Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2013 Article ID 109439 14 pageshttpdxdoiorg1011552013109439
Research ArticleMAP Towards Authentication for Multiple Tags
Qingsong Yao123 Jinsong Han2 Saiyu Qi3 Zhuo Liu3 Shan Chang4 and Jianfeng Ma1
1 School of Computer Science and Technology Xidian University Xirsquoan China2 School of Electronic and Information Engineering Xirsquoan Jiaotong University Xirsquoan China3Department of Computer Science and Engineering Hong Kong University of Science and Technology Hong Kong4 School of Computer Science and Technology Donghua University Shanghai China
Correspondence should be addressed to Qingsong Yao qsyaoxidianeducn
Received 5 July 2013 Accepted 7 September 2013
Academic Editor Yuan He
Copyright copy 2013 Qingsong Yao et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
The prevalence of Radio Frequency Identification (RFID) technology requires Privacy-Preserving Authentication (PPA) protocolsto prevent privacy leakage during authentication Existing PPA protocols employ the per-tag authentication in which the readerhas to sequentially authenticate the tags within the detecting region Such a processing pattern becomes a bottleneck in currentRFID enabled systems especially for those batch-type processing applications In this paper we propose an efficient authenticationprotocol which leverages the collaboration among multiple tags for accelerating the authentication speed We also find that thecollision usually being considered as a negative factor is helpful media to enable collaborative authentication among tags Ourprotocol termed as Multiple-tags privacy-preserving Authentication Protocol (MAP) authenticates a batch of tags concurrentlywith strong privacy and high efficiencyThe analytical and simulation results show that the efficiency ofMAP is better thanO(log119873)and asymptotically approaches O(1)
1 Introduction
RFID technology has been involved in many daily appli-cations [1] RFID tags can be embedded in passports IDcards credit cards and logistical labels to perform remoteidentification as well as facilitate applications such as device-free activity monitoring [2] and fast inventory [3] RFID tagsusually contain or relate to sensitive information of the tagowners or carriers If the sensitive information on a tag isexposed the privacy of the tag holder will be jeopardizedRecently Privacy-Preserving Authentication (PPA) protocols[4ndash6] are proposed to enable authentication for tags withoutleaking private information Generally each tag shares somesecrets with the reader During authentication the readerinterrogates a tag with a nonce The tag responds with amessage computed with the shared secrets and the nonceto authenticate itself to the reader Upon this response thereader searches in the backend database to find a matchrecord for the tag and determine the validity of the tag If thetag is legitimate the reader emits a message to authenticate
itself to the tagUtilizing cryptographic functions andnoncesPPA protocols can strengthen privacy protection
Most PPA approaches are designed for the per-tag sce-nario where a reader can only authenticate one tag ateach time Due to cost concern an RFID tag is usuallydesigned to be extremely resource limited even with lesspower than in sensor-based data collection applications [7]Thus the tag cannot afford complex cryptographic functionssuch as asymmetric cryptographic functions Thus currentRFID tags usually adopt relatively low-cost cryptographicalgorithms for example the lightweight hash functions [8]or HB protocols [9] to perform the authentication Howeverit is proven that a large system with strong indistinguishableprivacy and constant complexity requires public key cryp-tography in [10] where the indistinguishable privacy (ind-privacy) means that none can link a tag and its behaviorwithout learning its internal states The proof also impliesthat the authentication complexity of PPA protocols is atleast 119874(119873) if utilizing symmetric cryptographic functionsto achieve strong privacy where 119873 is the number of tags
2 International Journal of Distributed Sensor Networks
in the system As a result existing PPA protocols althoughachieving119874(log119873) or even119874(1) complexity have the penaltyof privacy degrading
The above dilemma motivates us to change the per-spective of enhancing privacy and improving efficiency forPPA protocols Before presenting our protocol we report thefollowing important observations
(a) Essentially batch-type authentication pattern is moresuitable for current RFID applications Many RFIDapplications have urgent requirements for batch pro-cessing For example in port logistics applicationsitems are usually arranged in containersThe customsauthorities need to check or even real-timely monitorthe cargos to avoid hiding of dangerous goods Itwould be impractical and time consuming to openthe containers and authenticate the goods one by oneWhat is more the tags on goods may have sensitivebusiness information unwilling to be leaked Theseneeds also arise when express companies delivervaluable goods where privacy leakage may causereputation defamation of the customers If batch-type PPA protocols are available the urgent needs ofefficient and private authentication can be satisfied
(b) When facing multiple tags an RFID reader needs ananticollision process for communicating and dealingwith each individual tag Although being efficientexisting anticollision approaches cannot meet therequirement of privacy protection Thus the anti-collision process should be performed anonymouslyThe result of the anonymized anticollision processhowever is helpless to the authentication processSimply combining these two processes is inefficientfor real RFID systems In addition a large number ofoperations are redundant for processing multiple tagsif employing PPA protocols with the per-tag patternwhich also incurs a time waste as will be shown inSection 31
(c) To resist the tracking attack it is an intuitive way toemploy multiple tags for confusing the attackers aswill be shown in Section 61 But we cannot fully uti-lize this feature if adopting the per-tag authenticationpattern If we can allow multiple tags to collabora-tively protect themselves in PPA authentication theirprivacy can be enhanced
With the above observations we introduce the conceptof tag collaboration to RFID systems A group of tags cancooperate to obtain better privacy protection Furthermorethe collaboration can improve the efficiency of RFID authen-tication We thereby propose a protocol to allow a batch oftags to collaboratively authenticate themselves to the readerThe protocol also meets the urgent need from real RFIDapplications Our protocol termed as Multiple tags privacy-preserving Authentication Protocol (MAP) has three majormerits
(1) MAP allows multiple tags to perform collaborativeauthentication Particularly we leverage the collision
which is commonly considered as a negative impacton RFID authentication to perform collaborationThe collaboration accelerates the authentication pro-cess and hides each individual tag in the group
(2) MAP can effectively defend against compromisingattack in which an adversary tries to distinguishuncompromised tags based on the secret informationobtained from compromised tags and provide strongprivacy for multiple tags We define a notion of m-strong-ind-privacy as a refinement of ind-privacy toevaluate the privacy strength of multiple tagsrsquo authen-tication We prove that MAP can provide m-strong-ind-privacy With this feature the possibility thatadversaries successfully break the indistinguishableprivacy of tags is mitigated to be negligibleThereforeour scheme provides strong privacy protection forpractical RFID applications
(3) MAP also provides security and privacy protection interms of confidentiality cloning resistance trackingresistance timing-based attack resistance and for-ward secrecy
(4) Wepresent the theoretical upper bound lower boundand mean time cost of MAPrsquos authentication effi-ciency The results show that the authentication effi-ciency of MAP is better than 119874(log119873) which is theupper bound of most PPA approaches In particularthe efficiency asymptotically approaches to 119874(1) asthe size of the tag set enlarges
The rest of this paper is organized as follows We discussthe related works in Section 2 In Section 3 we present ourobservations andmotivations in authenticatingmultiple tagsWe present the details in the design of MAP in Section 4 InSection 5 we discuss the performance of MAP In Section 6we present the security and privacy analysis In Section 7 weprovide some possible variants and improvements At last weconclude the work
2 Related Works
21 Existing PPA Protocols and Their Limitations RecentlyPrivacy-Preserving Authentication (PPA) protocols [4ndash6] areproposed to protect private information for RFID usersThose approaches aim to provide authentication for tagswithout leaking their private information for example theIDs stored in tags
Early PPA protocols organize tags (or keys of the tags)in a linear structure [11 12] The linear structure results in119874(119873) search efficiency where 119873 is the number of tags in thesystem In large-scale systems that usually have millions oftags however 119874(119873) is insufficient to meet the need of fastprocessing In [13] the authors employ a time-space tradeoffto provide 119874(119873
23) search efficiency [14] but their work is
still inefficient for large-scale systems Later a number ofsynchronization protocols are proposed to utilize precom-puted records to accelerate the search procedure In [15ndash17] the reader synchronizes with tags for fast authenticationAlthough the synchronization approaches can provide 119874(1)
International Journal of Distributed Sensor Networks 3
search efficiency they are vulnerable to desynchronizationattacks In such attacks an adversary keeps interrogating atag until the counter of the tag goes beyond a predefinedthreshold In this case the protocol would be improperlybroken and the tag can be either unacceptable by legitimatereaders or trackable to attackers In [18] the authors proposea protocol which combines the synchronization methodwith exhaustive search Such a combination can achieveefficient authentication with high privacy protection whenthe protocol utilizes synchronizationmethod but suffers from119874(119873) search efficiency when the synchronization method isnot applicable
Besides the linear organization tags can be organizedin a virtual tree-based structure [19 20] In a tree-basedapproach each tag is attached to a leaf node Each node inthe tree keeps a random key A tag holds the keys on thepath from the root to the corresponding leaf node During anauthentication the reader sends a query and the tag generatesciphers using its keys Upon the ciphers the reader performsa Depth-First-Search (DFS) in the key tree for locating a pathwith correct keys that can successfully match those ciphersand hence authenticating the tag In this way the readercan authenticate a tag with an 119874(log119873) search efficiencywhere 119873 is the number of tags Tree-based protocols areefficient but they suffer from the compromising attack Intree-based approaches compromising attack is the mostserious threat because the tags share keys with each otherTheadversary can recognize an uncompromised tag via some ofthe keys obtained from compromised tags For example ina binary tree-based system with 220 tags compromising 20tags can achieve a nearly 955 probability of successfullytracking a tag [21] Many protocols are proposed to resistcompromising attack by utilizing key-updating mechanism[21] or balancing the tradeoff between time space andprivacy [22] Those protocols although mitigating the affectof compromising attacks still cannot provide strong ind-privacy [23] with less thanO(N) complexity In [9] a protocolemploying lightweight HB protocol instead of cryptographichash function is proposed to achieve efficient authenticationThis design based on tree architecture also suffers fromcompromising attack
Existing PPA protocols are designed for authenticating asingle tag at a time which is suitable for per-tag scenarioTheper-tag pattern however can hardly provide high efficiencyand privacy simultaneously which implies a need of adoptingpublic key cryptography [10] Unfortunately the adoptionof public key cryptography is prohibitively expensive formost tags due to the capability and resource limitationsSome researchers suggest weaker privacy models for per-tagauthentication [23 24]
Recently someworks emerged dealing withmultiple tagsrsquoidentification and thus are related to this work [25ndash28] Yanget al [25] propose to aggregate the responses from a batchof tags on corresponding readers and then the aggregatedresponses enable probabilistic verification for the batch oftags Bianchi [26] extends this approach and employs BloomFilter to achieve a more general frameworkThese two worksfocuses on the reader-to-server process procedure while our
approach focus on the searching process for authenticatingtags with privacy concern Zheng and Li [27] propose a fasttag searching protocol which is efficient and scalable formultiple tags However this work focuses on tag identifi-cation other than authentication Sheng and Tan [28] studythe group authentication problem with heterogeneous RFIDnetwork In this work more advanced computational RFIDtags are introduced helping regular tags to be authenticatedto the reader
22 Existing Anticollision Algorithms and Limitations On theother hand many anticollision algorithms such as [29ndash32]have been proposed to arbitrate collisions of multiple tagsThere are two major categories of anticollision algorithmsframed-slot-based approaches (also known asALOHA-basedapproaches) and tree-based approaches In an ALOHA-based approach a reader first sends query command claiminghowmany slots in a detecting frameThen each tag randomlyselects a slot and transmits the ID within the chosen slotIn some slots a collision may inevitably happen The readerwill repeatedly launch the detecting process until every tagcan be identified without collisions The tree-based anticol-lision protocols allow the reader to actively declare a filterAccording to the filter a set of tags are required to report theirIDs in a slot and others keep silent In this way the readercan decode responses and identify tags In [29] historicalinformation obtained from the last identification process isused in current identification process to decrease collisionsIn [30 31] a counter facilitates tags to evade collisions Thetags with a counter 0 respond the query and choose a valuefor example 0 or 1 for their counters in the next round if theycollide In [32] the authors propose a method for multiplereaders to interrogate tags with near-optimal number of timeslots
Being effective in collision arbitration the above designshowever are unsuitable for protecting privacy since the IDsare all in plain text during the anticollision process Althoughthe authors in [33] propose a pseudo-identifier to enableprivate anticollision the pseudo IDs cannot help the readerto know the real ID of the tagsThus the reader has to conductanother search procedure for locating the tags and gettingtheir keys needed for authentication
3 Observations and Motivation
31 Observations on Redundancy and Possible TreatmentsIn real RFID applications it is common that a batch oftags is within the detecting region of a reader The readeremploys an anticollision process to distinguish those tags andthen communicates with each of them for performing PPAauthentication Indeed the combination of anticollision andauthentication is inefficient
Firstly current PPA protocols are mainly designed forper-tag scenarios where the searching process for differenttagsrsquo keys contains many redundant computation and com-parison operations We demonstrate this fact via an exampleof a typical tree-based authentication protocol [20] The keysare arranged in a key tree as illustrated in Figure 1 The
4 International Journal of Distributed Sensor Networks
k10
k20
k30
k21
k32 k33
k23
k11
T1 T2T3 T4
M1
M2
Figure 1 Tree-based architecture
Request NR
) Fk1198942(r) Fk119894
119889(rGenerate NT
RTi
NT k1198941(r )⟩⟨F
set r = NT ||NR
Figure 2 Typical tree-based protocol
protocol is performed as shown in Figure 2 In Figure 1 1198791rsquos
keys are (11989610 11989621 11989632) 119873119877and 119873
119879are two nonces 119903 =
119873119877||119873119879is their conjunction and 119865
11989610
(119903) 11986511989621
(119903) and 11986511989632
(119903)
are three hash values computed by using 119903 and the three keys(11989610 11989621 11989632) of 119879
1 respectively The hash value with the
inputs of 119903 and tag119879119894rsquos jth level key 119896
119894
119895is119865119896119894
119895
(119903)The reader thenchecks the hash values at level 119895 to determine the 119895th branchthat the tag lies in Continuing this process the reader caneventually identify and authenticate a tag For the example inFigure 1 the reader will travel along the path root rarr 119872
1rarr
1198722
rarr 1198791to reach the leaf node 119879
1 In this way the reader
can authenticate a tag with 119874(log119873) efficiencyIn Figure 1 if 119879
1and 119879
2are both in the batch the
reader has to check (11989610 11989621 11989632) to authenticate 119879
1and
check (11989610 11989621 11989633) for 119879
2 The checking for 119896
10and 119896
21
is redundant Previous works pay little attentions to theredundant operations in PPA authentication because theymainly focus on the interaction between the individual tagand reader in the per-tagrsquos authentication If those redundantoperations are well arranged a nontrivial improvement onthe authentication efficiency can be achieved in the batch-type process
Secondly the anticollision and authentication processesare generally conducted separately In the existing works theresult of anticollision cannot be reused by the authenticationprocess Since existing anticollisionmechanisms are designedwithout considering privacy protection if a tag uses itsreal identifier in the anticollision process the privacy willbe broken To meet the need of privacy a tag can onlyuse anonymized ID for example a pseudo-identifier inthe anticollision process Nevertheless the reader cannotleverage anonymized ID to locate the tag in the database
in the PPA authentication process If the anticollision infor-mation is generated and utilized without privacy leakagethe authentication process can be accelerated by reusing theresult of anticollision
32 Motivation Based on above observations our moti-vation is to enable the collaboration of multiple tags toconcurrently achieve privacy-preserving collision arbitrationand fast authentication
We still employ the example in Figure 1 to explain ourstrategy Consider two tags 119879
2and 119879
3 If simultaneously
queried by a single reader with a timestamp 119903 they will emitmessages for the readerrsquos verification as defined in the PPAprotocolsThese messages are computed using the 119903 and theirkeys According to the collision resistance property of cryp-tographic hash functions the keys in different branches willproduce different outputs Thus the two hash values will bedifferent at some bits We call those bits as different collisionbits and their positions as collision positions Indeed thesecollisions provide us a possible way to privately differentiatetags
In fact a legitimate reader knows the keys of all tags thatis it knows the keys at each branch in the key tree This factallows us to leverage precomputed results to accelerate theauthentication In Figure 1 with these known parameters Rcan compute the possible hash values of119879
2and 119879
3at level 1 in
advanceThen119877 can compare these two hash values to obtainthe possible positions of collision bits R can just query thefirst collision bit to check if there is a difference If a collisionis detected at a virtual node in the binary key tree each ofits branches contains at least one tag in the detecting regionFigure 3 illustrates an example for 119879
2and 119879
3 At level 119909 minus 1 119877
pre-computes hash values ℎ(1198962
119909 119903119910) = 10110 and ℎ(119896
3
119909 119903119910) =
10000 where ℎ(119896119895
119909 119903119910) is computed with 119879
119895rsquos 119909th key and the
timestamp 119903119910for this current sessionas inputs The two hash
values differ at the 3rd bit then 119877 sends out a query (119903119910 1
3) where 1 denotes a value for collision bit at level 119909 minus 2
denoting node 1198721 and 3 is the collision position of level 119909
Upon the query1198792and1198793compute responses where (10110)
3
= 1 (10000)3= 0 and (V)
119906is the 119906th bit in VThen119879
3responds
ldquo1rdquo at time slot 0 and1198792responds ldquo1rdquo at time slot 1 In this way
ONE bit transmission is adequate in each time slot for tagrsquosresponse At level x R receives the responses and chooses abranch which is related to slot 1 in this example R also pre-computes and sends out the message to continue the depth-first-search With this message R moves to the node relatedto 1198792at next level and119879
3enters the ldquoholdingrdquo status in which
1198793will keep silent until its turn for any action In this way
tags collaboratively conduct the anticollision R can verify atagrsquos unique information when it moves to the leaf level tocomplete the authentication for this tag Note that even if acollision happens due to the existence of multiple tags in aslot R can still conduct the anticollision process because 119877
only requires the information that whether a branch containstag instead of recovering individual responses from tags
Based on the above analysis we find that combiningprivate anticollision and authentication processes is feasible
International Journal of Distributed Sensor Networks 5
In particular the length of each tagrsquos response message to thereader can be minimized to one bit
4 MAP Design
41 Overview The MAP has four components system ini-tialization tags authentication updating and system main-tenance
MAP also initializes a virtual tree to organize keys fortags Except the root each virtual node in the tree containsa key Each leaf node is assigned to a tag Hence the depthof the tree is 119874(log119873) where 119873 is the total number of tagsin the system The reader maintains the key tree and keeps itsecret
To enable concurrent authentication formultiple tags theauthentication of MAP contains two phases anticollision ofmultiple tags and authentication of individual tags Duringthe former phase tags return one-bit responses to thereader If more than one branch replies the reader splitsthe entire tree (or a branch of the tree) into two subtrees(or subbranches) The reader then informs the tags on onesubtree (or subbranch) to continue performing the MAPprotocol and the tags on the other subtrees (or subbranches)to hold
For each subtree (or sub branch) the reader recursivelyexecutes the MAP protocol When arriving at a leaf node inthe virtual tree MAP launches its authentication componentin which the reader mutually authenticates a tag
After a successful mutual authentication between thereader and a tag the keys of the tag will be updated and hencesynchronized at both the tag and the reader When updatingthe keys MAP employs a cryptographic hash function withthe current key and two random nonces as inputs to generatea new key
In addition MAP provides maintenance function to dealwith tagsrsquo joining and leaving Utilizing this component theexpired tags can also be renewed
42 System Initialization MAP employs a sparse treedenoted as 119878 to initialize and maintain the keys for alltags We use 120575 and 119889 to denote the branching factor (2 forbinary tree) and depth of 119878 respectively For the simplicity ofexplanation we choose the branching factor of 2 As shownin Figure 1 assuming there are 119873 tags 119879
119894 1 le 119894 le 119873
and a reader R in the RFID system the reader 119877 assigns119873 tags to 119873 leaf nodes in 119878 In the key tree each virtualnode except the root contains a secret key As a result eachtag has 119889 keys which form a path from the root of theresponding leaf node in 119878 Initially each key is randomlygenerated The cryptographic hash function used by 119877 andall tags is ℎ(sdot) A counter 119888
119901is stored in each tag recording
the anticollision sequence of the tag Each tag 119879119894also has a
timestamp timestampiWhen initializing a tag 119879
119894 119877 first dispatches 119889 keys to 119879
119894
and sets the 119888119901of 119879119894to 0 119877 also sets the value of an internal
counter 1198880= 0 The counters denote the ldquoholdingrdquo sequence
for later remounting The keys are corresponding to a pathfrom the root of 119878 to the tag For example in Figure 1 the keysstored in tag 119879
1are 11989610 11989621 and 119896
32 We denote the secret
keys of 119879119894as (1198961198941 119896119894
2 119896
119894
119889) We define 119896
119894
119909as the 119909th key of 119879
119894
corresponding to the depth 119909 119877 then sets the timestampi of119879119894to the current time
43 Tags Authentication The tags authentication of MAP isdifferent from existing protocols This component has twophases anticollision of multiple tags and authentication ofindividual tags as illustrated in Algorithm 1 On the readerside the corresponding authentication is recursively executedon the key tree as performing a depth-first-search (DFS)This is supported by the remount subcomponent
431 Anticollision The anticollision process starts from theroot of the key tree At each virtual node the reader 119877
conducts one round of communication with the tags in itsdetecting range In the anticollision process prior worksusually require a tag to respond with the whole hash valuecomputed using its key and ID Instead MAP requests thetag to reply with only ONE bit in each round of interactionas illustrated in Figure 3 The requested bit is in the highestposition of those bits that differ Algorithm 1 illustratesthe interactive communication We use 119875
119862to denote the
highest position of the possible collision bits and 119881119862
todenote the value of bit on this position Since the outputs ofcryptographic hash function in MAP are 64 bits long hashvalues the length of 119875
119862can be 6 bits The whole anticollision
is executed in 119878 as followsAt each non leaf depth 119909 minus 1 1 le 119909 le 119889 minus 1 (for the root
119909 = 1) 119877 has two tasks choosing the branch denoted by 1198811015840
119862
for the anticollision process at level 119909 minus 2 which is related toa node 119899 at level 119909 minus 1 and pre-computing 119875
119862using the keys
on 119899rsquos branches at level 119909 The value of 1198811015840
119862is computed using
the branch keys at depth 119909 minus 1To choose a branch related at depth 119909 minus 1 119877 randomly
chooses a collision value 1198811015840
119862based on the tagsrsquo responses
where1198811015840
119862is computed using the branch keys at depth 119909minus1 To
generate 119875119862 119877 creates a timestamp 119903
119910 where 119910 is an integer
counter 119877 uses the keys of 119899rsquos two children nodes to computetwo hash values in the form of ℎ(119896
119894
119909 119903119910) 119877 then compares
these two hash values and records the highest position of thepossible collision bits as 119875
119862 119877 then sends a query with four
parameters 119903119910 1198811015840119862 119875119862 and 119888
119910 where 119888
119910is a counter
Upon receiving the query a tag 119879119894 which responded in
depth 119909 minus 2 checks whether the timestamp is posterior tothe one it holds If yes 119879
119894believes the query is a new request
and checks if 1198811015840
119862matches its last response If yes 119879
119894computes
119881119862related to 119875
119862of level 119909 and chooses the 119881
119862th time slot
to respond with bit ldquo1rdquo Otherwise if not match 119879119894enters
the ldquoholdingrdquo status and stores 119888119910in 119888119901 If more than one
branch replies 119877 also records the pair of (119888119910 119899119910) where 119899
119910
denotes the sibling node related to the 1198811015840
119862at level 119909 minus 1 If 119879
119894rsquos
timestamp is larger than the one in the query it randomlychooses a slot to respond with bit ldquo1rdquo
The anticollision is an important part of authenticationprocess processing multiple tags at the same time Based onthis MAP provides multiple tags style authentication otherthan sequential authentication in which the authenticationprocedure for each tag does not overlap
6 International Journal of Distributed Sensor Networks
Anti-collision sub-component At non-leaf depth 119909 minus 1119877 randomly selects a branch sends (119903
119910 119875119862 1198811015840119862 119888119910)
119877 records (119888119910 119909 minus 1) 119888
119910++
Tags which match 1198811015840
119862choose time slot (ℎ (119896
119894
119909 119903119910))119875119862
Tags not match wait and record 119888119910in 119888119901
Go to depth 119909
Authentication sub-component plus updatingif 119909 = 119889 At leaf level
119877 sends a timestamp 1198771to 119879119894
119879119894checks 119877
1and delay 119905max(119905ℎ119903119890119904ℎ119900119897119889 minus 119877
1+ 1)
then replies (1198772 119868) where 119868 = ℎ(1 119896
119894
119889 1198771 1198772)
119877 computes a hash value for 119879119894to check 119868
if match119877 accepts 119879
119894 and sends 119872 = ℎ(2 119896
119894
119889 1198771 1198772)
119877 updates 119896119894
119889to ℎ(3 119896
119894
119889 1198771 1198772) update R
else if not match119877 sends 119872 as a random number if match
119879119894gets 119872 and computes a value to check 119872
if 119872 matches the computed value by 119879119894
119879119894accepts 119877
119879119894updates 119896
119894
119889to ℎ(3 119896
119894
119889 1198771 1198772) update 119879
119894
Remount119877 chooses the max 119888
1199101015840 stored as 119888max in (119888
1199101015840 119901119900119904
1199101015840 )
While exists such 119888max119877 sends to tags (119888max 1199031199101015840 119875119862)119879119895with 119888max chooses slot (ℎ(119896
119895
1199091015840+1
1199031199101015840 ))119875119862
119877 deletes the pair stored related to 119888max119877 continues to tags-authentication atdepth 119909
1015840+ 1 in the sub-tree which roots at 119901119900119904
1199101015840
Algorithm 1 Tags authentication in MAP
ReaderQuery Query
Tagcomputing
Tagreply
Tagcomputing
Slot Slot0 1
T2
T3 HoldLevel x
ry 1 3 ry+1 0 2
middot middot middot
middot middot middot
middot middot middotmiddot middot middot
middot middot middot
middot middot middot
Level x minus 2 Level x minus 1
3rd bit = 1
3rd bit = 0
2nd bit = 1
Figure 3 Anticollision with one bit
432 Authentication When arriving at a leaf node R startsthe authentication subcomponent with 119879
119894 R and 119879
119894authen-
ticate each other via this subcomponent At this point Rhas exploited the path from the root to the leaf node relatedto 119879119894 The subcomponent includes four steps as shown in
Algorithm 1(1) 119877 sends a query to 119879
119894with the timestamp 119877
1
(2) Upon this query 119879119894checks if 119877
1is acceptable and
delay 119905max(threshold minus 1198771
+ 1) where 119905max is a predefinedmaximum delay and threshold is a predefined maximum
counter value The value of 119905max and threshold can be ini-tialized empirically and adjusted in real application Then119879119894replies with a random nonce 119877
2and a hash value 119868 =
ℎ(1 1198771 1198772 119896119894
119889)
(3) 119877 compares 119868 to the hash value computed usingcorresponding key stored in the database If the two hashvalues are identical the reader accepts the tag as a legitimateone Otherwise 119877 treats the tag as illegal For a legal tagthe reader sends 119872 = ℎ(2 119877
1 1198772 119896119894
119889) as an authentication
message and then launches the updating component on the
International Journal of Distributed Sensor Networks 7
reader side For an illegal tag the reader only sends a randombit string with the same length of ℎ(sdot)
Note that the key in the leaf node may not match thecorresponding tagrsquos key In this case 119877 has to search throughthe entire database to check if a matching key can be foundIf such a key is found the tag is accepted as legitimate Inthis way even a tag which is desynchronization attacked andthus has a big timestamp can also be authenticated This canprevent attackers from distinguishing tags by whether theycan be accepted
(4) UponM 119879119894computes the hash value based on the key
stored in it If they are matched119879119894takes 119877 as a legitimate one
119879119894then launches the updating on the tag side if119877 is legitimateA collisionmayhappenwhen two tags choose an identical
leaf node At this time there is more than one tag respondingto the readerTheir signals will collide and cannot be correctlydecodedThis can happenwhen a tagrsquos random choicesmatchthe path of the other tag from root to leaf The possibility is2minus119889 where 119889 is the depth of the key tree While the possibilityis negligible we just take these collidedmessages as a randommessage and complete the routine processes of authenticationand updating As each tag has a unique leaf key which will beupdated involving the random nonces during authenticationthe possibility they collide again at the leaf node will still benegligible we will process the colliding tags in the next roundof entire tags-authentication process
433 Remount After authentication and updating of atag the whole tag authentication process is remounted forunprocessed tags according to their ldquoholdingrdquo sequence indescending order 119877 finds out the max counter 119888max in the(1198881199101015840 1199011199001199041199101015840) pairs stored in the reader where 119910
1015840 is an integerIf there exists such a 119888max 119877 computes 119875
119862for the branches
of 1199011199001199041199101015840 and starts the anticollision subcomponent in the
subtree rooted at 1199011199001199041199101015840 To do this the reader sends a
recursive query command 1199031198901198881198761199061198901199031199101199101015840 with 119888max 119875
119862 and
a new timestamp 1199031199101015840 Upon this query each tag checks its
internal counter 119888119901The tags that have amatched 119888max respond
with the corresponding119881119862 If no such a 119888max exists the reader
terminates the current round of MAP and launches a newround The reader iteratively performs the authenticationprocess until all tags are processed or the number of roundsexceeds a predefined threshold threshold In MAP if there aresome tags moving into the detecting region of 119877 in currentround 119877 will treat them as newly coming tags in the nextround
We illustrate the above process by using the example ofauthenticating 119879
1 1198792 and 119879
3in Figure 1 Assume the reader
chooses the left branch each timeThen there is no collision atdepth 0 and the entire authentication procedure goes to thesubtree rooted at the node related to 119896
10at depth 1 The 119881
119862
values related to keys at depth 2 will collide 119877 moves downto the left branch related to 119896
20and 119896
30 119877 puts 119879
2and 119879
1in
a holding state at this point 119877 also records the anticollisionsequence and the node related to 119896
21 As there is no more
collision for1198793119877 completes the authentication of119879
3and goes
back to the holding tags 119877 requests 119881119862related to the keys at
depth 3The responses of 1198792and 119879
1fall in different branches
Then 119877 puts 1198792to holding state and authenticates 119879
1 After
that the reader 119877 authenticates 1198792
44 Updating After a successful mutual authenticationbetween the tag and reader the updating process follows asillustrated in Algorithm 1 MAP only updates the leaf keys formultiple tags environments where a leaf key is the key onthe leaf node There are two reasons First in our protocolthe keys on nonleaf nodes are only used for navigationSecond as analyzed in [22] updating keys for tags withoutchanging the sharing relationship of keys among tags will notincrease the difficulty for adversaries to successfully conductcompromising attacks We also allow a tag to be renewed inthe system maintenance component as an updating methodwhich also updates the tagrsquos location and the correspondingkeys in the virtual tree for better privacy
R updates the keys for a tag after a successful authentica-tion of the tag At the corresponding leaf node a new leaf keyis generated as 119896
119894
119889
1015840
= ℎ(3 1198771 1198772 119896119894
119889) for 119879
119894 119879119894updates its leaf
key only after a successful authentication of 119877 by checkingM
45 System Maintenance Users may want to insert renewor withdraw their tags The system maintenance componentdeals with these requests
If a new tag joins in the systemR initializes it by assigningit to an empty leaf node and generates the necessary keys forit If a tag is withdrawn R simply deletes the information oncorresponding nodes related to the tag from S
We also allow a tag to be renewed for better security andprivacy The permission is controlled by the manager Whena tag is permitted to be renewed it is first withdrawn by thereader Then the reader treats the tag like a new one andinserts it into the system After being renewed the new keysand related path in the key tree have no relation with the oldones
5 Performance Analysis
In this section we analyze the performance of MAP con-sidering both communication and computation costs Wetheoretically analyze the costs and give the correspondingupper bound lower bound andmean valueWe also launch asimulation Then we compare the performance of MAP withtwo combination solutions
51 Theoretical Analysis In MAP multiple tags are authenti-cated concurrently thus we care about the average time costsderived from costs for all tags divided by the number of tagsIn Section 5 when we mention a cost for each tag we aremeaning such an average time cost for each tag
There are cases when the tags to be authenticated coverthe least branchesThenpaths of these tags cover a full subtreeand a single path from the root of this subtree to the rootof system tree 119878 as 119879
1and 119879
2in Figure 4(a) In these cases
arbitrations and hash computations are shared by the mosttags Thus it is possible that both the communication andcompute cost for each tag are the least in these cases
8 International Journal of Distributed Sensor Networks
k10
k21
k32 k33
T1 T2
M1
M2
(a) Most sharing
k20
k30
k10
T3
(b) Least sharing
Figure 4 The different sharing scenarios
Contrarily when the tags cover the most branchesrespecting no path being shared as 119879
3itself in Figure 4(b)
then it is possible that both communication and compute costfor each tag are the largest as arbitrations and hash computesare shared by the least tags
For theoretic comprehensibility we consider time cost fortransferring hash values in communication cost For computecost we consider only cost for computing hash values atboth reader end and tag end For the overall cost consideringoverheads we give a simulation result in Section 52
When tags cover the least branches the minimumcommunication and compute cost are computed as followsTheoretically they are the lower bound of MAP in terms oftime cost Indeed both of them are in O(1) complexity
Commmin = 119905auth + 2119905query + 119905reply minus
(119905query + 119905reply)
119873
asymp 119905auth + 2119905query + 119905reply
Compmin = (2 minus1
119873) 119905119905119888119900119898119901
+ (3 minus2
119873119860
) 119905119903119888119900119898119901
asymp 2119905119905119888119900119898119901
+ 3119905119903119888119900119898119901
(1)
where the 119889 is the height of the system tree 119878 119873 is thenumber of tags in the system 119873
119860is the number of tags to
be authenticated and 119873119860
= 119873 in this case 119905query is the timefor a reader 119877 to send out a query 119905reply is the time for eachtag on both branches to reply their related 1 bit 119881
119862values in
the two time slots 119905auth is the time for a tag to send the hashvalue of its leaf node 119905
119905119888119900119898119901is the time for a tag to compute
a hash value and 119905119903119888119900119898119901
is the time for 119877 to compute a hashvalue Note that we suppose sending the request commandsneeds the same time as the 119905query
When each tag covers themost branches there is only onetag to be authenticated Thus we get the maximum costs Wedenote the maximum communication and compute cost as
Commmax and Compmax respectively The theoretical upperbound cost of MAP is given by
Commmax = 119905auth + 119889 times 119905reply + (119889 + 1) 119905query
Compmax = (119889 + 1) 119905119903119888119900119898119901
+ (2119889 + 1) 119905119903119888119900119898119901
(2)
where 119889 is the height of the system tree 119878 We can find thatboth the maximum costs have an 119874(log119873) complexity
When tags cover all branches supposing the coverprobability is unique we get the mean communication andcomputing costs as follows
Commmean = 119905auth + 119905query
+ (119905query + 119905reply) (2 + 119889 minus log2119873119860
minus1
119873119860
)
asymp 119905auth + 119905query + (119905query + 119905reply)
times (2 + 119889 minus log2119873119860
)
Compmean = (2 + 119889 minus log2119873119860
minus1
119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
minus1
119873119860
) 119905119903119888119900119898119901
asymp (2 + 119889 minus log2119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
) 119905119903119888119900119898119901
(3)
Both Commmean and Compmean are strict monotonicfunctions of 119873
119860 When 119873
119860is big enough they approach the
constant value of 119874(1)Considering the minimum authentication cost without
anticollision or updating for a single tag in traditional tree-based protocol it will need to compute transmit and verifyat least log
120575119873 ciphers where 120575 is the branching factor of the
key tree When the tag lies at the first-reach leaf the costis minimum with message length and computation times ofabout log
120575119873 When the tag lies at the last-reach leaf the cost
is maximum with the computation times enlarged to about120575 times log
120575119873 The average computation cost is about (1 + 120575)2 times
log120575119873ThusMAP protocol outperforms the traditional tree-
based protocol theoretically
52 Simulation We compared the average processing timeof MAP to two simple combination solutions Both thetwo solutions use the slot-count (Q) selection algorithm inEPC C1G2 UHF Air Interface Protocol Standard [31] foranticollision The PPA protocols for these two solutions arethe typical tree-based protocol [20] and RWP protocol [22]with O(1) complexity In all protocols both tag side andreader side employ SQUASH (SQUaring haSH) which isproposed by Shamir in [8] to compute hash values SQUASHneeds only several hundred gate equivalents (GEs) and isappropriate for low cost RFID tags We consider the overalltime cost including communication cost and search cost
International Journal of Distributed Sensor Networks 9
The communication cost includes the cost for transmittingcommands and data with overheads such as wait time timeout frame sync and preamble Note that compared to otherkinds of wireless communication such as WiFi the messagesexchanged between the reader and tags are very short Thusthe overheads are not negligible All the command formatsdata formats and link timing follow the standard In searchcost we consider compute cost for hash values by both readerand tags We assume the reader can process 223 times 64 bitsSQUASH in a second in average For the tag we assume it canprocess one time SQUASH in 6775 us and 242 us We makethese two assumptions based on the link timing requirementsspecified in the standard
In our simulation the forward data rate is 40Kbps andthe backward data rate is 320KbpsWe suppose that there are220 tags in the system We choose tags randomly and repeatthe whole process 100 times for average results
In Figure 5 we give the result for 1000 tags The simu-lation result shows that MAP gains a better efficiency thantypical tree-based protocol The average time cost of tree-based protocols is about 22 times to 42 times that of MAPThe efficiency of MAP asymptotically approaches the RWPprotocol with O(1) complexity as the size of the tag setapproaches 1000 The simulation result is in accordance withthe theoretical analysis That is because in MAP computingand communication are shared between all tags Moreoverduring anticollision subcomponent tags respond with only 1bit to save communication cost That is why MAP outper-forms typical tree-based protocol when tag size is small
