Computer Networks 122 (2017) 70–82

Contents lists available at ScienceDirect

Computer Networks
journal homepage: www.elsevier.com/locate/comnet

A secure search protocol for low cost passive RFID tags
Saravanan Sundaresan a, Robin Doss a,∗, Selwyn Piramuthu b, Wanlei Zhou a
a
b

School of Information Technology, Deakin University, Australia
Information & Operations Management, University of Florida, USA

a r t i c l e

i n f o

Article history:
Received 12 July 2016
Revised 8 March 2017
Accepted 7 April 2017
Available online 18 April 2017
Keywords:
RFID secure search
EPC C1G2 passive tags
Security protocols

a b s t r a c t
We propose a secure RFID tag search protocol that ensures the security and privacy of the tags being

searched. To our knowledge, not much work has been done in this area of RFID systems. Further, most of
the current methods do not comply with the EPC standard as they use expensive hash operations or encryption schemes that cannot be implemented on resource-constrained, low-cost passive tags. Our work
aims to fill this gap by proposing a protocol based on quadratic residues which requires the tags to perform only simple XOR, MOD and 128 bit PRNG operations, thus achieving compliance with EPC standards.
Our protocol also addresses the vulnerabilities in the protocol proposed by Sundaresan et al. (2012) [1]
which is not forward secure, and the weak message construction leading to incorrect tag authentication.
We present a detailed security analysis to show that the proposed method achieves the required security
properties and the simulation results show that the proposed method is scalable.
© 2017 Elsevier B.V. All rights reserved.

1. Introduction
RFID applications span a wide variety of applications that include close physical proximity readers (e.g., Near Field Communications[NFC] applications), tags that initiate conversations (e.g.,
active tags), tags that have associated sensors (e.g., semi-passive
tags with sensors that measure temperature, pressure, light, etc.),
tags that cannot initiate conversations (e.g., passive tags), among
others. Unlike NFC (Near Field Communication) applications where
the involved reader(s) read one (or less than a handful at most)
RFID tag(s), a majority of other RFID applications necessarily involve readers with simultaneous access to several (e.g., dozens,
hundreds) tags. While such a setup does not work in bar code
applications, RFID systems routinely simultaneously scan several
dozen RFID tags to locate the one of interest. Such applications are
common in retail store as well as warehouse applications.
While the functionality of such RFID tag searches cannot be
argued, there exist associated privacy and security concerns with
specific emphasis on tracking RFID-tagged items. For example, an
adversary with the ability to eavesdrop on the communication between tag and reader is able to track that tagged object with a
significantly high level of probability even though the tag’s identity may be unknown to this adversary. In the worst case scenario,
the adversary may decipher enough information from such communication to be able to clone or impersonate the tag. Any com-

∗


Corresponding author.
E-mail address: (R. Doss).

/>1389-1286/© 2017 Elsevier B.V. All rights reserved.

munication between trusted readers and tags opens up the avenue
for vulnerabilities such that the very act of replying to a query can
be used to identify a tag [2]. For example, based on the communicated message signature (e.g., passports from different countries)
alone, an adversary has enough information (here, the nationality
associated with a given passport) to be able to misuse (e.g., mount
an attack on the RFID-tagged item holder) that information. It is
therefore paramount to ensure that the protocols that are used in
these RFID tag searches by readers are secure.
1.1. Motivation
Given that RFID tags are extremely resource-constrained devices, security and privacy concerns need to be addressed under
these hard constraints with respect to processing power and storage capacity. Clearly, relatively expensive computations (e.g., the
use of hash functions) can be prohibitive in basic (passive) RFID
tag applications. An overwhelming majority of proposed methods
in extant literature do not comply with the EPC standard for passive RFID tags since they use hash functions that require 8–10K
gates [3]. However, low-cost passive tags can only accommodate
roughly about 2.5 − 4.5K gates to implement security features [3–
5], and this amount is also insufficient for standard cryptographic
techniques such as RSA [6]. Although cheaper cryptographic alternatives such as Elliptic Curve Cryptography (ECC) exist [7], the
practical implementation of ECC on low cost RFID tags taking into
account tag cost, gate count and power consumption and is still an
open research problem [8]. As illustrated by Batina et al. [9] and
Lee et al. [10], implementation of ECC would require between 8.2K


S. Sundaresan et al. / Computer Networks 122 (2017) 70–82


and 15K equivalent gates. Complex encryption schemes such as
AES take up to 3400 gates as seen in [11] and are very slow. Physically Unclonable Functions (PUF) and and Linear Feedback Shift
Registers (LFSR) based hash-functions require 1400 gates, but they
are difficult to analyze since they are influenced by the physical
environment [12]. Also, another major drawback of PUF is that it
can produce fluctuating results based on the operating conditions
[3]. Thus, the large-scale implementation of PUF also remains an
open research problem.
The EPC standards (including EPC G2v2) suggest the use of
16 bit Cyclic Redundancy Check (CRC) and 16 bit Pseudo Random
Number Generators (PRNG) for security operations in passive tags.
However, CRC suffers from linearity-related issues while a 16-bit
PRNG is not secure and vulnerable to a brute-force attack. Therefore, there is a need for the use of more secure primitives. For instance, Lee and Hong [13] have proposed an authentication protocol for passive tags using 128 bit PRNG with 1435 gates (within
517 clock cycles and 64B memory) and Sundaresan et al. [14] have
proposed a grouping proof protocol using 128bit PRNG. The 128bit
PRNG in [13] utilizes a Self-Shrinking Generator (SSG) based on
a Linear Feedback Shift Register (LFSR), an algorithm designed by
Meier and Staffelback [15]. Improved versions of SSG by MolinaGil et al. [16] resolve the linearity issues in SSG; Tasheva et al.
[17] prove that PRNG can resist exhaustive search and entropy attacks and Burmester et al. [18] show that PRNG is resistant to active attacks such as online man-in-the-middle relay attacks.
Our protocol is based on Quadratic Residues (QR) which uses
128 bit PRNG and modular (MOD) operations. The strength of the
PRNG is an added advantage to QR, as the latter guarantees that an
attacker cannot decipher the messages without the knowledge of
the prime numbers that only the server knows. Hence, from a security perspective the use of QR is well supported. Modular squaring takes only a few hundred gates [19,20] and with 1.5K gates for
the 128 bit PRNG, our protocol can be implemented in less than
2.5K gates, which is a significant advantage considering the limitations of the passive tags. Our protocol achieves EPC compliance
since no hash functions or other complex encryption schemes are
used which makes the scheme practical.
1.2. Security properties fulfilled by our scheme

Our protocol offers the following security properties based on
[21–26].
• Tag/Reader anonymity: The protocol protects against information
leakage that can lead to disclosure of a tag’s/reader’s real identifier. This is important as otherwise an attacker may be able to
clone a valid tag/reader.
• Tag/Reader location privacy: The protocol ensures that the message contents are sufficiently randomized so they cannot be
used to track the tag’s/reader’s location(s) and thereby glean
social information about the wearer of the tag/reader.
• Forward secrecy: The protocol ensures that on compromise of
the internal secrets of the tag, its previous communications
cannot be decrypted by the attacker. This requires that previous messages are not dependent on current resident data on
the tag.
• Replay attacks: The protocol resists compromise by an attacker
through the replay of messages that have been collected by an
attacker during previous protocol sequences. This requires that
messages in each round of the protocol are unique.
• Denial of service (DoS): The protocol can recover from incomplete protocol sequences that can occur due to an attacker selectively blocking messages. Importantly, such blocking of messages by an attacker does not lead to desynchronization between the tag and the servers.

71

• Reader/Tag/Server impersonation Attack: Since the protocol is
serverless, server impersonation attack is not applicable in this
scenario. The protocol ensures that the tag cannot be impersonated by an attacker to the reader (and vice versa). This requires
that the reader challenges the tag, to prove its legitimacy and
the tag does the same to the reader.
The main contributions of this paper include:
• A novel approach to secure search in RFID systems based on
quadratic residues and in conformance to EPC standard. As
noted by Burmester et al. [27] and Chen et al. [28], quadratic
residues can be implemented on low-cost RFID tags by replacing modular squaring with integer squaring which results in a

circuit complexity of less than 10 0 0 gates.
• A secure search protocol that fixes the forward secrecy in the
protocol proposed by Sundaresan et al. [1] and addresses the
weak message construction issue (owing to the limitations of
the XOR operation), that could potentially lead to incorrect tag
authentication.
• A secure search protocol that does not use hash functions or
expensive encryption functions, making it a viable option for
large-scale implementations on low-cost passive tags. Also, the
protocol is suitable for mobile RFID readers and environments
as we do not make any secure channel assumptions between
the reader and the server.
The remainder of the paper is organized as follows.
Section 2 covers related work in the secure search area. The
protocols are briefly described and vulnerabilities (if any) are
identified. Section 3 provides detailed description of the proposed
protocol. Section 4 discusses the security analysis of the proposed
protocol and Section 5 concludes the paper.
2. Related work
While there has been a significant amount of work done in
the areas of RFID mutual authentication [29] and tag ownership/delegation [30], it is not the case for secure search. Tag search
being an important functionality, there is a need to provide security and privacy. In order to achieve this, a tag should authenticate
the reader before replying and the reader should also ensure that
only legitimate tags understand and respond to the query [31]. Further, an adversary should be prevented from learning the contents
of the query and the query response. As noted in [2], the problem
statement can be simply put as: readers want to query authenticated
tags but tags will only respond to authenticated readers.
Huang and Shieh [32] propose a secret search protocol which
solves the privacy problem by offering a search mechanism over
encrypted data. The protocol conducts search directly on ciphertexts without the need to decrypt them, giving enhanced performance. In the event a reader is compromised, it enables the adversary to recover all the private information. But, if the tags are notified that a reader was compromised, the tags can choose a new

random number to update the original ciphertext. Then, the tag
has to notify all but the compromised readers to update their ciphertexts using the new random number. The main drawback of
this protocol is that it uses one-way hash functions and hence is
not compliant with the EPC standard. Won et al. [33] propose a
search protocol utilizing AES-128 block cipher and timestamp and
without using a central database. The authors claim that the timestamp generated by a portable reader prevents illegal tag-tracking
by an adversary. The protocol also protects a portable reader’s privacy even in an insecure channel by encrypting the Reader ID
using AES-128 block-cipher. It is also noted that tags cannot be
cloned without the knowledge of their secret keys. Also, as there
are no shared secret values between the reader and the tag, DoS


