REACT: An RFID-based privacy-preserving children tracking ...bbcr.uwaterloo.ca/~xshen/paper/2010/rarbpp.pdf · amusement park, i.e., Canada’s Wonderland [2], as shown in Fig. 1

Computer Networks xxx (2010) xxx–xxx

ARTICLE IN PRESS

Contents lists available at ScienceDirect

Computer Networks

journal homepage: www.elsevier .com/ locate/comnet

REACT: An RFID-based privacy-preserving children tracking scheme forlarge amusement parks

Xiaodong Lin a, Rongxing Lu b, Davis Kwan a, Xuemin (Sherman) Shen b,*

a Faculty of Business and Information Technology, University of Ontario Institute of Technology, Oshawa, Ontario, Canada L1H 7K4b Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Ontario, Canada N2L 3G1

a r t i c l e i n f o a b s t r a c t

Article history:Received 15 December 2009Received in revised form 22 April 2010Accepted 9 May 2010Available online xxxxResponsible Editor: J. Misic

Keywords:RFIDChildren trackingPrivacy preservingPocket switched network

1389-1286/$ - see front matter � 2010 Elsevier B.Vdoi:10.1016/j.comnet.2010.05.005

* Corresponding author.E-mail addresses: [email protected] (X. Lin), r

ca (R. Lu), [email protected] (D. Kwan), xshe(Xuemin (Sherman) Shen).

Please cite this article in press as: X. Lin et al.parks, Comput. Netw. (2010), doi:10.1016/j.co

In this paper, we propose an RFID-based privacy-preserving children tracking (REACT)scheme for helping locate missing children in large amusement parks and other public ven-ues. The scheme is characterized by the cooperation among RFID readers, storage nodesand control center, which are strategically deployed across the amusement park, as wellas employees and visitors in the park. When a passive RFID tag, physically attached on achild, approaches an RFID reader, the reader will process the tag information. The readerthen forwards the information to a storage node through a pocket switched networkformed by employees and visitors in the park. When locating a lost child is requested,the system is able to track the missing child by querying the tag information stored inthe storage nodes. Detailed security analysis shows that the proposed REACT schemeachieves child’s identity privacy, unlinkable location privacy and forward security. In addi-tion, extensive simulations demonstrate that as more visitors participate in the pocketswitched network, the performance of our proposed REACT scheme increases whichdirectly improves the efficiency for the locating lost children.

� 2010 Elsevier B.V. All rights reserved.

1. Introduction

One of the greatest fears of parents is, without a doubt,losing sight of their children. Each year approximately65,000 children are reported missing in Canada [1], leadingto people suffering in different ways such as anguish andfranticness of parents and the potential loss of childrenlives. A fraction of these cases occur when the childrenare in public venues such as shopping malls, playgroundsand amusement parks. In the worst case scenario, thesemissing children are never reunited with their parents.Locating a child in an amusement park can be a very diffi-cult task. For example, large amusement parks usually cov-

. All rights reserved.

[email protected]@bbcr.uwaterloo.ca

, REACT: An RFID-based pmnet.2010.05.005

er an area greater than one squared kilometer, e.g., theCanada’s wonderland [2].

On a typical day during the high season, there may betens of thousands of visitors in the park. Finding one singlechild from this crowd is sometimes next to impossible, likefinding a needle in a hay stack. It is not unusual that guestservices at amusement parks constantly have long line upsand are busy trying to help anxious parents locate theirlost children. It takes at least a couple of hours on averageto locate a child in the park and in the worst case, they maynever be found as they have already left the park. This is amajor safety issue that is important to both the park oper-ators and visitors. Unfortunately, there are currently nosystems in place to aid in the tracking of missing childrenin public venues. Most searches for missing children casesare performed by reviewing recorded security surveillancetapes and requesting the help of bystanders and witnesses.Although there have been some success with this ap-proach, any further methods to increase the success rate

rivacy-preserving children tracking scheme for large amusement

http://dx.doi.org/10.1016/j.comnet.2010.05.005

mailto:[email protected]





http://www.sciencedirect.com/science/journal/13891286

http://www.elsevier.com/locate/comnet


2 X. Lin et al. / Computer Networks xxx (2010) xxx–xxx

ARTICLE IN PRESS

should be welcomed by the general public. Nowadaysthere are many existing location technologies (e.g., GPS,Satellite), which can be used to keep track of the locationof a child. However, with these technologies, the childrenbeing tracked must carry a GPS receiver or cellular phone.GPS receivers and cellular phones are moderately sizedelectronic devices that require extra care and protectionto prevent damage to the components. As a result, thesedevices become very inconvenient to the children whenplaying in an amusement park, especially during water-re-lated activities. Another approach to personnel tracking isto implant a special chip into a person, so that the personcan be tracked through communication between the chipand a satellite. However, it is extremely expensive toimplement for the purpose of tracking in an amusementpark setting and requires a chip to be permanently im-planted into the children. Thus, it is highly desired to havecost effective and efficient personnel tracking systems inplace to protect children in public venues.

Recently, RFID technology [3–5] has been emerging as apromising method for the purpose of identification andtracking using radio waves due to its low cost and broadapplicability. In this paper, we present a new RFID-basedprivacy-preserving children tracking (REACT) scheme,which utilizes RFID tags placed on children, for example,integrated to a wristband which is worn by a child, and willtrack their movements throughout the park as they passthrough the various checkpoints equipped with RFID read-ers. The data (also called tag information) collected fromthese checkpoints will be relayed back to storage nodeswirelessly where queries can be performed by the parkoperators to locate a child in the park at the request ofthe parent. Although the proposed REACT scheme will bebased on an amusement park setting, the system shouldbe portable to fit any public venue.

However, there are several challenges facing RFID-based personnel tracking system for amusement parks.Firstly, with the large physical area that must be covered,there will be a large number of RFID readers scatteredaround the park in order to effectively monitor the entirepark due to the limited coverage of RFID radio. It will beinfeasible and inefficient to provide consistent networkconnections to all RFID readers with the backbone net-work, where storage nodes are located, over a wireless orwired link. While some readers may have consistent com-munication links with the backbone network, the majorityof the readers have to relay information between them-selves and the storage nodes through the help of othercommunication devices carried by park employees and vis-itors (or patrons). Secondly, security and privacy preserva-tion is of importance to the success of such a trackingsystem. It is crucial to prevent any adversary from beingable to track and/or control children, which could posesecurity threats to the general public and lead to childabduction. Finally, it is well known that RFID devices, inparticular, RFID tags, lack computation, storage, energy,and communication capacities necessary for most crypto-graphic schemes adopted by most of security and privacypreservation protocols. As a result, it is critical to designan efficient and effective secure and privacy-preservingprotocol between a tag and a reader suitable for an RFID

Please cite this article in press as: X. Lin et al., REACT: An RFID-based pparks, Comput. Netw. (2010), doi:10.1016/j.comnet.2010.05.005

environment. In summary, the main contributions of thispaper are threefold.