According to the performance result in [26] for 1000 tagsin a system with 105 tags at 40Kbps forward rate achieving1 erroneous decision the SEBA approach [25] needs 41min-utes while the SEBA+ approach [26] needs about 4 minutesUtilizing MAP it takes about 1000 times 10405times 10minus6 s = 1122 swhich is less than SEBA and more than SEBA+ Howeverthe result in [26] considers only the message transmissiontime leaving out the nonnegligible computation time andthe communication overheads such as wait time time outframe sync and preamble Moreover MAP provides accurateauthenticationwith no error probabilityThusMAP is a goodchoice in performance for the authentication ofmultiple tags
6 Security and Privacy Analysis
In this section we analyze the security and privacy charactersof MAP Because our approach is tree based we focus onresistance to compromising attackwhich has themost seriousimpact on conventional tree-based approaches [23] Weprove that MAP is m-strong-ind-private showing that MAPsatisfies strong privacy protection in multiple tags scenarioWe also show the abilities of MAP in terms of confidentialitycloning resistance tracking resistance timing-based attackresistance and forward secrecy
61 Compromising Attack Compromising attack is the mosteffective way for crashing tree-based protocols That isbecause tags organized in tree-based structures share keyswith each other When an adversary 119860 compromises some
0 200 400 600 800 1000
39
4
41
42
43
44
45
46
47
48
Size of tag set to be authenticated
log10
style
)
Tree-basedTree-basedMAP
MAPRWPRWP
242120583s6775120583s
6775120583s
242120583s242120583s6775120583s
Aver
age p
roce
ssin
g tim
e (120583
sFigure 5 Comparison on performance for 1ndash1000 tags
tags and thus obtain their secret keysA can deduce the secretkeys of other tags In conventional tree-based protocols alegitimate reader splits a tag from other possible ones levelby level and finally authenticates it on the leaf using itskeys on related levels An adversary can also distinguishtags and further track them in this way with keys fromthe compromised tags For detailed analysis please refer to[14 21]
Our analysis is based on the works in [10 14 18 2123 34] The notion of strong ind-privacy defined in [23]which is equivalent to the destructive-privacy defined in[34] is very similar to the strong privacy provided byMAP except that MAP focuses on privacy protection formultiple tags The existing privacy models are designedfor one-tag-one-reader authentication scheme and focus ondistinguishability privacy between TWO tags only They arenot fit for the multiple tags scenario in MAP where thereader cannot communicate to a tag before anticollisionsubcomponent
We define a new model for multiple tags environmentsincluding four oracles Request(sdot sdot sdot) Send(sdotsdot) Relay(sdotsdot) andCompromise(sdot) to formulate the attacks to the tag sets andreader Assume we have a tag set 119873
119878 Any attack on 119877 or 119873
119878
can be represented by calling on its oraclesRequest(119873
119878 1198981 1198983) A queries the tag set 119873
119878by a query
message1198981and receives the responsesThen119860 sends another
message 1198983to 119873119878 including the collision arbitration and Rrsquos
authentication dataSend(R 119898
2) A sends a message 119898
2 representing the tag
setrsquos reply and authentication messages to 119877 and receives aresponse
Relay(119873119878 119877) A relays the messages between 119873
119878and R A
can arbitrarily modify the messages from one side to another
10 International Journal of Distributed Sensor Networks
Compromise(119873119862) A compromises tags in set 119873
119862and
obtains their secret keys where 119873119862is a tag set 119860 obtains The
compromised tags are broken and cannot be used any furtherThe compromising attack on MAP denoted by
CAMAP119860
[1198960 119873119860
] is performed with the following steps
Step 1 The adversary 119860 compromises 1198960tags and obtains
their secret keys
Step 2 A chooses a target tag 119879 that has not been compro-mised A can query 119879 or act as a man-in-the-middle between119879 and the reader 119877 polynomial times Note that 119860 cannotcompromise119879 According to the secret keys119860 gains in Step 1A can compute outputs of these keys and compare to themTrsquosoutputs In this way 119860 can determine which of Trsquos keys equalto Arsquos known keys
Step 3 The system gives a tag set 119873119878with 119873
119874tags including
119879 Then 119873119878is divided into two subsets 119873
1198781and 119873
1198782 For the
simplicity we assume each subset contains 119873119860tags Or else
we can define the smaller set contains119873119860tags which will not
affect the result of analysis but complex the analysis processA randomly picks a subset 119873
119878119887 where b = 0 or b = 1 and
determines if 119879 is in this subset A can pick both subsets If119873119878119887
contains T A can proceed tracking 119879 by tracking 119873119878119887
otherwise 119873119878(1minus119887)
A can send queries to the tag set or act asa man-in-the-middle between the tag set and the reader 119877
polynomial times but cannot compromise those tagsWe denote
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] (4)
as the possibility 119860 definitely knows whether tag set 119873119878119887
includes T A succeeds if 119860 definitely knows which tag setincludes 119879 Then the possibility that 119860 succeeds is
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] = 1 minus (1 minus 1198750)2
(5)
where 1198750is the possibility that 119860 succeeds in either subset in
a system employing MAP
Definition 1 Theadvantage of adversary119860 in the compromis-ing attack is defined as
advMAP119860
(1198960 119873119860
) =
1003816100381610038161003816100381610038161003816(119875MAP +
1
2(1 minus 119875MAP)) minus
1
2
1003816100381610038161003816100381610038161003816=
119875MAP2
(6)
where the probability is the advantage of 119860 correctly guessagainst randomly guess which subset 119879 is in
Definition 2 (M-strong(120576 1198960 119873119860
)-ind-privacy) An RFIDprotocol PRO is m-strong( 120576 119896
0 119873119860)-ind-private if when 119873
119860
approaches N the advantage advPRO119860
(1198960 119873119860
) is at most 120576 inpolynomial time Where 119873
119860lt 119873 120576 is an infinitesimal when
119873 approaches infinity
M-weak(120576 1198960 119873119860)-ind-privacy is defined the same as m-
strong (120576 1198960 119873119860
)-ind-privacy except that 1198960= 0
Destructive Final NoCorrupt corrput Corrupt corrupt
Wide
Narrow
m-strong m-forward m-weak
m-narrow m-narrowm-narrowm-narrowstrong destructive
m-destructive
forward weak
Figure 6 The privacy levels
The above two privacy notions can be simply denotedas m-strong-ind-privacy (MSIP) and m-weak-ind-privacy(MWIP) where the letter ldquo119898rdquo is the abbreviation of mul-tiple tags When 119873
119860= 1 the MSIP (MWIP) equals the
strong-privacy (weak-privacy) in Juelsrsquos model [23] and thedestructive-privacy (weak-privacy) in Vaudenayrsquos model [34]At this time the case of a tag lying in a set is identical tothe case of the target tag being a particular tag in traditionalprivacy model with two tags Thus our multiple tags privacymodel is a generalized version of existing privacy models[23 34] On the contrary the existing privacy models arespecial cases of multiple tags privacy where each tag set hasonly one tagThen we can define 8 different levels of privacyby generalizing Vaudenayrsquos model for multiple tags scenariosas illustrated in Figure 6
The above model is dedicated for classifying the privacyprotection in multiple tags scenarios Intuitively it is easierfor a tag to hide in a set than to behavior indistinguishably toanother tag Thus the above model is a model weaker thanthe privacy models for one-reader-one-tag scenarios
However if the authentication protocol does not take thisadvantage then the protocol cannot provide better privacyin scenarios with multiple tags than in one-reader-one-tag scenarios no matter how many tags are there to beauthenticated For example in the OSK [12] protocol onedesynchronized tag cannot be accepted by a legitimate readerThus a desynchronized tag can still be distinguished in a tagset saying nothing of hiding in the set As a result the OSKmethod cannot providem-strong-ind-privacy orm-weak-ind-privacy
In the tree for MAP when 119860 is not aware of all keys inboth branches A does not know the 119875
119862and has to randomly
guess one for navigation and conduct the searching processWhen the guess fails A sends out a position that has nocollisions Then 119860 cannot split the tags Only when 119860 knowsall the keys in the branches related to T A can send outthe correct 119875
119862and proceed on tracking That is the main
reason whyMAP performs better than traditional tree-basedprotocols in defending against compromising attacks In facttheMAP protocol ism-strong-ind-private as will be proven inthe bellowing
Theorem 3 TheMAP protocol is MSIP private
Proof We perform the compromising attack with MAPprotocol as follows
We denote tags in 119873119878119887
by 1198791015840 We denote keys in 119879
and 1198791015840 with (119896119890119910
0 1198961198901199101 119896119890119910
119889) and (119896119890119910
1015840
0 1198961198901199101015840
1 119896119890119910
1015840
119889)
International Journal of Distributed Sensor Networks 11
respectively where 119889 is the depth of the tree Considering atlevel 119909 where 119896119890119910
119909is in a subtree we use 119870
119909to denote the
set of known keys by 119860 in this subtree and 119896119909to denote
the number of keys in 119870119909 And 119896
0is the number of tags
compromised There are three cases to be considered at levelxCase 1 A does not succeed in previous 119909 minus 1 levels and thereis exactly one key 119896119890119910
1015840
119909equal to 119896119890119910
119909 A definitely knows 119873
119878119887
includes 119879 The possibility is
119875119903(1198621
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times
1
120575119909times (1 minus
1
120575119909)
119873119860minus1
(7)
Case 2119860 does not succeed in previous 119909minus1 levels and therersquosno key 119896119890119910
1015840
119909equals to 119896119890119910
119909 A definitely knows that 119873
119878119887does
not include 119879 The possibility is
119875119903(1198622
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times (1 minus
1
120575119909)
119873119860
(8)
Case 3 119860 does not succeed in previous 119909 minus 1 levels and morethan one key 119896119890119910
1015840
119909equals 119896119890119910
119909 In this case 119860 fails at level 119909
and should move to level 119909 + 1 The possibility is
119875119903(1198623
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575minus 119875119903(1198621
119909) minus 119875119903(1198622
119909)
(9)
Theoverall probability of119860 definitely knowswhether119873119878119887
includes 119879 is
1198750
= 119875119903(1198621
1or 1198622
1) +
119889
sum
119909=2
(119875119903(1198621
119909or 1198622
119909) times
119909minus1
prod
119910=1
119875119903(1198623
119910))
= (1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
times
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
)))
(10)
where
119875 (119896119890119910119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895) (120575 minus 119895)
(120575119909 minus 119895)2
1198961
= 120575 (1 minus (1 minus1
120575)
1198960
)
119896119909
= 120575 (1 minus (1 minus1
120575)
119892(119896119909)
) (2 le 119909 le 119889)
119892 (119896119909) = 1198960
119909minus1
prod
119910=1
1
119896119910
(11)
The possibility 119860 succeeds in either subset is 1198750which is
a monotonically decreasing function of 119873119860 so is 119875MAP The
advantage of 119860 is 119875MAP which decreases exponentially to 0 as119873119860increases to be big enoughConsidering that 119896
119909le 120575 and 120575 ge 2 we have the following
derivations
(1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
le (1
2)
119873119860minus1
1198961
120575
1198961
120575
1198961
minus 1
120575 minus 1
le (1
2)
119873119860minus1
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
))
lt
119909minus1
prod
119910=1
(119875 (119896119890119910119910) times 1 times 1)
=
119909minus1
prod
119910=1
119875 (119896119890119910119910)
(12)
Then we have the following deduction
1198750
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
119909minus1
prod
119910=1
119875 (119896119890119910119910))
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
(1 minus1
120575119909)
119873119860minus1
lt (1
2)
119873119860minus1
+ 119889(1 minus1
1205752)
119873119860minus1
(13)
The right part of the inequality is a monotonicallydecreasing function of 119873
119860 For example it can be deduced
that 1198750
lt (12)119873119860minus1
+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875
0is an
infinitesimal as 119873119860approaches 119873 so is 119875MAP According to
Definition 2 MAP ism-strong-ind-private
12 International Journal of Distributed Sensor Networks
0 50 100 150 2000
02
04
06
08
1
Succ
essfu
l pro
b o
f atta
ck
Size of tag set to be authenticated
MAPTree-based
Figure 7 Comparisons on defending against compromising attack
Assume a RFID system of 220 tags with 120575 = 2 and 119889 =
20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]
We can find that for both protocols the possibilities that119860
succeeds reduceswhen119873119860increases ForMAP the possibility
reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873
119860gt 8 119875MAP lt
005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200
62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information
63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881
119862values are only used for
navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol
64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack
in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key
MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack
An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860
firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold
65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough
66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
2 International Journal of Distributed Sensor Networks
in the system As a result existing PPA protocols althoughachieving119874(log119873) or even119874(1) complexity have the penaltyof privacy degrading
The above dilemma motivates us to change the per-spective of enhancing privacy and improving efficiency forPPA protocols Before presenting our protocol we report thefollowing important observations
(a) Essentially batch-type authentication pattern is moresuitable for current RFID applications Many RFIDapplications have urgent requirements for batch pro-cessing For example in port logistics applicationsitems are usually arranged in containersThe customsauthorities need to check or even real-timely monitorthe cargos to avoid hiding of dangerous goods Itwould be impractical and time consuming to openthe containers and authenticate the goods one by oneWhat is more the tags on goods may have sensitivebusiness information unwilling to be leaked Theseneeds also arise when express companies delivervaluable goods where privacy leakage may causereputation defamation of the customers If batch-type PPA protocols are available the urgent needs ofefficient and private authentication can be satisfied
(b) When facing multiple tags an RFID reader needs ananticollision process for communicating and dealingwith each individual tag Although being efficientexisting anticollision approaches cannot meet therequirement of privacy protection Thus the anti-collision process should be performed anonymouslyThe result of the anonymized anticollision processhowever is helpless to the authentication processSimply combining these two processes is inefficientfor real RFID systems In addition a large number ofoperations are redundant for processing multiple tagsif employing PPA protocols with the per-tag patternwhich also incurs a time waste as will be shown inSection 31
(c) To resist the tracking attack it is an intuitive way toemploy multiple tags for confusing the attackers aswill be shown in Section 61 But we cannot fully uti-lize this feature if adopting the per-tag authenticationpattern If we can allow multiple tags to collabora-tively protect themselves in PPA authentication theirprivacy can be enhanced
With the above observations we introduce the conceptof tag collaboration to RFID systems A group of tags cancooperate to obtain better privacy protection Furthermorethe collaboration can improve the efficiency of RFID authen-tication We thereby propose a protocol to allow a batch oftags to collaboratively authenticate themselves to the readerThe protocol also meets the urgent need from real RFIDapplications Our protocol termed as Multiple tags privacy-preserving Authentication Protocol (MAP) has three majormerits
(1) MAP allows multiple tags to perform collaborativeauthentication Particularly we leverage the collision
which is commonly considered as a negative impacton RFID authentication to perform collaborationThe collaboration accelerates the authentication pro-cess and hides each individual tag in the group
(2) MAP can effectively defend against compromisingattack in which an adversary tries to distinguishuncompromised tags based on the secret informationobtained from compromised tags and provide strongprivacy for multiple tags We define a notion of m-strong-ind-privacy as a refinement of ind-privacy toevaluate the privacy strength of multiple tagsrsquo authen-tication We prove that MAP can provide m-strong-ind-privacy With this feature the possibility thatadversaries successfully break the indistinguishableprivacy of tags is mitigated to be negligibleThereforeour scheme provides strong privacy protection forpractical RFID applications
(3) MAP also provides security and privacy protection interms of confidentiality cloning resistance trackingresistance timing-based attack resistance and for-ward secrecy
(4) Wepresent the theoretical upper bound lower boundand mean time cost of MAPrsquos authentication effi-ciency The results show that the authentication effi-ciency of MAP is better than 119874(log119873) which is theupper bound of most PPA approaches In particularthe efficiency asymptotically approaches to 119874(1) asthe size of the tag set enlarges
The rest of this paper is organized as follows We discussthe related works in Section 2 In Section 3 we present ourobservations andmotivations in authenticatingmultiple tagsWe present the details in the design of MAP in Section 4 InSection 5 we discuss the performance of MAP In Section 6we present the security and privacy analysis In Section 7 weprovide some possible variants and improvements At last weconclude the work
2 Related Works
21 Existing PPA Protocols and Their Limitations RecentlyPrivacy-Preserving Authentication (PPA) protocols [4ndash6] areproposed to protect private information for RFID usersThose approaches aim to provide authentication for tagswithout leaking their private information for example theIDs stored in tags
Early PPA protocols organize tags (or keys of the tags)in a linear structure [11 12] The linear structure results in119874(119873) search efficiency where 119873 is the number of tags in thesystem In large-scale systems that usually have millions oftags however 119874(119873) is insufficient to meet the need of fastprocessing In [13] the authors employ a time-space tradeoffto provide 119874(119873
23) search efficiency [14] but their work is
still inefficient for large-scale systems Later a number ofsynchronization protocols are proposed to utilize precom-puted records to accelerate the search procedure In [15ndash17] the reader synchronizes with tags for fast authenticationAlthough the synchronization approaches can provide 119874(1)
International Journal of Distributed Sensor Networks 3
search efficiency they are vulnerable to desynchronizationattacks In such attacks an adversary keeps interrogating atag until the counter of the tag goes beyond a predefinedthreshold In this case the protocol would be improperlybroken and the tag can be either unacceptable by legitimatereaders or trackable to attackers In [18] the authors proposea protocol which combines the synchronization methodwith exhaustive search Such a combination can achieveefficient authentication with high privacy protection whenthe protocol utilizes synchronizationmethod but suffers from119874(119873) search efficiency when the synchronization method isnot applicable
Besides the linear organization tags can be organizedin a virtual tree-based structure [19 20] In a tree-basedapproach each tag is attached to a leaf node Each node inthe tree keeps a random key A tag holds the keys on thepath from the root to the corresponding leaf node During anauthentication the reader sends a query and the tag generatesciphers using its keys Upon the ciphers the reader performsa Depth-First-Search (DFS) in the key tree for locating a pathwith correct keys that can successfully match those ciphersand hence authenticating the tag In this way the readercan authenticate a tag with an 119874(log119873) search efficiencywhere 119873 is the number of tags Tree-based protocols areefficient but they suffer from the compromising attack Intree-based approaches compromising attack is the mostserious threat because the tags share keys with each otherTheadversary can recognize an uncompromised tag via some ofthe keys obtained from compromised tags For example ina binary tree-based system with 220 tags compromising 20tags can achieve a nearly 955 probability of successfullytracking a tag [21] Many protocols are proposed to resistcompromising attack by utilizing key-updating mechanism[21] or balancing the tradeoff between time space andprivacy [22] Those protocols although mitigating the affectof compromising attacks still cannot provide strong ind-privacy [23] with less thanO(N) complexity In [9] a protocolemploying lightweight HB protocol instead of cryptographichash function is proposed to achieve efficient authenticationThis design based on tree architecture also suffers fromcompromising attack
Existing PPA protocols are designed for authenticating asingle tag at a time which is suitable for per-tag scenarioTheper-tag pattern however can hardly provide high efficiencyand privacy simultaneously which implies a need of adoptingpublic key cryptography [10] Unfortunately the adoptionof public key cryptography is prohibitively expensive formost tags due to the capability and resource limitationsSome researchers suggest weaker privacy models for per-tagauthentication [23 24]
Recently someworks emerged dealing withmultiple tagsrsquoidentification and thus are related to this work [25ndash28] Yanget al [25] propose to aggregate the responses from a batchof tags on corresponding readers and then the aggregatedresponses enable probabilistic verification for the batch oftags Bianchi [26] extends this approach and employs BloomFilter to achieve a more general frameworkThese two worksfocuses on the reader-to-server process procedure while our
approach focus on the searching process for authenticatingtags with privacy concern Zheng and Li [27] propose a fasttag searching protocol which is efficient and scalable formultiple tags However this work focuses on tag identifi-cation other than authentication Sheng and Tan [28] studythe group authentication problem with heterogeneous RFIDnetwork In this work more advanced computational RFIDtags are introduced helping regular tags to be authenticatedto the reader
22 Existing Anticollision Algorithms and Limitations On theother hand many anticollision algorithms such as [29ndash32]have been proposed to arbitrate collisions of multiple tagsThere are two major categories of anticollision algorithmsframed-slot-based approaches (also known asALOHA-basedapproaches) and tree-based approaches In an ALOHA-based approach a reader first sends query command claiminghowmany slots in a detecting frameThen each tag randomlyselects a slot and transmits the ID within the chosen slotIn some slots a collision may inevitably happen The readerwill repeatedly launch the detecting process until every tagcan be identified without collisions The tree-based anticol-lision protocols allow the reader to actively declare a filterAccording to the filter a set of tags are required to report theirIDs in a slot and others keep silent In this way the readercan decode responses and identify tags In [29] historicalinformation obtained from the last identification process isused in current identification process to decrease collisionsIn [30 31] a counter facilitates tags to evade collisions Thetags with a counter 0 respond the query and choose a valuefor example 0 or 1 for their counters in the next round if theycollide In [32] the authors propose a method for multiplereaders to interrogate tags with near-optimal number of timeslots
Being effective in collision arbitration the above designshowever are unsuitable for protecting privacy since the IDsare all in plain text during the anticollision process Althoughthe authors in [33] propose a pseudo-identifier to enableprivate anticollision the pseudo IDs cannot help the readerto know the real ID of the tagsThus the reader has to conductanother search procedure for locating the tags and gettingtheir keys needed for authentication
3 Observations and Motivation
31 Observations on Redundancy and Possible TreatmentsIn real RFID applications it is common that a batch oftags is within the detecting region of a reader The readeremploys an anticollision process to distinguish those tags andthen communicates with each of them for performing PPAauthentication Indeed the combination of anticollision andauthentication is inefficient
Firstly current PPA protocols are mainly designed forper-tag scenarios where the searching process for differenttagsrsquo keys contains many redundant computation and com-parison operations We demonstrate this fact via an exampleof a typical tree-based authentication protocol [20] The keysare arranged in a key tree as illustrated in Figure 1 The
4 International Journal of Distributed Sensor Networks
k10
k20
k30
k21
k32 k33
k23
k11
T1 T2T3 T4
M1
M2
Figure 1 Tree-based architecture
Request NR
) Fk1198942(r) Fk119894
119889(rGenerate NT
RTi
NT k1198941(r )⟩⟨F
set r = NT ||NR
Figure 2 Typical tree-based protocol
protocol is performed as shown in Figure 2 In Figure 1 1198791rsquos
keys are (11989610 11989621 11989632) 119873119877and 119873
119879are two nonces 119903 =
119873119877||119873119879is their conjunction and 119865
11989610
(119903) 11986511989621
(119903) and 11986511989632
(119903)
are three hash values computed by using 119903 and the three keys(11989610 11989621 11989632) of 119879
1 respectively The hash value with the
inputs of 119903 and tag119879119894rsquos jth level key 119896
119894
119895is119865119896119894
119895
(119903)The reader thenchecks the hash values at level 119895 to determine the 119895th branchthat the tag lies in Continuing this process the reader caneventually identify and authenticate a tag For the example inFigure 1 the reader will travel along the path root rarr 119872
1rarr
1198722
rarr 1198791to reach the leaf node 119879
1 In this way the reader
can authenticate a tag with 119874(log119873) efficiencyIn Figure 1 if 119879
1and 119879
2are both in the batch the
reader has to check (11989610 11989621 11989632) to authenticate 119879
1and
check (11989610 11989621 11989633) for 119879
2 The checking for 119896
10and 119896
21
is redundant Previous works pay little attentions to theredundant operations in PPA authentication because theymainly focus on the interaction between the individual tagand reader in the per-tagrsquos authentication If those redundantoperations are well arranged a nontrivial improvement onthe authentication efficiency can be achieved in the batch-type process
Secondly the anticollision and authentication processesare generally conducted separately In the existing works theresult of anticollision cannot be reused by the authenticationprocess Since existing anticollisionmechanisms are designedwithout considering privacy protection if a tag uses itsreal identifier in the anticollision process the privacy willbe broken To meet the need of privacy a tag can onlyuse anonymized ID for example a pseudo-identifier inthe anticollision process Nevertheless the reader cannotleverage anonymized ID to locate the tag in the database
in the PPA authentication process If the anticollision infor-mation is generated and utilized without privacy leakagethe authentication process can be accelerated by reusing theresult of anticollision
32 Motivation Based on above observations our moti-vation is to enable the collaboration of multiple tags toconcurrently achieve privacy-preserving collision arbitrationand fast authentication
We still employ the example in Figure 1 to explain ourstrategy Consider two tags 119879
2and 119879
3 If simultaneously
queried by a single reader with a timestamp 119903 they will emitmessages for the readerrsquos verification as defined in the PPAprotocolsThese messages are computed using the 119903 and theirkeys According to the collision resistance property of cryp-tographic hash functions the keys in different branches willproduce different outputs Thus the two hash values will bedifferent at some bits We call those bits as different collisionbits and their positions as collision positions Indeed thesecollisions provide us a possible way to privately differentiatetags
In fact a legitimate reader knows the keys of all tags thatis it knows the keys at each branch in the key tree This factallows us to leverage precomputed results to accelerate theauthentication In Figure 1 with these known parameters Rcan compute the possible hash values of119879
2and 119879
3at level 1 in
advanceThen119877 can compare these two hash values to obtainthe possible positions of collision bits R can just query thefirst collision bit to check if there is a difference If a collisionis detected at a virtual node in the binary key tree each ofits branches contains at least one tag in the detecting regionFigure 3 illustrates an example for 119879
2and 119879
3 At level 119909 minus 1 119877
pre-computes hash values ℎ(1198962
119909 119903119910) = 10110 and ℎ(119896
3
119909 119903119910) =
10000 where ℎ(119896119895
119909 119903119910) is computed with 119879
119895rsquos 119909th key and the
timestamp 119903119910for this current sessionas inputs The two hash
values differ at the 3rd bit then 119877 sends out a query (119903119910 1
3) where 1 denotes a value for collision bit at level 119909 minus 2
denoting node 1198721 and 3 is the collision position of level 119909
Upon the query1198792and1198793compute responses where (10110)
3
= 1 (10000)3= 0 and (V)
119906is the 119906th bit in VThen119879
3responds
ldquo1rdquo at time slot 0 and1198792responds ldquo1rdquo at time slot 1 In this way
ONE bit transmission is adequate in each time slot for tagrsquosresponse At level x R receives the responses and chooses abranch which is related to slot 1 in this example R also pre-computes and sends out the message to continue the depth-first-search With this message R moves to the node relatedto 1198792at next level and119879
3enters the ldquoholdingrdquo status in which
1198793will keep silent until its turn for any action In this way
tags collaboratively conduct the anticollision R can verify atagrsquos unique information when it moves to the leaf level tocomplete the authentication for this tag Note that even if acollision happens due to the existence of multiple tags in aslot R can still conduct the anticollision process because 119877
only requires the information that whether a branch containstag instead of recovering individual responses from tags
Based on the above analysis we find that combiningprivate anticollision and authentication processes is feasible
International Journal of Distributed Sensor Networks 5
In particular the length of each tagrsquos response message to thereader can be minimized to one bit
4 MAP Design
41 Overview The MAP has four components system ini-tialization tags authentication updating and system main-tenance
MAP also initializes a virtual tree to organize keys fortags Except the root each virtual node in the tree containsa key Each leaf node is assigned to a tag Hence the depthof the tree is 119874(log119873) where 119873 is the total number of tagsin the system The reader maintains the key tree and keeps itsecret
To enable concurrent authentication formultiple tags theauthentication of MAP contains two phases anticollision ofmultiple tags and authentication of individual tags Duringthe former phase tags return one-bit responses to thereader If more than one branch replies the reader splitsthe entire tree (or a branch of the tree) into two subtrees(or subbranches) The reader then informs the tags on onesubtree (or subbranch) to continue performing the MAPprotocol and the tags on the other subtrees (or subbranches)to hold
For each subtree (or sub branch) the reader recursivelyexecutes the MAP protocol When arriving at a leaf node inthe virtual tree MAP launches its authentication componentin which the reader mutually authenticates a tag
After a successful mutual authentication between thereader and a tag the keys of the tag will be updated and hencesynchronized at both the tag and the reader When updatingthe keys MAP employs a cryptographic hash function withthe current key and two random nonces as inputs to generatea new key
In addition MAP provides maintenance function to dealwith tagsrsquo joining and leaving Utilizing this component theexpired tags can also be renewed
42 System Initialization MAP employs a sparse treedenoted as 119878 to initialize and maintain the keys for alltags We use 120575 and 119889 to denote the branching factor (2 forbinary tree) and depth of 119878 respectively For the simplicity ofexplanation we choose the branching factor of 2 As shownin Figure 1 assuming there are 119873 tags 119879
119894 1 le 119894 le 119873
and a reader R in the RFID system the reader 119877 assigns119873 tags to 119873 leaf nodes in 119878 In the key tree each virtualnode except the root contains a secret key As a result eachtag has 119889 keys which form a path from the root of theresponding leaf node in 119878 Initially each key is randomlygenerated The cryptographic hash function used by 119877 andall tags is ℎ(sdot) A counter 119888
119901is stored in each tag recording
the anticollision sequence of the tag Each tag 119879119894also has a
timestamp timestampiWhen initializing a tag 119879
119894 119877 first dispatches 119889 keys to 119879
119894
and sets the 119888119901of 119879119894to 0 119877 also sets the value of an internal
counter 1198880= 0 The counters denote the ldquoholdingrdquo sequence
for later remounting The keys are corresponding to a pathfrom the root of 119878 to the tag For example in Figure 1 the keysstored in tag 119879
1are 11989610 11989621 and 119896
32 We denote the secret
keys of 119879119894as (1198961198941 119896119894
2 119896
119894
119889) We define 119896
119894
119909as the 119909th key of 119879
119894
corresponding to the depth 119909 119877 then sets the timestampi of119879119894to the current time
43 Tags Authentication The tags authentication of MAP isdifferent from existing protocols This component has twophases anticollision of multiple tags and authentication ofindividual tags as illustrated in Algorithm 1 On the readerside the corresponding authentication is recursively executedon the key tree as performing a depth-first-search (DFS)This is supported by the remount subcomponent
431 Anticollision The anticollision process starts from theroot of the key tree At each virtual node the reader 119877
conducts one round of communication with the tags in itsdetecting range In the anticollision process prior worksusually require a tag to respond with the whole hash valuecomputed using its key and ID Instead MAP requests thetag to reply with only ONE bit in each round of interactionas illustrated in Figure 3 The requested bit is in the highestposition of those bits that differ Algorithm 1 illustratesthe interactive communication We use 119875
119862to denote the
highest position of the possible collision bits and 119881119862
todenote the value of bit on this position Since the outputs ofcryptographic hash function in MAP are 64 bits long hashvalues the length of 119875
119862can be 6 bits The whole anticollision
is executed in 119878 as followsAt each non leaf depth 119909 minus 1 1 le 119909 le 119889 minus 1 (for the root
119909 = 1) 119877 has two tasks choosing the branch denoted by 1198811015840
119862
for the anticollision process at level 119909 minus 2 which is related toa node 119899 at level 119909 minus 1 and pre-computing 119875
119862using the keys
on 119899rsquos branches at level 119909 The value of 1198811015840
119862is computed using
the branch keys at depth 119909 minus 1To choose a branch related at depth 119909 minus 1 119877 randomly
chooses a collision value 1198811015840
119862based on the tagsrsquo responses
where1198811015840
119862is computed using the branch keys at depth 119909minus1 To
generate 119875119862 119877 creates a timestamp 119903
119910 where 119910 is an integer
counter 119877 uses the keys of 119899rsquos two children nodes to computetwo hash values in the form of ℎ(119896
119894
119909 119903119910) 119877 then compares
these two hash values and records the highest position of thepossible collision bits as 119875
119862 119877 then sends a query with four
parameters 119903119910 1198811015840119862 119875119862 and 119888
119910 where 119888
119910is a counter
Upon receiving the query a tag 119879119894 which responded in
depth 119909 minus 2 checks whether the timestamp is posterior tothe one it holds If yes 119879
119894believes the query is a new request
and checks if 1198811015840
119862matches its last response If yes 119879
119894computes
119881119862related to 119875
119862of level 119909 and chooses the 119881
119862th time slot
to respond with bit ldquo1rdquo Otherwise if not match 119879119894enters
the ldquoholdingrdquo status and stores 119888119910in 119888119901 If more than one
branch replies 119877 also records the pair of (119888119910 119899119910) where 119899
119910
denotes the sibling node related to the 1198811015840
119862at level 119909 minus 1 If 119879
119894rsquos
timestamp is larger than the one in the query it randomlychooses a slot to respond with bit ldquo1rdquo
The anticollision is an important part of authenticationprocess processing multiple tags at the same time Based onthis MAP provides multiple tags style authentication otherthan sequential authentication in which the authenticationprocedure for each tag does not overlap
6 International Journal of Distributed Sensor Networks
Anti-collision sub-component At non-leaf depth 119909 minus 1119877 randomly selects a branch sends (119903
119910 119875119862 1198811015840119862 119888119910)
119877 records (119888119910 119909 minus 1) 119888
119910++
Tags which match 1198811015840
119862choose time slot (ℎ (119896
119894
119909 119903119910))119875119862
Tags not match wait and record 119888119910in 119888119901
Go to depth 119909
Authentication sub-component plus updatingif 119909 = 119889 At leaf level
119877 sends a timestamp 1198771to 119879119894
119879119894checks 119877
1and delay 119905max(119905ℎ119903119890119904ℎ119900119897119889 minus 119877
1+ 1)
then replies (1198772 119868) where 119868 = ℎ(1 119896
119894
119889 1198771 1198772)
119877 computes a hash value for 119879119894to check 119868
if match119877 accepts 119879
119894 and sends 119872 = ℎ(2 119896
119894
119889 1198771 1198772)
119877 updates 119896119894
119889to ℎ(3 119896
119894
119889 1198771 1198772) update R
else if not match119877 sends 119872 as a random number if match
119879119894gets 119872 and computes a value to check 119872
if 119872 matches the computed value by 119879119894
119879119894accepts 119877
119879119894updates 119896
119894
119889to ℎ(3 119896
119894
119889 1198771 1198772) update 119879
119894
Remount119877 chooses the max 119888
1199101015840 stored as 119888max in (119888
1199101015840 119901119900119904
1199101015840 )
While exists such 119888max119877 sends to tags (119888max 1199031199101015840 119875119862)119879119895with 119888max chooses slot (ℎ(119896
119895
1199091015840+1
1199031199101015840 ))119875119862
119877 deletes the pair stored related to 119888max119877 continues to tags-authentication atdepth 119909
1015840+ 1 in the sub-tree which roots at 119901119900119904
1199101015840
Algorithm 1 Tags authentication in MAP
ReaderQuery Query
Tagcomputing
Tagreply
Tagcomputing
Slot Slot0 1
T2
T3 HoldLevel x
ry 1 3 ry+1 0 2
middot middot middot
middot middot middot
middot middot middotmiddot middot middot
middot middot middot
middot middot middot
Level x minus 2 Level x minus 1
3rd bit = 1
3rd bit = 0
2nd bit = 1
Figure 3 Anticollision with one bit
432 Authentication When arriving at a leaf node R startsthe authentication subcomponent with 119879
119894 R and 119879
119894authen-
ticate each other via this subcomponent At this point Rhas exploited the path from the root to the leaf node relatedto 119879119894 The subcomponent includes four steps as shown in
Algorithm 1(1) 119877 sends a query to 119879
119894with the timestamp 119877
1
(2) Upon this query 119879119894checks if 119877
1is acceptable and
delay 119905max(threshold minus 1198771
+ 1) where 119905max is a predefinedmaximum delay and threshold is a predefined maximum
counter value The value of 119905max and threshold can be ini-tialized empirically and adjusted in real application Then119879119894replies with a random nonce 119877
2and a hash value 119868 =
ℎ(1 1198771 1198772 119896119894
119889)
(3) 119877 compares 119868 to the hash value computed usingcorresponding key stored in the database If the two hashvalues are identical the reader accepts the tag as a legitimateone Otherwise 119877 treats the tag as illegal For a legal tagthe reader sends 119872 = ℎ(2 119877
1 1198772 119896119894
119889) as an authentication
message and then launches the updating component on the
International Journal of Distributed Sensor Networks 7
reader side For an illegal tag the reader only sends a randombit string with the same length of ℎ(sdot)
Note that the key in the leaf node may not match thecorresponding tagrsquos key In this case 119877 has to search throughthe entire database to check if a matching key can be foundIf such a key is found the tag is accepted as legitimate Inthis way even a tag which is desynchronization attacked andthus has a big timestamp can also be authenticated This canprevent attackers from distinguishing tags by whether theycan be accepted
(4) UponM 119879119894computes the hash value based on the key
stored in it If they are matched119879119894takes 119877 as a legitimate one
119879119894then launches the updating on the tag side if119877 is legitimateA collisionmayhappenwhen two tags choose an identical
leaf node At this time there is more than one tag respondingto the readerTheir signals will collide and cannot be correctlydecodedThis can happenwhen a tagrsquos random choicesmatchthe path of the other tag from root to leaf The possibility is2minus119889 where 119889 is the depth of the key tree While the possibilityis negligible we just take these collidedmessages as a randommessage and complete the routine processes of authenticationand updating As each tag has a unique leaf key which will beupdated involving the random nonces during authenticationthe possibility they collide again at the leaf node will still benegligible we will process the colliding tags in the next roundof entire tags-authentication process
433 Remount After authentication and updating of atag the whole tag authentication process is remounted forunprocessed tags according to their ldquoholdingrdquo sequence indescending order 119877 finds out the max counter 119888max in the(1198881199101015840 1199011199001199041199101015840) pairs stored in the reader where 119910
1015840 is an integerIf there exists such a 119888max 119877 computes 119875
119862for the branches
of 1199011199001199041199101015840 and starts the anticollision subcomponent in the
subtree rooted at 1199011199001199041199101015840 To do this the reader sends a
recursive query command 1199031198901198881198761199061198901199031199101199101015840 with 119888max 119875
119862 and
a new timestamp 1199031199101015840 Upon this query each tag checks its