72

S. Sundaresan et al. / Computer Networks 122 (2017) 70–82

and de-synchronization attacks are implicitly prevented. However,
the protocol is not compliant with the EPC standard as low-cost
passive tags cannot support complex encryption schemes such as
AES, which takes roughly 3400 gates [11].
Tan et al. [34] propose a serverless secure search protocol considering the security for both the reader and the tag. As stated earlier, the very act of replying to a query can be used to identify a
tag. The authors suggest different solutions to handle the problem
such as forcing the reader to use different random numbers for
each new query and have the tag store the list of random numbers used in earlier queries. If the tag recognizes an already used
random number it ignores the query. We note that this has severe
limitations such as high storage requirements on the tag side. Another solution is to have all the tags that match the first m bits of
the id respond to the query. This will generate multiple responses
for a single query but this solution does not suit well if the tag
IDs are structured (first few bits denoting the product code, next
few bits the tag origin and so on). The last solution is the use of

noise tags (also suggested by Zuo [35]) where each tag receiving
the query will have some probability (λ, which is pre-determined)
of replying the query even if the query is not intended for that tag.
Won et al. [33] has shown that scheme does not completely solve
the illegal tag tracking problem and also does not consider a reader
holder’s privacy. We note that the reader sends its unique reader
ID in clear text to the tags over an insecure channel since the tags
need the ID for verification. An attacker eavesdropping on a particular reader will be able to track the locations of the reader thereby
compromising the location privacy of the reader and its holder.
Kim et al. [36] propose a serverless search protocol by providing the readers with unique access list with a group of tags that
they are authorized to search. A vulnerability noted by the authors
in this protocol is that the tags should send their group identity
to a querying reader. Also, the tags reply to a search query for
a specific group. Thus, a simple eavesdropping leads to knowing
the group identity of the tags. The suggestion made to group all
tags equally over the entire service area introduces another problem as discussed by the authors. There is a trade-off between the
tag anonymity and the reader anonymity based on the number
of groups. If the number of groups is few, the tag anonymity is
well satisfied because many tags exist in one group but this violates the reader anonymity since the reader can use only a few
pseudonyms which is the same with the number of groups. If the
number of groups is large, then reader anonymity is achieved but
tag anonymity is violated since the number of tags in a group is
small. We further note that broadcasting group-IDs and also the
pseudonyms in the clear is not advisable since these two pieces of
information are vital to providing security to the tags and the readers. Also, tags seem to simply respond to the query without authenticating the reader, whereby an eavesdropper can simply capture the messages, impersonate a reader and replay the messages
to compromise tag location privacy.
Zuo [35] proposes a similar secure search protocol using a
pseudo-random function with a seed and one-way hash function.
The protocol uses noise tags as described above to make the normal tag’s response indistinguishable from that of the noise tags.
The reader only needs to decrypt the first part of the response to

see if it is coming from a normal tag or the noise tag. This reduces
the computational load of the reader. A significant weakness in the
protocol is that the reader stores all tag IDs. The portable and mobile nature of a reader increases the likelihood of it being stolen
[2]. An attacker with a stolen reader will have access to all the information in the reader including the secrets and in this case the
tag IDs as well, leading to tag cloning attack. Kulseng et al. [3] propose a secure search protocol that is based on PUF and LFSR which
is shown to be vulnerable to tracking and desynchronization at-

tack [37]. Some of the advantages of using a PUF circuit in low-cost
RFID system are: a) 64-bit PUF can be implemented using only 545
gates, b) two PUFs are highly unlikely to produce the same output
given the same input, and c) the output is not produced by a mathematical function and so it cannot be calculated or predicted. But
the drawbacks of PUF mentioned in Section 1.1 prevents the largescale implementation in passive tags. Chun et al. [38] proposed a
search protocol for based on symmetric encryption but it has been
shown to be vulnerable to DoS attack by Yoon [39]. Other search
protocols such as [40–43] are not compliant with EPC standard due
to the use of hash functions or other complex encryption schemes
on the tag.
Mtita et al. [44] develop two mutual authentication and tag
search protocols where each reader is allocated a set of tags by the
server through a secure initialization process. The authors claim
that their protocols require low computational resources and that
the reader and tags do not share any secrets. However, the server
does share temporary identifiers and keys of tags along with their
access rights with a reader. These are indeed shared by the reader,
tag, and the server. Both the mutual authentication and tag search
protocols they develop involve the use of hash functions (HMAC)
and are therefore not EPC compliant. Both these protocols are also
vulnerable to DoS and de-synchronization attacks as an adversary
can block the last message and prevent key update by tag and
reader respectively in the mutual authentication and tag search

protocols.
The tag search protocols presented in Zheng and Li [45] use
Bloom filter and hash function to identify the ‘wanted’ tags among
a set of tags that are in the field of the reader. Chen et al. [46] also
make use of Bloom filter but in an iterative manner to identify
wanted tags from unwanted tags in the field of the reader. Both
the reader and tags use hashed functions to determine the bit to
check to see if it is a candidate (i.e., wanted tag).
Several authors use the framed slotted Aloha protocol as a part
of their method. For example, Shahzad and Liu [47] estimate the
size of a given tag population using single as well as multiple
readers with the standardized framed slotted Aloha protocol. The
reader broadcasts the available number of time slots, which is
then hashed by each tag to choose a slot to respond. The average
number of runs in the response is used in the proposed method.
Shahzad and Liu [48] develop a variant of Tree Walking for tag
identification with the use of framed slotted Aloha for tag population size estimation. They attempt to minimize the expected number of queries as well as the expected identification time. It should
be noted that both [47] and [48] do not search for specific tags
but rather perform the preliminary step of estimating the number
of tags in the field of the reader(s). Gong et al. [49] use the framed
slotted Aloha method but with an index where the tags probabilistically decide whether or not to participate and then generate a
hash function value to determine the slot number for response to
reader. Instead of focusing on time efficiency alone, Zhang et al.
[50] use the framed slotted Aloha protocol and consider energy
efficiency as well during tag search with minimal data exchange
between tag and reader.
Wang et al. [51] propose a method to track slow-moving mobile RFID tags using phase periodicity. They also use carrier phase
measurement in GPS to track unknown trajectory of mobile RFID
tags.
Sasagawa et al. [52] develop a system that finds indoor tagged

items based on their distance from the reader and Received Signal
Strength Indicator (RSSI). They use an undirected graph to model
the distance between RFID tagged items in a given indoor location.
The edge-length in the graph is proportional to the distance between the tagged items of interest as represented by their nodes
in the graph.


S. Sundaresan et al. / Computer Networks 122 (2017) 70–82

2.1. Vulnerability in Sundaresan et al.’s protocol
Sundaresan et al. [1] proposed a secure search protocol based
on quadratic residues. The protocol is not forward secure. In flow
1 of the protocol, the reader generates a random number rr which
is hidden in the message y as y = rts j id j rr . This hides the random number in this step but in flow 3, the reader sends rr in the
clear along with the other messages. An adversary eavesdropping
the channels can capture the messages x, y from flow 1 and rr from
flow 2. This defeats the purpose of hiding the random number in
flow 1 and enables the attacker to track the previous communication of the tag in conjunction with a physical tampering of the tag.
Once the tag is tampered, the adversary gets rts, rts−1 . Using y and
rr captured in the previous round and rts−1 from the tampered tag,
he can compute y rr rts−1 which is rr rts j id j rr rts−1 .
Since y is from the previous round, rts would be equal to rts−1 and
hence reveals id. Hence, the protocol is not forward secure. Further,
the equality check used by the tag to verify if x = z can result in incorrect tag authentication. As an example, x = id P RNG(rts j rr )
and x = P RNG(rts j rr ) id will result in the same value but the
operands are not the same in the operation. An attacker could exploit the weakness of this construction and could potentially substitute one or both the operands with an arbitrary value but still
resulting in a valid x. The x = z verification in the tag would be
successful even though the values in the operands are not correct.
Our proposed protocol addresses both the forward security issue
and the equality check weakness in [1].


