Non-Cooperative Location Privacy The Harvard community has made this article openly available. Please share how this access benefits you. Your story matters

—In mobile networks, authentication is a required primitive for most security protocols. Unfortunately, an adversary can monitor pseudonyms used for authentication to track the location of mobile nodes. A frequently proposed solution to protect location privacy suggests that mobile nodes collectively change their pseudonyms in regions called mix zones. This approach is costly. Self-interested mobile nodes might thus decide not to cooperate and jeopardize the achievable location privacy. In this paper, we analyze non-cooperative behavior of mobile nodes by using a game-theoretic model, where each player aims at maximizing its location privacy at a minimum cost. We obtain Nash equilibria in static n -player complete information games. As in practice mobile nodes do not know their opponents’ payoffs, we then consider static incomplete information games. We establish that symmetric Bayesian-Nash equilibria exist with simple threshold strategies. By means of numerical results, we predict behavior of selﬁsh mobile nodes. We then investigate dynamic games where players decide to change their pseudonym one after the other and show how this affects strategies at equilibrium. Finally, we design protocols - PseudoGame protocols - based on the results of our analysis and simulate their performance in vehicular network scenarios.


I. INTRODUCTION
The growing popularity of Bluetooth, WiFi in ad hoc mode [3] and other similar techniques is likely to fuel the adoption of peer-to-peer wireless communications. Corporations are developing wireless peer-to-peer technologies such as Nokia Instant Community [5] and Qualcomm FlashLinQ [29]. In addition to classic infrastructure-based communications, mobile devices can communicate directly with each other in an ad hoc wireless fashion. Such communications dramatically increase mobile devices' awareness of their environment, enabling a new breed of context-aware applications.
The integration of peer-to-peer wireless communications into mobile devices brings new security challenges, due to their mobile and ad hoc nature. Wireless communications are inherently dependent on geographic proximity: mobile devices detect each other's presence by periodically broadcasting beacon messages. These messages include pseudonyms such as public keys in order to identify communicating parties, route communications and secure communications. Much to the detriment of privacy, external parties can monitor pseudonyms in broadcasted messages in order to track the locations of mobile devices, thus jeopardizing location privacy.
There are multiple solutions to anonymously authenticate mobile devices. One of the most popular solutions is the multiple pseudonym approach [7] suggested in the context of Internet communications: it assigns a set of asymmetric key pairs to every node that are used alternatively.
A change to pseudonym by an isolated device in a wireless network can be trivially identified by an external party observing transmitted messages. Hence, a change of pseudonym should be spatially and temporally coordinated among mobile devices [4], i.e., a collective effort by neighboring devices. One solution [6] consists in changing pseudonyms periodically, at a pre-determined frequency. This works if at least two mobile nodes change their pseudonyms in proximity, a rarely met condition . Base stations can be used as coordinators to synchronize pseudonym changes [20], but this solution requires help from the infrastructure. The approach in [14] enables mobile nodes to change their pseudonyms at specific time instances (e.g., before associating with wireless base stations). However, this solution achieves location privacy only with respect to the infrastructure. Another approach [4], [11], [12] coordinates pseudonym changes by forcing mobile nodes to change their pseudonyms within pre-determined regions called mix zones. This approach however lacks flexibility and is prone to attacks because a central authority fixes mix zone locations and must shared them with mobile nodes.
Several researchers advocate the use of a distributed approach [19], [20], [22], where mobile nodes coordinate pseudonym changes to dynamically obtain mix zones. To do this, a mobile node simply broadcasts a pseudonym change request to its neighbors. This solution is particularly appealing in mobile ad hoc networks because it does not require infrastructure.
But pseudonym changes are costly, which can cause distributed approaches to fail. First, a pseudonym change causes considerable overhead, reducing networking performance, e.g., routing algorithms must update their routing tables [26]. Second, given the cost of pseudonym generation and management, pseudonyms can become a scarce resource if changed frequently. Third, mix zones impose limits on the services available to mobile users: in order to protect against spatial correlation of location traces, nodes in the mix zone are usually not allowed to communicate [19]. Finally, even if the distributed solution synchronizes pseudonym changes, it does not align incentives between mobile nodes: because the achieved location privacy depends on both the node density and the unpredictability of node movements in mix zones [4], a selfish mobile node might decide to not change its pseudonym in settings offering low location privacy guarantees.
In this paper, we investigate strategic aspects of location privacy in mobile networks. In contrast with existing approaches, we consider rational mobile nodes that locally decide whether to change their pseudonyms. Although selfish behavior can reduce the cost of location privacy, it can also jeopardize the welfare achieved with a location privacy scheme. We investigate whether the multiple pseudonym approach achieves location privacy in non-cooperative scenarios. We propose a user-centric location privacy model that captures the evolution of the location privacy level of mobile nodes over time and helps them determine when to change pseudonyms. We then define a game-theoretic model -the pseudonym change game -that models the decisions of mobile nodes in a mix zone.
We first analyze the static game with complete information (i.e., every node knows the user-centric location privacy level of other nodes) and obtain both pure and mixed Nash equilibria [23]. We show that nodes should either cooperate when there is a sufficient number of neighbors with low privacy, or defect. Then, because mobile nodes do not have good knowledge about payoffs of other nodes, we study, using a Bayesian approach [15], the incomplete information scenario. We evaluate the strategic behavior of mobile nodes and derive Bayesian Nash equilibria for a class of threshold strategies, where nodes decide whether to change their pseudonyms based on a comparison of their privacy level to a threshold value. We find a symmetric equilibrium where all nodes cooperate with the same probability. We then analyze a dynamic version of the game and show that it copes better with uncertainty. Finally, we design PseudoGame protocols that implement pseudonym change strategies, and evaluate them.

