morality-driven data forwarding with privacy preservation

IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 61, NO. 7, SEPTEMBER 2012 3209

Morality-Driven Data Forwarding With PrivacyPreservation in Mobile Social Networks

Xiaohui Liang, Student Member, IEEE, Xu Li, Tom H. Luan, Rongxing Lu, Member, IEEE,Xiaodong Lin, Senior Member, IEEE, and Xuemin Shen, Fellow, IEEE

Abstract—Effective data forwarding is critical for most mobilesocial network (MSN) applications such as content distributionand information searching. However, it could severely be inter-rupted or even disabled when the privacy preservation of usersis applied, because users become unrecognizable to each other,and the social ties and interactions are no longer traceable tofacilitate cooperative data forwarding. Therefore, how we canenable efficient user cooperation in MSNs without intruding onuser privacy is a challenging issue. In this paper, we addressthis issue by introducing social morality, which is a fundamentalsocial feature of human society, to MSNs and accordingly design athree-step protocol suite to achieve both privacy preservation andcooperative data forwarding. First, the developed protocol adoptsa novel privacy-preserving route-based authentication scheme thatnotifies a user’s anonymized mobility information to the public.Second, it measures the proximity of the user’s mobility informa-tion to a specific packet’s destination and evaluates the user’s for-warding capacity for the packet. Third, using a game-theoreticalapproach, it determines the optimal data-forwarding strategyaccording to users’ morality level and payoff. Using analysis andexamples, we show that the developed protocol suite can effectivelyprotect user personal information such as identity and visited loca-tions. Last, we conduct extensive trace-based simulations and showthat the proposed protocol suite is effective for efficiently exploringthe user cooperation and attain near-optimal performance in dataforwarding.

Index Terms—Data forwarding, game theory, mobile socialnetworks (MSNs), privacy preservation, social theory.

I. INTRODUCTION

MOBILE SOCIAL NETWORKS (MSNs) are emerg-ing social networking platforms over which partici-

pants can communicate with each other using Bluetooth orpeer-to-peer wireless fidelity (Wi-Fi)-enabled handheld devices[1]–[5]. With MSNs, proximity services can be supportedto strengthen the social interactions of geographically closeusers. For example, by probing other mobile phones in prox-

Manuscript received January 6, 2012; revised April 12, 2012; acceptedMay 7, 2012. Date of publication June 8, 2012; date of current versionSeptember 11, 2012. The review of this paper was coordinated by Prof. Y. Qian.

X. Liang, T. H. Luan, R. Lu, and X. Shen are with the Departmentof Electrical and Computer Engineering, University of Waterloo, Waterloo,ON N2L 3G1, Canada (e-mail: [email protected]; [email protected]; [email protected]; [email protected]).

X. Li is with the Institut National de Recherche en Informatique et enAutomatique (Inria) Lille–Nord Europe, 59650 Villeneuve d’Ascq, France(e-mail: [email protected]).

X. Lin is with the Faculty of Business and Information Technology, Instituteof Technology, University of Ontario Oshawa, ON L1H 7K4, Canada (e-mail:[email protected]).

Color versions of one or more of the figures in this paper are available onlineat http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TVT.2012.2202932

imity through Bluetooth communication, PeopleNet [6] en-ables the human-like information search among mobile phones.Software [7] facilitates the carpool and ride sharing in prox-imity based on message relay among mobile social users. Amicroblog system [8] is built on MSNs to enable users to locallyrecord multimedia blogs on the fly, enriched with input fromother physical sensors. In general, MSNs rely on the oppor-tunistic contacts among users for cooperative data forwarding,and they are alternatively known as pocket switched networks.Unlike conventional wireless relay networks that assume end-device to be insensate, MSNs consider mobile devices to bepertained with human users and have specific social features.As such, MSN applications place great emphasis on user socialbehavior such as selfishness and social proximity and explorethe social features of devices for efficient data-forwardingprotocol design.

In MSNs, allowing the exchange of personal information tosome extent is inevitable to enable social-related cooperativecommunication. This, however, should strictly be controlled atthe prerequisite of effective user privacy preservation. Of all theuser privacy requirements, identity privacy and location privacy[9] are of paramount importance. In particular, identity privacydictates that the identities of users as source, relay, or destina-tion in cooperative data forwarding are not disclosed. Locationprivacy implies that a user’s future mobility route cannot bepredicted or inferred from its current and past route informa-tion. In other words, the exposed location information of a usershould not be linkable to its future location. The state-of-the-artprivacy-preserving techniques in MSNs include the multiple-pseudonym technique [10], [11] and the hotspot technique [12].The former approach assigns each user with a set of asymmet-ric key pairs and uses the alternatively changing public keysas the user’s pseudonyms for data communication. The useridentity can be protected, because only literally meaninglesspseudonyms are exposed to the public. By frequently changingits pseudonym for authentication over time, the user achieveslocation privacy due to the unlinkability of old and newpseudonyms. As a result, the multiple-pseudonym technique canguarantee both identity privacy and location privacy by makingthe social interactions of users anonymous. The hotspot tech-nique guarantees the receiver location privacy while achievingefficient data forwarding. In particular, it defines some hotspotsthat are common and with high population and then makesuse of these hotspot information to assist the data forwardingwithout revealing sensitive locations of receivers.

In this paper, we address a fundamental tradeoff betweenprivacy preservation and data-forwarding efficiency in MSNs.

0018-9545/$31.00 © 2012 IEEE

3210 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 61, NO. 7, SEPTEMBER 2012

In particular, with the multiple-pseudonym technique appliedfor privacy preservation, an unpleasant accompanying sideeffect is that users are unable to identify their social friendsbecause of the anonymity of users. This condition directlyimpedes the cooperative data forwarding. Because users areanonymous, malicious behaviors (e.g., selfish and free-riding)can no longer be tracked and punished on time using tradi-tional mechanisms. This case may discourage user cooperationand deteriorate data-forwarding efficiency. Therefore, privacypreservation protects and hides the identities of users to thepublic, which, however, hinders the social-based cooperativedata forwarding. Our goal is to resolve the two conflictinggoals in one framework by proposing a privacy-preservingsocial-based cooperative data-forwarding protocol. We exploitsocial morality for the cooperative data-forwarding design. Inparticular, the morality of human beings is a common socialphenomenon in the real world, which provides the rules forpeople to act upon and grounds the moral imperatives. It is thefundament of a cooperative and mutually beneficial social lifein the real-world society. Our main contributions are threefold.

First, we identify the conflicting nature between privacypreservation and cooperative data forwarding in MSNs. Onaddressing this issue, we are the first to leverage social moralityto incentivize the user cooperation and accordingly promotecommunication efficiency.

Second, we propose a three-step protocol suite to attainprivacy-preserving data forwarding. First, we introduce aprivacy-preserving route-based authentication scheme. It en-ables users to expose the mobility information to each otherfor cooperation, yet with location privacy preserving. Based onthe mobility of users, we evaluate the forwarding capabilityof individual users on a given packet. Last, a game-theoreticapproach that takes into account both morality and forwardingcapability is designed to adaptively determine the optimal data-forwarding strategy for individual users. The final optimalsolution of the protocol suite stands for a balance of moral peaceand benefit maximization for all users.

Third, we evaluate the performance of the proposed proto-cols through extensive trace-based simulations. Our simulationsvalidate the efficiency of the proposed data-forwarding protocolwith location privacy preservation.

The remainder of this paper is organized as follows. We intro-duce some related works in Section II. We describe the systemmodel and provide an overview of the three-step protocol suitein Section III. We present a privacy-preserving route-based au-thentication scheme and proximity measurement as the first twosteps in Section IV and use game-theoretic analysis to derivethe optimal forwarding strategies for users as the third step inSection V. We conduct trace-based simulations to evaluate theperformance of the proposed protocol in Section VI. Finally, wedraw our conclusions in Section VII.

II. RELATED WORK

A. Data-Forwarding Protocol

Data-forwarding protocols have extensively been investi-gated in delay-tolerant networks. Due to the sparse and dynamic

nature of delay-tolerant networks, user-to-user data forwardingoften relies on the mobility and random contacts of users.For example, Lindgren et al. [13] evaluated the forwardingcapability of a user by the historic contact information. Un-der a similar framework, [14]–[18] used social metrics thatwere calculated from the contact information to evaluate theforwarding capability of a user. Hui et al. [16] demonstratedthat community and centrality social metrics can effectively beused in a data-forwarding protocol. Li et al. [17] introduced thesocial-selfish effect into user behavior, i.e., a user gives prefer-ence to packets that are received from other users with strongersocial relations. Yuan et al. [18] proposed a data-forwardingprotocol that enables two users to share their historical mobilityinformation. Based on the opponent’s past mobility informa-tion, a user can predict the future location that the opponentwill visit.

