1

Batch Identification Game Model for InvalidSignatures in Wireless Mobile Networks

Jing Chen, Kun He, Quan Yuan, Guoliang Xue, Fellow, IEEE, Ruiying Du, and Lina Wang

Abstract—Secure access is one of the fundamental problems in wireless mobile networks. Digital signature is a widely used techniqueto protect messages’ authenticity and nodes’ identities. From the practical perspective, to ensure the quality of services in wirelessmobile networks, ideally the process of signature verification should introduce minimum delay. Batch cryptography technique is apowerful tool to reduce verification time. However, most of the existing works focus on designing batch verification algorithms forwireless mobile networks without sufficiently considering the impact of invalid signatures, which can lead to verification failures andperformance degradation. In this paper, we propose a Batch Identification Game Model (BIGM) in wireless mobile networks, enablingnodes to find invalid signatures with reasonable delay no matter whether the game scenario is complete information or incompleteinformation. Specifically, we analyze and prove the existence of Nash Equilibriums (NEs) in both scenarios, to select the dominantalgorithm for identifying invalid signatures. To optimize the identification algorithm selection, we propose a self-adaptive auto-matchprotocol which estimates the strategies and states of attackers based on historical information. Comprehensive simulation results interms of NE reasonability, algorithm selection accuracy, and identification delay are provided to demonstrate that BIGM can identifyinvalid signatures more efficiently than existing algorithms.

Index Terms—Batch identification, game theory, wireless mobile networks.

F

1 INTRODUCTION

IN the past few years, Wireless Mobile Networks (WMNs)have been dramatically developed due to the prolifera-

tion of inexpensive, widely available wireless mobile de-vices [1]. With the increasing number of mobile applications,such as social media networks, GPS, yelp, etc., people’s lifehas been inseparable from mobile devices which can accessthe Internet at anytime and anywhere. However, due tothe openness characteristic of wireless channels, it becomeseasier for malicious nodes to interfere the access processby tampering or forging request messages [2]. To protectthe security of access, one effective approach is to signeach outgoing message with a digital signature, and let thedestination verify each received signature [3]. Generally, sig-nature verification induces extra delay and computationalcost. The traditional way that verifying messages signaturesindividually could induce tremendous delay and severelyaffect the Quality of Service (QoS), especially when networktraffic is heavy and a large number of signatures need to beverified [4].

To reduce verification delay and ensure QoS, researchersproposed the batch cryptographic technique which is apromising new direction in computer and communicationsecurity. The concept of batch cryptography was introducedby Fiat [5] in 1990 for an RSA-type signature, and the firstefficient batch verifier was proposed by Naccache et al. [6] in1994 for DSA-type signatures. Currently, researchers focus

• J. Chen, K. He, R.Y. Du, L. N. Wang are with the Computer School,Wuhan University, China, 430072.E-mail: chenjing@whu.edu.cn

• Q. Yuan is with Department of Math and Computer Science, Universityof Texas-Permian Basin, TX, USA.

• G. L. Xue is with the School of Computing, Informatics, and DecisionSystems Engineering, Arizona State University, Tempe, AZ, USA.

on two directions to apply the batch cryptography conceptin WMNs: batch verification and batch identification.

Batch verification deals with n (message, signature) pairsas a batch at a time [7]. As a result, compared with thetraditional way, the validity of a batch can be checked moreefficiently, and the verification delay can be remarkablyreduced. In detail, batch verification methods return trueif all of the n signatures are valid, and false when there isany invalid one. In 2008, considering that the verificationof massive messages may induce huge time cost in mobilenetworks, Yu et al. [8] proposed an efficient identity-basedbatch verification scheme to reduce the delay in networkcoding. Zhang et al. [9] discussed a batch signature verifica-tion scheme for the communications between mobile nodesand the infrastructure to lower the total verification time.Horng et al. [10] presented a group signature and batch ver-ification method for secure pseudonymous authenticationin VANET. Unfortunately, even though those schemes couldprotect the authenticity of messages, their performance canbe severely affected if there are invalid signatures existingin the verified batch. Adversaries can negate the advantagesof batch verification by polluting signatures within a batch.It is unrealistic to completely prevent all adversaries fromgenerating false messages with invalid signatures. Thus, toguarantee the performance of batch verification, we shouldidentify invalid signatures in a batch rapidly.

Batch identification is a technique to find the bad sig-natures within a batch when the batch verification fails.Due to the inefficiency of individual identification, divide-and-conquer techniques have been proposed to improvethe performance of batch identification [11]. Those methodscan significantly reduce the identification time at differentlevels. Existing batch identification algorithms have beendeveloped into two main branches: special and generic. The

2

special methods are designed for certain batch signaturetypes such as RSA-type, DSA-type, and pairing-type. Leeet al. [12] proposed a method to identify bad signaturesin RSA-type batches. Later, Law and Matt [13] presenteda quick binary and exponentiation method to find invalidsignatures. Stanek [14] showed that the method in [12] wasflawed, and proposed an improved protocol to resist attacks.Matt [15] discussed a solution in pairing-based signaturescheme, which can identify nontrivial numbers of invalidsignatures in batches. Though these works are state-of-the-art, it is challenging to apply them with various batchverification algorithms.

On the other side, the generic batch identification meth-ods utilize the group testing technique [16] to find invalidsignatures with the minimal number of tests, which can beapplied with any signature types. Pastuszak et al. [11] de-signed a divide-and-conquer verifier, which splits an batchinstance into sub ones, and applied the generic test to eachsub-batch recursively, until all bad signatures are identified.Zaverucha et al [16] presented and compared some grouptesting algorithms for finding invalid signatures. Zhang etal. [17] adopted the group testing technique to find invalidsignatures in a batch in mobile networks. Lee et al. [18]proposed a secure batch verification with group testingto improve the real-time performance of mobile networks.Note that those generic methods are usually suitable fora specific attack situation in terms of the number of in-valid signatures. Their performance may severely degradeif the number of invalid signatures varies, when the attackstrategy is changed by the movement of adversaries or thealteration of false message attacking frequency. To selectthe most suitable batch verification algorithm, Akinyele etal. [19] first proposed an automated tool. However, they didnot sufficiently consider the automatic selection of batch i-dentification. Therefore, designing a generic and auto-matchbatch identification solution towards the heterogeneous anddynamic attack scenario becomes significant.

In this paper, we propose a Batch Identification GameModel (BIGM) in WMNs, enabling nodes to identify invalidsignatures with a reasonable delay under heterogeneousand dynamic attacks. To enhance the flexibility of ourmodel, we subdivide BIGM into Batch Identification GameModel with Complete information (C-BIGM) and BatchIdentification Game Model with Incomplete information (I-BIGM) to protect regular nodes from the attacks of invalidsignatures in different scenarios. In our model, a mobilenode may be a regular one or a malicious one, and the gameoccurs between a regular node and its malicious neighbors.The regular node, as a verifier, aims at finding the invalidsignatures to eliminate the impact of malicious nodes. Themalicious neighbors, as attackers, intend to interpose batchverification process by broadcasting false messages signedby invalid signatures with different frequencies. Our maincontributions are summarized as follows.

• To evaluate the effectiveness of batch identification,we recast three generic batch identification algo-rithms based on the group testing techniques usedin [17]. We analyze and compare the time com-plexities of these algorithms with experiments. Weobserve that none of them has universal advantages

in all situations. Therefore, we need an auto-matchscheme to choose the batch identification algorithmadaptively, when the attack strategy changes.

• We design a game model to find the dominant batchidentification algorithm against various attack strate-gies. We analyze and prove the existence of Nashequilibriums in the complete information scenarioand the incomplete information scenario, respective-ly. Note that the members in strategy set are alter-native, as long as these generic batch identificationalgorithms have their own advantages under differ-ent attack strategies. Thus, our game model providesa paradigm to select the dominant one to identifyinvalid signatures. Furthermore, BIGM is a genericsolution, which can be equipped with any batchsignature scheme.

• Considering that the dominant strategy may notalways be the optimal choice, we propose a self-adaptive auto-match protocol to improve the selec-tion accuracy of the batch identification algorithmbased on history information. From the analysis andsimulations, we find that it can effectively strengthenthe prediction accuracy of nodes’ states and the sen-sitivity of attack perception, and reduce the averageidentification delay of the whole network.

The reminder of the paper is organized as follows. InSection 2, we state the problem. In Section 3, three genericbatch identification algorithms are recast and analyzed. InSection 4, we discuss the batch identification game modelswith complete information and incomplete information. InSection 5, a self-adaptive auto-match batch identificationprotocol is presented as an important part of our gamemodel. In Section 6, we evaluate the performance of ourscheme. Finally, section 7 concludes the paper.

