USOR an Unobservable Secure OnDemand

1922 IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, VOL. 11, NO. 5, MAY 2012

USOR: An Unobservable Secure On-DemandRouting Protocol for Mobile Ad Hoc Networks

Zhiguo Wan, Kui Ren, and Ming Gu

Abstract—Privacy-preserving routing is crucial for some adhoc networks that require stronger privacy protection. A num-ber of schemes have been proposed to protect privacy in adhoc networks. However, none of these schemes offer completeunlinkability or unobservability property since data packets andcontrol packets are still linkable and distinguishable in theseschemes. In this paper, we define stronger privacy requirementsregarding privacy-preserving routing in mobile ad hoc networks.Then we propose an unobservable secure routing scheme USORto offer complete unlinkability and content unobservability for alltypes of packets. USOR is efficient as it uses a novel combinationof group signature and ID-based encryption for route discovery.Security analysis demonstrates that USOR can well protect userprivacy against both inside and outside attackers. We implementUSOR on ns2, and evaluate its performance by comparing withAODV and MASK. The simulation results show that USOR notonly has satisfactory performance compared to AODV, but alsoachieves stronger privacy protection than existing schemes likeMASK.

Index Terms—Routing protocols, security, privacy, anonymity.

I. INTRODUCTION

PRIVACY protection of mobile ad hoc networks is moredemanding than that of wired networks due to the open

nature and mobility of wireless media. In wired networks, onehas to gain access to wired cables so as to eavesdrop commu-nications. In contrast, the attacker only needs an appropriatetransceiver to receive wireless signal without being detected.In wired networks, devices like desktops are always staticand do not move from one place to another. Hence in wirednetworks there is no need to protect users’ mobility behavioror movement pattern, while this sensitive information shouldbe kept private from adversaries in wireless environments.Otherwise, an adversary is able to profile users according totheir behaviors, and endanger or harm users based on suchinformation. Lastly, providing privacy protection for ad hocnetworks with low-power wireless devices and low-bandwidthnetwork connection is a very challenging task.

With regard to privacy-related notions in communicationnetworks, we follow the terminology on anonymity, unlinka-bility, and unobservability discussed in [1]. These notions are

Manuscript received August 19, 2011; revised December 1, 2011; acceptedFebruary 3, 2012. The associate editor coordinating the review of this paperand approving it for publication was S. Bahk.

Z. Wan and M. Gu are with the MOE Key Laboratory for InformationSystem Security, School of Software, Tsinghua National Laboratory forInformation Science and Technology, Tsinghua University, Beijing 100084,China (e-mail: {wanzhiguo, guming}@tsinghua.edu.cn).

K. Ren is with the ECE Department, Illinois Institute of Technology, USA(e-mail: [email protected]).

Digital Object Identifier 10.1109/TWC.2012.030512.111562

defined with regard to item of interest (IOI, including senders,receivers, messages, etc.) as follows:

• Anonymity is the state of being not identifiable withina set of subjects, the anonymity set.

• Unlinkability of two or more IOIs means these IOIsare no more or no less related from the attacker’sview.

• Unobservability of an IOI is the state that whether itexists or not is indistinguishable to all unrelated sub-jects, and subjects related to this IOI are anonymousto all other related subjects.

In above definitions, related and unrelated subjects refer tosubjects involved or not involved in network operations likerouting or message forwarding.

Privacy protection in routing of MANET has interesteda lot of research efforts. A number of privacy-preservingrouting schemes have been brought forward. However, exist-ing anonymous routing protocols mainly consider anonymityand partial unlinkability in MANET, most of them exploitasymmetric feature of public key cryptosystems to achievetheir goals. Complete unlinkability and unobservability arenot guaranteed due to incomplete content protection. Existingschemes fail to protect all content of packets from attackers,so that the attacker can obtain information like packet typeand sequence number etc. This information can be used torelate two packets, which breaks unlinkability and may lead tosource traceback attacks. Meanwhile, unprotected packet typeand sequence number also make existing schemes observableto the adversary. Until now, there is no solution being able toachieve complete unlinkability and unobservability.

Unfortunately, unlinkability alone is not enough in hostileenvironments like battlefields as important information likepacket type is still available to attackers. Then a passiveattacker can mount traffic analysis based on packet type[2]. Inthis case, it is preferable to make the traffic content completelyunobservable to outside attackers so that a passive attackeronly overhears some random noises. However, this is farfrom an easy task because it is extremely difficult to hideinformation on packet type and node identity. Furthermore, ahint on using which key for decryption should be providedin each encrypted packet, which demands careful designto remove linkability. Another drawback of most previousschemes is that they rely heavily on public key cryptography,and thus incur a very high computation overhead.

Among these requirements unobservability is the strongestone in that it implies not only anonymity but also unlink-ability. To achieve unobservability, a routing scheme shouldprovide unobservability for both content and traffic pattern.

1536-1276/12$31.00 c© 2012 IEEE

WAN et al.: USOR: AN UNOBSERVABLE SECURE ON-DEMAND ROUTING PROTOCOL FOR MOBILE AD HOC NETWORKS 1923

Hence we further refine unobservability into two types: 1)Content Unobservability, referring to no useful informationcan be extracted from content of any message; 2) TrafficPattern Unobservability, referring to no useful informationcan be obtained from frequency, length, and source-destinationpatterns of message traffic. This paper will focus on contentunobservability, which is orthogonal to traffic pattern unob-servability, and it can be combined with mechanisms offeringtraffic pattern unobservability to achieve truly unobservablecommunication. The major mechanisms to achieve trafficpattern unobservability include MIXes [3] and traffic padding[2].

In this paper, we propose an efficient privacy-preservingrouting protocol USOR that achieves content unobservabilityby employing anonymous key establishment based on groupsignature. The setup of USOR is simple: each node only has toobtain a group signature signing key and an ID-based privatekey from an offline key server or by a key management schemelike [4]. The unobservable routing protocol is then executedin two phases. First, an anonymous key establishment processis performed to construct secret session keys. Then an unob-servable route discovery process is executed to find a routeto the destination. The contributions of this paper include: 1)we provide a thorough analysis of existing anonymous routingschemes and demonstrate their vulnerabilities. 2) we proposeUSOR, to our best knowledge, the first unobservable routingprotocol for ad hoc networks, which achieves stronger privacyprotection over network communications. 3) detailed securityanalysis and comparison between USOR and other relatedschemes are presented in the paper. 4) we implemented USORon ns2 and evaluated its performance by comparing it with thestandard implementation of AODV in ns2.

We emphasize that our scheme USOR is to protect all partsof a packet’s content, and it is independent of solutions ontraffic pattern unobservability. And it can be used with appro-priate traffic padding schemes to achieve truly communicationunobservability.

