IEEE TRANSACTIONS ON DEPENDABLE AND SECURE …stefa/webpage/Publications_files/mei-jour… · selfishness—nodes that are selfish with outsiders and faithful with people from the

Give2Get: Forwarding in Social MobileWireless Networks of Selfish Individuals

Alessandro Mei, Member, IEEE, and Julinda Stefa

Abstract—In this paper, we present two forwarding protocols for mobile wireless networks of selfish individuals. We assume that all

the nodes are selfish and show formally that both protocols are strategy proof, that is, no individual has an interest to deviate.

Extensive simulations with real traces show that our protocols introduce an extremely small overhead in terms of delay, while the

techniques we introduce to force faithful behavior have the positive and quite surprising side effect to improve performance by reducing

the number of replicas and the storage requirements. We test our protocols also in the presence of a natural variation of the notion of

selfishness—nodes that are selfish with outsiders and faithful with people from the same community. Even in this case, our protocols

are shown to be very efficient in detecting possible misbehavior.

Index Terms—Delay tolerant networks, pocket switched networks, social mobility, selfishness, forwarding protocols.

Ç

1 INTRODUCTION

IN the last few years, the diffusion of mobile personaldevices exploded. Smartphones are used by people—not

only technology geeks—to communicate, to use applicationsonce run only by desktops, and to organize their life.Typically, these devices can communicate with each otherover short distances by using wireless technologies such asbluetooth. In this way, a new kind of network emerges wherenodes are carried by people and links appear and disappearas people move and get in contact. These networks, alsoknown as Pocket Switched Networks (PSN [1], [2]), can bekey technology to provide innovative services to the userswithout the need of any fixed infrastructure. PocketSwitched Networks are usually disconnected, are character-ized by social-based mobility and heterogeneous contactrate. Examples of such networks include people at workplaces, students on university campuses, and citizens inmetropolitan areas. Possible application scenarios of PSNsinclude bringing connectivity to rural areas and enablingservices such as e-governance, citizen journalism etc.

The problem of designing efficient forwarding protocolsfor PSNs has attracted the attention of many researchers. Inforwarding protocols, messages are routed from source todestination thanks to intermediate relays. One fundamentaland natural question, especially in this setting, is why nodesshould accept to use their own energy and bandwidth justto carry other people’s messages. Indeed, the protocols inthe literature break down immediately if you do not assumethat all the nodes cooperate in an altruistic manner. Weshow this phenomenon, which is intuitive indeed, by a fewexperiments on Epidemic Forwarding [3] and DelegationForwarding [4], two important protocols in the literature.

In this paper, we introduce Give2Get (G2G) EpidemicForwarding and Give2Get Delegation Forwarding, whichare, to the best of our knowledge, the first protocols forpacket forwarding in a social mobile setting that leverage onthe social aspects of the network to tolerate selfish behavior:friend nodes meet with high frequency. This helps usshowing formally that no rational node has any incentive todeviate. In other words, our two protocols are strategyproof, i.e., the strategies of following the protocols are NashEquilibria. However, for simplicity we will use the wordsprotocol and strategy (to follow that protocol) interchange-ably. In the paper, we describe our methodology and themain steps, the mechanisms, and the ideas that we haveused to build the complete proof.

Lastly, we perform a large set of experiments to check theperformance of G2G Epidemic Forwarding and G2GDelegation Forwarding. Quite surprisingly, we discoverthat some of the mechanisms that we introduce to makethese protocols Nash equilibria are also useful to control thenumber of replicas in the network and push the messagesquickly and cheaply far from the community where theyhave been generated. As a result, G2G Epidemic Forwardingand G2G Delegation Forwarding, besides providing robust-ness in a network where every node is selfish, have nearlythe same delay and success rate of their original alter egos,and have a considerably lower cost in terms of number ofreplicas (around 20 percent less). Moreover, we also performa detailed study of the memory load required by all theseprotocols. To the best of our knowledge, this is the first timesuch a detailed study is performed. We measure the costgenerated by each protocol by computing the averagestorage requirements to forward one message. Our experi-mental results show that our G2G protocols, aside providingtolerance to selfish behavior, require considerably lessstorage than their vanilla alter-egos in almost all cases, evenincluding the overhead due to signatures and otherinformation used by the G2G mechanisms.

The paper is organized as follows: Section 2 reports onthe literature in the area; Section 3 defines our systemmodel; Sections 4 and 5 present G2G Epidemic Forwarding

IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 4, JULY/AUGUST 2012 569

. The authors are with the Department of Computer Science, SapienzaUniversity of Rome, Via Salaria 113, 00198 Rome, Italy.E-mail: {mei, stefa}@di.uniroma1.it.

Manuscript received 7 Mar. 2011; revised 19 Nov. 2011; accepted 19 Mar.2012; published online 23 Mar. 2012.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TDSC-2011-03-0038.Digital Object Identifier no. 10.1109/TDSC.2012.37.

1545-5971/12/$31.00 � 2012 IEEE Published by the IEEE Computer Society

and G2G Delegation Forwanding along with proofs that thetwo protocols are Nash Equilibria; in Section 6 we firstillustrate a large set of experiments that show the dramaticeffect of selfish behavior on vanilla Epidemic and Delega-tion Forwarding; we show that our protocols detectefficiently and quickly possible deviations; we then describethe excellent performance of our protocols—similar successrate and delay of earlier protocols (that do not tolerateselfish behavior) and considerably less requirements interms of both number of replicas and storage. Lastly,Section 7 concludes the paper.

2 RELATED WORK

A lot of work has been done in building efficientforwarding protocols for Pocket Switched Networks. Manyof the protocols in the literature use in sophisticated waysthe properties of human mobility [4], [5], [6], [7], [8], [9]. Allof them rely on the altruistic cooperation among the nodes.

The problem of building mechanism and protocols thatcan tolerate selfish behavior is an important and modernissue in the design of networking protocols and distributedsystems. See, as an important example, the work in [10],[11]. Earlier work has been done to mitigate the impact ofselfish behavior in mobile ad hoc networks as well. Thesolutions can be classified into two main approaches:reputation-based schemes [12], [13], [14], [15] and credit basedschemes [16], [17], [18], [19]. In the former schemes, nodescollectively detect misbehaving members and propagatedeclarations of misbehavior throughout the network. Even-tually, other nodes will avoid routes through selfishmembers. In credit-based approaches, nodes pay and getpaid for providing service to others. Digital cash system isimplemented in order to encourage correct behavior amongnodes. In [20], a combination of the two schemes ispresented. All these solutions assume the use of publickey cryptography for authentication of messages. Regard-less of the performance of these schemes on ad hocnetworks, none of them is designed for social mobilenetworks. Indeed, no previous work is neither designedwith a social mobile scenario in mind, nor exploits the socialnature of the network or the properties of the movementthat such social nature generates.

Recently, Buttyan et al. [21] introduced a barter-basedcooperation system to increase message delivery rate inopportunistic networks. The authors assume that altruisticstatic nodes scattered on the network area generate messagesdownloadable by interested network members in physicalproximity. When two nodes meet, they exchange the list ofthe messages in their buffers and each node decides todownload from the other node only the messages of itsinterest. Then, the nodes start downloading messages tillthey move out each other’s communication range. A game-theoretical model helps the authors prove that the approachfoster cooperation. They support their findings with ex-tensive simulations done with the restricted random way-point (RRW) model and the Simulation of Urban MObilitySUMO [22]. Though it introduces a novel technique ofstimulation of cooperation, their work is oriented to a gossip-like service, where messages are created from special nodesand many other nodes are interested in downloading them,which is a natural incentive for the distribution.

COFFEE [23] is an interesting mechanism to enforcecooperation among nodes in wireless networks. However,the solution relies on fixed and known-in-advance routesamong nodes. Indeed, it uses the DSR routing protocol,which is shown to be inapplicable in a dynamic, delaytolerant setting such as pocket switched networks. In [24],[25], the authors study the impact of different degrees ofcooperation among the nodes on the performance ofEpidemic Forwarding [3], Binary Spray&Wait [26], andthe Two-Hop relaying algorithm [27]. A recent work [28]presents a routing mechanism built upon the willingness(declared by each individual) to forward other individuals’messages. In [29], the authors study for the first time theimpact of different distributions of altruism on thethroughput and the delay of mobile social communicationsystems. They show that, when forwarding algorithms thatuse multiple paths are considered, social mobile networksare robust to different distributions of altruism of nodes. Tothe best of our knowledge their work is the first studyaimed to explore altruistic/selfish behavior in these types ofnetworks and encourages for further work in this direction.

