Elliptic Curve Signcryption Based Security Protocol for RFID

Abstract

Providing security has been always on priority in all areas of computing and communication, and for the systems that are low on computing power, implementing appropriate and efficient security mechanism has been a continuous challenge for the researchers. Radio Frequency Identification (RFID) system is such an environment, which requires the design and implementation of efficient security mechanism. Earlier, the security protocols for RFID based on hash functions and symmetric key cryptography have been proposed. But, due to high strength and requirement of less key size in elliptic curve cryptography, the focus of researchers has been on designing efficient security protocol for RFID based on elliptic curves. In this paper, an efficient elliptic curve signcryption based security protocol for RFID has been proposed, which provides mutual authentication, confidentiality, non-repudiation, integrity, availability, forward security, anonymity, and scalability. Moreover, the proposed protocol successfully provides resistance from replay attack, impersonation attack, location tracking attack, de-synchronization attack, denial of service attack, man-in-the-middle attack, cloning attack, and key-compromise attack. Results have revealed that the proposed protocol is efficient than the other related protocols as it takes less computational time and storage cost, especially for the tag, making it ideal to be used for RFID systems.

1. Introduction

The rapidly changing computing age has enabled the automation of processes and identification of objects, which have now become very significant parts of computing since they lead to massive benefits in productivity by saving time and reducing errors. Many technologies which have been developed to implement AIDC include optical character recognition, bar codes, smart cards, chip cards, magnetic stripes, biometrics, voice recognition,and Radio Frequency Identification (RFID). RFID [1] has been proven as one of the most prominent technologies used for identification and data capture due to its ability to track moving objects. Furthermore, Jia et al. [2] have mentioned that with the evolution of the Internet of Things (IoT), the usage of RFID has grown exponentially since it is the fundamental technology behind IoT. Khattab et al. [3] have figured out that RFID outperforms other AIDC techniques when compared against different parameters including data density, readability by machine, readability by people, cost, reading speed, range, the effect of moisture, and sight distraction.

1.1 Overview of RFID

RFID is a radio frequency electromagnetic signal based wireless communication technology,which is used to automatically identify objects carrying tags. The two major communicating parties in an RFID system are the tags and the readers. The schematic diagrams of the RFID tag and the reader have been presented in Fig. 1 (a) and Fig. 1 (b) respectively. Yu and Chen[4] has mentioned that RFID tags can be divided into three categories namely passive tags,active tags, and semi-active tags. A passive tag does not hold a battery and it gets energy from the neighboring RFID reader. In contrast, an active tag holds a battery, which provides sufficient energy to pass its messages to a greater range. A semi-active tag has a small batteryon-board but it activates only in the presence of an RFID reader. According to Chetouane [5],the generic architecture of an RFID communication system is based on 3Cs: Context, Capture,and Control, which has been depicted in Fig. 2.

Fig. 1(a). RFID Tag

Fig. 1(b). RFID Reader

Fig. 2. Generic architecture of RFID system.

The main components of an RFID system are transponder (RFID Tag), transceiver (RFID Reader), antenna, server, and the database. The RFID tag contains a unique identification number, which is stored in the read-only memory of tag. This unique identification number enables the system to recognize the tag idiosyncratically among many tags. When an object carrying transponder enters in the zone of a transceiver its data is captured through the wireless channel by the transceiver and sent to the server for storage and further processing. An authorized user can access the data stored on the server according to the requirements of theuser’s applications. An RFID tag generally contains identification information, location information or specification of the object containing the tag, like price, make, date, etc.

1.2 RFID Security Requirements

The four basic security requirements of any communication are confidentiality, integrity,authentication, and non-repudiation. But for communication over the wireless medium, like between RFID tag and the reader, implementation of some more security functionalities is needed. Tan and Wu [6] have pointed out that three key security requirements of RFID are prevention from unauthorized access, prevention from illicit tracking and prevention from skimming. Knospe and Pohl [7] have mentioned confidentiality, availability, authenticity,integrity, and anonymity are the necessary security properties of an RFID system. Dinarvand and Barati [8] figured out that the two additional security features which must also be implemented in the RFID system are forward secrecy and scalability. Therefore, the necessary security requirements of an RFID system are data confidentiality, mutual authentication, data integrity, non-repudiation, availability, tag anonymity, forward secrecy, and scalability.

1.3 RFID Security Challenges

Designing an efficient security mechanism is a big concern for RFID because of the following technical constraints of RFID:

Limited Computing Capability – On an average, the RFID tags possess a processing speed of only a few MIPS, flash memory up to 1MB and RAM up to few 100s KB. With these limited computing resources, it has been very exigent to design and implement security schemes which provide all the necessary security functionalities.

Unreliable Communication – Since the data between tags and reader is transmitted through an insecure wireless channel, it is vulnerable to attacks by unauthorized readers and eavesdroppers. A strong security mechanism should be implemented to prevent the RFID system from these attacks.

Less Power – Since active and semi-active tags operate on a battery which is a limited power source, security schemes should be wisely selected and heavy computations must be avoided. The two major security challenges in the security of RFID are – first defeating threats and attacks made on to the system using appropriate countermeasures and second using efficient security mechanisms to implement these countermeasures along with necessary security functions.

In [9,10] authors have discussed security issues and challenges for RFID and provides an overview of threats and attacks on RFID systems. A comprehensive study of attacks on RFID has been made by Khattab et al. [11] in which they classified attacks on RFID into three types– physical attacks, system attacks, and channel attacks. The taxonomy of potential attacks on RFID is shown in Fig. 3. In Physical attacks, tag modification or tampering can be prevented by building a secure zone around the device or using sealed tamper resistant case for the device. Cloning and reverse engineering can be prevented by using a strong cryptographic fingerprint. The jamming attack can be countered by using spread spectrum technologies and polarization of the antenna. For prevention of other channel attacks and system attacks, design and implementation of appropriate cryptographic schemes is needed.The cryptographic systems which are potential candidates for securing any system are Symmetric KeyCryptosystem, RSA Cryptosystem, Elliptic Curve Cryptosystem, and Pairing Based Cryptosystem. A comparison of these cryptographic systems has been made on the basis of different aspects and is publicized in Table 1.

Fig. 3. Taxonomy of attacks on RFID.

Table 1. Comparison of cryptosystems.

