Certification of Compact Low-Stretch Routing Schemes

On the one hand, the correctness of routing protocols in networks is an issue of utmost importance for guaranteeing the delivery of messages from any source to any target. On the other hand, a large collection of routing schemes have been proposed during the last two decades, with the objective of transmitting messages along short routes, while keeping the routing tables small. Regrettably, all these schemes share the property that an adversary may modify the content of the routing tables with the objective of, e.g., blocking the delivery of messages between some pairs of nodes, without being detected by any node. In this paper, we present a simple certification mechanism which enables the nodes to locally detect any alteration of their routing tables. In particular, we show how to locally verify the stretch-3 routing scheme by Thorup and Zwick [SPAA 2001] by adding certificates of $\widetilde{O}(\sqrt{n})$ bits at each node in $n$-node networks, that is, by keeping the memory size of the same order of magnitude as the original routing tables. We also propose a new name-independent routing scheme using routing tables of size $\widetilde{O}(\sqrt{n})$ bits. This new routing scheme can be locally verified using certificates on $\widetilde{O}(\sqrt{n})$ bits. Its stretch is3 if using handshaking, and 5 otherwise.


Introduction
Context.A routing scheme is a mechanism enabling to deliver messages from any source to any target in a network.The latter is typically modeled as an undirected connected weighted graph G = (V, E) where V models the set of routers and E models the set of communication links between routers.All edges incident to a degree-d node are labeled from 1 to d, in an arbitrary manner, and the label at a node u of an incident edge e is called the port number of edge e at u.A routing scheme consists of a way of assigning a routing table to every node of the given network.These tables should contain enough information so that, for every target node t, each node is able to compute the port number of the incident edge through which it should forward a message of destination t.The routing tables must collectively guarantee that every message of any source s and any target t will eventually be delivered to t.

Certification of Compact Low-Stretch Routing Schemes
Two scenarios are generally considered in the literature.One scenario allows the routing scheme to assign names to the nodes, and each target is then identified by its given name.The other, called name independent, is assuming that fixed names are given a priori (typically, a name is restricted to be the identity of a node), and the scheme cannot take benefit of naming nodes for facilitating routing.
Among many criteria for evaluating the quality of routing schemes, including, e.g., the time complexity for constructing the routing tables, the two main parameters characterizing a routing scheme are the size of its routing tables and names, and the stretch.The stretch of a routing scheme is the maximum, taken over all pairs of source-target nodes, of the ratio between the length of the route generated by the scheme from the source to the target, and the length of a shortest path between these two nodes.During the last two decades, there has been an enormous effort to design compact routing scheme (i.e., schemes using small tables) of low stretch (i.e., with stretch upper bounded by a constant) -see, e.g., [1,2,3,4,11,16,21,22,24].A breakthrough was achieved in [24] where almost tight tradeoffs between size and stretch were explicitly demonstrated.In particular, [24] showed how to design a routing scheme with tables of size O( √ n) bits and stretch 3, in any network 1 .All the aforementioned routing schemes share the property that nodes do not have the capability to realize that the routing tables have been modified (either involuntarily or by an attacker).That is, a group of nodes may be provided with routing tables which look consistent with a desired routing scheme, but which do not achieve the desired performances of that scheme (e.g., large stretch, presence of loops, etc.).Indeed, the nodes are not provided with sufficient information to detect such an issue locally, that is, by having each node inspecting only the network structure and the tables assigned to nodes in its vicinity.
Objective.The objective of this paper is, given a routing scheme, to design a mechanism enabling each node to locally detect the presence of falsified routing tables, in the following sense.If some tables are erroneous, then at least one node must be able to detect that error by running a verification algorithm exchanging messages only between neighboring nodes.
Our mechanism for locally verifying the correctness of routing tables is inspired from proof-labeling schemes [20].It is indeed based on assigning to each node a certificate, together with its routing table, and designing a distributed verification algorithm that checks the consistency of these certificates and tables by having each node inspecting only its certificate and its routing table, and the certificate and routing table of each of its neighbors.The set of certificates assigned to the nodes and the verification algorithm running at all nodes in parallel must satisfy that: (1) if all tables are correctly set, then, with some appropriate certificates, all nodes accept, and (2) if one or more tables are incorrectly set, then, for every assignment of the certificates, at least one node must reject.The second condition guarantees that the verification algorithm cannot be cheated: if the tables are incorrect, there are no ways of assigning the certificates such that all nodes accept.
Rephrasing the objective of the paper, our goal is to assign certificates to nodes, of size not exceeding the size of the routing tables, enabling the nodes to collectively verify the correctness of the routing tables, by having each node interacting with its neighbors only.
Our Results.We show how to locally verify the stretch-3 size-O( √ n) routing scheme by Thorup and Zwick [24].Our certification mechanism uses certificates of O( √ n) bits at each node, that is, these certificates have size of the same order of magnitude as the original routing tables.Hence, verifying the scheme in [24] can be done without modifying the scheme, and without increasing the memory space consumed by that scheme.We also show that the same holds for the whole hierarchy of routing schemes proposed in [24] for providing a tradeoff between size and stretch.
The situation appears to be radically different for name-independent routing schemes.The stretch-3 name-independent routing scheme by Abraham et al. [2] also uses tables of size O( √ n) bits.However, each table includes references to far away nodes, whose validity does not appear to be locally verifiable using certificates of reasonable size.On the other hand, a simplified version of the scheme in [2] can be verified locally with certificates of size O( √ n) bits, but its stretch becomes at least 7. Therefore, we propose a new name-independent routing scheme, with tables of size O( √ n) bits that can be verified using certificates on O( √ n) bits as well.This new routing scheme has stretch at most 5, and the stretch can even be reduced to 3 using handshaking2 .The routing scheme of Arias et al. [3] has also stretch 5, but it does not appear to be locally verifiable with certificates of reasonable size, and using handshaking does not enable to reduce the stretch.
All our results are summarized in Table 1.

