AN EFFICIENT RFID ANONYMOUS BATCH AUTHENTICATION PROTOCOL BASED ON GROUP SIGNATURE

In order to address the anonymous batch authentication problem of a legal reader to many tags in an RFID (Radio Frequency Identification) system, an efficient RFID anonymous batch authentication protocol was proposed based on group signature. The anonymous batch authentications of reader to many tags are achieved by using a one-time group signature based on Hash function; the authentication of the tag to the reader is realized by employing MAC (Message Authentication Code). The tag's anonymity is achieved via the dynamic TID (Temporary Identity) instead of the tag's identity. The proposed protocol can resist replay attacks by using a random number. Theoretical analyses show that the proposed protocol reaches the expected security goals. Compared with the protocol proposed by Liu, the proposed protocol reduces the computation and storage of the server and tag while improving the security.

1. Introduction. RFID technology uses radio frequency signals through space coupling (alternating magnetic field and electromagnetic field) to achieve noncontact transmission of information, and uses the transmitted information to identify the object. RFID has been widely used in fields such as supply chain management, commodity security, dangerous goods management and transportation management. An RFID system is typically composed of three parts: tag, reader and back-end database, as shown in Fig. 1. Due to the open nature of the radio frequency signal, the communication between the reader and the tag is vulnerable to various types of attacks: for example, false tags are used in the RFID system, tags are tampered with by illegal readers, or tags are tracked by attackers. In many applications such as supply chain management, the authentication of one reader to multiple tags is needed. Therefore, this paper focuses on the mutual authentications between one reader and multiple tags, taking the efficiency into account.
Currently, many mutual authentication protocols between one reader and one tag have been proposed, such as the protocols based on Hash function [2,15,16,18], the protocols based on logical bit operations [6,7,10,17], the protocols based on CRC [1,3,9,14,19], the protocols based on ECC [4,8], and so on. However, when these protocols are used to achieve the authentications between one reader and multiple tags, the reader can only authenticate the tags one by one. Moreover, the tag identifications before the authentications are time-consuming. As a result, such protocols have the following disadvantages: slow authentication, lack of expansion and heavy authentication server overload. Recently, Liu et al. [13] first employed an identity-based ring signature scheme to achieve the anonymous batch authentications of one reader to multiple tags. In that protocol, the reader can authenticate multiple tags at the same time due to the ring signature. However, the protocol does not take into account the authentication of the tags to the reader. Also, the tags need to store a large amount of messages and signatures, and the authentication server requires two time-consuming bilinear pairings for verification. In addition, the ring signature scheme cannot provide traceability of a problem tag: if something is wrong, the ring signature scheme cannot use an open algorithm to find the identity of the problem tag. In group signature schemes, any member of a group can sign messages anonymously on behalf of the group, and a problem member can be traced. Therefore, we resort to group signature schemes for more secure and efficient solutions. In this paper, we address the anonymous batch authentication problem in the RFID system by designing a solution based on group signature with minimized computational and storage overheads.
In this paper, we propose a secure and efficient RFID batch authentication protocol based on group signature. This paper makes the following contributions: 1) The paper introduces the efficient group signature scheme based on Hash function for the authentications of the reader to multiple tags to minimize the computational costs. 2) The authentication of the tags to the reader is achieved by using the Message Authentication Code (MAC). 3) The proposed protocol employs a random number to prevent replay attacks. 4) The tag's anonymity is achieved via the dynamic TID (Temporary Identity) instead of the tag's identity.
The remaining part of this paper is organized as follows: Section 2 reviews the group signature scheme based on Hash function. Section 3 proposes a secure and efficient RFID batch authentication protocol based on group signature. Section 4 gives the security analyses of the proposed protocol. Performance analyses are given in Section 5. Finally, the paper concludes in Section 6.
2. The group signature scheme based on Hash function. Liu et al. [12] proposed a one-time group signature scheme based on Hash function, which is the most efficient scheme among the existing group signature schemes because of the use of Hash function. Therefore, the group signature scheme is more suitable for resource constrained RFID tags. This paper employs the group signature scheme [12] to design the proposed RFID batch authentication protocols. The security analysis of the group signature scheme is given in [12].
Signature key of group member generation: Suppose there are $m$ members in the group. Any member $ID_i$ can randomly select $n$ $n$-bit character strings that consist of 0 and 1 as its own private key $K_i$, i.e., $K_{i1}, K_{i2}, \ldots, K_{ik}, \ldots, K_{in}$, where n . $H$ is a secure Hash function, i.e., H :

Group public key generation: Each member calculates the Hash values of the $n$ strings in its own private key, i.e., $H(K_{ik})$, where $1 \le i \le m$, $1 \le k \le n$, and then computes the exclusive-OR of the $n$ Hash values, i.e.,

Subsequently, the $m$ group members deliver their own $X_i$ to the Third Authority (TA), and so TA gets $m$ $n$-bit strings that are composed of 0 and 1, i.e., $X_1, X_2, \ldots, X_i, \ldots, X_m$, where $1 \le i \le m$, $X_i \in \{0,1\}^n$. TA gets the group public key $Y$ by computing the Hash value of the exclusive-OR of the $m$ $n$-bit strings, i.e.,

Sign: Any member of the group can represent the group to sign messages. The member $ID_i$ signs the message $M \in \{0,1\}^*$ as follows: Firstly, the member $ID_i$ sends its own $X_i$ to TA. If TA can find the $n$-bit string among the $m$ members' $X$ values that it saved, TA believes the member is a legal group member and computes the exclusive-OR of the other $m-1$ members' $X$ values, i.e.,

Then TA sends $C_i$ to the member $ID_i$. Otherwise, TA deems the member an illegal group member.
On receiving $C_i$, the member computes the message digest of the message $M$, i.e.,

Then the member $ID_i$ generates the signature $\sigma$ on the message $M$ as follows: (1) If the corresponding bit in the message digest equals 0, the corresponding bit of the signature is $K_{ik}$. Otherwise, the corresponding bit of the signature is the Hash value of $K_{ik}$, i.e., $H(K_{ik})$. (2) The $(n+1)$-th bit of the signature is $C_i$. Namely, $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_n, C_i)$,

Verify: A verifier checks the signature $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_n, C_i)$ on the message $M$ as follows: (1) computes the message digest of the message $M$, i.e., $H(M) = (d_1, d_2, \ldots, d_n)$. (2) gets the $Q_k$ ($1 \le k \le n$) according to the corresponding bit of the message digest, i.e.,

(5) outputs: accept if the value equals 0, reject otherwise.
Open: When the signer's identity needs to be traced, TA calculates

Then TA calculates

Finally, TA searches for the $X_i$ among the $m$ members' $X$ values that it saved. If the value is there, then the signer's identity is determined.
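The scheme of this section as an added Python example (not code from the paper or from [12]). The display equations for $Q_k$ and for Open are missing from this page, so the rule used here ($Q_k = H(\sigma_k)$ when $d_k = 0$ and $Q_k = \sigma_k$ otherwise, the XOR of all $Q_k$ giving $X_i$, accept when $H(X_i \oplus C_i) \oplus Y = 0$) is an assumption inferred from the key and signature definitions above; SHA3-256 truncated to 160 bits stands in for $H$.

```python
import hashlib
from functools import reduce
from secrets import token_bytes

N = 160            # digest length n in bits (the value used in Section 5)
NB = N // 8

def H(data: bytes) -> bytes:
    # Assumption: SHA3-256 truncated to n bits stands in for the paper's H.
    return hashlib.sha3_256(data).digest()[:NB]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xor_all(values) -> bytes:
    return reduce(xor, values, bytes(NB))

def digest_bits(msg: bytes) -> list:
    d = H(msg)
    return [(d[k // 8] >> (7 - k % 8)) & 1 for k in range(N)]

def keygen():
    """One-time private key K_i (n strings of n bits) and X_i = XOR of H(K_ik)."""
    K = [token_bytes(NB) for _ in range(N)]
    return K, xor_all(H(k) for k in K)

def sign(K, C, msg):
    """sigma_k = K_ik if d_k == 0 else H(K_ik); C_i is appended as element n+1."""
    return [k if d == 0 else H(k) for k, d in zip(K, digest_bits(msg))] + [C]

def recover_x(msg, sigma):
    # Assumed Q_k rule: hash the revealed preimages, keep the elements that
    # are already hash values; their XOR is the signer's X_i.
    return xor_all(H(s) if d == 0 else s for s, d in zip(sigma, digest_bits(msg)))

def verify(Y, msg, sigma):
    Q = xor(recover_x(msg, sigma), sigma[N])
    return xor(H(Q), Y) == bytes(NB)          # accept iff H(Q) XOR Y == 0

class TA:
    """Third Authority: stores every member's X value and publishes Y."""
    def __init__(self, xs):
        self.xs = list(xs)
        self.Y = H(xor_all(self.xs))

    def issue_c(self, x):
        # C_i = XOR of the other m-1 members' X values; None for a non-member.
        if x not in self.xs:
            return None
        i = self.xs.index(x)
        return xor_all(self.xs[:i] + self.xs[i + 1:])

    def open(self, msg, sigma):
        # Assumed Open: recompute X_i from the signature and look it up.
        x = recover_x(msg, sigma)
        return self.xs.index(x) if x in self.xs else None

def demo():
    members = [keygen() for _ in range(5)]     # constructed group, m = 5
    ta = TA(x for _, x in members)
    K, X = members[3]
    M = b"constructed challenge M"
    sigma = sign(K, ta.issue_c(X), M)
    return verify(ta.Y, M, sigma), verify(ta.Y, b"altered M", sigma), ta.open(M, sigma)

if __name__ == "__main__":
    print(demo())
```

Each signature reveals part of $K_i$, which is why the protocol has the signer generate a fresh private key for every authentication.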
3. Proposed RFID anonymous batch authentication protocol based on group signature.

3.1. Design goals.
The following goals should be achieved in the proposed protocol:
(1) Achieving the authentication of a reader to multiple tags by using a secure and efficient group signature scheme.
(2) Adding the authentication of tags to the reader at low cost.
(3) Preventing the tracking of tags, i.e., providing the anonymity of tags.
(4) Defending against passive eavesdropping, i.e., offering the confidentiality of messages.
(5) Preventing an adversary from tampering with messages, i.e., providing the integrity of messages.
(6) Deterring replay attacks.

3.2. Notations. We will use the notations in Table 1 to describe the proposed protocol.

3.3. Protocol description.
1) System initialization
There are some assumptions as follows: (1) A secure hash function $H: \{0,1\}^* \to \{0,1\}^n$ is preloaded in tags and the back-end database. (2) The identity $ID_i$ and authentication key $K_{ID_i}$ of all tags are stored in the back-end database in advance. (3) Each tag is preloaded with its own authentication key.
In some scenarios such as a smart mall, $m$ tags near the mall form a group. In the RFID system, the $m$ tags generate their own private keys $K_i$, $1 \le i \le m$, and then send their own $X$ values $X_i$ to the back-end database. The back-end database performs a Hash operation on the exclusive-OR of the $m$ $n$-bit strings and then gets the group public key $Y$, i.e.,

2) Mutual authentications between the reader and tags
Fig. 2 shows the proposed RFID anonymous batch authentication protocol, which proceeds as follows: One tag $ID_i$ of the group first transmits its $X_i$ to the back-end database through the reader. Then the back-end database looks for the $X$ value among the $m$ tags' $X$ values that it saved. If the value $X_i$ is found, the back-end database computes the exclusive-OR of the other $m-1$ tags' $X$ values and sends the value (i.e., $C_i$) to the tag $ID_i$. Next, it sends GET-CHALLENGE to the tag $ID_i$ through the reader. Otherwise, the tag $ID_i$ is deemed an illegal tag.
Once receiving the message "GET-CHALLENGE", the tag generates a random number $R$ and sends the message $R \| H(ID_i \| R)$ to the back-end database through the reader, where $H(ID_i \| R)$ is the temporary identity (TID) of the tag. The back-end database calculates the Hash value of the tag's identity and the random number $R$ for each tag, and then compares them with the received $H(ID_i \| R)$ one by one. When one of the $m$ Hash values is equal to the received Hash value, the back-end database finds the $ID_i$ and authentication key $K_{ID_i}$ according to $H(ID_i \| R)$. Then the database uses the Hash function to calculate the message authentication code (MAC) $\langle R \| M \rangle_{K_{ID_i}}$ of the random number $R$ and the message $M$, and sends the message $R \| M \| \langle R \| M \rangle_{K_{ID_i}}$ to the tag through the reader. After receiving the message, the tag first checks whether $R$ is the random number sent by itself. If it is, the tag uses the Hash function to recalculate the MAC $\langle R \| M \rangle_{K_{ID_i}}$ and then compares it with the received MAC. If they are equal, the authentication of the tag to the reader succeeds.
The tag $ID_i$ calculates the group signature $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_n, C_i)$ of the message $M$ online according to the one-time group signature scheme based on Hash function in Section 2. The signature process is as follows: Firstly, the tag $ID_i$ computes the digest of the message $M$, and then generates the group signature according to the corresponding position of the message digest, i.e.,

Secondly, the tag $ID_i$ sends the signature $\sigma$ to the back-end database through the reader, and then the back-end database uses the group public key $Y$ to verify the signature. The verification process is as follows: (1) The back-end database calculates the $Q_k$ according to the corresponding bit of the calculated message digest, i.e.,

(2) The back-end database calculates

The back-end database checks whether $H(Q) \oplus Y$ equals 0 or not. If it does, the batch authentication of the reader to multiple tags is successful. Otherwise, the back-end database concludes that the signature is illegal.
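The TID lookup and MAC check of the mutual authentication phase, as an added Python example that is not the authors' code. It assumes HMAC-SHA-1 for the MAC (the choice made in Section 5), SHA3-256 truncated to 160 bits for $H$, a 16-byte $R$, and constructed tag identities and keys; clearing $R$ after one check is a choice of this example.

```python
import hashlib
import hmac
from secrets import token_bytes

def H(data: bytes) -> bytes:
    # Assumption: SHA3-256 truncated to 160 bits stands in for the paper's H.
    return hashlib.sha3_256(data).digest()[:20]

def mac(key: bytes, r: bytes, m: bytes) -> bytes:
    # <R||M>_K computed with HMAC-SHA-1 over R || M.
    return hmac.new(key, r + m, hashlib.sha1).digest()

class Tag:
    def __init__(self, tag_id: bytes, key: bytes):
        self.id, self.key, self.r = tag_id, key, None

    def challenge(self):
        """Answer GET-CHALLENGE with R and TID = H(ID_i || R)."""
        self.r = token_bytes(16)
        return self.r, H(self.id + self.r)

    def check_reader(self, r: bytes, m: bytes, received_mac: bytes) -> bool:
        """Accept R || M || MAC only for the R this tag issued, with a valid MAC."""
        fresh = self.r is not None and hmac.compare_digest(r, self.r)
        ok = fresh and hmac.compare_digest(received_mac, mac(self.key, r, m))
        self.r = None          # each R is accepted for one check only
        return ok

class BackEnd:
    def __init__(self, keys):
        self.keys = dict(keys)             # {ID_i: K_IDi}, stored in advance

    def respond(self, r: bytes, tid: bytes, m: bytes):
        """Find the tag by recomputing H(ID || R) for every stored ID."""
        for tag_id, key in self.keys.items():
            if hmac.compare_digest(H(tag_id + r), tid):
                return r, m, mac(key, r, m)
        return None                        # no stored identity matches the TID

def demo():
    # Constructed sample data: 2-byte identities and 160-bit keys.
    keys = {b"\x00\x01": b"A" * 20, b"\x00\x02": b"B" * 20}
    db, tag = BackEnd(keys), Tag(b"\x00\x02", keys[b"\x00\x02"])

    r1, tid1 = tag.challenge()
    first = db.respond(r1, tid1, b"M1")
    accepted = tag.check_reader(*first)

    r2, tid2 = tag.challenge()             # next run: new R, so a new TID
    replay_rejected = not tag.check_reader(*first)

    r3, tid3 = tag.challenge()
    r, m, t = db.respond(r3, tid3, b"M3")
    tamper_rejected = not tag.check_reader(r, m + b"!", t)

    unknown = db.respond(r3, H(b"\xff\xff" + r3), b"M") is None
    return accepted, tid1 != tid2, replay_rejected, tamper_rejected, unknown

if __name__ == "__main__":
    print(demo())
```

The lookup in `respond` costs one Hash per stored tag, which is the $m$ term in the server cost given in Section 5.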
4. Security analyses and comparisons.

4.1. Security analyses.
1) Batch authentication of the reader to multiple tags
The proposed protocol achieves batch authentication of the reader to multiple tags by using the one-time group signature scheme based on Hash function. Owing to the characteristic of the group signature scheme, one tag of one group represents the group to sign the message sent by the reader, and then sends the group signature to the reader. The back-end database verifies the signature with the group public key. If the signature is valid, the batch authentication of the reader to multiple tags is achieved. The authentication of the reader to multiple tags keeps high efficiency, because the group signature scheme introduced to the RFID system only uses Hash operations and XOR operations.
2) The authentication of the tag to the reader
Authentication of the tag to the reader is achieved by using the MAC, which is very suitable for low-cost tags. The tag sends a random number $R$ to the reader. The back-end database searches for the authentication key $K_{ID_i}$ according to the tag's $ID_i$, and then calculates the MAC value of $R$ and the message $M$ under $K_{ID_i}$, i.e., $\langle R \| M \rangle_{K_{ID_i}}$. Then the back-end database sends the message $R \| M \| \langle R \| M \rangle_{K_{ID_i}}$ to the tag through the reader. The tag first checks whether the received $R$ equals the random number it sent before. Then the tag recalculates the MAC value of $R$ and $M$ under $K_{ID_i}$ and compares the calculated MAC with the received MAC. If the two values are equal, the authentication of the tag to the reader is achieved.

3) The anonymity of tags
The group signature scheme is introduced into the RFID system in the proposed protocol. The property of group signature is that one member of one group signs a message on behalf of the group anonymously and the verifier uses the group public key to validate the signature. Therefore, the attackers do not know which tag signed the message in the process of authentication. In the protocol, the tag which represents the group to sign the message sends its own $X$, but the $X$ changes in each authentication, so the attackers cannot track a specific tag. After that, the tag sends the message $R \| H(ID_i \| R)$ to the reader, but $R \| H(ID_i \| R)$ (i.e., TID) varies with each authentication, so the attackers cannot know which tag has sent the message. Although the back-end database uses the same authentication key to calculate the MAC $\langle R \| M \rangle_{K_{ID_i}}$ of $R$ and $M$ in the proposed protocol, the MAC value also changes in each authentication due to the different random numbers and messages. The attackers cannot know the identity of the tag even if they have heard the MAC. From the above, the proposed protocol can prevent the attackers from tracking the tag and ensure the anonymity of the tag.

4) The confidentiality of messages
Although the tag transmits the $X$ value associated with its own private key in plaintext on the link, the attackers cannot obtain the private key of the tag even if they eavesdrop on the $X$. This is because the $X$ value equals the XOR of the Hash values of the $n$ strings in the tag's private key. Therefore, the attackers cannot forge a valid group signature. When the reader sends the $C_i$, which is the exclusive-OR of the other $m-1$ tags' $X$ values, to the tag, the private keys of the other $m-1$ tags are not exposed. Hence, the protocol ensures the confidentiality of the private keys of the other $m-1$ tags.
In addition, the group signature of one tag on the message consists of some bits of the tag's private key, the Hash values of the other bits of its private key, and $C_i$, so the group signature of the tag cannot expose the private keys of the other $m-1$ tags. Because the tag will generate a new private key for the next group signature, even if a part of the tag's private key has been exposed, the attackers cannot get the next signature. The tag sends the random number $R$ to the reader in plaintext in the proposed protocol, but the attackers cannot calculate the next signature of the reader even if they eavesdrop on the random number $R$ and the message $R \| M \| \langle R \| M \rangle_{K_{ID_i}}$. As a result, the proposed protocol can prevent passive eavesdropping.

5) The integrity of messages
In the proposed protocol, the reader sends the message $R \| M \| \langle R \| M \rangle_{K_{ID_i}}$ to the tag. Then the tag recalculates the MAC value of $R$ and $M$ under the key $K_{ID_i}$ and compares the computed MAC value with the received MAC value. If the two values are equal, the authentication of the tag to the reader succeeds. The attackers cannot compute the valid MAC value because they do not know the tag's authentication key $K_{ID_i}$. The tag will find that the received MAC value is not equal to the computed MAC value if the attackers modify the message $R \| M \| \langle R \| M \rangle_{K_{ID_i}}$. Therefore, the MAC $\langle R \| M \rangle_{K_{ID_i}}$ of the message $R \| M \| \langle R \| M \rangle_{K_{ID_i}}$ ensures the integrity of $R$ and $M$.

6) Replay protection
The proposed protocol employs the one-time group signature scheme based on Hash function to achieve the batch authentication of the reader to a number of tags, so the tag produces a new private key used for the group signature in each authentication. Therefore, an illegal tag cannot be authenticated successfully if the attackers eavesdrop on the messages and replay them in the next authentication.
In the proposed protocol, the tag sends a random number $R$ to the reader, and then the reader calculates the MAC $\langle R \| M \rangle_{K_{ID_i}}$ of $R$ and $M$ and sends the message $R \| M \| \langle R \| M \rangle_{K_{ID_i}}$ to the tag. If the attackers record the two messages from some previous run of successful authentication and replay them, the message $R \| M \| \langle R \| M \rangle_{K_{ID_i}}$ cannot be authenticated successfully by the tag due to the MAC and the dynamic random number $R$. Therefore, the protocol prevents replay attacks (or ensures the freshness of messages).

4.2. Comparisons with the existing protocol. When the reader authenticates multiple tags one by one, this brings about shortcomings such as slow authentication, lack of expansion and heavy authentication server overload. Therefore, we compare the proposed protocol with the existing RFID batch authentication protocol based on ring signature [13]. Table 2 shows the security analyses of the two protocols.
Firstly, the protocol [13] achieves the batch authentication of the reader to a number of tags by using the ring signature scheme based on bilinear pairings, but the protocol [13] does not consider the authentication of the tag to the reader. Therefore, the mutual authentications between the reader and the tag are not achieved in the protocol [13]. Secondly, the protocol [13] can prevent the tracking of the tag because the ring signature scheme is introduced in the protocol and the identity information of the tag cannot be revealed in the authentication process. Thirdly, the tags and readers have stored quite a number of messages in advance, and the tags also have stored the signatures of the corresponding messages. That is to say, the message and the corresponding signature vary with each authentication. Therefore, the protocol [13] can ensure the freshness of messages and prevent replay attacks. Fourthly, the Hash values of the messages are computed in the signature process, so the protocol [13] can ensure the integrity of the message and prevent tampering with messages. Fifthly, the proposed protocol can ensure the confidentiality of messages and prevent passive eavesdropping because the attackers cannot get the private key of the tag even if they have intercepted the messages and signatures transmitted on the link.
From the analyses above, the proposed protocol provides stronger security than the RFID batch authentication protocol based on ring signature [13].
5. Performance analyses. Suppose there are $m$ tags in the RFID system, the size of the message $M$ is 20 bytes and the identity $ID_i$ of the tag is 2 bytes. In the proposed protocol, the length of the message digest is 160 bits and $n$ equals 160, assuming SHA-3 is selected as the Hash function. Suppose that the message authentication code (MAC) is calculated by using HMAC-SHA-1 and the authentication key of the tag is 160 bits. Suppose that $n/2$ bits of the message digest equal 1 and the others equal 0 when the group signature is generated in the proposed protocol. For the existing RFID batch authentication protocol based on ring signature [13], $p$ is 160 bits in order to achieve the same security level as 1024-bit RSA. We assume that $k$ messages have been stored in advance in the protocol [13]. We compare the performance of the proposed protocol with the existing protocol based on ring signature [13] in terms of the calculation on tag, the storage on tag, the calculation on back-end server and the storage on back-end server. The results are listed in Table 3, where h means Hash operation, SM means elliptic curve scalar multiplication operation, P stands for bilinear pairings, and XOR operations are omitted.
In the existing RFID batch authentication protocol based on ring signature [13], the tag needs to perform Hash operations $m$ times and elliptic curve scalar multiplication operations $m+1$ times for signature generation in theory. However, in the protocol [13], quite a number of messages and corresponding signatures are stored in the tag in advance in order to reduce the calculation amount of the tag. In the protocol [13], the tag needs to store $k$ messages and $k$ corresponding signatures, so the storage amount on the tag equals $k \times (20 + m \times 20 + 20) = 20k(m + 2)$ bytes. The main operations on the back-end server are $m$ elliptic curve scalar multiplications and 2 bilinear pairings, when $k$ messages and the public keys of $m$ tags, i.e., $20(k + m)$ bytes, are preloaded in the server. In the proposed protocol, the calculation amount of the tag is $2 + n/2$ Hash operations, i.e., 82 Hash operations. The tag needs to store its own authentication key, the private key for signature, $X_i$ and $C_i$, i.e., $20 + n \times n + n + n = 3260$ bytes. The back-end server needs to compute Hash operations $m + 1 + n/2$ times, i.e., $m + 81$ Hash operations. The server also stores the identities of $m$ tags, authentication key, $X_i$ and group public key, i.e., $m \times (2 + 20 + 20) + 20 = (42m + 20)$ bytes.
The cryptography operation times of the back-end server are obtained from [5,11], as listed in Table 4. Therefore, the calculation time of the server in the protocol [13] is $0.79m + 6.32$ (ms), and the calculation time in the proposed protocol is $0.0002m + 0.0162$ (ms), as shown in Fig. 3. From Fig. 3, we can conclude that the proposed protocol is superior to the existing protocol in terms of the calculation amount of the server. Fig. 4 shows the storage amount of tag in the two protocols assuming $k$ is 20 and 60, respectively. From Fig. 4, we have the following observations: (1) the proposed protocol has less storage on tag than the existing protocol [13] when $m$ is greater than 7, assuming the number of tag in one group $k$ is 20; (2) the storage amount of tag of the proposed protocol is less than that of the protocol [13], assuming $k$ is 60; (3) there is a growing difference of storage amount on tag between the protocol [13] and the proposed protocol as $k$ becomes large. Therefore, the proposed protocol outperforms the existing protocol in terms of the storage of tag. Fig. 5 shows the storage amount of server in the two protocols assuming $k$ is 60 and 100, respectively. As illustrated in the figure, we have the following conclusions: (1) the proposed protocol has less storage on server than the existing protocol [13] when $m$ is smaller than 52, assuming $k$ is 60; (2) the proposed protocol is more efficient than the protocol [13] in terms of the storage of server when $m$ is smaller than 90, assuming $k$ is 100. As a result, the proposed protocol outperforms the protocol [13] in terms of the storage of server when $k$ and $m$ are not too large, which is applicable to resource-limited tags. Although the tag requires some low-cost Hash operations in the proposed protocol while the calculation on tag is 0 in the protocol [13], the protocol [13] has much more storage on tag than the proposed protocol. In fact, the amount of calculation on tag is reduced by adding to the amount of storage in the protocol [13], which is unsuitable for resource-constrained tags. Moreover, the existing protocol [13] cannot achieve the mutual authentications between the reader and the tags, so it has a lower security level than the proposed protocol. To summarize, the proposed protocol is more suitable for the batch authentication of reader to multiple tags in the RFID system than the protocol [13].
6. Conclusions and future works. This paper employs the one-time group signature scheme based on Hash function to achieve the batch authentication of the reader to multiple tags in the RFID system. The authentication of the tag to the reader is given based on the MAC. The anonymity of the tag is ensured via the dynamic temporary identity and the group signature scheme. Replay attacks can be prevented using a random number. It can be concluded that the proposed protocol achieves the foregoing security goals. Theoretical analyses demonstrate that the proposed protocol is superior to the existing protocol [13] in terms of the storage and calculation on the tag and server while improving security. Our future work is to present a more efficient group signature scheme and apply it to the RFID system.

Figure 1. A typical RFID system

Figure 2. The proposed RFID batch authentication protocol based on group signature

Figure 3. The comparison of the calculation time of server in the two protocols (axes: number of tags in one group; the calculation time of server (ms))

Figure 4.

Figure 5. The comparison of the storage amount of server in the two protocols

Table 1. Notations
$K_{ID_i}$: authentication key of each tag, used to authenticate a reader
$K_i$: private key of each tag in the group signature scheme
$X_i$: exclusive-OR of the Hash values of $n$ strings in one tag's private key
$Y$: group public key
$C_i$: exclusive-OR of the other $m-1$ tags' $X$ values except the tag that generated the group signature
$\sigma$: $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_n, C_i)$, the group signature generated by one tag
$ID_i$: one tag's identity information
$\langle M \rangle_K$: MAC value of message $M$ under key $K$
$\|$: concatenation of two data

Table 2. The security comparisons of the two protocols

Table 3. The performance comparisons of the two protocols

Table 4. The cryptography operation times of server (ms)