� Firstly, we study a hierarchical network frameworkcomposing of RFID readers, storage nodes and centralcontrol center to efficiently monitor a large-scaleamusement park, and propose an RFID-based childrentracking (REACT) scheme, where the tag informationcan be forwarded from RFID readers to the storagenodes with a pocket switched network [6] formed bypark employees and visitors who carry the wirelesscommunication devices in the amusement park. Withthe REACT scheme, the location of a lost child with anattached passive RFID tag can be effectively identifiedin a large amusement park. To the best of our knowl-edge, the proposed REACT scheme is the first RFID-based solution to effectively track children in a large-scale amusement park.� Secondly, to prevent a privacy-curious attacker from

being able to track and/or control children in a largeamusement park, the child’s privacy (in particular, iden-tity privacy and unlinkable location privacy [7–11]) inthe proposed REACT scheme are concealed. Eventhough an attacker obtains the current position of achild, it still cannot infer the past locations of the child,also known as forward security.� Thirdly, we develop a custom simulator to demonstrate

the effectiveness of the proposed REACT scheme. Themore visitors participating in the pocket switched net-work, the more quickly the proposed REACT schemecan identify the locations of lost children in a largeamusement park.

The remainder of this paper is organized as follows. InSection 2, we introduce the system model, communicationmodel and design goal. Then, we present the REACTscheme in Section 3, followed by the security analysisand performance evaluation in Sections 4 and 5, respec-tively. We also review some related work in Section 6. Fi-nally, we draw our conclusions in Section 7.

2. System model, communication model and design goal

In this section, we formulate the system model, thecommunication model, as well as identify the design goal.

2.1. System model

We consider a heterogenous RFID-based children track-ing system, which consists of a control center (CC), a smallnumber of resource-rich storage nodes S ¼ fs1; s2; . . .g anda large number of RFID readers R ¼ fr1; r2; . . .g, in a largeamusement park, i.e., Canada’s Wonderland [2], as shownin Fig. 1.

� Control center (CC): The CC is a trustable and powerfulentity and is usually located at the amusement parkentrance, for example, guest services room. The CC isresponsible for the management of the storage nodesand RFID readers as well as the registration of chil-



EntranceReliable OpportunisticCC Storage node RFID reader

Fig. 1. Network model under consideration in a large amusement park.

X. Lin et al. / Computer Networks xxx (2010) xxx–xxx 3

ARTICLE IN PRESS

dren-carrying RFID tags. Later, when parents lose theirchildren in the amusement park, the CC can help themquery and locate the previous and current positions ofthe specific children via the deployed storage nodesand RFID readers.� Storage nodes S: Storage nodes with their high-storage-

capacity play a vital role for the RFID-based childrentracking system. Storage nodes are usually deployed atthe intersections in the amusement park. The main taskof these storage nodes is to (i) store the data reported bythe RFID readers and (ii) answer queries from the par-ents at the control center.� RFID readers R: A large number of RFID readers are

deployed at different locations in the amusement park.Each RFID reader consists of an radio frequency trans-mitter and receiver. Once a passive RFID tag attachedon a child is within range of an RFID reader, the RFIDreader can read the tag information. Because the RFIDreader is not rich in storage, it will periodically reportthe collected tag information to the storage nodes.

2.2. Communication model

2.2.1. Communication between CC and storage nodesWe assume both the CC, denoted as s0, and storage

nodes S ¼ fs1; s2; . . .g are equipped with wireless commu-nication devices, e.g., WiFi or cellular system. At the sametime, the communications among {s0, s1, s2, . . .} are bidirec-tional, i.e., two nodes within their wireless transmissionrange R may communicate with each other. Therefore, ifa storage node si is close to the CC s0, it can directly contactwith the CC. However, if a storage node is far from thetransmission range of the CC, it should resort to othernodes to establish a route and then communicate withthe CC. Formally, the communication between the CC andstorages nodes can be represented as an undirected graphG = (S,E), where S = {s0,s1, s2, . . .} and E = {eijjsi, sj 2 S} is the


set of edges. If the distance jsi � sjj is less than or equal tothe transmission range R, eij = 1. Otherwise, eij = 0. Becausethe storage nodes S ¼ fs1; s2; . . .g are well deployed in theamusement park, it is reasonable to assume that G = (S,E)is a connected graph. Then, based on the Dijkstra shortestpath algorithm [12], each storage node si 2 S can find itsshortest reliable path to the CC.

2.2.2. Communication between storage node and RFID readersThe RFID readers are usually deployed at on-demand

spots. When an RFID reader is very close to the intersectionin the amusement park, it could directly communicatewith the nearby storage node. However, if the RFID readeris far away from the storage node, the communication be-comes opportunistic. In specific, the RFID reader reports thetag information by a pocket switched network [6], as shownin Fig. 2, where the pocket nodes (including the park’semployees and visitors) carrying wireless devices in theirpockets pull the collected tag information from RFID read-ers and push them to the storage nodes in their travel path.

2.2.3. Communication between RFID reader and tagsAssume that the RFID tags attached to the children in

the amusement park are inexpensive passive tags, whichare powered by the signal of an interrogating reader.Therefore, the communication between the RFID readersand tags only work within short ranges. i.e., a few meters.

2.3. Design goal

Before describing the design goal for the RFID-basedchildren tracking system, we make the following assump-tions in our system. First, all devices in the amusementpark, including the control center, storage nodes and RFIDreaders, are in fixed positions. Once they are deployed inthe amusement park, their positions cannot be easily dis-placed. In our system, we assume that the control center



Storage Node

RFID reader Pull tag

information

Push tag information

Collect tag information

Pocket switched network

Fig. 2. Pocket switched network in large amusement parks.

AntennaChip

• keys• H(.)

batterytimerno RNG

Fig. 3. Architecture of a passive RFID tag under consideration.


ARTICLE IN PRESS

is fully trustable, storage nodes are not compromised,while the RFID readers could be faked by some attackersused for collecting tag information. Concretely, we con-sider a privacy-curious attacker in the threat model as fol-lows: A privacy-curious attacker is a party that doesn’tkidnap children at the amusement park, yet attempts tolearn and trace the position information of a specific child.specifically, to reveal the location privacy of a child, the at-tacker could use fake RFID readers to link the positions ofthe child. Note that an attacker can also perform a denialof service (DoS) attack such that a legitimate RFID readerfails to read the normal RFID tags in a large amusementpark. However, the DoS attack cannot compromise thelocation privacy of child. Thus, how to defend againstDoS attacks are beyond the scope of this paper.

