Computer Networks 122 (2017) 70–82 Contents lists available at ScienceDirect Computer Networks journal homepage: www.elsevier.com/locate/comnet A secure search protocol for low cost passive RFID tags Saravanan Sundaresan a, Robin Doss a,∗, Selwyn Piramuthu b, Wanlei Zhou a a b School of Information Technology, Deakin University, Australia Information & Operations Management, University of Florida, USA a r t i c l e i n f o Article history: Received 12 July 2016 Revised March 2017 Accepted April 2017 Available online 18 April 2017 Keywords: RFID secure search EPC C1G2 passive tags Security protocols a b s t r a c t We propose a secure RFID tag search protocol that ensures the security and privacy of the tags being searched To our knowledge, not much work has been done in this area of RFID systems Further, most of the current methods not comply with the EPC standard as they use expensive hash operations or encryption schemes that cannot be implemented on resource-constrained, low-cost passive tags Our work aims to fill this gap by proposing a protocol based on quadratic residues which requires the tags to perform only simple XOR, MOD and 128 bit PRNG operations, thus achieving compliance with EPC standards Our protocol also addresses the vulnerabilities in the protocol proposed by Sundaresan et al (2012) [1] which is not forward secure, and the weak message construction leading to incorrect tag authentication We present a detailed security analysis to show that the proposed method achieves the required security properties and the simulation results show that the proposed method is scalable © 2017 Elsevier B.V All rights reserved Introduction RFID applications span a wide variety of applications that include close physical proximity readers (e.g., Near Field Communications[NFC] applications), tags that initiate conversations (e.g., active tags), tags that have associated sensors (e.g., semi-passive tags with sensors that measure temperature, pressure, light, etc.), tags that cannot initiate conversations (e.g., passive tags), among others Unlike NFC (Near Field Communication) applications where the involved reader(s) read one (or less than a handful at most) RFID tag(s), a majority of other RFID applications necessarily involve readers with simultaneous access to several (e.g., dozens, hundreds) tags While such a setup does not work in bar code applications, RFID systems routinely simultaneously scan several dozen RFID tags to locate the one of interest Such applications are common in retail store as well as warehouse applications While the functionality of such RFID tag searches cannot be argued, there exist associated privacy and security concerns with specific emphasis on tracking RFID-tagged items For example, an adversary with the ability to eavesdrop on the communication between tag and reader is able to track that tagged object with a significantly high level of probability even though the tag’s identity may be unknown to this adversary In the worst case scenario, the adversary may decipher enough information from such communication to be able to clone or impersonate the tag Any com- ∗ Corresponding author E-mail address: robin.doss@deakin.edu.au (R Doss) http://dx.doi.org/10.1016/j.comnet.2017.04.013 1389-1286/© 2017 Elsevier B.V All rights reserved munication between trusted readers and tags opens up the avenue for vulnerabilities such that the very act of replying to a query can be used to identify a tag [2] For example, based on the communicated message signature (e.g., passports from different countries) alone, an adversary has enough information (here, the nationality associated with a given passport) to be able to misuse (e.g., mount an attack on the RFID-tagged item holder) that information It is therefore paramount to ensure that the protocols that are used in these RFID tag searches by readers are secure 1.1 Motivation Given that RFID tags are extremely resource-constrained devices, security and privacy concerns need to be addressed under these hard constraints with respect to processing power and storage capacity Clearly, relatively expensive computations (e.g., the use of hash functions) can be prohibitive in basic (passive) RFID tag applications An overwhelming majority of proposed methods in extant literature not comply with the EPC standard for passive RFID tags since they use hash functions that require 8–10K gates [3] However, low-cost passive tags can only accommodate roughly about 2.5 − 4.5K gates to implement security features [3– 5], and this amount is also insufficient for standard cryptographic techniques such as RSA [6] Although cheaper cryptographic alternatives such as Elliptic Curve Cryptography (ECC) exist [7], the practical implementation of ECC on low cost RFID tags taking into account tag cost, gate count and power consumption and is still an open research problem [8] As illustrated by Batina et al [9] and Lee et al [10], implementation of ECC would require between 8.2K S Sundaresan et al / Computer Networks 122 (2017) 70–82 and 15K equivalent gates Complex encryption schemes such as AES take up to 3400 gates as seen in [11] and are very slow Physically Unclonable Functions (PUF) and and Linear Feedback Shift Registers (LFSR) based hash-functions require 1400 gates, but they are difficult to analyze since they are influenced by the physical environment [12] Also, another major drawback of PUF is that it can produce fluctuating results based on the operating conditions [3] Thus, the large-scale implementation of PUF also remains an open research problem The EPC standards (including EPC G2v2) suggest the use of 16 bit Cyclic Redundancy Check (CRC) and 16 bit Pseudo Random Number Generators (PRNG) for security operations in passive tags However, CRC suffers from linearity-related issues while a 16-bit PRNG is not secure and vulnerable to a brute-force attack Therefore, there is a need for the use of more secure primitives For instance, Lee and Hong [13] have proposed an authentication protocol for passive tags using 128 bit PRNG with 1435 gates (within 517 clock cycles and 64B memory) and Sundaresan et al [14] have proposed a grouping proof protocol using 128bit PRNG The 128bit PRNG in [13] utilizes a Self-Shrinking Generator (SSG) based on a Linear Feedback Shift Register (LFSR), an algorithm designed by Meier and Staffelback [15] Improved versions of SSG by MolinaGil et al [16] resolve the linearity issues in SSG; Tasheva et al [17] prove that PRNG can resist exhaustive search and entropy attacks and Burmester et al [18] show that PRNG is resistant to active attacks such as online man-in-the-middle relay attacks Our protocol is based on Quadratic Residues (QR) which uses 128 bit PRNG and modular (MOD) operations The strength of the PRNG is an added advantage to QR, as the latter guarantees that an attacker cannot decipher the messages without the knowledge of the prime numbers that only the server knows Hence, from a security perspective the use of QR is well supported Modular squaring takes only a few hundred gates [19,20] and with 1.5K gates for the 128 bit PRNG, our protocol can be implemented in less than 2.5K gates, which is a significant advantage considering the limitations of the passive tags Our protocol achieves EPC compliance since no hash functions or other complex encryption schemes are used which makes the scheme practical 1.2 Security properties fulfilled by our scheme Our protocol offers the following security properties based on [21–26] • Tag/Reader anonymity: The protocol protects against information leakage that can lead to disclosure of a tag’s/reader’s real identifier This is important as otherwise an attacker may be able to clone a valid tag/reader • Tag/Reader location privacy: The protocol ensures that the message contents are sufficiently randomized so they cannot be used to track the tag’s/reader’s location(s) and thereby glean social information about the wearer of the tag/reader • Forward secrecy: The protocol ensures that on compromise of the internal secrets of the tag, its previous communications cannot be decrypted by the attacker This requires that previous messages are not dependent on current resident data on the tag • Replay attacks: The protocol resists compromise by an attacker through the replay of messages that have been collected by an attacker during previous protocol sequences This requires that messages in each round of the protocol are unique • Denial of service (DoS): The protocol can recover from incomplete protocol sequences that can occur due to an attacker selectively blocking messages Importantly, such blocking of messages by an attacker does not lead to desynchronization between the tag and the servers 71 • Reader/Tag/Server impersonation Attack: Since the protocol is serverless, server impersonation attack is not applicable in this scenario The protocol ensures that the tag cannot be impersonated by an attacker to the reader (and vice versa) This requires that the reader challenges the tag, to prove its legitimacy and the tag does the same to the reader The main contributions of this paper include: • A novel approach to secure search in RFID systems based on quadratic residues and in conformance to EPC standard As noted by Burmester et al [27] and Chen et