CHECKER: On-site checking in RFID-based supply chains

(1)

CHECKER: On-site Checking in RFID-based Supply Chains

Kaoutar Elkhiyaoui

EURECOM 2229, route des Cretes 06560 Sophia Antipolis,

France

Erik-Oliver Blass

∗ College of Computer and

Information Science Northeastern University

Boston, MA 02115

Refik Molva

EURECOM 2229, route des Cretes 06560 Sophia Antipolis,

France

ABSTRACT

Counterfeit detection in RFID-based supply chains aims at prevent-ing adversaries from injectprevent-ing fake products that do not meet qual-ity standards. This paper introduces CHECKER, a new protocol for counterfeit detection in RFID-based supply chains through on-site checking. While RFID-equipped products travel through the sup-ply chain, RFID readers can verify product genuineness by check-ing the validity of the product’s path. CHECKERuses a polynomial-based encoding to represent paths in the supply chain. Each tagT

in CHECKERstores an IND-CCA encryption ofT’s identifierID

and a signature ofIDusing the polynomial encoding ofT’s path as secret key. CHECKERis provably secure and privacy preserv-ing. An adversary can neither inject fake products into the supply chain nor trace products. Moreover, RFID tags in CHECKERcan be cheap read/write only tags that do not perform any computation. Per tag, only 120 Bytes storage are required.

Categories and Subject Descriptors

H.m [Information Systems]: Miscellaneous

General Terms

Security

Keywords

Privacy, RFID, Supply chain management

1. INTRODUCTION

One important application of RFID tags is product tracking and counterfeit detection in supply chains. In such a context, RFID tags are attached to products to enable product tracking along different partners in the supply chain.

In this paper, we propose a solution for genuineness verification based on RFID tags that allows product tracking while protecting the privacy of tags and partners in the supply chain. The main idea is to verify the genuineness of a product by verifying the validity

∗

Work done while at EURECOM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

Copyright 20XX ACM X-XXXXX-XX-X/XX/XX ...$10.00.

of the path (sequence of partners) that the product went through in the supply chain as suggested by Blass et al. [4].

However, the solution presented in [4] has two major drawbacks: 1.)It requires a centralized, trusted party called“manager”to carry out the path verification; otherwise, the manager is able to inject fake products into the supply chain. 2.) The verification can only be performed once the tags arrive at the manager, but not before. This limits the wide deployment of such a solution, especially in a context where partners do not trust each other and demand to be able to verify product genuineness in real-time “on-site”.

Contrary to Blass et al. [4], the solution presented in this paper addresses on-site checking by enabling each reader in the supply chain to verify the validity of the path taken by the tag, instead of a global path verification performed by a trusted party that only takes place at the final stage of the supply chain. Though such a so-lution will allow a faster and a more practical counterfeit detection, it comes with new threats to supply chain security and privacy.

With respect to security, the readers have to be able to verify the genuineness of a product by only reading the tag attached to the product. However, we have to make sure that these readers can by no means succeed in injecting fake products in the supply chain.

Furthermore, a product tracking system must take into account privacy concerns. Any solution that aims at tracking and tracing products is inherently exposed to malicious attacks targeting sensi-tive information about internal details and strategic relationships in the supply chain. Another requirement is the unlinkability of tags so that a reader in the supply chain must not be able to trace or tell tags apart once they leave its site. Moreover, a reader must not be able to learn any information about the path stored in a tag which has not visited its site.

Also, a secure and privacy preserving RFID-based solution has to be lightweight to allow wide deployment. Ideally, it should be suited to the cheapest RFID tags, i.e., read/write only tags. These tags come only with some re-writable memory and cannot perform any computation, let alone cryptographic operations. Moreover, the path verification at the readers should not be computationally heavy to avoid overloading readers and, thus hindering supply chain per-formance.

This paper introduces CHECKER, a secure and privacy preserv-ing protocol for on-site genuineness verification and product track-ing in supply chains ustrack-ing RFID tags. CHECKERstores in each tag

(2)

Cramer-Shoup encryption [8].

To summarize, CHECKER’s main contributions are:

• In contrast to [4], CHECKERdoes not require a trusted party to perform path verification. Instead, CHECKERallows each reader in the supply chain to individually verify on-site whether a tag went through a valid path or not.

• CHECKERrelies only on read/write only tags that are cheap and thus could allow wide deployment of CHECKER. A tag

T in CHECKERis not required to perform any computation.

T is only required to store its state that will be updated by readers along the supply chain.

• CHECKERis provably secure: an adversary cannot forge new tags. That is, an adversary cannot forge or change a tagT’s state to convince a reader in the supply chain thatT went through a valid path.

• CHECKERis provably privacy preserving: only readers in the supply chain can verify the validity of paths that tags have taken in the supply chain. Furthermore, an adversary cannot trace or link tags’ interactions in the supply chain.

• Finally, CHECKERovercomes some limitations of the formal security and the privacy definitions of [4].

2. BACKGROUND

We use terms and notations in accordance with the ones used by Ouafi and Vaudenay [18] and by Blass et al. [4].

In this paper, the supply chain consists of a set of valid paths: an ordered sequence of steps, i.e., partner sites, that genuine products are allowed to visit.

Now, each read/write only RFID tag is attached to a product and it stores a history of the path that the product has taken. As in [4], each step of the supply chain is equipped with an RFID reader. Each reader reads out the state of tags in its vicinity and checks whether these tags went through a valid path in the supply chain or not. Finally, the reader updates the state of tags accordingly.

2.1 Entities

CHECKERinvolves the following entities:

TagsTi: Each tag is attached to a single product or item. Each

tagTiis equipped with a re-writable memory storingTi’s current

“state” denotedsj_T i.

IssuerI: The issuerI initializes tags at the beginning of the supply chain. It attaches each tagTito a product and writes an

initial states0TiintoTi.

ReadersRk: Each reader is associated with a single step in the

supply chain. A readerRkinteracts with tagsTiin its range. He

readsTi’s current statesjTiand based on a setK

V k ={K

1

k, K

2

k, ...,

Kνk

k }ofνk verification keys decides whetherTiwent through a

valid path or not. Once the verification phase is finished,Rkwrites

an updated statesj_T+1 i intoTi.

2.2 Supply chain

A supply chain is modeled as a digraphG= (V, E), whereV is the set of vertexes andEis the set of edges. Each vertexvk∈V is

a step in the supply chain that is uniquely associated with a reader

Rk. On the other hand, each edgee ∈ E,e :=−−→vivj, denotes a

valid transition fromvitovj. The issuerIis represented inGas

being the only vertex with indegree equals to 0 denotedv0. A path in a supply chainPis a finite ordered set of stepsP = {v0,v1. . . ,vl}, where∀i∈ {0, . . . , l−1}:−v−−−ivi+1→∈E, andlis the length of pathP.

Naturally, the supply chain contains a set of valid pathsPvalidi,

which are the set of paths that genuine products are allowed to go through.

Contrary to [4], in this paper we do not assume the existence of a“manager”that checks the validity of the path that a product has undertaken. Instead, CHECKER attempts to allow each reader in the supply chain to verify whether the products that it is presented with went through a valid path or not.

2.3 A CHECKER System

A CHECKERsystem comprises the following:

• A supply chainG= (V, E).

• A setT ofntags.

• A set of possible statesSthat could be stored into tags.

• A setRofηreadersRk.

• Each readerRkknows a setPk ={P1k,P

2

k, ...,P νk

k }ofνk

valid paths leading toRk.

• Also, readerRkhas a setKkV ={Kk1, Kk2, ..., K νk

k }ofνk

verification keys. Each verification keyK_kjcorresponds to a valid pathPj_k.

• IssuerI.

• A set of valid statesSvalid. If tagTi stores a statesjTi ∈ Svalid, then this implies thatTitook a valid path in the supply

chain with high probability.

• A function ITERATESUPPLYCHAIN: When called, tags ad-vance by one step in the supply chain and they are read and re-written by readers.

• A function READ:T → Sthat reads tagTiand outputsTi’s

current statesj_T i.

• A function WRITE:T × S → Sthat writes a new statesjT+1i

into tagTi.

• A function CHECK:R × T → {0,1}performed by readers in the supply chain. Based onTi’s current statesj_T

iand the

set of verification keyKV

k of a readerRk, CHECK decides

whetherTiwent through a valid path in the supply chain that

is leading toRkor not.

CHECK(Rk, Ti) :S →

8

> <

> :

1, if tagTiwent through a

valid pathPjk∈ Pk

or 0, if@Pj_k∈ Pkthat matches

Ti’s state.

3. ADVERSARY MODEL

Readers in CHECKERare supposed to read the state stored into tags, check whether the tags took a valid path in the supply chain and then update the tags’ states accordingly. We assume that read-ers’ corruption is possible. That is, readers can try tracking tags in order to spy on other readers, as well as injecting fake products in the supply chain.

