Research Article MAP: Towards Authentication for Multiple …downloads.hindawi.com/journals/ijdsn/2013/109439.pdfis is an open access article distributed under the Creative Commons

Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2013 Article ID 109439 14 pageshttpdxdoiorg1011552013109439

Research ArticleMAP Towards Authentication for Multiple Tags

Qingsong Yao123 Jinsong Han2 Saiyu Qi3 Zhuo Liu3 Shan Chang4 and Jianfeng Ma1

1 School of Computer Science and Technology Xidian University Xirsquoan China2 School of Electronic and Information Engineering Xirsquoan Jiaotong University Xirsquoan China3Department of Computer Science and Engineering Hong Kong University of Science and Technology Hong Kong4 School of Computer Science and Technology Donghua University Shanghai China

Correspondence should be addressed to Qingsong Yao qsyaoxidianeducn

Received 5 July 2013 Accepted 7 September 2013

Academic Editor Yuan He

Copyright copy 2013 Qingsong Yao et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

The prevalence of Radio Frequency Identification (RFID) technology requires Privacy-Preserving Authentication (PPA) protocolsto prevent privacy leakage during authentication Existing PPA protocols employ the per-tag authentication in which the readerhas to sequentially authenticate the tags within the detecting region Such a processing pattern becomes a bottleneck in currentRFID enabled systems especially for those batch-type processing applications In this paper we propose an efficient authenticationprotocol which leverages the collaboration among multiple tags for accelerating the authentication speed We also find that thecollision usually being considered as a negative factor is helpful media to enable collaborative authentication among tags Ourprotocol termed as Multiple-tags privacy-preserving Authentication Protocol (MAP) authenticates a batch of tags concurrentlywith strong privacy and high efficiencyThe analytical and simulation results show that the efficiency ofMAP is better thanO(log119873)and asymptotically approaches O(1)

1 Introduction

RFID technology has been involved in many daily appli-cations [1] RFID tags can be embedded in passports IDcards credit cards and logistical labels to perform remoteidentification as well as facilitate applications such as device-free activity monitoring [2] and fast inventory [3] RFID tagsusually contain or relate to sensitive information of the tagowners or carriers If the sensitive information on a tag isexposed the privacy of the tag holder will be jeopardizedRecently Privacy-Preserving Authentication (PPA) protocols[4ndash6] are proposed to enable authentication for tags withoutleaking private information Generally each tag shares somesecrets with the reader During authentication the readerinterrogates a tag with a nonce The tag responds with amessage computed with the shared secrets and the nonceto authenticate itself to the reader Upon this response thereader searches in the backend database to find a matchrecord for the tag and determine the validity of the tag If thetag is legitimate the reader emits a message to authenticate

itself to the tagUtilizing cryptographic functions andnoncesPPA protocols can strengthen privacy protection

Most PPA approaches are designed for the per-tag sce-nario where a reader can only authenticate one tag ateach time Due to cost concern an RFID tag is usuallydesigned to be extremely resource limited even with lesspower than in sensor-based data collection applications [7]Thus the tag cannot afford complex cryptographic functionssuch as asymmetric cryptographic functions Thus currentRFID tags usually adopt relatively low-cost cryptographicalgorithms for example the lightweight hash functions [8]or HB protocols [9] to perform the authentication Howeverit is proven that a large system with strong indistinguishableprivacy and constant complexity requires public key cryp-tography in [10] where the indistinguishable privacy (ind-privacy) means that none can link a tag and its behaviorwithout learning its internal states The proof also impliesthat the authentication complexity of PPA protocols is atleast 119874(119873) if utilizing symmetric cryptographic functionsto achieve strong privacy where 119873 is the number of tags

2 International Journal of Distributed Sensor Networks

in the system As a result existing PPA protocols althoughachieving119874(log119873) or even119874(1) complexity have the penaltyof privacy degrading

The above dilemma motivates us to change the per-spective of enhancing privacy and improving efficiency forPPA protocols Before presenting our protocol we report thefollowing important observations

(a) Essentially batch-type authentication pattern is moresuitable for current RFID applications Many RFIDapplications have urgent requirements for batch pro-cessing For example in port logistics applicationsitems are usually arranged in containersThe customsauthorities need to check or even real-timely monitorthe cargos to avoid hiding of dangerous goods Itwould be impractical and time consuming to openthe containers and authenticate the goods one by oneWhat is more the tags on goods may have sensitivebusiness information unwilling to be leaked Theseneeds also arise when express companies delivervaluable goods where privacy leakage may causereputation defamation of the customers If batch-type PPA protocols are available the urgent needs ofefficient and private authentication can be satisfied

(b) When facing multiple tags an RFID reader needs ananticollision process for communicating and dealingwith each individual tag Although being efficientexisting anticollision approaches cannot meet therequirement of privacy protection Thus the anti-collision process should be performed anonymouslyThe result of the anonymized anticollision processhowever is helpless to the authentication processSimply combining these two processes is inefficientfor real RFID systems In addition a large number ofoperations are redundant for processing multiple tagsif employing PPA protocols with the per-tag patternwhich also incurs a time waste as will be shown inSection 31

(c) To resist the tracking attack it is an intuitive way toemploy multiple tags for confusing the attackers aswill be shown in Section 61 But we cannot fully uti-lize this feature if adopting the per-tag authenticationpattern If we can allow multiple tags to collabora-tively protect themselves in PPA authentication theirprivacy can be enhanced

With the above observations we introduce the conceptof tag collaboration to RFID systems A group of tags cancooperate to obtain better privacy protection Furthermorethe collaboration can improve the efficiency of RFID authen-tication We thereby propose a protocol to allow a batch oftags to collaboratively authenticate themselves to the readerThe protocol also meets the urgent need from real RFIDapplications Our protocol termed as Multiple tags privacy-preserving Authentication Protocol (MAP) has three majormerits

(1) MAP allows multiple tags to perform collaborativeauthentication Particularly we leverage the collision

which is commonly considered as a negative impacton RFID authentication to perform collaborationThe collaboration accelerates the authentication pro-cess and hides each individual tag in the group

(2) MAP can effectively defend against compromisingattack in which an adversary tries to distinguishuncompromised tags based on the secret informationobtained from compromised tags and provide strongprivacy for multiple tags We define a notion of m-strong-ind-privacy as a refinement of ind-privacy toevaluate the privacy strength of multiple tagsrsquo authen-tication We prove that MAP can provide m-strong-ind-privacy With this feature the possibility thatadversaries successfully break the indistinguishableprivacy of tags is mitigated to be negligibleThereforeour scheme provides strong privacy protection forpractical RFID applications

(3) MAP also provides security and privacy protection interms of confidentiality cloning resistance trackingresistance timing-based attack resistance and for-ward secrecy

(4) Wepresent the theoretical upper bound lower boundand mean time cost of MAPrsquos authentication effi-ciency The results show that the authentication effi-ciency of MAP is better than 119874(log119873) which is theupper bound of most PPA approaches In particularthe efficiency asymptotically approaches to 119874(1) asthe size of the tag set enlarges

The rest of this paper is organized as follows We discussthe related works in Section 2 In Section 3 we present ourobservations andmotivations in authenticatingmultiple tagsWe present the details in the design of MAP in Section 4 InSection 5 we discuss the performance of MAP In Section 6we present the security and privacy analysis In Section 7 weprovide some possible variants and improvements At last weconclude the work

2 Related Works

21 Existing PPA Protocols and Their Limitations RecentlyPrivacy-Preserving Authentication (PPA) protocols [4ndash6] areproposed to protect private information for RFID usersThose approaches aim to provide authentication for tagswithout leaking their private information for example theIDs stored in tags

Early PPA protocols organize tags (or keys of the tags)in a linear structure [11 12] The linear structure results in119874(119873) search efficiency where 119873 is the number of tags in thesystem In large-scale systems that usually have millions oftags however 119874(119873) is insufficient to meet the need of fastprocessing In [13] the authors employ a time-space tradeoffto provide 119874(119873

23) search efficiency [14] but their work is

still inefficient for large-scale systems Later a number ofsynchronization protocols are proposed to utilize precom-puted records to accelerate the search procedure In [15ndash17] the reader synchronizes with tags for fast authenticationAlthough the synchronization approaches can provide 119874(1)

International Journal of Distributed Sensor Networks 3

search efficiency they are vulnerable to desynchronizationattacks In such attacks an adversary keeps interrogating atag until the counter of the tag goes beyond a predefinedthreshold In this case the protocol would be improperlybroken and the tag can be either unacceptable by legitimatereaders or trackable to attackers In [18] the authors proposea protocol which combines the synchronization methodwith exhaustive search Such a combination can achieveefficient authentication with high privacy protection whenthe protocol utilizes synchronizationmethod but suffers from119874(119873) search efficiency when the synchronization method isnot applicable

Besides the linear organization tags can be organizedin a virtual tree-based structure [19 20] In a tree-basedapproach each tag is attached to a leaf node Each node inthe tree keeps a random key A tag holds the keys on thepath from the root to the corresponding leaf node During anauthentication the reader sends a query and the tag generatesciphers using its keys Upon the ciphers the reader performsa Depth-First-Search (DFS) in the key tree for locating a pathwith correct keys that can successfully match those ciphersand hence authenticating the tag In this way the readercan authenticate a tag with an 119874(log119873) search efficiencywhere 119873 is the number of tags Tree-based protocols areefficient but they suffer from the compromising attack Intree-based approaches compromising attack is the mostserious threat because the tags share keys with each otherTheadversary can recognize an uncompromised tag via some ofthe keys obtained from compromised tags For example ina binary tree-based system with 220 tags compromising 20tags can achieve a nearly 955 probability of successfullytracking a tag [21] Many protocols are proposed to resistcompromising attack by utilizing key-updating mechanism[21] or balancing the tradeoff between time space andprivacy [22] Those protocols although mitigating the affectof compromising attacks still cannot provide strong ind-privacy [23] with less thanO(N) complexity In [9] a protocolemploying lightweight HB protocol instead of cryptographichash function is proposed to achieve efficient authenticationThis design based on tree architecture also suffers fromcompromising attack

Existing PPA protocols are designed for authenticating asingle tag at a time which is suitable for per-tag scenarioTheper-tag pattern however can hardly provide high efficiencyand privacy simultaneously which implies a need of adoptingpublic key cryptography [10] Unfortunately the adoptionof public key cryptography is prohibitively expensive formost tags due to the capability and resource limitationsSome researchers suggest weaker privacy models for per-tagauthentication [23 24]

Recently someworks emerged dealing withmultiple tagsrsquoidentification and thus are related to this work [25ndash28] Yanget al [25] propose to aggregate the responses from a batchof tags on corresponding readers and then the aggregatedresponses enable probabilistic verification for the batch oftags Bianchi [26] extends this approach and employs BloomFilter to achieve a more general frameworkThese two worksfocuses on the reader-to-server process procedure while our

approach focus on the searching process for authenticatingtags with privacy concern Zheng and Li [27] propose a fasttag searching protocol which is efficient and scalable formultiple tags However this work focuses on tag identifi-cation other than authentication Sheng and Tan [28] studythe group authentication problem with heterogeneous RFIDnetwork In this work more advanced computational RFIDtags are introduced helping regular tags to be authenticatedto the reader

22 Existing Anticollision Algorithms and Limitations On theother hand many anticollision algorithms such as [29ndash32]have been proposed to arbitrate collisions of multiple tagsThere are two major categories of anticollision algorithmsframed-slot-based approaches (also known asALOHA-basedapproaches) and tree-based approaches In an ALOHA-based approach a reader first sends query command claiminghowmany slots in a detecting frameThen each tag randomlyselects a slot and transmits the ID within the chosen slotIn some slots a collision may inevitably happen The readerwill repeatedly launch the detecting process until every tagcan be identified without collisions The tree-based anticol-lision protocols allow the reader to actively declare a filterAccording to the filter a set of tags are required to report theirIDs in a slot and others keep silent In this way the readercan decode responses and identify tags In [29] historicalinformation obtained from the last identification process isused in current identification process to decrease collisionsIn [30 31] a counter facilitates tags to evade collisions Thetags with a counter 0 respond the query and choose a valuefor example 0 or 1 for their counters in the next round if theycollide In [32] the authors propose a method for multiplereaders to interrogate tags with near-optimal number of timeslots

Being effective in collision arbitration the above designshowever are unsuitable for protecting privacy since the IDsare all in plain text during the anticollision process Althoughthe authors in [33] propose a pseudo-identifier to enableprivate anticollision the pseudo IDs cannot help the readerto know the real ID of the tagsThus the reader has to conductanother search procedure for locating the tags and gettingtheir keys needed for authentication

3 Observations and Motivation

31 Observations on Redundancy and Possible TreatmentsIn real RFID applications it is common that a batch oftags is within the detecting region of a reader The readeremploys an anticollision process to distinguish those tags andthen communicates with each of them for performing PPAauthentication Indeed the combination of anticollision andauthentication is inefficient

Firstly current PPA protocols are mainly designed forper-tag scenarios where the searching process for differenttagsrsquo keys contains many redundant computation and com-parison operations We demonstrate this fact via an exampleof a typical tree-based authentication protocol [20] The keysare arranged in a key tree as illustrated in Figure 1 The


k10

k20

k30

k21

k32 k33

k23

k11

T1 T2T3 T4

M1

M2

Figure 1 Tree-based architecture

Request NR

) Fk1198942(r) Fk119894

119889(rGenerate NT

RTi

NT k1198941(r )⟩⟨F

set r = NT ||NR

Figure 2 Typical tree-based protocol

protocol is performed as shown in Figure 2 In Figure 1 1198791rsquos

keys are (11989610 11989621 11989632) 119873119877and 119873

119879are two nonces 119903 =

119873119877||119873119879is their conjunction and 119865

11989610

(119903) 11986511989621

(119903) and 11986511989632

(119903)

are three hash values computed by using 119903 and the three keys(11989610 11989621 11989632) of 119879

1 respectively The hash value with the

inputs of 119903 and tag119879119894rsquos jth level key 119896

119894

119895is119865119896119894

119895

(119903)The reader thenchecks the hash values at level 119895 to determine the 119895th branchthat the tag lies in Continuing this process the reader caneventually identify and authenticate a tag For the example inFigure 1 the reader will travel along the path root rarr 119872

1rarr

1198722

rarr 1198791to reach the leaf node 119879

1 In this way the reader

can authenticate a tag with 119874(log119873) efficiencyIn Figure 1 if 119879

1and 119879

2are both in the batch the

reader has to check (11989610 11989621 11989632) to authenticate 119879

1and

check (11989610 11989621 11989633) for 119879

2 The checking for 119896

10and 119896

21

is redundant Previous works pay little attentions to theredundant operations in PPA authentication because theymainly focus on the interaction between the individual tagand reader in the per-tagrsquos authentication If those redundantoperations are well arranged a nontrivial improvement onthe authentication efficiency can be achieved in the batch-type process