al [28], quadratic residues can be implemented on low-cost RFID tags by replacing modular squaring with integer squaring which results in a circuit complexity of less than 10 0 gates • A secure search protocol that fixes the forward secrecy in the protocol proposed by Sundaresan et al [1] and addresses the weak message construction issue (owing to the limitations of the XOR operation), that could potentially lead to incorrect tag authentication • A secure search protocol that does not use hash functions or expensive encryption functions, making it a viable option for large-scale implementations on low-cost passive tags Also, the protocol is suitable for mobile RFID readers and environments as we not make any secure channel assumptions between the reader and the server The remainder of the paper is organized as follows Section covers related work in the secure search area The protocols are briefly described and vulnerabilities (if any) are identified Section provides detailed description of the proposed protocol Section discusses the security analysis of the proposed protocol and Section concludes the paper Related work While there has been a significant amount of work done in the areas of RFID mutual authentication [29] and tag ownership/delegation [30], it is not the case for secure search Tag search being an important functionality, there is a need to provide security and privacy In order to achieve this, a tag should authenticate the reader before replying and the reader should also ensure that only legitimate tags understand and respond to the query [31] Further, an adversary should be prevented from learning the contents of the query and the query response As noted in [2], the problem statement can be simply put as: readers want to query authenticated tags but tags will only respond to authenticated readers Huang and Shieh [32] propose a secret search protocol which solves the privacy problem by offering a search mechanism over encrypted data The protocol conducts search directly on ciphertexts without the need to decrypt them, giving enhanced performance In the event a reader is compromised, it enables the adversary to recover all the private information But, if the tags are notified that a reader was compromised, the tags can choose a new random number to update the original ciphertext Then, the tag has to notify all but the compromised readers to update their ciphertexts using the new random number The main drawback of this protocol is that it uses one-way hash functions and hence is not compliant with the EPC standard Won et al [33] propose a search protocol utilizing AES-128 block cipher and timestamp and without using a central database The authors claim that the timestamp generated by a portable reader prevents illegal tag-tracking by an adversary The protocol also protects a portable reader’s privacy even in an insecure channel by encrypting the Reader ID using AES-128 block-cipher It is also noted that tags cannot be cloned without the knowledge of their secret keys Also, as there are no shared secret values between the reader and the tag, DoS 72 S Sundaresan et al / Computer Networks 122 (2017) 70–82 and de-synchronization attacks are implicitly prevented However, the protocol is not compliant with the EPC standard as low-cost passive tags cannot support complex encryption schemes such as AES, which takes roughly 3400 gates [11] Tan et al [34] propose a serverless secure search protocol considering the security for both the reader and the tag As stated earlier, the very act of replying to a query can be used to identify a tag The authors suggest different solutions to handle the problem such as forcing the reader to use different random numbers for each new query and have the tag store the list of random numbers used in earlier queries If the tag recognizes an already used random number it ignores the query We note that this has severe limitations such as high storage requirements on the tag side Another solution is to have all the tags that match the first m bits of the id respond to the query This will generate multiple responses for a single query but this solution does not suit well if the tag IDs are structured (first few bits denoting the product code, next few bits the tag origin and so on) The last solution is the use of noise tags (also suggested by Zuo [35]) where each tag receiving the query will have some probability (λ, which is pre-determined) of replying the query even if the query is not intended for that tag Won et al [33] has shown that scheme does not completely solve the illegal tag tracking problem and also does not consider a reader holder’s privacy We note that the reader sends its unique reader ID in clear text to the tags over an insecure channel since the tags need the ID for verification An attacker eavesdropping on a particular reader will be able to track the locations of the reader thereby compromising the location privacy of the reader and its holder Kim et al [36] propose a serverless search protocol by providing the readers with unique access list with a group of tags that they are authorized to search A vulnerability noted by the authors in this protocol is that the tags should send their group identity to a querying reader Also, the tags reply to a search query for a specific group Thus, a simple eavesdropping leads to knowing the group identity of the tags The suggestion made to group all tags equally over the entire service area introduces another problem as discussed by the authors There is a trade-off between the tag anonymity and the reader anonymity based on the number of groups If the number of groups is few, the tag anonymity is well satisfied because many tags exist in one group but this violates the reader anonymity since the reader can use only a few pseudonyms which is the same with the number of groups If the number of groups is large, then reader anonymity is achieved but tag anonymity is violated since the number of tags in a group is small We further note that broadcasting group-IDs and also the pseudonyms in the clear is not advisable since these two pieces of information are vital to providing security to the tags and the readers Also, tags seem to simply respond to the query without authenticating the reader, whereby an eavesdropper can simply capture the messages, impersonate a reader and replay the messages to compromise tag location privacy Zuo [35] proposes a similar secure search protocol using a pseudo-random function with a seed and one-way hash function The protocol uses noise tags as described above to make the normal tag’s response indistinguishable from that of the noise tags The reader only needs to decrypt the first part of the response to see if it is coming from a normal tag or the noise tag This reduces the computational load of the reader A significant weakness in the protocol is that the reader stores all tag IDs The portable and mobile nature of a reader increases the likelihood of it being stolen [2] An attacker with a stolen reader will have access to all the information in the reader including the secrets and in this case the tag IDs as well, leading to tag cloning attack Kulseng et al [3] propose a secure search protocol that is based on PUF and LFSR which is shown to be vulnerable to tracking and desynchronization at- tack [37] Some of the advantages of using a PUF circuit in low-cost RFID system are: a) 64-bit PUF can be implemented using only 545 gates, b) two PUFs are highly unlikely to produce the same output given the same input, and c) the output is not produced by a mathematical function and so it cannot be calculated or predicted But the drawbacks of PUF mentioned in Section 1.1 prevents the largescale implementation in passive tags Chun et al [38] proposed a search protocol for based on symmetric encryption but it has been shown to be vulnerable to DoS attack by Yoon [39] Other search protocols such as [40–43] are not compliant with EPC standard due to the use of hash functions or other complex encryption schemes on the tag Mtita et al [44] develop two mutual authentication and tag search protocols where each reader is allocated a set of tags by the server through a secure initialization process The authors claim that their protocols require low computational resources and that the reader and tags not share any secrets However, the server does share temporary identifiers and keys of tags along with their access rights with a reader These are indeed shared by the reader, tag, and the server Both the mutual authentication and tag search protocols they develop involve the use of hash functions (HMAC) and are therefore not EPC compliant Both these protocols are also vulnerable to DoS and de-synchronization attacks as an adversary can block the last message and prevent key update by tag and reader respectively in the mutual authentication and tag search protocols The tag search protocols presented in Zheng and Li [45] use Bloom filter and hash function to identify the ‘wanted’ tags among a set of tags that are in the field of the reader Chen et al [46] also make use of Bloom filter but in an iterative manner to identify wanted tags from unwanted tags in the field of the reader Both the reader and tags use hashed functions to determine the bit to