internal counter 119888119901The tags that have amatched 119888max respond
with the corresponding119881119862 If no such a 119888max exists the reader
terminates the current round of MAP and launches a newround The reader iteratively performs the authenticationprocess until all tags are processed or the number of roundsexceeds a predefined threshold threshold In MAP if there aresome tags moving into the detecting region of 119877 in currentround 119877 will treat them as newly coming tags in the nextround
We illustrate the above process by using the example ofauthenticating 119879
1 1198792 and 119879
3in Figure 1 Assume the reader
chooses the left branch each timeThen there is no collision atdepth 0 and the entire authentication procedure goes to thesubtree rooted at the node related to 119896
10at depth 1 The 119881
119862
values related to keys at depth 2 will collide 119877 moves downto the left branch related to 119896
20and 119896
30 119877 puts 119879
2and 119879
1in
a holding state at this point 119877 also records the anticollisionsequence and the node related to 119896
21 As there is no more
collision for1198793119877 completes the authentication of119879
3and goes
back to the holding tags 119877 requests 119881119862related to the keys at
depth 3The responses of 1198792and 119879
1fall in different branches
Then 119877 puts 1198792to holding state and authenticates 119879
1 After
that the reader 119877 authenticates 1198792
44 Updating After a successful mutual authenticationbetween the tag and reader the updating process follows asillustrated in Algorithm 1 MAP only updates the leaf keys formultiple tags environments where a leaf key is the key onthe leaf node There are two reasons First in our protocolthe keys on nonleaf nodes are only used for navigationSecond as analyzed in [22] updating keys for tags withoutchanging the sharing relationship of keys among tags will notincrease the difficulty for adversaries to successfully conductcompromising attacks We also allow a tag to be renewed inthe system maintenance component as an updating methodwhich also updates the tagrsquos location and the correspondingkeys in the virtual tree for better privacy
R updates the keys for a tag after a successful authentica-tion of the tag At the corresponding leaf node a new leaf keyis generated as 119896
119894
119889
1015840
= ℎ(3 1198771 1198772 119896119894
119889) for 119879
119894 119879119894updates its leaf
key only after a successful authentication of 119877 by checkingM
45 System Maintenance Users may want to insert renewor withdraw their tags The system maintenance componentdeals with these requests
If a new tag joins in the systemR initializes it by assigningit to an empty leaf node and generates the necessary keys forit If a tag is withdrawn R simply deletes the information oncorresponding nodes related to the tag from S
We also allow a tag to be renewed for better security andprivacy The permission is controlled by the manager Whena tag is permitted to be renewed it is first withdrawn by thereader Then the reader treats the tag like a new one andinserts it into the system After being renewed the new keysand related path in the key tree have no relation with the oldones
5 Performance Analysis
In this section we analyze the performance of MAP con-sidering both communication and computation costs Wetheoretically analyze the costs and give the correspondingupper bound lower bound andmean valueWe also launch asimulation Then we compare the performance of MAP withtwo combination solutions
51 Theoretical Analysis In MAP multiple tags are authenti-cated concurrently thus we care about the average time costsderived from costs for all tags divided by the number of tagsIn Section 5 when we mention a cost for each tag we aremeaning such an average time cost for each tag
There are cases when the tags to be authenticated coverthe least branchesThenpaths of these tags cover a full subtreeand a single path from the root of this subtree to the rootof system tree 119878 as 119879
1and 119879
2in Figure 4(a) In these cases
arbitrations and hash computations are shared by the mosttags Thus it is possible that both the communication andcompute cost for each tag are the least in these cases
8 International Journal of Distributed Sensor Networks
k10
k21
k32 k33
T1 T2
M1
M2
(a) Most sharing
k20
k30
k10
T3
(b) Least sharing
Figure 4 The different sharing scenarios
Contrarily when the tags cover the most branchesrespecting no path being shared as 119879
3itself in Figure 4(b)
then it is possible that both communication and compute costfor each tag are the largest as arbitrations and hash computesare shared by the least tags
For theoretic comprehensibility we consider time cost fortransferring hash values in communication cost For computecost we consider only cost for computing hash values atboth reader end and tag end For the overall cost consideringoverheads we give a simulation result in Section 52
When tags cover the least branches the minimumcommunication and compute cost are computed as followsTheoretically they are the lower bound of MAP in terms oftime cost Indeed both of them are in O(1) complexity
Commmin = 119905auth + 2119905query + 119905reply minus
(119905query + 119905reply)
119873
asymp 119905auth + 2119905query + 119905reply
Compmin = (2 minus1
119873) 119905119905119888119900119898119901
+ (3 minus2
119873119860
) 119905119903119888119900119898119901
asymp 2119905119905119888119900119898119901
+ 3119905119903119888119900119898119901
(1)
where the 119889 is the height of the system tree 119878 119873 is thenumber of tags in the system 119873
119860is the number of tags to
be authenticated and 119873119860
= 119873 in this case 119905query is the timefor a reader 119877 to send out a query 119905reply is the time for eachtag on both branches to reply their related 1 bit 119881
119862values in
the two time slots 119905auth is the time for a tag to send the hashvalue of its leaf node 119905
119905119888119900119898119901is the time for a tag to compute
a hash value and 119905119903119888119900119898119901
is the time for 119877 to compute a hashvalue Note that we suppose sending the request commandsneeds the same time as the 119905query
When each tag covers themost branches there is only onetag to be authenticated Thus we get the maximum costs Wedenote the maximum communication and compute cost as
Commmax and Compmax respectively The theoretical upperbound cost of MAP is given by
Commmax = 119905auth + 119889 times 119905reply + (119889 + 1) 119905query
Compmax = (119889 + 1) 119905119903119888119900119898119901
+ (2119889 + 1) 119905119903119888119900119898119901
(2)
where 119889 is the height of the system tree 119878 We can find thatboth the maximum costs have an 119874(log119873) complexity
When tags cover all branches supposing the coverprobability is unique we get the mean communication andcomputing costs as follows
Commmean = 119905auth + 119905query
+ (119905query + 119905reply) (2 + 119889 minus log2119873119860
minus1
119873119860
)
asymp 119905auth + 119905query + (119905query + 119905reply)
times (2 + 119889 minus log2119873119860
)
Compmean = (2 + 119889 minus log2119873119860
minus1
119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
minus1
119873119860
) 119905119903119888119900119898119901
asymp (2 + 119889 minus log2119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
) 119905119903119888119900119898119901
(3)
Both Commmean and Compmean are strict monotonicfunctions of 119873
119860 When 119873
119860is big enough they approach the
constant value of 119874(1)Considering the minimum authentication cost without
anticollision or updating for a single tag in traditional tree-based protocol it will need to compute transmit and verifyat least log
120575119873 ciphers where 120575 is the branching factor of the
key tree When the tag lies at the first-reach leaf the costis minimum with message length and computation times ofabout log
120575119873 When the tag lies at the last-reach leaf the cost
is maximum with the computation times enlarged to about120575 times log
120575119873 The average computation cost is about (1 + 120575)2 times
log120575119873ThusMAP protocol outperforms the traditional tree-
based protocol theoretically
52 Simulation We compared the average processing timeof MAP to two simple combination solutions Both thetwo solutions use the slot-count (Q) selection algorithm inEPC C1G2 UHF Air Interface Protocol Standard [31] foranticollision The PPA protocols for these two solutions arethe typical tree-based protocol [20] and RWP protocol [22]with O(1) complexity In all protocols both tag side andreader side employ SQUASH (SQUaring haSH) which isproposed by Shamir in [8] to compute hash values SQUASHneeds only several hundred gate equivalents (GEs) and isappropriate for low cost RFID tags We consider the overalltime cost including communication cost and search cost
International Journal of Distributed Sensor Networks 9
The communication cost includes the cost for transmittingcommands and data with overheads such as wait time timeout frame sync and preamble Note that compared to otherkinds of wireless communication such as WiFi the messagesexchanged between the reader and tags are very short Thusthe overheads are not negligible All the command formatsdata formats and link timing follow the standard In searchcost we consider compute cost for hash values by both readerand tags We assume the reader can process 223 times 64 bitsSQUASH in a second in average For the tag we assume it canprocess one time SQUASH in 6775 us and 242 us We makethese two assumptions based on the link timing requirementsspecified in the standard
In our simulation the forward data rate is 40Kbps andthe backward data rate is 320KbpsWe suppose that there are220 tags in the system We choose tags randomly and repeatthe whole process 100 times for average results
In Figure 5 we give the result for 1000 tags The simu-lation result shows that MAP gains a better efficiency thantypical tree-based protocol The average time cost of tree-based protocols is about 22 times to 42 times that of MAPThe efficiency of MAP asymptotically approaches the RWPprotocol with O(1) complexity as the size of the tag setapproaches 1000 The simulation result is in accordance withthe theoretical analysis That is because in MAP computingand communication are shared between all tags Moreoverduring anticollision subcomponent tags respond with only 1bit to save communication cost That is why MAP outper-forms typical tree-based protocol when tag size is small
According to the performance result in [26] for 1000 tagsin a system with 105 tags at 40Kbps forward rate achieving1 erroneous decision the SEBA approach [25] needs 41min-utes while the SEBA+ approach [26] needs about 4 minutesUtilizing MAP it takes about 1000 times 10405times 10minus6 s = 1122 swhich is less than SEBA and more than SEBA+ Howeverthe result in [26] considers only the message transmissiontime leaving out the nonnegligible computation time andthe communication overheads such as wait time time outframe sync and preamble Moreover MAP provides accurateauthenticationwith no error probabilityThusMAP is a goodchoice in performance for the authentication ofmultiple tags
6 Security and Privacy Analysis
In this section we analyze the security and privacy charactersof MAP Because our approach is tree based we focus onresistance to compromising attackwhich has themost seriousimpact on conventional tree-based approaches [23] Weprove that MAP is m-strong-ind-private showing that MAPsatisfies strong privacy protection in multiple tags scenarioWe also show the abilities of MAP in terms of confidentialitycloning resistance tracking resistance timing-based attackresistance and forward secrecy
61 Compromising Attack Compromising attack is the mosteffective way for crashing tree-based protocols That isbecause tags organized in tree-based structures share keyswith each other When an adversary 119860 compromises some
0 200 400 600 800 1000
39
4
41
42
43
44
45
46
47
48
Size of tag set to be authenticated
log10
style
)
Tree-basedTree-basedMAP
MAPRWPRWP
242120583s6775120583s
6775120583s
242120583s242120583s6775120583s
Aver
age p
roce
ssin
g tim
e (120583
sFigure 5 Comparison on performance for 1ndash1000 tags
tags and thus obtain their secret keysA can deduce the secretkeys of other tags In conventional tree-based protocols alegitimate reader splits a tag from other possible ones levelby level and finally authenticates it on the leaf using itskeys on related levels An adversary can also distinguishtags and further track them in this way with keys fromthe compromised tags For detailed analysis please refer to[14 21]
Our analysis is based on the works in [10 14 18 2123 34] The notion of strong ind-privacy defined in [23]which is equivalent to the destructive-privacy defined in[34] is very similar to the strong privacy provided byMAP except that MAP focuses on privacy protection formultiple tags The existing privacy models are designedfor one-tag-one-reader authentication scheme and focus ondistinguishability privacy between TWO tags only They arenot fit for the multiple tags scenario in MAP where thereader cannot communicate to a tag before anticollisionsubcomponent
We define a new model for multiple tags environmentsincluding four oracles Request(sdot sdot sdot) Send(sdotsdot) Relay(sdotsdot) andCompromise(sdot) to formulate the attacks to the tag sets andreader Assume we have a tag set 119873
119878 Any attack on 119877 or 119873
119878
can be represented by calling on its oraclesRequest(119873
119878 1198981 1198983) A queries the tag set 119873
119878by a query
message1198981and receives the responsesThen119860 sends another
message 1198983to 119873119878 including the collision arbitration and Rrsquos
authentication dataSend(R 119898
2) A sends a message 119898
2 representing the tag
setrsquos reply and authentication messages to 119877 and receives aresponse
Relay(119873119878 119877) A relays the messages between 119873
119878and R A
can arbitrarily modify the messages from one side to another
10 International Journal of Distributed Sensor Networks
Compromise(119873119862) A compromises tags in set 119873
119862and
obtains their secret keys where 119873119862is a tag set 119860 obtains The
compromised tags are broken and cannot be used any furtherThe compromising attack on MAP denoted by
CAMAP119860
[1198960 119873119860
] is performed with the following steps
Step 1 The adversary 119860 compromises 1198960tags and obtains
their secret keys
Step 2 A chooses a target tag 119879 that has not been compro-mised A can query 119879 or act as a man-in-the-middle between119879 and the reader 119877 polynomial times Note that 119860 cannotcompromise119879 According to the secret keys119860 gains in Step 1A can compute outputs of these keys and compare to themTrsquosoutputs In this way 119860 can determine which of Trsquos keys equalto Arsquos known keys
Step 3 The system gives a tag set 119873119878with 119873
119874tags including
119879 Then 119873119878is divided into two subsets 119873
1198781and 119873
1198782 For the
simplicity we assume each subset contains 119873119860tags Or else
we can define the smaller set contains119873119860tags which will not
affect the result of analysis but complex the analysis processA randomly picks a subset 119873
119878119887 where b = 0 or b = 1 and
determines if 119879 is in this subset A can pick both subsets If119873119878119887
contains T A can proceed tracking 119879 by tracking 119873119878119887
otherwise 119873119878(1minus119887)
A can send queries to the tag set or act asa man-in-the-middle between the tag set and the reader 119877
polynomial times but cannot compromise those tagsWe denote
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] (4)
as the possibility 119860 definitely knows whether tag set 119873119878119887
includes T A succeeds if 119860 definitely knows which tag setincludes 119879 Then the possibility that 119860 succeeds is
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] = 1 minus (1 minus 1198750)2
(5)
where 1198750is the possibility that 119860 succeeds in either subset in
a system employing MAP
Definition 1 Theadvantage of adversary119860 in the compromis-ing attack is defined as
advMAP119860
(1198960 119873119860
) =
1003816100381610038161003816100381610038161003816(119875MAP +
1
2(1 minus 119875MAP)) minus
1
2
1003816100381610038161003816100381610038161003816=
119875MAP2
(6)
where the probability is the advantage of 119860 correctly guessagainst randomly guess which subset 119879 is in
Definition 2 (M-strong(120576 1198960 119873119860
)-ind-privacy) An RFIDprotocol PRO is m-strong( 120576 119896
0 119873119860)-ind-private if when 119873
119860
approaches N the advantage advPRO119860
(1198960 119873119860
) is at most 120576 inpolynomial time Where 119873
119860lt 119873 120576 is an infinitesimal when
119873 approaches infinity
M-weak(120576 1198960 119873119860)-ind-privacy is defined the same as m-
strong (120576 1198960 119873119860
)-ind-privacy except that 1198960= 0
Destructive Final NoCorrupt corrput Corrupt corrupt
Wide
Narrow
m-strong m-forward m-weak
m-narrow m-narrowm-narrowm-narrowstrong destructive
m-destructive
forward weak
Figure 6 The privacy levels
The above two privacy notions can be simply denotedas m-strong-ind-privacy (MSIP) and m-weak-ind-privacy(MWIP) where the letter ldquo119898rdquo is the abbreviation of mul-tiple tags When 119873
119860= 1 the MSIP (MWIP) equals the
strong-privacy (weak-privacy) in Juelsrsquos model [23] and thedestructive-privacy (weak-privacy) in Vaudenayrsquos model [34]At this time the case of a tag lying in a set is identical tothe case of the target tag being a particular tag in traditionalprivacy model with two tags Thus our multiple tags privacymodel is a generalized version of existing privacy models[23 34] On the contrary the existing privacy models arespecial cases of multiple tags privacy where each tag set hasonly one tagThen we can define 8 different levels of privacyby generalizing Vaudenayrsquos model for multiple tags scenariosas illustrated in Figure 6
The above model is dedicated for classifying the privacyprotection in multiple tags scenarios Intuitively it is easierfor a tag to hide in a set than to behavior indistinguishably toanother tag Thus the above model is a model weaker thanthe privacy models for one-reader-one-tag scenarios
However if the authentication protocol does not take thisadvantage then the protocol cannot provide better privacyin scenarios with multiple tags than in one-reader-one-tag scenarios no matter how many tags are there to beauthenticated For example in the OSK [12] protocol onedesynchronized tag cannot be accepted by a legitimate readerThus a desynchronized tag can still be distinguished in a tagset saying nothing of hiding in the set As a result the OSKmethod cannot providem-strong-ind-privacy orm-weak-ind-privacy
In the tree for MAP when 119860 is not aware of all keys inboth branches A does not know the 119875
119862and has to randomly
guess one for navigation and conduct the searching processWhen the guess fails A sends out a position that has nocollisions Then 119860 cannot split the tags Only when 119860 knowsall the keys in the branches related to T A can send outthe correct 119875
119862and proceed on tracking That is the main
reason whyMAP performs better than traditional tree-basedprotocols in defending against compromising attacks In facttheMAP protocol ism-strong-ind-private as will be proven inthe bellowing
Theorem 3 TheMAP protocol is MSIP private
Proof We perform the compromising attack with MAPprotocol as follows
We denote tags in 119873119878119887
by 1198791015840 We denote keys in 119879
and 1198791015840 with (119896119890119910
0 1198961198901199101 119896119890119910
119889) and (119896119890119910
1015840
0 1198961198901199101015840
1 119896119890119910
1015840
119889)
International Journal of Distributed Sensor Networks 11
respectively where 119889 is the depth of the tree Considering atlevel 119909 where 119896119890119910
119909is in a subtree we use 119870
119909to denote the
set of known keys by 119860 in this subtree and 119896119909to denote
the number of keys in 119870119909 And 119896
0is the number of tags
compromised There are three cases to be considered at levelxCase 1 A does not succeed in previous 119909 minus 1 levels and thereis exactly one key 119896119890119910
1015840
119909equal to 119896119890119910
119909 A definitely knows 119873
119878119887
includes 119879 The possibility is
119875119903(1198621
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times
1
120575119909times (1 minus
1
120575119909)
119873119860minus1
(7)
Case 2119860 does not succeed in previous 119909minus1 levels and therersquosno key 119896119890119910
1015840
119909equals to 119896119890119910
119909 A definitely knows that 119873
119878119887does
not include 119879 The possibility is
119875119903(1198622
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times (1 minus
1
120575119909)
119873119860
(8)
Case 3 119860 does not succeed in previous 119909 minus 1 levels and morethan one key 119896119890119910
1015840
119909equals 119896119890119910
119909 In this case 119860 fails at level 119909
and should move to level 119909 + 1 The possibility is
119875119903(1198623
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575minus 119875119903(1198621
119909) minus 119875119903(1198622
119909)
(9)
Theoverall probability of119860 definitely knowswhether119873119878119887
includes 119879 is
1198750
= 119875119903(1198621
1or 1198622
1) +
119889
sum
119909=2
(119875119903(1198621
119909or 1198622
119909) times
119909minus1
prod
119910=1
119875119903(1198623
119910))
= (1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
times
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
)))
(10)
where
119875 (119896119890119910119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895) (120575 minus 119895)
(120575119909 minus 119895)2
1198961
= 120575 (1 minus (1 minus1
120575)
1198960
)
119896119909
= 120575 (1 minus (1 minus1
120575)
119892(119896119909)
) (2 le 119909 le 119889)
119892 (119896119909) = 1198960
119909minus1
prod
119910=1
1
119896119910
(11)
The possibility 119860 succeeds in either subset is 1198750which is
a monotonically decreasing function of 119873119860 so is 119875MAP The
advantage of 119860 is 119875MAP which decreases exponentially to 0 as119873119860increases to be big enoughConsidering that 119896
119909le 120575 and 120575 ge 2 we have the following
derivations
(1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
le (1
2)
119873119860minus1
1198961
120575
1198961
120575
1198961
minus 1
120575 minus 1
le (1
2)
119873119860minus1
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
))
lt
119909minus1
prod
119910=1
(119875 (119896119890119910119910) times 1 times 1)
=
119909minus1
prod
119910=1
119875 (119896119890119910119910)
(12)
Then we have the following deduction
1198750
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
119909minus1
prod
119910=1
119875 (119896119890119910119910))
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
(1 minus1
120575119909)
119873119860minus1
lt (1
2)
119873119860minus1
+ 119889(1 minus1
1205752)
119873119860minus1
(13)
The right part of the inequality is a monotonicallydecreasing function of 119873
119860 For example it can be deduced
that 1198750
lt (12)119873119860minus1
+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875
0is an
infinitesimal as 119873119860approaches 119873 so is 119875MAP According to
Definition 2 MAP ism-strong-ind-private
12 International Journal of Distributed Sensor Networks
0 50 100 150 2000
02
04
06
08
1
Succ
essfu
l pro
b o
f atta
ck
Size of tag set to be authenticated
MAPTree-based
Figure 7 Comparisons on defending against compromising attack
Assume a RFID system of 220 tags with 120575 = 2 and 119889 =
20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]
We can find that for both protocols the possibilities that119860
succeeds reduceswhen119873119860increases ForMAP the possibility
reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873
119860gt 8 119875MAP lt
005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200
62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information
63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881
119862values are only used for
navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol
64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack
in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key
MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack
An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860
firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold
65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough
66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 3
search efficiency they are vulnerable to desynchronizationattacks In such attacks an adversary keeps interrogating atag until the counter of the tag goes beyond a predefinedthreshold In this case the protocol would be improperlybroken and the tag can be either unacceptable by legitimatereaders or trackable to attackers In [18] the authors proposea protocol which combines the synchronization methodwith exhaustive search Such a combination can achieveefficient authentication with high privacy protection whenthe protocol utilizes synchronizationmethod but suffers from119874(119873) search efficiency when the synchronization method isnot applicable
Besides the linear organization tags can be organizedin a virtual tree-based structure [19 20] In a tree-basedapproach each tag is attached to a leaf node Each node inthe tree keeps a random key A tag holds the keys on thepath from the root to the corresponding leaf node During anauthentication the reader sends a query and the tag generatesciphers using its keys Upon the ciphers the reader performsa Depth-First-Search (DFS) in the key tree for locating a pathwith correct keys that can successfully match those ciphersand hence authenticating the tag In this way the readercan authenticate a tag with an 119874(log119873) search efficiencywhere 119873 is the number of tags Tree-based protocols areefficient but they suffer from the compromising attack Intree-based approaches compromising attack is the mostserious threat because the tags share keys with each otherTheadversary can recognize an uncompromised tag via some ofthe keys obtained from compromised tags For example ina binary tree-based system with 220 tags compromising 20tags can achieve a nearly 955 probability of successfullytracking a tag [21] Many protocols are proposed to resistcompromising attack by utilizing key-updating mechanism[21] or balancing the tradeoff between time space andprivacy [22] Those protocols although mitigating the affectof compromising attacks still cannot provide strong ind-privacy [23] with less thanO(N) complexity In [9] a protocolemploying lightweight HB protocol instead of cryptographichash function is proposed to achieve efficient authenticationThis design based on tree architecture also suffers fromcompromising attack
Existing PPA protocols are designed for authenticating asingle tag at a time which is suitable for per-tag scenarioTheper-tag pattern however can hardly provide high efficiencyand privacy simultaneously which implies a need of adoptingpublic key cryptography [10] Unfortunately the adoptionof public key cryptography is prohibitively expensive formost tags due to the capability and resource limitationsSome researchers suggest weaker privacy models for per-tagauthentication [23 24]
Recently someworks emerged dealing withmultiple tagsrsquoidentification and thus are related to this work [25ndash28] Yanget al [25] propose to aggregate the responses from a batchof tags on corresponding readers and then the aggregatedresponses enable probabilistic verification for the batch oftags Bianchi [26] extends this approach and employs BloomFilter to achieve a more general frameworkThese two worksfocuses on the reader-to-server process procedure while our
approach focus on the searching process for authenticatingtags with privacy concern Zheng and Li [27] propose a fasttag searching protocol which is efficient and scalable formultiple tags However this work focuses on tag identifi-cation other than authentication Sheng and Tan [28] studythe group authentication problem with heterogeneous RFIDnetwork In this work more advanced computational RFIDtags are introduced helping regular tags to be authenticatedto the reader
22 Existing Anticollision Algorithms and Limitations On theother hand many anticollision algorithms such as [29ndash32]have been proposed to arbitrate collisions of multiple tagsThere are two major categories of anticollision algorithmsframed-slot-based approaches (also known asALOHA-basedapproaches) and tree-based approaches In an ALOHA-based approach a reader first sends query command claiminghowmany slots in a detecting frameThen each tag randomlyselects a slot and transmits the ID within the chosen slotIn some slots a collision may inevitably happen The readerwill repeatedly launch the detecting process until every tagcan be identified without collisions The tree-based anticol-lision protocols allow the reader to actively declare a filterAccording to the filter a set of tags are required to report theirIDs in a slot and others keep silent In this way the readercan decode responses and identify tags In [29] historicalinformation obtained from the last identification process isused in current identification process to decrease collisionsIn [30 31] a counter facilitates tags to evade collisions Thetags with a counter 0 respond the query and choose a valuefor example 0 or 1 for their counters in the next round if theycollide In [32] the authors propose a method for multiplereaders to interrogate tags with near-optimal number of timeslots
Being effective in collision arbitration the above designshowever are unsuitable for protecting privacy since the IDsare all in plain text during the anticollision process Althoughthe authors in [33] propose a pseudo-identifier to enableprivate anticollision the pseudo IDs cannot help the readerto know the real ID of the tagsThus the reader has to conductanother search procedure for locating the tags and gettingtheir keys needed for authentication
3 Observations and Motivation
31 Observations on Redundancy and Possible TreatmentsIn real RFID applications it is common that a batch oftags is within the detecting region of a reader The readeremploys an anticollision process to distinguish those tags andthen communicates with each of them for performing PPAauthentication Indeed the combination of anticollision andauthentication is inefficient
Firstly current PPA protocols are mainly designed forper-tag scenarios where the searching process for differenttagsrsquo keys contains many redundant computation and com-parison operations We demonstrate this fact via an exampleof a typical tree-based authentication protocol [20] The keysare arranged in a key tree as illustrated in Figure 1 The
4 International Journal of Distributed Sensor Networks
k10
k20
k30
k21
k32 k33
k23
k11
T1 T2T3 T4
M1
M2
Figure 1 Tree-based architecture
Request NR
) Fk1198942(r) Fk119894
119889(rGenerate NT
RTi
NT k1198941(r )⟩⟨F
set r = NT ||NR
Figure 2 Typical tree-based protocol
protocol is performed as shown in Figure 2 In Figure 1 1198791rsquos
keys are (11989610 11989621 11989632) 119873119877and 119873
119879are two nonces 119903 =
119873119877||119873119879is their conjunction and 119865
11989610
(119903) 11986511989621
(119903) and 11986511989632
(119903)
are three hash values computed by using 119903 and the three keys(11989610 11989621 11989632) of 119879
1 respectively The hash value with the
inputs of 119903 and tag119879119894rsquos jth level key 119896
119894
119895is119865119896119894
119895
(119903)The reader thenchecks the hash values at level 119895 to determine the 119895th branchthat the tag lies in Continuing this process the reader caneventually identify and authenticate a tag For the example inFigure 1 the reader will travel along the path root rarr 119872
1rarr
1198722
rarr 1198791to reach the leaf node 119879
1 In this way the reader
can authenticate a tag with 119874(log119873) efficiencyIn Figure 1 if 119879
1and 119879
2are both in the batch the
reader has to check (11989610 11989621 11989632) to authenticate 119879
1and
check (11989610 11989621 11989633) for 119879
2 The checking for 119896
10and 119896
21
is redundant Previous works pay little attentions to theredundant operations in PPA authentication because theymainly focus on the interaction between the individual tagand reader in the per-tagrsquos authentication If those redundantoperations are well arranged a nontrivial improvement onthe authentication efficiency can be achieved in the batch-type process
Secondly the anticollision and authentication processesare generally conducted separately In the existing works theresult of anticollision cannot be reused by the authenticationprocess Since existing anticollisionmechanisms are designedwithout considering privacy protection if a tag uses itsreal identifier in the anticollision process the privacy willbe broken To meet the need of privacy a tag can onlyuse anonymized ID for example a pseudo-identifier inthe anticollision process Nevertheless the reader cannotleverage anonymized ID to locate the tag in the database
in the PPA authentication process If the anticollision infor-mation is generated and utilized without privacy leakagethe authentication process can be accelerated by reusing theresult of anticollision
32 Motivation Based on above observations our moti-vation is to enable the collaboration of multiple tags toconcurrently achieve privacy-preserving collision arbitrationand fast authentication
We still employ the example in Figure 1 to explain ourstrategy Consider two tags 119879
2and 119879
3 If simultaneously
queried by a single reader with a timestamp 119903 they will emitmessages for the readerrsquos verification as defined in the PPAprotocolsThese messages are computed using the 119903 and theirkeys According to the collision resistance property of cryp-tographic hash functions the keys in different branches willproduce different outputs Thus the two hash values will bedifferent at some bits We call those bits as different collisionbits and their positions as collision positions Indeed thesecollisions provide us a possible way to privately differentiatetags
In fact a legitimate reader knows the keys of all tags thatis it knows the keys at each branch in the key tree This factallows us to leverage precomputed results to accelerate theauthentication In Figure 1 with these known parameters Rcan compute the possible hash values of119879
2and 119879
3at level 1 in
advanceThen119877 can compare these two hash values to obtainthe possible positions of collision bits R can just query thefirst collision bit to check if there is a difference If a collisionis detected at a virtual node in the binary key tree each ofits branches contains at least one tag in the detecting regionFigure 3 illustrates an example for 119879
2and 119879
3 At level 119909 minus 1 119877
pre-computes hash values ℎ(1198962
119909 119903119910) = 10110 and ℎ(119896
3
119909 119903119910) =
10000 where ℎ(119896119895
119909 119903119910) is computed with 119879
119895rsquos 119909th key and the
timestamp 119903119910for this current sessionas inputs The two hash
values differ at the 3rd bit then 119877 sends out a query (119903119910 1
3) where 1 denotes a value for collision bit at level 119909 minus 2
denoting node 1198721 and 3 is the collision position of level 119909
Upon the query1198792and1198793compute responses where (10110)
3
= 1 (10000)3= 0 and (V)
119906is the 119906th bit in VThen119879
3responds
ldquo1rdquo at time slot 0 and1198792responds ldquo1rdquo at time slot 1 In this way
ONE bit transmission is adequate in each time slot for tagrsquosresponse At level x R receives the responses and chooses abranch which is related to slot 1 in this example R also pre-computes and sends out the message to continue the depth-first-search With this message R moves to the node relatedto 1198792at next level and119879
3enters the ldquoholdingrdquo status in which
1198793will keep silent until its turn for any action In this way
tags collaboratively conduct the anticollision R can verify atagrsquos unique information when it moves to the leaf level tocomplete the authentication for this tag Note that even if acollision happens due to the existence of multiple tags in aslot R can still conduct the anticollision process because 119877
only requires the information that whether a branch containstag instead of recovering individual responses from tags
Based on the above analysis we find that combiningprivate anticollision and authentication processes is feasible
International Journal of Distributed Sensor Networks 5
In particular the length of each tagrsquos response message to thereader can be minimized to one bit
4 MAP Design
41 Overview The MAP has four components system ini-tialization tags authentication updating and system main-tenance
MAP also initializes a virtual tree to organize keys fortags Except the root each virtual node in the tree containsa key Each leaf node is assigned to a tag Hence the depthof the tree is 119874(log119873) where 119873 is the total number of tagsin the system The reader maintains the key tree and keeps itsecret
To enable concurrent authentication formultiple tags theauthentication of MAP contains two phases anticollision ofmultiple tags and authentication of individual tags Duringthe former phase tags return one-bit responses to thereader If more than one branch replies the reader splitsthe entire tree (or a branch of the tree) into two subtrees(or subbranches) The reader then informs the tags on onesubtree (or subbranch) to continue performing the MAPprotocol and the tags on the other subtrees (or subbranches)to hold
For each subtree (or sub branch) the reader recursivelyexecutes the MAP protocol When arriving at a leaf node inthe virtual tree MAP launches its authentication componentin which the reader mutually authenticates a tag
After a successful mutual authentication between thereader and a tag the keys of the tag will be updated and hencesynchronized at both the tag and the reader When updatingthe keys MAP employs a cryptographic hash function withthe current key and two random nonces as inputs to generatea new key
In addition MAP provides maintenance function to dealwith tagsrsquo joining and leaving Utilizing this component theexpired tags can also be renewed
42 System Initialization MAP employs a sparse treedenoted as 119878 to initialize and maintain the keys for alltags We use 120575 and 119889 to denote the branching factor (2 forbinary tree) and depth of 119878 respectively For the simplicity ofexplanation we choose the branching factor of 2 As shownin Figure 1 assuming there are 119873 tags 119879
119894 1 le 119894 le 119873
and a reader R in the RFID system the reader 119877 assigns119873 tags to 119873 leaf nodes in 119878 In the key tree each virtualnode except the root contains a secret key As a result eachtag has 119889 keys which form a path from the root of theresponding leaf node in 119878 Initially each key is randomlygenerated The cryptographic hash function used by 119877 andall tags is ℎ(sdot) A counter 119888
119901is stored in each tag recording
the anticollision sequence of the tag Each tag 119879119894also has a
timestamp timestampiWhen initializing a tag 119879
119894 119877 first dispatches 119889 keys to 119879
119894
and sets the 119888119901of 119879119894to 0 119877 also sets the value of an internal
counter 1198880= 0 The counters denote the ldquoholdingrdquo sequence
for later remounting The keys are corresponding to a pathfrom the root of 119878 to the tag For example in Figure 1 the keysstored in tag 119879
1are 11989610 11989621 and 119896
32 We denote the secret
keys of 119879119894as (1198961198941 119896119894
2 119896
119894
119889) We define 119896
119894
119909as the 119909th key of 119879
119894
corresponding to the depth 119909 119877 then sets the timestampi of119879119894to the current time
43 Tags Authentication The tags authentication of MAP isdifferent from existing protocols This component has twophases anticollision of multiple tags and authentication ofindividual tags as illustrated in Algorithm 1 On the readerside the corresponding authentication is recursively executedon the key tree as performing a depth-first-search (DFS)This is supported by the remount subcomponent
431 Anticollision The anticollision process starts from theroot of the key tree At each virtual node the reader 119877
conducts one round of communication with the tags in itsdetecting range In the anticollision process prior worksusually require a tag to respond with the whole hash valuecomputed using its key and ID Instead MAP requests thetag to reply with only ONE bit in each round of interactionas illustrated in Figure 3 The requested bit is in the highestposition of those bits that differ Algorithm 1 illustratesthe interactive communication We use 119875
119862to denote the
highest position of the possible collision bits and 119881119862
todenote the value of bit on this position Since the outputs ofcryptographic hash function in MAP are 64 bits long hashvalues the length of 119875
119862can be 6 bits The whole anticollision
is executed in 119878 as followsAt each non leaf depth 119909 minus 1 1 le 119909 le 119889 minus 1 (for the root
119909 = 1) 119877 has two tasks choosing the branch denoted by 1198811015840
119862
for the anticollision process at level 119909 minus 2 which is related toa node 119899 at level 119909 minus 1 and pre-computing 119875
119862using the keys
on 119899rsquos branches at level 119909 The value of 1198811015840
119862is computed using
the branch keys at depth 119909 minus 1To choose a branch related at depth 119909 minus 1 119877 randomly
chooses a collision value 1198811015840
119862based on the tagsrsquo responses
where1198811015840
119862is computed using the branch keys at depth 119909minus1 To
generate 119875119862 119877 creates a timestamp 119903
119910 where 119910 is an integer
counter 119877 uses the keys of 119899rsquos two children nodes to computetwo hash values in the form of ℎ(119896
119894
119909 119903119910) 119877 then compares
these two hash values and records the highest position of thepossible collision bits as 119875
119862 119877 then sends a query with four
parameters 119903119910 1198811015840119862 119875119862 and 119888
119910 where 119888
119910is a counter
Upon receiving the query a tag 119879119894 which responded in
depth 119909 minus 2 checks whether the timestamp is posterior tothe one it holds If yes 119879
119894believes the query is a new request
and checks if 1198811015840
119862matches its last response If yes 119879
119894computes
119881119862related to 119875
119862of level 119909 and chooses the 119881
119862th time slot
to respond with bit ldquo1rdquo Otherwise if not match 119879119894enters
the ldquoholdingrdquo status and stores 119888119910in 119888119901 If more than one
branch replies 119877 also records the pair of (119888119910 119899119910) where 119899
119910
denotes the sibling node related to the 1198811015840
119862at level 119909 minus 1 If 119879
119894rsquos
timestamp is larger than the one in the query it randomlychooses a slot to respond with bit ldquo1rdquo
The anticollision is an important part of authenticationprocess processing multiple tags at the same time Based onthis MAP provides multiple tags style authentication otherthan sequential authentication in which the authenticationprocedure for each tag does not overlap
6 International Journal of Distributed Sensor Networks
Anti-collision sub-component At non-leaf depth 119909 minus 1119877 randomly selects a branch sends (119903
119910 119875119862 1198811015840119862 119888119910)
119877 records (119888119910 119909 minus 1) 119888
119910++
Tags which match 1198811015840
119862choose time slot (ℎ (119896
119894
119909 119903119910))119875119862
Tags not match wait and record 119888119910in 119888119901
Go to depth 119909
Authentication sub-component plus updatingif 119909 = 119889 At leaf level
119877 sends a timestamp 1198771to 119879119894
119879119894checks 119877
1and delay 119905max(119905ℎ119903119890119904ℎ119900119897119889 minus 119877
1+ 1)
then replies (1198772 119868) where 119868 = ℎ(1 119896
119894
119889 1198771 1198772)
119877 computes a hash value for 119879119894to check 119868
if match119877 accepts 119879
119894 and sends 119872 = ℎ(2 119896
119894
119889 1198771 1198772)
119877 updates 119896119894
119889to ℎ(3 119896
119894
119889 1198771 1198772) update R
else if not match119877 sends 119872 as a random number if match