Secondly the anticollision and authentication processesare generally conducted separately In the existing works theresult of anticollision cannot be reused by the authenticationprocess Since existing anticollisionmechanisms are designedwithout considering privacy protection if a tag uses itsreal identifier in the anticollision process the privacy willbe broken To meet the need of privacy a tag can onlyuse anonymized ID for example a pseudo-identifier inthe anticollision process Nevertheless the reader cannotleverage anonymized ID to locate the tag in the database

in the PPA authentication process If the anticollision infor-mation is generated and utilized without privacy leakagethe authentication process can be accelerated by reusing theresult of anticollision

32 Motivation Based on above observations our moti-vation is to enable the collaboration of multiple tags toconcurrently achieve privacy-preserving collision arbitrationand fast authentication

We still employ the example in Figure 1 to explain ourstrategy Consider two tags 119879

2and 119879

3 If simultaneously

queried by a single reader with a timestamp 119903 they will emitmessages for the readerrsquos verification as defined in the PPAprotocolsThese messages are computed using the 119903 and theirkeys According to the collision resistance property of cryp-tographic hash functions the keys in different branches willproduce different outputs Thus the two hash values will bedifferent at some bits We call those bits as different collisionbits and their positions as collision positions Indeed thesecollisions provide us a possible way to privately differentiatetags

In fact a legitimate reader knows the keys of all tags thatis it knows the keys at each branch in the key tree This factallows us to leverage precomputed results to accelerate theauthentication In Figure 1 with these known parameters Rcan compute the possible hash values of119879

2and 119879

3at level 1 in

advanceThen119877 can compare these two hash values to obtainthe possible positions of collision bits R can just query thefirst collision bit to check if there is a difference If a collisionis detected at a virtual node in the binary key tree each ofits branches contains at least one tag in the detecting regionFigure 3 illustrates an example for 119879

2and 119879

3 At level 119909 minus 1 119877

pre-computes hash values ℎ(1198962

119909 119903119910) = 10110 and ℎ(119896

3

119909 119903119910) =

10000 where ℎ(119896119895

119909 119903119910) is computed with 119879

119895rsquos 119909th key and the

timestamp 119903119910for this current sessionas inputs The two hash

values differ at the 3rd bit then 119877 sends out a query (119903119910 1

3) where 1 denotes a value for collision bit at level 119909 minus 2

denoting node 1198721 and 3 is the collision position of level 119909

Upon the query1198792and1198793compute responses where (10110)

3

= 1 (10000)3= 0 and (V)

119906is the 119906th bit in VThen119879

3responds

ldquo1rdquo at time slot 0 and1198792responds ldquo1rdquo at time slot 1 In this way

ONE bit transmission is adequate in each time slot for tagrsquosresponse At level x R receives the responses and chooses abranch which is related to slot 1 in this example R also pre-computes and sends out the message to continue the depth-first-search With this message R moves to the node relatedto 1198792at next level and119879

3enters the ldquoholdingrdquo status in which

1198793will keep silent until its turn for any action In this way

tags collaboratively conduct the anticollision R can verify atagrsquos unique information when it moves to the leaf level tocomplete the authentication for this tag Note that even if acollision happens due to the existence of multiple tags in aslot R can still conduct the anticollision process because 119877

only requires the information that whether a branch containstag instead of recovering individual responses from tags

Based on the above analysis we find that combiningprivate anticollision and authentication processes is feasible


In particular the length of each tagrsquos response message to thereader can be minimized to one bit

4 MAP Design

41 Overview The MAP has four components system ini-tialization tags authentication updating and system main-tenance

MAP also initializes a virtual tree to organize keys fortags Except the root each virtual node in the tree containsa key Each leaf node is assigned to a tag Hence the depthof the tree is 119874(log119873) where 119873 is the total number of tagsin the system The reader maintains the key tree and keeps itsecret

To enable concurrent authentication formultiple tags theauthentication of MAP contains two phases anticollision ofmultiple tags and authentication of individual tags Duringthe former phase tags return one-bit responses to thereader If more than one branch replies the reader splitsthe entire tree (or a branch of the tree) into two subtrees(or subbranches) The reader then informs the tags on onesubtree (or subbranch) to continue performing the MAPprotocol and the tags on the other subtrees (or subbranches)to hold

For each subtree (or sub branch) the reader recursivelyexecutes the MAP protocol When arriving at a leaf node inthe virtual tree MAP launches its authentication componentin which the reader mutually authenticates a tag

After a successful mutual authentication between thereader and a tag the keys of the tag will be updated and hencesynchronized at both the tag and the reader When updatingthe keys MAP employs a cryptographic hash function withthe current key and two random nonces as inputs to generatea new key

In addition MAP provides maintenance function to dealwith tagsrsquo joining and leaving Utilizing this component theexpired tags can also be renewed

42 System Initialization MAP employs a sparse treedenoted as 119878 to initialize and maintain the keys for alltags We use 120575 and 119889 to denote the branching factor (2 forbinary tree) and depth of 119878 respectively For the simplicity ofexplanation we choose the branching factor of 2 As shownin Figure 1 assuming there are 119873 tags 119879

119894 1 le 119894 le 119873

and a reader R in the RFID system the reader 119877 assigns119873 tags to 119873 leaf nodes in 119878 In the key tree each virtualnode except the root contains a secret key As a result eachtag has 119889 keys which form a path from the root of theresponding leaf node in 119878 Initially each key is randomlygenerated The cryptographic hash function used by 119877 andall tags is ℎ(sdot) A counter 119888

119901is stored in each tag recording

the anticollision sequence of the tag Each tag 119879119894also has a

timestamp timestampiWhen initializing a tag 119879

119894 119877 first dispatches 119889 keys to 119879

119894

and sets the 119888119901of 119879119894to 0 119877 also sets the value of an internal

counter 1198880= 0 The counters denote the ldquoholdingrdquo sequence

for later remounting The keys are corresponding to a pathfrom the root of 119878 to the tag For example in Figure 1 the keysstored in tag 119879

1are 11989610 11989621 and 119896

32 We denote the secret

keys of 119879119894as (1198961198941 119896119894

2 119896

119894

119889) We define 119896

119894

119909as the 119909th key of 119879

119894

corresponding to the depth 119909 119877 then sets the timestampi of119879119894to the current time

43 Tags Authentication The tags authentication of MAP isdifferent from existing protocols This component has twophases anticollision of multiple tags and authentication ofindividual tags as illustrated in Algorithm 1 On the readerside the corresponding authentication is recursively executedon the key tree as performing a depth-first-search (DFS)This is supported by the remount subcomponent

431 Anticollision The anticollision process starts from theroot of the key tree At each virtual node the reader 119877

conducts one round of communication with the tags in itsdetecting range In the anticollision process prior worksusually require a tag to respond with the whole hash valuecomputed using its key and ID Instead MAP requests thetag to reply with only ONE bit in each round of interactionas illustrated in Figure 3 The requested bit is in the highestposition of those bits that differ Algorithm 1 illustratesthe interactive communication We use 119875

119862to denote the

highest position of the possible collision bits and 119881119862

todenote the value of bit on this position Since the outputs ofcryptographic hash function in MAP are 64 bits long hashvalues the length of 119875

119862can be 6 bits The whole anticollision

is executed in 119878 as followsAt each non leaf depth 119909 minus 1 1 le 119909 le 119889 minus 1 (for the root

119909 = 1) 119877 has two tasks choosing the branch denoted by 1198811015840

119862

for the anticollision process at level 119909 minus 2 which is related toa node 119899 at level 119909 minus 1 and pre-computing 119875

119862using the keys

on 119899rsquos branches at level 119909 The value of 1198811015840

119862is computed using

the branch keys at depth 119909 minus 1To choose a branch related at depth 119909 minus 1 119877 randomly

chooses a collision value 1198811015840

119862based on the tagsrsquo responses

where1198811015840

119862is computed using the branch keys at depth 119909minus1 To

generate 119875119862 119877 creates a timestamp 119903

119910 where 119910 is an integer

counter 119877 uses the keys of 119899rsquos two children nodes to computetwo hash values in the form of ℎ(119896

119894

119909 119903119910) 119877 then compares

these two hash values and records the highest position of thepossible collision bits as 119875

119862 119877 then sends a query with four

parameters 119903119910 1198811015840119862 119875119862 and 119888

119910 where 119888

119910is a counter

Upon receiving the query a tag 119879119894 which responded in

depth 119909 minus 2 checks whether the timestamp is posterior tothe one it holds If yes 119879

119894believes the query is a new request

and checks if 1198811015840

119862matches its last response If yes 119879

119894computes

119881119862related to 119875

119862of level 119909 and chooses the 119881

119862th time slot

to respond with bit ldquo1rdquo Otherwise if not match 119879119894enters

the ldquoholdingrdquo status and stores 119888119910in 119888119901 If more than one

branch replies 119877 also records the pair of (119888119910 119899119910) where 119899

119910

denotes the sibling node related to the 1198811015840

119862at level 119909 minus 1 If 119879

119894rsquos

timestamp is larger than the one in the query it randomlychooses a slot to respond with bit ldquo1rdquo

The anticollision is an important part of authenticationprocess processing multiple tags at the same time Based onthis MAP provides multiple tags style authentication otherthan sequential authentication in which the authenticationprocedure for each tag does not overlap


Anti-collision sub-component At non-leaf depth 119909 minus 1119877 randomly selects a branch sends (119903

119910 119875119862 1198811015840119862 119888119910)

119877 records (119888119910 119909 minus 1) 119888

119910++

Tags which match 1198811015840

119862choose time slot (ℎ (119896

119894

119909 119903119910))119875119862

Tags not match wait and record 119888119910in 119888119901

Go to depth 119909

Authentication sub-component plus updatingif 119909 = 119889 At leaf level

119877 sends a timestamp 1198771to 119879119894

119879119894checks 119877

1and delay 119905max(119905ℎ119903119890119904ℎ119900119897119889 minus 119877

1+ 1)

then replies (1198772 119868) where 119868 = ℎ(1 119896

119894

119889 1198771 1198772)

119877 computes a hash value for 119879119894to check 119868

if match119877 accepts 119879

119894 and sends 119872 = ℎ(2 119896

119894

119889 1198771 1198772)

119877 updates 119896119894

119889to ℎ(3 119896

119894

119889 1198771 1198772) update R

else if not match119877 sends 119872 as a random number if match

119879119894gets 119872 and computes a value to check 119872

if 119872 matches the computed value by 119879119894

119879119894accepts 119877

119879119894updates 119896

119894

119889to ℎ(3 119896

119894

119889 1198771 1198772) update 119879

119894

Remount119877 chooses the max 119888

1199101015840 stored as 119888max in (119888

1199101015840 119901119900119904

1199101015840 )

While exists such 119888max119877 sends to tags (119888max 1199031199101015840 119875119862)119879119895with 119888max chooses slot (ℎ(119896

119895

1199091015840+1

1199031199101015840 ))119875119862

119877 deletes the pair stored related to 119888max119877 continues to tags-authentication atdepth 119909

1015840+ 1 in the sub-tree which roots at 119901119900119904

1199101015840

Algorithm 1 Tags authentication in MAP

ReaderQuery Query

Tagcomputing

Tagreply

Tagcomputing

Slot Slot0 1

T2

T3 HoldLevel x

ry 1 3 ry+1 0 2

middot middot middot


middot middot middotmiddot middot middot



Level x minus 2 Level x minus 1

3rd bit = 1

3rd bit = 0

2nd bit = 1

Figure 3 Anticollision with one bit

432 Authentication When arriving at a leaf node R startsthe authentication subcomponent with 119879

119894 R and 119879

119894authen-

ticate each other via this subcomponent At this point Rhas exploited the path from the root to the leaf node relatedto 119879119894 The subcomponent includes four steps as shown in

Algorithm 1(1) 119877 sends a query to 119879

119894with the timestamp 119877

1

(2) Upon this query 119879119894checks if 119877

1is acceptable and

delay 119905max(threshold minus 1198771

+ 1) where 119905max is a predefinedmaximum delay and threshold is a predefined maximum

counter value The value of 119905max and threshold can be ini-tialized empirically and adjusted in real application Then119879119894replies with a random nonce 119877

2and a hash value 119868 =

ℎ(1 1198771 1198772 119896119894

119889)

(3) 119877 compares 119868 to the hash value computed usingcorresponding key stored in the database If the two hashvalues are identical the reader accepts the tag as a legitimateone Otherwise 119877 treats the tag as illegal For a legal tagthe reader sends 119872 = ℎ(2 119877

1 1198772 119896119894

119889) as an authentication

message and then launches the updating component on the


reader side For an illegal tag the reader only sends a randombit string with the same length of ℎ(sdot)

Note that the key in the leaf node may not match thecorresponding tagrsquos key In this case 119877 has to search throughthe entire database to check if a matching key can be foundIf such a key is found the tag is accepted as legitimate Inthis way even a tag which is desynchronization attacked andthus has a big timestamp can also be authenticated This canprevent attackers from distinguishing tags by whether theycan be accepted

(4) UponM 119879119894computes the hash value based on the key

stored in it If they are matched119879119894takes 119877 as a legitimate one

119879119894then launches the updating on the tag side if119877 is legitimateA collisionmayhappenwhen two tags choose an identical

leaf node At this time there is more than one tag respondingto the readerTheir signals will collide and cannot be correctlydecodedThis can happenwhen a tagrsquos random choicesmatchthe path of the other tag from root to leaf The possibility is2minus119889 where 119889 is the depth of the key tree While the possibilityis negligible we just take these collidedmessages as a randommessage and complete the routine processes of authenticationand updating As each tag has a unique leaf key which will beupdated involving the random nonces during authenticationthe possibility they collide again at the leaf node will still benegligible we will process the colliding tags in the next roundof entire tags-authentication process

433 Remount After authentication and updating of atag the whole tag authentication process is remounted forunprocessed tags according to their ldquoholdingrdquo sequence indescending order 119877 finds out the max counter 119888max in the(1198881199101015840 1199011199001199041199101015840) pairs stored in the reader where 119910

1015840 is an integerIf there exists such a 119888max 119877 computes 119875

119862for the branches

of 1199011199001199041199101015840 and starts the anticollision subcomponent in the

subtree rooted at 1199011199001199041199101015840 To do this the reader sends a

recursive query command 1199031198901198881198761199061198901199031199101199101015840 with 119888max 119875

119862 and

a new timestamp 1199031199101015840 Upon this query each tag checks its

internal counter 119888119901The tags that have amatched 119888max respond

with the corresponding119881119862 If no such a 119888max exists the reader

terminates the current round of MAP and launches a newround The reader iteratively performs the authenticationprocess until all tags are processed or the number of roundsexceeds a predefined threshold threshold In MAP if there aresome tags moving into the detecting region of 119877 in currentround 119877 will treat them as newly coming tags in the nextround