73

Table 1
Symbol notations.
Notation

Description

S, R, T
AL
TID, h(TID)
RID, h(RID)
ts

Represents Server, Reader and Tag respectively
Access List for the Reader
Unique Tag ID and hash value of TID
Unique Reader ID and hash value of RID
Secret key unique for each tag in the system, used to generate
id = h(T ID, ts ); known only to the server
Random number generated by server and previous value of s
Four large prime numbers generated by server
m = g · h stored in reader and n = p · q stored in the tag
Number of readers that can access a tag
Number of tags a reader is authorized to search
Computed as RT ID = h (T ID ) s
Computed as R−1
= h (T ID ) s−1
T ID

Shared secret between reader and a tag; previous value of rts
Random numbers generated by the reader
Random number generated by the tag
Current and max value for counter
Probability that a tag replies if query is not for that tag
Exclusive-OR Function (XOR) and Concatenation of two values

s, s−1
p, q, g, h
m, n
k
l
RTID
R−1
T ID
rts, rts−1
rr , δ
tr
ctr, cmax

λ

,

x2 , and if a solution exists for (x2 )2 = R mod n, it is clear that the
solution is required to be a perfect square (x2 ). However, of the
four possible solutions (obtained using the Chinese Remainder theorem) only one of those would be a quadratic residue modulo n
satisfying x2 = R mod n [53].

3. The proposed protocol

We now present our proposed protocol that is based on
quadratic residues using simple MOD, XOR and 128 bit PRNG operations. To provide additional security, a blind-factor is used where
necessary to hide the random numbers. The scheme is designed to
conform with the EPC standard (v2.0.1) and the associated ISO/IEC
29,167 since we do not employ any complex encryption schemes or
hash functions while meeting the necessary security requirements
and is designed to be executed as part of the inventory operations
of the reader over a selected tag population. The protocol assumes
that the channel between the reader and server is insecure in addition to the reader-tag channel being insecure. The protocol has
two phases. In the first phase, the back-end server initializes the
tags and the readers with the necessary information such as IDs,
private/shared secrets and so on. The second phase is the search
phase, where the search is conducted using the proposed protocol. Table 1 describes the notations that are used in the proposed
protocol. Note: The protocol is currently designed for cases where
the server can participate in the authentication process. But the
computational power of the RFID readers makes it possible for it
to solve the quadratic residues. Hence the operations done by the
server can be shifted to the reader with much ease which would
enable it perform offline search. Our future work includes a protocol design to include this scenario.
3.1. The quadratic residue property
For a positive integer n, R is its quadratic residue if the congruence x2 = R mod n (where 0 < x < n) has a solution. Suppose
that n = pq where p and q are distinct large primes and that the
congruence x2 = R mod n has a solution x = xo. From the Chinese
Remainder Theorem there are exactly four incongruent solutions of
the congruence x2 = R mod n (i.e., R has four incongruent square
roots modulo n). Knowledge of p and q is required to compute
these solutions. Due to the difficulty of factoring n it is computationally infeasible to find x satisfying x2 = R mod n without knowing p and q [28,53]. Without loss of generality, if x is replaced with

3.2. Setup phase
The setup phase is assumed to occur in a secure environment.

After authenticating the reader R, the server S feeds the reader
with an access list AL which is a list of tags that it is authorized
to search. The reader does not know the secrets of the tag or the
tag ID itself. It only stores the outcome of h(TID, ts ). The server S
also establishes the shared secret rts between the reader and each
tag that the reader is authorized to search. The reader also stores
m, which is the product of g and h and the hashed form of the
reader-ID h(RID). The tag stores the hashed form of tag ID h(TID);
id = h(T ID, ts ); the random number s; n which is the product of
p and q and the current and previous shared reader-tag secrets
rts and rts−1 for each reader. Note that the tag stores the precomputed hashed form of the tag ID and does not perform the
hash function by itself. The server stores TID, h(TID), RID, h(RID),
ts ; prime numbers p, q, g, h; current and previous server-tag shared
secret s, s−1 ; RT ID = h(T ID ) s and R−1
= h(T ID ) s−1 . The server
T ID
also stores two variables ctr and cmax for each tag-reader pair to
keep track of the number of searches performed by the reader. The
ctr variable is initialized to 0 at the start and after each successful search it is incremented by 1. The cmax variable is set to the
desired number of allowed searches. Once ctr reaches cmax the
reader has to renew the search authorization from the server again.
The access list AL for the reader and the tag data TD for k readers
are represented in the following two arrays as:

⎡

h(T ID1 , ts1 )
⎢h(T ID2 , ts2 )
⎢
..

AL = ⎢
.
⎢
⎣ h(T ID , ts )

: id1
: id2
..
:
.
: id

⎤
⎥
⎥
⎥
⎥
⎦


74

S. Sundaresan et al. / Computer Networks 122 (2017) 70–82

Fig. 1. Proposed secure search protocol based on quadratic residues.

⎡

id = h(T ID, ts )


s

Readers :
rts1
rts2
..
.
rtsk

rts−1
1
rts−1
2
..
.
rts−1
k

⎢
⎢
⎢
⎢
⎢
TD = ⎢
⎢
⎢
⎢
⎣

n


⎤
⎥
⎥
⎥
⎥
⎥
⎥
⎥
⎥
⎥
⎦

3.3. Secure search phase
Once the reader is loaded with AL, it can start sending queries
to the tags that it is authorized to search for. The server participates actively in authenticating the different entities involved
in the communication. The workings of the protocol is shown in
Fig. 1. The secure search phase consists of six steps.
1. Step 1: Reader → Tag
(a) Reader generates a random number rr .
(b) It then computes x = id j P RNG(rts j
P RNG(id j rts j ) rr .

rr )

and

y=

(c) x and y are broadcast as the search query to all the tags in

its field.
2. Step 2: Tag ← Reader (All tags receiving the messages perform
the following:)
(a) The random number rr is extracted using y and the stored
id, rts as PRNG(id
rts)
y → rr
(b) The tag checks if id = x P RNG(rts rr ). By using its stored
id and rts and the received x, if the tag is able to exactly
match its id then it can be sure of the authenticity of the
reader. This is where the weakness in [1] is fixed. Further,
this confirms to the tag that the query is for itself in which
case it performs the following:
i. Tag generates a random number tr .
ii. It then computes α = h(T ID ) rr s tr ; α = α 2 mod n;
α = (α 2 )2 mod n. Note: h(TID) is stored in the tag during the setup phase and not computed by the tag.
iii. Similarly tr is computed as tr = (tr2 )2 mod n.
(c) If the above check fails, the tag restarts this step using rts−1 .
If both rts and rts−1 do not return a valid id, then the tag
responds with a probability of λ. This is done to accomplish
tag location privacy and to prevent an adversary from being


S. Sundaresan et al. / Computer Networks 122 (2017) 70–82

be able to distinguish between the real tag’s reply and the
noise replies.
(d) If id was matched using rts then update rts−1 ← rts and rts
← PRNG(rts)
(e) The tag then sends back α and tr to the reader.

3. Step 3: Once the reader receives the response from the tag it
performs the following:
(a) Reader generates a random number δ .
(b) It then computes μ = h(RID ) rr δ ; μ = μ2 mod m; μ =
(μ2 )2 mod m.
(c) Similarly, δ and rr are computed as δ = (δ 2 )2 mod m and
rr = (rr2 )2 mod m. By computing rr , the forward security issue in [1] is fixed. Even if the adversary captures the messages by eavesdropping, he still cannot compute rr without
the knowledge of the factors of m.
(d) The reader then sends α , tr , μ , δ , rr to the server.
4. Step 4: When the server receives the messages from the reader
it performs the following:
(a) The server solves for μ, δ, rr using g, h.
(b) It then checks if the random number rr is reused. If yes, the
server aborts the process to prevent the replay attack. Otherwise, the server stores rr in the database.
(c) The reader is validated by checking if h(RID ) = μ δ rr . If
the validation fails the server aborts the process. Note: Because we use a modified form of the quadratic residue property (i.e., (x2 )2 mod n as opposed to x2 mod n), when solving for the quadratic residue, there will always be a unique
solution and not 4 solutions that satisfies the perfect square
(x2 ) requirement. Hence, the number of solutions that the
server will need to compute is at most 5. Due to the computational power of the server, this will not create any overhead.
(d) The server then checks if ctr has reached cmax. If so, it
means the reader has reached the pre-authorized number of search runs and has to go through the setup phase
for obtaining further search rights. The server responds
with an appropriate error to the reader and exits the
operation.
(e) Now, the server solves for α , tr using p and q and validates
the tag by checking if α rr tr = RT ID or R−1
. If the valiT ID
dation fails the server aborts the process.
(f) If the tag is identified using RTID then it updates s−1 ← s and
s ← PRNG(s).

