SQRT: A Secure Querying Scheme of Routing Table Based on Oblivious Transfer

Abstract

The user equipment and directory server stay in the state of asymmetric information in anonymous networks, so that it is hard to coordinate information leakage prevention and information sharing when we explore the routing addressing technology. The severe security risk faced by existing anonymous networks, such as Tor and I2P, is the leakage of privacy information of routing nodes. This paper tries to resolve this problem and proposes a novel secure querying scheme of the routing table (SQRT) based on oblivious transfer, which can effectively ensure that both user equipment and directory server faithfully follow the routing querying protocol and protect the privacy information of both parties to the greatest extent. The SQRT scheme can realize that the directory server cannot only send the required routing nodes to the user equipment, but can also ensure that the directory server cannot know the exact routing nodes received by the user equipment and protect the information of other routing nodes in the directory server from disclosure. Security analysis shows that in the scenario where the directory server and user equipment are semi-honest, respectively, the SQRT scheme can ensure the privacy of both directory server and user equipment. The experimental simulation results show that compared with existing schemes, the SQRT scheme has obvious performance advantages in terms of the degree of anonymity, protocol running time, and communication traffic.

1. Introduction

Anonymous networks refer to hiding the users’ privacy information such as the network address of communication entities and the communication relationship between entities in the transmission traffic through certain methods, so that attackers cannot directly know or speculate on the communication relationship between the two parties or the identity information or location information of the communication entity [1,2]. Therefore, the security of routing information is an important factor in ensuring anonymous network security. In the onion routing (TOR) networks, some secure and reliable servers are set as directory servers (DSs), which can provide anonymous routing information to describe the current state of routing nodes. The user equipment (UE) can request and download the address information of routing nodes through HTTPS [3].

In anonymous networks, the identity and address information of routing nodes need to be properly protected from being identified by attackers. As shown in Figure 1a, the UE in TOR networks queries the DS for the routing node (RN) list [4], and the DS returns n qualified routing nodes to the UE. The UE randomly selects m routing nodes from the n nodes to build a multi-hop transmission path in which m, n ∈ N⁺, and m ≤ n. As shown in Figure 1b, in the invisible Internet Project (I2P) networks, the UE queries the network database (NetDb) for routing information. NetDb stores and searches the routing information in n floodfill nodes through the Kad algorithm [5]. NetDb returns the RouterInfo and LeaseSet to the UE, and the UE establishes an outbound tunnel for the user equipment to send data according to the routing information. The outbound tunnel is from the gateway to the endpoint, and the LeaseSet contains the gateway of the recipient’s inbound tunnel [6]. After receiving the data, the endpoint of outbound tunnel forwards the data to the gateway of the recipient’s inbound tunnel. This routing scheme is also called the garlic routing [7]. The problem with the above two query schemes of the routing table is that the DS or NetDb knows the range of routing nodes that can be selected by the UE; at the same time, the UE also knows the information of other routing nodes in the DS and NetDb other than the routing nodes selected by itself. Take TOR networks as an example: according to the RN request of the UE, the DS feeds back n routing nodes meeting the requirements of the UE. The UE accordingly selects m routing nodes from the n routing nodes, with the result that the address information of n–m routing nodes in the DS are leaked to the UE.

Oblivious transfer (OT) is an important branch of cryptography research. It helps data owners provide data retrieval and data calculation based on their own data, while not disclosing their own data information to ensure that the data are available and invisible [8,9]. This paper proposes a secure querying scheme of the routing table (SQRT) based on oblivious transfer. This scheme makes sure that the user equipment only obtains the routing node information fed back to the user equipment in the directory server without knowing the information of other routing nodes from the routing table in the directory server. The directory server knows neither the specific requirements of the routing nodes submitted by the user equipment nor which part of the node information is fed back to the user equipment so as to achieve a good effect of routing table data privacy protection.

