Optmal Revocatons n Ephemeral Networks

Optmal Revocatons n Ephemeral Networks: A Game-Theoretc Framework Igor Blogrevc, Mohammad Hossen Manshae, Maxm Raya and Jean-Perre Hubaux Laboratory for computer Communcatons and Applcatons (LCA1), EPFL, Lausanne, Swtzerland Emal: {gor.blogrevc, hossen.manshae, maxm.raya, jean-perre.hubaux}@epfl.ch Abstract Revocaton of publc-key certfcates s an mportant securty prmtve. In ths paper, we desgn a fully dstrbuted local certfcate revocaton scheme for ephemeral networks - a class of extremely volatle wreless networks wth short-duraton and short-range communcatons - based on a game-theoretc approach. Frst, by provdng ncentves, we can guarantee the successful revocaton of the malcous nodes even f they collude. Second, thanks to the records of past behavor, we dynamcally adapt the parameters to nodes reputatons and establsh the optmal Nash equlbrum (NE) on-the-fly, mnmzng the socal cost of the revocaton. Thrd, based on the analytcal results, we defne a unque optmal NE selecton protocol and evaluate ts performance through smulatons. We show that our scheme s effectve n quckly and effcently removng malcous devces from the network. Index Terms Game Theory, Wreless Securty, Ephemeral Networks, Socal Optmum I. INTRODUCTION The emergng avalablty of wreless devces able to communcate drectly wth other peers s openng new ways for people to nteract and exchange nformaton ([1], [2], [3]). The absence of a centrally-managed nfrastructure, however, makes t harder to cope wth msbehavor. In the lterature, a consderable effort s beng devoted to the analyss of securty mechansms performed by self-nterested agents [4]. In partcular, the revocaton of compromsed publc-key certfcates s a very mportant prmtve for envronments where authentcaton s requred. In ephemeral networks, the short-lved and heterogeneous contacts among nodes (potentally unbeknownst to each other) make t mperatve to address the revocaton ssue n a dstrbuted and effcent way. One step n ths drecton has been taken by Raya et al. [5] through ther game-theoretc local certfcate revocaton protocol RevoGame. Ther model, however, has some lmtatons. Frst, t s often dffcult to obtan correct estmates of crucal parameters very frequently and thus the outcome of the revocaton could be unpredctable. Second, the dynamc knd of games used by ther model assumes that each node can observe the actons of the others before takng ts own decson, whch s not always be feasble n ephemeral envronments. For example, the duraton of the related publc-key operatons, such as sgnature verfcaton and generaton, mght take an excessve amount of tme. In ths paper, we desgn a substantally mproved and extended local certfcate revocaton framework for ephemeral networks. Wth respect to [5], our contrbuton s fourfold. Frst of all, we consder revocatons n whch nodes take actons smultaneously,.e. they do not know others decsons before takng ther own, as t mght take too much tme n practce and the nodes mght have already lost contact. Second, we provde ncentves that stmulate partcpaton and guarantee a successful revocaton of malcous nodes even when they collude or when the parameter estmatons are dffcult. Thrd, by consderng the past behavor of devces as ther reputaton, we are able to allow for personalzed and dynamc costs that depend on the behavor of each node n past games. Fourth, as each devce could potentally have a dfferent reputaton, we desgn a fully dstrbuted on-the-fly NE selecton protocol that establshes, f more than one NE exst, the best course of acton for each player wth the least socal cost. Smulaton results fnally show that our analytcal framework s effectve n removng the msbehavng nodes certfcates through the socally optmal NE of the revocaton game. The paper s organzed as follows. After dscussng the related work n Secton II, we present our system model n Secton III. We descrbe the revocaton process n Secton IV and we perform the game theoretc analyss n Secton V. We devote Secton VI to the desgn of the socally optmal Nash equlbrum selecton protocols and we evaluate ther performance through smulatons n Secton VII. We conclude the paper n Secton VIII. II. RELATED WORK L et al. [6] propose a key management model based on a web of trust, where nodes sgn each other s certfcates wthout any trusted thrd party. Revocaton s performed by a sngle node that broadcasts the revocaton request to all twohop neghbors, who then add the accused node s certfcate to ther blacklsts. However, the communcaton overhead related to blacklst exchange and the trust assumptons derved from ndrect chans of certfcates could lead to securty compromses when dealng wth nodes wthout prevous frsthand knowledge. A vrtual CA s envsaged by Luo et al. [7], where no sngle node s trusted to ssue certfcates on ts own, but any k trusted nodes together are allowed to ssue and revoke certfcates. Assumng a system-wde fxed value for k, new nodes wshng to enter the network are forced to mgrate n places where at least k already trusted devces are wllng to sgn the publc/prvate key par of the newcomer. Chnn et al. [8] propose a herarchcal trust model where a trusted thrd party (CA) s responsble for the generaton of

