An Untraceable Coin-based Incentive Scheme for Multi-Hop Networks

2005 International Conference on Wireless Networks, Communications and Mobile Computing

Ammar Alkassar, Susanne Wetzel

Ammar Alkassar is at Saarland University, Department of Computer Science, Cryptography and Security Research Group, D-66123 Saarbruecken, Germany. His work was done during a research stay at Stevens Tech and was partly supported by the European Union within the FIDIS Network of Excellence. E-Mail: [email protected]. Susanne Wetzel is at Stevens Institute of Technology, Department of Computer Science, Castle Point on Hudson, Hoboken, NJ 07030. E-Mail: [email protected].

0-7803-9305-8/05/$20.00 ©2005 IEEE

Abstract. Encouraging cooperation in self-organizing ad hoc networks has been an important task in the last few years. The main focus of previous work is on providing protocols which encourage packet forwarding in multi-hop networks in the absence of a managed infrastructure. Protocols proposed to date, however, do not consider any aspects of anonymity. Instead, the identities of the communicating entities as well as the route, including the identities of the intermediate nodes, are revealed. In this paper, we propose a protocol that provides an efficient incentive mechanism for forwarding packets while keeping the identities of the participating entities private and untraceable.

I. INTRODUCTION

In recent years, autonomous, self-organizing, wireless multi-hop networks have received increased attention due to their potential applications. In contrast to common communication models, e.g., cellular mobile networks, self-organizing multi-hop networks do not rely on any pre-existing infrastructure. Instead, every user device is a potential intermediate node for forwarding data packets, thus becoming part of the network infrastructure. Due to their distributed design these networks become a powerful and reliable tool for establishing a transport infrastructure using equipment already deployed and under operation.

However, ensuring reliable services in self-organizing networks raises different problems than in common networks with a centrally managed infrastructure. By and large this is due to the fact that, for an individual node, forwarding traffic for others is a "losing deal", as it consumes potentially limited resources. On the other hand, each node will need the help of others when trying to send its own packets. Thus, finding a balance and motivating nodes to cooperate in forwarding packets is one of the main problems to be solved in the context of self-organizing networks.

Most models addressing this problem to date are based on the assumption of rational, selfish behavior of participating nodes. That is, a node will engage in the protocol if it is beneficial to do so. Consequently, incentives are used to encourage the nodes to participate, either by rewarding nodes for their efforts of forwarding other nodes' packets (e.g., [7], [8], [17], [25], [3]) or by punishing them if a deviation from the protocol is discovered (e.g., [6], [20], [19]).

The main problem which is not yet addressed by common solutions is how to provide incentive mechanisms for multi-hop networks which not only encourage collaboration between nodes but at the same time keep communication relationships unlinkable and ensure the anonymity of participating nodes. In single-hop wireless networks, e.g., base-station-oriented cellular networks, a subscriber can obtain a sufficient level of privacy by activating his device only for the purpose of sending or receiving data. In contrast, in multi-hop networks the user is required to keep his device activated at all times in order to maintain a viable networking infrastructure for everyone. In this paper we propose a protocol that not only meets the increasing need for (location) privacy but also provides an efficient incentive mechanism for forwarding packets in a multi-hop wireless network.

The rest of the paper is organized as follows: In Section II we review related work. In Sections III and IV we introduce the model and the building blocks of our solution. Subsequently, we present and analyze our protocol. We close this paper with some remarks on open problems and future work.

II. RELATED WORK

Ad hoc Network Models. One generally distinguishes between fully self-organizing multi-hop networks and hybrid networks. While the former do not rely on the existence of any infrastructure, the latter introduce some operational authority such as, for example, a provider-driven base station (e.g., [24], [17], [3]). In symmetric hybrid networks both the route to and the route from the base station are multi-hop. In contrast, in asymmetric hybrid networks (e.g., [17]), the routes to any base station are multi-hop while the routes from any base station to any node are single-hop.

Routing Protocols. In ad hoc networks, routing protocols are generally categorized as proactive or reactive. In proactive routing protocols, the routing information is maintained in local routing tables which are updated regularly by means of update messages. Unlike proactive routing, reactive routing protocols are on-demand schemes in that routes are discovered or updated as needed. While proactive protocols suffer the overhead of regular updates, reactive protocols potentially exhibit an expensive route discovery before data transmission. Secure routing protocols such as, for example, [15], [9] address security vulnerabilities ranging from DoS attacks, cheating nodes and forging of routing information to impersonation of nodes. Solutions include the use of strong cryptography (e.g., authentication methods, hash chains, threshold cryptography) as well as reputation-based methods. Solutions that also address the issues of anonymity and unlinkability

include protocols such as [18], [16]. While [18] uses a public-key protected onion, called onion routing, a term originally introduced by Syverson et al. [23], Capkun et al. [16] propose a solution for hybrid networks in which the operator not only has access to the location and identity of registered nodes but also shares a secret key with each individual node.

Incentive Mechanisms. Mechanisms to encourage collaboration can be positive (reward) or negative (punishment) in nature. The latter approach is, for example, taken in reputation systems like CONFIDANT [6], CORE [20], and the watchdog/pathrater approach by Marti et al. [19]. They mainly consist of sophisticated observation and reporting mechanisms combined with a clear punishment strategy. Rewarding systems like [7], [8], [17], [25], [3], on the other hand, employ some payment or crediting system in order to charge and reward participants: one participant (in most cases the originator or the destination) is charged for services and all intermediate nodes along the route are paid for their forwarding efforts. In hybrid networks, the base station can monitor packets, enforce the rewarding policy and detect attacks [3], [17]. In self-organizing multi-hop networks, on the other hand, rewards can, for example, be redeemed through a clearing authority [25]. An alternative approach is the local broadcast technique [7]. This technique links the actual forwarding of packets with remuneration. The information a node needs for getting remunerated is included in the packet which is sent by the subsequent hop. Receiving the broadcast from the next hop forwarding the original packet confirms that the claiming node forwarded the packet and that it was received by the next hop. The technique relies on the assumption that radio links are symmetric. Most incentive schemes proposed to date require some sort of trust. Trust is established, for example, by means of a public key infrastructure (e.g., [25]) or through the use of tamper-resistant hardware, which can be viewed as a distributed trusted third party (e.g., [7], [8], [17]).

Anonymous Off-line Coin-based Payment Systems have properties similar to those of common monetary systems using real coins. In particular, these electronic payment systems are anonymous and the genuineness of the coins can be verified by the payee. Electronic payment schemes are built on the two basic primitives of blind signatures and double-spender identification [10], [14], [11], [12]. Extensions of the original work include [4], which uses a modified version of the Chaum-Pedersen signature scheme [13].

III. MODEL, APPROACH AND REQUIREMENTS

Anonymity and Unlink­ability. We define anonymity of any node as this node not being identifiable within the set of all participating nodes. Two or more nodes or messages are said to be unlinkable within the system if the messages or nodes are no more and no less related than they are related with respect to some a-priori knowledge. In other words, no one (regardless of whether it is a node or an outside observer) will gain any advantage in relating messages or nodes from observing the system (a-posteriori knowledge). For example, two messages are unlinkable if the probability that they are sent by the same sender and/or received by the same recipient is the same as that imposed by some a-priori knowledge.

Network Model. Our system is based on a fully self-organizing multi-hop network. We assume wireless links to be symmetric, i.e., if a node $N_i$ is in transmission range of some node $N_j$, then $N_j$ is in transmission range of $N_i$. Nodes which are in each other's transmission range are said to be neighbors. Nodes communicate via local broadcast, i.e., all neighbors receive the transmission at once. Communication is based on reactive routing. It is packet-oriented and organized in sessions. A session is defined as the sequence of route discovery and the transmission of all packets between a fixed source and a particular destination (see footnote 1). The packet size is a fixed, system-wide parameter.

Footnote 1. We do not explicitly distinguish acknowledgement messages from other data messages. If needed, they may be treated as data messages. It is beyond the scope of this paper to determine whether it would be more efficient to explicitly include error handling and acknowledgements in the protocol, thus avoiding extra sessions.

Adversarial Model. Depending on their capabilities, we distinguish three types of adversaries. While we assume that each attacker controls a particular node, we allow attackers to collaborate. We make the pessimistic assumption that all attacked nodes are controlled by the same adversary.
• Eavesdropper: a passive attacker who intercepts all incoming and outgoing communication of the attacked node.
• Manipulator: an active attacker who manipulates communication to and from an attacked node, i.e., who deletes and modifies correct messages or adds forged messages sent to or from the attacked node.
• Impersonator: an active attacker who can not only manipulate communication for a particular node but can impersonate an attacked node, i.e., can simulate the behavior of an attacked node in a manner that is indistinguishable from the correct behavior of the attacked node. We restrict impersonators from colluding with the clearing service, a special entity we introduce later.
We assume our attacker to act rationally. That is, an adversary will only attempt to cheat if the expected benefit of doing so is greater than the benefit of acting honestly. We assume all nodes to be honest. Dishonest nodes are modeled as adversaries.

Incentive Model. For our incentive mechanism we use electronic coins as system-wide currency. Each node may withdraw coins from and clear coins with a so-called clearing service (see footnote 2). The system allows for coins of different but fixed denominations. For each intermediate node (on the route from the source to the destination) the source node will withdraw one coin of sufficient denomination from the clearing service. The denomination of a coin directly corresponds to the maximum number of data packets to be transmitted during a session. That is, in order to have $n$ intermediate nodes each forward $p$ data packets (of fixed size), the source node must withdraw $n$ single coins of denomination $d \geq p$ from the clearing service. Coins are valid for one particular session only; unused portions of a coin cannot be used up in subsequent sessions. A node is charged upon withdrawing coins and rewarded when presenting received coins. Rewards are given only in the amount corresponding to the actual number of forwarded packets. A source node may claim a refund for the difference between the denomination of the coin (used to pay an intermediate node for its efforts during a particular session) and the amount corresponding to the packets for which a reward was claimed (see footnote 3). For simplicity we assume that every node can regularly establish a direct, i.e., single-hop, link to the clearing service. In order to assure unlinkability, the refund is to be handled by a separate trusted third party.

Footnote 2. It is also the clearing service which handles the exchange of electronic coins and real money. The system can be generalized using multiple (possibly hierarchically organized) clearing services.

Footnote 3. Every coin is valid for some fixed, limited time only. Refunds may be claimed after a coin has expired. Since the internal clock of one node may deviate from the internal clocks of other nodes in the ad hoc network, nodes should only accept coins which have enough time left until expiry.

Security Model. The system is considered to be secure if the incentive mechanism is fair and messages, respectively participants, are anonymous and unlinkable. The incentive mechanism is fair if no node can gain any (monetary) advantage by cheating, i.e., by deviating from the protocol. With respect to cheating one generally distinguishes (see for example [3]) between the refusal to pay and a false reward claim. The latter is a node trying to claim a monetary reward for packet forwarding it never performed. The refusal to pay is characterized by a node refusing to pay for the forwarding services performed by intermediate nodes. Free-riding is a special case of refusing to pay in that collaborating nodes try to misuse the protocol in order to avoid charges (e.g., by interleaving sessions or using side channels).

IV. BUILDING BLOCKS

Before we detail our untraceable coin-based incentive system, we first introduce the main building blocks of our scheme.

Encryption and Authenticated Encryption. In our construction, we make use of symmetric encryption schemes and authenticated encryption schemes. We define an authenticated encryption scheme as the triple $\Pi = (\mathrm{enc}, \mathrm{dec}, \mathrm{gen})$. Upon input of a security parameter $L$, the probabilistic key generation algorithm gen generates the key $k \leftarrow \mathrm{gen}(L)$. Using key $k$, the deterministic encryption function enc is applied to message $M$ and nonce $N$, yielding the ciphertext $C = \mathrm{enc}_k(N, M)$. The nonce is required to be non-recurring. The deterministic decryption algorithm $\mathrm{dec}_k(N, C^*) \in \{\bot, M\}$ returns $M$ on input $C^*$ if and only if $C^* = \mathrm{enc}_k(N, M)$, and otherwise the failure symbol $\bot$. With respect to privacy we require the scheme to be secure in terms of indistinguishability under chosen-ciphertext attacks and, for integrity, in terms of integrity of plaintexts, both as defined in [1]. The encryption scheme $\Lambda = (\mathrm{enc}^e, \mathrm{dec}^e, \mathrm{gen}^e)$ (without authentication) is defined as above, except that the decryption function is only required to fulfill $\mathrm{dec}^e_k(N, \mathrm{enc}^e_k(N, M)) = M$. Its security with respect to privacy is defined in terms of indistinguishability under chosen-plaintext attacks. Additionally, we require
$$\mathrm{enc}^e_k(N, x[l\ \mathrm{bits}]) = \mathrm{enc}^e_k(N, x)[l\ \mathrm{bits}] \quad \text{for } |x| > l,$$
where $z[l\ \mathrm{bits}]$ denotes the first $l$ bits of the binary representation of $z$. E.g., the cipher feedback and output feedback modes of operation used with an arbitrary block cipher fulfill this additional requirement (see footnote 4). The equality presupposes that the same key and nonce are used on both sides; for cipher feedback mode it holds at the granularity of the feedback segment, and an authenticated scheme cannot have this property at all, since its output must depend on the entire message.

Footnote 4. The need for this requirement will be explained later in our protocol description.

Hash Functions. Our construction makes use of different types of hash functions. We use correlation-free one-way hash functions $\mathcal{H}'$ (as defined in [21]) in Brands' payment scheme. Furthermore, we use hash functions $\mathcal{H} : \{0,1\}^* \to \{0,1\}^l$ that have at least the one-way property. In practice, one may use common instantiations of random oracles as described in [2] that are based on common heuristic hash constructions like SHA-1 or RIPEMD.

Brands' Payment Scheme. As payment scheme we use Brands' anonymous, off-line payment system [4], which employs a blind signature scheme based on discrete logarithms (building on the Chaum-Pedersen scheme [13]). Since the payment scheme is a main component of our system, we briefly review the main protocol steps:

System Setup. First, the participating bank (also known as clearing service) chooses primes $q_1, q_2$, generators $g, g_1, g_2$ and, for every denomination $D_d$, determines $h_d = g^{x_d}$ with $x_d \in_R \mathbb{Z}_q^*$. We write "$\in_R$" for "chosen randomly and uniformly from". The $x_d$ are kept private while all other parameters are published. For simplicity it is assumed that every payer/payee (node) already has a conventional account with the bank and that these participants have already obtained a key pair $(sk_p, pk_p)$ of an arbitrary signature scheme that can be used to authorize actions with respect to their bank account. Every participating node chooses a secret random number $id \pmod q$ and provides the bank with $f = g_1^{id}$ ($id$ is referred to as the identity of this node). The node proves to the bank knowledge of $id$ using Schnorr's identification protocol [22]. The node itself signs, using the agreed signature scheme, that $m = f \cdot g_2$ will be used for his withdrawals. If the bank can later show a value $id$ with $g_1^{id} g_2 = m$, this will count as proof that a coin from this payer was spent twice (see footnote 5).

Withdrawal. Withdrawing coins is an interactive protocol in which the payer requests a blind Chaum-Pedersen signature for each coin, using the $m$ to which he committed himself earlier for all his withdrawals. At first the bank generates $w \in_R \mathbb{Z}_q$ and sends $a = g^w$ and $b = m^w$ to the payer. The payer generates $s, y_1, y_2, u, v \in \mathbb{Z}_q$ ($s \neq 0$, and $u \neq 0$ so that $u$ is invertible modulo $q$) and computes $a' = a^u g^v$ and $b' = b^{su} A^v$ with $A = m^s$, $B = g_1^{y_1} g_2^{y_2}$ and $z' = z^s$, where $z = m^{x_d}$ is the bank's value corresponding to $m$ (so that $z$ relates to $m$ as $h_d$ relates to $g$). In the second move, the payer sends the blinded challenge $c = c' u^{-1} \pmod q$ with $c' = \mathcal{H}'(A, B, z', a', b')$ to the bank. In a final step the bank responds by sending $r = c x_d + w \pmod q$ and debits the (real) account of the payer with an amount of (real) money corresponding to the denomination of the withdrawn coin. The payer verifies that $g^r = h_d^c a$ and $m^r = z^c b$, and computes $r' = ur + v \pmod q$. Now the payer can use the triple $(A, B, \sigma)$ with $\sigma = (z', a', b', r')$ as coin in the payment protocol (see footnote 6).

Footnote 5. This mechanism is the essence of the double-spender identification and will become clear later: the secret value $id$ will be revealed if the same coin using this $id$ is used in two different payments.

Footnote 6. Every coin has an expiration date, which is included as an additional parameter in $\mathcal{H}'$.

Payment. The payment is also a 3-move interactive protocol: In order to pay for some service, the payer sends his coin $(A, B, \sigma)$ to the recipient. The recipient then checks the validity of the coin by verifying $g^{r'} = h_d^{c'} a'$ and $A^{r'} = z'^{c'} b'$ with $c' = \mathcal{H}'(A, B, z', a', b')$. The recipient furthermore selects a random nonce $r$ and sends it to the payer. Both the payer and the recipient calculate the challenge $C = \mathcal{H}'(A, B, r)$. In a final step, the payer responds to the recipient by sending $(\sigma_1, \sigma_2)$ with
$$\sigma_1 = C \cdot id \cdot s + y_1 \pmod q, \qquad \sigma_2 = C \cdot s + y_2 \pmod q.$$
The recipient accepts the coin if $g_1^{\sigma_1} g_2^{\sigma_2} = A^C B$. If the payer has agreed on a nonce with the recipient beforehand for this payment, we can collapse the payment step to one single move, since both can compute the challenge by themselves.

Deposit. In order to clear a received coin, the recipient presents all information exchanged during the payment, including the received coin, the responses $(\sigma_1, \sigma_2)$ and the nonce $r$, to the bank. The bank first checks the validity of the coin (as done by the recipient, see above) and, additionally, verifies that this coin has not been used in any other payment. If it has, the two sets of responses were computed for two different challenges $C \neq \tilde{C}$, so that $\sigma_1 - \tilde{\sigma}_1 = (C - \tilde{C})\, id \cdot s$ and $\sigma_2 - \tilde{\sigma}_2 = (C - \tilde{C})\, s$; the identity $id = (\sigma_1 - \tilde{\sigma}_1)/(\sigma_2 - \tilde{\sigma}_2) \pmod q$ of the cheating payer is thus determined and he can be punished. (A coin presented twice with the same challenge is a replay by the recipient rather than a double-spending by the payer, and must be rejected without blaming the payer.) In order to allow for this cross-checking, all coins must be kept in some data structure, for example a hash table, until they expire.

Routing Scheme. Our construction requires a reactive routing scheme with the following properties:

Assure Anonymity of Participating Nodes at all Times. A source node $S$ intending to send data packets to a node $D$ first requires discovery of a route through which the destination $D$ can be reached. Let $R_{SD}$ be the route description of a route from $S$ to $D$ determined by the route discovery process of the respective routing protocol. We require $R_{SD}$ to be of the form
$$R_{SD} = \|_{i=1,\dots,n}\,(k_i, r_i) \leftarrow \text{route-discovery}(S, D),$$
where $r_i$ is a nonce for the respective node and $k_i$ a private key shared between the source $S$ and node $N_i$ only. With $\|_{i=1,\dots,n}\, x_i$ we denote the concatenation of all strings $x_i$, to be interpreted as the route from $S$ to $D$ through the intermediate nodes $N_1, \dots, N_n$. In order for the protocol to be anonymous, the route discovery process must work such that at any time the values of each pair $(k_i, r_i)$ are known to source node $S$ and node $N_i$ only. A protocol that fulfills the anonymity requirements is ANODR [18]. However, it needs to be adapted in order to provide the route description as required above.

Prevent Free-riding. We require that (collaborating) nodes cannot violate or misuse the routing protocol in order to obtain free-riding.

V. THE SCHEME

Using the building blocks we can now describe our construction for an untraceable coin-based incentive scheme. We discuss each one of the stages setup, withdrawal, packet delivery, and rewarding separately. We furthermore present an alternative to the basic protocol that allows for more flexibility in terms of the payload to be transmitted.

Setup. The clearing service and the nodes are set up as in Brands' payment system. That is, the clearing service generates different $h_d$'s for different denominations $D_d$ and publishes them in a non-repudiable way.

Withdrawal. As described previously in Section III, a source node $S$ intending to send a certain number of payload packets with the help of $n$ intermediate nodes is required to withdraw at least $n$ coins of sufficient denomination in order to pay for the service. The withdrawal is done as described in Brands' payment protocol (see Section IV).

Packet Delivery. In order for a source node $S$ to send a number of data packets to destination $D$, the source node $S$ will first use a corresponding route discovery protocol (see Section IV) to determine the route $R_{SD}$ to destination node $D$. Source node $S$ may receive several answers to its route request, corresponding to alternative routes to reach the destination $D$. The source node will select one route (e.g., one with the least number of hops, in order to minimize costs). Let $\|_{i=1,\dots,n}\,(k_i, r_i)$ be the route description for the selected route and let $N_1, \dots, N_n$ be the intermediate nodes on this route. Using the selected route $R_{SD}$, the transmission of the payload packets is organized in two steps: the initialization step, in which one coin is sent to each one of the intermediate nodes, and the packet delivery step itself, in which the data is sent. In order to simplify matters, we will first focus on the structure of the messages sent during payload delivery. Afterwards, we will discuss the initialization phase in detail.

Payload Message Structure. Let $p \leq d$ be the number of packets that $S$ intends to send during this particular session. We write $\mathrm{msg}^i_j$ for the $i$-th packet ($i = 1, \dots, p$) sent by the $(j-1)$-st node to the $j$-th node on the route from $S$ to $D$ (with $S$ as node $0$ and $D$ as node $n+1$). The system is designed such that the last message (sent from node $N_n$ to $D$) is of the form
$$\mathrm{msg}^i_D = \mathrm{enc}_{k_D}(\mathrm{payload}_i),$$
with $k_D$ the key shared between $S$ and $D$, and the messages for the nodes $N_j$ ($j = 1, \dots, n$) are of the form
$$\mathrm{msg}^i_j = \mathrm{enc}_{k_j}(\mathrm{msg}^i_{j+1}), \qquad \mathrm{msg}^i_{n+1} = \mathrm{msg}^i_D,$$
i.e., every packet is an onion of authenticated encryptions (the per-packet nonces are omitted from the notation).

Initialization Phase. At first, the source node computes so-called authenticators $A^P_j = \|_{i=1,\dots,p}\, a^i_j$ as they will later on be seen by the respective intermediate nodes $N_j$ ($1 \leq j \leq n$). The individual components $a^i_j$ are defined as
$$a^i_j = \mathcal{H}_0\big(\mathcal{H}_1(\mathrm{msg}^i_{j+2})\big)$$
($i$ corresponds to the $i$-th packet with $1 \leq i \leq p$), using two one-way hash functions $\mathcal{H}_0$ and $\mathcal{H}_1$ (see footnote 7). Now $S$ can send a coin $\mathrm{coin}_j$ to each intermediate node $N_j$, with $\mathrm{coin}_j = (A, B, \sigma, \sigma_1, \sigma_2)$, i.e., the coin together with the payer's responses of the collapsed, single-move payment step. In order to ensure that the coin is bound to both the respective node and the corresponding authenticator $A^P_j$, we need to extend the payment step in Brands' scheme by adding the authenticator $A^P_j$ to the hashed challenge, thus obtaining
$$C = \mathcal{H}'(A, B, r_j, A^P_j),$$
where $r_j$ is the nonce of node $N_j$ from the route description. The actual initialization messages $\mathrm{msg}^0_j$ are determined as
$$\mathrm{msg}^0_j = \mathrm{enc}_{k_j}(\mathrm{coin}_j, A^P_j, \mathrm{msg}^0_{j+1}) \quad (j = 1, \dots, n-1), \qquad \mathrm{msg}^0_n = \mathrm{enc}_{k_n}(\mathrm{coin}_n, A^P_n).$$
Upon receiving $\mathrm{msg}^0_j$, node $N_j$ verifies the signature within the coin (as in Brands' payment step).

Footnote 7. As we will see later, the first hash preimage enables the node to authenticate the incoming message, while the preimage of the hash preimage will later on be used as proof of correct forwarding of a message.

Sending of Data Packets. After completing the initialization, the source $S$ can send off the data packets. The intermediate node $N_j$, receiving $\mathrm{msg}^i_j$ (corresponding to data packet $1 \leq i \leq p$), will decrypt and authenticate the message using its private key $k_j$. If decryption was successful (i.e., did not return $\bot$), node $N_j$ may forward the decryption result $\mathrm{msg}^i_{j+1} = \mathrm{dec}_{k_j}(\mathrm{msg}^i_j)$ to the next intermediate node $N_{j+1}$ on the route to destination $D$.

Rewarding. In order to ensure that only those coins can be cleared by intermediate nodes for which the respective packets have indeed been forwarded by the node, the nodes must justify their claims by providing additional information. According to our model, messages are broadcast and network links are assumed to be symmetric. Hence, node $N_j$ will also receive $\mathrm{msg}^i_{j+2}$, the message sent from hop $N_{j+1}$ to $N_{j+2}$. The sending of this message, however, cannot occur unless node $N_j$ complied with the protocol and forwarded $\mathrm{msg}^i_{j+1}$ to node $N_{j+1}$, which in turn decrypted the message and sent on $\mathrm{msg}^i_{j+2}$. Thus, node $N_j$ will keep $x^i_j = \mathcal{H}_1(\mathrm{msg}^i_{j+2})$ as authenticator. Together with $\mathrm{coin}_j$ and the preimage $x^i_j$ of $a^i_j$, $N_j$ can prove its claims. Note that this evidence depends on the symmetric-link assumption: if $N_j$ does not overhear the transmission of $N_{j+1}$, an honest $N_j$ has no preimage to present; and for $j = n$ there is no message $\mathrm{msg}^i_{n+2}$, so the last hop's evidence is not covered by the formula above.

Alternative Protocol. The previously proposed protocol requires the source node to know the payloads of all packets to be sent before transmitting the first data packet. For many applications this may be too great a limitation. It is possible to overcome this shortcoming at the cost of additional communication. Unlike before, the authenticator parts $a^i_j$ are now determined as follows:
$$x^i_n,\ x^i_{n-1} \in_R \{0,1\}^l, \qquad x^i_j = \mathcal{H}_1\big(\mathrm{dec}^e_{k_j}(\mathrm{enc}^e_{k_{j+2}}(x^i_{j+2}))\big) \quad (j = n-2, \dots, 1), \qquad a^i_j = \mathcal{H}_0(x^i_j),$$
with $l = |\mathcal{H}(\cdot)|$. The messages are defined as
$$\mathrm{msg}^i_D = \mathrm{enc}_{k_D}(\mathrm{payload}_i), \qquad \mathrm{msg}^i_j = \mathrm{enc}^e_{k_j}(x^i_j \,\|\, \mathrm{msg}^i_{j+1}).$$
Unlike before, messages are now wrapped in onion encryptions without authentication. Every node $N_j$ on the route decrypts the outer (onion) skin and verifies whether $\mathcal{H}_0(x^i_j) = a^i_j$. If the verification was successful, the rest of the decrypted message is forwarded to the next node on the route. Within the last onion skin, the payload data itself is encrypted with an authenticated encryption scheme to provide authenticity for the receiver.

A node $N_j$ proves that it forwarded a message correctly by supplying the clearing service with a preimage for $x^i_j$. Node $N_j$ does not receive this preimage until node $N_{j+1}$ has decrypted its received message $\mathrm{msg}^i_{j+1}$ and forwarded $\mathrm{msg}^i_{j+2}$. By the prefix property required of $\Lambda$ in Section IV, the first $l$ bits of $\mathrm{msg}^i_{j+2} = \mathrm{enc}^e_{k_{j+2}}(x^i_{j+2} \,\|\, \mathrm{msg}^i_{j+3})$ are exactly $\mathrm{enc}^e_{k_{j+2}}(x^i_{j+2})$. Receiving this message, node $N_j$ can therefore calculate the required preimage
$$\mathrm{dec}^e_{k_j}\big(\mathrm{msg}^i_{j+2}[l\ \mathrm{bits}]\big) = \mathrm{dec}^e_{k_j}\big(\mathrm{enc}^e_{k_{j+2}}(x^i_{j+2})\big),$$
whose image under $\mathcal{H}_1$ is $x^i_j$, and thus prove its claim. As with every use of $\Lambda$, the nonce in this derivation must not recur; in particular it must differ from the nonce of $\mathrm{msg}^i_j$, which is encrypted under the same key $k_j$.
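Worked example of both delivery variants, added here and not code from the paper: one packet travels through a constructed four-hop route, each hop peels its onion skin, and each node derives its proof of forwarding from the next-but-one message it overhears. Assumptions: the one-way hashes $\mathcal{H}_0$, $\mathcal{H}_1$ are truncated SHA-256; $\Lambda$ is a toy OFB-style stream cipher (keystream from SHA-256), which gives the prefix property of Section IV; $\Pi$ is encrypt-then-MAC over that cipher with HMAC-SHA256; per-packet nonces are derived from the route nonces $r_j$, and the preimage derivation uses a second, distinct nonce so that no keystream is reused. The authenticators for the basic protocol are computed where $\mathrm{msg}^i_{j+2}$ exists ($N_1, \dots, N_{n-1}$), and the chained $x^i_j$ of the alternative protocol for $j \leq n-2$, as in the definitions above.

```python
import hashlib
import hmac
import secrets

L = 16  # assumption: 128-bit H0/H1 outputs and AE tags (the paper's l, demo size)

def H0(b): return hashlib.sha256(b"H0|" + b).digest()[:L]   # one-way hash H_0
def H1(b): return hashlib.sha256(b"H1|" + b).digest()[:L]   # one-way hash H_1

def stream_enc(k, nonce, m):
    """Toy OFB-style cipher (stand-in for AES-OFB): keystream block t = SHA-256(k|nonce|t).
    Prefix property: enc(x[:l]) == enc(x)[:l] for a fixed (k, nonce)."""
    out = bytearray()
    for t in range((len(m) + 31) // 32):
        ks = hashlib.sha256(k + nonce + t.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(m[32 * t:32 * t + 32], ks))
    return bytes(out)

stream_dec = stream_enc  # XOR with the same keystream inverts it

def ae_enc(k, nonce, m):
    """Authenticated encryption enc_k(N, M): encrypt-then-MAC, tag over (N, C)."""
    c = stream_enc(k, nonce, m)
    return c + hmac.new(k, nonce + c, hashlib.sha256).digest()[:L]

def ae_dec(k, nonce, ct):
    """dec_k(N, C*): M, or None (the paper's bottom symbol) unless C* came from enc_k(N, .)."""
    c, tag = ct[:-L], ct[-L:]
    if not hmac.compare_digest(tag, hmac.new(k, nonce + c, hashlib.sha256).digest()[:L]):
        return None
    return stream_dec(k, nonce, c)

def pkt_nonce(r_j, i):    # assumption: per-packet nonce derived from the route nonce r_j
    return r_j + b"pkt" + i.to_bytes(4, "big")

def proof_nonce(r_j, i):  # assumption: a distinct nonce, so the preimage step never reuses keystream
    return r_j + b"prf" + i.to_bytes(4, "big")

class Route:
    """R_SD = (k_1, r_1) || ... || (k_n, r_n) plus (k_D, r_D); index 0..n-1 is N_1..N_n, index n is D."""
    def __init__(self, n):
        self.n = n
        self.k = [secrets.token_bytes(16) for _ in range(n + 1)]
        self.r = [secrets.token_bytes(8) for _ in range(n + 1)]

def basic_source(rt, i, payload):
    """Basic protocol: msg_D = enc_{k_D}(payload), msg_j = enc_{k_j}(msg_{j+1}), a_j = H0(H1(msg_{j+2}))."""
    n, msgs = rt.n, [None] * (rt.n + 1)
    msgs[n] = ae_enc(rt.k[n], pkt_nonce(rt.r[n], i), payload)
    for j in range(n - 1, -1, -1):
        msgs[j] = ae_enc(rt.k[j], pkt_nonce(rt.r[j], i), msgs[j + 1])
    return msgs[0], {j: H0(H1(msgs[j + 2])) for j in range(n - 1)}  # msg_{j+2} exists for N_1..N_{n-1}

def basic_forward(rt, i, j, incoming):
    """N_j decrypts and authenticates with k_j; forwards the result or drops the packet (None)."""
    return ae_dec(rt.k[j], pkt_nonce(rt.r[j], i), incoming)

def basic_proof(overheard_j2, a_ij):
    """N_j overhears msg_{j+2} and keeps x = H1(msg_{j+2}); the clearing service checks H0(x) = a_j."""
    x = H1(overheard_j2)
    return x if H0(x) == a_ij else None

def alt_source(rt, i, payload):
    """Alternative protocol: x_n, x_{n-1} random, x_j = H1(dec_{k_j}(enc_{k_{j+2}}(x_{j+2}))),
    a_j = H0(x_j), msg_j = enc^e_{k_j}(x_j || msg_{j+1}) without per-hop authentication."""
    n, x, msgs = rt.n, [None] * rt.n, [None] * (rt.n + 1)
    for j in range(n - 1, -1, -1):
        if j >= n - 2:
            x[j] = secrets.token_bytes(L)
        else:
            c = stream_enc(rt.k[j + 2], pkt_nonce(rt.r[j + 2], i), x[j + 2])
            x[j] = H1(stream_dec(rt.k[j], proof_nonce(rt.r[j], i), c))
    msgs[n] = ae_enc(rt.k[n], pkt_nonce(rt.r[n], i), payload)
    for j in range(n - 1, -1, -1):
        msgs[j] = stream_enc(rt.k[j], pkt_nonce(rt.r[j], i), x[j] + msgs[j + 1])
    return msgs[0], {j: H0(x[j]) for j in range(n)}

def alt_forward(rt, i, j, incoming, a_ij):
    """Peel one skin, check H0(x_j) = a_j; return (x_j, inner message) or None."""
    pt = stream_dec(rt.k[j], pkt_nonce(rt.r[j], i), incoming)
    return (pt[:L], pt[L:]) if H0(pt[:L]) == a_ij else None

def alt_proof(rt, i, j, x_ij, overheard_j2):
    """Prefix property: msg_{j+2}[:l] = enc_{k_{j+2}}(x_{j+2}), so y = dec_{k_j}(msg_{j+2}[:l]) has H1(y) = x_j."""
    y = stream_dec(rt.k[j], proof_nonce(rt.r[j], i), overheard_j2[:L])
    return y if H1(y) == x_ij else None

def run_session(n=4, payload=b"constructed demo payload", i=1):
    """One packet through both variants over a constructed n-hop route; returns the checks as a dict."""
    rt, res = Route(n), {}
    m0, auths = basic_source(rt, i, payload)
    seen = [m0]                                   # seen[j] = msg_j as broadcast towards N_j (seen[n]: towards D)
    for j in range(n):
        seen.append(basic_forward(rt, i, j, seen[j]))
    res["basic_delivered"] = ae_dec(rt.k[n], pkt_nonce(rt.r[n], i), seen[n]) == payload
    res["basic_proofs_ok"] = all(basic_proof(seen[j + 2], auths[j]) is not None for j in auths)
    forged = seen[1][:-1] + bytes([seen[1][-1] ^ 1])  # third party alters msg_2: tag fails at N_2
    res["basic_tamper_dropped"] = basic_forward(rt, i, 1, forged) is None
    m0, auths = alt_source(rt, i, payload)
    seen, xs = [m0], {}
    for j in range(n):
        xs[j], inner = alt_forward(rt, i, j, seen[j], auths[j])
        seen.append(inner)
    res["alt_delivered"] = ae_dec(rt.k[n], pkt_nonce(rt.r[n], i), seen[n]) == payload
    res["alt_proofs_ok"] = all(alt_proof(rt, i, j, xs[j], seen[j + 2]) is not None for j in range(n - 2))
    res["alt_eavesdropper_fails"] = alt_proof(Route(n), i, 0, xs[0], seen[2]) is None  # without k_1: no preimage
    return res
```

Two details are worth noting when reading the output. First, the preimage step decrypts under $k_j$ data chosen by the source, so with an OFB-type cipher it must use a nonce different from the one that protected $\mathrm{msg}^i_j$ (here `proof_nonce`), otherwise the same keystream bytes cover $x^i_j$ and the proof. Second, the last one or two hops ($N_n$ in the basic protocol, $N_n$ and $N_{n-1}$ in the alternative one) have no next-but-one message to overhear, so their proofs are outside what the definitions above provide and the example does not fabricate them.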

A. Some Remarks

a) Encouraging Collaboration: Because of the rewards, the proposed scheme obviously strongly encourages nodes to forward other nodes' packets, in particular as long as the cost (in terms of own resources) is smaller than the reward to be obtained.

b) Accounting: The source node is charged for every coin it withdraws from the clearing service. As discussed earlier, one such coin pays one intermediate node for the forwarding of at most $p$ packets. As unused portions of a coin can be refunded, a source node pays only for those packets that have indeed been forwarded. The forwarding node is rewarded for each coin for which it can provide evidence to the clearing service that it indeed forwarded the message. While each intermediate node can verify a coin once received, i.e., even before forwarding the first message, the node can claim a reward only after the next node on the route has also forwarded the message. If a source node were to cheat by first sending a correct coin but later providing incorrect authenticators, it is still likely that the first data packet would reach its destination. However, it is in turn unlikely that the intermediate nodes will also transmit the remaining packets, as they have been cheated before. Therefore, the accounting should be organized in an asymmetric manner: the originator is charged a basic allowance for each withdrawn coin, regardless of whether he sent packets with respect to this coin or not. The forwarding nodes, however, are only rewarded for presenting preimages.

c) Determining a Price for Forwarding: We consider forwarding to be a service for which the price is determined by supply and demand. For example, nodes on busy paths may want to receive a higher reward for their services. One possibility for a node to achieve that is by inserting additional "virtual" nodes into the route during the route request phase. While this obviously increases the price for the service, a source node may still decide not to take this route. Extensions of this model could include additional measures such as, for example, quality of service.

d) Receiving Refund: On the one hand, intermediate nodes are only rewarded for packets which they have actually forwarded. On the other hand, the source node has paid in advance for the delivery of up to $p$ packets. In principle it would be possible to implement a refund system for unused (portions of) coins. However, our system was designed in such a way that all participants remain anonymous at all times. It is possible to allow for refunding by introducing an additional trusted third party (TTP). The clearing service would then pass on (partially) unused coins to the TTP, through which the source node can then claim its refund. It is crucial to note that anonymity and unlinkability can be guaranteed only if the clearing service and the TTP do not collaborate.

e) Including Core Networks: In some models, e.g., multi-hop cellular networks, base stations are part of the business model. They serve as proxies to other networks (like the Internet, cellular networks, etc.). In our system, base stations can be regarded as "normal" nodes. Thus, a network provider can offer a route using his backbone and request a fee for forwarding the packets, just as other (ad hoc) nodes do. The amount of the fee can be chosen arbitrarily (see Remark c). This makes the system very powerful, as it can be employed in more realistic scenarios, where the packets are delivered within the multi-hop ad hoc network for just a few hops until a base station is reached and then forwarded over its backbone.

VI. SECURITY

The proposed protocol aims to achieve two different security objectives: (1) to provide a fair incentive mechanism to foster collaboration between rational participants, and (2) to ensure anonymity and unlinkability of messages and participants, respectively.

A. Fair Incentive Mechanism Security of Claiming Rewards/Non-repudiation. A claiming node Nj proves its claims for packet i to the clearing service by providing not only the corresponding coin but also the respective hash preimage xX (of a). The clearing service checks the correctness of the coin like in Brands' scheme. If the coin was spent twice the identity id of the double-spending node is revealed and punished (e.g., by excluding from getting any further coins, which means in fact his exclusion from the ad hoc network). Security against Free-riding. In both the initialization phase and the packet delivery phase only those packets are forwarded by intermediate nodes which have properly been authenticated before. Thus, nobody except the source of a current session can transmit data within these, packets. As pointed out earlier,, it is -crucial that the employed routing scheme is resistant against the misuse of control messages for free delivery of data packets between two nodes, as the exchange of packets during the routing discovery stage is neither charged by our protocol nor rewarded. B. Anonymity and Unlinkability Except for the rewarding stage, the anonymity and unlinkability follows directly from the property of semantic security of the encryption algorithm and that every combination (kj, Nj) is used only once. Anonymity and unlinkability during the rewarding stage is guaranteed because of the anonymity and unlinkability property in Brands' payment scheme: Linking two nodes in the rewarding stage would enable linking of two coins which in turn would break the underlying payment scheme. This is due to the fact that the coins are only pairwise known (onion encryptions) and in the basic protocol the authenticators have no relationship to other nodes. In the alternate protocol, 328

the authenticators are linked to other nodes' authenticators. However, for anyone other than the intermediate node and the source node, the authenticators are indistinguishable from random data.

VII. EFFICIENCY

In this section, we estimate the overhead of our newly proposed solution in relation to the payload forwarded by the network in terms of additional communication, computation, and storage.
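Before turning to the overhead figures, the claim check and the double-spending penalty of Section VI.A, as an added toy example. This is not the paper's code and not a faithful rendering of Brands' e-cash: it keeps only the two properties the security argument uses (a claim must carry the hash preimage x of the authenticator a, and spending one coin under two different challenges exposes the spender's identity). The group parameters, the coin layout, the challenge-response form r = u*c + s and all function names are my own assumptions.

```python
"""Toy clearing service for claims in a coin-based forwarding reward.

Added illustration, not the paper's protocol and not Brands' scheme. It keeps
only the two checks Section VI.A relies on: a claim must carry the hash
preimage x of the authenticator a, and spending one coin under two different
challenges reveals the spender's identity. The group is deliberately tiny so
the numbers are readable; a deployment would use a 160-bit elliptic-curve
group as the paper suggests.
"""
import hashlib
import secrets

# Constructed toy Schnorr group: P = 2*Q + 1, G generates the order-Q subgroup.
P = 2039
Q = 1019
G = 4


def hash_preimage(x: bytes) -> bytes:
    """Authenticator a = H(x); a is handed out at initialization, x only with a claim."""
    return hashlib.sha256(x).digest()


def withdraw(identity: int) -> dict:
    """Issue a coin (bank side). The coin commits to the holder's identity u
    via A = g^u and to a fresh nonce s via B = g^s. Blind withdrawal is omitted."""
    s = secrets.randbelow(Q - 1) + 1
    return {"A": pow(G, identity, P), "B": pow(G, s, P), "_u": identity % Q, "_s": s}


def public_part(coin: dict) -> dict:
    """What the payee (forwarding node) and the clearing service get to see."""
    return {"A": coin["A"], "B": coin["B"]}


def spend(coin: dict, challenge: int) -> int:
    """Payer's response to the payee's challenge c: r = u*c + s mod q."""
    return (coin["_u"] * challenge + coin["_s"]) % Q


def spend_is_valid(pub: dict, challenge: int, response: int) -> bool:
    """g^r == A^c * B holds iff r was formed from the secrets behind A and B."""
    lhs = pow(G, response, P)
    rhs = (pow(pub["A"], challenge, P) * pub["B"]) % P
    return lhs == rhs


class ClearingService:
    def __init__(self):
        self.seen = {}         # coin -> (challenge, response) of the first claim
        self.cheaters = set()  # identities recovered from double spending

    def claim(self, pub: dict, challenge: int, response: int, a: bytes, x: bytes):
        """Return "ok", a rejection reason, or ("double-spend", identity)."""
        if hash_preimage(x) != a:
            return "bad-preimage"   # claimant never handled the packet
        if not spend_is_valid(pub, challenge, response):
            return "bad-coin"
        cid = (pub["A"], pub["B"])
        if cid not in self.seen:
            self.seen[cid] = (challenge, response)
            return "ok"
        c1, r1 = self.seen[cid]
        if c1 == challenge:
            return "replay"         # identical transcript, nothing new is learned
        # Two responses under distinct challenges: r1 - r2 = u*(c1 - c2) mod q,
        # so the identity u behind A falls out of a single division.
        u = ((r1 - response) * pow((c1 - challenge) % Q, -1, Q)) % Q
        self.cheaters.add(u)
        return ("double-spend", u)
```

A single honest claim reveals nothing about u beyond A = g^u, which is exactly the discrete-logarithm hiding Brands' scheme relies on (in this toy group it is brute-forceable, which is why the paper sizes q1 at 160 bits). The unlinkability of coins to the withdrawal comes from the blind withdrawal this example leaves out.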

Communication Overhead. We focus on the two phases initialization and packet delivery. The initialization message is sent once for every session and contains the coins and authenticators for this session. The size of every coin is 5*sizeof(q1) + 3*sizeof(q2), with q1 and q2 being the orders of the respective groups used in Brands' payment system. Working in groups over elliptic curves, we can decrease the size of q1 to 160 bits. Choosing q2 and the hash value (footnote 8) to be 80 bits is sufficient. Thus, every coin has an estimated size of about 1040 bits. The overhead of the authenticators A is p*sizeof(H), where H denotes the hash value. Thus, the total overhead in the initialization message is n*(5*sizeof(q1) + 3*sizeof(q2) + p*sizeof(H)). In total this is an overhead of n*(130 + p*10) bytes compared to a network without incentives.

Fig. 1. Estimated overhead with an increasing number of data packets (p) and hops (n).

                          p = 10    p = 50    p = 100
  Basic Protocol
    n = 5                   7.5%      4.2%      3.75%
    n = 10                 15.0%      8.4%      7.5%
    n = 20                 30.0%     16.8%     15.0%
  Alternative Protocol
    n = 5                  10.8%      7.5%      7.1%
    n = 10                 21.6%     15.0%     14.2%
    n = 20                 43.2%     30.0%     28.4%

The additional overhead within packet delivery depends on whether the basic protocol or the alternative one is used. In the basic protocol, the overhead is just that of the authenticated encryption. As the objective of this authentication is to authenticate a packet between sender and forwarding node in order to prevent free-riding by third parties, a small authenticator is sufficient. We require that a message with a wrong message authenticator tag is not accepted if it is sent again with a new authenticator tag. Hence an authenticator tag of length 8 bits suffices to prevent free-riding attacks that rely on correctly guessing the authenticator. In this case, we have an additional overhead of n bytes in every packet. In total, the estimated average overhead per packet is n*(130+p*11) bytes. In the alternative protocol, the onion encryptions cause an additional overhead of sizeof(H) per packet and node. Thus, we obtain an estimated average overhead per packet of n*(130+p*20) bytes. In Table 1, the efficiency is estimated for different numbers of hops and packets.
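The lock-out rule stated above (a packet whose 8-bit tag was wrong is not accepted again with a new tag) as an added Python example; the paper gives no code for it. The tag construction (first byte of an HMAC over the packet under the pairwise key k_j), the key and packet values, and the class and method names are my own assumptions, not the paper's.

```python
"""Forwarding-node check of a short per-hop authenticator tag (added illustration).

Assumed, not taken from the paper: the tag is the first byte of an HMAC over
the packet under the pairwise key k_j, and a packet whose tag failed once is
remembered so that resending it with another tag is refused. That turns a
256-way guess into a single guess with probability 2^-8.
"""
import hashlib
import hmac


def make_tag(key: bytes, packet: bytes) -> bytes:
    """8-bit authenticator tag: the first byte of HMAC-SHA256(k_j, packet)."""
    return hmac.new(key, packet, hashlib.sha256).digest()[:1]


class ForwardingNode:
    def __init__(self, key: bytes):
        self.key = key
        self.burned = set()   # fingerprints of packets that already failed once
        self.forwarded = []   # packets accepted for forwarding

    def handle(self, packet: bytes, tag: bytes) -> str:
        fp = hashlib.sha256(packet).digest()
        if fp in self.burned:
            return "locked-out"    # second try for the same packet, whatever the tag
        if not hmac.compare_digest(tag, make_tag(self.key, packet)):
            self.burned.add(fp)    # one wrong tag burns this packet for good
            return "bad-tag"
        self.forwarded.append(packet)
        return "forwarded"


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    key = b"pairwise-key-k_j (constructed)"
    pkt = b"session-7|packet-1|ciphertext"
    node = ForwardingNode(key)
    print(node.handle(pkt, make_tag(key, pkt)))          # forwarded
    print(node.handle(pkt, b"\x00"))                     # locked-out or bad-tag
```

The price of the rule is that a legitimate packet whose tag is corrupted in transit is also lost at that hop and must be resent as a fresh packet (new nonce, hence new fingerprint) by the source; the paper accepts this in exchange for a 1-byte tag.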

Computational Overhead. The main computational overhead is caused during the session initialization phase. The originator has to perform one hash operation and two additions (modulo p). The intermediate nodes have to perform two hash operations and six exponentiations (modulo p).

Footnote 8: Shorter hash values are possible, since the main requirement is one-wayness and thus birthday attacks do not apply.

The computational overhead during packet delivery is minimal: For one, only fast symmetric cryptographic primitives are used. Furthermore, in the basic protocol every node must decrypt (and authenticate) the whole message, and performs two hash operations for computing the authenticator. In the alternative protocol one additional decryption (of one block) has to be performed in order to obtain the pre-image of the authenticator.

Storage Overhead. For payment purposes, a node must store the coins withdrawn earlier, amounting to roughly 900 bytes for every intermediate hop and session. For claiming purposes, both the received coins (together with the responses a1 and a2) and the authenticators must be stored, amounting to an additional hash value per packet and hop.

VIII. CONCLUSION AND FUTURE WORK

In this paper, we addressed the problem of encouraging cooperation in multi-hop networks while keeping the participating nodes anonymous. To the best of our knowledge, this is done here for the first time. We proposed an incentive scheme based on a common anonymous, coin-based payment scheme. In terms of future work, we intend to incorporate efficient error handling and acknowledgements into the protocol, making reliable packet delivery more efficient. Finally, we will explore how to realize an anonymous routing protocol that prevents free-riding, which still seems to be an open problem.

REFERENCES

[1] M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In T. Okamoto, editor, Advances in Cryptology - ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 531-545, Kyoto, Japan, 2000. International Association for Cryptologic Research, Springer-Verlag, Berlin, Germany.
[2] M. Bellare and P. Rogaway. Entity authentication and key distribution. In D. R. Stinson, editor, Advances in Cryptology - CRYPTO '93, volume 773 of Lecture Notes in Computer Science, pages 232-249. International Association for Cryptologic Research, Springer-Verlag, Berlin, Germany, 1994.
[3] N. Ben Salem, L. Buttyan, J.-P. Hubaux, and M. Jakobsson. A charging and rewarding scheme for packet forwarding in multi-hop cellular networks. In Proceedings of MobiHoc, 2003.
[4] S. Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, Centrum voor Wiskunde en Informatica, Mar. 1993.
[5] E. Brickell, editor. Advances in Cryptology - CRYPTO '92, volume 740 of Lecture Notes in Computer Science. International Association for Cryptologic Research, Springer-Verlag, Berlin, Germany, 1993.
[6] S. Buchegger and J.-Y. Le Boudec. Performance analysis of the CONFIDANT protocol (cooperation of nodes - fairness in dynamic ad-hoc networks). In Proceedings of MobiHoc 2002, Lausanne, June 2002.
[7] L. Buttyan and J.-P. Hubaux. Enforcing service availability in mobile ad-hoc WANs. In Proceedings of the IEEE/ACM Workshop on Mobile Ad Hoc Networking and Computing (MobiHoc), Boston, MA, USA, August 2000.
[8] L. Buttyan and J.-P. Hubaux. Stimulating cooperation in self-organizing mobile ad hoc networks. ACM/Kluwer Mobile Networks and Applications, 8(5), October 2003.
[9] S. Capkun, J.-P. Hubaux, and L. Buttyan. Mobility helps security in ad hoc networks. In Proceedings of MobiHoc 2003, page 11, Annapolis, June 2003.
[10] D. Chaum. Blind signature systems. Abstract, Plenum, 1983.
[11] D. Chaum. Privacy protected payments: Unconditional payer and/or payee untraceability. In D. Chaum and I. Schaumueller-Bichl, editors, Smartcard 2000, pages 69-93. Elsevier Science Publishers North Holland, 1989.
[12] D. Chaum, A. Fiat, and M. Naor. Untraceable electronic cash. In S. Goldwasser, editor, Advances in Cryptology - CRYPTO '88, volume 403 of Lecture Notes in Computer Science, pages 319-327, Santa Barbara, CA, USA, 1990. International Association for Cryptologic Research, Springer-Verlag, Berlin, Germany.
[13] D. Chaum and T. P. Pedersen. Wallet databases with observers. In Brickell [5], pages 89-105.
[14] D. L. Chaum. Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10):1030-1044, Oct. 1985.
[15] P. Papadimitratos and Z. J. Haas. Secure routing for mobile ad hoc networks. In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio, TX, Jan. 2002.
[16] M. Jakobsson, S. Capkun, and J.-P. Hubaux. Secure and privacy-preserving communication in hybrid ad hoc networks. Technical Report IC/2004/10, EPFL-DI-ICA, January 2004.
[17] M. Jakobsson, J.-P. Hubaux, and L. Buttyan. A micro-payment scheme encouraging collaboration in multi-hop cellular networks. In Proceedings of the Fourth Conference on Financial Cryptography (FC '03), Lecture Notes in Computer Science, pages 15-33, Hamilton, Bermuda, 2003. International Financial Cryptography Association (IFCA), Springer-Verlag, Berlin, Germany.
[18] J. Kong and X. Hong. ANODR: Anonymous on demand routing with untraceable routes for mobile ad-hoc networks. In Fourth ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc '03), pages 291-302, 2003.
[19] S. Marti, T. Giuli, K. Lai, and M. Baker. Mitigating routing misbehaviour in mobile ad hoc networks. In Proceedings of the Sixth Annual International Conference on Mobile Computing and Networking, pages 255-265, Boston, MA, USA, Aug. 2000.
[20] P. Michiardi and R. Molva. CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks. In CMS 2002, Communication and Multimedia Security 2002 Conference, September 26-27, 2002, Portoroz, Slovenia. Also published in the book: Advanced Communications and Multimedia Security, Borka Jerman-Blazic and Tomaz Klobucar, editors, Kluwer Academic Publishers, ISBN 1-4020-7206-6, August 2002, 320 pp.
[21] T. Okamoto. Provably secure and practical identification schemes and corresponding signature schemes. In Brickell [5], pages 31-44.
[22] C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161-174, 1991.
[23] P. F. Syverson, D. M. Goldschlag, and M. G. Reed. Anonymous connections and onion routing. In Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, May 1997. IEEE Computer Society, Technical Committee on Security and Privacy, IEEE Computer Society Press.
[24] Y.-D. J. Lin and Y.-C. Hsu. Multihop cellular: A new architecture for wireless communications. In INFOCOM 2000, volume 3, pages 1273-1282. IEEE, 2000.
[25] S. Zhong, J. Chen, and Y. R. Yang. Sprite: A simple, cheat-proof, credit-based system for mobile ad-hoc networks. In Proceedings of IEEE INFOCOM '03, San Francisco, CA, April 2003.