RCIA: A New Ultralightweight RFID Authentication Protocol Using Recursive Hash

RFID is one of the most prominent systems in the field of ubiquitous computing. Since RFID tags have limited computation capabilities, numerous ultralightweight authentication protocols have been proposed to provide privacy and security. However, all the previously proposed ultralightweight mutual authentication protocols have security weaknesses and are vulnerable to various desynchronization and full disclosure attacks. This paper proposes a new ultralightweight mutual authentication protocol that provides robust confidentiality, integrity, and authentication (RCIA) in a cost-effective manner. RCIA introduces a new ultralightweight primitive, recursive hash, which efficiently detects message tampering and also avoids all possible desynchronization attacks. RCIA involves only bitwise operations: XOR, AND, left rotation, and recursive hash. Performance evaluation illustrates that RCIA requires fewer resources on the tag in terms of on-chip memory, communication cost, and computational operations.


Introduction
Radio frequency identification (RFID) is a rapidly growing identification scheme; its non-line-of-sight capability makes RFID systems superior to competing identification systems. Cost effectiveness and miniaturization are the two basic factors that have increased its commercialization and turned its adoption into mass deployment. Unlike bar codes, in RFID systems each object is labeled with a miniaturized integrated circuit (IC) equipped with an antenna and memory blocks [1]. The demand for low cost RFID tags restricts the tag side to only a few inexpensive computational operations. In practice, low cost RFID systems can store only hundreds of bits and can have 5 to 10 K gates, of which only 250 to 3 K gates can be allocated to security related operations for EPC (electronic product code) class-1 generation 2 passive RFID tags [2].
In 2006, Peris-Lopez et al. [3, 4] proposed a family of lightweight authentication protocols for such low cost RFID systems. These protocols provide basic security using only simple bitwise operations (XOR, AND, and OR). Later on, several security vulnerabilities of these protocols were reported in different articles [5-7]. In 2007, Chien [8] classified the security protocols into four types: full-fledged, simple, lightweight, and ultralightweight.
(1) Full-fledged protocols can incorporate the traditional cryptographical algorithms and solutions, like one way hash functions, public or private key cryptography, and so forth.
(2) Simple authentication protocols can support a random number generator and one-way hash functions only.
(3) Lightweight protocols can support only random number generators and simple functions such as cyclic redundancy check (CRC) but cannot use hash functions.
(4) Ultralightweight protocols can incorporate only simple bitwise logical operations and even random number generator cannot be used at the tag's side.
In this paper, a new ultralightweight mutual authentication protocol is proposed: the introduction of the novel ultralightweight primitive "recursive hash" makes it much more robust than its contending protocols [3, 4, 8-14] against various desynchronization and full disclosure attacks. We have named the protocol "RCIA" to highlight its main features of robust confidentiality, integrity, and authentication. The rest of the paper is organized as follows: Section 2 discusses the related work. Section 3 introduces the novel protocol, which is followed by the security analysis in Section 4. Section 5 shows the performance evaluation of the proposed protocol, and Section 6 concludes the paper.

Related Work
Nowadays, RFID systems are becoming an integral part of various commercial and industrial applications because of their rich features and fast operation. On the other hand, the massive deployment of such systems also invites eavesdropping on the communicated data, from which secret values may be inferred. In order to secure RFID systems in a cost-effective way, several ultralightweight mutual authentication protocols have already been proposed. However, all previously proposed protocols have vulnerabilities and serious security flaws. A detailed survey of ultralightweight protocols and their vulnerabilities follows.
In 2006, Peris-Lopez et al. [3, 4] proposed a family of ultralightweight protocols: LMAP (lightweight mutual authentication protocol) and EMAP (efficient mutual authentication protocol). These protocols use simple bitwise logical operations (triangular functions) to provide basic security, and their basic operation involves three steps: tag identification, mutual authentication, and updating of the variables (pseudonyms and keys). The randomness of the exchanged messages has been tested with the ENT [15], NIST [16], and Diehard [17] randomness test suites. However, Li and Wang [18] exploited the inherently poor diffusion properties of triangular functions and proposed two attacks (desynchronization and full disclosure) on LMAP and EMAP. These attacks successfully challenged the security claims of both protocols.
In 2007, Chien [8] proposed a new ultralightweight RFID authentication protocol providing strong authentication and strong integrity (SASI). A new left rotation (Rot) function is used extensively in SASI, in addition to simple bitwise logical operations, to avoid full disclosure and desynchronization attacks. However, Avoine et al. [19] highlighted the poor design of the messages in SASI and presented a practical passive attack on it. The proposed attack requires 2^17 eavesdropped sessions to mount a full disclosure attack. In 2013, Avoine et al. [20] improved the full disclosure attack from 2^17 eavesdropped sessions to a few sessions. Sun et al. [21] found two desynchronization attacks on SASI, thus placing SASI among the vulnerable ultralightweight mutual authentication protocols.
In 2008, Peris-Lopez et al. [12] proposed a more sophisticated ultralightweight authentication protocol named Gossamer. Gossamer introduced a new primitive, MixBits (derived using genetic programming). The MixBits function enhanced the diffusion properties of the exchanged messages; however, the contest between protocol designers and cryptanalysts continued. In 2009, Bilal et al. [22] highlighted a few vulnerabilities in the Gossamer protocol and proposed denial of service (DoS) and desynchronization attacks on it. These attacks cast doubt on Gossamer's security claims. In 2012, Zubair et al. proposed a counter based methodology in [23] to improve the performance of the Gossamer protocol; integrating the counter into Gossamer makes it resilient against DoS and desynchronization attacks.
In 2009, David and Prasad [10] presented a new ultralightweight authentication protocol using only AND and XOR operations. The David-Prasad protocol introduced the concept of a day certificate for the reader to eliminate the threat of reader impersonation. The protocol requires very little computational power at the tag side thanks to its use of simple bitwise logical operations. However, Hernandez-Castro et al. [24] proposed a traceability and full disclosure attack (Tango) on the David-Prasad protocol. The Tango attack requires good approximation (GA) equations based on the Hamming distance to an unknown variable. Barrero et al. [25] then modified the Tango attack and presented the genetic Tango attack, which removes the exhaustive search for GA equations.
In 2012, Tian et al. [9] proposed a new ultralightweight authentication protocol, RAPP. RAPP introduced a new ultralightweight nontriangular primitive, "permutation," to enhance the diffusion properties of the secret variables. RAPP involves simple bitwise XOR, left rotation (Rot), and permutation (Per) operations, which ensure high security, low computational complexity, and low tag cost. In 2013, Ahmadian et al. [26] highlighted the poor composition of the RAPP messages and proposed a desynchronization attack on the protocol. In the same year, Shao-hui et al. [27] showed the poor diffusion properties of the newly proposed permutation (Per) function, which can easily be exploited to reveal the secrets concealed in the tag. Ahmadian et al. [28] also introduced two new security models (frameworks), recursive linear and recursive differential cryptanalysis, to evaluate the security of ultralightweight mutual authentication protocols. Both models exploit the weak properties of the functions used in ultralightweight authentication protocols to retrieve the concealed secrets.

RCIA: A New Ultralightweight RFID Authentication Protocol
A new ultralightweight primitive, recursive hash, has been extensively used in RCIA. The recursive hash of any variable can be computed as follows.

Computation of Recursive Hash Function
The computation of the recursive hash of a variable involves the following three steps.
(1) The bit string of the variable is decimated (grouped) into memory blocks of equal size; for the 96-bit variables of RCIA these are 12-bit chunks, as noted in the Tango discussion of Section 4.
(2) After extracting the two random numbers from the messages sent by the reader, the tag calculates the seed (the index of the memory block) for the recursive hash as the Hamming weight of the XOR of the two random numbers, reduced modulo the number of memory blocks, where wt(·) represents the Hamming weight of its argument.
(3) The seed calculated in step 2 selects the corresponding memory block of the decimated string, and the following operations are performed to compute the final recursive hash of the variable:
(a) take the XOR between the selected memory block and every other block (the selected block itself is left unchanged in this step);
(b) left rotate the selected block by its own Hamming weight: Rot(block, wt(block)).
To better understand the concept of the recursive hash function, consider the following example. In Step 2, as seed = 3, memory block 3 (110101) is selected for the recursive hash. In Step 3, the XOR is taken between block 3 and all other memory blocks except itself, and block 3 is left rotated by its own Hamming weight. Then we have the recursive hash 001010011101011011000101. Algorithm 1 shows the computation of the above example.
The rotation function used in RCIA is explained as follows.
Rot is the cyclic left rotation of its first argument according to the Hamming weight of its second argument [21]. Each bit of the second argument, from the first to the L-th, is tested, and one cyclic left rotation of the first argument is performed whenever the tested bit is 1; otherwise no operation is performed. So Rot of a pair is in fact the rotation of the first argument by wt of the second, where wt(·) represents the Hamming weight. Rot is a simple operation but a time (clock cycle) consuming one, because the term is cyclically left rotated by a minimum of zero and a maximum of L bits (examining the L bits of the second argument requires L clock cycles for the rotation operation).
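The following Python model is an added example, not code from the paper or its Algorithm 1. It encodes the primitives exactly as worded above: wt, Rot (rotation by the second argument's Hamming weight), the seed as wt of the nonce XOR reduced modulo the block count, and the three-step recursive hash. The 96-bit length and 12-bit chunks come from the paper; the number of blocks (eight), the most-significant-block-first indexing, the output order, and the sample key and nonces are assumptions constructed here. The last two helpers exercise the integrity argument from the security analysis (a flipped nonce bit always moves the seed) and the seed-dependent Hamming distance used in the Tango discussion.

```python
# Added example (not from the paper): a model of RCIA's ultralightweight
# primitives as described in the text. Assumptions are marked ASSUMED.
from typing import List

L = 96                 # bit length of ID, IDS and keys (EPC class-1 gen-2, per the paper)
BLOCKS = 8             # ASSUMED: eight chunks, implied by "seven XOR operations" per 12-bit chunk
CHUNK = L // BLOCKS    # 12-bit memory blocks, as stated in the Tango discussion


def wt(x: int) -> int:
    """Hamming weight of x (number of 1 bits)."""
    return bin(x).count("1")


def rot(x: int, y: int, width: int = L) -> int:
    """Rot(x, y): cyclic left rotation of the width-bit value x by wt(y) positions.

    Reducing modulo width only matters when wt(y) == width, where a full
    rotation is the identity anyway."""
    r = wt(y) % width
    mask = (1 << width) - 1
    return ((x << r) | (x >> (width - r))) & mask


def seed(n1: int, n2: int) -> int:
    """Seed = wt(n1 XOR n2) mod BLOCKS: the index of the memory block to select."""
    return wt(n1 ^ n2) % BLOCKS


def split_blocks(x: int) -> List[int]:
    """Step 1: decimate the L-bit string into BLOCKS chunks (ASSUMED: block 0 is the most significant)."""
    mask = (1 << CHUNK) - 1
    return [(x >> (CHUNK * (BLOCKS - 1 - i))) & mask for i in range(BLOCKS)]


def join_blocks(blocks: List[int]) -> int:
    """Inverse of split_blocks: re-concatenate the chunks in place (ASSUMED output order)."""
    out = 0
    for b in blocks:
        out = (out << CHUNK) | b
    return out


def recursive_hash(x: int, s: int) -> int:
    """Steps 2-3: XOR the selected block into every other block, then rotate
    the selected block by its own Hamming weight (Rot(block, wt(block)))."""
    blocks = split_blocks(x)
    selected = blocks[s]
    for i in range(BLOCKS):
        if i != s:                       # "all other blocks except the block itself"
            blocks[i] ^= selected
    blocks[s] = rot(selected, selected, CHUNK)
    return join_blocks(blocks)


def hamming_distance(a: int, b: int) -> int:
    """Number of differing bit positions between a and b."""
    return wt(a ^ b)


def flipped_nonce_moves_seed(n1: int, n2: int, bit: int) -> bool:
    """Integrity argument: flipping one bit of a nonce changes wt(n1 XOR n2) by
    exactly one, so the seed moves to a neighbouring block index (mod BLOCKS)."""
    return seed(n1 ^ (1 << bit), n2) != seed(n1, n2)


if __name__ == "__main__":
    K1 = 0x123456789ABCDEF012345678     # constructed sample key (not from the paper)
    n1, n2 = 0x0F, 0x03                  # constructed sample nonces
    s = seed(n1, n2)                     # wt(0x0C) = 2 -> block 2
    print(f"seed = {s}, blocks = {[hex(b) for b in split_blocks(K1)]}")
    print(f"recursive hash of K1 with seed {s}: {recursive_hash(K1, s):024x}")
    print(f"recursive hash of K1 with seed {s + 1}: {recursive_hash(K1, s + 1):024x}")
    print("distance to K1 for seeds 0..7:",
          [hamming_distance(K1, recursive_hash(K1, i)) for i in range(BLOCKS)])
    print("a single flipped nonce bit always changes the seed:",
          all(flipped_nonce_moves_seed(n1, n2, b) for b in range(L)))
```

Running the module prints the block decomposition of the sample key, its recursive hash under two adjacent seeds, and the Hamming distance between the key and its hash for every seed; the last line confirms that no single-bit tampering with a nonce can leave the seed unchanged, which is the property the integrity argument relies on.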
RCIA mainly involves three entities: tag, reader, and backend database. Usually, it is assumed that the communication channel between reader and backend database is secure, since both reader and tag can incorporate traditional cryptographic algorithms for secure communications [3]. The channel between tag and reader is wireless and susceptible to all types of attacks because of the limited computational power at the tag side. Each tag has a unique static ID and preshares a pseudonym IDS and two keys with the backend database. To avoid desynchronization attacks, both reader and tag store the old pseudonym (IDS) and the old keys as well. According to EPC class-1 Gen 2, the length of ID, IDS, and the two keys is 96 bits for low cost passive RFID tags [2]. Both the tag and the reader update their pseudonym IDS and keys after each successful authentication session. RCIA comprises three steps: tag identification, mutual authentication, and variable updating (pseudonyms and keys). Figure 1 shows the specification of the protocol. The working details of the protocol are as follows.
(1) The reader sends a query message to the tag to initiate the protocol session.
(2) Upon receiving the reader's query, the tag responds with its IDS.
(3) On receiving the IDS, the reader uses it as a matching index in the database. If it matches an old entry (IDS old), the reader uses the old keys for computation of its three messages; if it matches a new entry (IDS new), the reader uses the new keys. If the IDS is not in the database, the reader immediately terminates the authentication session with that tag. If a match is found, the reader generates two random nonces and conceals them in its first two messages. The reader also computes the XOR of the two nonces and derives the seed for the recursive hash as the Hamming weight of that XOR value, reduced modulo the number of memory blocks. Finally, the reader uses the recursive hash of the keys, the potential next keys (marked with an asterisk), and the nonces to compute its third message.
(4) The tag first extracts the random nonces from the first two messages. It then computes the seed for the recursive hash from the XOR of the nonces and its Hamming weight modulo the number of memory blocks. The tag further calculates the potential next keys to compute a local value of the third message and compares it with the received one. If both values are equal, the tag performs two tasks: it calculates and transmits its own message to the reader, and it updates its pseudonym (IDS) and keys.
(5) Upon receiving the tag's message, the reader computes a local value of it and, if a match occurs, also updates its pseudonym (IDS) and keys for that particular tag.
The statistical properties of the four exchanged messages have also been analyzed with three well-known randomness test suites: Diehard [17], ENT [15], and NIST [16]. We generated an 11 MB file for each message, and some of the results are presented in Table 1. We can observe from Table 1 that all

Security Analysis
We analyze the security of RCIA in two aspects: the basic functionality of the protocol and its resistance to various cryptanalytic attacks. As the name suggests, confidentiality, integrity, and authentication are the basic functionalities of the RCIA protocol, and these are evaluated first. We have considered desynchronization, replay, traceability, impersonation, and full disclosure attacks, as well as the recently proposed formal structural cryptanalyses Tango and recursive linear and differential cryptanalysis. A brief summary of the security analysis is presented in Figure 2.

Confidentiality.
An attacker cannot obtain the random numbers, the recursive hash of the variables, or the tag's secret ID from the transmitted messages without knowing the keys. Khovratovich [31] proposed rotational cryptanalysis to analyze the security of systems based on modular addition, rotation, and XOR (ARX). For a given number of additions, rotations, and XORs, an ARX system whose operation count falls below a bound determined by the logarithm of the rotational probability (Pr) is considered vulnerable to rotational cryptanalysis. Therefore rotational cryptanalysis can be avoided if a larger number of rotations and XOR operations is incorporated in the scheme [32]. In RCIA, the recursive hash makes extensive use of XOR and rotation operations, which amplifies the diffusion (nonlinearity) properties of the protocol and provides optimal confidentiality to the system.

Integrity.
The reader's messages not only provide evidence for authentication of the reader but also assure the integrity of the transmitted messages. For example, if an attacker tries to modify the first random number by flipping certain bits of the message that carries it, the impact of this alteration transfers directly to the next message, and the tag extracts an invalid second random number from it. This invalid second nonce yields an erroneous seed for the recursive hash; hence the tag will not verify the third message and will abort the protocol. Moreover, it is impossible for an attacker to adjust the second message to a correct value, because the Rot(IDS ∧ ·, ·) term in its construction ensures that any change in the first nonce leads to the computation of an entirely different second nonce. Hence the message construction in RCIA ensures the integrity of the messages.

Mutual Authentication.
Genuine readers and genuine tags can authenticate each other. The four exchanged messages are based on the two preshared keys, so only a genuine pair of reader and tag can generate messages that will be accepted by both parties. In RCIA, the reader is authenticated by checking the legitimacy and correctness of its third message. That message is computed with the preshared keys and the pseudorandom numbers, so only the valid tag can verify it. Once the tag authenticates the reader successfully, it transmits its shared secrets in the form of its own message. The reader authenticates the tag after verifying the legitimacy of that message; therefore only a genuine reader and tag can generate valid values in RCIA.

Desynchronization Attack.
In RCIA, both reader and tag update their shared secret keys and IDS after every successful authentication session to maintain synchronization with each other. The synchronization depends upon the reception of the reader's third message and the tag's message, so there are two possible ways to break it.
(a) Attacker Blocks the Reader's Message. Since the tag does not receive the reader's message, it does not update its values and keeps the tuple (keys and IDS) in its memory. Secondly, the tag aborts the protocol session and does not compute its own message. Hence the reader also remains in the same state as the tag (synchronized).
(b) Attacker Blocks the Tag's Message. Since the reader does not receive the tag's message, the tag has updated its values but nothing happens at the reader's end. As both tag and reader keep two entries of keys and IDS (new and old), the reader and tag can still authenticate each other using the old (previous) values. Moreover, if an attacker tries to make reader and tag use different random numbers to update their values by tampering with the first two messages, the attacker will not succeed, because the tag will notice the tampering and abort the protocol session.

Replay Attack.
In RCIA, for each new session the reader generates new random numbers, and computation of the third message involves the potential next keys. If an attacker replays a previously captured message of a valid tag, the reader will not authenticate this tag (attacker). Another replay attack scenario, aimed at desynchronizing tag and reader, has been proposed by Sun et al. [21]. That attack takes advantage of a single entry of local values (IDS and keys); RCIA counters it by storing two (previous and current) sets of local values. The description of the Sun et al. attack against RCIA is as follows.
Suppose a reader initiates the protocol session with a particular tag. The attacker sniffs and records the IDS and the reader's three messages. The attacker then blocks the tag's response, so that the tag updates its values but the reader does not. Next, the attacker allows the reader and tag to run the protocol again without intervening. On receiving the reader's query, the tag responds with its next IDS, but as the attacker blocked the message in the previous authentication session, the reader asks for the old values to start the new authentication session. After successful completion of the authentication session, both reader and tag update their values in accordance with the new random numbers. Now the attacker starts a new protocol session with the valid tag, impersonating a valid reader. The tag responds with its currently updated IDS, but the reader (attacker) asks for the old values for execution of the protocol. On receiving the IDS, it transmits the precaptured messages, which the tag will accept, and the tag updates its values. However, this attack does not affect the synchronization between reader and tag, because in RCIA both parties store two entries of their keys and IDS. The storage of previous and current values of the keys and IDS makes RCIA much more robust against desynchronization and replay attacks.

Traceability Attack.
In RCIA, the tag uses its IDS for interaction with the reader instead of its original ID, and the IDS is updated after each successful session. Secondly, the updating operation involves the two pseudorandom numbers; this protects the tag's anonymity and makes tracking impossible. Moreover, an adversary will not be able to track tags through the four exchanged messages, because the freshness of each message is ensured by the pseudorandom numbers.

Full Disclosure Attack.
The RCIA protocol has extensively incorporated nontriangular functions such as recursive hash and left rotation (Rot) instead of simple triangular functions (T-functions: XOR, AND, and OR), which makes it impossible to find probabilistic and other disclosure attacks on our protocol. The recursive hash function basically encompasses internal modular left rotation and XOR operations. In RCIA, we have further left rotated the recursive hash of the values to compute the publicly transmitted messages, thus amplifying the diffusion properties of the messages. In most full disclosure attacks, the attacker tries numerous slightly modified combinations of the messages to find suitable approximations of the internal secrets. However, the use of recursive hash in RCIA increases the overall computational complexity of such reverse engineering approximations, as there can be many different pairs that yield the same results.

Formal Structural Cryptanalysis.
Most of the attacks proposed on UMAP protocols are based on ad hoc or probabilistic methods that do not extend to a broader class of ultralightweight protocols for their security analysis. To the best of our knowledge, only two formal structural cryptanalysis methods (frameworks), each with certain limitations, exist to evaluate the security of UMAP protocols: Tango and recursive linear and differential cryptanalysis. RCIA evades these formal structural cryptanalyses in the following manner.
(a) Tango Attack. The Tango attack [24] mainly exploits the inherently poor diffusion properties of triangular functions and the improper design of the protocol messages (equations). The attack is divided into two phases: (a) selection of good approximations (GA) for the secrets (keys and ID) and (b) comparison of the combined GA (over several eavesdropped sessions) against an optimal precomputed threshold to reveal the desired secret. The threshold depends on the total number of 1's in the GA columns and is computed from one half of the product of the number of approximations per secret and the number of eavesdropped sessions (iterations).
The GA used in the Tango attack to retrieve the conjectured secrets are linear approximations. The Tango attack cannot be applied to UMAP protocols that incorporate nontriangular functions abundantly; this limitation of the Tango attack has also been highlighted by Hernandez-Castro et al. [24]. In RCIA none of the unbalanced operations is used, and since the recursive hash comprises one left rotation and seven XOR operations per 12-bit memory chunk, the overall complexity of approximating each secret value increases further (to 2^7 × log2(·)). Secondly, the Hamming distance between a value and its left rotation varies with the rotation amount, and in RCIA the Hamming distance between a variable and its recursive hash likewise differs according to the seed value (derived from the XOR of the two nonces). So it is impossible to find optimal approximations of the secrets from the nonlinear (left rotated and recursive hashed) public messages of the RCIA protocol. Therefore, RCIA is highly resistant to Tango attacks, and in order to estimate the secret values of RCIA, other kinds of approximation would have to be considered.
(b) Recursive Linear and Differential Attacks [28]. Recursive linear cryptanalysis (RLC) also exploits T-functions and constructs a system of linear equations for each bit of the secret values (keys and ID). RLC then solves the linear equations recursively (bitwise), starting from the least significant bit (LSB), to retrieve all concealed secret variables. RLC is passive and deterministic and requires only one authentication session. However, RLC completely fails to retrieve the secret variables of UMAP protocols that incorporate nontriangular functions (Rot, permutation, recursive hash, etc.) in their design [28]. Since RCIA extensively uses the nontriangular recursive hash function, RLC is not applicable to RCIA.
Recursive differential cryptanalysis (RDC) is a more powerful attack than RLC and accordingly has more requirements. RDC is an active attack and requires more than one authentication session to construct the set of linear equations. In RDC, the attacker tries to force both the reader and the tag to run their new authentication sessions in the previous (old) state, so that neither party updates its variables (keys and IDS). For each new session, all the dynamic secret variables then remain the same except the random numbers. Moreover, these new random numbers usually have a clear differential relation with the previous ones, which can be used to generate linear equations for the secret variables. RDC also fails to construct the required linear equations for protocols that incorporate nontriangular functions [28]. Hence, RCIA avoids both attacks (RLC and RDC), because the recursive hash affects the computation of all dynamic secrets through nonlinear bit positioning, so even the differential relation between new and old random numbers will not allow the attacker to construct a linear set of equations to approximate the secret variables.

Performance Evaluation
In this section, the performance analysis of the RCIA protocol in terms of computational operations, memory storage requirement, communication cost, and security for each tag is presented. As far as computational operations are concerned, the tag uses simple bitwise operations: XOR, AND, left rotation, and recursive hash. Recursive hash is basically composed of three basic ultralightweight operations: grouping, left rotation, and XORing. These operations are extremely lightweight and can easily be implemented on low cost passive tags. Regarding storage, each tag requires a ROM of 7L bits to store the bits of its static ID and 6L bits of rewritable memory for two entries of its pseudonym IDS and two keys. The communication cost of the tag is the total size of the messages sent by the tag in one protocol run; here the RCIA tag transmits two messages altogether, hence the communication cost is 2L bits. RCIA provides robust security compared to its contending, previously proposed ultralightweight mutual authentication protocols [3, 4, 8-13]. None of these protocols completely satisfies the security model presented in Section 4. The existing ultralightweight mutual authentication protocols fail to provide the basic functionalities (confidentiality, integrity, and authentication) that are unavoidable requirements for any security protocol. On the other hand, as discussed in Section 4, RCIA withstands all the attacks in the security model, as shown in Figure 1. A simple comparison of some ultralightweight protocols is listed in Table 2; the analysis shows that RCIA outperforms the others while using minimal resources.

Conclusion
In this paper, we have proposed a novel ultralightweight mutual authentication protocol using recursive hash. The proposed scheme provides robust confidentiality, integrity of the transmitted messages, and authentication in an optimal and cost-effective way. In RCIA, there are only three computational operations at the tag's end: XOR, AND, and left rotation (Rot). A new ultralightweight primitive, recursive hash, has also been introduced in this paper, which makes the proposed algorithm more secure and robust against various attacks. These features make RCIA the best choice for low cost and very low cost RFID tags.