Compared with our conference version [20], we makesignificant improvements in four aspects as follows. First,we complement each batch identification algorithm withthe analysis of time complexity. Secondly, we extend ourgame model to support both the complete information andthe incomplete information scenarios at the same time.Thirdly, we propose a self-adaptive auto-match protocol toimprove the prediction accuracy of nodes’ states. Finally, weredesign the simulations to analyze the reasonability of NE,the selection accuracy of algorithms, and the identificationdelay, respectively.

2 PROBLEM STATEMENT

2.1 Network Model

We consider that the network has two layers as shown inFig. 1. The bottom layer consists of mobile nodes accessingthe network via GSM, 3G, etc. Each node has its ownpublic/private keys, which are used to sign the outgoingmessages and to verify the signatures of the received mes-sages. The top layer is composed of an authority centerand base stations. The authority center manages the keyoperations of all regular nodes which can be authenticat-ed and authorized by offline or other methods, includinggeneration, distribution, storage, update, and destruction. Ifmobile nodes directly communicate with each other by wifi,

3

Verifier

Attacker

Wireless

link

Authoritiy

server

Fig. 1. The Network Model

bluetooth, etc., they should mutually verify the validity ofthe other party. If base stations forward messages, they haveto verify the validity of requests. Hence, both base stationsand mobile nodes can be attack targets. They should protecttheir own security, and identify invalid signatures in falsemessages by themselves.

2.2 Attack Model

We assume that the network consists of regular nodes(called verifiers), and malicious nodes (called attackers),which are the two players in the game. For a verifier, itsattackers intend to interpose its batch verification process bybroadcasting false messages with invalid signatures, whilethe verifier needs to identify the invalid signatures quicklyto resist the attack. Note that the verifier is one player andall its malicious neighbors act as another player. In thispaper, the verifier can be a base station or a mobile node.In addition, in our attack model, the capability of attackersis described as follows.

• Attackers cannot interfere or control the distributionprocess of key pairs, while those private keys can bedistributed by a secure channel or offline method-s. They launch attacks in the way of broadcastingfalse messages with invalid signatures, to disturbthe batch verification process, and to consume theverifier’s resources.

• Each attacker can choose and change the number offalse messages at will. The verifier selects its strategyaccording to the sum of invalid signatures from itsmalicious neighbors.

• Attackers are divided into different types based ontheir preferences. For example, some attackers con-sider the risk of being traced, but others do not havesuch concerns.

• Attackers can acquire the public information of theverifier, such as the public key and the cryptographicalgorithm.

TABLE 1DESCRIPTION OF MAJOR NOTATIONS

Notation Descriptionn The number of signatures which are needed to be

verified in each roundd The upper bound number of invalid signatures in a

batchlog x log2 x

⌈x⌉ (⌊x⌋) The smallest (largest) integer not less (greater) thanx

MA(d, n) The worst-case number of tests required by algorith-m A

CnBV The cost of batch verification for n signatures. It

equals to the number of tests requiredQ The communication benefit in ideal network envi-

ronmentαi(j) The cost of verifier i when it chooses the batch

identification algorithm j

σA(l) The attack cost which equals to the number ofinvalid messages. Attack strategy l ∈ {H,L} whileH indicates high attack frequency and L indicateslow attack frequency.

α(j, k) The cost of batch identification algorithm. It is deter-mined by verification strategy j ∈ {CBI,MRI, II}and attack strategy k ∈ {H,L}, and it equals to thenumber of tests required.

Sha The attackers’ strategy in round h.

2.3 Design Goals and Notations

The main idea of our game model is to help regular nodes toselect the suitable batch identification algorithm no matterwhat the attack strategy is. We refine it as follows.

• BIGM has strong flexibility to handle various sce-narios, such as complete information or incompleteinformation, static or dynamic, and homogeneous orheterogeneous.

• BIGM is a distributed scheme which means that itcan work well even if the authority center is off-line.Each regular node assesses current attack strategy itfaces and determines the defence strategy accordingto the history information collected by itself.

• BIGM has the self-evolution ability to continuallyoptimize the selection accuracy of batch identifica-tion algorithm from two aspects. One is that it canselect more reasonable strategy, not just dependingon Nash Equilibrium. The other is that it can dynam-ically adjust the estimation results and improve theaccuracy as time goes.

The main notations are summarized in Table 1.

3 GENERIC BATCH IDENTIFICATION ALGORITHMS

Generic batch identification algorithms for a bad batch usu-ally adopt the group testing technique. In this section, wedescribe and analyze the idea of three generic algorithmsbased on the representative group testing techniques, in-cluding individual identification, generalized binary split-ting, and Li’s scheme [17], to identify d invalid signatures ina batch of n messages.

4

3.1 Individual Identification

One simple solution to identify all invalid signatures in abad batch, is to verify each signature individually. Note thatsignatures are not aggregated with others until all invalidsignatures have been found. Many schemes, which mainlyfocus on the batch verification process, adopt this algorithm.That is, once the batch verification fails, Individual Identi-fication (II) is employed to find all the invalid signatures.Obviously, the time complexity of II is O(n), where n is thenumber of signatures to verify, as shown in Table 1.

3.2 Condensed Binary Identification

Algorithm 1: Condensed Binary Identification Algo-rithm1 while true do2 if n ≤ 2d− 2 then3 Verify n messages using II;4 return;5 else6 z = n− d+ 1;7 θ = ⌊log (z/d)⌋;8 end9 Verify the prevenient 2θ messages with batch

verification;10 if verification succeeds then11 n = n− 2θ ;12 continue;13 else14 identify an invalid signature by basic binary

identification after verifying v messages;15 n = n− 1− v;16 d = d− 1;17 continue;18 end19 end

Inspired by the basic binary identification algorithmin [16], we present an improved scheme called the CondensedBinary Identification (CBI) algorithm. In the basic binaryidentification, it first divides the n messages into two groupsof equal size. Then, those two groups are verified usingbatch verification individually. If the batch verification suc-ceeds, there is no invalid signature in that group. Otherwise,messages in that group will be further divided into two sub-groups, and each sub-group is verified individually. Thatprocess repeats until all of the messages pass the batchverification. CBI improves the basic binary identificationby adjusting the group size for efficiency. Concerning theprobability, the ideal situation is that, each sub-group of⌈n/d⌉ messages has one invalid signature, where ⌈n/d⌉denotes the smallest integer not less than n/d. If we canadjust the sub-group size based on the number of theremaining invalid signatures, it can reduce the number ofreverifications in attacks. CBI is described as Algorithm 1,where z, θ and v are three intermediate variables.

Theorem 3.1. Assuming θ = ⌊log(z/d)⌋, and z = 2θd +2θk1 + k2, where k1 ≥ 0, and 0 ≤ k2 < 2θ , we have the

worst-case number of required verifications of CBI, MCBI(d, n)as,

MCBI(d, n) =

{n for n ≤ 2d− 2θd+ k1 for n ≥ 2d− 1

(1)

the time complexity of CBI is O(d log(n/d)).

Algorithm 2: Multiple Rounds Identification Algorith-m1 Copy n sample messages to test batch;2 while i ≤ m do3 γi =

⌈(n/d)

m−im

⌉;

4 δi = ⌊n/γi⌋+ 1;5 Divide test batch into δi groups of γi messages

(may be less than γi in the last group);6 for j = 0 to j < δi do7 if Batch verification on group j succeeds then8 Remove the contents of group j from

test batch;9 end

10 j ++;11 end12 i = i+ 1;13 end14 return test batch;

Proof: According to CBI, if n ≤ 2d − 2, it ver-ifies n messages using II. Hence, MCBI(d, n) = n. Ifn ≥ 2d − 1, there are two cases to consider. One is thatthe first 2θ samples are valid, while the other is that the first2θ sample messages include invalid signatures. Therefore,MCBI(d, n) = {1+MCBI(d, n−2θ), θ+MCBI(d−1, n−1)}.

