Embed Size (px)
Citation preview
RAC : a Freerider-resilient, Scalable, AnonymousCommunication Protocol
Sonia Ben MokhtarCNRSLyon
Gautier BerthouGrenoble University
Grenoble
Amadou DiarraGrenoble University
Grenoble
Vivien QuemaGrenoble INP
Grenoble
Ali ShokerCNRSLyon
Resume—Enabling anonymous communication over the Inter-net is crucial. The first protocols that have been devised foranonymous communication are subject to freeriding. Existingprotocols has thus been proposed to deal with this issue. Howeverthese protocols, do not scale to large systems and some of themfurther assume the existence of trusted servers. In this paper,we present RAC, the first scalable anonymous communicationprotocol that tolerates freeriders without relaying on any trustedparty. The key contribution of our system is that its complexity interms of the number of messages exchanged is independent fromthe number of nodes in the system, i.e., RAC is scalable. The latteronly depends on the degree of anonymity that we want to enforce.We theoretically prove using game theory that our protocol is aNash equilibrium, i.e, that freeriders have no interest in deviatingfrom the protocol. Further, we experimentally evaluate RAC usingsimulations. Our evaluation shows that whatever the size of thesystem (up to 100000 nodes) the nodes participating in the systemobserve the same throughput.
I. INTRODUCTION
Anonymous communication protocols are important forscenarios spanning from the lambda Internet user who caresabout protecting his instant messaging from somebody wat-ching his Internet connection to the dissemination of sensitivecontent over the Internet, such as war crime videos. Thefirst protocols that have been proposed in the literature toenable anonymous communication are DC-Net [1] and onionrouting [2]. These two protocols have focused on enabling thestrongest possible anonymity for the former, and on providingpractical performance for the latter.
An issue shared by the two above protocols, as well as byother protocols devised using the same principles (e.g., [3],[4]) is that they take the participation of nodes as granted. Thisassumption is not realistic in collaborative systems, which arewell knows to be the perfect playing ground for freeriders.A freerider, is a node that benefits from the system, whiletrying to minimize its contribution to it, in order to saveresources. Research has thus moved towards the design offreerider resilient anonymous communication protocols.
The first protocol that has been devised to deal withfreeriders is called Dissent v1 [5]. This protocol forces nodesto participate to the protocol. Specifically, for each messagesent anonymously, Dissent v1 forces each node in the systemto send messages to all the other nodes. As such, it iseasy to detect whether a node contributed its fair share tothe system. Unfortunately, this approach yields very poor
performance. Indeed, this protocol becomes unpractical forsystems involving as little as 40 or 50 nodes.
A second protocol, called Dissent v2 [6], has been veryrecently proposed with the aim to improve the performanceachieved by Dissent v1. The key idea of this protocol isto rely on a set of trusted nodes to avoid involving all thenodes in the system for every anonymous communication. Inthis protocol, each trusted node receives anonymous commu-nication requests from untrusted nodes and runs a protocolinvolving all-to-all communications between trusted nodes.This considerably reduces the number of messages exchangedfor every anonymous communication, which allows Dissentv2 to exhibit better performance than Dissent v1. However,this protocol suffers from two major limitations. First, there isa trust issue : we can hardly envision that people that want tosubmit secret war documents to WiKi leaks, or that want todisclose documents about any totalitarian regime, would trustany third party as their lives might be endangered. Second,there is (still) a scalability issue : trusted nodes are involvedin all communications and the throughput achieved by theprotocol, although better than that achieved by Dissent v1,drastically decreases when the number of nodes in the systemincreases, until it reaches zero (for a system with 100000nodes).
Our contribution in this article is RAC, a freerider resilientanonymous communication protocol that addresses the twoabove issues, i.e., trust and scalability.
Regarding the resilience to freeriders, we theoreticallyprove, using game theory, that our protocol is a Nash equili-brium, i.e, that freeriders have no interest in deviating from theprotocol. Regarding trust, RAC does not assume any trustedserver. Regarding scalability, both the number of broadcastmessages and the size of the groups in which the broadcastmessages need to be sent, are independent from the numberof nodes in the system. Specifically, in our protocol, theseparameters are exclusively dependent on constants that are as-sociated with the degree of anonymity our system guarantees.In other words, RAC is scalable and it exhibits a clear tradeoffbetween anonymity and performance.
We experimentally evaluate RAC using simulations. Ourevaluation shows that RAC achieves a very good level ofanonymity and that, contrary to Dissent v1 and Dissent v2 thatexhibit a drop of throughput when the number of nodes grows,the throughput of RAC remains constant when increasing
the size of the system. For instance, a system comprising100000 nodes, RAC achieves 1300 times better throughputthan Dissent v2, while Dissent v1’s throughput is almost 0.
The remaining of the paper is structured as follows. Wefirst introduce some definitions and analyze the related worksin Section II. We then discuss the need of a new protocolin Section III, before presenting our protocol in Section IV.We further present the proofs of RAC freerider resiliency, aswell as the proofs of RAC anonymity guarantees in Section V.We finally present the experimental evaluation of RAC inSection VI, and our concluding remarks in Section VII.
II. DEFINITIONS AND RELATED WORKS
We start this section by the definition of anonymity pro-perties guaranteed by anonymous communication protocols inSection II-A. We then review existing anonymous communi-cation protocols in Section II-B.
A. Definitions
We rely in this paper on the definitions introduced byPfitzmann and Hansen [7]. We consider a system composed ofnodes that communicate with each other via communicationchannels. In such a system, a node is acting anonymously ifit is impossible for an observer to distinguish this node fromthe other nodes present in the system. Specifically, researchersdistinguish the following three anonymity properties. The firstone is sender anonymity. This property holds if it is notpossible to identify the sender of any given message. Thesecond property is receiver anonymity. This property holdsif it is not possible to identify the destination of any givenmessage. The third property is relationship anonymity. Thisproperty holds if an observer is not able to identify a pair ofnodes as communicating with each other.
The goal of an anonymous communication protocol is toguarantee one or more (preferably all) of these anonymityproperties in presence of an opponent, i.e., a malicious entitytrying to break these properties. All existing protocols, aswell as our protocol, consider the strongest possible opponent,called the global and active opponent. Global means that theopponent can monitor and record the traffic on all the networklinks of the system. Active means that the opponent can controlsome nodes in the system and make them deviate from theprotocol in order to reduce the anonymity of other nodes. Thehigher the number of nodes that the opponent must controlto break a protocol, the stronger the anonymity guaranteedby this protocol. The only limitation of the global and activeopponent is that it is not able to invert encryption.
B. Related works
The two pioneering protocols for anonymous communica-tion are the DC-Net [1] and Onion routing [2] protocols.
