Fine-grained Identification with Real-time Fairness in Mobile Social Networks †

Xiaohui Liang† , Xu Li† , Rongxing Lu† , Xiaodong Lin‡ , and Xuemin (Sherman) Shen† Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Ontario, Canada N2L 3G1 ‡ Faculty of Business and Information Technology, University of Ontario Institute of Technology, Oshawa, Ontario, Canada L1H 7K4 Email: {x27liang, x279li, rxlu, xshen}@bbcr.uwaterloo.ca; [email protected]

Abstract—Mutual user identification is a necessary step for establishing trust among users in an unattended mobile social network (MSN). Directly revealing identity information to others who are unknown to the users may result in an unfair situation regarding identity when other parties of the identification process misbehave. Using an on-line trusted third party (TTP) for user identification causes communication and security problems, while a traditional off-line TTP solution generates delay in fair distribution. In this paper, we propose a novel fine-grained identification protocol, which provides confidentiality, unlinkability, and real-time fairness without the involvement of TTP. For the protocol, identification is carried out by an iterative identification information exchange process, where two participating users must disclose part of their identification information to each other in each iteration. The process terminates whenever one of them fails to do so. In this way, if a user loses part of his/her identification information to another user, he/she must have obtained an approximately equal amount of identification information of that user. Therefore, inappropriate behavior is discouraged, and fairness is improved. Through analysis, we demonstrate that fairness can be guaranteed as long as users strictly follow the protocol. Extensive simulation results further confirm that the proposed protocol can significantly reduce the loss of fairness in the MSN environment. Keywords- Mobile social networks; trust; fairness; identification.

I. I NTRODUCTION A mobile social network (MSN) is a peer-to-peer environment where multiple individuals (users) of similar interests or commonalities interact with each other using mobile handheld communication devices, such as cell phones (or PDAs). An MSN integrates a wide variety of resources, such as data, voice, video and other networked tools, and provides us with a platform through which we may converse in a uniformed way anytime, anywhere. Indeed, it is not computers but cell phones that accompany us most of time every day. With everadvancing wireless communication technologies and rapid adaptation of mobile devices, an MSN holds the promise of revolutionizing the way we develop and maintain social relations in the future. Similar to many spontaneous interest groups or clubs in human society, an MSN is an open environment where users enter and leave as they wish and may barely know each other. For self-defense, users interact based on the trust established among them and tend not to deal with untrusted peers. Trust is the degree of belief about the future behavior of others that

is based on one’s past experience with, and observation of, the others’ actions [1]. Since trust is implied with individual users, mutual user identification is often necessary for the establishment of trust. Direct exposure of a user’s identity in the communication process brings security and privacy issues that has attracted considerable research. Anonymity-enabling techniques [2]–[6] were presented to protect a user’s identify from being disclosed. In this paper, we address the user identification problem from a different perspective: ensuring equal information exposure, i.e., the fairness established during the course of identification. As an essential factor of the wide-acceptance of applications in distributed systems, fairness [7], [8] has been well studied. However, in an emerging MSN, establishing fairness faces a new set of challenges. First, the high mobility of social users poses significant difficulties in distinguishing between an unfair cheating behavior and an unpredictable disconnection. Second, the ever-increasing privacy needs compel users unlikely to provide traceable and identifiable information to the untrustworthy and short-term MSN neighbors. As an unpleasant result, even if a user detects an unfair cheating behavior, the malicious user cannot be effectively identified and fought. Third, the information exchanged in an MSN is mostly time-sensitive, e.g., restaurant guides or weather forecasts from location-based services. Their value diminishes over time. A delayed enforcement of fairness may not be compensatory to the loss of instant information. Many fair exchange protocols have appeared in the literature. In order to ensure perfect fairness, a trusted third party (TTP) must be involved, either on-line or off-line. On-line TTP [9] serves as an exchange center, collecting items and then delivering them to the proper destinations. It protects user privacy and provides real-time fairness. It, however, causes problems such as single point failure, communication bottleneck and vulnerability to network attacks. Off-line TTP [8] is requested on demand, only when unfairness occurs. It does not have the previously mentioned problems but increases time delay. Alternatively, an approach known as the gradual exchange protocol (GEP) [7] was presented to achieve fairness without TTP involvement. Two users release part of a secret to each other in iterations until they both have the each other’s entire secret. This approach ensures that, if a user exposes some information to the other user, it obtains a comparable amount

