An efficient and secure ultra-lightweight RFID authentication scheme for low-cost tags

Internet of Things (IoT) technologies rapidly evolve and are used in many real-life applications. One of the core technologies used in various IoT applications is Radio Frequency IDentification (RFID) technology. RFID wirelessly and uniquely identifies the tagged objects without a direct line of sight. However, the research community had reported privacy and security-related concerns in RFID systems, where an adversary may tamper, eavesdrop, add, delete, or even modify the transmitted messages over an insecure communication channel. To address the issues mentioned above, we propose an Efficient, Secure, and practical ultra-lightweight RFID Authentication Scheme (ESRAS), which uses rank operation for low-cost tags. We utilize a simplistic bitwise exclusive-OR, circular left rotation, and a newly proposed ultra-lightweight rank operation to provide high security at low cost. The analysis of ESRAS concerning its security and performance shows that it effectively resists several known attacks and is relatively superior to the existing schemes regarding the computational and storage costs. Moreover, ESRAS shows more suitability for low-cost RFID tags and can be executed in a multimedia big data environment.


Introduction
Internet-of-Things (IoT) is an umbrella keyword that covers several aspects associated with the extension of the Internet [1].Over the past years, among various new technologies, IoT has emerged as a major topic researched in academia and industry, aiming to benefit society.IoT technology enables physical objects to exchange and collect data through the Internet [2].The devices are embedded with various technologies and entities like RFID tags, actuators, sensors, and network connectivity for communicating with the external environment or other devices [3].RFID technology is rapidly growing and becoming more popular with contactless technology.It has seen a tremendous increase in its applications used in the Automatic Identification and Data Capturing (ADIC) of any targeted object(s) with no direct line-ofsight or contact [4].In addition to this, it can read the data remotely and automatically through radio frequency signals.One of the first uses of RFID was seen during World War Second in Identify Friend or Foe (IFF) aircraft systems [5].Since then, several traditional automatic identification technologies have been used in various applications.These techniques include barcode recognition, biometric identification, optical character recognition, and magnetic card identification systems.However, these technologies are still unsatisfactory due to their several limitations.For example, the barcode system needs a direct line-ofsight contact between tags and readers for object identification and storing a small amount of data.While a biometric identification system is expensive for specific purposes, the optical character recognition cost is too high, and magnetic card identification needs close contact to identify an object.In contrast, RFID has numerous advantages over these traditional identification technologies.Therefore, RFID is considered one of the prominent technology in the twenty-first century [6,7].RFID technology is widely used in various real-life applications such as e-libraries, e-payment, animal identification, personnel identification, smart healthcare systems, human implantation, access control, and Internet of Vehicles (IoV), etc [8][9][10].
RFID systems typically contain three main components: tags, readers, and backend servers.Each RFID tag has two key elements: a silicon microchip and an antenna.The microchip stores and processes data, while an antenna transmits and receives data to the RFID reader via radio signals [11].The RFID tags consist of mainly three categories https://doi.org/10.1016/j.comnet.2022.109360Received 29 October 2021; Received in revised form 8 August 2022; Accepted 5 September 2022 such as active, semi-active, and passive.Nowadays, primarily passive tags are being used because these are relatively cheaper as compared to active tags.Also, they have no battery and get charged through Radio Frequency (RF) waves from the RFID reader.Instead, the active tags get power, are charged with their battery or energy sources, and transmit signals periodically.The semi-active tags get power and are charged with internal energy sources [11].Accordingly, the RFID tags can be operated at the three different types of frequency ranges, which includes the low-frequency range (LF: 125 kHz to 134 kHz, reading range: ∼10 cm), high-frequency range (HF: 13.56 MHz, reading range: ∼1 m), and ultra-high frequency range (UHF: 860 to 960 MHz, reading range: 10 to 15 m) [12].The RFID reader consists of three components: RF signal generator, microcontroller, and receiver or signal detector.It is used to read/write the secret information of the tags over an insecure communication channel and further transmit it into the database of the backend server [13][14][15].The RF signal generator produces radio waves, and an antenna is used to transmit them.Also, the reader receives feedback signals which come from the tag.The receiver/signal detector processes the information which is sent by the RFID tags.The backend server is connected with the reader and stores the associated secret information of the tags affixed to objects.
