
IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, VOL. 11, NO. 5, MAY 2012

USOR: An Unobservable Secure On-Demand Routing Protocol for Mobile Ad Hoc Networks
Zhiguo Wan, Kui Ren, and Ming Gu
Abstract: Privacy-preserving routing is crucial for some ad hoc networks that require stronger privacy protection. A number of schemes have been proposed to protect privacy in ad hoc networks. However, none of these schemes offer complete unlinkability or unobservability property since data packets and control packets are still linkable and distinguishable in these schemes. In this paper, we define stronger privacy requirements regarding privacy-preserving routing in mobile ad hoc networks. Then we propose an unobservable secure routing scheme USOR to offer complete unlinkability and content unobservability for all types of packets. USOR is efficient as it uses a novel combination of group signature and ID-based encryption for route discovery. Security analysis demonstrates that USOR can well protect user privacy against both inside and outside attackers. We implement USOR on ns2, and evaluate its performance by comparing with AODV and MASK. The simulation results show that USOR not only has satisfactory performance compared to AODV, but also achieves stronger privacy protection than existing schemes like MASK.

Index Terms: Routing protocols, security, privacy, anonymity.

Manuscript received August 19, 2011; revised December 1, 2011; accepted February 3, 2012. The associate editor coordinating the review of this paper and approving it for publication was S. Bahk. Z. Wan and M. Gu are with the MOE Key Laboratory for Information System Security, School of Software, Tsinghua National Laboratory for Information Science and Technology, Tsinghua University, Beijing 100084, China (e-mail: {wanzhiguo, guming}@tsinghua.edu.cn). K. Ren is with the ECE Department, Illinois Institute of Technology, USA (e-mail: kren2@iit.edu). Digital Object Identifier 10.1109/TWC.2012.030512.111562

I. INTRODUCTION

Privacy protection of mobile ad hoc networks is more demanding than that of wired networks due to the open nature and mobility of wireless media. In wired networks, one has to gain access to wired cables so as to eavesdrop communications. In contrast, the attacker only needs an appropriate transceiver to receive wireless signal without being detected. In wired networks, devices like desktops are always static and do not move from one place to another. Hence in wired networks there is no need to protect users' mobility behavior or movement pattern, while this sensitive information should be kept private from adversaries in wireless environments. Otherwise, an adversary is able to profile users according to their behaviors, and endanger or harm users based on such information. Lastly, providing privacy protection for ad hoc networks with low-power wireless devices and low-bandwidth network connection is a very challenging task.

With regard to privacy-related notions in communication networks, we follow the terminology on anonymity, unlinkability, and unobservability discussed in [1]. These notions are defined with regard to item of interest (IOI, including senders, receivers, messages, etc.) as follows:

- Anonymity is the state of being not identifiable within a set of subjects, the anonymity set.
- Unlinkability of two or more IOIs means these IOIs are no more or no less related from the attacker's view.
- Unobservability of an IOI is the state that whether it exists or not is indistinguishable to all unrelated subjects, and subjects related to this IOI are anonymous to all other related subjects.

In above definitions, related and unrelated subjects refer to subjects involved or not involved in network operations like routing or message forwarding.

Privacy protection in routing of MANET has interested a lot of research efforts. A number of privacy-preserving routing schemes have been brought forward. However, existing anonymous routing protocols mainly consider anonymity and partial unlinkability in MANET, most of them exploit asymmetric feature of public key cryptosystems to achieve their goals. Complete unlinkability and unobservability are not guaranteed due to incomplete content protection. Existing schemes fail to protect all content of packets from attackers, so that the attacker can obtain information like packet type and sequence number etc. This information can be used to relate two packets, which breaks unlinkability and may lead to source traceback attacks. Meanwhile, unprotected packet type and sequence number also make existing schemes observable to the adversary. Until now, there is no solution being able to achieve complete unlinkability and unobservability.

Unfortunately, unlinkability alone is not enough in hostile environments like battlefields as important information like packet type is still available to attackers. Then a passive attacker can mount traffic analysis based on packet type [2]. In this case, it is preferable to make the traffic content completely unobservable to outside attackers so that a passive attacker only overhears some random noises. However, this is far from an easy task because it is extremely difficult to hide information on packet type and node identity. Furthermore, a hint on using which key for decryption should be provided in each encrypted packet, which demands careful design to remove linkability. Another drawback of most previous schemes is that they rely heavily on public key cryptography, and thus incur a very high computation overhead.

Among these requirements unobservability is the strongest one in that it implies not only anonymity but also unlinkability. To achieve unobservability, a routing scheme should provide unobservability for both content and traffic pattern.

1536-1276/12$31.00 © 2012 IEEE


Hence we further refine unobservability into two types: 1) Content Unobservability, referring to no useful information can be extracted from content of any message; 2) Traffic Pattern Unobservability, referring to no useful information can be obtained from frequency, length, and source-destination patterns of message traffic.

This paper will focus on content unobservability, which is orthogonal to traffic pattern unobservability, and it can be combined with mechanisms offering traffic pattern unobservability to achieve truly unobservable communication. The major mechanisms to achieve traffic pattern unobservability include MIXes [3] and traffic padding [2].

In this paper, we propose an efficient privacy-preserving routing protocol USOR that achieves content unobservability by employing anonymous key establishment based on group signature. The setup of USOR is simple: each node only has to obtain a group signature signing key and an ID-based private key from an offline key server or by a key management scheme like [4]. The unobservable routing protocol is then executed in two phases. First, an anonymous key establishment process is performed to construct secret session keys. Then an unobservable route discovery process is executed to find a route to the destination.

The contributions of this paper include:
1) we provide a thorough analysis of existing anonymous routing schemes and demonstrate their vulnerabilities.
2) we propose USOR, to our best knowledge, the first unobservable routing protocol for ad hoc networks, which achieves stronger privacy protection over network communications.
3) detailed security analysis and comparison between USOR and other related schemes are presented in the paper.
4) we implemented USOR on ns2 and evaluated its performance by comparing it with the standard implementation of AODV in ns2.

We emphasize that our scheme USOR is to protect all parts of a packet's content, and it is independent of solutions on traffic pattern unobservability. And it can be used with appropriate traffic padding schemes to achieve truly communication unobservability.

The rest of the paper is organized as follows. In next section, we discuss related work on anonymous routing schemes for ad hoc networks. Then we describe our unobservable routing scheme in Section III. After that we analyze the proposed scheme against various attacks. We also compare it with other anonymous routing schemes. In Section V, we implement and evaluate performance of USOR. Finally, we summarize and conclude the paper.

II. RELATED WORK

A number of anonymous routing schemes have been proposed for ad hoc networks in recent years, and they provide different level of privacy protection at different cost. Most of them rely on public key cryptosystems (PKC) to achieve anonymity and unlinkability in routing. Although asymmetry of PKC can provide better support for privacy protection, expensive PKC operations also bring significant computation overhead. Most schemes are PKC-based and the ANODR scheme proposed by Kong et al. [5] is the first one to provide anonymity and unlinkability for routing in ad hoc networks.

Based on onion routing for route discovery, ANODR uses one-time public/private key pairs to achieve anonymity and unlinkability, but unobservability of routing messages is not considered in its design. During the route discovery process, each intermediate node creates a one-time public/private key pair to encrypt/decrypt the routing onion, so as to break the linkage between incoming packets and corresponding outgoing packets. However, packets are publicly labeled and the attacker is able to distinguish different packet types, which fails to guarantee unobservability as discussed. Meanwhile, both generation of one-time PKC key pairs (this can be done during idle time) and PKC encryption/decryption present significant computation burden for mobile nodes in ad hoc networks.

ASR [6], ARM [7], AnonDSR [8] and ARMR [9] also make use of one-time public/private key pairs to achieve anonymity and unlinkability. ASR is designed to achieve stronger location privacy than ANODR, which ensures nodes on route have no information on their distance to the source/destination node. As the routing onion used in ANODR exposes distance information to intermediate nodes, ASR abandons the onion routing technique while still making use of one-time public/private key pairs for privacy protection. ARM [7] considered how to reduce the computation burden of one-time public/private key pair generation. Different from the above schemes, ARMR [9] uses one-time public keys and a Bloom filter to establish multiple routes for MANETs.

Besides one-time public/private key pairs, SDAR [10] and ODAR [11] use long-term public/private key pairs at each node for anonymous communication. These schemes are more scalable to network size, but require more computation effort. For example, SDAR is similar to ARM except ARM uses shared secrets between source and destination for verification.
Unfortunately, ODAR provides only identity anonymity but not unlinkability for MANET, since the entire RREQ/RREP packets are not protected with session keys. A more recent scheme [12] provides a solution for protecting privacy for a group of interconnected MANETs, but it has the same problem as ODAR.

MASK [13] is based on a special type of public key cryptosystem, the pairing-based cryptosystem, to achieve anonymous communication in MANET. MASK requires a trusted authority to generate sufficient pairs of secret points and corresponding pseudonyms as well as cryptographic parameters. Hence the setup of MASK is quite expensive and may be vulnerable to key pair depletion attacks. The RREQ flag is not protected and this enables a passive adversary to locate the source node. Moreover, the destination node's identity is in clear in route request packets. Though this would not disclose where and who the destination node is, an adversary can easily recover linkability between different RREQ packets with the same destination, which actually violates receiver anonymity as defined in [1].

An anonymous location-aided routing scheme ALARM [14] makes use of public key cryptography and the group signature to preserve privacy. The group signature has a good privacy preserving feature in that everyone can verify a group signature but cannot identify who is the signer. But ALARM still leaks quite a lot sensitive privacy information: network topology, location of every node. Similar to ALARM, PRISM [15] also employs location information and group signature to protect privacy in MANETs.

A closely related research direction along this line is anonymous routing in peer-to-peer systems, which has been investigated heavily too. Interested readers are referred to [16], [17] for details.

To summarize, public key cryptosystems have a preferable asymmetric feature, and it is well-suited for privacy protection in MANET. As a result, most anonymous routing schemes proposed for MANET make use of public key cryptosystems to protect privacy. However, existing schemes provide only anonymity and unlinkability, while unobservability is never considered or implemented by now. An obvious drawback in existing schemes is that packets are not protected as a whole. Information like packet types, trapdoor information, public keys is simply unprotected in current proposals, and these can be exploited by a global adversary to obtain useful information. A summary of anonymous routing protocols discussed above is given in Table I.

III. USOR: AN UNOBSERVABLE ROUTING SCHEME

In this section we present an efficient unobservable routing scheme USOR for ad hoc networks. In this protocol, both control packets and data packets look random and indistinguishable from dummy packets for outside adversaries. Only valid nodes can distinguish routing packets and data packets from dummy traffic with inexpensive symmetric decryption. The intuition behind the proposed scheme is that if a node can establish a key with each of its neighbors, then it can use such a key to encrypt the whole packet for a corresponding neighbor. The receiving neighbor can distinguish whether the encrypted packet is intended for itself by trial decryption. In order to support both broadcast and unicast, a group key and a pairwise key are needed. As a result, USOR comprises two phases: anonymous trust establishment and unobservable route discovery.
The unobservable routing scheme USOR aims to offer the following privacy properties.

1) Anonymity: the senders, receivers, and intermediate nodes are not identifiable within the whole network, the largest anonymity set.
2) Unlinkability: the linkage between any two or more IOIs from the senders, the receivers, the intermediate nodes, and the messages is protected from outsiders. Note linkage between any two messages, e.g., whether they are from the same source node, is also protected.
3) Unobservability: any meaningful packet in the routing scheme is indistinguishable from other packets to an outside attacker. Not only the content of the packet but also the packet header like packet type are protected from eavesdroppers. And any node involved in route discovery or packet forwarding, including the source node, destination node, and any intermediate node, is not aware of the identity of other involved nodes (also including the source node, the destination node, or any other intermediate nodes).

A. Assumptions, System Setup and Attack Model

Assumptions: Since we use the group signature scheme in [18] and the ID-based encryption scheme in [19], we follow the same assumptions and definitions. We assume solving the elliptic curve discrete log problem (ECDLP) and the bilinear Diffie-Hellman problem (BDH) on the two groups is hard. Both the group signature scheme and the ID-based scheme are based on pairing of elliptic curve groups of order of a large prime (e.g. 170-bit long), so that they have the same security strength as the 1024-bit RSA algorithm [18], [19].

System Setup: We consider an ad hoc network consisting of $n$ nodes. In this network, all nodes have the same communication range, and each node can move around within the network. A node can communicate with other nodes within its transmission range, and these nodes are called its neighbors. For nodes outside of one's transmission range, one has to communicate via a multi-hop path. We assume the ad hoc network is all connected, and each node has at least one neighbor. Nodes do not use physical addresses like MAC addresses in data frames to avoid being identified by others. Instead, they set their network interfaces in the promiscuous mode to receive all the MAC frames that can be detected in the neighborhood. This is important to prevent traffic analysis based on MAC addresses.

Before the ad hoc network starts up, by following the group signature scheme, a key server generates a group public key $gpk$ which is publicly known by everyone, and it also generates a private group signature key $gsk_X$ for each node X. The group signature scheme ensures full-anonymity, which means a signature does not reveal the signer's identity but everyone can verify its validity.

The setup of the ID-based encryption scheme is as follows. Let $G_1$, $G_2$ be an elliptic curve group of order $q$. An admissible bilinear mapping $e: G_1 \times G_1 \to G_2$ is defined as in [13].
The key server chooses a master secret $s \in \mathbb{Z}_q^*$ and generates the ID-based private key for node X as $K_X = s H_1(X)$. A random generator $P$ is also selected by the server. The corresponding public key is $(q, G_1, G_2, e, P, P_{pub}, H_1)$, in which $P_{pub} = sP$.

Attack Model: With regard to the adversary model, we assume a global adversary that is capable of monitoring traffic of the entire ad hoc network. The adversary can monitor and record content, time, and size of each packet sent over the network, and analyzes them to obtain information on who is the source or the destination of packets, who is communicating with whom etc. Meanwhile, the adversary can mount active attacks afar or nearby, e.g., injecting, modifying, dropping packets within the network. However, the adversary cannot launch wormhole attacks [20] to attract a large amount of network traffic. The adversary is able to compromise one or more nodes to make his attack more successful, but each node has at least one legitimate (uncompromised) neighbor after node compromise attack. As a result, the adversary intends to break the aforementioned privacy properties, i.e., anonymity, unlinkability and unobservability. We assume the adversary has only bounded computation capability, and is not capable of breaking the aforementioned pairing-based cryptosystem as well as symmetric cryptosystems with appropriate key length.


TABLE I
COMPARISON OF ANONYMOUS ROUTING PROTOCOLS

| | Cryptosystems | Sender Anonymity | Receiver Anonymity | Observable Info. |
|---|---|---|---|---|
| ANODR | One-time PKC | Yes | Yes | Sequence no., trapdoor info., RREQ/RREP tag |
| ASR | One-time PKC | Yes | Yes | Sequence no., trapdoor info., RREQ/RREP tag |
| ARM | One-time PKC | Yes | Yes | Trapdoor info., RREQ/RREP tag |
| AnonDSR | One-time PKC | Yes | Yes | Trapdoor info., RREQ/RREP tag |
| ARMR | One-time PKC | Yes | Yes | RREQ/RREP tag |
| SDAR | Long-term & One-time PKC | Yes | Yes | Trapdoor info., RREQ/RREP tag |
| ODAR | Long-term & One-time PKC | Yes | Yes | Trapdoor info., RREQ/RREP tag |
| ALARM | Long-term PKC | Yes | Yes | RREQ/RREP tag, Location |
| PRISM | Long-term PKC | Yes | Yes | RREQ/RREP tag, Location |
| MASK | One-time Pairing | Yes | No | RREQ ID, Dest. ID |

TABLE II
NOTATIONS

| Notation | Meaning |
|---|---|
| $A$ | A node in the ad hoc network, and its real identity |
| $s$ | The master secret key owned by the key server |
| $q$ | A 170-bit prime number |
| $P$ | Generator of the elliptic curve group $G_1$ |
| $H_i()$ | Secure one-way hash functions, $i = 1, 2, 3$ |
| $gsk_A$ | Node A's private group signature key |
| $gpk$ | The public group signature verification key |
| $K_A$ | Node A's private ID-based key which is $s H_1(A)$ |
| $E_A()$ | ID-based encryption using A's public key |
| $k_{A*}$ | A local broadcast key within A's neighborhood |
| $k_{AX}$ | A pairwise session key shared between A and X |
| $Nym_A$ | The pseudonym only valid within A's neighborhood |
| $Nym_{AX}$ | The pseudonym shared between A and X |

1. $S \to *$: $r_S P,\ SIG_{gsk_S}(r_S P)$
2. $X \to S$: $r_X P,\ SIG_{gsk_X}(r_X P),\ E_{k_{SX}}(k_{X*})$
3. $S \to X$: $E_{k_{SX}}(k_{S*})$

Fig. 1. Anonymous key establishment. S broadcasts the first message to its direct neighbors. Each of S's neighbors does the same things as X does to learn S's local broadcast key. $k_{SX} = H_2(r_S r_X P)$.

$H_1$ maps a node identity to an element in $G_1$, $H_2$ maps an element in $G_1$ to a session key, $H_3$ maps a session key and a random nonce to a random pseudonym.

B. The Unobservable Routing Scheme

The unobservable routing scheme comprises two phases: anonymous key establishment as the first phase and the route discovery process as the second phase. In the first phase of the scheme, each node employs anonymous key establishment to anonymously construct a set of session keys with each of its neighbors. Then under protection of these session keys, the route discovery process can be initiated by the source node to discover a route to the destination node. Notations used in the description of the scheme are listed in Table II.

1) Anonymous Key Establishment: In this phase, every node in the ad hoc network communicates with its direct neighbors within its radio range for anonymous key establishment. Suppose there is a node S with a private signing key $gsk_S$ and a private ID-based key $K_S$ in the ad hoc network, and it is surrounded by a number of neighbors within its power range. Following the anonymous key establishment procedure, S does the following:

(1) S generates a random number $r_S \in \mathbb{Z}_q^*$ and computes $r_S P$, where $P$ is the generator of $G_1$. It then computes a signature of $r_S P$ using its private signing key $gsk_S$ to obtain $SIG_{gsk_S}(r_S P)$. Anyone can verify this signature using the group public key $gpk$. It broadcasts $r_S P,\ SIG_{gsk_S}(r_S P)$ within its neighborhood.

(2) A neighbor X of S receives the message from S and verifies the signature in that message. If the verification is successful, X chooses a random number $r_X \in \mathbb{Z}_q^*$ and computes $r_X P$. X also computes a signature $SIG_{gsk_X}(r_S P | r_X P)$ using its own signing key $gsk_X$. X computes the session key $k_{SX} = H_2(r_S r_X P)$, and replies to S with message $r_X P,\ SIG_{gsk_X}(r_S P | r_X P),\ E_{k_{SX}}(k_{X*} | r_S P | r_X P)$, where $k_{X*}$ is X's local broadcast key.

(3) Upon receiving the reply from X, S verifies the signature inside the message. If the signature is valid, S proceeds to compute the session key between X and itself as $k_{SX} = H_2(r_S r_X P)$. S also generates a local broadcast key $k_{S*}$, and sends $E_{k_{SX}}(k_{S*} | k_{X*} | r_S P | r_X P)$ to its neighbor X to inform X about the established local broadcast key.

(4) X receives the message from S and computes the same session key as $k_{SX} = H_2(r_S r_X P)$. It then decrypts the message to get the local broadcast key $k_{S*}$.

Figure 1 illustrates the anonymous key establishment process. Note that the messages exchanged in this phase are not unobservable, but this would not leak any private information like node identities. As a result of this phase, a pairwise session key $k_{SX}$ is constructed anonymously, which means the two nodes establish this key without knowing who the other party is. Meanwhile, node S establishes a local broadcast key $k_{S*}$, and transmits it to all its neighbors. It is used for per-hop protection for subsequent route discovery.

The key establishment protocol is designed following the principle of KAM [21], which employs Diffie-Hellman key exchange and secure MAC code. It can effectively prevent replay attacks and session key disclosure attack, and meanwhile, it achieves key confirmation for established session keys. KAM has been proved to be secure under the oracle Diffie-Hellman assumption and the hash Diffie-Hellman assumption. Our key establishment protocol uses elliptic curve Diffie-Hellman (ECDH) key exchange to replace Diffie-Hellman key exchange, and uses group signature to replace MAC code.


Consequently, the security of our protocol can be derived using the same proof technique of KAM. Due to space limit, we do not elaborate proof details here, but interested readers are referred to [21].

[Fig. 2. USOR route request, route reply and data packet transmission. Panels: Route Request, Route Reply, Data.]

2) Privacy-Preserving Route Discovery: This phase is a privacy-preserving route discovery process based on the keys established in previous phase. Similar to normal route discovery process, our discovery process also comprises of route request and route reply. The route request messages flood throughout the whole network, while the route reply messages are sent backward to the source node only. Suppose there is a node S (source) intending to find a route to a node D (destination), and S knows the identity of the destination node D. Without loss of generality, we assume three intermediate nodes between S and D, as illustrated in Fig. 2. The route discovery process executes as follows:

Route Request (RREQ): S chooses a random number $r_S$, and uses the identity of node D to encrypt a trapdoor information that only can be opened with D's private ID-based key, which yields $E_D(S, D, r_S P)$. S then selects a sequence number $seqno$ for this route request, and another random number $N_S$ as the route pseudonym, which is used as the index to a specific route entry. To achieve unobservability, S chooses a nonce $Nonce_S$ and calculates a pseudonym as $Nym_S = H_3(k_{S*} | Nonce_S)$. Each node also maintains a temporary entry in his routing table (seqno, Prev RNym, Next RNym, Prev hop, Next hop), where seqno is the route request sequence number, Prev RNym denotes the route pseudonym of previous hop, Next RNym is the route pseudonym of next hop, Prev hop is the upstream node and Next hop is the downstream node along the route. As any node does not know the real identity of its upstream or downstream node The entry maintained by S temporarily is (seqno, , $N_S$, , ). After that, S encrypts these items using its local broadcast key $k_{S*}$ to obtain $E_{k_{S*}}(RREQ, N_S, E_D(S, D, r_S P))$. Finally, S broadcast the following unobservable route request to its neighbors:

$$Nonce_S,\ Nym_S,\ E_{k_{S*}}(RREQ, N_S, E_D(S, D, r_S P), seqno). \tag{1}$$

Upon receiving the route request message from S, A tries all his session keys shared with all neighbors to calculate $H_3(k_{X*} | Nonce_S)$ or $H_3(k_{XA} | Nonce_S)$ to see which one matches the received $Nym_S$. Then A would find out $k_{S*}$ satisfies $Nym_S = H_3(k_{S*} | Nonce_S)$, so he uses $k_{S*}$ to decrypt the ciphertext. After finding out this is a route request packet, A tries to decrypt $E_D(S, D, r_S P)$ using his private ID-based key to see whether he is the destination node. To avoid RREQ broadcasting storm, A will check if he has received the same request before by looking up in his cache, which includes a list of $N_S$ and $seqno$. If it is not a duplicate RREQ, A caches $N_S$ and $seqno$ for a given time to detect multiple receipt of the same RREQ packet. In this example, A is not the destination and his trial fails, so he acts as an intermediate node. A generates a nonce $Nonce_A$ and a new route pseudonym $N_A$ for this route. He then calculates a pseudonym $Nym_A = H_3(k_{A*} | Nonce_A)$. He also records the route pseudonyms and sequence number in his routing table for purpose of routing, and the corresponding table entry he maintained is (seqno, $N_S$, $N_A$, S, ). At the end, A prepares and broadcast the following message to all its neighbors:

$$Nonce_A,\ Nym_A,\ E_{k_{A*}}(RREQ, N_A, E_D(S, D, r_S P), seqno). \tag{2}$$
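The per-hop RREQ handling described above (finding the key by trying $H_3(k | Nonce)$ against every stored key, decrypting, checking the duplicate cache, then re-broadcasting under the node's own local broadcast key) is shown below as an added Python example that is not code from the paper. Truncated SHA-256 as $H_3$, the hash-based stream cipher with an HMAC tag standing in for $E_k$, the byte layout and the names `Node`, `build_rreq`, `enc` and `dec` are assumptions; the ID-based trapdoor is carried as opaque placeholder bytes.

```python
import hashlib
import hmac
import os
import struct

RREQ = 1                       # packet-type code (numeric value assumed)
HDR = ">B16sI"                 # inner header: type, route pseudonym N, seqno
HDR_LEN = struct.calcsize(HDR)


def H3(key, nonce):
    """Nym = H3(k | Nonce); truncated SHA-256 is an assumed instantiation."""
    return hashlib.sha256(b"H3|" + key + nonce).digest()[:16]


def _stream(key, nonce, n):
    """Hash-based keystream, a stand-in for the symmetric cipher."""
    blocks = (hashlib.sha256(b"E|" + key + nonce + struct.pack(">I", i)).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _tag(key, nonce, ct):
    return hmac.new(key, b"T|" + nonce + ct, hashlib.sha256).digest()[:16]


def enc(key, nonce, plaintext):
    """Stand-in for E_k(.): XOR with the keystream, then a 16-byte tag."""
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return ct + _tag(key, nonce, ct)


def dec(key, nonce, blob):
    """Inverse of enc(); returns None when the tag does not verify."""
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        return None
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))


def build_rreq(k_local, route_nym, trapdoor, seqno):
    """Nonce, Nym, E_k(RREQ, N, E_D(...), seqno) serialised as bytes."""
    nonce = os.urandom(16)
    inner = struct.pack(HDR, RREQ, route_nym, seqno) + trapdoor
    return nonce + H3(k_local, nonce) + enc(k_local, nonce, inner)


class Node:
    def __init__(self, name):
        self.name = name
        self.k_local = os.urandom(16)  # own local broadcast key
        self.keys = {}                 # label -> key from key establishment
        self.seen = set()              # cache of (route pseudonym, seqno)
        self.routes = {}               # seqno -> route table entry

    def match_key(self, nonce, nym):
        """Try every stored key until H3(k | Nonce) equals the received Nym."""
        for label, key in self.keys.items():
            if hmac.compare_digest(H3(key, nonce), nym):
                return label, key
        return None

    def on_packet(self, pkt):
        """Handle one overheard frame; return the re-broadcast RREQ or None."""
        nonce, nym, body = pkt[:16], pkt[16:32], pkt[32:]
        hit = self.match_key(nonce, nym)
        if hit is None:
            return None                # no key matches: frame is noise to us
        label, key = hit
        inner = dec(key, nonce, body)
        if inner is None or len(inner) < HDR_LEN or inner[0] != RREQ:
            return None
        _, prev_rnym, seqno = struct.unpack(HDR, inner[:HDR_LEN])
        if (prev_rnym, seqno) in self.seen:
            return None                # duplicate RREQ: do not re-broadcast
        self.seen.add((prev_rnym, seqno))
        # Trial decryption of the trapdoor with the ID-based private key is
        # not modelled here; the trapdoor is forwarded as opaque bytes.
        next_rnym = os.urandom(16)
        # Entry layout: seqno, Prev RNym, Next RNym, Prev hop, Next hop
        self.routes[seqno] = [seqno, prev_rnym, next_rnym, label, None]
        return build_rreq(self.k_local, next_rnym, inner[HDR_LEN:], seqno)


def demo():
    """Constructed run S -> A -> B, plus a node O that shares no key with S."""
    s, a, b, o = Node("S"), Node("A"), Node("B"), Node("O")
    a.keys["k_S*"] = s.k_local         # constructed result of phase 1
    b.keys["k_A*"] = a.k_local
    o.keys["k_other"] = os.urandom(16)
    trapdoor = os.urandom(64)          # placeholder for E_D(S, D, r_S P)
    p1 = build_rreq(s.k_local, os.urandom(16), trapdoor, 7)
    p2 = a.on_packet(p1)
    p3 = b.on_packet(p2)
    return {"outsider_drops": o.on_packet(p1) is None,
            "same_size": len(p1) == len(p2) == len(p3),
            "headers_differ": len({p1[:32], p2[:32], p3[:32]}) == 3,
            "duplicate_dropped": a.on_packet(p1) is None,
            "a_prev_hop": a.routes[7][3]}
```

The lookup cost grows with the number of keys a node holds, one hash per stored key for every overheard frame, which is the price of carrying no cleartext key identifier.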

Other intermediate nodes do the same as A does. Finally, the destination node D receives the following message from C:

$$Nonce_C,\ Nym_C,\ E_{k_{C*}}(RREQ, N_C, E_D(S, D, r_S P), seqno). \tag{3}$$

Likewise, D finds out the correct key $k_{C*}$ according to the equation $Nym_C = H_3(k_{C*} | Nonce_C)$. After decrypting the ciphertext using $k_{C*}$, D records route pseudonyms and the sequence number into his route table. Then D successfully decrypts $E_D(S, D, r_S P)$ to find out he is the destination node. D may receive more than one route request messages that originate from the same source and have the same destination D, but he just replies to the first arrived message and drops the following ones. The route table entry recorded by D is (seqno, $N_C$, , C, ).

Route Reply (RREP): After node D finds out he is the destination node, he starts to prepare a reply message to the source node. For route reply messages, unicast instead of broadcast is used to save communication cost. D chooses a random number $r_D$ and computes a ciphertext $E_S(D, S, r_S P, r_D P)$ showing that he is the valid destination capable of opening the trapdoor information. A session key $k_{SD} = H_2(r_S r_D P | S | D)$ is computed for data protection. Then he generates a new pairwise pseudonym $Nym_{CD} = H_3(k_{CD} | Nonce_D)$ between C and him. At the end, using the pairwise session key $k_{CD}$, he computes and sends the following message to C:

$$Nonce_D,\ Nym_{CD},\ E_{k_{CD}}(RREP, N_C, E_S(D, S, r_S P, r_D P), seqno). \tag{4}$$

When C receives the above message from D, he identifies who the sender of the message is by evaluating the equation $Nym_{CD} = H_3(k_{CD} | Nonce_D)$. So he uses the right key $k_{CD}$ to decrypt the ciphertext, then he finds out which route this RREP is related to according to the route pseudonym $N_C$ and $seqno$. C then searches his route table and modifies the temporary entry (seqno, $N_B$, $N_C$, B, ) into (seqno, $N_B$, $N_C$, B, D). At the end, C chooses a new nonce $Nonce_C$, computes $Nym_{BC} = H_3(k_{BC} | Nonce_C)$, and sends the following message to B:

$$Nonce_C,\ Nym_{BC},\ E_{k_{BC}}(RREP, N_B, E_S(D, S, r_S P, r_D P), seqno). \tag{5}$$

Other intermediate nodes perform the same operations as C does. Finally, the following route reply is sent back to the source node S by A in our example illustrated in the Fig. 2:

$$Nonce_A,\ Nym_{SA},\ E_{k_{SA}}(RREP, N_S, E_S(D, S, r_S P, r_D P), seqno). \tag{6}$$

S decrypts the ciphertext using the right key $k_{SA}$ and verifies that $E_S(D, S, r_S P, r_D P)$ is composed faultlessly. Now S is ensured that D has successfully opened the route request packet, and the route reply is really originated from the destination node D. S also computes the same session key $k_{SD} = H_2(r_S r_D P | S | D)$ as D does. Till now, S has successfully found a route to the destination node D, and the route discovery process is finished with success. S then finds and modifies his temporary route table entry (seqno, , $N_S$, , ) into (seqno, , $N_S$, , A).

The final route table for each node is as in Table III, and Fig. 2 illustrates the detailed routing messages.

TABLE III
ROUTE TABLE FOR ALL NODES IN THE EXAMPLE: EACH NODE HAS ONLY ONE ROW OF THE TABLE.

| | Seqno | P RNym | N RNym | Prev Hop | Next Hop |
|---|---|---|---|---|---|
| S | seqno | | $N_S$ | | $k_{A*}$ |
| A | seqno | $N_S$ | $N_A$ | $k_{S*}$ | $k_{B*}$ |
| B | seqno | $N_A$ | $N_B$ | $k_{A*}$ | $k_{C*}$ |
| C | seqno | $N_B$ | $N_C$ | $k_{B*}$ | $k_{D*}$ |
| D | seqno | $N_C$ | | $k_{C*}$ | |

3) Unobservable Data Packet Transmission: After the source node S successfully finds out a route to the destination node D, S can start unobservable data transmission under the protection of pseudonyms and keys. As illustrated in Fig. 2, data packets from S must traverse A, B, and C to reach D. The data packets sent by S take the following format ($DATA$ denotes the packet type):

$$Nonce_S,\ Nym_{SA},\ E_{k_{SA}}(DATA, N_S, seqno, E_{k_{SD}}(payload)). \tag{7}$$

Upon receiving the above message from S, A knows that this message is for him according to the pseudonym $Nym_{SA}$. After decryption using the right key, A knows this message is a data packet and should be forwarded to B according to route pseudonym $N_S$. Hence he composes and forwards the following packet to B:

$$Nonce_A,\ Nym_{AB},\ E_{k_{AB}}(DATA, N_A, seqno, E_{k_{SD}}(payload)). \tag{8}$$

The data packet is further forwarded by other intermediate nodes until it reaches the destination node D. At the end, the following data packet is received by D:

$$Nonce_C,\ Nym_{CD},\ E_{k_{CD}}(DATA, N_C, seqno, E_{k_{SD}}(payload)). \tag{9}$$

By looking up in his route table, D knows himself is the destination of this packet. So he is able to decrypt the encrypted payload with the session key $k_{SD}$. Fig. 2 illustrates data transmission in USOR.

IV. SECURITY AND PRIVACY ANALYSIS

In this section, we introduce an information theoretic metric to quantify privacy in anonymous routing protocols, and then we employ it to evaluate privacy of USOR and other existing schemes. Next, we discuss issues on anonymity, unlinkability, and unobservability against the global adversary who can continuously monitor the whole network.

A. Privacy Metric and Analysis

We adopt an information theoretic approach [22] to measure network privacy provided by USOR and MASK (or ANODR). The entropy-based privacy metric is obtained according to the probability distribution of a node being the sender (resp. the receiver). Specifically, we consider the sender anonymity of RREQ packets in our analysis. The sender anonymity is computed by $H_k = -\sum_i p_i \log_2 p_i$, where $p_i$ is the probability of node $i$ being the sender of a packet $RREQ_k$. If the anonymity set, i.e., the set of nodes that are the possible sender, is $AS$, and nodes in $AS$ are equally possible to be the sender, then the sender anonymity is $H_k = \sum \frac{1}{|AS|} \log_2 |AS| = \log_2 |AS|$. This metric represents the bits of information that an attacker needs to identify the sender of the packet $RREQ_k$. When the anonymity set is the whole network, the sender anonymity gets the maximum value. In the following analysis, we always assume nodes in the anonymity set have the same probability to be the sender.

For schemes like ANODR or MASK, RREQ tags are publicly known and RREQ packets with the same ID belong to the same session. A node nearer to the source node receives the RREQ packet earlier than a farther node. Based on this observation, a simple but effective attack to reduce the anonymity set can be launched. Suppose there are $m$ eavesdropping nodes controlled by the attacker, and $t$ of them, labeled as $n_{i_1}, n_{i_2}, \ldots, n_{i_t}$, receive RREQ packets with the same sequence number in subsequent time. Then the possible source of the RREQ packet is the one whose coordinate $(x, y)$ satisfies the following condition:

$$(x - x_i^r)^2 + (y - y_i^r)^2 < (x - x_i^s)^2 + (y - y_i^s)^2, \tag{10}$$


Fig. 3. A Simple Example on Sender Anonymity Reduction: Source node S initiates a route discovery process to the destination node E. There are three eavesdropping nodes (1-3) controlled by the attacker. The two dash lines are mid-perpendiculars between node 1 and node 2, node 2 and node 3, respectively. According to the RREQ packet forwarding time, the attacker can reduce the possible source of the RREQ to the grey nodes.

where $1 \le r < s \le t$, and $(x_i^r, y_i^r)$, $(x_i^s, y_i^s)$ are coordinates of node $n_{i_r}$, $n_{i_s}$. The nodes that satisfy condition (10) form the anonymity set AS. This method is effective as long as the network has no extraordinary congestion. An example is illustrated in Fig. 3, where the anonymity set is composed of the four grey nodes. As a result, the sender anonymity of the RREQ packet can be computed as $H = \log_2 4 = 2$. That is, the attacker needs 2-bit information to identify who is the real sender. It can be seen that if the attacker can control more eavesdropping nodes then he is able to obtain more information on who might be the sender.

B. Discussion

The fundamental difference between USOR and ANODR or AnonDSR is that USOR relies on established keys between neighboring nodes to achieve privacy protection, while the other two schemes depend on onion encryption and end-to-end security. Consequently, per-hop protection in USOR can provide complete unlinkability and unobservability efficiently, but ANODR and AnonDSR fail to protect linkability or observability of messages.

Another advantage of USOR over ANODR is the constant size of routing packets. This makes USOR more advantageous as the attacker cannot obtain private information from packet size, while ANODR has to deal with this issue by padding packets to the same size.

The neighboring nodes authentication in USOR makes use of group signatures, while MASK uses one-time pairing-based keys for preserving privacy. Because these one-time pairing-based keys are generated by a trusted party beforehand, MASK has to face the problem of one-time key depletion. Moreover, MASK leaks identity information of the destination node during routing discovery, not to mention the disclosure of packet types. However, all this information is well-protected in USOR.

Anonymity. User anonymity is implemented by group signature which can be verified without disclosing one's identity. Group signature is used to establish session keys between neighboring nodes, so that they can authenticate each other anonymously. And subsequent routing discovery procedure is built on top of these session keys. Hence it is easy to see that USOR fulfills the anonymity requirement under both passive and active attacks, as long as the group signature is secure.

Unlinkability. Let's consider the three types of packets defined in Section III-B2. In these packets, they are identified by pseudonyms which are generated from random nonces and secret session keys. The nonces are only used once and never reused, and so are the pseudonyms. Except the random nonce and the pseudonym, the remaining part of the message, including the trapdoor information in the route request, is decrypted and encrypted at each hop. Hence even for a global adversary who can eavesdrop every transmission within the network, it is impossible for him to find linkage between messages without knowing any encryption key. He even has no idea of the type of the packet being transmitted in the network, and he cannot relate different packets in terms of packet type. The only way to gain information on relationship between transmissions is that the attacker has access to some encryption keys, i.e., he has compromised one or more valid nodes. This case is discussed in detail later in subsection IV-B.

Unobservability. In USOR, RREQ, RREP and data packets are indistinguishable from dummy packets to a global outside adversary. Meanwhile, nodes involved in the routing procedure are anonymous to other valid nodes. Consequently, USOR provides unobservability as defined for ad hoc networks. First of all, a global adversary cannot distinguish different packet types, and neither can he distinguish a meaningful ciphertext from random noise. Moreover, a node chooses the nonce randomly and never reuses it. The nonce is updated each time after it is used, so there is no linkage between the pseudonyms which are computed from nonces.
Only those mobile nodes with valid session keys can recognize valid pseudonyms and decrypt the corresponding ciphertexts to obtain meaningful plaintexts from them. Secondly, a node and its next-hop node or previous-hop node on route establish a session key anonymously, hence no one is able to know real identities of its next-hop node or previous-hop node. Even the source and the destination node do not know real identities of the intermediate nodes on route. As a result, USOR offers content unobservability for ad hoc networks according to the definition in [1]. Based on the content unobservability provided by USOR, traffic padding can be introduced into the network to thwart traffic analysis and provide traffic pattern unobservability. As discussed in Section II, privacy-preserving routing problem is orthogonal to countermeasures against traffic analysis, and appropriate countermeasures against traffic analysis can be applied to make USOR unobservable in terms of traffic pattern.

Node Compromise. Node compromise is easy for the adversary and highly possible in ad hoc networks, hence it is crucial for a privacy-preserving routing protocol to withstand security attacks due to node capture. In this case, privacy information leakage is unavoidable due to secret exposure, while our routing protocol can protect user privacy against serious node compromise. Suppose a node is compromised by an attacker, his private signing key and ID-based encryption key are disclosed to the attacker. The attacker now is able to establish keys with neighboring nodes, but only the following information can be obtained by the attacker: 1) the type of a received packet; 2) data/RREP packets sent to/via the compromised node; 3) headers of packets relayed by the compromised node; 4) RREQ packets sent from the compromised node's neighbors. The attacker is not able to gain more beyond this information. From this information, he cannot infer: 1) the location of the source/destination node; 2) real identities of source/destination node of the relaying packets; 3) source/destination node of the RREQ packets. That is, the privacy leakage due to node compromise is limited within the compromised node's neighborhood, and privacy information like identity and location is still well protected by USOR.

Even if the global attacker exploits the compromised node's secret credential for a global attack, USOR's resilience against privacy leakage can still offer satisfactory protection, due to its per-hop protection of packets. As described in (4) and (7), RREP and data packets are encrypted hop-by-hop, and one-time nonces and pseudonyms are used to provide unlinkability and unobservability. Only if the RREP or data packets pass through the compromised node can the attacker know the packet type. Even if the compromised node happens to be on the route, as an intermediate node, the attacker has no clue on where the source node or the destination node is. If the attacker tries to impersonate the source node to request a route to a specific node, the attacker is still not certain where the destination node is in any case.

Collusion Attacks. For the colluding outsiders, privacy information is perfectly protected with USOR. As the attacker is unable to distinguish a meaningful packet from a dummy packet, USOR can provide complete protection for privacy with an appropriate traffic padding scheme.
Even if the target node is surrounded by more than one attack node, given the assumption that no node is totally surrounded by compromised nodes, the attacker is unable to perceive anything except some random dummy packets. If appropriate dummy traffic is injected into the network, the colluding outsiders cannot gain any privacy information about the network at all. For the colluding insiders, USOR still offers unobservability as promised. Though information disclosure is unavoidable for colluding insiders, and the adversary knows some keys, the information that the colluding insiders can obtain is largely restricted by USOR. The attackers are able to know: 1) a target node is involved in a route discovery procedure since it is broadcasting a RREQ packet; 2) a target node is the previous hop or the next hop on a path. However, the colluding insiders are not able to know identity of the target node or other intermediate nodes on route. According to the design of USOR, authentication and key establishment is achieved by group signature, which perfectly protects user identity from disclosure. Consequently, unobservability is guaranteed by USOR under colluding insider attacks according to the definition of unobservability.

Sybil Attacks. In the Sybil attack [23], a single node presents multiple fake identities to other nodes in the network. Sybil attacks pose a great threat to decentralized systems like peer-to-peer networks and geographic routing protocols. In USOR, the centralized key server generates group signature signing keys and ID-based keys for network nodes. Thus, it is impossible for the adversary to obtain other valid identities except the compromised ones. Nevertheless, the anonymity feature of USOR allows the adversary to launch Sybil attacks which are similar to collusion attacks discussed above. As discussed in the collusion attack part, USOR is able to counter such attacks effectively.

V. IMPLEMENTATION AND PERFORMANCE EVALUATION

In this section, we analyze computation cost of USOR, and compare it with existing schemes. We then describe the implementation and performance evaluation of our protocol. USOR requires a signature generation and two point multiplications in the first process. In the route discovery process, each node except the source node and destination node needs one ID-based decryption, while the source node and destination node have to do two ID-based encryption/decryption and two point multiplications. A detailed comparison on computation cost of existing schemes and USOR is shown in Table IV. In this table, we ignore symmetric operations as they are negligible compared to PKC operations. MASK is not listed in the table as it does not need public key operations during the route discovery process. However, MASK does not offer sender anonymity or receiver anonymity. From the table, we can see that USOR can achieve unobservability without too much computation cost.

TABLE IV: COMPUTATION COST OF USOR AND EXISTING SCHEMES

| Scheme | Source | Destination | Intermediate |
|---|---|---|---|
| ANODR | KG+1P(1P) | 1P | KG+2P(2P) |
| ASR | KG+1P(1P) | 1P | KG+2P(2P) |
| ARM | KG+1P(1P) | L*P | 1P |
| AnonDSR | KG+1P(1P) | (L + 1)*P | 1P |
| SDAR | KG+2P(2P) | (L + 1)*P | KG+1P(1P) |
| ODAR | KG+1P(1P) | 1P | 0 |
| ARMR | KG+3P(3P) | 3P | 4P |
| PRISM | KG+3P(3P) | 3P | 0 |
| ALARM | KG+2P(2P) | 2P | 0 |
| USOR | 4P(3P) | 4P(3P) | P |

Numbers in brackets are computation complexity with pre-computation. L is the hops from the source to the destination, KG denotes public key generation, P denotes public key operations, e.g., PKC encryption/decryption, ECC pairing.

We implement both USOR and MASK on ns2, and evaluate their performance by comparing with AODV (the standard implementation of ns-2.31). In our simulation, the scenario parameters are listed in Table V, and we use the cryptographic benchmarks on 1GHz Pentium III according to [24], [25]. In the simulation, 50 nodes are randomly distributed within a network field of size 1500m x 300m as such a rectangle field can make the number of hops between two nodes larger.
Mobile nodes are moving in the field according to the random way point model, and we adopt the speed ranges used in [13] so that the average speeds range from 0 to 10m/s. Two different CBR traffic loads are generated for each of the 20 pairs selected from the 50 nodes: 2 packets/s as the light traffic load and 4 packets/s as the heavy traffic load. The local session keys are updated every 40 seconds in the simulation, and each update involves a complete anonymous key establishment procedure. To simulate cryptographic operations on each node, we force each node to delay for some time according to the benchmarks given in Table V. The period a node needs to wait is determined by cryptographic operations the node performs.

TABLE V: PARAMETERS ON CRYPTOGRAPHIC OPERATIONS AND EXPERIMENT SCENARIOS

| Parameter | Value |
|---|---|
| 1024-bit ID-based Enc | 22ms |
| 1024-bit ID-based Dec | 17ms |
| Group Signature Generation | 24ms |
| Group Signature Verification | 26ms |
| Point Multiplication | 3ms |
| 1024-bit Pairing | 8.6ms |
| Simulation Time | 600s |
| Scenario Dimension | 1500m x 300m |
| Wireless Radio Range | 250m |
| Mobile Nodes Number | 50 |
| Average Node Speed | 0-10m/s |
| Source-Destination Pairs | 20 random pairs |
| Traffic Type | 512-byte CBR traffic |
| Traffic Frequency | 2 or 4 packets/s |
| Wireless Bandwidth | 2Mbps |
| Node Pause Time | 0s |
| Key Update Interval | 40s |
| Average Hops | 2.90 |
| Average Neighbors | 12.69 |

We evaluate the performance of USOR in terms of packet delivery ratio, packet delivery latency, and normalized control bytes. With Fig. 4 we demonstrate performance of USOR, MASK and AODV at different moving speeds for two different traffic loads. Two traffic loads are selected according to performance of the standard AODV implementation of ns2. According to Fig. 4(a), AODV has the highest packet delivery ratio for both types of traffic loads, and MASK's performance is between AODV and USOR. The packet delivery ratio decreases as nodal speed increases and traffic load becomes heavier. Under the light traffic load (2 packets/s), USOR has more than 90% packet delivery ratio at high node speeds, only slightly lower than MASK and AODV. Under the heavy traffic load (4 packets/s), performance of all three protocols has downgraded greatly. The biggest difference between USOR and AODV on packet delivery ratio is less than 10%. Apparently, the performance of both protocols drops when node speed goes up, due to more frequent route disruption at higher speeds. Route disruption leads to packet drop and retransmission, and a new route has to be constructed before remaining packets can be sent out. Lower packet delivery ratio of USOR is due to the following reasons: 1) In USOR only trusted neighbors will forward route packets for each other, otherwise packets are simply dropped; 2) Local key update and node mobility lead to loss of trust between a node and its neighbors.
Before neighboring nodes establish shared local keys, no traffic can be passed between them, which results in transmission delay in USOR; 3) Route repair in AODV is not applicable in the protocol for the sake of privacy protection, as route repair requires identity information about the destination; 4) In AODV or MASK, intermediate nodes can reply to a route request if they know a route to the requested destination, while USOR cannot do this as any intermediate node is not supposed to know either the source node or the destination node.

From Fig. 4(b), we can also see that AODV has the least delivery latency and MASK is between AODV and USOR, but the packet delivery latency difference between USOR and MASK is less than 100ms. Under the light traffic load USOR's latency increases from 50ms to 90ms when node speed increases from 0m/s to 10m/s. Under the heavy traffic load, USOR's latency increases from about 100ms to more than 400ms for node speed from 0m/s to 10m/s. Due to the same reasons discussed above, non-optimal paths and local key construction delay result in longer latency of USOR than AODV.

Figure 4(c) illustrates the routing cost for delivering a unit of data payload. It is not strange that USOR and MASK have to send more control packets than AODV. In AODV, there are only three types of routing control packets, namely routing request packet, routing reply packet, and routing error packet. However, USOR needs more control packets to maintain anonymous routing information. Since MASK and USOR exploit similar key management and route discovery approach, their normalized control bytes are very close.

We also examine impact of packet padding on USOR's performance with Fig. 4. In the experiment, CBR traffic packet size is set to 128 bytes, and CBR traffic frequency is set to 4 packets/s. This traffic load is half of the light traffic (2 packets/s and 512 bytes/packet). In the padded USOR, all packets including RREQ, RREP packets and other control packets (e.g. Beacon packets) are padded to 128 bytes. Due to the packet padding, performance of the padded USOR is obviously downgraded, but the padded USOR still achieves satisfactory performance: more than 85% delivery success and about 250ms delivery latency.

Finally, we compare USOR with MASK in terms of privacy protection.
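The sender-anonymity computation behind this comparison, i.e. the entropy metric and condition (10) of Section IV-A, as an added Python example that is not from the paper or its ns2 implementation. The node layout is constructed, RREQ arrival time is assumed to grow with straight-line distance from the source (the paper's no-congestion case), and all function names are hypothetical.

```python
import math
from itertools import combinations

def sender_anonymity(probs):
    """H_k = -sum_i p_i * log2(p_i), in bits, over sender probabilities p_i."""
    if abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("sender probabilities must sum to 1")
    return -sum(p * math.log2(p) for p in probs if p > 0)

def uniform_anonymity(candidates):
    """Equal-probability case used in the paper: H = log2 |AS|."""
    if not candidates:
        # Timing that contradicts the distance model (e.g. heavy congestion)
        # leaves no candidate; the estimate is then meaningless.
        raise ValueError("observations are inconsistent with the timing model")
    return sender_anonymity([1.0 / len(candidates)] * len(candidates))

def dist2(a, b):
    """Squared Euclidean distance between two (x, y) points."""
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2

def observe(source, eavesdroppers):
    """ASSUMPTION: arrival time of a linkable RREQ is monotone in distance
    from the source, so squared distance stands in for the timestamp."""
    return [(dist2(source, e), e) for e in eavesdroppers]

def anonymity_set(nodes, observations):
    """Nodes satisfying condition (10) for every pair r < s of eavesdroppers
    ordered by arrival time. Pairs with equal arrival time give no ordering
    and are skipped."""
    ordered = sorted(observations)
    return [
        n for n in nodes
        if all(dist2(n, er) < dist2(n, es)
               for (tr, er), (ts, es) in combinations(ordered, 2)
               if tr < ts)
    ]

def sweep(nodes, source, eavesdroppers):
    """(k, |AS|, H) when only the first k eavesdroppers can link the RREQ."""
    rows = []
    for k in range(len(eavesdroppers) + 1):
        cands = anonymity_set(nodes, observe(source, eavesdroppers[:k]))
        rows.append((k, len(cands), uniform_anonymity(cands)))
    return rows

# Constructed layout (not the coordinates of Fig. 3): nine nodes and three
# eavesdroppers on the x axis, so each bisector is a vertical line.
NODES = [(1, 1), (2, -1), (3, 2), (4, 0), (6, 1),
         (9, -2), (12, 0), (16, 1), (19, 0)]
SOURCE = (4, 0)
EAVESDROPPERS = [(20, 0), (10, 0), (0, 0)]

if __name__ == "__main__":
    for k, size, bits in sweep(NODES, SOURCE, EAVESDROPPERS):
        print(f"eavesdroppers={k}  |AS|={size}  H={bits:.3f} bits")
```

With zero or one eavesdropper the anonymity set is the whole network and the entropy is at its maximum; each additional linked observation can only shrink the set, which is why per-hop re-encryption that prevents linking RREQs keeps the entropy high.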
We make use of the information theoretic privacy metric discussed in Section IV. We alter the number of eavesdropping nodes in the network and compute the sender anonymity of RREQ packets. The sender anonymity is obtained by calculating the entropy of the probability distribution of the possible sender of RREQ packets. It can be seen from Fig. 5 that USOR provides best privacy protection regardless of the number of eavesdroppers, while MASK provides better privacy for less eavesdropping nodes. However, when the number of eavesdroppers increases to 8 or larger, the privacy entropy does not decrease significantly. This is reasonable since the anonymity set of possible senders cannot be reduced any more by introducing more eavesdroppers.

Fig. 4. Performance comparison between USOR, MASK and AODV in case of different mobile node speeds: (a) Packet Delivery Ratio; (b) Packet Delivery Latency; (c) Packet Delivery Latency.

Fig. 5. Privacy entropy of MASK and USOR in case of 2, 6, 10, 14 and 18 Eavesdroppers

VI. CONCLUSION AND FUTURE WORK

In this paper, we proposed an unobservable routing protocol USOR based on group signature and ID-based cryptosystem for ad hoc networks. The design of USOR offers strong privacy protection (complete unlinkability and content unobservability) for ad hoc networks. The security analysis demonstrates that USOR not only provides strong privacy protection, it is also more resistant against attacks due to node compromise. We implemented the protocol on ns2 and examined performance of USOR, which shows that USOR has satisfactory performance in terms of packet delivery ratio, latency and normalized control bytes. Future work along this direction is to study how to defend against wormhole attacks, which cannot be prevented with USOR. Also how to make the unobservable routing scheme resistant against DoS attacks is a challenging task that demands in-depth investigation.

ACKNOWLEDGMENTS

The authors would like to thank the anonymous reviewers for their valuable comments. Zhiguo Wan's research is supported in part by Scientific Foundation for Returned Overseas Chinese Scholars, MOE, and the NSFC project under Grant No. 61003223. Kui Ren's research is supported in part by the US National Science Foundation under grants CNS-0831963 and CNS-1117811.

REFERENCES
[1] A. Pfitzmann and M. Hansen, "Anonymity, unobservability, and pseudonymity: a consolidated proposal for terminology," draft, July 2000.
[2] Y. Zhu, X. Fu, B. Graham, R. Bettati, and W. Zhao, "On flow correlation attacks and countermeasures in mix networks," in PET'04, LNCS 3424, 2004, pp. 207-225.
[3] D. Chaum, "Untraceable electronic mail, return addresses, and digital pseudonyms," Commun. of the ACM, vol. 4, no. 2, Feb. 1981.
[4] S. Capkun, L. Buttyan, and J. Hubaux, "Self-organized public-key management for mobile ad hoc networks," IEEE Trans. Mobile Comput., vol. 2, no. 1, pp. 52-64, Jan.-Mar. 2003.
[5] J. Kong and X. Hong, "ANODR: anonymous on demand routing with untraceable routes for mobile ad-hoc networks," in Proc. ACM MOBIHOC'03, pp. 291-302.
[6] B. Zhu, Z. Wan, F. Bao, R. H. Deng, and M. KankanHalli, "Anonymous secure routing in mobile ad-hoc networks," in Proc. 2004 IEEE Conference on Local Computer Networks, pp. 102-108.
[7] S. Seys and B. Preneel, "ARM: anonymous routing protocol for mobile ad hoc networks," in Proc. 2006 IEEE International Conference on Advanced Information Networking and Applications, pp. 133-137.
[8] L. Song, L. Korba, and G. Yee, "AnonDSR: efficient anonymous dynamic source routing for mobile ad-hoc networks," in Proc. 2005 ACM Workshop on Security of Ad Hoc and Sensor Networks, pp. 33-42.
[9] Y. Dong, T. W. Chim, V. O. K. Li, S.-M. Yiu, and C. K. Hui, "ARMR: anonymous routing protocol with multiple routes for communications in mobile ad hoc networks," Ad Hoc Networks, vol. 7, no. 8, pp. 1536-1550, 2009.
[10] A. Boukerche, K. El-Khatib, L. Xu, and L. Korba, "SDAR: a secure distributed anonymous routing protocol for wireless and mobile ad hoc networks," in Proc. 2004 IEEE LCN, pp. 618-624.
[11] D. Sy, R. Chen, and L. Bao, "ODAR: on-demand anonymous routing in ad hoc networks," in 2006 IEEE Conference on Mobile Ad-hoc and Sensor Systems.
[12] J. Ren, Y. Li, and T. Li, "Providing source privacy in mobile ad hoc networks," in Proc. IEEE MASS'09, pp. 332-341.
[13] Y. Zhang, W. Liu, and W. Lou, "Anonymous communications in mobile ad hoc networks," in 2005 IEEE INFOCOM.
[14] K. E. Defrawy and G. Tsudik, "ALARM: anonymous location-aided routing in suspicious MANETs," IEEE Trans. Mobile Comput., vol. 10, no. 9, pp. 1345-1358, 2011.
[15] "Privacy-preserving location-based on-demand routing in MANETs," IEEE J. Sel. Areas Commun., vol. 29, no. 10, pp. 1926-1934, 2011.
[16] J. Han and Y. Liu, "Mutual anonymity for mobile peer-to-peer systems," IEEE Trans. Parallel Distrib. Syst., vol. 19, no. 8, pp. 1009-1019, Aug. 2008.
[17] Y. Liu, J. Han, and J. Wang, "Rumor riding: anonymizing unstructured peer-to-peer systems," IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 3, pp. 464-475, 2011.
[18] D. Boneh, X. Boyen, and H. Shacham, "Short group signatures," in Advances in Cryptology - Crypto'04, Lecture Notes in Computer Science, vol. 3152, 2004, pp. 41-55.
[19] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology - Crypto'01, Lecture Notes in Computer Science, vol. 2139, 2001, pp. 213-229.
[20] D. Dong, M. Li, Y. Liu, X.-Y. Li, and X. Liao, "Topological detection on wormholes in wireless ad hoc and sensor networks," IEEE/ACM Trans. Netw., vol. 19, no. 6, pp. 1787-1796, Dec. 2011.
[21] I. R. Jeong, J. O. Kwon, and D. H. Lee, "A Diffie-Hellman key exchange protocol without random oracles," in Proc. CANS 2006, vol. LNCS 4301, pp. 37-54.
[22] A. Serjantov and G. Danezis, "Towards an information theoretic metric for anonymity," in Privacy Enhancing Technologies, 2002, pp. 41-53.
[23] H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman, "Sybilguard: defending against sybil attacks via social networks," in Proc. 2006 SIGCOMM, pp. 267-278.
[24] M. Brown, D. Hankerson, J. López, and A. Menezes, "Software implementation of the NIST elliptic curves over prime fields," in Topics in Cryptology - CT-RSA 2001, LNCS, vol. 2020, 2001, pp. 250-265.
[25] M. Scott, MIRACL: Multiprecision Integer and Rational Arithmetic C/C++ Library.

Zhiguo Wan is a lecturer in School of Software, Tsinghua University, China. His main research interests include security and privacy in wireless networks, mobile social networks and cryptography. He received his B.S. degree in computer science from Tsinghua University in 2002, and the Ph.D. degree in wireless network security from National University of Singapore in 2006. He is a member of IEEE and ACM.

Kui Ren is currently an Assistant Professor of Electrical and Computer Engineering Department at the Illinois Institute of Technology. He received his B.E and M.E Degrees from Zhejiang University and PhD degree from Worcester Polytechnic Institute. Kui's research expertise includes Cloud Computing & Security, Wireless Security, and Smart Grid Security. His research is supported by NSF, DoE, AFRL, and Amazon. He is a recipient of National Science Foundation Faculty Early Career Development (CAREER) Award in 2011. Kui received the Best Paper Award from IEEE ICNP 2011. Kui serves as an associate editor for IEEE Wireless Communications and IEEE Transactions on Smart Grid. Kui is a senior member of IEEE and a member of ACM.

Ming Gu is the senior researcher, vice director of Key Laboratory for Information System Security, Ministry of Education. Her research interests include middleware techniques, formal methods in software, information system security. She has been in charge of more than 10 national research projects, and published more than 50 research papers in international conferences and journals.