check to see if it is a candidate (i.e., wanted tag) Several authors use the framed slotted Aloha protocol as a part of their method For example, Shahzad and Liu [47] estimate the size of a given tag population using single as well as multiple readers with the standardized framed slotted Aloha protocol The reader broadcasts the available number of time slots, which is then hashed by each tag to choose a slot to respond The average number of runs in the response is used in the proposed method Shahzad and Liu [48] develop a variant of Tree Walking for tag identification with the use of framed slotted Aloha for tag population size estimation They attempt to minimize the expected number of queries as well as the expected identification time It should be noted that both [47] and [48] not search for specific tags but rather perform the preliminary step of estimating the number of tags in the field of the reader(s) Gong et al [49] use the framed slotted Aloha method but with an index where the tags probabilistically decide whether or not to participate and then generate a hash function value to determine the slot number for response to reader Instead of focusing on time efficiency alone, Zhang et al [50] use the framed slotted Aloha protocol and consider energy efficiency as well during tag search with minimal data exchange between tag and reader Wang et al [51] propose a method to track slow-moving mobile RFID tags using phase periodicity They also use carrier phase measurement in GPS to track unknown trajectory of mobile RFID tags Sasagawa et al [52] develop a system that finds indoor tagged items based on their distance from the reader and Received Signal Strength Indicator (RSSI) They use an undirected graph to model the distance between RFID tagged items in a given indoor location The edge-length in the graph is proportional to the distance between the tagged items of interest as represented by their nodes in the graph S Sundaresan et al / Computer Networks 122 (2017) 70–82 2.1 Vulnerability in Sundaresan et al.’s protocol Sundaresan et al [1] proposed a secure search protocol based on quadratic residues The protocol is not forward secure In flow of the protocol, the reader generates a random number rr which is hidden in the message y as y = rts j id j rr This hides the random number in this step but in flow 3, the reader sends rr in the clear along with the other messages An adversary eavesdropping the channels can capture the messages x, y from flow and rr from flow This defeats the purpose of hiding the random number in flow and enables the attacker to track the previous communication of the tag in conjunction with a physical tampering of the tag Once the tag is tampered, the adversary gets rts, rts−1 Using y and rr captured in the previous round and rts−1 from the tampered tag, he can compute y rr rts−1 which is rr rts j id j rr rts−1 Since y is from the previous round, rts would be equal to rts−1 and hence reveals id Hence, the protocol is not forward secure Further, the equality check used by the tag to verify if x = z can result in incorrect tag authentication As an example, x = id P RNG(rts j rr ) and x = P RNG(rts j rr ) id will result in the same value but the operands are not the same in the operation An attacker could exploit the weakness of this construction and could potentially substitute one or both the operands with an arbitrary value but still resulting in a valid x The x = z verification in the tag would be successful even though the values in the operands are not correct Our proposed protocol addresses both the forward security issue and the equality check weakness in [1] 73 Table Symbol notations Notation Description S, R, T AL TID, h(TID) RID, h(RID) ts Represents Server, Reader and Tag respectively Access List for the Reader Unique Tag ID and hash value of TID Unique Reader ID and hash value of RID Secret key unique for each tag in the system, used to generate id = h(T ID, ts ); known only to the server Random number generated by server and previous value of s Four large prime numbers generated by server m = g · h stored in reader and n = p · q stored in the tag Number of readers that can access a tag Number of tags a reader is authorized to search Computed as RT ID = h (T ID ) s Computed as R−1 = h (T ID ) s−1 T ID Shared secret between reader and a tag; previous value of rts Random numbers generated by the reader Random number generated by the tag Current and max value for counter Probability that a tag replies if query is not for that tag Exclusive-OR Function (XOR) and Concatenation of two values s, s−1 p, q, g, h m, n k l RTID R−1 T ID rts, rts−1 rr , δ tr ctr, cmax λ , x2 , and if a solution exists for (x2 )2 = R mod n, it is clear that the solution is required to be a perfect square (x2 ) However, of the four possible solutions (obtained using the Chinese Remainder theorem) only one of those would be a quadratic residue modulo n satisfying x2 = R mod n [53] The proposed protocol We now present our proposed protocol that is based on quadratic residues using simple MOD, XOR and 128 bit PRNG operations To provide additional security, a blind-factor is used where necessary to hide the random numbers The scheme is designed to conform with the EPC standard (v2.0.1) and the associated ISO/IEC 29,167 since we not employ any complex encryption schemes or hash functions while meeting the necessary security requirements and is designed to be executed as part of the inventory operations of the reader over a selected tag population The protocol assumes that the channel between the reader and server is insecure in addition to the reader-tag channel being insecure The protocol has two phases In the first phase, the back-end server initializes the tags and the readers with the necessary information such as IDs, private/shared secrets and so on The second phase is the search phase, where the search is conducted using the proposed protocol Table describes the notations that are used in the proposed protocol Note: The protocol is currently designed for cases where the server can participate in the authentication process But the computational power of the RFID readers makes it possible for it to solve the quadratic residues Hence the operations done by the server can be shifted to the reader with much ease which would enable it perform offline search Our future work includes a protocol design to include this scenario 3.1 The quadratic residue property For a positive integer n, R is its quadratic residue if the congruence x2 = R mod n (where < x < n) has a solution Suppose that n = pq where p and q are distinct large primes and that the congruence x2 = R mod n has a solution x = xo From the Chinese Remainder Theorem there are exactly four incongruent solutions of the congruence x2 = R mod n (i.e., R has four incongruent square roots modulo n) Knowledge of p and q is required to compute these solutions Due to the difficulty of factoring n it is computationally infeasible to find x satisfying x2 = R mod n without knowing p and q [28,53] Without loss of generality, if x is replaced with 3.2 Setup phase The setup phase is assumed to occur in a secure environment After authenticating the reader R, the server S feeds the reader with an access list AL which is a list of tags that it is authorized to search The reader does not know the secrets of the tag or the tag ID itself It only stores the outcome of h(TID, ts ) The server S also establishes the shared secret rts between the reader and each tag that the reader is authorized to search The reader also stores m, which is the product of g and h and the hashed form of the reader-ID h(RID) The tag stores the hashed form of tag ID h(TID); id = h(T ID, ts ); the random number s; n which is the product of p and q and the current and previous shared reader-tag secrets rts and rts−1 for each reader Note that the tag stores the precomputed hashed form of the tag ID and does not perform the hash function by itself The server stores TID, h(TID), RID, h(RID), ts ; prime numbers p, q, g, h; current and previous server-tag shared secret s, s−1 ; RT ID = h(T ID ) s and R−1 = h(T ID ) s−1 The server T ID also stores two variables ctr and cmax for each tag-reader pair to keep track of the number of searches performed by the reader The ctr variable is initialized to at the start and after each successful search it is incremented by The cmax variable is set to the desired number of allowed searches Once ctr reaches cmax the reader has to renew the search authorization from the server again The access list AL for the reader and the tag data TD for k readers are represented in the following two arrays as: ⎡ h(T ID1 , ts1 ) ⎢h(T ID2 , ts2 ) ⎢ AL = ⎢ ⎢ ⎣ h(T ID , ts ) : id1 : id2 : : id ⎤ ⎥ ⎥ ⎥ ⎥ ⎦ 74 S Sundaresan et al / Computer Networks 122 (2017) 70–82 Fig Proposed secure search protocol based on quadratic residues ⎡ id = h(T ID, ts ) s Readers : rts1 rts2 rtsk rts−1 rts−1 rts−1 k ⎢ ⎢ ⎢ ⎢ ⎢ TD = ⎢ ⎢ ⎢ ⎢ ⎣ n ⎤ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎦ 3.3 Secure search phase Once the reader is loaded with AL, it can start sending queries to the tags that it is authorized to search for The server participates actively in authenticating the different entities involved in the communication The workings