(3)

As CHECKERrelies on read/write only tags to implement prod-uct tracking, an adversaryAagainst CHECKERis not only allowed to eavesdrop on tags’ communication but to also tamper with tags’ internal state. A can as well have access to the communication between tags and readers and know the stepsvkthat a tagTis

vis-iting. He can also monitor a stepvkin the supply chain by

eaves-dropping on tags going into or leaving the stepvk.

To capture these capabilities in our definitions, an adversaryA

has access to the following oracles:

• ODraw(condition): When queried with a conditionc,ODraw

randomly selects a tagT from thentagsT in the supply chain that satisfies the conditioncand returnsT toA. For example:

1. To have access to a tagTwhich just entered the supply chain, i.e.,T is at stepv0,Aqueries the oracleODraw

with conditionc=“tag at stepv0”.

2. To have access to a tagTwhose identifier isID,Acalls the oracleODrawwith conditionc=“tag with identifier

ID”. ODrawreturns a tag with identifierIDif there is

any.

3. To have access to a tagT whose next step in the sup-ply chain is stepvk,Aqueries the oracleODrawwith

conditionc=“tag’s next step isvk”.

We indicate that adversaryAcan query the oracleODrawwith

any combination of disjunctions or conjunctions of condi-tions.

• OCheck(Rk, T): On input of readerRkand tagT,OCheck

re-turns the output of the CHECKfunction performed by reader

Rkfor tagT.

• OStep(T): On input of tagT, the oracleOStep(T)returns the

nextstep of tagT in the supply chain.

• OFlip(T0, T1): On input of two tagsT0andT1,OFlipflips a

coinb∈ {0,1}and returns tagTbtoA.

• OCorrupt(Rk): On input of readerRk, the oracleOCorrupt

returns the secret informationSkassociated with readerRk

toA. We say thatAcorrupted the stepvkassociated with

readerRk.

Note that wheneverA is given access to a tagT, Ais allowed to read fromT by calling the function READand to write intoT

through the function WRITE.

By having access to these oracles, an adversaryAis able1.)to corrupt readers,2.) to have an arbitrary access to tags, and3.) to monitor readers in the supply chain.

3.1 Security

The security goal of CHECKERis to prevent an adversaryAfrom forging a valid state for a tagTithat did not go through a valid path

in the supply chain. This goal matches thesoundnessproperty of the CHECKfunction.

More formally, if on input of a of tagTi and readerRk, the

function CHECK(Rk, Ti)outputs1, i.e., there is a pathPjk ∈ Pk

that corresponds to the statesTi stored intoTi,thenwe conclude

thatTimust have gone throughPj_k(with high probability).

It is important to note that when we say that a tagTiwent through

pathP=−−−−−→v0v1...vl, this means that tagTiwas issued byIand that

the state ofTihas been updated correctly by using the secrets of

readersR1, R2, ..., Rlin that order. It does not mean thatTiwent

actually through the steps composing the pathP. If we imagine a scenario where an adversaryAknows all the readers’ secrets,A

can update the state of any tagTiand make it look as ifTiwent

through some pathP.

Now, we say that CHECKER issound, if and only if, a reader

Rkin the supply chain accepts a tagTionly when the state of tag

Tihas been updated correctly using the secrets of readers in some

valid path leading toRk.

We formalize soundness using an experiment-based definition as in [4]. In this experiment, an adversaryAruns in two phases. First in the learning phase as depicted in Algorithm 1,Acan corrupt up torreadersRiof his choice by calling the oracleOCorrupt.

Then,Ais allowed to iterate the supply chain up toρtimes by calling the function ITERATESUPPLYCHAIN. Whenever called, the function ITERATESUPPLYCHAINadvances the tags to their next step.

In each iteration of the supply chain,Acan call the oracleODraw

to get up tostagsT(i,j)that satisfy some conditionc(i,j)specified byA. Acan read from and write into these tagsT(i,j). He can as well query the function CHECKfor each tagT(i,j).

fori:= 1to rdo

Si← OCorrupt(Ri);

end

fori:= 1toρdo

ITERATESUPPLYCHAIN; forj:= 1to sdo

T(i,j)← ODraw(c(i,j));

si

T_(i,j):=READ(T(i,j)); WRITE(T(i,j), s0

i T_(i,j));

bT(i,j)← OCheck(RT(i,j), T(i,j));

end end

Algorithm 1:Security learning phase ofA

Tc← A;

fori:= 1to ηdo

b(i,Tc)← OCheck(Ri,Tc);

end

Algorithm 2:Security challenge phase ofA

Finally in the challenge phase,Aselects a challenge tagTcthat

he gives to the oracleOCheck, cf., Algorithm 2.OCheckoutputs a set

ofηbitsb(i,Tc)such thatb(i,Tc)=CHECK(Ri,Tc). Ais said to be successful if and only if:

i.) ∃Risuch that CHECK(Ri,Tc) = 1, i.e., there is a pathPji

that corresponds toTc’state;ii.) ∃v ∈Pji such that stepvis not

corrupted byA;iii.)and finally,Tcdid not go through stepv.

DEFINITION1 (SECURITY). CHECKERprovides security⇔

For adversaryA, inequalityP r[Ais successful]≤ |Svalid|

S +

holds, whereis negligible.

The adversaryAcaptured by the definition above is a non narrow strong adversary in the sense of [22]. He can access tags arbitrarily and tamper with their states. He is also allowed to access the out-put of the protocol and corrupt readers. In the real world, such an adversary corresponds to a partner in the supply chain whose goal is to inject fake products.

(4)

can always invalidate the state ofTileading the CHECKfunction

to output 0.

Cloning. CHECKERtargets read/write only tags to perform on-site checking. As a result, any malicious entity can read and re-write the content of tags, and therewith, it can clone tags. Such an attack cannot be prevented in a setting that relies on read/write only tags which cannot implement any reader authentication.

To mitigate this problem, each partnerPi in the supply chain

keeps a databaseDBithat contains the identifiers of tags present

atPi’s site. Then, time is divided into epochsek (typically, the

duration of an epochek is one day) and partners are required to

update their databases at the beginning of each epochek.

To detect clones, each pair of partnersPiandPjinvoke a

proto-col for privacy preserving set intersection [9, 10] at the beginning of each epochek, to check whether there is an identifierIDthat is

present in both of their databases. At the end of the privacy pre-serving set intersection protocol, both partners obtain a set of iden-tifiersS(i,j)=DBi∩DBjthat represent the clones in their sites. If

S(i,j) 6=∅, thenPiandPjcan discard the clones and investigate

where the clones come from.

3.2 Privacy

In line with previous work [4], a privacy preserving verification of product genuineness in the supply chain should meet the two following requirements:

1.)An adversaryAmust not be able to distinguish between tags based on their interactions with the readers in the supply chain or based on their interactions withA. This requirement deals with tracking attacks. If the adversary is not able to tell tags apart, he will not be able to track tags along the supply chain. We call this re-quirementtag unlinkabilityin accordance with [4, 15]. Notice that tag unlinkability is a stronger requirement than tag confidentiality. If an adversaryAis able to jeopardize tag confidentiality, then he is automatically able to tell tags apart. Consequently, if CHECKER ensures tag unlinkability, then it ensures tag confidentiality as well. 2.) An adversaryAmust not be able to learn any information about the path of a tagTiin the supply chain. Such a requirement

ensures the privacy of the internal processes of the supply chain. Being unable to disclose any information about the path that tags took, the adversary cannot tell the origin of a tagTihe is having

access to, either the steps thatTiwent through or the pallet of tags

thatTibelongs to. In [4], this privacy requirement was captured by

the notion ofstep unlinkability. More precisely, given two tagsTi

andTj, an adversaryAmust not be able to tell whetherPi ∩ Pj=

{v₀}or not, wherePiandPjdenote the paths of tagsTi andTj

respectively. Observe that, all tags are issued by issuerIand thus, they all go through stepv0. For further details on step unlinkability, the interested reader may refer to Appendix A.1.

However, the definitions of tag unlinkability and step unlinkabil-ity as presented in [4] have two limitations:

1.) It is assumed that the managerMperforming path verifica-tion cannot be corrupt. In this paper, path verificaverifica-tion is performed by readers along the supply chain and these readers can behave ar-bitrarily, i.e., can be corrupt.

2.) It is assumed that adversaryAhas only a random access to tags in the supply chain. That is,Acannot choose tags he wants fromT. In this work, adversaryAhas more freedom in picking tags through the oracleODraw. We recall thatAcan query the oracle

ODrawwith a set of conditionsci, andODrawhas to return a tagT

satisfying these conditions if there is any.

To address these limitations, we extend the privacy definitions of [4] by considering a more realistic adversaryAwho is allowed to corrupt readers and to select tags according to some conditions

determined by him through the oracleODraw.