(g) The server then computes acknowledgment ACK = h(T ID )
tr P RNG(α R ) and ACK is computed as ACK = (ACK
δ ) h ( μ ).
(h) The server increments the ctr variable by 1 and ACK is sent
to the reader.
5. Step 5: Once the reader receives the messages from the server
it performs the following:
(a) The reader Verifies if δ is correct in ACK
h(μ) by comparing with the least significant bits of ACK
h(μ), where
is the length of δ . If δ does not match, it aborts the process. Otherwise, it proves to the reader that the server is in
possession of g, h the factors of m and hence the server is
authenticated.
(b) The reader then extracts ACK as ACK = [ACK h(μ )]
and
updates rtsj as PRNG(rtsj )
(c) Finally, the reader then sends ACK to the tag.
6. Step 6: Once the tag receives the response back from the
reader, it performs the following:
(a) The tag verifies if ACK = h(T ID ) tr P RNG(α α ). If successful, it proves that the server is in possession of p, q and
was able to solve for the unique quadratic residues of modulo n. Hence the server is authenticated and by implication
the reader is also authenticated. Otherwise the tag aborts

75

Table 2
GNY Logic - protocol messages and parser outputs.
Protocol messages

Protocol parser output


x, y
α , tr
α , tr , μ , δ , rr

T ∗ (id
PRNG(rts
rr )), ∗ (PRNG(id
rts)
rr )
rr
s
tr )4 mod n), ∗ ((tr )4 mod n)
R ∗ ((h(TID)
rr
δ )4 mod m), ∗ (δ 4
S ∗ (α ), ∗(tr ), ∗ ((h(RID)
mod m), ∗((rr2 )2 mod m )
tr
PRNG(α
R) δ )
h(μ))
R ∗ ((h(TID)
h(μ)] )
T ∗ ([ACK

ACK
ACK

the process. Note that R on the server side and α on the

tag side are the quadratic residues and are the same.
(b) As the last step in the process, the tag updates s as PRNG(s).
4. Security analysis
In this section, we present the security analysis of the proposed
secure search protocol. The security correctness of the proposed
scheme is proved first followed by the privacy properties. We use
formal methods for this purpose.
4.1. Security correctness
GNY mechanism [54] enables a systematic way of understanding the working of cryptographic protocols. It distinguishes between what one possesses and what one believes in. Beliefs and
possessions are monotonic within a given session and the only universal assumption made is that the principals P do not reveal their
secrets. Also, principals are not assumed to be trustworthy and redundancy is always explicitly present in the encrypted messages.
The GNY model enables the expression of different trust levels and
implicit conditions behind protocol steps. We now verify the security correctness of our protocol using this method. The two objectives are that the messages received by each entity came from
a trusted source (belief) and that the messages are fresh. The assumptions, security correctness goals and the security correctness
proof are presented in Tables 2–5.
The GNY postulates used to prove the security correctness is
briefly explained here. T1 is a Being-told Rule denoted by P
X
means that a principal P is being told of a formula X (ex:variable,
constant, secret). P1 is a Possession Rule denoted by P
X means
“P possesses or is capable of possessing X”. P2 is the second possession rule that states that if a principal P possesses two formulae
then he is capable of possessing the formula constructed by concatenating the two formulae as well as a computationally feasible function F of them. F1 is a Freshness Rule denoted by P |≡ #(x )
means <ddq>“P believes in the freshness of X”. I1 is an Interpretation Rule which states that: suppose for a principal P all of the
following conditions hold: P receives a formula consisting of X encrypted with a key K and marked with a not-originated-here mark;
P possesses K; P believes K is a suitable secret for himself and Q;
P believes formula X is recognizable; P believes that K is fresh or
that X is fresh - then, P is entitled to believe that: Q once conveyed X; Q once conveyed X encrypted with K; Q possesses K. J1 is
the Jurisdiction Rule which states that: If P believes that Q is an authority on some statement C and that Q believes in C, then P ought
to believe in C.

4.2. Privacy properties
We study the security and privacy of the proposed scheme
using the adversarial model proposed by Avoine [55]. The notations used here are based on this model and is used to
prove that the protocol meets the security requirements a)
Existential-UNT-QSE - so that an adversary is never capable


76

S. Sundaresan et al. / Computer Networks 122 (2017) 70–82
Table 3
GNY Logic - assumptions used in the analysis.
No.

Assumption notation

Assumption description

A1
A2
A3
A4
A5
A6
A7
A8

R rr
R |≡ #rr
R rts

R |≡ #rts
T tr
T |≡ #tr
T rts
T |≡ #rts

R
R
R
R
T
T
T
T

A9

R |≡ R ←→ T

R believes rts is a suitable secret between itself and T

A10
A11
A12
A13
A14
A15
A16

T |≡ T ←→ R

T s
T |≡ #s
S s
S |≡ #s
R δ
R |≡ #δ

T believes rts is a suitable secret between itself and R
T Possesses s
T believes that s is fresh
S Possesses s
S believes that s is fresh
R Possesses δ
R believes that δ is fresh

A17

T |≡ T ←→ S

T believes ts is a suitable secret between itself and S

A18

S |≡ S ←→ T

S believes ts is a suitable secret between itself and T

rts

rts


ts

ts

Possesses rr
believes that
Possesses rts
believes that
Possesses tr
believes that
Possesses rts
believes that

rr is fresh
rts is fresh
tr is fresh
rts is fresh

Table 4
GNY Logic - security correctness goals.
No.

Goal notation

Goal description

G1
G2
G3

G4
G5
G6
G7
G8
G9
G10
G11

T |≡ R |∼ #(id PRNG(rts rr ))
T |≡ R |∼ #(PRNG(id rts ) rr )
R |≡ T |∼ #((h (T ID ) rr s tr )4 mod n )
R |≡ T |∼ #((tr )4 mod n )
S |≡ R |∼ #((h (T ID ) rr s tr )4 mod n )
S |≡ R |∼ #((tr )4 mod n )
S |≡ R |∼ #((h (RID ) rr δ )4 mod m )
S |≡ R |∼ #(δ 4 mod m )
S |≡ R |∼ #((rr2 )2 mod m )
R |≡ S |∼ #((h (T ID ) tr PRNG(α R ) δ )
T |≡ R |∼ #([ACK h (μ )] )

T believes R
T believes R
R believes T
R believes T
S believes R
S believes R
S believes R
S believes R
S believes R

R believes S
T believes R

h (μ ))

of tracking a tag by interacting with the tag and the reader, eavesdropping on the communications and b) Forward-UNT-QSER which means even by physically compromising a tag that reveals
its internal secrets, an adversary is not able to decrypt its communications in the past. Choosing this privacy model is motivated by
the flexibility of Avoine’s model and the drawbacks associated with
more recent models such as those proposed by Vaudney [56] and
Hermans [57] as noted in [58]. The means of an Adversary  over
tag T and reader R is defined in terms of the oracles as defined in
[55]. In the below oracles, forward channel represents the transfer
of messages from the reader to the tag and the backward channel
represents the transfer of messages from the tag to the reader.
• Query(πTi , m1 , m3 ) - This query models  sending a request m1
to T through the forward channel and subsequently sends m3
after receiving its answer.
j
• Send(πR , m2 ) - This query models  sending the message m2
to R through the backward channel.
j
• Execute (πTi , πR ) - This query models  running an instance of
P between T and R, and obtaining the messages exchanged in
both the forward and backward channels.
j
• Execute ∗ (πTi , πR ) - This query models  running an instance
of P between T and R, and obtaining the messages exchanged
in the forward channel only.
• Reveal (R) (πTi ) - This query models  obtaining the content
of T’s memory channel which can be used only once such that

Query (Q), Send (S), Execute (E) and Execute∗ (E∗ ) cannot be
used any longer.
Theorem

1. The

proposed

Existential-UNT-QSE.

secure

search

protocol

P

is

conveyed
conveyed
conveyed
conveyed
conveyed
conveyed
conveyed
conveyed
conveyed
conveyed

conveyed

#(id PRNG(rts rr ))
#(PRNG(id rts ) rr )
#((h (T ID ) rr s tr )4 mod n )
#((tr )4 mod n )
#((h (T ID ) rr s tr )4 mod n )
#((tr )4 mod n )
#((h (RID ) rr δ )4 mod m )
#(δ 4 mod m )
#((rr2 )2 mod m )
#((h (T ID ) tr PRNG(α R ) δ )
#([ACK h (μ )] )

h (μ ))

Proof. Consider that an adversary has access to the Q-oracle such
that ωi (T1 ) ∈ {Query(πTi , ∗ )} and ωi (T2 ) ∈ {Query(πTi , ∗ )}. For any
1