of the protocol is shown in Fig The secure search phase consists of six steps Step 1: Reader → Tag (a) Reader generates a random number rr (b) It then computes x = id j P RNG(rts j P RNG(id j rts j ) rr rr ) and y= (c) x and y are broadcast as the search query to all the tags in its field Step 2: Tag ← Reader (All tags receiving the messages perform the following:) (a) The random number rr is extracted using y and the stored id, rts as PRNG(id rts) y → rr (b) The tag checks if id = x P RNG(rts rr ) By using its stored id and rts and the received x, if the tag is able to exactly match its id then it can be sure of the authenticity of the reader This is where the weakness in [1] is fixed Further, this confirms to the tag that the query is for itself in which case it performs the following: i Tag generates a random number tr ii It then computes α = h(T ID ) rr s tr ; α = α mod n; α = (α )2 mod n Note: h(TID) is stored in the tag during the setup phase and not computed by the tag iii Similarly tr is computed as tr = (tr2 )2 mod n (c) If the above check fails, the tag restarts this step using rts−1 If both rts and rts−1 not return a valid id, then the tag responds with a probability of λ This is done to accomplish tag location privacy and to prevent an adversary from being S Sundaresan et al / Computer Networks 122 (2017) 70–82 be able to distinguish between the real tag’s reply and the noise replies (d) If id was matched using rts then update rts−1 ← rts and rts ← PRNG(rts) (e) The tag then sends back α and tr to the reader Step 3: Once the reader receives the response from the tag it performs the following: (a) Reader generates a random number δ (b) It then computes μ = h(RID ) rr δ ; μ = μ2 mod m; μ = (μ2 )2 mod m (c) Similarly, δ and rr are computed as δ = (δ )2 mod m and rr = (rr2 )2 mod m By computing rr , the forward security issue in [1] is fixed Even if the adversary captures the messages by eavesdropping, he still cannot compute rr without the knowledge of the factors of m (d) The reader then sends α , tr , μ , δ , rr to the server Step 4: When the server receives the messages from the reader it performs the following: (a) The server solves for μ, δ, rr using g, h (b) It then checks if the random number rr is reused If yes, the server aborts the process to prevent the replay attack Otherwise, the server stores rr in the database (c) The reader is validated by checking if h(RID ) = μ δ rr If the validation fails the server aborts the process Note: Because we use a modified form of the quadratic residue property (i.e., (x2 )2 mod n as opposed to x2 mod n), when solving for the quadratic residue, there will always be a unique solution and not solutions that satisfies the perfect square (x2 ) requirement Hence, the number of solutions that the server will need to compute is at most Due to the computational power of the server, this will not create any overhead (d) The server then checks if ctr has reached cmax If so, it means the reader has reached the pre-authorized number of search runs and has to go through the setup phase for obtaining further search rights The server responds with an appropriate error to the reader and exits the operation (e) Now, the server solves for α , tr using p and q and validates the tag by checking if α rr tr = RT ID or R−1 If the valiT ID dation fails the server aborts the process (f) If the tag is identified using RTID then it updates s−1 ← s and s ← PRNG(s) (g) The server then computes acknowledgment ACK = h(T ID ) tr P RNG(α R ) and ACK is computed as ACK = (ACK δ ) h ( μ ) (h) The server increments the ctr variable by and ACK is sent to the reader Step 5: Once the reader receives the messages from the server it performs the following: (a) The reader Verifies if δ is correct in ACK h(μ) by comparing with the least significant bits of ACK h(μ), where is the length of δ If δ does not match, it aborts the process Otherwise, it proves to the reader that the server is in possession of g, h the factors of m and hence the server is authenticated (b) The reader then extracts ACK as ACK = [ACK h(μ )] and updates rtsj as PRNG(rtsj ) (c) Finally, the reader then sends ACK to the tag Step 6: Once the tag receives the response back from the reader, it performs the following: (a) The tag verifies if ACK = h(T ID ) tr P RNG(α α ) If successful, it proves that the server is in possession of p, q and was able to solve for the unique quadratic residues of modulo n Hence the server is authenticated and by implication the reader is also authenticated Otherwise the tag aborts 75 Table GNY Logic - protocol messages and parser outputs Protocol messages Protocol parser output x, y α , tr α , tr , μ , δ , rr T ∗ (id PRNG(rts rr )), ∗ (PRNG(id rts) rr ) rr s tr )4 mod n), ∗ ((tr )4 mod n) R ∗ ((h(TID) rr δ )4 mod m), ∗ (δ S ∗ (α ), ∗(tr ), ∗ ((h(RID) mod m), ∗((rr2 )2 mod m ) tr PRNG(α R) δ ) h(μ)) R ∗ ((h(TID) h(μ)] ) T ∗ ([ACK ACK ACK the process Note that R on the server side and α on the tag side are the quadratic residues and are the same (b) As the last step in the process, the tag updates s as PRNG(s) Security analysis In this section, we present the security analysis of the proposed secure search protocol The security correctness of the proposed scheme is proved first followed by the privacy properties We use formal methods for this purpose 4.1 Security correctness GNY mechanism [54] enables a systematic way of understanding the working of cryptographic protocols It distinguishes between what one possesses and what one believes in Beliefs and possessions are monotonic within a given session and the only universal assumption made is that the principals P not reveal their secrets Also, principals are not assumed to be trustworthy and redundancy is always explicitly present in the encrypted messages The GNY model enables the expression of different trust levels and implicit conditions behind protocol steps We now verify the security correctness of our protocol using this method The two objectives are that the messages received by each entity came from a trusted source (belief) and that the messages are fresh The assumptions, security correctness goals and the security correctness proof are presented in Tables 2–5 The GNY postulates used to prove the security correctness is briefly explained here T1 is a Being-told Rule denoted by P X means that a principal P is being told of a formula X (ex:variable, constant, secret) P1 is a Possession Rule denoted by P X means “P possesses or is capable of possessing X” P2 is the second possession rule that states that if a principal P possesses two formulae then he is capable of possessing the formula constructed by concatenating the two formulae as well as a computationally feasible function F of them F1 is a Freshness Rule denoted by P |≡ #(x ) means “P believes in the freshness of X” I1 is an Interpretation Rule which states that: suppose for a principal P all of the following conditions hold: P receives a formula consisting of X encrypted with a key K and marked with a not-originated-here mark; P possesses K; P believes K is a suitable secret for himself and Q; P believes formula X is recognizable; P believes that K is fresh or that X is fresh - then, P is entitled to believe that: Q once conveyed X; Q once conveyed X encrypted with K; Q possesses K J1 is the Jurisdiction Rule which states that: If P believes that Q is an authority on some statement C and that Q believes in C, then P ought to believe in C 4.2 Privacy properties We study the security and privacy of the proposed scheme using the adversarial model proposed by Avoine [55] The notations used here are based on this model and is used to prove that the protocol meets the security requirements a) Existential-UNT-QSE - so that an adversary is never capable 76 S Sundaresan et al / Computer Networks 122 (2017) 70–82 Table GNY Logic - assumptions used in the analysis No Assumption notation Assumption description A1 A2 A3 A4 A5 A6 A7 A8 R rr R |≡ #rr R rts R |≡ #rts T tr T |≡ #tr T rts T |≡ #rts R R R R T T T T A9 R |≡ R ←→ T R believes rts is a suitable secret between itself and T A10 A11 A12 A13 A14 A15 A16 T |≡ T ←→ R T s T |≡ #s S s S |≡ #s R δ R |≡ #δ T believes rts is a suitable secret between itself and R T Possesses s T believes that s is fresh S Possesses s S believes that s is fresh R Possesses δ R believes that δ is fresh A17 T |≡ T ←→ S T believes ts is a suitable secret between itself and S A18 S |≡ S ←→ T S believes ts is a suitable secret between itself and T rts rts ts ts Possesses rr believes that Possesses rts believes that Possesses tr believes that Possesses rts believes that rr is fresh rts is fresh tr is fresh rts is fresh Table GNY Logic - security correctness goals No Goal notation Goal description G1 G2 G3 G4 G5 G6 G7 G8 G9 G10 G11 T |≡ R |∼ #(id PRNG(rts rr )) T |≡ R |∼ #(PRNG(id rts ) rr ) R |≡ T |∼ #((h (T ID ) rr s tr )4 mod n ) R |≡ T |∼ #((tr )4 mod n ) S |≡ R |∼ #((h (T ID ) rr s tr )4 mod n ) S |≡ R |∼ #((tr )4 mod n ) S |≡ R |∼ #((h (RID ) rr δ )4 mod m ) S |≡ R |∼ #(δ mod m ) S |≡ R |∼ #((rr2 )2 mod m ) R |≡ S |∼ #((h (T ID ) tr PRNG(α R ) δ ) T |≡ R |∼ #([ACK h (μ )] ) T believes R T believes R R believes T R believes T S believes R S believes R S believes R S believes R S believes R R believes