Efficiency and Privacy Enhancement for a Track and Trace System of RFID-Based Supply Chains

: One of the major applications of Radio Frequency Identification (RFID) technology is in supply chain management as it promises to provide real-time visibility based on the function of track and trace. However, such an RFID-based track and trace system raises new security and privacy challenges due to the restricted resource of tags. In this paper, we refine three privacy related models ( i.e. , the privacy, path unlinkability, and tag unlinkability) of RFID-based track and trace systems, and clarify the relations among these privacy models. Specifically, we have proven that privacy is equivalent to path unlinkability and tag unlinkability implies privacy. Our results simplify the privacy concept and protocol design for RFID-based track and trace systems. Furthermore, we propose an efficient track and trace scheme, Tracker+, which allows for authentic and private identification of RFID-tagged objects


Introduction
Today, Radio Frequency Identification (RFID) tags are extensively used to track and identify goods, supplies, and equipments.In these applications, the tags are physically attached to objects, providing a convenient management of supply chains.Such convenience depends on the track and trace function of RFID-based supply chains, while such a track and trace system provides real-time visibility for supply chains.Thus, this may allow hackers to breach privacy by tracing and observing the tag through time and space.Since RFID tags are equipped with limited computational ability and storage, the design of track and trace system for RFID-based supply chains may bring new privacy and security challenges.
Recently, Blass et al. presented three kinds of privacy-related models [1] for RFID-based track and trace systems: privacy, path unlinkability, and tag unlinkability.Unfortunately, the definitions of privacy and path unlinkability in [1] are incomplete since they depend on the impractical assumption that each tag goes through each step (or each path) in supply chains with the same probability.Moreover, the above three kinds of privacy models are too complicated to understand the privacy of RFID-based track and trace systems.Can these privacy requirements be simplified?In other words, what are the relations among privacy, path unlinkability, and tag unlinkability?These problems have not yet been addressed in the literature.
In addition, RFID tags are resource-restricted devices, especially the EPC Class 1 Gen 2 tags [2], which have very limited memory and support only simple operations such as XOR, CRC, and the 16-bit random number generator.Moreover, the tag is passive and not tamperproof.Therefore, it cannot provide secure access control and authentication to readers.During the life cycle of a tag in the RFID-based supply chain, how to prepare the tag data in a way to enable secure and private track and trace becomes a substantial challenge.The existing track and trace scheme Tracker [1] aims to address this problem.However, it cannot guarantee the claimed privacy since the signature part of the internal state of each tag is unchanged for each path.Hence, an adversary can trace the tag by comparing the signature part of its current internal state with the previous one.Therefore, it is of vital importance to develop an efficient and secure track and trace scheme for RFID-based supply chains.

Our Contributions
In this paper, we address the abovementioned track and trace problems of RFID-based supply chains.The main contributions are as follows.
(1) We refine three privacy-related models reported in [1], the definitions of which rely on the impractical assumption that each tag goes through each step (or each path) in supply chains with the same probability.Our refined and improved models do not depend on such an assumption and capture the privacy requirements and the essences of RFID-based supply chains intuitively.
(2) We clarify the relations among privacy, path unlinkability, and tag unlinkability.Specifically, it has been proven that privacy is equivalent to path unlinkability and tag unlinkability implies privacy.
Our results simplify the privacy requirements for a track and trace system of RFID-based supply chains, and promise to design efficient and simple privacy-preserving track and trace schemes for RFID-based supply chains.
(3) We propose an efficient track and trace scheme, Tracker+.The Tracker+ allows for authentic and private identification of RFID-tagged objects in supply chains.In Tracker+ , only a few bytes of storage (such as EPC Class 1 Gen 2 tags) is needed to store the tag state, while no computational ability is required for tags.Indeed, Tracker+ improves Tracker [1] by reducing the memory requirement of one group element for each tag and by providing privacy against supply chain inside attacks.The efficiency and privacy enhancement of Tracker+ is attributed to the randomness reuse technique and the randomized HMAC [3] method.

Related Work
RFID-related security and privacy issues have been widely studied in the literature, such as a survey [4] and a more up-to-date bibliography [5].Most of this research focused on tag-reader interactions [6][7][8][9][10][11][12][13]; however, only a few reported the secure and privacy-preserving supply chain management, especially the RFID-based track and trace systems.For example, Ouafi and Vaudenay [14] addressed verification of the genuineness of products using strong cryptographically RFID tags.In their solution, tags authenticate readers at every step in the supply chain.The tags will update their internal state if the readers are successfully authenticated.The evaluation of authentication relies on two hash functions, one of which is for authentication of readers and the other is for tags' state update.Li and Ding [15] proposed a similar approach with tags evaluating cryptographic hash functions.

