On Desgnng Incentve-Compatble Routng and Forwardng Protocols n Wreless Ad-Hoc Networks An Integrated Approach Usng Game Theoretcal and Cryptographc Technques Sheng Zhong L (Erran) L Yanbn Grace Lu Yang Rchard Yang Department of Computer Scence and Engneerng, SUNY at Buffalo, Buffalo, NY 1426 Networkng Research Lab, Bell Laboratores, Lucent Technologes, Murray Hll, NJ 7974 Department of Computer Scences, The Unversty of Texas, Austn, TX 78712 Department of Computer Scence, Yale Unversty, New Haven, CT 652 ABSTRACT In many applcatons, wreless ad-hoc networks are formed by devces belongng to ndependent users. Therefore, a challengng problem s how to provde ncentves to stmulate cooperaton. In ths paper, we study ad-hoc games the routng and packet forwardng games n wreless ad-hoc networks. Unlke prevous work whch focuses ether on routng or on forwardng, ths paper nvestgates both routng and forwardng. We frst uncover an mpossblty result there does not exst a protocol such that followng the protocol to always forward others traffc s a domnant acton. Then we defne a novel soluton concept called cooperatonoptmal protocols. We present Corsac, a cooperaton-optmal protocol consstng of a routng protocol and a forwardng protocol. The routng protocol of Corsac ntegrates VCG wth a novel cryptographc technque to address the challenge n wreless ad-hoc networks that a lnk s cost (.e., ts type) s determned by two nodes together. Corsac also apples effcent cryptographc technques to desgn a forwardng protocol to enforce the routng decson, such that fulfllng the routng decson s the optmal acton of each node n the sense that t brngs the maxmum utlty to the node. Addtonally, we extend our framework to a practcal rado propagaton model where a transmsson s successful wth a probablty. We evaluate our protocols usng smulatons. Our evaluatons demonstrate that our protocols provde ncentves for nodes to forward packets. Sheng Zhong was supported n part by NSF grants ANI-27399 and ANI-23838. Ths work was done whle Sheng Zhong was at Yale Unversty. Yang Rchard Yang was supported n part by NSF grants ANI-27399 and ANI-23838. L (Erran) L was partally supported by NSF NRT grant# ANI-335244. Permsson to make dgtal or hard copes of all or part of ths work for personal or classroom use s granted wthout fee provded that copes are not made or dstrbuted for proft or commercal advantage and that copes bear ths notce and the full ctaton on the frst page. To copy otherwse, to republsh, to post on servers or to redstrbute to lsts, requres pror specfc permsson and/or a fee. MobCom 5, August 28 September 2, 25, Cologne, Germany. Copyrght 25 ACM 1-59593-2-5/5/8...$5.. Categores and Subject Descrptors C.2.1. [Computer-Communcaton Networks]: Network Archtecture and Desgn Wreless communcaton General Terms Algorthms, Economcs, Securty, Desgn Keywords Mechansm desgn, game theory, securty, ncentves, wreless adhoc network 1. INTRODUCTION Many wreless ad-hoc networks are currently beng desgned or deployed, drven by the vson of any-tme, any-where connectvty [27, 36, 42] and the wde avalablty of wreless communcaton devces such as PDAs, cell-phones, and 82.11 access ponts. The functonng of such ad-hoc networks depends on the assumpton that nodes n the network forward each other s traffc. However, because forwardng packets consumes scarce resources such as battery power, when the nodes n the network belong to dfferent users, they may not have ncentves to forward each other s traffc. To stmulate nodes to forward each other s traffc, many methods have recently been proposed and evaluated (e.g., [3, 4, 5, 6, 22, 24, 3, 31, 39, 4, 47]). Gven the complexty and the subtlety of the ncentve ssues, researchers start to formally apply gametheoretc technques to analyze and desgn protocols n wreless ad-hoc networks, by modelng the nodes n the networks as selfsh users whose goals are to maxmze ther own utltes (e.g., [1, 3, 4, 5, 6, 39, 24, 29, 4, 44, 47]). Although much progress has been made n the last few years, several fundamental ssues reman unaddressed. A major lackng of prevous studes s that each study focuses on a sngle component. Specfcally, all prevous studes focus ether on the routng component (e.g., [1, 44]) or the packet forwardng component (e.g., [15, 24, 29, 47]). However, t s clear that both routng and packet forwardng are needed to buld a complete system. The routng component determnes a packet forwardng path from a source to a destnaton; t may also determne how many credts a node on the path wll receve after forwardng each packet. However, because the nodes on the path should receve credts f and only f they actually forward packets, we also need 117
the packet-forwardng component to verfy that forwardng does happen. The desgns of both the routng component and the forwardng component are challengng: the routng component should dscover effcent packet forwardng paths (such as power-optmal paths) even when the nodes are selfsh and thus may try to cheat to mprove ther utltes; the packet-forwardng component should address the far exchange problem where no node wants to make a commtment before the others do [38]. Although both ndvdual components are challengng, t s more challengng to desgn and analyze a complete system that ntegrates both routng and forwardng, gven the nterdependency of the two components. In the more general networkng context, for scalable desgns, many network systems are desgned usng a layered archtecture; that s, an upper layer component reles on a lower layer component. Also, many network functons are mplemented n multple stages. However, there was no prevous methodology n nvestgatng the jont ncentve propertes of a system nvolvng multple components or stages where each component or stage needs to deal wth ncentve ssues. The ntegraton of multple components s partcularly challengng n wreless ad-hoc networks because the wreless and ad-hoc nature may make t mpossble to desgn protocols wth strong ncentve propertes. Consder the forwardng protocol. An deal forwardng protocol s one n whch power-effcent paths are dscovered; network nodes on the paths forward traffc; and followng the protocol s a domnant acton for each node [34]; that s, no matter what other nodes do, followng the protocol always brngs the maxmum utlty to a node. We call such a protocol a forwardngdomnant protocol. A forwardng-domnant protocol s more desrable than a protocol that acheves a Nash equlbrum, snce typcally there exst multple Nash equlbra [13] and t s hard to make a system converge to a desrable Nash equlbrum n a