Amos Beimel
Shlomi Dolev
Abstract

This work develops a novel approach to hide the senders and the receivers of messages. The intuition is taken from an everyday activity that hides the "communication pattern" -- the public transportation system. To describe our protocols, busses are used as a metaphor: Busses, i.e., messages, are traveling on the network, each piece of information is allocated a seat within the bus. Routes are chosen and buses are scheduled to traverse these routes. Deterministic and randomized protocols are presented, the protocols differ in the number of buses in the system, the worst case traveling time, and the required buffer size in a "station." In particular, a protocol that is based on cluster partition of the network is presented; in this protocol there is one bus traversing each cluster. The clusters' size in the partition gives time and communication tradeoffs. One advantage of our protocols over previous works is that they are not based on statistical properties for the communication pattern. Another advantage is that they only require the processors in the communication network to be busy periodically.
1 Introduction

Throughout the history encryption was used to hide the contents of transmitted data. The rapid growth in the use of the Internet only increased the necessity of encryption. However, encryption does not hide all the relevant information, for example, it does not hide the identity of the communicating parties. That is, it does not prevent traffic analysis. In this work we deal with the problem of anonymous communication -- communication that does not disclose the identity of the sender and receiver.
We develop a novel approach to hide the senders and the receivers of messages. The intuition is taken from an everyday activity that hides the "communication pattern" -- the public transportation system. For example, a traveler that takes buses from one place to another remains anonymous, and it is hard to trace him. Metaphorically, we consider the pieces of information that senders send to receivers as passengers. There are "buses," i.e., messages, traveling on the network, and each piece of information is allocated a seat within a bus. The sender and receiver are modeled as bus stations. Our aim is to simulate this metaphor in the digital world while keeping the anonymity of the sender and receiver. In most of our protocols we also hide the information that a message is sent, that is, hide the number of passengers on each bus.
Previous work. One of the first works to consider the problem of hiding the communication pattern in the network is the work of Chaum [2] where the concept of a mix is introduced. A single processor in the network, called a mix, serves as a relay. Each processor $p$ that wants to send a message $M$ to a processor $q$ encrypts $M$ using $q$'s public key to obtain $M'$. Then $p$ encrypts the pair $(M', q)$ using the public key of the mix. The mix decrypts the message and forwards $M'$ to $q$. This scheme has been extended in [10, 11, 13, 14] where several mixes are used to cope with the possibility of compromising the single mix. For example, in the onion routing system [14] a proxy defines a route for a message through the routing network by wrapping the message with a layered data-structure called an onion; the onion is passed through the routers as specified by the onion, each router which receives an onion peels off its layer, identifies the next hop in the route, and sends the peeled onion to the next router. The mix schemes operate under some statistical assumption on the pattern of communication. If a single message is sent then an adversary that monitors the communication channels can observe the sender and the receiver of the particular message. Another example for a problematic case is when all the processors send a message to the same destination -- in this case the identity of the receiver is revealed. A discussion on other mix-like systems can be found in [14].

An approach based on "xor-trees" has been presented in [6]. The scheme presented in [6] fits long communication sessions during which the data exclusive-ored with pseudo-random bits (that cancel each other) is transferred towards the root which in turn broadcasts the arriving information to the nodes in the tree. The solution presented in [6] is an extension of the DC-net approach suggested in [3].
Our contribution. Our solutions do not rely on statistical properties for the communication pattern. In our solution, unlike the solution presented in [6], the processors in the communication network are busy in the transmission only periodically. That is, a processor is busy only when a bus arrives at the processor. Moreover, there is no need to store information (such as the result of xoring arriving bits) in memory between bus arrivals; thus, our protocols are more suitable for fault tolerant environments. For example, the scheme may be a base for a robust anonymous message delivery by retransmitting a new bus upon a time-out.

Let us note two additional important properties of our scheme. First note that in our protocols the buses traverse the network in fixed routes and fixed schedule, thus the adversary cannot learn whether there is any communication between the processors or not. In addition, our scheme can cope with an adversary that monitors any number of processors.

We also extend the scheme to cope with three extensions of the model: (1) protocols that enable anonymous broadcast and multicast, (2) protocols which work even if the topology of the network is unknown, and (3) protocols which tolerate Byzantine processors.
Organization. The rest of the paper is organized as follows. The problem statement appears in Section 2. Two simple solutions that achieve minimum communication and minimum time, respectively, are presented in Section 3. A solution that introduces a tradeoff between time and communication is presented in Section 4. Lower bounds on the possible tradeoffs between time and communication are proved in Section 5. Solutions which cope with extensions of the model appear in Section 6.
not limit the size of the set). Later a pair of parties (or some pairs) execute the anonymous message delivery protocol. At the end of the executions the adversary should not know if $p_i$ sent a message to $p_j$ for every $p_i, p_j \notin C$. This adversary is honest-but-curious, i.e., it cannot change any messages, delete messages, add any messages, or change the state of any processor. We next formally define anonymous message delivery protocols. For this definition, we recall the definition of indistinguishable distributions [9, 16].
Pr
2k
M v;
1 =1
k
Pr
2 k
M w;
1 = 1 k1 :
k
The protocols we define have a security parameter $k$ which measures the length of the keys in the cryptographic primitives they use (see Section 2.1 for description of these primitives). Roughly speaking, the requirement is that a Turing Machine that runs in time polynomial in $k$ cannot know who are the sender and receiver. The view of the listening adversary controlling a set $C$ of processors after an execution of a message delivery protocol in which $p_i$ sends a message to $p_j$ is denoted by the random variable $\mathrm{VIEW}_k(i, j)$ where $k$ is the security parameter. This view contains all messages exchanged in the network and the local information known to processors in $C$, i.e., the random inputs they used during the execution, the state of the processors, and the secret keys they know.
Definition 2.2 We say that the protocol is an anonymous message delivery protocol if:

Correctness. If $p_i$ sends a message $M$ to $p_j$ then $p_j$ receives the message.

Anonymity. For every $C \subseteq \{p_1, \dots, p_n\}$ and every $i_1, i_2, j_1, j_2 \notin C$ the sequences of random variables $\{\mathrm{VIEW}_k(i_1, j_1)\}_{k=1}^{\infty}$ and $\{\mathrm{VIEW}_k(i_2, j_2)\}_{k=1}^{\infty}$ are indistinguishable.
The Byzantine adversary is more powerful than the listening adversary. Like the listening adversary, the Byzantine adversary can monitor the communication links and the internal contents of the processors of the network. In addition, for some parameter $t$, it can control up to $t$ processors in the network. These processors can insert messages, delete messages, or arbitrarily change messages that they receive (before forwarding the messages). That is, these processors can deviate from the pre-defined protocol. Again we assume that the adversary is non-adaptive. We do not give a formal definition of an anonymous message delivery protocol in the presence of a Byzantine adversary since it is quite complicated. The definition is similar to the definition of secure function evaluation in the presence of a Byzantine (malicious) adversary.
We evaluate a protocol by its time complexity, its communication complexity, and its buffer complexity: the time complexity is the worst case time required to transmit a message from a sender to a receiver, the communication complexity is the maximal number of messages that are sent simultaneously by the processors in the network (however, these messages can be long), and the buffer complexity is the buffer size required for each processor to store incoming and outgoing messages in each time step. In our protocols the buffer complexity is the number of seats in the buses that arrive simultaneously to a processor.

1 If the adversary monitors the internal contents of the sender or the receiver, then it can identify the sender and the receiver.
2.1 Cryptographic Primitives

The first cryptographic primitive that we use is encryption which guarantees the secrecy of messages. That is, a sender can send an encrypted message such that only the intended recipient can decrypt it. We will require semantic security -- the encryption is randomized and an eavesdropper cannot distinguish in polynomial time between encryptions of any pair of messages. See, e.g., [7] for formal definitions. We consider two types of encryption:

Symmetric key encryption. Both sender and receiver have a common secret key, which is used for both encryption and decryption.

Public key encryption. The receiver has a secret private key which it uses for decryption. Furthermore, the receiver publishes a public key which is used for encryption by any sender; an eavesdropper cannot distinguish between encryptions of messages even if it has the public key.

Typical symmetric key encryption schemes are faster than public key encryption schemes; however they require every pair of processors in the network to have a common secret key.

Authentication. The second cryptographic primitive that we use is authentication which guarantees that if a sender sends a message to a receiver and a third party alters this message, then with high probability the receiver can detect this fact. Again we can consider two types: (1) symmetric key authentication in which the sender uses the common key to authenticate a message and the receiver uses the common key to verify the authenticity of the message, and (2) public key authentication, known as signatures, in which the sender uses its private key to sign a message and the receiver uses the public key to verify the validity of the signature. See, e.g., [8] for formal definitions of authentication and signatures.
3 Simple Solutions

In this section we present two simple protocols, one with optimal communication complexity and another with optimal time complexity. In Section 4 we will generalize the ideas of these protocols, and present protocols that exhibit tradeoffs between time and communication. In all our protocols we metaphorically view each message as a bus. The protocols vary according to the number of buses in the system, and the way they travel in the communication graph.
3.1
We start with a solution with message complexity 1, i.e., in each time unit only one processor sends a message to one other processor. Using our metaphor, there is only one bus traveling in the system. We next define how the bus travels in the communication graph. First, fix any spanning tree in the graph. Next, use an Euler tour (that is, a DFS tour) of the spanning tree to define a ring. The bus is rotating through the ring, and has $n^2$ seats. Seat $s_{i,j}$ is used to communicate an encrypted message from processor $p_i$ to $p_j$; this message is encrypted either using the symmetric key of $p_i$ and $p_j$, or using the public key of $p_j$ (depending which encryption infra-structure exists). Each time the bus gets to processor $p_i$ it changes each message in the row of seats $s_{i,j}$ either to an encryption of a message it wants to send to $p_j$, or to some detectable garbage which is then encrypted for $p_j$. Furthermore, $p_i$ checks what messages were sent to it, by decrypting the $n$ messages located in the $i$-th column and ignoring the ones containing garbage.

By the semantic security of the encryption, a listening adversary cannot tell whether a seat contains garbage or a real message, i.e., it cannot tell if two processors are communicating. Next, we state the communication and time complexities of our solution. The communication complexity of this solution is optimal -- there is a single bus. However, the time complexity is quite bad: it can take at most $2n - 1$ time units until the bus reaches the sender, and at most $2n - 1$ additional time units until the bus reaches the destination. The buffer complexity of this protocol is $n^2$. We summarize the properties of this protocol below.

Theorem 3.1 There is an anonymous message delivery protocol with communication complexity 1, time complexity $O(n)$, and buffer complexity $O(n^2)$.
We emphasize again that since there is one bus, most of the time each processor is not involved in executing this protocol and does not need to store any information between two visits of the bus. Furthermore, by Theorem 5.2, the time complexity in any protocol with communication complexity 1 is $\Omega(n)$.
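The single-bus protocol of this section as a runnable sketch (an added example, not code from the paper): one bus with $n^2$ fixed-size seats circulates along the Euler tour, every processor re-encrypts its whole row on each visit, and the returned trace is what an observer of the links sees. Assumptions: `seal`/`unseal` are a hashlib stand-in for the semantically secure scheme and not a vetted cipher, pairwise symmetric keys are pre-shared, and the flag-byte garbage format, the `seen` duplicate filter (an internal tree node meets the bus several times per tour) and all names are illustrative choices.

```python
import hashlib, hmac, os

SEAT_PLAIN = 32  # fixed plaintext size per seat: flag byte, length byte, 30 payload bytes

def seal(key, plain):
    """Randomized encrypt-then-MAC; a stand-in for the semantically secure scheme."""
    nonce = os.urandom(16)
    stream = hashlib.sha256(b"enc" + key + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(plain, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Return the plaintext, or None when the MAC does not verify."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    stream = hashlib.sha256(b"enc" + key + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def pack(msg):
    """Real message -> flag 1; no message -> all-zero 'detectable garbage' (flag 0)."""
    if msg is None:
        return bytes(SEAT_PLAIN)
    assert len(msg) <= SEAT_PLAIN - 2
    return bytes([1, len(msg)]) + msg.ljust(SEAT_PLAIN - 2, b"\0")

def euler_tour(tree, root=0):
    """DFS tour of a spanning tree given as node -> neighbours; a ring of 2(n-1) hops."""
    tour = []
    def dfs(u, parent):
        tour.append(u)
        for v in tree[u]:
            if v != parent:
                dfs(v, u)
                tour.append(u)
    dfs(root, None)
    return tour[:-1]  # the final return to the root is the wrap-around of the ring

class Processor:
    def __init__(self, pid, n, keys):
        self.pid, self.n, self.keys = pid, n, keys
        self.outbox = {}    # destination -> message waiting for the bus
        self.inbox = []     # (sender, message) pairs delivered so far
        self.seen = set()   # seats already delivered, so a re-read is not a new message

    def visit(self, bus):
        i = self.pid
        for j in range(self.n):                      # read column i
            blob = bus[j][i]
            plain = unseal(self.keys[frozenset((i, j))], blob)
            if plain and plain[0] == 1 and blob not in self.seen:
                self.seen.add(blob)
                self.inbox.append((j, plain[2:2 + plain[1]]))
        for j in range(self.n):                      # rewrite row i, traffic or not
            msg = self.outbox.pop(j, None)
            bus[i][j] = seal(self.keys[frozenset((i, j))], pack(msg))

def simulate(tree, sends, hops):
    """Run the bus for `hops` hops; sends is a list of (sender, receiver, message)."""
    n = len(tree)
    keys = {frozenset((i, j)): os.urandom(32) for i in range(n) for j in range(i, n)}
    procs = [Processor(i, n, keys) for i in range(n)]
    for src, dst, msg in sends:
        procs[src].outbox[dst] = msg
    bus = [[seal(keys[frozenset((i, j))], pack(None)) for j in range(n)] for i in range(n)]
    tour, trace, delivered_at = euler_tour(tree), [], None
    for hop in range(hops):
        p = procs[tour[hop % len(tour)]]
        before = list(bus[p.pid])
        p.visit(bus)
        changed = sum(a != b for a, b in zip(before, bus[p.pid]))
        # Observer's view: who holds the bus, how many seats changed, seat sizes.
        trace.append((p.pid, changed, {len(s) for row in bus for s in row}))
        if delivered_at is None and sends and all(
                (s, m) in procs[d].inbox for s, d, m in sends):
            delivered_at = hop + 1
    return {"inbox": [p.inbox for p in procs], "trace": trace, "delivered_at": delivered_at}

if __name__ == "__main__":
    tree = {0: [1, 2], 1: [0, 3, 4], 2: [0], 3: [1], 4: [1]}   # constructed 5-node tree
    run = simulate(tree, [(3, 2, b"meet at noon")], 16)
    print(run["inbox"][2], "delivered after", run["delivered_at"], "hops")
```

Running it with and without traffic gives the same trace, which is the anonymity argument of this section in concrete form.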
3.1.1 Reducing the Number of Seats

In this section we present a protocol that reduces the number of seats in each bus assuming that not too many messages are sent simultaneously. We modify the above protocol where instead of assigning a seat for any source/destination pair, the sender writes its message in a randomly chosen seat (deleting the previous contents of the seat). However, the sender wants to hide the fact that it wrote a message in some seat/seats, thus it changes the contents of all the seats in the bus. To achieve this goal, the sender encrypts the message using the public keys, in reverse order, of all the processors in the Euler tour between the sender and receiver. When the bus gets to some processor, it replaces the contents of each seat by the decryption of the previous contents under its private key. Next, if any message makes sense, then the processor knows that this is a message sent to it, and it changes it to a random contents. Recall that we use a semantically-secure public-key encryption; such encryption scheme must be probabilistic, and the length of the nested encryption, that is, after the multiple encryptions, is $O(n)$. The sender appends dummy blocks to the encryption such that its length does not leak information on the intended receiver. For more details on semantically-secure encryption, see e.g., [7].
omplexity in the proto
ol is O(n) times the size of the bus. To determine the
size of the bus that may serve well under this poli
y we use the so-
alled birthday problem
(or birthday paradox). As an example, with probability 1=2 in a group of 23 random people
there will be two people with the same birthday. More generally,
2
Claim 3.2 Suppose $s$ balls are randomly and independently assigned to $r$ bins. The probability that all balls fall into distinct bins is $e^{-s(s-1)/2r}$.

Assume that we have an upper bound $s$ on the number of messages that will be sent anonymously. Thus, if we take the size of the bus to be $r = O(s^2)$ then the probability that two processors will randomly choose the same seat is less than $1/4$. If we take the size of the bus to be $r = O(ks^2)$, for some security parameter $k$, then the probability of a collision drops to $1 - e^{-1/k} \approx 1 - (1 - 1/k) = 1/k$.

Of course, if there is a collision then the first message gets lost. A possible way to overcome this problem is that the recipient sends an acknowledgment to the sender using the same seat. If the sender does not get the message, then the sender resends the message. The expected number of times that a message will be sent is less than 2 even if the number of seats is $r = O(s^2)$.
Theorem 3.3 Assume that there is some upper bound $s$ on the number of anonymous messages that are sent simultaneously. There is an anonymous message delivery protocol with communication complexity 1, expected time complexity $O(n)$, and buffer complexity $O(ns^2)$.
The above protocol enables to send an anonymous-sender message, that is, a message in which the sender keeps its anonymity from the receiver (simply by not mentioning the originator of a message). Now, if a sender $p$ sees that it resends a message many times, then $p$ can decide to double the size of the bus. However, $p$ does not want to reveal that it is trying to send a message, thus it can send an anonymous-sender message to another (random or fixed) processor to double the size of the bus. Similarly, a processor that receives acknowledgments for several messages in a row can send an anonymous message to reduce the size of the bus.
Another way to reduce the number of seats is to assume that each time the bus gets to $p_i$ it will send only one message. In this case, we can use a bus with only $n$ seats: Each processor has a single seat $s_i$ in the bus that can be used for sending a message to another processor in the ring. The message $M$ is encrypted by the sender in a way that ensures that only the receiver can decrypt $M$. That is, when the bus gets to a processor $p_j$ it tries to decrypt the messages in the $n - 1$ seats $s_i$, where $i \neq j$, and receives the messages that it can verify their authenticity.
2 Here
3.2
We next present a protocol with optimal time complexity, however with bad communication complexity. In this protocol two buses travel through every link -- a bus in each direction. The nodes transfer seats from one bus to another according to the shortest path criteria. A seat $s_{i,j}$ that arrives at a node $p$ is assigned to a bus that traverses the link attached to $p$ that is on a shortest path to $p_j$. The seats that are transferred use the routing information, and may be transferred together with the routing messages that are repeatedly exchanged. That is, the communication in this protocol is "swallowed" by the communication of the routing-update protocol.

As in the previous protocol all messages are encrypted using the key of the receiver before they are assigned to seats, and encrypted garbage messages are sent if there is no real message. Thus, anonymity is guaranteed. Next we state the communication and time complexities of this protocol. The communication complexity of this protocol is the number of buses, i.e., $2m$ (where $m$ is the number of edges in the graph). This protocol has optimal time for message arrival, which is the number of links in the shortest path between the receiver and sender. The buffer complexity of a node is the number of shortest paths that contain this node. This number can be small or big depending on the communication graph. For example, if the graph is a complete graph, each bus contains one seat, and the buffer complexity of a node is the number of its neighbors, i.e., $n - 1$, however, the number of buses is $O(n^2)$. The other extreme is a star, where the buffer complexity of the center is $O(n^2)$ and the number of buses is $O(n)$.
Theorem 3.4 There is an anonymous message delivery protocol with communication complexity $2m$ and buffer complexity at most $O(n^2)$. The time complexity between two nodes is the distance between the nodes in the communication graph.
to be any value in the range $1, \dots, n$ and is the maximum degree of a node in the tree. In this partition neighboring clusters are connected by a single link. The partition scheme that we will use is edge partition, that is, each edge is contained in exactly one cluster. In this case each cluster contains at least $x$ edges and no more than $3x$ edges, where, again, $x$ can be chosen to be any value in the range $1, \dots, n$. (In fact at most one cluster is of size $3x$ and all the rest are of at most $2x$.) Each cluster is a connected sub-graph of the spanning tree, i.e., it is a tree that contains $O(x)$ nodes. In this partition two neighboring clusters are connected by a single node.
We now roughly describe the edge partition scheme of [5]. A rooted spanning tree is constructed and each node $p$ is marked by $M_p$, the number of edges in its subtree. In each iteration a node with $M_p \ge x$, such that for all $p$'s children $q$ it holds that $M_q < x$, is chosen. Then a subset of the subtrees rooted at $p$'s children are selected such that the total number of the edges in these subtrees is greater than $x$ but not exceeding $2x$. These trees form a cluster, that is removed from the tree. Now, the numbers $M_p$ are recalculated for the remaining tree, and the scheme proceeds to the next iteration. Note that if the number of edges in the tree is less than $3x$ then it may not be possible to partition the last remaining tree into a cluster of $x$ to $2x$ edges. For example, a root with three outgoing edges for which the subtree rooted at each of them is of size exactly $x - 1$ cannot be partitioned as we require -- hence we allow the last cluster to include $3x$ edges.

Once the network is partitioned to clusters, we have one bus in each cluster which performs an Euler tour on the spanning tree of the cluster. There are at most $\lceil n/x \rceil$ clusters in the graph, thus the number of buses, i.e., the communication complexity, is no more than $\lceil n/x \rceil$. If a message is sent from a node in one cluster to a node in another cluster then this message should move from one bus to another until it reaches the cluster of the receiver. That is, when a bus reaches a node that is part of more than one cluster (recall that we use an edge partition), then seats are transferred from one bus to another. The bus in Cluster has a seat $s_{i,j}$ for every $p_i$ and $p_j$ such that the simple path connecting them in the spanning tree passes through an edge of Cluster . We next analyze the buffer complexity: For a given node and a given seat $s_{i,j}$, there can be at most two clusters containing the node such that the path from $p_i$ to $p_j$ in the spanning tree uses an edge from the cluster. Thus, the buffer size of each node is at most twice the number of simple paths in the tree passing through the node. This number is at most $O(n^2)$. Since the messages are encrypted using a semantically secure encryption, the anonymity is guaranteed.
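One way to compute an edge partition with the size bounds stated above, as an added example (it is not the algorithm of [5] itself and not code from the paper). Assumptions: the edge from $p$ to a selected child is counted with that child's subtree, children are selected greedily, cutting stops once fewer than $3x$ edges remain, and the tree has at least $x$ edges; the function names and the sample binary tree are constructed for illustration.

```python
from collections import defaultdict

def binary_tree(n):
    """Constructed sample input: complete binary tree on nodes 0..n-1 (node -> children)."""
    return {i: [c for c in (2 * i + 1, 2 * i + 2) if c < n] for i in range(n)}

def subtree_edges(kids, v):
    """All (parent, child) edges below v; the length of the result is M_v from the text."""
    edges, stack = [], [v]
    while stack:
        u = stack.pop()
        for c in kids.get(u, []):
            edges.append((u, c))
            stack.append(c)
    return edges

def edge_partition(children, root, x):
    """Split the tree's edges into connected clusters of x..2x-1 edges (the last one < 3x)."""
    kids = {u: list(cs) for u, cs in children.items()}   # working copy, pruned as we cut
    clusters = []
    while len(subtree_edges(kids, root)) >= 3 * x:
        p = root
        while True:  # walk down to a node with M_p >= x whose children all have M_q < x
            heavy = [q for q in kids[p] if len(subtree_edges(kids, q)) >= x]
            if not heavy:
                break
            p = heavy[0]
        cluster = []
        while len(cluster) < x:   # each child adds M_q + 1 <= x edges, so we stop below 2x
            q = kids[p].pop()
            cluster += [(p, q)] + subtree_edges(kids, q)
        clusters.append(cluster)
    clusters.append(subtree_edges(kids, root))   # the remainder stays below 3x edges
    return clusters

def is_connected(edges):
    """True when the edges of one cluster form a single connected subtree."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    start = edges[0][0]
    seen, stack = {start}, [start]
    while stack:
        for w in adj[stack.pop()] - seen:
            seen.add(w)
            stack.append(w)
    return len(seen) == len(adj)

def exchange_nodes(clusters):
    """Nodes lying in several clusters: the stations where seats move between buses."""
    where = defaultdict(set)
    for idx, cluster in enumerate(clusters):
        for u, v in cluster:
            where[u].add(idx)
            where[v].add(idx)
    return {node: ids for node, ids in where.items() if len(ids) > 1}

if __name__ == "__main__":
    tree = binary_tree(31)
    for x in (2, 4, 7):
        parts = edge_partition(tree, 0, x)
        print(f"x={x}: {len(parts)} buses, cluster sizes {[len(c) for c in parts]}, "
              f"exchange nodes {sorted(exchange_nodes(parts))}")
```

Larger $x$ gives fewer buses and longer tours per cluster, which is the time and communication tradeoff of this section.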
4.1 Bus Scheduling

We would like to minimize the time required for a message to arrive to its destination. To achieve this goal, buses in clusters with a common node, should reach the common node simultaneously in order to transfer seats. We show how to schedule the buses to satisfy this condition. Recall that we consider a synchronous setting, where the bus traverses an edge in a single time unit. Furthermore, we use the fact that clusters have similar sizes. Let us first consider an ideal case, where the clusters have identical size. In this case, we can start with an arbitrary cluster, schedule its bus, and whenever the bus reaches a node shared with another cluster, we start scheduling the bus of the neighboring cluster. Since we consider a spanning tree then there are no cycles and this scheduling is possible.
If the clusters have different number of nodes, we first schedule the bus in a cluster Cluster with the maximum number of edges $m_{\max}$. Recall that an Euler tour in this cluster will take $2m_{\max}$ time units. Then whenever the bus reaches a node that is part of other clusters, the buses of the other clusters are scheduled. It is possible that a neighboring cluster Cluster has $m' < m_{\max}$ nodes, in such a case the bus of Cluster will wait, $O(m_{\max} - m')$ time units, for the bus of Cluster , whenever it reaches the node that is common to Cluster and Cluster . The procedure continues in a fashion similar to the case of identical size clusters.

We next analyze the time complexity of this protocol. If the distance between node $p_i$ and node $p_j$ in the spanning tree is $d$, then the path can pass through at most $d$ clusters, and in each cluster it would take less than $2m_{\max}$ steps until the message would pass to the next cluster. Thus, the delivery time from $p_i$ to $p_j$ is $O(dx)$ (since $m_{\max} < 3x$, where $x$ is the parameter chosen in the edge partition scheme). In the worst case the message will pass through each edge of the spanning tree at most twice and the delivery time would be $O(n)$.

Theorem 4.1 For every $x$, where $1 \le x \le n$, there is an anonymous message delivery protocol with communication complexity $O(n/x)$, buffer complexity $O(n^2)$, and time complexity between two nodes is $O(\min(dx, n))$, where $d$ is the distance between the nodes in the spanning tree.
4.2
We can reduce the number of seats in a bus, i.e., reduce the buffer complexity. We use a bus with $O(n^2/x^2)$ seats, a seat $s_{k,\ell}$ for a message that should be transferred from the $k$'th cluster to the $\ell$'th cluster. In this case only one message can be sent at a time from a particular cluster to another cluster. It is possible that more than one processor in $\mathrm{Cluster}_k$ will try to transmit a message to $\mathrm{Cluster}_\ell$. We use a probabilistic approach, where each processor in $\mathrm{Cluster}_k$ that would like to send a message to $\mathrm{Cluster}_\ell$ uses a random function to decide whether to overwrite the seat $s_{k,\ell}$. To ensure that overwrites are not observed each message is changed at every node. To do so, every message is encrypted in a nested fashion, using all the keys of the processors in the route to the bus exchange node.
5 Lower Bounds

In this section we prove lower bounds on the time/communication tradeoffs. As a warm-up we start with the simple case where there is one bus traversing the communication tree according to some Euler tour. This tour, whose length is $O(n)$, traverses each leaf of the tree once and there are at least two leaves. Thus, for any two leaves $u$ and $v$ the distance between $u$ and $v$ or $v$ and $u$ in the tour is at least $n/2$, and it takes at least $n/2$ time units to send a message from $u$ to $v$ or from $v$ to $u$. The next lemma generalizes the above simple scenario. It considers a protocol where in each time step only one processor sends a message. The order of the processors sending the messages can be arbitrary, it may change in time, or even be randomized. In this case we consider a very long execution of the protocol, where processors exchange many messages. We measure the expected delivery time from $p_i$ to $p_j$, where the expectation is taken over the many times that $p_i$ sends a message to $p_j$.

Lemma 5.1 In any protocol with communication complexity 1, there are two nodes in the graph such that the expected delivery time from one node to the second is $\Omega(n)$.

Proof: A necessary condition for transmitting a message from a node $u$ to a node $v$ is that $u$ sends some message on one of its outgoing edges. In each time unit there is at most one node sending a message. For any $t$, consider the sequence of nodes that send messages in the first $t$ time units. (We do not assume anything about this sequence other than that it contains at most $t$ nodes.) There is at least one node $u$ that appears at most $t/n$ times in this sequence. In other words, the expected distance between two occurrences of $u$ in the sequence is $\Omega(n)$. Fix such $u$ and pick any node $v$. Assume that $u$ wants to send a message to $v$ one time unit after each time that it appears in the sequence. It takes $\Omega(n)$ time units for $u$ to send a message to $v$.

The above proof does not use the anonymity requirement of the delivery protocol, but only relies on the message complexity. There is one delicate issue that we should elaborate. By the assumptions on the order of sending message, this order might depend on the transmitting parties (if we use the anonymity requirement then this assumption might be reasonable). The simplest way to get rid of this problem is to fix a vertex $v$ in advance, and assume that each other vertex wants to transmit a message to $v$ one time unit after each time that it appears in the sequence.
Note that every protocol with communication complexity $c$ and time complexity $t$ can be transformed into a protocol with communication complexity 1 and time complexity $tc$ (since we consider a synchronous system). Thus,

Theorem 5.2 In any protocol with communication complexity $c$, there are two nodes in the graph such that the expected delivery time from one node to the second is $\Omega(n/c)$.

The above theorem implies that the tradeoff in Theorem 4.1 cannot be improved by a factor bigger than $O(d)$ where $d$ is the distance between the two nodes in the spanning tree. We next show that if we consider the "natural" partition of the complete binary tree into clusters described in Remark 4.2 then we obtain message complexity $n/x$ and time complexity $\Theta(x \log n/\log x)$. The upper-bound is shown in Remark 4.2. We next show that this upper bound is tight for this partition. To prove this claim consider an Euler tour in a complete binary tree with $x$ nodes starting from the root, and let $v$ be the first leaf visited in the tour. The distance in the tour between $v$ and the root is $\Omega(x)$. Now we consider the complete binary tree, and define a sequence of $\log n/\log x$ nodes $v_0, v_1, \dots, v_{\log n/\log x}$, where $v_0$ is the root of the tree, and $v_i$ is a leaf in the cluster of $v_{i-1}$ whose distance from $v_{i-1}$ in the Euler tour of the cluster is $\Omega(x)$. Thus, the delivery time of a message from $v_{\log n/\log x}$ to the root is $\Omega(x \log n/\log x)$ no matter how the buses are scheduled.
6 Extensions

In this section we show how simple modifications to the idea of the buses can cope with three extensions to the model. The first extension is anonymous multicast and broadcast, the second is when the topology of the communication graph is unknown, and the third is to a Byzantine adversary, that is, an adversary that can cause processors to behave maliciously.
6.1
In this section we discuss informally how to anonymously multicast and broadcast a message. Anonymous broadcast enables a sender to broadcast a message to all processors without revealing its identity. To enable anonymous broadcast the sender only needs to send an anonymous-sender message to some (fixed or randomized) receiver $p_j$, that is, a message in which the sender keeps its anonymity from the receiver. This message will simply say "broadcast message $M$ to all processors." Processor $p_j$ uses any (non-anonymous) broadcast protocol to broadcast $M$. The protocol of Theorem 3.3 enables anonymous-sender messages hence enables anonymous broadcast. Furthermore, in all our protocols where we allocate a seat $s_{i,j}$ for sending a message from $p_i$ to $p_j$ (e.g., the protocol of Theorem 3.1) we can add a seat $s_{\;,j}$ meaning that some anonymous processor wants to send a message to $p_j$, in this case the sender uses the nested encryption method described in Section 3.1.1 to hide the fact that it changes the content of a seat. If there are not too many anonymous broadcasts sent simultaneously and the sender selects a random $p_j$ then this solution is efficient.

Multicast enables a sender to send a message to some subset $D$ of processors. We consider three variants of anonymous multicast: (1) keeping the anonymity of the sender, (2) keeping the anonymity of the recipients, (3) keeping the anonymity of both the sender and the recipients. Anonymous-sender multicast reduces to sending an anonymous-sender message to a single processor in the multicast set saying "multicast message $M$ to the processors in $D$." Anonymous-recipients multicast reduces to independently sending the message $M$ anonymously to each processor in $D$. This can be done without any over-head in all our protocols where we allocate a seat $s_{i,j}$ for each pair of processors. Finally, anonymous-sender, anonymous-recipients multicast can be achieved by independently sending the message $M$ to each processor in $D$ using an anonymous-sender protocol.
6.2 Unknown Topology

We consider the scenario where the processors in the network do not know the topology of the network (for example, the network can change periodically). The solution we propose for this problem is to use a random walk on the communication graph. More precisely, there is one bus traversing the graph, and in each step the processor holding the bus chooses uniformly one of its neighbors, and sends the bus to the chosen neighbor. Aleliunas et al. [1] proved that the expected time of a random walk that visits all the nodes of an undirected graph with $n$ nodes and $m$ edges is $O(nm)$. Thus, the expected delivery time of a message using a random walk (in an unknown graph) is $O(nm)$. This bound on the delivery time is tight for some graphs, e.g., the so called lollipop graph. However, it is too pessimistic for some graphs, e.g., for a clique the expected delivery time is $O(n \log n)$ (and not $O(n^3)$).
Theorem 6.1 There is an anonymous message delivery protocol in a network whose topology is unknown with communication complexity 1, expected time complexity $O(nm)$, and buffer complexity $O(n^2)$.
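The gap between the lollipop graph and the clique can be observed by simulating the single random-walk bus of Section 6.2. The following is an added example, not code from the paper; the lollipop construction used here (a clique on 2n/3 nodes with a path of the remaining nodes attached), the function names and the trial count are assumptions of the example.

```python
import random

def clique(n):
    """Complete graph on n nodes as an adjacency list."""
    return {v: [u for u in range(n) if u != v] for v in range(n)}

def lollipop(n):
    """Clique on the first 2n/3 nodes with a path of the remaining nodes attached."""
    k = (2 * n) // 3
    adj = {v: [u for u in range(k) if u != v] for v in range(k)}
    for v in range(k, n):
        adj[v] = []
        adj[v - 1].append(v)
        adj[v].append(v - 1)
    return adj

def cover_time(adj, start, rng):
    """Steps until the bus, sent to a uniformly chosen neighbor each step, has visited every node."""
    seen, node, steps = {start}, start, 0
    while len(seen) < len(adj):
        node = rng.choice(adj[node])
        seen.add(node)
        steps += 1
    return steps

def mean_cover_time(adj, start=0, trials=200, seed=1):
    """Average cover time over independent walks, seeded so runs are repeatable."""
    rng = random.Random(seed)
    return sum(cover_time(adj, start, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    n = 30
    print("clique  :", mean_cover_time(clique(n)))
    print("lollipop:", mean_cover_time(lollipop(n)))
```

Starting the walk inside the clique part of the lollipop is the slow case: the bus must repeatedly find the single attachment node and then walk the whole path before falling back.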
6.3 Byzantine Adversary

We now turn to the case in which processors are Byzantine, that is, they may try to add/delete or change messages in a malicious way. First note that the communication graph must be $(t+1)$-connected in order to tolerate $t$ faults. Otherwise, there is a cut of $t$ or less Byzantine processors that can partition the graph into two isolated connected components. We therefore assume that the communication graph is $(t+1)$-connected, thus, by Menger's theorem, for every two nodes there are $t+1$ paths connecting them such that there is no internal node common to two of these paths. For every pair of processors we fix such $t+1$ disjoint paths. We describe a protocol in which there are two buses on each link, one in each direction. When $p_i$ wants to anonymously send a message to $p_j$, then $p_i$ authenticates this message using a private key common to $p_i$ and $p_j$. Processor $p_i$ sends the message over the $t+1$ fixed disjoint paths, therefore the message will reach the destination through at least one path with no Byzantine processor. This ensures that a Byzantine processor cannot generate/change a message originating from some sender in a way that is not identified by the receiver. Thus, the Byzantine processor can only drop messages. To achieve anonymity we use the mechanism of the full communication protocol described in Section 3.2. The number of seats in a bus equals the number of paths that use this link in the bus traveling direction. The time complexity from $p_i$ to $p_j$ in this protocol is the length of the longest path amongst the $t+1$ disjoint paths from $p_i$ to $p_j$. In the worst case this can be $n$. We summarize the properties of the above protocol below.
Theorem 6.2 Assume that the communication network is $(t+1)$-connected. There is an anonymous message delivery protocol against a Byzantine adversary that controls at most $t$ processors with communication complexity $2m$, time complexity $O(n)$, and buffer complexity $O(n^2)$.
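The integrity argument of Section 6.3 (authenticate once, send a copy over each of the $t+1$ fixed disjoint paths, accept any copy that verifies) is sketched below as an added example, not code from the paper. HMAC-SHA256 as the authentication scheme, the node numbering, the paths and the key are assumptions of the example, and the seat mechanism that provides anonymity is not modeled.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def internally_disjoint(paths):
    """True if all paths share endpoints and no internal node lies on two paths."""
    ends = {(p[0], p[-1]) for p in paths}
    internal = [v for p in paths for v in p[1:-1]]
    return len(ends) == 1 and len(internal) == len(set(internal))

def authenticate(key, message):
    """Sender side: append a MAC under the key shared by sender and receiver."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def relay(packet, path, byzantine):
    """Carry one copy along a path; byzantine maps node -> 'drop' or 'tamper'."""
    for node in path[1:-1]:
        action = byzantine.get(node)
        if action == "drop":
            return None
        if action == "tamper":
            packet = b"forged" + packet[6:]  # payload altered, tag cannot be recomputed
    return packet

def receive(key, copies):
    """Receiver side: return the first payload whose MAC verifies, else None."""
    for packet in copies:
        if packet is None or len(packet) < TAG_LEN:
            continue
        message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            return message
    return None

def deliver(key, message, paths, byzantine):
    """Send one authenticated copy over each fixed disjoint path and verify at the receiver."""
    if not internally_disjoint(paths):
        raise ValueError("paths must be internally node-disjoint")
    packet = authenticate(key, message)
    return receive(key, [relay(packet, p, byzantine) for p in paths])

# Constructed example: t = 2, so three fixed disjoint paths from processor 0 to processor 7.
PATHS = [[0, 1, 2, 7], [0, 3, 4, 7], [0, 5, 6, 7]]
KEY = b"constructed shared key for the pair (0, 7)"
```

With at most $t$ Byzantine processors at least one copy arrives intact; with more, the receiver may get nothing, but it never accepts an altered message.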
We next discuss how to reduce the number of buses. Given a communication graph that is at least $(t+1)$-connected, we will find a spanning sub-graph that is $(t+1)$-connected and contains fewer edges. Finding a $(t+1)$-connected spanning subgraph that has the minimum number of edges is NP-hard. However, there are good approximation algorithms for this problem. A recent result [4] describes an efficient algorithm that returns a graph whose number of edges is no more than $1 + 1/(t+2)$ times the optimal number of edges. In particular, the number of edges is no more than $(t+1)n$. This, however, might increase the delivery time since the length of the $t+1$ disjoint paths might be longer. We summarize the properties of the above protocol below.
Theorem 6.3 Assume that the communication network is $(t+1)$-connected. There is an anonymous message delivery protocol against a Byzantine adversary that controls at most $t$ processors with communication complexity $2(t+1)n$, time complexity $O(n)$, and buffer complexity $O(n^2)$.
References

[1] R. Aleliunas, R. M. Karp, R. J. Lipton, L. Lovasz, and C. Rackoff. Random walks, universal traversal sequences, and the complexity of maze problems. In Proc. of the 11th Annu. ACM Symp. on the Theory of Computing, pp. 218-223, 1979.
[2] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communication of the ACM, vol. 24, no. 2, pp. 84-88, 1981.
[3] D. Chaum. The dining cryptographers problem: unconditional sender and recipient untraceability. Journal of Cryptology, vol. 1, no. 1, pp. 65-75, 1988.
[4] J. Cheriyan and R. Thurimella. Approximating minimum-size k-connected spanning subgraphs via matching. SIAM J. on Computing, vol. 30, no. 2, pp. 528-560, 2000.
[5] S. Dolev, E. Kranakis, D. Krizanc, and D. Peleg. Bubbles: adaptive routing scheme for high-speed dynamic networks. SIAM J. on Computing, vol. 29, no. 3, pp. 804-833, 1999.
[6] S. Dolev and R. Ostrovsky. Xor-trees for efficient anonymous multicast and reception. ACM Transactions on Information and System Security, vol. 3, no. 2, pp. 63-84, 2000.