Advances in Ultralightweight Cryptography for Low-Cost RFID Tags: Gossamer Protocol

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5379)


The design of ultralightweight authentication protocols that conform to low-cost tag requirements is imperative. This paper analyses the most important proposals (except for those based in hard problems such as the HB [1-3] family) in the area [4-6] and identifies the common weaknesses that have left all of them open to various attacks [7-11]. Finally, we present Gossamer, a new protocol inspired by the recently published SASI scheme [13], that was lately also the subject of a disclosure attack by Hernandez-Castro et al.[14]. Specifically, this new protocol is designed to avoid the problems of the past, and we examine in some deep its security and performance.


Hash Function Security Level Block Cipher Authentication Protocol Mutual Authentication 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Weis, S.: Security parallels between people and pervasive devices. In: Proc. of PERSEC 2005, pp. 105–109. IEEE Computer Society Press, Los Alamitos (2005)Google Scholar
  2. 2.
    Piramuthu, S.: HB and related lightweight authentication protocols for secure RFID tag/reader authentication. In: Proc. of CollECTeR 2006 (2006)Google Scholar
  3. 3.
    Munilla, J., Peinado, A.: HB-MP: A further step in the HB-family of lightweight authentication protocols. Computer Networks 51(9), 2262–2267 (2007)CrossRefzbMATHGoogle Scholar
  4. 4.
    Peris-Lopez, P., Hernandez-Castro, J.C., Estevez-Tapiador, J.M., Ribagorda, A.: M2AP: A minimalist mutual-authentication protocol for low-cost RFID tags. In: Ma, J., Jin, H., Yang, L.T., Tsai, J.J.-P. (eds.) UIC 2006. LNCS, vol. 4159, pp. 912–923. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Peris-Lopez, P., Hernandez-Castro, J.C., Estevez-Tapiador, J.M., Ribagorda, A.: LMAP: A real lightweight mutual authentication protocol for low-cost RFID tags. In: Hand. of Workshop on RFID and Lightweight Crypto (2006)Google Scholar
  6. 6.
    Peris-Lopez, P., Hernandez-Castro, J.C., Estevez-Tapiador, J.M., Ribagorda, A.: EMAP: An efficient mutual authentication protocol for low-cost RFID tags. In: Meersman, R., Tari, Z., Herrero, P. (eds.) OTM 2006 Workshops. LNCS, vol. 4277, pp. 352–361. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Li, T., Deng, R.: Vulnerability analysis of EMAP - an efficient RFID mutual authentication protocol. In: Proc. of AReS 2007 (2007)Google Scholar
  8. 8.
    Li, T., Wang, G.: Security analysis of two ultra-lightweight RFID authentication protocols. In: Proc. of IFIP-SEC 2007 (2007)Google Scholar
  9. 9.
    Hung-Yu, C., Chen-Wei, H.: Security of ultra-lightweight RFID authentication protocols and its improvements. SIGOPS Oper. Syst. Rev. 41(4), 83–86 (2007)CrossRefGoogle Scholar
  10. 10.
    Bárász, M., Boros, B., Ligeti, P., Lója, K., Nagy, D.: Breaking LMAP. In: Proc. of RFIDSec 2007 (2007)Google Scholar
  11. 11.
    Bárász, M., Boros, B., Ligeti, P., Lója, K., Nagy, D.: Passive Attack Against the M2AP Mutual Authentication Protocol for RFID Tags. In: Proc. of First International EURASIP Workshop on RFID Technology (2007)Google Scholar
  12. 12.
    Shamir, A.: SQUASH - A New MAC With Provable Security Properties for Highly Constrained Devices Such as RFID Tags. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 144–157. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Chien, H.-Y.: SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity. IEEE Transactions on Dependable and Secure Computing 4(4), 337–340 (2007)CrossRefGoogle Scholar
  14. 14.
    Hernandez-Castro, J.C., Tapiador, J.M.E., Peris-Lopez, P., Quisquater, J.-J.: Cryptanalysis of the SASI Ultralightweight RFID Authentication Protocol. IEEE Transactions on Dependable and Secure Computing (submitted) (April 2008)Google Scholar
  15. 15.
    Weis, S.: Security and Privacy in Radio-Frequency Identification Devices. Master Thesis, MIT (2003)Google Scholar
  16. 16.
    Klimov, A., Shamir, A.: New Applications of T-functions in Block Ciphers and Hash Functions. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 18–31. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  17. 17.
    Sun, H.-M., Ting, W.-C., Wang, K.-H.: On the Security of Chien’s Ultralightweight RFID Authentication Protocol. Cryptology ePrint Archive,
  18. 18.
    Hernandez-Castro, J.C., Estevez-Tapiador, J.M., Ribagorda-Garnacho, A., Ramos-Alvarez, B.: Wheedham: An automatically designed block cipher by means of genetic programming. In: Proc. of CEC 2006, pp. 192–199 (2006)Google Scholar
