1 Introduction

IoT contains various devices like tag, sensor, reader, smart card, actuator. According to Garner’s report [1], there are 8.4 billion IoT devices connected to the internet in 2017, and it will grow up to 20.4 billion devices in 2020. These large numbers of devices require a massive amount of power. Hence, the researcher develops various lightweight schemes for these IoT devices. IoT scheme can be applied in many domains such as smart transportation [2], smart grid [3], smart city [4], smart house [5], logistics [6]. However, there are many security issues in terms of authentication, authorization, and privacy [7].

In cryptography, there are various cryptography schemes concerns to IoT that divides into two parts, namely public key cryptography and symmetric key cryptography. Public key cryptography schemes consists of various traditional scheme like RSA, Diffie–Hellman key exchange, Elgamal. However, these schemes require lots of computational capacity and power. An elliptic curve introduces to eliminate these problems that provide less power and fewer communication steps. Symmetric key cryptographic schemes use simple bitwise operation (XOR, OR, AND, rotate), cyclic redundancy checksum, and symmetric encryption. Symmetric key cryptography schemes require less power and communication steps than public-key cryptography.

The radio frequency identification [8] uses to detect the location of devices in communication networks. There are two components in the RFID system, i.e., tags and reader. The tag store identification information (ID), shared key, and other essential information in his memory. There are various tags in an RFID system, such as passive tags, active tags, and semi-passive tags. The passive tags use for lifetime application and having short communication range applications. The passive tags contain no power battery, but it receives power from an electromagnetic field from the reader. Hence, the passive tag can compute simple bitwise operation, i.e., AND, OR, XOR. The active tag receives power from the battery. Hence, the active tags use for large sensing range applications. Generally, the active tags contain power supply last up to 3–4 years. The active tag can compute symmetric or asymmetric operations like the elliptic curve, recursive checksum. The semi-passive tag consists of a small battery supply. The semi-passive tag outside the range of the reader, it receives power from the battery supply. However, the tag inside the reader’s range receives power using the electromagnetic field similar to passive tag.

In RFID security, there are various classes of tags in the RFID system, such as full-fledged, simple, light-weight, and ultra-lightweight classes. The full-fledged class tag can be capable of computing computational costly operations. However, these tags require massive power and computation capacity than other types of tags. Hence, these tags are incredibly costly. The simple class tag capable of computing much lesser computational and power than full-fledged class. The lightweight tag can compute the elliptic curve, hash function. These types of tags are economical in the cost. The ultra-lightweight class consists of simple bitwise operations like OR, XOR, AND, Rot. These class tags require very less computational capacity. Figure 1 shows a general overview of RFID architecture. RFID tags contain a limited amount of power and low computational capacity. Hence, the researcher suggests various lightweight or ultra-lightweight algorithms for computing the authentication.

Fig. 1
figure 1

General overview of RFID architecture

Full size image

1.1 Our contribution

This paper creates a new ultra-lightweight authentication scheme for RFID. This scheme comprises of three different phases: tag identification phase, mutual authentication phase, and pseudonyms and key updating phase. This scheme uses Rot operation, “MIX” function, and XOR operation to computes mutual authentication. This paper consists of five sections: the second section involves various existing schemes for mutual authentication for the RFID system. The third section describes the proposed scheme for the RFID system. The fourth section consists of the security and performance analysis of the proposed scheme. The last section includes the overall conclusion of the entire paper

2 Literature review

Chien et al. [9] proposed an authentication scheme for RFID passive tag named as SASI. This scheme uses \(\oplus\), +, ROT, OR, AND operation during mutual authentication. The researcher found that SASI scheme cannot provide security against various attacks such as de-synchronization attack, disclosure attack, and tracking attack [10, 11]. After that, Peris-Lopez et al. [12] proposed an authentication scheme for RFID system and named as Gossamer. This scheme uses \(\oplus\), +, AND, MIXBIT, and Rot operations. This scheme address limitation of the SASI scheme using a double rotate function and MIXBIT function. The author uses MIXBIT operation to defend against desynchronization attack. In MIXBIT function consists of addition operation and bitwise right shift operation that is lightweight and easily implements in hardware. However, this scheme provides a low throughput. Later on, Bilal et al. [13] found a desynchronization attack possible on the Gossamer scheme.