Related Work.
The design of compact routing tables, and the explicit identification of tradeoffs between the table size and the routes length was initiated thirty years ago, with the seminal work in [22] and [21].Since then, a large amount of papers were published on this topic, aiming at refining these tradeoffs, and at improving different aspects of the routing schemes, including routing in specific classes of graphs (see [15,17]).In particular, routing schemes were designed for trees in [11,24], with space complexity O(log 2 n/ log log n) bits3 .This space complexity was shown to be optimal in [12].It was proved [18] that, in n-node networks, any shortest path routing scheme requires tables of size Ω(n) bits.The aforementioned routing scheme in [24] with stretch 3 and space complexity O( √ n) bits was shown to be optimal in [16], in the following sense: no routing scheme with space complexity o(n) bits can achieve a stretch s < 3, and, assuming the correctness of a conjecture by Erdős regarding a tradeoff between girth and edge density in graphs, every routing scheme with stretch s < 5 has space complexity Ω( √ n) bits.On the positive side, [24] tightens the size-stretch tradeoff of [21] by showing that, for every k ≥ 2, there exists a routing scheme with stretch 4k − 5 and space complexity O(n 1/k ) bits.(The stretch can be reduced to 2k − 1 using handshaking).Recently, [8] showed that, for k ≥ 4, a stretch s = α k with α < 4 can be achieved using routing tables of size O(n 1/k ).

Certification of Compact Low-Stretch Routing Schemes
The distinction between name-independent routing schemes, and routing schemes assigning specific names to the nodes was first made in [4].Then, [5] presented techniques for designing name-independent routing schemes with constant stretch and space complexity o(n) bits.Almost 15 years after, [3] described a name-independent routing scheme with stretch 5 and space complexity O( √ n) bits.This was further improved in [2] thanks to a nameindependent routing scheme with stretch 3 and space complexity O( √ n) bits.A couple of years later, [1] showed that there are tradeoffs between stretch and space complexity for name-independent routing schemes as well.Specifically, [1] showed that, for any k ≥ 1, there exists a name-independent routing scheme with space complexity O(n 1/k ) bits and stretch O(k).
The certification mechanism used in this paper is based on the notion of proof-labeling scheme introduced in [20] in which an oracle, called prover, assigns certificates to the nodes, and a distributed algorithm, called verifier, checks that this certificates collectively form a proof that the global state of the network is legal with respect to a given boolean network predicate.Proof-labeling schemes have been widely used in literature.For example, [23] uses them to verify spanning trees in networks.This result has been extended in [14], where proof-labeling schemes are used to verify spanning trees in evolving networks that are evolving with time.Variants of proof-labeling schemes have been considered in, e.g., [7,13], and [19].More generally, see [10] for a survey of distributed decision.

