Privacy Analysis

updated its state successfully or not. If not, ownerO_k+1engages in mutual authentications with tagT until the latter updates its internal state.

Remark 4.5. To prevent the old owner O_k of tag T from tracing T later in the future, the new owner O_k+1 has to run a mutual authentication with T outside the range of Ok right after the ownership transfer. In this manner, tag T and ownerO_k+1 will share a symmetric key that Ok cannot retrieve without a physical access to the tag.

4.5 Privacy Analysis

In this section, we prove thatROTIV is privacy preserving under the XDH assumption.

4.5.1 Forward Unlinkability

Theorem 4.1. ROTIV ensures forward unlinkability under the XDH assumption.

Proof. Assume that there is an adversaryA(r, s, t, ǫ) who succeeds in the forward unlinkability game with a non negligible advantageǫ. We will now construct an adversary B, who usesA as a subroutine and breaks the DDH assumption inG₁ with a non-negligible advantageǫ^′.

LetO^DDH be an oracle that when queried, selects first two random elementsx, y∈F_qand flips a fair coinb∈ {0,1}. Ifb= 1, thenODDH sets z=xy; otherwise zis randomly selected from F_q. Finally, it returns the tuple (g, g^x, g^y, g^z)∈G₁.

To break the DDH assumption inG₁, adversaryBfirst queries the oracleODDH to receive (g, g^x, g^y, g^z) and simulates a complete ROTIV system forA.

• Adversary B selects randomly a random number sk_I ∈ F_q and computes pk_I = h^skI. (sk_I,pk_I) represents the secret and the public keys of issuer I.

• Adversary B picks η random numbers x_k ∈ F_q, and assigns to each owner O_k in the supply chain a public key pk_k= (g,˜g_k =g^xxk).

Although, owner O_k does not know the secret key sk_k = xx_k that corresponds to the public key pk_k, owner O_k can always authenticate tag T by running a MAC-based authentication. Also, owner O_k can always transfer the ownership of tags he owns, since the ownership references do not depends on the secret keysk_k.

• To issue a tag T, B first selects ID and K_T⁰ ∈F_q, then computes S = H(ID)^skI, c⁰_T = (u⁰_T, v⁰_T) = (1,S). Finally, he storesS_T⁰ = (K_T⁰, c⁰_T) in tagT.

Learning phase. Adversary Bsimulates challenger C.

• B simulatesOTag and gives Atwo challenge tags T₀ and T₁.

4. RFID-BASED OWNERSHIP TRANSFER WITH ISSUER VERIFICATION

• A calls the oracle OExecute for tags T₀ and T₁. Without loss of generality, we assume thatT₀ and T₁ are owned by ownerOk and Ol respectively.

After a successful authentication, the ciphertexts c^j_T

0 and c^j_T

1 stored into tags T₀ and T₁ respectively are updated using the pair (g^y, g^z) as follows:

c^j+1_T0 = (u^j+1_T0 , v_T^j+1₀ ) = (g^yrj+10 , H(ID₀)^skIg^zxkrj+10 ) who can run mutual authentications with tagsT_i^′.

Challenge phase.

• In the challenge phase,Bpicks randomlyb∈ {0,1}and returns tag T_b from the pair of tagsT₀ andT₁. Then, he starts a mutual authentication with tag T_b outside the range of adversaryA by sending a nonceN_T^j′

b.

Without loss of generality, we assume that tagT_b is owned by ownerO_k (i.e.,b= 0).

• At the end of the authentication,B updates the state of tagT_b as follows:

S_T^j′+1

b is the nonce generated by tagT_b during the mutual authentication.

• B simulatesOFlip and returns tag T_b to adversary A. The ownership of tagT_b is then transferred to A.

Notice that Bcan compute correct ownership references for tag T_b: ref_Tb = (Sb,id_b, K_b^old, K_b^new,rand^old_b ,rand^new_b ) giveAany information aboutT_b’s past interactions. Consequently, adversaryAhas to rely on ciphertext c^j_T^′+1

b to build his attack againstROTIV’s forward unlinkability.

• At the end of the challenge phase,Aoutputs his guess b^′ of bitb.

84

4.5 Privacy Analysis Ifz=xy, then the simulation of ROTIV by adversaryB in the learning phase does not differ from an actual ROTIVsystem. As a result, adversaryAcan output a correct guessb^′ for bit bwith a non-negligible advantage ǫ.

