A New Ultralightweight RFID Mutual Authentication Protocol: SASI Using Recursive Hash

RFID is one of the most prominent identification schemes in the field of pervasive systems. Nonline of sight capability makes RFID systems much better choice than its contended systems (such as barcode, magnetic tape, etc.). Since the RFID uses wireless channel for communication with its associated devices, there should be some optimal encryption methods to secure the communicating data from adversaries. Several researchers have proposed ultralightweight mutual authentication protocols (UMAPs) to secure the RFID systems in cost effective manner. Unfortunately most of the previously proposed UMAPs are later found to be vulnerable against various desynchronization, Denial of Service (DoS), traceability, and full disclosure attacks. In this paper, we present a more sophisticated UMAP to provide Strong Authentication and Strong Integrity (SASI) using recursive hash function. The proposed protocol incorporates only simple bitwise logical operators XOR, Rot, and nontriangular function (recursive hash) in its design, which can be efficiently implemented with a low cost passive RFID tag. The performance analysis of the protocol proves the conformation of the proposed protocol with EPC-C1G2 passive tags. In addition to privacy and security, small chip area (miniaturization) is another design constraint (which is mandatory requirement for a protocol to be considered as ultralightweight authentication protocol). We have also proposed and implemented the efficient hardware design of the proposed protocol for EPC-C1G2 tags. Both the FPGA and ASIC implementation flows have been adopted. The FPGA flow is primarily used to validate the functionality of the proposed hardware design whereas ASIC flow (using TSMC 0.35 μm library) is used to validate the gate count. To the best of our knowledge, this is the first FPGA and ASIC implementation of any ultralightweight RFID authentication protocol.


Introduction
Currently barcodes and RFID are the two widely used identification systems. The efficient functional haste and prevailing features (automation and nonline of sight) of the RFID systems are main causes of its massive and rapid deployment compared to other contended schemes. The RFID systems comprise Radio Frequency (RF) tags and RF readers. The reader periodically broadcasts the RF signals and the tags (present in the reader's vicinity) share their internal data with the reader. Table 1 describes the main differences between RFID systems and barcode schemes.
Moreover, the RFID systems can uniquely identify each item/product (tag), while mostly barcodes schemes can only identify the type of the item/product (not unique identification). The only hindrance in rapid growth of RFID technology is its security concerns and overall cost of the tag, which should be $0.05 to 0.1 to be considered comparable with the barcodes [1,2]. The demand of low cost tags limits us to use passive RFID tags which only involve simple computational operations for security and other functions. Typically such tags can store only 32-1K bits and can support 250-4K logic gates for security related tasks. So conventional cryptographic algorithms (such as AES and Triple DES) and primitives (such as Hash function) cannot be used to secure the system. In spite of the certain limitations, RFID systems are evolving rapidly (9 billion USD revenue in 2014 [3]) with diverse applications. Although barcode is currently dominant identification technology RFID is an emerging successor and has captured marketplace in various sectors (such as animal tracking, cattle identification, and supply chain management). The RFID systems mainly consist of 2 International Journal of Distributed Sensor Networks three main components: tag, reader, and backend database.
A tag is small electronic chip (transponder) implanted on an object, which needs to be identified. A reader scans the tags, collects identification information, and forwards this information towards backend database (server) for final verification. Security and privacy are the two major concerns of RFID based identification systems, which are associated with the tag's cost. On the basis of the tag's cost and computational capabilities, the RFID tags can be classified into two types: high and low cost tags. The high cost tags are resourceful enough to support traditional cryptographic algorithms and primitives such as AES, hash functions, and stream ciphers for security. These conventional cryptographic algorithms and primitives have excessive power, memory, and silicon (chip) area requirements which are transcendent from the low cost tag's computational capabilities. So a new field of ultralightweight cryptography has been introduced to ensure the security of the low cost RFID tags in recent years. Numerous UMAPs have proposed that support only simple -functions [4] and some special purpose ultralightweight primitives perform security related tasks. To the best of our knowledge, all of the previously proposed UMAPs are reported to be vulnerable against numerous desynchronization and full disclosure attacks. In order to avoid all possible security attacks, this paper presents a new UMAP to provide Strong Authentication and Strong Integrity using recursive hash for extremely low cost RFID systems.
The organization of the paper is as follows. Section 2 describes the literature review, which is followed by the basic working of the novel UMAP in Section 3. Section 4 presents the functional analysis of the protocol and Section 5 lists the security analysis of the proposed UMAP. Section 6 discusses the performance analysis of the proposed UMAP. The efficient hardware implementation of the proposed scheme is described in Section 7. Finally Section 8 concludes the paper.