PKC-Private Key Cryptosystem, RSA-RSA Cryptosystem, ECC-Elliptic Curve Cryptosystem,PBC-Pairing Based Cryptosystem, 𝐶𝑜 -Confidentiality, 𝐴𝑢 -Authentication, 𝑁𝑟 –Non-repudiation,𝐾𝑒 – Key Exchange, 𝑛-Number of parties

By Analyzing Table 1, it can be observed that PKC suffers from the problem of key distribution and only provides confidentiality, while RSA consumes high computational cost due to the computation of modular exponentiation. ECC and PBC perform better than RSA in terms of computational cost and security features. Cao and Liu [12] have pointed out that in PBC large size parameters are generated which requires a lot of computing resources and hence PBC is not suited for resource constrained systems like RFID. ECC based security solutions require less key size, produce smaller ciphertext, faster in key generation, quicker in signature verification, and quicker in encryption and decryption as compared to other public key cryptosystems. And due to this reason, ECC is an attractive cryptosystem for providing security to less computationally capable systems like RFID.

2. Related Work

Security and privacy have been a primary concern for RFID systems due to their less computational capacity. Many security solutions offering different security properties have been proposed over the years. But, a large amount of the emphasis has been given in designing secure authentication protocols for RFID, since majority of applications implement RFID for authentication of objects by the reader or the server. Furthermore, many secure and efficient protocols based on elliptic curves have been proposed in recent years, since elliptic curve based solutions are suitable for resource constrained applications.

Gódor, Giczi, and Imre [13] suggested an elliptic curve mutual authentication protocol for RFID which provides mutual authentication and forward secrecy, at the same time providing protection from replay attack and tracking attack. The computational time of different operations in the protocol was also analyzed. But, many necessary security attributes were not implemented in this scheme and it was not able to counter DoS attack.

In [14] Liu, Qin, and Wang proposed an authentication protocol for RFID based on ECC,which reduces the computational cost of RFID tag and provides data confidentiality, integrity,tag anonymity, and mutual authentication. The protocol was able to defend against tracking attack, replay attack, counterfeit attack, and desynchronization attack.

Chou [15] classified the RFID security protocols as full-fledged, simple, lightweight, and ultra-lightweight. Chou mentioned that full-fledged security protocols are attractive since non-full-fledged protocols are not scalable and vulnerable to tracking, desynchronization and impersonation attacks. Chou also presented an authentication protocol based on ECC and claimed that in addition to mutual authentication and location privacy it also provides forward secrecy and scalability, at the same time providing protection from DoS, replay, impersonation,and man-in-the-middle attacks.

Farash [16] demonstrated that Chou’s authentication protocol [15] fails to provide tag privacy,mutual authentication, and forward secrecy. It was also shown that Chou’s protocol failed to defend from impersonation, cloning attacks, and tracking attacks. Farash [16] also proposed an improved protocol which can counter reply, man-in-the-middle, impersonation, and tracking attacks at the same time providing forward secrecy and mutual authentication. But the total computational time of this protocol is higher than existing schemes for a RFID system.

Feng and Yao [17] designed an ECC based mutual authentication protocol for RFID which can resist impersonation, replay, tracking and denial of service attacks. They claimed that the proposed protocol takes less computational time, storage cost and communication overhead.

Alamr, Kausar, and Kim [18] suggested a secure protocol for RFID which uses elliptic curveDiffie-Hellman (ECDH) key exchange scheme to generate the shared secret key. This key is then used to encrypt the messages. This protocol provides resistance from man-in-the-middle attack, impersonation attack, and replay attack while satisfying forward security, mutual authentication, location privacy ,anonymity, and confidentiality.

Qian, Jia, and Zhang [19] proposed a lightweight security protocol for RFID using ECC encryption and basic computations like bitwise XOR, AND etc. Although this protocol reduces tag computation and does not use elliptic curve point multiplication operation, it is limited to provide authentication, confidentiality, forward security, and backward security.

Chen and Chou [20] analyzed some full-fledged RFID protocols based on ECC, and pointed out that few of these have security and privacy weaknesses while other possess high communication cost. They also proposed two protocols and claimed that they are secure and efficient. However, Shen et al. [21] proved that the protocol of Chen and Chou [20] is susceptible to replay attack and server spoofing attack. Shen et al. also proposed an ECC based authentication mechanism for RFID which offers mutual authentication, anonymity,confidentiality, forward secrecy, and untraceability. This mechanism also provides protection from masquerade, server spoofing, and replay attack.

Liao and Hsiao [22] proposed an elliptic curve based RFID authentication protocol which uses the transfer of secure challenge response and ID-verifier messages. Zhao [23] has shown that Liao and Hsiao’s protocol [22] endures with key compromise problem where an opponent could retrieve the key stored in the tag. Zhao also developed a authentication scheme and claimed that it is more secure and efficient than Liao’s protocol. Farash et al. [24] demonstrated that Zaho’s scheme [23] failed to provide forward security. They designed a new improved RFID authentication mechanism for healthcare surroundings offering forward security, provable security, mutual authentication, and location privacy while protecting from replay, impersonation, and man-in-the-middle attacks.

Lee et al. [25] exposed the issues of untraceability and anti-counterfeting in RFID systems. They also proposed a security scheme for RFID which provided many security features but it fails to satisfy mutual authentication, scalability, and resistance against de-synchronization attack.

Dinarvand and Barati [8] presented an elliptic curve based mutual authentication protocol which offers many security features including mutual authentication, confidentiality, forward security, scalability, anonymity, availability, and integrity. They also proved that the protocol can defend against cloning, replay, de-synchronization, location tracking, masquerade,modification, and server spoofing attacks. Dinarvand and Barati [8] also compared their protocol with the related ones and showed that it takes less computational time and communication cost than others.

Zhang et al. [26] suggested an elliptic curve based scheme with anonymity for session initiation. Lu et al. [27] exposed that Zhang et al.’s scheme [26] fails to provide proper mutual authentication and is susceptible to insider attack. Lu et al. designed a modified authentication scheme overcoming the security weaknesses of Zhang et al.’s scheme. Mehmood et al. [28] proved that the scheme proposed by Lu et al. [27] fails to defend against masquerade attack and cannot protect the user's identity. Mehmood et al. suggested an improved mutual authentication for session initiation which is secure against replay, password guessing, insider,masquerade, stolen verifier, and man-in-the-middle attack. The protocol also offers anonymity,privacy, forward secrecy, mutual authentication, forward security, and session key privacy. Jin et al. [37] applied elliptic curve cryptography to enhance medication safety of the patient and proposed a secure elliptic curve based authentication protocol for the healthcare environment.

