer-to-peer (P2P) systems are able to attract a large number of nodes and henceare highly suitable for anonymity systems. However, the churn (changes in system membership) within P2P networks,poses a significant challenge for low-bandwidth reliable anonymous communication in these networks.

This paper presents MuON, a protocol to achieve mutual anonymity in unstructured P2P networks. MuON leveragesepidemic-style data dissemination to deal with churn. Simulation results and security analysis indicate that MuON pro-vides mutual anonymity in networks with high churn, while maintaining predictable latencies, high reliability, and lowcommunication overhead.� 2007 Published by Elsevier B.V.

Keywords: Unstructured peer-to-peer (P2P) networks; Anonymity; Reliability; Epidemic protocol

UN

CO

R

22

23

24

25

26

27

28

29

30

31

32

33

1389-1286/$ - see front matter � 2007 Published by Elsevier B.V.doi:10.1016/j.comnet.2007.11.011

q This material is based in part on work supported by theNational Science Foundation under Grant No. CCR-9984682.Any opinions, findings, conclusions or recommendations ex-pressed in this material are those of the author(s) and do notnecessarily reflect the views of the National Science Foundation.An earlier version of MuON was presented at IEEE ICNP 2005in Boston MA.

* Corresponding author. Tel.: +1 906 487 3472; fax: +1 906 4872283.

E-mail addresses: [email protected] (N. Bansod), [email protected] (A. Malgi), [email protected] (B.K. Choi), [email protected] (J. Mayo).

1 Currently affiliated with Redback Networks, San Jose, CA95134, United States.

2 Currently affiliated with Microsoft Corporation, Redmond,WA 98052, United States.

Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011

1. Introduction

Reliable anonymous communication is requiredby certain online services operating over untrustednetworks. Anonymity is needed to prevent third par-ties (or adversaries) from gathering informationrelated to services and their clients. Examples of suchapplications include banking, e-voting, file sharingand searching, etc. Most online services have a com-mon model of interactions. A client (the initiator)sends a request to a node (the responder) that pro-vides the service; the responder processes the request,and sends the corresponding response to the initia-

idemic based mutual anonymity in unstructured ..., Com-

mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]

T

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

2 N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx



UN

CO

RR

EC

tor. Based on this model of interactions, differenttypes of anonymity [1–3] can be provided to applica-tions: initiator anonymity, responder anonymity,mutual anonymity and unlinkability. Initiator ano-nymity hides the identity of the initiator from theresponder and adversary. Responder anonymity hidesthe identity of the responder from the initiator andadversary. Mutual anonymity provides both initiatoranonymity and responder anonymity. Unlinkabilitymeans that the initiator and responder cannot beidentified as communicating with each other, eventhough they can be identified as participating in somecommunication. All the terms related to anonymityresearch are well defined in [4].

Existing anonymity solutions use one of severalbasic approaches to achieve different forms of ano-nymity. In the simplest approach, a single proxy isused for communication between initiator andresponder [5,6]. However, this approach fails if theproxy is compromised to reveal the identities ofthe communicating parties. Many anonymity proto-cols [7–10,2,11] overcome this single point of failureusing indirection; messages from the sender (initia-tor/responder) are routed through intermediaterelay nodes till they reach the final destination(responder/initiator). Finally, other protocols [12–14] provide anonymous communication by multi-casting messages to a group of nodes. It is impor-tant to note that in these last two approaches, theanonymity in the system improves as the numberof participant nodes increases.

This paper presents MuON, a protocol thatshows a good potential to provide reliable, mutuallyanonymous communication with unlinkability.Inspired by the idea of multicasting, MuON usesepidemic-style data dissemination [15–17] to achievereliable communication with the desired anonymityproperties. As seen in prior work [15,17], epidemicprotocols are much more efficient than reliable mul-ticasting protocols. Intuitively, by broadcastingevery communication message to all members reli-ably, this type of protocol should provide a veryhigh potential to achieve anonymity. At the sametime, however, broadcasting every message createsa concern on the inefficient use of limited networkbandwidth. Thus, in general, limiting the scope ofbroadcast without (much) sacrificing the reliabilitywill be an issue in this line of approach. This paperaims at extensively investigating a single scope ofbroadcasting using an epidemic protocol. To thebest of our knowledge, this is the first study to usean epidemic protocol to provide anonymity. Multi-


ED

PR

OO

F

ple broadcast groups-based approaches will be theimportant future work.

MuON operates over unstructured P2P networks(such as the Gnutella file sharing system), which areknown to be able to attract a large number of partic-ipants. Other anonymity protocols have beendesigned to operate over P2P networks. These proto-cols have used different kinds of P2P networks suchas structured P2P systems [11], IP layer P2P systems[9] and hybrid P2P systems [3]. An unstructured P2Pnetwork does not impose a structure on its partici-pant nodes and thus has several desirable character-istics such as administrative ease, ease of deploymentand self-organization. However, unstructured P2Pnetworks pose significant challenges. For exampleGnutella is known to consume high bandwidth[18]. Other studies [19] have shown that P2P systemsexhibit high churn (changes in system membership);peers frequently leave/join the network and mostpeers are connected to the overlay for a short periodof time. Further, the nodes within the P2P networkcannot be trusted. Peers may attempt to tamper withmessages, masquerade as the responder, drop mes-sages that they are supposed to forward, collude toviolate the anonymity guarantees, or subvert theprotocol by any other means.

Earlier work of MuON was presented previouslyin [20] and was shown to provide high reliabilitywhile maintaining low latencies and low overhead.Here we present an extended version of MuON withenhanced anonymity guarantees and additional per-formance metrics. The modifications ensure that theprotocol terminates in dynamic networks withoutlosing anonymity or reliability, thus bounding theconsumed network resources. MuON has also beenextended to operate without a trusted PKI (publickey infrastructure). The extended version alsoincludes modifications that enable MuON to with-stand intersection attacks.

The paper is organized as follows: Section 2 sum-marizes the prior approaches for anonymity andintroduces epidemic protocols. Section 3.1 discussesthe goals of MuON. Section 3 describes MuON indetail, followed by the anonymity and performanceevaluations in Section 4. The contributions andfuture work are summarized in Section 5.

2. Related work and motivation

This section reviews epidemic protocols and priorsystems providing different kinds of anonymity overvarious network architectures.


T

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx 3



UN

CO

RR

EC

2.1. Anonymity by mixes

Systems like Mix-Net [21], Babel [22], MorphMix[23] and Mixminion [24] are based on mix-networks.These systems hide communication by encryptingmessages in layers of public key cryptography, andrelaying messages through a group of dedicatedmessage relays called ‘mixes’. Each mix decrypts,delays and reorders messages before relaying themto another mix. While these systems achieve stronganonymity guarantees, the randomly introduceddelays can result in high latencies unsuitable forinteractive applications.

2.2. Anonymity by proxy

Systems like Anonymizer [5], Lucent PersonalizedWeb Assistant [6], PRA:Proxy for Responder Ano-nymity [12] and APFS Unicast [12] use an intermedi-ate proxy to provide anonymity. As these systemstrust the proxy for performance and anonymityguarantees, they are vulnerable to failure if theproxy is compromised or if the proxy fails.

2.3. Anonymity by single-path forwarding

Many anonymity protocols forward messagesalong a single anonymous path, formed throughthe group of nodes within the infrastructure. Thisanonymous path can be specifically created, or isformed by random forwarding.

Onion Routing [10] provides anonymous com-munication using a dedicated set of message relayscalled ‘onion routers’. The sender selects a pathfrom the set of onion routers. It then wraps thedata within encrypted layers to form an onion.The innermost layer of encryption in the onionuses the encryption key of the path’s last hop,while the outermost layer uses the encryption keyof the path’s first hop. Onion routers co-operateand forward the onion from the sender to thedestination.