of information from that user. This approach discourages cheating behaviors and finally improves fairness. Inspired by GEP, in this paper, we propose a fine-grained identification protocol that ensures real-time fairness while providing satisfactory user privacy preservation and good user mobility tolerance. Our contributions are threefold. First, we design an identification scheme by which a user is able to disclose a fine-grained amount of information about its interested attributes. Second, we develop an identification protocol with certain rules, and demonstrate that the protocol can not only achieve the confidentiality and unlinkability of the identification information, but also guarantee user fairness. Third, we incorporate users’ uncertainty into the measurement of fairness loss, and then we conduct extensive simulations to confirm the significant improvement on fairness by the proposed protocol. The remainder of this paper is organized as follows. Section II introduces the network model, security model and design goal. In Section III, we propose a fine-grained identification protocol with fairness, and we also confirm its security properties. The fairness loss of the proposed protocol is evaluated in Section IV, followed by the conclusions in Section V. II. P ROBLEM F ORMALIZATION A. Network Model We consider a typical homogeneous MSN consisting of s mobile social users denoted by V = {n1 , n2 , · · · , ns }, where the transmission range of all users, denoted by tr, are the same. The communication between any two users ni and nj is bidirectional, i.e., ni can hear nj if and only if nj can also hear ni . If ni can hear nj , nj is called a proximal user of ni . We have two observations from the social perspective. Firstly, a mobile social user usually has a fixed set of social spots that he/she frequently visits. The mobility pattern of each user is largely dependent on these social spots. Secondly, a mobile social user is usually willing to help others with whom he has the common interests, because such information exchange can be more effective and reciprocal. In our model, we denote Au = {a1 , · · · , al } as the universal attribute set and Su = {s1 , · · · , sm } as the universal social spot set. We also denote Ai ⊆ Au and Si ⊆ Su as the attribute set and the social spot set of user ni respectively. B. Security Model Since a mobile social network is unattended, any mobile social user possibly acts as a malicious adversary who may readily launch security attacks to violate other users’ privacy. In our security model, we assume an adversary can compromise a fraction of mobile social users and aggregate the information they collected. We consider two types of attacks, one is eavesdropping the transactions generated by the target mobile social users; the other one is linking multiple transactions to a specific user. Additionally, in the unattended mobile social networks, to maintain the real-time fairness on exchanging the identification information is very challenging. Since mobile social users

are likely to expose accurate identification information in return for other users’ trusts, a malicious user can take the advantage of users’ desire and always act passively to collect a large amount of “free” identification information. If a mobile social user accidentally or inappropriately discloses the critical identification information to such a malicious user, his/her privacy maybe completely violated. C. Design Goal The design goal is to develop an efficient identification protocol with real-time fairness. Specifically, the following two desirable objectives will be achieved. 1) Preserving confidentiality and unlinkability of the identification information: In the proposed protocol executed by any two mobile social users in proximity, it is desirable to secure the exchanged identification information with strong confidentiality. In addition, it is required that the identification information cannot be linked together by any compromised user, or even by colluded users. 2) Ensuring identification information fairness between any two mobile social users: In order to reduce the “free” identification information and lower the risk of privacy violation, it is significant to design a gradual identification information sharing protocol which maximumly ensures the fairness between two users. In the protocol, a mobile social user is able to start disclosing a small fraction of identification information to another untrusted user. Without enough feedbacks from that user, it will never advance the protocol with further transactions. III. P ROPOSED I DENTIFICATION P ROTOCOL In this section, we propose the identification protocol for mobile social networks. Before proceeding the identification protocol, the design rationale is first introduced. A. Design Rationale In mobile social networks, instead of being identified by unique identities, users have common interests, also referred as to attributes. Similar to identification, the appropriate disclosure of personal attributes, would assist users building trust relationship with other users in an unattended environment. We generally consider the mobile social networks with two types of entities, a Trusted Authority (TA) and many users. In the initialization phase, a TA generates credentials for users. Each user is assigned with a set of credentials and each credential corresponds to an attribute. At the same time, TA publishes the universal attribute information to all the users. The protocol also adopts the multiple pseudonym approach from [10]. The basic idea is that TA pre-loads a set of pseudonyms into each user’s mobile devices. Users periodically change the pseudonyms and whenever the pseudonyms are used up, they have to contact the TA for refill. As indicated in network model, when user ni and nj are in each other’s proximity, they start the proposed identification protocol to establish mutual trust. The first transaction trani,1 is generated by the user ni . Transaction trani,1 does not