Typically, RFID authentication protocols can be classified into four categories depending upon the supported operations on the tags, the computational cost of the tags, and cryptographic primitives employed on the tags [16].
• Full-fledged protocols These support classical cryptographic primitives such as one-way hashing, symmetric/asymmetric encryption, and even private/public key algorithms [17,18].• Simple protocols These provide support for one-way cryptographic hash and Random Number Generator (RNG) on the tags [19,20].• Lightweight protocols These support RNG and Cyclic Redundancy Check (CRC) checksum on the tags.On the other hand, these protocols do not employ hash functions [21,22].• Ultra-lightweight protocols These support bitwise AND, OR, and XOR operations on the tags.Besides, the RNG cannot be employed on the tags [23][24][25].
As one of the key technologies used in several IoT domains, the main idea behind RFID is to provide secure and reliable access to the information or messages exchanged over secure channels.The sensitive information associated with particular things or objects should be securely delivered over RFID systems.In an RFID system, mutual authentication is considered one of the primary security requirements that should be accomplished between tag and server over a secure communication channel.RFID authentication schemes must always be secure, efficient, and robust against well-known malicious security attacks [26].However, several security attacks and privacy issues may occur while exchanging messages between tags and readers.Our proposed scheme satisfies various security and privacy requirements to ensure robust, efficient, and secure RFID communications.Besides, the RFID tags are resource-constrained devices with less computing power, limited computational resources, and low memory space.Therefore an RFID system typically cannot withstand the traditional known cryptographic primitives/algorithms, namely symmetric key and asymmetric key cryptographic techniques.To overcome such issues, our proposed authentication scheme exploits bitwise exclusive-OR (⊕), circular left rotates, and newly proposed ultra-lightweight rank operations to encrypt data instead of hash functions, ensuring less computational and storage overheads on the tags while supporting a higher level of security.In addition, the proposed scheme meets essential security requirements and protects from various security attacks.
To establish a secure RFID authentication system, we present the key objectives, which can be regarded as the main criteria for designing our proposed scheme.These objectives are as follows.
(3) Resist several known attacks like tag tracking, disclosure, and de-synchronization.(4) Minimize the storage and communication cost on tags with higher efficiency.
The key contributions of our proposed scheme are as follows.
(1) We propose an efficient and secure ultra-lightweight RFID authentication scheme suitable in IoT scenarios.In particular, we exploit bitwise exclusive-OR (⊕), circular left rotates (⋅, ⋅), and newly proposed ultra-lightweight rank (⋅, ⋅) operations for minimizing the computational overhead on tags.(2) The proposed scheme accomplishes mutual authentication and provides resistance against several attacks, including desynchronization and tag location tracking attacks.(3) We implement our proposed scheme, and a performance comparison has been made with the other similar existing schemes to show that our scheme greatly overcomes the storage and communication cost of tags while maintaining the key security requirements.
In Section 2, we describe previous schemes along with their limitations.The notations used and preliminaries are given in Section 3. The methodology of our proposed efficient and secure ultra-lightweight RFID authentication scheme using rank operation for low-cost tags is detailed in Section 4. Next, the informal security analysis is presented following the ESRAS's performance evaluation in Section 5. Section 6 provides the results obtained using Scyther simulation and the performance evaluation.Finally, Section 7 provides the concluding remark.