Organization
The rest of the paper is organized as follows.In Section 2, we provide the technical precedents of the track and trace system.In Section 3, we introduce the security requirements for the track and trace system.In Section 4, we clarify the relations among privacy models of track and trace system.In Section 5, we propose an efficient track and trace system, Tracker+.In Section 6, we prove the security of Tracker+ and analyze its efficiency.Finally, Section 7 concludes this paper.

Preliminaries
In this section, we describe the mathematical conventions, the definition of supply chain, and the model of track and trace system.We use terms and expressions similar to the ones used by Ma et al. [16] and Blass et al. [1].
Mathematical Preliminaries: If ( ) A  is a randomized algorithm, then x x   are strings, then indicates that s is chosen uniformly at random from S and S   denotes its cardinality (i.e., the number of elements of S ).Let Pr[ ] E denote the probability that an event E occurs.

Supply Chain
As described in [1], there are four kinds of entities in a track and trace system of RFID-based supply chains: the tags, the issuer I , the readers, and the manager M .At first, the issuer I prepares the initial state of the tag that will enter the supply chain.Then, the products go through the supply chain and the reader interacts with their tags at each supply chain step.Finally, the manager M verifies the validity of a tag at the end of its trip.
Throughout this paper we denote a supply chain as a series of consecutive steps that a product has to pass through.Formally, a supply chain SC is represented by a digraph ( ) is equivalent to one step in the supply chain and  is the length of path P .A valid path valid P represents a particular legitimate sequence of steps in the supply chain.We assume there are  multiple different valid paths in a supply chain.The manager M will check for i T 's path validity in the checkpoint, which is the last step v  of a valid path 0 { }

Track and Trace System
Formally, a track and trace system TK { } valid valid G R T I M P S        consists of the following components: Initialize(  ): Upon the security parameter  , the system prepares a supply chain G , an issuer I and a manager M , a set of n tags T , a set of  readers R , a set of  valid paths valid P , and a set of valid state valid S .

Read( i T ):
A function that reads out tag i T and returns its current state i j T s .

Write( i T ):
A function that writes a new state 1 i j T s  into tag i T .

GoNext( i T ):
The tag position transition function, which transports the tag i T from its current step to its next step.Let its current state be i j T s .After this transportation, its state has been transformed to

Security Requirements
In this section, we introduce the security model of the track and trace system based on the following assumptions.One is that the readers in the supply chain are independent and the other is that a reader i R at step i v behaves correctly.For instance, a reader i R at step i v , which corresponds to quality control, does not update the state of j T unless the product attached to j T satisfies the quality requirements.
Basically, security requirements of track and trace system consist of authenticity, privacy, and unlinkability, which are defined in the following subsections.

Authenticity
The main security goal of the track and trace system is to prevent an adversary from forging a tag's internal state with a valid path that was not actually taken by the tag in the supply chain.It is formalized by the following experiment Exp aut A (cf., Experiment 1), where the adversary runs in two phases.Let CP O denote the operation (or oracle) that corrupts the internal party i v of supply chains.

It returns the secret information of party
Check, Read, and Write functions, respectively.First, in the learning phase, A can query the five oracles in any order to learn useful information, with the restriction that it cannot query ( ) Then, in the challenge phase, A is asked to output a tag i T .The total number of A 's oracle queries does not exceed  .
Experiment Exp [ ]   aut A  (1) initialize the Tracker system through Initialize(  ); (2) choose an honest party v  ; (3) and tag i T has not been through the step v  and then output 1; 0 otherwise.

Definition 1. The advantage of adversary in the experiment Exp [ ]
aut A  is defined as: where the probability is taken over the choice of the track and trace system TK and the coin tosses of the adversary A .Definition 2. An adversary A ( ) t    -breaks the authenticity of the track and trace system, if the advantage Adv ( ) aut A k of A in the experiment Exp aut A is at least  and the running time of A is at most t .Definition 3 Authenticity.A track and trace system is said to be ( ) t   -authenticated if there exists no adversary which can ( ) t    -break its authenticity.

Privacy
Informally, privacy means that an adversary should not be able to tell if a tag goes through some step v in the supply chain based on the data stored on the tag.