119879119894gets 119872 and computes a value to check 119872
if 119872 matches the computed value by 119879119894
119879119894accepts 119877
119879119894updates 119896
119894
119889to ℎ(3 119896
119894
119889 1198771 1198772) update 119879
119894
Remount119877 chooses the max 119888
1199101015840 stored as 119888max in (119888
1199101015840 119901119900119904
1199101015840 )
While exists such 119888max119877 sends to tags (119888max 1199031199101015840 119875119862)119879119895with 119888max chooses slot (ℎ(119896
119895
1199091015840+1
1199031199101015840 ))119875119862
119877 deletes the pair stored related to 119888max119877 continues to tags-authentication atdepth 119909
1015840+ 1 in the sub-tree which roots at 119901119900119904
1199101015840
Algorithm 1 Tags authentication in MAP
ReaderQuery Query
Tagcomputing
Tagreply
Tagcomputing
Slot Slot0 1
T2
T3 HoldLevel x
ry 1 3 ry+1 0 2
middot middot middot
middot middot middot
middot middot middotmiddot middot middot
middot middot middot
middot middot middot
Level x minus 2 Level x minus 1
3rd bit = 1
3rd bit = 0
2nd bit = 1
Figure 3 Anticollision with one bit
432 Authentication When arriving at a leaf node R startsthe authentication subcomponent with 119879
119894 R and 119879
119894authen-
ticate each other via this subcomponent At this point Rhas exploited the path from the root to the leaf node relatedto 119879119894 The subcomponent includes four steps as shown in
Algorithm 1(1) 119877 sends a query to 119879
119894with the timestamp 119877
1
(2) Upon this query 119879119894checks if 119877
1is acceptable and
delay 119905max(threshold minus 1198771
+ 1) where 119905max is a predefinedmaximum delay and threshold is a predefined maximum
counter value The value of 119905max and threshold can be ini-tialized empirically and adjusted in real application Then119879119894replies with a random nonce 119877
2and a hash value 119868 =
ℎ(1 1198771 1198772 119896119894
119889)
(3) 119877 compares 119868 to the hash value computed usingcorresponding key stored in the database If the two hashvalues are identical the reader accepts the tag as a legitimateone Otherwise 119877 treats the tag as illegal For a legal tagthe reader sends 119872 = ℎ(2 119877
1 1198772 119896119894
119889) as an authentication
message and then launches the updating component on the
International Journal of Distributed Sensor Networks 7
reader side For an illegal tag the reader only sends a randombit string with the same length of ℎ(sdot)
Note that the key in the leaf node may not match thecorresponding tagrsquos key In this case 119877 has to search throughthe entire database to check if a matching key can be foundIf such a key is found the tag is accepted as legitimate Inthis way even a tag which is desynchronization attacked andthus has a big timestamp can also be authenticated This canprevent attackers from distinguishing tags by whether theycan be accepted
(4) UponM 119879119894computes the hash value based on the key
stored in it If they are matched119879119894takes 119877 as a legitimate one
119879119894then launches the updating on the tag side if119877 is legitimateA collisionmayhappenwhen two tags choose an identical
leaf node At this time there is more than one tag respondingto the readerTheir signals will collide and cannot be correctlydecodedThis can happenwhen a tagrsquos random choicesmatchthe path of the other tag from root to leaf The possibility is2minus119889 where 119889 is the depth of the key tree While the possibilityis negligible we just take these collidedmessages as a randommessage and complete the routine processes of authenticationand updating As each tag has a unique leaf key which will beupdated involving the random nonces during authenticationthe possibility they collide again at the leaf node will still benegligible we will process the colliding tags in the next roundof entire tags-authentication process
433 Remount After authentication and updating of atag the whole tag authentication process is remounted forunprocessed tags according to their ldquoholdingrdquo sequence indescending order 119877 finds out the max counter 119888max in the(1198881199101015840 1199011199001199041199101015840) pairs stored in the reader where 119910
1015840 is an integerIf there exists such a 119888max 119877 computes 119875
119862for the branches
of 1199011199001199041199101015840 and starts the anticollision subcomponent in the
subtree rooted at 1199011199001199041199101015840 To do this the reader sends a
recursive query command 1199031198901198881198761199061198901199031199101199101015840 with 119888max 119875
119862 and
a new timestamp 1199031199101015840 Upon this query each tag checks its
internal counter 119888119901The tags that have amatched 119888max respond
with the corresponding119881119862 If no such a 119888max exists the reader
terminates the current round of MAP and launches a newround The reader iteratively performs the authenticationprocess until all tags are processed or the number of roundsexceeds a predefined threshold threshold In MAP if there aresome tags moving into the detecting region of 119877 in currentround 119877 will treat them as newly coming tags in the nextround
We illustrate the above process by using the example ofauthenticating 119879
1 1198792 and 119879
3in Figure 1 Assume the reader
chooses the left branch each timeThen there is no collision atdepth 0 and the entire authentication procedure goes to thesubtree rooted at the node related to 119896
10at depth 1 The 119881
119862
values related to keys at depth 2 will collide 119877 moves downto the left branch related to 119896
20and 119896
30 119877 puts 119879
2and 119879
1in
a holding state at this point 119877 also records the anticollisionsequence and the node related to 119896
21 As there is no more
collision for1198793119877 completes the authentication of119879
3and goes
back to the holding tags 119877 requests 119881119862related to the keys at
depth 3The responses of 1198792and 119879
1fall in different branches
Then 119877 puts 1198792to holding state and authenticates 119879
1 After
that the reader 119877 authenticates 1198792
44 Updating After a successful mutual authenticationbetween the tag and reader the updating process follows asillustrated in Algorithm 1 MAP only updates the leaf keys formultiple tags environments where a leaf key is the key onthe leaf node There are two reasons First in our protocolthe keys on nonleaf nodes are only used for navigationSecond as analyzed in [22] updating keys for tags withoutchanging the sharing relationship of keys among tags will notincrease the difficulty for adversaries to successfully conductcompromising attacks We also allow a tag to be renewed inthe system maintenance component as an updating methodwhich also updates the tagrsquos location and the correspondingkeys in the virtual tree for better privacy
R updates the keys for a tag after a successful authentica-tion of the tag At the corresponding leaf node a new leaf keyis generated as 119896
119894
119889
1015840
= ℎ(3 1198771 1198772 119896119894
119889) for 119879
119894 119879119894updates its leaf
key only after a successful authentication of 119877 by checkingM
45 System Maintenance Users may want to insert renewor withdraw their tags The system maintenance componentdeals with these requests
If a new tag joins in the systemR initializes it by assigningit to an empty leaf node and generates the necessary keys forit If a tag is withdrawn R simply deletes the information oncorresponding nodes related to the tag from S
We also allow a tag to be renewed for better security andprivacy The permission is controlled by the manager Whena tag is permitted to be renewed it is first withdrawn by thereader Then the reader treats the tag like a new one andinserts it into the system After being renewed the new keysand related path in the key tree have no relation with the oldones
5 Performance Analysis
In this section we analyze the performance of MAP con-sidering both communication and computation costs Wetheoretically analyze the costs and give the correspondingupper bound lower bound andmean valueWe also launch asimulation Then we compare the performance of MAP withtwo combination solutions
51 Theoretical Analysis In MAP multiple tags are authenti-cated concurrently thus we care about the average time costsderived from costs for all tags divided by the number of tagsIn Section 5 when we mention a cost for each tag we aremeaning such an average time cost for each tag
There are cases when the tags to be authenticated coverthe least branchesThenpaths of these tags cover a full subtreeand a single path from the root of this subtree to the rootof system tree 119878 as 119879
1and 119879
2in Figure 4(a) In these cases
arbitrations and hash computations are shared by the mosttags Thus it is possible that both the communication andcompute cost for each tag are the least in these cases
8 International Journal of Distributed Sensor Networks
k10
k21
k32 k33
T1 T2
M1
M2
(a) Most sharing
k20
k30
k10
T3
(b) Least sharing
Figure 4 The different sharing scenarios
Contrarily when the tags cover the most branchesrespecting no path being shared as 119879
3itself in Figure 4(b)
then it is possible that both communication and compute costfor each tag are the largest as arbitrations and hash computesare shared by the least tags
For theoretic comprehensibility we consider time cost fortransferring hash values in communication cost For computecost we consider only cost for computing hash values atboth reader end and tag end For the overall cost consideringoverheads we give a simulation result in Section 52
When tags cover the least branches the minimumcommunication and compute cost are computed as followsTheoretically they are the lower bound of MAP in terms oftime cost Indeed both of them are in O(1) complexity
Commmin = 119905auth + 2119905query + 119905reply minus
(119905query + 119905reply)
119873
asymp 119905auth + 2119905query + 119905reply
Compmin = (2 minus1
119873) 119905119905119888119900119898119901
+ (3 minus2
119873119860
) 119905119903119888119900119898119901
asymp 2119905119905119888119900119898119901
+ 3119905119903119888119900119898119901
(1)
where the 119889 is the height of the system tree 119878 119873 is thenumber of tags in the system 119873
119860is the number of tags to
be authenticated and 119873119860
= 119873 in this case 119905query is the timefor a reader 119877 to send out a query 119905reply is the time for eachtag on both branches to reply their related 1 bit 119881
119862values in
the two time slots 119905auth is the time for a tag to send the hashvalue of its leaf node 119905
119905119888119900119898119901is the time for a tag to compute
a hash value and 119905119903119888119900119898119901
is the time for 119877 to compute a hashvalue Note that we suppose sending the request commandsneeds the same time as the 119905query
When each tag covers themost branches there is only onetag to be authenticated Thus we get the maximum costs Wedenote the maximum communication and compute cost as
Commmax and Compmax respectively The theoretical upperbound cost of MAP is given by
Commmax = 119905auth + 119889 times 119905reply + (119889 + 1) 119905query
Compmax = (119889 + 1) 119905119903119888119900119898119901
+ (2119889 + 1) 119905119903119888119900119898119901
(2)
where 119889 is the height of the system tree 119878 We can find thatboth the maximum costs have an 119874(log119873) complexity
When tags cover all branches supposing the coverprobability is unique we get the mean communication andcomputing costs as follows
Commmean = 119905auth + 119905query
+ (119905query + 119905reply) (2 + 119889 minus log2119873119860
minus1
119873119860
)
asymp 119905auth + 119905query + (119905query + 119905reply)
times (2 + 119889 minus log2119873119860
)
Compmean = (2 + 119889 minus log2119873119860
minus1
119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
minus1
119873119860
) 119905119903119888119900119898119901
asymp (2 + 119889 minus log2119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
) 119905119903119888119900119898119901
(3)
Both Commmean and Compmean are strict monotonicfunctions of 119873
119860 When 119873
119860is big enough they approach the
constant value of 119874(1)Considering the minimum authentication cost without
anticollision or updating for a single tag in traditional tree-based protocol it will need to compute transmit and verifyat least log
120575119873 ciphers where 120575 is the branching factor of the
key tree When the tag lies at the first-reach leaf the costis minimum with message length and computation times ofabout log
120575119873 When the tag lies at the last-reach leaf the cost
is maximum with the computation times enlarged to about120575 times log
120575119873 The average computation cost is about (1 + 120575)2 times
log120575119873ThusMAP protocol outperforms the traditional tree-
based protocol theoretically
52 Simulation We compared the average processing timeof MAP to two simple combination solutions Both thetwo solutions use the slot-count (Q) selection algorithm inEPC C1G2 UHF Air Interface Protocol Standard [31] foranticollision The PPA protocols for these two solutions arethe typical tree-based protocol [20] and RWP protocol [22]with O(1) complexity In all protocols both tag side andreader side employ SQUASH (SQUaring haSH) which isproposed by Shamir in [8] to compute hash values SQUASHneeds only several hundred gate equivalents (GEs) and isappropriate for low cost RFID tags We consider the overalltime cost including communication cost and search cost
International Journal of Distributed Sensor Networks 9
The communication cost includes the cost for transmittingcommands and data with overheads such as wait time timeout frame sync and preamble Note that compared to otherkinds of wireless communication such as WiFi the messagesexchanged between the reader and tags are very short Thusthe overheads are not negligible All the command formatsdata formats and link timing follow the standard In searchcost we consider compute cost for hash values by both readerand tags We assume the reader can process 223 times 64 bitsSQUASH in a second in average For the tag we assume it canprocess one time SQUASH in 6775 us and 242 us We makethese two assumptions based on the link timing requirementsspecified in the standard
In our simulation the forward data rate is 40Kbps andthe backward data rate is 320KbpsWe suppose that there are220 tags in the system We choose tags randomly and repeatthe whole process 100 times for average results
In Figure 5 we give the result for 1000 tags The simu-lation result shows that MAP gains a better efficiency thantypical tree-based protocol The average time cost of tree-based protocols is about 22 times to 42 times that of MAPThe efficiency of MAP asymptotically approaches the RWPprotocol with O(1) complexity as the size of the tag setapproaches 1000 The simulation result is in accordance withthe theoretical analysis That is because in MAP computingand communication are shared between all tags Moreoverduring anticollision subcomponent tags respond with only 1bit to save communication cost That is why MAP outper-forms typical tree-based protocol when tag size is small
According to the performance result in [26] for 1000 tagsin a system with 105 tags at 40Kbps forward rate achieving1 erroneous decision the SEBA approach [25] needs 41min-utes while the SEBA+ approach [26] needs about 4 minutesUtilizing MAP it takes about 1000 times 10405times 10minus6 s = 1122 swhich is less than SEBA and more than SEBA+ Howeverthe result in [26] considers only the message transmissiontime leaving out the nonnegligible computation time andthe communication overheads such as wait time time outframe sync and preamble Moreover MAP provides accurateauthenticationwith no error probabilityThusMAP is a goodchoice in performance for the authentication ofmultiple tags
6 Security and Privacy Analysis
In this section we analyze the security and privacy charactersof MAP Because our approach is tree based we focus onresistance to compromising attackwhich has themost seriousimpact on conventional tree-based approaches [23] Weprove that MAP is m-strong-ind-private showing that MAPsatisfies strong privacy protection in multiple tags scenarioWe also show the abilities of MAP in terms of confidentialitycloning resistance tracking resistance timing-based attackresistance and forward secrecy
61 Compromising Attack Compromising attack is the mosteffective way for crashing tree-based protocols That isbecause tags organized in tree-based structures share keyswith each other When an adversary 119860 compromises some
0 200 400 600 800 1000
39
4
41
42
43
44
45
46
47
48
Size of tag set to be authenticated
log10
style
)
Tree-basedTree-basedMAP
MAPRWPRWP
242120583s6775120583s
6775120583s
242120583s242120583s6775120583s
Aver
age p
roce
ssin
g tim
e (120583
sFigure 5 Comparison on performance for 1ndash1000 tags
tags and thus obtain their secret keysA can deduce the secretkeys of other tags In conventional tree-based protocols alegitimate reader splits a tag from other possible ones levelby level and finally authenticates it on the leaf using itskeys on related levels An adversary can also distinguishtags and further track them in this way with keys fromthe compromised tags For detailed analysis please refer to[14 21]
Our analysis is based on the works in [10 14 18 2123 34] The notion of strong ind-privacy defined in [23]which is equivalent to the destructive-privacy defined in[34] is very similar to the strong privacy provided byMAP except that MAP focuses on privacy protection formultiple tags The existing privacy models are designedfor one-tag-one-reader authentication scheme and focus ondistinguishability privacy between TWO tags only They arenot fit for the multiple tags scenario in MAP where thereader cannot communicate to a tag before anticollisionsubcomponent
We define a new model for multiple tags environmentsincluding four oracles Request(sdot sdot sdot) Send(sdotsdot) Relay(sdotsdot) andCompromise(sdot) to formulate the attacks to the tag sets andreader Assume we have a tag set 119873
119878 Any attack on 119877 or 119873
119878
can be represented by calling on its oraclesRequest(119873
119878 1198981 1198983) A queries the tag set 119873
119878by a query
message1198981and receives the responsesThen119860 sends another
message 1198983to 119873119878 including the collision arbitration and Rrsquos
authentication dataSend(R 119898
2) A sends a message 119898
2 representing the tag
setrsquos reply and authentication messages to 119877 and receives aresponse
Relay(119873119878 119877) A relays the messages between 119873
119878and R A
can arbitrarily modify the messages from one side to another
10 International Journal of Distributed Sensor Networks
Compromise(119873119862) A compromises tags in set 119873
119862and
obtains their secret keys where 119873119862is a tag set 119860 obtains The
compromised tags are broken and cannot be used any furtherThe compromising attack on MAP denoted by
CAMAP119860
[1198960 119873119860
] is performed with the following steps
Step 1 The adversary 119860 compromises 1198960tags and obtains
their secret keys
Step 2 A chooses a target tag 119879 that has not been compro-mised A can query 119879 or act as a man-in-the-middle between119879 and the reader 119877 polynomial times Note that 119860 cannotcompromise119879 According to the secret keys119860 gains in Step 1A can compute outputs of these keys and compare to themTrsquosoutputs In this way 119860 can determine which of Trsquos keys equalto Arsquos known keys
Step 3 The system gives a tag set 119873119878with 119873
119874tags including
119879 Then 119873119878is divided into two subsets 119873
1198781and 119873
1198782 For the
simplicity we assume each subset contains 119873119860tags Or else
we can define the smaller set contains119873119860tags which will not
affect the result of analysis but complex the analysis processA randomly picks a subset 119873
119878119887 where b = 0 or b = 1 and
determines if 119879 is in this subset A can pick both subsets If119873119878119887
contains T A can proceed tracking 119879 by tracking 119873119878119887
otherwise 119873119878(1minus119887)
A can send queries to the tag set or act asa man-in-the-middle between the tag set and the reader 119877
polynomial times but cannot compromise those tagsWe denote
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] (4)
as the possibility 119860 definitely knows whether tag set 119873119878119887
includes T A succeeds if 119860 definitely knows which tag setincludes 119879 Then the possibility that 119860 succeeds is
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] = 1 minus (1 minus 1198750)2
(5)
where 1198750is the possibility that 119860 succeeds in either subset in
a system employing MAP
Definition 1 Theadvantage of adversary119860 in the compromis-ing attack is defined as
advMAP119860
(1198960 119873119860
) =
1003816100381610038161003816100381610038161003816(119875MAP +
1
2(1 minus 119875MAP)) minus
1
2
1003816100381610038161003816100381610038161003816=
119875MAP2
(6)
where the probability is the advantage of 119860 correctly guessagainst randomly guess which subset 119879 is in
Definition 2 (M-strong(120576 1198960 119873119860
)-ind-privacy) An RFIDprotocol PRO is m-strong( 120576 119896
0 119873119860)-ind-private if when 119873
119860
approaches N the advantage advPRO119860
(1198960 119873119860
) is at most 120576 inpolynomial time Where 119873
119860lt 119873 120576 is an infinitesimal when
119873 approaches infinity
M-weak(120576 1198960 119873119860)-ind-privacy is defined the same as m-
strong (120576 1198960 119873119860
)-ind-privacy except that 1198960= 0
Destructive Final NoCorrupt corrput Corrupt corrupt
Wide
Narrow
m-strong m-forward m-weak
m-narrow m-narrowm-narrowm-narrowstrong destructive
m-destructive
forward weak
Figure 6 The privacy levels
The above two privacy notions can be simply denotedas m-strong-ind-privacy (MSIP) and m-weak-ind-privacy(MWIP) where the letter ldquo119898rdquo is the abbreviation of mul-tiple tags When 119873
119860= 1 the MSIP (MWIP) equals the
strong-privacy (weak-privacy) in Juelsrsquos model [23] and thedestructive-privacy (weak-privacy) in Vaudenayrsquos model [34]At this time the case of a tag lying in a set is identical tothe case of the target tag being a particular tag in traditionalprivacy model with two tags Thus our multiple tags privacymodel is a generalized version of existing privacy models[23 34] On the contrary the existing privacy models arespecial cases of multiple tags privacy where each tag set hasonly one tagThen we can define 8 different levels of privacyby generalizing Vaudenayrsquos model for multiple tags scenariosas illustrated in Figure 6
The above model is dedicated for classifying the privacyprotection in multiple tags scenarios Intuitively it is easierfor a tag to hide in a set than to behavior indistinguishably toanother tag Thus the above model is a model weaker thanthe privacy models for one-reader-one-tag scenarios
However if the authentication protocol does not take thisadvantage then the protocol cannot provide better privacyin scenarios with multiple tags than in one-reader-one-tag scenarios no matter how many tags are there to beauthenticated For example in the OSK [12] protocol onedesynchronized tag cannot be accepted by a legitimate readerThus a desynchronized tag can still be distinguished in a tagset saying nothing of hiding in the set As a result the OSKmethod cannot providem-strong-ind-privacy orm-weak-ind-privacy
In the tree for MAP when 119860 is not aware of all keys inboth branches A does not know the 119875
119862and has to randomly
guess one for navigation and conduct the searching processWhen the guess fails A sends out a position that has nocollisions Then 119860 cannot split the tags Only when 119860 knowsall the keys in the branches related to T A can send outthe correct 119875
119862and proceed on tracking That is the main
reason whyMAP performs better than traditional tree-basedprotocols in defending against compromising attacks In facttheMAP protocol ism-strong-ind-private as will be proven inthe bellowing
Theorem 3 TheMAP protocol is MSIP private
Proof We perform the compromising attack with MAPprotocol as follows
We denote tags in 119873119878119887
by 1198791015840 We denote keys in 119879
and 1198791015840 with (119896119890119910
0 1198961198901199101 119896119890119910
119889) and (119896119890119910
1015840
0 1198961198901199101015840
1 119896119890119910
1015840
119889)
International Journal of Distributed Sensor Networks 11
respectively where 119889 is the depth of the tree Considering atlevel 119909 where 119896119890119910
119909is in a subtree we use 119870
119909to denote the
set of known keys by 119860 in this subtree and 119896119909to denote
the number of keys in 119870119909 And 119896
0is the number of tags
compromised There are three cases to be considered at levelxCase 1 A does not succeed in previous 119909 minus 1 levels and thereis exactly one key 119896119890119910
1015840
119909equal to 119896119890119910
119909 A definitely knows 119873
119878119887
includes 119879 The possibility is
119875119903(1198621
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times
1
120575119909times (1 minus
1
120575119909)
119873119860minus1
(7)
Case 2119860 does not succeed in previous 119909minus1 levels and therersquosno key 119896119890119910
1015840
119909equals to 119896119890119910
119909 A definitely knows that 119873
119878119887does
not include 119879 The possibility is
119875119903(1198622
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times (1 minus
1
120575119909)
119873119860
(8)
Case 3 119860 does not succeed in previous 119909 minus 1 levels and morethan one key 119896119890119910
1015840
119909equals 119896119890119910
119909 In this case 119860 fails at level 119909
and should move to level 119909 + 1 The possibility is
119875119903(1198623
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575minus 119875119903(1198621
119909) minus 119875119903(1198622
119909)
(9)
Theoverall probability of119860 definitely knowswhether119873119878119887
includes 119879 is
1198750
= 119875119903(1198621
1or 1198622
1) +
119889
sum
119909=2
(119875119903(1198621
119909or 1198622
119909) times
119909minus1
prod
119910=1
119875119903(1198623
119910))
= (1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
times
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
)))
(10)
where
119875 (119896119890119910119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895) (120575 minus 119895)
(120575119909 minus 119895)2
1198961
= 120575 (1 minus (1 minus1
120575)
1198960
)
119896119909
= 120575 (1 minus (1 minus1
120575)
119892(119896119909)
) (2 le 119909 le 119889)
119892 (119896119909) = 1198960
119909minus1
prod
119910=1
1
119896119910
(11)
The possibility 119860 succeeds in either subset is 1198750which is
a monotonically decreasing function of 119873119860 so is 119875MAP The
advantage of 119860 is 119875MAP which decreases exponentially to 0 as119873119860increases to be big enoughConsidering that 119896
119909le 120575 and 120575 ge 2 we have the following
derivations
(1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
le (1
2)
119873119860minus1
1198961
120575
1198961
120575
1198961
minus 1
120575 minus 1
le (1
2)
119873119860minus1
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
))
lt
119909minus1
prod
119910=1
(119875 (119896119890119910119910) times 1 times 1)
=
119909minus1
prod
119910=1
119875 (119896119890119910119910)
(12)
Then we have the following deduction
1198750
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
119909minus1
prod
119910=1
119875 (119896119890119910119910))
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
(1 minus1
120575119909)
119873119860minus1
lt (1
2)
119873119860minus1
+ 119889(1 minus1
1205752)
119873119860minus1
(13)
The right part of the inequality is a monotonicallydecreasing function of 119873
119860 For example it can be deduced
that 1198750
lt (12)119873119860minus1
+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875
0is an
infinitesimal as 119873119860approaches 119873 so is 119875MAP According to
Definition 2 MAP ism-strong-ind-private
12 International Journal of Distributed Sensor Networks
0 50 100 150 2000
02
04
06
08
1
Succ
essfu
l pro
b o
f atta
ck
Size of tag set to be authenticated
MAPTree-based
Figure 7 Comparisons on defending against compromising attack
Assume a RFID system of 220 tags with 120575 = 2 and 119889 =
20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]
We can find that for both protocols the possibilities that119860
succeeds reduceswhen119873119860increases ForMAP the possibility
reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873
119860gt 8 119875MAP lt
005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200
62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information
63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881
119862values are only used for
navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol
64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack
in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key
MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack
An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860
firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold
65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough
66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
4 International Journal of Distributed Sensor Networks
k10
k20
k30
k21
k32 k33
k23
k11
T1 T2T3 T4
M1
M2
Figure 1 Tree-based architecture
Request NR
) Fk1198942(r) Fk119894
119889(rGenerate NT
RTi
NT k1198941(r )⟩⟨F
set r = NT ||NR
Figure 2 Typical tree-based protocol
protocol is performed as shown in Figure 2 In Figure 1 1198791rsquos
keys are (11989610 11989621 11989632) 119873119877and 119873
119879are two nonces 119903 =
119873119877||119873119879is their conjunction and 119865
11989610
(119903) 11986511989621
(119903) and 11986511989632
(119903)
are three hash values computed by using 119903 and the three keys(11989610 11989621 11989632) of 119879
1 respectively The hash value with the
inputs of 119903 and tag119879119894rsquos jth level key 119896
119894
119895is119865119896119894
119895
(119903)The reader thenchecks the hash values at level 119895 to determine the 119895th branchthat the tag lies in Continuing this process the reader caneventually identify and authenticate a tag For the example inFigure 1 the reader will travel along the path root rarr 119872
1rarr
1198722
rarr 1198791to reach the leaf node 119879
1 In this way the reader
can authenticate a tag with 119874(log119873) efficiencyIn Figure 1 if 119879
1and 119879
2are both in the batch the
reader has to check (11989610 11989621 11989632) to authenticate 119879
1and
check (11989610 11989621 11989633) for 119879
2 The checking for 119896
10and 119896
21
is redundant Previous works pay little attentions to theredundant operations in PPA authentication because theymainly focus on the interaction between the individual tagand reader in the per-tagrsquos authentication If those redundantoperations are well arranged a nontrivial improvement onthe authentication efficiency can be achieved in the batch-type process
Secondly the anticollision and authentication processesare generally conducted separately In the existing works theresult of anticollision cannot be reused by the authenticationprocess Since existing anticollisionmechanisms are designedwithout considering privacy protection if a tag uses itsreal identifier in the anticollision process the privacy willbe broken To meet the need of privacy a tag can onlyuse anonymized ID for example a pseudo-identifier inthe anticollision process Nevertheless the reader cannotleverage anonymized ID to locate the tag in the database
in the PPA authentication process If the anticollision infor-mation is generated and utilized without privacy leakagethe authentication process can be accelerated by reusing theresult of anticollision
32 Motivation Based on above observations our moti-vation is to enable the collaboration of multiple tags toconcurrently achieve privacy-preserving collision arbitrationand fast authentication
We still employ the example in Figure 1 to explain ourstrategy Consider two tags 119879
2and 119879
3 If simultaneously
queried by a single reader with a timestamp 119903 they will emitmessages for the readerrsquos verification as defined in the PPAprotocolsThese messages are computed using the 119903 and theirkeys According to the collision resistance property of cryp-tographic hash functions the keys in different branches willproduce different outputs Thus the two hash values will bedifferent at some bits We call those bits as different collisionbits and their positions as collision positions Indeed thesecollisions provide us a possible way to privately differentiatetags
In fact a legitimate reader knows the keys of all tags thatis it knows the keys at each branch in the key tree This factallows us to leverage precomputed results to accelerate theauthentication In Figure 1 with these known parameters Rcan compute the possible hash values of119879
2and 119879
3at level 1 in
advanceThen119877 can compare these two hash values to obtainthe possible positions of collision bits R can just query thefirst collision bit to check if there is a difference If a collisionis detected at a virtual node in the binary key tree each ofits branches contains at least one tag in the detecting regionFigure 3 illustrates an example for 119879
2and 119879
3 At level 119909 minus 1 119877
pre-computes hash values ℎ(1198962
119909 119903119910) = 10110 and ℎ(119896
3
119909 119903119910) =
10000 where ℎ(119896119895
119909 119903119910) is computed with 119879
119895rsquos 119909th key and the
timestamp 119903119910for this current sessionas inputs The two hash
values differ at the 3rd bit then 119877 sends out a query (119903119910 1
3) where 1 denotes a value for collision bit at level 119909 minus 2
denoting node 1198721 and 3 is the collision position of level 119909
Upon the query1198792and1198793compute responses where (10110)
3
= 1 (10000)3= 0 and (V)
119906is the 119906th bit in VThen119879
3responds
ldquo1rdquo at time slot 0 and1198792responds ldquo1rdquo at time slot 1 In this way
ONE bit transmission is adequate in each time slot for tagrsquosresponse At level x R receives the responses and chooses abranch which is related to slot 1 in this example R also pre-computes and sends out the message to continue the depth-first-search With this message R moves to the node relatedto 1198792at next level and119879
3enters the ldquoholdingrdquo status in which
1198793will keep silent until its turn for any action In this way
tags collaboratively conduct the anticollision R can verify atagrsquos unique information when it moves to the leaf level tocomplete the authentication for this tag Note that even if acollision happens due to the existence of multiple tags in aslot R can still conduct the anticollision process because 119877
only requires the information that whether a branch containstag instead of recovering individual responses from tags
Based on the above analysis we find that combiningprivate anticollision and authentication processes is feasible
International Journal of Distributed Sensor Networks 5
In particular the length of each tagrsquos response message to thereader can be minimized to one bit
4 MAP Design
41 Overview The MAP has four components system ini-tialization tags authentication updating and system main-tenance
MAP also initializes a virtual tree to organize keys fortags Except the root each virtual node in the tree containsa key Each leaf node is assigned to a tag Hence the depthof the tree is 119874(log119873) where 119873 is the total number of tagsin the system The reader maintains the key tree and keeps itsecret
To enable concurrent authentication formultiple tags theauthentication of MAP contains two phases anticollision ofmultiple tags and authentication of individual tags Duringthe former phase tags return one-bit responses to thereader If more than one branch replies the reader splitsthe entire tree (or a branch of the tree) into two subtrees(or subbranches) The reader then informs the tags on onesubtree (or subbranch) to continue performing the MAPprotocol and the tags on the other subtrees (or subbranches)to hold
For each subtree (or sub branch) the reader recursivelyexecutes the MAP protocol When arriving at a leaf node inthe virtual tree MAP launches its authentication componentin which the reader mutually authenticates a tag
After a successful mutual authentication between thereader and a tag the keys of the tag will be updated and hencesynchronized at both the tag and the reader When updatingthe keys MAP employs a cryptographic hash function withthe current key and two random nonces as inputs to generatea new key
In addition MAP provides maintenance function to dealwith tagsrsquo joining and leaving Utilizing this component theexpired tags can also be renewed
42 System Initialization MAP employs a sparse treedenoted as 119878 to initialize and maintain the keys for alltags We use 120575 and 119889 to denote the branching factor (2 forbinary tree) and depth of 119878 respectively For the simplicity ofexplanation we choose the branching factor of 2 As shownin Figure 1 assuming there are 119873 tags 119879
119894 1 le 119894 le 119873
and a reader R in the RFID system the reader 119877 assigns119873 tags to 119873 leaf nodes in 119878 In the key tree each virtualnode except the root contains a secret key As a result eachtag has 119889 keys which form a path from the root of theresponding leaf node in 119878 Initially each key is randomlygenerated The cryptographic hash function used by 119877 andall tags is ℎ(sdot) A counter 119888
119901is stored in each tag recording
the anticollision sequence of the tag Each tag 119879119894also has a
timestamp timestampiWhen initializing a tag 119879
119894 119877 first dispatches 119889 keys to 119879
119894
and sets the 119888119901of 119879119894to 0 119877 also sets the value of an internal
counter 1198880= 0 The counters denote the ldquoholdingrdquo sequence
for later remounting The keys are corresponding to a pathfrom the root of 119878 to the tag For example in Figure 1 the keysstored in tag 119879
1are 11989610 11989621 and 119896
32 We denote the secret
keys of 119879119894as (1198961198941 119896119894
2 119896
119894
119889) We define 119896
119894
119909as the 119909th key of 119879
119894
corresponding to the depth 119909 119877 then sets the timestampi of119879119894to the current time
43 Tags Authentication The tags authentication of MAP isdifferent from existing protocols This component has twophases anticollision of multiple tags and authentication ofindividual tags as illustrated in Algorithm 1 On the readerside the corresponding authentication is recursively executedon the key tree as performing a depth-first-search (DFS)This is supported by the remount subcomponent
431 Anticollision The anticollision process starts from theroot of the key tree At each virtual node the reader 119877
conducts one round of communication with the tags in itsdetecting range In the anticollision process prior worksusually require a tag to respond with the whole hash valuecomputed using its key and ID Instead MAP requests thetag to reply with only ONE bit in each round of interactionas illustrated in Figure 3 The requested bit is in the highestposition of those bits that differ Algorithm 1 illustratesthe interactive communication We use 119875
119862to denote the
highest position of the possible collision bits and 119881119862
todenote the value of bit on this position Since the outputs ofcryptographic hash function in MAP are 64 bits long hashvalues the length of 119875
119862can be 6 bits The whole anticollision
is executed in 119878 as followsAt each non leaf depth 119909 minus 1 1 le 119909 le 119889 minus 1 (for the root
119909 = 1) 119877 has two tasks choosing the branch denoted by 1198811015840
119862
for the anticollision process at level 119909 minus 2 which is related toa node 119899 at level 119909 minus 1 and pre-computing 119875
119862using the keys
on 119899rsquos branches at level 119909 The value of 1198811015840
119862is computed using
the branch keys at depth 119909 minus 1To choose a branch related at depth 119909 minus 1 119877 randomly
chooses a collision value 1198811015840
119862based on the tagsrsquo responses
where1198811015840
119862is computed using the branch keys at depth 119909minus1 To
generate 119875119862 119877 creates a timestamp 119903
119910 where 119910 is an integer
counter 119877 uses the keys of 119899rsquos two children nodes to computetwo hash values in the form of ℎ(119896
119894
119909 119903119910) 119877 then compares
these two hash values and records the highest position of thepossible collision bits as 119875
119862 119877 then sends a query with four
parameters 119903119910 1198811015840119862 119875119862 and 119888
119910 where 119888
119910is a counter
Upon receiving the query a tag 119879119894 which responded in
depth 119909 minus 2 checks whether the timestamp is posterior tothe one it holds If yes 119879
119894believes the query is a new request
and checks if 1198811015840
119862matches its last response If yes 119879
119894computes
119881119862related to 119875
119862of level 119909 and chooses the 119881
119862th time slot
to respond with bit ldquo1rdquo Otherwise if not match 119879119894enters
the ldquoholdingrdquo status and stores 119888119910in 119888119901 If more than one
branch replies 119877 also records the pair of (119888119910 119899119910) where 119899
119910
denotes the sibling node related to the 1198811015840
119862at level 119909 minus 1 If 119879
119894rsquos
timestamp is larger than the one in the query it randomlychooses a slot to respond with bit ldquo1rdquo
The anticollision is an important part of authenticationprocess processing multiple tags at the same time Based onthis MAP provides multiple tags style authentication otherthan sequential authentication in which the authenticationprocedure for each tag does not overlap
6 International Journal of Distributed Sensor Networks
Anti-collision sub-component At non-leaf depth 119909 minus 1119877 randomly selects a branch sends (119903
119910 119875119862 1198811015840119862 119888119910)
119877 records (119888119910 119909 minus 1) 119888
119910++
Tags which match 1198811015840
119862choose time slot (ℎ (119896
119894
119909 119903119910))119875119862
Tags not match wait and record 119888119910in 119888119901
Go to depth 119909
Authentication sub-component plus updatingif 119909 = 119889 At leaf level
119877 sends a timestamp 1198771to 119879119894
119879119894checks 119877
1and delay 119905max(119905ℎ119903119890119904ℎ119900119897119889 minus 119877
1+ 1)
then replies (1198772 119868) where 119868 = ℎ(1 119896
119894
119889 1198771 1198772)
119877 computes a hash value for 119879119894to check 119868
if match119877 accepts 119879
119894 and sends 119872 = ℎ(2 119896
119894
119889 1198771 1198772)
119877 updates 119896119894
119889to ℎ(3 119896
119894
119889 1198771 1198772) update R
else if not match119877 sends 119872 as a random number if match
119879119894gets 119872 and computes a value to check 119872
if 119872 matches the computed value by 119879119894
119879119894accepts 119877
119879119894updates 119896
119894
119889to ℎ(3 119896
119894
119889 1198771 1198772) update 119879
119894
Remount119877 chooses the max 119888
1199101015840 stored as 119888max in (119888
1199101015840 119901119900119904
1199101015840 )
While exists such 119888max119877 sends to tags (119888max 1199031199101015840 119875119862)119879119895with 119888max chooses slot (ℎ(119896
119895
1199091015840+1
1199031199101015840 ))119875119862
119877 deletes the pair stored related to 119888max119877 continues to tags-authentication atdepth 119909
1015840+ 1 in the sub-tree which roots at 119901119900119904
1199101015840
Algorithm 1 Tags authentication in MAP
ReaderQuery Query
Tagcomputing
Tagreply
Tagcomputing
Slot Slot0 1
T2
T3 HoldLevel x
ry 1 3 ry+1 0 2
middot middot middot
middot middot middot
middot middot middotmiddot middot middot
middot middot middot
middot middot middot
Level x minus 2 Level x minus 1
3rd bit = 1
3rd bit = 0
2nd bit = 1
Figure 3 Anticollision with one bit
432 Authentication When arriving at a leaf node R startsthe authentication subcomponent with 119879
119894 R and 119879
119894authen-
ticate each other via this subcomponent At this point Rhas exploited the path from the root to the leaf node relatedto 119879119894 The subcomponent includes four steps as shown in
Algorithm 1(1) 119877 sends a query to 119879
119894with the timestamp 119877
1