Zheng et al. [38] designed a mutual authentication scheme based on ECC which provides confidentiality, forward security, scalability, mutual authentication, and anonymity. In addition to these security attributes, this protocol provides resistance against system internal attack , camouflage attacks, denial of service attacks, and tracking attacks.

Chiou, Ko, and Lu [39] developed an ECC based mutual authentication protocol for mobile RFID. But, in this protocol five elliptic curve point multiplication operations are to be executed by the tag, which puts a huge computational overhead on the tag. Therefore, this protocol is not suitable for RFID systems.

Fan et al. [40] presented a lightweight RFID security protocol for medical privacy and claimed that it satisfies secure authentication and confidentiality. This scheme utilized only XOR operation, hash computation, displacement operation, and cross operation. However, Aghili and Mala [41] performed a comprehensive security analysis of the protocol presented by Fan et al. and revealed that it is susceptible to server/reader impersonation attack and disclosure of secret information.

Liu et al. [42] designed an elliptic curve based authentication management protocol for mobile RFID systems. They claimed that their protocol can resist all kinds of attacks and is more efficient. However, it can be figured out by studying the authentication phase of the protocol that the tag has to execute four elliptic curve point multiplication operations which increases the tag’s computational cost by a huge amount i.e. the Liu et al.’s protocol is computationallyinefficient.

3. Preliminaries

3.1 Mathematics of Elliptic Curve

An elliptic curve over finite field is defined by the Weierstrass Equation 𝑦² = 𝑥³ + 𝐴𝑥 + 𝐵 where 𝐴, 𝐵 ∈ 𝐹_𝑞 are constants with the condition 4𝐴³ + 27𝐵² ≠ 0. An elliptic curve denoted by 𝐸 over finite field 𝐹_𝑞 is defined by the set of all points (𝑥, 𝑦) є 𝐹_𝑞 𝑋 𝐹_𝑞 along with a special point ∞ called as point at infinity 𝑂. These set of points is given by:

𝐸(𝐹_𝑞) = {𝑂}U { (x, y) є 𝐹_𝑞 X 𝐹_𝑞 ∶ 𝑦² = 𝑥³ + 𝐴𝑥 + 𝐵 }

The following laws and operations are satisfied by elliptic curve 𝐸(𝐹_𝑞):

1. Identity – For every point 𝑃 ∈ 𝐸(𝐹_𝑞),𝑃 + 𝑂 = 𝑂 + 𝑃 = 𝑃.

2. Negatives – Let 𝑃 = (𝑥, 𝑦 ∈ 𝐸(𝐹_𝑞), then – 𝑃 = (𝑥, – 𝑦) is called as the negative of P. And 𝑃 + (– 𝑃) = 𝑂. Furthermore, – 𝑂 = 𝑂.

3. Point Addition – Let 𝑃 = (𝑥₁, 𝑦₁ ∈ 𝐸(𝐹_𝑞) and 𝑄 = (𝑥₂, 𝑦₂) ∈ 𝐸(𝐹_𝑞) be the two points and𝑃 ≠ ±𝑄. The addition of these two points is defined by a third point on 𝐸(𝐹_𝑞),𝑃 + 𝑄 =(𝑥₃, 𝑦₃). The coordinates 𝑥₃ and 𝑦₃ are given by:

𝑥₃ = 𝜆² − 𝑥₁ – 𝑥₂ and 𝑦₃ = 𝜆(𝑥₁ − 𝑥₃) − 𝑦₁

where \(\lambda=\frac{y_{2}-y_{1}}{x_{2}-x_{1}}\), if 𝑃 ≠ 𝑄 and \(\lambda=\frac{3 x_{1}^{2}+A}{2 y_{1}}\), if 𝑃 = 𝑄

4. Point Multiplication – Let 𝑃 = (𝑥, 𝑦) є 𝐸(𝐹_𝑞), then point multiplication is defined by 𝑘𝑃 = 𝑃 + 𝑃 + … + 𝑃 (𝑘 𝑡𝑖𝑚𝑒𝑠). Where 𝑘 is an integer.

5. XOR Operation – The 𝑋𝑂𝑅 operation is the binary bitwise operation which returns a 0 bit when both the input bits are same. This is equivalent to the addition of two bits in radix 2, and discarding the carry bit. In this paper 𝑋𝑂𝑅 operation of two points on the the elliptic curve has been computed by performing 𝑋𝑂𝑅 operation between the 𝑥 -coordinates and the𝑦-coordinates of both the points respectively to give the new point on the elliptic curve.

6. Function F: function 𝐹 has been used to select only the 𝑥-coordinate of the point (𝑥, 𝑦) on the elliptic curve, i.e. 𝐹(𝑥, 𝑦) = 𝑥.

3.2 Computational Problems based on Elliptic Curve

The security of elliptic curve cryptosystem is based on the three computationally hard problems defined below. For these definitions let 𝐸(𝐹_𝑞) be an elliptic curve defined over finite field 𝐹_𝑞.

1. ECDLP (Elliptic Curve Discrete Logarithmic Problem) – Given two points 𝑃,𝑄 ∈ 𝐸(𝐹_𝑞), it is computationally hard to determine an integer 𝑘 ∈ [1, 𝑛 − 1] such that 𝑄 = 𝑘𝑃 [31].

2. ECDHP (Elliptic Curve Diffie-Hellman Problem) – Consider a point 𝑃 ∈ 𝐸(𝐹_𝑞), and two other points 𝑄 = 𝑎𝑃 and 𝑅 = 𝑏𝑃 on 𝐸, where 𝑎 and 𝑏 are integers. It is computationally hard to determine a point 𝑆 = 𝑎𝑏𝑃 [32], given 𝑃.

3. ECDDHP (Elliptic Curve Decision Diffie-Hellman Problem) – Given a point 𝑃 ∈ 𝐸(𝐹_𝑞),and three other points 𝑄 𝑎𝑃 and 𝑅 = 𝑏𝑃, and 𝑆 = 𝑐𝑃 on 𝐸. It is computationally hard to decide whether 𝑆 = 𝑎𝑏𝑃 [33].

