Download - IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 13, NO. 12

PSaD: A Privacy-Preserving Social-AssistedContent Dissemination Scheme in DTNs

Linke Guo, Student Member, IEEE, Chi Zhang,Member, IEEE,

Hao Yue, Student Member, IEEE, and Yuguang Fang, Fellow, IEEE

Abstract—Content dissemination is very useful for many mobile applications, like instant messaging, file sharing, and advertisement

broadcast, etc. In real life, for various kinds of time-insensitive contents, such as family photos and video clips, the process of content

dissemination forms a delay tolerant networks (DTNs). To improve the data forwarding performance in DTNs, several social-based

approaches have been proposed, most of which leverage mobile users’ social information, including contact history, moving trajectory,

and personal profiles as metrics to design routing schemes. However, although the social-based approaches provide better

performance, the revealing of mobile users’ information apparently compromises their privacy. Moreover, users’ contents may only

be shared with a particular group of users rather everyone in the system. In this paper, we propose the PSaD: a Privacy-preserving

Social-assisted content Dissemination scheme in DTNs. We apply users’ verifiable attributes to establish their social relationships in

terms of identical attributes in a privacy-preserving way. Besides, to provide the confidentiality of contents, our approach enables users

to encrypt contents before the dissemination process, and only allows users who have particular attributes to decrypt them. By

trace-driven simulations and experiments, we show the performance, privacy preservation, and efficiency of our proposed scheme.

Index Terms—Content dissemination, social networks, delay tolerant networks, privacy

Ç

1 INTRODUCTION

DELAY tolerant networks (DTNs) have drawn greatattentions in recent years due to the increasing num-

ber of applications that are delay-tolerant, such as disas-ter recovery, military networks, and vehicular networks,all of which are in accordance with the salient nature:intermittent connectivity and unpredictable networktopology. Lately, with the deployment of a tremendousnumber of mobile devices, e.g., laptops, smartphones,and tablets, people use these devices to opportunisticallyexchange and forward contents to expecting as manyreceivers and feedbacks as possible. The dissemination ofcontents potentially forms a new paradigm of DTNs,pocket switched networks (PSNs) [2] that feature bothopportunistic communication and mobile users’ mobility.In such networks, especially for mobile users’ time-insen-sitive data with large volume, they seek the opportunisticdevice-to-device (D2D) dissemination instead of upload-ing and downloading directly from Internet in order toreduce communication costs.

For the content dissemination with device-to-deviceexchange, mobile users’ privacy concerns should be welladdressed with respect to their contents and the way thatthey interact with each other. On the one hand, in some

cases, mobile users may be willing to share contents withgroups of receivers with specific requirements and remainundisclosed to others. For instance, imagine that Alice, whotakes a high-definition photo containing at Time Square,wants to disseminate her photo to users who have the simi-lar interests on photography and travel for social interactions.Rather than uploading to the online social networking sites,she prefers to use D2D exchange to dissemination the photodue to the expensive cellular data rate and rare free Wi-Fihotspots, both of which are hardly to access in a heavycrowded area. Since the photo contains private informationof Alice, such as identity, location, close or intimate relation-ships, for which she wants to keep undisclosed during thecontent dissemination. However, without any authentica-tion and verification mechanism, the D2D content exchangein the crowd would incur physical and cyber attacks basedon her photo, e.g., stalking her according to her current loca-tion, stealing her eye-catching belongings, or even postingher photo in the cyberspace for misuse. Unfortunately, dueto the lack of pre-established end-to-end routing path andunpredictable receivers, some of existing public-key crypto-graphic schemes cannot preserve the confidentiality ofcontents while maintaining the dissemination functionality.On the other hand, considering the way mobile users inter-act with each others, several works apply social-basedapproaches to design efficient content dissemination strate-gies. Most of these schemes rely on users’ personal socialprofiles and the corresponding information to determineforwarding metrics, such as the number of users they con-tacted before, or how frequently they have met each other,which obviously compromise mobile users’ privacy. In aword, existing social-based content dissemination schemesfail to jointly address the confidentiality of contents and theprivacy of users’ social information.

� L. Guo, H. Yue, and Y. Fang are with the Department of Electrical andComputer Engineering, University of Florida, Gainesville, FL 32611.E-mail: {blackglk, hyue, fang}@ece.ufl.edu.

� C. Zhang is with the School of Information Science and Technology, Uni-versity of Science and Technology of China, Hefei 230026, China.E-mail: [email protected].

Manuscript received 15 June 2013; revised 11 Feb. 2014; accepted 13 Feb.2014. Date of publication 24 Feb. 2014; date of current version 27 Oct. 2014.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference the Digital Object Identifier below.Digital Object Identifier no. 10.1109/TMC.2014.2308177

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 13, NO. 12, DECEMBER 2014 2903

1536-1233� 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

To solve the above privacy breaches, a possible social-assisted solution would be leveraging users’ social attrib-utes to design both the dissemination strategy and privacymechanism for contents. In sociology [3], the homophily phe-nomenon shows that people with more similar attributescontact more frequently than complete strangers. Intui-tively, if users with more similarities exchange their con-tents with each other, the dissemination performancewould become better due to their frequently contacts. Wetake a step further to consider users’ potential social rela-tionships as shared identical attributes, which not only ena-bles users to determine their social-assisted disseminationstrategies, but also renders a way to preserve the privacy oftheir social profiles by using existing cryptographic mecha-nisms, e.g., secure multi-party computation (SMC) [4].Meanwhile, the confidentiality of contents can be well keptundisclosed by applying attribute-based encryption (ABE)schemes [5]. Thus, in this paper, we propose the PSaD, asocial-assisted content dissemination scheme that providesthe privacy of both users’ contents and their social informa-tion in terms of users’ attributes.

Related Works.Social-assisted routing. A thorough survey [6] on social-

based routing schemes in DTNs describes the currenttrends and development in this area, where Zhu et. al.mainly compare the positive (community, centrality, simi-larity and friendship) and negative (selfishness) socialeffects in designing the routing schemes. In [7], [8], [9],[10], a set of social based approaches have been proposedto improve the efficiency and effectiveness of content dis-semination. Gao et al. study a set of multicast routingmethods using both centrality and community for relayselection in [11]. One of their later works [12] designs apreference-aware data dissemination protocol using users’centrality values. However, the above approaches havetwo obvious drawbacks. First, the above schemes useusers’ social profiles, e.g., contact history, contact durationand friendships, to design their routing metrics, which iseven impractical in daily life, in the sense that one may notrender his/her contact history to a stranger. Second, alltheir schemes rely on the a posteriori knowledge (e.g., cen-trality values, betweenness utility, etc.) to design the rout-ing protocols. Unfortunately, as a mobile user, he/she willnot know such crucial information before the experimentalanalysis is done, and hence they cannot forward data tothe “best” relay. Wu and Wang propose a social feature-based multi-path routing scheme in DTN [13], which issimilar to our idea in using users’ features (attributes) toroute packets, but they do not consider the distribution ofsocial features together with the trace file.

Privacy-preserving dissemination in DTNs. In terms of pri-vacy preservation, Lu et al. in [14] propose a privacy-pre-serving relay filtering scheme for DTN, which intends toenable contact users to filter junk packets for the destinationnode. Their scheme considers the privacy of the relayedpackets, but it lacks of practical applications to maintainconnection with spam filter users. They also propose a pri-vacy-preserving scheme for vehicular DTNs in [15], whichconsider the existence of infrastructures that handlethe parameter distribution and content dissemination. In[16], Hasan et al. propose a dissemination scheme with

consideration on preserving the contact history privacy,and it lacks of the discussion on the content privacy.

Secure profile matching. Besides, there are several worksdiscussing the correlation between similarity of social pro-file and contact frequency [17], [18], [19], but none of theseworks jointly considers the social-assisted disseminationand privacy. Particularly, Costantino et al. in [20] addressesthe tradeoff between privacy preservation and forwardingaccuracy, which is quite similar to our work on designingthe scheme for preserving the profile or attributes privacy.The major difference between our work and this work is weadditionally provide the privacy of the disseminated con-tent. One of their another work in [21] shares the similaridea with us on providing the profile privacy during thepairwise verification between mobile devices. Their schemeapplies secure two-party computation for determine theinterest similarity differences, while our scheme uses one-by-one zero-knowledge proof for proving the equality ofeach private attribute.

Our contributions. Our major contributions are as follows:

� We propose a privacy-preserving mutual authentica-tion scheme that uses the verified identical attributesto establish potential social relationships betweenarbitrary users.

� We design an attribute-based privacy-preservingmobile dissemination scheme that provides the confi-dentiality of users’ content. Our scheme enables userswho have the corresponding attributes required bythe content owner to decrypt the content.

� To better capture the characteristics of the network,we make extensions to better fit practical scenariosin terms of setting different weights on users’ attrib-utes based on the analysis of real-world trace file.

� We apply real-world data set to evaluate the routingperformance of PSaD scheme, which outperformseveral existing approaches.

� Extensive simulations and experiments are con-ducted to verify the performance of our scheme onthe aspects of security, efficiency, and feasibility.

The remainder of this paper is organized as follows. Sec-tion 2 introduces our intuitions and cryptographic primi-tives in designing the scheme. We describe the systemmodel in Section 3, along with the design objectives.The proposed scheme is presented in detail in Section 4,followed by the protocol evaluation in Section 5. Finally,Section 6 concludes the paper.

2 MOTIVATION AND PRELIMINARIES

In this section, we introduce our motivation in designingour protocols and cryptographic primitives. Moreover, byanalyzing the real-world trace file, we give our preliminaryresults on verifying the homophily phenomenon and give ourresults on the weights of users’ attributes.