Although they significantly improve the data-forwarding ef-fectiveness, most contact-based data-forwarding protocols re-quire a contact calculation phase in which each user must havea unique identity and reveal it to others. In this phase, userbehaviors are very easy to be linked together, and user’s iden-tity privacy and location privacy are completely compromised.In the contact-based data-forwarding protocol, a sender mustexchange the contact and unique identity with a relay user. In[13], [14], and [17], to improve the forwarding effectiveness,a sender can evaluate the forwarding capability of a relay userbased on both the relay user’s contact probability and forward-ing willingness. However, the required contact probability andunique identity information are privacy sensitive to the relayuser and not available in a privacy-preserving environment.The conventional contact-based data-forwarding protocols donot provide effective privacy preservation and can hardly beaccepted by the privacy-aware mobile users. In this paper, weaim to solve the privacy preservation and security issues ofcooperative data forwarding in MSNs.

Recently, a rich body of literature [19]–[24] has addressedthe cooperation stimulation issue from a game-theoretic per-spective. Yu and Liu [19] proposed a game-based approach tostimulate cooperation in mobile ad hoc networks, where twoparticipating users set a threshold on the number of forwardedpackets in each forwarding round, and they alternatively for-ward each other’s packets. The setting of the threshold canstimulate cooperation and also limit the possible damage causedby the opponent’s defection. If the opponent defects, a userimmediately terminates the interaction, and his/her maximumdamage is bounded by the threshold setting in the previousround. Li and Shen [24] proposed an integrated system overan individual reputation system and a price-based system thatdemonstrates superiority in terms of the effectiveness of coop-eration incentives and selfish node detection. However, theirworks do not address user privacy and are not applicable inprivacy-sensitive MSNs.

B. Privacy Preserving and Social Perspective

The studies in MSNs mainly focus on exploring the humanfactors and behaviors for communication in a distributed and

LIANG et al.: MORALITY-DRIVEN DATA FORWARDING WITH PRIVACY PRESERVATION IN MSNS 3211

autonomous environment. Privacy preservation as a fundamen-tal user requirement is, however, neglected in previous research.Recent proposals [25] indicated that one or few snapshots of auser’s location over time might assist an adversary to identifythe user’s trace, and an effective attack was presented to identifyvictims with high probability. As a defense technique, themultiple-pseudonym technique, which provides both identityand location privacy, is widely applied in the literature [9], [10],[26]. Freudiger et al. [10] developed a user-centric locationprivacy model to measure the evolution of location privacy overtime, and they derive the equilibrium strategies on changingpseudonyms for each user from the game-theoretic perspective.With the multiple-pseudonym technique applied, conventionalcooperation stimulation mechanisms without privacy preserva-tion [19], [27]–[29] are no longer applicable in the consideredenvironment.

This paper is inspired by the extensive literature in socialtheory related to human behaviors and their subjective morality.From a social perspective, Keterlaar and Au [30] introducedan “affect-as-information” model to investigate how the pasthuman behaviors influence the future behaviors of humansaccording to the internalized human rationalities. Based on thisresult, we develop the guilty model for cooperation stimulationin MSNs. In addition, some social-related works exploited asocial graph of humans to improve protocol efficiency. Forexample, Li et al. [17] observed that, if two users have a socialrelation in a social graph, they have more contacts than userswho do not have a relation. Based on this observation, theydemonstrated that introducing a social graph into the routingprotocol results in better network performance. However, theconstruction of such a social graph requires users to be fullycooperative without privacy concerns, which is not feasible inMSNs. Other social-related works [30]–[32] considered socialrelations, including not only interuser relations in a social graphbut also relations between users and established social organi-zations. Following this idea, we introduced sociality strengthfor each user to model their cooperation behavior influenced bythe social factor.

III. SYSTEM MODEL

We consider a homogenous MSN that is composed of aset V of mobile users with the network size |V| = N . Usersfollow the same behavior model: They are selfish, tend tomaximize their individual utilities during data forwarding, anddo not perform irrational attacks. A specific utility functionwill be given in Section IV. Users have equal communica-tion range, denoted by Rt. The communication between anytwo users i and j, i, j ∈ V , is bidirectional, i.e., user i cancommunicate to user j if and only if user j can also com-municate to user i. A trusted authority (TA) is available atthe initialization phase to generate pseudonyms and secretkeys for MSN users, but it will not be involved in the dataforwarding. Users continuously change their pseudonyms topreserve their identity and location privacy. The pseudonymchange breaks any relation that was previously establishedbetween two users, and as a result, they can no longer recognizeeach other.

Fig. 1. Mobile social network under consideration.

A. User-to-Spot Data Forwarding

We assume that there exists a set A = {a1, . . . , al} of socialhotspots in the network. They are located in regions such as su-permarkets, restaurants, office buildings, and residential blockswith high population density, as shown in Fig. 1. Different usershave different sets of favored hotspots that they frequently visit.The hotspots that a user visited in the past indicate the personalpreference of the user and, thus, may relate to the user’s futurelocations [18]. In addition, the hotspots can be categorized intosensitive hotspots, e.g., office buildings and residential blocks,and nonsensitive hotspots, e.g., supermarkets and restaurants.Sensitive hotspots are tightly related to users’ private lives. Theaccess to sensitive hotspots needs to be protected accordingto users’ privacy needs. In this paper, we apply the hotspottechnique [12] to preserve receiver location privacy.

We propose a user-to-spot data-forwarding protocol toachieve privacy preservation and user cooperative data forward-ing. In particular, each hotspot is equipped with a noncom-promised and communicable storage device that buffers thepackets for receivers to fetch. A data sender/forwarder leavespackets at selected hotspots, and receivers can fetch the packetsupon their later access to the same hotspots. Compared with thecontact-based data-forwarding protocols where users swap dataupon their contacts, the user-to-spot data-forwarding protocolwould have more successful deliveries in special cases, asshown in Fig. 2. In this figure, relay user j has no contact withreceiver i, but they enter the common hotspots during differenttime periods. By making use of this property, the user-to-spotdata-forwarding protocol enables j to deliver the packet to i.This user-to-spot data-forwarding protocol is practical due tothe following facts.

• Social users often have specific preferences on commonsocial hotspots such as supermarkets and office buildings.They are likely to choose part of these hotspots andfrequently visit them.

• In MSNs, a data sender often has a certain social rela-tionship with a receiver. The sender is likely to be par-tially aware of the social behaviors and frequently visitedhotspots of the receiver.


Fig. 2. Effective data forwarding by the proposed protocol.

• Hotspot buffers are low cost and can be pervasivelyavailable data storage resources [33]. They are not inter-connected and will not be involved in cooperative dataforwarding. They act as static receivers to temporarilystore user data and allow authorized wireless access of thedata when users come into their wireless communicationrange.

In this paper, the identity of the receiver is implicitly con-tained (thus protected) in the packet, and the receiver can fetchthe packet from the hotspot buffer after a simple authenticationoperation, e.g., using the scheme in [12].

B. Model of Social Morality

Social theory [34] indicates that, in a fully autonomoussystem, users independently behave based on the rational cal-culation of expediency. The decision on how to act in social in-teractions is viewed as either primarily economic and motivatedby self interest or noneconomic and is motivated by collectiveinterest and moral obligation. Different norms govern users’behavior in economic and noneconomic spheres of activity,and appropriate behavior varies according to the context andthe nature of the goods being exchanged. These norms are notonly learned but are also incorporated by social users into theirpersonalities. In reality, if users violate a deeply internalizednorm, they would feel guilty to a certain extent, regardless ofwhether anyone else knew of their actions, and would likelypunish themselves in some manner. This is known as socialmorality.

Social study [30] also indicates that individuals who experi-ence a feeling of guilt (compared to individuals who feel noguilt) after working toward a noncooperative strategy in thefirst round of play display higher levels of cooperation in thesubsequent round of play. Experimental results demonstratethat noncooperative individuals who experience a certain levelof guilt in a social bargaining game may use this feeling stateas “information” about the future costs of working toward anoncooperative strategy. Their findings that the guilt manipu-lation interacted with social motives (e.g., guilt tended to haveits intense effect on noncooperative individuals) also suggestthat these results do not occur merely because of preexistingindividual differences in the tendency to cooperate or defect.Instead, it would appear that guilt, in fact, provokes nonco-

Fig. 3. Markov chain model for morality state.

operative individuals to depart from their “typical” strategy ofnoncooperative behavior.

Observing the unique social features in the MSN, we exploitthe morality factor of the MSN by mimicking the morality-centric human society. We emphasize that the morality factorshould be counted into the calculation of users’ utility. To thisend, we instantiate two forms of social morality, i.e., guilt andhigh-mindedness, in the context of MSN-based data forward-ing, where cooperation is highly desirable: users feel guiltywhen they defect (i.e., refuse to forward a packet), and they feelhigh-minded when choosing to cooperate (i.e., help forward apacket). Guilt creates a feeling of indebtedness, which directsthem to cooperate, whereas high-mindedness alleviates theguilty feeling of users.