The DC-Net protocol exhibits strong anonymity guarantees.Specifically, it is not possible for an opponent to break anony-mity without controlling all the nodes executing the protocol.DC-Net reaches this objective by relying on the principleof secret-sharing. Specifically, nodes in DC-Net proceed in
rounds. During one round, only one node is allowed to send amessage. If two nodes send a message during the same round,there is a collision and none of the messages is correctlydelivered. To avoid collisions, there exist mechanisms forreserving sending slots [8], [9]. To guarantee anonymity, DC-Net organizes nodes in a structured network and requires nodesto forward encrypted messages received from their neighbors.Nodes then rely on a XOR-based mechanism (that they applyon messages they receive from their different neighbors) todecrypt messages. The major limitation of DC-Net is that ityields a considerable overhead. Indeed, at every round, everypair of nodes in the system needs to exchange messages.This is why other protocols that aim at reducing the costof DC-Net have been devised. The Herbivore protocol [4]is one such protocol. In this protocol, nodes are organizedin groups, which limits the exchange of messages inside thegroups. Despite this optimization, this protocol is consideredas unusable in practice as soon as the system grows to morethan (approximatively) 50 nodes as analyzed in [10].
The onion routing protocol guarantees a lower degree ofanonymity than DC-Net. It is nevertheless considered secureenough to be widely used in practice [11]. Furthermore,it exhibits way better performance. This protocol works asfollows. A node wanting to send a message, randomly selectsa list of nodes (called relays) and encrypts the message intomultiple layers of encryption : one layer for every relay. Theresulting encrypted message is called an onion. The node thensends the onion to the first relay that deciphers the first layer.This layer contains the address of the second relay and an inneronion, encrypted with the key of the second relay. The firstrelay sends the inner onion to the second relay. This processis repeated until the message reaches its destination. Note thatbecause of its onion structure, a forwarded message changesat each relay. Various variants of this protocol have beenproposed in the literature, such as crowds [3], cashmere [12],Tarzan [13], and TOR [11]. The three first protocols aim atbetter tolerating churn. The last article describes a popularimplementation of the onion routing protocol.
The major limitation of these protocols is that they assumethat nodes participating in the system are altruistic, i.e., theyfollow the protocol. However, as in cooperative systems, nodesoften tend to freeride in order to benefit from the system,without contributing their fair share to it. This explains why arecent attention has been given to the design of freerider resi-lient protocols, in which all nodes are obliged to participate,otherwise risking eviction.
The first protocol that follows this direction is the Dissentv1 protocol [5]. This protocol relies on the principles of DC-Net to which it adds a double encryption system. This systemallows stopping the execution of a round whenever a nodedetects the misbehavior of another node (including freeriding).It then allows exposing the misbehaving node without breakinganonymity. While this protocol is resilient to freeriding, issuffers from the same performance limitations as DC-Net,as further analyzed in Section III. A second protocol, i.e.,Dissent v2 [6], has very recently been proposed to address
this performance issue. The key idea behind this protocol isto run Dissent v1 on a small number of trusted servers. Theseservers are then used by a large number of nodes (called clientsin [6]) to enforce the anonymity of their communications.To reach this objective, nodes need to trust the servers theyuse to exchange messages, which is a strong assumption.Performance wise, as analyzed in the following section, eventhough Dissent v2 exhibits better performance that Dissent v1,it still suffers from a scalability issue.
III. THE CASE FOR A NEW PROTOCOL
In this section, we motivate the need for a new anonymouscommunication protocol. We show, using simulations, thatthe two existing freerider-resilient anonymous communicationprotocols achieve poor performance in large-scale settings.We simulate (using the Omnet++ simulator), a network ofnodes connected via 1Gb/s links 1. In our simulation, eachnode chooses a random node to which it sends anonymousmessages of a fixed size equal to 10kB, at the highest possiblethroughput it can sustain. We run this experiment severaltimes with an increasing number of nodes, and we measurethe average throughput at which nodes receive anonymousmessages.
We configure Dissent v2 with the optimal number of trustedservers for each network size. Specifically, increasing the num-ber of trusted servers allows reducing the number of messagesprocessed by each trusted server. However, it also increasesthe number of broadcast messages performed between trustedservers, and the size of these broadcasts. For each differentnumber of nodes in the system, there is thus an optimal numberof servers to be used, which maximizes the throughput of theprotocol. Moreover, we equally distribute the number of nodesbetween trusted servers.
0.001
0.01
0.1
1
10
100
1000
100 1000 10000 100000
Thr
ough
put(
kb/s
)
Number of nodes
Dissent v1Dissent v2
FIGURE 1. Throughput as a function of the number of nodes for Dissent v1and Dissent v2
The throughput as a function of the number of nodes inthe system for both Dissent v1 and Dissent v2 is depicted
1. This ideal network configuration allows us to measure the maximumthroughput each protocol can reach
in Figure 1. From these results, we can first observe that thethroughput of nodes in Dissent v1 drops down to (almost) zerowhen the number of nodes is higher than 50. The reason isthat for each anonymous communication, every node needs tosend a message to all the other nodes in the system. Thisrequires the sending of what is equivalent to N broadcastmessages involving all the nodes, where N is the numberof nodes in the system. Let us note the cost of Dissent v1as N ∗ Bcast(N) 2, which refers to the fact that for eachanonymous communication, N broadcast messages are sent ina group of N nodes 3. It becomes thus obvious why Dissentv1 exhibits such poor performance when the number of nodesin the system increases. Indeed, both the number of broadcastmessages sent in the network, and the size of the broadcastgroups depends on the latter. We can also observe from thisfigure that the throughput reached by nodes in Dissent v2 ishigher than the throughput reached by nodes in Dissent v1,which was the key objective of this protocol. Nevertheless,the throughput of Dissent v2 decreases when the number ofnodes in the system increases. The reason of this decrease isthat Dissent v2 requires for each anonymous communication,the sending of S broadcasts (where S is the number of trustedservers) in the group of size S servers, plus one broadcast ina group of size N
S . Hence, the cost of Dissent v2 is equal toBcast(NS ) + S ∗Bcast(S), which is also dependent on N .
Our objective in this paper, is thus to design a freeriderresilient anonymous communication protocol that scales, i.e.,its cost must be independent from the number of nodes in thesystem. Moreover, we do not want to assume trusted servers,as we do not believe that this is a reasonable assumption fora protocol aiming at guaranteeing anonymity.