Related work
RFID is considered a promising technology for ubiquitous environments, allowing almost every object to be wirelessly identified via Radio Frequency (RF) waves.Over the past decades, researchers have proposed many schemes to achieve secure communication for safeguarding RFID systems from several known attacks and privacy concerns.However, it is difficult to ensure security and privacy requirements in low-cost RFID systems because of insecure communication among tags and readers.Next, we discuss relevant state-of-the-art RFID authentication schemes with their pros and cons as shown in Table 1.
Peris-Lopez et al. [41][42][43] presented a class of Ultra-lightweight protocols called UMAP.The protocols are chronological, Ultra-lightweight, lightweight, minimalist, and efficient mutual authentication protocols namely, LMAP [41],  2 AP [42], and EMAP [43], respectively.These protocols utilized simple bitwise OR, exclusive-OR (⊕), and   operations to achieve a low-cost computation cost.Also, all these operations were efficient and cost-effective for passive RFID tags.However, Wang-Li [24] and Li-Deng [25] showed that the families of UMAP protocols were insecure against the full disclosure and the de-synchronization attacks.
In [44], an enhancement of RAPP [31] to fix the security weaknesses of the de-synchronization attack on RAPP.The protocol utilizes XOR (⊕), permutation  (⋅, ⋅), and build-in CRC-16 operations on the tag.Besides, the protocol utilizes a secret key backup mechanism to improve security functionalities with no increment in performance cost.The protocol provides security against tag tracing, replay, secret disclosure, and de-synchronization attacks.Later on, the protocol in [45] pointed out that the shared secret key between  and  can be easily obtained by an adversary.Thus, the protocol [44] is insecure against de-synchronization attacks.The scheme uses fewer resources on tags which is better suited for low-cost RFID systems.
[27] SCHEME I Lightweight ,  (⋅), ℎ(⋅),   The reader remotely connects with the backend server by employing 4G and 5G technology to increase the mobility of RFID systems.
Vulnerable to traceability attacks.
[27] SCHEME II Lightweight Square and Modulo operations ( 2 ≡   ∕) The Rabin algorithm only performs square and modulo operations to raise a higher level of security for the public key level.
Vulnerable to tag impersonation attacks.
Lack of authenticity of the tag to server.
The scheme does not take advantage of computation, communication, and storage costs.
Vulnerable to de-synchronization and secret disclosure attacks.
Insecure against de-synchronization attacks.
Vulnerable to de-synchronization and replay attacks.
Vulnerable to de-synchronization attacks.
[34] Ultralightweight ,  2  (+), Reverse Rotation () The scheme used a sub-key and sub-index mechanism for the key updating phase.
Vulnerable to secret disclosure attacks and reader impersonation attacks.
[35] Ultralightweight , , Syndrome decoding The scheme requires fewer resources on RFID tags which makes it more suitable for passive tags.
Vulnerable to tag traceability attacks and tag impersonation attacks.
Vulnerable to impersonation and de-synchronization attacks.
Vulnerable to secret disclosure and de-synchronization attacks.
Vulnerable to impersonation and de-synchronization attacks.
The scheme consumes high storage overhead on the tag.
In [38], a new succinct and Ultra-lightweight RFID authentication protocol called SLAP is presented.The protocol uses simple exclusive-OR, circular left rotate (⋅, ⋅), and conversion (⋅, ⋅) operations.The passive tags were suitable for implementation using these operations.The conversion operation ensures a security guarantee of the RFID system associated with these properties, including sensibility, full confusion, irreversibility, and low complexity.In addition, the protocol is insecure against replay, traceability, and de-synchronization attacks.Later, Safkhani and Bagheri [46] presented a protocol [38] that is still vulnerable to de-synchronization attacks.However, the protocol in [47] also pointed out that the protocol [38] is not secure under impersonation attacks.
In [36], an Ultra-lightweight RFID protocol called KMAP.To prevent unbalanced logical AND and OR operations, the protocol uses simple exclusive-OR (⊕), circular left rotate (⋅, ⋅), and pseudo-Kasami code (  ) operations.Besides, the protocol resists replay, desynchronization, and full disclosure attacks.Later on, Safkhani and Bagheri [46] pointed out that the protocol in [36] is not secure against de-synchronization attacks.After that, the protocol in [47] pointed out that the protocol [36] is not secure under impersonation attacks.
In [37], a novel Ultra-lightweight protocol is introduced for IoT devices by employing RFID tags.The protocol utilizes exclusive-OR and circular left rotation.The protocol is secure under de-synchronization, tag tracking, and disclosure attacks and ensures data confidentiality, integrity, and tag anonymity properties.Later on, Wang et al. [48] pointed out that the shared secret key between  and  can be obtained by an adversary.Hence, the protocol [37] is vulnerable to de-synchronization and disclosure attacks.
Zheng et al. [49] proposed a mobile RFID authentication scheme for the smart campus.The scheme employs one-way hash (⋅), XOR (⊕), and series operation (∥).It also guarantees known security features such as counterfeit, eavesdropping, tag location tracking, replay, Main-In-The-Middle (MITM), Denial-of-Service (DoS), and de-synchronization attacks.Later on, Safkhani and Vasilakos [50] pointed out that the scheme is susceptible to tag traceability, tag impersonation, and replay attacks.
In [27], two RFID-based protocols are presented using a one-way hash and Rabin Public Key (RPK) cryptosystem.The hashing protocol utilizes a secure one-way hash ℎ(⋅), PRNG function, secret keys, and index grouping (  ) on the RFID tag.In the hashing protocol, the index grouping number associated with the last successful authentication and the key groups associated with the previous three successful authentications are stored in the database.Later on, the hash-based protocol is susceptible to tag traceability attacks reported in [51].In contrast, in RPK-based protocol, RPK is a symmetric cryptographic approach that utilizes operations of square and modulo such that ( 2 ≡   ∕).Such operations verify the Rabin encryption algorithm process and resist replay, tag tracking, and DoS attacks.Subsequently, the protocol is susceptible to tag impersonation attacks reported in [51].
In [29], a lightweight authentication protocol for passive RFID tags is introduced.The scheme uses inverse operations, XORing, circular shift, and addition modulo 2  (+).The protocol guarantees several security features, including mutual authentication, location privacy or untraceability, data integrity, tag anonymity, data confidentiality, forward security, and resisting known attacks.
Xiao et al. [30] presented a block cipher-based RFID authentication protocol called LRSAS.The protocol uses some operations such as simple bitwise XORing (⊕),  (⋅), and SKINNY encryption algorithm.The SKINNY algorithm comprises three phases: setup, round function, and key updating.The protocol guarantees known security functionalities, including confidentiality, integrity, forward security, tag tracking, de-synchronization, and tag impersonation attacks.Later, Trinh et al. [52] reported that the protocol is susceptible to de-synchronization and secret disclosure attacks.