Several systems use onion routing to create tun-nels for anonymous communication. Tor [8] pro-vides mutual anonymity by creating tunnels torendezvous points, while Tarzan [9] provides initia-tor anonymity by building tunnels through an IPlayer P2P system. Similarly, MorphMix [23] createsanonymous tunnels through P2P networks usingnested encryption. TAP [11] uses replicated tunnelsto provide reliable anonymous communication onlywithin structured P2P networks.


ED

PR

OO

F

Xiao et al. [3] propose protocols that use hybridP2P networks to provide mutual anonymity. Trustedthird parties coordinate anonymous message trans-fers between communicating entities. Crowds [2] pro-vides initiator anonymity using random forwarding.Messages are sent to a randomly chosen peer called ajondo. Each jondo then randomly decides to eithersend the message to the responder or to anotherjondo.

In networks with high churn (nodes frequentlyjoin and leave the P2P network), approaches usingsingle anonymous paths are likely to suffer from pathlosses. Consider an anonymous path through nnodes. If p is the probability of a node leaving theoverlay, then a given path is valid with a probabilityof ð1� pÞn. With increasing path lengths (increasingn) and increasing network churn (increasing p), theprobability that a given path remains valid dimin-ishes. Hence approaches using a single-path willincur with greater probability, the additional over-head of detecting and rebuilding failed paths. Provid-ing this kind of fault tolerance can be a high overheadoperation and has not been extensively explored inthe context of maintaining anonymity guarantees.

2.4. Anonymity by group communication

Many systems like APFS Multicast [12] andHordes [14] multicast messages within a large groupto achieve anonymous communication. LikewiseGAP [7] uses controlled flooding to send a messagethroughout the network, while P5 [13] defines a log-ical hierarchy of broadcast groups, sending mes-sages to groups of different sizes.

Protocols that depend on group communicationprimitives are ideally suited for networks with highchurn, because the departure of a few nodes doesnot substantially impact the communication betweenthe sender and receiver. Previous work [14] also indi-cates that the use of multicasting helps reducecommunication latencies. However, the lack ofwidespread deployment of IP multicast infrastructureinhibits deployment of protocols based on this type ofmulticast [12,13]. GAP [7] takes a different approach,but achieves reliability by flooding, which may notscale well in large unstructured P2P networks.

2.5. Epidemic protocols

Epidemic (or gossip) protocols [25] are a well-studied class of protocols for low-cost reliable datadissemination within groups. They have been shown


T231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

p

q

r

s

M0

Gossip message

Message ‘pull’

t2t0 t1 t3 t4 t5 t6

Fig. 1. Epidemic protocols.

3 Though messages between peers are sent unreliably, MuONreliably transfers messages between communicating entities.




UN

CO

RR

EC

to be much more efficient than flooding basedapproaches [26,27]. Epidemic protocols providehigher reliability and scalability while using lowerbandwidth [16], when compared to other reliablemulticast protocols. They provide a bimodal guaran-tee of reliability [15]; a message reaches all membersof the group with a high probability, and the proba-bility that it will reach to just a few members of thegroup is very low. Studies have shown that the timerequired to disseminate data to the entire group islogðNÞ, where N is the number of nodes in the group.Due to these desirable characteristics, MuON usesan epidemic-style protocol for data dissemination.

A simplified gossip protocol is depicted in Fig. 1.Each node runs several rounds of the gossip proto-col. In each round, a node selects a random node asits gossip target. The node sends the gossip target(s)a gossip message containing a list of message identi-fiers that it has heard (indicated by dotted linesbetween nodes). If the list contains a message iden-tifier which the gossip target has not received, thegossip target will request the node to send it (indi-cated by solid lines between nodes).

Three important parameters impact gossip proto-col performance. First is the number of gossip tar-gets FanOut used in each round. (FanOut is two inthe figure.). The second parameter is the timeDinterval between successive protocol rounds. (In thefigure, as node p starts gossip rounds at time t1and t6, the Dinterval is t6� t1.). The final parameteris the number of rounds GC that a message is gos-siped. These parameters determine the speed andefficiency of the protocol and have been rigorouslystudied by Birman et al. [15].

3. MuON

This section describes the details of MuON. Wefirst give the goals, notation, system model andassumptions for deploying MuON, followed by a


description of the basic data dissemination proto-col. Finally, we describe the use of this data dissem-ination protocol to effect communication, betweeninitiator and responder, with the desired properties.

ED

PR

OO

F

3.1. Goals of MuON

MuON aims to balance between performanceand anonymity in dynamic P2P networks. The maingoals are described below:

1. Mutual Anonymity: Initiators and responders cancommunicate without knowing the actual iden-tity of the other communicating party.

2. Unlinkability: Communication between initiatorsand responders cannot be correlated.

3. Bounded Latency: Latency is bounded.4. Reliability: Reliable communication between ini-

tiator and responder(s).5. Communication Overhead: Overhead incurred by

a peer should be low.6. Scalability: Metrics like reliability, anonymity,

latency and overhead should scale well with theP2P network size and churn.

7. Integrity and Confidentiality: Peers cannot mod-ify messages in-transit and cannot masqueradeas responders; requests can be read only by theintended responder; responses can be read onlyby the appropriate initiator.

3.2. System model

MuON operates over an unstructured P2P net-work. Let N be the number of nodes within theoverlay. We assume that nodes within the overlayknow at least logðNÞ other peers in the overlay. Thismembership list for epidemic protocols can be main-tained using services such as SCAMP [28], ‘‘PeerSampling Service” [29], and DIMPLE [30]. MuONassumes that all initiators and responders are mem-bers of the P2P network. All protocol messages uselow-cost unreliable transport (UDP) for communi-cation.3 Each peer is associated with a unique publickey, which is used in lieu of actual node identities.The message sending protocol of MuON ensuresthat mutual anonymity and unlinkability are main-tained, while the use of public and session keysmaintains data integrity and confidentiality. The


T

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397




UN

CO

RR

EC

public keys are not tied to any specific algorithm;for example incomparable public keys [31] couldbe used.

To access a service in MuON, initiators requirethe public keys of peers that provide the corre-sponding service. MuON provides the ability to per-form an anonymous network-wide search to map asearch query (i.e. a desired service) to a set of publickeys. Alternately a trusted PKI may be used to pro-vide correct public keys corresponding to a searchquery. It is interesting to note that the communica-tion between the PKI and the initiator must beanonymous. However, it is easy to conceive thePKI as a service within MuON, whose public keyis well known and distributed out-of-band.

Peers are assumed to have approximately syn-chronized clocks; the difference between clock read-ings of any two peers at a single instant of time(called the clock skew) is within a known bound.Clocks may be synchronized in hardware, software,or some hybrid combination [32–34]. The increasingavailability of global positioning system (GPS)based hardware allows physically dispersed systemsto be synchronized [35] with a clock skew of a fewmicroseconds4 via their mutual synchronization toCoordinated Universal Time (UTC).5

Throughout this paper, the adversary is assumedto be passive and external. Depending on attacks,the adversary may be either local or global.

This paper considers logical network topologiesinduced by membership services, such as SCAMP[28] and DIMPLE [30], which are used for epidemicprotocols. One common assumption in epidemicprotocols is that each node can randomly selectlogðNÞ different nodes (fanout) in each cycle. Asthe network size grows, providing such informationfor each node is difficult for centralized service.Hence distributed algorithms and protocols havebeen sought in an effort to provide such membershipinformation in a scalable manner. One commonapproach in that line of work is to locate a tiny sub-set (local view) of the entire membership at eachnode, and have the nodes exchange part of the localview with that of another randomly chosen node;this is known as shuffling. This seemingly simpleoperation in fact produces local views populatedfrom the entire membership randomly and uni-formly [36,37]. Thus a node knows at least as many

4 Evaluation (Section 4) shows that MuON tolerates clockskews up to 18 � RTT (RTT = round trip time of UDP).

5 UTC is independent of local timezone and daylight savings.


ED

PR

OO

F

nodes as the size of the local view. At any giveninstance, we can create a graph (called knowledgegraph) reflecting the induced logical topology byadding an edge from P to Q if P knows Q. Asreported in [37,30], such a knowledge graph is a ran-dom graph with the same number of nodes andedges. Assuming that MuON uses such a member-ship service, the network topology remains randomindependently of the physical networking.