2.1 Motivation

To better understand the content exchange and dissemina-tion process, we highlight our intuitive idea in the social-assisted approach. Given a pair of strangers, one cannotpush another to help forward his/her message if they do

2904 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 13, NO. 12, DECEMBER 2014

not have any pre-established relationship or without any incen-tive mechanism. However, comparing with completelystrangers, people may intend to help the one that sharessome similarities in terms of attributes, e.g., language,nationality, affiliation, etc. Thus, a potential social relation-ship can be set up based on the similarity. It has beenshown in [3] that individuals often befriend those whohave similar interests, reform similar actions and fre-quently meet each other. Such an observation is calledhomophily phenomenon. According to [22], users who sharesimilar interests in their profiles intend to form groups,and they can forward messages to the groups more effi-ciently in terms of delivery rate and delay. If users applyattribute similarity to form attribute-similar groups, thesocial-assisted content dissemination would be more effi-cient given the assumption that the attributes of contentsare identical with the content owner (homogeneity). Here,based on our following experimental results, we assumethat the attributes chosen for the dissemination have theproperty of homogeneity, which can be used for dissemi-nation based on social interactions.

We conduct an experiment on analyzing the contact ratewith the number of identical attributes based on the tracefile collected during INFOCOM 2006 [23] for a period of337,417 seconds. As we can see from Fig. 1, the contact ratein terms of the number of contacts between two usersincreases with the increment of identical attributes. Theabove results validate the existence of homophily phenome-non and further show that the dissemination processwould benefit from the content exchange between usershaving more identical attributes. Therefore, if the assump-tion homogeneity holds, leveraging identical attributes as aforwarding strategy would enhance the reliability of con-tent dissemination process.

2.2 Analysis on Weighted Attributes

In our scheme, we assume users are characterized by aunique set of attributes. We refer the term weight to repre-sent the normalized ratio of contact frequency resultingfrom each attribute.

According to what we observed from the above trace file,the weights on different attributes highly depend on thecharacteristics of both the designated network type andusers. The previous work [13] concludes that the feature Aff-liation ranks the top among all features (weighs the most),and followed by City, Nationality and Language, etc. How-ever, since their approach only relies on social feature sets

without considering the real contact trace file, the resultscannot reflect the real situation on how frequently userscontact with each other using their specific attributes. Weanalyze 65,536 contacts together with two involved users’attribute profiles and discover the positive correlationbetween identical attributes and their weights. Based on thecontact trace file, we show the weights of 8 out of total 10attributes, where we exclude the Association Membership andResearch Interest for their inaccurate information. Differentfrom what Wu and Wang observed in [13], we find out theattribute Language ranks the top among all attributes asshown in Table 1, which indicates that attendees mainlyspeak in English during the conference and seldom useother languages in formal occasions. Moreover, we observethe impact on different contact durations, due to the factthat some of the contact duration may not be sufficientlyenough to exchange contents. Therefore, for a specific typeof networks, the weights of users’ different attributes varyfrom one to another in accordance with the increasing con-tact durations.

3 SYSTEM MODEL

3.1 Network Model

We first give a brief introduction to the network model. Aswe can see from Fig. 2, the system mainly consists of a trust

Fig. 1. Contact Rate versus Identical Attributes.

TABLE 1Attribute Weight versus Contact Duration

Fig. 2. System Model.

GUO ET AL.: PSAD: A PRIVACY-PRESERVING SOCIAL-ASSISTED CONTENT DISSEMINATION SCHEME IN DTNS 2905

authority (TA) and multiple users with mobile devices.Here, TA can be any service provider which is able to runthe whole system and verify the corresponding attributes,and it can be found in real life, e.g., LinkedIn on verifyingusers’ occupations and professionals. For mobile users, theycan mutually communicate with each other and TA viawireless interfaces, such as WiFi, Bluetooth, Zigbee, etc. Wesimply assume users stay in the transmission range of eachother when they have contacts. TA can be considered as afully-trusted infrastructure, and it is responsible for param-eter distribution and attribute validation, both of which canbe done before the scheme starts. Then, TA can go offlineafter the scheme starts except when there is a new validuser comes in. Our PSaD scheme is a two-step process,which incorporates attribute verification and content dis-semination, and we will present it in Section 4.1 in detail.

3.2 Design Objectives

The main design objective of our proposed scheme is toapply users’ verified identical attributes to establish rela-tionships and disseminate content by opportunistic contactsbetween users. In our scheme, we assume the potentialsocial relationship established by shared attributes can beused as incentives to help disseminate the attribute-relatedcontents. To achieve better dissemination performance,users forward the received contents to their contact users asmuch as they can. For the same objective, we require users’contents should follow homogeneity assumption, such thatusers can disseminate contents using our social-assistedapproach. Another design objective is to provide the confi-dentiality of user-generated content during the dissemina-tion process. We require that users who do not have therequired attributes cannot obtain contents, and hence con-tents should be encrypted before the dissemination. We alsoneed to preserve the privacy of users’ attributes when twousers establish their social relationships.

4 PROPOSED SCHEME

In this section, we present our PSaD scheme in detail. Basedon the assumptions and intuitions listed in previous sec-tions, we first give the scheme overview and present ourscheme along with security mechanisms step by step.

4.1 Overview

In our system, we assume each user has jSjj ¼ & attrib-utes,1 where Sj represents the attribute set of a valid userj. TA issues certificates s and public/private key pairspk=sk after it verifies the authenticity of a user’s claimedattributes, where s corresponds to users’ attributes. Then,TA may go offline.

We continue to use Alice’s photo dissemination as anexample to demonstrate the dissemination process. Asshown in Fig. 2, Alice takes a photoM and only wants toshare with users whose attribute set SU has the followingproperty: RA ¼ SU

TSA, where RA is Alice’s attributerequirements, e.g., “photographers” and “teenagers”.Hence, the requirement of Alice would be like “I only

want to share my photo to users who have the number ofidentical attributes greater than t as mine”, in which t is anumber set by Alice. Then, Alice encrypts her contentusing threshold attribute-based encryption (th-ABE) [24]which allows users who have jRAj5 t to decrypt theciphertext C :¼ EpkðMÞ. We design the following formatof packet: fsid; EpkðMÞ; TTL; Sigg, where sid is the sessionID, TTL is the time-to-live of the packet, and Sig is the sig-nature of the packet.

Our scheme is a two-step process as shown in Fig. 2:attribute verification and content dissemination. Toincrease the delivery ratio, we ask contact users who can-not decrypt the content to store and forward encryptedcontent to next contact users, in order to increase the pos-sibility of reaching users who satisfied Alice’s require-ments as given in Algorithm 1 in the below.

Attribute verification. First, when Alice opportunisticallymeets a stranger Bob who may potentially help her forwardpackets, she first uses the certificate s to mutually check theattribute similarity between Bob and her using non-interac-tive witness-indistinguishable proof. For example, if sherequires the attribute position:photographer or age:22 as theforwarding criterion, she will only give packets to userswho have that verified jSU;sj ¼ u, where SU;s is the certificateset of user U’s verified attributes. Note this criterion is dif-ferent from t, where u is designed for checking the forward-ing requirement, while t is the encryption policy.

Content dissemination. If Bob successfully proves to Alicethat he has s, Alice forwards packets to Bob. Otherwise,Alice aborts the protocol and waits for another contactuser. Having Alice’s packet, Bob first attempts to decryptit using his private key sk corresponding to his attributeset SB. If jSB

TSAj5 t, he can view the video clipM andhe will not disseminateM to his next contact user, in the

1. If X is a set, jXj means its cardinality; if X is a number, jXjdenotes the length of bits representing the number.


sense we consider the dissemination process completes.Otherwise, Bob stores and forwards the packets to thenext contact user. As we can see from Fig. 2, Bob only hasthe certificate of age that meets Alice’s criterion, and thushe is not able to decrypt C. Then, he forwards the packetsto Eve, whom he opportunistically contacts, after theymutually verify their certificates on attribute age. Here,we assume Bob can only verify the attributes which aresuccessfully verified between him and Alice with the nextcontact user. Otherwise, Bob may maliciously add unnec-essary attributes on Alice’s contents, and further disablesreceivers from decrypting the contents. For practical con-cern, if Bob does not hold the certificates of photographer,he is not able to even initiate the verification process.Finally, since Eve’s attributes satisfy RA5 t, she is able todecrypt the ciphertext.

4.2 Setup

4.2.1 Global Parameter Initialization

Given the security parameter �, TA first generates a parame-ter tuple ðp;G1; G2; GT ; eÞ 1�, where e is a bilinear mape : G1 �G2 ! GT which has the properties of bilinearity,computability, and non-degeneracy [25], [26]. Then, TA ran-domly selects three generators g0; g1 2 G1, g2 2 G2 as well astwo random numbers b; g 2 Z�p , and sets w ¼ gbg0 2 G1 andz ¼ eðgb0 ; g2Þ 2 GT . TA generates a common reference string(crs) as follows, sets u1 :¼ ur

2 2 G21 and v1 :¼ vs2 2 G2

2, whereu2 ¼ ðg1; ga1Þ 2 G2

1 and v2 ¼ ðg2; gb2Þ 2 G22 and a; b; r; s 2 Zp

are randomly chosen by TA. Finally, TA distributes thecrs :¼ ðp;G1; G2; GT ; e; g1; g2; u1; u2; v1; v2Þ to every validuser for the purpose of attribute verification.

4.2.2 Key Distribution

Based on the system parameters, TA sets master secret key

as msk :¼ ðg0;b; gÞ. Then, we use m 2 Z�p to denote user’s

attribute values, and use S to represent the universe set of

attribute values in the system, where jSj ¼ a. Moreover, TA

chooses a set of dummy attributes D ¼ fd1; . . . ; da�1g whichconsists of a� 1 pairwise different elements of Z�p . Then,TA issues public/private key pair to users as pk :¼ fS;a;w; z; fgbgi2 gi¼0;...;2a�1;Dg. For each valid user j with corre-

sponding verified attributes Sj, TA picks a random number

kj 2 Z�p , and renders user j a private key as

skj :¼nn

gkj

gþmi0

omi2Sj;i¼1;...;&

;�gkjg

i

2

�i¼0;...;a�2; g

kj�1g

2

o:

We apply the constant-size ciphertext threshold attribute-

based encryption scheme in [24] to deploy our secure con-

tent dissemination. The encryption scheme relies on the

intractability of augmented multi-sequence of exponents

decisional Diffie-Hellman (mse� DDH) problem, which is

generated from the hardness problem DDH [27].