Preliminaries
We present the procedure of rank operation and circular rotation operations in this section.To achieve higher security, simple bitwise exclusive-OR, circular left and right, and newly proposed Ultralightweight (,  ) operation are used while designing an efficient and secure Ultra-lightweight RFID authentication scheme named ES-RAS.Table 2 shows all the necessary parameters with their description.

Circular left rotate operation
The proposed scheme uses two circular left and right rotation operations.In general, the rotation operation can be denoted (,  ).However, (,  ) does left rotate string  by () mod  bits, where  denotes the bit length of .The rank of  or  is defined as the number of 1's presented in string  or  .For example, considering  and  are two 8-bit length strings as follows:

Definition of rank and nullity
The rank and nullity of the string are defined as the number of 1's and 0's present in the given strings.Suppose that  and  are the given strings, the  and  of  and  can be defined as (   ) = Number of 1's presents in string  or  .(   ) = Number of 0's presents in string  or  .
Considering  and  are two -bit length strings can be defined as, To achieve full confusion, a new rank (,  ) operation is used for hiding the information presented in the  and  .The new proposed Ultra-lightweight  operation consists of four steps: rank and nullity, grouping, swapping, and composition.To better understand this operation, an example is illustrated below.We are assuming that  and  are two 32-bit strings.Assuming the value of the threshold is  ℎ = 6.

