MDS Code Based Ultralightweight Authentication Protocol for RFID System

Privacy and security are central issues in the deployment of an RFID system. It is vulnerable to several attacks, such as replay attacks, location tracking, man-in-middle attack, de-synchronization attack, etc., due to the inherent weaknesses of underlying wireless communications. In order to tackle these privacy and security concerns, this paper presents an ultralightweight authentication protocol based on group homomorphism and maximum distance separable (MDS) code. We use group homomorphism properties to make a server lookup table that reduces searching complexity and overcomes scalability issues. We develop an ultralightweight protocol using MDS code properties that employs only bit-wise operators. Formal and informal security analysis of the proposed protocol shows that our proposed protocol resists various attacks. In addition, we use automated security protocol verification tools, AVISPA and Scyther, to validate the security features of the proposed protocol. We demonstrate the correctness proof of the proposed protocol using BAN logic. To measure the level of privacy of the proposed protocol, we use two benchmark metrics to simulate the proposed protocol. The performance analysis indicates that the proposed protocol is efficient for a low-cost environment.


I. INTRODUCTION
RFID (radio frequency identification) is becoming the most promising technology for automated identification in many IoT applications such as automation, automotive, ticketing, medical, commerce, transport, logistics, etc. Due to low-cost and easy deployment, RFID technology is progressing rapidly in every industry sector. According to IDTechEx's report, the RFID market is expected to reach worth $13.2 billion by 2020 and $186.8 billion in 2026 [10]. Typically RFID system is made up of three components: an RFID tag or smart label, an RFID reader (interrogator), and a back-end server (middle-ware) [21]. An RFID tag consists of a small microchip and an antenna. The tag stores information about the product in which it is embedded. In addition, RFID tags The associate editor coordinating the review of this manuscript and approving it for publication was Chien-Ming Chen . comprise minimal resources with restricted storage capacity. According to the functionality, we can arrange RFID tags into two classifications in general, namely active tag and passive tag. Active tag: these type of tags have their in-built battery for internal processing and data transmission. Passive tag: these types of tags have no in-built power source. Passive tags harvest their power from the interrogator reader by the coupling method [22]. A reader or interrogator is a read/write device that works as a bridge between the back-end server and tags. A middle-ware is a software or database that stores information about the tags and readers and uses this information for various purposes. The workflow of an RFID system is as follows. Whenever a tag comes in the read range of a reader, the tag transmits its information to the reader through a wireless channel. The reader passes the received information to the back-end server via a secure link for validation of the tag.

