Route Computation Method for Secure Delivery of Secret ... - J-Stage

IEICE TRANS. COMMUN., VOL.E95–B, NO.11 NOVEMBER 2012

3456

PAPER

Route Computation Method for Secure Delivery of Secret Shared Content Nagao OGINO†a) , Member, Takuya OMI†† , Nonmember, and Hajime NAKAMURA† , Member

SUMMARY Secret sharing schemes have been proposed to protect content by dividing it into many pieces securely and distributing them over different locations. Secret sharing schemes can also be used for the secure delivery of content. The original content cannot be reconstructed by the attacker if the attacker cannot eavesdrop on all the pieces delivered from multiple content servers. This paper aims to obtain secure delivery routes for the pieces, which minimizes the probability that all the pieces can be stolen on the links composing the delivery routes. Although such a route optimization problem can be formulated using an ILP (Integer Linear Programming) model, optimum route computation based on the ILP model requires large amounts of computational resources. Thus, this paper proposes a lightweight route computation method for obtaining suboptimum delivery routes that achieve a sufficiently small probability of all the pieces being stolen. The proposed method computes the delivery routes successively by using the conventional shortest route algorithm repeatedly. The distance of the links accommodating the routes that have already been calculated is adjusted iteratively and utilized for calculation of the new shortest route. The results of a performance evaluation clarify that sufficiently optimum routes can be computed instantly even in practical large-scale networks by the proposed method, which adjusts the link distance strictly based on the risk level at the considered link. key words: route computation method, secure content delivery, secret sharing scheme, shortest route algorithm, link distance adjustment

1.

Introduction

Secret sharing schemes have been proposed to protect content by preserving it in a secure manner [1]. Secret sharing schemes divide the content into many pieces, and these pieces are stored on several different servers. In a threshold secret sharing scheme, content is divided into n pieces, and at least k (≤ n) pieces are necessary to reconstruct the original content [2]. A threshold secret sharing scheme can also be used for the reliable content delivery. In this case, the n pieces obtained from the content are delivered using redundant n routes. The original content can be delivered successfully using the remaining normal k routes even if n−k routes incur damage. A threshold secret sharing scheme can also realize the secure delivery of content. In this case, only k pieces selected from the n pieces are delivered using k routes. The original content cannot be reconstructed by an attacker even if the attacker eavesdrops on the k − 1 pieces while they are being delivered. Secure content delivManuscript received May 23, 2011. Manuscript revised April 18, 2012. † The authors are with KDDI R&D Laboratories Inc., Fujimino-shi, 356-8502 Japan. †† The author was with the University of Electro-Communications, Chofu-shi, 182-8285 Japan. a) E-mail: [email protected] DOI: 10.1587/transcom.E95.B.3456

ery can be considered equivalent to reliable content delivery where n → k and k → 1. The coding and decoding of the content can be simplified for secure content delivery based on the threshold secret sharing scheme, compared with conventional secure content delivery using encryption schemes such as VPN and SSL/TLS. In order to ensure reliable and secure content delivery, multiple delivery routes must be as disjointed as possible relative to each other so as to avoid simultaneous loss of multiple pieces and simultaneous attacks on multiple pieces. Since computation of completely disjoint routes is time consuming [3], several distributed methods for computing completely disjoint routes have been proposed [4]–[6]. Reliable content delivery is especially important in mobile ad hoc networks and delay tolerant networks with dynamic and low connectivity, and therefore application of the secret sharing schemes to these networks has been widely investigated [7]–[9]. Several methods for computing completely disjoint routes have been proposed in terms of the mobile ad hoc networks [10]–[12]. These methods mainly compute n completely disjoint routes to minimize the probability that more than n − k routes of the n routes are cut due to variations in network topology. Nevertheless, the number of routes required for reliable and secure content delivery is generally greater than the possible number of completely disjoint routes in practical backbone networks. This paper aims to obtain k routes for secure content delivery, which minimizes the probability that all the k pieces can be stolen on the links composing the delivery routes. Since this paper considers backbone networks, the required number of delivery routes k is more than the possible number of completely link-disjoint routes. Although the above route optimization problem can be formulated using an ILP (Integer Linear Programming) model, optimum route computation by solving the ILP model requires large amounts of computational resources. Thus, this paper proposes a lightweight route computation method to obtain suboptimum delivery routes that achieve a sufficiently small probability of all the pieces being stolen. The proposed method computes the k delivery routes successively by using the conventional shortest route algorithm repeatedly [13]. The distance of the links accommodating the routes that have already been calculated is adjusted iteratively and utilized for calculation of the new shortest route. Sufficiently optimum routes can be obtained instantly using the proposed method based on strict adjustment of the link distance.

