
5.3 Anonymizers in RFID Systems with Trusted Readers

5.3.2 Protocol Specification

Our RFID scheme consists of two protocols: the tag authentication and the tag anonymization protocol. The tag authentication protocol is executed by the reader R and a tag T and allows R to check whether T is legitimate. The tag anonymization protocol ensures anonymity and untraceability of T in the authentication protocol by updating the authentication secrets of T.

System Initialization

Reader setup. Given a security parameter $l_R = (h, n) \in \mathbb{N}^2$, the reader R generates a key pair $(sk_R, pk_R) \leftarrow \mathsf{Genkey}^h(1^h)$ for a CPA-secure homomorphic public-key encryption scheme (Definition 2.12). Moreover, R initializes a secret database $DB \leftarrow \{\}$ that later stores the identities and authentication secrets of all legitimate tags. The secret key of R is $sk_R$ whereas the corresponding public key is $(h, n, pk_R)$. For brevity, we write $pk_R$ to mean the complete tuple. Note that $n$ denotes the bit length of the authentication secrets and nonces used in the tag authentication and the tag anonymization protocols.

Anonymizer setup. Given a security parameter $l_P = (a, n) \in \mathbb{N}^2$, the anonymizer P generates a key pair $(sk_P, pk_P) \leftarrow \mathsf{Genkey}(1^a)$ for the CPA-secure public-key encryption scheme (Definition 2.12). The secret key of P is $sk_P$ whereas the corresponding public key is the tuple $(a, n, pk_P)$. We write $pk_P$ to mean the complete tuple.⁶

⁶ As discussed in Section 5.1, there are two scenarios: public anonymizers and personal anonymizers. Since all public anonymizers have the same secret decryption key, they can be initialized with this key before they are deployed and the corresponding public key can be used with all tags in the system. Personal anonymizers (i.e., those running on the users' mobile phone or PDA) can have different user-specific keys. However, this requires the user of a personal anonymizer to register the public key of the personal anonymizer once with the tag issuing entity before he obtains the first tag that shall be anonymized with this anonymizer. For instance, in the application scenario of electronic transit tickets, the user may register the personal anonymizer online or at a ticket vending machine once before he purchases the very first ticket.

Tag setup. A tag T with identifier $ID$ is initialized by the issuer I as follows: First, I generates a long-term secret $K \stackrel{\$}{\leftarrow} \{0,1\}^n$ and an ephemeral secret $T \stackrel{\$}{\leftarrow} \{0,1\}^n$, which are used later in the tag authentication protocol to authenticate T to the reader R. Moreover, I generates a symmetric encryption key $A \leftarrow \mathsf{Genkey}(1^s)$ for some $s \in \mathbb{N}$, which is used later by T to encrypt the communication of the anonymization protocol. Further, I encrypts $E \leftarrow \mathsf{Enc}_{pk_P}(A)$, $F \leftarrow \mathsf{Enc}^h_{pk_R}(T)$ and $G \leftarrow \mathsf{Enc}^h_{pk_R}(ID)$. The ciphertext $E$ is used to transport the symmetric key $A$ from T to P in the anonymization protocol whereas $F$ and $G$ are used to transport the ephemeral secret $T$ and the tag identifier $ID$ from T to R in the authentication protocol. Finally, I updates the database $DB \leftarrow DB \cup \{(ID, K)\}$ of R and initializes T with the state $S \leftarrow (A, T, E, F, G, ID, K)$.

Tag T holds $S = (A, T, E, F, G, ID, K)$; Reader R holds $(sk_R, pk_R, DB)$.

R: $N \stackrel{\$}{\leftarrow} \{0,1\}^n$
R → T: $N$
T: $D \leftarrow \mathsf{RO}(N, F, G, T, K)$
T → R: $D, F, G$
R: $ID' \leftarrow \mathsf{Dec}^h_{sk_R}(G)$
R: if $DB$ contains a pair $(ID', K')$ then
R:     $T' \leftarrow \mathsf{Dec}^h_{sk_R}(F)$
R:     if $\mathsf{RO}(N, F, G, T', K') = D$ then return $ID'$
R: else return $\bot$

Figure 5.2: Privacy-Preserving Tag Authentication Protocol

Tag Authentication Protocol

The authentication protocol (cf. Figure 5.2) is an interactive protocol between a tag T with identifier $ID$ and the reader R with the goal to identify T on the reader side. R sends $N \stackrel{\$}{\leftarrow} \{0,1\}^n$ to T, which then computes $D \leftarrow \mathsf{RO}(N, F, G, T, K)$, where $\mathsf{RO}$ is a random oracle (Definition 2.5), and responds with $(D, F, G)$. Then, R decrypts $ID' \leftarrow \mathsf{Dec}^h_{sk_R}(G)$ and checks if its secret database $DB$ contains a tuple $(ID', K')$. If this is the case, R decrypts $T' \leftarrow \mathsf{Dec}^h_{sk_R}(F)$ and accepts T by returning $ID'$ only if

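Tag T holds $S = (A, T, E, F, G, ID, K)$; Anonymizer P holds $(sk_P, pk_P, pk_R)$.

START
T: $N \stackrel{\$}{\leftarrow} \{0,1\}^n$
T → P: $N, E$
P: $T^* \stackrel{\$}{\leftarrow} \{0,1\}^n$
P: $F^* \leftarrow \mathsf{Enc}^h_{pk_R}(T^*)$
P: $G^* \leftarrow \mathsf{Enc}^h_{pk_R}(1)$
P: $A \leftarrow \mathsf{Dec}_{sk_P}(E)$
P: $\lambda \leftarrow \mathsf{Enc}_A(T^*, F^*, G^*, N)$
P → T: $\lambda$
T: $(T^*, F^*, G^*, N') \leftarrow \mathsf{Dec}_A(\lambda)$
T: if $N' = N$ then
T:     $T' \leftarrow T \circ T^*$
T:     $F' \leftarrow F \bullet F^*$
T:     $G' \leftarrow G \bullet G^*$
T:     $(T, F, G) \leftarrow (T', F', G')$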

Figure 5.3: Tag Anonymization Protocol for Privacy-Preserving Authentication

Tag Anonymization Protocol

The tag anonymization protocol is illustrated in Figure 5.3. It is a protocol between a tag T with identifier $ID$ and an anonymizer P with the goal to update the state $S$ of T. First, T chooses $N \stackrel{\$}{\leftarrow} \{0,1\}^n$ and sends $(N, E)$ to P. Then, P chooses a new ephemeral tag secret $T^*$ and encrypts it to $F^* \leftarrow \mathsf{Enc}^h_{pk_R}(T^*)$. Moreover, P computes an encryption $G^* \leftarrow \mathsf{Enc}^h_{pk_R}(1)$ of the identity with regard to the homomorphic operation $\circ$ of the public-key encryption scheme. Finally, P decrypts $A \leftarrow \mathsf{Dec}_{sk_P}(E)$, computes $\lambda \leftarrow \mathsf{Enc}_A(T^*, F^*, G^*, N)$ and sends $\lambda$ to T. Then, T decrypts $(T^*, F^*, G^*, N') \leftarrow \mathsf{Dec}_A(\lambda)$ and checks whether $N' = N$.

If this is the case, T computes a new ephemeral authentication secret $T' \leftarrow T \circ T^*$, the (homomorphic) public-key encryption $F' \leftarrow F \bullet F^*$ of the new ephemeral key $T'$ and a new (re-randomized) encryption $G' \leftarrow G \bullet G^*$ of the tag identifier $ID$. Eventually, T updates its state $(T, F, G) \leftarrow (T', F', G')$. If $N' \neq N$, T aborts the anonymization protocol without updating its state.
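The authentication check of Figure 5.2 and the state update of Figure 5.3 can be exercised end to end with a toy instantiation; the following is an added example, not code from the original text. It assumes multiplicative ElGamal over a small prime field as the homomorphic scheme (the text names no concrete scheme), SHA-256 in place of the random oracle, and omits the symmetric channel $(E, \lambda)$ between tag and anonymizer; all function names are hypothetical.

```python
import hashlib, hmac, secrets

P, BASE = 2**127 - 1, 3   # toy ElGamal group (assumption; not a secure parameter choice)

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(BASE, sk, P)

def enc(pk, m):                                   # Enc^h_pk(m), m in [1, P-1]
    r = secrets.randbelow(P - 2) + 1
    return pow(BASE, r, P), m * pow(pk, r, P) % P

def dec(sk, c):                                   # Dec^h_sk(c)
    return c[1] * pow(c[0], P - 1 - sk, P) % P

def cmul(c, d):                                   # ciphertext operation "•"
    return c[0] * d[0] % P, c[1] * d[1] % P

def ro(*vals):                                    # SHA-256 stands in for RO
    return hashlib.sha256(repr(vals).encode()).digest()

def tag_setup(pk_r, db, tag_id):                  # issuer I: stores (ID, K), builds tag state
    K, T = secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 1) + 1
    db[tag_id] = K
    return {"T": T, "F": enc(pk_r, T), "G": enc(pk_r, tag_id), "K": K}

def tag_respond(S, N):                            # tag: D <- RO(N, F, G, T, K)
    return ro(N, S["F"], S["G"], S["T"], S["K"]), S["F"], S["G"]

def reader_verify(sk_r, db, N, D, F, G):          # reader side of Figure 5.2
    tag_id = dec(sk_r, G)
    if tag_id not in db:
        return None                               # corresponds to ⊥
    ok = hmac.compare_digest(ro(N, F, G, dec(sk_r, F), db[tag_id]), D)
    return tag_id if ok else None

def authenticate(sk_r, db, S):                    # one full run with a fresh nonce N
    N = secrets.randbits(128)
    return reader_verify(sk_r, db, N, *tag_respond(S, N))

def anonymizer_update(pk_r):                      # anonymizer: T*, F* = Enc(T*), G* = Enc(1)
    t_star = secrets.randbelow(P - 1) + 1
    return t_star, enc(pk_r, t_star), enc(pk_r, 1)

def tag_apply(S, update):                         # tag: T' = T∘T*, F' = F•F*, G' = G•G*
    t_star, f_star, g_star = update
    S["T"] = S["T"] * t_star % P                  # "∘" is multiplication mod P here
    S["F"], S["G"] = cmul(S["F"], f_star), cmul(S["G"], g_star)

if __name__ == "__main__":
    sk_r, pk_r = keygen(); db = {}
    S = tag_setup(pk_r, db, 4242)                 # 4242 is a constructed tag ID
    before = authenticate(sk_r, db, S)
    tag_apply(S, anonymizer_update(pk_r))
    print(before, authenticate(sk_r, db, S))
```

After `tag_apply`, the values $F$ and $G$ sent over the air differ from the previous ones, yet the reader still decrypts the same $ID$ and a $T'$ that matches the tag's updated secret.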