4.2.3 Attribute Validation and Certificate Issuance

For each verified attribute, apart from distributing corre-

sponding public/private key pairs, TA also issues users

certificates s on different values of attributes after it vali-

dates the authenticity of attribute values. Here, we use

Boneh-Boyen signature scheme [28] to sign each attribute

value, which is secure under weak chosen message attacks

based on the q � SDH assumption. TA uses x{ 2 Z�p to sign

different values of one specific attribute, e.g., photographer

and artist in attribute classification position. We can rewrite

each user’s attribute as m{:| 2 Z�p , where { is the general

classification of attributes and | denotes the specific value

of the attribute. Note that both { and | are the indices in its

own set. Given a verified attribute m{:|, TA outputs a certif-

icate as s{:| ¼ g1=ðx{þm{:|Þ1 and a verification key k{ ¼ gx{2 and

gives them to valid users. In what follows, we use mi{:| to

denote user i’s attribute value | on attribute classification {.

For privacy concerns, users cannot reveal the certificates

and keys for verification, otherwise malicious users may

perform impersonation attacks. Moreover, for the same

category of attribute values, the verification keys remain

the same and they should be kept undisclosed as well.

4.3 Attribute Verification

The attribute verification process takes place when Aliceopportunistically contacts a user, say Bob, and decideswhether forwards the ciphertext to him based on Alice’srequirements of s. In what follows, we design a mutual ver-ification scheme by applying non-interactive wittiness-indistinguishable (NIWI) proof.

4.3.1 Commitment and Proof Generation

We apply part of the non-interactive proof system for bilin-ear map discussed in [29], [30] and make extensions to fitour proposed scenario and scheme. To check the validity ofcorresponding certificates, the verifier needs to checkwhether the following equation is satisfied:2

e�s{:|; k{ � gm{:|

2

� ¼ eðg1; g2Þ: (1)

For privacy concern, we require that the verificationshould not reveal the certificates and verification keys. Weuse the following approach to generate commitments andproofs on the certificate and verification key, and furtherverify the equality of the above equation without exposingthe secret information. Alice first picks random numbersr1; r2; s1; s2 2 Zp, then she commits s{:| and k{ in the follow-ing way: cA ¼ ð1; s{:|Þur1

1 ur22 and dA ¼ ð1; k{gm{:|

2 Þvs11 vs22 with-

out exposing the value of s{:| and k{ of Alice.3 Note thatu1; u2 2 G2

1; v1; v2 2 G22 come from pre-loaded crs and

r1; r2; s1; s2 are randomly chosen from Zp. Based on the com-mitment fcA; dAg, Alice continues to generate NIWI proofsas follows:

pA1 :¼ v

t111 v

t122 d

r1i ;pA

2 :¼ vt211 v

t222 d

r2i ;

cA1 :¼ u

�t111 u

�t212 ss1

{:|;cA2 :¼ u

�t121 u

�t222 ss2

{:|:

where t11; t12; t21; t22 2 Zp are randomly selected by Alice.Finally, Alice sends Bob a set of commitments along withproofs as hcA; dA;pA

1 ;pA2 ;c

A1 ;c

A2 i for further verification.

2. The operation (�) is multiplication operation on the correspondinggroups, e.g., G1; G2, and GT .

3. The multiplication on G21 and G2

2 is defined as entrywisemultiplication.


4.3.2 Authenticity Verification

The verification is a two-step process. First, the verifier(contact user, say Bob) checks the authenticity of the cer-tificate set of Alice. Similarly, Bob sends back his commit-ment and proof set required by Alice. Then, Alice alsochecks the authenticity of Bob’s verified attributes. With-out loss of generality, we give the verification processperformed by Bob when he obtains Alice’s commitmentsand proof set.

With the entry-wise multiplication of G1 and G2, weobtain Zp-modules G2

1 and G22. Then, given the map

G1 �G2 ! GT , the entry-wise multiplication also makes G4T

aZp-module. Thus, there is a bilinearmap e : G21 �G2

2 ! G4T

egh

� �;

xy

� �� ! eðg; xÞ eðg; yÞ

eðh; xÞ eðh; yÞ� �

:

To verify the certificates satisfying Eq. (1), for each attribute,Bob checks whether the following equation is hold:

e�cA; dA

�¼ 1 1

1 G

� � � e�u1;pA1

� � e�u2;pA2

� � eðcA1 ; v1Þ � e

�cA

2 ; v2�;

(2)

where G ¼ eðg1; g2Þ is known to all users in the system. Ithas been proven in [29] that Eq. (1) holds when Eq. (2)can be successfully deduced. We also refer the matrixoperation (�) in Eq. (2) as the Schur product, in whichgiven two n� n matrixes A and B, the Schur product isðA �BÞ½i; j� ¼ A½i; j�B½i; j�.

Due to page limit, we only deduce the verification pro-cess of the element in the second row and second column ofthe corresponding matrix in Eq. (2). Thus, the left hand sidecan be written as

LHS22 ¼ e g1

x{þm{:|þarr1þar2

1 ; gx{þm{:|þbss1þbs22

� �

¼ eðg1; g2Þ1þbss1þbs2x{þm{:|

þðx{þm{:|þbss1þbs2Þðarr1þar2Þ:

Meanwhile, the element in the same position on right handside can be derived as

RHS22 ¼ G � e�gar1 ; gbst11þbt12þðx{þm{:|þbss1þbs2Þr12

�� e�ga1; gbst21þbt22þðx{þm{:|þbss1þbs2Þr2

2

�� e�g�art11�at21þ s1

x{þm{:|

1 ; gbs2�

� e�g�art12�at22þ s2x{þm{:|

1 ; gb2�

¼ G � eðg1; g2Þðx{þm{:|þbss1þbs2Þðarr1þar2Þþbss1þbs2x{þm{:| ;

which shows the equality of both sides. Till now, Bob is con-vinced that Alice has the verified attributes. Similarly, sinceour protocol is executed bilaterally, Alice can also be con-vinced that Bob has a set of verified attributes.

4.3.3 Equality Verification

The second step of verification process is to verify the equal-ity between two users’ attributes, which requires only users

who share the same attributes can know the comparisonresults, otherwise both of them learn nothing about bothcertificates and verification keys.

Suppose Alice wants to make sure that Bob has herrequired attributes. She sends her randomly selectedparameters used to generate hcA; dA;pA

1 ;pA2 ;c

A1 ;c

A2 i to Bob,

which are hr1; r2; s1; s2i. Then, Bob is able to generateanother set of NIWI proofs to show the equality of theirattributes. During the previous process, Bob has obtainedAlice’s commitments on s{:| and k{g

m{:|

2 , then he can con-struct the equality NIWI proofs as follows:

~p1 :¼ vt0111 v

t0122

�dA�r0

1 ; ~p2 :¼ vt0211 v

t0222 ðdAÞr

02 ;

~c1 :¼ u�t0

111 u

�t021

2

�sB{:|

�s1 ; ~c2 :¼ u�t0

121 u

�t022

2

�sB{:|

�s2 ;where the parameters r01; r

02; t011; t

012; t

021; t

022 2 Zp are ran-

domly chosen by Bob for generating his commitments andproofs.

The equality verification process is similar to theauthenticity verification. When Bob sends the equalityNIWI proofs to Alice, she checks whether the followingequation is satisfied:

eðcA; dBÞ ¼ 1 11 G

� �� eðu1; ~p1Þ � eðu2; ~pi2Þ � eð~c1; v1Þ

� eð~c2; v2Þ: (3)

If the equation holds, it implies that eðg1; g2Þx{þmB

{:|

x{þmA{:| ¼ eðg1; g2Þ,

such that Alice’s and Bob’s certificates on this attribute arethe same. Then, they are aware that they share the sameattribute values after the equality verification process. Onthe other hand, if they do not have the identical attributes,the output of equality verification is a random number inGT , which prevents users from knowing other users’ certifi-cates and verification keys. Users may compare more attrib-utes by creating multiple commitment and proof sets basedon their verified certificates and verification keys. Therefore,the potential social relationships can be established whenusers share identical attributes.

4.4 Privacy-Preserving Content Dissemination

The dissemination process happens when Alice and Bobhave established potential social relationships based onAlice’s criterion, she wants Bob to help her disseminate con-tents. Once users whose private keys can decrypt theencrypted contents, we consider the dissemination processis accomplished for these users. The dissemination processcan be divided into the following steps: policy setup, contentencryption, and user decryption scheme. Apart from our basicprivacy-preserving dissemination scheme, we also give ouradvanced scheme based on the analysis on attribute weightsin Section 2.2.

4.4.1 Policy Setup

We continue to use { to represent the classification, where S{is the set of attribute values in attribute {, and m{:| is the ele-ments of S{. Before presenting our scheme in detail, we firstlist the following definitions:


Definition 1. Uniqueness: 8 user i, given m{:| 2 S{, we require814|; |04jS{j, @mi

{:|;mi{:|0 2 S{i, where | 6¼ |0;

Definition 2. Completeness: 8 user i, 814{4jSij, 9mi{:| 2 S{i.

The uniqueness property requires each user has a spe-cific value of an attribute, and he/she cannot simulta-neously have multiple values on one attribute. Moreover,we require that users have corresponding values on all oftheir attributes. To create the encryption policy, user ichooses subsets from S{, and combines them together asher policy to encrypt her contents. Then, we define useri’s policy as

Pi :¼[jSij¼1

[j ~Sij�¼1

mi:j;

where ~S{i denotes user i attribute value requirement on clas-sification {, e.g., he/she requires photographer, artist or moviedirector under attribute classification position. Then, user iapplies the policy Pi to encrypt M using the followingencryption scheme.