S T believes R h (μ )) of tracking a tag by interacting with the tag and the reader, eavesdropping on the communications and b) Forward-UNT-QSER which means even by physically compromising a tag that reveals its internal secrets, an adversary is not able to decrypt its communications in the past Choosing this privacy model is motivated by the flexibility of Avoine’s model and the drawbacks associated with more recent models such as those proposed by Vaudney [56] and Hermans [57] as noted in [58] The means of an Adversary  over tag T and reader R is defined in terms of the oracles as defined in [55] In the below oracles, forward channel represents the transfer of messages from the reader to the tag and the backward channel represents the transfer of messages from the tag to the reader • Query(πTi , m1 , m3 ) - This query models  sending a request m1 to T through the forward channel and subsequently sends m3 after receiving its answer j • Send(πR , m2 ) - This query models  sending the message m2 to R through the backward channel j • Execute (πTi , πR ) - This query models  running an instance of P between T and R, and obtaining the messages exchanged in both the forward and backward channels j • Execute ∗ (πTi , πR ) - This query models  running an instance of P between T and R, and obtaining the messages exchanged in the forward channel only • Reveal (R) (πTi ) - This query models  obtaining the content of T’s memory channel which can be used only once such that Query (Q), Send (S), Execute (E) and Execute∗ (E∗ ) cannot be used any longer Theorem The proposed Existential-UNT-QSE secure search protocol P is conveyed conveyed conveyed conveyed conveyed conveyed conveyed conveyed conveyed conveyed conveyed #(id PRNG(rts rr )) #(PRNG(id rts ) rr ) #((h (T ID ) rr s tr )4 mod n ) #((tr )4 mod n ) #((h (T ID ) rr s tr )4 mod n ) #((tr )4 mod n ) #((h (RID ) rr δ )4 mod m ) #(δ mod m ) #((rr2 )2 mod m ) #((h (T ID ) tr PRNG(α R ) δ ) #([ACK h (μ )] ) h (μ )) Proof Consider that an adversary has access to the Q-oracle such that ωi (T1 ) ∈ {Query(πTi , ∗ )} and ωi (T2 ) ∈ {Query(πTi , ∗ )} For any protocol interaction Ii whose length is ≤ Pchal , based on the output m2 {(α , tr )} of the Q-oracle, α is guaranteed to be not connected since α = h(T ID ) rr s tr where rr (hidden using blind-factor) and tr are freshly generated random numbers and s is updated after each successful run By a similar argument, tr is also not connected since tr is a freshly generated random number which cannot be solved without the knowledge of the factors of n As seen, TID is never sent during the communication and id which is h(TID, ts ) is well enciphered in the messages which cannot be obtained without the knowledge of rts, rr , tr , s and the factors p, q thus providing tag anonymity and tag location privacy By a similar argument, RID is not sent during the communication and h(RID) is well protected in μ and cannot be obtained without the factors of g, h thereby providing reader anonymity and reader location privacy To avoid impersonation attack, in the backward channel, the tag challenges the server with α , tr where α is computed using the secret s, freshly generated tr and the received rr (hidden using blind-factor) The sever solves for α using CRT and the factors, and if it can successfully identify the tag in the system then the authenticity of the tag is proved An adversary can neither compute a valid α nor solve α without the knowledge of s, rr , tr and the factors p, q, g and h and thus cannot impersonate the tag In a similar fashion, an adversary cannot impersonate the server by guessing m3 {(ACK)} without the knowledge of R Using α that the tag computed, it verifies m3 If it is successful, the tag authenticates the server because only a valid entity with the knowledge of p and q can solve α or its quadratic residue R whereas an ad- S Sundaresan et al / Computer Networks 122 (2017) 70–82 77 Table GNY Logic - security correctness proof No Proof notation GNY postulate V1 V2 V3 V4 V5 V6 V7 V8 V9 V10 V11 V12 V13 V14 V15 V16 V17 V18 V19 V20 V21 V22 V23 V24 V25 V26 T (id PRNG(rts rr )), (PRNG(id rts) rr ) PRNG(rts rr )), (PRNG(id rts) rr ) T (id T |≡ #(id PRNG(rts rr )), (PRNG(id rts ) rr ) T |≡ R |∼ #(id PRNG(rts rr )) T |≡ R |∼ #(PRNG(id rts ) rr ) rr s tr )4 mod n), ((tr )4 mod n) R ((h(TID) rr s tr )4 mod n), ((tr )4 mod n) R ((h(TID) R |≡ #((h (T ID ) rr s tr )4 mod n ), ((tr )4 mod n) mod n R |≡ T |∼ #((h (T ID ) rr s tr )4 mod n ) R |≡ T |∼ #((tr )4 mod n ) rr s tr )4 mod n), ((tr )4 mod n), ((h(RID) rr δ )4 mod m), (δ mod m), ((rr2 )2 mod m ) S ((h(TID) rr s tr )4 mod n), ((tr )4 mod n), ((h(RID) rr δ )4 mod m), (δ mod m), ((rr2 )2 mod m ) S ((h(TID) rr δ )4 mod m), (δ mod m), ((rr2 )2 mod m ) S |≡ #((h (T ID ) rr s tr )4 mod n ), ((tr )4 mod n), ((h(RID) S |≡ R |∼ #((h (T ID ) rr s tr )4 mod n ) S |≡ R |∼ #((tr )4 mod n ) S |≡ R |∼ #((h (RID ) rr δ )4 mod m ) S |≡ R |∼ #(δ mod m ) S |≡ R |∼ #(rr2 )2 mod m tr PRNG(α R) δ ) h(μ) R (h(TID) tr PRNG(α R) δ ) h(μ) R (h(TID) R |≡ #(h (T ID ) tr PRNG(α R ) δ ) h (μ ) R |≡ S |∼ #(h (T ID ) tr PRNG(α R ) δ ) h (μ ) h(μ)] ) T ([ACK h(μ)] ) T ([ACK h(μ)] ) T | ≡ #([ACK T |≡ R |∼ #([ACK h (μ )] ) x, y, T1 V1, P1 V2, F1 A2, A4, A9, V3, I1, P2 A2, A4, A9, V3, I1, P2 α , tr , T V6, P1 V7, F1 A2, A6, A12, V8, I1, P2 A6, V8, I1, P2 α , tr , μ , δ , rr , T V11, P1 V12, F1 A2, A6, A12, V13, I1, J1, P2 A6, V13, I1, J1, P2 A2, A16, V13, I1, J1, P2 A16, V13, I1, J1, P2 A2, V13, I1, J1, P2 ACK , T1 V19, P1 V20, F1 A6, A16, V21, I1, P2 ACK, T1 V23, P1 V24, F1 A6, V25, I1, J1, P2 versary cannot so By a similar argument, the reader cannot be impersonated to either the tag or the server and is protected by rts, rr , μ which cannot be solved without the knowledge of the factors p, q, g, h Hence, the protocol is resistent to tag, reader and server impersonation attacks Therefore, with the Q-oracle, the advantage of the adversary is negligible as the adversary does not learn any useful information Hence the protocol is Existential-UNT-Q Now, consider that the adversary has access to QS-Oracle such that ωi (T1 ) ∈ {Query(πTi , ∗ ), Send (πTi , m12 )} and ωi (T2 ) ∈ {Query(πTi , ∗ ), Send (πTi , m22 )} where m2 2 {(α , tr )} The ad- versary on sending m2 as a response to the reader, receives m3 {(ACK)} The adversary cannot obtain anything from ACK since it requires the knowledge of R which is infeasible to calculate without the knowledge of the factors of n Hence the adversary is not presented with any additional advantage Thus the protocol is Existential-UNT-QS Finally, consider the adversary having access to QSE-Oracle such that ωi (T1 ) ∈ {Query(πTi , ∗ ), Send (πTi , m2 ), Execute(πTi , πR )} and ωi (T2 ) ∈ {Query(πTi , ∗ ), j 1 Send (πTi , m2 ), Execute(πTi , πR )} The use of random numbers tr j and rr and the computational infeasibility property provided by quadratic residue, guarantee that the messages are unique each time and by eavesdropping on multiple instances of the protocol the adversary is not presented with any additional advantage over the QS-oracle and hence is resistent to replay attacks Thus the protocol is Existential-UNT-QSE which is the strongest security requirement when the attacker cannot tamper with the tag Theorem The proposed secure search protocol P is Forward-UNT-QSER Proof In addition to the QSE-oracles, consider that the adversary also has access to the R-oracle such that, ωi (T1 ) j ∈ {Query(πTi , ∗ ), Send (πTi , m2 ), Execute(πTi , πR ), Reveal (πTi )} 1 1 and ωi (T2 ) ∈ {Query(πTi , ∗ ), Send (πTi , m2 ), Execute(πTi , πR ), Reveal (πTi )} 2 j By executing the R-oracle, the adversary obtains {id = h(T ID, ts ), rts, rts−1 , s, h(T ID ), n} After each complete run of the protocol, rts and rts−1 and s are updated, n is public, id is not transmitted during the protocol run but h(TID) is transmit- ted and it remains constant However using h(TID) if the adversary can link with previous communications then the protocol is not Forward-UNT-QSER h(TID) can be obtained from α or ACK But α is enciphered well using two random numbers rr , tr , a shared secret s and protected by the quadratic residues property Getting h(TID) from ACK is also not feasible since it requires the knowledge of R which is infeasible to get due to the quadratic residues property The random number tr is enciphered in tr and rr is hidden during transmission in y and enciphered in rr which cannot be solved without the knowledge of the factors g, h This step fixes the forward security vulnerability in Sundaresan et al [1] Therefore, an adversary cannot trace the previous communications of a tag and the advantage presented to the adversary by the R-oracle is negligible Hence the protocol is Forward-UNT-QSER Theorem The proposed synchronization attacks protocol P is resistant to de- Proof Consider that the adversary has access to QS-Oracle such that ωi (T1 ) ∈ {Query(πTi , ∗ ), Send (πTi , m12 )} where m2 {α , tr } or 1 m2 {ACK } The adversary blocks m2 from reaching the reader (or if the messages were lost due to other communication issues), it would cause the tag to update its secret rts but the reader would not, causing desynchronization of keys But DoS attack is prevented since the tag stores both the current value rts and the previous value