(2) Upon this query 119879119894checks if 119877
1is acceptable and
delay 119905max(threshold minus 1198771
+ 1) where 119905max is a predefinedmaximum delay and threshold is a predefined maximum
counter value The value of 119905max and threshold can be ini-tialized empirically and adjusted in real application Then119879119894replies with a random nonce 119877
2and a hash value 119868 =
ℎ(1 1198771 1198772 119896119894
119889)
(3) 119877 compares 119868 to the hash value computed usingcorresponding key stored in the database If the two hashvalues are identical the reader accepts the tag as a legitimateone Otherwise 119877 treats the tag as illegal For a legal tagthe reader sends 119872 = ℎ(2 119877
1 1198772 119896119894
119889) as an authentication
message and then launches the updating component on the
International Journal of Distributed Sensor Networks 7
reader side For an illegal tag the reader only sends a randombit string with the same length of ℎ(sdot)
Note that the key in the leaf node may not match thecorresponding tagrsquos key In this case 119877 has to search throughthe entire database to check if a matching key can be foundIf such a key is found the tag is accepted as legitimate Inthis way even a tag which is desynchronization attacked andthus has a big timestamp can also be authenticated This canprevent attackers from distinguishing tags by whether theycan be accepted
(4) UponM 119879119894computes the hash value based on the key
stored in it If they are matched119879119894takes 119877 as a legitimate one
119879119894then launches the updating on the tag side if119877 is legitimateA collisionmayhappenwhen two tags choose an identical
leaf node At this time there is more than one tag respondingto the readerTheir signals will collide and cannot be correctlydecodedThis can happenwhen a tagrsquos random choicesmatchthe path of the other tag from root to leaf The possibility is2minus119889 where 119889 is the depth of the key tree While the possibilityis negligible we just take these collidedmessages as a randommessage and complete the routine processes of authenticationand updating As each tag has a unique leaf key which will beupdated involving the random nonces during authenticationthe possibility they collide again at the leaf node will still benegligible we will process the colliding tags in the next roundof entire tags-authentication process
433 Remount After authentication and updating of atag the whole tag authentication process is remounted forunprocessed tags according to their ldquoholdingrdquo sequence indescending order 119877 finds out the max counter 119888max in the(1198881199101015840 1199011199001199041199101015840) pairs stored in the reader where 119910
1015840 is an integerIf there exists such a 119888max 119877 computes 119875
119862for the branches
of 1199011199001199041199101015840 and starts the anticollision subcomponent in the
subtree rooted at 1199011199001199041199101015840 To do this the reader sends a
recursive query command 1199031198901198881198761199061198901199031199101199101015840 with 119888max 119875
119862 and
a new timestamp 1199031199101015840 Upon this query each tag checks its
internal counter 119888119901The tags that have amatched 119888max respond
with the corresponding119881119862 If no such a 119888max exists the reader
terminates the current round of MAP and launches a newround The reader iteratively performs the authenticationprocess until all tags are processed or the number of roundsexceeds a predefined threshold threshold In MAP if there aresome tags moving into the detecting region of 119877 in currentround 119877 will treat them as newly coming tags in the nextround
We illustrate the above process by using the example ofauthenticating 119879
1 1198792 and 119879
3in Figure 1 Assume the reader
chooses the left branch each timeThen there is no collision atdepth 0 and the entire authentication procedure goes to thesubtree rooted at the node related to 119896
10at depth 1 The 119881
119862
values related to keys at depth 2 will collide 119877 moves downto the left branch related to 119896
20and 119896
30 119877 puts 119879
2and 119879
1in
a holding state at this point 119877 also records the anticollisionsequence and the node related to 119896
21 As there is no more
collision for1198793119877 completes the authentication of119879
3and goes
back to the holding tags 119877 requests 119881119862related to the keys at
depth 3The responses of 1198792and 119879
1fall in different branches
Then 119877 puts 1198792to holding state and authenticates 119879
1 After
that the reader 119877 authenticates 1198792
44 Updating After a successful mutual authenticationbetween the tag and reader the updating process follows asillustrated in Algorithm 1 MAP only updates the leaf keys formultiple tags environments where a leaf key is the key onthe leaf node There are two reasons First in our protocolthe keys on nonleaf nodes are only used for navigationSecond as analyzed in [22] updating keys for tags withoutchanging the sharing relationship of keys among tags will notincrease the difficulty for adversaries to successfully conductcompromising attacks We also allow a tag to be renewed inthe system maintenance component as an updating methodwhich also updates the tagrsquos location and the correspondingkeys in the virtual tree for better privacy
R updates the keys for a tag after a successful authentica-tion of the tag At the corresponding leaf node a new leaf keyis generated as 119896
119894
119889
1015840
= ℎ(3 1198771 1198772 119896119894
119889) for 119879
119894 119879119894updates its leaf
key only after a successful authentication of 119877 by checkingM
45 System Maintenance Users may want to insert renewor withdraw their tags The system maintenance componentdeals with these requests
If a new tag joins in the systemR initializes it by assigningit to an empty leaf node and generates the necessary keys forit If a tag is withdrawn R simply deletes the information oncorresponding nodes related to the tag from S
We also allow a tag to be renewed for better security andprivacy The permission is controlled by the manager Whena tag is permitted to be renewed it is first withdrawn by thereader Then the reader treats the tag like a new one andinserts it into the system After being renewed the new keysand related path in the key tree have no relation with the oldones
5 Performance Analysis
In this section we analyze the performance of MAP con-sidering both communication and computation costs Wetheoretically analyze the costs and give the correspondingupper bound lower bound andmean valueWe also launch asimulation Then we compare the performance of MAP withtwo combination solutions
51 Theoretical Analysis In MAP multiple tags are authenti-cated concurrently thus we care about the average time costsderived from costs for all tags divided by the number of tagsIn Section 5 when we mention a cost for each tag we aremeaning such an average time cost for each tag
There are cases when the tags to be authenticated coverthe least branchesThenpaths of these tags cover a full subtreeand a single path from the root of this subtree to the rootof system tree 119878 as 119879
1and 119879
2in Figure 4(a) In these cases
arbitrations and hash computations are shared by the mosttags Thus it is possible that both the communication andcompute cost for each tag are the least in these cases
8 International Journal of Distributed Sensor Networks
k10
k21
k32 k33
T1 T2
M1
M2
(a) Most sharing
k20
k30
k10
T3
(b) Least sharing
Figure 4 The different sharing scenarios
Contrarily when the tags cover the most branchesrespecting no path being shared as 119879
3itself in Figure 4(b)
then it is possible that both communication and compute costfor each tag are the largest as arbitrations and hash computesare shared by the least tags
For theoretic comprehensibility we consider time cost fortransferring hash values in communication cost For computecost we consider only cost for computing hash values atboth reader end and tag end For the overall cost consideringoverheads we give a simulation result in Section 52
When tags cover the least branches the minimumcommunication and compute cost are computed as followsTheoretically they are the lower bound of MAP in terms oftime cost Indeed both of them are in O(1) complexity
Commmin = 119905auth + 2119905query + 119905reply minus
(119905query + 119905reply)
119873
asymp 119905auth + 2119905query + 119905reply
Compmin = (2 minus1
119873) 119905119905119888119900119898119901
+ (3 minus2
119873119860
) 119905119903119888119900119898119901
asymp 2119905119905119888119900119898119901
+ 3119905119903119888119900119898119901
(1)
where the 119889 is the height of the system tree 119878 119873 is thenumber of tags in the system 119873
119860is the number of tags to
be authenticated and 119873119860
= 119873 in this case 119905query is the timefor a reader 119877 to send out a query 119905reply is the time for eachtag on both branches to reply their related 1 bit 119881
119862values in
the two time slots 119905auth is the time for a tag to send the hashvalue of its leaf node 119905
119905119888119900119898119901is the time for a tag to compute
a hash value and 119905119903119888119900119898119901
is the time for 119877 to compute a hashvalue Note that we suppose sending the request commandsneeds the same time as the 119905query
When each tag covers themost branches there is only onetag to be authenticated Thus we get the maximum costs Wedenote the maximum communication and compute cost as
Commmax and Compmax respectively The theoretical upperbound cost of MAP is given by
Commmax = 119905auth + 119889 times 119905reply + (119889 + 1) 119905query
Compmax = (119889 + 1) 119905119903119888119900119898119901
+ (2119889 + 1) 119905119903119888119900119898119901
(2)
where 119889 is the height of the system tree 119878 We can find thatboth the maximum costs have an 119874(log119873) complexity
When tags cover all branches supposing the coverprobability is unique we get the mean communication andcomputing costs as follows
Commmean = 119905auth + 119905query
+ (119905query + 119905reply) (2 + 119889 minus log2119873119860
minus1
119873119860
)
asymp 119905auth + 119905query + (119905query + 119905reply)
times (2 + 119889 minus log2119873119860
)
Compmean = (2 + 119889 minus log2119873119860
minus1
119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
minus1
119873119860
) 119905119903119888119900119898119901
asymp (2 + 119889 minus log2119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
) 119905119903119888119900119898119901
(3)
Both Commmean and Compmean are strict monotonicfunctions of 119873
119860 When 119873
119860is big enough they approach the
constant value of 119874(1)Considering the minimum authentication cost without
anticollision or updating for a single tag in traditional tree-based protocol it will need to compute transmit and verifyat least log
120575119873 ciphers where 120575 is the branching factor of the
key tree When the tag lies at the first-reach leaf the costis minimum with message length and computation times ofabout log
120575119873 When the tag lies at the last-reach leaf the cost
is maximum with the computation times enlarged to about120575 times log
120575119873 The average computation cost is about (1 + 120575)2 times
log120575119873ThusMAP protocol outperforms the traditional tree-
based protocol theoretically
52 Simulation We compared the average processing timeof MAP to two simple combination solutions Both thetwo solutions use the slot-count (Q) selection algorithm inEPC C1G2 UHF Air Interface Protocol Standard [31] foranticollision The PPA protocols for these two solutions arethe typical tree-based protocol [20] and RWP protocol [22]with O(1) complexity In all protocols both tag side andreader side employ SQUASH (SQUaring haSH) which isproposed by Shamir in [8] to compute hash values SQUASHneeds only several hundred gate equivalents (GEs) and isappropriate for low cost RFID tags We consider the overalltime cost including communication cost and search cost
International Journal of Distributed Sensor Networks 9
The communication cost includes the cost for transmittingcommands and data with overheads such as wait time timeout frame sync and preamble Note that compared to otherkinds of wireless communication such as WiFi the messagesexchanged between the reader and tags are very short Thusthe overheads are not negligible All the command formatsdata formats and link timing follow the standard In searchcost we consider compute cost for hash values by both readerand tags We assume the reader can process 223 times 64 bitsSQUASH in a second in average For the tag we assume it canprocess one time SQUASH in 6775 us and 242 us We makethese two assumptions based on the link timing requirementsspecified in the standard
In our simulation the forward data rate is 40Kbps andthe backward data rate is 320KbpsWe suppose that there are220 tags in the system We choose tags randomly and repeatthe whole process 100 times for average results
In Figure 5 we give the result for 1000 tags The simu-lation result shows that MAP gains a better efficiency thantypical tree-based protocol The average time cost of tree-based protocols is about 22 times to 42 times that of MAPThe efficiency of MAP asymptotically approaches the RWPprotocol with O(1) complexity as the size of the tag setapproaches 1000 The simulation result is in accordance withthe theoretical analysis That is because in MAP computingand communication are shared between all tags Moreoverduring anticollision subcomponent tags respond with only 1bit to save communication cost That is why MAP outper-forms typical tree-based protocol when tag size is small
According to the performance result in [26] for 1000 tagsin a system with 105 tags at 40Kbps forward rate achieving1 erroneous decision the SEBA approach [25] needs 41min-utes while the SEBA+ approach [26] needs about 4 minutesUtilizing MAP it takes about 1000 times 10405times 10minus6 s = 1122 swhich is less than SEBA and more than SEBA+ Howeverthe result in [26] considers only the message transmissiontime leaving out the nonnegligible computation time andthe communication overheads such as wait time time outframe sync and preamble Moreover MAP provides accurateauthenticationwith no error probabilityThusMAP is a goodchoice in performance for the authentication ofmultiple tags
6 Security and Privacy Analysis
In this section we analyze the security and privacy charactersof MAP Because our approach is tree based we focus onresistance to compromising attackwhich has themost seriousimpact on conventional tree-based approaches [23] Weprove that MAP is m-strong-ind-private showing that MAPsatisfies strong privacy protection in multiple tags scenarioWe also show the abilities of MAP in terms of confidentialitycloning resistance tracking resistance timing-based attackresistance and forward secrecy
61 Compromising Attack Compromising attack is the mosteffective way for crashing tree-based protocols That isbecause tags organized in tree-based structures share keyswith each other When an adversary 119860 compromises some
0 200 400 600 800 1000
39
4
41
42
43
44
45
46
47
48
Size of tag set to be authenticated
log10
style
)
Tree-basedTree-basedMAP
MAPRWPRWP
242120583s6775120583s
6775120583s
242120583s242120583s6775120583s
Aver
age p
roce
ssin
g tim
e (120583
sFigure 5 Comparison on performance for 1ndash1000 tags
tags and thus obtain their secret keysA can deduce the secretkeys of other tags In conventional tree-based protocols alegitimate reader splits a tag from other possible ones levelby level and finally authenticates it on the leaf using itskeys on related levels An adversary can also distinguishtags and further track them in this way with keys fromthe compromised tags For detailed analysis please refer to[14 21]
Our analysis is based on the works in [10 14 18 2123 34] The notion of strong ind-privacy defined in [23]which is equivalent to the destructive-privacy defined in[34] is very similar to the strong privacy provided byMAP except that MAP focuses on privacy protection formultiple tags The existing privacy models are designedfor one-tag-one-reader authentication scheme and focus ondistinguishability privacy between TWO tags only They arenot fit for the multiple tags scenario in MAP where thereader cannot communicate to a tag before anticollisionsubcomponent
We define a new model for multiple tags environmentsincluding four oracles Request(sdot sdot sdot) Send(sdotsdot) Relay(sdotsdot) andCompromise(sdot) to formulate the attacks to the tag sets andreader Assume we have a tag set 119873
119878 Any attack on 119877 or 119873
119878
can be represented by calling on its oraclesRequest(119873
119878 1198981 1198983) A queries the tag set 119873
119878by a query
message1198981and receives the responsesThen119860 sends another
message 1198983to 119873119878 including the collision arbitration and Rrsquos
authentication dataSend(R 119898
2) A sends a message 119898
2 representing the tag
setrsquos reply and authentication messages to 119877 and receives aresponse
Relay(119873119878 119877) A relays the messages between 119873
119878and R A
can arbitrarily modify the messages from one side to another
10 International Journal of Distributed Sensor Networks
Compromise(119873119862) A compromises tags in set 119873
119862and
obtains their secret keys where 119873119862is a tag set 119860 obtains The
compromised tags are broken and cannot be used any furtherThe compromising attack on MAP denoted by
CAMAP119860
[1198960 119873119860
] is performed with the following steps
Step 1 The adversary 119860 compromises 1198960tags and obtains
their secret keys
Step 2 A chooses a target tag 119879 that has not been compro-mised A can query 119879 or act as a man-in-the-middle between119879 and the reader 119877 polynomial times Note that 119860 cannotcompromise119879 According to the secret keys119860 gains in Step 1A can compute outputs of these keys and compare to themTrsquosoutputs In this way 119860 can determine which of Trsquos keys equalto Arsquos known keys
Step 3 The system gives a tag set 119873119878with 119873
119874tags including
119879 Then 119873119878is divided into two subsets 119873
1198781and 119873
1198782 For the
simplicity we assume each subset contains 119873119860tags Or else
we can define the smaller set contains119873119860tags which will not
affect the result of analysis but complex the analysis processA randomly picks a subset 119873
119878119887 where b = 0 or b = 1 and
determines if 119879 is in this subset A can pick both subsets If119873119878119887
contains T A can proceed tracking 119879 by tracking 119873119878119887
otherwise 119873119878(1minus119887)
A can send queries to the tag set or act asa man-in-the-middle between the tag set and the reader 119877
polynomial times but cannot compromise those tagsWe denote
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] (4)
as the possibility 119860 definitely knows whether tag set 119873119878119887
includes T A succeeds if 119860 definitely knows which tag setincludes 119879 Then the possibility that 119860 succeeds is
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] = 1 minus (1 minus 1198750)2
(5)
where 1198750is the possibility that 119860 succeeds in either subset in
a system employing MAP
Definition 1 Theadvantage of adversary119860 in the compromis-ing attack is defined as
advMAP119860
(1198960 119873119860
) =
1003816100381610038161003816100381610038161003816(119875MAP +
1
2(1 minus 119875MAP)) minus
1
2
1003816100381610038161003816100381610038161003816=
119875MAP2
(6)
where the probability is the advantage of 119860 correctly guessagainst randomly guess which subset 119879 is in
Definition 2 (M-strong(120576 1198960 119873119860
)-ind-privacy) An RFIDprotocol PRO is m-strong( 120576 119896
0 119873119860)-ind-private if when 119873
119860
approaches N the advantage advPRO119860
(1198960 119873119860
) is at most 120576 inpolynomial time Where 119873
119860lt 119873 120576 is an infinitesimal when
119873 approaches infinity
M-weak(120576 1198960 119873119860)-ind-privacy is defined the same as m-
strong (120576 1198960 119873119860
)-ind-privacy except that 1198960= 0
Destructive Final NoCorrupt corrput Corrupt corrupt
Wide
Narrow
m-strong m-forward m-weak
m-narrow m-narrowm-narrowm-narrowstrong destructive
m-destructive
forward weak
Figure 6 The privacy levels
The above two privacy notions can be simply denotedas m-strong-ind-privacy (MSIP) and m-weak-ind-privacy(MWIP) where the letter ldquo119898rdquo is the abbreviation of mul-tiple tags When 119873
119860= 1 the MSIP (MWIP) equals the
strong-privacy (weak-privacy) in Juelsrsquos model [23] and thedestructive-privacy (weak-privacy) in Vaudenayrsquos model [34]At this time the case of a tag lying in a set is identical tothe case of the target tag being a particular tag in traditionalprivacy model with two tags Thus our multiple tags privacymodel is a generalized version of existing privacy models[23 34] On the contrary the existing privacy models arespecial cases of multiple tags privacy where each tag set hasonly one tagThen we can define 8 different levels of privacyby generalizing Vaudenayrsquos model for multiple tags scenariosas illustrated in Figure 6
The above model is dedicated for classifying the privacyprotection in multiple tags scenarios Intuitively it is easierfor a tag to hide in a set than to behavior indistinguishably toanother tag Thus the above model is a model weaker thanthe privacy models for one-reader-one-tag scenarios
However if the authentication protocol does not take thisadvantage then the protocol cannot provide better privacyin scenarios with multiple tags than in one-reader-one-tag scenarios no matter how many tags are there to beauthenticated For example in the OSK [12] protocol onedesynchronized tag cannot be accepted by a legitimate readerThus a desynchronized tag can still be distinguished in a tagset saying nothing of hiding in the set As a result the OSKmethod cannot providem-strong-ind-privacy orm-weak-ind-privacy
In the tree for MAP when 119860 is not aware of all keys inboth branches A does not know the 119875
119862and has to randomly
guess one for navigation and conduct the searching processWhen the guess fails A sends out a position that has nocollisions Then 119860 cannot split the tags Only when 119860 knowsall the keys in the branches related to T A can send outthe correct 119875
119862and proceed on tracking That is the main
reason whyMAP performs better than traditional tree-basedprotocols in defending against compromising attacks In facttheMAP protocol ism-strong-ind-private as will be proven inthe bellowing
Theorem 3 TheMAP protocol is MSIP private
Proof We perform the compromising attack with MAPprotocol as follows
We denote tags in 119873119878119887
by 1198791015840 We denote keys in 119879
and 1198791015840 with (119896119890119910
0 1198961198901199101 119896119890119910
119889) and (119896119890119910
1015840
0 1198961198901199101015840
1 119896119890119910
1015840
119889)
International Journal of Distributed Sensor Networks 11
respectively where 119889 is the depth of the tree Considering atlevel 119909 where 119896119890119910
119909is in a subtree we use 119870
119909to denote the
set of known keys by 119860 in this subtree and 119896119909to denote
the number of keys in 119870119909 And 119896
0is the number of tags
compromised There are three cases to be considered at levelxCase 1 A does not succeed in previous 119909 minus 1 levels and thereis exactly one key 119896119890119910
1015840
119909equal to 119896119890119910
119909 A definitely knows 119873
119878119887
includes 119879 The possibility is
119875119903(1198621
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times
1
120575119909times (1 minus
1
120575119909)
119873119860minus1
(7)
Case 2119860 does not succeed in previous 119909minus1 levels and therersquosno key 119896119890119910
1015840
119909equals to 119896119890119910
119909 A definitely knows that 119873
119878119887does
not include 119879 The possibility is
119875119903(1198622
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times (1 minus
1
120575119909)
119873119860
(8)
Case 3 119860 does not succeed in previous 119909 minus 1 levels and morethan one key 119896119890119910
1015840
119909equals 119896119890119910
119909 In this case 119860 fails at level 119909
and should move to level 119909 + 1 The possibility is
119875119903(1198623
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575minus 119875119903(1198621
119909) minus 119875119903(1198622
119909)
(9)
Theoverall probability of119860 definitely knowswhether119873119878119887
includes 119879 is
1198750
= 119875119903(1198621
1or 1198622
1) +
119889
sum
119909=2
(119875119903(1198621
119909or 1198622
119909) times
119909minus1
prod
119910=1
119875119903(1198623
119910))
= (1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
times
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
)))
(10)
where
119875 (119896119890119910119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895) (120575 minus 119895)
(120575119909 minus 119895)2
1198961
= 120575 (1 minus (1 minus1
120575)
1198960
)
119896119909
= 120575 (1 minus (1 minus1
120575)
119892(119896119909)
) (2 le 119909 le 119889)
119892 (119896119909) = 1198960
119909minus1
prod
119910=1
1
119896119910
(11)
The possibility 119860 succeeds in either subset is 1198750which is
a monotonically decreasing function of 119873119860 so is 119875MAP The
advantage of 119860 is 119875MAP which decreases exponentially to 0 as119873119860increases to be big enoughConsidering that 119896
119909le 120575 and 120575 ge 2 we have the following
derivations
(1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
le (1
2)
119873119860minus1
1198961
120575
1198961
120575
1198961
minus 1
120575 minus 1
le (1
2)
119873119860minus1
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
))
lt
119909minus1
prod
119910=1
(119875 (119896119890119910119910) times 1 times 1)
=
119909minus1
prod
119910=1
119875 (119896119890119910119910)
(12)
Then we have the following deduction
1198750
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
119909minus1
prod
119910=1
119875 (119896119890119910119910))
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
(1 minus1
120575119909)
119873119860minus1
lt (1
2)
119873119860minus1
+ 119889(1 minus1
1205752)
119873119860minus1
(13)
The right part of the inequality is a monotonicallydecreasing function of 119873
119860 For example it can be deduced
that 1198750
lt (12)119873119860minus1
+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875
0is an
infinitesimal as 119873119860approaches 119873 so is 119875MAP According to
Definition 2 MAP ism-strong-ind-private
12 International Journal of Distributed Sensor Networks
0 50 100 150 2000
02
04
06
08
1
Succ
essfu
l pro
b o
f atta
ck
Size of tag set to be authenticated
MAPTree-based
Figure 7 Comparisons on defending against compromising attack
Assume a RFID system of 220 tags with 120575 = 2 and 119889 =
20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]
We can find that for both protocols the possibilities that119860
succeeds reduceswhen119873119860increases ForMAP the possibility
reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873
119860gt 8 119875MAP lt
005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200
62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information
63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881
119862values are only used for
navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol
64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack
in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key
MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack
An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860
firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold
65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough
66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 5
In particular the length of each tagrsquos response message to thereader can be minimized to one bit
4 MAP Design
41 Overview The MAP has four components system ini-tialization tags authentication updating and system main-tenance
MAP also initializes a virtual tree to organize keys fortags Except the root each virtual node in the tree containsa key Each leaf node is assigned to a tag Hence the depthof the tree is 119874(log119873) where 119873 is the total number of tagsin the system The reader maintains the key tree and keeps itsecret
To enable concurrent authentication formultiple tags theauthentication of MAP contains two phases anticollision ofmultiple tags and authentication of individual tags Duringthe former phase tags return one-bit responses to thereader If more than one branch replies the reader splitsthe entire tree (or a branch of the tree) into two subtrees(or subbranches) The reader then informs the tags on onesubtree (or subbranch) to continue performing the MAPprotocol and the tags on the other subtrees (or subbranches)to hold
For each subtree (or sub branch) the reader recursivelyexecutes the MAP protocol When arriving at a leaf node inthe virtual tree MAP launches its authentication componentin which the reader mutually authenticates a tag
After a successful mutual authentication between thereader and a tag the keys of the tag will be updated and hencesynchronized at both the tag and the reader When updatingthe keys MAP employs a cryptographic hash function withthe current key and two random nonces as inputs to generatea new key
In addition MAP provides maintenance function to dealwith tagsrsquo joining and leaving Utilizing this component theexpired tags can also be renewed
42 System Initialization MAP employs a sparse treedenoted as 119878 to initialize and maintain the keys for alltags We use 120575 and 119889 to denote the branching factor (2 forbinary tree) and depth of 119878 respectively For the simplicity ofexplanation we choose the branching factor of 2 As shownin Figure 1 assuming there are 119873 tags 119879
119894 1 le 119894 le 119873
and a reader R in the RFID system the reader 119877 assigns119873 tags to 119873 leaf nodes in 119878 In the key tree each virtualnode except the root contains a secret key As a result eachtag has 119889 keys which form a path from the root of theresponding leaf node in 119878 Initially each key is randomlygenerated The cryptographic hash function used by 119877 andall tags is ℎ(sdot) A counter 119888
119901is stored in each tag recording
the anticollision sequence of the tag Each tag 119879119894also has a
timestamp timestampiWhen initializing a tag 119879
119894 119877 first dispatches 119889 keys to 119879
119894
and sets the 119888119901of 119879119894to 0 119877 also sets the value of an internal
counter 1198880= 0 The counters denote the ldquoholdingrdquo sequence
for later remounting The keys are corresponding to a pathfrom the root of 119878 to the tag For example in Figure 1 the keysstored in tag 119879
1are 11989610 11989621 and 119896
32 We denote the secret
keys of 119879119894as (1198961198941 119896119894
2 119896
119894
119889) We define 119896
119894
119909as the 119909th key of 119879
119894
corresponding to the depth 119909 119877 then sets the timestampi of119879119894to the current time
43 Tags Authentication The tags authentication of MAP isdifferent from existing protocols This component has twophases anticollision of multiple tags and authentication ofindividual tags as illustrated in Algorithm 1 On the readerside the corresponding authentication is recursively executedon the key tree as performing a depth-first-search (DFS)This is supported by the remount subcomponent
431 Anticollision The anticollision process starts from theroot of the key tree At each virtual node the reader 119877
conducts one round of communication with the tags in itsdetecting range In the anticollision process prior worksusually require a tag to respond with the whole hash valuecomputed using its key and ID Instead MAP requests thetag to reply with only ONE bit in each round of interactionas illustrated in Figure 3 The requested bit is in the highestposition of those bits that differ Algorithm 1 illustratesthe interactive communication We use 119875
119862to denote the
highest position of the possible collision bits and 119881119862
todenote the value of bit on this position Since the outputs ofcryptographic hash function in MAP are 64 bits long hashvalues the length of 119875
119862can be 6 bits The whole anticollision
is executed in 119878 as followsAt each non leaf depth 119909 minus 1 1 le 119909 le 119889 minus 1 (for the root
119909 = 1) 119877 has two tasks choosing the branch denoted by 1198811015840
119862
for the anticollision process at level 119909 minus 2 which is related toa node 119899 at level 119909 minus 1 and pre-computing 119875
119862using the keys
on 119899rsquos branches at level 119909 The value of 1198811015840
119862is computed using
the branch keys at depth 119909 minus 1To choose a branch related at depth 119909 minus 1 119877 randomly
chooses a collision value 1198811015840
119862based on the tagsrsquo responses
where1198811015840
119862is computed using the branch keys at depth 119909minus1 To
generate 119875119862 119877 creates a timestamp 119903
119910 where 119910 is an integer
counter 119877 uses the keys of 119899rsquos two children nodes to computetwo hash values in the form of ℎ(119896
119894
119909 119903119910) 119877 then compares
these two hash values and records the highest position of thepossible collision bits as 119875
119862 119877 then sends a query with four
parameters 119903119910 1198811015840119862 119875119862 and 119888
119910 where 119888
119910is a counter
Upon receiving the query a tag 119879119894 which responded in
depth 119909 minus 2 checks whether the timestamp is posterior tothe one it holds If yes 119879
119894believes the query is a new request
and checks if 1198811015840
119862matches its last response If yes 119879
119894computes
119881119862related to 119875
119862of level 119909 and chooses the 119881
119862th time slot
to respond with bit ldquo1rdquo Otherwise if not match 119879119894enters
the ldquoholdingrdquo status and stores 119888119910in 119888119901 If more than one
branch replies 119877 also records the pair of (119888119910 119899119910) where 119899
119910
denotes the sibling node related to the 1198811015840
119862at level 119909 minus 1 If 119879
119894rsquos
timestamp is larger than the one in the query it randomlychooses a slot to respond with bit ldquo1rdquo
The anticollision is an important part of authenticationprocess processing multiple tags at the same time Based onthis MAP provides multiple tags style authentication otherthan sequential authentication in which the authenticationprocedure for each tag does not overlap
6 International Journal of Distributed Sensor Networks
Anti-collision sub-component At non-leaf depth 119909 minus 1119877 randomly selects a branch sends (119903
119910 119875119862 1198811015840119862 119888119910)
119877 records (119888119910 119909 minus 1) 119888
119910++
Tags which match 1198811015840
119862choose time slot (ℎ (119896
119894
119909 119903119910))119875119862
Tags not match wait and record 119888119910in 119888119901
Go to depth 119909
Authentication sub-component plus updatingif 119909 = 119889 At leaf level
119877 sends a timestamp 1198771to 119879119894
119879119894checks 119877
1and delay 119905max(119905ℎ119903119890119904ℎ119900119897119889 minus 119877
1+ 1)
then replies (1198772 119868) where 119868 = ℎ(1 119896
119894
119889 1198771 1198772)
119877 computes a hash value for 119879119894to check 119868
if match119877 accepts 119879
119894 and sends 119872 = ℎ(2 119896
119894
119889 1198771 1198772)
119877 updates 119896119894
119889to ℎ(3 119896
119894
119889 1198771 1198772) update R
else if not match119877 sends 119872 as a random number if match
119879119894gets 119872 and computes a value to check 119872
if 119872 matches the computed value by 119879119894
119879119894accepts 119877
119879119894updates 119896
119894
119889to ℎ(3 119896
119894
119889 1198771 1198772) update 119879
119894
Remount119877 chooses the max 119888
1199101015840 stored as 119888max in (119888
1199101015840 119901119900119904
1199101015840 )
While exists such 119888max119877 sends to tags (119888max 1199031199101015840 119875119862)119879119895with 119888max chooses slot (ℎ(119896
119895
1199091015840+1
1199031199101015840 ))119875119862
119877 deletes the pair stored related to 119888max119877 continues to tags-authentication atdepth 119909
1015840+ 1 in the sub-tree which roots at 119901119900119904
1199101015840
Algorithm 1 Tags authentication in MAP
ReaderQuery Query
Tagcomputing
Tagreply
Tagcomputing
Slot Slot0 1
T2
T3 HoldLevel x
ry 1 3 ry+1 0 2
middot middot middot
middot middot middot
middot middot middotmiddot middot middot
middot middot middot
middot middot middot
Level x minus 2 Level x minus 1
3rd bit = 1
3rd bit = 0
2nd bit = 1
Figure 3 Anticollision with one bit
432 Authentication When arriving at a leaf node R startsthe authentication subcomponent with 119879
119894 R and 119879
119894authen-
ticate each other via this subcomponent At this point Rhas exploited the path from the root to the leaf node relatedto 119879119894 The subcomponent includes four steps as shown in
Algorithm 1(1) 119877 sends a query to 119879
119894with the timestamp 119877
1
(2) Upon this query 119879119894checks if 119877
1is acceptable and
delay 119905max(threshold minus 1198771
+ 1) where 119905max is a predefinedmaximum delay and threshold is a predefined maximum
counter value The value of 119905max and threshold can be ini-tialized empirically and adjusted in real application Then119879119894replies with a random nonce 119877
2and a hash value 119868 =
ℎ(1 1198771 1198772 119896119894
119889)
(3) 119877 compares 119868 to the hash value computed usingcorresponding key stored in the database If the two hashvalues are identical the reader accepts the tag as a legitimateone Otherwise 119877 treats the tag as illegal For a legal tagthe reader sends 119872 = ℎ(2 119877
1 1198772 119896119894
119889) as an authentication
message and then launches the updating component on the
International Journal of Distributed Sensor Networks 7
reader side For an illegal tag the reader only sends a randombit string with the same length of ℎ(sdot)
Note that the key in the leaf node may not match thecorresponding tagrsquos key In this case 119877 has to search throughthe entire database to check if a matching key can be foundIf such a key is found the tag is accepted as legitimate Inthis way even a tag which is desynchronization attacked andthus has a big timestamp can also be authenticated This canprevent attackers from distinguishing tags by whether theycan be accepted
(4) UponM 119879119894computes the hash value based on the key
stored in it If they are matched119879119894takes 119877 as a legitimate one
119879119894then launches the updating on the tag side if119877 is legitimateA collisionmayhappenwhen two tags choose an identical
leaf node At this time there is more than one tag respondingto the readerTheir signals will collide and cannot be correctlydecodedThis can happenwhen a tagrsquos random choicesmatchthe path of the other tag from root to leaf The possibility is2minus119889 where 119889 is the depth of the key tree While the possibilityis negligible we just take these collidedmessages as a randommessage and complete the routine processes of authenticationand updating As each tag has a unique leaf key which will beupdated involving the random nonces during authenticationthe possibility they collide again at the leaf node will still benegligible we will process the colliding tags in the next roundof entire tags-authentication process
433 Remount After authentication and updating of atag the whole tag authentication process is remounted forunprocessed tags according to their ldquoholdingrdquo sequence indescending order 119877 finds out the max counter 119888max in the(1198881199101015840 1199011199001199041199101015840) pairs stored in the reader where 119910
1015840 is an integerIf there exists such a 119888max 119877 computes 119875
119862for the branches
of 1199011199001199041199101015840 and starts the anticollision subcomponent in the
subtree rooted at 1199011199001199041199101015840 To do this the reader sends a
recursive query command 1199031198901198881198761199061198901199031199101199101015840 with 119888max 119875
119862 and
a new timestamp 1199031199101015840 Upon this query each tag checks its
internal counter 119888119901The tags that have amatched 119888max respond
with the corresponding119881119862 If no such a 119888max exists the reader
terminates the current round of MAP and launches a newround The reader iteratively performs the authenticationprocess until all tags are processed or the number of roundsexceeds a predefined threshold threshold In MAP if there aresome tags moving into the detecting region of 119877 in currentround 119877 will treat them as newly coming tags in the nextround
We illustrate the above process by using the example ofauthenticating 119879
1 1198792 and 119879
3in Figure 1 Assume the reader
chooses the left branch each timeThen there is no collision atdepth 0 and the entire authentication procedure goes to thesubtree rooted at the node related to 119896
10at depth 1 The 119881
119862
values related to keys at depth 2 will collide 119877 moves downto the left branch related to 119896
20and 119896
30 119877 puts 119879
2and 119879
1in
a holding state at this point 119877 also records the anticollisionsequence and the node related to 119896
21 As there is no more
collision for1198793119877 completes the authentication of119879
3and goes
back to the holding tags 119877 requests 119881119862related to the keys at
depth 3The responses of 1198792and 119879
1fall in different branches
Then 119877 puts 1198792to holding state and authenticates 119879
1 After
that the reader 119877 authenticates 1198792
44 Updating After a successful mutual authenticationbetween the tag and reader the updating process follows asillustrated in Algorithm 1 MAP only updates the leaf keys formultiple tags environments where a leaf key is the key onthe leaf node There are two reasons First in our protocolthe keys on nonleaf nodes are only used for navigationSecond as analyzed in [22] updating keys for tags withoutchanging the sharing relationship of keys among tags will notincrease the difficulty for adversaries to successfully conductcompromising attacks We also allow a tag to be renewed inthe system maintenance component as an updating methodwhich also updates the tagrsquos location and the correspondingkeys in the virtual tree for better privacy
R updates the keys for a tag after a successful authentica-tion of the tag At the corresponding leaf node a new leaf keyis generated as 119896
119894
119889
1015840
= ℎ(3 1198771 1198772 119896119894
119889) for 119879
119894 119879119894updates its leaf
key only after a successful authentication of 119877 by checkingM
45 System Maintenance Users may want to insert renewor withdraw their tags The system maintenance componentdeals with these requests
If a new tag joins in the systemR initializes it by assigningit to an empty leaf node and generates the necessary keys forit If a tag is withdrawn R simply deletes the information oncorresponding nodes related to the tag from S
We also allow a tag to be renewed for better security andprivacy The permission is controlled by the manager Whena tag is permitted to be renewed it is first withdrawn by thereader Then the reader treats the tag like a new one andinserts it into the system After being renewed the new keysand related path in the key tree have no relation with the oldones
5 Performance Analysis
In this section we analyze the performance of MAP con-sidering both communication and computation costs Wetheoretically analyze the costs and give the correspondingupper bound lower bound andmean valueWe also launch asimulation Then we compare the performance of MAP withtwo combination solutions
51 Theoretical Analysis In MAP multiple tags are authenti-cated concurrently thus we care about the average time costsderived from costs for all tags divided by the number of tagsIn Section 5 when we mention a cost for each tag we aremeaning such an average time cost for each tag
There are cases when the tags to be authenticated coverthe least branchesThenpaths of these tags cover a full subtreeand a single path from the root of this subtree to the rootof system tree 119878 as 119879
1and 119879
2in Figure 4(a) In these cases
arbitrations and hash computations are shared by the mosttags Thus it is possible that both the communication andcompute cost for each tag are the least in these cases
8 International Journal of Distributed Sensor Networks