3.3 Signcryption

Signcryption established by Zheng [29] is a cryptographic primitive which integrate encryption and authentication in a single logical phase. Before the advent of signcryption, to achieve confidentiality and authentication, the approach was to use signature-then-encryption which first apply the signature and then encrypt the message. In [29] it was shown by Zheng that signcryption saves 50% computational time and 85% communication cost in comparison to signature-then-encryption method. Zheng and Imai [30] proposed the first elliptic curve based signcryption mechanism which consumes 58% less computational time and 40 % less communication overhead in comparison to signature-then-encryption based on ECC. Using elliptic curve with signcryption saves huge computation cost and communication overhead,simultaneously implementing multiple security attributes comprising confidentiality,unforgeability, integrity, authentication, non-repudiation, forward security, secure key exchange, and public verification.

4. Proposed Security Protocol for RFID

In this section, an elliptic curve signcryption based security protocol for RFID has been proposed and explained in detail. The protocol presented here is applicable to passive tags,active tags, and semi-active tags since in this protocol, the first message is initiated by the server. In the proposed security protocol it is presumed that the communication link between the server and the tag is wireless and insecure, while the link between the reader and the server is wired and secure. The notations and symbols used in describing the proposed protocol are listed in Table 2. The proposed protocol has been divided into three phases: setup phase,signcryption-unsigncryption phase, and updating phase.

Table 2. Notations and symbols used in the protocol.

4.1 Setup Phase

In this phase, public keys, private keys, and the system parameters are generated. The following steps are carried out by the server in the setup phase:

1. Selects an elliptic curve 𝐸: 𝑦² = 𝑥³ + 𝐴𝑥 + 𝐵 with the curve parameters {𝑞, 𝐴, 𝐵, 𝐺, 𝑛}

2. Randomly selects a number 𝑣_𝑠 ∈ 𝑍_𝑛 which becomes its private key and computes its public key as 𝑃_𝑠 = 𝑣_𝑠𝐺.

3. For each tag, the server randomly chooses the unique identifier 𝑥_𝑡 ∈ 𝐺 for the tag on the elliptic curve E.

4. Randomly selects an integer 𝐼𝐷 ∈ 𝑍_𝑛 which becomes the unique pseudonym for the tag.

5. Hash function ℎ𝑎𝑠ℎ: {0 , 1}^∗ → {0 , 1}^𝑙 is selected by the server.

6. The server saves the pair {𝐼𝐷, 𝑥_𝑡} for each tag in its database.

7. The server also stores common elliptic curve parameters {𝑞, 𝐴, 𝐵, 𝐺, 𝑛} ,the unique identifier 𝑥_𝑡 and the unique pseudonym 𝐼𝐷 in the memory of each tag.

4.2 Signcryption-Unsigncryption Phase

In the signcryption-unsigncryption phase, authentication and confidentiality attribute is implemented in the transfer of messages involving the server and the tag. The tag and the server authenticate each other in this phase. The steps carried out in this phase are:

1. A number 𝑣_𝑠 ∈ 𝑍_𝑛 is selected by the server at random, which becomes its private key. And the server computes 𝑃_𝑠 = 𝑣_𝑠𝐺 as its public key. The server sends a message containing its public key {𝑃_𝑠} to the tag.

2. Upon receiving the public key {𝑃_𝑠} of the server, the tag performs the following operations:

(i) The tag randomly chooses a number 𝑣 ∈ 𝑍_𝑛.

(ii) Generate the key 𝑘 = ℎ𝑎𝑠ℎ(𝑣𝑃_𝑠 ⊕ 𝑥_𝑡).

(iii) Compute the ciphertext 𝑐 = 𝐸_𝑘 (𝐼𝐷).

(iv) Compute 𝑟 = ℎ𝑎𝑠ℎ(𝑐 ⊕ 𝑘).

(v) Calculate 𝑤 = (𝑣/𝑟) and 𝑇 = 𝑟𝐺.

(vi) The tag sends the signcrypted text {𝑐, 𝑇, 𝑤} to the server.

3. Upon receiving the signcrypted text {𝑐, 𝑇, 𝑤} the server performs the following computations:

(i) Generate the key 𝑘′ = ℎ𝑎𝑠ℎ(𝑣_𝑠𝑤𝑇 ⊕ 𝑥_𝑡).

(ii) Decrypt the ciphertext using key 𝑘′ as 𝐼𝐷′ = 𝐷_𝑘′ (𝑐) which is the unique pseudonym of the tag.

(iii) The server searches its database and finds the tag identifier 𝑥_𝑡 corresponding to the unique pseudonym 𝐼𝐷′ of tag . If the corresponding tag identifier is not found then the session is terminated by the server.

(iv) Compute 𝑟′ = ℎ𝑎𝑠ℎ(𝑐 ⊕ 𝑘′).

(v) Calculate 𝑇′ = 𝑟′𝐺.

(vi) If 𝑇 = 𝑇′ , then the server successfully authenticates the tag. Otherwise, the server terminates the session.

(vi) If the authentication of the tag is successful, the server computes 𝑎_𝑠 = 𝐸_𝑘 (𝑇′ ⊕ 𝑥_𝑡) and sends {𝑎_𝑠} to the tag.

4. On receiving {𝑎_𝑠}, the tag computes 𝑎′_𝑠 = 𝐸_𝑘 (𝑇 ⊕ 𝑥_𝑡) . If 𝑎_𝑠 = 𝑎′_𝑠 , then the tag successfully authenticates the server. Otherwise, the tag terminates the session. The working of the protocol has been demonstrated in Fig. 4.

Fig. 4. Proposed Security Protocol for RFID.

4.3 Updating Phase

After successfully authenticating each other, the server and the tag must update the unique pseudonym 𝐼𝐷 of the tag. Since 𝐼𝐷 of the tag is transmitted as plaintext in the proposed protocol, it is important to update the tag pseudonym so that it can be protected from unauthorized usage and de-synchronization attack. The tag updates the 𝐼𝐷 as:

𝐼𝐷^𝑁𝑒𝑤 = 𝐹(𝑣𝑃_𝑠) ⊕ 𝐹(𝑥_𝑡) ⊕ 𝐼𝐷

The server updates the 𝐼𝐷 of the tag by performing the following computation:

𝐼𝐷^𝑁𝑒𝑤 = 𝐹(𝑣_𝑠𝑤𝑇) ⊕ 𝐹(𝑥_𝑡) ⊕ 𝐼𝐷

5. Proof of Correctness

The correctness of the proposed signcryption based protocol is based on the fact that the tag and the server generate the same key in Step 2 and Step 3 of the protocol respectively, as these keys are used in encryption and mutual authentication between the two parties.