To resist the privacy-curious attacker, our design goal inthis paper is to develop an RFID-based privacy-preservingchildren tracking system which can achieve the followingrequirements:

� R-1: Once a child is lost in a large amusement park, theproposed tracking system should be able to help theparent effectively locate the position of the child.� R-2: The proposed tracking system should also have

ability to conceal the child’s privacy from a privacy-curi-ous attacker, even after the attacker has eavesdroppedand collected many tag information using bogus RFIDreaders.� R-3: The RFID tags attached on the children should be

very low cost such that parents are willing to acceptthe children tracking service in a large amusement park.

3. Proposed RFID-based privacy-preserving childrentracking scheme

In this section, we present our RFID-based privacy-pre-serving children tracking (REACT) scheme, which mainlyconsists of the following parts: system initialization, childregistration, privacy-preserving location information col-lection, opportunistic location information aggregation,and child location query. Before introducing our scheme,we first review the architecture of the low cost passiveRFID tag, which guides what security techniques can bechosen and implemented in the children tracking system.

3.1. Passive RFID tag’s architecture

The architecture of a passive RFID tag is shown in Fig. 3,which includes a coiled antenna and a less complex chip.


Because a passive tag is typically inexpensive, it doesn’tcontain a battery itself [3]. Instead, the power is suppliedby the RFID reader. For example, when radio waves froman RFID reader are encountered by a passive tag, the coiledantenna within the tag forms a magnetic field, where thetag can draw the power and energize the circuits in thechip, and then use the energy to send the informationstored on the tag to the RFID reader.

The chip embedded in the tag is less complex, whichcannot support neither a timer, a random number genera-tor (RNG) [13] nor high-cost cryptographic algorithms [14].The only cryptographic algorithm that a passive tag cansupport is the Linear Feedback Shift Register (LFSR) basedhash function [15], where the generation of hash is onlybased on multiplications with random binary matrixes.Let H: {0,1}m ? {0,1}n, where n < m, be an efficient keyedLFSR based hash function, which can map any inputM = (M1,M2, . . . ,Mm) into a shorter hash value H(K;M) =(h1,h2, . . . ,hn) with a key K = {k1,k2, . . . ,kn}. LFSR based hashfunction is simple but keeps most of the strength of theCarter–Wegman hash family [16]. See the Appendix forthe detailed LFSR based hash construction. Formally, a se-cure hash function is called e-balanced if 8 eM – 0;h, theprobability Pr½Hð eMÞ ¼ h� 6 e. As proved in [15], we knowthe LFSR based hash function H: {0,1}m ? {0,1}n is e-bal-ance for e 6 m

2n�1. When n ¼ 64; m ¼ 128; e 6 1256, which

shows that LFSR based hash function achieves good secu-rity/cost ratio and can be securely applied in RFID-basedchildren tracking system.

3.2. Detailed procedure of the REACT scheme

3.2.1. System initializationBased on the system requirements, the following steps

are performed by the control center to bootstrap thesystem:

Step 1 (Initialize system parameters): Let G and GT be twocyclic groups of large prime order q. Suppose G and GT are



Fig. 4. Privacy preserving location information collection.


ARTICLE IN PRESS

equipped with a pairing, i.e., a non-degenerated and effi-ciently computable bilinear map e : G�G! GT such thateðga

1; gb2Þ ¼ eðg1; g2Þ

ab 2 GT for all a; b 2 Z�q and anyðg1; g2Þ 2 G�G [17]. Let g be the generator of G, the controlcenter chooses a random s 2 Z�q as the master key, and com-putes the public key Pcc = gs. In addition, three secure crypto-graphic hash functions H0, H1, H are chosen, whereH0 : f0;1g� ! G; H1 : f0;1g� ! Z�q and H: {0,1}128 ?{0,1}64 be a LSRF based hash function constructed from anirreducible LFSR hash polynomial with degree 64 overGF(2), i.e., f ðxÞ ¼ x64 þ

P63i¼0ci � xi, for ci 2 {0,1}. In the end,

the control center sets the system parameters asparams ¼ fG;GT ; q; g; e; Pcc;H0;H1;H; f ðxÞg.

Step 2 (Deploy storage nodes): The control center pre-loads each storage node si 2 S ¼ fs1; s2; . . .g withparams ¼ fG;GT ; q; g; e; Pcc;H0;H1;H; f ðxÞg and a privatekey ski = H0(si)s, where si is the identity of the ith storagenode, and deploys si at a critical point in the large amuse-ment park, for example, an intersection. Because any twoneighboring storage nodes si and sj can derive their staticshared key kij = H1(e(ski,H0(sj))) = H1(e(skj,H0(si))), thenode-to-node authentication is achieved [17]. Sequen-tially, the authenticated transmission from any storagenode to the control center is guaranteed as well.

Step 3 (Deploy RFID readers): The control center also de-ploys each RFID reader ri 2 R ¼ fr1; r2; . . .g at critical loca-tions Li in the large amusement park, then preloads thereader ri with params ¼ fG;GT ; q; g; e; Pcc;H0;H1;H; f ðxÞgand a location-aware private key lkj = H0(Li)s. Later, whenthe RFID reader is ready to report the collected tag infor-mation, it can use the location-aware key lkj to sign loca-tion-based signature for authentication.

3.2.2. Child registrationAssume that the amusement park opens at time ts and

closes at time te every day, and the control center dividesthe period te � ts into l time slots T1,T2, . . . ,Tl, where eachTi 2 {0,1}128. When parents decide to choose the childrentracking service for their child ci in the large amusementpark at slot Ta during their visit to the park, they first makea registration at the control center. Then, the control centerexecutes the following steps:

Step 1: The control center assigns a 64-bit keyKi ¼ ðki

1; ki2; . . . ; ki

64Þ for each time slot Ti, whereTa 6 Ti 6 Tl. Because the passive RFID tag is low-storage and in order to achieve forward security,the key Kiþ1 ¼ ðkiþ1

1 ; kiþ12 ; . . . ; kiþ1

64 Þ in slot Ti+1 isderived from Ki ¼ ðki

1; ki2; . . . ; ki

64Þ in slot Ti byapplying the LSRF based hash function H, i.e.,Ki+1 = H(Ki;Ti).

Step 2: The control center initializes a new passive RFIDtag and preloads the tag with the key Ka in slotTa, the LSFR based hash function H, and the currenttimestamp tc.

Step 3: The control center attaches the tag on the child ci

in a reliable way. In such a way, the tag won’t eas-ily drop when the child is playing.

Note that, for the reason of security, the control centerdoesn’t deal with the scenario when multiple children reg-


ister simultaneously, instead, only one child can register atone time.

3.2.3. Privacy preserving location information collectionWhen a child ci attached with an RFID tag passes by an

RFID reader at some location Lj, where the length of theidentifier Lj is 64 bits, in the large amusement park at timeslot Tk. As shown in Fig. 4, the RFID reader can detect it andread the tag information by performing the followinginteractive query protocol.