Literature Review
In 2006, Peris-Lopez et al. laid the foundation of ultralightweight cryptography and proposed three UMAPs: LMAP (lightweight mutual authentication protocol) [1], EMAP (extremely lightweight mutual authentication protocol) [5], and M2AP (minimalist mutual authentication protocol) [6]. All three UMAPs involve simple bitwise logical operations (XOR, AND, and ADD) in their designs and hence can be implemented within approximately 1K logical gates. However, in 2007, Tieyan et al. [7,8] highlighted the vulnerabilities in all three UMAPs listed above and proposed desynchronization and full disclosure attacks on them. They also reported that the combinations of -functions return another -function (linear), which are considered to be insecure for computation of the encrypted messages.
In 2007, Chien [9] reported that the assimilation of nontriangular function in UMAP designs makes UMAP more robust and reliable. Chien integrated the hamming weight based cyclic left rotation function, Rot, in protocol messages and proposed a new UMAP to provide Strong Integrity and Strong Authentication (SASI). However right after the introduction of protocol, several researchers highlighted the pitfalls in SASI protocol design. Sun et al. [10] reported two simple desynchronization attacks and Avoine et al. [11] presented full disclosure attack to reveal all the concealed secrets of the SASI protocol. Avoine's full disclosure attack requires 2 17 authentication sessions to fully disclose the tag's ID.
Peris-Lopez et al. [12] extended Chien's concept of assimilation of nontriangular function in UMAP designs. They proposed a new Genetic Programming based nontriangular primitive, MixBits, and introduced a new UMAP: GOASS-MER. To the best of our knowledge, the GOASSMER protocol is the most robust protocol of 2008 and it has received only desynchronization attack till date [13]. However, the authors have not clarified the hardware requirements of MixBits function.
In 2012, Tian et al. [17] introduced a new ultralightweight primitive, permutation, and proposed RFID authentication protocol using permutation (RAPP). The inclusion of the permutation function not only enhanced the diffusion properties of the protocol messages but also increased the randomness International Journal of Distributed Sensor Networks 3 in the messages. In 2013, Ahmadian et al. [18] exploited the poor properties of the permutation function and highlighted the desynchronization attack on the protocol. Wang et al. [19] made several observations on RAPP protocols and proposed a sequential full disclosure attack on the RAPP. The proposed full disclosure attack revealed all the concealed secrets of the tag and thus challenged the security claims of the RAPP.
In 2014, Zhuang et al. [20] proposed a new UMAP (R2AP) based on their new nontriangular primitive: reconstruction. Although the mathematical formulation of the protocol is quite robust the poor designing of the protocol structure makes the tag traceable. In R2AP protocol, if an adversary blocks the last two messages between tag and reader from reaching at tag's side, then next time both the reader and the tag use the same variables for computation of messages. Now repeated blocking of these messages restricts both parties to communicate with the same variables (static) and hence the adversary can easily track the movements of the tags through publically disclosed messages.

