Fast and secure tag authentication in large-scale RFID systems using skip graphs

Accepted Manuscript

Fast and Secure Tag Authentication in Large-Scale RFID Systems Using Skip Graphs Yudai Komori, Kazuya Sakai, Satoshi Fukumoto PII: DOI: Reference:

S0140-3664(17)30019-1 10.1016/j.comcom.2017.11.008 COMCOM 5602

To appear in:

Computer Communications

Received date: Revised date: Accepted date:

7 January 2017 16 November 2017 18 November 2017

Please cite this article as: Yudai Komori, Kazuya Sakai, Satoshi Fukumoto, Fast and Secure Tag Authentication in Large-Scale RFID Systems Using Skip Graphs, Computer Communications (2017), doi: 10.1016/j.comcom.2017.11.008

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

ACCEPTED MANUSCRIPT

Fast and Secure Tag Authentication in Large-Scale RFID Systems Using Skip Graphs

a Department

CR IP T

Yudai Komoria , Kazuya Sakaia , Satoshi Fukumotoa of Information and Communication Systems, Tokyo Metropolitan University, 6-6 Asahigaoka, Hino, Tokyo 191-0065, Japan

Abstract

AN US

Fast and secure object monitoring and management using Radio Frequency

Identification (RFID) technologies is crucial to Internet of Things (IoT) systems. Structured key-based private authentication protocols securely identify individual RF tags in the logarithmic order by having group keys shared by several tags. However, should some portion of tags in the system be physically compromised, the degree of privacy of the other tags will decrease. This

M

is because tampered group keys disclosed from the compromised tags can be correlated. Thus, preserving the degree of tags’ privacy in keeping with fast au-

ED

thentication speed is equivalent to reducing the correlation probability of group keys. Toward this goal, we propose Randomized Skip Graphs-Based Authentication (RSGA) that significantly improves the tags’ privacy in terms of anonymity

PT

with reasonable amount of key storage cost by using a skip graph key structure. Then, we augment RSGA with a key updating mechanism to securely update secret keys and a path pruning algorithm to further facilitate its authentication

CE

process. Our extensive computer simulation as well as mathematical analyses present that the proposed RSGA achieves its design goals.

AC

Keywords: Radio Frequency Identification, RFID, private authentication, skip graphs.

✩ Fully

documented templates are available in the elsarticle package on CTAN. author Email address: [email protected] (Kazuya Sakai)

∗ Corresponding

Preprint submitted to Journal of LATEX Templates

November 24, 2017

ACCEPTED MANUSCRIPT

1. Introduction Radio Frequency Identification (RFID) technologies lay in the very heart of Internet of Things (IoT), in which every physical objects are tagged and

5

CR IP T

identified in an internet-like structure. High performance and privacy-preserving interrogations of individual tags, generally called private tag authentication, is

crucial for effective monitoring and management of a large number of objects with RFID tags. In a singulation process, an RF reader first sends a query and energizes an RF tag, and then the tag replies its ID or data to the reader. As the tag’s ID itself is sensitive information, the reply from tags must be protected

against various threats, such as eavesdropping and compromise attacks, where

AN US

10

tags are physically tampered and the keys associated with compromised tags are disclosed to adversaries.

To defend tag’s replies, a number of private authentication protocols with low-cost operations, e.g., the XOR operation and 16-bit pseudo random functions (PRFs) [1] have been proposed. In [2], Hash Lock is proposed, where a

M

15

tag sends a hashed ID, instead of its real ID, to a reader, and then, the reader finds the corresponding entry in the back-end server. Although this approach

ED

protects tag’s replies from various attacks, the authentication time increases in proportion to the number of tags, i.e., O(N ), where N is the number of tags in the system. Hence, such a straightforward approach is not practical

PT

20

for large-scale RFID systems. In order to efficiently and securely access tags’ data, private authentication protocols with structured key management, such as

CE

groups [3], a balanced tree [4, 5, 6, 7], and skip lists [8, 9], have been designed, where the unique key of individual tags as well as group keys shared by several

25

tags are used. By applying efficient data structures, the authentication of a tag

AC

completes within O(logk N ), where k is the balancing factor. However, private authentication protocols with structured key management

unfortunately reduce the degree of privacy, should some tags in the system be compromised. This is because group keys are shared by several tags, and

30

physical tampering of some tags makes the other tags less anonymous. How to

2

ACCEPTED MANUSCRIPT

remedy this issue is equivalent to reducing the probability that two tags share common group keys (hence after we refer to it as the correlation probability). The introduction of random walking over a data structure, e.g., randomized tree-

35

CR IP T

walking [6] and randomized skip-lists [9], significantly reduces the correlation probability. Nevertheless, two tags are still correlated should they have same group keys at all the levels of in a balanced tree or skip lists. To the best of our

dlog N −1e 1 ki ,

knowledge, RSLA [9] achieves the smallest correlation probability Πi=1 k where k is the balancing factor.

Toward preserving high anonymity against the compromise attack, in this paper, we will further reduce the correlation probability by a novel structured

AN US

40

key management scheme with one of advanced data structures, called skip graphs [10]. Based on our preliminary work in [11], we propose a skip graphbased private RFID authentication protocol. The contributions of this paper are summarized as follows.

• First, we design a private tag authentication protocol, namely Randomized

M

45

Skip Graphs-Based Authentication (RSGA), in which unique and group keys are maintained with a skip graph. In keeping the authentication

ED

speed to be O(logk N ), RSGA provides higher degree of privacy with the storage cost of O(N logk N ). • Second, we augment the proposed RSGA with a key updating algorithm,

PT

50

in which unique and group keys are periodically updated to accommodate

CE

the dynamic nature of RFID systems. In addition, we propose a path pruning algorithm for RSGA to quickly singulate tags by taking a shortcut from an internal node to the corresponding node at the bottom of the skip

AC

55

graph. Note that the proposed algorithm does not sacrifice the degree of privacy under the compromise attack.

• Third, we provide security analyses. To be specific, we prove that the
dlogk N e−1 proposed RSGA results in the correlation probability of N1 ,

which is much lower than any of the existing solutions. In addition, the

3

ACCEPTED MANUSCRIPT

storage cost in terms of the number of keys stored at the back-end server

60

and tags are analyzed. Furthermore, the number of gates required to implement the proposed RSGA is discussed.

CR IP T

• Finally, we conduct extensive simulations for both static and dynamic environments, which demonstrate that the proposed scheme achieves much higher degree of anonymity, especially when the balancing factor of the

65

key structure is large and a large portion of tags in the system are compromised.

AN US

We have improved the preliminary work [11] as follows. Firstly, with the key updating algorithm, RSGA is made more complete. To be specific, not only 70

key initialization and authentication, but also the key updating and system maintenance mechanisms are designed. Secondly, the path pruning algorithm is introduced to further facilitate the authentication process in RSGA. Even when scanning a subset of group keys is sufficient to uniquely identity an individual

75

M

tag, the original RSGA always scans the list at all the levels. The path pruning algorithm removes such redundancy. Thirdly, additional security analyses

ED

are presented to stress that the proposed RSGA achieves the higher degree of privacy than the existing solutions in Sections 5.2. Fourthly, we conduct more simulations with both the static and dynamic systems for the complete perfor-

80

PT

mance evaluation. Finally, we have included illustrative examples of our RSGA mechanism in order to better exemplify its operation.

CE

The rest of this paper is organized as follows. The related works are reviewed in Section 2, and preliminary is provided in Section 3. In Section 4, we propose RSGA. The performance of the proposed scheme is evaluated by mathemati-

AC

cal analyses as well as by simulations in Section 5 and Section 6, respectively.

85

Section 7 concludes this paper.

4

ACCEPTED MANUSCRIPT

2. Related Works 2.1. Security and Privacy in RFID Applications

CR IP T

In all the RFID systems, an RF reader identifies individual tags by an Alohabased or tree-waking-based query-and-response [12]. The signal from the reader 90

to tags is called the forward channel; the signal from the tags to the reader is called the backward channel. Defending the forward channel is relatively easy, since the queries form a reader can be easily randomized [13]. On the other hand, designing backward channel protection mechanisms is non trivial work

AN US

due to the computational weakness of RF tags.