3 THE SYSTEM MODEL

3.1 System and Node Properties

In our system model, every node is selfish. This is a realisticscenario, if people can get the same level of service withoutusing part of their battery or part of their wireless uptime ormemory without any consequence, they will. And as soonas the first user finds a way to get more (or the same) whilepaying less, and publishes the patch of the system software,everybody will download the patch and use it. So, it isreasonable to assume that, if some of the nodes deviateselfishly, after a while everybody will.

We assume that there are no byzantine nodes in thenetwork. We also assume that selfish nodes do not collude.All the nodes in the system are interested in receiving andsending messages, in other words, all the nodes areinterested in staying in the system. Nodes are loosely timesynchronized. Loose time synchronization (i.e., to effectivelylimit the clock-drift to an external reference [30]) is very easyto get, if a precision in the order of the second is enough, likein our protocol. We assume that every control message ofour protocols is labeled with a time stamp, though it doesnot appear in the protocols to keep the presentation clean.The clock is used to check the time-outs, and the time stampis used when reporting misbehavior to the authority.

Lastly, nodes are capable of making use of public keycryptography—this capability will be used to sign messagesand to make sender to destination encryption. Therefore,we assume that every node has a public key and thecorresponding private key.

3.2 The System Authority and Key Revocation

In our system nodes that join and leave are handled by acentral authority. The authority handles new nodes joiningthe network in a standard way: It identifies the new node andit signs the new node’s certificate (or the master public key ishanded out to the node in case of an identity-based publickey system). More authorities can coexist, as long as theyexchange information on nodes that enter and exit the system

570 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 4, JULY/AUGUST 2012

in real time. To communicate with the nodes, we assume thatthe authority can use the cellular infrastructure or wirelesstechnology like, e.g., GSM. This technology is very expensivecompared with Bluetooth communication used by ourforwarding protocols. However, it is used very sparingly:Just when a node is revoked from the system using methodslike in [31], [32]. We can reasonably expect that this event israre. The cellular network can also have some delay, usuallydue to nodes that are temporarily out of coverage—this is notan issue, even if a revocation due to misbehavior is late, itdoes not lose its power as a deterrent. Moreover, nodes canpretend to have run out of battery or to be out of coverage justto prevent communication with the authority. These pro-blems can be dealt with quite easily (for example, by forcingthe nodes to keep all the cryptographic proofs of theirbehavior until they are up and with cellular networkcoverage). However, in the following, we will assume thatthe cellular network covers the whole network and that nodesare always up and running. This assumption is not funda-mental (we can work out a solution even without it), it is notfar from reality, and it considerably simplifies presentation.Node failures are dealt with as if a node switches of the devicefor a certain amount of time. It is considered to be a legitimatebehavior in the system, even though, as we will prove, nonode will chose to do so deliberatively for its quality ofservice will drop during such time.

It is known that public key cryptography is moreexpensive than symmetric cryptography. However, moderncryptography techniques, like those based on ellipticcurves, provide short signatures (a secure signature basedon elliptic curves is just 320 bits long), and cheaper andcheaper computation [33], which is shown to be adequateeven for sensors. The same is true for identity-basedcryptosystems [34]. In addition to this, the delay tolerantnature of the PSNs (there are less delay constrains) givesnodes the time to generate and verify signatures. Moreover,in our study we are addressing a network of smartphonesor PDAs, which are not-so-small devices. Modern smart-phones can run sophisticated applications, like decoders ofstreaming videos, 3D games, web browsers that can openSSL sessions, and others. For these devices, a signature permessage can be considered a relatively low overhead. In therest of this paper, we will use HðÞ to denote a hash function,and hmiA to denote a message m signed by node A.

4 GIVE2GET EPIDEMIC FORWARDING

In Epidemic Forwarding [3], every contact is used as anopportunity to forward messages. When node A meetsnode B, and A has a message that B does not have, themessage is relayed to node B. Epidemic forwarding withunlimited buffer is often used as a benchmark, it is easy tosee that it is impossible to get smaller delay, or highersuccess rate. However, the overhead in terms of number ofcopies of the same message is very high. Put simply, manyof the forwarding protocols in the literature on PocketSwitched Networks have the goal of reducing drasticallythe overhead without affecting much the delay and thesuccess rate of Epidemic Forwarding.

However, Epidemic Forwarding does not tolerate ascenario in which users can make selfish choices. Indeed,

selfish nodes simply drop every message they receive (exceptthose destined to themselves!). We will call message droppersthe nodes that implement this simple form of deviation. Inthis section, we show how to build a version of EpidemicForwarding, called Give2Get Epidemic Forwarding, thatworks in a system where every node is selfish. We will seethat G2G Epidemic Forwarding is a Nash equilibrium, thatis, no selfish node has a better choice than following theprotocol truthfully. In this way, we protect the networkagainst message droppers and against any other rationaldeviation. Most of the ideas and techniques that we developin this section will be used in the more sophisticatedprotocols we introduce later in this paper.

G2G Epidemic Forwarding consists of three phases:Message generation, relay, and test. The idea behind eachphase is as follows: 1) during message generation themessage is modified so that a relay candidate has nointerest in not accepting it; 2) the relay phase “forces” nodesto collect the so-called proof of relay to show to previousrelays (or source), during the test phase, 3) that they havecorrectly behaved with the message—this is to make itimpossible to relays to drop messages. The details of eachphase will be given in the remaining of the section.

Message generation executes when one node creates amessage to send. Suppose that node S has a message to sendto node D. The message is built according to the followingform: m ¼ hD; EPKD

ðS;msg id; bodyÞiS . Key PKD is thepublic key of the destination D. Note that it is a precisedesign choice to hide the sender of the message to everypossible relay except the destination. We will see later whythis is important.

4.1 G2G Epidemic Forwarding: The Relay Phase

Once the message is generated, the sender S tries to relay itto the first two nodes it meets. When node S meets node B,node S starts a session with the possible relay bynegotiating a cryptographic session key with node B. Thisis easily and locally done by using the certificates of the twonodes, signed by the trusted authority. In this way, bothidentities are authenticated. From this point on, everycommunication during the session is encrypted with asymmetric algorithm like AES and the session key (to keepthe notation clean, this encryption is not shown in theprotocols). Node S starts the relay phase by asking node Bif it has already handled a message with hash HðmÞ (seeFig. 1, where the role of S is described as done by node Astep 1). Token TAB is a cryptographic proof that node A hascompleted with the test phase the last interaction with

MEI AND STEFA: GIVE2GET: FORWARDING IN SOCIAL MOBILE WIRELESS NETWORKS OF SELFISH INDIVIDUALS 571

Fig. 1. Protocol of the relay phase (in case node B does not have themessage).

node B. In the formal proof, the token will be key to showthat also intermediate relays—and not just the sender—hasan interest to perform the test phase. More details on howthe token TAB is being computed will be given in thedescription of the test phase (Session 4.2). However, in casethis is the first interaction, the token can be empty. In casenode B has never seen this message, the relay phase goeson (step 2), otherwise node B informs S that it should notbe chosen as a relay. Note that node B would not lie, sinceit still does not know the content of the message, itsdestination, and, in particular, if node B itself is thedestination. In other words, if B deviates and executes amodified version of the protocol in which it declines offersof being a relay without knowing the destination of themessage, it won’t receive any message, against its owninterest. Node S generates a random key k, and sendsmessage m to B, encrypted with key k (step 3). Then,node B sends a proof of relay to node S which in turn, lastly,sends key k to B, who now knows whether it is thedestination of the message or just a relay. Note that therelay phase is only started for messages that have notexpired yet. Indeed, after message time-out (that we willdenote with � in the rest of the paper), nodes are allowedto discard everything about expired messages.

4.2 G2G Epidemic Forwarding: The Test Phase

Once it realizes that it is a relay for message m, node Bfollows the same protocol as done by node A, the previousrelay. That is, find two other nodes and relay the message tothese two nodes by executing the relay phase as shown inFig. 1. By doing so, it can collect two proofs of relay (PORs)that it will be asked to show, when meeting node A again,during the test phase. If node B is not able either to showthe two proofs or to prove to have the message still in itsmemory (as detailed at Step 2 in Fig. 2), then node A cansend by the cellular network a proof of misbehavior (PoM) tothe authority. The proof of misbehavior consists of the proofof relay hPOR; HðmÞ; A; BiB, signed by node B. Theauthority, in turn, will revoke node B, if node B is not in theposition to prove that A is wrong by showing the twoproofs of relay or by proving to have the message still inits memory to the authority (the protocol between theauthority and node B is simple and similar to the test phasein Fig. 2). It is important to realize, however, that under ourassumptions misbehavior never happens. Indeed, all thenodes are rational—they will not deviate from the protocolsince it is against their own interest as we prove moreformally later in this paper. In particular, nodes have nointerest in sending fake proofs of misbehavior against othernodes to the authority since it is expensive and it is notgoing to have any effect.