2

protocol interaction Ii whose length is ≤ Pchal , based on the output m2 {(α , tr )} of the Q-oracle, α is guaranteed to be not
connected since α = h(T ID ) rr s tr where rr (hidden using
blind-factor) and tr are freshly generated random numbers and s
is updated after each successful run. By a similar argument, tr is
also not connected since tr is a freshly generated random number which cannot be solved without the knowledge of the factors
of n. As seen, TID is never sent during the communication and id
which is h(TID, ts ) is well enciphered in the messages which cannot
be obtained without the knowledge of rts, rr , tr , s and the factors

p, q thus providing tag anonymity and tag location privacy. By a
similar argument, RID is not sent during the communication and
h(RID) is well protected in μ and cannot be obtained without the
factors of g, h thereby providing reader anonymity and reader location privacy.
To avoid impersonation attack, in the backward channel, the
tag challenges the server with α , tr where α is computed using
the secret s, freshly generated tr and the received rr (hidden using blind-factor). The sever solves for α using CRT and the factors,
and if it can successfully identify the tag in the system then the
authenticity of the tag is proved. An adversary can neither compute a valid α nor solve α without the knowledge of s, rr , tr and
the factors p, q, g and h and thus cannot impersonate the tag. In
a similar fashion, an adversary cannot impersonate the server by
guessing m3 {(ACK)} without the knowledge of R. Using α that
the tag computed, it verifies m3 . If it is successful, the tag authenticates the server because only a valid entity with the knowledge
of p and q can solve α or its quadratic residue R whereas an ad-


S. Sundaresan et al. / Computer Networks 122 (2017) 70–82

77

Table 5
GNY Logic - security correctness proof.
No

Proof notation

GNY postulate

V1
V2

V3
V4
V5
V6
V7
V8
V9
V10
V11
V12
V13
V14
V15
V16
V17
V18
V19
V20
V21
V22
V23
V24
V25
V26

T (id
PRNG(rts
rr )), (PRNG(id
rts)
rr )

PRNG(rts
rr )), (PRNG(id
rts)
rr )
T (id
T |≡ #(id PRNG(rts rr )), (PRNG(id rts ) rr )
T |≡ R |∼ #(id PRNG(rts rr ))
T |≡ R |∼ #(PRNG(id rts ) rr )
rr
s
tr )4 mod n), ((tr )4 mod n)
R ((h(TID)
rr
s
tr )4 mod n), ((tr )4 mod n)
R ((h(TID)
R |≡ #((h (T ID ) rr s tr )4 mod n ), ((tr )4 mod n) mod n
R |≡ T |∼ #((h (T ID ) rr s tr )4 mod n )
R |≡ T |∼ #((tr )4 mod n )
rr
s
tr )4 mod n), ((tr )4 mod n), ((h(RID)
rr
δ )4 mod m), (δ 4 mod m), ((rr2 )2 mod m )
S ((h(TID)
rr
s
tr )4 mod n), ((tr )4 mod n), ((h(RID)
rr
δ )4 mod m), (δ 4 mod m), ((rr2 )2 mod m )

S ((h(TID)
rr
δ )4 mod m), (δ 4 mod m), ((rr2 )2 mod m )
S |≡ #((h (T ID ) rr s tr )4 mod n ), ((tr )4 mod n), ((h(RID)
S |≡ R |∼ #((h (T ID ) rr s tr )4 mod n )
S |≡ R |∼ #((tr )4 mod n )
S |≡ R |∼ #((h (RID ) rr δ )4 mod m )
S |≡ R |∼ #(δ 4 mod m )
S |≡ R |∼ #(rr2 )2 mod m
tr
PRNG(α
R) δ )
h(μ)
R (h(TID)
tr
PRNG(α
R) δ )
h(μ)
R (h(TID)
R |≡ #(h (T ID ) tr PRNG(α R ) δ ) h (μ )
R |≡ S |∼ #(h (T ID ) tr PRNG(α R ) δ ) h (μ )
h(μ)] )
T ([ACK
h(μ)] )
T ([ACK
h(μ)] )
T | ≡ #([ACK
T |≡ R |∼ #([ACK h (μ )] )

x, y, T1

V1, P1
V2, F1
A2, A4, A9, V3, I1, P2
A2, A4, A9, V3, I1, P2
α , tr , T 1
V6, P1
V7, F1
A2, A6, A12, V8, I1, P2
A6, V8, I1, P2
α , tr , μ , δ , rr , T 1
V11, P1
V12, F1
A2, A6, A12, V13, I1, J1, P2
A6, V13, I1, J1, P2
A2, A16, V13, I1, J1, P2
A16, V13, I1, J1, P2
A2, V13, I1, J1, P2
ACK , T1
V19, P1
V20, F1
A6, A16, V21, I1, P2
ACK, T1
V23, P1
V24, F1
A6, V25, I1, J1, P2

versary cannot do so. By a similar argument, the reader cannot be
impersonated to either the tag or the server and is protected by rts,
rr , μ which cannot be solved without the knowledge of the factors
p, q, g, h. Hence, the protocol is resistent to tag, reader and server

impersonation attacks. Therefore, with the Q-oracle, the advantage
of the adversary is negligible as the adversary does not learn any
useful information. Hence the protocol is Existential-UNT-Q.
Now, consider that the adversary has access to QS-Oracle
such that ωi (T1 ) ∈ {Query(πTi , ∗ ), Send (πTi , m12 )} and ωi (T2 )
1

∈ {Query(πTi , ∗ ), Send (πTi , m22 )} where m2
2

1

2

{(α , tr )}. The ad-

versary on sending m2 as a response to the reader, receives
m3 {(ACK)}. The adversary cannot obtain anything from ACK since
it requires the knowledge of R which is infeasible to calculate
without the knowledge of the factors of n. Hence the adversary
is not presented with any additional advantage. Thus the protocol is Existential-UNT-QS. Finally, consider the adversary
having access to QSE-Oracle such that ωi (T1 ) ∈ {Query(πTi , ∗ ),
1

Send (πTi , m2 ), Execute(πTi , πR )} and ωi (T2 ) ∈ {Query(πTi , ∗ ),
j

1

1


2

Send (πTi , m2 ), Execute(πTi , πR )}. The use of random numbers tr
2

j

2

and rr and the computational infeasibility property provided by
quadratic residue, guarantee that the messages are unique each
time and by eavesdropping on multiple instances of the protocol
the adversary is not presented with any additional advantage over
the QS-oracle and hence is resistent to replay attacks. Thus the
protocol is Existential-UNT-QSE which is the strongest security requirement when the attacker cannot tamper with the tag.
Theorem

2. The

proposed

secure

search

protocol

P


is

Forward-UNT-QSER.
Proof. In addition to the QSE-oracles, consider that the adversary also has access to the R-oracle such that, ωi (T1 )
j
∈ {Query(πTi , ∗ ), Send (πTi , m2 ), Execute(πTi , πR ), Reveal (πTi )}
1

1

1

1

and ωi (T2 ) ∈ {Query(πTi , ∗ ), Send (πTi , m2 ), Execute(πTi , πR ),
Reveal (πTi )}.
2

2

2

j

2

By executing the R-oracle, the adversary obtains

{id = h(T ID, ts ), rts, rts−1 , s, h(T ID ), n}. After each complete run of
the protocol, rts and rts−1 and s are updated, n is public, id is

not transmitted during the protocol run but h(TID) is transmit-

ted and it remains constant. However using h(TID) if the adversary
can link with previous communications then the protocol is not
Forward-UNT-QSER. h(TID) can be obtained from α or ACK. But
α is enciphered well using two random numbers rr , tr , a shared
secret s and protected by the quadratic residues property. Getting
h(TID) from ACK is also not feasible since it requires the knowledge of R which is infeasible to get due to the quadratic residues
property. The random number tr is enciphered in tr and rr is hidden during transmission in y and enciphered in rr which cannot
be solved without the knowledge of the factors g, h. This step fixes
the forward security vulnerability in Sundaresan et al. [1]. Therefore, an adversary cannot trace the previous communications of a
tag and the advantage presented to the adversary by the R-oracle
is negligible. Hence the protocol is Forward-UNT-QSER.
Theorem 3. The proposed
synchronization attacks.

protocol

P

is

resistant

to

de-

Proof. Consider that the adversary has access to QS-Oracle such
that ωi (T1 ) ∈ {Query(πTi , ∗ ), Send (πTi , m12 )} where m2 {α , tr } or

1

1

m2 {ACK }. The adversary blocks m2 from reaching the reader (or
if the messages were lost due to other communication issues), it
would cause the tag to update its secret rts but the reader would
not, causing desynchronization of keys. But DoS attack is prevented
since the tag stores both the current value rts and the previous
value rts−1 . When the tag authenticates the reader by checking if
id = x P RNG(rts rr ). If it does not find a match using rts then it
would repeat the step using rts−1 . If either one results in a match,
the protocol would continue, otherwise the tag would respond
with a probability of λ. Now, consider that the adversary has access to QS-Oracle such that ωi (T1 ) ∈ {Query(πTi , ∗ ), Send (πTi , m12 )}
1
1
where m2 {ACK}. The adversary can cause DoS attack by desynchronizing the server and the tag by either blocking or forging
the message m2 . If m2 is blocked, the tag will fail to correctly update s. But the attack is prevented since the server stores both s
and s−1 and it will still be able to correctly identify the tag using
R−1
. If the attacker forges the message m2 then it can cause perT ID
manent DoS between the tag and the server since the tag will update s to s+1 resulting in unrecoverable de-synchronization since
the server only stores s and s−1 . But in order to forge m2 , it re-


78

S. Sundaresan et al. / Computer Networks 122 (2017) 70–82
Table 6
Comparison of security and privacy properties.

Scheme
Huang et al. [32]

P1

P2

P3

No

P4

Won et al. [33]

P6

A1

No
NA

No
§

- Fully Satisfied
P1: Basic Privacy
P4: Reader Anonymity
A1: Replay Attack
§ - Fully Satisfied under certain assumptions


No

No
No
No
No
No
No
No
No

NA
No
NA
NA

No

NA - Not Applicable
P2: Mutual Authentication
P5: Tag Location Privacy
A2: DoS/De-synchronization

quires the knowledge of R which requires the knowledge of p and
q. Thus only a valid server can compute the correct m2 and the
attacker cannot successfully forge ACK. Further, from Theorem 1, it
is seen that the protocol achieves the strongest security requirement of Existential-UNT-QSE which proves that an attacker
cannot successfully complete a protocol run. Hence the protocol is
de-synchronization resistant.