Obviously, this claim does not directly involveshuffle message loss due to possible network conges-tion patterns. While congestion-embedded simula-tion would produce more realistic outcomes,applying flat message loss rates seems to be an alter-native to focus on the effectiveness of the reliablebroadcasting of MuON. Adopting this argument,this paper uses the simplified approach of using10% packet loss rate throughout the simulation.Using network congestion patterns in simulationremains as future work.

An interesting question is whether this idea isdirectly applicable to wireless ad hoc mobile net-works (MANET). The fundamental differencebetween MANETs and wired P2P systems is thatwhile a peer can directly communicate with anotherpeer using the underlying routing infrastructure, amobile node is not able to without having otherintermediate nodes forward a packet toward a des-tination in MANET. As a result, gossiping to fan-out nodes would involve many other intermediatenodes in MANET. This, in turn, would makeMuON-like gossiping impractical. Fundamentalresearch needs to be done to support effective gos-siping for MANET. The original question ofwhether MuON-like anonymous communicationprotocols can exist for MANET then could beanswered after such fundamental work. This paperleaves this question open for future work.

3.3. Notation

The protocol uses the following notation.

Notation

idemic based mu

Description

ksession

Symmetric session key

kþA , k

�A
Public and private key of node A
r1

Nonce

fdatagks
data encrypted/signed using key ks (ks
is public, private or session key)

HðdataÞ
Cryptographic hash (e.g. SHA-1)
computed over data

tual anonymity in unstructured ..., Com-

398399

400401

402403

404405

406

407408

409

410

411

412

413

414415

416417

418419

420421

422

423424

425426

427428

429430

431

432433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453




self

6 This assumpresponses (e.g. filetions, MuON achto other group coanticipate that Mfor applicationsrequire reliableevaluated in this

Please cite thisput. Netw. (20

IP-address of node

pinter
Intermediate probability
YB,MSG

a, b

Bounds on epidemic lifetimes

B

A,MSG

X, MSG

QUERY_HDR
Search query initiated by I . Format is
{T deadline, kþI , query}.

A PX X,MSG
MSG_HDR
F

MESSAGE TRANSFER

MESSAGE HEADERS

A,MSG

Node X communicating to Y.

Header associated with MSG. Formatis {T deadline, currOwner, hdr, H(hdr)}.Contents of hdr are defined in Section3.5. If MSG_HDR is associated with aMSG, MSG_HDR. currOwner is non-nulland indicates the node owning MSG.
OT current Current time on synchronized clock
Fig. 2. Message sent from node X to Y.

T join

T current recorded at start of session

T deadline
Time at which message is invalidated
454

skewmax

455

Bounds on the clock skew within thesystem (accuracy is �skewmax)

456

Dinterval

Interval between successive rounds

457

Davg

Average life of peers in the system

458

FanOut

Number of gossip targets per round

459

GC

460

Number of rounds message isgossiped

461
MSG Data (request/response) message
T462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483
NC
OR

REC

3.4. Data dissemination in MuON

MuON’s data dissemination protocol is unidirec-tional; it is used to send requests from an initiator toa responder and then again to send a response fromthe responder to the initiator. This protocol is thenused for sending messages between initiators andresponders and also for mapping services to the cor-responding public keys (discussed in Section 3.5).

The data dissemination protocol operates via themessages MSG_HDR and MSG. MSG_HDR containsinformation such as identifiers and cryptographickeys, while MSG encapsulates the associated data.As MSG_HDR contains only protocol data, weassume6 that the size of MSG_HDR is much less thanMSG. The data dissemination protocol is depicted inFig. 2, which shows node X sending MSG to node Y.MuON uses an epidemic protocol to disseminateMSG_HDR to all nodes within the P2P network,while the larger MSG is disseminated to only a few

U 484485486

487

tion holds true in applications with large-transfer and web-browsing). In these applica-ieves substantial bandwidth savings comparedmmunication based anonymity protocols. WeuON will also provide a bandwidth reductionwith small data messages (e.g. e-voting) thatdelivery, though these applications are notpaper.

article in press as: N. Bansod et al., MuON: Ep07), doi:10.1016/j.comnet.2007.11.011

ED

PR

Onodes within the network (shaded within Fig. 2).As explained in detail later, the number of nodeswhich receive MSG depends on the value of pinter.The protocol ensures that the responder always getsMSG. As the larger MSG is not sent to the entire net-work, MuON substantially reduces the bandwidthusage. Also, since multiple nodes within the networkreceive MSG (all the shaded nodes), multiple nodesare potential receivers and senders of MSG, givingMuON its anonymity guarantees. MuON derivesits properties of reliability and bounded latenciesfrom its epidemic nature.

Every node running MuON maintains two buf-fers; one headerBuffer to store the message headersand the other messageBuffer to store the corre-sponding messages. Every node tracks the numberof protocol rounds gossipCount each header hasbeen gossiped. Algorithm 1 describes the detailsfor handling these buffers. Algorithm 2 explainsthe protocol executed by each node after everyDinterval units of time. This algorithm describes anepidemic protocol for disseminating the headers.Each node selects FanOut random nodes from thegroup as gossip targets and sends them a list witheach message header MSG_HDR currently withinheaderBuffer. As given in Algorithm 3, whenever Agets the message, A tries to decrypt7 the message.If A cannot decrypt the message then A performsone of two actions: it may just add the header toits header buffer or with some probability pinter itmay go back and get the corresponding MSG fromB. In the first case, A gossips with its neighbors thatB currently has the message. In the second case,when A gets the MSG from B, it changes the

7 If the decrypted message contains an expected value like aknown identifier or public key, the node can conclude ‘‘success-ful” decryption.


488

489

490

491

492

493

494

495

496

497

498

499




currOwner field of MSG_HDR to A. Thus when A gos-sips the header, it indicates itself as the messageowner. With this property, MuON achieves its ano-nymity guarantees as there are many equiprobableowners of the same message. If A can decrypt themessage, it indicates that the message was intended

UN

CO

RR

EC

T


for A and thus A contacts currOwner and pulls themessage. In this case A also gossips with its neigh-bors that it has the message to send. Thus theresponder in MuON behaves exactly the same asany other node in the network (with the exceptionthat it always pulls the message).

ED

PR

OO

F


T

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587




UN

CO

RR

EC

3.5. Communication in MuON

This subsection first describes how a node withinMuON can anonymously obtain the public key of aresponder. We then describe how the data dissemi-nation protocol is used for anonymous communica-tion between initiator and responder.

Obtaining public keys of responders: To obtainpublic keys of responders providing a service, an ini-tiator I multicasts a search-query describing theservice by invoking sendQuery(search-query). send-Query encapsulates the search-query and key kþI intoa QUERY_HDR and disseminates it throughout thenetwork using a push-epidemic protocol (The rele-vant portions of Algorithms 2 and 3.). Thus thequery is delivered to each peer within the network.On receiving a search-query, a peer R that providesa matching service anonymously sends its publickey kþR to node I (This is equivalent to invoking send-Message(fkþR gkþI , NULL)). On receiving kþR , node Ican now anonymously access the service.8

Initiator and responder communication: While thedata dissemination protocol achieves anonymity,cryptographic measures are needed to ensure mes-sage integrity and confidentiality. The followingdescribes how the data dissemination protocol isused by initiators and responders for secure anony-mous communication.

Sending a request: An initiator I uses the follow-ing steps to initiate communication with node R bysending the request data.

1. I generates a symmetric session key ksession, whichis used to encrypt all data messages.

2. I generates a nonce r1, which is used to correlateresponses with this request.

3. The MSG is generated as fr1; datagksession.4. I creates a header hdr, corresponding to MSG as

hdr ¼ fr1; ksession; kþI ; fHðDÞgk�I gkþR where D ¼fr1; ksession; kþI ;MSGg and HðÞ is a cryptographichash function.