IV. THE RAC PROTOCOL
In this section, we present RAC, a practical, freerider-resilient, anonymous communication protocol. The practicalityof our protocol builds on two key ideas : (1) the reductionof the number of messages broadcast in the system and (2)the reduction of the size of the broadcast groups. We firstexplain how we achieve these two key ideas. We then providea detailed description of the protocol.
A. Key idea #1 : reducing the number of broadcasts
In order to be more efficient than Dissent v1 and Dissentv2, we decided to start the design of our protocol from theprinciple of the onion routing protocol. Indeed, the sending ofan anonymous message using this protocol does not requirethe sending of any broadcast message. Instead, the sender of amessage selects a subset of nodes to act as relays. Although theanonymity of onion routing, which is a function of the numberof relays, is lower than the one of protocols such as DC-Net,it is strong enough to be widely used in practice. The problem
2. In the remaining of the paper we adopt the following notation : wewrite ”the protocol P has a cost of x ∗ Bcast(y)” to refer to the fact thatfor each anonymous communication done using P , x broadcast messages aresent in a group of y nodes.
3. For the sake of simplicity we assume that all broadcast messages haveapproximatively the same size.
with existing onion-based protocols is that freeriders have nointerest in acting as relays ; they will thus drop the messagesthey are supposed to relay whenever they can (i.e. when itdoes not endanger their anonymity). It is thus necessary tofind a way to monitor the behavior of relays. The only nodethat knows all the relays on the path of an onion and thatcan identify all the layers of the onion is the sender of themessage. The question is : how to make the sender monitorthe relays without disclosing its identity ? Indeed, if a relayknows that a node is using it as a relay, it can break thenode sender anonymity. Our solution is to have senders andrelays broadcast the messages they send or relay. Broadcastingmessages allows senders to receive the messages broadcastby relays and to check that relays forward correctly, withoutdisclosing their identity (every node receives the messages).
The broadcast exchanges must be reliable, despite thepresence of freeriders and opponent nodes. In order to forcenodes to forward messages, the broadcast protocol we proposerelies on a structured network similar to the one used in theFireflies group membership protocol [14]. Specifically, nodesare placed on several rings using a hash function. On eachring a node has a predecessor node and a successor node. Thebroadcasting protocol works as follows : each time a nodereceives a message from one of its predecessors, it forwardsit to all its successors. A node expects to receive the messagefrom all its other predecessors. If it does not receive themessage from one of its predecessors, it considers it as afreerider. This forces nodes to forward all the messages theyreceive. Note that a node also verifies that its predecessorsare broadcasting at a constant rate, because this is required toensure anonymity, as explained in the detailed description.
Figure 2 summarizes the dissemination of a message inRAC. A node A that wants to send a message to a node Dbuilds an onion (containing two relays B and C in that case).The node then broadcasts the onion using the multiple ringstructure. Upon the reception of the onion, each node tries todecipher it. If a node manages to decipher the onion and itobtains a new onion, this means that the node is a relay andit will broadcast the new onion (this is the case of node Band then of node C). If a node obtains a clear message, thismeans that it is the destination (this is the case of node D). Ifit does not manage to decipher the onion, the node discardsthe onion.
The resulting protocol has a cost of : L ∗ R ∗ Bcast(N),where L << N is the number of relays employed in the onionpath, and R << N is the number of rings used in the broadcastprotocol. In the experiments presented in Section V, we useL = 5 and R = 7. As we show, these values are enough toensure that an opponent only has a probability of 9.9 ∗ 10−7
to break the anonymity of a sender in a system comprising100000 nodes 4. Nevertheless, this cost always depends onN . We see how we further decrease this cost (to make itindependent from N ) in the next Section.
4. Note that in this case, receiver anonymity and unlinkability are optimal :the opponent needs to control all the nodes in the system to break them.
B. Key idea #2 : reducing the size of broadcast groups
In the previous section, we have shown how to make thenumber of broadcasts independent from the number of nodesin the system. In this section, we show how to make the size ofbroadcast groups independent from the number of nodes in thesystem. As such, we gain both in intrinsic performance as thecost of each broadcast will be lower and in scalability as thebroadcast size becomes independent from the number of nodesin the system. Note that broadcasting in small groups insteadof in a group of size N , gives the opponent that captures amessage, more information about the possible sender and thereceiver of this message. Specifically, the latter knows that thesender and the receiver of the given message is one amongthe G nodes of a broadcast group, instead of one among theN nodes of the system. We realize this second key idea byclustering nodes into groups of approximatively the same size,say G. The identifier of the group to which a node shouldbelong is computed deterministically by the node when it firstjoins the system (e.g., using a hash of its public key modulothe number of groups). If two nodes that belong to the samegroup want to communicate they use the protocol we saw inthe previous section, inside the group they belong to (of sizeG) instead of running it on the whole system. The cost isthus reduced to L∗R∗Bcast(G). The remaining question is :How do we enable the communication between two nodes thatdo not belong to the same group ? A straightforward solutionwould be to run the protocol presented in the previous sectionin a supergroup composed of the union of the two groupsto which these nodes belong. The resulting cost would thusbe L ∗ R ∗ Bcast(2 ∗ G). We adopt in our protocol a moreoptimized solution.
The sender sends the anonymous message by running theprotocol in his group, as if the destination was part of thesame group. It nevertheless sets a flag in the innermost onionfor the last relay, to inform him about the group Id of thedestination node. This allows sending most broadcasts insidea group of size G. Upon receiving the innermost onion, thelast relay needs to perform two actions. Firstly, it needs toforward the message to the destination node, which belongsto another group and secondly, it needs to inform the senderthat it effectively forwarded the message. To perform these twoactions at once, the last relay broadcasts the message in a supergroup constituted of the union of the two groups, i.e., its groupand the group of the destination. This super group is what wecall a channel in the remaining of the paper. As such theoverall cost of the protocol is equal to (L−1)∗R∗Bcast(G)for the first part of the protocol, which executes inside thesender’s group plus R ∗Bcast(2G) for the broadcast that thelast relay executes inside the channel. As Bcast(2G) = 2 ∗Bcast(G), the overall cost of our protocol is equal to (L +1) ∗ R ∗ Bcast(G), which is lower than the original L ∗ R ∗Bcast(2 ∗G) because for the commonly chosen values of L,L+ 1 < 2 ∗ L.
A B C D
A
A
A
B
C
G
D
E
FD
B
G
F
C
E
F C
DBEG
A
A
A B
C
G
D
E
FD
B
G
F
C
E
F C
DBEG
A
A
A B
C
G
D
E
FD
BG
F
C
E
F C
DBEG
Step (1) : node A iniates the broadcast of the onion
Step (2) : node B peels the onion and initiates a second broadcast
Step (3) : node C peels the onion initiates and the last broadcast
Original onion routing path
First step of the broadcast.The following steps are not depicted for clarity.