The rest of the paper is organized as follows. In next section,we discuss related work on anonymous routing schemes forad hoc networks. Then we describe our unobservable routingscheme in Section III. After that we analyze the proposedscheme against various attacks. We also compare it with otheranonymous routing schemes. In Section V, we implement andevaluate performance of USOR. Finally, we summarize andconclude the paper.

II. RELATED WORK

A number of anonymous routing schemes have been pro-posed for ad hoc networks in recent years, and they providedifferent level of privacy protection at different cost. Mostof them rely on public key cryptosystems (PKC) to achieveanonymity and unlinkability in routing. Although asymmetryof PKC can provide better support for privacy protection,expensive PKC operations also bring significant computationoverhead.

Most schemes are PKC-based and the ANODR schemeproposed by Kong et al. [5] is the first one to provideanonymity and unlinkability for routing in ad hoc networks.

Based on onion routing for route discovery, ANODR usesone-time public/private key pairs to achieve anonymity andunlinkability, but unobservability of routing messages is notconsidered in its design. During the route discovery process,each intermediate node creates a one-time public/private keypair to encrypt/decrypt the routing onion, so as to break thelinkage between incoming packets and corresponding outgoingpackets. However, packets are publicly labeled and the attackeris able to distinguish different packet types, which fails toguarantee unobservability as discussed.

Meanwhile, both generation of one-time PKC key pairs (thiscan be done during idle time) and PKC encryption/decryptionpresent significant computation burden for mobile nodes in adhoc networks.

ASR [6], ARM [7], AnonDSR [8] and ARMR [9] also makeuse of one-time public/private key pairs to achieve anonymityand unlinkability. ASR is designed to achieve stronger locationprivacy than ANODR, which ensures nodes on route have noinformation on their distance to the source/destination node.As the routing onion used in ANODR exposes distance infor-mation to intermediate nodes, ASR abandons the onion routingtechnique while still make use of one-time public/private keypair for privacy protection. ARM [7] considered to reducecomputation burden on one-time public/private key pair gen-eration. Different from the above schemes, ARMR [9] usesone-time pubkic keys and bloom filter to establish multipleroutes for MANETs.

Besides one-time public/private key pairs, SDAR [10] andODAR [11] use long-term public/private key pairs at eachnode for anonymous communication. These schemes are morescalable to network size, but require more computation effort.For example, SDAR is similar to ARM except ARM usesshared secrets between source and destination for verification.Unfortunately, ODAR provides only identity anonymity butnot unlinkability for MANET, since the entire RREQ/RREPpackets are not protected with session keys. A more recentscheme [12] provides a solution for protecting privacy for agroup of interconnected MANETs, but it has the same problemas ODAR.

MASK [13] is based on a special type of public key cryp-tosystem, the pairing-based cryptosystem, to achieve anony-mous communication in MANET. MASK requires a trustedauthority to generate sufficient pairs of secret points and cor-responding pseudonyms as well as cryptographic parameters.Hence the setup of MASK is quite expensive and may bevulnerable to key pair depletion attacks. The RREQ flag isnot protected and this enables a passive adversary to locatethe source node. Moreover, the destination node’s identity is inclear in route request packets. Though this would not disclosewhere and who the destination node is, an adversary can easilyrecover linkability between different RREQ packets with thesame destination, which actually violates receiver anonymityas defined in [1].

An anonymous location-aided routing scheme ALARM[14] makes use of public key cryptography and the groupsignature to preserve privacy. The group signature has agood privacy preserving feature in that everyone can verifya group signature but cannot identify who is the signer. ButALARM still leaks quite a lot sensitive privacy information:


network topology, location of every node. Similar to ALARM,PRISM [15] also employs location information and groupsignature to protect privacy in MANETs.

A closely related research direction along this line isanonymous routing in peer-to-peer systems, which has beeninvestigated heavily too. Interested readers are referred to[16],[17] for details.

To summarize, public key cryptosystems have a preferableasymmetric feature, and it is well-suited for privacy protectionin MANET. As a result, most anonymous routing schemesproposed for MANET make use of public key cryptosystemsto protect privacy. However, existing schemes provide onlyanonymity and unlinkability, while unobservability is neverconsidered or implemented by now. An obvious drawbackin existing schemes is that packets are not protected as awhole. Information like packet types, trapdoor information,public keys is simply unprotected in current proposals, andthese can be exploited by a global adversary to obtain usefulinformation. A summary of anonymous routing protocolsdiscussed above is given in Table I.

III. USOR: AN UNOBSERVABLE ROUTING SCHEME

In this section we present an efficient unobservable routingscheme USOR for ad hoc networks. In this protocol, bothcontrol packets and data packets look random and indistin-guishable from dummy packets for outside adversaries. Onlyvalid nodes can distinguish routing packets and data packetsfrom dummy traffic with inexpensive symmetric decryption.The intuition behind the proposed scheme is that if a nodecan establish a key with each of its neighbors, then it can usesuch a key to encrypt the whole packet for a correspondingneighbor. The receiving neighbor can distinguish whether theencrypted packet is intended for itself by trial decryption. Inorder to support both broadcast and unicast, a group key anda pairwise key are needed. As a result, USOR comprises twophases: anonymous trust establishment and unobservable routediscovery.

The unobservable routing scheme USOR aims to offer thefollowing privacy properties.

1) Anonymity: the senders, receivers, and intermediatenodes are not identifiable within the whole network, thelargest anonymity set.

2) Unlinkability: the linkage between any two or moreIOIs from the senders, the receivers, the intermediatenodes, and the messages is protected from outsiders.Note linkage between any two messages, e.g., whetherthey are from the same source node, are also protected.

3) Unobservability: any meaningful packet in the routingscheme is indistinguishable from other packets to anoutside attacker. Not only the content of the packet butalso the packet header like packet type are protectedfrom eavesdroppers. And any node involved in routediscovery or packet forwarding, including the sourcenode, destination node, and any intermediate node, isnot aware of the identity of other involved nodes (alsoincluding the source node, the destination node, or anyother intermediate nodes).

A. Assumptions, System Setup and Attack Model

Assumptions: Since we use the group signature scheme in[18] and the ID-based encryption scheme in [19], we followthe same assumptions and definitions. We assume solving theelliptic curve discrete log problem (ECDLP) and the bilinearDiffie-Hellman problem (BDH) on the two groups is hard.

Both the group signature scheme and the ID-based schemeare based on pairing of elliptic curve groups of order of a largeprime (e.g. 170-bit long), so that they have the same securitystrength as the 1024-bit RSA algorithm [18], [19].

System Setup: We consider an ad hoc network consisting nnodes. In this network, all nodes have the same communicationrange, and each node can move around within the network. Anode can communicate with other nodes within its transmis-sion range, and these nodes are called its neighbors. For nodesoutside of one’s transmission range, one has to communicatevia a multi-hop path. We assume the ad hoc network is allconnected, and each node has at least one neighbor. Nodesdo not use physical addresses like MAC addresses in dataframes to avoid being identified by others. Instead, they settheir network interfaces in the promiscuous mode to receiveall the MAC frames that can be detected in the neighborhood.This is important to prevent traffic analysis based on MACaddresses.

