1

Proper RFID Privacy: Model and ProtocolsJens Hermans, Roel Peeters, and Bart PreneelKU Leuven ESAT/COSIC & iMinds, BelgiumEmail: firstname.lastname@esat.kuleuven.be

Abstract—We approach RFID privacy both from modellingand protocol point of view. Our privacy model avoids thedrawbacks of several proposed RFID privacy models that eithersuffer from insufficient generality or put forward unrealis ticassumptions regarding the adversary’s ability to corrupt tags.Furthermore, our model can handle multiple readers and intro-duces two new privacy notions to capture the recently discoveredinsider attackers.

We analyse multiple existing RFID protocols, demonstratingthe easy applicability of our model, and propose a new wide-forward-insider private RFID authentication protocol. Th is pro-tocol provides sufficient privacy guarantees for most practicalapplications and is the most efficient of its kind, it only requirestwo scalar-EC point multiplications.

Index Terms—Computer security, authentication, privacy,cryptography, RFID tags.

I. I NTRODUCTION

As Radio Frequency Identification (RFID) systems arebecoming more common (for example in access control,product tracing, e-ticketing, electronic passports), managingthe associated privacy and security concerns becomes moreimportant [1]. Since RFID tags are primarily used for authen-tication purposes, security in this context means that it shouldbe infeasible to impersonate a legitimate tag. Privacy, on theother hand, means that unauthorized parties should not be ableto identify, trace, or link tag appearances.

For RFID tags used in consumer applications, an adversarytypically learns the outcome of the identification protocol, ontop of sending arbitrary queries to tags and getting responses.Successful identifications result in an unlocked door, unlockedcar or processed payment; while failure has no outcome.As low-cost devices, RFID tags are hardly protected againstphysical tampering. In particular, it has been shown that side-channel attacks may enable an adversary to extract secretsfrom the tag [2], [3], [4]. Furthermore, by inducing powerdrops or by otherwise influencing the physical environment ofthe tag, so-called ‘reset’ attacks enable the adversary to forcethe tag to re-use old randomness [5], [6], [7].

Several models for privacy and security in the context ofRFID systems have been proposed in the literature. SectionIIIdiscusses a selection ofgeneral models. For some of thesemodels we show that, despite their intended generality, itremains unclear how to apply these to protocols other than theprotocol in the context of which they were proposed. Otherexisting models do not allow for adversaries that corrupt tags.

So far, little attention has been paid to supporting multiplereaders. Most RFID models only take into account the limitedsetting of one reader. Multiple readers occur for example whenusing a single RFID card to access multiple disjoint security

systems (e.g. multiple buildings, printer systems, vendingmachines). Supporting multiple readers, however severelycomplicates the setup since it is more likely that one ofthe readers will be compromised. This should not affect thesecurity of the tags authenticating to other uncompromisedreaders. As such, sharing secrets among readers is impossible.

We present a new RFID privacy model in Sect.IV that isrobust in the sense that it can handle tampering with tags,is easily applicable, general and can handle multiple readers.Furthermore, we introduce two new privacy notions to alsocover the case where an adversary uses the internal state froma corrupted tag to attack privacy of other tags. These ‘insider’attacks were described by van Deursen and Radomirovic [8],clearly showing that wide-forward1 private protocols are notsufficient. At first glance wide-forward privacy seems to implythat even when the outcome of protocol is known to theadversary, all interactions of a tag up to the point of corruptioncannot be linked. However, it was shown for two wide-forwardprivate protocols, that the adversary can link uncorruptedtags,when given the ability to learn the outcome of the protocoland the state of one legitimate ‘insider’ tag.

Using this new model as a reference we evaluate theprivacy of several existing RFID protocols in Sect.V andwe design and evaluate a new wide-forward-insider privateRFID identification protocol in Sect.VI . An optimised versionof this protocol is discussed in Sect.VII . After listing someimplementation considerations for private RFID authenticationprotocols in Sect.VIII , we compare the security, privacyand performance features of our protocol with the discussedpreviously proposed protocols. This not only validates ournew model, but also shows that our new optimised protocolis the most efficient one, only requiring two scalar-EC pointmultiplications.

II. D EFINITIONS

A. RFID System

Throughout this article we use a common model for RFIDsystems, similar to the definitions introduced in [9], [10]. Forour model, we extend these definitions to allow for multiplereaders, unlike previously proposed models.

Definition 1 (RFID System). An RFID system consists of a setof tagsT and a set of readersR. Each tag is identified by anidentifier ID. The memory of the tags contains a stateS, whichmay change during the lifetime of the tag. The tag’s ID may ormay not be stored inS. Each tag is a transponder with limitedmemory and computation capability. A readerRj consists of

1An overview of the different privacy notions is given in Sect. III

2

one or more transceivers and a database. A reader’s task isto identify legitimate tags (i.e. to recover their IDs), andtoreject all other incoming communication. Each reader has adatabase that contains for every tagTi, its ID and a matchingsecretKRj,Ti

. The secretKRj,Tiis specific for every tag and

can be different for every tag-reader combination. A tag is‘registered’ with a reader if the reader database contains anentry for that tag and can successfully authenticate it.

In general, an RFID system requires several algorithms andprotocols for setting up the readers, tags, registering tags withreaders or even unregistrering tags. These routines are highlydependent on the specific layout of the RFID system and caneven take place offline. The privacy and security of these setupand registration algorithms and protocols is thus outside of thescope of this article. During the remainder of the article wewill only discuss the main protocol used for tag identificationand none of the auxiliary setup and registration routines.

B. Notation

If T is a set,t ∈R T means thatt is chosen uniformly atrandom fromT . |T | denotes the cardinality of the set. IfA isan algorithm andO an oracle, thenAO denotes the fact thatA has access to the oracleO.

Our proposed protocol is based on Elliptic Curve Cryp-tography, hence we make use of additive notation. Points onthe curve are represented by capital letters while scalars arerepresented by lowercase letters.

Thexcoord(·) function comes almost for free when usingelliptic curves. Assuming an elliptic curveE with prime orderℓ over Fp, then for a pointQ = {qx, qy} with qx, qy ∈[0 . . . p− 1], xcoord(Q) mapsQ to qx mod ℓ.

A functionf : N→ R is called ‘polynomial’ in the securityparameterk ∈ N if f(k) = O(kn), with n ∈ N. It is called‘negligible’ if, for every c ∈ N there exists an integerkc

such thatf(k) ≤ k−c for all k > kc. We denote a negligiblefunction byǫ.

C. Number-theoretical Assumptions

1) Discrete Logarithm:Let P be a generator of a groupGℓ

of orderℓ and letA be a given arbitrary element ofGℓ. Thediscrete logarithm (DL) problem is to find the unique integera ∈ Zℓ such thatA = aP . The DL assumption states that itis computationally hard to solve the DL problem.

2) One More Discrete Logarithm:The one more discretelogarithm (OMDL) problem was introduced by Bellare [11].Let P be a generator of a groupGℓ of order ℓ. Let O1()be an oracle that returns random elementsAi = aiP of Gℓ.Let O2(·) be an oracle that returns the discrete logarithm ofa given input baseP . The OMDL problem is to return thediscrete logarithms for each of the elements obtained from them queries toO1(), while making strictly less thanm queriesto O2(·) (with m > 0).

3) x-Logarithm: Brown and Gjøsteen [12] introduced thex-Logarithm (XL) problem: given an elliptic curve point,determine whether its discrete logarithm is congruent to thex-coordinate of an elliptic curve point. The XL assumption

states that it is computationally hard to solve the XL problem.Brown and Gjøsteen also provided some evidence that the XLproblem is almost as hard as the DDH problem.

4) Diffie-Hellman: Let P be a generator of a groupGℓ

of order ℓ and letaP, bP be two given arbitrary elements ofGℓ, with a, b ∈ Zℓ. The computational Diffie-Hellman (CDH)problem is, givenP, aP and bP , to find abP . The 4-tuple〈P, aP, bP, abP 〉 is called a Diffie-Hellman tuple. Given afourth elementcP ∈ Gℓ, the decisional Diffie-Hellman (DDH)problem is to determine if〈P, aP, bP, cP 〉 is a valid Diffie-Hellman tuple or not.

5) Oracle Diffie-Hellman: Abdalla et al. [13] introducedthe ODH assumption:

Definition 2. Oracle Diffie-Hellman (ODH) GivenA =aP, B = bP , a function H and an adversaryA, considerthe following experiments:

ExperimentExpodhH,A :

• O(Z) := H(bZ) for Z 6= ±A• g = AO(·)(A, B, H(C))• Returng

The valueC is equal toabP for the Expodh−realH,A

experiment, chosen at random inGℓ for theExpodh−random

H,A experiment.

We define the advantage ofA violating the ODH assumptionas:

|Pr[

Expodh−realH,A = 1

]

− Pr[

Expodh−randomH,A = 1

]

| .

The ODH assumption consists of the plain DDH assumptioncombined with an additional assumption on the functionH(·).The idea is to give the adversary access to an oracleOthat computesbZ, without giving the adversary the ability tocomputebA, which can then be compared withC. To achievethis one restricts the oracle toZ 6= ±A, and moreover, onlyH(bZ) instead ofbZ is released, to prevent the adversaryfrom exploiting the self-reducibility of the DL problem.2 Thecrucial property that is required forH(·) is one-wayness.

III. E XISTING PRIVACY MODELS

This section discusses certain existing RFID privacy mod-els. These models usually consist of a correctness (no falsenegatives), security (no false positives) and privacy definition.