Only when two proofs are collected the message can bediscarded from B’s memory. After a time-out �, B can stoplooking for relays and can discard every informationregarding the message. In turn, node A can discard thetoken TAB, in case a test phase between the two nodes isexecuted. Time-out � plays the role of the message time toleave (TTL) in Epidemic Forwarding. Therefore, it should bechosen in such a way that the success rate is high enough.Our experiments show that the delay of G2G EpidemicForwarding is very close to the delay of Epidemic Forward-ing, and so � can be chosen as in its original alter agowithout affecting the success rate.

The test phase is started by node A (see Fig. 2), whenmeeting node B before time-out �. During the test phase,node A challenges node B: Either it has two proofs of relay,or it still stores the message. In case node B has two proofsof relay, it can reply with the two proofs. The challenge is asimple cryptographic protocol in which node A generates arandom seed s and asks node B to send back the value of ahard to compute puzzle of message m and seed s. Thepuzzle (denoted with P ðm; sÞ in the figure) is a so-calledcost-function: efficiently verifiable, but expensive to com-pute. Example of cost-functions are the Interactive Hashcashfunction [35] used to mitigate sybil and DOS attacks toservers, or the Rivest et al. time-lock puzzle [36] famous formitigating distributed DOS attacks. By choosing a cost-function that is hard enough to compute, node B isencouraged to relay the message and get the two proofs ofrelay in all cases in which the probability of meeting node Aagain is not negligible (below a fixed and small probability).Note that B does not know the seed beforehand, it must bestoring the message unless it has found two relays. So, whileit is a legitimate part of the strategy to keep the message andnot to relay it, it is rational to relay it unless the meetingswith the previous relay are very infrequent. In this way, wecan make the event that B chooses to store the message rarein such a way that success probability is virtuallyunaffected. Note that in many cases A cannot check whetherB has correctly computed the puzzle: Node A may havealready forwarded m to 2 relays (one is B itself) and thuslegitimately dropped the message afterwards. However, ifA is the source, A is interested in storing the message and inchecking that B has behaved correctly by verifying thepuzzle result. Since B does not know whether A is thesource of m or not, node B has to behave otherwise it can beremoved from the system.

Lastly, if A (relay or source) does not start the test phaseas required by the protocol, node B is forced to keep proofsof relay in his buffer till time-out � expires, although itcould get rid of them and free the memory if A started thetest phase. Thus, the token TAB will not be sent to A, andwithout it, node B will punish A and not relay any messagewhose destination is node A until time-out � expires. If Adoes not start the test phase this is very important to getnode A perform the test phase. In addition, it is not possiblefor B to fool A by forging any of the two proofs, since theyare signed by the two relays. In any case, node A will storethe proof received by node B as token TAB until expirationof time-out �.


Fig. 2. Protocol of the test phase.

4.3 G2G Epidemic Forwarding Is a NashEquilibrium

We formally show that G2G Epidemic Forwarding is a Nashequilibrium by defining a set of players, a set of possiblestrategies S, and a payoff functionf : Sn 7! IRn. In our case, theset of players consists of the n nodes of the network, and theset S of possible strategies contains all the possible protocolsthat the nodes might implement. When each player ichooses strategy si 2 S, the payoff function maps thestrategy profile s ¼ ðs1; . . . ; snÞ to fðsÞ ¼ ðf1ðsÞ; . . . ; fnðsÞÞ,where fiðsÞ is the payoff of player i. Note that the payoffof each player depends on the strategies chosen by all theplayers. A strategy profile s is a Nash equilibrium if no playercan do better by changing unilaterally his strategy. Formally,a strategy profile s is a Nash equilibrium if for all players iand for all strategy profiles s0 such that s0 and s differ onlyin position i, fiðs0Þ � fiðsÞ. When we say “protocol s� is aNash equilibrium,” what we formally mean is that strategyprofile ðs�; . . . ; s�Þ is a Nash equilibrium.

Since strategies (that is, protocols) are not limited inlength, set S contains an infinite number of elements. Tohandle the proof, we organize it in the following way:Assume that our goal is to prove that protocol � is a Nashequilibrium and that � consists of r steps. We partition theset S of strategies into disjoint subsets P1; . . . ;Prþ1, where Pjcontains all the protocols that are equal to � in the firstj� 1 steps and then start to deviate. Clearly, P1 [ � � � [ Prþ1

is equal to S and Prþ1 ¼ f�g. Fixed player i and step j, if forall strategy profiles s0 2 Pj such that s0 and ð�; . . . ; �Þ differonly in position i it holds fiðs0Þ � fið�Þ, then we say thatplayer i executes step j of protocol � truthfully. Indeed, in thiscase player i has no incentive to deviate at step j. Therefore,we will prove that protocol � is a Nash equilibrium byshowing that for all players i and for all j ¼ 1; . . . ; r, player iexecutes step j of protocol � truthfully. Note that, while ourprotocol do not use randomization, the user can switch torandomized protocol steps like “do C1 with probability p,otherwise doC2.” Therefore, also randomized deviations aretaken into account (deviate with probability p). In thedescription of the protocols and in the proofs, keep in mindthat deviations can be randomized and performed with someprobability.

Lastly, we define the payoff function. One of the drivingforces in the system is that every node has the ultimateinterest of being part of the system and to get a service ofgood quality. At the same time, every node is selfish andhas a rational tendency to save energy and memory. We canmeasure energy cost in joules and memory cost in bytesseconds (clearly, using one KByte of memory for one secondor for one year does not have the same cost). Therefore, wecan define f in a very general way as a function fðsÞ ¼ðf1ðsÞ; . . . ; fnðsÞÞ of the strategy profile such that for all ifiðsÞ is strictly positive and

1. fiðsÞ ¼ 0 if player i, as a consequence of strategyprofile s, has a nonnegligible probability, say atleast 50 percent, of not being able to send or receivemessages with the same performance of the originalprotocol.

2. otherwise, fiðsÞ is decreasing when either theexpected value of energy cost or the expected valueof memory cost required by the protocol increase.

Our goal is to show that, if � is G2G Epidemic Forwarding,then the resulting strategy profile ð�; . . . ; �Þ is a Nashequilibrium. That is, no node has an incentive to unilaterallydeviate from the protocol. The proof is quite technical andlong, we organize it into two lemmas. We will considerplayer i, and show that, if player i deviates by executing aprotocol �0 6¼ �, then fið�0Þ � fið�Þ, that is, player i does notdo better by deviating (either it is not able any more to sendand receive messages with the same performance or it usesmore energy or memory).

Lemma 1. A rational node will follow all the steps of the relayphase truthfully.

Proof. Assume that � is G2G Epidemic Forwarding.Strategy � is composed by eight steps—the five stepsin Fig. 1 and the three steps in Fig. 2. Assume thats ¼ ð�; . . . ; �Þ, �0 6¼ �, and strategy profile s0 is equal tos except in position i, where the entry is �0. This is theformal way to say that in strategy profile s0 player ihas unilaterally chosen to deviate from protocol � (ourG2G Epidemic Forwarding) to protocol �0. We showthat, if �0 2 P1 [ � � � [ P5, then fiðs0Þ � fiðsÞ (in otherwords, if a node deviates from the relay phase then itspayoff is reduced). Recall that Pj contains all theprotocols that are equal to � in the first j� 1 steps andthat deviate starting from step j. We organize the proofin cases, from �0 2 P1 to �0 2 P5. These cases collec-tively cover all possible ways to deviate from the relayphase.

