MuON: Epidemic based mutual anonymity in unstructured P2P ...bkchoi/COMPNW_3689.pdfUNCORRECTED PROOF...
Transcript of MuON: Epidemic based mutual anonymity in unstructured P2P ...bkchoi/COMPNW_3689.pdfUNCORRECTED PROOF...
-
1
2
3
4
5
67
8
9
10
11
12
13
14
15
16
17
18
19
2021
Available online at www.sciencedirect.com
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
Computer Networks xxx (2007) xxx–xxx
www.elsevier.com/locate/comnet
RO
OFMuON: Epidemic based mutual anonymity in unstructuredP2P networks q
Neelesh Bansod 1, Ashish Malgi 2, Byung K. Choi *, Jean Mayo
Department of Computer Science, Michigan Technological University, 1400 Townsend Drive, Houghton, MI 49931, United States
Received 19 June 2007; received in revised form 21 October 2007; accepted 14 November 2007
Responsible Editor: M. van Steen
PREC
TEDAbstractA mutual anonymity system enables communication between a client and a service provider without revealing their
identities. In general, the anonymity guarantees made by the protocol are enhanced when a large number of participantsare recruited into the anonymity system. Peer-to-peer (P2P) systems are able to attract a large number of nodes and henceare highly suitable for anonymity systems. However, the churn (changes in system membership) within P2P networks,poses a significant challenge for low-bandwidth reliable anonymous communication in these networks.
This paper presents MuON, a protocol to achieve mutual anonymity in unstructured P2P networks. MuON leveragesepidemic-style data dissemination to deal with churn. Simulation results and security analysis indicate that MuON pro-vides mutual anonymity in networks with high churn, while maintaining predictable latencies, high reliability, and lowcommunication overhead.� 2007 Published by Elsevier B.V.
Keywords: Unstructured peer-to-peer (P2P) networks; Anonymity; Reliability; Epidemic protocol
UN
CO
R
22
23
24
25
26
27
28
29
30
31
32
33
1389-1286/$ - see front matter � 2007 Published by Elsevier B.V.doi:10.1016/j.comnet.2007.11.011
q This material is based in part on work supported by theNational Science Foundation under Grant No. CCR-9984682.Any opinions, findings, conclusions or recommendations ex-pressed in this material are those of the author(s) and do notnecessarily reflect the views of the National Science Foundation.An earlier version of MuON was presented at IEEE ICNP 2005in Boston MA.
* Corresponding author. Tel.: +1 906 487 3472; fax: +1 906 4872283.
E-mail addresses: [email protected] (N. Bansod), [email protected] (A. Malgi), [email protected] (B.K. Choi), [email protected] (J. Mayo).
1 Currently affiliated with Redback Networks, San Jose, CA95134, United States.
2 Currently affiliated with Microsoft Corporation, Redmond,WA 98052, United States.
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
1. Introduction
Reliable anonymous communication is requiredby certain online services operating over untrustednetworks. Anonymity is needed to prevent third par-ties (or adversaries) from gathering informationrelated to services and their clients. Examples of suchapplications include banking, e-voting, file sharingand searching, etc. Most online services have a com-mon model of interactions. A client (the initiator)sends a request to a node (the responder) that pro-vides the service; the responder processes the request,and sends the corresponding response to the initia-
idemic based mutual anonymity in unstructured ..., Com-
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]
-
T
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
2 N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
UN
CO
RR
EC
tor. Based on this model of interactions, differenttypes of anonymity [1–3] can be provided to applica-tions: initiator anonymity, responder anonymity,mutual anonymity and unlinkability. Initiator ano-nymity hides the identity of the initiator from theresponder and adversary. Responder anonymity hidesthe identity of the responder from the initiator andadversary. Mutual anonymity provides both initiatoranonymity and responder anonymity. Unlinkabilitymeans that the initiator and responder cannot beidentified as communicating with each other, eventhough they can be identified as participating in somecommunication. All the terms related to anonymityresearch are well defined in [4].
Existing anonymity solutions use one of severalbasic approaches to achieve different forms of ano-nymity. In the simplest approach, a single proxy isused for communication between initiator andresponder [5,6]. However, this approach fails if theproxy is compromised to reveal the identities ofthe communicating parties. Many anonymity proto-cols [7–10,2,11] overcome this single point of failureusing indirection; messages from the sender (initia-tor/responder) are routed through intermediaterelay nodes till they reach the final destination(responder/initiator). Finally, other protocols [12–14] provide anonymous communication by multi-casting messages to a group of nodes. It is impor-tant to note that in these last two approaches, theanonymity in the system improves as the numberof participant nodes increases.
This paper presents MuON, a protocol thatshows a good potential to provide reliable, mutuallyanonymous communication with unlinkability.Inspired by the idea of multicasting, MuON usesepidemic-style data dissemination [15–17] to achievereliable communication with the desired anonymityproperties. As seen in prior work [15,17], epidemicprotocols are much more efficient than reliable mul-ticasting protocols. Intuitively, by broadcastingevery communication message to all members reli-ably, this type of protocol should provide a veryhigh potential to achieve anonymity. At the sametime, however, broadcasting every message createsa concern on the inefficient use of limited networkbandwidth. Thus, in general, limiting the scope ofbroadcast without (much) sacrificing the reliabilitywill be an issue in this line of approach. This paperaims at extensively investigating a single scope ofbroadcasting using an epidemic protocol. To thebest of our knowledge, this is the first study to usean epidemic protocol to provide anonymity. Multi-
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
ED
PR
OO
F
ple broadcast groups-based approaches will be theimportant future work.
MuON operates over unstructured P2P networks(such as the Gnutella file sharing system), which areknown to be able to attract a large number of partic-ipants. Other anonymity protocols have beendesigned to operate over P2P networks. These proto-cols have used different kinds of P2P networks suchas structured P2P systems [11], IP layer P2P systems[9] and hybrid P2P systems [3]. An unstructured P2Pnetwork does not impose a structure on its partici-pant nodes and thus has several desirable character-istics such as administrative ease, ease of deploymentand self-organization. However, unstructured P2Pnetworks pose significant challenges. For exampleGnutella is known to consume high bandwidth[18]. Other studies [19] have shown that P2P systemsexhibit high churn (changes in system membership);peers frequently leave/join the network and mostpeers are connected to the overlay for a short periodof time. Further, the nodes within the P2P networkcannot be trusted. Peers may attempt to tamper withmessages, masquerade as the responder, drop mes-sages that they are supposed to forward, collude toviolate the anonymity guarantees, or subvert theprotocol by any other means.
Earlier work of MuON was presented previouslyin [20] and was shown to provide high reliabilitywhile maintaining low latencies and low overhead.Here we present an extended version of MuON withenhanced anonymity guarantees and additional per-formance metrics. The modifications ensure that theprotocol terminates in dynamic networks withoutlosing anonymity or reliability, thus bounding theconsumed network resources. MuON has also beenextended to operate without a trusted PKI (publickey infrastructure). The extended version alsoincludes modifications that enable MuON to with-stand intersection attacks.
The paper is organized as follows: Section 2 sum-marizes the prior approaches for anonymity andintroduces epidemic protocols. Section 3.1 discussesthe goals of MuON. Section 3 describes MuON indetail, followed by the anonymity and performanceevaluations in Section 4. The contributions andfuture work are summarized in Section 5.
2. Related work and motivation
This section reviews epidemic protocols and priorsystems providing different kinds of anonymity overvarious network architectures.
idemic based mutual anonymity in unstructured ..., Com-
-
T
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx 3
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
UN
CO
RR
EC
2.1. Anonymity by mixes
Systems like Mix-Net [21], Babel [22], MorphMix[23] and Mixminion [24] are based on mix-networks.These systems hide communication by encryptingmessages in layers of public key cryptography, andrelaying messages through a group of dedicatedmessage relays called ‘mixes’. Each mix decrypts,delays and reorders messages before relaying themto another mix. While these systems achieve stronganonymity guarantees, the randomly introduceddelays can result in high latencies unsuitable forinteractive applications.
