Detection of Malicious Packet Dropping in Wireless Ad Hoc Networks Based on Privacy-Preserving Public Auditing
Tao Shu, Department of Computer Science and Engineering, Oakland University, Rochester, MI 48309, USA, shu@oakland.edu
Marwan Krunz, Department of Electrical and Computer Engineering, University of Arizona, Tucson, AZ 85721, USA, krunz@email.arizona.edu
ABSTRACT
In a multi-hop wireless ad hoc network, packet losses are attributed to harsh channel conditions and intentional packet discard by malicious nodes. In this paper, while observing a sequence of packet losses, we are interested in determining whether losses are due to link errors only, or due to the combined effect of link errors and malicious drop. We are especially interested in insider's attacks, whereby a malicious node that is part of the route exploits its knowledge of the communication context to selectively drop a small number of packets that are critical to network performance. Because the packet dropping rate in this case is comparable to the channel error rate, conventional algorithms that are based on detecting the packet loss rate cannot achieve satisfactory detection accuracy. To improve the detection accuracy, we propose to exploit the correlations between lost packets. Furthermore, to ensure truthful calculation of these correlations, we develop a homomorphic linear authenticator (HLA) based public auditing architecture that allows the detector to verify the truthfulness of the packet loss information reported by nodes. This architecture is privacy preserving, collusion proof, and incurs low communication and storage overheads. Through extensive simulations, we verify that the proposed mechanism achieves significantly better detection accuracy than conventional methods such as a maximum-likelihood based detection.
Categories and Subject Descriptors
C.2.0 [Computer-Communication Networks]: General—Security and Protection (e.g., firewalls)
General Terms
Security, reliability, algorithms, design
Keywords
Denial-of-service, malicious user detection, homomorphic linear authentication, wireless ad hoc networks, security
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
WiSec'12, April 16–18, 2012, Tucson, Arizona, USA.
Copyright 2012 ACM 978-1-4503-1265-3/12/04 ...$10.00.
1. INTRODUCTION
1.1 Motivation
In a multi-hop wireless network, nodes cooperate in relaying/routing traffic. An adversary can exploit this cooperative nature to launch denial-of-service (DoS) attacks. For example, the adversary may first pretend to be a cooperative node in the route discovery process. Once included in a route, the adversary may start maliciously dropping packets. In the most straightforward form of this attack, the malicious node simply stops forwarding packets received from upstream nodes, completely disrupting the traffic delivery between the source and the destination. Eventually, such severe DoS attacks can paralyze the network by partitioning its topology.
Even though persistent packet dropping can effectively degrade the performance of the network, from the attacker's standpoint performing such an "always-on" attack has its disadvantages in terms of the ease of detection [22]. A malicious node that is part of the route can actually exploit its knowledge of the network protocols and the communication context to launch an insider's attack, aiming at achieving the same attack effect but at a much lower risk of being detected. Specifically, the malicious node can identify the importance of various packets and drop a small number of packets that are deemed highly critical to the performance of the network. These important packets are typically control packets. For example, in a frequency-hopping network, these packets may convey frequency hopping sequences; in an ad hoc cognitive radio network, they could be the packets that carry the idle channel lists (i.e., white spaces) that are used to establish a network-wide control channel. By targeting these critical packets, the authors in [18, 21, 22] have shown that a non-persistent insider's attack can cause significant damage to the network performance. In this paper, we are interested in combating such an insider's attack. In particular, we are interested in the problem of detecting the events of selective packet drops and identifying the malicious node(s) responsible for these drops.
Detecting malicious selective packet dropping is extremely challenging in a highly dynamic wireless environment. The difficulty stems from the requirement that we need to not only detect the location (or hop) where the packet drop took place, but also identify whether the drop is intentional or not. Specifically, because of the open nature of the wireless medium, the quality of the channel typically fluctuates due to fading, shadowing, interference, and background noise. As a result, a packet drop in the route could be caused by harsh channel conditions (a.k.a. link errors) or by malicious behavior. In some cases, e.g., a highly mobile environment, link errors are quite significant. So, a malicious node can camouflage its attack under the background of harsh channel conditions by selectively dropping a small number of highly important packets. In this case, observing the packet loss rate is not enough to accurately identify the exact cause of a packet loss, because the packet drop rate by the malicious node is comparable to that of wireless link errors. Clearly, deciding whether a packet drop is intentional or unintentional in such an ambiguous setup is a challenging problem.
The above problem has not been well addressed in the literature. As discussed in Section 2, most of the related works preclude the ambiguity of the environment by assuming that malicious dropping is the only source of packet loss, so that there is no need to account for the impact of link errors. On the other hand, for the small number of works that differentiate between link errors and malicious packet drops, their detection algorithms usually require the number of packets dropped by the attacker to be significantly higher than link errors, in order to provide an acceptable detection accuracy.
1.2 Main Contribution and Paper Organization
In this paper, we develop an accurate algorithm for detecting selective packet drops made by insider malicious nodes. Our algorithm also provides a truthful and publicly verifiable decision statistic as proof to support the detection decision. The high detection accuracy is achieved by exploiting the correlations between the positions of lost packets, as calculated from the packet-loss bitmap (a bitmap describing the lost/received status of each packet in a sequence of consecutive packet transmissions). The basic idea behind this method is that even though malicious dropping may result in a packet loss rate that is comparable to normal channel losses, the stochastic processes that characterize the two phenomena exhibit different correlation structures (equivalently, different patterns of packet losses). Therefore, by detecting the correlations between lost packets, one can decide whether the packet loss is purely due to regular link errors, or is a combined effect of link errors and malicious drops. Our algorithm takes into account the cross-statistics between lost packets to make a more informative decision, and thus is in sharp contrast to the conventional methods that rely only on the distribution of the number of lost packets.
The main challenge in realizing our mechanism lies in how to guarantee that the packet-loss bitmaps reported by individual nodes along the route are truthful, i.e., reflect the actual status of each packet transmission. Such truthfulness is essential for correct calculation of the correlation between lost packets. This challenge is not trivial, because it is natural for an attacker to report false information to the detection algorithm to avoid being detected. For example, the malicious node may understate its packet-loss bitmap, i.e., some packets may have been dropped by the node but the node reports that these packets have been forwarded. Therefore, some auditing mechanism is needed to verify the truthfulness of the reported information. Considering that a typical wireless device is resource-constrained, we also require that a user should be able to delegate the burden of auditing and detection to some public server to save its own resources.
Our solution to the above public-auditing problem is constructed based on the homomorphic linear authenticator (HLA) cryptographic primitive [2, 3, 24], which is basically a signature scheme widely used in cloud computing and storage server systems to provide a proof of storage from the server to entrusting clients [25]. However, direct application of HLA does not solve our problem well, mainly because in our problem setup there can be more than one malicious node along the route. These nodes may collude (by exchanging information) during the attack and when being asked to submit their reports. For example, a packet and its associated HLA signature may be dropped at an upstream malicious node, so a downstream malicious node does not receive this packet and the HLA signature from the route. However, this downstream attacker can still open a back-channel to request this information from the upstream malicious node. When being audited, the downstream malicious node can still provide a valid proof for the reception of the packet, so packet dropping at the upstream malicious node is not detected. Such collusion is unique to our problem, because in the cloud computing/storage server scenario, a file is uniquely stored at a single server, so there are no other parties for the server to collude with. We show that our new HLA construction is collusion-proof.
Our construction also provides the following new features. First, privacy preservation: the public auditor should not be able to discern the content of a packet delivered along the route through the auditing information submitted by individual hops, no matter how many independent reports of the auditing information are submitted to the auditor. Second, our construction incurs low communication and storage overheads at intermediate nodes. This makes our mechanism applicable to a wide range of wireless devices, including low-cost wireless sensors that have very limited bandwidth and memory capacities. This is also in sharp contrast to the typical storage-server scenario, where bandwidth/storage is not considered an issue.
The remainder of this paper is organized as follows. In Section 2 we review the related work. The system/adversary models and problem statement are described in Section 3. We present the proposed scheme and analyze its security performance and overheads in Section 4. Simulation results are presented in Section 5, and we conclude the paper in Section 6.
2. RELATED WORK
Depending on how much weight a detection algorithm gives to link errors relative to malicious packet drops, the related work can be classified into the following two categories.
The first category aims at high malicious dropping rates, where most (or all) lost packets are caused by malicious dropping. In this case, the impact of link errors is ignored. Most related work falls into this category. Based on the methodology used to identify the attacking nodes, these works can be further classified into four sub-categories. The first sub-category is based on credit systems [7, 27]. A credit system provides an incentive for cooperation. A node receives credit by relaying packets for others, and uses its credit to send its own packets. As a result, a malicious node that continues to drop packets will eventually deplete its credit, and will not be able to send its own traffic. The second sub-category is based on reputation systems [4, 6, 8, 9, 11, 16, 17]. A reputation system relies on neighbors to monitor and identify misbehaving nodes. A node with a high packet dropping rate is given a bad reputation by its neighbors. This reputation information is propagated periodically throughout the network and is used as an important metric in selecting routes. Consequently, a malicious node will be excluded from any route. The third sub-category of works relies on end-to-end or hop-to-hop acknowledgements to directly locate the hops where packets are lost [15, 19, 20]. A hop with a high packet loss rate will be excluded from the route. The fourth sub-category addresses the problem using cryptographic methods. For example, the work in [14] utilizes Bloom filters to construct proofs for the number of packets that are forwarded at each node. By examining the number of relayed packets at successive hops along a route, one can identify suspicious hops that exhibit high packet loss rates. Similarly, the method in [13] traces the forwarding records of a particular packet at each intermediate node by formulating the tracing problem as a Renyi-Ulam game. The first hop where the packet is no longer forwarded is considered a suspect for misbehaving.
The second category targets the scenario where the number of maliciously dropped packets is significantly higher than that caused by link errors, but the impact of link errors is non-negligible. Certain knowledge of the wireless channel is necessary in this case. The authors in [23] proposed to shape the traffic at the MAC layer of the source node according to a certain statistical distribution, so that intermediate nodes are able to estimate the rate of received traffic by sampling the packet arrival times. By comparing the source traffic rate with the estimated received rate, the detection algorithm decides whether the discrepancy in rates, if any, is within a reasonable range such that the difference can be considered as being caused by normal channel impairments only, or is otherwise caused by malicious dropping. The works in [10] and [26] proposed to detect malicious packet dropping by counting the number of lost packets. If the number of lost packets is significantly larger than the expected packet loss rate caused by link errors, then with high probability a malicious node is contributing to packet losses.
All methods mentioned above do not perform well when malicious packet dropping is highly selective. More specifically, for the credit-system-based method, a malicious node may still receive enough credits by forwarding most of the packets it receives from upstream nodes. Similarly, in the reputation-based approach, the malicious node can maintain a reasonably good reputation by forwarding most of the packets to the next hop. As for the acknowledgement-based method, the Bloom-filter scheme, and all the mechanisms in the second category, merely counting the number of lost packets does not give sufficient ground to detect the real culprit that is causing packet losses. This is because the difference in the number of lost packets between the link-error-only case and the link-error-plus-malicious-dropping case is small when the attacker drops only a few packets. Consequently, the detection accuracy of these algorithms deteriorates when malicious drops become highly selective.
Our study targets the challenging situation where link errors and malicious dropping lead to comparable packet loss rates. The effort in the literature on this problem has been quite preliminary, and there are few related works. Note that the cryptographic methods proposed in [21] to counter selective packet jamming target a different issue than the detection problem studied in this paper. The methods in [21] delay a jammer from recognizing the significance of a packet until after the packet has been successfully transmitted, so that there is no time for the jammer to conduct jamming based on the content/importance of the packet. Instead of trying to detect any malicious behavior, the approach in [21] is proactive, and hence incurs overheads regardless of the presence or absence of attackers.
3. SYSTEM MODELS AND PROBLEM STATEMENT
3.1 Network and Channel Models
Consider an arbitrary path $P_{SD}$ in a multi-hop wireless ad hoc network, as shown in Figure 1. The source node $S$ continuously sends packets to the destination node $D$ through intermediate nodes $n_1, \ldots, n_K$, where $n_i$ is the upstream node of $n_{i+1}$, for $1 \le i \le K-1$. We assume that $S$ is aware of the route $P_{SD}$, as in Dynamic Source Routing (DSR) [12]. If DSR is not used, $S$ can identify the nodes in $P_{SD}$ by performing a traceroute operation.
Figure 1: Network and attack model.
We model the wireless channel of each hop along $P_{SD}$ as a random process that alternates between good and bad states. Packets transmitted during the good state are successful, and packets transmitted during the bad state are lost. In contrast to the classical Gilbert-Elliott (GE) channel model, here we do not assume any Markovian property on the channel behavior. We only require that the sequence of sojourn times for each state follows a stationary distribution, and that the autocorrelation function of the channel state, say $f_c(i)$, where $i$ is a discrete time lag measured in packets, is also stationary. The function $f_c(i)$ can be calculated using the probing approach in [1]. In brief, a sequence of $M$ packets is transmitted consecutively over the channel. By observing whether the transmissions are successful or not, the receiver obtains a realization of the channel state $(a_1, \ldots, a_M)$, where $a_j \in \{0, 1\}$ for $j = 1, \ldots, M$. In this sequence, "1" denotes that the packet was successfully received, and "0" denotes that the packet was dropped. $f_c(i)$ is derived by computing the autocorrelation function of this sample sequence. Such measurement can take place online or offline. A detailed discussion of how $f_c(i)$ is derived is out of the scope of this paper, and we simply assume that this information is given as input to our detection algorithm.
There is an independent auditor $A_d$ in the network. $A_d$ is independent in the sense that it is not associated with any node in $P_{SD}$ and does not have any knowledge of the secrets (e.g., cryptographic keys) held by the various nodes. The auditor is responsible for detecting malicious nodes on demand. Specifically, we assume $S$ receives feedback from $D$ when $D$ suspects that the route is under attack. Such a suspicion may be triggered by observing any abnormal event, e.g., a significant performance drop, the loss of multiple packets of a certain type, etc. We assume that the integrity and authenticity of the feedback from $D$ to $S$ can be verified by $S$ using resource-efficient cryptographic methods such as the Elliptic Curve Digital Signature Algorithm (ECDSA). Once notified of possible attacks, $S$ submits an attack-detection request (ADR) to $A_d$. To facilitate its investigation, $A_d$ needs to collect certain information (elaborated on in the next section) from the nodes on route $P_{SD}$. We assume that each such node must reply to $A_d$'s inquiry; otherwise the node will be considered as misbehaving. We assume that normal nodes will reply with truthful information, but malicious nodes may cheat. At the same time, for privacy reasons, we require that $A_d$ cannot determine the content of the normal packets delivered over $P_{SD}$ from the information collected during the auditing.
3.2 Adversarial Model
The goal of the adversary is to degrade the network's performance by maliciously dropping packets while remaining undetected. We assume that the malicious node has knowledge of the wireless channel, and is aware of the algorithm used for misbehavior detection. It has the freedom to choose which packets to drop. For example, in the random-drop mode, the malicious node may drop any packet with a small probability $p_d$. In the selective mode, the malicious node only drops packets of certain types. A combination of the two modes may be used. We assume that any node on $P_{SD}$ can be a malicious node, except the source and the destination. In particular, there can be multiple malicious nodes on $P_{SD}$.
We consider the following form of collusion between malicious nodes: a covert communication channel may exist between any two malicious nodes, in addition to the path connecting them on $P_{SD}$. As a result, malicious nodes can exchange any information without being detected by $A_d$ or any other node in $P_{SD}$. Malicious nodes can take advantage of this covert channel to hide their misbehavior and reduce the chance of being detected. For example, an upstream malicious node may drop a packet on $P_{SD}$, but may secretly send this packet to a downstream malicious node via the covert channel. When being investigated, the downstream malicious node can provide a proof of the successful reception of the packet. This makes the auditor believe that the packet was successfully forwarded to the downstream nodes, without knowing that the packet was actually dropped by an upstream attacker.
3.3 Problem Statement
Under the system and adversary models defined above, we address the problem of identifying the nodes on $P_{SD}$ that drop packets maliciously. We require the detection to be performed by a public auditor that does not have knowledge of the secrets held by the nodes on $P_{SD}$. When a malicious node is identified, the auditor should be able to construct a publicly verifiable proof of the misbehavior of that node. The construction of such a proof should be privacy preserving, i.e., it does not reveal the original information that is transmitted on $P_{SD}$. In addition, the detection mechanism should incur low communication and storage overheads, so that it can be applied to a wide variety of wireless networks.
4. PROPOSED DETECTION SCHEME
4.1 Overview
The main idea of our detection algorithm is to compare the autocorrelation function of the observed packet-loss process of a link with that of a normal wireless channel (i.e., $f_c(i)$) to accurately identify any possible malicious packet drops. The necessity of exploiting the correlation of lost packets to improve the detection accuracy can be illustrated by examining the insufficiency of the conventional method that relies only on the distribution of the number of lost packets. More specifically, under the conventional method, malicious-node detection is modeled as a binary hypothesis test, where $H_0$ is the hypothesis that there is no malicious node in a given link (all packet losses are due to link errors) and $H_1$ denotes that there is a malicious node in the given link (packet losses are due to both link errors and malicious drops). Let $z$ be the observed number of lost packets on the link during some interval $t$. Then,

$$z = \begin{cases} x, & \text{under } H_0 \text{ (no malicious nodes)} \\ x + y, & \text{under } H_1 \text{ (there is a malicious node)} \end{cases} \qquad (1)$$

where $x$ and $y$ are the numbers of lost packets caused by link errors and by malicious drops, respectively. Both $x$ and $y$ are random variables. Let the probability density functions of $z$ conditioned on $H_0$ and on $H_1$ be $h_0(z)$ and $h_1(z)$, respectively, as shown in Figure 2(a). We are interested in the maximum-uncertainty scenario where the a priori probabilities are given by $\Pr\{H_0\} = \Pr\{H_1\} = 0.5$, i.e., the auditor has no prior knowledge of the distributions of $H_0$ and $H_1$ to make any biased decision regarding the presence of malicious nodes. Let the false-alarm and miss-detection probabilities be $P_{fa}$ and $P_{md}$, respectively. The optimal decision strategy that minimizes the total detection error $P_{de} \overset{\text{def}}{=} 0.5(P_{fa} + P_{md})$ is the maximum-likelihood (ML) algorithm:

$$\begin{cases} \text{if } z \le z_{th}, & \text{accept } H_0 \\ \text{otherwise}, & \text{accept } H_1 \end{cases} \qquad (2)$$

where the threshold $z_{th}$ is the solution to the equation $h_0(z_{th}) = h_1(z_{th})$. Under this strategy, $P_{fa}$ and $P_{md}$ are the areas of the shaded regions shown in Figure 2(a), respectively. The problem with this mechanism is that, when the mean of $y$ is small, $h_1(z)$ and $h_0(z)$ are not sufficiently separated, leading to large $P_{fa}$ and $P_{md}$, as shown in Figure 2(b). This observation implies that when malicious packet drops are highly selective, counting the number of lost packets is not sufficient to accurately differentiate between malicious drops and link errors. For such a case, we use the correlation between lost packets to form a more solid decision statistic.
Figure 2: Insufficiency of conventional detection algorithms when malicious packet drops are highly selective. (a) Mean of $y$ much greater than mean of $x$. (b) Mean of $y$ comparable to mean of $x$.
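The following Python example is added here to make the two detectors of this section concrete; it is not code from the paper. It implements the count-only ML rule of equations (1)-(2) with binomial loss models (the independent per-packet attacker model, the probabilities used, and the constructed sample bitmaps are assumptions of this example), computes the autocorrelation of a loss bitmap in the way Section 3.1 describes for $f_c(i)$, and contrasts both on a constructed link with bursty link errors against the same link plus one selectively dropped packet per block. The gap statistic `correlation_distance` is an illustrative stand-in; the paper's own decision statistic is defined in its detection phase, which this excerpt does not include.

```python
import math


def binom_pmf(n, k, p):
    """Probability mass of Binomial(n, p) at k."""
    return math.comb(n, k) * p ** k * (1.0 - p) ** (n - k)


def ml_count_detector(M, p_link, p_drop):
    """Count-only ML detector of equations (1)-(2).

    Under H0 the number of lost packets z out of M is Binomial(M, p_link).
    Under H1 we assume (an assumption of this example) that the attacker drops
    each packet independently with probability p_drop, so a packet is lost
    with probability p_link + p_drop - p_link * p_drop.  The ML rule accepts
    H1 exactly where h1(z) > h0(z), which for these distributions is z > z_th.
    Returns (P_fa, P_md, P_de) with P_de = 0.5 * (P_fa + P_md).
    """
    p1 = p_link + p_drop - p_link * p_drop
    p_fa = p_md = 0.0
    for z in range(M + 1):
        h0, h1 = binom_pmf(M, z, p_link), binom_pmf(M, z, p1)
        if h1 > h0:
            p_fa += h0   # H0 is true but the rule says H1
        else:
            p_md += h1   # H1 is true but the rule says H0
    return p_fa, p_md, 0.5 * (p_fa + p_md)


def autocorr(bits, max_lag):
    """Normalised autocorrelation f(i), i = 0..max_lag, of a loss bitmap
    (1 = received, 0 = lost), computed as in the probing method of Section 3.1."""
    n = len(bits)
    mean = sum(bits) / n
    var = sum((b - mean) ** 2 for b in bits) / n
    if var == 0.0:               # all received or all lost: no correlation structure
        return [1.0] + [0.0] * max_lag
    f = []
    for lag in range(max_lag + 1):
        cov = sum((bits[j] - mean) * (bits[j + lag] - mean)
                  for j in range(n - lag)) / (n - lag)
        f.append(cov / var)
    return f


def correlation_distance(observed_bits, f_c, max_lag):
    """Largest gap, over lags 1..max_lag, between the observed loss
    autocorrelation and the reference channel autocorrelation f_c
    (illustrative statistic of this example, not the paper's)."""
    f_obs = autocorr(observed_bits, max_lag)
    return max(abs(f_obs[i] - f_c[i]) for i in range(1, max_lag + 1))


def make_bitmaps(blocks=20):
    """Constructed sample bitmaps (not measurements from the paper): every
    20-packet block has a 3-packet link-error burst at positions 3..5; the
    selective attacker additionally drops the packet at position 10 of each
    block (think of one control packet per block)."""
    link_only = [0 if 3 <= k <= 5 else 1 for k in range(20)] * blocks
    attacked = [0 if j % 20 == 10 else b for j, b in enumerate(link_only)]
    return link_only, attacked


def compare_detectors(max_lag=20):
    """Runs both statistics on the constructed data and returns them."""
    link_only, attacked = make_bitmaps()
    f_c = autocorr(link_only, max_lag)            # reference channel f_c(i)
    return {
        "lost_link_only": link_only.count(0),
        "lost_attacked": attacked.count(0),
        "dist_link_only": correlation_distance(link_only, f_c, max_lag),
        "dist_attacked": correlation_distance(attacked, f_c, max_lag),
    }


if __name__ == "__main__":
    for p_drop in (0.02, 0.30):
        p_fa, p_md, p_de = ml_count_detector(100, 0.10, p_drop)
        print(f"count-only ML, p_drop={p_drop}: "
              f"P_fa={p_fa:.3f} P_md={p_md:.3f} P_de={p_de:.3f}")
    print(compare_detectors())
```

With a 10% link-error rate and a 2% random drop rate, the count-only rule's $P_{de}$ stays close to the 0.5 of a coin flip, while a 30% drop rate is separated almost perfectly; that is Figure 2(b) versus 2(a). On the constructed bitmaps the attacked link loses only one packet more per 20 than the clean link, but its autocorrelation at the lags around the attacker's drop position departs clearly from $f_c(i)$, which is what the correlation-based statistic picks up.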
To correctly calculate the correlation between lost packets, it is critical to enforce a truthful packet-loss bitmap report by each node. We use the HLA cryptographic primitive for this purpose. The basic idea of our method is as follows. An HLA scheme allows the source, which has knowledge of the HLA secret key, to generate HLA signatures $s_1, \ldots, s_M$ for $M$ independent messages $r_1, \ldots, r_M$, respectively. The source sends out the $r_i$'s and $s_i$'s along the route. The HLA signatures are made in such a way that they can be used as the basis to construct a valid HLA signature for any arbitrary linear combination of the messages, $\sum_{i=1}^{M} c_i r_i$, without the use of the HLA secret key, where the $c_i$'s are randomly chosen coefficients. A valid HLA signature for $\sum_{i=1}^{M} c_i r_i$ can be constructed by a node that does not have knowledge of the secret HLA key if and only if the node has full knowledge of $s_1, \ldots, s_M$. So, if a node with no knowledge of the HLA secret key provides a valid signature for $\sum_{i=1}^{M} c_i r_i$, it implies that this node must have received all the signatures $s_1, \ldots, s_M$. Our construction ensures that $s_i$ and $r_i$ are sent together along the route, so that knowledge of $s_1, \ldots, s_M$ also proves that the node must have received $r_1, \ldots, r_M$.
Our detection architecture consists of four phases: setup, packet transmission, audit, and detection. We elaborate on these phases in the next section.
4.2 Scheme Details
4.2.1 Setup Phase
This phase takes place right after route $P_{SD}$ is established, but before any data packets are transmitted over the route. In this phase, $S$ decides on a symmetric-key crypto-system $(\mathrm{encrypt}_{key}, \mathrm{decrypt}_{key})$ and $K$ symmetric keys $key_1, \ldots, key_K$, where $\mathrm{encrypt}_{key}$ and $\mathrm{decrypt}_{key}$ are the keyed encryption and decryption functions, respectively. $S$ securely distributes $\mathrm{decrypt}_{key}$ and a symmetric key $key_j$ to node $n_j$ on $P_{SD}$, for $j = 1, \ldots, K$. Key distribution may be based on a public-key crypto-system such as RSA: $S$ encrypts $key_j$ using the public key of node $n_j$ and sends the ciphertext to $n_j$; $n_j$ decrypts the ciphertext using its private key to obtain $key_j$. $S$ also announces two hash functions, $H_1$ and $H^{MAC}_{key}$, to all nodes in $P_{SD}$. $H_1$ is unkeyed, while $H^{MAC}_{key}$ is a keyed hash function that will be used for message authentication purposes later on.
Besides symmetric key distribution, $S$ also needs to set up its HLA keys. Let $e : G \times G \to G_T$ be a computable bilinear map with multiplicative cyclic group $G$ and support $\mathbb{Z}_p$, where $p$ is the prime order of $G$, i.e., for all $\alpha, \beta \in G$ and $q_1, q_2 \in \mathbb{Z}_p$, $e(\alpha^{q_1}, \beta^{q_2}) = e(\alpha, \beta)^{q_1 q_2}$. Let $g$ be a generator of $G$. $H_2(\cdot)$ is a secure map-to-point hash function $\{0, 1\}^* \to G$, which maps strings uniformly to $G$. $S$ chooses a random number $x \in \mathbb{Z}_p$ and computes $v = g^x$. Let $u$ be another generator of $G$. The secret HLA key is $sk = x$ and the public HLA key is the tuple $pk = (v, g, u)$.
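To show the algebra behind the HLA keys set up above, the signature form of equation (3), and the linear-combination property described in Section 4.1, here is an added Python example that is not code from the paper. Because no pairing library is available offline, the group is a constructed toy: the order-509 subgroup of $\mathbb{Z}_{1019}^*$ (an assumption of this example, not a pairing-friendly group), with $g = 4$, $u = 9$, $H_1$ and $H_2$ instantiated from SHA-256, and sample packets constructed inline. The final check recomputes the right-hand side with the secret $x$ purely to exhibit the identity $\prod s_{ji}^{c_i} = [\prod H_2(i\|j)^{c_i} \, u^{\sum c_i r_i}]^x$; the paper's public auditor checks the same identity with the pairing, $e(\sigma, g) = e(\prod H_2(i\|j)^{c_i} u^{\mu}, v)$, using only $pk$.

```python
import hashlib

# Constructed toy group (an assumption of this example): the subgroup of prime
# order q = 509 in Z_p^*, with p = 1019 = 2q + 1.  The paper's construction
# needs a pairing-friendly group G; these sizes are for illustration only.
P, Q = 1019, 509
G, U = 4, 9    # g and u: quadratic residues mod p, hence generators of order q


def h1(packet):
    """r_i = H_1(P_i): hash of the packet, reduced to an exponent in Z_q."""
    return int.from_bytes(hashlib.sha256(packet).digest(), "big") % Q


def h2(label):
    """Map-to-point hash H_2: {0,1}* -> G, here a hash mod p squared so that
    the result lies in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(label).digest(), "big") % (P - 1) + 1
    return pow(h, 2, P)


def keygen(x):
    """Setup phase: sk = x, pk = (v, g, u) with v = g^x."""
    return x, (pow(G, x, P), G, U)


def hla_sign(x, i, j, r_i):
    """Equation (3): s_ji = [H_2(i||j) * u^{r_i}]^x for packet i at node n_j."""
    return pow(h2(b"%d||%d" % (i, j)) * pow(U, r_i, P) % P, x, P)


def combine(sigs, coeffs):
    """Homomorphic step performed by a node that does not know x: the tag for
    sum c_i r_i is prod s_ji^{c_i}."""
    sigma = 1
    for s, c in zip(sigs, coeffs):
        sigma = sigma * pow(s, c, P) % P
    return sigma


def check_combined(x, j, seq_nums, rs, coeffs, sigma):
    """Verifies sigma == [prod H_2(i||j)^{c_i} * u^{mu}]^x with mu = sum c_i r_i.
    The paper's public auditor performs this check with the pairing,
    e(sigma, g) = e(prod H_2(i||j)^{c_i} u^mu, v), using only pk; with no
    pairing library here we recompute the right-hand side with x to show the
    algebra the pairing check relies on."""
    mu = sum(c * r for c, r in zip(coeffs, rs)) % Q
    rhs = pow(U, mu, P)
    for i, c in zip(seq_nums, coeffs):
        rhs = rhs * pow(h2(b"%d||%d" % (i, j)), c, P) % P
    return sigma == pow(rhs, x, P)


def demo(j=2, x=123):
    """Constructed packets (sample data, not from the paper) for node n_j."""
    seq = [1, 2, 3, 4, 5]
    packets = [b"packet-%d" % i for i in seq]
    rs = [h1(p) for p in packets]
    sigs = [hla_sign(x, i, j, r) for i, r in zip(seq, rs)]
    coeffs = [7, 11, 13, 17, 19]        # auditor's random challenge coefficients
    full = check_combined(x, j, seq, rs, coeffs, combine(sigs, coeffs))
    # A node that never received packet 3, and so never got s_{j3}, cannot
    # produce a valid combined tag (here it substitutes the identity element):
    missing = sigs[:2] + [1] + sigs[3:]
    partial = check_combined(x, j, seq, rs, coeffs, combine(missing, coeffs))
    return full, partial


if __name__ == "__main__":
    print("all tags held -> valid:", demo()[0], "| one tag missing -> valid:", demo()[1])
```

The point to take from the run is the one Section 4.1 relies on: the combined tag is valid exactly when the node holds every $s_{ji}$ the challenge coefficients touch, so presenting it proves reception of all the corresponding $r_i$ without revealing $x$ or the packets.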
4.2.2 Packet Transmission Phase
After completing the setup phase, $S$ enters the packet transmission phase. $S$ transmits packets to $P_{SD}$ according to the following steps.
Before sending out a packet $P_i$, where $i$ is a sequence number that uniquely identifies $P_i$, $S$ computes $r_i = H_1(P_i)$ and generates the HLA signatures of $r_i$ for node $n_j$, as follows:

$$s_{ji} = \left[H_2(i \,\|\, j)\, u^{r_i}\right]^x, \quad \text{for } j = 1, \ldots, K \qquad (3)$$

where $\|$ denotes concatenation. These signatures are then sent together with $P_i$ along the route by using a one-way chained encryption that prevents an upstream node from deciphering the signatures intended for downstream nodes. More specifically, after getting $s_{ji}$ for $j = 1, \ldots, K$, $S$ iteratively computes the following:

$$\begin{aligned}
\tilde{s}_{Ki} &= \mathrm{encrypt}_{key_K}(s_{Ki}) \\
\tau_{Ki} &= \tilde{s}_{Ki} \,\|\, \mathrm{MAC}_{key_K}(\tilde{s}_{Ki}) \\
\tilde{s}_{K-1,i} &= \mathrm{encrypt}_{key_{K-1}}(s_{K-1,i} \,\|\, \tau_{Ki}) \\
\tau_{K-1,i} &= \tilde{s}_{K-1,i} \,\|\, \mathrm{MAC}_{key_{K-1}}(\tilde{s}_{K-1,i}) \\
&\;\;\vdots \\
\tilde{s}_{ji} &= \mathrm{encrypt}_{key_j}(s_{ji} \,\|\, \tau_{j+1,i}) \\
\tau_{ji} &= \tilde{s}_{ji} \,\|\, \mathrm{MAC}_{key_j}(\tilde{s}_{ji}) \\
&\;\;\vdots \\
\tilde{s}_{1i} &= \mathrm{encrypt}_{key_1}(s_{1i} \,\|\, \tau_{2i}) \\
\tau_{1i} &= \tilde{s}_{1i} \,\|\, \mathrm{MAC}_{key_1}(\tilde{s}_{1i})
\end{aligned} \qquad (4)$$

where the message authentication code (MAC) in each stage $j$ is computed according to the hash function $H^{MAC}_{key_j}$. After getting $\tau_{1i}$, $S$ puts $P_i \,\|\, \tau_{1i}$ into one packet and sends it to node $n_1$.
When node $n_1$ receives the packet from $S$, it extracts $P_i$, $\tilde{s}_{1i}$, and $\mathrm{MAC}_{key_1}(\tilde{s}_{1i})$ from the received packet. Then, $n_1$ verifies the integrity of $\tilde{s}_{1i}$ by testing the following equality:

$$\mathrm{MAC}_{key_1}(\tilde{s}_{1i}) = H^{MAC}_{key_1}(\tilde{s}_{1i}). \qquad (5)$$

If the test is true, then $n_1$ decrypts $\tilde{s}_{1i}$ as follows:

$$\mathrm{decrypt}_{key_1}(\tilde{s}_{1i}) = s_{1i} \,\|\, \tau_{2i}. \qquad (6)$$

Then, $n_1$ extracts $s_{1i}$ and $\tau_{2i}$ from the decrypted text. It stores $r_i = H_1(P_i)$ and $s_{1i}$ in its proof-of-reception database for future use. This database is maintained at every node on $P_{SD}$. It can be considered as a FIFO queue of size $M$, which records the reception status for the most recent $M$ packets sent by $S$. Finally, $n_1$ assembles $P_i \,\|\, \tau_{2i}$ into one packet and relays this packet to node $n_2$. In case the test in (5) fails, $n_1$ marks the loss of $P_i$ in its proof-of-reception database and does not relay the packet to $n_2$.
The above process is repeated at every intermediate node
n
j
, j = 1, . . . , K. As a result, node n
j
obtains r
i
and its HLA
signature s
ji
for every packet P
i
that the node has received,
and it relays P
i
||τ
j+1i
to the next hop on the route. The last
hop, i.e., node n
K
, only forwards P
i
to the destination D . As
proved in Theorem 4 in Section 4.3, the special structure of
the one-way chained encryption construction in (4) dictates
that an upstream node on the route cannot get a copy of the
HLA signature intended for a downstream node, and thus
the construction is resilient to the collusion model defined
in Section 3.2. Note that here we consider the verification
of the integrity of P
i
as an orthogonal problem to that of
verifying the tag τ
ji
. If the verification of P
i
fails, node n
1
should also stop forwarding the packet and should mark it
accordingly in its proof-of-reception database.
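A worked model of the chained construction in (4), the check in (5) and the unwrapping in (6), added here as an illustration and not code from the paper: the HLA signatures $s_{ji}$ of (3) are replaced by constructed 32-byte stand-ins (the real ones are pairing-group elements), the cipher and MAC, which the paper leaves unspecified, are instantiated with an HMAC-SHA256 keystream and HMAC-SHA256, and all function names are my own. It shows that each hop recovers only its own $s_{ji}$, that a hop's key does not open the layer meant for the next hop, and that a corrupted layer fails the test in (5).

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length

def keystream(key: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stand-in for the paper's unspecified cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, msg: bytes) -> bytes:
    # Length-preserving XOR stream cipher; decrypt_key of Eq. (6) is the same operation.
    return bytes(a ^ b for a, b in zip(msg, keystream(key, len(msg))))

def mac(key: bytes, msg: bytes) -> bytes:
    # MAC_key_j of Eq. (4); the hash function H_MAC is instantiated with HMAC-SHA256.
    return hmac.new(key, b"mac" + msg, hashlib.sha256).digest()

def build_chain(sigs: list, keys: list) -> bytes:
    # Source side of Eq. (4): wrap s_Ki first, then s_{K-1,i}, ..., s_1i; returns tau_1i.
    # sigs[j-1] / keys[j-1] hold s_ji / key_j for hop j = 1..K (constructed stand-ins).
    tau_next = b""  # the innermost layer, for n_K, carries s_Ki alone
    for s, k in zip(reversed(sigs), reversed(keys)):
        ct = encrypt(k, s + tau_next)
        tau_next = ct + mac(k, ct)
    return tau_next

def unwrap_hop(key: bytes, tau: bytes, sig_len: int):
    # Relay side: test Eq. (5) on the outer layer, then decrypt per Eq. (6).
    # Returns (s_ji, tau_{j+1,i}); None means "mark P_i as lost and do not relay".
    ct, tag = tau[:-TAG_LEN], tau[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(key, ct)):
        return None
    pt = encrypt(key, ct)
    return pt[:sig_len], pt[sig_len:]

def relay_route(tau: bytes, keys: list, sig_len: int) -> list:
    # Walk n_1..n_K with the right keys; each hop keeps its own s_ji and forwards the rest.
    recovered = []
    for k in keys:
        res = unwrap_hop(k, tau, sig_len)
        if res is None:
            break
        s, tau = res
        recovered.append(s)
    return recovered
```

After the K-th unwrap the remaining tag is empty, which is why $n_K$ forwards only $P_i$ to D.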
4.2.3 Audit Phase
This phase is triggered when the public auditor $A_d$ receives an ADR message from S. The ADR message includes the id of the nodes on $P_{SD}$, ordered in the downstream direction, i.e., $n_1, \ldots, n_K$, S's HLA public key information $pk = (v, g, u)$, the sequence numbers of the most recent $M$ packets sent by S, and the sequence numbers of the subset of these $M$ packets that were received by D. Recall that we assume the information sent by S and D is truthful, because detecting attacks is in their interest. $A_d$ conducts the auditing process as follows.
