a non-negligible advantage ǫ, then there is an adversary B who breaks the resistance to existential forgery of ROTIV’s short signature with a non-negligible advantage ǫ′ =ǫ.
4.7 Related Work
Molnar et al. (117) address the problem of ownership transfer in RFID systems by using tag pseudonyms and relying on a trusted third party. Here, the TTP is the only entity than can identify tags. To transfer the ownership of some tag T, its current owner O(T,k) and its prospective owner O(T,k+1), contact the TTP, which then providesO(T,k+1) with T’s identity. Once the ownership transfer of T takes place, the TTP refuses identity requests from T’s previous owner O(T,k). Still, relying on a TTP is a drawback: in many scenarios, the availability of a trusted third party during tag ownership transfer is probably unrealistic.
Other solutions based on symmetric primitives have been proposed by Lim and Kwon (111), Fouladgar and Afifi (60), Song (149), and Kulseng et al. (101). These schemes however suffer as discussed in Section 4.2.2 from three major drawbacks: 1.) tag identification and authentication is linear in the number of tags, 2.) denial of service attacks and 3.) no tag issuer verification.
Dimitriou (51) proposes a solution to ownership transfer that relies on symmetric cryptog-raphy while relaxing the privacy requirements for both backward and forward unlinkability.
Unlike previous schemes on ownership transfer, this solution allows an owner of a tag to revert the tag to its original state. This is useful for after sale services where a retailer can recognize a sold tagT. Note that ROTIVoffers the same feature: the unique identifier of a tagT enables any owner to verify whether he ownedT before or not.
4.8 Summary
In this chapter, we presented ROTIV to address the security and the privacy issues related to RFID ownership transfer in supply chains. As part of ownership transfer,ROTIVoffers a constant-time and privacy-preserving authentication while tags only evaluate a hash function.
It also enables issuer verification that allows every owner in the supply chain to verify the ori-gin of tags that he owns. ROTIV’s main idea is to1.) combine a MAC-based authentication with Elgamal encryption to achieve constant-time and privacy preserving authentication, and 2.) to use a short signature scheme to execute issuer verification. ROTIV is provably secure and privacy preserving under standard assumptions: MAC security, the BCDH assumption and the XDH assumption.
4. RFID-BASED OWNERSHIP TRANSFER WITH ISSUER VERIFICATION
94
5
RFID-based Product Tracking in Supply Chains
5.1 Introduction
Product tracking is one of the major applications of RFID-enabled supply chains as it allows genuineness verification and replica prevention of products (56,83,118,151,160). The idea is to trace the path that products took in the supply chain by reading their attached RFID tags. However, the use of RFID tags for genuineness verification comes with new threats to security and privacy of both tags and partners in the supply chain.
With respect to security, it must be verifiable whether a product is genuine by only scanning the tag attached to the product. To this end, the supply chain has a set of verifiers that check the path that tags took in the supply chain, whereas readers along the supply chain update the states of tags in their vicinity. The main challenge is to enable readers to update tags’ states while preventing them from injecting fake products.
The second challenge regards the privacy of tags. Typically, partners in the supply chain do not want to reveal any information about their internal details, strategic relationships and processes to adversaries, e.g., competitors or customers. Thus, an adversary must not be able to trace and recognize tags through subsequent steps in the supply chain.
Solutions addressing these security and privacy requirements have to be lightweight to allow wide deployment. Ideally, they should be suited for the cheapest RFID tags, namely, storage only tags. Therefore, any cryptographic computation required by the scheme should be performed by the readers. Moreover, the path verification at the readers should not be computationally heavy to avoid overloading readers and hindering supply chain performances.
Along these lines, we present in this chapter two protocols calledTrackerandChecker for secure and privacy-preserving RFID-based product tracking in the supply chain. The main idea behind these two protocols is to encode paths in a supply chain using polynomials and then employ the path encoding to sign tags’ identifiers. Trackertargets the product
5. RFID-BASED PRODUCT TRACKING IN SUPPLY CHAINS
traceability scenario where the genuineness verification is performed by atrusted party called manager, whereas Checker addresses the problem of on-site checking by enabling each reader in the supply chain to act as a non-trusted verifier.
The major contributions of the protocols proposed in this chapter are:
• They allow to determine the exact path that each tag went through in the supply chain.
• They provide provable privacy and security in the random oracle model.
• Contrary to related work such as Ouafi and Vaudenay (127) or Li and Ding (110), our protocolsdo not require tags to perform any computation. Instead, they rely onstorage only tags .
The rest of this chapter is structured as follows: after presenting the notations that will be used throughout this chapter in Section5.2, we introduce formal definitions that capture the security and the privacy requirements of product tracking in Section5.3. Then in Section5.4, we present Tracker, our first tracking protocol that relies on a trusted party to perform the path verification for tags in the supply chain. In Section 5.5, we introduce Checker which implements on-site checking by allowing each reader in the supply chain to verify the genuineness of products. Then in Section5.6, we survey some of the previous work on product tracking. Finally, Section 5.7concludes the chapter.