He et al. [14] proposed an authentication scheme for the RFID system with an ID verifier transfer protocol. This scheme requires 1440 bits + 480w bits of storage capacity for the server, and tag required 1760 bits of storage capacity. Hence, the total storage requirements of the RFID system is 3200 and 480w bits during the authentication process. RAPP [15] uses XOR, AND, OR, ROT, and Per operations, where Per operation defines as permutation operation. The author suggested that the Per operation is used to improve the security of authentication protocol. This scheme provides resistance from various security flaws such as disclosure attack, tracking, replay attack. Ahmadian [16] performs desynchronization attack on RAPP protocol. Then, Chien et al. [17] proposed a lightweight scheme for RFID in which he uses the elliptic curve and hash function during process of mutual authentication. However, this scheme cannot provide security against various attacks such as tracking, cloning, and replay attacks. Tewari et al. [18] proposed an ultra-lightweight authentication protocol in which it uses Rot and XoR operators to defend against the desynchronization attack. However, Safkhani et al. [19] performs secret disclosure attack on Tiwari and Guptascheme [18].

3 Proposed scheme

Figure 2 shows propose ultra-lightweight authentication scheme for passive RFID tag. In this scheme, there are three different phases to authentication between tag and reader, such as tag identification phase, mutual authentication phase, and pseudo-random and key updating phase. Table 1 represent various notation uses in this paper.

3.1 Tag identification

In this phase, the tag enters in communication range of a reader, then it receives “hello” packet from a reader, and the tag sends its pseudonyms ID (IDS) to the reader.

Table 1 Notation used in this paper
Full size table

3.2 Mutual authentication phase

  1. 1.

    After receiving IDS, the reader validates IDS with stored \(IDS_{new}\). If it matches with \(IDS_{new}\), then the reader computes A, B from \(K_{new}\) and random number, where A and B compute according to the Eqs. (1) and (2). After that, the reader transmits message packets A and B to the tag.

    $$\begin{aligned} A= & {} Rot (n \oplus K, K) \end{aligned}$$
    (1)
    $$\begin{aligned} B= & {} Rot (n_{1} \oplus MIX (n'_{1}, K) , n_{1} \oplus n'_{1} \oplus K) \end{aligned}$$
    (2)

    where \(n_{1}\), \(n{'}\), and \(n_{1^{'}}\) defined in Eqs. (3), (4) and (5) respectively

    $$\begin{aligned} n_{1}= & {} ROT(n, n \oplus n') \end{aligned}$$
    (3)
    $$\begin{aligned} n'= & {} MIX(n, K) \end{aligned}$$
    (4)
    $$\begin{aligned} n'_{1}= & {} Rot(n' \oplus n_{1}, K \oplus n_{1}) \end{aligned}$$
    (5)
  2. 2.

    If the reader cannot validate with \(IDS_{new}\), then the reader match IDS with \(IDS_{old}\), if it matches with \(IDS_{old}\), then the reader computes A, B from \(K_{old}\) and a random number in (1) and (2). If both \(IDS_{new}\) and \(IDS_{old}\) do not match with IDS, then the reader terminates the current authentication session.

  3. 3.

    After receiving message packets A and B from the reader, the tag computes n from A as Eq. (6):

    $$\begin{aligned} n = K \oplus Rot^{-1} (A, K) \end{aligned}$$
    (6)

    Then, the tag validating the reader by computing B1 from n and K. If the tag cannot validate the reader, then tag terminates the session. Otherwise, the tag computes C from Eq. (7) and sends back to the reader.

    $$\begin{aligned} C= & {} Rot (B\oplus n_{1}\oplus MIX(n'_{1},n_{1}\oplus K), \nonumber \\&\quad MIX(ID \oplus n_{1},K)) \end{aligned}$$
    (7)
  4. 4.

    After receiving C from the tag, the reader computes C\('\) and matches with C. After the successful validation, the reader verifies the tag and mutual authentication takes place.

Fig. 2
figure 2

Proposed authentication scheme for RFID system

Full size image

3.3 Pseudonyms and key updating phase

In this phase, After successful mutual authentication, both devices updates its key and IDS as Eqs. (8) and (9).

$$\begin{aligned} IDS_{new}= & {} IDS_{old} \oplus MIX (n'_{1}, K) \oplus n_{1} \end{aligned}$$
(8)
$$\begin{aligned} K_{new}= & {} K_{old} \oplus MIX (n_{1} \oplus n'_{1}, K) \oplus n'_{1} \end{aligned}$$
(9)

MIX Function: To computes MIX (X, K) function, there consists of two phases such as:

  1. 1.

    In the first phase, X\('\) is calculated such as X is left shift by a hamming distance of seed, where seed is calculated as X \(\oplus\) K.

  2. 2.

    In the second phase, XOR the X and X\('\) to compute the MIX(X, K). The Eq. (10) describe the mathematically formula of the MIX function.

    $$\begin{aligned} MIX(X, K) = X \oplus Rot(X, X \oplus K) \end{aligned}$$
    (10)

4 Security analysis

The paper analyzes this scheme in terms of functionality of protocol i.e., confidentiality, integrity, and mutual authentication.