Different RFID applications require different types of the backward chan-

95

nel protection mechanisms. For example, Czeskis et al. [14] develop a motion signature to counteract a man-in-the-middle variant, so-called the ghost-andleech. Saxena et al. [15] introduce tag activation, where a tag would not reply to a reader’s query until it is unlocked by the smartphone of the tag’s owner. Sakai et al. [16, 17] design jamming-based backward channel protection mech-

M

100

anism with bit encoding schemes. One of the advantages of their schemes is

ED

that no shared secret is required before interrogations. This can be achieved by the jamming-based technique, called privacy masking [18]. For example, when a tag sends a 4-bit string, say 1001, the reader (or a trusted masking device) simultaneously sends a mask, say 1011. Under the assumption of the additive

PT

105

channel, the reader and/or an eavesdropper receives 10X1, where X denotes a corrupted bit. From the received bits 10X1, the legitimate reader with the mask

CE

information can recover the original bit string from the information about the mask bits. On the other hand, an eavesdropper without the mask information cannot recover the original bit string. By doing this, a tag can securely trans-

AC

110

mit a bit string to the reader as long as at least one bit is corrupted. Based on this idea, randomization and encoding schemes are incorporated in [16]. The protocol in [17] also relies on jamming-based environment, but works on weaker physical layer assumptions in the sense that the jamming model relies on the

115

existing physical layer technologies. While these security mechanisms aim to

5

ACCEPTED MANUSCRIPT

protect RF tag embedded smart cards or devices, they cannot be applied to large-scale RFID systems. This is because bit-by-bit operations as well as additional devices for privacy masking are required, which are too expensive to

120

CR IP T

manage a number of objects with tags. In fact, to securely identify a tag, each bit must be encoded into a codeword with length being longer than or equal to

4-bit, i.e., the communication cost increases by at least four times. Then, the

each codeword must be masked by privacy masking or jamming. In addition,

all the aforementioned authentication schemes assume that no tag is physically tampered.

Secure grouping protocols are proposed in [19], which ensure the indistin-

AN US

125

guishablies among tag’s IDs and groups. In [20], a generic framework for detecting various anomalies and attacks, such as missing tags due to theft, cloned tags, targeted attacks, and so on. As a privacy preserving RFID protocol, a key-tag tracking algorithm to estimate the number of a small set of key tags 130

among all the tags in the system without disclosing tag’s IDs in [21]. However,

M

none of [19, 20, 21] provides any authentication mechanism. The most related works to this paper is the private tag authentication protocol design for the ob-

subsection.

2.2. Private Authentications Protocols

PT

135

ED

ject management in large-scale RFID systems, which is elaborated on the next

To protect the backward channel, or tag’s replies, a number of authentication protocols with light-weight cryptographic operations have been proposed

CE

in the past. Weis proposes Hash-lock [2], where a tag computes a hashed ID using its unique key, and then, replies the hash to a reader. The reader communicates back-end server for searching the pair of the tag’s ID and unique key

AC

140

corresponding to the tag’s reply. The reader must search all the pairs of a tag ID and a unique key, which causes authentication to take a long time. This motivates private authentication to have structured key management. Private authentication protocols with structured key management [3, 22, 4,

145

5, 6, 8, 9] use one unique key and a set of group keys. A tag’s reply contains a 6

ACCEPTED MANUSCRIPT

set of hash values each of which is computed using the unique key and one of group keys. In the authentication phase, A reader first scans the group keys to confine the search space of the unique key. As shown in Figure 1, the tree-based

150

CR IP T

authentication schemes [4, 5] use a balanced tree for the key management. The tags in the system are located at leaf nodes in the tree. Each tag obtains the

unique key, denoted by sk, from its leaf node and the set of group keys, denoted by gk, at the non-leaf nodes on the path to the root. Starting from the root, the

reader identifies a tag by traveling the tree toward the corresponding leaf node. Hence, authentication speed of the tree-based protocols is O(logk N ), where N

is the number of tags and k is the balancing factor of the tree. However, should

AN US

155

some tags be compromised and group keys be correlated, the system anonymity significantly decreases.

Improving anonymity is equivalent to making the correlation probability as small as possible. To this end, Lu et al. [7] use a sparse tree, where the number of 160

non-leaf nodes are much larger than the number of tags. However, this approach

M

increases the height of a tree causing to unacceptable storage cost to tags. Sun et al. [9] incorporates the idea of random walking over a skip list, which is a

ED

probabilistic tree-like structure consisted of a set of lists. By taking random shift at each level of skip lists and incorporating the dependency among levels, 165

two tags are never linked unless they have exactly the same set of group keys.

PT

There exists a faster authentication protocol, e.g., ETAP [23] and its extended version [24], which runs in O(1) by mapping hashed IDs and real IDs

CE

using a hash index. Their claim relies on that the random access of a hash index provides the O(1) access. However, this is the average performance, and

170

hash-based protocols may take O(n) in the worst case. Hence, this direction is

AC

out of our scope. Recently, some mutual authentication protocols for application-specific con-

text have been proposed. In [25], Luo et al. propose Succinct and Lightweight Authentication Protocol (SLAP) as an ultralight RFID protocol, which does

175

not require for tags to implement any pseudorandom function generator. While such a class of protocols is desirable for the RFID systems with low-cost tags, 7

ACCEPTED MANUSCRIPT

gk2,0

sk0

gk1,1

gk2,1

sk1

sk2

gk2,2

sk3

sk4

CR IP T

gk1,0

gk2,3

sk5

sk6

sk7

AN US

Figure 1: An example of tree-based protocols.

according to the EPC Global standard [26], tags may implement a random or pseudorandom number generator. Thus, we may still rely on the assumption of the availability of pseudorandom generators for protocol designs. The pro180

tocol proposed in [27] is primarily designed for healthcare applications. Farash et al. [27] improve the existing solution [28] in terms of the forward security

M

and untraceability by applying Ecliptic curves to the RFID mutual authentication. However, computing the public key operations incurs heavy burden

185

ED

for tags. In [29], Gope et al. study a lightweight authentication protocol for distributed IoT applications in smart city. Their protocol not only protects the forward security, anonymity, and tag access traces, but also the location

PT

of RFID-embedded objects/devices. The works [27, 28, 29] ensure the security and privacy in application-specific environments such as medical systems and

CE

IoT applications. In contrast, our study focuses on the RFID-based large-scale 190

object management, e.g., inventory management, RFID library, etc., using data

AC

structures for key management. 2.3. Cryptographic Operations for RFID systems Since RF tags are computationally weak devices, only lightweight crypto-

graphic operations are feasible at tags. According to the EPC standard [26],

195

the 16-bit pseudorandom number generator shall be implemented in all passive RF tags. To this end, Poschmann et al. developes Data Encryption Standard 8

ACCEPTED MANUSCRIPT

Lightweight (DESL) [30], which requires only 1,848 gates. Using a DES type s-box and the XOR operations, a lightweight short hash function is proposed by Jappinen et al. in [31]. A pseudorandom function can be implemented with the aforementioned low-cost operations by an 8-bit shift register with an XOR feedback loop [32]. 2.4. Physical Layer Issues in RFID Systems

CR IP T

200

EPC Global Gen 2 standard operates in the 860 MHz - 960 MHz UHF

range, and the ISO18000-4 standard operates in the 2.4GHz ISM band. The chennel conditions by an RFID system significantly affect the performance of

AN US

205

RFID protocols, which can be modeled by the product of distance-dependent average path loss law, variation in the local mean power (shadow fading), and small-scale fading. In [33], an additive model for shadow fading is proposed. Path loss and multipath propagation characteristics are studied in the UHF 210

band in [34]. In [35], the characterization of large-scale fading is investigated in

M

an obstacle-dense environment, a shadow depth calculation method is invented. Since the focus of this paper is on the protocol-level security in RFID sys-

ED

tems, a reader and tags are assumed to be able to communicate each other without frame-level errors. Therefore, the impact of channel conditions is out of our scope.

PT

215

3. Preliminary

CE

3.1. Anonymity

In many RFID applications, anonymity [9] is widely used as a privacy metric

which quantifies the state of not being identifiable within an anonymous set. That is, the replies of the tags in the same anonymous set are indistinguishable

AC 220

from each other. Consider that an RFID system with 8 tags are maintained by a binary

tree structure as shown in Figure 1. As long as an authentication protocol is secure, the replies form any tags in the system are not distinguishable from

9

ACCEPTED MANUSCRIPT

Head

Tail

83 Level 0

7

97

Level 1

Level 2

67

7

7

13

29

67

13

29

67

83

97

83

97

AN US

Figure 2: An example of skip graphs.