A self-regulated morality factor g, which is internalized foreach user and quantitatively depicts the internal moral force, isbased on the following two elements.

• Morality state x. The morality state reflects the behaviorhistory of a user. It increases by one level for a singlecooperation behavior and decreases by one level due toa single defection conduct.

• Sociality strength st. The sociality strength st is relatedto a user’s personal experience such as education andhabitation. It is stabilized and less independent, with short-term behavior changes. If the sociality strength of a useris significant, the user feels a correspondingly significantincrement of guilt toward a single defection behavior and acorrespondingly significant increment of high-mindednesstoward a single cooperation behavior.

Each user i has a sociality strength denoted by sti and avarying morality state xi. Following the social theory [30], [32],we depict the morality state xi by a Markov chain model, withthe state space and nonnull transitions shown in Fig. 3. LetPi(j, j + 1) and Pi(j, j − 1) denote the transition probabilitiesfrom the jth state to the (j + 1)th and the (j − 1)th states,respectively. The state j = 0 is the initial neutral state (neitherguilty nor high-minded). States with a positive index are high-minded states, and states with a negative index are guilty states.Being in a high-minded state implies frequent cooperationbehavior in the past, whereas being in a guilty state indicatesan overwhelming defection conduct in the past. The moralityfactor gi of user i is evaluated by a function f(xi, sti) thatincreases as xi decreases or sti increases. Later, in Section VI,when we present our performance evaluation, we will define aspecific f().

C. Overview of the Proposed Protocol

With the user-to-spot data-forwarding protocol deployed, inthe following sections, we concentrate on how we can for-ward packets to the hotspots for effective and efficient data


forwarding with privacy preservation. This delivery is enabledin the following three steps.

1) privacy-preserving route-based authentication;2) proximity measurement;3) morality-driven data forwarding.In the first step, the privacy-preserving route-based authen-

tication enables two encountered users to exchange partialroute information. The route information can be constructedin a privacy-preserving structure that is determined by usersthemselves. The use of an authentication scheme is to resistuser manipulation attacks, i.e., users have to honestly tell abouttheir hotspots. In the second step, each user measures a prox-imity score between the destination and the route informationprovided by the relay user. The proximity score reflects theforwarding capability of a relay node with respect to a specificdestination. The larger a proximity score is, the more effectivea relay’s forwarding becomes. In addition, the proximity scoreaffects the morality factor of the relay node. The rationale isthat a user would feel more guilty if he/she demonstrates morecapability to deliver a packet (with a large proximity score) andyet drops the packet. In the third step, the morality factor isincorporated into the utility calculation of a data-forwardinggame in which users selfishly act and preserve their privacy.We elaborate these three steps in the subsequent sections. Notethat we do not consider irrational attacks in this paper. Userstend to be rational and selfish to maximize their own utility.

IV. AUTHENTICATION AND PROXIMITY MEASUREMENT

In this section, we describe the following first two steps of theproposed protocol: 1) privacy-preserving route-based authenti-cation and 2) proximity measurement. The first step relies on anovel tree structure that provides limited user route informationto the public to boost data-forwarding efficiency. The secondstep calculates the shortest distance between a destination anda hotspot that will be visited by a user. The distance impliesthe forwarding capability when this user attempts to forwardpackets to the destination.

A. Privacy-Preserving Route-Based Authentication

We first show how we can construct a privacy-preservingrouting tree that describes the route of user i between hotspots.At the initial stage, the TA associates user i to a subset ofhotspots Ai = {ay|y = (2, 3, 6, 7)} ⊆ A, which represents thehotspots that are frequently visited by user i. We consider thatuser i is located at hotspot a1 and moves toward a8, as shownin Fig. 4. Suppose that user i moves along the route a1 →a2 → a3 → a6 → a7 → a8. Users that neighbor i have alreadyknown i’s current location a1. However, i has no intention toreveal a8 to them for privacy reasons. In addition, it is unwill-ing to authenticate the entire hotspot set {ay|y = (2, 3, 6, 7)},which contains privacy-sensitive hotspots {a3, a6, a7}. Then, icreates a tree for its mobility route Ti as “a2 AND (a3 ORa4) AND (two of (a5, a6, a7))” and only authenticates thistree to others. The authentication reveals the following fuzzyinformation instead of the precise route: user i will visit a2, oneof (a3, a4), and at least two hotspots from (a5, a6, a7).

Fig. 4. Geographical view of user i’s route.

Fig. 5. Tree structure of user i’s route.

We present the routing tree structure T as shown in Fig. 5,where each non–leaf node represents a threshold gate, and eachleaf node represents a hotspot in Au. We use AT = {az1 , az2 ,· · · , azτ } ⊆ Au to denote the hotspot set that corresponds to allleaf nodes in T . Note that if we assign 0 or 1 to the hotspots(az1 , az2 , · · · , azτ ) of leaf nodes in T , T will be transformedinto a Boolean function F (az1 , az2 , · · · , azτ ). For example,in Fig. 5, F (a1, a2, · · · , a7) = a2(a3 + a4)(a5a6 + a5a7 +a6a7). We say that a hotspot set Ai satisfies both T and functionF (az1 , az2 , · · · , azτ ) if and only if F (az1 , az2 , · · · , azτ ) = 1,where for each ay , y ∈ {z1, z2, · · · , zτ}, we have

ay =

{1, if ay ∈ Ai

0, if ay /∈ Ai.

The routing tree preserves user privacy by making sensi-tive hotspots anonymous, and at the same time, it providescertain information of the mobility route that can be used toevaluate the user’s forwarding capability. We are now readyto present our privacy-preserving route-based authenticationscheme, which supports a single threshold gate (maximumthreshold value d) for a routing tree. A multiple-thresholdtree can semantically be converted to multiple single-thresholdtrees. The proposed scheme is built on the bilinear pairingtechnique [35], [36].

Initialization: Let G and GT be two finite cyclic groupsof the same large order n, where n = pq is a product of twolarge primes p and q. Suppose that G and GT are equippedwith a pairing, i.e., a nondegenerated and efficiently computablebilinear map e : G×G → GT such that the following twocases hold: 1) ∀g, h ∈ G, ∀a, b ∈ Zn, and e(ga, hb) = e(g, h)ab

and 2) ∃g ∈ G, e(g, g) has order n in GT .The TA chooses a redundant hotspot set Ar = {al+1,

al+d−1}, two generators (g, u) of G, a generator h of Gq

(Gq is a subgroup of G with order q), a secure cryptographichash function H : {0, 1}∗ → Z

∗n, and random number δ ∈

Z∗n. For all 1 ≤ y ≤ l + d− 1, the TA chooses random


numbers ty ∈ Z∗n and computes Ty = gty . The TA also

computes Δ = e(g, u)δ . With these settings, the TA se-cretly keeps the master key (δ, (ty)1≤y≤l+d−1) and publishesthe public parameter pub = (n, g, u, h,G,GT , e,H,Δ, Ty(1 ≤y ≤ l + d− 1),A ∪Ar).

User Registration: The TA chooses a unique randomnumber t ∈ Z

∗n and a random polynomial q(x) = κd−1x

d−1 +κd−2x

d−2 + · · ·+ κ1x+ δ and generates Ei = 〈kd,(dy)ay∈Ai∪Ar

〉, where kd = t, and dy = uq(y)/t+ty . It informsthe registering user i about the secret key Ei.

Let users i and j denote the signer and verifier, respectively.Denote user i’s routing tree (with a single threshold) by Ti.Let k be the threshold value of the root of Ti and Θi be ahotspot set that corresponds to Ti’s leaf nodes. Φi ⊆ Ai ∩Θi

is a hotspot set of size k.Signing by User i: User i first chooses a subset Ar′ ⊆

Ar (|Ar′ | = d− k). Let Ar′ be {al+1, · · · , al+d−k}. Then,for each hotspot ay ∈ Ψ = Φi ∪ Ar′ , user i computes theLagrange coefficient ωy =

∑w|aw∈Ψ,w =y 0− w/y − w. It ran-

domly selects rt, rp, ry ∈ Z∗n for ay ∈ Θi ∪ Ar′ and computes

Sy for ay ∈ Θi ∪ Ar′ as

Sy =

{dωyy · hry , if ay ∈ Ψ

hry , if ay ∈ Θi \ Φi.(1)

It outputs the signature as

σi =⟨Ti, St, Sp, (Sy)ay∈Θi∪Ar′ , π1, π2

⟩

where St = gkd · hrt , Sp = g1/kd+H(pidi) · hrp , and

π1 =Srtp

(gH(pidi)gkd

)rp

π2 =∏ay∈Ψ

(dωyy

)rt ∏ay∈Θi∪Ar′

(StTy)ry .

