Improved (and Practical) Public-Key Authentication for UHF RFID Tags

  • Sébastien Canard
  • Loïc Ferreira
  • Matt Robshaw
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7771)


cryptoGPS has been promoted as a public-key technology suitable for UHF RFID tag authentication. Since it is a classical commitment-challenge-response (CCR) scheme, it can be converted into a signature scheme using the transformation proposed by Fiat and Shamir. Previously this signature variant has not been considered for RFID, but in this paper we show how to achieve this transformation in a way that yields a compact and efficient scheme. Further, the three-pass CCR scheme is turned into a regular challenge-response scheme with the attendant protocol and implementation improvements. Since we use a block cipher rather than a hash function for the transformation, we justify our approach using results in the ideal cipher model and the net result is a variant of cryptoGPS that offers asymmetric UHF tag authentication with reduced communication and protocol complexity.


Keywords: Hash Function; Signature Scheme; Authentication Scheme; Block Cipher; Random Oracle
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.




References

  1. Aigner, M., Burbridge, T., Ilic, A., Lyon, D., Soppera, A., Lehtonen, M.: RFID Tag Security, BRIDGE white paper,
  2. Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: A Lightweight Hash. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 1–15. Springer, Heidelberg (2010)
  3. Bellare, M., Rogaway, P.: Random Oracles are Practical: A paradigm for designing efficient protocols. In: ACM CCS 1993, pp. 62–73. ACM (1993)
  4. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
  5. Bogdanov, A., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y.: Hash Functions and RFID Tags: Mind the Gap. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 283–299. Springer, Heidelberg (2008)
  6. Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: spongent: A Lightweight Hash Function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011)
  7. Cho, J.Y.: Linear Cryptanalysis of Reduced-Round PRESENT. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 302–317. Springer, Heidelberg (2010)
  8. Collard, B., Standaert, F.-X.: A Statistical Saturation Attack against the Block Cipher PRESENT. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 195–210. Springer, Heidelberg (2009)
  9. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård Revisited: How to Construct a Hash Function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)
  10. EPCglobal. EPC Radio-Frequency Identity Protocols, Class-1 Generation-2 UHF RFID, Protocol for Communications at 860-960 MHz, version 1.2.0 (October 23, 2008),
  11. Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
  12. Girault, M.: Self-certified Public Keys. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 490–497. Springer, Heidelberg (1991)
  13. Girault, M.: Low-Size Coupons for Low-Cost IC Cards. In: Domingo-Ferrer, J., Chan, D., Watson, A. (eds.) Proceedings of Smart Card Research and Advanced Applications, pp. 39–50. Kluwer Academic Press (2001)
  14. Girault, M., Juniot, L., Robshaw, M.: The Feasibility of On-the-Tag Public Key Cryptography. RFIDsec 2007, Workshop Record (2007),
  15. Girault, M., Lefranc, D.: Public Key Authentication with One (Online) Single Addition. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 413–427. Springer, Heidelberg (2004)
  16. Girault, M., Poupard, G., Stern, J.: On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order. Journal of Cryptology 19, 463–487 (2006)
  17. Girault, M., Stern, J.: On the Length of Cryptographic Hash-Values Used in Identification Schemes. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 202–215. Springer, Heidelberg (1994)
  18. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON Family of Lightweight Hash Functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011)
  19. Hofferek, G., Wolkerstorfer, J.: Coupon Recalculation for the GPS Authentication Scheme. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 162–175. Springer, Heidelberg (2008)
  20. Hutter, M., Nagl, C.: Coupon Recalculation for the Schnorr and GPS Identification Scheme: A Performance Evaluation. In: Proceedings of RFIDSec 2009 (2009),
  21. ISO/IEC 9798: Information Technology – Security Techniques – Entity Authentication – Part 5: Mechanisms using Zero-Knowledge Techniques,