2.2. Anonymity by proxy
Systems like Anonymizer [5], Lucent PersonalizedWeb Assistant [6], PRA:Proxy for Responder Ano-nymity [12] and APFS Unicast [12] use an intermedi-ate proxy to provide anonymity. As these systemstrust the proxy for performance and anonymityguarantees, they are vulnerable to failure if theproxy is compromised or if the proxy fails.
2.3. Anonymity by single-path forwarding
Many anonymity protocols forward messagesalong a single anonymous path, formed throughthe group of nodes within the infrastructure. Thisanonymous path can be specifically created, or isformed by random forwarding.
Onion Routing [10] provides anonymous com-munication using a dedicated set of message relayscalled ‘onion routers’. The sender selects a pathfrom the set of onion routers. It then wraps thedata within encrypted layers to form an onion.The innermost layer of encryption in the onionuses the encryption key of the path’s last hop,while the outermost layer uses the encryption keyof the path’s first hop. Onion routers co-operateand forward the onion from the sender to thedestination.
Several systems use onion routing to create tun-nels for anonymous communication. Tor [8] pro-vides mutual anonymity by creating tunnels torendezvous points, while Tarzan [9] provides initia-tor anonymity by building tunnels through an IPlayer P2P system. Similarly, MorphMix [23] createsanonymous tunnels through P2P networks usingnested encryption. TAP [11] uses replicated tunnelsto provide reliable anonymous communication onlywithin structured P2P networks.
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
ED
PR
OO
F
Xiao et al. [3] propose protocols that use hybridP2P networks to provide mutual anonymity. Trustedthird parties coordinate anonymous message trans-fers between communicating entities. Crowds [2] pro-vides initiator anonymity using random forwarding.Messages are sent to a randomly chosen peer called ajondo. Each jondo then randomly decides to eithersend the message to the responder or to anotherjondo.
In networks with high churn (nodes frequentlyjoin and leave the P2P network), approaches usingsingle anonymous paths are likely to suffer from pathlosses. Consider an anonymous path through nnodes. If p is the probability of a node leaving theoverlay, then a given path is valid with a probabilityof ð1� pÞn. With increasing path lengths (increasingn) and increasing network churn (increasing p), theprobability that a given path remains valid dimin-ishes. Hence approaches using a single-path willincur with greater probability, the additional over-head of detecting and rebuilding failed paths. Provid-ing this kind of fault tolerance can be a high overheadoperation and has not been extensively explored inthe context of maintaining anonymity guarantees.
2.4. Anonymity by group communication
Many systems like APFS Multicast [12] andHordes [14] multicast messages within a large groupto achieve anonymous communication. LikewiseGAP [7] uses controlled flooding to send a messagethroughout the network, while P5 [13] defines a log-ical hierarchy of broadcast groups, sending mes-sages to groups of different sizes.
Protocols that depend on group communicationprimitives are ideally suited for networks with highchurn, because the departure of a few nodes doesnot substantially impact the communication betweenthe sender and receiver. Previous work [14] also indi-cates that the use of multicasting helps reducecommunication latencies. However, the lack ofwidespread deployment of IP multicast infrastructureinhibits deployment of protocols based on this type ofmulticast [12,13]. GAP [7] takes a different approach,but achieves reliability by flooding, which may notscale well in large unstructured P2P networks.
2.5. Epidemic protocols
Epidemic (or gossip) protocols [25] are a well-studied class of protocols for low-cost reliable datadissemination within groups. They have been shown
idemic based mutual anonymity in unstructured ..., Com-
-
T231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
p
q
r
s
M0
Gossip message
Message ‘pull’
t2t0 t1 t3 t4 t5 t6
Fig. 1. Epidemic protocols.
3 Though messages between peers are sent unreliably, MuONreliably transfers messages between communicating entities.
4 N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
UN
CO
RR
EC
to be much more efficient than flooding basedapproaches [26,27]. Epidemic protocols providehigher reliability and scalability while using lowerbandwidth [16], when compared to other reliablemulticast protocols. They provide a bimodal guaran-tee of reliability [15]; a message reaches all membersof the group with a high probability, and the proba-bility that it will reach to just a few members of thegroup is very low. Studies have shown that the timerequired to disseminate data to the entire group islogðNÞ, where N is the number of nodes in the group.Due to these desirable characteristics, MuON usesan epidemic-style protocol for data dissemination.
A simplified gossip protocol is depicted in Fig. 1.Each node runs several rounds of the gossip proto-col. In each round, a node selects a random node asits gossip target. The node sends the gossip target(s)a gossip message containing a list of message identi-fiers that it has heard (indicated by dotted linesbetween nodes). If the list contains a message iden-tifier which the gossip target has not received, thegossip target will request the node to send it (indi-cated by solid lines between nodes).
Three important parameters impact gossip proto-col performance. First is the number of gossip tar-gets FanOut used in each round. (FanOut is two inthe figure.). The second parameter is the timeDinterval between successive protocol rounds. (In thefigure, as node p starts gossip rounds at time t1and t6, the Dinterval is t6� t1.). The final parameteris the number of rounds GC that a message is gos-siped. These parameters determine the speed andefficiency of the protocol and have been rigorouslystudied by Birman et al. [15].
3. MuON
This section describes the details of MuON. Wefirst give the goals, notation, system model andassumptions for deploying MuON, followed by a
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
description of the basic data dissemination proto-col. Finally, we describe the use of this data dissem-ination protocol to effect communication, betweeninitiator and responder, with the desired properties.
ED
PR
OO
F
3.1. Goals of MuON
MuON aims to balance between performanceand anonymity in dynamic P2P networks. The maingoals are described below:
1. Mutual Anonymity: Initiators and responders cancommunicate without knowing the actual iden-tity of the other communicating party.
2. Unlinkability: Communication between initiatorsand responders cannot be correlated.
3. Bounded Latency: Latency is bounded.4. Reliability: Reliable communication between ini-
tiator and responder(s).5. Communication Overhead: Overhead incurred by
a peer should be low.6. Scalability: Metrics like reliability, anonymity,
latency and overhead should scale well with theP2P network size and churn.
7. Integrity and Confidentiality: Peers cannot mod-ify messages in-transit and cannot masqueradeas responders; requests can be read only by theintended responder; responses can be read onlyby the appropriate initiator.
3.2. System model
MuON operates over an unstructured P2P net-work. Let N be the number of nodes within theoverlay. We assume that nodes within the overlayknow at least logðNÞ other peers in the overlay. Thismembership list for epidemic protocols can be main-tained using services such as SCAMP [28], ‘‘PeerSampling Service” [29], and DIMPLE [30]. MuONassumes that all initiators and responders are mem-bers of the P2P network. All protocol messages uselow-cost unreliable transport (UDP) for communi-cation.3 Each peer is associated with a unique publickey, which is used in lieu of actual node identities.The message sending protocol of MuON ensuresthat mutual anonymity and unlinkability are main-tained, while the use of public and session keysmaintains data integrity and confidentiality. The
idemic based mutual anonymity in unstructured ..., Com-
-
T
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx 5
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
UN
CO
RR
EC
public keys are not tied to any specific algorithm;for example incomparable public keys [31] couldbe used.
To access a service in MuON, initiators requirethe public keys of peers that provide the corre-sponding service. MuON provides the ability to per-form an anonymous network-wide search to map asearch query (i.e. a desired service) to a set of publickeys. Alternately a trusted PKI may be used to pro-vide correct public keys corresponding to a searchquery. It is interesting to note that the communica-tion between the PKI and the initiator must beanonymous. However, it is easy to conceive thePKI as a service within MuON, whose public keyis well known and distributed out-of-band.
Peers are assumed to have approximately syn-chronized clocks; the difference between clock read-ings of any two peers at a single instant of time(called the clock skew) is within a known bound.Clocks may be synchronized in hardware, software,or some hybrid combination [32–34]. The increasingavailability of global positioning system (GPS)based hardware allows physically dispersed systemsto be synchronized [35] with a clock skew of a fewmicroseconds4 via their mutual synchronization toCoordinated Universal Time (UTC).5
Throughout this paper, the adversary is assumedto be passive and external. Depending on attacks,the adversary may be either local or global.