Key generated by the tag in Step 2: 𝑘 = ℎ𝑎𝑠ℎ(𝑣𝑃_𝑠 ⊕ 𝑥_𝑡)

= ℎ𝑎𝑠ℎ(𝑣 𝑣_𝑠𝐺 ⊕ 𝑥_𝑡) ( 𝑆𝑖𝑛𝑐𝑒 𝑃_𝑠 = 𝑣_𝑠𝐺)

Key generated by the server in Step 3: 𝑘′ = ℎ𝑎𝑠ℎ(𝑣_𝑠𝑤𝑇 ⊕ 𝑥_𝑡)

\(\begin{array}{l} =\operatorname{hash}\left(v_{s}\left(\frac{v}{r}\right) r G \oplus x_{t}\right) \text { Since } \left.w=\left(\frac{v}{r}\right), T=r G\right) \\ =\operatorname{hash}\left(v_{s} v G \oplus x_{t}\right) \\ =k \end{array}\)

Since keys 𝑘 𝑎𝑛𝑑 𝑘′ are same, hence the correctness of the proposed protocol is verified

6. Security Functions of the Proposed Protocol

The security functionalities of the proposed protocol can be analyzed with respect to two dimensions, the first one is the security attributes implemented by the protocol and the second one is the resistance provided from different attacks.

6.1 Analysis of Security Attributes

As discussed in sub-section 1.2 the security attributes required by an RFID system are confidentiality, mutual-authentication, integrity, non-repudiation, forward security, tag anonymity, and availability. In this sub-section, an analysis of security attributes satisfied by the proposed protocol has been performed. To sustain the security analysis some reasonable assumptions have been made

Assumption 1: The tag id 𝑥_𝑡 is kept secret between the tag and the server only.

Assumption 2: The adversary can obtain common system parameters from a corrupted tag.

Assumption 3: The random numbers 𝑣 and 𝑣_𝑠 chosen by the tag and the server respectively are fresh in every session.

Assumption 4: The encryption algorithm 𝐸_𝐾 is secure enough such that an 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 is unable to decode ciphertext 𝑐.

Assumption 5: If 𝑇 = 𝑟𝐺 then the adversary cannot obtain 𝑟, given T, due to the strength of ECDLP.

(1) Confidentiality

Confidentiality is the assurance that the messages to be kept secret, must not be readable by the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 during the transit. In the proposed protocol, three messages are transferred between the server and the tag. The first one is the public key of server 𝑃𝑠 sent by the server to the tag. Since the public key of the server is a public parameter, it can be sent as plaintext. The second message is the signcrypted text {𝑐, 𝑇, 𝑤} sent by the tag to the server. All the three components of the signcrypted text {𝑐, 𝑇, 𝑤} are generated in a way that they do not reveal any secret information to the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴. The 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 cannot decrypt 𝑐 since it needs private quantities 𝑣 and 𝑥_𝑡 of the tag to generate the key 𝑘. By the property of ECDLP, the𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 cannot generate 𝑟, given 𝑇 and 𝐺. The component 𝑤 has been produced by dividing private number 𝑣 of the tag by 𝑟. Obtaining 𝑤 is not possible for adversary as 𝑣 and 𝑟are secretly generated by the tag. The third message is {𝑎_𝑠} and without knowing the key 𝑘and tag id 𝑥_𝑡 adversary cannot understand {𝑎_𝑠}. Therefore, the proposed protocol successfully provides confidentiality attribute.

(2) Mutual Authentication

(i) Authentication of the Tag by the Server - Upon receiving the signcrypted text {𝑐, 𝑇, 𝑤} from the tag, the server first generates the key 𝑘′ and decrypts 𝑐 to get the tag pseudonym 𝐼𝐷′. Thenit searches its database to find the matching tag id 𝑥_𝑡 of the tag. If a matching tag id is found, it calculates 𝑟′. Finally the server computes 𝑇′ = 𝑟′𝐺. If 𝑇′ computed by the server is equal to 𝑇 received within the signcrypted text from the tag, then the server authenticates the tag. The value of 𝑇 computed by the tag depends upon the value of 𝑟 and public parameter 𝐺 as 𝑇 = 𝑟𝐺. The value of 𝑟 calculated by the tag depends upon ciphertext 𝑐 and key 𝑘 generated by the tag. In turn, the value of ciphertext 𝑐 and key 𝑘 depends upon the secret values 𝑣 and 𝑥_𝑡, where 𝑣 is the private number generated by the tag and 𝑥_𝑡 is known only to the tag and the server. If an adversary pretends to be legitimate tag then, it should generate the correct value of 𝑇. Since the tag id 𝑥_𝑡 is only available to the server and the tag, no illegitimate tag can generate the correct value of 𝑇. Therefore, the signature generated by the tag is unforgeable.

(ii) Authentication of the Server by the Tag - Upon receiving 𝑎𝑠 from the server the tag computes 𝑎_𝑠′. If 𝑎𝑠 received from the server is equal to the 𝑎_𝑠′ computed by the tag, then the tag authenticates the server. The value of 𝑎𝑠 computed by the server depends upon the tag id 𝑥_𝑡 which is kept secret between the server and the tag. It is impossible for an illegitimate server to generate the correct value of 𝑎_𝑠. Therefore the signature generated by the server isunforgeable.

(3) Integrity

According to the random oracle model, it is not possible for an 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 to find out two messages which provide the same message digest [36]. If an adversary changes any value in{𝑐, 𝑇, 𝑤} it can be easily detected by the server since the key 𝑘′ will not be same as key 𝑘generated by the tag, which in turn will enable the incorrect generation of 𝑇′ by the server. The authentication, in this case will fail and the server will terminate the session. Similarly, if an 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 modifies the message 𝑎_𝑠 in transit then it can be easily detected because it will not be same as the value of 𝑎_𝑠′ computed by the tag and the tag will terminate the session. Thus the integrity of the messages is ensured in the proposed protocol.

(4) Non-repudiation

The value of all the three components in the message {𝑐, 𝑇, 𝑤} sent by the tag to the receiver depends upon the tag id 𝑥_𝑡. Similarly, the message {𝑎_𝑠} sent by the server to the tag is also a function of the tag id 𝑥_𝑡. According to Assumption 1, if 𝑇 = 𝑇′ then the tag cannot deny that it has sent the message and if 𝑎_𝑠 = 𝑎_𝑠′ then the server cannot deny that it has sent the message.

