Sudarshan Vasudevan , Brian DeCleene , Neil Immerman , Jim Kurose , Don Towsley
Abstract for this problem; good surveys can be found in [1, 2]. Most
We consider the problem of secure leader election and pro- of the algorithms described in [1, 2] are extrema finding al-
pose two cheat-proof election algorithms : Secure Extrema gorithms that elect a node with the maximum identifier from
Finding Algorithm (SEFA) and Secure Preference-based among a set of candidate-nodes.
Leader Election Algorithm (SPLEA). Both algorithms as- Recently, there has been considerable interest in using
sume a synchronous distributed system in which the var- leader-election algorithms in wireless environments for key
ious rounds of election proceed in a lock-step fashion. distribution [4], routing coordination [10], sensor coordina-
SEFA assumes that all elector-nodes share a single com- tion [13], and general control [7, 6]. Here, user mobility
mon evaluation function that returns the same value at may result in frequent leader election, making the process
any elector-node when applied to a given candidate-node. a critical component of system operation. Security is also
When elector-nodes can have different preferences for a of particular concern in any wireless environment. Exist-
candidate-node, the scenario becomes more complicated. ing leader-election algorithms implicitly assume complete
Our Secure Preference-based Leader Election Algorithm trust among the nodes participating in the leader election
(SPLEA) deals with this case. Here, individual utility func- process, and consequently are vulnerable to a variety of at-
tions at each elector-node determine an elector-node’s pref- tacks. Secure group communications architectures in [4, 3]
erence for a given candidate-node. require a central key distributor to propagate key updates to
We relax the assumption of a synchronous distributed existing group members. In such applications, trust among
system in our Asynchronous Extrema Finding Algorithm nodes cannot be assumed while electing a new key distribu-
(AEFA) and also allow the topology to change during the tor. Also, most of the leader election algorithms for mobile
election process. In AEFA, nodes can start the process of ad hoc networks elect a “random” leader and hence are not
election at different times, but eventually after topological extrema-finding. In many scenarios, it might be preferable
changes stop long enough for the algorithm to terminate, to elect a leader that is “good” from some system related
all nodes agree on a unique leader. Our algorithm has been point of view, as against electing a “random” leader.
proven to be “weakly” self-stabilizing. We first consider the problem of secure leader election
Keywords : wireless ad hoc networks, secure leader in ad hoc networks and propose two algorithms, SEFA and
election, network protocols, formal specification and veri- SPLEA. These algorithms assume a synchronous network
fication, self-stabilization. and a lock-step execution of election rounds. We relax these
assumptions in our Asynchronous Extrema-Finding Algo-
rithm (AEFA). However, security issues in AEFA have not
yet been explored in detail.
1 Introduction SEFA and SPLEA use a round-based hierarchy-building
approach towards leader election:
Leader election algorithms find many applications in both
1
battery life, or certified level-of-trust within the system SEFA and SPLEA. The algorithm in [9] constructs a hierar-
are examples of values for which all nodes might well chy in a sensor network of low power devices by promoting
hold such a common view of a candidate node. nodes with higher energy up the hierarchy. A Landmark
hierarchy is constructed in a bottom-up fashion in [11] for
2
may have different preferences for a leader. For example, region) to the node’s identity. This certificate is ob-
if topological distance is taken as a metric for determining tained from a trusted Group Authority (GA), as de-
a node’s preference among candidate-nodes, each elector- scribed later. These latter certificates may change from
node might well have a different view of the “value” of each one election to the next, but remain constant (and valid)
candidate-node. In SPLEA, individual utility functions at during a given election.
each elector-node determine the elector-node’s preference 6. Reliability and Survivability: Participating nodes are
for a given candidate-node, and (loosely speaking) SPLEA reliable and do not fail during the election process.
serves to aggregate individual elector-node preferences into Furthermore, no messages are lost or delayed due to
a single, system-wide choice of a leader. buffering or other performance problems at the re-
ceiver.