5. I invokes sendMessage(hdr, MSG).

Responding to a request: Algorithm 3 eventuallydelivers MSG_HDR and MSG to the responder R,which proceeds with the following steps.

588

589

590

591

592

593

8 A query may result in multiple responses. A reputationscheme [38,39] may be used to select one trusted response.


ED

PR

OO

F

1. R decrypts hdr using k�R , to obtain ksession, r1 andthe initiator’s public key kþI . R now runs integritychecks with the cryptographic hash.

2. Using ksession, R decrypts MSG to obtain data.3. Let response be the corresponding reply, which R

needs to send to I . R creates MSG ¼ fr1; reponsegksession using ksession and r1 as recovered in step 1.

4. R creates a header hdr corresponding to theresponse as hdr ¼ fr1; fHðDÞgk�R gkþI , where D ¼fr1;MSGg and HðÞ is a cryptographic hashfunction.

5. R invokes sendMessage(hdr,MSG).

3.6. Miscellaneous protocol properties

Epidemic Termination: Epidemic protocolsachieve reliability by gossiping messages until allprotocol participants receive (with very high proba-bility) the message. However, in dynamic P2P net-works, the set of protocol participants changesunpredictably over time. Reaching all protocol par-ticipants would then result in a perpetually surviv-ing epidemic. Hence, MuON requires some othermechanism for termination of the epidemic withoutcompromising its anonymity properties.

A fixed value of GC is not adequate to terminatethe epidemic. Each time a node joins the networkand receives a given header for the first time, it willdisseminate the header GC additional times. Sincethe network membership changes continually, epi-demics may survive perpetually. Another simpleapproach is to choose some maximum integer countof rounds for which a message is propagated. Theinitiator chooses this count value and appends itto the message; each subsequent propagation ofthe message by any node decrements the count byone. When the count reaches zero, the message isno longer propagated. However, implementing thisapproach without sacrificing anonymity is difficult.Suppose each initiator randomly selects the roundcount from within some range of values. Then anynode that chooses the maximum value of the rangecan be identified as initiator.

MuON applies approximately synchronizedclocks toward epidemic termination. A MuONheader originating at time T is associated with adeadline T deadline that specifies the wall-clock timeat which the header is to be invalidated. Thisensures that even in dynamic networks, the associ-ated epidemic terminates at approximately T deadlineand the epidemic has a lifetime of approximatelyT deadline � T .


T

594

595

596

597

598

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

656

657

658

659

660

661

662

663

664

665

666

667

668

669

670

671

672

673

674




CO

RR

EC

If all messages have the same lifetime, a peerdirectly receiving a header from the initiator canguess the identity of the initiator. Hence the messagelifetime is chosen between a and b, where b > a.MuON uses a value of a equal to the maximumcommunication latency for epidemic protocols instatic networks (� log2ðoverlay sizeÞ [15]). Thisensures that with high probability all nodes thatare in the network when the dissemination begins,that remain in the network over the lifetime interval,and that remain reachable, will receive the message.Though all nodes choose a lifetime value between aand b, T deadline is computed by adding the selectedlifetime value to the local synchronized clock value.Since local clocks are only approximately synchro-nized, the identity of the initiator is obscured. UsingT deadline an adversary receiving a header directlyfrom the initiator can guess the message’s time oforigin (and detect the initiator) with a probability

1ðb�aÞ�ð1þ2�skewmaxÞ.

9 Thus clock skew (and clock syn-

chronization) is essential for terminating MuONepidemics anonymously in this way.

Aligning with long-lived nodes: In dynamic P2Pnetworks, peers alternately join and leave the net-work. As discussed in section 15, this continualchange in system membership aids an adversarialattack called an intersection attack. To enhance ano-nymity, peers in MuON pull data messages with aprobability p proportional to the time that haselapsed since joining the system (termed age). Thusin MuON long-lived nodes pull data messages witha higher probability.10 For simplicity, we consider pincreasing linearly with the peer’s age (as computedby method currentProbability in Algorithm 1),though other relations may be suitable dependingon the network model.

4. Evaluation

In this section, we describe MuON’s simulationmodel and evaluate the performance, anonymityand other security guarantees.

UN 675676

677

678

679

680

681

682

683

684

9 If initiator with clock skew skew sends a message at wall-clocktime T , then T deadline ¼ T þ lifetimeþ skew. For a given T deadline,an adversary can guess lifetime with a probability 1b�a and skewwith a probability 11þ2�skewmax.10 P2P applications using MuON for communication, may use

this property to align with the network topology, though detailsare not discussed within this paper.


ED

PR

OO

F

4.1. Simulation model

Measurement studies of unstructured P2P net-works [40,19,41] indicate that these systems exhibitdynamic membership, because peers alternately joinand leave the network. Peers participate in the pro-tocol only during the time between joining and leav-ing the network. This time is called the session time(or age) and the resultant dynamism is called thenetwork churn. The network churn is related to theaverage session time of the peers within the net-work. As the average session time decreases, themembership of the P2P network changes at a fasterrate and is said to exhibit a higher churn [42,43].Prior experiences [44,42,43] indicate that networkchurn impacts the performance of protocols overP2P networks. Hence we evaluate MuON overP2P networks of varying sizes and varying churn.

We model network churn using an approach sim-ilar to that described by Liben-Nowell et al. [45].This model has also been used for evaluating distrib-uted hash tables over P2P networks [42,43]. Peerswithin the network are assigned exponentially dis-tributed session times. When a peer reaches the endof its session time, it leaves the network. Prior work[46] has shown that the average session time (amountof churn) within a network depends on the applica-tion. Since MuON is not specific to any application,we simulate networks with varying churn.

Simulating network churn has been relatively welladdressed in the literature. One issue is whether agood mathematical distribution exists to model net-work churn. Some work [47] suggest the use of a dis-tribution function backed up by real measurements,while some others [45] advocate the same methodadopted in this paper. A second issue in simulatingnetwork churn is whether the network size shouldremain constant. A common approach used in theliterature is to maintain a fixed network size in indi-vidual simulation runs. This helps in decoupling theimpact of network size from that of network churn.Furthermore, to simulate networks with varyingsizes, one requires an underlying management ser-vice which can provide the network size dynamically,since epidemic protocol parameters depend on thenetwork size. Estimating network size can be foundin separate work such as [48]. Including dynamicallychanging network sizes and different distributionmodels for network size, would produce more realis-tic outcomes. However, since this paper focuses onanonymity these improvements are left for futurework.


T

685

686

687

688

689

690

691

692

693

694

695

696

697

698

699

700

701

702

703

704

705

706

707

708

709

710

711

712

713

714

715

716

717

718

719

720

721

722

723

724

725

726

727

728

729

730

731

732

733

734

735

736

737

738

739

740

741

742

743

744

745

746

747

748

749

750

751

752

753

754

755

756

757

758

759

760

761

762

763

764

0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

olou

r gr

adie

nt

0.6

0.8

1

Reliability

pinter=0.3, skew=3, γ =0

Reliability




NC

OR

REC

MuON is simulated using PeerSim [49], a P2Psimulator designed specifically for epidemic proto-cols. The simulator executes the protocol in a seriesof cycles, where the time interval between each cycleis assumed to be sufficient for unidirectional unreli-able (UDP) message transmission with a loss rate of10%.11 This UDP loss rate of 10% is a rough modelof congestion. All time in the simulations is mea-sured in terms of cycles, which is the smallest unitof time within the simulator. In the simulationmodel, a network with churn 0 is a static network,which does not change during the simulation. Atchurn 0, the average session time was chosen as100 cycles (a factor of 10 over the maximum timefor one run of the protocol in a system of 1000nodes), to enable simulation of several rounds ofMuON simultaneously. An increase of 0.1 in net-work churn decreases the average session time ofthe nodes by a factor of 1

10. When a node leaves

the network, another immediately joins, thus keep-ing the overlay size constant. This helps us to under-stand the impact of overlay size and churnindependently. We also model networks with vary-ing clock skew. If the clock skew in a simulated net-work is skew, then the clock skew of each node isselected uniformly between �skew and þskew. Thenode’s clock skew remains constant throughout itslifetime.