Definitions
Routing Schemes.Let F be a family of edge-weighted graphs with edges labeled at each node by distinct port numbers from 1 to the degree of the node.The weights are all positive, and the weight of edge e represents its length.It is thus denoted by length(e).The nodes are given distinct identities.All node-identities and edge-weights are supposed to be stored on O(log n) bits.For the sake of simplifying notations, we do not make a distinction between a node v and its identity, also denoted by v. Given two nodes u, v, we denote by δ(u, v) the weighted distance between u and v.Given an edge e of end-point u, the port number of e at u is denoted by port u (e).
We follow the usual setting of proof-labeling scheme [20] in which the values of the edge-weights, node identities, and port numbers are fixed, and cannot be corrupted.Only the internal memories of the nodes, storing information about, say, routing, are susceptible to be corrupted.
A routing scheme for F is a mechanism assigning a name, name(u), and a routing table, table(u), to every node u of every graph G ∈ F such that, for any pair (s, t) of nodes of any G ∈ F, there exists a path u 0 , u 1 , . . ., u k from s to t in G with u 0 = s, u k = t, and for every i = 0, . . ., k − 1.That is, every intermediate node u i , 0 ≤ i < k, can determine on which of its ports the message has to be forwarded, based solely on its routing table, and on the name of the target.In Eq. 1, each table is viewed as a function taking names as arguments, and returning port numbers.The path u 0 , u 1 , . . ., u k is then called the route generated by the scheme from s to t.It is worth pointing out the following observations.Name-independent routing schemes are restricted to use names that are fixed a priori, that is, the name of a node is its identity, i.e., name(v) = v for every node v. Instead, name-dependent routing schemes allow names to be set for facilitating routing, and names are typically just bounded to be storable on a polylogarithmic number of bits.
The header of a message is the part of that message containing all information enabling its routing throughout the network.The header of a message with destination t is typically name(t).However, some routing schemes ask for message headers that can be modified.This holds for both name-dependent schemes (like, e.g., [24]) and name-independent schemes (like, e.g., [2]).The typical scenario requiring modifiable headers is when a message is routed from source s to target t as follows.From name(t) and table(s), node s can derive the existence of some node v containing additional information about how to reach t.Then the message is first routed from s to v, and then from v to t. Distinguishing these two distinct parts of the routes from s to t often requires to use different headers.In case of modifiable headers, Eq. ( 1) should be tuned accordingly as the argument of routing is not necessarily just a name, but a header.Some routing schemes may use a mechanism called handshaking [24], which is an abstraction of mechanisms such as Domain Name System (DNS) enabling to recover an IP address from its domain name.Let us consider the aforementioned scenario where a routing scheme routes a message from s to t via an intermediate node v identified by s from name(t) and table(s).One can then enhance the routing scheme by a handshaking mechanism, enabling s to query v directly, and to recover the information stored at v about t.Then s can route the message directly from s to t, avoiding the detour to v.That is, handshaking enables to distinguish the part of the routing used to get information about the target (like in DNS), from the part of routing used to transfer messages (like in IP).Handshaking is used in [24] to reduce the stretch of routing schemes with space complexity O(n 1/k ) bits from 4k − 5 to 2k − 1, for every k > 2.
The size of a routing scheme is the maximum, taken over all nodes u of all graphs in F, of the memory space required to encode the function table(u) at node u.The stretch of a routing scheme is the maximum, taken over all pairs (s, t) of nodes in all graphs G ∈ F, of the ratio of the length of the route from s to t (i.e., the sum of the edge weights along that route) with the weighted distance between s and t in G.
Distributed Verification.Given a graph G, a certificate function for G is a function certificate : V (G) → {0, 1} * assigning a certificate, certificate(u), to every node u ∈ V (G).A verification algorithm is a distributed algorithm running concurrently at all nodes in parallel.At every node u ∈ V (G) of every graph G ∈ F, the algorithm takes as input the identity of node u, the certificate certificate(u) and routing table table(u) assigned to node u, as well as the collection of pairs (table(v), certificate(v)) assigned to all neighbors v of u, with their identities, and outputs accept or reject.Definition 1.A routing scheme for F is verifiable if there exists a verification algorithm verif such that, for every G ∈ F, if the tables given to all nodes of G are the ones specified by the routing scheme, then there exists a certificate function for G such that the verification algorithm verif outputs accept at all nodes; if some tables given to some nodes of G differ from the ones specified by the routing scheme, then, for every certificate function for G, the verification algorithm verif outputs reject in at least one node.
The second bullet guarantees that if an adversary modifies some routing tables, or even just a single bit of a single table, then there are no ways it can also modify some, or even all certificates so that to force all nodes to accept: at least one node will detect the change.Of course, this node does not need to be the same for different modifications of the routing tables, or for different certificates.

Certification of Compact Low-Stretch Routing Schemes
Remark.The above definition is the classical definition of proof-labeling scheme applied to verifying routing schemes.In particular, it may well be the case that a correct labeling scheme be rejected if the certificates have not been set appropriately, just like a spanning tree T will be rejected by a proof-labeling scheme for spanning trees if the certificates have been set for another spanning tree T = T .