Step 1: The RFID reader first gains the current 64-bit time-stamp t0c , then formats the time & location t0ckLj

into 128 bits information, and finally sends t0ckLj

to the RFID tag.Step 2: Upon receiving t0ckLj, the RFID tag first checks

whether t0c � tc > 0. If it is true, the RFID tag usesthe key Kk available at time slot Tk to computet ¼ HðKk; t

0ckLjÞ � tc;h ¼ HðKk; tckLjÞ, and returns h,

t to the RFID reader. Otherwise, the RFID tagdoesn’t respond the current RFID reader’s query.

Step 3: After receiving the returned values h, t, the RFIDreader formats the record t0ckLjkhkt and temporar-ily stores it. Note that, each record here is only 256bits.

3.2.4. Opportunistic tag information aggregationBecause the RFID reader is not rich in storage, each

reader rj at location Lj will periodically report the tag infor-mation to the storage nodes in a batch manner. The de-tailed steps are executed as follows.

Step 1: The RFID reader first aggregates several collectedtag information into one record recj, and then usesthe location-aware key skj = H0(Lj)s to make a sig-nature [18] on recj as rj = (aj,bj), whereaj ¼ H0ðLjÞr ; bj ¼ sk

rþH1ðrecj ;ajÞj with some random

number r 2 Z�q.Step 2: If the RFID reader is close to the intersection and

within the transmission range of one nearby stor-age node, the RFID reader will directly send(recj,rj) to the storage node. If the RFID reader isfar away from the some storage nodes, it willresort to the pocket switched network formed byselected visitors to carry the information (recj,rj)




ARTICLE IN PRESS

to the storage nodes in an opportunistic manner, asshown in Fig. 5. In order to enhance the reliabilityin opportunistic transmission, Multi-Copy Multi-Destination (MCMD) policy is adopted, in whichmulti copies of (recj,rj) will be carried by differentvisitors to multi storage nodes.It is worth noting that only a certain percentage ofvisitors are willing to register their own wirelessdevices to help carry and forward aggregated taginformation. However, it is mandatory for eachpark employee to carry a wireless device to helpwith tag information forwarding.

Step 3: When a storage node receives a copy of (recj,rj), itfirst uses the location Lj to verify the location-based signature rj by checking eðg; bjÞ¼

? eðPcc; aj�H0ðLjÞH1ðrecj ;ajÞÞ. If it holds, the tag information inrecj is authenticated and will be stored in the stor-age node; otherwise, recj will be rejected. The cor-rectness is shown as follows:

eðg; bjÞ ¼ e g; skrþH1ðrecj ;ajÞj

� �

¼ e g;H0ðLjÞsðrþH1ðrecj ;ajÞÞ� �

¼ e gs;H0ðLjÞrþH1ðrecj ;ajÞ� �

¼ e Pcc; aj � H0ðLjÞH1ðrecj ;ajÞ� �

: ð1Þ

Batch verification. When several records (re-c1,r1), . . . , (recn,rn) from different locations (L1, . . . ,Ln) ar-rive at the storage node simultaneously, the followingbatch verification is adopted to improve the verificationefficiency, i.e., eðg;

Qni¼1biÞ ¼ eðPcc;

Qni¼1ai � H0ðLiÞH1ðreci ;aiÞÞ.

The correctness of the batch signature verification can bederived from Eq. (1), and we refer readers to [19] for theefficiency and security analysis.

3.2.5. Child location queryWhen parents cannot find their child ci from time slot

Ts, they can report to the park authority and request thecontrol center to help locate the child. Then, the child loca-tion query is executed in the following steps.

Step 1: Let Ks be the key of the passive RFID tag attachedon the child ci at time slot Ts. The control centerfirst broadcasts the Ks to all storage nodes. Because

Opportuniswith the he

of visitors

Reliable

Storage node RFID readerOpportunistic

)δ(rec,

)δ(rec,

Fig. 5. Opportunistic tag information


the secure channels have been establishedamongst the control center and all storage nodes,the query with (Ks,Ts) wouldn’t be disclosed.

Step 2: After receiving (Ks,Ts), each storage node si 2 Sfirst computes the key set K ¼ fKs;Ksþ1; . . . ;Klgwith the LFSR based hash function H such thatKi+1 = H(Ki;Ti) where Ts 6 Ti < Tl. Then, the storagenode si invokes the Algorithm 1 to get the pri-vacy-preserving tracking records D0.

Algorithm 1: Privacy Preserving Tracking Query

1: Procedure Privacy Preserving Tracking QueryInput: K ¼ fKs;Ksþ1; . . . ;Klg and collected taginformation D ¼ ft0ckLjkhktjt0c 2 ½Ts; Tl�:gOutput: D0

2: set D0 ¼ null3: for each record ðt0ckLjkhktÞ 2 D

4: if t0c 2 time slot Ti; where Ts 6 Ti 6 Tl

5: compute tc ¼ HðKi; t0ckLjÞ � t

6: if h = = H(Ki, tckLj)7: set D0 ¼ D0 [ fðt0ckLjkhktÞg8: end if9: end if10: end for11: return D0

12: end Procedure

Step 3: Each storage node returns its records D0 to thecontrol center via a predefined shortest path. Sincethe MCMD policy is adopted in the opportunistictag information aggregation, the redundantrecords may produce in some downstream nodeswhen being forwarded to the control center.Therefore, before further forwarding the records,each downstream node should aggregate thoserecords coming from its upstream nodes to elimi-nate the redundancy.

Step 4: After receiving all records related to the specificchild ci, the control center can construct the trackinginformation, as shown in Fig. 6. In addition, becausea child usually stays at some amusement spot forsome time, the current position of the child can beidentified based on these track information.

ticlp

)δ(rec,

aggregation in MCMD policy.



t1

L1h1

t0

t2

L2h2

t1

ti-1

Li-1hi-1

ti-2

ti

Lihi

ti-1

Ts Tl

Fig. 6. Tracking information reconstructed at control center.


ARTICLE IN PRESS

Correctness. Because of the one-wayness of the LSFRbased hash function, only the authentic RFID tag attachedon the child ci can compute the real hash value. Thus, thestorage nodes S can identify it once granted with the cor-responding key. Since a previous timestamp tc can be com-puted from each tag current information t0ckLjkhkt, thechild’s tracking information can be plotted based on suchlinkability. Note that the tracking information is condition-ally revealed. Without knowing the key Kk, tc cannot be de-rived from t ¼ HðKk; t

0ckLjÞ � tc and h = H(Kk, tckLj).

4. Security analysis

In this section, we analyze the security of the proposedRFID-based privacy-preserving children tracking scheme.