In the simulations, FanOut and GC are main-tained at log2ðoverlay sizeÞ and Dinterval is maintainedat one cycle. These parameters are common to allepidemic protocols and their impact on performanceis similar to that determined by previous studies [15].We maintain a ¼ log2ðoverlay sizeÞ and b ¼ 2� a tobound epidemic lifetimes such that message deliverymay be attempted but the epidemic is terminatedeventually. The parameter Davg controls the rateof increase of pcurrent. We simulate two differentapproaches for determining the value of Davg. Inthe first approach (denoted by c ¼ 0), each nodecomputes Davg using the session-time of its previoussessions.12 In the second approach, the membershipservice13 is used to provide Davg. We use the follow-ing values for Davg; 0:5� Dlife;Dlife and 2� Dlife(denoted by c ¼ 1; 2 and 3, respectively) where Dlife
U
11 In general, the time required for unidirectional UDP messagetransmission is 0:5� round trip time. Based on reported averageround trip times [50], one cycle is approximately 50–100 ms.12 Davg ¼ 1 during the first session.13 Membership services [28] using unsubscriptions or leases can

estimate the average session-time of participant peers.


is the average session time within the network. Thusc ¼ 1; 2 and 3 represents increasing Davg.

ED

PR

OO

F

4.2. Performance evaluation

This section discusses MuON’s performance innetworks with varying sizes and churn. SinceMuON cannot provide reliable communication atchurn 1, we measure performance metrics (otherthan reliability) in networks with churn between 0and 0.8. Performance metrics are averages over mul-tiple messages exchanged between initiator andresponder for a given set of parameters such asskew, c and pinter.

Reliability: The reliability of MuON is measuredby the delivery ratio achieved in networks of varyingsizes and churn. The delivery ratio is the fraction ofthe sent requests that were ultimately delivered atthe final destination. When delivery ratio is one, itindicates that all requests that were sent were even-tually delivered at their destination, thus indicatingreliable communication. Fig. 3 shows the deliveryratio for networks with varying sizes and churn. Itcan be seen that MuON maintains a high deliveryratio of almost one, independent of the overlay sizeand churn. This high reliability indicates its suitabil-ity for highly dynamic P2P networks.

Bounded Communication Latency: One ofMuON’s goal is to achieve communication withina predictably bounded time interval. This character-istic is important from the application’s point ofview; shorter latencies are important for applicationinteractivity while bounded latencies are needed byapplications to set timeouts and detect messagelosses. Since MuON operates over an overlay net-work, we measure the latency in terms of numberof protocol cycles required for the message to be

0 0.1 0.2 c

1000 2000

3000 4000

5000 6000

7000 8000

9000 10000

0 0.2

0.4 0.6

0.8 1

0

0.2

0.4

Overlay SizeChurn

Fig. 3. Reliability.


OF

765

766

767

768

769

770

771

772

773

774

775

776

777

778

779

780

781

782

783

784

785

786

787

788

789

790

791

792

793

0

2

4

6

8

10

12

14

0 0.2 0.4 0.6 0.8

Lat

ency

(cy

cles

)

Churn

pinter=0.5, skew=3, overlay size=4000

γ=0γ=1γ=2γ=3

(Average) γ=0(Average) γ=1(Average) γ=2(Average) γ=3

Fig. 6. Impact of Davg on latency.




delivered at its destination. (The duration of a pro-tocol cycle corresponds roughly to the time requiredfor delivery and processing of a single UDP mes-sage.). Fig. 4 shows the average number of cyclesrequired for messages to be delivered; the bars indi-cate the variation in the delivery latency. It can beseen that the delivery latency is similar at each net-work size irrespective of network churn, indicatingthat the latencies in MuON are predictable andbounded. The latency does increase sublinearly withincreasing network size, since the message lifetime isproportional to logðnetwork sizeÞ. When a peerpulls a data message, it does not gossip the headertill the data message arrives. Hence as seen in Figs.5 and 6, when data messages are pulled by a greaternumber of peers (caused by increasing pinter anddecreasing Davg), the latency increases marginally.

Epidemic Termination: As discussed in Section3.6, epidemic protocols tend to survive perpetuallyin dynamic networks. MuON terminates messageepidemics by associating a deadline with each headerin a system with approximately synchronized clocks.

UN

CO

RR

EC

T

0

2

4

6

8

10

12

14

1000 2000 3000 4000 5000 6000 7000 8000 9000 10000

Lat

ency

(cy

cles

)

Overlay Size

pinter=0.5, skew=3, γ=0Churn=0

Churn=0.8(Average) Churn=0

(Average) Churn=0.8

Fig. 4. Latency of message delivery.

0

2

4

6

8

10

12

14

0 0.2 0.4 0.6 0.8

Lat

ency

(cy

cles

)

Churn

skew=3, γ=0, overlay size=4000pinter =0.3pinter =0.8

(Average) p inter =0.3(Average) p inter =0.8

Fig. 5. Impact of pinter on latency.


PR

OWe study the effectiveness of this approach by mea-suring the epidemic lifetime in the networks of vary-ing sizes and churn. A message’s epidemic lifetime ismeasured as the duration of time (measured incycles) during which at least one peer actively gossipsthe corresponding header. Figs. 7–10 show that theepidemic lifetime is not affected by overlay size,

ED

15

20

25

30

35

40

1000 2000

3000 4000

5000 6000

7000 8000

9000 10000

0 0.2

0.4 0.6

0.8 0

5

10

15

20

25

30

35

40

Average epidemic lifetime (cycles)

pinter=0.8, skew=3, γ=0

Overlay Size

Churn

Fig. 7. Epidemic lifetime.

0

10

20

30

40

50

60

0 0.2 0.4 0.6 0.8

Ave

rage

epi

dem

ic li

fetim

e (c

ycle

s)

skew=3, γ=0, overlay size=4000

pinter=0.3pinter=0.8

(Average) pinter=0.3(Average) pinter=0.8

Churn

Fig. 8. Impact of pinter on epidemic lifetime.


CT

OO

F794

795

796

797

798

799

800

801

802

803

804

805

806

807

808

809

810

811

812

813

814

815

816

817

818

819

820

821

822

823

824

825

826

827

828

829

830

831

832

833

834

835

0

10

20

30

40

50

60

0 0.2 0.4 0.6 0.8

Ave

rage

epi

dem

ic li

fetim

e (c

ycle

s)

Churn


γ=0γ=1γ=2γ=3

(Average) γ=0(Average) γ=1(Average) γ=2(Average) γ=3

Fig. 9. Impact of Davg on epidemic lifetime.

0

10

20

30

40

50

60

0 0.2 0.4 0.6 0.8

Ave

rage

epi

dem

ic li

fetim

e (c

ycle

s)

Churn

pinter=0.5, γ=0, overlay size=4000

skew=3skew=9

(Average) skew=3(Average) skew=9

Fig. 10. Impact of skew on epidemic lifetime.

0

1

2

3

4

5

100

0

200

0

300

0

400

0

500

0

600

0

700

0

800

0

900

0

100

00

0

0.2

0.4

0.6

0.8

1

Hea

der

thro

ughp

ut

Dat

a th

roug

hput

Overlay Size

pinter=0.3, skew=3, γ=0Header throughput (Churn 0)Data throughput (Churn 0)

Header throughput (Churn 0.8)Data throughput (Churn 0.8)

Fig. 11. Node overhead.

0

1

2

3

4

5

6

7

0 0.2 0.4 0.6 0.8 0

0.05

0.1

0.15

0.2

0.25

0.3

Hea

der

thro

ughp

ut

Dat

a th

roug

hput

Churn


Header throughput γ=0Data throughput γ=0




Fig. 12. Impact of Davg on node overhead.