Note that covering all existing models would exceed thescope of this article by far. Many models, including the onesintroduced in [14], [15], [16], [17], [18], [19] do not allowcorrupted tags to be traced. We have selected one such model,i.e. Juels-Weis [19], for further discussion, in addition to thestronger models of Vaudenay [9] and Canardet al. [10].

A. Vaudenay

Several concepts from the privacy model introduced byVaudenay [9] are used in our model. Therefore, we presentthis model in detail.

2The adversary can setZ = rA for knownr and computer−1(bZ) = bA.

3

1) Adversarial model: The adversary has the ability toinfluence all communication between a tag and the readerand can therefore perform man-in-the-middle attacks on anytag within its range. It may also obtain the result of theauthentication of a tag,i.e. whether the reader accepts orrejects the tag. The adversary may also ‘draw’ (at random) tagsand then ‘free’ them again, moving them inside and outside itsrange. During these interactions the adversary is given a virtualreferencevtag (not the tag’s real referenceTi) in order to referto the tags that are inside its range. Finally the adversary maycorrupt tags, thereby learning their entire internal state.

The above interactions take place over eight ora-cles that the adversary may invoke:CreateTag(ID),DrawTag(distr) → (vtag) , Free(vtag), Launch →π, SendReader(m, π)→ m′, SendTag(m, vtag)→ m′,Result(π) → x andCorrupt(vtag). Let vtag denote avirtual tag reference,π a protocol instance,distr a polyno-mially bounded sampling algorithm,m andm′ messages andID the tag’s identifier. For a complete definition of the oraclesthe reader is referred to [9].

The Vaudenay model divides adversaries into differentclasses, depending on restrictions regarding their use of theabove the oracles. In particular, astrongadversary may use alleight oracles without any restrictions. Adestructiveadversaryis not allowed to interact with a tag after it has been corrupted.This models situations where corrupting a tag leads to thedestruction of the tag. Aforward adversary can only do othercorruptions after the first corruption. That is, no protocolinteractions are allowed after the first call to theCorruptoracle. Aweakadversary does not have the ability to corrupttags. Orthogonal to these four attacker classes there is thenotion of wide and narrow adversary. Awide adversary hasaccess to the result of the verification by the server whilea narrow adversary does not. The most important relationsbetween the above privacy notions are given below:

wide-strong ⇒ wide-destructive ⇒ wide-forward ⇒ wide-weak⇓ ⇓ ⇓ ⇓

narrow-strong ⇒ narrow-destructive⇒ narrow-forward ⇒ narrow-weak

In this caseA⇒ B means that if the protocol is A-private itimplies that the protocol is B-private. A protocol that iswide-strongprivate, for example, obviously also belongs to all otherprivacy classes, that only allow weaker adversaries.

Due to their generality, the above restrictions can be usedperfectly in other privacy models. Throughout the article wewill frequently refer to strong, destructive, forward, weak andwide/narrow adversaries.

2) Privacy, security and correctness:Privacy is defined bymeans of the notion of a ‘trivial’ adversary. Intuitively, atrivialadversary does not ‘use’ the communication captured duringthe protocol run to determine its output.

Definition 3 (Blinder, trivial adversary -<Simplified> Def. 7from [9]). A BlinderB for an adversaryA is a polynomial-time algorithm which sees the messages thatA sends and re-ceives, and simulates theLaunch, SendReader, SendTagandResult oracles toA. The blinder does not have accessto the reader tapes. A blinded adversaryAB is an adversarywho does not use theLaunch, SendReader, SendTag andResult oracles.

An adversaryA is trivial if there exists a blinderB suchthat |Pr(Awins)− Pr(AB wins)| is negligible.

Intuitively, an adversary is called trivial if, even whenblinded, it still produces the same output. Such an adversarydoes not ‘use’ the communication captured during the protocolrun in order to determine its output. Note that a blindedadversary is not the same as a simulator typically found insecurity proofs: the blinder is separate from the adversaryandhas no access to the adversary’s tape. The blinder just receivesincoming queries from the adversary and has to respond eitherby itself or by forwarding the queries to the system. We arenow ready to present the privacy definition.

Definition 4 (Privacy - <Simplified> Def. 6 from [9]).The privacy game between the challenger and the adversaryconsists of two phases:

1) Attack phase: the adversary issues oracle queries ac-cording to applicable restrictions.

2) Analysis phase: the adversary receives the table thatmaps everyvtag to a real tagID. Then it outputstrueor false.

The adversary wins if it outputstrue. A protocol is calledX-private, where X is an adversary class (strong, destructive,. . . ), if and only if all winning adversaries that belong to theclass X are trivial.

Besides privacy the protocol should also offer authenticationof the tag. We refer to this property as thesecurity of theprotocol.

Definition 5 (Security -<Simplified> Def. 4 from [9]). Weconsider any adversary in the classstrong. The adversary winsif the reader identifies an uncorrupted legitimate tag, but thetag and the reader did not have a matching conversation. TheRFID scheme is called secure if the success probability of anysuch adversary is negligible.

Definition 6 (Correctness - Def. 1 from [9]). An RFIDscheme is correct if its output is correct except with negligibleprobability for any polynomial-time experiment which can bedescribed as follows:

1) Set up the reader.2) Create a number of tags including one namedID.3) Execute a complete protocol between reader and tag

ID.

The output is correct if and only ifOutput =⊥ and tagIDis not legitimate orOutput = ID and tagID is legitimate.

In a follow-up paper by Paise and Vaudenay [20], theconcept of mutual authentication for RFID is defined. The tagsimply outputs a boolean, indicating whether or not the readerwas accepted. The authors extend the security definition byadding a criterion for reader authentication.

3) Discussion:The paper of Vaudenay inspired many au-thors to formulate derived RFID privacy models or to evaluatethe (Paise-)Vaudenay model [10], [20], [21], [22], [23], [24].Although Vaudenay’s privacy model is perhaps the strongestand most complete, it contains some flaws with respect tostrong privacy.

4

Vaudenay’s proof of the statement that “wide-strong privacyis impossible” uncovers some of these flaws. This proofassumes a wide-destructive private protocol. By definition,for every destructive adversary, there exists a blinder. Thisincludes the adversary that (a) creates one real tag, (b) corruptsthis tag right away, (c) starts a protocol using either the statefrom the corrupted tag or from another fake tag. In the end,the blinder has to answer theResult oracle. Obviously, theadversary knows which tag was selected and knows whichresult to expect. However, since the blinder has no accessto this random coin of the adversary, it must be able todistinguish a real and a fake tag just by looking at the protocolrun from the side of the reader. The proof then uses thisblinder to construct a wide-strong adversary. Since all wide-strong adversaries are also wide-destructive, this provestheimpossibility of wide-strong privacy.

Obviously, this proof only works because the blinder isseparated from the adversary. The issue with a separate blinderis exploited multiple times by Armknechtet al. [25] in thePaise-Vaudenay [20] model. Using this property the authorsshow the impossibility of reader authentication combined withrespectively narrow forward privacy (ifCorrupt revealsthe temporary state of tags) and narrow strong privacy (ifCorrupt only reveals the permanent state of tags). In laterwork [26], Ouafi and Vaudenay correct the inconsistency inthe model and shows that strong privacy is indeed possible. Inthis new approach, the blinder is given access to the randomcoin flips of the adversary.

Independent from this correction, Nget al. [21] alsoidentified the problems with strong privacy. They propose asolution, based on the concept of a ‘wise’ adversary thatdoes not make any ‘irrelevant’ queries to the oracles i.e.queries to which it already knows the answer. The authorsclaim that, if the protocol does not generate false negatives,then a wise adversary never calls theResult oracle. Giventhe vague definition of wise adversaries it is hard to verifythese claims. The existence of attacks which exploit falsepositives [27] however, suggests that the general claim thatResult is not used by a wise adversary is incorrect. Basedon this questionable general claim, the authors further identifyan IND-CPA-based protocol as being strong private, withoutgiving a formal proof.3

B. Canard et al.

1) Model: The model of Canardet al. [10] builds on thework of Vaudenay, so the definition of oracles is quite similar.For the privacy definition the model requires the adversary toproduce a non-obvious link between virtual tags.

Definition 7. (vtagi, vtagj) is a non-obvious link ifvtagi andvtagj refer to the same ID and if a ‘dummy’ adversary, whoonly has access toCreateTag, Draw, Free, Corrupt, isnot able to output this link with a probability better than1/2.

The definition requires the adversary to output a non-obvious link to win the privacy game. A protocol is said

3Note that the original security proof (i.e. no false positives) by Vaudenayrequires IND-CCA2 encryption, so using only IND-CPA encryption wouldrequire a new security proof.Result may serve as a decryption oracle.

to be untraceable if, for every adversaryA, it is possible toconstruct a ‘dummy’ adversaryAd such that|SuccUnt

A (1k)−SuccUnt

Ad(1k)| ≤ ǫ(k).

It is unclear why the authors use the probability threshold1/2, since one would expect some dependency on the totalnumber of non-obvious links.4

One major difference with respect to Vaudenay’s modelis that a ‘dummy’ adversary is used instead of a blindedadversary. This avoids some of the issues surrounding theuse of a blinder, because a ‘dummy’ adversary can alsoaccess its own random tape, while a blinder cannot accessthe adversary’s random tape.

2) Discussion: While the work certainly has its merit informalizing and fixing the Vaudenay model (by using a dummyadversary instead of a blinder), the model of Canardet al. lacksgenerality because it focuses on non-trivial links. Moreover theabove definitions are circular: the definition of a non-obviouslink refers to a dummy adversary, which on its turn is definedin terms of the probability of outputting a non-obvious link.In its current form, without changing any definition to breakthe circularity, the model is not useable.