We illustrate the above process by using the example ofauthenticating 119879

1 1198792 and 119879

3in Figure 1 Assume the reader

chooses the left branch each timeThen there is no collision atdepth 0 and the entire authentication procedure goes to thesubtree rooted at the node related to 119896

10at depth 1 The 119881

119862

values related to keys at depth 2 will collide 119877 moves downto the left branch related to 119896

20and 119896

30 119877 puts 119879

2and 119879

1in

a holding state at this point 119877 also records the anticollisionsequence and the node related to 119896

21 As there is no more

collision for1198793119877 completes the authentication of119879

3and goes

back to the holding tags 119877 requests 119881119862related to the keys at

depth 3The responses of 1198792and 119879

1fall in different branches

Then 119877 puts 1198792to holding state and authenticates 119879

1 After

that the reader 119877 authenticates 1198792

44 Updating After a successful mutual authenticationbetween the tag and reader the updating process follows asillustrated in Algorithm 1 MAP only updates the leaf keys formultiple tags environments where a leaf key is the key onthe leaf node There are two reasons First in our protocolthe keys on nonleaf nodes are only used for navigationSecond as analyzed in [22] updating keys for tags withoutchanging the sharing relationship of keys among tags will notincrease the difficulty for adversaries to successfully conductcompromising attacks We also allow a tag to be renewed inthe system maintenance component as an updating methodwhich also updates the tagrsquos location and the correspondingkeys in the virtual tree for better privacy

R updates the keys for a tag after a successful authentica-tion of the tag At the corresponding leaf node a new leaf keyis generated as 119896

119894

119889

1015840

= ℎ(3 1198771 1198772 119896119894

119889) for 119879

119894 119879119894updates its leaf

key only after a successful authentication of 119877 by checkingM

45 System Maintenance Users may want to insert renewor withdraw their tags The system maintenance componentdeals with these requests

If a new tag joins in the systemR initializes it by assigningit to an empty leaf node and generates the necessary keys forit If a tag is withdrawn R simply deletes the information oncorresponding nodes related to the tag from S

We also allow a tag to be renewed for better security andprivacy The permission is controlled by the manager Whena tag is permitted to be renewed it is first withdrawn by thereader Then the reader treats the tag like a new one andinserts it into the system After being renewed the new keysand related path in the key tree have no relation with the oldones

5 Performance Analysis

In this section we analyze the performance of MAP con-sidering both communication and computation costs Wetheoretically analyze the costs and give the correspondingupper bound lower bound andmean valueWe also launch asimulation Then we compare the performance of MAP withtwo combination solutions

51 Theoretical Analysis In MAP multiple tags are authenti-cated concurrently thus we care about the average time costsderived from costs for all tags divided by the number of tagsIn Section 5 when we mention a cost for each tag we aremeaning such an average time cost for each tag

There are cases when the tags to be authenticated coverthe least branchesThenpaths of these tags cover a full subtreeand a single path from the root of this subtree to the rootof system tree 119878 as 119879

1and 119879

2in Figure 4(a) In these cases

arbitrations and hash computations are shared by the mosttags Thus it is possible that both the communication andcompute cost for each tag are the least in these cases


k10

k21

k32 k33

T1 T2

M1

M2

(a) Most sharing

k20

k30

k10

T3

(b) Least sharing

Figure 4 The different sharing scenarios

Contrarily when the tags cover the most branchesrespecting no path being shared as 119879

3itself in Figure 4(b)

then it is possible that both communication and compute costfor each tag are the largest as arbitrations and hash computesare shared by the least tags

For theoretic comprehensibility we consider time cost fortransferring hash values in communication cost For computecost we consider only cost for computing hash values atboth reader end and tag end For the overall cost consideringoverheads we give a simulation result in Section 52

When tags cover the least branches the minimumcommunication and compute cost are computed as followsTheoretically they are the lower bound of MAP in terms oftime cost Indeed both of them are in O(1) complexity

Commmin = 119905auth + 2119905query + 119905reply minus

(119905query + 119905reply)

119873

asymp 119905auth + 2119905query + 119905reply

Compmin = (2 minus1

119873) 119905119905119888119900119898119901

+ (3 minus2

119873119860

) 119905119903119888119900119898119901

asymp 2119905119905119888119900119898119901

+ 3119905119903119888119900119898119901

(1)

where the 119889 is the height of the system tree 119878 119873 is thenumber of tags in the system 119873

119860is the number of tags to

be authenticated and 119873119860

= 119873 in this case 119905query is the timefor a reader 119877 to send out a query 119905reply is the time for eachtag on both branches to reply their related 1 bit 119881

119862values in

the two time slots 119905auth is the time for a tag to send the hashvalue of its leaf node 119905

119905119888119900119898119901is the time for a tag to compute

a hash value and 119905119903119888119900119898119901

is the time for 119877 to compute a hashvalue Note that we suppose sending the request commandsneeds the same time as the 119905query

When each tag covers themost branches there is only onetag to be authenticated Thus we get the maximum costs Wedenote the maximum communication and compute cost as

Commmax and Compmax respectively The theoretical upperbound cost of MAP is given by

Commmax = 119905auth + 119889 times 119905reply + (119889 + 1) 119905query

Compmax = (119889 + 1) 119905119903119888119900119898119901

+ (2119889 + 1) 119905119903119888119900119898119901

(2)

where 119889 is the height of the system tree 119878 We can find thatboth the maximum costs have an 119874(log119873) complexity

When tags cover all branches supposing the coverprobability is unique we get the mean communication andcomputing costs as follows

Commmean = 119905auth + 119905query

+ (119905query + 119905reply) (2 + 119889 minus log2119873119860

minus1

119873119860

)

asymp 119905auth + 119905query + (119905query + 119905reply)

times (2 + 119889 minus log2119873119860

)

Compmean = (2 + 119889 minus log2119873119860

minus1

119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

minus1

119873119860

) 119905119903119888119900119898119901

asymp (2 + 119889 minus log2119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

) 119905119903119888119900119898119901

(3)

Both Commmean and Compmean are strict monotonicfunctions of 119873

119860 When 119873

119860is big enough they approach the

constant value of 119874(1)Considering the minimum authentication cost without

anticollision or updating for a single tag in traditional tree-based protocol it will need to compute transmit and verifyat least log

120575119873 ciphers where 120575 is the branching factor of the

key tree When the tag lies at the first-reach leaf the costis minimum with message length and computation times ofabout log

120575119873 When the tag lies at the last-reach leaf the cost

is maximum with the computation times enlarged to about120575 times log

120575119873 The average computation cost is about (1 + 120575)2 times

log120575119873ThusMAP protocol outperforms the traditional tree-

based protocol theoretically

52 Simulation We compared the average processing timeof MAP to two simple combination solutions Both thetwo solutions use the slot-count (Q) selection algorithm inEPC C1G2 UHF Air Interface Protocol Standard [31] foranticollision The PPA protocols for these two solutions arethe typical tree-based protocol [20] and RWP protocol [22]with O(1) complexity In all protocols both tag side andreader side employ SQUASH (SQUaring haSH) which isproposed by Shamir in [8] to compute hash values SQUASHneeds only several hundred gate equivalents (GEs) and isappropriate for low cost RFID tags We consider the overalltime cost including communication cost and search cost


The communication cost includes the cost for transmittingcommands and data with overheads such as wait time timeout frame sync and preamble Note that compared to otherkinds of wireless communication such as WiFi the messagesexchanged between the reader and tags are very short Thusthe overheads are not negligible All the command formatsdata formats and link timing follow the standard In searchcost we consider compute cost for hash values by both readerand tags We assume the reader can process 223 times 64 bitsSQUASH in a second in average For the tag we assume it canprocess one time SQUASH in 6775 us and 242 us We makethese two assumptions based on the link timing requirementsspecified in the standard

In our simulation the forward data rate is 40Kbps andthe backward data rate is 320KbpsWe suppose that there are220 tags in the system We choose tags randomly and repeatthe whole process 100 times for average results

In Figure 5 we give the result for 1000 tags The simu-lation result shows that MAP gains a better efficiency thantypical tree-based protocol The average time cost of tree-based protocols is about 22 times to 42 times that of MAPThe efficiency of MAP asymptotically approaches the RWPprotocol with O(1) complexity as the size of the tag setapproaches 1000 The simulation result is in accordance withthe theoretical analysis That is because in MAP computingand communication are shared between all tags Moreoverduring anticollision subcomponent tags respond with only 1bit to save communication cost That is why MAP outper-forms typical tree-based protocol when tag size is small

According to the performance result in [26] for 1000 tagsin a system with 105 tags at 40Kbps forward rate achieving1 erroneous decision the SEBA approach [25] needs 41min-utes while the SEBA+ approach [26] needs about 4 minutesUtilizing MAP it takes about 1000 times 10405times 10minus6 s = 1122 swhich is less than SEBA and more than SEBA+ Howeverthe result in [26] considers only the message transmissiontime leaving out the nonnegligible computation time andthe communication overheads such as wait time time outframe sync and preamble Moreover MAP provides accurateauthenticationwith no error probabilityThusMAP is a goodchoice in performance for the authentication ofmultiple tags

6 Security and Privacy Analysis

In this section we analyze the security and privacy charactersof MAP Because our approach is tree based we focus onresistance to compromising attackwhich has themost seriousimpact on conventional tree-based approaches [23] Weprove that MAP is m-strong-ind-private showing that MAPsatisfies strong privacy protection in multiple tags scenarioWe also show the abilities of MAP in terms of confidentialitycloning resistance tracking resistance timing-based attackresistance and forward secrecy

61 Compromising Attack Compromising attack is the mosteffective way for crashing tree-based protocols That isbecause tags organized in tree-based structures share keyswith each other When an adversary 119860 compromises some

0 200 400 600 800 1000

39

4

41

42

43

44

45

46

47

48

Size of tag set to be authenticated

log10

style

)

Tree-basedTree-basedMAP

MAPRWPRWP

242120583s6775120583s

6775120583s

242120583s242120583s6775120583s

Aver

age p

roce

ssin

g tim

e (120583

sFigure 5 Comparison on performance for 1ndash1000 tags

tags and thus obtain their secret keysA can deduce the secretkeys of other tags In conventional tree-based protocols alegitimate reader splits a tag from other possible ones levelby level and finally authenticates it on the leaf using itskeys on related levels An adversary can also distinguishtags and further track them in this way with keys fromthe compromised tags For detailed analysis please refer to[14 21]

Our analysis is based on the works in [10 14 18 2123 34] The notion of strong ind-privacy defined in [23]which is equivalent to the destructive-privacy defined in[34] is very similar to the strong privacy provided byMAP except that MAP focuses on privacy protection formultiple tags The existing privacy models are designedfor one-tag-one-reader authentication scheme and focus ondistinguishability privacy between TWO tags only They arenot fit for the multiple tags scenario in MAP where thereader cannot communicate to a tag before anticollisionsubcomponent

We define a new model for multiple tags environmentsincluding four oracles Request(sdot sdot sdot) Send(sdotsdot) Relay(sdotsdot) andCompromise(sdot) to formulate the attacks to the tag sets andreader Assume we have a tag set 119873

119878 Any attack on 119877 or 119873

119878

can be represented by calling on its oraclesRequest(119873

119878 1198981 1198983) A queries the tag set 119873

119878by a query

message1198981and receives the responsesThen119860 sends another

message 1198983to 119873119878 including the collision arbitration and Rrsquos

authentication dataSend(R 119898

2) A sends a message 119898

2 representing the tag

setrsquos reply and authentication messages to 119877 and receives aresponse

Relay(119873119878 119877) A relays the messages between 119873

119878and R A

can arbitrarily modify the messages from one side to another


Compromise(119873119862) A compromises tags in set 119873

119862and

obtains their secret keys where 119873119862is a tag set 119860 obtains The

compromised tags are broken and cannot be used any furtherThe compromising attack on MAP denoted by

CAMAP119860

[1198960 119873119860

] is performed with the following steps

Step 1 The adversary 119860 compromises 1198960tags and obtains

their secret keys

Step 2 A chooses a target tag 119879 that has not been compro-mised A can query 119879 or act as a man-in-the-middle between119879 and the reader 119877 polynomial times Note that 119860 cannotcompromise119879 According to the secret keys119860 gains in Step 1A can compute outputs of these keys and compare to themTrsquosoutputs In this way 119860 can determine which of Trsquos keys equalto Arsquos known keys

Step 3 The system gives a tag set 119873119878with 119873

119874tags including

119879 Then 119873119878is divided into two subsets 119873

1198781and 119873

1198782 For the

simplicity we assume each subset contains 119873119860tags Or else

we can define the smaller set contains119873119860tags which will not

affect the result of analysis but complex the analysis processA randomly picks a subset 119873

119878119887 where b = 0 or b = 1 and

determines if 119879 is in this subset A can pick both subsets If119873119878119887

contains T A can proceed tracking 119879 by tracking 119873119878119887

otherwise 119873119878(1minus119887)

A can send queries to the tag set or act asa man-in-the-middle between the tag set and the reader 119877

polynomial times but cannot compromise those tagsWe denote

119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] (4)

as the possibility 119860 definitely knows whether tag set 119873119878119887

includes T A succeeds if 119860 definitely knows which tag setincludes 119879 Then the possibility that 119860 succeeds is

119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] = 1 minus (1 minus 1198750)2

(5)

where 1198750is the possibility that 119860 succeeds in either subset in

a system employing MAP

Definition 1 Theadvantage of adversary119860 in the compromis-ing attack is defined as

advMAP119860

(1198960 119873119860

) =

1003816100381610038161003816100381610038161003816(119875MAP +

1

2(1 minus 119875MAP)) minus

1

2

1003816100381610038161003816100381610038161003816=

119875MAP2

(6)

where the probability is the advantage of 119860 correctly guessagainst randomly guess which subset 119879 is in

Definition 2 (M-strong(120576 1198960 119873119860

)-ind-privacy) An RFIDprotocol PRO is m-strong( 120576 119896

0 119873119860)-ind-private if when 119873

119860

approaches N the advantage advPRO119860

(1198960 119873119860

) is at most 120576 inpolynomial time Where 119873

119860lt 119873 120576 is an infinitesimal when

119873 approaches infinity

M-weak(120576 1198960 119873119860)-ind-privacy is defined the same as m-

strong (120576 1198960 119873119860

)-ind-privacy except that 1198960= 0

Destructive Final NoCorrupt corrput Corrupt corrupt

Wide

Narrow

m-strong m-forward m-weak

m-narrow m-narrowm-narrowm-narrowstrong destructive

m-destructive

forward weak

Figure 6 The privacy levels

The above two privacy notions can be simply denotedas m-strong-ind-privacy (MSIP) and m-weak-ind-privacy(MWIP) where the letter ldquo119898rdquo is the abbreviation of mul-tiple tags When 119873