c 2012 The Institute of Electronics, Information and Communication Engineers Copyright 

OGINO et al.: ROUTE COMPUTATION METHOD FOR SECURE DELIVERY OF SECRET SHARED CONTENT

3457

The proposed route computation method is explained following the problem statement in Sect. 2. The effectiveness of the proposed method is evaluated in Sect. 3. Section 4 concludes this paper. 2.

Route Computation Method for Secure Content Delivery

2.1 Objective of Route Computation Method Figure 1 shows an example of secure delivery of secret shared content retained in several different content servers. The content receiver requires delivery of k pieces from the content servers in order to reconstruct the original secret shared content. First, the content receiver requests the route computation server to compute routes for k pieces [14]. The proposed route computation method is implemented and executed on the route computation server. The route computation server stores the topology information throughout the whole network and knows the probability of eavesdropping on each link in advance. The objective of the proposed method is the computation of secure routes, which minimizes the probability that all k pieces can be stolen on the links composing the k delivery routes, allowing the attacker to reconstruct the original content. Since the proposed method is executed independently within the route computation server, it has no influence on route computation for other services. The route computation server notifies the results of route computation to the content servers. Since the length of notification messages is relatively short, they can be protected against attackers using an existing encryption scheme. Each of the k pieces is delivered to the content receiver using one of the routes notified from the route computation server. The route computation server executes the proposed method successively for each route computation request. This means that the proposed method only assumes simul-

Fig. 1

Secure delivery of secret shared content.

taneous eavesdropping on several links and discounts eavesdropping on the delivery routes for the different route computation requests. A route computation method that considers multiple requests for the same content remains a subject for further study. The possible number of completely linkdisjoint routes between the content servers and the content receiver is denoted by m. If all k pieces are stolen by eavesdropping on several links, each of the k routes is supposed to traverse one of these links. Since the number of completely link-disjoint routes is m, each of the k routes traverses a link involved in a set of m links. This means that all k pieces can be stolen only by eavesdropping on the set of m links even if the number of pieces k is greater than the number of completely link-disjoint routes m. When the probability of eavesdropping on more than m links is sufficiently small compared to the probability of eavesdropping on m links, only eavesdropping on m links needs to be considered. From the above consideration, the objective of the proposed route computation method can be defined as minimization of the probability of stealing all the pieces by eavesdropping on m links. This corresponds to minimizing the sum of the probabilities of eavesdropping on the sets of m links traversed by all k delivery routes. If the attacker has no information on the positions of the server nodes and the receiver node, the probability of eavesdropping on each link is expected to be identical and independent of each other. In this case, the objective is to minimize the number of risky combinations of m links traversed by all the delivery routes. 2.2 Formulation Using an ILP Model The route computation problem considered in this paper can be formulated using an ILP model. In the ILP model, the network under consideration is extended as shown in Fig. 2. A virtual source node is added to the considered network and is connected to the server nodes using the virtual links. Each of the k delivery routes are computed from the virtual source node to the receiver node. The server node that the k-th delivery route starts from can be known from the virtual link that the k-th route traverses. The capacity of each virtual link is set at the number of pieces that the connected

Fig. 2

Extension of considered network.