The SASI Protocol Using Recursive Hash
As we have already discussed, the SASI was the first UMAP that introduced the nontriangular function "Rot" in its design and was proposed in 2007 [9]. Many researchers highlighted the various loopholes and vulnerabilities in SASI protocol and challenged its claim of Strong Authentication and Strong Integrity (SASI) [10,11,24,29,30,33].
In this section, we improve the overall description of the SASI protocol and make it more robust against all the highlighted attacks to date. In our proposed scheme, both the reader and the tag preshare two copies of IDS and keys ( 1 , 2 ) (old and current). This storage of an extra copy of IDS and keys at both sides avoids all possible desynchronization attacks. Furthermore, like other UMAPs, this new protocol also updates its pseudonym and keys after each successful authentication session. To strengthen the diffusion properties of the publically disclosed messages, we have incorporated two new ultralightweight primitives (recursive hash ( ℎ ) [22] and double rotation) in protocol design. The recursive hash function ( ℎ ) can be computed as follows.
Then the computation of recursive hash of , ℎ ( ), involves the following four steps: (a) Decimate the string into " " number of chunks (memory blocks) with equal number of bits " " per memory block ( = / ).
(b) Extract random numbers ( 1 , 2 ) from messages sent by the reader; then the tag computes the seed (index of the memory block) for recursive hash in following manner: (ii) seed (index of memory block) = (Rand) mod , where (Rand) represents the hamming weight of Rand.
(c) Select the corresponding memory block ( ) of decimated string using seed calculated in step (b) and take XOR between selected memory block ( ) with all other blocks except the block itself.
Finally concatenate both strings (XORed and left rotated ( )) to have the final recursive hash of the string.
To better understand the concept of recursive hash function, consider the following example.
(2) Algorithm 1 shows the stepwise computation of the above example.
3.1. The Protocol. Figure 1 shows the basic working of the protocol. We have assumed that the channel between the reader and the database is secure as we can incorporate typical cryptographical algorithms to the secure that channel. The description of the protocol is as follows.
Step 1. The reader initiates the protocol by transmitting the message "hello" towards the tag.
Step 2. The tag responds with its current IDS.
Step 3. Upon receiving IDS, the reader uses it as an index and searches for a matched entry in its database. If the reader does not find the IDS in its database, then it sends an error message towards the tag (which means the tag should send IDS old ). However if a match occurs, then the reader generates two pseudorandom numbers ( 1 , 2 ) and conceals them in messages , : 4 International Journal of Distributed Sensor Networks Assume = 11001011010100101001101100101011, = 32, = 8, = 4 3 2 1 and Seed = 3 Step 1.
Steps 3 and 4. Take XOR between 3 and all other blocks except the block itself, left rotate 3 , Rot( 3 , ( 3 )) and concatenate all computed results sequentially.  (i) The reader then computes seed for recursive hash ( ℎ ): (ii) After calculating the recursive hash of the variables ( 1 , 2 , 1 , 2 ), the reader computes message : Step 4. After reception of messages ‖ ‖ , the tag performs following tasks: (i) Extracts pseudorandom numbers ( 1 , 2 ) from messages , : (iii) Computes the local value of message , : The tag authenticates the reader as follows: If = the tag authenticates the reader successfully else the protocol aborted end if (v) On successful authentication, the tag computes ℎ (ID) and conceals it in message : (vi) Tag → Reader: . (vii) The tag also updates its pseudonym (IDS) and keys ( 1 , 2 ) for future communication: Step 5. On receiving message , the reader computes the local value of message , " ": (i) The reader authenticates the tag as follows: If = the reader authenticates the tag successfully else the protocol aborted end if (ii) The reader uses (10) to update the pseudonym (IDS) and keys ( 1 , 2 ) of the tag in its database for future correspondence with the particular tag.

Functional Analysis of the Proposed Protocol
A UMAP can only be considered secure if it provides three basic functionalities: confidentiality, integrity, and authentication. Our proposed protocol ensures these functionalities optimally as described below.