II. LITERATURE SURVEY
In the literature, researchers proposed several ultralightweight authentication protocols to resolve security and privacy vulnerabilities associated with the RFID system. Some prominent RFID authentication protocols with their methodology, benefits, and drawbacks are as follows.
In 2006, Lopez et al. [26] presented a minimalist, lightweight authentication protocol for the RFID system. The protocol uses an index pseudonym and four keys. The index pseudonym is used as an index in the database to reduce search complexity. The keys are used to make secure communication between the reader and the tag. The protocol employs only AND, OR, and XOR operators for computational purposes and uses around 300 gates for implementation. The proposed protocol tackles the computation problem that existed in the RFID system very efficiently. However, the protocol suffers from various attacks such as de-synchronization attacks, disclosure attacks, and impersonation attacks.
In 2007, Chien [9] proposed an ultralightweight authentication protocol that employs only simple bit-wise operators on the tag. The author claims that the protocol provides strong privacy and resists several well-known attacks. Unfortunately, the proposed protocol is susceptible to several attacks such as disclosure attacks, DoS attacks, de-synchronization attacks, etc. [6], [7].
Avoine et al. [3] proposed a group-based private authentication protocol by dividing the tags into a number of groups in 2007. In this approach, the proposed scheme achieves a huge improvement in security assurance at the cost of a high computational load.
In 2009, David and Prasad [11] proposed an ultralightweight authentication protocol to reduce computational load significantly without compromising security. The protocol uses only XOR, AND, and NOT operators for computational. In the protocol, the authors use two secret keys to transmit nonces to the tag securely, and the tag extracts the nonce with the help of the keys and uses them to mask the tag's ID. The protocol is very efficient in computational load, but it is susceptible to traceability attacks and disclosure attacks [14].
In 2012, Tian et al. [38] proposed an ultralightweight RFID authentication protocol known as RAPP. The proposed protocol employs a bit-wise operation called permutation to achieve a higher level of privacy and secrecy. The protocol is very efficient in a low-cost environment but does not resist disclosure attacks, traceability attacks, de-synchronization attacks, etc. [24].
Zhuang et al. [42] introduced a reconstruction-based ultralightweight authentication protocol called R 2 AP in 2014. The authors introduced a lightweight bit-wise operation, reconstruction, for computational work. The authors give a formal security analysis based on Jules-Weis's un-traceability model to claim that the proposed protocol resists all possible attacks. However, Safkhani [31] highlighted desynchronization attacks, disclosure attacks, and traceability attacks and challenged its security claims.
Tewari and Gupta [37] proposed a robust ultralightweight authentication protocol to overcome security challenges with the RFID system in 2016. The protocol is efficient in terms of the computational load because it involves only two bitwise operations, XOR and left rotation. The protocol uses random numbers to mask the tag ID and employs a secret key to hide the transmitted data. In addition to avoiding the de-synchronization attack, the proposed protocol stores current session data as well as previous session data. Unfortunately, the protocol is susceptible to several attacks, namely denial of service attacks, secret disclosure attacks, etc. [16], [32], [39].
In 2016, Luo et al. [19] introduced a succinct and lightweight authentication protocol (SLAP). This protocol is composed only of XOR, left rotation with hamming weight, and a bit-wise operation known as conversion. The security of the protocol depends on the introduced conversion function that possesses irreversibility, full confusion, and sensibility. The protocol uses two secret keys for each tag to transmit data securely over an insecure channel. After successful authentication sessions, it updates the secret keys to resist an un-traceability attack. The protocol guarantees to resist various attacks such as replay attacks, de-synchronization attacks, disclosure attacks, etc. However, Khalid et al. show that the protocol is vulnerable to impersonation attacks and de-synchronization attacks [16], [30].
In 2017, Rahman et al. [28] proposed a secure, anonymous group-based authentication protocol to address the tradeoff between the protection and scalability of RFID systems. The protocol is similar to Avoine et al. [3] except that the protocol uses an alternate grouping technique to accomplish better privacy. This protocol utilized an investigation-based definition to formalize RFID security according to the viewpoint of unlinkability among various RFID tags.
Younis and Abdulkareem [41] proposed a three-pass mutual authentication protocol for RFID systems in 2017. The protocol used PRNG, elliptic curve digital signature algorithm, encryption techniques, and XOR operations. Additionally, this protocol is secure against various known attacks, but the total computational cost is very high compared to some lightweight protocols.
Khor and Sidorov [17] improved the authentication protocol proposed by Tewari and Gupta [37] in 2018. The proposed protocol employs left rotation as well as right rotation with hamming weight to achieve anonymity by mix-up the bits. The authors claim that the protocol overcomes all vulnerabilities presented in Tewari and Gupta's protocol as well as resists all possible attacks. Safkhani and Bagheri [32] presented a full disclosure attack on the protocol proposed by Khor and Sidorov [17].
Qui et al. [27] proposed a robust authentication protocol based on ECC for TMIS in the same year. The protocol fails to prevent replay attacks, user anonymity, impersonation attacks, and password-guessing attacks.
In 2020, Fan et al. [12] proposed an efficient and reliable cloud-based authentication protocol for the RFID system. The authors used bit-wise rotation, permutation, and public-key encryption in the protocol to resist well-known attacks such as tracking, replay, and de-synchronization attacks. The protocol provides higher-level security. However, the protocol is not suitable for the low-cost environment due to the high computational overhead.
Noori et al. [25] proposed an ECC-based scalable RFID authentication protocol for an IoT environment in the same year. The protocol uses ECC, hash function, and random numbers. The scheme attains a higher level of privacy. However, the scheme is not practical for low-cost tags due to the high computational overhead.
In 2021, Shariq and Singh [35] designed a lightweight RFID protocol for passive tags that integrates vector space, linear mapping, basis mechanism, and hash function. The correctness of the protocol has been finished by using BAN logic. The scheme is not secure against impersonation attacks.
Xiao et al. [40] presented a lightweight RFID authentication protocol for TMIS in 2021. The authors used the properties of random numbers, PUF and ECC for a lowcost protocol. The protocol uses the ProVerif tool to test the security attribute, demonstrating that it is safe against various attacks.
In the same year, Agrahari and Varma [1] proposed an RFID authentication protocol for the healthcare environment based on ECC. The protocol uses a hash function, addition and multiplication of elliptic points. Formal security analyses were done by the AVISPA tool, ROR model, and BAN logic.
In 2022, Akleyle and Soyasald1 [2] presented a lattice-based RFID authentication protocol for IoT. They used the hardness of the inhomogeneous small integer solution (ISIS) problem, two hash functions, one permutation matrix, and random numbers. The authors claimed that the protocol could resist post-quantum attacks.
In the same year, Rostampour et al. [29] proposed a lightweight authentication protocol for IoT systems by utilizing an authentication encryption cryptosystem with associated data (AEAD). The formal security of the protocol was shown by using the ROR model and Scyther tool.
After reviewing the work done, we would like to propose an MDS code-based ultralightweight authentication protocol. In our approach, we use the concept of group homomorphism to divide the set of all tags into some clusters. Also, we use some properties of MDS code to minimize computational overhead without compromising the security and privacy of the protocol.