Definition 4. The advantage of adversary in the experiment EXP [ ] prv A
 is defined as: The probability is taken over the choice of track and trace system TK and the coin tosses of the adversary A .Definition 5.An adversary A ( ) t   -breaks the privacy of the track and trace system, if the advantage Adv ( ) A is at least  and the running time of A is at most t .Definition 6 Privacy.A track and trace system is said to be ( ) t   -private if there exists no adversary that can ( ) t   -break its privacy.
Remark 1.Our privacy model is different from that of Blass et al. [1] in the choice of the challenge tag ch T .In our model, ch T is selected through a toss coin to decide whether it goes through the target step v or not; instead, ch T is chosen uniformly at random from the tag set in the model of Blass et al. [1].The privacy definition of [1] relies on the assumption that each tag goes through each step in the supply chains with the same probability.Unfortunately, it is easy to see that this assumption does not hold true in the supply chains.Furthermore, our privacy model allows inside attacks by providing CP O queries to the adversary.

Unlinkability
Another two privacy requirements of the track and trace system are path unlinkability and tag unlinkability to prevent the adversary A from binding the tag data to its path and behavior, respectively.We give the detailed descriptions of them in the following.

Path Unlinkability
The privacy model of path unlinkability is depicted in the following experiment Exp A chooses a tag 0 T T  ; Let 0 P denote the path 0 T took; (3) that does not go through 0 P , else choose a tag ch R T T  which goes through 0 P (6) operate GoNext( ch T );

Definition 7. The advantage of adversary
The probability is taken over the choice of track and trace system TK and the coin tosses of the adversary A .Definition 8.An adversary A ( ) t   -breaks the path unlinkability of the track and trace system, if the advantage Adv ( ) pul A k of A in the experiment Exp pul A is at least  and the running time of A is at most t .Definition 9 Path Unlinkability.A track and trace system is said to be ( ) t   -path-unlinkable if there exists no adversary that can ( ) t   -break its path unlinkability.
Remark 2. Our path unlinkability model is different from that of [1] in the choice of the challenge tag ch T .In the path unlinkability model of [1], ch T is chosen uniformly at random from the tag set.Such a model relies on the assumption that each tag goes through the 0 P with the same probability.However, this kind of assumption is not always true since some tags may never go through the path 0 P .Hence, the path unlinkability model of [1] is incomplete for RFID-based track and trace systems.In our model, ch T is selected through a toss coin to decide whether it goes through the target path 0 P or not.Our model avoids the abovementioned impractical assumption.Furthermore, our path unlinkability model allows inside attacks by providing CP O queries to the adversary.

Tag Unlinkability
The privacy model of tag unlinkability is depicted in the following experiment Exp tul A (cf., Experiment 4).In the learning phase, A chooses a tag 0 T from the supply chain and is allowed to query

Definition 10. The advantage of adversary A in the experiment Exp [ ]
where the probability is taken over the choice of track and trace system TK and the coin tosses of the adversary A .Definition 11.An adversary A ( ) t   -breaks the tag unlinkability of the track and trace system if the advantage Adv ( ) tul A k of A in the experiment Exp tul A is at least  and the running time of A is at most t .Definition 12 Tag Unlinkability.A track and trace system is said to be ( ) t   -tag-unlinkable if there exists no adversary that can ( ) t   -break its tag unlinkability.

Relations among Privacy Models
In this section, we investigate the relations between privacy, path unlinkability, and tag unlinkability.Our results illustrate that tag unlinkability implies privacy, which is equivalent to the path unlinkability.Therefore, with respect to the security of track and trace systems, we only need to consider the authenticity and tag unlinkability, which will lead to simple schemes.More detailed explanations are as follows.
Theorem 1. (privacy  path unlinkability) In the track and trace system TK, the privacy model is equivalent to the path unlinkability model.Proof.(1)  (2) path unlinkability  privacy.This can be inferred similarly to the method described in the above.
We have finished the proof of Theorem 1. □ Theorem 2. (tag unlinkability  privacy) If the track and trace system TK is tag unlinkable then it is also private.Proof.Assuming that TK is not private, i.e., there exists an adversary A that can ( ) t   -break its privacy.Then, we use A as a subroutine to construct an algorithm B , which breaks the tag unlinkability of TK.The algorithm B simulates the experiment Exp prv A for A and proceeds as follows.At first, when A submits the target step v , B selects two tags 0 T and 1 It is easy to see that B provides a perfect simulation of experiment Exp prv A for A and the advantage of B is just the same as that of A .
We have finished the proof of Theorem 2. □ The above two theorems illustrate that the tag unlinkability implies the privacy as well as the path unlinkability.Hence, with respect to the security of track and trace system, we only need to consider the authenticity and tag unlinkability, which simplifies the security concepts for the track and trace system.Definition 13.A track and trace system of RFID-based supply chains is said to be secure if it is authenticated and tag unlinkable.