C. Juels-Weis

1) Model: The model by Juels and Weis [19] is based onthe notion of indistinguishability. The model does not featurea DrawTag query and theCorrupt query is replaced by aSetKey query, which returns the current secret of the tag andallows the adversary to set a new secret. Figure1 shows a sim-plified version of the privacy game. The protocol is consideredprivate if ∀A, Pr

[

ExpprivA,S guessesb correctly

]

≤ 12 + ǫ.

ExperimentExpprivA,S

:

1) Setup:

• Generaten random keyskeyi.• Initialize the reader with the randomkeyi.• Createn tags, each with akeyi.

2) Phase (1): Learning

• A can interact with a polynomial number of calls to the system,but canonly issueSetKey on n − 2 tags, leaving at least 2 uncorrupted tags

3) Phase (2): Challenge

• A selects two uncorrupted tagsT0 andT1. Both are removed from theset of tags.

• One of these tags (Tb, the challenge tag) will be selected at random bythe challenger.

• A can make a polynomial number of calls to the system, but cannotcorrupt the challenge tagTb.

• A outputs a guess bitg ∈ {0, 1}.

Figure 1. Privacy experiment from Juels-Weis

2) Discussion: The Juels-Weis model is one of the fewmodels that are based on a indistinguishability game insteadof the notion of simulatability. The model is limited by thefact that the challenge tags cannot be corrupted. In terms ofthe Vaudenay model [9] it would be a weak adversary withregard to the challenge tags. For example, attacks in which theadversary links together executions of a tag that have takenplace prior to its corruption are not possible in the Juels-Weismodel because of this.

4One slightly different interpretation is that a ‘dummy’ adversary cannotdetermine if a given non-obvious candidate linkvtagi, vtagj is a link inreality or not. This interpretation however contradicts the definition of thesuccess probability of an adversary given in the paper.

5

The model from Haet al. [18] is very similar, with thedifference that the privacy is defined as distinguishing thereplyfrom a real tag from a random reply.

D. Bohli-Pashalidis

1) Model: Unlike the previous models, the Bohli-Pashalidis[28] model is not an RFID-specific model. Unfor-tunately, it captures only privacy properties; propertieslikesecurity and correctness are not covered. The model considersa set of users (with unique identifiers)U , whose size is at leastpolynomial in a security parameter. There is no formal differ-ence between different types of players, like there is with tagand reader in most RFID models. The systemS can be invokedwith input batches(u1, α1), (u2, α2), . . . , (uc, αc) ∈ (U , A)c,consisting of pairs of user identifiers and ‘parameters’ andwill output a batch((e1, . . . ec), β), with the outputsei fromeach system invocation and a general outputβ, applying tothe batch as a whole. Users can also be corrupted, revealingtheir internal state to the adversary.

The authors investigate the properties of the functionf ∈F , whereF = {f : {1, 2, . . . , n} → U} is the space offunctions that map the serial number of each output elementto the user it corresponds to. In the Strong Anonymity (SA)setting, no information should be revealed to the adversaryabout the functionf , guaranteeing the highest level of privacy.Several weaker notions (which revealsomeinformation onf )are defined and the relations among notions are examined.

The adversarial model is based on indistinguishability. Theadversary can cause different users to invoke the system usingdifferent parameters (e.g. messages) in both a left and rightworld with theInput((u0, α0), (u1, α1)) oracle. Based on abit b, selected by the challenger, the system will be invokedwith the user-data pair(ub, αb). That is, the adversary itselfdefines the functionsf0, f1 ∈ F , for respectively the left andright world. The adversary can also corrupt users. At the endof the game the adversary has to output a guess bitg. Theadversary wins the game ifg = b. By imposing restrictionsonf0 andf1, the authors investigate different levels of privacy.

Definition 8. A privacy protecting systemS is said to uncondi-tionally provide privacy notionX , if and only if the adversaryA is restricted to invocations(u0, α0) and (u1, α1) such thatf0 and f1 are X-indistinguishable for all invocations and forall such adversariesA, it holds thatAdvX

S,A(k) = 0.

2) Discussion: Due to its generality, and due to the factthat it is not meant to cover security properties, the Bohli-Pashalidis model needs non-trivial adaptations in order toapply to RFID setting. In its current form, the model doesnot support multi-pass protocols, where linking two messagesfrom the same protocol run is not a privacy breach. Moreoverthere is no distinction between tags that need to be protected,and the reader for which privacy is not an issue. An interestingquestion is whether the strictly binary distinguishing game(only one bit of randomness in the challenge) provides enoughflexibility compared to other models, like Vaudenay’s, wherethere are multiple bits of randomness that are to be guessed.

IV. OUR MODEL

A. Adversarial Model

We assume a set of readersR = {R1, R2, . . . , Rj} and aset of tagsT = {T1, T2, . . . , Ti}.R andT are initially empty,and readers and tags are added dynamically by the adversary.Each reader maintains a database of tuples(IDi, Ki), one forevery tagTi ∈ T that is registered with that reader. Moreover,every tagTi stores an internal stateSi.

Let A denote the adversary, which can adaptively controlthe systemS. A interacts withS through a set of oracles. Theexperiment that the challenger sets up forA (after the securityparameterk is fixed) proceeds as follows:

ExpS,A(k):1) b ∈R {0, 1}2) g ← AO()3) Returng == b.

At the beginning of the experiment, the challenger picks arandom bit b. The adversaryA subsequently interacts withthe challenger by means of the set of oraclesO:

• CreateReader() → Rj : this oracle creates a newreader. A referenceRj to the new reader is returned.

• CreateTag(ID) → Ti: on input a tag identifier ID,this oracle callsSetupTag(ID) and registers the new tagwith the server. A referenceTi to the new tag is returned.Note that this does not reject duplicate IDs.

• RegisterTag(Ti,Rj): register the tagTi with theserverRj . The registration of the tag with the reader canbe done in several ways (e.g. using a specific protocolthat involves both the tag and reader, between readers orusing some offline process).

• Launch(Rj) → π: a new protocol run is launched onthe readerRj , according to the protocol specification. Itreturns a session identifierπ, generated by the reader.

• DrawTag(Ti,Tj) → vtag: on input a pair of tagreferences, this oracle generates a virtual tag reference,as a monotonic counter,vtag and stores the triple(vtag, Ti, Tj) in a tableD. Depending on the value ofb,vtag either refers toTi or Tj . If one of the two tagsTi

or Tj is in the list of insider tagsI, ⊥ is returned and noentry is added toD. If Ti is registered with a differentset of readers thanTj , ⊥ is returned. IfTi is alreadyreferences as the left-side tag inD or Tj as the right-sidetag, then this oracle also returns⊥ and adds no entryto D. Otherwise, it returnsvtag.

• Free(vtag)b: on input vtag, this oracle retrieves thetriple (vtag, Ti, Tj) from the tableD. It resets eitherTi (if b = 0) or Tj (if b = 1). Then it removesthe entry (vtag, Ti, Tj) from D. When a tag is reset,its volatile memory is erased. The non-volatile memory,which contains the stateS, is preserved.

• SendTag(vtag,m)b → m′: on inputvtag, this oracleretrieves the triple(vtag, Ti, Tj) from the tableD andsends the messagem to either Ti (if b = 0) or Tj (ifb = 1). It returns the reply from the tag (m′). If theabove triple is not found inD, it returns⊥.

• SendReader(Rj, π, m) → m′: on inputπ, m thisoracle sends the messagem to the readerRj in sessionπ

6

and returns the replym′ from the reader (if any) isreturned by the oracle.5

• Result(Rj,π): on input π, this oracle returns a bitindicating whether or not the reader accepted sessionπas a protocol run that resulted in successful authenticationof a tag. If the session with identifierπ is not yet finished,or there exists no session with identifierπ, ⊥ is returned.

• Corrupt(Ti): on input a tag referenceTi, this oraclereturns the complete internal state ofTi. Note that theadversary is not given control overTi.

• CreateInsider(ID) → Ti, S: create an insider tagTi. This runsCreateTag to create a new tagTi andCorrupt on the newly created tag. The tagTi is addedto the listI of insider tags.

• CorruptReader(Rj): corrupt the readerRj , whichreturns the full database of the reader and all secrets of thereader. Note that in the default privacy game this oracleis not used.

According to the above experiment description, the chal-lenger presents to the adversary the system where either the‘left’ tags Ti (if b = 0) or the ‘right’ tagsTj (if b = 1) areselected when returning a virtual tag reference inDrawTag.A queries the oracles a number of times and, subsequently,

outputs a guess bitg. We say thatA wins the privacy gameif and only if g = b, i.e. if it correctly identifies which of theworlds was active. The advantage of the adversaryAdvS,A(k)is defined as

∣

∣Pr[

Exp0S,A(k) = 1

]

+ Pr[

Exp1S,A(k) = 1

]

− 1∣

∣ .

Restrictions on tag corruption: In the current setupCorrupt(Ti) reveals the full internal state of the tag, i.e.both its volatile and non-volatile parts. This follows [25] whereit is shown that, if corruptions reveal the volatile state, then theresulting privacy notions are stronger. Single-pass protocols(e.g. challenge-response) do not suffer from any issues, sincethe volatile memory is typically erased after sending the reply,and hence all computations are confined to the invocation ofthe SendTag oracle. Multi-pass protocols on the contrary,typically require storage of data in betweenSendTag in-vocations. In this case, corrupting a tag in between protocolpasses always reveals the activity of the tag and thus allowstrivial attacks on the privacy of the tag. In this case, additionalrestrictions in the privacy model are required to achieve areasonable privacy definition for such protocols. Note thatmutual authentication always requires a multi-pass protocol.