III. PRELIMINARIES
This section overviews group homomorphism and maximum distance separable codes that we will use to construct our system model.

A. GROUP HOMOMORPHISM
Suppose (Gr, ⋆) and (Gr ′ , * ) are two groups with identity elements e and e ′ respectively. A group homomorphism φ from Gr to Gr ′ is a mapping that preserves group operation, i.e., φ(a ⋆ b) = φ(a) * φ(b) for all a, b ∈ Gr [13]. The kernel of a group homomorphism from Gr into Gr ′ is a subset of Gr defined as ker φ = {g ∈ Gr : φ(g) = e ′ }.
If | ker φ |= t, then the group homomorphism φ is a t − to − 1 mapping from Gr onto φ(Gr). We use this property VOLUME 11, 2023 of group homomorphism to divide the set of all tags into some clusters of the same size in our system model.

B. LINEAR CODE
Let GF(q) be a finite field with q elements. The set GF(q) n with cardinality q n forms a vector space over the field GF(q).
A linear code C of length n over the field GF(q) is a subspace of the vector space GF(q) n . If C has dimension k, then we say C is a q-ary [n, k] linear code over GF(q) [18]. The hamming distance of two codewords c 1 and c 2 , is denoted by d(c 1 , c 2 ) and defined as the number of positions at which the corresponding symbols differ. The minimum distance of the code C is denoted by d and defined as d = min{d(c 1 , If a q-ary [n, k] code C has the minimum distance d, then we denote it as q-ary [n, k, d] code over GF(q). A generator matrix G of the code C is a k × n matrix which spans the code C. A parity check matrix H of order (n−k)×n with rank (n−k) of the code C which satisfies the following property: where H T denotes the transpose of the matrix H .

C. MAXIMUM DISTANCE SEPARABLE CODES
A q-ary [n, k, d] linear code C over GF(q) is said to be a maximum distance separable (MDS) code if and only if d = n−k +1. MDS codes have many interesting properties. Some of them are as follows. 1) Any k columns of a generator matrix G of the code C are linearly independent. 2) Any n − k columns of a parity-check matrix H of the code C are linearly independent.

D. CONSTRUCTION OF A CODEWORD c FROM l -COORDINATES OF THE CODEWORD c WHERE l ≥ k
Suppose G is a generator matrix of an MDS code C = [n, k, d] over GF(q) and α = (α 1 , α 2 , . . . , α k ) ∈ GF(q) k . We can generate a codeword c of the code C as follows.
We index n columns of the generator matrix G of the code C by 1, 2, . . . , n and write G = [g 1 , g 2 , . . . , g n ], where g i is the i th column of G. Suppose, we know any l-components of a codeword c ∈ C, say, c i 1 , c i 2 , . . . , c i l , where l ≥ k. Then we can construct the whole codeword c by using the following procedure. We make a matrix G 1 = [g i 1 , g i 2 , . . . , g i l ] of order k × l from G. From Equation (III.1), we can write By properties of MDS code, the Equation (III.2) has a unique solution because rank(G 1 ) = k. In this way, we can uniquely identify α = (α 1 , α 2 , . . . , α k ) from the given . . , c i l ). Hence, we can generate whole codeword c = α × G using Equation (III.1).