𝑌 = 10111101110101100011110111000010.
All used operations are Ultra-lightweight.Thus these can be easily implemented on resource-constrained, low-cost RFID tags.The computational complexity of the rank operation depends on the threshold  ℎ value.If the value of  ℎ is small, the confusion will become greater.Therefore, we will suggest a larger value of  ℎ than 5.
Step 1: Rank and nullity Find the rank and nullity of both strings  and  with respect to 1's and 0's that appear in the given strings.Step 2: Grouping First, all the given strings (i.e.,  and  ) are divided into several small blocks by using the rule of segmentation, which is based on the () and ( ), respectively.In particular, a parameter threshold  ℎ is used to limit the size of each substring.Let us consider that () is m such that  ≤ , so the two substrings of  after division are given as Then, the division operation on substrings  1 and  2 will be continued by using the same segmentation rule based on their () until the length of all the substrings   ( ≤ ) are less than the threshold  ℎ .Similarly, the same rule is performed on string  divided into   ( ≤ ) by using the same segmentation rule.The computations on strings  and  are shown in Figs. 1 and 2.
Step 3: Swapping In Table 3, we divide the above-obtained strings  ′ and  ′ into two blocks according to () and ( ) given in  1, respectively.After that, we perform a swap operation on both parts to obtain  ′′ and  ′′ as shown in Table 4. Step 4: Composition To compute the final computation of the rank operation, we first perform (∼) operation on  ′′ and  ′′ .Thereafter, the simple bitwise exclusive-OR operation is performed between them.Then, we have Therefore, (,  ) = 10010111101010011001010001011101.

𝑟𝑎𝑛𝑘(𝑅𝑎𝑛𝑘(𝑋, 𝑌 )) = 17 and 𝑛𝑢𝑙𝑙𝑖𝑡𝑦(𝑅𝑎𝑛𝑘(𝑋, 𝑌 )) = 15.
The aforementioned rank operation is well-suitable and can be easily realized in low-cost RFID tags.The proposed rank operation has four major properties, which are as follows: • Full confusion For each given input, they are confused by the other one and have no predicted or fixed bit produced by the rank operation.Therefore, an adversary cannot obtain one bit of useful or even sensitive information from the output to predict the input.• Irreversibility For two given inputs, they can be confused by each other based on their rank, bit's position, and values.An adversary cannot obtain, predict, or even recover the other input if it knows one of the two inputs and the corresponding output in the rank operation.• Sensibility The corresponding output of the rank operation will be completely different only if one bit is changed in one of the two given inputs.• Low complexity The rank operation utilizes only simple XOR and circular left rotate operations.These operations are elementary to use as well as cost-effective for a passive tag implementation.

Proposed scheme
The proposed scheme consists of two phases: initialization and authentication.

Valid assumptions considered
The underlying assumptions on which the proposed scheme operates are as follows: (1) An adversary can mimic a genuine tag or reader.
(2) An adversary can tamper, modify, intercept, add, and/or even delete messages during the messages exchanged among RFID components.
(3) The communication channel is considered to be secure between  and  as well as insecure between  and , i.e., all attacks are possible.(4) The backend server is a fully trusted entity; an adversary cannot reveal the tags' information.

Initialization phase
This phase defines some underlying statements, which are as follows: (1) Initially, the manufacturer stores a unique static identification number  and an index  in each tag's internal memory.In contrast, the backend server has no such limitations.( 5) The other relevant tag's information is stored at .