4.3. Comparison with other protocols
In Table 6, we compare the security and privacy properties of
secure search protocols that have been proposed. Many of the protocols do not authenticate the other entity before responding to
the query or after receiving the reply. We emphasize that it is
very important for the entities to authenticate the other party before sending/processing any information so they know that the
query/reply they receive is from a trusted source. Our protocol
implements mutual authentication using the shared secrets. Kim
et al. [36] have shown that Tan et al.’s [2] protocol does not provide both tag and reader location privacy. We further note that
reader anonymity is not achieved in this scheme since the reader
ID is transmitted in clear. Also, authentication is only partially
done since the tags respond to a query by any reader without authenticating the reader. However, the reader validates the tag when
it receives the response from the tags.
We observe that Won et al.’s [33] scheme does not provide mutual authentication for the same reason discussed above and the
protocol does not provide tag location privacy since only the intended tag responds all the time enabling an attacker to compromise the location of the tag. The authors note that the protocol
does not support forward secrecy since all the secrets stored in
the tags and the readers are fixed. We observe that Kim et al.’s
[36] protocol does not provide mutual authentication. The reader
is not authenticated by the tags when the search request begins.
The tags simply respond to the query. Later the reader authenticates the tag. Also reader anonymity is only partially achieved
since a reader’s pseudonym is transmitted in the clear to the
tags. Even though the authors claim that the readers use multiple pseudonyms and an attacker has to know all the pseudonyms
to trace a reader, it still provides the opportunity to learn which
reader is sending the query and thereby compromising the location privacy of the reader. In a similar fashion, a tag’s group iden-

No
No
No
No
No
No

No
No

C1
No
No
No
No

No

No

No
NA
NA
NA
NA
No
No
No
No

A2

NA
No

Tan et al. [34]
Zuo [35]

Kulseng et al. [3]
Kim et al. [36]
Mtita et al. [44]
Zheng and Li [45]
Shahzad and Liu [47]
Wang et al. [51]
Shahzad and Liu [48]
Gong et al. [49]
Chen et al. [46]
Zhang et al. [50]
Sasagawa et al. [52]
Sundaresan et al. [59]
Our Scheme

P5

NA

NA
NA
NA
NA
NA
NA
NA
NA

No
NA
NA

NA
NA
NA
NA
NA
NA

No
No
No

No
No

- Partially Satisfied
P3: Tag Anonymity
P6: Reader Location Privacy
C1: EPC Compliance

tity is also transmitted in clear allowing attackers to know which
group of tags are responding. If there is no other tag present in the
area from the same group, the tag can be traced and by extension
the person’s location privacy is also compromised since they are
holding the tag at that time.
In Huang and Shieh’s secure search protocol [32] it is the sensor nodes that is responding back to the query and not the tags a slightly different architecture from the other proposed protocols.
So, some security properties do not directly apply to this protocol.
Also, the authors have proposed a mutual authentication protocol
but it has not been applied to the secure search protocol as the
sensor nodes do not authenticate the query request broadcast by
the reader. We observe that Kulseng et al.’s [3] protocol based on

PUF is the closest to meeting all the security and privacy requirements and also being EPC compliant. But as discussed in Section
3, PUF has disadvantages that prevent it from usage in large scale
implementations. Our protocol meets all the security and privacy
requirements and is EPC compliant making it a viable solution for
large-scale implementations.
Mutual authentication is absent in the methods that use Bloom
filter (Zheng and Li [45] and Chen et al. [46]). Similarly, the methods that use framed slotted Aloha protocol as an integral part of
the process (Shahzad and Liu [47], Shahzad and Liu [48], Gong
et al. [49] and Zhang et al. [50]) ignore mutual authentication or
authentication in general since the purpose in these methods is to
just identify the existence of a given tag in the field of the reader.
While the goal seems to be achieved in terms of recognizing an
RFID tag’s presence, an adversary can easily satisfy the expected
conditions and fake the presence of a wanted tag. Wang et al.
[51] use phase periodicity to identify an item as it changes location
over time and does not attempt to consider mutual authentication.
Similarly Sasagawa et al. [52] is interested in just identifying the
existence of an item at a given location, and no detail on the authentication of these items is provided.
In Table 7, we compare the performance of the secure search
protocols that have been proposed. We observe that most existing schemes except the one by Kulseng et al. employ cryptographic hash function and/or encryption functions. Implementing hash functions on passive tags is an open research problem
[60] and are not in conformance to EPC standards [61]. It is also
known that even the cheapest hash function will cost approximately 1.7K gates [28] to implement. Kulseng et al. propose the use


S. Sundaresan et al. / Computer Networks 122 (2017) 70–82

79

Table 7
Performance properties.

Scheme

CF on Reader

CF on Server

CF on Tag

P

M

C

Huang et al. [32]
Won et al. [33]
Kulseng et al. [3]
Tan et al. [2]
Zuo [35]
Kim et al. [36]
Mtita et al. [44]
Zheng and Li [45]
Shahzad and Liu [47]
Wang et al. [51]
Shahzad and Liu [48]
Gong et al. [49]
Chen et al. [46]
Zhang et al. [50]
Sasagawa et al. [52]
Sundaresan et al. [59]

Our Scheme

2
4
0
2
5
1∗
3
0
1
0
0
1
1
0
0
0
1

NA
NA
0
NA
NA
NA
2
NA
NA
NA

NA
NA
NA
NA
NA
NA
NA

2
4
–
2
5
4
4
0
1
0
0
1
1
0
0
–
–

3
1
2
1

1
2
1
1
0
NA
0
0
0
0
0
3
0

2
2
2
2
2
2
2
4
v
2
v
v
v
v
2
2

2

No
No

CF: No. of Crypto Functions
M: No. of Messages Exchanged
v: Varies based on number of tags

P: No. of PRNG Functions on Tag
C: EPC Compliance

of PUFs. However, this will require additional circuitry to be introduced into the RFID tag and hence the cost of low cost passive tags
will be increased. In our scheme, we do not require the tags to implement hash functions. Computation is restricted to XOR, CRC calculations and random number generation, all of which are within
the capabilities of passive tags. For implementation of modular
squaring on low-end devices such as RFID tags, modular squaring
can be replaced with integer squaring of the form f (x ) = x2 + kn,
where k is carefully chosen (i.e., x2 mod n is replaced with x2 + kn).
To compute f(x) for a 1280-bit wide n, the square x2 and the product kn are computed separately and then combined (with carries
buffered for the next iteration). Further, the individual bits of x2
and kn can be evaluated by convoluting x with itself and k with
n using a 128 bit register and invoking a PRNG. The cost of implementing such a function h can be estimated as 640 gates for
read-only storage of the 1280 bit modulus n, a PRNG and buffers
for computation. So the total complexity of implementing f is less
than 10 0 0 gates [4,27,28]. Thus we see that our scheme provides
the required security properties while at the same time conforming to EPC standard.

4.4. Parameter setting
Typically, low-cost passive RFID tags have non-volatile (EEPROM) memory of 10 0 0 bits to 1 kilobytes(KB) [62]. However, recent RFID application proposals such as plans by Airbus to track
flyable aircraft parts and components, as well as store data, such

as information regarding a part’s initial construction and maintenance demands have introduced passive RFID tags with even
higher memory capabilities (4 KB–8 KB) [63]. Also, Atmel Corporation has introduced passive RFID tags that can support memory
of between 1 KB and 64 KB [64].
The main requirements of the proposed approach is that the
modulus n used to compute the quadratic residues is sufficiently
large to ensure that factorisation is infeasible. Based on the recommendations in [65] we suggest that n = 1120 − 1464 bits at minimum. In our proposed approach, depending on the memory capabilities of the tag, we can choose an appropriate key length to
achieve a desired level of security. Given n = 1472 bits, a hash
length of 128 bits and a 128-bit PRNG such as Akari-X [66], the
storage requirements on the tag would be 1472 + 128 + 128 + 48 =
1984 bits ≈ 248 bytes. This is not excessive for applications using
low cost tags that require security.

