Journal of Computational Information Systems 8: 8 (2012) 32613268

Available at http://www.Jofcis.com
Mutual Authentication Protocol for Mobile RFID
Systems
Jingxian ZHOU
1,2,
, Yajian ZHOU
1,2
, Feng XIAO
1,2
, Xinxin NIU
1,2
1
Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876,
China
2
National Engineering Laboratory for Disaster Backup and Recovery, Beijing University of Posts and
Telecommunications, Beijing 100876, China
Abstract
Recently, the mobile RFID-based applications become a new hot zone for research and development,
because it has advantages of RFID technology and mobile smart device. However, mobile RFID system
is facing all kinds of security and privacy threats because of its own features (e.g. the communication
between a reader and a database is insecure). In this paper, we propose a mutual authentication protocol
based on elliptic curve cryptography (ECC) to address such severe problems. For avoiding exhaustive
compute to authentication only one single tag, the proposed protocol requires that without secret does be
shared by parties. The proposed protocol is designed to authenticate reader before tag authentication to
avoid impersonation of a valid mobile reader. Meanwhile, formal security proof show that the proposed
protocol no obvious design defect theoretically.
Keywords: Mobile RFID; Mutual Authentication; ECC
1 Introduction
Mobile RFID is a new eld and dierent from current implementations of ordinary RFID. It has
some major and obvious advantages over RFID, for example, no wires are needed to x readers
and several mobile RFID readers are enough to cover a whole area. Traditionally, it is believed
that the communication channel between the reader and the database is safe. However, in the
mobile RFID system, the communication between the reader and the database is using wireless
channel, and it is not assumed to be safe. The insecure channel is vulnerable to various threats
such as eavesdropping, business espionage, and tag masquerading. For this reason, the mobile
RFID system has security and privacy problems (e.g. impersonation, traceability, reply attack)
are dierent and more challenging than those of order RFID system.
In recent years, some authentication protocols [1-5] were proposed for secure mobile RFID
systems. These proposed protocols either need additional devices, or require complex encryption

Corresponding author.
Email address: zjxlr@yahoo.cn (Jingxian ZHOU).
15539105 / Copyright 2012 Binary Information Press
April 2012
3262 J. Zhou et al. /Journal of Computational Information Systems 8: 8 (2012) 32613268
and decryption calculations. They have a common inherent problem that the parties in their
protocol must be to share one or more secret key. According to Damg ard and Pedersens work
[6], if each tag is given an independently chosen key (e.g. [5]), then the reader or the back-end
server must search exhaustively through all keys every time a tag is read. This problem imposes
an obstacle for the use of the protocols in large-scale RFID systems. When the sharing keys are
dependent for every tag (e.g. [3]), privacy is lost if an adversary corrupts just a single tag.
Moreover, almost all of the existing mobile RFID authentication protocol is follow traditional
challenge-response mechanism. First, the mobile reader sending a random challenge to the tag,
then the tag replying with its authentication message which be generated by its secret value and
other random numbers. Adversary can transmit intended or meaningless requests to acquire the
location key and identication information from the tag. That is, the adversary can anticipate the
response message of the tag and can use it to perform location tracking. And, the tag information
can be obtained by sending some intended requests.
In this paper, we propose a novel mutual authentication protocol based on elliptic curve cryp-
tography for mobile RFID systems. In our protocol, the tag only sends a random number to
reply the mobile readers challenge to against intended or meaningless request attack. The mo-
bile readers valid to rst be veried. If the mobile reader is invalid, the probability that it passes
the authentication will be negligible. Each tags pseudo-id is unique and the secret key of the
mobile reader is dierent from the back-end servers in our protocol. Therefore, the mobile reader
or the back-end server does not need makes exhaustively operation to authentication a tag.
The remainder of this paper is organized as follows. Section 2 givens some preliminaries about
ECC computational assumptions and protocol security model denition. In section 3, the pro-
posed protocol is described. Security analysis and eciency analysis are given in section 4 and 5,
respectively. Finally, section 6 outlines the main conclusions.
2 Preliminaries
2.1 Notations
We rst introduce common notations used in this paper. R, T, S: a mobile reader, a tag, the
back-end server in the mobile RFID system respectively; 2m: the length of the point on elliptic
curve G. h(): a secure one-way hash function, where h : {0, 1}