Before the ad hoc network starts up, by following thegroup signature scheme, a key server generates a group publickey gpk which is publicly known by everyone, and it alsogenerates a private group signature key gskX for each nodeX . The group signature scheme ensures full-anonymity, whichmeans a signature does not reveal the signer’s identity buteveryone can verify its validity.

The setup of the ID-based encryption scheme is as follows.Let G1, G2 be an elliptic curve group of order q. An admissi-ble bilinear mapping e : G1 ×G1 → G2 is defined as in [13].The key server chooses a master secret s ∈ Z∗

q and generatesthe ID-based private key for node X as KX = s · H1(X).A random generator P is also selected by the server. Thecorresponding public key is 〈q,G1,G2, e, P, Ppub, H1〉, inwhich Ppub = s · P .

Attack Model: With regard to the adversary model, weassume a global adversary that is capable of monitoring trafficof the entire ad hoc network. The adversary can monitor andrecord content, time, and size of each packet sent over thenetwork, and analyzes them to obtain information on who isthe source or the destination of packets, who is communicatingwith whom etc. Meanwhile, the adversary can mount activeattacks afar or nearby, e.g., injecting, modifying, droppingpackets within the network. However, the adversary cannotlaunch wormhole attacks [20] to attract a large amount ofnetwork traffic. The adversary is able to compromise one ormore nodes to make his attack more successfully, but eachnode has at least one legitimate(uncompromised) neighborafter node compromise attack. As a result, the adversaryintends to break the aforementioned privacy properties, i.e.,anonymity, unlinkability and unobservability.

We assume the adversary has only bounded computationcapability, and is not capable of breaking the aforementionedpairing-based cryptosystem as well as symmetric cryptosys-tems with appropriate key length.


TABLE ICOMPARISON OF ANONYMOUS ROUTING PROTOCOLS

Cryptosystems Sender Anonymity Receiver Anonymity Observable Info.ANODR One-time PKC Yes Yes Sequence no., trapdoor info., RREQ/RREP tag

ASR One-time PKC Yes Yes Sequence no., trapdoor info., RREQ/RREP tagARM One-time PKC Yes Yes Trapdoor info., RREQ/RREP tag

AnonDSR One-time PKC Yes Yes Trapdoor info., RREQ/RREP tagARMR One-time PKC Yes Yes RREQ/RREP tagSDAR Long-term & One-time PKC Yes Yes Trapdoor info., RREQ/RREP tagODAR Long-term & One-time PKC Yes Yes Trapdoor info., RREQ/RREP tag

ALARM Long-term PKC Yes Yes RREQ/RREP tag, LocationPRISM Long-term PKC Yes Yes RREQ/RREP tag, LocationMASK One-time Pairing Yes No RREQ ID, Dest. ID

TABLE IINOTATIONS

A A node in the ad hoc network, and its real identitys The master secret key owned by the key serverq A 170-bit prime numberP Generator of the elliptic curve group G1

Hi(∗) Secure one-way hash functions, i = 1, 2, 3 †gskA Node A’s private group signature keygpk The public group signature verification keyKA Node A’s private ID-based key which is s ·H1(A)

EA(∗) ID-based encryption using A’s public keykA∗ A local broadcast key within A’s neighborhoodkAX A pairwise session key shared between A and X

NymA The pseudonym only valid within A’s neighborhoodNymAX The pseudonym shared between A and X

† H1 maps a node identity to an element in G1, H2 maps an element inG1 to a session key, H3 maps a session key and a random nonce to a randompseudonym.

B. The Unobservable Routing Scheme

The unobservable routing scheme comprises of two phases:anonymous key establishment as the first phase and the routediscovery process as the second phase. In the first phase ofthe scheme, each node employs anonymous key establishmentto anonymously construct a set of session keys with each ofits neighbors. Then under protection of these session keys, theroute discovery process can be initiated by the source node todiscover a route to the destination node. Notations used in thedescription of the scheme is listed in the Table II.

1) Anonymous Key Establishment: In this phase, everynode in the ad hoc network communicates with its directneighbors within its radio range for anonymous key establish-ment. Suppose there is a node S with a private signing keygskS and a private ID-based key KS in the ad hoc network,and it is surrounded by a number of neighbors within its powerrange. Following the anonymous key establishment procedure,S does the following:

(1) S generates a random number rS ∈ Z∗q and computes

rSP , where P is the generator of G1. It then com-putes a signature of rSP using its private signing keygskS to obtain SIGgskS (rSP ). Anyone can verify thissignature using the group public key gpk. It broadcast〈rSP, SIGgskS (rSP )〉 within its neighborhood.

(2) A neighbor X of S receives the message from Sand verifies the signature in that message. If theverification is successful, X chooses a random numberrX ∈ Z∗

q and computes rXP . X also computes

SX

)(:.3

)(),(,:.2

)(,:.1

*

*

Sk

XkXgskX

SgskS

kEXS

kEPrSIGPrSX

PrSIGPrS

SX

SXX

S

Fig. 1. Anonymous key establishment. S broadcast the first message to itsdirect neighbors. Each of S’s neighbors does the same things as X does tolearn S’s local broadcast key. kSX = H2(rSrXP ).

a signature SIGgskX (rSP |rXP ) using its ownsigning key gskX . X computes the session keykSX = H2(rSrXP ), and replies to S with message〈rXP, SIGgskX (rSP |rXP ), EkSX (kX∗|rSP |rXP )〉,where kX∗ is X’s local broadcast key.

(3) Upon receiving the reply from X , S verifies the signa-ture inside the message. If the signature is valid, S pro-ceeds to compute the session key between X and itselfas kSX = H2(rSrXP ). S also generates a local broad-cast key kS∗, and sends EkSX (kS∗|kX∗|rSP |rXP ) toits neighbor X to inform X about the established localbroadcast key.

(4) X receives the message from S and computes the samesession key as kSX = H2(rSrXP ). It then decrypts themessage to get the local broadcast key kS∗.

Figure 1 illustrates the anonymous key establishment pro-cess. Note that the messages exchanged in this phase are notunobservable, but this would not leak any private informationlike node identities. As a result of this phase, a pairwisesession key kSX is constructed anonymously, which means thetwo nodes establish this key without knowing who the otherparty is. Meanwhile, node S establishes a local broadcast keykS∗, and transmits it to all its neighbors. It is used for per-hopprotection for subsequent route discovery.

The key establishment protocol is designed following theprincipal of KAM [21], which employs Diffie-Hellman keyexchange and secure MAC code. It can effectively prevent re-play attacks and session key disclosure attack, and meanwhile,it achieves key confirmation for established session keys.KAM has been proved to be secure under the oracle Diffie-Hellman assumption and the hash Diffie-Hellman assumption.Our key establishment protocol uses elliptic curve Diffie-Hellman (ECDH) key exchange to replace Diffie-Hellman keyexchange, and uses group signature to replace MAC code.


