SKINNY-Based RFID Lightweight Authentication Protocol

With the rapid development of the Internet of Things and the popularization of 5G communication technology, the security of resource-constrained IoT devices such as Radio Frequency Identification (RFID)-based applications has received extensive attention. In traditional RFID systems, the communication channel between the tag and the reader is vulnerable to various threats, including denial of service, spoofing, and desynchronization. Thus, the confidentiality and integrity of the transmitted data cannot be guaranteed. To solve these security problems, in this paper we propose a new RFID authentication protocol based on the lightweight block cipher algorithm SKINNY (LRSAS for short). Security analysis shows that the LRSAS protocol guarantees mutual authentication and is resistant to various attacks, such as desynchronization attacks, replay attacks, and tracing attacks. Performance evaluations show that the proposed solution is suitable for low-cost tags while meeting security requirements. This protocol reaches a balance between security requirements and costs.

To simplify the description, the symbols and operation instructions of the LRSAS protocol are shown in Table 1.

SKINNY Algorithm
The SKINNY algorithm is a lightweight block cipher proposed by Beierle et al., in 2016 [24], and its security structure belongs to the SPN cipher. SKINNY is a tweakable block cipher with multiple versions of block size and key size, which results in SKINNY being better adaptable to different application environments and having better performance in hardware implementation. Its block size n has 64-bit and 128-bit versions, and the key size t has n, 2n, and 3n versions. Since this paper studies the application in passive 96-bit-EPC-encoded RFID systems, the SKINNY encryption algorithm with a block size of 128 bits and a key size of n is used.
The SKINNY encryption algorithm includes three modules: initialization, the round function, and key scheduling. The encryption process of the three modules is briefly described below. The number of rounds of the SKINNY algorithm is shown in Table 2. In this paper, the block length is 128 bits, the key size is 128 bits, and the number of encryption rounds is 40.

Table 2
Block Size n / bit    Key Size t / bit    Round Times
64                    64                  32
64                    128                 36
64                    192                 40
128                   128                 40
128                   256                 48
128                   384                 56

Initialization. The 96-bit FID is divided into 16

The initial key of 128 bits is represented by K, and K is divided into 8-bit sub-units thus that

The Round Function. One encryption round of SKINNY is composed of five operations in the following order: SubCells, AddConstants, AddRoundTweakey, ShiftRows, and MixColumns. The number of rounds to perform depends on the block and key sizes.
Sub Cells (SC): The plaintext matrix IS_i is nonlinearly transformed by the Sbox in units of single bytes. When the subunit is 8-bit, the Sbox is shown in Table 3 (in hexadecimal notation). 1 0 1 1 1 0 0 0 The round function f(x) of the block cipher SKINNY-128-128 is shown in Figure 1.
Key Schedule. Suppose the key size is n; the key scheduling module is implemented by a permutation P_T, which is P_T = [9,15,8,13,10,14,12,11,0,1,2,3,4,5,6,7]. The contents of the 16 cells are replaced cell by cell according to the subscript rule indicated by P_T, thereby executing key updating.
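The key schedule described above can be run directly. The following Python sketch is an added example, not code from the paper; the function names and the sample key are assumptions, and it models only the P_T cell permutation given in the text.

```python
# Added illustration; all names below are hypothetical, not from the paper.
# P_T as given in the text: cell i of the updated key takes old cell P_T[i].
P_T = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7]


def apply_pt(cells):
    """One key-schedule step: rearrange the 16 key cells according to P_T."""
    if len(cells) != 16:
        raise ValueError("SKINNY-128-128 key state must be 16 one-byte cells")
    return [cells[P_T[i]] for i in range(16)]


def schedule_states(key, rounds=40):
    """Key state at the start of each of the `rounds` rounds."""
    states, cells = [], list(key)
    for _ in range(rounds):
        states.append(bytes(cells))
        cells = apply_pt(cells)
    return states


def schedule_period(key):
    """Number of P_T steps after which the key state first repeats."""
    cells, steps = apply_pt(list(key)), 1
    while bytes(cells) != bytes(key):
        cells, steps = apply_pt(cells), steps + 1
    return steps


# Constructed sample key (bytes 0x00..0x0f) so every cell is distinguishable.
SAMPLE_KEY = bytes(range(16))

if __name__ == "__main__":
    states = schedule_states(SAMPLE_KEY)
    print("after 1 step:", states[1].hex())
    print("period:", schedule_period(SAMPLE_KEY))
    print("distinct states in 40 rounds:", len(set(states)))
```

Because P_T only rearranges cells, every key state is a byte permutation of the initial key, and the 40-round schedule cycles through 16 distinct states. Assuming one key update in the protocol corresponds to one P_T step, an updated key is therefore a rearrangement of the previous key's bytes and returns to the initial value after 16 updates.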

LRSAS Protocol Description
In this protocol, passive RFID tags conforming to the 96-bit EPC code are used. Such tags are limited by hardware and cost and cannot use traditional cryptographic encryption algorithms such as ECC and RSA. However, the lightweight block cipher SKINNY requires only 2391 logic gates under the premise of ensuring security, thus the SKINNY algorithm is very suitable for low-cost tags. The LRSAS protocol mainly includes four phases: initialization phase, tag identification phase, mutual authentication phase, and update phase.
Initialization phase. There are three values inside each RFID tag: ID, FID, and K. ID and FID are 96-bit, K is 128-bit. FID and K are updated after each authentication. The back-end database will store two sets of entries, old and new, which are the values communicated with the tag in the previous and current sessions, respectively, where FID is the pseudonym obtained by encrypting the ID using SKINNY.
Tag identification phase. The reader sends a request message, and the tag sends a response signal FID_new to the reader after receiving the request signal. If the reader retrieves the data pair corresponding to FID_new in the database, the authentication phase is entered; if the data pair corresponding to FID_old is retrieved, the tag may be subjected to a desynchronization attack. In this case, the data pair (
The tag calculates r and M2. If the calculated M2 and the received M2 are equal, the reader is authenticated. Otherwise, the authentication ends.
The tag calculates message M3 and sends it to the reader.
After receiving the message, the reader calculates M3 according to its own M2 and r. If the calculated M3 and the received M3 are equal, the tag is valid. Otherwise, the authentication ends.
Update phase. After the reader authenticates the tag, the session enters the updating phase. The reader sends OK information to the tag at the same time. Because the values of the tag from the last session are saved, the updating stage is divided into two situations. If the reader uses the (FID_old, K_old) pair to authenticate, the database will not update the pseudonym and shared key. If the reader uses the new pair to authenticate, the database will update the pseudonym and the shared key in the following way: The updating of the key K_new is through the key schedule module in Section 2.2. After receiving the OK message, the tag updates its own pseudonym

Formal Proof of the LRSAS Protocol
In this section, the GNY logic rules are used to prove the security and feasibility of the proposed LRSAS protocol. In this paper, the logical objects of GNY are tags and readers, which are represented by T and R, respectively. The key is represented by K. The formula variables are represented by X and Y. In order to simplify the structure of the article, the details of the GNY logic rules and symbolic representation can be found in [25].
(1) Protocol Initialization Assumption
Before using GNY logic to prove the proposed protocol, several necessary initial assumptions need to be given. Here is a list of specific assumptions:
The above description model can be converted into a model described using GNY logic language as follows:
The proof of the LRSAS protocol is to prove the freshness of the information sent by the other party when communicating with the reader and the reader. The target formula for the proof is as follows:
According to the inference rule and the message M3, it can conclude:
According to the inference rule

Informal Security Analysis
This section will analyze the security of LRSAS from seven security properties, including data confidentiality and integrity, replay attack, impersonation attack, tracking attack, desynchronization attack, denial of service attack, and forward security. The security of LRSAS is demonstrated by the following informal analysis.
Data confidentiality and integrity (DCI). In the authentication process, the (ID, K) of the tag and the r of the reader are transmitted in the form of ciphertext. Due to the security of the SKINNY block encryption function and the pseudo-random number, the attacker cannot know the corresponding plaintext. In addition, the FID is the tag's pseudonym, which is updated after each successful session, thus the identity information of the tag is not leaked. In this protocol, the random number generation depends on readers with stronger computing capacity. In order to ensure that the random number received by the tag is the same as the random number generated by the reader, M1 and M2 contain r and ID. Encryption also guarantees the integrity. The reason is that any bit change of the random number r will result in a different ciphertext, leading to authentication failure.
Replay attack (RA). Since the tag and the reader communicate with each other through a wireless communication channel, an attacker can trick another subject by eavesdropping on the transmitted sub-message, impersonating the tag or reader, and replaying the previously received sub-message. It is assumed that the attacker records the information sent by the tag in advance. When the reader communicates with the tag again, the attacker pretends to be a legitimate tag and communicates with the reader through the recorded tag information. The values of FID and are related to the random number r of the reader. Since the random number of each authentication is different, each value of the tag response is different. Even if the attacker intercepts the previous information, it cannot be used the next time to forge the value. Therefore, the tag or reader will not accept the copied information.
Impersonation attack (IA). As discussed above, in the process of executing the LRSAS protocol, the tag and the reader need to be mutually authenticated, and the information used by the tag and the reader for mutual authentication is encrypted by the SKINNY algorithm, and the key is already stored in the initialization phase. In the main body, when an attacker wants to spoof another subject by forging one of the subjects, the correct ciphertext for verifying the identity information cannot be generated.
Track attack (TA). In each authentication phase, the tag does not transmit the plaintext of its ID or key, and the transmitted messages contain random numbers. In addition, the tag and database update the shared pseudonym FID and key K after each successful authentication. Second, no unbalanced operations, such as AND or OR operations, are used in the authentication protocol. Therefore, it is not feasible for an attacker to attack the current session by eavesdropping on historical information.
Desynchronization attack (DA). Since the tag and the background database update the pseudonym FID and the key K in each session, there is a problem that the shared data are inconsistent so that the legitimate tag is subjected to the desynchronization attack, and thus cannot be authenticated in subsequent sessions. When the adversary tampers with the sub-messages and , the tag obtains an invalid random number r′ through , and then calculates through the wrong r′. The tag authenticates the reader by comparing whether and are equal. Because the protocol guarantees the confidentiality and integrity of the message, the reader authentication fails in this session. The tag does not update information such as pseudonyms and keys and terminates the authentication. In addition, when the attacker interrupts , the illegally generated will not pass the tag authentication, thus this protocol guarantees the synchronization of the information shared between the tag and the reader.
Denial of service attack (DoS). If the attacker blocks the final confirmation message sent by the reader, the adversary will cause a desynchronization attack. This problem can be overcome by storing the two versions of the (FID, K) values on the reader, storing the old version before the update, and storing the new version after the update. In addition, the tag can send an explicit ACK to confirm that the update phase was successful.
Forward security (FS). The pseudonym FID and shared key for authentication are updated after each session, and the pseudonym update needs to contain a random number. Therefore, if the tag is cracked, the attacker cannot discover the historical confidential information. The previous communication of the tag and reader is still secure, which means forward security.
Compared with the security of the existing solutions, it can be clearly seen that the proposed protocol has the best security performance, as shown in Table 4.

[Table 4. Columns: Protocol, DCI, RA, IA, TA, DA, DoS, FS. Surviving row fragment: EMAP [13] ×]

In Table 4, the EMAP, SASI, and Gossamer protocols, which are ultra-lightweight protocols, are less secure than other lightweight and mature protocols in terms of secret disclosure attacks, denial of service attacks, and desynchronization attacks. Although the protocols based on elliptic curve encryption achieve effective protection against common attacks, they need too many hardware resources due to the complexity of the mature encryption algorithm ECC calculation. The lightweight security protocols [16,19] reduce the consumption of hardware resources, but they cannot defend against synchronization attacks and tracking attacks. However, the LRSAS security protocol has reached a balance between security protection and resource consumption. Therefore, the LRSAS protocol has high availability and has a certain role in promoting the development of RFID security authentication protocols.

Performance Analysis
In the protocol proposed in this paper, the lightweight block cipher algorithm SKINNY was chosen as a security measure to ensure information confidentiality and integrity. Compared with the SIMON and PRESENT, which are common block ciphers, SKINNY not only has a lightweight key arrangement algorithm but also has the same efficiency as SIMON in execution [24]. This shows that SKINNY is very suitable for a low-cost RFID tag field. In addition, this protocol supports EPC coding for 96 bits. In the following, this paper compares and analyzes the protocol performance in terms of the communication overhead, storage overhead and computational overhead of the tag, as shown in Table 5. Among them, h denotes a hash function operation, r denotes a random number generation operation, e denotes an ECC encryption/decryption operation, a denotes a connection operation, x denotes a logical bit operation, m denotes a MIXBITS operation in Gossamer, c denotes a Con encryption operation in SLAP, s denotes a SKINNY encryption operation, and p denotes a PRESENT encryption/decryption operation. The efficiency of encryption algorithm is x>s>p>m>c>h>e. In addition, L is the length of the pseudonym and key.
The protocol designed in this paper uses one of the SKINNY encryption algorithms and can support 96-bit EPC encoding. The calculation time of the round function used by the SKINNY encryption algorithm in the encryption phase is smaller than that of the Hash, ECC, and PRESENT encryption calculations. Therefore, the calculation overhead is also applicable to low-cost RFID tags. In addition, the storage overhead of the tag is 3L, which significantly reduces the storage capacity required of the tag compared with other protocols, and lowers the complexity of the logic gate design of the storage structure. Furthermore, in the mutual authentication of the tag and the reader, the protocol has five information interactions, and the total amount of data received and transmitted is 6L, which is relatively small, thereby ensuring the efficiency of information interaction.
Finally, in terms of the number of equivalent logic gates, different versions of SKINNY have different quantities of equivalent logic gates. This protocol uses the SKINNY-128-128 version, whose number of equivalent logic gates is 2391, less than 3K. Thus, it can be used in low-cost tags. In addition, the number of equivalent logic gates of other protocols also leads to being vulnerable to certain security attacks. See Table 4 for details.

Conclusions
This paper chooses a lightweight block cipher SKINNY, which has the advantages of low hardware power consumption and low computational complexity on the premise of ensuring secure encryption, thus it can be used in low-cost IoT terminal equipment. Based on the algorithm, this paper first designed a lightweight RFID security authentication protocol LRSAS, and then verified its security from seven security requirements, including data confidentiality and integrity, replay attack, impersonation attack, tracking attack, desynchronization attack, denial of service attack, and forward security, through GNY logic proof and informal security analysis. Finally, the performance analysis of LRSAS and other protocols was performed by comparing communication, storage, and computational overhead, which shows that the protocol can meet the security requirements and hardware overhead of the lightweight protocol.