Name-dependent routing scheme
In this section, we show how to verify the stretch-3 routing scheme by Thorup and Zwick in [24].This scheme uses tables of O( √ n) bits of memory at each node.We show the following: Theorem 2. The stretch-3 routing scheme by Thorup and Zwick in [24] can be locally verified using certificates of size O( √ n) bits.
Before proving the theorem, let us recall the structure of the routing scheme in [24].It assigns names and tables to nodes of every G = (V, E) as follows.
Landmarks, Bunch and Clusters.The routing scheme in [24] uses the notion of landmarks (a.k.a.centers).These landmarks form a subset L ⊆ V of nodes.For v ∈ V , let l v denote the landmark closest to v in G.For every v ∈ V , the bunch of v with respect to the set L is defined as follows: bunch The routing scheme in [24] also uses the notion of cluster.
As a consequence, for every u, v ∈ V , we have: u ∈ cluster(v) ⇐⇒ v ∈ bunch(u).Note that since, for every v ∈ V , and every l ∈ L, we have l / ∈ bunch(v), it follows that cluster(l) = ∅ for every l ∈ L. By construction of the bunches and the clusters, it also holds that, for every v ∈ V , cluster(v) ∩ L = ∅.Also, clusters satisfy the following property.

Lemma 3 ([24]
).If u ∈ cluster(v) then, for every node w on a shortest path between u and v, we have u ∈ cluster(w).
In [24], the landmarks are chosen by an algorithm that samples them uniformly at random in V until the following holds: for every node v, |cluster(v)| < 4 √ n.It is proved that this algorithm returns, w.h.p., a set of landmarks of size at most 2 log(n) √ n.
Names and tables.For every two nodes v and t, let next(v, t) be the port number of an edge incident to v on a shortest path between v and t.Each node t ∈ V is assigned a 3 log(n) -bit name as follows: name(t) = (t, l t , next(l t , t)).Each node v ∈ V then stores the following O( √ n)-bit information in its routing table, table(v): the identities of all the landmarks l ∈ L; the identities of all nodes t ∈ cluster(v); Routing.Note that, by Lemma 3, any message from a node v to a node in cluster(v) reaches its target along a shortest path.The same holds for landmarks since every node is given information about how to reach every landmark.In general, let us assume that v wants to send a message to some node t with label (t, l t , next(l t , t)) that is neither a landmark nor belongs to cluster(v).In this case, v extracts the landmark l t nearest to t from t's name (note here the impact of allowing the scheme to assign specific names to nodes), and forwards the message through the port on a shortest path towards l t using the information v has in its table.Upon reception of the message, l t forwards the message towards t on a shortest path using next(l t , t) (this information can also be extracted from the name of t), to reach a node z ∈ bunch(t).At last, since z ∈ bunch(t), we have t ∈ cluster(z), which means that z can route to t via a shortest path using the information available in its table.By Lemma 3, this also holds for every node along a shortest path between z and t.Using symmetry, and triangle inequality, [24] shows that this routing scheme guarantees stretch 3.
Proof of Theorem 2. To enable local verification of the stretch-3 routing scheme in [24], a certificate of size O( √ n) bits is given to each node.Let G = (V, E) be an undirected graph with positive weights assigned to its edges, and a correct assignment of the routing tables to the nodes according to the specifications of [24] as summarized before.Then each node v ∈ V is assigned a certificate composed of: the distance between v and every landmark in L; the distance between v and every node in cluster(v); the set {δ(t, l t ) : t ∈ cluster(v)}.As claimed, all these information can be stored using O( √ n) bits of memory.We assume, without loss of generality, that all nodes know n (verifying the value of n is easy using a proof-labeling scheme with O(log n)-bit certificates [20]).The verification of the routing scheme then proceeds as follows.We describe the verification algorithm verif running at node v ∈ V .This verification goes in a sequence of steps.At each step, either v outputs reject and stops, or it goes to the next step.
We denote by L(v), C(v), and {N (v, t) : t ∈ L(v) ∪ C(v)} the content of the routing table of v.These entries are supposed to be the set of landmarks, the cluster of v, and the set of next-pointers given to v, respectively.We also denote by d the distance given in the certificates.That is, node v is given a set {d(v, t) : t ∈ L(v) ∪ C(v)} and a set {d(t, l t ) : t ∈ C(v)} where l t is supposed to be the node in L(v) closest to t ∈ C(v).Of course, if a node does not have a table and a certificate of these forms, then it outputs reject.So, we assume that all tables and certificates have the above formats.The algorithm proceeds as follows at every node v. Node v checks that 1. the information in its  We now establish the correctness of this local verification algorithm.First, by construction, if all tables are set according to [24], that is, if, for every node v, L(v) = L, C(v) = cluster(v) and N (v, t) = next(v, t) for all t ∈ L ∪ cluster(v), then every node running the verification D I S C 2 0 1 7 6:8