We assume that corrupting a tag implies some kind ofphysical access to the tag. Such physical access would almostcertainly be disruptive for any active protocols being executedon the tag at the time of corruption (if not, one would alsoneed to consider white-box or leakage-resilient cryptography).

Clearly corruption on itself should not yield any advantageto an adversary. For instance, an adversary is could randomlydraw one out of two tags and execute several corruptionsin between protocol runs while the tag is drawn to seeif the selected tag is active. Such an adversary behaviourwould also contradict the assumption that physical access is

5If no active sessionπ exists, the reader is likely to return⊥.

required: drawing a tag at random models the observation oftags passing in proximity of the adversary. The moment anadversary corrupts a tag it breaches the (possible) privacyofsuch a tag and can certainly identify the tag based on physicalproperties of the tag or the attached item. Hence it makes nosence to allow corruption of a drawn tag since an adversaryshould directly select such a tag instead of drawing it. Forthe remainder of this article we will therefore restrict theCorrupt oracle to inactive tags, i.e. tags that are drawn inneither the left or right world.

B. Privacy

The adversary restrictions, as defined in Sect.III-A , alsoapply to our privacy definition. Depending on the accept-able usage of theCorrupt oracle, an adversary in ourmodel is either strong, destructive (Corrupt destroys a tag),forward (after the firstCorrupt only further corruptionsare allowed), or weak (noCorrupt oracle) adversaries.Depending on the allowed usage of theResult oracle,there exist narrow (noResult oracle) and wide adversaries.If an adversary is allowed to callCreateInsider theprivacy notion is called ‘insider’, so we can speak of forward-insider and weak-insider adversaries. For strong and destruc-tive theCreateInsider can be simulated using the normalCreateTag and Corrupt oracles, i.e. strong-insider anddestructive-insider are equivalent to strong and destructiverespectively. An overview of the relations between the privacynotions, including our two new notions, is given below:

wide-forward-insider ⇒ wide-weak-insider

⇒ ⇓ ⇓

wide-strong ⇒ wide-destructive ⇒ wide-forward ⇒ wide-weak⇓ ⇓ ⇓ ⇓

narrow-strong ⇒ narrow-destructive ⇒ narrow-forward ⇒ narrow-weak

For most practical applications, wide-forward-insider pri-vacy is sufficient. By contrast, the weaker notion of wide-forward privacy isnot sufficient; indeed, ine.g., transporta-tion systems an adversary has easy access to an insider tagand can thus abuse any privacy guarantees of the system.Furthermore, it seems that the wide-strong notion capturesa scenario exceeding the practical requirements for privacy,where an adversary may first corrupt a tag and then releaseit again for future tracking. In practice this can be done moreeasily, without physically tampering with the tag itself (i.e.,corrupting it),e.g., by attaching a tracking device to the tag.

We now present our definition of privacy.X is used todenote one of the above privacy notions. For the remainderof this article, we will only consider computational privacy.

Definition 9 (Privacy). An RFID systemS, is said to un-conditionally provide privacy notionX , if and only if for alladversariesA of typeX , it holds thatAdvX

S,A(k) = 0. Simi-larly, we speak of computational privacy if for all polynomialtime adversaries,Adv

XS,A(k) ≤ ǫ(k).

C. Stateful protocols

Note that stateful protocols (which update their state after aprotocol run) do not satisfy our privacy definition. By issuinga Corrupt(Ti) query before and after a protocol run, onecan always identify whether or not the tag has been active.

7

The main solution we propose is to perform a (possiblyrandom) number of protocol executions on both tagsTi andTj whenFree is called. This models the protocol executionsthat happen outside of the adversaries range, i.e. when a tagis free. These executions are crucial to re-randomize the stateof the tag such that consecutive corruption of the tag does notreveal any information.

As an alternative we also mention theX+ privacy notions,as defined in [28] which can be combined with the firstrestriction from above. Simply put, this restriction implies that,whenever a tag is corrupted at some point during the privacygame, it always has to be drawn simultaniously in both theleft and the right world using aDrawTag(Ti, Ti) query withidentical arguments.

D. Correctness and soundness

Correctness ensures that a legitimate tag is always acceptedby a reader. Soundness is the property that an illegitimate tagis not accepted by the server. Specifically for the RFID setting,the RFID tag can only participate in one session at the time,hence concurrent attacks on the tag are impossible. This allowsus to relax the security definition from requiring matchingconversations to impersonation resistance as in [23]. Theadversary cannot interact with the tag they try to impersonateduring the protocol run between adversary and reader.

Definition 10. Correctness. A scheme is correct if the identifi-cation of a legitimate tag only fails with negligible probability.

Definition 11. Soundness. A scheme is resistant against imper-sonation attacks if no polynomially bounded strong adversarysucceeds, with non-negligible probability, in being identified bya verifier as the tag it impersonates. Adversaries may interactwith the tag they want to impersonate prior to, and with allother tags prior to and during the protocol run. All tags, exceptthe impersonated tag, can be corrupted by the adversary.

Definition 12. Extended Soundness. Identical to Def.11, butthe adversary is given access to theCorruptReader oracle.

E. Motivation and comparison

Our proposed model is based on the well-studied notionof (left-or-right) indistinguishability, thus avoiding the issueswith less well-studied concepts such as blinders that theVaudenay model suffers from (see Sect.III-A ). Moreover,several cryptographic schemes have proven security propertiesbased on indistinguishability games (e.g. IND-CPA, IND-CCA, IND-CCA2...). When using these schemes as buildingblocks for private RFID authentication protocols, it is likelyto simplify proofs using our model.

Note that the Juels-Weis model from Sect.III-C also usesa traditional indistinguishability setup. However, the modelrequires the adversary to distinguish one out of two selectedtags in the final phase. The disadvantage of this approach isthat it does not take into account other properties that mightleak privacy and that it limits the use of tag corruption. TheVaudenay model did introduce some crucial tools like virtualtag references and the corruption types that are still required.

Modelling details:

• The introduction ofCreateTag(·): since the set of tagsis not predefined we allow the adversary to dynamicallycreate new tags.

• DrawTag(·, ·) andFree(·)b are used to introduce theconcept of virtual tags. This concept is needed sinceotherwiseSendTag(·, ·)b would have to accept twotag/message pairs and select one of them based on thevalue of the bitb. In this case it would be trivial todetermineb for multi-pass protocols, simply by usingdifferent right (or left) tags for each pass of the protocol.For instance,SendTag(T0, T1)b for the first pass andSendTag(T0, T2)b for all consecutive passes. The proto-col would only succeed ifb = 0, thus allowing detectionof the bitb. Hence, it is crucial that the same tag is alwaysused within a certain protocol run, which can be ensuredby using virtual tag identifiers.

• A separate communication oracle for tags and reader isused, since the reader is not considered as an entity whoseprivacy can be compromised.

• Corrupt(·): corruption is done with respect to a tag,not a virtual tag. IfCorrupt(·)b would accept a vtag,then determining the bitb becomes trivial by performingthe following attack:

– vtagi ← DrawTag(T0,T1)– Ci ← Corrupt(vtagi)b

– Free(vtagi)– vtagj ← DrawTag(T0,T2)– Cj ← Corrupt(vtagj)b

If Ci = Cj thenb = 0, otherwiseb = 1.We believe that it is realistic to assume that one has thetag identifierTi when corrupting a tag, since corruptionimplies having physical access to a tag.

• The introduction ofCreateInsider(·) and two newprivacy notions (wide-weak-insider and wide-forward-insider): this models the case where an adversary usesthe internal state a corrupted tag to attack the privacy ofother tags.

• Allowing for a set of readersR and the introductionof CorruptReader(Rj): with multiple readers, theprobability that one will be corrupted (or is curiousabout the tag owner) rises. Even when a reader getscompromised, only the tag should be able to authenticateto the other readers is it registered with. Furthermore, thetag’s identity should remain private when authenticatingto other readers.

V. PREVIOUSLY PROPOSEDPROTOCOLS

In this section, we give an overview of previously proposedprotocols that are based on public key cryptography. Each ofthese protocols is correct, sound and achieves at least narrow-strong privacy. The reason why symmetric protocols are notconsidered is twofold: for private RFID symmetric authen-tication protocols 1) Vaudenay [9] proved that narrow-strongprivacy cannot be achieved and 2) Damgard and Pedersen [17]showed that privacy comes at the cost of a non-scalable lookupprocedure at the reader.

8

A. Zero Knowledge Based Protocols

These protocols are proofs of knowledge for a specificverifier (reader) with public keyY = yP . The prover (tag)proves knowledge of the private keyx ∈ Zℓ, which is thediscrete logarithm of the corresponding public keyX = xP ,for P a publicly agreed-on generator ofGℓ. The public keyX of the tag will serve as its identity and has been registeredwith the reader.

1) Randomized Schnorr:Bringeret al. [29] proposed Ran-domized Schnorr (see Fig.2). It achieves extended soundnessand narrow-strong privacy.

State:x, Y

Tag T

Secrets:y DB : {Xi}

ReaderR

r1, r2 ∈R Zℓ

R1 = r1P, R2 = r2Y

e ∈R Zℓ

e

s = ex + r1 + r2

X = e−1(sP − R1 − y−1R2)verify: X ∈ DB.

Figure 2. Randomized Schnorr [29].