Onion
FIGURE 2. Illustration of the RAC protocol.
C. Detailed description
We will now detail the protocol.
Joining the system. Each node in the system has an identifier(ID), a view containing the list of the nodes present in thesystem, and two private/public key pairs. The first pair of keysis linked to the node ID. We call these keys the ID keys.The second pair of keys is used to encrypt messages for theirdestination (using the key of the destination). This pair ofkeys cannot be linked to the node ID. We call these keysthe pseudonym keys. The way nodes learn about pseudonymkeys is application-dependent. For instance, in an anonymouspublish-subscribe system, nodes would subscribe to a giventopic using their public pseudonym key.
To join the system, a node n sends a JOIN request to a nodex that is already part of the system. This JOIN request containsthe ID public key of n, denoted by K and ID, the identifierof n, which determines the group that n will join. To computethis identifier, we use a solution inspired by the Herbivoresystem [4]. Specifically, let f and g be two one-way functions.The new-coming node has to generate random vectors until itfinds a vector y 6= K such that the least significant mk bits off(K) are equal those of f(y). The value g(K, y) gives n thevalue of its ID. An opponent node may want to circumventthe system to join a particular group. Using this solution isrobust to this attack, because it is difficult for a node to obtainthe values of K and y that are necessary to join a given groupas the functions g and f are one-way functions.
Once x has received the JOIN request from n, it computeswhich group n should join (for example, the group containingthe node with the nearest ID). Then, x anonymously broadcaststhe JOIN request to this group. Upon receiving this request,all nodes of the group verify that the ID of n is correct. Ifthe ID is not correct the request is ignored, otherwise thenodes add n to their view and compute the positions of n inthe various rings. n position in the group is determined asfollows : using n’s ID, group nodes deterministically computethe position of n on the rings used to broadcast messages. Thisis done as in the Fireflies protocol [14] : the position of a node
on the ith ring is determined by the hash of the couple (ID,i). The number of rings to create depends on the size of thesystem, as well as of the percentage of opponent nodes thatis assumed in the system. More precisely, the successor set ofeach node (which is, for a given node, a set comprising thesuccessor of this node on the various rings) should containa majority of non-opponent nodes, and this majority shouldbe large-enough to ensure reliable dissemination of broadcastmessages 5. Concretely, in a system comprising 1000 nodesand assuming that 10% of the nodes are opponent nodes, itis enough to use 7 rings to ensure that the successor sets willcontain less than 3 opponent nodes with a probability 0, 999.
After a period T , which corresponds to the maximum timenecessary for a message to reach all nodes in the group, xsends a READY message to n signaling that all nodes havebeen informed of its arrival in the system. When n receivesthe READY message it sends a message to its followers andpredecessor to indicate them that they can use it as their newfollower or predecessor. Other nodes than n predecessors andfollowers need to wait a period equal to 2T from receiving nJOIN request before using n as a relay. Once n as joined agroup, the nodes of this group broadcast the JOIN messagesin the channels they belong to. This way, all nodes in thesystem are informed of n arrival and n can find its positionin each channel.
Managing groups. To guarantee a lower bound on anonymityand an upper bound on the cost of our protocol, groups musthave a minimum size smin and a maximum size smax, whichare system parameters. When the size of a group becomeslower than smin, nodes belonging to the group broadcast amessage indicating that the group should be dissolved. They,then, rejoin the system in order to be assigned to anothergroup. When nodes join the system and a group becomeslarger than smax nodes of this group broadcast a messageindicating that the group should be split in two. Nodes then
5. To ensure reliable dissemination in a system with N nodes, each nodeshould have at least log(N)+c non-opponent node in its successor set, wherec is a constant [15].
compute which of the two new groups they should join.Specifically, nodes with the lower IDs go in the first groupand nodes with the higher IDs go in the second. Finally, eachnode computes its position in the various rings of the groupand connect to its new followers and predecessors.
Sending a message. To send a message, a node ciphers themessage with the public pseudonym key of the destinationnode. It then randomly chooses L public ID keys of nodesof its group and ciphers the message in successive layers(called onions) Gautier Ia verifier avec la derniere version del’overviewJ. Each layer contains a flag that allows a node toknow whether it successfully deciphered it. If the messagedestination is in another group, the innermost layer alsocontains a flag indicating the channel to which it shouldbe broadcast Ali Ito keep the same message structure, thisflag should be present in both cases, however it is disabled incase inside a group.J. Gautier Idepend de l’overview, celonqu’on utilise le dernier relais comme “gateway” ou qu’on ajouteune node de plus dans le path pour faire “gateway”J Ali
Iwhat is the advantage of using another gateway ? and thisrequires a special handling then. I don’t think we have time.JOnce the L layers have been created, the sender pads themessage to reach a defined size and initiates a broadcast bysending the message to its direct successors on the differentrings of its group. The reason why messages are paddedis that this makes it impossible for opponent nodes to usethe size of network packets to track the path followed bya message. Note that to guarantee some of the anonymityproperties Ali Iwhy to say ‘some’ ?J, nodes must send orforward messages at a constant rate, defined by the system.If a node does not have messages to send or forward, itshould create a fake message (called noise message) andsend it in the system, following the above-described procedure.
Receiving a message. Upon reception of a message, a nodechecks if it has already received the message. If that isnot the case, the node forwards the message to its directsuccessors on the different rings of the group of channelin which the message is broadcast. The node then checkswhether it can decipher the message using its private ID key.In case of success (the node is able to read the flag put bythe sending node), this means that the node should act asa relay for this message. Consequently, it checks if there isa flag indicating that the message should be broadcast in achannel. It then pads the deciphered message and sends it toits direct successors on the different rings of the appropriategroup or channel. Otherwise, the node checks whether themessage is intended to it by trying to decipher it usingits private pseudonym key. If that is the case, it deliversthe message. Note that only innermost layers are broadcastin the channels, so Ali Iplease dont use ‘so’ in scheintificwritingJ, when they receive a message on a channel, nodesonly have to check if they can decipher it with their privatepseudonym key Ali Ido we need to say this ? Because weshould talk about verficiation cost then ; as nodes have to verifyany received message more than onceJ. Ali Imissing the
case when the node does not succeed in decrypting the msg atall (already mentioned in overview).J
Checking the misbehavior of nodes. In order to discouragefreeriding Ali Irational only ? what about opponents ? becausethese are also misbehaviors ; and why don’t we say freeridersas we do above ?J, nodes check that (1) the relays they useto send their own messages correctly forward messages, (2)the nodes that directly precede them in the different rings ofchannels and group correctly forward messages (i.e. once andonly once), and (3) the nodes that directly precede them inthe different rings of their group send messages at a constantrate. Every time a node discovers a misbehavior, it locallyblacklists the corresponding node. Each node maintains severalblacklists. A blacklist per channel for suspected predecessors,a blacklist for their group suspected predecessors and a bla-cklist for suspected relays. We see in the following part howthese blacklists are used to evict nodes from the system.