directly disclose any of user ni ’s attributes to user nj . Instead, transaction trani,1 relates to user ni ’s policy tree Ti,1 and discloses the possibility of user ni ’s attributes. An example of the policy tree is shown in Fig. 1 and this policy tree can be satisfied by multiple attribute sets (not only user ni ’s attribute set). The formal definition of satisfying relation between an attribute set and a policy tree is given as follow: An attribute set satisfying a policy tree: A policy tree T consists of single threshold gate z among attributes. Let Θ denote the attribute set corresponding to all the leaf nodes in T . We define that an attribute set A satisfies T if |A∩Θ| ≥ z. At k-th iteration, let Ai,k be the set of all the attribute sets which satisfy the policy tree Ti,k . Possible interested attribute set

{a1 ,a2} {a1 ,a3} {a1 ,a4}

Policy tree

2 Satisfy

…

{a3 ,a4} Fig. 1.

a1

a2

a3

a4

Policy tree

To attain the fairness, the proposed protocol has two additional requirements: firstly, user ni is required to choose the next policy tree Ti,k+1 according to the previous policy tree Ti,k (k ≥ 1) such that Ai,k+1 ⊂ Ai,k . For example, if Ti,k is ”1 out of a1 , · · · , a8 ”, Ti,k+1 can be chosen as ”1 out of a3 , · · · , a6 ”. In this way, after user ni delivers k transactions, the amount of information received by user nj only depends on the policy tree Ti,k in the latest transaction trani,k , denoted as ci,k . Secondly, user ni ensures that ci,k ≤ cj,k before sending next transaction σi,k+1 . If user ni executes each step according to the above requirements, whenever the protocol is stopped, user ni only loses the amount of information ci,1 or ci,k+1 − cj,k (≤ ci,k+1 − ci,k ) for (k ≥ 1). In the proposed protocol, user ni can adjust the fine-grained level so that ci,1 and ci,k+1 − ci,k for (k ≥ 1) are minimum values. B. The Fine-grained Identification Scheme In this section, we present the details of the fine-grained identification scheme. This scheme can be divided into two phases: initialization and identification. I NITIALIZATION P HASE : Let G and GT be two finite cyclic groups of the same large order n, where n is the product of two large primes p and q. Suppose G and GT are equipped with a pairing, i.e., a non-degenerated and efficiently computable bilinear map e : G × G → GT such that i) ∀g, h ∈ G, ∀a, b ∈ Zn , e(g a , hb ) = e(g, h)ab ; and ii) ∃g ∈ G, e(g, g) has order n in GT [4], [11]. In the initialization phase, a trusted authority (TA) first chooses two generators (g, u) of G and a generator h of Gq (a subgroup of G with order q). Then, TA selects a secure cryptographic hash function H : {0, 1}∗ → Z∗n , and chooses a random number δ ∈ Z∗n . We suppose that the system supports the maximum threshold d. TA chooses a redundant attribute set Ar indexed from l + 1 to l + d − 1. For each attribute (ay )1≤y≤l+d−1 , it also chooses