Route Request

S A C D

)),,,(,,(,,:)1(*

seqnoPrDSENRREQENymNonce SDSkSS S

)),,,(,,(,,:)2(*

seqnoPrDSENRREQENymNonce SDAkAA A

)),,,(,,(,,:)3(*

seqnoPrDSENRREQENymNonce SDCkCC C

(1) (2) (3)

B

SN AN BN CN

S A B C D

)),,,,(,,(,,:)4( seqnoPrPrSDENRREPENymNonce DSSCkCDD CD

)),,,,(,,(,,:)5( seqnoPrPrSDENRREPENymNonce DSSBkBCC BC

)),,,,(,,(,,:)6( seqnoPrPrSDENRREPENymNonce DSSSkSAA SA

(4)(5)(6)

SN AN BN CN

S A B C D

))(,,,(,,:)9( payloadEseqnoNDATAENymNonceSDCD kCkCDC

))(,,,(,,:)8( payloadEseqnoNDATAENymNonceSDAB kAkABA

))(,,,(,,:)7( payloadEseqnoNDATAENymNonceSDSA kSkSAS

(7) (9)(8)

SN AN BN CN

Route Reply

Data

Fig. 2. USOR route request, route reply and data packet transmission.

Consequently, the security of our protocol can be derived usingthe same proof technique of KAM. Due to space limit, wedo not elaborate proof details here, but interested readers arereferred to [21].

2) Privacy-Preserving Route Discovery: This phase is aprivacy-preserving route discovery process based on the keysestablished in previous phase. Similar to normal route discov-ery process, our discovery process also comprises of routerequest and route reply. The route request messages floodthroughout the whole network, while the route reply messagesare sent backward to the source node only.

Suppose there is a node S (source) intending to find a routeto a node D (destination), and S knows the identity of thedestination node D. Without loss of generality, we assumethree intermediate nodes between S and D, as illustrated inFig. 2. The route discovery process executes as follows:

Route Request (RREQ): S chooses a random numberrS , and uses the identity of node D to encrypt a trapdoorinformation that only can be opened with D’s private ID-based key, which yields ED(S,D, rSP ). S then selects asequence number seqno for this route request, and anotherrandom number NS as the route pseudonym, which is used asthe index to a specific route entry. To achieve unobservability,S chooses a nonce NonceS and calculates a pseudonym asNymS = H3(kS∗|NonceS).

Each node also maintains a temporary entry in hisrouting table 〈seqno, Prev RNym, Next RNym,Prev hop,Next hop〉, where seqno is the route requestsequence number, Prev RNym denotes the route pseudonymof previous hop, Next RNym is the route pseudonym ofnext hop, Prev hop is the upstream node and Next hop isthe downstream node along the route. As any node does notknow the real identity of its upstream or downstream node The

entry maintained by S temporarily is 〈seqno,−, NS,−,−〉.After that, S encrypts these items using its local broad-

cast key kS∗ to obtain EkS∗(RREQ,NS, ED(S,D, rSP )).Finally, S broadcast the following unobservable route requestto its neighbors:

NonceS ,NymS , EkS∗(RREQ,NS , ED(S,D, rSP ), seqno). (1)

Upon receiving the route request message from S, A triesall his session keys shared with all neighbors to calculateH3(kX∗|NonceS) or H3(kXA|NonceS) to see which onematches the received NymS . Then A would find out kS∗satisfies NymS = H3(kS∗|NonceS), so he uses kS∗ todecrypt the ciphertext. After finding out this is a route requestpacket, A tries to decrypt ED(S,D, rSP ) using his private ID-based key to see whether he is the destination node. To avoidRREQ broadcasting storm, A will check if he has receivedthe same request before by looking up in his cache, whichincludes a list of NS and seqno. If it is not a duplicate RREQ,A caches NS and seqno for a given time to detect multiplereceipt of the same RREQ packet.

In this example, A is not the destination and his trial fails,so he acts as an intermediate node. A generates a nonceNonceA and a new route pseudonym NA for this route. Hethen calculates a pseudonym NymA = H3(kA∗|NonceA). Healso records the route pseudonyms and sequence number inhis routing table for purpose of routing, and the correspondingtable entry he maintained is 〈seqno,NS, NA, S,−〉. At theend, A prepares and broadcast the following message to allits neighbors:

NonceA,NymA, EkA∗(RREQ,NA, ED(S,D, rSP ), seqno).(2)

Other intermediate nodes do the same as A does. Finally,the destination node D receives the following message fromC:

NonceC ,NymC , EkC∗(RREQ,NC , ED(S,D, rSP ), seqno).(3)

Likewise, D finds out the correct key kC∗ according to theequation NymC = H3(kC∗|NonceC). After decrypting theciphertext using kC∗, D records route pseudonyms and thesequence number into his route table. Then D successfullydecrypts ED(S,D, rSP ) to find out he is the destination node.D may receive more than one route request messages thatoriginate from the same source and have the same destinationD, but he just replies to the first arrived message and dropsthe following ones. The route table entry recorded by D is〈seqno,NC ,−, C,−〉.

Route Reply (RREP): After node D finds out he is the des-tination node, he starts to prepare a reply message to the sourcenode. For route reply messages, unicast instead of broadcastis used to save communication cost. D chooses a randomnumber rD and computes a ciphertext ES(D,S, rSP, rDP )showing that he is the valid destination capable of opening thetrapdoor information. A session key kSD = H2(rSrDP |S|D)is computed for data protection. Then he generates a newpairwise pseudonym NymCD = H3(kCD|NonceD) between


TABLE IIIROUTE TABLE FOR ALL NODES IN THE EXAMPLE: EACH NODE HAS ONLY

ONE ROW OF THE TABLE.

Seqno P RNym N RNym Prev Hop Next HopS seqno - NS - k∗AA seqno NS NA k∗S k∗BB seqno NA NB k∗A k∗CC seqno NB NC k∗B k∗DD seqno NC - k∗C -

C and him. At the end, using the pairwise session key kCD,he computes and sends the following message to C:

NonceD,NymCD, EkCD (RREP,NC , ES(D, S, rSP, rDP ), seqno).(4)

When C receives the above message from D, he iden-tifies who the sender of the message is by evaluating theequation NymCD = H3(kCD|NonceD). So he uses theright key kCD to decrypts the ciphertext, then he finds outwhich route this RREP is related to according to the routepseudonym NC and seqno. C then searches his route tableand modifies the temporary entry 〈seqno,NB, NC , B,−〉 into〈seqno,NB, NC , B,D〉. At the end, C chooses a new nonceNonceC , computes NymBC = H3(kBC |NonceC), and sendsthe following message to B:

NonceC ,NymBC , EkBC (RREP,NB , ES(D, S, rSP, rDP ), seqno).(5)

Other intermediate nodes perform the same operations asC does. Finally, the following route reply is sent back to thesource node S by A in our example illustrated in the Fig. 2:

NonceA,NymSA, EkSA(RREP,NS, ES(D,S, rSP, rDP ), seqno).(6)

S decrypts the ciphertext using the right key kSA andverifies that ES(D,S, rSP, rDP ) is composed faultlessly.Now S is ensured that D has successfully opened the routerequest packet, and the route reply is really originated fromthe destination node D. S also computes the same session keykSD = H2(rSrDP |S|D) as D does. Till now, S has success-fully found a route to the destination node D, and the routediscovery process is finished with success. S then finds andmodifies his temporary route table entry 〈seqno,−, NS,−,−〉into 〈seqno,−, NS,−, A〉.