The first check is performed as follows. When a node sendsone of its own messages, it keeps a copy of the various layersof the message, together with the public ID keys they havebeen ciphered with. It then expects to receive the messagescorresponding to the different layers before the expiration ofa timer (recall that all messages are broadcast in the system).The first relay, if any, that does not correctly decipher andforward the message, is suspected and added by the senderto the relays blacklist Ali Iand it is not used anymore by thisnodeJ.
Ali Ithe follwoing two paragraphs are too long, I would sum-marize them in once seentence : a node adds a predecessorto the approprite predecessors checklist (ina group or channel)if it did not receive the expected message ; or it did recieve it,however, too early, late, or twice.J
The second check is performed as follows. Provided thatmessages are broadcast, for each message, a node expects toreceive a copy from each of its direct predecessors in thechannel or group in which the message is broadcast. If apredecessor does not send a copy of a given message within abounded Ali Ineither too early nor delayed, IWS : In a periodicmanner with a predfined frequencyJ, configurable time, thismeans that it misbehaves Ali Ii think this is not the place to talkabout impl. details kike TCP and so, instead, we should say thatwe assume a synchrounous system model.J 6. If a predecessorsends the same message twice, it also means that it misbehaves(the node could be performing a replay attack [16]). In bothcases, the node suspects its predecessor of misbehaving andadds it to the appropriate predecessors blacklist.
The third check is performed as follows. Each node checksthat it receives messages from its direct predecessors on thedifferent rings of its group at a constant rate. Whenever anode detects a misbehaving predecessor, it adds it to thepredecessors blacklist.
Evicting nodes. As described above, nodes maintain two kinds
6. Our implementation uses TCP, which ensures reliable delivery betweenpairs of nodes.
of blacklists. A blacklist for suspected relays and severalblacklists for suspected predecessors. Nodes disseminate theseblacklists as follows Ali Ithe same sentence is repeated andit is not shown how dessiminated ?J. The relays blacklist isperiodically disseminated Ali Ihow ?J to the node’s groupin an anonymous way Ali Ihow ? the answer is tool far.J.This has to be done anonymously because it can discloseinformation about the identity of a message sender Ali IIwould put this sentence before the previous one.J. To avoidan attack where malicious nodes send more than one blacklistat each round, we use the shuffle protocol of dissent v1 Ali
Iso we are using DC-Net too ?J which allows to permutea set of fixed-length messages and broadcast the set to allmembers with cryptographically strong anonymity. Ali IOnthe contrary,J The predecessors blacklists are disseminatedas clear messages Ali Iwhy clear, now ?J in the channels orgroup to which they correspond.
As soon as a node A collects evidence that a node B belongsto the predecessors blacklist of t+ 1 of B’s followers in onechannel or group, with t the maximum number of opponentfollowers provided by Fireflies Ali IciteJ, or the relays black-list of f+1 nodes of B’s group, with f the maximum numberof opponent nodes in a group, A removes B from its view Ali
Ithis sentnce is killing, I will rewrite it latterJ. Further, if B isone of A’s predecessors or followers, it replaces it with a newpredecessor or successor deterministically computed from theview updated after the eviction of B.
When a node is evicted from a group or a channel the nodesAli Iall nodes ?Jof its group must broadcast messages Ali
Ihow ? anonymously ?Jto all the channels it belonged to. Thismessage inform the nodes of the channels that the node wasevicted. Node that fail at sending this message are suspectedby the nodes of their group. Nodes in the channels wait toreceived f + 1 eviction notifications to take this eviction intoaccount.
Ali Idon’t we discuss cases where a nodes sends amessges to a destination in nother group that left the system(and the notification has not been received yet). And the casewhere a node recieves a message from an evicted node, andso... ?J
V. PROOFS
In this section, we first prove that RAC ensures anonymity.Then we prove that RAC is freerider-resilient
A. Anonymity proof
Our proof for anonymity comprises sender anonymity, re-ceiver anonymity, and unlinkability. We use the followingnotations : the network size is denoted by N , the groups sizeis denoted by G, the fraction of opponent nodes is denoted byf , and the number of relays used to disseminate each messageis denoted by L. We explained in section IV-B that dividingnodes into groups reduce nodes anonymity from one amongN to one among G. We now show how this anonymity of oneamong G is protected. We first assume that opponent nodesare passive, which means that they follow the protocol and can
only gather information by monitoring the network. We thenconsider the case of active opponents nodes that are willingto deviate from the protocol in order to break anonymity.
1) Passive opponent nodes:a) Sender Anonymity.: As nodes in RAC broadcast mes-
sages at a constant rate is not possible to know if they areforwarding messages, sending messages or sending noise.Thus, an opponent node receiving a message can only discoverthe sender of this message when it colludes with all the relaysof that message. This is quite hard to achiev. In fact, theprobability for a correct node to build a path only containingopponent nodes is equal to
∏Li=0
X−iG−i , with X the number
of opponent nodes in its group. Thus, an opponent that triesto break a node anonymity should control a number X ofnodes as large as possible in the targeted node’s group. But, asnodes are spread randomly among the groups, the probabilitythat the opponent controls X nodes in a given group isequal to
∏X−1i=0
fN−iN−i . As a result, the probability that the
opponent break the sender anonymity of a given node is equalto maxX(
∏Li=0
X−iG−i−1 ∗
∏X−1i=0
fN−iN−i ). With N = 100.000,
G = 1000, f = 50%, and L = 5 this probability is equal to1.8 ∗ 10−16, which is considered extremely low.
b) Receiver anonymity.: When a node sends a messagem to a destination node nD, it ciphers m using nD’s publicpseudonym key and broadcasts it using a set of relays. Notefirst that, as explained in Section ??, the public pseudonymkey of nD cannot be linked to nD. The only node that isable to decipher the message m is node nD, using its privatepseudonym key. Nodes cannot distinguish nD from othernodes (i.e. they have no way to know that it was able todecipher the message). For an external observer, nD behaveslike every other nodes in the system : it forwards the messagem once and only once to all its direct successors in thedifferent rings. Consequently, no node is able to detect thatnD is the destination of message m. This in optimal, to breakthis anonymity the opponent must control all the node of thegroup but one.
c) Unlinkability.: RAC anonymity protocol guaranteesoptimal receiver anonymity in the groups. Consequently, it isimpossible for a node to determine the destination of a givenmessage m within a group. It is thus impossible for an externalobserver to know whether two nodes are communicating ornot. The opponent can at best know that two nodes arecommunicating using a channel. But it cannot know preciselywhich nodes. Hence, sender-receiver unlinkability follows.