unique random numbers ty ∈ Z∗n . TA computes A = e(g, u)δ and (Ty = g ty )1≤y≤l+d−1 . TA keeps the master key (δ, (ty )1≤y≤l+d−1 ) secretly, and publishes the public parameter ⟨n, g, u, h, G, GT , e, H, A, (Ty )1≤y≤l+d−1 , Au ∪ Ar ⟩. Let user ni ’s attribute set be Ai ⊆ Au . TA chooses a unique random number t ∈ Z∗n and a random polynomial q(x) = ρd−1 xd−1 +ρd−2 xd−2 +· · ·+ρ1 x+δ with degree d−1. Then, q(y)

TA generates Ei = ⟨t, (dy )ay ∈Ai ∪Ar ⟩, where dy = u t+ty . User ni obtains Ei from TA through a secure channel. I DENTIFICATION P HASE : Let users ni (with pseudonym pidi ) and nj be prover and verifier respectively, Ti,k (threshold z ≤ d) ni ’s policy tree, and Θi,k an attribute set corresponding to Ti,k ’s leaf nodes. Let Φi,k (⊆ Ai ∩ Θi,k ) be a z-size set. • User ni first chooses a subset Ar′ ∈ Ar such that |A′r | = d− k. Without loss of generality, let Ar′ = {al+1 , · · · , al+d−k }. Then, for each attribute in ay ∈ Ψ = ∑ Φi,k ∪ Ar′ , user ni 0−m . computes the Lagrange coefficient ωy = m|am ∈Ψ,m̸=y y−m ∗ User ni randomly selects rt , rp , ry ∈ Zn for ay ∈ Θi,k ∪ Ar′ and computes Sy for ay ∈ Θi,k ∪ Ar′ as follows { ry y dω y · h , if ay ∈ Ψ Sy = hry , if ay ∈ Θi,k \ Φi,k User ni outputs the signature σi,k = ⟨Ti,k , St , Sp , (Sy )ay ∈Θi,k ∪Ar′ , π1 , π2 ⟩, 1

where St = g t · hrt , Sp = g t+H(pidi ) · hrp and ∏ ∏ y rt π1 = Sprt (g H(pidi ) g t )rp ,π2 = (dω y ) ay ∈Ψ

(St Ty )ry

ay ∈Θi,k ∪Ar′

• User nj receives σi,k and checks  ? H(pidi )  , Sp ) = e(g, g) · e(h, π1 )  e(St g ∏ ? e(Sy , St Ty ) = A · e(h, π2 ),   ay ∈Θi,k ∪Ar′

If the above equations hold, nj confirms that ni with pseudonym pidi has an attribute set which satisfies Ti,k . C. Proposed Protocol Mobile social users will initiate the proposed protocol if there is at least another user in proximity. As discussed in Section II-A, to achieve user privacy, the mobile social users can coordinate a pseudonym change as the Swing protocol [10]. At the beginning of the protocol, we assume that users ni and nj exchange the currently-used pseudonyms pidi and pidj . The following steps of the proposed protocol will be alternatively executed by the two users ni and nj . E(id, ∗) denotes an id-based encryption algorithm with identity id [12]. As shown in Table I, for the first transaction trani,1 , user ni chooses a policy tree with self-satisfied anonymity; for the rest transactions like trani,k+1 and tranj,k (k ≥ 1), user ni always generates trani,k+1 so that trani,k+1 contains larger amount of information in tranj,k while user nj always generates tranj,k so that tranj,k contains the same amount of information in trani,k . Whenever receiving a transaction from

the other one, user ni responds if the amount of information in tranj,k equals to that of transi,k , and user nj responds if the amount of information in trani,k+1 is larger than tranj,k . TABLE I T HE PROPOSED IDENTIFICATION PROTOCOL user ni (pidi ) output σi,1

user nj (pidj ) pidi , pidj ←−−−−−−−−−−−→ trani,1 =E(pidj ,σi,1 ) −−−−−−−−−−−−−−−→

decrypt trani,1 verify σi,1 , output σj,1 (cj,1 = ci,1 )

tranj,1 =E(pidi ,σj,1 )

decrypt tranj,1 verify σj,1 if cj,1 = ci,1 , output

←−−−−−−−−−−−−−−−

σi,2 (ci,2 > cj,1 )