{0, 1}
2m
; x/y(): a function
that denote the x/y-coordinate on the point on the elliptic curve E; ()
L
: left half bits of a
sequence; ()
R
: right half bits of a sequence; : exclusive-or operation; : concatenate operator.
2.2 Computational assumption
As we mentioned earlier, our approach is based on elliptic curve cryptography. The security of
ECC protocols is founded on the hardness of ECDL problem and CDH problem. Some compu-
tational assumptions about these problems are dened as follows:
Assumption 1 (ECDL assumption): Let Q G and Q = aP for a Z

n
. The prob-
lem of nding the logarithm a for given P and Q is called the elliptic curve discrete logarithm
(ECDL) problem. Any probabilistic polynomial time algorithm solves the ECDL problem only
with negligible probability.
J. Zhou et al. /Journal of Computational Information Systems 8: 8 (2012) 32613268 3263
Assumption 2 (Computational Die-Hellman (CDH) assumption): Given P, P, P
where and are randomly chosen in Z

n
, compute the value C = P G. Any probabilistic
polynomial time algorithm solves the CDH problem only with negligible probability.
2.3 Security model
A mutual authentication protocol run is said to be honest if the parties involved in the protocol
run use their key to exchange messages, and the messages exchanged in the protocol run have
been relayed faithfully (without modication). Inspired by the work of Basel Alomair et al. in
[7], we now provide a formal denition of secure mutual authentication for mobile RFID systems.
Denition 1 (Secure Mutual Authentication [7]) A mutual authentication protocol for
mobile RFID systems is said to be secure if it satises the following conditions:
1. Honest protocol = Authentication: if the protocol run is honest, T, R and S must authen-
tication each other with probability one.
2. No information about Ts pseudo-id, the secret keys of R and S are revealed by observing
messages exchanged in protocol runs.
3. Authentication = Honest protocol: the probability of authentication when the protocol is
not honest is negligible in the security parameter.
3 Protocol Description
In this section, we propose our mutual authentication protocol for mobile RFID environment on
ECC, which is shown in Fig. 1. The protocol involves three entities: a back-end server, a mobile
reader and a set of tags. The proposed protocol is divided into four phases: system initialization
phase, reader authentication phase, tag authentication phase, and information sending phase.
3.1 Initialization phase
S chooses a nite eld F
q
, an elliptic curve G dened over F
q
, a generator P of a cyclic subgroup
of points of G, the order of P is n; S randomly chooses k
1
, k
2
, k
3

R
Z

n
, as its secret, and compute
K = k
3
P for its public key; S composes ID
i
and DATA for each tag, where ID
i
( G) is the
tags ID, and DATA is the information of this tag. For each tag ID
i
, S writes the pseudo-id
T
Pi
to ID
i
s memory, where T
Pi
= k
1
1
ID
i
+ k
2
P. R randomly chooses a number r
R
Z

n
as its
secret key, and computes P
R
= rP as its public key.
3.2 Mobile reader authentication phase
For the purpose of avoiding impersonation of a valid reader, reader authentication phase must
take place before tag authentication. This phase consists of four steps:
Step 1: R chooses a random number s
R
Z

n
, and computes: Q = sP, then it sends Q to T as
a request;
Step 2: T chooses a randomly value t
R
Z

n
, and sends it to R;
3264 J. Zhou et al. /Journal of Computational Information Systems 8: 8 (2012) 32613268
Step 3: R computes v = rt s and sends it to T;
Step 4: T receives v, then it verify v by Rs public key P
R
as follows:
vP +Q = tP
R
(1)
If the equality holds, T will accept that R is valid one, T goes to the next step. Otherwise, it
suspends this protocol.
3.3 Tag authentication phase
Step 5: T chooses a random value c
R
Z

n
, computes and sends T
1
, T
4
, u as its authentication
information to R:
T
1
= cP, T
2
= cQ, T
3
= cK, T
4
= T
Pi
+T
3
(2)
u = h(x(T
2
), y(T
4
)) (3)
Step 6: After received T
1
, T
4
, u, R computes:
R
1
= sT
1
, w = h(x(R
1
), y(T
4
)) (4)
If the equality w = u holds, R will accept the message T
1
, T
4
, u is valid, goes to the next step;
otherwise, it discards this message.
Step 7: R chooses a random value g
R
Z