IEICE TRANS. COMMUN., VOL.E95–B, NO.11 NOVEMBER 2012

3458

server node stores. This means that the number of delivery routes starting from each server node never exceeds the number of pieces that the server node stores. While duplicated storage of the same piece in multiple server nodes can be also handled by an extension of the considered network, this paper assumes that each piece is only stored in one of the server nodes. This assures that all the k pieces delivered to the receiver node are different from each other. The possible number of completely link-disjoint routes m must be also calculated between the virtual source node and the destination node. While the capacity of each virtual link needs to be taken into account, link-disjointness between the routes is not required on the virtual links. All the links other than the virtual links are assumed to be bi-directional. The symbols used in the ILP model are defined as follows: l: Link; vl: Virtual link; n: Node; vs: Virtual source node; d: Receiver node; r: Identification of route; c: Combination of m links other than the virtual links; The constants and sets are defined as follows: m: Possible number of completely link-disjoint routes; k: Number of routes; Cvl : Capacity of virtual link vl; probl : Probability of eavesdropping on link l; L: Set of links; VL: Set of virtual links; N: Set of nodes; ninout : Set of links connecting to node n; Comb: Set of combinations of m links other than the virtual links; The variables are defined as follows: Xl (r): Integer variable indicating whether the route r (1 ∼ k) traverses the link l (=1) or not (=0); Un (r): Integer variable indicating whether the route r (1 ∼ k) traverses the node n (=1) or not (=0); Yc (r): Integer variable indicating whether the route r (1 ∼ k) traverses at least one link involved in the combination c (=1) or not (=0); Zc : Integer variable indicating whether all the routes traverse at least one link involved in the combination c (=1) or not (=0); The constraints in the ILP model are given as follows. First, the following constraints hold as the route preservation rule:  Xvl (r = 1; ∀r = 1 ∼ k vl∈V L



Xl (r) = 1;

∀r = 1 ∼ k

l∈dinout



Xl (r) = Un (r)×2;

∀n ∈ N −vs−d, ∀r = 1 ∼ k

(1)

l∈ninout

If the routes 1 through m are completely link-disjoint with

respect to each other, the following constraint holds: m 

Xl (r) ≤ 1;

∀l ∈ L − VL

(2)

r=1

Since the number of routes traversing each virtual link never exceeds the capacity of the virtual link, the following constraint holds: k 

Xvl (r) ≤ Cvl ;

∀vl ∈ VL

(3)

r=1

Since the value of Yc (r) becomes 1 only when the route r traverses at least one of m links involved in the combination c, the following constraint holds: Xl (r) ≤ Yc (r);

∀r = 1 ∼ k, ∀l ∈ c, ∀c ∈ Comb

(4)

Since the value of Zc becomes 1 only when all the routes traverse at least one of the m links involved in combination c, the following constraint holds: k 

Yc (r) − k + 1 ≤ Zc ;

∀c ∈ Comb

(5)

r=1

The objective function to be minimized is the sum of the probabilities of eavesdropping on risky combinations of m links traversed by all the routes:   SumProb = probl ; (6) Zc c∈Comb

l∈c

The final values of Xl (r) indicate the optimum route for the r-th piece. The server node selected for the r-th piece can be also known from the final values of Xvl (r). Generally, the total number of combinations of m links becomes vast even if the value of m is relatively small. Therefore, the above ILP model includes many integer variables, and solving the optimum routes from the above ILP model requires large amounts of computational resources. 2.3 Proposed Route Computation Method 2.3.1 Overall Procedure for the Proposed Method A heuristic method to compute the suboptimum delivery routes for the pieces is proposed aiming at lightweight route computation. Figure 3 is the flow chart for the proposed method. The proposed route computation method calculates each of k delivery routes sequentially using the conventional shortest route algorithm. The shortest route algorithm is applied to the extended network shown in Fig. 2 and computes the shortest route between the virtual source node and the receiver node. The server node selected for the delivery of corresponding content piece can be known from the virtual link that the computed shortest route traverses. The distance of the links accommodating the routes that have already been calculated is adjusted iteratively and utilized for calculation of the new shortest route. Although the distance