At present, there are some oblivious transfer schemes that can be applied to the malicious model. The BLAZE scheme presented in [10] tries to combine the semi-honest model with a consistency test to check the consistency by comparing the hash value of the share in the input stage with that in the output stage, which might lead to high communication traffic of oblivious transfer expansion. A multi-party secret sharing scheme, TRIDENT is designed in [11], where the share of the product and its hash value is generated among multiple participants in the online stage and sent to other parties to check the consistency, which leads to a linear relationship between the storage overhead and the number of participants. In [12], a route selection scheme based on connectivity, delay, and trust (CDT) is proposed to help user equipment obtain good connectivity–delay–trust performance and prevent potential attacks from malicious routing nodes. However, if the user equipment is a malicious attacker trying to detect the network topology, the above scheme cannot guarantee the anonymity of the routing nodes, and the malicious attacker can sniff the identity and location information of all the routing nodes. In [13], a secure route optimization scheme based on decentralized identifiers (DIDs) is provided to defense against denial-of-service attacks at the routing layer. There is a defect in the secure routing scheme where the directory server masters each routing node through which the user equipment information transmission path passes. Therefore, it is obviously not applicable to the honest but curious model of the directory server. Based on the analysis of the schemes proposed in latest literature, the authors provide

Table 1. The technical advantages and disadvantages of existing schemes.

References	Schemes	Advantages	Disadvantages
[4]	The Onion Routing	Anonymous Routing	Sniffer Attack
[7]	The Galicia Routing	Anonymous Routing	Sniffer Attack
[10]	BLAZE	Consistency Protection	High communication overhead
[11]	TRIDENT	Consistency Protection	High communication overhead
[12]	CDT	Anti-malicious routing nodes	Sniffer Attack
[13]	DID	Anti-DoS attack	Transmission Route Leakage
Our Paper	SQRT	Bilateral Anonymity	N/A

, which demonstrates the technical advantages and disadvantages of some current routing querying protocol schemes. A qualitative analysis shows the innovation and contribution of the SQRT scheme in the paper.

The remainder of this paper is organized as follows: Section 2 describes the system model of secure query of the routing table in anonymous networks; Section 3 presents the N_k-out-of-N_k + ∆ oblivious transfer protocol and its application in the secure query of the routing table; Section 4 analyzes the security of SQRT scheme; Section 5 provides the simulation environment, the numerical results, and some discussions, and Section 6 concludes this paper.

2. System Model

The system model of secure query of the routing table in anonymous networks is shown in Figure 2. The workflow of the SQRT scheme proposed in this paper includes three steps. Firstly, a user equipment UE_k generates a routing node query request. Secondly, the directory server stores and updates the status information of the routing nodes. Lastly, the directory server queries the status information of the routing nodes.

2.1. User Equipment Generates Routing Node Query Request

The user equipment UE_k first generates a routing node query request and represents the required routing node requirements as an m-dimensional vector as ${\mathit{q}}_{\mathit{i}}^{\mathit{k}}=(q_1^k,q_2^k,\dots ,q_m^k)$, where i = 1, 2, …, m, k = 1, 2, …, l, and the number of user equipment in the network is l. $q_1^k$ represents the first constraint on the routing nodes of the user equipment UE_k, for example, the network bandwidth of the requesting routing node BW_j = 10 Mbps, j = 1, 2, …, n. $q_2^k$ represents the second constraint of the routing nodes, for example, the online time of the requesting routing node is T_j ≥ 12 h. $q_3^k$ represents the third constraint of the routing nodes, for example, the number of requested routing nodes N_k = 3, k = 1, 2, …, l. The user equipment UE_k blinds ${\mathit{q}}_{\mathit{i}}^{\mathit{k}}$ with w × m-dimensional matrix B_k, ${\mathit{B}}_{\mathit{k}}=\left[\begin{array}{ccc}{b}_{11}& \cdots & b_{1m}\\ ⋮& \ddots & ⋮\\ b_{w1}& \cdots & b_{wm}\end{array}\right]$,

where ${\displaystyle \sum _{a=1}^w{s}_a}\cdot b_{ai}=1$, and b_ai is the selection bit, b_ai ∈ {0,1}, i = 1, 2, …, m. The user equipment UE_k generates the w × m-dimensional matrix:

$${\mathit{M}}_{\mathit{k}}= {\mathit{B}}_{\mathit{k}}·{\mathit{q}}_{\mathit{i}}^{\mathit{k}}=\left[\begin{array}{ccc}{b}_{11}\cdot q_1^k& \cdots & b_{1m}\cdot q_m^k\\ ⋮& \ddots & ⋮\\ b_{w1}\cdot q_1^k& \cdots & b_{wm}\cdot q_m^k\end{array}\right]$$