7. Asymmetric links: The communication links in the ad
3.1 Objectives, Constraints, and Assump- hoc network may or may not be bi-directional.
tions
8. Network Topology: Although, nodes can be mobile
In developing our secure election algorithms for wireless before and after the election, it is assumed that the net-
networks, we must first define the security objectives and work topology remains static for the duration of elec-
related assumptions. Foremost, we assume that malicious tion.
nodes have the capacity to “snoop” on a conversation and
to corrupt messages. However, they cannot delete messages
from the network. That is, message loss can be detected.
The goal of the proposed algorithms is to efficiently elect 3.2 Secure Extrema Finding Algorithm
a leader without allowing a legitimate (but malicious) par- (SEFA)
ticipant to change or disrupt the election process. We make
the following assumptions about the nodes and the system SEFA is an extrema-finding algorithm in which all nodes use
architecture: a Common Election Algorithm (CEA) to determine their re-
spective votes. Specifically, we define the CEA as a map-
1. Unique and Ordered Node IDs: All nodes have ping, f, from decision factors, X , that are associated with
unique identifiers. These are used to construct certifi- node into the real numbers (f :
) such that the
cates and establish secure communications. They are larger the CEA value, the more “desirable” the node is as
also used to identify participants during the election a leader. Decision factors might include node identity, bat-
process. Also, node IDs are ordered and therefore use- tery life, or level-of-trust. It is important to note that since
ful in breaking ties during election. all elector-nodes use the same CEA, all elector-nodes will
compute the same CEA value for a given candidate node.
2. Clock Synchronization: The clocks of all nodes in As we will see, SEFA securely elects the node with the
the network are synchronized. This is used to prevent
maximum CEA value as the leader. We emphasise that the
replay attacks.
list of decision factors is defined based on the selected al-
3. Secure Node-to-Node Communications: Each node gorithm (or class of algorithms in the case of SPLEA) and
i has a (public-key,private-key) pair ( , ) that can the number/format of decision factors is chosen accordingly
be used to securely establish a communication link be- and agreed upon by all nodes prior to the start of election.
tween any two nodes. The public key is considered SEFA uses four message types : ELECTION, OK, PAR-
shared information and is available to all members of ENT and LEADER. The various fields in each message and
the domain. message security are discussed in detail in [21]. The vari-
ous actions and states taken by an elector node are shown
4. Reliable Node-to-Node Communications: The ad in the finite state machine in Figure 1. Each of the states is
hoc network is modeled as a discrete time system
where a node takes one time unit to deliver a packet described below:
reliably to its immediate neighbor.
3
Initialization State parent and sends an OK message to i. If w = i, then i
Winner True
k=0
does not have to choose a parent and therefore enters
the Adoption State. In the event of a tie, a tie-breaking
mechanism such as node with maximum identifier, is
used. The OK message originated by i contains a cer-
Election State Parent
k=k+1 Nomination State tificate that binds i’s identity with that of its parent.
send "ELECTION" Vi,k T_e timeout
W = TOP(Buff)
start timer T_e = A*k if (i <> W) send "OK" W
This certificate is signed using i’s private key. As be-
Rcv "ELECTION" from
other nodes in Buff Winner False
fore, a hash of the message is computed and signed
using i’s private key. Since i is no longer a candidate
T_p timeout in the election, it sets its variable Winner to false. Even
and
Winner = True
and
though i is no longer a candidate, i could have been
k<L
chosen as the parent of some other node. In order to
Parent/Decision State Adoption State
receive their OK messages, i enters the Adoption State.
