
Discount Anonymous On Demand Routing for Mobile Ad hoc Networks


Liu Yang
Software Engineering College, Sichuan University, Chengdu, 610065, China
Email: yangliutww@gmail.com

Markus Jakobsson
School of Informatics, Indiana University Bloomington, Bloomington IN 47408, USA
Email: markus@indiana.edu

Susanne Wetzel
Department of Computer Science, Stevens Institute of Technology, Hoboken NJ 07030, USA
Email: swetzel@cs.stevens.edu

Abstract - Recent years have seen a large number of proposals for anonymity mechanisms operating on the application layer. Given that anonymity is no stronger than its weakest link, such proposals are only meaningful if one can offer anonymity guarantees on the communication layer as well. ANODR - or ANonymous On Demand Routing - is one of the leading proposals to deal with this issue. In this paper, we propose a novel technique to address the same problem, but at a lower cost. Our proposal, which we dub Discount-ANODR, is built around the same set of techniques as ANODR is. Our proposal has the benefit of achieving substantially lower computation and communication complexities at the cost of a slight reduction of privacy guarantees. In particular, Discount-ANODR achieves source anonymity and routing privacy. A route is "blindly generated" by the intermediaries on the path between an anonymous source and an identified destination. Route requests in Discount-ANODR bear strong similarities to route requests in existing source routing protocols, with the limitation that intermediaries only know the destination of the request and the identity of the previous intermediary - but not whether the latter was the originator of the request. The response to a route request protects the compiled route by means of iterated symmetric encryption, drawing on how messages are prepared before being submitted to a typical synchronous mix network (or onion router). The communication of data subsequently uses such "route onions" to channel the packet to the intended destination. We do not use any key exchange, nor do we utilize public key operations at any time; consequently, we do not need to rely on any PKI, CRL or related constructions.

Mobile Ad hoc NETworks (MANETs) are being used in a large array of settings in which there is no "hardwired" network infrastructure. Commonly cited uses include military applications, emergency rescue and disaster relief, however MANETs are also believed to have future uses within vehicular networking, manufacturing, and various types of surveillance and monitoring applications. While the last few years have witnessed substantial efforts to provide efficient [17], [10] and secure [9], [11], [8], [12] communication in ad hoc networks, much less emphasis has been placed on privacy issues.

Privacy (and the lack thereof) is one of society's most notable vulnerabilities. The attacks arising from insufficient privacy - whether of actions, identities or locations - can be of economic nature (whether for identity theft or targeted advertising); may relate to national security (by ways of attacks on the infrastructure and key individuals); and can affect personal security and mobility. Most recently, we have seen a remarkable upswing of privacy intrusions driven by attempts to perform identity theft. It is evident that location information may be used to better target victims of such attacks, as well as attacks in the entire spectrum mentioned above. To limit the success of such attacks - without having to re-engineer our entire communication infrastructure - it is important to develop techniques that implement sufficient levels of privacy, without demanding substantial changes of the network or the computational requirements associated with performing routing.

The motivation for this paper is to design a lightweight privacy preserving routing protocol to achieve source anonymity and routing privacy. We define source anonymity as a property guaranteeing that an adversary can not find evidence that a node is the originator of an observed message or route request. Our definition of routing privacy corresponds to a property of hiding the identities of nodes on a path, from an adversary who may control one or more of these intermediaries.

Our approach is based on reactive source routing, where a route is obtained only when there is a demand to send a message. Reactive routing is believed to have less overhead than proactive routing, where all routes are maintained periodically. Our solution is very efficient in that the most computationally intensive operation in use is symmetric encryption, no key exchange is used, and no public key operations are needed. For an ordinary application with eight hops, our solution increases the overall time by less than 0.2 ms (compared to DSR [13]), which approximately corresponds to a 3.53% increase. When using our approach to send messages, on a path of eight hops, the ratio of control bytes to packet size is approximately 7.3%, slightly higher than the value of 3.91% by DSR. Our solution is also easy to integrate into an existing system with little modification and low overhead.

A. Our contribution

Our main contribution is to design a lightweight, privacy-preserving routing protocol using only symmetric key operations. As such, this protocol is particularly well-suited for ad hoc networks with battery-constrained nodes.

1-4244-0423-1/106/$20.00 ©2006 IEEE


symmetric keys is not time consuming, the receivers need to decrypt these keys with their private keys. Another problem of WAR is there is no route discovery. A source selects intermediaries to a destination at random, and encapsulates the payload by an iterated encryption approach. It is hard to imagine that a randomly selected route will be a valid path to a destination, given that the source has no knowledge of the topology of the network. Thus, a source channels message to a destination in a blindly-flooding way. Unlike WAR, our approach works in multi-hop situations and has a clear way to perform route discovery.

Waters, Felten, and Sahai introduce the "incomparable" public keys to achieve receiver anonymity [22]. In their work, a receiver is able to create many public keys corresponding to one secret key. Since a receiver has many public keys, he is able to generate many identities. An adversary, given two public keys, is not able to tell whether they are equivalent, i.e., corresponding to the same secret key. The incomparable public key approach can be used as a building block to achieve receiver anonymity in wired or wireless routing. Unlike [22], our approach does not aim for receiver anonymity.

Our approach distinguishes itself from the other approaches by two features: it is based on symmetric cryptography; and we do not use any key exchange, nor do we utilize public key operations at any time.

III. PROBLEM STATEMENT

An important feature of multi-hop ad hoc networks is that nodes collaborate to realize communication. In particular, when a node wants to communicate with a destination not in its direct communication range, it requires the assistance of one or more intermediaries to forward its message; or in other words, it needs to learn a path to the destination. DSR [13] and AODV [16] are two well-known reactive routing protocols. Unfortunately, they do not provide privacy protection for either route discovery or communication. In both DSR and AODV, a route request identifies the source and destination and the hop-count the request has traveled so far. A route request of DSR even records the sequence of nodes as it is propagated to the destination. A route response of DSR includes all intermediaries between the source and destination in plaintext. In AODV, each entry in the route table contains the number of hops to different destinations.

There are a number of ways to compromise the privacy of DSR and AODV. For example, an adversary is able to learn the identities of all intermediaries by just eavesdropping in DSR. Long time eavesdropping allows him to learn the topology of the network. Eavesdropping also allows an adversary to learn the topology of the network in AODV.

A. Communication Model

We assume the network to be a mobile ad hoc network. Nodes in the network can either be devices with regular computation ability, like laptops, or lesser computation ability, like pocket PCs (PDAs), or devices with low computation and storage ability, like sensors. Nodes are distributed uniformly in the network. All nodes are willing to cooperate in the network operation. Nodes do not exchange local topology information with their neighbors who are within direct communication range. A message is propagated from the source to the destination over one or more hops. Each node in the network has a unique identity, and it chooses an arbitrary secret key which is not shared with any other node. The communication between two nodes is bidirectional, i.e., if node A can reach node B, then B can reach A.

B. Adversary Model

1) Assumption: We let A be an adversary controlling one or more nodes in the network. We assume:

* The nodes controlled by an adversary are not able to monitor all nodes within the direct communication range of the source.
* A can be passive or active. A passive adversary obtains information only by eavesdropping, whereas an active one may post route requests, inject messages, tamper with, or even drop received messages to gain information. We assume an adversary has bounded eavesdropping ability. In particular, A is able to eavesdrop on no more than a fraction ε of nodes en route.

We also distinguish compromised nodes by en route, close to a route, or far away from a route. Close means that a compromised node is within one hop from a given route, and far away means that a compromised node is more than one hop from a given route. A node en route or close to a given route can hear both the route request and the corresponding response to a certain route discovery. A node far away from a route can not hear the corresponding route response.

2) Goals of the adversary. There are two goals of an adversary A. The first goal is to learn the identity of a message originator. The second goal is to infer identities of all nodes along a route. If an adversary achieves both the first and the second goals, he is naturally able to associate two nodes as communication partners.

We say a protocol achieves source anonymity if A is not able to find evidence that a node was the originator of a specified message. Moreover, we say a protocol provides route secrecy if A can not attain the second goal with a probability non-negligibly higher than a random guess from a group of candidates. Furthermore, we say a protocol provides pair-anonymity if A can not link two nodes as communication partners from routing evidence. This feature follows automatically from the first two properties.

3) Possible attacks: An adversary may use several methods - either passive or active - to achieve one or both of the goals described above.

* Tracing: an adversary tries to trace the route by controlling one or more compromised nodes close or en route.
* Timing attacks: an adversary tries to guess its distance to the source or destination by observing timings associated with the repeated use of same onions.


* Onion recording: an adversary deduces the source or route length by recording a lot of onions.
* Tampering: a node manipulates messages to gain information.
* Packet dropping or injecting: a node drops packets or injects packets to the network.

IV. SOLUTION

To simplify the description of our approach, we introduce some denotation:

* rid: route request id;
* S, D: source and destination;
* E_{K_i}(), D_{K_i}(): symmetric encryption and decryption with secret key K_i;
* REQ: route request in form of (rid, S, D);
* REP: route reply in form of (e_i, n_i, rid), where e_i = E_{K_i}(e_{i+1}, n_{i+1}), and n_{i+1} is the next hop to D.

A. Intuitive approach

We use an example to explain our main idea. Figure 1 and 2 demonstrate the procedure of route discovery by a node S. First, S initiates a route discovery by assembling a route request REQ = (rid, S, D) and broadcasts it locally. The REQ is heard by n_1, a neighbor of S. n_1 then helps to propagate the request by flipping a biased-coin. If the result of flipping is true, it replaces the S in REQ by its own identity n_1 and broadcasts the request locally; otherwise it drops the

[Fig. 1. An example of route discovery by our approach. Legend: route request propagation, no encryption is needed; route response transmission, including one symmetric encryption only; node; one-layer to six-layer onion.]

[Fig. 2: (rid, S, D), (rid, n_1, D), (rid, n_2, D), (rid, n_3, D), (rid, n_4, D), rid]


A node n_i receives a control message (rid, S_i, D) from S_i.
If rid ∈ PROCESSED_REQ, then
    % ignore repeats
    halt;
else put (S_i, rid) in list L_i;
If D = n_i, then
    % recipient is destination
    respond REP = (e_i, n_i, rid) to S_i, halt;
    where e_i = E_{K_i}(P_D), and K_i is the secret chosen by n_i.
else if Retr(D, cache) ≠ null, then
    % recipient knows the path
    respond REP = (e_i, n_i, rid) to S_i, halt;
    where e_i = E_{K_i}(path(D), nexthop),
    and (path(D), nexthop) = Retr(D, cache)
else if Flip(bcoin) true A * D
    % retransmit by flipping biased-coin
    locally broadcast (rid, n_i, D), halt;
else
    halt.

Fig. 3. Steps of route request resolution

the winning rate of the biased-coin is 10' 9 then a request is expected to be retransmitted 5 hops on average before being dropped. The winning rate of the flipping should be adjusted according to the network situation such that route requests will visit every node with reasonable probability. This depends on several factors, like the number of nodes, average hops between communication pairs, etc. Too high of a winning rate may cause a traffic jam in the network, while too low of a value will cause frequent failure of route discovery.

We note that whether a node is performing "request origination" or "request resolution" is indistinguishable to an observer (whether a neighbor or an adversary) as long as the observer is not able to monitor all neighbors of this node. The reason for this is that a request only contains the identity of the sending neighbor, which can either be an originator or be an intermediary.

3) Response transmission. The steps of routing response transmission are shown in Figure 4.

A node n_j receives a REP = (e_i, n_i, rid).
if rid ∈ PROCESSED_REP, then
    % ignore repeats
    halt
else if rid ∈ MYREQ, then
    % n_j is the initiator
    % add an entry to route cache
    add (D, e_i, n_i) to route cache, halt;
else if Retr(rid, L_j) ≠ null, then
    % n_j is an intermediary
    assemble REP = (e_j, n_j, rid) and send it to S_j,
    where S_j = Retr(rid, L_j), and e_j = E_{K_j}(e_i, n_i)
otherwise
    % invalid REP

Fig. 4. Steps of response transmission

Each node maintains a MYREQ to record the rids of route requests it has issued. If it receives a REP with an rid belonging to MYREQ, it knows this reply corresponds to a request it has issued and adds an entry (D, e_i, n_i) to its route cache. If a node n_j receiving a reply is not the corresponding originator, it checks whether it is an intermediary by calling a function Retr(rid, L_j). Here L_j is a list containing entries of (S_i, rid), S_i is a neighbor from which n_j received a request with rid. This approach allows the reply to reach to the request originator. If n_j finds an S_j in L_j corresponding to the rid in REP, then it is an intermediary. n_j then encrypts the (e_i, n_i) with its secret and sends the assembled REP to S_j.

[Fig. 5. An example of using cache to speed up the route discovery. Labels: REQ = (rid, B, D); REP = (e_A, A, rid); e_A = E_{K_A}(e_1, n_1); cache of A: (D, e_1, n_1).]

Figure 5 is an example of using route cache to speed up the route discovery process. Node B issues a route request REQ to D by doing a local broadcast. The request REQ is heard by its neighbors A, E, F, and G. Node A retrieves its cache by D and gets an entry (D, e_1, n_1). It then assembles a route response REP = (e_A, A, rid) and sends back REP to B, where e_A = E_{K_A}(e_1, n_1). Hence B gets a route to D. We note E, F, and G will help to retransmit the REQ further because they are not the destination, and also have no entry to D in their cache. Later, another route response may be returned to B. This response can be used as a backup in case the first route is invalid.

C. Sending a message

Suppose S wants to send a message M to D. It first checks its route cache for an entry to D. If such a route is found, S can transmit M according to this route. Otherwise, S will start a route discovery to D and will get a route reply using the approach in Section IV-B. The process of sending a message can be described by the following protocol.

1) Message origination:

* S obtains an entry (D, e_i, n_i) from its cache or by means of route discovery.
* S assembles P = (M, e_i, r_S) and transmits it to n_i, the next hop on the route to D. Here r_S = E_{K_S}(P_S) and P_S ∈ {0,1}*. Here P_S is a 0-1 string chosen by S with a random length between 0-k bits, and r_S is the most inner layer of the route from the D to S. We note e_i can be only used to route messages from S to D due to its encryption order. Therefore,


another route needs to be built in case D wants to send a reply message to S. Such a route can be generated in the same way as e_i except in an inverse encryption order, which starts from S and ends up at D.

2) Message transmission: The steps of message transmission are shown in Figure 6.

A node n_j receives a packet P = (M, e_j, r_{j-1}) from n_{j-1}
n_j computes (e_{j+1}, n_{j+1}) = D_{K_j}(e_j)
if D_{K_j}(e_j) ∈ G_j(p)
    % n_j is the destination
elsei1 tianib
    transmit (M, e_{j+1}, r_j) to n_{j+1}, where r_j = E_{K_j}(r_{j-1}, n_{j-1})
otherwise
    % invalid packet
    discard P.

Fig. 6. Steps of message transmission

Node n_j maintains a list G_j(p) to keep track of the route replies it resolved before. If the decrypted part of a route e_j can be found in G_j(p), then n_j is the destination of message M; otherwise it just helps re-transmit the message to the next hop indicated by the decrypted result.

Figure 7 is an example of sending a message, where the message M, originated from S, travels through node n_1, n_2, n_3, n_4, and n_5 to arrive at the destination D. We see that a return route r_5 has been established by the intermediaries when M arrives at D. This returning route is used to send back an acknowledgement or a message to the originator when necessary.

[Fig. 7. S sends a message to D via a privacy route.
Packets along S, n_1, n_2, n_3, n_4, n_5, D: (M, e_1, r_S), (M, e_2, r_1), (M, e_3, r_2), (M, e_4, r_3), (M, e_5, r_4), (M, e_D, r_5)
r_S = E_{K_S}(P_S), r_1 = E_{K_1}(r_S, S), r_2 = E_{K_2}(r_1, n_1), r_3 = E_{K_3}(r_2, n_2), r_4 = E_{K_4}(r_3, n_3), r_5 = E_{K_5}(r_4, n_4)]

The construction of a return path r_i occurs during the first message from S to D after the route discovery. Once D learns the return path, it is unnecessary to perform such a construction during the succeeding communication. This will reduce the overhead of control

D. Route maintenance

We use an end-to-end scheme to maintain the route. After receiving a message from a source, D assembles an acknowledgement ack and appends the return route r_i, then it sends back the acknowledgement to the hop from which it received the original message. The ack will be propagated back to the source, where each intermediary removes a layer of the return route by decrypting the route with its secret key. Figure 8 shows an example, where D responds with an ack to S via route r_5 after receiving a message. If the source does not receive an ack in a certain time interval, it assumes a route error occurred. It may choose another route or start a new route discovery to the destination.

[Fig. 8. D sends back an acknowledgement to S via a privacy route after receiving a message.
Packets along D, n_5, n_4, n_3, n_2, n_1, S: (ack, r_5), (ack, r_4), (ack, r_3), (ack, r_2), (ack, r_1), (ack, r_S)
(r_4, n_4) = D_{K_5}(r_5), (r_3, n_3) = D_{K_4}(r_4), (r_2, n_2) = D_{K_3}(r_3), (r_1, n_1) = D_{K_2}(r_2), (r_S, S) = D_{K_1}(r_1), P_S = D_{K_S}(r_S)]

E. Responding to a message

If the destination needs to send back a message to the source, it uses the same approach as that in sending back an acknowledgement (Section IV-D). We note that when an acknowledgement or a responding message is being sent back to the source S, the destination D and each intermediary are unaware of the identities of the source and nodes other than its predecessor and successor along the route.

V. PRIVACY PROPERTIES

Our protocol has the benefit of achieving substantially lower computation and communication complexities at the cost of a slight reduction in privacy guarantees. In particular, Discount-ANODR achieves source anonymity, routing privacy, and pair-anonymity. We show that route privacy is well preserved if less than half of nodes en route or close to a route are compromised. Intermediaries only know the destination of the request and the identity of the previous intermediary, but not if the latter was the originator of the request. To some extent, our protocol also protects the locations of nodes in the network when protecting their identities. In the following statements, we analyze our protocol by considering possible attacks and comparing its privacy features and overhead to other protocols.

A. Preventing Attacks

1) Tracing: To our knowledge, message tracing is the most powerful of all attacks. It is possible for an adversary to trace a route by controlling several compromised nodes en route or close to a route. If two nodes are observed transmitting the same message, they are two hops along a certain route. The adversary is able to learn all intermediaries if he can control enough number of nodes en route or close to a route. We note as long as a compromised node is close to a certain route, it does not matter whether it is an intermediary because it is able to eavesdrop on passing messages.

If all nodes along a route are disclosed by the adversary, we say the route is fully traced; otherwise the route is said to be partially traced, or un-traced (no node en route is traced). Here we define a metric - trace ratio - as the fraction of hops being traced en route.

R = (c_1 + c_2 + ... + c_l) / L    (1)

where l denotes the number of compromised segments of a certain route, c_i is the length (number of hops) of the ith compromised segment, and L is the length of a route.
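The route reply of Section IV-B, the message and acknowledgement forwarding of Figures 6 to 8, and the trace ratio R defined above fit in one small simulation. The Python below is an added example, not code from the paper: AES is replaced by a SHA-256 counter-mode keystream with an HMAC tag so that a layer opened with the wrong key is detected (the paper does not specify this check), the byte layout of (onion, hop) pairs and all function names are assumptions, and only compromised nodes en route (not merely close to it) are modelled.

```python
import hashlib
import hmac
import os

def _stream(key, nonce, n):
    # SHA-256 in counter mode: stdlib stand-in for the paper's AES (assumption).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(key, pt):
    """E_K(.): randomized symmetric encryption plus a 16-byte integrity tag."""
    ek, mk = (hashlib.sha256(t + key).digest() for t in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()[:16]

def D(key, blob):
    """D_K(.): returns None if the layer was not produced under this key."""
    ek, mk = (hashlib.sha256(t + key).digest() for t in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    want = hmac.new(mk, nonce + ct, hashlib.sha256).digest()[:16]
    if len(blob) < 32 or not hmac.compare_digest(tag, want):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

def pack(onion, hop):
    # Constructed wire format for the pair (onion, hop): name length, name, onion.
    name = hop.encode()
    return bytes([len(name)]) + name + onion

def unpack(pt):
    n = pt[0]
    return pt[1 + n:], pt[1:1 + n].decode()

class Node:
    def __init__(self, name):
        self.name = name
        self.key = os.urandom(16)   # K_i: chosen locally, never shared
        self.pads = set()           # random strings P this node put in innermost layers

def make_route(hops):
    """[S, n1, ..., n_(hops-1), D]: a path as already found by route discovery."""
    return [Node(x) for x in ["S"] + [f"n{i}" for i in range(1, hops)] + ["D"]]

def build_reply(path):
    """Route reply travelling D -> S; returns the (e_1, n_1) that S caches."""
    dest = path[-1]
    p_d = os.urandom(8)
    dest.pads.add(p_d)
    onion, hop = E(dest.key, p_d), dest.name              # e_D = E_KD(P_D)
    for node in reversed(path[1:-1]):                     # each hop adds one layer
        onion, hop = E(node.key, pack(onion, hop)), node.name
    return onion, hop

def send(path, onion, first_hop, compromised=()):
    """Forward (M, e_j, r_(j-1)); returns (receiver, return onion, last hop, seen hops)."""
    nodes = {n.name: n for n in path}
    p_s = os.urandom(8)
    path[0].pads.add(p_s)
    ret, prev, cur, seen = E(path[0].key, p_s), path[0].name, first_hop, set()  # r_S
    while True:
        node = nodes[cur]
        pt = D(node.key, onion)
        if pt is None:
            raise ValueError(f"{cur}: invalid packet, discarded")
        if pt in node.pads:                               # own P_D: destination reached
            return cur, ret, prev, seen
        onion, nxt = unpack(pt)                           # (e_(j+1), n_(j+1))
        ret = E(node.key, pack(ret, prev))                # r_j = E_Kj(r_(j-1), n_(j-1))
        if cur in compromised:                            # what an en-route node learns
            seen |= {(prev, cur), (cur, nxt)}
        prev, cur = cur, nxt

def ack(path, ret, last_hop):
    """Acknowledgement travelling D -> S along the return onion; returns hops visited."""
    nodes = {n.name: n for n in path}
    cur, visited = last_hop, []
    while True:
        visited.append(cur)
        pt = D(nodes[cur].key, ret)
        if pt is None:
            raise ValueError(f"{cur}: invalid return route")
        if pt in nodes[cur].pads:                         # own P_S: originator reached
            return visited
        ret, cur = unpack(pt)

def trace_ratio(path, onion, first_hop, compromised):
    """R = (sum of traced segment lengths) / L for compromised nodes on the route."""
    *_, seen = send(path, onion, first_hop, compromised)
    return len(seen) / (len(path) - 1)

if __name__ == "__main__":
    route = make_route(8)                                 # S, n1..n7, D: eight hops
    e1, n1 = build_reply(route)
    dest, r_last, last_hop, _ = send(route, e1, n1)
    print(dest, ack(route, r_last, last_hop), trace_ratio(route, e1, n1, {"n2", "n3"}))
```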


[Fig. 9. A route with eight hops: S, n_1, n_2, n_3, n_4, n_5, n_6, n_7, D]

We demonstrate the trace ratio of our protocol by investigating a route with 8 hops (Figure 9) and consider three cases.

1) Consecutive colluding: nodes compromised by A are consecutive en route or close to a route. For example, if node n_2 is compromised, then A learns two hops (n_1 to n_2, and n_2 to n_3), the trace ratio is computed as 2/8 = 1/4; similarly, if n_2 and n_3 are compromised, the trace ratio is 3/8. Figure 10(a) shows the trace ratio corresponding to different numbers of consecutive compromised nodes en route or close to a route. In this case, A needs to compromise at least 7 consecutive nodes to trace the whole route. However, even with that information, A can not identify the source with certainty.

2) Two hops distance: the distance between nodes compromised by A is two hops. For example, if n_1 and n_3 are compromised, then A learns four hops en route, and the trace ratio is 4/8 = 1/2. Figure 10(b) shows the trace ratio corresponding to different numbers of compromised nodes with two hops from one to another. To trace the whole route, A needs to compromise at least 4 nodes.

3) Three hops distance: the distance between compromised nodes is three hops. For example, if n_1 and n_4 are compromised, then A learns four hops en route, and the trace ratio is 4/8 = 1/2. This is the same as case 2.

[Fig. 10. Trace ratio corresponding to different types of colluding: (a) consecutive compromising, (b) non-consecutive compromising. Both panels plot the trace ratio against the number of compromised nodes.]

The above analysis and the results in Figure 10 show that the lower bound for A to fully trace a route requires A to compromise half the number of nodes en route or close to a route. In other words, if less than ε = 1/2 of nodes en route or close to a route are compromised, the adversary is not able to fully trace the route.

2) Other attacks: Finally we discuss counter-measures to other attacks described in section III-B.

* Timing attacks can be thwarted by introducing a random delay before message re-transmission. Timing attacks do not help the adversary gain the identities of source or intermediaries.
* Onion recording: Repeated onions allow an adversary to learn that several messages might have been originated from a same source (the cached onion may be used by different nodes), but they do not identify the source. Such a threat can be reduced if we shorten the life-time of cached onions.
* Tampering: An adversary may tamper with a route request, a route response, or an encrypted onion. Tampering with a route request may cause the request to be dropped or be propagated to a wrong destination. Tampering with a route response may cause an originator to not be able to receive the response, or to receive an invalid response. Tampering with an onion during message transmission will cause the next intermediary to not be able to decrypt the onion, and therefore drop the message. All these attacks do not help an adversary identify the source, or trace a route in use. The tampering can be prevented by enforcing authentication, which is an orthogonal topic to our paper.
* Packet dropping or injecting: When a message gets dropped, the source usually re-sends the message. If a node injects a route request to the network, it will receive a route response from a destination. If a node injects invalid onions to the network, the onions will be dropped by other nodes (unable to decrypt). Both packet dropping and injecting do not help an adversary to achieve his goals.

B. Comparison of privacy features to other protocols

From analysis of Section III-B we see both DSR and AODV provide almost no privacy. For example, an eavesdropper en route or close to a route learns identities of all


nodes en route from a single intercepted message in DSR. AODV allows an active adversary to learn the topology of the network by repeatedly issuing route discovery. Our protocol achieves source anonymity and route secrecy. During the route discovery, an intermediary only knows the identity of the destination and the previous intermediary, but not whether the latter was the request originator. The route constructed by iterated-encryption protects the identities of intermediaries. To fully trace a route, an adversary has to compromise at least half the number of nodes en route or close to the route. We note ANODR [15] provides better privacy than our protocol, but with a much higher overhead in computation, storage, and communication.

VI. OVERHEAD

A. Overhead in route discovery

We base our estimate of the overhead of DSR, our protocol and ANODR on the following facts and assumptions:

* Nodes are uniformly distributed in the network, and the average travel distance of a route request is 10 hops.
* For ANODR, the field length of source, destination, and route pseudonym is 128 bits. The length of the other nonce is 40 bits. Let the average size of onions be 600 bits. For our protocol, the length of the identifier of a node is 40 bits, which is the same as the nonce in ANODR. The size of an acknowledgment is 40 bits.
* When public-key encryption is used, we assume the use of ECAES (160-bit key), with an encryption time of 160ms, and decryption time of 42ms. When symmetric encryption is used, we assume the use of AES (128-bit key & block). The encryption/decryption speed of AES is 29.1/29.2Mbps. The above computation time is based on iPAQ3670 pocket PC with Intel StrongARM 206MHz CPU.
* The maximum packet size for the three protocols is 1500 bytes. The channel capacity is 2 Mbits/second. (Windows systems are limited to a maximum payload size of 1380 bytes for TCP packets.)

1) Route discovery time by DSR. The route request by DSR has the format REQ = (rid, , rrcd, D), where rrcd is the route record used to keep the sequence of hops traveled as the request is propagated through the network. The route response has the format RES = (rid, rrcd). According to the assumptions above, for a path with 8 hops, the route discovery time can be estimated to be 4.82 milliseconds.

2) Overhead of ANODR and our approach. We compare the overhead of computation, storage, and communication between our approach and ANODR for a route discovery with a length of 8 hops. The computation overhead refers to how much time is spent on public-key and symmetric-key encryptions and decryptions; storage overhead refers to how much space is required to keep secrets, public/private keys, lists, and pseudonyms, etc; communication overhead refers to the amount of data being sent through the network. Using the above assumptions, the computation time of ANODR is approximately 1.6 seconds, while in our approach it is only 0.17 milliseconds. Our approach increases the route discovery time by 3.54% compared to DSR, while ANODR takes significantly longer time (more than 330 times that of DSR) to perform a route discovery. The storage costs for ANODR and our approach are estimated to be approximately 12.7Mb and 62kb respectively. The communication costs of ANODR and our approach are 417kb resp. 81 kb.

By analysis, we identify two reasons responsible for the big difference in costs between our approach and ANODR. One is that ANODR adopts public cryptography, but we do not. Another reason is related to the use of onion encryption. Onions are encrypted on the way out in ANODR [15], i.e., from the request initiator to every direction in the network, while the onion encryption occurs only on the returning way in our approach.

To understand the big difference between ANODR and our protocol, it is worth taking a look at the two approaches in more detail. Figure 1 and 11 show the processes of route discovery from S to D in the two protocols. In Figure 1, a route is constructed on the return path by D and intermediaries n_5, n_4, n_3, n_2 and n_1. Each intermediary adds one layer to the received onion. Onions only occur on the return path. However, in Figure 11, the onion is a part of a route request. As the route requests travel away from S, onions get bigger and bigger (more layers). They are propagated in all directions from S without any explicit terminating condition. On the return path, each hop "costs" two public-key operations, two symmetric-key operations (one is used to peel off one layer of an onion), and one comparison. These operations add a heavy computational burden to nodes on the route.

We will now take a look at the costs of the WAR [2] protocol in a network with the same topology as in Figure 1 and 11. In WAR, S selects multiple intermediaries at random. Such randomness is just like no route discovery or "blind" flooding. Given that S has no knowledge of the network topology in this multi-hop environment, S can not find a route to D.

We use the same assumption as in Section VI-A to estimate the length of control bytes of the protocols when sending a message, i.e., 8 hops route, 600 bits onion on average, 128 bits route pseudonym. The comparison of control ratios with DSR, ANODR, and our approach is summarized in Table I.

TABLE I
COMPARISON OF LENGTH OF CONTROL MESSAGE VIA PACKET SIZE BETWEEN DIFFERENT PROTOCOLS WHEN SENDING MESSAGES

Protocol       | Control message (byte)  | R = Control msg/Packet size
               |                         | 512-byte packet | 1024-byte packet | 1500-byte packet
DSR            | 40                      | 7.81%           | 3.91%            | 2.67%
Discount-ANODR | 150 (first packet)      | 29.30%          | 14.65%           | 10.00%
               | 75 (succeeding packet)  | 14.65%          | 7.30%            | 5.00%
ANODR          | 16                      | 3.13%           | 1.56%            | 1.07%

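The ANODR return-path cost described above (two public-key and two symmetric-key operations per hop) can be totalled from the stated timing assumptions. This is an added example, not a calculation from the paper: it covers only the return-path operations, treats the comparison as free, and assumes, following the Fig. 11 legend, that each pair of operations is one encryption and one decryption.

```python
# Added illustration: return-path cost model built from the page's assumptions.
PK_ENC_MS = 160.0     # ECAES (160-bit key) encryption time, from the page
PK_DEC_MS = 42.0      # ECAES decryption time, from the page
AES_ENC_MBPS = 29.1   # AES (128-bit) encryption speed, from the page
AES_DEC_MBPS = 29.2   # AES (128-bit) decryption speed, from the page
ONION_BITS = 600      # average onion size, from the page


def aes_ms(bits, mbps):
    """Time in milliseconds to process `bits` at `mbps` megabits per second."""
    return bits / (mbps * 1e6) * 1e3


def anodr_return_hop_ms(onion_bits=ONION_BITS):
    """Return (public_key_ms, symmetric_ms) for one ANODR return-path hop.

    Assumption: the two public-key operations are one encryption and one
    decryption, and likewise for the two symmetric-key operations.
    """
    public = PK_ENC_MS + PK_DEC_MS
    symmetric = (aes_ms(onion_bits, AES_ENC_MBPS)
                 + aes_ms(onion_bits, AES_DEC_MBPS))
    return public, symmetric


def return_path_cost(hops=8, onion_bits=ONION_BITS):
    """Total the per-hop cost over a route; all times in milliseconds."""
    if hops < 1:
        raise ValueError("a route needs at least one hop")
    public, symmetric = anodr_return_hop_ms(onion_bits)
    total = hops * (public + symmetric)
    return {
        "public_ms": hops * public,
        "symmetric_ms": hops * symmetric,  # what remains without public-key ops
        "total_ms": total,
        "symmetric_share": hops * symmetric / total,
    }


if __name__ == "__main__":
    for name, value in return_path_cost().items():
        print(f"{name:16s} {value:.6f}")
```

For the 8-hop route used throughout the analysis, the public-key operations account for about 1.6 seconds, while the symmetric operations on a 600-bit onion add well under a millisecond.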

[Fig. 11. An example of route discovery by ANODR. Legend: route request propagation, including one trap-door opening, one symmetric encryption, and one comparison; route construction with public crypto, including one public decryption, one symmetric decryption, one symmetric encryption, one comparison, and one public encryption; one-layer to six-layer onions.]

The control-to-message ratio of ANODR is smaller than that of both DSR and our protocol in the packet transmission phase. However, it is easy to see that the overhead is shifted to the route discovery in ANODR. In an 8-hop route discovery, the communication overhead is approximately 52125 bytes, while it is only 10125 bytes in our protocol.

Table I shows how the control-to-message ratios decrease [...] first packet is high due to the construction of the return path. It gets lower in the succeeding communication. We recommend using 1024 bytes as the packet size in our protocol.

VII. CONCLUSION

We propose an approach - Discount ANODR - for anonymous on demand routing in mobile ad hoc networks. We provide peer-to-peer privacy of both payload and control messages using a cryptographically lightweight protocol relying solely on symmetric cryptography for its operation. As a result, we achieve substantially lower computation and communication complexity in comparison with functionally related proposals, at the cost of only a minor reduction of privacy guarantees. Effectively, however, the achieved reduction of the burden [...] deployment of a privacy preserving technique of this type; thus, we argue that we actually enhance privacy guarantees (in comparison to the status quo) as opposed to degrading them. Our proposal achieves source anonymity and routing privacy. As long as less than half of the nodes close to [...] compromised, [...] unable to trace a route. The overhead analysis indicates our approach increases the route discovery time over DSR for a typical application by less than an estimated four percent, making our protocol particularly suitable to use in ad hoc networks with high mobility. In terms of future work, we plan to quantify the relationship between the biased-coin and the traffic reduction of the request flooding versus the probability of route discovery. We also plan to extend our work to BGP on the Internet.

ACKNOWLEDGMENTS

The authors thank Dr. Xiaofeng Wang for his helpful feedback on the format of the article. We also appreciate the reviewers' helpful comments and suggestions.

REFERENCES

[1] L. Ahn, A. Bortz, and N.J. Hopper. k-anonymous message transmission. In Proceedings of the 10th ACM conference on Computer and Communications Security, pages 22-130, Washington D.C., USA, 2003.
[2] M. Blaze, J. Ioannidis, A. D. Keromytis, T. Malkin, and A. Rubin. Protocols for anonymity in wireless networks. In Proceedings of the 11th International Workshop on Security Protocols, Cambridge, England, April 200.
[3] S. Capkun, J. P. Hubaux, and M. Jakobsson. Secure and privacy-preserving communication in hybrid ad hoc networks. Technical report ic/2004/10, EPFL-DI-ICA, January 2004.
[4] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. In Proceedings of Communications of the ACM, 24(2), pages 245-253, 1981.
[5] D. Chaum. The dining cryptographers problem: Unconditional sender and recipient untraceability. Journal of Cryptology, 1(1):65-75, 1988.
[6] R. Dingledine, N. Mathewson, and P. Syverson. Tor: The second generation onion router. In Proceedings of the 13th USENIX Security Symposium, August 2004.
[7] D. Goldschlag, M. Reed, and P. Syverson. Onion routing for anonymous and private internet connections. Communications of the ACM (USA), 42(2):39-41, 1999.
[8] Y. C. Hu, D. B. Johnson, and A. Perrig. Sead: Secure efficient distance vector routing for mobile wireless ad hoc networks. Ad Hoc Networks Journal, pages 175-192, 1 2003.
[9] Y. C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A secure on demand routing protocol for ad hoc networks. In MobiCom '02, Atlanta, Georgia, USA, September 23-2 2002.
[10] Y. C. Hu, A. Perrig, and D. B. Johnson. Efficient security mechanisms for routing protocols. In Proceedings of the Tenth Annual Network and Distributed System Security Symposium (NDSS), 2003.
[11] Y. C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: A defense against wormhole attacks in wireless networks. In IEEE Infocom, 2003.
[12] Y. C. Hu, A. Perrig, and D. B. Johnson. Rushing attacks and defense in wireless ad hoc network routing protocols. In ACM Workshop on Wireless Security (WiSe), 2003.
[13] D. B. Johnson and D. A. Maltz. Mobile Computing, volume 353, chapter Dynamic Source Routing in Ad Hoc Wireless Networks. Kluwer Academic Publishers, 1996.
[14] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk. Enhancing source-location privacy in sensor network routing. In Proceedings of the 25th IEEE International Conference on Distributed Computing Systems, 2005.
[15] J. Kong and X. Hong. ANODR: ANonymous On Demand Routing with untraceable routes for mobile ad-hoc networks. In ACM MOBIHOC '03, 2003.
[16] C. Perkins. Ad-hoc on-demand distance vector routing. In MILCOM '97 panel on Ad Hoc Networks, Nov 1997.
[17] A. Perrig, R. Canetti, D. Song, and J. D. Tygar. Efficient and secure source authentication for multicast. In Proceedings of Network and Distributed System Security Symposium, February 2001.
[18] M. Reed, P. Syverson, and D. Goldschlag. Proxies for anonymous routing. In 12th Annual Computer Security Applications Conference, pages 95-104. IEEE, Dec 1995.


[19] M. Reed, P. Syverson, and D. Goldschlag. Anonymous connections and onion routing. IEEE Journal of Selected Areas in Communications, 16(4):482-494, May 1998.
[20] M. K. Reiter and A. D. Rubin. Crowds: Anonymity for web transactions. ACM Transactions on Information and System Security, 1(1), June 1998.
[21] C. Shields and B. N. Levine. A protocol for anonymous communication over the internet. In Proceedings of the 7th ACM Conference on Computer and Communications Security, Athens, Greece, 2000.
[22] B. R. Waters, E. W. Felten, and A. Sahai. Receiver anonymity via incomparable public keys. In Proceedings of the 10th ACM conference on Computer and communication security, 2003.