(1)

The public and private keys of the user equipment UE_k are (sk, pk), and N_k + ∆ random public keys pk_t, t = 1, …, and N_k + ∆ are sampled from the public key space, where ∆ is the increasing redundancy due to the N_k routing nodes required by the user equipment UE_k. The security of the SQRT scheme assumes that there is a public key encryption scheme [14], where N_k + ∆ random public keys are sampled without obtaining the corresponding private keys, and the semi-honest attack model is used to secure the scheme [15]. The DS can only see the N_k + ∆ public keys sent by the user equipment UE_k and cannot predict the corresponding private key, which public key UE_k has.

The user equipment UE_k sends a routing node query request to the DS, including the blinded M_k and pk_t, where t = 1, …, N_k + ∆.

2.2. The Directory Server Stores and Updates the Status Information of the Routing Nodes

The DS dynamically collects the status information of routing nodes through the network heartbeat mechanism [16,17]. The DS regularly sends heartbeat detection packets to the routing node RN_j, where j = 1, 2, …, n, and the present number of routing nodes in the network is n. The DS waits for the responses of the routing nodes. If the responses of the routing nodes are not received within a certain time, it is considered that the current routing node has been offline and performed operation n = n − 1. The heartbeat response packet fed back by routing node j to the directory server contains the real-time network bandwidth BW_j of the current routing node. The DS counts the online time T_j of the routing node up to the current time based on the heartbeat response packet fed back by routing node j. If the DS detects a newly added or re-online routing node, the real-time network bandwidth and online time of the routing node are also collected according to the above process, and the operation n = n + 1 is executed.

The DS can establish a routing table database based on the routing node data collected through the heartbeat mechanism [18], which is expressed as DB = {d_j}, j = 1, 2, …, n, where n is the number of nodes in the routing table; d_j is the state information set of routing node j, i.e., d_j = ( $d_1^j$, $d_2^j$, …, $d_m^j$), i = 1, 2, …, m, j = 1, 2, …, n. For example, $d_1^j$ represents the first type of status information of node j, such as the network bandwidth BW_j, and $d_2^j$ represents the second type of status information of node j, such as the online time T_j of the node j. The DS stores and updates the status information set table d_j of the routing node.

2.3. The Directory Server Queries and Returns the Status Information of the Routing Node

After obtaining the M_k of the user equipment UE_k, the DS calculates the S_ij for the routing node j, j = 1, 2, …, n,

$$\begin{array}{l}{s}_{ij}={\mathit{M}}_{\mathit{k}}\cdot {({\mathit{d}}_{\mathit{u}}-{\mathit{d}}_{\mathit{v}})}^T\\ \hspace{1em}=\left[\begin{array}{ccc}{b}_{11}\cdot q_1^k& \cdots & b_{1m}\cdot q_m^k\\ ⋮& \ddots & ⋮\\ b_{w1}\cdot q_1^k& \cdots & b_{wm}\cdot q_m^k\end{array}\right]\cdot \left(\begin{array}{c}{d}_{u1}-d_{v1}\\ ⋮\\ d_{um}-d_{vm}\end{array}\right)\end{array}$$

(2)

where u and v represent different routing nodes, respectively, i.e., u, v = 1, 2, …, n, and u ≠ v.

The DS returns the routing node information $S_{ij}^{\prime }$ to the user equipment UE_k, which can be obtained according to the received $S_{ij}$