One result of our modifications to privacy definitions is proving that if CHECKERensures tag unlinkability, then it will as well en-sure step unlinkability, see Appendix A.2 for a thorough analysis. Henceforth, we only focus on tag unlinkability.

Tag unlinkability

Read/write only tags cannot perform any computation. As a result, a tagTiin CHECKERrelies on readers in the supply chain to update

its state, i.e.,Ti’s state does not change in between two protocol

executions. Therefore, it is impossible to ensure tag unlinkability against an adversary who monitors all ofTi’s interactions.

Accord-ingly, there has to be at leastone unobservedinteraction between

Tiand anhonestreader outside the range of the adversaryA. This

is in compliance with previous work dealing with read/write only tags, see Ateniese et al. [1], Dimitrou [11], Sadeghi et al. [19] and Blass et al. [4].

However, this assumption alone is not sufficient to ensure tag un-linkability against readersRkalong the supply chain. Notice that

the genuineness verification of tags require readersRkto have

ac-cess to tags’ identifiers or tags’ pseudonyms. Although, adversary

Adoes not observe all ofTi’s interaction, he will be always able to

link the interactions of tagTiwith corrupt readers.

Thus, we consider that adversaryAis successful in mounting an attack against tag unlinkability if he is able to distinguish between two tagsT0 andT1 which are not present at corrupt readers, and ifT0andT1 had at least one interaction with an honest readerRi

outside the range ofA.

We illustrate tag unlinkability by an experiment depicted in Al-gorithm 3 and AlAl-gorithm 4.

In the learning phase,A(r, s, ρ, )can call the oracleOCorruptto

corrupt up torreadersRi. Ais provided then with two challenge

tagsT0 andT1 that just entered the supply chain (tags at stepv0) from the oracleODraw. AdversaryAstarts iterating the supply chain

up toρtimes.

Before each iteration of the supply chain,Acan read and write into tagsT0,T1. He can also query the oracleOStepto get the next

steps of tagsT0andT1. Moreover, the oracleODrawsuppliesAwith

stagsT(i,j)fulfilling some conditionc(i,j). Acan read from and write into tagsT(i,j).Ais also supplied with the next step of tags

T(i,j). Athen iterates the supply chain and reads the state stored into tagsT(i,j).

In the challenge phase, cf., Algorithm 4,Ais provided with the next step of tagsT0andT1. He is also allowed to read and write intoT0andT1one more time. Then, the supply chain is iterated first outside the range ofA. That is, tagsT0andT1has an unobserved interaction with an honest reader outside the range ofA.

The oracleOFlipsuppliesAwith the tagTbwhichAcan read.

At the end of the challenge phase,Ais required to output his guess of bitb.

Ais said to be successful ifi.)his guess ofbis correct,ii.)the readers associated with stepsvkT0+1andv

k0+1

T1 are not corrupt, and

iii.)the reader associated with the next step of tagTbat the end of

the challenge phase is not corrupt byA.

DEFINITION2 (TAGUNLINKABILITY). CHECKERprovides tag unlinkability⇔ For adversaryA, inequalityP r(Ais success-ful)≤1

2+holds, whereis negligible.

In a real world scenario, the adversaryAagainst the above ex-periment corresponds to a set ofrpartners{P1, P2, ..., Pr}in the

(5)

fori:= 1tordo

Si← OCorrupt(Ri);

end

T0← ODraw(“tag at step ”v0);

T1← ODraw(“tag at step ”v0); fori:= 0toρ−1do

viT+10 ← OStep(T0); siT0:=READ(T0);

WRITE(T0, s0Ti0); viT+11 ← OStep(T1); siT1:=READ(T1);

WRITE(T1, s0Ti1);

forj= 1tosdo

T(i,j)← ODraw(c(i,j));

vT_(i,j)← OStep(T(i,j));

sT(i,j):=READ(T(i,j));

WRITE(sT(i,j), s

0

T_(i,j));

end

ITERATESUPPLYCHAIN; forj= 1tosdo

READ(T(i,j)); end

end

Algorithm 3:A’s tag unlinkability learning phase

vkT0+1← OStep(T0); skT0 :=READ(T0);

WRITE(T0, s0Tk0); vkT10+1← OStep(T1); skT10 :=READ(T1);

WRITE(T1, s0k 0 T1);

ITERATESUPPLYCHAIN;// Outside the range ofA Tb← OFlip{T0,T1};

sTb:=READ(Tb);

OUTPUTb;

Algorithm 4:A’s tag unlinkability challenge phase

Note on tag unlinkability. The adversaryAdefined above is a narrow adversary as defined by Vaudenay [22]. That is,Adoes not have access to the output of the protocol in the challenge phase. In CHECKER’s case, this corresponds to not accessing the result of the CHECKfunction. Note that if we allowAto have access to the output of the CHECKfunction,Acan mount a trivial attack where he writes garbage, i.e., “dummy data” into a tagTi. TagTiwill not

be accepted by any reader in the supply chain with high probability, and thusAcan always distinguishTifrom legitimate tags.

4. PROTOCOL

Protocol overview

In CHECKER, a tagT stores a statesj_T which consists of the en-cryptionofT’s identifierIDand theencryptionof apath signature

that encodes the sequence of steps thatThas visited.

To efficiently encode paths in the supply chain, we rely on a polynomial-based representation as introduced by Blass et al. [4]. That is, each pathPin the supply chain will match the evaluation of a unique polynomialQPin a fixed valuex0, i.e., a pathPin the supply chain is mapped toQP(x0)∈Fq.

A tagTgoing through a valid pathPstores a randomly encrypted

statesj_T = (Enc(ID),Enc(σP(ID))), such thatIDisT’s identifier,

σP(ID) = H(ID)QP(x0), andH is a cryptographic hash function.

The statesj_Tcould be regarded as a messageIDand a signature on this message using the secret keyQP(x0).

In CHECKER, the issuerIinitializes a tagTby writing an initial encrypted states0T. A readerRkin CHECKERreads the encrypted statesj_T stored intoT and decrypts it using its secret keyskkto

get the pair(ID, σP(ID)). Rk then uses its set ofνk verification

keysKV k ={K

1

k, K

2

k, ..., K νk

k }to verify whetherTwent through

a valid path leading toRk or not. After path verification, reader

Rkuses an update functionfkto update the state stored into tagT

accordingly. Finally,Rkencrypts the new state of tagT using the

public key ofT’s next step.

Privacy and security overview

To protectprivacyof tags in the supply chain against readers, tags store an IND-CCA secure encryption of their states. For ease of presentation, we use Cramer-Shoup’s scheme (CS for short) [8] as the underlying encryption. As CHECKERtakes place in subgroups of elliptic curves that support bilinear pairings, we note that any IND-CCA secure scheme that takes place in DDH-hard groups can be used to encrypt the tag state. Furthermore, readers in the supply chain do not share the same CS pair of keys, instead each reader

Rkis equipped with a matching pair of CS public and secret keys (skk,pkk).

To ensure security, a tagT in CHECKERstores a signature of its

IDusing the polynomial-based encoding of the path it took. With-out having access to the polynomial-based encoding of valid paths, an adversary cannot forge a valid state; otherwise, we show that there is an adversary who is able to break the bilinear computa-tional Diffie-Hellman (BCDH) assumption.

First, we introduce some of the definitions, notations and as-sumptions that will be used in the rest of the paper.

4.1 Preliminaries

CHECKERtakes place in subgroups of elliptic curves that sup-port bilinear pairings. Similar to related work on elliptic curves supporting bilinear pairings, we use multiplicative group notation [1, 2, 5]. IfGis a subgroup of orderqof some elliptic curveE, then

for allg∈Gandx∈Zq,gxdenotes point multiplication ofgby

x.

4.1.1 Bilinear pairings

LetG1,G2 andGT be groups, such thatG1 andGT have the

same orderq.

A pairinge:G1×G2→GTis a bilinear pairing if:

1. eisbilinear:∀x, y∈Zq,g∈G1andh∈G2,e(gx, hy) =

e(g, h)xy;

2. eiscomputable: there is an efficient algorithm to compute

e(g, h)for any(g, h)∈G1×G2;

3. e isnon-degenerate: ifg is a generator ofG1 andh is a generator ofG2, thene(g, h)is a generatorGT.

CHECKER’s security and privacy rely on the Bilinear Computa-tional Diffie-Hellman (BCDH) assumption and the Symmetric Ex-ternal Diffie-Hellman (SXDH) assumption [3, 20].

DEFINITION3 (BCDH ASSUMPTION). Letgbe a generator ofG1andhbe a generator ofG2. We say that the Bilinear

(6)

DEFINITION4 (SXDH ASSUMPTION). The Symmetric Exter-nal Diffie-Hellman assumption holds ifG1andG2are two groups

with the following properties:

1. There exists a bilinear pairinge:G1×G2→GT; 2. the decisional Diffie-Hellman problem (DDH) is hard in both

G1andG2.