Confidentiality.
One of the main objectives of the UMAPs is the secure transmission of the secret ID from the tag to the reader. In SASI using recursive hash, both the reader and the tag preshare static ID and dynamic keys ( 1 , 2 ). Therefore only the legitimate party with prior knowledge of these variables can decrypt the , , , and messages. Increasing the number of rotations increases the level of confidentiality as shown by Khovratovich and Nikolić [32]. In our proposed scheme, the inclusion of double rotation function and recursive hash function causes the extensive overall rotations and makes number of rotations/additions: > − /log 2 ( ) [32], hence making system more secure and reliable against rotational cryptanalysis (where is the logarithmic probability of any ARX (Addition Rotation and XOR) system). Moreover, the optimal composition of the publically disclosed messages ( , , , and ) increases the computational complexity and hence makes it impossible for an adversary to retrieve the concealed data. The complexity of recovering conjuncture pseudorandom numbers ( 1 , 2 ) is as follows.
So with (64×log 2 1 ×log 2 2 ) complexity, an adversary may compute the pseudorandom numbers. However these pseudorandom numbers are updated after each authentication session regardless of success or failure of the protocol session. So the proposed protocol ensures the data confidentiality optimally.

4.2.
Integrity. In our proposed scheme, all the transmitted messages ( , , , and ) are interlinked. If an adversary tries to modify any of the messages by toggling certain bits then the impact of this modification directly transfers to other messages as well. For example, if an adversary modifies certain bits of the message , then the tag computes invalid 1 and further invalid 2 from the message . Now, the tag is not able to authenticate the reader and hence terminates its protocol session with the reader. The presence of 1 in message ensures the integrity of the messages.

Authentication.
As the name suggests, every UMAP should provide a strong mechanism of mutual authentication. In SASI, using recursive hash, the transmitted messages not only ensure the integrity but also provide the mutual authentication. After initial identification of the tag, the reader sends , , and messages towards the tag. Only the legitimate tag can extract the random nonces from and messages and hence can authenticate the reader. Moreover, the legitimate tag can only generate such message which is acceptable to the legitimate reader.

Security Analysis of the Proposed Protocol
In this section, we evaluate the resistance of the proposed protocol against various security attacks. The detailed description of the attack models is given below.

Desynchronization Attack.
In our proposed scheme, both the reader and the tag update their pseudonym (IDS) and keys ( 1 , 2 ) after each successful authentication session. Since the synchronization depends upon the reception of and messages, the adversary may interrupt the transmitted messages to desynchronize the legitimate pair (reader and tag). There are two possible desynchronization attack scenarios.
(i) Adversary Interrupts the Message . In such scenario, the tag does not receive the message so it does not authenticate the reader and keeps the previous values of the pseudonyms and keys. The tag also abandons this incomplete protocol session and hence does not compute the message . Therefore both the reader and the tag remain in the same state (synchronized).
(ii) Adversary Interrupts the Message . In this case, the reader does not receive the message ; therefore it keeps the previous values of pseudonyms and keys while the tag updates its internal variables (since it has received the message ). However our proposed scheme resolves such disruption issues by storing an extra copy of pseudonym and keys (old and new) at both sides. For the next session, the reader and the tag use the old values (pseudonym and keys) for authentication. Hence both legitimate parties remain synchronized.

Replay
Attack. The adversary impersonates as a valid tag and replays the (fake) message towards the reader. As the message involves recursive hash values and random nonces ( 1 , 2 ) (independent of the session), the genuine reader does not authenticate such tag and aborts the protocol session with the particular tag.
Another replay attack scenario: an adversary may interrupt the message in one session and then replay the previously captured messages (based on old values) ‖ ‖ towards the tag. This scenario does not affect internal secrets and synchronization of the legitimate parties. The storage of two copies of the local variables combats against all possible replay and desynchronization attacks. Moreover the replay attack proposed by Sun et al. for SASI [10] also takes advantage of single copy of pseudonyms and keys and hence is catered by our proposed protocol.