T_o timeout start timer T_o = B* k
send "PARENT" to all nodes from
which "OK" received Rcv "OK" from children-to-be
start timer T_p = C*k Add children to set I_i of
Figure 1: Finite State Machine diagram of SEFA. de- Parent/Decision State: In this state, i sends a PARENT
notes the set of all nodes k hops away or less from node message to every node from which it received an OK
i message. It starts a timer for its PARENT message
to reach its children and also for receiving a PARENT
message from its parent. Following expiration of , i
evaluates its candidacy status and determines an appro-
less from node and starts a timer that is propor-
priate course of action. If the boolean variable Winner
tional to . This timer interval ensures that node i col- is still true and if L rounds of election are not yet over,
lects ELECTION messages from all other candidates it means that i is still a candidate in the election and
whose distance to i is k or less. Node ’s ELECTION so i loops back to Election State to participate in the
message contains the values of the decision factors, X , next round. If Winner has already been set to false, i
that are needed by the CEA to calculate f(X ). The de- goes to Wait State. If L rounds are over and the boolean
cision factors X include the factors that are signed ei- variable Winner is still true, i enters the Leader State.
ther by the TA or GA and those that have to be taken on
trust. Before sending an ELECTION message, the en-
Parent Nomination State: On receiving advertise- some other node does not maliciously declare itself the
ments from other candidate nodes, a node must deter- leader after the Lth round.
mine the node that it prefers from among those from Following this, i sends a LEADER message to all other
whom it has received an ELECTION message. This nodes, declaring itself the leader. This is done either
is done via the TOP function in Figure 1. This func- by distributing the LEADER message down the par-
tion computes f(X ) of every node i from which it re- ent/child hierarchy, or by a broadcast to all nodes. In
ceived an ELECTION message using X , and returns the former case, i sends the LEADER message to its
w =
f(X ), i.e. the node with maximum CEA immediate children in which in turn forward the
value. If w is a node different from i, i accepts w as its LEADER message to their immediate children, and so
4
on, until all nodes in the hierarchy receive the LEADER I
To illustrate the operation of SEFA, consider the net- SEFA elects the node with the maximum CEA value as
work shown in Figure 2. Each node has a unique iden- the leader, a result discussed in Section 4 and proven in Ap-
tifier followed by a bracketed number indicating its CEA pendix B. Intuitively, at every round high CEA-value nodes
value, and links are assumed to be bi-directional. During are propagated up the hierarchy. It is easy to see that the
the first round, node C receives decision factors from nodes CEA value of any node is greater than all of its descendants.
A, B, and D. Calculating their corresponding CEA values Since the leader is the root of the hierarchy, its CEA value
and comparing, node C selects node B as its parent, and is the highest of all of its descendants. We also prove that
send an OK message to B. Similarly, A and B also select B this algorithm prevents malicious nodes, that do not send
as their parent. The final hierarchy resulting from execution the required OK messages but continue to participate in the
of SEFA on graph of Figure 2 is shown in Figure 3. At the election process, from being elected leader.
end of round 1, nodes B,E,I and K are eligible to compete in
round 2. At the end of round 2, I is the only surviving node. 3.3 Secure Preference-based Leader Election
Algorithm (SPLEA)
H(6) J(5) Under SEFA, nodes share a common CEA and thus view
C(5) L(2)
E(11)
the “desirability” of a candidate node identically. Our sec-
D(3)
ond leader election algorithm, SPLEA, allows elector nodes
to have different views of the “desirability” of a candidate
node. We define elector node ’s utility function, , for a
K(9)
A(3)
5
a candidate node that they prefer (via their utility function) ification. Each ELECTION message in SPLEA also
over other candidate nodes. The voting process serves to contains the list of descendants of node i as of round k,
aggregate individual elector node preferences into a system- maintained by i in the form of a list denoted by .
wide decision for the elected leader. The extent to which the The list of descendants is in the form of a set of certifi-
elected leader is “good” (from a performance standpoint) cates - one for each of its descendants, thus allowing
or close to optimal (according to some meaningful system- to prove to others that it is indeed an ancestor for
wide objective function) remains an open question for future each of its descendants. The inclusion of the list of ’s
research. descendants in the ELECTION message allows other
nodes to consider this information in their evaluation
Initialization State of the utility of .
