Anonymous communication.

The Tor network is extensively utilized for anonymous communication; however, its present low-latency architecture makes it highly vulnerable to traffic analysis. This susceptibility has been shown through both theoretical research and empirical evidence [14, 15].

Mixing networks (mixnets) [2] bolster protection against traffic analysis by incorporating higher latency through multiple hops and blending messages at one or more trusted nodes. Over the past forty years, various mixnet-inspired protocols [7, 16] have been devised to combat traffic analysis attacks. Despite their effectiveness, these protocols often involve significant latency overheads, typically lasting several seconds, which are impractical for applications such as browsing, messaging, and video calls. Additionally, mixnets are inherently fragile; the failure or crash of a single node can result in message loss.

Layered encryption is also a fundamental concept in onion routing. In this technique, the sender selects a random path of “somewhat trusted” routers and encrypts the packet in multiple layers, each corresponding to a router along the path. Each router removes one layer of encryption, with the final router decrypting the innermost layer and delivering the content to the intended recipient. The Tor network [3], the most widely used anonymous communication system, relies on onion routing as its core mechanism.

Dissent [17, 18] introduces semi-trusted servers to make dining cryptographers networks (DCnets) [19] practical on a reasonable scale. This approach ensures anonymity as long as at least one server is honest. Additionally, Dissent offers accountability, a feature often overlooked in most anonymous communication protocols. However, Dissent depends on the assumption that all members remain connected and send correctly signed messages throughout each round. Moreover, excluding a single disruptor is time-consuming, requiring O(N) time.

In [20], a novel approach to creating a coercion-resistant voting system is detailed through the introduction of VoteXX. This system features a unique mechanism where votes can be nullified by designated trusted agents known as “hedgehogs.” In this scheme, each voter is assigned two sets of public-private key pairs. Without disclosing their private keys, voters register their public keys with the election authority. Additionally, voters have the option to share their keys with one or more hedgehogs, adding an extra layer of security and ensuring the integrity of the voting process.

Secure multi-party computation (MPC) [21] has been suggested as a method to implement commit-and-reveal functionality while ensuring anonymous input disclosure, a concept also known as anonymous committed broadcast (ACB). This approach [22] anonymizes inputs by randomly shuffling them efficiently. Honest-majority MPC protocols are preferred in this context because they guarantee the correctness of the output as long as the majority of participants are honest.

Asynchronous BFT.

Among Byzantine Fault Tolerant (BFT) protocols, completely asynchronous BFT protocols have gained renewed attention due to their inherent robustness. Once considered primarily theoretical, recent implementations of asynchronous BFT systems—such as HALE [23], Dumbo [24], and FACOS [25]—have demonstrated performance levels comparable to their partially synchronous counterparts. Asynchronous Byzantine Fault Tolerant (BFT) protocols offer significant advantages, including robustness to unpredictable network conditions, improved security by being less vulnerable to timing attacks, higher resilience to network partitioning and delays, better scalability for large and geographically distributed systems, and greater flexibility in adapting to various network environments. These qualities make asynchronous BFT protocols particularly well-suited for decentralized and distributed systems where network reliability and timing cannot be guaranteed.

Dashing and Star propose a BFT mechanism that utilizes weak certificates, enhancing the protocol’s resilience while maintaining efficiency under Byzantine conditions [26]. Similarly, FIN introduces a practical, signature-free asynchronous common subset that operates in constant time, offering a significant improvement in consensus protocols by removing the reliance on digital signatures [27]. Sharding blockchains have also seen innovations aimed at improving cross-shard consensus. CHERUBIM introduces a quadruple pipelined two-phase commit mechanism for secure and highly parallel cross-shard consensus [28], while another protocol proposes a flexible sharding mechanism based on cross-shard BFT to enhance the scalability and security of blockchain systems [29].

Trust and reputation systems.

In the realm of federated learning and digital twin systems, trust evaluation is crucial. The TFL-DT scheme offers a novel approach to trust evaluation within federated learning, specifically tailored for mobile networks, ensuring that digital twins can be effectively managed and secured [30]. Furthermore, PPRU introduces a privacy-preserving reputation updating scheme for cloud-assisted vehicular networks, addressing the critical need for privacy and trust in such dynamic environments [31].

Deficient fault tolerance mechanisms.