II. SYSTEM AND THREAT MODEL
We focus on peer-to-peer communications between nodes and do not consider communications with the infrastructure, such as cellular networks or WLAN. a) System Model: We study a network where mobile nodes are autonomous entities equipped with WiFi or Bluetooth-enabled devices and communicate with each other upon coming in range. In other words, we describe a pervasive communication system (a mobile ad hoc network) such as a vehicular network [16], a delay tolerant network [10], or a network of directly communicating hand-held devices [29].
As commonly assumed in such networks, we consider an offline Certification Authority (CA) run by an independent trusted third party that pre-establishes the credentials for devices. In line with the multiple pseudonym approach, we assume that prior to entering the network, every mobile node i registers with the CA that preloads a set of M public/private key pairs {P ub k i , P rv k i } M k=1 to provide verification and signature functionalities, respectively. A public key P ub k i serves as the identifier of node i and is referred to as its pseudonym. The private key P rv k i enables node i to digitally sign messages, and the digital certificate validates the signature authenticity.
We assume that mobile devices automatically exchange information (unbeknownst to their users, such as beacon messages in VANETs) as soon as they are in communication range of each other. Although our evaluation is independent from the communication protocol, we make common assumptions of pervasive communication systems: mobile nodes advertise their presence by periodically broadcasting proximity beacons (e.g., every 100ms over a range of 300m in vehicular networks) containing the node's authenticating information (as well as position and speed in vehicular networks). Due to the broadcast nature of wireless communications, beacons enable mobile nodes to discover their neighbors. When a node i receives a beacon, it verifies the legitimacy of the sender by checking the certificate of the public key of the sender. After this, i verifies the signature of the beacon message. Subsequently, if confidentiality is required, a security association is established (e.g., with Diffie-Hellman).
b) Threat Model: We assume that an adversary A aims to track the location of mobile nodes. We consider that A can have the same credentials as mobile nodes and is equipped to eavesdrop communications. In the worst case, a global adversary A obtains complete coverage and tracks nodes throughout the entire network, by placing eavesdropping devices in the network.
A collects identifying information (i.e., pseudonyms) from the network and obtains location traces that allow him to track the location of mobile nodes. Hence, the problem we tackle in this paper consists in protecting the location privacy of mobile nodes, that is, in preventing other parties from learning a node's past and current location [4]. Finally, we assume that the key-pair generation and distribution process cannot be altered or controlled by the adversary.

III. USER-CENTRIC LOCATION PRIVACY
We evaluate the location privacy provided by multiple pseudonyms and propose a user-centric model of location privacy to capture achievable location privacy over time.

A. Location Privacy
There are several techniques to mitigate the tracking of mobile nodes. We consider the use of multiple pseudonyms: over time, mobile nodes change the pseudonym to sign messages, thus reducing their long term linkability. To avoid spatial correlation of their location, mobile nodes in proximity coordinate pseudonym changes in regions called mix zones. In order to thwart Sybil attacks, we assume that as soon as a node changes pseudonyms, the old pseudonym expires and is removed from the node's memory. In other words, two nodes cannot use the same pseudonyms at the same time.
Mix zones can also conceal the trajectory of mobile nodes to protect against the spatial correlation of location traces, e.g., by using (i) silent/encrypted mix zones [11], [19], [22], (ii) a mobile proxy [25], or (iii) regions where the adversary has no coverage [6]. Without loss of generality, we assume silent mix zones: mobile nodes turn off their transceivers and stop sending messages for a certain period of time. If at least two nodes change pseudonyms in a silent mix zone, a mixing of their whereabouts occurs and the mix zone becomes a confusion point for the adversary.
Consider a mobile network composed of N mobile nodes. At time t, one node among a group of n(t) mobile nodes in proximity can initiate the pseudonym change using the oneround Swing protocol [22]: it broadcasts an initiation message to start the pseudonym change. The n(t) − 1 mobile nodes in proximity receive the message and enter a silent period during which they decide whether to change their pseudonyms or not.
The adversary A observes the set of n(T ) nodes changing pseudonyms, where T is the time at which the pseudonym change occurs. A compares the set B of pseudonyms before the change with the set D of pseudonyms after the change and, based on the mobility of the nodes, predicts the most probable matching [4], [22]. Let p d|b = P r("Pseudonym d ∈ D corresponds to b ∈ B"), that is the probability that a new pseudonym d ∈ D corresponds to an old pseudonym b ∈ B. As is standard in the literature [27], the location privacy level of node i involved in a successful pseudonym change at time T is computed as the adversary's uncertainty: The achievable location privacy depends on both the number of nodes n(T ) and the unpredictability p d|b of their whereabouts in the mix zone. If a node i is the only one to change its pseudonym, then its identity is known to the adversary and its location privacy level is defined to be A i (T ) = 0. The entropy is maximum for a uniform probability distribution p d|b , which would provide node i with a location privacy level of log 2 (n(T )). We denote T i the time of the last successful pseudonym change of node i, i.e. when at least one other node changed its pseudonym. The adversary could be physically present in mix zones to visually observe mobile nodes and/or prevent mix zone creation. We rule out this threat because of its high cost. The adversary could also strategically place sniffing devices. Previous work investigated this [21] and showed how mobile nodes could strategically retaliate. Finally, the adversary could physically follow mobile nodes across the network. Mix zones (as any other privacy-preserving mechanism) are useless against such a threat and we consider it out of scope.

B. User-Centric Model
The entropy measures the location privacy achieved in specific mix zones at some point in time. However, location privacy needs of individuals vary depending on time and location. It is thus desirable to protect location privacy in a user-centric manner, such that each user can decide when and where to protect its location privacy. We consider a usercentric model of location privacy, where each mobile node locally monitors its location privacy over time [17], [18], [22].
A network-wide metric could evaluate the average entropy in the network but might ignore that some nodes have a low location privacy level and are traceable for long distances. As a user-centric approach captures the evolution of location privacy of users over time, mobile nodes can evaluate the distance over which they are potentially tracked by an adversary (i.e., the distance-to-confusion [17]) and can act upon it by deciding whether and when to change its pseudonym.
With a user-centric model, mobile nodes can request a pseudonym change from other nodes in proximity if their local location privacy level is lower than a desired level. Nodes in proximity will then choose to cooperate when their location privacy level is low as well. The drawback of the user-centric model is that nodes may have misaligned incentives (i.e., different privacy levels) and this can lead to failed attempts to achieve location privacy.
The user-centric location privacy level of each mobile node i is modeled via a location privacy loss function β i (t, T i ) : (R + , R + ) → R + where t is the current time and T i ≤ t is the time of the last successful pseudonym change of mobile i. The maximum value of β i (t, T i ) equals the level of location privacy achieved at the last pseudonym change. The privacy loss is initially zero and increases with time according to a sensitivity parameter, 0 < λ i < 1, which models the belief of node i about the tracking power of the adversary. The higher the value of λ i , the faster the rate of privacy loss increase. For simplicity, we consider that λ i = λ, ∀i. For a given T i : +T i is the time when the function reaches the maximal privacy loss (i.e., the user-centric location privacy is null). Given this location privacy loss function, the usercentric location privacy of node i at time t is: Time T f i is the time at which node i's location privacy will be zero unless it is successful in changing its pseudonym at a new confusion point. Based on the time of the last successful pseudonym change T i , mobile nodes rationally estimate when next to change pseudonyms. 1 Note that, in practice, nodes cannot compute A i (T i ) precisely. Hence, we consider that nodes use an approximation such as the upperbound log 2 (n).
In our model, a node's location privacy does not accumulate over time. Rather, it depends only on the number of nodes that cooperate in the last successful pseudonym change. With this modeling assumption, mobile nodes are given the ability to control the length of path that is revealed to an adversary before the next pseudonym change. If a mix zone is a strong confusion point (i.e., A i (T i ) is large), then a node can choose to reveal a longer distance before changing pseudonym again. If a mix zone is a weak confusion point, a node can attempt another pseudonym change as soon as possible.