Traceability Attack.
Like RCIA [22], the SASI using recursive hash also avoids all possible traceability attacks. In our proposed protocol, the tag uses dynamic IDS instead of its original static ID for interaction with the reader. For each new authentication session, both the reader and the tag use new (updated) IDS, which makes tracking of a particular tag impossible. Another possibility of traceability attack is tracking of the tag through exchanged messages. However in our proposed scheme, each new authentication session brings new random nonces (integrated in messages), which ensure the freshness of the messages and hence make the protocol untraceable. Raphael proposed one of the most sophisticated formal traceability models to validate the untraceability claims of UMAPs.
The analysis of the proposed protocol over Raphael formal traceability model [33] is as follows. Send (P 1 , P 2 , , ) Query. This query models the active adversary (A). The adversary (A) can impersonate either as P 1 (P 1 = T) or P 2 (P 2 = R) and send message in protocol session to its contended party (P 1 or P 2 ).
Corrupt (T, ) Query. This query allows the adversary (A) to obtain the concealed secret of the tags and then set = .
Since the RFID tags generally are not tamper, resistant, this query assumes that the adversary (A) has physical access to the tag.
Test ( , T 0 , T 1 ) Query. This query mainly defines the untraceability (UNT) and does not correspond to any adversary (A) capabilities. In the protocol session , this query gives adversary (A), ID from the set (ID 0 , ID 1 ) corresponding to the tags (T 0 , T 1 ) where ∈ {0, 1}. The adversary (A) succeeds if it can guess the correct value of . Now, the adversary's capabilities are clear so, the untraceability (UNT) problem can be defined as game (G). The game (G) is played between adversary (A) and protocol parties (P).
The SASI using recursive hash protocol proves to be untraceable against the described formal traceability model. Consider the untraceability (UNT) model presented above, where the adversary can send multiple queries to learn the relation between ID and the publically transmitted messages. The adversary returns to being successful, if an adversary computes the ID with probability in the form of where is the publically disclosed message and z denotes the logical operation between the messages. More precisely, if probability > 1/2, the adversary wins the game and the protocol does not resist traceability.
Assume that in learning phase, the adversary (A) computes (16)  The main reason which allows the adversary to compute (16) is the use of only unbalanced operators in protocol designs. In SASI, using recursive hash, none of the unbalanced operator is used in the messages. Therefore, the adversary may only compute the following ambiguous equation for our proposed scheme: The adversary wins the game (G) if he can rewrite (17) as follows: All the variables used in (17)  Therefore, the SASI using recursive hash protocol proves to be untraceable against the Raphael formal traceability attack.

Full Disclosure Attacks.
Most of the attacks proposed for UMAPs are ad hoc and probabilistic, which are not extensible to a broader class of the protocol. To the best of our knowledge there are only three formal (structural) cryptanalysis models (for UMAPs) that exist, namely, Tango [26,27], RLC, and RDC [25]. As our proposed scheme involves nontriangular primitives (i.e., recursive hash and double rotation) extensively in its design so none of the formal and ad hoc attack can disclose any concealed secret. This limitation of the formal attacks has also been indicated by their inventors. Hence the optimal designing of the protocol messages makes our proposed scheme robust against all possible full disclosure attacks.

Formal Security Analysis.
For formal security analysis of our proposed scheme, we have used Casper and FDR tools [34]. The FDR uses the assumptions of Dolev-Yao security model to find the possible attacks in the protocols [35], which is considerably more reliable than GNY and BAN (in the case of UMAPs) [36,37]. Firstly, we describe the proposed protocol in simple and abstract language understandable by Casper, which further produces the Communicating Sequential Processes (CSP) description of the same protocol. After loading of the CSP file protocol in FDR2, it does not identify any attack. Hence successful formal security analysis enlists our proposed protocol among secure UMAPs.