Most existing anonymous communication protocols suffer from inadequate fault tolerance, which can have severe implications for system efficiency and reliability. In these systems, a single point of failure—such as a malfunctioning node or a network partition—can lead to significant disruptions, including service outages or data loss. This lack of fault tolerance means that the system may be unable to recover quickly or gracefully from failures, resulting in degraded performance or complete system collapse. Effective fault tolerance is essential to ensure that the system can maintain its functionality and performance even when some nodes fail or exhibit faulty behavior. This involves implementing mechanisms to handle node failures, such as redundancy, error detection, and recovery strategies, to minimize the impact of individual failures and enhance the overall robustness of the communication protocol. Without such measures, anonymous communication systems are vulnerable to reliability issues, which can undermine user trust and system effectiveness.

Additionally, the absence of a leader mechanism within node groups further exacerbates fault tolerance issues. A leader node is crucial for coordinating and managing communication, and without it, systems can experience inefficient communication processes and increased vulnerability to faults. This lack of coordination can significantly impact the system’s reliability and overall performance.

Lack of evaluation and punishment mechanism.

Existing systems often lack effective reputation mechanisms to evaluate and incentivize nodes. Without such mechanisms, the system may struggle to maintain high standards of performance and reliability, leaving it vulnerable to malicious or suboptimal nodes. Traditional systems also struggle with detecting and mitigating malicious nodes. Techniques such as random partial checking and trap messages are employed to detect faults but do not provide robust solutions for penalizing or preventing malicious activities. Random partial checking offers only probabilistic guarantees, while trap messages can identify the presence of a malicious node but not its specific source.

High computational costs.

The computational costs associated with multi-signatures can be substantial, which poses challenges to system efficiency and scalability. Multi-signature schemes often require extensive cryptographic operations to sign and verify messages, leading to increased processing time and resource consumption. This can be particularly problematic in large-scale networks where frequent communication and numerous transactions are expected. High computational overhead can slow down the system and increase latency, impacting the user experience and system performance. To address this, improved multi-signature schemes with public key aggregation are needed to optimize performance. These advanced schemes aim to reduce the computational burden by aggregating multiple signatures into a single, compact form, thus lowering the overall resource usage and enhancing the system’s scalability while maintaining robust security standards.

Our contributions.

This paper offers several key contributions to anonymous communications:

• To address the problem of insufficient effective node evaluation and incentive mechanisms within the system, we introduce a novel reputation-based mechanism in SRFACS. This mechanism dynamically updates the node groups based on their historical activity and reliability. By evaluating nodes through their past performance, the system not only helps in identifying and mitigating faulty or malicious nodes but also encourages all nodes to maintain high standards of performance and reliability.
• SRFACS enhances fault tolerance and manages single points of failure by incorporating an improved Asynchronous Byzantine Fault Tolerance (ABFT) protocol. We use this protocol to expand the traditional communication nodes into structured node groups and handles up to (n − 1)/3 faulty nodes within these groups, enhancing fault tolerance and maintaining continuous operation, especially in asynchronous environments. With ABFT, SRFACS ensures continuous and reliable operation even in the presence of numerous faulty nodes, thereby improving the overall robustness of anonymous communication systems.
• To efficiently manage inter-group communication, SRFACS utilizes leader nodes to coordinate and streamline communication processes. To mitigate the risks associated with leader failures, we have implemented an efficient leader change protocol that promptly replaces defective leaders, ensuring uninterrupted system performance. Additionally, to prevent erroneous leader actions from compromising the system, we have introduced an advanced multi-signature scheme. This approach secures communication and reduces computational overhead by requiring multiple signatures for verification processes. Through rigorous security analysis and component performance evaluation, we can confirm that SRFACS shows the potential of scalability and effectiveness in anonymous communication networks.

The rest of this paper is organized as follows. In the Building Blocks section, we detail the building blocks used in our SRFACS scheme, including cryptographic techniques and protocols. The SRFACS Preliminary section outlines the assumptions and foundational elements needed to ensure the system’s secure operation. In the SRFACS Design section, we present our approach to integrating various components, including the reputation mechanism, the ABFT protocol, and the multi-signature process. The Security Analysis section assesses the robustness and reliability of the system against various threats. The Performance Evaluation section provides a detailed analysis of SRFACS’s performance, focusing on tests of key components to demonstrate the effectiveness of our methods. Finally, the Conclusion section summarizes our findings and discusses potential future research directions.