119860= 1 the MSIP (MWIP) equals the

strong-privacy (weak-privacy) in Juelsrsquos model [23] and thedestructive-privacy (weak-privacy) in Vaudenayrsquos model [34]At this time the case of a tag lying in a set is identical tothe case of the target tag being a particular tag in traditionalprivacy model with two tags Thus our multiple tags privacymodel is a generalized version of existing privacy models[23 34] On the contrary the existing privacy models arespecial cases of multiple tags privacy where each tag set hasonly one tagThen we can define 8 different levels of privacyby generalizing Vaudenayrsquos model for multiple tags scenariosas illustrated in Figure 6

The above model is dedicated for classifying the privacyprotection in multiple tags scenarios Intuitively it is easierfor a tag to hide in a set than to behavior indistinguishably toanother tag Thus the above model is a model weaker thanthe privacy models for one-reader-one-tag scenarios

However if the authentication protocol does not take thisadvantage then the protocol cannot provide better privacyin scenarios with multiple tags than in one-reader-one-tag scenarios no matter how many tags are there to beauthenticated For example in the OSK [12] protocol onedesynchronized tag cannot be accepted by a legitimate readerThus a desynchronized tag can still be distinguished in a tagset saying nothing of hiding in the set As a result the OSKmethod cannot providem-strong-ind-privacy orm-weak-ind-privacy

In the tree for MAP when 119860 is not aware of all keys inboth branches A does not know the 119875

119862and has to randomly

guess one for navigation and conduct the searching processWhen the guess fails A sends out a position that has nocollisions Then 119860 cannot split the tags Only when 119860 knowsall the keys in the branches related to T A can send outthe correct 119875

119862and proceed on tracking That is the main

reason whyMAP performs better than traditional tree-basedprotocols in defending against compromising attacks In facttheMAP protocol ism-strong-ind-private as will be proven inthe bellowing

Theorem 3 TheMAP protocol is MSIP private

Proof We perform the compromising attack with MAPprotocol as follows

We denote tags in 119873119878119887

by 1198791015840 We denote keys in 119879

and 1198791015840 with (119896119890119910

0 1198961198901199101 119896119890119910

119889) and (119896119890119910

1015840

0 1198961198901199101015840

1 119896119890119910

1015840

119889)


respectively where 119889 is the depth of the tree Considering atlevel 119909 where 119896119890119910

119909is in a subtree we use 119870

119909to denote the

set of known keys by 119860 in this subtree and 119896119909to denote

the number of keys in 119870119909 And 119896

0is the number of tags

compromised There are three cases to be considered at levelxCase 1 A does not succeed in previous 119909 minus 1 levels and thereis exactly one key 119896119890119910

1015840

119909equal to 119896119890119910

119909 A definitely knows 119873

119878119887

includes 119879 The possibility is

119875119903(1198621

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575times

1

120575119909times (1 minus

1

120575119909)

119873119860minus1

(7)

Case 2119860 does not succeed in previous 119909minus1 levels and therersquosno key 119896119890119910

1015840

119909equals to 119896119890119910

119909 A definitely knows that 119873

119878119887does

not include 119879 The possibility is

119875119903(1198622

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575times (1 minus

1

120575119909)

119873119860

(8)

Case 3 119860 does not succeed in previous 119909 minus 1 levels and morethan one key 119896119890119910

1015840

119909equals 119896119890119910

119909 In this case 119860 fails at level 119909

and should move to level 119909 + 1 The possibility is

119875119903(1198623

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575minus 119875119903(1198621

119909) minus 119875119903(1198622

119909)

(9)

Theoverall probability of119860 definitely knowswhether119873119878119887

includes 119879 is

1198750

= 119875119903(1198621

1or 1198622

1) +

119889

sum

119909=2

(119875119903(1198621

119909or 1198622

119909) times

119909minus1

prod

119910=1

119875119903(1198623

119910))

= (1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

times

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910

120575(1 minus (1 minus

1

120575119910)

119873119860minus1

)))

(10)

where

119875 (119896119890119910119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895) (120575 minus 119895)

(120575119909 minus 119895)2

1198961

= 120575 (1 minus (1 minus1

120575)

1198960

)

119896119909

= 120575 (1 minus (1 minus1

120575)

119892(119896119909)

) (2 le 119909 le 119889)

119892 (119896119909) = 1198960

119909minus1

prod

119910=1

1

119896119910

(11)

The possibility 119860 succeeds in either subset is 1198750which is

a monotonically decreasing function of 119873119860 so is 119875MAP The

advantage of 119860 is 119875MAP which decreases exponentially to 0 as119873119860increases to be big enoughConsidering that 119896

119909le 120575 and 120575 ge 2 we have the following

derivations

(1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

le (1

2)

119873119860minus1

1198961

120575

1198961

120575

1198961

minus 1

120575 minus 1

le (1

2)

119873119860minus1

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

))

lt

119909minus1

prod

119910=1

(119875 (119896119890119910119910) times 1 times 1)

=

119909minus1

prod

119910=1

119875 (119896119890119910119910)

(12)

Then we have the following deduction

1198750

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

119909minus1

prod

119910=1

119875 (119896119890119910119910))

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

(1 minus1

120575119909)

119873119860minus1

lt (1

2)

119873119860minus1

+ 119889(1 minus1

1205752)

119873119860minus1

(13)

The right part of the inequality is a monotonicallydecreasing function of 119873

119860 For example it can be deduced

that 1198750

lt (12)119873119860minus1

+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875

0is an

infinitesimal as 119873119860approaches 119873 so is 119875MAP According to

Definition 2 MAP ism-strong-ind-private


0 50 100 150 2000

02

04

06

08

1

Succ

essfu

l pro

b o

f atta

ck


MAPTree-based

Figure 7 Comparisons on defending against compromising attack

Assume a RFID system of 220 tags with 120575 = 2 and 119889 =

20 Figure 7 demonstrates possibilities119860 successfully tracks atag by compromising 200 tags employingMAP or tree-basedprotocol such as [20]

We can find that for both protocols the possibilities that119860

succeeds reduceswhen119873119860increases ForMAP the possibility

reduce rapidly while for traditional balance tree-based PPAit reduces slowly For MAP protocol when 119873

119860gt 8 119875MAP lt

005 saying 119860 can definitely distinguish and know which tagset includes 119879 with low possibility even the set size is smallThis is an acceptable result as environmentswith at least 8 tagsare common Moreover the successful tracking probabilityasymptotically approaches to 0 as the size of the tag set to beauthenticated arises For tree-based protocol 119860 always has asuccessful possibility larger than 08 with tag set size smallerthan 200

62 Confidentiality In MAP all information from a tag issent as the value of a cryptographic hash function or a partof such a hash value According to the preimage resistanceproperty of cryptographic hash functions the adversarycannot know the origin information

63 Cloning Resistance In cloning attack an adversaryrecords responses from a tag and replay them to foollegitimate readers In MAP the 119881

119862values are only used for

navigation and each tag uses its unique leaf key for the finalauthentication The tag generates the hash values of the leafkey with a timestamp from 119877 and a nonce from the tag asinputs Both the timestamp and the nonce are the sessiontokens of the conversation Therefore authentication mes-sages from a given tag will change in different conversationsdue to the different session tokens The navigation bits canbe replayed however they cannot help to fool 119877 because theadversary does not know the authentication message at theleaf node The replayed messages cannot be acceptable bylegitimate readers according to the protocol

64 Tracking Resistance In Section 61 we focus on tagsrsquo pathkeys and present that MAP can resist compromising attack

in scenarios with multiple tags For any leaf key it uniquelybelongs to an individual tag The adversary 119860 never knowsa tagrsquos leaf key unless compromising it When performingauthentication subcomponent a tag computes a hash valuewith its leaf key and the session tokens This authenticationmessage varies each time and 119860 cannot link the messages toa tag without knowing its leaf key

MAP resists against compromising attack inmultiple tagsscenarios However when a batch only has a few tags 119875MAPis not negligible According to the results shown in Figure 7when the number of tags is larger than 8 the probabilityof multiple tags exposing to attackers will not exceed 005which is acceptable for most RFID applications Thereforewe recommend to select MAP when the number of tags islarger than 8 otherwise choosing time consuming per-tagauthentication to prevent the tracking attack

An adversary 119860 may launch the Denial of Service (DoS)attack between a legitimate reader and tags In this attack 119860

firstly exhausts the timestamp in a tag Then 119860 can relay thetagrsquos response to a legitimate reader to see if the tag is acceptedand further track the tag by observing the result This attackis not feasible to MAP because desynchronized tags can alsobe accepted employing MAP as presented in Section 432Besides we recommend the system to thwart the responsespeed of the tags which are under attackThen a counter withan acceptable bit length is enough to avoid the timestamps ofthe tags run over a predefined threshold

65 Timing-Based Attack Resistance An adversary may timethe processing cost of a tag to identify the status of this tagand further distinguish it from other tags [35] This kindof attack is a new general attack which can even break theprivacy of proven private RFID authentication protocolsMAP can defend against such attack The reason is that theauthentication process for each tag in MAP corresponds tothe same procedure From root to leaf each branch selectioncorresponds to no sequential computation of tags Insteadthe tags do concurrent computation at each level In this waythe observable behavior of each tag is hard to distinguishThe problem in traversing the traditional binary tree whichcauses different searching cost does not happen in MAP Onthe other hand the thwart method used in MAP does notraise rapid increase in the response Thus the thwarted tagrsquosbehavior is hard to distinguish especially when the tag set islarge and the predefined threshold is big enough

66 Forward Secrecy An adversary 119860 can record the mes-sages sent by 119877 or tags And 119860 can compromise tags toobtain their current keys Forward secrecy requires that theinformation in previous messages will never be revealedIn MAP the leaf keys are updated after each successfulauthentication The forward secrecy is thereby guaranteedFor the nonleaf keys they are not used for data transfer butonly for navigation In addition they will be updated when atag is renewed Thus MAP does not update the nonleaf keysat each authentication and such a process does not damagethe forward secrecy


7 Possible Variants and Improvements

The storage requirement of MAP for a system larger than216 tags may be larger than 1 k bits This cost is practical fornowadays RFID tags For ultra-low storage path keys can becomputed employing SQUASH with the unique leaf key andidentifier of the tag as inputsThis would decrease the storagerequirement to 119874(1) but double the average computationtime It can be easily deduced that the performance ofMAP isstill better than the tree-based protocol in large-scale systems

MAP focuses on the interaction between tags and readeras well as reader-server side search accelerating On theother hand the SEBA [25 26] like protocols focuses onthe reader-to-server communication as well as the serverside probabilistic verification Thus a possible future workis to combine and gain profit from both of the two styles ofmultiple tags protocols

8 Conclusions and Future Work

In this work we propose a Multiple tags privacy-preservingAuthentication Protocol MAP to authenticate multipletags concurrently By enabling anticollision functionality inauthentication processMAP eliminates the redundant effortswasted in anticollision processes and authenticating tagsTags in MAP respond concurrently with 1 bit to conductthe authentication for better privacy MAP is m-strong-ind-private which is a variant of ind-privacy we define formultiple tags scenarios MAP can effectively mitigate theimpact of compromising attack in multiple tags scenarios toan acceptable extent EmployingMAP the successful trackingprobability of adversaries for tag set larger than 8 is below005 and will deduce rapidly to 0 as the size of the tag setenlarges The efficiency of MAP is better than 119874(log119873) andasymptotically approaches 119874(1) as the number of tags in thetag set to be authenticated increases as proven in theoreticalanalysis and shown in the simulationThe proposed protocolin our work MAP is dedicated for authenticating multipletags One prospective directionmay be building protocols forboth single tag and multiple tags to provide high efficiencyand strong privacy at the same time

Acknowledgments

The authors would like to thank Ling Zhu and XingjingWang for the efforts paid in coding for the simulationsThis work is supported by Program for Changjiang Scholarsand Innovative Research Team in University (IRT1078)the Key Program of NSFC-Guangdong Union Foundation(U1135002) National Natural Science Foundation of China(61303221 and 61373175) the Fundamental Research Fundsfor the Central Universities (K5051303021) and the ScientificResearch Startup Foundation for Young Teachers of DonghuaUniversity (13D211205) Part of this work has been presentedat IEEE International Conference on Mobile Ad-hoc andSensor Systems (IEEE MASS) October 17ndash22 2011 ValenciaSpain

References

[1] G Roussos and V Kostakos ldquoRFID in pervasive computingstate-of-the-art and outlookrdquo Pervasive and Mobile Computingvol 5 no 1 pp 110ndash131 2009

[2] Y Liu L Chen J Pei Q Chen and Y Zhao ldquoMiningfrequent trajectory patterns for activity monitoring using radiofrequency tag arraysrdquo in Proceedings of the 5th Annual IEEEInternational Conference on Pervasive Computing and Com-munications (PerCom rsquo07) pp 37ndash46 White Plains NY USAMarch 2007

[3] C Qian H Ngan and Y Liu ldquoCardinality estimation forlarge-scale RFID systemsrdquo in Proceedings of the 6th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo08) pp 30ndash39 Hong Kong ChinaMarch 2008

[4] G Avoine ldquoBibliography on security and privacy in RFID sys-temsrdquo 2013 httpwwwavoinenetrfiddownloadbibbiblio-graphy-rfidpdf

[5] A Juels ldquoRFID security and privacy a research surveyrdquo IEEEJournal on Selected Areas in Communications vol 24 no 2 pp381ndash394 2006

[6] G Tsudik ldquoA family of dunces trivial RFID identification andauthentication protocolsrdquo in Privacy Enhancing TechnologiesLecture Notes in Computer Science pp 45ndash61 Springer BerlinGermany 2007

[7] X Xu X Y Li X Mao S Tang and S Wang ldquoA delay-efficient algorithm for data aggregation in multihop wirelesssensor networksrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 1 pp 163ndash175 2011

[8] A Shamir ldquoSQUASHmdasha new MAC with provable securityproperties for highly constrained devices such as RFID tagsrdquo inFast Software Encryption Lecture Notes in Computer Sciencepp 144ndash157 Springer Berlin Germany 2008

[9] T Halevi N Saxena and S Halevi ldquoUsing HB family ofprotocols for privacy-preserving authentication of RFID tags ina populationrdquo in Proceedings of the Workshop on RFID Security(RFIDSec rsquo09) 2009

[10] M Burmester B de Medeiros and R Motta ldquoRobust anony-mous RFID authentication with constant key-lookuprdquo in Pro-ceedings of the ACM Symposium on Information Computer andCommunications Security (ASIACCS rsquo08) pp 283ndash291 TokyoJapan March 2008

[11] S A Weis S E Sarma R L Rivest and DW Engels ldquoSecurityand privacy aspects of low-cost radio frequency identificationsystemsrdquo in Security in Pervasive Computing Lecture Notes inComputer Science pp 201ndash212 2003