Let �0 2 P1. That is, player i deviates from step 1 of therelay phase (see Fig. 1, where player i has the role ofnode A). If player i deviates when it is the source of themessage, then player i is not able to deliver its ownmessages any more. Therefore, payoff fiðs0Þ ¼ 0 � fiðsÞand we are done. On the other hand, if node A is anintermediate relay, node A has a nonnegligible prob-ability to meet the previous relay and that it will beasked to show two proofs or relay (later on, in ourexperimental results, we will see that the probability ofdetection is higher than 90 percent, therefore theprobability of meeting again the previous relay for atleast one message is also more than 90 percent) or toshow that he still has the message and perform thepuzzle P and thus consuming more energy, in expecta-tion. Note, however, that a strategy where A deliberatelychoses to not relay the message and keep it in memory atthe cost of having to compute the heavy puzzle each timeit meets the previous relay is perfectly legitimate.However, since the puzzle P is a cost-function [35],[36] computationally expensive to compute, the energyconsumed is higher than the energy saved by storing themessage without relaying it. Thus, we get fiðs0Þ � fiðsÞ.Even so, there might be rare cases in which A knowsbeforehand that, with high probability, it will not meetthe previous relay soon enough. Thus, A might chose tonot forward the message to B and keep it in his memory:The risk of having to compute the heavy puzzle is verylow, and A knows it, i.e., in these rare cases fiðs0Þ � fiðsÞ.However, as our experiments show, these events arevery rare in social mobile networks, in which most themeetings are typically between people that know each


other or have something in common to each other whichmakes them frequent the same places over and overagain (e.g., go to the same gym, take the same bus to goto work in the morning, etc.). Thus, this strategy adoptedby node A very rarely (only for previous relays which heknows he will not see soon), does not impact neither thedelivery ratio nor the other performance metrics of theG2G protocol.

We get again fiðs0Þ � fiðsÞ if the node simply dropsthe message an so it is not able to perform any of the twooperations, indeed it is discarded from the system andhis payoff drops to zero. Moreover, node A is interestedin getting rid of the message as soon as possible, since amessage typically uses much more memory than theproofs of relays and it does not want to be in the positionof performing the heavy puzzle P in step 2 of the testphase. Therefore, we have shown that, if �0 2 P1, thenfiðs0Þ � fiðsÞ. In other words, player i executes step 1 ofthe protocol truthfully.

Let �0 2 P2. That is, player i deviates from step 2 of therelay phase (see Fig. 1, where player i has the role ofnode B). Let’s consider node B in the relay phase. Oncenode B is asked to be a relay of a particular message m, itdoes not know who is the destination of m. If player ideviates from the protocol and declines to be a relay(either it does no respond or does not send RELAY_OK),it will never receive any message, since it will discoverboth message content and message destination only atstep 5. Consequently, fiðs0Þ ¼ 0.

The case �0 2 P3 can be dealt exactly as the case�0 2 P1, and the case �0 2 P4 as the case �0 2 P2.

Lastly, player i will execute step 5 truthfully. Let�0 2 P5. Indeed, the message sent in step 5 is very shortand, if the key is not sent, node B freezes the session withnode A until it gets the key. In case A deviates to aprotocol in which step 5 is not executed, it won’t be ableto send and to receive any message through node B and,after many frozen sessions, it won’t be able to send orreceive any message at all (or with a limited perfor-mance), in such a way to make fiðs0Þ drop to zero. tu

Let’s consider the test phase.

Lemma 2. A rational node will follow all the steps of the test

phase truthfully.

Proof. Again, assume that s ¼ ð�; . . . ; �Þ, �0 6¼ �, and

strategy profile s0 is equal to s except in position i,

where the entry is �0. Just like in Lemma 1, we show that

if �0 2 P6 [ � � � [ P8, then fiðs0Þ � fiðsÞ.Let �0 2 P6. That is, node A does not start the test

phase. If this is the case, then node B will never relaynode A’s messages and therefore the quality of serviceexperienced by A is reduced. That is, fiðs0Þ � fiðsÞ. Now,let �0 2 P7. That is, player i deviates from step 2 of thetest phase (see Fig. 1, where player i has the role of nodeB). Again, we can show that fiðs0Þ � fiðsÞ. Indeed, themessage sent in step 2 of the test phase is very short and,if the proof is not sent, node A freezes the session withnode B until it gets the proof. In case B deviates to aprotocol in which step 2 is not executed, it won’t be ableto send and to receive any message through node A in

such a way to make fiðs0Þ drop to zero. Finally, node Bwill not risk avoid computing the heavy puzzle and sendto A a fake value: If A still has the message or is thesender (who always keeps the message till it expires), Bwill get busted and reported by A, thus, thrown out ofthe system.

Lastly, we can see that node A will perform step 3 ofthe test phase (Fig. 1) truthfully. Indeed, if A does notstore the proof received from B into token TAB, then A isnot able to start a new relay phase with node B. tu

Note that it is not a rational strategy to shut off the radioevery time node B meets node A in such a way to avoid thetest phase. Indeed, in this case node B will not receive othermessages destined to itself that node A or other nodesmight have during that interval of time. Therefore, node Bwould experience a reduced quality of the service thatmakes its payoff drop. Moreover, note that session inter-ruption due to node mobility is not a problem for none ofthe phases of the protocol. Indeed, in such case the sessionwill resume from where it was interrupted as soon as thenodes get in touch again with each other.

To summarize, if a node deviates from G2G EpidemicForwarding (deterministically or following a probabilitydistribution) then its payoff is reduced. Since the detectionhappens right away (as we will see from our experiments),rational users will follow the protocol truthfully.

Theorem 1. G2G Epidemic Forwarding is a Nash equilibrium.

4.4 Coalitions

Consistent with a very large part of the literature, in thispaper we assume that nodes do not collude. This is acommon assumption, coordination has a cost and in manypractical settings people just do not trust each other enoughto form a coalition. However, if a few nodes have a strong willto cheat the system, they could deviate in a coordinatedmanner from our protocols and do better. While this attack isout of the scope of this paper, we would like to point out a fewcountermeasures that can be worked out to mitigate its effect.

Assume that a set C of nodes, the coalition, deviate to aprotocol in which the nodes mark in some secret way the bodyof messages coming from members of the coalition, exchangefake proofs of relay when handling messages outside of thecoalition, never execute the test-phase within the coalition,and drop messages that are not originated or destined tomembers of the coalition. Of course, they stick to the protocolwhen in session with users outside the coalition. To stop thisone and similar attacks, we can put in place two mechanism:Random checks of conformity and rewarding traitors.

Random checks of conformity. The sender of a message, withsmall probability p, sends the proof of relays got from firstrelayB on the paths toward destination to the authority. Theauthority, at a random time before the time-out, checkswhether node B has collected two proofs of relay or it is stillstoring the message. Then, the authority can follow themessage at the next relays and check whether the messagehas not disappeared. The sender has an interest to performthis check, and nodeB does not know if the previous relay isthe sender or not. This check can be very costly since theauthority uses the expensive cellular network infrastructure.


However, since the authority can impose a very stiff penalty,like the eviction from the system, this mechanism can be agood deterrent even with an extremely small probability p, insuch a way that the cost can be reasonably low.

Rewarding traitors. A simple observation is that anymember of the coalition can prove that another node is amember as well. Suppose that node A 2 C, without actuallyexchanging message, gets a fake proof of relay fromnode B 2 C. Now, node A has a proof that can nail nodeB. If node A gives away the fake proof of relay signed bynode B to the authority, then the authority can ask node Bfor a proof of storing the message (or two proofs of relays)and node B will not be able to respond. If the authorityrewards node A in such a way that the benefit of betrayingis larger than the benefit of being part of the coalition, thisattack can be prevented efficiently.

These mechanisms, among others, can be used to extendour protocols in such a way to mitigate the possible presenceof coalitions or to limit the possible harm they can make,including the protocols described in the next section.However, the full development of these mechanisms is outof the scope of this paper. Therefore, we stick to the classicalassumption that nodes do not collude and proceed withmore sophisticated, social-aware forwarding protocols.

5 GIVE2GET DELEGATION FORWARDING

Delegation Forwarding [4] is a class of protocols that havebeen shown to perform very well. In Delegation Forward-ing, every node is associated with a forwarding quality, thatmay depend on the destination of the message at stake.When a message is generated, it is associated with theforwarding quality of the sender. Then, the message isforwarded from node to node, creating a new replica of themessage at each step, according to the following protocol:When a relay node A gets in contact with a possible furtherrelay B, node A checks whether the forwarding quality of Bis higher than the forwarding quality of the message. If thisis the case, node A creates a replica of the message, labelsboth messages with the forwarding quality of node B, andforwards one of the two replicas to B. Otherwise, themessage is not forwarded.