Hence, CHECKER uses bilinear groups where DDH is hard, see Ateniese et al. [1, 2], Ballard et al. [3], Scott [20]. These groups can be chosen as specific subgroups of non supersingular elliptic curves such as Miyaji-Nakabayashi-Takano (MNT for short) curves [16]. Moreover, results by Galbraith et al. [13] indicate that these elliptic curves are the most efficient setting to implement pairing-based cryptography.

4.1.2 Polynomial-based path encoding

In this section, we briefly recall the polynomial-based path en-coding as presented in [4]. In a nutshell, each stepvi, 0≤i≤η,

in the supply chain is associated with a unique random number

ai∈Fq, whereqis a large prime (|q|= 160bits).

Each path in the supply chain is mapped to a unique polynomial inFq. The polynomial corresponding to pathP = −−−−−→v0v1...vlis

defined as:

QP(x) =a0xl+

l

X

i=1

aixl−i (1)

To have a compact representation of paths, a pathPis encoded as the evaluation ofQPatx0, wherex0is a generator ofF∗q.

Con-sequently, providing an efficient encoding of paths that does not depend on the length of the paths.

We point out that when the coefficientsaiare chosen randomly

inFq, then the above encoding has the following property: for any

two different pathsPandP0,QP(x0)6=QP0(x0)with high proba-bility, see [17] for more details.

In the remainder of this paper, we denoteφ(P) = QP(x0)the polynomial-based encoding of pathP.

For all pathsPand for all stepsvkin the supply chain, the

fol-lowing holds:

φ(−→Pvk) =x0·φ(P) +ak

4.1.3 Path signature in

CHECKER

LetT be a tag with the unique identifier ID ∈ G1 that went through the pathP=−−−−−→v0v1...vl. In CHECKERwe define thepath signatureof tagTas:

σP(ID) =H(ID)

φ(P)

whereH is a cryptographic hash functionH : G1 → G1. For anyID ∈ G1, such a hash function can be computed using the algorithms proposed by Icart [14] and Brier et al. [6]. In the security analysis, we viewHas a random oracle.

Note thatσP(ID)is a signature ofIDusing the secret keyφ(P).

More precisely, it is an aggregate signature using the secret coeffi-cientsaiof readersRiin pathP.

The identifierIDand the path signatureσP(ID) are encrypted

and stored into tagT. A readerRkthat is visited by tagT,

de-cryptsT’s state, verifies the validity of the state and updates the path signatureσP(ID). Without loss of generality, we assume that

T has gone through the pathP, and now it arrives at stepvk in

the supply chain.T stores the encrypted pair(ID, σP(ID))andPk

denotes the path−→Pvk. To obtainσPk(ID), readerRkcomputes its

state update functionfRkdefined as:

fRk(x, y) =x

x0_H₍_y₎ak ₍₂₎

Thus,

fR_k(σP(ID),ID) = σP(ID)

x0_H₍_ID₎ak

= H(ID)φ(P)·x0_H₍_ID₎ak = H(ID)x0·φ(P)+ak = H(ID)φ(

−→

Pv_k)

=σP_k(ID)

Therefore, we obtain the path signature ofPk =

−→

Pvkfrom the

path signature ofP.

4.1.4 Cramer-Shoup encryption

An elliptic curve Cramer-Shoup encryption consists of the fol-lowing operations:

• Setup: The system outputs an elliptic curveE over a finite fieldFp. LetG1be a subgroup ofEof a large prime orderq (|q|= 160bits), where DDH is intractable. Let(g1, g2)be a pair of generators of the groupG1.

• Key generation: The secret key is the random tuplesk = (x1, x2, y1, y2, z)∈F5q. The system computes then(c, d, f) = (gx1

1 g

x2

2 , g

y1

1 g

y2

2 , g

z

1). Let Gbe a cryptographic hash function. The public key ispk= (g1, g2, c, d, f, G).

• Encryption:Given a messagem∈G1, the encryption algo-rithm choosesr ∈ Fqat random. Then it computesu1 =

g1r, u2 = gr2, u = mfr, α = G(u1, u2, u), v = crdrα. The encryption algorithm outputs the ciphertextEncpk(m) =

(u1, u2, u, v).

• Decryption: On input of a ciphertext C = (u1, u2, u, v), the decryption algorithm first computesα =G(u1, u2, u), and tests ifv = ux1+y1α

1 u

x2+y2α

2 . If this condition does not hold, the decryption algorithm outputs⊥; otherwise, it outputsDecsk(C) = _uuz

1.

4.2 Protocol description

CHECKERconsists of an initial setup phase, the initialization of tags by the issuer, and finally the path verification and tag state update by the readers.

4.2.1 Setup

A trusted third party (TTP) outputs(q,G1,G2,GT, g1, g2, h, H,

G, e), whereG1,GTare subgroups of prime orderq.g1andg2are random generators ofG1. his a generator ofG2. H :G1 →G1 is a secure hash function.G:G31→Fqis a secure hash function,

ande:G1×G2→GTis a bilinear pairing.

The TTP generatesη+1pairs of matching public and secret keys for the Cramer-Shoup encryption:skk= (x(1,k), x(2,k), y(1,k),

y(2,k), zk) ∈ F5q andpkk = (g1, g2, ck, dk, fk, G),0 ≤k ≤η.

The TTP generates as wellη+ 1random coefficientsak ∈ Fq.

Then, it selects a generatorx0ofFq.

Through a secure channel, the TTP sends to each readerRk,1≤

k≤η, the tuple(x0, ak,skk,pkk, H)and sends the tuple(x0, a0,

sk0,pk0, H)to the issuerI.

The TTP computes the verification keys for each readerRkin

the supply chain. LetPkbe a path leading to readerRk. To obtain

the verification key corresponding to pathPk, the TTP computes

the path encodingφ(Pk). Then, the TTP outputs the corresponding

(7)

Once the verification keys are computed, the TTP provides each readerRkwith its setKkVof verification keys.

We assume that the public keyspk_k,0≤k≤η, are known to all parties in the system.

4.2.2 Tag initialization

For each new tagT in the supply chain,I chooses a random identifierID∈G1. The issuer computes the hashH(ID), and using his secret coefficienta0, he computesH(ID)a0. Provided with the public key ofT’s next step, the issuer computes a CS encryption of bothIDandσv0(ID) = H(ID)a0. Without loss of generality,

we assume thatT’s next step isv1. The public key of stepv1is

pk1= (g1, g2, c1, d1, f1, G).

IssuerI draws two random numberrIDandrσ inFqand

com-putes the following ciphertexts:

c0ID = Encpk₁(ID) = (u(1,ID), u(2,ID), uID, vID)

= (grID

1 , g

rID

2 ,IDf

rID

1 , c

rID

1 d

rIDαID

1 )

αID = G(u(1,ID), u(2,ID), uID)

c0σ = Encpk₁(σv0(ID)) = (u(1,σ), u(2,σ), uσ, vσ) = (grσ

1 , g

rσ

2 , σv0(ID)f

rσ

1 , c

rσ

1 d

rσασ

1 )

ασ = G(u(1,σ), u(2,σ), uσ)

Finally,I writes states0

T = (c0ID, c0σ) ∈ G81 into tagT. T then enters the supply chain.

4.2.3 Path verification by readers

Assume a tagT arrives at stepsvk in the supply chain. The

readerRkassociated with stepvk reads the statesj_T = (cjID, c

j σ)

stored in tagT. Without loss of generality, we assumeT went through pathP. Rk using its secret keyskk decrypts the CS

ci-phertextscjIDandc

j

σand gets respectively the pair(ID, σP(ID)).

LetKk

V denote the set of verification keysKVk ={Kk1, Kk2, ...,

Kνk

k } = {h φ(P1_k)

, hφ(P2_k)

, ..., hφ(Pνk_k )_}

corresponding to the valid paths leading to stepvk.

To verify whether the tagT went through a valid path or not,

Rkcomputes the hashH(ID)and checks whether there existsi∈

{1,2, ..., νk}, such that:

e(σP(ID), h) = e(H(ID), Kki)

= e(H(ID), hφ(Pi_k)

)

If so, this implies thatT went through a valid path leading to step

vk. Otherwise, the reader concludes that tagT is illegitimate and

rejectsT.

4.2.4 Tag state update by readers

If the verification succeeds, the readerRkin the supply chain is

required to update the state of tagT. Using the update function

fRk, the reader computes the new path signatureσ−Pv→k(ID).

fRk(σP(ID),ID) = σP(ID)

x0_H₍_ID₎ak

= H(ID)x0φ(P)+ak₌_H₍_ID₎φ(

−→

Pvk)

= σ−→

Pvk(ID)

Without loss of generality, we assume that the tag’s next step isvk+1. The readerRkprepares tag T for readerRk+1 by en-crypting the pair(ID, σ−→

Pvk(ID))using the public key pkk+1 =

(g1, g2, ck+1, dk+1, fk+1, G). ReaderRk obtains therefore, two

ciphertextscjID+1andc

j+1

σ .