2 publc-key certfcates but revocaton s delegated to nodes. The authors suggest a method to deal wth msbehavng devces by mnmzng ther trust level among the neghbors based on the qualty of servce they provde but, at the same tme, they allow the trust to be reganed and therefore the certfcate renewal nterval can be extended. Smlarly, Arbot et al. [9] perform a game-theoretc securty analyss and compute a trust threshold value by takng nto account the reputatons of both the accused and accusng nodes. An accusaton made by a node wth a low reputaton,.e. a node that has many pendng accusatons on tself, has a lower weght than the accusaton by a node wth a hgher reputaton (wth fewer pendng accusatons). A revocaton s successful f the sum of weghted accusatons s greater than a threshold value, and the revoked certfcate s completely useless for further nteractons. Reputaton mechansms and ther applcatons n moble ad hoc networks have also been studed by Mchard et al. [10]. Ther CORE reputaton scheme naturally excludes nodes from the network, f they do not contrbute to ts functonng, by lowerng ther reputatons, whereas cooperatng nodes can operate and request more servces, as ther reputaton s ncreased for every servce ther provde to the communty. In [5], Raya et al. take a game-theoretc approach for certfcate revocatons n ephemeral networks by extendng the possblty of revocaton just by a sngle node s decson, n addton to the aggregate votng scheme. The nteractons among the well-behavng nodes are vsble to all of them as the game model s a dynamc complete nformaton game. As stated n Secton I, the estmaton of several game parameters, such as the number of detectors and the number of requred voters, coupled wth the sequental strategc behavor, are some of the lmtng factors addressed n ths work. A. Network III. SYSTEM MODEL We consder an ephemeral network wth short-duraton (1-10 sec), short-range (10-100 m) contacts that can take place both n lcensed and unlcensed frequency bands. We only requre the wreless devces to be able to establsh drect communcaton among themselves. Furthermore, we assume that all devces are powerful enough to run publc-key cryptographc algorthms. Ths assumpton s based on the evdence that most of today s smartphones (and future cell phones [11]) have ntegrated publc-key certfcates for connectng to secure HTTPS servers on the Internet or for authentcatng themselves on protected enterprse IEEE 802.11 WLAN networks. We consder that a trusted thrd party (or partes) exsts n such networks and that each moble node s pre-loaded wth publc-key certfcates ssued by a CA, that are used both for perodcally advertsng ther presence (by broadcastng a sgned beacon message) and for sgnng all sent messages. In order to allow for ntegrty and authentcty checks, we assume that only sgned messages wll be consdered. The unque certfcate seral number [12] serves as a unque ID that dstngushes each devce n a gven revocaton process. We also assume that each node has more than one certfcate n the ntal deployment phase, n order to allow for locaton prvacy protecton and to avod the possblty of beng tracked and dentfed over tme ([13], [14]). We assume that each node has a reserve contanng all vald certfcates, a counter whch measures the quantty of vald certfcates that can be used for revocatons, and a tamperresstant devce, such as a smart-card, where the revocaton protocols are executed. The counter and reserve can be updated and sgned ether by a CA or by the protocols but not by the devce tself. After the ntal deployment, we do not assume an always-on connecton wth the central authorty, but we do assume that nodes wll reconnect wth the CA sporadcally (from every few hours to every few days) through a drect connecton or a pre-deployed nfrastructure managed by the CA. Durng the successve connectons, the CA wll renew ther credentals by updatng the counter and/or reserve, after havng verfed ther past behavor n an approprate way. Nodes can thus obtan vald certfcates by ether (a) buyng them from the CA or (b) by revokng malcous nodes, as a reward for the useful servce provded to the communty. Note that when buyng certfcates, only the reserve s updated by the CA whereas by revokng malcous devces, both reserve and counter are updated by the same amount. By defnton, the level of the reserve cannot be lower than the counter and when the former reaches the latter (due to frequent pseudonym changes for nstance), a node would have to renew ts certfcates n order to contnue ensurng ts locaton prvacy. It s clear that the logstc costs assocated wth the certfcate management (by the CA) and frequent pseudonym changes (by the nodes) could make the lmted reserve of vald certfcates a crtcal resource. B. Threat Model The attacker could potentally be any wreless devce wth exactly the same characterstcs as the other bengn nodes. Examples of msbehavor nclude, for nstance, dssemnatng false nformaton n the network, sendng undesred advertsements or hjackng other nodes wth the ntent to subvert them to the attacker s advantage. We assume that multple attackers can also collude n order to revoke bengn nodes. IV. REVOCATION PROCESS The revocaton procedure begns when a node detects the presence of a msbehavng peer (node m) and decdes to accuse t. Note that for each accused node m, there s one revocaton process and each node can partcpate n at most one at any gven tme, even though there could be many processes runnng n parallel. For smplcty and wthout loss of generalty, n ths paper we consder one revocaton only. Moreover, we focus on the reacton [15] of a set of nodes once a malcous node has already been detected, rather than on the detecton mechansm tself. References on the latter aspect can be found n [16], [17].

3 Table I LIST OF SYMBOLS. Intator Partcpants Accused node tme Fgure 1. Revocaton process sequence of events: frst, the ntator broadcasts the accusaton and hs sgned counter and then partcpants and accused node broadcast ther own counters. The acton that each devce can take n a revocaton process s ether abstan, vote or commt self-sacrfce. By abstanng, the node does not take any actve 1 role but expects the other peers to eventually remove the accused node from the network. Votng aganst the ncrmnated node s decsve but a sngle vote s usually not suffcent for a successful revocaton. There should be at least n v votes n order to perform the revocaton. The determnaton of ths mportant parameter s performed n Secton V-B. Yet another possblty s obtaned by allowng a sngle node to entrely revoke the certfcate of the msbehavng node [18]. At the same tme, however, the node performng the revocaton has to sacrfce a consderable amount of ts own certfcates as well, n order to lmt abuses. We call ths powerful but expensve strategy the