This paper considers logical network topologiesinduced by membership services, such as SCAMP[28] and DIMPLE [30], which are used for epidemicprotocols. One common assumption in epidemicprotocols is that each node can randomly selectlogðNÞ different nodes (fanout) in each cycle. Asthe network size grows, providing such informationfor each node is difficult for centralized service.Hence distributed algorithms and protocols havebeen sought in an effort to provide such membershipinformation in a scalable manner. One commonapproach in that line of work is to locate a tiny sub-set (local view) of the entire membership at eachnode, and have the nodes exchange part of the localview with that of another randomly chosen node;this is known as shuffling. This seemingly simpleoperation in fact produces local views populatedfrom the entire membership randomly and uni-formly [36,37]. Thus a node knows at least as many
4 Evaluation (Section 4) shows that MuON tolerates clockskews up to 18 � RTT (RTT = round trip time of UDP).
5 UTC is independent of local timezone and daylight savings.
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
ED
PR
OO
F
nodes as the size of the local view. At any giveninstance, we can create a graph (called knowledgegraph) reflecting the induced logical topology byadding an edge from P to Q if P knows Q. Asreported in [37,30], such a knowledge graph is a ran-dom graph with the same number of nodes andedges. Assuming that MuON uses such a member-ship service, the network topology remains randomindependently of the physical networking.
Obviously, this claim does not directly involveshuffle message loss due to possible network conges-tion patterns. While congestion-embedded simula-tion would produce more realistic outcomes,applying flat message loss rates seems to be an alter-native to focus on the effectiveness of the reliablebroadcasting of MuON. Adopting this argument,this paper uses the simplified approach of using10% packet loss rate throughout the simulation.Using network congestion patterns in simulationremains as future work.
An interesting question is whether this idea isdirectly applicable to wireless ad hoc mobile net-works (MANET). The fundamental differencebetween MANETs and wired P2P systems is thatwhile a peer can directly communicate with anotherpeer using the underlying routing infrastructure, amobile node is not able to without having otherintermediate nodes forward a packet toward a des-tination in MANET. As a result, gossiping to fan-out nodes would involve many other intermediatenodes in MANET. This, in turn, would makeMuON-like gossiping impractical. Fundamentalresearch needs to be done to support effective gos-siping for MANET. The original question ofwhether MuON-like anonymous communicationprotocols can exist for MANET then could beanswered after such fundamental work. This paperleaves this question open for future work.
3.3. Notation
The protocol uses the following notation.
Notation
idemic based mu
Description
ksession
Symmetric session key
kþA , k
�A
Public and private key of node Ar1
Nonce
fdatagks
data encrypted/signed using key ks (ksis public, private or session key)
HðdataÞ
Cryptographic hash (e.g. SHA-1)computed over data
tual anonymity in unstructured ..., Com-
-
398399
400401
402403
404405
406
407408
409
410
411
412
413
414415
416417
418419
420421
422
423424
425426
427428
429430
431
432433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
6 N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
self
6 This assumpresponses (e.g. filetions, MuON achto other group coanticipate that Mfor applicationsrequire reliableevaluated in this
Please cite thisput. Netw. (20
IP-address of node
pinter
Intermediate probabilityYB,MSG
a, b
Bounds on epidemic lifetimes
B
A,MSG
X, MSG
QUERY_HDR
Search query initiated by I . Format is{T deadline, kþI , query}.
A PX X,MSG
MSG_HDRF
MESSAGE TRANSFER
MESSAGE HEADERS
A,MSG
Node X communicating to Y.
Header associated with MSG. Formatis {T deadline, currOwner, hdr, H(hdr)}.Contents of hdr are defined in Section3.5. If MSG_HDR is associated with aMSG, MSG_HDR. currOwner is non-nulland indicates the node owning MSG.
OT current Current time on synchronized clockFig. 2. Message sent from node X to Y.
T join
T current recorded at start of session
T deadline
Time at which message is invalidated454
skewmax
455
Bounds on the clock skew within thesystem (accuracy is �skewmax)
456
Dinterval
Interval between successive rounds
457
Davg
Average life of peers in the system
458
FanOut
Number of gossip targets per round
459
GC
460
Number of rounds message isgossiped
461
MSG Data (request/response) messageT462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
NCOR
REC
3.4. Data dissemination in MuON
MuON’s data dissemination protocol is unidirec-tional; it is used to send requests from an initiator toa responder and then again to send a response fromthe responder to the initiator. This protocol is thenused for sending messages between initiators andresponders and also for mapping services to the cor-responding public keys (discussed in Section 3.5).
The data dissemination protocol operates via themessages MSG_HDR and MSG. MSG_HDR containsinformation such as identifiers and cryptographickeys, while MSG encapsulates the associated data.As MSG_HDR contains only protocol data, weassume6 that the size of MSG_HDR is much less thanMSG. The data dissemination protocol is depicted inFig. 2, which shows node X sending MSG to node Y.MuON uses an epidemic protocol to disseminateMSG_HDR to all nodes within the P2P network,while the larger MSG is disseminated to only a few
U 484485486
487
tion holds true in applications with large-transfer and web-browsing). In these applica-ieves substantial bandwidth savings comparedmmunication based anonymity protocols. WeuON will also provide a bandwidth reductionwith small data messages (e.g. e-voting) thatdelivery, though these applications are notpaper.
article in press as: N. Bansod et al., MuON: Ep07), doi:10.1016/j.comnet.2007.11.011
ED
PR
Onodes within the network (shaded within Fig. 2).As explained in detail later, the number of nodeswhich receive MSG depends on the value of pinter.The protocol ensures that the responder always getsMSG. As the larger MSG is not sent to the entire net-work, MuON substantially reduces the bandwidthusage. Also, since multiple nodes within the networkreceive MSG (all the shaded nodes), multiple nodesare potential receivers and senders of MSG, givingMuON its anonymity guarantees. MuON derivesits properties of reliability and bounded latenciesfrom its epidemic nature.
Every node running MuON maintains two buf-fers; one headerBuffer to store the message headersand the other messageBuffer to store the corre-sponding messages. Every node tracks the numberof protocol rounds gossipCount each header hasbeen gossiped. Algorithm 1 describes the detailsfor handling these buffers. Algorithm 2 explainsthe protocol executed by each node after everyDinterval units of time. This algorithm describes anepidemic protocol for disseminating the headers.Each node selects FanOut random nodes from thegroup as gossip targets and sends them a list witheach message header MSG_HDR currently withinheaderBuffer. As given in Algorithm 3, whenever Agets the message, A tries to decrypt7 the message.If A cannot decrypt the message then A performsone of two actions: it may just add the header toits header buffer or with some probability pinter itmay go back and get the corresponding MSG fromB. In the first case, A gossips with its neighbors thatB currently has the message. In the second case,when A gets the MSG from B, it changes the
7 If the decrypted message contains an expected value like aknown identifier or public key, the node can conclude ‘‘success-ful” decryption.
idemic based mutual anonymity in unstructured ..., Com-
-
488
489
490
491
492
493
494
495
496
497
498
499
N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx 7
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
currOwner field of MSG_HDR to A. Thus when A gos-sips the header, it indicates itself as the messageowner. With this property, MuON achieves its ano-nymity guarantees as there are many equiprobableowners of the same message. If A can decrypt themessage, it indicates that the message was intended
UN
CO
RR
EC
T
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
for A and thus A contacts currOwner and pulls themessage. In this case A also gossips with its neigh-bors that it has the message to send. Thus theresponder in MuON behaves exactly the same asany other node in the network (with the exceptionthat it always pulls the message).
ED
PR
OO
F
idemic based mutual anonymity in unstructured ..., Com-
-
T
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
8 N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
UN
CO
RR
EC
3.5. Communication in MuON
This subsection first describes how a node withinMuON can anonymously obtain the public key of aresponder. We then describe how the data dissemi-nation protocol is used for anonymous communica-tion between initiator and responder.