MSP (Pairing-based multi-signature with public-key aggregation).

We adopt the MSP scheme proposed by [32], which is based on bilinear pairings. This scheme achieves signature aggregation and key aggregation and is resilient against rogue key attacks [33]. In order to better adapt to our system, we have made adjustments. As shown in Algorithm 1, the description is as follows:

Algorithm 1 MSP Signature Scheme

1: System Initialization:

2: Generate security parameters and public parameters:

3:  params = (q, G₁, G₂, G_t, e, g₁, g₂)

4:

5: Key Generation:

6: for each signer i do

7:  Generate private key:

8:   

9:  Compute public key:

10:   

11: end for

12:

13: Key Aggregation:

14: Aggregate public keys:

15:  

16:

17: Signature Generation:

18: Map message m to a group element:

19:  H(m) ∈ G₁

20: for each signer i do

21:  Generate partial signature:

22:   

23: end for

24:

25: Signature Aggregation:

26: Aggregate partial signatures:

27:  agg = ∏s_i

28:

29: Signature Verification:

30: Verify if:

31:  

MSP.Init: Pg(λ) initializes the parameters par to establish a bilinear group (q, G₁, G₂, G_t, e, g₁, g₂), where G₁, G₂, and G_t are groups of prime order q, and g₁ and g₂ are generators of G₁ and G₂ respectively. The function e denotes a valid non-degenerate bilinear mapping e: G1 × G₂ → G_t. Additionally, the hash functions H₀ and H₁ and the parameter par are output as follows:

MSP.KeyGen: After initialization, each node i generates a unique key pair according to the following formula: a private key msk_i, a public key mpk_i, by selecting a random number random, and then publishes the public key to the network, where i represents the Node ID.

MSP.AggMpk(mpkList) → apk: Generate the aggregated public key apk according to the following formula, where mpkList is the set of public keys, a_i ← H1: (mpk_i, {mpk₁, …, mpk_n}).

MSP.Sig(par, mpkList, msk, m) → s_i: Nodes use par, mpkList, msk, and m to generate a BLS signature for the current round message m and send it to the Leader.

MSP.Agg({s_i}) → agg: The leader node generates the aggregated signature agg upon receiving the signatures {s_i}.

MSP.AggVf(par, apk, agg, m) → 1:Inputs par, apk, agg, m, output 1 if and only if the following equation holds true, indicating successful verification and valid signature:

Threshold encryption.

Threshold Public-Key Encryption (TPKE) is a cryptographic primitive that enables any party to encrypt a message using a master public key [34, 35], requiring network nodes to collaboratively decrypt it. The interface of a threshold scheme includes:

• TPKE.Setup(1^λ) → PK, SK_i: Generates a public encryption key PK and secret keys for each party SK_i.
• TPKE.Enc(PK, m) → C: Encrypts a message m.
• TPKE.DecShare(SK_i, c) → σ_i: Produces the i-th share of the decryption.
• TPKE.Dec(PK, C, i, σ_i) → m: Combines decryption shares i, σ_i from at least f + 1 parties to recover the plaintext m.

Byzantine reliable broadcast (RBC).

In RBC, a designated sender (one of the replicas) disseminates a message to all other replicas. The protocol ensures:

• Agreement: If two correct replicas receive messages m and m′, then m = m′.
• Totality: If some correct replica delivers a message m, all correct replicas deliver m.
• Validity: When a correct sender broadcasts a message m, it will be received by all correct replicas.
• Integrity: Every correct replica delivers a message m from sender p at most once. If p is correct, then m was previously broadcast by p.

Asynchronous binary agreement (ABA).

ABA enables replicas to agree on a single bit value, exhibiting the following properties:

• Validity: If all correct replicas have the same input value v, correct replicas will deliver v.
• Agreement: If a correct replica delivers v and another correct replica delivers v′, then v = v′.
• Termination: All correct replicas eventually deliver a binary value with probability 1.