Winner True
k=0
Election state: This state is similar to the SEFA Elec- maximum number of votes. i sends an OK message to
tion State described earlier, with the following mod- that node accepting it as its parent and starts a timer .
6
As in the case of the VOTE message, the OK message true if and only if nodes i and j receive each other’s ELEC-
is sent to all of its competitors. Upon expiration of , TION messages in round k.
a competitor j of node i that has received more votes The properties of our algorithms have been divided into
than i will report an exception if it does not hear an OK two classes: correctness properties and security properties.
from i. Once an OK is sent, the Winner variable is set Correctness properties include those properties that are re-
to false and a transition to Adoption State is made. quired of a leader election algorithm regardless of security
aspects; the security properties specify the security claims
Adoption State: This state is identical to the SEFA that our algorithms satisfy. Properties C1-C3 and S1-S2 (be-
Adoption state described earlier. The only difference low) are proved in [21]. The correctness properties C1 and
from SEFA is that upon receipt of an OK message from C2 hold for both algorithms. Although while proving them
node j, i adds node j and all of j’s descendants (which we have used some specific details of SPLEA, the proof pro-
it knows from the ELECTION message) to the list cedures will remain exactly the same and will differ only
of its descendants. in minor details when applied to SEFA. We leave it to the
reader to see how proofs for C1 and C2 can be applied to
Parent/Decision State: This state is identical to the SEFA as well. The properties C3 and S2 are specific to
SEFA Parent/Decision State described earlier.
SEFA.
7
3.4.2 Security Properties if i competes with higher utility nodes and does not
send OK messages. This forms the basis of a cheat-
The algorithms that we propose are for secure election and
proof election in SEFA.
the biggest challenge in designing such an algorithm is
to ensure a cheat-proof election mechanism across a dis- $ = (
3: 8 /1012
(
1% 3%
(
.
(
B D
tributed system of nodes. In this section, we state the var- B . $% & 0 . # .
ious security properties of our algorithms. Some of these
properties are formally proved, while the others are obvious This property is shown by proving that maximum
(though no less important) and we state them for sake of CEA-value node, say w, will be a candidate in round
completeness. L and all nodes have to compete with one another in
round L. Hence if the malicious node does not send an
The algorithms guarantee the integrity of every mes- OK message accepting w as its parent in round L, w
sage. This is facilitated by hashing the message con- will report an exception.
tents and signing the hash using the sender’s private
key. This allows the recipient of the message to verify
the signature by using the sender’s public key which 4 Asynchronous Extrema Finding
is also sent in the message. Hence if a malicious in-
tervening node tries to corrupt a message from some
Algorithm (AEFA)
other node, it will be detected by the recipient. Also if
The secure leader election algorithms discussed in Section 3
the integrity of the message is verified, then the source assume a synchronous network in which nodes remain static
of the message is also verified. This is because only
for the duration of election. In this section, we discuss the
the source knows its private key and hence the signa-
Asynchronous Extrema-Finding Algorithm (AEFA). Unlike
ture must have been generated by the source only and
SEFA and SPLEA, AEFA is a non-secure election algo-
no one else.