2) Active opponent nodes:a) Sender anonymity.: An active opponent can try to
break sender anonymity : (1) by trying to force nodes to buildrelay paths only containing opponent nodes, or (2) by tryingto evict some nodes from the system. Evicting nodes mightreduce the number of non-malicious nodes in the system, orrenders a system that is prone to intersection attacks [17] bycomparing sent messages before and after the eviction of somenodes.
– Case 1 : an opponent node acting as relay can drop themessages it is supposed to broadcast. This forces the
sending node to build new paths and, thus, increases theprobability of that the node build a path that is totallycomposed of opponent nodes. Nevertheless, this is notan easy task since if an opponent node drops a messageit will be blacklisted by the sender that will not use itas a relay anymore. Consequently, provided there is afraction f of opponent nodes, if they coordinate theiractions, and if each time a new path is created, there isan opponent node in it, then they will be able to force atmost fN new paths to be created Ali Ithis senetence iscomlicated, lots of commas, also at the end I would add :this makes the probability of building a complete path ofopponent nodes very low. For instance, in a system ...J.In a system with N = 100.000, G = 1000, f = 50%and L = 5, the probability that opponent nodes manageto force one single node to build a path only composedof opponent nodes is at most 1.8 ∗ 10−14. This is low.Note that to reach this maximum the opponent nodeshould not be evicted due to dropping onions from othernodes than the targeted node. As the opponent cannotknow if the messages it drops have been sent by thetargeted node, this has a high probability to happen, sothe opponent will not reach this maximum.
– Case 2 : an opponent node can try to break senderanonymity by evicting nodes from the system (e.g. toallow intersection attacks [17] to be run). In RAC, a noden is evicted if : (1) fG + 1 nodes notify their groupthat the node n misbehaves, or (2) a majority of thedirect successors of node n on the different rings notifytheir group or channel that node n misbehaves. Let usconsider the first case. There are fG opponent nodesin the network. Consequently, opponent nodes alonecannot force the eviction of node n by sending a wrongnotification to the group. They need to behave in such away that at least one non-opponent node will also senda notification regarding node n. The only thing they cando is to try to stop the dissemination of some messages,so that node n will not be reached and will possiblybe blacklisted (e.g. if n was a relay for that message).Nevertheless, as shown in [14], it is possible to increasethe reliability of the broadcast by increasing the numberof rings. It is thus possible to use a number of ringsguaranteeing that opponent nodes will have an arbitrarilylow probability to succeed in evicting node n by makinga non-opponent node send a notification against it. Let usnow consider the second case. As explained in Section ??the higher the number of rings, the lower the probabilitythat node n will have a majority of opponent nodes in itsset of direct successors. Consequently, it is possible to usea number of rings guaranteeing that opponent nodes willhave an arbitrarily low probability to succeed in evictingnode n due to a majority of opponent nodes in its set ofdirect successors.b) Receiver anonymity.: Opponent nodes can try to break
receiver anonymity using the same attacks as the ones descri-
bed in the proof of the “sender anonymity” property. As wehave seen, these attacks do not succeed. Consequently, receiveranonymity is not impacted by the presence of active opponentnodes.
c) Unlinkability.: The proof is similar to the one madefor passive opponent nodes.
3) Freerider-resilience proof: In this section, we prove thatRAC tolerates freeriders. A protocol tolerates freeriders ifthey do not have any interest in deviating from the protocol.To prove this, we prove that RAC provides a Nash equili-brium [18]. Note that the proof presented in this paper makessimilar assumptions as those presented in previous worksrelated to freeriders, e.g., [19], [20], [21] Ali II think we needto recall what is Nash ?J
Theorem 1: The RAC protocol provides a Nash equilibrium.a) Assumptions on freeriders.: To reason about freeri-
ders, it is necessary to formalize their behavior. In the caseof RAC, the benefit of a node n depends of the followingparameters :
– (A) reducing the risks of comprmising its anonymity.– (T) succeeding in sending its own messages.– (R) receiving messages that are intended to it.– (F) forwarding as few messages as possible.– (C) ciphering as few messages as possible.– (D) deciphering as few messages as possible.We can define the overall benefit of a node as B = αA +
βT +γR+ δF +ωC+φD, where α ≈ β ≈ γ � δ ≈ ω ≈ φ.Intuitively, this means that nodes do not want to trade-off Ali
I‘compromise’ is usually used hereJ their anonymity and thereliable transmittion of their own messages against a lowerbandwidth and CPU consumption.
Moreover, freeriders are assumed not to collude ; they ex-pect opponent nodes to try to decrease the benefit of freeridersas much as possible ; they expect other nodes to follow theprotocol.
b) Nash equilibrium proof.: We prove Theorem 1 follo-wing the approach adopted by related works [19], [20] : wedecompose the theorem into a set of lemmas representing theprotocol steps, and we explain why it is in the best interest ofa freerider to follow the protocol at that given step. The proofof Theorem 1 directly follows from the proofs of the differentlemmas.
Lemma 1: A freerider always sends messages to all itsdirect successors in the different rings of a channel or group.
Proof: A freerider knows that up to half of its directsuccessors but one can be opponent nodes and can thus sendwrong notifications to the group or channel. Consequently, afreerider knows that it risks eviction if at least one correctsuccessor send a notification to the group or channel. Conse-quently, a freerider sends messages to all its direct successorsin the different rings.
Lemma 2: A freerider always correctly forwards the mes-sages it acts as a relay for.
Proof: A freerider n knows that the sender of a messagewill notify the group if it does not receive the messagethat node n was supposed to broadcast as a relay. Provided
that there are f × G opponent nodes in the group that cansend wrong notifications to the group, node n knows thatit is enough to be suspected by one non-opponent node tobe evicted from the system. Consequently, node n correctlyforwards the messages it acts as a relay for.
Lemma 3: A freerider always checks that its predecessorsare sending every message once and only once.
Proof: A direct predecessor that does not send a givenmessage can be an opponent node trying to run an (N-1)-attack [22] on the node. As a result, freeriders alwayschecks if all direct predecessors send them all messages theyare supposed to. A direct predecessor that sends a givenmessage twice can be an opponent node trying to run a replayattack [16] on the node. As a result freeriders always checksthat their direct predecessors do not send the same messagetwice.
