An Anonymous Offline RFID Grouping-Proof Protocol

Abstract: As more and more items are tagged with RFID (Radio Frequency Identification) tags, grouping-proof technology is widely used to provide coexistence evidence for a group of related items. Because RFID systems communicate over a wireless channel, the communication between the reader and the tags carries a security risk. How to ensure the security of tag information and to generate a reliable grouping-proof has become an active research topic. To protect the privacy of tags, the verification of a grouping-proof is traditionally executed by the verifier, and the reader is only used to collect the proof data. This approach can cause the reader to submit invalid proof data to the verifier in the event of a DoP (Denial of Proof) attack. In this paper, an ECC-based, offline anonymous grouping-proof protocol (EAGP) is proposed. The protocol authorizes the reader to examine the validity of a grouping-proof without knowing the identities of the tags. The security and performance analysis shows that EAGP protects the security and privacy of RFID tags and defends against impersonation and replay attacks. Furthermore, it reduces the system overhead caused by the submission of invalid grouping-proofs. As a result, the proposed EAGP has practical application value.


Introduction
RFID grouping-proof technology is a mechanism that can prove that a group of tagged items appeared at the same time and the same place [1]. The grouping-proof protocol can be adopted in many applications that need a coexistence proof to guarantee that items with RFID tags have been scanned simultaneously, such as supply chains, health care, and evidence in law [2][3][4]. For example, in logistics management, we can generate a proof that guarantees the integrity of a container and the goods in it by scanning their tags simultaneously. In an intelligent health-care environment, we can validate that medication was taken correctly by scanning the patients and their unit-dose medications at the same time and place [5]. In manufacturing, a maker of aircraft equipment can certify that a certain part always leaves its factories with a safety cap attached by scanning their RFID tags simultaneously.
According to the connection method between the reader and the verifier, there are two different modes: online and offline [4]. The online mode requires a stable connection between the reader and the verifier, as in [6,7]. In this mode, the verifier can send messages to and receive messages from a specific tag (via the reader) during the whole protocol execution. This mode has good real-time performance and high security, but its network requirements are relatively high. In some application fields, it is difficult to maintain the network connection between the reader and the back end. In addition, a continuous network connection must take energy efficiency into account [8][9][10]. In the offline mode, on the other hand, a stable connection between the reader and the back end is unnecessary: the reader can collect tag information and generate multiple grouping-proofs without the participation of the verifier, and afterwards send the proof data to the verifier. Thus the verifier in offline mode does not need to communicate with any specific tag (via the reader); it only needs a connection before and after the generation of the grouping-proofs. The connection requirement during the protocol is more flexible; however, many security problems need to be solved in this mode, which has become the research focus of many works in the state of the art [3,4,11,12,13,14,15,16,17,18].
Figure 1 shows a common offline mode of an RFID grouping-proof system. The tags are divided into M groups: {Group_1, Group_2, ..., Group_M}. Each group Group_i contains n_i items with RFID tags. The reader receives group information from the verifier and communicates with the tags. If it can simultaneously scan all tags in the ith group, the reader generates a grouping-proof G_i. After all groups are scanned, the reader sends {G

Figure 1. The offline mode of the grouping-proof protocol (Group 1 with n_1 tags, Group 2 with n_2 tags, ...; the verifier supplies the group information to the reader, and the reader returns the grouping-proofs).

Motivation
In this study, we focus on the offline mode of grouping-proof protocols. Many works engage in this mode. First, a grouping-proof shows the presence of the group items as a whole, yet each single item is intended to be sold or transported to other owners. To protect the privacy of these items, anonymity must be considered an important security property: the authentication should be anonymous, so that no unauthorized third party can obtain a tag's identity during the protocol execution. The second point is secret key distribution. Since there are a large number of tags in an RFID system, the management of secret keys becomes a complicated problem and the use of symmetric encryption schemes is not practical, so public-key (PKI) systems are considered. Encryption and decryption in the RSA algorithm require modular exponentiation of very large numbers to guarantee security; since the modulus is always longer than 1024 bits, multiplication and division become time-consuming calculations, making it impossible to apply the RSA algorithm to RFID tags in practice. Elliptic Curve Cryptography (ECC) is used instead. Point (scalar) multiplication is the basic operation of ECC protocols; it is easily performed via repeated group operations, which is applicable to low-cost RFID tags. The third problem of offline grouping-proof protocols is that the validity check can only be performed by the verifier, so an invalid grouping-proof will not be detected before submission to the back end, which greatly reduces the response speed to illegal data. Our solution allows the reader to check the tag's identity before submitting the proof data. However, this requires the reader to store the tag's identity, which is a potential hazard to the tag's private information. Therefore, it is essential to find a way to guarantee the legality of a grouping-proof without revealing the secret information of tags.

Our Contributions
The main contributions of this paper are as follows.
(1) We investigate Kang's protocol [19] and provide improvements in key distribution [20], communication overhead, and resistance to impersonation attack and DoP (Denial of Proof) attack.
(2) We establish a scheme that seals the identity of the tag into the grouping-proof message with the group key and the session key, so the proof data include two types of tag information: the group member identity and the individual identity.
(3) We propose an ECC-based offline anonymous grouping-proof protocol with two tags, denoted EAGP(2). Based on EAGP(2), we extend the protocol to the n-tag case (n > 2), denoted EAGP. EAGP has two verification stages. The first stage verifies the legality of the tag's group member identity and checks the grouping-proof briefly. The second stage verifies the identity of the tag and further confirms the grouping-proof.
(4) We carry out the security analysis, performance analysis and correctness proof of EAGP, and conclude that the protocol resists DoP attack [21] and impersonation attack. It also protects the tag's information when the reader is compromised. Moreover, EAGP scales well to the multiple-tag case.
The rest of the paper is organized as follows. An overview of related RFID grouping-proof protocols is presented in Section 2. Section 3 describes the preliminaries of EAGP. Section 4 introduces Kang's protocol [19]. The system model and definitions are described in Section 5. Section 6 presents the EAGP protocol. The security analysis of EAGP is described in Section 7. In Section 8, we provide a performance analysis of our protocols. Section 9 concludes this work. The correctness proof of EAGP is given in the Appendix.

Related Work
The idea of grouping-proof was first introduced in [1]; the protocol was called yoking-proof and only involved a coexistence proof of two tags. Since its introduction, the yoking-proof has evolved to include multiple tags and is now known as the "grouping-proof". In succeeding studies, the grouping-proof protocol has been applied in many fields. In [2][3][4][5], the authors used the protocol to generate medical process evidence for inpatient medication safety. Chien et al. [13] constructed a tree-based tag organization to provide grouping-proofs for a complicated system. In addition, there are many other proposals to enhance the security and privacy of this protocol. Burmester et al. [22] pointed out several problems in grouping-proof protocols: (1) vulnerability to replay attack; (2) unrelated tags can participate in a protocol session, and the failure can only be found by the verifier; and (3) the protocol does not take the presence of a rogue reader into account. To mitigate these drawbacks, the authors improved the protocol by using a group key, proposing a grouping-proof protocol with forward security. Li et al. [16] proposed a yoking-proof protocol with tag anonymity and proved its security within the Universally Composable (U.C.) framework [23]. Cho et al. [18] described a grouping-proof protocol that resists replay attack. In [24], the authors used a coding scheme to check the tag information and improve the protocol security.
In [4], the authors analyzed the existing grouping-proof protocols and declared guidelines for future sound protocols. To further improve the safety of RFID systems, the application of encryption algorithms is necessary. The work in [25] discussed the feasibility of ECC in RFID systems. In [26], the authors proposed an RFID chip scheme to support ECC. After that, an RFID mutual authentication protocol based on ECC (ID-Transfer) was proposed [27]. Based on ID-Transfer, Batina proposed the first grouping-proof protocol based on ECC in [28] and proved that it can provide proof validation and privacy protection in the presence of untrusted tags or reader. The literature [29] showed that Batina's protocol is vulnerable to malicious tracking and proposed an improved scheme. Kang [19] further showed that Batina's protocol is not secure against the impersonation attack and proposed authenticating the reader during the grouping-proof procedure to solve this problem.

Preliminaries
In this section, we introduce ECC and the related hardness problem.

Elliptic Curve Cryptography
Elliptic curves are algebraic structures that constitute a basic class of cryptographic primitives relying on a mathematically hard problem. An elliptic curve E over a finite field F_q with characteristic q > 3 can be defined by Equation (1): where a, b, x, y ∈ F_q and 4a^3 + 27b^2 ≠ 0 (mod p). The point (x, y) is a point on the elliptic curve. Let P be a fixed point on the curve E(F_q) with prime order n, and let k be a large integer scalar in [1, n − 1]. Due to the hardness of the Elliptic Curve Discrete Logarithm Problem [30], it is easy to compute the scalar multiplication Q = kP but hard to find k knowing only Q and P.

Elliptic Curve Discrete Logarithm Problem (ECDLP)
ECDLP Definition: Given an elliptic curve E defined over a finite field F q , a point P ∈ E(F q ) of order n, and a point Q = kP where 0 ≤ k ≤ n − 1, determine k.
The well-known hardness of the ECDLP is crucial for the security of our elliptic curve scheme.

Investigation of Kang's Protocol
Literature [19] proposed a grouping-proof protocol based on ECC. The framework of this protocol is shown in Figure 2, and Table 1 describes its notation. The protocol has four stages: (1) initialization stage, (2) authentication stage, (3) grouping-proof generation stage, and (4) verification stage. In the initialization stage, the server writes {s_a, K, Y} into tag A and {s_b, K, Y} into tag B. The authentication stage authenticates the identity of a reader and thus prevents the reader impersonation attack. In this stage, the reader generates its authentication code {C_0 = rP, C_1 = rK, s = r + k·x(C_1)} and uses it to identify itself to the two tags. Then the reader starts the grouping-proof stage:
(1) According to the random number broadcast by the reader, tag A generates a random number r_a, calculates T_{a,1} and sends it to tag B via the reader.
(2) Tag B calculates T_{b,1}, T_{b,2} and sends T_{b,2} to tag A via the reader.
(3) Tag A calculates T_{a,2} = (r_a + x(T_{b,2}) s_a) Y and sends it to the reader.
(4) Finally, the reader passes these data as the grouping-proof to the verifier for validation.
Kang's protocol uses authentication to counter the impersonation attack, but it has some flaws that need to be pointed out.
(1) Key distribution: in Kang's protocol, tag A and tag B need to store the reader's public key. If the reader is changed, the new public key must be written into all the tags. If the number of tags is very large, the overhead is severe.
(2) DoP attack: the reader in Kang's protocol cannot validate the proof and is unable to check the legality of tags. If the reader suffers a DoP attack, or unrelated tags take part in the proof process, the failure cannot be identified before the proof is sent to the verifier, which reduces the system's real-time performance.
(3) Communication overhead: the authentication stage increases the number of communication rounds between the tag and the reader, which adds communication overhead.

The System Model
In our work, the RFID grouping-proof system consists of three parts: reader, RFID tags and verifier.
• Tag: the tags in our protocol are passive low-cost devices with relatively small storage and limited computational capacity. The tags are divided into several groups.
• Reader: the RFID reader is a powerful device controlled by an untrusted third party. For security reasons, the private information of the tags and the verifier is unknown to the reader.
• Verifier: an offline trusted third party (TTP) that maintains all the keys and identities of the groups.
There are two types of channels in our protocol: the channel between the tag and the reader, and the channel between the reader and the verifier. We assume the former is not secure and can be attacked by the adversary. The second channel is secure, and messages transferred over it cannot be eavesdropped.

The Adversary Model
In grouping-proof protocols, the adversary has two goals: (1) forge a grouping-proof that passes the validation of the verifier; and (2) obtain the private information of the reader and tags. Following the attacker described in [23], the adversary in our protocol completely controls the communication channel between the reader and tags, and can modify, delay and replay any message in the protocol. In addition, the adversary can also compromise a tag and fully control it.

The Security Requirement of Grouping-Proof System
The security requirements include these parts:

• Anonymity
The anonymity of tags and readers: the adversary cannot obtain the identity of a tag or a reader by eavesdropping on the protocol messages.

• Location Privacy
The adversary cannot track the location of a reader or of tags through the protocol messages.

• Resistance to replay attack
The adversary cannot use messages from previous sessions to trick the reader or the tags into generating a grouping-proof.

• Defense against the DoP attack
The adversary cannot involve an illegal tag in the protocol to disturb the proof validation executed by the verifier [21].

• Tag secret information protection
If the reader is compromised, the adversary cannot use the information stored in it to extract any secret information of the tags.

Description of EAGP
To overcome the weaknesses of the grouping-proof protocol put forward in [19], we propose the improved protocol EAGP.

EAGP(2)
The simultaneous scan is the basic requirement of grouping-proof protocols. To ensure it, EAGP uses a timeout mechanism to guarantee that the tags are scanned by a reader within a very short interval. When the protocol starts, both the reader and the tag activate a timer. If a grouping-proof session does not complete before the timeout, the protocol is terminated. For simplicity, we assume each group has two tags. Without loss of generality, we assume the verifier can be trusted. The reader and the tags are untrusted and can be impersonated or even controlled by an adversary. The notations used in EAGP(2) are summarized in Table 2.

Table 2. Notations used in EAGP(2).
Notation: Description
r_s, r_a, r_b: The random numbers generated by the reader, tag A and tag B.
P: The base point on the elliptic curve E(F_q).
Y, y: The public/private key of group G.
k_a, k_b: Temporary grouping-proof key of tag A and tag B.
k_ai, k_bi: Secret key of tag A and tag B.
PK_A, PK_B: Public key of tag A and tag B.
x(T): The x-coordinate of point T.
In EAGP(2), without losing any security characteristics, we cut down the number of communication rounds between the reader and the tags to reduce the communication overhead. The proposed protocol consists of three phases: initial phase, grouping-proof generation phase and verification phase. The protocol is described as follows:

Initial Phase
The verifier places tag A and tag B into one group and allocates the group parameters: it chooses a random number y ∈ Z and computes Y = y·P as the group public key. The group public key Y is stored in the tags, while the verifier keeps the private key y. Both tags share their secret keys k_ai and k_bi with the verifier; in addition, the verifier stores the public keys PK_A and PK_B. The reader obtains the group key y from the verifier.

Grouping-Proof Generation Phase
The framework is demonstrated in Figure 3.
(1) The reader generates a random number r_s, calculates C_0 = r_s P, C_1 = r_s Y and s = r_s + y·x(C_1). Then {s, C_0, C_1, r_s} is sent to tag A along with the message "start left".
(2) Tag A verifies the equation sP = C_0 + x(C_1)Y. If it does not hold, the protocol is terminated. Otherwise, tag A generates a random number k_1, calculates r_a = x(k_1 P) and generates the session secret key k_a = x(Y) ⊕ r_a. Then it seals its secret key k_ai into the message m_a as follows: Finally, tag A sends {m_a, r_a} to the reader.

Verification Phase
(1) Reader verification step: by Equations (4) and (5), the use of the group key y proves that tag A and tag B belong to the same group and were scanned by the reader simultaneously.
(2) Verifier verification step: the second verification stage is executed by the verifier to authenticate the tag's identity in the grouping-proof. The procedure for tag A is described as follows; the verification of tag B is the same:
• Calculate the following equations: x_a = x(u
• If x_a = r_a holds, the validation is successful, and the verifier stores the proof in the server as a record. Otherwise, the validation fails and the proof is abandoned.
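The reader-to-tag authentication of steps (1) and (2), as an added example that is not part of the paper: the reader builds {s, C_0, C_1, r_s} from the group private key y, and the tag accepts only if sP = C_0 + x(C_1)Y, so a rogue reader that knows only the public Y is rejected. The curve (secp256k1) and all function names are assumptions; the paper fixes no curve.

```python
"""Reader authentication in EAGP(2), steps (1)-(2), over a chosen curve."""
import secrets

# Curve parameters: secp256k1 (an assumption; the paper fixes no curve).
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity

def is_on_curve(pt):
    """True for a finite point satisfying y^2 = x^3 + Ax + B (mod p)."""
    if pt is INF:
        return False
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def ec_add(p1, p2):
    """Affine group law; field inverses via pow(v, -1, p) (Python >= 3.8)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def x_of(pt):
    """x(T): the x-coordinate of point T."""
    return pt[0]

def rand_scalar():
    return secrets.randbelow(N - 1) + 1  # uniform in [1, N-1]

def setup_group():
    """Initial phase: the verifier picks y and derives the group key Y = yP."""
    y = rand_scalar()
    return y, ec_mul(y, G)

def reader_challenge(y, Y):
    """Step (1): {s, C0, C1, r_s} with C0 = r_s P, C1 = r_s Y, s = r_s + y x(C1)."""
    r_s = rand_scalar()
    C0, C1 = ec_mul(r_s, G), ec_mul(r_s, Y)
    s = (r_s + y * x_of(C1)) % N
    return {"s": s, "C0": C0, "C1": C1, "r_s": r_s}

def tag_verify_reader(msg, Y):
    """Step (2): accept only if sP == C0 + x(C1)Y, else the tag aborts."""
    C0, C1 = msg["C0"], msg["C1"]
    if not (is_on_curve(C0) and is_on_curve(C1)):  # reject INF/off-curve input
        return False
    lhs = ec_mul(msg["s"] % N, G)
    rhs = ec_add(C0, ec_mul(x_of(C1), Y))
    return lhs == rhs

def forged_challenge(Y):
    """Rogue reader: it knows the public Y only, so it must guess y (fails)."""
    return reader_challenge(rand_scalar(), Y)

def tag_session_key(Y):
    """Tag A: r_a = x(k_1 P) and session key k_a = x(Y) XOR r_a."""
    r_a = x_of(ec_mul(rand_scalar(), G))
    return r_a, x_of(Y) ^ r_a
```

The check sP = C_0 + x(C_1)Y holds because sP = r_s P + y·x(C_1)·P = C_0 + x(C_1)Y; the tag never learns y, only that the challenger holds it.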

Extension to n > 2 Tags
In the previous description, we assumed the group has only two tags; in this section, EAGP is extended to multiple tags.

Initial Phase
We describe the group with multiple tags as G = {Tag_1, Tag_2, ..., Tag_n}. The notation of EAGP with n tags is described in Table 3.
k_i, PK_i: Secret/public key of Tag_i.
x(T): The x-coordinate of point T.

Grouping-Proof Generation Phase
The framework is shown in Figure 4. The solid arrows represent direct communication; the dotted arrows represent tag-to-tag communication via the reader.
(1) The reader selects Tag_1 as the first tag to calculate the grouping-proof. It generates the message M = {s, C_0, C_1} as in Figure 3 and sends it to Tag_1 with the "Start first" query.
(2) Tag_1 authenticates the reader, generates the message m_1 by Equation (2) and sends it to Tag_2 via the reader.
(3) Tag_2 selects a random number k^r_2, calculates r_2 = x(k^r_2 · P) and k^t_2 = x(Y) ⊕ r_2, then sends m_2 to the reader and T_2 to Tag_3 via the reader, where

(4) Tag_3 generates k^r_3 and r_3 in the same way as Tag_2, and calculates m_3, T_3 as below. Tag_3 sends m_3 to the reader and T_3 to Tag_4 via the reader.
(5) Tag_i (3 < i < n) generates k^r_i and r_i, and calculates m_i, T_i as below. Then Tag_i sends m_i to the reader and T_i to Tag_{i+1} via the reader.
(6) The last tag Tag_n calculates m_n, T_n, and sends T_n to Tag_1 via the reader.
(7) Tag_1 calculates T_1 by Equation (16) and sends it to the reader.

The Anonymity of Tag and Reader
During the execution of the protocol, the set of communicated messages can be expressed as {r_s, {m_i, T_i, r_i} | i = 1, ..., n}. Among them, {r_i | i = 1, ..., n} and r_s are the random numbers generated by the tags and the reader, while the other messages are calculated from these random numbers. The adversary cannot obtain any information about the protocol participants from the communicated messages.

The Location Privacy of Tag and Reader
All the messages sent in EAGP are random numbers or are generated from random numbers. In each protocol session, the temporary session key k^t_i and the random numbers are different, so the adversary cannot identify the protocol participants from the messages they send. Therefore, it is difficult for the adversary to track any tag or reader, and the locations of readers and tags are protected.

Defense Against DoP Attack
EAGP adds reader-side verification to the protocol. Before the reader sends the proof to a verifier, it can verify the tag's group member identity and the proof data beforehand. If the adversary does not know the group key, it cannot generate a legal grouping-proof G^(n) that satisfies Equation (21), so it cannot trick the reader into sending an invalid grouping-proof to the verifier.

Tag Secret Information Protection
In EAGP, the reader only stores the group's private key y. No tag information is stored in the reader's memory. Even if the adversary obtains the group's private key by compromising the reader, it still cannot get any secret information about the tags, which ensures the information security of the tags.

Resistance to Impersonation Attack
The impersonation attack has two forms: impersonating a tag and impersonating the reader. In the first, the adversary impersonates a tag and tries to trick the reader into passing the grouping-proof verification, and further to deceive the verifier. In the second, the adversary impersonates the reader to collect the tags' information, or generates a valid grouping-proof without scanning the real tags. The attack process is described as follows.

• Impersonate tag
There are two situations in which the adversary impersonates a tag. (1) The adversary does not know any secret key, which means it cannot derive a legal T_i. In this situation, the grouping-proof generated under attack cannot pass the reader validation of Equation (21). The attack is detected before the proof is sent to the verifier, protecting the system from the DoP attack. (2) The adversary obtains the group's public key Y. From Y, the adversary can derive the session key k^t_i and then generate a grouping-proof that satisfies Equation (21). However, lacking Tag_i's authentication secret key k_i, forging a legal m_i requires solving the ECDLP described in Section 3, so the probability of success is negligible and it is nearly impossible to pass the verifier validation. In conclusion, EAGP resists the tag impersonation attack in both situations.

• Impersonate reader
If the adversary impersonates the reader, it needs the group key y to generate s, which the tag uses to authenticate the reader. Without the correct s, the tag aborts the protocol, and the adversary cannot obtain any information about Tag_i.
From the above, it is difficult for the adversary to impersonate a tag or the reader, so EAGP resists the impersonation attack.

Resistance to Eavesdropping Attack
If the adversary eavesdrops on the protocol, the message set it can collect is {M, T_i, m_i}, all of which is transferred as ciphertext. Without knowing the secret key of a tag, the adversary cannot deduce the tag's identity or forge a valid grouping-proof without scanning legal tags.

Resistance to Replay Attack
A replay attack occurs when the adversary uses a tag's response to a rogue reader's challenge to impersonate the tag. Suppose the adversary collected the messages of Tag_i, {m_i^1, r_i^1, r_s^1, s^1, T_i^1}, in EAGP session p1 and tries to replay them in session p2 in order to forge a valid grouping-proof that includes Tag_i while it is absent. The adversary proceeds as follows:
(1) The adversary sends m_i^1 to the reader.
(2) The adversary sends T_i^1 as T_i^2 to Tag_{i+1} via the reader.
(3) Tag_{i+1} calculates T_{i+1}^2 = (m
Because the sessions p1 and p2 differ, we know r_s^1 ≠ r_s^2, so T_i^1 ≠ T_i^2, and we get:
The grouping-proof cannot pass the validation of the reader. Hence EAGP resists the replay attack.

Security Comparison
Table 4 compares the existing grouping-proof schemes with EAGP. The comparison shows that EAGP satisfies the basic security requirements of a grouping-proof protocol.

Performance Analysis
EAGP cuts down the communication overhead. When the number of tags increases to n (EAGP), the amount of data transmitted by each tag is the same as in EAGP(2), so EAGP scales well to the multiple-tag case.

Conclusions
In this paper, we use ECC as the encryption means, cut down the number of transmissions and propose an offline grouping-proof protocol. In this protocol, the reader can verify the validity of a grouping-proof before submitting it to the verifier. The protocol is first described for two tags (EAGP(2)) and then extended to n tags (EAGP). The security and performance analysis shows that EAGP resists impersonation, DoP and replay attacks, and protects the security and privacy of the tags' secret information.
Appendix. Correctness Proof of EAGP
According to Equations (7) and (8), we have:
Then, we can obtain:
The correctness proof of verifier authentication is completed.

The grouping-proof generation phase of EAGP(2) continues with steps (3) to (7):
(3) The reader sends {m_a, s, C_0, C_1, r_s} along with the message "start right" to tag B.
(4) Tag B verifies the equation sP = C_0 + x(C_1)Y. If it does not hold, the protocol is terminated. Otherwise, it generates a random number k_2, calculates r_b, k_b, m_b, T_b and sends {m_b, T_b, r_b} to the reader.
(5) The reader sends the message T_b to tag A.
(6) Tag A calculates T_a = (m_a + x(T_b) k_a) Y and sends it to the reader.
(7) The reader generates the grouping-proof G shown in Equation (3).

Table 1 .
Summary of notations in Kang's protocol.

Table 3. Summary of notations in EAGP.
r_s, r_i: The random numbers generated by the reader and Tag_i.
P: The base point on the elliptic curve E(F_q).
k^t_i: Temporary grouping-proof key of Tag_i.
k_i, PK_i: Secret/public key of Tag_i.

Table 4 .
The comparison of grouping-proof protocols.