self-sacrfce. We devote Secton V-D to the fne tunng of the self-sacrfce cost functon. The sequence of events encountered n each revocaton process s shown n Fgure 1 and descrbed hereafter. We assume that there s a set of N = n + M nodes n communcaton range, where n s the number of bengn nodes and M s the number of estmated malcous ones. M could also represent the estmated power of the colludng attackers, and n ths case M/N could be set by the CA to a hgh value n case of a conservatve atttude and repeated colluson attacks by malcous nodes. For nstance, statstcs on nodes behavor can be used by the CA to set the M/N value accordng to the expected power of colludng attackers. In the set n of bengn nodes there s one devce, called ntator, that broadcasts 1) the revocaton request aganst an accused node m, 2) ts sgned counter, 3) the attack-nduced cost parameter c and 4) the number M of malcous nodes to all peers, called partcpants, that are n communcaton range wth both the ntator and the accused node. The partcpants respond to the request by broadcastng ther own sgned counters, such that all partes are aware of the respectve amounts of vald certfcates. When the accused node receves the revocaton request aganst t, a sgned message contanng ts own counter s generated by ts tamper-resstant module and broadcast as well. Once all 1 By actve we mean nodes that have ether voted or commtted self-sacrfce n the revocaton process. SYMBOL DEFINITION N Total number of nodes n comm. range (bengn + malcous) M Number of malcous nodes n comm. range b Beneft for votng B Beneft for self-sacrfcng c Cost of non revocaton of malcous node c s, Cost of self-sacrfcng for player f(m/n) Rsk of attack by colludng malcous nodes for self-sacrfcng e(m/n) Rsk of attack by colludng malcous nodes for votng k If successful revocaton k = 1, otherwse k = 0 m Subscrpt used for the malcous node n v - u v γ(s - ) Number of votes requred for the revocaton Counter of player s vald certfcates for revocatons Cost of votng Sum of counters of players (other than ) that vote the n bengn nodes have complete knowledge of each others counters and M, they do not need to communcate anymore and the off-lne dstrbuted revocaton process (descrbed n Secton VI) begns. Our protocols then defne the unque outcome and the ndvdual actons for all devces. In order to prevent any abuse of bengn nodes and encourage partcpaton n revocatons aganst malcous devces, we need to assgn costs and benefts for every acton performed by a partcpant n any revocaton procedure (Table I). We express these n number of certfcates because they are a vtal (requred to sgn messages) and lmted resource n our network. For nstance, we assume that for any partcpant, castng a vote has a cost of v + e(m/n), where v 0 s a fracton of the counter set by the CA and e(m/n) 0 s a functon that represents the rsk of a retalaton attack by colludng malcous peers aganst a node that chooses to cast a vote. Smlarly, a self-sacrfce costs c s, + f(m/n), where c s, 0 s the ndvdual cost for the self-sacrfce acton and f(m/n) 0 s a functon that models the rsk a retalaton attack by colludng malcous peers aganst a node that performs a self-sacrfce. The two colluson rsk functons are characterzed n Secton V-C. If the revocaton s successful, the CA provdes rewards for votng and commttng self-sacrfce, whch are b and B respectvely. The abstan strategy, on the contrary, does not have a cost or beneft because t does not contrbute the revocaton. If the revocaton s not successful, the benefts are not dstrbuted. Moreover, a faled attempt and the wasted effort of the communty s computed by addng the attacknduced cost value c for all partcpants, whch s estmated by the ntator and broadcast together wth the revocaton request at the begnnng of the process. After each revocaton procedure, a report - contanng all the unque IDs of nodes nvolved n the process together wth the assocated acton - s compled by all nodes and stored. At the next possble occason, each partcpatng node sends the report to the CA who then verfes, n a sutable way,

4 the past behavor of the accused node and decdes whether to permanently revoke the certfcate or not. In case the accusaton was unfunded, the CA can also punsh nodes that have dssemnated false accusatons. Fnally, dependng on the acton taken by each devce, the CA rewards the partcpants wth fresh certfcates and updates the reserves and counters, whch then enable the partcpants to contnue operatng n the network. Clearly, f a devce s seldom requred to partcpate n revocaton procedures, ts counter does not evolve as quckly as that of the frequent partcpants and thus the CA does not need to renew ts credentals due to revocatons. However, all nodes wll have to perodcally renew ther certfcates when the level of the reserve reaches the value of the counter, n order to prevent eavesdroppers from trackng ther locaton. Although the revocaton protocols are run n a tamperresstant devce and certfcates are updated by a CA, there could stll be several possble combnatons of actons by whch each revocaton procedure mght end. Moreover, as the costs for each node depend both on the ndvdual acton (performed by that node) and on the outcome of the revocaton tself (whether the accused node s revoked or not), a gametheoretc framework s well adapted to model and analyze such strategc stuatons. Furthermore, f more than one soluton exst, game theory provdes means for all partes to converge to the socally optmal one, whch maxmzes the aggregated benefts of the communty of nodes. Sectons V and VI are devoted to the applcaton of game theory to local revocatons. V. GAME-THEORETIC ANALYSIS In ths secton, we present our game-theoretc framework and the analytcal results. Frst, we consder revocaton games where payoffs depend on the current strateges and game outcome only. Afterwards, we extend the framework to nclude nodes past behavor n the computatons of payoffs, strateges and outcomes by consderng the counter as the ndcator of a node s