Obtaining public keys of responders: To obtainpublic keys of responders providing a service, an ini-tiator I multicasts a search-query describing theservice by invoking sendQuery(search-query). send-Query encapsulates the search-query and key kþI intoa QUERY_HDR and disseminates it throughout thenetwork using a push-epidemic protocol (The rele-vant portions of Algorithms 2 and 3.). Thus thequery is delivered to each peer within the network.On receiving a search-query, a peer R that providesa matching service anonymously sends its publickey kþR to node I (This is equivalent to invoking send-Message(fkþR gkþI , NULL)). On receiving kþR , node Ican now anonymously access the service.8
Initiator and responder communication: While thedata dissemination protocol achieves anonymity,cryptographic measures are needed to ensure mes-sage integrity and confidentiality. The followingdescribes how the data dissemination protocol isused by initiators and responders for secure anony-mous communication.
Sending a request: An initiator I uses the follow-ing steps to initiate communication with node R bysending the request data.
1. I generates a symmetric session key ksession, whichis used to encrypt all data messages.
2. I generates a nonce r1, which is used to correlateresponses with this request.
3. The MSG is generated as fr1; datagksession.4. I creates a header hdr, corresponding to MSG as
hdr ¼ fr1; ksession; kþI ; fHðDÞgk�I gkþR where D ¼fr1; ksession; kþI ;MSGg and HðÞ is a cryptographichash function.
5. I invokes sendMessage(hdr, MSG).
Responding to a request: Algorithm 3 eventuallydelivers MSG_HDR and MSG to the responder R,which proceeds with the following steps.
588
589
590
591
592
593
8 A query may result in multiple responses. A reputationscheme [38,39] may be used to select one trusted response.
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
ED
PR
OO
F
1. R decrypts hdr using k�R , to obtain ksession, r1 andthe initiator’s public key kþI . R now runs integritychecks with the cryptographic hash.
2. Using ksession, R decrypts MSG to obtain data.3. Let response be the corresponding reply, which R
needs to send to I . R creates MSG ¼ fr1; reponsegksession using ksession and r1 as recovered in step 1.
4. R creates a header hdr corresponding to theresponse as hdr ¼ fr1; fHðDÞgk�R gkþI , where D ¼fr1;MSGg and HðÞ is a cryptographic hashfunction.
5. R invokes sendMessage(hdr,MSG).
3.6. Miscellaneous protocol properties
Epidemic Termination: Epidemic protocolsachieve reliability by gossiping messages until allprotocol participants receive (with very high proba-bility) the message. However, in dynamic P2P net-works, the set of protocol participants changesunpredictably over time. Reaching all protocol par-ticipants would then result in a perpetually surviv-ing epidemic. Hence, MuON requires some othermechanism for termination of the epidemic withoutcompromising its anonymity properties.
A fixed value of GC is not adequate to terminatethe epidemic. Each time a node joins the networkand receives a given header for the first time, it willdisseminate the header GC additional times. Sincethe network membership changes continually, epi-demics may survive perpetually. Another simpleapproach is to choose some maximum integer countof rounds for which a message is propagated. Theinitiator chooses this count value and appends itto the message; each subsequent propagation ofthe message by any node decrements the count byone. When the count reaches zero, the message isno longer propagated. However, implementing thisapproach without sacrificing anonymity is difficult.Suppose each initiator randomly selects the roundcount from within some range of values. Then anynode that chooses the maximum value of the rangecan be identified as initiator.
MuON applies approximately synchronizedclocks toward epidemic termination. A MuONheader originating at time T is associated with adeadline T deadline that specifies the wall-clock timeat which the header is to be invalidated. Thisensures that even in dynamic networks, the associ-ated epidemic terminates at approximately T deadlineand the epidemic has a lifetime of approximatelyT deadline � T .
idemic based mutual anonymity in unstructured ..., Com-
-
T
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx 9
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
CO
RR
EC
If all messages have the same lifetime, a peerdirectly receiving a header from the initiator canguess the identity of the initiator. Hence the messagelifetime is chosen between a and b, where b > a.MuON uses a value of a equal to the maximumcommunication latency for epidemic protocols instatic networks (� log2ðoverlay sizeÞ [15]). Thisensures that with high probability all nodes thatare in the network when the dissemination begins,that remain in the network over the lifetime interval,and that remain reachable, will receive the message.Though all nodes choose a lifetime value between aand b, T deadline is computed by adding the selectedlifetime value to the local synchronized clock value.Since local clocks are only approximately synchro-nized, the identity of the initiator is obscured. UsingT deadline an adversary receiving a header directlyfrom the initiator can guess the message’s time oforigin (and detect the initiator) with a probability
1ðb�aÞ�ð1þ2�skewmaxÞ.
9 Thus clock skew (and clock syn-
chronization) is essential for terminating MuONepidemics anonymously in this way.
Aligning with long-lived nodes: In dynamic P2Pnetworks, peers alternately join and leave the net-work. As discussed in section 15, this continualchange in system membership aids an adversarialattack called an intersection attack. To enhance ano-nymity, peers in MuON pull data messages with aprobability p proportional to the time that haselapsed since joining the system (termed age). Thusin MuON long-lived nodes pull data messages witha higher probability.10 For simplicity, we consider pincreasing linearly with the peer’s age (as computedby method currentProbability in Algorithm 1),though other relations may be suitable dependingon the network model.
4. Evaluation
In this section, we describe MuON’s simulationmodel and evaluate the performance, anonymityand other security guarantees.
UN 675676
677
678
679
680
681
682
683
684
9 If initiator with clock skew skew sends a message at wall-clocktime T , then T deadline ¼ T þ lifetimeþ skew. For a given T deadline,an adversary can guess lifetime with a probability 1b�a and skewwith a probability 11þ2�skewmax.10 P2P applications using MuON for communication, may use
this property to align with the network topology, though detailsare not discussed within this paper.
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
ED
PR
OO
F
4.1. Simulation model
Measurement studies of unstructured P2P net-works [40,19,41] indicate that these systems exhibitdynamic membership, because peers alternately joinand leave the network. Peers participate in the pro-tocol only during the time between joining and leav-ing the network. This time is called the session time(or age) and the resultant dynamism is called thenetwork churn. The network churn is related to theaverage session time of the peers within the net-work. As the average session time decreases, themembership of the P2P network changes at a fasterrate and is said to exhibit a higher churn [42,43].Prior experiences [44,42,43] indicate that networkchurn impacts the performance of protocols overP2P networks. Hence we evaluate MuON overP2P networks of varying sizes and varying churn.
We model network churn using an approach sim-ilar to that described by Liben-Nowell et al. [45].This model has also been used for evaluating distrib-uted hash tables over P2P networks [42,43]. Peerswithin the network are assigned exponentially dis-tributed session times. When a peer reaches the endof its session time, it leaves the network. Prior work[46] has shown that the average session time (amountof churn) within a network depends on the applica-tion. Since MuON is not specific to any application,we simulate networks with varying churn.