Verification by User j: User j receives σi and checks⎧⎨⎩

e(StgH(pidi), Sp)

?= e(g, g) · e(h, π1)∏

ay∈Θi∪Ar′

e(Sy, StTy)?= Δ · e(h, π2).

If the aforementioned equations hold, user j confirms thatuser i has pseudonym pidi and a hotspot set that satisfies Ti.The correctness of the verification is based on the followingmathematical manipulation:

e(Stg

H(pidi), Sp

)

= e(gthrt · gH(pidi), g

1t+H(pidi)hrp

)

= e(g, g) · e(h,

(g

1t+H(pidi)hrp

)rt·(gtgH(pidi)

)rp)

= e(g, g) · e(h, Srt

p

(gH(pidi)gt

)rp)

= e(g, g) · e(h, π1)∏

ay∈Θi∪Ar′

e(Sy, StTy)

=∏ay∈Ψ

e(dωyy , StTy

)·

∏ay∈Θi∪Ar′

e(hry , StTy)

=∏ay∈Ψ

e

(u

ωyq(y)

kd+ty , gkdhrtgty)·

∏ay∈Θi∪Ar′

e(hry , StTy)

= e(g, u)δ∏ay∈Ψ

e

(u

rtωyq(y)

kd+ty , h

)·

∏ay∈Θi∪Ar′

e(hry , StTy)

= Δ · e

⎛⎝h,

∏ay∈Ψ

(dωyy

)rt ∏ay∈Θi∪Ar′

(StTy)ry

⎞⎠

= Δ · e(h, π2).

Privacy Discussion: For user privacy preservation, theroute-based authentication scheme mixes the hotspot ay ∈ Ψthat user i has with the hotspot ay /∈ Ψ that user i does nothave based on (1) by multiplying a subgroup element h. Thisapproach achieves full anonymity, i.e., any other user cannottrace the hotspots that are used to generate the signature,because the element h cannot be distinguished from either Gp

or Gq without p or q known as a priori. The theoretical proofcan be found in [35] and [36]. Consider that an adversarialuser may use the authenticated route information to identify thesigner’s trace. Without precaution, such misbehavior may vio-late location privacy. An effective defense mechanism againstthis privacy violation is to let each user change the routing treestructures of their route information as frequently as the changeof their pseudonyms and also include redundant hotspots intotheir routing tree. As a result, different users may generatethe same routing tree, and the signature cannot be used tolink the past/future locations and behaviors of any specificuser.

B. Proximity Measurement

In this section, we develop a novel proximity measurementfor implementing the user-to-spot data-forwarding protocol.Consider a packet that originated in user j and is destined to Dj ,which is a hotspot that its intended receiver frequently visits.When j meets a user i, it computes a forwarding score ej,i. Thisscore implies i’s forwarding capability of bringing the packetto Dj . It is subject to multiple factors such as the time-to-liveperiod of the packet, the probability that i drops the packet dueto limited storage buffer, and how close i can be to Dj when theclosest distance will occur. However, the more the factors thatare used, the more that personal information is revealed, and theless that privacy is preserved.

To avoid any additional privacy leakage, we define ej,i =ψ(rj,i), where rj,i is the smallest distance between Dj and thehotspots that i will visit, and ψ() is a monotonically decreasingfunction of rj,i. The smaller rj,i is, the more closely i candeliver the packet to Dj , and the larger ej,i becomes by thisdefinition. A particular case is shown in Fig. 6. Even if userh appears to move away from Dj , its forwarding, when used,will still be effective, because it is going to encounter user i,


Fig. 6. User that moves toward the opposite direction of the destination canstill provide effective forwarding.

who will visit Dj afterward. Given that no global knowledge isavailable and any user can be an effective forwarder, ψ() alwaysreturns a positive value.

Because user i only exposes partial information Ti of itsmobility route to user j during route-based authentication,user j cannot accurately compute rj,i. We devise an approx-imation algorithm for user j to obtain an approximate valuer∗j,i with the inputs Ti and Dj . In this algorithm, we firsttransform Ti to a Boolean function Fi(az1 , az2 , · · · , azτ ). Wedenote a self dual function of Fi as Fi(az1 , az2 , · · · , azτ ) =Fi(az1 , az2 , · · · , azτ ). Let ADj ,r denote a set of hotspots lo-cated in a circular area centered at the destination Dj withradius r. For a user i that neighbors user j, we can findthe smallest radius r∗j,i such that ADj ,r∗j,i

satisfies function

Fi(az1 , az2 , · · · , azi). The algorithm finally outputs an approx-imate value r∗j,i. The algorithmic detail is given in Algorithm 1.User j will then use this value r∗j,i to calculate the forwardingscore of user i.

Algorithm 1: Smallest radius calculation by user j.

1: Input: Ti and Dj .2: Transform Ti to Fi(az1 , az2 , · · · , azτ ).3: Calculate Fi(az1 , az2 , · · · , azτ ) =Fi(az1 , az2 , · · · , azτ ).

4: Calculate Ds = {dz1 , dz2 , · · · , dzi}, where dy is the dis-tance between Dj and ay for y ∈ {z1, z2, · · · , zτ}.

5: Sort Ds in ascending order {dz∗1, dz∗

2, · · · , dz∗

τ}, which

corresponds to spots {az∗1, az∗

2, · · · , az∗

i}.

6: Initialize A = {az∗1}, μ = 1.

7: while (A does not satisfy Fi(az1 , az2 , · · · , azτ )) do8: μ = μ+ 1,9: A = A ∪ {az∗

μ}.

10: end while11: Let r∗j,i = dz∗

μand ADj ,r∗j,i

= A.12: Output r∗j,i.

We use an example to illustrate how the proximity scoreis computed in accordance with the scenario given in Fig. 7.User i encounters user j. User i generates a routing tree Tiand the corresponding Boolean function Fi(a2, a3, · · · , a7) =“a2 AND (a3 OR a4) AND (two of (a5, a6, a7))”. User jhas two packets with destinations D1 and D2, respectively. Wehave Fi(a2, a3, · · · , a7) = “a2 OR (a3 AND a4) OR (two of(a5, a6, a7))”. According to Algorithm 1, with Ti and D1 as

Fig. 7. Example of the smallest radius calculation.

inputs, A is initialized to {a3}, because a3 is the hotspot thatis closest to D1. Then, {a4} will be added into A, because{a3} does not satisfy Fi(a2, a3, · · · , a7), and a4 is the secondclosest to D1. A = {a3, a4} now satisfies Fi(a2, a3, · · · , a7).The algorithm finally outputs the distance r′j,i between a4 andD1. Similarly, with Ti and D2 as inputs, the algorithm outputsthe distance r′′j,i between a5 and D2, where A = {a5, a7}satisfying Ti.

V. MORALITY-DRIVEN DATA FORWARDING

After finishing the first two steps, users can performmorality-driven data forwarding. Note that the mobile socialusers are autonomous and intelligent individuals. It is rea-sonable to assume that they are rational and their behaviorsare driven by personal profit and morality. On the one hand,they tend to act defection to reduce their forwarding costs.On the other hand, they offer cooperation from time to timeto counteract the guilty feelings that are brought by their pastselfish deeds. During MSN-based data forwarding, social usersimplement the best strategy to balance cost and payoff. In thissection, we apply the game theory to model individual userbehavior and obtain the optimal data-forwarding strategy.

Consider a scenario where users independently and randomlymove along determined mobility routes. Upon contact withanother user, a user would either cooperate or defect for dataforwarding. We assume that, for two users that both havepackets to send, cooperation is reciprocal. Due to the randommobility and privacy preservation, users’ future contacts areunpredictable. A user thus derives the optimal data-forwardingstrategy based on its self-related information, including itsown mobility route, the destination of its own packet, andmorality factor, as well as the opponent information, includingthe morality factor, mobility route, and packet destination of theencountered user.

From a user’s perspective, among a series of cooperationswith different encountered opponents, due to privacy preserva-tion, the opponent information of the current contact is alwaysindependent of previous contacts, and thus, the decision oncooperation or defection depends only on the self-related in-formation and the opponent information of the current contact.We thus model the interplay upon each contact, i.e., cooperationgame, as a nonzero sum two-player game.


TABLE IPAYOFF MATRIX. (a) PAYOFF MATRIX OF TWO-PLAYER B-GAME.

(b) PAYOFF MATRIX OF TWO-PLAYER E-GAME. (c) PAYOFF

MATRIX OF TWO-PLAYER S-GAME

A. Basic/Extended Cooperation Games

We first define a basic cooperation game, called the basic(B)-game, as a 3-tuple (N ,S,P), where N is a pair of users, Sis a set of strategies, and P is a set of payoff functions. Accord-ing to Section III, users continuously change their pseudonymsto preserve their privacy. Pseudonym change breaks any relationthat was previously established between two users, and as aresult, they no longer recognize each other. Therefore, B-gameis a nonrepeated that can be described as follows.