Finally,Rkwrites the statesj_T+1= (cjID+1, c

j+1

σ )intoT.

5. SECURITY AND PRIVACY ANALYSIS

In this section, we state the main theorems regarding CHECK -ER’s security and privacy.

5.1 Security analysis

THEOREM 1. CHECKER is secure under the BCDH assump-tion in the random oracle model.

PROOF. Assume there is an adversaryAwho breaks the secu-rity of CHECKERwith a non negligible advantage, we build an adversaryA0

that usesAas a subroutine to break the BCDH as-sumption with a non negligible advantage0.

LetOBCDHbe an oracle that selects randomlyx, y, z∈Fq, and

returnsg, gx, gy, gz ∈G1, andh, hx, hy∈G2.

Proof overview. IfAhas a non negligible advantage in breaking the security of CHECKER, thenAwill be able to output a challenge tagTcthat stores a valid encrypted statesTc, and:

i.)∃Rksuch that CHECK(Rk,Tc) = 1, i.e., there is a pathPj_k

that corresponds toTc’state;

ii.)∃v∈Pj_ksuch that stepvis not corrupted byA; iii.)Tcdid not go through stepv.

To break BCDH, adversaryA0simulates a CHECKERsystem for

Awhere he provides a stepviin the supply chain with the tuple (x0, gx,ski,pk_i)instead of the tuple(x0, ai,ski,pk_i).

Without loss of generality, we assume in the rest of the proof that

vi=v0and thatAcorrupts all readersRk(but not issuerI) in the

supply chain.

Now,A0must convinceAthatv0is associated with secret coef-ficienta0 =xthat corresponds to the pair(gx, hx)received from the oracleOBCDH. Accordingly, A0 has to be able to compute

H(ID)xonly by knowing(gx, hx). To tackle this issue,A0 simu-lates a random oracleHthat computes the hash functionH.

WhenHis queried in the learning phase with identifierIDj,A0

picks a random numberrjand computesH(IDj) =grj.

Before the challenge phase,Aqueries the random oracleHwith an identifierIDc, whereIDcis the identifier of the challenge tagTc.

SimulatingH,A0

picks a random numberrc, computesH(IDc) =

gzrc_{, and returns}_H₍_ID

c)toA.

In the challenge phase,AsuppliesA0

with the challenge tagTc.

As adversaryAhas a non negligible advantage in the security experiment, the challenge tagTcstores an encrypted valid state that

corresponds to the pair(IDc, σc)such thatσc =H(IDc)φ(Pvalid),

andTcdid not go through stepv0.

Usingσc,A0is able to identify the pathPvalidthat corresponds to the state of tagTc. We assume thatPvalid=

−→

v0P, and we denote

lthe length of pathPvalid.

By definition,φ(Pvalid) = a0xl0+φ(P) = xxl0+φ(P), and givenσcand the encodingφ(P)of the sub-pathP,A0computes:

σc

H(IDc)φ(P)

= H(IDc) φ(Pvalid) H(IDc)φ(P)

=H(IDc)xx

l 0

H(IDc)x =

„

H(IDc)φ(Pvalid)

H(IDc)φ(P)

«_xl1

0

A0thus have access toH(IDc)x = (gzrc)x=gxzrc, and

accord-ingly, he computes(gxzrc₎_rc1 ₌_gxz

. Finally,A0

computese(gxz_{, h}y_{) =}_e₍_{g, h}₎xyz_{, and this breaks}

the BCDH assumption which leads to a contradiction.

Simulation of the random oracleH.To respond to the queries to the random oracleH,A0

keeps a tableTHof tuples(IDj, rj,coin(

IDj), hj)as explained below.

(8)

1.)If there is a tuple(IDi, ri,coin(IDi), hi)that corresponds to

IDi, thenA0returnsH(IDi) =hi.

2.)IfIDihas never been queried before, thenA0picks a random

numberri∈Fq.A0flips a random coincoin(IDi)∈ {0,1}such

that: coin(IDi) = 1with probabilityp, and is equals to 0 with

probability1−p. The probabilitypwill be determined later. If

coin(IDi) = 0, thenA0answers withH(IDi) =gri. Otherwise,

A0

answers withhi = H(IDi) = (gz)ri. Finally, A0stores the

tuple(IDi, ri,coin(IDi), hi)in tableTH.

Construction.We detail below howA0breaks the BCDH assump-tion.

• First,A0

queriesOBCDHto receiveg, gx, gy, gz ∈G1and

h, hx, hy∈G2. Then,A0simulates a CHECKERsystem: 1.)A0

generatesη+1pairs of matching CS public and secret keys(skk,pk_k). Then, he generatesηrandom coefficients

ak.

2.)A0

provides each readerRkin CHECKERwith the tuple (x0, ak,skk,pkk).

3.)A0

provides the issuerIwith the tuple(x0, gx,sk0,pk₀), as ifa0=x.

4.) A0

computes the verification keys for each readerRk

in the supply chain. Without loss of generality, a valid path

Pvalid in the supply chain could be represented asPvalid =

−−−−→

v0P0valid. Thus, the corresponding verification keyK(Pvalid) is computed as:K(Pvalid) = (hx)x

l

0_hφ(P0valid)₌_hφ(Pvalid)_,

wherelis the length of pathPvalid.

Once the verification keys are computed for all the readers

Rk,Aprovides each readerRkwith his setKVk of

verifica-tion keys.

A0

then calls the adversaryA.

• A0

simulates the issuerIand createsntagsTjof CHECKER.

A0selects randomlyIDj∈G1. He simulates the oracleH.

A0

gets the tuple(IDj, rj,coin(IDj), hj).

If coin(IDj) = 1, i.e.,hj = H(IDj) = gzrj, thenA0

cannot computeH(IDj)x=gxzrj as he does not know both

xandz. Consequently,A0

stops the security experiment.

Otherwise, usingrjA0computesH(IDj)x= (gx)rj.

Finally,A0encrypts bothIDjandσv0(IDj)using the public

key of the tagTj’s next step.A0stores the resulting

cipher-texts(c0(ID,j), c 0

(σ,j))into tagTj.

• A0

simulates the oracleOCorrupt forA. For ease of

under-standing, we assume that Acorrupts all readersRk in the

supply chain.

• A0simulates readersRkalong the supply chain. LetTjbe a

tag which went through pathPand arrives at stepvk.

A0 decrypts the tagTj’s state using CS secret keyskk of

readerRkand gets the pair(IDj, σP(IDj)). He verifies the

path of tagTjusingKVk. Then,A

0

updates the path of tag

Tjusing the secret coefficientak.

Then using the public key ofTj’s next step,A0encryptsTj’s

identifier andTj’s path signature.

• In the challenge phase,Aoutputs a tagTc.

• A0simulates all the readers in the supply chain and verifies whether the encrypted state stored into tagTcmatches a valid

path in the supply chain. That is,A0

verifies whether there exists a readerRkin the supply chain that outputs CHECK(Rk,

Tc) = 1or not.

AdversaryAhas a non negligible advantage in the security experiment, consequently,i.)∃Rksuch that CHECK(Rk,Tc) = 1, andii.)Tcdid not go through stepv0.

We assume without loss of generality thatTc’s state corresponds to

the pair(IDc, σc), and thatTc’s path signatureσccorresponds to

pathPvalid=

−→ v0P.

• A0first checks whethercoin(IDc) = 1or not.

Ifcoin(IDc) = 0, thenA0stops the experiment. Notice that

ifhc = H(IDc) = grc, A0 will not be able to break the

BCDH assumption.

Ifcoin(IDc) = 1, i.e., hc = H(IDc) = gzrc, then A0

continues the experiment, and computese(g, h)xyz

.

Letldenote the length of pathPvalid. Accordingly,

φ(Pvalid) = a0xl0+φ(P) =xx

l

0+φ(P)

and,

H(IDc)xx

l

0 ₌ σc H(IDc)φ(P)

=H(IDc) φ(Pvalid)

H(IDc)φ(P)

H(IDc)x =

„

H(IDc)φ(Pvalid)

H(IDc)φ(P)

«_xl1

0

e(H(IDc)x, hy) = e((gzrc)x, hy) =e(g, h)xyzrc

Provided with the random numberrc,A0finally computes

e(g, h)xyz= (e(g, h)xyzrc₎_rc1

Here, we compute the advantage ofA0

.

Notice thatA0succeeds in breaking the BCDH assumption if he does not stop the security experiment.

1.) A0

halts the experiment, if during the initialization phase of the

ntagsTjof the CHECKERsystem, the simulated random oracle

Hreturns(IDj, rj,coin(IDj), hj)such thatcoin(IDj) = 1.

This event occurs with probabilityp. Hence, the probability thatA0

does not stop the experiment during the learning phase is:(1−p)n.