225

CR IP T

29 13

each other. In other words, an adversary can identify a tag with probability of no greater than random guessing, i.e., 1/8, by eavesdropping the tag’s reply. However, should one of the tags be compromised, anonymity of the other tags will decrease. For example, assume that tag 5 with unique key sk5 and group keys GK5 = {gk1,1 , gk2,2 } is compromised. Then, the replies from the other tags will be partially disclosed from the keys associated with tag 5. As a result, an

M

230

adversary can divide the uncompromised tags into 3 disjoint sets, i.e., {0, 1, 2, 3},

ED

{4}, and {6, 7}. These tags are anonymous within one of three sets, and thus, the adversary can identify them with probability of either 1, 0.5, or 0.25.

PT

3.2. Skip Graph

A skip graph [10] is a probabilistic data structure, which has the full func-

235

tionality of a balanced tree and consists of a set of ordered doubly linked lists

CE

as shown in Figure 2. In other words, a skip graph can be seen as a set of trees. Each level, except the lowest level (labeled by level 2), has one or more lists, and the lowest level has one list containing all the nodes. Every node participates to one of the lists at each level. A node in the list at level i for i > 0

AC 240

appears at level i − 1 with probability of 1/k, where k is the balancing factor. Given the number of inputs N , the number of levels, denoted by η, is defined as η = dlogk N e, Thus, there are k η−j lists at level j on average. The operations of search, insert, and delete are performed in O(logk N ). The space complexity

10

ACCEPTED MANUSCRIPT

245

is O(N logk N ). 4. RSGA

CR IP T

4.1. Motivations and Basic Idea

To the best of our knowledge, the use of random walking over a data struc-

ture, e.g., RSLA [9], achieves the highest degree of privacy among the existing 250

works. In this approach, the correlation probability depends on the number of levels and the number of internal nodes at each level. In the tree-based and

255

AN US

skip lists-based protocols, the number of levels is defined as η = dlogk N e. The

number of nodes at level i is defined as k i . Hence, the correlation probability Qdlog N e−1 1 can be obtained by i=1 k ki . One naive approach to decrease the correlation probability is the use of sparse

structures [7], i.e., the internal nodes in a data structure is much larger than the number of tags. However, introducing redundant internal nodes is undesirable.

M

The number of group keys that each tag stores increases in proportion to the number of levels of a data structure. In general, the passive tag has 512-bit memory, and the length of a tag’s ID is 96 bits. Assuming that the length of

ED

260

a unique key and a group key is 32 bits, the number of levels can be at most 13, (which can be derived by (512 − 96)/32 = 13. The number of tags which

PT

can be supported by this approach is much smaller than 213 when the structure is sparse. Therefore, increasing the number of levels of a key structure is not 265

practical for large-scale RFID systems.

CE

To tackle this issue, we propose Randomized Skip Graph-based Authentica-

tion (RSGA), which runs in O(logk N ). The overview of the proposed RSGA is

AC

as follows. First, a skip graph with η + 1 levels is deterministically constructed

in which unique keys are located at the nodes in the list at level η and the

270

group keys are located at the nodes in the list at level j (1 ≤ j ≤ η − 1). Then, each tag is associated with a node of the lowest level list. Starting from the bottom, a tag obtains the unique key and a set of group keys along the path toward the top level list. At each level, random shifting is performed (hence,

11

ACCEPTED MANUSCRIPT

Table 1: Definition of notations.

The balancing factor of a skip graph The number of tags in the system The number of levels of a skip graph, dlogk N e The l-th list at level j in a skip graph (0 ≤ j ≤ η) Node i in a list, and a set of nodes Tag i’s unique secret key A set of group keys of tag i, {gk1 , gk2 , ..., gkη−1 } A set of shift numbers of tag i, {r1 , r2 , ..., rη−1 } The index of the list at level 1 Nonces from a tag and a reader A tag’s reply, {β1 , β2 , ..., βη−1 } and γ The hash, encryption, and decryption functions

CR IP T

k N η Lj,l vi , V ski GKi Ri ptr nt , nr β, γ H(.), E(.), D(.)

Definition

AN US

Symbols

the protocal is randomized). In the singulation process, the reader will find the 275

node corespoinding to a tag’s reply in the lowest list by trveling from the top. The proposed RSGA differs from RSLA [9] in the initialization, key issuing, pri-

M

vate authentication phases, and key updating. For the system maintenance, the similar approaches in [5, 9] can be applied to RSGA. Each phase is elaborated

280

ED

on in the subsequent sections.

4.2. Definitions and Assumptions

PT

We assume that an RFID system consists of N tags and one reader, which is connected to the back-end server. In addition, the reader and back-end server are assumed to be connected via a secure channel. Hence, the reader is the final

CE

destination of all the tags. The nonces are randomly selected by the reader and a tag, which are de-

285

AC

noted by nr and nt , respectively. The hash function H(.) is assumed to be collision resistant, and an encryption function E(.) is implemented by low-cost cryptographic operations [2]. In addition, the pseudo random family (PRF) is defined as F (.) which returns a 96 bits value. We assume that RF reader has

290

enough computational power to run a decryption function D(.). The symbols used in this paper is listed in Table 1.

12

ACCEPTED MANUSCRIPT

4.3. The Proposed Authentication Protocol 4.3.1. Construction of A Skip Graph Given the number of tags N and the balancing factor k, a skip graph with η + 1 levels is generated, where η is defined as dlogk N e. There exits one list in

CR IP T

295

the lowest level, which contains all the nodes, so that every tag can be allocated. At level j (1 ≤ j ≤ η − 1), there are k η−j lists and each of them contains

N kη−j

nodes. To form a list, node vi has pointers to the right and left nodes in the same list at level j, which are denoted by vi .right[j] and vi .lef t[j]. The left 300

pointer of the head node and the right pointer of the tail in the list are null.

AN US

Let Lj,l be the l-th list at the j-th level from the top. For all the level, node vi

belongs to list Lj,l , where l is computed by i mod k η−j . The level 0 has one list which contains node v0 , and this is used as the entry point for key searching. Each node has a key for each level. Let vi .key[j] be the variable to store a 305

key at node vi . To be specific, vi .key[η] contains unique key ski and vi .key[j] (1 ≤ j ≤ η − 1) contains group key gki,j . No key is assigned to the node in level

M

0 list. Thus, v0 .key[0] is empty.

Since the construction of a skip graph is deterministic, our skip graph with

310

ED

the balancing factor k works in the same fashion to a set of k-balanced trees with the nodes in the lower levels belonging to more than one tree. For example, Figure 3 shows a skip graph with N = 8 and k = 2. The corresponding set of

PT

binary trees are shown in Figure 4.

CE

4.3.2. Key Issuing

In RSGA, every tag has four variables, the unique key skt , a set of group

315

keys GKt , a set of random shift numbers Rt , and list index ptr. Tag t is located

AC

at one of the nodes, say vi , in the list at level η, and the unique key at vi .key[η] is assigned to tag t. A set of group keys are assigned to tag t by traveling with random shifting from vi at level η to the top of the skip graph. At level j, node vi has a set of parents, denoted by Vi,j , since there are more than one lists at

320

level j (1 ≤ j ≤ η −1). Here, Vi,j includes k nodes, vp for p = (i−nk η−j ) mod N (0 ≤ n ≤ k − 1). The key issuer randomly selects one of the node in Vi,j and 13

ACCEPTED MANUSCRIPT

unif orm

AN US

CR IP T

Algorithm 1 KeyIssue() 1: /* Key Issuer does following */ 2: Issuer locates all tags t to node vi 3: /* For each tag t, Key Issuer does following */ 4: for each tag t in the system do 5: KeyIssue(t, vi ) 6: /* The function to assign keys to tag t */ 7: KeyIssue(t, vi ) 8: /* vi is the current node */ 9: Rt = φ /* Initialize the random shift numbers list */ 10: GKt = φ /* Initialize the group keys list */ 11: / * At the lowest level list Lη,0 */ 12: skt ← vi .key[η] 13: /* A parent is randomly chosen among k − 1 nodes */ n ←−−−−−− [0, k − 1] 15: vi ← vp where p = (i − nk η−j ) mod N 16: for (j from η − 1 to 1) do 17: /* Random shifting by r and add a group key */

21: 22: 23: 24: 25: 26:

unif orm

r ←−−−−−− [0, |Lj,l | − 1] Add r to Rt vi ← shift to the left by r Add vi .key[j] to GKt /* Move to upper level */ unif orm

M

18: 19: 20:

n ←−−−−−− [0, k − 1] vi ← vp where p = (i − nk η−j ) mod N j ←j−1 ptr ← vi

ED

14:

PT

moves to the upper list Lj−1,l to which node vi belongs at level j − 1. Then, random number rj ∈ [0, N − 1] is generated and the left shift by ri is taken.