Simulating network churn has been relatively welladdressed in the literature. One issue is whether agood mathematical distribution exists to model net-work churn. Some work [47] suggest the use of a dis-tribution function backed up by real measurements,while some others [45] advocate the same methodadopted in this paper. A second issue in simulatingnetwork churn is whether the network size shouldremain constant. A common approach used in theliterature is to maintain a fixed network size in indi-vidual simulation runs. This helps in decoupling theimpact of network size from that of network churn.Furthermore, to simulate networks with varyingsizes, one requires an underlying management ser-vice which can provide the network size dynamically,since epidemic protocol parameters depend on thenetwork size. Estimating network size can be foundin separate work such as [48]. Including dynamicallychanging network sizes and different distributionmodels for network size, would produce more realis-tic outcomes. However, since this paper focuses onanonymity these improvements are left for futurework.
idemic based mutual anonymity in unstructured ..., Com-
-
T
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
olou
r gr
adie
nt
0.6
0.8
1
Reliability
pinter=0.3, skew=3, γ =0
Reliability
10 N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
NC
OR
REC
MuON is simulated using PeerSim [49], a P2Psimulator designed specifically for epidemic proto-cols. The simulator executes the protocol in a seriesof cycles, where the time interval between each cycleis assumed to be sufficient for unidirectional unreli-able (UDP) message transmission with a loss rate of10%.11 This UDP loss rate of 10% is a rough modelof congestion. All time in the simulations is mea-sured in terms of cycles, which is the smallest unitof time within the simulator. In the simulationmodel, a network with churn 0 is a static network,which does not change during the simulation. Atchurn 0, the average session time was chosen as100 cycles (a factor of 10 over the maximum timefor one run of the protocol in a system of 1000nodes), to enable simulation of several rounds ofMuON simultaneously. An increase of 0.1 in net-work churn decreases the average session time ofthe nodes by a factor of 1
10. When a node leaves
the network, another immediately joins, thus keep-ing the overlay size constant. This helps us to under-stand the impact of overlay size and churnindependently. We also model networks with vary-ing clock skew. If the clock skew in a simulated net-work is skew, then the clock skew of each node isselected uniformly between �skew and þskew. Thenode’s clock skew remains constant throughout itslifetime.
In the simulations, FanOut and GC are main-tained at log2ðoverlay sizeÞ and Dinterval is maintainedat one cycle. These parameters are common to allepidemic protocols and their impact on performanceis similar to that determined by previous studies [15].We maintain a ¼ log2ðoverlay sizeÞ and b ¼ 2� a tobound epidemic lifetimes such that message deliverymay be attempted but the epidemic is terminatedeventually. The parameter Davg controls the rateof increase of pcurrent. We simulate two differentapproaches for determining the value of Davg. Inthe first approach (denoted by c ¼ 0), each nodecomputes Davg using the session-time of its previoussessions.12 In the second approach, the membershipservice13 is used to provide Davg. We use the follow-ing values for Davg; 0:5� Dlife;Dlife and 2� Dlife(denoted by c ¼ 1; 2 and 3, respectively) where Dlife
U11 In general, the time required for unidirectional UDP messagetransmission is 0:5� round trip time. Based on reported averageround trip times [50], one cycle is approximately 50–100 ms.12 Davg ¼ 1 during the first session.13 Membership services [28] using unsubscriptions or leases can
estimate the average session-time of participant peers.
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
is the average session time within the network. Thusc ¼ 1; 2 and 3 represents increasing Davg.
ED
PR
OO
F
4.2. Performance evaluation
This section discusses MuON’s performance innetworks with varying sizes and churn. SinceMuON cannot provide reliable communication atchurn 1, we measure performance metrics (otherthan reliability) in networks with churn between 0and 0.8. Performance metrics are averages over mul-tiple messages exchanged between initiator andresponder for a given set of parameters such asskew, c and pinter.
Reliability: The reliability of MuON is measuredby the delivery ratio achieved in networks of varyingsizes and churn. The delivery ratio is the fraction ofthe sent requests that were ultimately delivered atthe final destination. When delivery ratio is one, itindicates that all requests that were sent were even-tually delivered at their destination, thus indicatingreliable communication. Fig. 3 shows the deliveryratio for networks with varying sizes and churn. Itcan be seen that MuON maintains a high deliveryratio of almost one, independent of the overlay sizeand churn. This high reliability indicates its suitabil-ity for highly dynamic P2P networks.
Bounded Communication Latency: One ofMuON’s goal is to achieve communication withina predictably bounded time interval. This character-istic is important from the application’s point ofview; shorter latencies are important for applicationinteractivity while bounded latencies are needed byapplications to set timeouts and detect messagelosses. Since MuON operates over an overlay net-work, we measure the latency in terms of numberof protocol cycles required for the message to be
0 0.1 0.2 c
1000 2000
3000 4000
5000 6000
7000 8000
9000 10000
0 0.2
0.4 0.6
0.8 1
0
0.2
0.4
Overlay SizeChurn
Fig. 3. Reliability.
idemic based mutual anonymity in unstructured ..., Com-
-
OF
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
0
2
4
6
8
10
12
14
0 0.2 0.4 0.6 0.8
Lat
ency
(cy
cles
)
Churn
pinter=0.5, skew=3, overlay size=4000
γ=0γ=1γ=2γ=3
(Average) γ=0(Average) γ=1(Average) γ=2(Average) γ=3
Fig. 6. Impact of Davg on latency.
N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx 11
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
delivered at its destination. (The duration of a pro-tocol cycle corresponds roughly to the time requiredfor delivery and processing of a single UDP mes-sage.). Fig. 4 shows the average number of cyclesrequired for messages to be delivered; the bars indi-cate the variation in the delivery latency. It can beseen that the delivery latency is similar at each net-work size irrespective of network churn, indicatingthat the latencies in MuON are predictable andbounded. The latency does increase sublinearly withincreasing network size, since the message lifetime isproportional to logðnetwork sizeÞ. When a peerpulls a data message, it does not gossip the headertill the data message arrives. Hence as seen in Figs.5 and 6, when data messages are pulled by a greaternumber of peers (caused by increasing pinter anddecreasing Davg), the latency increases marginally.
Epidemic Termination: As discussed in Section3.6, epidemic protocols tend to survive perpetuallyin dynamic networks. MuON terminates messageepidemics by associating a deadline with each headerin a system with approximately synchronized clocks.
UN
CO
RR
EC
T
0
2
4
6
8
10
12
14
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Lat
ency
(cy
cles
)
Overlay Size
pinter=0.5, skew=3, γ=0Churn=0
Churn=0.8(Average) Churn=0
(Average) Churn=0.8
Fig. 4. Latency of message delivery.
0
2
4
6
8
10
12
14
0 0.2 0.4 0.6 0.8
Lat
ency
(cy
cles
)
Churn
skew=3, γ=0, overlay size=4000pinter =0.3pinter =0.8
(Average) p inter =0.3(Average) p inter =0.8
Fig. 5. Impact of pinter on latency.
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
PR
OWe study the effectiveness of this approach by mea-suring the epidemic lifetime in the networks of vary-ing sizes and churn. A message’s epidemic lifetime ismeasured as the duration of time (measured incycles) during which at least one peer actively gossipsthe corresponding header. Figs. 7–10 show that theepidemic lifetime is not affected by overlay size,
ED
15
20
25
30
35
40
1000 2000
3000 4000
5000 6000
7000 8000
9000 10000
0 0.2
0.4 0.6
0.8 0
5
10
15
20
25
30
35
40
Average epidemic lifetime (cycles)
pinter=0.8, skew=3, γ=0
Overlay Size
Churn
Fig. 7. Epidemic lifetime.
0
10
20
30
40
50
60
0 0.2 0.4 0.6 0.8
Ave
rage
epi
dem
ic li
fetim
e (c
ycle
s)
skew=3, γ=0, overlay size=4000
pinter=0.3pinter=0.8
(Average) pinter=0.3(Average) pinter=0.8
Churn
Fig. 8. Impact of pinter on epidemic lifetime.
idemic based mutual anonymity in unstructured ..., Com-
-
CT
OO
F794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
0
10
20
30
40
50
60
0 0.2 0.4 0.6 0.8
Ave
rage
epi
dem
ic li
fetim
e (c
ycle
s)
Churn
pinter=0.5, skew=3, overlay size=4000
γ=0γ=1γ=2γ=3
(Average) γ=0(Average) γ=1(Average) γ=2(Average) γ=3
Fig. 9. Impact of Davg on epidemic lifetime.
0
10
20
30
40
50
60
0 0.2 0.4 0.6 0.8
Ave
rage
epi
dem
ic li
fetim
e (c
ycle
s)
Churn
pinter=0.5, γ=0, overlay size=4000
skew=3skew=9
(Average) skew=3(Average) skew=9
Fig. 10. Impact of skew on epidemic lifetime.