2.) A0

stops the experiment during the challenge phase, ifcoin(IDc) = 0. As a result,A0does not stop the experiment in the chal-lenge phase with probabilityp.

LetEdenote the event:A0does not abort the security experiment. LetE1denote the event:A0does not abort security experiment in the learning phase,P r(E1) = (1−p)n.

LetE2denote the event:A0does not abort security experiment in the challenge phase,P r(E2) =p. Hence,

π = P r(E) =P r(E1)P r(E2)

= p(1−p)n

Now, ifAhas a non negligible advantagein breaking the secu-rity of CHECKER, thenA0can break the BCDH assumption with advantage0=π, leading to a contradiction.

Remark thatπis maximal whenp= 1

nandπmax = (1−1

n) n

n '

1

en. Consequently, the advantage

0

in breaking BCDH is in this case0=

(9)

5.2 Privacy analysis

Tag unlinkability

THEOREM 2. CHECKER provides tag unlinkability under the SXDH assumption.

PROOF. To prove tag unlinkability, we use the IND-CCA prop-erty of Cramer-Shoup encryption ensured under the SXDH assump-tion.

Before presenting the proof, we introduce the definition of IND-CCA.

LetOdecryptionbe the oracle that, on input of a ciphertextc en-crypted with public keypk, outputs the underlying plaintextm.

LetOencryptionbe the oracle that, provided with two messages

m0,m1and public keypk, randomly choosesb∈ {0,1}, encrypts

mbusing public keypk, and returns the challenge ciphertextcb.

LetA(r, s, )be an adversary that is allowed to maker calls to the oracleOdecryption with arbitrary ciphertextsci. Then,A

selects two messagesm0andm1which he provides to the oracle

Oencryption. Oencryptionreturns the challenge ciphertextcb. After

receivingcb,Acan still query the decryption oracle Odecryption withsciphertextsc0i, with the only restrictions thatcb 6=c0i.

Fi-nally,Ais required to output his guess ofb. An encryption is IND-CCA secure, ifA(r, s, )has a negligible advantagein outputting a correct guess ofb.

Assume there is an adversaryAwho breaks the security of CHE -CKERwith a non negligible advantage, we show that there is an adversaryA0

that usesAas a subroutine and breaks the IND-CCA property of Cramer-Shoup encryption with a non-negligible advan-tage0.

Proof overview.The idea of the proof is to build a CHECKER sys-tem such that there is a stepviin the supply chain that is associated

with the public keypk, wherepkis the challenge public key from the IND-CCA security experiment.

In the learning phase,A0

is required to simulate readerRi. This

implies thatA0has to be able decrypt the state of tags arriving at stepvi. Hence the need to a decryption oracle and therewith to

an IND-CCA secure encryption. Now, whenever a tagTarrives at stepvi,A0 first calls the decryption oracle for the Cramer-Shoup

encryptionOdecryptionthat returns the underlying plaintexts, i.e.,

(ID, σP(ID)). Then,A0verifies the validity of the pair and updates

the state ofTaccordingly.

In the challenge phase,Areturns the challenge tagsT0andT1 toA0

. A0

decrypts the state of tagsT0andT1and gets their iden-tifiersID0andID1 respectively. Then,A0 queries the encryption oracleOencryptionwith messageID0andID1. Oencryptionreturns the challenge ciphertextcb=Encpk(IDb), b∈ {0,1}. A0iterates

the supply chain outside the range ofA, and simulatesOFlipby

re-turningTbwhich stores the ciphertextcbalong with an encryption

ofTb’s path signature. AsA0makes a guess for the value ofbto

up-dateTb’s path signature, this latter will be correct with probability

1 2.

IfAhas a non-negligible advantagein breaking the tag unlink-ability experiment, then he outputs a correct guess for the value of

b. Ifb = 0, then this implies thatTbstores an encryption ofID0 and thuscb=Encpk(ID0); otherwise,cb=Encpk(ID1).

Construction. To break the IND-CCA property of Cramer and Shoup encryption,A0proceeds as follows:

• A0creates a supply chain for the CHECKERprotocol.

• A0calls the adversaryA.Aqueries the oracleOCorruptwith

the identity ofrreadersRk.A0simulates the oracleOCorrupt

and assigns to each readerRka tuple(x0, ak,skk,pk_k)that

he returns toA.

• Now,A0selects a readerRifrom the set of uncorrupt readers

and assigns toRithe tuple(x0, ai,pki=pk). Without loss

of generality, we assume that stepviin the supply chain is

associated with readerRi.

• SimulatingODraw,A0suppliesAwith two challenge tagsT0 andT1that have just been issued by issuerI, i.e., just entered the supply chain.

• Aiterates the supply chainρtimes. Before each iterationj

of the supply chain:

1.)Areads and writes into tagsT0,T1.

2.) SimulatingOStep, A0providesAwith the next step of

tagsT0,T1.

3.)A0simulatesODrawand suppliesAwithstagsT(i,j). A is also provided withT(i,j)’s next step. Athen iterates the supply chain and reads the states stored into tagsT(i,j).

• If a tagT in the learning phase arrives at stepvi, thenA0

simulates readerRias follows:

1.)A0

reads the state stored intoTand gets two CS cipher-textscIDandcσ.

2.) A0

queries the oracle Odecryptionwith the ciphertexts

cIDandcσ. The oracleOdecryptionreturns the corresponding plaintextsIDandσ.

3.)A0

checks then if the pair(ID, σ)corresponds to a valid path leading to stepvi.

4.) Finally,A0updates the path signature ofT accordingly and encrypts both the identifierIDand the path signature us-ing the public key ofT’s next step.

• In the challenge phase, tagsT0andT1are submitted toA0.

A0

decrypts the states stored intoT0andT1, and getsID0and

ID1respectively.

• A0 queries the oracle Oencryption with messages ID0 and

ID1.Oencryptionreturnsc(ID,b)=Encpk(IDb).

• A0

prepares the tagTbfor the adversaryA:

1.) A0 updates the path of tagsT0 andT1 and encrypts the path signature using the public keypk. He obtains two ci-phertexts:c(σ,0)andc(σ,1).

2.) A0 randomly selectsb0 ∈ {0,1}and stores the state

sTb = (c(ID,b), c(σ,b0)) inTb. Therefore,Tb’s next step is

stepviassociated with public keypk.

• SimulatingOFlip,A

0

providesAwith the challenge tagTb.

Ais allowed to read from tagTb.

Notice that ifb = b0, then the statesTb = (c(ID,b), c(σ,b0₎)

com-puted by A0

when simulating CHECKER corresponds to a well formed pair(IDb, σP(IDb)), and consequently, the simulation of

CHECKERbyA0does not differ from an actual CHECKERsystem.

Acan accordingly output his guess for the tag corresponding to the challenge tagTbwith a non-negligible advantage.

IfAoutputsb = 0, this means thatTbstores an encryption of

ID0, andA0outputs0. IfAoutputsb= 1, this means thatTbstores

an encryption ofID1, andA0outputs1.

Ifb6=b0, then the probability thatA0breaks the IND-CCA prop-erty of CS is at worst a random guess, i.e., 1

2. Now, we quantify the advantage ofA0

(10)

– LetE1be the event thatA0breaks the IND-CCA property of CS.

– LetE2be the event thatb=b0.

Sinceb0 is selected randomly, the probability thatb =b0 is 1₂. Therefore,

P r(E1) = P r(E1|E2)·P r(E2) +P r(E1|E2)·P r(E2)

= 1

2P r(E1|E2) + 1

2P r(E1|E2) = 1

2

„

1 2+

«

+1

2P r(E1|E2)

≥ 1

2

„

1 2++

1 2

«

=1 2+

2

Thus, the advantage ofA0

to break the IND-CCA property of CS is at least0 =

2. Therefore, ifAhas a non-negligible advantage

to break CHECKER, thenA0

(q,0, 0)will have a non-negligible advantage0to break the IND-CCA property of Cramer and Shoup encryption, which leads to a contradiction.

6. RELATED WORK

Ouafi and Vaudenay [18] propose a solution that allows prod-uct tracking. However, this solution assumes that tags can perform hash functions. We argue that a wide implementation of such track-ing systems requires ustrack-ing the cheapest kind of tags which corre-spond to read/write only tags.

Also Burbridge and Soppera [7] suggest the use of proxy re-signature to allow path segment verification while using read/write only tags. The tag stores a signature of the last trusted party it has visited. To prevent product injection in the supply chain, partners in the supply chain do not have secret keys to sign tags’ identifiers, but rather secret proxy keys that only allow partners to transform a valid signature of one partner to their own signature. The paper however does not address the problem of implementing practical proxy re-signatures without trusted third party.

Although these two previous schemes ensure secure product track-ing in the supply chain, they fail at providtrack-ing a privacy preservtrack-ing solution. We emphasize that any solution dealing with product/tag tracking should preserve tag privacy in order to protect the privacy of the internal processes of partners in the supply chain.