k10
k21
k32 k33
T1 T2
M1
M2
(a) Most sharing
k20
k30
k10
T3
(b) Least sharing
Figure 4 The different sharing scenarios
Contrarily when the tags cover the most branchesrespecting no path being shared as 119879
3itself in Figure 4(b)
then it is possible that both communication and compute costfor each tag are the largest as arbitrations and hash computesare shared by the least tags
For theoretic comprehensibility we consider time cost fortransferring hash values in communication cost For computecost we consider only cost for computing hash values atboth reader end and tag end For the overall cost consideringoverheads we give a simulation result in Section 52
When tags cover the least branches the minimumcommunication and compute cost are computed as followsTheoretically they are the lower bound of MAP in terms oftime cost Indeed both of them are in O(1) complexity
Commmin = 119905auth + 2119905query + 119905reply minus
(119905query + 119905reply)
119873
asymp 119905auth + 2119905query + 119905reply
Compmin = (2 minus1
119873) 119905119905119888119900119898119901
+ (3 minus2
119873119860
) 119905119903119888119900119898119901
asymp 2119905119905119888119900119898119901
+ 3119905119903119888119900119898119901
(1)
where the 119889 is the height of the system tree 119878 119873 is thenumber of tags in the system 119873
119860is the number of tags to
be authenticated and 119873119860
= 119873 in this case 119905query is the timefor a reader 119877 to send out a query 119905reply is the time for eachtag on both branches to reply their related 1 bit 119881
119862values in
the two time slots 119905auth is the time for a tag to send the hashvalue of its leaf node 119905
119905119888119900119898119901is the time for a tag to compute
a hash value and 119905119903119888119900119898119901
is the time for 119877 to compute a hashvalue Note that we suppose sending the request commandsneeds the same time as the 119905query
When each tag covers themost branches there is only onetag to be authenticated Thus we get the maximum costs Wedenote the maximum communication and compute cost as
Commmax and Compmax respectively The theoretical upperbound cost of MAP is given by
Commmax = 119905auth + 119889 times 119905reply + (119889 + 1) 119905query
Compmax = (119889 + 1) 119905119903119888119900119898119901
+ (2119889 + 1) 119905119903119888119900119898119901
(2)
where 119889 is the height of the system tree 119878 We can find thatboth the maximum costs have an 119874(log119873) complexity
When tags cover all branches supposing the coverprobability is unique we get the mean communication andcomputing costs as follows
Commmean = 119905auth + 119905query
+ (119905query + 119905reply) (2 + 119889 minus log2119873119860
minus1
119873119860
)
asymp 119905auth + 119905query + (119905query + 119905reply)
times (2 + 119889 minus log2119873119860
)
Compmean = (2 + 119889 minus log2119873119860
minus1
119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
minus1
119873119860
) 119905119903119888119900119898119901
asymp (2 + 119889 minus log2119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
) 119905119903119888119900119898119901
(3)
Both Commmean and Compmean are strict monotonicfunctions of 119873
119860 When 119873
119860is big enough they approach the
constant value of 119874(1)Considering the minimum authentication cost without
anticollision or updating for a single tag in traditional tree-based protocol it will need to compute transmit and verifyat least log
120575119873 ciphers where 120575 is the branching factor of the
key tree When the tag lies at the first-reach leaf the costis minimum with message length and computation times ofabout log
120575119873 When the tag lies at the last-reach leaf the cost
is maximum with the computation times enlarged to about120575 times log
120575119873 The average computation cost is about (1 + 120575)2 times
log120575119873ThusMAP protocol outperforms the traditional tree-
based protocol theoretically
52 Simulation We compared the average processing timeof MAP to two simple combination solutions Both thetwo solutions use the slot-count (Q) selection algorithm inEPC C1G2 UHF Air Interface Protocol Standard [31] foranticollision The PPA protocols for these two solutions arethe typical tree-based protocol [20] and RWP protocol [22]with O(1) complexity In all protocols both tag side andreader side employ SQUASH (SQUaring haSH) which isproposed by Shamir in [8] to compute hash values SQUASHneeds only several hundred gate equivalents (GEs) and isappropriate for low cost RFID tags We consider the overalltime cost including communication cost and search cost
International Journal of Distributed Sensor Networks 9
The communication cost includes the cost for transmittingcommands and data with overheads such as wait time timeout frame sync and preamble Note that compared to otherkinds of wireless communication such as WiFi the messagesexchanged between the reader and tags are very short Thusthe overheads are not negligible All the command formatsdata formats and link timing follow the standard In searchcost we consider compute cost for hash values by both readerand tags We assume the reader can process 223 times 64 bitsSQUASH in a second in average For the tag we assume it canprocess one time SQUASH in 6775 us and 242 us We makethese two assumptions based on the link timing requirementsspecified in the standard
In our simulation the forward data rate is 40Kbps andthe backward data rate is 320KbpsWe suppose that there are220 tags in the system We choose tags randomly and repeatthe whole process 100 times for average results
In Figure 5 we give the result for 1000 tags The simu-lation result shows that MAP gains a better efficiency thantypical tree-based protocol The average time cost of tree-based protocols is about 22 times to 42 times that of MAPThe efficiency of MAP asymptotically approaches the RWPprotocol with O(1) complexity as the size of the tag setapproaches 1000 The simulation result is in accordance withthe theoretical analysis That is because in MAP computingand communication are shared between all tags Moreoverduring anticollision subcomponent tags respond with only 1bit to save communication cost That is why MAP outper-forms typical tree-based protocol when tag size is small
According to the performance result in [26] for 1000 tagsin a system with 105 tags at 40Kbps forward rate achieving1 erroneous decision the SEBA approach [25] needs 41min-utes while the SEBA+ approach [26] needs about 4 minutesUtilizing MAP it takes about 1000 times 10405times 10minus6 s = 1122 swhich is less than SEBA and more than SEBA+ Howeverthe result in [26] considers only the message transmissiontime leaving out the nonnegligible computation time andthe communication overheads such as wait time time outframe sync and preamble Moreover MAP provides accurateauthenticationwith no error probabilityThusMAP is a goodchoice in performance for the authentication ofmultiple tags
6 Security and Privacy Analysis
In this section we analyze the security and privacy charactersof MAP Because our approach is tree based we focus onresistance to compromising attackwhich has themost seriousimpact on conventional tree-based approaches [23] Weprove that MAP is m-strong-ind-private showing that MAPsatisfies strong privacy protection in multiple tags scenarioWe also show the abilities of MAP in terms of confidentialitycloning resistance tracking resistance timing-based attackresistance and forward secrecy
61 Compromising Attack Compromising attack is the mosteffective way for crashing tree-based protocols That isbecause tags organized in tree-based structures share keyswith each other When an adversary 119860 compromises some
0 200 400 600 800 1000
39
4
41
42
43
44
45
46
47
48
Size of tag set to be authenticated
log10
style
)
Tree-basedTree-basedMAP
MAPRWPRWP
242120583s6775120583s
6775120583s
242120583s242120583s6775120583s
Aver
age p
roce
ssin
g tim
e (120583
sFigure 5 Comparison on performance for 1ndash1000 tags
tags and thus obtain their secret keysA can deduce the secretkeys of other tags In conventional tree-based protocols alegitimate reader splits a tag from other possible ones levelby level and finally authenticates it on the leaf using itskeys on related levels An adversary can also distinguishtags and further track them in this way with keys fromthe compromised tags For detailed analysis please refer to[14 21]
Our analysis is based on the works in [10 14 18 2123 34] The notion of strong ind-privacy defined in [23]which is equivalent to the destructive-privacy defined in[34] is very similar to the strong privacy provided byMAP except that MAP focuses on privacy protection formultiple tags The existing privacy models are designedfor one-tag-one-reader authentication scheme and focus ondistinguishability privacy between TWO tags only They arenot fit for the multiple tags scenario in MAP where thereader cannot communicate to a tag before anticollisionsubcomponent
We define a new model for multiple tags environmentsincluding four oracles Request(sdot sdot sdot) Send(sdotsdot) Relay(sdotsdot) andCompromise(sdot) to formulate the attacks to the tag sets andreader Assume we have a tag set 119873
119878 Any attack on 119877 or 119873
119878
can be represented by calling on its oraclesRequest(119873
119878 1198981 1198983) A queries the tag set 119873
119878by a query
message1198981and receives the responsesThen119860 sends another
message 1198983to 119873119878 including the collision arbitration and Rrsquos
authentication dataSend(R 119898
2) A sends a message 119898
2 representing the tag
setrsquos reply and authentication messages to 119877 and receives aresponse
Relay(119873119878 119877) A relays the messages between 119873
119878and R A
can arbitrarily modify the messages from one side to another
10 International Journal of Distributed Sensor Networks
Compromise(119873119862) A compromises tags in set 119873
119862and
obtains their secret keys where 119873119862is a tag set 119860 obtains The
compromised tags are broken and cannot be used any furtherThe compromising attack on MAP denoted by
CAMAP119860
[1198960 119873119860
] is performed with the following steps
Step 1 The adversary 119860 compromises 1198960tags and obtains
their secret keys
Step 2 A chooses a target tag 119879 that has not been compro-mised A can query 119879 or act as a man-in-the-middle between119879 and the reader 119877 polynomial times Note that 119860 cannotcompromise119879 According to the secret keys119860 gains in Step 1A can compute outputs of these keys and compare to themTrsquosoutputs In this way 119860 can determine which of Trsquos keys equalto Arsquos known keys
Step 3 The system gives a tag set 119873119878with 119873
119874tags including
119879 Then 119873119878is divided into two subsets 119873
1198781and 119873
1198782 For the
simplicity we assume each subset contains 119873119860tags Or else
we can define the smaller set contains119873119860tags which will not
affect the result of analysis but complex the analysis processA randomly picks a subset 119873
119878119887 where b = 0 or b = 1 and
determines if 119879 is in this subset A can pick both subsets If119873119878119887
contains T A can proceed tracking 119879 by tracking 119873119878119887
otherwise 119873119878(1minus119887)
A can send queries to the tag set or act asa man-in-the-middle between the tag set and the reader 119877
polynomial times but cannot compromise those tagsWe denote
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] (4)
as the possibility 119860 definitely knows whether tag set 119873119878119887
includes T A succeeds if 119860 definitely knows which tag setincludes 119879 Then the possibility that 119860 succeeds is
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] = 1 minus (1 minus 1198750)2
(5)
where 1198750is the possibility that 119860 succeeds in either subset in
a system employing MAP
Definition 1 Theadvantage of adversary119860 in the compromis-ing attack is defined as
advMAP119860
(1198960 119873119860
) =
1003816100381610038161003816100381610038161003816(119875MAP +
1
2(1 minus 119875MAP)) minus
1
2
1003816100381610038161003816100381610038161003816=
119875MAP2
(6)
where the probability is the advantage of 119860 correctly guessagainst randomly guess which subset 119879 is in
Definition 2 (M-strong(120576 1198960 119873119860
)-ind-privacy) An RFIDprotocol PRO is m-strong( 120576 119896
0 119873119860)-ind-private if when 119873
119860
approaches N the advantage advPRO119860
(1198960 119873119860
) is at most 120576 inpolynomial time Where 119873
119860lt 119873 120576 is an infinitesimal when
119873 approaches infinity
M-weak(120576 1198960 119873119860)-ind-privacy is defined the same as m-
strong (120576 1198960 119873119860
)-ind-privacy except that 1198960= 0
Destructive Final NoCorrupt corrput Corrupt corrupt
Wide
Narrow
m-strong m-forward m-weak
m-narrow m-narrowm-narrowm-narrowstrong destructive
m-destructive
forward weak
Figure 6 The privacy levels
The above two privacy notions can be simply denotedas m-strong-ind-privacy (MSIP) and m-weak-ind-privacy(MWIP) where the letter ldquo119898rdquo is the abbreviation of mul-tiple tags When 119873
119860= 1 the MSIP (MWIP) equals the
strong-privacy (weak-privacy) in Juelsrsquos model [23] and thedestructive-privacy (weak-privacy) in Vaudenayrsquos model [34]At this time the case of a tag lying in a set is identical tothe case of the target tag being a particular tag in traditionalprivacy model with two tags Thus our multiple tags privacymodel is a generalized version of existing privacy models[23 34] On the contrary the existing privacy models arespecial cases of multiple tags privacy where each tag set hasonly one tagThen we can define 8 different levels of privacyby generalizing Vaudenayrsquos model for multiple tags scenariosas illustrated in Figure 6
The above model is dedicated for classifying the privacyprotection in multiple tags scenarios Intuitively it is easierfor a tag to hide in a set than to behavior indistinguishably toanother tag Thus the above model is a model weaker thanthe privacy models for one-reader-one-tag scenarios
However if the authentication protocol does not take thisadvantage then the protocol cannot provide better privacyin scenarios with multiple tags than in one-reader-one-tag scenarios no matter how many tags are there to beauthenticated For example in the OSK [12] protocol onedesynchronized tag cannot be accepted by a legitimate readerThus a desynchronized tag can still be distinguished in a tagset saying nothing of hiding in the set As a result the OSKmethod cannot providem-strong-ind-privacy orm-weak-ind-privacy
In the tree for MAP when 119860 is not aware of all keys inboth branches A does not know the 119875
119862and has to randomly
guess one for navigation and conduct the searching processWhen the guess fails A sends out a position that has nocollisions Then 119860 cannot split the tags Only when 119860 knowsall the keys in the branches related to T A can send outthe correct 119875
119862and proceed on tracking That is the main
reason whyMAP performs better than traditional tree-basedprotocols in defending against compromising attacks In facttheMAP protocol ism-strong-ind-private as will be proven inthe bellowing
Theorem 3 TheMAP protocol is MSIP private
Proof We perform the compromising attack with MAPprotocol as follows
We denote tags in 119873119878119887
by 1198791015840 We denote keys in 119879
and 1198791015840 with (119896119890119910
0 1198961198901199101 119896119890119910
119889) and (119896119890119910
1015840
0 1198961198901199101015840
1 119896119890119910
1015840
119889)
International Journal of Distributed Sensor Networks 11
respectively where 119889 is the depth of the tree Considering atlevel 119909 where 119896119890119910
119909is in a subtree we use 119870
119909to denote the
set of known keys by 119860 in this subtree and 119896119909to denote
the number of keys in 119870119909 And 119896
0is the number of tags
compromised There are three cases to be considered at levelxCase 1 A does not succeed in previous 119909 minus 1 levels and thereis exactly one key 119896119890119910
1015840
119909equal to 119896119890119910
119909 A definitely knows 119873
119878119887
includes 119879 The possibility is
119875119903(1198621
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times
1
120575119909times (1 minus
1
120575119909)
119873119860minus1
(7)
Case 2119860 does not succeed in previous 119909minus1 levels and therersquosno key 119896119890119910
1015840
119909equals to 119896119890119910
119909 A definitely knows that 119873
119878119887does
not include 119879 The possibility is
119875119903(1198622
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times (1 minus
1
120575119909)
119873119860
(8)
Case 3 119860 does not succeed in previous 119909 minus 1 levels and morethan one key 119896119890119910
1015840
119909equals 119896119890119910
119909 In this case 119860 fails at level 119909
and should move to level 119909 + 1 The possibility is
119875119903(1198623
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575minus 119875119903(1198621
119909) minus 119875119903(1198622
119909)
(9)
Theoverall probability of119860 definitely knowswhether119873119878119887
includes 119879 is
1198750
= 119875119903(1198621
1or 1198622
1) +
119889
sum
119909=2
(119875119903(1198621
119909or 1198622
119909) times
119909minus1
prod
119910=1
119875119903(1198623
119910))
= (1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
times
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
)))
(10)
where
119875 (119896119890119910119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895) (120575 minus 119895)
(120575119909 minus 119895)2
1198961
= 120575 (1 minus (1 minus1
120575)
1198960
)
119896119909
= 120575 (1 minus (1 minus1
120575)
119892(119896119909)
) (2 le 119909 le 119889)
119892 (119896119909) = 1198960
119909minus1
prod
119910=1
1
119896119910
(11)
The possibility 119860 succeeds in either subset is 1198750which is
a monotonically decreasing function of 119873119860 so is 119875MAP The
advantage of 119860 is 119875MAP which decreases exponentially to 0 as119873119860increases to be big enoughConsidering that 119896
119909le 120575 and 120575 ge 2 we have the following
derivations
(1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
le (1
2)
119873119860minus1
1198961
120575
1198961
120575
1198961
minus 1
120575 minus 1
le (1
2)
119873119860minus1
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
))
lt
119909minus1
prod
119910=1
(119875 (119896119890119910119910) times 1 times 1)
=
119909minus1
prod
119910=1
119875 (119896119890119910119910)
(12)
Then we have the following deduction
1198750
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
119909minus1
prod
119910=1
119875 (119896119890119910119910))
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
(1 minus1
120575119909)
119873119860minus1
lt (1
2)
119873119860minus1
+ 119889(1 minus1
1205752)
119873119860minus1
(13)
The right part of the inequality is a monotonicallydecreasing function of 119873
119860 For example it can be deduced
that 1198750
lt (12)119873119860minus1
+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875
0is an
infinitesimal as 119873119860approaches 119873 so is 119875MAP According to
Definition 2 MAP ism-strong-ind-private
12 International Journal of Distributed Sensor Networks
0 50 100 150 2000
02
04
06
08
1
Succ
essfu
l pro
b o
f atta
ck
Size of tag set to be authenticated
MAPTree-based
Figure 7 Comparisons on defending against compromising attack
Assume a RFID system of 220 tags with 120575 = 2 and 119889 =
20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]
We can find that for both protocols the possibilities that119860
succeeds reduceswhen119873119860increases ForMAP the possibility
reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873
119860gt 8 119875MAP lt
005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200
62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information
63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881
119862values are only used for
navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol
64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack
in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key
MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack
An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860
firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold
65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough
66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
6 International Journal of Distributed Sensor Networks
Anti-collision sub-component At non-leaf depth 119909 minus 1119877 randomly selects a branch sends (119903
119910 119875119862 1198811015840119862 119888119910)
119877 records (119888119910 119909 minus 1) 119888
119910++
Tags which match 1198811015840
119862choose time slot (ℎ (119896
119894
119909 119903119910))119875119862
Tags not match wait and record 119888119910in 119888119901
Go to depth 119909
Authentication sub-component plus updatingif 119909 = 119889 At leaf level
119877 sends a timestamp 1198771to 119879119894
119879119894checks 119877
1and delay 119905max(119905ℎ119903119890119904ℎ119900119897119889 minus 119877
1+ 1)
then replies (1198772 119868) where 119868 = ℎ(1 119896
119894
119889 1198771 1198772)
119877 computes a hash value for 119879119894to check 119868
if match119877 accepts 119879
119894 and sends 119872 = ℎ(2 119896
119894
119889 1198771 1198772)
119877 updates 119896119894
119889to ℎ(3 119896
119894
119889 1198771 1198772) update R
else if not match119877 sends 119872 as a random number if match
119879119894gets 119872 and computes a value to check 119872
if 119872 matches the computed value by 119879119894
119879119894accepts 119877
119879119894updates 119896
119894
119889to ℎ(3 119896
119894
119889 1198771 1198772) update 119879
119894
Remount119877 chooses the max 119888
1199101015840 stored as 119888max in (119888
1199101015840 119901119900119904
1199101015840 )
While exists such 119888max119877 sends to tags (119888max 1199031199101015840 119875119862)119879119895with 119888max chooses slot (ℎ(119896
119895
1199091015840+1
1199031199101015840 ))119875119862
119877 deletes the pair stored related to 119888max119877 continues to tags-authentication atdepth 119909
1015840+ 1 in the sub-tree which roots at 119901119900119904
1199101015840
Algorithm 1 Tags authentication in MAP
ReaderQuery Query
Tagcomputing
Tagreply
Tagcomputing
Slot Slot0 1
T2
T3 HoldLevel x
ry 1 3 ry+1 0 2
middot middot middot
middot middot middot
middot middot middotmiddot middot middot
middot middot middot
middot middot middot
Level x minus 2 Level x minus 1
3rd bit = 1
3rd bit = 0
2nd bit = 1
Figure 3 Anticollision with one bit
432 Authentication When arriving at a leaf node R startsthe authentication subcomponent with 119879
119894 R and 119879
119894authen-
ticate each other via this subcomponent At this point Rhas exploited the path from the root to the leaf node relatedto 119879119894 The subcomponent includes four steps as shown in
Algorithm 1(1) 119877 sends a query to 119879
119894with the timestamp 119877
1
(2) Upon this query 119879119894checks if 119877
1is acceptable and
delay 119905max(threshold minus 1198771
+ 1) where 119905max is a predefinedmaximum delay and threshold is a predefined maximum
counter value The value of 119905max and threshold can be ini-tialized empirically and adjusted in real application Then119879119894replies with a random nonce 119877
2and a hash value 119868 =
ℎ(1 1198771 1198772 119896119894
119889)
(3) 119877 compares 119868 to the hash value computed usingcorresponding key stored in the database If the two hashvalues are identical the reader accepts the tag as a legitimateone Otherwise 119877 treats the tag as illegal For a legal tagthe reader sends 119872 = ℎ(2 119877
1 1198772 119896119894
119889) as an authentication
message and then launches the updating component on the
International Journal of Distributed Sensor Networks 7
reader side For an illegal tag the reader only sends a randombit string with the same length of ℎ(sdot)
Note that the key in the leaf node may not match thecorresponding tagrsquos key In this case 119877 has to search throughthe entire database to check if a matching key can be foundIf such a key is found the tag is accepted as legitimate Inthis way even a tag which is desynchronization attacked andthus has a big timestamp can also be authenticated This canprevent attackers from distinguishing tags by whether theycan be accepted
(4) UponM 119879119894computes the hash value based on the key
stored in it If they are matched119879119894takes 119877 as a legitimate one
119879119894then launches the updating on the tag side if119877 is legitimateA collisionmayhappenwhen two tags choose an identical
leaf node At this time there is more than one tag respondingto the readerTheir signals will collide and cannot be correctlydecodedThis can happenwhen a tagrsquos random choicesmatchthe path of the other tag from root to leaf The possibility is2minus119889 where 119889 is the depth of the key tree While the possibilityis negligible we just take these collidedmessages as a randommessage and complete the routine processes of authenticationand updating As each tag has a unique leaf key which will beupdated involving the random nonces during authenticationthe possibility they collide again at the leaf node will still benegligible we will process the colliding tags in the next roundof entire tags-authentication process
433 Remount After authentication and updating of atag the whole tag authentication process is remounted forunprocessed tags according to their ldquoholdingrdquo sequence indescending order 119877 finds out the max counter 119888max in the(1198881199101015840 1199011199001199041199101015840) pairs stored in the reader where 119910
1015840 is an integerIf there exists such a 119888max 119877 computes 119875
119862for the branches
of 1199011199001199041199101015840 and starts the anticollision subcomponent in the
subtree rooted at 1199011199001199041199101015840 To do this the reader sends a
recursive query command 1199031198901198881198761199061198901199031199101199101015840 with 119888max 119875
119862 and
a new timestamp 1199031199101015840 Upon this query each tag checks its
internal counter 119888119901The tags that have amatched 119888max respond
with the corresponding119881119862 If no such a 119888max exists the reader
terminates the current round of MAP and launches a newround The reader iteratively performs the authenticationprocess until all tags are processed or the number of roundsexceeds a predefined threshold threshold In MAP if there aresome tags moving into the detecting region of 119877 in currentround 119877 will treat them as newly coming tags in the nextround
We illustrate the above process by using the example ofauthenticating 119879
1 1198792 and 119879
3in Figure 1 Assume the reader
chooses the left branch each timeThen there is no collision atdepth 0 and the entire authentication procedure goes to thesubtree rooted at the node related to 119896
10at depth 1 The 119881
119862
values related to keys at depth 2 will collide 119877 moves downto the left branch related to 119896
20and 119896
30 119877 puts 119879
2and 119879
1in
a holding state at this point 119877 also records the anticollisionsequence and the node related to 119896
21 As there is no more
collision for1198793119877 completes the authentication of119879
3and goes
back to the holding tags 119877 requests 119881119862related to the keys at
depth 3The responses of 1198792and 119879
1fall in different branches
Then 119877 puts 1198792to holding state and authenticates 119879
1 After
that the reader 119877 authenticates 1198792
44 Updating After a successful mutual authenticationbetween the tag and reader the updating process follows asillustrated in Algorithm 1 MAP only updates the leaf keys formultiple tags environments where a leaf key is the key onthe leaf node There are two reasons First in our protocolthe keys on nonleaf nodes are only used for navigationSecond as analyzed in [22] updating keys for tags withoutchanging the sharing relationship of keys among tags will notincrease the difficulty for adversaries to successfully conductcompromising attacks We also allow a tag to be renewed inthe system maintenance component as an updating methodwhich also updates the tagrsquos location and the correspondingkeys in the virtual tree for better privacy
R updates the keys for a tag after a successful authentica-tion of the tag At the corresponding leaf node a new leaf keyis generated as 119896
119894
119889
1015840
= ℎ(3 1198771 1198772 119896119894
119889) for 119879
119894 119879119894updates its leaf
key only after a successful authentication of 119877 by checkingM
45 System Maintenance Users may want to insert renewor withdraw their tags The system maintenance componentdeals with these requests
If a new tag joins in the systemR initializes it by assigningit to an empty leaf node and generates the necessary keys forit If a tag is withdrawn R simply deletes the information oncorresponding nodes related to the tag from S
We also allow a tag to be renewed for better security andprivacy The permission is controlled by the manager Whena tag is permitted to be renewed it is first withdrawn by thereader Then the reader treats the tag like a new one andinserts it into the system After being renewed the new keysand related path in the key tree have no relation with the oldones
5 Performance Analysis
In this section we analyze the performance of MAP con-sidering both communication and computation costs Wetheoretically analyze the costs and give the correspondingupper bound lower bound andmean valueWe also launch asimulation Then we compare the performance of MAP withtwo combination solutions
51 Theoretical Analysis In MAP multiple tags are authenti-cated concurrently thus we care about the average time costsderived from costs for all tags divided by the number of tagsIn Section 5 when we mention a cost for each tag we aremeaning such an average time cost for each tag
There are cases when the tags to be authenticated coverthe least branchesThenpaths of these tags cover a full subtreeand a single path from the root of this subtree to the rootof system tree 119878 as 119879
1and 119879
2in Figure 4(a) In these cases
arbitrations and hash computations are shared by the mosttags Thus it is possible that both the communication andcompute cost for each tag are the least in these cases
8 International Journal of Distributed Sensor Networks
k10
k21
k32 k33
T1 T2
M1
M2
(a) Most sharing
k20
k30
k10
T3
(b) Least sharing
Figure 4 The different sharing scenarios
Contrarily when the tags cover the most branchesrespecting no path being shared as 119879
3itself in Figure 4(b)
then it is possible that both communication and compute costfor each tag are the largest as arbitrations and hash computesare shared by the least tags
For theoretic comprehensibility we consider time cost fortransferring hash values in communication cost For computecost we consider only cost for computing hash values atboth reader end and tag end For the overall cost consideringoverheads we give a simulation result in Section 52
When tags cover the least branches the minimumcommunication and compute cost are computed as followsTheoretically they are the lower bound of MAP in terms oftime cost Indeed both of them are in O(1) complexity
Commmin = 119905auth + 2119905query + 119905reply minus
(119905query + 119905reply)
119873
asymp 119905auth + 2119905query + 119905reply
Compmin = (2 minus1
119873) 119905119905119888119900119898119901
+ (3 minus2
119873119860
) 119905119903119888119900119898119901
asymp 2119905119905119888119900119898119901
+ 3119905119903119888119900119898119901
(1)
where the 119889 is the height of the system tree 119878 119873 is thenumber of tags in the system 119873
119860is the number of tags to
be authenticated and 119873119860
= 119873 in this case 119905query is the timefor a reader 119877 to send out a query 119905reply is the time for eachtag on both branches to reply their related 1 bit 119881
119862values in
the two time slots 119905auth is the time for a tag to send the hashvalue of its leaf node 119905
119905119888119900119898119901is the time for a tag to compute
a hash value and 119905119903119888119900119898119901
is the time for 119877 to compute a hashvalue Note that we suppose sending the request commandsneeds the same time as the 119905query
When each tag covers themost branches there is only onetag to be authenticated Thus we get the maximum costs Wedenote the maximum communication and compute cost as
Commmax and Compmax respectively The theoretical upperbound cost of MAP is given by
Commmax = 119905auth + 119889 times 119905reply + (119889 + 1) 119905query
Compmax = (119889 + 1) 119905119903119888119900119898119901
+ (2119889 + 1) 119905119903119888119900119898119901
(2)
where 119889 is the height of the system tree 119878 We can find thatboth the maximum costs have an 119874(log119873) complexity
When tags cover all branches supposing the coverprobability is unique we get the mean communication andcomputing costs as follows
Commmean = 119905auth + 119905query
+ (119905query + 119905reply) (2 + 119889 minus log2119873119860
minus1
119873119860
)
asymp 119905auth + 119905query + (119905query + 119905reply)
times (2 + 119889 minus log2119873119860
)
Compmean = (2 + 119889 minus log2119873119860
minus1
119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
minus1
119873119860
) 119905119903119888119900119898119901
asymp (2 + 119889 minus log2119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
) 119905119903119888119900119898119901
(3)
Both Commmean and Compmean are strict monotonicfunctions of 119873
119860 When 119873
119860is big enough they approach the
constant value of 119874(1)Considering the minimum authentication cost without
anticollision or updating for a single tag in traditional tree-based protocol it will need to compute transmit and verifyat least log
120575119873 ciphers where 120575 is the branching factor of the
key tree When the tag lies at the first-reach leaf the costis minimum with message length and computation times ofabout log
120575119873 When the tag lies at the last-reach leaf the cost
is maximum with the computation times enlarged to about120575 times log
120575119873 The average computation cost is about (1 + 120575)2 times
log120575119873ThusMAP protocol outperforms the traditional tree-
based protocol theoretically
52 Simulation We compared the average processing timeof MAP to two simple combination solutions Both thetwo solutions use the slot-count (Q) selection algorithm inEPC C1G2 UHF Air Interface Protocol Standard [31] foranticollision The PPA protocols for these two solutions arethe typical tree-based protocol [20] and RWP protocol [22]with O(1) complexity In all protocols both tag side andreader side employ SQUASH (SQUaring haSH) which isproposed by Shamir in [8] to compute hash values SQUASHneeds only several hundred gate equivalents (GEs) and isappropriate for low cost RFID tags We consider the overalltime cost including communication cost and search cost
International Journal of Distributed Sensor Networks 9
The communication cost includes the cost for transmittingcommands and data with overheads such as wait time timeout frame sync and preamble Note that compared to otherkinds of wireless communication such as WiFi the messagesexchanged between the reader and tags are very short Thusthe overheads are not negligible All the command formatsdata formats and link timing follow the standard In searchcost we consider compute cost for hash values by both readerand tags We assume the reader can process 223 times 64 bitsSQUASH in a second in average For the tag we assume it canprocess one time SQUASH in 6775 us and 242 us We makethese two assumptions based on the link timing requirementsspecified in the standard
In our simulation the forward data rate is 40Kbps andthe backward data rate is 320KbpsWe suppose that there are220 tags in the system We choose tags randomly and repeatthe whole process 100 times for average results
In Figure 5 we give the result for 1000 tags The simu-lation result shows that MAP gains a better efficiency thantypical tree-based protocol The average time cost of tree-based protocols is about 22 times to 42 times that of MAPThe efficiency of MAP asymptotically approaches the RWPprotocol with O(1) complexity as the size of the tag setapproaches 1000 The simulation result is in accordance withthe theoretical analysis That is because in MAP computingand communication are shared between all tags Moreoverduring anticollision subcomponent tags respond with only 1bit to save communication cost That is why MAP outper-forms typical tree-based protocol when tag size is small
According to the performance result in [26] for 1000 tagsin a system with 105 tags at 40Kbps forward rate achieving1 erroneous decision the SEBA approach [25] needs 41min-utes while the SEBA+ approach [26] needs about 4 minutesUtilizing MAP it takes about 1000 times 10405times 10minus6 s = 1122 swhich is less than SEBA and more than SEBA+ Howeverthe result in [26] considers only the message transmissiontime leaving out the nonnegligible computation time andthe communication overheads such as wait time time outframe sync and preamble Moreover MAP provides accurateauthenticationwith no error probabilityThusMAP is a goodchoice in performance for the authentication ofmultiple tags
6 Security and Privacy Analysis
In this section we analyze the security and privacy charactersof MAP Because our approach is tree based we focus onresistance to compromising attackwhich has themost seriousimpact on conventional tree-based approaches [23] Weprove that MAP is m-strong-ind-private showing that MAPsatisfies strong privacy protection in multiple tags scenarioWe also show the abilities of MAP in terms of confidentialitycloning resistance tracking resistance timing-based attackresistance and forward secrecy
61 Compromising Attack Compromising attack is the mosteffective way for crashing tree-based protocols That isbecause tags organized in tree-based structures share keyswith each other When an adversary 119860 compromises some
0 200 400 600 800 1000
39
4
41
42
43
44
45
46
47
48
Size of tag set to be authenticated
log10
style
)
Tree-basedTree-basedMAP
MAPRWPRWP
242120583s6775120583s
6775120583s
242120583s242120583s6775120583s
Aver
age p
roce
ssin
g tim
e (120583
sFigure 5 Comparison on performance for 1ndash1000 tags
tags and thus obtain their secret keysA can deduce the secretkeys of other tags In conventional tree-based protocols alegitimate reader splits a tag from other possible ones levelby level and finally authenticates it on the leaf using itskeys on related levels An adversary can also distinguishtags and further track them in this way with keys fromthe compromised tags For detailed analysis please refer to[14 21]
Our analysis is based on the works in [10 14 18 2123 34] The notion of strong ind-privacy defined in [23]which is equivalent to the destructive-privacy defined in[34] is very similar to the strong privacy provided byMAP except that MAP focuses on privacy protection formultiple tags The existing privacy models are designedfor one-tag-one-reader authentication scheme and focus ondistinguishability privacy between TWO tags only They arenot fit for the multiple tags scenario in MAP where thereader cannot communicate to a tag before anticollisionsubcomponent
We define a new model for multiple tags environmentsincluding four oracles Request(sdot sdot sdot) Send(sdotsdot) Relay(sdotsdot) andCompromise(sdot) to formulate the attacks to the tag sets andreader Assume we have a tag set 119873
119878 Any attack on 119877 or 119873
119878
can be represented by calling on its oraclesRequest(119873
119878 1198981 1198983) A queries the tag set 119873
119878by a query
message1198981and receives the responsesThen119860 sends another
message 1198983to 119873119878 including the collision arbitration and Rrsquos
authentication dataSend(R 119898
2) A sends a message 119898
2 representing the tag
setrsquos reply and authentication messages to 119877 and receives aresponse
Relay(119873119878 119877) A relays the messages between 119873
119878and R A
can arbitrarily modify the messages from one side to another
10 International Journal of Distributed Sensor Networks
Compromise(119873119862) A compromises tags in set 119873
119862and
obtains their secret keys where 119873119862is a tag set 119860 obtains The
compromised tags are broken and cannot be used any furtherThe compromising attack on MAP denoted by
CAMAP119860
[1198960 119873119860
] is performed with the following steps
Step 1 The adversary 119860 compromises 1198960tags and obtains
their secret keys
Step 2 A chooses a target tag 119879 that has not been compro-mised A can query 119879 or act as a man-in-the-middle between119879 and the reader 119877 polynomial times Note that 119860 cannotcompromise119879 According to the secret keys119860 gains in Step 1A can compute outputs of these keys and compare to themTrsquosoutputs In this way 119860 can determine which of Trsquos keys equalto Arsquos known keys
Step 3 The system gives a tag set 119873119878with 119873
119874tags including
119879 Then 119873119878is divided into two subsets 119873
1198781and 119873
1198782 For the
simplicity we assume each subset contains 119873119860tags Or else
we can define the smaller set contains119873119860tags which will not
affect the result of analysis but complex the analysis processA randomly picks a subset 119873
119878119887 where b = 0 or b = 1 and
determines if 119879 is in this subset A can pick both subsets If119873119878119887
contains T A can proceed tracking 119879 by tracking 119873119878119887
otherwise 119873119878(1minus119887)
A can send queries to the tag set or act asa man-in-the-middle between the tag set and the reader 119877
polynomial times but cannot compromise those tagsWe denote
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] (4)
as the possibility 119860 definitely knows whether tag set 119873119878119887
includes T A succeeds if 119860 definitely knows which tag setincludes 119879 Then the possibility that 119860 succeeds is
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] = 1 minus (1 minus 1198750)2
(5)
where 1198750is the possibility that 119860 succeeds in either subset in
a system employing MAP
Definition 1 Theadvantage of adversary119860 in the compromis-ing attack is defined as
advMAP119860
(1198960 119873119860
) =
1003816100381610038161003816100381610038161003816(119875MAP +
1
2(1 minus 119875MAP)) minus
1
2
1003816100381610038161003816100381610038161003816=
119875MAP2
(6)
where the probability is the advantage of 119860 correctly guessagainst randomly guess which subset 119879 is in
Definition 2 (M-strong(120576 1198960 119873119860
)-ind-privacy) An RFIDprotocol PRO is m-strong( 120576 119896
0 119873119860)-ind-private if when 119873
119860
approaches N the advantage advPRO119860
(1198960 119873119860
) is at most 120576 inpolynomial time Where 119873
119860lt 119873 120576 is an infinitesimal when
119873 approaches infinity
M-weak(120576 1198960 119873119860)-ind-privacy is defined the same as m-
strong (120576 1198960 119873119860
)-ind-privacy except that 1198960= 0
Destructive Final NoCorrupt corrput Corrupt corrupt
Wide
Narrow
m-strong m-forward m-weak
m-narrow m-narrowm-narrowm-narrowstrong destructive
m-destructive
forward weak
Figure 6 The privacy levels
The above two privacy notions can be simply denotedas m-strong-ind-privacy (MSIP) and m-weak-ind-privacy(MWIP) where the letter ldquo119898rdquo is the abbreviation of mul-tiple tags When 119873
119860= 1 the MSIP (MWIP) equals the
strong-privacy (weak-privacy) in Juelsrsquos model [23] and thedestructive-privacy (weak-privacy) in Vaudenayrsquos model [34]At this time the case of a tag lying in a set is identical tothe case of the target tag being a particular tag in traditionalprivacy model with two tags Thus our multiple tags privacymodel is a generalized version of existing privacy models[23 34] On the contrary the existing privacy models arespecial cases of multiple tags privacy where each tag set hasonly one tagThen we can define 8 different levels of privacyby generalizing Vaudenayrsquos model for multiple tags scenariosas illustrated in Figure 6
The above model is dedicated for classifying the privacyprotection in multiple tags scenarios Intuitively it is easierfor a tag to hide in a set than to behavior indistinguishably toanother tag Thus the above model is a model weaker thanthe privacy models for one-reader-one-tag scenarios