0
1
2
3
4
5
100
0
200
0
300
0
400
0
500
0
600
0
700
0
800
0
900
0
100
00
0
0.2
0.4
0.6
0.8
1
Hea
der
thro
ughp
ut
Dat
a th
roug
hput
Overlay Size
pinter=0.3, skew=3, γ=0Header throughput (Churn 0)Data throughput (Churn 0)
Header throughput (Churn 0.8)Data throughput (Churn 0.8)
Fig. 11. Node overhead.
0
1
2
3
4
5
6
7
0 0.2 0.4 0.6 0.8 0
0.05
0.1
0.15
0.2
0.25
0.3
Hea
der
thro
ughp
ut
Dat
a th
roug
hput
Churn
pinter=0.5, skew=3, overlay size=4000
Header throughput γ=0Data throughput γ=0
Header throughput γ=1Data throughput γ=1
Header throughput γ=2Data throughput γ=2
Header throughput γ=3Data throughput γ=3
Fig. 12. Impact of Davg on node overhead.
12 N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
UN
CO
RR
EDavg, pinter and skew. Fig. 7 shows that MuON suc-cessfully terminates epidemics despite of high churn,though the epidemic lifetime increases gradually.
Node Overhead: When a peer joins MuON, itcontributes its resources to forward messages fromother peers. These resources are needed to send,encrypt, decrypt and store messages and are propor-tional to message size. Similar to prior work in epi-demic protocols [32], we study the node overhead inMuON by measuring the header and data through-put. The throughput is measured as the number ofheader (or data) messages processed per cycle pernode for each anonymous message sent in the net-work. Fig. 11 shows that the throughput is essen-tially independent of the overlay size and increaseswith churn. It can be seen that the throughput oflarger data messages is much lower than the headerthroughput. Header messages are small in size andthus the processing overhead for each header, stor-age and bandwidth is low. MuON uses private/pub-lic key encryption for small headers and fastersymmetric cryptography for large data messages,
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
ED
PRto reduce the encryption overhead. Fig. 12 indicates
that Davg does not significantly impact the nodeoverhead. Fig. 13 shows that the data throughputincreases with pinter, while not impacting the headerthroughput.
Network Resources: MuON’s message sendingprotocol is designed to use low network resourcesas compared to previous multicast-based anonymityprotocols. The network resources can be measuredby the network bandwidth consumed, when onedata message is sent anonymously.
Let HDRsize and DATAsize be the size of header anddata messages, respectively, and N be overlay size.When a message is sent anonymously, a multicast-based anonymity protocol multicasts this messageto N nodes. Hence the consumed bandwidth will beat least N � DATAsize. Note that this is a conservativeestimate, since it ignores the bandwidth consumed bycontrol messages and data message re-transmissionsrequired in the presence of network churn. On the
idemic based mutual anonymity in unstructured ..., Com-
-
TED
PR
OO
F
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
800K
600K
400K
200K
100
0
200
0
300
0
400
0
500
0
600
0
700
0
800
0
900
0
100
00
6K
4K
2KHea
der
tran
sfer
s
Dat
a tr
ansf
ers
Overlay Size
pinter=0.3, skew=3, γ=0
Header transfers (Churn 0)Data transfers (Churn 0)
Header transfers (Churn 0.8)Data transfers (Churn 0.8)
Fig. 14. Network overhead.
220K
180K
140K
100K
60K
20K
0 0.2 0.4 0.6 0.8
10K
8K
6K
4K
2K
Hea
der
tran
sfer
s
Dat
a tr
ansf
ers
Churn
pinter=0.5, skew=3, overlay size=4000
Header transfers γ=0Data transfers γ=0
Header transfers γ=1Data transfers γ=1
Header transfers γ=2Data transfers γ=2
Header transfers γ=3Data transfers γ=3
Fig. 15. Impact of Davg on network overhead.
220K
180K
140K
100K
60K
20K
10K
8K
6K
4K
2K
Hea
der
tran
sfer
s
Dat
a tr
ansf
ers
skew=3, γ=0, overlay size=4000Header transfers pinter=0.3
Data transfers pinter=0.3Header transfers pinter=0.8
Data transfers pinter=0.8
0
1
2
3
4
5
6
7
0 0.2 0.4 0.6 0.8 0
0.05
0.1
0.15
0.2
0.25
0.3
Hea
der
thro
ughp
ut
Dat
a th
roug
hput
Churn
skew=3, γ=0, overlay size=4000Header throughput (p inter=0.3)
Data throughput (pinter=0.3)Header throughput (p inter=0.8)
Data throughput (pinter=0.8)
Fig. 13. Impact of pinter on node overhead.
N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx 13
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
CO
RR
EC
other hand, MuON disseminates the data message toonly a subset of nodes within the overlay, ensuringthat the final destination is a member of this sub-set. The bandwidth consumed in MuON is h�HDRsize þ /� DATAsize, where h and / is the numberof header and data transfers in the network. Consid-ering the values of h and / from Fig. 14, it can be seenthat MuON provides reliable anonymous communi-cation at a cost lower than N � DATAsize.14 Fig. 17depicts the bandwidth consumed in MuON as com-pared to a multicast based approach, while Figs. 15and 16 show that the bandwidth consumed by datamessages increases with increasing pinter and decreas-ing Davg, while the resources consumed by headermessages are unaffected.
Scalability: Scalability is an important character-istic in systems designed for P2P networks. It is evi-dent from the presented results that MuON isscalable. The protocol exhibits desirable perfor-mance irrespective of the overlay size and churn.
4.3. Anonymity guarantees
This section describes how MuON achievesmutual anonymity, followed by an evaluation ofanonymity in overlays of varying sizes and churn.We then describe the protocol behavior under vari-
UN
861
862
863
864
14 Considering 128 bit cryptographic hash, 128 bit crypto-graphic keys, 32 bit IP addresses and 32 bit nonce, the maximumsize of hdr is 416 bits and HDRsize ¼ 576 bits (72 bytes). If thetransferred data is a 1 MB media file then DATAsize ¼ 1; 048; 576bytes. From Fig. 14, if the overlay has 10,000 nodes with churn0.8, then h ¼ 600; 000 and / ¼ 4500. Hence the volume of MuONheader messages is 41.2 MB and the volume of MuON datamessages is 4500 MB. In this system with 10,000 nodes,N � DATAsize ¼ 10; 000 MB.
0 0.2 0.4 0.6 0.8Churn
Fig. 16. Impact of pinter on network overhead.
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
ous adversarial attacks. The anonymity metrics areaverages over multiple messages exchanged betweenmultiple initiator and responder pairs for a given setof parameters such as skew, c and pinter.
idemic based mutual anonymity in unstructured ..., Com-
-
T
OF
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
0.14
0.16
0.18
0.2
0.22
0.24
0.26
0.28
1000 2000
3000 4000
5000 6000
7000
0 0.1
0.2 0.3
0.4 0.5
0.6 0.7
0.8
0
0.2
0.4
0.6
0.8
1
Normalized anonymity
pinter=0.3, skew=3, γ=0
Overlay SizeChurn
Fig. 18. Anonymity.
15 Cover traffic increases network bandwidth consumption,message delays introduce communication latencies, and per-hopmessage encryption necessitates negotiation of shared keysbetween each pair of nodes in the dynamic network.
0
2000
4000
6000
8000
10000
12000
14000
16000
2000 4000 6000 8000 10000 12000 14000
Num
ber
of D
ata
Mes
sage
s
Overlay Size
MulticastMuON, pinter=0.8MuON, pinter=0.5MuON, pinter=0.3MuON, pinter=0.1
Fig. 17. Comparative bandwidth use.
14 N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
UN
CO
RR
EC
4.3.1. Mutual anonymity in MuON
Since MuON does not make use of cover trafficand padding, and does not hide information suchas message lengths, T deadline and currOwner, epidemictraffic can be observed at each individual node.Consequently as discussed in Section 4.3, MuONis vulnerable to a sustained attack by a global adver-sary. However as discussed in the sections below,the anonymity guarantees of end-to-end trafficbetween initiators and responders are maintainedin the presence of adversaries that can observe onlya limited portion of the network for a given periodof time.