Algorithm 2 Leader Change Protocol

1: procedure Leader Change Protocol

2:  Monitoring Phase:

3:  while True do

4:   Leader node k sends heartbeat messages to other nodes

5:   if node i does not receive heartbeat from k within timeout then

6:    Initiate leader change

7:    break

8:   end if

9:  end while

10:

11:  Broadcasting Phase:

12:  Node i broadcasts 〈Request, j, k, i〉 to all nodes

13:  Select node j with the highest RS score as the next candidate leader

14:

15:  Update Phase:

16:  if node j receives f + 1 request messages then

17:   Consensus on leader change is reached

18:   Node j broadcasts 〈Reply, j, k, C〉 to all nodes

19:   All nodes update their leader node information to j

20:   All nodes inform the management center (MC)

21:   if MC receives 2f + 1 change messages then

22:    MC updates the node information list

23:    MC sets the RS of node k to zero

24:    Node j starts its operation as the new leader

25:   end if

26:  end if

27: end procedure

Monitoring phase.

The leader node k periodically sends heartbeat messages to other nodes within AsynGroup, declaring itself as the Leader node, while other non-Leader nodes also wait to receive heartbeat messages. Certain circumstances may prevent these messages from being received, indicating a potential failure of the leader node k. If node i does not receive heartbeat messages from the leader node k within a certain period, it is assumed that the leader node has failed, and a request for a leader node change is initiated.

Broadcasting phase.

Node i broadcasts a message requesting node change <Request, j, k, i>to all replicas within AsynGroup, where j is the next candidate (with the highest RS score) node ID. If there are nodes with the same score, the one with the smaller Node ID is given priority.

Update phase.

Upon receiving f + 1 request node change messages, the new leader node j considers consensus reached for node change. The new leader node j broadcasts a reply message <Reply, j, k, C>to notify all nodes of the leader node change. This message includes the new Leader node information C. All nodes within AsynGroup update their local leader node information lists accordingly.

All nodes send leader node change information <Change, j, k, i>to MC. After receiving 2f + 1 change messages, MC updates the node information list, sets the RS of the failed leader node k to zero, and the new leader node begins operation. Communication terminates during protocol execution, and after the protocol ends, MR will initiate a new communication request.

Reputation update.

In the protocol, each node is required to maintain a local node information list obtained from MC. The initial RS of all nodes in MC is set to 1. At the beginning of each epoch, we calculate the RS of network nodes based on events from the previous epoch. The process is detailed as follows:

1. Node Evaluation: Our reputation score (RS) is calculated based on events throughout the entire epoch. The reputation score (RS) is used as the criterion for selecting nodes as candidates for the next epoch’s AsynGroup. In our reputation model, we have identified three important parameters for this evaluation along with their respective weight coefficients:

1)Participation Degree: During anonymous communication, we consider whether nodes actively participate in the AsynGroup’s intra-group asynchronous ABFT consensus during the recent anonymous communication rounds [37]. Participation is partially defined as follows: (1)

Our parameter S_p is defined as Eq (2): (2)

2) Credit: If a node can correctly complete the MSP signature algorithm process, its credibility will be higher. We define the terms as follows:

Complete signature correctly.

When a node’s aggregated signature passes the MSP. AggVf verification, we consider the node to have completed the signing process correctly.

C_sc represents the number of correct completions by the node in the recent rounds. C_se represents the number of error completions by the node. T_total represents the total number of communications in the recent rounds, where γ₁ and γ₂ are weight parameters. γ₂ is much larger than γ₁. The parameters are defined as Eq (3): (3)

3) Bandwidth: We consider the average network bandwidth performance of nodes in recent rounds (Bi) and set the threshold level Bt to 500 Mbps. The parameter is defined as Eq (4): (4)

2. Update: Our reputation updates are based on events in each round, to better track node behavior at different stages, mitigate the long-term impact of early node behavior on reputation, and more accurately reflect its current reputation status, we assume that the current round in which AsynGroup nodes start participating in anonymous communication is denoted as v. After passing through k rounds, it reaches v1, and after passing through another k rounds, it reaches v′. At this point, one epoch is completed, updating all AsynGroup nodes, and MC reconfiguring AsynGroup. We divide the evaluation into two stages, that is, reputation is evaluated every k rounds. For example, the evaluation of the first k rounds of v1 is as Eq (5): (5)

Following the combination of reputation evaluations in two stages, our update formula is as Eq (6): (6) where χ is the forgetting factor: (7)

After completing an entire Epoch, the system collects the above-mentioned metric data for nodes. Based on the algorithm, it calculates the RS of each node and stores it in the system.