The final route table for each node is as in Table III, andFig. 2 illustrates the detailed routing messages.

3) Unobservable Data Packet Transmission: After thesource node S successfully finds out a route to the destinationnode D, S can start unobservable data transmission under theprotection of pseudonyms and keys. As illustrated in Fig. 2,data packets from S must traverse A, B, and C to reach D.The data packets sent by S take the following format (DATAdenotes the packet type):

NonceS ,NymSA, EkSA(DATA,NS , seqno,EkSD (payload)).(7)

Upon receiving the above message from S, A knows that

this message is for him according to the pseudonym NymSA.After decryption using the right key, A knows this messageis a data packet and should be forwarded to B according toroute pseudonym NS . Hence he composes and forwards thefollowing packet to B:

NonceA,NymAB , EkAB (DATA,NA, seqno,EkSD (payload)).(8)

The data packet is further forwarded by other intermediatenodes until it reaches the destination node D. At the end, thefollowing data packet is received by D:

NonceC ,NymCD, EkCD (DATA,NC , seqno,EkSD (payload)).(9)

By looking up in his route table, D knows himself isthe destination of this packet. So he is able to decrypt theencrypted payload with the session key kSD . Fig. 2 illustratesdata transmission in USOR.

IV. SECURITY AND PRIVACY ANALYSIS

In this section, we introduce an information theoretic metricto quantify privacy in anonymous routing protocols, and thenwe employ it to evaluate privacy of USOR and other existingschemes. Next, we discuss issues on anonymity, unlinkability,and unobservability against the global adversary who cancontinuously monitor the whole network.

A. Privacy Metric and Analysis

We adopt an information theoretic approach [22] to measurenetwork privacy provided by USOR and MASK (or ANODR).The entropy-based privacy metric is obtained according to theprobability distribution of a node being the sender (resp. thereceiver). Specifically, we consider the sender anonymity ofRREQ packets in our analysis. The sender anonymity is com-puted by Hk = −∑

pi log2 pi, where pi is the probability ofnode i being the sender of a packet RREQk. If the anonymityset, i.e., the set of nodes that are the possible sender, is AS,and nodes in AS are equally possible to be the sender, thenthe sender anonymity is Hk =

∑ 1|AS| log2 |AS| = log2 |AS|.

This metric represents the bits of information that an attackerneeds to identify the sender of the packet RREQk. When theanonymity set is the whole network, the sender anonymitygets the maximum value. In the following analysis, we alwaysassume nodes in the anonymity set have the same probabilityto be the sender.

For schemes like ANODR or MASK, RREQ tags arepublicly known and RREQ packets with the same ID belongto the same session. A node nearer to the source nodereceives the RREQ packet earlier than a farther node. Basedon this observation, a simple but effective attack to reducethe anonymity set can be launched. Suppose there are meavesdropping nodes controlled by the attacker, and t of them,labeled as ni1 , ni2 , ..., nit , receive RREQ packets with thesame sequence number in subsequent time. Then the possiblesource of the RREQ packet is the one whose coordinate (x, y)satisfies the following condition:

√(x− xir )

2 + (y − yir )2 <

√(x − xis)

2 + (y − yis)2,(10)


A

D

C

B

E

S

1

2

3

Fig. 3. A Simple Example on Sender Anonymity Reduction: Source nodeS initiates a route discovery process to the destination node E. There arethree eavesdropping nodes (1-3) controlled by the attacker. The two dashlines are mid-perpendiculars between node 1 and node 2, node 2 and node3, respectively. According to the RREQ packet forwarding time, the attackercan reduce the possible source of the RREQ to the grey nodes.

where 1 ≤ r < s ≤ t, and (xir , yir), (xis , yis) are coordinatesof node nir , nis . The nodes that satisfy condition (10) formthe anonymity set AS. This method is effective as long as thenetwork has no extraordinary congestion.

An example is illustrated in Fig. 3, the anonymity set iscomposed of the four grey nodes. As a result, the senderanonymity of the RREQ packet can be computed as H =log2 4 = 2. That is, the attacker needs 2-bit information toidentify who is the real sender. It can be seen that if theattacker can control more eavesdropping nodes then he is ableto obtain more information on who might be the sender.

B. Discussion

The fundamental difference between USOR and ANODR orAnonDSR is that USOR relies on established keys betweenneighboring nodes to achieve privacy protection, while theother two schemes depend on onion encryption and end-to-end security. Consequently, per-hop protection in USOR canprovide complete unlinkability and unobservability efficiently,but ANODR and AnonDSR fail to protect linkability orobservability of messages. Another advantage of USOR overANODR is the constant size of routing packets. This makesUSOR more advantageous as the attacker cannot obtain privateinformation from packet size, while ANODR has to deal withthis issue by padding packets to the same size.

The neighboring nodes authentication in USOR makes useof group signatures, while MASK uses one-time pairing-basedkeys for preserving privacy. Because these one-time pairing-based keys are generated by a trusted party beforehand, thusMASK has to face the problem of one-time key depletion.Moreover, MASK leaks identity information of the destinationnode during routing discovery, not to mention the disclosure ofpacket types. However, all these information is well-protectedin USOR.

Anonymity. User anonymity is implemented by group sig-nature which can be verified without disclosing one’s identity.Group signature is used to establish session keys betweenneighboring nodes, so that they can authenticate each other

anonymously. And subsequent routing discovery procedure isbuilt on top of these session keys. Hence it is easy to see thatUSOR fulfills the anonymity requirement under both passiveand active attacks, as long as the group signature is secure.

Unlinkability. Let’s consider the three types of packetsdefined in Section III-B2. In these packets, they are identifiedby pseudonyms which are generated from random noncesand secret session keys. The nonces are only used once andnever reused, and so are the pseudonyms. Except the randomnonce and the pseudonym, the remaining part of the message,including the trapdoor information in the route request, isdecrypted and encrypted at each hop. Hence even for a globaladversary who can eavesdrop every transmission within thenetwork, it is impossible for him to find linkage betweenmessages without knowing any encryption key. He even hasno idea of the type of the packet being transmitted in thenetwork, and he cannot relate different packets in terms ofpacket type.