The Tracker+
In this section, we propose an efficient track and trace scheme Tracker+ for RFID-based supply chains.Specifically, no computational ability is required for tags in Tracker+, which implies that Tracker+ is totally compatible with EPC Class 1 Gen 2 standards.Although Blass et al. presented the track and trace scheme Tracker [1], it indeed cannot guarantee the claimed privacy since the adversary can trace a tag by comparing the deterministic signature part of its internal state with the history records.However, Tracker+ provides provable privacy even against supply chain inside attacks and is more efficient than Tracker.

Path Encoding
We use the same method of [1] to encode a path in the supply chain.Specifically, each path is represented by a number p q v Z   (where q is a big prime number, e.g., 160 q   ), which has been derived from a polynomial determined by all steps in the path.Concretely, we associate each step i v with a random number i q a Z   such that the numbers of all steps in a path can be used as the coefficients to construct a polynomial.W.l.o.g., let the path be

Multiple ElGamal Encryption and HMAC
Multiple ElGamal.Multiple ElGamal encryption is a variant of ElGamal encryption [17], which encrypts multiple messages under multiple public keys with the same randomness.Concretely, a multiple ElGamal encryption system MEG=(PKG,Encrypt,Decrypt) is as follows.
PKG.The public and private key generation algorithm, which selects the private key R q x Z   and computes the public key x y g  , where g is the generator of a abelian group whose order is a big prime q .
Encrypt.The encryption algorithm, which inputs a pair of messages  HMAC.HMAC is a hashed MAC algorithm that can be used to generate authentication code.An HMAC function  is defined as ( where k refers to key, m refers to a message, and h refers to a hash function.For more details about opad and ipad see Krawczyk et al. [3].

Detailed Description of Tracker+
Intuitively, Tracker+ should consist of an initial setup phase, the preparation of new tags entering the supply chain, interactions between readers and tags, and the path verification by the manager M .However, all of these functions can be achieved via the five components of the track and trace system TK described in Section 2.2.Therewith, we only need to design the five components for Tracker+.The detailed description of Tracker+ is as follows.
Initialize(  ): Upon the security parameter  , the system first prepares a supply chain a set of n tags T , a set of  readers R , a set of  valid paths valid P , and a set of valid state valid S , and then it does as follows.
(1) Set up a multiple ElGamal public key encryption system [17] and generate the private keys and the public keys x y g  , where g is the generator of group G whose order is a big prime q ( ( ) q poly    ); (2) Set up an HMAC algorithm  from the key space K ; (3) Select a generator 0 x of q Z  and  random numbers 0 1 (4) Provide the issuer I with the tuple 0 0 0 1 2 ( ) x a k y y     and each reader i R with the tuple 0 x a k y y     ; (5) Provide the manager with the set public key 1 2 ( ) y y  ; Finally, the issuer I initializes each tag i T T  by writing the tuple 0 0 0 0 0 1 2 ( ) e e e    into it, where 0 0 0  is a random number, and i ID is the identity of tag i T .The manager M computes the path mark i pmk for the valid path Then, M stores all the valid path marks and their corresponding path information into its database.

Write( i T ):
Let the tuple will be written into tag i T be 1 GoNext( i T ): When a tag i T arrived at step 1 j v  from step j v , the reader defined as follows.
Function ( ) s as 0 1 2 ( ) e e e    ; (2) Choose random number 1 ( )   ; (4) Compute Finally, reader Then, it searches the database to find the path mark and its corresponding path information If it does not find it then output  ; otherwise, continue to verify the validation of the path signature as follows.Compute and verify ) ) If the verification Equation (2) holds, then return the path Remark 3. The internal state of Tracker+ is three group elements plus a HMAC code, while that in the original Tracker [1] is four group elements plus a HMAC code.Moreover, the HMAC is randomized in Tracker+ for every path so that its privacy can be guaranteed even in the presence of replay attacks, whereas the HMAC is fixed for every path in Tracker.Hence, it is easy to trace a tag simply by comparing the HMAC values stored in its memory, which implies that the privacy of Tracker can be broken without any difficulty.More detailed efficiency and security analysis will be demonstrated in Section 6.