Delegation Forwarding, in many of its flavors, has beenshown to reduce considerably the cost of forwarding (that is,the number of replicas), without reducing considerablysuccess rate and delay. However, just like EpidemicForwarding, it is far from being a Nash equilibrium. Aselfish node can easily send messages and receive messageswithout taking care of relaying any other message. It is alsoeasy to see that it is not enough to translate all the techniquesused in G2G Epidemic Forwarding in order to get a versionof Delegation Forwarding that is a Nash equilibrium.

Simply speaking, the techniques we developed to buildG2G Epidemic Forwarding can be used to stop messagedroppers in G2G Delegation Forwarding, but are not enoughto make it a Nash Equilibrium. Indeed, selfish nodes havemany other rational ways to deviate in these moresophisticated protocols. First, nodes can lie on their for-warding quality. They can claim that their quality is zero andget their messages served without participating actively. Wewill call these nodes liars. Not only that, selfish nodes can

change the forwarding quality of the message to zero, insuch a way to get rid of the message soon—they would beable to relay it to the first two nodes they meet. We will callthese nodes cheaters. Of course, cheaters are less vicious thanliars, in our setting. However, we will show how to build aversion of Delegation Forwarding that is a Nash equili-brium. Just like what we did with G2G Epidemic Forward-ing, our approach is not to add patches against liars andcheaters or incentives for altruistic nodes, our approach is todesign a protocol such that, step by step, it can formally beshown that every rational player in the protocol cannot butfollow the protocol truthfully. In this way, we protect oursystem against liars, cheaters, and any other possible way todeviate rationally.

Here, we consider Delegation Destination Frequency andDelegation Destination Last Contact (DDLC) [4].

Delegation Destination Frequency. Node A forwardsmessage m to node B if node B has contacted m0sdestination more frequently than any other node that thecopy of the message m carried by A has seen so far.

Delegation Destination Last Contact. Node A forwardsmessage m to node B if node B has contacted m0sdestination more recently than any other node that thecopy of the message m carried by A has seen so far.

In the above definitions the forwarding quality qAB is,respectively, the number of encounters between node A andnode B, and the time of the last encounter between node Aand node B. Since encounters are committed by both nodeswith a commonly agreed time, it is easy to see that qAB ¼qBA for every pair of nodes A and B.

G2G Delegation Forwarding builds upon all the techni-ques that we have developed for G2G Epidemic Forward-ing. First, in G2G Delegation Forwarding the quality of themessage is changed only when forwarded (we will see laterwhy). G2G Delegation Forwarding consists of four phases:Message generation, relay, test by the sender, and test bythe destination. Message generation is just like messagegeneration and in G2G Epidemic Forwarding. Thus, in thenext sections, we will describe only the phases that aresubstantially different from G2G Epidemic Forwarding. Asin G2G Epidemic, the relay and the test phases are based onthe idea of making nodes collect proofs of relay and tocheck relays about their behavior with the message. The testby destination phase is to protect the system againstcheaters: very low forwarding qualities declared by nodesare “embedded” in the message by the source, and, wheneventually the destination is reached, are double-checked(forwarding qualities are symmetric) by the destination. Inthe remaining, we give details on the phases.

5.1 G2G Delegation Forwarding: The Relay Phaseand the Test by the Destination Phase

Fig. 3 shows the protocol of the relay phase. Just like G2GEpidemic Forwarding, node A has an interest to start thisphase, since it has to collect the proof of relay for themessage. In step 1, node A asks B what is its forwardingquality to destination D (denoted by qBD). Note thatforwarding quality qBD must be provable. That is, it mustbe computed based on signed interactions. This is whynodes A and B exchange signed messages carrying qAB andqBA at every session. Note that, if qAB 6¼ qBA, then one of the


two players is cheating, and the loyal player can prove itbased on the quality exchanged in the previous session.Again, in the request node A includes a token that certifiesthat the last interaction has completed with the test phase.Node B replies with its forwarding quality (we will see laterwhy B has no interest in lying). When the destination of mis different from B, D0 is the actual destination D; when thedestination of m is B, D0 is chosen as a random nodedifferent from B. This mechanism has the goal of making itimpossible to B to know whether it is the destination of themessage or not before taking the message and giving theproof of relay. Therefore, just like in G2G EpidemicForwarding, node B will follow all the relay protocol withthe hope of being the actual destination of the message.Note that in G2G Delegation Forwarding the proof of relaycontains much more information, including the forwardingquality toward D claimed by node B and the forwardingquality of the message at that point in time.

Node A forwards the message to two other nodes. In thecase when node A is also the sender of the message, Astores the signed message hFQ RESP; B; D; qBDiB for thenodes B that failed to be good relays for the message, that isqBD < qm (recall that D ¼ D0 except the case in which B ismessage’s destination). As soon as node A finds a goodrelay, the last two signed qualities of such failed relays areembedded into the message toward D. If the destination Dreceives the message, it will be able to check if qBD is corrector not (this is the test by destination phase). Indeed, qBDshould be equal to qDB. Since nodes B and C do not knowwhether A is the sender or not, they will not lie about theirforwarding quality since there is a nonnegligible probabilityto be tested by the destination (in the experiments we willsee that this is exactly the case). When D detects that node Bis a liar, he sends the proof to the authority by using thecellular network infrastructure. Indeed, node D can provethat the correct quality is different based on the qualitysigned by node B himself during their last interaction. Theauthority does not need to contact node B and can proceedwith its revocation from the system.

In order to make this mechanism work, the forwardingquality qBD is not the current quality, it is the qualitycomputed in the last completed time frame. Every node keepsthree versions of the forwarding quality, the current and thetwo forwarding qualities computed in the previous twocompleted time frames. In this way, B and D have aconsistent notion of forwarding quality. Of course, the timeframe has to be set in such a way that, with high probability,the message delay falls within one of the last two completedtime frames, so that the destination has the necessaryinformation to detect liars. As a consequence of this set of

techniques, no relay will lie about their forwardingquality—we will see in the experiments that, in case ofdeviation, the probability of being removed from the systemis actually very high.

5.2 G2G Delegation Forwarding: The Test Phase

The test by the sender is executed by the relay node as inG2G Epidemic Forwarding. Assume that node B hasreceived the message from the node A. When B gets incontact with A again, node B is tested and, just like inG2G Epidemic Forwarding, it gives the two proofs fromrelays C1 and C2hPOR; HðmÞ; B; C1; D; q

1m; qC1DiC1

andhPOR; HðmÞ; B; C2; D; q

2m; qC2DiC2

to node S. In thisway, it is guaranteed that it is not rational to become amessage dropper. More than that, this phase is alsoimportant to check that B is not a cheater, that is it has notreduced the message quality qm to get rid of the messagequickly. Indeed, A can check whether

qBD ¼ q1m < qC1D ¼ q2

m < qC2D:

The second equality in this equation is true since the qualityof the messages is changed only when forwarded. Since weare sure that nodes do not lie, than we know that qBD, qC1D,and qC2D are sound. Therefore, also q1

m ¼ qBD and conse-quently node B has not selfishly modified the forwardingquality of the message to convince B to take it. Similarly, wealso know that q2

m ¼ qC1D and so node B has not cheatedwith node C2 as well. Note that it is not possible for B toforge fake proofs or fake forwarding quality declarations ofanother node C. Indeed, as in G2G Epidemic, proofs andforwarding qualities are signed.

Again (as in G2G Epidemic), node A will store the proofsreceived by node B as token TAB until expiration of time-out�. Lastly, if A does not start the test phase as required bythe protocol, node B will not relay any message whosedestination is node A until time-out � expires.

To summarize, by using the techniques developed forG2G Epidemic Forwarding and specific techniques for G2GDelegation Forwarding, we can get the following result:

Theorem 2 G2G Delegation Forwarding. is a Nashequilibrium.

6 EXPERIMENTS

6.1 Selfishness and Selfishness with Outsiders

In social environments, it is natural to consider twodifferent ways of being selfish. The first is just selfishness—nodes that can deviate from the protocol with the goal ofmaximizing their personal interest. The second is selfishnesswith outsiders—nodes that can deviate from the protocol fortheir personal interest only when this does not damagepeople from the same community. This notion is naturalsince it comes from our personal experience: Some peoplecan tend to be truthful with those they care about, andselfish with outsiders. Formally, it is just vanilla selfishnesswith a different objective function. However, it is useful todefine it as an independent notion. To implement self-ishness with outsiders, we use the k-clique algorithm [37](also used in [5]) for community detection on each datatrace. Nodes that are selfish with outsiders deviate fromthe protocol only in sessions with nodes from othercommunities.