Following the system model discussed earlier, we knowthat the weakest part in the RFID-based tracking system isthe passive RFID tag. According to the principle that secu-rity relies essentially on the strength of the weakest link[20], the privacy preservation in RFID-based system de-pends primarily on the security of passive RFID tag. Be-cause the passive RFID tag is less expensive and, at thesame time, supports less complexity cryptographic algo-rithms than other high-trustable devices, the perfect secu-rity in the passive RFID tag does not exist and wouldprobably be ineffective and prohibitively expensive if itdoes exist. Therefore, a reasonable metric to measure theprivacy preservation provided by the passive RFID tag isthe privacy/cost ratio (PCR). Given some PCR, the privacythat needs to be protected is in direct proportion to thecosts associated with privacy preservation. Thus, for lowcost passive RFID tag, the provided privacy is obviouslylimited. Because the large amusement park is not as hostileas other scenarios, we only focus on the privacy preserva-tion against a privacy-curious attacker in the amusementpark. Specifically, the following security requirements canbe achieved.

� Identity privacy: During the child registration phase, it isthe control center that randomly chooses a key Ka for aspecific child ci, and no one else can link a key to the realchild’s identity, i.e., Ka ; ci. Therefore, the identity pri-vacy is ensured, even when a privacy-curious attackerobtains the key by compromising the passive RFID tagattached on the child.� Unlinkable location privacy: Given two tag information

t1kL1kh1kt and t2kL2kh2kt. Because of the one-waynessof the LSFR based hash function H(), a privacy-curiousattacker cannot extract the keys from h1 and h2, andthus cannot judge whether or not they are producedby the same RFID tag. A privacy-curious attacker could


replay an RFID query with t0ckLj once it obtains a taginformation t0ckLjkhkt. However, even though no RNGand timer are implemented in the passive RFID tag(due to its cost limitation), the RFID tag can still resistthis kind of attack. Because each tag stores the last-access timestamp tc, once a timestamp t0cð< tcÞ isreplayed, the judge condition t0c � tc > 0 cannot pass inmany RFID tags. Thus, the privacy-curious attacker hasno idea to link a tag information with a specific child,and the location-link privacy is achieved.� Forward security. Forward security means, even though

an RFID tag is compromised at time slot Ts, the attacker,with the key Ks at Ts, cannot track the locations in thepast time slots (<Ts). In the following, we formally provethat the passive RFID tag can achieve the forward secu-rity. Before proceeding with the proof, we first formal-ize the forward security model by the challenge-response game below.

riv

Forward Security Game. In the game, the interactionbetween an attacker A and the passive RFID tags onlyoccurs via oracle queries, which model the attackercapabilities in the real RFID attack scenarios. Duringthe game, the attack may query different RFID tags atany given time slot Ts. Let Ts

i denote the instance i ofa passive RFID tag at Ts and let b be a bit chosen uni-formly at random. The query types available to theattacker are as follows:

� Execute ðTs1; T

s2; . . . ; Ts

nÞ: This query models the pri-

vacy-curious attacker A passively eavesdrops on

honest executions among the RFID tags Ts1; . . . ; Ts

n

and RFID readers. It returns the tag information

that were exchanged during an honest execution.

� Send ðTsi ; t0ckLjÞ: This query models an active attack,

in which the privacy-curious attacker A actively

uses an illegal RFID reader to obtain the tag infor-

mation that an RFID tag Tsi would generate upon

receipt of the query t0ckLj.

� Corrupt ðTsi Þ: This query models the privacy-curious

attacker A obtains the key Ks by compromising Tsi .

� Test ðTs�1i ; Is�1

0 ; Is�11 Þ: This query tries to capture the

attacker’s ability to link a tag information of the cor-

rupted instance i in time slot Ts�1. The challenger

runs the follows steps: (1) Flip a coin and get

b 2 {0,1}; (2) Set Is�1b be the real tag information of

instance i, and Is�11�b be a tag information of other

instance – i; (3) Send Is�10 ; Is�1

1 to the privacy-curious

attacker A; (4) Obtain the guessing bit b0returned

from A.

We denote the advantage of the privacy-curious at-tacker A as the probability that A correctly guesses thevalue of b; more precisely we define AdvðAÞ ¼ 2Pr½b ¼b0� � 1, where the probability space is over all the ran-dom coins of the attacker and all the oracles. The RFIDtag is said to be forward security if A’s advantage isnegligible in the security parameters.

acy-preserving children tracking scheme for large amusement


Table 1Simulation Settings.

Parameter Setting

Simulation area 1200 m � 1200 mSimulation warm-up time 60 minSimulation duration time 120 minStorage nodes’s number 24Storage node’s transmission range 200 mRFID readers’ number 150RFID reader’s transmission range 50 mChildren’s number 1000Child’s velocity 1.8–2.0 m/sTransmission range of RFID tags 5 mNumber of pocket devices Np [20,40, . . . ,200]Pocket device’s transmission range 80 m


ARTICLE IN PRESS

Theorem 1 (Forward security). The passive RFID tag canachieve the forward security provided that the LSFR hashfunction H: {0,1}128 ? {0,1}64 is one-day secure in the RFIDtag, where one-day secure means that the inverting of thehash H cannot be successful in one-day.1

Proof. The result comes from the fact that the attacker Acannot invert the LSFR based hash function. More pre-cisely, suppose that, after a huge number of Execute andSend queries and obtaining the key Ks by CorruptðTs

i Þ intime slot Ts, the attacker A can win the above forwardsecurity game with a non-negligible advantageAdvðAÞ ¼ e. That is, the attacker A can distinguish a validtag information t0ckLjkhkt at time slot Ts�1, wheret0c 2 Ts�1. By observing t ¼ HðKs�1; t

0ckLjÞ � tc;h ¼ HðKs�1;

tckLjÞ, we know that the attacker A can correctly guessb = b

0by only two ways: (1) directly guessing b with 1/2

probability, denoted as the event E1; (2) obtaining thekey Ks�1 from Ks, where Ks = H(Ks�1,Ts�1), denoted as theevent E2. Then, Pr½b ¼ b0� ¼ Pr½E1� þ Pr½E2� ¼ 1

2þ Pr½E2�. Bycombining the definition AdvðAÞ ¼ e ¼ 2Pr½b ¼ b0� � 1 inthe game, we have Pr½E2� ¼ e

2. Because e is a non-negligibleadvantage, then Pr½E2� ¼ e

2 shows that the attacker A caninvert the LSFR based hash with another non-negligibleprobability, but it contradicts with the LSFR hash functionH() is one-day secure in the RFID tag. Therefore, the passiveRFID tag can achieve the forward security. h

Note. Due to the low cost of the passive RFID tag, an at-tacker A could use the close time te to query the passiveRFID tag. Then, any query with normal timestamp t0c , wheret0c < te, will be rejected, as shown in Fig. 4. This is one kindof DoS attacks. As discussed in the earlier attack model, theDoS attacks are not considered in the current system. Nev-ertheless, if we increase the cost of the passive RFID tag byadding a timer, this kind of DoS attack can be easily re-sisted by checking the validity of the current timestamp t0c .