rts−1 When the tag authenticates the reader by checking if id = x P RNG(rts rr ) If it does not find a match using rts then it would repeat the step using rts−1 If either one results in a match, the protocol would continue, otherwise the tag would respond with a probability of λ Now, consider that the adversary has access to QS-Oracle such that ωi (T1 ) ∈ {Query(πTi , ∗ ), Send (πTi , m12 )} 1 where m2 {ACK} The adversary can cause DoS attack by desynchronizing the server and the tag by either blocking or forging the message m2 If m2 is blocked, the tag will fail to correctly update s But the attack is prevented since the server stores both s and s−1 and it will still be able to correctly identify the tag using R−1 If the attacker forges the message m2 then it can cause perT ID manent DoS between the tag and the server since the tag will update s to s+1 resulting in unrecoverable de-synchronization since the server only stores s and s−1 But in order to forge m2 , it re- 78 S Sundaresan et al / Computer Networks 122 (2017) 70–82 Table Comparison of security and privacy properties Scheme Huang et al [32] P1 P2 P3 No P4 Won et al [33] P6 A1 No NA No § - Fully Satisfied P1: Basic Privacy P4: Reader Anonymity A1: Replay Attack § - Fully Satisfied under certain assumptions No No No No No No No No No NA No NA NA No NA - Not Applicable P2: Mutual Authentication P5: Tag Location Privacy A2: DoS/De-synchronization quires the knowledge of R which requires the knowledge of p and q Thus only a valid server can compute the correct m2 and the attacker cannot successfully forge ACK Further, from Theorem 1, it is seen that the protocol achieves the strongest security requirement of Existential-UNT-QSE which proves that an attacker cannot successfully complete a protocol run Hence the protocol is de-synchronization resistant 4.3 Comparison with other protocols In Table 6, we compare the security and privacy properties of secure search protocols that have been proposed Many of the protocols not authenticate the other entity before responding to the query or after receiving the reply We emphasize that it is very important for the entities to authenticate the other party before sending/processing any information so they know that the query/reply they receive is from a trusted source Our protocol implements mutual authentication using the shared secrets Kim et al [36] have shown that Tan et al.’s [2] protocol does not provide both tag and reader location privacy We further note that reader anonymity is not achieved in this scheme since the reader ID is transmitted in clear Also, authentication is only partially done since the tags respond to a query by any reader without authenticating the reader However, the reader validates the tag when it receives the response from the tags We observe that Won et al.’s [33] scheme does not provide mutual authentication for the same reason discussed above and the protocol does not provide tag location privacy since only the intended tag responds all the time enabling an attacker to compromise the location of the tag The authors note that the protocol does not support forward secrecy since all the secrets stored in the tags and the readers are fixed We observe that Kim et al.’s [36] protocol does not provide mutual authentication The reader is not authenticated by the tags when the search request begins The tags simply respond to the query Later the reader authenticates the tag Also reader anonymity is only partially achieved since a reader’s pseudonym is transmitted in the clear to the tags Even though the authors claim that the readers use multiple pseudonyms and an attacker has to know all the pseudonyms to trace a reader, it still provides the opportunity to learn which reader is sending the query and thereby compromising the location privacy of the reader In a similar fashion, a tag’s group iden- No No No No No No No No C1 No No No No No No No NA NA NA NA No No No No A2 NA No Tan et al [34] Zuo [35] Kulseng et al [3] Kim et al [36] Mtita et al [44] Zheng and Li [45] Shahzad and Liu [47] Wang et al [51] Shahzad and Liu [48] Gong et al [49] Chen et al [46] Zhang et al [50] Sasagawa et al [52] Sundaresan et al [59] Our Scheme P5 NA NA NA NA NA NA NA NA NA No NA NA NA NA NA NA NA NA No No No No No - Partially Satisfied P3: Tag Anonymity P6: Reader Location Privacy C1: EPC Compliance tity is also transmitted in clear allowing attackers to know which group of tags are responding If there is no other tag present in the area from the same group, the tag can be traced and by extension the person’s location privacy is also compromised since they are holding the tag at that time In Huang and Shieh’s secure search protocol [32] it is the sensor nodes that is responding back to the query and not the tags a slightly different architecture from the other proposed protocols So, some security properties not directly apply to this protocol Also, the authors have proposed a mutual authentication protocol but it has not been applied to the secure search protocol as the sensor nodes not authenticate the query request broadcast by the reader We observe that Kulseng et al.’s [3] protocol based on PUF is the closest to meeting all the security and privacy requirements and also being EPC compliant But as discussed in Section 3, PUF has disadvantages that prevent it from usage in large scale implementations Our protocol meets all the security and privacy requirements and is EPC compliant making it a viable solution for large-scale implementations Mutual authentication is absent in the methods that use Bloom filter (Zheng and Li [45] and Chen et al [46]) Similarly, the methods that use framed slotted Aloha protocol as an integral part of the process (Shahzad and Liu [47], Shahzad and Liu [48], Gong et al [49] and Zhang et al [50]) ignore mutual authentication or authentication in general since the purpose in these methods is to just identify the existence of a given tag in the field of the reader While the goal seems to be achieved in terms of recognizing an RFID tag’s presence, an adversary can easily satisfy the expected conditions and fake the presence of a wanted tag Wang et al [51] use phase periodicity to identify an item as it changes location over time and does not attempt to consider mutual authentication Similarly Sasagawa et al [52] is interested in just identifying the existence of an item at a given location, and no detail on the authentication of these items is provided In Table 7, we compare the performance of the secure search protocols that have been proposed We observe that most existing schemes except the one by Kulseng et al employ cryptographic hash function and/or encryption functions Implementing hash functions on passive tags is an open research problem [60] and are not in conformance to EPC standards [61] It is also known that even the cheapest hash function will cost approximately 1.7K gates [28] to implement Kulseng et al propose the use S Sundaresan et al / Computer Networks 122 (2017) 70–82 79 Table Performance properties Scheme CF on Reader CF on Server CF on Tag P M C Huang et al [32] Won et al [33] Kulseng et al [3] Tan et al [2] Zuo [35] Kim et al [36] Mtita et al [44] Zheng and Li [45] Shahzad and Liu [47] Wang et al [51] Shahzad and Liu [48] Gong et al [49] Chen et al [46] Zhang et al [50] Sasagawa et al [52] Sundaresan et al [59] Our Scheme 1∗ 0 1 0 NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA – 4 0 1 0 – – 1 1 NA 0 0 2 2 2 v v v v v 2 No No CF: No of Crypto Functions M: No of Messages Exchanged v: Varies based on number of tags P: No of PRNG Functions on Tag C: EPC Compliance of PUFs However, this will require additional circuitry to be introduced into the RFID tag and hence the cost of low cost passive tags will be increased In our scheme, we not require the tags to implement hash functions Computation is restricted to XOR, CRC calculations and random number generation, all of which are within the capabilities of passive tags For implementation of modular squaring on low-end devices such as RFID tags, modular squaring can be replaced with integer squaring of the form f (x ) = x2 + kn, where k is carefully chosen (i.e., x2 mod n is replaced with x2 + kn) To compute f(x) for a 1280-bit wide n, the square x2 and the product kn are computed separately and then combined (with carries buffered for the next iteration) Further, the individual bits of x2 and kn can be evaluated by convoluting x with itself and k with n using a 128 bit register and invoking a PRNG The cost of implementing such a function h can be estimated as 640 gates for read-only storage of the 1280 bit modulus n, a PRNG and buffers for computation So the total complexity of implementing f is less than 10 0 gates [4,27,28] Thus we see that our scheme provides the required security properties while at the same time conforming to EPC standard 4.4 Parameter setting Typically, low-cost passive RFID tags have non-volatile (EEPROM) memory of 10 0 bits to kilobytes(KB) [62] However, recent RFID application proposals such as plans by Airbus to track flyable aircraft parts and components, as well as store data, such as information regarding a part’s initial construction and maintenance demands have introduced passive RFID tags with even higher memory