Fig. 3. G2G Delegation Forwarding: Protocol of the relay phase.

6.2 The Data Set

For our experiments we have used three traces collectedduring experiments done with real devices carried by people.We will refer to these traces as Infocom 05, Infocom 06, andCambridge 06. Characteristics of these data sets such asintercontact and contact distribution have been observed inseveral previous works [1], [38], [2]. Cambridge 06 [39] is a dataset collected by distributing Intel iMotes to students ofCambridge University. The iMotes were programmed to logcontacts of all visible mobile devices and a number ofstationary nodes (that we do not use in this paper). Thenumber of nodes is 36. This data set covers 11 days. Infocom 05[40] is a data set collected during the Infocom 2005 studentworkshop. The number of devices is 41. This experimentcovers approximately three days. Infocom 06 [41] is similar toInfocom 05 except that the scale is larger, with 78 participantsfrom the Infocom 2006 conference. Further details on the realtraces we use in this paper are shown in Table 1.

6.3 Experiments on Detecting Deviations

Here, we study the impact of selfish behavior on EpidemicForwarding. Then, we turn to G2G Epidemic Forwarding andtest how good is our protocol in detecting possible deviations.

6.3.1 Impact of Selfish Behavior on Epidemic

Forwarding and Detection of Deviations in G2G

Epidemic Forwarding

For each trace and forwarding protocol we use the sameassumptions and the same way of generating traffic to berouted as in [4]: A set of messages is generated with sourcesand destinations chosen uniformly at random, and genera-tion times from a Poisson process averaging one messageevery 4 seconds. We isolated 3-hour periods for each datatrace. Each simulation runs therefore 3 hours. To avoid endeffects no messages were generated in the last hour of eachtrace. The nodes are assumed to have infinite buffers. Weset the message TTL value to be the smallest one thatmaximizes the success rate of Epidemic Forwarding in eachscenario, in the sense that the performance is the same as ifmessages never expire. These values are, respectively,30 minutes for the two Infocom scenarios and 35 minutesfor the Cambridge one.

Fig. 4 shows how the success rate1 of EpidemicForwarding is affected by the presence of messagedroppers. In our experiments these nodes drop messagesright after the end of the relay phase (see Fig. 1). As you cansee, the performance of the protocol drops to around50 percent, which is unacceptably low. Basically, when allthe nodes are droppers, the only hope for success is that thesender gets personally in contact with the destination. It is

not much different when we consider selfishness withoutsiders (i.e., nodes who drop messages right after the endof the relay phase with an outsider). In the experiments wehave used the same notion of community as in [5].

Next, we focus on the detection of message droppers. Aswe already mentioned, � denotes the time interval withinwhich messages, proofs of relay, tokens (and everythingelse that G2G Epidemic requires) is kept in the memory ofrelay nodes. After this time interval nodes can safelydiscard everything related to the message. Thus, in order toget best delivery rate, � is bounded from below by theoptimal TTL. On the other side, � has to be large enough toallow droppers to be detected. Our experiments show that itis already safe to set � ¼ TTL in every scenario.

According to our experiments, shown in Table 2,detection probability is more than 94 percent in the selfishcase and more than 91 percent in the selfish with outsiderscase. Deviations are detected very quickly (on the order ofminutes) and the time does not depend on the number ofthe nodes that deviate (see Fig. 5). So, we can safely say thatour assumption, that nodes are tested with nonnegligibleprobability, is sound. For more details on the rate and timeof detection see Table 2.


TABLE 1The Three Experimental Data Sets

Fig. 4. Effect of message droppers on Epidemic Forwarding.

1. The success rate is under 100 percent when the number ofmisbehaviors is 0 because of the intermittent connectivity in the network.

6.3.2 Detection of Deviations in G2G Delegation

Forwarding

Here, we consider message droppers, liars, and cheaters.Note that it is not rational to be a cheater in DelegationForwarding—if a node labels a message with forwardingquality zero, then it will have to relay it with higherprobability, doing more work. It is different in G2GDelegation Forwarding, where cheaters can find two relaysmuch more quickly, discard the message, and save storagespace. Recall that no deviation is rational in G2G Delega-tion Forwarding—it is a Nash equilibrium—and theseexperiments on detection are important just to make surethat our assumption that every node has a nonnegligibleprobability of being tested during the test phase is sound.Here, we present the results for Delegation DestinationLast Contact. Delegation Destination Frequency, as far asdetection of deviations is concerned, behaves in a verysimilar way. In all our experiments we set � to be50 minutes in the Infocom scenarios and 80 minutes in theCambridge scenario. In the experiments, droppers areagain those who drop the message immediately, liars arethose who always report a node forwarding quality equalto 0, while cheaters are those who bring down the qualityof the message to be relayed (in order to get rid of it assoon as possible). We ran a set of experiments onDelegation Forwarding. Figs. 6 and 7 show the results,that clearly indicate that both droppers and liars have a bigimpact on the success rate, both in the case of selfishnessand in the case of selfishness with outsiders. Then, wehave run experiments to see how reliably these deviationsare detected by the protocols in all the three traces,Infocom 05, Infocom 06, and Cambridge 06. According toour results, droppers and liars are detected with aprobability that exceeds 80 percent, whereas cheaters aredetected with a probability that exceeds 60 percent in allscenarios. The detection rate remains high even in the caseof selfishness with outsiders. Table 3 shows all the results.Note that the detection probabilities are a bit lower for theCambridge 06 scenario, which is in accordance with itslower contact frequency with respect to the Infocomscenarios (see Table 1). In all cases, this is enough to saythat the probability of being detected is not negligible.

Then, our question is how fast is the detection. In Fig. 8we can see that in all scenarios droppers are detected soonerthan liars that are detected sooner than cheaters and that thespeed of detection does not depend on the number ofdeviating nodes. Moreover, detailed experimental resultsshown in Table 3 indicate that nodes cannot hope to deviateand remain in the system for long time. G2G DelegationForwarding is clearly very fast in the detection in allscenarios. Note that these experiments are just to prove thatthe probability of detection is very high in our system.

Therefore, our mathematical assumptions are realistic andthe threat of being removed from the system is actually adeterrent. As a consequence, no node deviate and there isno need for the authority to revoke (by using, e.g., GSM)any node. This is why the cellular infrastructure is notconsidered in our experiments.

6.4 Experiments on the Performance: Number ofReplicas and Delay

Initially, our goal was to show that adding all the mechanismsneeded to make the protocols Nash equilibria does not reducethe success rate and the delay, and does not increase the cost in


Fig. 5. Dependence of droppers detection time by the number ofdroppers in G2G Epidemic Forwarding. Detection time (in minutes) ismeasured starting from the moment in which a given dropper discardsthe message.

TABLE 2Performance of G2G Epidemic on the Real Traces

Detection time (in minutes) is measured starting from the moment in which a given dropper discards the message.

terms of number of replicas. During the protocols design, werealized that the mechanism used to reduce the number ofrelays to two, besides being fundamental to show that theprotocol is a Nash equilibrium, has the interesting propertythat the message more cheaply flows far from the communitythat generated it. Cheaply in the sense that fewer replicasneed to be generated to reach destinations that are far fromthe sender in terms of community. Fig. 9 summarizes a longset of experiments on success rate, delay, and cost. Indeed, theresults might seem surprising—G2G Epidemic Forwardingis much better than Epidemic Forwarding in terms of cost (the

improvement is around 20 percent), and G2G Delegation

Forwarding is considerably better than Delegation Forward-

ing, again in terms of cost, while the performance in terms of

delay and success rate very close to the original, more

expensive, protocols. Note that the experimental setting that

we have chosen is considered to be standard in the literature.

6.5 Experiments on the Performance: Storage andCommunication Overhead

Another natural question is whether the storage overhead

of G2G protocols is high. Indeed, G2G protocols introduce


Fig. 7. Effect of message liars on Delegation Forwarding.

TABLE 3Performance of G2G Delegation on the Real Traces

Detection time (in minutes) is measured starting from the moment in which a given dropper discards the message.

Fig. 6. Effect of message droppers on Delegation Forwarding.

PORs to be stored with the messages. For this reason, we

perform a detailed analysis of the memory required by each

of the protocols. Clearly, we also include the overhead due

to the G2G mechanisms. To the best of our knowledge, thisis the first such analysis in the literature for Pocket SwitchedNetworks.