4.4.2 Content Encryption

Before presenting the encryption scheme, we first list therequirements for encrypting the generated content. As weillustrated before, the content could be video clips, high-quality images or a large chunk of data, all of which con-sume not only a large amount of storage, but also the trans-mission bandwidth and power. Since users apply attributesas the encryption scheme, we need to consider the cost-effectiveness of our proposed scheme in practical scenarios.If the size of jPj is large, traditional encryption scheme [5]makes the ciphertext size of contents grow linearly, whichimpedes the possibility of content exchange in DTNs. Thus,we apply the constant-size ciphertext threshold attribute-based encryption scheme [24] in our proposed protocol toavoid large ciphertexts.

In our basic scheme, users treat every attribute equallywithout considering attribute weights. According to Defini-tion 1, users only have one value on one specific classifica-tion of attributes, which implies that the threshold of t is thenumber of attributes from different classifications. TakingAlice as an example, she wants to disseminate her contentM2 GT throughout the whole network with a correspond-ing policy PA. We denote that the cardinality of jPAj ¼ rA,and the threshold tA satisfies 14 tA 4 &A 4 rA 4a. Theencryption scheme is as follows. Alice first chooses a ran-dom number m 2 Z�p and computes,

C1 ¼ w�m; C2 ¼ gmbQ

mA{:|2PA

ðgþmA{:|ÞQ

d2Dh ðgþdÞ2 ;

K ¼ zm; C3 ¼ K � M;

where the ciphertext is ðC1; C2; C3Þ and K is the decryption

key. Note that the ciphertext C2 includes a set of

h ¼ aþ tA � rA � 1 dummy attributes, in order to obtain a

polynomial of degree aþ tA � 1 in the exponent of g2. Alice

uses the parameters fgbgi2 g2a�1i¼0 in pk to construct C2. Since

the threshold tA4a, the maximum degree of the exponent

of gbgi

2 is 2a� 1, then,

C2 ¼ gmbQ

iðgþliÞ

Qdj2DaþtA�rA�1

ðgþdjÞ2

¼ gbPr

i¼0rið Þgr�ilii

� �2 � g

bPh

j¼0hj

� gh�jdj

j

� 2

0@

1A

m

¼ gbgrþh

2 � � � gb�lrrd

hh

2

� �m

;

where maxðrþ hÞ ¼ 2a� 1. Then, Alice forwards theciphertext together with a signature (ref. Section 5.1.3) toBob.

4.4.3 User Decryption Scheme

The decryption process is as follows. First, Bob runs the

Aggregate algorithm using fgkB

gþmi0 gmi2SB;i¼1;...;& and attri-

bute values mB{:|. For the ease of description, we refer

x{ :¼ mB{:| for all { 2 SB and jSBj ¼ &. Define for any ðj; lÞ

such that

1 4 j < l 4 &; Pj;l ¼ g

1gþxl�

kQjðgþxjÞ

0 :

The Aggregate algorithm consists in computing sequen-tially Pj;l for j ¼ 1; 2; . . . ; & � 1 and l ¼ jþ 1; jþ 2; . . . ; &using the induction

Pj;l ¼ Pj�1;jPj�1;l

� � 1xl�xj

and setting P0;l ¼ gk

gþxl0 for l ¼ 1; 2; . . . ; &. The algorithm

finally outputs

P& ¼ P&�1;& ¼ g

kQiðgþxiÞ

0 :

Note that this computation process can be accomplishedbefore the protocol run.

Second, if jSATSBj5 tA, Bob can compute the follow-

ing parameter

L :¼ e g

kBQmB{:|ðgþmB

{:|Þ

0 ; C2

0@

1A:

Then, he uses fgkBgi2 ga�2i¼0 to compute the following parame-ters. Since the degree of Bob’s sk is less than a� 2, weneed to guarantee he is able to construct the polynomialwith degree no more than a� 2. Thus, we first define apolynomial,

Y ðgÞ ¼ 1

g

Qm{:|2PAðg þm{:|Þ

Qd2Dhðg þ dÞQ

m{:|2SATSBðg þm{:|Þ �XðSA

TSB;PAÞ

!;

where

XðSAB;PAÞ ¼Q

m{:|2PA m{:|

Qd2Dh dQ

m{:|2SATSB m{:|

:


Note that degðY ðgÞÞ < a� 2, which indicates the parame-ters in sk are enough to generate the decryption key K ifjSA

TSBj5tA.Then, Bob uses fgkBgi2 ga�2i¼0 to calculate,

e�C1; g

kBY ðgÞ2

� � L ¼ eðg0; g2Þm�kB�bXðSA

TSB;PAÞ (4)

and,

e C1; gkB�1g

2

� �¼ eðg0; g2Þbm�bmkB: (5)

As we can see, if jSATSBj < tA, which indicates the degree

of XðSAB;PAÞ is greater than a� 2, Bob fails to construct

gkBY ðgÞ2 . Then, Bob can derive the decryption key K by

combining two equations Eq. (4) and Eq. (5),

K ¼ ðe�C1; gkBY ðgÞ2

� � LÞ1=XðSAB;PAÞe C1; gkB�1g

2

� �¼ eðg0; g2Þbm ¼ zm:

Finally, Bob uses the derived key K to recover the contentby computingM¼ C3 �K�1.

For users who cannot decrypt the contents, they furtherforward encrypted contents to the next contact user afterrepeating the equality verification on certificates.

4.4.4 Advanced Scheme for Weighted Attributes

Our basic approach defines the threshold t as the numberof identical attributes between Alice and Bob. However,based on our observations, some of users’ attributesbecome more important in resulting the contacts. Forexample, in Section 2.2, we discuss the weighted attributesin each contact, in which the attribute Language weighs thetop according to the INFOCOM 2006 trace file. Here, wedistinguish the difference between Network-determinedWeight (NDW) fvigai¼1 and User-defined Weight (UDW)fnigai¼1, where Network-determined Weight denotes the char-acteristic weight of designated network and it variesdepending on different types of networks. User-definedWeight is the weight policy that the content generatordefined, e.g., he/she only wants users who have attributesprofessor and college of engineering to decrypt the content,so he/she assigns more weight on those attributes.

� Network-determined weight encryption schemeFor NDW, we redefine the universal attribute set as

S0 :¼ fm1k1; m1k2; . . .m1kV; . . . ; mak1; . . . ; makVg, whereV is the maximum integral weight of the correspondingattribute and k is the concatenation between attributeclassification and its weighed value. To better fit theencryption and decryption scheme, we define a mappingv : Q! Zþ, which maps the original weight wi to positiveintegral values. Depending on different types of net-works, users are connected or contacted based on differ-ent attribute set, e.g., the trace file collected at INFOCOM2006 shows that people with same affiliation or national-ity contact more frequently. Users may design their poli-cies P only using NDW to better fit the characteristic ofthe corresponding networks. Thus, we modify our basic

scheme for weighted attributes as follows. Based onNDW fvig, TA distributes elements in secret keys as

g

k

gþmji

0

( )&

i¼1;

where mji ¼ mikj for j ¼ 1; 2; . . . ;V. According to the NDW

value vi, TA assigns different values of j to attribute classifi-cation, which enables attributes with more weights per-forming crucial roles in decrypting the ciphertext. For eachattribute classification i with maximum weight vi :¼ Vi, TArenders a set of secret key elements

g

k

gþmji

0

( )Vi

j¼1

other than a single value gk

gþmi0

. Comparing to the basic

scheme, for the receiver, he/she carries more g

k

gþmji

0elements

to construct L0, which makes the degree of the exponential

part of L0 less than a� 2 only with the conditionPjPji¼1 Vi5t. Thus, he/she is able to decrypt the ciphertext if

he/she has several crucial attributes that satisfy sender’s

encryption policy P other than requiring no less than t same

attribute values.

� User-determined weight encryption scheme (UDW)Since our basic scheme does not specify the weights of

particular attributes, it would be possible that severalreceivers do not really satisfy the content generators’requirements on specific attributes, but they are able todecrypt the encrypted content because they share morethan t unspecified attributes. Although we achieve theNDW by expanding the private key set, it is infeasible for usto apply the same technique in the user-determined encryp-tion scheme, because, in our scheme, the content generatorand receiver do not each other beforehand. Therefore, theycannot exchange information based on their encryption pol-icy. To achieve the fine-grained access policy, we intend tosolve the above problem by introducing our advancedscheme, User-determined weight encryption scheme, which pri-oritizes required attributes in decrypting the content.

To better extend existing encryption scheme, we applythe CP-ABE scheme proposed in [31] and make several sig-nificant extensions in order to realize UDW. Here, we pro-vide the encryption scheme with UDW as ni :¼ f1;1; . . . ;�1;�1; . . . �; �; . . .g, where 1 denotes required attrib-utes, �1 is the attributes that the content generator excludesand � represents that the content generator does not specifyit and it can be any value. For example, Alice can weighPosition: Professor as 1 for required attributes, while assign-ing � on Nationality: United States for do not care attributes.Therefore, if Alice and Bob have more than tA same attrib-utes, Bob can decrypt the packet when he has requiredattributes, which further filters out desired users.