CE

If the pointer reaches to the head node in the list, it moves to the tail. The 325

value of ri is added to Rt for the j-th level. The pointer is now at a node, say vi0 , at level j − 1. The group key at vi0 .key[j − 1] is added to GKt . This

AC

process repeated until the pointer reaches at the top list. Unlike a tree and skip lists, there are more than one node at level 1. Thus, the entry point of the skip graph, i.e., the ID of list L1,l at level 1, is kept in ptr. At the end of this process,

330

tag t has one unique key, η − 1 group keys, η − 1 shift number, and ptr. The

pseudocode of key issuing is presented in Algorithm 1.

14

ACCEPTED MANUSCRIPT

Head V0

Level 1 V0 gk0,1

Level 2

Level 3

5

V1 gk1,1

4 V2 gk2,1

V4 gk4,1

V1 gk1,2 V0 gk0,2

2

V3 gk3,1

V4 gk4,2

1

V6 gk6,1 3

V5 gk5,2

V3 gk3,2 V2 gk2,2

V5 gk5,1

V7 gk7,1

CR IP T

Level 0

Tail

V7 gk7,2 V6 gk6,2

2

V0 sk0 V1 sk1 V2 sk2 V3 sk3 V4 sk4 V5 sk5 V6 sk6 V7 sk7

AN US

Figure 3: An example of key issuing.

Example Figure 3 illustrates a skip graph key structure with k = 2 and η = 3 of an RFID system with 8 tags. All tags are located at one of the nodes in the lowest level list L3,1 . The key issuer assigns group keys and random shift 335

numbers to a tag, say tag 3, by traveling the skip graph starting from v3 in L3,1 to the root as follows. First, unique key sk3 at v3 .key[3] is assigned to tag 3.

M

According to Figure 3, v3 has two parents nodes v2 and v3 at level 2. Assume that the key issuer randomly selects r2 = 2 and the random shift number is

340

ED

added to R3 . The current pointer shifts to the left by 2 and will be at v6 in L2 . Next, tag 3 obtains group key gk6,2 stored in v6 .key[2]. This process is repeated until the pointer reaches L0 . Assume that the key issuer selects a parent node

PT

v6 at level 1 and tag 3 selects r1 = 1 at level 1. At last, v2 (the head node in the list to which v6 belongs in level 1) is stored at ptr as the entry point to the skip graph. Eventually, tag 3 obtains sk3 , GK = {gk2,1 , gk6,2 }, R3 = {1, 2}, and ptr = v2 .

CE

345

AC

4.3.3. Mutual Authentication After issuing keys, the reader can securely communicate with tags. In the

RSGA authentication protocol, the reader first sends a query with nonce nr , then a tag generates a reply with nonce nt and sends the reply. The reader

350

receives and decrypts the tag’s reply. The replying process at the tag’s side is as follow. Assume tag t has the 15

ACCEPTED MANUSCRIPT

root

4 2

0 0

1

2

1

4 3

4

6 5

0

2

7

0

1

5

3 2

3

4

(b) Tree 2.

root

root

6 4

2 1

1

(a) Tree 1.

2 0

6

5

3

4

3 1

6 5

6

7

0

(c) Tree 3.

1

3 2

3

5

7 6

7

CR IP T

0

root

7

5

4

5

7

6

7

(d) Tree 4.

AN US

Figure 4: The corresponding set of trees.

unique key skt , a set of group keys GK = {gk1 , gk2 , ..., gkη−1 }, a set of random shift numbers Rt = {r1 , r2 , ..., rη−1 }, and the pointer ptr. When tag t receives a query with nonce nr from the reader, tag t generates a reply message with 355

nonce nt . The reply message is defined by ptr, β = {β1 , β2 , ..., βη−1 }, and γ.

M

The value of βj consists of a hash value βj .hash and encrypted shift number,

= E(gkj ||rj ).

ED

i.e., βj = (βj .hash, βj .num), where β.j hash = H(gkj ||rj−1 ||nt ||nr ) and βj .num At level 1, β1 .hash is computed with the base r0 = ptr. The reason why the 360

shift number is included at the previous level is to enforce dependency among

PT

the levels to preserve high anonymity. The random shift number rj is encrypted by E(gkj ||rj ) and set to βj .num. While each component of β is computed using

CE

a group key at each level i, and γ is computed using a unique key at level η. The value of γ is obtained by IDt ⊕ F (0||skt ||rη−1 ||nt ||nr ), where IDt is the

365

ID of a tag and F (.) is the PRF. As the input of F (.), 0 is concatenated with

AC

other parameters for the purpose of the mutual authentication. Finally, tag t sends nt , β, γ, and ptr to the reader. Note that β contains η − 1 elements. The

pseudocode of the tag’s reply is provided in Algorithm 2.

370

On receiving tag t’s reply, the reader scans k group keys associated to the

nodes in list L1,ptr . Let vi be the node whose key[1] contains the corresponding group key gk1 for β1 .hash. In addition, β1 .num is decrypted by gk1 to obtain 16

ACCEPTED MANUSCRIPT

Head V0 2

1 Level 1 V0 gk0,1

V1 gk1,1

V2 gk2,1

V3 gk3,1 V4 gk4,1

V5 gk5,1

V6 gk6,1

V7 gk7,1

3 V1 gk1,2

Level 2 V0 gk0,2 Level 3

4

V5 gk5,2

V3 gk3,2 V2 gk2,2

V4 gk4,2 5

CR IP T

Level 0

Tail

V7 gk7,2 V6 gk6,2

4

V0 sk0 V1 sk1 V2 sk2 V3 sk3 V4 sk4 V5 sk5 V6 sk6 V7 sk7

AN US

Figure 5: An example of authentication.

shift number r1 . The pointer moves to vi in Lj,l , and then right shift is token by r1 . If the pointer reaches at the tail node in the list, it moves to the head node of the same list. This process is repeated until the pointer arrives in a node in 375

the lowest level list. Since the nodes in the lowest list contains the unique key, the reader can identify the corresponding tag based on the information in the

M

signature γ. The pseudocode of tag authentication is given in Algorithm 3. After the tag identification, the mutual authentication process is kicked off.

380

ED

Note that the mutual authentication process of the RSGA is basically the same as the exiting ones [4, 9]. At the end of singulation, the reader knows IDt and skt . The reader computes π = IDt ⊕ F (1||skt ||nt ||nr ) and sends it to tag t.

PT

On receiving π, tag t computes IDt0 by IDt0 = π ⊕ F (1||skt ||nt ||nr ). If IDt0

equals to tag t’s IDt , tag t accepts the reader. By doing this process, tag t also

CE

authenticates the reader. 385

Example Figure 5 presents an example of how tag 3 is authenticated by the reader. Assume that tag 3 has sk3 , GK3 = {gk2,1 , gk6,2 }, R3 = {1, 2} and

AC

ptr = v2 . On receiving a query from the reader, tag 3 will generates nounce nt and computes its reply, β and γ, as follows:

17

ACCEPTED MANUSCRIPT

= H(gk2,1 ||nt ||nr ), E(gk2,1 , 1)

(1)

β2

= H(gk6,2 ||1||nt ||nr ), E(gk6,2 , 2)

(2)

= ID3 ⊕ F (0||sk3 ||2||nt ||nr )

(3)

γ

CR IP T

β1

When the reader receives the tag’s reply nt , β, γ, and ptr, it tries to search 390

the corresponding entry at the bottom list in a skip graph. As shown in Figure 5, there are four lists at the first level. The reader selects the one indicated by

AN US

ptr. To compare the obtained hash value with β1 .hash, two nodes v2 and v6 in

L1,2 are scanned, each of which contains gk2,1 and gk6,1 , respectively. Since the key gk2,1 is the valid key for β1 .hash, the reader executes D(gk2,1 , β1 .num) and 395

obtains r1 = 1. The reader moves the pointer to v6 by taking the right shift by 1. In the level 2, two group keys at v0 .key[2] and v6 .key[2] are scanned to identify the valid key for β2 .hash. The reader will figure out that gk6,2 works for β2 .hash

M

and obtains r2 = 2 by decrypting β2 .num. This process is repeated and at the end the reader reaches the lowest level list L3,1 . At this level, the unique keys stored at v2 .key[3] and v3 .key[3] are scanned. The value obtained with sk3 yields

ED

400

the same value as γ. The reader computes ID0 = γ ⊕ F (0||sk3 ||rη−1 ||nt ||nr )

and validates that ID0 equals to ID3 . As v3 is the corresponding node at which

PT

tag 3 is located and ID0 is tag 3’s ID, the reader finally concludes that the reply comes from tag 3.