2) Randomized Hashed GPS:Later, Bringeret al. [23] pro-posed Randomized Hashed GPS (see Fig.3). The protocol hasextended soundness and narrow-strong privacy. The authorsalso claim wide-PI-forward privacy, i.e., wide-forward privacyeven when the list of registered tags’ identities is known.

State:x, Y

Tag T

Secrets:y DB : {Xi}

ReaderR

r1, r2 ∈R Zℓ

R1 = r1P, R2 = r2Y

z = H(R1, R2)

e ∈R Zℓ

e

R1, R2, s = ex + r1 + r2

X = e−1(sP − R1 − y−1R2)Verify: z = H(R1, R2), X ∈ DB.

Figure 3. Randomized Hashed GPS [23].

Privacy-wise, both Randomized Schnorr and RandomizedHashed GPS suffer from the adversary having complete free-dom over the exame it sends to the tag and the fact thatthe final message from the tags contains a term that islinearly dependent on this exam and the secret of the tagx. For this reason these protocols cannot be wide-strongprivate.6 Furthermore, there exist a linear relation between thecommitments(R1, R2) and the answers. This, together with

6An attacker in the middle sendse − 1 to the virtual tag and responds tothe reader withs + x. For a correct guess of the tag’s identity with knowninternal statex, theresult oracle returns 1.

the above, makes that Randomized Schnorr cannot be wide-weak private.7 Randomized Schnorr and Randomized HashedGPS are also vulnerable to insider-attacks.8

3) IBIHOP: Peeterset al. [30] proposed IBIHOP (seeFig. 4). It achieves extended soundness, (reader-first) mutualauthentication and wide-strong privacy.

State:x, Y

Tag T

Secrets:y DB : {Xi}

ReaderR

e ∈R Z∗

ℓ

xcoord(E) = xcoord(e−1P )

r ∈R Z∗

ℓ

xcoord(R) = xcoord(rP )

f = xcoord(yR) + e

e = f − xcoord(rY )

eE?= P

s = ex + r

X = e−1(sP − R)?

∈ DB

Figure 4. The IBIHOP protocol [30].

B. Public Key Encryption Based Protocols

The reader has a public/private key pair(PK, pk). TheidentitiesID of tags that registered are stored in the reader’sdatabase. The tag and reader share a symmetric keyK.

1) Vaudenay’s Public Key Protocol:This protocol proposedby Vaudenay [9] (see Fig. 5) requires the tag to computethe public key encryption of one message. This cryptosystemneeds to be secure against adaptive chosen ciphertext attacks(IND-CCA2) to have a secure identification scheme thatachieves wide-strong privacy. One of the most efficient IND-CCA2 cryptosystems in the standard model is DHIES [13].

State:ID, K, PK

Tag T

Secrets:pk, KM DB : {IDi}

ReaderR

a ∈R {0, 1}α

a

c = EncPK(ID||K||a)

˙ID||K||a = Decpk(c)Verify: a = a,

K = FKM( ˙ID),

˙ID ∈ DB.

Figure 5. Vaudenay’s Public Key RFID Protocol [9].

7For an observed protocol runπ0, an adversary can test, using theresultoracle, that the current virtual tag is the tag ofπ0. The adversary mounts aMan-In-The-Middle attack, sends to the reader(R1 + R1,0, R2 + R2,0),challenges the tag withe − e0 and returns to the readers + s0.

8Similar to the above. The attacker sends the exame0 to the virtual tag inprotocol runπ1. When subtracting the answerss0 − s1, the tag specific partshould cancel out. The attacker starts a protocol runπ2 between its insidertag (with private keyx′) and the reader. The attacker setsR1 = R1,0−R1,1,R2 = R2,0 − R2,1 and replies withs′ = s0 − s1 + e2x′.

9

2) Hash ElGamal Based Protocol:Canardet al. [10] pro-posed a hash ElGamal-based protocol (see Fig.6), which is se-cure, narrow-strong private and future untraceable. It is unclearhow future untraceability (as defined by Canardet al. [10])and wide-strong privacy relate to each other, however, theseseem to be closely related. This protocol uses an IND-CPAcryptosystem, Hash ElGamal; and a MAC algorithm. It ismore efficient than Vaudenay’s public key scheme since theunderlying encryption does not need to be IND-CCA2. Notethat the combination of a MAC and IND-CPA encryption usedin this specific protocol in fact provides IND-CCA2 encryptionfor the type of plaintext messages used [31].

State:ID, K, Y

Tag T

Secrets:y DB : {IDi, Ki}

ReaderR

a ∈R Zℓ

a

b, r ∈R Zℓ

T0 = MAC(a||b, K)T1 = (T0||ID||b) ⊕ H(rY )T2 = rP

T1, T2

T0|| ˙ID||b = T1 ⊕ H(yT2)Get K from DB( ˙ID)Verify: T0 = MAC(a||b, K).

Figure 6. Hash ElGamal Based Protocol [10].

Neither protocol achieves extended soundness. Tag andreader need to store some shared (secret) data: an identifierID and a shared secret keyK. Both protocols achieve wide-strong privacy and soundness can also be proven under themore strict definition of matching conversations. Wide-strongprivacy rules out insider attacks on privacy.

VI. N EW WIDE-FORWARD-INSIDER PROTOCOL

Our proposed protocol (see Fig.7) is a modified version ofthe Schnorr [32] identification protocol. The original protocolis proven secure by Bellare and Palacio [33] under the OMDLassumption. Our starting point is a variant of the Schnorridentification protocol, where the exam of the reader is appliedto the tag’s randomness instead of its secret. This variant isequivalent to the original protocol, except for the case thate = 0. In the original Schnorr identification protocol thisresults in the adversary learning the tag’s randomness whilein the variant the adversary will learn the tag’s secret. Thissituation is avoided by having the tag check thate 6= 0.

Privacy is ensured by introducing a blinding factord thatcan only be computed by the tag and the reader. The blindingfactor is applied to the secretx. It is important to note thatthe factor that is applied to the secret, only depends on inputof the tag and the public key of the reader (known to thetag). As such an adversary cannot influence this value. This isan important difference with two of the previously proposedzero-knowledge based protocols (see Sect.V-A) for which theadversary can choose the factor that is applied to the secretofthe tag,9 leading to insider attacks against privacy.

9Due to IBIHOP’s reader-first mutual authentication, an adversary cannotchoose or even influence the valuee.

State:x, Y = yP

Tag T

Secrets:y DB : {Xi = xiP}

ReaderR

r1, r2 ∈R Z∗

ℓ

R1 = r1P, R2 = r2P

e ∈R Z∗

ℓ

e

d = xcoord(xcoord(r2Y )P )

s = dx + er1

d = xcoord(xcoord(yR2)P )X = d−1(sP − eR1) ∈ DB ?

Figure 7. Wide-forward-insider private RFID identification protocol.

We will now discuss the protocol in detail. The tag generatestwo random numbersr1 and r2, where the former is neededfor extended soundness and the latter is used to ensure privacy.The tag commits to its randomness by sendingR1, R2 to thereader. The reader verifies thatR1, R2 6= O, for O the point atinfinity. The tag’s response iss = dx+er1, with d the blindingfactor as computed by the tag. Note that the tag must checkthat d, e 6= 0.10 The reader verifies that a tag with public keyX = d−1(sP − eR1), with d the blinding factor as computedby the reader, has been registered. The reader keeps a listof all incomplete sessions. If a session timeout occurs or thetag fails to identify for a given challenge, the session is alsoconsidered to be completed.

The blinding factor containsr2Y = yR2. Given the CDHassumption, this value can only be computed when giveneitherr2 or y. To prevent an adversary of exploiting the self-reducibility of the DL problem, this value is encapsulated ina one-way function. Minimising the required circuit area forimplementation was one of the design criteria. Instead of usinga cryptographic hash function, we choose a one-way functionthat only uses EC operations:H(r2Y ) = xcoord(r2Y )P .The one-wayness of this function follows directly from theDL assumption. The valued is set to the x-coordinate of theEC point.

A. Correctness

Theorem 1. The protocol is correct according to Def.10.

Proof. Since d = xcoord(xcoord(r2Y )P ) =xcoord(xcoord(yR2)P ) = d, it follows thatX = d−1(sP − eR1) = d−1((dx + er1)P − er1P ) = X .

B. Soundness

Theorem 2. The proposed protocol has extended soundnessaccording to Def.11 under the OMDL assumption.

Proof. Assume an adversaryA that can break the extendedsoundness with non-negligible probability, i.e. that can per-form a fresh, valid authentication with the verifier. Without

10By appropriate selection of the elliptic curve (e.g. a curvewithout points(0, y)), checkingd 6= 0 is not necessary ifR2 6= O.

10

loss of generality we will assume the target tag is known atthe start of the game.11 We construct an adversaryB that winsthe OMDL game as follows:

• SetX = O1(). X will be used as the public key of thetarget tag.

• B executesA. During the first phase ofA, B simulatesthe SendTag oracles for the target tag as follows (allother oracles are simulated as per protocol specification):

– On the first SendTag(vtag)b query of the i’thprotocol run: returnR2,i = r2,iP with r2,i ∈R Zℓ

andR1,i = O1().– On the secondSendTag(vtag, ei)b query of thei’th

protocol run: setdi = xcoord(xcoord(r2,iY )P )and returnsi = O2(diX + eiR1,i)

• During the second phase ofA, B proceeds as follows:

– On the first call of A to Result(π), com-pute d = xcoord(xcoord(yR2)P ) and store(s, d). Next, rewindA until right before the callto SendReader(π, R1, R2). On the next call toSendReader(π, R1, R2), return a new randome′.