(5) Forward Security

Even if an 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 somehow knows the tag id 𝑥_𝑡 , then also it cannot obtain the previous messages, since the messages {𝑐, 𝑇, 𝑤} and {𝑎_𝑠} sent by the tag and the server respectively, depends upon the key generated by both the parties, which in turn depends upon the private random numbers 𝑣 and 𝑣_𝑠 chosen by the tag and the server respectively. So the proposed protocol provides forward security as the adversary cannot get the past messages and use them later.

(6) Availability

In the messages sent between the tag and the server, tag id 𝑥_𝑡 remains same and the adversary cannot access it. Furthermore, the tag pseudonym 𝐼𝐷 which is transmitted to the server is updated after each session in updating phase explained in sub-section 4.3. Updating the tag pseudonym 𝐼𝐷 for both the tag and the server ensures that both the server and the tag are always synchronized. Therefore, the proposed protocol offers de-synchronization and meets the availability requirement.

(7) Anonymity

In the proposed protocol the only confidential information of the tag to be transmitted between the server and the tag is tag id 𝑥_𝑡. In the signcrypted message sent by the tag to the server, the security of the tag id 𝑥_𝑡 is maintained by performing XOR operation between the tag id 𝑥_𝑡 and 𝑣𝑃_𝑠. Moreover, the hash function is also applied over the result obtained from XOR operation. To obtain 𝑥_𝑡, an adversary needs to know the generated key 𝑘 and the private random number 𝑣 of the tag, which is not possible. Similarly in the message {𝑎_𝑠} sent by the server to the tag, secrecy of the tag id 𝑥_𝑡 is maintained by performing XOR operation between the tag id 𝑥_𝑡 and 𝑇′ and then encrypting the result of XOR using key 𝑘′. To get the value of 𝑥_𝑡 the adversary needs to decrypt the 𝑎_𝑠 which is not possible as it doesn’t know the key 𝑘′. So,the proposed protocol provides tag anonymity.

(8) Scalability

A scalable security protocol for RFID should avoid computational workload in proportion to the number of tags. In step 3 of the protocol, the server searches its database and finds the tag identifier 𝑥_𝑡 corresponding to the unique pseudonym 𝐼𝐷 received from the tag. Therefore the server does not require linear search to know the identity of each tag [22]. In the proposed protocol the server takes 𝑂(1) time to search the matching tag, thus saving a huge amount of cost as the number of tag increases in the system. Therefore, the proposed protocol provides scalability.

6.2 Analysis of Resistance against Attacks

An RFID security protocol must be able to counter the attacks made on the RFID system. The strength of the proposed RFID security protocol against different attacks, has been analyzed in this sub-section. To model the active and passive attacks launched by the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴between the server Ś and the tag 𝑇, we consider the attack model given by Ouafi and Phan [35] in which three queries can be generated by the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 .

Query 1: 𝐸𝑥𝑒𝑐𝑢𝑡𝑒(Ś, 𝑇, 𝑘) – For passive attacks, we assume that the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴eavesdrops the channel between Ś and 𝑇 to get honest execution of session 𝑘 of the protocol.

Query 2: 𝑆𝑒𝑛𝑑 (𝑈, 𝑉, 𝑘, 𝑀) – For active attacks, the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 impersonate a reader𝑈 ∈ 𝑅𝑒𝑎𝑑𝑒𝑟 (respective tag 𝑈 ∈ 𝑇𝑎𝑔𝑠) in some session 𝑘 of the protocol and sends its chosen message 𝑀 to an instance of some tag 𝑉 ∈ 𝑇𝑎𝑔𝑠 (respective reader 𝑉 ∈ 𝑅𝑒𝑎𝑑𝑒𝑟𝑠).

Query 3: 𝐶𝑜𝑟𝑟𝑢𝑝𝑡(𝑇,𝐾) – This query permits the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 to obtain the secret K storedon the tag. Since no secret key K is stored on the tag in the proposed protocol, this query can be omitted.

(1) Resistance against Replay Attack

An adversary eavesdropping the channel may pretend to be a legitimate tag or server by replaying the past messages sent between the server and the tag. When an 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴eavesdrops the messages between the tag and the receiver it can obtain {𝑃_𝑠, 𝑐, 𝑇, 𝑤, 𝑎_𝑠} and can replay the messages to the server or to the tag to produce an unauthorized effect. In the proposed protocol private random numbers are used and the tag pseudonym 𝐼𝐷 is updated to 𝐼𝐷^𝑛𝑒𝑤 after each session, hence the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 is unable to use the previously recorded messages in a new session to befool the tag or the server.

(i) If an 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 tries to pretend to be a legitimate tag and sends the past recorded message {𝑐, 𝑇, 𝑤} to the server, then the server performs the following computations:

Computes the key as 𝑘′ = ℎ𝑎𝑠ℎ(𝑣_𝑠𝑤𝑇 ⊕ 𝑥_𝑡)

Decrypt the tag pseudonym as 𝐼𝐷′ = 𝐷_𝑘′ (𝑐)

Since 𝐼𝐷′ ≠ 𝐼𝐷^𝑛𝑒𝑤 the server cannot find a matching 𝑥_𝑡 and terminates the session.

(ii) If an 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 tries to pretend to be a legitimate server and sends the past recorded messages {𝑃_𝑠} and {𝑎_𝑠} to the server, then the tag performs the computations given below.

• Upon receiving {𝑃_𝑠} the tag does the following for the new session started by the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴:

𝑅𝑎𝑛𝑑𝑜𝑚𝑙𝑦 𝑠𝑒𝑙𝑒𝑐𝑡𝑠 𝑎𝑛 𝑖𝑛𝑡𝑒𝑔𝑒𝑟 𝑣^𝑛𝑒𝑤 (𝑣^𝑛𝑒𝑤 ∈ 𝑍_𝑛)

𝑘^𝑛𝑒𝑤 = ℎ𝑎𝑠ℎ(𝑣^𝑛𝑒𝑤𝑃_𝑠 ⊕ 𝑥_𝑡)

𝑐^𝑛𝑒𝑤 = 𝐸_{𝑘𝑛𝑒𝑤} (𝐼𝐷^𝑛𝑒𝑤)

𝑟^𝑛𝑒𝑤 = ℎ𝑎𝑠ℎ(𝑐^𝑛𝑒𝑤 ⊕ 𝑘)

𝑤^𝑛𝑒𝑤 = (𝑣^𝑛𝑒𝑤 / 𝑟^𝑛𝑒𝑤)

𝑇^𝑛𝑒𝑤 = 𝑟^𝑛𝑒𝑤G

• Upon receiving {𝑎𝑠} from the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 the tag computes

\(a_{s}^{n e w}=E_{k n e w}\left(T^{n e w} \oplus x_{t}\right)\)

Clearly, \(a_{s}^{n e w} \neq a_{s}\) as the random number 𝑣^𝑛𝑒𝑤 and the updated tag pseudonym 𝐼𝐷^𝑛𝑒𝑤 has been used by the tag in the new session, instead of 𝑣 and 𝐼𝐷 used in the earlier session. Therefore, the authentication of the server fails and the session is terminated by the tag. The resistance of replay attack by the server and the tag has been demonstrated in Fig. 5 and Fig. 6 respectively.