  22. ISO/IEC 14888-2: Information Technology – Security Techniques – Digital Signatures – Part 2: Factoring Based Techniques
  23. ISO/IEC 29192-4: Information Technology – Security Techniques – Lightweight Cryptography – Part 2: Block ciphers
  24. ISO/IEC 29192-4: Information Technology – Security Techniques – Lightweight Cryptography – Part 4: Public key techniques
  25. Jenkins, J., Mills, P., Maidment, R., Profit, M.: Pharma Traceability Business Case Report. BRIDGE white paper (May 2007),
  26. Leander, G.: On Linear Hulls, Statistical saturation attacks, PRESENT and a cryptanalysis of PUFFIN. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 303–322. Springer, Heidelberg (2011)
  27. Lehtonen, M., Al-Kassab, J., Michahelles, F., Kasten, O.: Anti-counterfeiting Business Case Report. BRIDGE white paper (December 2007),
  28. McLoone, M., Robshaw, M.J.B.: Public Key Cryptography and RFID Tags. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 372–384. Springer, Heidelberg (2007)
  29. McLoone, M., Robshaw, M.J.B.: New Architectures for Low-Cost Public Key Cryptography on RFID Tags. In: Proceedings of SecureComm 2005, pp. 1827–1830. IEEE Computer Society Press (2007)
  30. McLoone, M., Robshaw, M.J.B.: Low-cost Digital Signature Architecture Suitable for Radio-Frequency Identification Tags. IET Computers and Digital Techniques 4(1), 14–26 (2010)
  31. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography, 1st edn. CRC Press, Boca Raton (1996)
  32. Nakahara Jr., J., Sepehrdad, P., Zhang, B., Wang, M.: Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 58–75. Springer, Heidelberg (2009)
  33. NESSIE consortium. Final Report of European Project IST-1999-12324: New European Schemes for Signatures, Integrity, and Encryption (NESSIE) (April 2004),
  34. Ohkuma, K.: Weak keys of reduced-round PRESENT for linear cryptanalysis. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 249–265. Springer, Heidelberg (2009)
  35. Özen, O., Varıcı, K., Tezcan, C., Kocair, Ç.: Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT. In: Boyd, C., González Nieto, J. (eds.) ACISP 2009. LNCS, vol. 5594, pp. 90–107. Springer, Heidelberg (2009)
  36. Pointcheval, D., Stern, J.: Security Proofs for Signature Schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996)
  37. Pointcheval, D., Stern, J.: Security Arguments for Digital Signatures and Blind Signatures. Journal of Cryptology 19, 361–396 (2000)
  38. Poschmann, A., Robshaw, M., Vater, F., Paar, C.: Lightweight Cryptography and RFID: Tackling the Hidden Overheads. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 129–145. Springer, Heidelberg (2010)
  39. Poschmann, A., Robshaw, M.J.B.: On Area, Time, and the Right Trade-Off. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 404–418. Springer, Heidelberg (2012)
  40. Poupard, G., Stern, J.: Security Analysis of a Practical "on the fly" Authentication and Signature Generation. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 422–436. Springer, Heidelberg (1998)
  41. Robshaw, M.: The eSTREAM Project. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 1–6. Springer, Heidelberg (2008)
  42. Shannon, C.: Communication theory of secrecy systems. Bell System Technical Journal 28, 656–715 (1949)
  43. Wang, M.: Differential Cryptanalysis of Reduced-Round PRESENT. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 40–49. Springer, Heidelberg (2008)
  44. Z'aba, M.R., Raddum, H., Henricksen, M., Dawson, E.: Bit-Pattern Based Integral Attack. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 363–381. Springer, Heidelberg (2008)
  45. Black, J., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002)
  46. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: A synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)
  47. Braun, M., Hess, E., Meyer, B.: Using Elliptic Curves on RFID Tags. IJCSNS International Journal of Computer Science and Network Security 8(2) (February 2008); Jun, J.M. (ed.)
  48. Batina, L., Guajardo, J., Kerins, T., Mentens, N., Tuyls, P., Verbauwhede, I.: An Elliptic Curve Processor Suitable For RFID-Tags. In: 1st Benelux Workshop on Information and System Security (WISSec 2006), Antwerpen, Belgium, November 8-9, 14 pages (2006)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Sébastien Canard (1)
  • Loïc Ferreira (2)
  • Matt Robshaw (2)

  1. Applied Cryptography Group, Orange Labs, Caen Cedex, France
  2. Applied Cryptography Group, Orange Labs, Issy les Moulineaux, France