By applying the scheme in [31], we modify the ciphertextin our basic scheme as ðC1; C2; C

03; C4Þ, where C03 ¼ C3 �K0,

and C4 is ciphertext of K0 generated by UDW scheme. Note

the setup and key generation process can be done before the


protocol run, and TA is responsible for distributing the pub-lic parameter and private keys for users with correspondingattributes. If the potential receiver is able to use his/her pri-vate keys to obtain C3, he/she satisfies UDW required bythe content generator. Then, he/she can use threshold-based decryption scheme to see whether he/she is able todisclose the contentM. We continue to use Alice’s contentdissemination as an illustrative example, and we assumedecisional bilinear Diffie-Hellman Problem (DBDH)assumption [25] is hard in our advanced scheme. Theadvanced UDW scheme is run as follows:

Setup. Based on the public parameter defined in previoussection, TA chooses the master secret key for UDW schemeas mk :¼ hy; hki 2 Zp, where k 2 f1; . . . ; 3&g denotes theindex of each attributes on different weights. Then, it setsthe public key as pk :¼ hY;Hki, where Y ¼ eðg0; g2Þy andHk ¼ g

hk2 . Hk;H&þk;H2&þk correspond to three types of

occurrences of k, positive, negative and do not care.KeyGen. For every m 2 S, TA chooses a random lk 2 Zp,

and sets l :¼Pak¼1 lk. Let D :¼ g

y��U l2 and let

Dk ¼ g�U lkhk0

if k 2 SU of a particular user U , where �U 2 Z�p is a privateparameter selected by TA for each user;

Dk ¼ g

�U lkh&þk0

for k 2 SU , where SU denotes attributes that user U doesnot have. Set

Dk :¼ g

�U lkh2&þk0

for else attributes. Finally, TA renders private keys to user Uas sk :¼ hD;Dk; E ¼ g

�U0 i.

Encryption. Alice first chooses her required attributesin her attribute set S, and labels other attributes asexcluded attributes and do not care attributes. Then,Alice chooses c 2 Zp, encryption key K0 2 GT , to constructthe ciphertext as,

C4 :¼\

mk2PAmk; C

0 :¼ K0 � Y c; C :¼ gc0; f ~Ckjmk 2 Sg !

:

Here, ~Ck ¼ Hck formk 2 PA and ~Ck ¼ Hc

&þk formk Alice doesnot share with. In particular, ~C&þk ¼ Hc

2&þk for the attributesthat Alice does not care.

Decryption. Formk 2 PA, the receiver, say Bob, computes

eð ~Ck;DkÞ ¼ e�ghk�c0 ; g

�Blkhk2

¼ eðg0; g2Þ�Blkc;

Formk 2 PA, he computes

eð ~Ck;DkÞ ¼ e�gh&þk�c0 ; g

�Blkh&þk2

¼ eðg0; g2Þ�Blkc;

For other do not care attributes, Bob computes

eð ~Ck;DkÞ ¼ e�gh2&þk�c0 ; g

�Blkh2&þk2

¼ eðg0; g2Þ�Blkc:

Then, based on these results, Bob derives the followingresults:

Y c ¼ eðC; DÞ �Yak¼1

eðg0; g2Þ�B�lk�c

¼ e�gc0; g

y��Bl2

� � eðg0; g2Þ�Blc¼ eðg0; g2Þy�c:

The encryption key K0 can be consequently derived asK0 ¼ C0=Y c. Bob can obtain the content if and only if hisattribute set satisfy both the requirement on UDW andAlice’s identical number of attributes. The deriving processis as follows:

C03 � ðK0Þ�1 � ðKÞ�1 ¼M � eðg0; g2Þbm � ðKÞ�1 ¼M:

We continue to consider the situation where bothNDW and UDW affect the forwarding process. Based onthe previous approaches, we can simply apply the NDWand UDW encryption and decryption scheme to guaran-tee the privacy-preservation dissemination, which meansTA distributes a set of secret key elements and publicparameters to let sender re-encrypt the ciphertext ofcontent instead of directly sending it, and further enablecontact users use NDW private keys to obtain the plain-text of content.

5 PROTOCOL EVALUATION

In this section, we evaluate our proposed scheme from theaspects of security, efficiency and feasibility. Our securityanalysis studies how the design objectives are achieved inscheme based on the adversarial model. The efficiency ofthe proposed system in terms of computation and storagecost is also discussed. We also conduct simulation based onthe real-world trace file to verify the feasibility of our pro-posed scheme.

5.1 Security Analysis

5.1.1 Adversarial Model

For active attacks, adversaries can launch impersonationattacks to compromise the attribute privacy. We allowadversaries to change their attributes to meet the require-ments of content. However, since all the user attributesshould be verified by TA, adversaries who launch thiskind of attack may fail to perform from the very begin-ning. As an active attacker, he/she may modify andinject bogus data during the transmissions. On the otherhand, we are also concerned with the collusion attackamong a group of malicious users who share differentprivate keys of attributes. They may intend to decryptcontents by collecting enough valid attributes. For pas-sive attacks, we allow adversaries to eavesdrop the com-munication channels during the forwarding anddissemination process. On the other hand, we do notconsider the possibility of sharing secrets with others.Similarly, we exclude attackers who successfully stealother valid users’ mobile devices perform attacks basedon the stolen secrets. The insider attack is also not con-sidered in our proposed scheme.


5.1.2 Attribute Privacy in the Verification Process

Our verification scheme relies on the issued certificates onattribute values. During the process of attribute verification,users need to mutually verify the authenticity and equalityof attribute certificates. Malicious users fail to learn thedetail of both k{ and s{:|, because they cannot obtain theplaintext of these during the verification process. Instead,users use the parameters u1; u2 2 G2

1; v1; v2 2 G22 to commit

above verification keys and certificates. Based on the DDHassumption, no user is able to reveal the plaintext valuesfrom the commitments. For the same reason, adversarieswill not discover certificates by comparing multiple cipher-texts which contain user-chosen random numbers. For theverifier, he/she can only check the equality of Eq. (2). If thecheck process succeeds, he/she learns that the correspond-ing verification keys and certificates are authentic withoutdisclosing k and s. Otherwise, the verifier knows nothingabout the detail of whether the commitments or proofs areauthentic or not.

For the equality verification, we consider two possible

attacks that may compromise the attribute privacy. The first

type of attack comes from sending random numbers used

for equality verification. In our example, Alice sends back to

Bob the random number set fr1; r2; s1; s2g for Bob generat-

ing equality proofs f~p1; ~p2; ~c1; ~c2g. It is obvious that Bob

can use the received random number set to construct

c0i ¼ ð1; 1Þur11 u

r22 and d0i ¼ ð1; 1Þvs11 v

s22 . Comparing to the

received cAi ¼ ð1; s{:|Þur11 u

r22 and dAi ¼ ð1; k{gm{:|

2 Þvs11 vs22 , it is

difficult for Bob to derive k{ and s{:| due to the assumption

that DDH and DL problems are hard. Thus, the above

approach guarantees the attribute privacy when two users

send random numbers back and forth. The other possible

attack is performed on the outcome of comparison results.

The verification result returns 1 if and only if

eðg1; g2Þðx{þmB{:|Þ=ðx{þmA

{:|Þ ¼ eðg1; g2Þ. Otherwise, the result is an

arbitrary string in GT instead of explicitly listing the values

of mA{:| and mB

{:|, which prevents adversaries from knowing

the detail regarding the different attribute values. Here, it is

possible for users to return incorrect random numbers and/

or proofs, which renders the inconsistent comparison

results on two sides. However, we exclude this kind of

attack if users agree to compare their attributes in advance

for the content dissemination.We also highlight the collusion attack during the whole

verification process, in which adversaries collude to com-pare commitments and proofs from the same user inorder to obtain the certificate. If a group of malicioususers want to find out the certificate and verification keyof a particular user, they have to launch a number ofqueries to this user. According to the above analysis,adversaries fail to find credential and certificate frommultiple commitments and proofs. Moreover, as an exten-sion to our proposed scheme, we allow users to use fre-quently changed collision-resistance pseudonyms togenerate and forward contents. A user can generate dif-ferent commitments representing the same attribute valueby using different pseudonyms, and thus attackers cannottell the relationship between commitments and the users’pseudo-identities.

5.1.3 Analysis on Content Dissemination Process

Based on our assumptions on adversarial model, attackersmay inject bogus data during the content dissemination pro-cess. We can apply the signature scheme in [32] to constructa signature on ðC1; C2; C3Þ. Define a set of collision-resis-tance hash functions, where H1 : G1 ! f0; 1g�, H2 : G2 !f0; 1g�, H3 : GT ! f0; 1g� and H : f0; 1g� ! f0; 1gn, where ndenotes the length of output hash value. When Alice trans-mits a packet including ðC1; C2; C3Þ, he/she generates a sig-nature SigskAðHðH1ðC1ÞkH2ðC2ÞkH3ðC3ÞÞÞ to guarantee thenon-repudiation of the ciphertext, where skA is a pre-assigned private key of Alice, and users can use the corre-sponding public key to verify the signature. The man-in-the-middle attack also can be prevented because we havethe attribute verification mechanism to prevent the attackerfrom even obtaining the ciphertext. Based on the mutualauthentication results, we can easily defeat this type ofattack. The above attacks cannot succeed because the adver-sary does not have the corresponding private keys.

By applying advanced scheme UDW, another possibleattack may happen on deriving the content when adversar-ies have correct K and eðg0; g2Þy. However, it is infeasibledue to our assumption that decisional bilinear Diffie-Hell-man Problem is assumed hard. Therefore, adversaries failcannot determineK0 andM from C03.

5.1.4 Collusion Attacks on Decrypting Encrypted

Contents

The collusion attack is a very powerful attack and will

severely threaten the security and privacy requirements of

our scheme if not thwarted during the content dissemina-

tion process. For our basic scheme and NDW, It mostly hap-

pens when one of the adversaries does not have sufficient

number of attributes satisfying PA. He/she intends to col-

lude with users who have enough attributes and combines

them in order to decrypt the ciphertext. However, the

decryption scheme perfectly prevents this attack as follows:

for each user’s private key, it includes a set of elements as

fgkj

gþmi0

gmi2Sj;i¼1;...;& based on the user’s verified attributes. It has

the unique parameter kj for user j, which is selected by TA.