Performance Analysis of the Proposed Protocol
This section presents the performance analysis of the proposed UMAP (SASI using recursive hash) in terms of computational operations, memory requirements, communication cost, and security for each tag. As far as computational operations (operators used) are concerned, our proposed UMAP involves only simple bitwise logical operations such as XOR, left rotation (Rot), and recursive hash ( ℎ ) operations. Regarding memory (storage) requirements, each tag owns one static ID and two dynamic entries of IDS and keys (old and new). Therefore ROM of size "1 " is required to store static ID and rewritable memory of size "6 " is required for storage of old and newly updated variables: keys ( 1 , 2 ) and IDS. For simplicity, here we have neglected the transitional registers, which are required to store the intermediate results.
The communication cost of the tag is basically the number of messages sent by the tag during one protocol session. Here in our proposed scheme, each tag transmits altogether two messages; hence the communication cost is "2 " bits.
As far as the security is concerned (discussed in Section 5 as well), our proposed UMAP provides robust security as compared to its contended (previously proposed) 8 International Journal of Distributed Sensor Networks ultralightweight mutual authentication protocols. None of the previous protocols completely satisfies the proposed comprehensive security model presented in Section 5. The existing UMAPs even fail to provide the basic functionalities (confidentiality, integrity, and authentication) which are the essential requirements for any security protocol. Moreover these UMAPs cannot resist against numerous structural (formal) cryptanalysis (Tango, RLC and RDC) and disclose tag's secret ID to adversaries after only few authentication sessions. Most of the -function based UMAPs (LMAP, EMAP, and M 2 AP, David-Prasad et al.) are less resistive against full disclosure attacks. For example, Hernandez-Castro et al. [27] proposed a structural cryptanalysis model (Tango attack) against David-Prasad protocol and retrieved all the concealed secrets (including ID) of the tag. The attack is mainly divided into two phases: selection of Good Approximations (GAs) and comparison of these approximations. In Tango attack, the adversary takes advantage of poor diffusion properties of -functions (used in the protocol) and constructs the multiple approximations of the secrets using various combinations of the exchanged messages ( , , , , and ). Further, the final selection of the GA equations is scrutinized using their hamming distance with secret itself. In the second phase of the attack, the main idea is to combine the multiple GAs for a particular secret, obtained in various protocol sessions and formation of these multiple session GAs matrixes. The adversary further compares the column wise total number of 1's ( ) with precomputed threshold ( ) for final conjecture secret: threshold function of th( ) can be computed as follows: where = 0.5 × × , is the number of Gas for the secrets, and is the number of eavesdropped sessions. By using the above methodology, the adversary can retrieve all the concealed secrets (ID and keys) with almost 100% success rate.
The nontriangular function based UMAPs (GOASSMER, RAPP, R 2 AP, RCIA, etc.) are more resistive against full disclosure attacks but researchers have identified many desynchronization and traceability attacks in such UMAPs due to weak protocol designs. For example, the GOASSMER protocol avoids all possible full disclosure attacks but fails to resist against desynchronization attack [38] (related to the structure of the GOASSMER protocol). The attacker stores ‖ ‖ messages of a genuine authentication session and blocks the message (round-1). Then, in round-2, the adversary lets the pair communicate without any interruption. Since the current IDS does not match, the tag uses its previous IDS and keys for authentication and updating its variables. Finally, the adversary initiates its protocol session with the tag and refuses to accept its current IDS. The tag then uses its previous IDS which is now accepted by the adversary and the adversary sends back the precaptured messages (round-1) ‖ ‖ . After accepting these messages, the tag updates its pseudonyms and permanently desynchronizes with its legitimate network. Likewise, the R 2 AP protocol avoids many existing adversarial attacks but the alternative approach for avoidance of desynchronization attacks enforces both parties (reader and tag) to compute the previously transmitted messages repeatedly. This repetition of the same messages opens the horizons for several traceability, replay, and Denial of Service (DoS) attacks. For example, if an adversary blocks the messages and then the reader updates its pseudonym and keys while the tag keeps the previous values of its pseudonym and keys. Hence, by repeatedly blocking the and messages, the adversary can easily identify and track the movement of the tag (because each time the adversary receives the same messages ( , , , , and )).
The only way to avoid such traceability attacks is to have new pseudorandom number for each new authentication session. The inclusion of new pseudorandom numbers ensures the freshness and anonymity of the messages. On the other hand, as discussed in Sections 4 and 5, our proposed protocol can withstand all the security attacks mentioned in the security model (including formal and ad hoc based attacks). A simple comparison of eminent ultralightweight protocols is listed in Table 2. The analysis depicts that the proposed UMAP outperforms the others while using minimal resources.