[12] M Ohkubo K Suzuki and S Kinoshita ldquoEfficient hash-chainbased RFID privacy protection schemerdquo in Proceedings of theACM Ubicomp Workshops 2004

[13] D Henrici and P Muller ldquoProviding security and privacy inRFID systems using triggered hash chainsrdquo in Proceedings ofthe 6th Annual IEEE International Conference on PervasiveComputing andCommunications (PerCom rsquo08) pp 50ndash59HongKong China March 2008

[14] G Avoine E Dysli and P Oechslin ldquoReducing time complexityin RFID systemsrdquo in Selected Areas in Cryptography LectureNotes in Computer Science pp 291ndash306 Springer BerlinGermany 2005

[15] D Henrici and PMuller ldquoHash-based enhancement of locationprivacy for radio-frequency identification devices using varyingidentifiersrdquo inProceedings of the 2nd IEEEAnnual Conference on


Pervasive Computing and CommunicationsWorkshops (PerComrsquo04) pp 149ndash153 March 2004

[16] A Juels ldquoMinimalist cryptography for low-cost RFID tags(extended abstract)rdquo in Proceedings of the 4th InternationalConference on Security in Communication Networks (SCN rsquo04)pp 149ndash164 Amalfi Italy September 2004

[17] S Yu K Ren and W Lou ldquoA privacy-preserving lightweightauthentication protocol for low-cost RFID tagsrdquo in Proceedingsof the Military Communications Conference (MILCOM rsquo07) pp1ndash7 Orlando Fla USA October 2007

[18] C Ma Y Li R H Deng and T Li ldquoRFID privacy rela-tion between two notions minimal condition and efficientconstructionrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCSrsquo09) pp 54ndash65New York NY USA November 2009

[19] D Molnar A Soppera and D Wagner ldquoA scalable delegatablepseudonym protocol enabling ownership transfer of RFID tagsselected areas in cryptographyrdquo in Selected Areas in Cryptogra-phy Lecture Notes in Computer Science pp 276ndash290 SpringerBerlin Germany 2005

[20] T Dimitriou ldquoA secure and efficient RFID protocol that couldmake big brother (partially) obsoleterdquo in Proceedings of the 4thAnnual IEEE International Conference on Pervasive Computingand Communications (PerCom rsquo06) pp 269ndash274 Pisa ItalyMarch 2006

[21] L Lu J Han L Hu Y Liu and L M Ni ldquoDynamic key-updating privacy-preserving authentication for RFID systemsrdquoin Proceedings of the 5th Annual IEEE International Conferenceon Pervasive Computing and Communications (PerCom rsquo07) pp13ndash22 White Plains NY USA March 2007

[22] Q Yao Y Qi J Han J Zhao X Li and Y Liu ldquoRandomizingRFID private authenticationrdquo in Proceedings of the 7th AnnualIEEE International Conference on Pervasive Computing andCommunications (PerCom rsquo09) Galveston Tex USA March2009

[23] A Juels and S A Weis ldquoDefining strong privacy for RFIDrdquoACM Transactions on Information and System Security vol 13no 1 pp 1ndash23 2009

[24] L Lu Y Liu and X-Y Li ldquoRefresh weak privacy model forRFID systemsrdquo in Proceedings of the IEEE INFOCOM pp 1ndash9San Diego Calif USA March 2010

[25] L Yang J Han Y Qi and Y Liu ldquoIdentification-free batchauthentication for RFID tagsrdquo in Proceedings of the 18th IEEEInternational Conference on Network Protocols (ICNPrsquo10) pp154ndash163 Kyoto Japan October 2010

[26] G Bianchi ldquoRevisiting an RFID identification-free batchauthentication approachrdquo IEEECommunications Letters vol 15no 6 pp 632ndash634 2011

[27] Y Zheng and M Li ldquoFast tag searching protocol for large-scaleRFID systemsrdquo in Proceedings of the 19th IEEE InternationalConference on Network Protocols (ICNP rsquo11) pp 363ndash372Vancouver Canada October 2011

[28] B Sheng andCC Tan ldquoGroup authentication in heterogeneousRFID networksrdquo in Proceedings of the IEEE Conference onTechnologies for Homeland Security (HST rsquo12) pp 167ndash172Waltham Mass USA November 2012

[29] J Myung and W Lee ldquoAdaptive splitting protocols for RFIDtag collision arbitrationrdquo in Proceedings of the 7th ACM Interna-tional Symposium onMobile AdHoc Networking and Computing(MOBIHOC rsquo06) pp 202ndash213 Florence Italy May 2006

[30] ldquoInformation technology automatic identification and datacapture techniquesmdashradio frequency identification for item

management air interfacemdashpart 6 parameters for air interfacecommunications at 860ndash960 MHZrdquo ISOIEC FDIS 18000-62003

[31] EPCglobal ldquoEPC radio-frequency identity protocols class-1generation-2 UHF RFID protocol for communications at 860MHzndash960MHz version 1 2 0rdquo May 2008

[32] Z Zhou H Gupta S R Das and X Zhu ldquoSlotted scheduled tagaccess in multi-reader RFID systemsrdquo in Proceesings of the 15thIEEE International Conference on Network Protocols (ICNP rsquo07)pp 61ndash70 Beijing China October 2007

[33] Auto-ID ldquoDraft protocol specification for a 900MHz class0 radio frequency identification tagrdquo 2003 httpwwwepcglobalincorg

[34] S Vaudenay ldquoOn privacy models for RFIDrdquo in Advances inCryptologymdashASIACRYPT 2007 Lecture Notes in ComputerScience pp 68ndash87 Springer Berlin Germany 2007

[35] Q Yao J Han Y Qi L Yang and Y Liu ldquoPrivacy leakage inaccess mode revisiting private RFIDAuthentication protocolsrdquoin Proceedings of the 40th International Conference on ParallelProcessing (ICPP rsquo11) pp 713ndash721 Taipei City Taiwan Septem-ber 2011

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of



RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



in the system As a result existing PPA protocols althoughachieving119874(log119873) or even119874(1) complexity have the penaltyof privacy degrading

The above dilemma motivates us to change the per-spective of enhancing privacy and improving efficiency forPPA protocols Before presenting our protocol we report thefollowing important observations

(a) Essentially batch-type authentication pattern is moresuitable for current RFID applications Many RFIDapplications have urgent requirements for batch pro-cessing For example in port logistics applicationsitems are usually arranged in containersThe customsauthorities need to check or even real-timely monitorthe cargos to avoid hiding of dangerous goods Itwould be impractical and time consuming to openthe containers and authenticate the goods one by oneWhat is more the tags on goods may have sensitivebusiness information unwilling to be leaked Theseneeds also arise when express companies delivervaluable goods where privacy leakage may causereputation defamation of the customers If batch-type PPA protocols are available the urgent needs ofefficient and private authentication can be satisfied

(b) When facing multiple tags an RFID reader needs ananticollision process for communicating and dealingwith each individual tag Although being efficientexisting anticollision approaches cannot meet therequirement of privacy protection Thus the anti-collision process should be performed anonymouslyThe result of the anonymized anticollision processhowever is helpless to the authentication processSimply combining these two processes is inefficientfor real RFID systems In addition a large number ofoperations are redundant for processing multiple tagsif employing PPA protocols with the per-tag patternwhich also incurs a time waste as will be shown inSection 31

(c) To resist the tracking attack it is an intuitive way toemploy multiple tags for confusing the attackers aswill be shown in Section 61 But we cannot fully uti-lize this feature if adopting the per-tag authenticationpattern If we can allow multiple tags to collabora-tively protect themselves in PPA authentication theirprivacy can be enhanced

With the above observations we introduce the conceptof tag collaboration to RFID systems A group of tags cancooperate to obtain better privacy protection Furthermorethe collaboration can improve the efficiency of RFID authen-tication We thereby propose a protocol to allow a batch oftags to collaboratively authenticate themselves to the readerThe protocol also meets the urgent need from real RFIDapplications Our protocol termed as Multiple tags privacy-preserving Authentication Protocol (MAP) has three majormerits

(1) MAP allows multiple tags to perform collaborativeauthentication Particularly we leverage the collision

which is commonly considered as a negative impacton RFID authentication to perform collaborationThe collaboration accelerates the authentication pro-cess and hides each individual tag in the group

(2) MAP can effectively defend against compromisingattack in which an adversary tries to distinguishuncompromised tags based on the secret informationobtained from compromised tags and provide strongprivacy for multiple tags We define a notion of m-strong-ind-privacy as a refinement of ind-privacy toevaluate the privacy strength of multiple tagsrsquo authen-tication We prove that MAP can provide m-strong-ind-privacy With this feature the possibility thatadversaries successfully break the indistinguishableprivacy of tags is mitigated to be negligibleThereforeour scheme provides strong privacy protection forpractical RFID applications

(3) MAP also provides security and privacy protection interms of confidentiality cloning resistance trackingresistance timing-based attack resistance and for-ward secrecy

(4) Wepresent the theoretical upper bound lower boundand mean time cost of MAPrsquos authentication effi-ciency The results show that the authentication effi-ciency of MAP is better than 119874(log119873) which is theupper bound of most PPA approaches In particularthe efficiency asymptotically approaches to 119874(1) asthe size of the tag set enlarges

The rest of this paper is organized as follows We discussthe related works in Section 2 In Section 3 we present ourobservations andmotivations in authenticatingmultiple tagsWe present the details in the design of MAP in Section 4 InSection 5 we discuss the performance of MAP In Section 6we present the security and privacy analysis In Section 7 weprovide some possible variants and improvements At last weconclude the work

2 Related Works

21 Existing PPA Protocols and Their Limitations RecentlyPrivacy-Preserving Authentication (PPA) protocols [4ndash6] areproposed to protect private information for RFID usersThose approaches aim to provide authentication for tagswithout leaking their private information for example theIDs stored in tags

Early PPA protocols organize tags (or keys of the tags)in a linear structure [11 12] The linear structure results in119874(119873) search efficiency where 119873 is the number of tags in thesystem In large-scale systems that usually have millions oftags however 119874(119873) is insufficient to meet the need of fastprocessing In [13] the authors employ a time-space tradeoffto provide 119874(119873

23) search efficiency [14] but their work is

still inefficient for large-scale systems Later a number ofsynchronization protocols are proposed to utilize precom-puted records to accelerate the search procedure In [15ndash17] the reader synchronizes with tags for fast authenticationAlthough the synchronization approaches can provide 119874(1)













k10

k20

k30

k21

k32 k33

k23

k11

T1 T2T3 T4

M1

M2


Request NR

) Fk1198942(r) Fk119894

119889(rGenerate NT

RTi

NT k1198941(r )⟩⟨F

set r = NT ||NR



keys are (11989610 11989621 11989632) 119873119877and 119873



11989610

(119903) 11986511989621

(119903) and 11986511989632

(119903)




119894

119895is119865119896119894

119895


1rarr

1198722




1and 119879



1and

check (11989610 11989621 11989633) for 119879


10and 119896

21






2and 119879

3 If simultaneously



2and 119879

3at level 1 in


2and 119879

3 At level 119909 minus 1 119877


119909 119903119910) = 10110 and ℎ(119896

3

119909 119903119910) =

10000 where ℎ(119896119895

119909 119903119910) is computed with 119879







3

= 1 (10000)3= 0 and (V)


3responds










4 MAP Design








119894 1 le 119894 le 119873






119894




1are 11989610 11989621 and 119896


keys of 119879119894as (1198961198941 119896119894

2 119896

119894

119889) We define 119896

119894

119909as the 119909th key of 119879

119894





119862to denote the






119862








where1198811015840





119894

119909 119903119910) 119877 then compares



parameters 119903119910 1198811015840119862 119875119862 and 119888

119910 where 119888

119910is a counter






119894computes

119881119862related to 119875


119862th time slot




119910


119862at level 119909 minus 1 If 119879

119894rsquos





119910 119875119862 1198811015840119862 119888119910)

119877 records (119888119910 119909 minus 1) 119888

119910++



119894

119909 119903119910))119875119862


Go to depth 119909



119879119894checks 119877


1+ 1)


119894

119889 1198771 1198772)



119894 and sends 119872 = ℎ(2 119896

119894

119889 1198771 1198772)

119877 updates 119896119894

119889to ℎ(3 119896

119894

119889 1198771 1198772) update R




119879119894accepts 119877

119879119894updates 119896

119894

119889to ℎ(3 119896

119894

119889 1198771 1198772) update 119879

119894


1199101015840 stored as 119888max in (119888

1199101015840 119901119900119904

1199101015840 )


119895

1199091015840+1

1199031199101015840 ))119875119862



1199101015840


ReaderQuery Query

Tagcomputing

Tagreply

Tagcomputing

Slot Slot0 1

T2

T3 HoldLevel x

ry 1 3 ry+1 0 2







3rd bit = 1

3rd bit = 0

2nd bit = 1



119894 R and 119879

119894authen-




1


1is acceptable and





ℎ(1 1198771 1198772 119896119894

119889)


1 1198772 119896119894
















119862 and






1 1198792 and 119879




119862


20and 119896

30 119877 puts 119879

2and 119879

1in




3and goes





1 After




119894

119889

1015840

= ℎ(3 1198771 1198772 119896119894

119889) for 119879










1and 119879




k10

k21

k32 k33

T1 T2

M1

M2

(a) Most sharing

k20

k30

k10

T3

(b) Least sharing








(119905query + 119905reply)

119873


Compmin = (2 minus1

119873) 119905119905119888119900119898119901

+ (3 minus2

119873119860

) 119905119903119888119900119898119901

asymp 2119905119905119888119900119898119901

+ 3119905119903119888119900119898119901

(1)





119862values in



a hash value and 119905119903119888119900119898119901





Compmax = (119889 + 1) 119905119903119888119900119898119901

+ (2119889 + 1) 119905119903119888119900119898119901

(2)





minus1

119873119860

)


times (2 + 119889 minus log2119873119860

)


minus1

119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

minus1

119873119860

) 119905119903119888119900119898119901

asymp (2 + 119889 minus log2119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

) 119905119903119888119900119898119901

(3)


119860 When 119873




















0 200 400 600 800 1000

39

4

41

42

43

44

45

46

47

48


log10

style

)


MAPRWPRWP

242120583s6775120583s

6775120583s

242120583s242120583s6775120583s

Aver

age p

roce

ssin

g tim

e (120583





119878 Any attack on 119877 or 119873

119878



119878by a query








119878and R A




119862and



CAMAP119860

[1198960 119873119860



their secret keys





1198781and 119873

1198782 For the




119878119887 where b = 0 or b = 1 and



otherwise 119873119878(1minus119887)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] (4)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] = 1 minus (1 minus 1198750)2

(5)




advMAP119860

(1198960 119873119860

) =

1003816100381610038161003816100381610038161003816(119875MAP +

1


1

2

1003816100381610038161003816100381610038161003816=

119875MAP2

(6)