Moreover, according to the DLP assumption, user j fails to

deduce kj from g

kjgþmi0

even if mi is given. Hence, given differ-

ent elements from different users, the colluded users fail to

construct

g

kjQðgþmj

{:|Þ0

with the same kj, and hence colluded users cannot decryptthe ciphertext.

In particular to the advanced scheme UDW, we modify

the original scheme in [31] to prevent possible collusion

attacks among adversaries. As similar as the collusion attack

on the basic scheme, the attack objective of adversaries is

trying to obtain the content that they cannot decrypt by

using their own private keys sk. In our advanced scheme


UDW, the private key elements D :¼ gy��U l2 and Dk :¼ g

�U lkhk0

have the unique parameter �U for each particular user U .

Even though adversaries colluding with each other, they

fail to reconstruct eðg0; g2Þ�U lc due to their different values

on �. Furthermore, they cannot derive the encryption key

K0 by dividing the reconstructed element Y c. Therefore, the

collusion attacks on encrypted contents are prevented in

our scheme.

5.2 Performance of PSaD

Regardless of efficiency of the privacy preservation tech-nique used in PSaD, we first analyze the performance of theattribute-based content dissemination process. Based on thetrace file collected during INFOCOM 2006, we use the fol-lowing metrics in the simulation, which try to specificallyevaluate our proposed scheme. In addition, we compareour scheme with several existing social-assisted approachesin order to show the advantages of our scheme.

� Delivery ratio, the ratio of the number of delivereddestinations to the total number of destinations.

� Delivery delay, the average delay for all the delivereddestinations to receive the content.

� Average cost, the average number of relays used forone delivered destination to receive a content.

5.2.1 Analysis on Identical Attributes

We first analyze the distribution of number of identicalattributes between two arbitrary users in the data set, whichhelps us determine the forwarding strategy of PSaDscheme. According the system setting in the data set, thetotal number of possible pair-wise contacts is A2

78 ¼78!=ð78� 2Þ! ¼ 6; 006 given the number of participants is 78.As similar as the simulation setting in Section 2, we considerthe maximum number of identical attributes is 10. In Fig. 3,there are more than 1,800 pairwise users do not share anysimilar attributes. Besides, among all users with identicalattributes, the number of users sharing three attributes hasmore than 800 pairs. Regarding the analysis of distributionof identical attributes among users, it is easier to dissemi-nate content with threshold t ¼ 3, but it may not directlyshare with the desired group of users who are expected tohave the attributes threshold t> 3. Moreover, we need toconsider the parameter of u ¼ jSU;sj, which is the total num-ber of attributes required by the content generator for attri-bute verification.

In what follows, we intend to discuss the tradeoffbetween the selection of ðu; tÞ-pair and the performance ofPSaD scheme, where 1 4 u 4 t 4 10 for practical con-cern. In addition to the selection of the number of identi-cal attributes, we also investigate the impact of contactduration between contact users. The contact duration Tbetween users reflects the length of their interaction time.Due to the ways of data collection, users’ contacts may bemistakenly recorded, such as the Bluetooth connectionestablishment time and users’ unintentional interactions.As one of the parameter in the experiment settings, wegradually increase the threshold of contact duration T toexclude some of the contacts in the data sets. As thethreshold of T increases, the contacts can be used as realsocial interactions, and further can be applied for contentexchange and dissemination.

5.2.2 Performance Evaluation

We give our simulation results along with the discussion inthe following section.

� Analysis on Delivery RatioWe first discuss the delivery ratio of the proposed

scheme. The delivery ratio is calculated in the followingway to keep consistent with other approaches [7], [9], [11],

Delivery Ratio ¼P

i #Receivers for i hop

#Users in the system; (6)

where the purpose of content generator is to maximally dis-seminate the content based on the selection of ðu; tÞ-pair.Note that content owners will not be able to the number ofreceivers before they disseminate the content, and also it isinfeasible for them to determine the potential receiversgiven different selections on ðu; tÞ-pair. Although with morerestriction on (u; tÞ-pair, it may reduce the number of poten-tial receivers, we have to keep pace with content ownerssharing purposes, and to help them maximally disseminatethe content.

Fig. 4. Delivery Ratio of PSaD Scheme.

Fig. 3. Distribution of Users’ Identical Attributes (INFOCOM 2006).


As shown in Fig. 4, we show the delivery ratio of PSaDscheme for different ðu; tÞ-pair with consideration of therequirement on the contact duration T . For the maximumdelivery ratio, we refer the region with more than 75 percentas the maximum delivery ratio region. Meanwhile, the mini-mum delivery ratio region is referred as the selection ofðu; tÞ-pair in resulting the delivery ratio smaller than 30 per-cent. Apparently, the number of the selection of ðu; tÞ-pairsin maximum delivery region is reduced when the time con-straint T grows, which indicates that the increasing contactdurations will filter out the unintentional user interactions.Moreover, if we set T ¼ 600 s as shown in Fig. 4d, most ofthe contacts can be seen as real communication, and theycan be further used as content dissemination for practicalinformation exchange. We also highlight ðu; tÞ-pairs selec-tions for u ¼ t, which can be characterized as the single-hopdissemination. In Fig. 4a, the highest delivery ratio of sin-gle-hop dissemination is around 70 percent, and it signifi-cantly reduced to 32 percent when T ¼ 600 s. To increasethe delivery ratio given a threshold value T , the contentgenerator may increase the value of t, which indicates thatmore contact users may satisfy the requirement of the con-tent generator, and may further relay the content. Ratherthan the situation where u ¼ t (indicates the disseminationneglects the possible values of t which is greater than u), theselection of t > u forms the multi-hop dissemination pro-cess and it outperforms single-hop dissemination.

� Analysis on Delivery DelayAs similar as the performance with respect to the delivery

ratio, the average delay of PSaD scheme grows when thetime constraint increases as shown in Fig. 5. For T < 300 s,the average delay increases linearly when the content gener-ator sets u < 5. Meanwhile, it keeps flat when the time con-strains are greater than 300 s. The maximum delay pointsincreases from 48,984 s second to 53,671 seconds in Figs. 5aand 5d. An interesting observation is that the trends of aver-age delay varies for u44 and u55. In Figs. 5a and 5b, the

average delay increases for u ¼ 1; 3when the threshold num-ber of attributes t increases. Comparatively, the averagedelay decreases after t reaches a maximum delay point foru5 5. As what we discussed in Section 2, we refer this regionas homophily phenomenon region, where the increase ofcontact rate facilitates the communication between userswith more identical attributes. Therefore, the average delayof content dissemination dramatically reduces based on theirfrequently contacts, while the selection of smaller u keeps theaverage delay growing.

� Analysis on Average CostWe also give analysis on the average cost in terms of aver-

age number of relays during the dissemination process.Withthe number of threshold attributes growth, the average costincreases linearly in all the selections of ðu; tÞ-pairs as shownin Fig. 6. As the same as our analysis on delivery delay, theaverage cost decreases for u5 5 when the time constraintincreases. The maximum cost for the selection u47 isbetween 3:9 and 4:3 relays. Moreover, to achieve the bestdelivery ratio and lower delivery delay of PSaD scheme, theaverage cost is between 2:1 and 3:2 relays for T4600 s.

5.2.3 Discussion on Homophily Phenomenon

Based on the previous analysis, we show the existence ofhomophily phenomenon, which verifies our intuition on

Fig. 5. Average Delay of PSaD Scheme. Fig. 6. Average Cost of PSaD Scheme.

Fig. 7. Average Delay and Cost of PSaD Scheme for u44; t45.


designing the PSaD scheme. However, it is obvious thatthe selection of ðu; tÞ-pair will impact the increase anddecrease of delivery delay and average cost. In what fol-lows, we investigate the performance of PSaD schemewith respect to the time constraint and the selection ofðu; tÞ-pair, which help content generators set their verifica-tion and encryption policy.

We pick two sets of representative simulation results, inwhich we choose t 4 5 and t 5 9 as the decryption policyas shown in Figs. 7 and 8. For the selection of t 4 5, with theincrement of u, the average delay increases in Fig. 7a, whichindicates that the content generator requires more certifi-cates for attribute verification. Consequently, the averagedelay will grow when T is increasing. The average cost fort45 is shown in Fig. 7b. For u 4 3, it grows linearly with theincrement of T . However, the average cost decreases whenwe set u ¼ 4, in which we consider the homophily phenome-non appears among users with identical attributes greaterthan 4. To further verify this phenomenon, we analyze thedelivery delay and average cost for t 5 8which implies thatthe contact users have nearly all identical attributes. Com-pared with the results in Fig. 7, we find the performance ofPSaD scheme has an opposite result in Fig. 8. As shown inFig. 8a, the average delay decreases when T grows. Thisresults indicates that the content is disseminated within agroup of people with a lot of identical attributes, and theymay frequently contact with each other, which lower theaverage delay for approximately 30 percent compared withu ¼ 4; t ¼ 5 at T ¼ 600 s. Moreover, the average cost alsodecreases for t 5 8 in Fig. 8b, where it only has 1.76 relayswhen the content generator sets u ¼ 9; t ¼ 10 at T ¼ 600 s.

Therefore, we verify the existence of the well-knownhomophily phenomenon by real-world trace file. In

addition, in terms of content dissemination, content gen-erators may choose different selections of ðu; tÞ-pair, toachieve desired performance. If they intend to have betterdelivery ratio and smaller delivery delay, they can set alower ðu; tÞ-pair value, but their receivers may not be asdesired as they want; or, they can disseminate to a partic-ular group of users with almost all identical attributes inorder to achieve low cost on relays, but the price wouldbe the low delivery ratio.