For the clarification, the pointers to the right and left nodes in the same level

CE

405

is used for random shifting, but nothing to to do with key scanning. When the reader moves the current pointer toward the bottom list in the authentication

AC

process, the corresponding child nodes of the current node are scanned. In this example, the current pointer is located at v6 in level 1, and its children v0 and

410

v6 in level 2. It will be clearer by seeing both Figures 4 and 5. As discussed, the skip graph in Figure 5 can be seen a set of 4 binary trees as shown in Figures 4 (a), (b), (c), and (d). Node v6 at level 1 belongs to list L1,2 and has two children v0 and v6 at level 2, which corresponds to Figure 4 (c). This is why 18

ACCEPTED MANUSCRIPT

the reader scans v0 .key[2] and v6 .key[2] in level 1. A similar argument holds for 415

key scanning at v2 .key[3] and v3 .key[3] of L3,1 in level 2. After identifying tag 3, the mutual authentication phase is kicked off. The

CR IP T

reader computes the proof π by ID3 ⊕ F (1||sk3 ||nt ||nr ) and sends π to tag

3. This time, 1 is concatenated with the input. On receiving the response

from the reader, tag 3 performs π ⊕ F (1||sk3 ||nt ||nr ) and resulted value will be 420

ID30 . Since the legitimate reader has the correct ID3 and sk3 , the value of ID30

computed by tag 3 shall be the same as ID3 . At the end of this process, tag 3

AN US

also authenticates the reader.

ED

M

Algorithm 2 ReplyToReader(nr ) 1: /* Assume tag t has skt , GKt , Rt , and ptr */ 2: /* where GKt = {gk1 , gk2 , ..., gkη−1 } and Rt = {r1 , r2 , ..., rη−1 } */ 3: Generate nonce nt 4: for i from 1 to η − 1 do 5: βi .hash ← H(gki ||ri−1 ||nt ||nr ) /* Note that r0 = ptr */ 6: βi .num ← E(gki , ri ) 7: Add βi to β 8: γ = IDt ⊕ F (0||skt ||rη−1 ||nt ||nr ) 9: reply nt , β, γ, and ptr.

4.4. Key Updating Algorithm

425

PT

To alleviate the compromise attack, the RFID systems should periodically update the unique and group keys. The unique keys are never shared by different

CE

tags, and so the updating of unique key is trivial. Upon accessing a tag, the reader and tag update the unique key in its key structure and the tag’s memory. The challenge of designing a key updating mechanism is how to update group

AC

keys. On one hand, SPA [5] first updates the group keys at tags, and then,

430

the corresponding group keys at the back-end server are updated. On the other hand, RSLA [9] first updates all the group keys in skip lists, and then, the group keys of individual tags are updated when they are accessed. The key updating algorithm we proposed in this paper is based on one in the RSLA. First, the key issuer randomly generates nonce r and updates all the 19

ACCEPTED MANUSCRIPT

keys in the skip graph by scanning every node of each list at each level. Here,

ED

435

M

AN US

CR IP T

Algorithm 3 Authentication(nr , nt , β, γ, ptr) 1: /* β = {β1 , β2 , ..., βη−1 } and γ*/ 2: vi ← v0 /* Here, vi is the current node */ 3: for j from 1 to η − 1 do 4: if 1 ≤ j ≤ η − 2 then 5: for m from 1 to k do 6: vi ← the m-th node in L1,ptr . 7: if H(vi .key[j + 1]||rj−1 ||nt ||nr ) = βj .hash then 8: r ← D(vi .key[j + 1], βj .num) 9: vi ← shift to the right by r 10: m←m+1 11: else 12: for m from 1 to k do 13: vi ← the m-th node in L1,l 14: /* Computing the signature γ */ 15: if IDt = γ ⊕ F (0||vi .key[η]||rη−1 ||nt ||nr ) then 16: Identify tag t by the IDt and the unique key vi .key[η] 17: return tag t 18: m←m+1 19: j ←j+1 20: if The key is not found then 21: return F AIL

nonce r is kept in secret by the key issuer. At each node, the key issuer performs H(r, v.key[j]) (1 ≤ j ≤ η) to generate a new key. Hence, it is computationally

PT

hard for an adversary to obtain a new key, because the new key is created by a one-way hash function. For the reader to interrogate the tags with old keys, 440

the old keys must be kept until all the tags associated with the old keys obtain

CE

the new keys. To this end, the old key at a node, say v.key[j] (1 ≤ j ≤ η),

is stored at v.old key[j]. As shown in Algorithm 1, when the reader accesses

AC

a tag, the tag’s unique key, group keys, random shift numbers, and the list pointer are updated at the tag’s side. Tags will keep only the latest set of keys

445

and random numbers, and thus, the old ones will be discarded when they are updated. Accordingly, the proposed key updating algorithm can successfully renew the keys in the system while the reader can still access tags with the old keys. 20

ACCEPTED MANUSCRIPT

4.5. Path Pruning To quickly singulate a tag, we propose a path pruning algorithm based

450

on the observation in which the reader does not always have to scan all the

CR IP T

group keys. Let GKt = {gk1 , gk2 , ..., gkη−1 } be the set of group keys of tag t. For all the other tags, say t0 , if there is level j such that {gk1 , gk2 , ..., gkj } 6= {gk10 , gk20 , ..., gkj0 }, then {gk1 , gk2 , ..., gkj } is the unique subset of group keys 455

with respect to all the other tags. This implies that the reader can singulate tag

1 without scanning gkj+1 , gkj+2 , ..., and gkη−1 . Let v and v 0 be the correspond-

ing node at level j to group key gkj and level η to unique key skη , respectively.

AN US

A shortcut from v to v 0 is stored at v.pp[j]. By doing this, the reader can quickly identify tag t than the original protocol. Note that this algorithm never 460

scarifies the degree of privacy against the compromise attack, since the shortcut information is never disclosed to adversaries unless the back-end server is compromised. The pseudo code of the proposed path pruning algorithm is given in Algorithm 4.

465

M

Note that the existing solutions, e.g., the tree-based and skip lists-based protocols, cannot benefit from the path pruning. In both of these approaches,

ED

there are k j internal nodes at level j. The unique subset of group keys is rarely seen for j > η − 1. Therefore, one of the advantages of RSGA over the existing

PT

solutions is compatibility with the path pruning. Example Assume that there are two tags in the system, tags 1 and 2, and 470

each of them has the group keys GK1 = {gk2,1 , gk6,2 , gk4,3 } and GK2 =

CE

{gk2,1 , gk1,2 , gk5,3 }, respectively. Also, tag 1’s secret key is assumed to be stored

at v3 . While the group keys of GK1 and GK2 at level 1 are the same, the second

AC

group keys are different from each other, i.e., gk6,2 6= gk4,3 . Thus, the subset of tag 1’s group keys {gk2,1 , gk6,2 } is unique with respect to the others. Node v6

475

stores gk6,2 at level 2, and tag 1 is mapped to v3 . Therefore, the shortcut from

level 2 to level 4 can be stored by v6 .pp[2] ← v3 .