Blass et al. [4] propose a tracking system using read/write only tags that preserve tags’ privacy in the supply chain. They use poly-nomial based path encoding to represent efficiently the paths in the supply chain, and they rely on the use of homomorphic and prob-abilistic encryption to preserve tag privacy against readers in the supply chain and external adversaries. However, contrary to the work at hand, [4] relies on the assumption that the path verifica-tion is carried out by a trusted party called managerM. Thus, it does not permit the readers in the supply chain to perform the path verification which is the main application scenario for CHECKER.

7. EVALUATION

CHECKER targets read/write only tags that do no feature any computational capabilities. A tag in CHECKERis required to store a pair of IND-CCA encryptions of its identifierIDand its path signa-tureσPvalid(ID) =H(ID)

φ(Pvalid)_{. In this paper, we use}

Cramer-Shoup’s scheme as the underlying encryption. This results in an overall tag storage of2·4·160 = 1280bits. We emphasize that any IND-CCA secure encryption in DDH-hard subgroups of ellip-tic curve is sufficient to implement CHECKER. One possible choice of encryption scheme is CS-lite [8]: a light variant of CS encryp-tion which is IND-CCA secure and costs 480 bits per encrypencryp-tion

instead of 640 bits. Also, there is a variant of Elgamal proposed by Fujisaki and Okamoto [12] which is IND-CCA secure in the ran-dom oracle model, and whose storage requirements are comparable to Elgamal’s.

We believe that CHECKERcan be implemented in current ISO 18000-3 HF tags, such as UPM RFID MiniTrack tags [21] that fea-ture 1 kbit of memory.

Moreover, a readerRkin the supply chain is required to decrypt

the state stored into tags using its secret keyskk, then to verify

the validity of the paths that tags went through, and to update and encrypt the state of tags. This amounts to performing:1.)two de-cryptions inG1where|G1|= 160bits,2.) νkbilinear pairings’

computation inGT, whereνkis the number of verification keys of

readerRkand|GT|= 1024bits,3.) two exponentiations inG1 to update the path signature, and finally4.)two encryptions inG1. The costly operation at readerRkis the verification of the path

sig-nature which is linear in the number of valid paths leading to reader

Rk. We can further decrease the computation load at the readers by

allowing tags to store the verification key that corresponds to the path that they took in the supply chain.

We recall that a verification key of pathPvalid ishφ(Pvalid) ∈

G2. Now, instead of storing an encrypted pair(ID, H(ID)φ(Pvalid)), a tagT stores the encrypted tuple(ID, H(ID)φ(P_valid)_{, h}φ(P_valid)₎_. WhenT arrives at stepvk, the readerRkdecryptsT’s state and

gets a tuple(α, β, γ). First,Rkchecks whetherγ is in his set of

verification keysKk

V or not. If so,Rk proceeds in verifying the

path signature of tagT. Consequently, the cost of the verification of the path signature at the readers is constant. On the one hand however, readers are required to perform an additional table lookup, one decryption, two exponentiations and one encryption inG2. On the other hand, tags have to store three encryptions of size 640 bits in the case of Cramer-Shoup, and of size 480 in the case of CS-lite.

8. CONCLUSION

In this paper, we presented CHECKERfor a secure and privacy preserving product genuineness verification in supply chains. CHE -CKERrelies solely on read/write RFID tags that do not feature any computational capabilities. CHECKERallows on-site checking by providing the readers with the means to verify the validity of the paths that products took. CHECKER’s main idea is to sign the tag’s identifier using the encoding of the path that the tag took. Then, each reader in CHECKERis supplied with a set of public keys that correspond to the set of valid paths in the supply chain. This grants readers the ability to verify the genuineness of products, while pre-venting them from injecting fake products. CHECKER’s security and privacy rely on standard assumptions: the BCDH and the DDH assumptions. Finally, CHECKER does not involve a trusted party and therefore, it is well suited for the distributed and heterogeneous setting of supply chains.

Bibliography

[1] G. Ateniese, J. Camenisch, and B. de Medeiros. Untraceable RFID tags via insubvertible encryption. InCCS ’05: Proceed-ings of the 12th ACM conference on Computer and communi-cations security, pages 92–101, New York, NY, USA, 2005. ACM. ISBN 1-59593-226-7.

[2] G. Ateniese, J. Kirsch, and M. Blanton. Secret Handshakes with Dynamic and Fuzzy Matching. InProceedings of the Network and Distributed System Security Symposium, NDSS. The Internet Society, 2007.

(11)

En-cryption. Cryptology ePrint Archive, Report 2005/417, 2005. http://eprint.iacr.org/.

[4] E-O Blass, K Elkhiyaoui, and R Molva. Tracker: security and privacy for RFID-based supply chains. InNDSS’11, 18th Annual Network and Distributed System Security Symposium, 6-9 February 2011, San Diego, California, USA, ISBN 1-891562-32-0, 02 2011.

[5] D. Boneh, B. Lynn, and H. Shacham. Short signatures from the weil pairing. Journal of Cryptology, 17:297–319, 2004. ISSN 0933-2790.

[6] E. Brier, J.S. Coron, T. Icart, D. Madore, H. Randriam, and Mehdi Tibouchi. Efficient indifferentiable hashing into ordi-nary elliptic curves. InAdvances in Cryptology – CRYPTO 2010, volume 6223 ofLecture Notes in Computer Science, pages 237–254. Springer Berlin / Heidelberg, 2010. ISBN 978-3-642-14622-0.

[7] T. Burbridge and A. Soppera. Supply chain control using a RFID proxy re-signature scheme. InRFID, 2010 IEEE Inter-national Conference on, pages 29 –36, april 2010.

[8] R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In

CRYPTO ’98, pages 13–25. Springer-Verlag, 1998.

[9] E. De Cristofaro and G. Tsudik. Practical private set intersec-tion protocols with linear complexity. In Radu Sion, editor,

Financial Cryptography and Data Security, volume 6052 of

Lecture Notes in Computer Science, pages 143–159. Springer Berlin / Heidelberg, 2010. ISBN 978-3-642-14576-6.

[10] E. De Cristofaro, J. Kim, and G. Tsudik. Linear-complexity private set intersection protocols secure in malicious model. In Masayuki Abe, editor, Advances in Cryptology - ASI-ACRYPT 2010, volume 6477 ofLecture Notes in Computer Science, pages 213–231. Springer Berlin / Heidelberg, 2010. ISBN 978-3-642-17372-1.

[11] T. Dimitrou. rfidDOT: RFID delegation and ownership trans-fer made simple. InProceedings of International Conference on Security and privacy in Communication Networks, Istan-bul, Turkey, 2008. ISBN 978-1-60558-241-2.

[12] E. Fujisaki and T. Okamoto. How to Enhance the Security of Public-Key Encryption at Minimum Cost. InProceedings of the Second International Workshop on Practice and Theory in Public Key Cryptography, PKC ’99, pages 53–68, London, UK, 1999. Springer-Verlag. ISBN 3-540-65644-8.

[13] S. D. Galbraith, K. G. Paterson, and N. P. Smart. Pairings for cryptographers. Discrete Appl. Math., 156:3113–3121, September 2008. ISSN 0166-218X.

[14] T. Icart. How to Hash into Elliptic Curves. InAdvances in Cryptology - CRYPTO 2009, volume 5677 ofLecture Notes in Computer Science, pages 303–316. Springer Berlin / Hei-delberg, 2009. ISBN 978-3-642-03355-1.

[15] A. Juels and S.A. Weis. Defining Strong Privacy for RFID. InPerCom Workshops, pages 342–347, White Plains, USA, 2007. ISBN 978-0-7695-2788-8.

[16] A. Miyaji, M. Nakabayashi, and S. Takano. New Explicit Conditions of Elliptic Curve Traces for FR-Reduction. TIEICE: IEICE Transactions on Communica-tions/Electronics/Information and Systems, 2001.

[17] G. Noubir, K. Vijayan, and H. J. Nussbaumer. Signature-based method for run-time fault detection in communication protocols. Computer Communications Journal, 21(5):405– 421, 1998. ISSN 0140-3664.

[18] K. Ouafi and S. Vaudenay. Pathchecker: an RFID Application for Tracing Products in Suply-Chains. InWorkshop on RFID Security – RFIDSec’09, pages 1–14, Leuven, Belgium, 2009. http://www.cosic.esat.kuleuven.be/

rfidsec09/Papers/pathchecker.pdf.

[19] A.R. Sadeghi, I. Visconti, and C. Wachsmann. Anonymizer-Enabled Security and Privacy for RFID. In8th International Conference on Cryptology And Network Security – CANS’09, Kanazawa, Ishikawa, Japan, December 2009. Springer. ISBN 978-3-642-10432-9.

[20] M. Scott. Authenticated ID-based Key Exchange and re-mote log-in with simple token and PIN number. Cryptology ePrint Archive, Report 2002/164, 2002.http://eprint. iacr.org/.