IV. SYSTEM MODEL
We use characteristics of group homomorphism and coding theory to construct a system model. Using the group homomorphism property, we divide the set of all tags in the system into clusters of equal size. The division takes place as follows. Suppose T is a set of all tags in the system with cardinality p.
We choose a group Gr of order p and make a one-to-one correspondence between T and Gr, i.e., for each element g ∈ Gr, we associate a tag T with it, i.e., g ↔ T . We choose another group Gr ′ and find a homomorphism φ from Gr to Gr ′ with | ker φ| = t. So, φ is an t-to-1 mapping from Gr to φ(Gr). Moreover, as we know, with each element g ∈ Gr, there is a unique tag T , which is associated with g. Thus, the t number of tags maps to g ′ ∈ Gr ′ under φ. We use the set φ(Gr) as an index set in the system model. In this way, we divide the set of all tags T in the system into p/t clusters in which each cluster consists of t number of unique tags.
In addition, we use the properties of maximum distance separable codes, a concept of coding theory, in this system model. For this reason, we choose an MDS code C = [n, k, d] over the field GF(2) and store a fixed generator matrix G of the code C in the database as depicted in Table 1. This system model assumes that reader and server communicate over a secure channel. So, we can consider the reader and the server interchangeable.
The system components used in the system model are as follows.

A. READER
Reader stores all the information about each tag in the system. The reader stores a fixed generator matrix G of the chosen MDS code C = [n, k, d] and group homomorphism φ in its database. Table 1 depicts the reader's database lookup table. In Table 1, the symbol g ij ↔ T ij shows that the tag T ij is associated with the group's element g ij . For each tag T ij , the reader stores a unique codeword ID ij of the code C, a key K ij , and the group element g ij associated with the tag T ij in the database. The reader has a pseudo-random number generator function that generates a pseudo-random number with a hamming weight greater than or equal to k.

B. TAG
In the system model, each tag T ij possesses a unique identification number ID ij , which is a codeword of the code C, a key K ij , and an element g ij ∈ Gr, where g ij is the group element associated with the tag T ij in the system model.

V. PROCESS
This section introduces an MDS code-based ultralightweight authentication protocol according to our system model. The symbols used in the paper are given in Table 2, and the workflow of the proposed authentication protocol is shown in Figure 1. The steps of the proposed authentication protocol are as follows.
1) Whenever a tag T ij comes to the read range of a legitimate reader, the reader generates a pseudo-random number R 1 and transmits it to the tag. 2) Upon receiving, the tag generates a pseudo-random number R 2 . The tag T ij calculates β = ID ij ∧ R 1 and ). It transmits g ij and γ with R 2 to the reader. Here, note down that β contains only l-coordinates of the codeword ID ij , where l is the hamming weight of R 1 . 3) After receiving, the reader uses the Table 1 and does the following for each tag T ij in the cluster g ′ j (where g ′ j = φ(g ij )) until it authenticates the tag. • The reader calculates δ = g ij ≪ wt(K ij ⊕ R 2 ) with the help of stored K ij , and g ij corresponding to the tag T ij .
• It computes β ′ = γ ⊕ δ. • The reader uses R 1 to identify the position and value of the coordinates of the codeword ID ij from β ′ and calculates the whole codeword ID ij by using the generator matrix G of the code C as mentioned in Section III.
• The reader checks the calculated codeword ID ij is the same as the stored codeword for the tag T ij . If it holds, the reader authenticates the tag.

4) If
Step 3 does not hold for any tag in the cluster g ′ j , the reader terminates the session.

VI. ADVERSARY MODEL
In this section, we define the abilities of an adversary A , which is based on Juel's privacy model [15] with some modifications according to our requirements. Suppose an adversary has abilities to issue the following queries.
•SETKEY: The adversary can corrupt any tag by using this oracle query. We can not use any corrupt tag as a challenge tag in our privacy experiment.
•TAGINIT: By using this oracle query, A can initialize a protocol session with a tag. After the protocol session initialization, the adversary can communicate with the tag as a challenge-response methodology.
•READERINIT: The adversary can initialize a new protocol session with a reader by issuing this oracle query. Then, A can transmit and receive a message from the reader.
Here, we parametrized the adversary by applying some restrictions on the ability of the adversary. A can issue r number of READERINIT messages and t number of TAGINIT query. In addition, A can perform s number of computation steps. The adversary is able to send SETKEY query at most (n − 2) tags at any time, where n is the total number of tags in the system. In this section, we define the adversary's privacy game that the adversary used to mount an attack on the system. The main goal of the privacy game is to distinguish between two uncorrupted tags. In the game, the system is considered private if the adversary has no significant advantage. We can divide the privacy game into three phases as follows.