• Players. Two users i and j belong to the universal userset V . User j can also be denoted as −i. The two usersare within the transmission range of each other, and theydecide to cooperate or defect, aiming at maximizing theirindividual payoff.

• Strategy. Upon the forwarding request of the opponentuser, each user has the following two strategies: 1) coop-erate (C) and 2) defect (D). Denote user i’s strategy by si.Then, si = C means that user i forwards user j’s packet,and si = D means that user i drops user j’s packet.

• Payoffs. The cost c of forwarding on one packet is a value,which is the same for both users. If user i’s data areforwarded by user j, the profit that was acquired by user iis b, which is also a constant. We set b ≥ c > 0 because theprofit that was acquired from each forwarding should be atleast equal to the incurred cost. The user payoffs underdifferent strategies are shown in Table I(a).

Based on the payoff matrix in Table I(a), it is observed thatB-game is a typical prisoner-dilemma game, where the onlyNash equilibrium (NE) is (D,D) for the nonrepeated version.In other words, regardless of the opponent’s strategy, the beststrategy for a user is to defect. This case is because b > b− c,0 > −c.

Next, we introduce an extended (E)-game, where the payoffmatrix is shown in Table I(b). This game considers users i andj’s behaviors affected by morality factors gi and gj . The moral-ity factors are introduced as the costs of defection behaviors intothe payoff functions. The best strategy of E-game for user i is tocooperate if gi > c and defect if gi ≤ c. Based on the Markovchain model given in Section III-B, there exists a moralitystate x∗ < 0 such that f(sti, x∗ + 1) < c < f(sti, x

∗). After afinite series of defections, user i will reach state x∗ and thenalternatively chooses to cooperate.

Fig. 8. Best strategy for different games. (a) Best strategy of E-game. (b) Beststrategy of S-game.

B. Social Cooperation Game

In the following discussion, we extend E-game to a complexsocial (S)-game, which is also denoted by a 3-tuple (N ,S,P).S-game further incorporates the forwarding scores ei,j and ej,ithat were computed in the previous two steps (see Section IV)into the payoff function.

• Players. There are two users i and j with different socialitystrength sti, stj and current morality factors gi, gj .

• Strategy. The strategy is the same as in B-game. User i’sstrategy is denoted by si.

• Payoffs. The payoff of user i is evaluated by

psi =

⎧⎪⎨⎪⎩

ei,jb− c, if si = C, sj = C−c, if si = C, sj = Dei,jb− ej,igi, if si = D, sj = C−gi, if si = D, sj = D.

(2)

In the payoff formula (2), the forwarding scores ei,j andej,i are used to measure user i’s profit and morality factor. Ifuser j forwards user i’s data, the profit that user i acquires isei,jb instead of b. If user i drops user j’s data, depending onuser j’s strategy, user i acquires different morality factors ej,igior gi. Note that, when users i and j both drop each other’spackets, the morality factor on user i’s payoff is independent ofthe forwarding score ej,i. This case is because users i and j treateach other equally and do not further consider their forwardingcapability.S-Game With Complete Information: We first analyze

S-game in the case that two players have complete information,including the sociality strength and morality state of each other.Each player can calculate the morality factor by ψ(), as definedin Section III-B, and determine the payoff before deciding onwhether to cooperate or defect according to Table I(c). We useTheorem 1 to identify the NE strategies of S-game.

Theorem 1: When the two players have complete informa-tion of each other in S-game, there are multiple pure-strategyNE in different cases and one mixed-strategy NE (xi, xj),where xi = c− g−θ/eθ,−θg−θ − g−θ is the probability that usernθ chooses to cooperate, as shown in Fig. 8(b).

Proof: For θ = i or j, we have the following three casesto consider.

• gθ < c/e−θ,θ. We have eθ,−θb− e−θ,θgθ > eθ,−θb− cand −gθ > −c/e−θ,θ ≥ −c due to e−θ,θ ≥ 1. As a result,when g−θ < c, (sθ = D, s−θ = D) is an NE, and wheng−θ > c, (sθ = D, s−θ = C) is an NE.


• gθ > c. We have −gθ < −c and eθ,−θb− e−θ,θgθ <eθ,−θb− c due to e−θ,θ ≥ 1. As a result, wheng−θ >(sθ = C, s−θ = C) is an NE, and wheng−θ < c/eθ,−θ, (sθ = C, s−θ = D) is an NE.

• c/e−θ,θ < gθ < c. Let xθ denote the forwarding probabil-ity of user nθ. For s−θ = C or s−θ = D, we separatelycalculate the payoff for n−θ as follows:

ps−θ|C =xθ × (e−θ,θb− c) + (1 − xθ)× (−c)

ps−θ|D =xθ × (e−θ,θb− eθ,−θg−θ) + (1 − xθ)× (−g−θ).

If xθ is the best strategy of nθ, we have ps−θ|C = ps−θ|D,which gives xθ = c− g−θ/eθ,−θg−θ − g−θ.

�S-Game With Incomplete Information: We consider the case

that the two players have incomplete information of each other.In particular, user i obtains sociality strength sti, morality stategi, and forwarding scores ei,j and ej,i, but it does not obtainthe sociality strength stj and morality factor gj of user j. As asupplementary information, we assume that user i obtains theprobability distribution of the morality factor of all users.Based on this condition, user i can estimate the morality factorgj of user j. Then, user i follows the following steps accordingto the best strategy, as shown in Fig. 8(b).

• If 0 ≤ gi < c/ej,i, then user i chooses to defect, regardlessof user j’s strategy.

• If c ≤ gi, then user i chooses to cooperate, regardless ofuser j’s strategy.

• If c/ej,i ≤ gi < c, then there exists a pure-strategy NE(D,D) for gj < c/ei,j , a pure-strategy NE (C,C) forgj > c, and a mixed-strategy NE for c/ei,j < gj < c. Forthe pure-strategy NE, we calculate the defection probabil-ity Pr1 and cooperation probability Pr2 as

Pr1 = Pr

(0 ≤ gj <

c

ei,j

)=

cei,j∫0

(α) dα

Pr2 = Pr(c ≤ gj) =

+∞∫c

(α) dα.

In addition, user i makes a mixed-strategy NE with proba-bility Pr3, which is given by

Pr3 = Pr

(c

ej,i≤ gi < c

)=

c∫c

ej,i

(α) dα.

For the mixed-strategy NE with probability Pr3,Theorem 1 indicates that the best strategy of user i is toforward the data with probability c− gj/ei,jgj − gj if gjis known by user i. In this case, the probability that user ichooses to cooperate is

Pr4 =

c∫c

ej,i

(c− α

ei,jα− α

)(α) dα. (3)

Overall, user i decides to cooperate with probabilityPrF = Pr2 + Pr4 and to defect with probability PrD =1 − PrF .

S-Game-Based Data Forwarding: Notice that S-game withincomplete information emulates MSN environments in reality,where the opponent’s morality factor cannot directly be ob-tained. We use the optimal strategy of this game in our protocolfor users to make the optimal data-forwarding strategies. As de-fined in Section III-B, the user morality factor would vary withboth sociality strength and morality state. However, revealingsuch information violates user privacy, because other adversar-ial users can utilize the information to track user behavior. Inthis case, we do not require an accurate calculation of moralityfactor in S-game. Instead, we examine the proposed strategy byusing a probability distribution function of morality factor.This function can be either observed by the TA or reported byindividual users. Further analysis is presented in Section VI-B3.

A user who has packets to forward starts the data-forwardingprotocol with a randomly selected neighbor. Consider twoneighboring users i and j that are running the protocol, i.e.,they are both able to provide cooperative data forwardingto each other, and any forwarding/defection decision in thetwo-user game will impact their social morality. Let Si ={pi1 , pi2 , · · · , piα} and Sj = {pj1 , pj2 , · · · , pjβ} be the packetsets held by i and j, respectively. We summarize the protocolas follows. User i first randomly selects a packet px (destinedto Di) from its local repository. It then calculates the digestof the packet di = H(px), where H is the cryptographic hashfunction. Last, it sends di to j. In the meantime, user j locallyexecutes a similar procedure and sends i the digest dj ofa packet of py (destined to Dj). According to di (dj), if j(respectively, i) finds that it already has px (respectively, py), itwill inform i (respectively, j) to reselect px (respectively, py).Through exhaustive packet reselection, if they cannot find anyexclusively owned packet, the protocol will terminate. Other-wise, they proceed to exchange (px,Di) and (py,Dj), togetherwith their own routing trees Ti and Tj . Then, they validateeach other’s routing trees (see Section IV-A). After that, theyevaluate each other’s forwarding scores (see Section IV-B)and finally make the forwarding strategy for each other (seeSection V-B2).