[21] UPM RFID Technology. UPM Raflatac MiniTrak datasheet, 2011.

http://www.upmrfid.com/rfid/images/ MiniTrack_SLI_datasheet.pdf/$FILE/ MiniTrack_SLI_datasheet.pdf.

[22] S. Vaudenay. On Privacy Models for RFID. InProceedings of ASIACRYPT, pages 68–87, Kuching, Malaysia, 2007. ISBN 978-3-540-76899-9.

APPENDIX

A. STEP UNLINKABILITY

A.1 Definition

As explained in Section 3.2, step unlinkability captures the abil-ity of an adversaryAof telling if the paths of two tagsT0andT1 have a step in common besides the stepv0. Notice that step un-linkability as defined hereafter makes sense only when the system comprises at least two tags.

We use an experiment based definition as in Section 3.2. In ad-dition to the oracles presented earlier,Ahas access to the oracle

OPath. WhenOPath is queried with a pathP, it flips a fair coin

b∈ {0,1}. Ifb= 1, thenOPathselects randomly a tagT which is

going through a stepv∈P\{v₀}in the next supply chain iteration. Otherwise,OPathselects randomly a tagTwhich is going through

a stepv6∈P. Finally,OPathreturns the tagTtoA.

An adversaryA(r, s, t, ρ, )against step unlinkability has access to CHECKERin two phases. In the learning phase as illustrated in Algorithm 5,Acalls the oracleOcorruptthat furnishesAwith the

secret information ofrreadersRiof his choice. Now,Acontrols

stepsviassociated with readersRi.Athen queries the oracleODraw

which suppliesAwith a tagT0entering the supply chain.

Ais allowed to iterate the supply chain up toρtimes. Before each iterationiof the supply chain,Acan read and re-write the internal state of tagT0. He also queries the oracleOStepthat returns

the next stepviT+10 of tagT0in the supply chain. Athen calls the

oracleODrawwhich gives As tagsT(i,j), that are going through

viT0+1 in the next supply chain iteration. Also, Acan query the

oracleODrawagain to provide him withtother tagsT

0

(i,j), that fulfill some conditionc(i,j)specified byA. Now,Ahas a full access to these tags, i.e.,Acan read from and write into them, he can as well have access to the next step of tagsT₍0_i,j₎. Finally,Aiterates the supply chain by calling ITERATESUPPLYCHAINand reads the state stored into the tagsT(i,j)andT(0i,j).

LetPT0denote the path that tagT0went through.

In the challenge phase, cf., Algorithm 6,Aqueries the oracle

(12)

fori:= 1tordo

Si← OCorrupt(Ri);

end

T0← ODraw(“tag at step ”v0); fori:= 0toρ−1do

viT+10 ← OStep(T0); si

T0:=READ(T0);

WRITE(T0, s0Ti0);

forj:= 1tosdo

T(i,j)← ODraw(“tag’s next step isv

i+1 T0 ”)); sT_(i,j):=READ(T(i,j));

WRITE(T(i,j), s0T(i,j));

end

forj:= 1totdo

T(0i,j)← ODraw(c(i,j));

vT_(i,j)0 ← OStep(T(0i,j));

sT_(i,j)0 :=READ(T

0

(i,j)); WRITE(T₍0_i,j₎, s0_T0

(i,j));

end

ITERATESUPPLYCHAIN; forj:= 1tosdo

READ(T(i,j)); end

forj:= 1totdo READ(T(0i,j)); end

end

Algorithm 5:A’s step unlinkability learning phase

T1← OPath(PT0);

sk

T1 :=READ(T1);

WRITE(T1, s0Tk1);

ITERATESUPPLYCHAIN;

sk+1

T1 :=READ(T1);

OUTPUTb;

Algorithm 6:A’s step unlinkability challenge phase

Aiterates the supply chain, and reads the state stored into tagT1. LetvT1denote the step that tagT1went through during the

chal-lenge phase. A’s goal is to decide whether the stepvT1 ∈ PT0 or

not. IfvT1 ∈ PT0, thenAoutputsb = 1; otherwise,Aoutputs b= 0.

The adversaryAis successful, ifi.)his guess of bitbis correct, and ifii.)the stepvT1is not corrupted byA.

DEFINITION5 (STEPUNLINKABILITY). CHECKERprovides step unlinkability⇔ For adversaryA, inequalityP r(Ais success-ful)≤1

2 +holds, whereis negligible.

A.2 Tag unlinkability and step unlinkability

The following theorem states that if CHECKERensures tag un-linkability, it will as well ensure step unlinkability.

THEOREM 3. IfCHECKERensures tag unlinkability, then it also ensures step unlinkability.

PROOF. Assume there is an adversaryAwho breaks the step unlinkability with a non negligible advantage. We show that there is an adversaryA0

who usesAto break the tag unlinkability as defined in Section 3.2 with a non negligible advantage0.

Proof overview. In the proof below, we show that if adversary

Ahas a non-negligible advantagein breaking step unlinkability, thenA0

can construct a statistical distinguisher that tells tagsT0and

T1 apart in the tag unlinkability experiment with a non negligible advantage0.

In a nutshell, adversaryA0

supplies adversaryAin the learning phase of step unlinkability with the first challenge tagT0that he receives in the tag unlinkability experiment.

Then, at the beginning of the challenge phase of the step unlink-ability experiment,A0providesAwith the second challenge tagT1 of tag unlinkability.

Finally, at the end of the challenge phase of step unlinkability,

A0replaces tagT1by tagTbthat was returned byOFlip.

Ifb= 1, thenAbreaks the step unlinkability of CHECKERwith a non-negligible advantage. Otherwise,A’s advantage is negligi-ble in breaking step unlinkability.

Now, the statistical distinguisher works as follows: wheneverA

outputs a correct guess for the step unlinkability experiment, then

A0

outputsb= 1; otherwise,A0

outputsb= 0.

Construction.A0simulates CHECKERto adversaryAwhose goal is to break step unlinkability.

I.)In the learning phase of step unlinkability:

• WheneverAwants to corrupt a readerRi,A0makes a query

to the oracleOCorruptwithRi’s identity.OCorruptreturns the

secrets of readerRitoA0, who then returns the same secrets

toA.

• WhenAqueriesA0

to get a tagT0, A0 queries the oracle

ODraw.ODrawreturns two challenge tagsT0andT1for the tag unlinkability experiment which just entered the supply chain. Then,A0

picks for instance tagT0and returnsT0toA.

• WhenAqueriesA0

to supply him with the next step of tag

T0,A0queries the oracleOstepwith tagT0.Ostepreturns the

next stepviT+10 of tagT0toA

0

, who then returnsviT+10 toA. • IfAqueriesA0 for tags whose next step isviT+10 , thenA

0

queries the oracleODrawwith the condition “tag’s next step

viT+10 ”.ODrawsuppliesA

0

with tagsT(i,j)satisfying the con-dition. Finally,A0givesAthe same set of tagsT(i,j).

• IfAqueriesA0

for tags satisfying some conditionc(i,j), then

A0

queries the oracleODrawwithc(i,j). ODrawfurnishesA0

with tagsT₍0_i,j₎fulfilling the conditionc(i,j).A

0

then returns the tagsT(0i,j)toA.

• A0iterates the supply chain.

• After iterating the supply chain,A0

givesAthe tagsT(i,j) andT(0i,j)thatAcan read from.

II.)In the challenge phase of step unlinkability:

• A0simulates the oracleOPath(PT0)and prepares tagT1for

adversaryA.

1. A0queries the oracleOStepwith the challenge tagsT0 andT1.A0gets therefore the next stepvkT0+1andv

k0+1 T1

of tagsT0andT1respectively.

Note that if the reader associated with stepvk

0 +1 T1 is

cor-rupt byA, and therewith byA0

, thenA0

stops the ex-periment as his attack against tag unlinkability is trivial.

2. A0

(13)

• Acan read and write into tagT1. Then, tagT1is given back toA0

.

• The supply chain is iterated outside the range ofA0. The oracleOFlipreturns tagTb,b∈ {0,1}.

• A0returns tagTbtoA. Now,Acan read from tagTb.

• Athen outputs his guess for the bitb0for the step unlinka-bility experiment, i.e.,b0 = 1, ifvkT10+1is a step inT0’s path;

otherwiseb0= 0.

IfTb = T1, thenA0’s simulation of the CHECKER system is perfect, andAwill have a non-negligible advantage in guessing the value of the bitb0.

IfTb=T0, thenA’s view of the step unlinkability experiment is independent ofb0, and thusA’s advantage is negligible.

This therefore leads to a statistical distinguisher between tagsT0 andT1. WhenAsucceeds in the step unlinkability experiment,A0 outputsb= 1, otherwiseA0

outputsb= 0.

CHECKER: On-site checking in RFID-based supply chains