AsynGroup Update: After evaluating all nodes, MC sorts the nodes in the node information list from high to low based on RS (if RS is the same, nodes with smaller IDs are placed in front). The top 36 nodes in the node information list are selected as candidate high-scoring nodes for the next Epoch’s AsynGroup, with the top four nodes being leaders of each group. MC will add the selected new high-scoring nodes to the system in order. Each node updates its local list based on MC’s information. After the update, the system reconfigures the network settings of the nodes to ensure that they can connect to the system properly.

Through the above implementation steps, the system can dynamically configure nodes participating in anonymous communication better, selecting high-quality nodes based on their reputation scores RS to improve the security and performance stability of the system.

Workflow of SRFACS.

As shown in Fig 1, our system includes the following steps.

Algorithm 3 System Setup

1: Initialization:

2:  Rounds← Partition time into discrete units

3:  Epochs ← 2k

4:

5: Key Generation:

6:  Register nodes (MS, MR, AsynGroup) at key generation center

7:  Generate keys using:

8:   MSP.Init, MSP.KeyGen, TPKE.Setup

9:  Distribute generated keys to nodes

10:

11: AsynGroup Configuration:

12:  Sort nodes by RS at Management Center (MC)

13:  Select top 36 nodes as AsynGroup candidates

14:   Designate top 9 nodes as primary nodes

15:

16: Node Integration:

17:  Integrate high-scoring nodes into the system

18:  Update local node lists and network configurations

1. System setup: As shown in Algorithm 3, we partition time into discrete units known as Round and segment the operation of the entire system into continuous Epoch, with each Epoch comprising 2k Rounds. Each Round embodies a comprehensive anonymous communication process, while each Epoch signifies a full cycle of the system, We introduce the Symbols throughout the SRFACS in Table 3.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 3. Description of symbols.

https://doi.org/10.1371/journal.pone.0312817.t003

At the onset of each Epoch, we undertake the updating of AsynGroup to enhance the capability of system nodes in fulfilling anonymous communication tasks.

During AsynGroup node configuration, the Management Center (MC) orchestrates the sorting of nodes based on their reputation score (RS). The RS serves as a reflection of the node’s credibility and reliability within the system. Leveraging these RS metrics, MC selects the top 36 nodes from the node information list as candidate AsynGroup nodes. Among these 36 nodes, the top nine are designated as candidate primary nodes. These master nodes assume the responsibility of coordinating and overseeing their respective node combination to ensure normal communication among nodes.

Algorithm 4 Send Phase

1: Send Phase:

2: Initialization:

3:  m← message to be transmitted

4:  pk_A, pk_B, pk_C← public keys of current AsynGroup

5:  A_Leader← Leader node of AsynGroup A

6:  E_k← symmetric key for encryption

7:  A₁← Master node address

8:  C← ciphertext

9:

10: Message Encryption:

11:  E_k(m)← Encrypt message m using symmetric key E_k

12:  Encrypt E_k(m) and address using threshold public key encryption with pk_C, pk_B, pk_A

13:  C ← pk_A(pk_B(pk_C(E_k(m), A_r), A₃), A₂), A_r

14:

15: Message Transmission:

16:  Dispatch ciphertext C to A_Leader based on address A₁

After determining the members and leader nodes of AsynGroup, the identified high-scoring nodes are integrated into the system. Each node then updates its local list by the latest node information list of the system. Upon completion of the update process, MC reconfigures the network settings of nodes to facilitate accurate system connection and sustained communication among nodes.

2. Key Generation: Message Sender (MS), Message Receiver (MR), and every node in AsynGroup are registered within the key generation center. The key generation center employs the MSP.Init, MSP.KeyGen, and TPKE.Set up algorithms to generate global parameters and corresponding keys for users and nodes, subsequently distributing keys to the corresponding entities.