However if the authentication protocol does not take thisadvantage then the protocol cannot provide better privacyin scenarios with multiple tags than in one-reader-one-tag scenarios no matter how many tags are there to beauthenticated For example in the OSK [12] protocol onedesynchronized tag cannot be accepted by a legitimate readerThus a desynchronized tag can still be distinguished in a tagset saying nothing of hiding in the set As a result the OSKmethod cannot providem-strong-ind-privacy orm-weak-ind-privacy
In the tree for MAP when 119860 is not aware of all keys inboth branches A does not know the 119875
119862and has to randomly
guess one for navigation and conduct the searching processWhen the guess fails A sends out a position that has nocollisions Then 119860 cannot split the tags Only when 119860 knowsall the keys in the branches related to T A can send outthe correct 119875
119862and proceed on tracking That is the main
reason whyMAP performs better than traditional tree-basedprotocols in defending against compromising attacks In facttheMAP protocol ism-strong-ind-private as will be proven inthe bellowing
Theorem 3 TheMAP protocol is MSIP private
Proof We perform the compromising attack with MAPprotocol as follows
We denote tags in 119873119878119887
by 1198791015840 We denote keys in 119879
and 1198791015840 with (119896119890119910
0 1198961198901199101 119896119890119910
119889) and (119896119890119910
1015840
0 1198961198901199101015840
1 119896119890119910
1015840
119889)
International Journal of Distributed Sensor Networks 11
respectively where 119889 is the depth of the tree Considering atlevel 119909 where 119896119890119910
119909is in a subtree we use 119870
119909to denote the
set of known keys by 119860 in this subtree and 119896119909to denote
the number of keys in 119870119909 And 119896
0is the number of tags
compromised There are three cases to be considered at levelxCase 1 A does not succeed in previous 119909 minus 1 levels and thereis exactly one key 119896119890119910
1015840
119909equal to 119896119890119910
119909 A definitely knows 119873
119878119887
includes 119879 The possibility is
119875119903(1198621
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times
1
120575119909times (1 minus
1
120575119909)
119873119860minus1
(7)
Case 2119860 does not succeed in previous 119909minus1 levels and therersquosno key 119896119890119910
1015840
119909equals to 119896119890119910
119909 A definitely knows that 119873
119878119887does
not include 119879 The possibility is
119875119903(1198622
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times (1 minus
1
120575119909)
119873119860
(8)
Case 3 119860 does not succeed in previous 119909 minus 1 levels and morethan one key 119896119890119910
1015840
119909equals 119896119890119910
119909 In this case 119860 fails at level 119909
and should move to level 119909 + 1 The possibility is
119875119903(1198623
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575minus 119875119903(1198621
119909) minus 119875119903(1198622
119909)
(9)
Theoverall probability of119860 definitely knowswhether119873119878119887
includes 119879 is
1198750
= 119875119903(1198621
1or 1198622
1) +
119889
sum
119909=2
(119875119903(1198621
119909or 1198622
119909) times
119909minus1
prod
119910=1
119875119903(1198623
119910))
= (1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
times
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
)))
(10)
where
119875 (119896119890119910119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895) (120575 minus 119895)
(120575119909 minus 119895)2
1198961
= 120575 (1 minus (1 minus1
120575)
1198960
)
119896119909
= 120575 (1 minus (1 minus1
120575)
119892(119896119909)
) (2 le 119909 le 119889)
119892 (119896119909) = 1198960
119909minus1
prod
119910=1
1
119896119910
(11)
The possibility 119860 succeeds in either subset is 1198750which is
a monotonically decreasing function of 119873119860 so is 119875MAP The
advantage of 119860 is 119875MAP which decreases exponentially to 0 as119873119860increases to be big enoughConsidering that 119896
119909le 120575 and 120575 ge 2 we have the following
derivations
(1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
le (1
2)
119873119860minus1
1198961
120575
1198961
120575
1198961
minus 1
120575 minus 1
le (1
2)
119873119860minus1
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
))
lt
119909minus1
prod
119910=1
(119875 (119896119890119910119910) times 1 times 1)
=
119909minus1
prod
119910=1
119875 (119896119890119910119910)
(12)
Then we have the following deduction
1198750
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
119909minus1
prod
119910=1
119875 (119896119890119910119910))
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
(1 minus1
120575119909)
119873119860minus1
lt (1
2)
119873119860minus1
+ 119889(1 minus1
1205752)
119873119860minus1
(13)
The right part of the inequality is a monotonicallydecreasing function of 119873
119860 For example it can be deduced
that 1198750
lt (12)119873119860minus1
+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875
0is an
infinitesimal as 119873119860approaches 119873 so is 119875MAP According to
Definition 2 MAP ism-strong-ind-private
12 International Journal of Distributed Sensor Networks
0 50 100 150 2000
02
04
06
08
1
Succ
essfu
l pro
b o
f atta
ck
Size of tag set to be authenticated
MAPTree-based
Figure 7 Comparisons on defending against compromising attack
Assume a RFID system of 220 tags with 120575 = 2 and 119889 =
20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]
We can find that for both protocols the possibilities that119860
succeeds reduceswhen119873119860increases ForMAP the possibility
reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873
119860gt 8 119875MAP lt
005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200
62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information
63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881
119862values are only used for
navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol
64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack
in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key
MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack
An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860
firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold
65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough
66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 7
reader side For an illegal tag the reader only sends a randombit string with the same length of ℎ(sdot)
Note that the key in the leaf node may not match thecorresponding tagrsquos key In this case 119877 has to search throughthe entire database to check if a matching key can be foundIf such a key is found the tag is accepted as legitimate Inthis way even a tag which is desynchronization attacked andthus has a big timestamp can also be authenticated This canprevent attackers from distinguishing tags by whether theycan be accepted
(4) UponM 119879119894computes the hash value based on the key
stored in it If they are matched119879119894takes 119877 as a legitimate one
119879119894then launches the updating on the tag side if119877 is legitimateA collisionmayhappenwhen two tags choose an identical
leaf node At this time there is more than one tag respondingto the readerTheir signals will collide and cannot be correctlydecodedThis can happenwhen a tagrsquos random choicesmatchthe path of the other tag from root to leaf The possibility is2minus119889 where 119889 is the depth of the key tree While the possibilityis negligible we just take these collidedmessages as a randommessage and complete the routine processes of authenticationand updating As each tag has a unique leaf key which will beupdated involving the random nonces during authenticationthe possibility they collide again at the leaf node will still benegligible we will process the colliding tags in the next roundof entire tags-authentication process
433 Remount After authentication and updating of atag the whole tag authentication process is remounted forunprocessed tags according to their ldquoholdingrdquo sequence indescending order 119877 finds out the max counter 119888max in the(1198881199101015840 1199011199001199041199101015840) pairs stored in the reader where 119910
1015840 is an integerIf there exists such a 119888max 119877 computes 119875
119862for the branches
of 1199011199001199041199101015840 and starts the anticollision subcomponent in the
subtree rooted at 1199011199001199041199101015840 To do this the reader sends a
recursive query command 1199031198901198881198761199061198901199031199101199101015840 with 119888max 119875
119862 and
a new timestamp 1199031199101015840 Upon this query each tag checks its
internal counter 119888119901The tags that have amatched 119888max respond
with the corresponding119881119862 If no such a 119888max exists the reader
terminates the current round of MAP and launches a newround The reader iteratively performs the authenticationprocess until all tags are processed or the number of roundsexceeds a predefined threshold threshold In MAP if there aresome tags moving into the detecting region of 119877 in currentround 119877 will treat them as newly coming tags in the nextround
We illustrate the above process by using the example ofauthenticating 119879
1 1198792 and 119879
3in Figure 1 Assume the reader
chooses the left branch each timeThen there is no collision atdepth 0 and the entire authentication procedure goes to thesubtree rooted at the node related to 119896
10at depth 1 The 119881
119862
values related to keys at depth 2 will collide 119877 moves downto the left branch related to 119896
20and 119896
30 119877 puts 119879
2and 119879
1in
a holding state at this point 119877 also records the anticollisionsequence and the node related to 119896
21 As there is no more
collision for1198793119877 completes the authentication of119879
3and goes
back to the holding tags 119877 requests 119881119862related to the keys at
depth 3The responses of 1198792and 119879
1fall in different branches
Then 119877 puts 1198792to holding state and authenticates 119879
1 After
that the reader 119877 authenticates 1198792
44 Updating After a successful mutual authenticationbetween the tag and reader the updating process follows asillustrated in Algorithm 1 MAP only updates the leaf keys formultiple tags environments where a leaf key is the key onthe leaf node There are two reasons First in our protocolthe keys on nonleaf nodes are only used for navigationSecond as analyzed in [22] updating keys for tags withoutchanging the sharing relationship of keys among tags will notincrease the difficulty for adversaries to successfully conductcompromising attacks We also allow a tag to be renewed inthe system maintenance component as an updating methodwhich also updates the tagrsquos location and the correspondingkeys in the virtual tree for better privacy
R updates the keys for a tag after a successful authentica-tion of the tag At the corresponding leaf node a new leaf keyis generated as 119896
119894
119889
1015840
= ℎ(3 1198771 1198772 119896119894
119889) for 119879
119894 119879119894updates its leaf
key only after a successful authentication of 119877 by checkingM
45 System Maintenance Users may want to insert renewor withdraw their tags The system maintenance componentdeals with these requests
If a new tag joins in the systemR initializes it by assigningit to an empty leaf node and generates the necessary keys forit If a tag is withdrawn R simply deletes the information oncorresponding nodes related to the tag from S
We also allow a tag to be renewed for better security andprivacy The permission is controlled by the manager Whena tag is permitted to be renewed it is first withdrawn by thereader Then the reader treats the tag like a new one andinserts it into the system After being renewed the new keysand related path in the key tree have no relation with the oldones
5 Performance Analysis
In this section we analyze the performance of MAP con-sidering both communication and computation costs Wetheoretically analyze the costs and give the correspondingupper bound lower bound andmean valueWe also launch asimulation Then we compare the performance of MAP withtwo combination solutions
51 Theoretical Analysis In MAP multiple tags are authenti-cated concurrently thus we care about the average time costsderived from costs for all tags divided by the number of tagsIn Section 5 when we mention a cost for each tag we aremeaning such an average time cost for each tag
There are cases when the tags to be authenticated coverthe least branchesThenpaths of these tags cover a full subtreeand a single path from the root of this subtree to the rootof system tree 119878 as 119879
1and 119879
2in Figure 4(a) In these cases
arbitrations and hash computations are shared by the mosttags Thus it is possible that both the communication andcompute cost for each tag are the least in these cases
8 International Journal of Distributed Sensor Networks
k10
k21
k32 k33
T1 T2
M1
M2
(a) Most sharing
k20
k30
k10
T3
(b) Least sharing
Figure 4 The different sharing scenarios
Contrarily when the tags cover the most branchesrespecting no path being shared as 119879
3itself in Figure 4(b)
then it is possible that both communication and compute costfor each tag are the largest as arbitrations and hash computesare shared by the least tags
For theoretic comprehensibility we consider time cost fortransferring hash values in communication cost For computecost we consider only cost for computing hash values atboth reader end and tag end For the overall cost consideringoverheads we give a simulation result in Section 52
When tags cover the least branches the minimumcommunication and compute cost are computed as followsTheoretically they are the lower bound of MAP in terms oftime cost Indeed both of them are in O(1) complexity
Commmin = 119905auth + 2119905query + 119905reply minus
(119905query + 119905reply)
119873
asymp 119905auth + 2119905query + 119905reply
Compmin = (2 minus1
119873) 119905119905119888119900119898119901
+ (3 minus2
119873119860
) 119905119903119888119900119898119901
asymp 2119905119905119888119900119898119901
+ 3119905119903119888119900119898119901
(1)
where the 119889 is the height of the system tree 119878 119873 is thenumber of tags in the system 119873
119860is the number of tags to
be authenticated and 119873119860
= 119873 in this case 119905query is the timefor a reader 119877 to send out a query 119905reply is the time for eachtag on both branches to reply their related 1 bit 119881
119862values in
the two time slots 119905auth is the time for a tag to send the hashvalue of its leaf node 119905
119905119888119900119898119901is the time for a tag to compute
a hash value and 119905119903119888119900119898119901
is the time for 119877 to compute a hashvalue Note that we suppose sending the request commandsneeds the same time as the 119905query
When each tag covers themost branches there is only onetag to be authenticated Thus we get the maximum costs Wedenote the maximum communication and compute cost as
Commmax and Compmax respectively The theoretical upperbound cost of MAP is given by
Commmax = 119905auth + 119889 times 119905reply + (119889 + 1) 119905query
Compmax = (119889 + 1) 119905119903119888119900119898119901
+ (2119889 + 1) 119905119903119888119900119898119901
(2)
where 119889 is the height of the system tree 119878 We can find thatboth the maximum costs have an 119874(log119873) complexity
When tags cover all branches supposing the coverprobability is unique we get the mean communication andcomputing costs as follows
Commmean = 119905auth + 119905query
+ (119905query + 119905reply) (2 + 119889 minus log2119873119860
minus1
119873119860
)
asymp 119905auth + 119905query + (119905query + 119905reply)
times (2 + 119889 minus log2119873119860
)
Compmean = (2 + 119889 minus log2119873119860
minus1
119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
minus1
119873119860
) 119905119903119888119900119898119901
asymp (2 + 119889 minus log2119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
) 119905119903119888119900119898119901
(3)
Both Commmean and Compmean are strict monotonicfunctions of 119873
119860 When 119873
119860is big enough they approach the
constant value of 119874(1)Considering the minimum authentication cost without
anticollision or updating for a single tag in traditional tree-based protocol it will need to compute transmit and verifyat least log
120575119873 ciphers where 120575 is the branching factor of the
key tree When the tag lies at the first-reach leaf the costis minimum with message length and computation times ofabout log
120575119873 When the tag lies at the last-reach leaf the cost
is maximum with the computation times enlarged to about120575 times log
120575119873 The average computation cost is about (1 + 120575)2 times
log120575119873ThusMAP protocol outperforms the traditional tree-
based protocol theoretically
52 Simulation We compared the average processing timeof MAP to two simple combination solutions Both thetwo solutions use the slot-count (Q) selection algorithm inEPC C1G2 UHF Air Interface Protocol Standard [31] foranticollision The PPA protocols for these two solutions arethe typical tree-based protocol [20] and RWP protocol [22]with O(1) complexity In all protocols both tag side andreader side employ SQUASH (SQUaring haSH) which isproposed by Shamir in [8] to compute hash values SQUASHneeds only several hundred gate equivalents (GEs) and isappropriate for low cost RFID tags We consider the overalltime cost including communication cost and search cost
International Journal of Distributed Sensor Networks 9
The communication cost includes the cost for transmittingcommands and data with overheads such as wait time timeout frame sync and preamble Note that compared to otherkinds of wireless communication such as WiFi the messagesexchanged between the reader and tags are very short Thusthe overheads are not negligible All the command formatsdata formats and link timing follow the standard In searchcost we consider compute cost for hash values by both readerand tags We assume the reader can process 223 times 64 bitsSQUASH in a second in average For the tag we assume it canprocess one time SQUASH in 6775 us and 242 us We makethese two assumptions based on the link timing requirementsspecified in the standard
In our simulation the forward data rate is 40Kbps andthe backward data rate is 320KbpsWe suppose that there are220 tags in the system We choose tags randomly and repeatthe whole process 100 times for average results
In Figure 5 we give the result for 1000 tags The simu-lation result shows that MAP gains a better efficiency thantypical tree-based protocol The average time cost of tree-based protocols is about 22 times to 42 times that of MAPThe efficiency of MAP asymptotically approaches the RWPprotocol with O(1) complexity as the size of the tag setapproaches 1000 The simulation result is in accordance withthe theoretical analysis That is because in MAP computingand communication are shared between all tags Moreoverduring anticollision subcomponent tags respond with only 1bit to save communication cost That is why MAP outper-forms typical tree-based protocol when tag size is small
According to the performance result in [26] for 1000 tagsin a system with 105 tags at 40Kbps forward rate achieving1 erroneous decision the SEBA approach [25] needs 41min-utes while the SEBA+ approach [26] needs about 4 minutesUtilizing MAP it takes about 1000 times 10405times 10minus6 s = 1122 swhich is less than SEBA and more than SEBA+ Howeverthe result in [26] considers only the message transmissiontime leaving out the nonnegligible computation time andthe communication overheads such as wait time time outframe sync and preamble Moreover MAP provides accurateauthenticationwith no error probabilityThusMAP is a goodchoice in performance for the authentication ofmultiple tags
6 Security and Privacy Analysis
In this section we analyze the security and privacy charactersof MAP Because our approach is tree based we focus onresistance to compromising attackwhich has themost seriousimpact on conventional tree-based approaches [23] Weprove that MAP is m-strong-ind-private showing that MAPsatisfies strong privacy protection in multiple tags scenarioWe also show the abilities of MAP in terms of confidentialitycloning resistance tracking resistance timing-based attackresistance and forward secrecy
61 Compromising Attack Compromising attack is the mosteffective way for crashing tree-based protocols That isbecause tags organized in tree-based structures share keyswith each other When an adversary 119860 compromises some
0 200 400 600 800 1000
39
4
41
42
43
44
45
46
47
48
Size of tag set to be authenticated
log10
style
)
Tree-basedTree-basedMAP
MAPRWPRWP
242120583s6775120583s
6775120583s
242120583s242120583s6775120583s
Aver
age p
roce
ssin
g tim
e (120583
sFigure 5 Comparison on performance for 1ndash1000 tags
tags and thus obtain their secret keysA can deduce the secretkeys of other tags In conventional tree-based protocols alegitimate reader splits a tag from other possible ones levelby level and finally authenticates it on the leaf using itskeys on related levels An adversary can also distinguishtags and further track them in this way with keys fromthe compromised tags For detailed analysis please refer to[14 21]
Our analysis is based on the works in [10 14 18 2123 34] The notion of strong ind-privacy defined in [23]which is equivalent to the destructive-privacy defined in[34] is very similar to the strong privacy provided byMAP except that MAP focuses on privacy protection formultiple tags The existing privacy models are designedfor one-tag-one-reader authentication scheme and focus ondistinguishability privacy between TWO tags only They arenot fit for the multiple tags scenario in MAP where thereader cannot communicate to a tag before anticollisionsubcomponent
We define a new model for multiple tags environmentsincluding four oracles Request(sdot sdot sdot) Send(sdotsdot) Relay(sdotsdot) andCompromise(sdot) to formulate the attacks to the tag sets andreader Assume we have a tag set 119873
119878 Any attack on 119877 or 119873
119878
can be represented by calling on its oraclesRequest(119873
119878 1198981 1198983) A queries the tag set 119873
119878by a query
message1198981and receives the responsesThen119860 sends another
message 1198983to 119873119878 including the collision arbitration and Rrsquos
authentication dataSend(R 119898
2) A sends a message 119898
2 representing the tag
setrsquos reply and authentication messages to 119877 and receives aresponse
Relay(119873119878 119877) A relays the messages between 119873
119878and R A
can arbitrarily modify the messages from one side to another
10 International Journal of Distributed Sensor Networks
Compromise(119873119862) A compromises tags in set 119873
119862and
obtains their secret keys where 119873119862is a tag set 119860 obtains The
compromised tags are broken and cannot be used any furtherThe compromising attack on MAP denoted by
CAMAP119860
[1198960 119873119860
] is performed with the following steps
Step 1 The adversary 119860 compromises 1198960tags and obtains
their secret keys
Step 2 A chooses a target tag 119879 that has not been compro-mised A can query 119879 or act as a man-in-the-middle between119879 and the reader 119877 polynomial times Note that 119860 cannotcompromise119879 According to the secret keys119860 gains in Step 1A can compute outputs of these keys and compare to themTrsquosoutputs In this way 119860 can determine which of Trsquos keys equalto Arsquos known keys
Step 3 The system gives a tag set 119873119878with 119873
119874tags including
119879 Then 119873119878is divided into two subsets 119873
1198781and 119873
1198782 For the
simplicity we assume each subset contains 119873119860tags Or else
we can define the smaller set contains119873119860tags which will not
affect the result of analysis but complex the analysis processA randomly picks a subset 119873
119878119887 where b = 0 or b = 1 and
determines if 119879 is in this subset A can pick both subsets If119873119878119887
contains T A can proceed tracking 119879 by tracking 119873119878119887
otherwise 119873119878(1minus119887)
A can send queries to the tag set or act asa man-in-the-middle between the tag set and the reader 119877
polynomial times but cannot compromise those tagsWe denote
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] (4)
as the possibility 119860 definitely knows whether tag set 119873119878119887
includes T A succeeds if 119860 definitely knows which tag setincludes 119879 Then the possibility that 119860 succeeds is
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] = 1 minus (1 minus 1198750)2
(5)
where 1198750is the possibility that 119860 succeeds in either subset in
a system employing MAP
Definition 1 Theadvantage of adversary119860 in the compromis-ing attack is defined as
advMAP119860
(1198960 119873119860
) =
1003816100381610038161003816100381610038161003816(119875MAP +
1
2(1 minus 119875MAP)) minus
1
2
1003816100381610038161003816100381610038161003816=
119875MAP2
(6)
where the probability is the advantage of 119860 correctly guessagainst randomly guess which subset 119879 is in
Definition 2 (M-strong(120576 1198960 119873119860
)-ind-privacy) An RFIDprotocol PRO is m-strong( 120576 119896
0 119873119860)-ind-private if when 119873
119860
approaches N the advantage advPRO119860
(1198960 119873119860
) is at most 120576 inpolynomial time Where 119873
119860lt 119873 120576 is an infinitesimal when
119873 approaches infinity
M-weak(120576 1198960 119873119860)-ind-privacy is defined the same as m-
strong (120576 1198960 119873119860
)-ind-privacy except that 1198960= 0
Destructive Final NoCorrupt corrput Corrupt corrupt
Wide
Narrow
m-strong m-forward m-weak
m-narrow m-narrowm-narrowm-narrowstrong destructive
m-destructive
forward weak
Figure 6 The privacy levels
The above two privacy notions can be simply denotedas m-strong-ind-privacy (MSIP) and m-weak-ind-privacy(MWIP) where the letter ldquo119898rdquo is the abbreviation of mul-tiple tags When 119873
119860= 1 the MSIP (MWIP) equals the
strong-privacy (weak-privacy) in Juelsrsquos model [23] and thedestructive-privacy (weak-privacy) in Vaudenayrsquos model [34]At this time the case of a tag lying in a set is identical tothe case of the target tag being a particular tag in traditionalprivacy model with two tags Thus our multiple tags privacymodel is a generalized version of existing privacy models[23 34] On the contrary the existing privacy models arespecial cases of multiple tags privacy where each tag set hasonly one tagThen we can define 8 different levels of privacyby generalizing Vaudenayrsquos model for multiple tags scenariosas illustrated in Figure 6
The above model is dedicated for classifying the privacyprotection in multiple tags scenarios Intuitively it is easierfor a tag to hide in a set than to behavior indistinguishably toanother tag Thus the above model is a model weaker thanthe privacy models for one-reader-one-tag scenarios
However if the authentication protocol does not take thisadvantage then the protocol cannot provide better privacyin scenarios with multiple tags than in one-reader-one-tag scenarios no matter how many tags are there to beauthenticated For example in the OSK [12] protocol onedesynchronized tag cannot be accepted by a legitimate readerThus a desynchronized tag can still be distinguished in a tagset saying nothing of hiding in the set As a result the OSKmethod cannot providem-strong-ind-privacy orm-weak-ind-privacy
In the tree for MAP when 119860 is not aware of all keys inboth branches A does not know the 119875
119862and has to randomly
guess one for navigation and conduct the searching processWhen the guess fails A sends out a position that has nocollisions Then 119860 cannot split the tags Only when 119860 knowsall the keys in the branches related to T A can send outthe correct 119875
119862and proceed on tracking That is the main
reason whyMAP performs better than traditional tree-basedprotocols in defending against compromising attacks In facttheMAP protocol ism-strong-ind-private as will be proven inthe bellowing
Theorem 3 TheMAP protocol is MSIP private
Proof We perform the compromising attack with MAPprotocol as follows
We denote tags in 119873119878119887
by 1198791015840 We denote keys in 119879
and 1198791015840 with (119896119890119910
0 1198961198901199101 119896119890119910
119889) and (119896119890119910
1015840
0 1198961198901199101015840
1 119896119890119910
1015840
119889)
International Journal of Distributed Sensor Networks 11
respectively where 119889 is the depth of the tree Considering atlevel 119909 where 119896119890119910
119909is in a subtree we use 119870
119909to denote the
set of known keys by 119860 in this subtree and 119896119909to denote
the number of keys in 119870119909 And 119896
0is the number of tags
compromised There are three cases to be considered at levelxCase 1 A does not succeed in previous 119909 minus 1 levels and thereis exactly one key 119896119890119910
1015840
119909equal to 119896119890119910
119909 A definitely knows 119873
119878119887
includes 119879 The possibility is
119875119903(1198621
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times
1
120575119909times (1 minus
1
120575119909)
119873119860minus1
(7)
Case 2119860 does not succeed in previous 119909minus1 levels and therersquosno key 119896119890119910
1015840
119909equals to 119896119890119910
119909 A definitely knows that 119873
119878119887does
not include 119879 The possibility is
119875119903(1198622
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times (1 minus
1
120575119909)
119873119860
(8)
Case 3 119860 does not succeed in previous 119909 minus 1 levels and morethan one key 119896119890119910
1015840
119909equals 119896119890119910
119909 In this case 119860 fails at level 119909
and should move to level 119909 + 1 The possibility is
119875119903(1198623
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575minus 119875119903(1198621
119909) minus 119875119903(1198622
119909)
(9)
Theoverall probability of119860 definitely knowswhether119873119878119887
includes 119879 is
1198750
= 119875119903(1198621
1or 1198622
1) +
119889
sum
119909=2
(119875119903(1198621
119909or 1198622
119909) times
119909minus1
prod
119910=1
119875119903(1198623
119910))
= (1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
times
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
)))
(10)
where
119875 (119896119890119910119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895) (120575 minus 119895)
(120575119909 minus 119895)2
1198961
= 120575 (1 minus (1 minus1
120575)
1198960
)
119896119909
= 120575 (1 minus (1 minus1
120575)
119892(119896119909)
) (2 le 119909 le 119889)
119892 (119896119909) = 1198960
119909minus1
prod
119910=1
1
119896119910
(11)
The possibility 119860 succeeds in either subset is 1198750which is
a monotonically decreasing function of 119873119860 so is 119875MAP The
advantage of 119860 is 119875MAP which decreases exponentially to 0 as119873119860increases to be big enoughConsidering that 119896
119909le 120575 and 120575 ge 2 we have the following
derivations
(1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
le (1
2)
119873119860minus1
1198961
120575
1198961
120575
1198961
minus 1
120575 minus 1
le (1
2)
119873119860minus1
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
))
lt
119909minus1
prod
119910=1
(119875 (119896119890119910119910) times 1 times 1)
=
119909minus1
prod
119910=1
119875 (119896119890119910119910)
(12)
Then we have the following deduction
1198750
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
119909minus1
prod
119910=1
119875 (119896119890119910119910))
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
(1 minus1
120575119909)
119873119860minus1
lt (1
2)
119873119860minus1
+ 119889(1 minus1
1205752)
119873119860minus1
(13)
The right part of the inequality is a monotonicallydecreasing function of 119873
119860 For example it can be deduced
that 1198750
lt (12)119873119860minus1
+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875
0is an
infinitesimal as 119873119860approaches 119873 so is 119875MAP According to
Definition 2 MAP ism-strong-ind-private
12 International Journal of Distributed Sensor Networks
0 50 100 150 2000
02
04
06
08
1
Succ
essfu
l pro
b o
f atta
ck
Size of tag set to be authenticated
MAPTree-based
Figure 7 Comparisons on defending against compromising attack
Assume a RFID system of 220 tags with 120575 = 2 and 119889 =
20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]
We can find that for both protocols the possibilities that119860
succeeds reduceswhen119873119860increases ForMAP the possibility
reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873
119860gt 8 119875MAP lt
005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200
62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information
63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881
119862values are only used for
navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol
64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack
in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key
MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack
An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860
firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold
65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough
66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
8 International Journal of Distributed Sensor Networks
k10
k21
k32 k33
T1 T2
M1
M2
(a) Most sharing
k20
k30
k10
T3
(b) Least sharing
Figure 4 The different sharing scenarios
Contrarily when the tags cover the most branchesrespecting no path being shared as 119879
3itself in Figure 4(b)
then it is possible that both communication and compute costfor each tag are the largest as arbitrations and hash computesare shared by the least tags
For theoretic comprehensibility we consider time cost fortransferring hash values in communication cost For computecost we consider only cost for computing hash values atboth reader end and tag end For the overall cost consideringoverheads we give a simulation result in Section 52
When tags cover the least branches the minimumcommunication and compute cost are computed as followsTheoretically they are the lower bound of MAP in terms oftime cost Indeed both of them are in O(1) complexity
Commmin = 119905auth + 2119905query + 119905reply minus
(119905query + 119905reply)
119873
asymp 119905auth + 2119905query + 119905reply
Compmin = (2 minus1
119873) 119905119905119888119900119898119901
+ (3 minus2
119873119860
) 119905119903119888119900119898119901
asymp 2119905119905119888119900119898119901
+ 3119905119903119888119900119898119901
(1)
where the 119889 is the height of the system tree 119878 119873 is thenumber of tags in the system 119873
119860is the number of tags to
be authenticated and 119873119860
= 119873 in this case 119905query is the timefor a reader 119877 to send out a query 119905reply is the time for eachtag on both branches to reply their related 1 bit 119881
119862values in
the two time slots 119905auth is the time for a tag to send the hashvalue of its leaf node 119905
119905119888119900119898119901is the time for a tag to compute
a hash value and 119905119903119888119900119898119901
is the time for 119877 to compute a hashvalue Note that we suppose sending the request commandsneeds the same time as the 119905query
When each tag covers themost branches there is only onetag to be authenticated Thus we get the maximum costs Wedenote the maximum communication and compute cost as
Commmax and Compmax respectively The theoretical upperbound cost of MAP is given by
Commmax = 119905auth + 119889 times 119905reply + (119889 + 1) 119905query
Compmax = (119889 + 1) 119905119903119888119900119898119901
+ (2119889 + 1) 119905119903119888119900119898119901
(2)
where 119889 is the height of the system tree 119878 We can find thatboth the maximum costs have an 119874(log119873) complexity
When tags cover all branches supposing the coverprobability is unique we get the mean communication andcomputing costs as follows
Commmean = 119905auth + 119905query
+ (119905query + 119905reply) (2 + 119889 minus log2119873119860
minus1
119873119860
)
asymp 119905auth + 119905query + (119905query + 119905reply)
times (2 + 119889 minus log2119873119860
)
Compmean = (2 + 119889 minus log2119873119860
minus1
119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
minus1
119873119860
) 119905119903119888119900119898119901
asymp (2 + 119889 minus log2119873119860
) 119905119905119888119900119898119901
+ 2 (1 + 119889 minus log2119873119860
) 119905119903119888119900119898119901
(3)
Both Commmean and Compmean are strict monotonicfunctions of 119873
119860 When 119873
119860is big enough they approach the
constant value of 119874(1)Considering the minimum authentication cost without
anticollision or updating for a single tag in traditional tree-based protocol it will need to compute transmit and verifyat least log
120575119873 ciphers where 120575 is the branching factor of the
key tree When the tag lies at the first-reach leaf the costis minimum with message length and computation times ofabout log
120575119873 When the tag lies at the last-reach leaf the cost
is maximum with the computation times enlarged to about120575 times log
120575119873 The average computation cost is about (1 + 120575)2 times
log120575119873ThusMAP protocol outperforms the traditional tree-
based protocol theoretically
52 Simulation We compared the average processing timeof MAP to two simple combination solutions Both thetwo solutions use the slot-count (Q) selection algorithm inEPC C1G2 UHF Air Interface Protocol Standard [31] foranticollision The PPA protocols for these two solutions arethe typical tree-based protocol [20] and RWP protocol [22]with O(1) complexity In all protocols both tag side andreader side employ SQUASH (SQUaring haSH) which isproposed by Shamir in [8] to compute hash values SQUASHneeds only several hundred gate equivalents (GEs) and isappropriate for low cost RFID tags We consider the overalltime cost including communication cost and search cost
International Journal of Distributed Sensor Networks 9
The communication cost includes the cost for transmittingcommands and data with overheads such as wait time timeout frame sync and preamble Note that compared to otherkinds of wireless communication such as WiFi the messagesexchanged between the reader and tags are very short Thusthe overheads are not negligible All the command formatsdata formats and link timing follow the standard In searchcost we consider compute cost for hash values by both readerand tags We assume the reader can process 223 times 64 bitsSQUASH in a second in average For the tag we assume it canprocess one time SQUASH in 6775 us and 242 us We makethese two assumptions based on the link timing requirementsspecified in the standard
In our simulation the forward data rate is 40Kbps andthe backward data rate is 320KbpsWe suppose that there are220 tags in the system We choose tags randomly and repeatthe whole process 100 times for average results
In Figure 5 we give the result for 1000 tags The simu-lation result shows that MAP gains a better efficiency thantypical tree-based protocol The average time cost of tree-based protocols is about 22 times to 42 times that of MAPThe efficiency of MAP asymptotically approaches the RWPprotocol with O(1) complexity as the size of the tag setapproaches 1000 The simulation result is in accordance withthe theoretical analysis That is because in MAP computingand communication are shared between all tags Moreoverduring anticollision subcomponent tags respond with only 1bit to save communication cost That is why MAP outper-forms typical tree-based protocol when tag size is small
According to the performance result in [26] for 1000 tagsin a system with 105 tags at 40Kbps forward rate achieving1 erroneous decision the SEBA approach [25] needs 41min-utes while the SEBA+ approach [26] needs about 4 minutesUtilizing MAP it takes about 1000 times 10405times 10minus6 s = 1122 swhich is less than SEBA and more than SEBA+ Howeverthe result in [26] considers only the message transmissiontime leaving out the nonnegligible computation time andthe communication overheads such as wait time time outframe sync and preamble Moreover MAP provides accurateauthenticationwith no error probabilityThusMAP is a goodchoice in performance for the authentication ofmultiple tags
6 Security and Privacy Analysis
In this section we analyze the security and privacy charactersof MAP Because our approach is tree based we focus onresistance to compromising attackwhich has themost seriousimpact on conventional tree-based approaches [23] Weprove that MAP is m-strong-ind-private showing that MAPsatisfies strong privacy protection in multiple tags scenarioWe also show the abilities of MAP in terms of confidentialitycloning resistance tracking resistance timing-based attackresistance and forward secrecy
61 Compromising Attack Compromising attack is the mosteffective way for crashing tree-based protocols That isbecause tags organized in tree-based structures share keyswith each other When an adversary 119860 compromises some
0 200 400 600 800 1000
39
4
41
42
43
44
45
46
47
48
Size of tag set to be authenticated
log10
style
)
Tree-basedTree-basedMAP
MAPRWPRWP
242120583s6775120583s
6775120583s
242120583s242120583s6775120583s
Aver
age p
roce
ssin
g tim
e (120583
sFigure 5 Comparison on performance for 1ndash1000 tags
tags and thus obtain their secret keysA can deduce the secretkeys of other tags In conventional tree-based protocols alegitimate reader splits a tag from other possible ones levelby level and finally authenticates it on the leaf using itskeys on related levels An adversary can also distinguishtags and further track them in this way with keys fromthe compromised tags For detailed analysis please refer to[14 21]
Our analysis is based on the works in [10 14 18 2123 34] The notion of strong ind-privacy defined in [23]which is equivalent to the destructive-privacy defined in[34] is very similar to the strong privacy provided byMAP except that MAP focuses on privacy protection formultiple tags The existing privacy models are designedfor one-tag-one-reader authentication scheme and focus ondistinguishability privacy between TWO tags only They arenot fit for the multiple tags scenario in MAP where thereader cannot communicate to a tag before anticollisionsubcomponent
We define a new model for multiple tags environmentsincluding four oracles Request(sdot sdot sdot) Send(sdotsdot) Relay(sdotsdot) andCompromise(sdot) to formulate the attacks to the tag sets andreader Assume we have a tag set 119873
119878 Any attack on 119877 or 119873
119878
can be represented by calling on its oraclesRequest(119873
119878 1198981 1198983) A queries the tag set 119873
119878by a query
message1198981and receives the responsesThen119860 sends another
message 1198983to 119873119878 including the collision arbitration and Rrsquos
authentication dataSend(R 119898
2) A sends a message 119898
2 representing the tag
setrsquos reply and authentication messages to 119877 and receives aresponse
Relay(119873119878 119877) A relays the messages between 119873
119878and R A
can arbitrarily modify the messages from one side to another
10 International Journal of Distributed Sensor Networks
Compromise(119873119862) A compromises tags in set 119873
119862and
obtains their secret keys where 119873119862is a tag set 119860 obtains The
compromised tags are broken and cannot be used any furtherThe compromising attack on MAP denoted by
CAMAP119860
[1198960 119873119860
] is performed with the following steps
Step 1 The adversary 119860 compromises 1198960tags and obtains
their secret keys
Step 2 A chooses a target tag 119879 that has not been compro-mised A can query 119879 or act as a man-in-the-middle between119879 and the reader 119877 polynomial times Note that 119860 cannotcompromise119879 According to the secret keys119860 gains in Step 1A can compute outputs of these keys and compare to themTrsquosoutputs In this way 119860 can determine which of Trsquos keys equalto Arsquos known keys
Step 3 The system gives a tag set 119873119878with 119873
119874tags including
119879 Then 119873119878is divided into two subsets 119873
1198781and 119873
1198782 For the
simplicity we assume each subset contains 119873119860tags Or else
we can define the smaller set contains119873119860tags which will not
affect the result of analysis but complex the analysis processA randomly picks a subset 119873
119878119887 where b = 0 or b = 1 and
determines if 119879 is in this subset A can pick both subsets If119873119878119887
contains T A can proceed tracking 119879 by tracking 119873119878119887
otherwise 119873119878(1minus119887)