Certification of Compact Low-Stretch Routing Schemes
algorithm with the appropriate certificate {δ(v, t) : t ∈ L∪cluster(v)}∪{δ(t, l t ) : t ∈ cluster(v)} where l t is the node in L closest to t ∈ cluster(v), will face no inconsistencies with its neighbors, i.e., all the above tests are passed, leading every node to accept, as desired.
So, it remains to show that if some tables are not what they should be according to [24], then, no matter the certificates assigned to the nodes, at least one node will fail one of the tests.If all nodes output accept, then, by Step 1, all routing tables are of the appropriate size.Also, by Step 2, the set L of landmarks given to the nodes is the same for all nodes, as otherwise there will be two neighbors that would have different sets.Moreover, by Step 3, we get that, at every node v, the distances of this node to the landmarks, as stored in its certificate, are correct, from which we infer that N (v, l) is appropriately set in the table of v, that is N (v, l) = next(v, l) for every l ∈ L. Hence, if all the tests in Steps 1-3 are passed, all the data referring to L in both the tables and the certificates are consistent.In particular, every node v knows the landmark l v which is closest to it, and its distance δ(v, l v ).
We now show that if all these tests as well as the remaining tests are passed, then the clusters in the tables are correct, w.r.t.L, as well as the next-pointers.We first show that, if all tests are passed, then, for every node v ∈ V , C(v) ⊆ cluster(v).By Step 4, this latter equality holds for every landmark v.By Step 5, we get that, at every node v, the distance of this node to every node t ∈ C(u), as stored in its certificate, are correct, from which we infer that N (v, t) is appropriately set in the table of v, that is N (v, t) = next(v, t) for every t ∈ C(v).By Step 6, we get that, for every t ∈ C(v), we do have d(l t , t) = δ(l t , t).Indeed, this equality will be checked by all nodes on a shortest path between v and t (whose existence is guaranteed by Step 5), and t has the right distance δ(t, l t ) in its certificate by Step 3. Recall that cluster(v) = {t ∈ V | δ(v, t) < δ(l t , t)} where l t is the landmark closest to t. Step 7 precisely checks that inequality.
It remains to show that there are no nodes in cluster(v) that are not in C(v).Assume that there exists t ∈ cluster(v) \ C(v), and let P be a shortest path between v and t.Let v be the closest node to v on P such that t ∈ C(v ) ⊆ cluster(v ).Note that such a node v exists as t ∈ C(t).Let v be the node just before v on P traversed from v to t.By Lemma 3, since t ∈ cluster(v), we also have t ∈ cluster(v ).We have t ∈ cluster(v ) \ C(v ).Therefore δ(v , t) < δ(l t , t).Now, δ(v , t) = length({(v , v })+δ(v , t) because P is a shortest path between v and t passing through v .So, length({(v , v }) + δ(v , t) < δ(l t , t).Step 8 guarantees that it is not the case.Therefore, there are no nodes in cluster(v) \ C(v).It follows that cluster(v) = C(v) for all nodes v.This completes the proof of Theorem 2.

Name-independent Routing Scheme
The purpose of this section is twofold.First, it serves as recalling basic notions that will be helpful for the design of our new name-independent routing scheme.Second, it is used to show why the known name-independent routing scheme in [2] appears to be difficult, and perhaps even impossible to verify locally.