– On the next call ofA to Result(π): computer1 = (s−s′)/(e−e′) and x = d−1(s − er1) return(x, e−1

1 (s1 − xd1), . . . , e−1k (sk − xdk)).

The simulation byB is perfect during both phases. At theend of the gameB will successfully win the OMDL withnon-negligible probability, unlesss = s′, which happens withnegligible probability since bothe ande′ are randomly chosenafter R2 6= O is fixed.

C. Privacy

Before giving the privacy proof we introduce a crucialconjecture that is used as building block for obtaining wide-forward-insider privacy.

Conjecture 1. Assume a setX = {x1, . . . , xn} and I ={ι1, . . . , ιm} with xi, ιj ∈R Zℓ and n, m polynomial in thesecurity parameter. We conjecture that a PPT adversary hasnegligible probability in winning the following game:

1) b ∈R {0, 1}.2) The adversaryA is givenI and can interact with the

system through the following oracles:

• O1(α, β) :=

{

(i, dixα) if b = 0

(i, dixβ) if b = 1with di ∈R Zℓ and let i be a counter that isincremented at every call

• O2(s, i) := d−1i s ∈ X ∪ I

• O3(s) := s ∈ X 12

11Otherwise, the proof can be adapted by choosing the public keys of thetags asXi = O1(). All tag queries are simulated as for the target tag, untilthe tag is corrupted. When corrupting a tag, callO2(Xi) for that tag and usethe result as private key for simulating all following queries to that tag. Atthe end of the game, use theO2(·) oracle to extract all remaining discretelogarithms, except for the target tag.

12Due to a technicality in the privacy proof, we need to replacethisoracle byO3(S) := dlog(S) ∈ X . Note that it is the challenger, whichis computationally unbounded, that computes the discrete logarithm in thisoracle. This definition is equivalent to the one given here, since the adversarycan always callO3 with sP instead ofs.

3) The adversaryA is givenX and outputs a bitg.The adversary wins the game ifb == g.

The intuition behind the experiment described above is thatthe adversary has a set of insider tags for which it knows thesecret keys (I) and that there is a set of tags for which thekeys remains secret (X ). ThroughO1 the adversary can obtainoutput of the non-corrupted tags, which is a random valuemultiplied with the tag secret. Just as in the privacy definition,a random bit determines which tag secretxi is selected. Sincea fresh random valuedi is multiplied with every tag output,it is obvious that the adversary has negligible advantage inwinning the game when only givenO1. The oraclesO2 andO3 let the adversary verify the tag output. Both oracles onlyreturn a binary value indicating whether validation succeeded.The randomdi’s are used inO2 to verify the input. Intuitively,the only way that the adversary can win the game is by eitherguessing somexi and checking it through oracleO3 or bygiving an input (s, i) to O2 that did not directly originatefrom a call toO1 (i.e. that maps to a differentxi than the callto O1 did). The probability of both these events happeninghowever seems negligible.

Theorem 3. The proposed protocol is wide-forward-insiderand narrow-strong private according to Def.9 under the ODHassumption, the XL assumption and Conjecture1.

Proof. Assume an adversaryA that wins the privacy gamewith non-negligible advantage. Using a standard hybrid ar-gument [34], [35], we construct an adversary that breaks theODH-assumption. We setY = B. Bi plays the privacy gamewith A. Bi selects a random bitb, which will indicate whichworld is simulated toA. All oracles are simulated in theregular way, with the exception of theSendTag andResultoracle for the target tag:

• SendTag(vtag)b:– j 6= i: Generater1, r2 ∈R Zℓ. TakeR1 = r1P, R2 =

r2P . ReturnR1 andR2.– j = i: Generater1 ∈R Zℓ. TakeR1 = r1P, R2 = A.

ReturnR1 andR2.• SendTag(vtag, e)b, j’th query: retrieve the tuple

(vtag, T0, T1) from the tableD. Take the keyx for tagTb.

– j < i: Generate r ∈R Zℓ. Take d =xcoord(H(rP )). Returns = dx + er1.

– j = i: Taked = xcoord(H(C)). Returns = dx +er1.

– j > i: Take d = xcoord(H(r2Y )). Return s =dx + er1.

• Result(π): If the receivedR2 in sessionπ matchesAfrom the ODH problem taked = xcoord(H(C)). If not,check if R2 matches any of theR2’s generated duringthe first i− 1 SendTag queries. If so, use ther gener-ated in that query and computed = xcoord(H(rP )).Otherwise, taked = xcoord(O(R2)). Finally, computeX = d−1(sP −eR1). CheckX with the database, returntrue if X is found, false otherwise.

At the end of the gameA outputs its guessg for the privacygame.Bi outputs(b == g).

11

The above simulation toA is perfect, since validation isdone in the same way as the protocol specification. IfR2 = A,the oracleO(·) cannot be used. However, in this case we knowthe corresponding value ofd by directly usingH(C), whichgives the same result.

We useAi (with i ∈ [1 . . . k]) to denote the case thatAruns with the firsti SendTag queries random instances, andthe other queries real instances. This is the case whenBi+1

runs with a real ODH instance, orBi with a random ODHinstance. Note thatAi wins if b == g.

By the hybrid argument we get that:

‖Pr[

A0 wins]

− Pr[

Ak wins]

‖ ≤∑

AdvBi.

• In the case ofA0, it is clearPr[

A0 wins]

= Pr [Awins]since all oracles are simulated exactly as in the protocoldefinition.

• In the case ofAk, all SendTag queries are simulatedwith r ∈R Zℓ andd = xcoord(xcoord(rP )P ). Underthe XL assumption it follows thatd is indistinguishablefrom a random value from the x-coordinate distributionand thatd is independent ofR1, R2 ande.

a) Narrow-strong privacy: Since s = dx + er1 andR1 = r1P , it follows under the XL assumption that(s, e, R1),with d a random value from the x-coordinate distribution, isindistinguishable from(r, e, R), with r a uniformly randomvalue. Hence it follows thats is indistinguishable from auniformly random value independent ofx, as long ase, d 6= 0.Note that this only holds in the absence of aResult oracle(which is able to distinguishr from random).

So Ak has probability1/2 of winning the privacy game,since it obtains no information at all onx from a tag.

‖Pr[

A0 wins]

− Pr[

Ak wins]

‖ = ‖Pr [Awins]−1

2‖

=1

2Advprivacy

A

≤∑

AdvBi

It follows that at least one of theBi has non-negligibleprobability to win the ODH game.

b) Wide-forward-insider privacy: For proving wide-forward-insider privacy, we also have to simulate theResultoracle, which was ommitted in the case of narrow-strong pri-vacy. We can now do a straightforward reduction to the gamefrom Conjecture1. All SendTag(vtag, e)b calls are simulatedusingO1(i, j) for the tagsTi and Tj passed toDrawTag.Calls toResult are simulated usingO2(sP − eR1, i) if theR1 received by the server matches anR1 resulting from aSendTag(vtag)b, otherwised is computed as in the originalprotocol andO3(d

−1(sP − eR1)) is used to validate theresulting secret.

VII. E FFICIENCY OPTIMISATION

The protocol will be optimised by reducing the computa-tional effort at the tag side. This is done by having the tagonly generate one random valuer (r1 = r2). As such, the taghas to compute one less scalar-EC point multiplication andhas to transmit one less element. We also change the blinding

factor to d = xcoord(rY ). This reduces the computationaleffort required from the tag with another scalar-EC pointmultiplication. An overview of the protocol is given in Fig.8.

State:x, Y

Tag T

Secrets:y DB : {Xi}

ReaderR

r ∈R Z∗

ℓ

R = rP

e ∈R Z∗

ℓ

e

d = xcoord(rY )

s = d + x + er

d = xcoord(yR)X = (sP − dP − eR) ∈ DB ?

Figure 8. Optimised protocol.

A. Soundness

Theorem 4. The optimised protocol has extended soundnessaccording to Def.12 under the OMDL assumption.

The proof is similar to the one of the original protocol.

B. Privacy

For the privacy proofs, an extended ODH variant is required.To be able to verify the tag’s response, we only needdP =xcoord(rY )P , which is already available in the originalODH by oracleO(Z) = H(bZ). However, to also be able tocomputes, in the case thatR = A, the valuexcoord(C)+eais required. In our extended ODH variant, the adversary hasaccess to the oracleO′(z) := xcoord(C) + za that canbe called once withz 6= 0, in addition to A = aP, B =bP,xcoord(C)P and the oracleO(Z) of the original ODH.

Theorem 5. The optimised protocol is narrow-strong andwide-forward-insider private according to Def.9 under ourextended ODH assumption and the additive variant of Conj.1.

Proof. Assume an adversaryA that wins the privacy gamewith non-negligible advantage. Using a hybrid argument weconstruct an adversary that breaks the ODH-assumption. Weset Y = B. Bi plays the privacy game withA. Bi selects arandom bit b, which will indicate which world is simulatedto A. All oracles are simulated in the regular way, with theexception of theSendTag andResult oracle for the targettag:

• SendTag(vtag)b:

– j 6= i: Generater ∈R Zℓ. TakeR = rP . ReturnR.– j = i: TakeR = A. ReturnR.

• SendTag(vtag, e)b, j’th query: retrieve the tuple(vtag, T0, T1) from the tableD. Take the keyx for tagTb.

– j < i: Generater′ ∈R Zℓ. Taked = xcoord(r′P ).Returns = x + er + d.

– j = i: Returns = x +O′(e).

12

– j > i: Taked = xcoord(rY ). Returns = x+ er+d.