1) LEARNING PHASE
The adversary can issue READERINIT query and TAGINIT query to any number of readers and tags without exceeding its functionality-calls limit. A can also issue (n − 2) SETKEY calls to corrupt tags.

2) CHALLENGING PHASE
In this phase, the adversary performs the following steps.
1) A selects two uncorrupted tags say T i and T j .
2) Let b ∈ {i, j} and provides A to access T b .
3) A issues TAGINIT calls to initialize a protocol session with the tag T b . After that, the adversary communicates with the tag by using the challenge-response technique and performs some computation without exceeding s overall steps. Guessing Phase The adversary comes with a guess bit b ′ . Exp priv

VII. SECURITY AND PRIVACY ANALYSIS
A. FORMAL SECURITY ANALYSIS Theorem 1: The proposed protocol attains information privacy.
Proof: In this proof, we perform the privacy experiment Exp priv A [r, s, t] for the proposed scheme to evaluate the information privacy of the scheme. In the privacy game, an adversaryA chooses a tag randomly from the set of target tags. The adversary performs the oracle queries with the selected tag and try to guess the tag.
The adversary performs the privacy experiment as follows.
• Learning Phase: The adversary A interacts with a legitimate reader R by sending REDERINIT query to it.  A sends TAGINIT query to n tags to initialize protocol sessions with them.
• Challenging Phase: The adversary sends SETKEY query to corrupt (n − 2) tags. A selects the remaining VOLUME 11, 2023 two uncorrupted tags, say T 0 and T 1 , as target tags. The adversary randomly chooses one tag from selected target tags, say T b , b ∈ {0, 1}. A interacts with T b and gets the following information. TAGINIT(T b ) → (R 2 , γ , g ij ).
• Guessing Phase: The adversary comes with an output bit b for the tag T b . It is not possible to guess correctly T b is either T 0 or T 1 with the help of eavesdropped message (R 2 , γ , g ij ). Hence, the adversary can not succeed in his privacy game. Therefore, the proposed protocol preserves information privacy.
Proof: We prove that the proposed scheme preserves un-traceability by use of the privacy experiment Exp priv A [r, s, t]. In the experiment, A intercepts the transmitted messages of one session between a tag and the reader. In future sessions, the adversary tries to trace the tag on the ground of the intercepted messages.
The adversary executes the privacy experiment as follows.
• Learning Phase: The adversary interacts with a legitimate reader and n-number of tags through RED-ERINIT and TAGINIT queries, respectively. The adversary chooses a tag T i from the set of n uncorrupted tags and interacts with it by TAGINIT query. TAGINIT(T i ) → (R 2 , γ , g ij ).
• Challenging Phase: The adversary corrupts n − 2 tags by sending SETKEY query to them and chooses the remaining two uncorrupted tags, say T 0 and T 1 , as target tags. A randomly selects one tag, say T b , b ∈ {0, 1}, from above two uncorrupted tags. The adversary interacts with T b and gets the following information.
. • Guessing Phase: The adversary outputs a bit b for the tag T b . The adversary can win the privacy game only if Pr(γ ′ = γ ) − 1 2 , is not negligible. But γ ′ ̸ = γ because γ ′ contains two nonces R 1 and R 2 , which are different in each authentication session. Hence, The adversary can not precisely trace a tag in the proposed protocol. □

B. INFORMAL SECURITY ANALYSIS
In this subsection, we present an informal security analysis of the proposed protocol.

1) REPLAY ATTACK RESISTANCE
RFID system works over a wireless channel. An adversary can easily eavesdrop on all the transmitted messages over the wireless channel and uses them to disguise himself as a legitimate reader or a tag. In the proposed protocol, it is not feasible for an adversary to use the previous session's transmitted data (R 2 , γ , g ij ) in the current authenticated session to prove himself as a legitimate tag. Because γ contains two nonces (R 1 , R 2 ), which are different in each authentication session, this makes all the replayed messages illegal.

2) DE-SYNCHRONIZATION ATTACK RESISTANCE
Since an adversary can interrupt all the transmitted messages between reader and tag. So, the adversary can create a de-synchronization between a reader and a tag by interrupting some transmitted messages such that one of the two fails to update the data value. Our proposed protocol strongly resists the de-synchronization attack because it does not update any value during the authentication session.

3) MAN-IN-MIDDLE ATTACK RESISTANCE
In the proposed protocol, it is infeasible for an adversary to modify transmitted data to disguise himself as a legitimate tag to deceive the reader. The reason is that the transmitted message γ comprises two nonce and some static secret information. Without knowing this secret information, the adversary can not modify the transmitted data to prove himself as a legitimate tag.

