ECC-Based Lightweight Authentication Protocol with Un-traceability for Low-Cost RFID Authors: Hung-Yu, Chi-Sung Laih Sources: Journal of Parallel and Distributed Computing, Accepted Speaker: C. H. Wei

Outline The problem Authentication protocol Security analysis, and performance analysis Conclusion Comments

The Problem Only a few of the previous RFID authentication schemes consider anonymity and un-traceability In some schemes, the tags do not respond to identification-related information A server must search the whole database About perform computation, per tag in order to identify the communicating tag, which is not efficient.

Hamming code (1) 1 send 1101 Received 1101010 (2) e (3) (4)

Initialization The server randomly chooses a secret linear code C(n, k, d), length n, dimension k and minimum distance d The server assigns row vectors G[j] to the tag, where j=(i-1)*s+1,…i*s

Ti, Ki, G Ti, Ki, g( ), G[j] ci =mi*G G*HT=0

Security Analysis Mutual authentication Privacy Only the genuine server can compute Only the genuine tag can compute Vs Privacy The value seem random to an attacker who does not have the private parameters.

Security Analysis (cont.) Anonymity and un-traceability Attacker eavesdrop two or more sessions (c1+e1, …, ci+ei) Compromise of tags The attacker could derive the row vectors and key inside the tag The scheme does not provide the forward secrecy

Security Analysis (cont.) Performance analysis Only the server is required to be equipped with the decoding algorithms. The tag require the pseudo-random generator and simple bit operations The number of row vectors per tag being l, the space requirement per tag is l*n+|Ki| ex. (n=128,k=64,d=22), l=3, 64/3=21 tags, length of key is 32, space=3*128+32=416 bits

Comments 之前的論文在解決traceability和anonymity都需要將資料庫全部搜尋一次，才能確認對方身份 此論文建議的方法使用linear error correction codes 可以達到low-cost and better performance 缺點：不適合用在有大量的tag環境下 因為每個tag需要用到的儲存空間很大

A binary K-tuple m can be encoded to an N-bit codeword c=m A binary K-tuple m can be encoded to an N-bit codeword c=m*G, where G is an K-by-N generator matrix. An error vector e added to the codeword ci results in a vector r can be decoded in to c based on the syndrome vector s=r*HT, where H is an (N-K)-by-N parity-check matrix such that G*HT=0