VI. PERFORMANCE EVALUATION

In this section, we conduct trace-based custom simulationsof the MSN to evaluate the proposed data-forwarding protocol.

A. Simulation Settings

User Mobility, Hotspots, and Packet Generation: We gen-erate user mobility model according to the real-world trace ofpedestrian runners as provided in [37]. In the real trace set, N =100 mobile users are randomly deployed in a 1000 × 1000 m2

region, with the velocity randomly distributed with a meanvalue of 1 m/s. The communication range Rt of users is set to50 m. The log contains the user locations in successive T = 900time slots.


Fig. 9. Hotspots and population density. (a) Hotspots (denoted by H). (b)Population density.

We divide the network field into 10 × 10 grids, where eachgrid is a square with a side length of 100 m. We create acircle of radius Rt around each grid point, and there are totally121 circles. The areas enclosed by these circles are called spotsand are denoted by (a1, a2, · · · , a121), as shown in Fig. 9; notwo spots overlap.

We aggregate user route information to determine the mostpopular spots as follows. Let dm,n denote the number of usersin hotspot am at time slot n, where integers m ∈ [1, 121]and n ∈ [1900]. We sort the spots in descending order ac-cording to dm =

∑Tn=1 dm,n and choose the top-ten spots as

hotspots (i.e., l = 10). Fig. 9(a) shows the selected hotspots,and Fig. 9(b) shows the population density of spots according todm. In the middle of each hotspot, we place a wireless storagedevice with a communication range that is equal to Rt. Oncea user enters a hotspot, it can access the storage device of thehotspot through wireless communication.

For each simulation run, a total of 1000 packets were gener-ated for transmission, 100 packets per each user, with uniformlyselected hotspots being the packet destinations. In each timeslot, a user i randomly selects a neighboring user j to playa two-player cooperation game. In the cooperation game, weconsider the communication cost of data forwarding to be muchgreater than the computational cost of the associated authenti-cation. As such, the authentication scheme imposes negligibleinfluence on user behavior. Upon each contact, users uniformlyselect one available packet from their buffers to transmit. Tofocus on the impact of cooperation on the data-forwardingeffectiveness, we consider that packets do not expire during thesimulations and hotspot buffers and user device buffers are notlimited in size.

Sociality Strength and Morality Function: The socialitystrength sti of user i (1 ≤ i ≤ 100) is selected from the range[0,1]. The greater sti is, the more intense the social moralityimpact on user i’s cooperation becomes. In this section, weadopt different models of sociality strength represented bythree beta distributions β(2, 5), β(2, 2), β(5, 2), as shown inFig. 10(a), respectively, to evaluate the performance of theproposed protocol in the cases of low, medium, and high users’sociality strength, respectively.

The morality function f is used to calculate the moralityfactor of each user i using the user’s sociality strength sti andcurrent morality state x. Based on Section III-B, we define the

following three morality functions: 1) the linear function f1; 2)the natural logarithm function fe; and 3) the common logarithmfunction f10. They output 0 if x ≥ 0; otherwise

f1(sti, x) = k · sti · (−x)

fe(sti, x) = k · ln (1 + sti · (−x))

f10(sti, x) = k · log10 (1 + sti · (−x))

where k is a tunable coefficient in the range (0,+∞). Forsimplicity, we fix k = 1 in our simulation.

The three morality functions represent three different levelsof morality force that affect user cooperation behavior, respec-tively. They always output a nonnegative value. The commonlogarithm function f10 generates a smaller morality factorcompared with the other two functions. If it is adopted, we canexpect to see more defection behaviors.

Routing Tree and Forwarding Capability: Recall that auser’s routing tree preserves user privacy by making the sensi-tive hotspots anonymous and, in the meantime, provides partialinformation of user mobility route to facilitate cooperative dataforwarding. With ten hotspots in simulation, each user i mayhave at most ten hotspots and at least zero hotspot in Ai. Wegenerate a simplified routing tree structure T as follows. If|Ai| = 0, the tree cannot be created, whereas if 0 < |Ai| < 5,we set the threshold as |Ai| and the leaf nodes as all the hotspotsof Ai and other 5 − |Ai| ones from Au \ Ai. If |Ai| ≥ 5, we setthe threshold as 4 and the leaf nodes as four randomly selectedhotspots from Ai and another different hotspot. In short, forevery user, the tree structure can be written as “t of 5,” where1 ≤ t ≤ 4.

In Section IV-B, a function ψ is used to compute the for-warding capability of a given user i for a packet with a specificdestination. We set the lower bound of ψ as 1. In the networkgrid, r∗i,j can be 1000 ×

√2 = 1415 m at most and 0 m at

least. Intuitively, if r∗i,j = 1415, the forwarding capability ei,jreaches the minimum value, and if r∗i,j = 0, ei,j reaches the

maximum value. We define ψ(r∗i,j) = ek′−k′r∗i,j/1415 and set

k′ = 3 as an example to illustrate the effect of forwardingcapability.

B. Simulation Results

The performance metrics used in the simulation are given asfollows: 1) the delivery ratio, which is the fraction of packetsthat are correctly delivered to the hotspots as their destinationsand 2) the average morality state, which reflects the intentionof users to cooperate over time. The delivery ratio examines theoverall cooperation of users in the MSN, whereas the averagemorality state denotes the long-term cooperation strategies for asingle user. For each simulation, we conduct 50 simulation runsand report the average results.B-Game: We first examine B-game, where users always

choose defection as the best strategy, as discussed inSection V-A. Fig. 10(b) shows three delivery ratios in thefollowing three cases: 1) Users do not cooperate (i.e., B-game);2) users stochastically cooperate to forward packet with a prob-ability of 10%; and 3) users fully cooperate. It is shown that,


Fig. 10. Preliminary results. (a) Sociality strength. (b) Cooperation effect.

Fig. 11. Delivery ratio in E- and S-games with complete information. (a) E-game with f1. (b) E-game with fe. (c) E-game with f10. (d) S-game with f1.(e) S-game with fe. (f) S-game with f10.

at time slot 900, the full-cooperation strategy achieves 99% de-livery ratio, whereas the noncooperation strategy achieves only30%. Furthermore, Fig. 10(b) indicates that the probabilisticcooperation strategy provides a significant improvement to thedelivery ratio up to 74%. However, without effective incentiveand appropriate exploration of their social feature, users willnot take cooperation due to selfishness. Successful deliveryhappens only when the data senders arrive at their selectedhotspots. This inevitably results in a low delivery ratio inB-game.E- and S-Games: E-game extends B-game by embedding

the morality factor into the payoff function, as shown inTable I(b), whereas S-game further considers the forwardingcapability into the payoff of E-game. Fig. 11 shows the delivery

ratio of both E- and S-games with complete information, withred lines representing the performance of forwarding cost c =0.5, blue lines representing the performance of c = 1.5, andblack lines depicting the performance of full cooperation andnoncooperation as the best and worst case, respectively. It isclearly observed that the strategies with c = 0.5 can achievea higher delivery ratio than the strategies with c = 1.5. Therationale is that a large forwarding cost c = 1.5 hinders thecooperation performed by users who have limited resources andthus limits guilty incentive. In particular, when f10 is adopted,the cooperation condition in case of c = 1.5 approaches theworst case. This case is because the guilty function f10 returnsthe smallest morality factor, resulting in the least incentive tocooperate, compared with the function fe and f1. Fig. 11 shows


Fig. 12. Average morality states of all users in E- and S-games with complete information, c = 0.8, and common logarithm. (a) Sociality strength β(2, 5).(b) Sociality strength β(2, 2). (c) Sociality strength β(5, 2).

Fig. 13. S-game with incomplete information. (a) Morality factor. (b) Delivery ratio, f10, c = 1.5, and sti ∼ β(2, 5).

that the strategies with the sociality strength β(5, 2) performmuch better than the strategies with β(2, 2) and β(2, 5) interms of delivery ratio. This case is because, compared withcases β(2, 2) and β(2, 5), users will be initialized with largersociality strength in case β(5, 2), as shown in Fig. 10(a), and asdiscussed in Section III-B, more users feel intense guilt towardtheir defection and choose to cooperate, which leads to betterperformance.