Lemma 4: A freerider sends the list of nodes it suspectsduring the periodic anonymous blacklist broadcasting.
Proof: As shown in [5], the anonymous blacklist broad-casting protocol is acountable, thus a freerider participates init to avoid eviction by the network. Moreover, this messagehas a fixed-size, thus a freerider does not gain bandwidth orCPU by sending a message containing wrong information.Consequently, a freerider sends the exact list of nodes thatit suspects.
Lemma 5: A freerider broadcasts the join requests it re-ceives from nodes that want to enter in the system.
Proof: A freerider has interest in helping nodes to enterthe system because that increases its anonymity. In fact, themore nodes are in the system the more difficult for an opponentto control a significant part of the nodes. Moreover, helpingnodes to join the system ensure that opponent nodes are notthe only one to control who can join the system. If onlyopponent nodes control who can join the system they may onlyaccept opponent nodes and this way increase their chances ofbreaking anonymity. Finally, freeriders have interest in helpingnodes they want to communicate with to join the system.
Lemma 6: A freerider always sends new messages (possi-bly noise) at the rate required by the protocol.
Proof: A freerider n knows that if it omits to send newmessages (possibly noise) at the rate defined by the protocol tosome of its direct successors, the latter will accuse n to theirgroup. Moreover, node n knows that up to half of its directsuccessors but one can be opponent nodes and can thus sendwrong notifications to the trusted third party. Consequently,node n knows that it risks being evicted if at least one correctsuccessor sent a notification to the group. Consequently, noden sends messages at the required rate.
Lemma 7: A freerider always checks if its predecessorssend new messages at the rate defined by the protocol.
Proof: A freerider notifies the group or channel if one ofits direct predecessors sends a message at a higher rate thanthat defined by the protocol. Indeed, such a behavior increasesits bandwidth and CPU consumption. Moreover, a freeridernotifies the the group if one of its direct predecessors sendsmessages at lower rate than required as this can be a sign of
an opponent runing an attack.
VI. EVALUATION
In this section, we evaluate both the performance and theanonymity of RAC. We evaluate the former using simulationsand the latter using an instantition of the formulas presented inSection V. We use simulations in order to be able to evaluatethe performance of our protocol in configurations comprisingup to 100.000 nodes. The objective of this evaluation is toanswer to the following two questions :
– What is the throughput offered by RAC compared to theone of Dissent v1 and v2 when the number of nodes inthe system grows ?
– What are the anonymity guarantees of RAC compared tothose of Dissent v1, v2 and onion routing ?
We start by a presentation of our simulation settings andthe protocols configuration parameters (in sections VI-A andVI-B). We then reply to the two questions mentioned above(in sections VI-C and VI-D, respectively).
A. Simulation settings
We performed simulations using Omnet++ [23], a discreteevent simulator written in C++. Omnet++ allows emulating allthe networking stacks accurately. Using Omnet++, we simulatea network of nodes interconnected by a router. Nodes areconnected to the router using 1Gb/s links. We use this networkconfiguration as it allows to evaluate the maximum throughputenabled by each protocol.
B. Protocol configuration parameters
In all our evaluations, we considered two configurations forour RAC protocol. A configuration with no group structure,i.e., all nodes belong to a single group, and a configurationwith groups including up to 1000 nodes. We refer to these twoconfigurations as RAC-NoGroup and RAC-1000, respectively.In both configurations we used seven rings for the broadcastprotocol, i.e., R = 7 and five relays for the onion paths, i.e.,L = 5.
We have configured the number of servers of Dissent v2 insuch a way that the latter reaches the maximum throughputwith 100000 nodes. The number of servers we used is thusequal to 450. Sonia Ice chiffre de 450 est un peu parachute.est ce qu’on a une explication ?J Gautier I Is there still anexplanation in the section 2 ? The 450 is for 100.000 nodes,to do the graph we adapted the number of server to eachsimulation.J
C. Throughput
In order to compare the throughput of our protocol to theone of Dissent v1 and Dissent v2, we considered the follo-wing scenario. Consider a system with N nodes. Each noderandomly selects a destination node and sends anonymousmessages to it at the maximum throughput it can sustain.Messages sent have a fixed size of 10kB. We measure foreach protocol, the average throughput at which the N nodesreceive anonymous messages. Figure 3 shows the throughput
measured for RAC-NoGroup, RAC-1000 Gautier Iwouldn’t itbe good to introduce these names in previous subsection ?J,Dissent v1 and Dissent v2 as a function of N . In this figurewe first observe that both RAC configurations scale better thanthe two versions of Dissent. Indeed, when the system contains100000 nodes, the throughput of RAC-NoGroup and RAC-1000 are 15 times and 1300 times higher than the throughputof Dissent v2, respectively, while Dissent v1 can not evenrun in this configuration. This result was expected for theconfiguration of RAC using groups, i.e., RAC-1000. Indeed,adding nodes in the system does not have any impact onthe throughput reached by the protocol as it neither increasesthe number of broadcast messages sent in the system Gautier
Itechnicaly it increases the number of broadcast messagessent in the system. I think we have to speak about the numberof broadcast messages sent in each groupJ nor it increasesthe size of the broadcast groups. Note that the performanceof this configuration is equivalent to the performance of RAC-NoGroup when the number of nodes is lower than 1000. Thereason is that under 1000 nodes there is a single group inRAC-1000. From 1000 nodes on, we observe instead that thethroughput of RAC-1000 remains stable whatever the numberof nodes in the system.
Summarizing, RAC is a scalable protocol, which is not thecase of existing freerider resilient anonymous communicationprotocols. We discuss in the following section the impact themeasures we adopted to reach this level of scalability, on theanonymity guaranteed by our protocol.
0.01
0.1
1
10
100
1000
100 1000 10000 100000
Thr
ough
put(
kb/s
)
Number of nodes
RAC-NoGroupRAC-1000Dissent v1Dissent v2
FIGURE 3. Throughput as a function of the number of nodes in the systemfor Dissent v1, Dissent v2, RAC-NoGroup and RAC-1000.
D. Anonymity guarantees
We compare in this section the anonymity guaranteed by thetwo configurations of RAC against Dissent v1, Dissent v2 andthe onion routing protocol. Results are depicted in Table I. Thenumbers depicted in this table result from the instantiation ofthe formulas characterizing the anonymity guarantees of eachprotocol.
