

3.3 Subgraph Construction Phase

3.3.9 Practical Issues in Implementation

Besides the performance analysis of a suggested protocol, practical issues in implementation—estimating overhead cost, guessing the system parameters that were assumed to be given in the analysis, and so on—are another important topic to investigate. For onion routing, many researchers have studied practical issues to improve the protocol (e.g., improving the efficiency and simplicity of the Tor system [62]). In this section, we investigate some important practical issues for the implementation of our proposed protocol:

1) To design a P2P anonymous system, we start with choosing N, l, d, and p. Among them, we first focus on the compromising probability p. If the optimal subgraph selection varied with the adversarial presence, we would need to guesstimate the adversarial probability p precisely. However, from the simulations, we observe that the optimal subgraph selection is robust enough to provide good performance across different p's. Suppose that we consider the case N = 1000 and subgraph size n = 72, for which we decide to pick l = 18 and d = 4. This subgraph shape is optimal for p ∈ [0.08, 0.5]. For p ∈ [0, 0.08), this subgraph shape is suboptimal, but the performance loss (entropy difference) from the optimal shape is negligible (far less than 1%). In the region of very small p < 0.1, the conditional entropies are all large enough to make the entropies insensitive to the choice of subgraph shape. This is also the case for other N and n, which is supported by extensive simulations. In conclusion, if we choose an optimal shape for a "not too small" compromising probability (e.g., p ∈ [0.1, 0.4]) using Conjecture 3.1, then it will work well for any compromising probability p ∈ [0, 0.5].

Figure 3.16: Hybrid scheme with one crypto node. [Plots of source-sink pair anonymity H(S,T|A) / log2(N(N−1)) versus l (with d = 72/l), Rectangle NW, 72 among 1000 nodes. (a) One crypto node at 3l/4 with p = 0.2; curves: Hybrid (3l/4), Non-PKI. (b) One crypto node at l/2 or l/3 with p = 0.4; curves: Hybrid (l/2), Hybrid (l/3), Non-PKI.] The performance gain is non-trivial for "long" subgraphs and with high adversarial probability p. For high adversarial probability, the hybrid scheme can also provide robustness against different choices of subgraph shape.

Figure 3.17: Hybrid scheme with two crypto nodes. [Same axes and network as Figure 3.16. (a) Two crypto nodes at l/4 and 2l/3 with p = 0.2; curves: (1/4, 2/3), No crypto. (b) Two crypto nodes at l/4, 2l/3 or at l/4, l/2 with p = 0.4; curves: (1/4, 2/3), (1/4, 1/2), No crypto.] The performance behavior is similar to the case of one crypto node. The additional performance gain beyond the one-crypto-node case is marginal.

2) We also consider the effect of the system size N. To construct a subgraph, the source should know all the nodes out of which it is going to build the subgraph. The question of interest is how many nodes would need to be in the network to provide anonymity. The number of nodes necessary in the system depends on the target entropy. Once the entropy threshold is given, we can choose N. However, too large an N makes the protocol impractical, since the source would need to know the IP addresses of all N nodes. To resolve this problem, we take advantage of structured approaches to building a scalable P2P system, as used in AP3 [56]. In structured P2P overlays [70, 75], every node is assigned a unique identifier called a nodeID.

To ensure uniqueness, the identifiers are drawn from a large and sparse space. Also, the system generates random keys, each of which is dynamically mapped to a node in the network. Multiple keys can be mapped to one node, but the number of keys mapped to each node is statistically balanced. As in AP3 [56], the source picks nodes from the network as follows: first, the source chooses a random key K from the ID space. Then, it sends a lookup request to the nodes closest to K and selects the node closest to K among the nodes that respond to the lookup request. By repeating this procedure, the source constructs a subgraph from the large overlay network efficiently, without having to know every node.
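The AP3-style selection procedure above, written out as an added example that is not code from the thesis or from AP3 itself: the 32-bit ID space, the ring-distance closeness metric, contacting the three closest nodes per lookup, and the online/offline responder set are all assumptions made here, and the overlay and keys are constructed at random.

```python
import random

ID_BITS = 32                 # assumed size of the sparse nodeID/key space
ID_SPACE = 1 << ID_BITS

def ring_distance(a, b):
    """Circular distance on the ID ring (assumed closeness metric for 'closest to K')."""
    diff = abs(a - b) % ID_SPACE
    return min(diff, ID_SPACE - diff)

def make_overlay(n_nodes, seed):
    """Constructed overlay: n_nodes unique random nodeIDs drawn from the ID space."""
    rng = random.Random(seed)
    ids = set()
    while len(ids) < n_nodes:
        ids.add(rng.getrandbits(ID_BITS))
    return sorted(ids)

def lookup(overlay, key, responders, k=3):
    """Simulated DHT lookup: contact the k nodes closest to `key`; only online nodes
    (those in `responders`) answer. Return the closest responder, or None if none did."""
    nearest = sorted(overlay, key=lambda nid: ring_distance(nid, key))[:k]
    alive = [nid for nid in nearest if nid in responders]
    return min(alive, key=lambda nid: ring_distance(nid, key), default=None)

def build_subgraph(overlay, l, d, seed, responders=None):
    """Selection procedure from the text: draw a random key K, take the node closest to K
    among the responders, repeat until l*d distinct nodes are found, then lay them out as
    l layers of d. The source never needs the full list of N addresses."""
    responders = set(overlay) if responders is None else set(responders)
    if l * d > len(responders):
        raise ValueError("not enough online nodes for an l x d subgraph")
    rng = random.Random(seed)
    chosen, seen = [], set()
    while len(chosen) < l * d:
        key = rng.getrandbits(ID_BITS)
        node = lookup(overlay, key, responders)
        if node is None or node in seen:      # no answer or duplicate: draw a fresh K
            continue
        seen.add(node)
        chosen.append(node)
    return [chosen[i * d:(i + 1) * d] for i in range(l)]

def subgraph_is_valid(layers, overlay, l, d):
    """Shape (l layers of d), distinctness and membership checks on a built subgraph."""
    nodes = [n for layer in layers for n in layer]
    return (len(layers) == l and all(len(layer) == d for layer in layers)
            and len(set(nodes)) == l * d and set(nodes) <= set(overlay))

if __name__ == "__main__":
    overlay = make_overlay(1000, seed=1)                    # N = 1000 as in the text
    layers = build_subgraph(overlay, l=18, d=4, seed=2)     # n = 72 = 18 x 4
    print(subgraph_is_valid(layers, overlay, 18, 4), layers[0])
```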

3) As shown in Section 3.3.7, the overhead cost of our protocol to set up a subgraph has exponential complexity. Since the dominant term is $d^{l+1}q$, reducing the subgraph length can significantly improve the overhead. To reduce the subgraph length, we suggest a "hybrid" scheme that takes advantage of PKI in our protocol design. The basic idea is that PKI is costly in distribution and management, so we try to minimize its use. Accordingly, in the hybrid scheme, not all participating nodes but only a few nodes share a public key with the source. Suppose that there is one node v in the j-th layer that shares a public key with the source. If node v is located in the downstream network of a vertex-cut, then the adversaries cannot obtain all information about the downstream network as before.

Instead, since they cannot decode v's message content without knowing v's private key, they can identify only the messages of nodes up to the j-th layer (except v) and the identities of all nodes up to the (j+1)-th layer. Since a vertex-cut can be equally located over all layers, placing node v in layer l/2 is most effective in limiting the adversaries' knowledge. Therefore, if there is at least one node in layer l/2 sharing a public key with the source, the hybrid scheme improves the performance. In other words, for a given anonymity requirement, a smaller subgraph is sufficient to meet the requirement.