4) IMPERSONATION ATTACK RESISTANCE
An adversary can not impersonate a tag without knowing the secret information stored in the tag's memory. In the proposed protocol, it is not possible to extract the secret information from the transmitted message (R 2 , γ , g ij ). Hence, the proposed protocol does not susceptible to an impersonation attack.

5) TAG ANONYMITY RESISTANCE
Tag anonymity ensures that the identity of the tag is not revealed to everyone. In the proposed protocol, the tag's identity is ID ij , which is a codeword of the code C. This identity is transmitted by the tag using the cipher text γ with the help of β, K ij , and the random number R 2 . Also, the value β changes in each session because of the random number R 1 generated by the reader. Hence, the random numbers help to hide the tag's identity from the adversary.

6) FORWARD SECURITY RESISTANCE
Forward security makes sure that the information currently being transferred cannot be employed to track back the information that was previously transmitted. Any secret information containing those numbers is generated at random in each session. Even if the adversary manages to acquire the tag identity ID ij in some way, they will still be unable to determine the conversations that preceded it because it involves a random number, left rotation, and a key value K ij . Therefore, the adversary cannot predict future calculations using physical attacks. Hence, the proposed protocol ensures perfect forward security.

C. SIMULATION OF THE PROPOSED PROTOCOL USING AVISPA TOOL
AVISPA is a tool that automatically validates internet security-sensitive protocols and applications. It provides a  modular and expressive formal language (HLPSL) for specifying protocols and their security properties. HLPSL is a role-based formal language that allows the specification of intruder models, complex security properties, and cryptographic primitives with algebraic properties. AVISPA tool is made up of four back-ends. OFMC, CL-AtSe, SATMC, and TA4SP. We use the OFMC mode in this simulation to validate our proposed protocol. The role specification of the tag T i and the server Si in HLPSL is depicted in Figure 2. Initially, the server shares secret information with the tag by using the command Snd({IDij.Kij} S Kts). Later, whenever the tag comes in the read range of the server, it transmits a nonce by the command Snd(R1 ′ ). After receiving, the tag generates a nonce by the command R2 ′ = new() and calculates B ′ , A ′ . The tag sends Snd(R2 ′ .A ′ .Gij) to the server. The server receives these data by Rcv(R2 ′ .A ′ .Gij) and validates the tag. The role of the session, environment and goal in HLPSL is depicted in Figure 3. The goal secrecy of subs1 represents the sensitive data (IDij, Kij) is only known to Ti and Si. The simulation result of the proposed protocol is shown in Figure 4. It shows that the proposed protocol is safe under OFMC mode back-ends.

D. SIMULATION OF THE PROPOSED PROTOCOL USING SCYTHER TOOL
The scyther tool is a prominent and broadly acknowledged tool used for checking the correctness of security protocol. To use the Scyther tool, the description of the proposed protocol should be written in SPDL (security protocol description language). The tool provides an option to generate security claims and verify against these claims automatically. The proposed protocol has two communication agents: tag and reader. In the role specification of tag and reader, we comprise a sequence of events like macro, send, recv, claim, etc. The role specification of the tag and reader is shown in 5. At the end of each role specification, the claim events like Niagree, Alive, Nisynch, and Weakagree are stated as security properties. The Scyther tool checks the validity of the claim events internally. If it does not find any attack against claim events, it shows the result ''OK''. The resulting window of the proposed scheme is shown in Figure 6. The simulation result shows that the tool did not find any attack in the proposed scheme. Hence, the scheme preserves the claimed security features.

VIII. MEASUREMENT OF PRIVACY
This section characterizes the level of privacy of the proposed protocol in terms of anonymity set and data leakage. For the privacy measurement, we used two privacy metrics given in the papers [5] and [34]. Both metric utilizes disjoint partition sets of tags for perception. At the point when a few tags are compromised, the arrangement of all tags is parcelled in such a manner so that the adversary (A) can not recognize the tags that have a place with a similar partition, yet the adversary can recognize the tags belong to different partitions. Here, |P i | denotes the size of such partition P i and |P i | T is the probability that a randomly chosen tag belongs to partition P i , T stands for the total number of tags in the system.