Case 1: MCBI(d, n) = 1+MCBI(d, n− 2θ). Due to n′ =n−2θ and d′ = d, we have z′ = n′−d′+1 = n−2θ−d+1 =z − 2θ . Then,

z′ =

{2θd+ 2θ(k1 − 1) + k2 for k1 ≥ 12θd+ (k2 − 2θ) for k1 = 0

By mathematical induction,

MCBI(d, n− 2θ) =

{(θ + 2)d+ k1 − 2 for k1 ≥ 1(θ + 1)d+ d− 2 for k1 = 0

Case 2: MCBI(d, n) = θ + MCBI(d − 1, n − 1). Due ton′ = n− 1 and d′ = d− 1, we have z′ = n′ − d′ + 1 = z

z′ =

{2θd+ 2θk1 + k2 for k1 ≤ d− 22(θ+1)d− 2(θ+1) + k2 for k1 > d− 2

Hence, by mathematical induction

MCBI(d−1, n−1) =

{(θ + 2)(d− 1) + k1 + 1 for k1 ≤ d− 2(θ + 3)(d− 1) for k1 > d− 2

Consequently, for both cases under n ≥ 2d − 1, k1 = 0and k1 > d− 2 are mutually exclusive, we have

MCBI(d, n) = (θ+2)d+k1−1, for n ≥ 2d−1, 1 ≤ k1 ≤ d−2

Because θ = ⌊log(z/d)⌋, the time complexity of CBI isO(d log(n/d)).

5

3.3 Multiple Rounds IdentificationIn Multiple Rounds Identification (MRI) algorithm, we identifythe invalid signatures in an iterative way which has m(2 ≤ m ≤ n) rounds, as described in Algorithm 2. In the firstround, the n pending messages are divided into δ1 groups,and each group has γ1 messages except the last group. Then,each group is verified respectively. The groups identifiedwith invalid signatures are aggregated as a new pendingmessage batch. In the second round, that new message batchis divided into δ2 groups of γ2 messages. In general, inround i, 2 < i < m, messages from the contaminated groupsof round i − 1 are pooled, and arbitrarily divided into δigroups of γi size except the last group whose size may besmaller than γi. A batch verification test is performed oneach group. Note that γm is set to be 1. Thus every invalidsignature is identified at round m.

Theorem 3.2. Let MmMRI(d, n) denote the number of verifi-

cations required by MRI algorithm in the worst case, we haveMm

MRI(d, n) ≤ ed ln(n/d), where e is the base of naturallogarithm. The time complexity of MRI is O(log(n/d)).

Proof: To simplify the proof, we assume that n isdivisible by γ1. There are three cases in our proof.

Case 1: m = 1. This case corresponds to the II algorithm.Thus M1

MRI(d, n) = n.Case 2: m = 2. In this case, we have

M2MRI(d, n) = δ1 + δ2 ≤ n

γ1+ dγ1

Since γ1 =⌈(nd )

m−1m

⌉, we have δ1 ≤

√nd and

M2MRI(d, n) ≤ 2

√nd.

Case 3: m is general in this case. Obviously,

MmMRI(d, n) =

m∑i=1

δi ≤n

γ1+

dγ1γ2

+ . . .+dγm−2

γm−1+ dγm−1

Due to γi =⌈(nd )

m−im

⌉, γi ≥ (nd )

m−im , where 1 ≤ i ≤ m− 1.

That gives δi ≤ d(nd )( 1m ), and Mm

MRI(d, n) ≤ md(nd )( 1m ).

The first derivative of the above upper bound withrespect to a continuous m is

d(n

d)

1m (

m− ln nd

m),

which has a unique root m = ln(nd ). Obviously, m = ln(nd )is the unique maximum of the upper bound. Hence, we have

MmMRI(d, n) ≤ md(

n

d)(

1m ) ≤ ed ln(

n

d)

To execute the algorithm, one needs to compute theoptimal m and γi for i = 1, . . . ,m. Each γi can be computedwithin constant time. With approximating the optimal mby the ceiling or floor function of log(nd ) , MRI algorithm’scomplexity is O(log (n/d)).

3.4 Performance ComparisonBased on the above analysis, we summarize the timecomplexity of these algorithms in Table 2. In addition, inFig. 2, we investigate the relationship between the numberof invalid signatures and the number of required batchverification tests, when the number of messages n varies.

TABLE 2Batch Identification Algorithms Comparison

Algorithm ComplexityIndividual Identification (II) O(n)

Condensed Binary Identification (CBI) O(d log(n/d))

Multiple Rounds Identification (MRI) O(log(n/d))

0 5 10 15 20 25 30 350

20

40

60

80

100

120

140

160

180

The upper−bound number of invaild signatures(d) n=100

The

num

ber

of te

sts

requ

ired

IICBIMRI

point 1

(a) Messages n = 100

0 10 20 30 40 500

50

100

150

200

250

300

The upper−bound number of invaild signatures(d) n=150

The

num

ber

of te

sts

requ

ired

IICBIMRI

point 1

(b) Messages n = 150

0 10 20 30 40 50 60 700

50

100

150

200

250

300

350

The upper−bound number of invaild signatures(d) n=200

The

num

ber

of te

sts

requ

ired

IICBIMRI

point 1

(c) Messages n = 200

0 10 20 30 40 50 60 70 800

50

100

150

200

250

300

350

400

450

500

The upper−bound number of invaild signatures(d) n=250

The

num

ber

of te

sts

requ

ired

IICBIMRI

point 1

(d) Messages n = 250

Fig. 2. The number of required batch verifications

Figs. 2(a)-(d) present the situation where n is equal to 100,150, 200, and 250, respectively. The result shows that givena specific n, the number of required batch verificationsascends as the number of invalid signatures upper-boundincreases in CBI and MRI, but not in II. Also, CBI hasa lower start point and a larger slope, while MRI has ahigher start point, and its slope turns smaller. As a result,in Fig. 2, CBI and MRI eventually meet at a point, markedas point 1. For our game model design, we define thatpoint 1 as the demarcation point of attack strategy, becausethe optimal batch identification algorithm is changed atthat point. That is, if the number of invalid signatures isless than that of the demarcation point, given the messagenumber n, it means that attackers adopt the low-frequencyattack, denoted by strategy L. Otherwise, they employ thehigh-frequency attack, represented by strategy H . Each batchidentification algorithm has its own advantage under aspecific attack strategy. If we can automatically choose thebatch identification algorithms based on the attack strategy,it can achieve better performance.

4 BATCH IDENTIFICATION GAME MODEL

The algorithms in Section 3 assist verifiers to find invalidsignatures when the batch verification fails. From Fig. 2,we see that it is challenging to find an optimal algorithmfor a general purpose, since those algorithms have differentcapabilities under different attack strategies. Therefore, thefirst step of our scheme is to find the dominant strategy bythe game model from the three algorithms in Section 3.

6

Attackers

Verifier

MRI

CBI

Verifier

L

H

II

CBI

II

MRI

(1, ) ( ), (1, )n n

BV BVC H H Q C Ha s a+ - - -

(2, ) ( ), (2, )n n

BV BVC L L Q C La s a+ - - -

(1, ) ( ), (1, )n n

BV BVC L L Q C La s a+ - - -

(3, ) ( ), (3, )n n

BV BVC H H Q C Ha s a+ - - -

(2, ) ( ), (2, )n n

BV BVC H H Q C Ha s a+ - - -

(3, ) ( ), (3, )n n

BV BVC L L Q C La s a+ - - -

a

b

c

Fig. 3. Two-stage complete information game tree of C-BIGM

To satisfy the flexibility requirement of our design goal,we consider two general scenarios in wireless mobile net-works, respectively. In the first scenario, the verifier knowsthe strategy set and payoff function of attackers. Towardsthis scenario, we propose the Batch Identification Game Modelwith Complete information (C-BIGM). For the second one,we consider a more pervasive situation where the verifiercannot acquire exact information of attackers, and attack-ers may adopt different strategies at a certain probability.Towards this scenario, we propose the Batch IdentificationGame Model with Incomplete information (I-BIGM). Obviously,C-BIGM and I-BIGM are the specific instances of BIGM.

4.1 Game Model DefinitionWe consider the problem between a verifier and its attackersas a dynamic game, where attackers select the attack strate-gy first, and the verifier picks the batch identification algo-rithm accordingly. The definition of BIGM is represented bya triple (PL, S, U), where PL is the player set, S denotes thestrategy set of players, and U stands for the payoff functionset. The detailed description is as follows.

4.1.1 PlayersThe player set is represented by PL = {PLi}li=1, where i isthe index number of a player, and l is the total number ofplayers. Obviously, the set PL includes two players (l = 2).One is the verifier, and the other is the attackers, which arethe verifier’s malicious neighbors.