capabilities (4 KB–8 KB) [63] Also, Atmel Corporation has introduced passive RFID tags that can support memory of between KB and 64 KB [64] The main requirements of the proposed approach is that the modulus n used to compute the quadratic residues is sufficiently large to ensure that factorisation is infeasible Based on the recommendations in [65] we suggest that n = 1120 − 1464 bits at minimum In our proposed approach, depending on the memory capabilities of the tag, we can choose an appropriate key length to achieve a desired level of security Given n = 1472 bits, a hash length of 128 bits and a 128-bit PRNG such as Akari-X [66], the storage requirements on the tag would be 1472 + 128 + 128 + 48 = 1984 bits ≈ 248 bytes This is not excessive for applications using low cost tags that require security No No No No No No No NA: Not Applicable : for each response ∗ Finally, we note that the use of the xor operator raises the expectation that its operands have equal bit lengths in order to prevent leakage of information Given that all the parameters are not of equal length, we suggest a simple modification to the standard xor operation to meet our requirements As an example consider, x = id P RNG(rts rr ) where the operands are unequal In such a situation we suggest that the largest operand is xored with a concatenation of the xor of the other operands In this instance the implementation would be x = id (P RNG(rts (rr rr rr ))) 4.5 Simulation study In order to study the scalability of our search scheme, we implemented a simulation using network simulator-2 (NS-2) We emphasise that the purpose here is not to compare the proposed protocol to existing ones but rather to ensure that scalability is achieved within acceptable response time limits In this simulation, we implemented our secure search protocol and studied its performance in terms of end-end search delay This delay is calculated from the time the search query is initiated by the reader to when the last ACK message is verified by the tag The end-end search delay includes two main parts, the network delay and the search processing time in the reader, tag and the server including the database search The number of tags in the system was varied from 10 to 10 million and the number of readers for the mobile/wireless RFID system was set at 100 and 10 0 The results of the simulation experiments are presented in Fig and each data Fig Simulation results of the proposed protocol 80 S Sundaresan et al / Computer Networks 122 (2017) 70–82 point corresponds to the average of 20 simulation runs In both sets of results we observe that as the number of tags in the system increases the search delay increases This is along expected lines as the database search has a complexity of O(n) However, we observe that the end-end search delay is within acceptable bounds (≈ 0.5 s) for all cases In terms of the impact of number of readers, in the system we observe that delay increases are again quite small These results prove that our proposed search scheme is efficient and scalable, and achieves the required security properties without compromising system performance Conclusion In this paper, we have proposed a secure search protocol for RFID systems that can be implemented on low-cost passive RFID tags The protocol is based on the quadratic residues property and also uses basic XOR and PRNG operations Additional protection is ensured by hiding the random number where deemed necessary using a blind-factor The protocol does not use hash functions like other protocols we have discussed which cannot be implemented in the low-cost passive tags that have very low computational capabilities To increase the security of the system, all authentications are accomplished by the backend server even though the readers are mobile By using quadratic residues and eliminating hash operations, the protocol meets the EPC standard Security analysis of the protocol shows that the scheme achieves the necessary security requirements for RFID systems including tag/reader anonymity, tag/reader location privacy, forward security, while being resistant to replay attacks, tag/reader/server impersonation attacks and DoS/De-synchronization attacks The simulation result shows that the scheme is practical and can be implemented on low-cost passive tags References [1] S Sundaresan, R Doss, W Zhou, A secure search protocol based on quadratic residues for epc class-1 gen-2 uhf rfid tags, 23rd International Symposium on Personal Indoor and Mobile Radio Communications, 2012 [2] C Tan, B Sheng, Q Li, Secure and serverless RFID authentication and search protocols, IEEE Trans Wireless Commun (4) (2008) 1400–1407 [3] L Kulseng, Z Yu, Y Wei, Y Guan, Lightweight secure search protocols for low– cost RFID systems, in: 2009 29th IEEE International Conference on Distributed Computing Systems, 2009, pp 40–48 [4] R Doss, W Zhou, S Yu, Secure RFID tag ownership transfer based on quadratic residues, IEEE Trans Inf Forensics Secur (2) (2013) 390–401 [5] Y.-J Huang, C.-C Yuan, M.-K Chen, W.-C Lin, H.-C Teng, Hardware implementation of RFID mutual authentication protocol, IEEE Trans Ind Electron 57 (5) (2010) 1573–1582 [6] A Juels, S Weiss, Authenticating Pervasive Devices with Human Protocols, in: LNCS, 3621, 2005, pp 293–308 [7] P Urien, S Piramuthu, Elliptic curve-based RFID/NFC authentication with temperature sensor input for relay attacks, Decis Support Syst (2014) 28–36 [8] Y.-P Liao, C.-M Hsia, A secure ECC-based RFID authentication scheme integrated with ID-Verifier transfer protocol, Ad Hoc Netw 18 (2014) 133–146 [9] L Batina, J Guajardo, T Kerins, N Mentens, P Tuyls, I Verbauwhede, An elliptic curve processor suitable for rfid-tags, Report 2006/227, Cryptology ePrint Archive, 2006 [10] Y.K Lee, K Sakiyama, L Batina, I Verbauwhede, Elliptic curve based security processor for RFID, IEEE Trans Comput 57 (11) (2008) 1514–1527 [11] M Feldhofer, C Rechberger, A case against currently used hash functions in rfid protocols, in: On the Move to Meaningful Internet Systems 2006 – OTM 2006, in: Lecture Notes in Computer Science, 4277, 2006, pp 372–381 [12] L Bolotnyy, G Robins, Physically unclonable function -based security and privacy in rfid systems, PerCom ’07, 2007 [13] H Lee, D Hong, The tag authentication scheme using self-shrinking generator on RFID system, Trans Eng Comput Technol 18 (2006) 52–57 [14] S Sundaresan, R Doss, S Piramuthu, W Zhou, A robust grouping proof protocol for RFID EPC C1G2 tags, IEEE Trans Inf Forensics Secur (2014) [15] W Meier, O Staffelback, The self-shrinking generator, in: Advances in Cryptology: EUROCRYPT 94, 950, 1994, pp 205–214 [16] J Molina-Gil, P Caballero-Gil, A Fuster-Sabater, C Caballero-Gil, Pseudorandom Generator to Strengthen Cooperation in VANETs, in: EUROCAST 2011, 2012, pp 365–373 [17] A.T Tasheva, Z.N Tasheva, A.P Milev, Generalization of the self-Shrinking generator in the galois field GF(pn ), Adv Artif Intell (2011) 1–10 [18] M Burmester, J Munilla, A flyweight RFID authentication protocol, Report 2009/212, ePrint Archive, 2010 [19] R Doss, W Zhou, S Sundaresan, S Yu, L Gao, A minimum disclosure approach to authentication and privacy in RFID systems, Comput Netw (2012) 3401–3416 [20] H.-Y Chien, C.-H Chen, Mutual authentication protocol for RFID conforming to EPC class generation standards, Comput Stand Interfaces 29 (2) (2007) 254–259 [21] H.-Y Chien, C.-S Laih, ECC-Based lightweight authentication protocol with untraceability for low-cost RFID, J Parallel Distrib Comput 69 (2009) 848–853 [22] D Duc, K Kim, Defending RFID authentication protocols against DoS attacks, Comput Commun 34 (3) (2011) 384–390 [23] R.D Pietro, R Molva, An optimal probabilistic solution for information confinement, privacy and security in RFID systems, J Netw Comput Appl (2010) [24] S Sundaresan, R Doss, W Zhou, A Serverless Ultra-Lightweight Secure Search Protocol for EPC Class-1 Gen-2 UHF RFID Tags, in: International Conference on Computer & Information Science (ICCIS), 2012a, pp 580–585 [25] S Sundaresan, R Doss, W Zhou, A Secure Search Protocol based on Quadratic Residues for EPC Class-I Gen-2 UHF RFID Tags, The 23rd IEEE International Symposium on Personal Indoor and Mobile Radio Communications - (PIMRC), 2012b [26] S Sundaresan, R Doss, W Zhou, S Piramuthu, Secure ownership transfer for multi-Tag multi-owner passive RFID environment with individual-Owner-Privacy, Comput Commun (2015) 112–124 [27] M Burmester, B de Medeiros, R Motta, Anonymous RFID authentication supporting constant-cost key-lookup against active adversaries, Int J Appl Cryptography (2) (2008) 79–90 [28] Y Chen, J.-S Chou, H.-M Sun, A novel mutual authentication scheme based on quadratic residues for RFID systems, Comput Netw 52 (12) (2008) 2373–2380 [29] S Piramuthu, RFID Mutual authentication protocols, Decis Support Syst (2011) 387–393 [30] W Zhou, E.J Yoon, S Piramuthu, Simultaneous multi-level RFID tag ownership & transfer in health care environments, Decis Support Syst (2012) 98–108 [31] S Piramuthu, Protocols for RFID tag/reader authentication, Decis Support Syst (2007) 897–914 [32] S.