No
No
No
No
No

No
No

NA: Not Applicable
: 1 for each response

∗

Finally, we note that the use of the xor operator raises the expectation that its operands have equal bit lengths in order to prevent leakage of information. Given that all the parameters are not
of equal length, we suggest a simple modification to the standard
xor operation to meet our requirements. As an example consider,
x = id P RNG(rts rr ) where the operands are unequal. In such a

situation we suggest that the largest operand is xored with a concatenation of the xor of the other operands. In this instance the
implementation would be x = id (P RNG(rts (rr rr . . . rr ))).
4.5. Simulation study
In order to study the scalability of our search scheme, we implemented a simulation using network simulator-2 (NS-2). We emphasise that the purpose here is not to compare the proposed
protocol to existing ones but rather to ensure that scalability is
achieved within acceptable response time limits. In this simulation, we implemented our secure search protocol and studied its
performance in terms of end-end search delay. This delay is calculated from the time the search query is initiated by the reader
to when the last ACK message is verified by the tag. The end-end
search delay includes two main parts, the network delay and the
search processing time in the reader, tag and the server including
the database search. The number of tags in the system was varied from 10 to 10 million and the number of readers for the mobile/wireless RFID system was set at 100 and 10 0 0. The results of
the simulation experiments are presented in Fig. 2 and each data

Fig. 2. Simulation results of the proposed protocol.


80

S. Sundaresan et al. / Computer Networks 122 (2017) 70–82

point corresponds to the average of 20 simulation runs. In both
sets of results we observe that as the number of tags in the system increases the search delay increases. This is along expected
lines as the database search has a complexity of O(n). However, we
observe that the end-end search delay is within acceptable bounds
(≈ 0.5 s) for all cases. In terms of the impact of number of readers, in the system we observe that delay increases are again quite
small. These results prove that our proposed search scheme is efficient and scalable, and achieves the required security properties
without compromising system performance.
5. Conclusion
In this paper, we have proposed a secure search protocol for
RFID systems that can be implemented on low-cost passive RFID

tags. The protocol is based on the quadratic residues property and
also uses basic XOR and PRNG operations. Additional protection
is ensured by hiding the random number where deemed necessary using a blind-factor. The protocol does not use hash functions
like other protocols we have discussed which cannot be implemented in the low-cost passive tags that have very low computational capabilities. To increase the security of the system, all authentications are accomplished by the backend server even though
the readers are mobile. By using quadratic residues and eliminating hash operations, the protocol meets the EPC standard. Security
analysis of the protocol shows that the scheme achieves the necessary security requirements for RFID systems including tag/reader
anonymity, tag/reader location privacy, forward security, while being resistant to replay attacks, tag/reader/server impersonation attacks and DoS/De-synchronization attacks. The simulation result
shows that the scheme is practical and can be implemented on
low-cost passive tags.
References
[1] S. Sundaresan, R. Doss, W. Zhou, A secure search protocol based on quadratic
residues for epc class-1 gen-2 uhf rfid tags, 23rd International Symposium on
Personal Indoor and Mobile Radio Communications, 2012.
[2] C. Tan, B. Sheng, Q. Li, Secure and serverless RFID authentication and search
protocols, IEEE Trans. Wireless Commun. 7 (4) (2008) 1400–1407.
[3] L. Kulseng, Z. Yu, Y. Wei, Y. Guan, Lightweight secure search protocols for low–
cost RFID systems, in: 2009 29th IEEE International Conference on Distributed
Computing Systems, 2009, pp. 40–48.
[4] R. Doss, W. Zhou, S. Yu, Secure RFID tag ownership transfer based on quadratic
residues, IEEE Trans. Inf. Forensics Secur. 8 (2) (2013) 390–401.
[5] Y.-J. Huang, C.-C. Yuan, M.-K. Chen, W.-C. Lin, H.-C. Teng, Hardware implementation of RFID mutual authentication protocol, IEEE Trans. Ind. Electron. 57 (5)
(2010) 1573–1582.
[6] A. Juels, S. Weiss, Authenticating Pervasive Devices with Human Protocols, in:
LNCS, 3621, 2005, pp. 293–308.
[7] P. Urien, S. Piramuthu, Elliptic curve-based RFID/NFC authentication with temperature sensor input for relay attacks, Decis. Support Syst. (2014) 28–36.
[8] Y.-P. Liao, C.-M. Hsia, A secure ECC-based RFID authentication scheme integrated with ID-Verifier transfer protocol, Ad Hoc Netw. 18 (2014) 133–146.
[9] L. Batina, J. Guajardo, T. Kerins, N. Mentens, P. Tuyls, I. Verbauwhede, An elliptic curve processor suitable for rfid-tags, Report 2006/227, Cryptology ePrint
Archive, 2006.
[10] Y.K. Lee, K. Sakiyama, L. Batina, I. Verbauwhede, Elliptic curve based security
processor for RFID, IEEE Trans. Comput. 57 (11) (2008) 1514–1527.

[11] M. Feldhofer, C. Rechberger, A case against currently used hash functions in
rfid protocols, in: On the Move to Meaningful Internet Systems 2006 – OTM
2006, in: Lecture Notes in Computer Science, 4277, 2006, pp. 372–381.
[12] L. Bolotnyy, G. Robins, Physically unclonable function -based security and privacy in rfid systems, PerCom ’07, 2007.
[13] H. Lee, D. Hong, The tag authentication scheme using self-shrinking generator
on RFID system, Trans. Eng. Comput. Technol. 18 (2006) 52–57.
[14] S. Sundaresan, R. Doss, S. Piramuthu, W. Zhou, A robust grouping proof protocol for RFID EPC C1G2 tags, IEEE Trans. Inf. Forensics Secur. (2014).
[15] W. Meier, O. Staffelback, The self-shrinking generator, in: Advances in Cryptology: EUROCRYPT 94, 950, 1994, pp. 205–214.
[16] J. Molina-Gil, P. Caballero-Gil, A. Fuster-Sabater, C. Caballero-Gil, Pseudorandom Generator to Strengthen Cooperation in VANETs, in: EUROCAST 2011,
2012, pp. 365–373.
[17] A.T. Tasheva, Z.N. Tasheva, A.P. Milev, Generalization of the self-Shrinking generator in the galois field GF(pn ), Adv. Artif. Intell. (2011) 1–10.

[18] M. Burmester, J. Munilla, A flyweight RFID authentication protocol, Report
2009/212, ePrint Archive, 2010.
[19] R. Doss, W. Zhou, S. Sundaresan, S. Yu, L. Gao, A minimum disclosure approach to authentication and privacy in RFID systems, Comput. Netw. (2012)
3401–3416.
[20] H.-Y. Chien, C.-H. Chen, Mutual authentication protocol for RFID conforming to
EPC class 1 generation 2 standards, Comput. Stand. Interfaces 29 (2) (2007)
254–259.
[21] H.-Y. Chien, C.-S. Laih, ECC-Based lightweight authentication protocol with untraceability for low-cost RFID, J. Parallel Distrib. Comput. 69 (2009) 848–853.
[22] D. Duc, K. Kim, Defending RFID authentication protocols against DoS attacks,
Comput. Commun. 34 (3) (2011) 384–390.
[23] R.D. Pietro, R. Molva, An optimal probabilistic solution for information confinement, privacy and security in RFID systems, J. Netw. Comput. Appl. (2010).
[24] S. Sundaresan, R. Doss, W. Zhou, A Serverless Ultra-Lightweight Secure Search
Protocol for EPC Class-1 Gen-2 UHF RFID Tags, in: International Conference on
Computer & Information Science (ICCIS), 2012a, pp. 580–585.
[25] S. Sundaresan, R. Doss, W. Zhou, A Secure Search Protocol based on Quadratic
Residues for EPC Class-I Gen-2 UHF RFID Tags, The 23rd IEEE International
Symposium on Personal Indoor and Mobile Radio Communications - (PIMRC),
2012b.

[26] S. Sundaresan, R. Doss, W. Zhou, S. Piramuthu, Secure ownership transfer for
multi-Tag multi-owner passive RFID environment with individual-Owner-Privacy, Comput. Commun. (2015) 112–124.
[27] M. Burmester, B. de Medeiros, R. Motta, Anonymous RFID authentication supporting constant-cost key-lookup against active adversaries, Int. J. Appl. Cryptography 1 (2) (2008) 79–90.
[28] Y. Chen, J.-S. Chou, H.-M. Sun, A novel mutual authentication scheme based on
quadratic residues for RFID systems, Comput. Netw. 52 (12) (2008) 2373–2380.
[29] S. Piramuthu, RFID Mutual authentication protocols, Decis. Support Syst. (2011)
387–393.
[30] W. Zhou, E.J. Yoon, S. Piramuthu, Simultaneous multi-level RFID tag ownership
& transfer in health care environments, Decis. Support Syst. (2012) 98–108.
[31] S. Piramuthu, Protocols for RFID tag/reader authentication, Decis. Support Syst.
(2007) 897–914.
[32] S.-I. Huang, S. Shieh, Authentication and secret search mechanisms for
RFID-aware wireless sensor networks, Int. J. Secur. Netw. 5 (1) (2010) 15–25.
[33] T.Y. Won, J.Y. Chun, D.H. Lee, Strong authentication protocol for secure RFID
tag search without help of central database, in: 2008 IEEE/IFIP International
Conference on Embedded and Ubiquitous Computing, 2008, pp. 153–158.
[34] C.C. Tan, B. Sheng, Q. Li, Serverless search and authentication protocols for
RFID, in: Proceedings of the Fifth Annual IEEE Conference on Pervasive Computing and Communications, 2007.
[35] Y. Zuo, Secure and private search protocols for RFID systems, Inf. Syst. Front.
12 (5) (2009) 507–519.
[36] Z. Kim, J. Kim, K. Kim, I. Choi, T. Shon, Untraceable and serverless RFID authentication and search protocols, in: 2011 IEEE Ninth International Symposium
on Parallel and Distributed Processing with Applications Workshops, 2011,
pp. 278–283.
[37] C. Lv, H. Li, M. Jianfeng, B. Niu, Vulnerability analysis of lightweight secure
search protocols for low-cost RFID systems, Int. J. RFID Technol. Appl. 4 (1)
(2012) 3–12.
[38] L. Chun, J. Hwang, D. Lee, RFID tag search protocol preserving privacy of mobile reader holders, IEICE Electron. Express 08 (2) (2011) 50–56.
[39] E.-J. Yoon, Cryptanalysis of an RFID tag search protocol preserving privacy of
mobile reader, in: International Federation for Information Processing, 2012,
pp. 575–580.