4.1.2 Strategy setThe strategy set of players is S = {Sa, Sv}. Different playersin the game may have different strategies. For attackers, theadopted strategies fall into two types, high-frequency attackH and low-frequency attack L, in terms of the total numberof invalid signatures. Hence, the strategy set of attackersis denoted as Sa = {H,L}. Note that the attack strategy isdetermined by the sum of invalid signatures of the verifier’smalicious neighbors, while each malicious neighbor canrandomly select its false message number. On the other side,the verifier’s strategy set is Sv = {CBI,MRI, II}, whichincludes the three batch identification algorithms defined inSection 3.

4.1.3 Payoff functionEach regular node acts as a verifier to protect its QoS. LetQ denote the communication benefit in an ideal mobile

Attackers

L

H

(1, ) ( ), (1, )n n

BV BVC L L Q C La s a+ - - -

(2, ) ( ), (2, )n n

BV BVC H H Q C Ha s a+ - - -

Fig. 4. The simplified game tree of C-BIGM

network environment. For the verifier V , the payoff functionis uV = bV − cV , where bV is the communication benefitQ, and cV indicates the total cost of batch verificationand batch identification. The cost of batch verification forn messages, denoted as Cn

BV , is determined by the batchverification algorithm. The cost of batch identification algo-rithm is represented by α(j, k), which is determined by theidentification strategy j ∈ {CBI,MRI, II}, and the attackstrategy k ∈ {H,L}. To simplify notations, we use 1, 2, 3to index the algorithm CBI, MRI, and II. Note that α(j, k)is determined by the number of required batch verificationtests. With the above discussion, the payoff function of theverifier V can be defined as uV = Q− Cn

BV − α(j, k).Recall that the intention of attackers is to consume the

verifier’s resources by broadcasting false messages, andeventually to downgrade the QoS of the wireless mobilenetwork. The payoff function of attackers A is uA = bA−cA,where bA is the loss of QoS, which is affected by the verifi-cation cost of the verifier. Therefore bA = Cn

BV + α(j, k).cA indicates the attack cost, which is determined by thenumber of the broadcasted false messages with invalidsignatures, denoted by σ(k) (k ∈ {H,L}). Therefore, thepayoff function is uA = Cn

BV + α(j, k)− σ(k).

4.2 Batch Identification Game Model with Complete In-formationIn this game scenario, attackers launch Denial of Service(DoS) attack by sending different quantities of invalid signa-tures, and the verifier selects batch identification algorithmafter the failure of batch verification. Because the verifiercan observe its neighboring attackers’ behaviors, and makedecision afterwards, obviously it is a two-stage sequentialgame.

According to the analysis in Section 3, we have σ(L) <σ(H). The performance difference of batch identificationalgorithms depends on the total quantity of messages, andthe upper bound of invalid signatures number. From Fig.2, we have α(1, L) < α(2, L) < α(3, L) when attackersadopt strategy L, and α(2,H) < α(3,H) < α(1,H) whenattackers employ strategy H . Taking all those factors intoconsideration, from Fig. 2, we can achieve that

α(1, L) < α(2, L) < α(2,H)

< α(3, L) = α(3,H) < α(1, H) (2)

In addition, the verifier can acquire the total number ofmessages by sniffing, but it can hardly estimate the accurateupper bound of the invalid signatures number. The goalof C-BIGM is to find the most suitable batch identificationalgorithm for the verifier in this scenario. We analyze C-BIGM with a two-stage game tree in Fig. 3.

Theorem 4.1. The C-BIGM has a pure strategy Nash equilibri-um.

7

Proof: Since C-BIGM is a two-stage sequential game,we analyze it in each stage. Fig. 3 shows that attackers selectattack strategy in stage 1, and the verifier chooses the batchidentification algorithm in stage 2 when batch verificationfails.

First of all, let us consider the choice of the verifierin stage 2 after attackers have employed a specific attackstrategy. If the attack strategy is L, which means that at-tackers send a relatively small number of false messages,the game moves to branch c of game tree in Fig. 3. Asthe previous analysis, for the verifier, we can get α(1, L) <α(2, L) < α(3, L). Hence, the CBI algorithm can bring thelargest benefit to the verifier, and it is the best choice forthe verifier under attack strategy L. If the attack strategy isH , which means that a significant number of false messagesare sent by attackers, the game moves to branch b of gametree. Due to α(2,H) < α(3,H) < α(1,H), accordingly, theMRI algorithm is the dominant option for the verifier in thiscase. In a word, if attackers select strategy L, the verifier willchoose CBI. Otherwise, the verifier will adopt MRI for batchidenfitication. As a result, we can simplify the game tree asFig. 4.

Secondly, we analyze the choice of attackers in stage 1from Fig. 4. From the simplified game tree, attackers onlyneed to compare the benefit of strategy H with that ofstrategy L. From Section 4.1.3, we can find that α(j, k) isdetermined by the number of required batch verificationtests, and σ(k) is determined by the number of the broad-casted false messages with invalid signatures. The delay ofone batch verification for n signatures is in the range of0.87n + 6.42 ms to 6.6n + 6.42 ms according to differentalgorithms, while the delay for forging one false messageis only about 0.2 ms [10]. Moreover, from Fig.2, we observethat the number of required batch verification tests increasesgreater than the upper-bound number of invalid signatures.For instance, in Fig.2(a) which has the smallest n and therequired test number in figs.2(a)-(d), if the attack strategy ischanged from L to H (e.g., 10 to 30), the number of testsrequired varies from 63 to 98. In other figures, the gap willbecome larger. Therefore, we can get

α(2,H)− α(2, L) > σ(H)− σ(L) (3)

From Equation (2), we can get

α(2, H) > α(2, L) > α(1, L) (4)

Hence,

α(2,H)− α(1, L) > α(2, H)− α(2, L) > σ(H)− σ(L) (5)

Because CnBV +α(2,H)−σ(H) > Cn

BV +α(1, L)−σ(L),the benefit of strategy H is higher than that of strategy Lfor attackers. As a result, attackers will adopt strategy H .Considering the analysis of stage 2 in game tree, we knowthat the verifier will choose MRI algorithm. Therefore, C-BIGM has a pure Nash equilibrium (H,MRI).

Notice that we only consider the number of verificationsrequired, and the invalid signatures as the cost, if morefactors are considered, such as the consumption differencebetween sending and receiving packets, the choice of at-tackers may be changed, and the Nash equilibrium is not(H,MRI) any more. However, from the previous analysis,

Hot-head

attackers

Verifier

MRI

CBI

Verifier

L

HII

CBI

II

MRI

Cautious

attackers

Verifier

MRI

CBI

Verifier

L

HII

CBI

II

MRI

Nature

P

1-P

(1, ) ( ), (1, )n n

BV BVC H H Q C H

(3, ) ( ) ( ), (3, )n n

BV BVC L L L Q C L

(1, ) ( ) ( ), (1, )n n

BV BVC L L L Q C L

(2, ) ( ) ( ), (2, )n n

BV BVC H H H Q C H

(3, ) ( ) ( ), (3, )n n

BV BVC H H H Q C H

(2, ) ( ), (2, )n n

BV BVC L L Q C L

(1, ) ( ), (1, )n n

BV BVC L L Q C L

(3, ) ( ), (3, )n n

BV BVC H H Q C H

(2, ) ( ), (2, )n n

BV BVC H H Q C H

(2, ) ( ) ( ), (2, )n n

BV BVC L L L Q C L

(3, ) ( ), (3, )n n

BV BVC L L Q C L

(1, ) ( ) ( ), (1, )n n

BV BVC H H H Q C H

Fig. 5. The game tree of I-BIGM after Harsanyi transformation

we can conclude that the pure Nash equilibrium still existsno matter which strategy attackers select.

4.3 Batch Identification Game Model with IncompleteInformation

In this section, we analyze the other instance I-BIGM for amore ubiquitous situation. Generally, attackers hiding in thedarkness can monitor and collect the verifier’s informationas common knowledge. However, it is hard for the verifierto acquire the complete information of attackers in advance.Recall that there are different types of attackers with variouspreferences in wireless mobile networks, and each attackersends different number of false messages. The verifier doesnot exactly know which strategies are adopted by whichtype of attackers. I-BIGM is designed toward that scenario.

Specifically, we divide attackers into two types based ontheir preferences. One type is hot-headed, who does notconsider the possibility of traceback by the verifier, whilethe other is more cautious, who does some extra work suchas ultilizing zombie [21] to confuse the verifier in order toprotect its identity. We denote the cost of extra protectionsfor anti-tracking as β(k) (k ∈ {H,L}), and it grows as thenumber of false messages increases.