C. Pseudonym Cost
Pseudonyms are costly to manage and to acquire because they are a scarce resource and may require contacting a central authority for refill. Similarly, routing [26] becomes difficult as it requires frequent updates of routing tables. In addition, while traversing silent mix zones, mobile nodes cannot communicate and thus momentarily lose access to services. We take into account the various costs involved in changing pseudonym in parameter γ expressed as: γ = γ acq + γ rte + γ sil , where γ acq is the cost of acquiring new pseudonyms, γ rte is the cost of updating routing tables, and γ sil is the cost of remaining silent. The cost can be seen as the minimum privacy gain that compensates for the effort of a pseudonym change. Hence, we express the cost in privacy units (bits), causing a decrease in the achieved privacy.

IV. PSEUDONYM CHANGE GAMES
We present the game-theoretic aspects of achieving location privacy with multiple pseudonyms in a rational environment. We refer to the game-theoretic model as the pseudonym change game G. The key aspect of the game-theoretic analysis is to consider costs and the potential location privacy gain when making a pseudonym change decision.
Considering the cost of pseudonym and the available location privacy gain (upperbounded by the density of nodes and their locations unpredictability), the user-centric location privacy level might encourage selfish mobile nodes to change pseudonym and obtain a satisfactory location privacy level, as long as other nodes are also changing.
Nodes may also delay their decision in order to try to find the better conditions that maximize the effectiveness of pseudonym changes. Therefore, we investigate whether location privacy can emerge in a non-cooperative system despite the cost of changing pseudonym, differentiated privacy levels, and the need for coordination to achieve a confusion point.
Game theory allows for modeling situations of conflict and for predicting the behavior of participants. In our pseudonym change game G, nodes must decide upon meeting in the network whether to change pseudonym or not. We model the pseudonym change game both as a static and dynamic game depending on the constraints on the pseudonym change protocol. The static version of the game captures protocols in which nodes are unable to sense their wider environment when deciding whether or not to change its pseudonym, e.g., during the silent period, nodes cannot observe each other messages. At the end of the silent period, it appears that all pseudonym changes occur simultaneously. Mobile nodes must thus decide to change pseudonyms without knowing the decision of other nodes in proximity. The dynamic version of the game models protocols in which nodes do not start/stop transmitting at the same time, and may thus observe each others messages before making their decision.
The game G is defined as a triplet (P, S, U), where P is the set of players, S is the set of strategies and U is the set of payoff functions. At any time t, several games are played in parallel (but nodes participate in a single game at a time).

1) Players: The set of players
corresponds to the set of mobile nodes in transmission range of each other at time t. For a valid game we require n(t) > 1. We assume that each node knows the number of other nodes in the mix zone. To achieve a consensus on this number, each node can adopt a neighbor discovery protocol [28].
2) Strategy: Each player has two moves s i : Cooperate (C) or Defect (D). By cooperating, a mobile node changes its pseudonym. The set of strategies of node i is thus S i = {C, D} and the set of strategies in the game is on the level of location privacy of node i at time t, whereas the cost c i (t) depends on the privacy loss function and the cost of changing pseudonym at time t. If at least two nodes change pseudonyms, then each participating node improves its location privacy for the cost of a pseudonym change γ. If a node is alone in changing its pseudonym, then it still pays the cost γ and, in addition, its location privacy continues to decrease according to the location privacy loss function. If a node defects, its location privacy continues to decrease according to its location privacy loss function. Formally: which is the time immediately prior to t. s −i is the strategy of the other players, and n C (s −i ) is the number of cooperating nodes besides i, and α i (t, T i ) is the number of pseudonyms wasted by node i since its last successful pseudonym change T i . (Note that in contrast with the equality sign =, the sign := refers to the assignment of a new value to a variable.) Fig. 1 (a) shows seven users moving in a network and meeting in four mix zones. Fig. 1 (b) illustrates the evolution of user centric location privacy of node 1. The payoff of node 1 increases twice after a successful pseudonym change (in mix zones E 1 and E 3 ) and then decreases after a failed pseudonym change (in mix zone E 4 ) because of the penalty γ. Because we analyze only a single strategic interaction between players, we simplify notation and write in the following n = n(t),

4) Type:
In this paper we also deal with incomplete information games. For example, upon meeting other players, the strategy of a player depends on its knowledge of its opponent payoff function. As both the time of the last pseudonym change and the corresponding location privacy gain are unknown to other players, each player has incomplete information about its opponents payoffs. To solve the problem, Harsanyi [13] suggests the introduction of a new player named Nature that turns an incomplete information game into an imperfect information game. To do so, Nature assigns a type θ i to every player i according to a probability density function f (θ i ) known to all players, where θ i belongs to space of types Θ. The type of the players captures the private information of the player, θ i = u − i , where u − i is the payoff to player i at time t − just prior to the current opportunity to change pseudonym. Because γ is common and known to all nodes, this completely defines the payoff of the node.
The payoff of node 1 then decreases according to β 1 with slope λ. At t 2 (event E 2 ), node 1 defects. At t 3 (event E 3 ), node 1 cooperates with nodes 6 and 7. Consequently, the 3 nodes update their payoff and the time of the last successful pseudonym change. At t 4 , (event E 4 ) node 1 cooperates but node 8 does not. Hence, the payoff of node 1 decreases by γ. Finally, at T f 1 = t 5 , the payoff of node 1 reaches 0 (event E 5 ).