dstrbuted settng [26]. However, an ssue that has not been nvestgated before s whether a forwardng-domnant protocol exsts. If not, what s a good and feasble soluton concept? The unque propertes of wreless ad-hoc networks also mply that tools from game theory may not be drectly applcable or a drect applcaton may result n ncorrect results. Novel technques are needed to adapt classc game theory tools to the new settngs. Consder the classc VCG (Vckrey-Clark-Groves) mechansm [9, 2, 43], whch has been appled to route dscovery n wreless adhoc networks [1]. To dscuss the challenge of applyng VCG to wreless networks, we frst brefly revew the VCG mechansm as follows. Assume that each user has a prvate type (the noton of type n specfc settngs wll be clear later). A user declares ts type (whch may or may not be the true type) to a socal planner, who decdes an outcome to optmze a socal objectve and a payment to each user. The outcome and the payments are determned n such a way that reportng type truthfully s a domnant acton and thus the computed outcome s socally optmal. A classc applcaton of the VCG mechansm s the second-prce aucton. In ths problem, the type of each user s ts nternal value of a gven tem and the objectve of the planner s to choose the user who values the tem the most. Then accordng to the VCG mechansm, each user declares ts value of the tem (called a bd) to the planner, the planner assgns the tem to the user who makes the hghest bd, and ths user pays the second hghest bd. It can be shown that under ths mechansm, declarng the true value of the tem s a domnant acton of each user;.e., regardless of the declaratons of all other users, the best a user can do s to declare ts true value. Although the VCG mechansm has been appled to many networkng problems n general (e.g., [12, 33, 35]) and to routng protocols n partcular (e.g., [1, 11]), wreless ad-hoc networks pose unque challenges. Specfcally, the VCG mechansm assumes that each user has a prvate type whch s nternal to the user. Therefore, to apply VCG drectly, a user must be able to determne ts type by tself. In wreless ad-hoc networks, for the problem of powereffcent routng, the type of a node ncludes the power levels to reach ts neghbors. However, a node alone cannot determne these power levels because t needs feedbacks from ts neghbors [27]. Snce the nodes are non-cooperatve, these feedbacks may allow one node to cheat ts neghbors n order to rase ts own welfare. Such mutually-dependent types have not been addressed before, nether n the game theory communty nor n the networkng communty. Such mutual dependency s challengng to address; for example, the authors of [47] comment that VCG cannot be appled because there s no prvate type n wreless ad-hoc routng. Ignorng such mutual dependency may ntroduce serous flaws nto protocols. For example, n Secton 4.1, we show that the Ad-hoc VCG protocol [1] s flawed because t does not properly handle cheatng n estmatng power levels. Last, the prevous work (e.g., [1]) on game desgn for routng and forwardng n wreless ad-hoc networks uses the bnary lnk model where a packet s always receved f the transmsson power s above a threshold. Recent measurements suggest that a more realstc lnk model s that a packet s receved wth a probablty [1, 16, 45, 46]. We refer to such lnks as lossy lnks. It s not known how to deal wth lossy lnks n routng and forwardng when we consder ncentves. The objectve of ths paper s to address the above ssues. Our contrbutons can be summarzed as follows. We frst show that there does not exst a forwardng-domnant protocol; that s, n the context of wreless ad-hoc networks, there does not exst a protocol mplementng both routng and packet forwardng such that under the protocol nodes always forward packets, and that followng the protocol s a domnant acton. A key reason for the mpossblty result s that the success of packet forwardng depends on the cooperaton of all nodes on a path. However, snce the nodes n a wreless ad-hoc network are dstrbuted, there are cases where t s mpossble for the system to pnpont the msbehavng node when a falure occurs. Thus t s nfeasble to desgn a domnant protocol, because such a protocol requres that a node be cooperatve even when some other node s not cooperatve. Gven the mpossblty result and the prevous msunderstandng of domnant actons n wreless ad-hoc networks, we need to search for a new, feasble soluton concept n the context of wreless ad-hoc networks. Then we defne the novel concept of a cooperaton-optmal protocol for non-cooperatve selfsh users n a wreless ad-hoc network. The concept of a cooperaton-optmal protocol s novel n that t conssts of two sub protocols for the two stages of a node s routng-and-forwardng behavor: the routng protocol and the forwardng protocol. The requrements of a cooperaton-optmal protocol are weaker than those of a forwardng-domnant protocol. However, f feasble, t also stmulates cooperaton. We show the feasblty of the concept of cooperaton-optmal protocols by desgnng a cooperaton-optmal protocol called Corsac, a Cooperatonoptmal routng-and-forwardng protocol n wreless ad-hoc networks usng cryptographc technques. Specfcally, the routng protocol of Corsac uses cryptographc technques to prevent a node from cheatng n the drecton where the node can beneft. Thus, a combnaton of ncentve consderaton and securty technques allows us to provde a novel soluton to the mutually-dependent-type problem. The routng protocol s also ntegrated wth a novel data forwardng protocol based on cryptographc technques to enforce the routng decson. The routng and forward protocols are nte- 118
