Hwaseong Lee 1∗ Eun Young Choi 2 Su-Mi Lee 2 Dong Hoon Lee1
Center for Information Security Technologies (CIST),
Korea University, Seoul, Korea
1
email{hwaseong,donghlee}@korea.ac.kr
2
email{bluecey,smlee}@cist.korea.ac.kr
1. Memory Cost. Normally, logic gates to be used for [4] D. N. Duc, J. Park, H. Lee, and K. Kim. En-
security are from 250 to 3000 in a tag [13]. In the hancing Security of EPCglobal Gen-2 RFID Tag
proposed scheme, a tag has to store one key and two against Traceability and Cloning. SCIS06, 2006.
binary matrices. A tag need not store the implementa- [5] EPC Radio-Frequency Identity Protocols Class-1
tion of a low-cost cryptographic primitives which can Generation-2 UHF RFID, EPCglobal Inc., 2005.
be constructed with 6 to 13 K gates [2]. It results in the
usage of less memory than previous scheme. [6] A. Juels. Minimalist Cryptography for Low-Cost
RFID Tags. SCN04, pp. 149-164, 2004.
2. Computation Cost. The proposed scheme requires
a lightweight bitwise operation both in a tag and a [7] A. Juels. RFID Security and Privacy:A Research
reader. It reduces the burden on database in process Survey. IEEE Journal on Selected Areas in Com-
of searching a tag ID as well as on a tag to operate. munications, Vol. 24, NO. 2, pp. 381-394, 2006.
3. Communication Cost. Communication cost can be af- [8] A. Juels and S. A. Weis. Authenticating Perva-
forded in a tag. If the bit length of R and the number of sive Devices with Human Protocols. Crypto05,
rows on M1 and the bit length of each row on M1 and pp. 293-308, 2005.
the length of ID are respectively 16, 128, 7, and 128, [9] S. Karthikeyan and M. Nesterenko. RFID Secu-
the length of message in Step 2 is in total 320 bits(= rity without Extensive Cryptography. SASN05,
128 + 192) and the length of message in step 3 is 256 pp. 63-67, 2005.
bits(= 128 + 128). A tag can afford it when consider-
ing a transmit rate in Section 3. By using complement [10] J. Kang and D. Nyang. RFID Authentication Pro-
rows, communication overhead is reduced as keeping tocol with Strong Resistance Against Traceability
strong security. and Denial of Service Attacks. ESAS05, pp. 164-
175, 2005.
We expect the proposed scheme to be practically used
[11] D. Molnar, A. Soppera, D. Wagner. A scalable,
in a current RFID tag. Further, it is likely to advance the
delegatable, pseudonym protocol enabling own-
feasible usage of RFID tag.
ership transfer of RFID tags. EASA05, pp. 1-16,
2005.
6 Conclusion
[12] M. Ohkubo, K. Suzuki, and S. Kinoshita. A
We defined attack models and security requirements for Cryptographic Approach to Privacy- Friendly tag.
RFID systems. As taking the requirements into account, RFID Privacy 2003 Workshop, 2003.
we proposed a lightweight mutual authentication, based on [13] P. Peris-Lopez, J. C. Hernandez-Castro, J.
trapdoor one-way property. The security of the proposed Estevez-Tapiador, A. Ribagorda. M2 AP: A Min-
scheme was proven under pre-defined attack models. It imalist Mutual-Authentication Protocol for Low-
means the proposed scheme to guarantee the security of cost RFID Tags. UIC06, pp. 912-923, 2006.
schemes performing cryptographic primitives, although it
does not perform cryptographic primitives and uses only [14] RFID Journal, http://www.rfidjournal.com/.
lightweight operation. Further, the proposed scheme can
be practically applied into current RFID systems because of [15] S. Sarma, S. Weis and D. Engels. Radio-frequency
lightweight property of the proposed scheme. identification : Security risks and challenges.
CryptoBytes 6, 2003.
References
[16] I. Vajda and L. Butydan. Lightweight authentica-
tion protocols for low-cost RFID tags. Workshop
[1] J. Bringer, H. Chabanne, E. Dottax. HB++ : on Security in Ubiquitous Computing, 2003.
a Lightweight Authentication Protocol Secure
agsint Some Attacks. eprint 2005. [17] http://protocol.korea.ac.kr/p̃uzzle
/paper/trapdoorRFID.pdf
[2] CRYPTOREC reports, published 2002