Similar to anonymity protocols that use multi-casting [12] or broadcasting [13], MuON achievesmutual anonymity on the virtue that several inter-mediate peers receive a message. When an interme-diate node receives a MSG, it gossips thecorresponding MSG_HDR with itself as the owner.From an observer’s perspective, any node claimingto be the current owner could be the actual senderof the message. Similarly, when an intermediatenode receives MSG_HDR, it probabilistically pullsthe corresponding MSG. Hence from the local obser-ver’s perspective, any peer that eventually pulls MSGcould potentially be the receiver. Thus in the proto-col, an observer (initiator, responder or intermedi-ate node) cannot differentiate the initiator andresponder from the other peers. The use of publickeys also enables the initiator and responder tocommunicate without the identity of each other.Thus mutual anonymity and unlinkability isachieved.
The degree of anonymity provided by an ano-nymity system depends on the number of nodes thathave an equiprobable chance of playing a certainrole (initiator/responder). Let S (called the anonym-
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
ED
PR
O
ity set) denote the set of nodes that have an equi-probable chance of being the initiator/responder.Shields et al. [14] show that the degree of anonymityin the system is 1� 1jSj. In MuON, for a given com-municating pair of initiator and responder, anynode that receives MSG has some probability ofbeing the initiator or responder. In this paper, allsuch nodes are collectively considered the anonym-ity set. This is because a local adversary cannot tellif the probability of being the sender or receiver isequal for all such nodes without a large scale collu-sion. Intersection attacks by a global adversarywould make this anonymity set smaller. Formalanalysis of this anonymity set using an informationtheoretic technique such as introduced by [51] is leftas an important future work. Therefore, we measurethe anonymity of MuON as the fraction of peerswithin the overlay that received a given MSG (calledthe normalized anonymity). Fig. 18 shows that theanonymity is almost constant in networks of vary-ing sizes and churn. Figs. 19 and 20 indicate thatthe anonymity is controlled by pinter and Davg.
Attacks by Adversary: Anonymity systems aresusceptible to several possible attacks. However,the adversary must utilize varying amounts ofresources to complete these attacks successfully.To withstand powerful adversaries, several systems[10,9,3,11,8] use techniques like cover traffic genera-tion, message buffering and per-hop messageencryption. This paper evaluates MuON withoutusing these high-cost15 approaches, by describingthe protocol behavior under various known attacks.
idemic based mutual anonymity in unstructured ..., Com-
-
CT
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
0
0.2
0.4
0.6
0.8
1
0 0.2 0.4 0.6 0.8
Nor
mal
ized
ano
nym
ity
Churn
pinter=0.5, skew=3, overlay size=4000
Average anonymity set γ=0Average anonymity set γ=1Average anonymity set γ=2Average anonymity set γ=3
Fig. 20. Impact of Davg on anonymity.
0
0.2
0.4
0.6
0.8
1
0 0.2 0.4 0.6 0.8
Nor
mal
ized
ano
nym
ity
Churn
skew=3, γ=0, overlay size=4000Average anonymity set pinter=0.5Average anonymity set pinter=0.8
Fig. 19. Impact of pinter on anonymity.
N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx 15
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
UN
CO
RR
EIn addition, this paper assumes that a goodpseudo ID management is in place. An intermediatenode in MuON can collect pseudo IDs, such as pub-lic key as a pseudo ID, by participating the gossip-ing behavior. In order to prevent such a problem, amechanism needs to be in place which changes thepseudo ID randomly at every interval. The generalproblem of managing pseudo IDs is left as futurework. Follow up work will incorporate a mecha-nism into MuON.
Local eavesdropper: A local eavesdropper is anadversary that can monitor all communications sentto or received from one particular peer. This adver-sary tries to detect the identity of communicatingparties by recording and comparing all incomingand outgoing messages of a particular node. InMuON, a local eavesdropper on an intermediatepeer, cannot confirm the identities of the communi-cating parties, even if the message and its header arereceived by the peer. This is because the peer cannotdetermine the identity of either sender or receiverwith certainty based on the information of the
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
ED
PR
OO
F
header. Likewise a local eavesdropper an initiator(or responder) cannot deduce the identity of theresponder (or initiator).
Collusion Attack: In a collusion attack, peers col-laborate to identify communicating entities. Thesecolluding peers could be physically different nodesor a single node with multiple identities. It has beenseen that the degree of anonymity in MuON is1� 1jSj where S is the anonymity set. This impliesthat as long as a pair of peers within the anonymityset do not collaborate, it is hard for colluding nodesto differentiate the initiator, responder and the hon-est peer(s) from one another. If all jSj nodes withinthe anonymity set collaborate, MuON’s degree ofanonymity becomes 0 and the identities of the com-municating parties can be revealed. However, sincethe anonymity set changes for every MSG in the sys-tem, a large fraction of peers must collaborate tosuccessfully launch this attack.
Timing attack: In a timing attack, the adversary(behaving as an initiator) attempts to identify theresponder by analyzing the round trip time (RTT)of a request, since short RTT indicates that theresponder is nearby. In MuON since the messagesare transferred over the overlay network, RTT mea-surements do not reflect actual network locations.Thus launching a timing attack is difficult. Anadversary can launch a variant of the timing attackagainst MuON, by identifying the initiator as thefirst node to gossip a particular MSG. To launch thisattack, the adversary would have to trace outgoingmessages of every node within the network, to iden-tify a particular node as the first node to gossip amessage. However, the adversary cannot identifythe responder, since the responder behaves like anintermediate node and continues to gossip the MSG.
Traceback attacks: There are two kinds of trace-back attacks: passive traceback and active traceback.In a passive traceback attack, the adversary exam-ines the stored routing state of the peers to identifythe path(s) between initiator and responder. Tolaunch a passive traceback against MuON, theadversary needs to look at the application level mes-sage buffers at every node within the network. How-ever, since the messages are periodically removedfrom the buffers, to perform a successful tracebackthe adversary must collect the information beforeit is removed. In an active traceback attack, theadversary has control of the network infrastructureand is able to follow an active and continuingstream of packets back through the network to theirpoint of origin. In MuON, such an adversary can
idemic based mutual anonymity in unstructured ..., Com-
-
TED
PR
OO
F
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
0
0.1
0.2
0.3
0.4
0.5
0.6
0 10
20 30
40 50
60 70
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.2
0.4
0.6
Fraction of nodes
pinter=0.5, skew=3, γ=0, overlay size=4000
Age of nodes (in cycles)
Churn
Fig. 21. Message distribution.
0
0.2
0.4
0.6
0.8
1
0 10 20 30 40 50 60 70 80 90 100
Eff
ectiv
e an
onym
ity s
et
Time (in cycles)
pinter=0.5, skew=3, overlay size=4000
MuON γ=0MuON γ=1MuON γ=2MuON γ=3
System Membership
Fig. 22. Progress of an intersection attack (churn¼0.6).
16 N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
UN
CO
RR
EC
identify the sender of a message (it is the startingpoint of the message paths). However the recipientis not revealed (since paths do not terminate at therecipient).
Predecessor attacks: These attacks occur if thesame path is used by the initiator while communi-cating to the responder. If a compromised noderecords its predecessor, then most of the time theinitiator will be the predecessor. However in MuONas every node randomly picks up the gossip target,different messages follow different paths. Hence thistype of attack is unlikely in MuON.
Traffic volume attack: An adversary can differen-tiate responders from other nodes by observing thevolume of data transmitted, since initiators generateless data as compared to responders. This attack ispossible against MuON, if the adversary canobserve the traffic generated by each node in thenetwork.