For hot-headed attackers, the benefit of strategy H isgreater than that of strategy L. Hence, they are inclined toemploy strategy H . We can get α(x,H)−σ(H) > α(x, L)−σ(L), where x is the index of the batch identification algo-rithm. For cautious attackers, the extra confusion work willprotect itself, and that work is more effective in strategyL. Hence, we can achieve that α(x,H) − σ(H) − β(H) <α(x, L) − σ(L) − β(L). Since the cost of the verifier is acommon knowledge, the verifier only has one type. Thepayoff array of hot-headed attackers is as Table 3 and thatof cautious attackers is shown in Table 4.

Because both types of attackers may exist simultane-ously, we use P to denote the ratio between hot-headed

8

TABLE 3Game array between the verifier and its hot-headed attackers

HHHHAV CBI(1) MRI(2) II(3)

H CnBV +α(1, H)−

σ(H),Q − Cn

BV −α(1, H)

CnBV +α(2, H)−

σ(H),Q − Cn

BV −α(2, H)

CnBV +α(3, H)−

σ(H),Q − Cn

BV −α(3, H)

L CnBV +α(1, L)−

σ(L),Q − Cn

BV −α(1, L)

CnBV +α(2, L)−

σ(L),Q − Cn

BV −α(2, L)

CnBV +α(3, L)−

σ(L),Q − Cn

BV −α(3, L)

TABLE 4Game array between the verifier and its cautious attackers

HHHHAV CBI(1) MRI(2) II(3)

H CnBV +α(1, H)−

σ(H)− β(H),Q − Cn

BV −α(1, H)

CnBV +α(2, H)−

σ(H)− β(H),Q − Cn

BV −α(2, H)

CnBV +α(3, H)−

σ(H)− β(H),Q − Cn

BV −α(3, H)

L CnBV +α(1, L)−

σ(L)− β(L),Q − Cn

BV −α(1, L)

CnBV +α(2, L)−

σ(L)− β(L),Q − Cn

BV −α(2, L)

CnBV +α(3, L)−

σ(L)− β(L),Q − Cn

BV −α(3, L)

attackers to all attackers, and correspondingly, the ratiobetween cautious attackers to all attackers is 1 − P . Toanalyze the game with incomplete information, we designthe game tree of our model as shown in Fig. 5. From Fig. 5,we find that I-BIGM follows Theorem 4.2.

Theorem 4.2. I-BIGM has at least one Nash equilibrium.

Proof: Let us analyze the two different cases of our gamemodel respectively. In the discussion below, EuV

(j) repre-sents the benefit of the verifier V when it chooses the batchidentification algorithm j, and EuA

(k) indicates the benefitof attackers A when they choose the attack strategy k.

In practice, each attacker only cares about its own utility.The preference of hot-headed attackers is strategy H andthat of cautious attackers is strategy L. However, in amobile wireless network, a verifier may suffer from severalcautious attackers simultaneously. As a result, the verifiermay still encounter H attack strategy even if all attackersare cautious. Hence, we analyse two cases as follows.

Case 1: Two types of attackers adopt H attack strategy.In this situation, the benefit of the verifier is as follows

for algorithms CBI, MRI, and II.

EuV (CBI) = P (Q− CnBV − α(1,H))

+ (1− P )(Q− CnBV − α(1,H))

= Q− CnBV − α(1, H)

EuV(MRI) = P (A− Cn

BV − α(2,H))

+ (1− P )(Q− CnBV − α(2,H))

= Q− CnBV − α(2, H)

EuV (II) = P (Q− CnBV − α(3,H))

+ (1− P )(Q− CnBV − α(3,H))

= Q− CnBV − α(3,H)

From the analysis in Section 3, we know that EuV (MRI)

TABLE 5The conditions of different Nash Equilibriums

Nash Equilibrium Condition

(Attacker: hot-headed,H , cautious, L, P ; Ver-ifier: CBI)

0 < P <α(2,L)−α(1,L)

α(2,L)−α(1,L)+α(1,H)−α(2,H),

and 0 < P <α(3,L)−α(1,L)α(1,H)−α(1,L)

(Attacker: hot-headed,H , cautious, L, P ; Ver-ifier: MRI)

α(2,L)−α(1,L)α(2,L)−α(1,L)+α(1,H)−α(2,H)

< P < 1,

and α(3,L)−α(2,L)α(2,H)−α(2,L)

< P < 1

(Attacker: hot-headed,H , cautious, L, P ; Ver-ifier: II)

α(3,L)−α(1,L)α(1,H)−α(1,L)

< P < 1,

and 0 < P <α(3,L)−α(2,L)α(2,H)−α(2,L)

is the largest, and MRI is the dominant algorithm amongthose three algorithms in this situation.

Hence, (Attacker: hot-headed attacker, H , cautious attacker,H , P ; Verifier: MRI) is a candidate Nash Equilibrium.

Case 2: Two types of attackers adopt different strategies.In this case, the benefit of the verifier is displayed as

follows for algorithms CBI, MRI, and II.

EuV(CBI) = P (Q− Cn

BV − α(1, H))

+ (1− P )(Q− CnBV − α(1, L))

EuV(MRI) = P (A− Cn

BV − α(2,H))

+ (1− P )(Q− CnBV − α(2, L))

EuV(II) = P (Q− Cn

BV − α(3, H))

+ (1− P )(Q− CnBV − α(3, L))

First of all, let us analyze the situation that CBI isthe dominant algorithm. Then, we have EuV

(CBI) >EuV

(MRI) and EuV(CBI) > EuV

(II).We get,

0 < P <α(2, L)− α(1, L)

α(2, L)− α(1, L) + α(1,H)− α(2,H)(6)

0 < P <α(3, L)− α(1, L)

α(1,H)− α(1, L)(7)

For attackers, due to α(x,H)− σ(H) > α(x, L)− σ(L),the hot-headed attackers select strategy H . On the otherhand, since α(x,H)−σ(H)−β(H) < α(x, L)−σ(L)−β(L),the cautious attackers pick strategy L. Hence, (Attacker:hot-headed, H , cautious, L, P ; Verifier: CBI) is a candidateNash Equilibrium as long as P satisfies Equation 6 andEquation 7.

Similarly, (Attacker: hot-headed, H , cautious, L, P ; Verifier:MRI) and (Attacker: hot-headed, H , cautious, L, P ; Verifier:II) also are candidate Nash Equilibriums when P has theproper value. The relationship between Nash Equilibriumand the value range of P is summarized in Table 5.

Note that the cautious attackers gain more benefit in theNash Equilibriums of Case 2 than that of Case 1. Thus, inpractice, the cautious attackers are more inclined to adoptlow frequency attack strategy. In another word, if P is inthe appropriate range, the Nash Equilibrium of Case 2 isthe prime choice of the verifier. However, from Table 5, wefind that the Nash Equilibrium may not exist if the ratio ofhot-headed attackers P is in some special range. When thatsituation happens, the Nash Equilibrium in Case 1 will beused.

9

Hence, I-BIGM at least has one Nash Equilibrium. �With the game model, the verifier can pick the dom-

inant algorithm to identify invalid signatures. For exam-ple, assuming the ratio of hot-headed attackers P is 50%,

α(2,L)−α(1,L)α(2,L)−α(1,L)+α(1,H)−α(2,H) is 0.4, α(3,L)−α(1,L)

α(1,H)−α(1,L) is 0.45 andα(3,L)−α(2,L)α(2,H)−α(2,L) is 0.55, the Nash Equilibrium are (Attacker: hot-headed, H , cautious, L, P ∈ (0, 0.4); Verifier: CBI), (Attacker:hot-headed, H , cautious, L, P ∈ (0.55, 1); Verifier: MRI) and(Attacker: hot-headed, H , cautious, L, P ∈ (0.4, 0.45); Verifier:II). The verifier would first check whether it can achieve aNash Equilibrium from the results of Case 2. If yes, it picksthe strategy as the dominant choice accordingly. Otherwise,it will use the Nash Equilibrium of Case 1. Obviously, whenP ∈ (0.45, 0.55), there is no Nash Equlibrium in Case 2.Hence, the verifier will find the strategy from the NashEquilibrium in Case 1, and adopt MRI as the dominantalgorithm.