$$\begin{array}{l}{S}_{ij}^{\prime }=(s_1,\cdots ,s_w)\cdot S_{ij}\\ \hspace{1em}=(s_1,\cdots ,s_w)\cdot \left[\begin{array}{ccc}{b}_{11}\cdot q_1^k& \cdots & b_{1m}\cdot q_m^k\\ ⋮& \ddots & ⋮\\ b_{w1}\cdot q_1^k& \cdots & b_{wm}\cdot q_m^k\end{array}\right]\cdot \left(\begin{array}{c}{d}_1^u-d_1^v\\ ⋮\\ d_m^u-d_m^v\end{array}\right)\\ \hspace{1em}={\displaystyle \sum _{a=1}^w{s}_a\cdot b_{a1}\cdot }{q}_1^k\cdot (d_1^u-d_1^v)+\cdots +{\displaystyle \sum _{a=1}^w{s}_a\cdot b_{am}\cdot }{q}_m^k\cdot (d_m^u-d_m^v)\\ \hspace{1em}={\displaystyle \sum _{i=1}^m{q}_i^k\cdot d_i^u}-{\displaystyle \sum _{i=1}^m{q}_a^k\cdot d_i^v}\\ \hspace{1em}=\frac{1}{2}\left[{\displaystyle \sum _{i=1}^m{(q_i^k-d_i^u)}^2-{\displaystyle \sum _{i=1}^m{(q_i^k-d_i^v)}^2}}\right]\end{array}$$

(3)

This paper is based on the distance $dis{t}_i^{k,j}$ between q_i and d_j to the query routing nodes. With a flowchart, Figure 3 shows that the DS selects nodes with the number of N_k + ∆ from the number of n routing nodes that meet the UE_k requirements. The specific method steps are shown in Algorithm 1. The DS queries the elements in the routing request set of the user equipment UE_k through Algorithm 1, compares them with the routing node status information in the routing table database, and looks for the nearest N_k + ∆ routing nodes between them. Algorithm 1 describes how the directory server feeds back the N_k + ∆ routing nodes that meet the requirements of the routing node request of the user equipment.

3. SQRT Scheme

The security querying for the routing table process includes two participants, DS and UE_k. They want to calculate f(q_i,(d₁, d₂, …, d_m)) = r_z together, where r_z is the satisfied routing node obtained by comparison, and UE_k obtains the output function r_z.

The process of the user equipment UE_k querying the routing table security from the DS can be abstracted into an N_k + ∆-out-of-N_k oblivious transfer model, which is abbreviated as $O{T}_{N_k+\Delta }^{N_k}$. In a public key encryption scheme [19], there is an encryption function E, a decryption function D, a public key Key_p, and a private key Key_s. The key length satisfies |Key_p| = |Key_s| = K and String = D(E(String,key_p), Key_s), which means that in any secure public key encryption scheme, the corresponding private key cannot be calculated for a specific public key. In other words, it is difficult to calculate the corresponding private key. The Algorithm 1 shows the process of secure querying for the routing table.

Algorithm 1. The algorithm of secure querying for the routing table

Input: ${\mathit{q}}_{\mathit{i}}^{\mathit{k}}=(q_1^k,q_2^k,\dots ,q_m^k)$ sent by user equipment UEk and dj = ($d_1^j$, $d_2^j$, …, $d_m^j$) stored in the directory server Output: The IP address of the routing node RNj, and the number of routing nodes is Nk + ∆

Ini_Function(${\mathit{q}}_{\mathit{i}}^{\mathit{k}}$, dj) // Update the routing node requirements of UEk and the routing node status information of DS as the initial conditions for j = 1:n for i = 1:m $dis{t}_i^{k,j}={\displaystyle \sum _{i=1}^m{\left(q_i^k-d_i^j\right)}^2}$ // The DS needs to calculate the distance $dis{t}_i^{k,j}$ between $d_i^j$ and ${\mathit{q}}_{\mathit{i}}^{\mathit{k}}$ of node j if $dis{t}_i^{k,u}-dis{t}_i^{k,v}<0$ // Compare the distance of routing node among $d_i^u$, $d_i^v$, and $q_i^k$, respectively; u and v represent different routing nodes Queue_Fun(dj,dj+1) // The routing table database DB is sorted according to the distance, and the number of the nearest node is in the front else Queue_Fun(dj+1,dj) end if end for end for Queue_Fun(DB)→RN1, …, $R{N}_{N_k}$, …, $R{N}_{N_k+\Delta }$ // The first Nk + ∆ routing nodes of n routing nodes in the routing table database End

For the 2-out-of-1 oblivious transfer scheme [20], the input of DS is two strings s₀, s₁ ∈ {0,1}^k, and the input of UE_k is c ∈ {0,1}. Using the 2-out-of-1 oblivious transfer to construct the N_k + ∆-out-of-N_k oblivious transfer is shown in Figure 4. Figure 4 mainly introduces how to select N_k routing nodes from the N_k + ∆ routing nodes in the oblivious transfer model.