reputaton. We defne a non-cooperatve statc revocaton game as G n = {P, S, U}, where P = {P } n =1 s the set of the n wreless players as descrbed n Secton III, S = {S } n =1 s the strategy set and U = {u } n =1 the payoff set. Moreover, we assume the game to be of complete nformaton,.e. every node has complete knowledge about the payoff functons and the counters of all partcpants. Ths assumpton s based on the fact that the game parameters are ether defned n advance on a system-level scale or they are completely defned by the nformaton exchanged durng the revocaton process tself. More often than not, securty decsons are made on mplct assumptons about the strength of the attacker, but here we need to commensurate the response of bengn players to quanttatve values of the current costs and benefts of the game. Therefore, we assume such values to be known to all partcpants before the actual game takes place. a) Strateges: The strateges avalable for each player are ether abstan (A), vote (V), or commt self-sacrfce (S). Each strategy has an assocated beneft and cost that depends Table II PAYOFF u OF PLAYER AFTER THE END OF A REVOCATION GAME, GIVEN THE STRATEGY s. IF THE REVOCATION WAS SUCCESSFUL, WE HAVE k = 1 AND OTHERWISE k = 0. Abstan Self-sacrfce Vote Cost (1-k) c c s, + f(m/n) v + e(m/n) + (1-k) c Beneft 0 B k b Payoff u - (1-k) c B - c s, f(m/n) k b v e(m/n) - (1-k) c on the successful or unsuccessful revocaton of the certfcate as well. b) Payoffs: The payoff functon u of player s defned as the dfference between benefts and costs, expressed n publc-key certfcates and s shown n Table II. The quantty of vald certfcates, avalable for revocaton purposes, s defned as u for each player, whereas the accused node m has u m. Accordng to Secton III, we refer to t as the counter, whch s updated after each game as the sum of the prevous value of the counter and the current payoff,.e. u u + u, such that t s accumulated over tme. The evoluton of u depends therefore on the way nodes partcpate n revocaton games and on ther past behavor. c) Game Solutons: A wdely adopted soluton concept n game theory s the Nash equlbrum (NE), a strategy set s = {s }n =1 from whch no node has ncentve to unlaterally devate, gven that all other players conform to t. In ths paper, we focus on Nash equlbra as the ratonal outcome for any revocaton game G n. Although computng any NE s PPAD hard [19], the fne tunng performed n Secton V-D allows nodes to substantally reduce the number of such computatons by consderng only effcent strategy profles that result n a successful revocaton. A. Revocatons wth Payoffs Let G f n be an n-player revocaton game, where beneft and cost values of Table II are fxed for all players (c s, = c s ). Intally, we assume that the number of votes requred to revoke a certfcate s a fxed value n v. We now establsh the solutons of G f n by means of the NE strateges whch defne, for each player, the strategy to adopt n order to acheve the desred outcome. The proofs of the lemmas can be found n Appendx. Lemma 1: In G f n, for (B = c s ) (b > v), the n- player statc game G n has a unque pure strategy NE profle s = (V,..., V ),.e. all players vote and the accused node s revoked. As the payoff for votng s strctly greater than for selfsacrfcng, all players are better off votng and revokng the certfcate. Lemma 2: In G f n, for (B = c s ) (b < v), f f(m/n) < c then the NE are all strategy profles s that have exactly one self-sacrfce and n-1 abstentons. If f(m/n) c, then the strategy profle all-abstan s a NE. In other words, f the rsk of retalaton by colludng malcous nodes s hgher than the attack nduced cost, then

5 the bengn nodes would prefer not to revoke the msbehavng devce. Lemma 3: In G f n, for [(B < c s ) (b < v)] [B c s f(m/n) > b v e(m/n)], f f(m/n) < B c s +c then the NE are all strategy profles that have exactly one self-sacrfce and n 1 abstentons. If f(m/n) > B c s + c then the strategy profle all-abstan s a NE. Even though both payoffs are negatve, f self-sacrfcng s stll better than votng and the retalaton rsk s contaned, then the revocaton s performed by only one player, because t s n the best nterest of all other players to avod wastng certfcates and thus to abstan. Lemma 4: In G f n, for [(B < c s ) (b < v)] [b v e(m/n) > B c s f(m/n)], f e(m/n) < b v + c then the NE are all strategy profles that have (a) one selfsacrfce wth n 1 abstentons and (b) n v votes wth n n v abstentons. If e(m/n) b v + c then (b) s not anymore a NE. The accused node s revoked by any NE. If the rsk of retalaton for a votng node s contaned, the revocaton could also be performed by the strct mnmum number of voters n v, wthout any self-sacrfce. If the rsk s hgher, then no votng strategy profle s a NE. Most of the NE defned by the precedent lemmas guarantee the revocaton of the accused node s certfcate. However, when costs are greater than benefts, the ratonal strateges do not predct any unnecessary waste of vald certfcates by the players. Only the strct mnmal number of voters n v or exactly one self-sacrfce s selected as NE of the game. The man drawback s, however, that n all cases we have more than one possble NE by whch the game could end. If actve players bear a postve cost, those who abstan beneft from the effort of the others wthout havng to pay for t. Thus, every node would prefer to be one of the abstanng players and enjoy the benefts wthout contrbutng to the well-beng of the communty. The decson about whch player should choose whch strategy s addressed n the followng subsectons, by takng nto account the past behavor of each node when computng ndvdual payoffs. We frst dscuss the number of votes n v and then we focus on self-sacrfce costs c s,. B. Dynamc Vote Prevously, we assumed that n v was a fxed value, e.g. the majorty of players, as we dd not consder reputatons. By accountng for past behavor, however, we can determne the number of necessary votes for a successful revocaton dependng on the devce that actually uses the vote