119860


(1198960 119873119860





strong (120576 1198960 119873119860



Wide

Narrow



m-destructive

forward weak














We denote tags in 119873119878119887


and 1198791015840 with (119896119890119910

0 1198961198901199101 119896119890119910

119889) and (119896119890119910

1015840

0 1198961198901199101015840

1 119896119890119910

1015840

119889)




119909to denote the





1015840

119909equal to 119896119890119910


119878119887


119875119903(1198621

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575times

1

120575119909times (1 minus

1

120575119909)

119873119860minus1

(7)


1015840

119909equals to 119896119890119910


119878119887does


119875119903(1198622

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909


1

120575119909)

119873119860

(8)


1015840

119909equals 119896119890119910



119875119903(1198623

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575minus 119875119903(1198621

119909) minus 119875119903(1198622

119909)

(9)


includes 119879 is

1198750

= 119875119903(1198621

1or 1198622

1) +

119889

sum

119909=2

(119875119903(1198621

119909or 1198622

119909) times

119909minus1

prod

119910=1

119875119903(1198623

119910))

= (1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

times

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

)))

(10)

where

119875 (119896119890119910119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895) (120575 minus 119895)

(120575119909 minus 119895)2

1198961

= 120575 (1 minus (1 minus1

120575)

1198960

)

119896119909

= 120575 (1 minus (1 minus1

120575)

119892(119896119909)

) (2 le 119909 le 119889)

119892 (119896119909) = 1198960

119909minus1

prod

119910=1

1

119896119910

(11)





derivations

(1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

le (1

2)

119873119860minus1

1198961

120575

1198961

120575

1198961

minus 1

120575 minus 1

le (1

2)

119873119860minus1

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

))

lt

119909minus1

prod

119910=1

(119875 (119896119890119910119910) times 1 times 1)

=

119909minus1

prod

119910=1

119875 (119896119890119910119910)

(12)


1198750

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

119909minus1

prod

119910=1

119875 (119896119890119910119910))

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

(1 minus1

120575119909)

119873119860minus1

lt (1

2)

119873119860minus1

+ 119889(1 minus1

1205752)

119873119860minus1

(13)



that 1198750

lt (12)119873119860minus1

+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875

0is an




0 50 100 150 2000

02

04

06

08

1

Succ

essfu

l pro

b o

f atta

ck


MAPTree-based







119860gt 8 119875MAP lt



















Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation





















k10

k20

k30

k21

k32 k33

k23

k11

T1 T2T3 T4

M1

M2


Request NR

) Fk1198942(r) Fk119894

119889(rGenerate NT

RTi

NT k1198941(r )⟩⟨F

set r = NT ||NR



keys are (11989610 11989621 11989632) 119873119877and 119873



11989610

(119903) 11986511989621

(119903) and 11986511989632

(119903)




119894

119895is119865119896119894

119895


1rarr

1198722




1and 119879



1and

check (11989610 11989621 11989633) for 119879


10and 119896

21






2and 119879

3 If simultaneously



2and 119879

3at level 1 in


2and 119879

3 At level 119909 minus 1 119877


119909 119903119910) = 10110 and ℎ(119896

3

119909 119903119910) =

10000 where ℎ(119896119895

119909 119903119910) is computed with 119879







3

= 1 (10000)3= 0 and (V)


3responds










4 MAP Design








119894 1 le 119894 le 119873






119894




1are 11989610 11989621 and 119896


keys of 119879119894as (1198961198941 119896119894

2 119896

119894

119889) We define 119896

119894

119909as the 119909th key of 119879

119894





119862to denote the






119862








where1198811015840





119894

119909 119903119910) 119877 then compares



parameters 119903119910 1198811015840119862 119875119862 and 119888

119910 where 119888

119910is a counter






119894computes

119881119862related to 119875


119862th time slot




119910


119862at level 119909 minus 1 If 119879

119894rsquos





119910 119875119862 1198811015840119862 119888119910)

119877 records (119888119910 119909 minus 1) 119888

119910++



119894

119909 119903119910))119875119862


Go to depth 119909



119879119894checks 119877


1+ 1)


119894

119889 1198771 1198772)



119894 and sends 119872 = ℎ(2 119896

119894

119889 1198771 1198772)

119877 updates 119896119894

119889to ℎ(3 119896

119894

119889 1198771 1198772) update R




119879119894accepts 119877

119879119894updates 119896

119894

119889to ℎ(3 119896

119894

119889 1198771 1198772) update 119879

119894


1199101015840 stored as 119888max in (119888

1199101015840 119901119900119904

1199101015840 )


119895

1199091015840+1

1199031199101015840 ))119875119862



1199101015840


ReaderQuery Query

Tagcomputing

Tagreply

Tagcomputing

Slot Slot0 1

T2

T3 HoldLevel x

ry 1 3 ry+1 0 2







3rd bit = 1

3rd bit = 0

2nd bit = 1



119894 R and 119879

119894authen-




1


1is acceptable and





ℎ(1 1198771 1198772 119896119894

119889)


1 1198772 119896119894
















119862 and






1 1198792 and 119879




119862


20and 119896

30 119877 puts 119879

2and 119879

1in




3and goes





1 After




119894

119889

1015840

= ℎ(3 1198771 1198772 119896119894

119889) for 119879










1and 119879




k10

k21

k32 k33

T1 T2

M1

M2

(a) Most sharing

k20

k30

k10

T3

(b) Least sharing








(119905query + 119905reply)

119873


Compmin = (2 minus1

119873) 119905119905119888119900119898119901

+ (3 minus2

119873119860

) 119905119903119888119900119898119901

asymp 2119905119905119888119900119898119901

+ 3119905119903119888119900119898119901

(1)





119862values in



a hash value and 119905119903119888119900119898119901





Compmax = (119889 + 1) 119905119903119888119900119898119901

+ (2119889 + 1) 119905119903119888119900119898119901

(2)





minus1

119873119860

)


times (2 + 119889 minus log2119873119860

)


minus1

119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

minus1

119873119860

) 119905119903119888119900119898119901

asymp (2 + 119889 minus log2119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

) 119905119903119888119900119898119901

(3)


119860 When 119873




















0 200 400 600 800 1000

39

4

41

42

43

44

45

46

47

48


log10

style

)


MAPRWPRWP

242120583s6775120583s

6775120583s

242120583s242120583s6775120583s

Aver

age p

roce

ssin

g tim

e (120583





119878 Any attack on 119877 or 119873

119878



119878by a query








119878and R A




119862and



CAMAP119860

[1198960 119873119860



their secret keys





1198781and 119873

1198782 For the




119878119887 where b = 0 or b = 1 and



otherwise 119873119878(1minus119887)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] (4)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] = 1 minus (1 minus 1198750)2

(5)




advMAP119860

(1198960 119873119860

) =

1003816100381610038161003816100381610038161003816(119875MAP +

1


1

2

1003816100381610038161003816100381610038161003816=

119875MAP2

(6)





119860


(1198960 119873119860





strong (120576 1198960 119873119860



Wide

Narrow



m-destructive

forward weak














We denote tags in 119873119878119887


and 1198791015840 with (119896119890119910

0 1198961198901199101 119896119890119910

119889) and (119896119890119910

1015840

0 1198961198901199101015840

1 119896119890119910

1015840

119889)




119909to denote the





1015840

119909equal to 119896119890119910


119878119887


119875119903(1198621

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575times

1

120575119909times (1 minus

1

120575119909)

119873119860minus1

(7)


1015840

119909equals to 119896119890119910


119878119887does


119875119903(1198622

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909


1

120575119909)

119873119860

(8)


1015840

119909equals 119896119890119910



119875119903(1198623

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575minus 119875119903(1198621

119909) minus 119875119903(1198622

119909)

(9)


includes 119879 is

1198750

= 119875119903(1198621

1or 1198622

1) +

119889

sum

119909=2

(119875119903(1198621

119909or 1198622

119909) times

119909minus1

prod

119910=1

119875119903(1198623

119910))

= (1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

times

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

)))

(10)

where

119875 (119896119890119910119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895) (120575 minus 119895)

(120575119909 minus 119895)2

1198961

= 120575 (1 minus (1 minus1

120575)

1198960

)

119896119909

= 120575 (1 minus (1 minus1

120575)

119892(119896119909)

) (2 le 119909 le 119889)

119892 (119896119909) = 1198960

119909minus1

prod

119910=1

1

119896119910

(11)





derivations

(1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

le (1

2)

119873119860minus1

1198961

120575

1198961

120575

1198961

minus 1

120575 minus 1

le (1

2)

119873119860minus1

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

))

lt

119909minus1

prod

119910=1

(119875 (119896119890119910119910) times 1 times 1)

=

119909minus1

prod

119910=1

119875 (119896119890119910119910)

(12)


1198750

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

119909minus1

prod

119910=1

119875 (119896119890119910119910))

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

(1 minus1

120575119909)

119873119860minus1

lt (1

2)

119873119860minus1

+ 119889(1 minus1

1205752)

119873119860minus1

(13)



that 1198750

lt (12)119873119860minus1

+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875

0is an




0 50 100 150 2000

02

04

06

08

1

Succ

essfu

l pro

b o

f atta

ck


MAPTree-based







119860gt 8 119875MAP lt



















Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










k10

k20

k30

k21

k32 k33

k23

k11

T1 T2T3 T4

M1

M2


Request NR

) Fk1198942(r) Fk119894

119889(rGenerate NT

RTi

NT k1198941(r )⟩⟨F

set r = NT ||NR



keys are (11989610 11989621 11989632) 119873119877and 119873



11989610

(119903) 11986511989621

(119903) and 11986511989632

(119903)




119894

119895is119865119896119894

119895


1rarr

1198722




1and 119879



1and

check (11989610 11989621 11989633) for 119879


10and 119896

21






2and 119879

3 If simultaneously



2and 119879

3at level 1 in


2and 119879

3 At level 119909 minus 1 119877


119909 119903119910) = 10110 and ℎ(119896

3

119909 119903119910) =

10000 where ℎ(119896119895

119909 119903119910) is computed with 119879







3

= 1 (10000)3= 0 and (V)


3responds










4 MAP Design








119894 1 le 119894 le 119873






119894




1are 11989610 11989621 and 119896


keys of 119879119894as (1198961198941 119896119894

2 119896

119894

119889) We define 119896

119894

119909as the 119909th key of 119879

119894





119862to denote the






119862








where1198811015840





119894

119909 119903119910) 119877 then compares



parameters 119903119910 1198811015840119862 119875119862 and 119888

119910 where 119888

119910is a counter






119894computes

119881119862related to 119875


119862th time slot




119910


119862at level 119909 minus 1 If 119879

119894rsquos





119910 119875119862 1198811015840119862 119888119910)

119877 records (119888119910 119909 minus 1) 119888

119910++



119894

119909 119903119910))119875119862


Go to depth 119909



119879119894checks 119877


1+ 1)


119894

119889 1198771 1198772)



119894 and sends 119872 = ℎ(2 119896

119894

119889 1198771 1198772)

119877 updates 119896119894

119889to ℎ(3 119896

119894

119889 1198771 1198772) update R




119879119894accepts 119877

119879119894updates 119896

119894

119889to ℎ(3 119896

119894

119889 1198771 1198772) update 119879

119894


1199101015840 stored as 119888max in (119888

1199101015840 119901119900119904

1199101015840 )


119895

1199091015840+1

1199031199101015840 ))119875119862



1199101015840


ReaderQuery Query

Tagcomputing

Tagreply

Tagcomputing

Slot Slot0 1

T2

T3 HoldLevel x

ry 1 3 ry+1 0 2







3rd bit = 1

3rd bit = 0

2nd bit = 1



119894 R and 119879

119894authen-




1


1is acceptable and





ℎ(1 1198771 1198772 119896119894

119889)


1 1198772 119896119894
















119862 and






1 1198792 and 119879




119862


20and 119896

30 119877 puts 119879

2and 119879

1in




3and goes





1 After




119894

119889

1015840

= ℎ(3 1198771 1198772 119896119894

119889) for 119879










1and 119879




k10

k21

k32 k33

T1 T2

M1

M2

(a) Most sharing

k20

k30

k10

T3

(b) Least sharing








(119905query + 119905reply)

119873


Compmin = (2 minus1

119873) 119905119905119888119900119898119901

+ (3 minus2

119873119860

) 119905119903119888119900119898119901

asymp 2119905119905119888119900119898119901

+ 3119905119903119888119900119898119901

(1)





119862values in



a hash value and 119905119903119888119900119898119901





Compmax = (119889 + 1) 119905119903119888119900119898119901

+ (2119889 + 1) 119905119903119888119900119898119901

(2)





minus1

119873119860

)


times (2 + 119889 minus log2119873119860

)


minus1

119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

minus1

119873119860

) 119905119903119888119900119898119901

asymp (2 + 119889 minus log2119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

) 119905119903119888119900119898119901

(3)


119860 When 119873




















0 200 400 600 800 1000

39

4

41

42

43

44

45

46

47

48


log10

style

)


MAPRWPRWP

242120583s6775120583s

6775120583s

242120583s242120583s6775120583s

Aver

age p

roce

ssin

g tim

e (120583





119878 Any attack on 119877 or 119873

119878



119878by a query








119878and R A




119862and



CAMAP119860

[1198960 119873119860



their secret keys





1198781and 119873

1198782 For the




119878119887 where b = 0 or b = 1 and



otherwise 119873119878(1minus119887)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] (4)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] = 1 minus (1 minus 1198750)2

(5)




advMAP119860

(1198960 119873119860

) =

1003816100381610038161003816100381610038161003816(119875MAP +

1


1

2

1003816100381610038161003816100381610038161003816=

119875MAP2

(6)





119860


(1198960 119873119860





strong (120576 1198960 119873119860



Wide

Narrow



m-destructive

forward weak














We denote tags in 119873119878119887


and 1198791015840 with (119896119890119910

0 1198961198901199101 119896119890119910

119889) and (119896119890119910

1015840

0 1198961198901199101015840

1 119896119890119910

1015840

119889)




119909to denote the





1015840

119909equal to 119896119890119910


119878119887


119875119903(1198621

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575times

1

120575119909times (1 minus

1

120575119909)

119873119860minus1

(7)


1015840

119909equals to 119896119890119910


119878119887does


119875119903(1198622

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909


1

120575119909)

119873119860

(8)


1015840

119909equals 119896119890119910



119875119903(1198623

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575minus 119875119903(1198621

119909) minus 119875119903(1198622

119909)

(9)


includes 119879 is

1198750

= 119875119903(1198621

1or 1198622

1) +

119889

sum

119909=2

(119875119903(1198621

119909or 1198622

119909) times

119909minus1

prod

119910=1

119875119903(1198623

119910))

= (1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

times

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

)))

(10)

where

119875 (119896119890119910119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895) (120575 minus 119895)

(120575119909 minus 119895)2

1198961

= 120575 (1 minus (1 minus1

120575)