Fig. 5. Resistance against replay attack by the server.

Fig. 6. Resistance against replay attack by the tag.

(2) Resistance against Cloning Attack

Liao and Hsiao [22] have mentioned that if the same shared secret key is used in the authentication of a group of tags by the server, it is vulnerable to cloning attack. In the proposed protocol since there is no shared secret key stored on the tag, and the key is generated dynamically by the tag for each session, the adversary cannot steal the secret information to clone the tag. Even if the adversary is able to get unique id 𝑥_𝑡 for a group of tags, it cannot obtain 𝑥_𝑡 for other tags, since 𝑥_𝑡 is a random point chosen in the proposed protocol.

(3) Resistance against Location Tracking Attack

In our protocol, the messages transmitted between the tag and the server are protected such that an adversary cannot steal the tag id 𝑥_𝑡. When the tag sends the message {𝑐, 𝑇, 𝑤} the adversary is unable to extract 𝑥_𝑡 from this, since it has to solve ECDHP which is computationally hard. Similarly, when the server sends the message {𝑎_𝑠} to the tag the attacker cannot decrypt 𝑎_𝑠 since it is not in the possession of key 𝑘′ which is privately generated by both the server and the tag. Moreover, private random numbers are used in generating the messages. Therefore, the attacker cannot obtain the location information, and the proposed protocol is secure against location tracking attack.

(4) Resistance against De-synchronization Attack

In the de-synchronization attack, the adversary prevents simultaneous updating of the secret information shared between the server and the tag. When an attacker performs de-synchronization attack and intercepts the messages, it is possible that the server doesn’tupdate the entry of the tag while the tag does it [8]. To thwart de-synchronization attack the server stores both the previous tag pseudonym 𝐼𝐷 and the updated tag pseudonym 𝐼𝐷^𝑛𝑒𝑤 in its database. When the adversary transmits the message {𝑐, 𝑇, 𝑤} to the server, the server decrypts the component 𝑐 and identify that whether the decrypted value is previous tag pseudonym 𝐼𝐷or it is the updated tag pseudonym 𝐼𝐷^𝑛𝑒𝑤. Moreover, since the proposed protocol provides the mutual authentication and data integrity, the de-synchronization of shared secret cannot be performed by the attacker.

(5) Resistance against DoS Attack

In the proposed protocol, there is no synchronous updating of secret key between the serverand the tag. The only synchronous update is updating the tag pseudonym 𝐼𝐷. It has already been revealed that the proposed protocol provides availability and can resist de-synchronization attack in updating the tag pseudonym 𝐼𝐷, thus it can withstand DoS attack.

(6) Resistance against Impersonation Attack

An adversary eavesdropping the channel may try to impersonate to be a legitimate tag or server after reading the messages sent between the server and the tag.

(i) In the server impersonating attack, which is also called server spoofing attack, an adversary tries to mimic the behaviour of the server to the tag. In doing this, the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 first selects a random number 𝑣_𝑎 and computes 𝑃_𝑎 = 𝑣_𝑎𝐺, then it sends {𝑃_𝑎} to the tag. The tag then transmits the message {𝑐, 𝑇, 𝑤} to the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴. After receiving {𝑐, 𝑇, 𝑤} 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 cannot generate the key 𝑘′ correctly and in turn it is not able to generate the message {𝑎_𝑠} such that 𝑎𝑠 is same as 𝑎_𝑠′ produced by the tag. Since 𝑎_𝑠 ≠ 𝑎_𝑠′ the tag terminates the session. So, the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 fails to mimic the behaviour of the server to the tag and thus our protocol is safe against server impersonating attack. Resistance against server impersonation has been demonstrated in Fig. 7.

Fig. 7. Resistance against server impersonation attack.

(ii) An attacker may also try to mimic the behaviour of the tag to the server, this kind of impersonation is also known as tag masquerade attack. When the server sends the message{𝑃_𝑠} to the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴, the adversary should create and send the message {𝑐, 𝑇, 𝑤} to thetag. Since the 𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 cannot obtain 𝐼𝐷 and 𝑥_𝑡 , it is unable to generate the message{𝑐, 𝑇, 𝑤} correctly. At the server side, when the server decrypts the component 𝑐 to retrieve 𝐼𝐷, it cannot find a matching record in the database and terminates the session. Even if the𝐴𝑑𝑣𝑒𝑟𝑠𝑎𝑟𝑦 𝐴 uses the 𝐼𝐷 of the previous session then also it cannot impersonate the server as the protocol is resistant from replay attack. Resistance against tag impersonation has been shown in Fig. 8.

Fig. 8. Resistance against tag impersonation attack.

(7) Resistance against Man In The Middle (MITM) Attack

In MITM attack, an adversary sits between the tag and the server, and modifies the messages sent from the server to the tag and from the tag to the server, to make tag and server believe that they are communicating with the legitimate party [15]. As discussed in section 6.2 that the proposed protocol is resistant against tag impersonation and server impersonation, hence the proposed protocol can also counter MITM attack.

(8) Resistance against Key Compromise Attack

In a key compromise attack, an attacker somehow obtains the private key of a party and then impersonate the corrupted party to the other legitimate parties [34]. In the proposed RFID protocol the private keys 𝑣 and 𝑣_𝑠 are generated at random by both the tag and the server respectively which are then used in the dynamic generation of the shared key. Even if the attacker somehow knows the long term private key of the tag or the server, it cannot generate the shared secret key correctly since it needs to obtain 𝑥_𝑡 which is kept secret.