strategy and the reputaton of the accused node. For nstance, one vote by a node wth a hgher reputaton than the accused mght be enough to successfully revoke the certfcate (thus n v = 1), whereas several nodes mght need to vote f ther counter s not greater than the one of the accused devce (n v > 1). We now assume that a revocaton s successful when (a) :s =V u u m,.e. f the sum of counters of the players that vote s greater than the accused node s counter, or when (b) there s at least one self-sacrfcng player. We see that, for any gven strategy profle s = {s } n =1, the actual reputaton of the nodes performng the vote strategy determnes n v. For smplcty of future notaton, for each strategy profle s = (s 1,..., s 1, s +1,..., s n ), we defne the sum of counters of all players k (other than ) that choose to vote as γ(s ) = k :s k =V C. Retalaton Attack Cost Functons For each revocaton game aganst a malcous node, there s a rsk that the accused nodes mght collude and/or respond to the revocaton by accusng the bengn nodes. The more malcous nodes are present n a gven area, the more costly (or rsky) t becomes for bengn nodes to revoke them. Each partcpant n the revocaton game has two decsve actons (vote or commt self-sacrfce) that have dfferent strengths: one vote s usually not suffcent for a revocaton, as opposed to one self-sacrfce whch s entrely suffcent. Thus, the selfsacrfce strategy s more rsky to adopt because t s very easy for the malcous nodes to dentfy the unque player that commtted self-sacrfce and retalate aganst t. Therefore, we assume that 0 < e(m/n) < f(m/n). We choose f(m/n) = M/N and e(m/n) = z M/N, 0 < z 1, to model the retalaton attack cost functons n our games. They assure that n each revocaton game, f M/N s hgh, the nodes wll carefully consder ther actons before commttng to them. D. Self-Sacrfce Cost Functon If we consder the self-sacrfce strategy, we know that only one such strategy s suffcent to revoke the accused node. Thus, the extreme power assocated wth ts use should depend on the past behavor of each node. We make the plausble assumpton that a node wth a hgh counter has most lkely behaved correctly n the past and dd not abuse the revocatons, whereas a node wth a low counter has probably msbehaved. The well-behavng node has a better reputaton and should be gven a greater ncentve to perform the self-sacrfce. The msbehavng node should have to pay an extremely hgh prce for self-sacrfcng, whch would ultmately deplete ts counter and remove t automatcally from the network. Ths would lmt the abuse and ensure that msbehavor s quckly extngushed. We model the self-sacrfce cost c s, by a lnear functon of the counter u,.e. c s, = h g u. We tested several concave and convex functons for whch the cost decreases monotoncally wth the counter. We chose the lnear model because t provdes a good balance between the hgher costs determned by a concave functon and the lower costs dctated by a convex one. The two parameters of c s, to fne tune are h > 0 and g > 0. We begn by delneatng the best response functons for a player, assumng that b v e(m/n) > c,.e. the payoff for a successful vote s greater than the cost of abstanng n case the accused node s not revoked. The NE profles are then obtaned by the set of mutual best responses. The followng lemmas defne the scenaros where 1) the revocaton does not succeed even f votes, 2) the u k

6 revocaton succeeds f votes and 3) the revocaton succeeds even f abstans. Lemma 5: If s s such that u + γ(s ) < u m and n absence of a self-sacrfce, the best response functon for any player s defned as { br (s ) = arg max u A f u < τ 1 (s, s ) = s {A,V,S} S otherwse where τ 1 = h B c+f(m/n) g. Lemma 6: If s s such that u + γ(s ) u m and n absence of a self-sacrfce, the best response functon for any player s defned as br (s ) = { V f u < τ 2 S otherwse where τ 2 = h B v+b e(m/n)+f(m/n) g. Lemma 7: If s s such that γ(s ) u m or t has at least one self-sacrfce, the best response functon for any player s defned as A f b v < e(m/n) u < τ 3 V f b v > e(m/n) u < τ 2 br (s ) = S f (b v < e(m/n) u τ 3 ) (b v > e(m/n) u τ 2 ) where τ 3 = h B+f(M/N) g. Thanks to the best response functons, we can already fne tune h such that mn (τ 1, τ 2 ) > 0 as u 0, whch yelds h > B + c f(m/n). In addton, we are now able to mpose the followng three condtons on the game parameters: 1) Postve cost. We want that c s, + f(m/n) > 0 for all players P, otherwse t would encourage the abuse of self-sacrfce by malcous aganst bengn nodes. c s, = h g u + f(m/n) > 0, = 1..., n whch s equvalent to c s, = h g max u + f(m/n) > 0 h + f(m/n) max u > g (1) 2) Guaranteed revocaton. Consderng s of Lemma 5, we do not want abstan to be a best response for at least one player, otherwse the accused node would not be revoked. In other terms, we need that max u > h B c + f(m/n) g g > h B c + f(m/n) max u Ths requrement s essental f we want to protect ourselves n case the estmaton of the cost parameters assocated wth the attack of the accused node s dffcult or prone to errors. (2) 3) System-wde effcency. Consderng s of Lemma 7, we do not want self-sacrfce to be a best response. The malcous node would be revoked anyway, even f abstans (and thus does not ncur n any costs). We can guarantee ths by settng the largest threshold of the game lower than the maxmum counter. (a) If b v < e(m/n): max u < τ 3 (b) If b v e(m/n): g < h B + f(m/n) max u = τ 4 (3) max u < τ 2 h B v + b e(m/n) + f(m/n) g < max u = τ 5 (4) By mergng the upper bounds (1), (3), (4) and the lower bound (2) we have f b v < e(m/n): f b v e(m/n): h B c + f(m/n) max u h B c + f(m/n) max u < g < τ 4 < g < τ 5 In addton to the condtons 1) - 3) expressed prevously, n our NE selecton protocol defned n Secton VI we requre the exstence of at least one NE strategy profle. Thanks to bounds on the cost parameters h and g, we state the followng Theorem for b v < e(m/n) (when b v > e(m/n), the soluton s trval because there s always a unque NE, accordng to Lemma 1): Theorem 1: In G n, for b v < e(m/n), there s always a pure strategy NE profle s wth exactly one self-sacrfce and n 1 abstentons. Moreover, the player that commts selfsacrfce s the one wth the largest u. The proof s provded n Appendx. VI. SOCIAL WELFARE AND PROTOCOLS In ths secton, we descrbe the method that we use to select a sngle NE, n case more are present, wth the related protocols. The underlyng prncple s that of the prce of anarchy [20], whch takes nto account the utlty of all players or, n other words, the socal welfare functon ω. There are dfferent knds of these functons and two among them are the utltaran and egaltaran functons: n Utltaran: ω(s) = u (s) =0 Egaltaran: ω(s) = mn u (s)