21

ACCEPTED MANUSCRIPT

AN US

CR IP T

Algorithm 4 InitPathPruning() 1: For each tag t, call PathPruning(t, GKt , vt ) 2: /* Here, vt is the node at level η to which tag t is assigned. */ 3: PathPruning(t, GKt , vt ): 4: m ← 1 5: for each t0 (t0 6= t) do 6: count ← 1 7: for each j from 0 to η − 1 do 8: if gkj = gkj0 then 9: count ← count + 1 10: if m < count then 11: m ← count 12: if m < η − 1 then 13: v ← the node with gkm . 14: v.pp[m] ← vt . Head Level 0

V0

V7 gk7,1

V3 gk3,1

Level 1

2

V4 gk4,1

V3 gk3,2

3

ED V1 gk1,2

V0 gk0,2

V0 gk0,3

Level 4

V0 sk0

V1 gk1,3

V2 gk2,3

PT

Level 3

V2 gk2,2

V1 sk1

V2 sk2

V5 gk5,2

V4 gk4,2

V3 gk3,3

V3 sk3

V4 gk4,3 V4 sk4

V6 gk6,2

V5 sk5

V6 gk6,3 V6 sk6

V7 gk7,3

V7 sk7

V12 gk12,1

V8 gk8,1 V9 gk9,2 V8 gk8,2

4

V5 gk5,3

V14 gk14,1

V10 gk10,1

V7 gk7,2

V8 gk8,3 V8 sk8

V9 gk9,3

V9 sk9

V11 gk11,2 V10 gk10,2

V10 gk10,3 V10 sk10

V15 gk15,1

V13 gk13,1

V9 gk9,1

V6 gk6,1

V2 gk2,1

V0 gk0,1

Level 2

V5 gk5,1

1

M

V1 gk1,1

V11 gk11,1

Tail

V13 gk13,2 V12 gk12,2

V11 gk11,3

V11 sk11

V12 gk12,3 V12 sk12

V13 gk13,3

V13 sk13

V15 gk15,2 V14 gk14,2

V14 gk14,3 V14 sk14

V15 gk15,3

V15 sk15

CE

Figure 6: An example of the path pruning.

AC

5. Analyses In this section, security and performance analyses are provided in terms of

the system anonymity, the key storage cost at the back-end sever and tags, and

480

the number of gates required at tags.

22

ACCEPTED MANUSCRIPT

5.1. Anonymity Analysis In RSGA, two tags cannot be correlated unless they have the same group

be deduced by Theorem 1. 485

CR IP T

keys at all the levels in a skip graph. The correlation probability of RSGA can

Theorem 1 Given the number of tags N and the balancing factor k, the correlation probability of RSGA is ( N1 )dlogk N e−1 .

Proof A skip graph has η = dlogk N e levels excluding level 0 with each containing N nodes. Every tag obtains η −1 group keys from level j (1 ≤ j ≤ η −1), 490

AN US

and two tags will have the same group key with probability 1/N from level 1 to

η − 1. Thus, the two tags are correlated with probability ( N1 )dlogk N e−1 . This concludes the proof.

The anonymity of the system is defined by Equation 4, where Si is the

M

anonymous set consisting of one or more tags.

1 X |Si | |Si | · N i N

(4)

495

ED

If no tag is compromised, there exists only one anonymous set and |S1 | = N and the anonymity yields 1. Should some tags be compromised, the tags in the

PT

system are divided into disjoint set and each tag is anonymous within the set, and the resulted anonymity will be between 0 and 1. The definition of anonymity shown in Equation 4 is based on the following

CE

observation. When the tags in the system are divided into small disjoint sets, the

500

degree of privacy of an anonymous set, say Si , with respect to the total number of tags is computed by

AC

Thus,

|Si | N

|Si | N .

There are |Si | number of tags which belong to Si .

is weighted by multiplying with |Si |. After taking the summation of

them for each anonymous set, the average is computed by dividing

505

1 N.

In RSGA, an uncompromised tag belongs to the anonymous set with size

k or k − 1 only when it has the same group keys as any of the compromised nodes. Such a probability is formulated in Theorem 1. Otherwise, the tag

23

ACCEPTED MANUSCRIPT

remains anonymous within the set with size N − Nc , where Nc is the number of compromised tags.

CR IP T

5.2. The Comparisons with The Existing Solution In this subsection, we demonstrate the proposed RSGA achieves the lower

510

correlation probability than one of the existing solutions, RSLA. We first derive the correlation probability of RSLA by Theorem 2.

515

AN US

Theorem 2 Given the number of tags N and the balancing factor k, the corQdlog N e−1 1 relation probability of RSLA is i=1 k ki .

Proof Given the number of tags and the balancing factor, skip lists have η = dlogk N e levels, and each level j except 0 has one list that contains k j nodes with a group key. Hence, the probability of two tags having the exactly the Qdlog N e−1 1 same set of group keys is i=1 k ki . This completes the proof.

M

520

From Theorems 1 and 2, the correlation probability of RSGA is smaller than Qdlog N e−1 1 1 dlogk N e−1 that of RSLA. This can be proven by showing i=1 k > 0. ki −( N )

ED

Example Assume that the number of tags N = 210 = 1024, the balancing

factor k = 2, the height of tree η = 10. From Theorem 1, the correlation probability in RSGA is approximately 8.078 × 10−28 . On the other hand, the

525

PT

correlation probability of RSLA is approximately 2.842 × 10−14 by Theorem 2. Therefore, RSGA significantly improves the degree of privacy in term of the

CE

correlation probability by 10−14 . 5.3. The Storage Analysis

AC

The key storage cost at the back-end server is obtained by Theorem 3.

Theorem 3 Given the number of tags N and the balancing factor k, the number

530

of keys in the system is bounded by O(N log N ). Proof A skip graph has η = dlogk N e levels excluding level 0, and there are N nodes from level 1 to η. Note that the list at level 0 does not contain any 24

ACCEPTED MANUSCRIPT

key, and it is excluded from the consideration. Thus, the total number of nodes containing a key in the skip graph is N logk N . Therefore, the key storage cost 535

is O(N logk N ). This completes the proof.

CR IP T

While RSGA requires larger storage cost than the existing solutions, which

require O(N ) key storage cost, the back-end server has enough storage capacity. In addition, RSGA never sacrifices the authentication speed compared with the tree-based and skip lists-based approaches. Thus, we stress that RSGA provides 540

higher a privacy preserving mechanism with reasonable key storage cost.

AN US

Theorem 4 Given the number of tags N and the balancing factor k, the storage cost for a tag is bounded by O(logk N ).

Proof In a skip graph with η levels, one unique key, η − 1 group keys, η − 1 random shift numbers, and list pointer ptr are assigned to each tag. Since 545

η ≤ logk N + 1, the storage cost which each tag incurs is O(logk N ). This

5.4. Weight Analysis

M

completes the proof.

ED

Based on the weight analysis presented in [9], we can estimate the number of gates required to implement our RSGA in a tag as follows. Compared with 550

RSLA, the proposed RSGA introduces additional logk N bits to store ptr, which

PT

indicates the entry point of a skip graph. As 1-bit memory of a D flip-flop is implemented with 5 gates, keeping logk N -bit information introduces additional

CE

5 logk N gates. With the same condition as [9], the number of gates to implement RSGA at a tag is formulated by 3576 + 80 × (η − 1) + 5 logk N . For example,

555

to maintain 216 tags in a skip graph with the balancing factor k = 2, the

AC

number of additional gates for each tag equals to 4,856. Since 1,000 gates costs 1 cent [2], the RSGA implementation increases approximately 5 cents for each tag. However, we claim that additional 5 cents would not be a significant issue in the RFID systems, where each tag has a relatively long life-cycle, such as

560

library RFID systems.

25

ACCEPTED MANUSCRIPT

Table 2: The simulation parameters.

Values

The number of tags The balancing factor The compromised tags Num. of pseudo ID pools (AnonPri) Num. of pseudo IDs (AnonPri)

6. Performance Evaluation

28 to 214 2, 4, 8,or 16 1% to 90% 1000 10

CR IP T

Parameters

AN US

For the performance evaluation by computer simulations using a self-developed simulator in Java, the proposed RSGA is implemented along with the existing solutions, including the tree-based [4], SPA [5], AnonPri [22], and RSLA [9] pro565

tocols. Note that SPA is a tree-based protocol with a key updating mechanism. 6.1. Simulation Configuration

M

The way we conduct simulations is basically the same as [8, 9, 11] and similar to [3, 5, 22]. That is, the focus of our performance evaluation is on the protocollevel security, and thus, the physical functions of tags are not simulated. A simulation experiment is set up by locating one RF reader and 28 to 214 RF

ED

570

tags, which is sufficiently large to accomodate a large-scale system, such as inventory management and an RFID library. The construction of a key structure

PT

and key initialization is performed by the key issuing process of each private authentication protocol. Then, to emulate the compromise attack, randomly selected Nc tags are marked as being compromised, where Nc ranges 1% to 90%

CE

575

or is set to be either 64, 128, 256 or 512. In the tree-based, SPA, RSLA, and RSGA, the balancing factor k is set to be either 2, 4, 8, or 16. For AnonPri, the

AC

number of pseudo ID pools and the number of pseudo IDs that each tag has are set to be 1000 and 10, respectively. In order to make our performance evaluation

580

consistent with the related works, these protocol-specific parameters are set as the same as the performance evaluation conducted in the existing works [8, 9, 3, 5, 22]. For each system realization, 1000 experiments are performed.