5. Performance evaluation

In this section, we evaluate the performance of the pro-posed REACT scheme. Because the primary goal of the RE-ACT scheme is to help parents identify the location of theirlost children as quickly as possible, the high reliability andlow latency are desirable. Recall that the tag informationaggregation is based on pocket switched network, thusthe opportunistic aggregation becomes the dominant fac-tor affecting the reliability and the latency of the wholescheme. (Note that, the communications between the con-trol center and storage nodes are reliable as discussed ear-lier, which thus do not incur high latency in the system.) Inthe following, taking the delivery ratio (defined as the frac-tion of tag information that are correctly delivered fromthe RFID readers to some storage nodes within a given timeperiod) and delivery latency (defined as the time betweenwhen a tag information is collected at some RFID readerand when it is aggregated at some storage node) as theperformance metrics, we use our custom simulator built

1 If the 64-bit hash length is not enough to achieve the one-day secure,the hash length can be adaptively extended.


in Java to demonstrate the performance of the opportunis-tic tag information aggregation.

5.1. Simulation setup

By statistics, a larger amusement park could averagelyattract 1000 children everyday. To model such a largeamusement park, 24 storage nodes with proper transmis-sion radius are first deployed in a restricted1200 � 1200 m2 area to establish a connected networkwith the control center, as shown in Fig. 1. Assume thatthere are total n = 150 amusement spots (attractions) inthe area, and 150 RFID readers are uniformly deployed inthese spots. In addition, a number of pocket devices carriedby the visitors, which form the pocket switched network,are also rambling in the large amusement park. Concretely,the detailed parameter settings used in the simulations aresummarized in Table 1. In order to achieve more stablesimulation results, we set a 60-min warm-up time duringwhich results are not collected. We also vary the numberof replicated tag information from 1 to 3 to check the reli-ability in MCMD policy.

Mobility model. In the pocket switched network, the per-formance of networking applications is highly contingentupon the mobility of pocket device holders. As pocket de-vices are mostly carried by the adult visitors in the largeamusement park, modeling the mobility patterns of visi-tors (including children) can achieve a relatively accurateperformance evaluation. Let state st0 be when a visitor en-ters/exits the amusement park, and sti denotes that the vis-itor has visited i amusement spots in the amusement park.If the visitor just enters the amusement park, he/she willgo to an unvisited spot with the probability p = 1. If the vis-itor has visited i spots, he/she goes to an unvisited spotwith the probability p = q, and rambles in visited spotswith 1 � q. After having visited all spots, the visitor leavesthe amusement park with the probability p = q. On aver-age, the visitor will stay at each amusement spot with Tavg.However, if some event is trigged, e.g., the amusementpark closure time approaching or tourist’s emergence callincoming with the probability 0.01, the visitor directlyleaves the amusement park with the probability 1. Fig. 7shows such visitor mobility model.

Pocket device’s velocity 1.0–2.0 m/sAve. staying time at each spot Tavg [10,20,30] minNumber of replica of tag info. Nc [1,2,3]




ARTICLE IN PRESS

In the following, we set the parameter q as 0.85 ± 0.08,and simulate the pocket switched network based tag infor-mation aggregation with different parameters Np, Tavg andNc. The duration for each simulation is 120 min, and all re-sults are averaged over 10 runs.

5.2. Simulation results

Fig. 8 presents the delivery ratio versus the number ofpocket devices carried by the visitors Np, under differentTavg and Nc. In each subfigure, it is observed that the deliv-ery ratio improves with the increase of the number of pock-et devices Np. The more the pocket devices, the better thedelivery ratio. The reason is that the tag information can

st1st 0p=1 ρ

1-ρ 1

ρ

Enter/Exit

p=1

Fig. 7. Visitor mobility model consider

20 40 60 80 100 120 140 160 180 2000.65

0.7

0.75

0.8

0.85

0.9

0.95

1

Np

Del

iver

y ra

tio

Tavg= 10 minutesTavg= 20 minutesTavg= 30 minutes

(a) Nc = 1

20 40 60 80 1000.65

0.7

0.75

0.8

0.85

0.9

0.95

1

N

Del

iver

y ra

tio

(b) Nc

Fig. 8. Delivery ratio versus varyin

20 40 60 80 100 120 140 160 180 2000

5

10

15

20

25

30

Np

Aver

age

Del

ay (m

inut

es)


(a) Nc = 1

20 40 60 80 100 10

5

10

15

20

25

30

Np

Aver

age

Del

ay (m

inut

es)

(b) Nc =

Fig. 9. Average delay versus varyin


be carried from RFID readers to storage nodes with morechances, when large numbers of pocket devices are in-volved in the opportunistic tag information aggregation.In addition, with the decrease of the average staying timeTavg, the delivery ratio can be improved as well. Comparingall subfigures (a)–(c), we can also validate the delivery ratiois improved when the Nc increases.

We further evaluate the effect of the number of pocketdevices Np on the average delay, with results illustrated inFig. 9. From the figure, we can see that, with (1) the in-crease of Np; (2) the increase of Nc; or (3) the decrease ofTavg, the average delay will be reduced. However, in realamusement park scenarios, the condition (3) is impracticalto decrease Tavg. Therefore, by (1) encouraging more visi-

st 2 stnρ

-ρ 1-ρ

ed in the large amusement park.

120 140 160 180 200p


= 2

20 40 60 80 100 120 140 160 180 2000.65

0.7

0.75

0.8

0.85

0.9

0.95

1

Np

Del

iver

y ra

tioTavg= 10 minutesTavg= 20 minutesTavg= 30 minutes

(c) Nc = 3

g number of pocket devices.

20 140 160 180 200


2

20 40 60 80 100 120 140 160 180 2000

5

10

15

20

25

30

Np

Aver

age

Del

ay (m

inut

es)


(c) Nc = 3

g number of pocket devices.




ARTICLE IN PRESS

tors act as the pocket nodes plus (2) MCMD policy, the lostchild can be quickly located by the proposed REACTscheme. Nowadays, missing children is a very serious issuefacing our society. Various public campaigns can belaunched to create awareness of missing children issues.As a result, we believe that more and more public are will-ing to serve as the pocket nodes during their visit to thepark and thus make the proposed scheme very successful.