7. Performance Analysis

In this section, the performance of the proposed RFID security protocol has been analyzed by measuring computational overhead, communication cost, and storage cost taken by the protocol. Moreover, a comparison of security functionalities and the costs have been made in this section to prove that the proposed protocol is efficient than the other schemes mentioned in [8, 18, 22, 23, 26, 37, 38]. It has been assumed that 160 bit ECC has been used and the tag memory is 504 bytes for all the protocols. The proposed protocol uses the SHA-1 algorithm for generating the hash code, and AES-128 algorithm for encryption and decryption.

7.1 Analysis of Computational Cost

The computational time of a security protocol depends upon the time taken by different operations executed by the protocol. The computational time of ECC based RFID protocols is proportional to the number of elliptic curve scalar multiplication (ECSM) operation executed since it is the most complicated and time-consuming operation. The time consumed by other operations is very small in comparison to ECSM operation and therefore can be ignored. It takes 0.064 sec on a 5 MHz tag to compute a single ECSM operation [13]. In the proposed signcryption based RFID protocol three ECSM operations are performed by the server and two ECSM operations are performed by the tag. So, the time consumed by the tag is 0.128 sec,the time taken by the server is 0.192 sec, and the total time taken by the proposed protocol is 0.32 sec. Comparison of computational costs of related protocols have been made and shown in Table 3. A graphical representation of the computational time of these protocols has been shown in Fig. 9(a). From Table 3 and Fig. 9(a) it has been revealed that the computational cost of the proposed elliptic curve signcryption based protocol is less than that of the other elliptic curve based protocols.

Table 3. Computational costs of different protocols.

Fig. 9(a). Comparison fo computational costs.

7.2 Analysis of Communication Cost

Communication cost can be calculated by computing the size of messages exchanged between the tag and the server during the execution of the protocol. In the proposed protocol, three messages {𝑃_𝑠}, {𝑐, 𝑇, 𝑤}, and {𝑎_𝑠} are transmitted. Since 160 bit ECC has been used, the size of each elliptic curve point (𝑥, 𝑦) is 320 bits. Assuming that 128-bit AES with the 128-bit key has been used for encryption which generates the 128-bit ciphertext. The communication cost of the proposed protocol is computed as:

Tag’s communication cost = 256+320+160= 736 (bits)

Server’s communication cost = 320+256= 576 (bits)

Total communication cost of the proposed protocol = 1312 (bits)

A comparison of the communication costs of the related protocols has been shown in Table 4. Fig. 9(b) shows the graphical analysis of the comparison of the communication cost of different RFID protocols.

Table 4. Commmunication costs and storage cost of different protocols.

Fig. 9(b). Comparison of communication costs.

7.3 Analysis of Storage Cost

The storage cost indicates the amount of memory space required to store the information on the server and the tag. Although it has been assumed that the tag has limited memory space and the server has the capability of storing a large amount of data in its memory, but the server has to store the data for 𝑚 number of tags belonging to the system. Therefore, analysis of the storage cost of both the server and the tag has been performed in this sub-section. In the proposed security protocol the tag is required to store system parameters {𝑞, 𝐴, 𝐵, 𝐺, 𝑛}, the public key 𝑃𝑠 of the server, tag’s unique id 𝑥_𝑡 and the unique pseudonym of the tag 𝐼𝐷. Based on the assumptions the storage cost of the tag is calculated as:

160+160+160+320+160+320+320+160 = 1760 (bits). For the server, it is assumed that there is 𝑚 number of tags in the system. The server is required to store system parameters {𝑞, 𝐴, 𝐵, 𝐺, 𝑛}, the private key of the server 𝑣_𝑠, tag id 𝑥_𝑡, the unique pseudonym of the tag 𝐼𝐷 and 𝐼𝐷^𝑛𝑒𝑤. The storage space required by the server can be calculated as:160+160+160+320+160+160+320m+160m+160m = 1120+640m (bits). Comparison of storage cost consumed by different RFID security protocols has been publicized in Table 4. Assuming the value of m=10, a graphical representation of this comparison is shown in Fig. 9(c).

Fig. 9(c). Comparison of storage costs.

7.4 Comparison of Security Functionalities

As mentioned in section 6 of this paper, the proposed signcryption based security protocol provides confidentiality, mutual authentication, integrity, forward security, availability,non-repudiation, anonymity, and scalability which are the necessary security attributes for an RFID system. At the same time, the protocol has the capability to resist replay attack, cloning attack, location tracking attack, de-synchronization attack, denial of service attack,impersonation attack, man-in-the-middle attack, and key compromise attack. The security functionalities of the proposed protocol have been compared with other related protocols and presented in Table 5. By analyzing Table 5, it has been revealed that the proposed protocol provides all the necessary security attributes, at the same time successfully resisting the security attacks made on an RFID system.

Table 5. Comparison of security functionalities of different protocols

CO-Confidentiality, MU-Mutual authentication, IN-Data integrity, NR-Non Repudiation, FW-Forward security, AV-Availability, AN-Anonymity, SC-Scalability, LO-Location privacy, MI-Man in the middle attack, RP-Replay attack, IM-Impersonation attack, KE-Key compromise attack, LC-location tracking attack, DO-Denial of service attack, CL-Cloning attack, SS-Server spoofing attack,DE-De-synchronization attack. -Security functionality satisfied, × - Security functionality not satisfied.

8. Discussion

This section presents a brief discussion of the results and comparisons made in section 7. The proposed elliptic curve signcryption based protocol has been compared on the basis of computational cost, communication cost, storage cost, and security functionalities with the protocols mentioned in [8, 18, 22, 23, 26, 37, 38]. As depicted from Table 5, the protocols in[18, 22, 23, 26, 37] fail to provide some set of security functionalities and are not found suitable for an RFID system. The proposed protocol and the protocols mentioned in [8,38] are the only protocols which provide all the necessary security functionalities. From Table 3 and Table 4 it has been realized that both the computational cost and storage cost for the tag in the proposed protocol is less than that of Dinarvand and Barati [8] and Zheng et al. [38]. Furthermore, the tag’s computational cost in the proposed protocol is least in all the protocols mentioned in Table 3, which makes it attractive to be used for RFID systems. The tag’scommunication costs in the proposed protocol is less than Dinarvand and Barati’s protocol [8] but more than Zheng et al.’s protocol [38]. Moreover, in the proposed protocol the unique tag pseudonym 𝐼𝐷 is encrypted and then send through the channel, making the protocol more secure. Since the proposed protocol provides all the necessary security functionalities at the same time taking less computational cost and storage cost for the tag, it is ideal for securing an RFID system.