A Scalable, Delegatable Pseudonym Protocol Enabling Ownership Transfer of RFID Tags

(Extended Abstract)
  • David Molnar
  • Andrea Soppera
  • David Wagner
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3897)


The ability to link two different sightings of the same Radio Frequency Identification (RFID) tag enables invasions of privacy. The problem is aggravated when an item, and the tag attached to it, changes hands during the course of its lifetime. After such an ownership transfer, the new owner should be able to read the tag but the old owner should not.

We address these issues through an RFID pseudonym protocol. Each time it is queried, the RFID tag emits a different pseudonym using a pseudo-random function. Without consent of a special Trusted Center that shares secrets with the tag, it is infeasible to map the pseudonym to the tag’s real identity. We present a scheme for RFID pseudonyms that works with legacy, untrusted readers, requires only one message from tag to reader, and is scalable: decoding tag pseudonyms takes work logarithmic in the number of tags. Our scheme further allows for time-limited delegation, so that we can give an RFID reader the power to disambiguate a limited number of pseudonyms without further help from the Trusted Center. We show how RFID pseudonyms facilitate the transfer of ownership of RFID tags between mutually distrustful parties.

Our scheme requires only limited cryptographic functionality from the tag: we need a pseudo-random function (PRF) and the ability to update tag state or to generate random numbers. Tag storage and communication requirements are modest: we give example parameters for a deployment of one million tags in which each tag stores only 128 bits, makes 6 PRF evaluations, and sends 158 bits each time it is read.
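The sketch below is an added example, not code from the paper: it shows how a single tag-to-reader message built from PRF outputs can be decoded in work logarithmic in the number of tags by arranging shared secrets in a tree. The tree layout, HMAC-SHA256 as the PRF, and the names `B`, `D`, `MAC_LEN`, `node_key`, `tag_secrets`, `emit_pseudonym` and `decode` are assumptions made for illustration; delegation and the abstract's 128-bit storage figure are not modelled.

```python
import hashlib
import hmac
import os

B, D = 10, 3    # assumed branching factor and depth: B**D = 1000 tags
MAC_LEN = 8     # assumed truncation of each per-level PRF output, in bytes

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def id_to_path(tag_id: int) -> tuple:
    """Base-B digits of the tag id, most significant first: its path in the tree."""
    return tuple((tag_id // B ** i) % B for i in reversed(range(D)))

def node_key(master: bytes, path: tuple) -> bytes:
    """Trusted Center side: secret of the tree node reached by `path`."""
    return prf(master, b"node" + bytes(path))

def tag_secrets(master: bytes, tag_id: int) -> list:
    """Secrets on the root-to-leaf path, written to the tag when it is issued."""
    path = id_to_path(tag_id)
    return [node_key(master, path[:i + 1]) for i in range(D)]

def emit_pseudonym(secrets: list):
    """Tag side: one message; a fresh r makes every response different."""
    r = os.urandom(16)
    return r, [prf(k, r)[:MAC_LEN] for k in secrets]

def decode(master: bytes, pseudonym):
    """Trusted Center side: walk the tree, testing at most B children per level.
    Returns (tag_id or None, number of candidate nodes tested)."""
    r, macs = pseudonym
    path, tested = (), 0
    if len(macs) != D:
        return None, tested
    for mac in macs:
        for child in range(B):
            tested += 1
            key = node_key(master, path + (child,))
            if hmac.compare_digest(prf(key, r)[:MAC_LEN], mac):
                path += (child,)
                break
        else:
            return None, tested   # no child matches: not a tag of this tree
    return sum(d * B ** i for i, d in enumerate(reversed(path))), tested
```

With these assumed parameters the decoder tests at most B·D = 30 candidate nodes per pseudonym, against up to 1000 for a linear scan over per-tag keys.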


Keywords: RFID privacy pseudonym protocol cryptography



© Springer-Verlag Berlin Heidelberg 2006

Author affiliations: UC Berkeley, British Telecom, and UC Berkeley, USA