The only way to gain information on relationship betweentransmissions is that the attacker has access to some encryptionkeys, i.e., he has compromised one or more valid nodes. Thiscase is discussed in detail later in subsection IV-B.

Unobservability. In USOR, RREQ, RREP and data packetsare indistinguishable from dummy packets to a global outsideadversary. Meanwhile, nodes involved in the routing procedureare anonymous to other valid nodes. Consequently, USORprovides unobservability as defined for ad hoc networks.

First of all, a global adversary cannot distinguish differentpacket types, and neither can he distinguish a meaningfulciphertext from random noise. Moreover, a node chooses thenonce randomly and never reuses it. The nonce is updatedeach time after it is used, so there is no linkage between thepseudonyms which are computed from nonces. Only thosemobile nodes with valid session keys can recognize validpseudonyms and decrypt the corresponding ciphertexts toobtain meaningful plaintexts from them. Secondly, a node andits next-hop node or previous-hop node on route establish asession key anonymously, hence no one is able to know realidentities of its next-hop node or previous-hop node. Even thesource and the destination node do not know real identitiesof the intermediate nodes on route. As a result, USOR offerscontent unobservability for ad hoc networks according to thedefinition in [1].

Based on the content unobservability provided by USOR,traffic padding can be introduced into the network to thwarttraffic analysis and provide traffic pattern unobservability. Asdiscussed in Section II, privacy-preserving routing problemis orthogonal to countermeasures against traffic analysis, andappropriate countermeasures against traffic analysis can beapplied to make USOR unobservable in terms of traffic pattern.

Node Compromise. Node compromise is easy for theadversary and highly possible in ad hoc networks, hence it iscrucial for a privacy-preserving routing protocol to withstandsecurity attacks due to node capture. In this case, privacyinformation leakage is unavoidable due to secret exposure,while our routing protocol can protect user privacy againstserious node compromise.

Suppose a node is compromised by an attacker, his privatesigning key and ID-based encryption key are disclosed to


the attacker. The attacker now is able to establish keys withneighboring nodes, but only the following information can beobtained by the attacker: 1) the type of a received packet;2) data/RREP packets sent to/via the compromised node; 3)headers of packets relayed by the compromised node; 4)RREQ packets sent from the compromised node’s neighbors.The attacker is not able to gain more beyond this information.From this information, he cannot infer: 1) the location of thesource/destination node; 2) real identities of source/destinationnode of the relaying packets; 3) source/destination node ofthe RREQ packets. That is, the privacy leakage due to nodecompromise is limited within the compromised node’s neigh-borhood, and privacy information like identity and location isstill well protected by USOR.

Even if the global attack exploits the compromised node’ssecret credential for a global attack, USOR’s resilience againstprivacy leakage can still offer satisfactory protection, due toits per-hop protection of packets. As described in (4) and (7),RREP and data packets are encrypted hop-by-hop, and one-time nonces and pseudonyms are used to provide unlinkabilityand unobservability. Only if the RREP or data packets passthrough the compromised node can the attacker know thepacket type. Even if the compromised node happens to beon the route, as an intermediate node, the attacker has no clueon where the source node or the destination node is. If theattacker tries to impersonate as the source node to request aroute to a specific node, the attacker is still not certain wherethe destination node is in any case.

Collusion Attacks. For the colluding outsiders, privacyinformation is perfectly protected with USOR. As the attackeris unable to distinguish a meaningful packet from a dummypacket, USOR can provide complete protection for privacywith an appropriate traffic padding scheme. Even if the targetnode is surrounded by more than one attack node, given theassumption that no node is totally surrounded by compromisednodes, the attacker is unable to perceive anything exceptsome random dummy packets. If appropriate dummy trafficis injected into the network, the colluding outsiders cannotgain any privacy information about the network at all.

For the colluding insiders, USOR still offers unobservabilityas promised. Though information disclosure is unavoidable forcolluding insiders, and the adversary knows some keys, theinformation that the colluding insiders can obtain is largelyrestricted by USOR. The attackers are able to know: 1) atarget node is involved in a route discovery procedure sinceit is broadcasting a RREQ packet; 2) a target node is theprevious hop or the next hop on a path. However, the colludinginsiders are not able to know identity of the target node orother intermediate nodes on route. According to the designof USOR, authentication and key establishment is achievedby group signature, which perfectly protects user identityfrom disclosure. Consequently, unobservability is guaranteedby USOR under colluding insider attacks according to thedefinition of unobservability.

Sybil Attacks. In the Sybil attack [23], a single nodepresents multiple fake identities to other nodes in the network.Sybil attacks pose a great threat to decentralized systems likepeer-to-peer networks and geographic routing protocols. InUSOR, the centralized key server generates group signature

TABLE IVCOMPUTATION COST OF USOR AND EXISTING SCHEMES

Computation cost †Source Destination Intermediate

ANODR KG+1P(1P) 1P KG+2P(2P)ASR KG+1P(1P) 1P KG+2P(2P)

ARM KG+1P(1P) L*P 1PAnonDSR KG+1P(1P) (L+ 1)*P 1P

SDAR KG+2P(2P) (L+ 1)*P KG+1P(1P)ODAR KG+1P(1P) 1P 0ARMR KG+3P(3P) 3P 4PPRISM KG+3P(3P) 3P 0

ALARM KG+2P(2P) 2P 0USOR 4P(3P) 4P(3P) P

† Numbers in brackets are computation complexity with pre-computation.L is the hops from the source to the destination, KG denotes public key gen-eration, P denotes public key operations, e.g., PKC encryption/decryption,ECC pairing.

signing keys and ID-based keys for network nodes. Thus, itis impossible for the adversary to obtain other valid identitiesexcept the compromised ones. Nevertheless, the anonymityfeature of USOR allows the adversary to launch Sybil attackswhich are similar to collusion attacks discussed above. Asdiscussed in the collusion attack part, USOR is able to countsuch attacks effectively.

V. IMPLEMENTATION AND PERFORMANCE EVALUATION

In this section, we analyze computation cost of USOR,and compare it with existing schemes. We then describe theimplementation and performance evaluation of our protocol.

USOR requires a signature generation and two point multi-plications in the first process. In the route discovery process,each node except the source node and destination node needsone ID-based decryption, while the source node and destina-tion node have to do two ID-based encryption/decryption andtwo point multiplications.

A detailed comparison on computation cost of existingschemes and USOR is showed in Table IV. In this table, weignore symmetric operations as they are negligible comparedto PKC operations. MASK is not listed in the table as theydo not need public key operations during the route discoveryprocess. However, MASK does not offer sender anonymity orreceiver anonymity. From the table, we can see that USOR canachieve unobservability without too much computation cost.