4.1 Confidentiality

The shared key “K” and random number “n” is used to generate message packets A, B, C as represent in Eqs. (1), (2), (7). However, the shared key is stored in both the tag and reader and it cannot transmit over the communication channel. Also, the shared key (K) and IDS updating using random number “n” after every successful authentication. Therefore, it is difficult for an adversary to guess shared key (K) between tag and reader using eavesdrop message packets. Hence, this scheme provides data confidentiality.

4.2 Integrity

The transmitted packets A, B, C between tag and reader generate using the shared key K. However, the adversary eavesdrops message packets between communication networks. The adversary modifies these message packets A, or B. Hence, if the adversary modifies message packet A, and message packet B remain the same. Then, the adversary transmits A’, B message packet to the tag, where A’ is modifies message packet of A. The tag computes random number “\(n_{change}\)” from Eq. (11).

$$\begin{aligned} n_{change} = Rot (A', K) \oplus K \end{aligned}$$
(11)

Therefore, the random number generated by the tag is different from the actual. After that the tag computes B from Eq. (2) with modify random number \(n_{change}\). Due to this, the modify value of message packet B obtained as shown in Eq. (12)

$$\begin{aligned} B_{change}= & {} Rot(n_{1change}\oplus MIX (n'_{1change},K), \nonumber \\&\quad n_{1change}\oplus n'_{1change}\oplus K) \end{aligned}$$
(12)

The \(n'_{change}\), \(n_{1change}\) and \(n'_{1change}\) computed from Eqs. (13)–(15)

$$\begin{aligned} n'_{change}= & {} MIX(n_{change}, K) \end{aligned}$$
(13)
$$\begin{aligned} n_{1change}= & {} ROT(n_{change}, n_{change} \oplus n'_{change}) \end{aligned}$$
(14)
$$\begin{aligned} n'_{1change}= & {} Rot(n'_{change} \oplus n_{1change}, K \oplus n_{1}) \end{aligned}$$
(15)

Hence, the tag computes \(B_{change}\) that is different from B. Similarly, if adversary change message packet “B” and message packet “A” remain the same. Then also, the tag computes B’ that is also different from the original value. In both cases, the tag cannot verify alter message packets and terminates authentication sessions. So, this scheme provides the integrity of the message.

4.3 Mutual authentication

In mutual authentication, both genuine tag and reader authenticate each other. In this protocol, the tag or reader authenticates messages using shared key \(K_{old}\) or \(K_{new}\), which generates only by the genuine reader or tag. The shared key cannot transmit over an insecure channel. Therefore, the adversary cannot compute a shared key using eavesdropping messages. Also, the tag validates the reader using the packet B and reader validates the tag using packet c. In both of the case, the message packet generates using the random number and shared key. Hence, this protocol ensures mutual authentication between RFID devices.

4.4 Resistance from replay attack

In the replay attack, the attacker eavesdrops original packets communicating between RFID devices. Then, the attacker uses these packets to unauthorized access to a communication network. In the proposed scheme, Key and IDS update after the successful mutual authentication. Therefore, the adversary tries to use old genuine packets, the tag tries to verify these packets with new IDS and new shared key. Hence, it discards these modifies packet. Thus, the attacker cannot able to unauthorized access using eavesdrops genuine packet. Therefore, this scheme provides security against a replay attack.

4.5 Resistance from disclosure attack

In the disclosure attack, the adversary guesses secret information such as shared key or identity (ID) of the tag. There are two types of disclosure attacks: full disclosure attack, identity disclosure attack. In full disclosure attack, the adversary computes all stored information of the tag. In an identity disclosure attack, the adversary computes only identity (ID) of the tag. The adversary cannot guess shared key or other information from eavesdropping values A, B, C, IDS. Also, the combination of T operation (XOR, OR, AND operation) causes a tango attack. The scheme uses only rot and XOR function. So, a tango attack is not possible in this scheme. Hence, this scheme provides resistance from disclosure attacks.

4.6 Resistance from desynchronization attack

In the desynchronization attack, the adversary could disturb synchronization between tag and reader. To perform the desynchronization attack, the adversary eavesdrops “hello”, IDS, A, B, C packets between communication channels. Then, the adversary modifies a single bit of A, ands then try to modify B up to when tag validates the reader. In this protocol, a single bit change in bit A, there will be a different value of B, and tag cannot verify the reader. Hence, this protocol provides security against a desynchronization attack.