Fig. 11 shows the performance comparison between E- andS-games under the same parameters. It is shown that thedelivery ratio can further be improved by enabling privacy-preserving route-based authentication. However, because theroute information is limited due to the privacy preservation, theimprovements are not significant. For example, when choosingβ(2, 5) and c = 1.5, the delivery ratio increases from 0.309,as shown in Fig. 11(c), to 0.327, as shown in Fig. 11(f). Tofurther investigate the impact of the route information on data-forwarding cooperation, we randomly select 100 users in thenetwork and examine their average morality states. Fig. 12shows the average morality state of each selected user in termsof the user sociality strength in three settings of social strengthβ(2, 5), β(2, 2), and β(5, 2), respectively. The blue circle rep-resents a user that adopts the best strategy from S-game, andthe red star represents a user that adopts the best strategy fromE-game. It is shown that, with the same sociality strength, users

that are represented by the red star have smaller morality statesthan users that are represented by the blue circle. This is tosay that the incentive to defect in the cooperation game canfurther be reduced by enabling privacy-preserving route-basedauthentication.S-Game With Incomplete Information: For S-game with in-

complete information, the morality factor cannot directly beobtained in our morality model due to the lack of socialitystrength and morality state information about the opponent user.As such, the morality factor will be estimated by a probabilitydistribution function . In our simulation, we use exponentialdistribution with parameter λ = {1, 2, 10, 20} to generate themorality factors for all users. The probability distribution func-tion is shown in Fig. 13(a).

Fig. 13(a) shows that most users in case of λ = 1 may have arelatively large morality factor. Because we make sti ∼ β(2, 5),most users would have weak sociality strength. Thus, thelarge morality factors of users indicate that they have alreadyadopted a large amount of defections. Accordingly, they wouldhave intense guilty feeling; therefore, their following behaviorsare probably cooperative. In addition, it is shown that, whenλ = 20, most users with weak sociality strength have smallermorality factors, and without enough guilt as cooperation in-centives, their future behaviors would likely be defections. Theperformance results in Fig. 13(b) validate the aforementioned


analysis, where the delivery ratio largely decreases if λ changesfrom 1 to 20. By investigating the proposed strategy, it is shownthat, when λ = 20, from user i’s perspective, the opponentuser j has a morality factor gj < c/ei,j with a large probability.In this case, user i chooses to cooperate if gi ≥ c and defect ifgi < c. The best strategy of S-game with incomplete informa-tion is thus almost equal to the best strategy of E-game; bothgames indicate users to cooperate or defect based mostly onuser self-morality factors. However, S-game with incompleteinformation outperforms E-game, because it has an additionalmixed-strategy space, as shown in Fig. 8(b), to encourage usercooperation.

VII. CONCLUSION

In MSNs, the two fundamental design goals—privacy preser-vation and cooperative data forwarding—would severely con-flict with each other if carelessly designed. This case is becauseconcealing and protecting user information may prohibit track-ing the social behavior of users, which impedes the cooperativedata forwarding and effective incentive mechanism. In thispaper, we have attained the two conflicting design goals inone framework by exploiting social morality. In particular,first, we proposed a novel user-to-spot data-forwarding protocolwhere each packet is destined to a hotspot that is associatedwith the receiver and then retrieved by the receiver upon itsaccess to the hotspot. With this protocol, not only can receiverlocation privacy be preserved but the packet delivery ratio isalso enhanced. In addition, a privacy-preserving route-basedauthentication scheme was integrated to allow users to revealanonymized route information to the public. Based on theinformation, a user can evaluate the data-forwarding capabil-ity of each relay for a given packet with a specific destina-tion. Then, game-theoretic models were adopted to derive thebest data-forwarding strategy for users with respect to usermorality factor, interest, and forwarding capability. Throughextensive trace-based simulations, we have demonstrated thedata-forwarding effectiveness of the proposed protocol in termsof packet delivery ratio. In particular, the embedded privacy-preserving route-based authentication scheme makes importantcontributions to the protocol performance. For our future work,we will extend this paper by studying a more general andcomplicated situation in which mobile social users may havediverse behavior models.

REFERENCES

[1] A. Miklas, K. Gollu, K. Chan, S. Saroiu, P. Gummadi, and E. Lara,“Exploiting social interactions in mobile systems,” in Proc. UbiComp,2007, pp. 409–428.

[2] S. Ioannidis, A. Chaintreau, and L. Massoulié, “Optimal and scalabledistribution of content updates over a mobile social network,” in Proc.IEEE INFOCOM, 2009, pp. 1422–1430.

[3] R. Lu, X. Lin, and X. Shen, “Spring: A social-based privacy-preservingpacket forwarding protocol for vehicular delay-tolerant networks,” inProc. IEEE INFOCOM, 2010, pp. 632–640.

[4] W. He, Y. Huang, K. Nahrstedt, and B. Wu, “Message propagation inad-hoc-based proximity mobile social networks,” in Proc. PERCOMWorkshops, 2010, pp. 141–146.

[5] D. Niyato, P. Wang, W. Saad, and A. Hjrungnes, “Controlled coalitionalgames for cooperative mobile social networks,” IEEE Trans. Veh. Tech-nol., vol. 60, no. 4, pp. 1812–1824, May 2011.

[6] M. Motani, V. Srinivasan, and P. Nuggehalli, “PeopleNet: Engineering awireless virtual social network,” in Proc. MobiCom, 2005, pp. 243–257.

[7] M. Brereton, P. Roe, M. Foth, J. M. Bunker, and L. Buys, “Designingparticipation in agile ridesharing with mobile social software,” in Proc.OZCHI, 2009, pp. 257–260.

[8] S. Gaonkar, J. Li, R. R. Choudhury, L. P. Cox, and A. Schmidt, “Mi-croblog: Sharing and querying content through mobile phones and socialparticipation,” in Proc. ACM MobiSys, 2008, pp. 174–186.

[9] M. Li, K. Sampigethaya, L. Huang, and R. Poovendran, “Swing and swap:User-centric approaches towards maximizing location privacy,” in Proc.WPES, 2006, pp. 19–28.

[10] J. Freudiger, M. Manshaei, J.-P. Hubaux, and D. Parkes, “On noncoop-erative location privacy: A game-theoretic analysis,” in Proc. ACM CCS,2009, pp. 324–337.

[11] R. Lu, X. Lin, T. H. Luan, X. Liang, and X. Shen, “Pseudonym changingat social spots: An effective strategy for location privacy in VANETs,”IEEE Trans. Veh. Technol., vol. 61, no. 1, pp. 86–96, Jan. 2012.

[12] X. Lin, R. Lu, X. Liang, and X. Shen, “Stap: A social-tier-assisted packet-forwarding protocol for achieving receiver location privacy preservationin VANETs,” in Proc. IEEE INFOCOM, 2011, pp. 2147–2155.

[13] A. Lindgren, A. Doria, and O. Schelén, “Probabilistic routing in intermit-tently connected networks,” in Proc. SAPIR, 2004, pp. 239–254.

[14] E. M. Daly and M. Haahr, “Social network analysis for routingin disconnected delay-tolerant MANETs,” in Proc. MobiHoc, 2007,pp. 32–40.

[15] W. Gao, Q. Li, B. Zhao, and G. Cao, “Multicasting in delay tolerantnetworks: A social network perspective,” in Proc. MobiHoc, 2009,pp. 299–308.

[16] P. Hui, J. Crowcroft, and E. Yoneki, “BUBBLE rap: Social-based forward-ing in delay-tolerant networks,” IEEE Trans. Mobile Comput., vol. 10,no. 11, pp. 1576–1589, Nov. 2011.

[17] Q. Li, S. Zhu, and G. Cao, “Routing in socially selfish delay-tolerantnetworks,” in Proc. IEEE INFOCOM, 2010, pp. 857–865.

[18] Q. Yuan, I. Cardei, and J. Wu, “Predict and relay: An efficient routing indisruption-tolerant networks,” in Proc. MobiHoc, 2009, pp. 95–104.

[19] W. Yu and K. J. R. Liu, “Game-theoretic analysis of cooperation stimu-lation and security in autonomous mobile ad hoc networks,” IEEE Trans.Mobile Comput., vol. 6, no. 5, pp. 507–521, May 2007.

[20] H. Zhu, X. Lin, R. Lu, Y. Fan, and X. Shen, “Smart: A secure multilayercredit-based incentive scheme for delay-tolerant networks,” IEEE Trans.Veh. Technol., vol. 58, no. 8, pp. 4628–4639, Oct. 2009.

[21] M. H. Manshaei, Q. Zhu, T. Alpcan, T. Basar, and J.-P. Hubaux, “Gametheory meets network security and privacy,” Ecole Polytech. Fédéralede Lausanne (EPFL), Vaud, Switzerland, Tech. Rep. EPFL-Rep.-151965,Sep. 2010.

[22] M. Raya, R. Shokri, and J.-P. Hubaux, “On the tradeoff between trust andprivacy in wireless ad hoc networks,” in Proc. WISEC, 2010, pp. 75–80.

[23] M. Mahmoud and X. Shen, “Pis: A practical incentive system for multihopwireless networks,” IEEE Trans. Veh. Technol., vol. 59, no. 8, pp. 4012–4025, Oct. 2010.

[24] Z. Li and H. Shen, “Game-theoretic analysis of cooperation incentivestrategies in mobile ad hoc networks,” IEEE Trans. Mobile Comput., Jul.28, 2011, to be published.