grated n such a way that fulfllng the routng decson s the optmal acton of each node n the sense that t brngs the maxmum expected utlty to the node. Thrd, we present technques that allow us to extend our results from the bnary lnk model to lossy lnk models [2, 1, 16, 25, 45, 46]. In these models, packet recepton s probablstc and the probablty s a functon of transmsson power. We evaluate our protocols usng smulatons, takng nto account the effects of MAC and rado propagaton. We evaluate the relatonshp among credt balance, the total energy spent n forwardng each other s traffc, and the poston of a node. We show that our protocols are far n that nodes forwardng more packets receve more credts. We evaluate the relatonshp among Eucldean dstance between the source and the destnaton of a sesson, the payment to the ntermedate nodes, and the energy consumed by the ntermedate nodes. We show that t s manly the topology, nstead of Eucldean dstance, whch determnes the payment. We evaluate the effects of stoppng a node from generatng new packets when ts credt balance s below a threshold. We also evaluate the effects of cheatng and show that followng our protocols brngs hgher utlty. The rest of the paper s organzed as follows. We frst descrbe our network model and an mpossblty result n Secton 2. Then we gve our new soluton concept n Secton 3. We present the desgn and analyss of our routng and forwardng protocols n Sectons 4 and 5, respectvely. We extend our work to lossy lnks n Secton 6. In Secton 7 we present our evaluaton results. We conclude n Secton 8. 2. NETWORK MODEL AND AN IMPOSSI- BILITY RESULT ON AD-HOC GAMES 2.1 A Model of Ad-hoc Games Consder an ad-hoc network formed by a fnte number of nodes N = {1, 2,..., N}. We assume that each node has only a dscrete set P of power levels at whch t can send packets (e.g., Csco Aronet cards and Access Ponts can be confgured wth a few power levels such as 1 mw, 5 mw, 2 mw, 3 mw, 5 mw and 1 mw [8]). For each (ordered) par of nodes (, j), we assume that there s a mnmum power level P,j at whch node can reach node j. That s, when node sends a packet, node j receves the packet f and only f node sends the packet at a power level greater than or equal to P,j. It s possble that P,j =, whch means that even f node sends a packet at ts maxmum power level, node j stll cannot receve the packet. The above transmsson model s a bnary model. In Secton 6, we wll extend our results to lossy lnk models. As n prevous approaches, we model routng and forwardng as uncooperatve strategc games n game theory [34]. We call the games ad-hoc games. In an ad-hoc game, each player s a node who may partcpate n routng and packet forwardng. A node chooses an acton a. Gven a communcaton protocol, the acton a may or may not follow the protocol. Specfcally, for each computatonal task the protocol requres node to complete, a may replace the task wth an arbtrary polynomal-tme algorthm; for each message the protocol requres node to send, a may ether wthhold the message or replace t wth an arbtrary message and send the new message at an arbtrary power level. However, to smplfy our model, we do not allow a to send more messages than t s supposed n the protocol. As a notatonal conventon, we use a to denote the actons of all nodes, and a the actons of all nodes except node. Note that both a and a are vectors. Sometme we wrte a = (a, a ) to denote that the acton profle a where node takes acton a and the other nodes take actons a. The acton profle a of all nodes decdes each node s utlty n ths game. A node s utlty u conssts of two parts: u = c + p, where c s node s cost, and p node s payment. In ths paper, both cost and payment ncur for data packets. We gnore the cost of control packets because control packets are n general smaller and are only generated at the begnnng of a sesson. We dstngush two cases n explanng cost and payment: If node s outsde the packet forwardng path, then clearly both c and p should be. If node s on the packet forwardng path, then c stands for the energy cost consumed n forwardng data packets, 1 and p stands for the credt t receves from the system for forwardng the data packets. Whenever an ntermedate node forwards a data packet at power level l, the correspondng cost s l α, where α s a cost-of-energy parameter. Here α reflects node s nternal states such as remanng battery and the valuaton of each unt of power. Note that both c and p are decded by the actons of all players: c = c (a); p = p (a). DEFINITION 1. In a non-cooperatve strategc game, a domnant acton of a player s one that maxmzes ts utlty no matter what actons other players choose [34]. Specfcally, a s node s domnant acton f, for any a a and any a, u (a, a ) u (a, a ). It s clear that an deal ad-hoc network s a network where forwardng others packets s a domnant acton. More precsely we have the followng defnton for a forwardng-domnant protocol: DEFINITION 2. In an ad-hoc game, a forwardng-domnant protocol s a protocol n whch 1) a subset of the nodes are chosen to form a path from the source to the destnaton; 2) the protocol specfes that the chosen nodes should forward data packets, and 3) followng the protocol s a domnant acton. 2.2 Non-exstence of Forwardng-Domnant Protocol As a surprsng result, we show that there s no forwardng-domnant protocol for ad-hoc games. THEOREM 1. There does not exst a forwardng-domnant protocol for ad-hoc games. PROOF. We prove by contradcton. Suppose that there exsts a forwardng-domnant protocol. Then we consder a source node S, a destnaton D, and a node dstrbuton n whch there s a lnk (, j) on the packet forwardng path such that P,j <, whch means that node j can receve packets sent by node ; 1 We focus on transmsson power consumpton because recevng power consumpton s generally fxed and thus can be ncluded at a fxed value. There are also effectve methods such IEEE 82.11 sleepng modes to reduce power consumpton n dle states. 119
P,l =, for any l j, whch means that any other node cannot receve any packet sent by node. 2 Fgure 1 shows the setup. S communcaton radus usng maxmum power Fgure 1: Illustraton of the setup for the mpossblty result. We compare two acton profles. All nodes except node have the same actons n both profles. In both acton profles, any node except, j follows the protocol fathfully. Also n both acton profles, j almost follows the protocol except that t behaves as f t dd not receve the data packet wth sequence number, even f t does receve the packet. 3 However, has dfferent actons n these two profles: the acton a means that fathfully follows the protocol and forwards all packets; the acton a means that follows the protocol except that t dscards the data packet wth sequence number. Obvously, by no means can the system dstngush these two acton profles, because packet s always dscarded and there s no way to know who dscards t. Therefore, these two profles brng the same payment to : p (a, a ) = p (a, a ). On the other hand, a has a greater cost than a because t forwards one more packet: Thus we get c (a, a ) > c (a, a ). p (a, a ) c (a, a ) < p (a, a ) c (a, a ), whch s equvalent to u (a, a ) < u (a, a ). Ths contradcts the defnton of domnant acton. Remark The above theorem apples only f each node s autonomous and has the freedom to choose ts behavor. If, for example, the nodes behavor s restrcted by nstalled tamper-proof hardware, then a forwardng-domnant protocol can be desgned. Specfcally, consder the extreme stuaton n whch each node s completely bult on tamper-proof hardware n ths case, any protocol that forwards all packets s a domnant soluton. However, ad-hoc networks formed by nodes wth tamper-proof hardware may not be the common case. 2 We can make sure that such (, j) exsts on the packet forwardng path by consderng a stuaton n whch every path from S to D contans a lnk that satsfes the two condtons. Therefore, no matter whch path s chosen as the packet forwardng path, there s always a par (, j) on the packet forwardng path that satsfes these condtons. 