We implement both USOR and MASK on ns2, and evaluatetheir performance by comparing with AODV (the standardimplementation of ns-2.31). In our simulation, the scenarioparameters are listed as in table V, and we use the crypto-graphic benchmarks on 1GHz Pentium III according to [24],[25].

In the simulation, 50 nodes are randomly distributed withina network field of size 1500mx300m as such a rectanglefield can make the number of hops between two nodes larger.Mobile nodes are moving in the field according to the randomway point model, and we adopt the speed ranges used in[13] so that the average speeds range from 0 to 10m/s. Twodifferent CBR traffic loads are generated for each of the 20pairs selected from the 50 nodes: 2 packets/s as the light traffic


TABLE VPARAMETERS ON CRYPTOGRAPHIC OPERATIONS AND EXPERIMENT

SCENARIOS

1024-bit ID-based Enc 22ms1024-bit ID-based Dec 17msGroup Signature Generation 24msGroup Signature Verification 26msPoint Multiplication 3ms1024-bit Pairing 8.6msSimulation Time 600sScenario Dimension 1500m x 300mWireless Radio Range 250mMobile Nodes Number 50Average Node Speed 0-10m/sSource-Destination Pairs 20 random pairsTraffic Type 512-byte CBR trafficTraffic Frequency 2 or 4 packets/sWireless Bandwidth 2MbpsNode Pause Time 0sKey Update Interval 40sAverage Hops 2.90Average Neighbors 12.69

load and 4 packets/s as the heavy traffic load. The local sessionkeys are updated every 40 seconds in the simulation, andeach update involves a complete anonymous key establishmentprocedure. To simulate cryptographic operations on each node,we force each node to delay for some time according to thebenchmarks given in table V. The period a node needs to waitis determined by cryptographic operations the node performs.

We evaluate the performance of USOR in terms of packetdelivery ratio, packet delivery latency, and normalized controlbytes. With Fig. 4 we demonstrate performance of USOR,MASK and AODV at different moving speeds for two differenttraffic loads. Two traffic loads are selected according toperformance of the standard AODV implementation of ns2.

According to Fig. 4(a), AODV has the highest packetdelivery ratio for both types of traffic loads, and MASK’sperformance is between AODV and USOR. The packet de-livery ratio decreases as nodal speed increases and trafficload becomes heavier. Under the light traffic load(2 packets/s),USOR has more than 90% packet delivery ratio at high nodespeeds, only slightly lower than MASK and AODV. Under theheavy traffic load(4 packets/s), performance of all three proto-cols has downgraded greatly. The biggest difference betweenUSOR and AODV on packet delivery ratio is less than 10%.Apparently, the performance drop of both protocols whennode speed goes up due to more frequent route disruptionat higher speeds. Route disruption leads to packet drop andretransmission, and a new route has to be constructed beforeremaining packets can be sent out. Lower packer deliveryratio of USOR is due to the following reasons: 1) In USORonly trusted neighbors will forward route packets for eachother, otherwise packets are simply dropped, 2) Local keyupdate and node mobility lead to trust lost between one andits neighbors. Before neighboring nodes establish shared localkeys, no traffic can be passed between them, which results intransmission delay in USOR; 3) Route repair in AODV is notapplicable in the protocol for the sake of privacy protection, asroute repair requires identity information about the destination;4) In AODV or MASK, intermediate nodes can reply to a route

request if they know a route to the requested destination, whileUSOR cannot do this as any intermediate node is not supposedto know either the source node or the destination node.

From Fig. 4(b), we can also see that AODV has the leastdelivery latency and MASK is between AODV and USOR,but the packet delivery latency difference between USORand MASK is less than 100ms. Under the light traffic loadUSOR’s latency increases from 50ms to 90ms when nodespeed increases from 0m/s to 10m/s. Under the heavy trafficload, USOR’s latency increases from about 100ms to morethan 400ms for node speed from 0m/s to 10m/s. Due to thesame reasons discussed above, non-optimal paths and localkey construction delay result in longer latency of USOR thanAODV.

Figure 4(c) illustrates the routing cost for delivering a unitof data payload. It is not strange that USOR and MASKhave to send more control packets than AODV. In AODV,only three types of routing control packets, namely routingrequest packet, routing reply packet, and routing error packet.However, USOR needs more control packets to maintainanonymous routing information. Since MASK and USORexploit similar key management and route discovery approach,their normalized control bytes are very close.

We also examine impact of packet padding on USOR’sperformance with Fig. 4. In the experiment CBR traffic packetsize is set to 128 bytes, and CBR traffic frequency is set to4 packets/s in the experiment. This traffic load is half of thelight traffic (2 packets/s and 512 bytes/packet). In the paddedUSOR, all packets including RREQ, RREP packets and othercontrol packets (e.g. Beacon packets) are padded to 128 bytes.Due to the packet padding, performance of the padded USORis obviously downgraded, but the padded USOR still achievessatisfactory performance: more than 85% delivery success andabout 250ms delivery latency.

Finally, we compare USOR with MASK in terms of privacyprotection. We make use of the information theoretic privacymetric discussed in Section IV. We alter the number ofeavesdropping nodes in the network and compute the senderanonymity of RREQ packets. The sender anonymity is theobtained by calculating entropy of probability distributionof possible sender of RREQ packets. It can be seen fromFig. 5 that USOR provides best privacy protection regardlessof the number of eavesdroppers, while MASK provides betterprivacy for less eavesdropping nodes. However, when thenumber of eavesdropper increases to 8 or larger, the privacyentropy does not decrease significantly. This is reasonablesince the anonymity set of possible senders cannot be reducedany more by introducing more eavesdroppers.

VI. CONCLUSION AND FUTURE WORK

In this paper, we proposed an unobservable routing pro-tocol USOR based on group signature and ID-based cryp-tosystem for ad hoc networks. The design of USOR offersstrong privacy protection—complete unlinkability and contentunobservability—for ad hoc networks. The security analysisdemonstrates that USOR not only provides strong privacyprotection, it is also more resistant against attacks due tonode compromise. We implemented the protocol on ns2 and


(a) Packet Delivery Ratio (b) Packet Delivery Latency (c) Packet Delivery Latency

Fig. 4. Performance comparison between USOR, MASK and AODV in case of different mobile node speeds.

Fig. 5. Privacy entropy of MASK and USOR in case of 2, 6, 10, 14 and 18Eavesdroppers

examined performance of USOR, which shows that USORhas satisfactory performance in terms of packet delivery ratio,latency and normalized control bytes.

Future work along this direction is to study how to defendagainst wormhole attacks, which cannot be prevented withUSOR. Also how to make the unobservable routing scheme re-sistant against DoS attacks is a challenging task that demandsin-depth investigation.