1198960

)

119896119909

= 120575 (1 minus (1 minus1

120575)

119892(119896119909)

) (2 le 119909 le 119889)

119892 (119896119909) = 1198960

119909minus1

prod

119910=1

1

119896119910

(11)





derivations

(1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

le (1

2)

119873119860minus1

1198961

120575

1198961

120575

1198961

minus 1

120575 minus 1

le (1

2)

119873119860minus1

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

))

lt

119909minus1

prod

119910=1

(119875 (119896119890119910119910) times 1 times 1)

=

119909minus1

prod

119910=1

119875 (119896119890119910119910)

(12)


1198750

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

119909minus1

prod

119910=1

119875 (119896119890119910119910))

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

(1 minus1

120575119909)

119873119860minus1

lt (1

2)

119873119860minus1

+ 119889(1 minus1

1205752)

119873119860minus1

(13)



that 1198750

lt (12)119873119860minus1

+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875

0is an




0 50 100 150 2000

02

04

06

08

1

Succ

essfu

l pro

b o

f atta

ck


MAPTree-based







119860gt 8 119875MAP lt



















Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











4 MAP Design








119894 1 le 119894 le 119873






119894




1are 11989610 11989621 and 119896


keys of 119879119894as (1198961198941 119896119894

2 119896

119894

119889) We define 119896

119894

119909as the 119909th key of 119879

119894





119862to denote the






119862








where1198811015840





119894

119909 119903119910) 119877 then compares



parameters 119903119910 1198811015840119862 119875119862 and 119888

119910 where 119888

119910is a counter






119894computes

119881119862related to 119875


119862th time slot




119910


119862at level 119909 minus 1 If 119879

119894rsquos





119910 119875119862 1198811015840119862 119888119910)

119877 records (119888119910 119909 minus 1) 119888

119910++



119894

119909 119903119910))119875119862


Go to depth 119909



119879119894checks 119877


1+ 1)


119894

119889 1198771 1198772)



119894 and sends 119872 = ℎ(2 119896

119894

119889 1198771 1198772)

119877 updates 119896119894

119889to ℎ(3 119896

119894

119889 1198771 1198772) update R




119879119894accepts 119877

119879119894updates 119896

119894

119889to ℎ(3 119896

119894

119889 1198771 1198772) update 119879

119894


1199101015840 stored as 119888max in (119888

1199101015840 119901119900119904

1199101015840 )


119895

1199091015840+1

1199031199101015840 ))119875119862



1199101015840


ReaderQuery Query

Tagcomputing

Tagreply

Tagcomputing

Slot Slot0 1

T2

T3 HoldLevel x

ry 1 3 ry+1 0 2







3rd bit = 1

3rd bit = 0

2nd bit = 1



119894 R and 119879

119894authen-




1


1is acceptable and





ℎ(1 1198771 1198772 119896119894

119889)


1 1198772 119896119894
















119862 and






1 1198792 and 119879




119862


20and 119896

30 119877 puts 119879

2and 119879

1in




3and goes





1 After




119894

119889

1015840

= ℎ(3 1198771 1198772 119896119894

119889) for 119879










1and 119879




k10

k21

k32 k33

T1 T2

M1

M2

(a) Most sharing

k20

k30

k10

T3

(b) Least sharing








(119905query + 119905reply)

119873


Compmin = (2 minus1

119873) 119905119905119888119900119898119901

+ (3 minus2

119873119860

) 119905119903119888119900119898119901

asymp 2119905119905119888119900119898119901

+ 3119905119903119888119900119898119901

(1)





119862values in



a hash value and 119905119903119888119900119898119901





Compmax = (119889 + 1) 119905119903119888119900119898119901

+ (2119889 + 1) 119905119903119888119900119898119901

(2)





minus1

119873119860

)


times (2 + 119889 minus log2119873119860

)


minus1

119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

minus1

119873119860

) 119905119903119888119900119898119901

asymp (2 + 119889 minus log2119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

) 119905119903119888119900119898119901

(3)


119860 When 119873




















0 200 400 600 800 1000

39

4

41

42

43

44

45

46

47

48


log10

style

)


MAPRWPRWP

242120583s6775120583s

6775120583s

242120583s242120583s6775120583s

Aver

age p

roce

ssin

g tim

e (120583





119878 Any attack on 119877 or 119873

119878



119878by a query








119878and R A




119862and



CAMAP119860

[1198960 119873119860



their secret keys





1198781and 119873

1198782 For the




119878119887 where b = 0 or b = 1 and



otherwise 119873119878(1minus119887)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] (4)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] = 1 minus (1 minus 1198750)2

(5)




advMAP119860

(1198960 119873119860

) =

1003816100381610038161003816100381610038161003816(119875MAP +

1


1

2

1003816100381610038161003816100381610038161003816=

119875MAP2

(6)





119860


(1198960 119873119860





strong (120576 1198960 119873119860



Wide

Narrow



m-destructive

forward weak














We denote tags in 119873119878119887


and 1198791015840 with (119896119890119910

0 1198961198901199101 119896119890119910

119889) and (119896119890119910

1015840

0 1198961198901199101015840

1 119896119890119910

1015840

119889)




119909to denote the





1015840

119909equal to 119896119890119910


119878119887


119875119903(1198621

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575times

1

120575119909times (1 minus

1

120575119909)

119873119860minus1

(7)


1015840

119909equals to 119896119890119910


119878119887does


119875119903(1198622

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909


1

120575119909)

119873119860

(8)


1015840

119909equals 119896119890119910



119875119903(1198623

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575minus 119875119903(1198621

119909) minus 119875119903(1198622

119909)

(9)


includes 119879 is

1198750

= 119875119903(1198621

1or 1198622

1) +

119889

sum

119909=2

(119875119903(1198621

119909or 1198622

119909) times

119909minus1

prod

119910=1

119875119903(1198623

119910))

= (1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

times

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

)))

(10)

where

119875 (119896119890119910119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895) (120575 minus 119895)

(120575119909 minus 119895)2

1198961

= 120575 (1 minus (1 minus1

120575)

1198960

)

119896119909

= 120575 (1 minus (1 minus1

120575)

119892(119896119909)

) (2 le 119909 le 119889)

119892 (119896119909) = 1198960

119909minus1

prod

119910=1

1

119896119910

(11)





derivations

(1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

le (1

2)

119873119860minus1

1198961

120575

1198961

120575

1198961

minus 1

120575 minus 1

le (1

2)

119873119860minus1

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

))

lt

119909minus1

prod

119910=1

(119875 (119896119890119910119910) times 1 times 1)

=

119909minus1

prod

119910=1

119875 (119896119890119910119910)

(12)


1198750

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

119909minus1

prod

119910=1

119875 (119896119890119910119910))

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

(1 minus1

120575119909)

119873119860minus1

lt (1

2)

119873119860minus1

+ 119889(1 minus1

1205752)

119873119860minus1

(13)



that 1198750

lt (12)119873119860minus1

+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875

0is an




0 50 100 150 2000

02

04

06

08

1

Succ

essfu

l pro

b o

f atta

ck


MAPTree-based







119860gt 8 119875MAP lt



















Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











119910 119875119862 1198811015840119862 119888119910)

119877 records (119888119910 119909 minus 1) 119888

119910++



119894

119909 119903119910))119875119862


Go to depth 119909



119879119894checks 119877


1+ 1)


119894

119889 1198771 1198772)



119894 and sends 119872 = ℎ(2 119896

119894

119889 1198771 1198772)

119877 updates 119896119894

119889to ℎ(3 119896

119894

119889 1198771 1198772) update R




119879119894accepts 119877

119879119894updates 119896

119894

119889to ℎ(3 119896

119894

119889 1198771 1198772) update 119879

119894


1199101015840 stored as 119888max in (119888

1199101015840 119901119900119904

1199101015840 )


119895

1199091015840+1

1199031199101015840 ))119875119862



1199101015840


ReaderQuery Query

Tagcomputing

Tagreply

Tagcomputing

Slot Slot0 1

T2

T3 HoldLevel x

ry 1 3 ry+1 0 2







3rd bit = 1

3rd bit = 0

2nd bit = 1



119894 R and 119879

119894authen-




1


1is acceptable and





ℎ(1 1198771 1198772 119896119894

119889)


1 1198772 119896119894
















119862 and






1 1198792 and 119879




119862


20and 119896

30 119877 puts 119879

2and 119879

1in




3and goes





1 After




119894

119889

1015840

= ℎ(3 1198771 1198772 119896119894

119889) for 119879










1and 119879




k10

k21

k32 k33

T1 T2

M1

M2

(a) Most sharing

k20

k30

k10

T3

(b) Least sharing








(119905query + 119905reply)

119873


Compmin = (2 minus1

119873) 119905119905119888119900119898119901

+ (3 minus2

119873119860

) 119905119903119888119900119898119901

asymp 2119905119905119888119900119898119901

+ 3119905119903119888119900119898119901

(1)





119862values in



a hash value and 119905119903119888119900119898119901





Compmax = (119889 + 1) 119905119903119888119900119898119901

+ (2119889 + 1) 119905119903119888119900119898119901

(2)





minus1

119873119860

)


times (2 + 119889 minus log2119873119860

)


minus1

119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

minus1

119873119860

) 119905119903119888119900119898119901

asymp (2 + 119889 minus log2119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

) 119905119903119888119900119898119901

(3)


119860 When 119873




















0 200 400 600 800 1000

39

4

41

42

43

44

45

46

47

48


log10

style

)


MAPRWPRWP

242120583s6775120583s

6775120583s

242120583s242120583s6775120583s

Aver

age p

roce

ssin

g tim

e (120583





119878 Any attack on 119877 or 119873

119878



119878by a query








119878and R A




119862and



CAMAP119860

[1198960 119873119860



their secret keys





1198781and 119873

1198782 For the




119878119887 where b = 0 or b = 1 and



otherwise 119873119878(1minus119887)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] (4)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] = 1 minus (1 minus 1198750)2

(5)




advMAP119860

(1198960 119873119860

) =

1003816100381610038161003816100381610038161003816(119875MAP +

1


1

2

1003816100381610038161003816100381610038161003816=

119875MAP2

(6)





119860


(1198960 119873119860





strong (120576 1198960 119873119860



Wide

Narrow



m-destructive

forward weak














We denote tags in 119873119878119887


and 1198791015840 with (119896119890119910

0 1198961198901199101 119896119890119910

119889) and (119896119890119910

1015840

0 1198961198901199101015840

1 119896119890119910

1015840

119889)




119909to denote the





1015840

119909equal to 119896119890119910


119878119887


119875119903(1198621

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575times

1

120575119909times (1 minus

1

120575119909)

119873119860minus1

(7)


1015840

119909equals to 119896119890119910


119878119887does


119875119903(1198622

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909


1

120575119909)

119873119860

(8)


1015840

119909equals 119896119890119910



119875119903(1198623

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575minus 119875119903(1198621

119909) minus 119875119903(1198622

119909)

(9)


includes 119879 is

1198750

= 119875119903(1198621

1or 1198622

1) +

119889

sum

119909=2

(119875119903(1198621

119909or 1198622

119909) times

119909minus1

prod

119910=1

119875119903(1198623

119910))

= (1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

times

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

)))

(10)

where

119875 (119896119890119910119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895) (120575 minus 119895)

(120575119909 minus 119895)2

1198961

= 120575 (1 minus (1 minus1

120575)

1198960

)

119896119909

= 120575 (1 minus (1 minus1

120575)

119892(119896119909)

) (2 le 119909 le 119889)

119892 (119896119909) = 1198960

119909minus1

prod

119910=1

1

119896119910

(11)





derivations

(1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

le (1

2)

119873119860minus1

1198961

120575

1198961

120575

1198961

minus 1

120575 minus 1

le (1

2)

119873119860minus1

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

))

lt

119909minus1

prod

119910=1

(119875 (119896119890119910119910) times 1 times 1)

=

119909minus1

prod

119910=1

119875 (119896119890119910119910)

(12)


1198750

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

119909minus1

prod

119910=1

119875 (119896119890119910119910))

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

(1 minus1

120575119909)

119873119860minus1

lt (1

2)

119873119860minus1

+ 119889(1 minus1

1205752)

119873119860minus1

(13)



that 1198750

lt (12)119873119860minus1

+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875

0is an




0 50 100 150 2000

02

04

06

08

1

Succ

essfu

l pro

b o

f atta

ck


MAPTree-based







119860gt 8 119875MAP lt



















Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation






















119862 and






1 1198792 and 119879




119862


20and 119896

30 119877 puts 119879

2and 119879

1in




3and goes





1 After




119894

119889

1015840

= ℎ(3 1198771 1198772 119896119894

119889) for 119879










1and 119879




k10

k21

k32 k33

T1 T2

M1

M2

(a) Most sharing

k20

k30

k10

T3

(b) Least sharing








(119905query + 119905reply)

119873


Compmin = (2 minus1

119873) 119905119905119888119900119898119901

+ (3 minus2

119873119860

) 119905119903119888119900119898119901

asymp 2119905119905119888119900119898119901

+ 3119905119903119888119900119898119901

(1)





119862values in



a hash value and 119905119903119888119900119898119901





Compmax = (119889 + 1) 119905119903119888119900119898119901

+ (2119889 + 1) 119905119903119888119900119898119901

(2)





minus1

119873119860

)


times (2 + 119889 minus log2119873119860

)


minus1

119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

minus1

119873119860

) 119905119903119888119900119898119901

asymp (2 + 119889 minus log2119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

) 119905119903119888119900119898119901

(3)


119860 When 119873




















0 200 400 600 800 1000

39

4

41

42

43

44

45

46

47

48


log10

style

)


MAPRWPRWP

242120583s6775120583s

6775120583s

242120583s242120583s6775120583s

Aver

age p

roce

ssin

g tim

e (120583





119878 Any attack on 119877 or 119873

119878



119878by a query








119878and R A




119862and



CAMAP119860

[1198960 119873119860



their secret keys





1198781and 119873

1198782 For the




119878119887 where b = 0 or b = 1 and



otherwise 119873119878(1minus119887)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] (4)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] = 1 minus (1 minus 1198750)2

(5)




advMAP119860

(1198960 119873119860

) =

1003816100381610038161003816100381610038161003816(119875MAP +

1


1

2

1003816100381610038161003816100381610038161003816=

119875MAP2

(6)





119860


(1198960 119873119860





strong (120576 1198960 119873119860



Wide

Narrow



m-destructive

forward weak














We denote tags in 119873119878119887


and 1198791015840 with (119896119890119910

0 1198961198901199101 119896119890119910

119889) and (119896119890119910

1015840

0 1198961198901199101015840

1 119896119890119910

1015840

119889)




119909to denote the





1015840

119909equal to 119896119890119910


119878119887


119875119903(1198621

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575times

1

120575119909times (1 minus

1

120575119909)