5) Equilibrium Concepts:
We introduce the game-theoretic concepts that model the strategic behavior of mobile nodes. In a complete information game, a pure-strategy for player i is defines the set of strategies of the players. Let us write br i (s −i ), the best response of player i to the opponent's strategy s −i .
Definition 1: The best response br i (s −i ) of player i to the profile of strategies s −i is a strategy s i such that: If two strategies are mutual best responses to each other, then no player has the motivation to deviate from the given strategy profile. This leads us to the concept of Nash Equilibrium [23]. Definition 2: A strategy profile s * is a Nash equilibrium (NE) if, for each player i: In other words, in a NE, none of the players can unilaterally change his strategy to increase his payoff. A player can also play each of his pure strategies with some probability using mixed strategies. A mixed strategy x i of player i is a probability distribution defined over the pure strategies s i . In an incomplete information game, a pure-strategy for player i is a function s i : is the set of strategies of the players. In incomplete information games, the NE concept does not apply as such because players are unaware of the payoff of their opponents. Instead, we adopt the concept of Bayesian Nash equilibrium [13], [15]. Consider that Nature assigns a type to every player according to a common probability distribution f (θ i ). Because the type of a player determines its payoff, every player computes its best move based on its belief about the type (and thus the strategy) of its opponents.
Definition 3: A strategy profile s * = {s * i } n i=1 is a purestrategy Bayesian Nash equilibrium (BNE) if, for each player i: V. ANALYSIS OF THE GAME We study several types of pseudonym change games with complete and incomplete information, and two type of strategies static or dynamic.

A. Static Game with Complete Information
We call the complete information game C-game (C stands for complete information). We assume that there exists only one time step, i.e., players have only one move as a strategy. In game-theoretic terms, this is called a single-stage or static game. This is a realistic assumption because in mix zones, nodes are unable to sense their environment. Hence, each player with common knowledge about the type of all players chooses a strategy simultaneously. For simplicity, we assume that upon a pseudonym change, every node achieves the same privacy and thus we consider the upperbound A i = log 2 (k), where k ≤ n is the number of cooperating nodes. Using the upperbound is qualitatively similar to using other privacy metrics as all are sublinear in the anonymity set size.
1) 2-player C-game: The strategic representation of the two player C-game is shown in Table I. Two players P 1 and P 2 , meeting in a mix zone at time t, take part in a pseudonym change game. Each mobile node decides independently whether to change its pseudonym without knowing the decision of its opponent. The game is played once and the two players make their moves simultaneously. Values in cells represent the payoff of each player.
We assume that u − i > γ for both players, so that u − i −γ > 0. Since u − i is itself bounded from above by log 2 (2) − γ = 1 − γ in a 2-player game, we require γ < 1/2 to bound the cost.
Each player knows u − −i , i.e. the payoff of the other player immediately before the game, which is sufficient to define its payoff for different strategy profiles because the cost γ is common knowledge. Theorem 1 identifies the potential equilibrium strategies for the players.
Theorem 1: The 2-player pseudonym change C-game has two pure-strategy Nash equilibria (C, C) and (D, D) and one mixed-strategy Nash equilibrium ( is the probability of cooperation of P i .
Proof: We first prove the existence of the pure-strategy For the mixed strategy NE, let x i denote the probability of cooperation of u i . The average payoff of player 1 is: The payoff is maximized for: We observe that the pseudonym change game is a coordination game [9], because Coordination games model situations in which all parties can realize mutual gains, but only by making consistent decisions. Coordination games have three NE, as obtained with Theorem 1. (C, C) is the Pareto-optimal strategy and thus the preferred equilibrium.
The complete information pseudonym change game is asymmetric because the payoff of each player depends on its private type. For example, the mixing probability is different for each node (i.e., x 1 = x 2 ).
2) n-player C-game: We extend the 2-player C-game by considering a set of n ≤ N players meeting in a mix zone at time t. Each player has complete information and knows the payoff function u − i of its n − 1 opponents. Let C k and D n−k denote the sets of k cooperating players and n − k defecting players, respectively. Lemma 1 identifies the existence of an All Defection NE.
Lemma 1: The All Defection strategy profile is a purestrategy Nash equilibrium for the n-player pseudonym change C-game.
Proof: All Defection is a NE, because if any player P i unilaterally deviates from D and cooperates, then its payoff is equal to u − i − γ, which is always smaller than its payoff of defection u − i . Lemma 2 identifies a condition for the existence of NE with cooperation.
Lemma 2: There is at least one cooperative pure-strategy Nash equilibrium (i.e., at least two players cooperate) for the n-player pseudonym change C-game if there exists a set of unilaterally deviates from cooperation to defect, then its payoff u i = u − i is smaller than be the set of all nodes except those in C k * . As C k * is the largest group of nodes where log 2 (|C k * |) − γ > u − i , no mobile node in D n−k * can increase its payoff by joining the set of nodes in C k * . Hence, none of the nodes can unilaterally change its strategy to increase its payoff and s * is a NE when |C k * | > 1.
Lemma 3: There are at most n 2 cooperative pure-strategy Nash equilibria for the n-player pseudonym change C-game.
Proof: Assume that the minimal set of cooperating nodes This is the purestrategy NE with the lowest number of cooperative players. We show by contradiction that if another set of cooperating nodes C k * 2 exists, then it must be a superset of C k * 1 .
for j = 1, 2 and users will merge into the larger group C k * and create a new cooperative equilibrium. Thus if C k * 2 exists, it must be a superset of C k * 1 .

