Applied - Cryptography - Report Group5

Design and Evaluation of Lightweight Cryptographic Protocols for Secure RFID
Authentication in Medicine Anti-Forgery Applications

Aftabul Hoque - s230059


Jan Ariel Ocampo - s135214
Kazi Ejajul - s230039
Spyros Lamprou - s232525
Marco Muro - s233662

Technical University of Denmark (DTU), Denmark


Table of Contents

1 Introduction
2 Requirements
2.1 Functional Requirements
2.2 Security Requirements
Key Security Requirements and Threats
Real-World Impact and Scalability
3 Functionality
4 State of Art
4.1 Lightweight Cryptographic Protocols for RFID Security
4.2 Post-Quantum Cryptography and Future Directions
5 Candidate Techniques
6 Selection of Design
6.1 Overall Design
6.2 Communication Protocol: EPC Gen 2 (ISO 18000-63)
6.3 RFID Reader - Backend-Server Link
6.4 RFID Tag – RFID Reader Link
6.5 Considerations and Constraints
6.6 Proposed Solution
7 Design Details
8 Evaluation and Analysis - Discussion
8.1 Analysis of Design
8.2 Performance Analysis
8.3 Security Comparison-draft
8.4 Cost Analysis

1 Introduction

RFID technology is a widely used method for automatic identification and
tracking of objects through the use of electromagnetic fields. At its core, an
RFID system consists of tags, readers, and a backend database. RFID tags are
small devices that can store information and communicate wirelessly with an
RFID reader via radio waves. There are two main types: passive tags (which do
not have an internal power source and rely on the reader’s signal for energy)
and active tags (which have their own power supply). These tags can operate at
various frequencies, such as low frequency (125 kHz, offering longer range but
slower data rates with basic protocols) and high frequency (13.56 MHz,
supporting shorter ranges, faster data transfer, and more robust cryptographic
security features).

In the evolving landscape of supply chain management, RFID technology plays a
crucial role, particularly by enabling the rapid and simultaneous scanning of
multiple items, streamlining inventory and tracking processes. This project
focuses specifically on the pharmaceutical supply chain, where ensuring the
authenticity and safety of medical products is critical. Traditionally, many
processes in this sector have been handled manually or through barcode
scanning, which can be inefficient and prone to errors. RFID offers a more
efficient, automated solution that enhances traceability and reduces the risk
of counterfeit products entering the supply chain.

This project aims to create a specialized cryptographic solution that is
lightweight and designed to prevent counterfeiting in the pharmaceutical
industry, thereby guaranteeing the legitimacy and genuineness of medications
within the supply chain.

2 Requirements

The successful implementation of RFID authentication systems in the
pharmaceutical supply chain depends on clearly defined functional and security
requirements. These requirements are important for effective inspection and
certification of medical products. At the same time, they protect sensitive
information by setting strong criteria for functionality and security. This
analysis aims to support the development of reliable systems that increase
traceability and prevent counterfeiting.

2.1 Functional Requirements

Users/operators/employees must be able to authenticate products in real time
as they move through the supply chain. The RFID system should facilitate the
tracking of products from the point of origin to the final destination,
allowing for comprehensive visibility throughout the logistics process.
Furthermore, users should be able to access product data remotely, providing
flexibility and enhanced monitoring capabilities.

The system should enable deactivation or storage of the RFID tag once the
product reaches its final destination, as it should maintain an organized
database of the product lifecycle. Additionally, RFID should support
high-volume operations by allowing multiple tags to be scanned simultaneously
to improve efficiency.

The system itself should be economically viable, as it will be operated at a
large scale on a worldwide level.

2.2 Security Requirements

The primary challenge of RFID systems in the pharmaceutical industry is
ensuring the authenticity and integrity of products across the supply chain.
This involves addressing key security requirements and being aware of various
security threats that could compromise the system.

Key Security Requirements and Threats

The RFID system has to ensure mutual authentication between the tag and the
reader in such a way that unauthorized devices do not get any chance to
communicate with the system. It should also provide assurance against cloning
attacks, so that counterfeit products cannot enter the supply chain by means of
replicated tags [1]. Another major threat is from replay attacks, where
previously intercepted communication is reused for unauthorized access.
Other general threats include eavesdropping and Man-in-the-Middle attacks
(active attacks, where the attacker tries to capture the communication between
the tags and readers and change it) [2]. This implies that ensuring data
confidentiality and integrity is essential in sensitive applications, where
unauthorized exposure of or tampering with data could lead to dangerous
consequences.
In this respect, both the hardware and the communication protocols have
several vulnerabilities that can be used by a malicious actor to perform most
of the above-mentioned attacks in RFID systems. Conducting such attacks in
real-life applications is made easier because RFID readers are available at low
cost, which permits an attacker to intercept and change information [3]. The
limited computational power of RFID tags further aggravates the risks of such
attacks, since strong security measures are harder to implement with low
computational power. Therefore, attacks can be modeled to take advantage of
such weak points where high-volume operations reduce oversight, and strong and
scalable security solutions are going to be very important in mitigating these
risks.
Lastly, since RFID tags have only restricted computational power, the security
mechanisms must be lightweight so that their execution can be managed
efficiently without loss of performance. The trade-off between security and
efficiency is important for scalability to high-volume supply chain operations.

Real-World Impact and Scalability

The security issues regarding RFID systems in the pharmaceutical supply chain
are not only a technical issue but are directly linked to the safety of the
consumers and the reputation of this industry [3]. An ineffective response to
the security threats of cloning, replay attacks, and data tampering would
create the opportunity for counterfeit pharmaceuticals to enter the supply
chain, and would not only create serious health risks for customers but also
erode trust in the whole industry. Moreover, with the extension and growth of
supply chains, the security mechanisms developed should also be able to
function effectively when there are thousands or millions of RFID tags in the
field. The security solutions would need to be designed in such a way that they
can maintain performance while supporting heavier loads and block any potential
bottlenecks or vulnerabilities that a growing system may be exposed to.

3 Functionality
The following section describes how the workflow of this system should operate,
following the depiction in Figure 1.

[Figure 1: RFID Authentication System Workflow, with the stages Manufacturing,
Scanning, Authentication, Backend and End of Life.]

Fig. 1: Workflow of the RFID Authentication System for Supply Chain

Each product, or possibly every batch of products sealed in a box, is tagged
with a passive RFID tag. The tag contains a unique identifier that can be
tracked in real time at multiple stages within the supply chain, where it is
scanned, verified, stored or transported.

The RFID authentication system is set up in several stages of the supply chain,
e.g. at the manufacturing facility the RFID tags are added to the product and
the initial RFID authentication is performed, logging the product in a
database. Then, during transportation, upon arrival at the warehouse, or at the
distribution centers, the product’s authenticity is verified again. The goal is
to prevent tampering from occurring during transportation or other critical
phases, by creating an audit trail in order to ensure that the product is
genuine at the end of the supply chain. The backend system logs the product’s
entire journey, creating an audit trail and storing it in a secure database. It
logs every authentication event and keeps a record of where the product has
been. If the authentication fails, the backend sends an alert, and the product
is flagged for immediate inspection as it could potentially be counterfeit.

The RFID tags must last throughout the entire process and all stages of the
supply chain. Once the product has arrived at its final destination, the tag is
then deactivated and/or archived. In the background, a record of the product’s
trail and lifecycle is kept in the system’s database. The logistics and
scalability costs are kept minimal, and the integration costs of the RFID
authentication system are kept low for existing supply chain infrastructures.
With Ultra High Frequency (UHF) RFID technology, the system is designed to
handle a large volume of products by scanning multiple tags simultaneously,
keeping track of damaged or tampered tags.

4 State of Art

The field of RFID security has, in the past years, seen many critical advances
due to increasing demands for efficiency and security, such as those present in
the pharmaceuticals area. Among the main focuses within state-of-the-art RFID
technology, one can find lightweight cryptographic protocols that are supposed
to be run on top of the resource constraints given by a passive RFID tag.

4.1 Lightweight Cryptographic Protocols for RFID Security

Some of the notable developments in the security related to RFID technology
include the proposal for lightweight cryptographic protocols based on ps-PRNG
for mutual authentication between a tag and reader, for example, the Flyweight
Protocol [1]. Another excellent approach is represented by the PRNG-based
secure RFID authentication protocol introduced by Dass and Om, which provides
fresh session keys at every authentication, thus avoiding replay attacks [4].
Some protocols have also been developed further in order to secure RFID systems
by ensuring that a tag is within proximity to a reader. This has also been done
with distance bounding protocols. These protocols ensure that a tag is proximal
to a reader by using round-trip communication times to prevent relay attacks
[5]. Recently, a two-factor authentication system, SmartRFID, integrated RFID
chips and smart devices to be an advanced solution for high-security
situations, though not appropriate for all use scenarios [2].
ECC and HBA+ are two lightweight cryptographic protocols that have been
proposed for resource-constrained RFID systems. Since ECC has a small key size
with effective security compared to the key sizes of other traditional
algorithms, it is optimal for RFID tags that usually have very low
computational capability. Based on the hardness of the elliptic curve discrete
logarithm problem, ECC provides secure mutual authentication with minimum
overhead [6]. HBA+, in contrast, combines block and stream cipher features and
provides resistance to various cryptanalyses of low-power devices. Because the
lightweight design means a relatively small gate count, it should easily fit
into RFID applications in a high-volume environment [7].

The improvements in hardware security (the addition of tamper-evident tags and
constant-time cryptographic operations, which mitigate side-channel attacks)
further complement these innovations [8]. The latest EPC Gen 2 standards bring
updated encryption and session key management that is even better suited for
sensitive industries like pharmaceuticals.

4.2 Post-Quantum Cryptography and Future Directions


While current cryptographic schemes offer a fair security level against most
conventional attacks, the evolution of quantum computers can potentially be
considered a threat to the security of RFID systems in the future. If highly
powerful quantum computers emerge, then traditional cryptography, including
that used in RFID systems, might be threatened by quantum attacks. Considering
the potential case of a quantum attack, post-quantum cryptography is the
challenging area of research currently under exploration for the protection of
RFID systems [9]. Further developments could also include blockchain
technology, which in the future may be applied to create unchangeable records
of the movement of products, further augmenting security and transparency in
the supply chain. Innovations like the imminent EPC Gen 3 suggest that RFID
standards are bound to change soon. This hopefully means much more powerful
security and better performance to meet the growing challenges of the modern
supply chain.

5 Candidate Techniques
The following section presents a selection of candidate techniques from the
current state of the art for RFID tag technology (Section 4) fulfilling the
security and functionality requirements of the system detailed in the previous
Sections 2 and 3. The following subsections provide an overview of the selected
techniques for RFID tag security.

SmartRFID

With the SmartRFID system proposed by Li et al. (2023) [10], an RFID
authentication system can be employed that allows the use of crypto-less UHF
RFID tags. The proposed system can still retain a secure mutual authentication
mechanism, despite the RFID tag’s inability to verify whether the RFID reader
is dishonest or not. However, with the integration of a smart device, more
computational power and communication overhead is required from a backend
server, which performs statistical correlation on the smart device’s
accelerometer data, obtained through random motion or patterned hand gestures.
This additional complexity may increase the costs for staff training and
increase backend server requirements.

Flyweight Protocol

The Flyweight protocol developed by Burmester and Munilla in 2006 [1] is able
to provide mutual authentication, confidentiality, integrity, and forward and
backward secrecy for a desired RFID system. Moreover, as a candidate technique,
the protocol provides strong synchronization, with the server keeping a record
of the current and next response value of the tag. The advantage this protocol
provides the system is its minimal requirement of computational resources;
however, its simplicity may also render it susceptible to advanced
cryptographic attacks that target basic PRNG mechanisms.

Secure Authentication for RFID Systems

Similar to the Flyweight protocol, the secure authentication scheme proposed by
Dass et al. (2016) [4] is designed to be EPC Gen 2 RFID standard compliant
[11], and accommodates a generation of passive RFID tags that come with
built-in PRNGs. The scheme minimizes the communication overhead by reducing the
number of communications with the RFID tag, meeting the requirements as a
candidate technique for the RFID system. The scheme guarantees confidentiality,
integrity, and mutual authentication, but depends on PRNGs, like Flyweight.
Also, unlike the Flyweight protocol, the scheme does not guarantee backward
secrecy.

Distance Bounding Protocol

The distance bounding protocol proposed by Hancke et al. (2005) [12] is a
challenge-response protocol. It ensures that the Prover P is bounded by a fixed
time frame in which to compute and send the response to the Verifier V. The
time between V sending the challenge and receiving the response determines the
RFID tag’s physical proximity. This candidate technique provides security
against relay attacks, where an attacker could manipulate communications over
long distances, but it provides only this feature and must be combined with
other techniques.

6 Selection of Design
The following section presents the design proposals based on the previous
section’s candidate techniques, along with the design selection process. The
design selection process is determined by the overall functional requirements
and constraints listed in previous section 3, with the final implementation
following the overall design depicted in Figure 2.

[Figure 2: RFID System. Components: RFID Tag, RFID Reader (Antenna and Reader),
Backend Server, Database. Relations: «controls», «communicates»,
«sends/receives data», «stores/retrieves data».]

Fig. 2: Diagram over the overall design for RFID System


6.1 Overall Design


The overall design of the proposed solution consists of one or more HF passive
RFID tags, that are attached to, or embedded within the packaging or boxes of
the medical supplies, and a reader (or more than one if the process is streamlined
with parallel lines) along with a server for cloud storage (see Figure 2).
Given that the main security issue lies in the communication between both
the tag and the reader, it will be the main focus for the final design solution.
The following subsections describe the communication protocol and the links
between the components from the overall design, and then finally, the proposed
design is determined.

6.2 Communication Protocol: EPC Gen 2 (ISO 18000-63)


For the RFID system design, the communication protocol employed follows the
EPC Gen 2[11] (ISO 18000-63) standard for the tag (RFID tag) and interrogator
(RFID reader). The standard considers tags as passive, and therefore unsafe and
susceptible to physical attacks, due to restricted computational capabilities. The
protocol is half-duplex and operates on the physical layer, with an interrogator
transmitting data to the tag by modulating a Radio Frequency (RF) carrier wave
to the tag. The RF carrier is encoded using different shift-keying techniques e.g.
amplitude, phase and pulse interval encoding, for both single and double side
band formats. In order to receive data, the interrogator transmits an
unmodulated RF carrier wave and listens to the backscattered reply from the
tag. The backscatter (reflection of waves) is then modulated (e.g. phase,
amplitude and pulse), which is received by the interrogator for demodulation
and decoding.

6.3 RFID Reader - Backend-Server Link


The communication between reader and the backend system (server) can be
wireless or wired and, given the assumptions listed in previous section 2, is
considered robust and secure. This assumption could be achieved by using the
Transport Layer Security (TLS) protocol, a cryptographic protocol designed to
ensure end-to-end security for data transmitted between applications over the
Internet. Its primary purpose is to enhance privacy and data security in
internet-based communication by encrypting the data exchanged between web
applications and servers. TLS 1.3 [13] represents the latest iteration of the
TLS protocol, and in a nutshell, it is faster and more secure than any previous
version. Due to the project details this section will not be covered further.

6.4 RFID Tag – RFID Reader Link


Due to the physical limitations of the passive tags in terms of computational
power and memory storage, the use of lightweight protocols is strictly required.
Such a scheme would need to employ light cryptographic operations like PRNGs,
hash functions, and XORs similar to the implementations proposed by [4] and
[1].

6.5 Considerations and Constraints


The design selection is based on the candidate techniques and relies on the
design requirements, functionality and practicality. In scenarios related to
supply chain management, a trade-off between cost and security becomes clear.
This is in part due to the logistics involved in managing the transportation of
medical products. With the prices of tags being related to the type of RFID tag
used, there is an incentive for lessening the costs for the medical industry.
The SmartRFID solution would require the integration of a smart device into the
RFID system, acting as a dual authenticator, but allows for the implementation
of crypto-less passive RFID tags and RFID readers (interrogators) that are EPC
Gen 2 compliant.
However, depending on SmartRFID’s integration into the supply chain, the
company or logistics provider will need to provide secure smart devices and
additional training for employees in hand gestures, if random acceleration is
not sampled. Despite this, a use-case scenario for SmartRFID could involve
high-security transportation of high-priority medical provisions. Moreover, a
system incorporating different modes of security may employ both the Flyweight
protocol and SmartRFID, where, depending on the provisions transported,
security can be modified accordingly, allowing for transportation both with and
without the need for a smart device.

On the other hand, in terms of cost and efficiency, the implementation proposed
by Dass et al. (2016) reduces the number of communications made to the RFID
tag, as well as the number of overall operations required. The solution
proposed by Dass et al. (2016) is more lightweight than the Flyweight protocol,
does not solely rely on PRNG, and reduces the computational and communication
overhead, whilst retaining similar security features. For a more robust
solution, the overall authentication scheme can be combined with a distance
bounding protocol, which can provide a comprehensive level of security that
reduces, whilst remaining attractive to the medical industry and logistics
providers. But in terms of the overall comprehensiveness of the security
features employed, the solution proposed by Dass et al. (2016) does not provide
backward secrecy, i.e. security against future attacks where, once the tag has
been compromised, attackers might predict future attacks. But in the case of a
tag being compromised, given that a tag is cheap to replace, and given the
overall risks involved in re-using a previously compromised tag, this solution
may prove more applicable in the overall assessment made by the medical
industry and logistics providers.

6.6 Proposed Solution


Given the previous sections, the proposed solution is a combination of a
distance bounding protocol [12] and an implementation by Dass et al. (2016) [4]
based on the currently widely used EPC-C1-GEN2 standard, in order to provide
the security requirements that are needed for the main aim of the project. In
the next section 7, the design details will be provided.

7 Design Details

This section explores the technicalities of the proposed solution.

Design Assumptions

The following assumptions are made in our design:

– an RFID system with only three entities will be considered: a tag, an RFID
reader, and a backend server. If multiple tags go through a scanner / pass by a
reader at the same time, the reader, which has no severe energy and computation
limits, will handle the different communications simultaneously in parallel
– the communication channel between reader and backend server is fully secure
(as stated previously)
– the tag is a passive device and communicates with the reader through an
insecure wireless channel
– the tag contains two data fields $(S, ID)$: the tag’s secret and the tag’s
pseudonym (index value in the database), where $S$ is 128 bits and $ID$ is
96 bits in length
– as seen later, $S$ is going to be updated in the tag, so rewritable memory
(EEPROM or FRAM) of 128 bits is required
– the backend server maintains a local database with fields $ID$, $h_2(ID)$,
$S_{Old}$, and $S_{New}$. Initially, $S_{Old} = 0$ and $S_{New} = S$ holds the
tag’s secret value
– $S$ is initialized at the tag’s creation and is only known by the tag itself
and the backend server
– the tag and backend system share a dedicated secret pseudorandom function
(in practice a keyed public pseudorandom function $h_1$ with the dedicated
shared secret key $S$)
– the server’s database is considered secure, with proper access control and
perimeter definition
– random numbers generated are 96 bits in length
– tag memory is insecure and vulnerable to physical attacks

First part: Distance Bounding Protocol

In round-trip systems, signals flow in both directions, and the distance between
two stations is calculated as follows:
$$d = \frac{c \cdot (t_m - t_d)}{2} \qquad (1)$$

$$t_m = 2 \cdot t_p + t_d \qquad (2)$$

where $c$ is the propagation speed, $t_p$ is the one-way propagation time,
$t_m$ is the measured total round-trip time, and $t_d$ is the processing delay
at the remote device (tag).

The aim of this part of the protocol is to infer an upper bound for the
distance between the reader and the tag from the fact that no information can
propagate faster than the speed of light.
As mentioned before, the RFID device is computationally weak. It can compute
the secret pseudorandom function $h_2$ mentioned above, but the time it takes
for this computation (e.g., several milliseconds) is many orders of magnitude
larger than the maximum response-delay variance acceptable for our
distance-bounding application (tens of nanoseconds). We do assume that it is
reliably able to detect large deviations from its nominal clock frequency, in
particular any attempt by an attacker to operate the RFID device at twice its
normal speed or more (overclocking attack).
The first phase is not time-critical and calculates (typically in software) a
response $R$ to a challenge $N_{R1}$ (plus a nonce $N_{T1}$), using a
pseudorandom function $h_2$ and the shared secret key $S$ known to both
parties. The $2n$ bits of $R$ are not returned directly. Instead, they are
split up and loaded into two $n$-bit shift registers. A pre-agreed fixed number
of clock cycles after the transmission of $N_{R1}$, the time-critical second
phase begins, in which additional single-bit challenges $C_i$ are transmitted.
Each selects one of the two shift registers, which returns its first bit
directly, using fast asynchronous logic that does not wait on any clock cycle.
The first bit in the respective other shift register is discarded at the same
time. This way, only half of all response bits of $R$ that were generated for
an $N_{R1}$ are revealed.
Formulating the response $R_i^{C_i}$ based on the received $C_i$ is a simple
single-bit lookup in a 2-bit memory, which can be implemented in an entirely
asynchronous fashion, requiring only a small number of gate delays, without any
clock signals that the attacker could accelerate to obtain $R_i^{C_i}$
prematurely. As the signal propagation time $t_p$ is very small, it is
important that the processing delay $t_d$ of the token is short and
predictable.
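
The two phases and the distance check of equations (1) and (2) can be exercised end to end. The following is an added example, not code from the report or from the authors of [12]; the use of HMAC-SHA-256 as the pseudorandom function, the 5 ns processing delay, the 1 m acceptance bound and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

C = 299_792_458.0  # propagation speed c in m/s (speed of light, the upper bound)

# Constructed sample values; a real reader draws nonce and challenges at random.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NONCE = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaab")
CHALLENGES = [int(b) for b in format(0x9E3779B97F4A7C15, "064b")]


def shift_registers(key: bytes, nonce: bytes, n: int):
    """Slow phase: R = h(K, N), split into two n-bit registers R^0 and R^1.
    Assumption: h is instantiated with HMAC-SHA-256."""
    digest = hmac.new(key, nonce, hashlib.sha256).digest()
    bits = [(byte >> shift) & 1 for byte in digest for shift in range(7, -1, -1)]
    if 2 * n > len(bits):
        raise ValueError("n too large for a 256-bit PRF output")
    return bits[:n], bits[n:2 * n]


def tag_responses(r0, r1, challenges):
    """Fast phase on the tag: C_i selects a register whose first bit is returned
    while both registers shift, so round i exposes either r0[i] or r1[i]."""
    return [(r1 if c else r0)[i] for i, c in enumerate(challenges)]


def round_trip_time(distance_m: float, t_d: float, relay_delay: float = 0.0) -> float:
    """Eq. (2): t_m = 2*t_p + t_d, plus any latency a relay would add."""
    return 2 * (distance_m / C) + t_d + relay_delay


def distance_bound(t_m: float, t_d: float) -> float:
    """Eq. (1): d = c*(t_m - t_d)/2."""
    return C * (t_m - t_d) / 2


def verify(key, nonce, challenges, responses, timings, t_d, max_distance_m):
    """Reader side: every response bit must match and every round must be close."""
    r0, r1 = shift_registers(key, nonce, len(challenges))
    expected = tag_responses(r0, r1, challenges)
    if len(responses) != len(expected) or len(timings) != len(expected):
        return "malformed"
    if not hmac.compare_digest(bytes(expected), bytes(responses)):
        return "wrong-bits"
    if max(distance_bound(t, t_d) for t in timings) > max_distance_m:
        return "too-far"
    return "accept"


def simulate(reader_key, tag_key, nonce, challenges, distance_m,
             t_d=5e-9, relay_delay=0.0, max_distance_m=1.0):
    """Constructed run: a tag at distance_m answers, optionally through a relay."""
    r0, r1 = shift_registers(tag_key, nonce, len(challenges))
    responses = tag_responses(r0, r1, challenges)
    timings = [round_trip_time(distance_m, t_d, relay_delay) for _ in challenges]
    return verify(reader_key, nonce, challenges, responses, timings, t_d, max_distance_m)


if __name__ == "__main__":
    print(simulate(KEY, KEY, NONCE, CHALLENGES, 0.5))                      # honest tag
    print(simulate(KEY, KEY, NONCE, CHALLENGES, 0.5, relay_delay=100e-9))  # relayed
    print(simulate(KEY, bytes(16), NONCE, CHALLENGES, 0.5))                # wrong key
```

A relay latency of 100 ns alone corresponds to about 15 m of apparent distance, which is why the acceptable variance of $t_d$ has to stay in the range of nanoseconds.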

Second part: Authentication Protocol


Once it is confirmed by the “handshake” that the tag is within a legitimate
distance the second part of the protocol can take part.
1. The reader generates another random number (NR2 ) and sends it to the
RFID tag.
2. Upon receiving NR2 , the tag generates NT2 and calculates V = PRNG(S ⊕
NR2 ⊕ NT2 ) and H = h1 (ID), using its stored data (S, ID). The tag sends
V , H, and NT2 to the reader, which forwards them, along with NR2 , to the
server.
3. The server, after receiving these values, retrieves database records of h(ID)
to find if there is a record corresponding to H.
– If no record is there corresponding to that value, then communication is
terminated.
– If a record is found, the server extracts the corresponding tag’s secret
SNew from the database and calculates V ′ = PRNG(SNew ⊕ NR2 ⊕ NT2 )
to verify if V ′ and the received V are identical or not.
RFID Authentication in Medicine Anti-Forgery Applications 11

RFID Reader (Verifier) RFID Tag (Prover)

Secret key K, Secret key K,


Pseudorandom function h Pseudorandom function h

Generate nonce NV , NV Calculate h(K, NV ),


Calculate h(K, NV ), Split result into R0 ∥ R1
Split result into R0 ∥ R1 and place into shift registers:

Generate random bits C1 = 0 R0 : 10011011


C1 , . . . , C k R1 : 01110110

R1C1 = 1

C2 = 1 0011011
1110110

R2C2 = 1

... ...

C
Compare received Ri i
Cn = o 1
with calculated ones 0
Cn
Rn =1

Fig. 3: Diagram for first part of the protcol

• If they are equal, it is confirmed that the previous session was suc-
cessful and the tag contains SNew as its S value. The server sends
SNew to the reader.
• If V ′ and V are not equal, the server extracts SOld value for the
corresponding matched tag and calculates V ′′ = PRNG(SOld ⊕NR2 ⊕
NT2 ).
It checks if V ′′ and V are equal. If equality holds, then it sets the
variable Flag = 1 and sends SOld to the reader. Here, the server
is confirmed about the unsuccessful previous session, and the tag
contains SOld as its S value.

4. The reader uses the received value (either SNew or SOld ) as a seed to calculate
M = PRNG(S, NR ). It then calculates a random number N = PRNG(M )
and sends N to the tag and M to the server.
5. The tag computes M as well (denoted M′), uses it as a seed value to
calculate N′, and verifies whether N′ = N. If they match, the tag confirms
the reader is legitimate, calculates U = h1(S || M′), and updates its secret
value as S = S ⊕ U.
6. The server, after getting M value from the reader, checks the Flag variable.
– If Flag = 0, the secret of the tag has matched with SNew value, and it
calculates U = h1 (SNew || M ). Then, the server updates the secret value
in the database as SOld = SNew and SNew = SNew ⊕ U .
– If Flag = 1, the secret of the tag has matched with SOld value, and it
calculates U = h1 (SOld || M ). Then, the server updates the secret value
in the database as SNew = SOld ⊕ U and SOld remains unchanged.
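
The SOld/SNew recovery in steps 3 to 6, as an added simulation (not code from this report or from Dass et al.): h1 and PRNG are replaced by truncated SHA-256 stand-ins, and the class names, run_session and the drop_n switch are hypothetical. The tag update follows Fig. 4 (U = h(S∥M′), S = S ⊕ U).

```python
import functools, hashlib, hmac, operator, secrets
# Constructed simulation; all secrets and nonces are 128-bit values.
def h1(*parts):    # stand-in for the one-way hash h1 (assumption: SHA-256 cut to 128 bits)
    return hashlib.sha256(b"h1" + b"".join(parts)).digest()[:16]

def prng(*parts):  # stand-in for the seeded PRNG (assumption: domain-separated SHA-256)
    return hashlib.sha256(b"prng" + b"".join(parts)).digest()[:16]

def xor(*vals):    # bytewise XOR of equal-length values
    return bytes(functools.reduce(operator.xor, col) for col in zip(*vals))

class Tag:
    def __init__(self, s, tag_id):
        self.S, self.ID = s, tag_id
    def respond(self, nr):                       # step 2: V, H, NT
        self.nr, nt = nr, secrets.token_bytes(16)
        return prng(xor(self.S, nr, nt)), h1(self.ID), nt
    def finish(self, n):                         # step 5: S changes only if N verifies
        m = prng(self.S, self.nr)                # M'
        if n is not None and hmac.compare_digest(prng(m), n):
            self.S = xor(self.S, h1(self.S, m))  # U = h1(S || M'), S = S xor U

class Server:
    def __init__(self):
        self.db = {}                             # h1(ID) -> [S_old, S_new]
    def enroll(self, s, tag_id):
        self.db[h1(tag_id)] = [s, s]
    def lookup(self, v, h, nt, nr):              # step 3: try S_new, then S_old
        old, new = self.db.get(h, (None, None))
        for flag, s in ((0, new), (1, old)):
            if s is not None and hmac.compare_digest(prng(xor(s, nr, nt)), v):
                return flag, s
        return None                              # unknown H or V mismatch: terminate
    def update(self, h, flag, m):                # step 6
        old, new = self.db[h]
        s = new if flag == 0 else old            # the secret the tag actually holds
        self.db[h] = [s, xor(s, h1(s, m))]       # S_old = s, S_new = s xor U

def run_session(server, tag, drop_n=False):      # drop_n models a blocked N message
    nr = secrets.token_bytes(16)                 # step 1: reader nonce
    v, h, nt = tag.respond(nr)
    hit = server.lookup(v, h, nt, nr)
    if hit is None:
        return None
    flag, s = hit
    m = prng(s, nr)                              # step 4: reader derives M, N = PRNG(M)
    server.update(h, flag, m)
    tag.finish(None if drop_n else prng(m))
    return flag
```

Running a normal session, then one with N dropped, then another normal session returns Flag values 0, 0, 1: the third session authenticates against SOld and leaves tag and server resynchronized.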

[Fig. 4: Diagram based on Dass et al. (2016). Parties: Backend Server, RFID
Reader, Passive RFID Tag. Message flow shown in the figure:
– Reader: Generate NR. Reader → Tag: NR.
– Tag: Generate NT, Calc V = PRNG(S ⊕ NR ⊕ NT), H = h(ID).
  Tag → Reader: V, H, NT. Reader → Server: V, H, NT, NR.
– Server: Flag = 0. Test: Match h(ID) in DB. If match: Check
  V = PRNG(SNew ⊕ NR ⊕ NT); if true, send SNew. Else if
  V = PRNG(SOld ⊕ NR ⊕ NT): set Flag = 1, send SOld.
  Server → Reader: SNew or SOld.
– Reader: Seed = SNew or SOld. Reader → Server: M. Reader → Tag: N.
– Tag: Calc M = PRNG(S, NR), Calc N′ = PRNG(M′). Verify N′ = N; if equal,
  then Calc U = h(S∥M′), S = S ⊕ U.
– Server: If Flag = 0, Calc U = h(SNew∥M), SOld = SNew, SNew = SNew ⊕ U.
  Otherwise, Calc U = h(SOld∥M), SNew = SOld ⊕ U.]

8 Evaluation and Analysis - Discussion


In this section, we evaluate the effectiveness of our protocol design and its align-
ment with the identified security vulnerabilities and risks. This assessment covers
critical components, including distance bounding, pseudorandom number gener-
ation (PRNG), and cryptographic hash functions, examining how these elements
collectively address common security threats identified in the previous sections.

8.1 Analysis of Design


Our proposed solution ensures the security of RFID authentication systems
through several cryptographic techniques and protocol components, each
addressing specific vulnerabilities.
The initial phase provides distance bounding as outlined in [12], which
prevents relay attacks by ensuring that a valid tag is within the correct
proximity to the reader. It uses a sequence of challenge-response exchanges
that can be sent and answered with essentially no computational delay, so the
distance between the devices can be measured accurately.
The second phase, based on [4], offers several key security features. Tag
anonymity is preserved by never transmitting tag secrets (S and ID) directly.
These values are protected through cryptographic techniques involving pseu-
dorandom number generation (PRNG) and one-way hash functions, making it
computationally infeasible for attackers to extract sensitive information.
Confidentiality and integrity are ensured by encoding the tag’s secret and
pseudonym in such a way that any alteration of transmitted data (like V, H,
or NT2) leads to a failure in the authentication process (similar to how a
MAC works). Similarly, the protocol detects unauthorized modifications by
validating PRNG-based computations, ensuring that only correct and unaltered
information proceeds.
The design also resists replay attacks. Even if an attacker intercepts a session’s
messages, the use of nonces NR2 and NT2 , which change each session, ensures
that these captured values are useless in future interactions.
Mutual authentication guarantees both the reader and tag authenticate one
another. The server verifies the received tag values using a stored hash, and the
tag confirms the reader’s authenticity by comparing the received nonce with its
own calculations.
Protection against desynchronization attacks is provided by ensuring that
even if some messages are blocked or altered, the tag and server will revert
to their previous synchronized state in the next session, avoiding asynchronous
updates thanks to the stored SOld and SNew values.
The protocol is also designed to resist traceability attacks. Since the commu-
nicated messages V and N are recalculated in each session using random nonces
and PRNG, attackers cannot use intercepted messages to track a tag across
different sessions.
Forward secrecy ensures that even if an attacker compromises the current
session’s secret (Si), they cannot deduce the secret of any previous session
(Si−1), as the update mechanism relies on a secure hash-based operation that
obfuscates past values.
Against man-in-the-middle (MITM) attacks, the protocol ensures that all
communicated values depend on secret information combined with PRNGs and
one-way hash functions. Any unauthorized modification results in a mismatch,
causing the protocol to terminate.
Lastly, DoS attack resistance is achieved by maintaining both old and new
secret values (SOld and SNew ) in the server’s database. If an attack blocks or
alters certain messages, the protocol allows the tag to authenticate using its pre-
vious secret, thereby preventing failures in future sessions.

With regard to physical tampering, a seal or any other physical system would
make it visible to the quality assurance inspectors working in the field that
a package containing medical supplies has either been opened or had its tag
removed and replaced (with another legitimate one).

8.2 Performance Analysis


Communication overhead: The two-way challenge-response system aligns
well with other lightweight RFID authentication protocols. The use of random
challenges and responses ensures that replay attacks are avoided, and the process
remains secure.
Computational overhead: Compared to more resource-intensive algorithms
like RSA or ECC, the proposed protocol is well-suited for passive RFID tags that
have limited power and processing capabilities. It ensures that the cryptographic
operations performed by the tag are kept light enough to fit within the
constraints of low-cost, resource-constrained RFID environments.
Storage requirements: The proposed protocol requires the tag to store two
main pieces of information: a secret key (128 bits) and a pseudonym/ID (96 bits).
This amounts to 224 bits of storage per tag, which is minimal compared to the
available storage capacity in most passive RFID tags, typically in the range of
a few kilobits. This efficient use of storage ensures that the protocol can be
implemented on low-cost tags without requiring significant memory.
Security, Efficiency and Scalability: The protocol is designed to handle
large volumes of RFID tags, especially in Ultra High Frequency (UHF) RFID
systems.

8.3 Security Comparison-draft


In Table 1, we analyse the security aspects of our scheme along with some other
authentication schemes against the most commonly occurring attacks in RFID
systems.

Protocol                       Replay  Cloning  Distance B.  Desync.  Traceability  MITM  DoS
HB++[14]                       Yes     Yes      No           No       No            No    N/A
SASI[15]                       Yes     Yes      No           Yes      No            No    Yes
PUF[16]                        Yes     Yes      No           No       Yes           No    N/A
LMAP[17]                       Yes     Yes      No           Yes      Yes           Yes   N/A
MAD[18]                        Yes     Yes      Yes          No       No            No    No
Proposed Protocol              Yes     Yes      Yes          Yes      Yes           Yes   Yes
Li et al. (2023)[10]           Yes     Yes      Yes          No       No            Yes   Yes
Burmester & Munilla (2011)[1]  Yes     Yes      No           Yes      No            No    Yes
Dass et al. (2016)[4]          Yes     Yes      No           Yes      No            Yes   N/A
Hancke et al. (2005)[12]       Yes     Yes      Yes          No       No            No    No
Table 1: Security Comparison of RFID Authentication Protocols

8.4 Cost Analysis


The cost analysis for the proposed protocol includes computation, communication,
storage and energy considerations. The computational overhead consists of
secondary operations such as XOR, PRNG, and hashing, where a typical session
requires 1 concatenation, 1 XOR, 2 hash functions, 1 random number generation
and 3 PRNGs. The communication cost is also small, with a small payload. Three
messages are required, which preserves performance even in bandwidth-constrained
environments. Each tag stores 128 bits of secret and 96 bits of alias, for a
total of 224 bits. Avoiding heavy encryption reduces energy costs, which saves
the energy of the tag and supports longevity in applications such as supply
chain.

Protocol                       Computation Cost at Tag              Storage at Tag  Attacks Resisted
Proposed Protocol              1TC + 1TX + 2TH + 1TR + 3TP + 1AES   224 bits        Replay, Cloning, Eavesdropping
HB++[14]                       5TX + 2TH                            160 bits        Replay, Brute Force
SASI[15]                       3TX + 2TH + 1TR                      192 bits        Desynchronization, Replay
PUF[16]                        3TX + 1TF                            128 bits        Cloning, Impersonation
LMAP[17]                       2TX + 2TH + 1TR                      160 bits        Cloning, Replay
MAD[18]                        1TC + 1TX + 2TH + 1TF                256 bits        Replay, Distance-based attacks
Li et al. (2023)[10]           1TX + 2TH + 1AES                     240 bits        Replay, Cloning
Burmester & Munilla (2011)[1]  1TX + 1TH + 1TR                      128 bits        Cloning, Impersonation
Dass et al. (2016)[4]          1TC + 1TX + 2TH + 1TR                160 bits        Replay, Cloning
Hancke et al. (2005)[12]       1TC + 2TX + 1TH + 1TR + 1TF          128 bits        Distance-based attacks, Relay
Table 2: Performance and Cost Comparison of RFID Protocols

Notations:

– TC : Concatenation operation.
– TX : XOR (Exclusive OR) operation.
– TH : Hash function.
– TR : Random number generation.
– TP : Pseudorandom number generation (PRNG).
– TF : Flip operation.

References
1. M. Burmester and J. Munilla, “Lightweight rfid authentication with forward and
backward security,” ACM Transactions on Information and System Security
(TISSEC), vol. 14, no. 1, pp. 1–26, 2011.
2. A. Li, J. Li, Y. Zhang, D. Han, and T. Zhang, “Secure uhf rfid authentication with
smart devices,” IEEE Transactions on Wireless Communications, vol. 22, no. 7,
pp. 4520–4533, 2023.
3. R. Singh, D. Kim, and J. Kim, “Clone tag detection in distributed rfid systems,”
PLOS ONE, vol. 13, no. 3, pp. 1–22, 2018.
4. P. Dass and H. Om, “A secure authentication scheme for rfid systems,” Procedia
Computer Science, vol. 78, pp. 100–106, 2016.
5. G. Hancke and M. Kuhn, “An rfid distance bounding protocol,” in Proceedings of
IEEE/Create-Net SecureComm, pp. 67–73, 2005.
6. H. A. Mohamed and E. Elrabie, “Lightweight cryptographic solutions for rfid
systems using elliptic curve cryptography,” Journal of Network Security, vol. 14,
pp. 47–62, 2019.
7. H. Hong, J. Lee, and S. Kim, “A comprehensive review of hummingbird
cryptographic protocols: Applications to rfid systems,” International Journal of
Cryptographic Research, vol. 7, pp. 101–118, 2020.
8. F. Amtmann and L. Angarita, EPC® Radio-Frequency Identity Generation-2 UHF
RFID Standard, Release 3.0. GS1 AISBL, 2024.
9. NIST, “Report on post-quantum cryptography,” tech. rep., National Institute of
Standards and Technology, 2024.
10. A. Li, J. Li, Y. Zhang, D. Han, T. Li, and Y. Zhang, “Secure uhf rfid authentication
with smart devices,” IEEE Transactions on Wireless Communications, vol. 22,
no. 7, pp. 4520–4533, 2023.
11. F. Amtmann, L. Angarita, et al., EPC® Radio-Frequency Identity Generation-2
UHF RFID Standard, Release 3.0. GS1 AISBL, January 2024. Specification for
RFID Air Interface Protocol for Communications at 860 MHz – 930 MHz. First
published in 2004, updated with Gen2v2 in 2013 and Gen2v3 in 2024.
12. G. P. Hancke and M. G. Kuhn, “An rfid distance bounding protocol,” Proceedings
of IEEE/Create-Net SecureComm 2005, pp. 67–73, September 2005.
13. National Cyber Security Centre, “Using tls to protect data.”
https://www.ncsc.gov.uk/guidance/using-tls-to-protect-data, 2021. Archived
from the original on July 21, 2021.
14. M. Madhavan, A. Thangaraj, Y. Sankarasubramanian, and K. Viswanathan, “Nlhb:
A non-linear hopper-blum protocol,” pp. 2498 – 2502, 07 2010.
15. H.-Y. Chien, “Sasi: A new ultralightweight rfid authentication protocol providing
strong authentication and strong integrity,” IEEE Transactions on Dependable and
Secure Computing, vol. 4, no. 4, pp. 337–340, 2007.
16. W. Che, F. Saqib, and J. Plusquellic, “Puf-based authentication,” in 2015
IEEE/ACM International Conference on Computer-Aided Design (ICCAD),
pp. 337–344, 2015.
17. A. Alkorji, M. Rohani, and M. Abuali, “Ultra-lightweight mutual authentication
protocol to prevent replay attacks for low-cost rfid tags,” IEEE Access, vol. PP,
pp. 1–1, 01 2024.
18. D. Yum, J. S. Kim, S. Hong, and P. J. Lee, “Distance bounding protocol for mutual
authentication,” IEEE Transactions on Wireless Communications, vol. 10,
pp. 592–601, 02 2011.