3 It can be the case that j s utlty s lower f t pretends that t dd not receve the packet when t does receve the packet; for example, see [47]. However, ths s a vald acton of j. j D Remark The above theorem s vald n not only our model, but also many alternatve models. For example, although our model assumes asymmetrc lnks (.e., P,j s not necessarly equal to P j,), the above theorem s also vald wth symmetrc lnks (.e., (, j), P,j = P j,), f relable overhearng s not avalable. Even f we assume symmetrc lnks plus relable overhearng, the above theorem s stll vald as long as the protocol cannot always use the maxmum power level for transmsson. Proofs under these models are smlar. 3. THE CONCEPT OF A COOPERATION- OPTIMAL PROTOCOL Gven the surprsng result that there s no forwardng-domnant protocol to ad-hoc games, we need to weaken the requrements so that feasble protocols can be desgned and the protocols stmulate cooperaton. Below we ntroduce the concept of a cooperatonoptmal protocol for wreless ad-hoc networks wth non-cooperatve selfsh users. Specfcally, the routng and forwardng behavor of a node occurs n two stages: the routng stage and the forwardng stage. Accordngly, each node s acton n the ad-hoc game s dvded nto two parts: ts subacton n the routng stage and ts subacton n the packet forwardng stage. In the routng stage, the nodes subactons jontly decde a routng decson the content of ths routng decson s all nodes forwardng subactons, whch specfy what each node s supposed to do n the forwardng stage. In the forwardng stage, the routng decson (.e., what each node s supposed to do n ths stage) and the nodes forwardng subactons (.e., what each node really does n ths stage) jontly decde each node s utlty. Formally, we have a = (a (r), a (f) ), where a (r) s node s subacton n the routng stage, and a (f) s s subacton n the forwardng stage. Let a denote the actons of all nodes the routng subactons of all nodes, and a (f) the subactons of all nodes durng packet forwardng. A routng decson R s decded by the routng subactons of all nodes: R = R(a (r) ). Snce a routng decson conssts of all nodes supposed forwardng subactons â (f), we also wrte R = â (f). Fnally, each node s utlty u s decded by the routng decson R and the nodes actual subactons a (f) n the forwardng game: u = u (R, a (f) ). It s clear that utltes gven as above are consstent wth the orgnal defnton of utltes n ad-hoc games. Remark The possblty of dvdng a game nto stages has also been suggested by Fegenbaum and Shenker n ther PODC tutoral sldes [14]. The defntons above dvde an ad-hoc game nto two stages. 3.1 Defnng Soluton Concept to the Routng Stage DEFINITION 3. Gven a routng decson, the prospectve routng utlty of a node s the utlty that t wll acheve under the routng decson, f all nodes n the packet forwardng stage follow the routng decson (.e., f each node takes the forwardng subacton 12
desgnated by the routng decson). Formally, let R(= â (f) ) be a routng decson. Then node s prospectve routng utlty s u (R) = u (R, â (f) ). Note that u (p) depends only on R, and that R s decded by the routng subactons a (r). Therefore, u (p) s decded by a (r). Formally, we wrte u (R) = u (R) (a (r) ). DEFINITION 4. In a routng stage, a domnant subacton of a potental forwardng node s one that maxmzes ts prospectve routng utlty no matter what subactons other players choose n ths stage. Formally routng stage f, for any ā (r) u (R) (a (r) s node s domnant subacton n the a (r), any a (r) ) u(r) (ā (r) ). (1) Remark In the above defnton, note that a (r), ā (r) are all program segments responsble for routng. Because these program segments mght contan con flps (due to usng probablstc algorthms), for practcal purpose, we requre only that Equaton (1) be satsfed wth hgh probablty, 4 where the probablty s computed over the con flps n the nvolved program segments. Also note that n the above defnton we follow the conventon of focusng on motvatng nodes to forward traffc (e.g., [1, 11, 21, 33]); therefore the defnton apples only to the potental forwardng nodes. DEFINITION 5. A routng protocol s a routng-domnant protocol to the routng stage f followng the protocol s a domnant subacton of each potental forwardng node n the routng stage. To fnsh defnng the routng stage, we also need to decde who should do the route computaton. To avod an onlne central node to perform all computaton, n our model, the destnaton of each sesson does the computaton. Because the destnaton does not need to pay any node, nether wll t receve any payment, t s lkely to be relable. Ths s partcularly true n a hybrd archtecture such as [24, 28, 39], where the destnaton s a base staton. If there s a possblty that the destnaton s not trustworthy n computaton, we can apply a samplng technque to valdate the computaton of the destnaton. That s, for a randomly chosen sesson, a node may ntate a valdaton sesson to check f the computaton s vald. The node or a central authorty collects the relevant nformaton sent to the destnaton and verfes the computaton. In the case that the central authorty s not avalable onlne, f a node detects cheatng, t can report all relevant nformaton to the central authorty offlne. If cheatng by a destnaton s detected, a hgh penalty s assessed (e.g., the destnaton s removed from the system). To prevent potental denal of servce attack on such a valdaton process, the number of sessons that can be sampled by a node should be lmted. 