3. Send phase: As shown in Algorithm 4, MS encrypts the transmitted message m. Initially, MS acquires the master node address and the public keys pk_C, pk_B, and pk_A of the current AsynGroup from MC. Subsequently, MS utilizes the symmetric key E_k to encrypt the message m. Following this, MS employs the threshold encryption algorithm TPKE Enc along with the public keys pk_C, pk_B, and pk_A to encrypt E_k(m) and the address. The resultant encrypted ciphertext C is then dispatched to the A_Leader of AsynGroup A based on the address A₁. The ciphertext C is structured as follows:

Algorithm 5 MSP Signature Process

1: After achieving consensus through ABFT protocol:

2:

3: Message Signing:

4:  Each consensus node within group A signs the message C_A

5:  using MSP.Sig to obtain signature S_i

6:

7: Broadcast Signed Message:

8:  Nodes broadcast signed message 〈S_i, i〉 to A_Leader

9:

10: Key Aggregation:

11:  A_Leader aggregates public keys apk_A of each node

12:  using MSP.AggMpk

13:

14: Signature Aggregation:

15:  A_Leader runs MSP.Agg to obtain aggregated signature agg_A

16:

17: Message Broadcast:

18:  Broadcast message 〈C_A, agg_A, apk_A〉

19:  using Byzantine Reliable Broadcast to B_Leader within group B

4. Transmission phase: As shown in Algorithm 5 and Algorithm 6, this stage primarily consists of two components: 1. ABFT protocol, 2.MSP algorithm. We illustrate the propagation process of AsynGroup A as an example.

1) ABFT protocol: When the A_Leader of AsynGroup A receives the ciphertext C from MS, the nodes start executing the asynchronous BFT protocol, which includes Byzantine Reliable Broadcast (RBC) and Asynchronous Binary Agreement (ABA). Upon the conclusion of the asynchronous BFT protocol, each correct node within group A maintains the same message:

Each correct node can generate a decryption share σ_i using the threshold encryption scheme TPKE.DecShare. Subsequently, each correct node combines the decryption shares using TPKE.Dec to produce plaintext with threshold encryption. The plaintext is shown below. The message flow is shown in Fig 2.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. The message flow in AsynGroup A.

https://doi.org/10.1371/journal.pone.0312817.g002

Algorithm 6 Transmission and Receive Phase

1: Transmission Phase:

2: Input: Ciphertext C from MS

3: Output: Decrypted message C_A

4:

5: ABFT Protocol:

6: Byzantine Reliable Broadcast (RBC):

7:  SendToAll(C)    ▷ Broadcast ciphertext to all nodes in AsynGroup A

8:  WaitUntilAllReceived(C)    ▷Ensure each correct node receives C from A_Leader

9:

10: Asynchronous Binary Agreement (ABA):

11:  C_A← ABA(C)    ▷Nodes execute ABA protocol to agree on the message C_A

12:

13: Decryption:

14:  Each correct node generates decryption share σ_i using TPKE.DecShare

15:  Combine decryption shares using TPKE.Dec to produce plaintext with threshold encryption

16:  Plaintext: C_A = pk_B(pk_C(E_k(m), A_r), A₃), A₂

17:

18: Receive Phase:

19: Upon receiving message C_C:

20:

21: Signature Verification:

22:  Verify the signature of C_C

23:

24: Decryption:

25:  Decrypt the ciphertext E_k(m) using the symmetric key E_k to retrieve the message m

26:

27: Note:

28:  The system design ensures that adversaries can listen passively but cannot discern specific message exchanges.

2) MSP algorithm: After the nodes within group A achieve consensus through the asynchronous BFT protocol, the consensus nodes within the group utilize MSP.Sig to sign the message C_A and obtain the corresponding signature S_i. Nodes then broadcast the signed message <S_i, i>to the leader node A_Leader. Initially, A_Leader aggregates the public keys apk_A of each node using MSP.AggMpk and subsequently runs MSP.Agg to obtain the aggregated signature agg_A. Following this, utilizing the address A₂, the message <C_A, agg_A, apk_A>is broadcasted using Byzantine Reliable Broadcast to the leader node B_Leader within group B.

As shown in Fig 1. After the communication within AsynGroup A as described above, when the leader node BLeader of AsynGroup B receives <C_A, agg_A, apk>from A_Leader, it verifies the aggregated signature using MSP.AggVery. Upon successful verification, nodes in AsynGroup B execute the same ABFT protocol operations as AsynGroup A. Subsequently, each correct node within the group maintains the same plaintext: C_B = pk_C(E_k(m), A_r), A₃. Finally, the same MSP signature steps as AsynGroup A are executed to obtain the aggregated signature agg_B. Then broadcast the message <C_B, agg_B, apk_B>to the leader node C_Leader within group C. Similarly, AsynGroup C can verify and decrypt the message, obtaining C_C = E_k(m), A_r. Subsequently, it undergoes aggregation signature. As the message contains the address of MR, the leader node C_Leader within group C sends <C_C, agg_C, apk_C>to MR. At this point, the message propagation phase concludes.