Authentication phase
Fig. 3 shows the detailed process of the authentication phase of ESRAS scheme which is executed in the following steps.
Step 1: The reader  initiates an authentication session by sending a '''' message to  .
After receiving,  sends an index pseudonym  to .
Step 3: Upon receiving ,  uses the received  as an index to search the secrets of tags in the backend server database.If it finds a match in the database, then  generates a -bit pseudo-random number  1 and computes  and .After that,  sends the messages  ∥     to  , where   and   represent the left and right half of the string , respectively.The   or   of string  is transmitted to the tag based on the rank of  (if () is odd, then sent   , else sent   ).
After receiving  ∥     , the tag extracts  1 from  by XORing (( 1 ,  2 ),  1 ) with .After that, the tag computes a local value of  ′ and verifies whether  ′    ?=     , if so, then  authenticates  as a legitimate reader and computes the response message . sends the response message     to , where   and   represent the left and right half of the string , respectively.
Step 5: Upon receiving     ,  computes a local value of  ′ and verifies whether  ′    ?=     , if so, then  authenticates  as a legitimate tag  and update its index pseudonyms   and   in the database.After that, the reader generates -bit pseudo-random number  2 and computes the response messages  and .The reader  sends the response messages  ∥     to the tag  where   and   represent the left and right half of the string , respectively.
After receiving  ∥     , the tag extracts  2 from  by XORing ( 1 ,  1 ⊕  2 ) ⊕ ( 1 ,  2 ) with .The tag computes  ′ and the local value of  ′ and subsequently verifies whether  ′    ?=     , if so, the tag successfully authenticates the reader as a legitimate reader and updates its index pseudonym.
• Mutual authentication: It implies that genuine tags and readers need to authenticate each other.In the ESRAS scheme, the reader-server unit authenticates the genuine tag by comparing the left or right half of the transmitted messages that are  ′    ?=     and  ′    ?=     .Likewise, the genuine tag authenticates the server by comparing the left or right half of the transmitted message  ′    ?=     .Therefore, the property of mutual authentication is established between tag and server.
• Resistance to tag tracking: The tag's  or its secrets are not revealed in the ESRAS scheme.Moreover, it uses the index pseudonym .The  and the shared secret keys  1 and  2 are updated during each successful protocol run.Besides, the update operations also involve random numbers, so the tag will be anonymous to the adversary.This way, the adversary cannot track the response messages , , , , and  involving random numbers.In addition, we are not using any unbalanced operations during the update process, so the adversary cannot track the location of the tags through .• Forward security: It ensures securing past communications from a tag if the tag gets compromised by an adversary.Considering an adversary can access the tag, it cannot determine the previous secrets such as random numbers, index pseudonyms, and keys from the tag.Now, considering an adversary can determine the  and keys of the tag.However, the adversary still cannot determine the previous secrets as different values of the  and keys are used after a successful protocol run.Hence, the adversary cannot compromise the previously communicated information from the same tag.• Resistance to de-synchronization attacks: The shared secret cannot be de-synchronized among tag and reader through an adversary.The tag and the readers will use different random numbers to update the shared secret in each authentication phase.Therefore, the adversary cannot modify or even change the response messages to change the values of  1 and  2 .Hence, the proposed scheme successfully prevents the de-synchronization attack.• Resistance to disclosure attacks: The adversary can slightly modify the messages from the reader and send them to the tag to verify the correctness of modifications.It is quite difficult to disclose the secrets (i.e.,  1 and  2 ) even if the adversary knows (( 1 ,  2 ),  1 ).In our proposed scheme, the tag performs Therefore, it is impossible to disclose without knowing secrets.Hence, ESRAS resists the disclosure attack.

Performance evaluation
The performance evaluation of ESRAS is done in terms of computation, communication, and storage cost for each tag.The tags have limited computation capability and memory in comparison to the reader and server in RFID systems.However, the tags' performance can be evaluated with no limitations in the hardware environments of the backend database and reader.Therefore, any authentication scheme considers the computational complexity of an RFID system. the tag in each authentication session.The tag transmits a total of one and a half communication messages.All the used parameters have  bits.Thus, the communication cost generated on the tag is 1.5 bits.• Storage cost: The shared elements and the static tag  are stored in the tag's memory space.In the ESRAS scheme, a total of five strings, including its unique , the two entries for index pseudonym , and two shared secret keys (i.e.,  1 and  2 ) are stored on the tag.Hence, the storage of each tag is 5 bits.

