SPM: Source Privacy for Mobile Ad Hoc Networks



Introduction
The decentralized nature of mobile ad hoc networks (MANETs) makes rapid deployment of independent mobile users practical. MANETs are suitable for many applications, such as establishing survivable, dynamic communication for emergency/rescue operations, disaster relief efforts, and military networks. A MANET consists of an autonomous collection of mobile users that communicate over bandwidth-constrained wireless links. All these issues make security, jamming protection, and even node capture significant concerns. Without privacy protection, adversaries can easily learn the identities of the communicating parties and the relevant information that two users are exchanging. For example, adversaries can track your online orders, the web sites that you access, the doctors that you visit, and much more. Adversaries can also easily overhear all the messages, passively eavesdrop on communications, and perform traffic analysis, routing monitoring, and denial-of-service (DoS) attacks.
For tactical military communication networks, communication privacy is becoming an essential security requirement. As an example, an abrupt change in traffic pattern or volume may indicate some forthcoming activities. The exposure of such information could be extremely dangerous in that adversaries can easily identify critical network nodes and then launch direct DoS attacks on them. Communication privacy is also an indispensable security requirement for applications such as e-voting, e-cash and so on.
In the past two decades, originated largely from Chaum's mixnet [1] and DC-net [2], a number of privacy-preserving communication protocols have been proposed, including for example, onion routing [3], K-anonymous message transmission [4], Web MIXes [5], Mixminion [6], Mixing email [7], Mixmaster Protocol [8], Crowds [9], and Buses seat allocation [10], to name a few. The mixnet family protocols use a set of "mix" servers that mix the received packets to make the communication parties (including the sender and the recipient) ambiguous. They rely on the statistical properties of background traffic that is also referred to as cover traffic to achieve the desired source privacy. The DC-net family protocols [2,4,11,12] on the other hand, utilize secure multiparty computation techniques. They provide provable source privacy without relying on

Terminology and Preliminary
In this section, we will briefly describe the terminology that will be used in this paper. Then we will introduce some cryptographic tools that will be used in this paper. Finally, we will present a brief overview of the related works in this area.

Terminology.
Privacy is sometimes referred to as anonymity. Communication anonymity in information management has been discussed in a number of previous works [1,2,9,13-15]. It generally refers to the state of being not identifiable within a set of subjects. This set is called the ambiguity set (AS). Three types of anonymity were defined [13]: sender anonymity, recipient anonymity, and relationship anonymity. Sender anonymity means that a particular message is not linkable to any sender and no message is linkable to a particular sender. Recipient anonymity similarly means that a message cannot be linked to any recipient and that no message is linkable to a recipient. Relationship anonymity is a weaker property than sender anonymity and recipient anonymity. The above anonymities are also referred to as the full anonymities, since they guarantee that an adversary cannot infer anything about the sender, the recipient, or the communication relationship from a transmitted message. We will start with the definition of the unconditionally secure source anonymous message authentication scheme (SAMAS).
Definition 1 (SAMAS). An SAMAS consists of the following two algorithms:
(i) generate $(m, y_1, y_2, \ldots, y_n)$: Given a message $m$ and the public keys $y_1, y_2, \ldots, y_n$ of the ambiguity set (AS) $S = \{A_1, A_2, \ldots, A_n\}$, the actual message sender $A_t$, $1 \le t \le n$, produces an anonymous message $S(m)$ using her own private key $x_t$;
(ii) verify $S(m)$: Given a message $m$ and an anonymous message $S(m)$, which includes the public keys of all members in the AS, a verifier can determine whether $S(m)$ is generated by a member in the AS.
EURASIP Journal on Wireless Communications and Networking
The security requirements for SAMAS include:
(i) Sender ambiguity: The probability that a verifier successfully determines the real sender of the anonymous message is exactly $1/n$, where $n$ is the total number of members in the AS;
(ii) Unforgeability: An anonymous message scheme is unforgeable if no adversary, given the public keys of all members of the AS and the anonymous messages $m_1, m_2, \ldots, m_l$ adaptively chosen by the adversary, can produce in polynomial time a new valid anonymous message with nonnegligible probability.
In this paper, the user ID and user public key will be used interchangeably without distinction.

Modified ElGamal Signature Scheme (MES).
Definition 2 (MES). The modified ElGamal signature scheme [16] consists of the following three algorithms:
(i) Key generation algorithm: Let $p$ be a large prime and $g$ be a generator of $\mathbb{Z}_p^*$. Both $p$ and $g$ are made public. For a random private key $x \in \mathbb{Z}_p$, the public key $y$ is computed from $y = g^x \bmod p$;
(ii) Signature algorithm: The MES can also have many variants [17,18]. For the purpose of efficiency, we will describe the variant called the optimal scheme. To sign a message $m$, one chooses a random $k \in \mathbb{Z}_{p-1}^*$, then computes the exponentiation $r = g^k \bmod p$ and solves $s$ from where $h$ is a one-way hash function. The signature of message $m$ is defined as the pair $(r, s)$;
(iii) Verification algorithm: The verifier checks the signature equation $g^s = r\, y^{r h(m,r)} \bmod p$. If the equality holds true, then the verifier accepts the signature, and rejects otherwise.

Previous Work.
The existing anonymous communication protocols largely stem from either mixnet [1] or DC-net [2]. A mixnet provides anonymity via packet reshuffling through (at least one trusted) "mix". In a mixnet, a sender encrypts an outgoing message and the ID of the recipient using the public key of the mix. The mix accumulates a batch of encrypted messages, decrypts and reorders these messages, and forwards them to the recipients. An eavesdropper cannot link a decrypted output message with any particular (encrypted) input message. The mixnet thus protects the secrecy of users' communication relationships. Recently, Möller presented a secure public-key encryption algorithm for mixnet [19]. This algorithm has been adopted by Mixminion [6]. However, since mixnet-like protocols rely on the statistical properties of background traffic, they cannot provide provable anonymity.
DC-net [2,15] is an anonymous multiparty computation amongst a set of participants, some pairs of which share secret keys. DC-net provides perfect (information theoretic) sender anonymity without requiring trusted servers. In a DC-net, users send encrypted broadcasts to the entire group, thus achieving receiver anonymity. However, all members of the group are made aware of when a message is sent, so DC-net does not have the same level of sender-receiver anonymity. Also, in DC-net, only one user can send at a time, so it takes additional bandwidth to handle collisions and contention. Lastly, a DC-net participant fixes its anonymity versus bandwidth trade off when joining the system, and there are no provisions to rescale that trade off when others join the system.
Crowds [9] extends the idea of anonymizer and is designed for anonymous web browsing. However, Crowds only provides sender anonymity. It does not hide the receivers and the packet content from the nodes en route. Hordes [20] builds on the Crowds. It uses multicast services and provides only sender anonymity.
Recently, message sender anonymity based on ring signatures was introduced [21]. This approach can enable message sender to generate source anonymous message signature with content authenticity assurance, while hiding the real identity of the message sender. The major idea is that the message sender (say Alice) randomly selects n of ring members as the AS on her own without awareness of these members. To generate a ring signature, for each member in the ring other than the actual sender (Alice), Alice randomly selects an input and computes the one-way output using message signature forgery. For the trapdoor one-way function corresponding to the actual sender Alice, she needs to solve the "message" that can "glue" the ring together, and then signs this "message" using her knowledge of the trap-door information. The original scheme has very limited flexibility and the complexity of the scheme is quite high. Moreover, the original paper only focuses on the cryptographic algorithm, the relevant network issues were totally left unaddressed.
In this paper, we first propose an unconditionally secure and efficient source anonymous message authentication scheme based on the modified ElGamal signature scheme. This is because the original ElGamal signature scheme is existentially forgeable with a generic message attack [22,23], while the modified ElGamal signature (MES) scheme is secure against no-message attack and adaptive chosen-message attack in the random oracle model [24].

Threat Model and Assumptions.
We assume the participating MANET nodes voluntarily cooperate with each other to provide the service. All nodes are potential message originators of anonymous communications. The adversaries can collaborate to passively monitor and eavesdrop on all MANET traffic. In addition, they may compromise any node in the target network to become an internal adversary, which could be the internal perpetrators. In this paper, we assume that passive adversaries can only compromise a fraction of the nodes. We also assume that the adversaries are computationally bounded so that inverting and reading of encrypted messages are infeasible. Otherwise, it is believed that there is no workable cryptographic solution.
An agent of the adversary at a compromised node observes and collects all the information in the message, and thus reports the immediate predecessor and successor node for each message traversing the compromised node. Assume also that the adversary collects this information from all the compromised nodes, and uses it to derive the identity of the sender of a message. The sender has no information about the number or identity of nodes being compromised. The adversary collects all the information from the agents on the compromised nodes, and attempts to derive the true identity of the sender.

Unconditionally Secure Source Anonymous Message Authentication Scheme (SAMAS)
In this section, we propose an unconditionally secure and efficient source anonymous message authentication scheme (SAMAS). The main idea is that for each message $m$ to be released, the message sender, or the sending node, generates a source anonymous message authentication for the message $m$. The generation is based on the MES scheme. Unlike ring signatures, which require computing a forged signature for each member in the AS separately, our scheme only requires three steps to generate the entire SAMAS, and links all nonsenders and the message sender to the SAMAS alike. In addition, our design enables the SAMAS to be verified through a single equation without individually verifying the signatures.

The Proposed SAMAS Scheme.
Suppose that the message sender (say Alice) wishes to transmit a message $m$ anonymously from her network node to any other node. The AS includes $n$ members, $A_1, A_2, \ldots, A_n$, for example, $S = \{A_1, A_2, \ldots, A_n\}$, where the actual message sender Alice is $A_t$, for some value $t$, $1 \le t \le n$. Let $p$ be a large prime number and $g$ be a primitive element of $\mathbb{Z}_p^*$. Then $g$ is also a generator of $\mathbb{Z}_p^*$. That is Both $p$ and $g$ are made public and shared by all members in $S$. Each $A_i \in S$ has a public key $y_i = g^{x_i} \bmod p$, where $x_i$ is a randomly selected private key from $\mathbb{Z}_{p-1}^*$. In this paper, we will not distinguish between the node $A_i$ and its public key $y_i$. Therefore, we also have $S = \{y_1, y_2, \ldots, y_n\}$.
Suppose $m$ is a message to be transmitted. The private key of the message sender Alice is $x_t$, $1 \le t \le n$. To generate an efficient SAMAS for message $m$, Alice performs the following three steps:
(1) Select a random and pairwise different $k_i$ for each $1 \le i \le n$, $i \ne t$, and compute $r_i = g^{k_i} \bmod p$;
(2) Choose a random $k \in \mathbb{Z}_p$ and compute $r_t = g^{k} \prod_{i \ne t} y_i^{-r_i h_i} \bmod p$ such that $r_t \ne 1$ and $r_t \ne r_i$ for
The SAMAS of the message $m$ is defined as where $g^s = r_1 \cdots r_n\, y_1^{r_1 h_1} \cdots y_n^{r_n h_n} \bmod p$, and $h_i = h(m, r_i)$.

Verification of SAMAS.
A verifier can verify an alleged SAMAS (m, S, r 1 , . . . , r n , s) for message m by verifying whether the following equation holds. If (3) holds true, the verifier Accepts the SAMAS as valid for message m. Otherwise the verifier Rejects the SAMAS.
In fact, if the SAMAS has been correctly generated, then we have r 1 · · · r n y r1h1 1 · · · y rnhn n mod p = g k1 · · · g kn y r1h1 Therefore, the verifier should always Accept the SAMAS if it is correctly generated without being modified.
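The generation and verification procedure above, as an added Python example (not code from the paper). Step (3) is not legible on this page, so the formula used for $s$, namely $s = k + \sum_{i \ne t} k_i + x_t r_t h_t \bmod (p-1)$, is an assumption derived from the verification equation; the toy parameters $p = 2^{31}-1$, $g = 7$, the SHA-256-based $h$, and the range and distinctness checks in `verify` are also assumptions.

```python
import hashlib
import secrets

# Toy public parameters (assumption, far too small for real use):
# p = 2^31 - 1 is prime and g = 7 is a primitive root modulo p.
P = 2**31 - 1
G = 7


def h(m: bytes, r: int) -> int:
    """One-way hash h(m, r): SHA-256 reduced into Z_p (assumed encoding)."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + m).digest()
    return int.from_bytes(digest, "big") % P


def keygen():
    """Return (x, y): private key x and public key y = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def inv(a: int) -> int:
    """Inverse in Z_p^* via Fermat's little theorem."""
    return pow(a, P - 2, P)


def generate(m: bytes, ys: list, t: int, x_t: int):
    """Produce ([r_1..r_n], s) over the ambiguity set ys; the sender is ys[t]."""
    n = len(ys)
    others = [i for i in range(n) if i != t]
    while True:
        # Step 1: pairwise different k_i, r_i = g^k_i mod p for non-senders.
        ks = []
        while len(ks) < n - 1:
            k_i = secrets.randbelow(P - 2) + 1
            if k_i not in ks:
                ks.append(k_i)
        rs = [None] * n
        for i, k_i in zip(others, ks):
            rs[i] = pow(G, k_i, P)
        # Step 2: r_t = g^k * prod_{i != t} y_i^(-r_i h_i) mod p.
        k = secrets.randbelow(P)
        r_t = pow(G, k, P)
        for i in others:
            r_t = r_t * inv(pow(ys[i], rs[i] * h(m, rs[i]), P)) % P
        if r_t == 1 or r_t in rs:
            continue  # the page requires r_t != 1 and r_t != r_i; retry
        rs[t] = r_t
        # Step 3 (assumed, derived from the verification equation).
        s = (k + sum(ks) + x_t * r_t * h(m, r_t)) % (P - 1)
        return rs, s


def verify(m: bytes, ys: list, rs: list, s: int) -> bool:
    """Check g^s == r_1...r_n * y_1^(r_1 h_1)...y_n^(r_n h_n) mod p."""
    if len(rs) != len(ys) or not 0 <= s < P - 1:
        return False
    # Added sanity checks (not on the page): each r_i in range and distinct.
    if any(not 1 < r < P for r in rs) or len(set(rs)) != len(rs):
        return False
    rhs = 1
    for y, r in zip(ys, rs):
        rhs = rhs * r * pow(y, r * h(m, r), P) % P
    return pow(G, s, P) == rhs


if __name__ == "__main__":
    ring = [keygen() for _ in range(4)]      # constructed ambiguity set
    ys = [y for _, y in ring]
    msg = b"constructed sample message"
    for t, (x, _) in enumerate(ring):
        rs, s = generate(msg, ys, t, x)
        # The verifier never learns t; every member's output verifies alike.
        print(t, verify(msg, ys, rs, s), verify(msg + b"!", ys, rs, s))
```

The verifier takes no sender index, which is the sender-ambiguity property: any of the `n` private keys yields an output that passes the same single equation.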

Remark 1.
As a trade-off between computation and transmission, the SAMAS can also be defined as $S(m) = (m, S, r_1, \ldots, r_n, h_1, \ldots, h_n, s)$. In case $S$ is also clear, it can be eliminated from the SAMAS.

Security Analysis.
In this subsection, we will prove that the proposed SAMAS scheme is unconditionally anonymous and provably unforgeable against adaptive chosen-message attack.

Anonymity.
In order to prove that the proposed SAMAS is unconditionally anonymous, we have to prove that (i) for anybody other than the members of $S$, the probability to successfully identify the real sender is $1/n$, and (ii) anybody from $S$ can generate SAMAS.
Proof. The identity of the message sender is unconditionally protected with the proposed SAMAC scheme. This is because, regardless of the sender's identity, there are exactly $(p-1)(p-2) \cdots (p-n)$ different options to generate the SAMAC, and all of them can be chosen by the SAMAC generation procedure and by any of the members in the AS with equal probability without depending on any complexity-theoretic assumptions. The proof for the second part, that anybody from $S$ can generate the SAMAC, is straightforward. This finishes the proof of this theorem.

Unforgeability.
The design of the proposed SAMAS relies on the ElGamal signature scheme. Signature schemes can achieve different levels of security. Security against existential forgery under adaptive-chosen message attack is the maximum level of security.
In this section, we will prove that the proposed SAMAS is secure against existential forgery under adaptive-chosen message attacks in the random oracle model [25]. The security of our result is based on the well-known discrete logarithm problem (DLP), which assumes that the computation of discrete logarithms in $\mathbb{Z}_p$ for large $p$ is computationally infeasible. In other words, no efficient algorithms are known for non-quantum computers.
We will introduce two lemmas first. Lemma 2, or the Splitting Lemma, is a well-known probabilistic lemma from reference [24]. The basic idea of the Splitting Lemma is that when a subset Z is "large" in a product space X × Y , it will have many "large" sections. Lemma 3 is a slight modification of the Forking Lemma presented in [24]. The proof of this theorem is mainly probability theory related. We will skip the proof of these two lemmas here.   , r 1 , . . . , r n , h 1 , . . . , h n , s), such that h i = h i , for all 1 ≤ i ≤ n, i / = j for some fixed j.
such that for $1 \le i \le n$, $i \ne j$, $h_i = h'_i$, and $h_j \ne h'_j$. That is $g^{s} = r_1 \cdots r_n\, y_1^{r_1 h_1} \cdots y_n^{r_n h_n} \bmod p$, $g^{s'} = r_1 \cdots r_n\, y_1^{r_1 h'_1} \cdots y_n^{r_n h'_n} \bmod p$.
Divide equations (6) and (7), we obtain Equivalently, we have Therefore, we can compute the discrete logarithm of $y_t$ in base $g$ with nonnegligible probability, which contradicts the assumption that it is computationally infeasible to compute the discrete logarithm of $y_j$ in base $g$. Therefore, it is computationally infeasible for any adversary to forge a valid SAMAC.

Network Model.
Keeping confidential who sends which messages, in a world where any physical transmission can be monitored and traced to its origin, seems impossible.
To solve this problem, in this paper, we consider networks with multiple MANETs. That is, the participating nodes are divided into a set of small subgroups. We classify the network nodes into two categories, normal nodes and super nodes.
A normal node is a network node that may not be able to communicate directly with the nodes in other MANETs. A super node can be a normal node that can also provide message forward services to other MANET nodes. It can also be a special node dedicated to providing message forward services to other MANET nodes. For energy optimization, the normal nodes can take turns to be the super nodes (Figure 1). Prior to network deployment, there should be an administrator. The administrator is responsible for selection of security parameters and a group-wise master key $s_G \in \mathbb{Z}_p^*$. The group master key should be well safeguarded from unauthorized access and never be disclosed to the ordinary group members. The administrator then chooses a collision-resistant cryptographic hash function $h$, mapping arbitrary inputs to fixed-length outputs on $\mathbb{Z}_p$, for example, SHA-1 [26].
The administrator assigns each super node a sufficiently large set of collision-free pseudonyms that can be used to substitute the real IDs in communications to defend against passive attacks. If a super node uses one pseudonym continuously for some time, it will not help to defend against possible attacks since the pseudonym can be analyzed in the same way as its real ID. To solve this problem, each node should use dynamic pseudonyms instead. This requires each super node to sign up with the administrator, who will assign each super node a list of random and collision-resistant pseudonyms: In addition, each super node will also be assigned a corresponding secret set:

Anonymous Local MANET Communication.
To realize anonymous network layer communications, obviously there should be no explicit information (such as the message sender and recipient addresses) in the message content. All of the information related to addresses, including the destination MANET where the recipient resides, should be embedded into the anonymizing message payload. Prior to network deployment, the administrator needs to select a set of security parameters for the entire system, including a large prime $p$ and a generator $g$ of $\mathbb{Z}_p^*$. The network nodes $A_1, A_2, \ldots, A_n$ and the corresponding public keys $y_1, y_2, \ldots, y_n$ of the $n$ participating network nodes, where $x_i \in \mathbb{Z}_p$ is a randomly selected private key of node $A_i$, and $y_i$ is computed from $y_i = g^{x_i} \bmod p$.
A normal node only communicates with other nodes in the same MANET. The communication between two normal nodes in different MANETs has to be forwarded through the super nodes in the respective local MANETs. Each message contains a nonce ($N$), a message flag ($mF$), a recipient flag ($rF$), and a secret key. The nonce is a random number that is used only once to prevent message replay attack. The recipient flag enables the recipient to know whether he is the targeted receiver or a forwarding node. The secret key is used to encrypt the message payload through a symmetric encryption algorithm.
More specifically, for a node $A_i$ to transmit a message $m$ anonymously to a node $A_j$ in the same MANET, through the nodes $A_{i+1}, \ldots, A_{j-1}$, where $j > i+1$, node $A_i$ generates a new message $M(i, j)$ defined in (11), where for $l = i+1, \ldots, j$, $N_l$ is a nonce, $mF_l$ is a message flag, $rF_l$ is a recipient flag, $sk_l$ is the secret key used for one time message encryption, and stands for message concatenation. When the node $A_{i+1}$ receives the message packet, the node decrypts the first block of the received message using its private key corresponding to $y_{i+1}$. After that, the node will get the recipient flag and message flag with the instruction for the subsequent actions.
When a message reaches the targeted recipient, to ensure traffic balance, the node will generate a dummy message to its subsequent nodes. Only the super nodes can terminate or initiate a dummy message. In this way, the amount of traffic flow that a node creates as the initiator is concealed in the traffic that it forwards, since the overall traffic that it receives is the same as the traffic that it forwards. In addition, the message is encrypted with the private key that only the recipient can recover, while the intermediate nodes can only view the instructions of the message that they are allowed to see. The sender's message is indistinguishable by other nodes. The sender and the recipient are thus hidden amongst the other nodes. It is infeasible for the adversary to correlate messages using traffic analysis and timing analysis due to message encryption. Therefore, perfect obscurity of its own messages can be assured. Detailed security analysis will be presented later.

Remark 2.
When the message is delivered to the recipient's local MANET, if the super node is close enough to the recipient node, then the super node can simply broadcast the message. In this case, the message format in (11) can be adjusted accordingly.

Dynamic Local MANET Formation.
Due to node mobility in the MANET, the local MANET will dynamically change over time. This makes reforming of the local MANET an essential part of our proposed scheme. The dynamic updating of the MANET can be characterized through mobility of each individual node, that can leave and join a local MANET.

Process for a Node to Join a Local MANET.
When a node, say node $A_j$, wishes to join a local MANET, it needs to send a request message to the local super node in the form of:
Join Request $y_j$ $T$, (12)
where $y_j$ is the public key of node $A_j$, and $T$ is a timestamp. After receiving this request message, the super node has to determine the relative location of this node according to the direction and strength of the request signal provided by nodes that also received this message. The super node will determine where the node should be located in the local MANET logically. Then the super node will broadcast a message in the following format to inform the local MANET that node $y_j$ will be joining the local MANET in between node $y_i$ and node $y_{i+1}$: where $T$ is a timestamp.

Process for a Node to Leave a Local MANET.
A node can leave a local MANET either positively or passively. For positive leaving, the node, say node $A_j$, is aware that it is leaving the local MANET. It will send a request message to the local super node in the format of: where $y_j$ is the public key of node $A_j$, and $T$ is a timestamp. For passive leaving, the node will just leave the local MANET without informing anyone. The super node will discover a node's leaving through message transmission failure and Hello message detection. When a super node is aware of a node's leaving through either of the two manners, it will inform all of the local MANET members through broadcasting a message: which means a node with public key $y_j$ has left the local MANET, and it should be removed from the local MANET.

Anonymous Communications between Two Arbitrary Super Nodes.
In the previous subsections, we present the mechanism that allows two arbitrary nodes to communicate anonymously within the same MANET. This includes communications between two super nodes in the same MANET. For any two arbitrary super nodes in different MANETs to communicate anonymously, we will first introduce the concept of anonymous authentication or secret handshake by Balfanz et al. [27]. Anonymous authentication allows two nodes in the same group to authenticate each other secretly in the sense that each party reveals its group membership to the other party only if the other party is also a group member. Nonmembers are not able to recognize group members. The scheme consists of a set of super nodes and an administrator who creates groups and enrolls super nodes in groups. For this purpose, the administrator will assign each super node A a set of pseudonyms $id_1^A, \ldots, id_\tau^A$, where $\tau$ is a large security parameter. In addition, the administrator also calculates a corresponding secret set $\{g^{s_G h(id_1^A)} \bmod p, \ldots, g^{s_G h(id_\tau^A)} \bmod p\}$ for super node A, where $s_G$ is the group's secret and $h$ is a hash function. The pseudonyms will be dynamically selected and used to substitute the real IDs for each communication. This means that two super nodes A and B can know each other's group membership only if they belong to the same group.
When the super node A wants to authenticate to the super node B, the following secret handshake can be conducted:
(1) A → B: Super node A randomly selects an unused pseudonym $id_i^A$ and a random nonce $N_1$, then sends $id_i^A$, $N_1$ to super node B;
(2) B → A: Super node B randomly selects an unused pseudonym $id_i^B$ and a random nonce $N_2$, then sends . If the verification succeeds, then A knows that B is an authentic group peer. Similarly, B can verify A by checking whether V 1 N 1 N 2 1). If the verification succeeds, then B knows that A is also an authentic group peer.
However, in this authentication process, neither super node A nor super node B can get the real identity of the other node. In other words, the real identities of super node A and super node B remain anonymous after the authentication process.

Anonymous Communication between Two Arbitrary Normal Nodes.
As mentioned before, there should be no explicit exposure of the addresses of the message sender and recipient. To transmit a message, the sender first randomly selects a local super node and transmits the message to the super node according to the mechanism described before. On receiving the message, the local super node first determines the destination MANET ID by checking the message recipient flag $rF$, either 0 or 1. If it is 0, then the recipient and the super node are in the same MANET. The message can be forwarded to the recipient node using the previously described mechanism. If $rF$ is 1, then the recipient is in a different MANET. The super node forwards the message to a super node in the destination MANET as described in the previous subsection. Finally, when the super node in the recipient's local MANET receives the message, the communication again becomes local MANET communication. The message can now be transmitted in the same way as when the sender and the recipient are in the same MANET.
While providing message recipient anonymity, the message can also be encrypted so that only the message recipient can decrypt the message. The proposed anonymous communication is quite general and can be used in a variety of situations for communication anonymity in MANET, including anonymous file sharing.

Security Analysis.
In this subsection, we will analyze anonymity, impersonation attack, and replay attack of the proposed anonymous communication protocol.

Anonymity.
We will first prove that the proposed communication protocol can provide both message sender and recipient anonymity in the local MANET communications.
Proof (Sketch). First, since the number of message packages that each node receives from its immediate predecessor is the same as the number of packets that it forwards to its immediate successor, the adversaries cannot determine the message source based on the traffic volume or the number of message packets. Second, since the message packages are encrypted using either the public keys or the shared secret keys of the intermediate nodes, no adversary is able to distinguish the real meaningful message from the dummy message in the transmission in any of the network nodes, due to the traffic balance property and message content encryption. Therefore, the adversary cannot distinguish the initiator traffic from the indirection traffic and learn whether the node is a recipient, a receiver, or simply a node that provides message forward service. Consequently, both the message sender and recipient information is anonymous for the adversary attack.
For any two normal nodes in different MANETs to communicate anonymously, the communication can be broken into three segments: the communication between the sender and a local super node in the message sender's local MANET, the communication between two super nodes in the corresponding MANETs, and the communication between the recipient super node and the recipient. Theorem 5 has assured the communication anonymity between a super node and a normal node in the local MANETs. Therefore, we only need to ensure anonymity between two super nodes in different MANETs in order to achieve full anonymity between the sender and recipient.
We already described before that each super node is being assigned a large set of pseudonyms. A dynamically selected pseudonym will be used for each communication. The pseudonyms do not carry the user information implicitly. Therefore, the adversary cannot get any information of the super nodes from the network. This result can be summarized into the following theorem.

Impersonation Attacks.
For an adversary who elects to perform an impersonation attack on a normal node, he needs to be able to conduct a forgery attack. We already proved in Theorem 4 that this is infeasible. Therefore, we only need to consider whether it is feasible for an adversary to forge a super node.
For an adversary to impersonate a super node, he needs to be able to authenticate himself with a super node A. This requires the adversary $\mathcal{A}$ to compute $g^{s_G\, id_{\mathcal{A}} \cdot id_i^A} \bmod p$, where $id_{\mathcal{A}}$ is the identity of the adversary and $id_i^A$ is the $i$th pseudonym of the super node A. However, since the adversary does not know the master secret $s_G$, he is unable to compute $g^{s_G h(id_{\mathcal{A}}) \cdot h(id_i^A)} \bmod p$ and impersonate a super node. Therefore, we have the following theorem.

Theorem 8. It is computationally infeasible for a PPT adversary A to impersonate as a super node.
Like all other network communication protocols, in our proposed protocol, an adversary may choose to drop some of the messages. However, if the immediate predecessor and the successor nodes are honest and willing to cooperate, then the messages being dropped, and the substitution of the valid messages with the dummy messages can be effectively tracked using the provided message flags.
An adversary that is elected as a super node may refuse to forward messages across the MANETs and thus block the anonymous communications between the sender and the receiver. This attack can be hard to detect if the sender does not have the capability to monitor all network traffic. However, the sender can randomly select the super nodes for each data transmission. If the nonce is properly generated, when a packet is lost, the recipient should be able to know.

Message Replay Attacks.
The message replay attack occurs when an adversary can intercept the communication packet, correlate the message to the corresponding sender and recipient, and retransmit it. We have the following theorem.
Theorem 9. It is computationally infeasible for an adversary to successfully modify/replay an (honest) node's message.
Proof (Sketch). According to (11), each message package in communication has a unique one-time session ID (nonce) to protect the message package from being modified or replayed. In addition, these fields are encrypted using the intermediate receiver nodes' public key so that only the designated receiver nodes can decrypt the message. In this way, each packet transmitted across different MANETs bears different and uncorrelated IDs and content for PPT adversaries. Therefore, it is computationally infeasible for the adversary to modify or replay any messages in the MANET. This includes the case that even if the same message is being transmitted multiple times, the adversary still cannot link them together without knowing all the private keys of the intermediate nodes.

Performance Analysis and Simulation Results
In this section, we will provide simulation results of our proposed protocol on energy consumption, communication delay, and message delivery ratio. For energy consumption, we provide simulations for both the normal nodes and the super nodes. For wireless communications, due to collision and packet drop, it is very challenging to assure a high message delivery ratio. However, our simulation results demonstrate that the proposed protocol can achieve a high message delivery ratio (Figure 2).
Our simulation was performed using ns-2 on a Linux system. In the simulation, the target area is a square field of size 2000 × 2000 meters. There are 64 rings located in this area. The number of the nodes on each ring, that is, the ring length, is set to be from 7 to 16 in our simulation. The message generation interval is set to four different values for comparison: 60 seconds, 90 seconds, 120 seconds, and 150 seconds. The messages transmitted in the network are 512 bytes long.

Conclusion
In this paper, we first propose a novel and efficient source anonymous message authentication scheme (SAMAS) that can be applied to any messages. While ensuring message sender privacy, SAMAS can also provide message content authenticity. To provide provable communication privacy without suffering from transmission collusion problem, we then propose a novel privacy-preserving communication protocol for MANETs that can provide both message sender and recipient privacy protection. Security analysis shows that the proposed protocol is secure against various attacks. Our performance analysis and simulation results both demonstrate that the proposed protocol is efficient and practical. It can be applied for secure routing protection and file sharing.