Design and Hardware Architecture
One of the major challenges in RFID systems is to design efficient and cost effective (ultralightweight) mutual authentication protocol. EPC-C1G2 tags are passive in nature, with no on-chip battery and hence can support fewer resources for routine operations. Only few thousand gates can be allocated to security related tasks, which makes design of such cryptographic protocols more challenging. As the proper hardware implementation of such ultralightweight protocols has been neglected since long hence it was unclear whether such protocols are practically compatible with low cost EPC-C1G2 RFID tags or not.
In this section, we present hardware architecture of the proposed UMAP for low cost passive EPC-C1G2 tags. Figure 2 shows the generic hardware architecture for UMAPs. Most of the ultralightweight authentication protocols follow a similar operational (working) model; the proposed hardware architecture can be used to implement several other UMAPs (such as SASI, Yeh et al., RAPP, RCIA, and R 2 AP) as well with some operational variations. For efficient implementation and cost effectiveness, we reuse the logical components (gates and registers) frequently. The proposed architecture mainly includes four blocks: registers, Arithmetic Logic Unit (ALU), counter, and Finite State Machine (FSM). The FSM mainly controls the data flow between register and ALU blocks, so it is also protocol specific. The low level optimized designs (registers, ALU, and FSM) of the proposed UMAP are described as follows.
International Journal of Distributed Sensor Networks 9  the most memory efficient protocol amongst its contended protocols.

ALU Block.
The ALU block mainly comprises bitwise logical operators (protocol specific) and performs the specified computational operations. The designing of ALU block entirely depends upon the protocol (operational) specifications. In our proposed UMAP, the ALU mainly performs four logical bitwise operations: XOR, rotation (Rot), and recursive hash ( ℎ ). Figure 3 shows the hardware design of ALU for the proposed protocol. For optimization, most efforts are concentrated on Rot and recursive hash ( ℎ ) blocks. The remaining operators perform basic logical operations and there is not much room for optimization. Moreover the modules have been optimally reused through FSM (Finite State Machine) to reduce the number of gates utilization. The recursive hash ( ℎ ) function is basically the combination of Rot and XOR operations, which requires seed, memory chunk selection ( ), XORing, and then rotation of selected memory chunk ( ) with itself. (iii) Computes the final recursive hash using logical operations (XOR and Rot) of selected chunk with the whole string.
The detailed computation of recursive hash function has already been discussed in Section 3. Figure 5 shows the low-level design (architecture) of recursive hash module (RH-IN-SEL and RH-OUT). In Step 1, MUX selects the 8-bit memory chunk from the -bit string (according the seed). In Step 2, selected chunk is forwarded to 8-bit rotation and XOR module. The 8-bit rotation module rotates the 8bit selected chunk with itself. The XOR module takes XOR between ( −1) copies of 8-bit selected chunk and -bit string. Finally, in Step 3, the results of both modules are applied to demux (control-signal, seed), which injects (places) the result of rotation module at the specified location (8-bit zeroes) in XORed -bit string. This module implements all (6)-(10) which incorporate recursive hash values of the variables. Figure 5 shows the architecture of recursive hash module.

Finite State Machine (FSM).
The FSM mainly controls the data flow (communications) between various hardware components (ALU and registers) of the circuit. It is considered as an abstract machine that can be operated over finite number of states, where each state defines different computational tasks. In order to achieve miniaturized and cost effective hardware (chip), the optimal designing of FSM is very important. Initially, each tag is in "Idle" state and after receiving "Hello" message; the tag moves to the next state "Send IDS." The tag then proceeds to the next states (receive , receive , and receive ) for reception of ‖ ‖ messages. The computation of pseudorandom numbers ( 1 , 2 ) requires six transition states and computation of each recursive hash function requires two states (XOR and rotation). After comparison of message " " (received and locally computed values), the tag proceeds to the final states "computation of state" and "pseudonym and keys update states."