n
, produces a timestamp t
R
, and computes:
R
2
= gP, R
3
= (r +g)K, y
R
= h(y(R
3
), x(T
1
), x(T
4
), t
R
) (5)
Then R sends T
1
, T
4
, R
2
, t
R
, y
R
to S.
Step 8: After receiving the message T
1
, T
4
, R
2
, t
R
, y
R
, S rstly checks the freshness of t
R
. If t
R
is
not fresh, S aborts the current session; otherwise, it checks the validity of this message according
to its secret key k
3
and Rs public key P
R
as follows:
B
1
= k
3
(P
R
+R
2
), y
B
= h(y(B
1
), x(T
1
), x(T
4
), t
R
) (6)
If the equality y
B
= y
R
holds, S will accepts the message T
1
, T
4
, R
2
, t
R
, y
R
is valid, and consider
that R is legal. Then S goes to the tag information sending phase; otherwise, it terminates.
3.4 Tag information sending phase
In this phase, S recovers Rs identication value ID
i
, and nds corresponding value DATA in its
database table. Then, S sends DATA to R through insecure wireless communication channel.
Step 9: S recovers Ts identication value ID
i
form T
1
, T
2
as follows:
B
2
= T
4
k
3
T
1
, ID
i
= k
1
(B
2
k
2
P) (7)
Step 10: S searches for ID
i
in its database table, if here is not ID
i
, it terminates the protocol;
otherwise, it will nd corresponding value DATA.
J. Zhou et al. /Journal of Computational Information Systems 8: 8 (2012) 32613268 3265

Fig. 1: The proposed protocol
Note: From now on, our mutual authentication protocol is completed, S will consider R and
T are legal. Here, a information process way is given, it ensure S can secure sends DATA to R.
Step 11: S generates a random number l
R
Z

n
, and encrypts DATA {0, 1}
2m
as follows:
B
3
= lP, B
4
= lP
R
, B
5
= k
3
P
R
(8)
y
1
= y(B
4
) (DATA)
L
x(B
5
) (DATA)
R
(9)
y
2
= h(x(B
2
), (y
1
)
R
, t
R
+ 1) (10)
Then the ciphertext y
1
and check value B
3
, y
2
are emitted to R .
Step 12: As R receives the messages from S, the ciphertext integrity check can be done as
follow:
R
4
= rB
3
, R
5
= rk, y = h(x(R
4
), (y
1
)
R
, t
R
+ 1) (11)
If the equality y = y
2
holds, R can use R
5
to decrypt the ciphertext y
1
as follows:
DATA = (y
1
)
L
y(R
4
) (y
1
)
R
x(R
5
) (12)
4 Security Analysis
In the section, we focus on the security proofs of the proposed protocol. Before we can state our
main theorem regarding the security of mutual authentication protocol, we need some lemmas.
Lemma 1 In our protocol, if T, R and S are valid, the probability that they pass the authen-
tication are almost 1. Precisely, if T, R and S are legal and properly follow the authentication
phases, they will always are accepted as valid.
3266 J. Zhou et al. /Journal of Computational Information Systems 8: 8 (2012) 32613268
Proof: In the reader authentication phase, T operates verication algorithm according to Q
and P
R
as follows: vP + Q = (rt s)P + Q = trP sP + Q = tP
R
. Thus, T always accepts R
since this equation holds, only if R has the proper secret key value r.
In the tag authentication phase, suppose that T is valid and properly follows the protocol. S
and R operate verication algorithm according to their keys k
1
, k
2
, k
3
and r respectively. First,
R
1
= sT
1
= scP = cQ = T
2
. So we have, w = h(x(R
1
), y(T
4
)) = h(x(T
2
), y(T
4
)) = u; Meanwhile,
B
1
= k
3
(P
R
+R
2
) = k
3
(rP +gP) = (r +g)K = R
3
. Therefore, y
B
= h(y(B
1
), x(T
1
), x(T
4
), t
R
) =
h(y(R
3
), x(T
1
), x(T
4
), t
R
) = y
R
; Finally, B
2
= T
4
k
3
T
1
= T
Pi
+ cK k
3
T
1
= T
Pi
. Obviously,
k
1
(B
2
k
2
P) = k
1
(T
Pi
k
2
P) = k
1
k
1
1
ID
i
= ID
i
. Thus, S always accepts T since the value ID
i
can be found in database, only if T has the proper pseudo-id T
Pi
.
In tag information sending phase, R operates public verication according to its own secret key
value r. We have, B
5
= k
3
P
R
= k
3
rP = rK = R
5
. Therefore, y = h(x(R
5
), (y
1
)
R
, t
R
+ 1) =
h(x(B
5
), (y
1
)
R
, t
R
+ 1). Thus, R always accepts the messages B
3
, y
1
, y
2
from S, since the value y
consistent with y
2
, only if S has the proper secret key value k
3
.
Lemma 2 Under Assumption 1 and 2, no information about the secret key k
1
, k
2
, k
3
, r and
Ts pseudo-id T
Pi
are revealed by observing message of the proposed protocol.
Proof: We start with the basic assumption that secret keys k
1
, k
2
, k
3
, r and T
Pi
are security
in the setup phase. In the reader authentication phase, our take benet of the usage the elliptic
curve cryptography, no information about Rs key r will be leaked by v. In the follow steps, r
will be used to compute: R
3
= (r +g)K, R
4
= rB
3
, R
5
= rK. R
3
, R
4
, R
5
have not been publicly,
so it is impossible for adversary to obtain any information about r from R
3
, R
4
and R
5
.
For k
1
and k
2
, they are used to generated T
Pi
= k
1
1
ID
i
+k
2
P. According to our assumption,
T
Pi
is secrecy in the setup phase. Even in worse conditions that T
Pi
be learned by adversary, by
assumption 1, there is no information about k
1
and k
2
been revealed. For the same reason, there
is no secret information about k
3
has been revealed from the public key K = k
3
P.
In this protocol, T
Pi
only be used to generate T
4
= T
Pi
+T
3
. The adversary can known T
1
= cP
and K = k
3
P from the public messages. By assumption 2, it is impossible that the adversary
computes T
3
= ck
3
P. Therefore, there is no information leakage about T
Pi
.
In a word, there is no any secret information been revealed from the public message in the
proposed protocol.
Lemma 3 If an illegal reader

