4.4 Privacy-Preserving Authentication Protocol (Current Design)

Set-up Phase
In order to protect data against eavesdropping attack, each smart tag is preloaded with another secret identifier, μ, generated distinctly at each session. In order to reduce the computational cost on the tag side, points parameter, including < α × u ⋅ λ,β_u,1,β_u,0 >, were pre-computed and hard-coded in the source code on tag side. Therefore, it is necessary to have a data structure to maintain such list of points and provide efficient look-up.

(x)	= Au′(x) - μ
	= su ⋅ A(x,u) - - μ
(x)	= Bu′(x) - μ
	= su ⋅ B(x,u) - - μ
αu	= α × su
βu,1	= α ⋅λ⋅ (( ⋅ c1 + ⋅ d1) + (d1 + c1) ⋅ μ)
βu,0	= α ⋅λ⋅ (( ⋅ c0 + ⋅ d0) + (d0 + c0) ⋅ μ)

Communication Phase
Each transmission starts, when the reader first sends a random session nonce, γ₀ to the tag. After receiving data from reader, the tag generate a random session nonce of its own, called γ₁, and hash the concatenations of these two random session. That is, γ₂ = H(γ₁|γ₀). Last, the tag sends back a packet of data < γ₁,λ ⋅(γ₂),λ ⋅(γ₂),α_u ⋅ λ,β_u,1,β_u,0 > to reader side.

Authentication Phase
With the carefully selected coefficients, the authentication process could be achieved by checking the following equality, as shown in the figure 3 below⁷:

	α × C(γ2) ⋅λ⋅(γ2) + α ××D(γ2) ⋅λ⋅(γ2) + βu,1 ⋅γ2 + βu,0
=	α × C(γ2) ⋅λ⋅ (su ⋅ A(γ2,u) - -μ)
+	α × D(γ2) ⋅λ⋅ (su ⋅ B(γ2,u) - -μ)
+	α ×λ⋅ ⋅ c1 + ⋅ d1 + (c1 + d1) ⋅μ⋅γ2
+	α ×λ⋅ ⋅ c0 + ⋅ d0 + (c0 + d0) ⋅μ
=	α × su ⋅λ⋅C(γ2) ⋅ A(γ2,u) + D(γ2) ⋅ B(γ2,u)
=	α × su ⋅λ⋅ E(γ2)			(Equation 6)

4.4.1 Security Analysis

Resistance against Tag Compromise Attack
This scheme inherit the resistance against tag compromise attack from the previous scheme. In order to disturb the coefficients in the secret functions A(x,u) and B(x,u), we have introduced four tag-based parameters, s_u,,,μ. The following shows that this scheme can defend against k-tag compromise attack.

Tag 1:
…
Tag k:

Session 1:
…
Session k: