
Buses for Anonymous Message Delivery

Amos Beimel

Shlomi Dolev

Department of Computer Science


Ben-Gurion University of the Negev
Beer-Sheva 84105, Israel

{beimel,dolev}@cs.bgu.ac.il


April 11, 2002

Abstract
This work develops a novel approach to hide the senders and the receivers of messages. The intuition is taken from an everyday activity that hides the "communication pattern" – the public transportation system. To describe our protocols, busses are used as a metaphor: Busses, i.e., messages, are traveling on the network, each piece of information is allocated a seat within the bus. Routes are chosen and buses are scheduled to traverse these routes. Deterministic and randomized protocols are presented, the protocols differ in the number of buses in the system, the worst case traveling time, and the required buffer size in a "station." In particular, a protocol that is based on cluster partition of the network is presented; in this protocol there is one bus traversing each cluster. The clusters' size in the partition gives time and communication tradeoffs. One advantage of our protocols over previous works is that they are not based on statistical properties for the communication pattern. Another advantage is that they only require the processors in the communication network to be busy periodically.

Key Words. Anonymous communication, Privacy, Traffic analysis.

1 Introduction
Throughout history, encryption was used to hide the contents of transmitted data. The rapid growth in the use of the Internet only increased the necessity of encryption. However, encryption does not hide all the relevant information, for example, it does not hide the identity of the communicating parties. That is, it does not prevent traffic analysis. In this work we deal with the problem of anonymous communication – communication that does not disclose the identity of the sender and receiver.
A preliminary version of this paper was published in Proc. of the 2nd International Conference on FUN with Algorithms, pages 1–13, 2001.

We develop a novel approach to hide the senders and the receivers of messages. The intuition is taken from an everyday activity that hides the "communication pattern" – the public transportation system. For example, a traveler that takes buses from one place to another remains anonymous, and it is hard to trace him. Metaphorically, we consider the pieces of information that senders send to receivers as passengers. There are "buses," i.e., messages, traveling on the network, and each piece of information is allocated a seat within a bus. The sender and receiver are modeled as bus stations. Our aim is to simulate this metaphor in the digital world while keeping the anonymity of the sender and receiver. In most of our protocols we also hide the information that a message is sent, that is, hide the number of passengers on each bus.
Previous work. One of the first works to consider the problem of hiding the communication pattern in the network is the work of Chaum [2] where the concept of a mix is introduced. A single processor in the network, called a mix, serves as a relay. Each processor p that wants to send a message M to a processor q encrypts M using q's public key to obtain $M'$. Then p encrypts the pair $(M', q)$ using the public key of the mix. The mix decrypts the message and forwards $M'$ to q. This scheme has been extended in [10, 11, 13, 14] where several mixes are used to cope with the possibility of compromising the single mix. For example, in the onion routing system [14] a proxy defines a route for a message through the routing network by wrapping the message with a layered data-structure called an onion; the onion is passed through the routers as specified by the onion, each router which receives an onion peels off its layer, identifies the next hop in the route, and sends the peeled onion to the next router. The mix schemes operate under some statistical assumption on the pattern of communication. If a single message is sent then an adversary that monitors the communication channels can observe the sender and the receiver of the particular message. Another example for a problematic case is when all the processors send a message to the same destination – in this case the identity of the receiver is revealed. A discussion on other mix-like systems can be found in [14].

An approach based on "xor-trees" has been presented in [6]. The scheme presented in [6] fits long communication sessions during which the data exclusive-ored with pseudo-random bits (that cancel each other) is transferred towards the root which in turn broadcasts the arriving information to the nodes in the tree. The solution presented in [6] is an extension of the DC-net approach suggested in [3].

Our contribution. We present deterministic and randomized protocols for anonymous message delivery based on the buses metaphor. The protocols differ in the number of buses in the system, the worst case traveling time, and the required buffer size in a "station." Our first solution uses a single bus that traverses an Euler tour. The traveling time in this protocol is O(n). Our second solution is a full communication solution for which two buses traverse each link in opposite directions. The traveling time in this protocol is the distance between the sender and receiver, that is, the protocol achieves optimal time. Our third solution is based on cluster partition of the network; in this protocol there is one bus traversing each cluster. The clusters' size in the partition gives time and communication tradeoffs.

Our solutions do not rely on statistical properties for the communication pattern. In our solution, unlike the solution presented in [6], the processors in the communication network are busy in the transmission only periodically. That is, a processor is busy only when a bus arrives at the processor. Moreover, there is no need to store information (such as the result of xoring arriving bits) in memory between bus arrivals; thus, our protocols are more suitable for fault tolerant environments. For example, the scheme may be a base for a robust anonymous message delivery by retransmitting a new bus upon a time-out.

Let us note two additional important properties of our scheme. First note that in our protocols the buses traverse the network in fixed routes and fixed schedule, thus the adversary cannot learn whether there is any communication between the processors or not. In addition, our scheme can cope with an adversary that monitors any number of processors.

We also extend the scheme to cope with three extensions of the model: (1) protocols that enable anonymous broadcast and multicast, (2) protocols which work even if the topology of the network is unknown, and (3) protocols which tolerate Byzantine processors.
Organization. The rest of the paper is organized as follows. The problem statement appears in Section 2. Two simple solutions that achieve minimum communication and minimum time, respectively, are presented in Section 3. A solution that introduces a tradeoff between time and communication is presented in Section 4. Lower bounds on the possible tradeoffs between time and communication are proved in Section 5. Solutions which cope with extensions of the model appear in Section 6.

2 The System and Threat Models


We consider a network of n processors, denoted $p_1, \ldots, p_n$, connected by m communication links. We use the communication graph $G(V, E)$ to represent our network, V is the set of processors and E is the set of communication links connecting the processors (that is $n = |V|$ and $m = |E|$). We assume that G is connected. Processors communicate by sending and receiving messages. The system is synchronous – there is a common global pulse (possibly implemented by synchronized distributed clocks) that triggers (whenever the clock reaches an integer value) the processors to send messages; messages sent in a certain pulse arrive at the neighboring processor before the next pulse.

Some processor $p_i$, called sender, may decide to communicate with another (not necessarily neighboring) processor $p_j$, called receiver. Informally, our objective is to hide the fact that $p_i$ communicates with $p_j$. That is, we want to hide the identities of $p_i$ and $p_j$. See below for a formal definition. Furthermore, some of our protocols even hide the fact that a message was sent. A protocol that achieves these goals is called an anonymous message delivery protocol. We note that the vast majority of known cryptographic techniques focus on hiding the contents of the transmitted data, but not the fact that data has been transmitted.
We consider two types of adversaries: listening adversary and Byzantine adversary. The listening adversary can monitor all the communication links and also monitor the internal contents of some processors in the network. The adversary is non-adaptive: Before the execution of the protocol the adversary chooses a set of processors $C \subseteq \{p_1, \ldots, p_n\}$ (we do not limit the size of the set). Later a pair of parties (or some pairs) execute the anonymous message delivery protocol. At the end of the executions the adversary should not know if $p_i$ sent a message to $p_j$ for every $p_i, p_j \notin C$. This adversary is honest-but-curious, i.e., it cannot change any messages, delete messages, add any messages, or change the state of any processor. We next formally define anonymous message delivery protocols. For this definition, we recall the definition of indistinguishable distributions [9, 16].

Definition 2.1 (Indistinguishability) Two sequences of probability distributions, $\{V_k\}_{k=1}^{\infty}$ and $\{W_k\}_{k=1}^{\infty}$, are polynomial-time indistinguishable if for every probabilistic polynomial-time Turing Machine M, every integer $c \ge 1$ and for every sufficiently large k,

$$\left| \Pr_{v \in V_k}\left[ M(v, 1^k) = 1 \right] - \Pr_{w \in W_k}\left[ M(w, 1^k) = 1 \right] \right| \le \frac{1}{k^c}.$$

The protocols we define have a security parameter k which measures the length of the keys in the cryptographic primitives they use (see Section 2.1 for description of these primitives). Roughly speaking, the requirement is that a Turing Machine that runs in time polynomial in k cannot know who are the sender and receiver. The view of the listening adversary controlling a set C of processors after an execution of a message delivery protocol in which $p_i$ sends a message to $p_j$ is denoted by the random variable $\mathrm{VIEW}_k(i, j)$ where k is the security parameter. This view contains all messages exchanged in the network and the local information known to processors in C, i.e., the random inputs they used during the execution, the state of the processors, and the secret keys they know.

Definition 2.2 We say that the protocol is an anonymous message delivery protocol if:
Correctness. If $p_i$ sends a message M to $p_j$ then $p_j$ receives the message.
Anonymity. For every $C \subseteq \{p_1, \ldots, p_n\}$ and every $i_1, i_2, j_1, j_2 \notin C$ the sequences of random variables $\{\mathrm{VIEW}_k(i_1, j_1)\}_{k=1}^{\infty}$ and $\{\mathrm{VIEW}_k(i_2, j_2)\}_{k=1}^{\infty}$ are indistinguishable.

The Byzantine adversary is more powerful than the listening adversary. Like the listening adversary, the Byzantine adversary can monitor the communication links and the internal contents of the processors of the network. In addition, for some parameter t, it can control up to t processors in the network. These processors can insert messages, delete messages, or arbitrarily change messages that they receive (before forwarding the messages). That is, these processors can deviate from the pre-defined protocol. Again we assume that the adversary is non-adaptive. We do not give a formal definition of an anonymous message delivery protocol in the presence of a Byzantine adversary since it is quite complicated. The definition is similar to the definition of secure function evaluation in the presence of a Byzantine (malicious) adversary.
We evaluate a protocol by its time complexity, its communication complexity, and its buffer complexity: the time complexity is the worst case time required to transmit a message from a sender to a receiver, the communication complexity is the maximal number of messages that are sent simultaneously by the processors in the network (however, these messages can be long), and the buffer complexity is the buffer size required for each processor to store incoming and outgoing messages in each time step. In our protocols the buffer complexity is the number of seats in the buses that arrive simultaneously to a processor.

1 If the adversary monitors the internal contents of the sender or the receiver, then it can identify the sender and the receiver.
2.1 Cryptographic Primitives

The first cryptographic primitive that we use is encryption which guarantees the secrecy of messages. That is, a sender can send an encrypted message such that only the intended recipient can decrypt it. We will require semantic security – the encryption is randomized and an eavesdropper cannot distinguish in polynomial time between encryptions of any pair of messages. See, e.g., [7] for formal definitions. We consider two types of encryption:
Symmetric key encryption. Both sender and receiver have a common secret key, which is used for both encryption and decryption.
Public key encryption. The receiver has a secret private key which it uses for decryption. Furthermore, the receiver publishes a public key which is used for encryption by any sender; an eavesdropper cannot distinguish between encryptions of messages even if it has the public key.
Typical symmetric key encryption schemes are faster than public key encryption schemes; however they require every pair of processors in the network to have a common secret key.
Authentication. The second cryptographic primitive that we use is authentication which guarantees that if a sender sends a message to a receiver and a third party alters this message, then with high probability the receiver can detect this fact. Again we can consider two types: (1) symmetric key authentication in which the sender uses the common key to authenticate a message and the receiver uses the common key to verify the authenticity of the message, and (2) public key authentication, known as signatures, in which the sender uses its private key to sign a message and the receiver uses the public key to verify the validity of the signature. See, e.g., [8] for formal definitions of authentication and signatures.

3 Simple Solutions
In this section we present two simple protocols, one with optimal communication complexity and another with optimal time complexity. In Section 4 we will generalize the ideas of these protocols, and present protocols that exhibit tradeoffs between time and communication. In all our protocols we metaphorically view each message as a bus. The protocols vary according to the number of buses in the system, and the way they travel in the communication graph.

3.1 Communication Optimal Protocol

We start with a solution with message complexity 1, i.e., in each time unit only one processor sends a message to one other processor. Using our metaphor, there is only one bus traveling in the system. We next define how the bus travels in the communication graph. First, fix any spanning tree in the graph. Next, use an Euler tour (that is, a DFS tour) of the spanning tree to define a ring. The bus is rotating through the ring, and has $n^2$ seats. Seat $s_{i,j}$ is used to communicate an encrypted message from processor $p_i$ to $p_j$; this message is encrypted either using the symmetric key of $p_i$ and $p_j$, or using the public key of $p_j$ (depending which encryption infra-structure exists). Each time the bus gets to processor $p_i$ it changes each message in the row of seats $s_{i,j}$ either to an encryption of a message it wants to send to $p_j$, or to some detectable garbage which is then encrypted for $p_j$. Furthermore, $p_i$ checks what messages were sent to it, by decrypting the n messages located in the i-th column and ignoring the ones containing garbage.

By the semantic security of the encryption, a listening adversary cannot tell whether a seat contains garbage or a real message, i.e., it cannot tell if two processors are communicating. Next, we state the communication and time complexities of our solution. The communication complexity of this solution is optimal – there is a single bus. However, the time complexity is quite bad: it can take at most $2n - 1$ time units until the bus reaches the sender, and at most $2n - 1$ additional time units until the bus reaches the destination. The buffer complexity of this protocol is $n^2$. We summarize the properties of this protocol below.

Theorem 3.1 There is an anonymous message delivery protocol with communication complexity 1, time complexity O(n), and buffer complexity $O(n^2)$.

We emphasize again that since there is one bus, most of the time each processor is not involved in executing this protocol and does not need to store any information between two visits of the bus. Furthermore, by Theorem 5.2, the time complexity in any protocol with communication complexity 1 is $\Omega(n)$.
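The single-bus protocol of this section, as an added Python simulation that is not code from the paper: it builds the Euler-tour ring, carries an n x n seat matrix, and records what a listening adversary sees on the wire with and without real traffic. Assumptions of this sketch: pairwise symmetric keys, a SHAKE-256/HMAC construction standing in for a semantically secure cipher (illustration only), each processor acting at one fixed stop per lap of the tour, and the sample graph `ADJ`, which is constructed.

```python
import hashlib, hmac, os

SEAT = 32  # plaintext bytes per seat; every sealed seat is SEAT + 32 bytes

def seal(key, msg=None):
    """Randomized fixed-length encryption; msg=None is 'detectable garbage'."""
    if msg is not None and len(msg) > SEAT - 2:
        raise ValueError("message does not fit in one seat")
    body = b"\x00" if msg is None else b"\x01" + bytes([len(msg)]) + msg
    body = body.ljust(SEAT, b"\x00")
    nonce = os.urandom(16)                       # fresh randomness per seat
    stream = hashlib.shake_256(key + nonce).digest(SEAT)
    ct = bytes(a ^ b for a, b in zip(body, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unseal(key, blob):
    """Return the message, or None for garbage or a failed integrity check."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        return None
    stream = hashlib.shake_256(key + nonce).digest(SEAT)
    body = bytes(a ^ b for a, b in zip(ct, stream))
    return body[2:2 + body[1]] if body[0] == 1 else None

def euler_tour(adj, root=0):
    """DFS tour of a spanning tree of adj, as a ring of 2(n-1) stops."""
    seen, tour = {root}, []
    def dfs(u):
        tour.append(u)
        for v in adj[u]:
            if v not in seen:
                seen.add(v)
                dfs(v)
                tour.append(u)
    dfs(root)
    return tour[:-1]        # the final return to the root closes the ring

def run(adj, outbox, laps=2):
    """outbox: {sender: {receiver: bytes}}. Returns (deliveries, wire view)."""
    n = len(adj)
    keys = {(i, j): os.urandom(32) for i in range(n) for j in range(i, n)}
    key = lambda i, j: keys[min(i, j), max(i, j)]
    tour = euler_tour(adj)
    home = {p: tour.index(p) for p in range(n)}  # the stop where p acts
    bus = [[seal(key(i, j)) for j in range(n)] for i in range(n)]
    queue = {s: dict(m) for s, m in outbox.items()}
    delivered, wire = [], []
    for step in range(laps * len(tour)):
        p = tour[step % len(tour)]
        before = [row[:] for row in bus]
        if step % len(tour) == home[p]:
            for j in range(n):                   # read column p
                if j != p:
                    m = unseal(key(j, p), bus[j][p])
                    if m is not None:
                        delivered.append((step, j, p, m))
            pending = queue.pop(p, {})           # rewrite the whole row p
            bus[p] = [seal(key(p, j), pending.get(j)) for j in range(n)]
        changed = frozenset((i, j) for i in range(n) for j in range(n)
                            if bus[i][j] != before[i][j])
        size = sum(len(seat) for row in bus for seat in row)
        wire.append((p, changed, size))          # what an eavesdropper learns
    return delivered, wire

# Constructed 4-processor network (adjacency lists), not from the paper.
ADJ = {0: [1, 2], 1: [0, 3], 2: [0], 3: [1]}

if __name__ == "__main__":
    got, busy = run(ADJ, {3: {2: b"meet at noon"}})
    _, idle = run(ADJ, {})
    print(got)
    print("wire view identical with and without traffic:", busy == idle)
```

The wire view records, per hop, which seats changed and the total bus size; it is the same whether or not a message is in transit, which is the property the paragraph on semantic security relies on.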
3.1.1 Reducing the Number of Seats

In this section we present a protocol that reduces the number of seats in each bus assuming that not too many messages are sent simultaneously. We modify the above protocol where instead of assigning a seat for any source/destination pair, the sender writes its message in a randomly chosen seat (deleting the previous contents of the seat). However, the sender wants to hide the fact that it wrote a message in some seat/seats, thus it changes the contents of all the seats in the bus. To achieve this goal, the sender encrypts the message using the public keys, in reverse order, of all the processors in the Euler tour between the sender and receiver. When the bus gets to some processor, it replaces the contents of each seat by the decryption of the previous contents under its private key. Next, if any message makes sense, then the processor knows that this is a message sent to it, and it changes it to a random contents. Recall that we use a semantically-secure public-key encryption; such encryption scheme must be probabilistic, and the length of the nested encryption, that is, after the multiple encryptions, is O(n). The sender appends dummy blocks to the encryption such that its length does not leak information on the intended receiver. For more details on semantically-secure encryption, see e.g., [7].
The buffer complexity in the protocol is O(n) times the size of the bus. To determine the size of the bus that may serve well under this policy we use the so-called birthday problem (or birthday paradox). As an example, with probability 1/2 in a group of 23 random people there will be two people with the same birthday. More generally,

Claim 3.2 Suppose s balls are randomly and independently assigned to r bins. The probability that all balls fall into distinct bins is $\approx e^{-s(s-1)/2r}$.

Assume that we have an upper bound s on the number of messages that will be sent anonymously. Thus, if we take the size of the bus to be $r = O(s^2)$ then the probability that two processors will randomly choose the same seat is less than 1/4. If we take the size of the bus to be $r = O(ks^2)$, for some security parameter k, then the probability of a collision drops to $1 - e^{-1/k} \approx 1 - (1 - 1/k) = 1/k$.

Of course, if there is a collision then the first message gets lost. A possible way to overcome this problem is that the recipient sends an acknowledgment to the sender using the same seat. If the sender does not get the message, then the sender resends the message. The expected number of times that a message will be sent is less than 2 even if the number of seats is $r = O(s^2)$.

Theorem 3.3 Assume that there is some upper bound s on the number of anonymous messages that are sent simultaneously. There is an anonymous message delivery protocol with communication complexity 1, expected time complexity O(n), and buffer complexity $O(ns^2)$.

The above protocol enables sending an anonymous-sender message, that is, a message in which the sender keeps its anonymity from the receiver (simply by not mentioning the originator of a message). Now, if a sender $p_i$ sees that it resends a message many times, then $p_i$ can decide to double the size of the bus. However, $p_i$ does not want to reveal that it is trying to send a message, thus it can send an anonymous-sender message to another (random or fixed) processor to double the size of the bus. Similarly, a processor that receives acknowledgments for several messages in a row can send an anonymous message to reduce the size of the bus.

Another way to reduce the number of seats is to assume that each time the bus gets to $p_i$ it will send only one message. In this case, we can use a bus with only n seats: Each processor has a single seat $s_i$ in the bus that can be used for sending a message to another processor in the ring. The message M is encrypted by the sender in a way that ensures that only the receiver can decrypt M. That is, when the bus gets to a processor $p_j$ it tries to decrypt the messages in the $n - 1$ seats $s_i$, where $i \ne j$, and receives the messages whose authenticity it can verify.

2 Here we ignore the security parameter.
3 The disadvantage of this protocol is that when a sender does not get the acknowledgment then it knows that someone else is also sending messages.
4 Alternatively, if $p_i$ has more than one processor with whom it wants to communicate, then it will use a buffer to store these messages; this will increase the delivery time to $O(n^2)$.

3.2 Full Communication – Time Optimal Protocol

We next present a protocol with optimal time complexity, however with bad communication complexity. In this protocol two buses travel through every link – a bus in each direction. The nodes transfer seats from one bus to another according to the shortest path criteria. A seat $s_{i,j}$ that arrives at a node $p$ is assigned to a bus that traverses the link attached to $p$ that is on a shortest path to $p_j$. The seats that are transferred use the routing information, and may be transferred together with the routing messages that are repeatedly exchanged. That is, the communication in this protocol is "swallowed" by the communication of the routing-update protocol.

As in the previous protocol all messages are encrypted using the key of the receiver before they are assigned to seats, and encrypted garbage messages are sent if there is no real message. Thus, anonymity is guaranteed. Next we state the communication and time complexities of this protocol. The communication complexity of this protocol is the number of buses, i.e., 2m (where m is the number of edges in the graph). This protocol has optimal time for message arrival, which is the number of links in the shortest path between the receiver and sender. The buffer complexity of a node is the number of shortest paths that contain this node. This number can be small or big depending on the communication graph. For example, if the graph is a complete graph, each bus contains one seat, and the buffer complexity of a node is the number of its neighbors, i.e., $n - 1$, however, the number of buses is $O(n^2)$. The other extreme is a star, where the buffer complexity of the center is $O(n^2)$ and the number of buses is O(n).

Theorem 3.4 There is an anonymous message delivery protocol with communication complexity 2m and buffer complexity at most $O(n^2)$. The time complexity between two nodes is the distance between the nodes in the communication graph.

4 Time and Communication Tradeoff


In this section we will examine more sophisticated protocols that can be tuned up to trade time and communication. The first observation is that the full communication protocol presented in Section 3.2 already presents tradeoffs between time and communication: the protocol can use any connected spanning sub-graph of the communication graph with two buses on each edge of the subgraph. This reduces the communication complexity but might increase the time complexity since the distance between two nodes in the sub-graph might be bigger. To obtain the minimum number of buses, the protocol uses a spanning tree; in this case the communication complexity is O(n).

We next present protocols which reduce the number of buses to less than n. In these protocols we divide the graph into clusters and construct bus routes within each cluster. For concreteness, we choose specific partitions to clusters that are based on [5], however similar partitions can be used as well (see the related work in [5]).
The partition scheme of [5] uses a spanning tree of the communication graph, and partitions its nodes and edges to clusters. One way to partition the tree is a node partition which results in clusters with at least x nodes and no more than $\Delta x$ nodes, where x can be chosen to be any value in the range $1, \ldots, n$ and $\Delta$ is the maximum degree of a node in the tree. In this partition neighboring clusters are connected by a single link. The partition scheme that we will use is edge partition, that is, each edge is contained in exactly one cluster. In this case each cluster contains at least x edges and no more than 3x edges, where, again, x can be chosen to be any value in the range $1, \ldots, n$. (In fact at most one cluster is of size 3x and all the rest are of at most 2x.) Each cluster is a connected sub-graph of the spanning tree, i.e., it is a tree that contains O(x) nodes. In this partition two neighboring clusters are connected by a single node.
We now roughly describe the edge partition scheme of [5]. A rooted spanning tree is constructed and each node p is marked by $M_p$, the number of edges in its subtree. In each iteration a node p with $M_p \ge x$, such that for all p's children q it holds that $M_q < x$, is chosen. Then a subset of the subtrees rooted at p's children are selected such that the total number of the edges in these subtrees is greater than x but not exceeding 2x. These trees form a cluster, that is removed from the tree. Now, the numbers $M_p$ are recalculated for the remaining tree, and the scheme proceeds to the next iteration. Note that if the number of edges in the tree is less than 3x then it may not be possible to partition the last remaining tree into a cluster of x to 2x edges. For example, a root with three outgoing edges for which the subtree rooted at each of them is of size exactly $x - 1$ cannot be partitioned as we require – hence we allow the last cluster to include 3x edges.
Once the network is partitioned to clusters, we have one bus in each cluster which performs an Euler tour on the spanning tree of the cluster. There are at most $\lceil n/x \rceil$ clusters in the graph, thus the number of buses, i.e., the communication complexity, is no more than $\lceil n/x \rceil$. If a message is sent from a node in one cluster to a node in another cluster then this message should move from one bus to another until it reaches the cluster of the receiver. That is, when a bus reaches a node that is part of more than one cluster (recall that we use an edge partition), then seats are transferred from one bus to another. The bus in Cluster has a seat $s_{i,j}$ for every $p_i$ and $p_j$ such that the simple path connecting them in the spanning tree passes through an edge of Cluster . We next analyze the buffer complexity: For a given node and a given seat $s_{i,j}$, there can be at most two clusters containing the node such that the path from $p_i$ to $p_j$ in the spanning tree uses an edge from the cluster. Thus, the buffer size of each node is at most twice the number of simple paths in the tree passing through the node. This number is at most $O(n^2)$. Since the messages are encrypted using a semantically secure encryption, the anonymity is guaranteed.
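An edge partition with the size bounds quoted above, as an added Python sketch that is not code from the paper and not the algorithm of [5]: it is a simplified bottom-up greedy variant in which every cluster is a connected subtree with at least x and fewer than 3x edges (provided the tree has at least x edges), followed by the resulting bus count and longest Euler tour. The function names and the sample tree are assumptions made here.

```python
def edge_partition(children, root, x):
    """Split the edges of a rooted tree into connected clusters.

    children: {node: [child, ...]}; edges are (parent, child) pairs.
    A cluster is cut at node p as soon as the edges collected below p
    reach x, so a cut cluster has between x and 2x - 1 edges.
    """
    clusters = []                      # (top node, list of edges)

    def visit(p):
        group = []                     # edges below p not yet in a cluster
        for q in children.get(p, []):
            group += [(p, q)] + visit(q)
            if len(group) >= x:
                clusters.append((p, group))
                group = []
        return group                   # fewer than x edges, passed upward

    rest = visit(root)                 # leftover edges hanging off the root
    if rest and clusters:
        # Merge the leftover into a cluster that shares a node with it;
        # that cluster then has fewer than 3x edges.
        touched = {root} | {v for edge in rest for v in edge}
        for top, edges in clusters:
            if top in touched:
                edges.extend(rest)
                break
    elif rest:
        clusters.append((root, rest))  # whole tree is smaller than x
    return [frozenset(edges) for _, edges in clusters]

def bus_plan(children, root, x):
    """One bus per cluster; a bus needs 2 * (edges in cluster) hops per tour."""
    clusters = edge_partition(children, root, x)
    return len(clusters), max(2 * len(c) for c in clusters)

def complete_binary_tree(height):
    """Constructed sample input: nodes 0 .. 2^(height+1) - 2, root 0."""
    return {i: [2 * i + 1, 2 * i + 2] for i in range(2 ** height - 1)}

if __name__ == "__main__":
    tree = complete_binary_tree(3)     # 15 nodes, 14 edges
    for x in (1, 2, 4):
        buses, longest = bus_plan(tree, 0, x)
        print(f"x={x}: {buses} buses, longest tour {longest} hops")
```

On the height-3 binary tree with x = 2 this yields seven two-edge clusters, one per internal node; larger x gives fewer buses with longer tours.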

4.1 Bus Scheduling

We would like to minimize the time required for a message to arrive to its destination. To achieve this goal, buses in clusters with a common node should reach the common node simultaneously in order to transfer seats. We show how to schedule the buses to satisfy this condition. Recall that we consider a synchronous setting, where the bus traverses an edge in a single time unit. Furthermore, we use the fact that clusters have similar sizes. Let us first consider an ideal case, where the clusters have identical size. In this case, we can start with an arbitrary cluster, schedule its bus, and whenever the bus reaches a node shared with another cluster, we start scheduling the bus of the neighboring cluster. Since we consider a spanning tree then there are no cycles and this scheduling is possible.
If the clusters have different number of nodes, we first schedule the bus in a cluster Cluster with the maximum number of edges $m_{\max}$. Recall that an Euler tour in this cluster will take $2m_{\max}$ time units. Then whenever the bus reaches a node that is part of other clusters, the buses of the other clusters are scheduled. It is possible that a neighboring cluster Cluster has $m' < m_{\max}$ nodes, in such a case the bus of Cluster will wait, $O(m_{\max} - m')$ time units, for the bus of Cluster , whenever it reaches the node that is common to Cluster and Cluster . The procedure continues in a fashion similar to the case of identical size clusters.
We next analyze the time complexity of this protocol. If the distance between node $p_i$ and node $p_j$ in the spanning tree is d, then the path can pass through at most d clusters, and in each cluster it would take less than $2m_{\max}$ steps until the message would pass to the next cluster. Thus, the delivery time from $p_i$ to $p_j$ is O(dx) (since $m_{\max} < 3x$, where x is the parameter chosen in the edge partition scheme). In the worst case the message will pass through each edge of the spanning tree at most twice and the delivery time would be O(n).
Theorem 4.1 For every x, where $1 \le x \le n$, there is an anonymous message delivery protocol with communication complexity O(n/x), buffer complexity $O(n^2)$, and time complexity between two nodes is O(min(dx, n)), where d is the distance between the nodes in the spanning tree.

Example 4.2 Consider a complete binary tree with a "natural" partition into clusters. More precisely, consider a complete binary tree whose height is $\ell a$ for some parameters $\ell$ and a, and its number of nodes is $n = 2^{\ell a + 1} - 1$. We partition the tree into clusters of size $x \stackrel{\mathrm{def}}{=} 2^{a+1} - 1$ where each cluster is a complete binary tree of depth a. The distance d between two nodes in this case is at most $2 \log n$. However, the upper-bound of Theorem 4.1 is too pessimistic for this case. Observe that any simple path in the tree passes through at most $2 \log n / \log x$ clusters, thus the delivery time is $O(x \log n / \log x)$ and the message complexity is $(n - 1)/(x - 1)$. See example in Figure 1.

Figure 1: A tree of height 3 partitioned into 7 clusters of height a = 1.

4.2 Reducing the Number of Seats

We can reduce the number of seats in a bus, i.e., reduce the buffer complexity. We use a bus with $O(n^2/x^2)$ seats, a seat $s_{k,\ell}$ for a message that should be transferred from the k'th cluster to the $\ell$'th cluster. In this case only one message can be sent at a time from a particular cluster to another cluster. It is possible that more than one processor in $\mathrm{Cluster}_k$ will try to transmit a message to $\mathrm{Cluster}_\ell$. We use a probabilistic approach, where each processor in $\mathrm{Cluster}_k$ that would like to send a message to $\mathrm{Cluster}_\ell$ uses a random function to decide whether to overwrite the seat $s_{k,\ell}$. To ensure that overwrites are not observed each message is changed at every node. To do so, every message is encrypted in a nested fashion, using all the keys of the processors in the route to the bus exchange node.

5 Lower Bounds
In this section we prove lower bounds on the time/communication tradeoffs. As a warm-up we start with the simple case where there is one bus traversing the communication tree according to some Euler tour. This tour, whose length is O(n), traverses each leaf of the tree once and there are at least two leaves. Thus, for any two leaves u and v the distance between u and v or v and u in the tour is at least n/2, and it takes at least n/2 time units to send a message from u to v or from v to u. The next lemma generalizes the above simple scenario. It considers a protocol where in each time step only one processor sends a message. The order of the processors sending the messages can be arbitrary, it may change in time, or even be randomized. In this case we consider a very long execution of the protocol, where processors exchange many messages. We measure the expected delivery time from $p_i$ to $p_j$, where the expectation is taken over the many times that $p_i$ sends a message to $p_j$.
Lemma 5.1 In any proto ol with ommuni ation omplexity 1, there are two nodes in the
graph su h that the expe ted delivery time from one node to the se ond is
(n).
Proof: A ne essary ondition for transmitting a message from a node u to a node v is that
u sends some message on one of its outgoing edges. In ea h time unit there is at most one
node sending a message. For any t, onsider the sequen e of nodes that send messages in
the rst t time units. (We do not assume anything about this sequen e other than that it
ontains at most t nodes.) There is at least one node u that appears at most t=n times in this
sequen e. In other words, the expe ted distan e from two o urren es of u in the sequen e
is
(n). Fix su h u and pi k any node v. Assume that u wants to send a message to v one
time unit after ea h time that it appears in the sequen e. It takes
(n) time units for u to
send a message to v.
The above proof does not use the anonymity requirement of the delivery proto ol, but only
relies on the message omplexity. There is one deli ate issue that we should elaborate. By the
assumptions on the order of sending message, this order might depend on the transmitting
parties (if we use the anonymity requirement then this assumption might be reasonable).
The simplest way to get rid of this problem is to x a vertex v in advan ed, and assume
that ea h other vertex wants to transmit a message to v one time unit after ea h time that
it appears in the sequen e.
i

11

Note that every protocol with communication complexity $c$ and time complexity $t$ can be
transformed into a protocol with communication complexity 1 and time complexity $ct$ (since
we consider a synchronous system). Thus,
Theorem 5.2 In any protocol with communication complexity $c$, there are two nodes in the
graph such that the expected delivery time from one node to the second is $\Omega(n/c)$.

The above theorem implies that the tradeoff in Theorem 4.1 cannot be improved by
a factor bigger than $O(d)$ where $d$ is the distance between the two nodes in the spanning
tree. We next show that if we consider the "natural" partition of the complete binary tree
into clusters described in Remark 4.2 then we obtain message complexity $n/x$ and time
complexity $\Theta(x \log n/\log x)$. The upper bound is shown in Remark 4.2. We next show that
this upper bound is tight for this partition. To prove this claim consider an Euler tour in a
complete binary tree with $x$ nodes starting from the root, and let $v$ be the first leaf visited
in the tour. The distance in the tour between $v$ and the root is $\Omega(x)$. Now we consider the
complete binary tree, and define a sequence of $\log n/\log x$ nodes $v_0, v_1, \ldots, v_{\log n/\log x}$, where
$v_0$ is the root of the tree, and $v_i$ is a leaf in the cluster of $v_{i-1}$ whose distance from $v_{i-1}$ in
the Euler tour of the cluster is $\Omega(x)$. Thus, the delivery time of a message from $v_{\log n/\log x}$ to
the root is $\Omega(x \log n/\log x)$ no matter how the buses are scheduled.

6 Extensions
In this section we show how simple modifications to the idea of the buses can cope with
three extensions to the model. The first extension is anonymous multicast and broadcast,
the second is when the topology of the communication graph is unknown, and the third is to
a Byzantine adversary, that is, an adversary that can cause processors to behave maliciously.

6.1 Anonymous Multicast and Broadcast

In this section we discuss informally how to anonymously multicast and broadcast a message.
Anonymous broadcast enables a sender to broadcast a message to all processors without
revealing its identity. To enable anonymous broadcast the sender only needs to send an
anonymous-sender message to some (fixed or randomized) receiver $p_j$, that is, a message
in which the sender keeps its anonymity from the receiver. This message will simply say
"broadcast message M to all processors." Processor $p_j$ uses any (non-anonymous) broadcast
protocol to broadcast M. The protocol of Theorem 3.3 enables anonymous-sender messages,
hence enables anonymous broadcast. Furthermore, in all our protocols where we allocate a
seat $s_{i,j}$ for sending a message from $p_i$ to $p_j$ (e.g., the protocol of Theorem 3.1) we can add
a seat $s_{\;,j}$ meaning that some anonymous processor wants to send a message to $p_j$; in this
case the sender uses the nested encryption method described in Section 3.1.1 to hide the fact
that it changes the content of a seat. If there are not too many anonymous broadcasts sent
simultaneously and the sender selects a random $p_j$ then this solution is efficient.
Multicast enables a sender to send a message to some subset D of processors. We consider
three variants of anonymous multicast: (1) keeping the anonymity of the sender, (2) keeping
the anonymity of the recipients, (3) keeping the anonymity of both the sender and the
recipients. Anonymous-sender multicast reduces to sending an anonymous-sender message
to a single processor in the multicast set saying "multicast message M to the processors
in D." Anonymous-recipients multicast reduces to independently sending the message M
anonymously to each processor in D. This can be done without any overhead in all our
protocols where we allocate a seat $s_{i,j}$ for each pair of processors. Finally, anonymous-sender,
anonymous-recipients multicast can be achieved by independently sending the message M
to each processor in D using an anonymous-sender protocol.

6.2 Unknown Topology

We consider the scenario where the processors in the network do not know the topology of
the network (for example, the network can change periodically). The solution we propose
for this problem is to use a random walk on the communication graph. More precisely,
there is one bus traversing the graph, and in each step the processor holding the bus chooses
uniformly one of its neighbors, and sends the bus to the chosen neighbor. Aleliunas et al. [1]
proved that the expected time of a random walk that visits all the nodes of an undirected
graph with $n$ nodes and $m$ edges is $O(nm)$. Thus, the expected delivery time of a message
using a random walk (in an unknown graph) is $O(nm)$. This bound on the delivery time is
tight for some graphs, e.g., the so-called lollipop graph. However, it is too pessimistic for
some graphs, e.g., for a clique the expected delivery time is $O(n \log n)$ (and not $O(n^3)$).

Theorem 6.1 There is an anonymous message delivery protocol in a network whose topology
is unknown with communication complexity 1, expected time complexity $O(nm)$, and buffer
complexity $O(n^2)$.
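The gap between the clique and the lollipop graph can be observed by simulating the random-walk bus. The following is an added example, not code from the paper; the graph constructors, the 15-node size and the seeded trial count are assumptions chosen here for illustration.

```python
import random

def clique(n):
    """Complete graph on n nodes as an adjacency list."""
    return {u: [v for v in range(n) if v != u] for u in range(n)}

def lollipop(n):
    """Clique on the first 2n/3 nodes with a path of the remaining nodes attached."""
    k = (2 * n) // 3
    g = {u: [v for v in range(k) if v != u] for u in range(k)}
    for u in range(k, n):              # path: (k-1) - k - (k+1) - ... - (n-1)
        g[u] = [u - 1]
        g[u - 1].append(u)
    return g

def edge_count(graph):
    """Number m of undirected edges."""
    return sum(len(nbrs) for nbrs in graph.values()) // 2

def bus_cover_time(graph, start, rng):
    """Steps until a bus, forwarded each step to a uniformly chosen
    neighbour, has visited every node (so every seat could be delivered)."""
    seen, node, steps = {start}, start, 0
    while len(seen) < len(graph):
        node = rng.choice(graph[node])
        seen.add(node)
        steps += 1
    return steps

def mean_cover_time(graph, trials=300, seed=1):
    """Average cover time over seeded trials, bus starting at node 0."""
    rng = random.Random(seed)
    return sum(bus_cover_time(graph, 0, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    n = 15
    for name, g in (("clique", clique(n)), ("lollipop", lollipop(n))):
        m = edge_count(g)
        print(f"{name:9s} m={m:3d}  n*m={n * m:5d}  "
              f"mean cover time={mean_cover_time(g):.1f}")
```

The clique has more than twice as many edges as the lollipop graph here, yet its bus covers the network far sooner, which is the sense in which $O(nm)$ is pessimistic for some graphs.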
6.3 Byzantine Adversary

We now turn to the case in which processors are Byzantine, that is, they may try to
add/delete or change messages in a malicious way. First note that the communication graph
must be $t + 1$ connected in order to tolerate $t$ faults. Otherwise, there is a cut of $t$ or fewer
Byzantine processors that can partition the graph into two isolated connected components.
We therefore assume that the communication graph is $t + 1$ connected, thus, by Menger's
theorem, for every two nodes there are $t + 1$ paths connecting them such that there is no
internal node common to two of these paths. For every pair of processors we fix such $t + 1$
disjoint paths. We describe a protocol in which there are two buses on each link, one in each
direction. When $p_i$ wants to anonymously send a message to $p_j$, then $p_i$ authenticates this
message using a private key common to $p_i$ and $p_j$. Processor $p_i$ sends the message over the
$t + 1$ fixed disjoint paths, therefore the message will reach the destination through at least
one path with no Byzantine processor. This ensures that a Byzantine processor cannot
generate/change a message originating from some sender in a way that is not identified by
the receiver. Thus, the Byzantine processor can only drop messages. To achieve anonymity
we use the mechanism of the full communication protocol described in Section 3.2. The
number of seats in a bus equals the number of paths that use this link in the bus traveling
direction. The time complexity from $p_i$ to $p_j$ in this protocol is the length of the longest
path amongst the $t + 1$ disjoint paths from $p_i$ to $p_j$. In the worst case this can be $n$. We
summarize the properties of the above protocol below.
Theorem 6.2 Assume that the communication network is $t + 1$ connected. There is an
anonymous message delivery protocol against a Byzantine adversary that controls at most $t$
processors with communication complexity $2m$, time complexity $O(n)$, and buffer complexity
$O(n^2)$.
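The authentication-over-disjoint-paths step can be sketched as follows. This is an added example, not code from the paper: the node names, the three fixed paths and the use of HMAC-SHA256 as the shared-key authentication are assumptions, and the bus and seat mechanism that provides anonymity is not modelled.

```python
import hashlib
import hmac

def tag(key, msg):
    """Authentication tag under the key shared by sender and receiver
    (HMAC-SHA256 is an assumption; the paper does not name a scheme)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def forward(path, packet, byzantine):
    """Carry a packet along one path; a Byzantine internal node may
    drop it or alter the message, but it does not hold the key."""
    for node in path[1:-1]:
        action = byzantine.get(node)
        if action == "drop":
            return None
        if action == "tamper":
            msg, t = packet
            packet = (b"forged:" + msg, t)   # tag no longer matches
    return packet

def send(paths, key, msg, byzantine):
    """Sender: authenticate once, put one copy on each of the t+1 paths."""
    packet = (msg, tag(key, msg))
    return [forward(p, packet, byzantine) for p in paths]

def receive(copies, key):
    """Receiver: accept the first copy whose tag verifies, else None."""
    for copy in copies:
        if copy is not None and hmac.compare_digest(tag(key, copy[0]), copy[1]):
            return copy[0]
    return None

def internally_disjoint(paths):
    """True if no internal node appears on two of the paths."""
    internal = [n for p in paths for n in p[1:-1]]
    return len(internal) == len(set(internal))

def worst_case_hops(paths):
    """Length of the longest of the fixed paths (the time bound above)."""
    return max(len(p) - 1 for p in paths)

# Constructed sample: t = 2, so three internally disjoint paths p1 -> p9.
PATHS = [["p1", "p2", "p3", "p9"],
         ["p1", "p4", "p9"],
         ["p1", "p5", "p6", "p7", "p9"]]
KEY = b"constructed key shared by p1 and p9"

if __name__ == "__main__":
    faulty = {"p2": "tamper", "p4": "drop"}      # t = 2 Byzantine nodes
    print(receive(send(PATHS, KEY, b"hello", faulty), KEY))
```

With at most $t$ faulty internal nodes at least one copy verifies; with more, the receiver can lose the message but never accepts an altered one.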

We next discuss how to reduce the number of buses. Given a communication graph that is
at least $t + 1$ connected, we will find a spanning subgraph that is $t + 1$ connected and contains
fewer edges. Finding a $(t + 1)$-connected spanning subgraph that has the minimum number
of edges is NP-hard. However, there are good approximation algorithms for this problem. A
recent result [4] describes an efficient algorithm that returns a graph whose number of edges
is no more than $1 + 1/(t + 2)$ times the optimal number of edges. In particular, the number
of edges is no more than $(t + 1)n$. This, however, might increase the delivery time since the
$t + 1$ disjoint paths might be longer. We summarize the properties of the above
protocol below.
Theorem 6.3 Assume that the communication network is $t + 1$ connected. There is an
anonymous message delivery protocol against a Byzantine adversary that controls at most
$t$ processors with communication complexity $2(t + 1)n$, time complexity $O(n)$, and buffer
complexity $O(n^2)$.

References
[1] R. Aleliunas, R. M. Karp, R. J. Lipton, L. Lovász, and C. Rackoff. Random walks, universal traversal sequences, and the complexity of maze problems. In Proc. of the 11th Annu. ACM Symp. on the Theory of Computing, pp. 218–223, 1979.
[2] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
[3] D. Chaum. The dining cryptographers problem: unconditional sender and recipient untraceability. Journal of Cryptology, vol. 1, no. 1, pp. 65–75, 1988.
[4] J. Cheriyan and R. Thurimella. Approximating minimum-size k-connected spanning subgraphs via matching. SIAM J. on Computing, vol. 30, no. 2, pp. 528–560, 2000.
[5] S. Dolev, E. Kranakis, D. Krizanc, and D. Peleg. Bubbles: adaptive routing scheme for high-speed dynamic networks. SIAM J. on Computing, vol. 29, no. 3, pp. 804–833, 1999.
[6] S. Dolev and R. Ostrovsky. Xor-trees for efficient anonymous multicast and reception. ACM Transactions on Information and System Security, vol. 3, no. 2, pp. 63–84, 2000.
[7] O. Goldreich. Fragments on a chapter on Encryption Schemes. Extracts from Foundations of Cryptography vol. 2 (in preparation). 2001. Available from http://www.wisdom.weizmann.ac.il/~oded/foc-vol2.html.
[8] O. Goldreich. Fragments on a chapter on Digital Signature and Message Authentication. Extracts from Foundations of Cryptography vol. 2 (in preparation). 2001. Available from http://www.wisdom.weizmann.ac.il/~oded/foc-vol2.html.
[9] S. Goldwasser and S. Micali. Probabilistic encryption. J. of Computer and System Sciences, vol. 28, no. 21, pp. 270–299, 1984.
[10] A. Pfitzmann. How to implement ISDNs without user observability – some remarks. TR 14/85, Fakultät für Informatik, Universität Karlsruhe, 1985.
[11] A. Pfitzmann, B. Pfitzmann, and M. Waidner. ISDN-MIXes – Untraceable communication with very small bandwidth overhead. In Proc. Kommunikation in verteilten Systemen, pp. 451–463, 1991.
[12] T. Rabin and M. Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority. In Proc. of the 21st ACM Symp. on the Theory of Computing, pp. 73–85, 1989.
[13] C. Rackoff and D. Simon. Cryptographic defense against traffic analysis. In Proc. of the 25th Annu. ACM Symp. on the Theory of Computing, pp. 672–681, 1993.
[14] M. G. Reed, P. F. Syverson, and D. M. Goldschlag. Anonymous Connections and Onion Routing. IEEE Journal on Selected Areas in Communication, vol. 16, no. 4, pp. 482–494, 1998.
[15] M. Waidner and B. Pfitzmann. The dining cryptographers in the disco: unconditional sender and recipient untraceability with computationally secure serviceability. In Advances in Cryptology – EUROCRYPT 89, vol. 434 of LNCS, pp. 690, Springer-Verlag, 1990.
[16] A. C. Yao. Protocols for secure computations. In Proc. of the 23rd Annu. IEEE Symp. on Foundations of Computer Science, pp. 160–164, 1982.
