privacy and authentication protocol for mobile rfid systems

Wireless Pers Commun
DOI 10.1007/s11277-014-1605-6

Privacy and Authentication Protocol for Mobile RFID Systems

Ben Niu · Xiaoyan Zhu · Haotian Chi · Hui Li

© Springer Science+Business Media New York 2014

Abstract Security and privacy issues in RFID technology have recently attracted a great deal of attention. However, existing work on RFID authentication problems always makes assumptions such as (1) hash functions can be fully employed in designing RFID protocols; (2) channels between readers and server are always secure. The first assumption is not suitable for EPC Class-1 Gen-2 tags, and has been challenged in many research works, while the second one cannot be directly adopted in mobile RFID applications, where wireless channels between readers and server are always insecure. To solve these problems, in this paper we propose a novel ultralightweight and privacy-preserving authentication protocol for mobile RFID systems. We use only bitwise XOR and several specially constructed pseudo-random number generators to achieve our aims in the insecure mobile RFID environment. We use GNY logic to prove the security correctness of our proposed protocol. The security and privacy analysis shows that our protocol provides several privacy properties (tag anonymity, tag location privacy, reader privacy, forward secrecy and mutual authentication) and resists a number of attacks, including replay and desynchronization attacks. We implement our protocol and compare several parameters with existing work; the evaluation results indicate that our protocol significantly improves the system performance.

Keywords Mobile RFID systems · Authentication · Ultralightweight · Privacy-preserving

B. Niu (B) · X. Zhu · H. Chi · H. Li
National Key Laboratory of Integrated Networks Services, Xidian University, Xi’an 710071, China
e-mail: [email protected]

X. Zhu
e-mail: [email protected]

H. Chi
e-mail: [email protected]

H. Li
e-mail: [email protected]


1 Introduction

Radio Frequency Identification (RFID) is an automatic identification and data capture (AIDC) technology that has been widely used in many applications. It uses radio signals to identify a product, animal or person [1]. It is seen as the replacement for the traditional barcode system for several reasons: RFID provides read/write capability (barcodes are read only), multiple tags can be read at the same time (barcodes cannot), and it does not require line-of-sight contact with the reader (barcodes do). RFID technology is used in numerous current and potential applications, such as manufacturing, supply chain management, access control, e-passports and a number of emerging applications [2]. A typical large-scale deployment is the national ID in China. IDTechEx [3] estimates that the RFID market will be worth more than USD 25 billion in 2018.

Typically, an RFID system architecture [4] consists of three key components: RFID tags, an RFID reader and a back-end server, as shown in Fig. 1. The reader sends a radio signal to the tags and listens to the tags’ responses. The tags detect the signal and reply with identifications. They communicate with each other through a wireless network, while the communication channel between reader and database can be either wired or wireless. The insecure wireless communication channel induces serious security and privacy problems. Among these, one of the most important issues is mutual authentication between tags, reader and server. Furthermore, the tags’ and reader’s privacy should be protected. Last but not least, all the design details should be practical and compliant with industry standards. The Electronic Product Code (EPC) Class-1 Generation-2 standard [5] (called Gen-2 for short in this paper) has evolved as the industry standard for RFID tags. Gen-2 tags have a limited number of gates (about 2.5–5k equivalent gates on standard chips) for security operations, and only Cyclic Redundancy Code (CRC) operations can be adopted, not primitive cryptographic functions such as one-way hashing, symmetric or even asymmetric encryption (SHA-1 and MD5: 15–20k gates [6], lightweight AES: 5k gates [7], RSA: tens of thousands of gates [7], Elliptic Curve Cryptography: 8.2–15k gates [8]). These inherent features limit our ability to design RFID protocols.

Normally, data stored on the tag side include some basic information, such as its identifier, secret keys and even some timestamps. The reader side stores the identifier and some secret keys. In some cases, a powerful reader may store part of the registration information of tags and do the verification work of the back-end server. Obviously, releasing these valuable data may cause serious security and privacy problems. Since readers are always fixed in the traditional RFID environment, attackers can easily obtain the location of a fixed reader, and then monitor and track all the tags. Another problem is caused by the assumption that the channels between readers and server are always secure. These assumptions have become weaker in recent years because of the rapid development of mobile devices, such as PDAs and smartphones, which can act as either distributed or off-line [9] readers. In these increasingly common cases, the wireless channels between readers and server are neither secure nor fixed, so we need to replace the existing assumption of secure channels with one of insecure channels.

Fig. 1 RFID system architecture

Therefore, our motivation in this paper is to propose a privacy-preserving authentication protocol which meets the computation requirements of the Gen-2 standard and of the mobile environment (insecure channels for both reader-server and reader-tag communication). In solving these problems, not only the traditional cryptographic methods but also the widely used hash functions are unavailable in our protocol.

The main contributions of this paper are as follows.

1. We achieve our aims by employing simple operations such as bitwise XOR and some specially constructed pseudo-random number generators (RNGs), which are ultralightweight and conform to the requirements of the Gen-2 standard.

2. We use GNY logic to prove the security correctness of our proposed protocol. Further analysis shows that our proposed protocol preserves the security and privacy of tags and reader in mobile RFID systems, where both the reader-server and reader-tag channels are insecure.

The rest of this paper is organized as follows. In Sect. 2, we introduce some related research work, followed by some preliminaries in Sect. 3. In Sect. 4, we describe the details of our proposed protocol. Then, the security and performance analysis are provided in Sects. 5 and 6. Finally, we show our evaluation results and draw conclusions in Sects. 7 and 8, respectively.

2 Related Work

Several protocols have been proposed in recent years to overcome the security and privacy issues of RFID systems efficiently. Typical examples are the HB-family [10–12] and the MAP-family (LMAP [13], EMAP [14], M2AP [15] etc.). They utilize lightweight or ultralightweight operations (e.g. XOR and some simple arithmetic operations) to achieve a high level of security with efficiency.

Hopper and Blum [10] introduce two authentication protocols for low-cost RFID systems: the HB and HB+ protocols. The main feature of the HB-family protocols is that they rely on the computational hardness of the Learning Parity with Noise (LPN) problem. Juels and Weis [11] make an improvement in HB+, since the previous protocols still suffer from active adversaries, but it remains unsafe against man-in-the-middle attacks. To overcome this problem, Bringer et al. [12] proposed HB++. However, Selwyn Piramuthu [16] showed that HB++ has the same drawback as HB+. We note that the vital reason is the leakage of the secret information shared between the entities. Additionally, the HB-family protocols emphasize the authentication of the tags, but neglect other security issues such as authentication of the reader, the tracking problem and anonymity.

In the MAP-family, the authors try to avoid classical cryptographic primitives such as PRNGs, hash functions, block ciphers, etc., and propose lightweight Mutual Authentication Protocols (MAP) for low-cost RFID tags. In LMAP [13] and M2AP [15], the authors use only bitwise XOR (⊕), bitwise OR (∨), bitwise AND (∧), and addition mod $2^m$ (+) to guarantee the security and privacy properties. However, they need to assume secure communication channels between readers and server, which is not suitable for mobile RFID systems. EMAP [14] solves this problem by shifting the heavy burden of asymmetric encryption and decryption operations to the more powerful reader/server side, leaving only a lightweight hash operation on the tag side. However, it has been shown that hash functions are not computation friendly to resource-restricted tags.

We thus classify the existing work on secure RFID systems into two main types. Some researchers utilize traditional cryptographic methods such as hash functions or even Elliptic Curve Cryptosystems (ECC) [17] to keep RFID systems secure. Besides these two main types of RFID authentication protocols, which clearly have both advantages and shortcomings, other researchers [18,19] make a tradeoff between security and efficiency by combining hash functions and lightweight operations. For example, a hash function is a powerful and efficient cryptographic tool, and methods which utilize hash functions are considered proper solutions. Unfortunately, researchers in [6] have mentioned that the popular hash functions cannot be used well in Gen-2 tags. Some researchers focus on RFID authentication protocols based on quadratic residues. Chen et al. [6] proposed the first RFID authentication protocol based on quadratic residues. However, Yeh et al. [20] show its shortcomings and give an improved version by having the tag generate an additional random number. Further, Doss et al. [21] propose their ultralightweight authentication protocol, which removes the heavy hash functions and can be used in a mobile environment.

Recently, Tian et al. [22] propose RAPP, a new ultralightweight RFID authentication protocol with a high level of security and privacy. They introduce a permutation operation to break the order of the bits while using a rotation operation to break the bit balance. So far, three attacks have been proposed on RAPP. The first one [23] is a traceability attack which exploits the Hamming weight-invariant property of the foregoing permutation. The second one [24] is an active full disclosure attack which requires about $2^{30}$ counterfeit authentication sessions with the compromised tag. In [25], Ahmadian et al. show that RAPP is vulnerable to a desynchronization attack, which has a remarkable probability of success and is effective whether Hamming weight-based or modular-based rotations are used. As a brief summary of authentication in RFID systems, the authors in [26] provide a comprehensive analysis of privacy-friendly authentication protocols and point out their drawbacks and weaknesses.

3 Preliminaries

In this section we briefly introduce mobile RFID systems and our specially constructed pseudo-random number generator (RNG).

3.1 Mobile RFID Systems

Mobile RFID can be defined as services that provide information on objects equipped with an RFID tag over a telecommunication network. The reader or interrogator can be installed in a mobile device such as a mobile phone or tablet. Unlike ordinary fixed RFID, the readers in mobile RFID systems are no longer fixed: they are mobile data collection devices such as smartphones with integrated RFID readers and vehicle-mounted readers from companies such as Intermec and Motorola. They can be brought to the asset instead of the asset having to pass by the reader. These devices and custom applications running on them can often be used off-line to collect data for transmission to other entities of the system at a later time. Another advantage of mobile RFID over ordinary RFID is the absence of wires to fixed readers and the ability of a small number of mobile readers to cover a large area, instead of dozens of fixed readers.

In the industrial field, Nokia, Philips and Sony established the Near Field Communication (NFC) Forum in 2004. KDDI Corporation in Japan has developed RFID reader phones. Also, in South Korea, the Mobile RFID Forum (MRF) was established in Feb. 2005. In Sep. 2011, market research suggests that over the next few years, NFC technology will be in use all around us. For consumers, when staying at a hotel, rather than swiping a magnetic card to access your room, you’ll be able to tap your mobile phone to the NFC reader on the door to your room. You’ll be able to use your phone to pay for dinner or movie tickets. And you’ll be able to store a subway or rail card or bus pass on the device. Instead of carrying a loyalty token from a supermarket, pharmacy or other retailer or service provider, such as Starbucks or McDonald’s. For social networks, check-in would be performed simply and on the spot, using a Google Places tag, or via a Foursquare or Facebook equivalent.

Although a number of mobile RFID-based applications have appeared in recent years, and they have the advantages of both mobile technologies and RFID networks, they also raise some serious privacy and security problems. The transmission of information over the insecure wireless channels between mobile readers and server can cause several problems, such as information leakage, traceability and impersonation. To deal with these problems, in this paper, we must understand the unique requirements and challenges of mobile application development, deployment, and usage, in order to design a privacy-preserving RFID authentication protocol.

3.2 Security Requirements

In this subsection, we present several security requirements [6,27,28] for mobile RFID systems in terms of security properties and attacks.

3.2.1 Anonymity

During data transmission between entities in mobile RFID systems, the tags’ identifiers may be disclosed to attackers who eavesdrop on the communication channels. The exposed identifiers can lead to serious security problems (i.e., cloning attacks and tracking attacks), so we need to provide tag and reader anonymity in our design.

3.2.2 Location Privacy

In mobile RFID systems, location privacy is related to the difficulty of telling whether two messages were sent from a particular tag. This property guarantees that the adversary cannot track or monitor the tags. We thus need to change every message that is sent.

3.2.3 Forward Secrecy

This threat arises when an adversary compromises a tag and obtains the data stored in the tag’s memory. Even in this extreme case, forward secrecy ensures that the adversary cannot trace the tag through the past conversations the tag was involved in. Therefore, we should cut the relationship between different messages sent from the same tag.


3.2.4 Mutual Authentication

Mutual authentication refers to the dual authentication phases between the tags, reader and the server. With this property, the tags trust the legal reader/server they are communicating with, while on the other side, the reader/server verifies the identifiers of the tags as well. In this way, the validity of each entity is guaranteed.

3.2.5 Replay Attack

A replay attack happens when an adversary eavesdrops on the communication channel, captures the conversation between the tags and server, and retransmits the obtained message to the legitimate destination as if it were authentic. A replay attack is easy to perform and may cause serious security issues such as a desynchronization attack.

3.2.6 Desynchronization Attack

A desynchronization attack is performed by disturbing the synchronization between entities. As a result, legitimate tags may be out of service due to desynchronization in terms of timestamps or randomly generated pseudo-random numbers.

3.3 RNGs in Our Protocol

Traditional RNGs always have their inherent shortcomings. They cannot avoid attacks such as exhaustive-key attacks and some adaptive attacks. Here we briefly describe the specially constructed RNGs used in our protocol. The construction was first proposed in Goldreich et al.’s work [29], whose aim is to construct pseudo-random functions efficiently. Suppose $G$ is an $n$-bit RNG and $K$ is an $n$-bit number. We denote by $G_0(K)$ the first $n$-bit number output by $G$, and by $G_1(K)$ the next $n$-bit number. Here, $K$ acts as a seed to generate pseudo-random numbers. Let $X = X_1, X_2, \ldots, X_t$, $t \ge n$, be a $t$-bit number and $G_X(K) = G_{X_t}(Z_{t-1})$, where

$$Z_{t-1} = G_{X_{t-1}}(\cdots(G_{X_1}(G_{X_0}(K)))).$$

We define a function $f_K : \{0,1\}^t \to \{0,1\}^n$ by $f_K(X) = G_X(K)$. It is shown in [29] that the family $F_n = \{f_K\}_{|K|=n}$ is a pseudo-random function (PRF).

The function $f_K(X)$ is used as an RNG in this paper. It is secure against attacks that exploit correlated values of $X$, since $F_n$ is a PRF. The first number drawn from $f_K(X)$ will be $G_X(K)$. If a second number has to be drawn then, in the last step of the construction above, we take either the second or the third $n$-bit number output by $G(Z_{t-1})$, depending on whether $X_t = 0$ or $X_t = 1$; for the $t$-th draw, we take either the $t$-th output number or the $(t+1)$-th output number of $G(Z_{t-1})$.

3.4 Motivation and Our Main Idea

Given the aforementioned requirements of mobile RFID systems, a well designed privacy-preserving authentication protocol for mobile RFID systems should consider a number of security properties and the insecure communication channel between reader and server, and should achieve these goals on resource-restricted tags. Specifically, to satisfy the EPC standard and the environment of mobile RFID systems, heavy primitive cryptographic tools such as traditional hash functions, asymmetric encryption and elliptic curve cryptography can no longer be adopted in the design. We can only use some lightweight/ultralightweight operations, for example bitwise XOR (⊕), bitwise OR (∨), bitwise AND (∧), addition mod $2^m$ (+) and some specially constructed functions. Additionally, the communication channel between reader and server must be treated as insecure, so we cannot transmit messages between these two entities without any protection.

Our main idea can thus be divided into two parts. On the one hand, to avoid the heavy primitive cryptographic tools, we combine the lightweight or ultralightweight operations with the specially designed RNGs (shown in Sect. 3.3), which can be implemented on Gen-2 tags easily. On the other hand, the reader in our protocol plays an important role compared to existing solutions. Firstly, it verifies the identifiers of the tags it handles; secondly, to guarantee the validity of the reader itself, the server also needs to verify each reader. As a result, our protocol works well over the insecure tag-reader and reader-server channels.

4 Our Proposed Protocol

In this section, we first introduce the notations used in our work, and then, based on our specially constructed RNG, which outputs 16-bit random numbers, we present our privacy and authentication protocol for mobile RFID systems in detail. It consists of two phases: an initialization phase and a mutual authentication phase.

4.1 Notations

We use the notations given in Table 1 to describe our proposed protocol.

4.2 Initialization Phase

At the beginning of our proposed protocol, all the entities should initialize their memories. All the random numbers are generated from the specially designed RNG described in Sect. 3.3. The server shares a key $K_R$ with the reader and $\{ID, K_T, x\}$ with the tag. $ID$ is a unique and fixed identifier of a tag, $K_R$ and $K_T$ are secret keys used to generate random numbers, and $x$ is secret information shared between server and tag. This information, except $K_R$, is updated when the protocol ends successfully in each session.

Table 1 Notations through this paper

| Notation | Meaning |
|---|---|
| $R$ | RFID reader |
| $T$ | RFID tag |
| $S$ | Back-end server |
| $r_R$/$r_T$ | Random numbers generated by RFID reader $R$ or tag $T$ |
| $ID$ | Unique identifier of tag $T$ |
| $x_i$ | Secret information on RFID tag $T$ |
| $K_{Ti}$ | Secret key between server $S$ and tag $T$ |
| $K_{Ri}$ | Secret key between server $S$ and reader $R$ |
| $I$ | Attacker |
| ⊕ | Exclusive-OR (XOR) |

4.3 Mutual Authentication Phase

We illustrate the details of our proposed protocol in the following steps, which are shown in Fig. 2.

(1) Reader → Tag: $Challenge$
The RFID reader starts a session by sending a unique random number $Challenge$ to the tag.

(2) Tag → Reader: $B \| r_T$
Upon receiving the message, the tag computes $A = (ID \oplus x \oplus r_T)$, where $r_T$ is a random number generated by itself, and derives $B$ and $C$ from $f_{K_T}(A)$, where $A$ acts as a seed to generate the random numbers $B$ and $C$. The adopted RNG is described in Sect. 3.3. The tag then sends $B$ and $r_T$ to the reader.

(3) Reader → Server: $E \| r_R \| r_T$
Once the reader receives the message from a tag, it generates its own random number $r_R$, then computes $D = B \oplus r_R$ and $E = f_{K_R}(D)$. The random number $E$ is derived in the same way as $B$ and $C$ by running our newly constructed RNG; the difference is that the seed here is $D$. Finally, the reader sends $E$, $r_R$ and $r_T$ together to the server.

(4) Server → Reader: $F$
Based on the received message $\{E, r_R, r_T\}$ from the reader, the server retrieves $B'$ and $C'$ from $f_{K_T}(ID \oplus x \oplus r_T)$, searches its database and finds a record $\{ID, K_R, K_T, x\}$ for which $E = f_{K_R}(B' \oplus r_R)$ holds. It pre-updates the secret information $x' = C'$ and $K'_T = RNG(K_T)$ if the foregoing process is verified successfully. Then it computes $F = f_{K'_T}(x' \oplus r_T) \oplus f_{K_R}(r_R \oplus r_T)$ and sends it to the reader. Finally, the server updates the secret information by executing $x' \leftarrow C'$ and $K'_T \leftarrow RNG(K_T)$.

(5) Reader → Tag: $I$
The reader handles the received message by XORing it with $f_{K_R}(r_R \oplus r_T)$, then sends the message $I = F \oplus f_{K_R}(r_R \oplus r_T)$ to the tag.

(6) On the tag
The tag verifies server and reader by checking the received message $I$ against $f_{K'_T}(C \oplus r_T)$, where $K'_T = RNG(K_T)$. Finally, the tag updates its memory: $x \leftarrow C$ and $K_T \leftarrow K'_T$.

By performing these steps, our protocol takes full account of both the insecure communication channel between the reader and the server and the security and privacy issues on the resource-restricted tags.

Fig. 2 Our proposed protocol

Table 2 Notations used in our proof

| Notation | Meaning |
|---|---|
| $P \ni Msg1$ | $P$ owns $Msg1$ |
| $P \triangleleft Msg1$ | $P$ receives $Msg1$ |
| $P \mid\equiv \sharp(Msg1)$ | $P$ believes the freshness of $Msg1$ |
| $P \mid\equiv \phi(Msg1)$ | $P$ believes the content of $Msg1$ is recognizable |
| $P \mid\equiv P \stackrel{s}{\leftrightarrow} Q$ | Secret $s$ is shared between $P$ and $Q$ |
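The RNG construction of Sect. 3.3 and the mutual authentication steps of Sect. 4.3, run end to end as an added Python example; this is not the authors' implementation. The xorshift generator standing in for $G$, the reading of $RNG(K)$ as the first output of $G(K)$, the bit order of $X$, and all identifiers, keys and nonces are assumptions constructed for illustration.

```python
# Added example: toy simulation of Sects. 3.3 and 4.3; every constant is constructed.
MASK = 0xFFFF  # the paper's RNG outputs 16-bit numbers (Sect. 4)

def G(seed, count):
    """Stand-in for the n-bit generator G: a 16-bit xorshift stream.
    Chosen only so the example runs; it is NOT cryptographically secure."""
    s = ((seed ^ 0xACE1) & MASK) or 1           # avoid the all-zero fixed point
    out = []
    for _ in range(count):
        s ^= (s << 7) & MASK
        s ^= s >> 9
        s ^= (s << 8) & MASK
        out.append(s)
    return out

def rng(K):
    """RNG(K) of the key update, read here as the first output of G(K)."""
    return G(K, 1)[0]

def f(K, X, draws=1, t=16):
    """f_K(X) = G_X(K): walk the tree on X_1..X_{t-1}; the j-th draw is then
    the (j + X_t)-th output of G(Z_{t-1}), as described in Sect. 3.3."""
    bits = [(X >> (t - 1 - i)) & 1 for i in range(t)]   # X_1 = MSB (assumption)
    z = K
    for b in bits[:-1]:
        z = G(z, 2)[b]                  # G_0 = first output, G_1 = next output
    stream = G(z, draws + 1)
    return [stream[j + bits[-1]] for j in range(draws)]

class Tag:
    def __init__(self, ID, KT, x):
        self.ID, self.KT, self.x = ID, KT, x

    def respond(self, challenge, rT):
        # Step 2. The page does not use Challenge in any computation.
        self.rT = rT
        B, self.C = f(self.KT, self.ID ^ self.x ^ rT, draws=2)
        return B, rT

    def verify(self, I):
        # Step 6: accept only if I == f_{K'_T}(C xor r_T), then update memory.
        KT_new = rng(self.KT)
        if I != f(KT_new, self.C ^ self.rT)[0]:
            return False                # state is left untouched on failure
        self.x, self.KT = self.C, KT_new
        return True

class Reader:
    def __init__(self, KR):
        self.KR = KR

    def forward(self, B, rT, rR):
        # Step 3: E = f_{K_R}(B xor r_R)
        self.rR, self.rT = rR, rT
        return f(self.KR, B ^ rR)[0], rR, rT

    def relay(self, F):
        # Step 5: I = F xor f_{K_R}(r_R xor r_T)
        return F ^ f(self.KR, self.rR ^ self.rT)[0]

class Server:
    def __init__(self, reader_keys, tags):
        self.reader_keys, self.tags = reader_keys, tags

    def authenticate(self, E, rR, rT):
        # Step 4: search for a record with E == f_{K_R}(B' xor r_R).
        for rec in self.tags:
            B1, C1 = f(rec["KT"], rec["ID"] ^ rec["x"] ^ rT, draws=2)
            for KR in self.reader_keys:
                if f(KR, B1 ^ rR)[0] == E:
                    rec["x"], rec["KT"] = C1, rng(rec["KT"])
                    return f(rec["KT"], rec["x"] ^ rT)[0] ^ f(KR, rR ^ rT)[0]
        return None                     # unknown tag, unknown reader, or stale message

def demo():
    tag = Tag(ID=0x1234, KT=0xBEEF, x=0x0F0F)
    reader = Reader(KR=0xC0DE)
    server = Server([0xC0DE], [
        {"ID": 0x1234, "KT": 0xBEEF, "x": 0x0F0F},
        {"ID": 0x4321, "KT": 0x1357, "x": 0x2468},    # unrelated record
    ])
    # Session 1: the tag is first offered a corrupted I, then the genuine one.
    B, rT = tag.respond(challenge=0x0001, rT=0x5A5A)
    msg3 = reader.forward(B, rT, rR=0x3C3C)
    I = reader.relay(server.authenticate(*msg3))
    tamper_rejected = not tag.verify(I ^ 0x0001)
    session1 = tag.verify(I)
    # Re-sending the recorded message 3 after the update must find no record.
    replay_rejected = server.authenticate(*msg3) is None
    # Session 2 runs on the updated secrets held by both sides.
    B, rT = tag.respond(challenge=0x0002, rT=0x0BAD)
    F = server.authenticate(*reader.forward(B, rT, rR=0x7E57))
    session2 = F is not None and tag.verify(reader.relay(F))
    rec = server.tags[0]
    return {"tamper_rejected": tamper_rejected, "session1": session1,
            "replay_rejected": replay_rejected, "session2": session2,
            "synced": (tag.x, tag.KT) == (rec["x"], rec["KT"])}

if __name__ == "__main__":
    print(demo())
```

With 16-bit values a chance match in the server's search has probability about $2^{-16}$ per record, which is why the constructed database is kept to two records.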

5 Security and Property Analysis

Since the joint issues of privacy and mobile RFID systems have been studied in [30], in this section we first use GNY logic [31] to prove the security correctness of our proposed protocol, followed by an analysis of its security and privacy properties.

5.1 Correctness Analysis

There are a number of logic tools for proving cryptographic authentication protocols, such as BAN logic [32], AVISPA logic$^1$ and GNY logic. We choose GNY logic to prove the security correctness of our protocol since it was proposed for reasoning about cryptographic protocols. Compared to the widely used BAN logic, GNY logic offers important advantages and relaxes some assumptions: for example, it does not assume that redundancy is always present in encrypted messages; additionally, it does not assume that a principal can always determine whether a message was not once originated by itself; finally, it is easy to formalize and apply to our proposed authentication protocol.

The following proof is based on GNY logic. We want to show that, after an execution of our protocol, (1) server $S$ and tag $T$ are authenticated to each other; (2) they believe the received messages are from each other and that these messages are fresh. To begin with, we list the notations used in the following proof in Table 2.

To apply GNY logic, we first list the five messages exchanged between the participants in our protocol. $Challenge$ is a nonce generated by reader $R$; $r_R$ and $r_T$ are pseudo-random numbers generated by reader and tag respectively.

(1) $R \to T$: $Challenge$
(2) $T \to R$: $f_{K_T}(ID \oplus x \oplus r_T),\ r_T$
(3) $R \to S$: $f_{K_R}((f_{K_T}(ID \oplus x \oplus r_T)) \oplus r_R),\ r_R,\ r_T$
(4) $S \to R$: $f_{K_T}(ID \oplus x' \oplus r_T) \oplus f_{K'_R}(r_R \oplus r_T)$
(5) $R \to T$: $f_{K_T}(ID \oplus x' \oplus r_T)$

1 http://www.avispa-project.org/.


We first translate some of the protocol steps into generic types:

Step 1) $T \triangleleft *Challenge \rightsquigarrow R,\ R \stackrel{Challenge}{\longleftrightarrow} T$

Step 2) $R \triangleleft *f_{K_T}(ID \oplus x \oplus r_T),\ r_T \rightsquigarrow T \mid\equiv R\,\phi(f_{K_T}(), r_T),\ T \stackrel{r_T}{\longleftrightarrow} R$

Step 3) $S \triangleleft *f_{K_R}((f_{K_T}(ID \oplus x \oplus r_T)) \oplus r_R),\ r_R,\ r_T \rightsquigarrow R \mid\equiv S\,\phi(f_{K_R}(f_{K_T}(), .), r_R, r_T),\ R \stackrel{r_R,\, r_T}{\longleftrightarrow} S$

Step 4) $T \triangleleft *f_{K_T}(ID \oplus x' \oplus r_T) \rightsquigarrow S \mid\equiv T\,\phi f_{K_T}(),\ S \stackrel{ID,\, x',\, K'_T}{\longleftrightarrow} T$

The goals to prove are given below:

G1) $S \mid\equiv T \mid\sim \sharp(f_{K_T}(ID \oplus x \oplus r_T))$

G2) $T \mid\equiv S \mid\sim \sharp(f_{K'_T}(ID \oplus x' \oplus r_T))$

G3) $S \mid\equiv \sharp(K_T, x)$

G4) $T \mid\equiv \sharp(K'_T, x')$

Goal G1 says that server $S$ believes tag $T$ conveys the message $f_{K_T}(ID \oplus x \oplus r_T)$. Goals G2, G3 and G4 can be interpreted similarly. If these goals are proved, then tag $T$ will believe that the received messages are sent by the valid server, and the secret information shared between tag and server can also be updated. To prove G1 we need to prove the following two sub-goals:

G1.1) $S \mid\equiv R \mid\sim \sharp(f_{K_R}(f_{K_T}(ID \oplus x \oplus r_T) \oplus r_R))$

Proof G1.1) says that $S$ believes $R$ conveys the message $f_{K_R}(f_{K_T}(ID \oplus x \oplus r_T) \oplus r_R)$ to it, and G1.2) says that $S$ believes $T$ conveys the message $f_{K_T}(ID \oplus x \oplus r_T)$ to it. Since no message contamination is possible during message transmission without being detected, if the two sub-goals are proved, then goal G1 follows transitively. Furthermore, according to the GNY logical postulate rule

$$I6: \frac{S \mid\equiv R \mid\sim M_1,\ S \mid\equiv \sharp(M_1)}{S \mid\equiv R \ni M_1},$$

where

$$M_1 = f_{K_T}(ID \oplus x \oplus r_T) \oplus r_R.$$

If $S$ believes that $R$ once conveyed formula $M_1$ and $S$ believes the freshness of $M_1$, then $S$ is entitled to believe that $R$ possesses $M_1$. To prove G1.1), two steps are necessary. In the first step, we apply the GNY logical postulate rule

$$I1 = \frac{S \triangleleft *\{M_1\}_{K_R},\ S \ni K_R,\ S \mid\equiv S \stackrel{K_R}{\longleftrightarrow} R,\ S \mid\equiv \phi(M_1),\ S \mid\equiv \sharp(M_1, K_R)}{S \mid\equiv R \mid\sim M_1,\ S \mid\equiv R \mid\sim \{M_1\}_{K_R},\ S \mid\equiv R \ni K_R},$$

which includes a freshness requirement that may seem rather surprising. Suppose that for $S$, all of the following conditions hold: (1) $S$ receives a formula $M_1$, which is encrypted with key $K_R$ and marked with a “not-originated-here” symbol; (2) $S$ possesses $K_R$; (3) $S$ believes $K_R$ is a suitable secret for itself and $R$; (4) $S$ believes $M_1$ is recognizable; and (5) $S$ believes $K_R$ is fresh. Then $S$ is entitled to believe that (1) $R$ once conveyed $M_1$; (2) $R$ possesses $K_R$. The proof is shown below:

$$\frac{S \triangleleft *M_1,\ S \ni K_R,\ S \mid\equiv S \stackrel{K_R}{\longleftrightarrow} R,\ S \mid\equiv \phi(M_1),\ S \mid\equiv \sharp(K_R)}{S \mid\equiv R \mid\sim M_1,\ S \mid\equiv R \ni K_R}.$$


In the second step, we apply the GNY logical postulate rule

$$P3 = \frac{S \ni (M_1, M_2)}{S \ni M_1}.$$

It means that if a principal possesses a formula, then he is capable of possessing any one of the concatenated components of that formula. In this rule, $M_1$ and $M_2$ are two formulae. Suppose that $S$ possesses a formula $M_1 = f_{K_T}(ID \oplus x \oplus r_T) \oplus r_R$; then it is capable of possessing any one of the concatenated components of that formula, such as $f_{K_T}(ID \oplus x \oplus r_T)$. The proof is shown below:

$$P3 = \frac{S \ni \{f_{K_T}(ID \oplus x \oplus r_T) \oplus r_R\}}{S \ni f_{K_T}(ID \oplus x \oplus r_T)}.$$

Combining the aforementioned two steps, G1.1) is proved. □

G1.2) $S \mid\equiv T \mid\sim \sharp(f_{K_T}(ID \oplus x \oplus r_T))$

Proof We now prove G1.2). We revisit the message $E = f_{K_R}(f_{K_T}(ID \oplus x \oplus r_T) \oplus r_R)$ sent by tag $T$ to server $S$. Server $S$ receives the valid information $E$ if and only if the reader $R$ is valid. We let $A' = ID \oplus x \oplus r_T$ and rewrite $E = f_{K_R}(f_{K_T}(ID \oplus x \oplus r_T) \oplus r_R) = f_{K_R}(f_{K_T}(A') \oplus r_R)$. This can be interpreted as $A'$ being encrypted using an XOR encryption with $K_T$. Then, we apply the GNY logical postulate rule

$$T3 = \frac{S \triangleleft A'_{K_T},\ S \ni K_T}{S \triangleleft A'}$$

If $S$ is told a formula $A'$ encrypted with a hash value using the key it possesses, then it is considered to have been told the decrypted contents of that formula. The proof is shown below:

$$\frac{S \triangleleft \mathrm{XOR}(f_{K_R}(K_T, r_T), A'),\ S \ni K_R,\ S \ni K_T,\ S \ni r_T}{S \triangleleft A'}.$$

If the following two conditions hold: $S$ applies $f_{K_T}(ID \oplus x \oplus r_T)$ and the result matches the received $E$; and $S$ believes $T$ is the only entity to share the secret keys $K_T$ and $x$ with it, then $S$ is entitled to believe that $T$ conveys the message $f_{K_T}(ID \oplus x \oplus r_T)$. □

Goals G2, G3 and G4 can be proved in a similar way. Due to page limitations, we do not discuss the details.

5.2 Security and Privacy Properties

After analyzing the correctness of our proposed protocol, in this subsection, we prove thatour protocol preserves the security properties on both the tags, reader and server sides whilemaintaining their privacy. A security comparison of the schemes is summarized in Table 3.

Table 3 Security comparison (×: not satisfied, ◦: not fully satisfied (assumed), √: fully satisfied)

| Property | [33] | [34] | [35] | [20] | [36] | [37] | [21] | Ours |
|---|---|---|---|---|---|---|---|---|
| Tag anonymity | × | × | × | √ | √ | √ | √ | √ |
| Tag location privacy | × | × | × | √ | √ | √ | √ | √ |
| Reader privacy | × | × | × | × | × | × | √ | √ |
| Forward secrecy | × | × | √ | √ | √ | √ | √ | √ |
| Mutual authentication | √ | √ | √ | √ | × | √ | √ | √ |
| Replay attack | × | √ | × | √ | √ | √ | √ | √ |
| Desynchronization attack | ◦ | × | × | √ | × | × | √ | √ |

(1) Tag Anonymity: an adversary tries to track a tag or even derive sensitive information by eavesdropping on communication channels. On the tag side, only three simple data items are stored in memory: the unique identity of the tag $ID$, the secret key $K_T$ and the secret information $x$. They are randomly generated and, except for the unique tag $ID$, are updated after every successful protocol run. To ensure tag anonymity, we pay close attention to the information revealed from the tag side, $B$ and $r_T$, and consider them in turn. $r_T$ is a randomly generated pseudo-random number, which is updated in each successful session. $B$ is derived from $ID \oplus x \oplus r_R$ through the specially constructed RNG function mentioned in Sect. 3.3, so it is hard to link the input and output, and it is also impossible for an adversary to deduce the unique identity $ID$, which is protected by both the RNG function (secret key $K_T$) and the randomly generated $x$ and $r_R$.

(2) Tag Location Privacy: the values of $B$ and $I$ cannot be linked with any particular tag, because new random numbers $K_T$, $x$ and $r_R$ are used in each session. We use three random numbers and the fixed $ID$ to generate $B$, where $B = f_{K_T}(ID \oplus x \oplus r_R)$. Even if an adversary sends challenges to a tag several times, the responses are still refreshed each time, because the random value $r_R$ is generated in each request while the other random values $K_T$ and $x$ are updated in each session.

(3) Reader Privacy: we should protect the real identity of the reader to prevent the cloning attack, which can be performed on a valid reader. The reader should be involved in some calculations instead of acting as a simple transmitter. We use $K_R$ as the identifier of the reader. This random value acts as a key that helps the reader to generate new random numbers; $K_R$ is only shared with the server.

(4) Forward Secrecy: forward secrecy means that previous communications should not be retrievable from the current resident data on a compromised tag. Assume that the current resident data on the compromised tag is $\{ID_{now}, K_{T_{now}}, x_{now}\}$ while the previous communication data is $\{B_{pre}, r_{T_{pre}}, I_{pre}\}$. The problem is that when the tag is compromised, the adversary can know the resident data $\{ID_{now}, K_{T_{now}}, x_{now}\}$. How do we prevent the adversary from computing the previous communications? In our protocol, $B_{pre}$ is computed from the earlier data instead of the current data, so an adversary cannot infer $B_{pre}$ from the compromised data at all. That means it is impossible to derive useful former data by compromising a tag. The same holds for $I_{pre}$. $r_T$ is a random number, which is independent of the resident data.

(5) Mutual Authentication: we analyze this problem from the tag side and the server side, respectively. From the tag's point of view, it will update its memory if and only if the verification on $I$ is successful. The replied data $I$ includes the verification of both server and reader. A valid server can generate the original message $F = f_{K'_T}(ID \oplus x' \oplus r_T) \oplus f_{K_R}(r_R \oplus r_T)$, and a valid reader can XOR its own verification $f_{K_R}(r_R \oplus r_T)$ onto $F$ and then reply to the tag. On the server side, only the valid server can read and check the received data, since an adversary does not have the unique tag ID ($ID$), the secret key ($K_T$) and the secret information $x$ needed to rebuild the value $B$.

(6) Resistance to Replay Attack: we employ four random numbers $ID$, $K_R$, $K_T$ and $x$ in our protocol. $ID$ and $K_R$ are fixed while $K_T$ and $x$ are not. Furthermore, another two random numbers $r_T$ and $r_R$ are generated in each session. None of these values is ever used alone when constructing messages. Take message $B$ for example: an adversary can intercept and save this message, but once the message is replayed into another session, the server can detect the replay attack right away by checking the value $E$, which contains the value $B$. Consequently, the adversary gets no information useful for performing a replay attack.

(7) Resistance to Desynchronization Attack: the desynchronization attack happens when the server and the tag update their secret information discordantly. For instance, if an adversary succeeds in blocking or forging the message $I$, the tag will not receive the response from the server correctly. It will then not update its secret information, while the server has already done so. In our protocol, we store both the updated secret information and the former one. For a tag, when the desynchronization attack happens, the secret information in its storage is $\{ID, K_{T_{old}}, x_{old}\}$, while the server stores $\{ID, K_R, K_{T_{old}}, x_{old}, K_{T_{new}}, x_{new}\}$ for that particular tag. In the next session, the tag sends out the old information, and the server can detect that something is wrong with the tag; however, it can still verify the tag and try to update the old secret information on the tag to the new version. Furthermore, we can employ a counter in our system to record the number of authentications for a particular tag. If a tag sends requests to the server several times within a short time interval, it will be tagged as compromised. The server cannot authenticate a tag successfully when the tag has been updated into a fake version in a former session.
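The behaviour described in items (6) and (7), as an added simulation that is not the authors' code: the server keeps both the old and the new secret pair, so a tag that missed $I$ is still recognised and resynchronised, while a captured $(B, r_T)$ fails under a fresh $r_R$. Assumptions: truncated HMAC-SHA256 stands in for the paper's specially constructed RNG $f_K$, the update rule in `next_secrets` is hypothetical (this section does not give one), values are 64 bits wide, and the reader's $K_R$ masking is omitted.

```python
import hashlib
import hmac
import random

BITS = 64  # ASSUMPTION: wider than the paper's 16-bit values so chance collisions do not affect the demo
NBYTES = BITS // 8

def f(key: int, value: int) -> int:
    """Stand-in (assumption) for the paper's keyed RNG f_K(.): truncated HMAC-SHA256."""
    mac = hmac.new(key.to_bytes(NBYTES, "big"), value.to_bytes(NBYTES, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[:NBYTES], "big")

def next_secrets(k_t, x, r_t, r_r):
    """Hypothetical update rule for (K_T, x); this section does not specify one."""
    return f(k_t, r_t ^ r_r), f(k_t, x ^ r_t)

class Tag:
    def __init__(self, tag_id, k_t, x, rng):
        self.tag_id, self.k_t, self.x, self.rng = tag_id, k_t, x, rng

    def respond(self, r_r):
        """Answer a challenge with B = f_KT(ID xor x xor r_R) and a fresh r_T."""
        self.r_r, self.r_t = r_r, self.rng.getrandbits(BITS)
        return f(self.k_t, self.tag_id ^ self.x ^ r_r), self.r_t

    def confirm(self, i_msg):
        """Update the stored secrets only if I verifies, as item (5) requires."""
        k_new, x_new = next_secrets(self.k_t, self.x, self.r_t, self.r_r)
        if i_msg != f(k_new, self.tag_id ^ x_new ^ self.r_t):
            return False
        self.k_t, self.x = k_new, x_new
        return True

class Server:
    def __init__(self, rng):
        self.rng, self.records, self.r_r = rng, {}, None

    def enroll(self, tag_id, k_t, x):
        self.records[tag_id] = {"old": (k_t, x), "new": (k_t, x)}

    def challenge(self):
        self.r_r = self.rng.getrandbits(BITS)  # fresh r_R for every session
        return self.r_r

    def authenticate(self, b, r_t):
        """Return (tag_id, matched_slot, I), or None if B fits no stored secret pair."""
        for tag_id, rec in self.records.items():
            for slot in ("new", "old"):
                k_t, x = rec[slot]
                if b == f(k_t, tag_id ^ x ^ self.r_r):
                    # Keep the pair the tag just proved it holds; derive the next pair from it.
                    k_n, x_n = next_secrets(k_t, x, r_t, self.r_r)
                    rec["old"], rec["new"] = (k_t, x), (k_n, x_n)
                    return tag_id, slot, f(k_n, tag_id ^ x_n ^ r_t)
        return None

def run_demo(seed=2014):
    rng = random.Random(seed)  # seeded for a reproducible constructed run; real nonces need a CSPRNG
    tag_id, k_t, x = (rng.getrandbits(BITS) for _ in range(3))  # constructed sample secrets
    tag, server = Tag(tag_id, k_t, x, rng), Server(rng)
    server.enroll(tag_id, k_t, x)
    out = {}

    def session(deliver_i=True):
        b, r_t = tag.respond(server.challenge())
        _, slot, i_msg = server.authenticate(b, r_t)
        return slot, (tag.confirm(i_msg) if deliver_i else False), (b, r_t)

    out["normal"] = session()[:2]
    slot, _, captured = session(deliver_i=False)    # adversary blocks I: server updates, tag does not
    out["blocked"] = slot
    server.challenge()                              # a new session begins with a new r_R
    out["replay"] = server.authenticate(*captured)  # the saved (B, r_T) is replayed into it
    out["resync"] = session()[:2]                   # tag still holds the old pair
    out["after"] = session()[:2]
    out["in_sync"] = server.records[tag_id]["new"] == (tag.k_t, tag.x)
    return out

if __name__ == "__main__":
    print(run_demo())
```

In the `resync` session the server matches on its `old` slot, which is the only reason the tag is still accepted after the blocked update.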

6 Performance Analysis

We analyze the performance characteristics of our proposed protocol, since the resource-restricted tags can only store 250–3K bits and only about 5K logic gates can be used for security functions. In this section, we evaluate the performance of our proposed protocol in three aspects: computation cost, communication cost and storage requirement. We do not pay much attention to the server and reader sides, since they always have powerful computation, communication and storage capacity compared to tags.

The performance comparisons between our proposed protocol and the existing work are shown in Table 4. The protocols in [33,38,39,20] assume that the channels between readers and server are always secure; this assumption cannot be adopted in mobile RFID applications.

Table 4 Efficiency comparison (GC: Gen-2 Compliance, SA: Security Assumption on channels, h: One-way hash function, r: Random number, none: No operation, search: Search data in database, CRC: 16-bit cyclic redundancy checking code, m: Modulo squaring operation, srs: Square root solving, l: Length of bits)

| Protocols | Tag | Reader | Server | GC | SA | Rounds | Storage |
|---|---|---|---|---|---|---|---|
| [33] | 2h + 1r | 1h + 1r | none | No | Yes | 4 | 2l |
| [38] | 1h + 2r | none | 1search + 2h | No | Yes | 5 | 3l |
| [39] | 4h + 2r | none | 1search + 5h + 1r | No | Yes | 5 | 4l |
| [20] | 4h + 3m + 2r | 1r | 14h + 3srs + 1r | No | Yes | 5 | 4l |
| [36] | 2h + 2m + 1r | 1r | 1h + 1r | No | No | 5 | 3l |
| [21] | 3m + 3r | 3m + 2r + 1h | 2srs + 1h | Yes | No | 5 | 4l |
| [37] | 4r + 3CRC | 3r + 1CRC | 6r + 4CRC + 1search | Yes | No | 5 | 4l |
| Ours | 5r | 2r | 1search + 3r | Yes | No | 5 | 3l |


(1) Computation Cost: the computation restriction on the tag side is the bottleneck of the whole RFID system. To achieve a lower computation cost that is practical and compliant with the industry standard, the EPC Class-1 Generation-2 standard, we use several ultralightweight operations on the tag, such as bitwise XOR and a specially constructed RNG. All these operations can be implemented on passive tags efficiently. A tag in our protocol only needs to execute five RNG functions and several bitwise XORs to finish both the authentication and secret updating phases. The implementation of the RNG function requires 12 gates for each input bit, while a 2-input XOR consumes 2.5 gates on average. Thus the computation requirement of our protocol on the tag side is: (5 × 16 × 12) + (4 × 2.5) = 970 gates. To this we add an extra 20 % of logic gates for control functions, and another 8 gates are needed to implement a flip-flop as shown in [40]. In total, our protocol requires 970 + (970 × 20 %) + 8 = 1172 gates, which is a much better solution than using traditional hash functions, which require at least 3500 gates to be implemented. Compared with the existing work in Table 4, our protocol employs no heavy-cost operations at all, not even the widely used hash functions. In [21], they use 3 RNGs and 3 modulo squaring operations on the tag side. There is no further research on the efficiency comparison between RNGs and modulo squaring operations, so we give our experimental results based on the time consumption of these different operations in Sect. 7.

(2) Communication Cost: to reduce the communication cost, two methods are available: decreasing the number of communication rounds, or decreasing the data size transferred on the channels. In Table 4, we can see that almost all the protocols have the same number of communication rounds except [33]. That is because no secret updating scheme is employed in that protocol, and so it cannot avoid the desynchronization attack. On the other hand, we consider the data size transferred on the channel. Take the protocol in [21] for example: it needs to transfer 11 segments of bits in total, while our proposed protocol only transfers 8. The decreased data size saves both network bandwidth and transmission delay.

Considering 5 bytes for the Challenge message, our proposed protocol performs mutual authentication and integrity protection with only three messages between tag and reader, and four messages between reader and server. That means the total communication cost between tag and reader is (3 × 16) + (5 × 8) = 88 bits, and 4 × 16 = 64 bits between reader and server.

Figure 3 shows the comparison of communication cost between our proposed protocol and several existing works [20,21,33,36–39]; these protocols are chosen since they keep security and privacy properties comparable with our protocol. We consider the cost between tag and reader, as well as between reader and server. In this figure, our protocol outperforms most of the other protocols. Compared to [20], the communication cost in our work decreases to almost a half.

(3) Storage Cost: everything has a tradeoff. When we combine Table 3 and Table 4, it is quite easy to find the rule that less stored information always leads to more attacks. With this in mind, we compare our storage requirement with that in [21]. Our protocol achieves the same security and privacy properties while saving one storage unit. Each tag stores its static identifier ($ID$), secret key $K_T$ and secret information $x$. The $ID$ is a static value and is thus stored in ROM. The remaining values (2 × 16 = 32 bits) are stored in rewritable memory because they need to be updated. We store a little more information on the server side, where hardware is much cheaper and storage is easy to implement.


Fig. 3 Comparison on communication cost (bar chart; x-axis: Protocols [20], [21], [36], [39], [37], Ours; y-axis: Comm Cost / bits; series: Tag-Reader, Reader-Server)

Fig. 4 Comparison on storage (bar chart; x-axis: Protocols [20], [21], [36], [39], [37], Ours; y-axis: Storage / l bits; series: Tag Storage, Server Storage)

Figure 4 shows the storage comparison with other RFID security and privacy protocols. The storage requirement is represented in units of l bits. Our proposed protocol needs less memory than the other protocols on both the tag side and the server side.

7 Evaluation

To validate our proposed protocol, in this section we develop several programs in C++ to simulate and compare our proposed protocol with existing work. They run on a laptop computer with an Intel (R) Core i3 Duo processor at 2.40 GHz and 1.86 GB of memory. The operating system is Windows 7 Ultimate. The purpose of our programs is to check the authentication delay at different scales of tags. To make the obtained results more exact, each result in our experiments is an average over 1,000 runs.

For each protocol implemented, we test the authentication delays when the number of tags changes from 10 to 10,000. These delays include the time consumed by the whole authentication protocol, from the sending of the challenge message to the end of the updating phase. The results are shown in Fig. 5. When the number of tags is small (less than 1,000), all the protocols have similar authentication delays. The performance of [36] is almost two times better than our work. However, it does not have a secret updating scheme, which is very important for avoiding attacks such as the desynchronization attack. The same situation applies to [39] as well. The performance of [20] is the worst, and it needs a security assumption on the channel, which cannot meet the requirement of the Gen-2 standard. We then focus on the remaining protocols. Compared with [21], our protocol is efficient for all the tested numbers, especially in the large-scale scenario, such as when the number is 10,000. The authentication delay can be improved by 20.59 % while keeping all the security and privacy properties provided in [21].

Fig. 5 Comparison on authentication delay (line chart; x-axis: The number of Tags, 0 to 10000; y-axis: Authentication Delay / ms; series: Our Proposed Protocol, [20], [21], [36], [39], [37])

In our experiments, we did not consider invalid or compromised tags, which may slow down the whole protocol. This part is also important, and we leave it as future work to enhance our test bed.

8 Conclusion and Future Work

An ultralightweight RFID authentication protocol is proposed in this paper to protect tag and reader privacy in the mobile environment. More importantly, our protocol fits the EPC Class-1 Gen-2 standard well, since we only use operations such as bitwise XOR and specially designed RNGs to achieve the required security and privacy properties. We use a GNY logic-based method to prove the security correctness of our protocol. Security and performance analysis show that our protocol does provide protection to tag and reader, and is practical as well.

In our future work, we will focus on optimizing our test bed and consider the collision problems of tags and readers.

Acknowledgments This work was supported by National Natural Science Foundation of China under Grant 61003300, Fundamental Research Funds for the Central Universities under Grant K5051201041, and China 111 Project under Grant B08038. The work of Dr. Hui Li was supported by the National Project 2012ZX03002003-002, 863 Project 2012AA013102, IRT1078 and NSFC 61170251.

References

1. Juels, A. (2006). Rfid security and privacy: A research survey. IEEE Journal on Selected Areas in Communications, 24(2), 381–394.

2. Berbain, C., Billet, O., Etrog, J., & Gilbert, H. (2009). An efficient forward private rfid protocol. In Proceedings of the 16th ACM conference on Computer and communications security, CCS '09, ACM, New York, NY, USA, pp. 43–53.

3. Das, R. (2008). Rfid market projections 2008–2018, IDTechEx.

4. Thornton, F., Haines, B., Das, A. M., Bhargava, H., & Campbell, A. (2006). RFID Security, Syngress.

5. Epcglobal, class-1 generation-2 uhf rfid protocol for communications at 860mhz-960mhz version 1.2.0, EPC Radio Frequency Identity Protocols, 2008.

6. Chen, Y., Chou, J.-S., & Sun, H.-M. (2008). A novel mutual authentication scheme based on quadratic residues for rfid systems. Computer Networks, 52(12), 2373–2380.

7. Juels, A., & Weis, S. A. (2005). Authenticating pervasive devices with human protocols. In Proceedings of the 25th annual international conference on Advances in Cryptology, CRYPTO'05, Springer, Berlin, pp. 293–308.

8. Batina, L., Guajardo, J., Kerins, T., Mentens, N., Tuyls, P., & Verbauwhede, I. (2006). An elliptic curve processor suitable for rfid-tags, [email protected] 13333 received 4 Jul 2006.

9. Avoine, G., Coisel, I., & Martin, T. (2012). A privacy-restoring mechanism for offline rfid systems. In Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, WISEC '12, ACM, New York, NY, USA, pp. 63–74.

10. Blum, M. (2001). Secure human identification protocols. In Asiacrypt (pp. 52–66). Springer.

11. Juels, A., & Weis, S. (2005). Authenticating pervasive devices with human protocols. In V. Shoup (Ed.), Advances in Cryptology - CRYPTO 2005 (Vol. 3621, pp. 293–308), Lecture Notes in Computer Science. Berlin / Heidelberg, RSA Laboratories, Bedford, MA, USA: Springer.

12. Bringer, J., Chabanne, H., & Emmanuelle, D. (2006). HB++: a Lightweight Authentication Protocol Secure against Some Attacks. In IEEE International Conference on Pervasive Services, Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing - SecPerU 2006, IEEE, IEEE Computer Society, Lyon, France.

13. Peris-Lopez, P., Hernandez-Castro, J. C., Estevez-Tapiador, J. M., & Ribagorda, A. (2006). LMAP: A Real Lightweight Mutual Authentication Protocol for Low-cost RFID tags. In Workshop on RFID Security - RFIDSec'06, Ecrypt, Graz, Austria.

14. Peris-Lopez, P., Hernandez-Castro, J. C., Estevez-Tapiador, J. M., & Ribagorda, A. (2006). EMAP: An Efficient Mutual Authentication Protocol for Low-Cost RFID Tags. In OTM Federated Conferences and Workshop: IS Workshop - IS'06, Vol. 4277 of Lecture Notes in Computer Science, Springer, Montpellier, France, pp. 352–361.

15. Peris-Lopez, P., Hernandez-Castro, J. C., Estevez-Tapiador, J. M., & Ribagorda, A. (2006). M2AP: A Minimalist Mutual-Authentication Protocol for Low-cost RFID Tags. In J. Ma, H. Jin, L. T. Yang, & J. J. P. Tsai (Eds.), International Conference on Ubiquitous Intelligence and Computing - UIC'06 (Vol. 4159, pp. 912–923), Lecture Notes in Computer Science. Wuhan and Three Gorges, China: Springer.

16. Piramuthu, S. (2006). Hb and related lightweight authentication protocols for secure rfid tag/reader authentication. In CollECTeR 2006.

17. Batina, L., Lee, Y., Seys, S., Singele, D., & Verbauwhede, I. (2012). Extending ecc-based rfid authentication protocols to privacy-preserving multi-party grouping proofs. Personal and Ubiquitous Computing, 16(3), 323–335.

18. Dimitriou, T. (2005). A lightweight rfid protocol to protect against traceability and cloning attacks. In Security and Privacy for Emerging Areas in Communications Networks, 2005. SecureComm 2005. First International Conference on, pp. 59–66.

19. Tsudik, G. (2007). A family of dunces: trivial rfid identification and authentication protocols. In Proceedings of the 7th international conference on Privacy enhancing technologies, PET'07 (pp. 45–61). Berlin: Springer.

20. Yeh, T.-C., Wu, C.-H., & Tseng, Y.-M. (2011). Improvement of the rfid authentication scheme based on quadratic residues. Computer Communications, 34(3), 337–341.

21. Doss, R., Sundaresan, S., & Zhou, W. (2013). A practical quadratic residues based scheme for authentication and privacy in mobile rfid systems. Ad Hoc Network, 11(1), 383–396.

22. Tian, Y., Chen, G., & Li, J. (2012). A new ultralightweight rfid authentication protocol with permutation. Communications Letters, IEEE, 16(5), 702–705.

23. Avoine, G., & Carpent, X. Yet another ultralightweight authentication protocol that is broken, IACR Cryptology ePrint Archive (2011) 691.

24. Shaohui, W., Zhijie, H., Sujuan, L., & Dan-wei, C. Security analysis of rapp an rfid authentication protocol based on permutation, IACR Cryptology ePrint Archive (2012) 327.

25. Ahmadian, Z., Salmasizadeh, M., & Aref, M. R. Desynchronization attack on rapp ultralightweight authentication protocol, IACR Cryptology ePrint Archive (2012) 490.

26. Avoine, G., Bingol, M., Carpent, X., & Yalcin, S. (2013). Privacy-friendly authentication in rfid systems: On sublinear protocols based on symmetric-key cryptography. IEEE Transactions on Mobile Computing, 12(10), 2037–2049.

27. Moriyama, D., Ohkubo, M., & Matsuo, S. (2013). A forward privacy model for rfid authentication protocols. In Information Security Theory and Practice. Security of Mobile and Cyber-Physical Systems, Vol. 7886 of Lecture Notes in Computer Science (pp. 98–111). Berlin: Springer.

28. Yang, A., Zhuang, Y., Wong, D., & Yang, G. (2013). A new unpredictability-based rfid privacy model. In Network and System Security, Vol. 7873 of Lecture Notes in Computer Science (pp. 479–492). Berlin: Springer.

29. Goldreich, O., Goldwasser, S., & Micali, S. (1986). How to construct pseudorandom functions. Journal of the ACM, 33(4), 792–807.

30. Niu, B., Zhu, X., & Li, H. (2013). An ultralightweight and privacy-preserving authentication protocol for mobile rfid systems. In IEEE WCNC.

31. Gong, L., Needham, R., & Yahalom, R. (1990). Reasoning about belief in cryptographic protocols. In Research in Security and Privacy, 1990. Proceedings., 1990 IEEE Computer Society Symposium on, pp. 234–248.

32. Burrows, M., Abadi, M., & Needham, R. (1990). A logic of authentication. ACM Transactions on Computer Systems, 8(1), 18–36.

33. Liu, A. X., & Bailey, L. A. (2009). Pap: A privacy and authentication protocol for passive rfid tags. Computer Communications, 32(7–10), 1194–1199.

34. Yeh, T.-C., Wang, Y.-J., Kuo, T.-C., & Wang, S.-S. (2010). Securing rfid systems conforming to epc class 1 generation 2 standard. Expert Systems with Applications, 37(12), 7678–7683.

35. Kulseng, L., Yu, Z., Wei, Y., & Guan, Y. (2010). Lightweight mutual authentication and ownership transfer for rfid systems. In INFOCOM, 2010 Proceedings IEEE, pp. 1–5.

36. Cho, J.-S., Yeo, S.-S., & Kim, S. K. (2011). Securing against brute-force attack: A hash-based rfid mutual authentication protocol using a secret value. Computer Communications, 34(3), 391–397.

37. An-Ta, L., Chang, H. K.-C., Yuan-Shiang, L., & Shen-Yi, W. The increase of rfid privacy and security with mutual authentication mechanism in supply chain management, International Journal of Electronic Business Management 10 (1).

38. Morshed, M., Atkins, A., & Yu, H. (2011). An efficient and secure authentication protocol for rfid systems. In Automation and Computing (ICAC), Conference on 2011 17th International, pp. 51–56.

39. Chang, Y.-F., Lin, S.-C., & Chang, P.-Y. (2011). A location-privacy-protected rfid authentication scheme. In Communications (ICC), 2011 IEEE International Conference on, pp. 1–4.

40. Hell, M., Johansson, T., & Meier, W. (2005). Grain - a stream cipher for constrained environments. estream, ecrypt stream cipher, Tech. rep., 2005/010, ECRYPT (European Network of Excellence for Cryptology).

Ben Niu received the B.E. and M.E. in the School of Telecommunications Engineering from Xidian University, China, in 2006 and 2010, respectively. He is currently a Ph.D. student in the School of Telecommunications Engineering at Xidian University. From 2011, he is with the Department of CSE, The Pennsylvania State University as a visiting Ph.D. student for two years. His research interests are security and privacy in mobile social networks, and RFID security protocols.


Xiaoyan Zhu received her B.E. in Information Engineering, her M.E. in Information and Communications Engineering, and a Ph.D. from the School of Telecommunications Engineering, all at Xidian University, Xi'an, China, in 2000, 2004 and 2009 respectively. She was a visiting research scholar in the Department of Electrical and Computer Engineering at University of Florida, Gainesville, USA from 2008 to 2010. She is currently an Associate Professor in the School of Telecommunications Engineering at Xidian University. Her research interests include wireless networks and network security.

Haotian Chi received the B.E. degree in the School of Telecommunications Engineering from Xidian University, China, in 2012. He is currently an MS student in the School of Telecommunications Engineering of Xidian University. His research interests are security and privacy in mobile social networks and the privacy of RFID.

Hui Li received the B.Sc. degree from Fudan University in 1990, and M.Sc. and Ph.D. degrees from Xidian University in 1993 and 1998. In 2009, he was with the Department of ECE, University of Waterloo as a visiting scholar. Since 2005, he has been a professor in the School of Telecommunications Engineering, Xidian University, China. He is now the vice dean of the School of Telecommunications Engineering. His research interests are in the areas of cryptography, wireless network security, information theory and network coding. He is the co-author of two books. He served as TPC co-chair of ISPEC 2009 and IAS 2009, and general co-chair of E-Forensic 2010, ProvSec 2011 and ISC 2011.