7 By maxmzng ω(s) over all possble strategy profles s = (s 1,..., s n ) S, we acheve the socal optmum welfare Socal Optmum = max s S ω(s) The prce of anarchy (PoA) s then defned as the rato of the socal optmum welfare to the welfare of the worst NE strategy profle s Socal Optmum PoA = mn s NE ω(s ) The dea s that t gves a measure of how well selfsh players (NE) perform compared to the socal optmum. To solve the ssue and help players make consstent decsons,.e. to select the same NE strategy, we use the noton of socal optmum but n a slghtly dfferent way. We do not try to maxmze the welfare functon ω over all possble profles s but only over the NE profles s, because we are nterested n selectng one NE that s optmal wth respect to the gven ω. Consequently, all players wll be able to make ndependent, but mutually consstent, decsons about a unque NE. We now descrbe the unque optmal NE selecton protocols that are run durng the revocaton process, as descrbed n Secton IV. Frst of all, each player computes all NE as the frst step of the NESelect protocol. Knowng the optmzed game parameters, nodes can use heurstcs to mmedately dscard all strategy combnatons that do not result n a revocaton or that are neffcent, thus reducng the tme requred for the NE computatons. If more than one NE exsts, the second protocol OptNE s executed and the set G of all NE satsfyng the optmalty crtera (utltaran egaltaran or vce versa) defned by the varable frstoptcond s determned. We choose the utltaran crtera frst because t compares the aggregate utltes of all players at once, as opposed to the one-to-many comparson of each utlty, for all NE, done by the egaltaran crtera. The frst protocol then looks whether ths set s a sngleton or not and f so, t outputs the unque optmal NE profle s, otherwse t changes the optmalty crtera and restarts. If ths process ends up wth G havng more than one optmal NE as well, the player that ntated the revocaton game selects one optmal NE from the set G at random and broadcasts t to all partcpants. The fnal output of the two protocols s the unque socally optmal NE profle s. By agreeng on ths NE, all players are guaranteed not to pay the extra cost c that would result from the faled revocaton and to receve rewards from the CA. The functon getnext(.) takes the next n lne element of (.), SelectRandom(.) chooses one element of (.) at random, Broadcast(.) sends a broadcast message wth the element (.) to all neghbors and ReceveOpt(.) wats for the broadcasted element sent by the node wth the (.) ID. VII. PERFORMANCE EVALUATION We mplemented and smulated the optmal NE selecton protocols n Matlab, assumng a sngle attacker, although there could be as many attackers as revocaton games runnng n Protocol 1 NESelect. 1: AllNE = {s s NE} 2: f AllNE = 1 then 3: s = getnext(allne) 4: else 5: G = OptNE(utltaran, AllNE) 6: f G = 1 then 7: s = getnext(g) 8: else 9: G = OptNE(egaltaran, AllNE) 10: f G = 1 then 11: s = getnext(g) 12: else 13: f thsnodeid = ntatorid then 14: s = SelectRandom(G) 15: Broadcast(s ) 16: else 17: s = ReceveOpt(ntatorID) Protocol 2 OptNE(frstOptCond, AllNE). 1: f frstoptcond = utltaran then 2: ω 1 (s) = n =0 u (s) 3: ω 2 (s) = mn u (s) 4: else 5: ω 1 (s) = mn u (s) 6: ω 2 (s) = n =0 u (s) 7: G 1 = {s s = arg max s AllNE [ω 1 (s)] 8: f G 1 = 1 then 9: G = G 1 10: else 11: G 2 = {s s = arg max s G1 [ω 2 (s)] 12: G = G 2 13: return G parallel. We run 10 teratons for each number of players between 2 and 15, as we assume a hghly moble envronment and short-range communcatons. The confdence nterval s 95%. As n Secton V-D for the system-wse effcency of the self-sacrfce cost c s,, we assume here that b v < e(m/n) n order to avod any unnecessary effort due to the use of the vote strategy as well. The exact game parameters are: u [0 10] unformly at random, where we use the same maxmum value through all subsequent smulatons. h = 4.5 > B = 1 > c = 0.5 > v = 0.3 > b = 0.2 [certfcates], z = 0.25. g = 2(h B+f(M/N)) c s the mddle pont between the 2 max u lower (2) and upper bounds (3) to the slope of c s,. The rato of malcous/total nodes s M/N = 0 and M/N = 0.3. The man results are dscussed n the followng subsectons. A. Number of Nash Equlbra In Fgure 2 we see that by usng the dynamc vote, the number of vote NE s only 1/25 of the number obtaned

8 # of Nash equlbra 10 5 10 4 10 3 10 2 10 1 10 0 Vote NE Majorty Vote NE Dynamc, M/N=0 Vote NE Dynamc, M/N=0.3 Sacrfce NE % of selectons 100 90 80 70 60 50 40 30 20 10 Type of selected NE Majorty vote, M/N=0 Dynamc v. / u m =14, M/N=0 Dynamc v. / u m =14, M/N=0.3 Dynamc v. / u m =16, M/N=0 Dynamc v. / u =16, M/N=0.3 m 10 1 2 4 6 8 10 12 14 # of players 0 2 4 6 8 10 12 14 # of players 8 7 Fgure 2. Average number of Nash equlbra. # of votes requred for successful revocaton Majorty vote Dynamc v. / u m =14 Fgure 4. Percentage of vote Nash equlbrum selectons. to the greater number of players needed by the majorty and the consequently hgher socal cost. # of votes for succ. revoc. 