6. Related work

RFID-based personnel tracking is a major applicationand has attracted a lot of interest in recent years. Severalefficient RFID-based personnel tracking schemes closelyrelated to the proposed REACT scheme have been proposed[21–25]. However, the personnel’s privacy-preserving dur-ing the tracking and positioning is not well addressed. In[21], Zhang et al. propose a general algorithm for RFID-based tracking and locating the persons in undergroundmine environments to help with management of minesand avoid enormous losses. However, due to the uniquefeatures of underground mine scenarios, the algorithm justinvestigates the optimal deployment of RFID readers, andleaves the person’s privacy issues unconsidered. In [22],Huang et al. propose a psychiatric patient tracking systembased on RFID technology. In the system, the collaborationamong field generators, RFID readers and tags accom-plishes the required functions in using RFID in psychiatricpatient tracking. Specifically, the field generator constantlybroadcast signals within its transmission range. When anRFID tag attached on the patient receives the trigger signal,it responds to a reader with the identifier of the field gen-erator. Thus, the location of the patient associated with thetag can be approximately estimated. However, the systemonly aims to improve the tracking reliability, the patient’sprivacy is also not addressed. In [23], Satoh presents aframework for providing dynamically deployable settings.Using RFID-based tracking system, the framework can de-tect the people’s location. Although the framework ad-dresses the security and privacy issues, they are verysketchy. We have noticed that several detailed privacy-preserving RFID authentication schemes have been pro-posed, yet the privacy is only discussed at algorithm-level[26]. In [24,25], RFID-based children tracking has beenstudied, however the children privacy-preserving is notaddressed.

Distinct from the above work, the proposed REACTscheme devises an RFID-based privacy-preserving childrentracking in a large-scale area, and discusses the privacy-preserving in terms of both algorithm-level and system-le-vel. In addition, since neither timer nor RNG is required,the architecture of the passive RFID tag employed in theREACT scheme is much simpler and less expensive, whichattracts parents to accept the children tracking service in alarge amusement park.

7. Conclusions

To help parents identify the locations of their lost chil-dren in large amusement parks, we have presented a pri-


vacy-preserving children tracking scheme based on RFIDtechnology. The proposed scheme, named REACT, is char-acterized by the cooperation among RFID readers, storagenodes and control center as well as the employees and vis-itors of the parks in a large amusement park, and using thepocket switched network formed by the visitors to forwardthe children,s tag information from RFID readers to somestorage nodes for control center’s query. By security analy-sis, the proposed REACT scheme achieves children’s iden-tity privacy, unlinkable location privacy and forwardsecurity. In addition, through extensive simulations wedemonstrate the proposed REACT scheme can quickly lo-cate the lost children’s position, when more visitors arewilling to patriciate in the pocket switched network in alarge amusement park.

Acknowledgement

The research is financially supported by the Natural Sci-ences and Engineering Research Council of Canada(NSERC).

Appendix A

In the appendix, we will show how to construct LFSRbased hash function H: {0,1}m ? {0,1}n, where n is thesecurity parameter indicating the hash length, and m de-notes the length of the input message M = (M1,M2, . . . ,Mm).

Let f(x) be an irreducible LFSR hash polynomial with de-gree n over GF(2), i.e., f ðxÞ ¼ xn þ

Pn�1i¼0 ci � xi, where

ci 2 {0,1}. Let K = (k1,k2, . . . ,kn) 2 {0,1}n be a key, and set itas the initial state of LFSR hash. Then, LFSR outputs a se-quence (k1,k2, . . . ,kn,kn+1, . . . , kn+m�1) with total n + m � 1bits, and the sequence is used to construct a Toeplitz Ma-trix as

TM ¼

kn knþ1 . . . knþm�1

..

. ...

. . . ...

k2 k3 . . . kmþ1

k1 k2 . . . km

0BBBB@

1CCCCA:

In the end, the hash value H(K;M) = (h1,h2, . . . ,hn) onmessage M = (M1,M2, . . . ,Mm) can be calculated as

hn

..

.

h2

h1

0BBBB@

1CCCCA ¼ TM �

M1

M2

..

.

..

.

Mm

0BBBBBBB@

1CCCCCCCA:

Because of its simple construction, LFSR based hashfunction is suitable for the less complex hardware imple-mentation in low cost passive RFID tag.

References

[1] Missing Children Society of Canada, Website, <http://www.mcsc.ca/>.

[2] Canada’s Wonderland, Website, <http://www.canadaswonderland.com/>.


http://www.mcsc.ca/

http://www.mcsc.ca/

http://www.canadaswonderland.com/

http://www.canadaswonderland.com/



ARTICLE IN PRESS

[3] Wikipedia, Radio-frequency identification, Website, <http://en.wikipedia.org/wiki/Radio-frequency_identification>.

[4] J.-L. Chen, M.-C. Chen, C.-W. Chen, Y.-C. Chang, Architecture designand performance evaluation of RFID object tracking systems,Computer Communications 30 (9) (2007) 2070–2086.

[5] M.A. Bonuccelli, F. Lonetti, F. Martelli, Instant collision resolution fortag identification in RFID networks, Ad Hoc Networks 5 (8) (2007)1220–1232.

[6] P. Hui, A. Chaintreau, J. Scott, R. Gass, J. Crowcroft, C. Diot, Pocketswitched networks and human mobility in conferenceenvironments, in: Proceedings of the 2005 ACM SIGCOMMworkshop on Delay-tolerant networking, Philadelphia,Pennsylvania, USA, 2005, pp. 244–251.

[7] R. Lu, X. Lin, H. Zhu, P.-H. Ho, X. Shen, ECPP: Efficient conditionalprivacy preservation protocol for secure vehicular communications,in: Proceedings of the 27th Conference on ComputerCommunications (INFOCOM 2008), Phoenix, Arizona, USA, April2008, pp. 1229–1237.

[8] X. Lin, X. Sun, P.-H. Ho, X. Shen, GSIS: a secure and privacy-preserving protocol for vehicular communication, IEEE Transactionson Vehicular Technology 56 (6) (2007) 3442–3456.

[9] Y. Zhang, W. Liu, W. Lou, Y. Fang, Location-based compromise-tolerant security mechanisms for wireless sensor networks, IEEEJournal on Selected Areas in Communications, Special Issue onSecurity in Wireless Ad Hoc Networks 24 (2) (2006) 247–260.

[10] R. Lu, X. Lin, H. Zhu, X. Shen, Spark: a new vanet-based smart parkingscheme for large parking lots, in: Proceedings of the 28th Conferenceon Computer Communications (INFOCOM 2009), Rio de Janeiro,Brazil, April 2009.

[11] R. Lu, X. Lin, X. Shen, Spring: A social-based privacy-preservingpacket forwarding protocol for vehicular delay tolerant networks, in:Proceedings of the 29th IEEE International Conference on ComputerCommunications (INFOCOM 2010), San Diego, California, USA,March 2010.

[12] E. Dijkstra, A note on two problems in connexion with graphs,Numerische Mathematik 1 (1959) 269–271.