5.2.4 Protocol Comparison

In what follows, we compare our PSaD scheme with severalexisting social-assisted routing protocol in DTNs as shownin Fig. 9. We mainly consider the routing protocol Epidemic[7], SDM [11], and PROPHET [9]. In Fig. 9a, the best deliveryratio of PSaD scheme is about 4 percent lower than the Epi-demic routing scheme, but it outperforms SDM andPROPHET for 7 and 21 percent, respectively. The deliverydelay of PSaD and SDM are more or less similar for the timelength smaller than 16 hours as shown in Fig. 9b. For theoverall performance (three days experiment time), the PSaDscheme is 792 seconds longer than Epidemic, but it issmaller than SDM and PROPHET for an average of 3,911seconds and 8,235 seconds. In terms of average cost, thePSaD scheme is better than the Epidemic, but it is largerthan PROPHET and SDM scheme, as shown in Fig. 9c.

5.3 Efficiency Analysis

5.3.1 Simulation-Based Analysis

First, we use Pairing-based Cryptography (0.5.12) Library toimplement our simulation on computational and storagecost. We continue to use the real-world trace file collected inINFOCOM 2006 to verify our proposed scheme, includingnumber of users and their corresponding attributes. Wetake Tate pairing as our basic pairing operation. The ellipticcurve we use for the our scheme is type D159. A curve ofsuch type has the form of y2 ¼ x3 þ axþ b. The base field ofthe curve is 159 bits, and it has the same security level as1024-bit RSA. For the experiments, we use a laptop with anIntel processor 2.8 GHz and 4 GB RAM under the platformUbuntu 11.10. All the timing reported below are averagedover 100 randomized runs.

Computational cost. We consider the computational costduring the attribute verification process and the content

Fig. 9. Comparison with Other Social-assisted Protocols, ðu; tÞ ¼ ð2; 3Þ:

Fig. 8. Average Delay and Cost of PSaD Scheme for u 5 8; t 5 9.


dissemination process. During the attribute verificationprocess, Alice generates two commitments and four proofsfor the secrets in Eq. (1). The commitment generating pro-cess takes two group elements from each of G1 and G2,while the proofs have four group elements from both G1

and G2. For the verification process, each user computes 20pairing operations to verify the validity of the correspond-ing attributes. For the equality verification, the verificationprocess takes another 20 pairing operations in total. As wecan see from Fig. 10a, the computational costs of generat-ing commitments, proofs, and verification grow nearly lin-early with the increment of the number of comparedattributes. To verify total 10 attributes takes less than 6 sec-onds for each side. On the other hand, we also need to con-sider the impact of identical attributes during theverification process. As shown in Fig. 10b, if the total num-ber of compared attributes is 10, the computation time ofcommitment and proof generation process keep stablewhen the identical attribute ratio grows. On the contrary,the verification time increases linearly with the growth ofidentical attribute ratio. To reduce the computational cost,we revise parts of our scheme in the simulation, in order toallow users pre-compute some costly operations and storethem for future use. As shown in Fig. 10, the computa-tional costs reduce for 52.3 percent on average during theverification process.

In the content dissemination process, we only considerthe computational cost in terms of time in our encryptionand decryption scheme. As we can see from the previoussection, the encryption scheme only takes aþ t� 1 expo-nentiations on the group elements over G2, and 1 expo-nentiation operation over each of G2 and GT . For the

decryption scheme, it requires three pairing operationsand Oðt2 þ aÞ exponentiations. In the following simula-tion settings, we fix the number a ¼ 10 (one attributevalue per attribute) and mostly focus on the computationtime in our encryption and decryption scheme. Based onthe simulation results, the average computation time forthe exponentiation operation over G1 is 1.14 ms, and2.53 ms over group G2 and GT . The average time in com-puting a pairing operation costs 11.9 ms under our simu-lation settings. As we can see from Fig. 11a, theencryption time increases with the growth of threshold t,and it takes about 27 ms for generating the ciphertextwhen t ¼ 10. The decryption time increases dramaticallycompared with encryption, which takes approximately241 ms for t ¼ 10. By using our optimized approach, thedecryption costs reduces to 112.4 ms for t ¼ 10. For ouradvanced scheme using NDW, the number of a0 ¼ 10 �Vincreases depending on the granularity of attributeweights. In our simulation, we define V ¼ 10. In Fig. 11b,it is shown that the decryption time increases rapidlycompared to the time consumed in the encryptionscheme, while the optimized decryption scheme reducesfor 53.7 percent. In UDW, to generate the ciphertext of C4

costs one exponentiation operation over group G1, 4aexponentiation operation on GT and one multiplicationoperation in GT . For the decryption scheme of UDW, itrequires aþ 1 pairing operations and a multiplication inG1 for decrypting ~C4, where the average cost of bilinearpairing is 10.56 ms. The decryption time costs less thanthe encryption time for 1 4 t4 10 as shown in Fig. 11c.In particular, the computational cost of encryption usingoptimized scheme decreases more than 50 percent com-pared with original scheme.

Storage cost. In our storage analysis, we choose jpj ¼ 160,and the element in G1 is 170 bits, while elements of G2 andGT will be 510 bits as introduced in [33], [34]. We first con-sider the storage cost in the attribute verification process.The crs costs jpj þ 5jG1j þ 5jG2j bits, where jG1j denotes thesize of the element in G1. To store the verification keys andcertificates of users’ attributes, they take &jG1j þ &jG2j bitsin total for one user. For the storage cost during the dissemi-nation process, both the basic scheme and NDW requirejGT j þ jG1j þ ð2a� 1ÞjG2j bits on public key and jG1jþjG2j þ jGT j bits as the constant-size ciphertext of contents.The private keys for the basic scheme have the length of

Fig. 11. Computational Cost in Content Dissemination.

Fig. 10. Computational Cost in Attribute Verification Process.


&jG1j þ ða� 1ÞjG2j bits, while NDW scheme requires&VjG1j þ ða� 1ÞjG2j bits for each user to store private keys.For the advanced scheme UDW , each user stores additionalð& þ 1ÞjG1j þ jG2j bits for the private key, while the publickey costs &jG2j þ jGT j bits.

5.3.2 Experiment-Based Analysis

Besides the simulation on laptops, we also conduct practicalexperiments on mobile devices. We use Java Pairing BasedCryptography (jPBC-1.2.0) Library to implement ourscheme. We continue to use curve D159 as the elliptic curve.For the experiment, we use the smartphone Nexus S with aSamsung Exynos 3110 processor. The smartphone has 1 GHzARM Cortex A8 core, and 512 MB RAM. The followingexperiment is built on the platform Android 2.3.2. Since thestorage cost in the experiment is the same as it in the simula-tion, we omit this analysis. For the computational costanalysis, we show the experimental results on attribute veri-fication process and the basic scheme of content dissemina-tion process. As we can see from Fig. 12a, the total cost ofverifying 10 attributes takes up to 60 s on the smartphoneplatform, which is almost 10 times than the results in oursimulation. Due to the insufficient computation capability ofsmartphones, it takes at most 4 s to decrypt the content withthe length no more than 510 bits. By applying our optimizedscheme, generating proof, commitment, and verification pro-cess reduce for 47.4, 32, and 41.2 percent, respectively. Wealso show our simulation results on the content dissemina-tion. As shown in Fig. 12b, the encryption time keeps flatwhen t increases, while the decryption time grows dramati-cally. For our advanced scheme NDW, the encryption timewith NDW reaches 79.2 s in Fig. 12c, which is approximatelythree times more than the time in Fig. 11b, while the opti-mized approach help the decryption time reduce to 29.8 s fort ¼ 10. If we applyUDW on our basic scheme, the maximumdecryption time is 5.13 s compared with the encryption time,which is 5.84 s. The optimized scheme also achieves betterperformances as shown in Fig. 12d.

6 CONCLUSION

In this paper, we propose the PSaD, a privacy-preservingsocial-assisted content dissemination scheme in DTNs. Thescheme mainly consists of attribute verification and pri-vacy-preserving content dissemination process. In ourscheme, mobile users first identify their social relationshipsin terms of identical attributes, then disseminate theirencrypted contents by each contact, in order to let userswho have the corresponding attributes decrypt the content.Based on the protocol evaluation, we show both the securityand efficiency of the proposed scheme.

ACKNOWLEDGMENTS

Thisworkwas partially supported by theUSNational ScienceFoundation under Grants CNS-0916391 and CNS-1343356,and the National Natural Science Foundation of China undergrant 61328208. The work of Chi was also partially supportedby the National Natural Science Foundation of China underGrant 61202140. The preliminary version of this paper waspublished in the 32nd IEEE International Conference onCom-puter Communications (INFOCOM) [1].

REFERENCES

[1] L. Guo, C. Zhang, H. Yue, and Y. Fang, “A Privacy-PreservingSocial-Assisted Mobile Content Dissemination Scheme inDTNS,” Proc. 32nd IEEE Int’l Conf. Computer Comm., pp. 2349-2357, 2013.

[2] P. Hui, A. Chaintreau, J. Scott, R. Gass, J. Crowcroft, and C. Diot,“Pocket Switched Networks and Human Mobility in ConferenceEnvironments,” Proc. ACM SIGCOMM Workshop Delay-TolerantNetworking, pp. 244-251, 2005.

[3] M. McPherson, L. Smith-Lovin, and J.M. Cook, “Birds of aFeather: Homophily in Social Networks,” Ann. Rev. of Sociology,vol. 27, no. 1, pp. 415-444, 2001.

[4] A.C.-C. Yao, “How to Generate and Exchange Secrets,” Proc. 27thAnn. Symp. Foundations of Computer Science (SFCS ’86), pp. 162-167,1986.

[5] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-Policy Attri-bute-Based Encryption,” Proc. IEEE Symp. Security and Privacy,pp. 321-334, 2007.

[6] Y. Zhu, B. Xu, X. Shi, and Y. Wang, “A Survey of Social-BasedRouting in Delay Tolerant Networks: Positive and Negative SocialEffects,” IEEE Comm. Surveys & Tutorials, vol. 15, no. 1, pp. 387-401, Jan./Mar. 2012.