The overhead depends on the size of the messages in thesystem. In our study, we consider two types of messages:Short messages (SMS or Tweets) and long messages (MMS).We assume that each message is composed by the header andthe message body, and that the header is 32 bytes long. Weassume that short messages have a body of 140 bytes. (This isactually the length of a regular SMS, 160 ASCII charactersencoded into 140 bytes, 7 bits per character; while tweetshave a limit of 140 UTF-8 characters, which is again140 bytes.) Long messages have a body of 600 kbyte. (Thelength of a standard MMS according to AT&T.) We use SHA-256 as the hash function, therefore hashes are 32 bytes long.Signatures are computed by using elliptic curve cryptogra-phy [33], therefore signatures are 320 bits long. The metric weuse for storage is kilobyte hour (kBh). If you take EpidemicForwarding, the analysis is easy. When a message is receivedby a relay node, the message is stored until the TTL lapses. Inthe case of long messages in a scenario like Infocom 06, wherethe TTL is 30 min, the cost incurred by the node to store themessage body is 600 kbyte times 30 min, that is 300 kBh. Thismetric is intuitive, it is clearly cheaper to store one MMS for aminute versus storing the same MMS for a hour.

The analysis for G2G protocols is more complicated. Take,

as an example, G2G Epidemic Forwarding. When a message

is received by a relay node, the storage used is just the

message—header and body. When the first relay is found,

the node has to store a POR along with the message. When

the second relay is found, the node has to store a second

POR, but it can discard the message. The PORs can be

discarded when the node is tested by the previous relay, but

a token must be stored by the tester according to the protocol.

The size of the POR depends on the protocol: In G2G

Epidemic Forwarding, we can see from Fig. 1 that a POR is

composed by the hash of the message and by the IDs of the

two relays, together with a signature. In G2G Delegation

Forwarding the POR is somewhat longer, since it stores other

information as described in Fig. 3.We have performed a complete analysis of the storage

requirement of all the protocols discussed in this paper by


Fig. 8. Dependence of detection time from the number of selfishindividuals in G2G Delegation Forwarding. Detection time (in minutes) ismeasured starting from the moment in which a given dropper discardsthe message.

Fig. 9. Performance of G2G Epidemic Forwarding and G2G Delegation Forwarding compared with Epidemic Forwarding and Delegation Forwarding.

using the same traces we have used for the other experi-ments. The results are shown in Figs. 10a and 10b for shortmessages and the long messages, respectively. Quitesurprisingly, the memory occupation of the G2G protocols,even including the overhead induced by the PORs that wehave used to make them Nash Equilibria, is almost alwayssmaller than their vanilla alter egos. If we consider shortmessages, only in the specific scenario of Infocom 06 andprotocol DDLC the overhead is about 10 percent; in all theother cases the storage overhead of G2G mechanisms rangesfrom -5 to -32 percent (that is, G2G mechanisms actuallyreduce storage requirements!). If we consider long messages,in Infocom 06 and DDLS the overhead of G2G mechanisms isabout -17 percent, while in all other cases it ranges from -37to -55 percent. The reason is that in G2G protocols the nodes,to optimize their own payoff function, discard the messageas soon as the first two relays are found. This is more thanenough to balance the overhead due to storing proofs ofrelays and other additional information.

Lastly, since the G2G mechanisms makes nodes ex-change more information (e.g., proofs of relay), one mightthink that they incur high-communication overhead.However, the execution of a Relay+Test phase induces arelatively small (422 Bytes for G2G Delegation and386 Bytes for G2G Epidemic) overhead per message,independent from the message payload. Moreover, sinceG2G mechanisms reduce the number of replicas distrib-uted in the network, the actual communication overheadis low. In Table 4 we show the average (per message)information incurred to be exchanged in the networkduring forwarding. We can see that, when short messageslike SMS are taken into consideration, the overhead ofG2G protocols is actually reasonably low compared totheir vanilla alter egos. While for longer messages likeMMS, G2G protocols have actually a smaller overhead totheir vanilla alter egos due to the reduced number ofreplicas. Because of space limitations we only show resultswith the Infocom 05 scenario. However, the otherscenarios present similar results.

7 CONCLUSIONS

In this paper, we have presented G2G Epidemic Forward-

ing and G2G Delegation Forwarding, the first protocols for

message forwarding that work under the assumption that

all the nodes in the network are selfish. We formally show

that the G2G protocols are Nash equilibria. Quite surpris-

ingly, G2G protocols also outperforms their alter egos in

terms of cost, while being almost as good in terms of

success rate and delay.

ACKNOWLEDGMENTS

A. Mei is supported by a Marie Curie Outgoing Interna-

tional Fellowship funded by the European Union Seventh

Framework Program (FP7/2007-2013) under grant agree-

ment n. 253461.

REFERENCES

[1] P. Hui, A. Chaintreau, J. Scott, R. Gass, J. Crowcroft, and C. Diot,“Pocket Switched Networks and Human Mobility in ConferenceEnvironments,” Proc. ACM SIGCOMM Workshop Delay-TolerantNetworking (WDTN ’05), 2005.

[2] A. Chaintreau, P. Hui, J. Crowcroft, C. Diot, R. Gass, and J. Scott,“Impact of Human Mobility on the Design of OpportunisticForwarding Algorithms,” Proc. IEEE INFOCOM ’06, 2006.

[3] A. Vahdat and D. Becker, “Epidemic Routing for PartiallyConnected Ad Hoc Networks,” Technical Report CS-200006, DukeUniv., 2000.

[4] V. Erramilli, M. Crovella, A. Chaintreau, and C. Diot, “DelegationForwarding,” Proc. ACM MobiHoc ’08, 2008.

[5] P. Hui, J. Crowcroft, and E. Yoneki, “Bubble Rap: Social-BasedForwarding in Delay Tolerant Networks,” Proc. ACM MobiHoc ’08,2008.

[6] E.M. Daly and M. Haahr, “Social Network Analysis for Routing inDisconnected Delay-Tolerant Manets,” Proc. ACM MobiHoc ’07,2007.

[7] F. Li and J. Wu, “LocalCom: A Community-Based EpidemicForwarding Scheme in Disruption-Tolerant Networks,” Proc. IEEECS Sixth Ann. Conf. Sensor, Mesh and Ad Hoc Comm. and Networks(SECON ’09), 2009.

[8] W. Gao, Q. Li, B. Zhao, and G. Cao, “Multicasting in DelayTolerant Networks: A Social Network Perspective,” Proc. ACMMobiHoc ’09, 2009.

[9] A. Mei, G. Morabito, P. Santi, and J. Stefa, “Social-awareStateless Forwarding in Pocket Switched Networks,” Proc. IEEEINFOCOM ’11, 2011.

[10] A.S. Aiyer, L. Alvisi, A. Clement, M. Dahlin, J.-P. Martin, and C.Porth, “Bar Fault Tolerance for Cooperative Services,” Proc. 20thACM Symp. Operating Systems Principles (SOSP ’05), 2005.

[11] H.C. Li, A. Clement, E.L. Wong, J. Napper, I. Roy, L. Alvisi, andM. Dahlin, “Bar Gossip,” Proc. Seventh Symp. Operating SystemsDesign and Implementation (OSDI ’06), 2006.


Fig. 10. In the figure “D.D.Last C.” refers to Delegation Destination Last Contact and “D.D.Freq” to Delegation Destination Frequency. The G2Gprefix indicates the respective Give to Get version of each protocol.

TABLE 4Average Information Transmitted per Message in the Network

[12] S. Marti, T. Giuli, K. Lai, and M. Baker, “Mitigating RoutingMisbehavior in Mobile Ad Hoc Networks,” Proc. MobiCom ’00,2000.

[13] S. Buchegger and J.-Y.L. Boudec, “Performance Analysis of theCONFIDANT Protocol: Cooperation Of Nodes Fairness inDynamic Ad-Hoc NeTworks,” Proc. IEEE/ACM MobiHoc ’02, June2002.

[14] K. Balakrishnan, J. Deng, and V. Varshney, “Twoack: PreventingSelfishness in Mobile Ad Hoc Networks,” Proc. IEEE WirelessComm. and Networking Conf., vol. 4, Mar. 2005.

[15] P. Michiardi and R. Molva, “Core: A Collaborative ReputationMechanism to Enforce Node Cooperation in Mobile Ad HocNetworks,” Proc. IFIP TC6/TC11 Sixth Joint Working Conf. Comm.and Multimedia Security, 2002.