Circuit Synthesis and Experimental
Results. In this section, circuit synthesis and experimental results of the proposed design on FPGA (Field Programmable Gate Array) and ASIC (Application Specific Integrated Circuit) are presented. We have first described our proposed protocol in Visual C platform for initial resource estimation and rudimentary working. Then all hardware components of the proposed design were described in VHDL for EPC-C1G2 specified three different bit lengths (32, 64, and 96 We have selected these FPGAs because of their extremely low power process technologies and optimized resource approximation. Spartan 6 FPGA is built on 45 nm low power copper process technology with dual flip-flops (FF) and efficient 6-input look-up tables (LUTs) [39]. Virtex-5 FPGA is considerably larger device, which is built on 65 nm copper CMOS process technology [40]. Table 3 shows the synthesis report (resource utilization) of the proposed designs on Spartan 6 and Virtex-5 FPGAs. We can observe from our synthesis results that increase in bit lengths increases the resource requirement on FPGAs (which means resources occupancy is independent of FPGA device). So, there is a trade-off between level of security robustness and hardware resources requirements, as if we increase the bit length then it provides more security but requires more resources and vice versa.
Martín et al. [41] also implemented and synthesized the similar EPC-C1G2 protocol (CRC-16 based) using PadGen function (for both MOD and XOR) on Virtex-5 XC5VLX30 and Altera Cyclone II. On Virtex-5, XOR scheme requires 599 register slices and 427 slice LUTs and for MOD Scheme 643 register slides and 599 slice LUTs are required. However our proposed UMAPs architecture (for 32-bit) requires less slice registers and slice LUTs on Virtex-5 XC5VLX30 FPGA (as listed in Table 3) which shows the preeminence of our protocols in terms of hardware than PadGen protocol.

Hardware Implementation on ASIC.
We have used Leonardo Spectrum for ASIC implementation and resource estimation of our proposed architectures. TSMC (Taiwan Semiconductor Manufacturing Company) 0.35 m library is used for circuit instantiation and synthesis of the proposed design.
For experimental setup, the operating frequency was set to 100 KHz for signal clock (as per EPC-C1G2 tag's requirement) while power supply is adjusted to 1.3 V. The number of gates (Gate Equivalents, GE) has been used for performance analysis of the proposed architecture. Table 4 summarizes the synthesis report (number of gates) of the proposed designs for 32-bit, 64-bit, and 96-bit lengths. We can observe that the area remains below 4000 GE for 32-bit (which is acquiescent with EPC-C1G2 tags) architecture of all three proposed designs. For larger message length, although the security of the protocol is enhanced, required resources exceed peripheral of ultralightweight class.

Conclusion
In this paper, we have proposed a novel ultralightweight mutual authentication protocol (UMAP): SASI using recursive hash. The proposed protocol involves two new Table 4: Resources utilization of proposed protocol design for ASIC. Number of gates  Basic logical operations  Rotation  Recursive hash  Total  32 bits  1884  1179  105  3168  64 bits  3198  1867  186  5251  96 bits  5306  2857  297  8460 nontriangular primitives: recursive hash ( ℎ ) and double rotation function, which can be efficiently implemented on low cost passive RFID tags. The optimal design of the protocol avoids all the previous pitfalls and gives the best ultralightweight solution for EPC-C1G2 tags. Compared to the previously proposed UMAPs, which only approximated the hardware utilization of their protocols theoretically, this paper presents the proper hardware implementation using both FPGA and ASIC design flows giving the exact hardware resources utilization. We have also proposed optimized reusable Rot module to perform both variable length rotations and efficient FSM for circuit reuse to reduce the silicon area. Our results show that there is clear trade-off between circuit area and bit length of the protocol messages (directly relates to robust security), so optimization of one may interrupt the other.