5 SELF-ADAPTIVE AUTO-MATCH PROTOCOL FORALGORITHM SELECTION

With the previous discussion, we find that both game sce-narios with complete information and incomplete informa-tion at least exist one Nash Equilibrium, which providesthe dominant choice for the verifier. However, there stillexist two challenges to be solved. The first one is that thedominant strategy may not always be the optimal choice.It works well when the verifier cannot acquire sufficientaccessorial data, such as the recent number of invalid signa-tures. Whereas, if the verifier can observe that the numberof invalid signatures has remained low during some peri-ods, MRI algorithm, which might be the choice from NashEquilibrium, obviously is not the optimal one. Therefore,the Nash Equilibrium is only useful when the verifier doesnot have any accessorial data, or attack strategy is changedfrequently. The other challenge is that the estimation processof Nash Equilibrium in the game with incomplete informa-tion heavily relies on the ratio of hot-headed attackers whichcan be acquired only after the batch identification process isfinished.

In this section, to overcome these two challenges, weformally propose a self-adaptive auto-match protocol forthe selection of batch identification algorithms based onhistory information, which can automatically choose thesuitable batch identification algorithm considering both ofthe analysis results of game theory and the recent behaviorsof attackers. Our protocol can be implemented within twophases: (a) Initialization phase, where the verifier configuressystem parameters to resist attacks; (b) Decision phase, wherethe verifier estimates the situation, and selects the suitablebatch identification algorithm. The process of protocol isillustrated as Fig. 6.

5.1 Initialization PhaseThe target of this phase is to negotiate and update someshared security information for batch verification, whichincludes several public parameters, such as signature algo-rithm, hash function, public key, etc., as well as a few privateparameters, such as private key and identity information.The initialization operation is triggered in two case. One

Whether

the BV is

successful

Select Dominant

batch identification

algorithm in NE

End

Yes

No

Sah-r1, Sa

h-r1-1,...,Sah-1

are the same

No

Record Sah according to the results of batch identification

Sah-1= = H

Select MRI Select CBI

Yes

Start hth period

h = h+1

Initialization

phase

new node joins

network

regular node leaves

network

Yes

No

Whether

it is incomplete

game

Calculate Ph by self-

adaptive prediction

algorithm

No Yes

Select dominant batch

identification algorithm

in NE

Adjust the parameters in Transition Matrix for incomplete game

Decisionphase

Fig. 6. Self-adaptive auto-match protocol process

is when a new regular node joins the WMN, the authorityserver distributes the related security information to it of-fline. The other is when a regular node leaves the WMN, theauthority server updates and broadcasts that information toother regular nodes with signatures. Note that in this paper,we focus on identifying invalid signatures. The schemes ofkey distribution and management are out of our scope.

5.2 Decision phase

After initialization phase, mobile nodes can be protectedfrom the attacks of malicious nodes by batch verification,such as forging and tampering signatures. Due to the ran-domness of network attacks, batch verification must beconducted periodically. Hence, we divide time into multipleperiods, and the verifier must automatically decide whichbatch identification algorithm is applied in each period. Inthis section, we focus on the first challenge how to leveragethe Nash Equilibrium of game model more reasonably. Themain idea is to estimate the current attack strategy basedon history information. As we know, cyber attacks oftenconcentrate outburst and malicious nodes often maintainthe attack state for some time. It means that the attack strat-egy may not change very frequently. Thus, if the strategy ofattackers remains stable in past several periods, we considerthat the current strategy will be changed with a small prob-ability. In fact, under this assumption, there indeed exista few counter-examples which lead to unsuitable selectionof batch identification algorithm. Fortunately, our protocolis keen to detect the change of attackers and respond the

10

Algorithm 3: Decision phase

1 while true do2 if (Batch verification succeeds) then3 h = h+ 1;4 continue;5 else6 if (Sh−r1

a ,Sh−r1+1a ,...,Sh−1

a ) are the same then7 if (Sh−1

a == H) then8 Select MRI algorithm;9 else

10 Select CBI algorithm;11 end12 else13 if Game with incomplete information then14 Calculate Ph by self-adaptive prediction

algorithm;15 Select the dominant batch identification

algorithm with I-BIGM;16 else17 Select the dominant batch identification

algorithm with C-BIGM;18 end19 end20 end21 Adjust the parameters in Transition Matrix;22 Record Sh

a according to the results of batchidentification;

23 h = h+ 1;24 if (Process should be ended) then25 Break;26 end27 end

strategy fluctuations rapidly, when the attack strategy isuncertain. In the decision phase, first of all, the verifiertests the messages with a batch verification algorithm. If itsucceeds, then nothing is done until the next period comes.Otherwise, the verifier must find the invalid signaturesusing a batch identification algorithm. Secondly, if the attackstrategy is not changed in the past r1 periods, where r1is configurable, the verifier can directly make a decisionto select the proper algorithm according to the observedbehavior history of attackers. Otherwise, the game modelcan provide the dominant choice for batch identificationin the complete information or the incomplete informationscenarios. Thus, the game model play an important rolewhen the attack strategy is unstable and cannot be estimatedby the verifier. In addition, due to the random variation ofmobile nodes’ states, we exploit a self-adaptive predictionalgorithm described in Section 5.3 to calculate Ph which de-notes the ratio between hot-headed attackers to all attackersin the hth period of our protocol. Thirdly, no matter whichbatch identification algorithm is chosen, the verifier needs tocollect the related parameters, such as the number of invalidsignatures, the ratios of different attackers, and analyze thecurrent attack strategy. Such information will be stored ashistory data for next period. The pseudo-code is shown inAlgorithm 3, where Sh

a indicates the attackers’ strategy inperiod h.

N

NN NO NC

p ON OO OC

CN CO CC

p p p

M p p p

p p p

O C

N

O

C

N

O

C

pNNpNO

pNC

pOO

pOC

pON

pCC

pCN pCO

Fig. 7. The transition matrix

5.3 Self-adaptive prediction algorithm

As above mentioned, the second challenge is to estimate thevalue of Ph. In wireless mobile networks, each node maybe a potential attacker. Even if an attacker is identified bysome mobile nodes, it may continue disturbing the batchverification process as a new forged identity. In our model,mobile nodes have three states: Non-threatening(N), hOt-headed(O), and Cautious(C). In detail, the non-threateningnodes include not only regular ones but also the onesidentified as malicious nodes. In another word, nodes inthe non-threatening state cannot launch effective attacks nomatter whether they are legal. Because the transition fromone state to another is a random process characterized asmemoryless, these states satisfy Markov property [22]. Thus,we construct the transition matrix and transition graph inFig. 7, while pij (i, j ∈ {N,O,C}) indicates the probabilityof transition from state i to state j in one period.

For example, pNO represents the probability that a nodein non-threatening state will turn to the hot-headed state. Topredict more accurately, each probability value in transitionmatrix evolves in each period as Equation 8, while phijrepresents pij in period h, µφ

ij and µφi denote the number

of transition nodes from state i to state j and the numberof nodes in state i in period φ, respectively. Note that theperiodicity of attacks may change, we use a configurableparameter r2 to adjust the amount of history information.

phij =

∑h−1φ=h−1−r2

µφij∑h−1

φ=h−1−r2µφi

(8)

In period h, Ph, the ratio of hot-headed state nodes in allattackers, can be calculated by following equation which isjointly determined by the amount of hot-headed state andcautious state nodes.

Ph =

∑i=N,O,C µh−1

i ph−1iO∑

i=N,O,C µh−1i ph−1

iO +∑

i=N,O,C µh−1i ph−1

iC

(9)

6 PERFORMANCE EVALUTION

6.1 Simulation Configuration

In our simulations, we define and evaluate the time cost ofcryptographic operations required in the batch identifica-tion. We adopt the MIRACL cryptographic library in [23],and run the simulation on an Intel Pentium IV 3.0GHZmachine. Also, as we mentioned in Section 5.2, the batchidentification is conducted every 5 seconds as one period.The other simulation parameters are presented in Table 6.

11

TABLE 6The simulation parameters

Simulation Parameter ValueSimulation platform NS2

Area Size 500m * 500mNode Number 100

Node Communication Range 50mWireless Protocol 802.11aSimulation Time 100s

Batch verification algorithm b-SPECS+ [10]Number of messages n in a batch for verification 100

0

10

20

30

40

50

60

70

80

90

100

5 10 15 20 25 30

The

per

centa

ge

of

dif

fere

nt

algori

thm

s(%

)

The percentage of attackers(%)

CBIMRI

(a) C-BIGM

0

10

20

30

40

50

60

70

80

90

100

5 10 15 20 25 30

The

per

centa

ge

of

dif

fere

nt

algori

thm

s(%

)

The percentage of attackers(%)

IICBIMRI

(b) I-BIGM

Fig. 8. Percentage of algorithms vs. percentage of attackers

Note that our scheme is independent from batch verifica-tion algorithms. Therefore, we can equip BIGM with variousbatch verification algorithms [9], [10], [18], [24], even thoughthe delay may be different, the relationship of the comparedalgorithms should be the same. We choose b-SPECS+ [10]as the batch verification algorithm, which calculates theprocessing time for a curve with embedding degree k = 6and 80-bit p.