[7] A. Vahdat and D. Becker, “Epidemic Routing for Partially-Con-nected Ad Hoc Networks,” technical report, Duke Univ., 2000.

[8] P. Hui, J. Crowcroft, and E. Yoneki, “Bubble Rap: Social-BasedForwarding in Delay Tolerant Networks,” Proc. Ninth ACM Int’lSymp. Mobile Ad Hoc Networking and Computing (MobiHoc ’08),pp. 241-250, 2008.

[9] A. Lindgren, A. Doria, and O. Schel�en, “Probabilistic Routingin Intermittently Connected Networks,” ACM SIGMOBILEMobile Computing and Comm. Rev., vol. 7, no. 3, pp. 19-20, July2003.

[10] E.M. Daly and M. Haahr, “Social Network Analysis for Routing inDisconnected Delay-Tolerant Manets,” Proc. Eighth ACM Int’lSymp. Mobile Ad Hoc Networking and Computing (MobiHoc ’08),pp. 32-40, 2007.

[11] W. Gao, Q. Li, B. Zhao, and G. Cao, “Multicasting in Delay Toler-ant Networks: A Social Network Perspective,” Proc. 10th ACMIntl’ Symp. Mobile Ad Hoc Networking and Computing (MobiHoc ’08),pp. 299-308, 2009.

[12] W. Gao and G. Cao, “User-Centric Data Dissemination in Disrup-tion Tolerant Networks,” Proc. IEEE INFOCOM, pp. 3119-3127,Apr. 2011.

[13] J. Wu and Y. Wang, “Social Feature-Based Multi-Path Routing inDelay Tolerant Networks,” Proc. IEEE INFOCOM, pp. 1368-1376,Mar. 2012.

Fig. 12. Experiment-based Results on Computational Cost.


[14] R. Lu, X. Lin, T. Luan, X. Liang, X. Li, L. Chen, and X. Shen,“Prefilter: An Efficient Privacy-Preserving Relay Filtering Schemefor Delay Tolerant Networks,” Proc. IEEE INFOCOM, pp. 1395-1403, Mar. 2012.

[15] R. Lu, X. Lin, and X. Shen, “Spring: A Social-Based Privacy-Preserving Packet Forwarding Protocol for Vehicular DelayTolerant Networks,” Proc. IEEE INFOCOM, pp. 1-9, 2010.

[16] O. Hasan, J. Miao, S. Mokhtar, and L. Brunie, “A Privacy Preserv-ing Prediction-Based Routing Protocol for Mobile Delay TolerantNetworks,” Proc. IEEE 27th Int’l Conf. Advanced Information Net-working and Applications (AINA), pp. 546-553, 2013.

[17] Y. Zhang and J. Zhao, “Social Network Analysis on Data Diffu-sion in Delay Tolerant Networks,” Proc. 10th ACM Int’l Symp.Mobile Ad Hoc Networking and Computing (MobiHoc ’09),pp. 345-346, 2009.

[18] A. Mei, G. Morabito, P. Santi, and J. Stefa, “Social-Aware StatelessForwarding in Pocket Switched Networks,” Proc. IEEE INFO-COM, pp. 251-255, Apr. 2011.

[19] E. Bulut and B. Szymanski, “Friendship Based Routing in DelayTolerant Mobile Social Networks,” Proc. IEEE GLOBECOM, pp. 1-5, Dec. 2010.

[20] G. Costantino, F. Martinelli, and P. Santi, “Investigating thePrivacy vs. Forwarding Accuracy Tradeoff in OpportunisticInterest-Casting,” IEEE Trans. Mobile Computing, vol. 13, no. 4,pp. 824-837, April 2014.

[21] G. Costantino, F. Martinelli, P. Santi, and D. Amoruso, “An Imple-mentation of Secure Two-Party Computation for Smartphoneswith Application to Privacy-Preserving Interest-Cast,” Proc. 18thAnn. Int’l Conf. Mobile Computing and Networking (Mobicom ’12),pp. 447-450, 2012.

[22] W.-J. Hsu, D. Dutta, and A. Helmy, “Profile-Cast: Behavior-AwareMobile Networking,” ACM SIGMOBILE Mobile Computing Comm.Rev., vol. 12, no. 1, pp. 52-54, Jan. 2008.

[23] J. Scott, R. Gass, J. Crowcroft, P. Hui, C. Diot, and A. Chaintreau,“CRAWDAD Trace Cambridge/Haggle/Imote/Infocom2006 (v.2009-05-29),” May 2009..

[24] J. Herranz, F. Laguillaumie, and C. R�afols, “Constant Size Cipher-texts in Threshold Attribute-Based Encryption,” Proc. 13th Int’lConf. Practice and Theory in Public Key Cryptography (PKC ’10),pp. 19-34, 2010.

[25] D. Boneh and M. Franklin, “Identity-Based Encryption from theWeil Pairing,” Proc. Advances in Cryptology (CRYPTO ’01), pp. 213-229, 2001.

[26] E.-J. Goh, “Encryption Schemes from Bilinear Maps,” PhD disser-tation, Department of Computer Science, Stanford Univ., Sept.2007.

[27] C. Delerabl�ee and D. Pointcheval, “Dynamic Threshold Public-Key Encryption,” Proc. 28th Ann. Conf. Cryptology: Advances inCryptology (CRYPTO ’08), pp. 317-334, 2008.

[28] D. Boneh, X. Boyen, and H. Shacham, “Short Group Signatures,”Proc. Advances in Cryptology (CRYPTO ’04), pp. 41-55, 2004.

[29] J. Groth and A. Sahai, “Efficient Non-Interactive Proof Systems forBilinear Groups,” Proc. Theory and Applications of CryptographicTechniques 27th Ann. Int’l Conf. Advances in Cryptology (EURO-CRYPT ’08), pp. 415-432, 2008.

[30] L. Guo, C. Zhang, J. Sun, and Y. Fang, “PAAS: Privacy-PreservingAttribute-Based Authentication System for Ehealth Networks,”Proc. 32nd IEEE Int’l Conf. Distributed Computing Systems (ICDCS’12), IEEE, 2012.

[31] L. Cheung and C. Newport, “Provably Secure Ciphertext PolicyAbe,” Proc. 14th ACM Conf. Computer and Comm. Security (CCS’07), pp. 456-465, 2007.

[32] P.S.L.M. Barreto, B. Libert, N. McCullagh, and J.-J. Quisquater,“Efficient and Provably-Secure Identity-Based Signatures andSigncryption from Bilinear Maps,” Proc. 11th Int’l Conf. Theory andApplication of Cryptology and Information Security (ASIACRYPT’05), pp. 515-532, 2005.

[33] B. Lynn, http://crypto.stanford.edu/pbc/, 2014.[34] M. Pirretti, P. Traynor, P. McDaniel, and B. Waters, “Secure Attri-

bute-Based Systems,” Proc. ACM Conf. Computer and Comm. Secu-rity (CCS ’06), pp. 99-112, 2006.

Linke Guo (S’10) received the BE degree inelectronic information science and technologyfrom the Beijing University of Posts and Tele-communications in 2008, and the MS degree inelectrical and computer engineering from theUniversity of Florida in 2011. He is currentlyworking toward the PhD degree in the Univer-sity of Florida. His research interests includenetwork security and privacy, social networks,and applied cryptography. He is a studentmember of the IEEE.

Chi Zhang received the BE and ME degrees inelectrical and information engineering from theHuazhong University of Science and Technol-ogy, China, in 1999 and 2002, respectively,and the PhD degree in electrical and computerengineering from the University of Florida in2011. He joined the University of Science andTechnology of China in September 2011 as anassociate professor of the School of Informa-tion Science and Technology. His researchinterests are in the areas of network protocol

design and performance analysis, and network security particularlyfor wireless networks and social networks. He has published over 60papers in journals such as IEEE/ACM Transactions on Networking,IEEE Journal on Selected Areas in Communications, and IEEETransactions on Mobile Computing and in networking conferencessuch as IEEE INFOCOM, ICNP, and ICDCS. He has served as theTechnical Program Committee members for several conferencesincluding IEEE INFOCOM, ICC, GLOBECOM, WCNC, and PIMRC.He has received the seventh IEEE ComSoc Asia-Pacific OutstandingYoung Researcher Award. He is a member of the IEEE.

Hao Yue (S’11) received the BE degree in tele-communication engineering from Xidian Univer-sity, China, in 2005. He has been working towardthe PhD degree in the Department of Electricaland Computer Engineering at University of Flor-ida since August 2009. His research interestsinclude wireless networks and mobile computing,cyber physical systems, and security and privacyin distributed systems. He is a student memberof the IEEE.

Yuguang Fang (F’08) received the PhD degreein systems engineering from Case WesternReserve University in January 1994, and thePhD degree in electrical engineering from Bos-ton University in May 1997. He was an assistantprofessor in the Department of Electrical andComputer Engineering at New Jersey Instituteof Technology from July 1998 to May 2000. Hethen joined the Department of Electrical andComputer Engineering at University of Floridain May 2000 as an assistant professor, got an

early promotion to an associate professor with tenure in August 2003and a professor in August 2005. He has published over 350 papers inrefereed professional journals and conferences. He received theNational Science Foundation Faculty Early Career Award in 2001 andthe Office of Naval Research Young Investigator Award in 2002. Hewon the Best Paper Award at IEEE ICNP ’2006. He has served onmany editorial boards of technical journals including IEEE Transac-tions on Communications, IEEE Transactions on Wireless Communi-cations, IEEE Transactions on Mobile Computing, Wireless Networks,and IEEE Wireless Communications (including the editor-in-chief). Heis currently the editor-in-chief of IEEE Transactions of Vehicular Tech-nology. He is also serving as the technical program co-chair for IEEEINFOCOM’2014. He is a fellow of the IEEE.

" For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


Download - IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 13, NO. 12

Top Related