6 5 4 3 Dynamc v. / u m =16 Dynamc v. / u m =18 2 2 4 6 8 10 12 14 # of players Fgure 3. Number of votes requred for a successful revocaton. when usng the majorty vote for 15 players. Ths comes from the fact that there are fewer combnatons of players whose aggregate votes would result n a successful revocaton, compared to any combnaton of the majorty of players n the other case. The mpact of the presence of colludng malcous nodes that could retalate aganst the players s neglgble. We notce that the number of self-sacrfce NE s the same n both systems, because the self-sacrfce strategy s lmted to the one or two players that have the hghest counter and does not depend on the votng scheme beng used. B. Number of Votes for Revocaton Fgure 3 shows the number of players that are requred to vote n order to revoke the accused node s certfcate. For the majorty vote, the number of votes ncreases wth the total number of players, rrespectve of ther reputatons. Wth the dynamc vote, on the contrary, we see that the number of votes tends to decrease as the number of players ncreases. Thanks to the greater dversty of counters as the number of players ncreases, t becomes easer to fnd few players wth hgh counters (or reputatons), such that the vote NE becomes socally less costly. If the game were to end by votng, only these few players would need to vote, compared C. Type of Selected Nash Equlbrum Fgure 4 shows the percentage of vote NE that have been selected as the unque optmal NE by the protocols for, respectvely, majorty and dynamc votes. The percentage of selected optmal self-sacrfce NE s smply the dfference between 100% and the vote NE selecton percentage. Wth majorty votes, the vote NE s domnant n games wth less than 4 players, whereas wth 4 players and more, the selfsacrfce takes over. Ths s justfed by the socal optmalty crtera as the vote NE wll be less socally costly than the sacrfce f and only f (b v) n v > c/2. For our parameters, we have that the nequalty holds f n v 2, meanng that up to three players, a vote s less costly as the majorty s n v = 2, and afterwards t becomes more costly and therefore the selfsacrfce strategy s selected. Wth dynamc votes, we see that for relatvely low u m, the vote NE s domnant wth respect to the self-sacrfce because very few players are needed to vote and, as explaned earler, the vote s more socally optmal f and only f the two most wealthy players are suffcent to revoke the accused node. When u m ncreases, more players would be needed for the revocaton by vote and f most of them have a relatvely low u, t mght not even be feasble. In ths case, the self-sacrfce strategy would be the only opton. Fnally, we see that by ncreasng the number of players, there are more chances of fndng players wth relatvely hgh u and thus revocaton by vote would be less costly than self-sacrfce. When the number of colludng malcous nodes ncreases, the revocaton s done by self-sacrfce. Gven our parameters, t s socally less costly to rsk the revocaton of one bengn node that commtted self-sacrfce than two devces that voted. VIII. CONCLUSION In ths paper, we have desgned a game-theoretc framework for local certfcate revocaton n ephemeral networks. Frst, we have provded ncentves n order to guarantee the revocaton

9 of the malcous node even n presence of naccurate estmaton of the attack-nduced cost. Second, we have consdered reputatons, based on each node s past behavor, and we have optmzed the game model such that the adapted cost parameters guarantee a successful revocaton of the malcous node n the most socally effcent way. Based on the analytcal results, we then desgned a novel reputaton-based on-the-fly local revocaton scheme that establshes a unque optmal Nash equlbrum n a dstrbuted fashon. Smulaton results llustrated that, by consderng the past behavor of all partes nvolved n the process, our revocaton protocols are effectve n determnng the unque most effcent outcome that s also socally optmal,.e. that generates the least costs for the communty of players. As part of future work, we ntend to extend our gametheoretc model to other breeds of networks wth smlar characterstcs, and to nclude role attrbuton to a subset of players, where herarchy and past behavor wll be consdered whle determnng the outcome of the revocaton games. REFERENCES [1] Http://www.aka-ak.com/. [2] Http://www.csg.ethz.ch/research/projects/Blue star. [3] Http://realty.meda.mt.edu/serendpty.php. [4] J. Katz, Brdgng game theory and cryptography: Recent results and future drecton, Lecture Notes n Computer Scence, vol. 4948, p. 251, 2008. [5] M. Raya, M. Manshae, M. Félegyhaz, and J.-P. Hubaux, Revocaton games n ephemeral networks, n Proceedngs of the 15th ACM conference on Computer and communcatons securty. ACM New York, NY, USA, 2008, pp. 199 210. [6] R. L, J. L, H. Kameda, and P. Lu, Localzed publc-key management for moble ad hoc networks, n IEEE Global Telecommuncatons Conference, GLOBECOM 04, vol. 2, 2004. [7] H. Luo, P. Zerfos, J. Kong, S. Lu, and L. Zhang, Self-securng ad hoc wreless networks, n Seventh IEEE Symposum on Computers and Communcatons (ISCC02), 2002. [8] S. Chnn, J. Thomas, G. Ghnea, and Z. Shen, Trust model for certfcate revocaton n ad hoc networks, Ad Hoc Networks, vol. 6, no. 3, pp. 441 457, 2008. [9] G. Arbot, C. Crépeau, C. Davs, and M. Maheswaran, A localzed certfcate revocaton scheme for moble ad hoc networks, Ad Hoc Networks, vol. 6, no. 1, pp. 17 31, 2008. [10] P. Mchard and R. Molva, Core: a collaboratve reputaton mechansm to enforce node cooperaton n moble ad hoc networks, n Advanced communcatons and multmeda securty: IFIP TC6/TC11 Sxth Jont Workng Conference on Communcatons and Multmeda Securty, September 26-27, 2002, Portorož, Slovena. Kluwer Academc Pub, 2002, p. 107. [11] Wreless Publc Key Infrastructure - Man Specfcaton. [Onlne]. Avalable: Rev. 2.2, http://www.wpk.net/fles/wpki%20man%20specfcaton%202.2.pdf [12] IETF RFC 2459. [13] M. Gruteser and D. Grunwald, Enhancng locaton prvacy n wreless lan through dsposable nterface dentfers: a quanttatve analyss, Moble Networks and Applcatons, vol. 10, no. 3, pp. 315 325, 2005. [14] Mx zones: User prvacy n locaton-aware servces. [15] H. Yang, H. Luo, F. Ye, S. Lu, and L. Zhang, Securty n moble ad hoc networks: challenges and solutons, IEEE Wreless