3.2 Defnng Soluton Concept to the Forwardng Stage The separaton of routng and forwardng facltates desgn. However, there was no prevous study n the context of networkng n analyzng the ncentve ssues of a system consstng of multple 4 Hgh probablty means 1 mnus a neglgble functon, whch decreases super-polynomally. See, e.g., [19], for a formal defnton of neglgble functons. nterdependent protocols. To analyze such systems, we adopt the concept of extensve games. Specfcally, we consder an extensve game model. Ths model can be represented as a game tree: each vertex of the game tree corresponds to a wreless node (but each wreless node corresponds to multple vertces n the game tree) and each edge gong out of the vertex stands for a possble decson by ths node n the forwardng stage. See Fgure 2 for an example of game tree. Clearly, each subtree of the game tree corresponds to a subgame and each path from the root down to a leaf corresponds to a possble set of decsons by the wreless nodes n the forwardng stage. In classc game theory, such a path s sad to be a subgame perfect equlbrum f t s a Nash equlbrum for every subgame. drop tamper Node 1 forward Node 2 drop tamper forward drop tamper Fgure 2: An example game tree. Last node forward DEFINITION 6. A forwardng protocol s a forwardng-optmal protocol to the forwardng stage under routng decson R f all packets are forwarded to ther destnatons n ths protocol and followng the protocol s a subgame perfect equlbrum under routng decson R n the forwardng stage. 3.3 Defnng Soluton Concept to the Ad-hoc Game DEFINITION 7. A protocol s a cooperaton-optmal protocol to an ad-hoc game f ts routng protocol s a routng-domnant protocol to the routng stage; for a routng decson R generated by the precedng routng subactons, ts forwardng protocol s a forwardng-optmal protocol to the forwardng stage under R. To fnd a cooperaton-optmal protocol to an ad-hoc game, we frst desgn a routng-domnant protocol to the routng stage and then an forwardng-optmal protocol to the forwardng stage. Combnng these two protocols together, we desgn a cooperaton-optmal to the ad-hoc game. 4. A ROUTING PROTOCOL FOR THE ROUTING STAGE In ths secton, we present a protocol for the routng stage. The routng decson s based on the well-known VCG mechansm. However, we wll frst show that, a straghtforward applcaton of VCG to ths problem (e.g., the Ad-Hoc VCG protocol [1]) s not a domnantsubacton soluton due to the specal propertes of wreless ad-hoc networks. Then, we construct a domnant-subacton soluton by combnng VCG wth a novel cryptographc technque. 121
4.1 VCG Payment To motvate our desgn, we frst brefly descrbe a straghtforward applcaton of VCG to ths problem. (Ths s a smplfed verson of the Ad-Hoc VCG protocol [1]. We omt some detals of [1] to make the presentaton clearer.) Suppose that the destnaton collects the cost for each node to reach each of ts neghbors (where a neghbor s a node that the node under dscusson can reach at some power level l P). Denote the lowest (clamed-)cost path from the source S to the destnaton D by LCP (S, D); denote the lowest (clamed- )cost path from the source S to the destnaton D that does not nclude node by LCP (S, D; ). Then the destnaton smply chooses LCP (S, D) as the packet forwardng path from S to D, and the payment to node s p = cost(lcp (S, D; )) cost(lcp (S, D) {}), where the functon cost() sums the costs of all lnks on a path, LCP (S, D) {} conssts of the lnks on the LCP but wth the lnk startng from node removed, f node s on the path. The above descrpton assumes that the cost of each lnk s known to the transmtter of the lnk. However, the transmtter of a wreless lnk needs the recever s feedback to estmate the lnk cost, namely the requred power level. Handlng cheatng n estmatng lnk cost s a challengng task. Below we wll show that the lnk-cost estmaton scheme of the Ad-Hoc VCG protocol [1] s flawed; therefore ther overall protocol does not preserve ncentve compatblty. S Cost of lnk AB: A cheats only: 6 Gven A cheats, B cheats: 2 True cost: 1 4? 4 A B 6 6 C Fgure 3: Illustraton: VCG alone does not guarantee the exstence of a domnant-subacton soluton n routng. Consder the lnk-cost estmaton algorthm used n the Ad-hoc VCG protocol (see Equaton (2) of [1]). The transmtter sends a plot sgnal at a gven power level P emt ; the recever sends back the rato R between receved power level and target (mnmal) power level; and then the transmtter determnes ts transmsson power level P = P emt /R so that the operatonal power level s acheved at the recever. Gven ths protocol to determne lnk power level (.e., lnk cost), we have a smple example shown n Fgure 3 to show that a straghtforward applcaton of VCG cannot be a domnant-subacton soluton. Suppose that the real cost of lnk AB should be 1 (e.g., P emt = 5 and R = 5). Recall that a domnant subacton of B must be the best choce of B no matter what subactons other nodes (such as A) choose. Therefore, t s enough for us to consder the followng specfc subacton of A (wth an attempt to overclam ts lnk cost): A sends at P emt = 5; after recevng the feedback about the rato R between receved and target power level at the recever, nstead of clamng 5/R, node A clams 5/R 6. Then, f B does not cheat, the clamed cost of lnk AB wll be 5/5 6 = 6; f B chooses a cheatng subacton (to underclam the cost by reportng R = 15), the clamed cost of lnk AB can be decreased back to 2. D Wth ths subacton of A, f B does not cheat, then the LCP s the lower path n the fgure, B receves zero payment and has a utlty of. If B takes the above cheatng subacton, t receves a payment of 12-4-2=6 whch covers ts cost of 4 on lnk BD and results n a postve utlty of 2. Therefore, wth ths subacton of A, t s benefcal for B to cheat. Consequently, truthfully helpng A to report the cost s not a domnant subacton of B by the defnton of domnant subacton. 5 Note that the above example uses a bnary estmaton scheme. We can show smlar examples usng other estmaton schemes such as the well-known SNR based scheme. We remark that the proof of Ad-Hoc VCG [1] s nvald n the case llustrated above. In the proof of ther Lemma 2, they argue that a node lke B n Fgure 3 wll not underclam the cost of AB because, wth the underclamed cost, A wll not be able to reach B n the data transmsson phase. However, ths argument becomes nvald f A cheats. Just as shown n Fgure 3, wth a cheatng A, when B underclams the cost of AB, the clamed cost (= 2) s stll hgher than the real cost (= 1) of the lnk. Therefore, A should stll be able to reach B n ths case, and so the proof s flawed. The above problem s a drect consequence of mutually dependent types. Wth prvate types, ths problem does not exst. To see ths, we look at the same example. However, ths tme each node can determne the costs of ts outgong lnks by tself. Therefore, f the clamed cost of AB s 3 when A takes a cheatng subacton and B does not cheat, then the clamed cost of AB s stll 3 when A takes the same cheatng subacton and B takes any cheatng subacton. As a result, B s cheatng s no longer benefcal. (To gan more nsght, nterested readers can refer to the proof n [11] that VCG mechansms result n domnant acton f each user has a prvate