26

ACCEPTED MANUSCRIPT

We consider both static and dynamic systems. In a static system, after initializing an RFID system, a set of Nc tags are randomly chosen and marked as 585

being compromised. Then, the system anonymity is computed. In a dynamic

CR IP T

system, randomly selected Nc tags are marked as being compromised. Then, another set of Nc tags run the key updating algorithm to update their unique

key, group keys, shift numbers, and the list pointer. This process is repeated to

emulate a dynamic system. For every iteration, the system anonymity is com590

puted just after a set of Nc tags are compromised. The simulation parameters are listed in Table 2.

AN US

Under those scenarios, umcompromised tags are interrogated by the reader

using a private authentication protocol. To compare the performance of each protocol in various aspects, the system anonymity, authentication speed, and key 595

storage cost are employed as metrics, each of which are computed by exactly the same way as [9]. That is, the system anonymity is computed by taking the average of the anonymity of each tag as formulated in Equation 4; the

M

authentication speed is obtained by the summation of the number of lightweight cryoptographic operations including key scanning and decryption of shift numbers; the total number of group and unique keys in the system is considered

ED

600

as the key storage cost.

PT

System anonymity

Tree AnonPri RSLA RSGA

0.6 0.4 0.2 0

AC

1

0.8

CE

System anonymity

1

1

5

10

50

90

Percentage of compromised tags (%)

0.8 RSLA:Nc=64 RSLA:Nc=128 RSGA:Nc=64 RSGA:Nc=128

0.6 0.4 0.2 0

2

4

8

16

Balancing factors

Figure 7: System anonymity.

Figure 8: System anonymity for different k.

27

ACCEPTED MANUSCRIPT

6.2. Simulation Results of Static Systems Figure 7 shows the system anonymity with the respect to the percentage of compromised tags in the case of k = 2. Clearly, RSLA and RSGA, which use a random walking over a data structure, outperform the other protocols. The

CR IP T

605

anonymity of RSGA is higher than RSLA by 5% ∼ 10% when the percentage of compromised tags is between 20% and 60%. This is because the correlation

probability of RSGA is much smaller than that of RSLA. Hence, RSGA provides

the strongest privacy protection mechanism against the compromised attack. 610

When the percentage of compromised tags is less than 20%, significant difference

AN US

between RSGA and RSLA is not observed when k = 2. However, as we will show later, RSGA outperforms RSLA for k ≥ 4.

Figures 8 and 9 demonstrate the system anonymity of RSLA and RSGA with respect to the balancing factor. Since tags have small memory to store keys, and 615

thus, the number of levels of a tree/skip lists/a skip graph is limited. Hence, the balancing factor must be set to be large to support more tags. However, the

M

larger balancing factor causes lower system anonymity as presented in [9]. In fact, as shown in 8 and 9, the system anonymity of RSLA decreases as the value

620

ED

of k increases. On the other hand, the proposed RSGA still preserves higher anonymity even when k = 16. Therefore, RSGA can scale an RFID system in keeping with higher system anonymity, which is one of the most significant

PT

advantages of RSGA over the existing solutions.

Authentication time

140

0.8

AC

CE

System anonymity

1

0.6 0.4

RSLA:Nc=256 RSLA:Nc=512 RSGA:Nc=256 RSGA:Nc=512

0.2 0

2

4

8

16

Balancing factors

120 100 80

Tree AnonPri RSLA RSGA RSGA w/ PP

60 40 20 0

256

512

1024

2048

4096

8192

Number of tags

Figure 9: System anonymity for different k.

Figure 10: Authentication speed.

Figure 10 presents the authentication speed with respect to the number of 28

ACCEPTED MANUSCRIPT

tags. AnonPri incurs the slowest authentication speed, since it does not run 625

in a logarithmic order. The tree-based, RSLA, and RSGA result in similar performance. This is because all of them run in O(logk N ). Although RSGA

CR IP T

w/ PP runs in a logarithmic order, the average authentication time is much smaller than logk N . In fact, as shown in the figure, RSGA w/ PP achieves the shortest authentication speed by using shortcuts. Note that the tree-based and 630

RSLA cannot benefit the path pruning algorithm as discussed in Section 4.5.

Figure 11 illustrates the storage cost in terms of the number of unique keys and group keys in the system. RSGA incurs the most key storage cost among the

AN US

existing solutions. To be specific, the key storage cost of RSGA is O(N logk N ), while that of the others is O(N ). However, as shown in the figure, the additional 635

storage cost in RSGA is not that significant compared with the others. We claim that unique keys and group keys are maintained in the back-end server which has enough data storage, and therefore, the additional key storage cost never

M

discourages the deployment of the proposed RSGA. 6.3. Simulation Results of Dynamic Systems

Figure 12 depicts the anonymity of the RFID system in a dynamic scenario

ED

640

for different protocols with respect to the percentage of compromised tags. In this setting, the balancing factor is set to be k = 2. Note that AnonPri is

PT

excluded because it does not provide a key updating mechanism. Compared with SPA (a tree-based protocol), RSGA and RSLA provides much higher system 645

anonymity. This is because RSGA and RSLA randomized key structure. Unlike

CE

to the one in a static environment shown in Figure 7, the difference between RSGA and RSLA is not significant when k = 2. However, again we claim

AC

that RSGA results in much higher system anonymity for k ≥ 4 in a dynamic environment.

650

Figures 13 and 14 illuminate the system anonymity in a dynamic scenario

for different protocols with respect to the balancing factor. Similar to the static scenario, the system anonymity of RSLA decreases in proportion to the balancing factor. On the other hand, the proposed RSGA maintains high system 29

ACCEPTED MANUSCRIPT

anonymity for large value of k. Particularly, when k = 16 and Nc = 512 in Fig655

ure 9, RSGA presents significant improvement compared with RSLA. Therefore, our RSGA can scale up the RFID system without sacrificing the degree of pri-

256

512

System anonymity

Figure 11: Storage cost.

0.6

SPA RSLA RSGA

0.4 0.2

1

5

10

50

90

Percentage of compromised tags (%)

Figure 12: System anonymity.

1

RSLA:Nc=64 RSLA:Nc=128 RSGA:Nc=64 RSGA:Nc=128

0.6 0.4 0.2

2

M

0.8

ED

System anonymity

1

0.8

0

1024 2048 4096 8192 16384

Number of tags

0

CR IP T

1

Tree AnonPri RSLA RSGA

AN US

1010 9 10 8 10 7 10 6 10 5 10 4 10 3 10 2 10 1 10 100

4

8

16

Balancing factors

System anonymity

Key storage cost

vacy.

0.8 0.6 0.4

RSLA:Nc=256 RSLA:Nc=512 RSGA:Nc=256 RSGA:Nc=512

0.2 0

2

4

8

16

Balancing factors

PT

Figure 13: System anonymity for different k.

Figure 14: System anonymity for different k.

CE

7. Conclusion

In this paper, we seek to preserve higher anonymity of a large-scale RFID

system under various attacks, including eavesdropping and the compromise at-

AC

660

tack. To this end, we propose Randomized Skip Graph-Based Authentication (RSGA) where one of the advanced data structures, called a skip graph, is employed to maintain unique and group keys. The key idea of RSGA is the randomization at each level and dependency among different levels of the skip

665

graph. In the proposed scheme, the replies from two different tags are never 30

ACCEPTED MANUSCRIPT

distinguishable unless they have exactly the same group keys at all the levels, and the analysis shows that the correlation probability of our RSGA is much smaller than any of the existing protocols. The proposed RSGA is augmented

670

CR IP T

by a key updating algorithm to adopt to a dynamic environment. In addition, we propose a path pruning algorithm to further facilitate the singulation process

by taking a shortcut from an internal node to the corresponding node of a tag in a skip graph. By analysis, we derive the correlation probability of RSGA as

well as that of existing solutions. Furthermore, the key storage cost in terms of the number of keys stored at the back-end server as well as at individual tags is

analyzed. Moreover, the number of gates required by tags are quantified. The

AN US

675

performance evaluation by computer simulations demonstrates that our RSGA achieves the highest anonymity among the existing tree-based, group-based, and skip lists-based protocols in keeping with reasonable storage cost.