Scyther simulation of our proposed scheme
Scyther is a GUI-based automatic tool to verify security protocols [59].The Scyther tool checks whether the proposed protocol is secure under security attacks.The experimental setup is simulated by using Scyther installed on the Linux platform with Ubuntu v20.04.The command ''scyther-gui.py'' is used to open the window for opening and editing files.The Scyther input language is Security Protocol Description Language (SPDL), used for writing the protocol specification or description.The SPDL is case sensitive, where xyz.spdl is not the same as XYZ.spdl.Programs or SPDL descriptions of protocols are saved with a .spdlextension.A pre-defined set of claim events are in Scyther, such as Secret,  − , Niagree, Nisynch, Alive, and Weakagree.Moreover, a sequence of events is used, which includes sending or receiving.Figs. 4 and 5 show the SPDL specification of the roles of tag and reader.From Fig. 6, the result status  indicates that there are no possible attacks within bounds which means that the proposed ESRAS scheme strongly resists all possible active and passive (i.e., replay and Man-In-The-Middle) attacks.

Conclusion
Since security and privacy are two key concerns in RFID systems, several issues such as eavesdropping, tampering, and modifications may occur over a communication channel while transmitting messages.Considering these security flaws, we proposed an efficient and secure Ultra-lightweight RFID authentication scheme (ESRAS).We have utilized the simple bitwise exclusive-OR, circular left rotate, and newly proposed Ultra-lightweight rank operations to provide higher security with fewer computation and communication costs of tags.The rank operation has four major security properties: full confusion, irreversibility, sensibility, and low complexity.The security analysis demonstrates that our ESRAS scheme is resistant to possible security attacks.The performance evaluation demonstrates that ESRAS requires less storage cost and computation overhead than existing schemes.The Scyther results show that our scheme has no possible attacks within bounds.Furthermore, our scheme shows superiority for low-cost RFID systems and can be realized in several real-world domains.

Declaration of competing interest
The authors declare the following financial interests/personal relationships which may be considered as potential competing interests: Chhagan Lal reports was provided by Delft University of Technology.

( 2 )
For each  , the manufacturer stores two secret keys  1 and  2 , a new and old pseudonym   and   in .Initially,   =  and   = .(3) Each reader consists of two  (⋅).(4) The tag and the reader have limitations of computing resources.

Mohd Shariq :
Conception and design of study, Analysis and/or interpretation of data, Writing -original draft, Writing -review & editing.Karan Singh: Conception and design of study, Analysis and/or interpretation of data, Writing -original draft, Writing -review & editing.Chhagan Lal: Conception and design of study, Analysis and/or interpretation of data, Writing -original draft, Writing -review & editing.Mauro Conti: Conception and design of study, Analysis and/or interpretation of data, Writing -original draft, Writing -review & editing.Tayyab Khan: Conception and design of study, Analysis and/or interpretation of data, Writing -original draft, Writing -review & editing.

Table 1
Comparison among various RFID authentication schemes.

Table 2
Notations and their descriptions.Index pseudonym stored in the tag and the database  1 ,  2 Pseudo random numbers generated at reader  1 ,  2 Pre-shared secret keys of tags shared with the backend server (,  ) Rank operation between strings  and  (   )

Table 5
Security and privacy comparison among various Ultra-lightweight authentication schemes.Denotes satisfied; : Denotes not satisfied; Z: No discussion.

Table 6
Performance comparison among various Ultra-lightweight authentication schemes.

Table 6
illustrates the performance comparison of ESRAS with several considerable Ultra-lightweight RFID authentication schemes.