−−−−−−−−−−−−−−−→

···

←−−−−−−−−−−−−−−− ···

trani,2 =E(pidj ,σi,2 )

tranj,2 =E(pidi ,σj,2 )

decrypt trani,2 verify σi,2 if ci,2 > cj,1 , output σj,2 (cj,2 = ci,2 )

D. Security Analysis In this section, we analyze the security properties of the proposed protocol. Specifically, following the security model II-B, our analysis focuses on how the proposed protocol can preserve the confidentiality and unlinkability of identification information, and maximumly guarantee user fairness as well. The proposed protocol can preserve confidentiality and unlinkability of the identification information: In the proposed protocol shown in Table I, the first interaction allows the users to exchange their currently-used pseudonyms. In the following, each user encrypts the identification information with the other’s pseudonym. The use of peer-to-peer encryption ensures no third user is able to decrypt the exchanging transactions. Therefore, the confidentiality of identification information is achieved. In addition, the proposed protocol adopts multiple pseudonyms approach. That is, a set of pseudonyms is preloaded into each user’ device by the TA. Users frequently change their pseudonyms used to send transactions and refill with new pseudonyms once the pre-loaded pseudonyms are used up. Therefore, the unlinkability between any two transactions generated by the same user is achieved. The proposed protocol can maximumly guarantee user fairness: The fairness between any two users is derived from two typical features of the proposed protocol. Firstly, a user anonymizes its interested attribute set by a policy tree and generates the transaction related to that policy tree. In this way, the receiver is able to learn that the sender’s attribute set satisfies the policy tree but still not sure about the exact interested attributes. The construction of the policy tree supports single threshold gate among attributes. This provides an efficient and expressive way allowing a user to minimize the fairness loss according to its own willingness. Secondly, except the first transaction voluntarily started by user ni , other transactions will be sent by the user after a strict verification of the last transaction from the other user. Specifically, the proposed fine-grained identification scheme is built based on the efficient non-interactive proof systems for bilinear groups

in [11] and its unforgeability and anonymity are guaranteed by the works [4], [11]. With the security properties, a user can verify whether the other user’s interested attribute set satisfies the policy tree. The protocol also requires that the user will not proceed with further transactions until it receives enough feedback from the other user. Therefore, the difference between the amounts of information obtained by the two users can be minimized as much as the user expects. In other words, the proposed protocol can maximumly guarantee user fairness. IV. P ERFORMANCE E VALUATION In order to give insights into user fairness of the proposed protocol in mobile social networks, we have conducted a set of custom simulations built in Java. In the following, we detail our simulation settings and then present simulation results. A. Simulation Settings We consider a relatively small and typical mobile social network model, where 100 mobile social users equipped with wireless PDA communication devices are uniformly deployed in an interest area 1, 000 m × 1, 000 m. We fix the number of universal attributes as 50, i.e., |Au | = 50. Each user ni could have any attribute subset Ai ⊆ Au . We also set the number of user attribute set into [5, 15], i.e., 5 ≤ |Ai | ≤ 15. Mobility Model: A set of 20 social spots, denoted as Su are randomly deployed into the interest area and each mobile social user has a fixed social spot set Si ⊂ Su , where 6 ≤ |Si | ≤ 10. Each user randomly chooses a social spot from its social spot set, and arrives there along the shortest path with the velocity between [0.5,2] m/sec. After arriving at the social spot, the user spends at most 5 minutes there and randomly chooses the next one. User Objective: We randomly select a user ni with an interested attribute aα ∈ Ai , and we simplify user ni ’s objective as to find the proximal users who have attribute aα . We set user ni ’s velocity as 1.5 m/sec. We assume that users ni chooses the policy trees following the sequence “1 of 16, 1 of 8, 1 of 4, 1 of 1”. Let Ai,z (z = 4, 8, 16) be the z-size set selected by user ni , where {aα } ⊂ Ai,4 ⊂ Ai,8 ⊂ Ai,16 . Then, user ni formalizes Ti,1 = 1 of Ai,16 , Ti,2 = 1 of Ai,8 , Ti,3 = 1 of Ai,4 , Ti,4 = aα . User ni generates the transactions transi,k corresponding to the policy tree Ti,k . Let user nj be a proximal user of user ni . If user nj does not have any common attribute with Ai,k , the protocol is immediately stopped by user nj . On the other hand, if user nj has the attribute aα , it also chooses the policy trees following the sequence “1 of 16, 1 of 8, 1 of 4, 1 of 1”. The evolution of the uncertainty about the attribute information is shown in Fig. 2, where ux represents the received information with uncertainty x. Referred to the work [13], the uncertainty of targeting the interested ∑ attribute aα from a set A can be given by the formula − ax ∈A Pr[aα ∑ = ax ] log2 Pr[aα = ax ]. Therefore, we denote Uθ (r) = − ax ∈A Pr[aα = ax ] log2 Pr[aα = ax ] (θ = i, j) as the uncertainty about user nθ¯’s attribute from user nθ ’s perspective, where A is the attribute set of the policy tree corresponding to the user nθ¯’s latest transaction after round r. As