type.) Consequently, the man remanng techncal challenge s how to prevent neghbors from cheatng n determnng lnk cost. Below we present a cryptographc technque to address ths ssue. 4.2 Prevent Cheatng n Determnng Lnk Costs Consder a node and ts neghbor j. There are two possbltes of cheatng by node j regardng the cost P,j: Case (A): node j cheats by makng P,j greater. Case (B): node j cheats by makng P,j smaller. In case (A), because we choose the lowest clamed-cost path, node j becomes less lkely to be on the packet forwardng path (and thus less lkely to get pad). Even f node j s stll on the packet forwardng path, ts payment wll decrease. In summary, ths knd of cheatng s not benefcal to node j. Therefore, f we can fnd a way to prevent case (B), then we can prevent a neghbor from cheatng. We prevent case (B) usng a cryptographc technque. Node sends pseudo-random test sgnals at ncreasng power levels. Each test sgnal contans the cost nformaton of node at the correspondng power level. We requre that node j report all the test sgnals t receves to the destnaton. Because test sgnals sent at lower power levels are not receved by node j drectly and other nodes who can hear s sgnals can not relay them to j under our model n Secton 2, node j has no way to report such a test sgnal to the destnaton. 6 Fnally, the destnaton translates node j s reported test 5 Note that ths example does not nvolve any colluson, because a colludng group maxmzes the group s overall utlty n some sense (e.g., sum of group members utltes), whle n our example, we only consder the utlty of one sngle node, B. 6 Note that ths s a bnary lnk model. We wll consder a more general lossy lnk model n Secton 6. 122
sgnals to derve the correspondng costs and selects the mnmum cost for node to reach node j. To acheve the above goal, suppose that node shares key k,d wth the destnaton D. Also suppose that the dentfer of the sesson s (S, D, r), where r s a random number used to dstngush dfferent sessons wth source S and destnaton D. Then, for each avalable power level l (n ncreasng order), node computes a test sgnal h l by encryptng [S, D, r, l, α ] (where α s a cost-ofenergy parameter representng the cost of unt energy at node ) usng key k,d and attachng a Message Authentcaton Code (MAC) usng the same key. Snce only and D know k,d, only and D can compute these test sgnals (h l s). Furthermore, h l s protected by the MAC so that t s nfeasble for any other node to tamper wth h l. Note that, n the above formula, S, D, and r cannot be omtted because we do not want dfferent sessons to use the same h l. To set up a shared key k,d between node and destnaton D, we use the well-known Dffe-Hellman key exchange n cryptography: suppose that node has a prvate key k and a publc key K = g k, and that D has a prvate key k D and a publc key K D = g k D (where g s a prmtve root n a group where computng dscrete logarthm s hard). Then we have k,d = g k k D = (K D) k = (K ) k D. Note that node can get k,d by computng (K D) k and D can get t by computng (K ) k D. Readers who are not famlar wth cryptography can read references such as [41] for detals. 4.3 Protocol for the Routng Stage Gven the precedng soluton, next we present our routng protocol. The protocol s an on-demand routng protocol n that the source ntates a route dscovery after recevng a sesson from the applcaton layer. (For ease of presentaton, n the followng protocol descrpton we assume, P = P.) 4.3.1 Source node s test sgnals Source S starts a sesson of M packets. Source S dvdes the packets nto M/b blocks, where b s the number of packets n a block. Source S pcks a random number r. Let H be a cryptographc hash functon. S computes r = H M/b (r ). (Note that r depends on the number of blocks n the sesson ths property wll be useful n the packet forwardng protocol.) For each power level l P (n ncreasng order), S sends out (TESTSIGNAL, [S, D, r], [S, h l ]) at power level l, where h l contans an encrypton of [S, D, r, l, α S] usng key k S,D and a MAC of the encrypton usng the same key. 4.3.2 Intermedate node s test sgnals Upon recevng (TESTSIGNAL, [S, D, r], [P, h]) from an upstream neghbor P, an ntermedate node does the followng. Node sends out (ROUTEINFO, [S, D, r], [P,, h ]) at power level P ctr (where P ctr s a power level for control messages such that the communcaton graph s connected when all lnks use power level P ctr for transmsson). Here h s computed by encryptng h usng key k,d. For ntegrty, ths message s protected by a MAC usng key k,d. If the TESTSIGNAL s the frst one receves for sesson (S, D, r), then for each l P (n ncreasng order), node sends out (TESTSIGNAL, [S, D, r], [, h l]) at power level l, where h l contans an encrypton of [S, D, r, l, α ] usng the key k,d and a MAC of the encrypton usng the same key. 4.3.3 Route nformaton forwardng Upon recevng (ROUTEINFO, [S, D, r], [P,, h]), an ntermedate node j does the followng: If ths ROUTEINFO s new to node j, then node j sends out (ROUTEINFO, [S, D, r], [P,, h]) at power level P ctr. 4.3.4 Destnaton protocol Destnaton D mantans a cost matrx for each sesson (S, D, r). Each entry of ths matrx s an array of power level and cost-ofenergy parameter. Upon recevng (TESTSIGNAL, [S, D, r], h) from neghbor P, D decrypts h, verfes the MAC usng the key k P,D, and translates h to the correspondng power level l and cost-ofenergy parameter α P. D records (l, α P ) n the cost matrx s entry for lnk (P, D). Upon recevng (ROUTEINFO, [S, D, r], [P,, h]), D decrypts h, verfes the packet s MAC usng key k,d, and translates h to the correspondng power level l and cost-ofenergy parameter α P. D records (l, α P ) n the cost matrx s entry for lnk (P, ). After collectng all lnk cost nformaton, D checks, for each lnk, that the cost-of-energy parameter does not change. Then D chooses the mnmum power level n record for each lnk, whch determnes the mnmum lnk cost together wth the cost-of-energy parameter. D computes the lowest cost path from S to D n ths cost graph, usng Djkstra s algorthm. Denote the computed lowest cost path by LCP (S, D). LCP (S, D) s the chosen path for packet forwardng. Recall that the lowest cost path n the graph wthout node by LCP (S, D; ). Then the unt payment (.e., the payment for one data packet) to node s p = cost(lcp (S, D; )) cost(lcp (S, D) {}). (Note that all the above computaton can be fnshed n O(N 3 ) tme.) 4.4 Analyss of the Routng Protocol THEOREM 2. If the destnaton s able to collect all nvolved lnk costs, then the protocol gven n Secton 4.3 s a routng-domnant protocol to the routng stage. PROOF. Consder node. Let a (r) be the subacton of node n the routng stage that follows the protocol fathfully. Let ā (r) a (r) be a dfferent sub-acton. Let a (r) be an arbtrary subacton profle of all other nodes n ths stage. We wll show that u (R) (a (r) ) u(r) (ā (r) ). We note that the dfference n node s subacton (ā (r) versus ) can only lead to dfference n the clamed costs of lnk (, j) s a (r) and/or lnk (j, ) s (whch, n turn, may nfluence the routng decson and the prospectve utlty). Because we are usng VCG payment, the prospectve utlty of node s ndependent of clamed costs of lnk (, j) s. So t s enough to consder the dfference n clamed costs of lnk (j, ) s. Note that our cryptographc technque prevents node from reducng costs of lnk (j, ) s (wth hgh probablty). Therefore, wth ā (r), the clamed costs of lnk (j, ) s can 123