• The DS has inputs M₁, M₂, …, M_n ∈ {0,1}^k, selects a random string C ∈ {0,1}^k, and sends C to the DS;
• UE_k has different inputs c₁, c₂, …, $c_{N_k}$ ∈ {1, 2, …, N_k + ∆}, constructs a pair of public key Key_pc and private key Key_sc, and then calculates another public key Key_p,1−c according to Key_p,1−c ⊕ Key_pc = C, and the key length is satisfied $\left|Ke{y}_{p_0}\right|=\left|Ke{y}_{p_1}\right|=\left|Ke{y}_{sc}\right|=\left|C\right|$;
• UE_k sends $Ke{y}_{p_0}$ and $Ke{y}_{p_1}$ to the DS;

The DS verifies whether $Ke{y}_{p_0}$ ⊕ $Ke{y}_{p_1}$ = C. If not, the execution is rejected.

4.

The DS sends E(s₀, $Ke{y}_{p_0}$) and E(s₁, $Ke{y}_{p_1}$) to UE_k;

5.

UE_k uses Key_pc to get s_c, i.e.,

s_c = D(E(s_c, Key_pc), Key_sc)

(4)

6.

UE_k and DS perform the interaction process of N_k oblivious transfer. Each time the oblivious transfer protocol is executed, UE_k can always obtain the address information of a routing node j, j = 1, 2, …, n. After executing N_k times, UE_k can obtain N_k messages M_t, t ∈ {c₁, c₂, …, $C_{N_k}$}.

If both DS and UE_k are honest [21,22], UE_k can obtain s_c through (4), i.e., UE_k can obtain N_k messages M_t, t ∈ {c₁, c₂, …, $C_{N_k}$}. For DS, what it obtains in the process of interaction is only the sum of two strings $Ke{y}_{p_0}$ and $Ke{y}_{p_1}$, and it cannot judge the exact value of c. For UE_k, it can only construct public key and private key, Key_pc, Key_sc→Key_p,1−c through the following methods. According to the requirements of a public key encryption scheme, UE_k cannot calculate Key_s,1−c through Key_p,1−c. Thus, the N_k + ∆-out-of-N_k oblivious transfer scheme based on general public key encryption scheme can be constructed, i.e., $O{T}_{N_k+\Delta }^{N_k}$.

The DS selects N_k public keys pk_t, t = 1, 2, …, and N_k, from N_k + ∆ random public keys sent by the UE_k. In addition, ∆ public keys pk_t, t = 1, 2, …, ∆, and ∆ are randomly generated to encrypt the routing node information and return the information of N_k + ∆ routing node to the UE_k, i.e., (e₀, e₁, …, $e_{N_k+\Delta }$) = ($EN{C}_{p{k}_1}(R{N}_1)$, $EN{C}_{p{k}_2}(R{N}_2)$, …, $EN{C}_{p{k}_{N_k+\Delta }}(R{N}_{N_k+\Delta })$). After receiving (e₀, e₁, …, $e_{N_k+\Delta }$), the UE_k decrypts (e₀, e₁, …, $e_{N_k+\Delta }$) with sk and only obtains the address information of N_k routing nodes.

4. Security Analysis

Under the semi-honest attack model [23], if $O{T}_{N_k+\Delta }^{N_k}$ is secure, the SQRT scheme is secure. The proof process is specified as follows.

Proof. 