• Result(π): If the receivedR in sessionπ matchesAfrom the ODH problem takedP = xcoord(C)P . If not,check if R matches any of theR’s generated during thefirst i− 1 SendTag queries. If so, use ther′ generatedin that query and computedP = xcoord(r′P )P .Otherwise, takedP = O(R). Finally, computeX =sP − eR − dP . CheckX with the database, return trueif X is found, false otherwise.

At the end of the gameA outputs its guessg for the privacygame.Bi outputs(b == g).

The above simulation toA is perfect, since validationis done in the same way as the protocol specification. IfR = A, the oracleO(·) cannot be used. However, in thiscase we know the corresponding value ofdP by directly usingxcoord(C)P , which gives the same result.

We useAi (with i ∈ [1 . . . k]) to denote the case thatAruns with the firsti SendTag queries random instances, andthe other queries real instances. This is the case whenBi+1

runs with a real ODH instance, orBi with a random ODHinstance. Note thatAi wins if b == g.

By the hybrid argument we get that:

‖Pr[

A0 wins]

− Pr[

Ak wins]

‖ ≤∑

AdvBi.

• In the case ofA0, it is clearPr[

A0 wins]

= Pr [Awins]since all oracles are simulated exactly as in the protocoldefinition.

• In the case ofAk, all SendTag queries are simulatedwith r ∈R Zℓ andd = xcoord(rP ).

a) Narrow-strong privacy:Since s = x + er + d andR = rP , it follows under the XL assumption that(s, e, R),with d a random value from the x-coordinate distribution, isindistinguishable from(r, e, R), with r a uniformly randomvalue. Hence it follows thats is indistinguishable from auniformly random value independent ofx, as long ase, d 6= 0.

So Ak has probability1/2 of winning the privacy game,since it obtains no information at all onx from a tag.

‖Pr[

A0 wins]

− Pr[

Ak wins]

‖ = ‖Pr [Awins]−1

2‖

=1

2Advprivacy

A

≤∑

AdvBi

It follows that at least one of theBi has non-negligibleprobability to win the ODH game.

b) Wide-forward-insider privacy: For proving wide-forward-insider privacy, we also have to simulate theResultoracle, which was ommitted in the case of narrow-strongprivacy. We can now do a straightforward reduction tothe game from (the additive variant of) Conjecture1. AllSendTag(vtag, e)b calls are simulated usingO1(i, j) forthe tagsTi and Tj passed toDrawTag. Calls to Resultare simulated usingO2() if the R1 received by the servermatches anR1 resulting from aSendTag(vtag)b, otherwised is computed as in the original protocol andO3() is used tovalidate the resulting secret.

VIII. I MPLEMENTATION CONSIDERATIONS

Our protocol mainly requires the evaluation of scalar-EC point multiplications and the generation of a randomnumber. For 80 bit security, we need an elliptic curve over afield that is approximately 160 bits in size. The protocol canbeimplemented on the architecture proposed by Leeet al. [36].Their ECC coprocessor can be built with less than 15 kGEs(Gate Equivalent), consumes±13, 8µW of power and takesaround 85ms for one scalar-EC point multiplication. Morerecently, Wenger and Hutter[37] proposed an ECC coprocessorthat only requires 9 kGEs, consumes±32, 3µW of power andtakes around 286ms for one scalar-EC point multiplication.Aside from the ECC coprocessor, circuit area is requiredfor the ROM (Read Only Memory), RAM (Random AccessMemory) and RNG (Random Number Generator).

A. (Non-)Sense of Coupons

Several papers have proposed to use precomputation as anoptimisation. The protocol is split in an off-line and on-linephase, for which the on-line phase is more efficient (faster)than the original protocol. The precomputed values are storedin the form of coupons. There are two options: either thesecoupons are precomputed externally and pushed on the tag orthe tag generates these coupons itself.

Computing coupons externally has the additional benefitthat for most protocols, less logic needs to be implementedon the tag. The downside of the tag itself not being ableto do these necessary computations is that an adversary canquite easily mount a denial of service attack, by trickingthe tag into authenticating over and over until it has nocoupons left. This attack could be prevented by introducingmutual authentication, more specifically have the reader firstauthenticate to the tag. Ironically the only efficient way toachieve authentication of the reader to a yet-unknown tag, isby using zero knowledge proofs, which in turn require a fullfletched ECC coprocessor on the tag to verify these. How tosecurely push these coupons onto the tag is an additional issue.

Having the tag itself precompute coupons can speed up theidentification process, or alternatively make it possible to usea slower EC coprocessor that is smaller. The tag computesthese coupons whenever energy is available. A tag can drawenergy as long as it is in the electromagnetic field around anyreader. Since the tag can do all the necessary computationsitself, one only needs limited storage forb coupons.

The disadvantage of coupons is that these need to be storedon the tag. When making abstraction of the control logicneeded to access this storage, one still needs about one floatinggate per bit. The size of the coupons can be minimized bynot storing the used randomness but instead implementinga pseudo-random function with a seed to generate randomnumbers on the tag. Taking this optimisation into account,the protocols discussed in this paper still require couponsthatconsist of two EC points. For an area of 10 KGe (≈ the sizeof Wenger and Hutter’s ECC coprocessor) one can store 20 to30 of such coupons.

In general it can be argued that strong privacy is notachievable when using coupons or a pseudo-random function

13

instead of a true random number generator. By making a queryto the Corrupt oracle, the adversary learns the completeinternal state of the tag, which also comprises coupons and/orthe seed of the pseudo-random function. When the couponsare generated by the tag itself,b-strong privacy is possible,meaning that the tag is unlinkable again afterb conversationsfrom the moment the tag was freed.

At least part of the coupons is reader specific. This putsan additional burden on tag storage requirements in the multi-reader setting, making the use of coupons impractical.

B. Comparison

Table I gives a comparision of our protocol to previouslyproposed protocols, described in Sect.V.

Both the Randomized Schnorr and our proposed protocolbenefit from a compact hardware design: only an ECC co-processor is needed. The other protocols require additionalhardware to evaluate a cryptographic hash function, whichmakes the design substantially larger. Current cryptographichash functions [38] require at least50% of the circuit area ofthe most compact ECC implementation.

The scalar-EC point multiplication is more complex thanthe evaluation of a hash/MAC. For a fair comparison betweenthe performance of protocols that require the evaluation ofahash/MAC and protocols that do not, one should assume thesame total available circuit size. This means that our protocolcan be implemented using a larger but faster ECC processor.

When also considering the more general setting, wherea single tag can identify the end-user privately to multiplereaders, the tags not only need to store an extra public keyfor every reader but also corresponding shared data, if any.In this setting there is a clear advantage for protocols thatprovide extended soundness, since the tag can use the sameprivate/public key pair to identify to each reader.

IX. CONCLUSION

RFID privacy was approached from both the modellingand protocol point of view. Several RFID privacy modelswere critically examined with respect to their assumptions,practical usability and other issues that arise when applyingtheir privacy definition to concrete protocols. Some modelsare based on unrealistic assumptions, others are impracticalto apply. We presented a new RFID privacy model, basedon the classic notion of indistinguishability, that combinesthe benefits of existing models while avoiding their identifieddrawbacks. Since this privacy model is based on an indistin-guishability game, one can rely on a wide range of existingproof techniques, making the model quite straightforwardto use in practice. Furthermore, this is the first model thatallows for a more general setting where a tag can privatelyauthenticate to multiple (independent) readers. This modelalso incorporates the creation of insider tags, in order to alsocapture privacy attacks for which the corrupted tag is not theone under attack. We showed that the combination of thenotions narrow-strong and wide-forward-insider is sufficientfor most practical applications.

From the protocol side, we examined several protocolstowards their security and privacy properties. We proposed

a new wide-forward-insider and narrow-strong private zero-knowledge RFID identification protocol and its optimisedversion. Security and privacy of our proposed protocols areproven in the standard model. Our protocol is the mostefficient privacy-preserving RFID authentication protocol formost practical applications and can be implemented on thetags, using only Elliptic Curve Cryptography. This allows for acompact hardware design and requires minimal computationaleffort from the tag, namely two scalar-EC point multiplica-tions. As an additional benefit, our protocols do not requireany shared secrets between readers and tags. This makes theseprotocols very suitable for use with multiple readers.

ACKNOWLEDGEMENTS

The authors would like to thank everyone that contributed tosome very fruitful discussions, came up with possible proofstrategies, provided useful suggestions or tried to break theclaimed privacy properties of the proposed protocols. Specialthanks to: Julien Bringer, Ivan Damgard, Junfeng Fan, JesperBuus Nielsen, Andreas Pashalidis, Dominique Raub, KoenSimoens, Dave Singelee, Serge Vaudenay and Frederik Ver-cauteren. The work leading to these results has received fund-ing from the European Community’s Framework Programme(FP7/2007-2013) under grant agreement no 284862, and theResearch Council KU Leuven: GOA TENSE (GOA/11/007).

REFERENCES

[1] S. A. Weis, S. E. Sarma, R. L. Rivest, and D. W. Engels, “Security andPrivacy Aspects of Low-Cost Radio Frequency IdentificationSystems,”in SPC, ser. LNCS, vol. 2802. Springer, 2003, pp. 201–212.

[2] S. Mangard, E. Oswald, and T. Popp,Power analysis attacks - revealingthe secrets of smart cards. Springer, 2007.

[3] M. Hutter, J.-M. Schmidt, and T. Plos, “RFID and Its Vulnerability toFaults,” inCHES, ser. LNCS, vol. 5154. Springer, 2008, pp. 363–379.

[4] T. Kasper, D. Oswald, and C. Paar, “New Methods for Cost-EffectiveSide-Channel Attacks on Cryptographic RFIDs,”RFIDSec, 2009.