only be greater or unchanged. For smplcty, let us assume that the cost of only one lnk (j, ) s ncreased by ā (r). (If more than one such lnk costs are ncreased, we can prove the result smlarly, by consderng the change of one lnk cost at a tme.) There are three cases: (1) Wth a (r), node s not on the packet forwardng path. In ths case, wth ā (r), node s stll not on the packet forwardng path, because ncreasng an upstream neghbor s cost to reach a node cannot move ths node tself to the lowest cost path. Therefore, u (R) (a (r) ) = u(r) (ā (r) ) =. (2) Wth a (r), node s on the packet forwardng path, but the lnk (j, ) s not (.e., node j s not the upstream neghbor of node along ths path). Then wth ā (r) (.e., wth ncreased cost of lnk (j, )), the packet forwardng path s not changed. Because the lnk (j, ) s not on LCP (S, D), cost(lcp (S, D)) s not changed. Because the lnk (j, )) has an end pont, t cannot be on LCP (S, D; ); thus cost(lcp (S, D; )) s not changed. Therefore, p s not changed. Consderng the cost of s not changed as well, we know that s prospectve utlty s not changed: u (R) (a (r) ) = u(r) (ā (r) ). (3) Wth a (r), node s on the packet forwardng path, and so s the lnk (j, ) (.e., node j s the upstream neghbor of node along ths path). Then wth ā (r), we wll have a greater cost(lcp (S, D)). Therefore, p decreases and so does the prospectve utlty: u (R) (a (r) Thus we fnsh the proof. ) > u(r) (ā (r) ). Remark Note that a routng-domnant protocol works n practce only f the computed payments can be enforced, and that the enforcement of payments s addressed n the forwardng stage. Remark All the above analyss gnores the cost of control messages. Remark Our proof covers all possble subactons, ncludng clamng false power levels and clamng false cost-of-energy parameters. 5. A SECURE FRAMEWORK FOR THE PACKET FORWARDING STAGE In the precedng secton we have descrbed our routng protocol, n ths secton we descrbe our packet forwardng protocol. 5.1 Desgn Technques We frst descrbe our desgn technques. 5.1.1 Block confrmaton usng reversed hash chan For effcency, data packets of a sesson wth M packets are transmtted n blocks. Each block conssts of b packets (except the last block n a sesson whch may have fewer packets). After the transmsson of each block, the destnaton gves the ntermedate nodes a confrmaton, whch proves that they have succeeded n transmttng ths block. Only after gettng ths confrmaton wll the ntermedate nodes contnue to forward the next block. We gve a very effcent way to mplement block confrmatons usng reversed hash chan. Recall that H s a cryptographc hash functon. Let r be a random number selected by the source of a sesson. The source computes r m = H m (r ) for block m. Because there are altogether M/b blocks, we let r = r M/b. The source makes r publc and computes r M/b m as the confrmaton of the m-th block. Therefore, t s very easy for any ntermedate node (and any outsder) to verfy ths confrmaton by checkng r = H m (r M/b m ). On the other hand, t s nfeasble for any ntermedate node to forge the confrmaton of any block that has not been successfully transmtted to the destnaton. Note that, when an ntermedate node receves the confrmaton of the m-th block, t can drop the confrmaton of the (m 1)-th block because the m-th block s confrmaton actually proves that all the frst m blocks have been successfully transmtted. 5.1.2 Mutual decson to resolve conflct It s stll possble that the source and the ntermedate nodes dsagree about whether the next block (.e., the block mmedately after the last one that has a confrmaton) has been successfully transmtted. To elmnate the ncentves to cheat, we use a technque called mutual decson [23]. That s, the source decdes whether the ntermedate nodes should be pad for the next block, whle the ntermedate nodes decde whether the source should be charged for ths block. Note that no node wll decde payment/charge to tself for ths block. Therefore, every node has no ncentve to cheat. Specfcally, the source sends the encrypted confrmaton at the end of the correspondng block to the destnaton, and the destnaton releases the (decrypted) confrmaton f t has receved the block successfully. If an ntermedate node has transmtted a block but does not get the confrmaton, t submts the routng decson to the system (e.g. the central bank n [47]) so that the source s stll charged for ths block. 5.2 Protocol for Packet Forwardng 5.2.1 Routng decson transmsson phase Upon fnshng the routng dscovery phase, the destnaton D sends the routng decson ([S, D, r], LCP (S, D), P S, {(P, p ) s an ntermedate node on LCP (S, D)}), wth a dgtal sgnature along the reversed path of LCP (S, D), where P (resp., P S) s the power level that node should use to forward (resp., send) data packets and p s the unt payment node should receve. Each ntermedate node forwards the routng decson at a power level that can reach the upstream neghbor of the forward path of LCP (S, D). For ease of explanaton, we assume lnks are bdrectonal n ths secton. 5.2.2 Data transmsson phase Upon recevng the sgned routng decson, the source verfes the dgtal sgnature accompaned the decson. If the sgnature s vald, the source enters the data transmsson phase. In ths phase, the source and the ntermedate nodes send data packets at the computed power levels (P S or P n the routng decson, respectvely). The source node sends out data packets n blocks. Recall that each block contans b packets. Together wth the last data packet n the m-th block, the source sends out r M/b m = H M/b m (r ) (whch s encrypted usng key k S,D = K k S D ). Then t wats for a confrmaton before t sends the next block. Once the source sends out packets n a block, the ntermedate nodes forward them along LCP (S, D) to the destnaton. After fnshng a block, the ntermedate nodes also wat for a confrmaton before they start forwardng the next block. Once the destnaton receves all the packets n a block, t decrypts r M/b m. It 124