[25] C. Y. T. Ma, D. K. Y. Yau, N. K. Yip, and N. S. V. Rao, “Privacy vulnera-bility of published anonymous mobility traces,” in Proc. MobiCom, 2010,pp. 185–196.

[26] D. Chaum, “Untraceable electronic mail, return addresses, and digitalpseudonyms,” Commun. ACM, vol. 24, no. 2, pp. 84–88, Feb. 1981.

[27] K. Hoffman, D. Zage, and C. Nita-Rotaru, “A survey of attack and defensetechniques for reputation systems,” ACM Comput. Surv., vol. 42, no. 1,p. 1, Dec. 2009.

[28] S. Zhong, E. L. Li, Y. G. Liu, and Y. R. Yang, “On designing incentive-compatible routing and forwarding protocols in wireless ad hoc networks:An integrated approach using game-theoretical and cryptographic tech-niques,” in Proc. MobiCom, 2005, pp. 117–131.

[29] R. Lu, X. Lin, H. Zhu, X. Shen, and B. Preiss, “Pi: A practical incentiveprotocol for delay-tolerant networks,” IEEE Trans. Wireless Commun.,vol. 9, no. 4, pp. 1483–1493, Apr. 2010.

[30] T. Ketelaar and W. T. Au, “The effects of feelings of guilt on the be-havior of uncooperative individuals in repeated social bargaining games:An effect-as-information interpretation of the role of emotion in socialinteraction,” Cognit. Emotion, vol. 17, no. 3, pp. 429–453, 2003.

[31] A. Colman, “Cooperation, psychological game theory, and limitations ofrationality in social interaction,” Behav. Brain Sci., vol. 26, no. 2, pp. 139–153, 2003.

[32] M. Wubben, Social Functions of Emotions in Social Dilemmas.Rotterdam, The Netherlands: Erasmus Univ. Rotterdam, 2010.


[33] H. Luan, L. Cai, J. Chen, X. Shen, and F. Bai, “Vtube: Towards the mediarich city life with autonomous vehicular content distribution,” in Proc.SECON, 2011, pp. 359–367.

[34] F. Fukuyama, Trust: Social Virtues and the Creation of Prosperity.New York: Free, 1995.

[35] X. Boyen and B. Waters, “Full-domain subgroup hiding and constant-sizegroup signatures,” in Proc. PKC, 2007, pp. 1–15.

[36] X. Liang, Z. Cao, J. Shao, and H. Lin, “Short group signature withoutrandom oracles,” in Proc. ICICS, 2007, pp. 69–82.

[37] X. Li, N. Mitton, and D. Simplot-Ryl, “Mobility-prediction-based neigh-borhood discovery for mobile ad hoc networks,” in Proc. NETWORKING,2011, pp. 241–253.

Xiaohui Liang (S’10) is currently working towardthe Ph.D. degree with the Department of Electricaland Computer Engineering, University of Waterloo,Waterloo, ON, Canada.

Currently, he is also a Research Assistant with theBroadband Communications Research Group, Uni-versity of Waterloo. His research interests includesecurity and privacy for e-healthcare systems andmobile social networks.

Xu Li received the B.Sc. degree in computer sciencefrom Jilin University, Changchun, China, in 1998,the M.Sc. degree in computer science from the Uni-versity of Ottawa, Ottawa, ON, Canada, in 2005, andthe Ph.D. degree in computer science from CarletonUniversity, Ottawa, in 2008.

He is currently a Research Scientist with the In-stitut National de Recherche en Informatique et enAutomatique (Inria) Lille–Nord Europe, Villeneuved’Ascq, France. Prior to joining Inria, he was a Post-doctoral Fellow with several institutions, including

the University of Waterloo, Waterloo, ON, Canada; Inria/Centre National de laRecherche Scientifique, France; and the University of Ottawa. From Januaryto August 2004, he was a Visiting Researcher with the National ResearchCouncil Canada. He serves on the editorial board of the Wiley Transactionson Emerging Telecommunications Technologies, Ad Hoc and Sensor WirelessNetworks, and Parallel and Distributed Computing and Networks. He has beena Guest Editor for Mobile Networks and Applications, Peer-to-Peer Networkingand Applications, the Journal of Communications, Computer Communications,and Ah Hoc and Sensor Wireless Networks. His research interests includemachine-to-machine communications and mobile social networks, with morethan 50 different works published in refereed journals, conference proceedings,and books.

Dr. Li has been a Guest Editor for the IEEE TRANSACTIONS ON PARALLEL

AND DISTRIBUTED SYSTEMS. He received the recipient of the Natural Sci-ences and Engineering Research Council of Canada Postdoctoral FellowshipProgram and a number of other awards.

Tom H. Luan received the B.E. degree from Xi’anJiaotong University, Xi’an, China, in 2004 and theM.Phil. degree in electronic and computer engineer-ing from the Hong Kong University of Science andTechnology, Kowloon, Hong Kong, in 2007. He iscurrently working toward the Ph.D. degree with theDepartment of Electrical and Computer Engineering,University of Waterloo, Waterloo, ON, Canada.

His research interests include wired and wirelessmultimedia streaming and content distribution invehicular networks.

Rongxing Lu (M’10) received the Ph.D. degree incomputer science from Shanghai Jiao Tong Univer-sity, Shanghai, China, in 2006 and the Ph.D. degreein electrical and computer engineering from the Uni-versity of Waterloo, Waterloo, ON, Canada, in 2008.

He is currently a Postdoctoral Fellow with theBroadband Communications Research Group, De-partment of Electrical and Computer Engineering,University of Waterloo. His research interests in-clude wireless network security, applied cryptogra-phy, and trusted computing.

Xiaodong Lin (SM’12) received the Ph.D. degreein information engineering from Beijing Universityof Posts and Telecommunications, Beijing, China,in 1998 and the Ph.D. degree (with OutstandingAchievement in Graduate Studies Award) in electri-cal and computer engineering from the University ofWaterloo, Waterloo, ON, Canada, in 2008.

He is currently an Assistant Professor of infor-mation security with the Faculty of Business andInformation Technology, Institute of Technology,University of Ontario, Oshawa, ON. His research

interests include wireless network security, applied cryptography, computerforensics, software security, and wireless networking and mobile computing.

Dr. Lin received the recipient of the Canada Graduate Scholarship DoctoralProgram from the Natural Sciences and Engineering Research Council ofCanada and the Best Paper Award at the 18th International Conference onComputer Communications and Networks in 2009, the Fifth InternationalConference on Body Area Networks in 2010, and the 2007 IEEE InternationalConference on Communications.

Xuemin (Sherman) Shen (F’09) received the B.Sc.degree in electrical engineering from Dalian Mar-itime University, Dalian, China, in 1982 and theM.Sc. and Ph.D. degrees in electrical engineeringfrom Rutgers, The State University of New Jersey,Piscataway, in 1987 and 1990, respectively.

He is currently a Professor and the UniversityResearch Chair with the Department of Electricaland Computer Engineering, University of Waterloo,Waterloo, ON, Canada. His research interests includeresource management in interconnected wireless/

wired networks, ultra-wideband wireless communications networks, wirelessnetwork security, wireless body area networks, and vehicular ad hoc and sensornetworks. He is a coauthor of three books and has published more than 400papers and book chapters on wireless communications and networks, control,and filtering.

Dr. Shen is a Fellow of the Engineering Institute of Canada and the CanadianAcademy of Engineering. He is a registered Professional Engineer in theProvince of Ontario and was a Distinguished Lecturer of the IEEE Commu-nications Society (ComSoc). He is the Editor-in-Chief of IEEE NETWORK

and will serve as a Technical Program Committee Cochair of the 2014 IEEEInternational Conference on Computer Communications. He is the Chair ofthe IEEE ComSoc Technical Committee on Wireless Communications andPeer-to-Peer Communications and Networking and a Voting Member of theIEEE ComSoc GLOBECOM/ICC Technical Contents (GITC) Committee. Hewas a Founding Area Editor for the IEEE TRANSACTIONS ON WIRELESS

COMMUNICATIONS and a Guest Editor for the IEEE JOURNAL ON SELECTED

AREAS IN COMMUNICATIONS, IEEE WIRELESS COMMUNICATIONS, and theIEEE COMMUNICATIONS MAGAZINE. He also served as the Technical Pro-gram Committee Chair of the 2007 IEEE Global Communications Conference(GLOBECOM), the Tutorial Chair for the 2008 IEEE International Conferenceon Communications (ICC), and the Symposia Chair for ICC 2010. He receivedthe Excellent Graduate Supervision Award in 2006, the Outstanding Perfor-mance Award from the University of Waterloo in 2004, 2007, and 2010, andthe Premier Research Excellence Award in 2003 from the Province of Ontario.

morality-driven data forwarding with privacy preservation

Documents