Analysis
In this section, we first review the security definitions of HMAC and multiple encryption.Then, we prove the security of Tracker+.Our proofs illustrate that Tracker+ is provably secure against inside attacks.Finally, we evaluate the efficiency of Tracker+ and compare it with Tracker [1].

Let H
O be an HMAC oracle that when it is provided with a message m , returns HMAC ( ) m .
The security of HMAC consists of two aspects: (2) Indistinguishability: even the message m is known; an adversary A cannot distinguish ( ) HM AC m from a random number, i.e., the advantage of A is negligible.

Semantic Security
The semantic security of Multiple ElGamal is defined as follows.In the learning phase, an adversary is given the public key 1 y and 2 y .Then it selects two message pairs 0 0 , which have been submitted to the semantic security experiment.In the challenge phase, the adversary is given a ciphertext c  and asked to guess which message pair is the plain text of c  .Multiple ElGamal is said to be semantic secure if the probability that the adversary wins is at most 1 2 negligible  .

Security of Tracker+
The security of Tracker+ is guaranteed by the following Theorems 3, 4, and 5.  Proof.The proof of Theorem 5 can be inferred directly from Theorems 3 and 4. □

Efficiency and Comparisons
Efficiency Consideration.Tracker+ requires a tag only to store data.For each tag, only three group elements and a HMAC are required to be stored.If we choose the elliptic curve based multiple ElGamal encryption (where each element of group G is 160 bits) for Tracker+ and the output of HMAC is 160 bits, then the total storage requirement for each tag is 640 bits, which is feasible for EPC Class 1 Gen 2 tags.
Each reader in Tracker+ is required to store a tuple 0 ( ) x a k   and the manager's public key 1 2 ( ) y y  .
Thus the total storage per reader is 800 bits.Regarding the computation, for each interaction between a tag and a reader, the reader needs to compute a multiple ElGamal encryption and HMAC evaluation.This is feasible for modern readers, which are more powerful than tags.The manager M is responsible for the verification of the path that each tag goes through.To this end, manager M is required to decrypt the ciphertext stored in the tag and to verify the validity of the HMAC, which involves 3 j  exponentiations and j HMAC evaluations.We conjecture that this is feasible for a powerful manager.
Compared to Tracker [1].(cf.Table 1.)The storage of each tag in Tracker+ is 160 bits less than that of Tracker, which implies that Tracker+ saves storage for tags.The computation costs for readers 20% and managers in Tracker+ are almost the same as those of Tracker.Secondly, Tracker+ has been proven to satisfy the privacy requirements of track and trace systems-privacy, path unlinkability, and tag unlinkability-whereas Tracker cannot guarantee the privacy requirements.Finally, Tracker+ has been proven to be secure against supply chain inside attacks, while Tracker is vulnerable to inside attacks.So, Tracker+ beats Tracker in both security and efficiency.

Conclusions
One of the major applications of RFID technology is the supply chain management.RFID tags have advantages over traditional barcodes in that they are able to provide real-time visibility, etc.Such visibility relies on the track and trace function of RFID-based supply chains.In this paper, we refined the privacy-related models of RFID-based track and trace systems to capture the security requirements of supply chains.Then, we clarified the relations among the three existing privacy related models.Our results simplify the privacy requirements of RFID-based supply chains and promise to produce efficient and simple privacy-preserving track and trace schemes.Finally, we proposed Tracker+, an efficient privacy-preserving track and trace scheme, which is compatible with EPC Class 1 Gen 2 tags and is provably secure against inside attacks.

Experiment 4 .
and CO in any order.At the end of this phase, A outputs two tags (w.l.o.g., 0T and 1 T ).Then, in the challenge phase, the system tosses a coin b and performs the GoNext( b T ) operation to update b T 's internal state.A is given the challenge tag b T and is asked to guess the random bit b by outputting a bit b  .In this phase, A is also allowed to launch the five oracle queries under the restriction that it cannot query C O about tag b T 's internal state.The total number of A 's oracle queries does not exceed  .The tag unlinkability experiment.Experiment Exp [ ] tul A  (1) initialize the Tracker system through Initialize(  );

iT:
Let the internal state of tag i T

( 1 )
Existential Unforgeability under Adaptively Chosen Message Attacks (EUF-CMA): An adversary can launch oracle query , there is an advantage to A coming up with a new pair ( n is negligible.