119873119860minus1

(7)


1015840

119909equals to 119896119890119910


119878119887does


119875119903(1198622

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909


1

120575119909)

119873119860

(8)


1015840

119909equals 119896119890119910



119875119903(1198623

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575minus 119875119903(1198621

119909) minus 119875119903(1198622

119909)

(9)


includes 119879 is

1198750

= 119875119903(1198621

1or 1198622

1) +

119889

sum

119909=2

(119875119903(1198621

119909or 1198622

119909) times

119909minus1

prod

119910=1

119875119903(1198623

119910))

= (1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

times

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

)))

(10)

where

119875 (119896119890119910119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895) (120575 minus 119895)

(120575119909 minus 119895)2

1198961

= 120575 (1 minus (1 minus1

120575)

1198960

)

119896119909

= 120575 (1 minus (1 minus1

120575)

119892(119896119909)

) (2 le 119909 le 119889)

119892 (119896119909) = 1198960

119909minus1

prod

119910=1

1

119896119910

(11)





derivations

(1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

le (1

2)

119873119860minus1

1198961

120575

1198961

120575

1198961

minus 1

120575 minus 1

le (1

2)

119873119860minus1

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

))

lt

119909minus1

prod

119910=1

(119875 (119896119890119910119910) times 1 times 1)

=

119909minus1

prod

119910=1

119875 (119896119890119910119910)

(12)


1198750

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

119909minus1

prod

119910=1

119875 (119896119890119910119910))

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

(1 minus1

120575119909)

119873119860minus1

lt (1

2)

119873119860minus1

+ 119889(1 minus1

1205752)

119873119860minus1

(13)



that 1198750

lt (12)119873119860minus1

+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875

0is an




0 50 100 150 2000

02

04

06

08

1

Succ

essfu

l pro

b o

f atta

ck


MAPTree-based







119860gt 8 119875MAP lt



















Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










k10

k21

k32 k33

T1 T2

M1

M2

(a) Most sharing

k20

k30

k10

T3

(b) Least sharing








(119905query + 119905reply)

119873


Compmin = (2 minus1

119873) 119905119905119888119900119898119901

+ (3 minus2

119873119860

) 119905119903119888119900119898119901

asymp 2119905119905119888119900119898119901

+ 3119905119903119888119900119898119901

(1)





119862values in



a hash value and 119905119903119888119900119898119901





Compmax = (119889 + 1) 119905119903119888119900119898119901

+ (2119889 + 1) 119905119903119888119900119898119901

(2)





minus1

119873119860

)


times (2 + 119889 minus log2119873119860

)


minus1

119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

minus1

119873119860

) 119905119903119888119900119898119901

asymp (2 + 119889 minus log2119873119860

) 119905119905119888119900119898119901

+ 2 (1 + 119889 minus log2119873119860

) 119905119903119888119900119898119901

(3)


119860 When 119873




















0 200 400 600 800 1000

39

4

41

42

43

44

45

46

47

48


log10

style

)


MAPRWPRWP

242120583s6775120583s

6775120583s

242120583s242120583s6775120583s

Aver

age p

roce

ssin

g tim

e (120583





119878 Any attack on 119877 or 119873

119878



119878by a query








119878and R A




119862and



CAMAP119860

[1198960 119873119860



their secret keys





1198781and 119873

1198782 For the




119878119887 where b = 0 or b = 1 and



otherwise 119873119878(1minus119887)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] (4)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] = 1 minus (1 minus 1198750)2

(5)




advMAP119860

(1198960 119873119860

) =

1003816100381610038161003816100381610038161003816(119875MAP +

1


1

2

1003816100381610038161003816100381610038161003816=

119875MAP2

(6)





119860


(1198960 119873119860





strong (120576 1198960 119873119860



Wide

Narrow



m-destructive

forward weak














We denote tags in 119873119878119887


and 1198791015840 with (119896119890119910

0 1198961198901199101 119896119890119910

119889) and (119896119890119910

1015840

0 1198961198901199101015840

1 119896119890119910

1015840

119889)




119909to denote the





1015840

119909equal to 119896119890119910


119878119887


119875119903(1198621

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575times

1

120575119909times (1 minus

1

120575119909)

119873119860minus1

(7)


1015840

119909equals to 119896119890119910


119878119887does


119875119903(1198622

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909


1

120575119909)

119873119860

(8)


1015840

119909equals 119896119890119910



119875119903(1198623

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575minus 119875119903(1198621

119909) minus 119875119903(1198622

119909)

(9)


includes 119879 is

1198750

= 119875119903(1198621

1or 1198622

1) +

119889

sum

119909=2

(119875119903(1198621

119909or 1198622

119909) times

119909minus1

prod

119910=1

119875119903(1198623

119910))

= (1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

times

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

)))

(10)

where

119875 (119896119890119910119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895) (120575 minus 119895)

(120575119909 minus 119895)2

1198961

= 120575 (1 minus (1 minus1

120575)

1198960

)

119896119909

= 120575 (1 minus (1 minus1

120575)

119892(119896119909)

) (2 le 119909 le 119889)

119892 (119896119909) = 1198960

119909minus1

prod

119910=1

1

119896119910

(11)





derivations

(1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

le (1

2)

119873119860minus1

1198961

120575

1198961

120575

1198961

minus 1

120575 minus 1

le (1

2)

119873119860minus1

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

))

lt

119909minus1

prod

119910=1

(119875 (119896119890119910119910) times 1 times 1)

=

119909minus1

prod

119910=1

119875 (119896119890119910119910)

(12)


1198750

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

119909minus1

prod

119910=1

119875 (119896119890119910119910))

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

(1 minus1

120575119909)

119873119860minus1

lt (1

2)

119873119860minus1

+ 119889(1 minus1

1205752)

119873119860minus1

(13)



that 1198750

lt (12)119873119860minus1

+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875

0is an




0 50 100 150 2000

02

04

06

08

1

Succ

essfu

l pro

b o

f atta

ck


MAPTree-based







119860gt 8 119875MAP lt



















Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

















0 200 400 600 800 1000

39

4

41

42

43

44

45

46

47

48


log10

style

)


MAPRWPRWP

242120583s6775120583s

6775120583s

242120583s242120583s6775120583s

Aver

age p

roce

ssin

g tim

e (120583





119878 Any attack on 119877 or 119873

119878



119878by a query








119878and R A




119862and



CAMAP119860

[1198960 119873119860



their secret keys





1198781and 119873

1198782 For the




119878119887 where b = 0 or b = 1 and



otherwise 119873119878(1minus119887)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] (4)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] = 1 minus (1 minus 1198750)2

(5)




advMAP119860

(1198960 119873119860

) =

1003816100381610038161003816100381610038161003816(119875MAP +

1


1

2

1003816100381610038161003816100381610038161003816=

119875MAP2

(6)





119860


(1198960 119873119860





strong (120576 1198960 119873119860



Wide

Narrow



m-destructive

forward weak














We denote tags in 119873119878119887


and 1198791015840 with (119896119890119910

0 1198961198901199101 119896119890119910

119889) and (119896119890119910

1015840

0 1198961198901199101015840

1 119896119890119910

1015840

119889)




119909to denote the





1015840

119909equal to 119896119890119910


119878119887


119875119903(1198621

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575times

1

120575119909times (1 minus

1

120575119909)

119873119860minus1

(7)


1015840

119909equals to 119896119890119910


119878119887does


119875119903(1198622

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909


1

120575119909)

119873119860

(8)


1015840

119909equals 119896119890119910



119875119903(1198623

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575minus 119875119903(1198621

119909) minus 119875119903(1198622

119909)

(9)


includes 119879 is

1198750

= 119875119903(1198621

1or 1198622

1) +

119889

sum

119909=2

(119875119903(1198621

119909or 1198622

119909) times

119909minus1

prod

119910=1

119875119903(1198623

119910))

= (1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

times

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

)))

(10)

where

119875 (119896119890119910119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895) (120575 minus 119895)

(120575119909 minus 119895)2

1198961

= 120575 (1 minus (1 minus1

120575)

1198960

)

119896119909

= 120575 (1 minus (1 minus1

120575)

119892(119896119909)

) (2 le 119909 le 119889)

119892 (119896119909) = 1198960

119909minus1

prod

119910=1

1

119896119910

(11)





derivations

(1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

le (1

2)

119873119860minus1

1198961

120575

1198961

120575

1198961

minus 1

120575 minus 1

le (1

2)

119873119860minus1

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

))

lt

119909minus1

prod

119910=1

(119875 (119896119890119910119910) times 1 times 1)

=

119909minus1

prod

119910=1

119875 (119896119890119910119910)

(12)


1198750

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

119909minus1

prod

119910=1

119875 (119896119890119910119910))

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

(1 minus1

120575119909)

119873119860minus1

lt (1

2)

119873119860minus1

+ 119889(1 minus1

1205752)

119873119860minus1

(13)



that 1198750

lt (12)119873119860minus1

+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875

0is an




0 50 100 150 2000

02

04

06

08

1

Succ

essfu

l pro

b o

f atta

ck


MAPTree-based







119860gt 8 119875MAP lt



















Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











119862and



CAMAP119860

[1198960 119873119860



their secret keys





1198781and 119873

1198782 For the




119878119887 where b = 0 or b = 1 and



otherwise 119873119878(1minus119887)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] (4)



119875MAP = 119875119903[CAMAP119860

[1198960 119873119860

] = 1] = 1 minus (1 minus 1198750)2

(5)




advMAP119860

(1198960 119873119860

) =

1003816100381610038161003816100381610038161003816(119875MAP +

1


1

2

1003816100381610038161003816100381610038161003816=

119875MAP2

(6)





119860


(1198960 119873119860





strong (120576 1198960 119873119860



Wide

Narrow



m-destructive

forward weak














We denote tags in 119873119878119887


and 1198791015840 with (119896119890119910

0 1198961198901199101 119896119890119910

119889) and (119896119890119910

1015840

0 1198961198901199101015840

1 119896119890119910

1015840

119889)




119909to denote the





1015840

119909equal to 119896119890119910


119878119887


119875119903(1198621

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575times

1

120575119909times (1 minus

1

120575119909)

119873119860minus1

(7)


1015840

119909equals to 119896119890119910


119878119887does


119875119903(1198622

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909


1

120575119909)

119873119860

(8)


1015840

119909equals 119896119890119910



119875119903(1198623

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575minus 119875119903(1198621

119909) minus 119875119903(1198622

119909)

(9)


includes 119879 is

1198750

= 119875119903(1198621

1or 1198622

1) +

119889

sum

119909=2

(119875119903(1198621

119909or 1198622

119909) times

119909minus1

prod

119910=1

119875119903(1198623

119910))

= (1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

times

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

)))

(10)

where

119875 (119896119890119910119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895) (120575 minus 119895)

(120575119909 minus 119895)2

1198961

= 120575 (1 minus (1 minus1

120575)

1198960

)

119896119909

= 120575 (1 minus (1 minus1

120575)

119892(119896119909)

) (2 le 119909 le 119889)

119892 (119896119909) = 1198960

119909minus1

prod

119910=1

1

119896119910

(11)





derivations

(1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

le (1

2)

119873119860minus1

1198961

120575

1198961

120575

1198961

minus 1

120575 minus 1

le (1

2)

119873119860minus1

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

))

lt

119909minus1

prod

119910=1

(119875 (119896119890119910119910) times 1 times 1)

=

119909minus1

prod

119910=1

119875 (119896119890119910119910)

(12)


1198750

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

119909minus1

prod

119910=1

119875 (119896119890119910119910))

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

(1 minus1

120575119909)

119873119860minus1

lt (1

2)

119873119860minus1

+ 119889(1 minus1

1205752)

119873119860minus1

(13)



that 1198750

lt (12)119873119860minus1

+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875

0is an




0 50 100 150 2000

02

04

06

08

1

Succ

essfu

l pro

b o

f atta

ck


MAPTree-based







119860gt 8 119875MAP lt



















Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












119909to denote the





1015840

119909equal to 119896119890119910


119878119887


119875119903(1198621

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575times

1

120575119909times (1 minus

1

120575119909)

119873119860minus1

(7)


1015840

119909equals to 119896119890119910


119878119887does


119875119903(1198622

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909


1

120575119909)

119873119860

(8)


1015840

119909equals 119896119890119910



119875119903(1198623

119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895

120575119909 minus 119895) times

119896119909

120575minus 119875119903(1198621

119909) minus 119875119903(1198622

119909)

(9)


includes 119879 is

1198750

= 119875119903(1198621

1or 1198622

1) +

119889

sum

119909=2

(119875119903(1198621

119909or 1198622

119909) times

119909minus1

prod

119910=1

119875119903(1198623

119910))

= (1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

times

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

)))

(10)

where

119875 (119896119890119910119909) =

120575minus1

prod

119895=0

(120575119909minus1

119896119909

minus 119895) (120575 minus 119895)

(120575119909 minus 119895)2

1198961

= 120575 (1 minus (1 minus1

120575)

1198960

)

119896119909

= 120575 (1 minus (1 minus1

120575)

119892(119896119909)

) (2 le 119909 le 119889)

119892 (119896119909) = 1198960

119909minus1

prod

119910=1

1

119896119910

(11)





derivations

(1 minus1

120575)

119873119860minus1

1198961

120575

120575minus1

prod

119895=0

1198961

minus 119895

120575 minus 119895

le (1

2)

119873119860minus1

1198961

120575

1198961

120575

1198961

minus 1

120575 minus 1

le (1

2)

119873119860minus1

119909minus1

prod

119910=1

(119875 (119896119890119910119910)

119896119910


1

120575119910)

119873119860minus1

))

lt

119909minus1

prod

119910=1

(119875 (119896119890119910119910) times 1 times 1)

=

119909minus1

prod

119910=1

119875 (119896119890119910119910)

(12)


1198750

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

((1 minus1

120575119909)

119873119860minus1

119896119909

120575119875 (119896119890119910

119909)

119909minus1

prod

119910=1

119875 (119896119890119910119910))

lt (1

2)

119873119860minus1

+

119889

sum

119909=2

(1 minus1

120575119909)

119873119860minus1

lt (1

2)

119873119860minus1

+ 119889(1 minus1

1205752)

119873119860minus1

(13)



that 1198750

lt (12)119873119860minus1

+ 119889(34)119873119860minus1 when 120575 = 2 Then 119875

0is an




0 50 100 150 2000

02

04

06

08

1

Succ

essfu

l pro

b o

f atta

ck


MAPTree-based







119860gt 8 119875MAP lt



















Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










0 50 100 150 2000

02

04

06

08

1

Succ

essfu

l pro

b o

f atta

ck


MAPTree-based







119860gt 8 119875MAP lt



















Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation















Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation


































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









Documents

Research Article MAP: Towards Authentication for Multiple …downloads.hindawi.com/journals/ijdsn/2013/109439.pdfis is an open access article distributed under the Creative Commons