Ifz6=xy, then the view of adversaryAduring the learning phase of the forward unlink-ability game is independent of b. Therefore, adversary A has only a negligible advantage in outputting a correct guess b^′ for the bitb.

This constructs a statistical distinguisher between the two distributions (g, g^x, g^y, g^xy) and (g, g^x, g^y, g^z), x, y, z ∈F_q, which breaks the DDH assumption inG₁. In fact, if adversaryA outputs a correct guessb^′ for the bitb, then adversaryBoutputsz=xy; otherwise adversary B outputsz6=xy.

Hence, if adversaryAhas a non-negligible advantageǫin breaking the forward unlinkabil-ity of ROTIV, then adversaryBwill also have a non-negligible advantage ǫ^′ =ǫin breaking the DDH assumption in G₁. This leads to a contradiction under the XDH assumption.

4.5.2 Backward Unlinkability

Theorem 4.2. ROTIV ensures backward unlinkability under the XDH assumption.

Proof. Assume that there is an adversary A(r, s, t, ǫ) who succeeds in the backward unlink-ability game with a non-negligible advantage ǫ. We will now construct an adversaryB, who usesAas a subroutine and breaks the DDH assumption inG₁with a non-negligible advantage ǫ^′.

To break the DDH assumption inG₁, adversaryBfirst queries the oracleO^DDH to receive (g, g^x, g^y, g^z) and simulates a complete ROTIV system forA. .

• Adversary B selects randomly a random number sk_I ∈ F_q and computes pk_I = h^skI. (sk_I,pk_I) represents the secret and the public keys of issuer I.

• Adversary B picks η random numbers xk ∈ F_q, and assigns to each owner Ok in the supply chain a public key pk_k= (g,˜g_k =g^xxk).

• To issue a tag T, B first selects ID and K_T⁰ ∈F_q, then computes S = H(ID)^skI, c⁰_T = (u⁰_T, v⁰_T) = (1,S). Finally, he storesS_T⁰ = (K_T⁰, c⁰_T) in tagT.

Learning phase. Adversary Bsimulates challenger Cas follows.

• B simulatesOTag and gives Atwo challenge tags T₀ and T₁.

• The ownership of tags T₀ and T₁ is transferred to adversaryA. A now has full control over tags T₀ andT₁.

• B providesA withstags T_i^′ whose ownership is transferred toA.

4. RFID-BASED OWNERSHIP TRANSFER WITH ISSUER VERIFICATION

Challenge phase.

• AdversaryAreleases the ownership of the challenge tagsT₀andT₁by calling the oracle OTransfer.

• Bsimulates challengerCby first picking randomlyb∈ {0,1}and returning tagT_b from the pair of tagsT₀andT₁. Then, he starts a mutual authentication with tagT_b outside the range of adversary A by sending a nonceN_T^j′

b.

Without loss of generality, we assume that tagT_b is owned by ownerOk.

• At the end of the authentication, B updates the state of tagT_b using the pair (g^y, g^z)

• B simulatesOFlip and returns tag T_b to adversary A. Given thatAdoes not have access toN_T^j′

b) does not give Aany information about tag T_b, and adversary Ahas to build his attack against the backward unlinkability ofROTIV upon the ciphertextc^j_T^′+1

b .

• At the end of the challenge phase,Aoutputs his guess b^′ of bitb.

Note that if z = xy, then the ciphertext c^j_T^′+1

b is a correct encryption of H(IDb)^skI, i.e., S_T^j′+1

b is a valid state that corresponds to tag T_b. Hence, the simulation of ROTIV by adversary B does not differ from an actual ROTIV system, and adversary A can output a correct guessb^′ for bit bwith a non-negligible advantage ǫ.

If z6=xy, then the state S_T^j′+1

b does not correspond to tag T_b, and the view of adversary A during the backward unlinkability game is independent of b. Consequently, adversary A has only a negligible advantage in outputting a correct guessb^′ for the bit b.

This leads to a statistical distinguisher between the two distributions (g, g^x, g^y, g^xy) and (g, g^x, g^y, g^z), x, y, z∈F_q, breaking hereby the DDH assumption in G₁. In fact, if adversary A outputsb^′=b, then adversaryB outputsz=xy; otherwise adversaryB outputsz6=xy.

Therefore, if Ahas a non-negligible advantage ǫin breaking the backward unlinkability of ROTIV, then adversary B will have a non-negligible advantageǫ=ǫ^′ in breaking the DDH assumption inG₁. This contradicts the XDH assumption.

86