The first line of the table represents the size of the set towhich belongs the sender or the receiver of a given messagecaptured by an opponent. This is the easiest value an opponentcan compute. This value should not be too small as it candisclose a lot of information regarding the identity of thesender or the receiver of a message. For instance, if this valueis equal to 10, this means that the probability that a given nodeis the sender or the receiver of the message is 1
10 . From thetable we can observe that this value is the highest possible forall protocols but RAC-1000, for which it is equal to 1000, i.e.,the size of the groups. Sonia Iso what ?J
The table is then structured in three sub parts accordingthe proportion of nodes controlled by the opponent (P inthe table). We considered three values of P : 10%, 50% and90%. For each value of P we computed the probability thatthe opponent discloses the identity of the sender, the receiveror links the sender with the receiver of a given message.Results show that these probabilities and equal to zero forDissent v1 and Dissent v2. Indeed, in these protocols, theopponent must control all the nodes in the system or all thetrusted servers in Dissent v2 to break anonymity. Althoughour protocol does not exhibit ideal anonymity, similar to thetwo Dissent protocols, the probability that an opponent breaksanonymity in RAC-1000, even when the latter controls 90% ofthe nodes in the system is at most equal to 7.1∗10−11, whichis extremely low. Note that counter-intuitively, the probabilitythat an opponent breaks anonymity in RAC-1000 is lower thanit is for RAC-NoGroup. The reason is due to the fact thatin RAC-1000, a node can not choose the group to which itbelongs. Consequently, an opponent needs to control almost allthe nodes in the system for having enough nodes in the samegroup in order to break anonymity within that group. Finally,we can observe that RAC-1000 exhibits lower probabilitiesthan the ones of onion routing in all cases. This is due to tworeasons : Sonia Ibroadcast+groupes. Gautier pourrais tu ecrireune phrase stp ?J. Gautier I First, RAC-1000 has a bettersender anonymity than onion routing for the same reasons asit has a better sender anonymity than RACNoGroup. Second,to break receiver anonymity in onion routing the opponent onlyhave to control all the node on a message onion path. Weshowed in section V that to break receiver anonymity in RACthe opponent must control all the node of the destination group.Hence, a better receiver anonymity. Better unlinkability followsfrom the better receiver anonymity.J
Sonia Iconclure en disant que RAC fournit des proprietesd’anonymat largement suffisante pour un systeme distribue surInternetJ
VII. CONCLUSION
REFERENCES
[1] D. Chaum, “The dining cryptographers problem : Unconditional senderand recipient untraceability,” Journal of Cryptology, vol. 1, 1988.
[2] D. G. et al., “Onion routing,” Commun. ACM, vol. 42, pp. 39–41,February 1999.
[3] M. K. R. et al., “Crowds : anonymity for web transactions,” ACM Trans.Inf. Syst. Secur., vol. 1, pp. 66–92, November 1998.
System with 100.000 nodes Dissent v1 Dissent v2 Onion RAC-NoGroup RAC-1000Anonymity, the sender/receiver is one among 100.000 100.000 100.000 100.000 1000
opponent nodes (P) Anonymity Type (T)Sender 0 0 0.53 0.53 7.1 ∗ 10−11
90% Receiver 0 0 0.53 0 1.1 ∗ 10−46
Probability to break Unlinkability 0 0 0.53 0 1.1 ∗ 10−46
a given node Sender 0 0 1.5 ∗ 10−2 1.5 ∗ 10−2 1.8 ∗ 10−16
anonymity of type T 50% Receiver 0 0 1.5 ∗ 10−2 0 1.2 ∗ 10−303
when controling Unlinkability 0 0 1.5 ∗ 10−2 0 1.2 ∗ 10−303
P% of the nodes Sender 0 0 9.9 ∗ 10−7 9.9 ∗ 10−7 7.3 ∗ 10−22
10% Receiver 0 0 9.9 ∗ 10−7 0 5.8 ∗ 10−1020
Unlinkbility 0 0 9.9 ∗ 10−7 0 5.8 ∗ 10−1020
TABLE IANONYMITY GUARANTEED BY THE VARIOUS PROTOCOLS IN A SYSTEM OF 100.000 NODES
[4] S. G. et al., “Herbivore : A scalable and efficient protocol for anonymouscommunication. tech rep.” Cornell University, Tech. Rep., 2003.
[5] H. C.-G. et al., “Dissent : accountable anonymous group messaging,” inProceedings of CCS, 2010.
[6] D. W. et al., “Dissent in numbers : Making strong anonymity scale,” inProceedings of OSDI, 2012.
[7] A. P. et al., “Anonymity, unlinkability, undetectability, unobservability,pseudonymity, and identity management – a consolidated proposal forterminology,” 2008.
[8] M. W. et al., “The dining cryptographers in the disco : Unconditionalsender and recipient untraceability with computationally secure servi-ceability,” in Proceedings of EUROCRYPT, 1990.
[9] A. Juels, “Dining cryptographers revisited,” in Proceedings of EURO-CRYPT, 2004.
[10] M. E. et al., “On anonymity in an electronic society : Asurvey of anonymous communication systems,” ACM Comput. Surv.,vol. 42, no. 1, pp. 5 :1–5 :35, Dec. 2009. [Online]. Available :http ://doi.acm.org/10.1145/1592451.1592456
[11] R. D. et al., “Tor : the second-generation onion router,” in Proceedingsof USENIX Security, 2004.
[12] L. Z. et al., “Cashmere : resilient anonymous routing,” in Proceedingsof NSDI, 2005.
[13] M. J. F. et al., “Tarzan : a peer-to-peer anonymizing network layer,” inProceedings of CCS, 2002, pp. 193–206.
[14] J. H. et al., “Fireflies : scalable support for intrusion-tolerant networkoverlays,” in Proceedings of EuroSys, 2006, pp. 3–13.
[15] A. K. et al., “Probabilistic reliable dissemination in large-scale systems,”IEEE Trans. Parallel Distrib. Syst., 2003.
[16] R. P. et al., “A new replay attack against anonymous communicationnetworks,” in Proceedings of ICC, may 2008.
[17] J. Raymond, “Traffic analysis : Protocols, attacks, design issues, andopen problems,” in Designing Privacy Enhancing Technologies, 2001.
[18] J. Nash, “Non-Cooperative Games,” The Annals of Mathematics, vol. 54,no. 2, 1951.
[19] A. S. A. et al., “BAR Fault Tolerance for Cooperative Services,” inProceedings of SOSP, October 2005.
[20] H. C. L. et al., “BAR Gossip,” in Proceedings of OSDI, 2006.[21] S. B. et al., “FireSpam : Spam Resilient Gossiping in the BAR Model,”
in Proceedings of SRDS, October 2010.[22] A. S. et al., “From a trickle to a flood : Active attacks on several mix
types,” in Information Hiding, 2003.[23] A. V. et al., “An overview of the omnet++ simulation environment,” in
Proceedings of Simutools, 2008.
