# On the Security of Rotation Operation Based Ultra-Lightweight Authentication Protocols for RFID Systems


## Abstract


## 1. Introduction

**Problem Definition:** Once a reader and a tag have decided to communicate in the identification phase, security protocols are also required to protect RFID users. Security protocols such as authentication protocols are expected to provide the CIA triad of security: Confidentiality, Integrity and Availability. Confidentiality means that all secret information of the protocol parties must be kept secret; secret disclosure attacks and traceability attacks contradict this property. Integrity means that the adversary cannot change or control protocol messages without the protocol parties noticing; impersonation attacks contradict this property. Availability means that the protocol parties can authenticate each other at any time and remain synchronized with each other. De-synchronization attacks contradict this property, e.g., by blocking protocol messages or by forcing the protocol parties to update their shared secret values to different values, after which the parties no longer authenticate each other and the availability of the service is destroyed.

**Our contributions:** The contributions of this paper are summarized as follows:

- We show that the ULRAS protocol [24], which is designed around the rotation function, is not secure, and that fixing the security problem by any particular mode of the rotation function may not be possible.
- We propose an improved protocol named UEAP that uses lightweight encryption functions and resolves the security pitfalls of the ULRAS protocol.
- The security of the UEAP protocol is argued informally and also proved formally with the Scyther tool.

**Paper's organization:** The rest of this paper is structured as follows: Section 2 introduces the required preliminaries, including a brief review of rotation-based RFID authentication protocols and a description of the ULRAS protocol. We present the security analysis of the protocol in Section 3. We propose an improved protocol in Section 4, and its security evaluation is given in Section 4.1. Finally, we conclude the paper in Section 5.

## 2. Preliminaries

#### 2.1. The Adversary Model

#### 2.2. Related Work

#### 2.3. The ULRAS Protocol

- presents X and Y in their binary forms;
- computes ${X}^{\prime}=Reverse(X,Y)$, which inverts only those bits of X whose corresponding bit in Y is "1";
- computes $RR(X,Y)$ as $Rot({X}^{\prime},Y)$, i.e., the left rotation of ${X}^{\prime}$ by $Y \bmod L$ positions, where L is the length of X and Y.

- The reader starts the protocol by generating and sending a random time stamp ${T}_{R}$ and Query to the tag.
- The tag, once it receives the message, verifies whether ${T}_{R}\stackrel{?}{>}{T}_{t}$. If ${T}_{R}>{T}_{t}$, the tag:
  - generates a random number ${R}_{t}$;
  - calculates ${M}_{1}=RR(RR(ID\oplus K\oplus {R}_{t}\oplus {T}_{R},ID+{R}_{t}),K\oplus {R}_{t})$;
  - and sends $IDS$, ${M}_{1}$ and ${R}_{t}$ to the reader.
- Upon reception of the message, the reader forwards $IDS$, ${M}_{1}$, ${R}_{t}$ and ${T}_{R}$ to the back-end database.
- Once the back-end database receives the message, it verifies whether the received $IDS$ matches $ID{S}_{new}$ or $ID{S}_{old}$. If it finds no match, it stops the protocol; otherwise, the database:
  - calculates ${M}_{1}^{\prime}=RR(RR(ID\oplus {K}_{X}\oplus {R}_{t}\oplus {T}_{R},ID+{R}_{t}),{K}_{X}\oplus {R}_{t})$, where X is $new$ or $old$, and verifies whether ${M}_{1}^{\prime}\stackrel{?}{=}{M}_{1}$. If ${M}_{1}^{\prime}\ne {M}_{1}$, the back-end database stops the protocol; otherwise, it:
    - authenticates the tag;
    - generates ${i}_{sub}\in \{1,2,3,4\}$ and computes ${M}_{2}=RR(RR(ID\oplus {R}_{t}\oplus {T}_{R},ID\oplus {R}_{t}),{K}_{X}+{R}_{t})$ and ${M}_{3}=RR({i}_{sub}\oplus {K}_{X},{K}_{X}\oplus {R}_{t}\oplus {T}_{R})$;
    - generates the sub-key $subkey=Rot({K}_{X}\left({i}_{sub}\right),{K}_{X}\oplus {R}_{t}\oplus {T}_{R})$;
    - updates its values as $ID{S}_{old}=ID{S}_{new}$, ${K}_{old}={K}_{new}$, $ID{S}_{new}=Rot(IDS\oplus {R}_{t},K\oplus {R}_{t}\oplus {T}_{R})$, and ${K}_{new}$ generated by replacing ${K}_{{i}_{sub}}$;
    - and sends ${M}_{2}$ and ${M}_{3}$ through the reader to the tag.
- Upon receipt of the messages, the tag calculates ${M}_{2}^{\prime}=RR(RR(ID\oplus {R}_{t}\oplus {T}_{R},ID\oplus {R}_{t}),K+{R}_{t})$ with its local values and then verifies whether ${M}_{2}^{\prime}\stackrel{?}{=}{M}_{2}$. If ${M}_{2}^{\prime}={M}_{2}$, the tag:
  - successfully authenticates the back-end server;
  - extracts ${i}_{sub}$ from ${M}_{3}$;
  - generates the new sub-key $subkey=Rot(K\left({i}_{sub}\right),K\oplus {R}_{t}\oplus {T}_{R})$;
  - and finally updates its $IDS$, K and ${T}_{t}$ as $ID{S}_{new}=Rot(IDS\oplus {R}_{t},K\oplus {R}_{t}\oplus {T}_{R})$, with ${K}_{new}$ generated by replacing ${K}_{{i}_{sub}}$.

## 3. Security Analysis of ULRAS Protocol

#### 3.1. De-Synchronization Attack

- The reader sends ${T}_{R}$ and Query to the tag.
- The tag verifies whether ${T}_{R}\stackrel{?}{>}{T}_{t}$, generates ${R}_{t}$, calculates ${M}_{1}=RR(RR(ID\oplus K\oplus {R}_{t}\oplus {T}_{R},ID+{R}_{t}),K\oplus {R}_{t})$, and sends $IDS$, ${M}_{1}$ and ${R}_{t}$ to the reader.
- The reader sends $IDS$, ${M}_{1}$, ${R}_{t}$ and ${T}_{R}$ to the back-end database.
- The back-end database verifies the received ${M}_{1}$, authenticates the tag, generates ${i}_{sub}\in \{1,2,3,4\}$, computes ${M}_{2}=RR(RR(ID\oplus {R}_{t}\oplus {T}_{R},ID\oplus {R}_{t}),{K}_{X}+{R}_{t})$ and ${M}_{3}=RR({i}_{sub}\oplus {K}_{X},{K}_{X}\oplus {R}_{t}\oplus {T}_{R})$, and sends them to the reader. It then generates $subkey=Rot({K}_{X}\left({i}_{sub}\right),{K}_{X}\oplus {R}_{t}\oplus {T}_{R})$ and updates the tag's parameters as $ID{S}_{old}=ID{S}_{new}$, ${K}_{old}={K}_{new}$, $ID{S}_{new}=Rot(IDS\oplus {R}_{t},K\oplus {R}_{t}\oplus {T}_{R})$, with ${K}_{new}$ generated by replacing ${K}_{{i}_{sub}}$.
- The adversary, who has eavesdropped ${T}_{R}$, ${R}_{t}$, ${M}_{2}$ and ${M}_{3}$, manipulates ${M}_{3}$ as follows:
  - Let $x=({K}_{X}\oplus {R}_{t}\oplus {T}_{R}) \bmod L$. Since ${M}_{3}=RR({i}_{sub}\oplus {K}_{X},{K}_{X}\oplus {R}_{t}\oplus {T}_{R})=({i}_{sub}\oplus {K}_{X}\oplus {K}_{X}\oplus {R}_{t}\oplus {T}_{R})\lll ({K}_{X}\oplus {R}_{t}\oplus {T}_{R})=({i}_{sub}\oplus {R}_{t}\oplus {T}_{R})\lll ({K}_{X}\oplus {R}_{t}\oplus {T}_{R})=({i}_{sub}\oplus {R}_{t}\oplus {T}_{R})\lll x$, the adversary can determine ${i}_{sub}$ and also x from ${M}_{3}$ as follows:
    - Given that the adversary has already eavesdropped ${R}_{t}$ and ${T}_{R}$, she can compute ${R}_{t}\oplus {T}_{R}$. On the other hand, ${i}_{sub}$ has only three bits. Hence, given ${R}_{t}\oplus {T}_{R}$ and $({i}_{sub}\oplus {R}_{t}\oplus {T}_{R})\lll x$, it is easy to determine the values of x and ${i}_{sub}$, except in the case where $({i}_{sub}\oplus {R}_{t}\oplus {T}_{R})\lll x$ is rotation invariant, which has low probability and which we omit here for simplicity.
  - The adversary selects ${i}_{sub}^{\prime}\in \{1,2,3,4\}\setminus \{{i}_{sub}\}$ and calculates ${M}_{3}^{\prime}={M}_{3}\oplus (({i}_{sub}\oplus {i}_{sub}^{\prime})\lll x)$.
- The adversary sends ${M}_{2}$ and ${M}_{3}^{\prime}$ to the tag.
- Upon receipt of the messages, the tag calculates ${M}_{2}^{\prime}=RR(RR(ID\oplus {R}_{t}\oplus {T}_{R},ID\oplus {R}_{t}),K+{R}_{t})$ with its local values and then verifies whether ${M}_{2}^{\prime}\stackrel{?}{=}{M}_{2}$, which holds because the adversary has not changed ${M}_{2}$. Hence, the tag:
  - successfully authenticates the back-end server;
  - extracts ${i}_{sub}^{\prime}$, where ${i}_{sub}^{\prime}\ne {i}_{sub}$;
  - generates a new sub-key as $subkey=Rot(K\left({i}_{sub}^{\prime}\right),K\oplus {R}_{t}\oplus {T}_{R})$;
  - and finally updates its $IDS$, K and ${T}_{t}$ as $ID{S}_{new}=Rot(IDS\oplus {R}_{t},K\oplus {R}_{t}\oplus {T}_{R})$, with ${K}_{new}$ generated by replacing ${K}_{{i}_{sub}^{\prime}}$.
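A bit-level model of the Rot, Reverse and RR primitives defined in Section 2.3, used to check the two facts the analysis above relies on: Reverse(X, Y) is just X ⊕ Y, and the key enters ${M}_{3}$ only through the rotation amount x. This is an added example, not code from the paper; the parameter length L = 16 and the sample values are assumptions.

```python
# Added example, not code from the paper: a bit-level model of the ULRAS
# primitives used to check two identities the analysis relies on.
# Assumption: parameter length L = 16 bits (the paper leaves L generic).

def rot(x, y, bits=16):
    """Rot(X, Y): left-rotate the L-bit value X by (Y mod L) positions."""
    mask = (1 << bits) - 1
    n = y % bits
    return ((x << n) | (x >> (bits - n))) & mask


def ror(x, y, bits=16):
    """RoR(X, Y): right rotation, the inverse of rot for the same Y."""
    mask = (1 << bits) - 1
    n = y % bits
    return ((x >> n) | (x << (bits - n))) & mask


def reverse(x, y, bits=16):
    """Reverse(X, Y) as defined in Section 2.3: invert exactly those bits
    of X whose corresponding bit in Y is 1 (done bit by bit, not via XOR)."""
    out = 0
    for i in range(bits):
        bit = (x >> i) & 1
        if (y >> i) & 1:
            bit ^= 1
        out |= bit << i
    return out


def rr(x, y, bits=16):
    """RR(X, Y) = Rot(Reverse(X, Y), Y), the ULRAS rotation [24]."""
    return rot(reverse(x, y, bits), y, bits)


def reverse_equals_xor(bits=4):
    """Identity 1 (Table 2): Reverse(X, Y) == X xor Y for every X and Y,
    so RR(X, Y) is simply Rot(X xor Y, Y). Checked exhaustively for small L."""
    return all(reverse(x, y, bits) == x ^ y
               for x in range(1 << bits) for y in range(1 << bits))


def m3(i_sub, k, r_t, t_r, bits=16):
    """M3 = RR(i_sub xor K_X, K_X xor R_t xor T_R), as the back-end computes it."""
    return rr(i_sub ^ k, k ^ r_t ^ t_r, bits)


def m3_via_x(i_sub, k, r_t, t_r, bits=16):
    """Identity 2 (Section 3.1): M3 == Rot(i_sub xor R_t xor T_R, x) with
    x = (K_X xor R_t xor T_R) mod L. The key cancels inside the rotated
    value and survives only in the rotation amount x, i.e. in log2(L) bits."""
    x = (k ^ r_t ^ t_r) % bits
    return rot(i_sub ^ r_t ^ t_r, x, bits)


def distinct_m3_over_all_keys(i_sub, r_t, t_r, bits=8):
    """Number of different M3 values that all 2^L keys can produce for fixed
    public R_t and T_R. By identity 2 this is at most L, which is why an
    eavesdropper can read x and i_sub off M3 instead of learning nothing."""
    return len({m3(i_sub, k, r_t, t_r, bits) for k in range(1 << bits)})


if __name__ == "__main__":
    # Constructed sample values (not taken from the paper).
    i_sub, k, r_t, t_r = 3, 0xBEEF, 0x1234, 0x5678
    assert reverse_equals_xor()
    assert m3(i_sub, k, r_t, t_r) == m3_via_x(i_sub, k, r_t, t_r)
    assert ror(rot(k, 5), 5) == k
    print("distinct M3 values over all 8-bit keys:",
          distinct_m3_over_all_keys(3, 0x12, 0x34))
```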

#### 3.2. Traceability Attack

**Algorithm 1.** The proposed traceability attack against the ULRAS protocol.

Data: ${T}_{R}$, ${R}_{t}$, ${M}_{3}=RR({i}_{sub}\oplus {K}_{X},{K}_{X}\oplus {R}_{t}\oplus {T}_{R})=({i}_{sub}\oplus {R}_{t}\oplus {T}_{R})\lll x$, ${i}_{sub},{i}_{sub}^{\prime}\ne 1$.

Result: decides whether ${\mathcal{T}}^{\prime}\stackrel{?}{=}\mathcal{T}$, where $\mathcal{T}$ is the adversary's target tag.

1. Eavesdrops a session between the reader and $\mathcal{T}$ and stores ${T}_{R}$, ${R}_{t}$, ${M}_{3}=RR({i}_{sub}\oplus {K}_{X},{K}_{X}\oplus {R}_{t}\oplus {T}_{R})=({i}_{sub}\oplus {R}_{t}\oplus {T}_{R})\lll x$;
2. Obtains $x=({K}_{X}\oplus {R}_{t}\oplus {T}_{R}) \bmod L$ and ${i}_{sub}$ by using ${M}_{3}$, ${T}_{R}$ and ${R}_{t}$ and the fact that ${i}_{sub}\in \{2,3,4\}$;
3. Retrieves $\log_{2} L$ bits of information about ${K}_{X}$ by using x;
4. Eavesdrops a session between ${\mathcal{T}}^{\prime}$ and the reader;
5. Obtains ${x}^{\prime}=({K}_{X}^{\prime}\oplus {R}_{t}^{\prime}\oplus {T}_{R}^{\prime}) \bmod L$ and ${i}_{sub}^{\prime}$ by using ${M}_{3}^{\prime}$, ${T}_{R}^{\prime}$ and ${R}_{t}^{\prime}$ and the fact that ${i}_{sub}^{\prime}\in \{2,3,4\}$;
6. Retrieves $\log_{2} L$ bits of information about ${K}_{X}^{\prime}$ by using ${x}^{\prime}$;
7. Compares the retrieved bits of ${K}_{X}^{\prime}$ with those of ${K}_{X}$ to decide whether ${\mathcal{T}}^{\prime}\stackrel{?}{=}\mathcal{T}$.

#### 3.3. Security Analysis of Aghili and Mala Improvement to ULRAS

- Applying the rotation operation several times is equivalent to a single rotation, i.e., ${M}_{2}=Rot(Rot(K\oplus {R}_{t}\oplus {T}_{R},ID\oplus {R}_{t}),{K}_{X}+{R}_{t})$ in the Aghili and Mala improvement equals ${M}_{2}=Rot(K\oplus {R}_{t}\oplus {T}_{R},i)$ for some i between 0 and L. The same point applies to the ${M}_{1}$ message.
- Based on this fact, given $M=Rot(X,Y)$ and X, one can determine $Y \bmod L$ by rotating M to the right by $i=0,\dots ,L$ positions and comparing the result with X. Hence an adversary who eavesdrops two protocol sessions that are not completed (so that the secret values are not updated) can mount a secret disclosure attack that reveals $ID$ and K. Precisely, given ${M}_{2}=Rot(K\oplus {R}_{t}\oplus {T}_{R},i)$ and ${M}_{2}^{\prime}=Rot(K\oplus {R}_{t}^{\prime}\oplus {T}_{R}^{\prime},j)$, ${R}_{t}$, ${R}_{t}^{\prime}$, ${T}_{R}$, ${T}_{R}^{\prime}$, ${M}_{1}$ and ${M}_{1}^{\prime}$, the adversary, for $i,j=0,\dots ,L$, verifies whether $RoR({M}_{2},i)\oplus {R}_{t}\oplus {T}_{R}\stackrel{?}{=}RoR({M}_{2}^{\prime},j)\oplus {R}_{t}^{\prime}\oplus {T}_{R}^{\prime}$ and retrieves K as $RoR({M}_{2},i)\oplus {R}_{t}\oplus {T}_{R}$ for the matching pair. Similarly, for $i,j=0,\dots ,L$ the adversary verifies whether $RoR({M}_{1},i)\oplus {R}_{t}\oplus {T}_{R}\stackrel{?}{=}RoR({M}_{1}^{\prime},j)\oplus {R}_{t}^{\prime}\oplus {T}_{R}^{\prime}$ to retrieve $ID\oplus K$ as $RoR({M}_{1},i)\oplus {R}_{t}\oplus {T}_{R}$. Given that K has already been acquired, the adversary obtains $ID$ and can verify the correctness of the obtained values using the other protocol messages.
- Since all the secret values of the protocol are revealed, a variety of further attacks, including impersonation, traceability and de-synchronization attacks, follow easily.

## 4. UEAP-Our Proposed Protocol

- The reader starts the protocol by generating and sending a random time stamp ${T}_{R}$ and $Query$ to the tag.
- The tag, once it receives the message, verifies whether ${T}_{R}\stackrel{?}{>}{T}_{t}$. If ${T}_{R}>{T}_{t}$, the tag:
  - generates a random number ${R}_{t}$;
  - calculates ${M}_{1}={E}_{K}(ID\parallel {R}_{t}\parallel {T}_{R})$;
  - and sends $IDS$, ${M}_{1}$ and ${R}_{t}$ to the reader.
- Upon reception of the message, the reader forwards $IDS$, ${M}_{1}$, ${R}_{t}$ and ${T}_{R}$ to the back-end database.
- Once the back-end database receives the message, it verifies whether the received $IDS$ matches $ID{S}_{new}$ or $ID{S}_{old}$. If it finds no match, it stops the protocol; otherwise, the database:
  - calculates ${M}_{1}^{\prime}={E}_{{K}_{X}}(ID\parallel {R}_{t}\parallel {T}_{R})$, where X is $new$ or $old$, and verifies whether ${M}_{1}^{\prime}\stackrel{?}{=}{M}_{1}$. If ${M}_{1}^{\prime}\ne {M}_{1}$, the back-end database stops the protocol; otherwise, it:
    - authenticates the tag;
    - generates ${i}_{sub}\in \{1,2,3,4\}$ and computes ${M}_{2}={E}_{{K}_{X}\oplus {R}_{t}}(ID\parallel {T}_{R}\parallel {K}_{X})$ and ${M}_{3}={E}_{{K}_{X}\oplus {T}_{R}}(({K}_{X}\oplus {i}_{sub})\parallel {R}_{t}\parallel {T}_{R})$;
    - generates the sub-key $subkey=Rot({K}_{X}\left({i}_{sub}\right),{K}_{X}\oplus {R}_{t}\oplus {T}_{R})$;
    - updates its values as $ID{S}_{old}=ID{S}_{new}$, ${K}_{old}={K}_{new}$, $ID{S}_{new}=Rot(IDS\oplus {R}_{t},K\oplus {R}_{t}\oplus {T}_{R})$, and ${K}_{new}$ generated by replacing ${K}_{{i}_{sub}}$;
    - and sends ${M}_{2}$ and ${M}_{3}$ through the reader to the tag.
- Upon receipt of the messages, the tag calculates ${M}_{2}^{\prime}={E}_{{K}_{X}\oplus {R}_{t}}(ID\parallel {T}_{R}\parallel {K}_{X})$ with its local values and then verifies whether ${M}_{2}^{\prime}\stackrel{?}{=}{M}_{2}$. If ${M}_{2}^{\prime}={M}_{2}$, the tag:
  - successfully authenticates the back-end server;
  - extracts ${i}_{sub}$ from ${M}_{3}$;
  - generates the new sub-key $subkey=Rot(K\left({i}_{sub}\right),K\oplus {R}_{t}\oplus {T}_{R})$;
  - and finally updates its $IDS$, K and ${T}_{t}$ as $ID{S}_{new}=Rot(IDS\oplus {R}_{t},K\oplus {R}_{t}\oplus {T}_{R})$, with ${K}_{new}$ generated by replacing ${K}_{{i}_{sub}}$.

#### 4.1. Security Evaluation of UEAP

#### 4.1.1. Informal Security Proof

**Resistance against de-synchronization attack:** Given that in the UEAP protocol all messages are encrypted, the adversary cannot modify the transferred messages in such a way that the protocol parties fall out of synchronization. Any modification of a transferred encrypted message is detected by the tag or the reader, which then terminates the protocol.

**Resistance against traceability attack:** The vulnerability of the ULRAS protocol was due to the fact that the adversary could retrieve the value of $({K}_{X}\oplus {R}_{t}\oplus {T}_{R}) \bmod L$. Because the UEAP protocol uses an encryption function to compute its messages, the adversary cannot determine $({K}_{X}\oplus {R}_{t}\oplus {T}_{R}) \bmod L$, and so the UEAP protocol is secure against the traceability attack presented in this manuscript.

**Resistance against replay and impersonation attacks:** All protocol parties contribute to the randomization of the messages exchanged in the UEAP protocol, and all exchanged messages are encrypted. Hence, the adversary can neither reuse a message later nor forge a message on a party's behalf. Therefore, the UEAP protocol resists all types of replay and impersonation attacks.

#### 4.1.2. Formal Security Proof

#### 4.2. Comparison

## 5. Conclusions

## Author Contributions

## Funding

## Acknowledgments

## Conflicts of Interest

## References

1. Arjona, L.; Landaluce, H.; Perallos, A.; Onieva, E. Timing-Aware RFID Anti-Collision Protocol to Increase the Tag Identification Rate. IEEE Access **2018**, 6, 33529–33541.
2. Saadi, H.; Touhami, R.; Yagoub, M.C.E. TDMA-SDMA-based RFID algorithm for fast detection and efficient collision avoidance. Int. J. Commun. Syst. **2018**, 31, e3392.
3. Liu, B.; Su, X. An Anti-Collision Algorithm for RFID Based on an Array and Encoding Scheme. Information **2018**, 9, 63.
4. Arjona, L.; Landaluce, H.; Perallos, A. Energy-Aware RFID Anti-Collision Protocol. Sensors **2018**, 18, 1904.
5. Memon, M.Q.; He, J.; Yasir, M.A.; Memon, A. Improving Efficiency of Passive RFID Tag Anti-Collision Protocol Using Dynamic Frame Adjustment and Optimal Splitting. Sensors **2018**, 18, 1185.
6. Tan, X.; Wang, H.; Fu, L.; Wang, J.; Min, H.; Engels, D.W. Collision Detection and Signal Recovery for UHF RFID Systems. IEEE Trans. Autom. Sci. Eng. **2018**, 15, 239–250.
7. Zhang, L.; Xiang, W.; Tang, X.; Li, Q.; Yan, Q. A Time- and Energy-Aware Collision Tree Protocol for Efficient Large-Scale RFID Tag Identification. IEEE Trans. Ind. Inform. **2018**, 14, 2406–2417.
8. Rezaie, H.; Golsorkhtabaramiri, M. A fair reader collision avoidance protocol for RFID dense reader environments. Wirel. Netw. **2018**, 24, 1953–1964.
9. Su, J.; Sheng, Z.; Xie, L. A Collision-Tolerant-Based Anti-Collision Algorithm for Large Scale RFID System. IEEE Commun. Lett. **2017**, 21, 1517–1520.
10. Liu, B.H.; Nguyen, N.T.; Pham, V.T.; Yeh, Y.H. A maximum-weight-independent-set-based algorithm for reader-coverage collision avoidance arrangement in RFID networks. IEEE Sens. J. **2016**, 16, 1342–1350.
11. Nguyen, N.T.; Liu, B.H.; Pham, V.T. A dynamic-range-based algorithm for reader-tag collision avoidance deployment in RFID networks. In Proceedings of the 2016 International Conference on Electronics, Information, and Communications (ICEIC), Danang, Vietnam, 27–30 January 2016; pp. 1–4.
12. Chien, H.Y. SASI: A new ultralightweight RFID authentication protocol providing strong authentication and strong integrity. IEEE Trans. Dependable Secur. Comput. **2007**, 4, 337–340.
13. Peris-Lopez, P.; Hernandez-Castro, J.C.; Tapiador, J.M.E.; Ribagorda, A. Advances in Ultralightweight Cryptography for Low-Cost RFID Tags: Gossamer Protocol. In Information Security Applications; Springer: Berlin/Heidelberg, Germany, 2008; pp. 56–68.
14. Tewari, A.; Gupta, B.B. Cryptanalysis of a novel ultra-lightweight mutual authentication protocol for IoT devices using RFID tags. J. Supercomput. **2017**, 73, 1085–1102.
15. Fan, K.; Gong, Y.; Liang, C.; Li, H.; Yang, Y. Lightweight and ultralightweight RFID mutual authentication protocol with cache in the reader for IoT in 5G. Secur. Commun. Netw. **2016**, 9, 3095–3104.
16. Phan, R.C.W. Cryptanalysis of a new ultralightweight RFID authentication protocol—SASI. IEEE Trans. Dependable Secur. Comput. **2009**, 6, 316–320.
17. Cao, T.; Bertino, E.; Lei, H. Security analysis of the SASI protocol. IEEE Trans. Dependable Secur. Comput. **2009**, 6, 73–77.
18. Hernandez-Castro, J.C.; Tapiador, J.M.E.; Peris-Lopez, P.; Quisquater, J.J. Cryptanalysis of the SASI ultralightweight RFID authentication protocol with modular rotations. arXiv **2008**, arXiv:0811.4257.
19. Sun, H.M.; Ting, W.C.; Wang, K.H. On the security of Chien's ultralightweight RFID authentication protocol. IEEE Trans. Dependable Secur. Comput. **2011**, 8, 315–317.
20. Bilal, Z.; Masood, A.; Kausar, F. Security analysis of ultra-lightweight cryptographic protocol for low-cost RFID tags: Gossamer protocol. In Proceedings of the 2009 International Conference on Network-Based Information Systems, Indianapolis, IN, USA, 19–21 August 2009; pp. 260–267.
21. Safkhani, M.; Bagheri, N. Passive secret disclosure attack on an ultralightweight authentication protocol for Internet of Things. J. Supercomput. **2017**, 73, 3579–3585.
22. Wang, K.H.; Chen, C.M.; Fang, W.; Wu, T.Y. On the security of a new ultra-lightweight authentication protocol in IoT environment for RFID tags. J. Supercomput. **2018**, 74, 65–70.
23. Aghili, S.F.; Ashouri-Talouki, M.; Mala, H. DoS, impersonation and de-synchronization attacks against an ultra-lightweight RFID mutual authentication protocol for IoT. J. Supercomput. **2018**, 74, 509–525.
24. Fan, K.; Ge, N.; Gong, Y.; Li, H.; Su, R.; Yang, Y. An ultra-lightweight RFID authentication scheme for mobile commerce. Peer-to-Peer Netw. Appl. **2016**, 10, 1–9.
25. Aghili, S.F.; Mala, H. Security Analysis of an Ultra-lightweight RFID Authentication Protocol for M-commerce. IACR Cryptol. ePrint Arch. **2017**, 2017, 547.
26. Beaulieu, R.; Shors, D.; Smith, J.; Treatman-Clark, S.; Weeks, B.; Wingers, L. The SIMON and SPECK lightweight block ciphers. In Proceedings of the 52nd Annual Design Automation Conference, San Francisco, CA, USA, 7–11 June 2015; p. 175.
27. Beierle, C.; Jean, J.; Kölbl, S.; Leander, G.; Moradi, A.; Peyrin, T.; Sasaki, Y.; Sasdrich, P.; Sim, S.M. The SKINNY family of block ciphers and its low-latency variant MANTIS. In Advances in Cryptology—CRYPTO 2016; Springer: Berlin/Heidelberg, Germany, 2016; pp. 123–153.
28. Beaulieu, R.; Treatman-Clark, S.; Shors, D.; Weeks, B.; Smith, J.; Wingers, L. The SIMON and SPECK lightweight block ciphers. In Proceedings of the 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC), San Francisco, CA, USA, 8–12 June 2015; pp. 1–6.
29. Cremers, C.J.F. The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols. In Computer Aided Verification; Springer: Berlin/Heidelberg, Germany, 2008; pp. 414–418.
30. Avoine, G.; Carpent, X.; Martin, B. Strong authentication and strong. In Radio Frequency Identification: Security and Privacy Issues; Springer: Berlin/Heidelberg, Germany, 2010; pp. 50–64.

**Figure 1.** The ULRAS protocol [24].

**Figure 2.** The Aghili and Mala improvement of the ULRAS protocol [25].

| Notation | Description |
|---|---|
| RFID | Radio Frequency Identification |
| IoT | Internet of Things |
| SD | Secret Disclosure |
| DA | De-synchronization Attack |
| IA | Impersonation Attack |
| TA | Traceability Attack |
| $ID{S}_{old}$ | The index number used in the last session |
| $ID{S}_{new}$ | The index number used in the current successful session |
| K | The tag's key, which is divided into four sub-keys indexed by ${i}_{sub}$ |
| ${K}_{old}$ | The tag's last successful session key |
| ${K}_{new}$ | The tag's current session key |
| $K\left({i}_{sub}\right)$ | The last successful sub-key indexed by ${i}_{sub}$ |
| ${i}_{sub}$ | The number used as the sub-key index |
| ${T}_{R}$ | The random time stamp generated by the reader |
| ${T}_{t}$ | The last used time stamp |
| ${R}_{t}$ | The random number generated by the tag |
| $X={X}_{1}{X}_{2}\dots {X}_{L}$ | The binary representation of X |
| $Y={Y}_{1}{Y}_{2}\dots {Y}_{L}$ | The binary representation of Y |
| ⋘ | Left rotation operation |
| $Rot(X,Y)$ | The left rotation of X by $Y \bmod L$ positions, where X and Y are of the same length L |
| $RoR(X,Y)$ | The right rotation of X by $Y \bmod L$ positions, where X and Y are of the same length L |
| L | The length of the protocol parameters |
| ${X}^{\prime}$ | The inverse of X |
| ${X}^{\prime}=Reverse(X,Y)$ | The inverse operation on X, where for any bit-place in Y that is "1" the corresponding bit in X is inverted |
| $RR(X,Y)$ | The RR method presented in [24] to perform the rotation operation: $RR(X,Y)=Rot({X}^{\prime},Y)$ |
| $\mathcal{T}$ | An RFID tag |
| ${E}_{K}(.)$/${D}_{K}(.)$ | The encryption/decryption function, respectively, with key K |

| X | Y | ${X}^{\prime}=Reverse(X,Y)$ | $X\oplus Y$ |
|---|---|---|---|
| 0000 | 1011 | 1011 | 1011 |
| 0001 | 1011 | 1010 | 1010 |
| 0010 | 1011 | 1001 | 1001 |
| 0011 | 1011 | 1000 | 1000 |
| 0100 | 1011 | 1111 | 1111 |
| 0101 | 1011 | 1110 | 1110 |
| 0110 | 1011 | 1101 | 1101 |
| 0111 | 1011 | 1100 | 1100 |
| 1000 | 1011 | 0011 | 0011 |
| 1001 | 1011 | 0010 | 0010 |
| 1010 | 1011 | 0001 | 0001 |
| 1011 | 1011 | 0000 | 0000 |
| 1100 | 1011 | 0111 | 0111 |
| 1101 | 1011 | 0110 | 0110 |
| 1110 | 1011 | 0101 | 0101 |
| 1111 | 1011 | 0100 | 0100 |

**Table 3.** Security comparison of the UEAP protocol with other protocols, where SD, DA, IA, TA, ✓ and × denote Secret Disclosure Attack, De-synchronization Attack, Impersonation Attack, Traceability Attack, Secure and Vulnerable, respectively.

| Protocol | SD | DA | IA | TA |
|---|---|---|---|---|
| SASI [12] | × [18,30] | × [19] | × [18,30] | × [16] |
| Gossamer [13] | ✓ | × [20] | × [20] | × [20] |
| ULRMAPC [15] | × [23] | ✓ | × [23] | × [23] |
| Tewari and Gupta [14] | × [21,22] | × [21,22] | × [21,22] | × [21,22] |
| ULRAS [24] | × (this paper, [25]) | ✓ | × [25] | × (this paper) |
| Aghili and Mala [25] | × (this paper) | × (this paper) | × (this paper) | × (this paper) |
| UEAP | ✓ | ✓ | ✓ | ✓ |

**Table 4.** Computational cost comparison of the UEAP protocol with other protocols, where L denotes the length of each parameter in the protocols.

| Protocol | # of ⊕ | # of $Rot(X,Y)$ | # of ${E}_{K}(X)/{D}_{K}(X)$ | # of Transferred Bits |
|---|---|---|---|---|
| SASI [12] | 20 L | 4 | - | 6 L |
| Gossamer [13] | 12 L | 36 | - | 6 L |
| Tewari and Gupta [14] | 24 L | 12 | - | 7 L |
| ULRMAPC [15] | 34 L | 14 | - | 11 L |
| ULRAS [24] | 30 L | 14 | - | 13 L |
| Aghili and Mala [25] | 36 L | 14 | - | 13 L |
| UEAP | 16 L | 4 | 6 | 13 L |

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Safkhani, M.; Bagheri, N.; Shariat, M. On the Security of Rotation Operation Based Ultra-Lightweight Authentication Protocols for RFID Systems. *Future Internet* **2018**, *10*, 82.
https://doi.org/10.3390/fi10090082