Another set of cooperating players
Indeed, with such condition, none of the players in C k * 2 \ C k * 1 can deviate from cooperation to unilaterally improve its strategy. Thus, a superset of C k * 1 can make another NE. Finally, we observe that |C k * 2 | − |C k * 1 | ≥ 2 meaning that at least two players must change their strategy to obtain a new NE. Otherwise, one player could unilaterally deviate to improve its strategy. Hence, the maximum number of cooperative NE will depend on the number of pairs of players that can exist, i.e., n 2 . Considering Lemma 1, 2 and 3, and as there are no NE in which only one player cooperates, we immediately have the following theorem.
Theorem 2: The n-player pseudonym change C-game has at least one and at most n 2 + 1 pure-strategy Nash equilibria. To illustrate the above results, we consider the set of all possible strategy profiles in a 3-player C-game. Assume that N = 10, the payoff of each P i before playing the game is in the interval [0, log 2 (10) − γ], depending on the number of nodes that have cooperated with P i in the past (at T i ) as well as the number of failed attempts and the rate of privacy loss. The set of all strategy profiles of this 3-player C-game is: are not NE, because |C k * | must be strictly larger than 1 to satisfy log 2 (|C k * |)−γ > u − i . Among the remaining strategy profiles, there might be 3/2 = 1 cooperative NE as defined by Lemma 3. The existence of this equilibrium depends on the payoff of each player. Assume that P 3 cooperated with 6 nodes at T 3 and its payoff is log 2 (7) − γ − β 3 − γα 3 that is bigger than log 2 (2) − γ before playing the game. Consider that the payoff of P 1 and P 2 is less than log 2 (2) − γ before playing the game. Then, the only cooperative NE strategy profile is (C, C, D), corresponding to |C k * | = 2.

B. Static Game with Incomplete Information
We call games of incomplete information I-games (I stands for incomplete information): players do not know the payoff type of their opponents. The incomplete information assumption better models the knowledge of mobile nodes.
1) Threshold Equilibrium: In an I-game, players decide their move based on their belief about their opponent's type.
Recall that a player's type is defined as θ i = A i −β i −γα i −γ; this defines the payoff immediately before the game. We establish an equilibrium in which each player adopts a strategy based on a threshold: if the type of a player is above a thresholdθ i , it defects, otherwise it cooperates. Hence, the space of types is divided into two regions. A player that has 0 ≤ θ i ≤θ i always cooperates, whereas a player with θ i < θ i ≤ log 2 (n) − γ always defects. With this threshold equilibrium, we define the probability of cooperation as: and 1 − F (θ i ) is the probability of defection. The equilibrium strategy at BNE of player i, denoted by s * = (θ * 1 ; ...;θ * n ), depends only on the thresholds. In the next section, we obtain the threshold equilibrium for the 2-player I-game.
2) 2-player I-Game: Each player predicts the type of its opponent based on the probability distribution f (θ i ). To determine the threshold values that define a BNE, fix a threshold strategy s 2 associated with thresholdθ 2 for player 2, and define the average payoff to player 1 for C and D, given type θ 1 , as: and similarly for player 2. For a threshold equilibrium, when a player's type is its threshold type, it must be indifferent between C and D. This is by continuity of payoffs. So, we can consider the effect of requiring that E[u i (C, s −i )|θ i ] = E[u i (D, s −i )|θ i ] for each player i ∈ {1, 2}, directly imposing this condition on the threshold types. This yields a system of two non-linear equations on the two variablesθ 1 andθ 2 . The following lemma establishes that solving for thresholds with this property defines a BNE for the 2-player I-game.