A. LEVEL OF PRIVACY BASED ON ANONYMITY SET
The level of privacy R based on the anonymity set is characterized as the average anonymity set size normalized with the total number of tags T [3], [28]. The level of privacy R is In the proposed protocol, if a tag is compromised, it releases no data about the cluster to which it belongs. Consequently, A can not recognize two tags regardless of whether they belong to a similar partition. So, if C is the total number of compromised tags in the system, we partitioned the system into C number of anonymity sets with size 1 and another anonymity set of size (T − C). Using equation VIII.1, the level of privacy R achieved by our protocol is

B. LEVEL OF PRIVACY BASED ON INFORMATION LEAKAGE IN BITS
If A partitioned a system with T tags into d disjoint sets, then the information leakage in bits is given by [28] Therefore, according to our partition, the information leakage in bits for the proposed protocol is given by

IX. EXPERIMENTAL RESULTS
This section presents a Matlab simulation of the proposed protocol to measure privacy and data leakage. We take a system of N = 2 12 number of tags and then divide all tags into 32 clusters. For the system setup, We choose a group Z 2 12 and associate each element of the group to a tag in the system as referred to in Section IV. We choose another group Z 2 7 and define a group homomorphism φ : Z 2 12 → Z 2 7 such that φ(x) = 36x (mod 2 7 ). The order of the kernel in φ is 128, i.e., | ker φ| = 128. Due to this, we get a 128-to-1 mapping from Z 12 2 to Z 7 2 . Thus, we divide all tags in the system into 32 clusters and in each cluster, we have 128 tags. The order of the Image in φ is 32, i.e., |Image φ| = 32. We use each element of Image(φ) as an index in our system, as shown in Table 1.
In the simulation, we randomly choose a range of compromised tags from 0 to 900. For each value of compromised tags, we run 100 simulations. We find the average of all the simulation runs and measure the privacy and data leakage by using VIII .2 and VIII .4, respectively. The simulation result of the privacy measurement is shown in Figure 7. The simulation result of Figure 7 shows that the proposed protocol attains higher privacy even if a large number of tags are compromised. The simulation result of the data leakage is shown in Figure 8. It shows that the proposed protocol does not disclose more information about the system while a large number of tags are compromised. With the conclusion of the simulation results, we claim that the proposed protocol achieves a higher level of privacy and discloses a small amount of data even if a large number of tags are compromised in the system.

X. BAN LOGIC PROOF
In this section, we demonstrate formal security proof of our proposed protocol by using BAN logic. The BAN logic is a logical method based on belief, and knowledge [1], [35]. By using BAN logic, we derive new beliefs from known beliefs. Some well-known BAN logic symbols and rules used in this paper are as follows. Symbols: 1) X |≡ Y : X believes that statement Y is true.   2) X ◁ Y : X receives a message that contains a statement Y from a network agent Z . 3) X |∼ Y : X has sent a message that contains Y to a network agent Z . 4) #X : X is fresh. 5) X ↔ YZ : Y is a secret shared between X and Z . 6) X Y ⇋ Z : Y is a shared statement between X and Z . 7) X ⊢ Y : X can drive Y . Rules: Rule 1 says that if a network agent X believes that Y is a shared secret between X and Z and receives a message Y, then X believes that Z has sent the message Y.
Rule 2: X |≡#R X |≡#M ,R . Rule 2 means that if an entity X believes that a message R is fresh, then X believes that a message that contains R, i.e., {M , R}, is also fresh.
The BAN logic correctness proof is divided into five parts as below. In the proof, R stands for a reader, and T stands for a tag.

A. PROTOCOL DESCRIPTION
This subsection describes the messages transmitted between a reader and a tag.
Here, we rewrite protocol descriptions into BAN logic syntax.
Initial assumptions of the proposed protocol are as follows.
The security goals of the proposed protocol are as follows.