r1

r2

r3

r4

r5

r7

r6

r8

r9

round

Fig. 2.

r

The effect of uncertainty to the proposed protocol

∑50 1 1 shown in Fig. 2, at round r2 , Ui (r2 ) = − k=1 50 log2 50 = ∑16 1 1 log2 50 and nj is Uj (r2 ) = − k=1 16 log2 16 = 4. It can be seen that for r = r1 , r3 , r5 , r7 , r9 , Ui (r) = Uj (r). If the protocol is stopped at these rounds, the fairness is perfectly achieved. For r = r2 , r4 , r6 , r8 , Ui (r) > Uj (r). We define the fairness loss f li,j (r) = Ui (r) − Uj (r). We set pseudonym change period as 1200 seconds [10] and user ni uses the same policy tree set for one entire period. We perform the simulations under different number of malicious users (5, 40) and two sets of policy trees “Set 1: (1 of 16, 1 of 8, 1 of 4, 1 of 1)” and “Set 2: (1 of 4, 1 of 2, 1 of 1)”. For each case, we take 500 samples ∑ and evaluate their average of accumulative fairness loss j f li,j (r) (j is the indexes of all the proximal users that user ni meets in one period). B. Simulation Results

200

160

140 120 100 80

140 120 100 80

60

60

40

40

20 0

PRO, mal = 5 TRD, mal = 5 PRO, mal = 40 TRD, mal = 40

180

Fairness loss factor

Fairness loss factor

160

20 0

5

10

15 20 25 The number of visited users

30

(a) Policy Tree Set 1 Fig. 3.

35

40

0

V. C ONCLUSIONS In this paper, we have presented a fine-grained identification protocol with real-time fairness in mobile social networks. The proposed protocol can not only preserve the confidentiality and unlinkability of user identification information, but it also is able to provide a maximum of real-time fairness to users. Through extensive performance evaluation, we have demonstrated the comparison of fairness loss between the proposed protocol and the traditional protocol under various parameter settings. The simulation results confirm that in mobile social networks, the proposed protocol can significantly reduce the fairness loss from users’ perspectives. R EFERENCES

200 PRO, mal = 5 TRD, mal = 5 PRO, mal = 40 TRD, mal = 40

180

equally into account. Therefore, the actual fairness loss not only depends on the number of malicious users, but also relates to how many proximal users has a common attribute with Ai,1 . The sub-figures 3(a) and 3(b) also show the comparisons of fairness loss in terms of different policy tree sets. In the case of figure 3(a), the first policy tree Ti,1 chosen by user ni is “1 of 16”, and the uncertainty of the transaction trani,1 would be 4, while in the case of figure 3(b), the uncertainty of the transaction trani,1 corresponding to the policy tree “1 of 4” would be 2. In mobile social environment, user ni may have much larger fairness loss if it discloses the information with less uncertainty. The simulation results confirm this conclusion by showing that the fairness loss of PRO significantly increases if the policy setting changes from “Set 1” to “Set 2”.