OGINO et al.: ROUTE COMPUTATION METHOD FOR SECURE DELIVERY OF SECRET SHARED CONTENT

3459

Fig. 4

Adjustment of link distance.

constraint given in advance, the route is not extended on the search tree anymore. For example, extension of a route is aborted when the number of hops in the route exceeds the permitted number of hops. Since the proposed method only executes the shortest route algorithm repeatedly, it can also handle the additive constraints such as the allowed number of hops on the computed k routes. Fig. 3

Flow chart for the proposed method.

of each virtual link is fixed at zero, the capacity of each virtual link needs to be considered in the shortest route computation. The proposed method can compute the k routes instantly since it only executes the conventional shortest route algorithm k times. The proposed method adjusts the distance of the links traversed by the existing routes every time it computes a new shortest route. The distance of the links is adjusted as follows. If a new route traverses a link accommodating an existing route, two pieces delivered by the existing and new routes are attacked simultaneously due to eavesdropping on the considered link. This means that the new route should avoid traversing the link accommodating the existing routes. The proposed method adjusts the distance of the link traversed by the existing routes to a sufficiently large value every time a new route is calculated using the shortest route algorithm. Furthermore, many pieces are attacked simultaneously due to eavesdropping on a link traversed by a great number of existing routes. This means that the distance of the link accommodating more existing routes should be adjusted to a larger value because the new route never fails to avoid the considered link. The proposed method also considers the number of existing routes traversing the link when it adjusts the distance of the link. The proposed method adjusts the link distance strictly based on the probability that the new route and the relevant existing routes are attacked simultaneously when the new route traverses the considered link. The conventional shortest routing algorithm can deal with additive constraints on the shortest route. If a route is extended from the source node and violates an additive

2.3.2 Adjustment of Link Distance in the Proposed Method In the proposed method, the distance of the link l that no existing route traverses is set at the probability of eavesdropping on the link probl . In contrast, the distance of the link that the existing routes traverse is adjusted according to the risk level of the link. Figure 4 explains the method for adjusting the distance of the link traversed by the existing routes. In Fig. 4, four routes R1 through R4 have already been calculated. When the fifth route R5 is calculated, the distance of the links traversed by existing routes R1 through R4 is adjusted as follows. Here, symbols R1 through R4 also indicate sets of links comprising routes R1 through R4, respectively. When route R5 traverses either link n10-n11 or link n20-n21, three pieces delivered by route R5, in addition to existing routes R1 and R2 traversing either link n10-n11 or link n20-n21, are attacked simply by eavesdropping on two links. When route R5 traverses link n10-n11, the three pieces are attacked by eavesdropping on link n10-n11 and one of the links accommodating route R2. Therefore, the probability that all three pieces are stolen by eavesdropping on link n10-n11 and another link is given by the following expression:  probl ; (7) Probn10-n11 = probn10-n11 l∈R2

When route R5 traverses link n20-n21, the three pieces are attacked by eavesdropping on link n20-n21 and one of the links accommodating route R1. Therefore, the probability that all three pieces are stolen by eavesdropping on link n20n21 and another link is given by the following expression:

IEICE TRANS. COMMUN., VOL.E95–B, NO.11 NOVEMBER 2012

3460

Probn20-n21 = probn20-n21



probl ;

(8)

l∈R1

The distance of link n10-n11 is adjusted proportionally to the probability that the new route and the relevant existing routes traversing either link n10-n11 or link n20-n21 are stolen by eavesdropping on link n10-n11 and another link when the new route traverses link n10-n11. In the same way, the distance of link n20-n21 is adjusted proportionally to the probability that the new route and the relevant existing routes traversing either link n10-n11 or link n20-n21 are stolen by eavesdropping on link n20-n21 and another link when the new route traverses link n20-n21. This means that ratio of the distance for links n10-n11 and n20-n21 is expressed as follows: Distn10-n11 : Distn20-n21 = Probn10-n11 :Probn20-n21  = probn10-n11 probl : probn20-n21 probl l∈R1 l∈R2    = probn10-n11 probl : probn20-n21 probl ; l∈R1