rithm, but allows the topology to change during the process
All messages in the algorithms are replay protected. of election itself. Networks can partition or merge because
In each message, the sender is required to include the of node movement. Like SEFA, however, AEFA assumes
time when the message is originated. Since all nodes that each node has an associated CEA value and guarantees
have synchronized clocks, a recipient of a message can that after a finite number of topological changes, a unique
determine whether a message is recent or not. leader is elected that has the maximum CEA value from
among all nodes in its network. This algorithm belongs to
The election algorithms are cheat-proof. We show that the class of self-stabilizing algorithms [20] and uses diffus-
a node i that sends an OK message in any round k can ing computations [8] for leader election. Informally, self-
never get elected as the leader. This property means stabilizing algorithms are those algorithms that can start in
that our algorithms prevent nodes from cheating once any arbitrary state and are guaranteed to converge to a sta-
they lose in a round. ble state in a finite time. We have shown that starting from
>$%
( ( a restricted set of states (and not from any arbitrary state),
$ 4 &
0 . # . AEFA converges to a stable state in finite time. Hence
AEFA can be thought to be “weakly” self-stabilizing. Also,
This property is proved by showing that if a node that AEFA is terminating, i.e. upon reaching the stable state all
sent an OK message in a certain round k, but competes its program actions are disabled. Before presenting the de-
in the Lth round and survives that round, its LEADER tails of our algorithm, we note that self-stabilizing leader
message will reach all nodes in the hierarchy including election algorithms have been studied in [15, 17, 18]. But all
its parent in round k, which will report an exception. of these algorithms assume a shared-memory model in con-
Moreover, in SPLEA, we make it compulsory for trast to a message-passing system of interest here. When ex-
nodes to send an OK message when they encounter tended to a message-passing system, these algorithms can-
competitors with higher number of votes. As de- not be both self-stabilizing and terminating [16].
scribed in Section 3, every node monitors its competi-
tor closely and reports exceptions as and when a ma-
4.1 Objectives, Constraints and Assumptions
licious behavior is noticed. Since there is no enforce-
ment mechanism in SEFA for nodes to send OK mes- In developing an asynchronous leader election algorithm,
sages, a malicious node might not send an OK message we first define our system model, assumptions, and goal.
even after encountering a node with higher CEA value. Our ad hoc network is a multihop, wireless network of mo-
We show that if a node i is not the maximum CEA- bile nodes and is modeled as an undirected graph dynam-
value node, then i cannot get elected as the leader even ically changing over time as nodes move. The vertices
8
in the graph correspond to mobile nodes and an edge be- by Dijkstra and Scholten [8]. In this section, we provide
tween a pair of nodes represents the fact that the two nodes an overview of AEFA. Formal specification and a detailed
are within each other’s transmission radii and, hence, can discussion of the algorithm can be found in [22].
directly communicate with one another. The graph can
become disconnected if the network is partitioned due to
node movement. We make the following assumptions about 4.3 Overview
nodes and system architecture: We first describe our election algorithm in the context of
a static network, under the assumption that nodes and links
1. Unique and Ordered Node IDs: All nodes have
unique identifiers. They are used to identify partici- never fail. We assume that nodes have unique identifiers and
pants during the election process and also to break ties that all links are bidirectional. Like SEFA, we assume that
during election. all nodes have a Common Evaluation Algorithm (CEA), f,
that maps the decision factors, X , that are associated
2. Links: Links are bidirectional and FIFO, i.e., links do with node into the real numbers (f :
). As we
not reorder packets. will see, AEFA elects a leader with maximum CEA value.
3. Node Behavior: Nodes can crash arbitrarly at any The algorithm operates by first “growing” and then “shrink-
time and can come back up again at any time. Node ing” a spanning tree that is rooted at the node that initiates
crashes are implicitly modeled in our election algo- the algorithm. A node initiates the algorithm in response to
rithm as a node becoming disconnected from the net- a trigger indicating that it has become disconnected from its
work. The addition of a new node or the reboot leader. We refer to this computation-initiating node as the
of a previously down node is implicitly modeled by source node. When the spanning tree shrinks completely,
new link formations with its neighbors. When a node the source node will have adequate information to determine
restarts after a crash, the election process in that node the node with maximum CEA value and will then broadcast
is bootstrapped again.
the identifier of this node to the rest of the nodes in the net-
4. Reliable Node-to-Node Communications: Commu- work.
nication between nodes takes place using a reliable The algorithm uses three messages.
transport protocol. When a node sends a packet to an-
other node, the sender knows whether or not the packet
4.2 The AEFA Leader Election Algorithm Once the spanning tree is completely grown via propa-
gated ELECTION messages, the spanning tree starts
Our leader election algorithm is based on the classical “shrinking” back towards the source. Specifically,
termination-detection algorithm for diffusing computations once all of ’s outgoing ELECTION messages have
9
(5) (3)
been acknowledged, i will send its pending ACK mes-
sage to its parent, . Tree “shrinkage” begins at the
C D C D
10
( (
C,> B , :
: B
.