Lemma 4:
The threshold strategy profile s * = (θ * 1 ,θ * 2 ) is a pure-strategy Bayesian Nash equilibrium of the 2-player, incomplete information pseudonym change I-game if: Proof: Fix player 2's strategy to thresholdθ * 2 and consider player 1 with type θ 1 <θ * where the first inequality follows because F (θ * 2 ) ≥ 0. Therefore, the drop in payoff from D relative to with typeθ * 1 is at least that from C and a best-response for the player is to play C. Now consider player 1 with type θ 1 >θ * 1 . By a similar argument, we have , and the increase in payoff for D is greater than the increase in utility for C and the player's best response is to play D.
Theorem 3 guarantees the existence and symmetry of the 2-player I-game BNE. As before, we continue to require γ < 1/2 to make the 2 player game interesting (so that a player retains non-zero privacy value for more than one period after a successful pseudonym change.) For stating the result we assume continuous type distributions, so that probability Theorem 3: The 2-player pseudonym change I-game has All Cooperate and All Defect pure-strategy Bayesian-Nash equilibrium, and every threshold equilibrium s * = (θ * 1 ,θ * 2 ) is symmetric for continuous type distributions.
With numerical evaluations, we find an intermediate, symmetric threshold equilibrium in almost all cases, where players don't simply always cooperate or always defect. 2 To illustrate results of the theorem, we consider the following example. Consider that the distribution on types is uniform, with θ i ∼ U (0, 1 − γ), and cumulative probability function F (θ i ) = θ i /(1 − γ). Looking for an equilibrium with a threshold,θ * i ≥ γ, so that the max(0, ·) term in defining the payoff of the cooperation action can be dropped, we can simplify Eq. (16) and obtain the system of equations: Imposing symmetry and solving, we obtain (θ * i ) 2 −θ * i + γ(1 − γ) = 0 for i ∈ {1, 2}, which leads to the solutions: Recall that we assume γ < 1/2, so that γ < 1 − γ. The solutionθ * i = 1 − γ corresponds to an All Cooperation BNE because θ i ≤ 1 − γ in a two player game. Looking at the intermediate equilibrium whenθ * i = γ, we see that while E[u 1 (D, s * 2 )|θ 1 ) = θ 1 , and can confirm that C is the best response for θ 1 <θ * 1 and D is the best response for θ 1 >θ * 1 . By further analysis of Eq. (16) for the case ofθ * i < γ, there are a multiplicity of symmetric threshold equilibrium in this problem, for anyθ * 1 =θ * 2 < γ, including (s * 1 , s * 2 ) = (0, 0) which is the All Defection BNE. These results are in line with Theorem 3.
We numerically solve Eq. (16) to find symmetric threshold equilibrium for three different probability distributions (using fsolve() in Matlab). We consider the beta distribution B (a, b), a family of continuous probability distributions defined on the interval [0, 1] and parameterized by two positive shape parameters a and b. We consider this distribution for illustration purposes as in practice F (θ) would be obtained from real measurements. The beta distribution is easily configurable and thus allows for testing different scenarios corresponding to various network conditions. If θ ∼ B(2, 5), nodes have a small θ with a high probability, whereas with θ ∼ B(5, 2), nodes have a large θ with a high probability. If θ ∼ B(2, 2), θ is symmetric and centralized around 0.5. Fig. 2 shows the BNEθ * i and the related probability of cooperation F (θ * i ) as a function of the cost γ. For each distribution of type, we is an intermediate equilibrium, andθ * i,3 is an All Cooperation equilibrium. With the BNEθ * i,1 andθ * i,3 , nodes always play the same strategy. Withθ * i,2 , we observe that as γ increases, the probability of cooperation F (θ * i,2 ) increases as well, indicating that players should cooperate more when the cost of changing pseudonyms increases. In other words, with a high γ, users care more about the coordination success with others. If γ is small, the cooperation success becomes less important and nodes become selfish.
The probability of cooperation also depends on the type of Beta distribution. With a lower type distributions B(2, 5), the probability of cooperation at equilibrium is smaller than other distribution types. In other words, selfish nodes cooperate less because whenever they must change pseudonym, they know that the majority of their neighbors also needs to change pseudonym. On the contrary, for B(5, 2), selfish nodes cooperate more to maintain high privacy.
3) n-player I-Game: Assume n ≤ N players meet at time t and take part in a pseudonym change I-game. Let P r(K = k) be the probability that k nodes cooperate. We can again obtain the thresholds that define a BNE in the n-player game by comparing the average payoff of cooperation with that of defection, now defined as: By a similar argument to that for the 2-player I-game (Lemma 4), a BNE s * = (θ * 1 ; · · · ;θ * n ) can be obtained as the solution to the following system of n non-linear equations for the n variablesθ i : We denote the probability of cooperation q i = F (θ i ). Assume that the thresholdsθ * i are all equal: We obtain q i = q and thus have a symmetric equilibrium. Consequently, the probability that k nodes cooperate is P r(K = k) = n k q k (1− q) n−k . For example, consider the limit values of q: • If q → 0, thenθ * i = 0, P r(K > 0) = 0 and P r(K = 0) = 1. Thus, the All Defection equilibrium exists. • If q → 1, thenθ * i = 1, P r(K < n−1) = 0 and P r(K = n−1) = 1. Thus, the All Cooperation equilibrium occurs when log 2 (n) − γ > u − i for all nodes i.
For intermediate values of q, we numerically derive the thresholdsθ * i by solving Eq. (27) with Matlab (Fig. 3). For γ = 0.3, we observe that with a higher density of nodes n,θ * i,2 decreases, which means that players cooperate with a lower probability. Similarly,θ * i,3 disappears for large values of n, which means that Always Cooperation is not a BNE anymore. Yet in the case of β(5, 2), the All Cooperation equilibrium θ * i,4 persists. The reason is that with such a distribution of types, selfish nodes need to cooperate more. For a larger value γ = 0.7, we observe a similar behavior. Note that with β(5, 2) an additional threshold equilibrium, denoted byθ * i,3 , appears in which nodes cooperate more when n increases. Moreover, the All Cooperation equilibrium survives longer when γ increases.
We observe that the game admits several equilibriaθ * i,− , and thus different players may choose to play different equilibria. Some equilibria can be ruled out: All Defect does not provide privacy and All Cooperate incurs large cost. Intermediate equilibria can exist. If only one intermediate equilibrium exists, then NE selection is trivial. If multiple intermediate equilibria exist (θ * i,2 andθ * i,3 with β(5, 2) and γ = 0.7), then players pick the equilibrium with best outcome. As the game is symmetric, the same intermediate equilibrium is best for all. Extensive form of the Pseudonym Change Game. The game is represented by a tree and node 1 plays the first action. The game has three stages corresponding to the moves of the three players. The actions (cooperate C and defect D) are represented on each branch of the tree. The leaves of the tree represent the payoff of the game for all players.

C. Dynamic Game with Complete Information
Until now, we assumed that the players make their moves simultaneously in mix zones without knowing what the other players do. This is a reasonable assumption because in mix zones, nodes are unable to sense their environment. Yet, nodes could exchange messages in mix zones to advertise their decision. In this case, players have several moves as a strategy and can have sequential interactions: the move of one player can be conditioned by the move of other players (i.e., the second player knows the move of the first player before making his decision). These games are called dynamic games, and we refer to dynamic pseudonym change games with complete information as dynamic C-games. We can represent dynamic games by their extensive form (Fig. 4), similar to a tree where branches represent the strategies for a given player. Each level of the tree represents a stage of the game.
For such dynamic scenarios to exist, nodes must be able to observe the action of other nodes. There are several ways to achieve this. A simple solution is that players broadcast their decision to cooperate in a sequential manner [22]. Nonetheless, this increases the communication overhead. Another solution is that players observe the messages of other nodes exiting a mix zone. For example, if a node decides to defect, then it continues broadcasting messages that can be observed by other nodes in the mix zone. In other words, nodes participating in a mix zone can use defection as a signal to avoid the cost of being silent. Any of these solutions can be used, but we consider the latter because it requires less network resources.
1) Backward Induction: In dynamic game, we use the concept of subgame-perfect equilibrium. The strategy profile s is a subgame-perfect equilibrium of a finite extensive-form game G if it is a Nash equilibrium of any subgame G of the original game G [13]. We will check for the existence of subgame-perfect equilibria by backward induction [13]. Backward induction works by eliminating sub-optimal actions, beginning at the leaves of the extensive-form tree. The obtained path (sequence of actions) in the game tree defines the backward induction solution and any strategy profile that realizes this solution is a subgame-perfect equilibrium. Note that the above game belongs to a class of finite game, because it should be played in a short amount of time.
2) n-player Dynamic C-Game: For any order of players, the subgame-perfect Nash equilibrium can be derived by all nodes with the following theorem.
Theorem 4: Let C k * be a maximal set of cooperating nodes s.t. ∀P i ∈ C k * , log 2 (|C k * |) − γ > u − i . If there exist such a C k * , then in the n-player dynamic pseudonym change Cgame, there is a strategy that results in a single subgameperfect equilibrium: If there does not exist such a C k * , then the subgame perfect equilibrium is all defection.
Proof: Similar to the proof of Lemma 2, no player P i ∈ C k * has an incentive to unilaterally deviate from cooperation to defection as its payoff u − i would be smaller than log 2 (|C k * |) − γ. The same is true for players that defect, i.e., that are not in C k * . Hence, none of the nodes can unilaterally change its strategy to increase its payoff and s * is an subgame-perfect equilibrium when |C k * | > 1. If C k * is empty, then the subgame-perfect equilibrium corresponds to an All Defection. Because the actions of the players are dynamic, a single subgame-perfect equilibrium will be selected.
We observe that the All Defection equilibrium does not always exist as there is only one subgame-perfect equilibrium. An advantage of the dynamic game is that the All Defection equilibrium is often an incredible threat. Similarly, among possible cooperative equilibria, the equilibrium with the largest number of cooperating devices is selected. In other words, coordination is simpler in dynamic games than in static games.