(9)

l∈R2

From the above expression (9), the link distance is adjusted proportionally to the probability of just eavesdropping on the considered link and is inversely proportional to the probability that the existing routes traversing the considered link are attacked simply by eavesdropping on a link. If the probability of eavesdropping on each link is identical, the adjusted link distance is simply inversely proportional to the number of links that accommodate the existing routes traversing the considered link. As another example, when route R5 traverses either link n20-n21 or link n30-n31, four pieces delivered by route R5, in addition to existing routes R2, R3, and R4 traversing either link n20-n21 or link n30-n31, are attacked simply by eavesdropping on two links. When route R5 traverses link n20-n21, the four pieces are attacked by eavesdropping on link n20-n21 and one of the links accommodating both routes R3 and R4. Therefore, the probability that all four pieces are stolen by eavesdropping on link n20-n21 and another link is given by the following expression:  probl ; (10) Probn20-n21 = probn20-n21 l∈R3∩R4

When route R5 traverses link n30-n31, the four pieces are attacked by eavesdropping on link n30-n31 and one of the links accommodating route R2. Therefore, the probability that all four pieces are stolen by eavesdropping on link n30n31 and another link is given by the following expression:  probl ; (11) Probn30-n31 = probn30-n31 l∈R2

The distance for link n20-n21 is adjusted proportionally to the probability that the new route and the relevant existing routes are stolen by eavesdropping on link n20-n21 and another link when the new route traverses link n20-n21. In the same way, the distance for link n30-n31 is adjusted

proportionally to the probability that the new route and the relevant existing routes are stolen by eavesdropping on link n30-n31 and another link when the new route traverses link n30-n31. This means that the ratio of the distance for links n20-n21 and n30-n31 is expressed as follows: Distn20-n21 : Distn30-n31 = Probn20-n21 : Prob  n30-n31  = probn20-n21 probl : probn30-n31 probl l∈R3∩R4  l∈R2   = probn20-n21 probl : probn30-n31 probl ; (12) l∈R2

l∈R3∩R4

From expression (12), the link distance is adjusted proportionally to the probability of just eavesdropping on the considered link and is inversely proportional to the probability that all existing routes traversing the considered link are attacked simply by eavesdropping on a link. If the probability of eavesdropping on each link is identical, the adjusted link distance is simply inversely proportional to the number of links that accommodate all existing routes traversing the considered link. Finally, the distance of link l traversed by the existing routes Ri is adjusted as follows:   Distl = W × probl probl ; (13) l ∈



Ri

l∈Ri

Here, symbol W indicates a sufficiently large link weight. Generally, the distance of the link traversed by a greater number of existing routes increases because the number of links that accommodate all existing routes traversing the considered link tends to decrease. When the probability of eavesdropping on each link is identical and regarded as 1.0, the value of W must be larger than the total number of links in the network so that the distance of the link traversed by the existing routes can be larger than 1.0. The proposed method adjusts the link distance using expression (13) and computes the new shortest route based on the adjusted link distance. The suboptimum routes for k pieces can be obtained sequentially using the proposed method. 3.

Performance Evaluation of Proposed Method

3.1 Evaluation in a Small-Scale Network The performance of the proposed route computation method is evaluated for a small-scale network. Figure 5 shows the evaluated small-scale network with the NSFNET topology composed of 21 bi-directional links [15]. Here, the probability of eavesdropping on each link is assumed to be identical. Thus, the number of risky combinations of m links that all the delivery routes traverse corresponds to the probability that the original content is reconstructed by the attacker due to eavesdropping on m links. The delivery routes are computed using a CPU with a clock speed of 3.0 GHz and RAM with a capacity of 2.0 GB. The numbers of risky combinations of m links derived from three kinds of route computation methods are

OGINO et al.: ROUTE COMPUTATION METHOD FOR SECURE DELIVERY OF SECRET SHARED CONTENT

3461 Table 2

Fig. 5

Number of risky link combinations.