The Routing Scheme of [2]
The stretch-3 name-independent routing scheme of [2] uses O( √ n) space at each node.We provide a high level description of that scheme.Recall that, in name-independent routing, a target node is referred only by its identity.That is, name(t) is the identity of t, i.e., name(t) = t.Let G = (V, E).For every node v ∈ V , the vicinity ball of v, denoted by ball(v), is the set of the 4 α log(n) √ n closest nodes to v, for a large enough constant α > 0, where ties are broken using the order of node identities.By this definition, if u ∈ ball(v) and w is on a shortest path between v and u, then u ∈ ball(w).
Color-Sets.In [2], the nodes are partitioned into sets C 1 , . . .C √ n , called color-sets, and, for i = 1, . . ., √ n, the nodes in color-set C i are assigned the same color i.For every node v ∈ V , its vicinity ball, ball(v), contains at least one node from each color-set.To get this, the color of a given node v is determined by a hash function color which, given the identity of a node, maps that identity to a color in {1, . . ., √ n}.This mapping from identities to colors is balanced in the sense that at most O(log n √ n) nodes map to the same color.A color is chosen arbitrarily, and all nodes with that color are considered to be the landmarks.Let L be the set of landmarks.It holds that |L| = O(log n √ n).Also, each node v ∈ V has at least one landmark in its vicinity ball.We fix, for each vicinity ball ball(v), an arbitrary landmark, denoted by l v .
Routing in trees.This construction in [2] makes use of routing schemes in trees.More precisely, they use the results from [11,24], which states that there exists a shortest-path (namedependent) routing scheme for trees using names and tables both on O(log 2 (n)/ log log(n)) bits in n-node trees.For a tree T containing node v, let table T (v) and name T (v) denote the routing table of node v in T , and the name of v in T , as assigned by the scheme in [11].
The routing tables.For any node v, let T (v) be a shortest-path spanning tree rooted at v. Let P (v, w, u) be a path between v and u composed of a shortest path between v and w and a shortest path between w and u.Such a path is said to be good for (v, u) if v ∈ ball(w), and there exists an edge {x, y} along a shortest path between w and u with x ∈ ball(w) and y ∈ ball(u); Every node v ∈ V stores the following information in its routing table table the hash function color that maps identities in colors; the identity of every node u ∈ ball(v), and the port number next(v, u); for every landmark l ∈ L, the routing table table T (l) (v) for routing in T (l); for every node u ∈ ball(v), the routing table table T (u) (v) for routing in T (u); the identities of all nodes with same color as v, and, for each such node u, the following additional information: Rule 1: if there are no good paths P (v, w, u), v stores name T (lu) (l u ), name T (lu) (u) .Rule 2: if there exists a good path P (v, w, u), then let us pick a good path P of minimum length among all good paths; then, let us compare its length |P | with the length |Q| of the path Q composed of a shortest path between v and l u , and a shortest path between l u and u; provide v with name T (lu) (l u ), name T (lu) (u) if |Q| ≤ |P |, and with name T (v) (w), x, port x ({x, y}), name T (y) (u) otherwise.
Storing the hash function color requires O( √ n) bits.L and ball(v) are both of size O( √ n) bits.Moreover, the number of nodes with identical color is O( √ n), for every color.Finally, shortest-path routing in any tree can be achieved using tables and names of size O(log 2 n/ log log n) bits [11,24].
Routing.Routing from a source s to a target t is achieved in the following way (see [2] for more details).If t ∈ ball(s), or t ∈ L, or s and t have the same color, then s routes to t using the information available in its table.More specifically, if t ∈ ball(s) or t ∈ L, then s sets the header of the message as just the identity of the target t.Instead, if s and t have the same color but t / ∈ ball(s) ∪ L, the source s sets the header as one of the two possible rules 1 or 2. Otherwise, that is, if t / ∈ ball(s) ∪ L and color(s) = color(t), node s routes the message towards some node w ∈ ball(s) sharing the same color as t.(The color of t can be obtained by hashing the identity of t).The header is set to t, and w will change the header upon reception of this message, according to the rules previously specified.It is shown in [2] that this routing guarantees a stretch 3.  On the difficulty of locally verifying the scheme in [2] We note that the routing scheme in [2], as sketched in the previous subsection, has some "global" features that makes it plausibly difficult to locally verify, by adding certificates of size O( √ n) bits at each node.In this subsection, we mention one of these global features, illustrated in the example depicted on Fig. 1.We are considering routing from a source s / ∈ L to a target t / ∈ L, of different colors, with s / ∈ ball(t) and t / ∈ ball(s).Let us assume that node s has color red, while node t has color blue.According to the routing scheme in [2], node s first routes the message towards some blue node u ∈ ball(s) to get information about the blue target t.In the example of Fig. 1(left), node u stores name T (u) (s), x, port(x, y), name T (y) (t) , to guarantee a stretch 3. Instead, in the example of Fig. 1(right), node u stores name T (lt) (l t ), name T (lt) (t) .to guarantee such a small stretch.Verifying locally whether there exists a good path between s and t, which is the condition leading to distinguishing the case where the content of rule 1 must apply, from the case where the content of rule 2 must apply, appears to be a very difficult matter when restricted to certificates of size O( √ n).We point out that systematically applying rule 1 would result in a routing scheme that may be locally verifiable.However, its stretch is at least 7. To see why, let us consider the example displayed in Figure 2 where s ∈ ball(t) but t / ∈ ball(s).The radius of ball(s) is 50.Let u ∈ ball(s) be one of the farthest nodes to s, i.e., δ(s, u) = 50.The radius of ball(t) is 100 and δ(t, l t ) = 100.Although δ(u, t) = 100, we assume u / ∈ ball(t) due to lexicographical order priorities.Finally, assume that δ(s, t) = 50.The worst case route from s to t would then be s u s t l t t.This path is of length δ(s, u) + δ(u, s) + δ(s, t) + δ(t, l t ) + δ(l t , t) = 2 × 50 + 50 + 2 × 100 = 350 which is 7δ(s, t).