A can send queries to the tag set or act asa man-in-the-middle between the tag set and the reader 119877
polynomial times but cannot compromise those tagsWe denote
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] (4)
as the possibility 119860 definitely knows whether tag set 119873119878119887
includes T A succeeds if 119860 definitely knows which tag setincludes 119879 Then the possibility that 119860 succeeds is
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] = 1 minus (1 minus 1198750)2
(5)
where 1198750is the possibility that 119860 succeeds in either subset in
a system employing MAP
Definition 1 Theadvantage of adversary119860 in the compromis-ing attack is defined as
advMAP119860
(1198960 119873119860
) =
1003816100381610038161003816100381610038161003816(119875MAP +
1
2(1 minus 119875MAP)) minus
1
2
1003816100381610038161003816100381610038161003816=
119875MAP2
(6)
where the probability is the advantage of 119860 correctly guessagainst randomly guess which subset 119879 is in
Definition 2 (M-strong(120576 1198960 119873119860
)-ind-privacy) An RFIDprotocol PRO is m-strong( 120576 119896
0 119873119860)-ind-private if when 119873
119860
approaches N the advantage advPRO119860
(1198960 119873119860
) is at most 120576 inpolynomial time Where 119873
119860lt 119873 120576 is an infinitesimal when
119873 approaches infinity
M-weak(120576 1198960 119873119860)-ind-privacy is defined the same as m-
strong (120576 1198960 119873119860
)-ind-privacy except that 1198960= 0
Destructive Final NoCorrupt corrput Corrupt corrupt
Wide
Narrow
m-strong m-forward m-weak
m-narrow m-narrowm-narrowm-narrowstrong destructive
m-destructive
forward weak
Figure 6 The privacy levels
The above two privacy notions can be simply denotedas m-strong-ind-privacy (MSIP) and m-weak-ind-privacy(MWIP) where the letter ldquo119898rdquo is the abbreviation of mul-tiple tags When 119873
119860= 1 the MSIP (MWIP) equals the
strong-privacy (weak-privacy) in Juelsrsquos model [23] and thedestructive-privacy (weak-privacy) in Vaudenayrsquos model [34]At this time the case of a tag lying in a set is identical tothe case of the target tag being a particular tag in traditionalprivacy model with two tags Thus our multiple tags privacymodel is a generalized version of existing privacy models[23 34] On the contrary the existing privacy models arespecial cases of multiple tags privacy where each tag set hasonly one tagThen we can define 8 different levels of privacyby generalizing Vaudenayrsquos model for multiple tags scenariosas illustrated in Figure 6
The above model is dedicated for classifying the privacyprotection in multiple tags scenarios Intuitively it is easierfor a tag to hide in a set than to behavior indistinguishably toanother tag Thus the above model is a model weaker thanthe privacy models for one-reader-one-tag scenarios
However if the authentication protocol does not take thisadvantage then the protocol cannot provide better privacyin scenarios with multiple tags than in one-reader-one-tag scenarios no matter how many tags are there to beauthenticated For example in the OSK [12] protocol onedesynchronized tag cannot be accepted by a legitimate readerThus a desynchronized tag can still be distinguished in a tagset saying nothing of hiding in the set As a result the OSKmethod cannot providem-strong-ind-privacy orm-weak-ind-privacy
In the tree for MAP when 119860 is not aware of all keys inboth branches A does not know the 119875
119862and has to randomly
guess one for navigation and conduct the searching processWhen the guess fails A sends out a position that has nocollisions Then 119860 cannot split the tags Only when 119860 knowsall the keys in the branches related to T A can send outthe correct 119875
119862and proceed on tracking That is the main
reason whyMAP performs better than traditional tree-basedprotocols in defending against compromising attacks In facttheMAP protocol ism-strong-ind-private as will be proven inthe bellowing
Theorem 3 TheMAP protocol is MSIP private
Proof We perform the compromising attack with MAPprotocol as follows
We denote tags in 119873119878119887
by 1198791015840 We denote keys in 119879
and 1198791015840 with (119896119890119910
0 1198961198901199101 119896119890119910
119889) and (119896119890119910
1015840
0 1198961198901199101015840
1 119896119890119910
1015840
119889)
International Journal of Distributed Sensor Networks 11
respectively where 119889 is the depth of the tree Considering atlevel 119909 where 119896119890119910
119909is in a subtree we use 119870
119909to denote the
set of known keys by 119860 in this subtree and 119896119909to denote
the number of keys in 119870119909 And 119896
0is the number of tags
compromised There are three cases to be considered at levelxCase 1 A does not succeed in previous 119909 minus 1 levels and thereis exactly one key 119896119890119910
1015840
119909equal to 119896119890119910
119909 A definitely knows 119873
119878119887
includes 119879 The possibility is
119875119903(1198621
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times
1
120575119909times (1 minus
1
120575119909)
119873119860minus1
(7)
Case 2119860 does not succeed in previous 119909minus1 levels and therersquosno key 119896119890119910
1015840
119909equals to 119896119890119910
119909 A definitely knows that 119873
119878119887does
not include 119879 The possibility is
119875119903(1198622
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times (1 minus
1
120575119909)
119873119860
(8)
Case 3 119860 does not succeed in previous 119909 minus 1 levels and morethan one key 119896119890119910
1015840
119909equals 119896119890119910
119909 In this case 119860 fails at level 119909
and should move to level 119909 + 1 The possibility is
119875119903(1198623
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575minus 119875119903(1198621
119909) minus 119875119903(1198622
119909)
(9)
Theoverall probability of119860 definitely knowswhether119873119878119887
includes 119879 is
1198750
= 119875119903(1198621
1or 1198622
1) +
119889
sum
119909=2
(119875119903(1198621
119909or 1198622
119909) times
119909minus1
prod
119910=1
119875119903(1198623
119910))
= (1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
times
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
)))
(10)
where
119875 (119896119890119910119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895) (120575 minus 119895)
(120575119909 minus 119895)2
1198961
= 120575 (1 minus (1 minus1
120575)
1198960
)
119896119909
= 120575 (1 minus (1 minus1
120575)
119892(119896119909)
) (2 le 119909 le 119889)
119892 (119896119909) = 1198960
119909minus1
prod
119910=1
1
119896119910
(11)
The possibility 119860 succeeds in either subset is 1198750which is
a monotonically decreasing function of 119873119860 so is 119875MAP The
advantage of 119860 is 119875MAP which decreases exponentially to 0 as119873119860increases to be big enoughConsidering that 119896
119909le 120575 and 120575 ge 2 we have the following
derivations
(1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
le (1
2)
119873119860minus1
1198961
120575
1198961
120575
1198961
minus 1
120575 minus 1
le (1
2)
119873119860minus1
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
))
lt
119909minus1
prod
119910=1
(119875 (119896119890119910119910) times 1 times 1)
=
119909minus1
prod
119910=1
119875 (119896119890119910119910)
(12)
Then we have the following deduction
1198750
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
119909minus1
prod
119910=1
119875 (119896119890119910119910))
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
(1 minus1
120575119909)
119873119860minus1
lt (1
2)
119873119860minus1
+ 119889(1 minus1
1205752)
119873119860minus1
(13)
The right part of the inequality is a monotonicallydecreasing function of 119873
119860 For example it can be deduced
that 1198750
lt (12)119873119860minus1
+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875
0is an
infinitesimal as 119873119860approaches 119873 so is 119875MAP According to
Definition 2 MAP ism-strong-ind-private
12 International Journal of Distributed Sensor Networks
0 50 100 150 2000
02
04
06
08
1
Succ
essfu
l pro
b o
f atta
ck
Size of tag set to be authenticated
MAPTree-based
Figure 7 Comparisons on defending against compromising attack
Assume a RFID system of 220 tags with 120575 = 2 and 119889 =
20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]
We can find that for both protocols the possibilities that119860
succeeds reduceswhen119873119860increases ForMAP the possibility
reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873
119860gt 8 119875MAP lt
005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200
62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information
63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881
119862values are only used for
navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol
64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack
in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key
MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack
An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860
firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold
65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough
66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 9
The communication cost includes the cost for transmittingcommands and data with overheads such as wait time timeout frame sync and preamble Note that compared to otherkinds of wireless communication such as WiFi the messagesexchanged between the reader and tags are very short Thusthe overheads are not negligible All the command formatsdata formats and link timing follow the standard In searchcost we consider compute cost for hash values by both readerand tags We assume the reader can process 223 times 64 bitsSQUASH in a second in average For the tag we assume it canprocess one time SQUASH in 6775 us and 242 us We makethese two assumptions based on the link timing requirementsspecified in the standard
In our simulation the forward data rate is 40Kbps andthe backward data rate is 320KbpsWe suppose that there are220 tags in the system We choose tags randomly and repeatthe whole process 100 times for average results
In Figure 5 we give the result for 1000 tags The simu-lation result shows that MAP gains a better efficiency thantypical tree-based protocol The average time cost of tree-based protocols is about 22 times to 42 times that of MAPThe efficiency of MAP asymptotically approaches the RWPprotocol with O(1) complexity as the size of the tag setapproaches 1000 The simulation result is in accordance withthe theoretical analysis That is because in MAP computingand communication are shared between all tags Moreoverduring anticollision subcomponent tags respond with only 1bit to save communication cost That is why MAP outper-forms typical tree-based protocol when tag size is small
According to the performance result in [26] for 1000 tagsin a system with 105 tags at 40Kbps forward rate achieving1 erroneous decision the SEBA approach [25] needs 41min-utes while the SEBA+ approach [26] needs about 4 minutesUtilizing MAP it takes about 1000 times 10405times 10minus6 s = 1122 swhich is less than SEBA and more than SEBA+ Howeverthe result in [26] considers only the message transmissiontime leaving out the nonnegligible computation time andthe communication overheads such as wait time time outframe sync and preamble Moreover MAP provides accurateauthenticationwith no error probabilityThusMAP is a goodchoice in performance for the authentication ofmultiple tags
6 Security and Privacy Analysis
In this section we analyze the security and privacy charactersof MAP Because our approach is tree based we focus onresistance to compromising attackwhich has themost seriousimpact on conventional tree-based approaches [23] Weprove that MAP is m-strong-ind-private showing that MAPsatisfies strong privacy protection in multiple tags scenarioWe also show the abilities of MAP in terms of confidentialitycloning resistance tracking resistance timing-based attackresistance and forward secrecy
61 Compromising Attack Compromising attack is the mosteffective way for crashing tree-based protocols That isbecause tags organized in tree-based structures share keyswith each other When an adversary 119860 compromises some
0 200 400 600 800 1000
39
4
41
42
43
44
45
46
47
48
Size of tag set to be authenticated
log10
style
)
Tree-basedTree-basedMAP
MAPRWPRWP
242120583s6775120583s
6775120583s
242120583s242120583s6775120583s
Aver
age p
roce
ssin
g tim
e (120583
sFigure 5 Comparison on performance for 1ndash1000 tags
tags and thus obtain their secret keysA can deduce the secretkeys of other tags In conventional tree-based protocols alegitimate reader splits a tag from other possible ones levelby level and finally authenticates it on the leaf using itskeys on related levels An adversary can also distinguishtags and further track them in this way with keys fromthe compromised tags For detailed analysis please refer to[14 21]
Our analysis is based on the works in [10 14 18 2123 34] The notion of strong ind-privacy defined in [23]which is equivalent to the destructive-privacy defined in[34] is very similar to the strong privacy provided byMAP except that MAP focuses on privacy protection formultiple tags The existing privacy models are designedfor one-tag-one-reader authentication scheme and focus ondistinguishability privacy between TWO tags only They arenot fit for the multiple tags scenario in MAP where thereader cannot communicate to a tag before anticollisionsubcomponent
We define a new model for multiple tags environmentsincluding four oracles Request(sdot sdot sdot) Send(sdotsdot) Relay(sdotsdot) andCompromise(sdot) to formulate the attacks to the tag sets andreader Assume we have a tag set 119873
119878 Any attack on 119877 or 119873
119878
can be represented by calling on its oraclesRequest(119873
119878 1198981 1198983) A queries the tag set 119873
119878by a query
message1198981and receives the responsesThen119860 sends another
message 1198983to 119873119878 including the collision arbitration and Rrsquos
authentication dataSend(R 119898
2) A sends a message 119898
2 representing the tag
setrsquos reply and authentication messages to 119877 and receives aresponse
Relay(119873119878 119877) A relays the messages between 119873
119878and R A
can arbitrarily modify the messages from one side to another
10 International Journal of Distributed Sensor Networks
Compromise(119873119862) A compromises tags in set 119873
119862and
obtains their secret keys where 119873119862is a tag set 119860 obtains The
compromised tags are broken and cannot be used any furtherThe compromising attack on MAP denoted by
CAMAP119860
[1198960 119873119860
] is performed with the following steps
Step 1 The adversary 119860 compromises 1198960tags and obtains
their secret keys
Step 2 A chooses a target tag 119879 that has not been compro-mised A can query 119879 or act as a man-in-the-middle between119879 and the reader 119877 polynomial times Note that 119860 cannotcompromise119879 According to the secret keys119860 gains in Step 1A can compute outputs of these keys and compare to themTrsquosoutputs In this way 119860 can determine which of Trsquos keys equalto Arsquos known keys
Step 3 The system gives a tag set 119873119878with 119873
119874tags including
119879 Then 119873119878is divided into two subsets 119873
1198781and 119873
1198782 For the
simplicity we assume each subset contains 119873119860tags Or else
we can define the smaller set contains119873119860tags which will not
affect the result of analysis but complex the analysis processA randomly picks a subset 119873
119878119887 where b = 0 or b = 1 and
determines if 119879 is in this subset A can pick both subsets If119873119878119887
contains T A can proceed tracking 119879 by tracking 119873119878119887
otherwise 119873119878(1minus119887)
A can send queries to the tag set or act asa man-in-the-middle between the tag set and the reader 119877
polynomial times but cannot compromise those tagsWe denote
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] (4)
as the possibility 119860 definitely knows whether tag set 119873119878119887
includes T A succeeds if 119860 definitely knows which tag setincludes 119879 Then the possibility that 119860 succeeds is
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] = 1 minus (1 minus 1198750)2
(5)
where 1198750is the possibility that 119860 succeeds in either subset in
a system employing MAP
Definition 1 Theadvantage of adversary119860 in the compromis-ing attack is defined as
advMAP119860
(1198960 119873119860
) =
1003816100381610038161003816100381610038161003816(119875MAP +
1
2(1 minus 119875MAP)) minus
1
2
1003816100381610038161003816100381610038161003816=
119875MAP2
(6)
where the probability is the advantage of 119860 correctly guessagainst randomly guess which subset 119879 is in
Definition 2 (M-strong(120576 1198960 119873119860
)-ind-privacy) An RFIDprotocol PRO is m-strong( 120576 119896
0 119873119860)-ind-private if when 119873
119860
approaches N the advantage advPRO119860
(1198960 119873119860
) is at most 120576 inpolynomial time Where 119873
119860lt 119873 120576 is an infinitesimal when
119873 approaches infinity
M-weak(120576 1198960 119873119860)-ind-privacy is defined the same as m-
strong (120576 1198960 119873119860
)-ind-privacy except that 1198960= 0
Destructive Final NoCorrupt corrput Corrupt corrupt
Wide
Narrow
m-strong m-forward m-weak
m-narrow m-narrowm-narrowm-narrowstrong destructive
m-destructive
forward weak
Figure 6 The privacy levels
The above two privacy notions can be simply denotedas m-strong-ind-privacy (MSIP) and m-weak-ind-privacy(MWIP) where the letter ldquo119898rdquo is the abbreviation of mul-tiple tags When 119873
119860= 1 the MSIP (MWIP) equals the
strong-privacy (weak-privacy) in Juelsrsquos model [23] and thedestructive-privacy (weak-privacy) in Vaudenayrsquos model [34]At this time the case of a tag lying in a set is identical tothe case of the target tag being a particular tag in traditionalprivacy model with two tags Thus our multiple tags privacymodel is a generalized version of existing privacy models[23 34] On the contrary the existing privacy models arespecial cases of multiple tags privacy where each tag set hasonly one tagThen we can define 8 different levels of privacyby generalizing Vaudenayrsquos model for multiple tags scenariosas illustrated in Figure 6
The above model is dedicated for classifying the privacyprotection in multiple tags scenarios Intuitively it is easierfor a tag to hide in a set than to behavior indistinguishably toanother tag Thus the above model is a model weaker thanthe privacy models for one-reader-one-tag scenarios
However if the authentication protocol does not take thisadvantage then the protocol cannot provide better privacyin scenarios with multiple tags than in one-reader-one-tag scenarios no matter how many tags are there to beauthenticated For example in the OSK [12] protocol onedesynchronized tag cannot be accepted by a legitimate readerThus a desynchronized tag can still be distinguished in a tagset saying nothing of hiding in the set As a result the OSKmethod cannot providem-strong-ind-privacy orm-weak-ind-privacy
In the tree for MAP when 119860 is not aware of all keys inboth branches A does not know the 119875
119862and has to randomly
guess one for navigation and conduct the searching processWhen the guess fails A sends out a position that has nocollisions Then 119860 cannot split the tags Only when 119860 knowsall the keys in the branches related to T A can send outthe correct 119875
119862and proceed on tracking That is the main
reason whyMAP performs better than traditional tree-basedprotocols in defending against compromising attacks In facttheMAP protocol ism-strong-ind-private as will be proven inthe bellowing
Theorem 3 TheMAP protocol is MSIP private
Proof We perform the compromising attack with MAPprotocol as follows
We denote tags in 119873119878119887
by 1198791015840 We denote keys in 119879
and 1198791015840 with (119896119890119910
0 1198961198901199101 119896119890119910
119889) and (119896119890119910
1015840
0 1198961198901199101015840
1 119896119890119910
1015840
119889)
International Journal of Distributed Sensor Networks 11
respectively where 119889 is the depth of the tree Considering atlevel 119909 where 119896119890119910
119909is in a subtree we use 119870
119909to denote the
set of known keys by 119860 in this subtree and 119896119909to denote
the number of keys in 119870119909 And 119896
0is the number of tags
compromised There are three cases to be considered at levelxCase 1 A does not succeed in previous 119909 minus 1 levels and thereis exactly one key 119896119890119910
1015840
119909equal to 119896119890119910
119909 A definitely knows 119873
119878119887
includes 119879 The possibility is
119875119903(1198621
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times
1
120575119909times (1 minus
1
120575119909)
119873119860minus1
(7)
Case 2119860 does not succeed in previous 119909minus1 levels and therersquosno key 119896119890119910
1015840
119909equals to 119896119890119910
119909 A definitely knows that 119873
119878119887does
not include 119879 The possibility is
119875119903(1198622
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times (1 minus
1
120575119909)
119873119860
(8)
Case 3 119860 does not succeed in previous 119909 minus 1 levels and morethan one key 119896119890119910
1015840
119909equals 119896119890119910
119909 In this case 119860 fails at level 119909
and should move to level 119909 + 1 The possibility is
119875119903(1198623
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575minus 119875119903(1198621
119909) minus 119875119903(1198622
119909)
(9)
Theoverall probability of119860 definitely knowswhether119873119878119887
includes 119879 is
1198750
= 119875119903(1198621
1or 1198622
1) +
119889
sum
119909=2
(119875119903(1198621
119909or 1198622
119909) times
119909minus1
prod
119910=1
119875119903(1198623
119910))
= (1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
times
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
)))
(10)
where
119875 (119896119890119910119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895) (120575 minus 119895)
(120575119909 minus 119895)2
1198961
= 120575 (1 minus (1 minus1
120575)
1198960
)
119896119909
= 120575 (1 minus (1 minus1
120575)
119892(119896119909)
) (2 le 119909 le 119889)
119892 (119896119909) = 1198960
119909minus1
prod
119910=1
1
119896119910
(11)
The possibility 119860 succeeds in either subset is 1198750which is
a monotonically decreasing function of 119873119860 so is 119875MAP The
advantage of 119860 is 119875MAP which decreases exponentially to 0 as119873119860increases to be big enoughConsidering that 119896
119909le 120575 and 120575 ge 2 we have the following
derivations
(1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
le (1
2)
119873119860minus1
1198961
120575
1198961
120575
1198961
minus 1
120575 minus 1
le (1
2)
119873119860minus1
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
))
lt
119909minus1
prod
119910=1
(119875 (119896119890119910119910) times 1 times 1)
=
119909minus1
prod
119910=1
119875 (119896119890119910119910)
(12)
Then we have the following deduction
1198750
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
119909minus1
prod
119910=1
119875 (119896119890119910119910))
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
(1 minus1
120575119909)
119873119860minus1
lt (1
2)
119873119860minus1
+ 119889(1 minus1
1205752)
119873119860minus1
(13)
The right part of the inequality is a monotonicallydecreasing function of 119873
119860 For example it can be deduced
that 1198750
lt (12)119873119860minus1
+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875
0is an
infinitesimal as 119873119860approaches 119873 so is 119875MAP According to
Definition 2 MAP ism-strong-ind-private
12 International Journal of Distributed Sensor Networks
0 50 100 150 2000
02
04
06
08
1
Succ
essfu
l pro
b o
f atta
ck
Size of tag set to be authenticated
MAPTree-based
Figure 7 Comparisons on defending against compromising attack
Assume a RFID system of 220 tags with 120575 = 2 and 119889 =
20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]
We can find that for both protocols the possibilities that119860
succeeds reduceswhen119873119860increases ForMAP the possibility
reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873
119860gt 8 119875MAP lt
005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200
62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information
63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881
119862values are only used for
navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol
64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack
in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key
MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack
An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860
firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold
65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough
66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
10 International Journal of Distributed Sensor Networks
Compromise(119873119862) A compromises tags in set 119873
119862and
obtains their secret keys where 119873119862is a tag set 119860 obtains The
compromised tags are broken and cannot be used any furtherThe compromising attack on MAP denoted by
CAMAP119860
[1198960 119873119860
] is performed with the following steps
Step 1 The adversary 119860 compromises 1198960tags and obtains
their secret keys
Step 2 A chooses a target tag 119879 that has not been compro-mised A can query 119879 or act as a man-in-the-middle between119879 and the reader 119877 polynomial times Note that 119860 cannotcompromise119879 According to the secret keys119860 gains in Step 1A can compute outputs of these keys and compare to themTrsquosoutputs In this way 119860 can determine which of Trsquos keys equalto Arsquos known keys
Step 3 The system gives a tag set 119873119878with 119873
119874tags including
119879 Then 119873119878is divided into two subsets 119873
1198781and 119873
1198782 For the
simplicity we assume each subset contains 119873119860tags Or else
we can define the smaller set contains119873119860tags which will not
affect the result of analysis but complex the analysis processA randomly picks a subset 119873
119878119887 where b = 0 or b = 1 and
determines if 119879 is in this subset A can pick both subsets If119873119878119887
contains T A can proceed tracking 119879 by tracking 119873119878119887
otherwise 119873119878(1minus119887)
A can send queries to the tag set or act asa man-in-the-middle between the tag set and the reader 119877
polynomial times but cannot compromise those tagsWe denote
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] (4)
as the possibility 119860 definitely knows whether tag set 119873119878119887
includes T A succeeds if 119860 definitely knows which tag setincludes 119879 Then the possibility that 119860 succeeds is
119875MAP = 119875119903[CAMAP119860
[1198960 119873119860
] = 1] = 1 minus (1 minus 1198750)2
(5)
where 1198750is the possibility that 119860 succeeds in either subset in
a system employing MAP
Definition 1 Theadvantage of adversary119860 in the compromis-ing attack is defined as
advMAP119860
(1198960 119873119860
) =
1003816100381610038161003816100381610038161003816(119875MAP +
1
2(1 minus 119875MAP)) minus
1
2
1003816100381610038161003816100381610038161003816=
119875MAP2
(6)
where the probability is the advantage of 119860 correctly guessagainst randomly guess which subset 119879 is in
Definition 2 (M-strong(120576 1198960 119873119860
)-ind-privacy) An RFIDprotocol PRO is m-strong( 120576 119896
0 119873119860)-ind-private if when 119873
119860
approaches N the advantage advPRO119860
(1198960 119873119860
) is at most 120576 inpolynomial time Where 119873
119860lt 119873 120576 is an infinitesimal when
119873 approaches infinity
M-weak(120576 1198960 119873119860)-ind-privacy is defined the same as m-
strong (120576 1198960 119873119860
)-ind-privacy except that 1198960= 0
Destructive Final NoCorrupt corrput Corrupt corrupt
Wide
Narrow
m-strong m-forward m-weak
m-narrow m-narrowm-narrowm-narrowstrong destructive
m-destructive
forward weak
Figure 6 The privacy levels
The above two privacy notions can be simply denotedas m-strong-ind-privacy (MSIP) and m-weak-ind-privacy(MWIP) where the letter ldquo119898rdquo is the abbreviation of mul-tiple tags When 119873
119860= 1 the MSIP (MWIP) equals the
strong-privacy (weak-privacy) in Juelsrsquos model [23] and thedestructive-privacy (weak-privacy) in Vaudenayrsquos model [34]At this time the case of a tag lying in a set is identical tothe case of the target tag being a particular tag in traditionalprivacy model with two tags Thus our multiple tags privacymodel is a generalized version of existing privacy models[23 34] On the contrary the existing privacy models arespecial cases of multiple tags privacy where each tag set hasonly one tagThen we can define 8 different levels of privacyby generalizing Vaudenayrsquos model for multiple tags scenariosas illustrated in Figure 6
The above model is dedicated for classifying the privacyprotection in multiple tags scenarios Intuitively it is easierfor a tag to hide in a set than to behavior indistinguishably toanother tag Thus the above model is a model weaker thanthe privacy models for one-reader-one-tag scenarios
However if the authentication protocol does not take thisadvantage then the protocol cannot provide better privacyin scenarios with multiple tags than in one-reader-one-tag scenarios no matter how many tags are there to beauthenticated For example in the OSK [12] protocol onedesynchronized tag cannot be accepted by a legitimate readerThus a desynchronized tag can still be distinguished in a tagset saying nothing of hiding in the set As a result the OSKmethod cannot providem-strong-ind-privacy orm-weak-ind-privacy
In the tree for MAP when 119860 is not aware of all keys inboth branches A does not know the 119875
119862and has to randomly
guess one for navigation and conduct the searching processWhen the guess fails A sends out a position that has nocollisions Then 119860 cannot split the tags Only when 119860 knowsall the keys in the branches related to T A can send outthe correct 119875
119862and proceed on tracking That is the main
reason whyMAP performs better than traditional tree-basedprotocols in defending against compromising attacks In facttheMAP protocol ism-strong-ind-private as will be proven inthe bellowing
Theorem 3 TheMAP protocol is MSIP private
Proof We perform the compromising attack with MAPprotocol as follows
We denote tags in 119873119878119887
by 1198791015840 We denote keys in 119879
and 1198791015840 with (119896119890119910
0 1198961198901199101 119896119890119910
119889) and (119896119890119910
1015840
0 1198961198901199101015840
1 119896119890119910
1015840
119889)
International Journal of Distributed Sensor Networks 11
respectively where 119889 is the depth of the tree Considering atlevel 119909 where 119896119890119910
119909is in a subtree we use 119870
119909to denote the
set of known keys by 119860 in this subtree and 119896119909to denote
the number of keys in 119870119909 And 119896
0is the number of tags
compromised There are three cases to be considered at levelxCase 1 A does not succeed in previous 119909 minus 1 levels and thereis exactly one key 119896119890119910
1015840
119909equal to 119896119890119910
119909 A definitely knows 119873
119878119887
includes 119879 The possibility is
119875119903(1198621
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times
1
120575119909times (1 minus
1
120575119909)
119873119860minus1
(7)
Case 2119860 does not succeed in previous 119909minus1 levels and therersquosno key 119896119890119910
1015840
119909equals to 119896119890119910
119909 A definitely knows that 119873
119878119887does
not include 119879 The possibility is
119875119903(1198622
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times (1 minus
1
120575119909)
119873119860
(8)
Case 3 119860 does not succeed in previous 119909 minus 1 levels and morethan one key 119896119890119910
1015840
119909equals 119896119890119910
119909 In this case 119860 fails at level 119909
and should move to level 119909 + 1 The possibility is
119875119903(1198623
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575minus 119875119903(1198621
119909) minus 119875119903(1198622
119909)
(9)
Theoverall probability of119860 definitely knowswhether119873119878119887
includes 119879 is
1198750
= 119875119903(1198621
1or 1198622
1) +
119889
sum
119909=2
(119875119903(1198621
119909or 1198622
119909) times
119909minus1
prod
119910=1
119875119903(1198623
119910))
= (1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
times
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
)))
(10)
where
119875 (119896119890119910119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895) (120575 minus 119895)
(120575119909 minus 119895)2
1198961
= 120575 (1 minus (1 minus1
120575)
1198960
)
119896119909
= 120575 (1 minus (1 minus1
120575)
119892(119896119909)
) (2 le 119909 le 119889)
119892 (119896119909) = 1198960
119909minus1
prod
119910=1
1
119896119910
(11)
The possibility 119860 succeeds in either subset is 1198750which is
a monotonically decreasing function of 119873119860 so is 119875MAP The
advantage of 119860 is 119875MAP which decreases exponentially to 0 as119873119860increases to be big enoughConsidering that 119896
119909le 120575 and 120575 ge 2 we have the following
derivations
(1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
le (1
2)
119873119860minus1
1198961
120575
1198961
120575
1198961
minus 1
120575 minus 1
le (1
2)
119873119860minus1
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
))
lt
119909minus1
prod
119910=1
(119875 (119896119890119910119910) times 1 times 1)
=
119909minus1
prod
119910=1
119875 (119896119890119910119910)
(12)
Then we have the following deduction
1198750
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
119909minus1
prod
119910=1
119875 (119896119890119910119910))
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
(1 minus1
120575119909)
119873119860minus1
lt (1
2)
119873119860minus1
+ 119889(1 minus1
1205752)
119873119860minus1
(13)
The right part of the inequality is a monotonicallydecreasing function of 119873
119860 For example it can be deduced
that 1198750
lt (12)119873119860minus1
+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875
0is an
infinitesimal as 119873119860approaches 119873 so is 119875MAP According to
Definition 2 MAP ism-strong-ind-private
12 International Journal of Distributed Sensor Networks
0 50 100 150 2000
02
04
06
08
1
Succ
essfu
l pro
b o
f atta
ck
Size of tag set to be authenticated
MAPTree-based
Figure 7 Comparisons on defending against compromising attack
Assume a RFID system of 220 tags with 120575 = 2 and 119889 =
20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]
We can find that for both protocols the possibilities that119860
succeeds reduceswhen119873119860increases ForMAP the possibility
reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873
119860gt 8 119875MAP lt
005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200
62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information
63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881
119862values are only used for
navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol
64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack
in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key
MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack
An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860
firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold
65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough
66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 11
respectively where 119889 is the depth of the tree Considering atlevel 119909 where 119896119890119910
119909is in a subtree we use 119870
119909to denote the
set of known keys by 119860 in this subtree and 119896119909to denote
the number of keys in 119870119909 And 119896
0is the number of tags
compromised There are three cases to be considered at levelxCase 1 A does not succeed in previous 119909 minus 1 levels and thereis exactly one key 119896119890119910
1015840
119909equal to 119896119890119910
119909 A definitely knows 119873
119878119887
includes 119879 The possibility is
119875119903(1198621
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times
1
120575119909times (1 minus
1
120575119909)
119873119860minus1
(7)
Case 2119860 does not succeed in previous 119909minus1 levels and therersquosno key 119896119890119910
1015840
119909equals to 119896119890119910
119909 A definitely knows that 119873
119878119887does
not include 119879 The possibility is
119875119903(1198622
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575times (1 minus
1
120575119909)
119873119860
(8)
Case 3 119860 does not succeed in previous 119909 minus 1 levels and morethan one key 119896119890119910
1015840
119909equals 119896119890119910
119909 In this case 119860 fails at level 119909
and should move to level 119909 + 1 The possibility is
119875119903(1198623
119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895
120575119909 minus 119895) times
119896119909
120575minus 119875119903(1198621
119909) minus 119875119903(1198622
119909)
(9)
Theoverall probability of119860 definitely knowswhether119873119878119887
includes 119879 is
1198750
= 119875119903(1198621
1or 1198622
1) +
119889
sum
119909=2
(119875119903(1198621
119909or 1198622
119909) times
119909minus1
prod
119910=1
119875119903(1198623
119910))
= (1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
times
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
)))
(10)
where
119875 (119896119890119910119909) =
120575minus1
prod
119895=0
(120575119909minus1
119896119909
minus 119895) (120575 minus 119895)
(120575119909 minus 119895)2
1198961
= 120575 (1 minus (1 minus1
120575)
1198960
)
119896119909
= 120575 (1 minus (1 minus1
120575)
119892(119896119909)
) (2 le 119909 le 119889)
119892 (119896119909) = 1198960
119909minus1
prod
119910=1
1
119896119910
(11)
The possibility 119860 succeeds in either subset is 1198750which is
a monotonically decreasing function of 119873119860 so is 119875MAP The
advantage of 119860 is 119875MAP which decreases exponentially to 0 as119873119860increases to be big enoughConsidering that 119896
119909le 120575 and 120575 ge 2 we have the following
derivations
(1 minus1
120575)
119873119860minus1
1198961
120575
120575minus1
prod
119895=0
1198961
minus 119895
120575 minus 119895
le (1
2)
119873119860minus1
1198961
120575
1198961
120575
1198961
minus 1
120575 minus 1
le (1
2)
119873119860minus1
119909minus1
prod
119910=1
(119875 (119896119890119910119910)
119896119910
120575(1 minus (1 minus
1
120575119910)
119873119860minus1
))
lt
119909minus1
prod
119910=1
(119875 (119896119890119910119910) times 1 times 1)
=
119909minus1
prod
119910=1
119875 (119896119890119910119910)
(12)
Then we have the following deduction
1198750
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
((1 minus1
120575119909)
119873119860minus1
119896119909
120575119875 (119896119890119910
119909)
119909minus1
prod
119910=1
119875 (119896119890119910119910))
lt (1
2)
119873119860minus1
+
119889
sum
119909=2
(1 minus1
120575119909)
119873119860minus1
lt (1
2)
119873119860minus1
+ 119889(1 minus1
1205752)
119873119860minus1
(13)
The right part of the inequality is a monotonicallydecreasing function of 119873
119860 For example it can be deduced
that 1198750
lt (12)119873119860minus1
+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875
0is an
infinitesimal as 119873119860approaches 119873 so is 119875MAP According to
Definition 2 MAP ism-strong-ind-private
12 International Journal of Distributed Sensor Networks
0 50 100 150 2000
02
04
06
08
1
Succ
essfu
l pro
b o
f atta
ck
Size of tag set to be authenticated
MAPTree-based
Figure 7 Comparisons on defending against compromising attack
Assume a RFID system of 220 tags with 120575 = 2 and 119889 =
20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]
We can find that for both protocols the possibilities that119860
succeeds reduceswhen119873119860increases ForMAP the possibility
reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873
119860gt 8 119875MAP lt
005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200
62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information
63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881
119862values are only used for
navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol
64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack
in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key
MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack
An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860
firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold
65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough
66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
12 International Journal of Distributed Sensor Networks
0 50 100 150 2000
02
04
06
08
1
Succ
essfu
l pro
b o
f atta
ck
Size of tag set to be authenticated
MAPTree-based
Figure 7 Comparisons on defending against compromising attack
Assume a RFID system of 220 tags with 120575 = 2 and 119889 =
20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]
We can find that for both protocols the possibilities that119860
succeeds reduceswhen119873119860increases ForMAP the possibility
reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873
119860gt 8 119875MAP lt
005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200
62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information
63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881
119862values are only used for
navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol
64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack
in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key
MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack
An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860
firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold
65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough
66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 13
7 Possible Variants and Improvements
The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems
MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols
8 Conclusions and Future Work
In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time
Acknowledgments
The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain
References
[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009
[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007
[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008
[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf
[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006
[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007
[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011
[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008
[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009
[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008
[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003
[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004
[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008
[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005
[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
14 International Journal of Distributed Sensor Networks
Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004
[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004
[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007
[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009
[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005
[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006
[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007
[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009
[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009
[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010
[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010
[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011
[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011
[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012
[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006
[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item
management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003
[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008
[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007
[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg
[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007
[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of