R interferes with the communication by impersonating as R,
and convincing T and S that it is R, T and S will always reject as invalid entity.
Proof: Suppose that

R is invalid, and this protocol based on the hardness of DL problem and
CDH problem. First,

R cannot to convince T that it is R in the reader authentication phase,
since v can not be changed. In the tag authentication phase, S needs to verication the validity
of T
1
, T
4
, R
2
, t
R
and

(y)
R
. That is, if

R wants to pass the verication, it has to successfully prove
the validity of

(y)
R
with a no-negligible probability. However,

R dont know any information
about Rs secret key r. So

R is unable to compute right R
3
(= B
1
). Obviously, S will reject

R as
invalid entity due to equation does not hold.
If

R only guesses r or

(y)
R
, it passes the authentication with the probability 1/n or 1/2
2m
.
Therefore, if

R is invalid, the probability that it passes the authentication is negligible.
J. Zhou et al. /Journal of Computational Information Systems 8: 8 (2012) 32613268 3267
Similar lemma 3, we have lemma 4 and 5. For saving place, here we omit their proof.
Lemma 4 If an illegal reader

T interferes with the communication by impersonating as T,
and convincing S that it is T, S will always reject as invalid entity.
Lemma 5 If an illegal reader

S interferes with the communication by impersonating as R,
and convincing R that it is S, R will always reject as invalid entity.
Theorem 1 Under the hardness of ECDLP and ECCDH, the proposed protocol is a secure
mutual authentication protocol for mobile RFID systems.
Proof: Lemma 1 implies that the rst condition of Denition 1 is satised. The second
condition of Denition 1 is shown to be satised in lemma 2. By lemma 3, 4 and lemma 5, we
can nd that the probability of authentication when the protocol any one entity is not honest is
negligible. It is mean that the third condition of Denition 1 is satised. Thus, all three conditions
of Denition 1 are satised. Therefore, the proposed protocol is a secure mutual authentication
protocol for mobile RFID systems.
5 Implementation Aspects
In the section we show that our protocol can in fact be implemented on RFID tags, i.e. it can
meet the low power consumption and limited chip area constraints of an RFID tag. The main
operations a tag has to carry out in our protocol are: generate pseudorandom number, elliptic
curve point addition and scalar multiplication, and one-way hush function. In the following, we
provide upper bounds on the gate equivalents (GE) required for implementing these operations
on RFID tags.
Pseudorandom number generator (PRNG): In [8], J. Melia-Segui et al. propose an alter-
native mechanism that ts resource constraints and satises the security requirements for RFID
tags. The approaches are ecient for PRNG implementations that require less than 800 GEs.
Almost all approaches for PRNGs implementations are designed based on linear feedback shift
register (LFSR). The main reason is that LFSR schemes are very fast and ecient in hardware
implementations as well as simple in terms of computational requirements.
Addition and multiplication operation on elliptic curve (EC): Points addition and
scalar multiplication on EC are two main operations in RFID tags side. The use of elliptic curve
cryptosystems (ECC) for the implementation of primitives for RFID tags has been discussed
in [9]. Its use of small key sizes is seen as very promising for providing an adequate level of
computational security at a relatively low cost. In [10], authors show how secure identication