E. PROOF PROCESS
From protocol idealization 1 and initial assumption 1, we can get Hence, protocol goal 1 is proved. According to initial assumptions 3, 4 and protocol idealization 2, we can get Hence, protocol goal 2 is proved. VOLUME 11, 2023
It is mandatory that a cryptographic protocol be liberated from security attacks with sensible complexities like computation and communication costs as well as storage costs. From Table 4, it can be easily observed that our proposed protocol performs extremely fewer computational operations than the others without sacrificing its security features. Subsequently, these features make our proposed protocol more suitable for a low-cost RFID system in comparison to other existing protocols. The details of the performance analysis are as follows. Table 4 shows the computational cost of the proposed scheme along with the other related protocols. The protocol (SASI) [9] used total 28 basic operations, two PRNG, and four bit-wise operations. Tian et al. [38] (RAPP) protocol used total 22 permutation operations, four bit-wise operations, 34 basic operations. Zhuang et al. [43] (R 2 AP) protocol used total 28 reconstruction operations, nine bit-wise operations, two PRNG, and 26 basic operations. Luo et al. [19] (SLAP) protocol used total 18 conversion operations, four bit-wise operations, and 18 basic operations. Tewari and Gupta [37] used a total 12 bit-wise operations, two PRNG, and 22 basic operations. Maurya et al. [20] protocol employed one cyclic redundancy check (CRC), one PRNG, one matrix multiplication, and four basic operations. Khor et al. [17] protocol used total 18 bit-wise operations, four PRNG, and 25 basic operations. Fan et al. [12] protocol used two bit-wise operations, five encryption/decryption operations, one PRNG, and nine basic operations. Shariq et al. [36] protocol used high computational modular operations, six hash functions, three PRNG, and eight basic operations. Shamshad et al. [33] protocol used a total of four elliptic curve point multiplication, three encryption/decryption operations, three PRNG, and 27 basic operations. Chander and Gopalakrishnan [8] protocol used a total of 18 hash functions, 3 PRNG, and 56 basic operations. Additionally, in a largescale environment, a protocol is unsustainable if its search complexity is O(N ). The proposed protocol has a searching complexity of O(1), but some related protocols have a complexity of O(N ), as shown in Table 4.

A. COMPUTATION COST
In contrast, the proposed protocol does not employ any specific operation like hash function, elliptic curve point operation, modular operation, CRC, permutation, and encryption/decryption operations. In our approach, the tag involves only one hamming weight-based left rotation, three basic operations, and one PRNG. These operations are very low-cost and easily be implemented in low-cost passive tags. On the server side, the proposed protocol employs only two matrix multiplication, one hamming weight-based left rotation, three basic operations and one PRNG to authenticate a tag. Therefore, the computation cost of the proposed protocol is less compared to the related existing protocols given in Table 4.

B. COMMUNICATION COST
In the proposed protocol, we assume that all the parameters are of length L(= 96) bits. The reader sends L bits message to the tag, and the tag sends 3L bits message to the reader in the proposed scheme. Following that, the proposed protocol's communication cost from reader to tag is 96 bits and from tag to reader is 3L = 3 × 96 = 288 bits. Thus, the total communication cost of the proposed scheme is 384 bits. A graphical representation of communication cost comparison from tag to reader and reader to tag is shown in Figure 9. According to this representation, it indicates that the communication cost of the proposed protocol is lower than the other protocols except the protocol [20]. But this protocol is vulnerable to impersonation attacks and traceability attacks. Consequently, the proposed protocol is more suitable than the other protocols.

C. STORAGE COST
The key information stored in the tag may be stolen by an adversary, so less key storage in the tag memory can bring higher security to the RFID system. In the proposed protocol, each tag requires only 3L bits for storing its static secret information, where L denotes the length of each parameter used in this protocol. We give a graphical representation of the storage costs in Figure 10 by considering L = 96. The storage requirement of the proposed protocol is less than the other protocols except that Chander and Gopalakrishnan [8] and Maurya et al. [20] protocols. Maurya et al.'s [20] protocol suffers from impersonation and traceability attacks, and Chander and Gopalakrishnan's [8] protocol used more computation compared to the proposed protocol. Therefore, the proposed protocol is more efficient and can be suitable for RFID systems with limited costs.

XII. CONCLUSION
This paper proposes an ultralightweight authentication protocol for an RFID system based on MDS code. The protocol uses properties of MDS codes and group homomorphism to reduce computational costs without compromising security features. We have analyzed the security features of the proposed protocol under a random oracle model, which shows that the protocol preserves information privacy as well as untraceability. The informal security analysis of the proposed protocol shows that the protocol resists all possible wellknown threats. The simulation results of the proposed protocol under AVISPA and Scyther tools show that the protocol is safe against various attacks. The simulation result of the measurement of the level of privacy shows that the protocol attains a higher level of privacy and discloses a very small amount of information when some tags are compromised in the system. We demonstrate the correctness of the proposed protocol by using BAN logic. The performance analysis of the proposed protocol illustrates that the protocol employs only bit-wise operators on the tag side to perform computational work. The rigorous analysis of the proposed protocol confirms that the proposed protocol achieves all desirable security features under the resource constraints environment of the RFID system.