Theorem 5 .
    .Then, B prepares the challenge tag ch T for A as below.Choose a random bit b and set the internal state of b T to be 1 is the last part of the previous internal state of b T .Set ch b T T  and submit ch T to A .At last, A outputs a bit b  .If b b   then B outputs b, else B outputs a random bit.Let the advantage of A be  , then the advantage of B is at least 2  since B provides a perfect simulation for A if c  is an encryption of b T 's identity and its current path.We have finished the proof of Theorem 4. □ If the HMAC function  is EUF-CMA secure and indistinguishable, then Tracker+ is secure against inside attacks. 1 Experiment 2).Let T vO  denote the oracle that picks a tag that goes through the step v .In the learning phase, A chooses a step v from the supply chain and is allowed to query the six oracles G O , CP O , and T v O  in any order.Then, in the challenge phase, the system randomly selects an is given the tag ch T and is asked to guess if ch T has been through step v by outputting a bit b .In this phase, A is also to launch the six oracle queries under the restriction that it can query C O of tag ch T 's internal state.The total number of A's oracle queries does not exceed ρ.
R O , W O , C O , A privacy  path unlinkability.Assume that TK is not path-unlinkable, i.e., there exists an adversary A that can ( ) t   -break its path unlinkability.Then, we can use A as a subroutine to construct an algorithm B that can break the privacy of TK.The algorithm B simulates the experiment Exp pul A for A and is constructed as follows.At first, when A submits the target tag a T , B obtains the path Let the advantage of A be  .Now, we analyze the advantage of B .
a P through Check ( ) a T s , where a T s is the internal state of a T .Next, B chooses a step a v P  and submits it to the privacy experiment as the target step.Then, B prepares the answers for A 's as below.B answers R O , W O , C O , CP O , and G O directly by querying them in the privacy experiment.If A asks a query of a T P O  , B chooses a tag i T with initial state written by the issuer I and operates i T that goes through the path a P via the oracle query of G O to the privacy experiment.Then, B returns i T to A .Finally, in the challenge phase, B is given a challenge tag ch T , which is forwarded to A as the challenge tag of experiment Exp pul A .If A outputs 1, then B also outputs 1 b  ; else B outputs a bit {0 1} R b    .It is easy to see that B provides a perfect simulation of experiment Exp pul A for A .
T to its tag unlinkability experiment, which will return the challenge tag b T to B .Finally, in the challenge phase, B deliveries b T to A as its challenge tag ch T of experiment Exp prv A .If A outputs b , then B also outputs b .
T did not.Then, B answers A 's oracle queries as below.B answers R O , W O , C O , CP O , and G O directly by querying them in the privacy experiment.If A asks a query of T v O  , B chooses a tag i T with initial state setup by the issuer I and operates i T to go through the step v via the oracle query of G O to the privacy experiment.Then, B returns i T to A .After the learning phase, B submits 0 T and 1

Theorem 3 .
If the HMAC function  is EUF-CMA secure, then Tracker+ is authenticated.Proof.Assume that Tracker+ is not authenticated, i.e., there exists an adversary A such that it can break the authenticity of Tracker+.Then, we can construct a forger B to break the EUF-CMA security of HMAC function  (whose key is k which is unknown to B ). B uses A as a subroutine and answers A 's queries as follows.At first, B initializes the Tracker+ system in the same way as the Initialize operation except that the HMAC key of the manager is set to be k .It is easy to see that B can answer the queries of R O , Hellman (DDH) assumption.To this end, B uses A as a subroutine and maintains a list L to answer A 's queries as follows.B initializes the Tracker+ system in the same way as the Initialize operation except that the public and private key pairs of the manager are implicitly set to be 1 2 W O , CP O , and G O (the arrived step is not M ) directly.Upon a query of G O with an arrived step of M , B □ Theorem 4. If the HMAC function  is indistinguishable, then Tracker+ is tag unlinkable.Proof.Assume that Tracker+ is not tag unlinkable, i.e., there exists an adversary A such that it can break the tag unlinkability of Tracker+.Then, we can construct an algorithm B to break the semantic security of Multiple ElGamal encryption system, which has been proven secure under the Decisional Diffie-

Table 1 .
Comparisons of Tracker and Tracker+.