Let the protocol with formal security proof be Π [24]. Note that during the implementation of the protocol, the two views of UE_k and DS are ${\{{\mathrm{VIEW}}_k^{\Pi }(q_i,\{d_1,d_2,\dots ,d_m\})\}}_{k=1,2}$, including four parts of messages: {secret input, random number, messages transmitted from the other party, and output}. Based on the two views, UE_k and DS can obtain the views as follows, respectively,

$$\{{\mathrm{VIEW}}_1^{\Pi }(q_i,\{d_1,d_2,\dots ,d_m\})\}=\{q_i,s_a,{\mathit{B}}_{\mathit{k}},S_{ij}^{\prime }{|}_{i,j=1,\dots ,n,i\ne j}\}\{{\mathrm{VIEW}}_1^{O{T}_{N_k+\Delta }^{N_k}}(z,r_i{|}_{i=1,\dots ,m},r_z)\}$$

(5)

$$\{{\mathrm{VIEW}}_2^{\Pi }(q_i,\{d_1,d_2,\dots ,d_m\})\}=\{d_1,d_2,\dots ,d_m\}{\mathit{M}}_{\mathit{k}}\left\}\right\{{\mathrm{VIEW}}_2^{O{T}_{N_k+\Delta }^{N_k}}(z,r_i{|}_{i=1,\dots ,m},\lambda )\}$$

(6)

   □

From the definition of security [25], only the probabilistic polynomial time algorithm S₁/S₂ [26] needs to be constructed, so that P₁/P₂ can be constructed on the premise of known input/output: (q_i,r_z)/({d₁, d₂, …, d_m},λ), i.e., {S₁(q_i,r_z)}/{S₂({d₁, d₂, …, d_m},λ)}. It is computationally indistinguishable from the views obtained in the process of real protocol execution, i.e., it meets the requirements

$$\{S_1(q_i,r_z)\}\stackrel{c}{\equiv }\{{\mathrm{VIEW}}_1^{\Pi }(q_i,\{d_1,d_2,\dots ,d_m\})\}$$

(7)

$$\{S_2(\{d_1,d_2,\dots ,d_m\},\lambda )\}\stackrel{c}{\equiv }\{{\mathrm{VIEW}}_2^{\Pi }(q_i,\{d_1,d_2,\dots ,d_m\})\}$$

(8)

Therefore, we need only to construct S₁ and S₂. Next, we will prove the security of the SQRT scheme in two cases.

4.1. The DS Is Semi-Honest

If DS is semi-honest, it is only necessary to construct S₂ so that the input {d_i}_i=1,…,m and output λ of P₂ are known. In this case, the corresponding view can be obtained according to (6). Because the SQRT scheme is based on the security of $O{T}_{N_k+\Delta }^{N_k}$, it can be regarded as a black box [27], and there is an algorithm, $S_2^{O{T}_{N_k+∆}^{N_k}}$ to obtain the input {r_i}_i=1,…,m and output λ, then the view of DS during execution can be obtained, which is represented as $S_2^{O{T}_{N_k+∆}^{N_k}}$ ({r_i}_{i=1, …, m}, λ) and is indistinguishable from the real view calculation, i.e., $\{S_2(\{d_1,d_2,\cdots ,d_m\},\lambda )\}\stackrel{c}{\equiv }\{{\mathrm{VIEW}}_2^{\prod }(q_i,\{d_1,d_2,\dots ,d_m\})\}.$

4.2. The UE_k Is Semi-Honest

Like the previous case, only S₁ needs to be constructed so that when the input q_i and output r_z of P₁ are known, the corresponding view can be obtained according to (5). Similarly, because the SQRT scheme is based on the security of $O{T}_{N_k+∆}^{N_k}$, there is an algorithm $S_1^{O{T}_{N_k+∆}^{N_k}}$ to obtain the input z and output r_z, and the view of UE_k executing $O{T}_{N_k+∆}^{N_k}$ can be obtained, i.e.,

$$\{S_1^{O{T}_{N_k+∆}^{N_k}}(z,r_z)\}\stackrel{c}{\equiv }\left\{{\mathrm{VIEW}}_1^{O{T}_{N_k+∆}^{N_k}}{(z,r_i)}_{i=1,\dots ,m}\right\}$$

(9)

The view of the output of S₁ is represented as

$$\left\{S_1\right(q_i,r_z\left)\right\}=\{q_i,s_a,{\mathit{B}}_{\mathit{k}},S_{ij}^{\prime }{|}_{i,j=1,\dots ,n,i\ne j}\},\{S_1^{O{T}_{N_k+∆}^{N_k}}(z,r_z),r_z\}$$

(10)