( 8 :
message. Each node, upon receipt of a LEADER message,
: computes the CEA value of the leader and compares it with
. 8 . its own CEA value. If its CEA value is greater than that of
and , B
represents the boolean guard of action from the announced leader, the node broadcasts an exception thus
preventing a malicious node from taking over as the leader.
the algorithm specification and f represents the Common We are currently investigating other possible solutions to
Evaluation Algorithm (CEA). Without loss of generality, incorporate security into AEFA, as also to extend AEFA to
the proofs in [22] assume the CEA value of a node is chosen handle preference-based election. In our future work, we
to be the id of that node. would also like to study the performance of AEFA through
The predicate captures the arbitrary failures that can oc- simulation.
cur in the system and which can affect the correctness and
termination of the election algorithm. Since is a stable
predicate, the LeaderElection algorithm is said to be sta-
bilizing to or . ! 5 Conclusions
The proof of this result is divided into two parts:
Safety Property: If diffusing computations stop in the In this paper, we have proposed two new algorithms for se-
network, then eventually all nodes will have a unique cure leader election in wireless ad hoc networks. SEFA as-
leader which is the node with maximum CEA value in sumes that all elector-nodes share a single common evalu-
the network. More formally we prove that, ation algorithm that returns the same value at any elector-
Progress Property: We also show that eventually there individual utility function that determines its preference for
are no more diffusing computations in the network. a given candidate-node. We formally specified and proved
:
:8
the correctness and security properties of SEFA and SPLEA
!
(
. using temporal logic. We have also analysed the messaging,
and encryption and decryption costs incurred by SEFA and
11
6 Acknowledgements [13] W. Heinzelman,A. Chandrakasan and H. Balakrishnan.
Energy-Efficient Communication Protocol for Wireless Mi-
We would like to thank Dr.Thomas Kostas for his useful crosensor Networks. In Proceedings of Hawaiian Interna-
tional Conference on Systems Science, January 2000.
comments and suggestions. We would also like to thank the
anonymous reviewers for their suggestions. [14] V. Park and M. Corson. A Highly Adaptive Distributed
This work was supported in part by the Defence Ad- Routing Algorithm for Mobile Wireless Networks. In Pro-
ceedings of IEEE INFOCOM, April 7-11, 1997.
vanced Research Projects Agency (DARPA) under contract
N66001-00-C-8011. [15] A. Arora and M. Gouda. Distributed Reset. In IEEE Trans-
actions on Computers, 43(9), 1026–1038, 1994.
[16] A. Arora and M. Nesterenko. Unifying Stabilization and
References Termination in Message-Passing Systems. In Proceedings
of 21st International Conference on Distributed Computing
[1] G. Tel. Introduction to Distributed Algorithms. Second Edi- Systems (ICDCS), Mesa, AZ, April 2001.
tion, 2000, Cambridge University Press.
[17] Y. Afek, S. Kutten and M. Yung. Local Detection for Global
[2] N. Lynch. Distributed Algorithms. 1996, Morgan Kaufmann Self Stabilization. In Theoretical Computer Science, Vol 186
Publishers, Inc. No. 1-2, 339 pp. 199-230, October 1997.
[3] C. Wong, M. Gouda and S. Lam. Secure Group Communica- [18] S. Dolev, A. Israeli and S. Moran. Uniform dynamic self-
tion using Key Graphs. In Proceedings of ACM SIGCOMM stabilizing leader election part 1: Complete graph protocols.