[13] H. Larrondo, M. Martin, C. Gonzalez, A. Plastino, O. Rosso, Randomnumber generators and causality, Physics Letters A 352 (2006).

[14] W. Mao, Modern Cryptography: Theory and Practice, Prentice HallPTR, 2003.

[15] H. Krawczyk, LFSR based hashing and authentication, in:Proceedings of the 14th Annual International CryptologyConference on Advances in Cryptology, Lecture Notes In ComputerScience, vol. 839, Springer-Verlag, 1994, pp. 129–139.

[16] M.N. Wegman, J.L. Carter, New hash functions and their use inauthentication and set equality, Journal of Computer and SystemSciences 22 (3) (1981) 265–279.

[17] D. Boneh, M.K. Franklin, Identity-based encryption from the weilpairing, in: Proceedings of the 21st Annual International CryptologyConference on Advances in Cryptology, Lecture Notes In ComputerScience, vol. 2139, Springer-Verlag, 2001, pp. 213–229.

[18] J.C. Cha, J.H. Cheon, An identity-based signature from gap Diffie–Hellman groups, in: Proceedings of the Sixth InternationalWorkshop on Theory and Practice in Public Key Cryptography,Lecture Notes In Computer Science, vol. 2567, Springer-Verlag, 2003,pp. 18–30.

[19] A.L. Ferrara, M. Green, S. Hohenberger, M. Pedersen, Practical shortsignature batch verification, in: The Cryptographers’ Track at the RSAConference 2009 (CT-RSA 2009), Lecture Notes In Computer Science,5473, Springer-Verlag, 2009, pp. 309–324.

[20] B. Schneier, Beyond Fear: Thinking Sensibly About Security in anUncertain World, Springer, 2006.

[21] G. Zhang, L. Zhang, X. Liu, Time-shifting tracking and locatingalgorithm for rltlum system, in: Proceedings of InternationalConference on Industrial and Information Systems, 2009, IIS’09,April 2009, pp. 7–10.

[22] C.-L. Huang, P.-C. Chung, M.-H. Tsai, Y.-K. Yang, Y.-C. Hsu, Reliabilityimprovement for an RFID-based psychiatric patient localizationsystem, Computer Communications 10 (3) (2008) 2039–2048.

[23] I. Satoh, Location-based services in ubiquitous computingenvironments, International Journal on Digital Libraries 6 (3)(2006) 280–291.

[24] A. Bednarz, RFID everywhere: From amusement parks to bloodsupplies, network world, May 3, 2004.

[25] L. Sullivan, Legoland uses wireless and RFID for child security,InformationWeek.com, April 28, 2004.

[26] RFID Security & Privacy Lounge, Website, <http://www.avoine.net/rfid/>.


Xiaodong Lin received the Ph.D. degree ininformation engineering from Beijing Univer-sity of Posts and Telecommunications, Beijing,China, in 1998 and the Ph.D. degree (withOutstanding Achievement in Graduate StudiesAward) in electrical and computer engineer-ing from the University of Waterloo, Water-loo, ON, Canada, in 2008. He is currently anAssistant Professor of information securitywith the Faculty of Business and InformationTechnology, University of Ontario Institute ofTechnology, Oshawa, ON, Canada. His

research interests include wireless network security, applied cryptogra-phy, computer forensics, software security, and wireless networking andmobile computing. He was the recipient of a Natural Sciences and Engi-
neering Research Council of Canada (NSERC) Canada Graduate Scholar-ships (CGS) Doctoral and the Best Paper Awards of the IEEE InternationalConference on Computer Communications and Networks (ICCCN 2009)and IEEE International Conference on Communications (ICC’07) - Com-puter and Communications Security Symposium.
Rongxing Lu is currently working toward thePh.D degree with the Department of Electricaland Computer Engineering, University ofWaterloo, Waterloo, Ontario, Canada. He iscurrently a Research Assistant with theBroadband Communications Research (BBCR)Group, University of Waterloo. His researchinterests include wireless network security,applied cryptography, and trusted computing.

Davis Kwan received the master degree inInformation Technology Security from theUniversity of Ontario Institute of Technology,Oshawa, ON, Canada, in 2009 and Bachelordegree in Administrative Studies, InformationTechnology from York University, Toronto,ON, Canada, in 2005. He is currently employedat the Town of Georgina, Ontario, Canada, inthe role of IT Network Security Administrator.His research interests include wireless net-working and security, mobile computing,ubiquitous computing and smart

environments.

Xuemin (Sherman) Shen received the B.Sc.(1982) degree from Dalian Maritime Univer-sity (China) and the M.Sc. (1987) and Ph.D.degrees (1990) from Rutgers University, NewJersey (USA), all in electrical engineering. He isa University Research Chair Professor,Department of Electrical and Computer Engi-neering, University of Waterloo, Canada. Hisresearch focuses on mobility and resourcemanagement in interconnected wireless/wired networks, UWB wireless communica-tions networks, wireless network security,

wireless body area networks and vehicular ad hoc and sensor networks.He is a co-author of three books, and has published more than 400 papersand book chapters in wireless communications and networks, control and
filtering. He serves as the Tutorial Chair for IEEE ICC’08, the TechnicalProgram Committee Chair for IEEE Globecom’07, the General Co-Chair forChinacom’07 and QShine’06, the Founding Chair for IEEE Communica-tions Society Technical Committee on P2P Communications and Net-working. He also serves as a Founding Area Editor for IEEE Transactions

http://en.wikipedia.org/wiki/Radio-frequency_identification

http://en.wikipedia.org/wiki/Radio-frequency_identification

http://www.avoine.net/rfid/

http://www.avoine.net/rfid/



ARTICLE IN PRESS

on Wireless Communications; Editor-in-Chief for Peer-to-Peer Network-ing and Application; Associate Editor for IEEE Transactions on VehicularTechnology; KICS/IEEE Journal of Communications and Networks, Com-puter Networks; ACM/Wireless Networks; and Wireless Communicationsand Mobile Computing (Wiley), etc. He has also served as Guest Editor forIEEE JSAC, IEEE Wireless Communications, IEEE Communications Maga-zine, and ACM Mobile Networks and Applications, etc. He received the


Excellent Graduate Supervision Award in 2006, and the OutstandingPerformance Award in 2004 and 2008 from the University of Waterloo,the Premier’s Research Excellence Award (PREA) in 2003 from the Prov-ince of Ontario, Canada, and the Distinguished Performance Award in2002 and 2007 from the Faculty of Engineering, University of Waterloo.He is a registered Professional Engineer of Ontario, Canada. He is thefellow of IEEE.



Documents

REACT: An RFID-based privacy-preserving children tracking ...bbcr.uwaterloo.ca/~xshen/paper/2010/rarbpp.pdf · amusement park, i.e., Canada’s Wonderland [2], as shown in Fig. 1