Intersection Attack: An adversary can record themembers within the anonymity set of a message bylaunching a traffic volume or traceback attack. Toperform an intersection attack, the adversary firstrecords the anonymity sets of messages for anextended period of time. The adversary then com-putes the effective anonymity set, which is the inter-section of all observed anonymity sets. Since theinitiator and responder are present in each anonym-ity set,16 they are always included in the effectiveanonymity set. Thus if the network is observed fora sufficient period, the effective anonymity set canbe reduced substantially. We measure the progressof an intersection attack by measuring the size ofthe effective anonymity set at regular time intervals,relative to the size of the first observed anonymityset. For simplicity, we assume the adversaryobserves the entire network.
In dynamic networks, an intersection attack isassisted17 due to changes in system membership.To offset this effect, MuON peers pull data messageswith a probability proportional to their age in thesystem. Fig. 21 shows the fraction of peers withindifferent age-groups that pull a given message.Hence the anonymity sets of successive messagesinclude the same subset of long-lived nodes, result-ing in larger effective anonymity sets. Fig. 22 showsthe progress of an intersection attack in MuON
1071
1072
1073
1074
1075
16 This assumes that the initiator and responder are within theportion of the network observed by the adversary.17 This motivates some systems [13,14] to restrict system
membership changes, and perform periodic system resets.
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
(depicted by solid lines) along with the effective ano-nymity set solely due to network churn (depicted bythe dashed line). It can be seen that for low values ofDavg, an intersection attack proceeds primarily dueto network churn. According to the simulationmodel, since the network in Fig. 22 has churn 0.6,the session time of peers is exponentially distributedwith an average of 40 cycles (shaded region). Thusby the time the communicating entities completetheir communication, the effective anonymity set isstill greater than 0.3. Fig. 23 shows the progress ofan intersection attack in networks with varyingchurn. Figs. 22 and 24 indicate that defense againstintersection attacks can be improved by decreasingDavg and increasing pinter.
In summary, we see that MuON can resist mostkinds of attacks in the absence of a global adver-sary. We believe that such an adversary is impracti-cal for large and dynamic P2P systems, thoughmany of these attacks can be thwarted by meansof cover traffic [52].
idemic based mutual anonymity in unstructured ..., Com-
-
T1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
0
0.2
0.4
0.6
0.8
1
0 10
20 30
40 50
60 70
80
0 0.2
0.4 0.6
0.8 1
0
0.2
0.4
0.6
0.8
1
Intersection set
pinter=0.5, skew=3, γ=0, overlay size=4000Intersection Set
TimeChurn
Fig. 23. Effective anonymity set.
N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx 17
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
REC
4.4. Security guarantees
In MuON, message confidentiality and integrityis achieved using cryptographic techniques such ascryptographic hash, public/private keys and sessionkeys. Hence these guarantees are constrained by thestrengths of the chosen cryptographic algorithms.
When the initiator sends the request, it generatesa nonce r1 and a session key ksession. The initiatorthen generates a header containing the nonce, ses-sion key and the initiator’s public key. The headeris then encrypted using the responder’s public key.Similarly, the responder includes the nonce in theheader for the response and encrypts this headerwith the initiator’s public key. Thus the nonce andsession key always remain confidential. MSG alwaysencrypts the data and nonce, using the session key.Since the session keys are not reused, encrypting thedata with session keys helps thwart dictionaryattacks. Thus confidentiality is maintained.
UN
CO
R
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
0 10
20 30
40 50
60 70
80
0 0.1 0.2
0.3 0.4
0.5 0.6
0.7 0.8
0
0.2
0.4
0.6
0.8
1
Effective anonymity set
pinter=0.3, skew=3, γ=0, overlay size=4000
Time (in cycles)Churn
Ef
Fig. 24. Impact of pinter on e
Please cite this article in press as: N. Bansod et al., MuON: Epput. Netw. (2007), doi:10.1016/j.comnet.2007.11.011
ED
PR
OO
F
The header, hdr always contains a cryptographichash signed by the private key of the sender (initia-tor in case of requests and responder in case ofresponses). The cryptographic hash is computedover MSG and the required fields of hdr and is signedby the sender’s private key. This signed crypto-graphic hash has several uses. It allows the receiverto verify the correspondence between a given MSGand its MSG_HDR. The signed cryptographic hashhelps the receiver detect if an adversary changedthe contents of the message or the nonce. Similarly,when an initiator receives a response, the initiatorcan verify that the response originated from theresponder, because the cryptographic hash is signedby the responder’s private key. Thus an adversarycannot masquerade as the responder. Likewise, thenonce contained within each header and data mes-sage can be used by the initiator to detect a replayof a response. If the responder keeps track of noncevalues of the past requests, it can detect the replayof requests.
It is important to note that MSG_HDR contains anunsigned value for T deadline, since an intermediatenode cannot verify a signature without knowingthe public key of the originator. Hence a misbehav-ing intermediate node may increase or decrease thevalue of T deadline to either cause the epidemic to dieslowly or quickly; a slow dying epidemic increasesthe resources consumed by the protocol, while aquick dying epidemic would prevent the messagefrom reaching the destination. However due to theinherent redundancy within the epidemic, a signifi-cant percentage of peers need to be misbehavingto consistently cause delivery failures. In either sce-nario, the anonymity and security guarantees of theprotocol remain intact. In general, promoting com-
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
0 10
20 30
40 50
60 70
80
0 0.1
0.2 0.3
0.4 0.5
0.6 0.7 0.8
0
0.2
0.4
0.6
0.8
1
fective anonymity set
pinter=0.5, skew=3, γ=0, overlay size=4000
Time (in cycles)Churn
ffective anonymity set.
idemic based mutual anonymity in unstructured ..., Com-
-
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181
1182118311841185
18 N. Bansod et al. / Computer Networks xxx (2007) xxx–xxx
COMPNW 3689 No. of Pages 20, Model 3+
7 December 2007 Disk UsedARTICLE IN PRESS
pliance within P2P anonymity systems [53] is animportant research problem, which we plan toinvestigate in future work.
T
11861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214
5. Conclusion and future work
We have presented MuON, a protocol for pro-viding mutual anonymity in dynamic P2P networks.There are two key contributions of MuON; the pro-tocol provides reliable mutually anonymous com-munication over dynamic P2P networks, whilemaintaining low bandwidth and processing over-head compared to existing reliable multicastingapproaches, and it exhibits application friendlycharacteristics such as bounded communicationlatency and message integrity and confidentiality.A unique feature of MuON is the ability to maintainanonymity against sustained adversarial attack for areasonable amount of time. In order to help resolvethe inefficient bandwidth use problem due to thebroadcasting nature, a methodology to create multi-ple broadcast groups with high inter-group connec-tivity for reliable message delivery is currently underinvestigation. In the future, we plan to investigatethe use of MuON for creating censorship resistantservices and ‘Denial-of-Service’ DoS tolerant anon-ymous services.
12151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243
UN
CO
RR
ECReferences
[1] Pfitzmann Andreas, Waidner Michael, Networks withoutuser observability, Computers and Security 6 (2) (1987) 158–166.
[2] Michael K. Reiter, Aviel D. Rubin, Crowds: anonymity forweb transactions, ACM Transactions on Information andSystem Security 1 (1) (1998) 66–92.
[3] Xiao Li, Xu Zhichen, Zhang Xiaodong, Low-cost andreliable mutual anonymity protocols in peer-to-peer net-works, IEEE Transactions on Parallel and DistributedSystems 14 (9) (2003) 829–840.
[4] Andreas Pfitzmann, Marit Hansen, .
[5] AT&T, The anonymizer, .[6] Eran Gabber, Phillip B. Gibbons, David M. Kristol, Yossi
Matias, Alain Mayer, Consistent, yet anonymous, webaccess with LPWA, Communications of ACM 42 (2)(1999) 42–47.
[7] Krista Bennett, Christian Grothoff, GAP-practical anony-mous networking, in: PET’03: Privacy Enhancing Technol-ogies Workshop, Dresden, Germany, March 2003, pp. 141–160.
[8] Roger Dingledine, Nick Mathewson, Paul Syverson, Tor:The second-generation onion router, in: Security’04: Pro-ceedings of the 13th USENIX Security Symposium, SanDiego, CA, August 2004, pp. 303–320.
Please cite thi