UN

CO

RR

EDavg, pinter and skew. Fig. 7 shows that MuON suc-cessfully terminates epidemics despite of high churn,though the epidemic lifetime increases gradually.

Node Overhead: When a peer joins MuON, itcontributes its resources to forward messages fromother peers. These resources are needed to send,encrypt, decrypt and store messages and are propor-tional to message size. Similar to prior work in epi-demic protocols [32], we study the node overhead inMuON by measuring the header and data through-put. The throughput is measured as the number ofheader (or data) messages processed per cycle pernode for each anonymous message sent in the net-work. Fig. 11 shows that the throughput is essen-tially independent of the overlay size and increaseswith churn. It can be seen that the throughput oflarger data messages is much lower than the headerthroughput. Header messages are small in size andthus the processing overhead for each header, stor-age and bandwidth is low. MuON uses private/pub-lic key encryption for small headers and fastersymmetric cryptography for large data messages,


ED

PRto reduce the encryption overhead. Fig. 12 indicates

that Davg does not significantly impact the nodeoverhead. Fig. 13 shows that the data throughputincreases with pinter, while not impacting the headerthroughput.

Network Resources: MuON’s message sendingprotocol is designed to use low network resourcesas compared to previous multicast-based anonymityprotocols. The network resources can be measuredby the network bandwidth consumed, when onedata message is sent anonymously.

Let HDRsize and DATAsize be the size of header anddata messages, respectively, and N be overlay size.When a message is sent anonymously, a multicast-based anonymity protocol multicasts this messageto N nodes. Hence the consumed bandwidth will beat least N � DATAsize. Note that this is a conservativeestimate, since it ignores the bandwidth consumed bycontrol messages and data message re-transmissionsrequired in the presence of network churn. On the


TED

PR

OO

F

836

837

838

839

840

841

842

843

844

845

846

847

848

849

850

851

852

853

854

855

856

857

858

859

860

800K

600K

400K

200K

100

0

200

0

300

0

400

0

500

0

600

0

700

0

800

0

900

0

100

00

6K

4K

2KHea

der

tran

sfer

s

Dat

a tr

ansf

ers

Overlay Size


Header transfers (Churn 0)Data transfers (Churn 0)

Header transfers (Churn 0.8)Data transfers (Churn 0.8)

Fig. 14. Network overhead.

220K

180K

140K

100K

60K

20K

0 0.2 0.4 0.6 0.8

10K

8K

6K

4K

2K

Hea

der

tran

sfer

s

Dat

a tr

ansf

ers

Churn


Header transfers γ=0Data transfers γ=0




Fig. 15. Impact of Davg on network overhead.

220K

180K

140K

100K

60K

20K

10K

8K

6K

4K

2K

Hea

der

tran

sfer

s

Dat

a tr

ansf

ers

skew=3, γ=0, overlay size=4000Header transfers pinter=0.3

Data transfers pinter=0.3Header transfers pinter=0.8

Data transfers pinter=0.8

0

1

2

3

4

5

6

7

0 0.2 0.4 0.6 0.8 0

0.05

0.1

0.15

0.2

0.25

0.3

Hea

der

thro

ughp

ut

Dat

a th

roug

hput

Churn

skew=3, γ=0, overlay size=4000Header throughput (p inter=0.3)

Data throughput (pinter=0.3)Header throughput (p inter=0.8)

Data throughput (pinter=0.8)

Fig. 13. Impact of pinter on node overhead.




CO

RR

EC

other hand, MuON disseminates the data message toonly a subset of nodes within the overlay, ensuringthat the final destination is a member of this sub-set. The bandwidth consumed in MuON is h�HDRsize þ /� DATAsize, where h and / is the numberof header and data transfers in the network. Consid-ering the values of h and / from Fig. 14, it can be seenthat MuON provides reliable anonymous communi-cation at a cost lower than N � DATAsize.14 Fig. 17depicts the bandwidth consumed in MuON as com-pared to a multicast based approach, while Figs. 15and 16 show that the bandwidth consumed by datamessages increases with increasing pinter and decreas-ing Davg, while the resources consumed by headermessages are unaffected.

Scalability: Scalability is an important character-istic in systems designed for P2P networks. It is evi-dent from the presented results that MuON isscalable. The protocol exhibits desirable perfor-mance irrespective of the overlay size and churn.

4.3. Anonymity guarantees

This section describes how MuON achievesmutual anonymity, followed by an evaluation ofanonymity in overlays of varying sizes and churn.We then describe the protocol behavior under vari-

UN

861

862

863

864

14 Considering 128 bit cryptographic hash, 128 bit crypto-graphic keys, 32 bit IP addresses and 32 bit nonce, the maximumsize of hdr is 416 bits and HDRsize ¼ 576 bits (72 bytes). If thetransferred data is a 1 MB media file then DATAsize ¼ 1; 048; 576bytes. From Fig. 14, if the overlay has 10,000 nodes with churn0.8, then h ¼ 600; 000 and / ¼ 4500. Hence the volume of MuONheader messages is 41.2 MB and the volume of MuON datamessages is 4500 MB. In this system with 10,000 nodes,N � DATAsize ¼ 10; 000 MB.

0 0.2 0.4 0.6 0.8Churn

Fig. 16. Impact of pinter on network overhead.


ous adversarial attacks. The anonymity metrics areaverages over multiple messages exchanged betweenmultiple initiator and responder pairs for a given setof parameters such as skew, c and pinter.


T

OF

865

866

867

868

869

870

871

872

873

874

875

876

877

878

879

880

881

882

883

884

885

886

887

888

889

890

891

892

893

894

895

896

897

898

899

900

901

902

903

904

905

906

907

908

909

910

911

912

913

914

915

916

917

918

919

920

921

922

923

924

925

926

927

928

929

930

931

932

933

0.14

0.16

0.18

0.2

0.22

0.24

0.26

0.28

1000 2000

3000 4000

5000 6000

7000

0 0.1

0.2 0.3

0.4 0.5

0.6 0.7

0.8

0

0.2

0.4

0.6

0.8

1

Normalized anonymity


Overlay SizeChurn

Fig. 18. Anonymity.

15 Cover traffic increases network bandwidth consumption,message delays introduce communication latencies, and per-hopmessage encryption necessitates negotiation of shared keysbetween each pair of nodes in the dynamic network.

0

2000

4000

6000

8000

10000

12000

14000

16000

2000 4000 6000 8000 10000 12000 14000

Num

ber

of D

ata

Mes

sage

s

Overlay Size

MulticastMuON, pinter=0.8MuON, pinter=0.5MuON, pinter=0.3MuON, pinter=0.1

Fig. 17. Comparative bandwidth use.




UN

CO

RR

EC

4.3.1. Mutual anonymity in MuON

Since MuON does not make use of cover trafficand padding, and does not hide information suchas message lengths, T deadline and currOwner, epidemictraffic can be observed at each individual node.Consequently as discussed in Section 4.3, MuONis vulnerable to a sustained attack by a global adver-sary. However as discussed in the sections below,the anonymity guarantees of end-to-end trafficbetween initiators and responders are maintainedin the presence of adversaries that can observe onlya limited portion of the network for a given periodof time.

Similar to anonymity protocols that use multi-casting [12] or broadcasting [13], MuON achievesmutual anonymity on the virtue that several inter-mediate peers receive a message. When an interme-diate node receives a MSG, it gossips thecorresponding MSG_HDR with itself as the owner.From an observer’s perspective, any node claimingto be the current owner could be the actual senderof the message. Similarly, when an intermediatenode receives MSG_HDR, it probabilistically pullsthe corresponding MSG. Hence from the local obser-ver’s perspective, any peer that eventually pulls MSGcould potentially be the receiver. Thus in the proto-col, an observer (initiator, responder or intermedi-ate node) cannot differentiate the initiator andresponder from the other peers. The use of publickeys also enables the initiator and responder tocommunicate without the identity of each other.Thus mutual anonymity and unlinkability isachieved.