6.2 Result AnalysisIn this section, we analyze the performance from threeaspects.

6.2.1 The reasonability of NEThe percentage of a algorithm indicates the ratio betweenthe invoking number of the algorithm to that of all algo-rithms. For example, assuming that ten verifiers exist inthe wireless mobile network, where four verifiers chooseCBI as batch identification algorithm, the percentage of CBIis 40%. Figs. 8(a)-(b) show the changes of this parameter,where the game with complete information and incompleteinformation, individually. Form these figures, we can findthat all algorithms, including II, CBI, and MRI, are usedin the incomplete information scenario, but only CBI andMRI are adopted in the complete information scenario. Indetail, the percentage of MRI rises from 8.1% to 69.3% in C-BIGM, and it increases from 7.3% to 48.6% in I-BIGM. Whilethe percentage of CBI declines from 91.9% to 30.7% in C-BIGM, and it decreases from 89.2% to 45.4% in I-BIGM. Inaddition, in the latter scenario, the percentage of II growsup when the percentage of attackers increases at a low level,and it fluctuates in a certain range between 5% to 9% whenattackers become more and more.

Reviewing the game model, we can find that these phe-nomenons fit to the NE results. In C-BIGM, the probability

60

65

70

75

80

85

90

95

1 2 3 4 5 6 7 8Sel

ecti

on A

ccura

cy o

f al

gori

thm

s(%

)

Movement speed(m/s)

r1=1

r1=2r1=3

(a) C-BIGM

60

65

70

75

80

85

90

95

1 2 3 4 5 6 7 8Sel

ecti

on A

ccura

cy o

f al

gori

thm

s(%

)

Movement speed(m/s)

r1=1, r

2=2

r1=1, r

2=4

r1=3, r

2=2

r1=3, r

2=4

(b) I-BIGM

Fig. 9. Selection accuracy vs. movement speed

of H attack strategy increases accordingly with the growthof the number of attackers. Thus, more and more verifierschoose MRI as the defense strategy. The similar transitionhappens in I-BIGM for the same reason, while the existenceof cautious attackers leads to lower probability of H attackstrategy and less percentage of MRI than that in C-BIGM.

6.2.2 The selection accuracy of algorithmsThe selection accuracy of algorithms is the percentage of cor-rect choices which lead to less identification number, suchas CBI for L attack strategy and MRI for H attack strategy.Figs. 9(a)-(b) present the selection accuracy of algorithmswith different strategy transition rates, where the parame-ter r1 = 1, 2, 3 in complete information scenario and theparameter r2 = 2, 4 in incomplete information scenario, re-spectively. The attack strategy is determined by all attackersaround the verifier, thus, it is hard to control the transitionsof attack strategies precisely. Instead, we observe the resultsaccording to the variation of nodes’ movement speed. In thissimulation, the selection accuracy of algorithms declines atdifferent levels while the movement speed of mobile nodesrises. In C-BIGM, the curve with smallest r1 has the lowestselection accuracy 87.6% at the beginning and the highestselection accuracy 71.9% at the end, while the one withlargest r1 has the highest selection accuracy 92.6% at thebeginning and the lowest selection accuracy 67.5% at theend. In I-BIGM, the curves have the similar tendency whilethe larger r2 introduces the higher selection accuracy. Thus,the curve with r1 = 3 and r2 = 4 has the highest accuracy89.8% when the nodes’ speed is 1 m/s.

From above analysis, we can achieve three conclusionsas follows. First of all, our game model is more suitablewith the low strategy transition rate. Secondly, if the strategytransition rate grows up, smaller r1 is a better choice. At last,the selection accuracy of algorithm increases steadily whiler2 rises, no matter how the strategy transition rate changes.

6.2.3 The identification delayIn this part, we evaluate the influence to identification delayfrom four aspects: the number of invalid signatures, strategytransition rate, the percentage of attackers, and the ratio of hot-headed attackers. For concise presenting, we use the identifi-cation delay to indicate the average delay of all verifiers insimulations.

The number of invalid signatures. Figs. 10(a)-(d) showthe identification delay with different number of invalidsignatures, where the number of sampled messages n =100, 150, 200, 250, respectively. From these figures, we can

12

0

50

100

150

200

250

0 5 10 15 20 25 30 35 40

The

iden

tifi

cati

on d

elay

(ms)

The number of invalid signatures

IICBIMRI

BIGM

(a) n = 100

0

100

200

300

400

500

0 10 20 30 40 50 60

The

iden

tifi

cati

on d

elay

(ms)

The number of invalid signatures

IICBIMRI

BIGM

(b) n = 150

0

100

200

300

400

500

600

0 10 20 30 40 50 60 70 80

The

iden

tifi

cati

on d

elay

(ms)

The number of invalid signatures

IICBIMRI

BIGM

(c) n = 200

0

100

200

300

400

500

600

700

800

0 10 20 30 40 50 60 70 80

The

iden

tifi

cati

on d

elay

(ms)

The number of invalid signatures

IICBIMRI

BIGM

(d) n = 250

Fig. 10. Identification delay vs. the number of invalid signatures

120

125

130

135

140

145

150

1 2 3 4 5 6 7 8

The

iden

tifi

cati

on d

elay

(ms)

Movement speed(m/s)

r1=1

r1=2r1=3

(a) C-BIGM

120

125

130

135

140

145

150

155

1 2 3 4 5 6 7 8

The

iden

tifi

cati

on d

elay

(ms)

Movement speed(m/s)

r1=1, r

2=2

r1=1, r

2=4

r1=3, r

2=2

r1=3, r

2=4

(b) I-BIGM

Fig. 11. Identification delay vs. movement speed

find that the identification delay of II fluctuates in a certainrange, while the other algorithms’ identification delay in-creases. The performance of CBI algorithm is most impactedby the number of invalid signatures. CBI has the best per-formance when invalid signatures are few, while it has theworst performance when the number of invalid signaturesgoes up. The performance of MRI is more stable, and it hasthe lowest delay when more invalid signatures exist in thewireless mobile network. Relatively, BIGM has more stableperformance compared with CBI and MRI. BIGM has anapproximate performance with CBI, when the number ofinvalid signatures is small, and its performance approachesthat of MRI, when the number of invalid signatures increas-es. It means that the identification delay of BIGM is alwaysclose to the minimum value.

The strategy transition rate. From Figs. 11(a)-(b), we canfind the identification delay ascends with the increase ofmobile nodes’ speed in both games with complete informa-tion and incomplete information. In C-BIGM, when r1 risesfrom 1 to 3, the curves of identification delay become steeperwhich means the lower head and the higher tail. The r1 = 1curve is the steepest one, where the delay varies from 128.23ms to 140.29 ms with the mobile nodes’ speed rising. In I-BIGM, besides the affection of r1, the identification delaycan be reduced by increasing the value of r2. In addition, theinfluence of r2 rises when the mobile nodes’ speed increases.As a result, these simulations illustrate that the smaller r1is more suitable for frequently strategy transition and the

100

120

140

160

180

200

220

5 10 15 20 25 30

The

iden

tifi

cati

on d

elay

(ms)

The percentage of attackers(%)

IICBIMRI

BIGM

(a) C-BIGM

100

120

140

160

180

200

5 10 15 20 25 30

The

iden

tifi

cati

on d

elay

(ms)

The percentage of attackers(%)

IICBIMRI

BIGM

(b) I-BIGM

Fig. 12. Identification delay vs. percentages of attackers

larger r2 will decrease the identification delay. The reason isthat the smaller r1 means that our protocol is more sensitiveto strategy transitions, and the larger r2 means that ourprotocol can estimate the state transitions of mobile nodesmore accurately.

The percentage of attackers. Figs. 12(a)-(b) show theidentification delay of different algorithms with various per-centages of attackers. The identification delays of CBI, MRI,and BIGM rise obviously when attackers become intensive,while that of II fluctuates in a certain range. It is due to theconstant property of II in test number. The results indicatethat BIGM has the best performance no matter what thedensity of attackers is. Furthermore, the larger the density ofattackers is, the more the advantages BIGM has, comparedwith other algorithms.

The ratio of hot-headed attackers. As previous men-tioned, attackers can be subdivided into two classes: hot-headed and cautious. Figs. 13(a)-(c) display the relationshipbetween the identification delay and the elapsed time,where the percentages of attackers are 10%, 20%, and 30%,respectively. Furthermore, the ratios of hot-headed attackersare 30% in Fig. 13(a), 50% in Fig. 13(b), and 70% in Fig. 13(c).