  19. 19.
    Batina, L., Guajardo, J., Kerins, T., Mentens, N., Tuyls, P., Verbauwhede, I.: Public-Key Cryptography for RFID-Tags. In: Proc. of PerCom 2007, pp. 217–222 (2007)Google Scholar
  20. 20.
    Kumar, S., Paar, C.: Are standards compliant elliptic curve cryptosystems feasible on RFID. In: Proc. of RFIDSec 2006 (2006)Google Scholar
  21. 21.
    Hell, M., Johansson, T., Meier, W.: Grain: a stream cipher for constrained environments,
  22. 22.
    Hell, M., Johansson, T., Meier, W.: A stream cipher proposal: Grain-128,
  23. 23.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  24. 24.
    Feldhofer, M., Wolkerstorfer, J., Rijmen, V.: AES implementation on a grain of sand. In: Proc. on Information Security, vol. 152, pp. 13–20. IEEE Computer Society, Los Alamitos (2005)Google Scholar
  25. 25.
    Poschmann, A., Leander, G., Schramm, K., Paar, C.: New Light-Weight Crypto Algorithms for RFID. In: Proc. of ISCAS 2007, pp. 1843–1846 (2007)Google Scholar
  26. 26.
    Peris-Lopez, P., Hernandez-Castro, J.C., Estevez-Tapiador, J.M., Ribagorda, A.: An Efficient Authentication Protocol for RFID Systems Resistant to Active Attacks. In: Denko, M.K., Shih, C.-s., Li, K.-C., Tsao, S.-L., Zeng, Q.-A., Park, S.H., Ko, Y.-B., Hung, S.-H., Park, J.-H. (eds.) EUC-WS 2007. LNCS, vol. 4809, pp. 781–794. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  27. 27.
    Peris-Lopez, P., Hernandez-Castro, J.C., Estevez-Tapiador, J.M., Ribagorda, A.: LAMED – A PRNG for EPC Class-1 Generation-2 RFID specification. Journal of Computer Standards & Interfaces (2008), doi:10.1016/j.csi.2007.11.013Google Scholar
  28. 28.
    O’Neill, M. (McLoone): Low-Cost SHA-1 Hash Function Architecture for RFID Tags. In: Hand. of Conference on RFID Security (2008)Google Scholar
  29. 29.
    Feldhofer, M., Rechberger, C.: A case against currently used hash functions in RFID protocols. In: Hand. of Workshop on RFID and Lightweight Crypto (2006)Google Scholar
  30. 30.
    Class-1 Generation-2 UHF air interface protocol standard version 1.0.9: “Gen-2” (2005),
  31. 31.
    ISO/IEC 18000-6:2004/Amd:2006 (2006),
  32. 32.
    Duc, D.N., Park, J., Lee, H., Kim, K.: Enhancing security of EPCglobal Gen-2 RFID tag against traceability and cloning. In: The 2006 Symposium on Cryptography and Information Security (2006)Google Scholar
  33. 33.
    Chien, H.Y., Chen, C.H.: Mutual authentication protocol for RFID conforming to EPC Class-1 Generation-2 standards. Computer Standards & Interfaces 29(2), 254–259 (2007)CrossRefGoogle Scholar
  34. 34.
    Konidala, D.M., Kim, K.: RFID Tag-Reader Mutual Authentication Scheme Utilizing Tag’s Access Password. Auto-ID Labs White Paper WP-HARDWARE-033 (January 2007)Google Scholar
  35. 35.
    Burmester, M., de Medewiros, B.: The Security of EPCGen2 Anonymous compliant RFID Protocols. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 490–506. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  36. 36.
    Bono, S., Green, M., Stubblefield, A., Juels, A., Rubin, A., Szydlo, M.: Security analysis of a cryptographically-enabled RFID device. In: Proc. of 14th USENIX Security Symposium, pp. 1–16 (2005)Google Scholar
  37. 37.
    Garcia, F.D., de Koning Gans, G., Muijrers, R., van Rossum, P., Verdult, R., Wichers Schreur, R.: Dismantling MIFARE Classic. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  38. 38.
    de Koning Gans, G., Hoepman, J.-H., Garcia, F.D.: A Practical Attack on the MIFARE Classic. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 267–282. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  39. 39.
    Karten, N., Plotz, H.: Mifare little security, despite obscurity (2007),
  40. 40.
    Li, T., Wang, G.: SLMAP-A Secure ultra-Lightweight RFID Mutual Authentication Protocol. In: Proc. of Chinacrypt 2007 (2007)Google Scholar
  41. 41.
    Lo, N.-W., Shie, H.-S., Yeh, K.-H.: A Design of RFID Mutual Authentication Protocol Using Lightweight Bitwise Operations. In: Proc. of JWIS 2008 (2008)Google Scholar
  42. 42.
    Vajda, I., Buttyán, L.: Lightweight authentication protocols for low-cost RFID tags. In: Dey, A.K., Schmidt, A., McCarthy, J.F. (eds.) UbiComp 2003. LNCS, vol. 2864. Springer, Heidelberg (2003)Google Scholar
  43. 43.
    Juels, A.: Minimalist cryptography for low-cost RFID tags. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 149–164. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  1. 1.Computer Science DepartmentCarlos III University of MadridSpain

Personalised recommendations