D. Dynamic Game with Incomplete Information
We call dynamic games of incomplete information dynamic I-games. The concept of subgame-perfect Nash equilibrium introduced in the previous section cannot be used to solve games of incomplete information. Even if players observe one another's actions, the problem is that players do not know the others' types and cannot predict each others' strategy.
Dynamic games of incomplete information can be solved using the concept of perfect Bayesian equilibrium (PBE). This solution concept results from the idea of combining subgame perfection, Bayesian equilibrium and Bayesian inference. Strategies are required to yield a Bayesian equilibrium in every subgame given the a posteriori beliefs of the players about each others' types. To do so, players update their beliefs about their opponents' types based on others' actions using Bayes' rule. The resulting game is called a dynamic Bayesian game where "dynamic" means that the game is sequential and "Bayesian" refers to the probabilistic nature of the game. For further details, we refer the interested reader to [13].
1) n-player Dynamic I-Game: Consider that a pseudonym change game starts at time t 0 . Every player can decide to cooperate or defect at each stage of the game. Hence, players can delay their decision and enter the game at any time t ≥ t 0 . The actions of players at time t is denoted a t = (a t 1 , ..., a t n ) and is cooperate C or defect D. The history of actions of the game is h t = (a 0 , ..., a t−1 ). The following theorem provides a strategy that leads to a perfect Bayesian equilibrium.
Theorem 5: In the n-player dynamic pseudonym change I-game, the following strategy results in a unique perfect Bayesian equilibrium: (29) where n r < n is the number of nodes remaining in the game (i.e., that did not defect) and n D (t) is the number of nodes that defect at time t.
Proof: The strategy of players depends on their belief about other players' types. We define µ i (θ j |h t ) as the belief of a player i about the type of another player j given a history of actions h t . In order to obtain a perfect Bayesian equilibrium, Bayes' rule is used to update beliefs from µ i (θ j |h t ) to µ i θ j |h t+1 . Formally, for all i, j, h t and a j , we have: where σ j is the probability that a user j plays a certain action a j . Assume that the number of remaining nodes in the game is n r (i.e., the number of nodes that did not defect) and that the initial belief function is: µ i (θ j ) = f (θ j ). If at time t 1 > t player j defects, it indicates that the type of player j is above the current thresholdθ = log 2 (n r ). Hence, the behavior strategy σ j (a t1 j |h t1 , θ j ) returns 0 if θ j ≤θ and 1 otherwise. The denominator computes the belief about all possible types of player j and thus normalizes µ i (θ j |h t1 ) according the current thresholdθ. Other players that observe the action of player j can thus update their belief about the type of player j and obtain: µ i (θ j >θ|h t1 , a t1 ) = 1, i.e., they know that player j had a type above the current threshold. If at some time t 2 > t 1 no nodes defect (n D (t 2 ) = 0), it indicates that with probability one all remaining players have types below the current threshold: µ i (θ j ≤θ|h t2 , a t2 ) = 1. Hence, all these players will cooperate andθ * = log 2 (n r ).
Compared to the static game, the threshold computation is simpler as it only depends on the number of nodes remaining in the game.
We numerically evaluate the perfect Bayesian equilibrium using Matlab (Fig. 5). We compute the average number of nodes that cooperate in dynamic games of incomplete information given distributions of type and cost.
We observe that when the cost of cooperation γ increases, the number of nodes that cooperate decreases. The reason is that, in dynamic games, nodes have more information to optimize their decision and will thus avoid cooperating unless there is a large number of nodes in a game. The distribution of types also affects the number of cooperating nodes. We observe that a large population of nodes with high privacy (e.g., β(5, 2)) cooperate less than nodes with low privacy (e.g., β(2, 5)): nodes cooperate only if the privacy gain is large. We also observe that a larger number of nodes in a game, increases the probability of cooperation. In summary, the dynamic version of the game copes well with uncertainty by relying on the action of defecting nodes to improve the estimation of the potential privacy gain.

VI. PROTOCOLS
We formally describe location privacy protocols, including PseudoGame protocols and evaluate them using simulations. Pseudonym change protocols can be usually modeled with two parts: 1) an initiation phase, in which nodes request pseudonym changes, and 2) a decision phase, in which nodes decide upon receiving a request whether to change pseudonyms or not. Pseudonym change games model the latter.

A. Initiation Protocols
The initiation phase aims at finding appropriate contexts to request pseudonym changes from nearby nodes. A context provides high location privacy if there is high node density and mobility unpredictability.
1) NaiveInitiation Protocol: A simple solution consists in issuing a pseudonym change request at every time step t when there is at least another node nearby. The sender can choose a silent period in the range [sp min , sp max ] that it attaches to the initiation message. We call this protocol the NaiveInitiation protocol (Protocol 1).

Protocol 1 NaiveInitiation.
1: if (At least one neighbor) and (not in silent period) then 2: Broadcast initiation message to change pseudonym.
2) GainInitiation Protocol: In the GainInitiation protocol (Protocol 2), any node can initiate a pseudonym change by broadcasting an update message if a node has at least one neighbor and if its current location privacy is lower than the potential privacy gain. The sender can choose a silent period in the range [sp min , sp max ] that it attaches to the initiation message. This is a protocol similar to that in [22].

Protocol 2 GainInitiation.
1: maxGain = log 2 (number of neighbors) 2: if (At least one neighbor) and (current location privacy < maxGain) and (not in silent period) then 3: Broadcast initiation message to change pseudonym.

