Improved Privacy-preserving Authorized Out Authentication Protocols

With the wide application of radio frequency identification (RFID) technology in areas such as the supply chain and warehouse management, RFID privacy and security have gradually become a hot topic, and RFID privacy and security authentication protocols have been proposed for different scenarios. In 2014, the Alert Response Address (ARA) protocol, based on the application scenario of a privileged membership club, was presented together with a formal definition of its privacy and security models, and it preserved the privacy of both the tag and the reader. In this study, we analyze the efficiency of the ARA scheme and find that it is poor because the scheme overuses bilinear maps. Without losing the ARA scheme's privacy and security, we improve its two subprotocols into IARA1 and IARA2, which offer higher performance. A performance comparison of the protocols shows that the improved protocol is more efficient than the ARA protocol.


Introduction
Radio frequency identification (RFID) technology is widely used in today's intelligent logistics and supply chain management, manufacturing and assembly, ticket management, warehouse management, and other systems, and is a very common and effective technology. In an RFID system, users' personal information, hobbies, and the like can be linked to the unique identification code of the tags themselves, which may cause privacy leakage. At the same time, tags should not disclose any sensitive information to unauthorized readers, so system security issues must also be taken into account. Therefore, when designing and using an RFID system protocol, one must consider how to ensure that only authorized readers can identify legitimate tags and how to prevent malicious attacks such as tracking, interception, and leakage, in order to protect the privacy of users' information and ensure the security of the system.
To resolve the privacy and security issues of RFID systems, many related RFID authentication protocols, such as the LAMP, (1) LAMP+, (2) SASI, (3) Gossamer, (4) AFMAP, (5) and RAPP (6) protocols, have been proposed. These protocols authenticate through an index-pseudonym (IDS), which stores a corresponding index in the tag information record, and each tag is associated with a key K. These solutions assume a secure communication channel to the back-end and use only simple binary bit operations, and most of them are applied to the security authentication of lightweight and ultra-lightweight RFID systems. In 2008, Tan et al. (7) proposed an RFID security authentication protocol without a back-end database. In this protocol, it is assumed that the channel between the reader and the certification agency (CA) is secure, and the reader must download the tag-related information from the third-party CA protocol had a higher operating efficiency by analyzing and comparing the efficiencies of the ARA and IARA protocols.
In Sect. 2 of this paper, we give a brief introduction to the privacy and security prerequisites of the RFID system. In Sect. 3, we describe the specific authentication process of the ARA protocol proposed by Li et al. (15) In Sect. 4, we detail the authentication process of the improved IARA protocol proposed in this paper. In Sect. 5, we show through performance analysis and comparison that the IARA protocol is more efficient than the ARA protocol. Finally, Sect. 6 concludes the paper.

Composition and security model of RFID system
An RFID system generally consists of three major components: the RFID tag (tag or transponder), the RFID reader (reader or transceiver), and the back-end database (back-end server), (16) as shown in Fig. 1. It is generally assumed that a tag is not tamper-resistant: an attacker can destroy the tag and obtain all the secret information stored in it. At the same time, the tag has limited storage and computing resources; public key cryptosystems generally do not apply to the tag, which can only perform operations such as hash functions and pseudorandom number generation. A reader, however, is a device with relatively strong computing and storage capabilities that can perform more complex cryptographic operations. The back-end server, as a storage device, stores all relevant information (17) about the tags in the system. In addition, in the design of an RFID system, the reader and the back-end database are generally regarded as a whole, and the internal communication between them is assumed to be secure; on the other hand, the public wireless channel between the tag and the reader is insecure and may suffer various active or passive attacks.
The security of an RFID system should meet the following requirements:
1. Forward privacy: In the forward security game, adversary A obtains the current key of the reader and attempts to distinguish whether the currently authenticated tag has interacted with the server or with other readers. If no adversary can win the game with probability $\tfrac{1}{2} + \varepsilon$ (ε a negligible function), the system is considered to meet forward privacy.
2. Backward privacy: In the backward security game, after the reader updates its key, adversary A attempts to determine whether any tag has interacted with the server or with other readers after the update. If no adversary can win the game with probability $\tfrac{1}{2} + \varepsilon$ (ε a negligible function), the system is considered to meet backward privacy.
3. Readers' privacy: In the reader privacy game, adversary A obtains the server's key and tries to determine which registered tag is being authenticated at the moment. If the probability that the adversary wins the game is negligible, the system is considered to meet readers' privacy.
4. Unforgeability: In the unforgeability game, adversary A obtains the keys of the server and the reader and tries to forge the output of some tag so as to pass the system's authentication during the authentication phase. If the probability that the adversary wins the game is negligible, the system is considered unforgeable.
To describe the operations that adversary A and challenger C can perform in the security games, Li et al. (15) abstractly defined a set of oracles that can be called and gave a formal definition of the RFID system security model. Detailed definitions and proofs are given in Ref. 15.

Definition and properties of bilinear map
Suppose G and $G_T$ are cyclic groups of prime order q and g is a generator of G; then $\hat{e} : G \times G \to G_T$ is called a bilinear map if it satisfies the following three properties: (18)
(1) Bilinearity;
(2) Computability: for any $u, v \in G$, $\hat{e}(u, v)$ is well defined and efficiently computable;
(3) Non-degeneracy: if g is a generator of G, then $\hat{e}(g, g)$ is a generator of $G_T$.

ARA Protocol Described by Li et al.
To protect the personal privacy of privileged members of the club, a new authorization protocol, referred to as the ARA protocol, was proposed. (15) The significant differences between this protocol and many previous authentication protocols are as follows: reader R and background server S are relatively independent; reader R must be authorized by background server S before it can authenticate tags; and while reader R authenticates tag T, background server S does not learn the information of tag T. Li et al. (15) divided the ARA protocol into three subprotocols P1, P2, and P3 according to the degree of protection of the tags' private information; in this paper we do not discuss P1 further, because it only provides basic protection of members' privacy, and concentrate on describing and improving P2 and P3.

Algorithm description of ARA protocol
The authentication process of the ARA protocol mainly consists of four algorithms, as shown in Table 1.

P2 and P3 of the ARA protocol
The authentication in P2 and P3 of the ARA protocol can be divided into two stages. The first stage is tag registration, or parameter initialization: when a tag is registered, the server issues a series of public information such as the server's public key, and the tag selects the public information it needs for initialization. When the membership card is activated, the tag's public key is sent to the server, and the private key is kept by the tag itself. Then the server authorizes the reader, that is, the server assigns a key with a deadline to the corresponding reader; once the deadline has expired, the reader no longer has the authority to authenticate tags. The second stage is the reader authenticating the tag, in which the reader and the server must work together to confirm whether the tag has been registered and is legitimate.
In the P2 and P3 of the ARA protocol, a multiplicative cyclic group whose order is prime p

Improved Protocol
Li et al. proposed the ARA protocol for the application scenario of a privileged member club, (15) which realized privacy protection for authorized RFID. On the basis of the ARA system model, and without losing its privacy and security, we propose in this paper two more efficient optimized protocols for P2 and P3 of the ARA protocol, namely the improved IARA protocols, referred to as IARA1 and IARA2.

Fig. 3. Specific authentication process of ARA protocol.

Send rsk to the server and send rpk to the reader.
Auth() (sk, PK, rsk, rpk): The reader authenticates the tags; if authentication passes, the corresponding tag identifier T is output; otherwise, the algorithm is terminated.

Authentication process of IARA1
Let G and $G_T$ be cyclic groups of prime order p, $\hat{e}$ a bilinear map associated with these groups, and g a generator of G. $H_1 : \{0,1\}^* \to \{0,1\}^n$ is a hash function (such as SHA-1) that maps an arbitrary bit string to a fixed-length bit string. The protocol process is described as follows.

Initialization phase
(1) ServerKeyGen(): Select $\alpha \in \mathbb{Z}_p^*$ at random and compute $(PK, SK) = (g^\alpha, \alpha)$ as the public and private keys of server S;
(2) TagKeyGen(): Select $x \in \mathbb{Z}_p^*$ at random and compute $(pk, sk) = (g^x, x)$ as the public and private keys of tag T; tag T stores (g, sk, pk, PK), and server S stores the public key pk of tag T;
(3) ReaderAuth(): To authorize reader R to verify the tag set $T_R$, server S selects $\gamma \in \mathbb{Z}_p^*$ at random and stores it. The reader stores $rpk = (\gamma, T_R)$.

Stage of the reader authenticating tags
Algorithm Auth() for readers authenticating tags: During the execution of the algorithm, the specific process of interactive authentication among the tag, the reader, and the server is shown in Fig. 4.

Authentication process of IARA2
Following the notation used for IARA1 above, h is a generator of G with h ≠ g. The authentication process of IARA2 is described as follows.

Initiation phase
(1) ServerKeyGen(): Select $\alpha \in \mathbb{Z}_p^*$ at random and generate $(PK, SK) = (h^\alpha, \alpha)$ as the public and private key pair of server S;
(2) TagKeyGen(): Select $x \in \mathbb{Z}_p^*$ at random and generate $(pk, sk) = (h^x, g^x)$ as the public and private key pair of tag T. Tag T stores (g, sk, pk, PK), and server S stores the public key pk of tag T;
(3) ReaderAuth(): To authorize reader R to verify the tag set $T_R$, server S selects $\gamma \in \mathbb{Z}_p^*$ at random, stores it, and computes $g^\gamma$. For each tag $T_i \in T_R$, the corresponding

Stage of tag authentication by the reader
Algorithm of the reader authenticating tag Auth(): The specific process of interactive authentication among the tag, the reader, and the server is shown in Fig. 5.
(2) Tag T randomly selects two values $r, s \in \mathbb{Z}_p^*$ and computes $C_1 = H_1(\hat{e}(g^\gamma, h)^s)$ and $T\,h^{\alpha\gamma}$. If there is a data pair $(T_i, h^{x_i \alpha \gamma})$ that satisfies the equation, indicating that a tag has been registered with server S and is legitimate, the corresponding legitimate tag identifier $T_i$ is output; otherwise, the authentication process is terminated.

Protocol Analysis and Comparison
Li et al. performed an efficiency analysis for P2 and P3 of the ARA protocol. (15) To show that the improved protocol in this paper is more efficient than the protocol proposed by Li et al., in this section performance analysis, comparison, and security descriptions are given for IARA1, IARA2, P2, and P3.

Performance analysis and comparison
The operating efficiency of this protocol scheme is mainly reflected in the reader's computing load and the server's computing load; the communication traffic depends on the number of bits transmitted between the reader and the server. The following is a performance analysis of the computation at the reader and server sides and of the traffic between the reader and the server for IARA1 and IARA2. Without loss of generality, we assume that the difference in efficiency between different hash functions is negligible; in the efficiency analysis, the running time of any hash function is denoted by H, G denotes the time of a group operation, $\hat{e}$ denotes the time of a bilinear pairing operation, and the number of bits of any element X is denoted by |X|.
1. Computation at the reader side: In IARA1, the reader only needs to compare $C = C_i$ once for the $C_i$ returned by the server, so the reader's computation is O(1). Compared with protocol P2, in which the reader has to execute a group operation and a bilinear pairing, the reader's execution efficiency is significantly improved.
2. Computation at the server side: α and $g^{x_i}$ are prestored at the server side, and computing $C_i$ requires only one hash operation H; thus, when the number of tags is n, the server's computation is nH. This is also significantly more efficient than the G + (2n + 1)H computed for P2 of the ARA protocol.
3. Communication traffic: According to the assumption of P2 of the ARA protocol, the reader has prestored the tag information $T_i \in T_R$, and the server does not transmit $T_i$ to the reader, so only the data set $\{C_i\}$ needs to be transmitted. When there are n tags, the traffic of IARA1 is $n|a|$, which halves the amount of data transmitted compared with P2, so IARA1 has a higher operating efficiency.
The efficiency analysis of IARA2 follows in the same way from that of IARA1. The results of the efficiency analysis and comparison between the improved IARA protocol proposed in this paper and the ARA protocol proposed by Li et al. are shown in Table 2, which shows that the improved protocol is more efficient than the previous ARA protocol.
In fact, the performance analysis in Ref. 15 is incorrect; taking P2 as an example, the server-side computation of P2 should be G + (2n + 1)H rather than G + 2nH. The
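As an added example (not from the paper or from Li et al.), the following Python models the bilinear-map definition of Sect. 2 and the operation-counting argument of this section in a toy "exponent" group: every element is stored as its discrete logarithm, so the code has no security value and only checks the algebra. It does not reproduce the IARA message flow (Figs. 4 and 5 are not on the page); the registration-time pairing, the per-run values and the use of SHA-256 as H_1 are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy model (added example, not from the paper): symmetric bilinear
# map e: G x G -> G_T of prime order q with elements stored as discrete logs.
# NO security (logs are public by construction); it only checks the algebra.
Q = 1000003              # prime group order q (small, illustration only)
PAIRING_CALLS = [0]      # how many times e() has been evaluated

class G:
    """Element g^a of G (or e(g,g)^a of G_T), stored as exponent a mod q."""
    def __init__(self, a, target=False):
        self.a, self.target = a % Q, target
    def __mul__(self, o):          # group operation: g^a * g^b = g^(a+b)
        return G(self.a + o.a, self.target)
    def __pow__(self, k):          # exponentiation: (g^a)^k = g^(a*k)
        return G(self.a * k, self.target)
    def __eq__(self, o):
        return (self.a, self.target) == (o.a, o.target)

g = G(1)                 # generator of G

def e(u, v):
    """Bilinear map: e(g^a, g^b) = e(g,g)^(a*b), landing in G_T."""
    PAIRING_CALLS[0] += 1
    return G(u.a * v.a, target=True)

def check_properties(trials=20):
    """Properties (1)-(3) of Sect. 2: bilinearity, computability, non-degeneracy."""
    for _ in range(trials):
        a, b, k = (secrets.randbelow(Q - 1) + 1 for _ in range(3))
        u, v = g ** a, g ** b
        if e(u ** k, v) != e(u, v) ** k or e(u, v ** k) != e(u, v) ** k:
            return False                       # (1) bilinearity in each slot
        if e(u * v, g) != e(u, g) * e(v, g):
            return False                       # (1) bilinearity over the group op
    return e(g, g) == G(1, target=True)        # (3) exponent 1 generates Z_q, q prime

def h1(x):
    """H_1: map a G_T element to a fixed-length bit string (SHA-256 stands in)."""
    return hashlib.sha256(x.a.to_bytes(4, "big")).hexdigest()

def register(pks):
    """Registration-time work: pair each stored tag key pk_i = g^(x_i) with g once."""
    return [e(pk, g) for pk in pks]

def per_run_values(precomputed, alpha, gamma):
    """Party holding exponents alpha, gamma (the server here): one exponentiation and one hash per tag, no pairing."""
    return [h1(p ** (alpha * gamma)) for p in precomputed]
```

A party that holds only PK = g^α instead of α must evaluate a fresh pairing e(pk_i, PK) per tag to reach the same value, which is the cost difference the comparison above is about.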
is denoted by G and $G_T$; $g, h \in G$ are two different generators of G; a further hash function maps an arbitrary bit string to the multiplicative cyclic group of the number field $\mathbb{Z}_p$, and $H_3 : \{0,1\}^* \to G$ is a hash function that maps an arbitrary bit string to the cyclic group G. The specific authentication processes for P2 and P3 of the ARA protocol are shown in Figs. 2 and 3, respectively. The authentication steps are given in Ref. 15.

and sends it as a response value to reader R; after reader R receives the tag's feedback information

Table 1. Main description of ARA protocol.
R, sk, R): Generate the public and private key pair of the reader: (rpk, rsk).