Introduction

The technology sector has seen a significant evolution in the last few decades. It has become a necessary tool in our everyday life. The Internet of Things (IoT), one of the recent technologies, has continuously improved and attracted the attention of many authors. IoT has various applications, including smart house, smart transportation, smart grid, smart cities, and healthcare. So, the number of connected devices is growing day after day. The Internet of Things provides an extensive infrastructure for communication between all connected objects [1,2,3,4]. These interconnected elements might be all digital devices, including laptops, domestic equipment, detectors, TVs, surveillance cameras, etc. The communication between them is assured by the Internet to keep them globally operational at all times. This model envisages the integration and simplification of various systems or networks such as sensor networks, smart cities, smart grids and, last but not least, the radio-frequency identification system (RFID). Due to its importance in smart applications, IoT has shown an exponential growth over the latest years. The security of these applications is an emerging and active area of research [5]. Data transmission between two devices can be made secure using conventional security techniques. However, since IoT devices are insufficiently resourced, the issue of communication between IoT devices is one of the main challenges to be faced today. RFID is a very exciting future technology which is designed to provide the ability to interconnect billions of different objects. It is widely used in various fields of industry to efficiently identify objects. Thanks to the numerous benefits of this new technology, such as its lower cost and higher speed, various organizations are interested in it and its scope of application is gradually widening.

In general, RFID-based applications include healthcare, e-passports, smart agriculture, pharmaceuticals, smart meters, etc. The RFID system includes RFID tags, RFID readers, and a database server. The reader device is an RFID interrogator that allows the identification of tags. The tags, in turn, are transponders with different serial codes that the readers scan and handle. Figure 1 illustrates the components of an RFID system. In an RFID network, the tag encrypts its unique identification data and then transfers the value to the reader. After reception, the reader is able to validate the collected information and the identity of the tag using the material accessible to the central server. On the other hand, several attacks can affect RFID systems, especially the communication between the reader and the tag. Common attacks on RFID systems include spoofing attacks, tracking attacks, and denial of service attacks. Security will therefore be one of the most important challenges of this technology. This issue can be addressed through various solutions such as intrusion detection [6,7,8,9,10,11,12], encryption systems, digital signatures, etc. However, the authentication protocol is still the most used one. Therefore, the IoT requires a safe and consistent RFID authentication system. Many RFID authentication schemes are built upon either hash functions or symmetric encryption [13,14,15,16].

Fig. 1 The main components of an RFID system

Recently, RFID authentication protocols based on elliptic curve cryptography (ECC) have been widely employed to effectively address privacy and security challenges in IoT applications [17,18,19,20]. Based on its excellent capacity and low key size specifications, ECC is an attractive solution for RFID authentication protocol. In this context, this research aims to propose an efficient RFID authentication protocol that can improve security through the use of ECC.

Contributions in this Paper

The key contributions in the current paper include:

  • Proposal of a new RFID authentication protocol to enhance security in the IoT environment.

  • Adoption of the ECC-based approach for providing the necessary security attributes like: confidentiality, integrity, mutual authentication, anonymity, and availability.

  • Development of the comparative study between our scheme and the existing protocol.

  • Evaluation of the performance of the proposed scheme using the AVISPA tool.

Paper’s Structure

The rest of this paper is organized as follows. In the “Related Works” section, some recent RFID authentication techniques based on ECC are reviewed. In the “Background Information” section, the preliminaries of ECC are discussed. In the fourth section, the proposed scheme is described in detail. Thereafter, the informal and formal validation of our protocol are discussed in the fifth section. Finally, the conclusion and future work are included in the last section.

Related Works

To guarantee a strong and secure authentication service for IoT objects, various authentication protocols have been proposed in the literature over recent years. Those protocols are suggested for different critical domains such as healthcare, smart cities, smart grids, Industry 4.0, etc. [21,22,23]. Nevertheless, all the proposed schemes still suffer from many limitations and challenges. Moreover, few researchers have explicitly addressed authentication schemes that support RFID systems and the related security issues.

In 2018, Alireza Radan et al. [24] proposed an efficient authentication protocol for RFID tags in the IoT environment. This protocol is able to reduce the computational complexity in backend server. In the same year, similar research was carried out by Alamr et al. [25]. Hence, authors have introduced an RFID mutual authentication protocol using the elliptic curve Diffie–Hellman key agreement to achieve required security services in the IoT. Then, they demonstrated that their proposed protocol can defend against various security attacks. Nevertheless, this scheme is not scalable and can satisfy only one tag. One year later, Mansoor et al. [13] suggested a lightweight authentication protocol based on RFID technology to ensure protection of IoT against the attacks like: Collision Attack, Denial-of-service (DoS), and Stolen verifier Attacks. To prove the message freshness property and security of the session key, authors have analyzed the proposed protocol using both BAN logic and ProVerif. They showed that their protocol is more efficient in terms of the security and the computation complexity compared with the related protocols.

In 2020, Naeem et al. [26] proposed an enhanced ECC-based protocol to address the problems found in Alamr et al.’s protocol. Subsequently, the authors prove that their proposal is considered secure and robust. Moreover, this protocol can be deployed regardless of the IoT environment. In addition, the suggested protocol securely provides mutual authentication between the RFID tag and the server. Nonetheless, this scheme cannot guarantee the confidentiality of the data when they are transferred. In the same year, Khan et al. [27] designed a secure framework based on ECC for authentication and encryption in IoT-based medical sensors. This protocol can combine biometric parameters and user credentials. The presented scheme is based on two types of encryption: Substitution-Caesar encryption and improved ECC. Hence, to achieve better security of the system, the protocol generates an additional secret key.

In 2021, Gasbi et al. [28] used ECC to propose a new RFID authentication protocol. The proposed scheme is designed to address the security requirements of the previous authentication schemes and to guarantee data confidentiality and privacy. This scheme is suited to a reader-to-reader communication environment. However, the scheme is not suitable for cloud environments and it might suffer from scalability problems. Also in this year, Izza et al. [29] suggested another RFID authentication scheme using ECC for Wireless Body Area Networks. The authors adopted the ECC encryption mechanism and ECC digital signature together with message recovery for mutual authentication of medical server tag.

In 2022, Noori et al. [30] recommended a novel RFID authentication scheme. This protocol is implemented to guarantee mutual authentication for RFID technologies in IoT systems. The authors then proved that the proposed scheme has lower computational costs, lower communication costs, and less ECC point multiplication time as compared with other related authentication schemes. Besides, based on the properties of the ultralight authentication protocol, Gao and Lu [31] proposed an efficient and reliable mutual authentication process based solely on bitwise operations, including XOR and the left circular rotation operation. Cryptanalysis reveals that the proposed protocol can prevent multiple known attacks and offers better security performance than other existing ultralight protocols. In the same year, Meher et al. [32] developed a system that requires no public/private key pairs. They simply use the Elliptic Curve Discrete Logarithm Problem (ECDLP) property to implement this scheme on secure elliptic curves. This system is essentially designed for the efficient implementation of authentication systems in warehouse management systems (WMS), whose data are stored on local servers. The new idea helps to reduce memory space in tags and on the server. Compared with other methods, calculation costs are also considerably reduced.

Later, in 2023, Lee et al. [33] published a new lightweight cloud computing-based RFID authentication protocol using PUF for e-healthcare. The aim of this research is to develop an authentication key agreement protocol suitable for electronic healthcare systems, with a view to overcoming the difficulties associated with lean operation and promoting security by adopting a physical unclonable function (PUF). Since PUFs exploit the uniqueness and randomness of their circuits for computational purposes, the fingerprints of messages act as authentication keys. The PUF is a lightweight tool, suitable for resource-constrained virtual health services. The proposed protocol meets more security criteria than existing authentication protocols, requires fewer computing resources and is more efficient. Moreover, Maurya and Bagchi [34] proposed an authentication method based on quadratic residues applied to the Radio-Frequency Identification (RFID) system. It uses the square-root characteristics of the quadratic residue to prevent current potential attacks. Formal and informal security analyses carried out on the proposed scheme indicate that it is capable of coping with several types of attack. In addition, BAN logic and the Scyther program were used for simulation purposes. Their results show that the proposed device can withstand all forms of potential attack. A performance evaluation reveals that the proposed scheme is highly effective in the face of resource constraints.

From the above brief review of recently proposed authentication protocols for RFID in the IoT context, we can notice that there is a need to decrease the computational costs of addressing the key RFID security questions. Accordingly, in the forthcoming section, we present a new RFID authentication protocol with an enhanced security level based on ECC.

Background Information

ECC is an asymmetric cryptographic approach based on elliptic curves over finite fields. Elliptic curves are mostly defined over two kinds of finite fields: the prime field \({\mathbb{F}}_{p}\), where p is a prime, and the binary field \({\mathbb{F}}_{{2}^{m}}\), where m is a positive integer [35]. Elliptic curves are used in several cryptosystems, such as key exchange protocols, encryption algorithms, and authentication protocols. In this paper, we introduce an RFID authentication scheme that exploits the performance of ECC. The suggested protocol’s security is assured by the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP).

Mathematical Basics of Elliptic Curve

An elliptic curve E over a field \({\mathbb{F}}_{p}\) is defined by an equation of the form:

$$y^{2}=x^{3}+ax+b \pmod{p}, \tag{1}$$

where a and b are two integers satisfying the following condition:

$$4a^{3}+27b^{2} \not\equiv 0 \pmod{p}. \tag{2}$$

An elliptic curve E over \({\mathbb{F}}_{p}\) consists of the points defined by Eqs. (1) and (2), along with an additional point called Ω (point at infinity) in EC.

  • Group law: Let E be an elliptic curve defined over the field \({\mathbb{F}}_{p}\). To add two points in \(E({\mathbb{F}}_{p})\), we apply a “chord-and-tangent” rule. The resulting point lies on the elliptic curve. The set of points on the curve forms an abelian group under this internal composition law (i.e., the additive operation) [36].

  • Scalar multiplication: ECC adopts some fundamental operations on an elliptic curve, which include point doubling and adding operations. Scalar multiplication is a combination of addition operations. For computing kP, we repeat the addition operation k times. Figure 2 shows an example of the scalar multiplication operation.

Fig. 2 Addition and doubling operations on an elliptic curve

The addition of two points \(P=(x_{1},y_{1})\) and \(Q=(x_{2},y_{2})\), \(P+Q=R(x_{3},y_{3})\), over an elliptic group is given by Eq. (3):

$$\left\{\begin{array}{l}{x}_{3}={t}^{2}-{x}_{1}-{x}_{2}\\ {y}_{3}=t\left({x}_{1}-{x}_{3}\right)-{y}_{1},\end{array}\right. \tag{3}$$

where

$$t= \left\{\begin{array}{lll} \frac{{y}_{2}-{y}_{1}}{{x}_{2}-{x}_{1}},& {\mathrm{if}} & P\ne Q \\ \frac{ 3{x}_{1}^{2}+a}{2{y}_{1}}, & {\mathrm{if}} & P=Q.\end{array}\right.$$

The security of an ECC cryptosystem depends on the hardness of discrete logarithm problem over the points on the elliptic curve. ECDLP states that given a base point P and a point Q = kP lying on the curve, it is hard to determine k.

Proposed Authentication Protocol

Currently, ECC is extensively employed by various types of digital cryptosystems, namely, those that impose stringent requirements on power consumption, memory capacity, computational cost, etc. In this paper, we focus on the requirements of new cryptographic methods, such as the security level and the cost-effectiveness of the proposed device. Thus, our main objective is to design an efficient ECC-based authentication protocol to enhance the security of radio-frequency identification (RFID) systems. In addition, the protocol can withstand common RFID attacks, such as replay, tracking, denial of service, etc. The architecture of our protocol is shown in Fig. 2. The authentication procedure consists of two steps: the initialization process and the authentication process. Some notations related to the proposed system are explained in Table 1.

Table 1 Used notations and their descriptions

Initialization Process

In the first step, a few public parameters are generated: an appropriate elliptic curve E over the finite field \({\mathbb{F}}_{p}\) and the base point P, which has the highest order n such that nP = Ω. The process is as follows:

  • Generate the domain parameters for the RFID system, D = (p; \({\mathbb{F}}_{p}\); a; b; P; n).

  • Generate the private and public keys of the tag (t; \({P}_{t}\)), its identity \({T}_{id}\), and its pseudonym \({T}_{np}\).

  • Generate the server’s private and public keys (s; \({P}_{s}\)).

When this phase is complete, the server saves both its private and public keys and the tag's identity information in the database. Meanwhile, the tag retains its private key, identity information and the server's public key in its memory.

Authentication Process

Figure 3 shows the authentication process, and the detailed steps are discussed here.

  • Step 1: Initially, the server randomly selects a point \(K({k}_{1},{k}_{2})\) on the elliptic curve and computes \({R}_{1}={k}_{1}P\). Then, it transmits to the tag an authentication request that contains \({R}_{1}\).

  • Step 2: Upon receiving the server’s authentication request and \({R}_{1}\), the tag randomly picks an integer \({r}_{1}\) and computes the point \(PT={r}_{1}{R}_{1}=({x}_{T},{y}_{T})\) and \({R}_{2}={r}_{1}P\). After this, the tag calculates two parameters \({X}_{1}=XoR({T}_{id},{x}_{T})\) and \({X}_{2}=h({T}_{np}\| {y}_{T})\). Finally, it sends the message \(({R}_{2},{X}_{1},{X}_{2})\) to the server.

  • Step 3: Once the server has received this message, it uses the x-coordinate of the secret key K to compute \({k}_{1}{R}_{2}=({x}_{T},{y}_{T})\), then derives \({T}_{id}^{\prime}=XoR({x}_{T},{X}_{1})\) and \({T}_{np}^{\prime}=h({y}_{T}\| {X}_{2})\). After this, the server searches the database for the matching tag identifier \({T}_{id}^{\prime}\). If it exists, the server retrieves \({T}_{np}\); otherwise, the process is stopped. Next, the server checks whether \({T}_{np}\stackrel{?}{=}{T}_{np}^{\prime}\). If the check passes, the tag is successfully authenticated; otherwise, the server stops the communication. After a successful authentication, the server calculates \({r}_{2}={x}_{T}\ \mathrm{mod}\ n\), \(PS=s{r}_{2}{P}_{t}\) and \({R}_{3}=h({T}_{id}^{\prime}\| {r}_{2}\| {T}_{np}^{\prime})\). Then, it sends \((PS,{R}_{3})\) to the tag.

  • Step 4: Upon receiving the server’s response, the tag calculates the same secret \({r}_{3}={x}_{T}\ \mathrm{mod}\ n\) and computes \({R}_{4}=h({T}_{id}\| {r}_{3}\| {T}_{np})\). Hence, it is able to check the server’s authenticity by verifying \(PS\stackrel{?}{=}t{r}_{3}{P}_{s}\) and \({R}_{4}\stackrel{?}{=}{R}_{3}\). If the check is valid, the server’s authentication is achieved. Otherwise, the authentication fails.

Fig. 3 Proposed authentication protocol
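Steps 1 to 4 run end to end, as an added Python example (not the authors' code), including what happens when the tag's message is altered in transit or the tag holds the wrong server public key. Assumptions: secp256k1 as the curve, SHA-256 over fixed-width fields as h, \({k}_{1}\) drawn directly as a random scalar rather than as the x-coordinate of a random point K, and the server's \({T}_{np}\) check implemented by recomputing \(h({T}_{np}\| {y}_{T})\) from the stored pseudonym and comparing it with \({X}_{2}\), since a hash output cannot be inverted; the on-curve checks and the names `setup`, `session` and `tamper` are also additions.

```python
import hashlib
import hmac
import secrets

# Domain parameters D = (p, a, b, P, n). secp256k1 is an assumption of this
# example; the paper does not name a curve.
p = 2**256 - 2**32 - 977
a, b = 0, 7
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def add(Q, R):
    """Chord-and-tangent point addition; None is the point at infinity."""
    if Q is None or R is None:
        return R if Q is None else Q
    (x1, y1), (x2, y2) = Q, R
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if Q == R:
        t = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        t = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (t * t - x1 - x2) % p
    return x3, (t * (x1 - x3) - y1) % p

def mul(k, Q):
    """Scalar multiplication kQ by double-and-add (not constant time)."""
    R = None
    while k:
        if k & 1:
            R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def on_curve(Q):
    """Reject the point at infinity and points that do not satisfy Eq. (1)."""
    return Q is not None and (Q[1] ** 2 - Q[0] ** 3 - a * Q[0] - b) % p == 0

def h(*fields):
    """h(.) as SHA-256 over 32-byte big-endian fields (encoding assumed)."""
    return hashlib.sha256(b"".join(f.to_bytes(32, "big") for f in fields)).digest()

def keygen():
    d = secrets.randbelow(n - 1) + 1
    return d, mul(d, P)

def setup():
    """Initialization: server keys (s, Ps), tag keys (t, Pt), T_id, T_np."""
    s, Ps = keygen()
    t, Pt = keygen()
    tid, tnp = secrets.randbits(128), secrets.randbits(128)
    tag = {"t": t, "id": tid, "np": tnp, "Ps": Ps}
    server = {"s": s, "db": {tid: {"np": tnp, "Pt": Pt}}}
    return tag, server

def session(tag, server, tamper=lambda m: m):
    """Steps 1-4. Returns (tag_ok, server_ok, message seen on the air)."""
    k1 = secrets.randbelow(n - 1) + 1          # Step 1: server nonce (scalar)
    R1 = mul(k1, P)
    if not on_curve(R1):                       # Step 2: tag validates R1
        return False, False, None
    r1 = secrets.randbelow(n - 1) + 1
    xT, yT = mul(r1, R1)                       # PT = r1*R1
    msg = tamper((mul(r1, P), tag["id"] ^ xT, h(tag["np"], yT)))
    R2, X1, X2 = msg                           # Step 3: server side
    if not on_curve(R2):
        return False, False, msg
    xS, yS = mul(k1, R2)                       # equals PT when R2 is genuine
    rec = server["db"].get(X1 ^ xS)            # T_id' = XoR(x_T, X1)
    if rec is None or not hmac.compare_digest(h(rec["np"], yS), X2):
        return False, False, msg
    r2 = xS % n
    PS = mul(server["s"] * r2 % n, rec["Pt"])
    R3 = h(X1 ^ xS, r2, rec["np"])
    r3 = xT % n                                # Step 4: tag side
    ok = PS == mul(tag["t"] * r3 % n, tag["Ps"]) and \
        hmac.compare_digest(R3, h(tag["id"], r3, tag["np"]))
    return True, ok, msg
```

Passing a `tamper` function that changes \({X}_{1}\) or \({X}_{2}\) makes the server abort in Step 3, and a tag provisioned with a different \({P}_{s}\) rejects the server in Step 4.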

Security and Performance Results

Security Analysis

An overview on the specific performance requirements satisfied by our newly designed protocol is introduced in this section. The security attributes that are required are mutual authentication, confidentiality, integrity, anonymity, and availability.

Mutual Authentication

This service is realized by implementing at least two different operations. The first operation enables the authentication of the tag by the server. Upon receiving the message \(({R}_{2},{X}_{1},{X}_{2})\) from the tag, the server computes the parameters \({k}_{1}{R}_{2}=({x}_{T},{y}_{T})\), \({T}_{id}^{\prime}=XoR({X}_{1},{x}_{T})\) and \({T}_{np}^{\prime}=h({X}_{2}\| {y}_{T})\). Then, it searches the database to find the matching value of \({T}_{id}^{\prime}\). If found, it gets \({T}_{np}\); otherwise, it stops. The server verifies the legitimacy of \(PT\stackrel{?}{=}{k}_{1}{R}_{2}\) and \({T}_{np}\stackrel{?}{=}{T}_{np}^{\prime}\). If both hold, tag authentication is successfully performed. The second procedure permits the authentication of the server by the tag. The server calculates \({r}_{2}={x}_{T}\ \mathrm{mod}\ n\), \(PS=s{r}_{2}{P}_{t}\), and \({R}_{3}=h({T}_{id}^{\prime}\| {r}_{2}\| {T}_{np}^{\prime})\). Then, the server sends \((PS,{R}_{3})\) to the tag. The secret value \(s{r}_{2}\) is known only by the server. An attacker cannot derive this secret due to the hardness of the ECDLP. Upon receiving this message, the tag calculates the secure value \({r}_{3}={x}_{T}\ \mathrm{mod}\ n\) and \({R}_{4}=h({T}_{id}\| {r}_{3}\| {T}_{np})\). In the final step, the tag checks the validity of \(PS\stackrel{?}{=}t{r}_{3}{P}_{s}\) and \({R}_{4}\stackrel{?}{=}{R}_{3}\). If both quantities are equal, the authentication of the server is done correctly; otherwise, the validation process fails.

Confidentiality

The protocol makes certain that the tag's identity details cannot be retrieved by an attacker. They are available only to the tag and the server. Although an attacker could have access to the transferred values \(({R}_{2},{X}_{1},{X}_{2})\), he cannot derive the quantity (\({T}_{id},{T}_{np}\)) from (\({X}_{1},{X}_{2}\)) as long as the secret value of \({r}_{1}\) is private. It is hard to find \({r}_{1}\) from PT and \({R}_{2}\) due to the difficulty of solving the ECDLP.

Integrity

Our scheme ensures the integrity of the data exchanged between the tags and the servers. The secret keys \({r}_{1}\) and \({k}_{1}\) are available only to the tag and the server, respectively. These secret parameters are used as a basis for calculating the \({R}_{2}\) and \(PS\) values which are communicated by the two parties. So, if an attacker tries to modify the data exchanged between the two entities (tag and server), the attack can be easily detected and thus the authentication process will fail. We note that the secret parameters are never transmitted directly during communication. Hence, based on the hardness of the ECDLP, the attacker is not able to compute the private keys from the received message.

Anonymity

To maintain anonymity, the server and tag must communicate information in a way that makes it impossible for any transmitted data to be recovered. In our case, our protocol is based on the production of random parameters (\(K\), \({r}_{1}\)) that ensure this security service. For each new authentication transaction, the parameters are updated. Therefore, an attacker cannot retransmit the same data during another session.

Availability

The tag's identifier \({T}_{id}\) is retained throughout the conversation held between the tag and server, and is not available to any adversary. Furthermore, each session updates the alias of the tag \({T}_{np}\), which is submitted to the server. By updating the tag aliases, we ensure that the server and the tag always share the same alias. Therefore, the proposed protocol achieves availability and avoids de-synchronization.

Comparative Analysis

The present section compares the proposed protocol with some recently published protocols to evaluate its performance. The comparison is based on computation cost, to demonstrate the effectiveness and lightweight nature of the newly designed protocol. In general, ECC-based RFID authentication protocols mainly use hash functions, concatenation, XOR and scalar multiplication operations. The computing cost is determined according to the time taken to carry out the respective tasks. Here, we denote \({T}_{db}\) and \({T}_{ad}\) as the time required to execute the point doubling and the point addition operation, respectively. Similarly, \({T}_{h}\) is the time needed for one hash function and \({T}_{s}\) is the time necessary for the symmetric encryption/decryption process.

According to [30, 37], an instance of \({T}_{db}\), \({T}_{ad}\), \({T}_{h}\), and \({T}_{s}\) takes 0.063075, 0.0032, 0.0005, and 0.0087 s, respectively. The concatenation and XOR operations have less computation overhead than the other operations, so they can be ignored. The computational cost of our proposed protocol is compared with some associated works, and the whole comparison is illustrated in Table 2. The graphical representation of this comparison is shown in Fig. 4.

Table 2 Computation cost comparison

Fig. 4 Comparison of computational overhead

From Table 1, we can notice that our proposed protocol requires only \(3{T}_{db}\) and \(2{T}_{h}\) on the tag side and only \(3{T}_{db}\) and \(2{T}_{h}\) on the server side. Hence, it is better than all illustrated protocols except the protocol [29], which requires \(2{T}_{db}+6{T}_{h}\) on the tag side. Even so, the protocol [29] requires more time on the server side. On the other hand, we can remark that the total execution time of all compared protocols is 0.63715, 0.7633, 0.63075, 0.5174, 0.38495, 0.91705, 0.5066, and 0.38045 s for [13, 24,25,26,27,28,29,30] and our proposed scheme. Hence, our proposed protocol is faster than the others, as can easily be seen in Fig. 4.

The results demonstrate that the execution time of the tag and the server is 190 ms. Hence, the overall time required to perform the operation of our protocol is 380 ms. Consequently, the proposed approach requires significantly less processing time to perform the various operations required, in comparison to other schemes. The comparative results make our protocol a more efficient and lightweight solution for RFID systems in the IoT environment.

Simulation Results Using AVISPA

This section attempts to check the safety and security of the suggested protocol through the use of AVISPA, the most widely used tool for the automated validation of security protocols [38]. The AVISPA tool operates under two validation states, namely SAFE and UNSAFE. The output of the simulation is a SAFE state if a proposed scheme provides resistance against the MITM attack. First, the AVISPA software converts the pseudo-code of the scheme into the HLPSL source code to validate the security of a cryptographic method. Then, the HLPSL2IF translator passes the code through modules such as OFMC (On-the-fly-Model-Checker) and CL-ATSE (CL-based Attack Searcher) to check if the protocol is SAFE or UNSAFE. For more details on the AVISPA tool, we refer the interested reader to [39, 40].

In this work, we perform the simulation on an Intel Core i7 3.0 GHz machine running Windows 10 with 16 GB RAM. Figures 5 and 6 show the formal validation of the proposed protocol by the OFMC and CL-AtSe methods, respectively. According to the simulation results, our protocol is safe. Moreover, our protocol has a bounded number of sessions. Hence, it is considered an improved secure mutual authentication model for IoT applications.

Fig. 5 The obtained results with OFMC method

Fig. 6 The obtained results with CL-ATSE method

Conclusion

ECC is frequently used in constrained environments to reduce the computational. Many schemes adopt ECC to secure communications between the different components of RFID systems in the IoT environment. This research puts forward a new RFID protocol using ECC that offers mutual authentication between the tag and the server. The performance analysis shows that our scheme provides better security features and requires less computational cost as compared to the other protocols. In addition, the comparative study confirms that the proposed protocol is superior to its counterparts. Furthermore, the simulation results using the AVISPA tool show that our protocol is safe and more efficient in terms of computation cost. Besides having low computation cost, the security analysis confirms that the proposed protocol is secure and scalable enough to be deployed in any IoT application.

In future work, we will try to improve our proposed method using more complex techniques with the data, like the genetic function in a more complicated way. Furthermore, it would be interesting to integrate the proposed protocol into embedded systems and perform real-time analysis.