[5] R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali, “Resettablezero-knowledge (extended abstract),” inSTOC, 2000, pp. 235–244.

[6] M. Bellare, M. Fischlin, S. Goldwasser, and S. Micali, “IdentificationProtocols Secure against Reset Attacks,” inEUROCRYPT, ser. LNCS,vol. 2045. Springer, 2001, pp. 495–511.

[7] V. Goyal and A. Sahai, “Resettably Secure Computation,”in EURO-CRYPT, ser. LNCS, vol. 5479. Springer, 2009, pp. 54–71.

[8] T. van Deursen and S. Radomirovic, “Insider attacks andprivacy ofRFID protocols,” inEuroPKI, ser. LNCS, vol. 7163. Springer, 2011,pp. 65–80.

[9] S. Vaudenay, “On Privacy Models for RFID,” inASIACRYPT, ser. LNCS,vol. 4833. Springer, 2007, pp. 68–87.

[10] S. Canard, I. Coisel, J. Etrog, and M. Girault, “Privacy-Preserving RFIDSystems: Model and Constructions,” Cryptology ePrint Archive, Report2010/405, 2010,http://eprint.iacr.org/.

[11] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, “TheOne-More-RSA-Inversion Problems and the Security of Chaum’s BlindSignature Scheme,”Journal of Cryptology, vol. 16, pp. 185–215, 2003.

[12] D. R. L. Brown and K. Gjøsteen, “A Security Analysis of the NIST SP800-90 Elliptic Curve Random Number Generator,” inCRYPTO, ser.LNCS, vol. 4622. Springer, 2007, pp. 466–481.

[13] M. Abdalla, M. Bellare, and P. Rogaway, “The Oracle Diffie-HellmanAssumptions and an Analysis of DHIES,” inCT-RSA, ser. LNCS, vol.2020. Springer, 2001, pp. 143–158.

[14] G. Avoine, E. Dysli, and P. Oechslin, “Reducing Time Complexity inRFID Systems,” inSAC, ser. LNCS, vol. 3897. Springer, 2005, pp.291–306.

[15] M. Burmester, T. Le, and B. Medeiros, “Provably secure ubiquitoussystems: Universally composable RFID authentication protocols,” inSECURECOMM. IEEE Press, 2006.

[16] T. Van Le, M. Burmester, and B. de Medeiros, “Universally com-posable and forward-secure RFID authentication and authenticated keyexchange,” inASIACCS. ACM, 2007, pp. 242–252.

14

Table IOVERVIEW OF DIFFERENT PROPOSED PROTOCOLS.

Protocol Strongest Privacy Insider Private Extended Soundness Mutual Tag Operations Reader Operations

Randomized Schnorr [29] narrow-strong no yes no 2 EC mult 3 EC mult3 EC add

Randomized Hashed GPS [23] narrow-strong no yes no 2 EC mult 3 EC multwide-forward 1 hash 3 EC add

1 hashIBIHOP [30] wide-strong yes yes yes 3 EC mult 4 EC mult

1 EC addVaudenay [9] wide-strong yes no no 2 EC mult 1 EC mult

+ DHIES [13] 2 hash/MAC 3 hash/MAC1 symm enc 1 symm dec

Hash ElGamal [10] wide-strong yes no no 2 EC mult 1 EC mult2 hash/MAC 2 hash/MAC

Proposed Protocol (Sect.VI) wide-forward-insider yes yes no 4 EC mult 4 EC mult1 EC add

Optimised Protocol (Sect.VII ) wide-forward-insider yes yes no 2 EC mult 3 EC mult2 EC add

[17] I. Damgard and M. Ø. Pedersen, “RFID Security: Tradeoffs betweenSecurity and Efficiency,” inCT-RSA, ser. LNCS, vol. 4964. Springer,2008, pp. 318–332.

[18] J. Ha, S.-J. Moon, J. Zhou, and J. Ha, “A New Formal Proof Model forRFID Location Privacy,” inESORICS, vol. LNCS. Springer, 2008, pp.267–281.

[19] A. Juels and S. A. Weis, “Defining Strong Privacy for RFID,” in PerComWorkshops. IEEE Computer Society, 2007, pp. 342–347.

[20] R.-I. Paise and S. Vaudenay, “Mutual Authentication inRFID: Securityand Privacy,” inASIACCS. ACM Press, 2008, pp. 292–299.

[21] C. Y. Ng, W. Susilo, Y. Mu, and R. Safavi-Naini, “RFID Privacy ModelsRevisited,” in ESORICS, ser. LNCS, vol. 5283. Springer, 2008, pp.251–266.

[22] ——, “New Privacy Results on Synchronized RFID AuthenticationProtocols against Tag Tracing,” inESORICS, ser. LNCS, vol. 5789.Springer, 2009, pp. 321–336.

[23] J. Bringer, H. Chabanne, and T. Icart, “Efficient Zero-KnowledgeIdentification Schemes which respect Privacy,” inASIACCS. ACM,2009, pp. 195–205.

[24] A.-R. Sadeghi, I. Visconti, and C. Wachsmann, “Anonymizer-EnabledSecurity and Privacy for RFID,” inCANS, ser. LNCS, vol. 5888.Springer, 2009, pp. 134–153.

[25] F. Armknecht, A.-R. Sadeghi, A. Scafuro, I. Visconti, and C. Wachs-mann, “Impossibility Results for RFID Privacy Notions,” inTransactionson Computational Science IX. Springer, 2010, pp. 39–63.

[26] K. Ouafi and S. Vaudenay, “Strong Privacy for RFID Systems fromPlaintext-Aware Encryption,” inCANS, ser. LNCS, vol. 7712. Springer,2012, pp. 247–262.

[27] D. Bleichenbacher, “Chosen Ciphertext Attacks Against Protocols Basedon the RSA Encryption Standard PKCS #1,” inCRYPTO, ser. LNCS,vol. 1462. Springer, 1998, pp. 1–12.

[28] J.-M. Bohli and A. Pashalidis, “Relations Among Privacy Notions,” inFinancial Cryptography, ser. LNCS, vol. 5628. Springer, 2009, pp.362–380.

[29] J. Bringer, H. Chabanne, and T. Icart, “Cryptanalysis of EC-RAC,a RFID Identification Protocol,” inCANS, ser. LNCS, vol. 5339.Springer-Verlag, 2008, pp. 149–161.

[30] R. Peeters, J. Hermans, and J. Fan, “IBIHOP: Proper Privacy PreservingMutual RFID Authentication,” inRFIDSec Asia 2013, ser. Cryptologyand Information Security, vol. 11. IOS PRESS, 2013, pp. 45–56.

[31] H. Krawczyk, “The Order of Encryption and Authentication for Pro-tecting Communications (or: How Secure Is SSL?),” inCRYPTO, ser.LNCS, vol. 2139. Springer, 2001, pp. 310–331.

[32] C.-P. Schnorr, “Efficient Signature Generation by Smart Cards,” J.Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

[33] M. Bellare and A. Palacio, “GQ and Schnorr Identification Schemes:Proofs of Security against Impersonation under Active and ConcurrentAttacks,” in CRYPTO, ser. LNCS, vol. 2442. Springer, 2002, pp. 162–177.

[34] A. C.-C. Yao, “Theory and applications of trapdoor functions (extendedabstract),” inFOCS. IEEE Computer Society, 1982, pp. 80–91.

[35] O. Goldreich, Foundations of Cryptography: Volume 1, Basic Tools.Cambridge University Press, 2001.

[36] Y. K. Lee, L. Batina, D. Singelee, and I. Verbauwhede, “Low-CostUntraceable Authentication Protocols for RFID,” inWiSec. ACM, 2010,pp. 55–64.

[37] E. Wenger and M. Hutter, “A Hardware Processor Supporting EllipticCurve Cryptography for Less Than 9 kGEs,” inCARDIS, ser. LNCS,vol. 7079. Springer, 2011, pp. 182–198.

[38] SHA-3 Zoo. Overview of all candidates for the SHA-3 hashcompetitionorganized by NIST.http://ehash.iaik.tugraz.at/wiki/TheSHA-3 Zoo.

Jens Hermans is a postdoctoral researcher at theresearch group COSIC at KU Leuven (Belgium). Heobtained a Master’s degree in Mathematical Engi-neering and a Phd in Engineering Sciences at KULeuven in 2008 and 2012 respectively. His researchinterest are the analysis and design of cryptographicprotocols, provable security and implementation ofpublic key cryptography.

Roel Peeters is a postdoctoral researcher at theresearch group COSIC at KU Leuven. He obtained aMaster’s degree in Electrical Engineering and a Phdin Engineering Sciences at KU Leuven in 2007 and2012 respectively. His research interest are mainly inthe analysis and design of cryptographic protocols.He authored more than 20 scientific publications,and participated in various research projects.

Bart Preneel is a full professor at the KU Leuvenwhere he heads the COSIC research group. Hereceived the Electrical Engineering degree and theDoctorate in Applied Sciences from KU Leuven. Hewas visiting professor at five universities in Europeand was a research fellow at the University ofCalifornia at Berkeley. Bart Preneel coordinated theEU Network of Excellence ECRYPT and served aspanel member and chair for the European ResearchCouncil. Since 1997 he is serving on the Board ofDirectors of the IACR (International Association for

Cryptologic Research), from 2002-2007 as vice president and from 2008-2013 as president. He was program chair of 15 international conferences andhe has been invited speaker at more than 90 conferences in 40 countries. Hismain research interests are cryptography, information security and privacy. Heauthored more than 400 scientific publications and is inventor of 4 patents.