Communcatons, vol. 11, no. 1, pp. 38 47, 2004. [16] H. Yang, J. Shu, X. Meng, and S. Lu, Scan: self-organzed networklayer securty n moble ad hoc networks, IEEE Journal on Selected Areas n Communcatons, vol. 24, no. 2, pp. 261 273, 2006. [17] S. Radosavac, J. Baras, and I. Koutsopoulos, A framework for mac protocol msbehavor detecton n wreless networks, n Proceedngs of the 4th ACM workshop on Wreless securty. ACM New York, NY, USA, 2005, pp. 33 42. [18] T. Moore, J. Clulow, S. Nagaraja, and R. Anderson, New strateges for revocaton n ad-hoc networks, Lecture Notes n Computer Scence, vol. 4572, p. 232, 2007. [19] C. Daskalaks, P. Goldberg, and C. Papadmtrou, The complexty of computng a nash equlbrum, Commun. ACM, 2009. [20] T. Roughgarden, Selfsh routng and the prce of anarchy. The MIT Press, 2005. APPENDIX Proofs of Lemmas 1-7 and Theorem 1. Lemma 1: By defnton, we know that a strategy profle s s a NE ff no sngle player has ncentve to unlaterally devate from hs equlbrum strategy s, gven the strateges of other players s. If we consder the payoff for any player correspondng to the strategy profle s = (V,..., V ) we have that s = A u (V,..., A, V,..., V ) = 0 s = V s = S u (V,..., V,..., V ) = b v e(m/n) u (V,..., S, V,..., V ) = B c s f(m/n) Gven the condtons of the Lemma, b v e(m/n) > 0 f(m/n) and thus for any s s, the correspondng payoff s lower than f s = s. Lemma 2: We consder the strategy profle s wth one self-sacrfce and n 1 abstentons. In ths case, the payoffs are u = (B c s f(m/n), 0,..., 0) = ( f(m/n),..., 0), where the self-sacrfcng player could be any of the n players. The payoffs are f s = S :u (A,..., s, A,..., A) = 0 f(m/n) u (A,..., A,..., A) = c u (A,..., V, A,..., A) = v e(m/n) c f s = A :u (s 1,..., s,..., s n) = 0 u (s 1,..., V, s +1,..., s n) = b v e(m/n) u (s 1,..., S, s +1,..., s n) = 0 f(m/n) For s = S, u (A,..., A) = c < u (s, A,..., A) = f(m/n) f and only f f(m/n) < c. For s = A, u (S, A,..., A) = 0 > u (S, A,..., S, A,..., A) = f(m/n) for all f(m/n) > 0. We see that f player s the only sacrfcng partcpant, he has no ncentve to devate from ths strategy f the rsk of retalaton s low (f(m/n) < c). In ths case, any strategy profle s wth exactly one self-sacrfce and n 1 abstentons s a NE. If, on the other hand, the rsk of retalaton s hgh, he would prefer to abstan and thus the all-abstan strategy profle would be a NE. Lemma 3: The proof s analog to the one of Lemma 2. Lemma 4: For the case (a), the proof s analog to the one of Lemma 2. For the case (b), we consder the strategy profle s that has exactly n v votes and n n v abstentons. Wthout loss of generalty, we assume that the frst n v players vote and the remanng players abstan. We refer to a votng player as

10 and to an abstanng player as j. If s 1 = V :u 1 (s 1,..., V, A,..., A) = b v e(m/n) u 1 (A, V,..., V, A,..., A) = c u 1 (S, V,..., V, A,..., A) = B c s f(m/n) If s n = A :u 1 (V,..., V, A,..., s n) = 0 u n (V,..., V, A,..., V ) = b v e(m/n) u n (V,..., V, A,..., S) = B c s f(m/n) Accordng to the condtons of the Lemma, we have that s = V s better than s = S for any votng player. Smlarly, we see that s = V s also better than s = A f and only f b v e(m/n) > c, or f e(m/n) < b v + c. Moreover, s j = A s better than s j = V or s j = S for any abstanng player j. Therefore, the strategy profle s wth exactly n v votes and n n v abstentons s a NE f and only f e(m/n) < b v c, otherwse s s not a NE. Lemma 5: We look at the payoff functons for the dfferent possble s, gven all s that respect the condton of the lemma. s = A s = V u (A, s ) = c u (V, s ) = c v e(m/n) s = S u (S, s ) = B h + g u f(m/n) From the above equatons we know that the strategy vote wll never be a best response snce the assocated payoff s always lower than the one gven by abstan. The only choce s then between the strategy S and A. Solvng the nequalty B h+g u f(m/n) > c we have that the best response of player s to abstan f u < h c B+f(M/N) g and to self-sacrfce otherwse. Lemmas 6, 7: The proof s analog to that of Lemma 5. Theorem 1: Let us consder the strategy profle s = (A,..., A, S, A,..., A), where the only S strategy s adopted by the player wth the largest u (we call hm P S ) and all the remanng n 1 players adopt the strategy abstan (we refer to any of these players as P A ). Usng the bounds found n Secton V-D for h and g, we show that s s always a NE. Frst, let us analyze the ndvdual payoffs for each player and for all hs possble strateges, gven the strateges of the other n 1 players. (a) For any P A : Moreover, we can see that u PA,(S,s ) u PA,(A,s ) = B c s,pa f(m/n) (a) < B h + h B + f(m/n) u P max u A f(m/n) = (1 u P A max u )(B h f(m/n)) (b) < (1 u P A ) max u (B B c + f(m/n) f(m/n)) } {{ } >0 = (1 u P A max u )( c) < 0 u PA,(S,s ) < u PA,(A,s ) where (a) follows from the lower bound (3) and (b) from the fne tunng of h,.e. h > B +c f(m/n). Therefore, no player P A has ncentve to unlaterally devate from hs equlbrum strategy abstan. (b) For P S, where u P S = max u : u PS,(A, s ) = u PS,(A,s ) = c u PS,(V, s ) = u PS,(V,s ) = c v e(m/n) u PS,(S, s ) = u PS,(S,s ) = B c s,ps f(m/n) Agan, to vote s not an opton for P S snce the strategy abstan would always gve hm a better payoff. Furthermore, we have u PS,(S,s ) u PS,(A,s ) = B c s,ps f(m/n) + c = B h + g u P S f(m/n) + c (c) > B h + h B c + f(m/n) max u u P S f(m/n) + c (d) = B h + h B c + f(m/n) u u P S f(m/n) + c P S = 0 where (c) follows from the lower bound (2) and (d) from = max u. Summng up, we have that u P S u PS,(S,s ) u PS,(A,s ) > 0 or u PS,(S,s ) > u PS,(A,s ) Therefore, P S has no ncentve to unlaterally devate from hs equlbrum strategy S. In the end, no player s better off devatng from hs equlbrum strategy and thus s s a Nash equlbrum n any n-player revocaton game G n. u PA,(A, s ) = u PA,(A,s ) = 0 u PA,(V, s ) = u PA,(V,s ) = b v e(m/n) u PA,(S, s ) = u PA,(S,s ) = B c s,pa f(m/n) Here, we can already exclude the second possblty as the correspondng payoff s always smaller than the other two.