These figures illustrate that it takes several periods forBIGM to reach the Nash Equilibrium, since it is hard forverifiers to acquire the precise attack information at once. InFig. 13, the identification delay decreases at beginning, andfinally turns stable at some level. Besides, as the percentageof attackers and the ratio of hot-headed attackers increase,the time to reach the Nash Equilibrium becomes larger, andthe stable value of identification delay also rises.

7 CONCLUSION

For selecting suitable batch identification algorithm withhigh efficiency, we propose a Batch Identification GameModel, named BIGM, which consists of three components.First, we analyze the performance of three generic batchidentification algorithms as the defence strategies of ourgame model, and discuss their advantages under differentattack strategies. Then, we give the definition of BIGM,and prove the Nash Equilibriums in the games with com-plete information and incomplete information. Finally, wedesign a self-adaptive auto-match protocol to improve thepracticability of our game model, considering the transitionpossibility of attack strategy and nodes’ states. From thesimulations, we find that our protocol can choose morereasonable batch identification algorithm to reduce delayand ensure network QoS, under the heterogeneous anddynamic attack scenario in WMNs.

13

60

70

80

90

100

110

120

130

140

150

5 10 15 20 25 30 35 40

Th

e id

enti

fica

tio

n d

elay

(ms)

Time(s)

10%20%30%

(a) 30% hot-headed attackers

60

70

80

90

100

110

120

130

140

150

5 10 15 20 25 30 35 40

Th

e id

enti

fica

tio

n d

elay

(ms)

Time(s)

10%20%30%

(b) 50% hot-headed attackers

60

70

80

90

100

110

120

130

140

150

5 10 15 20 25 30 35 40

Th

e id

enti

fica

tio

n d

elay

(ms)

Time(s)

10%20%30%

(c) 70% hot-headed attackers

Fig. 13. Identification delay vs. ratio of hot-headed attackers

REFERENCES

[1] L. Xiao, Y. Chen, W. S. Lin, and K. J. R. Liu, “Indirect ReciprocitySecurity Game for Large-Scale Wireless Networks,” in IEEE Trans-actions on Information Forensics and Security, 2012.

[2] Y. Liu, D. Bild, R. Dick, Z. Mao, and D. Wallach, “The Mason Test:A Defense Against Sybil Attacks in Wireless Networks WithoutTrusted Authorities,” in IEEE Transactions on Mobile Computing,2015.

[3] B. Alomair and R. Poovendran, “Efficient Authentication for Mo-bile and Pervasive Computing,” in IEEE Transactions on MobileComputing, 2014.

[4] L. Y. Yeh, Y. L. Huang, A. Joseph, S. Shieh, and W. Tsaur, “ABatch-Authenticated and Key Agreement Framework for P2P-Based Online Social Networks,” in IEEE Transactions on VehicularTechnology, 2012.

[5] A. Fiat, “Batch RSA,” in Proceedings of CRYPTO, 1989.[6] Naccache, M’Raihi, Vaudenay, and Raphaeli, “Can DSA be Im-

proved? Complexity Trade-offs with the Digital Signature Stan-dard,” in Proceedings of EUROCRYPT, 1994.

[7] J. Cheon, J. Coron, J. Kim, and M. Lee, “Batch Fully HomomorphicEncryption over the Integers,” in Proceedings of EUROCRYPT,2013.

[8] Z. Yu, Y. Wei, B. Ramkumar, and Y. Guan, “An Efficient Signature-Based Scheme for Securing Network Coding Against PollutionAttacks,” in Proceedings of IEEE INFOCOM, 2008.

[9] C. Zhang, R. Lu, X. Lin, P.-H. Ho, and X. S. Shen, “An EfficientIdentity-based Batch Verification Scheme for Vehicular SensorNetworks,” in Proceedings of IEEE INFOCOM, 2008.

[10] S. Horng, S. Tzeng, Y. Pan, and P. Fan, “b-SPECS+: Batch Verifi-cation for Secure Pseudonymous Authentication in VANET,” inIEEE Transactions on Information Forensics and Security, 2013.

[11] J. Pastuszak, D. Michalek, J. Pieprzyk, and J. Seberry, “Identifica-tion of Bad Signatures in Batches,” in PKC 2000, LNCS 1751, 2000.

[12] S. Lee, S. Cho, J. Choi, and Y. Cho, “Efficient Identication of BadSignatures in RSA-Type Batch Signature,” in IEICE Transactions onFundamentals of Electronics, Communications and Computer Sciences,2006.

[13] L. Law and B. Matt, “Finding Invalid Signatures in Pairing-basedBathes,” in Cryptography and Coding, 2007.

[14] M. Stanek, “Attacking LCCC Batch Verification of RSA Signa-tures,” in International Journal of Network Security, 2008.

[15] B. J. Matt, “Identification of Multiple Invalid Signatures in Pairing-Based Batched Signatures,” in PKC 2009, 2009.

[16] G. M. Zaverucha and D. R. Stinson, “Group Testing and BatchVerification,” in Proceedings of IEEE ICITS, 2009.

[17] C. Zhang, P. Ho, and J. Tapolcai, “On Batch Verification withGroup Testing for Vehicular Communications,” in Wireless Net-works, 2011.

[18] C. Lee and Y. Lai, “Toward a Secure Batch Verification with GroupTesting for VANET,” in Wireless Networks, 2013.

[19] J. A. Akinyele, M. Green, S. Hohenberger, and M. W. Pagano,“Machine-Generated Algorithms, Proofs and Software for theBatch Verification of Digital Signature Schemes,” in Proceedings ofACM CCS, 2012.

[20] J. Chen, Q. Yuan, G. L. Xue, and R. Y. Du, “Game-Theory-BasedBatch Identification of Invalid Signatures in Wireless Mobile Net-works,” in Proceedings of IEEE INFOCOM, 2015.

[21] Z. Lu, W. Wang, and C. Wang, “How can Botnets Cause Storms?Understanding the Evolution and Impact of Mobile Botnets,” inProceedings of IEEE INFOCOM, 2014.

[22] Y. Ephraim and W. J. J. Roberts, “An EM Algorithm for MarkovModulated Markov Processes,” in IEEE Transactions on SignalProcessing, 2009.

[23] “MIRACL Cryptographic Library: Multiprecision Integerand Rational Arithmetic C/C++ Library [Online],”https://www.certivox.com/miracl.

[24] “IEEE Trial-use Standard for Wireless Access in VehicularEnvironments-security Services for Applications and ManagementMessages,” in IEEE Standard 1609, 2006.

Jing Chen received the Ph.D. degree in comput-er science from Huazhong University of Scienceand Technology, Wuhan. He worked as an asso-ciate professor from 2010. His research interestsin computer science are in the areas of networksecurity, cloud security. He has published morethan 60 research papers in many internationaljournals and conferences, such as TPDS, INFO-COM, SECON, TrustCom, NSS.

Kun He received the MS degree in computerscience in 2011 from Wuhan University, Wuhan,China. He is a PH.D student of Wuhan Uni-versity. His research interests include networksecurity, cloud security, and mobile computing.

Quan Yuan is an Assistant Professor at Depart-ment of Math and Computer Science, Universityof Texas-Permian Basin, TX, USA. His researchinterests include Network Security, Mobile Com-puting, Routing Protocols, Peer-to-Peer comput-ing, Parallel and Distributed Systems, and Com-puter networks.

14

Guoliang Xue , an IEEE fellow, is a professorof computer science at Arizona State University.His research interests include survivability, se-curity and resource allocation issues in wirelessnetworks, social net-works and smart grid. Withover 200 pub-lished papers in those areas, heis an associate editor of the IEEE/ACM Transac-tions on Networking and of IEEE Network maga-zine. He served as technical program co-chair ofIEEEs INFOCOM’2010, which took place in SanDiego.

Ruiying Du received the BS, MS, PH.D degreesin computer science in 1987, 1994 and 2008,from Wuhan University, Wuhan, China. She is aprofessor at computer school, Wuhan University.Her research interests include network security,wireless network, and mobile computing.

Lina Wang received the Ph.D. degree in com-puter science from the Northeastern University,Shenyang, China, in 1999. She is a professor atcomputer school, Wuhan University. She is thedirector in Key Laboratory of Aerospace Informa-tion Security and Trusted Computing, Ministry ofEducation, China. Her research interests includenetwork and system security.