Since s_a and B_k are randomly generated and satisfy ${\displaystyle \sum _{a=1}^w{s}_w\cdot b_{ai}=1}$, i = 1, 2, …, m, s_a and B_k can be obtained from the view $\{{\mathrm{VIEW}}_1^{\prod }(q_i,\{d_1,d_2,\dots ,d_m\})\}$. Because of their randomness, we can ascertain that (s_a, B_k) and ($s_a^{\prime }$, ${\mathit{B}}_{\mathit{k}}^{\prime }$) are indistinguishable. Similarly, $S_{ij}^{\prime }{|}_{i,j=1,\dots ,n,i\ne j}$ and $S_{ij}{|}_{i,j=1,\dots ,n,i\ne j}$ are computationally indistinguishable [28].

Thus, combined with (9), we can obtain

$$\{{\mathit{q}}_{\mathit{i}},{\mathit{s}}_{\mathit{a}},{\mathit{B}}_{\mathit{k}},S_{ij}^{\prime }{|}_{i,j=1,\dots ,n,i\ne j}\},\{S_1^{O{T}_{N_k+∆}^{N_k}}(z,r_z),{\mathit{r}}_{\mathit{z}}\}$$

$$\stackrel{c}{\equiv }\{{\mathit{q}}_{\mathit{i}},{\mathit{s}}_{\mathit{a}},{\mathit{B}}_{\mathit{k}},S_{ij}^{\prime }{|}_{i,j=1,\dots ,n,i\ne j}\left\}\right\{{\mathrm{VIEW}}_1^{O{T}_{N_k+∆}^{N_k}}{(z,r_i)}_{i=1,\dots ,m},r_z\}$$

(11)

Whereas we can deduce that

$$\{S_1(q_i,r_z)\}\stackrel{c}{\equiv }\{{\mathrm{VIEW}}_1^{\prod }(q_i,\{d_1,d_2,\dots ,d_m\})\}$$

Therefore, the security of the SQRT scheme can be proven under the semi-honest model.

5. Experimental Results

The hardware configuration of the directory server used in this experiment is Intel 4214R processor. The memory size is 256 GB. The network port is 25 Gbps. The software environment is CentOS Linux release 7.6. The hardware configuration of the user equipment is W-2145 8core CPU, and the memory is 32 GB. In order to obtain the packets of routing querying requests and responses, we needed to create a packet capture module on the router in the local network. In order to mark the network traffic more efficiently, the method of capturing offline data needed to be improved. The experimental method in the paper was to run the routing table query operation according to the full buffer mode in the virtual machine, i.e., continuously generate the data packets of routing querying request and response in the anonymous networks. During the experimental test, the data packet was captured through the router in the local network with Wireshark, TCPDump, and other packet capture tools.

Table 2. Comparison of security model and performance among SQRT scheme and other existing schemes.

References	Schemes	Security Model	Performance Metrics
			Running Time/ms	Communication Traffic/KB
[4]	The Onion Routing	Semi-honest Model	408.4	218.5
[7]	The Galicia Routing	Semi-honest Model	517.5	328.2
[10]	BLAZE	Malicious Model	419.0	426.8
[11]	TRIDENT	Malicious Model	498.2	379.1
Our Paper	SQRT	Semi-honest Model	339.2	175.6

shows the security model and performance comparison results between the SQRT scheme proposed in this paper and the existing schemes. The security models are mainly divided into malicious model or semi-honest model, and the network performance includes the running time of the policy and the generated communication traffic. The BLAZE and TRIDENT schemes can realize multiplication under the malicious model; therefore, the communication traffic generated during the implementation of the above two schemes is relatively large. By comparison, the traffic generated by the TRIDENT scheme is lower than that of the BLAZE scheme. For the semi-honest model, the SQRT scheme proposed in this paper adopted the 3-out-of-10 oblivious transfer model. Compared with the onion routing and the galicia routing, the running time can be reduced by 16.9% and 34.5%, respectively, and the traffic can be reduced by 19.6% and 46.5%, respectively.

