

A System-Theoretic Clean Slate Approach to Provably Secure Ad Hoc Wireless Networking

Jonathan Ponniah*, Member, IEEE, Yih-Chun Hu*, Member, IEEE, and P. R. Kumar**, Fellow, IEEE

arXiv:1309.2904v1 [cs.NI] 11 Sep 2013

*CSL & ECE, Univ. of Illinois, 1308 West Main St., Urbana, IL 61801. Email: {ponniah1,yihchun}@illinois.edu. Tel: 217-333-4220.
**Corresponding author: ECE, Texas A&M University, 3259 TAMU, College Station, TX 77843-3259. Email: [email protected]. Tel: 979-862-3376.
This paper is partially based on work supported by NSF under Contract Nos. CNS-1302182, CCF-0939370 and CNS-1232602, AFOSR under Contract No. FA-9550-13-1-0008, and USARO under Contract No. W911NF-08-1-0238.

Abstract—Traditionally, wireless network protocols have been designed for performance. Subsequently, as attacks have been identified, patches have been developed. This has resulted in an “arms race” development process of discovering vulnerabilities and then patching them. The fundamental difficulty with this approach is that other vulnerabilities may still exist. No provable security or performance guarantees can ever be provided. We develop a system-theoretic approach to security that provides a complete protocol suite with provable guarantees, as well as proof of min-max optimality with respect to any given utility function of source-destination rates. Our approach is based on a model capturing the essential features of an ad-hoc wireless network that has been infiltrated with hostile nodes. We consider any collection of nodes, some good and some bad, possessing specified capabilities vis-a-vis cryptography, wireless communication and clocks. The good nodes do not know the bad nodes. The bad nodes can collaborate perfectly, and are capable of any disruptive acts ranging from simply jamming to non-cooperation with the protocols in any manner they please. The protocol suite caters to the complete life-cycle, all the way from birth of nodes, through all phases of ad hoc network formation, leading to an optimized network carrying data reliably. It provably achieves the min-max of the utility function, where the max is over all protocol suites published and followed by the good nodes, while the min is over all Byzantine behaviors of the bad nodes. Under the protocol suite, the bad nodes do not benefit from any actions other than jamming or cooperating. This approach supersedes much previous work that deals with several types of attacks including wormhole, rushing, partial deafness, routing loops, routing black holes, routing gray holes, and network partition attacks.

Index Terms—Ad hoc wireless networks, security.

I. INTRODUCTION

Our focus is on the problem of security of ad-hoc, multi-hop, wireless networks. The wireless nodes in these types of networks need to determine when to transmit packets and at what power levels, discover routes from sources to destinations, and ensure overall end-to-end reliability, all without any centralized controller guiding the process. This requires a suite consisting of multiple protocols.

Several candidates have been proposed. Medium access control protocols include IEEE 802.11 [10] and MACAW [2], power control protocols include COMPOW [12] and PCMA [15], routing protocols include DSDV [17], AODV [16], DSR [11], and OLSR [5], and transport protocols include TCP [20] and variations for ad hoc networks [13], [6], [3], [21].

All the above protocols are designed on the assumption that all nodes are “good,” and will conform to the protocol. Some nodes can however be malicious, deliberately intent on disrupting the network, a vulnerability especially acute since the very purpose of ad hoc networks is to allow any node to join a network. For wireless networks used in safety-critical applications, e.g., vehicular networks, vulnerabilities can be dangerous. Moreover, many wireless networking protocols have been based on wireline protocols, with possible susceptibilities to novel over the air attacks.

The assumption of benignness, implicit or explicit, has been the traditional starting point of protocol development. Systems have been first designed to provide high performance. Subsequently, as vulnerabilities have been discovered, they have been patched on a case by case basis. For example, the “wormhole” attack was discovered in [7], where an attacker sets up a false link between two nodes. It is countered by a fix using temporal and geographical packet leashes [7], [19]. The “rushing” attack against DSR was discovered in [8], in which attackers manipulate the network topology. This is countered by a fix using network discovery chains. The “partial deafness” attack against 802.11 was discovered in [4], in which an attacker artificially reduces its link quality to draw more network resources. It is countered by a fix using queue regulation at the access point. Other attacks against DSR are the routing loop attack in which an attacker generates forged routing packets causing data packets to cycle endlessly; the routing black hole attack in which an attacker simply drops all packets it receives; and the network partition attack in which an attacker injects forged routing packets to prevent one set of nodes from reaching another. These attacks are all countered in the Ariadne protocol [9] by the joint use of routing chains, encryption, and packet leashes. Some protocols such as Watchdog and Pathrater [14] try to pre-empt attacks by maintaining a blacklist that tracks malicious behavior, but this backfires if an attacker maligns a good node, causing other good nodes to add that node to their blacklists. These attacks are not targeted at violating privacy of communications between nodes, which can be avoided simply by encryption. Rather, they are generally Denial of Service attacks (DoS), which usually take advantage of algorithms that assume the participating users are good or cooperative.

The basic problem with this arms race approach of hardening algorithms initially designed for good performance is that one never knows what other vulnerabilities or attacks exist. Thus no guarantees can be provided about the security of the protocols at any stage of the arms race process.

Our goal in this paper is to propose an alternate clean slate system-theoretic approach to security that provides provable
performance guarantees. We pursue a model-based approach, comprising a physical model of node capabilities, clocks, cryptography, and wireless communication. It is an initial attempt to holistically model the entire dynamics of an ad-hoc wireless network that has been infiltrated with hostile nodes.

Our goal is to design a protocol suite for the complete life-cycle of the wireless system, all the way from the very birth of the nodes, and continuing through all phases of the network formation process, to a long-term operation where the network is carrying data reliably from sources to their destinations. The good nodes don’t know who the bad nodes are, and are required to follow the published protocol suite. Throughout all phases, the bad nodes can perfectly collaborate and incessantly indulge in any disruptive behavior to make the network formation and operation dysfunctional. They could just “jam,” or engage in more intricate behavior such as not relaying a packet, advertising a wrong hop count, advertising a wrong logical topology, causing packet collisions, disrupting attempts at cooperative scheduling, dropping an ACK, refusing to acknowledge a neighbor’s handshake, or behaving inconsistently.

We design a protocol suite that is provably secure against all such attacks by the malicious nodes. Not only that, it guarantees min-max optimal performance. The performance is described by a given utility function, which the good nodes wish to maximize by publishing a complete protocol suite and conforming to it. The bad nodes on the other hand aim to minimize this utility by indulging in all manner of “Byzantine” behavior described above not conforming to the protocol. This leads to a zero-sum game. Since the good nodes first announce the protocol, the best value of the utility function that the good nodes can hope to attain is its max-min, where the maximization is over all protocol suites, and the minimization is over all Byzantine behaviors of the bad nodes. We will prove that the protocol suite designed attains this max-min to within any ε > 0. Moreover, we establish three even stronger results. First, this game actually has a saddle point, i.e., the protocol suite attains the min-max (to within any ε > 0). (Generally, min-max results in a higher utility than max-min, since the bad nodes have to first disclose their tactics). Second, the bad nodes can do no better than just jamming or conforming to the published protocol suite on each “concurrent transmission vector,” a generalization of the notion of an “independent set” of nodes that can simultaneously transmit. They do not benefit from more elaborate Byzantine antics. Third, the protocol optimally exploits any non-hostile behavior of the bad nodes. If they behave suboptimally, i.e., are not as hostile as they could be, then it will take advantage. This is a desirable feature since while one wants to design protocols that are guaranteeably secure in the worst case, one would want them to exploit any benignness in the environment.

Some important qualifications need to be noted. First, the results are valid only for the postulated model of the network. Future research may identify technological capabilities outside the model that can attack the protocol suite. Such discoveries will, one hopes, lead to the development of more general models and protocols provably secure in them. The research enterprise will thereby be elevated to a higher level; instead of reacting to each proposed protocol one reacts to each proposed model, with provable guarantees provided at each step. Section VII provides some such directions for model generalization. Second, though not merely asymptotic, the optimality is over a large time period, and the overhead of transient phases of the protocol may be high. However, there is much scope for optimizing protocol overhead while preserving security. Third, how should one view the proposed protocol suite? The answer is layered. At a minimum, it can be regarded as a constructive existence proof that one can indeed provide optimal performance while guaranteeing security, with the identified model class only serving as an exemplar of conditions under which this can be done. To a more receptive reader, the designed protocol suite is suggestive of how one can do so. The architectural decomposition into several phases could perhaps be kept in mind by future protocol designers. At any rate, one hopes that this approach will trigger several critical reactions among a skeptical readership, and lead to follow up work that designs protocols with guaranteed security and performance for more general model classes.

Section II describes the model, Section III the main results, Section IV an outline of the approach, Section V the protocol suite, and Section VI proves feasibility and optimality.

II. THE MODEL

The model of an ad-hoc wireless network infiltrated by hostile nodes can be organized into four categories: the nodal model (N), communication model (CO), clock behavior (CL), and cryptographic capabilities (CR).

Nodal model: (N1) There are n nodes, some good and some bad. Let G denote the set of good nodes, and its complement B the set of bad nodes. (N2) The good nodes do not know who the bad nodes are a priori. (N3) The bad nodes are able to fully coordinate their actions, and are fully aware of their collective states (equivalent to unlimited bandwidth between them). (N4) The good nodes are all initially powered off, and they all turn on within U_0 time units of the first good node that turns on.

Communication model: (CO1) Each node i can choose from among a finite set of transmission/reception modes M_i at each time. Each mode corresponds, if transmitting, to a joint choice of power level, modulation scheme and encoding scheme for each other intended receiver node, or to just listening and not transmitting, or even to “jamming,” which simply consists of using its power output to emit noise. (CO2) The good nodes are half-duplex, i.e., cannot transmit and receive simultaneously. (CO3) We call c = (c_1, c_2, ..., c_n), the vector of mode choices made by all the nodes at a certain time, a “concurrent transmission vector” (CTV). (It is more general than an independent set that is sometimes used to model wireless networks). We will denote by c_G = (c_i : i ∈ G) and c_B = (c_i : i ∈ B) the vectors of choices of modes made by the good and bad nodes respectively, with each c_i ∈ M_i, and let C_G and C_B denote the sets of all such choices. We will denote by C := C_G × C_B the set of all CTVs. (CO4) Each c results in a “link-rate vector” r(c) of dimension n(n − 1). Its ij-th component, r_ij(c), is the data rate at which bits can be sent from node i to node j at that
time. Due to the shared nature of the wireless medium, the rate depends on the transmission mode choices made by all the other nodes, as well as the geographic locations of the nodes, the propagation path loss, the ambient noise, and all other physical characteristics affecting data rate. A component r_ij(c) may be zero, for example if the SINR at j is below a threshold value for decoding, or if node i is not transmitting to node j. (CO5) If a certain rate vector is achievable then lower rates are also achievable. To state this, let Λ := {r_ij(c) : i ≠ j, c ∈ C} denote the finite set of all possible rates that can be achieved. We suppose that for every c, and r′ ≤ r(c) (understood component wise) with all elements in Λ, there is a choice c′ ∈ C such that r(c′) = r′. This assumption is not strictly necessary, but it helps to simplify the statement that bad nodes can claim to receive only at low rates. (CO6) In the case of a bad node j, the rate r_ij(c) may be the result of some other bad node being able to decode the packet from i at that rate, and then passing on that packet to j, since bad nodes can collaborate perfectly. In the case of a bad node i, the rate r_ij(c) may be the result of some other bad node being able to transmit the packet successfully to j at that rate, pretending to be i. Meanwhile, in either case, the bad node may be jamming. Thus a bad node can both jam and appear to be cooperating, whether transmitting or receiving, at the same time. (CO7) The bad nodes can claim to have received transmissions from each other at any of the rates in the finite set Λ, as they please. To state this, for c = (c_G, c_B), we will partition the resulting link-rate vector as r(c) = (r_GG(c), r_GB(c), r_BG(c), r_BB(c)), where r_BG denotes the link-rates from the bad nodes to the good nodes, etc. We suppose that for every c = (c_G, c_B) and every r′ with all elements in Λ, there is a c′_B ∈ C_B such that r(c_G, c′_B) = (r_GG(c), r_GB(c), r_BG(c), r′). (CO8) The good nodes know Λ, and an upper bound on the cardinalities of the M_i’s, but do not know the values of the vectors r(c) for any c ∈ C. (CO9) The assumption that the link-rate vector r(c) does not change with time implicitly assumes that nodes are not mobile to any significant extent. We comment further about this assumption in Section VII.

Clock model: (CL1) Each good node i has a local continuous-time clock that it initializes to zero when it turns on. Its time τ^i(t) is affine with respect to some reference time t ≥ 0, i.e., τ^i(t) = a_i t + b_i, where a_i and b_i are called the skew and offset respectively. Wlog, the time t above and in (N4) is taken equal to the clock time of the first good node to turn on. (CL3) Denoting the relative skew and offset between nodes i and j by a_ij := a_i / a_j and b_ij := b_i − a_ij b_j, node i’s time with respect to node j’s time s is τ^i_j(s) = a_ij s + b_ij. We assume 0 < a_ij ≤ a_max. As a corollary of (N4, CL1, CL3), |b_ij| ≤ a_max U_0, since τ^i(U_0) ≥ 0. (CL4) The good nodes do not know their skew or offset a priori. (CL5) Finally, due to its digital processor, a good node i can only observe a quantized version of its continuous-time local clock τ^i(t).

Cryptographic capabilities: (CR1) Each node is assigned a public key and a private key; information encrypted by a private key can only be decrypted with the corresponding public key. The private key is never revealed by a good node to any other node. Possession of a public key does not enable an attacker to forge, alter, or tamper with an encrypted packet generated with the corresponding private key. The good nodes encrypt all their transmissions. (CR2) Each node possesses the public key of a central authority. (CR3) Each node possesses an identity certificate, signed by the central authority, containing node i’s public key and ID number. The certificate binds node i’s public key to its identity. (CR4) Each node possesses a list of all the other n node IDs.

III. THE MAIN RESULTS

Each time that the good nodes make a certain choice c_G, the bad nodes could respond with some choice drawn only from a certain subset C_{B,c_G} ⊆ C_B. In this way they could ensure that only the subset E := {(c_G, c_B) : c_G ∈ C_G, c_B ∈ C_{B,c_G}} is ever employed by the network. If so, we will say that E is enabled, while its complement D := C \ {(c_G, c_B) : c_G ∈ C_G, c_B ∈ C_{B,c_G}} is disabled by the bad nodes. We will denote by ∆ the set of all such sets D that they have the capability to disable. For any set E of enabled CTVs, let R(E) := ConvexHull({r(c) : c ∈ E}) be the set of link rate-vectors supported by E, i.e., generated by time sharing over E. Let G(E) be a directed graph over the nodes, where there is an edge ij if and only if r_ij(c) > 0 for some c ∈ E.

We assume that the good nodes can communicate in a multi-hop fashion with each other over bidirectional links at some minimal positive rate, regardless of what the bad nodes do:

Connectedness Assumption (C): Let G* := G(C \ D*) be the graph resulting from the maximum set D* ∈ ∆ that the bad nodes can disable. We will assume that the good nodes are connected in the subgraph of G* that consists only of edges ij for which both ij as well as ji are edges in G*.

Denoting by P_ij the set of all paths from i to j, the multi-hop capacity region of n(n − 1)-dimensional end-to-end source-destination throughput vectors is defined in the standard way as

$$C(E) := \Big\{ x : \text{for some vector } y \ge 0 \text{ with } 0 \le \sum_{p : \ell \in p} y_p \le r_\ell \text{ for some } r \in R(E),\ x_{ij} = \sum_{p \in P_{ij}} y_p \text{ for all } 1 \le i, j \le n,\ j \ne i \Big\}.$$

We employ a utility function defined over the throughputs of any subset of source-destination pairs of interest:

Utility function assumption (U): For any subset S ⊆ {1, 2, ..., n} and any throughput vector x, let U(x, S) depend only on x_ij for i, j ∈ S. For every S, U(x, S) is continuous and monotone increasing in the components of x.

We now consider the game where the good nodes wish to maximize it for the nodes perceived to be good, while the bad nodes wish to minimize it over all their Byzantine behaviors. To obtain an upper bound on utility, suppose that the bad nodes disable only the CTVs in D and reveal this choice to the good nodes. Let E := C \ D. If G(E) has several strongly connected components, then, by the connectedness assumption (C), the good nodes are all in the same component, denoted by F(E), and thus know that the nodes outside F(E) are bad. They will therefore only consider the utility accrued as U(x, F(E)), and maximize it over all x ∈ C(E). Hence an upper bound on achievable utility is

$$\min_{D \in \Delta} \max_{x \in C(C \setminus D)} U(x, F(C \setminus D)).$$

Our main result, elaborated on in Theorem 6.2, is:
Theorem 3.1: Consider a network that satisfies (N), (CO), (CL), (CR), (C) and (U). Given an arbitrary ε, where 0 < ε < 1, the protocol described in Section V ensures that all the good nodes obtain a common estimate of the component that they are all members of, and achieves the utility

$$(1 - \epsilon) \min_{D \in \Delta} \max_{x \in C(C \setminus D)} U(x, F(C \setminus D)). \qquad (1)$$

Some important consequences are the following. Normally, one would expect that since the good nodes have to first declare their protocol and follow it, they can only attain “max-min,” which is generally smaller than min-max. Since the latter can be attained (arbitrarily closely), it shows firstly that the bad nodes are unable to benefit from having a priori knowledge of the protocol. Second, since all that the bad nodes can benefit from is deciding which sets to disable, they are effectively limited to jamming and/or cooperating in each CTV. Other more Byzantine behaviors are not any more effective.

The example below shows why a bad node may prefer to “conform” rather than jam for some utility functions.

Example 3.1: Consider the network of Figure 1. Nodes 1 and 2 are good and in close proximity, while node 3 is bad and located far away. Consider the “fairness-based” utility function U(x) := min{x_12, x_32}. If node 3 jams, then the connected component becomes {1, 2}, and the good nodes proceed to maximize only x_12, which node 3 can only slightly impinge because it is so far away from node 2. However, if node 3 cooperates, then the connected component is {1, 2, 3}, and the optimal solution for this “fair” utility function is to make x_32 = x_12. However, link 32 being weak, it requires much more airtime than link 12, thus considerably reducing x_12.

Fig. 1: Example 3.1.

IV. THE OUTLINE OF THE APPROACH

The heart of the approach is to investigate different CTVs, exploiting the fact that the operation of the network consists of invoking which such set to use at any given instant. If a good node fails to receive a scheduled packet transmitted during a CTV set, then that good node alerts the rest of the network during a verification phase, and the offending CTV set is never used again. After each such pruning the network then re-optimizes its utility over the remaining CTVs. The decreasing sequence of remaining sets of CTVs necessarily converges to an operational collection of CTVs, over which the utility is optimized by time sharing. Since the set of disabled CTVs is determinable by the network, as we show, it is the same as if it were revealed to the good nodes a priori, which allows achievement of min-max. It also shows why more complex Byzantine behaviors than jamming or cooperating are not any more effective for the bad nodes.

There are however several problems that lie along the way to realizing this scheme. First, all of the above presumes that all the nodes are good, and, second, also that the nodes know the network topology and other parameters, both of which are false. This leads to the challenge: How to determine the network, while under attack from bad nodes, when one does not know the network? We present a complete protocol suite that proceeds through several phases to achieve this end result.

After their birth, the nodes need to first discover who their neighbors are. This requires a two-way handshake, which presents one problem already. Two good nodes that are neighbors can successfully send packets to each other if there are no primary (half-duplex) or secondary (collision) conflicts. To achieve this we employ an Orthogonal MAC Code [18]. Next, the two nodes need to update their clock parameters. After this, the nodes propagate their neighborhood information so that everyone learns about the network topology. This also poses some challenges when there are intermediary bad nodes. This is addressed by a version of the Byzantine General’s algorithm of [1], by capitalizing on connectedness assumption (C). Next, even though all the good nodes converge to a common network view, that view may be internally inconsistent, especially with respect to clocks. To resolve this we employ a certain consistency check algorithm. Next, the nodes proceed to determine an optimal schedule for time sharing over the set of CTVs that have performed consistently from the very beginning, and execute it. However, a bad node that has cooperated hitherto may not cooperate at this point. Hence the results of this operational phase need to be verified, the dysfunctional CTV pruned, the schedule re-optimized, and the procedure iterated.

The reader may wonder: Why do we even need a notion of “time”? First, without it, we cannot even speak of throughput or thus of utility. Second, we use local clocks to schedule transmissions and coordinate activity (as is quite common, e.g., time-outs in MAC and transport protocols). On the other hand, dependence on distributed synchronized clocks for coordinated activity opens yet another avenue for bad nodes to sabotage the protocol: interfering with the clock synchronization algorithm. Therefore, topics like scheduling, clock synchronization, utility maximization, and security, are deeply interwoven. Therefore one needs a holistic approach that addresses all these issues at every stage of the operating lifetime, and guarantees overall security and min-max optimality. This is the raison d’être for this paper.

V. THE PHASES OF THE PROTOCOL SUITE

The protocol suite consists of six phases: Neighbor Discovery, Network Discovery, Consistency Check, Scheduling, Data Transfer, and Verification. Proofs are deferred to Section VI.

We first note the necessity for a key ingredient. Even two good nodes that are neighbors as in assumption (C) are only guaranteed to be able to successfully send packets to each other provided one is transmitting, the other is listening (since good nodes are half-duplex), and the remaining good nodes are all silent. The Orthogonal MAC Code (OMC) of [18] ensures the simultaneity of all these events, even though the clocks of different nodes have different skews and offsets. For each pair of nodes i, j, it defines certain zero-one valued functions of local time at each node, such that if i transmits
5

a packet of duration W to j at that time, then the packet is Algorithm 1 The Neighbor Discovery Phase
successfully received, and the delay involved in waiting for procedure N EIGHBOR D ISCOVERY
Ni := {1, . . . , n} \ i
such an eventuality is never more than a certain TM AC (W ). while t ∈ S1 do
T X R X MAC(P RBi→Ni ,P RBNi →i )
U PDATE(Ni )
end while
A. The Neighbor Discovery Phase while t ∈ S2 do
T X R X MAC(ACKi→Ni ,ACKNi →i )
In this phase, each node i will determine the identity and end while
relative clock parameters of nodes in its neighborhood Ni , and while t ∈ S3 do
(1) (1)
T X R X MAC(T IMi→N ,T IMN →i )
include this data in a mutually authenticated link certificate. U PDATE(Ni )
i i

In the first two steps, each node i attempts a handshake with end while
while t ∈ S4 do
a neighbor node j by broadcasting a probe packet P RBij and (2) (2)
T X R X MAC(T IMi→N ,T IMN →i )
i i
waiting for an acknowledgement ACKji . The probe packet U PDATE(Ni )
end while
contains an identity certificate signed by a central authority. while t ∈ S5 do
Given Ni := {1, . . . , n}\i, an initial candidate for the set (1) (1)
T X R X MAC(LN Ki→N ,LN KN →i )
i i
of bidirectional neighbors of i (as in (C)), to indicate that U PDATE(Ni )
end while
node i transmits P RBij to each node j ∈ Ni via the while t ∈ S6 do
(2) (2)
OMC, and receives P RBjj from each node j ∈ Ni , we use T X R X MAC(LN Ki→N ,LN KN →i )
i i
U PDATE(Ni )
TxRxMAC(P RBi→Ni ,P RBNi →i ). If a probe packet is not end while
received from some node j, then j is pruned from Ni . end procedure

Next, node i transmits an acknowledgment ACKij to node


j containing a signed confirmation of the received probe
packet P RBj . Node i also listens for an acknowledgment
ACKji from node j. Node i further removes from Ni any B. The Network Discovery Phase
nodes that failed to return acknowledgements.
Then node i transmits to each node j ∈ Ni a pair of timing The purpose of this Phase is to allow the good nodes to
(1) (2) (1)
packets T IMi,j and T IMj,i that contain the send-times sij obtain a common view of the network topology and consistent
(2) estimates of all clock parameters. To accomplish this, the good
and sij respectively as recorded by its local clock τ j (t). Node
(1) nodes must disseminate their lists of neighbors to all nodes,
i also receives a corresponding pair of timing packets T IMi,j
(2) so that all can decide on the same topology view. However
and T IMj,i from node j, and records the corresponding good nodes do not know a priori which nodes are bad, and
(1) (2)
receive-times rji and rji respectively, as measured by the so bad nodes can selectively drop lists or introduce false lists
local clock τ i (t). Any node that fails to deliver timing packets to prevent consensus. We resolve this by using a version of
to node i is further removed from Ni . The timing packets are the Byzantine General’s algorithm of [1], requiring an EIG
(2) (1)
rji −rji tree data structure. Let Ti denote node i’s EIG tree, which by
used to estimate the relative skew aji by âji := (2) (1) .
sji −sji construction has depth n. The root of Ti is labelled with node
The relative skew is used at the end of the Network i’s neighborhood, i.e., the nodes in Ni and the corresponding
Discovery Phase, to estimate a reference clock with respect collection of link certificates. First node i transmits to every
to the local continuous-time clock. In the last two steps, node node j ∈ Nj in its neighborhood, the list of nodes in Ni
(1)
i creates a link certificate $LNK_{ij}$ containing the computed relative clock skew with respect to node $j$, and transmits this link certificate to node $j$ using the OMC. Node $i$ also listens for a similar link certificate $LNK_{ji}$ from node $j$. Finally, node $i$ verifies and signs the received link certificate, and transmits the authenticated version $LNK^{(2)}_{ij}$ back to node $j$. Node $i$ listens for a similar authenticated link certificate $LNK^{(2)}_{ji}$ from $j$. Any nodes that fail to return link certificates are removed from the set $N_i$. This set now represents the nodes in the neighborhood of node $i$ with whom node $i$ has established mutually authenticated link certificates. The Neighbor Discovery Phase's pseudocode is shown in Algorithm 1.

One problem is that the algorithm must be completed in a partially coordinated manner even though the nodes are asynchronous; the completion of any stage in the Exponential Information Gathering (EIG) algorithm (see below) depends on the successful completion of the previous stages by all other good nodes. Consequently, we assign increasingly larger intervals $S_k := [t_k, t_{k+1})$, $k = 1, \dots, 6$, to each successive protocol stage; see Section VI.

and corresponding link certificates, while receiving similar lists from each node in $N_j$. Node $i$ updates its EIG tree with the newly received lists from its neighbors, by assigning each received list to a unique child vertex of the root of $T_i$. Node $i$ then transmits the set of level 1 vertices of $T_i$ to every node in its neighborhood, receiving a set of level 1 vertices from each neighbor in turn. The EIG tree $T_i$ is updated again. This process continues through all $n$ levels of the EIG tree.

The notation $T_i^{(k)}$ in Algorithm 2 indicates the $k$-level vertices of the EIG tree $T_i$. The notation $\mathrm{TxRxMAC}(T^{(k)}_{i \to N_i}, T^{(k)}_{N_i \to i})$ indicates that, using the OMC, node $i$ transmits $T_i^{(k)}$ to each node $j \in N_i$, and receives $T_j^{(k)}$ from each node $j \in N_i$. We use $\mathrm{UPDATE}(T_i)$ to update the EIG tree $T_i$ after the arrival of new information, and the procedure $\mathrm{DECIDE}(T_i)$ to infer the network topology based on the EIG tree. The $n$-stage EIG algorithm guarantees that if the subgraph of good nodes is connected, then each good node will decide on the same topological view.
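The EIG exchange and the DECIDE step just described, as an added worked example (illustrative code written for this page, not the authors' implementation). It assumes a complete communication graph with synchronous rounds, so the relayed TxRxMAC exchange over the OMC is replaced by direct delivery, and it runs $f+1$ tree levels for an assumed bound $f$ on the number of bad nodes rather than the $n$ levels above. The node inputs (each node's claimed neighbor set), the faulty node 3 and its `split_lie` behaviour, and the names `eig_agreement` and `decide_topology` are all constructed for the example.

```python
from collections import Counter

# Constructed sample: four nodes, node 3 is Byzantine. Each node's input is the
# neighbor set it claims (the analogue of the link-certificate lists in the text).
INITIAL = {
    0: frozenset({1, 2}),
    1: frozenset({0, 2, 3}),
    2: frozenset({0, 1}),
    3: frozenset({1}),
}
FAULTY = {3}


def split_lie(sender, receiver, label, value):
    """Hypothetical adversary: the faulty sender tells every receiver something different."""
    return frozenset({receiver})


def eig_agreement(n, f, initial, faulty, lie):
    """Run f+1 rounds of Exponential Information Gathering over a complete graph.

    trees[i] maps a label (j1, ..., jk) to the value node i holds at that vertex:
    "jk told me that ... j2 told it that j1's input was <value>".  Returns, for
    each good node, the decided input of every node (None where no majority exists).
    """
    good = [i for i in range(n) if i not in faulty]
    trees = {i: {} for i in range(n)}
    # Round 1: every node sends its own input under the label (j,).
    for j in range(n):
        for i in range(n):
            v = initial[j]
            if j in faulty and i != j:
                v = lie(j, i, (j,), v)
            trees[i][(j,)] = v
    # Rounds 2..f+1: relay level-(r-1) vertices whose label does not contain the relayer.
    for r in range(2, f + 2):
        for j in range(n):
            for label, v in list(trees[j].items()):
                if len(label) != r - 1 or j in label:
                    continue
                for i in range(n):
                    w = lie(j, i, label + (j,), v) if (j in faulty and i != j) else v
                    trees[i][label + (j,)] = w

    def resolve(tree, label):
        # Leaves keep their value; internal vertices take the strict majority of children.
        if len(label) == f + 1:
            return tree.get(label)
        children = [resolve(tree, label + (j,)) for j in range(n) if j not in label]
        value, count = Counter(children).most_common(1)[0]
        return value if count > len(children) / 2 else None

    return {i: {k: resolve(trees[i], (k,)) for k in range(n)} for i in good}


def decide_topology(decided):
    """DECIDE analogue: keep a link only if both endpoints' agreed-upon lists contain it."""
    links = set()
    for i, neigh in decided.items():
        if neigh is None:
            continue
        for k in neigh:
            other = decided.get(k)
            if other is not None and i in other:
                links.add(frozenset({i, k}))
    return links


if __name__ == "__main__":
    views = eig_agreement(4, 1, INITIAL, FAULTY, split_lie)
    for node, view in views.items():
        print(node, dict(sorted(view.items())), decide_topology(view))
```

With node 3 sending a different neighbor list to every good node, the good nodes cannot reach a majority for node 3's vertex and all decide `None` for it, while every good node's own list is reproduced exactly at every other good node; the resulting topology is the same at nodes 0, 1 and 2, which is the agreement property the text relies on.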
Algorithm 2 The EIG Byzantine General's Algorithm
procedure EIGByzMAC(N_i)
    T_i^(0) := N_i
    for k = 1, ..., n do
        while t ∈ S_{6+k} do
            TxRxMAC(T^(k)_{i→N_i}, T^(k)_{N_i→i})
            Update(T_i)
        end while
    end for
    Decide(T_i)
end procedure

Algorithm 3 Consistency Check Algorithm at Node i
procedure ConsistencyCheck
    START := ((n+1)(a_max)^{n+1} + (n+1)(a_max)^{n+1} U_0) / ε_a
    for each cycle C_j do
        k = Next(C_j)
        m = Prev(C_j)
        if i = Leader(C_j) and t ≥ START then
            Transmit(TIM_{i→k})
        else if i ∈ C_j then
            Receive(TIM_{m→i})
            Transmit(TIM_{i→k})
        end if
    end for
end procedure
C. The Consistency Check Phase

Unfortunately, a fundamental difficulty is that malicious nodes along a path $1, \dots, n$ may have generated false time stamps in the Neighbor Discovery Phase, and thus corrupted the measured relative skews between adjacent nodes. There may be several connecting paths infiltrated by bad nodes that thereby generate different values for the relative skew. It is impossible to determine the correct path from the relative skews alone. Every pair of such inconsistent paths corresponds to an inconsistent cycle in which the skew product is not equal to one. We use an algorithm called Consistency Check to identify the path that generated the correct relative skew.

Consistency Check works by circling a timing packet around every cycle in which the skew product differs from one by more than $\epsilon_a$, a desired maximum skew error. At the conclusion of the test, at least one link with a malicious endpoint will be removed from the cycle, eliminating a connecting path. During the test, each node in such a cycle is obliged to append a receive time-stamp and a send time-stamp generated by the local clock before forwarding the packet to the next node. These time-stamps must satisfy a delay bound condition: the send time and receive time cannot differ by more than 1 clock count. A node fails the consistency check otherwise, or if its time stamps do not agree with its declared relative skew. The key idea is that if the test starts after a sufficiently large amount of time has elapsed, the clock estimates based on faulty relative skews will have diverged so extensively from the actual clocks that at least one malicious node in the cycle will find it impossible to generate time-stamps that are consistent with its declared relative clock skew and satisfy the delay bound condition (all proofs are in Section VI).

Theorem 5.1: Let $T_j$ be the start-time of the Consistency Check for the $j$th inconsistent cycle, consisting of nodes $i_1, \dots, i_m$. At least one malicious node in cycle $j$ will violate a consistency check condition if
$$T_j > \frac{\hat a_{i_m,i^*}(m+1)K + b}{\epsilon_a},$$
where $i^*$ is the node with the smallest skew product $\hat a_{i^*,i_1}$.

Algorithm 3 depicts Consistency Check. Given a cycle $C_j$, $k$ and $m$ denote the nodes that follow and precede node $i$, respectively, in the cycle. If node $i$ is the leader of the cycle, i.e., the node with smallest ID, then node $i$ initiates the timing packet that traverses the cycle and transmits it to node $k$. Otherwise, node $i$ waits for the timing packet to arrive from node $m$ before forwarding it to node $k$.

After all inconsistent cycles have been tested, each node $i$ disseminates the set of all timing packets $T_i$ it received to other nodes. The EIG algorithm is used to ensure a common view of the timing packets generated. Each node removes from the topology any link whose endpoints generated time-stamps inconsistent with its declared relative skew or violated the delay bound. The complete Phase is shown in Algorithm 4.

Algorithm 4 The Network Discovery Phase at Node i
procedure NetworkDiscovery
    EIGByzMAC(N_i)
    ConsistencyCheck
    EIGByzMAC(T_i)
end procedure

At the conclusion of the Network Discovery Phase, node $i$ shares a common view of the network topology with all other good nodes. As a result, the network can designate the node with the smallest ID as the reference clock. Furthermore, each node $i$ has an estimate of the reference clock $\tau_i^r(t)$ with respect to its local clock $t$ using the formula $\hat\tau_i^r(t) := \hat a_i^r t$, where the estimated relative skew $\hat a_i^r$ and the actual relative skew $a_i^r$ differ by at most $\epsilon_a$.

D. The Scheduling Phase

In the Scheduling Phase the good nodes in the network obtain a common schedule governing the transmission and reception of data packets. A "schedule" is simply a sequence of CTVs, each with specified start and end times. Each node $i$ divides the Data Transfer Phase into time-slots, and assigns a CTV to each time-slot so that the resulting throughput vector is utility optimal. All the good nodes independently arrive at the same schedule since they independently optimize the same utility function over the same $C$ (ties broken lexicographically).

Since the good nodes must conform to a common schedule, each node $i$ generates a local estimate of the reference clock $\hat\tau_i^r(t)$ with respect to its local clock $t$, as described in the Network Discovery Phase. However, this estimate may not be perfectly accurate; some of the nodes on a path along which relative skew is estimated may be malicious and can introduce an error of at most $\epsilon_a$ into the computed relative skew. To address this, the time-slots are separated by a dead-time of size $D$, where, given any pair of nodes $(i, j)$, $D$ is chosen to satisfy $|\hat\tau_i^r(t) - \hat\tau_j^r(\tau_{ij}(t))| \le D$.

Finally, $n^2(n-1)$ time-slots are enough to guarantee that every pair of nodes can communicate once in either direction, via multihop routing, during the Data Transfer Phase. The algorithm $\mathrm{UtilityMaximization}(C)$ for the Scheduling Phase is depicted in Algorithm 5. At the end of the Scheduling Phase, node $i$ shares a common utility maximizing schedule with the other good nodes.
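One inconsistent cycle run through the Consistency Check, as an added simulation (not code from the paper). It assumes affine local clocks $\tau_i(t) = a_i t + b_i$, a fixed propagation delay per link, a tolerance `SLACK` (assumed) for that delay when a receive stamp is compared against the declared skew and offset, and a delay bound `K` (assumed value). The malicious node here simply stamps with its true clock, so the example shows the divergence argument behind Theorem 5.1 rather than the full adversary that forges stamps. All clocks and declared values are constructed.

```python
# Constructed sample: node 2 is the malicious endpoint of link (1,2) and has declared
# a relative skew of 1.03 on that link where the true value is 1.01.
CLOCKS = {1: (1.0, 0.0), 2: (1.01, 3.0), 3: (0.99, -2.0)}  # tau_i(t) = a_i * t + b_i
CYCLE = [1, 2, 3]          # node 1 has the smallest ID and acts as leader
EPS_A = 0.01               # desired maximum skew error (epsilon_a in the text)
K = 5.0                    # delay bound in clock counts (assumed value)
SLACK = 2.0                # assumed tolerance for propagation delay on a link


def clock_read(clock, t):
    a, b = clock
    return a * t + b


def relative_skew(clock_i, clock_k):
    """Affine map from i's clock reading to k's: tau_k = a * tau_i + b."""
    (a_i, b_i), (a_k, b_k) = clock_i, clock_k
    a = a_k / a_i
    return a, b_k - a * b_i


def cycle_links(cycle):
    return [(cycle[idx], cycle[(idx + 1) % len(cycle)]) for idx in range(len(cycle))]


def skew_product(cycle, declared):
    prod = 1.0
    for link in cycle_links(cycle):
        prod *= declared[link][0]
    return prod


def is_inconsistent(cycle, declared, eps_a=EPS_A):
    """A cycle needs a Consistency Check when its skew product differs from 1 by more than eps_a."""
    return abs(skew_product(cycle, declared) - 1.0) > eps_a


def consistency_check(cycle, clocks, declared, start, prop_delay, proc_delay,
                      k_bound=K, slack=SLACK):
    """Circulate one timing packet, starting from the leader at global time `start`.

    Every node stamps the packet with its real clock.  Returns the links whose receive
    stamp disagrees with the declared skew/offset and the nodes that broke the delay bound.
    """
    bad_links, bad_nodes = [], []
    t = start
    prev = cycle[0]
    send_stamp = clock_read(clocks[prev], t)
    for _, node in cycle_links(cycle):
        t += prop_delay                       # packet in flight (global time)
        recv_stamp = clock_read(clocks[node], t)
        a_hat, b_hat = declared[(prev, node)]
        if abs(recv_stamp - (a_hat * send_stamp + b_hat)) > slack:
            bad_links.append((prev, node))
        t += proc_delay                       # forwarding delay at `node`
        next_send = clock_read(clocks[node], t)
        if next_send - recv_stamp > k_bound:
            bad_nodes.append(node)
        send_stamp, prev = next_send, node
    return bad_links, bad_nodes


def honest_declarations(cycle, clocks):
    return {link: relative_skew(clocks[link[0]], clocks[link[1]]) for link in cycle_links(cycle)}


def lying_declarations(cycle, clocks):
    declared = honest_declarations(cycle, clocks)
    declared[(1, 2)] = (1.03, 3.0)            # node 2's false skew on link (1,2)
    return declared


if __name__ == "__main__":
    lying = lying_declarations(CYCLE, CLOCKS)
    print("inconsistent:", is_inconsistent(CYCLE, lying))
    for start in (50.0, 1000.0):
        print(start, consistency_check(CYCLE, CLOCKS, lying, start, 0.1, 1.0))
```

Started early (global time 50), the mismatch on link (1,2) is still smaller than the slack allowed for propagation delay and nothing is flagged; started at time 1000 the declared skew predicts a receive stamp about twenty counts away from the one node 2 can actually produce, and the link is removed, which is the "wait sufficiently long" idea the text describes.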
Algorithm 5 The Scheduling Phase at Node i
procedure Scheduling
    UtilityMaximization(C)
end procedure

Algorithm 7 The Verification Phase at Node i
procedure Verification
    EIGByz(L_k)
    Update(C_{k+1})
end procedure

E. The Data Transfer Phase

In this Phase the nodes exchange data packets using the generated schedule. It is divided into time-slots, with each assigned a CTV, a rate vector, and a set of packets for each transmitter in the set. To prevent collisions resulting from two nodes assigning themselves to different time slots due to timing error, node $i$ begins transmission $D$ time-units after the start of the time-slot. The transmitted packet is then guaranteed to arrive at the receiver in the same time slot, for an appropriate choice of $D$ and time-slot size $B_{slot}$.

Algorithm 6 defines this phase, with $m_k$ denoting a message to be transmitted or received by node $i$ in the $k$th slot, $T_{start}$ the start time of the phase measured by the local estimate of the reference clock $\hat\tau_i^r(t)$, $S_k = [t_k, t_{k+1})$, $k = 1, \dots, N$ the time-slots of the phase with $N = n^2(n-1)$, $t_1 = T_{start}$, and $t_{k+1} := t_k + B_{slot} + 2D$, and $TX(k)$ and $RX(k)$ the CTV and receiving nodes during slot $k$.

Algorithm 6 The Data Transfer Phase at Node i
procedure DataTransfer(T_start)
    for k = 1, ..., N do
        if t ∈ S_k and t ≥ t_k + D and i ∈ TX(k) then
            Transmit(m_k)
        else if t ∈ S_k and i ∈ RX(k) then
            Receive(m_k)
        end if
    end for
end procedure

F. The Verification Phase

However, malicious nodes may not cooperate in the Data Transfer Phase. So whenever a scheduled packet fails to arrive at node $j$, it adds the offending CTV and associated packet number to a list, and disseminates the list in the Verification Phase using the EIG Byzantine General's algorithm. These CTVs are then permanently pruned from the collection of feasible CTVs. With $L_k$ denoting the list that failed during the $k$th iteration of the Data Transfer Phase, the set $C_k$ of feasible CTVs during the $k$th iteration of the Scheduling Phase is updated to $C_{k+1} = C_k \setminus L_k$ in Algorithm 7.

All communication can be scheduled into slots separated by a dead-time of $2D$. Within each of the $n$ stages of the EIG Byzantine General's algorithm, there are $n(n-1)$ pairs of nodes that may communicate, and at most $n$ nodes on the connecting path. Therefore, the total number of time slots required is $n^3(n-1)$.

At the conclusion of the phase, the good nodes again share a common view of the set of feasible CTVs for the next iteration of the Scheduling Phase.

G. The Steady State

The network cycles through the Scheduling, Data Transfer, and Verification Phases for $n_{iter}$ iterations. Eventually, by finiteness, it converges to a set of CTVs, and a utility-maximizing schedule over it. The overall protocol is in Algorithm 8.

Algorithm 8 The Complete Protocol
NeighborDiscovery
NetworkDiscovery
for k = 1, ..., n_iter do
    Scheduling(C_k)
    DataTransfer(t)
    Verification
end for

VI. FEASIBILITY OF PROTOCOL AND OPTIMALITY PROOF

For the distributed wireless nodes to exchange data over the network, they must not only have the same topological view, in order to independently arrive at a common schedule, but they must also have a consistent view of a reference clock so that any activity will conform to this common schedule. For this, we consider the consistency check algorithm of Section V-C.

Consider a chain network $1, \dots, n$, where the endpoints, nodes 1 and $n$, are good, and the intermediate nodes $2, \dots, n-1$ are bad. Note that this network can also be reduced to a cycle of size $n-1$ by making both endpoints the same node. We assume that the two good endpoints do not know if any of the intermediate nodes are bad.

Now suppose that each pair of adjacent nodes $(i, i-1)$ for $i = 2, \dots, n$ has declared a set of relative skews and offsets $\{\hat a_{i,i-1}, \hat b_{i,i-1}\}$, and that each node in the chain knows this set. The two good nodes wish to determine whether the declared skews are accurate, i.e., whether $a_{n,1} = \prod_{i=2}^{n} \hat a_{i,i-1}$. Unfortunately, the good nodes have no way of directly measuring $a_{n,1}$. The estimate of $a_{n,1}$ is obtained from the skew product itself, which is the very quantity that needs to be verified. So, instead, the good nodes carry out the consistency check described earlier. After waiting a sufficiently long time, node 1 initiates a timing packet that traverses the chain from left to right. Each node in the chain is obligated to forward the packet after appending receive and send time-stamps that satisfy the skew consistency and delay bound conditions.

In order to defeat this test, the bad nodes, having collectively declared a false set of relative skews and offsets, must support two sets of clocks for each node $i \in \{2, \dots, n\}$: a "left" clock $\tau^{i,l}(t)$ to generate receive time-stamps, and a "right" clock $\tau^{i,r}(t)$ to generate send time-stamps. Unlike the clocks of the good nodes, the left and right clocks of the bad nodes need not be affine with respect to the global reference clock. In fact, the bad nodes are free to jointly select any set of clocks $\{\tau^{i,l}(t), \tau^{i,r}(t),\ \forall i = 2, \dots, n-1\}$ that are arbitrary functions of $t$, a much larger set than the affine clocks being emulated. However, we will show that if node 1 waits sufficiently long, there is no set of clocks $\{\tau^{i,l}(t), \tau^{i,r}(t),\ i = 2, \dots, n-1\}$ that can generate time-stamps which satisfy both conditions of the consistency check.
Let $r_{i,i-1}$ and $s_{i,i+1}$ denote the receive and send time-stamps generated by a bad node $i$ with respect to the left and right clocks $\tau^{i,l}(t)$ and $\tau^{i,r}(t)$ respectively. Let $t_{i,l}$ and $t_{i,r}$ denote the time with respect to the global reference clock at which the receive and send time-stamps are generated at node $i$. We have $r_{i-1,i} := \tau^{i,l}(t_{i,l})$ and $s_{i,i+1} := \tau^{i,r}(t_{i,r})$. Let $t_1$ and $t_n$ denote the time with respect to the global reference clock at which the timing packet was transmitted by node 1 and received by node $n$ respectively. We have $s_{1,2} := \tau^1(t_1)$, $r_{n-1,n} := \tau^n(t_n)$. To simplify notation we will define left and right clocks at the endpoints so that $t_{1,r} := t_1$, $t_{n,l} := t_n$ and $\tau^{1,r}(t_{1,r}) := \tau^1(t_1)$, $\tau^{n,l}(t_{n,l}) := \tau^n(t_n)$.

In order to prove that both conditions of the consistency check cannot be satisfied by any set of clocks $\{\tau^{i,l}(t), \tau^{i,r}(t),\ i = 2, \dots, n-1\}$, we will assume that the first condition is satisfied, and show that the second must fail. Therefore, the clocks must satisfy:

$$\tau^{i,l}(t_{i,l}) = a_{i,i-1}\,\tau^{i-1,r}(t_{i-1,r}) + b_{i,i-1} \quad \text{for } 2 \le i \le n. \tag{2}$$

In addition, by virtue of causality, we also have:

$$\tau^{i,l}(t_{i,l}) \le \tau^{i,r}(t_{i,r}). \tag{3}$$

We prove that the delay bound condition must be violated if node 1 waits for a sufficiently large period of time before initiating the timing packet, i.e., if $\tau^1(t_1)$ is sufficiently large, then for some $i$, we have $\tau^{i,r}(t_{i,r}) - \tau^{i,l}(t_{i,l}) > K$. More precisely, we show $\sum_{i=2}^{n-1} \big(\tau^{i,r}(t_{i,r}) - \tau^{i,l}(t_{i,l})\big) > nK$, which implies that some node has violated the delay bound condition.

The sum $\sum_{i=2}^{n-1} \big(\tau^{i,r}(t_{i,r}) - \tau^{i,l}(t_{i,l})\big)$ cannot be directly evaluated because the left and right clocks $\{\tau^{i,l}(t), \tau^{i,r}(t)\}$ are arbitrary functions of $t$. However, we have the following equality by repeated addition and subtraction:

$$\tau^{n,l}(t_{n,l}) = \tau^{1,r}(t_{1,r}) + \sum_{i=2}^{n} \big(\tau^{i,l}(t_{i,l}) - \tau^{i-1,r}(t_{i-1,r})\big) + \sum_{i=2}^{n-1} \big(\tau^{i,r}(t_{i,r}) - \tau^{i,l}(t_{i,l})\big) = \tau^{1,r}(t_{1,r}) + S_1 + S_2,$$

where $S_1 := \sum_{i=2}^{n} \big(\tau^{i,l}(t_{i,l}) - \tau^{i-1,r}(t_{i-1,r})\big)$ and $S_2 := \sum_{i=2}^{n-1} \big(\tau^{i,r}(t_{i,r}) - \tau^{i,l}(t_{i,l})\big)$. The value $S_2$ is the sum of the forwarding delays. We will use (2) and (3) to obtain an upper bound on $S_1$. Inserting this upper bound and using the fact that $\tau^{n,l}(t)$ and $\tau^{1,r}(t)$ are both affine functions of $t$ will allow us to obtain a lower bound on $S_2$. The proof will then follow easily. We now obtain an upper bound on $S_1$ when the forward skew product $\prod_{i=2}^{j} \hat a_{i,i-1} \ge 1$ for all $j \ge 2$.

Lemma 6.1: Suppose $\prod_{i=2}^{j} a_{i,i-1} \ge 1$ for $2 \le j \le n$. Then
$$\sum_{i=2}^{n} \big(\tau^{i,l}(t_{i,l}) - \tau^{i-1,r}(t_{i-1,r})\big) \le \frac{\hat a_{n,1} - 1}{\hat a_{n,1}}\,\tau^{n,l}(t_{n,l}) + \sum_{i=2}^{n} \frac{\hat b_{i,i-1}}{\hat a_{i,1}}.$$

Proof: We have by definition $\tau^{n+1,l}(t_{n+1,l}) := \hat a_{n+1,n}\,\tau^{n,r}(t_{n,r}) + \hat b_{n+1,n}$. For $n = 2$, we have
$$\tau^{2,l}(t_{2,l}) - \tau^{1,r}(t_{1,r}) = \frac{a_{2,1} - 1}{a_{2,1}}\,\tau^{2,l}(t_{2,l}) + \frac{b_{2,1}}{a_{2,1}}.$$
Now assume the lemma is true for $n$. We will show that it also holds for $n+1$:
$$\begin{aligned}
\sum_{i=2}^{n+1} \big(\tau^{i,l}(t_{i,l}) - \tau^{i-1,r}(t_{i-1,r})\big)
&= \sum_{i=2}^{n} \big(\tau^{i,l}(t_{i,l}) - \tau^{i-1,r}(t_{i-1,r})\big) + \tau^{n+1,l}(t_{n+1,l}) - \tau^{n,r}(t_{n,r}) \\
&\le \frac{\hat a_{n,1} - 1}{\hat a_{n,1}}\,\tau^{n,l}(t_{n,l}) + \sum_{i=2}^{n} \frac{\hat b_{i,i-1}}{\hat a_{i,1}} + \tau^{n+1,l}(t_{n+1,l}) - \tau^{n,r}(t_{n,r}) \\
&\le \frac{\hat a_{n,1} - 1}{\hat a_{n,1}}\,\tau^{n,r}(t_{n,r}) + \sum_{i=2}^{n} \frac{\hat b_{i,i-1}}{\hat a_{i,1}} + \tau^{n+1,l}(t_{n+1,l}) - \tau^{n,r}(t_{n,r}) \\
&= \frac{\hat a_{n,1} - 1}{\hat a_{n,1}} \cdot \frac{\tau^{n+1,l}(t_{n+1,l}) - \hat b_{n+1,n}}{\hat a_{n+1,n}} + \sum_{i=2}^{n} \frac{\hat b_{i,i-1}}{\hat a_{i,1}} + \frac{\hat a_{n+1,n} - 1}{\hat a_{n+1,n}}\,\tau^{n+1,l}(t_{n+1,l}) + \frac{\hat b_{n+1,n}}{\hat a_{n+1,n}} \\
&= \frac{\hat a_{n+1,1} - 1}{\hat a_{n+1,1}}\,\tau^{n+1,l}(t_{n+1,l}) + \sum_{i=2}^{n+1} \frac{\hat b_{i,i-1}}{\hat a_{i,1}},
\end{aligned}$$
which follow from the induction hypothesis above in the Lemma statement, and the fact that $\tau^{n,r}(t_{n,r}) \ge \tau^{n,l}(t_{n,l})$ and $a_{i,1} \ge 1$ for all $2 \le i \le n+1$ (that is, the coefficient $\hat a_{i,1} - 1$ is negative).

We next bound $S_1$ in the special case when the reverse skew product $\prod_{i=1}^{j} \hat a_{n-(i-1),n-i} \le 1$ for all $j \ge 1$.

Lemma 6.2: Suppose $\prod_{i=1}^{j} a_{n-(i-1),n-i} \le 1$ for $2 \le j \le n-1$. Then
$$\sum_{i=1}^{j} \big(\tau^{n-(i-1),l}(t_{n-(i-1),l}) - \tau^{n-i,r}(t_{n-i,r})\big) \le (\hat a_{n,n-j} - 1)\,\tau^{n-j,r}(t_{n-j,r}) + \hat b_{n,n-1} + \sum_{i=n-j+1}^{n-1} \hat a_{n,i}\,\hat b_{i,i-1}.$$

Proof: We have by definition $\tau^{n-(k-1),l}(t_{n-(k-1),l}) := \hat a_{n-(k-1),n-k}\,\tau^{n-k,r}(t_{n-k,r}) + \hat b_{n-(k-1),n-k}$. For $j = 1$, $\tau^{n,l}(t_{n,l}) - \tau^{n-1,r}(t_{n-1,r}) = (a_{n,n-1} - 1)\,\tau^{n-1,r}(t_{n-1,r})$. Now assume the Lemma holds for $j$. We will show that it must hold for $j+1$:
$$\begin{aligned}
\sum_{k=1}^{j+1} \big(\tau^{n-(k-1),l}(t_{n-(k-1),l}) - \tau^{n-k,r}(t_{n-k,r})\big)
&= \sum_{k=1}^{j} \big(\tau^{n-(k-1),l}(t_{n-(k-1),l}) - \tau^{n-k,r}(t_{n-k,r})\big) + \tau^{n-j,l}(t_{n-j,l}) - \tau^{n-(j+1),r}(t_{n-(j+1),r}) \\
&\le (\hat a_{n,n-j} - 1)\,\tau^{n-j,r}(t_{n-j,r}) + \hat b_{n,n-1} + \sum_{k=n-j+1}^{n-1} \hat a_{n,k}\,\hat b_{k,k-1} + \tau^{n-j,l}(t_{n-j,l}) - \tau^{n-(j+1),r}(t_{n-(j+1),r}) \\
&\le (\hat a_{n,n-j} - 1)\,\tau^{n-j,l}(t_{n-j,l}) + \hat b_{n,n-1} + \sum_{k=n-j+1}^{n-1} \hat a_{n,k}\,\hat b_{k,k-1} + \tau^{n-j,l}(t_{n-j,l}) - \tau^{n-(j+1),r}(t_{n-(j+1),r}) \\
&\le (\hat a_{n,n-(j+1)} - 1)\,\tau^{n-(j+1),r}(t_{n-(j+1),r}) + \hat b_{n,n-1} + \sum_{k=n-j}^{n-1} \hat a_{n,k}\,\hat b_{k,k-1}.
\end{aligned}$$
The above follow from the induction hypothesis in Lemma 6.2, since $\tau^{i,l}(t_{i,l}) \le \tau^{i,r}(t_{i,r})$ and $\hat a_{n,n-j} \le 1$ for $1 \le j \le n-1$ (that is, the coefficient $\hat a_{n,n-j} - 1$ is negative), and from substitution into $\tau^{n-j,l}(t_{n-j,l})$ and simplification.

We will combine both special cases in Lemma 6.1 and Lemma 6.2 to obtain an upper bound on $S_1$. First we define $i^*$ as the node with the smallest skew product $\hat a_{i^*,1}$ in the chain network that is less than one. That is, $\hat a_{i^*,1} = \min_k \hat a_{k,1}$ and $\hat a_{i^*,1} \le 1$. If no such node exists, set $i^* = 1$.

Now we consider an arbitrary set of skews $\{\hat a_{i,i-1},\ i = 2, \dots, n\}$. Next we show that if $i^* \ge 2$ then the forward skew product starting from $i^*$ is greater than 1, and the reverse skew product starting from $i^* - 1$ is always less than one.

Lemma 6.3: If $i^* \ge 2$ then $\hat a_{j,i^*} \ge 1$ for $i^* + 1 \le j \le n$ and $\hat a_{i^*,i^*-k+1} \le 1$ for $1 \le k \le i^*$. Otherwise, $\hat a_{j,1} \ge 1$ for $2 \le j \le n$.

Proof: Consider $i^* \ge 2$, and suppose the first part of the assertion is false, i.e., for some $j'$, $\hat a_{j',i^*} < 1$. It follows that $\hat a_{j',1} = \hat a_{j',i^*}\,\hat a_{i^*,1} \le \hat a_{i^*,1}$. But then $j'$ is a node with a smaller skew product $\hat a_{j,1}$ than node $i^*$, which contradicts the definition of $i^*$. Now suppose that the second part of the assertion is false, i.e., for some $j'$ we have $\hat a_{i^*,j'} > 1$. It follows that $\hat a_{i^*,1} = \hat a_{i^*,j'}\,\hat a_{j',1} \ge \hat a_{j',1}$. But then $j'$ is a node with a smaller skew product than node $i^*$, which again contradicts the definition of $i^*$. Now consider the case when $i^* = 1$. Then by definition of $i^*$ it follows that $\hat a_{j,1} \ge 1$ for all $2 \le j \le n$.

We now obtain an upper bound on $S_1$ for arbitrary skews.

Lemma 6.4: Suppose $i^* \ge 2$. We have the following inequality:
$$\sum_{j=2}^{n} \big(\tau^{j,l}(t_{j,l}) - \tau^{j-1,r}(t_{j-1,r})\big) \le (\hat a_{i^*,1} - 1)\,\tau^{1,r}(t_{1,r}) + \frac{\hat a_{n,i^*} - 1}{\hat a_{n,i^*}}\,\tau^{n,l}(t_{n,l}) + \frac{\hat b_{n,1}}{\hat a_{n,i^*}}.$$

Proof:
$$\sum_{j=2}^{n} \big(\tau^{j,l}(t_{j,l}) - \tau^{j-1,r}(t_{j-1,r})\big) = \sum_{j=2}^{i^*} \big(\tau^{j,l}(t_{j,l}) - \tau^{j-1,r}(t_{j-1,r})\big) + \sum_{j=i^*+1}^{n} (\tau^{j,l}(t_{j,l}) -$$
$$\tau^{j-1,r}(t_{j-1,r})) = (\hat a_{i^*,1} - 1)\,\tau^{1,r}(t_{1,r}) + \hat b_{i^*,i^*-1} + \sum_{j=2}^{i^*} \hat a_{i^*,j}\,\hat b_{j,j-1} + \frac{\hat a_{n,i^*} - 1}{\hat a_{n,i^*}}\,\tau^{n,l}(t_{n,l}) + \sum_{i=i^*+1}^{n} \frac{\hat b_{i,i-1}}{\hat a_{i,i^*}}$$
$$= (\hat a_{i^*,1} - 1)\,\tau^{1,r}(t_{1,r}) + \frac{\hat a_{n,i^*} - 1}{\hat a_{n,i^*}}\,\tau^{n,l}(t_{n,l}) + \frac{\sum_{j=2}^{n} \hat a_{n,j}\,\hat b_{j,j-1}}{\hat a_{n,i^*}} = (\hat a_{i^*,1} - 1)\,\tau^{1,r}(t_{1,r}) + \frac{\hat a_{n,i^*} - 1}{\hat a_{n,i^*}}\,\tau^{n,l}(t_{n,l}) + \frac{\hat b_{n,1}}{\hat a_{n,i^*}},$$
which follow by applying Lemma 6.2 and Lemma 6.1, by multiplying the terms in each summation by $\hat a_{n,i^*}/\hat a_{n,i^*}$ and simplifying, and from the definitions of $\hat b_{ij}$ and $\hat d_{ji}$.

Now that we have an upper bound on $S_1$, we can obtain a lower bound on $S_2$, the sum of the forwarding delays.

Lemma 6.5: The sum of forwarding delays in the chain network satisfies:
$$\sum_{j=2}^{n-1} \big(\tau^{j,l}(t_{j,l}) - \tau^{j,r}(t_{j,r})\big) \ge \frac{a_{n,1} - \hat a_{n,1}}{\hat a_{n,i^*}}\,\tau^{1,r}(t_{1,r}) + \frac{b_{n,1} - \hat b_{n,1}}{\hat a_{n,i^*}}.$$

Proof:
$$\begin{aligned}
\sum_{j=2}^{n-1} \big(\tau^{j,l}(t_{j,l}) - \tau^{j,r}(t_{j,r})\big)
&= \tau^{n,l}(t_{n,l}) - \tau^{n,r}(t_{n,r}) - \sum_{j=2}^{n} \big(\tau^{j,l}(t_{j,l}) - \tau^{j-1,r}(t_{j-1,r})\big) \\
&\ge \tau^{n,l}(t_{n,l}) - \tau^{n,r}(t_{n,r}) - (\hat a_{i^*,1} - 1)\,\tau^{1,r}(t_{1,r}) - \frac{\hat a_{n,i^*} - 1}{\hat a_{n,i^*}}\,\tau^{n,l}(t_{n,l}) - \frac{\hat b_{n,1}}{\hat a_{n,i^*}} \\
&= \frac{\tau^{n,l}(t_{n,l})}{\hat a_{n,i^*}} - \hat a_{i^*,1}\,\tau^{1,r}(t_{1,r}) - \frac{\hat b_{n,1}}{\hat a_{n,i^*}}
\ \ge\ \frac{\tau^{n,l}(t_{1,r})}{\hat a_{n,i^*}} - \hat a_{i^*,1}\,\tau^{1,r}(t_{1,r}) - \frac{\hat b_{n,1}}{\hat a_{n,i^*}} \\
&= \frac{a_{n,1}\,\tau^{1,r}(t_{1,r}) + b_{n,1}}{\hat a_{n,i^*}} - \hat a_{i^*,1}\,\tau^{1,r}(t_{1,r}) - \frac{\hat b_{n,1}}{\hat a_{n,i^*}}
= \frac{a_{n,1} - \hat a_{n,1}}{\hat a_{n,i^*}}\,\tau^{1,r}(t_{1,r}) + \frac{b_{n,1} - \hat b_{n,1}}{\hat a_{n,i^*}},
\end{aligned}$$
which follow by noting from repeated addition and subtraction that $\tau^{n,l}(t_{n,l}) = \tau^{1,r}(t_{1,r}) + \sum_{j=2}^{n} \big(\tau^{j,l}(t_{j,l}) - \tau^{j-1,r}(t_{j-1,r})\big) + \sum_{j=2}^{n-1} \big(\tau^{j,l}(t_{j,l}) - \tau^{j,r}(t_{j,r})\big)$, by applying Lemma 6.4, because $t_{n,l} \ge t_{1,r}$ since node $n$ could not have received the timing packet before node 1 transmitted it, and since node $n$'s clock is relatively affine with respect to node 1's clock.

We now complete the proof of the consistency check for a chain network. We show that if the start time of the consistency check is sufficiently large, and the left and right clocks $\{\tau^{i,l}(t_{i,l}), \tau^{i,r}(t_{i,r})\}$ satisfy the parameter consistency condition, then at least one node will violate the delay bound condition. Hence there are no left and right clocks that can pass both conditions of the consistency check if the start time is large.

Proof: We assume node 1 is a good node. Now
$$\frac{a_{n,1} - \hat a_{n,1}}{\hat a_{n,i^*}}\,\tau^{1,r}(t_{1,r}) + \frac{b_{n,1} - \hat b_{n,1}}{\hat a_{n,i^*}} > nK.$$
But by Lemma 6.5 the LHS of this inequality is the lower bound of the sum of the delays in the chain $\sum_{j=2}^{n} \big(\tau^{j,l}(t_{j,l}) - \tau^{j,r}(t_{j,r})\big)$. By substitution, $\sum_{j=2}^{n} \big(\tau^{j,l}(t_{j,l}) - \tau^{j,r}(t_{j,r})\big) > nK$. It follows that for some malicious node $j \in \{2, \dots, n\}$, $\tau^{j,l}(t_{j,l}) - \tau^{j,r}(t_{j,r}) > K$, which violates the delay bound condition.

Now we can show that the neighbor and network discovery phases together allow the good nodes to form a rudimentary network, where the good nodes have the same topological view and consistent estimates of a reference clock. The first obstacle is that the protocol is composed of stages that must be completed sequentially by all the nodes in the network, even prior to clock synchronization. Suppose that $[t_k, t_{k+1})$ is the interval allocated to the $k$th stage. Any messages transmitted between adjacent good nodes must arrive in the same interval they were transmitted. Since send-times are measured with respect to the source clock, and receive-times with respect to the destination clock, the intervals must be chosen large enough to compensate for the maximum clock divergence caused by skew $a_{ij} \le a_{max}$ and offset $b_{ij} \le a_{max} U_0$.

Lemma 6.6: There exists a sequence of adjacent time-intervals $[t_k, t_{k+1})$ and a corresponding schedule that guarantees that any message of size $W$ transmitted (via OMC) by node $i$ in the interval $[t_k, t_{k+1})$ (as measured by $i$'s clock) will be received by node $j$ in the same interval as measured by node $j$'s clock.

Proof: Set $t_{k+1} := (a_{max})^2 t_k + 2(a_{max})^3 U_0 + (a_{max})^3 T_{MAC}(W)$. Suppose a message from node $i$ to node $j$ during $[t_k, t_{k+1})$ is transmitted (via the OMC) at $t_s^{(i)} := a_{max} t_k + (a_{max})^2 U_0$ with respect to node $i$'s clock. By substitution and simplification it follows that $\tau_{ij}(t_s) \ge t_k$ and $\tau_{ij}(t_s + T_{MAC}(W)) < t_{k+1}$. Hence $\tau_{ij}([t_s, t_s + T_{MAC}(W))) \subset [t_k, t_{k+1})$, and so $j$ receives this message during the same interval with respect to $j$'s clock.

Theorem 6.1: After Network Discovery, the good nodes have a common view of the topology and consistent estimates (to within $\epsilon_a$) of the skew of the reference clock.

Proof: From Lemma 6.6 all good nodes will proceed through each stage of the Neighbor and Network Discovery Phases together, and therefore establish link certificates with their good neighbors. Since they form a connected component, the good nodes obtain a common view of their link certificates using the EIGByzMAC algorithm and the schedule in Lemma 6.6. The good nodes can therefore infer the network topology and the relative skews of all adjacent nodes based upon the collection of link certificates. Using Consistency Check, the good nodes can eliminate paths along which bad nodes have provided false skew data. The good nodes can disseminate this information to each other using the EIGByzMAC algorithm and Lemma 6.6 and thus obtain consistent estimates of the reference clock to within $\epsilon_a$.

Lemma 6.7: The sequence of adjacent intervals $[t_j, t_{j+1})$, $j = 0, \dots, k$ is contained in $[t_0, c_1 t_0 + c_2 W)$ where the constants $c_1$ and $c_2$ depend on $a_{max}$, $k$, $U_0$, and $n$.

Proof: For the OMC, $T_{MAC}(W) \le cW$, where $c$ depends on $a_{max}$ and $n$. The result for $k = 1$ follows from the definition of $t_k$ and substitution of $cW$ for $T_{MAC}(W)$, and for general $k$ by induction and the definition of $t_k$.

Lemma 6.8: The time to complete the Neighbor and Network Discovery Phases, $T_{nei} + T_{net}$, is less than $c_1 \log T_{life} + c_2/\epsilon_a$ where $c_1, c_2$ depend only on $n$, $a_{max}$, $U_0$.

Proof: From Algorithms 1, 2, 3 and 4 there are at most $6 + n + n|C| + n$ protocol stages in the Neighbor and Network Discovery Phases. Hence the time required is at most $c_1 t_0 + c_2 W$, where $W$ is the size of a message to be transmitted, and $c_1, c_2$ are constants depending on the number of protocol stages, $a_{max}$, $U_0$, $n$. The maximum size of a message is proportional to the timing packet size $\log T_{life}$. To account for the effect of the minimum start-time $T_s$ for the consistency check, we can assume the worst case that $T_s$ comes into effect during the first protocol stage (instead of later in the Network Discovery Phase). From Theorem 5.1 the consistency check start-time is at most $c/\epsilon_a$, where $c$ depends on $U_0$, $a_{max}$, $n$. Substitution into $t_0$ proves the lemma.

Lemma 6.9: The time required for the Data Transfer Phase is at most $c_3 B + c_4 D$ where $B$ is the time spent transmitting data packets, $D$ is the size of the dead-time separating time slots, and $c_3, c_4$ depend on $n$ alone.

Proof: The total number of time-slots for data transfer between all source-destination pairs is $n^2(n-1)$, each supporting data transfer of size $B_s$ and a dead-time $D$.

Lemma 6.10: The time required for the Verification Phase is at most $c_5 D$ where $c_5$ depends on $n$ alone.

Proof: In each stage of the EIG Byzantine General's algorithm, there are at most $n!$ vertex values that must be transmitted with each node in the neighborhood. The value of a vertex is a list of CTVs. There are at most $2^n$ CTVs and at most $n$ nodes in a CTV. Therefore the size of any message to be transmitted by a node during the EIG algorithm is at most $cD$, where $c$ is a constant dependent on $n$. Since there are $n(n-1)$ possible source-destination pairs, there are at most $n(n-1)$ time slots in each stage, separated at the beginning and end by a dead-time $D$. Therefore the duration of each stage is at most $cD + n(n-1)2D$. There are at most $n$ stages.

We can now prove the main theorem of this paper.

Theorem 6.2: The protocol ensures that the network proceeds from startup to a functioning network carrying data. There exists a selection of parameters $n_{iter}$, $D$, $B$, $\epsilon_a$ and $T_{life}$ that achieves min-max utility over the enabled set, to within a factor $\epsilon$, where the min is over all policies of the bad nodes that can only adopt two actions in each CTV: conform to the protocol and/or jam. The achieved utility is $\epsilon$-optimal.

Proof: We begin by choosing parameters so that the protocol overhead, which includes Neighbor Discovery, Network Discovery, Verification, all dead-times, and the iterations converging to the final rate vector, is an arbitrarily small fraction of the total operating lifetime. With $\hat\tau_i^r(t) := \hat a_i^r t$ the estimate of the reference clock $r$ with respect to the local clock at node $i$, the maximum difference in nodal estimates is bounded as $|\hat\tau_i^r(\tau^i(t)) - \hat\tau_k^r(\tau_{ik}(\tau^i(t)))| \le 2(a_{max})^2 \epsilon_a T_{life} + (a_{max})^2 U_0$. With $k_r$ the number of rate vectors in the rate region, we can choose $n_{iter}$, $D$, $B$, $\epsilon_a$ and $T_{life}$ to satisfy:
$$\frac{n_{iter}}{n_{iter} + 2^n k_r} \ge 1 - \epsilon_l, \qquad \frac{B}{c_1 \log T_{life} + \frac{c_2}{\epsilon_a} + B + c_3 D + c_4 D} \ge 1 - \epsilon_d,$$
$$n_{iter}\Big(c_1 \log T_{life} + \frac{c_2}{\epsilon_a} + B + c_3 D + c_4 D\Big) \le T_{life}, \qquad 2(a_{max})^2 \epsilon_a T_{life} + (a_{max})^2 U_0 \le D.$$
These ensure that the rate loss due to failed CTVs is arbitrarily small, the time spent transmitting data is an arbitrarily large fraction of the duration of that iteration, the operating lifetime is large enough to support $n_{iter}$ protocol iterations, and the dead-time $D$ is large enough to tolerate the maximum divergence in clock estimates caused by the skew error $\epsilon_a$.

Let $\{D(t)\}$ be the decreasing sequence of sets of disabled CTVs, with limit $\bar D$ attained at some finite time $T$. Suppose $x$ achieves the maximum utility for $\bar D$ over the nodes in the same component as the good nodes. No protocol can do better when $\bar D$ is disabled. The proposed protocol attains $x(1 - \epsilon_d)(1 - \epsilon_l)$.

VII. CONCLUDING REMARKS

We have presented a complete suite of protocols that enables a collection of good nodes interspersed with bad nodes to form a functioning network from start-up, operating at a utility-optimal rate vector, regardless of what the bad nodes conspire to do, under a certain system model. Further, the attackers cannot decrease the utility any more than they could by just conforming to the protocol or jamming on each CTV.

This paper is only an initial attempt to obtain a theoretical foundation for a much needed holistic all-layer approach to secure wireless networking, and there are several open issues. An important potential generalization is to allow probabilistic communication. Since the protocol presented has poor transient behavior, though it is overall optimal, it needs to be explored how to increase efficiency in the transient phase. Much further work remains to be done.
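The interval construction from the proof of Lemma 6.6, checked numerically with exact rational arithmetic, as an added example (not the authors' code). It assumes the relative clock between two good nodes is affine, $\tau_{ij}(x) = a_{ij} x + b_{ij}$, with $a_{ij} \in [1/a_{max}, a_{max}]$ (the lower bound follows from $a_{ji} = 1/a_{ij} \le a_{max}$) and $|b_{ij}| \le a_{max} U_0$; the numeric parameters in `SAMPLE` and the function names are constructed for the example.

```python
from fractions import Fraction

# Constructed parameters (not from the paper): a_max = 1.05, U0 = 10, T_MAC(W) = 2, t_0 = 100.
SAMPLE = {"t0": Fraction(100), "a_max": Fraction(21, 20), "u0": Fraction(10), "t_mac": Fraction(2)}


def next_interval_end(t_k, a_max, u0, t_mac):
    """t_{k+1} := a_max^2 t_k + 2 a_max^3 U0 + a_max^3 T_MAC(W), as in the proof of Lemma 6.6."""
    return a_max ** 2 * t_k + 2 * a_max ** 3 * u0 + a_max ** 3 * t_mac


def interval_sequence(t0, stages, a_max, u0, t_mac):
    """Boundaries t_0, t_1, ..., t_stages of the successive protocol-stage intervals."""
    ends = [t0]
    for _ in range(stages):
        ends.append(next_interval_end(ends[-1], a_max, u0, t_mac))
    return ends


def send_time(t_k, a_max, u0):
    """Stage-k transmission instant t_s := a_max t_k + a_max^2 U0 on the sender's own clock."""
    return a_max * t_k + a_max ** 2 * u0


def received_in_same_interval(t_k, t_k1, a_ij, b_ij, a_max, u0, t_mac):
    """Map the sender's transmission window [t_s, t_s + T_MAC) through tau_ij(x) = a_ij x + b_ij
    and check that it lies inside [t_k, t_k1) on the receiver's clock."""
    t_s = send_time(t_k, a_max, u0)
    first = a_ij * t_s + b_ij
    last = a_ij * (t_s + t_mac) + b_ij
    return t_k <= first and last < t_k1


def holds_for_extreme_clocks(t_k, t_k1, a_max, u0, t_mac):
    """Check the four worst-case relative clocks: skew 1/a_max or a_max, offset -a_max U0 or +a_max U0
    (assumed bounds, taken from the skew/offset limits quoted before Lemma 6.6)."""
    for a_ij in (1 / a_max, a_max):
        for b_ij in (-a_max * u0, a_max * u0):
            if not received_in_same_interval(t_k, t_k1, a_ij, b_ij, a_max, u0, t_mac):
                return False
    return True


def lemma_6_6_demo(stages=3):
    """Build the interval sequence, verify containment for every stage and extreme clock, and
    show that growing the interval by a_max^2 alone (no offset / MAC allowance) is not enough."""
    p = SAMPLE
    ends = interval_sequence(p["t0"], stages, p["a_max"], p["u0"], p["t_mac"])
    every_stage_ok = all(
        holds_for_extreme_clocks(ends[k], ends[k + 1], p["a_max"], p["u0"], p["t_mac"])
        for k in range(stages)
    )
    too_small_ok = holds_for_extreme_clocks(ends[0], p["a_max"] ** 2 * ends[0],
                                            p["a_max"], p["u0"], p["t_mac"])
    return ends, every_stage_ok, too_small_ok


if __name__ == "__main__":
    ends, ok, too_small = lemma_6_6_demo()
    print([float(t) for t in ends], ok, too_small)
```

The slowest receiver clock with the most negative offset lands exactly on $t_k$ (the $a_{max} U_0$ term in $t_s$ is what absorbs the offset), and the fastest clock with the largest offset finishes strictly before $t_{k+1}$ because the interval grows by $2(a_{max})^3 U_0 + (a_{max})^3 T_{MAC}(W)$ rather than by the bare $a_{max}^2$ factor; the last return value shows the latter choice failing.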