0

5

10

15 20 25 The number of visited users

30

35

40

(b) Policy Tree Set 2

Fairness loss versus the visited users.

Fig. 3 shows the fairness loss in terms of different number of visited users. It can be seen that the proposed protocol (PRO) can significantly reduce the fairness loss in comparing to the traditional protocol (TRD), where users are assumed to identified their attribute to others in one-round in TRD. In addition, as the number ∑ of visited users increases, the accumulative fairness loss j f li,j (r) increases. This is because that user ni ’s fairness loss continuingly increases when meeting other unvisited users who do not have the attribute aα . Further observing the accumulative fairness loss with different number of malicious users in either Fig. 3(a) or Fig. 3(b), we can see that the fairness loss slightly increases even if the number of malicious users dramatically increases from “mal = 5” to “40”. The reason is that, when the number of malicious users is 5, if a normal proximal user nj does not have any attribute in Ai,1 , it will stop the protocol and acts exactly the same as a malicious adversary who passively collects the identification information. Since user ni cannot effectively differentiate the two cases, the calculated fairness loss will take both conditions

[1] A. Boukerche, L. Xu, and K. El-Khatib, “Trust-based security for wireless ad hoc and sensor networks,” Computer Communications, vol. 30, no. 11-12, pp. 2413–2427, 2007. [2] R. Lu, X. Lin, H. Zhu, P. Ho, and X. Shen, “A novel anonymous mutual authentication protocol with provable link-layer location privacy,” IEEE Transactions on Vehicular Technology, vol. 58, no. 3, pp. 1454–1466, 2009. [3] A. Wasef and X. Shen, “Edr: Efficient decentralized revocation protocol for vehicular ad hoc networks,” IEEE Transactions on Vehicular Technology, vol. 58, no. 9, pp. 5214–5224, 2009. [4] X. Liang, Z. Cao, J. Shao, and H. Lin, “Short group signature without random oracles,” in ICICS, 2007, pp. 69–82. [5] R. Lu, X. Lin, H. Zhu, P.-H. Ho, and X. Shen, “Ecpp: Efficient conditional privacy preservation protocol for secure vehicular communications,” in INFOCOM, 2008, pp. 1229–1237. [6] X. Liang, R. Lu, X. Lin, and X. Shen, “Message authentication with non-transferability for location privacy in mobile ad hoc networks,” in IEEE GLOBECOM, 2010. [7] M. Blum, “How to exchange (secret) keys (extended abstract),” in STOC, 1983, pp. 440–447. [8] F. Bao, R. H. Deng, and W. Mao, “Efficient and practical fair exchange protocols with off-line ttp,” in IEEE Symposium on Security and Privacy, 1998, pp. 77–85. [9] P. D. Ezhilchelvan and S. K. Shrivastava, “A family of trusted third party based fair-exchange protocols,” IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 4, pp. 273–286, 2005. [10] M. Li, K. Sampigethaya, L. Huang, and R. Poovendran, “Swing & swap: user-centric approaches towards maximizing location privacy,” in WPES, 2006, pp. 19–28. [11] J. Groth and A. Sahai, “Efficient non-interactive proof systems for bilinear groups,” in EUROCRYPT, 2008, pp. 415–432. [12] B. Waters, “Efficient identity-based encryption without random oracles,” in EUROCRYPT, 2005, pp. 114–127. [13] A. Serjantov and G. Danezis, “Towards an information theoretic metric for anonymity,” in Privacy Enhancing Technologies, 2002, pp. 41–53.