Figure 5 shows the performance results of the SQRT scheme in terms of running time when N_k and ∆ take different values. It is worth noting that when analyzing the time overhead of cryptographic algorithms, we mainly focused on the public key cryptographic algorithms with a large amount of computation and longtime consumption, while ignoring the symmetric cryptographic algorithms with small overhead. Let N_k = 1, …, 10, ∆ = 1, …, and 10. With the increase in the values of N_k and ∆, the running time of the SQRT scheme increases accordingly, especially when N_k ≥ 5 and ∆ ≥ 4, the running time is higher than 500 ms. When N_k = 10, ∆ = 10, and the SQRT scheme adopts the more complex 10-out-of-20 oblivious transfer model, the running time reaches 714.5 ms. Therefore, the secure querying of the routing table can still be completed in less than 1s, and the user equipment can only obtain the information of 10 routing nodes fed back to the user equipment from the directory server, but not know the information of 10 additional routing nodes fed back by the directory server. On the other hand, the directory server knows neither the specific requirements of the routing nodes submitted by the user equipment, nor which 10 nodes the user equipment has selected among the 20 nodes fed back to the user equipment.

Figure 6 shows the performance test results of the SQRT scheme in terms of communication traffic when N_k and ∆ take different values. Similar to Figure 5, as the values of N_k and ∆ increase, the communication traffic of the SQRT scheme increases accordingly. By comparison, the change of communication traffic value is more affected by the change of N_k value than ∆ value. When N_k is 1, the traffic is generally less than 100 KB. When N_k is 10, the traffic is generally less than 400 KB. The experimental results show that the secure querying scheme of the routing table based on oblivious transfer proposed in the paper has less computational and communication overhead and is suitable for applications requiring high querying efficiency and security. Therefore, the SQRT scheme has good security and availability.

The authors give a comparison of the analysis results of the degree of anonymity between the SQRT scheme and the existing schemes, as shown in Figure 7. The degree of anonymity is a measure of the degree to which the identity or address information of the routing nodes in the anonymous networks is not recognized by the attacker. In [29], the degree of anonymity of anonymous networks is defined as D = log₂h/log₂n, where h is the number of routing nodes of which the private information is sniffed by the attacker, and n is the total number of routing nodes in anonymous networks. Therefore, the smaller the anonymity D, the better the privacy and security protection effect of the secure querying scheme of the routing table. When the number of routing nodes in the anonymous networks continues to increase, the degree of anonymity of various schemes declines, and the decline becomes slower. The degree of anonymity of the SQRT scheme is much lower than other existing schemes. That is because the SQRT scheme can effectively ensure that both user equipment and the directory server faithfully follow the routing querying protocol and protect the privacy information of both parties to the greatest extent. The experimental results better illustrate the security performance advantages of the SQRT scheme compared with the existing schemes.

6. Conclusions

The SQRT scheme proposed in the paper can effectively ensure that both user equipment and the directory server faithfully follow the routing querying protocol and protect the privacy information of both parties to the greatest extent. Compared with the existing schemes, the SQRT scheme proposed in the paper has obvious performance advantages in the degree of anonymity, running time, and communication traffic. Specifically, the SQRT scheme has the following four advantages:

(1)

The first is correctness. If the directory server and user equipment abide by the protocol, the user equipment will obtain the routing node information it needs after the implementation of the scheme.

(2)

The second is the confidentiality of the information of other routing nodes in the directory server, that is, after the policy has completed execution, the user equipment cannot obtain the information of any other routing nodes except the information of the routing nodes it needs.

(3)

The third is the confidentiality of the routing node information obtained by the user equipment. After the policy has completed execution, the directory server knows neither the specific requirements of the routing node submitted by the user equipment, nor which part of the routing node information is obtained from the user equipment.

(4)

The fourth is the efficiency of the network performance of the SQRT scheme in the operation process. For the semi-honest model, the SQRT scheme not only ensures the correctness and confidentiality, but also reduces the running time and traffic compared with the other existing schemes. It is expected to provide support and reference for the design and planning of the future secure communication system.

At the same time, this paper also has some limitations, mainly in the security analysis. This paper only carried out a theoretical analysis of the main possible threats; there was no strict mathematical basis to support this security analysis, and we did not use a provable security method for a more reliable security analysis. Therefore, the safety analysis part can be improved in future research.