5
A New Name-Independent Routing Scheme In this section, we describe and analyze a new name-independent routing scheme, denoted by R. The section is entirely dedicated to the proof of the following theorem.Recall that, given a family of events (E n ) n≥1 , event E n holds with high probability if Pr[E n ] = 1 − O(1/n c ) for some c ≥ 1.
Theorem 4. The name-independent routing scheme R uses routing tables of size O( √ n) bits at each node.It guarantees stretch 5, and, using handshaking, its stretch can be reduced to 3. In both cases, R can be locally verified using certificates of size O( √ n) bits, using a 1-sided error verification scheme which guarantees that incorrect tables are detected with high probability.
Our verifier used to establish Theorem 4 is actually deterministic.The certificates however store hash functions chosen at random.We assume that these hash functions are not corruptible, and that the adversary is not capable to create collisions (if not accidentally, by chance).Even though this assumption may seem strong, we point out that this is relevant to practical situations in which cryptographic hash functions designed to be collision resistant and hard to invert are used (for more details please refere to Chapter 5 of [9]).
The new routing scheme R. Our new routing scheme R borrows ingredients from both [2] and [24].In particular, the landmarks are chosen as for the (name-dependent) routing scheme in [24], i.e., in such a way that every node v has a cluster cluster(v) of size at most 4 √ n, and the landmarks form a set L of size at most 2 log n √ n.However, we reinforce the way the nearest landmark to v is selected, by picking the nearest landmark l v such that l v = argmin l∈L δ(v, l) where ties are broken by choosing the landmark with smallest identity.Also, we slightly reinforce the definition of next: For every two nodes v and t, we set next(v, t) as the smallest port number at v of an edge incident to v on a shortest path between v and t.These two reinforcements of the definitions of landmarks and next guarantee the following.Lemma 5. Let v ∈ V , and let l v be its landmark.Let u be a node on a shortest path between v and l v .Then l u = l v .Lemma 6.Let v ∈ V , let l v be its landmark, and let w be the neighbor of l v such that next(l v , v) = port lv ({l v , w)}.Let u be a node on a shortest path between v and w.We have next(l v , u) = next(l v , v).
As in [2], each node that is not a landmark is given a color in {1, . . ., √ n} determined by a hash function, color, that maps identities to colors, where at most O(log n √ n) nodes map to the same color.Also, each node v has a vicinity ball, ball(v), that contains the O(log(n) √ n) nodes closest to v (breaking ties using identities).This guarantees that, with high probability, for every node v, there is at least one node of each color in ball(v).
For each color c, where 1 ≤ c ≤ √ n, we define Dir c = { v, l v , next(l v , v) : color(v) = c} which includes the direction to take at l v for reaching v of color c along a shortest path.

