On the Security of Rotation Operation Based Ultra-Lightweight Authentication Protocols for RFID Systems

Masoumeh Safkhani 1,*,†, Nasour Bagheri 2,3,† and Mahyar Shariat 1,†
1 Computer Engineering Department, Shahid Rajaee Teacher Training University, Tehran 16788-15811, Iran; m.shariat@sru.ac.ir
2 Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran 16788-15811, Iran; Nbagheri@sru.ac.ir
3 School of Computer Science, Institute for Research in Fundamental Sciences (IPM), Tehran 19538-33511, Iran
* Correspondence: Safkhani@sru.ac.ir; Tel.: +98-21-229-70117
† These authors contributed equally to this work.


Introduction
Today, many researchers are trying to develop systems that use mobile phones to reach beyond the boundaries of communication and turn a mobile device into a remote authenticator or a remote control switch. We regularly use computers, mobile phones and other smart communication systems as devices for electronic interaction, bank payments and paying bills remotely. All of these technologies, in order to provide comfort for their users, must provide security and preserve privacy. To address this requirement, many authentication protocols have been proposed for such environments. Some protocol designers have built their protocols on rotation operations in order to keep them ultra-lightweight.
RFID is one of the technologies often used in these devices; it identifies objects using radio waves. An RFID system has three main components: tags, readers and a back-end database. Tags are small electronic chips attached to a product, an object or a person that we aim to track or authenticate. Readers, which can be implemented in our cell phones, tablets, etc., are electronic equipment that detect the presence of tags in an environment and retrieve the information stored in them. The back-end database, which stores extra information about the readers and the tags, can be integrated with the reader in our cell phones or similar communication devices, or run on a separate server outside these devices.
There are two important issues in RFID systems: identification and authentication. Identification means that the reader and the tag can identify each other. When the reader broadcasts query signals to identify or search for a particular tag, more than one tag may receive the reader's request and reply simultaneously; their data then collide at the reader and are destroyed. The same holds for readers: if two or more requests arrive at a particular tag from two or more readers, a collision occurs and the data are destroyed. So there are three kinds of collisions: tag-tag, reader-reader and tag-reader. To counter this problem, anti-collision algorithms have been introduced, which have their own literature, e.g., [1][2][3][4][5][6][7][8][9][10][11]. There are many open issues in anti-collision for RFID systems, e.g., increasing the number of tags read by a reader. Since the efficiency of an RFID system depends on the number of tags read in a given time, much effort is being made to increase the number of tags a reader can read [5,10,11]. Once the tag or the reader has been successfully identified, the next step is to authenticate it, in order to address the RFID security issues. In this phase, known as the authentication phase of their communication, the other readers and tags in the vicinity remain silent to avoid collisions. It should be noted that in this paper we assume the reader and the tag use a proper anti-collision protocol, and we concentrate on the authentication phase of the communication between a reader and a tag.
Authentication protocols ensure that the parties involved in the protocol are who they claim to be, whereas identification protocols do not provide that assurance. Authentication protocols can be one-way, meaning that only one party's identity is assured in the course of the protocol, or mutual, meaning that the identity of both parties is ensured during execution.
Problem Definition: Assuming that a reader and a tag have decided to communicate in the identification phase of their communication, security protocols are also required to protect RFID users. Security protocols, such as authentication protocols, are expected to provide the CIA triangle of security: Confidentiality, Integrity and Availability. Confidentiality means that all secret information of the protocol parties must be kept secret; secret disclosure attacks and traceability attacks have been proposed to violate this property. Integrity means that the adversary cannot change or control protocol messages without the protocol parties noticing; impersonation attacks violate the integrity property. Availability means that the protocol parties can authenticate each other at any time and remain synchronized with each other. De-synchronization attacks violate this property, e.g., by blocking protocol messages or forcing the protocol parties to update their shared secret values to different values, after which the parties no longer authenticate each other and the availability of the service is destroyed.
Many protocols have been proposed in the literature [12][13][14][15] that attempt to satisfy the CIA security principles, but unfortunately there have been several reports of attacks [16][17][18][19][20][21][22][23] against them, showing that they fail to provide the desired security. Hence, efforts to design a secure protocol are still ongoing, and each new attack gives designers new insight into how to (not) design a protocol. In this way, these attacks and security analyses have contributed to the development of the protocols.
Our contributions: The contributions of this paper are summarized as follows:
• We show that the ULRAS protocol [24], a protocol designed around a rotation function, is not secure, and that fixing the security problem by any particular mode of the rotation function may not be possible.
• An improved protocol named UEAP is proposed, using lightweight encryption functions, in which the ULRAS protocol's security pitfalls are solved.
• The security of the UEAP protocol is proved informally and also formally, using the Scyther tool.
In fact, in this paper we show that the ULRAS protocol, like the SASI protocol [12] and the Gossamer protocol [13], is not secure. Precisely, we present a de-synchronization attack against the ULRAS protocol. Hence, employing it in any application is not recommended. Using the ULRAS protocol as an example, we also argue that designing a secure protocol with only the rotation operation, without cryptographic primitives, is not possible.
Paper's organization: The rest of this paper is structured as follows. Section 2 introduces the required preliminaries, including a brief review of rotation-based RFID authentication protocols and a description of the ULRAS protocol. We present the security analysis of the protocol in Section 3. We propose an improved protocol in Section 4, and its security evaluation is explained in Section 4.1. Finally, we conclude the paper in Section 5.

Preliminaries
In this section we introduce the preliminaries used in this manuscript, the work already done in this field, and the ULRAS protocol as an example of a rotation-based RFID authentication protocol.

The Adversary Model
Throughout this paper, the adversary is an active man-in-the-middle adversary who can eavesdrop on, modify or block any message transferred between the tag and the reader. The adversary can also perform a reasonable amount of offline computation.

Related Work
A rotation-based protocol is a protocol in which most of the operations performed by the parties are rotation operations, combined with other ultra-lightweight operations, e.g., bitwise operations such as AND, OR and XOR, and no cryptographic primitives are used.
Designing an RFID authentication protocol based on a rotation function began with the SASI protocol [12]. However, soon afterwards attacks such as [16][17][18][19] revealed that the protocol was not safe. After that, Peris et al. tried to remedy the disadvantages of the SASI protocol and provide resistance against traceability and de-synchronization attacks, which led to the Gossamer protocol [13]. However, it has been shown in [20] that the Gossamer protocol is vulnerable to denial of service, de-synchronization and replay attacks. Tewari and Gupta [14], following the method of the previous protocols, proposed another rotation-based protocol; this time, reports such as [21,22] showed the protocol's vulnerability to various attacks. Another example is the ULRMAPC protocol [15], whose vulnerability to DoS, impersonation and de-synchronization attacks was proved in [23].
Recently, an ultra-lightweight authentication protocol named ULRAS was proposed by Fan et al. [24]. The designers of ULRAS claimed that, by using a special rotation operation called the RR method and dividing the protocol's secret key into four sub-keys for updating the secret key, their protocol provides forward security and resists the known active and passive attacks, e.g., the de-synchronization (DoS) attack. However, Aghili and Mala [25] presented a reader impersonation attack and a secret disclosure attack against the ULRAS protocol and then proposed an improved protocol.
In this paper we present a more in-depth security analysis of the ULRAS protocol [24] and of its improvement proposed by Aghili and Mala [25], and show that, like their predecessors, they are also vulnerable.
The long history of vulnerabilities in rotation-based protocols, together with the present analysis, shows that designing an ultra-lightweight protocol that satisfies all desired security targets may not be feasible. On the other hand, recent advances in symmetric cryptography have provided many secure primitives that can be implemented in a constrained environment such as a passive RFID tag. For example, an implementation of SIMON96/96 [26], which provides 96 bits of security with a 96-bit block length, needs only 955 NAND gate equivalents (GE). Hence, we suggest employing such cryptographically sound primitives when designing a protocol rather than attempting to design a secure ultra-lightweight protocol.

The ULRAS Protocol
The designers of ULRAS use only the exclusive-or operation ⊕ and a special left rotation operation called the RR method in the structure of their protocol, inspired by the Gossamer protocol [13]. In the RR method, the left rotation of X by a variable Y of the same length, i.e., RR(X, Y), is computed as follows:
• present X and Y in their binary forms;
• compute X′ = Reverse(X, Y), which inverts only those bits of X whose corresponding bit position in Y is "1";
• compute RR(X, Y) as Rot(X′, Y), the left rotation of X′ by Y mod L positions, where L is the length of X and Y.
In this section we give a brief description of the ULRAS protocol, following the notation in Table 1. While the designers [24] write "Rot(X, Y) through RR method" for RR(X, Y), we use RR(X, Y) for simplicity. As shown in Figure 1, the ULRAS protocol runs as follows:
1. The reader starts the protocol by generating and sending a random time stamp T_R and Query to the tag.
2. The tag, once it receives the message, verifies whether T_R > T_t. If T_R > T_t, the tag generates R_t, computes M_1 and sends IDS, M_1 and R_t to the reader.
3. Upon reception of the message, the reader sends IDS, M_1, R_t and T_R to the back-end database.
4. Once the back-end database receives the message, it verifies whether the received IDS matches IDS_new or IDS_old. If it does not find any match, it stops the protocol; otherwise the database computes its own copy M′_1 and verifies whether M′_1 = M_1. If not, the back-end database stops the protocol; otherwise it: authenticates the tag; generates i_sub ∈ {1, 2, 3, 4} and computes M_2 and M_3; updates its values, where K_new is generated by replacing K_{i_sub}; and sends M_2 and M_3 through the reader to the tag.
5. Upon receipt of the messages, the tag calculates M′_2 with its local values and verifies whether M′_2 = M_2. If M′_2 = M_2, the tag successfully authenticates the back-end server, generates the sub-key subkey = Rot(K(i_sub), K ⊕ R_t ⊕ T_R), and finally updates its IDS, K and T_t: IDS_new = Rot(IDS ⊕ R_t, K ⊕ R_t ⊕ T_R) and K_new is generated by replacing K_{i_sub}.

Table 1. Notations used in this paper.
IDS_old: The index number used in the last successful session
IDS_new: The index number used in this successful session
K: The tag's key, which is divided into four sub-keys indexed by i_sub
K_old: The last successful tag's session key
K_new: The current tag's session key
K(i_sub): The last successful sub-key indexed by i_sub
i_sub: The number used as the sub-key index
T_R: The random time stamp generated by the reader
T_t: The last used time stamp
R_t: The random number generated by the tag
Y (in binary): The binary representation of Y
≪: Left rotation operation
Rot(X, Y): The left rotation of X by Y mod L positions, where X and Y are of the same length L
RoR(X, Y): The right rotation of X by Y mod L positions, where X and Y are of the same length L
L: The length of the protocol parameters
X̄: The inverse of X
X′ = Reverse(X, Y): The inverse operation on X, where for any bit position in Y that is "1" the corresponding bit of X is inverted
RR(X, Y): The RR method presented in [24] to perform the rotation operation, i.e., Rot(Reverse(X, Y), Y)
E_K / D_K: The encryption/decryption function, respectively, with key K

Aghili and Mala [25] presented a secret disclosure attack and a reader impersonation attack against ULRAS, then presented an improved version of it and claimed that their improvement provides security against various kinds of attacks. However, their improvement, like its predecessor, is still insecure. In their improvement Aghili and Mala removed the RR method and used Rot(X, Y) instead; they also slightly modified the protocol messages. Because of the close similarity to the ULRAS protocol, we omit a detailed description of the Aghili and Mala protocol and only provide a brief description of it in Figure 2.

Security Analysis of ULRAS Protocol
The main observation used in our attacks against the ULRAS protocol is that the reverse function used in the protocol, i.e., X′ = Reverse(X, Y), equals X ⊕ Y, as shown by the truth table in Table 2. With this equality we can express RR(X, Y) as
RR(X, Y) = (X ⊕ Y) ≪ (Y mod L),
where L is the bit-length of X and Y. Given this, in this section we present our security analysis of the ULRAS protocol.
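As an added illustration that is not part of the paper, the following Python model of the RR method checks this observation on short words: it tabulates Reverse on single bits against XOR (the content of Table 2), confirms RR(X, Y) = (X ⊕ Y) ≪ (Y mod L) exhaustively for L = 8, and measures how rare rotation-invariant words are, which matters because the success probability of the attacks below is conditioned on R_t ⊕ T_R not being rotation invariant. The word lengths and sample values are assumptions chosen for the demonstration.

```python
# Added example (not code from the paper): the ULRAS RR method modelled on L-bit
# words, used to check the observation that Reverse(X, Y) equals X xor Y and hence
# RR(X, Y) equals (X xor Y) rotated left by Y mod L. Word lengths and sample values
# are assumptions chosen for the demonstration.
from itertools import product


def reverse_bits(x: int, y: int, L: int) -> int:
    """Reverse(X, Y) as defined in the RR method: invert every bit of X whose
    position holds a '1' in Y, done position by position rather than via XOR."""
    out = x
    for i in range(L):
        if (y >> i) & 1:
            out ^= 1 << i
    return out & ((1 << L) - 1)


def rot(x: int, y: int, L: int) -> int:
    """Rot(X, Y): left rotation of the L-bit word X by Y mod L positions."""
    mask = (1 << L) - 1
    x &= mask
    r = y % L
    if r == 0:
        return x
    return ((x << r) | (x >> (L - r))) & mask


def rr(x: int, y: int, L: int) -> int:
    """RR(X, Y) = Rot(Reverse(X, Y), Y), the rotation used by ULRAS."""
    return rot(reverse_bits(x, y, L), y, L)


def reverse_truth_table() -> list:
    """One-bit truth table (Table 2): rows of (X, Y, Reverse(X, Y), X xor Y)."""
    return [(a, b, reverse_bits(a, b, 1), a ^ b) for a, b in product((0, 1), repeat=2)]


def rr_equals_xor_rotate(L: int) -> bool:
    """Exhaustively confirm RR(X, Y) == Rot(X xor Y, Y) over all L-bit X and Y."""
    n = 1 << L
    return all(rr(x, y, L) == rot(x ^ y, y, L) for x in range(n) for y in range(n))


def is_rotation_invariant(v: int, L: int) -> bool:
    """True when some non-zero rotation maps v to itself (e.g. 0b0000, 0b1111, 0b0101
    for L = 4); such words make a rotation amount unrecoverable from the rotated word."""
    return any(rot(v, k, L) == v for k in range(1, L))


def rotation_invariant_fraction(L: int) -> float:
    """Fraction of L-bit words that are rotation invariant. The attack's stated success
    probability of 1 is conditioned on R_t xor T_R not falling in this set."""
    n = 1 << L
    return sum(is_rotation_invariant(v, L) for v in range(n)) / n


if __name__ == "__main__":
    for row in reverse_truth_table():
        print("X=%d Y=%d Reverse=%d XOR=%d" % row)
    print("RR(X, Y) == Rot(X xor Y, Y) for all 8-bit X, Y:", rr_equals_xor_rotate(8))
    print("rotation-invariant fraction, L=8:", rotation_invariant_fraction(8))
```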

De-Synchronization Attack
A de-synchronization attack is an attack in which the adversary performs operations that cause a value shared between the protocol parties to be updated to different values. In that case the protocol parties may no longer authenticate each other, so with this attack the adversary destroys the availability property of the security protocol. A security protocol that lacks any of the three main security properties, i.e., confidentiality, integrity or availability (in brief, the CIA triangle), is not secure and is not recommended for use in any sensitive application.
The ULRAS protocol's designers claimed that, since the reader keeps a history of the old shared IDS and K, an adversary cannot de-synchronize the tag and the reader. However, in this section we present an efficient attack that does exactly that. The attack exploits the fact that the tag and the reader only partially update the key in the last step of the protocol: if the adversary forces them to update different parts of K, the tag and the reader become de-synchronized. In a session of the protocol between the legitimate reader and the target tag T, the adversary proceeds as follows:
1. The reader sends T_R and Query to the tag.
2. The tag verifies whether T_R > T_t, computes M_1, and sends IDS, M_1 and R_t to the reader.
3. The reader sends IDS, M_1, R_t and T_R to the back-end database.
4. The back-end database verifies the received M_1, authenticates the tag, generates i_sub ∈ {1, 2, 3, 4}, computes M_2 and M_3 and sends them to the reader. It then generates subkey = Rot(K_X(i_sub), K_X ⊕ R_t ⊕ T_R) and updates the tag's parameters accordingly.
5. The adversary, who has eavesdropped T_R, R_t, M_2 and M_3, manipulates M_3. Since M_3 = (i_sub ⊕ R_t ⊕ T_R) ≪ x, the adversary can determine i_sub and x from M_3 as follows: the adversary already has R_t and T_R, so she can compute R_t ⊕ T_R; on the other hand, i_sub has only three bits. Hence, given R_t ⊕ T_R and (i_sub ⊕ R_t ⊕ T_R) ≪ x, it is easy to determine x and i_sub, except when (i_sub ⊕ R_t ⊕ T_R) ≪ x is rotation invariant, which has low probability and which we omit here for simplicity. The adversary then manipulates M_3 so that it carries i′_sub = i_sub ⊕ ∆ ≠ i_sub instead of i_sub.
6. The adversary sends M_2 and the manipulated M_3 to the tag.
7. Upon receipt of the messages, the tag calculates M′_2 with its local values and verifies whether M′_2 = M_2, which holds because the adversary has not changed M_2. Hence, the tag:
• successfully authenticates the back-end server;
• gets i′_sub, where i′_sub ≠ i_sub;
• generates a new sub-key as subkey = Rot(K(i′_sub), K ⊕ R_t ⊕ T_R);
• and finally updates its IDS, K and T_t, where K_new is generated by replacing K_{i′_sub}.
In the above attack the tag updates K_{i′_sub}, with i′_sub = i_sub ⊕ ∆ ≠ i_sub, while the reader updated K_{i_sub}. If R_t ⊕ T_R is not rotation invariant, the adversary's success probability in de-synchronizing the tag and the reader is 1, and the attack's complexity is only one run of the protocol plus some offline computation and a few sent messages. Note that in this attack the tag authenticates the reader and updates its parameters; hence, keeping a record of old parameters at the back-end server does not prevent the attack, and so the ULRAS protocol is not secure for use.

Traceability Attack
Traceability attacks occur when constant information bound to a protocol party leaks through the messages exchanged over the protocol. In this section we present a traceability attack against the ULRAS protocol which once again shows that this protocol is not secure.
In the de-synchronization attack presented in Section 3.1 the adversary can determine x. Given that x = (K_X ⊕ R_t ⊕ T_R) mod L and the adversary knows R_t ⊕ T_R, x leaks log_2 L bits of information about K_X if L = 2^n for an integer n. In this case the above de-synchronization attack can be turned into a traceability attack on a target tag T, as long as the first quarter of K_X has not been updated. To do this, a passive adversary eavesdrops T_R, R_t and M_3 and determines x. Assuming that i_sub ≠ 1, the tag T will not update the first quarter of K_X, on which x depends. Hence, in the next run of the ULRAS protocol, given a tag T′, the adversary can eavesdrop a session between T′ and the reader R to determine log_2 L bits of the first quarter of K′_X and decide whether T′ = T. Here T is the target tag whose earlier authentication session with the reader the adversary eavesdropped and stored, and T′ is a new tag that the adversary wants to match against the target. The algorithm of this attack is shown in Algorithm 1. The adversary's success probability in tracing the tag is 1, and the complexity is only two runs of the protocol and some offline computation.

Algorithm 1: The proposed traceability attack against the ULRAS protocol
Result: decides whether T′ = T, where T is the adversary's target tag.
1. Eavesdrop a session between the reader and T and store T_R, R_t and M_3;
2. Obtain x = (K_X ⊕ R_t ⊕ T_R) mod L and i_sub from M_3, T_R and R_t and the fact that i_sub ∈ {2, 3, 4};
3. Retrieve log_2 L bits of information about K_X from x;
4. Eavesdrop a session between T′ and the reader;
5. Obtain x′ = (K′_X ⊕ R′_t ⊕ T′_R) mod L and i′_sub from M′_3, T′_R and R′_t and the fact that i′_sub ∈ {2, 3, 4};
6. Retrieve log_2 L bits of information about K′_X from x′;
7. Compare the retrieved bits of K′_X with those of K_X to decide whether T′ = T.
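To make the condition L = 2^n concrete, here is an added Python example that is not part of the paper: it recovers K_X mod L from an observed x and the known R_t ⊕ T_R, shows that the recovered value stays constant across sessions of one tag, and, going beyond the text, brute-forces how many bit positions of K_X an observed x pins down for word lengths that are not powers of two, where only the low bits covered by the largest power of two dividing L are fixed. The toy key width of 6 bits and the sample values are assumptions.

```python
# Added example (not code from the paper): how much of K_X does x reveal?
# Model: x = (K xor r) mod L, where r = R_t xor T_R is known to an eavesdropper.
# The key width and the sample values are assumptions chosen for the demonstration.


def leaked_low_bits(x: int, r: int, L: int) -> int:
    """For L = 2^n, x = (K xor r) mod L determines K mod L exactly, because reducing
    mod a power of two just keeps the low n bits, so
    (K xor r) mod 2^n == (K mod 2^n) xor (r mod 2^n). Returns K mod L."""
    assert L > 0 and L & (L - 1) == 0, "this identity needs L to be a power of two"
    return x ^ (r % L)


def determined_key_bits(L: int, width: int) -> int:
    """Brute force over every known r and every observable x: count the bit positions
    of a width-bit K whose value is identical across all K consistent with that x.
    Gives log2(L) for L a power of two; otherwise only the low bits covered by the
    largest power of two dividing L are fixed (v mod L fixes v mod 2^j only when 2^j
    divides L)."""
    n = 1 << width
    fixed = set(range(width))
    for r in range(n):
        for x in range(L):
            consistent = [k for k in range(n) if (k ^ r) % L == x]
            for bit in list(fixed):
                if len({(k >> bit) & 1 for k in consistent}) > 1:
                    fixed.discard(bit)
    return len(fixed)


def recovered_across_sessions(K: int, rs: list, L: int) -> set:
    """Simulate several sessions of one tag whose first key quarter K is unchanged:
    compute x as the tag would for each r = R_t xor T_R and collect what
    leaked_low_bits recovers. A single-element set means the leak is constant,
    i.e. the sessions are linkable to one tag."""
    return {leaked_low_bits((K ^ r) % L, r, L) for r in rs}


# constructed sample values (not from the paper): 6-bit toy key quarter, L = 8
SAMPLE_K = 0b101101
SAMPLE_RS = [0b011010, 0b110001, 0b000111]

if __name__ == "__main__":
    print("K mod 8 recovered in every session:",
          recovered_across_sessions(SAMPLE_K, SAMPLE_RS, 8))
    for L in (4, 8, 6, 12):
        print("L=%2d -> %d bits of K fixed by x" % (L, determined_key_bits(L, 6)))
```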

Security Analysis of Aghili and Mala Improvement to ULRAS
There are several important points to note about Aghili and Mala's [25] improvement to ULRAS:
• Applying the rotation operation several times is equivalent to applying one rotation by some amount i between 0 and L. The same point applies to the M_1 message.
• Based on this fact, given M = Rot(X, Y) and X, one can determine Y by rotating M to the right by i = 0, ..., L and comparing the result with X. Hence an adversary who eavesdrops two sessions of protocol messages without the sessions completing (so the secret values are not updated) can mount a secret disclosure attack that reveals ID and K. Precisely, the adversary verifies a rotation relation among the eavesdropped messages for each i, j = 0, ..., L, and similarly verifies a second relation for i, j = 0, ..., L. Given that K has already been acquired, the adversary can obtain ID and can verify the correctness of the obtained values using the other protocol messages.
• Since all the secret values of the protocol are revealed, it is easy to mount a variety of attacks, including impersonation, traceability and de-synchronization attacks.

UEAP: Our Proposed Protocol
As shown above, designing RFID security protocols with the rotation operation does not lead to the desired security. Therefore, it seems impossible to achieve a secure protocol without the use of cryptographic primitives. There are lightweight cryptographic primitives, such as the lightweight block ciphers Skinny [27], SIMON and SPECK [28], that are suggested for designing a secure protocol in place of the rotation function, although they are more costly. Using a lightweight block cipher, the disadvantages of the ULRAS authentication protocol are resolved, as depicted in Figure 3. We call our improved protocol UEAP, the acronym for Ultra-lightweight Encryption based Authentication Protocol:
1. The reader starts the protocol by generating and sending a random time stamp T_R and Query to the tag.
2. The tag, once it receives the message, verifies whether T_R > T_t. If T_R > T_t, the tag generates R_t, computes M_1 and sends IDS, M_1 and R_t to the reader.
3. Upon reception of the message, the reader sends IDS, M_1, R_t and T_R to the back-end database.
4. Once the back-end database receives the message, it verifies whether the received IDS matches IDS_new or IDS_old. If it does not find any match, it stops the protocol; otherwise the database computes its own copy of M_1 and compares it with the received one. If they differ, the back-end database stops the protocol; otherwise it: authenticates the tag; generates i_sub ∈ {1, 2, 3, 4} and computes M_2 and M_3; generates the sub-key; updates its values; and sends M_2 and M_3 through the reader to the tag.
5. Upon receipt of the messages, the tag calculates M′_2 = E_{K_X ⊕ R_t}(ID

Security Evaluation of UEAP
In this section we first informally prove that the protocol resists the attacks proposed in this paper and the other known active and passive attacks. Next, we show that the Scyther tool could not find any attack on UEAP.

Informal Security Proof
Resistance against de-synchronization attack: Given that all messages in the UEAP protocol are encrypted, the adversary cannot modify the transferred messages in such a way that the protocol parties fall out of synchronization. Any modification of a transferred encrypted message is detected by the tag or the reader, which then terminates the protocol.
Resistance against traceability attack: The vulnerability of the ULRAS protocol was due to the fact that the adversary could retrieve the value of (K_X ⊕ R_t ⊕ T_R) mod L. Because an encryption function is used in calculating the messages of the UEAP protocol, the adversary cannot determine (K_X ⊕ R_t ⊕ T_R) mod L, and so the UEAP protocol is secure against the traceability attack presented in this manuscript.
Resistance against replay and impersonation attacks: All protocol parties participate in randomizing the messages exchanged in the UEAP protocol, and all exchanged messages are encrypted. Hence, the adversary can neither replay a message later nor forge a message on a party's behalf. Therefore, the UEAP protocol resists all types of replay and impersonation attacks.

Formal Security Proof
Scyther [29] is an automatic tool for the security analysis of security protocols. Scyther explores all possible behaviours of a protocol, reports possible attacks and tells us whether the protocol's security claims hold. Security claims are essential components of security protocols. To evaluate a protocol with Scyther, we first write the protocol description in the spdl language. Scyther then verifies whether the defined security claims are satisfied; it can also generate appropriate security claims for the protocol automatically and verify them. The tool thus lets us express security principles and properties in the language of security claims and check whether each claim is satisfied or violated. Precisely, Scyther checks claims of secrecy and authentication: secrecy means keeping certain data secret and confidential, and authentication should hold between the communicating parties [29].
In this section we analyze the UEAP protocol with the Scyther tool. The output of the Scyther tool for the UEAP protocol is presented in Figure 4. As can be seen, the analysis with Scyther shows that the UEAP protocol is resistant to the defined threats.

Conclusions
In this paper we analyzed the security of a rotation-based ultra-lightweight authentication protocol recently proposed for mobile applications. We presented an efficient de-synchronization attack against this protocol and extended it to a traceability attack when the parameter length is an integer power of 2. Although several other attacks against the protocol are possible, we presented only our most efficient attacks, which are enough to contradict the designers' claims on the security of this protocol. We also extended the attack to the improved version introduced by Aghili and Mala.
Moreover, we presented a new lightweight RFID authentication protocol named UEAP, based on lightweight encryption functions, together with a security proof showing that the proposed protocol is safe against all types of active and passive attacks.
This paper once again showed that designing a secure protocol based on the rotation operation may not be possible, and hence the use of lightweight cryptographic primitives in the design of security protocols is inevitable.


Figure 4. The result of the UEAP protocol's security analysis with Scyther.


Table 2. The truth table showing the equality of X′ = Reverse(X, Y) with X ⊕ Y.
X | Y | Reverse(X, Y) | X ⊕ Y
0 | 0 | 0 | 0
0 | 1 | 1 | 1
1 | 0 | 1 | 1
1 | 1 | 0 | 0

Table 3. Security comparison of the UEAP protocol with other protocols, where SD, DA, IA and TA denote Secret Disclosure Attack, De-synchronization Attack, Impersonation Attack and Traceability Attack, and × denotes Vulnerable (the check mark denotes Secure).

Table 4. Computational cost comparison of the UEAP protocol with other protocols, where L denotes the length of each parameter in the protocols.