Privacy-Preserving Authorized RFID Authentication Protocols

Abstract

Radio Frequency Identification (RFID) has been widely ad-opted for object identification. An RFID system comprises three essential components, namely RFID tags, readers and a backend server. Conventionally, the system is considered to be controlled by a single party who maintains all the secret information. However, in some practical scenarios, RFID tags, readers and servers could be operated by different parties. Although the private information should not be shared, the system should allow a valid tag to be authenticated by a legal reader. The challenge in designing the system is preserving the tag and reader’s privacy. In this paper, we propose a novel concept of authorized RFID authentication. The proposed protocols allow the tag to be merely identifiable by an authorized reader and the server cannot reveal the tag during the reader-server interaction. We provide a formal definition of privacy and security models of authorized authentication protocols under the strong and weak notions and propose three provably secure protocols.

This work is supported by the Australian Research Council Discovery Project DP110101951.

A Complexity Assumptions

Definition 7

(Oracle Diffie-Hellman Assumption [1]). Given \(g^a,g^b\), a function \(H:\{0,1\}^*\rightarrow \{0,1\}^{l}\) and an oracle \(\mathcal {O}=H(X^b)\), where \(X\ne {g^a}\), the advantage of an adversary \(\mathcal {A}\) in violating the ODH assumption is

$$\begin{aligned} Adv^{odh}_{\mathcal {A},H}=\left| \Pr \left[ a,b:\mathcal {A}^{\mathcal {O}}(g^a,g^b,H(g^{ab}))=1\right] -\Pr \left[ a,b:\mathcal {A}^{\mathcal {O}}(g^a,g^b,t)=1\right] \right| , \end{aligned}$$

where \(t\in \{0,1\}^l\) We say that the ODH assumption holds, if \(Adv^{odh}_{\mathcal {A},H}\) is negligible.

Definition 8

(EDBDH Assumption). Let \((g,p,\mathbb {G},\mathbb {G}_T)\) be a pairing group. Given \((g,g^a,g^b,g^c,g^t)\), the Extended Decisional Bilinear Diffie-Hellman problem is to determine whether \(g^t=g^{abc}\). We say that the EDBDH assumption holds, if no PPT algorithm \(\mathcal {A}\) can solve the problem with non-negligible advantage.

Definition 9

(V- l -wDBDHI Assumption). Let \((g,h,p,\mathbb {G},\mathbb {G}_T)\) be a pairing group. Given \((g,h,g^{a},g^{a^2},\cdots ,g^{a^l},h^{a},h^{a^2},\cdots ,h^{a^l},g^t)\), the Variant l-weak Decisional Bilinear Diffie-Hellman Inversion problem is to determine whether \(g^t=g^{a^{2l+1}}\). We say that the V-\(l\)-wDBDHI assumption holds, if no PPT algorithm \(\mathcal {A}\) can solve the problem with non-negligible advantage.

Definition 10

( \(\varvec{k\!+\!1}\) -Exponent Assumption). Given \((g,g^{a},g^{a^2},\cdots ,g^{a^k})\), the \(k\)+1-Exponent problem is to compute \(g^{a^{k+1}}\). We say that the \(k\)+1-Exponent assumption holds, if no PPT algorithm \(\mathcal {A}\) can solve the problem with non-negligible advantage.

We show that the security of EDBDH assumption is related to the security of Decisional Bilinear Diffie-Hellman (DBDH) assumption.

Lemma 1

The EDBDH assumption holds if the DBDH assumption holds.

Proof

Suppose that there is a PPT algorithm \(\mathcal {A}\) who can break the EDBDH assumption. Given an instance \((g,g^a,g^b,g^c,g^t)\), \(\mathcal {A}\) can output whether \(g^t=g^{abc}\) in polynomial time with non-negligible advantage. It implies that \(\mathcal {A}\) decides whether \(\hat{e}(g,g^t)=\hat{e}(g,g^{abc})\) which is a solution of DBDH problem. Therefore, if DBDH problem is intractable then the EDBDH assumption holds.    \(\Box \)

In terms of V-\(l\)-wDBDHI, a solution of V-\(l\)-wDBDHI problem also implies that the algorithm \(\mathcal {A}\) can decide whether

$$\begin{aligned} \hat{e}(g,g^t)=\hat{e}(g,g^{a^{2l+1}}). \end{aligned}$$

Since that V-\(l\)-wDBDHI problem is modified from \(l\)-wDBDHI problem, its security can be bounded by using the similar strategy in the generic group model.