680

M

References

[1] Y. Li, R. H. Deng, J. Lai, C. Ma, On two RFID privacy notions and their

ED

relations, ACM Trans. Inf. Syst. Secur. 14 (4) (2011) Article No. 30. [2] S. A. Weis, Security and Privacy in Radio-Frequency Identification Devices, Master Thesis, MIT.

PT

[3] M. E. Hoque, F. Rahman, S. I. Ahamed, AnonPri: An Efficient Anonymous Private Authentication Protocol, in: PerCom, 2011, pp. 102–110.

685

CE

[4] D. Molnar, D. Wagner, Privacy and Security in Library RFID Issues, Practices, and Architectures, in: CCS, 2004, pp. 210–219.

AC

[5] L. Lu, J. Han, L. Hu, Y. Liu, L. M. Ni, Dynamic Key-Updating: Privacy-

690

Preserving Authentication for RFID Systems, in: PerCom, 2007, pp. 13–22.

[6] Q. Yao, Q. Qi, J. Han, J. Z. X. Li, Y. Liu, Randomized RFID Private Authentication, in: PerCom, 2009, pp. 1–10.

31

ACCEPTED MANUSCRIPT

[7] L. Lu, J. Han, R. Xiao, Y. Liu, ACTION: Breaking the Privacy Barrier for RFID Systems, in: Infocom, 2009, pp. 1951–1961. [8] K. Sakai, M.-T. Sun, W.-S. Ku, T. H. Lai, Randomized Skip Lists-Based

pp. 277–280.

CR IP T

Private Authentication for Large-Scale RFID Systems, in: Mobihoc, 2013,

695

[9] M.-T. Sun, K. Sakai, W.-S. Ku, T. H. Lai, A. V. Vasilakos, Private and Secure Tag Access for Large-Scale RFID Systems, IEEE Trans. Dependable Secur. Comput. 13 (6) (2016) 657–671.

[10] J. Aspnes, G. Shah, Skip Graphs, ACM Trans. Algorithms 3 (37).

AN US

700

[11] Y. Komori, K. Sakai, S. Fukumoto, Randomized Skip Graph-Based Authentication for Large-Scale RFID Systems, in: WASA, Vol. 9798, 2016, pp. 1–12.

[12] J. Myung, W. Lee, J. Srivastava, T. K. Shih, Tag-Splitting: Adaptive

M

Collision Arbitration Protocols for RFID Tag Identification, IEEE Trans.

705

ED

Parallel Distrib. Syst. 18 (6) (2007) 763–775. [13] S. A. Weis, S. E. Sarma, R. L. Rivest, D. W. Engels, Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems, in: SPC,

710

PT

2003, pp. 201–212.

[14] A. Czeskis, K. Koscher, J. R. Smith, T. Kohno, RFIDs and Secret Hand-

CE

shakes: Defending against Ghost-and-Leech Attacks and Unauthorized Reads with Context-Aware Communications, in: CCS, 2008, pp. 479–490.

AC

[15] N. Saxena, M. B. Uddin, J. Voris, N. Asokan, Vibrate-to-Unlock: Mobile

715

Phone Assisted User Authentication to Multiple Personal RFID Tags, in: PerCom, 2011, pp. 181–188.

[16] K. Sakai, W.-S. Ku, R. Zimmermann, M.-T. Sun, Dynamic Bit Encoding for Privacy Protection Against Correlation Attacks in RFID Backward Channel, IEEE Transactions on Computers 62 (1) (2013) 112–123. 32

ACCEPTED MANUSCRIPT

[17] K. Sakai, M.-T. Sun, W.-S. Ku, T. H. Lai, A Novel Coding Scheme for Secure Communications in Distributed RFID Systems, IEEE Trans. Comput.

720

65 (2) (2016) 409–421.

CR IP T

[18] W. Choi, M. Yoon, B.-H. Roh, Backward Channel Protection Based on Randomized Tree-Walking Algorithm and Its Analysis for Securing RFID

Tag Information and Privacy, IEICE Transactions 91-B (1) (2008) 172–182. 725

[19] Y. Komori, K. Sakai, S. Fukumoto, RFID Grouping Protocol Made Private, in: DSN, 2017, pp. 105–106.

AN US

[20] M. Chen, J. Liu, S. Chen, Y. Qiao, Y. Zheng, DBF: A General Framework for Anomaly Detection in RFID Systems, in: INFOCOM, 2017. [21] X. Liu, X. Xie, K. Li, B. Xiao, H. Q. J. Wu, D. Lu, An Additive Model as a Physical Basis for Shadow Fading, IEEE/ACM Trans. Netw. 25 (1)

730

(2017) 278–291.

M

[22] F. Rahman, M. E. Hoque, S. I. Ahamed, Anonpri: A secure anonymous private authentication protocol for RFID systems, Information Sciences 379

735

ED

(2017) 195–210.

[23] M. Chen, S. Chen, ETAP: Enable Lightweight Anonymous RFID Authen-

PT

tication with O(1) Overhead, in: ICNP, 2015, pp. 267–278. [24] M. Chen, S. Chen, Y. Fang, Lightweight Anonymous Authentication Pro-

CE

tocols for RFID Systems, IEEE/ACM Trans. Netw. [25] H. Luo, G. Wen, J. Su, Z. Huang, SLAP: Succinct and Lightweight Authentication Protocol for low-cost RFID system, Wireless Netw. 23 (2016)

AC

740

1–10.

[26] EPCglobal, EPC Radio-Frequency Identity Protocols Class-1 Generation2 UHF RFID Protocol for Communications at 860MHz-960MHz version 2.0.0., 2013.

33

ACCEPTED MANUSCRIPT

745

[27] M. S. Farash, O. Nawaz, K. Mahmood, S. A. Chaudhry, M. K. Khan, A Provably Secure RFID Authentication Protocol Based on Elliptic Curve for Healthcare Environments, J. Med. Syst. 40 (7) (2016) 165.

CR IP T

[28] Z. Zhang, Q. Qi, An Efficient RFID Authentication Protocol To Enhance Patient Medication Safety Using Elliptic Curve Cryptography, J. Med. Syst. 38 (5) (2014) 47.

750

[29] P. Gope, R. Amin, S. H. Islam, N. Kumar, V. K. Bhalla, Lightweight and Privacy-Preserving RFID Authentication Scheme for Distributed IoT

AN US

Infrastructure With Secure Localization Services For Smart City Environment, Future Generation Computer Systems, 2017, in press. 755

[30] A. Poschmann, G. Leander, K. Schramm, C. Paar, New Light-Weight Crypto Algorithms for RFID, in: ISCAS, 2007, pp. 1843–1846. [31] P. Jappinen, F. Lappeenranta, Probabilistic Authentication with Very

M

Lightweight Short Hash, in: ICS, 2012, pp. 539–543.

[32] Y. Zhang, L. T. Yang, J. Chen, RFID and Sensor Networks: Architectures, Protocols, Security, and Integrations, CRC Press, 2009.

ED

760

[33] J. Salo, L. Vuokko, H. M. El-Sallabi, P. Vainikainen, An Additive Model

PT

as a Physical Basis for Shadow Fading, IEEE Trans. Veh. Technol. 56 (1) (2007) 13–26.

CE

[34] Y. Oda, R. Tsuchihashi, K. Tsunekawa, M. Hata, Measured Path Loss and Multipath Propagation Characteristics in UHF and Microwave Frequency

765

AC

Bands for Urban Mobile Communications, in: IEEE VTC-Spring, 2001.

[35] T. Chrysikos, S. Kotsopoulos, Characterization of Large-Scale Fading for the 2.4 GHz Channel in Obstacle-Dense Indoor Propagation Topologies, in: IEEE VTC-Fall, 2012.

34