5. Receive phase: As shown in Algorithm 6, upon receiving message C_C, MR first verifies the signature and then decrypts the ciphertext E_k(m) using the symmetric key E_k to retrieve the message m sent by MS.This is the basic design of our system. The adversary can passively listen to the channel but he cannot tell this message from specific senders to the designated receivers.

Experimental results and analysis.

Fig 3 presents the total time taken for the MSP algorithm across different elliptic curves, broken down into the key generation, signature generation, signature aggregation, and signature verification stages. The results demonstrate distinct performance differences between the curves and node sizes. The MNT159 curve consistently exhibited the lowest total time across all node configurations, primarily due to its fast key generation and signature verification times. SS512, while slightly slower, provided a balanced performance across all stages, making it a good choice for applications with moderate time constraints.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. Time breakdown for each step of the MSP algorithm across different elliptic curves and varying numbers of nodes: 4, 8, 12, and 16.

https://doi.org/10.1371/journal.pone.0312817.g003

In contrast, BN254 showed the highest total time across all stages, particularly due to the high cost of signature verification, which was the most time-consuming step. This curve displayed a noticeable increase in total time as the number of nodes increased, indicating less scalability compared to the other curves. MNT224 also had a higher overall time, though it performed better than BN254 in key generation and signature aggregation.

The analysis highlights that our choice of elliptic curves and MSP method effectively reduces computational overhead, particularly for key generation and verification, which are crucial for real-time applications. MNT159 and SS512 stand out as the most efficient choices, especially as the number of nodes increases, suggesting that these curves are well-suited for applications requiring scalability. Furthermore, the total time remains manageable even with 16 nodes, demonstrating that the system can support a growing network size without significant performance degradation.

Experimental results and analysis.

The results of the reputation mechanism testing are summarized in Figs 4 and 5. Fig 4 shows the reputation scores obtained over multiple iterations, indicating how the scores evolve as the process progresses. The results demonstrate that the reputation mechanism effectively updates the scores based on the specified criteria, maintaining consistency and reliability. Fig 5 illustrates the time taken to calculate the reputation scores in each iteration. The time is recorded in milliseconds, providing a detailed view of the computational overhead introduced by the reputation mechanism. The test results indicate that while there is an increase in computation time with the number of iterations, the overhead remains manageable.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. Reputation scores per round for all nodes.

https://doi.org/10.1371/journal.pone.0312817.g004

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 5. Reputation calculation time (in milliseconds) per round.

https://doi.org/10.1371/journal.pone.0312817.g005

Experimental results and analysis.

The results of the experiments are shown in Figs 6 and 7. Dumbo, as implemented in SRFACS, consistently exhibits the lowest latency across all byte sizes, significantly outperforming PBFT (HTTP) and HoneyBadger. This demonstrates that SRFACS, powered by Dumbo, can efficiently handle larger data volumes while maintaining low latency, making it highly suitable for anonymous communication systems. PBFT (HTTP) shows the highest latency, particularly as byte sizes increase, which reveals its limitations in environments that require higher throughput and lower latency. HoneyBadger performs better than PBFT (HTTP) but still cannot match the performance of Dumbo, especially as byte sizes grow. The results highlight the scalability and efficiency of SRFACS, which benefits from the integration of Dumbo.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 6. Latency comparison of PBFT (HTTP), HoneyBadger, and SRFACS (Dumbo) with different byte sizes.

https://doi.org/10.1371/journal.pone.0312817.g006

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 7. SRFACS(Dumbo) latency for each node with different byte sizes.

https://doi.org/10.1371/journal.pone.0312817.g007

In conclusion, the experimental results confirm that SRFACS, utilizing Dumbo as its core protocol, achieves significantly lower latency compared to the baseline protocols. The comparison with PBFT (HTTP) and HoneyBadger illustrates that SRFACS is optimized for performance, ensuring minimal latency even under increasing data loads. This efficiency and scalability make SRFACS an ideal solution for secure and anonymous communication in dynamic environments.