Evaluated small-scale network.

Table 1

Evaluation scenarios.

compared in this subsection. The first route computation method denoted by “Optimum method” directly solves the ILP model formulated in Sect. 2.2 to obtain the optimum routes. All the values of probl are set at 1.0 in the objective function (5). The second route computation method denoted by “Disjoint method” computes the suboptimum routes with the least number of common links sequentially based on the adjusted link distance. The distance of the links traversed by the existing routes that have already been calculated is adjusted to a constant large value of 1000.0 while the distance of the links traversed by no existing route remains at 1.0. The third route computation method denoted by “Proposed method” corresponds to the proposed method. As explained in Sect. 2.3, the suboptimum routes are computed successively, while the distance of the links is adjusted on the basis of the security level at the links. In expression (12), the value of W is set to 1000.0, and all the values of probl are set to 1.0. The distance of the links traversed by no existing route remains at 1.0. Table 1 explains eight different scenarios evaluated in this subsection. Each server node is assumed to preserve a sufficient number of pieces in all scenarios shown in Table 1. The positions of the server nodes and the receiver node are different in each scenario. However, the value of m, i.e. the possible number of completely link-disjoint routes, is 3 in all the scenarios. Table 2 shows the numbers of risky combinations of m (=3) links traversed by all the delivery routes, which are derived from the delivery routes computed by the three route computation methods. The total number of combinations of m (=3) links is 1330 since the total number of links is 21 in the evaluated small-scale network. Thus, the number of integer variables Yc (r) and Zc in the ILP model

formulated in Sect. 2.2 is relatively large even in the evaluated small-scale network. This means that the optimum delivery routes cannot be computed due to insufficient memory resources when the number of delivery routes exceeds five. When the number of delivery routes is five, the optimum route computation takes approximately 2000 seconds. When the number of delivery routes is three, the numbers of risky link combinations derived from the three methods are identical in each scenario. This indicates that both the disjoint method and the proposed method can correctly compute the possible completely link-disjoint routes sequentially, avoiding the trap problem in all evaluation scenarios [16]. As expected, the number of risky link combinations can be reduced when the number of delivery routes increases. Furthermore, the number of risky link combinations can also be reduced when the number of server nodes increases. The number of risky link combinations derived from the proposed method is smaller than that derived from the disjoint method. This is because the proposed method can adjust the distance of the link more strictly based on the number of calculated routes traversing the link. The number of routes accommodated in the link can be regarded as reflecting the risk level at the considered link. As shown in Table 2, the proposed method can compute the sufficiently optimum delivery routes that result in a small number of risky link combinations. In particular, the proposed method can compute the strictly optimum de-

IEICE TRANS. COMMUN., VOL.E95–B, NO.11 NOVEMBER 2012

3462 Table 3

Evaluated large-scale random networks.

livery routes in evaluation scenarios (A) and (C). In these evaluation scenarios, the number of risky link combinations derived from the proposed method becomes identical to that derived from the optimum method. The route computation time required for the disjoint method and the proposed method is less than one second in all the evaluation cases shown in Table 2. 3.2 Evaluation in Large-Scale Networks The performance of the proposed route computation method is evaluated for practical large-scale networks [17]. Three large-scale random networks composed of 25 nodes, 50 nodes, and 100 nodes are evaluated. The performance evaluation is executed using 10 random networks with the same number of nodes. Table 3 shows the probability of link existence, the average number of links, and the average node degree in the 10 random networks for each number of nodes. The probability of eavesdropping on each link is also assumed to be identical in this subsection. Thus, the number of risky combinations of m links traversed by all the delivery routes is evaluated as the performance measure. The delivery routes are computed using a CPU with a clock speed of 3.0 GHz and RAM with a capacity of 2.0 GB. A receiver node and five server nodes between which the possible number of completely link-disjoint routes is four are selected randomly in each network. The optimum method cannot compute the delivery routes due to insufficient memory resources in the evaluated large-scale networks. Therefore, the numbers of risky combinations of m (=4) links traversed by all the delivery routes are only derived from the disjoint method and the proposed method. Table 4 shows the numbers of risky link combinations derived from the delivery routes computed by the disjoint method and the proposed method. Table 4 indicates the average number of risky link combinations in the 10 random networks with the same number of nodes. Each server node is assumed to preserve a sufficient number of pieces. The route computation time required for the disjoint method and the proposed method is only a few seconds in all the evaluation cases shown in Table 4. The number of risky link combinations can also be reduced in the large-scale networks as the number of delivery routes increases. When the average node degree is constant in the random network, the average route length is proportional to the logarithm of the total number of nodes while the number of links is proportional to the total number of nodes. This means that the average number of risky link