’98, September 1998. Preliminary version appeared in Proceedings of 6th Interna-
tional Workshop on Distributed Algorithms, (S. Toueg et. al.,
[4] B. DeCleene et al. Secure Group Communication for Wire- eds.), LNCS 579, 167-180, 1992), 1993.
less Networks. In Proceedings of MILCOM 2001, VA, Octo-
ber 2001. [19] E. Gafni and D. Bertsekas. Distributed Algorithms for gen-
erating loop-free routes in networks with frequently chang-
[5] H. Harney and E. Harder. Logical Key Hierarchy Pro- ing topology. In IEEE Transactions on Communications,
tocol. Internet draft, draft-harney-sparta-lkhp-sec00.txt, C-29(1):11-18, 1981.
March 1999. [20] E.W. Dijkstra. Self-stabilizing systems in spite of distributed
control. In Communications of the ACM, 17:634-644,1974.
[6] N. Malpani, J. Welch and N. Vaidya. Leader Election Al-
gorithms for Mobile Ad Hoc Networks. In Fourth Inter- [21] S. Vasudevan, B. DeCleene, J. Kurose and D. Towsley. Se-
national Workshop on Discrete Algorithms and Methods for cure Leader Election for Wireless Ad Hoc Networks. UMass
Mobile Computing and Communications, Boston, MA, Au- Computer Science Technical Report 01-50. http://www-
gust 2000. net.cs.umass.edu/networks/publications.html
[7] K. Hatzis, G. Pentaris, P. Spirakis, V. Tampakas and R. Tan. [22] S. Vasudevan, N. Immerman, J. Kurose and D. Towsley. A
Fundamental Control Algorithms in Mobile Networks. In Leader Election Algorithm for Ad Hoc Networks. UMass
Proceedings of 11th Annual ACM Symposium on Parallel Computer Science Technical Report 03-01. http://www-
Algorithms and Architectures, pages 251-260, 1999. net.cs.umass.edu/networks/publications.html
[8] E.W. Dijkstra and C.S. Scholten. Termination detection for [23] C. Perkins and E. Royer Ad-hoc On Demand Distance Vec-
diffusing computations. In Information Processing Letters, tor Routing. In Proceedings of the 2nd IEEE Workshop on
vol. 11, no. 1,pp. 1-4, August 1980. Mobile Computing Systems and Applications, New Orleans,
LA, February 1999, pages 90-100.
[9] D. Estrin, R. Govindan, J. Heidemann and S. Kumar. Next
Century Challenges : Scalable Coordination in Sensor Net- [24] R. Rivest. The MD5 Message Digest Algorithm. RFC 1320,
works. In Proceedings of ACM MobiComm,August 1999. April 1992.
[25] J. Brunekreef, J. Katoen, R. Koymans and S. Mauw. De-
[10] E. Royer and C. Perkins. Multicast Operations of the Ad sign and Analysis of Leader Election Protocols in Broadcast
Hoc On-Demand Distance Vector Routing Protocol. In Pro- Networks. In Distributed Computing, vol. 9 no. 4, pages
ceedings of Fifth Annual ACM/IEEE International Confer- 157-171, 1996.
ence on Mobile Computing and Networking (MOBICOM),
pages 207-218, August 15-20, 1999. [26] Z. Manna and A. Pnueli. The Temporal Logic of Reactive
and Concurrent Systems - Specification. In Springer-Verlag,
[11] D. Coore, R. Nagpal and R. Weiss. Paradigms for Structure New York,1992.
in an Amorphous Computer. Technical Report 1614, Mas-
sachussetts Institute of Technology Artificial Intelligence [27] R. Gotzhein. Temporal logic and its applications - a tuto-
Laboratory, October 1997. rial. In Computer Networks and ISDN systems, 24:203-218,
1992.
[12] P. Tsuchiya. The Landmark Hierarchy : A new hierarchy for
routing in very large networks. In Proceedings of the ACM [28] N. Francez. Fairness Springer-Verlag, 1986.
SIGCOMM, 1988.
12