The degree of anonymity provided by an ano-nymity system depends on the number of nodes thathave an equiprobable chance of playing a certainrole (initiator/responder). Let S (called the anonym-


ED

PR

O

ity set) denote the set of nodes that have an equi-probable chance of being the initiator/responder.Shields et al. [14] show that the degree of anonymityin the system is 1� 1jSj. In MuON, for a given com-municating pair of initiator and responder, anynode that receives MSG has some probability ofbeing the initiator or responder. In this paper, allsuch nodes are collectively considered the anonym-ity set. This is because a local adversary cannot tellif the probability of being the sender or receiver isequal for all such nodes without a large scale collu-sion. Intersection attacks by a global adversarywould make this anonymity set smaller. Formalanalysis of this anonymity set using an informationtheoretic technique such as introduced by [51] is leftas an important future work. Therefore, we measurethe anonymity of MuON as the fraction of peerswithin the overlay that received a given MSG (calledthe normalized anonymity). Fig. 18 shows that theanonymity is almost constant in networks of vary-ing sizes and churn. Figs. 19 and 20 indicate thatthe anonymity is controlled by pinter and Davg.

Attacks by Adversary: Anonymity systems aresusceptible to several possible attacks. However,the adversary must utilize varying amounts ofresources to complete these attacks successfully.To withstand powerful adversaries, several systems[10,9,3,11,8] use techniques like cover traffic genera-tion, message buffering and per-hop messageencryption. This paper evaluates MuON withoutusing these high-cost15 approaches, by describingthe protocol behavior under various known attacks.


CT

934

935

936

937

938

939

940

941

942

943

944

945

946

947

948

949

950

951

952

953

954

955

956

957

958

959

960

961

962

963

964

965

966

967

968

969

970

971

972

973

974

975

976

977

978

979

980

981

982

983

984

985

986

987

988

989

990

991

992

993

994

995

996

997

998

999

1000

1001

1002

1003

1004

1005

1006

1007

0

0.2

0.4

0.6

0.8

1

0 0.2 0.4 0.6 0.8

Nor

mal

ized

ano

nym

ity

Churn


Average anonymity set γ=0Average anonymity set γ=1Average anonymity set γ=2Average anonymity set γ=3

Fig. 20. Impact of Davg on anonymity.

0

0.2

0.4

0.6

0.8

1

0 0.2 0.4 0.6 0.8

Nor

mal

ized

ano

nym

ity

Churn

skew=3, γ=0, overlay size=4000Average anonymity set pinter=0.5Average anonymity set pinter=0.8

Fig. 19. Impact of pinter on anonymity.




UN

CO

RR

EIn addition, this paper assumes that a goodpseudo ID management is in place. An intermediatenode in MuON can collect pseudo IDs, such as pub-lic key as a pseudo ID, by participating the gossip-ing behavior. In order to prevent such a problem, amechanism needs to be in place which changes thepseudo ID randomly at every interval. The generalproblem of managing pseudo IDs is left as futurework. Follow up work will incorporate a mecha-nism into MuON.

Local eavesdropper: A local eavesdropper is anadversary that can monitor all communications sentto or received from one particular peer. This adver-sary tries to detect the identity of communicatingparties by recording and comparing all incomingand outgoing messages of a particular node. InMuON, a local eavesdropper on an intermediatepeer, cannot confirm the identities of the communi-cating parties, even if the message and its header arereceived by the peer. This is because the peer cannotdetermine the identity of either sender or receiverwith certainty based on the information of the


ED

PR

OO

F

header. Likewise a local eavesdropper an initiator(or responder) cannot deduce the identity of theresponder (or initiator).

Collusion Attack: In a collusion attack, peers col-laborate to identify communicating entities. Thesecolluding peers could be physically different nodesor a single node with multiple identities. It has beenseen that the degree of anonymity in MuON is1� 1jSj where S is the anonymity set. This impliesthat as long as a pair of peers within the anonymityset do not collaborate, it is hard for colluding nodesto differentiate the initiator, responder and the hon-est peer(s) from one another. If all jSj nodes withinthe anonymity set collaborate, MuON’s degree ofanonymity becomes 0 and the identities of the com-municating parties can be revealed. However, sincethe anonymity set changes for every MSG in the sys-tem, a large fraction of peers must collaborate tosuccessfully launch this attack.

Timing attack: In a timing attack, the adversary(behaving as an initiator) attempts to identify theresponder by analyzing the round trip time (RTT)of a request, since short RTT indicates that theresponder is nearby. In MuON since the messagesare transferred over the overlay network, RTT mea-surements do not reflect actual network locations.Thus launching a timing attack is difficult. Anadversary can launch a variant of the timing attackagainst MuON, by identifying the initiator as thefirst node to gossip a particular MSG. To launch thisattack, the adversary would have to trace outgoingmessages of every node within the network, to iden-tify a particular node as the first node to gossip amessage. However, the adversary cannot identifythe responder, since the responder behaves like anintermediate node and continues to gossip the MSG.

Traceback attacks: There are two kinds of trace-back attacks: passive traceback and active traceback.In a passive traceback attack, the adversary exam-ines the stored routing state of the peers to identifythe path(s) between initiator and responder. Tolaunch a passive traceback against MuON, theadversary needs to look at the application level mes-sage buffers at every node within the network. How-ever, since the messages are periodically removedfrom the buffers, to perform a successful tracebackthe adversary must collect the information beforeit is removed. In an active traceback attack, theadversary has control of the network infrastructureand is able to follow an active and continuingstream of packets back through the network to theirpoint of origin. In MuON, such an adversary can


TED

PR

OO

F

1008

1009

1010

1011

1012

1013

1014

1015

1016

1017

1018

1019

1020

1021

1022

1023

1024

1025

1026

1027

1028

1029

1030

1031

1032

1033

1034

1035

1036

1037

1038

1039

1040

1041

1042

1043

1044

1045

1046

1047

1048

1049

1050

1051

1052

1053

1054

1055

1056

1057

1058

1059

1060

1061

1062

1063

1064

1065

1066

1067

1068

1069

1070

0

0.1

0.2

0.3

0.4

0.5

0.6

0 10

20 30

40 50

60 70

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.2

0.4

0.6

Fraction of nodes

pinter=0.5, skew=3, γ=0, overlay size=4000

Age of nodes (in cycles)

Churn

Fig. 21. Message distribution.

0

0.2

0.4

0.6

0.8

1

0 10 20 30 40 50 60 70 80 90 100

Eff

ectiv

e an

onym

ity s

et

Time (in cycles)


MuON γ=0MuON γ=1MuON γ=2MuON γ=3

System Membership

Fig. 22. Progress of an intersection attack (churn¼0.6).




UN

CO

RR

EC

identify the sender of a message (it is the startingpoint of the message paths). However the recipientis not revealed (since paths do not terminate at therecipient).

Predecessor attacks: These attacks occur if thesame path is used by the initiator while communi-cating to the responder. If a compromised noderecords its predecessor, then most of the time theinitiator will be the predecessor. However in MuONas every node randomly picks up the gossip target,different messages follow different paths. Hence thistype of attack is unlikely in MuON.

Traffic volume attack: An adversary can differen-tiate responders from other nodes by observing thevolume of data transmitted, since initiators generateless data as compared to responders. This attack ispossible against MuON, if the adversary canobserve the traffic generated by each node in thenetwork.

Intersection Attack: An adversary can record themembers within the anonymity set of a message bylaunching a traffic volume or traceback attack. Toperform an intersection attack, the adversary firstrecords the anonymity sets of messages for anextended period of time. The adversary then com-putes the effective anonymity set, which is the inter-section of all observed anonymity sets. Since theinitiator and responder are present in each anonym-ity set,16 they are always included in the effectiveanonymity set. Thus if the network is observed fora sufficient period, the effective anonymity set canbe reduced substantially. We measure the progressof an intersection attack by measuring the size ofthe effective anonymity set at regular time intervals,relative to the size of the first observed anonymityset. For simplicity, we assume the adversaryobserves the entire network.

