IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. A, NO. B, MONTH-YEAR 16
because by assumption, the adversary has not forged the signature of `
j+q+1
, which is non-compromised.
Since A has no adversarial neighbor, it could have received msg
00
only from a non-adversarial machine.
However, the only non-adversarial machine that would send out msg
00
is `
j+q+1
. This would mean that A is
a common adversarial neighbor of `
j
and `
j+q+1
, which contradicts the assumption of Case 2. This means
that our original assumption cannot be true, and hence, the adversary must have forged the signature of
a non-adversarial machine.
It should be intuitively clear that if the signature scheme is secure, then the adversary can forge a
signature only with negligible probability, and thus, a route reply message in Sys
ideal
conf ,A
is dropped due to
its plausibility flag set to false only with negligible probability. Nevertheless, we sketch how this could be
proven formally. The proof is indirect. We assume that there exist a configuration conf and an adversary
A such that a route reply message in Sys
ideal
conf ,A
is dropped due to its plausibility flag set to false with
probability ², and then, based on that, we construct a forger F that can break the signature scheme with
probability ²/n. If ² is non-negligible, then so is ²/n, and thus, the existence of F contradicts with the
assumption about the security of the signature scheme.
The construction of F is the following. Let puk be an arbitrary public key of the signature scheme.
Let us assume that the corresponding private key prk is not known to F , but F has access to a signing
oracle that produces signatures on submitted messages using prk . F runs a simulation of Sys
ideal
conf ,A
where
all machines are initialized as described in the model, except that the public key of a randomly selected
non-adversarial machine `
i
is replaced with puk . During the simulation, whenever `
i
signs a message m,
F submits m to the oracle, and replaces the signature of `
i
on m with the one produced by the oracle. This
signature verifies correctly on other machines later, since the public verification key of `
i
is replaced with
puk. By assumption, with probability ², the simulation of Sys
ideal
conf ,A
will result in a route reply message
msg such that all signatures in msg are correct and msg contains a non-plausible route. As we saw above,
this means that there exists a non-adversarial machine `
j
such that msg contains the signature sig
`
j
of `
j
,
but `
j
has never signed (the corresponding part of) msg. Let us assume that i = j. In this case, sig
`
j
is
a signature that verifies correctly with the public key puk . Since `
j
did not sign (the corresponding part
of) msg, F did not call the oracle to generate sig
`
j
. This means that F managed to produce a signature
on a message that verifies correctly with puk . Since F selected `
i
randomly, the probability of i = j is
1
n
, and hence, the success probability of F is ²/n.
Besides being provably secure, endairA has another significant advantage over Ariadne (and similar
protocols): it is more efficient, because it requires less cryptographic computation overall from the nodes.
This is because in endairA, only the processing of the route reply messages involves cryptographic
operations, and a route reply message is processed only by those nodes that are in the node list carried
in the route reply. In contrast to this, in Ariadne, the route request messages need to be digitally signed
by all intermediate nodes; however, due to the way a route request is propagated, this means that each
node in the network must sign each and every route request.
B. Practical extensions to the basic endairA protocol
Note that in our model presented in Section III, we made the assumption that the nodes are static
(at least during the period of time that is analyzed). The proof of security of endairA relies on this
assumption. More precisely, in the proof, we show that if a route is returned by endairA to an honest
node, then that route must exist in the graph that represents the network with overwhelming probability.
Moreover, once a route has been returned, it remains valid forever, because the graph does not change.
This means that under the assumption of static nodes, the basic endairA protocol is not vulnerable to
replay attacks. However, if we relax this assumption, and we allow the nodes to move, then the basic
protocol has a problem. In that case, when a node initiates a route discovery process and the adversary
receives a route request, it can replay an old route reply, and if that reply reaches the initiator, then it
will be accepted, despite the fact that it may contain outdated information (i.e., a route that does not exist
anymore due to the mobility of the nodes).