Table 4

Average number of risky link combinations.

combinations is slightly reduced when the total number of nodes increases as shown in Table 4. The average number of risky link combinations derived from the proposed method is smaller than that derived from the disjoint method. This is because the proposed method can adjust the distance of the links more strictly based on the risk level. When the number of delivery routes is not particularly large, the shortest routes with the least number of common links to each other tend to concentrate on a few links. The proposed method can distribute those routes more effectively as the number of delivery routes increases. This results from the fact that the proposed method also considers the number of routes traversing each link during the adjustment of the link distance. For this reason, the proposed method can reduce the number of risky link combinations rapidly when the number of delivery routes increases. When the number of delivery routes further increases, the disjoint method can also distribute the delivery routes throughout the whole network. Therefore, the number of risky link combinations in the disjoint method is also reduced when the number of delivery routes is relatively large. 4.

Conclusions

Secret sharing schemes can realize secure delivery of content. The original content cannot be reconstructed by the attacker if all the pieces are not eavesdropped on their delivery routes. This paper proposed a lightweight route computation method for minimizing the probability of eavesdropping on all the pieces on the links composing the delivery routes. The proposed method computes the suboptimum delivery routes successively using the conventional shortest route algorithm repeatedly. The distance of the links accommodating the routes that have already been calculated is adjusted iteratively and utilized for calculation of the new shortest route. In the proposed method, the link distance can be adjusted strictly according to the risk level of the considered link. The results of the performance evaluation clarified that the proposed method can compute the sufficiently optimum routes instantly even in practical large-scale networks, while the optimum route computation based on the ILP model requires large amounts of computational resources even in a small-scale network. The proposed method can distribute the delivery routes effectively and reduce the probability of eavesdropping on all the pieces on the delivery routes, even