protocols based on the DL problem on EC are implemented on a constrained device such as RFID
tag requiring between 8500 and 14000 GEs, depending on the implementation characteristics.
Hash function: During tag authentication message generation, a hash function h() be used
for checking some messages integrity and the security requires no collision resistance. In [11], an
overview of hardware-ecient implementations of hash function is given. The authors show that
a reasonable approach and can be implemented with approximately 1300 GEs. Using the same
stream cipher as for PRNGs is expected to result in a reduction of gate equivalents.
3268 J. Zhou et al. /Journal of Computational Information Systems 8: 8 (2012) 32613268
6 Conclusions
In this paper, the authors present a mutual authentication protocol based on elliptic curve cryp-
tography for mobile RFID systems. For both safety and eciency considerations, between the
parties each other does not have secret key in common to share in our protocol, which is an
advantage over general protocols. The proposed protocol is designed to minimize the computa-
tion amount on tags to meet the implementation restrictions. Finally, our approach is shown to
scalable on the number of tags in the mobile systems, and a security proof is provided that proves
the condence of this protocol.
Acknowledgement
This work was supported by the Fundamental Research Funds for the Central Universities
(BUPT2010PTB0503), by National Natural Science Foundation of China (Grant No. 61070204,
61003285), and by the National Science and technology key project (Grant No. 2010ZX03003-
003-01).
References
[1] S. Y. Kang et al. A study on secure RFID mutual authentication scheme in pervasive computing
environment. Computer Communications, 2008, 31 (18): 4248 4254.
[2] Cao. T, Zhang. Y. Cryptanalysis and improvement of a RFID authentication scheme. Journal of
Computational Information Systems, 2009, 5 (4): 1177 1182.
[3] Kejia Wu, Enjian Bai and Wen Zhang. A Hash-Based Authentication Protocol for Secure Mo-
bile RFID Systems. The 1st International Conference on Information Science and Engineering
(ICISE2009), 2009: 2440 2443.
[4] Ming Hour Yang, Lightweight authentication protocol for mobile RFID networks. Int. J. Security
and Networks, 2010, 5 (1): 53 62.
[5] M. Sandhya1, T. R. Rangaswamy. A forward secured authentication protocol for mobile RFID
systems. International Journal of Information Technology and Knowledge Management. July-
December 2011, 4 (2): 549 553.
[6] Ivan Damg ard and Michael stergaard Pedersen. RFID Security: Tradeos between Security and
Eciency. Lecture Notes in Computer Science, 2008, Volume 4964/2008: 318 332.
[7] Basel Alomair, Loukas Lazos, Radha Poovendran. Securing low-cost RFID systems: An uncondi-
tionally secure approach. Journal of Computer Security, 2011, 19 (2): 229 257.
[8] J. Melia-Segui, J. Garcia-Alfaro, J. Herrera-Joancomarti. Analysis and Improvement of a Pseu-
dorandom Number Generator for EPC Gen2 Tags. LNCS, vol. 6054 Financial Cryptography and
Data Security Workshops, Springer, Pages 34 46. Tenerife (Spain), January 2010.
[9] J. Wolkerstorfer. Is Elliptic-Curve Cryptography Suitable to Secure RFID Tags. Workshop on
RFID and Lightweight Crypto, Ecrypt, Graz, July 2005.
[10] L. Batina, J. Guajardo, T. Kerins, N. Mentens, P. Tuyls, and I. Verbauwhede. An elliptic curve
processor suitable for RFID-tags. Cryptology ePrint Archive, Report 2006/227, IACR, 2006.
[11] T. Good, W. Chelton, and M. Benaissa. Hardware Results for Selected Stream Cipher Candidates.
Presented at SASC 2007, February 2007: 191 204. Available for download via,
http://www.ecrypt.eu.org/stream/.