ACKNOWLEDGMENTS

The authors would like to thank the anonymous reviewersfor their valuable comments. Zhiguo Wan’s research is sup-ported in part by Scientific Foundation for Returned OverseasChinese Scholars, MOE, and the NSFC project under GrantNo. 61003223. Kui Ren’s research is supported in part by theUS National Science Foundation under grants CNS-0831963and CNS-1117811.

REFERENCES

[1] A. Pfitzmann and M. Hansen, “Anonymity, unobservability, andpseudonymity: a consolidated proposal for terminology,” draft, July2000.

[2] Y. Zhu, X. Fu, B. Graham, R. Bettati, and W. Zhao, “On flow correlationattacks and countermeasures in mix networks,” in PET04, LNCS 3424,2004, pp. 207–225.

[3] D. Chaum, “Untraceable electronic mail, return addresses, and digitalpseudonyms,” Commun. of the ACM, vol. 4, no. 2, Feb. 1981.

[4] S. Capkun, L. Buttyan, and J. Hubaux, “Self-organized public-keymanagement for mobile ad hoc networks,” IEEE Trans. Mobile Comput.,vol. 2, no. 1, pp. 52–64, Jan.-Mar. 2003.

[5] J. Kong and X. Hong, “ANODR: aonymous on demand routing withuntraceable routes for mobile ad-hoc networks,” in Proc. ACM MOBI-HOC’03, pp. 291–302.

[6] B. Zhu, Z. Wan, F. Bao, R. H. Deng, and M. KankanHalli, “Anony-mous secure routing in mobile ad-hoc networks,” in Proc. 2004 IEEEConference on Local Computer Networks, pp. 102–108.

[7] S. Seys and B. Preneel, “ARM: anonymous routing protocol for mobilead hoc networks,” in Proc. 2006 IEEE International Conference onAdvanced Information Networking and Applications, pp. 133–137.

[8] L. Song, L. Korba, and G. Yee, “AnonDSR: efficient anonymousdynamic source routing for mobile ad-hoc networks,” in Proc. 2005ACM Workshop on Security of Ad Hoc and Sensor Networks, pp. 33–42.

[9] Y. Dong, T. W. Chim, V. O. K. Li, S.-M. Yiu, and C. K. Hui, “ARMR:anonymous routing protocol with multiple routes for communicationsin mobile ad hoc networks,” Ad Hoc Networks, vol. 7, no. 8, pp. 1536–1550, 2009.

[10] A. Boukerche, K. El-Khatib, L. Xu, and L. Korba, “SDAR: a securedistributed anonymous routing protocol for wireless and mobile ad hocnetworks,” in Proc. 2004 IEEE LCN, pp. 618–624.

[11] D. Sy, R. Chen, and L. Bao, “ODAR: on-demand anonymous routingin ad hoc networks,” in 2006 IEEE Conference on Mobile Ad-hoc andSensor Systems.

[12] J. Ren, Y. Li, and T. Li, “Providing source privacy in mobile ad hocnetworks,” in Proc. IEEE MASS’09, pp. 332–341.

[13] Y. Zhang, W. Liu, and W. Lou, “Anonymous communications in mobilead hoc networks,” in 2005 IEEE INFOCOM.

[14] K. E. Defrawy and G. Tsudik, “ALARM: anonymous location-aidedrouting in suspicious MANETs,” IEEE Trans. Mobile Comput., vol. 10,no. 9, pp. 1345–1358, 2011.

[15] ——, “Privacy-preserving location-based on-demand routing inMANETs,” IEEE J. Sel. Areas Commun., vol. 29, no. 10, pp. 1926–1934, 2011.

[16] J. Han and Y. Liu, “Mutual anonymity for mobile peer-to-peer systems,”IEEE Trans. Parallel Distrib. Syst., vol. 19, no. 8, pp. 1009–1019, Aug.2008.

[17] Y. Liu, J. Han, and J. Wang, “Rumor riding: anonymizing unstructuredpeer-to-peer systems,” IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 3,pp. 464–475, 2011.

[18] D. Boneh, X. Boyen, and H. Shacham, “Short group signatures,” inAdvances in Cryptology–Crypto’04, Lecture Notes in Computer Science,vol. 3152, 2004, pp. 41–55.

[19] D. Boneh and M. Franklin, “Identity-based encryption from the Weilpairing,” in Advances in Cryptology–Crypto’01, Lecture Notes in Com-puter Science, vol. 2139, 2001, pp. 213–229.

[20] D. Dong, M. Li, Y. Liu, X.-Y. Li, and X. Liao, “Topological detection onwormholes in wireless ad hoc and sensor networks,” IEEE/ACM Trans.Netw., vol. 19, no. 6, pp. 1787–1796, Dec. 2011.

[21] I. R. Jeong, J. O. Kwon, and D. H. Lee, “A Diffie-Hellman key exchangeprotocol without random oracles,” in Proc. CANS 2006, vol. LNCS 4301,pp. 37–54.

[22] A. Serjantov and G. Danezis, “Towards an information theoretic metricfor anonymity,” in Privacy Enhancing Technologies, 2002, pp. 41–53.


[23] H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman, “Sybilguard:defending against sybil attacks via social networks,” in Proc. 2006SIGCOMM, pp. 267–278.

[24] M. Brown, D. Hankerson, J. Lopez, and A. Menezes, “Software imple-mentation of the NIST elliptic curves over prime fields,” in Topics inCryptology – CT-RSA 2001, LNCS, vol. 2020, 2001, pp. 250–265.

[25] M. Scott, “MIRACL: Multiprecision Integer and Rational ArithmeticC/C++ Library.”

Zhiguo Wan is a lecturer in School of Software,Tsinghua University, China. His main research in-terests include security and privacy in wireless net-works, mobile social networks and cryptography.He received his B.S. degree in computer sciencefrom Tsinghua University in 2002, and the Ph.D.degree in wireless network security from NationalUniversity of Singapore in 2006. He is a member ofIEEE and ACM.

Kui Ren is currently an Assistant Professor ofElectrical and Computer Engineering Department atthe Illinois Institute of Technology. He received hisB.E and M.E Degrees from Zhejiang University andPhD degree from Worcester Polytechnic Institute.Kui’s research expertise includes Cloud Computing& Security, Wireless Security, and Smart Grid Secu-rity. His research is supported by NSF, DoE, AFRL,and Amazon. He is a recipient of National ScienceFoundation Faculty Early Career Development (CA-REER) Award in 2011. Kui received the Best Paper

Award from IEEE ICNP 2011. Kui serves as an associate editor for IEEEWireless Communications and IEEE TRANSACTIONS ON SMART GRID. Kuiis a senior member of IEEE and a member of ACM.

Ming Gu is the senior researcher, vice director ofKey Laboratory for Information System Security,Ministry of Education. Her research interests includemiddleware techniques, formal methods in software,information system security. She has been in chargeof more than 10 national research projects, and pub-lished more than 50 research papers in internationalconferences and journals.

Documents

USOR an Unobservable Secure OnDemand