[40] S.I. Ahamed, F. Rahman, E. Hoque, F. Kawsar, T. Nakajima, S3PR: Secure serverless search protocols for RFID, in: 2008 International Conference on Information Security and Assurance (isa 2008), 2008, pp. 187–192.
[41] Y. Zheng, M. Li, Fast tag searching protocol for large-scale RFID systems,
IEEE/ACM Trans. Netw. 21 (3) (2013) 924–934.
[42] J. Lim, S. Kim, H. Oh, K. Donghyun, A designated query protocol for serverless
mobile RFID systems with reader and tag privacy, Tsinghua Sci. Technol. 17 (5)
(2012) 521–536.
[43] C.-F. Lee, H.-Y. Chien, C.-S. Laih, Server-less RFID authentication and searching
protocol with enhanced security, Int. J. Commun. Syst. 25 (2012) 376–385.
[44] C. Mtita, M. Laurent, J. Delort, Efficient serverless radio-frequency identification
mutual authentication and secure tag search protocols with untrusted readers,
IET Inf. Secur. (2016) 262–271.
[45] Y. Zheng, M. Li, Fast tag searching protocol for large-scale rfid systems,
IEEE/ACM Trans. Networking (2013) 924–934.
[46] M. Chen, W. Luo, Z. Mo, S. Chen, Y. Fang, An efficient tag search protocol
in large-scale rfid systems with noisy channel, IEEE/ACM Trans. Networking
(2016) 703–716.
[47] M. Shahzad, A.X. Liu, Fast and accurate estimation of rfid tags, IEEE/ACM Trans.
Networking (2015) 241–254.
[48] M. Shahzad, A.X. Liu, Probabilistic optimal tree hopping for rfid identification,
IEEE/ACM Trans. Networking (2016) 796–809.
[49] W. Gong, J. Liu, Z. Yang, Fast and reliable unknown tag detection in large-scale
rfid systems, in: MobiHoc, 2016, pp. 141–150.
[50] S. Zhang, X. Liu, J. Wanga, J. Cao, G. Min, Energy-efficient active tag searching
in large scale rfid systems, Inf. Sci. (2015) 143156.
[51] Z. Wang, N. Ye, R. Malekian, F. Xiao, R. Wang, Trackt: accurate tracking of rfid
tags with mm-level accuracy using first-order taylor series approximation, Ad
Hoc Netw. (2016) 132–144.


S. Sundaresan et al. / Computer Networks 122 (2017) 70–82

[52] M. Sasagawa, K. Ikematsu, I. Siio, Simply tag and find: Finding indoor items by
using detection history of rfid tags, in: UbiComp/ISWC, 2016, pp. 365–368.
[53] K.H. Rosen, Fourth ed., 1999.
[54] L. Gong, R. Needham, R. Yahalom, Reasoning about belief in cryptographic protocols, in: Proceedings of the IEEE Symposium on Security ad Privacy, 1990,
pp. 234–248.
[55] G. Avoine, Adversarial model for radio frequency identification, Report
2005/049, Cryptology ePrint Archive, 2005.
[56] S. Vaudenay, On privacy models for RFID, in: Advanced in Cryptology - ASIACRYPT 2007, in: (LNCS 4833), 2007, pp. 68–87.
[57] J. Hermans, A. Pashalidis, F. Vercauteren, B. Preneel, A new RFID privacy model,
in: European Symposium on Research in Computer Security (ECORICS) 2009,
in: (LNCS 6879), 2011, pp. 568–587.
[58] I. Coisel, T. Martin, Untangling RFID Privacy Models, Cryptology ePrint Archive,
2011.
[59] S. Sundaresan, R. Doss, S. Piramuthu, W. Zhou, Secure tag search in rfid systems using mobile readers, IEEE Trans. Dependable Secure Comput. (2015)
230–242.

81

[60] J.-S. Cho, S.-S. Yeo, S.K. Kim, Securing against brute-force attack: a hash-based
RFID mutual authentication protocol using a secret value, Comput. Commun.
34 (3) (2011) 391–397.
[61] EPCGlobal, EPC Radio-Frequency Identity Protocols,Class-1 Generation-2 UHF
RFID Protocol for Communications at 860MHz-960MHz Version 1.2.0, 2008.
[62] F. Gosset, F.-X. Standaert, J.-J. Quisquater, FPGA implementation of SQUASH,
29th Symposium on Information Theory, 2008.
[63] R. Wessel, Airbus signs contract for high-memory rfid tags, RFID J. (2010).
[64] D. Dressen, Large memory RFID system solutions, ATMEL Appl. J. (2011) 48–49.
[65] A.K. Lenstra, E.R. Verheul, Selecting cryptographic key sizes, in: Public Key
Cryptography, in: (LNCS 1751), 01, 20 0 0, pp. 446–465.
[66] H. Martin, E.-S. Millan, L. Entrena, P.-P. Lopez, A case against currently used

hash functions in rfid protocols, in: On the Move to Meaningful Internet Systems 2006 – OTM 2006, in: Lecture Notes in Computer Science, 4277, 2006,
pp. 372–381.


82

S. Sundaresan et al. / Computer Networks 122 (2017) 70–82
Saravanan Sundaresan received his BSc (M) from the University of Madras, India in 1995 and the MIT and PhD degrees from Deakin University,
Australia. He started his career as a programmer in India and took up IT consulting in USA in 1997. He joined HP Inc. as a Senior Database
Administrator in 1999 and later joined Caterpillar Inc. in 2004 to become the Team Lead and Senior Database Administrator. In 2006, he took up
community work in the villages of South India and received a Social Entrepreneur Reward in 2010.

Robin Doss received the BEng from the University of Madras, India, in 1999, and the MEng and PhD degrees from the Royal Melbourne Institute
of Technology (RMIT), Australia, in 20 0 0 and 2004, respectively. He has held professional appointments with Ericsson Australia, RMIT University,
and IBM Research, Switzerland. He joined Deakin University, Melbourne, Australia, in 2003, and is currently an Associate Professor with the centre
for cyber security research, and Deputy Head of the School of Information Technology, Deakin University. Since 2003, he has published more than
50 papers in refereed international journals, international conference proceedings and technical reports for industry and government. His current
research interests are in the broad areas of communication systems, protocol design, wireless networks, security and privacy. He is a senior member
of the IEEE.

Selwyn Piramuthu has been at the University of Florida since Fall 1991. He is an Associate Researcher of Information Systems and Technologies
at ESCP-Europe (Ecole Supérieure de Commerce de Paris) and a member of the RFID European Lab in Paris. He taught in the Operations and Information Management department at the Wharton School of the University of Pennsylvania from 1998 to 2001. He has also held teaching and/or
research visiting appointments at a few other institutions including the Aarhus School of Business in Denmark, Copenhagen Business School in
Denmark, IRIDIA (Institut de Recherches Interdisciplinaires et de Développements en Intelligence Artificielle) at the Université Libre de Bruxelles
in Belgium, Interdisciplinary Center for Security, Reliability and Trust (SnT) at the Université du Luxembourg in Luxembourg, INFRES at TELECOM
ParisTech in Paris, Supply Chain Management at Technische Universität München in Munich and the Lehrstuhl für Informations- und TechnologieManagement at Universität des Saarlandes in Saarbrücken. His research and teaching interests include artificial intelligence, cryptography, database
management, data mining/machine learning, and simulation including their applications in computer integrated manufacturing, ecommerce, financial credit scoring, healthcare, RFID, supply chain management, and work flow management.

Wanlei Zhou received the BEng and MEng degrees from Harbin Institute of Technology, China, in 1982 and 1984, respectively; the PhD degree
from the Australian National University, Canberra, in 1991; and the DSc degree from Deakin University, Victoria, Australia, in 2002. He is currently

the Alfred Deakin chair professor of information technology, Deakin University, Melbourne, Australia. His research interests include distributed and
parallel systems, network security, mobile computing, bioinformatics and e-learning. He has published more than 200 papers in refereed international journals and refereed international conferences proceedings. Since 1997, he has been involved in more than 50 international conferences as
general chair, steering committee chair, PC chair, session chair, publication chair, and PC member. He is a senior member of the IEEE.