B. Decision Protocols
Mobile nodes receiving the initiation message must decide whether to stop communicating for a silent period, as defined in the initiation message, and change pseudonyms. The decision phase aims at making the best pseudonym change decision to maximize the level of privacy at a minimum cost. Below we describe several decision protocols, including protocols proposed in previous work and protocols resulting from the aforementioned game-theoretic analysis.
1) Swing Protocol: In the Swing protocol (Protocol 3) [22], the decision of mobile nodes to cooperate (or not) exclusively depends on their user-centric level of location privacy compared to a fixed thresholdθ. The cost of changing pseudonyms and the probability of cooperation of the neighbors are not considered in the computation of the threshold. Hence, this is a reactive model: users change pseudonyms only if their usercentric level of location privacy goes below the threshold. n ⇐ estimate(n) //Number of neighbors 3: Calculateθ * i as solution of 2) Static PseudoGame Protocol: Our game-theoretic evaluation allows us to design PseudoGame protocols that extend the Swing protocol to consider equilibrium strategies in a noncooperative environment. The static PseudoGame protocol is based on our results for static n-player I-games.
All nodes receiving the initiation message use the Pseu-doGame protocol to decide whether to change pseudonyms based on the number of neighbors and the probability of their cooperation (related to the distribution of user types f (θ i )). As described in Protocol 4 for any node i, the PseudoGame protocol assists mobile nodes in selecting the smallest intermediary BNE strategy (Please see Fig.3). Hence, after receiving the initiation message, the nodes calculate the equilibrium thresholds using their location privacy level, the estimated number of neighbors, and their belief f (θ i ). The PseudoGame protocol extends the Swing protocol by computing the optimal threshold in a rational environment to determine when to change pseudonym.
3) Dynamic PseudoGame Protocol: The dynamic version of the PseudoGame protocol (Protocol 5) uses the action of other nodes as a signal to improve its decision making strategy.
After receiving the initiation message, each player estimates the number of players in the game. At each time step t, players check whether their current utility u − i is superior to the potential benefit log 2 (n) and if so, defect. Players then observe the number of remaining players (that did not defect). If in a round t no nodes defected, it means that all remaining nodes are interested in changing pseudonym and thus cooperate.

4) All Cooperation Protocol:
The AllCooperation protocol (Protocol 6) is a straightforward method in which players always cooperate when asked to change pseudonyms.

5) Random Decision Protocol:
The Random protocol (Protocol 7) is a straightforward method in which players decide randomly whether to cooperate or not. 6) Evaluation: To evaluate the ability of these protocols to mix pseudonyms, we simulate them in a mobile network. We consider the following setup: mobility traces are generated with Sumo [1] over a cropped map [2] of Manhattan of 9 km 2 and include a total of 900 nodes injected in the map with average speed of 6, 63 m/s and average distance of 12.5 km. Each simulation lasts 5000 seconds; nodes have on average 116 encounters and the average nodes in encounter is 2.93. Throw a coin 3: if Heads then 4: Change pseudonym and comply with silent period spmax 5: else 6: Keep pseudonym For the game model, we consider an initial distribution of user types β(2, 5), λ = 0.0005 and a cost of pseudonym change γ = 0.3. The results are averaged across 5 simulations.
A numerical analysis is required to derive the BNE in Protocol 4. In our experiments, we find the solution to the system of equations using the Brent-Dekker algorithm and systematically in a negligible time. Fig. 6 shows the total number of games initiated by each initiation protocol. We observe that the NaiveInitiation protocol generates a larger number of games than the GainInitiation protocol. A large number of games will induce networking costs because of all the initiation messages, but will also provide more opportunities to change pseudonyms. Yet, the quality of the contexts of the initiated games may be lower. Fig. 7 shows the average utility obtained with the different initiation and decision protocols. We observe that the initiation protocols do not affect the achievable utility of PseudoGame protocols, intuitively because PseudoGame protocols avoid inefficient pseudonym changes. In contrast, the NaiveInitiation protocol decreases the achievable utility of the AllCooperation, Swing and Random protocols because it increases the number of inefficient pseudonym changes.
In Fig. 7, we also observe the achievable privacy (utility) of different decision protocols. The dynamic PseudoGame achieves the highest utility among all protocols, showing that even with rational behavior high coordination is possible. In the case of the Swing protocol, with a large threshold, nodes participate in many inefficient mix zones, whereas with a small threshold, nodes have to wait long before changing pseudonyms again. In this regard,θ = 3 appears as an efficient static threshold. Finally, the static PseudoGame performs slightly worse than the Swing protocol, showing that rational behavior negatively affects the achievable privacy in this case. This can be notably observed in Fig. 8 that shows the average cost associated with the different protocols. The cost is in general larger with the NaiveInitiation protocol.
Comparing decision protocols, we observe that the dynamic PseudoGame protocol dramatically reduces the cost compared to other protocols. For the Swing protocol, the cost increases with the threshold. The dynamic PseudoGame protocol provides the best trade-off between privacy and cost: it efficiently deals with the uncertainty of incomplete information. In contrast, the static PseudoGame protocol performs poorly: rationality does not always reduce cost.

VII. CONCLUSION
We have considered the problem of rationality in location privacy schemes based on pseudonym changes. We introduced a user-centric model of location privacy to measure the evolution of location privacy over time and evaluated the strategic behavior of mobile nodes with a game-theoretic model, the pseudonym change game. We analyzed the n-player scenario with complete and incomplete information and derived the equilibrium strategies for each node for both static and dynamic games. The obtained equilibria allow us to predict the strategy of rational mobile nodes seeking to achieve location privacy in a non-cooperative environment. This analysis results in the design of new protocols, the PseudoGame protocols, that coordinate pseudonym changes.
An intriguing result is that when uncertainty about others' strategies is high (i.e., static games), rational nodes care more about the successful unfolding of the game if the cost of pseudonyms is also high. This result indicates that cost, usually a negative parameter, can positively affect the game by increasing the success of pseudonym change coordination. By means of simulations, we showed that dynamic games dramatically increase the coordination success of pseudonym changes. The dynamic PseudoGame protocol coordinates pseudonym changes better than other protocols and leads to an efficient trade-off between privacy and cost. In future work, novel game models may be considered to include other strategic aspects, such as the evolution of user strategies across several games. It would also be interesting to consider how obtaining the distribution f (θ) in a distributed and noisy fashion may affect results.