Table 2 Analysis of various authentication schemes for RFID
Full size table

4.7 Resistance from tracking attack

In tracking attack, the adversary finds the correct ID of the tag. The adversary can guess the correct tag ID if the adversary gives various tag ID of an RFID system. The primary focus of the adversary finds the correct ID of the tag. Juel and weis [21] proposed a model for tracking attack.

4.7.1 Juel and Weis model [21]

This model consists of “n” number of tags and a reader. This model is a challenge-response model in which the adversary modifies pseudonym number and shared key after the execution of the challenge-response model. This model consists of four types of queries that the adversary can use to perform tracking attacks such as execute query, send query, corrupt query, and test query.

  • Execute query: In this execute query, the attacker eavesdrops packets between the tag (T) and reader (R) at session i.

  • Send query: The adversary impersonates party \(P_{1}\), where \(P_{1}\) maybe tag or reader in ith session and sends message m to another party \(P_{2}\).

  • Corrupt query: It is a SetKey query in which the adversary assign a new arbitrary shared key to tag.

  • Test query: The adversary is given randomly \(ID_{b1}\), where b1 belongs {0, 1} from \(ID_{0}\) and \(ID_{1}\), if the adversary guesses correct tag \(ID_{b1}\), then the adversary succeeds.

There are three phases to compute the identity of the tag, namely the learning phase, challenges phase, and guessing phase.

  1. 1.

    In the first phase, the adversary performs execute query to eavesdrop message packet between tag and reader.

  2. 2.

    The second phase, the challenger given two tags \(t_{1}\) and \(t_{2}\) with \(ID_{1}\) and \(ID_{2}\) to the adversary.

  3. 3.

    The third phase consists of guessing phase, the adversary guesses tag, and output is bit b1\('\) of the bit b1.

    $$\begin{aligned} Adv_{A}^{UNT}(k)= & {} |Pr[A_{wins}] - Pr[random\;coin\,flip]| \nonumber \\ Adv_{A}^{UNT}(k)= & {} |Pr[A_{wins}] - 1/2| \end{aligned}$$
    (16)

In this challenges-Response model, the adversary wins the game if \(Adv_{A}^{UNT}(k)\) > \(\in (k)\), where k is security parameter. In this scheme, the adversary can compute ID of the tag using message packets C as Eq. (7). Then, the probability of guessing correct identity of the tag:

$$\begin{aligned} Adv_{A}^{UNT}(k) = |[C' == C] - 1/2 | = |1/2 - 1/2| = 0 \end{aligned}$$
(17)

The advantage of the adversary to compute the identity of a tag is zero. So, the adversary cannot be able to compute the ID of the tag. Hence, this scheme provides security against the tracking attack.

5 Result and comparison

This section analyzes this scheme in terms of communication and storage costs with existing schemes. The MIX function uses XOR and ROT operations. This scheme analyzes in terms of storage cost, the communication cost of the tag for mutual authentication. The scheme uses XOR and ROT operation to mutual authenticate between tag and reader. The tag size 96-bit uses in the protocol. Each tag stores 96 bit length values i.e. \(IDS_{Old}\), \(IDS_{new}\), \(K_{new}\), \(K_{old}\), and ID. Therefore, the storage cost of the tag is 5L = 5 \(\times\) 96 = 480 bits. During mutual authentication IDS, A, B, C message packets communicate between tag and reader. Hence, the communication cost for mutual authentication of scheme is 4L = 4 \(\times\) 96 = 384 bits, Where L = 96, which is less than EMAP, RAPP. The tag transmits IDS, C message packets during authentication. So, the tag’s communication cost in the scheme is 2L = 2 \(\times\) 96 = 128 bits. The Table 2 shows the comparison of the various schemes like EMAP, LMAP, SASI, Gossamer, RAPP, Tewari et al. schemes with this scheme.

5.1 Limitation of the study

However, the attacker may transmit a large number of unauthorized message packets to the tag. After that, the tag tries validating these large number of message packets. Thus, the tag cannot be available to the legitimate user during this process. Therefore, the denial of service attack can be possible for this authentication scheme. Hence, it is also essential to develop a more secure authentication scheme for the RFID system.

6 Conclusion and future scope

In an RFID system, a passive tag consists of low power capacity. Hence, this paper proposed an ultra-lightweight mutual authentication scheme for a passive tag that uses XOR, ROT, and MIX operation to mutual authenticate between tag and reader. This scheme provides low communication and low memory for the passive tag. In the scheme, the “MIX” function uses to enhance the security of the protocol. The “MIX” function provides irreversibly and low complexity. This scheme requires small memory capacity and less communication between tag and reader. This scheme provides security against various attacks such as tracking, replay, disclosure, and desynchronization attack. Furthermore, it is developing a more secure authentication scheme with low power consumption and less computational cost.