[16] L. Buttyan and J.-P. Hubaux, “Enforcing Service Availability inMobile Ad-Hoc Wans,” Proc. ACM MobiHoc ’00, 2000.

[17] J.-P. Hubaux, T. Gross, J.-Y. LeBoudec, and M. Vetterli, “TowardsSelf-Organized Mobile Ad Hoc Networks: The TerminodesProject,” IEEE Comm. Magazine, vol. 39, no. 1, pp. 118-124, Jan.2001.

[18] M. Jakobsson, J.-P. Hubaux, and L. Buttyan, “A Micro-PaymentScheme Encouraging Collaboration in Multi-Hop Cellular Net-works,” Proc. Int’l Conf. Financial Cryptography ’03, Jan. 2003.

[19] M. Onen, A. Shikfa, and R. Molva, “Optimistic Fair Exchange forSecure Forwarding,” Proc. Fourth Ann. Int’l Conf. Mobile andUbiquitous Systems: Networking & Services (MobiQuitous ’07), 2007.

[20] H. Miranda and L. Rodrigues, “Preventing Selfishness in OpenMobile Ad Hoc Networks,” Proc. Seventh CaberNet RadicalsWorkshop, Oct. 2002.

[21] L. Buttyan, L. Dora, M. Felegyhazi, and I. Vajda, “Barter TradeImproves Message Delivery in Opportunistic Networks,” Ad HocNetworks, vol. 8, no. 1, pp. 1-14, 2010.

[22] “SUMO-Simulation of Urban Mobility,” http://sumo.sourceforge.net/, 2012.

[23] C. Song and Q. Zhang, “Coffee: A Context-free Protocol forStimulating Data Forwarding in Wireless Ad Hoc Networks,”Proc. IEEE CS Sixth Ann. Conf. Sensor, Mesh and Ad Hoc Comm. andNetworks (SECON ’09), 2009.

[24] A. Panagakis, A. Vaios, and I. Stavrakakis, “On the Effects ofCooperation in DTNs,” Proc. Second Int’l Conf. Comm. SystemsSoftware and Middleware (COMSWARE ’07), pp. 1-6, 2007.

[25] G. Resta and P. Santi, “The Effects of Node Cooperation Level onRouting Performance in Delay Tolerant Networks” Proc. IEEE CSSixth Ann. Conf. Sensor, Mesh and Ad Hoc Comm. and Networks(SECON ’09), 2009.

[26] T. Spyropoulos, K. Psounis, and C.S. Raghavendra, “Spray andWait: An Efficient Routing Scheme for Intermittently ConnectedMobile Networks,” Proc. ACM SIGCOMM Workshops, Aug. 2005.

[27] M. Grossglauser and D. Tse, “Mobility Increases the Capacityof Ad Hoc Wireless Networks,” IEEE/ACM Trans. Networking,vol. 10, no. 4, pp. 477-486, Aug. 2002.

[28] Q. Li, S. Zhu, and G. Cao, “Routing in Socially Selfish DelayTolerant Networks,” Proc. IEEE INFOCOM ’10, 2010.

[29] P. Hui, K. Xu, V. Li, J. Crowcroft, V. Latora, and P. Lio,“Selfishness, Altruism and Message Spreading in Mobile SocialNetworks,” Proc. First IEEE Int’l Workshop Network Science forComm. Networks (NetSciCom ’09), Apr. 2009.

[30] D. Mills, “Internet Time Synchronization: The Network TimeProtocol,” IEEE Trans. Comm., vol. 39, no. 10, pp. 1482-1493, Oct.1991.

[31] B. Lampson, M. Abadi, M. Burrows, and E. Wobber, “Authentica-tion in Distributed Systems: Theory and Practice,” ACM Trans.Computers Systems, vol. 10, pp. 265-310, 1992.

[32] E. Frank and M. Buer, “Key Revocation in a Mobile Device,” USPatent Number 7860486, 2010.

[33] A. Liu and P. Ning, “Tinyecc: A Configurable Library for EllipticCurve Cryptography in Wireless Sensor Networks,” Proc. Int’lConf. Information Processing in Sensor Networks (IPSN ’08), 2008.

[34] A. Shamir, “Identity-Based Cryptosystems and SignatureSchemes,” Proc. CRYPTO ’84 Advances in Cryptology, pp. 47-53,1984.

[35] A. Back, “Hashcash—A Denial of Service Counter-measure,”Whitepaper, technical report, 2002.

[36] R. Rivest, A. Shamir, and D. Wagner, “Time-Lock Puzzles andTimed-Release Crypto,” technical report, Cambridge, MA, 1996.

[37] G. Palla, I. Derenyi, I. Farkas, and T. Vicsek, “Uncovering theOverlapping Community Structure of Complex Networks inNature and Society,” Nature, vol. 435, no. 7043, pp. 814-818, 2005.

[38] J. Leguay, A. Lindgren, J. Scott, T. Friedman, and J. Crowcroft,“Opportunistic Content Distribution in an Urban Setting,” Proc.SIGCOMM Workshop Challenged Networks (CHANTS ’06), 2006.

[39] J. Leguay, A. Lindgren, J. Scott, T. Riedman, J. Crowcroft, and P.Hui, “CRAWDAD Trace upmc/content/imote/cambridge(v. 2006-11-17),” Downloaded from http://crawdad.cs.dartmouth.edu/upmc/content/imote/cambridge, 2006.

[40] J. Scott, R. Gass, J. Crowcroft, P. Hui, C. Diot, and A. Chaintreau,“CRAWDAD Trace Cambridge/haggle/imote/infocom (v. 2006-01-31),” Downloaded from http://crawdad.cs.dartmouth.edu/cambridge/haggle/imote/infocom, Jan. 2006.

[41] J. Scott, R. Gass, J. Crowcroft, P. Hui, C. Diot, and A. Chaintreau,“CRAWDAD Trace Cambridge/haggle/imote (v. 2009-05-29),”Downloaded from http://crawdad.cs.dartmouth.edu/cambridge/haggle/imote, 2009.

Alessandro Mei received the laurea degree incomputer science summa cum laude from theUniversity of Pisa, Italy, in 1994. He continuedworking toward the PhD degree at the Depart-ment of Mathematics of the University of Trento,Italy, and as a visiting scholar at the Departmentof EE-Systems of the University of SouthernCalifornia during 1998 and part of 1999. Hereceived the PhD degree in mathematics at theUniversity of Trento in 1999. After a postdoctor-

al position at the University of Trento, in 2001 he joined the faculty ofthe Computer Science, Department at Sapienza, University of Rome,Italy. His main research interests include computer system security andparallel, distributed, and networked systems. He was presented with theBest Paper Award of the 16th IEEE International Parallel andDistributed Processing Symposium in 2002, the EE-Systems Out-standing Research Paper Award of the University of Southern Californiafor 2000, and the Outstanding Paper Award of the Fifth IEEE/ACMInternational Conference High Performance Computing in 1998. He is amember of the ACM and the IEEE, a past associate editor of the IEEETransactions on Computers (2005-2009), and the general chair of IEEEIPDPS 2009, Rome, Italy. During 2010-2011 he was on leave at theCSE Department, University of California at San Diego, supported by aMarie Curie fellowship.

Julinda Stefa received the Laurea degree incomputer science, summa cum laude, and thePhD degree in computer science from Sapien-za University of Rome, respectively, in July2006 and February 2010. She is a postdoc atthe Computer Science Department of SapienzaUniversity of Rome, Italy. In 2005 she joinedGoogle Zurich for three months as an en-gineering intern. She was a visiting scholar atthe CS Department of UNC-Chapel Hill, North

Carolina, from November 2008 to April 2009, and a Research Intern atMicrosoft Research, Cambridge, United Kingdom, from January toApril in 2011. Her research interests include computer systems andnetwork security, parallel and distributed systems, and analysis andmodeling of social mobile wireless networks. She has published insome of the topmost Conferences and journals like IEEE INFOCOM,ACM MobiHoc, IEEE ICDCS, and IEEE Transaction on Computers,and is involved as reviewer and in technical program committees ofseveral Conferences and workshops in the field. She is winner of aresearch grant from Working Capital PNI and offered by Telecom Italia(30 winners out of 2,138).

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


Documents

IEEE TRANSACTIONS ON DEPENDABLE AND SECURE …stefa/webpage/Publications_files/mei-jour… · selfishness—nodes that are selfish with outsiders and faithful with people from the