The routing tables. Every node v ∈ V then stores the following information in table(v):
the hash function color that maps identities in colors; the identity of every landmark l ∈ L, and the corresponding port next(v, l); the identity of every node u ∈ cluster(v), and the corresponding port next(v, u); the identity of every node u ∈ ball(v), and the corresponding port next(v, u); the set Dir color(v) .
Storing the hash function color requires O( √ n) bits, as we use the same function as in [2].Since L, cluster(v), ball(v), and Dir Routing.Let us consider routing towards a target node t, and let v be the current node.If t ∈ cluster(v), then routing to t is achieved using next(v, t).Notice that, by Lemma 3, routing to t will actually be achieved along a shortest path.Similarly, if t ∈ ball(v), then routing to t is achieved using next(v, t) along a shortest path, and this also holds if t is a landmark.In general, i.e., if t is neither a landmark nor a node of cluster(v) ∪ ball(v), then node v computes color(t) by hashing the identity of t.
If color(t) = color(v), then v forwards the message towards l t using the information in Dir color(v) , and including (l t , next(l t , t)) in the header of the message so that intermediate nodes carry on routing this message to l t .At l t , the message will be routed to t using the information next(l t , t) available in the header, reaching a node u t such that t ∈ cluster(u t ).At this point, routing proceeds to t along a shortest path.
If color(t) = color(v), then the message is forwarded to an arbitrary node w ∈ ball(v) having the same color as t (we know that such a node exists), with w in the header of the message.The message then reach w along a shortest path.At w, we have color(t) = color(w), and thus routing proceeds as in the previous case.
Handshaking.The routing with handshaking to node t proceeds as follows.If t ∈ L ∪ cluster(v) ∪ ball(v), or color(v) = color(t), then routing proceeds as above.Otherwise, v performs a handshake with a node w ∈ ball(v) with color(w) = color(t) to get the identity of l t as well as next(l t , t).Then v routes the message to l t , where it is forwarded to a node u t such that t ∈ cluster(u t ).At this point, routing proceeds to t along a shortest path.
Stretch of the new routing scheme R. Let s, t ∈ V be two arbitrary nodes of the graph.We show that the routing scheme R routes messages from s to t along a route of length at most 5 δ(s, t) in general, and along a route of length at most 3 δ(s, t) whenever using handshaking.As we already observed, if t ∈ L ∪ cluster(v) ∪ ball(v), then the message is routed to t along a shortest path, i.e., with stretch 1.Otherwise, we consider separately whether the color of s is the same as the color of t, or not.
Assume first that color(t) = color(s).Then the message is routed towards l t along a shortest path, then from l t to t along a shortest path.The length of this route satisfies = δ(s, l t ) + δ(l t , t).By the triangle inequality, we get that ≤ δ(s, t) + 2δ(l t , t).Since t / ∈ cluster(s), we get δ(s, t) ≥ δ(t, l t ).Therefore ≤ 3 δ(s, t).We are left with the case where color(s) = color(t).Observe first that, with handshaking, the route from s to t will be exactly as the one described in the case color(s) = color(t), resulting in a stretch 3.This completes the proof that R achieves a stretch 3 with handshaking.Without handshaking, the message is forwarded along a shortest path to an arbitrary node w ∈ ball(v) having the same color as t, then from w to l t along a shortest path, and finally from l t to t along a shortest path.This route is of length δ(s, w) + δ(w, l t ) + δ(l t , t) ≤ δ(s, w) + δ(w, s) + δ(s, l t ) + δ(l t , t) ≤ 2 δ(s, w) + 3 δ(s, t) ≤ 5 δ(s, t), as desired.
Local Verification of R. We show how to verify R with a verification algorithm verif using certificates on O( √ n) bits.Let us define the certificates given to nodes when the routing tables are correctly set as specified by R. For each color c, 1 ≤ c ≤ √ n, let B c be the number of bits for encoding the set Dir c , and let r = max 1≤c≤ √ n B c .We have r = O( √ n).Let f 1 , . . ., f k be k = Θ(log n) hash functions, where each one is mapping sequences of at most r bits onto a single bit.More specifically, each function f i , 1 ≤ i ≤ k, is described as a sequence f i,1 , . . ., f i,r of r bits.Given a sequence D = (d 1 , . . ., d ) of ≤ r bits, we set f i (D) = ( j=1 f i,j d j ) mod 2. Hence, if the r bits describing f i are chosen independently stretches can be established for verifiable name-independent routing schemes.Specifically, are the existing families of name-independent routing schemes using, for every k ≥ 1, tables of size O(n 1/k ) with stretch at most O(k), verifiable with certificates of size O(n 1/k )?If not, is it possible to design a new family of verifiable name-independent routing schemes satisfying the same size-stretch tradeoff?

Figure 1 (
Figure1(Left) All the nodes in a shortest path between s and t belong to ball(s) ∪ ball(t).(Right) There are nodes in a shortest path between s and t that do not belong to ball(s) ∪ ball(t).

Figure 2
Figure 2 A route of stretch 7.
color(v) are all of size O( √ n), we get that |table(v)| = O(

Table 1
Summary of our results compared to previous work.All the listed routing schemes have space complexity of O( = length({v, u}) + d(u, t), and every neighbor uof v with t ∈ C(u) satisfies d(v, t) ≤ length({v, u}) + d(u, t), with N (v, t) pointing to a neighbor u satisfying t ∈ C(u) and d(v, t) = length({v, u}) + d(u, t); 6. for every node t ∈ C(v), for every neighbor u of v satisfying t ∈ C(u), the distance d(t, l t )in the certificate of u is equal to the distance d(t, l t ) in the certificate of v; passes all the above tests, then v outputs accept, else it outputs reject.
and, for every node t ∈ C(v) with t = v, there exists a neighbor u of v satisfying t ∈ C(u) with d(v, t)