In dynamic networks, an intersection attack isassisted17 due to changes in system membership.To offset this effect, MuON peers pull data messageswith a probability proportional to their age in thesystem. Fig. 21 shows the fraction of peers withindifferent age-groups that pull a given message.Hence the anonymity sets of successive messagesinclude the same subset of long-lived nodes, result-ing in larger effective anonymity sets. Fig. 22 showsthe progress of an intersection attack in MuON

1071

1072

1073

1074

1075

16 This assumes that the initiator and responder are within theportion of the network observed by the adversary.17 This motivates some systems [13,14] to restrict system

membership changes, and perform periodic system resets.


(depicted by solid lines) along with the effective ano-nymity set solely due to network churn (depicted bythe dashed line). It can be seen that for low values ofDavg, an intersection attack proceeds primarily dueto network churn. According to the simulationmodel, since the network in Fig. 22 has churn 0.6,the session time of peers is exponentially distributedwith an average of 40 cycles (shaded region). Thusby the time the communicating entities completetheir communication, the effective anonymity set isstill greater than 0.3. Fig. 23 shows the progress ofan intersection attack in networks with varyingchurn. Figs. 22 and 24 indicate that defense againstintersection attacks can be improved by decreasingDavg and increasing pinter.

In summary, we see that MuON can resist mostkinds of attacks in the absence of a global adver-sary. We believe that such an adversary is impracti-cal for large and dynamic P2P systems, thoughmany of these attacks can be thwarted by meansof cover traffic [52].


T1076

1077

1078

1079

1080

1081

1082

1083

1084

1085

1086

1087

1088

1089

1090

1091

1092

1093

1094

1095

1096

1097

1098

1099

1100

1101

1102

1103

1104

1105

1106

1107

1108

1109

1110

1111

1112

1113

1114

1115

1116

1117

1118

1119

1120

1121

1122

1123

1124

1125

1126

1127

1128

1129

1130

0

0.2

0.4

0.6

0.8

1

0 10

20 30

40 50

60 70

80

0 0.2

0.4 0.6

0.8 1

0

0.2

0.4

0.6

0.8

1

Intersection set

pinter=0.5, skew=3, γ=0, overlay size=4000Intersection Set

TimeChurn

Fig. 23. Effective anonymity set.




REC

4.4. Security guarantees

In MuON, message confidentiality and integrityis achieved using cryptographic techniques such ascryptographic hash, public/private keys and sessionkeys. Hence these guarantees are constrained by thestrengths of the chosen cryptographic algorithms.

When the initiator sends the request, it generatesa nonce r1 and a session key ksession. The initiatorthen generates a header containing the nonce, ses-sion key and the initiator’s public key. The headeris then encrypted using the responder’s public key.Similarly, the responder includes the nonce in theheader for the response and encrypts this headerwith the initiator’s public key. Thus the nonce andsession key always remain confidential. MSG alwaysencrypts the data and nonce, using the session key.Since the session keys are not reused, encrypting thedata with session keys helps thwart dictionaryattacks. Thus confidentiality is maintained.

UN

CO

R

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

0 10

20 30

40 50

60 70

80

0 0.1 0.2

0.3 0.4

0.5 0.6

0.7 0.8

0

0.2

0.4

0.6

0.8

1

Effective anonymity set


Time (in cycles)Churn

Ef

Fig. 24. Impact of pinter on e


ED

PR

OO

F

The header, hdr always contains a cryptographichash signed by the private key of the sender (initia-tor in case of requests and responder in case ofresponses). The cryptographic hash is computedover MSG and the required fields of hdr and is signedby the sender’s private key. This signed crypto-graphic hash has several uses. It allows the receiverto verify the correspondence between a given MSGand its MSG_HDR. The signed cryptographic hashhelps the receiver detect if an adversary changedthe contents of the message or the nonce. Similarly,when an initiator receives a response, the initiatorcan verify that the response originated from theresponder, because the cryptographic hash is signedby the responder’s private key. Thus an adversarycannot masquerade as the responder. Likewise, thenonce contained within each header and data mes-sage can be used by the initiator to detect a replayof a response. If the responder keeps track of noncevalues of the past requests, it can detect the replayof requests.

It is important to note that MSG_HDR contains anunsigned value for T deadline, since an intermediatenode cannot verify a signature without knowingthe public key of the originator. Hence a misbehav-ing intermediate node may increase or decrease thevalue of T deadline to either cause the epidemic to dieslowly or quickly; a slow dying epidemic increasesthe resources consumed by the protocol, while aquick dying epidemic would prevent the messagefrom reaching the destination. However due to theinherent redundancy within the epidemic, a signifi-cant percentage of peers need to be misbehavingto consistently cause delivery failures. In either sce-nario, the anonymity and security guarantees of theprotocol remain intact. In general, promoting com-

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

0 10

20 30

40 50

60 70

80

0 0.1

0.2 0.3

0.4 0.5

0.6 0.7 0.8

0

0.2

0.4

0.6

0.8

1

fective anonymity set


Time (in cycles)Churn

ffective anonymity set.


1131

1132

1133

1134

1135

1136

1137

1138

1139

1140

1141

1142

1143

1144

1145

1146

1147

1148

1149

1150

1151

1152

1153

1154

1155

1156

1157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181

1182118311841185




pliance within P2P anonymity systems [53] is animportant research problem, which we plan toinvestigate in future work.

T

11861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214

5. Conclusion and future work

We have presented MuON, a protocol for pro-viding mutual anonymity in dynamic P2P networks.There are two key contributions of MuON; the pro-tocol provides reliable mutually anonymous com-munication over dynamic P2P networks, whilemaintaining low bandwidth and processing over-head compared to existing reliable multicastingapproaches, and it exhibits application friendlycharacteristics such as bounded communicationlatency and message integrity and confidentiality.A unique feature of MuON is the ability to maintainanonymity against sustained adversarial attack for areasonable amount of time. In order to help resolvethe inefficient bandwidth use problem due to thebroadcasting nature, a methodology to create multi-ple broadcast groups with high inter-group connec-tivity for reliable message delivery is currently underinvestigation. In the future, we plan to investigatethe use of MuON for creating censorship resistantservices and ‘Denial-of-Service’ DoS tolerant anon-ymous services.

12151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243

UN

CO

RR

ECReferences

[1] Pfitzmann Andreas, Waidner Michael, Networks withoutuser observability, Computers and Security 6 (2) (1987) 158–166.

[2] Michael K. Reiter, Aviel D. Rubin, Crowds: anonymity forweb transactions, ACM Transactions on Information andSystem Security 1 (1) (1998) 66–92.

[3] Xiao Li, Xu Zhichen, Zhang Xiaodong, Low-cost andreliable mutual anonymity protocols in peer-to-peer net-works, IEEE Transactions on Parallel and DistributedSystems 14 (9) (2003) 829–840.

[4] Andreas Pfitzmann, Marit Hansen, .

[5] AT&T, The anonymizer, .[6] Eran Gabber, Phillip B. Gibbons, David M. Kristol, Yossi

Matias, Alain Mayer, Consistent, yet anonymous, webaccess with LPWA, Communications of ACM 42 (2)(1999) 42–47.

[7] Krista Bennett, Christian Grothoff, GAP-practical anony-mous networking, in: PET’03: Privacy Enhancing Technol-ogies Workshop, Dresden, Germany, March 2003, pp. 141–160.

[8] Roger Dingledine, Nick Mathewson, Paul Syverson, Tor:The second-generation onion router, in: Security’04: Pro-ceedings of the 13th USENIX Security Symposium, SanDiego, CA, August 2004, pp. 303–320.

Please cite thi

muon: epidemic based mutual anonymity in unstructured p2p ...bkchoi/compnw_3689.pdfuncorrected proof...

Documents