-I Huang, S Shieh, Authentication and secret search mechanisms for RFID-aware wireless sensor networks, Int J Secur Netw (1) (2010) 15–25 [33] T.Y Won, J.Y Chun, D.H Lee, Strong authentication protocol for secure RFID tag search without help of central database, in: 2008 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, 2008, pp 153–158 [34] C.C Tan, B Sheng, Q Li, Serverless search and authentication protocols for RFID, in: Proceedings of the Fifth Annual IEEE Conference on Pervasive Computing and Communications, 2007 [35] Y Zuo, Secure and private search protocols for RFID systems, Inf Syst Front 12 (5) (2009) 507–519 [36] Z Kim, J Kim, K Kim, I Choi, T Shon, Untraceable and serverless RFID authentication and search protocols, in: 2011 IEEE Ninth International Symposium on Parallel and Distributed Processing with Applications Workshops, 2011, pp 278–283 [37] C Lv, H Li, M Jianfeng, B Niu, Vulnerability analysis of lightweight secure search protocols for low-cost RFID systems, Int J RFID Technol Appl (1) (2012) 3–12 [38] L Chun, J Hwang, D Lee, RFID tag search protocol preserving privacy of mobile reader holders, IEICE Electron Express 08 (2) (2011) 50–56 [39] E.-J Yoon, Cryptanalysis of an RFID tag search protocol preserving privacy of mobile reader, in: International Federation for Information Processing, 2012, pp 575–580 [40] S.I Ahamed, F Rahman, E Hoque, F Kawsar, T Nakajima, S3PR: Secure serverless search protocols for RFID, in: 2008 International Conference on Information Security and Assurance (isa 2008), 2008, pp 187–192 [41] Y Zheng, M Li, Fast tag searching protocol for large-scale RFID systems, IEEE/ACM Trans Netw 21 (3) (2013) 924–934 [42] J Lim, S Kim, H Oh, K Donghyun, A designated query protocol for serverless mobile RFID systems with reader and tag privacy, Tsinghua Sci Technol 17 (5) (2012) 521–536 [43] C.-F Lee, H.-Y Chien, C.-S Laih, Server-less RFID authentication and searching protocol with enhanced security, Int J Commun Syst 25 (2012) 376–385 [44] C Mtita, M Laurent, J Delort, Efficient serverless radio-frequency identification mutual authentication and secure tag search protocols with untrusted readers, IET Inf Secur (2016) 262–271 [45] Y Zheng, M Li, Fast tag searching protocol for large-scale rfid systems, IEEE/ACM Trans Networking (2013) 924–934 [46] M Chen, W Luo, Z Mo, S Chen, Y Fang, An efficient tag search protocol in large-scale rfid systems with noisy channel, IEEE/ACM Trans Networking (2016) 703–716 [47] M Shahzad, A.X Liu, Fast and accurate estimation of rfid tags, IEEE/ACM Trans Networking (2015) 241–254 [48] M Shahzad, A.X Liu, Probabilistic optimal tree hopping for rfid identification, IEEE/ACM Trans Networking (2016) 796–809 [49] W Gong, J Liu, Z Yang, Fast and reliable unknown tag detection in large-scale rfid systems, in: MobiHoc, 2016, pp 141–150 [50] S Zhang, X Liu, J Wanga, J Cao, G Min, Energy-efficient active tag searching in large scale rfid systems, Inf Sci (2015) 143156 [51] Z Wang, N Ye, R Malekian, F Xiao, R Wang, Trackt: accurate tracking of rfid tags with mm-level accuracy using first-order taylor series approximation, Ad Hoc Netw (2016) 132–144 S Sundaresan et al / Computer Networks 122 (2017) 70–82 [52] M Sasagawa, K Ikematsu, I Siio, Simply tag and find: Finding indoor items by using detection history of rfid tags, in: UbiComp/ISWC, 2016, pp 365–368 [53] K.H Rosen, Fourth ed., 1999 [54] L Gong, R Needham, R Yahalom, Reasoning about belief in cryptographic protocols, in: Proceedings of the IEEE Symposium on Security ad Privacy, 1990, pp 234–248 [55] G Avoine, Adversarial model for radio frequency identification, Report 2005/049, Cryptology ePrint Archive, 2005 [56] S Vaudenay, On privacy models for RFID, in: Advanced in Cryptology - ASIACRYPT 2007, in: (LNCS 4833), 2007, pp 68–87 [57] J Hermans, A Pashalidis, F Vercauteren, B Preneel, A new RFID privacy model, in: European Symposium on Research in Computer Security (ECORICS) 2009, in: (LNCS 6879), 2011, pp 568–587 [58] I Coisel, T Martin, Untangling RFID Privacy Models, Cryptology ePrint Archive, 2011 [59] S Sundaresan, R Doss, S Piramuthu, W Zhou, Secure tag search in rfid systems using mobile readers, IEEE Trans Dependable Secure Comput (2015) 230–242 81 [60] J.-S Cho, S.-S Yeo, S.K Kim, Securing against brute-force attack: a hash-based RFID mutual authentication protocol using a secret value, Comput Commun 34 (3) (2011) 391–397 [61] EPCGlobal, EPC Radio-Frequency Identity Protocols,Class-1 Generation-2 UHF RFID Protocol for Communications at 860MHz-960MHz Version 1.2.0, 2008 [62] F Gosset, F.-X Standaert, J.-J Quisquater, FPGA implementation of SQUASH, 29th Symposium on Information Theory, 2008 [63] R Wessel, Airbus signs contract for high-memory rfid tags, RFID J (2010) [64] D Dressen, Large memory RFID system solutions, ATMEL Appl J (2011) 48–49 [65] A.K Lenstra, E.R Verheul, Selecting cryptographic key sizes, in: Public Key Cryptography, in: (LNCS 1751), 01, 20 0, pp 446–465 [66] H Martin, E.-S Millan, L Entrena, P.-P Lopez, A case against currently used hash functions in rfid protocols, in: On the Move to Meaningful Internet Systems 2006 – OTM 2006, in: Lecture Notes in Computer Science, 4277, 2006, pp 372–381 82 S Sundaresan et al / Computer Networks 122 (2017) 70–82 Saravanan Sundaresan received his BSc (M) from the University of Madras, India in 1995 and the MIT and PhD degrees from Deakin University, Australia He started his career as a programmer in India and took up IT consulting in USA in 1997 He joined HP Inc as a Senior Database Administrator in 1999 and later joined Caterpillar Inc in 2004 to become the Team Lead and Senior Database Administrator In 2006, he took up community work in the villages of South India and received a Social Entrepreneur Reward in 2010 Robin Doss received the BEng from the University of Madras, India, in 1999, and the MEng and PhD degrees from the Royal Melbourne Institute of Technology (RMIT), Australia, in 20 0 and 2004, respectively He has held professional appointments with Ericsson Australia, RMIT University, and IBM Research, Switzerland He joined Deakin University, Melbourne, Australia, in 2003, and is currently an Associate Professor with the centre for cyber security research, and Deputy Head of the School of Information Technology, Deakin University Since 2003, he has published more than 50 papers in refereed international journals, international conference proceedings and technical reports for industry and government His current research interests are in the broad areas of communication systems, protocol design, wireless networks, security and privacy He is a senior member of the IEEE Selwyn Piramuthu has been at the University of Florida since Fall 1991 He is an Associate Researcher of Information Systems and Technologies at ESCP-Europe (Ecole Supérieure de Commerce de Paris) and a member of the RFID European Lab in Paris He taught in the Operations and Information Management department at the Wharton School of the University of Pennsylvania from 1998 to 2001 He has also held teaching and/or research visiting appointments at a few other institutions including the Aarhus School of Business in Denmark, Copenhagen Business School in Denmark, IRIDIA (Institut de Recherches Interdisciplinaires et de Développements en Intelligence Artificielle) at the Université Libre de Bruxelles in Belgium, Interdisciplinary Center for Security, Reliability and Trust (SnT) at the Université du Luxembourg in Luxembourg, INFRES at TELECOM ParisTech in Paris, Supply Chain Management at Technische Universität München in Munich and the Lehrstuhl für Informations- und TechnologieManagement at Universität des Saarlandes in Saarbrücken His research and teaching interests include artificial intelligence, cryptography, database management, data mining/machine learning, and simulation including their applications in computer integrated manufacturing, ecommerce, financial credit scoring, healthcare, RFID, supply chain management, and work flow management Wanlei Zhou received the BEng and MEng degrees from Harbin Institute of Technology, China, in 1982 and 1984, respectively; the PhD degree from the Australian National University, Canberra, in 1991; and the DSc degree from Deakin University, Victoria, Australia, in 2002 He is currently the Alfred Deakin chair professor of information technology, Deakin University, Melbourne, Australia His research interests include distributed and parallel systems, network security, mobile computing, bioinformatics and e-learning He has published more than 200 papers in refereed international journals and refereed international conferences proceedings Since 1997, he has been involved in more than 50 international conferences as general chair, steering committee chair, PC chair, session chair, publication chair, and PC member He is a senior member of the IEEE  ... I1, J1, P2 A6, V13, I1, J1, P2 A2, A16, V13, I1, J1, P2 A16, V13, I1, J1, P2 A2, V13, I1, J1, P2 ACK , T1 V19, P1 V 20, F1 A6, A16, V 21, I1, P2 ACK, T1 V23, P1 V24, F1 A6, V25, I1, J1, P2 versary... T1 V1, P1 V2, F1 A2, A4, A9, V3, I1, P2 A2, A4, A9, V3, I1, P2 α , tr , T V6, P1 V7, F1 A2, A6, A12, V8, I1, P2 A6, V8, I1, P2 α , tr , μ , δ , rr , T V 11, P1 V12, F1 A2, A6, A12, V13, I1, J1,... Computer Networks 12 2 (2 01 7 ) 70 82 77 Table GNY Logic - security correctness proof No Proof notation GNY postulate V1 V2 V3 V4 V5 V6 V7 V8 V9 V 10 V 11 V12 V13 V14 V15 V16 V17 V18 V19 V 20 V 21 V22 V23 V24