OGINO et al.: ROUTE COMPUTATION METHOD FOR SECURE DELIVERY OF SECRET SHARED CONTENT

3463

if the shortest link-disjoint routes between the server nodes and the receiver node tend to concentrate on a few links. Acknowledgments The authors would like to thank Dr. Nakajima, president & CEO, and Dr. Hasegawa, executive director, of KDDI R&D Laboratories Inc. for their encouragement throughout the study. References [1] G.J. Simmons, “An introduction to shared secret and/or shared control schemes and the application,” Contemporary Cryptology: The Science of Information Integrity, pp.441–497, 1992. [2] A. Shamir, “How to share a secret,” Commun. ACM, vol.22, no.11, pp.612–613, Nov. 1979. [3] J.W. Suurballe, “Disjoint paths in a network,” Netw., vol.4, pp.125– 145, 1974. [4] D Sidhu, R. Nair, and S. Abdallah, “Finding disjoint paths in networks,” Proc. ACM SIGCOMM’91, pp.43–51, 1991. [5] W. Lou and Y. Fang, “A multipath routing approach for secure data delivery,” Proc. IEEE MILCOM 2001, pp.1467–1473, 2001. [6] A. Bagchi, A. Chaudhary, M.T. Goodrich, and S. Xu, “Constructing disjoint paths for secure communication,” Springer Lect. Notes Comput. Sci., vol.2848, pp.181–195, 2003. [7] L. Zhou and Z.J. Haas, “Securing ad hoc networks,” IEEE Netw. Mag., vol.13, no.6, pp.24–30, Nov./Dec. 1999. [8] S. Jain, M. Demmer, R. Patra, and K. Fall, “Using redundancy to cope with failures in delay tolerant networks,” Proc. ACM SIGCOMM’05, pp.109–120, 2005. [9] A. Fourati and K. Al Agha, “A shared secret-based algorithm for securing the OLSR routing protocol,” Telecommunication Systems, vol.31, no.2/3, pp.213–226, 2006. [10] S-J. Lee and M. Gerla, “Split multipath routing with maximally disjoint paths in ad hoc networks,” Proc. IEEE ICC 2001, pp.3201– 3205, June 2001. [11] A. Tsirigos and Z.J. Haas, “Multipath routing in the presence of frequent topological changes,” IEEE Commun. Mag., vol.39, no.11, pp.132–138, Nov. 2001. [12] W. Lou, W. Liu, and Y. Fang, “SPREAD: Enhancing data confidentiality in mobile ad hoc networks,” Proc. IEEE INFOCOM 2004, 2004. [13] E.W. Dijkstra, “A note on two problems in connexion with graphs,” Numerische Mathematik, vol.1, pp.269–271, 1959. [14] T. Takeda, E. Oki, I. Inoue, K. Shiomoto, K. Fujihara, and S. Kato, “Implementation and experiments of path computation element based backbone network architecture,” IEICE Trans. Commun., vol.E91-B, no.8, pp.2704–2706, Aug. 2008. [15] R. Ramaswami and K.N. Sivarajan, “Design of logical topologies for wavelength-routed optical networks,” IEEE J. Sel. Areas Commun., vol.14, no.5, pp.840–851, June 1996. [16] B.V. Canegem, W.V. Parys, F.D. Turck, and P.M. Demeester, “Dimensioning of survivable WDM networks,” IEEE J. Sel. Areas Commun., vol.16, no.7, pp.1146–1157, Sept. 1998. [17] N. Spring, R. Mahajan, D. Wetherall, and T. Anderson, “Measuring ISP topologies with rocketfuel,” IEEE/ACM Trans. Netw., vol.12, no.1, pp.2–16, Feb. 2004.

Nagao Ogino received his B.E., M.E., and Dr.E. degrees from the University of Tokyo, in 1977, 1979 and 1982, respectively. He joined the Research and Development Laboratories of Kokusai Denshin Denwa Co. Ltd. (currently KDDI) in 1982, and has been engaged in research on ATM networks, Intelligent Networks, and telecommunication software engineering. He was a supervisor at ATR Adaptive Communications Research Laboratories from 1996 until 2000, and was engaged in research on multi-agent based adaptive systems and market-based resource allocation schemes. He is currently a senior research engineer of Communications Network Planning Laboratory at KDDI R&D Laboratories Inc. and a guest associate professor at Electro-Communications University. His current interests include traffic engineering in future networks and platform technology for personalized services.

Takuya Omi received his B.E. and M.E. degrees from the University of ElectroCommunications, in 2009 and 2011, respectively. He is currently working for NEC Infrontia Corporation in Tokyo. His interests include the content delivery networks and peer-to-peer networks.

Hajime Nakamura received his B.E., M.E., and Ph.D. degrees from Waseda University, Tokyo in 1988, 1990, and 2002, respectively. He joined the Research and Development Laboratories of Kokusai Denshin Denwa Company Ltd. (currently KDDI) in 1990, and has been engaged in research on communications network design and planning. His current research interests include the architecture of next-generation telecommunication networks. He is currently a senior manager in Communications Network Planning Laboratory of KDDI R&D Laboratories Inc. He received the Young Engineer Award of the IEICE in 1996, Best Paper Award of the IEICE in 1998 and 2002, Information Network Research Award of the IEICE in 2002 and 2006, and Best Paper Award of APSITT 2005.