sends r M/b m n clear-text back along LCP (S, D), as a confrmaton of ths block. Upon recevng the confrmaton of the mth block, each ntermedate node verfes that r = H m (r M/b m ). If ths s correct, then the ntermedate node saves the confrmaton (whch replaces the prevously saved confrmaton n ths sesson) and forwards t back along LCP (S, D). Upon recevng the confrmaton of one block, the source node starts sendng the next block. Suppose that, n a sesson, the last confrmaton saved by node s r M/b m. Then all node j before on the path gets a payment of p j b m from the source by submttng ths confrmaton to the system. If some packets n the (m + 1)-th block have been transmtted but the confrmaton s never receved, then the ntermedate nodes submt the routng decson to the system so that the system charges the source node p b n addton. Note that ths amount of credt does not go to the ntermedate nodes, but goes to the system. 5.3 Analyss of the Packet Forwardng Protocol THEOREM 3. Suppose that R s a routng decson computed by the routng subactons desgnated by the protocol n Secton 4.3. Assume that, for any node on the packet forwardng path, the computed payment s greater than the cost. Then the protocol presented n Secton 5.2 s a forwardng-optmal protocol to the packet forwardng stage under R. PROOF. We use a standard game-theoretc technque, backward nducton, to gve our proof. Usng ths technque, we start from the end of the forwardng stage and show that the ntermedate nodes should forward the confrmaton of the last block as specfed n the protocol; then we go back n tme and show that each node makng a decson n the forwardng stage should follow the protocol; thus, we can conclude that followng the protocol s a subgame perfect equlbrum. It s clear that each ntermedate node should forward the confrmaton of the last block because we gnore the cost of control packets (no matter they forward control packets or not, they get the same amount of payment and have the same amount of cost). Gong back one step n tme, we fnd that, for the same reason, the destnaton should send out ths confrmaton. Furthermore, we note that the last node on the path before the destnaton should forward the last packet to the destnaton, because otherwse t would not get the confrmaton and would lose the payment for the last block. Therefore, each node on the path should also forward the packet gven that the nodes after t would forward the packet. A smlar argument works for every packet n the last block. Then we go back to the last-but-one block and have a smlar argument for ths block. Fnally, we go back to the routng decson transmsson phase. In the phase, note that the ntermedate nodes cannot tamper wth the routng decson because t s protected by a dgtal sgnature. If an ntermedate node drops or corrupts the routng decson packets, then the sesson stops and t has a utlty of. Because the payment would be greater than the cost f the sesson does not stop, t s a better choce for the node to forward the routng decson packets. Remark The precedng theorem requres the condton that for any node on the packet forwardng path, the computed payment s greater than the cost. Ths condton s necessary to avod the scenaro that f the payment s equal to the cost, then a slght dsturbance wll cause the node to behave dfferently. Ths condton s practcal n that t s unlkely that a node wll cooperate f the payment s just enough to cover the cost. THEOREM 4. Our complete protocol, ncludng the routng protocol n 4.3 and the packet forwardng protocol n 5.2, s a cooperatonoptmal protocol to ad-hoc games under prevous condtons. PROOF. Ths mmedately follows from Theorems 2 and 3. 6. EXTENSION TO LOSSY LINKS In the precedng sectons, we study ad-hoc games usng the bnary lnk model, whch assumes that there exsts a power threshold for each lnk, such that any packet sent at ths power level or above can be receved, and that any packet sent at any lower power level cannot be receved. However, n some networks, we may need to consder lossy lnks (see, e.g., [2, 1, 25, 16, 45, 46]). For such lnks, packets receptons are probablstc n the sense that each packet s receved wth a probablty, and the probablty s decded by the power level at whch the packet s sent. In ths secton, we show how to extend our work for the bnary lnks to these lossy lnks. Wth such lossy lnks, there are three questons that need to be addressed: (1) For each lnk, how do we estmate the transmsson success rate at each power level? (2) For each lnk, gven the transmsson success rate at each power level, how do we choose the power level at whch data packets should be sent? (3) How do we adapt our protocols to lossy lnks, usng the answers to (1) and (2)? 6.1 Estmatng Transmsson Success Rate Consder a lnk (, j). Suppose that, when node sends a packet at power level l, the transmsson success rate, (.e., the probablty that node j receves ths packet,) s S,j(l). What we need to do s to estmate S,j(l) for l P. To estmate S,j(l), we let node send N s packets. Suppose that node j receves N r of them. If we smply estmate S,j(l) based on these N s packets, then clearly our estmate of S,j(l) s Ŝ,j(l) = Nr N s. However, we actually have more nformaton that we can use for estmatng S,j(l): We know that S,j(l) s a monotoncally ncreasng functon of l. 7 Therefore, we can use the followng algorthm to estmate S,j(l): (For notatonal smplcty, we present the algorthm for the case P = {1, 2,..., P max}. It s straghtforward to extend ths algorthm to any power level set P.) For l = 1,..., P max, set x(l) = Nr N s. Set Ŝ,j(1) = x(1). For l = 2,..., P max, f x(l) max l <l{x(l )}, then set Ŝ,j(l) = x(l); otherwse leave ths entry empty, because ths entry volates the knowledge that S,j(l) must be ncreasng. For l = 2,..., P max, f Ŝ,j(l) s an empty entry, do the followng: Case A: There s a non-empty entry after Ŝ,j(l). Then suppose that the nearest non-empty entry before Ŝ,j(l) s Ŝ,j(l ), and that the nearest non-empty entry after t s Ŝ,j(l ). We gve an estmate of S,j(l) usng a lnear nterpolaton based on these two values: Ŝ,j(l) = ((l l)ŝ,j(l ) + (l l )Ŝ,j(l ))/(l l ). 7 We may even know more than that. For example, certan analytcal expressons can be derved for the transmsson success rate n some lnk models [37]. However, because these models are stll under nvestgaton, we do not utlze such nformaton. 125